documentation: Bump version

Add inline rule-set & Add reload for local rule-set
Unique rule-set names
2026-04-13 20:28:32 +10:00 · 2024-06-26 17:48:02 +08:00 · 2024-06-26 13:57:15 +08:00 · 2024-06-26 13:57:15 +08:00 · 2024-06-26 13:57:15 +08:00 · 2024-06-26 13:57:15 +08:00
164 changed files with 3324 additions and 5929 deletions
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -22,13 +22,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.22
+        continue-on-error: true
      - name: Run Test
        run: |
          go test -v ./...
@@ -37,7 +38,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -57,7 +58,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -72,26 +73,6 @@ jobs:
          key: go121-${{ hashFiles('**/go.sum') }}
      - name: Run Test
        run: make ci_build
-  build_go122:
-    name: Debug build (Go 1.22)
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.22
-      - name: Cache go module
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go122-${{ hashFiles('**/go.sum') }}
-      - name: Run Test
-        run: make ci_build
  cross:
    strategy:
      matrix:
@@ -207,7 +188,7 @@ jobs:
      TAGS: with_clash_api,with_quic
    steps:
      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,93 +1,16 @@
-name: Publish Docker Images
+name: Build Docker Images

 on:
  release:
    types:
-      - published
+      - released
  workflow_dispatch:
    inputs:
      tag:
        description: "The tag version you want to build"
-
-env:
-  REGISTRY_IMAGE: ghcr.io/sagernet/sing-box
-
 jobs:
  build:
    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: true
-      matrix:
-        platform:
-          - linux/amd64
-          - linux/arm/v6
-          - linux/arm/v7
-          - linux/arm64
-          - linux/386
-          - linux/ppc64le
-          - linux/riscv64
-          - linux/s390x
-    steps:
-      - name: Get commit to build
-        id: ref
-        run: |-
-          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
-            ref="${{ github.ref_name }}"
-          else
-            ref="${{ github.event.inputs.tag }}"
-          fi
-          echo "ref=$ref"
-          echo "ref=$ref" >> $GITHUB_OUTPUT
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          ref: ${{ steps.ref.outputs.ref }}
-          fetch-depth: 0
-      - name: Prepare
-        run: |
-          platform=${{ matrix.platform }}
-          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-      - name: Setup QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY_IMAGE }}
-      - name: Build and push by digest
-        id: build
-        uses: docker/build-push-action@v6
-        with:
-          platforms: ${{ matrix.platform }}
-          context: .
-          build-args: |
-            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
-          labels: ${{ steps.meta.outputs.labels }}
-          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
-      - name: Export digest
-        run: |
-          mkdir -p /tmp/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "/tmp/digests/${digest#sha256:}"
-      - name: Upload digest
-        uses: actions/upload-artifact@v4
-        with:
-          name: digests-${{ env.PLATFORM_PAIR }}
-          path: /tmp/digests/*
-          if-no-files-found: error
-          retention-days: 1
-  merge:
-    runs-on: ubuntu-latest
-    needs:
-      - build
    steps:
      - name: Get commit to build
        id: ref
@@ -106,28 +29,34 @@ jobs:
          fi
          echo "latest=$latest"
          echo "latest=$latest" >> $GITHUB_OUTPUT
-      - name: Download digests
-        uses: actions/download-artifact@v4
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
-          path: /tmp/digests
-          pattern: digests-*
-          merge-multiple: true
-      - name: Set up Docker Buildx
+          ref: ${{ steps.ref.outputs.ref }}
+      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@v3
+      - name: Setup QEMU for Docker Buildx
+        uses: docker/setup-qemu-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Create manifest list and push
-        working-directory: /tmp/digests
-        run: |
-          docker buildx imagetools create \
-            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}" \
-            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
-            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
-      - name: Inspect image
-        run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}
-          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}
+      - name: Docker metadata
+        id: metadata
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/sagernet/sing-box
+      - name: Build and release Docker images
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
+          context: .
+          target: dist
+          build-args: |
+            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
+          tags: |
+            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.latest }}
+            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.ref }}
+          push: true
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -22,13 +22,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.22
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -10,13 +10,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.22
      - name: Extract signing key
        run: |-
          mkdir -p $HOME/.gnupg
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -12,5 +12,4 @@ jobs:
        with:
          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
          days-before-stale: 60
-          days-before-close: 5
-          exempt-issue-labels: 'bug,enhancement'
+          days-before-close: 5
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -6,7 +6,14 @@ linters:
    - gci
    - staticcheck
    - paralleltest
-    - ineffassign
+
+run:
+  skip-dirs:
+    - transport/simple-obfs
+    - transport/clashssr
+    - transport/cloudflaretls
+    - transport/shadowtls/tls
+    - transport/shadowtls/tls_go119

 linters-settings:
  gci:
@@ -16,13 +23,4 @@ linters-settings:
      - prefix(github.com/sagernet/)
      - default
  staticcheck:
-    checks:
-      - all
-      - -SA1003
-
-run:
-  go: "1.23"
-
-issues:
-  exclude-dirs:
-    - transport/simple-obfs
+    go: '1.20'
--- a/.goreleaser.fury.yaml
+++ b/.goreleaser.fury.yaml
@@ -26,7 +26,6 @@ builds:
      - linux_arm_7
      - linux_s390x
      - linux_riscv64
-      - linux_mips64le
    mod_timestamp: '{{ .CommitTimestamp }}'
 snapshot:
  name_template: "{{ .Version }}.{{ .ShortCommit }}"
@@ -49,19 +48,10 @@ nfpms:
      - src: release/config/config.json
        dst: /etc/sing-box/config.json
        type: config
-
      - src: release/config/sing-box.service
        dst: /usr/lib/systemd/system/sing-box.service
      - src: release/config/sing-box@.service
        dst: /usr/lib/systemd/system/sing-box@.service
-
-      - src: release/completions/sing-box.bash
-        dst: /usr/share/bash-completion/completions/sing-box.bash
-      - src: release/completions/sing-box.fish
-        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
-      - src: release/completions/sing-box.zsh
-        dst: /usr/share/zsh/site-functions/_sing-box
-
      - src: LICENSE
        dst: /usr/share/licenses/sing-box/LICENSE
    deb:
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,4 +1,3 @@
-version: 2
 project_name: sing-box
 builds:
  - &template
@@ -8,9 +7,7 @@ builds:
      - -v
      - -trimpath
    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
-      - -s
-      - -buildid=
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
    tags:
      - with_gvisor
      - with_quic
@@ -26,13 +23,13 @@ builds:
    targets:
      - linux_386
      - linux_amd64_v1
+      - linux_amd64_v3
      - linux_arm64
-      - linux_arm_6
      - linux_arm_7
      - linux_s390x
      - linux_riscv64
-      - linux_mips64le
      - windows_amd64_v1
+      - windows_amd64_v3
      - windows_386
      - windows_arm64
      - darwin_amd64_v1
@@ -89,6 +86,8 @@ builds:
      - android_arm64
      - android_386
      - android_amd64
+snapshot:
+  name_template: "{{ .Version }}.{{ .ShortCommit }}"
 archives:
  - &template
    id: archive
@@ -102,7 +101,7 @@ archives:
    wrap_in_directory: true
    files:
      - LICENSE
-    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
  - id: archive-legacy
    <<: *template
    builds:
@@ -111,7 +110,7 @@ archives:
 nfpms:
  - id: package
    package_name: sing-box
-    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
    builds:
      - main
    homepage: https://sing-box.sagernet.org/
@@ -122,26 +121,15 @@ nfpms:
      - deb
      - rpm
      - archlinux
-#      - apk
-#      - ipk
    priority: extra
    contents:
      - src: release/config/config.json
        dst: /etc/sing-box/config.json
        type: config
-
      - src: release/config/sing-box.service
        dst: /usr/lib/systemd/system/sing-box.service
      - src: release/config/sing-box@.service
        dst: /usr/lib/systemd/system/sing-box@.service
-
-      - src: release/completions/sing-box.bash
-        dst: /usr/share/bash-completion/completions/sing-box.bash
-      - src: release/completions/sing-box.fish
-        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
-      - src: release/completions/sing-box.zsh
-        dst: /usr/share/zsh/site-functions/_sing-box
-
      - src: LICENSE
        dst: /usr/share/licenses/sing-box/LICENSE
    deb:
@@ -153,34 +141,13 @@ nfpms:
      signature:
        key_file: "{{ .Env.NFPM_KEY_PATH }}"
    overrides:
-      apk:
-        contents:
-          - src: release/config/config.json
-            dst: /etc/sing-box/config.json
-            type: config
+      deb:
+        conflicts:
+          - sing-box-beta
+      rpm:
+        conflicts:
+          - sing-box-beta

-          - src: release/config/sing-box.initd
-            dst: /etc/init.d/sing-box
-
-          - src: release/completions/sing-box.bash
-            dst: /usr/share/bash-completion/completions/sing-box.bash
-          - src: release/completions/sing-box.fish
-            dst: /usr/share/fish/vendor_completions.d/sing-box.fish
-          - src: release/completions/sing-box.zsh
-            dst: /usr/share/zsh/site-functions/_sing-box
-
-          - src: LICENSE
-            dst: /usr/share/licenses/sing-box/LICENSE
-      ipk:
-        contents:
-          - src: release/config/config.json
-            dst: /etc/sing-box/config.json
-            type: config
-
-          - src: release/config/openwrt.init
-            dst: /etc/init.d/sing-box
-          - src: release/config/openwrt.conf
-            dst: /etc/config/sing-box
 source:
  enabled: false
  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
--- a/4
+++ b/4
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.23-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.22-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
@@ -21,7 +21,7 @@ FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
    && apk upgrade \
-    && apk add bash tzdata ca-certificates nftables \
+    && apk add bash tzdata ca-certificates \
    && rm -rf /var/cache/apk/*
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]
--- a/62
+++ b/62
@@ -27,9 +27,6 @@ ci_build:
 	go build $(PARAMS) $(MAIN)
 	go build $(MAIN_PARAMS) $(MAIN)

-generate_completions:
-	go run -v --tags generate,generate_completions $(MAIN)
-
 install:
 	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)

@@ -69,6 +66,7 @@ release:
 		dist/*.deb \
 		dist/*.rpm \
 		dist/*_amd64.pkg.tar.zst \
+		dist/*_amd64v3.pkg.tar.zst \
 		dist/*_arm64.pkg.tar.zst \
 		dist/release
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
@@ -101,12 +99,10 @@ publish_android:
 publish_android_appcenter:
 	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadPlayRelease

-
-# TODO: find why and remove `-destination 'generic/platform=iOS'`
 build_ios:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFI.xcarchive && \
-	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates
+	xcodebuild archive -scheme SFI -configuration Release -archivePath build/SFI.xcarchive

 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
@@ -117,61 +113,55 @@ release_ios: build_ios upload_ios_app_store
 build_macos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFM.xcarchive && \
-	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive -allowProvisioningUpdates
+	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive

 upload_macos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates

 release_macos: build_macos upload_macos_app_store

-build_macos_standalone:
+build_macos_independent:
 	cd ../sing-box-for-apple && \
-	rm -rf build/SFM.System.xcarchive && \
-	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive -allowProvisioningUpdates
+	rm -rf build/SFT.System.xcarchive && \
+	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive

-build_macos_dmg:
+notarize_macos_independent:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist  -allowProvisioningUpdates
+
+wait_notarize_macos_independent:
+	sleep 60
+
+export_macos_independent:
 	rm -rf dist/SFM
 	mkdir -p dist/SFM
 	cd ../sing-box-for-apple && \
-	rm -rf build/SFM.System && \
-	rm -rf build/SFM.dmg && \
-	xcodebuild -exportArchive \
-		-archivePath "build/SFM.System.xcarchive" \
-		-exportOptionsPlist SFM.System/Export.plist -allowProvisioningUpdates \
-		-exportPath "build/SFM.System" && \
-	create-dmg \
-		--volname "sing-box" \
-		--volicon "build/SFM.System/SFM.app/Contents/Resources/AppIcon.icns" \
-		--icon "SFM.app" 0 0 \
- 		--hide-extension "SFM.app" \
- 		--app-drop-link 0 0 \
- 		--skip-jenkins \
-		--notarize "notarytool-password" \
-		"../sing-box/dist/SFM/SFM.dmg" "build/SFM.System/SFM.app"
+	xcodebuild -exportNotarizedApp -archivePath build/SFM.System.xcarchive -exportPath "../sing-box/dist/SFM"

-upload_macos_dmg:
+upload_macos_independent:
 	cd dist/SFM && \
-	cp SFM.dmg "SFM-${VERSION}-universal.dmg" && \
-	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dmg"
+	rm -f *.zip && \
+	zip -ry "SFM-${VERSION}-universal.zip" SFM.app && \
+	ghr --replace --draft --prerelease "v${VERSION}" *.zip

-release_macos_standalone: build_macos_standalone build_macos_dmg upload_macos_dmg
+release_macos_independent: build_macos_independent notarize_macos_independent wait_notarize_macos_independent export_macos_independent upload_macos_independent

 build_tvos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.xcarchive && \
-	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive -allowProvisioningUpdates
+	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive

 upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates

 release_tvos: build_tvos upload_tvos_app_store

 update_apple_version:
 	go run ./cmd/internal/update_apple_version

-release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_standalone
+release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent

 release_apple_beta: update_apple_version release_ios release_macos release_tvos

@@ -198,8 +188,8 @@ lib:
 	go run ./cmd/internal/build_libbox -target ios

 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.4
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.4
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.3
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.3

 docs:
 	venv/bin/mkdocs serve
--- a/README.md
+++ b/README.md
@@ -8,6 +8,10 @@ The universal proxy platform.

 https://sing-box.sagernet.org

+## Support
+
+https://community.sagernet.org/c/sing-box/
+
 ## License

 ```
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -31,16 +31,11 @@ type InboundContext struct {
 	Network     string
 	Source      M.Socksaddr
 	Destination M.Socksaddr
+	Domain      string
+	Protocol    string
 	User        string
 	Outbound    string

-	// sniffer
-
-	Protocol     string
-	Domain       string
-	Client       string
-	SniffContext any
-
 	// cache

 	InboundDetour        string
--- a/adapter/v2ray.go
+++ b/adapter/v2ray.go
@@ -22,5 +22,4 @@ type V2RayServerTransportHandler interface {

 type V2RayClientTransport interface {
 	DialContext(ctx context.Context) (net.Conn, error)
-	Close() error
 }
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/internal/build_shared/sdk.go
+++ b/cmd/internal/build_shared/sdk.go
@@ -86,7 +86,7 @@ func findNDK() bool {
 	})
 	for _, versionName := range versionNames {
 		currentNDKPath := filepath.Join(androidSDKPath, "ndk", versionName)
-		if rw.IsFile(filepath.Join(currentNDKPath, versionFile)) {
+		if rw.IsFile(filepath.Join(androidSDKPath, versionFile)) {
 			androidNDKPath = currentNDKPath
 			log.Warn("reproducibility warning: using NDK version " + versionName + " instead of " + fixedVersion)
 			return true
--- a/cmd/internal/update_apple_version/main.go
+++ b/cmd/internal/update_apple_version/main.go
@@ -26,8 +26,8 @@ func main() {
 	common.Must(decoder.Decode(&project))
 	objectsMap := project["objects"].(map[string]any)
 	projectContent := string(common.Must1(os.ReadFile("sing-box.xcodeproj/project.pbxproj")))
-	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfavt"}, newVersion.VersionString())
-	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfavt.standalone", "io.nekohasekai.sfavt.system"}, newVersion.String())
+	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
+	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
 	if updated0 || updated1 {
 		log.Info("updated version to ", newVersion.VersionString(), " (", newVersion.String(), ")")
 	}
--- a/cmd/sing-box/cmd.go
+++ b/cmd/sing-box/cmd.go
@@ -1,68 +0,0 @@
-package main
-
-import (
-	"context"
-	"os"
-	"os/user"
-	"strconv"
-	"time"
-
-	_ "github.com/sagernet/sing-box/include"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/service/filemanager"
-
-	"github.com/spf13/cobra"
-)
-
-var (
-	globalCtx         context.Context
-	configPaths       []string
-	configDirectories []string
-	workingDir        string
-	disableColor      bool
-)
-
-var mainCommand = &cobra.Command{
-	Use:              "sing-box",
-	PersistentPreRun: preRun,
-}
-
-func init() {
-	mainCommand.PersistentFlags().StringArrayVarP(&configPaths, "config", "c", nil, "set configuration file path")
-	mainCommand.PersistentFlags().StringArrayVarP(&configDirectories, "config-directory", "C", nil, "set configuration directory path")
-	mainCommand.PersistentFlags().StringVarP(&workingDir, "directory", "D", "", "set working directory")
-	mainCommand.PersistentFlags().BoolVarP(&disableColor, "disable-color", "", false, "disable color output")
-}
-
-func preRun(cmd *cobra.Command, args []string) {
-	globalCtx = context.Background()
-	sudoUser := os.Getenv("SUDO_USER")
-	sudoUID, _ := strconv.Atoi(os.Getenv("SUDO_UID"))
-	sudoGID, _ := strconv.Atoi(os.Getenv("SUDO_GID"))
-	if sudoUID == 0 && sudoGID == 0 && sudoUser != "" {
-		sudoUserObject, _ := user.Lookup(sudoUser)
-		if sudoUserObject != nil {
-			sudoUID, _ = strconv.Atoi(sudoUserObject.Uid)
-			sudoGID, _ = strconv.Atoi(sudoUserObject.Gid)
-		}
-	}
-	if sudoUID > 0 && sudoGID > 0 {
-		globalCtx = filemanager.WithDefault(globalCtx, "", "", sudoUID, sudoGID)
-	}
-	if disableColor {
-		log.SetStdLogger(log.NewDefaultFactory(context.Background(), log.Formatter{BaseTime: time.Now(), DisableColors: true}, os.Stderr, "", nil, false).Logger())
-	}
-	if workingDir != "" {
-		_, err := os.Stat(workingDir)
-		if err != nil {
-			filemanager.MkdirAll(globalCtx, workingDir, 0o777)
-		}
-		err = os.Chdir(workingDir)
-		if err != nil {
-			log.Fatal(err)
-		}
-	}
-	if len(configPaths) == 0 && len(configDirectories) == 0 {
-		configPaths = append(configPaths, "config.json")
-	}
-}
--- a/cmd/sing-box/cmd_geoip_export.go
+++ b/cmd/sing-box/cmd_geoip_export.go
@@ -87,7 +87,7 @@ func geoipExport(countryCode string) error {
 		headlessRule.IPCIDR = append(headlessRule.IPCIDR, cidr.String())
 	}
 	var plainRuleSet option.PlainRuleSetCompat
-	plainRuleSet.Version = C.RuleSetVersion2
+	plainRuleSet.Version = C.RuleSetVersion1
 	plainRuleSet.Options.Rules = []option.HeadlessRule{
 		{
 			Type:           C.RuleTypeDefault,
--- a/cmd/sing-box/cmd_geosite_export.go
+++ b/cmd/sing-box/cmd_geosite_export.go
@@ -70,7 +70,7 @@ func geositeExport(category string) error {
 	headlessRule.DomainKeyword = defaultRule.DomainKeyword
 	headlessRule.DomainRegex = defaultRule.DomainRegex
 	var plainRuleSet option.PlainRuleSetCompat
-	plainRuleSet.Version = C.RuleSetVersion2
+	plainRuleSet.Version = C.RuleSetVersion1
 	plainRuleSet.Options.Rules = []option.HeadlessRule{
 		{
 			Type:           C.RuleTypeDefault,
--- a/cmd/sing-box/cmd_rule_set_compile.go
+++ b/cmd/sing-box/cmd_rule_set_compile.go
@@ -6,7 +6,6 @@ import (
 	"strings"

 	"github.com/sagernet/sing-box/common/srs"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/json"
@@ -74,7 +73,7 @@ func compileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
-	err = srs.Write(outputFile, ruleSet, plainRuleSet.Version == C.RuleSetVersion2)
+	err = srs.Write(outputFile, ruleSet)
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputPath)
--- a/cmd/sing-box/cmd_rule_set_convert.go
+++ b/cmd/sing-box/cmd_rule_set_convert.go
@@ -1,88 +0,0 @@
-package main
-
-import (
-	"io"
-	"os"
-	"strings"
-
-	"github.com/sagernet/sing-box/cmd/sing-box/internal/convertor/adguard"
-	"github.com/sagernet/sing-box/common/srs"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	"github.com/spf13/cobra"
-)
-
-var (
-	flagRuleSetConvertType   string
-	flagRuleSetConvertOutput string
-)
-
-var commandRuleSetConvert = &cobra.Command{
-	Use:   "convert [source-path]",
-	Short: "Convert adguard DNS filter to rule-set",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := convertRuleSet(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandRuleSet.AddCommand(commandRuleSetConvert)
-	commandRuleSetConvert.Flags().StringVarP(&flagRuleSetConvertType, "type", "t", "", "Source type, available: adguard")
-	commandRuleSetConvert.Flags().StringVarP(&flagRuleSetConvertOutput, "output", "o", flagRuleSetCompileDefaultOutput, "Output file")
-}
-
-func convertRuleSet(sourcePath string) error {
-	var (
-		reader io.Reader
-		err    error
-	)
-	if sourcePath == "stdin" {
-		reader = os.Stdin
-	} else {
-		reader, err = os.Open(sourcePath)
-		if err != nil {
-			return err
-		}
-	}
-	var rules []option.HeadlessRule
-	switch flagRuleSetConvertType {
-	case "adguard":
-		rules, err = adguard.Convert(reader)
-	case "":
-		return E.New("source type is required")
-	default:
-		return E.New("unsupported source type: ", flagRuleSetConvertType)
-	}
-	if err != nil {
-		return err
-	}
-	var outputPath string
-	if flagRuleSetConvertOutput == flagRuleSetCompileDefaultOutput {
-		if strings.HasSuffix(sourcePath, ".txt") {
-			outputPath = sourcePath[:len(sourcePath)-4] + ".srs"
-		} else {
-			outputPath = sourcePath + ".srs"
-		}
-	} else {
-		outputPath = flagRuleSetConvertOutput
-	}
-	outputFile, err := os.Create(outputPath)
-	if err != nil {
-		return err
-	}
-	defer outputFile.Close()
-	err = srs.Write(outputFile, option.PlainRuleSet{Rules: rules}, true)
-	if err != nil {
-		outputFile.Close()
-		os.Remove(outputPath)
-		return err
-	}
-	outputFile.Close()
-	return nil
-}
--- a/cmd/sing-box/cmd_rule_set_decompile.go
+++ b/cmd/sing-box/cmd_rule_set_decompile.go
@@ -1,83 +0,0 @@
-package main
-
-import (
-	"io"
-	"os"
-	"strings"
-
-	"github.com/sagernet/sing-box/common/srs"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/json"
-
-	"github.com/spf13/cobra"
-)
-
-var flagRuleSetDecompileOutput string
-
-const flagRuleSetDecompileDefaultOutput = "<file_name>.json"
-
-var commandRuleSetDecompile = &cobra.Command{
-	Use:   "decompile [binary-path]",
-	Short: "Decompile rule-set binary to json",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := decompileRuleSet(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandRuleSet.AddCommand(commandRuleSetDecompile)
-	commandRuleSetDecompile.Flags().StringVarP(&flagRuleSetDecompileOutput, "output", "o", flagRuleSetDecompileDefaultOutput, "Output file")
-}
-
-func decompileRuleSet(sourcePath string) error {
-	var (
-		reader io.Reader
-		err    error
-	)
-	if sourcePath == "stdin" {
-		reader = os.Stdin
-	} else {
-		reader, err = os.Open(sourcePath)
-		if err != nil {
-			return err
-		}
-	}
-	plainRuleSet, err := srs.Read(reader, true)
-	if err != nil {
-		return err
-	}
-	ruleSet := option.PlainRuleSetCompat{
-		Version: C.RuleSetVersion1,
-		Options: plainRuleSet,
-	}
-	var outputPath string
-	if flagRuleSetDecompileOutput == flagRuleSetDecompileDefaultOutput {
-		if strings.HasSuffix(sourcePath, ".srs") {
-			outputPath = sourcePath[:len(sourcePath)-4] + ".json"
-		} else {
-			outputPath = sourcePath + ".json"
-		}
-	} else {
-		outputPath = flagRuleSetDecompileOutput
-	}
-	outputFile, err := os.Create(outputPath)
-	if err != nil {
-		return err
-	}
-	encoder := json.NewEncoder(outputFile)
-	encoder.SetIndent("", "  ")
-	err = encoder.Encode(ruleSet)
-	if err != nil {
-		outputFile.Close()
-		os.Remove(outputPath)
-		return err
-	}
-	outputFile.Close()
-	return nil
-}
--- a/cmd/sing-box/cmd_rule_set_match.go
+++ b/cmd/sing-box/cmd_rule_set_match.go
@@ -14,7 +14,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
-	M "github.com/sagernet/sing/common/metadata"

 	"github.com/spf13/cobra"
 )
@@ -22,8 +21,8 @@ import (
 var flagRuleSetMatchFormat string

 var commandRuleSetMatch = &cobra.Command{
-	Use:   "match <rule-set path> <IP address/domain>",
-	Short: "Check if an IP address or a domain matches the rule-set",
+	Use:   "match <rule-set path> <domain>",
+	Short: "Check if a domain matches the rule-set",
 	Args:  cobra.ExactArgs(2),
 	Run: func(cmd *cobra.Command, args []string) {
 		err := ruleSetMatch(args[0], args[1])
@@ -75,20 +74,15 @@ func ruleSetMatch(sourcePath string, domain string) error {
 	default:
 		return E.New("unknown rule-set format: ", flagRuleSetMatchFormat)
 	}
-	ipAddress := M.ParseAddr(domain)
-	var metadata adapter.InboundContext
-	if ipAddress.IsValid() {
-		metadata.Destination = M.SocksaddrFrom(ipAddress, 0)
-	} else {
-		metadata.Domain = domain
-	}
 	for i, ruleOptions := range plainRuleSet.Rules {
 		var currentRule adapter.HeadlessRule
 		currentRule, err = route.NewHeadlessRule(nil, ruleOptions)
 		if err != nil {
 			return E.Cause(err, "parse rule_set.rules.[", i, "]")
 		}
-		if currentRule.Match(&metadata) {
+		if currentRule.Match(&adapter.InboundContext{
+			Domain: domain,
+		}) {
 			println(F.ToString("match rules.[", i, "]: ", currentRule))
 		}
 	}
--- a/cmd/sing-box/cmd_rule_set_upgrade.go
+++ b/cmd/sing-box/cmd_rule_set_upgrade.go
@@ -1,94 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"io"
-	"os"
-	"path/filepath"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json"
-
-	"github.com/spf13/cobra"
-)
-
-var commandRuleSetUpgradeFlagWrite bool
-
-var commandRuleSetUpgrade = &cobra.Command{
-	Use:   "upgrade <source-path>",
-	Short: "Upgrade rule-set json",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := upgradeRuleSet(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandRuleSetUpgrade.Flags().BoolVarP(&commandRuleSetUpgradeFlagWrite, "write", "w", false, "write result to (source) file instead of stdout")
-	commandRuleSet.AddCommand(commandRuleSetUpgrade)
-}
-
-func upgradeRuleSet(sourcePath string) error {
-	var (
-		reader io.Reader
-		err    error
-	)
-	if sourcePath == "stdin" {
-		reader = os.Stdin
-	} else {
-		reader, err = os.Open(sourcePath)
-		if err != nil {
-			return err
-		}
-	}
-	content, err := io.ReadAll(reader)
-	if err != nil {
-		return err
-	}
-	plainRuleSetCompat, err := json.UnmarshalExtended[option.PlainRuleSetCompat](content)
-	if err != nil {
-		return err
-	}
-	switch plainRuleSetCompat.Version {
-	case C.RuleSetVersion1:
-	default:
-		log.Info("already up-to-date")
-		return nil
-	}
-	plainRuleSet, err := plainRuleSetCompat.Upgrade()
-	if err != nil {
-		return err
-	}
-	buffer := new(bytes.Buffer)
-	encoder := json.NewEncoder(buffer)
-	encoder.SetIndent("", "  ")
-	err = encoder.Encode(plainRuleSet)
-	if err != nil {
-		return E.Cause(err, "encode config")
-	}
-	outputPath, _ := filepath.Abs(sourcePath)
-	if !commandRuleSetUpgradeFlagWrite || sourcePath == "stdin" {
-		os.Stdout.WriteString(buffer.String() + "\n")
-		return nil
-	}
-	if bytes.Equal(content, buffer.Bytes()) {
-		return nil
-	}
-	output, err := os.Create(sourcePath)
-	if err != nil {
-		return E.Cause(err, "open output")
-	}
-	_, err = output.Write(buffer.Bytes())
-	output.Close()
-	if err != nil {
-		return E.Cause(err, "write output")
-	}
-	os.Stderr.WriteString(outputPath + "\n")
-	return nil
-}
--- a/cmd/sing-box/cmd_run.go
+++ b/cmd/sing-box/cmd_run.go
@@ -188,12 +188,9 @@ func run() error {
 			cancel()
 			closeCtx, closed := context.WithCancel(context.Background())
 			go closeMonitor(closeCtx)
-			err = instance.Close()
+			instance.Close()
 			closed()
 			if osSignal != syscall.SIGHUP {
-				if err != nil {
-					log.Error(E.Cause(err, "sing-box did not closed properly"))
-				}
 				return nil
 			}
 			break
--- a/cmd/sing-box/generate_completions.go
+++ b/cmd/sing-box/generate_completions.go
@@ -1,28 +0,0 @@
-//go:build generate && generate_completions
-
-package main
-
-import "github.com/sagernet/sing-box/log"
-
-func main() {
-	err := generateCompletions()
-	if err != nil {
-		log.Fatal(err)
-	}
-}
-
-func generateCompletions() error {
-	err := mainCommand.GenBashCompletionFile("release/completions/sing-box.bash")
-	if err != nil {
-		return err
-	}
-	err = mainCommand.GenFishCompletionFile("release/completions/sing-box.fish", true)
-	if err != nil {
-		return err
-	}
-	err = mainCommand.GenZshCompletionFile("release/completions/sing-box.zsh")
-	if err != nil {
-		return err
-	}
-	return nil
-}
--- a/cmd/sing-box/internal/convertor/adguard/convertor.go
+++ b/cmd/sing-box/internal/convertor/adguard/convertor.go
@@ -1,346 +0,0 @@
-package adguard
-
-import (
-	"bufio"
-	"io"
-	"net/netip"
-	"os"
-	"strconv"
-	"strings"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-)
-
-type agdguardRuleLine struct {
-	ruleLine    string
-	isRawDomain bool
-	isExclude   bool
-	isSuffix    bool
-	hasStart    bool
-	hasEnd      bool
-	isRegexp    bool
-	isImportant bool
-}
-
-func Convert(reader io.Reader) ([]option.HeadlessRule, error) {
-	scanner := bufio.NewScanner(reader)
-	var (
-		ruleLines    []agdguardRuleLine
-		ignoredLines int
-	)
-parseLine:
-	for scanner.Scan() {
-		ruleLine := scanner.Text()
-		if ruleLine == "" || ruleLine[0] == '!' || ruleLine[0] == '#' {
-			continue
-		}
-		originRuleLine := ruleLine
-		if M.IsDomainName(ruleLine) {
-			ruleLines = append(ruleLines, agdguardRuleLine{
-				ruleLine:    ruleLine,
-				isRawDomain: true,
-			})
-			continue
-		}
-		hostLine, err := parseAdGuardHostLine(ruleLine)
-		if err == nil {
-			if hostLine != "" {
-				ruleLines = append(ruleLines, agdguardRuleLine{
-					ruleLine:    hostLine,
-					isRawDomain: true,
-					hasStart:    true,
-					hasEnd:      true,
-				})
-			}
-			continue
-		}
-		if strings.HasSuffix(ruleLine, "|") {
-			ruleLine = ruleLine[:len(ruleLine)-1]
-		}
-		var (
-			isExclude   bool
-			isSuffix    bool
-			hasStart    bool
-			hasEnd      bool
-			isRegexp    bool
-			isImportant bool
-		)
-		if !strings.HasPrefix(ruleLine, "/") && strings.Contains(ruleLine, "$") {
-			params := common.SubstringAfter(ruleLine, "$")
-			for _, param := range strings.Split(params, ",") {
-				paramParts := strings.Split(param, "=")
-				var ignored bool
-				if len(paramParts) > 0 && len(paramParts) <= 2 {
-					switch paramParts[0] {
-					case "app", "network":
-						// maybe support by package_name/process_name
-					case "dnstype":
-						// maybe support by query_type
-					case "important":
-						ignored = true
-						isImportant = true
-					case "dnsrewrite":
-						if len(paramParts) == 2 && M.ParseAddr(paramParts[1]).IsUnspecified() {
-							ignored = true
-						}
-					}
-				}
-				if !ignored {
-					ignoredLines++
-					log.Debug("ignored unsupported rule with modifier: ", paramParts[0], ": ", ruleLine)
-					continue parseLine
-				}
-			}
-			ruleLine = common.SubstringBefore(ruleLine, "$")
-		}
-		if strings.HasPrefix(ruleLine, "@@") {
-			ruleLine = ruleLine[2:]
-			isExclude = true
-		}
-		if strings.HasSuffix(ruleLine, "|") {
-			ruleLine = ruleLine[:len(ruleLine)-1]
-		}
-		if strings.HasPrefix(ruleLine, "||") {
-			ruleLine = ruleLine[2:]
-			isSuffix = true
-		} else if strings.HasPrefix(ruleLine, "|") {
-			ruleLine = ruleLine[1:]
-			hasStart = true
-		}
-		if strings.HasSuffix(ruleLine, "^") {
-			ruleLine = ruleLine[:len(ruleLine)-1]
-			hasEnd = true
-		}
-		if strings.HasPrefix(ruleLine, "/") && strings.HasSuffix(ruleLine, "/") {
-			ruleLine = ruleLine[1 : len(ruleLine)-1]
-			if ignoreIPCIDRRegexp(ruleLine) {
-				ignoredLines++
-				log.Debug("ignored unsupported rule with IPCIDR regexp: ", ruleLine)
-				continue
-			}
-			isRegexp = true
-		} else {
-			if strings.Contains(ruleLine, "://") {
-				ruleLine = common.SubstringAfter(ruleLine, "://")
-			}
-			if strings.Contains(ruleLine, "/") {
-				ignoredLines++
-				log.Debug("ignored unsupported rule with path: ", ruleLine)
-				continue
-			}
-			if strings.Contains(ruleLine, "##") {
-				ignoredLines++
-				log.Debug("ignored unsupported rule with element hiding: ", ruleLine)
-				continue
-			}
-			if strings.Contains(ruleLine, "#$#") {
-				ignoredLines++
-				log.Debug("ignored unsupported rule with element hiding: ", ruleLine)
-				continue
-			}
-			var domainCheck string
-			if strings.HasPrefix(ruleLine, ".") || strings.HasPrefix(ruleLine, "-") {
-				domainCheck = "r" + ruleLine
-			} else {
-				domainCheck = ruleLine
-			}
-			if ruleLine == "" {
-				ignoredLines++
-				log.Debug("ignored unsupported rule with empty domain", originRuleLine)
-				continue
-			} else {
-				domainCheck = strings.ReplaceAll(domainCheck, "*", "x")
-				if !M.IsDomainName(domainCheck) {
-					_, ipErr := parseADGuardIPCIDRLine(ruleLine)
-					if ipErr == nil {
-						ignoredLines++
-						log.Debug("ignored unsupported rule with IPCIDR: ", ruleLine)
-						continue
-					}
-					if M.ParseSocksaddr(domainCheck).Port != 0 {
-						log.Debug("ignored unsupported rule with port: ", ruleLine)
-					} else {
-						log.Debug("ignored unsupported rule with invalid domain: ", ruleLine)
-					}
-					ignoredLines++
-					continue
-				}
-			}
-		}
-		ruleLines = append(ruleLines, agdguardRuleLine{
-			ruleLine:    ruleLine,
-			isExclude:   isExclude,
-			isSuffix:    isSuffix,
-			hasStart:    hasStart,
-			hasEnd:      hasEnd,
-			isRegexp:    isRegexp,
-			isImportant: isImportant,
-		})
-	}
-	if len(ruleLines) == 0 {
-		return nil, E.New("AdGuard rule-set is empty or all rules are unsupported")
-	}
-	if common.All(ruleLines, func(it agdguardRuleLine) bool {
-		return it.isRawDomain
-	}) {
-		return []option.HeadlessRule{
-			{
-				Type: C.RuleTypeDefault,
-				DefaultOptions: option.DefaultHeadlessRule{
-					Domain: common.Map(ruleLines, func(it agdguardRuleLine) string {
-						return it.ruleLine
-					}),
-				},
-			},
-		}, nil
-	}
-	mapDomain := func(it agdguardRuleLine) string {
-		ruleLine := it.ruleLine
-		if it.isSuffix {
-			ruleLine = "||" + ruleLine
-		} else if it.hasStart {
-			ruleLine = "|" + ruleLine
-		}
-		if it.hasEnd {
-			ruleLine += "^"
-		}
-		return ruleLine
-	}
-
-	importantDomain := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return it.isImportant && !it.isRegexp && !it.isExclude }), mapDomain)
-	importantDomainRegex := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return it.isImportant && it.isRegexp && !it.isExclude }), mapDomain)
-	importantExcludeDomain := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return it.isImportant && !it.isRegexp && it.isExclude }), mapDomain)
-	importantExcludeDomainRegex := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return it.isImportant && it.isRegexp && it.isExclude }), mapDomain)
-	domain := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return !it.isImportant && !it.isRegexp && !it.isExclude }), mapDomain)
-	domainRegex := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return !it.isImportant && it.isRegexp && !it.isExclude }), mapDomain)
-	excludeDomain := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return !it.isImportant && !it.isRegexp && it.isExclude }), mapDomain)
-	excludeDomainRegex := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return !it.isImportant && it.isRegexp && it.isExclude }), mapDomain)
-	currentRule := option.HeadlessRule{
-		Type: C.RuleTypeDefault,
-		DefaultOptions: option.DefaultHeadlessRule{
-			AdGuardDomain: domain,
-			DomainRegex:   domainRegex,
-		},
-	}
-	if len(excludeDomain) > 0 || len(excludeDomainRegex) > 0 {
-		currentRule = option.HeadlessRule{
-			Type: C.RuleTypeLogical,
-			LogicalOptions: option.LogicalHeadlessRule{
-				Mode: C.LogicalTypeAnd,
-				Rules: []option.HeadlessRule{
-					{
-						Type: C.RuleTypeDefault,
-						DefaultOptions: option.DefaultHeadlessRule{
-							AdGuardDomain: excludeDomain,
-							DomainRegex:   excludeDomainRegex,
-							Invert:        true,
-						},
-					},
-					currentRule,
-				},
-			},
-		}
-	}
-	if len(importantDomain) > 0 || len(importantDomainRegex) > 0 {
-		currentRule = option.HeadlessRule{
-			Type: C.RuleTypeLogical,
-			LogicalOptions: option.LogicalHeadlessRule{
-				Mode: C.LogicalTypeOr,
-				Rules: []option.HeadlessRule{
-					{
-						Type: C.RuleTypeDefault,
-						DefaultOptions: option.DefaultHeadlessRule{
-							AdGuardDomain: importantDomain,
-							DomainRegex:   importantDomainRegex,
-						},
-					},
-					currentRule,
-				},
-			},
-		}
-	}
-	if len(importantExcludeDomain) > 0 || len(importantExcludeDomainRegex) > 0 {
-		currentRule = option.HeadlessRule{
-			Type: C.RuleTypeLogical,
-			LogicalOptions: option.LogicalHeadlessRule{
-				Mode: C.LogicalTypeAnd,
-				Rules: []option.HeadlessRule{
-					{
-						Type: C.RuleTypeDefault,
-						DefaultOptions: option.DefaultHeadlessRule{
-							AdGuardDomain: importantExcludeDomain,
-							DomainRegex:   importantExcludeDomainRegex,
-							Invert:        true,
-						},
-					},
-					currentRule,
-				},
-			},
-		}
-	}
-	log.Info("parsed rules: ", len(ruleLines), "/", len(ruleLines)+ignoredLines)
-	return []option.HeadlessRule{currentRule}, nil
-}
-
-func ignoreIPCIDRRegexp(ruleLine string) bool {
-	if strings.HasPrefix(ruleLine, "(http?:\\/\\/)") {
-		ruleLine = ruleLine[12:]
-	} else if strings.HasPrefix(ruleLine, "(https?:\\/\\/)") {
-		ruleLine = ruleLine[13:]
-	} else if strings.HasPrefix(ruleLine, "^") {
-		ruleLine = ruleLine[1:]
-	} else {
-		return false
-	}
-	_, parseErr := strconv.ParseUint(common.SubstringBefore(ruleLine, "\\."), 10, 8)
-	return parseErr == nil
-}
-
-func parseAdGuardHostLine(ruleLine string) (string, error) {
-	idx := strings.Index(ruleLine, " ")
-	if idx == -1 {
-		return "", os.ErrInvalid
-	}
-	address, err := netip.ParseAddr(ruleLine[:idx])
-	if err != nil {
-		return "", err
-	}
-	if !address.IsUnspecified() {
-		return "", nil
-	}
-	domain := ruleLine[idx+1:]
-	if !M.IsDomainName(domain) {
-		return "", E.New("invalid domain name: ", domain)
-	}
-	return domain, nil
-}
-
-func parseADGuardIPCIDRLine(ruleLine string) (netip.Prefix, error) {
-	var isPrefix bool
-	if strings.HasSuffix(ruleLine, ".") {
-		isPrefix = true
-		ruleLine = ruleLine[:len(ruleLine)-1]
-	}
-	ruleStringParts := strings.Split(ruleLine, ".")
-	if len(ruleStringParts) > 4 || len(ruleStringParts) < 4 && !isPrefix {
-		return netip.Prefix{}, os.ErrInvalid
-	}
-	ruleParts := make([]uint8, 0, len(ruleStringParts))
-	for _, part := range ruleStringParts {
-		rulePart, err := strconv.ParseUint(part, 10, 8)
-		if err != nil {
-			return netip.Prefix{}, err
-		}
-		ruleParts = append(ruleParts, uint8(rulePart))
-	}
-	bitLen := len(ruleParts) * 8
-	for len(ruleParts) < 4 {
-		ruleParts = append(ruleParts, 0)
-	}
-	return netip.PrefixFrom(netip.AddrFrom4(*(*[4]byte)(ruleParts)), bitLen), nil
-}
--- a/cmd/sing-box/internal/convertor/adguard/convertor_test.go
+++ b/cmd/sing-box/internal/convertor/adguard/convertor_test.go
@@ -1,140 +0,0 @@
-package adguard
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/route"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestConverter(t *testing.T) {
-	t.Parallel()
-	rules, err := Convert(strings.NewReader(`
-||example.org^
-|example.com^
-example.net^
-||example.edu
-||example.edu.tw^
-|example.gov
-example.arpa
-@@|sagernet.example.org|
-||sagernet.org^$important
-@@|sing-box.sagernet.org^$important
-`))
-	require.NoError(t, err)
-	require.Len(t, rules, 1)
-	rule, err := route.NewHeadlessRule(nil, rules[0])
-	require.NoError(t, err)
-	matchDomain := []string{
-		"example.org",
-		"www.example.org",
-		"example.com",
-		"example.net",
-		"isexample.net",
-		"www.example.net",
-		"example.edu",
-		"example.edu.cn",
-		"example.edu.tw",
-		"www.example.edu",
-		"www.example.edu.cn",
-		"example.gov",
-		"example.gov.cn",
-		"example.arpa",
-		"www.example.arpa",
-		"isexample.arpa",
-		"example.arpa.cn",
-		"www.example.arpa.cn",
-		"isexample.arpa.cn",
-		"sagernet.org",
-		"www.sagernet.org",
-	}
-	notMatchDomain := []string{
-		"example.org.cn",
-		"notexample.org",
-		"example.com.cn",
-		"www.example.com.cn",
-		"example.net.cn",
-		"notexample.edu",
-		"notexample.edu.cn",
-		"www.example.gov",
-		"notexample.gov",
-		"sagernet.example.org",
-		"sing-box.sagernet.org",
-	}
-	for _, domain := range matchDomain {
-		require.True(t, rule.Match(&adapter.InboundContext{
-			Domain: domain,
-		}), domain)
-	}
-	for _, domain := range notMatchDomain {
-		require.False(t, rule.Match(&adapter.InboundContext{
-			Domain: domain,
-		}), domain)
-	}
-}
-
-func TestHosts(t *testing.T) {
-	t.Parallel()
-	rules, err := Convert(strings.NewReader(`
-127.0.0.1 localhost
-::1 localhost #[IPv6]
-0.0.0.0 google.com
-`))
-	require.NoError(t, err)
-	require.Len(t, rules, 1)
-	rule, err := route.NewHeadlessRule(nil, rules[0])
-	require.NoError(t, err)
-	matchDomain := []string{
-		"google.com",
-	}
-	notMatchDomain := []string{
-		"www.google.com",
-		"notgoogle.com",
-		"localhost",
-	}
-	for _, domain := range matchDomain {
-		require.True(t, rule.Match(&adapter.InboundContext{
-			Domain: domain,
-		}), domain)
-	}
-	for _, domain := range notMatchDomain {
-		require.False(t, rule.Match(&adapter.InboundContext{
-			Domain: domain,
-		}), domain)
-	}
-}
-
-func TestSimpleHosts(t *testing.T) {
-	t.Parallel()
-	rules, err := Convert(strings.NewReader(`
-example.com
-www.example.org
-`))
-	require.NoError(t, err)
-	require.Len(t, rules, 1)
-	rule, err := route.NewHeadlessRule(nil, rules[0])
-	require.NoError(t, err)
-	matchDomain := []string{
-		"example.com",
-		"www.example.org",
-	}
-	notMatchDomain := []string{
-		"example.com.cn",
-		"www.example.com",
-		"notexample.com",
-		"example.org",
-	}
-	for _, domain := range matchDomain {
-		require.True(t, rule.Match(&adapter.InboundContext{
-			Domain: domain,
-		}), domain)
-	}
-	for _, domain := range notMatchDomain {
-		require.False(t, rule.Match(&adapter.InboundContext{
-			Domain: domain,
-		}), domain)
-	}
-}
--- a/cmd/sing-box/main.go
+++ b/cmd/sing-box/main.go
@@ -1,11 +1,74 @@
-//go:build !generate
-
 package main

-import "github.com/sagernet/sing-box/log"
+import (
+	"context"
+	"os"
+	"os/user"
+	"strconv"
+	"time"
+
+	_ "github.com/sagernet/sing-box/include"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/service/filemanager"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	globalCtx         context.Context
+	configPaths       []string
+	configDirectories []string
+	workingDir        string
+	disableColor      bool
+)
+
+var mainCommand = &cobra.Command{
+	Use:              "sing-box",
+	PersistentPreRun: preRun,
+}
+
+func init() {
+	mainCommand.PersistentFlags().StringArrayVarP(&configPaths, "config", "c", nil, "set configuration file path")
+	mainCommand.PersistentFlags().StringArrayVarP(&configDirectories, "config-directory", "C", nil, "set configuration directory path")
+	mainCommand.PersistentFlags().StringVarP(&workingDir, "directory", "D", "", "set working directory")
+	mainCommand.PersistentFlags().BoolVarP(&disableColor, "disable-color", "", false, "disable color output")
+}

 func main() {
 	if err := mainCommand.Execute(); err != nil {
 		log.Fatal(err)
 	}
 }
+
+func preRun(cmd *cobra.Command, args []string) {
+	globalCtx = context.Background()
+	sudoUser := os.Getenv("SUDO_USER")
+	sudoUID, _ := strconv.Atoi(os.Getenv("SUDO_UID"))
+	sudoGID, _ := strconv.Atoi(os.Getenv("SUDO_GID"))
+	if sudoUID == 0 && sudoGID == 0 && sudoUser != "" {
+		sudoUserObject, _ := user.Lookup(sudoUser)
+		if sudoUserObject != nil {
+			sudoUID, _ = strconv.Atoi(sudoUserObject.Uid)
+			sudoGID, _ = strconv.Atoi(sudoUserObject.Gid)
+		}
+	}
+	if sudoUID > 0 && sudoGID > 0 {
+		globalCtx = filemanager.WithDefault(globalCtx, "", "", sudoUID, sudoGID)
+	}
+	if disableColor {
+		log.SetStdLogger(log.NewDefaultFactory(context.Background(), log.Formatter{BaseTime: time.Now(), DisableColors: true}, os.Stderr, "", nil, false).Logger())
+	}
+	if workingDir != "" {
+		_, err := os.Stat(workingDir)
+		if err != nil {
+			filemanager.MkdirAll(globalCtx, workingDir, 0o777)
+		}
+		err = os.Chdir(workingDir)
+		if err != nil {
+			log.Fatal(err)
+		}
+	}
+	if len(configPaths) == 0 && len(configDirectories) == 0 {
+		configPaths = append(configPaths, "config.json")
+	}
+}
--- a/common/dialer/default_go1.20.go
+++ b/common/dialer/default_go1.20.go
@@ -5,7 +5,7 @@ package dialer
 import (
 	"net"

-	"github.com/metacubex/tfo-go"
+	"github.com/sagernet/tfo-go"
 )

 type tcpDialer = tfo.Dialer
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -28,12 +28,13 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	} else {
 		dialer = NewDetour(router, options.Detour)
 	}
-	if options.Detour == "" {
+	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
+	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
 		dialer = NewResolveDialer(
 			router,
 			dialer,
 			options.Detour == "" && !options.TCPFastOpen,
-			dns.DomainStrategy(options.DomainStrategy),
+			domainStrategy,
 			time.Duration(options.FallbackDelay))
 	}
 	return dialer, nil
--- a/common/dialer/tfo.go
+++ b/common/dialer/tfo.go
@@ -15,8 +15,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-
-	"github.com/metacubex/tfo-go"
+	"github.com/sagernet/tfo-go"
 )

 type slowOpenConn struct {
--- a/common/geosite/geosite_test.go
+++ b/common/geosite/geosite_test.go
@@ -1,34 +0,0 @@
-package geosite_test
-
-import (
-	"bytes"
-	"testing"
-
-	"github.com/sagernet/sing-box/common/geosite"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestGeosite(t *testing.T) {
-	t.Parallel()
-
-	var buffer bytes.Buffer
-	err := geosite.Write(&buffer, map[string][]geosite.Item{
-		"test": {
-			{
-				Type:  geosite.RuleTypeDomain,
-				Value: "example.org",
-			},
-		},
-	})
-	require.NoError(t, err)
-	reader, codes, err := geosite.NewReader(bytes.NewReader(buffer.Bytes()))
-	require.NoError(t, err)
-	require.Equal(t, []string{"test"}, codes)
-	items, err := reader.Read("test")
-	require.NoError(t, err)
-	require.Equal(t, []geosite.Item{{
-		Type:  geosite.RuleTypeDomain,
-		Value: "example.org",
-	}}, items)
-}
--- a/common/geosite/reader.go
+++ b/common/geosite/reader.go
@@ -5,20 +5,17 @@ import (
 	"encoding/binary"
 	"io"
 	"os"
-	"sync"
 	"sync/atomic"

+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/varbin"
 )

 type Reader struct {
-	access         sync.Mutex
-	reader         io.ReadSeeker
-	bufferedReader *bufio.Reader
-	metadataIndex  int64
-	domainIndex    map[string]int
-	domainLength   map[string]int
+	reader       io.ReadSeeker
+	domainIndex  map[string]int
+	domainLength map[string]int
 }

 func Open(path string) (*Reader, []string, error) {
@@ -26,22 +23,14 @@ func Open(path string) (*Reader, []string, error) {
 	if err != nil {
 		return nil, nil, err
 	}
-	reader, codes, err := NewReader(content)
+	reader := &Reader{
+		reader: content,
+	}
+	err = reader.readMetadata()
 	if err != nil {
 		content.Close()
 		return nil, nil, err
 	}
-	return reader, codes, nil
-}
-
-func NewReader(readSeeker io.ReadSeeker) (*Reader, []string, error) {
-	reader := &Reader{
-		reader: readSeeker,
-	}
-	err := reader.readMetadata()
-	if err != nil {
-		return nil, nil, err
-	}
 	codes := make([]string, 0, len(reader.domainIndex))
 	for code := range reader.domainIndex {
 		codes = append(codes, code)
@@ -56,8 +45,7 @@ type geositeMetadata struct {
 }

 func (r *Reader) readMetadata() error {
-	counter := &readCounter{Reader: r.reader}
-	reader := bufio.NewReader(counter)
+	reader := bufio.NewReader(r.reader)
 	version, err := reader.ReadByte()
 	if err != nil {
 		return err
@@ -65,39 +53,21 @@ func (r *Reader) readMetadata() error {
 	if version != 0 {
 		return E.New("unknown version")
 	}
-	entryLength, err := binary.ReadUvarint(reader)
+	metadataEntries, err := varbin.ReadValue[[]geositeMetadata](reader, binary.BigEndian)
 	if err != nil {
 		return err
 	}
-	keys := make([]string, entryLength)
 	domainIndex := make(map[string]int)
 	domainLength := make(map[string]int)
-	for i := 0; i < int(entryLength); i++ {
-		var (
-			code       string
-			codeIndex  uint64
-			codeLength uint64
-		)
-		code, err = varbin.ReadValue[string](reader, binary.BigEndian)
-		if err != nil {
-			return err
-		}
-		keys[i] = code
-		codeIndex, err = binary.ReadUvarint(reader)
-		if err != nil {
-			return err
-		}
-		codeLength, err = binary.ReadUvarint(reader)
-		if err != nil {
-			return err
-		}
-		domainIndex[code] = int(codeIndex)
-		domainLength[code] = int(codeLength)
+	for _, entry := range metadataEntries {
+		domainIndex[entry.Code] = int(entry.Index)
+		domainLength[entry.Code] = int(entry.Length)
 	}
 	r.domainIndex = domainIndex
 	r.domainLength = domainLength
-	r.metadataIndex = counter.count - int64(reader.Buffered())
-	r.bufferedReader = reader
+	if reader.Buffered() > 0 {
+		return common.Error(r.reader.Seek(int64(-reader.Buffered()), io.SeekCurrent))
+	}
 	return nil
 }

@@ -106,17 +76,17 @@ func (r *Reader) Read(code string) ([]Item, error) {
 	if !exists {
 		return nil, E.New("code ", code, " not exists!")
 	}
-	_, err := r.reader.Seek(r.metadataIndex+int64(index), io.SeekStart)
+	_, err := r.reader.Seek(int64(index), io.SeekCurrent)
 	if err != nil {
 		return nil, err
 	}
-	r.bufferedReader.Reset(r.reader)
-	itemList := make([]Item, r.domainLength[code])
-	err = varbin.Read(r.bufferedReader, binary.BigEndian, &itemList)
+	counter := &readCounter{Reader: r.reader}
+	domain, err := varbin.ReadValue[[]Item](bufio.NewReader(counter), binary.BigEndian)
 	if err != nil {
 		return nil, err
 	}
-	return itemList, nil
+	_, err = r.reader.Seek(int64(-index)-counter.count, io.SeekCurrent)
+	return domain, err
 }

 func (r *Reader) Upstream() any {
--- a/common/geosite/writer.go
+++ b/common/geosite/writer.go
@@ -5,6 +5,7 @@ import (
 	"encoding/binary"
 	"sort"

+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/varbin"
 )

@@ -19,11 +20,9 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 	index := make(map[string]int)
 	for _, code := range keys {
 		index[code] = content.Len()
-		for _, item := range domains[code] {
-			err := varbin.Write(content, binary.BigEndian, item)
-			if err != nil {
-				return err
-			}
+		err := varbin.Write(content, binary.BigEndian, domains[code])
+		if err != nil {
+			return err
 		}
 	}

@@ -32,26 +31,17 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 		return err
 	}

-	_, err = varbin.WriteUvarint(writer, uint64(len(keys)))
+	err = varbin.Write(writer, binary.BigEndian, common.Map(keys, func(it string) *geositeMetadata {
+		return &geositeMetadata{
+			Code:   it,
+			Index:  uint64(index[it]),
+			Length: uint64(len(domains[it])),
+		}
+	}))
 	if err != nil {
 		return err
 	}

-	for _, code := range keys {
-		err = varbin.Write(writer, binary.BigEndian, code)
-		if err != nil {
-			return err
-		}
-		_, err = varbin.WriteUvarint(writer, uint64(index[code]))
-		if err != nil {
-			return err
-		}
-		_, err = varbin.WriteUvarint(writer, uint64(len(domains[code])))
-		if err != nil {
-			return err
-		}
-	}
-
 	_, err = writer.Write(content.Bytes())
 	if err != nil {
 		return err
--- a/common/ja3/LICENSE
+++ b/common/ja3/LICENSE
@@ -1,29 +0,0 @@
-BSD 3-Clause License
-
-Copyright (c) 2018, Open Systems AG
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-  list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-  this list of conditions and the following disclaimer in the documentation
-  and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-  contributors may be used to endorse or promote products derived from
-  this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/common/ja3/README.md
+++ b/common/ja3/README.md
@@ -1,3 +0,0 @@
-# JA3
-
-mod from: https://github.com/open-ch/ja3
--- a/common/ja3/error.go
+++ b/common/ja3/error.go
@@ -1,31 +0,0 @@
-// Copyright (c) 2018, Open Systems AG. All rights reserved.
-//
-// Use of this source code is governed by a BSD-style license
-// that can be found in the LICENSE file in the root of the source
-// tree.
-
-package ja3
-
-import "fmt"
-
-// Error types
-const (
-	LengthErr        string = "length check %v failed"
-	ContentTypeErr   string = "content type not matching"
-	VersionErr       string = "version check %v failed"
-	HandshakeTypeErr string = "handshake type not matching"
-	SNITypeErr       string = "SNI type not supported"
-)
-
-// ParseError can be encountered while parsing a segment
-type ParseError struct {
-	errType string
-	check   int
-}
-
-func (e *ParseError) Error() string {
-	if e.errType == LengthErr || e.errType == VersionErr {
-		return fmt.Sprintf(e.errType, e.check)
-	}
-	return fmt.Sprint(e.errType)
-}
--- a/common/ja3/ja3.go
+++ b/common/ja3/ja3.go
@@ -1,83 +0,0 @@
-// Copyright (c) 2018, Open Systems AG. All rights reserved.
-//
-// Use of this source code is governed by a BSD-style license
-// that can be found in the LICENSE file in the root of the source
-// tree.
-
-package ja3
-
-import (
-	"crypto/md5"
-	"encoding/hex"
-
-	"golang.org/x/exp/slices"
-)
-
-type ClientHello struct {
-	Version             uint16
-	CipherSuites        []uint16
-	Extensions          []uint16
-	EllipticCurves      []uint16
-	EllipticCurvePF     []uint8
-	Versions            []uint16
-	SignatureAlgorithms []uint16
-	ServerName          string
-	ja3ByteString       []byte
-	ja3Hash             string
-}
-
-func (j *ClientHello) Equals(another *ClientHello, ignoreExtensionsSequence bool) bool {
-	if j.Version != another.Version {
-		return false
-	}
-	if !slices.Equal(j.CipherSuites, another.CipherSuites) {
-		return false
-	}
-	if !ignoreExtensionsSequence && !slices.Equal(j.Extensions, another.Extensions) {
-		return false
-	}
-	if ignoreExtensionsSequence && !slices.Equal(j.Extensions, another.sortedExtensions()) {
-		return false
-	}
-	if !slices.Equal(j.EllipticCurves, another.EllipticCurves) {
-		return false
-	}
-	if !slices.Equal(j.EllipticCurvePF, another.EllipticCurvePF) {
-		return false
-	}
-	if !slices.Equal(j.SignatureAlgorithms, another.SignatureAlgorithms) {
-		return false
-	}
-	return true
-}
-
-func (j *ClientHello) sortedExtensions() []uint16 {
-	extensions := make([]uint16, len(j.Extensions))
-	copy(extensions, j.Extensions)
-	slices.Sort(extensions)
-	return extensions
-}
-
-func Compute(payload []byte) (*ClientHello, error) {
-	ja3 := ClientHello{}
-	err := ja3.parseSegment(payload)
-	return &ja3, err
-}
-
-func (j *ClientHello) String() string {
-	if j.ja3ByteString == nil {
-		j.marshalJA3()
-	}
-	return string(j.ja3ByteString)
-}
-
-func (j *ClientHello) Hash() string {
-	if j.ja3ByteString == nil {
-		j.marshalJA3()
-	}
-	if j.ja3Hash == "" {
-		h := md5.Sum(j.ja3ByteString)
-		j.ja3Hash = hex.EncodeToString(h[:])
-	}
-	return j.ja3Hash
-}
--- a/common/ja3/parser.go
+++ b/common/ja3/parser.go
@@ -1,357 +0,0 @@
-// Copyright (c) 2018, Open Systems AG. All rights reserved.
-//
-// Use of this source code is governed by a BSD-style license
-// that can be found in the LICENSE file in the root of the source
-// tree.
-
-package ja3
-
-import (
-	"encoding/binary"
-	"strconv"
-)
-
-const (
-	// Constants used for parsing
-	recordLayerHeaderLen                  int    = 5
-	handshakeHeaderLen                    int    = 6
-	randomDataLen                         int    = 32
-	sessionIDHeaderLen                    int    = 1
-	cipherSuiteHeaderLen                  int    = 2
-	compressMethodHeaderLen               int    = 1
-	extensionsHeaderLen                   int    = 2
-	extensionHeaderLen                    int    = 4
-	sniExtensionHeaderLen                 int    = 5
-	ecExtensionHeaderLen                  int    = 2
-	ecpfExtensionHeaderLen                int    = 1
-	versionExtensionHeaderLen             int    = 1
-	signatureAlgorithmsExtensionHeaderLen int    = 2
-	contentType                           uint8  = 22
-	handshakeType                         uint8  = 1
-	sniExtensionType                      uint16 = 0
-	sniNameDNSHostnameType                uint8  = 0
-	ecExtensionType                       uint16 = 10
-	ecpfExtensionType                     uint16 = 11
-	versionExtensionType                  uint16 = 43
-	signatureAlgorithmsExtensionType      uint16 = 13
-
-	// Versions
-	// The bitmask covers the versions SSL3.0 to TLS1.2
-	tlsVersionBitmask uint16 = 0xFFFC
-	tls13             uint16 = 0x0304
-
-	// GREASE values
-	// The bitmask covers all GREASE values
-	GreaseBitmask uint16 = 0x0F0F
-
-	// Constants used for marshalling
-	dashByte  = byte(45)
-	commaByte = byte(44)
-)
-
-// parseSegment to populate the corresponding ClientHello object or return an error
-func (j *ClientHello) parseSegment(segment []byte) error {
-	// Check if we can decode the next fields
-	if len(segment) < recordLayerHeaderLen {
-		return &ParseError{LengthErr, 1}
-	}
-
-	// Check if we have "Content Type: Handshake (22)"
-	contType := uint8(segment[0])
-	if contType != contentType {
-		return &ParseError{errType: ContentTypeErr}
-	}
-
-	// Check if TLS record layer version is supported
-	tlsRecordVersion := uint16(segment[1])<<8 | uint16(segment[2])
-	if tlsRecordVersion&tlsVersionBitmask != 0x0300 && tlsRecordVersion != tls13 {
-		return &ParseError{VersionErr, 1}
-	}
-
-	// Check that the Handshake is as long as expected from the length field
-	segmentLen := uint16(segment[3])<<8 | uint16(segment[4])
-	if len(segment[recordLayerHeaderLen:]) < int(segmentLen) {
-		return &ParseError{LengthErr, 2}
-	}
-	// Keep the Handshake messege, ignore any additional following record types
-	hs := segment[recordLayerHeaderLen : recordLayerHeaderLen+int(segmentLen)]
-
-	err := j.parseHandshake(hs)
-
-	return err
-}
-
-// parseHandshake body
-func (j *ClientHello) parseHandshake(hs []byte) error {
-	// Check if we can decode the next fields
-	if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen {
-		return &ParseError{LengthErr, 3}
-	}
-
-	// Check if we have "Handshake Type: Client Hello (1)"
-	handshType := uint8(hs[0])
-	if handshType != handshakeType {
-		return &ParseError{errType: HandshakeTypeErr}
-	}
-
-	// Check if actual length of handshake matches (this is a great exclusion criterion for false positives,
-	// as these fields have to match the actual length of the rest of the segment)
-	handshakeLen := uint32(hs[1])<<16 | uint32(hs[2])<<8 | uint32(hs[3])
-	if len(hs[4:]) != int(handshakeLen) {
-		return &ParseError{LengthErr, 4}
-	}
-
-	// Check if Client Hello version is supported
-	tlsVersion := uint16(hs[4])<<8 | uint16(hs[5])
-	if tlsVersion&tlsVersionBitmask != 0x0300 && tlsVersion != tls13 {
-		return &ParseError{VersionErr, 2}
-	}
-	j.Version = tlsVersion
-
-	// Check if we can decode the next fields
-	sessionIDLen := uint8(hs[38])
-	if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen) {
-		return &ParseError{LengthErr, 5}
-	}
-
-	// Cipher Suites
-	cs := hs[handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen):]
-
-	// Check if we can decode the next fields
-	if len(cs) < cipherSuiteHeaderLen {
-		return &ParseError{LengthErr, 6}
-	}
-
-	csLen := uint16(cs[0])<<8 | uint16(cs[1])
-	numCiphers := int(csLen / 2)
-	cipherSuites := make([]uint16, 0, numCiphers)
-
-	// Check if we can decode the next fields
-	if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen {
-		return &ParseError{LengthErr, 7}
-	}
-
-	for i := 0; i < numCiphers; i++ {
-		cipherSuite := uint16(cs[2+i<<1])<<8 | uint16(cs[3+i<<1])
-		cipherSuites = append(cipherSuites, cipherSuite)
-	}
-	j.CipherSuites = cipherSuites
-
-	// Check if we can decode the next fields
-	compressMethodLen := uint16(cs[cipherSuiteHeaderLen+int(csLen)])
-	if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen+int(compressMethodLen) {
-		return &ParseError{LengthErr, 8}
-	}
-
-	// Extensions
-	exs := cs[cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen+int(compressMethodLen):]
-
-	err := j.parseExtensions(exs)
-
-	return err
-}
-
-// parseExtensions of the handshake
-func (j *ClientHello) parseExtensions(exs []byte) error {
-	// Check for no extensions, this fields header is nonexistent if no body is used
-	if len(exs) == 0 {
-		return nil
-	}
-
-	// Check if we can decode the next fields
-	if len(exs) < extensionsHeaderLen {
-		return &ParseError{LengthErr, 9}
-	}
-
-	exsLen := uint16(exs[0])<<8 | uint16(exs[1])
-	exs = exs[extensionsHeaderLen:]
-
-	// Check if we can decode the next fields
-	if len(exs) < int(exsLen) {
-		return &ParseError{LengthErr, 10}
-	}
-
-	var sni []byte
-	var extensions, ellipticCurves []uint16
-	var ellipticCurvePF []uint8
-	var versions []uint16
-	var signatureAlgorithms []uint16
-	for len(exs) > 0 {
-
-		// Check if we can decode the next fields
-		if len(exs) < extensionHeaderLen {
-			return &ParseError{LengthErr, 11}
-		}
-
-		exType := uint16(exs[0])<<8 | uint16(exs[1])
-		exLen := uint16(exs[2])<<8 | uint16(exs[3])
-		// Ignore any GREASE extensions
-		extensions = append(extensions, exType)
-		// Check if we can decode the next fields
-		if len(exs) < extensionHeaderLen+int(exLen) {
-			return &ParseError{LengthErr, 12}
-		}
-
-		sex := exs[extensionHeaderLen : extensionHeaderLen+int(exLen)]
-
-		switch exType {
-		case sniExtensionType: // Extensions: server_name
-
-			// Check if we can decode the next fields
-			if len(sex) < sniExtensionHeaderLen {
-				return &ParseError{LengthErr, 13}
-			}
-
-			sniType := uint8(sex[2])
-			sniLen := uint16(sex[3])<<8 | uint16(sex[4])
-			sex = sex[sniExtensionHeaderLen:]
-
-			// Check if we can decode the next fields
-			if len(sex) != int(sniLen) {
-				return &ParseError{LengthErr, 14}
-			}
-
-			switch sniType {
-			case sniNameDNSHostnameType:
-				sni = sex
-			default:
-				return &ParseError{errType: SNITypeErr}
-			}
-		case ecExtensionType: // Extensions: supported_groups
-
-			// Check if we can decode the next fields
-			if len(sex) < ecExtensionHeaderLen {
-				return &ParseError{LengthErr, 15}
-			}
-
-			ecsLen := uint16(sex[0])<<8 | uint16(sex[1])
-			numCurves := int(ecsLen / 2)
-			ellipticCurves = make([]uint16, 0, numCurves)
-			sex = sex[ecExtensionHeaderLen:]
-
-			// Check if we can decode the next fields
-			if len(sex) != int(ecsLen) {
-				return &ParseError{LengthErr, 16}
-			}
-
-			for i := 0; i < numCurves; i++ {
-				ecType := uint16(sex[i*2])<<8 | uint16(sex[1+i*2])
-				ellipticCurves = append(ellipticCurves, ecType)
-			}
-
-		case ecpfExtensionType: // Extensions: ec_point_formats
-
-			// Check if we can decode the next fields
-			if len(sex) < ecpfExtensionHeaderLen {
-				return &ParseError{LengthErr, 17}
-			}
-
-			ecpfsLen := uint8(sex[0])
-			numPF := int(ecpfsLen)
-			ellipticCurvePF = make([]uint8, numPF)
-			sex = sex[ecpfExtensionHeaderLen:]
-
-			// Check if we can decode the next fields
-			if len(sex) != numPF {
-				return &ParseError{LengthErr, 18}
-			}
-
-			for i := 0; i < numPF; i++ {
-				ellipticCurvePF[i] = uint8(sex[i])
-			}
-		case versionExtensionType:
-			if len(sex) < versionExtensionHeaderLen {
-				return &ParseError{LengthErr, 19}
-			}
-			versionsLen := int(sex[0])
-			for i := 0; i < versionsLen; i += 2 {
-				versions = append(versions, binary.BigEndian.Uint16(sex[1:][i:]))
-			}
-		case signatureAlgorithmsExtensionType:
-			if len(sex) < signatureAlgorithmsExtensionHeaderLen {
-				return &ParseError{LengthErr, 20}
-			}
-			ssaLen := binary.BigEndian.Uint16(sex)
-			for i := 0; i < int(ssaLen); i += 2 {
-				signatureAlgorithms = append(signatureAlgorithms, binary.BigEndian.Uint16(sex[2:][i:]))
-			}
-		}
-		exs = exs[4+exLen:]
-	}
-	j.ServerName = string(sni)
-	j.Extensions = extensions
-	j.EllipticCurves = ellipticCurves
-	j.EllipticCurvePF = ellipticCurvePF
-	j.Versions = versions
-	j.SignatureAlgorithms = signatureAlgorithms
-	return nil
-}
-
-// marshalJA3 into a byte string
-func (j *ClientHello) marshalJA3() {
-	// An uint16 can contain numbers with up to 5 digits and an uint8 can contain numbers with up to 3 digits, but we
-	// also need a byte for each separating character, except at the end.
-	byteStringLen := 6*(1+len(j.CipherSuites)+len(j.Extensions)+len(j.EllipticCurves)) + 4*len(j.EllipticCurvePF) - 1
-	byteString := make([]byte, 0, byteStringLen)
-
-	// Version
-	byteString = strconv.AppendUint(byteString, uint64(j.Version), 10)
-	byteString = append(byteString, commaByte)
-
-	// Cipher Suites
-	if len(j.CipherSuites) != 0 {
-		for _, val := range j.CipherSuites {
-			if val&GreaseBitmask != 0x0A0A {
-				continue
-			}
-			byteString = strconv.AppendUint(byteString, uint64(val), 10)
-			byteString = append(byteString, dashByte)
-		}
-		// Replace last dash with a comma
-		byteString[len(byteString)-1] = commaByte
-	} else {
-		byteString = append(byteString, commaByte)
-	}
-
-	// Extensions
-	if len(j.Extensions) != 0 {
-		for _, val := range j.Extensions {
-			if val&GreaseBitmask != 0x0A0A {
-				continue
-			}
-			byteString = strconv.AppendUint(byteString, uint64(val), 10)
-			byteString = append(byteString, dashByte)
-		}
-		// Replace last dash with a comma
-		byteString[len(byteString)-1] = commaByte
-	} else {
-		byteString = append(byteString, commaByte)
-	}
-
-	// Elliptic curves
-	if len(j.EllipticCurves) != 0 {
-		for _, val := range j.EllipticCurves {
-			if val&GreaseBitmask != 0x0A0A {
-				continue
-			}
-			byteString = strconv.AppendUint(byteString, uint64(val), 10)
-			byteString = append(byteString, dashByte)
-		}
-		// Replace last dash with a comma
-		byteString[len(byteString)-1] = commaByte
-	} else {
-		byteString = append(byteString, commaByte)
-	}
-
-	// ECPF
-	if len(j.EllipticCurvePF) != 0 {
-		for _, val := range j.EllipticCurvePF {
-			byteString = strconv.AppendUint(byteString, uint64(val), 10)
-			byteString = append(byteString, dashByte)
-		}
-		// Remove last dash
-		byteString = byteString[:len(byteString)-1]
-	}
-
-	j.ja3ByteString = byteString
-}
--- a/common/process/searcher_darwin.go
+++ b/common/process/searcher_darwin.go
@@ -60,12 +60,12 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {

 	isIPv4 := ip.Is4()

-	value, err := unix.SysctlRaw(spath)
+	value, err := syscall.Sysctl(spath)
 	if err != nil {
 		return "", err
 	}

-	buf := value
+	buf := []byte(value)

 	// from darwin-xnu/bsd/netinet/in_pcblist.c:get_pcblist_n
 	// size/offset are round up (aligned) to 8 bytes in darwin
--- a/common/sniff/bittorrent.go
+++ b/common/sniff/bittorrent.go
@@ -12,51 +12,58 @@ import (
 )

 const (
-	trackerConnectFlag    = 0
-	trackerProtocolID     = 0x41727101980
-	trackerConnectMinSize = 16
+	trackerConnectFlag = iota
+	trackerAnnounceFlag
+	trackerScrapeFlag
+
+	trackerProtocolID = 0x41727101980
+
+	trackerConnectMinSize  = 16
+	trackerAnnounceMinSize = 20
+	trackerScrapeMinSize   = 8
 )

 // BitTorrent detects if the stream is a BitTorrent connection.
 // For the BitTorrent protocol specification, see https://www.bittorrent.org/beps/bep_0003.html
-func BitTorrent(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
+func BitTorrent(_ context.Context, reader io.Reader) (*adapter.InboundContext, error) {
 	var first byte
 	err := binary.Read(reader, binary.BigEndian, &first)
 	if err != nil {
-		return err
+		return nil, err
 	}

 	if first != 19 {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}

 	var protocol [19]byte
 	_, err = reader.Read(protocol[:])
 	if err != nil {
-		return err
+		return nil, err
 	}
 	if string(protocol[:]) != "BitTorrent protocol" {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}

-	metadata.Protocol = C.ProtocolBitTorrent
-	return nil
+	return &adapter.InboundContext{
+		Protocol: C.ProtocolBitTorrent,
+	}, nil
 }

 // UTP detects if the packet is a uTP connection packet.
 // For the uTP protocol specification, see
 //  1. https://www.bittorrent.org/beps/bep_0029.html
 //  2. https://github.com/bittorrent/libutp/blob/2b364cbb0650bdab64a5de2abb4518f9f228ec44/utp_internal.cpp#L112
-func UTP(_ context.Context, metadata *adapter.InboundContext, packet []byte) error {
+func UTP(_ context.Context, packet []byte) (*adapter.InboundContext, error) {
 	// A valid uTP packet must be at least 20 bytes long.
 	if len(packet) < 20 {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}

 	version := packet[0] & 0x0F
 	ty := packet[0] >> 4
 	if version != 1 || ty > 4 {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}

 	// Validate the extensions
@@ -65,35 +72,42 @@ func UTP(_ context.Context, metadata *adapter.InboundContext, packet []byte) err
 	for extension != 0 {
 		err := binary.Read(reader, binary.BigEndian, &extension)
 		if err != nil {
-			return err
+			return nil, err
 		}

 		var length byte
 		err = binary.Read(reader, binary.BigEndian, &length)
 		if err != nil {
-			return err
+			return nil, err
 		}
 		_, err = reader.Seek(int64(length), io.SeekCurrent)
 		if err != nil {
-			return err
+			return nil, err
 		}
 	}
-	metadata.Protocol = C.ProtocolBitTorrent
-	return nil
+
+	return &adapter.InboundContext{
+		Protocol: C.ProtocolBitTorrent,
+	}, nil
 }

 // UDPTracker detects if the packet is a UDP Tracker Protocol packet.
 // For the UDP Tracker Protocol specification, see https://www.bittorrent.org/beps/bep_0015.html
-func UDPTracker(_ context.Context, metadata *adapter.InboundContext, packet []byte) error {
-	if len(packet) < trackerConnectMinSize {
-		return os.ErrInvalid
+func UDPTracker(_ context.Context, packet []byte) (*adapter.InboundContext, error) {
+	switch {
+	case len(packet) >= trackerConnectMinSize &&
+		binary.BigEndian.Uint64(packet[:8]) == trackerProtocolID &&
+		binary.BigEndian.Uint32(packet[8:12]) == trackerConnectFlag:
+		fallthrough
+	case len(packet) >= trackerAnnounceMinSize &&
+		binary.BigEndian.Uint32(packet[8:12]) == trackerAnnounceFlag:
+		fallthrough
+	case len(packet) >= trackerScrapeMinSize &&
+		binary.BigEndian.Uint32(packet[8:12]) == trackerScrapeFlag:
+		return &adapter.InboundContext{
+			Protocol: C.ProtocolBitTorrent,
+		}, nil
+	default:
+		return nil, os.ErrInvalid
 	}
-	if binary.BigEndian.Uint64(packet[:8]) != trackerProtocolID {
-		return os.ErrInvalid
-	}
-	if binary.BigEndian.Uint32(packet[8:12]) != trackerConnectFlag {
-		return os.ErrInvalid
-	}
-	metadata.Protocol = C.ProtocolBitTorrent
-	return nil
 }
--- a/common/sniff/bittorrent_test.go
+++ b/common/sniff/bittorrent_test.go
@@ -6,7 +6,6 @@ import (
 	"encoding/hex"
 	"testing"

-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"

@@ -25,8 +24,7 @@ func TestSniffBittorrent(t *testing.T) {
 	for _, pkt := range packets {
 		pkt, err := hex.DecodeString(pkt)
 		require.NoError(t, err)
-		var metadata adapter.InboundContext
-		err = sniff.BitTorrent(context.TODO(), &metadata, bytes.NewReader(pkt))
+		metadata, err := sniff.BitTorrent(context.TODO(), bytes.NewReader(pkt))
 		require.NoError(t, err)
 		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
 	}
@@ -45,8 +43,8 @@ func TestSniffUTP(t *testing.T) {
 	for _, pkt := range packets {
 		pkt, err := hex.DecodeString(pkt)
 		require.NoError(t, err)
-		var metadata adapter.InboundContext
-		err = sniff.UTP(context.TODO(), &metadata, pkt)
+
+		metadata, err := sniff.UTP(context.TODO(), pkt)
 		require.NoError(t, err)
 		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
 	}
@@ -56,17 +54,27 @@ func TestSniffUDPTracker(t *testing.T) {
 	t.Parallel()

 	connectPackets := []string{
+		// connect packets
 		"00000417271019800000000078e90560",
 		"00000417271019800000000022c5d64d",
 		"000004172710198000000000b3863541",
+
+		// announce packets
+		"3d7592ead4b8c9e300000001b871a3820000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
+		"3d7592ead4b8c9e30000000188deed1c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
+		"3d7592ead4b8c9e300000001ceb948ad0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a3362cdb7020ff920e5aa642c3d4066950dd1f01f4d00000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
+
+		// scrape packets
+		"3d7592ead4b8c9e300000002d2f4bba5a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
+		"3d7592ead4b8c9e300000002441243292aae6c35c94fcfb415dbe95f408b9ce91ee846ed",
+		"3d7592ead4b8c9e300000002b2aa461b1ad1fa9661cf3fe45fb2504ad52ec6c67758e294",
 	}

 	for _, pkt := range connectPackets {
 		pkt, err := hex.DecodeString(pkt)
 		require.NoError(t, err)

-		var metadata adapter.InboundContext
-		err = sniff.UDPTracker(context.TODO(), &metadata, pkt)
+		metadata, err := sniff.UDPTracker(context.TODO(), pkt)
 		require.NoError(t, err)
 		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
 	}
--- a/common/sniff/dns.go
+++ b/common/sniff/dns.go
@@ -17,17 +17,18 @@ import (
 	mDNS "github.com/miekg/dns"
 )

-func StreamDomainNameQuery(readCtx context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
+func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
 	var length uint16
 	err := binary.Read(reader, binary.BigEndian, &length)
 	if err != nil {
-		return os.ErrInvalid
+		return nil, err
 	}
 	if length == 0 {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}
 	buffer := buf.NewSize(int(length))
 	defer buffer.Release()
+
 	readCtx, cancel := context.WithTimeout(readCtx, time.Millisecond*100)
 	var readTask task.Group
 	readTask.Append0(func(ctx context.Context) error {
@@ -36,20 +37,19 @@ func StreamDomainNameQuery(readCtx context.Context, metadata *adapter.InboundCon
 	err = readTask.Run(readCtx)
 	cancel()
 	if err != nil {
-		return err
+		return nil, err
 	}
-	return DomainNameQuery(readCtx, metadata, buffer.Bytes())
+	return DomainNameQuery(readCtx, buffer.Bytes())
 }

-func DomainNameQuery(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
+func DomainNameQuery(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
 	var msg mDNS.Msg
 	err := msg.Unpack(packet)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	if len(msg.Question) == 0 || msg.Question[0].Qclass != mDNS.ClassINET || !M.IsDomainName(msg.Question[0].Name) {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}
-	metadata.Protocol = C.ProtocolDNS
-	return nil
+	return &adapter.InboundContext{Protocol: C.ProtocolDNS}, nil
 }
--- a/common/sniff/dtls.go
+++ b/common/sniff/dtls.go
@@ -1,32 +0,0 @@
-package sniff
-
-import (
-	"context"
-	"os"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-)
-
-func DTLSRecord(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
-	const fixedHeaderSize = 13
-	if len(packet) < fixedHeaderSize {
-		return os.ErrInvalid
-	}
-	contentType := packet[0]
-	switch contentType {
-	case 20, 21, 22, 23, 25:
-	default:
-		return os.ErrInvalid
-	}
-	versionMajor := packet[1]
-	if versionMajor != 0xfe {
-		return os.ErrInvalid
-	}
-	versionMinor := packet[2]
-	if versionMinor != 0xff && versionMinor != 0xfd {
-		return os.ErrInvalid
-	}
-	metadata.Protocol = C.ProtocolDTLS
-	return nil
-}
--- a/common/sniff/dtls_test.go
+++ b/common/sniff/dtls_test.go
@@ -1,33 +0,0 @@
-package sniff_test
-
-import (
-	"context"
-	"encoding/hex"
-	"testing"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/sniff"
-	C "github.com/sagernet/sing-box/constant"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestSniffDTLSClientHello(t *testing.T) {
-	t.Parallel()
-	packet, err := hex.DecodeString("16fefd0000000000000000007e010000720000000000000072fefd668a43523798e064bd806d0c87660de9c611a59bbdfc3892c4e072d94f2cafc40000000cc02bc02fc00ac014c02cc0300100003c000d0010000e0403050306030401050106010807ff01000100000a00080006001d00170018000b00020100000e000900060008000700010000170000")
-	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.DTLSRecord(context.Background(), &metadata, packet)
-	require.NoError(t, err)
-	require.Equal(t, metadata.Protocol, C.ProtocolDTLS)
-}
-
-func TestSniffDTLSClientApplicationData(t *testing.T) {
-	t.Parallel()
-	packet, err := hex.DecodeString("17fefd000100000000000100440001000000000001a4f682b77ecadd10f3f3a2f78d90566212366ff8209fd77314f5a49352f9bb9bd12f4daba0b4736ae29e46b9714d3b424b3e6d0234736619b5aa0d3f")
-	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.DTLSRecord(context.Background(), &metadata, packet)
-	require.NoError(t, err)
-	require.Equal(t, metadata.Protocol, C.ProtocolDTLS)
-}
--- a/common/sniff/http.go
+++ b/common/sniff/http.go
@@ -11,12 +11,10 @@ import (
 	"github.com/sagernet/sing/protocol/http"
 )

-func HTTPHost(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
+func HTTPHost(ctx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
 	request, err := http.ReadRequest(std_bufio.NewReader(reader))
 	if err != nil {
-		return err
+		return nil, err
 	}
-	metadata.Protocol = C.ProtocolHTTP
-	metadata.Domain = M.ParseSocksaddr(request.Host).AddrString()
-	return nil
+	return &adapter.InboundContext{Protocol: C.ProtocolHTTP, Domain: M.ParseSocksaddr(request.Host).AddrString()}, nil
 }
--- a/common/sniff/http_test.go
+++ b/common/sniff/http_test.go
@@ -5,7 +5,6 @@ import (
 	"strings"
 	"testing"

-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"

 	"github.com/stretchr/testify/require"
@@ -14,8 +13,7 @@ import (
 func TestSniffHTTP1(t *testing.T) {
 	t.Parallel()
 	pkt := "GET / HTTP/1.1\r\nHost: www.google.com\r\nAccept: */*\r\n\r\n"
-	var metadata adapter.InboundContext
-	err := sniff.HTTPHost(context.Background(), &metadata, strings.NewReader(pkt))
+	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, metadata.Domain, "www.google.com")
 }
@@ -23,8 +21,7 @@ func TestSniffHTTP1(t *testing.T) {
 func TestSniffHTTP1WithPort(t *testing.T) {
 	t.Parallel()
 	pkt := "GET / HTTP/1.1\r\nHost: www.gov.cn:8080\r\nAccept: */*\r\n\r\n"
-	var metadata adapter.InboundContext
-	err := sniff.HTTPHost(context.Background(), &metadata, strings.NewReader(pkt))
+	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, metadata.Domain, "www.gov.cn")
 }
--- a/common/sniff/quic.go
+++ b/common/sniff/quic.go
@@ -5,99 +5,95 @@ import (
 	"context"
 	"crypto"
 	"crypto/aes"
-	"crypto/tls"
 	"encoding/binary"
 	"io"
 	"os"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/ja3"
 	"github.com/sagernet/sing-box/common/sniff/internal/qtls"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"

 	"golang.org/x/crypto/hkdf"
 )

-var ErrClientHelloFragmented = E.New("need more packet for chromium QUIC connection")
-
-func QUICClientHello(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
+func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
 	reader := bytes.NewReader(packet)
+
 	typeByte, err := reader.ReadByte()
 	if err != nil {
-		return err
+		return nil, err
 	}
 	if typeByte&0x40 == 0 {
-		return E.New("bad type byte")
+		return nil, E.New("bad type byte")
 	}
 	var versionNumber uint32
 	err = binary.Read(reader, binary.BigEndian, &versionNumber)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	if versionNumber != qtls.VersionDraft29 && versionNumber != qtls.Version1 && versionNumber != qtls.Version2 {
-		return E.New("bad version")
+		return nil, E.New("bad version")
 	}
 	packetType := (typeByte & 0x30) >> 4
 	if packetType == 0 && versionNumber == qtls.Version2 || packetType == 2 && versionNumber != qtls.Version2 || packetType > 2 {
-		return E.New("bad packet type")
+		return nil, E.New("bad packet type")
 	}

 	destConnIDLen, err := reader.ReadByte()
 	if err != nil {
-		return err
+		return nil, err
 	}

 	if destConnIDLen == 0 || destConnIDLen > 20 {
-		return E.New("bad destination connection id length")
+		return nil, E.New("bad destination connection id length")
 	}

 	destConnID := make([]byte, destConnIDLen)
 	_, err = io.ReadFull(reader, destConnID)
 	if err != nil {
-		return err
+		return nil, err
 	}

 	srcConnIDLen, err := reader.ReadByte()
 	if err != nil {
-		return err
+		return nil, err
 	}

 	_, err = io.CopyN(io.Discard, reader, int64(srcConnIDLen))
 	if err != nil {
-		return err
+		return nil, err
 	}

 	tokenLen, err := qtls.ReadUvarint(reader)
 	if err != nil {
-		return err
+		return nil, err
 	}

 	_, err = io.CopyN(io.Discard, reader, int64(tokenLen))
 	if err != nil {
-		return err
+		return nil, err
 	}

 	packetLen, err := qtls.ReadUvarint(reader)
 	if err != nil {
-		return err
+		return nil, err
 	}

 	hdrLen := int(reader.Size()) - reader.Len()
 	if hdrLen+int(packetLen) > len(packet) {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}

 	_, err = io.CopyN(io.Discard, reader, 4)
 	if err != nil {
-		return err
+		return nil, err
 	}

 	pnBytes := make([]byte, aes.BlockSize)
 	_, err = io.ReadFull(reader, pnBytes)
 	if err != nil {
-		return err
+		return nil, err
 	}

 	var salt []byte
@@ -121,7 +117,7 @@ func QUICClientHello(ctx context.Context, metadata *adapter.InboundContext, pack
 	hpKey := qtls.HKDFExpandLabel(crypto.SHA256, secret, []byte{}, hkdfHeaderProtectionLabel, 16)
 	block, err := aes.NewCipher(hpKey)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	mask := make([]byte, aes.BlockSize)
 	block.Encrypt(mask, pnBytes)
@@ -133,7 +129,7 @@ func QUICClientHello(ctx context.Context, metadata *adapter.InboundContext, pack
 	}
 	packetNumberLength := newPacket[0]&0x3 + 1
 	if hdrLen+int(packetNumberLength) > int(packetLen)+hdrLen {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}
 	var packetNumber uint32
 	switch packetNumberLength {
@@ -146,7 +142,7 @@ func QUICClientHello(ctx context.Context, metadata *adapter.InboundContext, pack
 	case 4:
 		packetNumber = binary.BigEndian.Uint32(newPacket[hdrLen:])
 	default:
-		return E.New("bad packet number length")
+		return nil, E.New("bad packet number length")
 	}
 	extHdrLen := hdrLen + int(packetNumberLength)
 	copy(newPacket[extHdrLen:hdrLen+4], packet[extHdrLen:])
@@ -170,208 +166,138 @@ func QUICClientHello(ctx context.Context, metadata *adapter.InboundContext, pack
 	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], uint64(packetNumber))
 	decrypted, err := cipher.Open(newPacket[extHdrLen:extHdrLen], nonce, data, newPacket[:extHdrLen])
 	if err != nil {
-		return err
+		return nil, err
 	}
 	var frameType byte
-	var fragments []qCryptoFragment
+	var frameLen uint64
+	var fragments []struct {
+		offset  uint64
+		length  uint64
+		payload []byte
+	}
 	decryptedReader := bytes.NewReader(decrypted)
-	const (
-		frameTypePadding         = 0x00
-		frameTypePing            = 0x01
-		frameTypeAck             = 0x02
-		frameTypeAck2            = 0x03
-		frameTypeCrypto          = 0x06
-		frameTypeConnectionClose = 0x1c
-	)
-	var frameTypeList []uint8
 	for {
 		frameType, err = decryptedReader.ReadByte()
 		if err == io.EOF {
 			break
 		}
-		frameTypeList = append(frameTypeList, frameType)
 		switch frameType {
-		case frameTypePadding:
+		case 0x00: // PADDING
 			continue
-		case frameTypePing:
+		case 0x01: // PING
 			continue
-		case frameTypeAck, frameTypeAck2:
+		case 0x02, 0x03: // ACK
 			_, err = qtls.ReadUvarint(decryptedReader) // Largest Acknowledged
 			if err != nil {
-				return err
+				return nil, err
 			}
 			_, err = qtls.ReadUvarint(decryptedReader) // ACK Delay
 			if err != nil {
-				return err
+				return nil, err
 			}
 			ackRangeCount, err := qtls.ReadUvarint(decryptedReader) // ACK Range Count
 			if err != nil {
-				return err
+				return nil, err
 			}
 			_, err = qtls.ReadUvarint(decryptedReader) // First ACK Range
 			if err != nil {
-				return err
+				return nil, err
 			}
 			for i := 0; i < int(ackRangeCount); i++ {
 				_, err = qtls.ReadUvarint(decryptedReader) // Gap
 				if err != nil {
-					return err
+					return nil, err
 				}
 				_, err = qtls.ReadUvarint(decryptedReader) // ACK Range Length
 				if err != nil {
-					return err
+					return nil, err
 				}
 			}
 			if frameType == 0x03 {
 				_, err = qtls.ReadUvarint(decryptedReader) // ECT0 Count
 				if err != nil {
-					return err
+					return nil, err
 				}
 				_, err = qtls.ReadUvarint(decryptedReader) // ECT1 Count
 				if err != nil {
-					return err
+					return nil, err
 				}
 				_, err = qtls.ReadUvarint(decryptedReader) // ECN-CE Count
 				if err != nil {
-					return err
+					return nil, err
 				}
 			}
-		case frameTypeCrypto:
+		case 0x06: // CRYPTO
 			var offset uint64
 			offset, err = qtls.ReadUvarint(decryptedReader)
 			if err != nil {
-				return err
+				return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, err
 			}
 			var length uint64
 			length, err = qtls.ReadUvarint(decryptedReader)
 			if err != nil {
-				return err
+				return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, err
 			}
 			index := len(decrypted) - decryptedReader.Len()
-			fragments = append(fragments, qCryptoFragment{offset, length, decrypted[index : index+int(length)]})
+			fragments = append(fragments, struct {
+				offset  uint64
+				length  uint64
+				payload []byte
+			}{offset, length, decrypted[index : index+int(length)]})
+			frameLen += length
 			_, err = decryptedReader.Seek(int64(length), io.SeekCurrent)
 			if err != nil {
-				return err
+				return nil, err
 			}
-		case frameTypeConnectionClose:
+		case 0x1c: // CONNECTION_CLOSE
 			_, err = qtls.ReadUvarint(decryptedReader) // Error Code
 			if err != nil {
-				return err
+				return nil, err
 			}
 			_, err = qtls.ReadUvarint(decryptedReader) // Frame Type
 			if err != nil {
-				return err
+				return nil, err
 			}
 			var length uint64
 			length, err = qtls.ReadUvarint(decryptedReader) // Reason Phrase Length
 			if err != nil {
-				return err
+				return nil, err
 			}
 			_, err = decryptedReader.Seek(int64(length), io.SeekCurrent) // Reason Phrase
 			if err != nil {
-				return err
+				return nil, err
 			}
 		default:
-			return os.ErrInvalid
+			return nil, os.ErrInvalid
 		}
 	}
-	if metadata.SniffContext != nil {
-		fragments = append(fragments, metadata.SniffContext.([]qCryptoFragment)...)
-		metadata.SniffContext = nil
-	}
-	var frameLen uint64
-	for _, fragment := range fragments {
-		frameLen += fragment.length
-	}
-	buffer := buf.NewSize(5 + int(frameLen))
-	defer buffer.Release()
-	buffer.WriteByte(0x16)
-	binary.Write(buffer, binary.BigEndian, uint16(0x0303))
-	binary.Write(buffer, binary.BigEndian, uint16(frameLen))
+	tlsHdr := make([]byte, 5)
+	tlsHdr[0] = 0x16
+	binary.BigEndian.PutUint16(tlsHdr[1:], uint16(0x0303))
+	binary.BigEndian.PutUint16(tlsHdr[3:], uint16(frameLen))
 	var index uint64
 	var length int
+	var readers []io.Reader
+	readers = append(readers, bytes.NewReader(tlsHdr))
 find:
 	for {
 		for _, fragment := range fragments {
 			if fragment.offset == index {
-				buffer.Write(fragment.payload)
+				readers = append(readers, bytes.NewReader(fragment.payload))
 				index = fragment.offset + fragment.length
 				length++
 				continue find
 			}
 		}
-		break
+		if length == len(fragments) {
+			break
+		}
+		return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, E.New("bad fragments")
+	}
+	metadata, err := TLSClientHello(ctx, io.MultiReader(readers...))
+	if err != nil {
+		return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, err
 	}
 	metadata.Protocol = C.ProtocolQUIC
-	fingerprint, err := ja3.Compute(buffer.Bytes())
-	if err != nil {
-		metadata.Protocol = C.ProtocolQUIC
-		metadata.Client = C.ClientChromium
-		metadata.SniffContext = fragments
-		return ErrClientHelloFragmented
-	}
-	metadata.Domain = fingerprint.ServerName
-	for metadata.Client == "" {
-		if len(frameTypeList) == 1 {
-			metadata.Client = C.ClientFirefox
-			break
-		}
-		if frameTypeList[0] == frameTypeCrypto && isZero(frameTypeList[1:]) {
-			if len(fingerprint.Versions) == 2 && fingerprint.Versions[0]&ja3.GreaseBitmask == 0x0A0A &&
-				len(fingerprint.EllipticCurves) == 5 && fingerprint.EllipticCurves[0]&ja3.GreaseBitmask == 0x0A0A {
-				metadata.Client = C.ClientSafari
-				break
-			}
-			if len(fingerprint.CipherSuites) == 1 && fingerprint.CipherSuites[0] == tls.TLS_AES_256_GCM_SHA384 &&
-				len(fingerprint.EllipticCurves) == 1 && fingerprint.EllipticCurves[0] == uint16(tls.X25519) &&
-				len(fingerprint.SignatureAlgorithms) == 1 && fingerprint.SignatureAlgorithms[0] == uint16(tls.ECDSAWithP256AndSHA256) {
-				metadata.Client = C.ClientSafari
-				break
-			}
-		}
-
-		if frameTypeList[len(frameTypeList)-1] == frameTypeCrypto && isZero(frameTypeList[:len(frameTypeList)-1]) {
-			metadata.Client = C.ClientQUICGo
-			break
-		}
-
-		if count(frameTypeList, frameTypeCrypto) > 1 || count(frameTypeList, frameTypePing) > 0 {
-			if maybeUQUIC(fingerprint) {
-				metadata.Client = C.ClientQUICGo
-			} else {
-				metadata.Client = C.ClientChromium
-			}
-			break
-		}
-
-		metadata.Client = C.ClientUnknown
-		//nolint:staticcheck
-		break
-	}
-	return nil
-}
-
-func isZero(slices []uint8) bool {
-	for _, slice := range slices {
-		if slice != 0 {
-			return false
-		}
-	}
-	return true
-}
-
-func count(slices []uint8, value uint8) int {
-	var times int
-	for _, slice := range slices {
-		if slice == value {
-			times++
-		}
-	}
-	return times
-}
-
-type qCryptoFragment struct {
-	offset  uint64
-	length  uint64
-	payload []byte
+	return metadata, nil
 }
--- a/common/sniff/quic_blacklist.go
+++ b/common/sniff/quic_blacklist.go
@@ -1,24 +0,0 @@
-package sniff
-
-import (
-	"crypto/tls"
-
-	"github.com/sagernet/sing-box/common/ja3"
-)
-
-// Chromium sends separate client hello packets, but UQUIC has not yet implemented this behavior
-// The cronet without this behavior does not have version 115
-var uQUICChrome115 = &ja3.ClientHello{
-	Version:             tls.VersionTLS12,
-	CipherSuites:        []uint16{4865, 4866, 4867},
-	Extensions:          []uint16{0, 10, 13, 16, 27, 43, 45, 51, 57, 17513},
-	EllipticCurves:      []uint16{29, 23, 24},
-	SignatureAlgorithms: []uint16{1027, 2052, 1025, 1283, 2053, 1281, 2054, 1537, 513},
-}
-
-func maybeUQUIC(fingerprint *ja3.ClientHello) bool {
-	if uQUICChrome115.Equals(fingerprint, true) {
-		return true
-	}
-	return false
-}
--- a/common/sniff/quic_test.go
+++ b/common/sniff/quic_test.go
@@ -5,69 +5,31 @@ import (
 	"encoding/hex"
 	"testing"

-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
-	C "github.com/sagernet/sing-box/constant"

 	"github.com/stretchr/testify/require"
 )

-func TestSniffQUICChromium(t *testing.T) {
+func TestSniffQUICv1(t *testing.T) {
 	t.Parallel()
-	pkt, err := hex.DecodeString("c30000000108f40d654cc09b27f5000044d08a94548e57e43cc5483f129986187c432d58d46674830442988f869566a6e31e2ae37c9f7acbf61cc81621594fab0b3dfdc1635460b32389563dc8e74006315661cd22694114612973c1c45910621713a48b375854f095e8a77ccf3afa64e972f0f7f7002f50e0b014b1b146ea47c07fb20b73ad5587872b51a0b3fafdf1c4cf4fe6f8b112142392efa25d993abe2f42582be145148bdfe12edcd96c3655b65a4781b093e5594ba8e3ae5320f12e8314fc3ca374128cc43381046c322b964681ed4395c813b28534505118201459665a44b8f0abead877de322e9040631d20b05f15b81fa7ff785d4041aecc37c7e2ccdc5d1532787ce566517e8985fd5c200dbfd1e67bc255efaba94cfc07bb52fea4a90887413b134f2715b5643542aa897c6116486f428d82da64d2a2c1e1bdd40bd592558901a554b003d6966ac5a7b8b9413eddbf6ef21f28386c74981e3ce1d724c341e95494907626659692720c81114ca4acea35a14c402cfa3dc2228446e78dc1b81fa4325cf7e314a9cad6a6bdff33b3351dcba74eb15fae67f1227283aa4cdd64bcadf8f19358333f8549b596f4350297b5c65274565869d497398339947b9d3d064e5b06d39d34b436d8a41c1a3880de10bd26c3b1c5b4e2a49b0d4d07b8d90cd9e92bc611564d19ea8ec33099e92033caf21f5307dbeaa4708b99eb313bff99e2081ac25fd12d6a72e8335e0724f6718fe023cd0ad0d6e6a6309f09c9c391eec2bc08e9c3210a043c08e1759f354c121f6517fff4d6e20711a871e41285d48d930352fddffb92c96ba57df045ce99f8bfdfa8edc0969ce68a51e9fbb4f54b956d9df74a9e4af27ed2b27839bce1cffeca8333c0aaee81a570217442f9029ba8fedb84a2cf4be4d910982d891ea00e816c7fb98e8020e896a9c6fdd9106611da0a99dde18df1b7a8f6327acb1eed9ad93314451e48cb0dfb9571728521ca3db2ac0968159d5622556a55d51a422d11995b650949aaefc5d24c16080446dfc4fbc10353f9f93ce161ab513367bb89ab83988e0630b689e174e27bcfcc31996ee7b0bca909e251b82d69a28fee5a5d662e127508cd19dbbe5097b7d5b62a49203d66764197a527e472e2627e44a93d44177dace9d60e7d0e03305ddf4cfe47cdf2362e14de79ef46a6763ce696cd7854a48d9419a0817507a4713ffd4977b906d4f2b5fb6dbe1bd15bc505d5fea582190bf531a45d5ee026da8918547fd5105f15e5d061c7b0cf80a34990366ed8e91e13c2f0d85e5dad537298808d193cf54b7eaac33f10051f74cb6b75e52f81618c36f03d86aef613ba237a1a793ba1539938a38f62ccaf7bd5f6c5e0ce53cde4012fcf2b758214a0422d2faaa798e86e19d7481b42df2b36a73d287ff28c20cce01ce598771fec16a8f1f00305c06010126013a6c1de9f589b4e79d693717cd88ad1c42a2d99fa96617ba0bc6365b68e21a70ebc447904aa27979e1514433cfd83bfec09f137c747d47582cb63eb28f873fb94cf7a59ff764ddfbb687d79a58bb10f85949269f7f72c611a5e0fbb52adfa298ff060ec2eb7216fd7302ea8fb07798cbb3be25cb53ac8161aac2b5bbcfbcfb01c113d28bd1cb0333fb89ac82a95930f7abded0a2f5a623cc6a1f62bf3f38ef1b81c1e50a634f657dbb6770e4af45879e2fb1e00c742e7b52205c8015b5c0f5b1e40186ff9aa7288ab3e01a51fb87761f9bc6837082af109b39cc9f620")
+	pkt, err := hex.DecodeString("cc0000000108d2dc7bad02241f5003796e71004215a71bfcb05159416c724be418537389acdd9a4047306283dcb4d7a9cad5cc06322042d204da67a8dbaa328ab476bb428b48fd001501863afd203f8d4ef085629d664f1a734a65969a47e4a63d4e01a21f18c1d90db0c027180906dc135f9ae421bb8617314c8d54c175fef3d3383d310d0916ebcbd6eed9329befbbb109d8fd4af1d2cf9d6adce8e6c1260a7f8256e273e326da0aa7cc148d76e7a08489dc9d52ade89c027cbc3491ada46417c2c04e2ca768e9a7dd6aa00c594e48b678927325da796817693499bb727050cb3baf3d3291a397c3a8d868e8ec7b8f7295e347455c9dadbe2252ae917ac793d958c7fb8a3d2cdb34e3891eb4286f18617556ff7216dd60256aa5b1d11ff4753459fc5f9dedf11d483a26a0835dc6cd50e1c1f54f86e8f1e502821183cd874f6447a74e818bf3445c7795acf4559d1c1fac474911d2ead5c8d23e4aa4f67afb66efe305a30a0b5d825679b31ddc186cbea936535795c7e8c378c87b8c5adc065154d15bae8f85ac8fec2da40c3aa623b682a065440831555011d7647cde44446a0fb4cf5892f2c088ae1920643094be72e3c499fe8d265caf939e8ab607a5b9317917d2a32a812e8a0e6a2f84721bbb5984ffd242838f705d13f4cfb249bc6a5c80d58ac2595edf56648ec3fe21d787573c253a79805252d6d81e26d367d4ff29ef66b5fe8992086af7bada8cad10b82a7c0dc406c5b6d0c5ec3c583e767f759ce08cad6c3c8f91e5a8")
 	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
-	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientChromium)
-	require.ErrorIs(t, err, sniff.ErrClientHelloFragmented)
-	pkt, err = hex.DecodeString("c90000000108f40d654cc09b27f5000044d073eb38807026d4088455e650e7ccf750d01a72f15f9bfc8ff40d223499db1a485cff14dbd45b9be118172834dc35dca3cf62f61a1266f40b92faf3d28d67a466cfdca678ddced15cd606d31959cf441828467857b226d1a241847c82c57312cefe68ba5042d929919bcd4403b39e5699fe87dda05df1b3801e048edee792458e9b1a9b1d4039df05847bcee3be567494b5876e3bd4c3220fe9dfdb2c07d77410f907f744251ef15536cc03b267d3668d5b75bc1ad2fe735cd3bb73519dd9f1625a49e17ad27bdeccf706c83b5ea339a0a05dd0072f4a8f162bd29926b4997f05613c6e4b0270b0c02805ca0543f27c1ff8505a5750bdd33529ee73c491050a10c6903f53c1121dbe0380e84c007c8df74a1b02443ed80ba7766aef5549e618d4fd249844ee28565142005369869299e8c3035ecef3d799f6cada8549e75b4ce4cbf4c85ef071fd7ff067b1ca9b5968dc41d13d011f6d7843823bac97acb1eb8ee45883f0f254b5f9bd4c763b67e2d8c70a7618a0ef0de304cf597a485126e09f8b2fd795b394c0b4bc4cd2634c2057970da2c798c5e8af7aed4f76f5e25d04e3f8c9c5a5b150d17e0d4c74229898c69b8dc7b8bcc9d359eb441de75c68fbdebec62fb669dcccfb1aad03e3fa073adb2ccf7bb14cbaf99e307d2c903ee71a8f028102eb510caee7e7397512086a78d1f95635c7d06845b5a708652dc4e5cd61245aae5b3c05b84815d84d367bce9b9e3f6d6b90701ac3679233c14d5ce2a1eff26469c966266dc6284bdb95c9c6158934c413a872ce22101e4163e3293d236b301592ca4ccacc1fd4c37066e79c2d9857c8a2560dcf0b33b19163c4240c471b19907476e7e25c65f7eb37276594a0f6b4c33c340cc3284178f17ac5e34dbe7509db890e4ddfd0540fbf9deb32a0101d24fe58b26c5f81c627db9d6ae59d7a111a3d5d1f6109f4eec0d0234e6d73c73a44f50999462724b51ce0fd8283535d70d9e83872c79c59897407a0736741011ae5c64862eb0712f9e7b07aa1d5418ca3fde8626257c6fe418f3c5479055bb2b0ab4c25f649923fc2a41c79aaa7d0f3af6d8b8cf06f61f0230d09bbb60bb49b9e49cc5973748a6cf7ffdee7804d424f9423c63e7ff22f4bd24e4867636ef9fe8dd37f59941a8a47c27765caa8e875a30b62834f17c569227e5e6ed15d58e05d36e76332befad065a2cd4079e66d5af189b0337624c89b1560c3b1b0befd5c1f20e6de8e3d664b3ac06b3d154b488983e14aa93266f5f8b621d2a9bb7ccce509eb26e025c9c45f7cccc09ce85b3103af0c93ce9822f82ecb168ca3177829afb2ea0da2c380e7b1728add55a5d42632e2290363d4cbe432b67e13691648e1acfab22cf0d551eee857709b428bb78e27a45aff6eca301c02e4d13cf36cc2494fdd1aef8dede6e18febd79dca4c6964d09b91c25a08f0947c76ab5104de9404459c2edf5f4adb9dfd771be83656f77fbbafb1ad3281717066010be8778952495383c9f2cf0a38527228c662a35171c5981731f1af09bab842fe6c3162ad4152a4221f560eb6f9bea66b294ffbd3643da2fe34096da13c246505452540177a2a0a1a69106e5cfc279a4890fc3be2952f26be245f930e6c2d9e7e26ee960481e72b99594a1185b46b94b6436d00ba6c70ffe135d43907c92c6f1c09fb9453f103730714f5700fa4347f9715c774cb04a7218dacc66d9c2fade18b14e684aa7fc9ebda0a28")
+	metadata, err := sniff.QUICClientHello(context.Background(), pkt)
 	require.NoError(t, err)
-	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
-	require.NoError(t, err)
-	require.Equal(t, metadata.Domain, "google.com")
+	require.Equal(t, metadata.Domain, "cloudflare-quic.com")
 }

-func TestSniffUQUICChrome115(t *testing.T) {
+func TestSniffQUICFragment(t *testing.T) {
 	t.Parallel()
-	pkt, err := hex.DecodeString("cb0000000108181e17c387120abc000044d0705b6a3ef9ee37a8d3949a7d393ed078243c2ee2c3627fad1c3f107c117f4f071131ad61848068fcbbe5c65803c147f7f8ec5e2cd77b77beea23ba779d936dccac540f8396400e3190ea35cc2942af4171a04cb14272491920f90124959f44e80143678c0b52f5d31af319aaa589db2f940f004562724d0af40f737e1bb0002a071e6a1dbc9f52c64f070806a5010abed0298053634d9c9126bd7949ae5087998ade762c0ad06691d99c0875a38c601fc1ee77bfc3b8c11381829f2c9bdd022f4499c43ff1d6aee1a0d296861461dda217d22c568b276016ef3929e59d2f7d7ddf7809920fb7dc805641608949f3f8466ab3d37149aac501f0b107d808f3add4acfc657e4a82e2b88e97a6c74a00c419548760ab3414ba13915c78a1ca79dceee8d59fbe299f20b671ac44823218368b2a026baa55170cf549519ac21dbb6d31d248bd339438a4e663bcdca1fe3ae3f045a5dc19b122e9db9d7af9757076666dda4e9ace1c67def77fa14786f0cab3ebf7a270ea6e2b37838318c95779f80c3b8471948d0046c3614b3a13477c939a39a7855d85d13522a45ae0765739cd5eedef87237e824a929983ace27640c6495dbf5a72fa0b96893dc5d28f3988249a57bdb458d460b4a57043de3da750a76b6e5d2259247ca27cd864ea18f0d09aa62ab6eb7c014fb43179b2a1963d170b756cce83eeaebff78a828d025c811848e16ff862a8080d093478cd2208c8ab0803178325bc0d9d6bb25e62fa50c4ad15cf80916da6578796932036c72e43eb480d1e423ed812ac75a97722f8416529b82ba8ee2219c535012282bb17066bd53e78b87a71abdb7ebdb2a7c2766ff8397962e87d0f85485b64b4ee81cc84f99c47f33f2b0872716441992773f59186e38d32dbf5609a6fda94cb928cd25f5a7a3ab736b5a4236b6d5409ab18892c6a4d3480fc2350abfdf0bab1cedb55bdf0760fdb703e6688f4de596254eed4ed3e67eb03d0717b8e15b31e735214e588c87ae36bc6c310e1894b4c15143e4ccf287b2dbc707a946bf9671ae3c574f9486b2c82eec784bba4cbc76113cbe0f97ac8c13cfa38f2925ab9d06887a612ce48280a91d7e074e6caf898d88e2bbf71360899abf48a03f9a70cf2891199f2d63b116f4871af0ebb4f4906792f66cc21d1609f189138532875c129a68c73e7bcd3b5d8100beac1d8ac4b20d94a59ac8df5a5af58a9acb20413eadf97189f5f19ff889155f0c4d37514ec184eb6903967ff38a41fc087abb0f2cad3761d6e3f95f92a09a72f5c065b16e188088b87460241f27ecdb1bc6ece92c8d36b2d68b58d0fb4d4b3c928c579ade8ae5a995833aadd297c30a37f7bc35440fc97070e1b198e0fac00157452177d16d2803b4239997452b4ad3a951173bdec47a033fd7f8a7942accaa9aaa905b3c5a2175e7c3e07c48bf25331727fd69cd1e64d74d8c9d4a6f8f4491adb7bc911505cb19877083d8f21a12475e313fccf57877ff3556318e81ed9145dd9427f2b65275440893035f417481f721c69215af8ae103530cd0a1d35bf2cb5a27628f8d44d7c6f5ec12ce79d0a8333e0eb48771115d0a191304e46b8db19bbe5c40f1c346dde98e76ff5e21ff38d2c34e60cb07766ed529dd6d2cbacd7fbf1ed8a0e6e40decad0ca5021e91552be87c156d3ae2fffef41c65b14ba6d488f2c3227a1ab11ffce0e2dc47723a69da27a67a7f26e1cb13a7103af9b87a8db8e18ea")
+	pkt, err := hex.DecodeString("cc00000001082e3d5d1b64040c55000044d0ccea69e773f6631c1d18b04ae9ee75fcfc34ef74fa62533c93534338a86f101a05d70e0697fb483063fa85db1c59ccfbda5c35234931d8524d8aac37eaaad649470a67794cd754b23c98695238b8363452333bc8c4858376b4166e001da2006e35cf98a91e11a56419b2786775284942d0f7163982f7c248867d12dd374957481dbc564013ff785e1916195eef671f725908f761099d992d69231336ba81d9e25fe2fa3a6eff4318a6ccf10176fc841a1b315f7b35c5b292266fc869d76ca533e7d14e86d82db2e22eacd350977e47d2e012d8a5891c5aaf2a0f4c2b2dae897c161e5b68cbb4dee952472bdc1e21504b8f02534ec4366ce3f8bf86efc78e0232778fbd554457567112abdcafcf6d4d8fcf35083c25d9495679614aba21696e338c62b585046cc55ba8c09c844361d889a47c3ea703b4e23545a9ab2c0bb369693a9ddfb5daffa85cf80fdd6ad66738664e5b0a551729b4955cff7255afcb04dee88c2f072c9de7400947a1bd9327ac5d012a33000ada021d4c03d249fb017d6ac9200b2f9436beab8183ddfbe2d8aee31ffb7df9e1cc181c1af80c39a89965d18ed12da8e3ebe2ae1fbe4b348f83ba19e3e3d1c9b22bcf03ab6ad9b30fe180623faa291ebad83bcd71d7b57f2f5e2f3b8e81d24fb70b2f2159239e8f21ffafef2747aba47d97ab4081e603c018b10678cf99cab1fb42156a14486fa435153979d7279fd22cd40af7088bfc7eff41af2f4b3c0c8864d0040d74dff427f7bffdb8c278474ea00311326cf4925471a8cf596cb92119f19e0f789490ba9cb77b98015a987d93e0324cf1a38b55109f00c3e6ddc5180fb107bf468323afec9bb49fd6a86418569789d66cafe3b8253c2aebb3af3782c1c54dd560487d031d28e6a6e23e159581bb1d47efc4da3fe1d169f9ffb0ca9ba61af0a38a92fde5bc5e6ec026e8378a6315a7b95abf1d2da790a391306ce74d0baf8e2ce648ca74c487f2c0a76a28a80cdf5bd34316eb607684fe7e6d9e83824a00e07660d0b90e3cddd61ebf10748263474afa88c300549e64ce2e90560bb1a12dee7e9484f729a8a4ee7c5651adb5194b3b3ae38e501567c7dbf36e7bb37a2c20b74655f47f2d9af18e52e9d4c9c9eee8e63745779b8f0b06f3a09d846ba62eb978ad77c85de1ee2fee3fbb4c2d283c73e1ccba56a4658e48a2665d200f7f9342f8e84c2ba490094a4f94feec89e42d2f654f564c2beb2997bafa1fc2c68ad8e160b63587d49abc31b834878d52acfb05fb73d0e059b206162e3c90b40c4bc08407ffcb3c08431895b691a3fea923f1f3b48db75d3e6b91fd319ffe4d486e0e14bd5c6affc838dee63d9e0b80f169b5e6c02c7321dcb20deb2b8e707b60e345a308d505bbf26a93d8f18b39d62632e9a77cbe48b3b32eb8819d6311a49820d40f5acbf0273c91c36b2269a03e72ee64df3dfb10ddefe73c64ef60870b2b77bd99dea655f5fe791b538a929a14d99f6d69685d72431ea5f0f4b27a044f2f575ab474fcc3857895934de1ca2581798eaef2c17fe5aaf2e6add97fa32997c7026f15c1b1ad0e6043ae506027a7c0242546fdc851cca39a204e56879f2cef838be8ec66e0f2292f8c862e06f810eb9b80c7a467ce6e90155206352c7f82b1173ba3b98d35bb72c259a60db20dd1a43fe6d7aef0265e6eaa5caafd9b64b448ff745a2046acbdb65cf2a5007809808a4828dc99097feedc734c236260c584")
 	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
+	metadata, err := sniff.QUICClientHello(context.Background(), pkt)
 	require.NoError(t, err)
-	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientQUICGo)
-	require.Equal(t, metadata.Domain, "www.google.com")
-}
-
-func TestSniffQUICFirefox(t *testing.T) {
-	t.Parallel()
-	pkt, err := hex.DecodeString("c8000000010867f174d7ebfe1b0803cd9c20004286de068f7963cf1736349ee6ebe0ddcd3e4cd0041a51ced3f7ce9eea1fb595458e74bdb4b792b16449bd8cae71419862c4fcbe766eaec7d1af65cd298e1dd46f8bd94a77ab4ca28c54b8e9773de3f02d7cb2463c9f7dcacfb311f024b0266ec6ab7bfb615b4148333fb4d4ece7c4cd90029ca30c2cbae2216b428499ec873fa125797e71c5a5da85087760ad37ca610020f71b76e82651c47576e20bf33cf676cb2d400b8c09d3c8cb4e21c47d2b21f6b68732bef30c8cefd5c723fc23eb29e6f7f65a5e52aad9055c1fb3d8b1811f0380b38d7e2eee8eb37dd5bd5d4ca4b66540175d916289d88a9df7c161964d713999c5057d27edb298ef5164352568b0d4bac3c15d90456e8fd460e41b81d0ec1b1e94b87d3333cc6908b018e0914ae1f214d73e75398da3d55a0106161d3a75897b4eb66e98c59010fae75f0d367d38be48c3a5c58bc8a30773c3fff50690ac9d487822f85d4f5713d626baa92d36e858dd21259cf814bce0b90d18da88a1ade40113e5a088cdb304a2558879152a8cf15c1839e056378aa41acba6fcb9974dee54bd50b5d4eb2c475654e06c0ec06b7f18f4462c808684843a1071041b9bfb2688324e0120144944416e30e83eedbbbcbc275b1f53762d3db18f0998ce54f0e1c512946b4098f07781d49264fa148f4c8220a3b02e73d7f15554aa370aafeff73cb75c52c494edf90f0261abfdd32a4d670f729de50266162687aa8efe14b8506f313b058b02aaaab5825428f5f4510b8e49451fdcb7b5a4af4b59c831afcb89fb4f64dba78e3b38387e87e9e8cdaa1f3b700a87c7d442388863b8950296e5773b38f308d62f52548c0bbf308e40540747cca5bf99b1345bc0d70b8f0e69a83b85a8d69f795b87f93e2bfccf52b529afea4ff6fd456957000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
-	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
-	require.NoError(t, err)
-	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientFirefox)
-	require.Equal(t, metadata.Domain, "www.google.com")
-}
-
-func TestSniffQUICSafari(t *testing.T) {
-	t.Parallel()
-	pkt, err := hex.DecodeString("c70000000108e4e75af2e223198a0000449ef2d83cb4473a62765eba67424cd4a5817315cbf55a9e8daaca360904b0bae60b1629cfeba11e2dfbbf5ea4c588cb134e31af36fd7a409fb0fcc0187e9b56037ac37964ed20a8c1ca19fd6cfd53398324b3d0c71537294f769db208fa998b6811234a4a7eb3b5eceb457ae92e3a2d98f7c110702db8064b5c29fa3298eb1d0529fd445a84a5fd6ff8709be90f8af4f94998d8a8f2953bb05ad08c80668eca784c6aec959114e68e5b827e7c41c79f2277c716a967e7fcc8d1b77442e6cb18329dbedb34b473516b468cba5fc20659e655fbe37f36408289b9a475fcee091bd82828d3be00367e9e5cec9423bb97854abdada1d7562a3777756eb3bddef826ddc1ef46137cb01bb504a54d410d9bcb74cd5f959050c84edf343fa6a49708c228a758ee7adbbadf260b2f1984911489712e2cb364a3d6520badba4b7e539b9c163eeddfd96c0abb0de151e47496bb9750be76ee17ccdb61d35d2c6795174037d6f9d282c3f36c4d9a90b64f3b6ddd0cf4d9ed8e6f7805e25928fa04b087e63ae02761df30720cc01dfc32b64c575c8a66ef82e9a17400ff80cd8609b93ba16d668f4aa734e71c4a5d145f14ee1151bec970214e0ff83fc3e1e85d8694f2975f9155c57c18b7b69bb6a36832a9435f1f4b346a7be188f3a75f9ad2cc6ad0a3d26d6fa7d4c1179bd49bd5989d15ba43ff602890107db96484695086627356750d7b2b3b714ba65d564654e8f60ac10f5b6d3bfb507e8eaa31bab1da2d676195046d165c7f8b32829c9f9b68d97b2af7ac04a1369357e4b65de2b2f24eaf27cc8d95e05db001adebe726f927a94e43e62ce671e6e306e16f05aafcbe6c49080e80286d7939f375023d110a5ad9069364ae928ca480454a9dcddd61bc48b7efeb716a5bd6c7cd39c486ceb20c738af6abf22ba1ddd8b4a3b781fc2f251173409e1aadccbd7514e97106d0ebfc3af6e59445f74cd733a1ba99b10fce3fb4e9f7c88f5e25b567f5ba2b8dabacd375e7faf7634bfa178cbe51aee63032c5126b196ea47b02385fc3062a000fb7e4b4d0d12e74579f8830ede20d10829496032b2cc56743287f9a9b4d5091877a82fea44deb2cffac8a379f78a151d99e28cbc74d732c083bf06d50584e3f18f254e71a48d6ababaf6fff6f425e9be001510dfbe6a32a27792c00ada036b62ddb90c706d7b882c76a7072f5dd11c69a1f49d4ba183cb0b57545419fa27b9b9706098848935ae9c9e8fbe9fac165d1339128b991a73d20e7795e8d6a8c6adfbf20bf13ada43f2aef3ba78c14697910507132623f721387dce60c4707225b84d9782d469a5d9eaa099f35d6a590ef142ddef766495cf3337815ceef5ff2b3ed352637e72b5c23a2a8ff7d7440236a19b981d47f8e519a0431ebfbc0b78d8a36798b4c060c0c6793499f1e2e818862560a5b501c8d02ba1517be1941da2af5b174e0189c62978d878eb0f9c9db3a9221c28fb94645cf6e85ff2eea8c65ba3083a7382b131b83102dd67aa5453ad7375a4eb8c69fc479fbd29dab8924f801d253f2c997120b705c6e5217fb74702e2f1038917dd5fb0eeb7ae1bf7a668fc7d50c034b4cd5a057a8482e6bc9c921297f44e76967265623a167cd9883eb6e64bc77856dc333bd605d7df3bed0e5cecb5a99fe8b62873d58530f")
-	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
-	require.NoError(t, err)
-	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientSafari)
-	require.Equal(t, metadata.Domain, "www.google.com")
+	require.Equal(t, metadata.Domain, "cloudflare-quic.com")
 }

 func FuzzSniffQUIC(f *testing.F) {
 	f.Fuzz(func(t *testing.T, data []byte) {
-		var metadata adapter.InboundContext
-		err := sniff.QUICClientHello(context.Background(), &metadata, data)
-		require.Error(t, err)
+		sniff.QUICClientHello(context.Background(), data)
 	})
 }
--- a/common/sniff/rdp.go
+++ b/common/sniff/rdp.go
@@ -1,90 +0,0 @@
-package sniff
-
-import (
-	"context"
-	"encoding/binary"
-	"io"
-	"os"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common/rw"
-)
-
-func RDP(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
-	var tpktVersion uint8
-	err := binary.Read(reader, binary.BigEndian, &tpktVersion)
-	if err != nil {
-		return err
-	}
-	if tpktVersion != 0x03 {
-		return os.ErrInvalid
-	}
-
-	var tpktReserved uint8
-	err = binary.Read(reader, binary.BigEndian, &tpktReserved)
-	if err != nil {
-		return err
-	}
-	if tpktReserved != 0x00 {
-		return os.ErrInvalid
-	}
-
-	var tpktLength uint16
-	err = binary.Read(reader, binary.BigEndian, &tpktLength)
-	if err != nil {
-		return err
-	}
-
-	if tpktLength != 19 {
-		return os.ErrInvalid
-	}
-
-	var cotpLength uint8
-	err = binary.Read(reader, binary.BigEndian, &cotpLength)
-	if err != nil {
-		return err
-	}
-
-	if cotpLength != 14 {
-		return os.ErrInvalid
-	}
-
-	var cotpTpduType uint8
-	err = binary.Read(reader, binary.BigEndian, &cotpTpduType)
-	if err != nil {
-		return err
-	}
-	if cotpTpduType != 0xE0 {
-		return os.ErrInvalid
-	}
-
-	err = rw.SkipN(reader, 5)
-	if err != nil {
-		return err
-	}
-
-	var rdpType uint8
-	err = binary.Read(reader, binary.BigEndian, &rdpType)
-	if err != nil {
-		return err
-	}
-	if rdpType != 0x01 {
-		return os.ErrInvalid
-	}
-	var rdpFlags uint8
-	err = binary.Read(reader, binary.BigEndian, &rdpFlags)
-	if err != nil {
-		return err
-	}
-	var rdpLength uint8
-	err = binary.Read(reader, binary.BigEndian, &rdpLength)
-	if err != nil {
-		return err
-	}
-	if rdpLength != 8 {
-		return os.ErrInvalid
-	}
-	metadata.Protocol = C.ProtocolRDP
-	return nil
-}
--- a/common/sniff/rdp_test.go
+++ b/common/sniff/rdp_test.go
@@ -1,25 +0,0 @@
-package sniff_test
-
-import (
-	"bytes"
-	"context"
-	"encoding/hex"
-	"testing"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/sniff"
-	C "github.com/sagernet/sing-box/constant"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestSniffRDP(t *testing.T) {
-	t.Parallel()
-
-	pkt, err := hex.DecodeString("030000130ee00000000000010008000b000000010008000b000000")
-	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.RDP(context.TODO(), &metadata, bytes.NewReader(pkt))
-	require.NoError(t, err)
-	require.Equal(t, C.ProtocolRDP, metadata.Protocol)
-}
--- a/common/sniff/sniff.go
+++ b/common/sniff/sniff.go
@@ -14,65 +14,49 @@ import (
 )

 type (
-	StreamSniffer = func(ctx context.Context, metadata *adapter.InboundContext, reader io.Reader) error
-	PacketSniffer = func(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error
+	StreamSniffer = func(ctx context.Context, reader io.Reader) (*adapter.InboundContext, error)
+	PacketSniffer = func(ctx context.Context, packet []byte) (*adapter.InboundContext, error)
 )

-func Skip(metadata adapter.InboundContext) bool {
-	// skip server first protocols
-	switch metadata.Destination.Port {
-	case 25, 465, 587:
-		// SMTP
-		return true
-	case 143, 993:
-		// IMAP
-		return true
-	case 110, 995:
-		// POP3
-		return true
-	}
-	return false
-}
-
-func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.Conn, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) error {
+func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) (*adapter.InboundContext, error) {
 	if timeout == 0 {
 		timeout = C.ReadPayloadTimeout
 	}
 	deadline := time.Now().Add(timeout)
 	var errors []error
-	for i := 0; ; i++ {
+
+	for i := 0; i < 3; i++ {
 		err := conn.SetReadDeadline(deadline)
 		if err != nil {
-			return E.Cause(err, "set read deadline")
+			return nil, E.Cause(err, "set read deadline")
 		}
 		_, err = buffer.ReadOnceFrom(conn)
-		_ = conn.SetReadDeadline(time.Time{})
+		err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
 		if err != nil {
 			if i > 0 {
 				break
 			}
-			return E.Cause(err, "read payload")
+			return nil, E.Cause(err, "read payload")
 		}
-		errors = nil
 		for _, sniffer := range sniffers {
-			err = sniffer(ctx, metadata, bytes.NewReader(buffer.Bytes()))
-			if err == nil {
-				return nil
+			metadata, err := sniffer(ctx, bytes.NewReader(buffer.Bytes()))
+			if metadata != nil {
+				return metadata, nil
 			}
 			errors = append(errors, err)
 		}
 	}
-	return E.Errors(errors...)
+	return nil, E.Errors(errors...)
 }

-func PeekPacket(ctx context.Context, metadata *adapter.InboundContext, packet []byte, sniffers ...PacketSniffer) error {
+func PeekPacket(ctx context.Context, packet []byte, sniffers ...PacketSniffer) (*adapter.InboundContext, error) {
 	var errors []error
 	for _, sniffer := range sniffers {
-		err := sniffer(ctx, metadata, packet)
-		if err == nil {
-			return nil
+		metadata, err := sniffer(ctx, packet)
+		if metadata != nil {
+			return metadata, nil
 		}
 		errors = append(errors, err)
 	}
-	return E.Errors(errors...)
+	return nil, E.Errors(errors...)
 }
--- a/common/sniff/ssh.go
+++ b/common/sniff/ssh.go
@@ -1,26 +0,0 @@
-package sniff
-
-import (
-	"bufio"
-	"context"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-)
-
-func SSH(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
-	scanner := bufio.NewScanner(reader)
-	if !scanner.Scan() {
-		return os.ErrInvalid
-	}
-	fistLine := scanner.Text()
-	if !strings.HasPrefix(fistLine, "SSH-2.0-") {
-		return os.ErrInvalid
-	}
-	metadata.Protocol = C.ProtocolSSH
-	metadata.Client = fistLine[8:]
-	return nil
-}
--- a/common/sniff/ssh_test.go
+++ b/common/sniff/ssh_test.go
@@ -1,26 +0,0 @@
-package sniff_test
-
-import (
-	"bytes"
-	"context"
-	"encoding/hex"
-	"testing"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/sniff"
-	C "github.com/sagernet/sing-box/constant"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestSniffSSH(t *testing.T) {
-	t.Parallel()
-
-	pkt, err := hex.DecodeString("5353482d322e302d64726f70626561720d0a000001a40a1492892570d1223aef61b0d647972c8bd30000009f637572766532353531392d7368613235362c637572766532353531392d736861323536406c69627373682e6f72672c6469666669652d68656c6c6d616e2d67726f757031342d7368613235362c6469666669652d68656c6c6d616e2d67726f757031342d736861312c6b6578677565737332406d6174742e7563632e61736e2e61752c6b65782d7374726963742d732d763030406f70656e7373682e636f6d000000207373682d656432353531392c7273612d736861322d3235362c7373682d7273610000003363686163686132302d706f6c7931333035406f70656e7373682e636f6d2c6165733132382d6374722c6165733235362d6374720000003363686163686132302d706f6c7931333035406f70656e7373682e636f6d2c6165733132382d6374722c6165733235362d63747200000017686d61632d736861312c686d61632d736861322d32353600000017686d61632d736861312c686d61632d736861322d323536000000046e6f6e65000000046e6f6e65000000000000000000000000002aa6ed090585b7d635b6")
-	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.SSH(context.TODO(), &metadata, bytes.NewReader(pkt))
-	require.NoError(t, err)
-	require.Equal(t, C.ProtocolSSH, metadata.Protocol)
-	require.Equal(t, "dropbear", metadata.Client)
-}
--- a/common/sniff/stun.go
+++ b/common/sniff/stun.go
@@ -9,17 +9,16 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 )

-func STUNMessage(_ context.Context, metadata *adapter.InboundContext, packet []byte) error {
+func STUNMessage(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
 	pLen := len(packet)
 	if pLen < 20 {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}
 	if binary.BigEndian.Uint32(packet[4:8]) != 0x2112A442 {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}
 	if len(packet) < 20+int(binary.BigEndian.Uint16(packet[2:4])) {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}
-	metadata.Protocol = C.ProtocolSTUN
-	return nil
+	return &adapter.InboundContext{Protocol: C.ProtocolSTUN}, nil
 }
--- a/common/sniff/stun_test.go
+++ b/common/sniff/stun_test.go
@@ -5,7 +5,6 @@ import (
 	"encoding/hex"
 	"testing"

-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"

@@ -16,16 +15,14 @@ func TestSniffSTUN(t *testing.T) {
 	t.Parallel()
 	packet, err := hex.DecodeString("000100002112a44224b1a025d0c180c484341306")
 	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.STUNMessage(context.Background(), &metadata, packet)
+	metadata, err := sniff.STUNMessage(context.Background(), packet)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolSTUN)
 }

 func FuzzSniffSTUN(f *testing.F) {
 	f.Fuzz(func(t *testing.T, data []byte) {
-		var metadata adapter.InboundContext
-		if err := sniff.STUNMessage(context.Background(), &metadata, data); err == nil {
+		if _, err := sniff.STUNMessage(context.Background(), data); err == nil {
 			t.Fail()
 		}
 	})
--- a/common/sniff/tls.go
+++ b/common/sniff/tls.go
@@ -10,7 +10,7 @@ import (
 	"github.com/sagernet/sing/common/bufio"
 )

-func TLSClientHello(ctx context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
+func TLSClientHello(ctx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
 	var clientHello *tls.ClientHelloInfo
 	err := tls.Server(bufio.NewReadOnlyConn(reader), &tls.Config{
 		GetConfigForClient: func(argHello *tls.ClientHelloInfo) (*tls.Config, error) {
@@ -19,9 +19,7 @@ func TLSClientHello(ctx context.Context, metadata *adapter.InboundContext, reade
 		},
 	}).HandshakeContext(ctx)
 	if clientHello != nil {
-		metadata.Protocol = C.ProtocolTLS
-		metadata.Domain = clientHello.ServerName
-		return nil
+		return &adapter.InboundContext{Protocol: C.ProtocolTLS, Domain: clientHello.ServerName}, nil
 	}
-	return err
+	return nil, err
 }
--- a/common/srs/binary.go
+++ b/common/srs/binary.go
@@ -36,12 +36,10 @@ const (
 	ruleItemPackageName
 	ruleItemWIFISSID
 	ruleItemWIFIBSSID
-	ruleItemAdGuardDomain
-	ruleItemProcessPathRegex
 	ruleItemFinal uint8 = 0xFF
 )

-func Read(reader io.Reader, recover bool) (ruleSet option.PlainRuleSet, err error) {
+func Read(reader io.Reader, recovery bool) (ruleSet option.PlainRuleSet, err error) {
 	var magicBytes [3]byte
 	_, err = io.ReadFull(reader, magicBytes[:])
 	if err != nil {
@@ -56,21 +54,21 @@ func Read(reader io.Reader, recover bool) (ruleSet option.PlainRuleSet, err erro
 	if err != nil {
 		return ruleSet, err
 	}
-	if version > C.RuleSetVersion2 {
+	if version != 1 {
 		return ruleSet, E.New("unsupported version: ", version)
 	}
-	compressReader, err := zlib.NewReader(reader)
+	zReader, err := zlib.NewReader(reader)
 	if err != nil {
 		return
 	}
-	bReader := bufio.NewReader(compressReader)
+	bReader := bufio.NewReader(zReader)
 	length, err := binary.ReadUvarint(bReader)
 	if err != nil {
 		return
 	}
 	ruleSet.Rules = make([]option.HeadlessRule, length)
 	for i := uint64(0); i < length; i++ {
-		ruleSet.Rules[i], err = readRule(bReader, recover)
+		ruleSet.Rules[i], err = readRule(bReader, recovery)
 		if err != nil {
 			err = E.Cause(err, "read rule[", i, "]")
 			return
@@ -79,44 +77,34 @@ func Read(reader io.Reader, recover bool) (ruleSet option.PlainRuleSet, err erro
 	return
 }

-func Write(writer io.Writer, ruleSet option.PlainRuleSet, generateUnstable bool) error {
+func Write(writer io.Writer, ruleSet option.PlainRuleSet) error {
 	_, err := writer.Write(MagicBytes[:])
 	if err != nil {
 		return err
 	}
-	var version uint8
-	if generateUnstable {
-		version = C.RuleSetVersion2
-	} else {
-		version = C.RuleSetVersion1
-	}
-	err = binary.Write(writer, binary.BigEndian, version)
+	err = binary.Write(writer, binary.BigEndian, uint8(1))
 	if err != nil {
 		return err
 	}
-	compressWriter, err := zlib.NewWriterLevel(writer, zlib.BestCompression)
+	zWriter, err := zlib.NewWriterLevel(writer, zlib.BestCompression)
 	if err != nil {
 		return err
 	}
-	bWriter := bufio.NewWriter(compressWriter)
+	bWriter := bufio.NewWriter(zWriter)
 	_, err = varbin.WriteUvarint(bWriter, uint64(len(ruleSet.Rules)))
 	if err != nil {
 		return err
 	}
 	for _, rule := range ruleSet.Rules {
-		err = writeRule(bWriter, rule, generateUnstable)
+		err = writeRule(bWriter, rule)
 		if err != nil {
 			return err
 		}
 	}
-	err = bWriter.Flush()
-	if err != nil {
-		return err
-	}
-	return compressWriter.Close()
+	return zWriter.Close()
 }

-func readRule(reader varbin.Reader, recover bool) (rule option.HeadlessRule, err error) {
+func readRule(reader varbin.Reader, recovery bool) (rule option.HeadlessRule, err error) {
 	var ruleType uint8
 	err = binary.Read(reader, binary.BigEndian, &ruleType)
 	if err != nil {
@@ -125,28 +113,28 @@ func readRule(reader varbin.Reader, recover bool) (rule option.HeadlessRule, err
 	switch ruleType {
 	case 0:
 		rule.Type = C.RuleTypeDefault
-		rule.DefaultOptions, err = readDefaultRule(reader, recover)
+		rule.DefaultOptions, err = readDefaultRule(reader, recovery)
 	case 1:
 		rule.Type = C.RuleTypeLogical
-		rule.LogicalOptions, err = readLogicalRule(reader, recover)
+		rule.LogicalOptions, err = readLogicalRule(reader, recovery)
 	default:
 		err = E.New("unknown rule type: ", ruleType)
 	}
 	return
 }

-func writeRule(writer varbin.Writer, rule option.HeadlessRule, generateUnstable bool) error {
+func writeRule(writer varbin.Writer, rule option.HeadlessRule) error {
 	switch rule.Type {
 	case C.RuleTypeDefault:
-		return writeDefaultRule(writer, rule.DefaultOptions, generateUnstable)
+		return writeDefaultRule(writer, rule.DefaultOptions)
 	case C.RuleTypeLogical:
-		return writeLogicalRule(writer, rule.LogicalOptions, generateUnstable)
+		return writeLogicalRule(writer, rule.LogicalOptions)
 	default:
 		panic("unknown rule type: " + rule.Type)
 	}
 }

-func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHeadlessRule, err error) {
+func readDefaultRule(reader varbin.Reader, recovery bool) (rule option.DefaultHeadlessRule, err error) {
 	var lastItemType uint8
 	for {
 		var itemType uint8
@@ -173,9 +161,6 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 				return
 			}
 			rule.DomainMatcher = matcher
-			if recover {
-				rule.Domain, rule.DomainSuffix = matcher.Dump()
-			}
 		case ruleItemDomainKeyword:
 			rule.DomainKeyword, err = readRuleItemString(reader)
 		case ruleItemDomainRegex:
@@ -185,7 +170,7 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 			if err != nil {
 				return
 			}
-			if recover {
+			if recovery {
 				rule.SourceIPCIDR = common.Map(rule.SourceIPSet.Prefixes(), netip.Prefix.String)
 			}
 		case ruleItemIPCIDR:
@@ -193,7 +178,7 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 			if err != nil {
 				return
 			}
-			if recover {
+			if recovery {
 				rule.IPCIDR = common.Map(rule.IPSet.Prefixes(), netip.Prefix.String)
 			}
 		case ruleItemSourcePort:
@@ -208,25 +193,12 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 			rule.ProcessName, err = readRuleItemString(reader)
 		case ruleItemProcessPath:
 			rule.ProcessPath, err = readRuleItemString(reader)
-		case ruleItemProcessPathRegex:
-			rule.ProcessPathRegex, err = readRuleItemString(reader)
 		case ruleItemPackageName:
 			rule.PackageName, err = readRuleItemString(reader)
 		case ruleItemWIFISSID:
 			rule.WIFISSID, err = readRuleItemString(reader)
 		case ruleItemWIFIBSSID:
 			rule.WIFIBSSID, err = readRuleItemString(reader)
-		case ruleItemAdGuardDomain:
-			if recover {
-				err = E.New("unable to decompile binary AdGuard rules to rule-set")
-				return
-			}
-			var matcher *domain.AdGuardMatcher
-			matcher, err = domain.ReadAdGuardMatcher(reader)
-			if err != nil {
-				return
-			}
-			rule.AdGuardDomainMatcher = matcher
 		case ruleItemFinal:
 			err = binary.Read(reader, binary.BigEndian, &rule.Invert)
 			return
@@ -240,7 +212,7 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 	}
 }

-func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, generateUnstable bool) error {
+func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule) error {
 	err := binary.Write(writer, binary.BigEndian, uint8(0))
 	if err != nil {
 		return err
@@ -264,7 +236,7 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 		if err != nil {
 			return err
 		}
-		err = domain.NewMatcher(rule.Domain, rule.DomainSuffix, !generateUnstable).Write(writer)
+		err = domain.NewMatcher(rule.Domain, rule.DomainSuffix).Write(writer)
 		if err != nil {
 			return err
 		}
@@ -329,12 +301,6 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 			return err
 		}
 	}
-	if len(rule.ProcessPathRegex) > 0 {
-		err = writeRuleItemString(writer, ruleItemProcessPathRegex, rule.ProcessPathRegex)
-		if err != nil {
-			return err
-		}
-	}
 	if len(rule.PackageName) > 0 {
 		err = writeRuleItemString(writer, ruleItemPackageName, rule.PackageName)
 		if err != nil {
@@ -353,16 +319,6 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 			return err
 		}
 	}
-	if len(rule.AdGuardDomain) > 0 {
-		err = binary.Write(writer, binary.BigEndian, ruleItemAdGuardDomain)
-		if err != nil {
-			return err
-		}
-		err = domain.NewAdGuardMatcher(rule.AdGuardDomain).Write(writer)
-		if err != nil {
-			return err
-		}
-	}
 	err = binary.Write(writer, binary.BigEndian, ruleItemFinal)
 	if err != nil {
 		return err
@@ -457,7 +413,7 @@ func readLogicalRule(reader varbin.Reader, recovery bool) (logicalRule option.Lo
 	return
 }

-func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRule, generateUnstable bool) error {
+func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRule) error {
 	err := binary.Write(writer, binary.BigEndian, uint8(1))
 	if err != nil {
 		return err
@@ -478,7 +434,7 @@ func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRu
 		return err
 	}
 	for _, rule := range logicalRule.Rules {
-		err = writeRule(writer, rule, generateUnstable)
+		err = writeRule(writer, rule)
 		if err != nil {
 			return err
 		}
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -217,10 +217,18 @@ func init() {

 func uTLSClientHelloID(name string) (utls.ClientHelloID, error) {
 	switch name {
-	case "chrome_psk", "chrome_psk_shuffle", "chrome_padding_psk_shuffle", "chrome_pq":
-		fallthrough
 	case "chrome", "":
 		return utls.HelloChrome_Auto, nil
+	case "chrome_psk":
+		return utls.HelloChrome_100_PSK, nil
+	case "chrome_psk_shuffle":
+		return utls.HelloChrome_112_PSK_Shuf, nil
+	case "chrome_padding_psk_shuffle":
+		return utls.HelloChrome_114_Padding_PSK_Shuf, nil
+	case "chrome_pq":
+		return utls.HelloChrome_115_PQ, nil
+	case "chrome_pq_psk":
+		return utls.HelloChrome_115_PQ_PSK, nil
 	case "firefox":
 		return utls.HelloFirefox_Auto, nil
 	case "edge":
--- a/constant/protocol.go
+++ b/constant/protocol.go
@@ -7,15 +7,4 @@ const (
 	ProtocolDNS        = "dns"
 	ProtocolSTUN       = "stun"
 	ProtocolBitTorrent = "bittorrent"
-	ProtocolDTLS       = "dtls"
-	ProtocolSSH        = "ssh"
-	ProtocolRDP        = "rdp"
-)
-
-const (
-	ClientChromium = "chromium"
-	ClientSafari   = "safari"
-	ClientFirefox  = "firefox"
-	ClientQUICGo   = "quic-go"
-	ClientUnknown  = "unknown"
 )
--- a/constant/rule.go
+++ b/constant/rule.go
@@ -14,11 +14,7 @@ const (
 	RuleSetTypeInline   = "inline"
 	RuleSetTypeLocal    = "local"
 	RuleSetTypeRemote   = "remote"
+	RuleSetVersion1     = 1
 	RuleSetFormatSource = "source"
 	RuleSetFormatBinary = "binary"
 )
-
-const (
-	RuleSetVersion1 = 1 + iota
-	RuleSetVersion2
-)
--- a/debug_go118.go
+++ b/debug_go118.go
@@ -0,0 +1,36 @@
+//go:build !go1.19
+
+package box
+
+import (
+	"runtime/debug"
+
+	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/option"
+)
+
+func applyDebugOptions(options option.DebugOptions) {
+	applyDebugListenOption(options)
+	if options.GCPercent != nil {
+		debug.SetGCPercent(*options.GCPercent)
+	}
+	if options.MaxStack != nil {
+		debug.SetMaxStack(*options.MaxStack)
+	}
+	if options.MaxThreads != nil {
+		debug.SetMaxThreads(*options.MaxThreads)
+	}
+	if options.PanicOnFault != nil {
+		debug.SetPanicOnFault(*options.PanicOnFault)
+	}
+	if options.TraceBack != "" {
+		debug.SetTraceback(options.TraceBack)
+	}
+	if options.MemoryLimit != 0 {
+		// debug.SetMemoryLimit(int64(options.MemoryLimit))
+		conntrack.MemoryLimit = uint64(options.MemoryLimit)
+	}
+	if options.OOMKiller != nil {
+		conntrack.KillerEnabled = *options.OOMKiller
+	}
+}
--- a/debug_go119.go
+++ b/debug_go119.go
@@ -1,3 +1,5 @@
+//go:build go1.19
+
 package box

 import (
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,159 +2,11 @@
 icon: material/alert-decagram
 ---

-#### 1.10.0-rc.1
-
-* Fixes and improvements
-
-### 1.9.7
-
-* Fixes and improvements
-
-#### 1.10.0-beta.11
-
-* Update uTLS to v1.6.7 **1**
-* Add ipk in release artifacts
-
-**1**:
-
-Some legacy chrome fingerprints have been removed and will fallback to chrome, see [utls](/configuration/shared/tls#utls).
-
-#### 1.10.0-beta.10
-
-* Add `process_path_regex` rule item
-* Fixes and improvements
-
-_The macOS standalone versions of sing-box (>=1.9.5/<1.10.0-beta.11) now silently fail and require manual granting of the **Full Disk Access** permission to system extension to start, probably due to Apple's changed security policy. We will prompt users about this in feature versions._
-
-### 1.9.6
-
-* Fixes and improvements
-
-### 1.9.5
-
-* Update quic-go to v0.47.0
-* Fix direct dialer not resolving domain
-* Fix no error return when empty DNS cache retrieved
-* Fix build with go1.23
-* Fix stream sniffer
-* Fix bad redirect in clash-api
-* Fix wireguard events chan leak
-* Fix cached conn eats up read deadlines
-* Fix disconnected interface selected as default in windows
-* Update Bundle Identifiers for Apple platform clients **1**
-
-**1**:
-
-See [Migration](/migration/#bundle-identifier-updates-in-apple-platform-clients).
-
-We are still working on getting all sing-box apps back on the App Store, which should be completed within a week
-(SFI on the App Store and others on TestFlight are already available).
-
-#### 1.10.0-beta.8
-
-* Fixes and improvements
-
-_With the help of a netizen, we are in the process of getting sing-box apps back on the App Store, which should be completed within a month (TestFlight is already available)._
-
-#### 1.10.0-beta.7
-
-* Update quic-go to v0.47.0
-* Fixes and improvements
-
-#### 1.10.0-beta.6
-
-* Add RDP sniffer
-* Fixes and improvements
-
-#### 1.10.0-beta.5
-
-* Add PNA support for [Clash API](/configuration/experimental/clash-api/)
-* Fixes and improvements
-
-#### 1.10.0-beta.3
-
-* Add SSH sniffer
-* Fixes and improvements
-
-#### 1.10.0-beta.2
-
-* Build with go1.23
-* Fixes and improvements
-
-### 1.9.4
-
-* Update quic-go to v0.46.0
-* Update Hysteria2 BBR congestion control
-* Filter HTTPS ipv4hint/ipv6hint with domain strategy
-* Fix crash on Android when using process rules
-* Fix non-IP queries accepted by address filter rules
-* Fix UDP server for shadowsocks AEAD multi-user inbounds
-* Fix default next protos for v2ray QUIC transport
-* Fix default end value of port range configuration options
-* Fix reset v2ray transports
-* Fix panic caused by rule-set generation of duplicate keys for `domain_suffix`
-* Fix UDP connnection leak when sniffing
-* Fixes and improvements
-
-_Due to problems with our Apple developer account,
-sing-box apps on Apple platforms are temporarily unavailable for download or update.
-If your company or organization is willing to help us return to the App Store,
-please [contact us](mailto:contact@sagernet.org)._
-
-#### 1.10.0-alpha.29
-
-* Update quic-go to v0.46.0
-* Fixes and improvements
-
-#### 1.10.0-alpha.25
-
-* Add AdGuard DNS Filter support **1**
-
-**1**:
-
-The new feature allows you to use AdGuard DNS Filter lists in a sing-box without AdGuard Home.
-
-See [AdGuard DNS Filter](/configuration/rule-set/adguard/).
-
-#### 1.10.0-alpha.23
-
-* Add Chromium support for QUIC sniffer
-* Add client type detect support for QUIC sniffer **1**
-* Fixes and improvements
-
-**1**:
-
-Now the QUIC sniffer can correctly extract the server name from Chromium requests and
-can identify common QUIC clients, including
-Chromium, Safari, Firefox, quic-go (including uquic disguised as Chrome).
-
-See [Protocol Sniff](/configuration/route/sniff/) and [Route Rule](/configuration/route/rule/#client).
-
-#### 1.10.0-alpha.22
-
-* Optimize memory usages of rule-sets **1**
-* Fixes and improvements
-
-**1**:
-
-See [Source Format](/configuration/rule-set/source-format/#version).
-
-#### 1.10.0-alpha.20
-
-* Add DTLS sniffer
-* Fixes and improvements
-
-#### 1.10.0-alpha.19
-
-* Add `rule-set decompile` command
-* Add IP address support for `rule-set match` command
-* Fixes and improvements
-
 #### 1.10.0-alpha.18

 * Add new `inline` rule-set type **1**
 * Add auto reload support for local rule-set
-* Update fsnotify usages **2**
+* Improve fsnotify usages **2**
 * Fixes and improvements

 **1**:
--- a/docs/clients/android/features.md
+++ b/docs/clients/android/features.md
@@ -40,7 +40,6 @@ SFA provides an unprivileged TUN implementation through Android VpnService.
 |-----------------------|------------------|-----------------------------------|
 | `process_name`        | :material-close: | No permission                     |
 | `process_path`        | :material-close: | No permission                     |
-| `process_path_regex`  | :material-close: | No permission                     |
 | `package_name`        | :material-check: | /                                 |
 | `user`                | :material-close: | Use `package_name` instead        |
 | `user_id`             | :material-close: | Use `package_name` instead        |
--- a/docs/clients/apple/features.md
+++ b/docs/clients/apple/features.md
@@ -42,7 +42,6 @@ SFI/SFM/SFT provides an unprivileged TUN implementation through NetworkExtension
 |-----------------------|------------------|-----------------------|
 | `process_name`        | :material-close: | No permission         |
 | `process_path`        | :material-close: | No permission         |
-| `process_path_regex`  | :material-close: | No permission         |
 | `package_name`        | :material-close: | /                     |
 | `user`                | :material-close: | No permission         |
 | `user_id`             | :material-close: | No permission         |
--- a/docs/clients/apple/index.md
+++ b/docs/clients/apple/index.md
@@ -14,13 +14,13 @@ platform-specific function implementation, such as TUN transparent proxy impleme

 ## :material-download: Download

-* [App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)
-* TestFlight (Beta)
+* [App Store](https://apps.apple.com/us/app/sing-box/id6451272673)
+* ~~TestFlight (Beta)~~

 TestFlight quota is only available to [sponsors](https://github.com/sponsors/nekohasekai)
 (one-time sponsorships are accepted).
-Once you donate, you can get an invitation by join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot)
-or sending us your Apple ID [via email](mailto:contact@sagernet.org).
+Once you donate, you can get an invitation by sending us your Apple ID [via email](mailto:contact@sagernet.org),
+or join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot).

 ## :material-file-download: Download (macOS standalone version)

--- a/docs/clients/index.zh.md
+++ b/docs/clients/index.zh.md
@@ -2,11 +2,11 @@

 由 Project S 维护，提供统一的体验与平台特定的功能。

-| 平台                                    | 客户端                                      |
-|---------------------------------------|------------------------------------------|
+| 平台                                    | 客户端                                     |
+|---------------------------------------|-----------------------------------------|
 | :material-android: Android            | [sing-box for Android](./android/)       |
 | :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
-| :material-laptop: Desktop             | 施工中                                      |
+| :material-laptop: Desktop             | 施工中                                     |

 此处没有列出一些声称使用或以 sing-box 为卖点的第三方项目。此类项目维护者的动机是获得更多用户，即使它们提供友好的商业
 VPN 客户端功能， 但代码质量很差且包含广告。
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -6,8 +6,7 @@ icon: material/new-box

    :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
    :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)  
-    :material-plus: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)  
-    :material-plus: [process_path_regex](#process_path_regex)
+    :material-plus: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)

 !!! quote "Changes in sing-box 1.9.0"

@@ -104,9 +103,6 @@ icon: material/new-box
        "process_path": [
          "/usr/bin/curl"
        ],
-        "process_path_regex": [
-          "^/usr/bin/.+"
-        ],
        "package_name": [
          "com.termux"
        ],
@@ -272,16 +268,6 @@ Match process name.

 Match process path.

-#### process_path_regex
-
-!!! question "Since sing-box 1.10.0"
-
-!!! quote ""
-
-    Only supported on Linux, Windows, and macOS.
-
-Match process path using regular expression.
-
 #### package_name

 Match android package name.
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -6,8 +6,7 @@ icon: material/new-box

    :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
    :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)  
-    :material-plus: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)  
-    :material-plus: [process_path_regex](#process_path_regex)
+    :material-plus: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)

 !!! quote "sing-box 1.9.0 中的更改"

@@ -104,9 +103,6 @@ icon: material/new-box
        "process_path": [
          "/usr/bin/curl"
        ],
-        "process_path_regex": [
-          "^/usr/bin/.+"
-        ],
        "package_name": [
          "com.termux"
        ],
@@ -270,16 +266,6 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 匹配进程路径。

-#### process_path_regex
-
-!!! question "自 sing-box 1.10.0 起"
-
-!!! quote ""
-
-    仅支持 Linux、Windows 和 macOS.
-
-使用正则表达式匹配进程路径。
-
 #### package_name

 匹配 Android 应用包名。
--- a/docs/configuration/experimental/clash-api.md
+++ b/docs/configuration/experimental/clash-api.md
@@ -1,12 +1,3 @@
---
-icon: material/new-box
---
-
-!!! quote "Changes in sing-box 1.10.0"
-
-    :material-plus: [access_control_allow_origin](#access_control_allow_origin)  
-    :material-plus: [access_control_allow_private_network](#access_control_allow_private_network)
-
 !!! quote "Changes in sing-box 1.8.0"

    :material-delete-alert: [store_mode](#store_mode)  
@@ -17,59 +8,24 @@ icon: material/new-box

 ### Structure

-=== "Structure"
-
-    ```json
-    {
-      "external_controller": "127.0.0.1:9090",
-      "external_ui": "",
-      "external_ui_download_url": "",
-      "external_ui_download_detour": "",
-      "secret": "",
-      "default_mode": "",
-      "access_control_allow_origin": [],
-      "access_control_allow_private_network": false,
-      
-      // Deprecated
-      
-      "store_mode": false,
-      "store_selected": false,
-      "store_fakeip": false,
-      "cache_file": "",
-      "cache_id": ""
-    }
-    ```
-
-=== "Example (online)"
-
-    !!! question "Since sing-box 1.10.0"
-
-    ```json
-    {
-      "external_controller": "127.0.0.1:9090",
-      "access_control_allow_origin": [
-        "http://127.0.0.1",
-        "http://yacd.haishan.me"
-      ],
-      "access_control_allow_private_network": true
-    }
-    ```
-
-=== "Example (download)"
-
-    !!! question "Since sing-box 1.10.0"
-
-    ```json
-    {
-      "external_controller": "0.0.0.0:9090",
-      "external_ui": "dashboard"
-      // external_ui_download_detour: "direct"
-    }
-    ```
-
-!!! note ""
-
-    You can ignore the JSON Array [] tag when the content is only one item
+```json
+{
+  "external_controller": "127.0.0.1:9090",
+  "external_ui": "",
+  "external_ui_download_url": "",
+  "external_ui_download_detour": "",
+  "secret": "",
+  "default_mode": "",
+  
+  // Deprecated
+  
+  "store_mode": false,
+  "store_selected": false,
+  "store_fakeip": false,
+  "cache_file": "",
+  "cache_id": ""
+}
+```

 ### Fields

@@ -107,22 +63,6 @@ Default mode in clash, `Rule` will be used if empty.

 This setting has no direct effect, but can be used in routing and DNS rules via the `clash_mode` rule item.

-#### access_control_allow_origin
-
-!!! question "Since sing-box 1.10.0"
-
-CORS allowed origins, `*` will be used if empty.
-
-To access the Clash API on a private network from a public website, you must explicitly specify it in `access_control_allow_origin` instead of using `*`.
-
-#### access_control_allow_private_network
-
-!!! question "Since sing-box 1.10.0"
-
-Allow access from private network.
-
-To access the Clash API on a private network from a public website, `access_control_allow_private_network` must be enabled.
-
 #### store_mode

 !!! failure "Deprecated in sing-box 1.8.0"
--- a/docs/configuration/experimental/clash-api.zh.md
+++ b/docs/configuration/experimental/clash-api.zh.md
@@ -1,12 +1,3 @@
---
-icon: material/new-box
---
-
-!!! quote "sing-box 1.10.0 中的更改"
-
-    :material-plus: [access_control_allow_origin](#access_control_allow_origin)  
-    :material-plus: [access_control_allow_private_network](#access_control_allow_private_network)
-
 !!! quote "sing-box 1.8.0 中的更改"

    :material-delete-alert: [store_mode](#store_mode)  
@@ -17,59 +8,24 @@ icon: material/new-box

 ### 结构

-=== "结构"
-
-    ```json
-    {
-      "external_controller": "127.0.0.1:9090",
-      "external_ui": "",
-      "external_ui_download_url": "",
-      "external_ui_download_detour": "",
-      "secret": "",
-      "default_mode": "",
-      "access_control_allow_origin": [],
-      "access_control_allow_private_network": false,
-      
-      // Deprecated
-      
-      "store_mode": false,
-      "store_selected": false,
-      "store_fakeip": false,
-      "cache_file": "",
-      "cache_id": ""
-    }
-    ```
-
-=== "示例 (在线)"
-
-    !!! question "自 sing-box 1.10.0 起"
-
-    ```json
-    {
-      "external_controller": "127.0.0.1:9090",
-      "access_control_allow_origin": [
-        "http://127.0.0.1",
-        "http://yacd.haishan.me"
-      ],
-      "access_control_allow_private_network": true
-    }
-    ```
-
-=== "示例 (下载)"
-
-    !!! question "自 sing-box 1.10.0 起"
-
-    ```json
-    {
-      "external_controller": "0.0.0.0:9090",
-      "external_ui": "dashboard"
-      // external_ui_download_detour: "direct"
-    }
-    ```
-
-!!! note ""
-
-    当内容只有一项时，可以忽略 JSON 数组 [] 标签
+```json
+{
+  "external_controller": "127.0.0.1:9090",
+  "external_ui": "",
+  "external_ui_download_url": "",
+  "external_ui_download_detour": "",
+  "secret": "",
+  "default_mode": "",
+  
+  // Deprecated
+  
+  "store_mode": false,
+  "store_selected": false,
+  "store_fakeip": false,
+  "cache_file": "",
+  "cache_id": ""
+}
+```

 ### Fields

@@ -105,22 +61,6 @@ Clash 中的默认模式，默认使用 `Rule`。

 此设置没有直接影响，但可以通过 `clash_mode` 规则项在路由和 DNS 规则中使用。

-#### access_control_allow_origin
-
-!!! question "自 sing-box 1.10.0 起"
-
-允许的 CORS 来源，默认使用 `*`。
-
-要从公共网站访问私有网络上的 Clash API，必须在 `access_control_allow_origin` 中明确指定它而不是使用 `*`。
-
-#### access_control_allow_private_network
-
-!!! question "自 sing-box 1.10.0 起"
-
-允许从私有网络访问。
-
-要从公共网站访问私有网络上的 Clash API，必须启用 `access_control_allow_private_network`。
-
 #### store_mode

 !!! failure "已在 sing-box 1.8.0 废弃"
--- a/docs/configuration/inbound/index.md
+++ b/docs/configuration/inbound/index.md
@@ -15,24 +15,24 @@

 ### Fields

-| Type          | Format                        | Injectable       |
-|---------------|-------------------------------|------------------|
-| `direct`      | [Direct](./direct/)           | :material-close: |
-| `mixed`       | [Mixed](./mixed/)             | TCP              |
-| `socks`       | [SOCKS](./socks/)             | TCP              |
-| `http`        | [HTTP](./http/)               | TCP              |
-| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP              |
-| `vmess`       | [VMess](./vmess/)             | TCP              |
-| `trojan`      | [Trojan](./trojan/)           | TCP              |
-| `naive`       | [Naive](./naive/)             | :material-close: |
-| `hysteria`    | [Hysteria](./hysteria/)       | :material-close: |
-| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP              |
-| `tuic`        | [TUIC](./tuic/)               | :material-close: |
-| `hysteria2`   | [Hysteria2](./hysteria2/)     | :material-close: |
-| `vless`       | [VLESS](./vless/)             | TCP              |
-| `tun`         | [Tun](./tun/)                 | :material-close: |
-| `redirect`    | [Redirect](./redirect/)       | :material-close: |
-| `tproxy`      | [TProxy](./tproxy/)           | :material-close: |
+| Type          | Format                        | Injectable |
+|---------------|-------------------------------|------------|
+| `direct`      | [Direct](./direct/)           | X          |
+| `mixed`       | [Mixed](./mixed/)             | TCP        |
+| `socks`       | [SOCKS](./socks/)             | TCP        |
+| `http`        | [HTTP](./http/)               | TCP        |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP        |
+| `vmess`       | [VMess](./vmess/)             | TCP        |
+| `trojan`      | [Trojan](./trojan/)           | TCP        |
+| `naive`       | [Naive](./naive/)             | X          |
+| `hysteria`    | [Hysteria](./hysteria/)       | X          |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP        |
+| `tuic`        | [TUIC](./tuic/)               | X          |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | X          |
+| `vless`       | [VLESS](./vless/)             | TCP        |
+| `tun`         | [Tun](./tun/)                 | X          |
+| `redirect`    | [Redirect](./redirect/)       | X          |
+| `tproxy`      | [TProxy](./tproxy/)           | X          |

 #### tag

--- a/docs/configuration/inbound/index.zh.md
+++ b/docs/configuration/inbound/index.zh.md
@@ -15,24 +15,24 @@

 ### 字段

-| 类型            | 格式                            | 注入支持             |
-|---------------|-------------------------------|------------------|
-| `direct`      | [Direct](./direct/)           | :material-close: |
-| `mixed`       | [Mixed](./mixed/)             | TCP              |
-| `socks`       | [SOCKS](./socks/)             | TCP              |
-| `http`        | [HTTP](./http/)               | TCP              |
-| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP              |
-| `vmess`       | [VMess](./vmess/)             | TCP              |
-| `trojan`      | [Trojan](./trojan/)           | TCP              |
-| `naive`       | [Naive](./naive/)             | :material-close: |
-| `hysteria`    | [Hysteria](./hysteria/)       | :material-close: |
-| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP              |
-| `tuic`        | [TUIC](./tuic/)               | :material-close: |
-| `hysteria2`   | [Hysteria2](./hysteria2/)     | :material-close: |
-| `vless`       | [VLESS](./vless/)             | TCP              |
-| `tun`         | [Tun](./tun/)                 | :material-close: |
-| `redirect`    | [Redirect](./redirect/)       | :material-close: |
-| `tproxy`      | [TProxy](./tproxy/)           | :material-close: |
+| 类型            | 格式                           | 注入支持 |
+|---------------|------------------------------|------|
+| `direct`      | [Direct](./direct/)           | X    |
+| `mixed`       | [Mixed](./mixed/)             | TCP  |
+| `socks`       | [SOCKS](./socks/)             | TCP  |
+| `http`        | [HTTP](./http/)               | TCP  |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP  |
+| `vmess`       | [VMess](./vmess/)             | TCP  |
+| `trojan`      | [Trojan](./trojan/)           | TCP  |
+| `naive`       | [Naive](./naive/)             | X    |
+| `hysteria`    | [Hysteria](./hysteria/)       | X    |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP  |
+| `tuic`        | [TUIC](./tuic/)               | X    |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | X    |
+| `vless`       | [VLESS](./vless/)             | TCP  |
+| `tun`         | [Tun](./tun/)                 | X    |
+| `redirect`    | [Redirect](./redirect/)       | X    |
+| `tproxy`      | [TProxy](./tproxy/)           | X    |

 #### tag

--- a/docs/configuration/inbound/trojan.md
+++ b/docs/configuration/inbound/trojan.md
@@ -47,7 +47,7 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

 #### fallback

-!!! failure ""
+!!! quote ""

    There is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature.

--- a/docs/configuration/outbound/block.md
+++ b/docs/configuration/outbound/block.md
@@ -9,6 +9,6 @@
 }
 ```

-### Fields
+### 字段

-No fields.
+No fields.
--- a/docs/configuration/route/rule.md
+++ b/docs/configuration/route/rule.md
@@ -4,10 +4,8 @@ icon: material/alert-decagram

 !!! quote "Changes in sing-box 1.10.0"

-    :material-plus: [client](#client)  
    :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
    :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)  
-    :material-plus: [process_path_regex](#process_path_regex)

 !!! quote "Changes in sing-box 1.8.0"

@@ -42,12 +40,6 @@ icon: material/alert-decagram
          "http",
          "quic"
        ],
-        "client": [
-          "chromium",
-          "safari",
-          "firefox",
-          "quic-go"
-        ],
        "domain": [
          "test.com"
        ],
@@ -102,9 +94,6 @@ icon: material/alert-decagram
        "process_path": [
          "/usr/bin/curl"
        ],
-        "process_path_regex": [
-          "^/usr/bin/.+"
-        ],
        "package_name": [
          "com.termux"
        ],
@@ -177,13 +166,7 @@ Username, see each inbound for details.

 #### protocol

-Sniffed protocol, see [Protocol Sniff](/configuration/route/sniff/) for details.
-
-#### client
-
-!!! question "Since sing-box 1.10.0"
-
-Sniffed client type, see [Protocol Sniff](/configuration/route/sniff/) for details.
+Sniffed protocol, see [Sniff](/configuration/route/sniff/) for details.

 #### network

@@ -281,16 +264,6 @@ Match process name.

 Match process path.

-#### process_path_regex
-
-!!! question "Since sing-box 1.10.0"
-
-!!! quote ""
-
-    Only supported on Linux, Windows, and macOS.
-
-Match process path using regular expression.
-
 #### package_name

 Match android package name.
--- a/docs/configuration/route/rule.zh.md
+++ b/docs/configuration/route/rule.zh.md
@@ -4,10 +4,8 @@ icon: material/alert-decagram

 !!! quote "sing-box 1.10.0 中的更改"

-    :material-plus: [client](#client)  
    :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
-    :material-plus: [process_path_regex](#process_path_regex)
-
+    :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)  

 !!! quote "sing-box 1.8.0 中的更改"

@@ -42,12 +40,6 @@ icon: material/alert-decagram
          "http",
          "quic"
        ],
-        "client": [
-          "chromium",
-          "safari",
-          "firefox",
-          "quic-go"
-        ],
        "domain": [
          "test.com"
        ],
@@ -100,9 +92,6 @@ icon: material/alert-decagram
        "process_path": [
          "/usr/bin/curl"
        ],
-        "process_path_regex": [
-          "^/usr/bin/.+"
-        ],
        "package_name": [
          "com.termux"
        ],
@@ -177,12 +166,6 @@ icon: material/alert-decagram

 探测到的协议, 参阅 [协议探测](/zh/configuration/route/sniff/)。

-#### client
-
-!!! question "自 sing-box 1.10.0 起"
-
-探测到的客户端类型, 参阅 [协议探测](/zh/configuration/route/sniff/)。
-
 #### network

 `tcp` 或 `udp`。
@@ -279,16 +262,6 @@ icon: material/alert-decagram

 匹配进程路径。

-#### process_path_regex
-
-!!! question "自 sing-box 1.10.0 起"
-
-!!! quote ""
-
-    仅支持 Linux、Windows 和 macOS.
-
-使用正则表达式匹配进程路径。
-
 #### package_name

 匹配 Android 应用包名。
--- a/docs/configuration/route/sniff.md
+++ b/docs/configuration/route/sniff.md
@@ -1,35 +1,12 @@
---
-icon: material/new-box
---
-
-!!! quote "Changes in sing-box 1.10.0"
-
-    :material-plus: QUIC client type detect support for QUIC  
-    :material-plus: Chromium support for QUIC  
-    :material-plus: BitTorrent support  
-    :material-plus: DTLS support  
-    :material-plus: SSH support  
-    :material-plus: RDP support
-
 If enabled in the inbound, the protocol and domain name (if present) of by the connection can be sniffed.

 #### Supported Protocols

-| Network |   Protocol   | Domain Name |      Client      |
-|:-------:|:------------:|:-----------:|:----------------:|
-|   TCP   |    `http`    |    Host     |        /         |
-|   TCP   |    `tls`     | Server Name |        /         |
-|   UDP   |    `quic`    | Server Name | QUIC Client Type |
-|   UDP   |    `stun`    |      /      |        /         |
-| TCP/UDP |    `dns`     |      /      |        /         |
-| TCP/UDP | `bittorrent` |      /      |        /         |
-|   UDP   |    `dtls`    |      /      |        /         |
-|   TCP   |    `ssh`     |      /      | SSH Client Name  |
-|   TCP   |    `rdp`     |      /      |        /         |
-
-|       QUIC Client        |    Type    |
-|:------------------------:|:----------:|
-|     Chromium/Cronet      | `chrimium` |
-| Safari/Apple Network API |  `safari`  |
-| Firefox / uquic firefox  | `firefox`  |
-|  quic-go / uquic chrome  | `quic-go`  |
+| Network |  Protocol   | Domain Name |
+|:-------:|:-----------:|:-----------:|
+|   TCP   |    HTTP     |    Host     |
+|   TCP   |     TLS     | Server Name |
+|   UDP   |    QUIC     | Server Name |
+|   UDP   |    STUN     |      /      |
+| TCP/UDP |     DNS     |      /      |
+| TCP/UDP | BitTorrent  |      /      |
--- a/docs/configuration/route/sniff.zh.md
+++ b/docs/configuration/route/sniff.zh.md
@@ -1,35 +1,12 @@
---
-icon: material/new-box
---
-
-!!! quote "sing-box 1.10.0 中的更改"
-
-    :material-plus: QUIC 的 客户端类型探测支持  
-    :material-plus: QUIC 的 Chromium 支持  
-    :material-plus: BitTorrent 支持  
-    :material-plus: DTLS 支持  
-    :material-plus: SSH 支持  
-    :material-plus: RDP 支持
-
 如果在入站中启用，则可以嗅探连接的协议和域名（如果存在）。

 #### 支持的协议

-|   网络    |      协议      |     域名      |    客户端     |
-|:-------:|:------------:|:-----------:|:----------:|
-|   TCP   |    `http`    |    Host     |     /      |
-|   TCP   |    `tls`     | Server Name |     /      |
-|   UDP   |    `quic`    | Server Name | QUIC 客户端类型 |
-|   UDP   |    `stun`    |      /      |     /      |
-| TCP/UDP |    `dns`     |      /      |     /      |
-| TCP/UDP | `bittorrent` |      /      |     /      |
-|   UDP   |    `dtls`    |      /      |     /      |
-|   TCP   |    `ssh`     |      /      | SSH 客户端名称  |
-|   TCP   |    `rdp`     |      /      |     /      |
-
-|         QUIC 客户端         |     类型     |
-|:------------------------:|:----------:|
-|     Chromium/Cronet      | `chrimium` |
-| Safari/Apple Network API |  `safari`  |
-| Firefox / uquic firefox  | `firefox`  |
-|  quic-go / uquic chrome  | `quic-go`  |
+|   网络    |     协议      |     域名      |
+|:-------:|:-----------:|:-----------:|
+|   TCP   |    HTTP     |    Host     |
+|   TCP   |     TLS     | Server Name |
+|   UDP   |    QUIC     | Server Name |
+|   UDP   |    STUN     |      /      |
+| TCP/UDP |     DNS     |      /      |
+| TCP/UDP | BitTorrent  |      /      |
--- a/docs/configuration/rule-set/adguard.md
+++ b/docs/configuration/rule-set/adguard.md
@@ -1,71 +0,0 @@
---
-icon: material/new-box
---
-
-# AdGuard DNS Filter
-
-!!! question "Since sing-box 1.10.0"
-
-sing-box supports some rule-set formats from other projects which cannot be fully translated to sing-box,
-currently only AdGuard DNS Filter.
-
-These formats are not directly supported as source formats,
-instead you need to convert them to binary rule-set.
-
-## Convert
-
-Use `sing-box rule-set convert --type adguard [--output <file-name>.srs] <file-name>.txt` to convert to binary rule-set.
-
-## Performance
-
-AdGuard keeps all rules in memory and matches them sequentially,
-while sing-box chooses high performance and smaller memory usage.
-As a trade-off, you cannot know which rule item is matched.
-
-## Compatibility
-
-Almost all rules in [AdGuardSDNSFilter](https://github.com/AdguardTeam/AdGuardSDNSFilter)
-and rules in rule-sets listed in [adguard-filter-list](https://github.com/ppfeufer/adguard-filter-list)
-are supported.
-
-## Supported formats
-
-### AdGuard Filter
-
-#### Basic rule syntax
-
-| Syntax | Supported        |
-|--------|------------------|
-| `@@`   | :material-check: | 
-| `\|\|` | :material-check: | 
-| `\|`   | :material-check: |
-| `^`    | :material-check: |
-| `*`    | :material-check: |
-
-#### Host syntax
-
-| Syntax      | Example                  | Supported                |
-|-------------|--------------------------|--------------------------|
-| Scheme      | `https://`               | :material-alert: Ignored |
-| Domain Host | `example.org`            | :material-check:         |
-| IP Host     | `1.1.1.1`, `10.0.0.`     | :material-close:         |
-| Regexp      | `/regexp/`               | :material-check:         |
-| Port        | `example.org:80`         | :material-close:         |
-| Path        | `example.org/path/ad.js` | :material-close:         |
-
-#### Modifier syntax
-
-| Modifier              | Supported                |
-|-----------------------|--------------------------|
-| `$important`          | :material-check:         |
-| `$dnsrewrite=0.0.0.0` | :material-alert: Ignored |
-| Any other modifiers   | :material-close:         |
-
-### Hosts
-
-Only items with `0.0.0.0` IP addresses will be accepted.
-
-### Simple
-
-When all rule lines are valid domains, they are treated as simple line-by-line domain rules which,
-like hosts, only match the exact same domain.
--- a/docs/configuration/rule-set/headless-rule.md
+++ b/docs/configuration/rule-set/headless-rule.md
@@ -57,9 +57,6 @@
      "process_path": [
        "/usr/bin/curl"
      ],
-      "process_path_regex": [
-        "^/usr/bin/.+"
-      ],
      "package_name": [
        "com.termux"
      ],
@@ -163,16 +160,6 @@ Match process name.

 Match process path.

-#### process_path_regex
-
-!!! question "Since sing-box 1.10.0"
-
-!!! quote ""
-
-    Only supported on Linux, Windows, and macOS.
-
-Match process path using regular expression.
-
 #### package_name

 Match android package name.
--- a/docs/configuration/rule-set/source-format.md
+++ b/docs/configuration/rule-set/source-format.md
@@ -1,20 +1,12 @@
---
-icon: material/new-box
---
-
 # Source Format

-!!! quote "Changes in sing-box 1.10.0"
-
-    :material-plus: version `2`
-
 !!! question "Since sing-box 1.8.0"

 ### Structure

 ```json
 {
-  "version": 2,
+  "version": 1,
  "rules": []
 }
 ```
@@ -29,16 +21,7 @@ Use `sing-box rule-set compile [--output <file-name>.srs] <file-name>.json` to c

 ==Required==

-Version of rule-set, one of `1` or `2`.
-
-* 1: Initial rule-set version, since sing-box 1.8.0.
-* 2: Optimized memory usages of `domain_suffix` rules.
-
-The new rule-set version `2` does not make any changes to the format, only affecting `binary` rule-sets compiled by command `rule-set compile`
-
-Since 1.10.0, the optimization is always applied to `source` rule-sets even if version is set to `1`.
-
-It is recommended to upgrade to `2` after sing-box 1.10.0 becomes a stable version.
+Version of rule-set, must be `1`.

 #### rules

--- a/docs/configuration/shared/dial.zh.md
+++ b/docs/configuration/shared/dial.zh.md
@@ -83,10 +83,7 @@

 如果设置，域名将在请求发出之前解析为 IP。

-| 出站     | 受影响的域名             | 默认回退值                                |
-|----------|--------------------------|-------------------------------------------|
-| `direct` | 请求中的域名              | `inbound.domain_strategy`                 | 
-|  others  | 服务器地址中的域名        | /                                         |
+默认使用 `dns.strategy`。

 #### fallback_delay

--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@@ -1,8 +1,4 @@
---
-icon: material/alert-decagram
---
-
-!!! quote "Changes in sing-box 1.10.0"
+!!! quote "Changes in sing-box 1.8.0"

    :material-alert-decagram: [utls](#utls)  

@@ -214,25 +210,28 @@ The path to the server private key, in PEM format.

 ==Client only==

-!!! failure ""
-    
-    There is no evidence that GFW detects and blocks servers based on TLS client fingerprinting, and using an imperfect emulation that has not been security reviewed could pose security risks.
+!!! note ""
+
+    uTLS is poorly maintained and the effect may be unproven, use at your own risk.

 uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance.

 Available fingerprint values:

-!!! warning "Removed since sing-box 1.10.0"
+!!! question "Since sing-box 1.8.0"

-    Some legacy chrome fingerprints have been removed and will fallback to chrome:
-
-    :material-close: chrome_psk  
-    :material-close: chrome_psk_shuffle  
-    :material-close: chrome_padding_psk_shuffle  
-    :material-close: chrome_pq  
-    :material-close: chrome_pq_psk
+    :material-plus: chrome_psk  
+    :material-plus: chrome_psk_shuffle  
+    :material-plus: chrome_padding_psk_shuffle  
+    :material-plus: chrome_pq  
+    :material-plus: chrome_pq_psk

 * chrome
+* chrome_psk
+* chrome_psk_shuffle
+* chrome_padding_psk_shuffle
+* chrome_pq
+* chrome_pq_psk
 * firefox
 * edge
 * safari
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -1,8 +1,4 @@
---
-icon: material/alert-decagram
---
-
-!!! quote "sing-box 1.10.0 中的更改"
+!!! quote "sing-box 1.8.0 中的更改"

    :material-alert-decagram: [utls](#utls)  

@@ -48,8 +44,8 @@ icon: material/alert-decagram
    "handshake": {
      "server": "google.com",
      "server_port": 443,
-      ...
-      // 拨号字段
+
+      ... // 拨号字段
    },
    "private_key": "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",
    "short_id": [
@@ -206,25 +202,28 @@ TLS 版本值：

 ==仅客户端==

-!!! failure ""
+!!! note ""

-    没有证据表明 GFW 根据 TLS 客户端指纹检测并阻止服务器，并且，使用一个未经安全审查的不完美模拟可能带来安全隐患。
+    uTLS 维护不善且其效果可能未经证实，使用风险自负。

 uTLS 是 "crypto/tls" 的一个分支，它提供了 ClientHello 指纹识别阻力。

 可用的指纹值：

-!!! warning "已在 sing-box 1.10.0 移除"
+!!! question "自 sing-box 1.8.0 起"

-    一些旧 chrome 指纹已被删除，并将会退到 chrome：
-
-    :material-close: chrome_psk  
-    :material-close: chrome_psk_shuffle  
-    :material-close: chrome_padding_psk_shuffle  
-    :material-close: chrome_pq  
-    :material-close: chrome_pq_psk
+    :material-plus: chrome_psk  
+    :material-plus: chrome_psk_shuffle  
+    :material-plus: chrome_padding_psk_shuffle  
+    :material-plus: chrome_pq  
+    :material-plus: chrome_pq_psk

 * chrome
+* chrome_psk
+* chrome_psk_shuffle
+* chrome_padding_psk_shuffle
+* chrome_pq
+* chrome_pq_psk
 * firefox
 * edge
 * safari
--- a/docs/installation/build-from-source.md
+++ b/docs/installation/build-from-source.md
@@ -6,18 +6,26 @@ icon: material/file-code

 ## :material-graph: Requirements

-### sing-box 1.10
+Before sing-box 1.4.0:

-* Go 1.20.0 - ~
+* Go 1.18.5 - 1.20.x
+
+Since sing-box 1.4.0:
+
+* Go 1.18.5 - ~
+* Go 1.20.0 - ~ with tag `with_quic` enabled
+
+Since sing-box 1.5.0:
+
+* Go 1.18.5 - ~
+* Go 1.20.0 - ~ with tag `with_quic` or `with_ech` enabled
+
+Since sing-box 1.8.0:
+
+* Go 1.18.5 - ~
 * Go 1.20.0 - ~ with tag `with_quic`, or `with_utls` enabled
 * Go 1.21.0 - ~ with tag `with_ech` enabled

-### sing-box 1.9
-
-* Go 1.18.5 - 1.22.x
-* Go 1.20.0 - 1.22.x with tag `with_quic`, or `with_utls` enabled
-* Go 1.21.0 - 1.22.x with tag `with_ech` enabled
-
 You can download and install Go from: https://go.dev/doc/install, latest version is recommended.

 ## :material-fast-forward: Simple Build
--- a/docs/installation/build-from-source.zh.md
+++ b/docs/installation/build-from-source.zh.md
@@ -6,17 +6,25 @@ icon: material/file-code

 ## :material-graph: 要求

-### sing-box 1.10
+sing-box 1.4.0 前:

-* Go 1.20.0 - ~
-* Go 1.20.0 - ~ with tag `with_quic`, or `with_utls` enabled
-* Go 1.21.0 - ~ with tag `with_ech` enabled
+* Go 1.18.5 - 1.20.x

-### sing-box 1.9
+从 sing-box 1.4.0:

-* Go 1.18.5 - 1.22.x
-* Go 1.20.0 - 1.22.x with tag `with_quic`, or `with_utls` enabled
-* Go 1.21.0 - 1.22.x with tag `with_ech` enabled
+* Go 1.18.5 - ~
+* Go 1.20.0 - ~ 如果启用构建标记 `with_quic`
+
+从 sing-box 1.5.0:
+
+* Go 1.18.5 - ~
+* Go 1.20.0 - ~ 如果启用构建标记 `with_quic` 或 `with_ech`
+
+从 sing-box 1.8.0:
+
+* Go 1.18.5 - ~
+* Go 1.20.0 - ~ 如果启用构建标记 `with_quic` 或 `with_utls`
+* Go 1.20.1 - ~ 如果启用构建标记 `with_ech`

 您可以从 https://go.dev/doc/install 下载并安装 Go，推荐使用最新版本。

--- a/docs/installation/package-manager.md
+++ b/docs/installation/package-manager.md
@@ -24,7 +24,14 @@ icon: material/package
    sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo
    sudo dnf install sing-box # or sing-box-beta
    ```
-    (This applies to any distribution that uses `dnf` as the package manager: Fedora, CentOS, even OpenSUSE with DNF installed.)
+
+=== ":material-redhat: CentOS / YUM"
+
+    ```bash
+    sudo yum install -y yum-utils
+    sudo yum-config-manager --add-repo https://sing-box.app/sing-box.repo
+    sudo yum install sing-box # or sing-box-beta
+    ```

 ## :material-download-box: Manual Installation

@@ -39,7 +46,6 @@ icon: material/package
    ```bash
    bash <(curl -fsSL https://sing-box.app/rpm-install.sh)
    ```
-    (This applies to any distribution that uses `rpm` and `systemd`.  Because of how `rpm` defines dependencies, if it installs, it probably works.)

 === ":simple-archlinux: Archlinux / PKG"

@@ -57,7 +63,6 @@ icon: material/package
    | nixpkgs  | NixOS         | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
    | Homebrew | macOS / Linux | `brew install sing-box`      | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew]                |
    | APK      | Alpine        | `apk add sing-box`           | [![Alpine Linux Edge package](https://repology.org/badge/version-for-repo/alpine_edge/sing-box.svg)][alpine]  |
-    | DEB      | AOSC          | `apt install sing-box`       | [![AOSC package](https://repology.org/badge/version-for-repo/aosc/sing-box.svg)][aosc]                        |

 === ":material-apple: macOS"

@@ -85,22 +90,6 @@ icon: material/package
    |------------|----------|------------------------|--------------------------------------------------------------------------------------------|
    | FreshPorts | FreeBSD  | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |

-## :material-alert: Problematic Sources
-
-| Type       | Platform | Link                                                                                      | Promblem(s)                             |
-|------------|----------|-------------------------------------------------------------------------------------------|-----------------------------------------|
-| DEB        | AOSC     | [aosc-os-abbs](https://github.com/AOSC-Dev/aosc-os-abbs/tree/stable/app-network/sing-box) | Problematic build tag list modification |
-| Homebrew   | /        | [homebrew-core][brew]                                                                     | Problematic build tag list modification |
-| Termux     | Android  | [termux-packages][termux]                                                                 | Problematic build tag list modification |
-| FreshPorts | FreeBSD  | [FreeBSD ports][ports]                                                                    | Old Go  (go1.20)                        |
-
-If you are a user of them, please report issues to them:
-
-1. Please do not modify release build tags without full understanding of the related functionality: enabling non-default
-   labels may result in decreased performance; the lack of default labels may cause user confusion.
-2. sing-box supports compiling with some older Go versions, but it is not recommended (especially versions that are no
-   longer supported by Go).
-
 ## :material-book-multiple: Service Management

 For Linux systems with [systemd][systemd], usually the installation already includes a sing-box service,
@@ -139,6 +128,4 @@ you can manage the service using the following command:

 [ports]: https://www.freshports.org/net/sing-box

-[aosc]: https://packages.aosc.io/packages/sing-box
-
 [systemd]: https://systemd.io/
--- a/docs/installation/package-manager.zh.md
+++ b/docs/installation/package-manager.zh.md
@@ -24,7 +24,14 @@ icon: material/package
    sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo
    sudo dnf install sing-box # or sing-box-beta
    ```
-    （这适用于任何使用 `dnf` 作为包管理器的发行版：Fedora、CentOS，甚至安装了 DNF 的 OpenSUSE。）
+
+=== ":material-redhat: CentOS / YUM"
+
+    ```bash
+    sudo yum install -y yum-utils
+    sudo yum-config-manager --add-repo https://sing-box.app/sing-box.repo
+    sudo yum install sing-box # or sing-box-beta
+    ```

 ## :material-download-box: 手动安装

@@ -39,7 +46,6 @@ icon: material/package
    ```bash
    bash <(curl -fsSL https://sing-box.app/rpm-install.sh)
    ```
-    （这适用于任何使用 `rpm` 和 `systemd` 的发行版。由于 `rpm` 定义依赖关系的方式，如果安装成功，就多半能用。）

 === ":simple-archlinux: Archlinux / PKG"

@@ -57,7 +63,6 @@ icon: material/package
    | nixpkgs  | NixOS         | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
    | Homebrew | macOS / Linux | `brew install sing-box`      | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew]                |
    | APK      | Alpine        | `apk add sing-box`           | [![Alpine Linux Edge package](https://repology.org/badge/version-for-repo/alpine_edge/sing-box.svg)][alpine]  |
-    | DEB      | AOSC          | `apt install sing-box`       | [![AOSC package](https://repology.org/badge/version-for-repo/aosc/sing-box.svg)][aosc]                        |

 === ":material-apple: macOS"

@@ -85,20 +90,6 @@ icon: material/package
    |------------|---------|------------------------|--------------------------------------------------------------------------------------------|
    | FreshPorts | FreeBSD | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |

-## :material-alert: 存在问题的源
-
-| 类型         | 平台      | 链接                                                                                        | 原因              |
-|------------|---------|-------------------------------------------------------------------------------------------|-----------------|
-| DEB        | AOSC    | [aosc-os-abbs](https://github.com/AOSC-Dev/aosc-os-abbs/tree/stable/app-network/sing-box) | 存在问题的构建标志列表修改   |
-| Homebrew   | /       | [homebrew-core][brew]                                                                     | 存在问题的构建标志列表修改   |
-| Termux     | Android | [termux-packages][termux]                                                                 | 存在问题的构建标志列表修改   |
-| FreshPorts | FreeBSD | [FreeBSD ports][ports]                                                                    | 太旧的 Go (go1.20) |
-
-如果您是其用户，请向他们报告问题：
-
-1. 在未完全了解相关功能的情况下，请勿修改发布版本标签：启用非默认标签可能会导致性能下降；缺少默认标签可能会引起用户混淆。
-2. sing-box 支持使用一些较旧的 Go 版本进行编译，但不推荐使用（特别是已不再受 Go 支持的版本）。
-
 ## :material-book-multiple: 服务管理

 对于带有 [systemd][systemd] 的 Linux 系统，通常安装已经包含 sing-box 服务，
@@ -133,6 +124,4 @@ icon: material/package

 [ports]: https://www.freshports.org/net/sing-box

-[aosc]: https://packages.aosc.io/packages/sing-box
-
 [systemd]: https://systemd.io/
--- a/docs/manual/proxy-protocol/hysteria2.md
+++ b/docs/manual/proxy-protocol/hysteria2.md
@@ -4,17 +4,16 @@ icon: material/lightning-bolt

 # Hysteria 2

-Hysteria 2 is a simple, Chinese-made protocol based on QUIC.
-The selling point is Brutal, a congestion control algorithm that
-tries to achieve a user-defined bandwidth despite packet loss.
+The most popular Chinese-made simple protocol based on QUIC, the selling point is Brutal,
+a congestion control algorithm that can resist packet loss by manually specifying the required rate by the user.

 !!! warning

-    Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more obvious characteristics than TCP based proxies.
+    Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more characteristics than TCP based proxies.

-| Specification                                                             | Resists passive detection | Resists active probes |
-|---------------------------------------------------------------------------|---------------------------|-----------------------|
-| [hysteria.network](https://v2.hysteria.network/docs/developers/Protocol/) | :material-alert:          | :material-check:      |
+| Specification                                                             | Binary Characteristics | Active Detect Hiddenness |
+|---------------------------------------------------------------------------|------------------------|--------------------------|
+| [hysteria.network](https://v2.hysteria.network/docs/developers/Protocol/) | :material-alert:       | :material-check:         |

 ## :material-text-box-check: Password Generator

@@ -45,7 +44,7 @@ To use sing-box with the official program, you need to fill in that combination
    Replace `up_mbps` and `down_mbps` values with the actual bandwidth of your server.

 === ":material-harddisk: With local certificate"
-
+    
    ```json
     {
      "inbounds": [
--- a/docs/manual/proxy-protocol/shadowsocks.md
+++ b/docs/manual/proxy-protocol/shadowsocks.md
@@ -4,18 +4,15 @@ icon: material/send

 # Shadowsocks

-Shadowsocks is the most well-known Chinese-made proxy protocol.
-It exists in multiple versions, but only AEAD 2022 ciphers 
-over TCP with multiplexing is recommended.
+As the most well-known Chinese-made proxy protocol,
+Shadowsocks exists in multiple versions,
+but only AEAD 2022 ciphers TCP with multiplexing is recommended.

-| Ciphers        | Specification                                              | Cryptographically sound | Resists passive detection | Resists active probes |
-|----------------|------------------------------------------------------------|-------------------------|---------------------------|-----------------------|
-| Stream Ciphers | [shadowsocks.org](https://shadowsocks.org/doc/stream.html) | :material-alert:        | :material-alert:          | :material-alert:      |
-| AEAD           | [shadowsocks.org](https://shadowsocks.org/doc/aead.html)   | :material-check:        | :material-alert:          | :material-alert:      |
-| AEAD 2022      | [shadowsocks.org](https://shadowsocks.org/doc/sip022.html) | :material-check:        | :material-check:          | :material-help:       |
-
-(We strongly recommend using multiplexing to send UDP traffic over TCP, because
-doing otherwise is vulnerable to passive detection.)
+| Ciphers        | Specification                                              | Cryptographic Security | Binary Characteristics | Active Detect Hiddenness |
+|----------------|------------------------------------------------------------|------------------------|------------------------|--------------------------|
+| Stream Ciphers | [shadowsocks.org](https://shadowsocks.org/doc/stream.html) | :material-alert:       | :material-alert:       | :material-alert:         |
+| AEAD           | [shadowsocks.org](https://shadowsocks.org/doc/aead.html)   | :material-check:       | :material-alert:       | :material-alert:         |
+| AEAD 2022      | [shadowsocks.org](https://shadowsocks.org/doc/sip022.html) | :material-check:       | :material-check:       | :material-help:          |

 ## :material-text-box-check: Password Generator

--- a/docs/manual/proxy-protocol/trojan.md
+++ b/docs/manual/proxy-protocol/trojan.md
@@ -4,15 +4,15 @@ icon: material/horse

 # Trojan

-Torjan is the most commonly used TLS proxy made in China. It can be used in various combinations,
+As the most commonly used TLS proxy made in China, Trojan can be used in various combinations,
 but only the combination of uTLS and multiplexing is recommended.

-| Protocol and implementation combination | Specification                                                        | Resists passive detection | Resists active probes |
-|-----------------------------------------|----------------------------------------------------------------------|---------------------------|-----------------------|
-| Origin / trojan-gfw                     | [trojan-gfw.github.io](https://trojan-gfw.github.io/trojan/protocol) | :material-check:          | :material-check:      |
-| Basic Go implementation                 | /                                                                    | :material-alert:          | :material-check:      |
-| with privates transport by V2Ray        | No formal definition                                                 | :material-alert:          | :material-alert:      |
-| with uTLS enabled                       | No formal definition                                                 | :material-help:           | :material-check:      |
+| Protocol and implementation combination | Specification                                                        | Binary Characteristics | Active Detect Hiddenness |
+|-----------------------------------------|----------------------------------------------------------------------|------------------------|--------------------------|
+| Origin / trojan-gfw                     | [trojan-gfw.github.io](https://trojan-gfw.github.io/trojan/protocol) | :material-check:       | :material-check:         |
+| Basic Go implementation                 | /                                                                    | :material-alert:       | :material-check:         |
+| with privates transport by V2Ray        | No formal definition                                                 | :material-alert:       | :material-alert:         |
+| with uTLS enabled                       | No formal definition                                                 | :material-help:        | :material-check:         |                             

 ## :material-text-box-check: Password Generator

@@ -211,3 +211,4 @@ but only the combination of uTLS and multiplexing is recommended.
      ]
    }
    ```
+
--- a/docs/migration.md
+++ b/docs/migration.md
@@ -70,23 +70,6 @@ Old fields are deprecated and will be removed in sing-box 1.11.0.
    }
    ```

-## 1.9.5
-
-### Bundle Identifier updates in Apple platform clients
-
-Due to problems with our old Apple developer account,
-we can only change Bundle Identifiers to re-list sing-box apps,
-which means the data will not be automatically inherited.
-
-For iOS, you need to back up your old data yourself (if you still have access to it);  
-for tvOS, you need to re-import profiles from your iPhone or iPad or create it manually;  
-for macOS, you can migrate the data folder using the following command:
-
-```bash
-cd ~/Library/Group\ Containers && \ 
-  mv group.io.nekohasekai.sfa group.io.nekohasekai.sfavt
-```
-
 ## 1.9.0

 ### `domain_suffix` behavior update
--- a/docs/migration.zh.md
+++ b/docs/migration.zh.md
@@ -70,22 +70,6 @@ icon: material/arrange-bring-forward
    }
    ```

-## 1.9.5
-
-### Apple 平台客户端的 Bundle Identifier 更新
-
-由于我们旧的苹果开发者账户存在问题，我们只能通过更新 Bundle Identifiers
-来重新上架 sing-box 应用， 这意味着数据不会自动继承。
-
-对于 iOS，您需要自行备份旧的数据（如果您仍然可以访问）；  
-对于 Apple tvOS，您需要从 iPhone 或 iPad 重新导入配置或者手动创建；  
-对于 macOS，您可以使用以下命令迁移数据文件夹：
-
-```bash
-cd ~/Library/Group\ Containers && \ 
-  mv group.io.nekohasekai.sfa group.io.nekohasekai.sfavt
-```
-
 ## 1.9.0

 ### `domain_suffix` 行为更新
--- a/docs/sponsors.md
+++ b/docs/sponsors.md
@@ -1,26 +0,0 @@
---
-icon: material/hand-coin
---
-
-# Sponsors
-
-Do you or your friends use sing-box?
-
-You can help keep the project bug-free and feature rich by sponsoring
-the project maintainer via [GitHub Sponsors](https://github.com/sponsors/nekohasekai).
-
-![](https://nekohasekai.github.io/sponsor-images/sponsors.svg)
-
-### Special Sponsors
-
-**Viral Tech, Inc.**
-
-Helping us re-list sing-box apps on the Apple Store.
-
---
-
-[![JetBrains logo](https://resources.jetbrains.com/storage/products/company/brand/logos/jetbrains.svg)](https://www.jetbrains.com)
-
-Free license for the amazing IDEs.
-
---
--- a/docs/support.md
+++ b/docs/support.md
@@ -5,7 +5,8 @@ icon: material/forum
 # Support

 | Channel                       | Link                                        |
-| :---------------------------- | :------------------------------------------ |
+|:------------------------------|:--------------------------------------------|
+| Community                     | https://community.sagernet.org              |
 | GitHub Issues                 | https://github.com/SagerNet/sing-box/issues |
 | Telegram notification channel | https://t.me/yapnc                          |
 | Telegram user group           | https://t.me/yapug                          |
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	f7c96d9d78	documentation: Bump version	2024-06-26 17:48:02 +08:00
世界	6a88b05569	Add inline rule-set & Add reload for local rule-set	2024-06-26 13:57:15 +08:00
世界	1e294b1b30	Unique rule-set names	2024-06-26 13:57:15 +08:00
世界	8d993fdabb	Add accept empty DNS rule option	2024-06-26 13:57:15 +08:00
世界	ab6db88db8	Add custom options for TUN `auto-route` and `auto-redirect`	2024-06-26 13:57:15 +08:00
世界	34dbf7656d	Improve base DNS transports	2024-06-26 13:57:15 +08:00
世界	7e84cf4b4f	Add auto-redirect & Improve auto-route	2024-06-26 13:57:10 +08:00
世界	fb7abb4822	WTF is this	2024-06-26 13:57:10 +08:00
世界	90b63d69b1	platform: Fix clash server reload on android	2024-06-26 13:57:10 +08:00
世界	0528c742c8	platform: Add log update interval	2024-06-26 13:57:10 +08:00
世界	9d1ecde082	platform: Prepare connections list	2024-06-26 13:57:10 +08:00
世界	f568f5125e	Drop support for go1.18 and go1.19	2024-06-26 13:57:10 +08:00
iosmanthus	cd2c18df96	Introduce bittorrent related protocol sniffers * Introduce bittorrent related protocol sniffers including, sniffers of 1. BitTorrent Protocol (TCP) 2. uTorrent Transport Protocol (UDP) Signed-off-by: iosmanthus <myosmanthustree@gmail.com> Co-authored-by: 世界 <i@sekai.icu>	2024-06-26 13:57:10 +08:00