Bump version

Fix parse UDP DNS server with addr:port address
Stop passing device sleep events on Android and Apple platforms
2024-06-08 21:43:04 +08:00 · 2024-06-08 21:39:47 +08:00 · 2024-06-08 21:39:47 +08:00 · 2024-06-08 21:39:47 +08:00
263 changed files with 4990 additions and 10951 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,599 +0,0 @@
 name: Build
 on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version name"
        required: true
        type: string
      build:
        description: "Build type"
        required: true
        type: choice
        default: "All"
        options:
          - All
          - Binary
          - Android
          - Apple
          - app-store
          - iOS
          - macOS
          - tvOS
          - macOS-standalone
          - publish-android
  push:
    branches:
      - main-next
      - dev-next
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
  cancel-in-progress: true
 jobs:
  calculate_version:
    name: Calculate version
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.outputs.outputs.version }}
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ^1.23
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
          echo "version=${{ inputs.version }}" 
          echo "version=${{ inputs.version }}" >> "$GITHUB_ENV"
      - name: Calculate version
        if: github.event_name != 'workflow_dispatch'
        run: |-
          go run -v ./cmd/internal/read_tag --nightly
      - name: Set outputs
        id: outputs
        run: |-
          echo "version=$version" >> "$GITHUB_OUTPUT"
  build:
    name: Build binary
    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
    runs-on: ubuntu-latest
    needs:
      - calculate_version
    strategy:
      matrix:
        include:
          - name: linux_386
            goos: linux
            goarch: 386
          - name: linux_amd64
            goos: linux
            goarch: amd64
          - name: linux_arm64
            goos: linux
            goarch: arm64
          - name: linux_arm
            goos: linux
            goarch: arm
            goarm: 6
          - name: linux_arm_v7
            goos: linux
            goarch: arm
            goarm: 7
          - name: linux_s390x
            goos: linux
            goarch: s390x
          - name: linux_riscv64
            goos: linux
            goarch: riscv64
          - name: linux_mips64le
            goos: linux
            goarch: mips64le
          - name: windows_amd64
            goos: windows
            goarch: amd64
            require_legacy_go: true
          - name: windows_386
            goos: windows
            goarch: 386
            require_legacy_go: true
          - name: windows_arm64
            goos: windows
            goarch: arm64
          - name: darwin_arm64
            goos: darwin
            goarch: arm64
          - name: darwin_amd64
            goos: darwin
            goarch: amd64
            require_legacy_go: true
          - name: android_arm64
            goos: android
            goarch: arm64
          - name: android_arm
            goos: android
            goarch: arm
            goarm: 7
          - name: android_amd64
            goos: android
            goarch: amd64
          - name: android_386
            goos: android
            goarch: 386
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ^1.23
      - name: Cache legacy Go
        if: matrix.require_legacy_go
        id: cache-legacy-go
        uses: actions/cache@v4
        with:
          path: |
            ~/go/go1.20.14
          key: go120
      - name: Setup legacy Go
        if: matrix.require_legacy_go == 'true' && steps.cache-legacy-go.outputs.cache-hit != 'true'
        run: |-
          wget https://dl.google.com/go/go1.20.14.linux-amd64.tar.gz
          tar -xzf go1.20.14.linux-amd64.tar.gz
          mv go $HOME/go/go1.20.14
      - name: Setup Android NDK
        if: matrix.goos == 'android'
        uses: nttld/setup-ndk@v1
        with:
          ndk-version: r28-beta2
          local-cache: true
      - name: Setup Goreleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro
          version: latest
          install-only: true
      - name: Extract signing key
        run: |-
          mkdir -p $HOME/.gnupg
          cat > $HOME/.gnupg/sagernet.key <<EOF
          ${{ secrets.GPG_KEY }}
          EOF
          echo "HOME=$HOME" >> "$GITHUB_ENV"
      - name: Set tag
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=true" >> "$GITHUB_ENV"
          git tag v${{ needs.calculate_version.outputs.version }} -f
      - name: Build
        if: matrix.goos != 'android'
        run: |-
          goreleaser release --clean --split
        env:
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
          GOPATH: ${{ env.HOME }}/go
          GOARM: ${{ matrix.goarm }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
      - name: Build Android
        if: matrix.goos == 'android'
        run: |-
          go install -v ./cmd/internal/build
          GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build goreleaser release --clean --split
        env:
          BUILD_GOOS: ${{ matrix.goos }}
          BUILD_GOARCH: ${{ matrix.goarch }}
          GOARM: ${{ matrix.goarm }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
      - name: Upload artifact
        if: github.event_name == 'workflow_dispatch'
        uses: actions/upload-artifact@v4
        with:
          name: binary-${{ matrix.name }}
          path: 'dist'
  build_android:
    name: Build Android
    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
    runs-on: ubuntu-latest
    needs:
      - calculate_version
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
          submodules: 'recursive'
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ^1.23
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
        with:
          ndk-version: r28-beta2
      - name: Setup OpenJDK
        run: |-
          sudo apt update && sudo apt install -y openjdk-17-jdk-headless
          /usr/lib/jvm/java-17-openjdk-amd64/bin/java --version
      - name: Set tag
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=true" >> "$GITHUB_ENV"
          git tag v${{ needs.calculate_version.outputs.version }} -f
      - name: Build library
        run: |-
          make lib_install
          export PATH="$PATH:$(go env GOPATH)/bin"
          make lib_android
        env:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
      - name: Checkout main branch
        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/android
          git checkout main
      - name: Checkout dev branch
        if: github.ref == 'refs/heads/dev-next'
        run: |-
          cd clients/android
          git checkout dev
      - name: Gradle cache
        uses: actions/cache@v4
        with:
          path: ~/.gradle
          key: gradle-${{ hashFiles('**/*.gradle') }}
      - name: Build
        run: |-
          go run -v ./cmd/internal/update_android_version --ci
          mkdir clients/android/app/libs
          cp libbox.aar clients/android/app/libs
          cd clients/android
          ./gradlew :app:assemblePlayRelease :app:assembleOtherRelease
        env:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
      - name: Prepare upload
        if: github.event_name == 'workflow_dispatch'
        run: |-
          mkdir -p dist/release
          cp clients/android/app/build/outputs/apk/play/release/*.apk dist/release
          cp clients/android/app/build/outputs/apk/other/release/*-universal.apk dist/release
      - name: Upload artifact
        if: github.event_name == 'workflow_dispatch'
        uses: actions/upload-artifact@v4
        with:
          name: binary-android-apks
          path: 'dist'
  publish_android:
    name: Publish Android
    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
    runs-on: ubuntu-latest
    needs:
      - calculate_version
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
          submodules: 'recursive'
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ^1.23
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
        with:
          ndk-version: r28-beta2
      - name: Setup OpenJDK
        run: |-
          sudo apt update && sudo apt install -y openjdk-17-jdk-headless
          /usr/lib/jvm/java-17-openjdk-amd64/bin/java --version
      - name: Set tag
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=true" >> "$GITHUB_ENV"
          git tag v${{ needs.calculate_version.outputs.version }} -f
      - name: Build library
        run: |-
          make lib_install
          export PATH="$PATH:$(go env GOPATH)/bin"
          make lib_android
        env:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
      - name: Checkout main branch
        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/android
          git checkout main
      - name: Checkout dev branch
        if: github.ref == 'refs/heads/dev-next'
        run: |-
          cd clients/android
          git checkout dev
      - name: Gradle cache
        uses: actions/cache@v4
        with:
          path: ~/.gradle
          key: gradle-${{ hashFiles('**/*.gradle') }}
      - name: Build
        run: |-
          go run -v ./cmd/internal/update_android_version --ci
          mkdir clients/android/app/libs
          cp libbox.aar clients/android/app/libs
          cd clients/android
          echo -n "$SERVICE_ACCOUNT_CREDENTIALS" | base64 --decode > service-account-credentials.json
          ./gradlew :app:publishPlayReleaseBundle
        env:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
          SERVICE_ACCOUNT_CREDENTIALS: ${{ secrets.SERVICE_ACCOUNT_CREDENTIALS }}
  build_apple:
    name: Build Apple clients
    runs-on: macos-15
    needs:
      - calculate_version
    strategy:
      matrix:
        include:
          - name: iOS
            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'iOS' }}
            platform: ios
            scheme: SFI
            destination: 'generic/platform=iOS'
            archive: build/SFI.xcarchive
            upload: SFI/Upload.plist
          - name: macOS
            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'macOS' }}
            platform: macos
            scheme: SFM
            destination: 'generic/platform=macOS'
            archive: build/SFM.xcarchive
            upload: SFI/Upload.plist
          - name: tvOS
            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'tvOS' }}
            platform: tvos
            scheme: SFT
            destination: 'generic/platform=tvOS'
            archive: build/SFT.xcarchive
            upload: SFI/Upload.plist
          - name: macOS-standalone
            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone' }}
            platform: macos
            scheme: SFM.System
            destination: 'generic/platform=macOS'
            archive: build/SFM.System.xcarchive
            export: SFM.System/Export.plist
            export_path: build/SFM.System
    steps:
      - name: Checkout
        if: matrix.if
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
          submodules: 'recursive'
      - name: Setup Go
        if: matrix.if
        uses: actions/setup-go@v5
        with:
          go-version: ^1.23
      - name: Setup Xcode stable
        if: matrix.if && github.ref == 'refs/heads/main-next'
        run: |-
          sudo xcode-select -s /Applications/Xcode_16.2.app
      - name: Setup Xcode beta
        if: matrix.if && github.ref == 'refs/heads/dev-next'
        run: |-
          sudo xcode-select -s /Applications/Xcode_16.2.app
      - name: Set tag
        if: matrix.if
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=true" >> "$GITHUB_ENV"
          git tag v${{ needs.calculate_version.outputs.version }} -f
          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
      - name: Checkout main branch
        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/apple
          git checkout main
      - name: Checkout dev branch
        if: matrix.if && github.ref == 'refs/heads/dev-next'
        run: |-
          cd clients/apple
          git checkout dev
      - name: Setup certificates
        if: matrix.if
        run: |-
          CERTIFICATE_PATH=$RUNNER_TEMP/Certificates.p12
          KEYCHAIN_PATH=$RUNNER_TEMP/certificates.keychain-db
          echo -n "$CERTIFICATES_P12" | base64 --decode -o $CERTIFICATE_PATH
          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security list-keychain -d user -s $KEYCHAIN_PATH
          PROFILES_ZIP_PATH=$RUNNER_TEMP/Profiles.zip
          echo -n "$PROVISIONING_PROFILES" | base64 --decode -o $PROFILES_ZIP_PATH
          PROFILES_PATH="$HOME/Library/MobileDevice/Provisioning Profiles"
          mkdir -p "$PROFILES_PATH"
          unzip $PROFILES_ZIP_PATH -d "$PROFILES_PATH"
          ASC_KEY_PATH=$RUNNER_TEMP/Key.p12
          echo -n "$ASC_KEY" | base64 --decode -o $ASC_KEY_PATH
          xcrun notarytool store-credentials "notarytool-password" \
            --key $ASC_KEY_PATH \
            --key-id $ASC_KEY_ID \
            --issuer $ASC_KEY_ISSUER_ID
          echo "ASC_KEY_PATH=$ASC_KEY_PATH" >> "$GITHUB_ENV"
          echo "ASC_KEY_ID=$ASC_KEY_ID" >> "$GITHUB_ENV"
          echo "ASC_KEY_ISSUER_ID=$ASC_KEY_ISSUER_ID" >> "$GITHUB_ENV"
        env:
          CERTIFICATES_P12: ${{ secrets.CERTIFICATES_P12 }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.P12_PASSWORD }}
          PROVISIONING_PROFILES: ${{ secrets.PROVISIONING_PROFILES }}
          ASC_KEY: ${{ secrets.ASC_KEY }}
          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
          ASC_KEY_ISSUER_ID: ${{ secrets.ASC_KEY_ISSUER_ID }}
      - name: Build library
        if: matrix.if
        run: |-
          make lib_install
          export PATH="$PATH:$(go env GOPATH)/bin"
          go run ./cmd/internal/build_libbox -target apple -platform ${{ matrix.platform }}
          mv Libbox.xcframework clients/apple
      - name: Update macOS version
        if: matrix.if && matrix.name == 'macOS' && github.event_name == 'workflow_dispatch'
        run: |-
          MACOS_PROJECT_VERSION=$(go run -v ./cmd/internal/app_store_connect next_macos_project_version)
          echo "MACOS_PROJECT_VERSION=$MACOS_PROJECT_VERSION"
          echo "MACOS_PROJECT_VERSION=$MACOS_PROJECT_VERSION" >> "$GITHUB_ENV"
      - name: Build
        if: matrix.if
        run: |-
          go run -v ./cmd/internal/update_apple_version --ci
          cd clients/apple
          xcodebuild archive \
            -scheme "${{ matrix.scheme }}" \
            -configuration Release \
            -destination "${{ matrix.destination }}" \
            -archivePath "${{ matrix.archive }}" \
            -allowProvisioningUpdates \
            -authenticationKeyPath $ASC_KEY_PATH \
            -authenticationKeyID $ASC_KEY_ID \
            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
      - name: Upload to App Store Connect
        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch'
        run: |-
          go run -v ./cmd/internal/app_store_connect cancel_app_store ${{ matrix.platform }}
          cd clients/apple
          xcodebuild -exportArchive \
            -archivePath "${{ matrix.archive }}" \
            -exportOptionsPlist ${{ matrix.upload }} \
            -allowProvisioningUpdates \
            -authenticationKeyPath $ASC_KEY_PATH \
            -authenticationKeyID $ASC_KEY_ID \
            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
      - name: Publish to TestFlight
        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
        run: |-
          go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
      - name: Build image
        if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
        run: |-
          pushd clients/apple
          xcodebuild -exportArchive \
          	-archivePath "${{ matrix.archive }}" \
          	-exportOptionsPlist ${{ matrix.export }} \
          	-exportPath "${{ matrix.export_path }}"
          brew install create-dmg
          create-dmg \
          	--volname "sing-box" \
          	--volicon "${{ matrix.export_path }}/SFM.app/Contents/Resources/AppIcon.icns" \
          	--icon "SFM.app" 0 0 \
          		--hide-extension "SFM.app" \
          		--app-drop-link 0 0 \
          		--skip-jenkins \
          	SFM.dmg "${{ matrix.export_path }}/SFM.app"
          xcrun notarytool submit "SFM.dmg" --wait --keychain-profile "notarytool-password"          
          cd "${{ matrix.archive }}"
          zip -r SFM.dSYMs.zip dSYMs
          popd
          mkdir -p dist/release
          cp clients/apple/SFM.dmg "dist/release/SFM-${VERSION}-universal.dmg"
          cp "clients/apple/${{ matrix.archive }}/SFM.dSYMs.zip" "dist/release/SFM-${VERSION}-universal.dSYMs.zip"
      - name: Upload image
        if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
        uses: actions/upload-artifact@v4
        with:
          name: binary-macos-dmg
          path: 'dist'
  upload:
    name: Upload builds
    if: always() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')
    runs-on: ubuntu-latest
    needs:
      - calculate_version
      - build
      - build_android
      - build_apple
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Setup Goreleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro
          version: latest
          install-only: true
      - name: Cache ghr
        uses: actions/cache@v4
        id: cache-ghr
        with:
          path: |
            ~/go/bin/ghr
          key: ghr
      - name: Setup ghr
        if: steps.cache-ghr.outputs.cache-hit != 'true'
        run: |-
          cd $HOME
          git clone https://github.com/nekohasekai/ghr ghr
          cd ghr
          go install -v .
      - name: Set tag
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=true" >> "$GITHUB_ENV"
          git tag v${{ needs.calculate_version.outputs.version }} -f
          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
      - name: Download builds
        uses: actions/download-artifact@v4
        with:
          path: dist
          merge-multiple: true
      - name: Merge builds
        if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
        run: |-
          goreleaser continue --merge --skip publish
          mkdir -p dist/release
          mv dist/*/sing-box*{tar.gz,zip,deb,rpm,_amd64.pkg.tar.zst,_arm64.pkg.tar.zst} dist/release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
      - name: Upload builds
        if: ${{ env.PUBLISHED != 'true' }}
        run: |-
          export PATH="$PATH:$HOME/go/bin"
          ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Replace builds
        if: ${{ env.PUBLISHED == 'true' }}
        run: |-
          export PATH="$PATH:$HOME/go/bin"
          ghr --replace -p 5 "v${VERSION}" dist/release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -0,0 +1,220 @@
 name: Debug build
 on:
  push:
    branches:
      - stable-next
      - main-next
      - dev-next
    paths-ignore:
      - '**.md'
      - '.github/**'
      - '!.github/workflows/debug.yml'
  pull_request:
    branches:
      - stable-next
      - main-next
      - dev-next
 jobs:
  build:
    name: Debug build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ^1.22
        continue-on-error: true
      - name: Run Test
        run: |
          go test -v ./...
  build_go118:
    name: Debug build (Go 1.18)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ~1.18
      - name: Cache go module
        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
          key: go118-${{ hashFiles('**/go.sum') }}
      - name: Run Test
        run: make ci_build_go118
  build_go120:
    name: Debug build (Go 1.20)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ~1.20
      - name: Cache go module
        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
          key: go120-${{ hashFiles('**/go.sum') }}
      - name: Run Test
        run: make ci_build_go120
  build_go121:
    name: Debug build (Go 1.21)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ~1.21
      - name: Cache go module
        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
          key: go121-${{ hashFiles('**/go.sum') }}
      - name: Run Test
        run: make ci_build
  cross:
    strategy:
      matrix:
        include:
          # windows
          - name: windows-amd64
            goos: windows
            goarch: amd64
            goamd64: v1
          - name: windows-amd64-v3
            goos: windows
            goarch: amd64
            goamd64: v3
          - name: windows-386
            goos: windows
            goarch: 386
          - name: windows-arm64
            goos: windows
            goarch: arm64
          - name: windows-arm32v7
            goos: windows
            goarch: arm
            goarm: 7
          # linux
          - name: linux-amd64
            goos: linux
            goarch: amd64
            goamd64: v1
          - name: linux-amd64-v3
            goos: linux
            goarch: amd64
            goamd64: v3
          - name: linux-386
            goos: linux
            goarch: 386
          - name: linux-arm64
            goos: linux
            goarch: arm64
          - name: linux-armv5
            goos: linux
            goarch: arm
            goarm: 5
          - name: linux-armv6
            goos: linux
            goarch: arm
            goarm: 6
          - name: linux-armv7
            goos: linux
            goarch: arm
            goarm: 7
          - name: linux-mips-softfloat
            goos: linux
            goarch: mips
            gomips: softfloat
          - name: linux-mips-hardfloat
            goos: linux
            goarch: mips
            gomips: hardfloat
          - name: linux-mipsel-softfloat
            goos: linux
            goarch: mipsle
            gomips: softfloat
          - name: linux-mipsel-hardfloat
            goos: linux
            goarch: mipsle
            gomips: hardfloat
          - name: linux-mips64
            goos: linux
            goarch: mips64
          - name: linux-mips64el
            goos: linux
            goarch: mips64le
          - name: linux-s390x
            goos: linux
            goarch: s390x
          # darwin
          - name: darwin-amd64
            goos: darwin
            goarch: amd64
            goamd64: v1
          - name: darwin-amd64-v3
            goos: darwin
            goarch: amd64
            goamd64: v3
          - name: darwin-arm64
            goos: darwin
            goarch: arm64
          # freebsd
          - name: freebsd-amd64
            goos: freebsd
            goarch: amd64
            goamd64: v1
          - name: freebsd-amd64-v3
            goos: freebsd
            goarch: amd64
            goamd64: v3
          - name: freebsd-386
            goos: freebsd
            goarch: 386
          - name: freebsd-arm64
            goos: freebsd
            goarch: arm64
      fail-fast: true
    runs-on: ubuntu-latest
    env:
      GOOS: ${{ matrix.goos }}
      GOARCH: ${{ matrix.goarch }}
      GOAMD64: ${{ matrix.goamd64 }}
      GOARM: ${{ matrix.goarm }}
      GOMIPS: ${{ matrix.gomips }}
      CGO_ENABLED: 0
      TAGS: with_clash_api,with_quic
    steps:
      - name: Checkout
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ^1.21
      - name: Build
        id: build
        run: make
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,93 +1,16 @@
-name: Publish Docker Images
+name: Build Docker Images
 on:
  release:
    types:
-      - published
+      - released
  workflow_dispatch:
    inputs:
      tag:
        description: "The tag version you want to build"
 env:
  REGISTRY_IMAGE: ghcr.io/sagernet/sing-box
 jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
      matrix:
        platform:
          - linux/amd64
          - linux/arm/v6
          - linux/arm/v7
          - linux/arm64
          - linux/386
          - linux/ppc64le
          - linux/riscv64
          - linux/s390x
    steps:
      - name: Get commit to build
        id: ref
        run: |-
          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
            ref="${{ github.ref_name }}"
          else
            ref="${{ github.event.inputs.tag }}"
          fi
          echo "ref=$ref"
          echo "ref=$ref" >> $GITHUB_OUTPUT
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          ref: ${{ steps.ref.outputs.ref }}
          fetch-depth: 0
      - name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      - name: Setup QEMU
        uses: docker/setup-qemu-action@v3
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
      - name: Build and push by digest
        id: build
        uses: docker/build-push-action@v6
        with:
          platforms: ${{ matrix.platform }}
          context: .
          build-args: |
            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
      - name: Export digest
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1
  merge:
    runs-on: ubuntu-latest
    needs:
      - build
    steps:
      - name: Get commit to build
        id: ref
@@ -106,28 +29,34 @@ jobs:
          fi
          echo "latest=$latest"
          echo "latest=$latest" >> $GITHUB_OUTPUT
-      - name: Download digests
+      - name: Checkout
-        uses: actions/download-artifact@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
-          path: /tmp/digests
+          ref: ${{ steps.ref.outputs.ref }}
-          pattern: digests-*
+      - name: Setup Docker Buildx
          merge-multiple: true
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Setup QEMU for Docker Buildx
        uses: docker/setup-qemu-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Create manifest list and push
+      - name: Docker metadata
-        working-directory: /tmp/digests
+        id: metadata
-        run: |
+        uses: docker/metadata-action@v5
-          docker buildx imagetools create \
+        with:
-            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}" \
+          images: ghcr.io/sagernet/sing-box
-            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
+      - name: Build and release Docker images
-            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
+        uses: docker/build-push-action@v5
-      - name: Inspect image
+        with:
-        run: |
+          platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
-          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}
+          context: .
-          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}
+          target: dist
          build-args: |
            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
          tags: |
            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.latest }}
            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.ref }}
          push: true
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -22,13 +22,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.22
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -10,18 +10,19 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.22
      - name: Extract signing key
        run: |-
          mkdir -p $HOME/.gnupg
          cat > $HOME/.gnupg/sagernet.key <<EOF
          ${{ secrets.GPG_KEY }}
          echo "HOME=$HOME" >> "$GITHUB_ENV"
          EOF
          echo "HOME=$HOME" >> "$GITHUB_ENV"
      - name: Publish release
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -12,5 +12,4 @@ jobs:
        with:
          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
          days-before-stale: 60
-          days-before-close: 5
+          days-before-close: 5
          exempt-issue-labels: 'bug,enhancement'
--- a/.gitignore
+++ b/.gitignore
@@ -14,5 +14,3 @@
 /*.xcframework/
 .DS_Store
 /config.d/
 /venv/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -6,7 +6,14 @@ linters:
    - gci
    - staticcheck
    - paralleltest
-    - ineffassign
+
 run:
  skip-dirs:
    - transport/simple-obfs
    - transport/clashssr
    - transport/cloudflaretls
    - transport/shadowtls/tls
    - transport/shadowtls/tls_go119
 linters-settings:
  gci:
@@ -16,13 +23,4 @@ linters-settings:
      - prefix(github.com/sagernet/)
      - default
  staticcheck:
-    checks:
+    go: '1.20'
      - all
      - -SA1003
 run:
  go: "1.23"
 issues:
  exclude-dirs:
    - transport/simple-obfs
--- a/.goreleaser.fury.yaml
+++ b/.goreleaser.fury.yaml
@@ -26,7 +26,6 @@ builds:
      - linux_arm_7
      - linux_s390x
      - linux_riscv64
      - linux_mips64le
    mod_timestamp: '{{ .CommitTimestamp }}'
 snapshot:
  name_template: "{{ .Version }}.{{ .ShortCommit }}"
@@ -49,19 +48,10 @@ nfpms:
      - src: release/config/config.json
        dst: /etc/sing-box/config.json
        type: config
      - src: release/config/sing-box.service
        dst: /usr/lib/systemd/system/sing-box.service
      - src: release/config/sing-box@.service
        dst: /usr/lib/systemd/system/sing-box@.service
      - src: release/completions/sing-box.bash
        dst: /usr/share/bash-completion/completions/sing-box.bash
      - src: release/completions/sing-box.fish
        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
      - src: release/completions/sing-box.zsh
        dst: /usr/share/zsh/site-functions/_sing-box
      - src: LICENSE
        dst: /usr/share/licenses/sing-box/LICENSE
    deb:
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,4 +1,3 @@
 version: 2
 project_name: sing-box
 builds:
  - &template
@@ -8,9 +7,7 @@ builds:
      - -v
      - -trimpath
    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
      - -s
      - -buildid=
    tags:
      - with_gvisor
      - with_quic
@@ -26,13 +23,13 @@ builds:
    targets:
      - linux_386
      - linux_amd64_v1
      - linux_amd64_v3
      - linux_arm64
      - linux_arm_6
      - linux_arm_7
      - linux_s390x
      - linux_riscv64
      - linux_mips64le
      - windows_amd64_v1
      - windows_amd64_v3
      - windows_386
      - windows_arm64
      - darwin_amd64_v1
@@ -89,6 +86,8 @@ builds:
      - android_arm64
      - android_386
      - android_amd64
 snapshot:
  name_template: "{{ .Version }}.{{ .ShortCommit }}"
 archives:
  - &template
    id: archive
@@ -102,7 +101,7 @@ archives:
    wrap_in_directory: true
    files:
      - LICENSE
-    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
  - id: archive-legacy
    <<: *template
    builds:
@@ -111,7 +110,7 @@ archives:
 nfpms:
  - id: package
    package_name: sing-box
-    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
    builds:
      - main
    homepage: https://sing-box.sagernet.org/
@@ -122,26 +121,15 @@ nfpms:
      - deb
      - rpm
      - archlinux
 #      - apk
 #      - ipk
    priority: extra
    contents:
      - src: release/config/config.json
        dst: /etc/sing-box/config.json
        type: config
      - src: release/config/sing-box.service
        dst: /usr/lib/systemd/system/sing-box.service
      - src: release/config/sing-box@.service
        dst: /usr/lib/systemd/system/sing-box@.service
      - src: release/completions/sing-box.bash
        dst: /usr/share/bash-completion/completions/sing-box.bash
      - src: release/completions/sing-box.fish
        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
      - src: release/completions/sing-box.zsh
        dst: /usr/share/zsh/site-functions/_sing-box
      - src: LICENSE
        dst: /usr/share/licenses/sing-box/LICENSE
    deb:
@@ -153,34 +141,13 @@ nfpms:
      signature:
        key_file: "{{ .Env.NFPM_KEY_PATH }}"
    overrides:
-      apk:
+      deb:
-        contents:
+        conflicts:
-          - src: release/config/config.json
+          - sing-box-beta
-            dst: /etc/sing-box/config.json
+      rpm:
-            type: config
+        conflicts:
          - sing-box-beta
          - src: release/config/sing-box.initd
            dst: /etc/init.d/sing-box
          - src: release/completions/sing-box.bash
            dst: /usr/share/bash-completion/completions/sing-box.bash
          - src: release/completions/sing-box.fish
            dst: /usr/share/fish/vendor_completions.d/sing-box.fish
          - src: release/completions/sing-box.zsh
            dst: /usr/share/zsh/site-functions/_sing-box
          - src: LICENSE
            dst: /usr/share/licenses/sing-box/LICENSE
      ipk:
        contents:
          - src: release/config/config.json
            dst: /etc/sing-box/config.json
            type: config
          - src: release/config/openwrt.init
            dst: /etc/init.d/sing-box
          - src: release/config/openwrt.conf
            dst: /etc/config/sing-box
 source:
  enabled: false
  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
@@ -200,6 +167,4 @@ release:
  ids:
    - archive
    - package
-  skip_upload: true
+  skip_upload: true
 partial:
  by: target
--- a/4
+++ b/4
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.23-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.22-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
@@ -21,7 +21,7 @@ FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
    && apk upgrade \
-    && apk add bash tzdata ca-certificates nftables \
+    && apk add bash tzdata ca-certificates \
    && rm -rf /var/cache/apk/*
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]
--- a/122
+++ b/122
@@ -1,6 +1,7 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS_GO120 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls
+TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api
 TAGS_GO120 = with_quic,with_utls
 TAGS_GO121 = with_ech
 TAGS ?= $(TAGS_GO118),$(TAGS_GO120),$(TAGS_GO121)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server
@@ -19,17 +20,18 @@ PREFIX ?= $(shell go env GOPATH)
 build:
 	go build $(MAIN_PARAMS) $(MAIN)
 ci_build_go118:
 	go build $(PARAMS) $(MAIN)
 	go build $(PARAMS) -tags "$(TAGS_GO118)" $(MAIN)
 ci_build_go120:
 	go build $(PARAMS) $(MAIN)
-	go build $(PARAMS) -tags "$(TAGS_GO120)" $(MAIN)
+	go build $(PARAMS) -tags "$(TAGS_GO118),$(TAGS_GO120)" $(MAIN)
 ci_build:
 	go build $(PARAMS) $(MAIN)
 	go build $(MAIN_PARAMS) $(MAIN)
 generate_completions:
 	go run -v --tags generate,generate_completions $(MAIN)
 install:
 	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
@@ -69,9 +71,10 @@ release:
 		dist/*.deb \
 		dist/*.rpm \
 		dist/*_amd64.pkg.tar.zst \
 		dist/*_amd64v3.pkg.tar.zst \
 		dist/*_arm64.pkg.tar.zst \
 		dist/release
-	ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release
+	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
 	rm -r dist/release
 release_repo:
@@ -90,21 +93,21 @@ upload_android:
 	mkdir -p dist/release_android
 	cp ../sing-box-for-android/app/build/outputs/apk/play/release/*.apk dist/release_android
 	cp ../sing-box-for-android/app/build/outputs/apk/other/release/*-universal.apk dist/release_android
-	ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release_android
+	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
 	rm -rf dist/release_android
 release_android: lib_android update_android_version build_android upload_android
 publish_android:
-	cd ../sing-box-for-android && ./gradlew :app:publishPlayReleaseBundle && ./gradlew --stop
+	cd ../sing-box-for-android && ./gradlew :app:publishPlayReleaseBundle
 publish_android_appcenter:
 	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadPlayRelease
 # TODO: find why and remove `-destination 'generic/platform=iOS'`
 # TODO: remove xcode clean when fix control widget fixed
 build_ios:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFI.xcarchive && \
-	xcodebuild clean -scheme SFI && \
+	xcodebuild archive -scheme SFI -configuration Release -archivePath build/SFI.xcarchive
 	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates
 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
@@ -115,89 +118,58 @@ release_ios: build_ios upload_ios_app_store
 build_macos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFM.xcarchive && \
-	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive -allowProvisioningUpdates
+	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive
 upload_macos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
 release_macos: build_macos upload_macos_app_store
-build_macos_standalone:
+build_macos_independent:
 	cd ../sing-box-for-apple && \
-	rm -rf build/SFM.System.xcarchive && \
+	rm -rf build/SFT.System.xcarchive && \
-	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive -allowProvisioningUpdates
+	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive
-build_macos_dmg:
+notarize_macos_independent:
 	cd ../sing-box-for-apple && \
 	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist  -allowProvisioningUpdates
 wait_notarize_macos_independent:
 	sleep 60
 export_macos_independent:
 	rm -rf dist/SFM
 	mkdir -p dist/SFM
 	cd ../sing-box-for-apple && \
-	rm -rf build/SFM.System && \
+	xcodebuild -exportNotarizedApp -archivePath build/SFM.System.xcarchive -exportPath "../sing-box/dist/SFM"
 	rm -rf build/SFM.dmg && \
 	xcodebuild -exportArchive \
 		-archivePath "build/SFM.System.xcarchive" \
 		-exportOptionsPlist SFM.System/Export.plist -allowProvisioningUpdates \
 		-exportPath "build/SFM.System" && \
 	create-dmg \
 		--volname "sing-box" \
 		--volicon "build/SFM.System/SFM.app/Contents/Resources/AppIcon.icns" \
 		--icon "SFM.app" 0 0 \
 		--hide-extension "SFM.app" \
 		--app-drop-link 0 0 \
 		--skip-jenkins \
 		"../sing-box/dist/SFM/SFM.dmg" "build/SFM.System/SFM.app"
-notarize_macos_dmg:
+upload_macos_independent:
 	xcrun notarytool submit "dist/SFM/SFM.dmg" --wait \
 	  --keychain-profile "notarytool-password" \
  	  --no-s3-acceleration
 upload_macos_dmg:
 	cd dist/SFM && \
-	cp SFM.dmg "SFM-${VERSION}-universal.dmg" && \
+	rm -f *.zip && \
-	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dmg"
+	zip -ry "SFM-${VERSION}-universal.zip" SFM.app && \
 	ghr --replace --draft --prerelease "v${VERSION}" *.zip
-upload_macos_dsyms:
+release_macos_independent: build_macos_independent notarize_macos_independent wait_notarize_macos_independent export_macos_independent upload_macos_independent
 	pushd ../sing-box-for-apple/build/SFM.System.xcarchive && \
 	zip -r SFM.dSYMs.zip dSYMs && \
 	mv SFM.dSYMs.zip ../../../sing-box/dist/SFM && \
 	popd && \
 	cd dist/SFM && \
 	cp SFM.dSYMs.zip "SFM-${VERSION}-universal.dSYMs.zip" && \
 	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dSYMs.zip"
 release_macos_standalone: build_macos_standalone build_macos_dmg notarize_macos_dmg upload_macos_dmg upload_macos_dsyms
 build_tvos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.xcarchive && \
-	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive -allowProvisioningUpdates
+	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive
 upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
 release_tvos: build_tvos upload_tvos_app_store
 update_apple_version:
 	go run ./cmd/internal/update_apple_version
-update_macos_version:
+release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
 	MACOS_PROJECT_VERSION=$(shell go run -v ./cmd/internal/app_store_connect next_macos_project_version) go run ./cmd/internal/update_apple_version
 release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_standalone
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
 publish_testflight:
 	go run -v ./cmd/internal/app_store_connect publish_testflight
 prepare_app_store:
 	go run -v ./cmd/internal/app_store_connect prepare_app_store
 publish_app_store:
 	go run -v ./cmd/internal/app_store_connect publish_app_store
 test:
 	@go test -v ./... && \
 	cd test && \
@@ -213,33 +185,25 @@ test_stdio:
 lib_android:
 	go run ./cmd/internal/build_libbox -target android
 lib_android_debug:
 	go run ./cmd/internal/build_libbox -target android -debug
 lib_apple:
 	go run ./cmd/internal/build_libbox -target apple
 lib_ios:
-	go run ./cmd/internal/build_libbox -target apple -platform ios -debug
+	go run ./cmd/internal/build_libbox -target ios
 lib:
 	go run ./cmd/internal/build_libbox -target android
 	go run ./cmd/internal/build_libbox -target ios
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.4
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.3
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.4
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.3
 docs:
-	venv/bin/mkdocs serve
+	mkdocs serve
 publish_docs:
-	venv/bin/mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
+	mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
 docs_install:
-	python -m venv venv
+	pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
 	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
 clean:
 	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box
--- a/README.md
+++ b/README.md
@@ -8,6 +8,10 @@ The universal proxy platform.
 https://sing-box.sagernet.org
 ## Support
 https://community.sagernet.org/c/sing-box/
 ## License
 ```
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@@ -4,13 +4,14 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
 	"io"
 	"net"
 	"time"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-dns"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/varbin"
+	"github.com/sagernet/sing/common/rw"
 )
 type ClashServer interface {
@@ -55,15 +56,16 @@ func (s *SavedRuleSet) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	err = varbin.Write(&buffer, binary.BigEndian, s.Content)
+	err = rw.WriteUVariant(&buffer, uint64(len(s.Content)))
 	if err != nil {
 		return nil, err
 	}
 	buffer.Write(s.Content)
 	err = binary.Write(&buffer, binary.BigEndian, s.LastUpdated.Unix())
 	if err != nil {
 		return nil, err
 	}
-	err = varbin.Write(&buffer, binary.BigEndian, s.LastEtag)
+	err = rw.WriteVString(&buffer, s.LastEtag)
 	if err != nil {
 		return nil, err
 	}
@@ -77,7 +79,12 @@ func (s *SavedRuleSet) UnmarshalBinary(data []byte) error {
 	if err != nil {
 		return err
 	}
-	err = varbin.Read(reader, binary.BigEndian, &s.Content)
+	contentLen, err := rw.ReadUVariant(reader)
 	if err != nil {
 		return err
 	}
 	s.Content = make([]byte, contentLen)
 	_, err = io.ReadFull(reader, s.Content)
 	if err != nil {
 		return err
 	}
@@ -87,7 +94,7 @@ func (s *SavedRuleSet) UnmarshalBinary(data []byte) error {
 		return err
 	}
 	s.LastUpdated = time.Unix(lastUpdated, 0)
-	err = varbin.Read(reader, binary.BigEndian, &s.LastEtag)
+	s.LastEtag, err = rw.ReadVString(reader)
 	if err != nil {
 		return err
 	}
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -31,16 +31,11 @@ type InboundContext struct {
 	Network     string
 	Source      M.Socksaddr
 	Destination M.Socksaddr
 	Domain      string
 	Protocol    string
 	User        string
 	Outbound    string
 	// sniffer
 	Protocol     string
 	Domain       string
 	Client       string
 	SniffContext any
 	// cache
 	InboundDetour        string
@@ -56,9 +51,7 @@ type InboundContext struct {
 	// rule cache
-	IPCIDRMatchSource bool
+	IPCIDRMatchSource            bool
 	IPCIDRAcceptEmpty bool
 	SourceAddressMatch           bool
 	SourcePortMatch              bool
 	DestinationAddressMatch      bool
@@ -69,7 +62,6 @@ type InboundContext struct {
 func (c *InboundContext) ResetRuleCache() {
 	c.IPCIDRMatchSource = false
 	c.IPCIDRAcceptEmpty = false
 	c.SourceAddressMatch = false
 	c.SourcePortMatch = false
 	c.DestinationAddressMatch = false
@@ -91,6 +83,15 @@ func ContextFrom(ctx context.Context) *InboundContext {
 	return metadata.(*InboundContext)
 }
 func AppendContext(ctx context.Context) (context.Context, *InboundContext) {
 	metadata := ContextFrom(ctx)
 	if metadata != nil {
 		return ctx, metadata
 	}
 	metadata = new(InboundContext)
 	return WithContext(ctx, metadata), metadata
 }
 func ExtendContext(ctx context.Context) (context.Context, *InboundContext) {
 	var newMetadata InboundContext
 	if metadata := ContextFrom(ctx); metadata != nil {
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -2,30 +2,23 @@ package adapter
 import (
 	"context"
 	"net"
 	"net/http"
 	"net/netip"
 	"sync"
 	"github.com/sagernet/sing-box/common/geoip"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"
 	mdns "github.com/miekg/dns"
 	"go4.org/netipx"
 )
 type Router interface {
 	Service
 	PreStarter
 	PostStarter
 	Cleanup() error
 	Outbounds() []Outbound
 	Outbound(tag string) (Outbound, bool)
@@ -52,9 +45,7 @@ type Router interface {
 	DefaultInterface() string
 	AutoDetectInterface() bool
 	AutoDetectInterfaceFunc() control.Func
-	DefaultMark() uint32
+	DefaultMark() int
 	RegisterAutoRedirectOutputMark(mark uint32) error
 	AutoRedirectOutputMark() uint32
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
@@ -101,63 +92,21 @@ type DNSRule interface {
 }
 type RuleSet interface {
-	Name() string
+	StartContext(ctx context.Context, startContext RuleSetStartContext) error
 	StartContext(ctx context.Context, startContext *HTTPStartContext) error
 	PostStart() error
 	Metadata() RuleSetMetadata
 	ExtractIPSet() []*netipx.IPSet
 	IncRef()
 	DecRef()
 	Cleanup()
 	RegisterCallback(callback RuleSetUpdateCallback) *list.Element[RuleSetUpdateCallback]
 	UnregisterCallback(element *list.Element[RuleSetUpdateCallback])
 	Close() error
 	HeadlessRule
 }
 type RuleSetUpdateCallback func(it RuleSet)
 type RuleSetMetadata struct {
 	ContainsProcessRule bool
 	ContainsWIFIRule    bool
 	ContainsIPCIDRRule  bool
 }
 type HTTPStartContext struct {
 	access          sync.Mutex
 	httpClientCache map[string]*http.Client
 }
-func NewHTTPStartContext() *HTTPStartContext {
+type RuleSetStartContext interface {
-	return &HTTPStartContext{
+	HTTPClient(detour string, dialer N.Dialer) *http.Client
-		httpClientCache: make(map[string]*http.Client),
+	Close()
 	}
 }
 func (c *HTTPStartContext) HTTPClient(detour string, dialer N.Dialer) *http.Client {
 	c.access.Lock()
 	defer c.access.Unlock()
 	if httpClient, loaded := c.httpClientCache[detour]; loaded {
 		return httpClient
 	}
 	httpClient := &http.Client{
 		Transport: &http.Transport{
 			ForceAttemptHTTP2:   true,
 			TLSHandshakeTimeout: C.TCPTimeout,
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				return dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 			},
 		},
 	}
 	c.httpClientCache[detour] = httpClient
 	return httpClient
 }
 func (c *HTTPStartContext) Close() {
 	c.access.Lock()
 	defer c.access.Unlock()
 	for _, client := range c.httpClientCache {
 		client.CloseIdleConnections()
 	}
 }
 type InterfaceUpdateListener interface {
--- a/adapter/v2ray.go
+++ b/adapter/v2ray.go
@@ -22,5 +22,4 @@ type V2RayServerTransportHandler interface {
 type V2RayClientTransport interface {
 	DialContext(ctx context.Context) (net.Conn, error)
 	Close() error
 }
--- a/box.go
+++ b/box.go
@@ -111,7 +111,6 @@ func New(options Options) (*Box, error) {
 			ctx,
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
 			tag,
 			inboundOptions,
 			options.PlatformInterface,
 		)
@@ -204,7 +203,7 @@ func (s *Box) PreStart() error {
 		defer func() {
 			v := recover()
 			if v != nil {
-				println(err.Error())
+				log.Error(E.Cause(err, "origin error"))
 				debug.PrintStack()
 				panic("panic on early close: " + fmt.Sprint(v))
 			}
@@ -223,9 +222,9 @@ func (s *Box) Start() error {
 		defer func() {
 			v := recover()
 			if v != nil {
-				println(err.Error())
+				log.Error(E.Cause(err, "origin error"))
 				debug.PrintStack()
-				println("panic on early start: " + fmt.Sprint(v))
+				panic("panic on early close: " + fmt.Sprint(v))
 			}
 		}()
 		s.Close()
@@ -303,11 +302,7 @@ func (s *Box) start() error {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
-	err = s.postStart()
+	return s.postStart()
 	if err != nil {
 		return err
 	}
 	return s.router.Cleanup()
 }
 func (s *Box) postStart() error {
@@ -317,28 +312,16 @@ func (s *Box) postStart() error {
 			return E.Cause(err, "start ", serviceName)
 		}
 	}
-	// TODO: reorganize ALL start order
+	for _, outbound := range s.outbounds {
-	for _, out := range s.outbounds {
+		if lateOutbound, isLateOutbound := outbound.(adapter.PostStarter); isLateOutbound {
 		if lateOutbound, isLateOutbound := out.(adapter.PostStarter); isLateOutbound {
 			err := lateOutbound.PostStart()
 			if err != nil {
-				return E.Cause(err, "post-start outbound/", out.Tag())
+				return E.Cause(err, "post-start outbound/", outbound.Tag())
 			}
 		}
 	}
-	err := s.router.PostStart()
+
-	if err != nil {
+	return s.router.PostStart()
 		return err
 	}
 	for _, in := range s.inbounds {
 		if lateInbound, isLateInbound := in.(adapter.PostStarter); isLateInbound {
 			err = lateInbound.PostStart()
 			if err != nil {
 				return E.Cause(err, "post-start inbound/", in.Tag())
 			}
 		}
 	}
 	return nil
 }
 func (s *Box) Close() error {
--- a/box_outbound.go
+++ b/box_outbound.go
@@ -45,9 +45,7 @@ func (s *Box) startOutbounds() error {
 			}
 			started[outboundTag] = true
 			canContinue = true
-			if starter, isStarter := outboundToStart.(interface {
+			if starter, isStarter := outboundToStart.(common.Starter); isStarter {
 				Start() error
 			}); isStarter {
 				monitor.Start("initialize outbound/", outboundToStart.Type(), "[", outboundTag, "]")
 				err := starter.Start()
 				monitor.Finish()
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/internal/app_store_connect/main.go
+++ b/cmd/internal/app_store_connect/main.go
@@ -1,447 +0,0 @@
 package main
 import (
 	"context"
 	"net/http"
 	"os"
 	"strconv"
 	"time"
 	"github.com/sagernet/asc-go/asc"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 )
 func main() {
 	ctx := context.Background()
 	switch os.Args[1] {
 	case "next_macos_project_version":
 		err := fetchMacOSVersion(ctx)
 		if err != nil {
 			log.Fatal(err)
 		}
 	case "publish_testflight":
 		err := publishTestflight(ctx)
 		if err != nil {
 			log.Fatal(err)
 		}
 	case "cancel_app_store":
 		err := cancelAppStore(ctx, os.Args[2])
 		if err != nil {
 			log.Fatal(err)
 		}
 	case "prepare_app_store":
 		err := prepareAppStore(ctx)
 		if err != nil {
 			log.Fatal(err)
 		}
 	case "publish_app_store":
 		err := publishAppStore(ctx)
 		if err != nil {
 			log.Fatal(err)
 		}
 	default:
 		log.Fatal("unknown action: ", os.Args[1])
 	}
 }
 const (
 	appID   = "6673731168"
 	groupID = "5c5f3b78-b7a0-40c0-bcad-e6ef87bbefda"
 )
 func createClient(expireDuration time.Duration) *asc.Client {
 	privateKey, err := os.ReadFile(os.Getenv("ASC_KEY_PATH"))
 	if err != nil {
 		log.Fatal(err)
 	}
 	tokenConfig, err := asc.NewTokenConfig(os.Getenv("ASC_KEY_ID"), os.Getenv("ASC_KEY_ISSUER_ID"), expireDuration, privateKey)
 	if err != nil {
 		log.Fatal(err)
 	}
 	return asc.NewClient(tokenConfig.Client())
 }
 func fetchMacOSVersion(ctx context.Context) error {
 	client := createClient(time.Minute)
 	versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
 		FilterPlatform: []string{"MAC_OS"},
 	})
 	if err != nil {
 		return err
 	}
 	var versionID string
 findVersion:
 	for _, version := range versions.Data {
 		switch *version.Attributes.AppStoreState {
 		case asc.AppStoreVersionStateReadyForSale,
 			asc.AppStoreVersionStatePendingDeveloperRelease:
 			versionID = version.ID
 			break findVersion
 		}
 	}
 	if versionID == "" {
 		return E.New("no version found")
 	}
 	latestBuild, _, err := client.Builds.GetBuildForAppStoreVersion(ctx, versionID, &asc.GetBuildForAppStoreVersionQuery{})
 	if err != nil {
 		return err
 	}
 	versionInt, err := strconv.Atoi(*latestBuild.Data.Attributes.Version)
 	if err != nil {
 		return E.Cause(err, "parse version code")
 	}
 	os.Stdout.WriteString(F.ToString(versionInt+1, "\n"))
 	return nil
 }
 func publishTestflight(ctx context.Context) error {
 	tagVersion, err := build_shared.ReadTagVersion()
 	if err != nil {
 		return err
 	}
 	tag := tagVersion.VersionString()
 	client := createClient(10 * time.Minute)
 	log.Info(tag, " list build IDs")
 	buildIDsResponse, _, err := client.TestFlight.ListBuildIDsForBetaGroup(ctx, groupID, nil)
 	if err != nil {
 		return err
 	}
 	buildIDs := common.Map(buildIDsResponse.Data, func(it asc.RelationshipData) string {
 		return it.ID
 	})
 	var platforms []asc.Platform
 	if len(os.Args) == 3 {
 		switch os.Args[2] {
 		case "ios":
 			platforms = []asc.Platform{asc.PlatformIOS}
 		case "macos":
 			platforms = []asc.Platform{asc.PlatformMACOS}
 		case "tvos":
 			platforms = []asc.Platform{asc.PlatformTVOS}
 		default:
 			return E.New("unknown platform: ", os.Args[2])
 		}
 	} else {
 		platforms = []asc.Platform{
 			asc.PlatformIOS,
 			asc.PlatformMACOS,
 			asc.PlatformTVOS,
 		}
 	}
 	for _, platform := range platforms {
 		log.Info(string(platform), " list builds")
 		for {
 			builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
 				FilterApp:                       []string{appID},
 				FilterPreReleaseVersionPlatform: []string{string(platform)},
 			})
 			if err != nil {
 				return err
 			}
 			build := builds.Data[0]
 			if common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 5*time.Minute {
 				log.Info(string(platform), " ", tag, " waiting for process")
 				time.Sleep(15 * time.Second)
 				continue
 			}
 			if *build.Attributes.ProcessingState != "VALID" {
 				log.Info(string(platform), " ", tag, " waiting for process: ", *build.Attributes.ProcessingState)
 				time.Sleep(15 * time.Second)
 				continue
 			}
 			log.Info(string(platform), " ", tag, " list localizations")
 			localizations, _, err := client.TestFlight.ListBetaBuildLocalizationsForBuild(ctx, build.ID, nil)
 			if err != nil {
 				return err
 			}
 			localization := common.Find(localizations.Data, func(it asc.BetaBuildLocalization) bool {
 				return *it.Attributes.Locale == "en-US"
 			})
 			if localization.ID == "" {
 				log.Fatal(string(platform), " ", tag, " no en-US localization found")
 			}
 			if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
 				log.Info(string(platform), " ", tag, " update localization")
 				_, _, err = client.TestFlight.UpdateBetaBuildLocalization(ctx, localization.ID, common.Ptr(
 					F.ToString("sing-box ", tagVersion.String()),
 				))
 				if err != nil {
 					return err
 				}
 			}
 			log.Info(string(platform), " ", tag, " publish")
 			response, err := client.TestFlight.AddBuildsToBetaGroup(ctx, groupID, []string{build.ID})
 			if response != nil && response.StatusCode == http.StatusUnprocessableEntity {
 				log.Info("waiting for process")
 				time.Sleep(15 * time.Second)
 				continue
 			} else if err != nil {
 				return err
 			}
 			log.Info(string(platform), " ", tag, " list submissions")
 			betaSubmissions, _, err := client.TestFlight.ListBetaAppReviewSubmissions(ctx, &asc.ListBetaAppReviewSubmissionsQuery{
 				FilterBuild: []string{build.ID},
 			})
 			if err != nil {
 				return err
 			}
 			if len(betaSubmissions.Data) == 0 {
 				log.Info(string(platform), " ", tag, " create submission")
 				_, _, err = client.TestFlight.CreateBetaAppReviewSubmission(ctx, build.ID)
 				if err != nil {
 					return err
 				}
 			}
 			break
 		}
 	}
 	return nil
 }
 func cancelAppStore(ctx context.Context, platform string) error {
 	switch platform {
 	case "ios":
 		platform = string(asc.PlatformIOS)
 	case "macos":
 		platform = string(asc.PlatformMACOS)
 	case "tvos":
 		platform = string(asc.PlatformTVOS)
 	}
 	tag, err := build_shared.ReadTag()
 	if err != nil {
 		return err
 	}
 	client := createClient(time.Minute)
 	for {
 		log.Info(platform, " list versions")
 		versions, response, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
 			FilterPlatform: []string{string(platform)},
 		})
 		if isRetryable(response) {
 			continue
 		} else if err != nil {
 			return err
 		}
 		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
 			return *it.Attributes.VersionString == tag
 		})
 		if version.ID == "" {
 			return nil
 		}
 		log.Info(platform, " ", tag, " get submission")
 		submission, response, err := client.Submission.GetAppStoreVersionSubmissionForAppStoreVersion(ctx, version.ID, nil)
 		if response != nil && response.StatusCode == http.StatusNotFound {
 			return nil
 		}
 		if isRetryable(response) {
 			continue
 		} else if err != nil {
 			return err
 		}
 		log.Info(platform, " ", tag, " delete submission")
 		_, err = client.Submission.DeleteSubmission(ctx, submission.Data.ID)
 		if err != nil {
 			return err
 		}
 		return nil
 	}
 }
 func prepareAppStore(ctx context.Context) error {
 	tag, err := build_shared.ReadTag()
 	if err != nil {
 		return err
 	}
 	client := createClient(time.Minute)
 	for _, platform := range []asc.Platform{
 		asc.PlatformIOS,
 		asc.PlatformMACOS,
 		asc.PlatformTVOS,
 	} {
 		log.Info(string(platform), " list versions")
 		versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
 			FilterPlatform: []string{string(platform)},
 		})
 		if err != nil {
 			return err
 		}
 		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
 			return *it.Attributes.VersionString == tag
 		})
 		log.Info(string(platform), " ", tag, " list builds")
 		builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
 			FilterApp:                       []string{appID},
 			FilterPreReleaseVersionPlatform: []string{string(platform)},
 		})
 		if err != nil {
 			return err
 		}
 		if len(builds.Data) == 0 {
 			log.Fatal(platform, " ", tag, " no build found")
 		}
 		buildID := common.Ptr(builds.Data[0].ID)
 		if version.ID == "" {
 			log.Info(string(platform), " ", tag, " create version")
 			newVersion, _, err := client.Apps.CreateAppStoreVersion(ctx, asc.AppStoreVersionCreateRequestAttributes{
 				Platform:      platform,
 				VersionString: tag,
 			}, appID, buildID)
 			if err != nil {
 				return err
 			}
 			version = newVersion.Data
 		} else {
 			log.Info(string(platform), " ", tag, " check build")
 			currentBuild, response, err := client.Apps.GetBuildIDForAppStoreVersion(ctx, version.ID)
 			if err != nil {
 				return err
 			}
 			if response.StatusCode != http.StatusOK || currentBuild.Data.ID != *buildID {
 				switch *version.Attributes.AppStoreState {
 				case asc.AppStoreVersionStatePrepareForSubmission,
 					asc.AppStoreVersionStateRejected,
 					asc.AppStoreVersionStateDeveloperRejected:
 				case asc.AppStoreVersionStateWaitingForReview,
 					asc.AppStoreVersionStateInReview,
 					asc.AppStoreVersionStatePendingDeveloperRelease:
 					submission, _, err := client.Submission.GetAppStoreVersionSubmissionForAppStoreVersion(ctx, version.ID, nil)
 					if err != nil {
 						return err
 					}
 					if submission != nil {
 						log.Info(string(platform), " ", tag, " delete submission")
 						_, err = client.Submission.DeleteSubmission(ctx, submission.Data.ID)
 						if err != nil {
 							return err
 						}
 						time.Sleep(5 * time.Second)
 					}
 				default:
 					log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
 				}
 				log.Info(string(platform), " ", tag, " update build")
 				response, err = client.Apps.UpdateBuildForAppStoreVersion(ctx, version.ID, buildID)
 				if err != nil {
 					return err
 				}
 				if response.StatusCode != http.StatusNoContent {
 					response.Write(os.Stderr)
 					log.Fatal(string(platform), " ", tag, " unexpected response: ", response.Status)
 				}
 			} else {
 				switch *version.Attributes.AppStoreState {
 				case asc.AppStoreVersionStatePrepareForSubmission,
 					asc.AppStoreVersionStateRejected,
 					asc.AppStoreVersionStateDeveloperRejected:
 				case asc.AppStoreVersionStateWaitingForReview,
 					asc.AppStoreVersionStateInReview,
 					asc.AppStoreVersionStatePendingDeveloperRelease:
 					continue
 				default:
 					log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
 				}
 			}
 		}
 		log.Info(string(platform), " ", tag, " list localization")
 		localizations, _, err := client.Apps.ListLocalizationsForAppStoreVersion(ctx, version.ID, nil)
 		if err != nil {
 			return err
 		}
 		localization := common.Find(localizations.Data, func(it asc.AppStoreVersionLocalization) bool {
 			return *it.Attributes.Locale == "en-US"
 		})
 		if localization.ID == "" {
 			log.Info(string(platform), " ", tag, " no en-US localization found")
 		}
 		if localization.Attributes.WhatsNew == nil && *localization.Attributes.WhatsNew == "" {
 			log.Info(string(platform), " ", tag, " update localization")
 			_, _, err = client.Apps.UpdateAppStoreVersionLocalization(ctx, localization.ID, &asc.AppStoreVersionLocalizationUpdateRequestAttributes{
 				PromotionalText: common.Ptr("Yet another distribution for sing-box, the universal proxy platform."),
 				WhatsNew:        common.Ptr(F.ToString("sing-box ", tag, ": Fixes and improvements.")),
 			})
 			if err != nil {
 				return err
 			}
 		}
 		log.Info(string(platform), " ", tag, " create submission")
 	fixSubmit:
 		for {
 			_, response, err := client.Submission.CreateSubmission(ctx, version.ID)
 			if err != nil {
 				switch response.StatusCode {
 				case http.StatusInternalServerError:
 					continue
 				default:
 					response.Write(os.Stderr)
 					log.Info(string(platform), " ", tag, " unexpected response: ", response.Status)
 				}
 			}
 			switch response.StatusCode {
 			case http.StatusCreated:
 				break fixSubmit
 			default:
 				response.Write(os.Stderr)
 				log.Info(string(platform), " ", tag, " unexpected response: ", response.Status)
 			}
 		}
 	}
 	return nil
 }
 func publishAppStore(ctx context.Context) error {
 	tag, err := build_shared.ReadTag()
 	if err != nil {
 		return err
 	}
 	client := createClient(time.Minute)
 	for _, platform := range []asc.Platform{
 		asc.PlatformIOS,
 		asc.PlatformMACOS,
 		asc.PlatformTVOS,
 	} {
 		log.Info(string(platform), " list versions")
 		versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
 			FilterPlatform: []string{string(platform)},
 		})
 		if err != nil {
 			return err
 		}
 		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
 			return *it.Attributes.VersionString == tag
 		})
 		switch *version.Attributes.AppStoreState {
 		case asc.AppStoreVersionStatePrepareForSubmission, asc.AppStoreVersionStateDeveloperRejected:
 			log.Fatal(string(platform), " ", tag, " not submitted")
 		case asc.AppStoreVersionStateWaitingForReview,
 			asc.AppStoreVersionStateInReview:
 			log.Warn(string(platform), " ", tag, " waiting for review")
 			continue
 		case asc.AppStoreVersionStatePendingDeveloperRelease:
 		default:
 			log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
 		}
 		_, _, err = client.Publishing.CreatePhasedRelease(ctx, common.Ptr(asc.PhasedReleaseStateComplete), version.ID)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func isRetryable(response *asc.Response) bool {
 	if response == nil {
 		return false
 	}
 	switch response.StatusCode {
 	case http.StatusInternalServerError, http.StatusUnprocessableEntity:
 		return true
 	default:
 		return false
 	}
 }
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -10,21 +10,17 @@ import (
 	_ "github.com/sagernet/gomobile"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
 	"github.com/sagernet/sing/common/shell"
 )
 var (
 	debugEnabled bool
 	target       string
 	platform     string
 )
 func init() {
 	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
 	flag.StringVar(&target, "target", "android", "target platform")
 	flag.StringVar(&platform, "platform", "", "specify platform")
 }
 func main() {
@@ -35,8 +31,8 @@ func main() {
 	switch target {
 	case "android":
 		buildAndroid()
-	case "apple":
+	case "ios":
-		buildApple()
+		buildiOS()
 	}
 }
@@ -66,35 +62,9 @@ func init() {
 func buildAndroid() {
 	build_shared.FindSDK()
 	var javaPath string
 	javaHome := os.Getenv("JAVA_HOME")
 	if javaHome == "" {
 		javaPath = "java"
 	} else {
 		javaPath = filepath.Join(javaHome, "bin", "java")
 	}
 	javaVersion, err := shell.Exec(javaPath, "--version").ReadOutput()
 	if err != nil {
 		log.Fatal(E.Cause(err, "check java version"))
 	}
 	if !strings.Contains(javaVersion, "openjdk 17") {
 		log.Fatal("java version should be openjdk 17")
 	}
 	var bindTarget string
 	if platform != "" {
 		bindTarget = platform
 	} else if debugEnabled {
 		bindTarget = "android/arm64"
 	} else {
 		bindTarget = "android"
 	}
 	args := []string{
 		"bind",
 		"-v",
 		"-target", bindTarget,
 		"-androidapi", "21",
 		"-javapkg=io.nekohasekai",
 		"-libname=box",
@@ -116,14 +86,14 @@ func buildAndroid() {
 	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
 	command.Stdout = os.Stdout
 	command.Stderr = os.Stderr
-	err = command.Run()
+	err := command.Run()
 	if err != nil {
 		log.Fatal(err)
 	}
 	const name = "libbox.aar"
 	copyPath := filepath.Join("..", "sing-box-for-android", "app", "libs")
-	if rw.IsDir(copyPath) {
+	if rw.FileExists(copyPath) {
 		copyPath, _ = filepath.Abs(copyPath)
 		err = rw.CopyFile(name, filepath.Join(copyPath, name))
 		if err != nil {
@@ -133,20 +103,11 @@ func buildAndroid() {
 	}
 }
-func buildApple() {
+func buildiOS() {
 	var bindTarget string
 	if platform != "" {
 		bindTarget = platform
 	} else if debugEnabled {
 		bindTarget = "ios"
 	} else {
 		bindTarget = "ios,tvos,macos"
 	}
 	args := []string{
 		"bind",
 		"-v",
-		"-target", bindTarget,
+		"-target", "ios,iossimulator,tvos,tvossimulator,macos",
 		"-libname=box",
 	}
 	if !debugEnabled {
@@ -173,7 +134,7 @@ func buildApple() {
 	}
 	copyPath := filepath.Join("..", "sing-box-for-apple")
-	if rw.IsDir(copyPath) {
+	if rw.FileExists(copyPath) {
 		targetDir := filepath.Join(copyPath, "Libbox.xcframework")
 		targetDir, _ = filepath.Abs(targetDir)
 		os.RemoveAll(targetDir)
--- a/cmd/internal/build_shared/sdk.go
+++ b/cmd/internal/build_shared/sdk.go
@@ -11,7 +11,9 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
 	"github.com/sagernet/sing/common/shell"
 )
 var (
@@ -28,7 +30,7 @@ func FindSDK() {
 	}
 	for _, path := range searchPath {
 		path = os.ExpandEnv(path)
-		if rw.IsFile(filepath.Join(path, "licenses", "android-sdk-license")) {
+		if rw.FileExists(filepath.Join(path, "licenses", "android-sdk-license")) {
 			androidSDKPath = path
 			break
 		}
@@ -40,6 +42,14 @@ func FindSDK() {
 		log.Fatal("android NDK not found")
 	}
 	javaVersion, err := shell.Exec("java", "--version").ReadOutput()
 	if err != nil {
 		log.Fatal(E.Cause(err, "check java version"))
 	}
 	if !strings.Contains(javaVersion, "openjdk 17") {
 		log.Fatal("java version should be openjdk 17")
 	}
 	os.Setenv("ANDROID_HOME", androidSDKPath)
 	os.Setenv("ANDROID_SDK_HOME", androidSDKPath)
 	os.Setenv("ANDROID_NDK_HOME", androidNDKPath)
@@ -48,16 +58,12 @@ func FindSDK() {
 }
 func findNDK() bool {
-	const fixedVersion = "28.0.12674087"
+	const fixedVersion = "26.2.11394342"
 	const versionFile = "source.properties"
-	if fixedPath := filepath.Join(androidSDKPath, "ndk", fixedVersion); rw.IsFile(filepath.Join(fixedPath, versionFile)) {
+	if fixedPath := filepath.Join(androidSDKPath, "ndk", fixedVersion); rw.FileExists(filepath.Join(fixedPath, versionFile)) {
 		androidNDKPath = fixedPath
 		return true
 	}
 	if ndkHomeEnv := os.Getenv("ANDROID_NDK_HOME"); rw.IsFile(filepath.Join(ndkHomeEnv, versionFile)) {
 		androidNDKPath = ndkHomeEnv
 		return true
 	}
 	ndkVersions, err := os.ReadDir(filepath.Join(androidSDKPath, "ndk"))
 	if err != nil {
 		return false
@@ -80,7 +86,7 @@ func findNDK() bool {
 	})
 	for _, versionName := range versionNames {
 		currentNDKPath := filepath.Join(androidSDKPath, "ndk", versionName)
-		if rw.IsFile(filepath.Join(currentNDKPath, versionFile)) {
+		if rw.FileExists(filepath.Join(androidSDKPath, versionFile)) {
 			androidNDKPath = currentNDKPath
 			log.Warn("reproducibility warning: using NDK version " + versionName + " instead of " + fixedVersion)
 			return true
@@ -94,11 +100,11 @@ var GoBinPath string
 func FindMobile() {
 	goBin := filepath.Join(build.Default.GOPATH, "bin")
 	if runtime.GOOS == "windows" {
-		if !rw.IsFile(filepath.Join(goBin, "gobind.exe")) {
+		if !rw.FileExists(filepath.Join(goBin, "gobind.exe")) {
 			log.Fatal("missing gomobile installation")
 		}
 	} else {
-		if !rw.IsFile(filepath.Join(goBin, "gobind")) {
+		if !rw.FileExists(filepath.Join(goBin, "gobind")) {
 			log.Fatal("missing gomobile installation")
 		}
 	}
--- a/cmd/internal/build_shared/tag.go
+++ b/cmd/internal/build_shared/tag.go
@@ -20,11 +20,6 @@ func ReadTag() (string, error) {
 	return version.String() + "-" + shortCommit, nil
 }
 func ReadTagVersionRev() (badversion.Version, error) {
 	currentTagRev := common.Must1(shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput())
 	return badversion.Parse(currentTagRev[1:]), nil
 }
 func ReadTagVersion() (badversion.Version, error) {
 	currentTag := common.Must1(shell.Exec("git", "describe", "--tags").ReadOutput())
 	currentTagRev := common.Must1(shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput())
--- a/cmd/internal/read_tag/main.go
+++ b/cmd/internal/read_tag/main.go
@@ -1,62 +1,21 @@
 package main
 import (
 	"flag"
 	"os"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 )
 var nightly bool
 func init() {
 	flag.BoolVar(&nightly, "nightly", false, "Print nightly tag")
 }
 func main() {
-	flag.Parse()
+	currentTag, err := build_shared.ReadTag()
-	if nightly {
+	if err != nil {
-		version, err := build_shared.ReadTagVersionRev()
+		log.Error(err)
-		if err != nil {
+		_, err = os.Stdout.WriteString("unknown\n")
 			log.Fatal(err)
 		}
 		var versionStr string
 		if version.PreReleaseIdentifier != "" {
 			versionStr = version.VersionString() + "-nightly"
 		} else {
 			version.Patch++
 			versionStr = version.VersionString() + "-nightly"
 		}
 		err = setGitHubEnv("version", versionStr)
 		if err != nil {
 			log.Fatal(err)
 		}
 	} else {
-		tag, err := build_shared.ReadTag()
+		_, err = os.Stdout.WriteString(currentTag + "\n")
-		if err != nil {
+	}
-			log.Error(err)
+	if err != nil {
-			os.Stdout.WriteString("unknown\n")
+		log.Error(err)
 		} else {
 			os.Stdout.WriteString(tag + "\n")
 		}
 	}
 }
 func setGitHubEnv(name string, value string) error {
 	outputFile, err := os.OpenFile(os.Getenv("GITHUB_ENV"), os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o644)
 	if err != nil {
 		return err
 	}
 	_, err = outputFile.WriteString(name + "=" + value + "\n")
 	if err != nil {
 		outputFile.Close()
 		return err
 	}
 	err = outputFile.Close()
 	if err != nil {
 		return err
 	}
 	os.Stderr.WriteString(name + "=" + value + "\n")
 	return nil
 }
--- a/cmd/internal/update_android_version/main.go
+++ b/cmd/internal/update_android_version/main.go
@@ -1,7 +1,6 @@
 package main
 import (
 	"flag"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -13,22 +12,9 @@ import (
 	"github.com/sagernet/sing/common"
 )
 var flagRunInCI bool
 func init() {
 	flag.BoolVar(&flagRunInCI, "ci", false, "Run in CI")
 }
 func main() {
-	flag.Parse()
+	newVersion := common.Must1(build_shared.ReadTagVersion())
-	newVersion := common.Must1(build_shared.ReadTag())
+	androidPath, err := filepath.Abs("../sing-box-for-android")
 	var androidPath string
 	if flagRunInCI {
 		androidPath = "clients/android"
 	} else {
 		androidPath = "../sing-box-for-android"
 	}
 	androidPath, err := filepath.Abs(androidPath)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -45,10 +31,10 @@ func main() {
 	for _, propPair := range propsList {
 		switch propPair[0] {
 		case "VERSION_NAME":
-			if propPair[1] != newVersion {
+			if propPair[1] != newVersion.String() {
 				versionUpdated = true
-				propPair[1] = newVersion
+				propPair[1] = newVersion.String()
-				log.Info("updated version to ", newVersion)
+				log.Info("updated version to ", newVersion.String())
 			}
 		case "GO_VERSION":
 			if propPair[1] != runtime.Version() {
--- a/cmd/internal/update_apple_version/main.go
+++ b/cmd/internal/update_apple_version/main.go
@@ -1,7 +1,6 @@
 package main
 import (
 	"flag"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -14,22 +13,9 @@ import (
 	"howett.net/plist"
 )
 var flagRunInCI bool
 func init() {
 	flag.BoolVar(&flagRunInCI, "ci", false, "Run in CI")
 }
 func main() {
 	flag.Parse()
 	newVersion := common.Must1(build_shared.ReadTagVersion())
-	var applePath string
+	applePath, err := filepath.Abs("../sing-box-for-apple")
 	if flagRunInCI {
 		applePath = "clients/apple"
 	} else {
 		applePath = "../sing-box-for-apple"
 	}
 	applePath, err := filepath.Abs(applePath)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -40,8 +26,8 @@ func main() {
 	common.Must(decoder.Decode(&project))
 	objectsMap := project["objects"].(map[string]any)
 	projectContent := string(common.Must1(os.ReadFile("sing-box.xcodeproj/project.pbxproj")))
-	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfavt"}, newVersion.VersionString())
+	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
-	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfavt.standalone", "io.nekohasekai.sfavt.system"}, newVersion.String())
+	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
 	if updated0 || updated1 {
 		log.Info("updated version to ", newVersion.VersionString(), " (", newVersion.String(), ")")
 	}
--- a/cmd/sing-box/cmd.go
+++ b/cmd/sing-box/cmd.go
@@ -1,71 +0,0 @@
 package main
 import (
 	"context"
 	"os"
 	"os/user"
 	"strconv"
 	"time"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	_ "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"
 	"github.com/spf13/cobra"
 )
 var (
 	globalCtx         context.Context
 	configPaths       []string
 	configDirectories []string
 	workingDir        string
 	disableColor      bool
 )
 var mainCommand = &cobra.Command{
 	Use:              "sing-box",
 	PersistentPreRun: preRun,
 }
 func init() {
 	mainCommand.PersistentFlags().StringArrayVarP(&configPaths, "config", "c", nil, "set configuration file path")
 	mainCommand.PersistentFlags().StringArrayVarP(&configDirectories, "config-directory", "C", nil, "set configuration directory path")
 	mainCommand.PersistentFlags().StringVarP(&workingDir, "directory", "D", "", "set working directory")
 	mainCommand.PersistentFlags().BoolVarP(&disableColor, "disable-color", "", false, "disable color output")
 }
 func preRun(cmd *cobra.Command, args []string) {
 	globalCtx = context.Background()
 	sudoUser := os.Getenv("SUDO_USER")
 	sudoUID, _ := strconv.Atoi(os.Getenv("SUDO_UID"))
 	sudoGID, _ := strconv.Atoi(os.Getenv("SUDO_GID"))
 	if sudoUID == 0 && sudoGID == 0 && sudoUser != "" {
 		sudoUserObject, _ := user.Lookup(sudoUser)
 		if sudoUserObject != nil {
 			sudoUID, _ = strconv.Atoi(sudoUserObject.Uid)
 			sudoGID, _ = strconv.Atoi(sudoUserObject.Gid)
 		}
 	}
 	if sudoUID > 0 && sudoGID > 0 {
 		globalCtx = filemanager.WithDefault(globalCtx, "", "", sudoUID, sudoGID)
 	}
 	if disableColor {
 		log.SetStdLogger(log.NewDefaultFactory(context.Background(), log.Formatter{BaseTime: time.Now(), DisableColors: true}, os.Stderr, "", nil, false).Logger())
 	}
 	if workingDir != "" {
 		_, err := os.Stat(workingDir)
 		if err != nil {
 			filemanager.MkdirAll(globalCtx, workingDir, 0o777)
 		}
 		err = os.Chdir(workingDir)
 		if err != nil {
 			log.Fatal(err)
 		}
 	}
 	if len(configPaths) == 0 && len(configDirectories) == 0 {
 		configPaths = append(configPaths, "config.json")
 	}
 	globalCtx = service.ContextWith(globalCtx, deprecated.NewStderrManager(log.StdLogger()))
 }
--- a/cmd/sing-box/cmd_check.go
+++ b/cmd/sing-box/cmd_check.go
@@ -30,7 +30,7 @@ func check() error {
 	if err != nil {
 		return err
 	}
-	ctx, cancel := context.WithCancel(globalCtx)
+	ctx, cancel := context.WithCancel(context.Background())
 	instance, err := box.New(box.Options{
 		Context: ctx,
 		Options: options,
--- a/cmd/sing-box/cmd_geoip_export.go
+++ b/cmd/sing-box/cmd_geoip_export.go
@@ -87,7 +87,7 @@ func geoipExport(countryCode string) error {
 		headlessRule.IPCIDR = append(headlessRule.IPCIDR, cidr.String())
 	}
 	var plainRuleSet option.PlainRuleSetCompat
-	plainRuleSet.Version = C.RuleSetVersion2
+	plainRuleSet.Version = C.RuleSetVersion1
 	plainRuleSet.Options.Rules = []option.HeadlessRule{
 		{
 			Type:           C.RuleTypeDefault,
--- a/cmd/sing-box/cmd_geosite_export.go
+++ b/cmd/sing-box/cmd_geosite_export.go
@@ -70,7 +70,7 @@ func geositeExport(category string) error {
 	headlessRule.DomainKeyword = defaultRule.DomainKeyword
 	headlessRule.DomainRegex = defaultRule.DomainRegex
 	var plainRuleSet option.PlainRuleSetCompat
-	plainRuleSet.Version = C.RuleSetVersion2
+	plainRuleSet.Version = C.RuleSetVersion1
 	plainRuleSet.Options.Rules = []option.HeadlessRule{
 		{
 			Type:           C.RuleTypeDefault,
--- a/cmd/sing-box/cmd_merge.go
+++ b/cmd/sing-box/cmd_merge.go
@@ -54,11 +54,7 @@ func merge(outputPath string) error {
 			return nil
 		}
 	}
-	err = rw.MkdirParent(outputPath)
+	err = rw.WriteFile(outputPath, buffer.Bytes())
 	if err != nil {
 		return err
 	}
 	err = os.WriteFile(outputPath, buffer.Bytes(), 0o644)
 	if err != nil {
 		return err
 	}
--- a/cmd/sing-box/cmd_rule_set.go
+++ b/cmd/sing-box/cmd_rule_set.go
@@ -6,7 +6,7 @@ import (
 var commandRuleSet = &cobra.Command{
 	Use:   "rule-set",
-	Short: "Manage rule-sets",
+	Short: "Manage rule sets",
 }
 func init() {
--- a/cmd/sing-box/cmd_rule_set_compile.go
+++ b/cmd/sing-box/cmd_rule_set_compile.go
@@ -55,6 +55,10 @@ func compileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
 	if err != nil {
 		return err
 	}
 	ruleSet := plainRuleSet.Upgrade()
 	var outputPath string
 	if flagRuleSetCompileOutput == flagRuleSetCompileDefaultOutput {
 		if strings.HasSuffix(sourcePath, ".json") {
@@ -69,7 +73,7 @@ func compileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
-	err = srs.Write(outputFile, plainRuleSet.Options, plainRuleSet.Version)
+	err = srs.Write(outputFile, ruleSet)
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputPath)
--- a/cmd/sing-box/cmd_rule_set_convert.go
+++ b/cmd/sing-box/cmd_rule_set_convert.go
@@ -1,89 +0,0 @@
 package main
 import (
 	"io"
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/cmd/sing-box/internal/convertor/adguard"
 	"github.com/sagernet/sing-box/common/srs"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/spf13/cobra"
 )
 var (
 	flagRuleSetConvertType   string
 	flagRuleSetConvertOutput string
 )
 var commandRuleSetConvert = &cobra.Command{
 	Use:   "convert [source-path]",
 	Short: "Convert adguard DNS filter to rule-set",
 	Args:  cobra.ExactArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {
 		err := convertRuleSet(args[0])
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func init() {
 	commandRuleSet.AddCommand(commandRuleSetConvert)
 	commandRuleSetConvert.Flags().StringVarP(&flagRuleSetConvertType, "type", "t", "", "Source type, available: adguard")
 	commandRuleSetConvert.Flags().StringVarP(&flagRuleSetConvertOutput, "output", "o", flagRuleSetCompileDefaultOutput, "Output file")
 }
 func convertRuleSet(sourcePath string) error {
 	var (
 		reader io.Reader
 		err    error
 	)
 	if sourcePath == "stdin" {
 		reader = os.Stdin
 	} else {
 		reader, err = os.Open(sourcePath)
 		if err != nil {
 			return err
 		}
 	}
 	var rules []option.HeadlessRule
 	switch flagRuleSetConvertType {
 	case "adguard":
 		rules, err = adguard.Convert(reader)
 	case "":
 		return E.New("source type is required")
 	default:
 		return E.New("unsupported source type: ", flagRuleSetConvertType)
 	}
 	if err != nil {
 		return err
 	}
 	var outputPath string
 	if flagRuleSetConvertOutput == flagRuleSetCompileDefaultOutput {
 		if strings.HasSuffix(sourcePath, ".txt") {
 			outputPath = sourcePath[:len(sourcePath)-4] + ".srs"
 		} else {
 			outputPath = sourcePath + ".srs"
 		}
 	} else {
 		outputPath = flagRuleSetConvertOutput
 	}
 	outputFile, err := os.Create(outputPath)
 	if err != nil {
 		return err
 	}
 	defer outputFile.Close()
 	err = srs.Write(outputFile, option.PlainRuleSet{Rules: rules}, C.RuleSetVersion2)
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputPath)
 		return err
 	}
 	outputFile.Close()
 	return nil
 }
--- a/cmd/sing-box/cmd_rule_set_decompile.go
+++ b/cmd/sing-box/cmd_rule_set_decompile.go
@@ -1,77 +0,0 @@
 package main
 import (
 	"io"
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/common/srs"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common/json"
 	"github.com/spf13/cobra"
 )
 var flagRuleSetDecompileOutput string
 const flagRuleSetDecompileDefaultOutput = "<file_name>.json"
 var commandRuleSetDecompile = &cobra.Command{
 	Use:   "decompile [binary-path]",
 	Short: "Decompile rule-set binary to json",
 	Args:  cobra.ExactArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {
 		err := decompileRuleSet(args[0])
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func init() {
 	commandRuleSet.AddCommand(commandRuleSetDecompile)
 	commandRuleSetDecompile.Flags().StringVarP(&flagRuleSetDecompileOutput, "output", "o", flagRuleSetDecompileDefaultOutput, "Output file")
 }
 func decompileRuleSet(sourcePath string) error {
 	var (
 		reader io.Reader
 		err    error
 	)
 	if sourcePath == "stdin" {
 		reader = os.Stdin
 	} else {
 		reader, err = os.Open(sourcePath)
 		if err != nil {
 			return err
 		}
 	}
 	ruleSet, err := srs.Read(reader, true)
 	if err != nil {
 		return err
 	}
 	var outputPath string
 	if flagRuleSetDecompileOutput == flagRuleSetDecompileDefaultOutput {
 		if strings.HasSuffix(sourcePath, ".srs") {
 			outputPath = sourcePath[:len(sourcePath)-4] + ".json"
 		} else {
 			outputPath = sourcePath + ".json"
 		}
 	} else {
 		outputPath = flagRuleSetDecompileOutput
 	}
 	outputFile, err := os.Create(outputPath)
 	if err != nil {
 		return err
 	}
 	encoder := json.NewEncoder(outputFile)
 	encoder.SetIndent("", "  ")
 	err = encoder.Encode(ruleSet)
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputPath)
 		return err
 	}
 	outputFile.Close()
 	return nil
 }
--- a/cmd/sing-box/cmd_rule_set_match.go
+++ b/cmd/sing-box/cmd_rule_set_match.go
@@ -12,9 +12,7 @@ import (
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/route"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/spf13/cobra"
 )
@@ -22,8 +20,8 @@ import (
 var flagRuleSetMatchFormat string
 var commandRuleSetMatch = &cobra.Command{
-	Use:   "match <rule-set path> <IP address/domain>",
+	Use:   "match <rule-set path> <domain>",
-	Short: "Check if an IP address or a domain matches the rule-set",
+	Short: "Check if a domain matches the rule set",
 	Args:  cobra.ExactArgs(2),
 	Run: func(cmd *cobra.Command, args []string) {
 		err := ruleSetMatch(args[0], args[1])
@@ -55,31 +53,22 @@ func ruleSetMatch(sourcePath string, domain string) error {
 	if err != nil {
 		return E.Cause(err, "read rule-set")
 	}
-	var ruleSet option.PlainRuleSetCompat
+	var plainRuleSet option.PlainRuleSet
 	switch flagRuleSetMatchFormat {
 	case C.RuleSetFormatSource:
-		ruleSet, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
+		var compat option.PlainRuleSetCompat
 		compat, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
 		if err != nil {
 			return err
 		}
 		plainRuleSet = compat.Upgrade()
 	case C.RuleSetFormatBinary:
-		ruleSet, err = srs.Read(bytes.NewReader(content), false)
+		plainRuleSet, err = srs.Read(bytes.NewReader(content), false)
 		if err != nil {
 			return err
 		}
 	default:
-		return E.New("unknown rule-set format: ", flagRuleSetMatchFormat)
+		return E.New("unknown rule set format: ", flagRuleSetMatchFormat)
 	}
 	plainRuleSet, err := ruleSet.Upgrade()
 	if err != nil {
 		return err
 	}
 	ipAddress := M.ParseAddr(domain)
 	var metadata adapter.InboundContext
 	if ipAddress.IsValid() {
 		metadata.Destination = M.SocksaddrFrom(ipAddress, 0)
 	} else {
 		metadata.Domain = domain
 	}
 	for i, ruleOptions := range plainRuleSet.Rules {
 		var currentRule adapter.HeadlessRule
@@ -87,8 +76,10 @@ func ruleSetMatch(sourcePath string, domain string) error {
 		if err != nil {
 			return E.Cause(err, "parse rule_set.rules.[", i, "]")
 		}
-		if currentRule.Match(&metadata) {
+		if currentRule.Match(&adapter.InboundContext{
-			println(F.ToString("match rules.[", i, "]: ", currentRule))
+			Domain: domain,
 		}) {
 			println("match rules.[", i, "]: "+currentRule.String())
 		}
 	}
 	return nil
--- a/cmd/sing-box/cmd_rule_set_upgrade.go
+++ b/cmd/sing-box/cmd_rule_set_upgrade.go
@@ -1,94 +0,0 @@
 package main
 import (
 	"bytes"
 	"io"
 	"os"
 	"path/filepath"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/spf13/cobra"
 )
 var commandRuleSetUpgradeFlagWrite bool
 var commandRuleSetUpgrade = &cobra.Command{
 	Use:   "upgrade <source-path>",
 	Short: "Upgrade rule-set json",
 	Args:  cobra.ExactArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {
 		err := upgradeRuleSet(args[0])
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func init() {
 	commandRuleSetUpgrade.Flags().BoolVarP(&commandRuleSetUpgradeFlagWrite, "write", "w", false, "write result to (source) file instead of stdout")
 	commandRuleSet.AddCommand(commandRuleSetUpgrade)
 }
 func upgradeRuleSet(sourcePath string) error {
 	var (
 		reader io.Reader
 		err    error
 	)
 	if sourcePath == "stdin" {
 		reader = os.Stdin
 	} else {
 		reader, err = os.Open(sourcePath)
 		if err != nil {
 			return err
 		}
 	}
 	content, err := io.ReadAll(reader)
 	if err != nil {
 		return err
 	}
 	plainRuleSetCompat, err := json.UnmarshalExtended[option.PlainRuleSetCompat](content)
 	if err != nil {
 		return err
 	}
 	switch plainRuleSetCompat.Version {
 	case C.RuleSetVersion1:
 	default:
 		log.Info("already up-to-date")
 		return nil
 	}
 	plainRuleSet, err := plainRuleSetCompat.Upgrade()
 	if err != nil {
 		return err
 	}
 	buffer := new(bytes.Buffer)
 	encoder := json.NewEncoder(buffer)
 	encoder.SetIndent("", "  ")
 	err = encoder.Encode(plainRuleSet)
 	if err != nil {
 		return E.Cause(err, "encode config")
 	}
 	outputPath, _ := filepath.Abs(sourcePath)
 	if !commandRuleSetUpgradeFlagWrite || sourcePath == "stdin" {
 		os.Stdout.WriteString(buffer.String() + "\n")
 		return nil
 	}
 	if bytes.Equal(content, buffer.Bytes()) {
 		return nil
 	}
 	output, err := os.Create(sourcePath)
 	if err != nil {
 		return E.Cause(err, "open output")
 	}
 	_, err = output.Write(buffer.Bytes())
 	output.Close()
 	if err != nil {
 		return E.Cause(err, "write output")
 	}
 	os.Stderr.WriteString(outputPath + "\n")
 	return nil
 }
--- a/cmd/sing-box/cmd_run.go
+++ b/cmd/sing-box/cmd_run.go
@@ -109,7 +109,7 @@ func readConfigAndMerge() (option.Options, error) {
 	}
 	var mergedMessage json.RawMessage
 	for _, options := range optionsList {
-		mergedMessage, err = badjson.MergeJSON(options.options.RawMessage, mergedMessage, false)
+		mergedMessage, err = badjson.MergeJSON(options.options.RawMessage, mergedMessage)
 		if err != nil {
 			return option.Options{}, E.Cause(err, "merge config at ", options.path)
 		}
@@ -188,12 +188,9 @@ func run() error {
 			cancel()
 			closeCtx, closed := context.WithCancel(context.Background())
 			go closeMonitor(closeCtx)
-			err = instance.Close()
+			instance.Close()
 			closed()
 			if osSignal != syscall.SIGHUP {
 				if err != nil {
 					log.Error(E.Cause(err, "sing-box did not closed properly"))
 				}
 				return nil
 			}
 			break
--- a/cmd/sing-box/cmd_tools_fetch.go
+++ b/cmd/sing-box/cmd_tools_fetch.go
@@ -9,10 +9,8 @@ import (
 	"net/url"
 	"os"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/spf13/cobra"
@@ -34,10 +32,7 @@ func init() {
 	commandTools.AddCommand(commandFetch)
 }
-var (
+var httpClient *http.Client
 	httpClient  *http.Client
 	http3Client *http.Client
 )
 func fetch(args []string) error {
 	instance, err := createPreStartedClient()
@@ -58,16 +53,8 @@ func fetch(args []string) error {
 		},
 	}
 	defer httpClient.CloseIdleConnections()
 	if C.WithQUIC {
 		err = initializeHTTP3Client(instance)
 		if err != nil {
 			return err
 		}
 		defer http3Client.CloseIdleConnections()
 	}
 	for _, urlString := range args {
-		var parsedURL *url.URL
+		parsedURL, err := url.Parse(urlString)
 		parsedURL, err = url.Parse(urlString)
 		if err != nil {
 			return err
 		}
@@ -76,27 +63,16 @@ func fetch(args []string) error {
 			parsedURL.Scheme = "http"
 			fallthrough
 		case "http", "https":
-			err = fetchHTTP(httpClient, parsedURL)
+			err = fetchHTTP(parsedURL)
 			if err != nil {
 				return err
 			}
 		case "http3":
 			if !C.WithQUIC {
 				return C.ErrQUICNotIncluded
 			}
 			parsedURL.Scheme = "https"
 			err = fetchHTTP(http3Client, parsedURL)
 			if err != nil {
 				return err
 			}
 		default:
 			return E.New("unsupported scheme: ", parsedURL.Scheme)
 		}
 	}
 	return nil
 }
-func fetchHTTP(httpClient *http.Client, parsedURL *url.URL) error {
+func fetchHTTP(parsedURL *url.URL) error {
 	request, err := http.NewRequest("GET", parsedURL.String(), nil)
 	if err != nil {
 		return err
--- a/cmd/sing-box/cmd_tools_fetch_http3.go
+++ b/cmd/sing-box/cmd_tools_fetch_http3.go
@@ -1,36 +0,0 @@
 //go:build with_quic
 package main
 import (
 	"context"
 	"crypto/tls"
 	"net/http"
 	"github.com/sagernet/quic-go"
 	"github.com/sagernet/quic-go/http3"
 	box "github.com/sagernet/sing-box"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 func initializeHTTP3Client(instance *box.Box) error {
 	dialer, err := createDialer(instance, N.NetworkUDP, commandToolsFlagOutbound)
 	if err != nil {
 		return err
 	}
 	http3Client = &http.Client{
 		Transport: &http3.RoundTripper{
 			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 				destination := M.ParseSocksaddr(addr)
 				udpConn, dErr := dialer.DialContext(ctx, N.NetworkUDP, destination)
 				if dErr != nil {
 					return nil, dErr
 				}
 				return quic.DialEarly(ctx, bufio.NewUnbindPacketConn(udpConn), udpConn.RemoteAddr(), tlsCfg, cfg)
 			},
 		},
 	}
 	return nil
 }
--- a/cmd/sing-box/cmd_tools_fetch_http3_stub.go
+++ b/cmd/sing-box/cmd_tools_fetch_http3_stub.go
@@ -1,18 +0,0 @@
 //go:build !with_quic
 package main
 import (
 	"net/url"
 	"os"
 	box "github.com/sagernet/sing-box"
 )
 func initializeHTTP3Client(instance *box.Box) error {
 	return os.ErrInvalid
 }
 func fetchHTTP3(parsedURL *url.URL) error {
 	return os.ErrInvalid
 }
--- a/cmd/sing-box/generate_completions.go
+++ b/cmd/sing-box/generate_completions.go
@@ -1,28 +0,0 @@
 //go:build generate && generate_completions
 package main
 import "github.com/sagernet/sing-box/log"
 func main() {
 	err := generateCompletions()
 	if err != nil {
 		log.Fatal(err)
 	}
 }
 func generateCompletions() error {
 	err := mainCommand.GenBashCompletionFile("release/completions/sing-box.bash")
 	if err != nil {
 		return err
 	}
 	err = mainCommand.GenFishCompletionFile("release/completions/sing-box.fish", true)
 	if err != nil {
 		return err
 	}
 	err = mainCommand.GenZshCompletionFile("release/completions/sing-box.zsh")
 	if err != nil {
 		return err
 	}
 	return nil
 }
--- a/cmd/sing-box/internal/convertor/adguard/convertor.go
+++ b/cmd/sing-box/internal/convertor/adguard/convertor.go
@@ -1,346 +0,0 @@
 package adguard
 import (
 	"bufio"
 	"io"
 	"net/netip"
 	"os"
 	"strconv"
 	"strings"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 )
 type agdguardRuleLine struct {
 	ruleLine    string
 	isRawDomain bool
 	isExclude   bool
 	isSuffix    bool
 	hasStart    bool
 	hasEnd      bool
 	isRegexp    bool
 	isImportant bool
 }
 func Convert(reader io.Reader) ([]option.HeadlessRule, error) {
 	scanner := bufio.NewScanner(reader)
 	var (
 		ruleLines    []agdguardRuleLine
 		ignoredLines int
 	)
 parseLine:
 	for scanner.Scan() {
 		ruleLine := scanner.Text()
 		if ruleLine == "" || ruleLine[0] == '!' || ruleLine[0] == '#' {
 			continue
 		}
 		originRuleLine := ruleLine
 		if M.IsDomainName(ruleLine) {
 			ruleLines = append(ruleLines, agdguardRuleLine{
 				ruleLine:    ruleLine,
 				isRawDomain: true,
 			})
 			continue
 		}
 		hostLine, err := parseAdGuardHostLine(ruleLine)
 		if err == nil {
 			if hostLine != "" {
 				ruleLines = append(ruleLines, agdguardRuleLine{
 					ruleLine:    hostLine,
 					isRawDomain: true,
 					hasStart:    true,
 					hasEnd:      true,
 				})
 			}
 			continue
 		}
 		if strings.HasSuffix(ruleLine, "|") {
 			ruleLine = ruleLine[:len(ruleLine)-1]
 		}
 		var (
 			isExclude   bool
 			isSuffix    bool
 			hasStart    bool
 			hasEnd      bool
 			isRegexp    bool
 			isImportant bool
 		)
 		if !strings.HasPrefix(ruleLine, "/") && strings.Contains(ruleLine, "$") {
 			params := common.SubstringAfter(ruleLine, "$")
 			for _, param := range strings.Split(params, ",") {
 				paramParts := strings.Split(param, "=")
 				var ignored bool
 				if len(paramParts) > 0 && len(paramParts) <= 2 {
 					switch paramParts[0] {
 					case "app", "network":
 						// maybe support by package_name/process_name
 					case "dnstype":
 						// maybe support by query_type
 					case "important":
 						ignored = true
 						isImportant = true
 					case "dnsrewrite":
 						if len(paramParts) == 2 && M.ParseAddr(paramParts[1]).IsUnspecified() {
 							ignored = true
 						}
 					}
 				}
 				if !ignored {
 					ignoredLines++
 					log.Debug("ignored unsupported rule with modifier: ", paramParts[0], ": ", ruleLine)
 					continue parseLine
 				}
 			}
 			ruleLine = common.SubstringBefore(ruleLine, "$")
 		}
 		if strings.HasPrefix(ruleLine, "@@") {
 			ruleLine = ruleLine[2:]
 			isExclude = true
 		}
 		if strings.HasSuffix(ruleLine, "|") {
 			ruleLine = ruleLine[:len(ruleLine)-1]
 		}
 		if strings.HasPrefix(ruleLine, "||") {
 			ruleLine = ruleLine[2:]
 			isSuffix = true
 		} else if strings.HasPrefix(ruleLine, "|") {
 			ruleLine = ruleLine[1:]
 			hasStart = true
 		}
 		if strings.HasSuffix(ruleLine, "^") {
 			ruleLine = ruleLine[:len(ruleLine)-1]
 			hasEnd = true
 		}
 		if strings.HasPrefix(ruleLine, "/") && strings.HasSuffix(ruleLine, "/") {
 			ruleLine = ruleLine[1 : len(ruleLine)-1]
 			if ignoreIPCIDRRegexp(ruleLine) {
 				ignoredLines++
 				log.Debug("ignored unsupported rule with IPCIDR regexp: ", ruleLine)
 				continue
 			}
 			isRegexp = true
 		} else {
 			if strings.Contains(ruleLine, "://") {
 				ruleLine = common.SubstringAfter(ruleLine, "://")
 			}
 			if strings.Contains(ruleLine, "/") {
 				ignoredLines++
 				log.Debug("ignored unsupported rule with path: ", ruleLine)
 				continue
 			}
 			if strings.Contains(ruleLine, "##") {
 				ignoredLines++
 				log.Debug("ignored unsupported rule with element hiding: ", ruleLine)
 				continue
 			}
 			if strings.Contains(ruleLine, "#$#") {
 				ignoredLines++
 				log.Debug("ignored unsupported rule with element hiding: ", ruleLine)
 				continue
 			}
 			var domainCheck string
 			if strings.HasPrefix(ruleLine, ".") || strings.HasPrefix(ruleLine, "-") {
 				domainCheck = "r" + ruleLine
 			} else {
 				domainCheck = ruleLine
 			}
 			if ruleLine == "" {
 				ignoredLines++
 				log.Debug("ignored unsupported rule with empty domain", originRuleLine)
 				continue
 			} else {
 				domainCheck = strings.ReplaceAll(domainCheck, "*", "x")
 				if !M.IsDomainName(domainCheck) {
 					_, ipErr := parseADGuardIPCIDRLine(ruleLine)
 					if ipErr == nil {
 						ignoredLines++
 						log.Debug("ignored unsupported rule with IPCIDR: ", ruleLine)
 						continue
 					}
 					if M.ParseSocksaddr(domainCheck).Port != 0 {
 						log.Debug("ignored unsupported rule with port: ", ruleLine)
 					} else {
 						log.Debug("ignored unsupported rule with invalid domain: ", ruleLine)
 					}
 					ignoredLines++
 					continue
 				}
 			}
 		}
 		ruleLines = append(ruleLines, agdguardRuleLine{
 			ruleLine:    ruleLine,
 			isExclude:   isExclude,
 			isSuffix:    isSuffix,
 			hasStart:    hasStart,
 			hasEnd:      hasEnd,
 			isRegexp:    isRegexp,
 			isImportant: isImportant,
 		})
 	}
 	if len(ruleLines) == 0 {
 		return nil, E.New("AdGuard rule-set is empty or all rules are unsupported")
 	}
 	if common.All(ruleLines, func(it agdguardRuleLine) bool {
 		return it.isRawDomain
 	}) {
 		return []option.HeadlessRule{
 			{
 				Type: C.RuleTypeDefault,
 				DefaultOptions: option.DefaultHeadlessRule{
 					Domain: common.Map(ruleLines, func(it agdguardRuleLine) string {
 						return it.ruleLine
 					}),
 				},
 			},
 		}, nil
 	}
 	mapDomain := func(it agdguardRuleLine) string {
 		ruleLine := it.ruleLine
 		if it.isSuffix {
 			ruleLine = "||" + ruleLine
 		} else if it.hasStart {
 			ruleLine = "|" + ruleLine
 		}
 		if it.hasEnd {
 			ruleLine += "^"
 		}
 		return ruleLine
 	}
 	importantDomain := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return it.isImportant && !it.isRegexp && !it.isExclude }), mapDomain)
 	importantDomainRegex := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return it.isImportant && it.isRegexp && !it.isExclude }), mapDomain)
 	importantExcludeDomain := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return it.isImportant && !it.isRegexp && it.isExclude }), mapDomain)
 	importantExcludeDomainRegex := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return it.isImportant && it.isRegexp && it.isExclude }), mapDomain)
 	domain := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return !it.isImportant && !it.isRegexp && !it.isExclude }), mapDomain)
 	domainRegex := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return !it.isImportant && it.isRegexp && !it.isExclude }), mapDomain)
 	excludeDomain := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return !it.isImportant && !it.isRegexp && it.isExclude }), mapDomain)
 	excludeDomainRegex := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return !it.isImportant && it.isRegexp && it.isExclude }), mapDomain)
 	currentRule := option.HeadlessRule{
 		Type: C.RuleTypeDefault,
 		DefaultOptions: option.DefaultHeadlessRule{
 			AdGuardDomain: domain,
 			DomainRegex:   domainRegex,
 		},
 	}
 	if len(excludeDomain) > 0 || len(excludeDomainRegex) > 0 {
 		currentRule = option.HeadlessRule{
 			Type: C.RuleTypeLogical,
 			LogicalOptions: option.LogicalHeadlessRule{
 				Mode: C.LogicalTypeAnd,
 				Rules: []option.HeadlessRule{
 					{
 						Type: C.RuleTypeDefault,
 						DefaultOptions: option.DefaultHeadlessRule{
 							AdGuardDomain: excludeDomain,
 							DomainRegex:   excludeDomainRegex,
 							Invert:        true,
 						},
 					},
 					currentRule,
 				},
 			},
 		}
 	}
 	if len(importantDomain) > 0 || len(importantDomainRegex) > 0 {
 		currentRule = option.HeadlessRule{
 			Type: C.RuleTypeLogical,
 			LogicalOptions: option.LogicalHeadlessRule{
 				Mode: C.LogicalTypeOr,
 				Rules: []option.HeadlessRule{
 					{
 						Type: C.RuleTypeDefault,
 						DefaultOptions: option.DefaultHeadlessRule{
 							AdGuardDomain: importantDomain,
 							DomainRegex:   importantDomainRegex,
 						},
 					},
 					currentRule,
 				},
 			},
 		}
 	}
 	if len(importantExcludeDomain) > 0 || len(importantExcludeDomainRegex) > 0 {
 		currentRule = option.HeadlessRule{
 			Type: C.RuleTypeLogical,
 			LogicalOptions: option.LogicalHeadlessRule{
 				Mode: C.LogicalTypeAnd,
 				Rules: []option.HeadlessRule{
 					{
 						Type: C.RuleTypeDefault,
 						DefaultOptions: option.DefaultHeadlessRule{
 							AdGuardDomain: importantExcludeDomain,
 							DomainRegex:   importantExcludeDomainRegex,
 							Invert:        true,
 						},
 					},
 					currentRule,
 				},
 			},
 		}
 	}
 	log.Info("parsed rules: ", len(ruleLines), "/", len(ruleLines)+ignoredLines)
 	return []option.HeadlessRule{currentRule}, nil
 }
 func ignoreIPCIDRRegexp(ruleLine string) bool {
 	if strings.HasPrefix(ruleLine, "(http?:\\/\\/)") {
 		ruleLine = ruleLine[12:]
 	} else if strings.HasPrefix(ruleLine, "(https?:\\/\\/)") {
 		ruleLine = ruleLine[13:]
 	} else if strings.HasPrefix(ruleLine, "^") {
 		ruleLine = ruleLine[1:]
 	} else {
 		return false
 	}
 	_, parseErr := strconv.ParseUint(common.SubstringBefore(ruleLine, "\\."), 10, 8)
 	return parseErr == nil
 }
 func parseAdGuardHostLine(ruleLine string) (string, error) {
 	idx := strings.Index(ruleLine, " ")
 	if idx == -1 {
 		return "", os.ErrInvalid
 	}
 	address, err := netip.ParseAddr(ruleLine[:idx])
 	if err != nil {
 		return "", err
 	}
 	if !address.IsUnspecified() {
 		return "", nil
 	}
 	domain := ruleLine[idx+1:]
 	if !M.IsDomainName(domain) {
 		return "", E.New("invalid domain name: ", domain)
 	}
 	return domain, nil
 }
 func parseADGuardIPCIDRLine(ruleLine string) (netip.Prefix, error) {
 	var isPrefix bool
 	if strings.HasSuffix(ruleLine, ".") {
 		isPrefix = true
 		ruleLine = ruleLine[:len(ruleLine)-1]
 	}
 	ruleStringParts := strings.Split(ruleLine, ".")
 	if len(ruleStringParts) > 4 || len(ruleStringParts) < 4 && !isPrefix {
 		return netip.Prefix{}, os.ErrInvalid
 	}
 	ruleParts := make([]uint8, 0, len(ruleStringParts))
 	for _, part := range ruleStringParts {
 		rulePart, err := strconv.ParseUint(part, 10, 8)
 		if err != nil {
 			return netip.Prefix{}, err
 		}
 		ruleParts = append(ruleParts, uint8(rulePart))
 	}
 	bitLen := len(ruleParts) * 8
 	for len(ruleParts) < 4 {
 		ruleParts = append(ruleParts, 0)
 	}
 	return netip.PrefixFrom(netip.AddrFrom4(*(*[4]byte)(ruleParts)), bitLen), nil
 }
--- a/cmd/sing-box/internal/convertor/adguard/convertor_test.go
+++ b/cmd/sing-box/internal/convertor/adguard/convertor_test.go
@@ -1,140 +0,0 @@
 package adguard
 import (
 	"strings"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/route"
 	"github.com/stretchr/testify/require"
 )
 func TestConverter(t *testing.T) {
 	t.Parallel()
 	rules, err := Convert(strings.NewReader(`
 ||example.org^
 |example.com^
 example.net^
 ||example.edu
 ||example.edu.tw^
 |example.gov
 example.arpa
@@|sagernet.example.org|
 ||sagernet.org^$important
@@|sing-box.sagernet.org^$important
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
 	rule, err := route.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"example.org",
 		"www.example.org",
 		"example.com",
 		"example.net",
 		"isexample.net",
 		"www.example.net",
 		"example.edu",
 		"example.edu.cn",
 		"example.edu.tw",
 		"www.example.edu",
 		"www.example.edu.cn",
 		"example.gov",
 		"example.gov.cn",
 		"example.arpa",
 		"www.example.arpa",
 		"isexample.arpa",
 		"example.arpa.cn",
 		"www.example.arpa.cn",
 		"isexample.arpa.cn",
 		"sagernet.org",
 		"www.sagernet.org",
 	}
 	notMatchDomain := []string{
 		"example.org.cn",
 		"notexample.org",
 		"example.com.cn",
 		"www.example.com.cn",
 		"example.net.cn",
 		"notexample.edu",
 		"notexample.edu.cn",
 		"www.example.gov",
 		"notexample.gov",
 		"sagernet.example.org",
 		"sing-box.sagernet.org",
 	}
 	for _, domain := range matchDomain {
 		require.True(t, rule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}), domain)
 	}
 	for _, domain := range notMatchDomain {
 		require.False(t, rule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}), domain)
 	}
 }
 func TestHosts(t *testing.T) {
 	t.Parallel()
 	rules, err := Convert(strings.NewReader(`
 127.0.0.1 localhost
 ::1 localhost #[IPv6]
 0.0.0.0 google.com
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
 	rule, err := route.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"google.com",
 	}
 	notMatchDomain := []string{
 		"www.google.com",
 		"notgoogle.com",
 		"localhost",
 	}
 	for _, domain := range matchDomain {
 		require.True(t, rule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}), domain)
 	}
 	for _, domain := range notMatchDomain {
 		require.False(t, rule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}), domain)
 	}
 }
 func TestSimpleHosts(t *testing.T) {
 	t.Parallel()
 	rules, err := Convert(strings.NewReader(`
 example.com
 www.example.org
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
 	rule, err := route.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"example.com",
 		"www.example.org",
 	}
 	notMatchDomain := []string{
 		"example.com.cn",
 		"www.example.com",
 		"notexample.com",
 		"example.org",
 	}
 	for _, domain := range matchDomain {
 		require.True(t, rule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}), domain)
 	}
 	for _, domain := range notMatchDomain {
 		require.False(t, rule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}), domain)
 	}
 }
--- a/cmd/sing-box/main.go
+++ b/cmd/sing-box/main.go
@@ -1,11 +1,74 @@
 //go:build !generate
 package main
-import "github.com/sagernet/sing-box/log"
+import (
 	"context"
 	"os"
 	"os/user"
 	"strconv"
 	"time"
 	_ "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/service/filemanager"
 	"github.com/spf13/cobra"
 )
 var (
 	globalCtx         context.Context
 	configPaths       []string
 	configDirectories []string
 	workingDir        string
 	disableColor      bool
 )
 var mainCommand = &cobra.Command{
 	Use:              "sing-box",
 	PersistentPreRun: preRun,
 }
 func init() {
 	mainCommand.PersistentFlags().StringArrayVarP(&configPaths, "config", "c", nil, "set configuration file path")
 	mainCommand.PersistentFlags().StringArrayVarP(&configDirectories, "config-directory", "C", nil, "set configuration directory path")
 	mainCommand.PersistentFlags().StringVarP(&workingDir, "directory", "D", "", "set working directory")
 	mainCommand.PersistentFlags().BoolVarP(&disableColor, "disable-color", "", false, "disable color output")
 }
 func main() {
 	if err := mainCommand.Execute(); err != nil {
 		log.Fatal(err)
 	}
 }
 func preRun(cmd *cobra.Command, args []string) {
 	globalCtx = context.Background()
 	sudoUser := os.Getenv("SUDO_USER")
 	sudoUID, _ := strconv.Atoi(os.Getenv("SUDO_UID"))
 	sudoGID, _ := strconv.Atoi(os.Getenv("SUDO_GID"))
 	if sudoUID == 0 && sudoGID == 0 && sudoUser != "" {
 		sudoUserObject, _ := user.Lookup(sudoUser)
 		if sudoUserObject != nil {
 			sudoUID, _ = strconv.Atoi(sudoUserObject.Uid)
 			sudoGID, _ = strconv.Atoi(sudoUserObject.Gid)
 		}
 	}
 	if sudoUID > 0 && sudoGID > 0 {
 		globalCtx = filemanager.WithDefault(globalCtx, "", "", sudoUID, sudoGID)
 	}
 	if disableColor {
 		log.SetStdLogger(log.NewDefaultFactory(context.Background(), log.Formatter{BaseTime: time.Now(), DisableColors: true}, os.Stderr, "", nil, false).Logger())
 	}
 	if workingDir != "" {
 		_, err := os.Stat(workingDir)
 		if err != nil {
 			filemanager.MkdirAll(globalCtx, workingDir, 0o777)
 		}
 		err = os.Chdir(workingDir)
 		if err != nil {
 			log.Fatal(err)
 		}
 	}
 	if len(configPaths) == 0 && len(configDirectories) == 0 {
 		configPaths = append(configPaths, "config.json")
 	}
 }
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -50,26 +50,12 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
-	var autoRedirectOutputMark uint32
+	if options.RoutingMark != 0 {
 	if router != nil {
 		autoRedirectOutputMark = router.AutoRedirectOutputMark()
 	}
 	if autoRedirectOutputMark > 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(autoRedirectOutputMark))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(autoRedirectOutputMark))
 	}
 	if options.RoutingMark > 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(options.RoutingMark))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(options.RoutingMark))
-		if autoRedirectOutputMark > 0 {
+	} else if router != nil && router.DefaultMark() != 0 {
 			return nil, E.New("`auto_redirect` with `route_[_exclude]_address_set is conflict with `routing_mark`")
 		}
 	} else if router != nil && router.DefaultMark() > 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(router.DefaultMark()))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(router.DefaultMark()))
 		if autoRedirectOutputMark > 0 {
 			return nil, E.New("`auto_redirect` with `route_[_exclude]_address_set is conflict with `default_mark`")
 		}
 	}
 	if options.ReuseAddr {
 		listener.Control = control.Append(listener.Control, control.ReuseAddr())
@@ -81,7 +67,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	if options.ConnectTimeout != 0 {
 		dialer.Timeout = time.Duration(options.ConnectTimeout)
 	} else {
-		dialer.Timeout = C.TCPConnectTimeout
+		dialer.Timeout = C.TCPTimeout
 	}
 	// TODO: Add an option to customize the keep alive period
 	dialer.KeepAlive = C.TCPKeepAliveInitial
@@ -179,7 +165,7 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 }
 func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
-	return d.udpListener.ListenPacket(context.Background(), network, address)
+	return trackPacketConn(d.udpListener.ListenPacket(context.Background(), network, address))
 }
 func trackConn(conn net.Conn, err error) (net.Conn, error) {
--- a/common/dialer/default_go1.20.go
+++ b/common/dialer/default_go1.20.go
@@ -5,7 +5,7 @@ package dialer
 import (
 	"net"
-	"github.com/metacubex/tfo-go"
+	"github.com/sagernet/tfo-go"
 )
 type tcpDialer = tfo.Dialer
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -28,12 +28,13 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	} else {
 		dialer = NewDetour(router, options.Detour)
 	}
-	if options.Detour == "" {
+	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
 		dialer = NewResolveDialer(
 			router,
 			dialer,
 			options.Detour == "" && !options.TCPFastOpen,
-			dns.DomainStrategy(options.DomainStrategy),
+			domainStrategy,
 			time.Duration(options.FallbackDelay))
 	}
 	return dialer, nil
--- a/common/dialer/tfo.go
+++ b/common/dialer/tfo.go
@@ -15,8 +15,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-
+	"github.com/sagernet/tfo-go"
 	"github.com/metacubex/tfo-go"
 )
 type slowOpenConn struct {
--- a/common/geosite/geosite_test.go
+++ b/common/geosite/geosite_test.go
@@ -1,34 +0,0 @@
 package geosite_test
 import (
 	"bytes"
 	"testing"
 	"github.com/sagernet/sing-box/common/geosite"
 	"github.com/stretchr/testify/require"
 )
 func TestGeosite(t *testing.T) {
 	t.Parallel()
 	var buffer bytes.Buffer
 	err := geosite.Write(&buffer, map[string][]geosite.Item{
 		"test": {
 			{
 				Type:  geosite.RuleTypeDomain,
 				Value: "example.org",
 			},
 		},
 	})
 	require.NoError(t, err)
 	reader, codes, err := geosite.NewReader(bytes.NewReader(buffer.Bytes()))
 	require.NoError(t, err)
 	require.Equal(t, []string{"test"}, codes)
 	items, err := reader.Read("test")
 	require.NoError(t, err)
 	require.Equal(t, []geosite.Item{{
 		Type:  geosite.RuleTypeDomain,
 		Value: "example.org",
 	}}, items)
 }
--- a/common/geosite/reader.go
+++ b/common/geosite/reader.go
@@ -1,24 +1,17 @@
 package geosite
 import (
 	"bufio"
 	"encoding/binary"
 	"io"
 	"os"
 	"sync"
 	"sync/atomic"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/varbin"
+	"github.com/sagernet/sing/common/rw"
 )
 type Reader struct {
-	access         sync.Mutex
+	reader       io.ReadSeeker
-	reader         io.ReadSeeker
+	domainIndex  map[string]int
-	bufferedReader *bufio.Reader
+	domainLength map[string]int
 	metadataIndex  int64
 	domainIndex    map[string]int
 	domainLength   map[string]int
 }
 func Open(path string) (*Reader, []string, error) {
@@ -26,22 +19,14 @@ func Open(path string) (*Reader, []string, error) {
 	if err != nil {
 		return nil, nil, err
 	}
-	reader, codes, err := NewReader(content)
+	reader := &Reader{
 		reader: content,
 	}
 	err = reader.readMetadata()
 	if err != nil {
 		content.Close()
 		return nil, nil, err
 	}
 	return reader, codes, nil
 }
 func NewReader(readSeeker io.ReadSeeker) (*Reader, []string, error) {
 	reader := &Reader{
 		reader: readSeeker,
 	}
 	err := reader.readMetadata()
 	if err != nil {
 		return nil, nil, err
 	}
 	codes := make([]string, 0, len(reader.domainIndex))
 	for code := range reader.domainIndex {
 		codes = append(codes, code)
@@ -49,23 +34,15 @@ func NewReader(readSeeker io.ReadSeeker) (*Reader, []string, error) {
 	return reader, codes, nil
 }
 type geositeMetadata struct {
 	Code   string
 	Index  uint64
 	Length uint64
 }
 func (r *Reader) readMetadata() error {
-	counter := &readCounter{Reader: r.reader}
+	version, err := rw.ReadByte(r.reader)
 	reader := bufio.NewReader(counter)
 	version, err := reader.ReadByte()
 	if err != nil {
 		return err
 	}
 	if version != 0 {
 		return E.New("unknown version")
 	}
-	entryLength, err := binary.ReadUvarint(reader)
+	entryLength, err := rw.ReadUVariant(r.reader)
 	if err != nil {
 		return err
 	}
@@ -78,16 +55,16 @@ func (r *Reader) readMetadata() error {
 			codeIndex  uint64
 			codeLength uint64
 		)
-		code, err = varbin.ReadValue[string](reader, binary.BigEndian)
+		code, err = rw.ReadVString(r.reader)
 		if err != nil {
 			return err
 		}
 		keys[i] = code
-		codeIndex, err = binary.ReadUvarint(reader)
+		codeIndex, err = rw.ReadUVariant(r.reader)
 		if err != nil {
 			return err
 		}
-		codeLength, err = binary.ReadUvarint(reader)
+		codeLength, err = rw.ReadUVariant(r.reader)
 		if err != nil {
 			return err
 		}
@@ -96,8 +73,6 @@ func (r *Reader) readMetadata() error {
 	}
 	r.domainIndex = domainIndex
 	r.domainLength = domainLength
 	r.metadataIndex = counter.count - int64(reader.Buffered())
 	r.bufferedReader = reader
 	return nil
 }
@@ -106,32 +81,31 @@ func (r *Reader) Read(code string) ([]Item, error) {
 	if !exists {
 		return nil, E.New("code ", code, " not exists!")
 	}
-	_, err := r.reader.Seek(r.metadataIndex+int64(index), io.SeekStart)
+	_, err := r.reader.Seek(int64(index), io.SeekCurrent)
 	if err != nil {
 		return nil, err
 	}
-	r.bufferedReader.Reset(r.reader)
+	counter := &rw.ReadCounter{Reader: r.reader}
-	itemList := make([]Item, r.domainLength[code])
+	domain := make([]Item, r.domainLength[code])
-	err = varbin.Read(r.bufferedReader, binary.BigEndian, &itemList)
+	for i := range domain {
-	if err != nil {
+		var (
-		return nil, err
+			item Item
 			err  error
 		)
 		item.Type, err = rw.ReadByte(counter)
 		if err != nil {
 			return nil, err
 		}
 		item.Value, err = rw.ReadVString(counter)
 		if err != nil {
 			return nil, err
 		}
 		domain[i] = item
 	}
-	return itemList, nil
+	_, err = r.reader.Seek(int64(-index)-counter.Count(), io.SeekCurrent)
 	return domain, err
 }
 func (r *Reader) Upstream() any {
 	return r.reader
 }
 type readCounter struct {
 	io.Reader
 	count int64
 }
 func (r *readCounter) Read(p []byte) (n int, err error) {
 	n, err = r.Reader.Read(p)
 	if n > 0 {
 		atomic.AddInt64(&r.count, int64(n))
 	}
 	return
 }
--- a/common/geosite/writer.go
+++ b/common/geosite/writer.go
@@ -2,13 +2,13 @@ package geosite
 import (
 	"bytes"
-	"encoding/binary"
+	"io"
 	"sort"
-	"github.com/sagernet/sing/common/varbin"
+	"github.com/sagernet/sing/common/rw"
 )
-func Write(writer varbin.Writer, domains map[string][]Item) error {
+func Write(writer io.Writer, domains map[string][]Item) error {
 	keys := make([]string, 0, len(domains))
 	for code := range domains {
 		keys = append(keys, code)
@@ -19,34 +19,35 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 	index := make(map[string]int)
 	for _, code := range keys {
 		index[code] = content.Len()
-		for _, item := range domains[code] {
+		for _, domain := range domains[code] {
-			err := varbin.Write(content, binary.BigEndian, item)
+			content.WriteByte(domain.Type)
 			err := rw.WriteVString(content, domain.Value)
 			if err != nil {
 				return err
 			}
 		}
 	}
-	err := writer.WriteByte(0)
+	err := rw.WriteByte(writer, 0)
 	if err != nil {
 		return err
 	}
-	_, err = varbin.WriteUvarint(writer, uint64(len(keys)))
+	err = rw.WriteUVariant(writer, uint64(len(keys)))
 	if err != nil {
 		return err
 	}
 	for _, code := range keys {
-		err = varbin.Write(writer, binary.BigEndian, code)
+		err = rw.WriteVString(writer, code)
 		if err != nil {
 			return err
 		}
-		_, err = varbin.WriteUvarint(writer, uint64(index[code]))
+		err = rw.WriteUVariant(writer, uint64(index[code]))
 		if err != nil {
 			return err
 		}
-		_, err = varbin.WriteUvarint(writer, uint64(len(domains[code])))
+		err = rw.WriteUVariant(writer, uint64(len(domains[code])))
 		if err != nil {
 			return err
 		}
--- a/common/ja3/LICENSE
+++ b/common/ja3/LICENSE
@@ -1,29 +0,0 @@
 BSD 3-Clause License
 Copyright (c) 2018, Open Systems AG
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
 * Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.
 * Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.
 * Neither the name of the copyright holder nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/common/ja3/README.md
+++ b/common/ja3/README.md
@@ -1,3 +0,0 @@
 # JA3
 mod from: https://github.com/open-ch/ja3
--- a/common/ja3/error.go
+++ b/common/ja3/error.go
@@ -1,31 +0,0 @@
 // Copyright (c) 2018, Open Systems AG. All rights reserved.
 //
 // Use of this source code is governed by a BSD-style license
 // that can be found in the LICENSE file in the root of the source
 // tree.
 package ja3
 import "fmt"
 // Error types
 const (
 	LengthErr        string = "length check %v failed"
 	ContentTypeErr   string = "content type not matching"
 	VersionErr       string = "version check %v failed"
 	HandshakeTypeErr string = "handshake type not matching"
 	SNITypeErr       string = "SNI type not supported"
 )
 // ParseError can be encountered while parsing a segment
 type ParseError struct {
 	errType string
 	check   int
 }
 func (e *ParseError) Error() string {
 	if e.errType == LengthErr || e.errType == VersionErr {
 		return fmt.Sprintf(e.errType, e.check)
 	}
 	return fmt.Sprint(e.errType)
 }
--- a/common/ja3/ja3.go
+++ b/common/ja3/ja3.go
@@ -1,83 +0,0 @@
 // Copyright (c) 2018, Open Systems AG. All rights reserved.
 //
 // Use of this source code is governed by a BSD-style license
 // that can be found in the LICENSE file in the root of the source
 // tree.
 package ja3
 import (
 	"crypto/md5"
 	"encoding/hex"
 	"golang.org/x/exp/slices"
 )
 type ClientHello struct {
 	Version             uint16
 	CipherSuites        []uint16
 	Extensions          []uint16
 	EllipticCurves      []uint16
 	EllipticCurvePF     []uint8
 	Versions            []uint16
 	SignatureAlgorithms []uint16
 	ServerName          string
 	ja3ByteString       []byte
 	ja3Hash             string
 }
 func (j *ClientHello) Equals(another *ClientHello, ignoreExtensionsSequence bool) bool {
 	if j.Version != another.Version {
 		return false
 	}
 	if !slices.Equal(j.CipherSuites, another.CipherSuites) {
 		return false
 	}
 	if !ignoreExtensionsSequence && !slices.Equal(j.Extensions, another.Extensions) {
 		return false
 	}
 	if ignoreExtensionsSequence && !slices.Equal(j.Extensions, another.sortedExtensions()) {
 		return false
 	}
 	if !slices.Equal(j.EllipticCurves, another.EllipticCurves) {
 		return false
 	}
 	if !slices.Equal(j.EllipticCurvePF, another.EllipticCurvePF) {
 		return false
 	}
 	if !slices.Equal(j.SignatureAlgorithms, another.SignatureAlgorithms) {
 		return false
 	}
 	return true
 }
 func (j *ClientHello) sortedExtensions() []uint16 {
 	extensions := make([]uint16, len(j.Extensions))
 	copy(extensions, j.Extensions)
 	slices.Sort(extensions)
 	return extensions
 }
 func Compute(payload []byte) (*ClientHello, error) {
 	ja3 := ClientHello{}
 	err := ja3.parseSegment(payload)
 	return &ja3, err
 }
 func (j *ClientHello) String() string {
 	if j.ja3ByteString == nil {
 		j.marshalJA3()
 	}
 	return string(j.ja3ByteString)
 }
 func (j *ClientHello) Hash() string {
 	if j.ja3ByteString == nil {
 		j.marshalJA3()
 	}
 	if j.ja3Hash == "" {
 		h := md5.Sum(j.ja3ByteString)
 		j.ja3Hash = hex.EncodeToString(h[:])
 	}
 	return j.ja3Hash
 }
--- a/common/ja3/parser.go
+++ b/common/ja3/parser.go
@@ -1,357 +0,0 @@
 // Copyright (c) 2018, Open Systems AG. All rights reserved.
 //
 // Use of this source code is governed by a BSD-style license
 // that can be found in the LICENSE file in the root of the source
 // tree.
 package ja3
 import (
 	"encoding/binary"
 	"strconv"
 )
 const (
 	// Constants used for parsing
 	recordLayerHeaderLen                  int    = 5
 	handshakeHeaderLen                    int    = 6
 	randomDataLen                         int    = 32
 	sessionIDHeaderLen                    int    = 1
 	cipherSuiteHeaderLen                  int    = 2
 	compressMethodHeaderLen               int    = 1
 	extensionsHeaderLen                   int    = 2
 	extensionHeaderLen                    int    = 4
 	sniExtensionHeaderLen                 int    = 5
 	ecExtensionHeaderLen                  int    = 2
 	ecpfExtensionHeaderLen                int    = 1
 	versionExtensionHeaderLen             int    = 1
 	signatureAlgorithmsExtensionHeaderLen int    = 2
 	contentType                           uint8  = 22
 	handshakeType                         uint8  = 1
 	sniExtensionType                      uint16 = 0
 	sniNameDNSHostnameType                uint8  = 0
 	ecExtensionType                       uint16 = 10
 	ecpfExtensionType                     uint16 = 11
 	versionExtensionType                  uint16 = 43
 	signatureAlgorithmsExtensionType      uint16 = 13
 	// Versions
 	// The bitmask covers the versions SSL3.0 to TLS1.2
 	tlsVersionBitmask uint16 = 0xFFFC
 	tls13             uint16 = 0x0304
 	// GREASE values
 	// The bitmask covers all GREASE values
 	GreaseBitmask uint16 = 0x0F0F
 	// Constants used for marshalling
 	dashByte  = byte(45)
 	commaByte = byte(44)
 )
 // parseSegment to populate the corresponding ClientHello object or return an error
 func (j *ClientHello) parseSegment(segment []byte) error {
 	// Check if we can decode the next fields
 	if len(segment) < recordLayerHeaderLen {
 		return &ParseError{LengthErr, 1}
 	}
 	// Check if we have "Content Type: Handshake (22)"
 	contType := uint8(segment[0])
 	if contType != contentType {
 		return &ParseError{errType: ContentTypeErr}
 	}
 	// Check if TLS record layer version is supported
 	tlsRecordVersion := uint16(segment[1])<<8 | uint16(segment[2])
 	if tlsRecordVersion&tlsVersionBitmask != 0x0300 && tlsRecordVersion != tls13 {
 		return &ParseError{VersionErr, 1}
 	}
 	// Check that the Handshake is as long as expected from the length field
 	segmentLen := uint16(segment[3])<<8 | uint16(segment[4])
 	if len(segment[recordLayerHeaderLen:]) < int(segmentLen) {
 		return &ParseError{LengthErr, 2}
 	}
 	// Keep the Handshake messege, ignore any additional following record types
 	hs := segment[recordLayerHeaderLen : recordLayerHeaderLen+int(segmentLen)]
 	err := j.parseHandshake(hs)
 	return err
 }
 // parseHandshake body
 func (j *ClientHello) parseHandshake(hs []byte) error {
 	// Check if we can decode the next fields
 	if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen {
 		return &ParseError{LengthErr, 3}
 	}
 	// Check if we have "Handshake Type: Client Hello (1)"
 	handshType := uint8(hs[0])
 	if handshType != handshakeType {
 		return &ParseError{errType: HandshakeTypeErr}
 	}
 	// Check if actual length of handshake matches (this is a great exclusion criterion for false positives,
 	// as these fields have to match the actual length of the rest of the segment)
 	handshakeLen := uint32(hs[1])<<16 | uint32(hs[2])<<8 | uint32(hs[3])
 	if len(hs[4:]) != int(handshakeLen) {
 		return &ParseError{LengthErr, 4}
 	}
 	// Check if Client Hello version is supported
 	tlsVersion := uint16(hs[4])<<8 | uint16(hs[5])
 	if tlsVersion&tlsVersionBitmask != 0x0300 && tlsVersion != tls13 {
 		return &ParseError{VersionErr, 2}
 	}
 	j.Version = tlsVersion
 	// Check if we can decode the next fields
 	sessionIDLen := uint8(hs[38])
 	if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen) {
 		return &ParseError{LengthErr, 5}
 	}
 	// Cipher Suites
 	cs := hs[handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen):]
 	// Check if we can decode the next fields
 	if len(cs) < cipherSuiteHeaderLen {
 		return &ParseError{LengthErr, 6}
 	}
 	csLen := uint16(cs[0])<<8 | uint16(cs[1])
 	numCiphers := int(csLen / 2)
 	cipherSuites := make([]uint16, 0, numCiphers)
 	// Check if we can decode the next fields
 	if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen {
 		return &ParseError{LengthErr, 7}
 	}
 	for i := 0; i < numCiphers; i++ {
 		cipherSuite := uint16(cs[2+i<<1])<<8 | uint16(cs[3+i<<1])
 		cipherSuites = append(cipherSuites, cipherSuite)
 	}
 	j.CipherSuites = cipherSuites
 	// Check if we can decode the next fields
 	compressMethodLen := uint16(cs[cipherSuiteHeaderLen+int(csLen)])
 	if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen+int(compressMethodLen) {
 		return &ParseError{LengthErr, 8}
 	}
 	// Extensions
 	exs := cs[cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen+int(compressMethodLen):]
 	err := j.parseExtensions(exs)
 	return err
 }
 // parseExtensions of the handshake
 func (j *ClientHello) parseExtensions(exs []byte) error {
 	// Check for no extensions, this fields header is nonexistent if no body is used
 	if len(exs) == 0 {
 		return nil
 	}
 	// Check if we can decode the next fields
 	if len(exs) < extensionsHeaderLen {
 		return &ParseError{LengthErr, 9}
 	}
 	exsLen := uint16(exs[0])<<8 | uint16(exs[1])
 	exs = exs[extensionsHeaderLen:]
 	// Check if we can decode the next fields
 	if len(exs) < int(exsLen) {
 		return &ParseError{LengthErr, 10}
 	}
 	var sni []byte
 	var extensions, ellipticCurves []uint16
 	var ellipticCurvePF []uint8
 	var versions []uint16
 	var signatureAlgorithms []uint16
 	for len(exs) > 0 {
 		// Check if we can decode the next fields
 		if len(exs) < extensionHeaderLen {
 			return &ParseError{LengthErr, 11}
 		}
 		exType := uint16(exs[0])<<8 | uint16(exs[1])
 		exLen := uint16(exs[2])<<8 | uint16(exs[3])
 		// Ignore any GREASE extensions
 		extensions = append(extensions, exType)
 		// Check if we can decode the next fields
 		if len(exs) < extensionHeaderLen+int(exLen) {
 			return &ParseError{LengthErr, 12}
 		}
 		sex := exs[extensionHeaderLen : extensionHeaderLen+int(exLen)]
 		switch exType {
 		case sniExtensionType: // Extensions: server_name
 			// Check if we can decode the next fields
 			if len(sex) < sniExtensionHeaderLen {
 				return &ParseError{LengthErr, 13}
 			}
 			sniType := uint8(sex[2])
 			sniLen := uint16(sex[3])<<8 | uint16(sex[4])
 			sex = sex[sniExtensionHeaderLen:]
 			// Check if we can decode the next fields
 			if len(sex) != int(sniLen) {
 				return &ParseError{LengthErr, 14}
 			}
 			switch sniType {
 			case sniNameDNSHostnameType:
 				sni = sex
 			default:
 				return &ParseError{errType: SNITypeErr}
 			}
 		case ecExtensionType: // Extensions: supported_groups
 			// Check if we can decode the next fields
 			if len(sex) < ecExtensionHeaderLen {
 				return &ParseError{LengthErr, 15}
 			}
 			ecsLen := uint16(sex[0])<<8 | uint16(sex[1])
 			numCurves := int(ecsLen / 2)
 			ellipticCurves = make([]uint16, 0, numCurves)
 			sex = sex[ecExtensionHeaderLen:]
 			// Check if we can decode the next fields
 			if len(sex) != int(ecsLen) {
 				return &ParseError{LengthErr, 16}
 			}
 			for i := 0; i < numCurves; i++ {
 				ecType := uint16(sex[i*2])<<8 | uint16(sex[1+i*2])
 				ellipticCurves = append(ellipticCurves, ecType)
 			}
 		case ecpfExtensionType: // Extensions: ec_point_formats
 			// Check if we can decode the next fields
 			if len(sex) < ecpfExtensionHeaderLen {
 				return &ParseError{LengthErr, 17}
 			}
 			ecpfsLen := uint8(sex[0])
 			numPF := int(ecpfsLen)
 			ellipticCurvePF = make([]uint8, numPF)
 			sex = sex[ecpfExtensionHeaderLen:]
 			// Check if we can decode the next fields
 			if len(sex) != numPF {
 				return &ParseError{LengthErr, 18}
 			}
 			for i := 0; i < numPF; i++ {
 				ellipticCurvePF[i] = uint8(sex[i])
 			}
 		case versionExtensionType:
 			if len(sex) < versionExtensionHeaderLen {
 				return &ParseError{LengthErr, 19}
 			}
 			versionsLen := int(sex[0])
 			for i := 0; i < versionsLen; i += 2 {
 				versions = append(versions, binary.BigEndian.Uint16(sex[1:][i:]))
 			}
 		case signatureAlgorithmsExtensionType:
 			if len(sex) < signatureAlgorithmsExtensionHeaderLen {
 				return &ParseError{LengthErr, 20}
 			}
 			ssaLen := binary.BigEndian.Uint16(sex)
 			for i := 0; i < int(ssaLen); i += 2 {
 				signatureAlgorithms = append(signatureAlgorithms, binary.BigEndian.Uint16(sex[2:][i:]))
 			}
 		}
 		exs = exs[4+exLen:]
 	}
 	j.ServerName = string(sni)
 	j.Extensions = extensions
 	j.EllipticCurves = ellipticCurves
 	j.EllipticCurvePF = ellipticCurvePF
 	j.Versions = versions
 	j.SignatureAlgorithms = signatureAlgorithms
 	return nil
 }
 // marshalJA3 into a byte string
 func (j *ClientHello) marshalJA3() {
 	// An uint16 can contain numbers with up to 5 digits and an uint8 can contain numbers with up to 3 digits, but we
 	// also need a byte for each separating character, except at the end.
 	byteStringLen := 6*(1+len(j.CipherSuites)+len(j.Extensions)+len(j.EllipticCurves)) + 4*len(j.EllipticCurvePF) - 1
 	byteString := make([]byte, 0, byteStringLen)
 	// Version
 	byteString = strconv.AppendUint(byteString, uint64(j.Version), 10)
 	byteString = append(byteString, commaByte)
 	// Cipher Suites
 	if len(j.CipherSuites) != 0 {
 		for _, val := range j.CipherSuites {
 			if val&GreaseBitmask != 0x0A0A {
 				continue
 			}
 			byteString = strconv.AppendUint(byteString, uint64(val), 10)
 			byteString = append(byteString, dashByte)
 		}
 		// Replace last dash with a comma
 		byteString[len(byteString)-1] = commaByte
 	} else {
 		byteString = append(byteString, commaByte)
 	}
 	// Extensions
 	if len(j.Extensions) != 0 {
 		for _, val := range j.Extensions {
 			if val&GreaseBitmask != 0x0A0A {
 				continue
 			}
 			byteString = strconv.AppendUint(byteString, uint64(val), 10)
 			byteString = append(byteString, dashByte)
 		}
 		// Replace last dash with a comma
 		byteString[len(byteString)-1] = commaByte
 	} else {
 		byteString = append(byteString, commaByte)
 	}
 	// Elliptic curves
 	if len(j.EllipticCurves) != 0 {
 		for _, val := range j.EllipticCurves {
 			if val&GreaseBitmask != 0x0A0A {
 				continue
 			}
 			byteString = strconv.AppendUint(byteString, uint64(val), 10)
 			byteString = append(byteString, dashByte)
 		}
 		// Replace last dash with a comma
 		byteString[len(byteString)-1] = commaByte
 	} else {
 		byteString = append(byteString, commaByte)
 	}
 	// ECPF
 	if len(j.EllipticCurvePF) != 0 {
 		for _, val := range j.EllipticCurvePF {
 			byteString = strconv.AppendUint(byteString, uint64(val), 10)
 			byteString = append(byteString, dashByte)
 		}
 		// Remove last dash
 		byteString = byteString[:len(byteString)-1]
 	}
 	j.ja3ByteString = byteString
 }
--- a/common/process/searcher_darwin.go
+++ b/common/process/searcher_darwin.go
@@ -60,12 +60,12 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 	isIPv4 := ip.Is4()
-	value, err := unix.SysctlRaw(spath)
+	value, err := syscall.Sysctl(spath)
 	if err != nil {
 		return "", err
 	}
-	buf := value
+	buf := []byte(value)
 	// from darwin-xnu/bsd/netinet/in_pcblist.c:get_pcblist_n
 	// size/offset are round up (aligned) to 8 bytes in darwin
--- a/common/sniff/bittorrent.go
+++ b/common/sniff/bittorrent.go
@@ -1,99 +0,0 @@
 package sniff
 import (
 	"bytes"
 	"context"
 	"encoding/binary"
 	"io"
 	"os"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 )
 const (
 	trackerConnectFlag    = 0
 	trackerProtocolID     = 0x41727101980
 	trackerConnectMinSize = 16
 )
 // BitTorrent detects if the stream is a BitTorrent connection.
 // For the BitTorrent protocol specification, see https://www.bittorrent.org/beps/bep_0003.html
 func BitTorrent(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
 	var first byte
 	err := binary.Read(reader, binary.BigEndian, &first)
 	if err != nil {
 		return err
 	}
 	if first != 19 {
 		return os.ErrInvalid
 	}
 	var protocol [19]byte
 	_, err = reader.Read(protocol[:])
 	if err != nil {
 		return err
 	}
 	if string(protocol[:]) != "BitTorrent protocol" {
 		return os.ErrInvalid
 	}
 	metadata.Protocol = C.ProtocolBitTorrent
 	return nil
 }
 // UTP detects if the packet is a uTP connection packet.
 // For the uTP protocol specification, see
 //  1. https://www.bittorrent.org/beps/bep_0029.html
 //  2. https://github.com/bittorrent/libutp/blob/2b364cbb0650bdab64a5de2abb4518f9f228ec44/utp_internal.cpp#L112
 func UTP(_ context.Context, metadata *adapter.InboundContext, packet []byte) error {
 	// A valid uTP packet must be at least 20 bytes long.
 	if len(packet) < 20 {
 		return os.ErrInvalid
 	}
 	version := packet[0] & 0x0F
 	ty := packet[0] >> 4
 	if version != 1 || ty > 4 {
 		return os.ErrInvalid
 	}
 	// Validate the extensions
 	extension := packet[1]
 	reader := bytes.NewReader(packet[20:])
 	for extension != 0 {
 		err := binary.Read(reader, binary.BigEndian, &extension)
 		if err != nil {
 			return err
 		}
 		var length byte
 		err = binary.Read(reader, binary.BigEndian, &length)
 		if err != nil {
 			return err
 		}
 		_, err = reader.Seek(int64(length), io.SeekCurrent)
 		if err != nil {
 			return err
 		}
 	}
 	metadata.Protocol = C.ProtocolBitTorrent
 	return nil
 }
 // UDPTracker detects if the packet is a UDP Tracker Protocol packet.
 // For the UDP Tracker Protocol specification, see https://www.bittorrent.org/beps/bep_0015.html
 func UDPTracker(_ context.Context, metadata *adapter.InboundContext, packet []byte) error {
 	if len(packet) < trackerConnectMinSize {
 		return os.ErrInvalid
 	}
 	if binary.BigEndian.Uint64(packet[:8]) != trackerProtocolID {
 		return os.ErrInvalid
 	}
 	if binary.BigEndian.Uint32(packet[8:12]) != trackerConnectFlag {
 		return os.ErrInvalid
 	}
 	metadata.Protocol = C.ProtocolBitTorrent
 	return nil
 }
--- a/common/sniff/bittorrent_test.go
+++ b/common/sniff/bittorrent_test.go
@@ -1,73 +0,0 @@
 package sniff_test
 import (
 	"bytes"
 	"context"
 	"encoding/hex"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/stretchr/testify/require"
 )
 func TestSniffBittorrent(t *testing.T) {
 	t.Parallel()
 	packets := []string{
 		"13426974546f7272656e742070726f746f636f6c0000000000100000e21ea9569b69bab33c97851d0298bdfa89bc90922d5554313631302dea812fcd6a3563e3be40c1d1",
 		"13426974546f7272656e742070726f746f636f6c00000000001000052aa4f5a7e209e54b32803d43670971c4c8caaa052d5452333030302d653369733079647675763638",
 		"13426974546f7272656e742070726f746f636f6c00000000001000052aa4f5a7e209e54b32803d43670971c4c8caaa052d5452343035302d6f7a316c6e79377931716130",
 	}
 	for _, pkt := range packets {
 		pkt, err := hex.DecodeString(pkt)
 		require.NoError(t, err)
 		var metadata adapter.InboundContext
 		err = sniff.BitTorrent(context.TODO(), &metadata, bytes.NewReader(pkt))
 		require.NoError(t, err)
 		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
 	}
 }
 func TestSniffUTP(t *testing.T) {
 	t.Parallel()
 	packets := []string{
 		"010041a282d7ee7b583afb160004000006d8318da776968f92d666f7963f32dae23ba0d2c810d8b8209cc4939f54fde9eeaa521c2c20c9ba7f43f4fb0375f28de06643b5e3ca4685ab7ac76adca99783be72ef05ed59ef4234f5712b75b4c7c0d7bee8fe2ca20ad626ba5bb0ffcc16bf06790896f888048cf72716419a07db1a3dca4550fbcea75b53e97235168a221cf3e553dfbb723961bd719fab038d86e0ecb74747f5a2cd669de1c4b9ad375f3a492d09d98cdfad745435625401315bbba98d35d32086299801377b93495a63a9efddb8d05f5b37a5c5b1c0a25e917f12007bb5e05013ada8aff544fab8cadf61d80ddb0b60f12741e44515a109d144fd53ef845acb4b5ccf0d6fc302d7003d76df3fc3423bb0237301c9e88f900c2d392a8e0fdb36d143cf7527a93fd0a2638b746e72f6699fffcd4fd15348fce780d4caa04382fd9faf1ca0ae377ca805da7536662b84f5ee18dd3ae38fcb095a7543e55f9069ae92c8cf54ae44e97b558d35e2545c66601ed2149cbc32bd6df199a2be7cf0da8b2ff137e0d23e776bc87248425013876d3a3cc31a83b424b752bd0346437f24b532978005d8f5b1b0be1a37a2489c32a18a9ad3118e3f9d30eb299bffae18e1f0677c2a5c185e62519093fe6bc2b7339299ea50a587989f726ca6443a75dd5bb936f6367c6355d80fae53ff529d740b2e5576e3eefdf1fdbfc69c3c8d8ac750512635de63e054bee1d3b689bc1b2bc3d2601e42a00b5c89066d173d4ae7ffedfd2274e5cf6d868fbe640aedb69b8246142f00b32d459974287537ddd5373460dcbc92f5cfdd7a3ed6020822ae922d947893752ca1983d0d32977374c384ac8f5ab566859019b7351526b9f13e932037a55bb052d9deb3b3c23317e0784fdc51a64f2159bfea3b069cf5caf02ee2c3c1a6b6b427bb16165713e8802d95b5c8ed77953690e994bd38c9ae113fedaf6ee7fc2b96c032ceafc2a530ad0422e84546b9c6ad8ef6ea02fa508abddd1805c38a7b42e9b7c971b1b636865ebec06ed754bb404cd6b4e6cc8cb77bd4a0c43410d5cd5ef8fe853a66d49b3b9e06cb141236cdbfdd5761601dc54d1250b86c660e0f898fe62526fdd9acf0eab60a3bbbb2151970461f28f10b31689594bea646c4b03ee197d63bdef4e5a7c22716b3bb9494a83b78ecd81b338b80ac6c09c43485b1b09ba41c74343832c78f0520c1d659ac9eb1502094141e82fb9e5e620970ebc0655514c43c294a7714cbf9a499d277daf089f556398a01589a77494bec8bfb60a108f3813b55368672b88c1af40f6b3c8b513f7c70c3e0efce85228b8b9ec67ba0393f9f7305024d8e2da6a26cf85613d14f249170ce1000089df4c9c260df7f8292aa2ecb5d5bac97656d59aa248caedea2d198e51ce87baece338716d114b458de02d65c9ff808ca5b5b73723b4d1e962d9ac2d98176544dc9984cf8554d07820ef3dd0861cfe57b478328046380de589adad94ee44743ffac73bb7361feca5d56f07cf8ce75080e261282ae30350d7882679b15cab9e7e53ddf93310b33f7390ae5d318bb53f387e6af5d0ef4f947fc9cb8e7e38b52c7f8d772ece6156b38d88796ea19df02c53723b44df7c76315a0de9462f27287e682d2b4cda1a68fe00d7e48c51ee981be44e1ca940fb5190c12655edb4a83c3a4f33e48a015692df4f0b3d61656e362aca657b5ae8c12db5a0db3db1e45135ee918b66918f40e53c4f83e9da0cddfe63f736ae751ab3837a30ae3220d8e8e311487093a7b90c7e7e40dd54ca750e19452f9193aa892aa6a6229ab493dadae988b1724f7898ee69c36d3eb7364c4adbeca811cfe2065873e78c2b6dfdf1595f7a7831c07e03cda82e4f86f76438dfb2b07c13638ce7b509cfa71b88b5102b39a203b423202088e1c2103319cb32c13c1e546ff8612fa194c95a7808ab767c265a1bd5fa0efed5c8ec1701876a00ec8",
 		"01001ecb68176f215d04326300100000dbcf30292d14b54e9ee2d115ee5b8ebc7fad3e882d4fcdd0c14c6b917c11cb4c6a9f410b52a33ae97c2ac77c7a2b122b8955e09af3c5c595f1b2e79ca57cfe44c44e069610773b9bc9ba223d7f6b383e3adddd03fb88a8476028e30979c2ef321ffc97c5c132bcf9ac5b410bbb5ec6cefca3c7209202a14c5ae922b6b157b0a80249d13ffe5b996af0bc8e54ba576d148372494303e7ead0602b05b9c8fc97d48508a028a04d63a1fd28b0edfcd5c51715f63188b53eefede98a76912dca98518551a8856567307a56a702cbfcc115ea0c755b418bc2c7b57721239b82f09fb24328a4b0ce0f109bcb2a64e04b8aadb1f8487585425acdf8fc4ec8ea93cfcec5ac098bb29d42ddef6e46b03f34a5de28316726699b7cb5195c33e5c48abe87d591d63f9991c84c30819d186d6e0e95fd83c8dff07aa669c4430989bcaccfeacb9bcadbdb4d8f1964dbeb9687745656edd30b21c66cc0a1d742a78717d134a19a7f02d285a4973b1a198c00cfdff4676608dc4f3e817e3463c3b4e2c80d3e8d4fbac541a58a2fb7ad6939f607f8144eff6c8b0adc28ee5609ea158987519892fb",
 		"21001ecb6817f2805d044fd700100000dbd03029",
 		"410277ef0b1fb1f60000000000040000c233000000080000000000000000",
 	}
 	for _, pkt := range packets {
 		pkt, err := hex.DecodeString(pkt)
 		require.NoError(t, err)
 		var metadata adapter.InboundContext
 		err = sniff.UTP(context.TODO(), &metadata, pkt)
 		require.NoError(t, err)
 		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
 	}
 }
 func TestSniffUDPTracker(t *testing.T) {
 	t.Parallel()
 	connectPackets := []string{
 		"00000417271019800000000078e90560",
 		"00000417271019800000000022c5d64d",
 		"000004172710198000000000b3863541",
 	}
 	for _, pkt := range connectPackets {
 		pkt, err := hex.DecodeString(pkt)
 		require.NoError(t, err)
 		var metadata adapter.InboundContext
 		err = sniff.UDPTracker(context.TODO(), &metadata, pkt)
 		require.NoError(t, err)
 		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
 	}
 }
--- a/common/sniff/dns.go
+++ b/common/sniff/dns.go
@@ -17,17 +17,18 @@ import (
 	mDNS "github.com/miekg/dns"
 )
-func StreamDomainNameQuery(readCtx context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
+func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
 	var length uint16
 	err := binary.Read(reader, binary.BigEndian, &length)
 	if err != nil {
-		return os.ErrInvalid
+		return nil, err
 	}
 	if length == 0 {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}
 	buffer := buf.NewSize(int(length))
 	defer buffer.Release()
 	readCtx, cancel := context.WithTimeout(readCtx, time.Millisecond*100)
 	var readTask task.Group
 	readTask.Append0(func(ctx context.Context) error {
@@ -36,20 +37,19 @@ func StreamDomainNameQuery(readCtx context.Context, metadata *adapter.InboundCon
 	err = readTask.Run(readCtx)
 	cancel()
 	if err != nil {
-		return err
+		return nil, err
 	}
-	return DomainNameQuery(readCtx, metadata, buffer.Bytes())
+	return DomainNameQuery(readCtx, buffer.Bytes())
 }
-func DomainNameQuery(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
+func DomainNameQuery(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
 	var msg mDNS.Msg
 	err := msg.Unpack(packet)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	if len(msg.Question) == 0 || msg.Question[0].Qclass != mDNS.ClassINET || !M.IsDomainName(msg.Question[0].Name) {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}
-	metadata.Protocol = C.ProtocolDNS
+	return &adapter.InboundContext{Protocol: C.ProtocolDNS}, nil
 	return nil
 }
--- a/common/sniff/dtls.go
+++ b/common/sniff/dtls.go
@@ -1,32 +0,0 @@
 package sniff
 import (
 	"context"
 	"os"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 )
 func DTLSRecord(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
 	const fixedHeaderSize = 13
 	if len(packet) < fixedHeaderSize {
 		return os.ErrInvalid
 	}
 	contentType := packet[0]
 	switch contentType {
 	case 20, 21, 22, 23, 25:
 	default:
 		return os.ErrInvalid
 	}
 	versionMajor := packet[1]
 	if versionMajor != 0xfe {
 		return os.ErrInvalid
 	}
 	versionMinor := packet[2]
 	if versionMinor != 0xff && versionMinor != 0xfd {
 		return os.ErrInvalid
 	}
 	metadata.Protocol = C.ProtocolDTLS
 	return nil
 }
--- a/common/sniff/dtls_test.go
+++ b/common/sniff/dtls_test.go
@@ -1,33 +0,0 @@
 package sniff_test
 import (
 	"context"
 	"encoding/hex"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/stretchr/testify/require"
 )
 func TestSniffDTLSClientHello(t *testing.T) {
 	t.Parallel()
 	packet, err := hex.DecodeString("16fefd0000000000000000007e010000720000000000000072fefd668a43523798e064bd806d0c87660de9c611a59bbdfc3892c4e072d94f2cafc40000000cc02bc02fc00ac014c02cc0300100003c000d0010000e0403050306030401050106010807ff01000100000a00080006001d00170018000b00020100000e000900060008000700010000170000")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.DTLSRecord(context.Background(), &metadata, packet)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolDTLS)
 }
 func TestSniffDTLSClientApplicationData(t *testing.T) {
 	t.Parallel()
 	packet, err := hex.DecodeString("17fefd000100000000000100440001000000000001a4f682b77ecadd10f3f3a2f78d90566212366ff8209fd77314f5a49352f9bb9bd12f4daba0b4736ae29e46b9714d3b424b3e6d0234736619b5aa0d3f")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.DTLSRecord(context.Background(), &metadata, packet)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolDTLS)
 }
--- a/common/sniff/http.go
+++ b/common/sniff/http.go
@@ -11,12 +11,10 @@ import (
 	"github.com/sagernet/sing/protocol/http"
 )
-func HTTPHost(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
+func HTTPHost(ctx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
 	request, err := http.ReadRequest(std_bufio.NewReader(reader))
 	if err != nil {
-		return err
+		return nil, err
 	}
-	metadata.Protocol = C.ProtocolHTTP
+	return &adapter.InboundContext{Protocol: C.ProtocolHTTP, Domain: M.ParseSocksaddr(request.Host).AddrString()}, nil
 	metadata.Domain = M.ParseSocksaddr(request.Host).AddrString()
 	return nil
 }
--- a/common/sniff/http_test.go
+++ b/common/sniff/http_test.go
@@ -5,7 +5,6 @@ import (
 	"strings"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	"github.com/stretchr/testify/require"
@@ -14,8 +13,7 @@ import (
 func TestSniffHTTP1(t *testing.T) {
 	t.Parallel()
 	pkt := "GET / HTTP/1.1\r\nHost: www.google.com\r\nAccept: */*\r\n\r\n"
-	var metadata adapter.InboundContext
+	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
 	err := sniff.HTTPHost(context.Background(), &metadata, strings.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, metadata.Domain, "www.google.com")
 }
@@ -23,8 +21,7 @@ func TestSniffHTTP1(t *testing.T) {
 func TestSniffHTTP1WithPort(t *testing.T) {
 	t.Parallel()
 	pkt := "GET / HTTP/1.1\r\nHost: www.gov.cn:8080\r\nAccept: */*\r\n\r\n"
-	var metadata adapter.InboundContext
+	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
 	err := sniff.HTTPHost(context.Background(), &metadata, strings.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, metadata.Domain, "www.gov.cn")
 }
--- a/common/sniff/quic.go
+++ b/common/sniff/quic.go
@@ -5,99 +5,95 @@ import (
 	"context"
 	"crypto"
 	"crypto/aes"
 	"crypto/tls"
 	"encoding/binary"
 	"io"
 	"os"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/ja3"
 	"github.com/sagernet/sing-box/common/sniff/internal/qtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	"golang.org/x/crypto/hkdf"
 )
-var ErrClientHelloFragmented = E.New("need more packet for chromium QUIC connection")
+func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
 func QUICClientHello(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
 	reader := bytes.NewReader(packet)
 	typeByte, err := reader.ReadByte()
 	if err != nil {
-		return err
+		return nil, err
 	}
 	if typeByte&0x40 == 0 {
-		return E.New("bad type byte")
+		return nil, E.New("bad type byte")
 	}
 	var versionNumber uint32
 	err = binary.Read(reader, binary.BigEndian, &versionNumber)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	if versionNumber != qtls.VersionDraft29 && versionNumber != qtls.Version1 && versionNumber != qtls.Version2 {
-		return E.New("bad version")
+		return nil, E.New("bad version")
 	}
 	packetType := (typeByte & 0x30) >> 4
 	if packetType == 0 && versionNumber == qtls.Version2 || packetType == 2 && versionNumber != qtls.Version2 || packetType > 2 {
-		return E.New("bad packet type")
+		return nil, E.New("bad packet type")
 	}
 	destConnIDLen, err := reader.ReadByte()
 	if err != nil {
-		return err
+		return nil, err
 	}
 	if destConnIDLen == 0 || destConnIDLen > 20 {
-		return E.New("bad destination connection id length")
+		return nil, E.New("bad destination connection id length")
 	}
 	destConnID := make([]byte, destConnIDLen)
 	_, err = io.ReadFull(reader, destConnID)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	srcConnIDLen, err := reader.ReadByte()
 	if err != nil {
-		return err
+		return nil, err
 	}
 	_, err = io.CopyN(io.Discard, reader, int64(srcConnIDLen))
 	if err != nil {
-		return err
+		return nil, err
 	}
 	tokenLen, err := qtls.ReadUvarint(reader)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	_, err = io.CopyN(io.Discard, reader, int64(tokenLen))
 	if err != nil {
-		return err
+		return nil, err
 	}
 	packetLen, err := qtls.ReadUvarint(reader)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	hdrLen := int(reader.Size()) - reader.Len()
 	if hdrLen+int(packetLen) > len(packet) {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}
 	_, err = io.CopyN(io.Discard, reader, 4)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	pnBytes := make([]byte, aes.BlockSize)
 	_, err = io.ReadFull(reader, pnBytes)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	var salt []byte
@@ -121,7 +117,7 @@ func QUICClientHello(ctx context.Context, metadata *adapter.InboundContext, pack
 	hpKey := qtls.HKDFExpandLabel(crypto.SHA256, secret, []byte{}, hkdfHeaderProtectionLabel, 16)
 	block, err := aes.NewCipher(hpKey)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	mask := make([]byte, aes.BlockSize)
 	block.Encrypt(mask, pnBytes)
@@ -133,7 +129,7 @@ func QUICClientHello(ctx context.Context, metadata *adapter.InboundContext, pack
 	}
 	packetNumberLength := newPacket[0]&0x3 + 1
 	if hdrLen+int(packetNumberLength) > int(packetLen)+hdrLen {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}
 	var packetNumber uint32
 	switch packetNumberLength {
@@ -146,7 +142,7 @@ func QUICClientHello(ctx context.Context, metadata *adapter.InboundContext, pack
 	case 4:
 		packetNumber = binary.BigEndian.Uint32(newPacket[hdrLen:])
 	default:
-		return E.New("bad packet number length")
+		return nil, E.New("bad packet number length")
 	}
 	extHdrLen := hdrLen + int(packetNumberLength)
 	copy(newPacket[extHdrLen:hdrLen+4], packet[extHdrLen:])
@@ -170,208 +166,138 @@ func QUICClientHello(ctx context.Context, metadata *adapter.InboundContext, pack
 	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], uint64(packetNumber))
 	decrypted, err := cipher.Open(newPacket[extHdrLen:extHdrLen], nonce, data, newPacket[:extHdrLen])
 	if err != nil {
-		return err
+		return nil, err
 	}
 	var frameType byte
-	var fragments []qCryptoFragment
+	var frameLen uint64
 	var fragments []struct {
 		offset  uint64
 		length  uint64
 		payload []byte
 	}
 	decryptedReader := bytes.NewReader(decrypted)
 	const (
 		frameTypePadding         = 0x00
 		frameTypePing            = 0x01
 		frameTypeAck             = 0x02
 		frameTypeAck2            = 0x03
 		frameTypeCrypto          = 0x06
 		frameTypeConnectionClose = 0x1c
 	)
 	var frameTypeList []uint8
 	for {
 		frameType, err = decryptedReader.ReadByte()
 		if err == io.EOF {
 			break
 		}
 		frameTypeList = append(frameTypeList, frameType)
 		switch frameType {
-		case frameTypePadding:
+		case 0x00: // PADDING
 			continue
-		case frameTypePing:
+		case 0x01: // PING
 			continue
-		case frameTypeAck, frameTypeAck2:
+		case 0x02, 0x03: // ACK
 			_, err = qtls.ReadUvarint(decryptedReader) // Largest Acknowledged
 			if err != nil {
-				return err
+				return nil, err
 			}
 			_, err = qtls.ReadUvarint(decryptedReader) // ACK Delay
 			if err != nil {
-				return err
+				return nil, err
 			}
 			ackRangeCount, err := qtls.ReadUvarint(decryptedReader) // ACK Range Count
 			if err != nil {
-				return err
+				return nil, err
 			}
 			_, err = qtls.ReadUvarint(decryptedReader) // First ACK Range
 			if err != nil {
-				return err
+				return nil, err
 			}
 			for i := 0; i < int(ackRangeCount); i++ {
 				_, err = qtls.ReadUvarint(decryptedReader) // Gap
 				if err != nil {
-					return err
+					return nil, err
 				}
 				_, err = qtls.ReadUvarint(decryptedReader) // ACK Range Length
 				if err != nil {
-					return err
+					return nil, err
 				}
 			}
 			if frameType == 0x03 {
 				_, err = qtls.ReadUvarint(decryptedReader) // ECT0 Count
 				if err != nil {
-					return err
+					return nil, err
 				}
 				_, err = qtls.ReadUvarint(decryptedReader) // ECT1 Count
 				if err != nil {
-					return err
+					return nil, err
 				}
 				_, err = qtls.ReadUvarint(decryptedReader) // ECN-CE Count
 				if err != nil {
-					return err
+					return nil, err
 				}
 			}
-		case frameTypeCrypto:
+		case 0x06: // CRYPTO
 			var offset uint64
 			offset, err = qtls.ReadUvarint(decryptedReader)
 			if err != nil {
-				return err
+				return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, err
 			}
 			var length uint64
 			length, err = qtls.ReadUvarint(decryptedReader)
 			if err != nil {
-				return err
+				return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, err
 			}
 			index := len(decrypted) - decryptedReader.Len()
-			fragments = append(fragments, qCryptoFragment{offset, length, decrypted[index : index+int(length)]})
+			fragments = append(fragments, struct {
 				offset  uint64
 				length  uint64
 				payload []byte
 			}{offset, length, decrypted[index : index+int(length)]})
 			frameLen += length
 			_, err = decryptedReader.Seek(int64(length), io.SeekCurrent)
 			if err != nil {
-				return err
+				return nil, err
 			}
-		case frameTypeConnectionClose:
+		case 0x1c: // CONNECTION_CLOSE
 			_, err = qtls.ReadUvarint(decryptedReader) // Error Code
 			if err != nil {
-				return err
+				return nil, err
 			}
 			_, err = qtls.ReadUvarint(decryptedReader) // Frame Type
 			if err != nil {
-				return err
+				return nil, err
 			}
 			var length uint64
 			length, err = qtls.ReadUvarint(decryptedReader) // Reason Phrase Length
 			if err != nil {
-				return err
+				return nil, err
 			}
 			_, err = decryptedReader.Seek(int64(length), io.SeekCurrent) // Reason Phrase
 			if err != nil {
-				return err
+				return nil, err
 			}
 		default:
-			return os.ErrInvalid
+			return nil, os.ErrInvalid
 		}
 	}
-	if metadata.SniffContext != nil {
+	tlsHdr := make([]byte, 5)
-		fragments = append(fragments, metadata.SniffContext.([]qCryptoFragment)...)
+	tlsHdr[0] = 0x16
-		metadata.SniffContext = nil
+	binary.BigEndian.PutUint16(tlsHdr[1:], uint16(0x0303))
-	}
+	binary.BigEndian.PutUint16(tlsHdr[3:], uint16(frameLen))
 	var frameLen uint64
 	for _, fragment := range fragments {
 		frameLen += fragment.length
 	}
 	buffer := buf.NewSize(5 + int(frameLen))
 	defer buffer.Release()
 	buffer.WriteByte(0x16)
 	binary.Write(buffer, binary.BigEndian, uint16(0x0303))
 	binary.Write(buffer, binary.BigEndian, uint16(frameLen))
 	var index uint64
 	var length int
 	var readers []io.Reader
 	readers = append(readers, bytes.NewReader(tlsHdr))
 find:
 	for {
 		for _, fragment := range fragments {
 			if fragment.offset == index {
-				buffer.Write(fragment.payload)
+				readers = append(readers, bytes.NewReader(fragment.payload))
 				index = fragment.offset + fragment.length
 				length++
 				continue find
 			}
 		}
-		break
+		if length == len(fragments) {
 			break
 		}
 		return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, E.New("bad fragments")
 	}
 	metadata, err := TLSClientHello(ctx, io.MultiReader(readers...))
 	if err != nil {
 		return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, err
 	}
 	metadata.Protocol = C.ProtocolQUIC
-	fingerprint, err := ja3.Compute(buffer.Bytes())
+	return metadata, nil
 	if err != nil {
 		metadata.Protocol = C.ProtocolQUIC
 		metadata.Client = C.ClientChromium
 		metadata.SniffContext = fragments
 		return ErrClientHelloFragmented
 	}
 	metadata.Domain = fingerprint.ServerName
 	for metadata.Client == "" {
 		if len(frameTypeList) == 1 {
 			metadata.Client = C.ClientFirefox
 			break
 		}
 		if frameTypeList[0] == frameTypeCrypto && isZero(frameTypeList[1:]) {
 			if len(fingerprint.Versions) == 2 && fingerprint.Versions[0]&ja3.GreaseBitmask == 0x0A0A &&
 				len(fingerprint.EllipticCurves) == 5 && fingerprint.EllipticCurves[0]&ja3.GreaseBitmask == 0x0A0A {
 				metadata.Client = C.ClientSafari
 				break
 			}
 			if len(fingerprint.CipherSuites) == 1 && fingerprint.CipherSuites[0] == tls.TLS_AES_256_GCM_SHA384 &&
 				len(fingerprint.EllipticCurves) == 1 && fingerprint.EllipticCurves[0] == uint16(tls.X25519) &&
 				len(fingerprint.SignatureAlgorithms) == 1 && fingerprint.SignatureAlgorithms[0] == uint16(tls.ECDSAWithP256AndSHA256) {
 				metadata.Client = C.ClientSafari
 				break
 			}
 		}
 		if frameTypeList[len(frameTypeList)-1] == frameTypeCrypto && isZero(frameTypeList[:len(frameTypeList)-1]) {
 			metadata.Client = C.ClientQUICGo
 			break
 		}
 		if count(frameTypeList, frameTypeCrypto) > 1 || count(frameTypeList, frameTypePing) > 0 {
 			if maybeUQUIC(fingerprint) {
 				metadata.Client = C.ClientQUICGo
 			} else {
 				metadata.Client = C.ClientChromium
 			}
 			break
 		}
 		metadata.Client = C.ClientUnknown
 		//nolint:staticcheck
 		break
 	}
 	return nil
 }
 func isZero(slices []uint8) bool {
 	for _, slice := range slices {
 		if slice != 0 {
 			return false
 		}
 	}
 	return true
 }
 func count(slices []uint8, value uint8) int {
 	var times int
 	for _, slice := range slices {
 		if slice == value {
 			times++
 		}
 	}
 	return times
 }
 type qCryptoFragment struct {
 	offset  uint64
 	length  uint64
 	payload []byte
 }
--- a/common/sniff/quic_blacklist.go
+++ b/common/sniff/quic_blacklist.go
@@ -1,24 +0,0 @@
 package sniff
 import (
 	"crypto/tls"
 	"github.com/sagernet/sing-box/common/ja3"
 )
 // Chromium sends separate client hello packets, but UQUIC has not yet implemented this behavior
 // The cronet without this behavior does not have version 115
 var uQUICChrome115 = &ja3.ClientHello{
 	Version:             tls.VersionTLS12,
 	CipherSuites:        []uint16{4865, 4866, 4867},
 	Extensions:          []uint16{0, 10, 13, 16, 27, 43, 45, 51, 57, 17513},
 	EllipticCurves:      []uint16{29, 23, 24},
 	SignatureAlgorithms: []uint16{1027, 2052, 1025, 1283, 2053, 1281, 2054, 1537, 513},
 }
 func maybeUQUIC(fingerprint *ja3.ClientHello) bool {
 	if uQUICChrome115.Equals(fingerprint, true) {
 		return true
 	}
 	return false
 }
--- a/common/sniff/quic_test.go
+++ b/common/sniff/quic_test.go
@@ -5,69 +5,31 @@ import (
 	"encoding/hex"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/stretchr/testify/require"
 )
-func TestSniffQUICChromium(t *testing.T) {
+func TestSniffQUICv1(t *testing.T) {
 	t.Parallel()
-	pkt, err := hex.DecodeString("c30000000108f40d654cc09b27f5000044d08a94548e57e43cc5483f129986187c432d58d46674830442988f869566a6e31e2ae37c9f7acbf61cc81621594fab0b3dfdc1635460b32389563dc8e74006315661cd22694114612973c1c45910621713a48b375854f095e8a77ccf3afa64e972f0f7f7002f50e0b014b1b146ea47c07fb20b73ad5587872b51a0b3fafdf1c4cf4fe6f8b112142392efa25d993abe2f42582be145148bdfe12edcd96c3655b65a4781b093e5594ba8e3ae5320f12e8314fc3ca374128cc43381046c322b964681ed4395c813b28534505118201459665a44b8f0abead877de322e9040631d20b05f15b81fa7ff785d4041aecc37c7e2ccdc5d1532787ce566517e8985fd5c200dbfd1e67bc255efaba94cfc07bb52fea4a90887413b134f2715b5643542aa897c6116486f428d82da64d2a2c1e1bdd40bd592558901a554b003d6966ac5a7b8b9413eddbf6ef21f28386c74981e3ce1d724c341e95494907626659692720c81114ca4acea35a14c402cfa3dc2228446e78dc1b81fa4325cf7e314a9cad6a6bdff33b3351dcba74eb15fae67f1227283aa4cdd64bcadf8f19358333f8549b596f4350297b5c65274565869d497398339947b9d3d064e5b06d39d34b436d8a41c1a3880de10bd26c3b1c5b4e2a49b0d4d07b8d90cd9e92bc611564d19ea8ec33099e92033caf21f5307dbeaa4708b99eb313bff99e2081ac25fd12d6a72e8335e0724f6718fe023cd0ad0d6e6a6309f09c9c391eec2bc08e9c3210a043c08e1759f354c121f6517fff4d6e20711a871e41285d48d930352fddffb92c96ba57df045ce99f8bfdfa8edc0969ce68a51e9fbb4f54b956d9df74a9e4af27ed2b27839bce1cffeca8333c0aaee81a570217442f9029ba8fedb84a2cf4be4d910982d891ea00e816c7fb98e8020e896a9c6fdd9106611da0a99dde18df1b7a8f6327acb1eed9ad93314451e48cb0dfb9571728521ca3db2ac0968159d5622556a55d51a422d11995b650949aaefc5d24c16080446dfc4fbc10353f9f93ce161ab513367bb89ab83988e0630b689e174e27bcfcc31996ee7b0bca909e251b82d69a28fee5a5d662e127508cd19dbbe5097b7d5b62a49203d66764197a527e472e2627e44a93d44177dace9d60e7d0e03305ddf4cfe47cdf2362e14de79ef46a6763ce696cd7854a48d9419a0817507a4713ffd4977b906d4f2b5fb6dbe1bd15bc505d5fea582190bf531a45d5ee026da8918547fd5105f15e5d061c7b0cf80a34990366ed8e91e13c2f0d85e5dad537298808d193cf54b7eaac33f10051f74cb6b75e52f81618c36f03d86aef613ba237a1a793ba1539938a38f62ccaf7bd5f6c5e0ce53cde4012fcf2b758214a0422d2faaa798e86e19d7481b42df2b36a73d287ff28c20cce01ce598771fec16a8f1f00305c06010126013a6c1de9f589b4e79d693717cd88ad1c42a2d99fa96617ba0bc6365b68e21a70ebc447904aa27979e1514433cfd83bfec09f137c747d47582cb63eb28f873fb94cf7a59ff764ddfbb687d79a58bb10f85949269f7f72c611a5e0fbb52adfa298ff060ec2eb7216fd7302ea8fb07798cbb3be25cb53ac8161aac2b5bbcfbcfb01c113d28bd1cb0333fb89ac82a95930f7abded0a2f5a623cc6a1f62bf3f38ef1b81c1e50a634f657dbb6770e4af45879e2fb1e00c742e7b52205c8015b5c0f5b1e40186ff9aa7288ab3e01a51fb87761f9bc6837082af109b39cc9f620")
+	pkt, err := hex.DecodeString("cc0000000108d2dc7bad02241f5003796e71004215a71bfcb05159416c724be418537389acdd9a4047306283dcb4d7a9cad5cc06322042d204da67a8dbaa328ab476bb428b48fd001501863afd203f8d4ef085629d664f1a734a65969a47e4a63d4e01a21f18c1d90db0c027180906dc135f9ae421bb8617314c8d54c175fef3d3383d310d0916ebcbd6eed9329befbbb109d8fd4af1d2cf9d6adce8e6c1260a7f8256e273e326da0aa7cc148d76e7a08489dc9d52ade89c027cbc3491ada46417c2c04e2ca768e9a7dd6aa00c594e48b678927325da796817693499bb727050cb3baf3d3291a397c3a8d868e8ec7b8f7295e347455c9dadbe2252ae917ac793d958c7fb8a3d2cdb34e3891eb4286f18617556ff7216dd60256aa5b1d11ff4753459fc5f9dedf11d483a26a0835dc6cd50e1c1f54f86e8f1e502821183cd874f6447a74e818bf3445c7795acf4559d1c1fac474911d2ead5c8d23e4aa4f67afb66efe305a30a0b5d825679b31ddc186cbea936535795c7e8c378c87b8c5adc065154d15bae8f85ac8fec2da40c3aa623b682a065440831555011d7647cde44446a0fb4cf5892f2c088ae1920643094be72e3c499fe8d265caf939e8ab607a5b9317917d2a32a812e8a0e6a2f84721bbb5984ffd242838f705d13f4cfb249bc6a5c80d58ac2595edf56648ec3fe21d787573c253a79805252d6d81e26d367d4ff29ef66b5fe8992086af7bada8cad10b82a7c0dc406c5b6d0c5ec3c583e767f759ce08cad6c3c8f91e5a8")
 	require.NoError(t, err)
-	var metadata adapter.InboundContext
+	metadata, err := sniff.QUICClientHello(context.Background(), pkt)
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
 	require.Equal(t, metadata.Client, C.ClientChromium)
 	require.ErrorIs(t, err, sniff.ErrClientHelloFragmented)
 	pkt, err = hex.DecodeString("c90000000108f40d654cc09b27f5000044d073eb38807026d4088455e650e7ccf750d01a72f15f9bfc8ff40d223499db1a485cff14dbd45b9be118172834dc35dca3cf62f61a1266f40b92faf3d28d67a466cfdca678ddced15cd606d31959cf441828467857b226d1a241847c82c57312cefe68ba5042d929919bcd4403b39e5699fe87dda05df1b3801e048edee792458e9b1a9b1d4039df05847bcee3be567494b5876e3bd4c3220fe9dfdb2c07d77410f907f744251ef15536cc03b267d3668d5b75bc1ad2fe735cd3bb73519dd9f1625a49e17ad27bdeccf706c83b5ea339a0a05dd0072f4a8f162bd29926b4997f05613c6e4b0270b0c02805ca0543f27c1ff8505a5750bdd33529ee73c491050a10c6903f53c1121dbe0380e84c007c8df74a1b02443ed80ba7766aef5549e618d4fd249844ee28565142005369869299e8c3035ecef3d799f6cada8549e75b4ce4cbf4c85ef071fd7ff067b1ca9b5968dc41d13d011f6d7843823bac97acb1eb8ee45883f0f254b5f9bd4c763b67e2d8c70a7618a0ef0de304cf597a485126e09f8b2fd795b394c0b4bc4cd2634c2057970da2c798c5e8af7aed4f76f5e25d04e3f8c9c5a5b150d17e0d4c74229898c69b8dc7b8bcc9d359eb441de75c68fbdebec62fb669dcccfb1aad03e3fa073adb2ccf7bb14cbaf99e307d2c903ee71a8f028102eb510caee7e7397512086a78d1f95635c7d06845b5a708652dc4e5cd61245aae5b3c05b84815d84d367bce9b9e3f6d6b90701ac3679233c14d5ce2a1eff26469c966266dc6284bdb95c9c6158934c413a872ce22101e4163e3293d236b301592ca4ccacc1fd4c37066e79c2d9857c8a2560dcf0b33b19163c4240c471b19907476e7e25c65f7eb37276594a0f6b4c33c340cc3284178f17ac5e34dbe7509db890e4ddfd0540fbf9deb32a0101d24fe58b26c5f81c627db9d6ae59d7a111a3d5d1f6109f4eec0d0234e6d73c73a44f50999462724b51ce0fd8283535d70d9e83872c79c59897407a0736741011ae5c64862eb0712f9e7b07aa1d5418ca3fde8626257c6fe418f3c5479055bb2b0ab4c25f649923fc2a41c79aaa7d0f3af6d8b8cf06f61f0230d09bbb60bb49b9e49cc5973748a6cf7ffdee7804d424f9423c63e7ff22f4bd24e4867636ef9fe8dd37f59941a8a47c27765caa8e875a30b62834f17c569227e5e6ed15d58e05d36e76332befad065a2cd4079e66d5af189b0337624c89b1560c3b1b0befd5c1f20e6de8e3d664b3ac06b3d154b488983e14aa93266f5f8b621d2a9bb7ccce509eb26e025c9c45f7cccc09ce85b3103af0c93ce9822f82ecb168ca3177829afb2ea0da2c380e7b1728add55a5d42632e2290363d4cbe432b67e13691648e1acfab22cf0d551eee857709b428bb78e27a45aff6eca301c02e4d13cf36cc2494fdd1aef8dede6e18febd79dca4c6964d09b91c25a08f0947c76ab5104de9404459c2edf5f4adb9dfd771be83656f77fbbafb1ad3281717066010be8778952495383c9f2cf0a38527228c662a35171c5981731f1af09bab842fe6c3162ad4152a4221f560eb6f9bea66b294ffbd3643da2fe34096da13c246505452540177a2a0a1a69106e5cfc279a4890fc3be2952f26be245f930e6c2d9e7e26ee960481e72b99594a1185b46b94b6436d00ba6c70ffe135d43907c92c6f1c09fb9453f103730714f5700fa4347f9715c774cb04a7218dacc66d9c2fade18b14e684aa7fc9ebda0a28")
 	require.NoError(t, err)
-	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
+	require.Equal(t, metadata.Domain, "cloudflare-quic.com")
 	require.NoError(t, err)
 	require.Equal(t, metadata.Domain, "google.com")
 }
-func TestSniffUQUICChrome115(t *testing.T) {
+func TestSniffQUICFragment(t *testing.T) {
 	t.Parallel()
-	pkt, err := hex.DecodeString("cb0000000108181e17c387120abc000044d0705b6a3ef9ee37a8d3949a7d393ed078243c2ee2c3627fad1c3f107c117f4f071131ad61848068fcbbe5c65803c147f7f8ec5e2cd77b77beea23ba779d936dccac540f8396400e3190ea35cc2942af4171a04cb14272491920f90124959f44e80143678c0b52f5d31af319aaa589db2f940f004562724d0af40f737e1bb0002a071e6a1dbc9f52c64f070806a5010abed0298053634d9c9126bd7949ae5087998ade762c0ad06691d99c0875a38c601fc1ee77bfc3b8c11381829f2c9bdd022f4499c43ff1d6aee1a0d296861461dda217d22c568b276016ef3929e59d2f7d7ddf7809920fb7dc805641608949f3f8466ab3d37149aac501f0b107d808f3add4acfc657e4a82e2b88e97a6c74a00c419548760ab3414ba13915c78a1ca79dceee8d59fbe299f20b671ac44823218368b2a026baa55170cf549519ac21dbb6d31d248bd339438a4e663bcdca1fe3ae3f045a5dc19b122e9db9d7af9757076666dda4e9ace1c67def77fa14786f0cab3ebf7a270ea6e2b37838318c95779f80c3b8471948d0046c3614b3a13477c939a39a7855d85d13522a45ae0765739cd5eedef87237e824a929983ace27640c6495dbf5a72fa0b96893dc5d28f3988249a57bdb458d460b4a57043de3da750a76b6e5d2259247ca27cd864ea18f0d09aa62ab6eb7c014fb43179b2a1963d170b756cce83eeaebff78a828d025c811848e16ff862a8080d093478cd2208c8ab0803178325bc0d9d6bb25e62fa50c4ad15cf80916da6578796932036c72e43eb480d1e423ed812ac75a97722f8416529b82ba8ee2219c535012282bb17066bd53e78b87a71abdb7ebdb2a7c2766ff8397962e87d0f85485b64b4ee81cc84f99c47f33f2b0872716441992773f59186e38d32dbf5609a6fda94cb928cd25f5a7a3ab736b5a4236b6d5409ab18892c6a4d3480fc2350abfdf0bab1cedb55bdf0760fdb703e6688f4de596254eed4ed3e67eb03d0717b8e15b31e735214e588c87ae36bc6c310e1894b4c15143e4ccf287b2dbc707a946bf9671ae3c574f9486b2c82eec784bba4cbc76113cbe0f97ac8c13cfa38f2925ab9d06887a612ce48280a91d7e074e6caf898d88e2bbf71360899abf48a03f9a70cf2891199f2d63b116f4871af0ebb4f4906792f66cc21d1609f189138532875c129a68c73e7bcd3b5d8100beac1d8ac4b20d94a59ac8df5a5af58a9acb20413eadf97189f5f19ff889155f0c4d37514ec184eb6903967ff38a41fc087abb0f2cad3761d6e3f95f92a09a72f5c065b16e188088b87460241f27ecdb1bc6ece92c8d36b2d68b58d0fb4d4b3c928c579ade8ae5a995833aadd297c30a37f7bc35440fc97070e1b198e0fac00157452177d16d2803b4239997452b4ad3a951173bdec47a033fd7f8a7942accaa9aaa905b3c5a2175e7c3e07c48bf25331727fd69cd1e64d74d8c9d4a6f8f4491adb7bc911505cb19877083d8f21a12475e313fccf57877ff3556318e81ed9145dd9427f2b65275440893035f417481f721c69215af8ae103530cd0a1d35bf2cb5a27628f8d44d7c6f5ec12ce79d0a8333e0eb48771115d0a191304e46b8db19bbe5c40f1c346dde98e76ff5e21ff38d2c34e60cb07766ed529dd6d2cbacd7fbf1ed8a0e6e40decad0ca5021e91552be87c156d3ae2fffef41c65b14ba6d488f2c3227a1ab11ffce0e2dc47723a69da27a67a7f26e1cb13a7103af9b87a8db8e18ea")
+	pkt, err := hex.DecodeString("cc00000001082e3d5d1b64040c55000044d0ccea69e773f6631c1d18b04ae9ee75fcfc34ef74fa62533c93534338a86f101a05d70e0697fb483063fa85db1c59ccfbda5c35234931d8524d8aac37eaaad649470a67794cd754b23c98695238b8363452333bc8c4858376b4166e001da2006e35cf98a91e11a56419b2786775284942d0f7163982f7c248867d12dd374957481dbc564013ff785e1916195eef671f725908f761099d992d69231336ba81d9e25fe2fa3a6eff4318a6ccf10176fc841a1b315f7b35c5b292266fc869d76ca533e7d14e86d82db2e22eacd350977e47d2e012d8a5891c5aaf2a0f4c2b2dae897c161e5b68cbb4dee952472bdc1e21504b8f02534ec4366ce3f8bf86efc78e0232778fbd554457567112abdcafcf6d4d8fcf35083c25d9495679614aba21696e338c62b585046cc55ba8c09c844361d889a47c3ea703b4e23545a9ab2c0bb369693a9ddfb5daffa85cf80fdd6ad66738664e5b0a551729b4955cff7255afcb04dee88c2f072c9de7400947a1bd9327ac5d012a33000ada021d4c03d249fb017d6ac9200b2f9436beab8183ddfbe2d8aee31ffb7df9e1cc181c1af80c39a89965d18ed12da8e3ebe2ae1fbe4b348f83ba19e3e3d1c9b22bcf03ab6ad9b30fe180623faa291ebad83bcd71d7b57f2f5e2f3b8e81d24fb70b2f2159239e8f21ffafef2747aba47d97ab4081e603c018b10678cf99cab1fb42156a14486fa435153979d7279fd22cd40af7088bfc7eff41af2f4b3c0c8864d0040d74dff427f7bffdb8c278474ea00311326cf4925471a8cf596cb92119f19e0f789490ba9cb77b98015a987d93e0324cf1a38b55109f00c3e6ddc5180fb107bf468323afec9bb49fd6a86418569789d66cafe3b8253c2aebb3af3782c1c54dd560487d031d28e6a6e23e159581bb1d47efc4da3fe1d169f9ffb0ca9ba61af0a38a92fde5bc5e6ec026e8378a6315a7b95abf1d2da790a391306ce74d0baf8e2ce648ca74c487f2c0a76a28a80cdf5bd34316eb607684fe7e6d9e83824a00e07660d0b90e3cddd61ebf10748263474afa88c300549e64ce2e90560bb1a12dee7e9484f729a8a4ee7c5651adb5194b3b3ae38e501567c7dbf36e7bb37a2c20b74655f47f2d9af18e52e9d4c9c9eee8e63745779b8f0b06f3a09d846ba62eb978ad77c85de1ee2fee3fbb4c2d283c73e1ccba56a4658e48a2665d200f7f9342f8e84c2ba490094a4f94feec89e42d2f654f564c2beb2997bafa1fc2c68ad8e160b63587d49abc31b834878d52acfb05fb73d0e059b206162e3c90b40c4bc08407ffcb3c08431895b691a3fea923f1f3b48db75d3e6b91fd319ffe4d486e0e14bd5c6affc838dee63d9e0b80f169b5e6c02c7321dcb20deb2b8e707b60e345a308d505bbf26a93d8f18b39d62632e9a77cbe48b3b32eb8819d6311a49820d40f5acbf0273c91c36b2269a03e72ee64df3dfb10ddefe73c64ef60870b2b77bd99dea655f5fe791b538a929a14d99f6d69685d72431ea5f0f4b27a044f2f575ab474fcc3857895934de1ca2581798eaef2c17fe5aaf2e6add97fa32997c7026f15c1b1ad0e6043ae506027a7c0242546fdc851cca39a204e56879f2cef838be8ec66e0f2292f8c862e06f810eb9b80c7a467ce6e90155206352c7f82b1173ba3b98d35bb72c259a60db20dd1a43fe6d7aef0265e6eaa5caafd9b64b448ff745a2046acbdb65cf2a5007809808a4828dc99097feedc734c236260c584")
 	require.NoError(t, err)
-	var metadata adapter.InboundContext
+	metadata, err := sniff.QUICClientHello(context.Background(), pkt)
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.NoError(t, err)
-	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
+	require.Equal(t, metadata.Domain, "cloudflare-quic.com")
 	require.Equal(t, metadata.Client, C.ClientQUICGo)
 	require.Equal(t, metadata.Domain, "www.google.com")
 }
 func TestSniffQUICFirefox(t *testing.T) {
 	t.Parallel()
 	pkt, err := hex.DecodeString("c8000000010867f174d7ebfe1b0803cd9c20004286de068f7963cf1736349ee6ebe0ddcd3e4cd0041a51ced3f7ce9eea1fb595458e74bdb4b792b16449bd8cae71419862c4fcbe766eaec7d1af65cd298e1dd46f8bd94a77ab4ca28c54b8e9773de3f02d7cb2463c9f7dcacfb311f024b0266ec6ab7bfb615b4148333fb4d4ece7c4cd90029ca30c2cbae2216b428499ec873fa125797e71c5a5da85087760ad37ca610020f71b76e82651c47576e20bf33cf676cb2d400b8c09d3c8cb4e21c47d2b21f6b68732bef30c8cefd5c723fc23eb29e6f7f65a5e52aad9055c1fb3d8b1811f0380b38d7e2eee8eb37dd5bd5d4ca4b66540175d916289d88a9df7c161964d713999c5057d27edb298ef5164352568b0d4bac3c15d90456e8fd460e41b81d0ec1b1e94b87d3333cc6908b018e0914ae1f214d73e75398da3d55a0106161d3a75897b4eb66e98c59010fae75f0d367d38be48c3a5c58bc8a30773c3fff50690ac9d487822f85d4f5713d626baa92d36e858dd21259cf814bce0b90d18da88a1ade40113e5a088cdb304a2558879152a8cf15c1839e056378aa41acba6fcb9974dee54bd50b5d4eb2c475654e06c0ec06b7f18f4462c808684843a1071041b9bfb2688324e0120144944416e30e83eedbbbcbc275b1f53762d3db18f0998ce54f0e1c512946b4098f07781d49264fa148f4c8220a3b02e73d7f15554aa370aafeff73cb75c52c494edf90f0261abfdd32a4d670f729de50266162687aa8efe14b8506f313b058b02aaaab5825428f5f4510b8e49451fdcb7b5a4af4b59c831afcb89fb4f64dba78e3b38387e87e9e8cdaa1f3b700a87c7d442388863b8950296e5773b38f308d62f52548c0bbf308e40540747cca5bf99b1345bc0d70b8f0e69a83b85a8d69f795b87f93e2bfccf52b529afea4ff6fd456957000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
 	require.Equal(t, metadata.Client, C.ClientFirefox)
 	require.Equal(t, metadata.Domain, "www.google.com")
 }
 func TestSniffQUICSafari(t *testing.T) {
 	t.Parallel()
 	pkt, err := hex.DecodeString("c70000000108e4e75af2e223198a0000449ef2d83cb4473a62765eba67424cd4a5817315cbf55a9e8daaca360904b0bae60b1629cfeba11e2dfbbf5ea4c588cb134e31af36fd7a409fb0fcc0187e9b56037ac37964ed20a8c1ca19fd6cfd53398324b3d0c71537294f769db208fa998b6811234a4a7eb3b5eceb457ae92e3a2d98f7c110702db8064b5c29fa3298eb1d0529fd445a84a5fd6ff8709be90f8af4f94998d8a8f2953bb05ad08c80668eca784c6aec959114e68e5b827e7c41c79f2277c716a967e7fcc8d1b77442e6cb18329dbedb34b473516b468cba5fc20659e655fbe37f36408289b9a475fcee091bd82828d3be00367e9e5cec9423bb97854abdada1d7562a3777756eb3bddef826ddc1ef46137cb01bb504a54d410d9bcb74cd5f959050c84edf343fa6a49708c228a758ee7adbbadf260b2f1984911489712e2cb364a3d6520badba4b7e539b9c163eeddfd96c0abb0de151e47496bb9750be76ee17ccdb61d35d2c6795174037d6f9d282c3f36c4d9a90b64f3b6ddd0cf4d9ed8e6f7805e25928fa04b087e63ae02761df30720cc01dfc32b64c575c8a66ef82e9a17400ff80cd8609b93ba16d668f4aa734e71c4a5d145f14ee1151bec970214e0ff83fc3e1e85d8694f2975f9155c57c18b7b69bb6a36832a9435f1f4b346a7be188f3a75f9ad2cc6ad0a3d26d6fa7d4c1179bd49bd5989d15ba43ff602890107db96484695086627356750d7b2b3b714ba65d564654e8f60ac10f5b6d3bfb507e8eaa31bab1da2d676195046d165c7f8b32829c9f9b68d97b2af7ac04a1369357e4b65de2b2f24eaf27cc8d95e05db001adebe726f927a94e43e62ce671e6e306e16f05aafcbe6c49080e80286d7939f375023d110a5ad9069364ae928ca480454a9dcddd61bc48b7efeb716a5bd6c7cd39c486ceb20c738af6abf22ba1ddd8b4a3b781fc2f251173409e1aadccbd7514e97106d0ebfc3af6e59445f74cd733a1ba99b10fce3fb4e9f7c88f5e25b567f5ba2b8dabacd375e7faf7634bfa178cbe51aee63032c5126b196ea47b02385fc3062a000fb7e4b4d0d12e74579f8830ede20d10829496032b2cc56743287f9a9b4d5091877a82fea44deb2cffac8a379f78a151d99e28cbc74d732c083bf06d50584e3f18f254e71a48d6ababaf6fff6f425e9be001510dfbe6a32a27792c00ada036b62ddb90c706d7b882c76a7072f5dd11c69a1f49d4ba183cb0b57545419fa27b9b9706098848935ae9c9e8fbe9fac165d1339128b991a73d20e7795e8d6a8c6adfbf20bf13ada43f2aef3ba78c14697910507132623f721387dce60c4707225b84d9782d469a5d9eaa099f35d6a590ef142ddef766495cf3337815ceef5ff2b3ed352637e72b5c23a2a8ff7d7440236a19b981d47f8e519a0431ebfbc0b78d8a36798b4c060c0c6793499f1e2e818862560a5b501c8d02ba1517be1941da2af5b174e0189c62978d878eb0f9c9db3a9221c28fb94645cf6e85ff2eea8c65ba3083a7382b131b83102dd67aa5453ad7375a4eb8c69fc479fbd29dab8924f801d253f2c997120b705c6e5217fb74702e2f1038917dd5fb0eeb7ae1bf7a668fc7d50c034b4cd5a057a8482e6bc9c921297f44e76967265623a167cd9883eb6e64bc77856dc333bd605d7df3bed0e5cecb5a99fe8b62873d58530f")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
 	require.Equal(t, metadata.Client, C.ClientSafari)
 	require.Equal(t, metadata.Domain, "www.google.com")
 }
 func FuzzSniffQUIC(f *testing.F) {
 	f.Fuzz(func(t *testing.T, data []byte) {
-		var metadata adapter.InboundContext
+		sniff.QUICClientHello(context.Background(), data)
 		err := sniff.QUICClientHello(context.Background(), &metadata, data)
 		require.Error(t, err)
 	})
 }
--- a/common/sniff/rdp.go
+++ b/common/sniff/rdp.go
@@ -1,90 +0,0 @@
 package sniff
 import (
 	"context"
 	"encoding/binary"
 	"io"
 	"os"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common/rw"
 )
 func RDP(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
 	var tpktVersion uint8
 	err := binary.Read(reader, binary.BigEndian, &tpktVersion)
 	if err != nil {
 		return err
 	}
 	if tpktVersion != 0x03 {
 		return os.ErrInvalid
 	}
 	var tpktReserved uint8
 	err = binary.Read(reader, binary.BigEndian, &tpktReserved)
 	if err != nil {
 		return err
 	}
 	if tpktReserved != 0x00 {
 		return os.ErrInvalid
 	}
 	var tpktLength uint16
 	err = binary.Read(reader, binary.BigEndian, &tpktLength)
 	if err != nil {
 		return err
 	}
 	if tpktLength != 19 {
 		return os.ErrInvalid
 	}
 	var cotpLength uint8
 	err = binary.Read(reader, binary.BigEndian, &cotpLength)
 	if err != nil {
 		return err
 	}
 	if cotpLength != 14 {
 		return os.ErrInvalid
 	}
 	var cotpTpduType uint8
 	err = binary.Read(reader, binary.BigEndian, &cotpTpduType)
 	if err != nil {
 		return err
 	}
 	if cotpTpduType != 0xE0 {
 		return os.ErrInvalid
 	}
 	err = rw.SkipN(reader, 5)
 	if err != nil {
 		return err
 	}
 	var rdpType uint8
 	err = binary.Read(reader, binary.BigEndian, &rdpType)
 	if err != nil {
 		return err
 	}
 	if rdpType != 0x01 {
 		return os.ErrInvalid
 	}
 	var rdpFlags uint8
 	err = binary.Read(reader, binary.BigEndian, &rdpFlags)
 	if err != nil {
 		return err
 	}
 	var rdpLength uint8
 	err = binary.Read(reader, binary.BigEndian, &rdpLength)
 	if err != nil {
 		return err
 	}
 	if rdpLength != 8 {
 		return os.ErrInvalid
 	}
 	metadata.Protocol = C.ProtocolRDP
 	return nil
 }
--- a/common/sniff/rdp_test.go
+++ b/common/sniff/rdp_test.go
@@ -1,25 +0,0 @@
 package sniff_test
 import (
 	"bytes"
 	"context"
 	"encoding/hex"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/stretchr/testify/require"
 )
 func TestSniffRDP(t *testing.T) {
 	t.Parallel()
 	pkt, err := hex.DecodeString("030000130ee00000000000010008000b000000010008000b000000")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.RDP(context.TODO(), &metadata, bytes.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, C.ProtocolRDP, metadata.Protocol)
 }
--- a/common/sniff/sniff.go
+++ b/common/sniff/sniff.go
@@ -14,65 +14,49 @@ import (
 )
 type (
-	StreamSniffer = func(ctx context.Context, metadata *adapter.InboundContext, reader io.Reader) error
+	StreamSniffer = func(ctx context.Context, reader io.Reader) (*adapter.InboundContext, error)
-	PacketSniffer = func(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error
+	PacketSniffer = func(ctx context.Context, packet []byte) (*adapter.InboundContext, error)
 )
-func Skip(metadata adapter.InboundContext) bool {
+func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) (*adapter.InboundContext, error) {
 	// skip server first protocols
 	switch metadata.Destination.Port {
 	case 25, 465, 587:
 		// SMTP
 		return true
 	case 143, 993:
 		// IMAP
 		return true
 	case 110, 995:
 		// POP3
 		return true
 	}
 	return false
 }
 func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.Conn, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) error {
 	if timeout == 0 {
 		timeout = C.ReadPayloadTimeout
 	}
 	deadline := time.Now().Add(timeout)
 	var errors []error
-	for i := 0; ; i++ {
+
 	for i := 0; i < 3; i++ {
 		err := conn.SetReadDeadline(deadline)
 		if err != nil {
-			return E.Cause(err, "set read deadline")
+			return nil, E.Cause(err, "set read deadline")
 		}
 		_, err = buffer.ReadOnceFrom(conn)
-		_ = conn.SetReadDeadline(time.Time{})
+		err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
 		if err != nil {
 			if i > 0 {
 				break
 			}
-			return E.Cause(err, "read payload")
+			return nil, E.Cause(err, "read payload")
 		}
 		errors = nil
 		for _, sniffer := range sniffers {
-			err = sniffer(ctx, metadata, bytes.NewReader(buffer.Bytes()))
+			metadata, err := sniffer(ctx, bytes.NewReader(buffer.Bytes()))
-			if err == nil {
+			if metadata != nil {
-				return nil
+				return metadata, nil
 			}
 			errors = append(errors, err)
 		}
 	}
-	return E.Errors(errors...)
+	return nil, E.Errors(errors...)
 }
-func PeekPacket(ctx context.Context, metadata *adapter.InboundContext, packet []byte, sniffers ...PacketSniffer) error {
+func PeekPacket(ctx context.Context, packet []byte, sniffers ...PacketSniffer) (*adapter.InboundContext, error) {
 	var errors []error
 	for _, sniffer := range sniffers {
-		err := sniffer(ctx, metadata, packet)
+		metadata, err := sniffer(ctx, packet)
-		if err == nil {
+		if metadata != nil {
-			return nil
+			return metadata, nil
 		}
 		errors = append(errors, err)
 	}
-	return E.Errors(errors...)
+	return nil, E.Errors(errors...)
 }
--- a/common/sniff/ssh.go
+++ b/common/sniff/ssh.go
@@ -1,26 +0,0 @@
 package sniff
 import (
 	"bufio"
 	"context"
 	"io"
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 )
 func SSH(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
 	scanner := bufio.NewScanner(reader)
 	if !scanner.Scan() {
 		return os.ErrInvalid
 	}
 	fistLine := scanner.Text()
 	if !strings.HasPrefix(fistLine, "SSH-2.0-") {
 		return os.ErrInvalid
 	}
 	metadata.Protocol = C.ProtocolSSH
 	metadata.Client = fistLine[8:]
 	return nil
 }
--- a/common/sniff/ssh_test.go
+++ b/common/sniff/ssh_test.go
@@ -1,26 +0,0 @@
 package sniff_test
 import (
 	"bytes"
 	"context"
 	"encoding/hex"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/stretchr/testify/require"
 )
 func TestSniffSSH(t *testing.T) {
 	t.Parallel()
 	pkt, err := hex.DecodeString("5353482d322e302d64726f70626561720d0a000001a40a1492892570d1223aef61b0d647972c8bd30000009f637572766532353531392d7368613235362c637572766532353531392d736861323536406c69627373682e6f72672c6469666669652d68656c6c6d616e2d67726f757031342d7368613235362c6469666669652d68656c6c6d616e2d67726f757031342d736861312c6b6578677565737332406d6174742e7563632e61736e2e61752c6b65782d7374726963742d732d763030406f70656e7373682e636f6d000000207373682d656432353531392c7273612d736861322d3235362c7373682d7273610000003363686163686132302d706f6c7931333035406f70656e7373682e636f6d2c6165733132382d6374722c6165733235362d6374720000003363686163686132302d706f6c7931333035406f70656e7373682e636f6d2c6165733132382d6374722c6165733235362d63747200000017686d61632d736861312c686d61632d736861322d32353600000017686d61632d736861312c686d61632d736861322d323536000000046e6f6e65000000046e6f6e65000000000000000000000000002aa6ed090585b7d635b6")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.SSH(context.TODO(), &metadata, bytes.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, C.ProtocolSSH, metadata.Protocol)
 	require.Equal(t, "dropbear", metadata.Client)
 }
--- a/common/sniff/stun.go
+++ b/common/sniff/stun.go
@@ -9,17 +9,16 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 )
-func STUNMessage(_ context.Context, metadata *adapter.InboundContext, packet []byte) error {
+func STUNMessage(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
 	pLen := len(packet)
 	if pLen < 20 {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}
 	if binary.BigEndian.Uint32(packet[4:8]) != 0x2112A442 {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}
 	if len(packet) < 20+int(binary.BigEndian.Uint16(packet[2:4])) {
-		return os.ErrInvalid
+		return nil, os.ErrInvalid
 	}
-	metadata.Protocol = C.ProtocolSTUN
+	return &adapter.InboundContext{Protocol: C.ProtocolSTUN}, nil
 	return nil
 }
--- a/common/sniff/stun_test.go
+++ b/common/sniff/stun_test.go
@@ -5,7 +5,6 @@ import (
 	"encoding/hex"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
@@ -16,16 +15,14 @@ func TestSniffSTUN(t *testing.T) {
 	t.Parallel()
 	packet, err := hex.DecodeString("000100002112a44224b1a025d0c180c484341306")
 	require.NoError(t, err)
-	var metadata adapter.InboundContext
+	metadata, err := sniff.STUNMessage(context.Background(), packet)
 	err = sniff.STUNMessage(context.Background(), &metadata, packet)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolSTUN)
 }
 func FuzzSniffSTUN(f *testing.F) {
 	f.Fuzz(func(t *testing.T, data []byte) {
-		var metadata adapter.InboundContext
+		if _, err := sniff.STUNMessage(context.Background(), data); err == nil {
 		if err := sniff.STUNMessage(context.Background(), &metadata, data); err == nil {
 			t.Fail()
 		}
 	})
--- a/common/sniff/tls.go
+++ b/common/sniff/tls.go
@@ -10,7 +10,7 @@ import (
 	"github.com/sagernet/sing/common/bufio"
 )
-func TLSClientHello(ctx context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
+func TLSClientHello(ctx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
 	var clientHello *tls.ClientHelloInfo
 	err := tls.Server(bufio.NewReadOnlyConn(reader), &tls.Config{
 		GetConfigForClient: func(argHello *tls.ClientHelloInfo) (*tls.Config, error) {
@@ -19,9 +19,7 @@ func TLSClientHello(ctx context.Context, metadata *adapter.InboundContext, reade
 		},
 	}).HandshakeContext(ctx)
 	if clientHello != nil {
-		metadata.Protocol = C.ProtocolTLS
+		return &adapter.InboundContext{Protocol: C.ProtocolTLS, Domain: clientHello.ServerName}, nil
 		metadata.Domain = clientHello.ServerName
 		return nil
 	}
-	return err
+	return nil, err
 }
--- a/common/srs/binary.go
+++ b/common/srs/binary.go
@@ -1,7 +1,6 @@
 package srs
 import (
 	"bufio"
 	"compress/zlib"
 	"encoding/binary"
 	"io"
@@ -12,7 +11,7 @@ import (
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/domain"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/varbin"
+	"github.com/sagernet/sing/common/rw"
 	"go4.org/netipx"
 )
@@ -36,42 +35,38 @@ const (
 	ruleItemPackageName
 	ruleItemWIFISSID
 	ruleItemWIFIBSSID
 	ruleItemAdGuardDomain
 	ruleItemProcessPathRegex
 	ruleItemFinal uint8 = 0xFF
 )
-func Read(reader io.Reader, recover bool) (ruleSetCompat option.PlainRuleSetCompat, err error) {
+func Read(reader io.Reader, recovery bool) (ruleSet option.PlainRuleSet, err error) {
 	var magicBytes [3]byte
 	_, err = io.ReadFull(reader, magicBytes[:])
 	if err != nil {
 		return
 	}
 	if magicBytes != MagicBytes {
-		err = E.New("invalid sing-box rule-set file")
+		err = E.New("invalid sing-box rule set file")
 		return
 	}
 	var version uint8
 	err = binary.Read(reader, binary.BigEndian, &version)
 	if err != nil {
-		return ruleSetCompat, err
+		return ruleSet, err
 	}
-	if version > C.RuleSetVersionCurrent {
+	if version != 1 {
-		return ruleSetCompat, E.New("unsupported version: ", version)
+		return ruleSet, E.New("unsupported version: ", version)
 	}
-	compressReader, err := zlib.NewReader(reader)
+	zReader, err := zlib.NewReader(reader)
 	if err != nil {
 		return
 	}
-	bReader := bufio.NewReader(compressReader)
+	length, err := rw.ReadUVariant(zReader)
 	length, err := binary.ReadUvarint(bReader)
 	if err != nil {
 		return
 	}
-	ruleSetCompat.Version = version
+	ruleSet.Rules = make([]option.HeadlessRule, length)
 	ruleSetCompat.Options.Rules = make([]option.HeadlessRule, length)
 	for i := uint64(0); i < length; i++ {
-		ruleSetCompat.Options.Rules[i], err = readRule(bReader, recover)
+		ruleSet.Rules[i], err = readRule(zReader, recovery)
 		if err != nil {
 			err = E.Cause(err, "read rule[", i, "]")
 			return
@@ -80,38 +75,33 @@ func Read(reader io.Reader, recover bool) (ruleSetCompat option.PlainRuleSetComp
 	return
 }
-func Write(writer io.Writer, ruleSet option.PlainRuleSet, generateVersion uint8) error {
+func Write(writer io.Writer, ruleSet option.PlainRuleSet) error {
 	_, err := writer.Write(MagicBytes[:])
 	if err != nil {
 		return err
 	}
-	err = binary.Write(writer, binary.BigEndian, generateVersion)
+	err = binary.Write(writer, binary.BigEndian, uint8(1))
 	if err != nil {
 		return err
 	}
-	compressWriter, err := zlib.NewWriterLevel(writer, zlib.BestCompression)
+	zWriter, err := zlib.NewWriterLevel(writer, zlib.BestCompression)
 	if err != nil {
 		return err
 	}
-	bWriter := bufio.NewWriter(compressWriter)
+	err = rw.WriteUVariant(zWriter, uint64(len(ruleSet.Rules)))
 	_, err = varbin.WriteUvarint(bWriter, uint64(len(ruleSet.Rules)))
 	if err != nil {
 		return err
 	}
 	for _, rule := range ruleSet.Rules {
-		err = writeRule(bWriter, rule, generateVersion)
+		err = writeRule(zWriter, rule)
 		if err != nil {
 			return err
 		}
 	}
-	err = bWriter.Flush()
+	return zWriter.Close()
 	if err != nil {
 		return err
 	}
 	return compressWriter.Close()
 }
-func readRule(reader varbin.Reader, recover bool) (rule option.HeadlessRule, err error) {
+func readRule(reader io.Reader, recovery bool) (rule option.HeadlessRule, err error) {
 	var ruleType uint8
 	err = binary.Read(reader, binary.BigEndian, &ruleType)
 	if err != nil {
@@ -120,28 +110,28 @@ func readRule(reader varbin.Reader, recover bool) (rule option.HeadlessRule, err
 	switch ruleType {
 	case 0:
 		rule.Type = C.RuleTypeDefault
-		rule.DefaultOptions, err = readDefaultRule(reader, recover)
+		rule.DefaultOptions, err = readDefaultRule(reader, recovery)
 	case 1:
 		rule.Type = C.RuleTypeLogical
-		rule.LogicalOptions, err = readLogicalRule(reader, recover)
+		rule.LogicalOptions, err = readLogicalRule(reader, recovery)
 	default:
 		err = E.New("unknown rule type: ", ruleType)
 	}
 	return
 }
-func writeRule(writer varbin.Writer, rule option.HeadlessRule, generateVersion uint8) error {
+func writeRule(writer io.Writer, rule option.HeadlessRule) error {
 	switch rule.Type {
 	case C.RuleTypeDefault:
-		return writeDefaultRule(writer, rule.DefaultOptions, generateVersion)
+		return writeDefaultRule(writer, rule.DefaultOptions)
 	case C.RuleTypeLogical:
-		return writeLogicalRule(writer, rule.LogicalOptions, generateVersion)
+		return writeLogicalRule(writer, rule.LogicalOptions)
 	default:
 		panic("unknown rule type: " + rule.Type)
 	}
 }
-func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHeadlessRule, err error) {
+func readDefaultRule(reader io.Reader, recovery bool) (rule option.DefaultHeadlessRule, err error) {
 	var lastItemType uint8
 	for {
 		var itemType uint8
@@ -168,9 +158,6 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 				return
 			}
 			rule.DomainMatcher = matcher
 			if recover {
 				rule.Domain, rule.DomainSuffix = matcher.Dump()
 			}
 		case ruleItemDomainKeyword:
 			rule.DomainKeyword, err = readRuleItemString(reader)
 		case ruleItemDomainRegex:
@@ -180,7 +167,7 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 			if err != nil {
 				return
 			}
-			if recover {
+			if recovery {
 				rule.SourceIPCIDR = common.Map(rule.SourceIPSet.Prefixes(), netip.Prefix.String)
 			}
 		case ruleItemIPCIDR:
@@ -188,7 +175,7 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 			if err != nil {
 				return
 			}
-			if recover {
+			if recovery {
 				rule.IPCIDR = common.Map(rule.IPSet.Prefixes(), netip.Prefix.String)
 			}
 		case ruleItemSourcePort:
@@ -203,25 +190,12 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 			rule.ProcessName, err = readRuleItemString(reader)
 		case ruleItemProcessPath:
 			rule.ProcessPath, err = readRuleItemString(reader)
 		case ruleItemProcessPathRegex:
 			rule.ProcessPathRegex, err = readRuleItemString(reader)
 		case ruleItemPackageName:
 			rule.PackageName, err = readRuleItemString(reader)
 		case ruleItemWIFISSID:
 			rule.WIFISSID, err = readRuleItemString(reader)
 		case ruleItemWIFIBSSID:
 			rule.WIFIBSSID, err = readRuleItemString(reader)
 		case ruleItemAdGuardDomain:
 			if recover {
 				err = E.New("unable to decompile binary AdGuard rules to rule-set")
 				return
 			}
 			var matcher *domain.AdGuardMatcher
 			matcher, err = domain.ReadAdGuardMatcher(reader)
 			if err != nil {
 				return
 			}
 			rule.AdGuardDomainMatcher = matcher
 		case ruleItemFinal:
 			err = binary.Read(reader, binary.BigEndian, &rule.Invert)
 			return
@@ -235,7 +209,7 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 	}
 }
-func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, generateVersion uint8) error {
+func writeDefaultRule(writer io.Writer, rule option.DefaultHeadlessRule) error {
 	err := binary.Write(writer, binary.BigEndian, uint8(0))
 	if err != nil {
 		return err
@@ -259,7 +233,7 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 		if err != nil {
 			return err
 		}
-		err = domain.NewMatcher(rule.Domain, rule.DomainSuffix, generateVersion == C.RuleSetVersion1).Write(writer)
+		err = domain.NewMatcher(rule.Domain, rule.DomainSuffix).Write(writer)
 		if err != nil {
 			return err
 		}
@@ -324,12 +298,6 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 			return err
 		}
 	}
 	if len(rule.ProcessPathRegex) > 0 {
 		err = writeRuleItemString(writer, ruleItemProcessPathRegex, rule.ProcessPathRegex)
 		if err != nil {
 			return err
 		}
 	}
 	if len(rule.PackageName) > 0 {
 		err = writeRuleItemString(writer, ruleItemPackageName, rule.PackageName)
 		if err != nil {
@@ -348,19 +316,6 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 			return err
 		}
 	}
 	if len(rule.AdGuardDomain) > 0 {
 		if generateVersion < C.RuleSetVersion2 {
 			return E.New("AdGuard rule items is only supported in version 2 or later")
 		}
 		err = binary.Write(writer, binary.BigEndian, ruleItemAdGuardDomain)
 		if err != nil {
 			return err
 		}
 		err = domain.NewAdGuardMatcher(rule.AdGuardDomain).Write(writer)
 		if err != nil {
 			return err
 		}
 	}
 	err = binary.Write(writer, binary.BigEndian, ruleItemFinal)
 	if err != nil {
 		return err
@@ -372,31 +327,73 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 	return nil
 }
-func readRuleItemString(reader varbin.Reader) ([]string, error) {
+func readRuleItemString(reader io.Reader) ([]string, error) {
-	return varbin.ReadValue[[]string](reader, binary.BigEndian)
+	length, err := rw.ReadUVariant(reader)
 	if err != nil {
 		return nil, err
 	}
 	value := make([]string, length)
 	for i := uint64(0); i < length; i++ {
 		value[i], err = rw.ReadVString(reader)
 		if err != nil {
 			return nil, err
 		}
 	}
 	return value, nil
 }
-func writeRuleItemString(writer varbin.Writer, itemType uint8, value []string) error {
+func writeRuleItemString(writer io.Writer, itemType uint8, value []string) error {
-	err := writer.WriteByte(itemType)
+	err := binary.Write(writer, binary.BigEndian, itemType)
 	if err != nil {
 		return err
 	}
-	return varbin.Write(writer, binary.BigEndian, value)
+	err = rw.WriteUVariant(writer, uint64(len(value)))
 }
 func readRuleItemUint16(reader varbin.Reader) ([]uint16, error) {
 	return varbin.ReadValue[[]uint16](reader, binary.BigEndian)
 }
 func writeRuleItemUint16(writer varbin.Writer, itemType uint8, value []uint16) error {
 	err := writer.WriteByte(itemType)
 	if err != nil {
 		return err
 	}
-	return varbin.Write(writer, binary.BigEndian, value)
+	for _, item := range value {
 		err = rw.WriteVString(writer, item)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
-func writeRuleItemCIDR(writer varbin.Writer, itemType uint8, value []string) error {
+func readRuleItemUint16(reader io.Reader) ([]uint16, error) {
 	length, err := rw.ReadUVariant(reader)
 	if err != nil {
 		return nil, err
 	}
 	value := make([]uint16, length)
 	for i := uint64(0); i < length; i++ {
 		err = binary.Read(reader, binary.BigEndian, &value[i])
 		if err != nil {
 			return nil, err
 		}
 	}
 	return value, nil
 }
 func writeRuleItemUint16(writer io.Writer, itemType uint8, value []uint16) error {
 	err := binary.Write(writer, binary.BigEndian, itemType)
 	if err != nil {
 		return err
 	}
 	err = rw.WriteUVariant(writer, uint64(len(value)))
 	if err != nil {
 		return err
 	}
 	for _, item := range value {
 		err = binary.Write(writer, binary.BigEndian, item)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func writeRuleItemCIDR(writer io.Writer, itemType uint8, value []string) error {
 	var builder netipx.IPSetBuilder
 	for i, prefixString := range value {
 		prefix, err := netip.ParsePrefix(prefixString)
@@ -422,8 +419,9 @@ func writeRuleItemCIDR(writer varbin.Writer, itemType uint8, value []string) err
 	return writeIPSet(writer, ipSet)
 }
-func readLogicalRule(reader varbin.Reader, recovery bool) (logicalRule option.LogicalHeadlessRule, err error) {
+func readLogicalRule(reader io.Reader, recovery bool) (logicalRule option.LogicalHeadlessRule, err error) {
-	mode, err := reader.ReadByte()
+	var mode uint8
 	err = binary.Read(reader, binary.BigEndian, &mode)
 	if err != nil {
 		return
 	}
@@ -436,7 +434,7 @@ func readLogicalRule(reader varbin.Reader, recovery bool) (logicalRule option.Lo
 		err = E.New("unknown logical mode: ", mode)
 		return
 	}
-	length, err := binary.ReadUvarint(reader)
+	length, err := rw.ReadUVariant(reader)
 	if err != nil {
 		return
 	}
@@ -455,7 +453,7 @@ func readLogicalRule(reader varbin.Reader, recovery bool) (logicalRule option.Lo
 	return
 }
-func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRule, generateVersion uint8) error {
+func writeLogicalRule(writer io.Writer, logicalRule option.LogicalHeadlessRule) error {
 	err := binary.Write(writer, binary.BigEndian, uint8(1))
 	if err != nil {
 		return err
@@ -471,12 +469,12 @@ func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRu
 	if err != nil {
 		return err
 	}
-	_, err = varbin.WriteUvarint(writer, uint64(len(logicalRule.Rules)))
+	err = rw.WriteUVariant(writer, uint64(len(logicalRule.Rules)))
 	if err != nil {
 		return err
 	}
 	for _, rule := range logicalRule.Rules {
-		err = writeRule(writer, rule, generateVersion)
+		err = writeRule(writer, rule)
 		if err != nil {
 			return err
 		}
--- a/common/srs/ip_set.go
+++ b/common/srs/ip_set.go
@@ -2,13 +2,11 @@ package srs
 import (
 	"encoding/binary"
 	"io"
 	"net/netip"
 	"os"
 	"unsafe"
-	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/rw"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/varbin"
 	"go4.org/netipx"
 )
@@ -22,57 +20,94 @@ type myIPRange struct {
 	to   netip.Addr
 }
-type myIPRangeData struct {
+func readIPSet(reader io.Reader) (*netipx.IPSet, error) {
-	From []byte
+	var version uint8
-	To   []byte
+	err := binary.Read(reader, binary.BigEndian, &version)
 }
 func readIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
 	version, err := reader.ReadByte()
 	if err != nil {
 		return nil, err
 	}
 	if version != 1 {
 		return nil, os.ErrInvalid
 	}
 	// WTF why using uint64 here
 	var length uint64
 	err = binary.Read(reader, binary.BigEndian, &length)
 	if err != nil {
 		return nil, err
 	}
 	ranges := make([]myIPRangeData, length)
 	err = varbin.Read(reader, binary.BigEndian, &ranges)
 	if err != nil {
 		return nil, err
 	}
 	mySet := &myIPSet{
-		rr: make([]myIPRange, len(ranges)),
+		rr: make([]myIPRange, length),
 	}
-	for i, rangeData := range ranges {
+	for i := uint64(0); i < length; i++ {
-		mySet.rr[i].from = M.AddrFromIP(rangeData.From)
+		var (
-		mySet.rr[i].to = M.AddrFromIP(rangeData.To)
+			fromLen  uint64
 			toLen    uint64
 			fromAddr netip.Addr
 			toAddr   netip.Addr
 		)
 		fromLen, err = rw.ReadUVariant(reader)
 		if err != nil {
 			return nil, err
 		}
 		fromBytes := make([]byte, fromLen)
 		_, err = io.ReadFull(reader, fromBytes)
 		if err != nil {
 			return nil, err
 		}
 		err = fromAddr.UnmarshalBinary(fromBytes)
 		if err != nil {
 			return nil, err
 		}
 		toLen, err = rw.ReadUVariant(reader)
 		if err != nil {
 			return nil, err
 		}
 		toBytes := make([]byte, toLen)
 		_, err = io.ReadFull(reader, toBytes)
 		if err != nil {
 			return nil, err
 		}
 		err = toAddr.UnmarshalBinary(toBytes)
 		if err != nil {
 			return nil, err
 		}
 		mySet.rr[i] = myIPRange{fromAddr, toAddr}
 	}
 	return (*netipx.IPSet)(unsafe.Pointer(mySet)), nil
 }
-func writeIPSet(writer varbin.Writer, set *netipx.IPSet) error {
+func writeIPSet(writer io.Writer, set *netipx.IPSet) error {
-	err := writer.WriteByte(1)
+	err := binary.Write(writer, binary.BigEndian, uint8(1))
 	if err != nil {
 		return err
 	}
-	dataList := common.Map((*myIPSet)(unsafe.Pointer(set)).rr, func(rr myIPRange) myIPRangeData {
+	mySet := (*myIPSet)(unsafe.Pointer(set))
-		return myIPRangeData{
+	err = binary.Write(writer, binary.BigEndian, uint64(len(mySet.rr)))
-			From: rr.from.AsSlice(),
+	if err != nil {
-			To:   rr.to.AsSlice(),
+		return err
 	}
 	for _, rr := range mySet.rr {
 		var (
 			fromBinary []byte
 			toBinary   []byte
 		)
 		fromBinary, err = rr.from.MarshalBinary()
 		if err != nil {
 			return err
 		}
-	})
+		err = rw.WriteUVariant(writer, uint64(len(fromBinary)))
-	err = binary.Write(writer, binary.BigEndian, uint64(len(dataList)))
+		if err != nil {
-	if err != nil {
+			return err
-		return err
+		}
-	}
+		_, err = writer.Write(fromBinary)
-	for _, data := range dataList {
+		if err != nil {
-		err = varbin.Write(writer, binary.BigEndian, data)
+			return err
 		}
 		toBinary, err = rr.to.MarshalBinary()
 		if err != nil {
 			return err
 		}
 		err = rw.WriteUVariant(writer, uint64(len(toBinary)))
 		if err != nil {
 			return err
 		}
 		_, err = writer.Write(toBinary)
 		if err != nil {
 			return err
 		}
--- a/common/tls/ech_server.go
+++ b/common/tls/ech_server.go
@@ -11,11 +11,12 @@ import (
 	"strings"
 	cftls "github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 	"github.com/fsnotify/fsnotify"
 )
 type echServerConfig struct {
@@ -25,8 +26,9 @@ type echServerConfig struct {
 	key             []byte
 	certificatePath string
 	keyPath         string
 	watcher         *fsnotify.Watcher
 	echKeyPath      string
-	watcher         *fswatch.Watcher
+	echWatcher      *fsnotify.Watcher
 }
 func (c *echServerConfig) ServerName() string {
@@ -64,88 +66,146 @@ func (c *echServerConfig) Clone() Config {
 }
 func (c *echServerConfig) Start() error {
-	err := c.startWatcher()
+	if c.certificatePath != "" && c.keyPath != "" {
-	if err != nil {
+		err := c.startWatcher()
-		c.logger.Warn("create credentials watcher: ", err)
+		if err != nil {
 			c.logger.Warn("create fsnotify watcher: ", err)
 		}
 	}
 	if c.echKeyPath != "" {
 		err := c.startECHWatcher()
 		if err != nil {
 			c.logger.Warn("create fsnotify watcher: ", err)
 		}
 	}
 	return nil
 }
 func (c *echServerConfig) startWatcher() error {
-	var watchPath []string
+	watcher, err := fsnotify.NewWatcher()
 	if err != nil {
 		return err
 	}
 	if c.certificatePath != "" {
-		watchPath = append(watchPath, c.certificatePath)
+		err = watcher.Add(c.certificatePath)
 	}
 	if c.keyPath != "" {
 		watchPath = append(watchPath, c.keyPath)
 	}
 	if c.echKeyPath != "" {
 		watchPath = append(watchPath, c.echKeyPath)
 	}
 	if len(watchPath) == 0 {
 		return nil
 	}
 	watcher, err := fswatch.NewWatcher(fswatch.Options{
 		Path: watchPath,
 		Callback: func(path string) {
 			err := c.credentialsUpdated(path)
 			if err != nil {
 				c.logger.Error(E.Cause(err, "reload credentials from ", path))
 			}
 		},
 	})
 	if err != nil {
 		return err
 	}
 	err = watcher.Start()
 	if err != nil {
 		return err
 	}
 	c.watcher = watcher
 	return nil
 }
 func (c *echServerConfig) credentialsUpdated(path string) error {
 	if path == c.certificatePath || path == c.keyPath {
 		if path == c.certificatePath {
 			certificate, err := os.ReadFile(c.certificatePath)
 			if err != nil {
 				return err
 			}
 			c.certificate = certificate
 		} else {
 			key, err := os.ReadFile(c.keyPath)
 			if err != nil {
 				return err
 			}
 			c.key = key
 		}
 		keyPair, err := cftls.X509KeyPair(c.certificate, c.key)
 		if err != nil {
 			return E.Cause(err, "parse key pair")
 		}
 		c.config.Certificates = []cftls.Certificate{keyPair}
 		c.logger.Info("reloaded TLS certificate")
 	} else {
 		echKeyContent, err := os.ReadFile(c.echKeyPath)
 		if err != nil {
 			return err
 		}
 		block, rest := pem.Decode(echKeyContent)
 		if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
 			return E.New("invalid ECH keys pem")
 		}
 		echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
 		if err != nil {
 			return E.Cause(err, "parse ECH keys")
 		}
 		echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
 		if err != nil {
 			return E.Cause(err, "create ECH key set")
 		}
 		c.config.ServerECHProvider = echKeySet
 		c.logger.Info("reloaded ECH keys")
 	}
 	if c.keyPath != "" {
 		err = watcher.Add(c.keyPath)
 		if err != nil {
 			return err
 		}
 	}
 	c.watcher = watcher
 	go c.loopUpdate()
 	return nil
 }
 func (c *echServerConfig) loopUpdate() {
 	for {
 		select {
 		case event, ok := <-c.watcher.Events:
 			if !ok {
 				return
 			}
 			if event.Op&fsnotify.Write != fsnotify.Write {
 				continue
 			}
 			err := c.reloadKeyPair()
 			if err != nil {
 				c.logger.Error(E.Cause(err, "reload TLS key pair"))
 			}
 		case err, ok := <-c.watcher.Errors:
 			if !ok {
 				return
 			}
 			c.logger.Error(E.Cause(err, "fsnotify error"))
 		}
 	}
 }
 func (c *echServerConfig) reloadKeyPair() error {
 	if c.certificatePath != "" {
 		certificate, err := os.ReadFile(c.certificatePath)
 		if err != nil {
 			return E.Cause(err, "reload certificate from ", c.certificatePath)
 		}
 		c.certificate = certificate
 	}
 	if c.keyPath != "" {
 		key, err := os.ReadFile(c.keyPath)
 		if err != nil {
 			return E.Cause(err, "reload key from ", c.keyPath)
 		}
 		c.key = key
 	}
 	keyPair, err := cftls.X509KeyPair(c.certificate, c.key)
 	if err != nil {
 		return E.Cause(err, "reload key pair")
 	}
 	c.config.Certificates = []cftls.Certificate{keyPair}
 	c.logger.Info("reloaded TLS certificate")
 	return nil
 }
 func (c *echServerConfig) startECHWatcher() error {
 	watcher, err := fsnotify.NewWatcher()
 	if err != nil {
 		return err
 	}
 	err = watcher.Add(c.echKeyPath)
 	if err != nil {
 		return err
 	}
 	c.echWatcher = watcher
 	go c.loopECHUpdate()
 	return nil
 }
 func (c *echServerConfig) loopECHUpdate() {
 	for {
 		select {
 		case event, ok := <-c.echWatcher.Events:
 			if !ok {
 				return
 			}
 			if event.Op&fsnotify.Write != fsnotify.Write {
 				continue
 			}
 			err := c.reloadECHKey()
 			if err != nil {
 				c.logger.Error(E.Cause(err, "reload ECH key"))
 			}
 		case err, ok := <-c.echWatcher.Errors:
 			if !ok {
 				return
 			}
 			c.logger.Error(E.Cause(err, "fsnotify error"))
 		}
 	}
 }
 func (c *echServerConfig) reloadECHKey() error {
 	echKeyContent, err := os.ReadFile(c.echKeyPath)
 	if err != nil {
 		return err
 	}
 	block, rest := pem.Decode(echKeyContent)
 	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
 		return E.New("invalid ECH keys pem")
 	}
 	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
 	if err != nil {
 		return E.Cause(err, "parse ECH keys")
 	}
 	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
 	if err != nil {
 		return E.Cause(err, "create ECH key set")
 	}
 	c.config.ServerECHProvider = echKeySet
 	c.logger.Info("reloaded ECH keys")
 	return nil
 }
@@ -153,7 +213,12 @@ func (c *echServerConfig) Close() error {
 	var err error
 	if c.watcher != nil {
 		err = E.Append(err, c.watcher.Close(), func(err error) error {
-			return E.Cause(err, "close credentials watcher")
+			return E.Cause(err, "close certificate watcher")
 		})
 	}
 	if c.echWatcher != nil {
 		err = E.Append(err, c.echWatcher.Close(), func(err error) error {
 			return E.Cause(err, "close ECH key watcher")
 		})
 	}
 	return err
@@ -236,7 +301,7 @@ func NewECHServer(ctx context.Context, logger log.Logger, options option.Inbound
 	var echKey []byte
 	if len(options.ECH.Key) > 0 {
 		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
-	} else if options.ECH.KeyPath != "" {
+	} else if options.KeyPath != "" {
 		content, err := os.ReadFile(options.ECH.KeyPath)
 		if err != nil {
 			return nil, E.Cause(err, "read ECH key")
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -7,13 +7,14 @@ import (
 	"os"
 	"strings"
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 	"github.com/fsnotify/fsnotify"
 )
 var errInsecureUnused = E.New("tls: insecure unused")
@@ -26,7 +27,7 @@ type STDServerConfig struct {
 	key             []byte
 	certificatePath string
 	keyPath         string
-	watcher         *fswatch.Watcher
+	watcher         *fsnotify.Watcher
 }
 func (c *STDServerConfig) ServerName() string {
@@ -87,41 +88,59 @@ func (c *STDServerConfig) Start() error {
 }
 func (c *STDServerConfig) startWatcher() error {
-	var watchPath []string
+	watcher, err := fsnotify.NewWatcher()
 	if err != nil {
 		return err
 	}
 	if c.certificatePath != "" {
-		watchPath = append(watchPath, c.certificatePath)
+		err = watcher.Add(c.certificatePath)
 		if err != nil {
 			return err
 		}
 	}
 	if c.keyPath != "" {
-		watchPath = append(watchPath, c.keyPath)
+		err = watcher.Add(c.keyPath)
-	}
+		if err != nil {
-	watcher, err := fswatch.NewWatcher(fswatch.Options{
+			return err
-		Path: watchPath,
+		}
 		Callback: func(path string) {
 			err := c.certificateUpdated(path)
 			if err != nil {
 				c.logger.Error(err)
 			}
 		},
 	})
 	if err != nil {
 		return err
 	}
 	err = watcher.Start()
 	if err != nil {
 		return err
 	}
 	c.watcher = watcher
 	go c.loopUpdate()
 	return nil
 }
-func (c *STDServerConfig) certificateUpdated(path string) error {
+func (c *STDServerConfig) loopUpdate() {
-	if path == c.certificatePath {
+	for {
 		select {
 		case event, ok := <-c.watcher.Events:
 			if !ok {
 				return
 			}
 			if event.Op&fsnotify.Write != fsnotify.Write {
 				continue
 			}
 			err := c.reloadKeyPair()
 			if err != nil {
 				c.logger.Error(E.Cause(err, "reload TLS key pair"))
 			}
 		case err, ok := <-c.watcher.Errors:
 			if !ok {
 				return
 			}
 			c.logger.Error(E.Cause(err, "fsnotify error"))
 		}
 	}
 }
 func (c *STDServerConfig) reloadKeyPair() error {
 	if c.certificatePath != "" {
 		certificate, err := os.ReadFile(c.certificatePath)
 		if err != nil {
 			return E.Cause(err, "reload certificate from ", c.certificatePath)
 		}
 		c.certificate = certificate
-	} else if path == c.keyPath {
+	}
 	if c.keyPath != "" {
 		key, err := os.ReadFile(c.keyPath)
 		if err != nil {
 			return E.Cause(err, "reload key from ", c.keyPath)
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -217,10 +217,18 @@ func init() {
 func uTLSClientHelloID(name string) (utls.ClientHelloID, error) {
 	switch name {
 	case "chrome_psk", "chrome_psk_shuffle", "chrome_padding_psk_shuffle", "chrome_pq":
 		fallthrough
 	case "chrome", "":
 		return utls.HelloChrome_Auto, nil
 	case "chrome_psk":
 		return utls.HelloChrome_100_PSK, nil
 	case "chrome_psk_shuffle":
 		return utls.HelloChrome_112_PSK_Shuf, nil
 	case "chrome_padding_psk_shuffle":
 		return utls.HelloChrome_114_Padding_PSK_Shuf, nil
 	case "chrome_pq":
 		return utls.HelloChrome_115_PQ, nil
 	case "chrome_pq_psk":
 		return utls.HelloChrome_115_PQ_PSK, nil
 	case "firefox":
 		return utls.HelloFirefox_Auto, nil
 	case "edge":
--- a/common/urltest/urltest.go
+++ b/common/urltest/urltest.go
@@ -8,7 +8,6 @@ import (
 	"sync"
 	"time"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -114,7 +113,6 @@ func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err e
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
 		Timeout: C.TCPTimeout,
 	}
 	defer client.CloseIdleConnections()
 	resp, err := client.Do(req.WithContext(ctx))
--- a/constant/cgo_android_fix.go
+++ b/constant/cgo_android_fix.go
@@ -1,8 +0,0 @@
 //go:build android && debug
 package constant
 // TODO: remove after fixed
 // https://github.com/golang/go/issues/68760
 const FixAndroidStack = true
--- a/constant/cgo_android_fix_stub.go
+++ b/constant/cgo_android_fix_stub.go
@@ -1,5 +0,0 @@
 //go:build !(android && debug)
 package constant
 const FixAndroidStack = false
--- a/constant/path.go
+++ b/constant/path.go
@@ -13,14 +13,14 @@ var resourcePaths []string
 func FindPath(name string) (string, bool) {
 	name = os.ExpandEnv(name)
-	if rw.IsFile(name) {
+	if rw.FileExists(name) {
 		return name, true
 	}
 	for _, dir := range resourcePaths {
-		if path := filepath.Join(dir, dirName, name); rw.IsFile(path) {
+		if path := filepath.Join(dir, dirName, name); rw.FileExists(path) {
 			return path, true
 		}
-		if path := filepath.Join(dir, name); rw.IsFile(path) {
+		if path := filepath.Join(dir, name); rw.FileExists(path) {
 			return path, true
 		}
 	}
--- a/constant/protocol.go
+++ b/constant/protocol.go
@@ -1,21 +1,9 @@
 package constant
 const (
-	ProtocolTLS        = "tls"
+	ProtocolTLS  = "tls"
-	ProtocolHTTP       = "http"
+	ProtocolHTTP = "http"
-	ProtocolQUIC       = "quic"
+	ProtocolQUIC = "quic"
-	ProtocolDNS        = "dns"
+	ProtocolDNS  = "dns"
-	ProtocolSTUN       = "stun"
+	ProtocolSTUN = "stun"
 	ProtocolBitTorrent = "bittorrent"
 	ProtocolDTLS       = "dtls"
 	ProtocolSSH        = "ssh"
 	ProtocolRDP        = "rdp"
 )
 const (
 	ClientChromium = "chromium"
 	ClientSafari   = "safari"
 	ClientFirefox  = "firefox"
 	ClientQUICGo   = "quic-go"
 	ClientUnknown  = "unknown"
 )
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -32,12 +32,6 @@ const (
 func ProxyDisplayName(proxyType string) string {
 	switch proxyType {
 	case TypeTun:
 		return "TUN"
 	case TypeRedirect:
 		return "Redirect"
 	case TypeTProxy:
 		return "TProxy"
 	case TypeDirect:
 		return "Direct"
 	case TypeBlock:
@@ -48,8 +42,6 @@ func ProxyDisplayName(proxyType string) string {
 		return "SOCKS"
 	case TypeHTTP:
 		return "HTTP"
 	case TypeMixed:
 		return "Mixed"
 	case TypeShadowsocks:
 		return "Shadowsocks"
 	case TypeVMess:
--- a/constant/rule.go
+++ b/constant/rule.go
@@ -11,15 +11,9 @@ const (
 )
 const (
 	RuleSetTypeInline   = "inline"
 	RuleSetTypeLocal    = "local"
 	RuleSetTypeRemote   = "remote"
 	RuleSetVersion1     = 1
 	RuleSetFormatSource = "source"
 	RuleSetFormatBinary = "binary"
 )
 const (
 	RuleSetVersion1 = 1 + iota
 	RuleSetVersion2
 	RuleSetVersionCurrent = RuleSetVersion2
 )
--- a/constant/timeout.go
+++ b/constant/timeout.go
@@ -5,8 +5,7 @@ import "time"
 const (
 	TCPKeepAliveInitial        = 10 * time.Minute
 	TCPKeepAliveInterval       = 75 * time.Second
-	TCPConnectTimeout          = 5 * time.Second
+	TCPTimeout                 = 5 * time.Second
 	TCPTimeout                 = 15 * time.Second
 	ReadPayloadTimeout         = 300 * time.Millisecond
 	DNSTimeout                 = 10 * time.Second
 	QUICTimeout                = 30 * time.Second
--- a/debug_go118.go
+++ b/debug_go118.go
@@ -0,0 +1,36 @@
 //go:build !go1.19
 package box
 import (
 	"runtime/debug"
 	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 func applyDebugOptions(options option.DebugOptions) {
 	applyDebugListenOption(options)
 	if options.GCPercent != nil {
 		debug.SetGCPercent(*options.GCPercent)
 	}
 	if options.MaxStack != nil {
 		debug.SetMaxStack(*options.MaxStack)
 	}
 	if options.MaxThreads != nil {
 		debug.SetMaxThreads(*options.MaxThreads)
 	}
 	if options.PanicOnFault != nil {
 		debug.SetPanicOnFault(*options.PanicOnFault)
 	}
 	if options.TraceBack != "" {
 		debug.SetTraceback(options.TraceBack)
 	}
 	if options.MemoryLimit != 0 {
 		// debug.SetMemoryLimit(int64(options.MemoryLimit))
 		conntrack.MemoryLimit = uint64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller
 	}
 }
--- a/debug_go119.go
+++ b/debug_go119.go
@@ -1,3 +1,5 @@
 //go:build go1.19
 package box
 import (
--- a/debug_http.go
+++ b/debug_http.go
@@ -46,7 +46,7 @@ func applyDebugListenOption(options option.DebugOptions) {
 			encoder := json.NewEncoder(writer)
 			encoder.SetIndent("", "  ")
-			encoder.Encode(&memObject)
+			encoder.Encode(memObject)
 		})
 		r.Route("/pprof", func(r chi.Router) {
 			r.HandleFunc("/", func(writer http.ResponseWriter, request *http.Request) {
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,429 +2,14 @@
 icon: material/alert-decagram
 ---
 ### 1.10.4
 * Fixes and improvements
 ### 1.10.2
 * Add deprecated warnings
 * Fix proxying websocket connections in HTTP/mixed inbounds
 * Fixes and improvements
 ### 1.10.1
 * Fixes and improvements
 ### 1.10.0
 Important changes since 1.9:
 * Introducing auto-redirect **1**
 * Add AdGuard DNS Filter support **2**
 * TUN address fields are merged **3**
 * Add custom options for `auto-route` and `auto-redirect` **4**
 * Drop support for go1.18 and go1.19 **5**
 * Add tailing comma support in JSON configuration
 * Improve sniffers **6**
 * Add new `inline` rule-set type **7**
 * Add access control options for Clash API **8**
 * Add `rule_set_ip_cidr_accept_empty` DNS address filter rule item **9**
 * Add auto reload support for local rule-set
 * Update fsnotify usages **10**
 * Add IP address support for `rule-set match` command
 * Add `rule-set decompile` command
 * Add `process_path_regex` rule item
 * Update uTLS to v1.6.7 **11**
 * Optimize memory usages of rule-sets **12**
 **1**:
 The new auto-redirect feature allows TUN to automatically
 configure connection redirection to improve proxy performance.
 When auto-redirect is enabled, new route address set options will allow you to
 automatically configure destination IP CIDR rules from a specified rule set to the firewall.
 Specified or unspecified destinations will bypass the sing-box routes to get better performance
 (for example, keep hardware offloading of direct traffics on the router).
 See [TUN](/configuration/inbound/tun).
 **2**:
 The new feature allows you to use AdGuard DNS Filter lists in a sing-box without AdGuard Home.
 See [AdGuard DNS Filter](/configuration/rule-set/adguard/).
 **3**:
 See [Migration](/migration/#tun-address-fields-are-merged).
 **4**:
 See [iproute2_table_index](/configuration/inbound/tun/#iproute2_table_index),
 [iproute2_rule_index](/configuration/inbound/tun/#iproute2_rule_index),
 [auto_redirect_input_mark](/configuration/inbound/tun/#auto_redirect_input_mark) and
 [auto_redirect_output_mark](/configuration/inbound/tun/#auto_redirect_output_mark).
 **5**:
 Due to maintenance difficulties, sing-box 1.10.0 requires at least Go 1.20 to compile.
 **6**:
 BitTorrent, DTLS, RDP, SSH sniffers are added.
 Now the QUIC sniffer can correctly extract the server name from Chromium requests and
 can identify common QUIC clients, including
 Chromium, Safari, Firefox, quic-go (including uquic disguised as Chrome).
 **7**:
 The new [rule-set](/configuration/rule-set/) type inline (which also becomes the default type)
 allows you to write headless rules directly without creating a rule-set file.
 **8**:
 With the new access control options, not only can you allow Clash dashboards
 to access the Clash API on your local network,
 you can also manually limit the websites that can access the API instead of allowing everyone.
 See [Clash API](/configuration/experimental/clash-api/).
 **9**:
 See [DNS Rule](/configuration/dns/rule/#rule_set_ip_cidr_accept_empty).
 **10**:
 sing-box now uses fsnotify correctly and will not cancel watching
 if the target file is deleted or recreated via rename (e.g. `mv`).
 This affects all path options that support reload, including
 `tls.certificate_path`, `tls.key_path`, `tls.ech.key_path` and `rule_set.path`.
 **11**:
 Some legacy chrome fingerprints have been removed and will fallback to chrome,
 see [utls](/configuration/shared/tls#utls).
 **12**:
 See [Source Format](/configuration/rule-set/source-format/#version).
 ### 1.9.7
 * Fixes and improvements
 #### 1.10.0-beta.11
 * Update uTLS to v1.6.7 **1**
 **1**:
 Some legacy chrome fingerprints have been removed and will fallback to chrome,
 see [utls](/configuration/shared/tls#utls).
 #### 1.10.0-beta.10
 * Add `process_path_regex` rule item
 * Fixes and improvements
 _The macOS standalone versions of sing-box (>=1.9.5/<1.10.0-beta.11) now silently fail and require manual granting of
 the **Full Disk Access** permission to system extension to start, probably due to Apple's changed security policy. We
 will prompt users about this in feature versions._
 ### 1.9.6
 * Fixes and improvements
 ### 1.9.5
 * Update quic-go to v0.47.0
 * Fix direct dialer not resolving domain
 * Fix no error return when empty DNS cache retrieved
 * Fix build with go1.23
 * Fix stream sniffer
 * Fix bad redirect in clash-api
 * Fix wireguard events chan leak
 * Fix cached conn eats up read deadlines
 * Fix disconnected interface selected as default in windows
 * Update Bundle Identifiers for Apple platform clients **1**
 **1**:
 See [Migration](/migration/#bundle-identifier-updates-in-apple-platform-clients).
 We are still working on getting all sing-box apps back on the App Store, which should be completed within a week
 (SFI on the App Store and others on TestFlight are already available).
 #### 1.10.0-beta.8
 * Fixes and improvements
 _With the help of a netizen, we are in the process of getting sing-box apps back on the App Store, which should be
 completed within a month (TestFlight is already available)._
 #### 1.10.0-beta.7
 * Update quic-go to v0.47.0
 * Fixes and improvements
 #### 1.10.0-beta.6
 * Add RDP sniffer
 * Fixes and improvements
 #### 1.10.0-beta.5
 * Add PNA support for [Clash API](/configuration/experimental/clash-api/)
 * Fixes and improvements
 #### 1.10.0-beta.3
 * Add SSH sniffer
 * Fixes and improvements
 #### 1.10.0-beta.2
 * Build with go1.23
 * Fixes and improvements
 ### 1.9.4
 * Update quic-go to v0.46.0
 * Update Hysteria2 BBR congestion control
 * Filter HTTPS ipv4hint/ipv6hint with domain strategy
 * Fix crash on Android when using process rules
 * Fix non-IP queries accepted by address filter rules
 * Fix UDP server for shadowsocks AEAD multi-user inbounds
 * Fix default next protos for v2ray QUIC transport
 * Fix default end value of port range configuration options
 * Fix reset v2ray transports
 * Fix panic caused by rule-set generation of duplicate keys for `domain_suffix`
 * Fix UDP connnection leak when sniffing
 * Fixes and improvements
 _Due to problems with our Apple developer account,
 sing-box apps on Apple platforms are temporarily unavailable for download or update.
 If your company or organization is willing to help us return to the App Store,
 please [contact us](mailto:contact@sagernet.org)._
 #### 1.10.0-alpha.29
 * Update quic-go to v0.46.0
 * Fixes and improvements
 #### 1.10.0-alpha.25
 * Add AdGuard DNS Filter support **1**
 **1**:
 The new feature allows you to use AdGuard DNS Filter lists in a sing-box without AdGuard Home.
 See [AdGuard DNS Filter](/configuration/rule-set/adguard/).
 #### 1.10.0-alpha.23
 * Add Chromium support for QUIC sniffer
 * Add client type detect support for QUIC sniffer **1**
 * Fixes and improvements
 **1**:
 Now the QUIC sniffer can correctly extract the server name from Chromium requests and
 can identify common QUIC clients, including
 Chromium, Safari, Firefox, quic-go (including uquic disguised as Chrome).
 See [Protocol Sniff](/configuration/route/sniff/) and [Route Rule](/configuration/route/rule/#client).
 #### 1.10.0-alpha.22
 * Optimize memory usages of rule-sets **1**
 * Fixes and improvements
 **1**:
 See [Source Format](/configuration/rule-set/source-format/#version).
 #### 1.10.0-alpha.20
 * Add DTLS sniffer
 * Fixes and improvements
 #### 1.10.0-alpha.19
 * Add `rule-set decompile` command
 * Add IP address support for `rule-set match` command
 * Fixes and improvements
 #### 1.10.0-alpha.18
 * Add new `inline` rule-set type **1**
 * Add auto reload support for local rule-set
 * Update fsnotify usages **2**
 * Fixes and improvements
 **1**:
 The new [rule-set](/configuration/rule-set/) type inline (which also becomes the default type)
 allows you to write headless rules directly without creating a rule-set file.
 **2**:
 sing-box now uses fsnotify correctly and will not cancel watching
 if the target file is deleted or recreated via rename (e.g. `mv`).
 This affects all path options that support reload, including
 `tls.certificate_path`, `tls.key_path`, `tls.ech.key_path` and `rule_set.path`.
 #### 1.10.0-alpha.17
 * Some chaotic changes **1**
 * `rule_set_ipcidr_match_source` rule items are renamed **2**
 * Add `rule_set_ip_cidr_accept_empty` DNS address filter rule item **3**
 * Update quic-go to v0.45.1
 * Fixes and improvements
 **1**:
 Something may be broken, please actively report problems with this version.
 **2**:
 `rule_set_ipcidr_match_source` route and DNS rule items are renamed to
 `rule_set_ip_cidr_match_source` and will be remove in sing-box 1.11.0.
 **3**:
 See [DNS Rule](/configuration/dns/rule/#rule_set_ip_cidr_accept_empty).
 #### 1.10.0-alpha.16
 * Add custom options for `auto-route` and `auto-redirect` **1**
 * Fixes and improvements
 **1**:
 See [iproute2_table_index](/configuration/inbound/tun/#iproute2_table_index),
 [iproute2_rule_index](/configuration/inbound/tun/#iproute2_rule_index),
 [auto_redirect_input_mark](/configuration/inbound/tun/#auto_redirect_input_mark) and
 [auto_redirect_output_mark](/configuration/inbound/tun/#auto_redirect_output_mark).
 #### 1.10.0-alpha.13
 * TUN address fields are merged **1**
 * Add route address set support for auto-redirect **2**
 **1**:
 See [Migration](/migration/#tun-address-fields-are-merged).
 **2**:
 The new feature will allow you to configure the destination IP CIDR rules
 in the specified rule-sets to the firewall automatically.
 Specified or unspecified destinations will bypass the sing-box routes to get better performance
 (for example, keep hardware offloading of direct traffics on the router).
 See [route_address_set](/configuration/inbound/tun/#route_address_set)
 and [route_exclude_address_set](/configuration/inbound/tun/#route_exclude_address_set).
 #### 1.10.0-alpha.12
 * Fix auto-redirect not configuring nftables forward chain correctly
 * Fixes and improvements
 ### 1.9.3
 * Fixes and improvements
 #### 1.10.0-alpha.10
 * Fixes and improvements
 ### 1.9.2
 * Fixes and improvements
 #### 1.10.0-alpha.8
 * Drop support for go1.18 and go1.19 **1**
 * Update quic-go to v0.45.0
 * Update Hysteria2 BBR congestion control
 * Fixes and improvements
 **1**:
 Due to maintenance difficulties, sing-box 1.10.0 requires at least Go 1.20 to compile.
 ### 1.9.1
 * Fixes and improvements
 #### 1.10.0-alpha.7
 * Fixes and improvements
 #### 1.10.0-alpha.5
 * Improve auto-redirect **1**
 **1**:
 nftables support and DNS hijacking has been added.
 Tun inbounds with `auto_route` and `auto_redirect` now works as expected on routers **without intervention**.
 #### 1.10.0-alpha.4
 * Fix auto-redirect **1**
 * Improve auto-route on linux **2**
 **1**:
 Tun inbounds with `auto_route` and `auto_redirect` now works as expected on routers.
 **2**:
 Tun inbounds with `auto_route` and `strict_route` now works as expected on routers and servers,
 but the usages of [exclude_interface](/configuration/inbound/tun/#exclude_interface) need to be updated.
 #### 1.10.0-alpha.2
 * Move auto-redirect to Tun **1**
 * Fixes and improvements
 **1**:
 Linux support are added.
 See [Tun](/configuration/inbound/tun/#auto_redirect).
 #### 1.10.0-alpha.1
 * Add tailing comma support in JSON configuration
 * Add simple auto-redirect for Android **1**
 * Add BitTorrent sniffer **2**
 **1**:
 It allows you to use redirect inbound in the sing-box Android client
 and automatically configures IPv4 TCP redirection via su.
 This may alleviate the symptoms of some OCD patients who think that
 redirect can effectively save power compared to the system HTTP Proxy.
 See [Redirect](/configuration/inbound/redirect/).
 **2**:
 See [Protocol Sniff](/configuration/route/sniff/).
 ### 1.9.0
 * Fixes and improvements
@@ -728,7 +313,7 @@ See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
 Important changes since 1.7:
 * Migrate cache file from Clash API to independent options **1**
-* Introducing [rule-set](/configuration/rule-set/) **2**
+* Introducing [Rule Set](/configuration/rule-set/) **2**
 * Add `sing-box geoip`, `sing-box geosite` and `sing-box rule-set` commands **3**
 * Allow nested logical rules **4**
 * Independent `source_ip_is_private` and `ip_is_private` rules **5**
@@ -748,7 +333,7 @@ See [Cache File](/configuration/experimental/cache-file/) and
 **2**:
-rule-set is independent collections of rules that can be compiled into binaries to improve performance.
+Rule set is independent collections of rules that can be compiled into binaries to improve performance.
 Compared to legacy GeoIP and Geosite resources,
 it can include more types of rules, load faster,
 use less memory, and update automatically.
@@ -756,16 +341,16 @@ use less memory, and update automatically.
 See [Route#rule_set](/configuration/route/#rule_set),
 [Route Rule](/configuration/route/rule/),
 [DNS Rule](/configuration/dns/rule/),
-[rule-set](/configuration/rule-set/),
+[Rule Set](/configuration/rule-set/),
 [Source Format](/configuration/rule-set/source-format/) and
 [Headless Rule](/configuration/rule-set/headless-rule/).
-For GEO resources migration, see [Migrate GeoIP to rule-sets](/migration/#migrate-geoip-to-rule-sets) and
+For GEO resources migration, see [Migrate GeoIP to rule sets](/migration/#migrate-geoip-to-rule-sets) and
-[Migrate Geosite to rule-sets](/migration/#migrate-geosite-to-rule-sets).
+[Migrate Geosite to rule sets](/migration/#migrate-geosite-to-rule-sets).
 **3**:
-New commands manage GeoIP, Geosite and rule-set resources, and help you migrate GEO resources to rule-sets.
+New commands manage GeoIP, Geosite and rule set resources, and help you migrate GEO resources to rule sets.
 **4**:
@@ -962,7 +547,7 @@ This change is intended to break incorrect usage and essentially requires no act
 **1**:
-Now the rules in the `rule_set` rule item can be logically considered to be merged into the rule using rule-sets,
+Now the rules in the `rule_set` rule item can be logically considered to be merged into the rule using rule sets,
 rather than completely following the AND logic.
 #### 1.8.0-alpha.5
@@ -978,7 +563,7 @@ Since GeoIP was deprecated, we made this rule independent, see [Migration](/migr
 #### 1.8.0-alpha.1
 * Migrate cache file from Clash API to independent options **1**
-* Introducing [rule-set](/configuration/rule-set/) **2**
+* Introducing [Rule Set](/configuration/rule-set/) **2**
 * Add `sing-box geoip`, `sing-box geosite` and `sing-box rule-set` commands **3**
 * Allow nested logical rules **4**
@@ -989,7 +574,7 @@ See [Cache File](/configuration/experimental/cache-file/) and
 **2**:
-rule-set is independent collections of rules that can be compiled into binaries to improve performance.
+Rule set is independent collections of rules that can be compiled into binaries to improve performance.
 Compared to legacy GeoIP and Geosite resources,
 it can include more types of rules, load faster,
 use less memory, and update automatically.
@@ -997,16 +582,16 @@ use less memory, and update automatically.
 See [Route#rule_set](/configuration/route/#rule_set),
 [Route Rule](/configuration/route/rule/),
 [DNS Rule](/configuration/dns/rule/),
-[rule-set](/configuration/rule-set/),
+[Rule Set](/configuration/rule-set/),
 [Source Format](/configuration/rule-set/source-format/) and
 [Headless Rule](/configuration/rule-set/headless-rule/).
-For GEO resources migration, see [Migrate GeoIP to rule-sets](/migration/#migrate-geoip-to-rule-sets) and
+For GEO resources migration, see [Migrate GeoIP to rule sets](/migration/#migrate-geoip-to-rule-sets) and
-[Migrate Geosite to rule-sets](/migration/#migrate-geosite-to-rule-sets).
+[Migrate Geosite to rule sets](/migration/#migrate-geosite-to-rule-sets).
 **3**:
-New commands manage GeoIP, Geosite and rule-set resources, and help you migrate GEO resources to rule-sets.
+New commands manage GeoIP, Geosite and rule set resources, and help you migrate GEO resources to rule sets.
 **4**:
--- a/docs/clients/android/features.md
+++ b/docs/clients/android/features.md
@@ -40,7 +40,6 @@ SFA provides an unprivileged TUN implementation through Android VpnService.
 |-----------------------|------------------|-----------------------------------|
 | `process_name`        | :material-close: | No permission                     |
 | `process_path`        | :material-close: | No permission                     |
 | `process_path_regex`  | :material-close: | No permission                     |
 | `package_name`        | :material-check: | /                                 |
 | `user`                | :material-close: | Use `package_name` instead        |
 | `user_id`             | :material-close: | Use `package_name` instead        |
--- a/docs/clients/apple/features.md
+++ b/docs/clients/apple/features.md
@@ -42,7 +42,6 @@ SFI/SFM/SFT provides an unprivileged TUN implementation through NetworkExtension
 |-----------------------|------------------|-----------------------|
 | `process_name`        | :material-close: | No permission         |
 | `process_path`        | :material-close: | No permission         |
 | `process_path_regex`  | :material-close: | No permission         |
 | `package_name`        | :material-close: | /                     |
 | `user`                | :material-close: | No permission         |
 | `user_id`             | :material-close: | No permission         |
--- a/docs/clients/apple/index.md
+++ b/docs/clients/apple/index.md
@@ -14,13 +14,13 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 ## :material-download: Download
-* [App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)
+* [App Store](https://apps.apple.com/us/app/sing-box/id6451272673)
-* TestFlight (Beta)
+* ~~TestFlight (Beta)~~
 TestFlight quota is only available to [sponsors](https://github.com/sponsors/nekohasekai)
 (one-time sponsorships are accepted).
-Once you donate, you can get an invitation by join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot)
+Once you donate, you can get an invitation by sending us your Apple ID [via email](mailto:contact@sagernet.org),
-or sending us your Apple ID [via email](mailto:contact@sagernet.org).
+or join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot).
 ## :material-file-download: Download (macOS standalone version)
--- a/docs/clients/index.zh.md
+++ b/docs/clients/index.zh.md
@@ -2,11 +2,11 @@
 由 Project S 维护，提供统一的体验与平台特定的功能。
-| 平台                                    | 客户端                                      |
+| 平台                                    | 客户端                                     |
-|---------------------------------------|------------------------------------------|
+|---------------------------------------|-----------------------------------------|
 | :material-android: Android            | [sing-box for Android](./android/)       |
 | :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
-| :material-laptop: Desktop             | 施工中                                      |
+| :material-laptop: Desktop             | 施工中                                     |
 此处没有列出一些声称使用或以 sing-box 为卖点的第三方项目。此类项目维护者的动机是获得更多用户，即使它们提供友好的商业
 VPN 客户端功能， 但代码质量很差且包含广告。
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -2,13 +2,6 @@
 icon: material/new-box
 ---
 !!! quote "Changes in sing-box 1.10.0"
    :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
    :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)  
    :material-plus: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)  
    :material-plus: [process_path_regex](#process_path_regex)
 !!! quote "Changes in sing-box 1.9.0"
    :material-plus: [geoip](#geoip)  
@@ -104,9 +97,6 @@ icon: material/new-box
        "process_path": [
          "/usr/bin/curl"
        ],
        "process_path_regex": [
          "^/usr/bin/.+"
        ],
        "package_name": [
          "com.termux"
        ],
@@ -127,10 +117,7 @@ icon: material/new-box
          "geoip-cn",
          "geosite-cn"
        ],
        // deprecated
        "rule_set_ipcidr_match_source": false,
        "rule_set_ip_cidr_match_source": false,
        "rule_set_ip_cidr_accept_empty": false,
        "invert": false,
        "outbound": [
          "direct"
@@ -170,7 +157,7 @@ icon: material/new-box
    (`source_port` || `source_port_range`) &&  
    `other fields`
-    Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.
+    Additionally, included rule sets can be considered merged rather than as a single rule sub-item.
 #### inbound
@@ -272,16 +259,6 @@ Match process name.
 Match process path.
 #### process_path_regex
 !!! question "Since sing-box 1.10.0"
 !!! quote ""
    Only supported on Linux, Windows, and macOS.
 Match process path using regular expression.
 #### package_name
 Match android package name.
@@ -326,23 +303,13 @@ Match WiFi BSSID.
 !!! question "Since sing-box 1.8.0"
-Match [rule-set](/configuration/route/#rule_set).
+Match [Rule Set](/configuration/route/#rule_set).
 #### rule_set_ipcidr_match_source
 !!! question "Since sing-box 1.9.0"
-!!! failure "Deprecated in sing-box 1.10.0"
+Make `ipcidr` in rule sets match the source IP.
    `rule_set_ipcidr_match_source` is renamed to `rule_set_ip_cidr_match_source` and will be remove in sing-box 1.11.0.
 Make `ip_cidr` rule items in rule-sets match the source IP.
 #### rule_set_ip_cidr_match_source
 !!! question "Since sing-box 1.10.0"
 Make `ip_cidr` rule items in rule-sets match the source IP.
 #### invert
@@ -380,11 +347,11 @@ Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
 ### Address Filter Fields
-Only takes effect for address requests (A/AAAA/HTTPS). When the query results do not match the address filtering rule items, the current rule will be skipped.
+Only takes effect for IP address requests. When the query results do not match the address filtering rule items, the current rule will be skipped.
 !!! info ""
-    `ip_cidr` items in included rule-sets also takes effect as an address filtering field.
+    `ip_cidr` items in included rule sets also takes effect as an address filtering field.
 !!! note ""
@@ -408,12 +375,6 @@ Match IP CIDR with query response.
 Match private IP with query response.
 #### rule_set_ip_cidr_accept_empty
 !!! question "Since sing-box 1.10.0"
 Make `ip_cidr` rules in rule-sets accept empty query response.
 ### Logical Fields
 #### type
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	0bccaedc3c	Bump version	2024-06-08 21:43:04 +08:00
世界	be15ce5054	Fix parse UDP DNS server with addr:port address	2024-06-08 21:39:47 +08:00
世界	2d0326982b	Stop passing device sleep events on Android and Apple platforms	2024-06-08 21:39:47 +08:00
世界	98c1dd17a0	Fix rule-set start order	2024-06-08 21:39:47 +08:00
		`@@ -1,3 +0,0 @@`
			`# JA3`

			`mod from: https://github.com/open-ch/ja3`