Use stdlib ech

documentation: Bump version
Fix socks5 UDP implementation
2026-04-12 01:57:18 +10:00 · 2024-12-11 19:33:53 +08:00 · 2024-12-10 21:38:13 +08:00 · 2024-12-10 21:38:04 +08:00 · 2024-12-10 21:37:36 +08:00 · 2024-12-10 21:37:36 +08:00
68 changed files with 685 additions and 1533 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,6 +7,11 @@ on:
        description: "Version name"
        required: true
        type: string
+      prerelease:
+        description: "Is prerelease"
+        required: true
+        type: boolean
+        default: true
      build:
        description: "Build type"
        required: true
@@ -23,6 +28,10 @@ on:
          - tvOS
          - macOS-standalone
          - publish-android
+      macos_project_version:
+        description: "macOS project version"
+        required: false
+        type: string
  push:
    branches:
      - main-next
@@ -38,6 +47,7 @@ jobs:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.outputs.outputs.version }}
+      prerelease: ${{ steps.outputs.outputs.prerelease }}
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
@@ -51,7 +61,9 @@ jobs:
        if: github.event_name == 'workflow_dispatch'
        run: |-
          echo "version=${{ inputs.version }}" 
+          echo "prerelease=${{ inputs.prerelease }}"
          echo "version=${{ inputs.version }}" >> "$GITHUB_ENV"
+          echo "prerelease=${{ inputs.prerelease }}" >> "$GITHUB_ENV"
      - name: Calculate version
        if: github.event_name != 'workflow_dispatch'
        run: |-
@@ -60,6 +72,7 @@ jobs:
        id: outputs
        run: |-
          echo "version=$version" >> "$GITHUB_OUTPUT"
+          echo "prerelease=$prerelease" >> "$GITHUB_OUTPUT"
  build:
    name: Build binary
    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
@@ -170,8 +183,7 @@ jobs:
          echo "HOME=$HOME" >> "$GITHUB_ENV"
      - name: Set tag
        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
+          git tag v${{ needs.calculate_version.outputs.version }}
      - name: Build
        if: matrix.goos != 'android'
        run: |-
@@ -231,8 +243,7 @@ jobs:
          /usr/lib/jvm/java-17-openjdk-amd64/bin/java --version
      - name: Set tag
        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
+          git tag v${{ needs.calculate_version.outputs.version }}
      - name: Build library
        run: |-
          make lib_install
@@ -242,12 +253,12 @@ jobs:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
      - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: needs.calculate_version.outputs.prerelease == 'false'
        run: |-
          cd clients/android
          git checkout main
      - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
+        if: needs.calculate_version.outputs.prerelease == 'true'
        run: |-
          cd clients/android
          git checkout dev
@@ -256,8 +267,7 @@ jobs:
        with:
          path: ~/.gradle
          key: gradle-${{ hashFiles('**/*.gradle') }}
-      - name: Build release
-        if: github.event_name == 'workflow_dispatch'
+      - name: Build
        run: |-
          go run -v ./cmd/internal/update_android_version --ci
          mkdir clients/android/app/libs
@@ -268,47 +278,18 @@ jobs:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
-      - name: Build debug
-        if: github.event_name != 'workflow_dispatch'
-        run: |-
-          go run -v ./cmd/internal/update_android_version --ci
-          mkdir clients/android/app/libs
-          cp libbox.aar clients/android/app/libs
-          cd clients/android
-          ./gradlew :app:assemblePlayRelease
-        env:
-          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
-          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
-          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
-      - name: Prepare release upload
+      - name: Prepare upload
        if: github.event_name == 'workflow_dispatch'
        run: |-
          mkdir -p dist/release
          cp clients/android/app/build/outputs/apk/play/release/*.apk dist/release
          cp clients/android/app/build/outputs/apk/other/release/*-universal.apk dist/release
-      - name: Prepare debug upload
-        if: github.event_name != 'workflow_dispatch'
-        run: |-
-          mkdir -p dist/release
-          cp clients/android/app/build/outputs/apk/play/release/*.apk dist/release
      - name: Upload artifact
        if: github.event_name == 'workflow_dispatch'
        uses: actions/upload-artifact@v4
        with:
          name: binary-android-apks
          path: 'dist'
-      - name: Upload debug apk (arm64-v8a)
-        if: github.event_name != 'workflow_dispatch'
-        uses: actions/upload-artifact@v4
-        with:
-          name: "SFA-${{ needs.calculate_version.outputs.version }}-arm64-v8a.apk"
-          path: 'dist/release/*-arm64-v8a.apk'
-      - name: Upload debug apk (universal)
-        if: github.event_name != 'workflow_dispatch'
-        uses: actions/upload-artifact@v4
-        with:
-          name: "SFA-${{ needs.calculate_version.outputs.version }}-universal.apk"
-          path: 'dist/release/*-universal.apk'
  publish_android:
    name: Publish Android
    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
@@ -336,8 +317,7 @@ jobs:
          /usr/lib/jvm/java-17-openjdk-amd64/bin/java --version
      - name: Set tag
        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
+          git tag v${{ needs.calculate_version.outputs.version }}
      - name: Build library
        run: |-
          make lib_install
@@ -347,12 +327,12 @@ jobs:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
      - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: needs.calculate_version.outputs.prerelease == 'false'
        run: |-
          cd clients/android
          git checkout main
      - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
+        if: needs.calculate_version.outputs.prerelease == 'true'
        run: |-
          cd clients/android
          git checkout dev
@@ -374,38 +354,67 @@ jobs:
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
          SERVICE_ACCOUNT_CREDENTIALS: ${{ secrets.SERVICE_ACCOUNT_CREDENTIALS }}
+  build_apple_library:
+    name: Build Apple library
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store' || inputs.build == 'iOS' || inputs.build == 'macOS' || inputs.build == 'tvOS' || inputs.build == 'macOS-standalone'
+    runs-on: macos-15
+    needs:
+      - calculate_version
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+          submodules: 'recursive'
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.23
+      - name: Setup Xcode
+        run: |-
+          sudo xcode-select -s /Applications/Xcode_16.2_beta_3.app
+      - name: Set tag
+        run: |-
+          git tag v${{ needs.calculate_version.outputs.version }}
+      - name: Build library
+        run: |-
+          make lib_install
+          export PATH="$PATH:$(go env GOPATH)/bin"
+          make lib_ios
+      - name: Upload library
+        uses: actions/upload-artifact@v4
+        with:
+          name: library-apple
+          path: 'Libbox.xcframework'
  build_apple:
    name: Build Apple clients
    runs-on: macos-15
    needs:
      - calculate_version
+      - build_apple_library
    strategy:
      matrix:
        include:
          - name: iOS
            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'iOS' }}
-            platform: ios
            scheme: SFI
            destination: 'generic/platform=iOS'
            archive: build/SFI.xcarchive
            upload: SFI/Upload.plist
          - name: macOS
            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'macOS' }}
-            platform: macos
            scheme: SFM
            destination: 'generic/platform=macOS'
            archive: build/SFM.xcarchive
            upload: SFI/Upload.plist
          - name: tvOS
            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'tvOS' }}
-            platform: tvos
            scheme: SFT
            destination: 'generic/platform=tvOS'
            archive: build/SFT.xcarchive
            upload: SFI/Upload.plist
          - name: macOS-standalone
            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone' }}
-            platform: macos
            scheme: SFM.System
            destination: 'generic/platform=macOS'
            archive: build/SFM.System.xcarchive
@@ -423,27 +432,22 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ^1.23
-      - name: Setup Xcode stable
-        if: matrix.if && github.ref == 'refs/heads/main-next'
+      - name: Setup Xcode
+        if: matrix.if
        run: |-
-          sudo xcode-select -s /Applications/Xcode_16.2.app
-      - name: Setup Xcode beta
-        if: matrix.if && github.ref == 'refs/heads/dev-next'
-        run: |-
-          sudo xcode-select -s /Applications/Xcode_16.2.app
+          sudo xcode-select -s /Applications/Xcode_16.2_beta_3.app
      - name: Set tag
        if: matrix.if
        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
+          git tag v${{ needs.calculate_version.outputs.version }}
          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
      - name: Checkout main branch
-        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: matrix.if && needs.calculate_version.outputs.prerelease == 'false'
        run: |-
          cd clients/apple
          git checkout main
      - name: Checkout dev branch
-        if: matrix.if && github.ref == 'refs/heads/dev-next'
+        if: matrix.if && needs.calculate_version.outputs.prerelease == 'true'
        run: |-
          cd clients/apple
          git checkout dev
@@ -474,10 +478,6 @@ jobs:
            --key $ASC_KEY_PATH \
            --key-id $ASC_KEY_ID \
            --issuer $ASC_KEY_ISSUER_ID
-          
-          echo "ASC_KEY_PATH=$ASC_KEY_PATH" >> "$GITHUB_ENV"
-          echo "ASC_KEY_ID=$ASC_KEY_ID" >> "$GITHUB_ENV"
-          echo "ASC_KEY_ISSUER_ID=$ASC_KEY_ISSUER_ID" >> "$GITHUB_ENV"
        env:
          CERTIFICATES_P12: ${{ secrets.CERTIFICATES_P12 }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
@@ -486,19 +486,12 @@ jobs:
          ASC_KEY: ${{ secrets.ASC_KEY }}
          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
          ASC_KEY_ISSUER_ID: ${{ secrets.ASC_KEY_ISSUER_ID }}
-      - name: Build library
+      - name: Download library
        if: matrix.if
-        run: |-
-          make lib_install
-          export PATH="$PATH:$(go env GOPATH)/bin"
-          go run ./cmd/internal/build_libbox -target apple -platform ${{ matrix.platform }}
-          mv Libbox.xcframework clients/apple
-      - name: Update macOS version
-        if: matrix.if && matrix.name == 'macOS' && github.event_name == 'workflow_dispatch'
-        run: |-
-          MACOS_PROJECT_VERSION=$(go run -v ./cmd/internal/app_store_connect next_macos_project_version)
-          echo "MACOS_PROJECT_VERSION=$MACOS_PROJECT_VERSION"
-          echo "MACOS_PROJECT_VERSION=$MACOS_PROJECT_VERSION" >> "$GITHUB_ENV"
+        uses: actions/download-artifact@v4
+        with:
+          name: library-apple
+          path: clients/apple/Libbox.xcframework
      - name: Build
        if: matrix.if
        run: |-
@@ -510,25 +503,27 @@ jobs:
            -destination "${{ matrix.destination }}" \
            -archivePath "${{ matrix.archive }}" \
            -allowProvisioningUpdates \
-            -authenticationKeyPath $ASC_KEY_PATH \
+            -authenticationKeyPath $RUNNER_TEMP/Key.p12 \
            -authenticationKeyID $ASC_KEY_ID \
            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
+        env:
+          MACOS_PROJECT_VERSION: ${{ inputs.macos_project_version }}
+          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
+          ASC_KEY_ISSUER_ID: ${{ secrets.ASC_KEY_ISSUER_ID }}
      - name: Upload to App Store Connect
        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch'
        run: |-
-          go run -v ./cmd/internal/app_store_connect cancel_app_store ${{ matrix.platform }}
          cd clients/apple
          xcodebuild -exportArchive \
            -archivePath "${{ matrix.archive }}" \
            -exportOptionsPlist ${{ matrix.upload }} \
            -allowProvisioningUpdates \
-            -authenticationKeyPath $ASC_KEY_PATH \
+            -authenticationKeyPath $RUNNER_TEMP/Key.p12 \
            -authenticationKeyID $ASC_KEY_ID \
            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
-      - name: Publish to TestFlight
-        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
-        run: |-
-          go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
+        env:
+          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
+          ASC_KEY_ISSUER_ID: ${{ secrets.ASC_KEY_ISSUER_ID }}
      - name: Build image
        if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
        run: |-
@@ -562,7 +557,7 @@ jobs:
          path: 'dist'
  upload:
    name: Upload builds
-    if: always() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')
+    if: always() && github.event_name == 'workflow_dispatch' && inputs.build != 'publish-android'
    runs-on: ubuntu-latest
    needs:
      - calculate_version
@@ -596,8 +591,7 @@ jobs:
          go install -v .
      - name: Set tag
        run: |-
-          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
-          git tag v${{ needs.calculate_version.outputs.version }} -f
+          git tag v${{ needs.calculate_version.outputs.version }}
          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
      - name: Download builds
        uses: actions/download-artifact@v4
@@ -614,16 +608,8 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
      - name: Upload builds
-        if: ${{ env.PUBLISHED == 'false' }}
        run: |-
          export PATH="$PATH:$HOME/go/bin"
          ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Replace builds
-        if: ${{ env.PUBLISHED != 'false' }}
-        run: |-
-          export PATH="$PATH:$HOME/go/bin"
-          ghr --replace -p 5 "v${VERSION}" dist/release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/22
+++ b/22
@@ -28,7 +28,7 @@ ci_build:
 	go build $(MAIN_PARAMS) $(MAIN)

 generate_completions:
-	go run -v --tags $(TAGS),generate,generate_completions $(MAIN)
+	go run -v --tags generate,generate_completions $(MAIN)

 install:
 	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
@@ -182,22 +182,10 @@ release_tvos: build_tvos upload_tvos_app_store
 update_apple_version:
 	go run ./cmd/internal/update_apple_version

-update_macos_version:
-	MACOS_PROJECT_VERSION=$(shell go run -v ./cmd/internal/app_store_connect next_macos_project_version) go run ./cmd/internal/update_apple_version
-
 release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_standalone

 release_apple_beta: update_apple_version release_ios release_macos release_tvos

-publish_testflight:
-	go run -v ./cmd/internal/app_store_connect publish_testflight
-
-prepare_app_store:
-	go run -v ./cmd/internal/app_store_connect prepare_app_store
-
-publish_app_store:
-	go run -v ./cmd/internal/app_store_connect publish_app_store
-
 test:
 	@go test -v ./... && \
 	cd test && \
@@ -216,11 +204,11 @@ lib_android:
 lib_android_debug:
 	go run ./cmd/internal/build_libbox -target android -debug

-lib_apple:
-	go run ./cmd/internal/build_libbox -target apple
-
 lib_ios:
-	go run ./cmd/internal/build_libbox -target apple -platform ios -debug
+	go run ./cmd/internal/build_libbox -target ios
+
+lib_ios_debug:
+	go run ./cmd/internal/build_libbox -target ios -debug

 lib:
 	go run ./cmd/internal/build_libbox -target android
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -72,7 +72,7 @@ type InboundContext struct {
 	UDPConnect                bool
 	UDPTimeout                time.Duration

-	NetworkStrategy     *C.NetworkStrategy
+	NetworkStrategy     C.NetworkStrategy
 	NetworkType         []C.InterfaceType
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration
--- a/adapter/network.go
+++ b/adapter/network.go
@@ -28,7 +28,7 @@ type NetworkManager interface {
 }

 type NetworkOptions struct {
-	NetworkStrategy     *C.NetworkStrategy
+	NetworkStrategy     C.NetworkStrategy
 	NetworkType         []C.InterfaceType
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration
--- a/box.go
+++ b/box.go
@@ -14,7 +14,6 @@ import (
 	"github.com/sagernet/sing-box/adapter/outbound"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/taskmonitor"
-	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/cachefile"
@@ -150,14 +149,6 @@ func New(options Options) (*Box, error) {
 	if err != nil {
 		return nil, E.Cause(err, "initialize router")
 	}
-
-	ntpOptions := common.PtrValueOrDefault(options.NTP)
-	var timeService *tls.TimeServiceWrapper
-	if ntpOptions.Enabled {
-		timeService = new(tls.TimeServiceWrapper)
-		service.MustRegister[ntp.TimeService](ctx, timeService)
-	}
-
 	for i, endpointOptions := range options.Endpoints {
 		var tag string
 		if endpointOptions.Tag != "" {
@@ -263,12 +254,13 @@ func New(options Options) (*Box, error) {
 			service.MustRegister[adapter.V2RayServer](ctx, v2rayServer)
 		}
 	}
+	ntpOptions := common.PtrValueOrDefault(options.NTP)
 	if ntpOptions.Enabled {
 		ntpDialer, err := dialer.New(ctx, ntpOptions.DialerOptions)
 		if err != nil {
 			return nil, E.Cause(err, "create NTP service")
 		}
-		ntpService := ntp.NewService(ntp.Options{
+		timeService := ntp.NewService(ntp.Options{
 			Context:       ctx,
 			Dialer:        ntpDialer,
 			Logger:        logFactory.NewLogger("ntp"),
@@ -276,8 +268,8 @@ func New(options Options) (*Box, error) {
 			Interval:      time.Duration(ntpOptions.Interval),
 			WriteToSystem: ntpOptions.WriteToSystem,
 		})
-		timeService.TimeService = ntpService
-		services = append(services, adapter.NewLifecycleService(ntpService, "ntp service"))
+		service.MustRegister[ntp.TimeService](ctx, timeService)
+		services = append(services, adapter.NewLifecycleService(timeService, "ntp service"))
 	}
 	return &Box{
 		network:    networkManager,
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/internal/app_store_connect/main.go
+++ b/cmd/internal/app_store_connect/main.go
@@ -1,445 +0,0 @@
-package main
-
-import (
-	"context"
-	"net/http"
-	"os"
-	"strconv"
-	"time"
-
-	"github.com/sagernet/asc-go/asc"
-	"github.com/sagernet/sing-box/cmd/internal/build_shared"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
-)
-
-func main() {
-	ctx := context.Background()
-	switch os.Args[1] {
-	case "next_macos_project_version":
-		err := fetchMacOSVersion(ctx)
-		if err != nil {
-			log.Fatal(err)
-		}
-	case "publish_testflight":
-		err := publishTestflight(ctx)
-		if err != nil {
-			log.Fatal(err)
-		}
-	case "cancel_app_store":
-		err := cancelAppStore(ctx, os.Args[2])
-		if err != nil {
-			log.Fatal(err)
-		}
-	case "prepare_app_store":
-		err := prepareAppStore(ctx)
-		if err != nil {
-			log.Fatal(err)
-		}
-	case "publish_app_store":
-		err := publishAppStore(ctx)
-		if err != nil {
-			log.Fatal(err)
-		}
-	default:
-		log.Fatal("unknown action: ", os.Args[1])
-	}
-}
-
-const (
-	appID   = "6673731168"
-	groupID = "5c5f3b78-b7a0-40c0-bcad-e6ef87bbefda"
-)
-
-func createClient(expireDuration time.Duration) *asc.Client {
-	privateKey, err := os.ReadFile(os.Getenv("ASC_KEY_PATH"))
-	if err != nil {
-		log.Fatal(err)
-	}
-	tokenConfig, err := asc.NewTokenConfig(os.Getenv("ASC_KEY_ID"), os.Getenv("ASC_KEY_ISSUER_ID"), expireDuration, privateKey)
-	if err != nil {
-		log.Fatal(err)
-	}
-	return asc.NewClient(tokenConfig.Client())
-}
-
-func fetchMacOSVersion(ctx context.Context) error {
-	client := createClient(time.Minute)
-	versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
-		FilterPlatform: []string{"MAC_OS"},
-	})
-	if err != nil {
-		return err
-	}
-	var versionID string
-findVersion:
-	for _, version := range versions.Data {
-		switch *version.Attributes.AppStoreState {
-		case asc.AppStoreVersionStateReadyForSale,
-			asc.AppStoreVersionStatePendingDeveloperRelease:
-			versionID = version.ID
-			break findVersion
-		}
-	}
-	if versionID == "" {
-		return E.New("no version found")
-	}
-	latestBuild, _, err := client.Builds.GetBuildForAppStoreVersion(ctx, versionID, &asc.GetBuildForAppStoreVersionQuery{})
-	if err != nil {
-		return err
-	}
-	versionInt, err := strconv.Atoi(*latestBuild.Data.Attributes.Version)
-	if err != nil {
-		return E.Cause(err, "parse version code")
-	}
-	os.Stdout.WriteString(F.ToString(versionInt+1, "\n"))
-	return nil
-}
-
-func publishTestflight(ctx context.Context) error {
-	tagVersion, err := build_shared.ReadTagVersion()
-	if err != nil {
-		return err
-	}
-	tag := tagVersion.VersionString()
-	client := createClient(10 * time.Minute)
-
-	log.Info(tag, " list build IDs")
-	buildIDsResponse, _, err := client.TestFlight.ListBuildIDsForBetaGroup(ctx, groupID, nil)
-	if err != nil {
-		return err
-	}
-	buildIDs := common.Map(buildIDsResponse.Data, func(it asc.RelationshipData) string {
-		return it.ID
-	})
-	var platforms []asc.Platform
-	if len(os.Args) == 3 {
-		switch os.Args[2] {
-		case "ios":
-			platforms = []asc.Platform{asc.PlatformIOS}
-		case "macos":
-			platforms = []asc.Platform{asc.PlatformMACOS}
-		case "tvos":
-			platforms = []asc.Platform{asc.PlatformTVOS}
-		default:
-			return E.New("unknown platform: ", os.Args[2])
-		}
-	} else {
-		platforms = []asc.Platform{
-			asc.PlatformIOS,
-			asc.PlatformMACOS,
-			asc.PlatformTVOS,
-		}
-	}
-	for _, platform := range platforms {
-		log.Info(string(platform), " list builds")
-		for {
-			builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
-				FilterApp:                       []string{appID},
-				FilterPreReleaseVersionPlatform: []string{string(platform)},
-			})
-			if err != nil {
-				return err
-			}
-			build := builds.Data[0]
-			if common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 5*time.Minute {
-				log.Info(string(platform), " ", tag, " waiting for process")
-				time.Sleep(15 * time.Second)
-				continue
-			}
-			if *build.Attributes.ProcessingState != "VALID" {
-				log.Info(string(platform), " ", tag, " waiting for process: ", *build.Attributes.ProcessingState)
-				time.Sleep(15 * time.Second)
-				continue
-			}
-			log.Info(string(platform), " ", tag, " list localizations")
-			localizations, _, err := client.TestFlight.ListBetaBuildLocalizationsForBuild(ctx, build.ID, nil)
-			if err != nil {
-				return err
-			}
-			localization := common.Find(localizations.Data, func(it asc.BetaBuildLocalization) bool {
-				return *it.Attributes.Locale == "en-US"
-			})
-			if localization.ID == "" {
-				log.Fatal(string(platform), " ", tag, " no en-US localization found")
-			}
-			if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
-				log.Info(string(platform), " ", tag, " update localization")
-				_, _, err = client.TestFlight.UpdateBetaBuildLocalization(ctx, localization.ID, common.Ptr(
-					F.ToString("sing-box ", tagVersion.String()),
-				))
-				if err != nil {
-					return err
-				}
-			}
-			log.Info(string(platform), " ", tag, " publish")
-			response, err := client.TestFlight.AddBuildsToBetaGroup(ctx, groupID, []string{build.ID})
-			if response != nil && response.StatusCode == http.StatusUnprocessableEntity {
-				log.Info("waiting for process")
-				time.Sleep(15 * time.Second)
-				continue
-			} else if err != nil {
-				return err
-			}
-			log.Info(string(platform), " ", tag, " list submissions")
-			betaSubmissions, _, err := client.TestFlight.ListBetaAppReviewSubmissions(ctx, &asc.ListBetaAppReviewSubmissionsQuery{
-				FilterBuild: []string{build.ID},
-			})
-			if err != nil {
-				return err
-			}
-			if len(betaSubmissions.Data) == 0 {
-				log.Info(string(platform), " ", tag, " create submission")
-				_, _, err = client.TestFlight.CreateBetaAppReviewSubmission(ctx, build.ID)
-				if err != nil {
-					return err
-				}
-			}
-			break
-		}
-	}
-	return nil
-}
-
-func cancelAppStore(ctx context.Context, platform string) error {
-	switch platform {
-	case "ios":
-		platform = string(asc.PlatformIOS)
-	case "macos":
-		platform = string(asc.PlatformMACOS)
-	case "tvos":
-		platform = string(asc.PlatformTVOS)
-	}
-	tag, err := build_shared.ReadTag()
-	if err != nil {
-		return err
-	}
-	client := createClient(time.Minute)
-	for {
-		log.Info(platform, " list versions")
-		versions, response, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
-			FilterPlatform: []string{string(platform)},
-		})
-		if isRetryable(response) {
-			continue
-		} else if err != nil {
-			return err
-		}
-		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
-			return *it.Attributes.VersionString == tag
-		})
-		if version.ID == "" {
-			return nil
-		}
-		log.Info(platform, " ", tag, " get submission")
-		submission, response, err := client.Submission.GetAppStoreVersionSubmissionForAppStoreVersion(ctx, version.ID, nil)
-		if response != nil && response.StatusCode == http.StatusNotFound {
-			return nil
-		}
-		if isRetryable(response) {
-			continue
-		} else if err != nil {
-			return err
-		}
-		log.Info(platform, " ", tag, " delete submission")
-		_, err = client.Submission.DeleteSubmission(ctx, submission.Data.ID)
-		if err != nil {
-			return err
-		}
-		return nil
-	}
-}
-
-func prepareAppStore(ctx context.Context) error {
-	tag, err := build_shared.ReadTag()
-	if err != nil {
-		return err
-	}
-	client := createClient(time.Minute)
-	for _, platform := range []asc.Platform{
-		asc.PlatformIOS,
-		asc.PlatformMACOS,
-		asc.PlatformTVOS,
-	} {
-		log.Info(string(platform), " list versions")
-		versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
-			FilterPlatform: []string{string(platform)},
-		})
-		if err != nil {
-			return err
-		}
-		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
-			return *it.Attributes.VersionString == tag
-		})
-		log.Info(string(platform), " ", tag, " list builds")
-		builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
-			FilterApp:                       []string{appID},
-			FilterPreReleaseVersionPlatform: []string{string(platform)},
-		})
-		if err != nil {
-			return err
-		}
-		if len(builds.Data) == 0 {
-			log.Fatal(platform, " ", tag, " no build found")
-		}
-		buildID := common.Ptr(builds.Data[0].ID)
-		if version.ID == "" {
-			log.Info(string(platform), " ", tag, " create version")
-			newVersion, _, err := client.Apps.CreateAppStoreVersion(ctx, asc.AppStoreVersionCreateRequestAttributes{
-				Platform:      platform,
-				VersionString: tag,
-			}, appID, buildID)
-			if err != nil {
-				return err
-			}
-			version = newVersion.Data
-
-		} else {
-			log.Info(string(platform), " ", tag, " check build")
-			currentBuild, response, err := client.Apps.GetBuildIDForAppStoreVersion(ctx, version.ID)
-			if err != nil {
-				return err
-			}
-			if response.StatusCode != http.StatusOK || currentBuild.Data.ID != *buildID {
-				switch *version.Attributes.AppStoreState {
-				case asc.AppStoreVersionStatePrepareForSubmission,
-					asc.AppStoreVersionStateRejected,
-					asc.AppStoreVersionStateDeveloperRejected:
-				case asc.AppStoreVersionStateWaitingForReview,
-					asc.AppStoreVersionStateInReview,
-					asc.AppStoreVersionStatePendingDeveloperRelease:
-					submission, _, err := client.Submission.GetAppStoreVersionSubmissionForAppStoreVersion(ctx, version.ID, nil)
-					if err != nil {
-						return err
-					}
-					if submission != nil {
-						log.Info(string(platform), " ", tag, " delete submission")
-						_, err = client.Submission.DeleteSubmission(ctx, submission.Data.ID)
-						if err != nil {
-							return err
-						}
-						time.Sleep(5 * time.Second)
-					}
-				default:
-					log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
-				}
-				log.Info(string(platform), " ", tag, " update build")
-				response, err = client.Apps.UpdateBuildForAppStoreVersion(ctx, version.ID, buildID)
-				if err != nil {
-					return err
-				}
-				if response.StatusCode != http.StatusNoContent {
-					response.Write(os.Stderr)
-					log.Fatal(string(platform), " ", tag, " unexpected response: ", response.Status)
-				}
-			} else {
-				switch *version.Attributes.AppStoreState {
-				case asc.AppStoreVersionStatePrepareForSubmission,
-					asc.AppStoreVersionStateRejected,
-					asc.AppStoreVersionStateDeveloperRejected:
-				case asc.AppStoreVersionStateWaitingForReview,
-					asc.AppStoreVersionStateInReview,
-					asc.AppStoreVersionStatePendingDeveloperRelease:
-					continue
-				default:
-					log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
-				}
-			}
-		}
-		log.Info(string(platform), " ", tag, " list localization")
-		localizations, _, err := client.Apps.ListLocalizationsForAppStoreVersion(ctx, version.ID, nil)
-		if err != nil {
-			return err
-		}
-		localization := common.Find(localizations.Data, func(it asc.AppStoreVersionLocalization) bool {
-			return *it.Attributes.Locale == "en-US"
-		})
-		if localization.ID == "" {
-			log.Info(string(platform), " ", tag, " no en-US localization found")
-		}
-		if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
-			log.Info(string(platform), " ", tag, " update localization")
-			_, _, err = client.Apps.UpdateAppStoreVersionLocalization(ctx, localization.ID, &asc.AppStoreVersionLocalizationUpdateRequestAttributes{
-				PromotionalText: common.Ptr("Yet another distribution for sing-box, the universal proxy platform."),
-				WhatsNew:        common.Ptr(F.ToString("sing-box ", tag, ": Fixes and improvements.")),
-			})
-			if err != nil {
-				return err
-			}
-		}
-		log.Info(string(platform), " ", tag, " create submission")
-	fixSubmit:
-		for {
-			_, response, err := client.Submission.CreateSubmission(ctx, version.ID)
-			if err != nil {
-				switch response.StatusCode {
-				case http.StatusInternalServerError:
-					continue
-				default:
-					return err
-				}
-			}
-			switch response.StatusCode {
-			case http.StatusCreated:
-				break fixSubmit
-			default:
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func publishAppStore(ctx context.Context) error {
-	tag, err := build_shared.ReadTag()
-	if err != nil {
-		return err
-	}
-	client := createClient(time.Minute)
-	for _, platform := range []asc.Platform{
-		asc.PlatformIOS,
-		asc.PlatformMACOS,
-		asc.PlatformTVOS,
-	} {
-		log.Info(string(platform), " list versions")
-		versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
-			FilterPlatform: []string{string(platform)},
-		})
-		if err != nil {
-			return err
-		}
-		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
-			return *it.Attributes.VersionString == tag
-		})
-		switch *version.Attributes.AppStoreState {
-		case asc.AppStoreVersionStatePrepareForSubmission, asc.AppStoreVersionStateDeveloperRejected:
-			log.Fatal(string(platform), " ", tag, " not submitted")
-		case asc.AppStoreVersionStateWaitingForReview,
-			asc.AppStoreVersionStateInReview:
-			log.Warn(string(platform), " ", tag, " waiting for review")
-			continue
-		case asc.AppStoreVersionStatePendingDeveloperRelease:
-		default:
-			log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
-		}
-		_, _, err = client.Publishing.CreatePhasedRelease(ctx, common.Ptr(asc.PhasedReleaseStateComplete), version.ID)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func isRetryable(response *asc.Response) bool {
-	if response == nil {
-		return false
-	}
-	switch response.StatusCode {
-	case http.StatusInternalServerError, http.StatusUnprocessableEntity:
-		return true
-	default:
-		return false
-	}
-}
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -18,13 +18,11 @@ import (
 var (
 	debugEnabled bool
 	target       string
-	platform     string
 )

 func init() {
 	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
 	flag.StringVar(&target, "target", "android", "target platform")
-	flag.StringVar(&platform, "platform", "", "specify platform")
 }

 func main() {
@@ -35,8 +33,8 @@ func main() {
 	switch target {
 	case "android":
 		buildAndroid()
-	case "apple":
-		buildApple()
+	case "ios":
+		buildiOS()
 	}
 }

@@ -83,9 +81,7 @@ func buildAndroid() {
 	}

 	var bindTarget string
-	if platform != "" {
-		bindTarget = platform
-	} else if debugEnabled {
+	if debugEnabled {
 		bindTarget = "android/arm64"
 	} else {
 		bindTarget = "android"
@@ -133,14 +129,12 @@ func buildAndroid() {
 	}
 }

-func buildApple() {
+func buildiOS() {
 	var bindTarget string
-	if platform != "" {
-		bindTarget = platform
-	} else if debugEnabled {
+	if debugEnabled {
 		bindTarget = "ios"
 	} else {
-		bindTarget = "ios,tvos,macos"
+		bindTarget = "ios,iossimulator,tvos,tvossimulator,macos"
 	}

 	args := []string{
--- a/cmd/internal/build_shared/tag.go
+++ b/cmd/internal/build_shared/tag.go
@@ -36,3 +36,11 @@ func ReadTagVersion() (badversion.Version, error) {
 	}
 	return version, nil
 }
+
+func IsDevBranch() bool {
+	branch, err := shell.Exec("git", "branch", "--show-current").ReadOutput()
+	if err != nil {
+		return false
+	}
+	return branch == "dev-next"
+}
--- a/cmd/internal/read_tag/main.go
+++ b/cmd/internal/read_tag/main.go
@@ -6,6 +6,7 @@ import (

 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
+	F "github.com/sagernet/sing/common/format"
 )

 var nightly bool
@@ -21,14 +22,25 @@ func main() {
 		if err != nil {
 			log.Fatal(err)
 		}
-		var versionStr string
+		var (
+			versionStr   string
+			isPrerelease bool
+		)
 		if version.PreReleaseIdentifier != "" {
+			isPrerelease = true
 			versionStr = version.VersionString() + "-nightly"
 		} else {
 			version.Patch++
 			versionStr = version.VersionString() + "-nightly"
 		}
-		err = setGitHubEnv("version", versionStr)
+		if build_shared.IsDevBranch() {
+			isPrerelease = true
+		}
+		err = setGitHubOutput("version", versionStr)
+		if err != nil {
+			log.Fatal(err)
+		}
+		err = setGitHubOutput("prerelease", F.ToString(isPrerelease))
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -43,7 +55,7 @@ func main() {
 	}
 }

-func setGitHubEnv(name string, value string) error {
+func setGitHubOutput(name string, value string) error {
 	outputFile, err := os.OpenFile(os.Getenv("GITHUB_ENV"), os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o644)
 	if err != nil {
 		return err
--- a/cmd/sing-box/cmd_merge.go
+++ b/cmd/sing-box/cmd_merge.go
@@ -18,7 +18,7 @@ import (
 )

 var commandMerge = &cobra.Command{
-	Use:   "merge <output-path>",
+	Use:   "merge <output>",
 	Short: "Merge configurations",
 	Run: func(cmd *cobra.Command, args []string) {
 		err := merge(args[0])
--- a/cmd/sing-box/cmd_rule_set_merge.go
+++ b/cmd/sing-box/cmd_rule_set_merge.go
@@ -1,162 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"io"
-	"os"
-	"path/filepath"
-	"sort"
-	"strings"
-
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json"
-	"github.com/sagernet/sing/common/json/badjson"
-	"github.com/sagernet/sing/common/rw"
-
-	"github.com/spf13/cobra"
-)
-
-var (
-	ruleSetPaths       []string
-	ruleSetDirectories []string
-)
-
-var commandRuleSetMerge = &cobra.Command{
-	Use:   "merge <output-path>",
-	Short: "Merge rule-set source files",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := mergeRuleSet(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.ExactArgs(1),
-}
-
-func init() {
-	commandRuleSetMerge.Flags().StringArrayVarP(&ruleSetPaths, "config", "c", nil, "set input rule-set file path")
-	commandRuleSetMerge.Flags().StringArrayVarP(&ruleSetDirectories, "config-directory", "C", nil, "set input rule-set directory path")
-	commandRuleSet.AddCommand(commandRuleSetMerge)
-}
-
-type RuleSetEntry struct {
-	content []byte
-	path    string
-	options option.PlainRuleSetCompat
-}
-
-func readRuleSetAt(path string) (*RuleSetEntry, error) {
-	var (
-		configContent []byte
-		err           error
-	)
-	if path == "stdin" {
-		configContent, err = io.ReadAll(os.Stdin)
-	} else {
-		configContent, err = os.ReadFile(path)
-	}
-	if err != nil {
-		return nil, E.Cause(err, "read config at ", path)
-	}
-	options, err := json.UnmarshalExtendedContext[option.PlainRuleSetCompat](globalCtx, configContent)
-	if err != nil {
-		return nil, E.Cause(err, "decode config at ", path)
-	}
-	return &RuleSetEntry{
-		content: configContent,
-		path:    path,
-		options: options,
-	}, nil
-}
-
-func readRuleSet() ([]*RuleSetEntry, error) {
-	var optionsList []*RuleSetEntry
-	for _, path := range ruleSetPaths {
-		optionsEntry, err := readRuleSetAt(path)
-		if err != nil {
-			return nil, err
-		}
-		optionsList = append(optionsList, optionsEntry)
-	}
-	for _, directory := range ruleSetDirectories {
-		entries, err := os.ReadDir(directory)
-		if err != nil {
-			return nil, E.Cause(err, "read rule-set directory at ", directory)
-		}
-		for _, entry := range entries {
-			if !strings.HasSuffix(entry.Name(), ".json") || entry.IsDir() {
-				continue
-			}
-			optionsEntry, err := readRuleSetAt(filepath.Join(directory, entry.Name()))
-			if err != nil {
-				return nil, err
-			}
-			optionsList = append(optionsList, optionsEntry)
-		}
-	}
-	sort.Slice(optionsList, func(i, j int) bool {
-		return optionsList[i].path < optionsList[j].path
-	})
-	return optionsList, nil
-}
-
-func readRuleSetAndMerge() (option.PlainRuleSetCompat, error) {
-	optionsList, err := readRuleSet()
-	if err != nil {
-		return option.PlainRuleSetCompat{}, err
-	}
-	if len(optionsList) == 1 {
-		return optionsList[0].options, nil
-	}
-	var optionVersion uint8
-	for _, options := range optionsList {
-		if optionVersion < options.options.Version {
-			optionVersion = options.options.Version
-		}
-	}
-	var mergedMessage json.RawMessage
-	for _, options := range optionsList {
-		mergedMessage, err = badjson.MergeJSON(globalCtx, options.options.RawMessage, mergedMessage, false)
-		if err != nil {
-			return option.PlainRuleSetCompat{}, E.Cause(err, "merge config at ", options.path)
-		}
-	}
-	mergedOptions, err := json.UnmarshalExtendedContext[option.PlainRuleSetCompat](globalCtx, mergedMessage)
-	if err != nil {
-		return option.PlainRuleSetCompat{}, E.Cause(err, "unmarshal merged config")
-	}
-	mergedOptions.Version = optionVersion
-	return mergedOptions, nil
-}
-
-func mergeRuleSet(outputPath string) error {
-	mergedOptions, err := readRuleSetAndMerge()
-	if err != nil {
-		return err
-	}
-	buffer := new(bytes.Buffer)
-	encoder := json.NewEncoder(buffer)
-	encoder.SetIndent("", "  ")
-	err = encoder.Encode(mergedOptions)
-	if err != nil {
-		return E.Cause(err, "encode config")
-	}
-	if existsContent, err := os.ReadFile(outputPath); err != nil {
-		if string(existsContent) == buffer.String() {
-			return nil
-		}
-	}
-	err = rw.MkdirParent(outputPath)
-	if err != nil {
-		return err
-	}
-	err = os.WriteFile(outputPath, buffer.Bytes(), 0o644)
-	if err != nil {
-		return err
-	}
-	outputPath, _ = filepath.Abs(outputPath)
-	os.Stderr.WriteString(outputPath + "\n")
-	return nil
-}
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -2,16 +2,13 @@ package dialer

 import (
 	"context"
-	"errors"
 	"net"
 	"net/netip"
-	"syscall"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/conntrack"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/atomic"
@@ -19,7 +16,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
 )

 var (
@@ -28,36 +24,31 @@ var (
 )

 type DefaultDialer struct {
-	dialer4                tcpDialer
-	dialer6                tcpDialer
-	udpDialer4             net.Dialer
-	udpDialer6             net.Dialer
-	udpListener            net.ListenConfig
-	udpAddr4               string
-	udpAddr6               string
-	isWireGuardListener    bool
-	networkManager         adapter.NetworkManager
-	networkStrategy        *C.NetworkStrategy
-	defaultNetworkStrategy bool
-	networkType            []C.InterfaceType
-	fallbackNetworkType    []C.InterfaceType
-	networkFallbackDelay   time.Duration
-	networkLastFallback    atomic.TypedValue[time.Time]
+	dialer4              tcpDialer
+	dialer6              tcpDialer
+	udpDialer4           net.Dialer
+	udpDialer6           net.Dialer
+	udpListener          net.ListenConfig
+	udpAddr4             string
+	udpAddr6             string
+	isWireGuardListener  bool
+	networkManager       adapter.NetworkManager
+	networkStrategy      C.NetworkStrategy
+	networkType          []C.InterfaceType
+	fallbackNetworkType  []C.InterfaceType
+	networkFallbackDelay time.Duration
+	networkLastFallback  atomic.TypedValue[time.Time]
 }

-func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
-	networkManager := service.FromContext[adapter.NetworkManager](ctx)
-	platformInterface := service.FromContext[platform.Interface](ctx)
-
+func NewDefault(networkManager adapter.NetworkManager, options option.DialerOptions) (*DefaultDialer, error) {
 	var (
-		dialer                 net.Dialer
-		listener               net.ListenConfig
-		interfaceFinder        control.InterfaceFinder
-		networkStrategy        *C.NetworkStrategy
-		defaultNetworkStrategy bool
-		networkType            []C.InterfaceType
-		fallbackNetworkType    []C.InterfaceType
-		networkFallbackDelay   time.Duration
+		dialer               net.Dialer
+		listener             net.ListenConfig
+		interfaceFinder      control.InterfaceFinder
+		networkStrategy      C.NetworkStrategy
+		networkType          []C.InterfaceType
+		fallbackNetworkType  []C.InterfaceType
+		networkFallbackDelay time.Duration
 	)
 	if networkManager != nil {
 		interfaceFinder = networkManager.InterfaceFinder()
@@ -83,38 +74,31 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 			listener.Control = control.Append(listener.Control, control.RoutingMark(autoRedirectOutputMark))
 		}
 	}
-	disableDefaultBind := options.BindInterface != "" || options.Inet4BindAddress != nil || options.Inet6BindAddress != nil
-	if disableDefaultBind || options.TCPFastOpen {
-		if options.NetworkStrategy != nil || len(options.NetworkType) > 0 && options.FallbackNetworkType == nil && options.FallbackDelay == 0 {
-			return nil, E.New("`network_strategy` is conflict with `bind_interface`, `inet4_bind_address`, `inet6_bind_address` and `tcp_fast_open`")
+	if C.NetworkStrategy(options.NetworkStrategy) != C.NetworkStrategyDefault {
+		if options.BindInterface != "" || options.Inet4BindAddress != nil || options.Inet6BindAddress != nil {
+			return nil, E.New("`network_strategy` is conflict with `bind_interface`, `inet4_bind_address` and `inet6_bind_address`")
+		}
+		networkStrategy = C.NetworkStrategy(options.NetworkStrategy)
+		networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
+		fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
+		networkFallbackDelay = time.Duration(options.NetworkFallbackDelay)
+		if networkManager == nil || !networkManager.AutoDetectInterface() {
+			return nil, E.New("`route.auto_detect_interface` is require by `network_strategy`")
 		}
 	}
-
-	if networkManager != nil {
+	if networkManager != nil && options.BindInterface == "" && options.Inet4BindAddress == nil && options.Inet6BindAddress == nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if !disableDefaultBind {
+		if options.BindInterface == "" {
 			if defaultOptions.BindInterface != "" {
 				bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
 				dialer.Control = control.Append(dialer.Control, bindFunc)
 				listener.Control = control.Append(listener.Control, bindFunc)
 			} else if networkManager.AutoDetectInterface() {
-				if platformInterface != nil {
-					networkStrategy = (*C.NetworkStrategy)(options.NetworkStrategy)
-					if networkStrategy == nil {
-						networkStrategy = common.Ptr(C.NetworkStrategyDefault)
-						defaultNetworkStrategy = true
-					}
-					networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
-					fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
-					if networkStrategy == nil && len(networkType) == 0 && len(fallbackNetworkType) == 0 {
-						networkStrategy = defaultOptions.NetworkStrategy
-						networkType = defaultOptions.NetworkType
-						fallbackNetworkType = defaultOptions.FallbackNetworkType
-					}
-					networkFallbackDelay = time.Duration(options.FallbackDelay)
-					if networkFallbackDelay == 0 && defaultOptions.FallbackDelay != 0 {
-						networkFallbackDelay = defaultOptions.FallbackDelay
-					}
+				if defaultOptions.NetworkStrategy != C.NetworkStrategyDefault && C.NetworkStrategy(options.NetworkStrategy) == C.NetworkStrategyDefault {
+					networkStrategy = defaultOptions.NetworkStrategy
+					networkType = defaultOptions.NetworkType
+					fallbackNetworkType = defaultOptions.FallbackNetworkType
+					networkFallbackDelay = defaultOptions.FallbackDelay
 					bindFunc := networkManager.ProtectFunc()
 					dialer.Control = control.Append(dialer.Control, bindFunc)
 					listener.Control = control.Append(listener.Control, bindFunc)
@@ -188,6 +172,9 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 			listener.Control = control.Append(listener.Control, controlFn)
 		}
 	}
+	if networkStrategy != C.NetworkStrategyDefault && options.TCPFastOpen {
+		return nil, E.New("`tcp_fast_open` is conflict with `network_strategy` or `route.default_network_strategy`")
+	}
 	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
 	if err != nil {
 		return nil, err
@@ -197,20 +184,19 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		return nil, err
 	}
 	return &DefaultDialer{
-		dialer4:                tcpDialer4,
-		dialer6:                tcpDialer6,
-		udpDialer4:             udpDialer4,
-		udpDialer6:             udpDialer6,
-		udpListener:            listener,
-		udpAddr4:               udpAddr4,
-		udpAddr6:               udpAddr6,
-		isWireGuardListener:    options.IsWireGuardListener,
-		networkManager:         networkManager,
-		networkStrategy:        networkStrategy,
-		defaultNetworkStrategy: defaultNetworkStrategy,
-		networkType:            networkType,
-		fallbackNetworkType:    fallbackNetworkType,
-		networkFallbackDelay:   networkFallbackDelay,
+		dialer4:              tcpDialer4,
+		dialer6:              tcpDialer6,
+		udpDialer4:           udpDialer4,
+		udpDialer6:           udpDialer6,
+		udpListener:          listener,
+		udpAddr4:             udpAddr4,
+		udpAddr6:             udpAddr6,
+		isWireGuardListener:  options.IsWireGuardListener,
+		networkManager:       networkManager,
+		networkStrategy:      networkStrategy,
+		networkType:          networkType,
+		fallbackNetworkType:  fallbackNetworkType,
+		networkFallbackDelay: networkFallbackDelay,
 	}, nil
 }

@@ -218,7 +204,7 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 	if !address.IsValid() {
 		return nil, E.New("invalid address")
 	}
-	if d.networkStrategy == nil {
+	if d.networkStrategy == C.NetworkStrategyDefault {
 		switch N.NetworkName(network) {
 		case N.NetworkUDP:
 			if !address.IsIPv6() {
@@ -237,21 +223,12 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 	}
 }

-func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network string, address M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
-	if strategy == nil {
-		strategy = d.networkStrategy
-	}
-	if strategy == nil {
+func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network string, address M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+	if strategy == C.NetworkStrategyDefault {
 		return d.DialContext(ctx, network, address)
 	}
-	if len(interfaceType) == 0 {
-		interfaceType = d.networkType
-	}
-	if len(fallbackInterfaceType) == 0 {
-		fallbackInterfaceType = d.fallbackNetworkType
-	}
-	if fallbackDelay == 0 {
-		fallbackDelay = d.networkFallbackDelay
+	if !d.networkManager.AutoDetectInterface() {
+		return nil, E.New("`route.auto_detect_interface` is require by `network_strategy`")
 	}
 	var dialer net.Dialer
 	if N.NetworkName(network) == N.NetworkTCP {
@@ -266,18 +243,12 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 		err       error
 	)
 	if !fastFallback {
-		conn, isPrimary, err = d.dialParallelInterface(ctx, dialer, network, address.String(), *strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
+		conn, isPrimary, err = d.dialParallelInterface(ctx, dialer, network, address.String(), strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	} else {
-		conn, isPrimary, err = d.dialParallelInterfaceFastFallback(ctx, dialer, network, address.String(), *strategy, interfaceType, fallbackInterfaceType, fallbackDelay, d.networkLastFallback.Store)
+		conn, isPrimary, err = d.dialParallelInterfaceFastFallback(ctx, dialer, network, address.String(), strategy, interfaceType, fallbackInterfaceType, fallbackDelay, d.networkLastFallback.Store)
 	}
 	if err != nil {
-		// bind interface failed on legacy xiaomi systems
-		if d.defaultNetworkStrategy && errors.Is(err, syscall.EPERM) {
-			d.networkStrategy = nil
-			return d.DialContext(ctx, network, address)
-		} else {
-			return nil, err
-		}
+		return nil, err
 	}
 	if !fastFallback && !isPrimary {
 		d.networkLastFallback.Store(time.Now())
@@ -286,7 +257,7 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 }

 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if d.networkStrategy == nil {
+	if d.networkStrategy == C.NetworkStrategyDefault {
 		if destination.IsIPv6() {
 			return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
 		} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
@@ -299,37 +270,18 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	}
 }

-func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
-	if strategy == nil {
-		strategy = d.networkStrategy
-	}
-	if strategy == nil {
+func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
+	if strategy == C.NetworkStrategyDefault {
 		return d.ListenPacket(ctx, destination)
 	}
-	if len(interfaceType) == 0 {
-		interfaceType = d.networkType
-	}
-	if len(fallbackInterfaceType) == 0 {
-		fallbackInterfaceType = d.fallbackNetworkType
-	}
-	if fallbackDelay == 0 {
-		fallbackDelay = d.networkFallbackDelay
+	if !d.networkManager.AutoDetectInterface() {
+		return nil, E.New("`route.auto_detect_interface` is require by `network_strategy`")
 	}
 	network := N.NetworkUDP
 	if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
 		network += "4"
 	}
-	packetConn, err := d.listenSerialInterfacePacket(ctx, d.udpListener, network, "", *strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
-	if err != nil {
-		// bind interface failed on legacy xiaomi systems
-		if d.defaultNetworkStrategy && errors.Is(err, syscall.EPERM) {
-			d.networkStrategy = nil
-			return d.ListenPacket(ctx, destination)
-		} else {
-			return nil, err
-		}
-	}
-	return trackPacketConn(packetConn, nil)
+	return trackPacketConn(d.listenSerialInterfacePacket(ctx, d.udpListener, network, "", strategy, interfaceType, fallbackInterfaceType, fallbackDelay))
 }

 func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
--- a/common/dialer/default_parallel_interface.go
+++ b/common/dialer/default_parallel_interface.go
@@ -35,12 +35,12 @@ func (d *DefaultDialer) dialParallelInterface(ctx context.Context, dialer net.Di
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
-			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Index, ")"), primary: primary}:
+			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Name, ")"), primary: primary}:
 			case <-returned:
 			}
 		} else {
 			select {
-			case results <- dialResult{Conn: conn, primary: primary}:
+			case results <- dialResult{Conn: conn}:
 			case <-returned:
 				conn.Close()
 			}
@@ -107,12 +107,12 @@ func (d *DefaultDialer) dialParallelInterfaceFastFallback(ctx context.Context, d
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
-			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Index, ")"), primary: primary}:
+			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Name, ")"), primary: primary}:
 			case <-returned:
 			}
 		} else {
 			select {
-			case results <- dialResult{Conn: conn, primary: primary}:
+			case results <- dialResult{Conn: conn}:
 			case <-returned:
 				if primary && time.Since(startAt) <= fallbackDelay {
 					resetFastFallback(time.Time{})
@@ -157,7 +157,7 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 		if err == nil {
 			return conn, nil
 		}
-		errors = append(errors, E.Cause(err, "listen ", primaryInterface.Name, " (", primaryInterface.Index, ")"))
+		errors = append(errors, E.Cause(err, "listen ", primaryInterface.Name, " (", primaryInterface.Name, ")"))
 	}
 	for _, fallbackInterface := range fallbackInterfaces {
 		perNetListener := listener
@@ -166,7 +166,7 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 		if err == nil {
 			return conn, nil
 		}
-		errors = append(errors, E.Cause(err, "listen ", fallbackInterface.Name, " (", fallbackInterface.Index, ")"))
+		errors = append(errors, E.Cause(err, "listen ", fallbackInterface.Name, " (", fallbackInterface.Name, ")"))
 	}
 	return nil, E.Errors(errors...)
 }
@@ -177,57 +177,44 @@ func selectInterfaces(networkManager adapter.NetworkManager, strategy C.NetworkS
 	case C.NetworkStrategyDefault:
 		if len(interfaceType) == 0 {
 			defaultIf := networkManager.InterfaceMonitor().DefaultInterface()
-			if defaultIf != nil {
-				for _, iif := range interfaces {
-					if iif.Index == defaultIf.Index {
-						primaryInterfaces = append(primaryInterfaces, iif)
-					}
+			for _, iif := range interfaces {
+				if iif.Index == defaultIf.Index {
+					primaryInterfaces = append(primaryInterfaces, iif)
+				} else {
+					fallbackInterfaces = append(fallbackInterfaces, iif)
 				}
-			} else {
-				primaryInterfaces = interfaces
 			}
 		} else {
-			primaryInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
-				return common.Contains(interfaceType, it.Type)
+			primaryInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
+				return common.Contains(interfaceType, iif.Type)
 			})
 		}
 	case C.NetworkStrategyHybrid:
 		if len(interfaceType) == 0 {
 			primaryInterfaces = interfaces
 		} else {
-			primaryInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
-				return common.Contains(interfaceType, it.Type)
+			primaryInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
+				return common.Contains(interfaceType, iif.Type)
 			})
 		}
 	case C.NetworkStrategyFallback:
 		if len(interfaceType) == 0 {
 			defaultIf := networkManager.InterfaceMonitor().DefaultInterface()
-			if defaultIf != nil {
-				for _, iif := range interfaces {
-					if iif.Index == defaultIf.Index {
-						primaryInterfaces = append(primaryInterfaces, iif)
-						break
-					}
+			for _, iif := range interfaces {
+				if iif.Index == defaultIf.Index {
+					primaryInterfaces = append(primaryInterfaces, iif)
+				} else {
+					fallbackInterfaces = append(fallbackInterfaces, iif)
 				}
-			} else {
-				primaryInterfaces = interfaces
 			}
 		} else {
-			primaryInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
-				return common.Contains(interfaceType, it.Type)
-			})
-		}
-		if len(fallbackInterfaceType) == 0 {
-			fallbackInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
-				return !common.Any(primaryInterfaces, func(iif adapter.NetworkInterface) bool {
-					return it.Index == iif.Index
-				})
-			})
-		} else {
-			fallbackInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
-				return common.Contains(fallbackInterfaceType, iif.Type)
+			primaryInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
+				return common.Contains(interfaceType, iif.Type)
 			})
 		}
+		fallbackInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
+			return common.Contains(fallbackInterfaceType, iif.Type)
+		})
 	}
 	return primaryInterfaces, fallbackInterfaces
 }
--- a/common/dialer/default_parallel_network.go
+++ b/common/dialer/default_parallel_network.go
@@ -13,13 +13,7 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )

-func DialSerialNetwork(ctx context.Context, dialer N.Dialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
-	if len(destinationAddresses) == 0 {
-		if !destination.IsIP() {
-			panic("invalid usage")
-		}
-		destinationAddresses = []netip.Addr{destination.Addr}
-	}
+func DialSerialNetwork(ctx context.Context, dialer N.Dialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
 	if parallelDialer, isParallel := dialer.(ParallelNetworkDialer); isParallel {
 		return parallelDialer.DialParallelNetwork(ctx, network, destination, destinationAddresses, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	}
@@ -44,14 +38,7 @@ func DialSerialNetwork(ctx context.Context, dialer N.Dialer, network string, des
 	return nil, E.Errors(errors...)
 }

-func DialParallelNetwork(ctx context.Context, dialer ParallelInterfaceDialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, preferIPv6 bool, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
-	if len(destinationAddresses) == 0 {
-		if !destination.IsIP() {
-			panic("invalid usage")
-		}
-		destinationAddresses = []netip.Addr{destination.Addr}
-	}
-
+func DialParallelNetwork(ctx context.Context, dialer ParallelInterfaceDialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, preferIPv6 bool, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
 	if fallbackDelay == 0 {
 		fallbackDelay = N.DefaultFallbackDelay
 	}
@@ -129,13 +116,7 @@ func DialParallelNetwork(ctx context.Context, dialer ParallelInterfaceDialer, ne
 	}
 }

-func ListenSerialNetworkPacket(ctx context.Context, dialer N.Dialer, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
-	if len(destinationAddresses) == 0 {
-		if !destination.IsIP() {
-			panic("invalid usage")
-		}
-		destinationAddresses = []netip.Addr{destination.Addr}
-	}
+func ListenSerialNetworkPacket(ctx context.Context, dialer N.Dialer, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
 	if parallelDialer, isParallel := dialer.(ParallelNetworkDialer); isParallel {
 		return parallelDialer.ListenSerialNetworkPacket(ctx, destination, destinationAddresses, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	}
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -17,15 +17,16 @@ import (
 )

 func New(ctx context.Context, options option.DialerOptions) (N.Dialer, error) {
+	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	if options.IsWireGuardListener {
-		return NewDefault(ctx, options)
+		return NewDefault(networkManager, options)
 	}
 	var (
 		dialer N.Dialer
 		err    error
 	)
 	if options.Detour == "" {
-		dialer, err = NewDefault(ctx, options)
+		dialer, err = NewDefault(networkManager, options)
 		if err != nil {
 			return nil, err
 		}
@@ -36,6 +37,9 @@ func New(ctx context.Context, options option.DialerOptions) (N.Dialer, error) {
 		}
 		dialer = NewDetour(outboundManager, options.Detour)
 	}
+	if networkManager == nil {
+		return NewDefault(networkManager, options)
+	}
 	if options.Detour == "" {
 		router := service.FromContext[adapter.Router](ctx)
 		if router != nil {
@@ -54,10 +58,11 @@ func NewDirect(ctx context.Context, options option.DialerOptions) (ParallelInter
 	if options.Detour != "" {
 		return nil, E.New("`detour` is not supported in direct context")
 	}
+	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	if options.IsWireGuardListener {
-		return NewDefault(ctx, options)
+		return NewDefault(networkManager, options)
 	}
-	dialer, err := NewDefault(ctx, options)
+	dialer, err := NewDefault(networkManager, options)
 	if err != nil {
 		return nil, err
 	}
@@ -72,11 +77,11 @@ func NewDirect(ctx context.Context, options option.DialerOptions) (ParallelInter

 type ParallelInterfaceDialer interface {
 	N.Dialer
-	DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
-	ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error)
+	DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
+	ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error)
 }

 type ParallelNetworkDialer interface {
-	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
-	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
+	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
+	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
 }
--- a/common/dialer/resolve.go
+++ b/common/dialer/resolve.go
@@ -106,7 +106,7 @@ func (d *resolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	return bufio.NewNATPacketConn(bufio.NewPacketConn(conn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
 }

-func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
@@ -134,7 +134,7 @@ func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context
 	}
 }

-func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
+func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -30,14 +30,15 @@ func NewClient(ctx context.Context, serverAddress string, options option.Outboun
 		return nil, nil
 	}
 	if options.ECH != nil && options.ECH.Enabled {
-		return NewECHClient(ctx, serverAddress, options)
+		if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
+			return NewECHClient(ctx, serverAddress, options)
+		}
 	} else if options.Reality != nil && options.Reality.Enabled {
 		return NewRealityClient(ctx, serverAddress, options)
 	} else if options.UTLS != nil && options.UTLS.Enabled {
 		return NewUTLSClient(ctx, serverAddress, options)
-	} else {
-		return NewSTDClient(ctx, serverAddress, options)
 	}
+	return NewSTDClient(ctx, serverAddress, options)
 }

 func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
--- a/common/tls/ech_keygen.go
+++ b/common/tls/ech_keygen.go
@@ -7,7 +7,6 @@ import (
 	"encoding/binary"
 	"encoding/pem"

-	cftls "github.com/sagernet/cloudflare-tls"
 	E "github.com/sagernet/sing/common/exceptions"

 	"github.com/cloudflare/circl/hpke"
@@ -59,7 +58,6 @@ func ECHKeygenDefault(serverName string, pqSignatureSchemesEnabled bool) (config

 type echKeyConfigPair struct {
 	id      uint8
-	key     cftls.EXP_ECHKey
 	rawKey  []byte
 	conf    myECHKeyConfig
 	rawConf []byte
@@ -153,14 +151,13 @@ func echKeygen(version uint16, serverName string, conf []myECHKeyConfig, suite [
 		sk = be.AppendUint16(sk, uint16(len(b)))
 		sk = append(sk, b...)

-		cfECHKeys, err := cftls.EXP_UnmarshalECHKeys(sk)
+		cfECHKeys, err := UnmarshalECHKeys(sk)
 		if err != nil {
 			return nil, E.Cause(err, "bug: can't parse generated ECH server key")
 		}
 		if len(cfECHKeys) != 1 {
 			return nil, E.New("bug: unexpected server key count")
 		}
-		pair.key = cfECHKeys[0]
 		pair.rawKey = sk

 		pairs = append(pairs, pair)
--- a/common/tls/server.go
+++ b/common/tls/server.go
@@ -17,12 +17,13 @@ func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLS
 		return nil, nil
 	}
 	if options.ECH != nil && options.ECH.Enabled {
-		return NewECHServer(ctx, logger, options)
+		if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
+			return NewECHServer(ctx, logger, options)
+		}
 	} else if options.Reality != nil && options.Reality.Enabled {
 		return NewRealityServer(ctx, logger, options)
-	} else {
-		return NewSTDServer(ctx, logger, options)
 	}
+	return NewSTDServer(ctx, logger, options)
 }

 func ServerHandshake(ctx context.Context, conn net.Conn, config ServerConfig) (Conn, error) {
--- a/common/tls/std_client.go
+++ b/common/tls/std_client.go
@@ -4,16 +4,25 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/base64"
 	"net"
 	"net/netip"
 	"os"
 	"strings"

+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
+	aTLS "github.com/sagernet/sing/common/tls"
+	"github.com/sagernet/sing/service"
+
+	mDNS "github.com/miekg/dns"
 )

+var _ ConfigCompat = (*STDClientConfig)(nil)
+
 type STDClientConfig struct {
 	config *tls.Config
 }
@@ -46,6 +55,63 @@ func (s *STDClientConfig) Clone() Config {
 	return &STDClientConfig{s.config.Clone()}
 }

+type STDECHClientConfig struct {
+	STDClientConfig
+}
+
+func (s *STDClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
+	if len(s.config.EncryptedClientHelloConfigList) == 0 {
+		message := &mDNS.Msg{
+			MsgHdr: mDNS.MsgHdr{
+				RecursionDesired: true,
+			},
+			Question: []mDNS.Question{
+				{
+					Name:   mDNS.Fqdn(s.config.ServerName),
+					Qtype:  mDNS.TypeHTTPS,
+					Qclass: mDNS.ClassINET,
+				},
+			},
+		}
+		dnsRouter := service.FromContext[adapter.Router](ctx)
+		response, err := dnsRouter.Exchange(ctx, message)
+		if err != nil {
+			return nil, E.Cause(err, "fetch ECH config list")
+		}
+		if response.Rcode != mDNS.RcodeSuccess {
+			return nil, E.Cause(dns.RCodeError(response.Rcode), "fetch ECH config list")
+		}
+		for _, rr := range response.Answer {
+			switch resource := rr.(type) {
+			case *mDNS.HTTPS:
+				for _, value := range resource.Value {
+					if value.Key().String() == "ech" {
+						echConfigList, err := base64.StdEncoding.DecodeString(value.String())
+						if err != nil {
+							return nil, E.Cause(err, "decode ECH config")
+						}
+						s.config.EncryptedClientHelloConfigList = echConfigList
+					}
+				}
+			}
+		}
+		return nil, E.New("no ECH config found in DNS records")
+	}
+	tlsConn, err := s.Client(conn)
+	if err != nil {
+		return nil, err
+	}
+	err = tlsConn.HandshakeContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return tlsConn, nil
+}
+
+func (s *STDECHClientConfig) Clone() Config {
+	return &STDECHClientConfig{STDClientConfig{s.config.Clone()}}
+}
+
 func NewSTDClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
@@ -128,5 +194,21 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 		tlsConfig.RootCAs = certPool
 	}
+	if options.ECH != nil && options.ECH.Enabled {
+		var echConfig []byte
+		if len(options.ECH.Config) > 0 {
+			echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
+		} else if options.ECH.ConfigPath != "" {
+			content, err := os.ReadFile(options.ECH.ConfigPath)
+			if err != nil {
+				return nil, E.Cause(err, "read ECH config")
+			}
+			echConfig = content
+		}
+		if echConfig != nil {
+			tlsConfig.EncryptedClientHelloConfigList = echConfig
+		}
+		return &STDECHClientConfig{STDClientConfig{&tlsConfig}}, nil
+	}
 	return &STDClientConfig{&tlsConfig}, nil
 }
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -3,6 +3,7 @@ package tls
 import (
 	"context"
 	"crypto/tls"
+	"encoding/pem"
 	"net"
 	"os"
 	"strings"
@@ -14,6 +15,8 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
+
+	"golang.org/x/crypto/cryptobyte"
 )

 var errInsecureUnused = E.New("tls: insecure unused")
@@ -238,6 +241,31 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 			tlsConfig.Certificates = []tls.Certificate{keyPair}
 		}
 	}
+	if options.ECH != nil && options.ECH.Enabled {
+		var echKey []byte
+		if len(options.ECH.Key) > 0 {
+			echKey = []byte(strings.Join(options.ECH.Key, "\n"))
+		} else if options.ECH.KeyPath != "" {
+			content, err := os.ReadFile(options.ECH.KeyPath)
+			if err != nil {
+				return nil, E.Cause(err, "read ECH key")
+			}
+			echKey = content
+		} else {
+			return nil, E.New("missing ECH key")
+		}
+
+		block, rest := pem.Decode(echKey)
+		if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
+			return nil, E.New("invalid ECH keys pem")
+		}
+
+		echKeys, err := UnmarshalECHKeys(block.Bytes)
+		if err != nil {
+			return nil, E.Cause(err, "parse ECH keys")
+		}
+		tlsConfig.EncryptedClientHelloKeys = echKeys
+	}
 	return &STDServerConfig{
 		config:          tlsConfig,
 		logger:          logger,
@@ -248,3 +276,22 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		keyPath:         options.KeyPath,
 	}, nil
 }
+
+func UnmarshalECHKeys(raw []byte) ([]tls.EncryptedClientHelloKey, error) {
+	var keys []tls.EncryptedClientHelloKey
+	rawString := cryptobyte.String(raw)
+	for !rawString.Empty() {
+		var key tls.EncryptedClientHelloKey
+		if !rawString.ReadUint16LengthPrefixed((*cryptobyte.String)(&key.PrivateKey)) {
+			return nil, E.New("error parsing private key")
+		}
+		if !rawString.ReadUint16LengthPrefixed((*cryptobyte.String)(&key.Config)) {
+			return nil, E.New("error parsing config")
+		}
+		keys = append(keys, key)
+	}
+	if len(keys) == 0 {
+		return nil, E.New("empty ECH keys")
+	}
+	return keys, nil
+}
--- a/common/tls/time_wrapper.go
+++ b/common/tls/time_wrapper.go
@@ -1,22 +0,0 @@
-package tls
-
-import (
-	"time"
-
-	"github.com/sagernet/sing/common/ntp"
-)
-
-type TimeServiceWrapper struct {
-	ntp.TimeService
-}
-
-func (w *TimeServiceWrapper) TimeFunc() func() time.Time {
-	if w.TimeService == nil {
-		return nil
-	}
-	return w.TimeService.TimeFunc()
-}
-
-func (w *TimeServiceWrapper) Upstream() any {
-	return w.TimeService
-}
--- a/constant/cgo_android_fix.go
+++ b/constant/cgo_android_fix.go
@@ -0,0 +1,8 @@
+//go:build android && debug
+
+package constant
+
+// TODO: remove after fixed
+// https://github.com/golang/go/issues/68760
+
+const FixAndroidStack = true
--- a/constant/cgo_android_fix_stub.go
+++ b/constant/cgo_android_fix_stub.go
@@ -0,0 +1,5 @@
+//go:build !(android && debug)
+
+package constant
+
+const FixAndroidStack = false
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,36 +2,10 @@
 icon: material/alert-decagram
 ---

-#### 1.11.0-beta.16
+#### 1.11.0-beta.9

 * Fixes and improvements

-### 1.10.6
-
-* Fixes and improvements
-
-#### 1.11.0-beta.14
-
-* Allow adding route (exclude) address sets to routes **1**
-* Fixes and improvements
-
-**1**:
-
-When `auto_redirect` is not enabled, directly add `route[_exclude]_address_set`
-to tun routes (equivalent to `route[_exclude]_address`).
-
-Note that it **doesn't work on the Android graphical client** due to
-the Android VpnService not being able to handle a large number of routes (DeadSystemException),
-but otherwise it works fine on all command line clients and Apple platforms.
-
-See [route_address_set](/configuration/inbound/tun/#route_address_set) and
-[route_exclude_address_set](/configuration/inbound/tun/#route_exclude_address_set).
-
-#### 1.11.0-beta.12
-
-* Add `rule-set merge` command
-* Fixes and improvements
-
 #### 1.11.0-beta.3

 * Add more masquerade options for hysteria2 **1**
@@ -41,6 +15,10 @@ See [route_address_set](/configuration/inbound/tun/#route_address_set) and

 See [Hysteria2](/configuration/inbound/hysteria2/#masquerade).

+### 1.10.3
+
+* Fixes and improvements
+
 #### 1.11.0-alpha.25

 * Update quic-go to v0.48.2
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -4,9 +4,7 @@ icon: material/alert-decagram

 !!! quote "Changes in sing-box 1.11.0"

-    :material-delete-alert: [gso](#gso)  
-    :material-alert-decagram: [route_address_set](#stack)  
-    :material-alert-decagram: [route_exclude_address_set](#stack)
+    :material-delete-alert: [gso](#gso)

 !!! quote "Changes in sing-box 1.10.0"

@@ -90,13 +88,13 @@ icon: material/alert-decagram
    0
  ],
  "include_uid_range": [
-    "1000:99999"
+    "1000-99999"
  ],
  "exclude_uid": [
    1000
  ],
  "exclude_uid_range": [
-    "1000:99999"
+    "1000-99999"
  ],
  "include_android_user": [
    0,
@@ -250,7 +248,7 @@ use [VPNHotspot](https://github.com/Mygod/VPNHotspot).

 !!! question "Since sing-box 1.10.0"

-Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.
+Connection input mark used by `route_address_set` and `route_exclude_address_set`.

 `0x2023` is used by default.

@@ -258,7 +256,7 @@ Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`

 !!! question "Since sing-box 1.10.0"

-Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.
+Connection output mark used by `route_address_set` and `route_exclude_address_set`.

 `0x2024` is used by default.

@@ -331,55 +329,29 @@ Exclude custom routes when `auto_route` is enabled.

 #### route_address_set

-=== "With `auto_redirect` enabled"
+!!! question "Since sing-box 1.10.0"

-    !!! question "Since sing-box 1.10.0"
-
-    !!! quote ""
-    
-        Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
-    
-    Add the destination IP CIDR rules in the specified rule-sets to the firewall.
-    Unmatched traffic will bypass the sing-box routes.
-    
-    Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
-
-=== "Without `auto_redirect` enabled"
-
-    !!! question "Since sing-box 1.11.0"
-    
-    Add the destination IP CIDR rules in the specified rule-sets to routes, equivalent to adding to `route_address`.
-    Unmatched traffic will bypass the sing-box routes.
-
-    Note that it **doesn't work on the Android graphical client** due to
-    the Android VpnService not being able to handle a large number of routes (DeadSystemException),
-    but otherwise it works fine on all command line clients and Apple platforms.
-
-#### route_exclude_address_set
-
-=== "With `auto_redirect` enabled"
-
-    !!! question "Since sing-box 1.10.0"
-
-    !!! quote ""
+!!! quote ""

    Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.

-    Add the destination IP CIDR rules in the specified rule-sets to the firewall.
-    Matched traffic will bypass the sing-box routes.
-    
-    Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
+Add the destination IP CIDR rules in the specified rule-sets to the firewall.
+Unmatched traffic will bypass the sing-box routes.

-=== "Without `auto_redirect` enabled"
+Conflict with `route.default_mark` and `[dialOptions].routing_mark`.

-    !!! question "Since sing-box 1.11.0"
-    
-    Add the destination IP CIDR rules in the specified rule-sets to routes, equivalent to adding to `route_exclude_address`.
-    Matched traffic will bypass the sing-box routes.
+#### route_exclude_address_set

-    Note that it **doesn't work on the Android graphical client** due to
-    the Android VpnService not being able to handle a large number of routes (DeadSystemException),
-    but otherwise it works fine on all command line clients and Apple platforms.
+!!! question "Since sing-box 1.10.0"
+
+!!! quote ""
+
+    Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
+
+Add the destination IP CIDR rules in the specified rule-sets to the firewall.
+Matched traffic will bypass the sing-box routes.
+
+Conflict with `route.default_mark` and `[dialOptions].routing_mark`.

 #### endpoint_independent_nat

--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -4,9 +4,7 @@ icon: material/alert-decagram

 !!! quote "sing-box 1.11.0 中的更改"

-    :material-delete-alert: [gso](#gso)  
-    :material-alert-decagram: [route_address_set](#stack)  
-    :material-alert-decagram: [route_exclude_address_set](#stack)
+    :material-delete-alert: [gso](#gso)

 !!! quote "sing-box 1.10.0 中的更改"

@@ -90,13 +88,13 @@ icon: material/alert-decagram
    0
  ],
  "include_uid_range": [
-    "1000:99999"
+    "1000-99999"
  ],
  "exclude_uid": [
    1000
  ],
  "exclude_uid_range": [
-    "1000:99999"
+    "1000-99999"
  ],
  "include_android_user": [
    0,
@@ -331,53 +329,29 @@ tun 接口的 IPv6 前缀。

 #### route_address_set

-=== "`auto_redirect` 已启用"
+!!! question "自 sing-box 1.10.0 起"

-    !!! question "自 sing-box 1.10.0 起"
-    
-    !!! quote ""
-    
-        仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
-    
-    将指定规则集中的目标 IP CIDR 规则添加到防火墙。
-    不匹配的流量将绕过 sing-box 路由。
-    
-    与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
+!!! quote ""

-=== "`auto_redirect` 未启用"
+    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 

-    !!! question "自 sing-box 1.11.0 起"
+将指定规则集中的目标 IP CIDR 规则添加到防火墙。
+不匹配的流量将绕过 sing-box 路由。

-    将指定规则集中的目标 IP CIDR 规则添加到路由，相当于添加到 `route_address`。
-    不匹配的流量将绕过 sing-box 路由。
-
-    请注意，由于 Android VpnService 无法处理大量路由（DeadSystemException），
-    因此它**在 Android 图形客户端上不起作用**，但除此之外，它在所有命令行客户端和 Apple 平台上都可以正常工作。
+与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。

 #### route_exclude_address_set

-=== "`auto_redirect` 已启用"
+!!! question "自 sing-box 1.10.0 起"

-    !!! question "自 sing-box 1.10.0 起"
-    
-    !!! quote ""
-    
-        仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
+!!! quote ""

-    将指定规则集中的目标 IP CIDR 规则添加到防火墙。
-    匹配的流量将绕过 sing-box 路由。
+    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。

-    与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
+将指定规则集中的目标 IP CIDR 规则添加到防火墙。
+匹配的流量将绕过 sing-box 路由。

-=== "`auto_redirect` 未启用"
-
-    !!! question "自 sing-box 1.11.0 起"
-
-    将指定规则集中的目标 IP CIDR 规则添加到路由，相当于添加到 `route_exclude_address`。
-    匹配的流量将绕过 sing-box 路由。
-
-    请注意，由于 Android VpnService 无法处理大量路由（DeadSystemException），
-    因此它**在 Android 图形客户端上不起作用**，但除此之外，它在所有命令行客户端和 Apple 平台上都可以正常工作。
+与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。

 #### endpoint_independent_nat

--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -128,8 +128,11 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 	if options.ExternalUI != "" {
 		s.externalUI = filemanager.BasePath(ctx, os.ExpandEnv(options.ExternalUI))
 		chiRouter.Group(func(r chi.Router) {
-			r.Get("/ui", http.RedirectHandler("/ui/", http.StatusMovedPermanently).ServeHTTP)
-			r.Handle("/ui/*", http.StripPrefix("/ui/", http.FileServer(http.Dir(s.externalUI))))
+			fs := http.StripPrefix("/ui", http.FileServer(http.Dir(s.externalUI)))
+			r.Get("/ui", http.RedirectHandler("/ui/", http.StatusTemporaryRedirect).ServeHTTP)
+			r.Get("/ui/*", func(w http.ResponseWriter, r *http.Request) {
+				fs.ServeHTTP(w, r)
+			})
 		})
 	}
 	return s, nil
--- a/experimental/deprecated/constants.go
+++ b/experimental/deprecated/constants.go
@@ -1,11 +1,8 @@
 package deprecated

 import (
-	"fmt"
-
 	"github.com/sagernet/sing-box/common/badversion"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/locale"
 	F "github.com/sagernet/sing/common/format"

 	"golang.org/x/mod/semver"
@@ -37,9 +34,15 @@ func (n Note) Impending() bool {

 func (n Note) Message() string {
 	if n.MigrationLink != "" {
-		return fmt.Sprintf(locale.Current().DeprecatedMessage, n.Description, n.DeprecatedVersion, n.ScheduledVersion)
+		return F.ToString(
+			n.Description, " is deprecated in sing-box ", n.DeprecatedVersion,
+			" and will be removed in sing-box ", n.ScheduledVersion, ", please checkout documentation for migration.",
+		)
 	} else {
-		return fmt.Sprintf(locale.Current().DeprecatedMessageNoLink, n.Description, n.DeprecatedVersion, n.ScheduledVersion)
+		return F.ToString(
+			n.Description, " is deprecated in sing-box ", n.DeprecatedVersion,
+			" and will be removed in sing-box ", n.ScheduledVersion, ".",
+		)
 	}
 }

--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 	"time"

+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 )
@@ -113,7 +114,7 @@ func (c *CommandClient) Connect() error {
 		if err != nil {
 			return err
 		}
-		if sFixAndroidStack {
+		if C.FixAndroidStack {
 			go func() {
 				c.handler.Connected()
 				c.handler.InitializeClashMode(newIterator(modeList), currentMode)
--- a/experimental/libbox/config.go
+++ b/experimental/libbox/config.go
@@ -66,10 +66,6 @@ func (s *platformInterfaceStub) OpenTun(options *tun.Options, platformOptions op
 	return nil, os.ErrInvalid
 }

-func (s *platformInterfaceStub) UpdateRouteOptions(options *tun.Options, platformInterface option.TunPlatformOptions) error {
-	return os.ErrInvalid
-}
-
 func (s *platformInterfaceStub) UsePlatformDefaultInterfaceMonitor() bool {
 	return true
 }
--- a/experimental/libbox/monitor.go
+++ b/experimental/libbox/monitor.go
@@ -1,6 +1,7 @@
 package libbox

 import (
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -55,7 +56,7 @@ func (m *platformDefaultInterfaceMonitor) UnregisterCallback(element *list.Eleme
 }

 func (m *platformDefaultInterfaceMonitor) UpdateDefaultInterface(interfaceName string, interfaceIndex32 int32, isExpensive bool, isConstrained bool) {
-	if sFixAndroidStack {
+	if C.FixAndroidStack {
 		go m.updateDefaultInterface(interfaceName, interfaceIndex32, isExpensive, isConstrained)
 	} else {
 		m.updateDefaultInterface(interfaceName, interfaceIndex32, isExpensive, isConstrained)
--- a/experimental/libbox/platform.go
+++ b/experimental/libbox/platform.go
@@ -9,7 +9,6 @@ type PlatformInterface interface {
 	UsePlatformAutoDetectInterfaceControl() bool
 	AutoDetectInterfaceControl(fd int32) error
 	OpenTun(options TunOptions) (int32, error)
-	UpdateRouteOptions(options TunOptions) error
 	WriteLog(message string)
 	UseProcFS() bool
 	FindConnectionOwner(ipProtocol int32, sourceAddress string, sourcePort int32, destinationAddress string, destinationPort int32) (int32, error)
--- a/experimental/libbox/platform/interface.go
+++ b/experimental/libbox/platform/interface.go
@@ -13,7 +13,6 @@ type Interface interface {
 	UsePlatformAutoDetectInterfaceControl() bool
 	AutoDetectInterfaceControl(fd int) error
 	OpenTun(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error)
-	UpdateRouteOptions(options *tun.Options, platformOptions option.TunPlatformOptions) error
 	CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor
 	Interfaces() ([]adapter.NetworkInterface, error)
 	UnderNetworkExtension() bool
--- a/experimental/libbox/service.go
+++ b/experimental/libbox/service.go
@@ -81,7 +81,7 @@ func NewService(configContent string, platformInterface PlatformInterface) (*Box
 }

 func (s *BoxService) Start() error {
-	if sFixAndroidStack {
+	if C.FixAndroidStack {
 		var err error
 		done := make(chan struct{})
 		go func() {
@@ -148,10 +148,10 @@ func (w *platformInterfaceWrapper) AutoDetectInterfaceControl(fd int) error {

 func (w *platformInterfaceWrapper) OpenTun(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error) {
 	if len(options.IncludeUID) > 0 || len(options.ExcludeUID) > 0 {
-		return nil, E.New("platform: unsupported uid options")
+		return nil, E.New("android: unsupported uid options")
 	}
 	if len(options.IncludeAndroidUser) > 0 {
-		return nil, E.New("platform: unsupported android_user option")
+		return nil, E.New("android: unsupported android_user option")
 	}
 	routeRanges, err := options.BuildAutoRouteRanges(true)
 	if err != nil {
@@ -174,20 +174,6 @@ func (w *platformInterfaceWrapper) OpenTun(options *tun.Options, platformOptions
 	return tun.New(*options)
 }

-func (w *platformInterfaceWrapper) UpdateRouteOptions(options *tun.Options, platformOptions option.TunPlatformOptions) error {
-	if len(options.IncludeUID) > 0 || len(options.ExcludeUID) > 0 {
-		return E.New("android: unsupported uid options")
-	}
-	if len(options.IncludeAndroidUser) > 0 {
-		return E.New("android: unsupported android_user option")
-	}
-	routeRanges, err := options.BuildAutoRouteRanges(true)
-	if err != nil {
-		return err
-	}
-	return w.iif.UpdateRouteOptions(&tunOptions{options, routeRanges, platformOptions})
-}
-
 func (w *platformInterfaceWrapper) CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor {
 	return &platformDefaultInterfaceMonitor{
 		platformInterfaceWrapper: w,
--- a/experimental/libbox/setup.go
+++ b/experimental/libbox/setup.go
@@ -9,65 +9,48 @@ import (

 	"github.com/sagernet/sing-box/common/humanize"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/locale"
 	"github.com/sagernet/sing-box/log"
 )

 var (
-	sBasePath        string
-	sWorkingPath     string
-	sTempPath        string
-	sUserID          int
-	sGroupID         int
-	sTVOS            bool
-	sFixAndroidStack bool
+	sBasePath    string
+	sWorkingPath string
+	sTempPath    string
+	sUserID      int
+	sGroupID     int
+	sTVOS        bool
 )

 func init() {
 	debug.SetPanicOnFault(true)
 }

-type SetupOptions struct {
-	BasePath        string
-	WorkingPath     string
-	TempPath        string
-	Username        string
-	IsTVOS          bool
-	FixAndroidStack bool
-}
-
-func Setup(options *SetupOptions) error {
-	sBasePath = options.BasePath
-	sWorkingPath = options.WorkingPath
-	sTempPath = options.TempPath
-	if options.Username != "" {
-		sUser, err := user.Lookup(options.Username)
-		if err != nil {
-			return err
-		}
-		sUserID, _ = strconv.Atoi(sUser.Uid)
-		sGroupID, _ = strconv.Atoi(sUser.Gid)
-	} else {
-		sUserID = os.Getuid()
-		sGroupID = os.Getgid()
-	}
-	sTVOS = options.IsTVOS
-
-	// TODO: remove after fixed
-	// https://github.com/golang/go/issues/68760
-	sFixAndroidStack = options.FixAndroidStack
-
+func Setup(basePath string, workingPath string, tempPath string, isTVOS bool) {
+	sBasePath = basePath
+	sWorkingPath = workingPath
+	sTempPath = tempPath
+	sUserID = os.Getuid()
+	sGroupID = os.Getgid()
+	sTVOS = isTVOS
 	os.MkdirAll(sWorkingPath, 0o777)
 	os.MkdirAll(sTempPath, 0o777)
-	if options.Username != "" {
-		os.Chown(sWorkingPath, sUserID, sGroupID)
-		os.Chown(sTempPath, sUserID, sGroupID)
-	}
-	return nil
 }

-func SetLocale(localeId string) {
-	locale.Set(localeId)
+func SetupWithUsername(basePath string, workingPath string, tempPath string, username string) error {
+	sBasePath = basePath
+	sWorkingPath = workingPath
+	sTempPath = tempPath
+	sUser, err := user.Lookup(username)
+	if err != nil {
+		return err
+	}
+	sUserID, _ = strconv.Atoi(sUser.Uid)
+	sGroupID, _ = strconv.Atoi(sUser.Gid)
+	os.MkdirAll(sWorkingPath, 0o777)
+	os.MkdirAll(sTempPath, 0o777)
+	os.Chown(sWorkingPath, sUserID, sGroupID)
+	os.Chown(sTempPath, sUserID, sGroupID)
+	return nil
 }

 func Version() string {
--- a/experimental/libbox/tun.go
+++ b/experimental/libbox/tun.go
@@ -13,7 +13,7 @@ import (
 type TunOptions interface {
 	GetInet4Address() RoutePrefixIterator
 	GetInet6Address() RoutePrefixIterator
-	GetDNSServerAddress() (*StringBox, error)
+	GetDNSServerAddress() (string, error)
 	GetMTU() int32
 	GetAutoRoute() bool
 	GetStrictRoute() bool
@@ -89,11 +89,11 @@ func (o *tunOptions) GetInet6Address() RoutePrefixIterator {
 	return mapRoutePrefix(o.Inet6Address)
 }

-func (o *tunOptions) GetDNSServerAddress() (*StringBox, error) {
+func (o *tunOptions) GetDNSServerAddress() (string, error) {
 	if len(o.Inet4Address) == 0 || o.Inet4Address[0].Bits() == 32 {
-		return nil, E.New("need one more IPv4 address for DNS hijacking")
+		return "", E.New("need one more IPv4 address for DNS hijacking")
 	}
-	return wrapString(o.Inet4Address[0].Addr().Next().String()), nil
+	return o.Inet4Address[0].Addr().Next().String(), nil
 }

 func (o *tunOptions) GetMTU() int32 {
--- a/experimental/locale/locale.go
+++ b/experimental/locale/locale.go
@@ -1,30 +0,0 @@
-package locale
-
-var (
-	localeRegistry = make(map[string]*Locale)
-	current        = defaultLocal
-)
-
-type Locale struct {
-	// deprecated messages for graphical clients
-	DeprecatedMessage       string
-	DeprecatedMessageNoLink string
-}
-
-var defaultLocal = &Locale{
-	DeprecatedMessage:       "%s is deprecated in sing-box %s and will be removed in sing-box %s please checkout documentation for migration.",
-	DeprecatedMessageNoLink: "%s is deprecated in sing-box %s and will be removed in sing-box %s.",
-}
-
-func Current() *Locale {
-	return current
-}
-
-func Set(localeId string) bool {
-	locale, loaded := localeRegistry[localeId]
-	if !loaded {
-		return false
-	}
-	current = locale
-	return true
-}
--- a/experimental/locale/locale_zh_CN.go
+++ b/experimental/locale/locale_zh_CN.go
@@ -1,10 +0,0 @@
-package locale
-
-var warningMessageForEndUsers = "\n\n如果您不明白此消息意味着什么：您的配置文件已过时，且将很快不可用。请联系您的配置提供者以更新配置。"
-
-func init() {
-	localeRegistry["zh_CN"] = &Locale{
-		DeprecatedMessage:       "%s 已在 sing-box %s 中被弃用，且将在 sing-box %s 中被移除，请参阅迁移指南。" + warningMessageForEndUsers,
-		DeprecatedMessageNoLink: "%s 已在 sing-box %s 中被弃用，且将在 sing-box %s 中被移除。" + warningMessageForEndUsers,
-	}
-}
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,6 @@ require (
 	github.com/mholt/acmez v1.2.0
 	github.com/miekg/dns v1.1.62
 	github.com/oschwald/maxminddb-golang v1.12.0
-	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1
 	github.com/sagernet/cors v1.2.1
@@ -26,14 +25,14 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20241123041152-536d05261cff
 	github.com/sagernet/quic-go v0.48.2-beta.1
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.6.0-beta.9
+	github.com/sagernet/sing v0.6.0-beta.6
 	github.com/sagernet/sing-dns v0.4.0-beta.1
 	github.com/sagernet/sing-mux v0.3.0-alpha.1
 	github.com/sagernet/sing-quic v0.4.0-alpha.4
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.2.0-alpha.2
-	github.com/sagernet/sing-tun v0.6.0-beta.7
+	github.com/sagernet/sing-tun v0.6.0-beta.2
 	github.com/sagernet/sing-vmess v0.2.0-beta.1
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
 	github.com/sagernet/utls v1.6.7
@@ -59,9 +58,7 @@ require (
 require (
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.6 // indirect
-	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
@@ -69,7 +66,6 @@ require (
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -4,8 +4,6 @@ github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sx
 github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/caddyserver/certmagic v0.20.0 h1:bTw7LcEZAh9ucYCRXyCpIrSAGplplI0vGYJ4BpCQ/Fc=
 github.com/caddyserver/certmagic v0.20.0/go.mod h1:N4sXgpICQUskEWpj7zVzvWD41p3NYacrNoZYiRM2jTg=
-github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
-github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -14,8 +12,6 @@ github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbe
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:CaO/zOnF8VvUfEbhRatPcwKVWamvbYd8tQGRWacE9kU=
-github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
@@ -36,11 +32,8 @@ github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a h1:fEBsGL/sjAuJrgah5XqmmYsTLzJp/TO9Lhy39gkverk=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
@@ -96,8 +89,6 @@ github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1
 github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs=
 github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1 h1:qi+ijeREa0yfAaO+NOcZ81gv4uzOfALUIdhkiIFvmG4=
-github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1/go.mod h1:JULDuzTMn2gyZFcjpTVZP4/UuwAdbHJ0bum2RdjXojU=
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkkD2QgdTuzQG263YZ+2emfpeyGqW0=
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1 h1:YbmpqPQEMdlk9oFSKYWRqVuu9qzNiOayIonKmv1gCXY=
@@ -119,8 +110,8 @@ github.com/sagernet/quic-go v0.48.2-beta.1/go.mod h1:1WgdDIVD1Gybp40JTWketeSfKA/
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.6.0-beta.9 h1:P8lKa5hN53fRNAVCIKy5cWd6/kLO5c4slhdsfehSmHs=
-github.com/sagernet/sing v0.6.0-beta.9/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.6.0-beta.6 h1:IFnTCG06Z5rLMZJqw1ZmDncDl2N9gsVw0MGvgakrpg8=
+github.com/sagernet/sing v0.6.0-beta.6/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-dns v0.4.0-beta.1 h1:W1XkdhigwxDOMgMDVB+9kdomCpb7ExsZfB4acPcTZFY=
 github.com/sagernet/sing-dns v0.4.0-beta.1/go.mod h1:8wuFcoFkWM4vJuQyg8e97LyvDwe0/Vl7G839WLcKDs8=
 github.com/sagernet/sing-mux v0.3.0-alpha.1 h1:IgNX5bJBpL41gGbp05pdDOvh/b5eUQ6cv9240+Ngipg=
@@ -133,8 +124,8 @@ github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wK
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.0-alpha.2 h1:RPrpgAdkP5td0vLfS5ldvYosFjSsZtRPxiyLV6jyKg0=
 github.com/sagernet/sing-shadowtls v0.2.0-alpha.2/go.mod h1:0j5XlzKxaWRIEjc1uiSKmVoWb0k+L9QgZVb876+thZA=
-github.com/sagernet/sing-tun v0.6.0-beta.7 h1:FCSX8oGBqb0H57AAvfGeeH/jMGYWCOg6XWkN/oeES+0=
-github.com/sagernet/sing-tun v0.6.0-beta.7/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
+github.com/sagernet/sing-tun v0.6.0-beta.2 h1:GK7r2jWKm7RhlJGTq4QadgFcebQia1c3BO3OlYMcQJ0=
+github.com/sagernet/sing-tun v0.6.0-beta.2/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
 github.com/sagernet/sing-vmess v0.2.0-beta.1 h1:5sXQ23uwNlZuDvygzi0dFtnG0Csm/SNqTjAHXJkpuj4=
 github.com/sagernet/sing-vmess v0.2.0-beta.1/go.mod h1:fLyE1emIcvQ5DV8reFWnufquZ7MkCSYM5ThodsR9NrQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
@@ -204,8 +195,6 @@ golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
 golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
--- a/option/outbound.go
+++ b/option/outbound.go
@@ -65,24 +65,25 @@ type DialerOptionsWrapper interface {
 }

 type DialerOptions struct {
-	Detour              string                            `json:"detour,omitempty"`
-	BindInterface       string                            `json:"bind_interface,omitempty"`
-	Inet4BindAddress    *badoption.Addr                   `json:"inet4_bind_address,omitempty"`
-	Inet6BindAddress    *badoption.Addr                   `json:"inet6_bind_address,omitempty"`
-	ProtectPath         string                            `json:"protect_path,omitempty"`
-	RoutingMark         FwMark                            `json:"routing_mark,omitempty"`
-	ReuseAddr           bool                              `json:"reuse_addr,omitempty"`
-	ConnectTimeout      badoption.Duration                `json:"connect_timeout,omitempty"`
-	TCPFastOpen         bool                              `json:"tcp_fast_open,omitempty"`
-	TCPMultiPath        bool                              `json:"tcp_multi_path,omitempty"`
-	UDPFragment         *bool                             `json:"udp_fragment,omitempty"`
-	UDPFragmentDefault  bool                              `json:"-"`
-	DomainStrategy      DomainStrategy                    `json:"domain_strategy,omitempty"`
-	NetworkStrategy     *NetworkStrategy                  `json:"network_strategy,omitempty"`
-	NetworkType         badoption.Listable[InterfaceType] `json:"network_type,omitempty"`
-	FallbackNetworkType badoption.Listable[InterfaceType] `json:"fallback_network_type,omitempty"`
-	FallbackDelay       badoption.Duration                `json:"fallback_delay,omitempty"`
-	IsWireGuardListener bool                              `json:"-"`
+	Detour               string                            `json:"detour,omitempty"`
+	BindInterface        string                            `json:"bind_interface,omitempty"`
+	Inet4BindAddress     *badoption.Addr                   `json:"inet4_bind_address,omitempty"`
+	Inet6BindAddress     *badoption.Addr                   `json:"inet6_bind_address,omitempty"`
+	ProtectPath          string                            `json:"protect_path,omitempty"`
+	RoutingMark          FwMark                            `json:"routing_mark,omitempty"`
+	ReuseAddr            bool                              `json:"reuse_addr,omitempty"`
+	ConnectTimeout       badoption.Duration                `json:"connect_timeout,omitempty"`
+	TCPFastOpen          bool                              `json:"tcp_fast_open,omitempty"`
+	TCPMultiPath         bool                              `json:"tcp_multi_path,omitempty"`
+	UDPFragment          *bool                             `json:"udp_fragment,omitempty"`
+	UDPFragmentDefault   bool                              `json:"-"`
+	DomainStrategy       DomainStrategy                    `json:"domain_strategy,omitempty"`
+	NetworkStrategy      NetworkStrategy                   `json:"network_strategy,omitempty"`
+	NetworkType          badoption.Listable[InterfaceType] `json:"network_type,omitempty"`
+	FallbackNetworkType  badoption.Listable[InterfaceType] `json:"fallback_network_type,omitempty"`
+	FallbackDelay        badoption.Duration                `json:"fallback_delay,omitempty"`
+	NetworkFallbackDelay badoption.Duration                `json:"network_fallback_delay,omitempty"`
+	IsWireGuardListener  bool                              `json:"-"`
 }

 func (o *DialerOptions) TakeDialerOptions() DialerOptions {
--- a/option/route.go
+++ b/option/route.go
@@ -13,7 +13,7 @@ type RouteOptions struct {
 	OverrideAndroidVPN         bool                              `json:"override_android_vpn,omitempty"`
 	DefaultInterface           string                            `json:"default_interface,omitempty"`
 	DefaultMark                FwMark                            `json:"default_mark,omitempty"`
-	DefaultNetworkStrategy     *NetworkStrategy                  `json:"default_network_strategy,omitempty"`
+	DefaultNetworkStrategy     NetworkStrategy                   `json:"default_network_strategy,omitempty"`
 	DefaultNetworkType         badoption.Listable[InterfaceType] `json:"default_network_type,omitempty"`
 	DefaultFallbackNetworkType badoption.Listable[InterfaceType] `json:"default_fallback_network_type,omitempty"`
 	DefaultFallbackDelay       badoption.Duration                `json:"default_fallback_delay,omitempty"`
--- a/option/rule_action.go
+++ b/option/rule_action.go
@@ -145,8 +145,8 @@ type RawRouteOptionsActionOptions struct {
 	OverrideAddress string `json:"override_address,omitempty"`
 	OverridePort    uint16 `json:"override_port,omitempty"`

-	NetworkStrategy *NetworkStrategy `json:"network_strategy,omitempty"`
-	FallbackDelay   uint32           `json:"fallback_delay,omitempty"`
+	NetworkStrategy NetworkStrategy `json:"network_strategy,omitempty"`
+	FallbackDelay   uint32          `json:"fallback_delay,omitempty"`

 	UDPDisableDomainUnmapping bool               `json:"udp_disable_domain_unmapping,omitempty"`
 	UDPConnect                bool               `json:"udp_connect,omitempty"`
--- a/option/rule_set.go
+++ b/option/rule_set.go
@@ -194,9 +194,8 @@ func (r LogicalHeadlessRule) IsValid() bool {
 }

 type _PlainRuleSetCompat struct {
-	Version    uint8           `json:"version"`
-	Options    PlainRuleSet    `json:"-"`
-	RawMessage json.RawMessage `json:"-"`
+	Version uint8        `json:"version"`
+	Options PlainRuleSet `json:"-"`
 }

 type PlainRuleSetCompat _PlainRuleSetCompat
@@ -230,7 +229,6 @@ func (r *PlainRuleSetCompat) UnmarshalJSON(bytes []byte) error {
 	if err != nil {
 		return err
 	}
-	r.RawMessage = bytes
 	return nil
 }

--- a/protocol/direct/outbound.go
+++ b/protocol/direct/outbound.go
@@ -32,12 +32,16 @@ var (

 type Outbound struct {
 	outbound.Adapter
-	logger              logger.ContextLogger
-	dialer              dialer.ParallelInterfaceDialer
-	domainStrategy      dns.DomainStrategy
-	fallbackDelay       time.Duration
-	overrideOption      int
-	overrideDestination M.Socksaddr
+	logger               logger.ContextLogger
+	dialer               dialer.ParallelInterfaceDialer
+	domainStrategy       dns.DomainStrategy
+	fallbackDelay        time.Duration
+	networkStrategy      C.NetworkStrategy
+	networkType          []C.InterfaceType
+	fallbackNetworkType  []C.InterfaceType
+	networkFallbackDelay time.Duration
+	overrideOption       int
+	overrideDestination  M.Socksaddr
 	// loopBack *loopBackDetector
 }

@@ -48,11 +52,15 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		return nil, err
 	}
 	outbound := &Outbound{
-		Adapter:        outbound.NewAdapterWithDialerOptions(C.TypeDirect, tag, []string{N.NetworkTCP, N.NetworkUDP}, options.DialerOptions),
-		logger:         logger,
-		domainStrategy: dns.DomainStrategy(options.DomainStrategy),
-		fallbackDelay:  time.Duration(options.FallbackDelay),
-		dialer:         outboundDialer,
+		Adapter:              outbound.NewAdapterWithDialerOptions(C.TypeDirect, tag, []string{N.NetworkTCP, N.NetworkUDP}, options.DialerOptions),
+		logger:               logger,
+		domainStrategy:       dns.DomainStrategy(options.DomainStrategy),
+		fallbackDelay:        time.Duration(options.FallbackDelay),
+		networkStrategy:      C.NetworkStrategy(options.NetworkStrategy),
+		networkType:          common.Map(options.NetworkType, option.InterfaceType.Build),
+		fallbackNetworkType:  common.Map(options.FallbackNetworkType, option.InterfaceType.Build),
+		networkFallbackDelay: time.Duration(options.NetworkFallbackDelay),
+		dialer:               outboundDialer,
 		// loopBack:       newLoopBackDetector(router),
 	}
 	//nolint:staticcheck
@@ -170,10 +178,10 @@ func (h *Outbound) DialParallel(ctx context.Context, network string, destination
 			return nil, E.New("no IPv6 address available for ", destination)
 		}
 	}
-	return dialer.DialParallelNetwork(ctx, h.dialer, network, destination, destinationAddresses, domainStrategy == dns.DomainStrategyPreferIPv6, nil, nil, nil, h.fallbackDelay)
+	return dialer.DialParallelNetwork(ctx, h.dialer, network, destination, destinationAddresses, domainStrategy == dns.DomainStrategyPreferIPv6, h.networkStrategy, h.networkType, h.fallbackNetworkType, h.fallbackDelay)
 }

-func (h *Outbound) DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, networkStrategy *C.NetworkStrategy, networkType []C.InterfaceType, fallbackNetworkType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func (h *Outbound) DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, networkStrategy C.NetworkStrategy, networkType []C.InterfaceType, fallbackNetworkType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
@@ -213,7 +221,7 @@ func (h *Outbound) DialParallelNetwork(ctx context.Context, network string, dest
 	return dialer.DialParallelNetwork(ctx, h.dialer, network, destination, destinationAddresses, domainStrategy == dns.DomainStrategyPreferIPv6, networkStrategy, networkType, fallbackNetworkType, fallbackDelay)
 }

-func (h *Outbound) ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, networkStrategy *C.NetworkStrategy, networkType []C.InterfaceType, fallbackNetworkType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
+func (h *Outbound) ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, networkStrategy C.NetworkStrategy, networkType []C.InterfaceType, fallbackNetworkType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
--- a/protocol/http/inbound.go
+++ b/protocol/http/inbound.go
@@ -82,16 +82,16 @@ func (h *Inbound) Close() error {
 }

 func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	var err error
 	if h.tlsConfig != nil {
-		tlsConn, err := tls.ServerHandshake(ctx, conn, h.tlsConfig)
+		conn, err = tls.ServerHandshake(ctx, conn, h.tlsConfig)
 		if err != nil {
 			N.CloseOnHandshakeFailure(conn, onClose, err)
 			h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source, ": TLS handshake"))
 			return
 		}
-		conn = tlsConn
 	}
-	err := http.HandleConnectionEx(ctx, conn, std_bufio.NewReader(conn), h.authenticator, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), metadata.Source, onClose)
+	err = http.HandleConnectionEx(ctx, conn, std_bufio.NewReader(conn), h.authenticator, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), metadata.Source, onClose)
 	if err != nil {
 		N.CloseOnHandshakeFailure(conn, onClose, err)
 		h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source))
--- a/protocol/mixed/inbound.go
+++ b/protocol/mixed/inbound.go
@@ -110,19 +110,11 @@ func (h *Inbound) streamUserPacketConnection(ctx context.Context, conn N.PacketC
 	metadata.InboundType = h.Type()
 	user, loaded := auth.UserFromContext[string](ctx)
 	if !loaded {
-		if !metadata.Destination.IsValid() {
-			h.logger.InfoContext(ctx, "inbound packet connection")
-		} else {
-			h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
-		}
+		h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
 		h.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 		return
 	}
 	metadata.User = user
-	if !metadata.Destination.IsValid() {
-		h.logger.InfoContext(ctx, "[", user, "] inbound packet connection")
-	} else {
-		h.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
-	}
+	h.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
 	h.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 }
--- a/protocol/socks/inbound.go
+++ b/protocol/socks/inbound.go
@@ -92,19 +92,11 @@ func (h *Inbound) streamUserPacketConnection(ctx context.Context, conn N.PacketC
 	metadata.InboundType = h.Type()
 	user, loaded := auth.UserFromContext[string](ctx)
 	if !loaded {
-		if !metadata.Destination.IsValid() {
-			h.logger.InfoContext(ctx, "inbound packet connection")
-		} else {
-			h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
-		}
+		h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
 		h.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 		return
 	}
 	metadata.User = user
-	if !metadata.Destination.IsValid() {
-		h.logger.InfoContext(ctx, "[", user, "] inbound packet connection")
-	} else {
-		h.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
-	}
+	h.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
 	h.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 }
--- a/protocol/trojan/inbound.go
+++ b/protocol/trojan/inbound.go
@@ -159,16 +159,16 @@ func (h *Inbound) Close() error {
 }

 func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	var err error
 	if h.tlsConfig != nil && h.transport == nil {
-		tlsConn, err := tls.ServerHandshake(ctx, conn, h.tlsConfig)
+		conn, err = tls.ServerHandshake(ctx, conn, h.tlsConfig)
 		if err != nil {
 			N.CloseOnHandshakeFailure(conn, onClose, err)
 			h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source, ": TLS handshake"))
 			return
 		}
-		conn = tlsConn
 	}
-	err := h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, metadata.Source, onClose)
+	err = h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, metadata.Source, onClose)
 	if err != nil {
 		N.CloseOnHandshakeFailure(conn, onClose, err)
 		h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source))
--- a/protocol/tun/inbound.go
+++ b/protocol/tun/inbound.go
@@ -209,22 +209,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		platformInterface: service.FromContext[platform.Interface](ctx),
 		platformOptions:   common.PtrValueOrDefault(options.Platform),
 	}
-	for _, routeAddressSet := range options.RouteAddressSet {
-		ruleSet, loaded := router.RuleSet(routeAddressSet)
-		if !loaded {
-			return nil, E.New("parse route_address_set: rule-set not found: ", routeAddressSet)
-		}
-		ruleSet.IncRef()
-		inbound.routeRuleSet = append(inbound.routeRuleSet, ruleSet)
-	}
-	for _, routeExcludeAddressSet := range options.RouteExcludeAddressSet {
-		ruleSet, loaded := router.RuleSet(routeExcludeAddressSet)
-		if !loaded {
-			return nil, E.New("parse route_exclude_address_set: rule-set not found: ", routeExcludeAddressSet)
-		}
-		ruleSet.IncRef()
-		inbound.routeExcludeRuleSet = append(inbound.routeExcludeRuleSet, ruleSet)
-	}
 	if options.AutoRedirect {
 		if !options.AutoRoute {
 			return nil, E.New("`auto_route` is required by `auto_redirect`")
@@ -245,11 +229,32 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		if err != nil {
 			return nil, E.Cause(err, "initialize auto-redirect")
 		}
-		if runtime.GOOS != "android" && len(inbound.routeAddressSet) > 0 || len(inbound.routeExcludeAddressSet) > 0 {
-			inbound.tunOptions.AutoRedirectMarkMode = true
-			err = networkManager.RegisterAutoRedirectOutputMark(inbound.tunOptions.AutoRedirectOutputMark)
-			if err != nil {
-				return nil, err
+		if runtime.GOOS != "android" {
+			var markMode bool
+			for _, routeAddressSet := range options.RouteAddressSet {
+				ruleSet, loaded := router.RuleSet(routeAddressSet)
+				if !loaded {
+					return nil, E.New("parse route_address_set: rule-set not found: ", routeAddressSet)
+				}
+				ruleSet.IncRef()
+				inbound.routeRuleSet = append(inbound.routeRuleSet, ruleSet)
+				markMode = true
+			}
+			for _, routeExcludeAddressSet := range options.RouteExcludeAddressSet {
+				ruleSet, loaded := router.RuleSet(routeExcludeAddressSet)
+				if !loaded {
+					return nil, E.New("parse route_exclude_address_set: rule-set not found: ", routeExcludeAddressSet)
+				}
+				ruleSet.IncRef()
+				inbound.routeExcludeRuleSet = append(inbound.routeExcludeRuleSet, ruleSet)
+				markMode = true
+			}
+			if markMode {
+				inbound.tunOptions.AutoRedirectMarkMode = true
+				err = networkManager.RegisterAutoRedirectOutputMark(inbound.tunOptions.AutoRedirectOutputMark)
+				if err != nil {
+					return nil, err
+				}
 			}
 		}
 	}
@@ -305,62 +310,18 @@ func (t *Inbound) Start(stage adapter.StartStage) error {
 		if t.tunOptions.Name == "" {
 			t.tunOptions.Name = tun.CalculateInterfaceName("")
 		}
-		if t.platformInterface == nil || runtime.GOOS != "android" {
-			t.routeAddressSet = common.FlatMap(t.routeRuleSet, adapter.RuleSet.ExtractIPSet)
-			for _, routeRuleSet := range t.routeRuleSet {
-				ipSets := routeRuleSet.ExtractIPSet()
-				if len(ipSets) == 0 {
-					t.logger.Warn("route_address_set: no destination IP CIDR rules found in rule-set: ", routeRuleSet.Name())
-				}
-				t.routeRuleSetCallback = append(t.routeRuleSetCallback, routeRuleSet.RegisterCallback(t.updateRouteAddressSet))
-				routeRuleSet.DecRef()
-				t.routeAddressSet = append(t.routeAddressSet, ipSets...)
-			}
-			t.routeExcludeAddressSet = common.FlatMap(t.routeExcludeRuleSet, adapter.RuleSet.ExtractIPSet)
-			for _, routeExcludeRuleSet := range t.routeExcludeRuleSet {
-				ipSets := routeExcludeRuleSet.ExtractIPSet()
-				if len(ipSets) == 0 {
-					t.logger.Warn("route_address_set: no destination IP CIDR rules found in rule-set: ", routeExcludeRuleSet.Name())
-				}
-				t.routeExcludeRuleSetCallback = append(t.routeExcludeRuleSetCallback, routeExcludeRuleSet.RegisterCallback(t.updateRouteAddressSet))
-				routeExcludeRuleSet.DecRef()
-				t.routeExcludeAddressSet = append(t.routeExcludeAddressSet, ipSets...)
-			}
-		}
 		var (
 			tunInterface tun.Tun
 			err          error
 		)
 		monitor := taskmonitor.New(t.logger, C.StartTimeout)
-		tunOptions := t.tunOptions
-		if t.autoRedirect == nil && !(runtime.GOOS == "android" && t.platformInterface != nil) {
-			for _, ipSet := range t.routeAddressSet {
-				for _, prefix := range ipSet.Prefixes() {
-					if prefix.Addr().Is4() {
-						tunOptions.Inet4RouteAddress = append(tunOptions.Inet4RouteAddress, prefix)
-					} else {
-						tunOptions.Inet6RouteAddress = append(tunOptions.Inet6RouteAddress, prefix)
-					}
-				}
-			}
-			for _, ipSet := range t.routeExcludeAddressSet {
-				for _, prefix := range ipSet.Prefixes() {
-					if prefix.Addr().Is4() {
-						tunOptions.Inet4RouteExcludeAddress = append(tunOptions.Inet4RouteExcludeAddress, prefix)
-					} else {
-						tunOptions.Inet6RouteExcludeAddress = append(tunOptions.Inet6RouteExcludeAddress, prefix)
-					}
-				}
-			}
-		}
-		monitor.Start("open interface")
+		monitor.Start("open tun interface")
 		if t.platformInterface != nil {
-			tunInterface, err = t.platformInterface.OpenTun(&tunOptions, t.platformOptions)
+			tunInterface, err = t.platformInterface.OpenTun(&t.tunOptions, t.platformOptions)
 		} else {
-			tunInterface, err = tun.New(tunOptions)
+			tunInterface, err = tun.New(t.tunOptions)
 		}
 		monitor.Finish()
-		t.tunOptions.Name = tunOptions.Name
 		if err != nil {
 			return E.Cause(err, "configure tun interface")
 		}
@@ -405,15 +366,39 @@ func (t *Inbound) Start(stage adapter.StartStage) error {
 			return E.Cause(err, "starting TUN interface")
 		}
 		if t.autoRedirect != nil {
+			t.routeAddressSet = common.FlatMap(t.routeRuleSet, adapter.RuleSet.ExtractIPSet)
+			for _, routeRuleSet := range t.routeRuleSet {
+				ipSets := routeRuleSet.ExtractIPSet()
+				if len(ipSets) == 0 {
+					t.logger.Warn("route_address_set: no destination IP CIDR rules found in rule-set: ", routeRuleSet.Name())
+				}
+				t.routeAddressSet = append(t.routeAddressSet, ipSets...)
+			}
+			t.routeExcludeAddressSet = common.FlatMap(t.routeExcludeRuleSet, adapter.RuleSet.ExtractIPSet)
+			for _, routeExcludeRuleSet := range t.routeExcludeRuleSet {
+				ipSets := routeExcludeRuleSet.ExtractIPSet()
+				if len(ipSets) == 0 {
+					t.logger.Warn("route_address_set: no destination IP CIDR rules found in rule-set: ", routeExcludeRuleSet.Name())
+				}
+				t.routeExcludeAddressSet = append(t.routeExcludeAddressSet, ipSets...)
+			}
 			monitor.Start("initialize auto-redirect")
 			err := t.autoRedirect.Start()
 			monitor.Finish()
 			if err != nil {
 				return E.Cause(err, "auto-redirect")
 			}
+			for _, routeRuleSet := range t.routeRuleSet {
+				t.routeRuleSetCallback = append(t.routeRuleSetCallback, routeRuleSet.RegisterCallback(t.updateRouteAddressSet))
+				routeRuleSet.DecRef()
+			}
+			for _, routeExcludeRuleSet := range t.routeExcludeRuleSet {
+				t.routeExcludeRuleSetCallback = append(t.routeExcludeRuleSetCallback, routeExcludeRuleSet.RegisterCallback(t.updateRouteAddressSet))
+				routeExcludeRuleSet.DecRef()
+			}
+			t.routeAddressSet = nil
+			t.routeExcludeAddressSet = nil
 		}
-		t.routeAddressSet = nil
-		t.routeExcludeAddressSet = nil
 	}
 	return nil
 }
@@ -421,41 +406,7 @@ func (t *Inbound) Start(stage adapter.StartStage) error {
 func (t *Inbound) updateRouteAddressSet(it adapter.RuleSet) {
 	t.routeAddressSet = common.FlatMap(t.routeRuleSet, adapter.RuleSet.ExtractIPSet)
 	t.routeExcludeAddressSet = common.FlatMap(t.routeExcludeRuleSet, adapter.RuleSet.ExtractIPSet)
-	if t.autoRedirect != nil {
-		t.autoRedirect.UpdateRouteAddressSet()
-	} else {
-		tunOptions := t.tunOptions
-		for _, ipSet := range t.routeAddressSet {
-			for _, prefix := range ipSet.Prefixes() {
-				if prefix.Addr().Is4() {
-					tunOptions.Inet4RouteAddress = append(tunOptions.Inet4RouteAddress, prefix)
-				} else {
-					tunOptions.Inet6RouteAddress = append(tunOptions.Inet6RouteAddress, prefix)
-				}
-			}
-		}
-		for _, ipSet := range t.routeExcludeAddressSet {
-			for _, prefix := range ipSet.Prefixes() {
-				if prefix.Addr().Is4() {
-					tunOptions.Inet4RouteExcludeAddress = append(tunOptions.Inet4RouteExcludeAddress, prefix)
-				} else {
-					tunOptions.Inet6RouteExcludeAddress = append(tunOptions.Inet6RouteExcludeAddress, prefix)
-				}
-			}
-		}
-		if t.platformInterface != nil {
-			err := t.platformInterface.UpdateRouteOptions(&tunOptions, t.platformOptions)
-			if err != nil {
-				t.logger.Error("update route addresses: ", err)
-			}
-		} else {
-			err := t.tunIf.UpdateRouteOptions(tunOptions)
-			if err != nil {
-				t.logger.Error("update route addresses: ", err)
-			}
-		}
-		t.logger.Info("updated route addresses")
-	}
+	t.autoRedirect.UpdateRouteAddressSet()
 	t.routeAddressSet = nil
 	t.routeExcludeAddressSet = nil
 }
--- a/protocol/vless/inbound.go
+++ b/protocol/vless/inbound.go
@@ -139,16 +139,16 @@ func (h *Inbound) Close() error {
 }

 func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	var err error
 	if h.tlsConfig != nil && h.transport == nil {
-		tlsConn, err := tls.ServerHandshake(ctx, conn, h.tlsConfig)
+		conn, err = tls.ServerHandshake(ctx, conn, h.tlsConfig)
 		if err != nil {
 			N.CloseOnHandshakeFailure(conn, onClose, err)
 			h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source, ": TLS handshake"))
 			return
 		}
-		conn = tlsConn
 	}
-	err := h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, metadata.Source, onClose)
+	err = h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, metadata.Source, onClose)
 	if err != nil {
 		N.CloseOnHandshakeFailure(conn, onClose, err)
 		h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source))
--- a/protocol/vmess/inbound.go
+++ b/protocol/vmess/inbound.go
@@ -153,16 +153,16 @@ func (h *Inbound) Close() error {
 }

 func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	var err error
 	if h.tlsConfig != nil && h.transport == nil {
-		tlsConn, err := tls.ServerHandshake(ctx, conn, h.tlsConfig)
+		conn, err = tls.ServerHandshake(ctx, conn, h.tlsConfig)
 		if err != nil {
 			N.CloseOnHandshakeFailure(conn, onClose, err)
 			h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source, ": TLS handshake"))
 			return
 		}
-		conn = tlsConn
 	}
-	err := h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, metadata.Source, onClose)
+	err = h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, metadata.Source, onClose)
 	if err != nil {
 		N.CloseOnHandshakeFailure(conn, onClose, err)
 		h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source))
--- a/protocol/wireguard/endpoint.go
+++ b/protocol/wireguard/endpoint.go
@@ -20,6 +20,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
 )

 func RegisterEndpoint(registry *endpoint.Registry) {
@@ -69,7 +70,7 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 		UDPTimeout: udpTimeout,
 		Dialer:     outboundDialer,
 		CreateDialer: func(interfaceName string) N.Dialer {
-			return common.Must1(dialer.NewDefault(ctx, option.DialerOptions{
+			return common.Must1(dialer.NewDefault(service.FromContext[adapter.NetworkManager](ctx), option.DialerOptions{
 				BindInterface: interfaceName,
 			}))
 		},
--- a/protocol/wireguard/outbound.go
+++ b/protocol/wireguard/outbound.go
@@ -19,6 +19,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
 )

 func RegisterOutbound(registry *outbound.Registry) {
@@ -85,7 +86,7 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		System:  options.SystemInterface,
 		Dialer:  outboundDialer,
 		CreateDialer: func(interfaceName string) N.Dialer {
-			return common.Must1(dialer.NewDefault(ctx, option.DialerOptions{
+			return common.Must1(dialer.NewDefault(service.FromContext[adapter.NetworkManager](ctx), option.DialerOptions{
 				BindInterface: interfaceName,
 			}))
 		},
--- a/release/completions/sing-box.bash
+++ b/release/completions/sing-box.bash
@@ -1179,36 +1179,6 @@ _sing-box_rule-set_match()
    noun_aliases=()
 }

-_sing-box_rule-set_merge()
-{
-    last_command="sing-box_rule-set_merge"
-
-    command_aliases=()
-
-    commands=()
-
-    flags=()
-    two_word_flags=()
-    local_nonpersistent_flags=()
-    flags_with_completion=()
-    flags_completion=()
-
-    flags+=("--config=")
-    two_word_flags+=("--config")
-    two_word_flags+=("-c")
-    flags+=("--config-directory=")
-    two_word_flags+=("--config-directory")
-    two_word_flags+=("-C")
-    flags+=("--directory=")
-    two_word_flags+=("--directory")
-    two_word_flags+=("-D")
-    flags+=("--disable-color")
-
-    must_have_one_flag=()
-    must_have_one_noun=()
-    noun_aliases=()
-}
-
 _sing-box_rule-set_upgrade()
 {
    last_command="sing-box_rule-set_upgrade"
@@ -1255,7 +1225,6 @@ _sing-box_rule-set()
    commands+=("decompile")
    commands+=("format")
    commands+=("match")
-    commands+=("merge")
    commands+=("upgrade")

    flags=()
--- a/route/conn.go
+++ b/route/conn.go
@@ -56,7 +56,7 @@ func (m *ConnectionManager) NewConnection(ctx context.Context, this N.Dialer, co
 		remoteConn net.Conn
 		err        error
 	)
-	if len(metadata.DestinationAddresses) > 0 || metadata.Destination.IsIP() {
+	if len(metadata.DestinationAddresses) > 0 {
 		remoteConn, err = dialer.DialSerialNetwork(ctx, this, N.NetworkTCP, metadata.Destination, metadata.DestinationAddresses, metadata.NetworkStrategy, metadata.NetworkType, metadata.FallbackNetworkType, metadata.FallbackDelay)
 	} else {
 		remoteConn, err = this.DialContext(ctx, N.NetworkTCP, metadata.Destination)
@@ -97,19 +97,12 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 		err                error
 	)
 	if metadata.UDPConnect {
-		parallelDialer, isParallelDialer := this.(dialer.ParallelInterfaceDialer)
 		if len(metadata.DestinationAddresses) > 0 {
-			if isParallelDialer {
+			if parallelDialer, isParallelDialer := this.(dialer.ParallelInterfaceDialer); isParallelDialer {
 				remoteConn, err = dialer.DialSerialNetwork(ctx, parallelDialer, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses, metadata.NetworkStrategy, metadata.NetworkType, metadata.FallbackNetworkType, metadata.FallbackDelay)
 			} else {
 				remoteConn, err = N.DialSerial(ctx, this, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses)
 			}
-		} else if metadata.Destination.IsIP() {
-			if isParallelDialer {
-				remoteConn, err = dialer.DialSerialNetwork(ctx, parallelDialer, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses, metadata.NetworkStrategy, metadata.NetworkType, metadata.FallbackNetworkType, metadata.FallbackDelay)
-			} else {
-				remoteConn, err = this.DialContext(ctx, N.NetworkUDP, metadata.Destination)
-			}
 		} else {
 			remoteConn, err = this.DialContext(ctx, N.NetworkUDP, metadata.Destination)
 		}
--- a/route/network.go
+++ b/route/network.go
@@ -62,7 +62,7 @@ func NewNetworkManager(ctx context.Context, logger logger.ContextLogger, routeOp
 		defaultOptions: adapter.NetworkOptions{
 			BindInterface:       routeOptions.DefaultInterface,
 			RoutingMark:         uint32(routeOptions.DefaultMark),
-			NetworkStrategy:     (*C.NetworkStrategy)(routeOptions.DefaultNetworkStrategy),
+			NetworkStrategy:     C.NetworkStrategy(routeOptions.DefaultNetworkStrategy),
 			NetworkType:         common.Map(routeOptions.DefaultNetworkType, option.InterfaceType.Build),
 			FallbackNetworkType: common.Map(routeOptions.DefaultFallbackNetworkType, option.InterfaceType.Build),
 			FallbackDelay:       time.Duration(routeOptions.DefaultFallbackDelay),
@@ -73,7 +73,7 @@ func NewNetworkManager(ctx context.Context, logger logger.ContextLogger, routeOp
 		inbound:           service.FromContext[adapter.InboundManager](ctx),
 		outbound:          service.FromContext[adapter.OutboundManager](ctx),
 	}
-	if routeOptions.DefaultNetworkStrategy != nil {
+	if C.NetworkStrategy(routeOptions.DefaultNetworkStrategy) != C.NetworkStrategyDefault {
 		if routeOptions.DefaultInterface != "" {
 			return nil, E.New("`default_network_strategy` is conflict with `default_interface`")
 		}
--- a/route/route.go
+++ b/route/route.go
@@ -415,18 +415,8 @@ match:
 					Fqdn: metadata.Destination.Fqdn,
 				}
 			}
-			if routeOptions.NetworkStrategy != nil {
-				metadata.NetworkStrategy = routeOptions.NetworkStrategy
-			}
-			if len(routeOptions.NetworkType) > 0 {
-				metadata.NetworkType = routeOptions.NetworkType
-			}
-			if len(routeOptions.FallbackNetworkType) > 0 {
-				metadata.FallbackNetworkType = routeOptions.FallbackNetworkType
-			}
-			if routeOptions.FallbackDelay != 0 {
-				metadata.FallbackDelay = routeOptions.FallbackDelay
-			}
+			metadata.NetworkStrategy = routeOptions.NetworkStrategy
+			metadata.FallbackDelay = routeOptions.FallbackDelay
 			if routeOptions.UDPDisableDomainUnmapping {
 				metadata.UDPDisableDomainUnmapping = true
 			}
@@ -473,7 +463,7 @@ match:
 	}
 	if !preMatch && inputPacketConn != nil && !metadata.Destination.IsFqdn() && !metadata.Destination.Addr.IsGlobalUnicast() {
 		var timeout time.Duration
-		if metadata.InboundType == C.TypeSOCKS || metadata.InboundType == C.TypeMixed {
+		if metadata.InboundType == C.TypeSOCKS {
 			timeout = C.TCPTimeout
 		}
 		newBuffer, newPacketBuffers, newErr := r.actionSniff(ctx, metadata, &rule.RuleActionSniff{Timeout: timeout}, inputConn, inputPacketConn)
@@ -572,7 +562,7 @@ func (r *Router) actionSniff(
 					return
 				}
 			} else {
-				if !metadata.Destination.IsFqdn() && !metadata.Destination.Addr.IsGlobalUnicast() {
+				if !metadata.Destination.Addr.IsGlobalUnicast() {
 					metadata.Destination = destination
 				}
 				if len(packetBuffers) > 0 {
--- a/route/route_dns.go
+++ b/route/route_dns.go
@@ -45,70 +45,69 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 		panic("no context")
 	}
 	var options dns.QueryOptions
-	var (
-		currentRuleIndex int
-		currentRule      adapter.DNSRule
-	)
-	if ruleIndex != -1 {
-		currentRuleIndex = ruleIndex + 1
-	}
-	for currentRuleIndex, currentRule = range r.dnsRules[currentRuleIndex:] {
-		if currentRule.WithAddressLimit() && !isAddressQuery {
-			continue
+	if ruleIndex < len(r.dnsRules) {
+		dnsRules := r.dnsRules
+		if ruleIndex != -1 {
+			dnsRules = dnsRules[ruleIndex+1:]
 		}
-		metadata.ResetRuleCache()
-		if currentRule.Match(metadata) {
-			displayRuleIndex := currentRuleIndex
-			if ruleIndex != -1 {
-				displayRuleIndex += ruleIndex + 1
+		for currentRuleIndex, currentRule := range dnsRules {
+			if currentRule.WithAddressLimit() && !isAddressQuery {
+				continue
 			}
-			ruleDescription := currentRule.String()
-			if ruleDescription != "" {
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] ", currentRule, " => ", currentRule.Action())
-			} else {
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
-			}
-			switch action := currentRule.Action().(type) {
-			case *R.RuleActionDNSRoute:
-				transport, loaded := r.transportMap[action.Server]
-				if !loaded {
-					r.dnsLogger.ErrorContext(ctx, "transport not found: ", action.Server)
-					continue
+			metadata.ResetRuleCache()
+			if currentRule.Match(metadata) {
+				displayRuleIndex := currentRuleIndex
+				if displayRuleIndex != -1 {
+					displayRuleIndex += displayRuleIndex + 1
 				}
-				_, isFakeIP := transport.(adapter.FakeIPTransport)
-				if isFakeIP && !allowFakeIP {
-					continue
-				}
-				if isFakeIP || action.DisableCache {
-					options.DisableCache = true
-				}
-				if action.RewriteTTL != nil {
-					options.RewriteTTL = action.RewriteTTL
-				}
-				if action.ClientSubnet.IsValid() {
-					options.ClientSubnet = action.ClientSubnet
-				}
-				if domainStrategy, dsLoaded := r.transportDomainStrategy[transport]; dsLoaded {
-					options.Strategy = domainStrategy
+				ruleDescription := currentRule.String()
+				if ruleDescription != "" {
+					r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] ", currentRule, " => ", currentRule.Action())
 				} else {
-					options.Strategy = r.defaultDomainStrategy
+					r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
 				}
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
-				return transport, options, currentRule, currentRuleIndex
-			case *R.RuleActionDNSRouteOptions:
-				if action.DisableCache {
-					options.DisableCache = true
+				switch action := currentRule.Action().(type) {
+				case *R.RuleActionDNSRoute:
+					transport, loaded := r.transportMap[action.Server]
+					if !loaded {
+						r.dnsLogger.ErrorContext(ctx, "transport not found: ", action.Server)
+						continue
+					}
+					_, isFakeIP := transport.(adapter.FakeIPTransport)
+					if isFakeIP && !allowFakeIP {
+						continue
+					}
+					if isFakeIP || action.DisableCache {
+						options.DisableCache = true
+					}
+					if action.RewriteTTL != nil {
+						options.RewriteTTL = action.RewriteTTL
+					}
+					if action.ClientSubnet.IsValid() {
+						options.ClientSubnet = action.ClientSubnet
+					}
+					if domainStrategy, dsLoaded := r.transportDomainStrategy[transport]; dsLoaded {
+						options.Strategy = domainStrategy
+					} else {
+						options.Strategy = r.defaultDomainStrategy
+					}
+					r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+					return transport, options, currentRule, currentRuleIndex
+				case *R.RuleActionDNSRouteOptions:
+					if action.DisableCache {
+						options.DisableCache = true
+					}
+					if action.RewriteTTL != nil {
+						options.RewriteTTL = action.RewriteTTL
+					}
+					if action.ClientSubnet.IsValid() {
+						options.ClientSubnet = action.ClientSubnet
+					}
+					r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+				case *R.RuleActionReject:
+					r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+					return nil, options, currentRule, currentRuleIndex
 				}
-				if action.RewriteTTL != nil {
-					options.RewriteTTL = action.RewriteTTL
-				}
-				if action.ClientSubnet.IsValid() {
-					options.ClientSubnet = action.ClientSubnet
-				}
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
-			case *R.RuleActionReject:
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
-				return nil, options, currentRule, currentRuleIndex
 			}
 		}
 	}
--- a/route/router.go
+++ b/route/router.go
@@ -262,7 +262,7 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.Route
 				Context: ctx,
 				Name:    "local",
 				Address: "local",
-				Dialer:  common.Must1(dialer.NewDefault(ctx, option.DialerOptions{})),
+				Dialer:  common.Must1(dialer.NewDefault(router.network, option.DialerOptions{})),
 			})))
 		}
 		defaultTransport = transports[0]
@@ -363,6 +363,7 @@ func (r *Router) Start(stage adapter.StartStage) error {
 				return E.Cause(err, "initialize DNS server[", i, "]")
 			}
 		}
+	case adapter.StartStatePostStart:
 		var cacheContext *adapter.HTTPStartContext
 		if len(r.ruleSets) > 0 {
 			monitor.Start("initialize rule-set")
@@ -418,7 +419,6 @@ func (r *Router) Start(stage adapter.StartStage) error {
 				}
 			}
 		}
-	case adapter.StartStatePostStart:
 		for i, rule := range r.rules {
 			monitor.Start("initialize rule[", i, "]")
 			err := rule.Start()
--- a/route/rule/rule_action.go
+++ b/route/rule/rule_action.go
@@ -33,7 +33,7 @@ func NewRuleAction(ctx context.Context, logger logger.ContextLogger, action opti
 			RuleActionRouteOptions: RuleActionRouteOptions{
 				OverrideAddress:           M.ParseSocksaddrHostPort(action.RouteOptions.OverrideAddress, 0),
 				OverridePort:              action.RouteOptions.OverridePort,
-				NetworkStrategy:           (*C.NetworkStrategy)(action.RouteOptions.NetworkStrategy),
+				NetworkStrategy:           C.NetworkStrategy(action.RouteOptions.NetworkStrategy),
 				FallbackDelay:             time.Duration(action.RouteOptions.FallbackDelay),
 				UDPDisableDomainUnmapping: action.RouteOptions.UDPDisableDomainUnmapping,
 				UDPConnect:                action.RouteOptions.UDPConnect,
@@ -43,7 +43,7 @@ func NewRuleAction(ctx context.Context, logger logger.ContextLogger, action opti
 		return &RuleActionRouteOptions{
 			OverrideAddress:           M.ParseSocksaddrHostPort(action.RouteOptionsOptions.OverrideAddress, 0),
 			OverridePort:              action.RouteOptionsOptions.OverridePort,
-			NetworkStrategy:           (*C.NetworkStrategy)(action.RouteOptionsOptions.NetworkStrategy),
+			NetworkStrategy:           C.NetworkStrategy(action.RouteOptionsOptions.NetworkStrategy),
 			FallbackDelay:             time.Duration(action.RouteOptionsOptions.FallbackDelay),
 			UDPDisableDomainUnmapping: action.RouteOptionsOptions.UDPDisableDomainUnmapping,
 			UDPConnect:                action.RouteOptionsOptions.UDPConnect,
@@ -147,7 +147,7 @@ func (r *RuleActionRoute) String() string {
 type RuleActionRouteOptions struct {
 	OverrideAddress           M.Socksaddr
 	OverridePort              uint16
-	NetworkStrategy           *C.NetworkStrategy
+	NetworkStrategy           C.NetworkStrategy
 	NetworkType               []C.InterfaceType
 	FallbackNetworkType       []C.InterfaceType
 	FallbackDelay             time.Duration
--- a/route/rule_conds.go
+++ b/route/rule_conds.go
@@ -55,15 +55,15 @@ func isGeositeDNSRule(rule option.DefaultDNSRule) bool {
 }

 func isProcessRule(rule option.DefaultRule) bool {
-	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.ProcessPathRegex) > 0 || len(rule.PackageName) > 0 || len(rule.User) > 0 || len(rule.UserID) > 0
+	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.PackageName) > 0 || len(rule.User) > 0 || len(rule.UserID) > 0
 }

 func isProcessDNSRule(rule option.DefaultDNSRule) bool {
-	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.ProcessPathRegex) > 0 || len(rule.PackageName) > 0 || len(rule.User) > 0 || len(rule.UserID) > 0
+	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.PackageName) > 0 || len(rule.User) > 0 || len(rule.UserID) > 0
 }

 func isProcessHeadlessRule(rule option.DefaultHeadlessRule) bool {
-	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.ProcessPathRegex) > 0 || len(rule.PackageName) > 0
+	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.PackageName) > 0
 }

 func notPrivateNode(code string) bool {
--- a/test/go.mod
+++ b/test/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/docker/go-connections v0.5.0
 	github.com/gofrs/uuid/v5 v5.3.0
 	github.com/sagernet/quic-go v0.48.2-beta.1
-	github.com/sagernet/sing v0.6.0-beta.9
+	github.com/sagernet/sing v0.6.0-beta.5
 	github.com/sagernet/sing-dns v0.4.0-beta.1
 	github.com/sagernet/sing-quic v0.4.0-alpha.4
 	github.com/sagernet/sing-shadowsocks v0.2.7
@@ -85,7 +85,7 @@ require (
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 // indirect
 	github.com/sagernet/sing-mux v0.3.0-alpha.1 // indirect
 	github.com/sagernet/sing-shadowtls v0.2.0-alpha.2 // indirect
-	github.com/sagernet/sing-tun v0.6.0-beta.7 // indirect
+	github.com/sagernet/sing-tun v0.6.0-beta.2 // indirect
 	github.com/sagernet/sing-vmess v0.2.0-beta.1 // indirect
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 // indirect
 	github.com/sagernet/utls v1.6.7 // indirect
--- a/test/go.sum
+++ b/test/go.sum
@@ -146,8 +146,8 @@ github.com/sagernet/quic-go v0.48.2-beta.1/go.mod h1:1WgdDIVD1Gybp40JTWketeSfKA/
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.6.0-beta.9 h1:P8lKa5hN53fRNAVCIKy5cWd6/kLO5c4slhdsfehSmHs=
-github.com/sagernet/sing v0.6.0-beta.9/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.6.0-beta.5 h1:RD2j8WmJsvAbbBkAlJWaiYmnd+v/JohBiweoew7kMwo=
+github.com/sagernet/sing v0.6.0-beta.5/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-dns v0.4.0-beta.1 h1:W1XkdhigwxDOMgMDVB+9kdomCpb7ExsZfB4acPcTZFY=
 github.com/sagernet/sing-dns v0.4.0-beta.1/go.mod h1:8wuFcoFkWM4vJuQyg8e97LyvDwe0/Vl7G839WLcKDs8=
 github.com/sagernet/sing-mux v0.3.0-alpha.1 h1:IgNX5bJBpL41gGbp05pdDOvh/b5eUQ6cv9240+Ngipg=
@@ -160,8 +160,8 @@ github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wK
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.0-alpha.2 h1:RPrpgAdkP5td0vLfS5ldvYosFjSsZtRPxiyLV6jyKg0=
 github.com/sagernet/sing-shadowtls v0.2.0-alpha.2/go.mod h1:0j5XlzKxaWRIEjc1uiSKmVoWb0k+L9QgZVb876+thZA=
-github.com/sagernet/sing-tun v0.6.0-beta.7 h1:FCSX8oGBqb0H57AAvfGeeH/jMGYWCOg6XWkN/oeES+0=
-github.com/sagernet/sing-tun v0.6.0-beta.7/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
+github.com/sagernet/sing-tun v0.6.0-beta.2 h1:GK7r2jWKm7RhlJGTq4QadgFcebQia1c3BO3OlYMcQJ0=
+github.com/sagernet/sing-tun v0.6.0-beta.2/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
 github.com/sagernet/sing-vmess v0.2.0-beta.1 h1:5sXQ23uwNlZuDvygzi0dFtnG0Csm/SNqTjAHXJkpuj4=
 github.com/sagernet/sing-vmess v0.2.0-beta.1/go.mod h1:fLyE1emIcvQ5DV8reFWnufquZ7MkCSYM5ThodsR9NrQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
--- a/transport/dhcp/server.go
+++ b/transport/dhcp/server.go
@@ -253,7 +253,7 @@ func (t *Transport) recreateServers(iface *control.Interface, serverAddrs []neti
 			return it.String()
 		}), ","), "]")
 	}
-	serverDialer := common.Must1(dialer.NewDefault(t.options.Context, option.DialerOptions{
+	serverDialer := common.Must1(dialer.NewDefault(t.networkManager, option.DialerOptions{
 		BindInterface:      iface.Name,
 		UDPFragmentDefault: true,
 	}))
Author	SHA1	Message	Date
世界	658d4a180b	Use stdlib ech	2024-12-11 19:33:53 +08:00
世界	93966bdd36	documentation: Bump version	2024-12-10 21:38:13 +08:00
世界	14a4b0f922	Fix socks5 UDP implementation	2024-12-10 21:38:04 +08:00
世界	919b08e64c	clash-api: Fix missing endpoints	2024-12-10 21:37:36 +08:00
世界	bdd2472065	hysteria2: Add more masquerade options	2024-12-10 21:37:36 +08:00
世界	705c23866a	Improve timeouts	2024-12-10 21:37:36 +08:00
世界	ec310170cc	Add UDP timeout route option	2024-12-10 21:37:35 +08:00
世界	7405b22dc8	Make GSO adaptive	2024-12-10 21:37:35 +08:00
世界	cd2cf2450e	Fix tests	2024-12-10 21:37:35 +08:00
世界	a525f139dc	Fix lint	2024-12-10 21:37:34 +08:00
世界	cc8ba050dd	refactor: WireGuard endpoint	2024-12-10 21:37:34 +08:00
世界	987556fd3d	refactor: connection manager	2024-12-10 21:37:33 +08:00
世界	e6dd7d279d	documentation: Fix typo	2024-12-10 21:37:32 +08:00
世界	b1cbf141c7	Add override destination to route options	2024-12-10 21:37:32 +08:00
世界	ab616d8510	Add `dns.cache_capacity`	2024-12-10 21:37:32 +08:00
世界	097818dfef	Refactor multi networks strategy	2024-12-10 21:37:31 +08:00
世界	47af425e45	documentation: Remove unused titles	2024-12-10 21:37:31 +08:00
世界	5d49685683	Add multi network dialing	2024-12-10 21:37:30 +08:00
世界	15624a648c	documentation: Merge route options to route actions	2024-12-10 21:37:30 +08:00
世界	1bfedf5332	Add `network_[type/is_expensive/is_constrained]` rule items	2024-12-10 21:37:30 +08:00
世界	10d15259b6	Merge route options to route actions	2024-12-10 21:37:29 +08:00
世界	ee11ca4935	refactor: Platform Interfaces	2024-12-10 21:37:28 +08:00
世界	e83331c2d9	refactor: Extract services form router	2024-12-10 21:37:28 +08:00
世界	b74df53a9c	refactor: Modular network manager	2024-12-10 21:37:27 +08:00
世界	f64107f040	refactor: Modular inbound/outbound manager	2024-12-10 21:37:26 +08:00
世界	7db0e712b6	documentation: Add rule action	2024-12-10 21:37:26 +08:00
世界	edfdf1d4f3	documentation: Update the scheduled removal time of deprecated features	2024-12-10 21:37:25 +08:00
世界	eb3023d66c	documentation: Remove outdated icons	2024-12-10 21:37:25 +08:00
世界	2c39c4d19c	Migrate bad options to library	2024-12-10 21:37:25 +08:00
世界	aa3fcefb72	Implement udp connect	2024-12-10 21:37:25 +08:00
世界	ce503fd682	Implement new deprecated warnings	2024-12-10 21:37:24 +08:00
世界	017fa5e298	Improve rule actions	2024-12-10 21:37:23 +08:00
世界	94d187397d	Remove unused reject methods	2024-12-10 21:37:23 +08:00
世界	1d497b08d7	refactor: Modular inbounds/outbounds	2024-12-10 21:37:23 +08:00
世界	e52ab781bb	Implement dns-hijack	2024-12-10 21:37:23 +08:00
世界	2c1e398c78	Implement resolve(server)	2024-12-10 21:37:22 +08:00
世界	d4ad7ff638	Implement TCP and ICMP rejects	2024-12-10 21:37:22 +08:00
世界	ee0f3ba739	Crazy sekai overturns the small pond	2024-12-10 21:37:01 +08:00
世界	b365b1369d	Fix play release	2024-12-10 20:44:08 +08:00
世界	69f8d7fa72	Add workaround for `bulkBarrierPreWrite: unaligned arguments` panic	2024-12-10 20:36:32 +08:00
世界	746f63a9ac	Update debug iOS library build	2024-12-10 20:36:32 +08:00