Add NDIS inbound

This reverts commit eb4a184b7e.

.github/workflows/build.yml

@@ -170,7 +170,8 @@ jobs:
           echo "HOME=$HOME" >> "$GITHUB_ENV"
       - name: Set tag
         run: |-
-          git tag v${{ needs.calculate_version.outputs.version }}
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
       - name: Build
         if: matrix.goos != 'android'
         run: |-
@@ -230,7 +231,8 @@ jobs:
           /usr/lib/jvm/java-17-openjdk-amd64/bin/java --version
       - name: Set tag
         run: |-
-          git tag v${{ needs.calculate_version.outputs.version }}
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
       - name: Build library
         run: |-
           make lib_install
@@ -254,7 +256,8 @@ jobs:
         with:
           path: ~/.gradle
           key: gradle-${{ hashFiles('**/*.gradle') }}
-      - name: Build
+      - name: Build release
+        if: github.event_name == 'workflow_dispatch'
         run: |-
           go run -v ./cmd/internal/update_android_version --ci
           mkdir clients/android/app/libs
@@ -265,18 +268,47 @@ jobs:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
           LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
-      - name: Prepare upload
+      - name: Build debug
+        if: github.event_name != 'workflow_dispatch'
+        run: |-
+          go run -v ./cmd/internal/update_android_version --ci
+          mkdir clients/android/app/libs
+          cp libbox.aar clients/android/app/libs
+          cd clients/android
+          ./gradlew :app:assemblePlayRelease
+        env:
+          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
+          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
+          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
+      - name: Prepare release upload
         if: github.event_name == 'workflow_dispatch'
         run: |-
           mkdir -p dist/release
           cp clients/android/app/build/outputs/apk/play/release/*.apk dist/release
           cp clients/android/app/build/outputs/apk/other/release/*-universal.apk dist/release
+      - name: Prepare debug upload
+        if: github.event_name != 'workflow_dispatch'
+        run: |-
+          mkdir -p dist/release
+          cp clients/android/app/build/outputs/apk/play/release/*.apk dist/release
       - name: Upload artifact
         if: github.event_name == 'workflow_dispatch'
         uses: actions/upload-artifact@v4
         with:
           name: binary-android-apks
           path: 'dist'
+      - name: Upload debug apk (arm64-v8a)
+        if: github.event_name != 'workflow_dispatch'
+        uses: actions/upload-artifact@v4
+        with:
+          name: "SFA-${{ needs.calculate_version.outputs.version }}-arm64-v8a.apk"
+          path: 'dist/release/*-arm64-v8a.apk'
+      - name: Upload debug apk (universal)
+        if: github.event_name != 'workflow_dispatch'
+        uses: actions/upload-artifact@v4
+        with:
+          name: "SFA-${{ needs.calculate_version.outputs.version }}-universal.apk"
+          path: 'dist/release/*-universal.apk'
   publish_android:
     name: Publish Android
     if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
@@ -304,7 +336,8 @@ jobs:
           /usr/lib/jvm/java-17-openjdk-amd64/bin/java --version
       - name: Set tag
         run: |-
-          git tag v${{ needs.calculate_version.outputs.version }}
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
       - name: Build library
         run: |-
           make lib_install
@@ -393,16 +426,16 @@ jobs:
       - name: Setup Xcode stable
         if: matrix.if && github.ref == 'refs/heads/main-next'
         run: |-
-          sudo xcode-select -s /Applications/Xcode_16.1.app
+          sudo xcode-select -s /Applications/Xcode_16.2.app
       - name: Setup Xcode beta
         if: matrix.if && github.ref == 'refs/heads/dev-next'
         run: |-
-          sudo xcode-select -s /Applications/Xcode_16.2_Release_Candidate.app || \
+          sudo xcode-select -s /Applications/Xcode_16.2.app
-            sudo xcode-select -s /Applications/Xcode_16.1.app # TODO: remove after hosted runners update
       - name: Set tag
         if: matrix.if
         run: |-
-          git tag v${{ needs.calculate_version.outputs.version }}
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
           echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
       - name: Checkout main branch
         if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
@@ -492,6 +525,10 @@ jobs:
             -authenticationKeyPath $ASC_KEY_PATH \
             -authenticationKeyID $ASC_KEY_ID \
             -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
+      - name: Publish to TestFlight
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
+        run: |-
+          go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
       - name: Build image
         if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
         run: |-
@@ -525,7 +562,7 @@ jobs:
           path: 'dist'
   upload:
     name: Upload builds
-    if: always() && github.event_name == 'workflow_dispatch' && inputs.build != 'publish-android'
+    if: always() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')
     runs-on: ubuntu-latest
     needs:
       - calculate_version
@@ -559,7 +596,8 @@ jobs:
           go install -v .
       - name: Set tag
         run: |-
-          git tag v${{ needs.calculate_version.outputs.version }}
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
           echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
       - name: Download builds
         uses: actions/download-artifact@v4
@@ -576,8 +614,16 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
       - name: Upload builds
+        if: ${{ env.PUBLISHED == 'false' }}
         run: |-
           export PATH="$PATH:$HOME/go/bin"
           ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Replace builds
+        if: ${{ env.PUBLISHED != 'false' }}
+        run: |-
+          export PATH="$PATH:$HOME/go/bin"
+          ghr --replace -p 5 "v${VERSION}" dist/release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.golangci.yml

@@ -22,6 +22,16 @@ linters-settings:
 
 run:
   go: "1.23"
+  build-tags:
+    - with_gvisor
+    - with_quic
+    - with_dhcp
+    - with_wireguard
+    - with_ech
+    - with_utls
+    - with_reality_server
+    - with_acme
+    - with_clash_api
 
 issues:
   exclude-dirs:

Makefile

@@ -28,7 +28,7 @@ ci_build:
 	go build $(MAIN_PARAMS) $(MAIN)
 
 generate_completions:
-	go run -v --tags generate,generate_completions $(MAIN)
+	go run -v --tags $(TAGS),generate,generate_completions $(MAIN)
 
 install:
 	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)

adapter/inbound.go

@@ -72,7 +72,7 @@ type InboundContext struct {
 	UDPConnect                bool
 	UDPTimeout                time.Duration
 
-	NetworkStrategy     C.NetworkStrategy
+	NetworkStrategy     *C.NetworkStrategy
 	NetworkType         []C.InterfaceType
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration

adapter/network.go

@@ -28,7 +28,7 @@ type NetworkManager interface {
 }
 
 type NetworkOptions struct {
-	NetworkStrategy     C.NetworkStrategy
+	NetworkStrategy     *C.NetworkStrategy
 	NetworkType         []C.InterfaceType
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration

box.go

@@ -12,8 +12,10 @@ import (
 	"github.com/sagernet/sing-box/adapter/endpoint"
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/adapter/outbound"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/taskmonitor"
+	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/cachefile"
@@ -83,7 +85,6 @@ func New(options Options) (*Box, error) {
 		ctx = context.Background()
 	}
 	ctx = service.ContextWithDefaultRegistry(ctx)
-
 	endpointRegistry := service.FromContext[adapter.EndpointRegistry](ctx)
 	inboundRegistry := service.FromContext[adapter.InboundRegistry](ctx)
 	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
@@ -100,7 +101,10 @@ func New(options Options) (*Box, error) {
 
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
-	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
+	debugOptions := common.PtrValueOrDefault(experimentalOptions.Debug)
+	applyDebugOptions(debugOptions)
+	ctx = conntrack.ContextWithDefaultTracker(ctx, debugOptions.OOMKiller, uint64(debugOptions.MemoryLimit))
+
 	var needCacheFile bool
 	var needClashAPI bool
 	var needV2RayAPI bool
@@ -149,6 +153,14 @@ func New(options Options) (*Box, error) {
 	if err != nil {
 		return nil, E.Cause(err, "initialize router")
 	}
+
+	ntpOptions := common.PtrValueOrDefault(options.NTP)
+	var timeService *tls.TimeServiceWrapper
+	if ntpOptions.Enabled {
+		timeService = new(tls.TimeServiceWrapper)
+		service.MustRegister[ntp.TimeService](ctx, timeService)
+	}
+
 	for i, endpointOptions := range options.Endpoints {
 		var tag string
 		if endpointOptions.Tag != "" {
@@ -254,13 +266,12 @@ func New(options Options) (*Box, error) {
 			service.MustRegister[adapter.V2RayServer](ctx, v2rayServer)
 		}
 	}
-	ntpOptions := common.PtrValueOrDefault(options.NTP)
 	if ntpOptions.Enabled {
 		ntpDialer, err := dialer.New(ctx, ntpOptions.DialerOptions)
 		if err != nil {
 			return nil, E.Cause(err, "create NTP service")
 		}
-		timeService := ntp.NewService(ntp.Options{
+		ntpService := ntp.NewService(ntp.Options{
 			Context:       ctx,
 			Dialer:        ntpDialer,
 			Logger:        logFactory.NewLogger("ntp"),
@@ -268,8 +279,8 @@ func New(options Options) (*Box, error) {
 			Interval:      time.Duration(ntpOptions.Interval),
 			WriteToSystem: ntpOptions.WriteToSystem,
 		})
-		service.MustRegister[ntp.TimeService](ctx, timeService)
+		timeService.TimeService = ntpService
-		services = append(services, adapter.NewLifecycleService(timeService, "ntp service"))
+		services = append(services, adapter.NewLifecycleService(ntpService, "ntp service"))
 	}
 	return &Box{
 		network:    networkManager,

cmd/internal/app_store_connect/client.go

@@ -1,30 +0,0 @@
-package main
-
-import (
-	"context"
-	"fmt"
-	_ "unsafe"
-
-	"github.com/cidertool/asc-go/asc"
-)
-
-type Client struct {
-	*asc.Client
-}
-
-func (c *Client) UpdateBuildForAppStoreVersion(ctx context.Context, id string, buildID *string) (*asc.Response, error) {
-	linkage := newRelationshipDeclaration(buildID, "builds")
-	url := fmt.Sprintf("appStoreVersions/%s/relationships/build", id)
-	return c.patch(ctx, url, newRequestBody(linkage), nil)
-}
-
-func newRelationshipDeclaration(id *string, relationshipType string) *asc.RelationshipData {
-	if id == nil {
-		return nil
-	}
-
-	return &asc.RelationshipData{
-		ID:   *id,
-		Type: relationshipType,
-	}
-}

cmd/internal/app_store_connect/client_linkname.go

@@ -1,140 +0,0 @@
-package main
-
-import (
-	"context"
-	"net/http"
-	"net/url"
-	"reflect"
-	_ "unsafe"
-
-	"github.com/cidertool/asc-go/asc"
-	"github.com/google/go-querystring/query"
-)
-
-func (c *Client) newRequest(ctx context.Context, method string, path string, body *requestBody, options ...requestOption) (*http.Request, error) {
-	return clientNewRequest(c.Client, ctx, method, path, body, options...)
-}
-
-//go:linkname clientNewRequest github.com/cidertool/asc-go/asc.(*Client).newRequest
-func clientNewRequest(c *asc.Client, ctx context.Context, method string, path string, body *requestBody, options ...requestOption) (*http.Request, error)
-
-func (c *Client) do(ctx context.Context, req *http.Request, v interface{}) (*asc.Response, error) {
-	return clientDo(c.Client, ctx, req, v)
-}
-
-//go:linkname clientDo github.com/cidertool/asc-go/asc.(*Client).do
-func clientDo(c *asc.Client, ctx context.Context, req *http.Request, v interface{}) (*asc.Response, error)
-
-// get sends a GET request to the API as configured.
-func (c *Client) get(ctx context.Context, url string, query interface{}, v interface{}, options ...requestOption) (*asc.Response, error) {
-	var err error
-	if query != nil {
-		url, err = appendingQueryOptions(url, query)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	req, err := c.newRequest(ctx, "GET", url, nil, options...)
-	if err != nil {
-		return nil, err
-	}
-
-	resp, err := c.do(ctx, req, v)
-	if err != nil {
-		return resp, err
-	}
-
-	return resp, err
-}
-
-// post sends a POST request to the API as configured.
-func (c *Client) post(ctx context.Context, url string, body *requestBody, v interface{}) (*asc.Response, error) {
-	req, err := c.newRequest(ctx, "POST", url, body, withContentType("application/json"))
-	if err != nil {
-		return nil, err
-	}
-
-	resp, err := c.do(ctx, req, v)
-	if err != nil {
-		return resp, err
-	}
-
-	return resp, err
-}
-
-// patch sends a PATCH request to the API as configured.
-func (c *Client) patch(ctx context.Context, url string, body *requestBody, v interface{}) (*asc.Response, error) {
-	req, err := c.newRequest(ctx, "PATCH", url, body, withContentType("application/json"))
-	if err != nil {
-		return nil, err
-	}
-
-	resp, err := c.do(ctx, req, v)
-	if err != nil {
-		return resp, err
-	}
-
-	return resp, err
-}
-
-// delete sends a DELETE request to the API as configured.
-func (c *Client) delete(ctx context.Context, url string, body *requestBody) (*asc.Response, error) {
-	req, err := c.newRequest(ctx, "DELETE", url, body, withContentType("application/json"))
-	if err != nil {
-		return nil, err
-	}
-
-	return c.do(ctx, req, nil)
-}
-
-// request is a common structure for a request body sent to the API.
-type requestBody struct {
-	Data     interface{} `json:"data"`
-	Included interface{} `json:"included,omitempty"`
-}
-
-func newRequestBody(data interface{}) *requestBody {
-	return newRequestBodyWithIncluded(data, nil)
-}
-
-func newRequestBodyWithIncluded(data interface{}, included interface{}) *requestBody {
-	return &requestBody{Data: data, Included: included}
-}
-
-type requestOption func(*http.Request)
-
-func withAccept(typ string) requestOption {
-	return func(req *http.Request) {
-		req.Header.Set("Accept", typ)
-	}
-}
-
-func withContentType(typ string) requestOption {
-	return func(req *http.Request) {
-		req.Header.Set("Content-Type", typ)
-	}
-}
-
-// AddOptions adds the parameters in opt as URL query parameters to s.  opt
-// must be a struct whose fields may contain "url" tags.
-func appendingQueryOptions(s string, opt interface{}) (string, error) {
-	v := reflect.ValueOf(opt)
-	if v.Kind() == reflect.Ptr && v.IsNil() {
-		return s, nil
-	}
-
-	u, err := url.Parse(s)
-	if err != nil {
-		return s, err
-	}
-
-	qs, err := query.Values(opt)
-	if err != nil {
-		return s, err
-	}
-
-	u.RawQuery = qs.Encode()
-
-	return u.String(), nil
-}

cmd/internal/app_store_connect/main.go

@@ -7,13 +7,12 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/sagernet/asc-go/asc"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-
-	"github.com/cidertool/asc-go/asc"
 )
 
 func main() {
@@ -54,20 +53,20 @@ const (
 	groupID = "5c5f3b78-b7a0-40c0-bcad-e6ef87bbefda"
 )
 
-func createClient() *Client {
+func createClient(expireDuration time.Duration) *asc.Client {
 	privateKey, err := os.ReadFile(os.Getenv("ASC_KEY_PATH"))
 	if err != nil {
 		log.Fatal(err)
 	}
-	tokenConfig, err := asc.NewTokenConfig(os.Getenv("ASC_KEY_ID"), os.Getenv("ASC_KEY_ISSUER_ID"), time.Minute, privateKey)
+	tokenConfig, err := asc.NewTokenConfig(os.Getenv("ASC_KEY_ID"), os.Getenv("ASC_KEY_ISSUER_ID"), expireDuration, privateKey)
 	if err != nil {
 		log.Fatal(err)
 	}
-	return &Client{asc.NewClient(tokenConfig.Client())}
+	return asc.NewClient(tokenConfig.Client())
 }
 
 func fetchMacOSVersion(ctx context.Context) error {
-	client := createClient()
+	client := createClient(time.Minute)
 	versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
 		FilterPlatform: []string{"MAC_OS"},
 	})
@@ -100,28 +99,107 @@ findVersion:
 }
 
 func publishTestflight(ctx context.Context) error {
-	client := createClient()
+	tagVersion, err := build_shared.ReadTagVersion()
-	var buildsToPublish []asc.Build
-	for _, platform := range []string{
-		"IOS",
-		"MAC_OS",
-		"TV_OS",
-	} {
-		builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
-			FilterApp:                       []string{appID},
-			FilterPreReleaseVersionPlatform: []string{platform},
-		})
-		if err != nil {
-			return err
-		}
-		buildsToPublish = append(buildsToPublish, builds.Data[0])
-	}
-	_, err := client.TestFlight.AddBuildsToBetaGroup(ctx, groupID, common.Map(buildsToPublish, func(it asc.Build) string {
-		return it.ID
-	}))
 	if err != nil {
 		return err
 	}
+	tag := tagVersion.VersionString()
+	client := createClient(10 * time.Minute)
+
+	log.Info(tag, " list build IDs")
+	buildIDsResponse, _, err := client.TestFlight.ListBuildIDsForBetaGroup(ctx, groupID, nil)
+	if err != nil {
+		return err
+	}
+	buildIDs := common.Map(buildIDsResponse.Data, func(it asc.RelationshipData) string {
+		return it.ID
+	})
+	var platforms []asc.Platform
+	if len(os.Args) == 3 {
+		switch os.Args[2] {
+		case "ios":
+			platforms = []asc.Platform{asc.PlatformIOS}
+		case "macos":
+			platforms = []asc.Platform{asc.PlatformMACOS}
+		case "tvos":
+			platforms = []asc.Platform{asc.PlatformTVOS}
+		default:
+			return E.New("unknown platform: ", os.Args[2])
+		}
+	} else {
+		platforms = []asc.Platform{
+			asc.PlatformIOS,
+			asc.PlatformMACOS,
+			asc.PlatformTVOS,
+		}
+	}
+	for _, platform := range platforms {
+		log.Info(string(platform), " list builds")
+		for {
+			builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
+				FilterApp:                       []string{appID},
+				FilterPreReleaseVersionPlatform: []string{string(platform)},
+			})
+			if err != nil {
+				return err
+			}
+			build := builds.Data[0]
+			if common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 5*time.Minute {
+				log.Info(string(platform), " ", tag, " waiting for process")
+				time.Sleep(15 * time.Second)
+				continue
+			}
+			if *build.Attributes.ProcessingState != "VALID" {
+				log.Info(string(platform), " ", tag, " waiting for process: ", *build.Attributes.ProcessingState)
+				time.Sleep(15 * time.Second)
+				continue
+			}
+			log.Info(string(platform), " ", tag, " list localizations")
+			localizations, _, err := client.TestFlight.ListBetaBuildLocalizationsForBuild(ctx, build.ID, nil)
+			if err != nil {
+				return err
+			}
+			localization := common.Find(localizations.Data, func(it asc.BetaBuildLocalization) bool {
+				return *it.Attributes.Locale == "en-US"
+			})
+			if localization.ID == "" {
+				log.Fatal(string(platform), " ", tag, " no en-US localization found")
+			}
+			if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
+				log.Info(string(platform), " ", tag, " update localization")
+				_, _, err = client.TestFlight.UpdateBetaBuildLocalization(ctx, localization.ID, common.Ptr(
+					F.ToString("sing-box ", tagVersion.String()),
+				))
+				if err != nil {
+					return err
+				}
+			}
+			log.Info(string(platform), " ", tag, " publish")
+			response, err := client.TestFlight.AddBuildsToBetaGroup(ctx, groupID, []string{build.ID})
+			if response != nil && response.StatusCode == http.StatusUnprocessableEntity {
+				log.Info("waiting for process")
+				time.Sleep(15 * time.Second)
+				continue
+			} else if err != nil {
+				return err
+			}
+			log.Info(string(platform), " ", tag, " list submissions")
+			betaSubmissions, _, err := client.TestFlight.ListBetaAppReviewSubmissions(ctx, &asc.ListBetaAppReviewSubmissionsQuery{
+				FilterBuild: []string{build.ID},
+			})
+			if err != nil {
+				return err
+			}
+			if len(betaSubmissions.Data) == 0 {
+				log.Info(string(platform), " ", tag, " create submission")
+				_, _, err = client.TestFlight.CreateBetaAppReviewSubmission(ctx, build.ID)
+				if err != nil {
+					return err
+				}
+			}
+			break
+		}
+	}
 	return nil
 }
 
@@ -138,34 +216,40 @@ func cancelAppStore(ctx context.Context, platform string) error {
 	if err != nil {
 		return err
 	}
-	client := createClient()
+	client := createClient(time.Minute)
-	log.Info(platform, " list versions")
+	for {
-	versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
+		log.Info(platform, " list versions")
-		FilterPlatform: []string{string(platform)},
+		versions, response, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
-	})
+			FilterPlatform: []string{string(platform)},
-	if err != nil {
+		})
-		return err
+		if isRetryable(response) {
-	}
+			continue
-	version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
+		} else if err != nil {
-		return *it.Attributes.VersionString == tag
+			return err
-	})
+		}
-	if version.ID == "" {
+		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
+			return *it.Attributes.VersionString == tag
+		})
+		if version.ID == "" {
+			return nil
+		}
+		log.Info(platform, " ", tag, " get submission")
+		submission, response, err := client.Submission.GetAppStoreVersionSubmissionForAppStoreVersion(ctx, version.ID, nil)
+		if response != nil && response.StatusCode == http.StatusNotFound {
+			return nil
+		}
+		if isRetryable(response) {
+			continue
+		} else if err != nil {
+			return err
+		}
+		log.Info(platform, " ", tag, " delete submission")
+		_, err = client.Submission.DeleteSubmission(ctx, submission.Data.ID)
+		if err != nil {
+			return err
+		}
 		return nil
 	}
-	log.Info(string(platform), " ", tag, " get submission")
-	submission, response, err := client.Submission.GetAppStoreVersionSubmissionForAppStoreVersion(ctx, version.ID, nil)
-	if response != nil && response.StatusCode == http.StatusNotFound {
-		return nil
-	}
-	if err != nil {
-		return err
-	}
-	log.Info(platform, " ", tag, " delete submission")
-	_, err = client.Submission.DeleteSubmission(ctx, submission.Data.ID)
-	if err != nil {
-		return err
-	}
-	return nil
 }
 
 func prepareAppStore(ctx context.Context) error {
@@ -173,7 +257,7 @@ func prepareAppStore(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	client := createClient()
+	client := createClient(time.Minute)
 	for _, platform := range []asc.Platform{
 		asc.PlatformIOS,
 		asc.PlatformMACOS,
@@ -242,7 +326,7 @@ func prepareAppStore(ctx context.Context) error {
 					log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
 				}
 				log.Info(string(platform), " ", tag, " update build")
-				response, err = client.UpdateBuildForAppStoreVersion(ctx, version.ID, buildID)
+				response, err = client.Apps.UpdateBuildForAppStoreVersion(ctx, version.ID, buildID)
 				if err != nil {
 					return err
 				}
@@ -275,7 +359,7 @@ func prepareAppStore(ctx context.Context) error {
 		if localization.ID == "" {
 			log.Info(string(platform), " ", tag, " no en-US localization found")
 		}
-		if localization.Attributes.WhatsNew == nil && *localization.Attributes.WhatsNew == "" {
+		if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
 			log.Info(string(platform), " ", tag, " update localization")
 			_, _, err = client.Apps.UpdateAppStoreVersionLocalization(ctx, localization.ID, &asc.AppStoreVersionLocalizationUpdateRequestAttributes{
 				PromotionalText: common.Ptr("Yet another distribution for sing-box, the universal proxy platform."),
@@ -294,16 +378,14 @@ func prepareAppStore(ctx context.Context) error {
 				case http.StatusInternalServerError:
 					continue
 				default:
-					response.Write(os.Stderr)
+					return err
-					log.Info(string(platform), " ", tag, " unexpected response: ", response.Status)
 				}
 			}
 			switch response.StatusCode {
 			case http.StatusCreated:
 				break fixSubmit
 			default:
-				response.Write(os.Stderr)
+				return err
-				log.Info(string(platform), " ", tag, " unexpected response: ", response.Status)
 			}
 		}
 	}
@@ -315,7 +397,7 @@ func publishAppStore(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	client := createClient()
+	client := createClient(time.Minute)
 	for _, platform := range []asc.Platform{
 		asc.PlatformIOS,
 		asc.PlatformMACOS,
@@ -349,3 +431,15 @@ func publishAppStore(ctx context.Context) error {
 	}
 	return nil
 }
+
+func isRetryable(response *asc.Response) bool {
+	if response == nil {
+		return false
+	}
+	switch response.StatusCode {
+	case http.StatusInternalServerError, http.StatusUnprocessableEntity:
+		return true
+	default:
+		return false
+	}
+}

cmd/sing-box/cmd_merge.go

@@ -18,7 +18,7 @@ import (
 )
 
 var commandMerge = &cobra.Command{
-	Use:   "merge <output>",
+	Use:   "merge <output-path>",
 	Short: "Merge configurations",
 	Run: func(cmd *cobra.Command, args []string) {
 		err := merge(args[0])

cmd/sing-box/cmd_rule_set_merge.go

@@ -0,0 +1,162 @@
+package main
+
+import (
+	"bytes"
+	"io"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/json/badjson"
+	"github.com/sagernet/sing/common/rw"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	ruleSetPaths       []string
+	ruleSetDirectories []string
+)
+
+var commandRuleSetMerge = &cobra.Command{
+	Use:   "merge <output-path>",
+	Short: "Merge rule-set source files",
+	Run: func(cmd *cobra.Command, args []string) {
+		err := mergeRuleSet(args[0])
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+	Args: cobra.ExactArgs(1),
+}
+
+func init() {
+	commandRuleSetMerge.Flags().StringArrayVarP(&ruleSetPaths, "config", "c", nil, "set input rule-set file path")
+	commandRuleSetMerge.Flags().StringArrayVarP(&ruleSetDirectories, "config-directory", "C", nil, "set input rule-set directory path")
+	commandRuleSet.AddCommand(commandRuleSetMerge)
+}
+
+type RuleSetEntry struct {
+	content []byte
+	path    string
+	options option.PlainRuleSetCompat
+}
+
+func readRuleSetAt(path string) (*RuleSetEntry, error) {
+	var (
+		configContent []byte
+		err           error
+	)
+	if path == "stdin" {
+		configContent, err = io.ReadAll(os.Stdin)
+	} else {
+		configContent, err = os.ReadFile(path)
+	}
+	if err != nil {
+		return nil, E.Cause(err, "read config at ", path)
+	}
+	options, err := json.UnmarshalExtendedContext[option.PlainRuleSetCompat](globalCtx, configContent)
+	if err != nil {
+		return nil, E.Cause(err, "decode config at ", path)
+	}
+	return &RuleSetEntry{
+		content: configContent,
+		path:    path,
+		options: options,
+	}, nil
+}
+
+func readRuleSet() ([]*RuleSetEntry, error) {
+	var optionsList []*RuleSetEntry
+	for _, path := range ruleSetPaths {
+		optionsEntry, err := readRuleSetAt(path)
+		if err != nil {
+			return nil, err
+		}
+		optionsList = append(optionsList, optionsEntry)
+	}
+	for _, directory := range ruleSetDirectories {
+		entries, err := os.ReadDir(directory)
+		if err != nil {
+			return nil, E.Cause(err, "read rule-set directory at ", directory)
+		}
+		for _, entry := range entries {
+			if !strings.HasSuffix(entry.Name(), ".json") || entry.IsDir() {
+				continue
+			}
+			optionsEntry, err := readRuleSetAt(filepath.Join(directory, entry.Name()))
+			if err != nil {
+				return nil, err
+			}
+			optionsList = append(optionsList, optionsEntry)
+		}
+	}
+	sort.Slice(optionsList, func(i, j int) bool {
+		return optionsList[i].path < optionsList[j].path
+	})
+	return optionsList, nil
+}
+
+func readRuleSetAndMerge() (option.PlainRuleSetCompat, error) {
+	optionsList, err := readRuleSet()
+	if err != nil {
+		return option.PlainRuleSetCompat{}, err
+	}
+	if len(optionsList) == 1 {
+		return optionsList[0].options, nil
+	}
+	var optionVersion uint8
+	for _, options := range optionsList {
+		if optionVersion < options.options.Version {
+			optionVersion = options.options.Version
+		}
+	}
+	var mergedMessage json.RawMessage
+	for _, options := range optionsList {
+		mergedMessage, err = badjson.MergeJSON(globalCtx, options.options.RawMessage, mergedMessage, false)
+		if err != nil {
+			return option.PlainRuleSetCompat{}, E.Cause(err, "merge config at ", options.path)
+		}
+	}
+	mergedOptions, err := json.UnmarshalExtendedContext[option.PlainRuleSetCompat](globalCtx, mergedMessage)
+	if err != nil {
+		return option.PlainRuleSetCompat{}, E.Cause(err, "unmarshal merged config")
+	}
+	mergedOptions.Version = optionVersion
+	return mergedOptions, nil
+}
+
+func mergeRuleSet(outputPath string) error {
+	mergedOptions, err := readRuleSetAndMerge()
+	if err != nil {
+		return err
+	}
+	buffer := new(bytes.Buffer)
+	encoder := json.NewEncoder(buffer)
+	encoder.SetIndent("", "  ")
+	err = encoder.Encode(mergedOptions)
+	if err != nil {
+		return E.Cause(err, "encode config")
+	}
+	if existsContent, err := os.ReadFile(outputPath); err != nil {
+		if string(existsContent) == buffer.String() {
+			return nil
+		}
+	}
+	err = rw.MkdirParent(outputPath)
+	if err != nil {
+		return err
+	}
+	err = os.WriteFile(outputPath, buffer.Bytes(), 0o644)
+	if err != nil {
+		return err
+	}
+	outputPath, _ = filepath.Abs(outputPath)
+	os.Stderr.WriteString(outputPath + "\n")
+	return nil
+}

cmd/sing-box/cmd_tools_fetch_http3.go

@@ -21,7 +21,7 @@ func initializeHTTP3Client(instance *box.Box) error {
 		return err
 	}
 	http3Client = &http.Client{
-		Transport: &http3.RoundTripper{
+		Transport: &http3.Transport{
 			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 				destination := M.ParseSocksaddr(addr)
 				udpConn, dErr := dialer.DialContext(ctx, N.NetworkUDP, destination)

common/conntrack/conn.go

@@ -1,54 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"net"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type Conn struct {
-	net.Conn
-	element *list.Element[io.Closer]
-}
-
-func NewConn(conn net.Conn) (net.Conn, error) {
-	connAccess.Lock()
-	element := openConnection.PushBack(conn)
-	connAccess.Unlock()
-	if KillerEnabled {
-		err := KillerCheck()
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-	}
-	return &Conn{
-		Conn:    conn,
-		element: element,
-	}, nil
-}
-
-func (c *Conn) Close() error {
-	if c.element.Value != nil {
-		connAccess.Lock()
-		if c.element.Value != nil {
-			openConnection.Remove(c.element)
-			c.element.Value = nil
-		}
-		connAccess.Unlock()
-	}
-	return c.Conn.Close()
-}
-
-func (c *Conn) Upstream() any {
-	return c.Conn
-}
-
-func (c *Conn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *Conn) WriterReplaceable() bool {
-	return true
-}

common/conntrack/context.go

@@ -0,0 +1,14 @@
+package conntrack
+
+import (
+	"context"
+
+	"github.com/sagernet/sing/service"
+)
+
+func ContextWithDefaultTracker(ctx context.Context, killerEnabled bool, memoryLimit uint64) context.Context {
+	if service.FromContext[Tracker](ctx) != nil {
+		return ctx
+	}
+	return service.ContextWith[Tracker](ctx, NewDefaultTracker(killerEnabled, memoryLimit))
+}

common/conntrack/default.go

@@ -0,0 +1,245 @@
+package conntrack
+
+import (
+	"net"
+	"net/netip"
+	runtimeDebug "runtime/debug"
+	"sync"
+	"time"
+
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/memory"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/x/list"
+)
+
+var _ Tracker = (*DefaultTracker)(nil)
+
+type DefaultTracker struct {
+	connAccess  sync.RWMutex
+	connList    list.List[net.Conn]
+	connAddress map[netip.AddrPort]netip.AddrPort
+
+	packetConnAccess  sync.RWMutex
+	packetConnList    list.List[AbstractPacketConn]
+	packetConnAddress map[netip.AddrPort]bool
+
+	pendingAccess sync.RWMutex
+	pendingList   list.List[netip.AddrPort]
+
+	killerEnabled   bool
+	memoryLimit     uint64
+	killerLastCheck time.Time
+}
+
+func NewDefaultTracker(killerEnabled bool, memoryLimit uint64) *DefaultTracker {
+	return &DefaultTracker{
+		connAddress:       make(map[netip.AddrPort]netip.AddrPort),
+		packetConnAddress: make(map[netip.AddrPort]bool),
+		killerEnabled:     killerEnabled,
+		memoryLimit:       memoryLimit,
+	}
+}
+
+func (t *DefaultTracker) NewConn(conn net.Conn) (net.Conn, error) {
+	err := t.KillerCheck()
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+	t.connAccess.Lock()
+	element := t.connList.PushBack(conn)
+	t.connAddress[M.AddrPortFromNet(conn.LocalAddr())] = M.AddrPortFromNet(conn.RemoteAddr())
+	t.connAccess.Unlock()
+	return &Conn{
+		Conn: conn,
+		closeFunc: common.OnceFunc(func() {
+			t.removeConn(element)
+		}),
+	}, nil
+}
+
+func (t *DefaultTracker) NewConnEx(conn net.Conn) (N.CloseHandlerFunc, error) {
+	err := t.KillerCheck()
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+	t.connAccess.Lock()
+	element := t.connList.PushBack(conn)
+	t.connAddress[M.AddrPortFromNet(conn.LocalAddr())] = M.AddrPortFromNet(conn.RemoteAddr())
+	t.connAccess.Unlock()
+	return N.OnceClose(func(it error) {
+		t.removeConn(element)
+	}), nil
+}
+
+func (t *DefaultTracker) NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
+	err := t.KillerCheck()
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+	t.packetConnAccess.Lock()
+	element := t.packetConnList.PushBack(conn)
+	t.packetConnAddress[M.AddrPortFromNet(conn.LocalAddr())] = true
+	t.packetConnAccess.Unlock()
+	return &PacketConn{
+		PacketConn: conn,
+		closeFunc: common.OnceFunc(func() {
+			t.removePacketConn(element)
+		}),
+	}, nil
+}
+
+func (t *DefaultTracker) NewPacketConnEx(conn AbstractPacketConn) (N.CloseHandlerFunc, error) {
+	err := t.KillerCheck()
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+	t.packetConnAccess.Lock()
+	element := t.packetConnList.PushBack(conn)
+	t.packetConnAddress[M.AddrPortFromNet(conn.LocalAddr())] = true
+	t.packetConnAccess.Unlock()
+	return N.OnceClose(func(it error) {
+		t.removePacketConn(element)
+	}), nil
+}
+
+func (t *DefaultTracker) CheckConn(source netip.AddrPort, destination netip.AddrPort) bool {
+	t.connAccess.RLock()
+	defer t.connAccess.RUnlock()
+	return t.connAddress[source] == destination
+}
+
+func (t *DefaultTracker) CheckPacketConn(source netip.AddrPort) bool {
+	t.packetConnAccess.RLock()
+	defer t.packetConnAccess.RUnlock()
+	return t.packetConnAddress[source]
+}
+
+func (t *DefaultTracker) AddPendingDestination(destination netip.AddrPort) func() {
+	t.pendingAccess.Lock()
+	defer t.pendingAccess.Unlock()
+	element := t.pendingList.PushBack(destination)
+	return func() {
+		t.pendingAccess.Lock()
+		defer t.pendingAccess.Unlock()
+		t.pendingList.Remove(element)
+	}
+}
+
+func (t *DefaultTracker) CheckDestination(destination netip.AddrPort) bool {
+	t.pendingAccess.RLock()
+	defer t.pendingAccess.RUnlock()
+	for element := t.pendingList.Front(); element != nil; element = element.Next() {
+		if element.Value == destination {
+			return true
+		}
+	}
+	return false
+}
+
+func (t *DefaultTracker) KillerCheck() error {
+	if !t.killerEnabled {
+		return nil
+	}
+	nowTime := time.Now()
+	if nowTime.Sub(t.killerLastCheck) < 3*time.Second {
+		return nil
+	}
+	t.killerLastCheck = nowTime
+	if memory.Total() > t.memoryLimit {
+		t.Close()
+		go func() {
+			time.Sleep(time.Second)
+			runtimeDebug.FreeOSMemory()
+		}()
+		return E.New("out of memory")
+	}
+	return nil
+}
+
+func (t *DefaultTracker) Count() int {
+	t.connAccess.RLock()
+	defer t.connAccess.RUnlock()
+	t.packetConnAccess.RLock()
+	defer t.packetConnAccess.RUnlock()
+	return t.connList.Len() + t.packetConnList.Len()
+}
+
+func (t *DefaultTracker) Close() {
+	t.connAccess.Lock()
+	for element := t.connList.Front(); element != nil; element = element.Next() {
+		element.Value.Close()
+	}
+	t.connList.Init()
+	t.connAccess.Unlock()
+	t.packetConnAccess.Lock()
+	for element := t.packetConnList.Front(); element != nil; element = element.Next() {
+		element.Value.Close()
+	}
+	t.packetConnList.Init()
+	t.packetConnAccess.Unlock()
+}
+
+func (t *DefaultTracker) removeConn(element *list.Element[net.Conn]) {
+	t.connAccess.Lock()
+	defer t.connAccess.Unlock()
+	delete(t.connAddress, M.AddrPortFromNet(element.Value.LocalAddr()))
+	t.connList.Remove(element)
+}
+
+func (t *DefaultTracker) removePacketConn(element *list.Element[AbstractPacketConn]) {
+	t.packetConnAccess.Lock()
+	defer t.packetConnAccess.Unlock()
+	delete(t.packetConnAddress, M.AddrPortFromNet(element.Value.LocalAddr()))
+	t.packetConnList.Remove(element)
+}
+
+type Conn struct {
+	net.Conn
+	closeFunc func()
+}
+
+func (c *Conn) Close() error {
+	c.closeFunc()
+	return c.Conn.Close()
+}
+
+func (c *Conn) Upstream() any {
+	return c.Conn
+}
+
+func (c *Conn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *Conn) WriterReplaceable() bool {
+	return true
+}
+
+type PacketConn struct {
+	net.PacketConn
+	closeFunc func()
+}
+
+func (c *PacketConn) Close() error {
+	c.closeFunc()
+	return c.PacketConn.Close()
+}
+
+func (c *PacketConn) Upstream() any {
+	return c.PacketConn
+}
+
+func (c *PacketConn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *PacketConn) WriterReplaceable() bool {
+	return true
+}

common/conntrack/killer.go

@@ -1,35 +0,0 @@
-package conntrack
-
-import (
-	runtimeDebug "runtime/debug"
-	"time"
-
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/memory"
-)
-
-var (
-	KillerEnabled   bool
-	MemoryLimit     uint64
-	killerLastCheck time.Time
-)
-
-func KillerCheck() error {
-	if !KillerEnabled {
-		return nil
-	}
-	nowTime := time.Now()
-	if nowTime.Sub(killerLastCheck) < 3*time.Second {
-		return nil
-	}
-	killerLastCheck = nowTime
-	if memory.Total() > MemoryLimit {
-		Close()
-		go func() {
-			time.Sleep(time.Second)
-			runtimeDebug.FreeOSMemory()
-		}()
-		return E.New("out of memory")
-	}
-	return nil
-}

common/conntrack/packet_conn.go

@@ -1,55 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"net"
-
-	"github.com/sagernet/sing/common/bufio"
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type PacketConn struct {
-	net.PacketConn
-	element *list.Element[io.Closer]
-}
-
-func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
-	connAccess.Lock()
-	element := openConnection.PushBack(conn)
-	connAccess.Unlock()
-	if KillerEnabled {
-		err := KillerCheck()
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-	}
-	return &PacketConn{
-		PacketConn: conn,
-		element:    element,
-	}, nil
-}
-
-func (c *PacketConn) Close() error {
-	if c.element.Value != nil {
-		connAccess.Lock()
-		if c.element.Value != nil {
-			openConnection.Remove(c.element)
-			c.element.Value = nil
-		}
-		connAccess.Unlock()
-	}
-	return c.PacketConn.Close()
-}
-
-func (c *PacketConn) Upstream() any {
-	return bufio.NewPacketConn(c.PacketConn)
-}
-
-func (c *PacketConn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) WriterReplaceable() bool {
-	return true
-}

common/conntrack/track.go

@@ -1,47 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"sync"
-
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/x/list"
-)
-
-var (
-	connAccess     sync.RWMutex
-	openConnection list.List[io.Closer]
-)
-
-func Count() int {
-	if !Enabled {
-		return 0
-	}
-	return openConnection.Len()
-}
-
-func List() []io.Closer {
-	if !Enabled {
-		return nil
-	}
-	connAccess.RLock()
-	defer connAccess.RUnlock()
-	connList := make([]io.Closer, 0, openConnection.Len())
-	for element := openConnection.Front(); element != nil; element = element.Next() {
-		connList = append(connList, element.Value)
-	}
-	return connList
-}
-
-func Close() {
-	if !Enabled {
-		return
-	}
-	connAccess.Lock()
-	defer connAccess.Unlock()
-	for element := openConnection.Front(); element != nil; element = element.Next() {
-		common.Close(element.Value)
-		element.Value = nil
-	}
-	openConnection.Init()
-}

common/conntrack/track_disable.go

@@ -1,5 +0,0 @@
-//go:build !with_conntrack
-
-package conntrack
-
-const Enabled = false

common/conntrack/track_enable.go

@@ -1,5 +0,0 @@
-//go:build with_conntrack
-
-package conntrack
-
-const Enabled = true

common/conntrack/tracker.go

@@ -0,0 +1,32 @@
+package conntrack
+
+import (
+	"net"
+	"net/netip"
+	"time"
+
+	N "github.com/sagernet/sing/common/network"
+)
+
+// TODO: add to N
+type AbstractPacketConn interface {
+	Close() error
+	LocalAddr() net.Addr
+	SetDeadline(t time.Time) error
+	SetReadDeadline(t time.Time) error
+	SetWriteDeadline(t time.Time) error
+}
+
+type Tracker interface {
+	NewConn(conn net.Conn) (net.Conn, error)
+	NewPacketConn(conn net.PacketConn) (net.PacketConn, error)
+	NewConnEx(conn net.Conn) (N.CloseHandlerFunc, error)
+	NewPacketConnEx(conn AbstractPacketConn) (N.CloseHandlerFunc, error)
+	CheckConn(source netip.AddrPort, destination netip.AddrPort) bool
+	CheckPacketConn(source netip.AddrPort) bool
+	AddPendingDestination(destination netip.AddrPort) func()
+	CheckDestination(destination netip.AddrPort) bool
+	KillerCheck() error
+	Count() int
+	Close()
+}

common/dialer/default.go

@@ -2,13 +2,16 @@ package dialer
 
 import (
 	"context"
+	"errors"
 	"net"
 	"net/netip"
+	"syscall"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/conntrack"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/atomic"
@@ -16,6 +19,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
 )
 
 var (
@@ -24,31 +28,38 @@ var (
 )
 
 type DefaultDialer struct {
-	dialer4              tcpDialer
+	tracker                conntrack.Tracker
-	dialer6              tcpDialer
+	dialer4                tcpDialer
-	udpDialer4           net.Dialer
+	dialer6                tcpDialer
-	udpDialer6           net.Dialer
+	udpDialer4             net.Dialer
-	udpListener          net.ListenConfig
+	udpDialer6             net.Dialer
-	udpAddr4             string
+	udpListener            net.ListenConfig
-	udpAddr6             string
+	udpAddr4               string
-	isWireGuardListener  bool
+	udpAddr6               string
-	networkManager       adapter.NetworkManager
+	isWireGuardListener    bool
-	networkStrategy      C.NetworkStrategy
+	networkManager         adapter.NetworkManager
-	networkType          []C.InterfaceType
+	networkStrategy        *C.NetworkStrategy
-	fallbackNetworkType  []C.InterfaceType
+	defaultNetworkStrategy bool
-	networkFallbackDelay time.Duration
+	networkType            []C.InterfaceType
-	networkLastFallback  atomic.TypedValue[time.Time]
+	fallbackNetworkType    []C.InterfaceType
+	networkFallbackDelay   time.Duration
+	networkLastFallback    atomic.TypedValue[time.Time]
 }
 
-func NewDefault(networkManager adapter.NetworkManager, options option.DialerOptions) (*DefaultDialer, error) {
+func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
+	tracker := service.FromContext[conntrack.Tracker](ctx)
+	networkManager := service.FromContext[adapter.NetworkManager](ctx)
+	platformInterface := service.FromContext[platform.Interface](ctx)
+
 	var (
-		dialer               net.Dialer
+		dialer                 net.Dialer
-		listener             net.ListenConfig
+		listener               net.ListenConfig
-		interfaceFinder      control.InterfaceFinder
+		interfaceFinder        control.InterfaceFinder
-		networkStrategy      C.NetworkStrategy
+		networkStrategy        *C.NetworkStrategy
-		networkType          []C.InterfaceType
+		defaultNetworkStrategy bool
-		fallbackNetworkType  []C.InterfaceType
+		networkType            []C.InterfaceType
-		networkFallbackDelay time.Duration
+		fallbackNetworkType    []C.InterfaceType
+		networkFallbackDelay   time.Duration
 	)
 	if networkManager != nil {
 		interfaceFinder = networkManager.InterfaceFinder()
@@ -74,31 +85,38 @@ func NewDefault(networkManager adapter.NetworkManager, options option.DialerOpti
 			listener.Control = control.Append(listener.Control, control.RoutingMark(autoRedirectOutputMark))
 		}
 	}
-	if C.NetworkStrategy(options.NetworkStrategy) != C.NetworkStrategyDefault {
+	disableDefaultBind := options.BindInterface != "" || options.Inet4BindAddress != nil || options.Inet6BindAddress != nil
-		if options.BindInterface != "" || options.Inet4BindAddress != nil || options.Inet6BindAddress != nil {
+	if disableDefaultBind || options.TCPFastOpen {
-			return nil, E.New("`network_strategy` is conflict with `bind_interface`, `inet4_bind_address` and `inet6_bind_address`")
+		if options.NetworkStrategy != nil || len(options.NetworkType) > 0 && options.FallbackNetworkType == nil && options.FallbackDelay == 0 {
-		}
+			return nil, E.New("`network_strategy` is conflict with `bind_interface`, `inet4_bind_address`, `inet6_bind_address` and `tcp_fast_open`")
-		networkStrategy = C.NetworkStrategy(options.NetworkStrategy)
-		networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
-		fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
-		networkFallbackDelay = time.Duration(options.NetworkFallbackDelay)
-		if networkManager == nil || !networkManager.AutoDetectInterface() {
-			return nil, E.New("`route.auto_detect_interface` is require by `network_strategy`")
 		}
 	}
-	if networkManager != nil && options.BindInterface == "" && options.Inet4BindAddress == nil && options.Inet6BindAddress == nil {
+
+	if networkManager != nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if options.BindInterface == "" {
+		if !disableDefaultBind {
 			if defaultOptions.BindInterface != "" {
 				bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
 				dialer.Control = control.Append(dialer.Control, bindFunc)
 				listener.Control = control.Append(listener.Control, bindFunc)
 			} else if networkManager.AutoDetectInterface() {
-				if defaultOptions.NetworkStrategy != C.NetworkStrategyDefault && C.NetworkStrategy(options.NetworkStrategy) == C.NetworkStrategyDefault {
+				if platformInterface != nil {
-					networkStrategy = defaultOptions.NetworkStrategy
+					networkStrategy = (*C.NetworkStrategy)(options.NetworkStrategy)
-					networkType = defaultOptions.NetworkType
+					if networkStrategy == nil {
-					fallbackNetworkType = defaultOptions.FallbackNetworkType
+						networkStrategy = common.Ptr(C.NetworkStrategyDefault)
-					networkFallbackDelay = defaultOptions.FallbackDelay
+						defaultNetworkStrategy = true
+					}
+					networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
+					fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
+					if networkStrategy == nil && len(networkType) == 0 && len(fallbackNetworkType) == 0 {
+						networkStrategy = defaultOptions.NetworkStrategy
+						networkType = defaultOptions.NetworkType
+						fallbackNetworkType = defaultOptions.FallbackNetworkType
+					}
+					networkFallbackDelay = time.Duration(options.FallbackDelay)
+					if networkFallbackDelay == 0 && defaultOptions.FallbackDelay != 0 {
+						networkFallbackDelay = defaultOptions.FallbackDelay
+					}
 					bindFunc := networkManager.ProtectFunc()
 					dialer.Control = control.Append(dialer.Control, bindFunc)
 					listener.Control = control.Append(listener.Control, bindFunc)
@@ -172,9 +190,6 @@ func NewDefault(networkManager adapter.NetworkManager, options option.DialerOpti
 			listener.Control = control.Append(listener.Control, controlFn)
 		}
 	}
-	if networkStrategy != C.NetworkStrategyDefault && options.TCPFastOpen {
-		return nil, E.New("`tcp_fast_open` is conflict with `network_strategy` or `route.default_network_strategy`")
-	}
 	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
 	if err != nil {
 		return nil, err
@@ -184,19 +199,21 @@ func NewDefault(networkManager adapter.NetworkManager, options option.DialerOpti
 		return nil, err
 	}
 	return &DefaultDialer{
-		dialer4:              tcpDialer4,
+		tracker:                tracker,
-		dialer6:              tcpDialer6,
+		dialer4:                tcpDialer4,
-		udpDialer4:           udpDialer4,
+		dialer6:                tcpDialer6,
-		udpDialer6:           udpDialer6,
+		udpDialer4:             udpDialer4,
-		udpListener:          listener,
+		udpDialer6:             udpDialer6,
-		udpAddr4:             udpAddr4,
+		udpListener:            listener,
-		udpAddr6:             udpAddr6,
+		udpAddr4:               udpAddr4,
-		isWireGuardListener:  options.IsWireGuardListener,
+		udpAddr6:               udpAddr6,
-		networkManager:       networkManager,
+		isWireGuardListener:    options.IsWireGuardListener,
-		networkStrategy:      networkStrategy,
+		networkManager:         networkManager,
-		networkType:          networkType,
+		networkStrategy:        networkStrategy,
-		fallbackNetworkType:  fallbackNetworkType,
+		defaultNetworkStrategy: defaultNetworkStrategy,
-		networkFallbackDelay: networkFallbackDelay,
+		networkType:            networkType,
+		fallbackNetworkType:    fallbackNetworkType,
+		networkFallbackDelay:   networkFallbackDelay,
 	}, nil
 }
 
@@ -204,31 +221,48 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 	if !address.IsValid() {
 		return nil, E.New("invalid address")
 	}
-	if d.networkStrategy == C.NetworkStrategyDefault {
+	if d.networkStrategy == nil {
+		if address.IsFqdn() {
+			return nil, E.New("unexpected domain destination")
+		}
+		// Since pending check is only used by ndis, it is not performed for non-windows connections which are only supported on platform clients
+		if d.tracker != nil {
+			done := d.tracker.AddPendingDestination(address.AddrPort())
+			defer done()
+		}
 		switch N.NetworkName(network) {
 		case N.NetworkUDP:
 			if !address.IsIPv6() {
-				return trackConn(d.udpDialer4.DialContext(ctx, network, address.String()))
+				return d.trackConn(d.udpDialer4.DialContext(ctx, network, address.String()))
 			} else {
-				return trackConn(d.udpDialer6.DialContext(ctx, network, address.String()))
+				return d.trackConn(d.udpDialer6.DialContext(ctx, network, address.String()))
 			}
 		}
 		if !address.IsIPv6() {
-			return trackConn(DialSlowContext(&d.dialer4, ctx, network, address))
+			return d.trackConn(DialSlowContext(&d.dialer4, ctx, network, address))
 		} else {
-			return trackConn(DialSlowContext(&d.dialer6, ctx, network, address))
+			return d.trackConn(DialSlowContext(&d.dialer6, ctx, network, address))
 		}
 	} else {
 		return d.DialParallelInterface(ctx, network, address, d.networkStrategy, d.networkType, d.fallbackNetworkType, d.networkFallbackDelay)
 	}
 }
 
-func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network string, address M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network string, address M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
-	if strategy == C.NetworkStrategyDefault {
+	if strategy == nil {
+		strategy = d.networkStrategy
+	}
+	if strategy == nil {
 		return d.DialContext(ctx, network, address)
 	}
-	if !d.networkManager.AutoDetectInterface() {
+	if len(interfaceType) == 0 {
-		return nil, E.New("`route.auto_detect_interface` is require by `network_strategy`")
+		interfaceType = d.networkType
+	}
+	if len(fallbackInterfaceType) == 0 {
+		fallbackInterfaceType = d.fallbackNetworkType
+	}
+	if fallbackDelay == 0 {
+		fallbackDelay = d.networkFallbackDelay
 	}
 	var dialer net.Dialer
 	if N.NetworkName(network) == N.NetworkTCP {
@@ -243,61 +277,86 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 		err       error
 	)
 	if !fastFallback {
-		conn, isPrimary, err = d.dialParallelInterface(ctx, dialer, network, address.String(), strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
+		conn, isPrimary, err = d.dialParallelInterface(ctx, dialer, network, address.String(), *strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	} else {
-		conn, isPrimary, err = d.dialParallelInterfaceFastFallback(ctx, dialer, network, address.String(), strategy, interfaceType, fallbackInterfaceType, fallbackDelay, d.networkLastFallback.Store)
+		conn, isPrimary, err = d.dialParallelInterfaceFastFallback(ctx, dialer, network, address.String(), *strategy, interfaceType, fallbackInterfaceType, fallbackDelay, d.networkLastFallback.Store)
 	}
 	if err != nil {
-		return nil, err
+		// bind interface failed on legacy xiaomi systems
+		if d.defaultNetworkStrategy && errors.Is(err, syscall.EPERM) {
+			d.networkStrategy = nil
+			return d.DialContext(ctx, network, address)
+		} else {
+			return nil, err
+		}
 	}
 	if !fastFallback && !isPrimary {
 		d.networkLastFallback.Store(time.Now())
 	}
-	return trackConn(conn, nil)
+	return d.trackConn(conn, nil)
 }
 
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if d.networkStrategy == C.NetworkStrategyDefault {
+	if d.networkStrategy == nil {
 		if destination.IsIPv6() {
-			return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
+			return d.trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
 		} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
-			return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP+"4", d.udpAddr4))
+			return d.trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP+"4", d.udpAddr4))
 		} else {
-			return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
+			return d.trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
 		}
 	} else {
 		return d.ListenSerialInterfacePacket(ctx, destination, d.networkStrategy, d.networkType, d.fallbackNetworkType, d.networkFallbackDelay)
 	}
 }
 
-func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
+func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
-	if strategy == C.NetworkStrategyDefault {
+	if strategy == nil {
+		strategy = d.networkStrategy
+	}
+	if strategy == nil {
 		return d.ListenPacket(ctx, destination)
 	}
-	if !d.networkManager.AutoDetectInterface() {
+	if len(interfaceType) == 0 {
-		return nil, E.New("`route.auto_detect_interface` is require by `network_strategy`")
+		interfaceType = d.networkType
+	}
+	if len(fallbackInterfaceType) == 0 {
+		fallbackInterfaceType = d.fallbackNetworkType
+	}
+	if fallbackDelay == 0 {
+		fallbackDelay = d.networkFallbackDelay
 	}
 	network := N.NetworkUDP
 	if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
 		network += "4"
 	}
-	return trackPacketConn(d.listenSerialInterfacePacket(ctx, d.udpListener, network, "", strategy, interfaceType, fallbackInterfaceType, fallbackDelay))
+	packetConn, err := d.listenSerialInterfacePacket(ctx, d.udpListener, network, "", *strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
+	if err != nil {
+		// bind interface failed on legacy xiaomi systems
+		if d.defaultNetworkStrategy && errors.Is(err, syscall.EPERM) {
+			d.networkStrategy = nil
+			return d.ListenPacket(ctx, destination)
+		} else {
+			return nil, err
+		}
+	}
+	return d.trackPacketConn(packetConn, nil)
 }
 
 func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
 	return d.udpListener.ListenPacket(context.Background(), network, address)
 }
 
-func trackConn(conn net.Conn, err error) (net.Conn, error) {
+func (d *DefaultDialer) trackConn(conn net.Conn, err error) (net.Conn, error) {
-	if !conntrack.Enabled || err != nil {
+	if d.tracker == nil || err != nil {
 		return conn, err
 	}
-	return conntrack.NewConn(conn)
+	return d.tracker.NewConn(conn)
 }
 
-func trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
+func (d *DefaultDialer) trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
-	if !conntrack.Enabled || err != nil {
+	if err != nil {
 		return conn, err
 	}
-	return conntrack.NewPacketConn(conn)
+	return d.tracker.NewPacketConn(conn)
 }

common/dialer/default_parallel_interface.go

@@ -35,12 +35,12 @@ func (d *DefaultDialer) dialParallelInterface(ctx context.Context, dialer net.Di
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
-			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Name, ")"), primary: primary}:
+			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Index, ")"), primary: primary}:
 			case <-returned:
 			}
 		} else {
 			select {
-			case results <- dialResult{Conn: conn}:
+			case results <- dialResult{Conn: conn, primary: primary}:
 			case <-returned:
 				conn.Close()
 			}
@@ -107,12 +107,12 @@ func (d *DefaultDialer) dialParallelInterfaceFastFallback(ctx context.Context, d
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
-			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Name, ")"), primary: primary}:
+			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Index, ")"), primary: primary}:
 			case <-returned:
 			}
 		} else {
 			select {
-			case results <- dialResult{Conn: conn}:
+			case results <- dialResult{Conn: conn, primary: primary}:
 			case <-returned:
 				if primary && time.Since(startAt) <= fallbackDelay {
 					resetFastFallback(time.Time{})
@@ -157,7 +157,7 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 		if err == nil {
 			return conn, nil
 		}
-		errors = append(errors, E.Cause(err, "listen ", primaryInterface.Name, " (", primaryInterface.Name, ")"))
+		errors = append(errors, E.Cause(err, "listen ", primaryInterface.Name, " (", primaryInterface.Index, ")"))
 	}
 	for _, fallbackInterface := range fallbackInterfaces {
 		perNetListener := listener
@@ -166,7 +166,7 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 		if err == nil {
 			return conn, nil
 		}
-		errors = append(errors, E.Cause(err, "listen ", fallbackInterface.Name, " (", fallbackInterface.Name, ")"))
+		errors = append(errors, E.Cause(err, "listen ", fallbackInterface.Name, " (", fallbackInterface.Index, ")"))
 	}
 	return nil, E.Errors(errors...)
 }
@@ -177,44 +177,57 @@ func selectInterfaces(networkManager adapter.NetworkManager, strategy C.NetworkS
 	case C.NetworkStrategyDefault:
 		if len(interfaceType) == 0 {
 			defaultIf := networkManager.InterfaceMonitor().DefaultInterface()
-			for _, iif := range interfaces {
+			if defaultIf != nil {
-				if iif.Index == defaultIf.Index {
+				for _, iif := range interfaces {
-					primaryInterfaces = append(primaryInterfaces, iif)
+					if iif.Index == defaultIf.Index {
-				} else {
+						primaryInterfaces = append(primaryInterfaces, iif)
-					fallbackInterfaces = append(fallbackInterfaces, iif)
+					}
 				}
+			} else {
+				primaryInterfaces = interfaces
 			}
 		} else {
-			primaryInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
+			primaryInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
-				return common.Contains(interfaceType, iif.Type)
+				return common.Contains(interfaceType, it.Type)
 			})
 		}
 	case C.NetworkStrategyHybrid:
 		if len(interfaceType) == 0 {
 			primaryInterfaces = interfaces
 		} else {
-			primaryInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
+			primaryInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
-				return common.Contains(interfaceType, iif.Type)
+				return common.Contains(interfaceType, it.Type)
 			})
 		}
 	case C.NetworkStrategyFallback:
 		if len(interfaceType) == 0 {
 			defaultIf := networkManager.InterfaceMonitor().DefaultInterface()
-			for _, iif := range interfaces {
+			if defaultIf != nil {
-				if iif.Index == defaultIf.Index {
+				for _, iif := range interfaces {
-					primaryInterfaces = append(primaryInterfaces, iif)
+					if iif.Index == defaultIf.Index {
-				} else {
+						primaryInterfaces = append(primaryInterfaces, iif)
-					fallbackInterfaces = append(fallbackInterfaces, iif)
+						break
+					}
 				}
+			} else {
+				primaryInterfaces = interfaces
 			}
 		} else {
-			primaryInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
+			primaryInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
-				return common.Contains(interfaceType, iif.Type)
+				return common.Contains(interfaceType, it.Type)
+			})
+		}
+		if len(fallbackInterfaceType) == 0 {
+			fallbackInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
+				return !common.Any(primaryInterfaces, func(iif adapter.NetworkInterface) bool {
+					return it.Index == iif.Index
+				})
+			})
+		} else {
+			fallbackInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
+				return common.Contains(fallbackInterfaceType, iif.Type)
 			})
 		}
-		fallbackInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
-			return common.Contains(fallbackInterfaceType, iif.Type)
-		})
 	}
 	return primaryInterfaces, fallbackInterfaces
 }

common/dialer/default_parallel_network.go

@@ -13,7 +13,13 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )
 
-func DialSerialNetwork(ctx context.Context, dialer N.Dialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func DialSerialNetwork(ctx context.Context, dialer N.Dialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+	if len(destinationAddresses) == 0 {
+		if !destination.IsIP() {
+			panic("invalid usage")
+		}
+		destinationAddresses = []netip.Addr{destination.Addr}
+	}
 	if parallelDialer, isParallel := dialer.(ParallelNetworkDialer); isParallel {
 		return parallelDialer.DialParallelNetwork(ctx, network, destination, destinationAddresses, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	}
@@ -38,7 +44,14 @@ func DialSerialNetwork(ctx context.Context, dialer N.Dialer, network string, des
 	return nil, E.Errors(errors...)
 }
 
-func DialParallelNetwork(ctx context.Context, dialer ParallelInterfaceDialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, preferIPv6 bool, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func DialParallelNetwork(ctx context.Context, dialer ParallelInterfaceDialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, preferIPv6 bool, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+	if len(destinationAddresses) == 0 {
+		if !destination.IsIP() {
+			panic("invalid usage")
+		}
+		destinationAddresses = []netip.Addr{destination.Addr}
+	}
+
 	if fallbackDelay == 0 {
 		fallbackDelay = N.DefaultFallbackDelay
 	}
@@ -116,7 +129,13 @@ func DialParallelNetwork(ctx context.Context, dialer ParallelInterfaceDialer, ne
 	}
 }
 
-func ListenSerialNetworkPacket(ctx context.Context, dialer N.Dialer, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
+func ListenSerialNetworkPacket(ctx context.Context, dialer N.Dialer, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
+	if len(destinationAddresses) == 0 {
+		if !destination.IsIP() {
+			panic("invalid usage")
+		}
+		destinationAddresses = []netip.Addr{destination.Addr}
+	}
 	if parallelDialer, isParallel := dialer.(ParallelNetworkDialer); isParallel {
 		return parallelDialer.ListenSerialNetworkPacket(ctx, destination, destinationAddresses, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	}

common/dialer/dialer.go

@@ -17,16 +17,15 @@ import (
 )
 
 func New(ctx context.Context, options option.DialerOptions) (N.Dialer, error) {
-	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	if options.IsWireGuardListener {
-		return NewDefault(networkManager, options)
+		return NewDefault(ctx, options)
 	}
 	var (
 		dialer N.Dialer
 		err    error
 	)
 	if options.Detour == "" {
-		dialer, err = NewDefault(networkManager, options)
+		dialer, err = NewDefault(ctx, options)
 		if err != nil {
 			return nil, err
 		}
@@ -37,9 +36,6 @@ func New(ctx context.Context, options option.DialerOptions) (N.Dialer, error) {
 		}
 		dialer = NewDetour(outboundManager, options.Detour)
 	}
-	if networkManager == nil {
-		return NewDefault(networkManager, options)
-	}
 	if options.Detour == "" {
 		router := service.FromContext[adapter.Router](ctx)
 		if router != nil {
@@ -58,11 +54,10 @@ func NewDirect(ctx context.Context, options option.DialerOptions) (ParallelInter
 	if options.Detour != "" {
 		return nil, E.New("`detour` is not supported in direct context")
 	}
-	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	if options.IsWireGuardListener {
-		return NewDefault(networkManager, options)
+		return NewDefault(ctx, options)
 	}
-	dialer, err := NewDefault(networkManager, options)
+	dialer, err := NewDefault(ctx, options)
 	if err != nil {
 		return nil, err
 	}
@@ -77,11 +72,11 @@ func NewDirect(ctx context.Context, options option.DialerOptions) (ParallelInter
 
 type ParallelInterfaceDialer interface {
 	N.Dialer
-	DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
+	DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
-	ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error)
+	ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error)
 }
 
 type ParallelNetworkDialer interface {
-	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
+	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
-	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
+	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
 }

common/dialer/resolve.go

@@ -106,7 +106,7 @@ func (d *resolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	return bufio.NewNATPacketConn(bufio.NewPacketConn(conn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
 }
 
-func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
@@ -134,7 +134,7 @@ func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context
 	}
 }
 
-func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
+func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}

common/tls/ech_client.go

@@ -64,6 +64,7 @@ type echConnWrapper struct {
 
 func (c *echConnWrapper) ConnectionState() tls.ConnectionState {
 	state := c.Conn.ConnectionState()
+	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,

common/tls/ech_keygen.go

@@ -147,6 +147,9 @@ func echKeygen(version uint16, serverName string, conf []myECHKeyConfig, suite [
 		pair.rawConf = b
 
 		secBuf, err := sec.MarshalBinary()
+		if err != nil {
+			return nil, E.Cause(err, "serialize ECH private key")
+		}
 		sk := []byte{}
 		sk = be.AppendUint16(sk, uint16(len(secBuf)))
 		sk = append(sk, secBuf...)

common/tls/ech_quic.go

@@ -28,7 +28,7 @@ func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, ad
 }
 
 func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config) http.RoundTripper {
-	return &http3.RoundTripper{
+	return &http3.Transport{
 		TLSClientConfig: c.config,
 		QUICConfig:      quicConfig,
 		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {

common/tls/reality_server.go

@@ -174,6 +174,7 @@ type realityConnWrapper struct {
 
 func (c *realityConnWrapper) ConnectionState() ConnectionState {
 	state := c.Conn.ConnectionState()
+	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,

common/tls/time_wrapper.go

@@ -0,0 +1,22 @@
+package tls
+
+import (
+	"time"
+
+	"github.com/sagernet/sing/common/ntp"
+)
+
+type TimeServiceWrapper struct {
+	ntp.TimeService
+}
+
+func (w *TimeServiceWrapper) TimeFunc() func() time.Time {
+	if w.TimeService == nil {
+		return nil
+	}
+	return w.TimeService.TimeFunc()
+}
+
+func (w *TimeServiceWrapper) Upstream() any {
+	return w.TimeService
+}

common/tls/utls_client.go

@@ -69,6 +69,7 @@ type utlsConnWrapper struct {
 
 func (c *utlsConnWrapper) ConnectionState() tls.ConnectionState {
 	state := c.Conn.ConnectionState()
+	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,

constant/cgo_android_fix.go

@@ -1,8 +0,0 @@
-//go:build android && debug
-
-package constant
-
-// TODO: remove after fixed
-// https://github.com/golang/go/issues/68760
-
-const FixAndroidStack = true

constant/cgo_android_fix_stub.go

@@ -1,5 +0,0 @@
-//go:build !(android && debug)
-
-package constant
-
-const FixAndroidStack = false

constant/proxy.go

@@ -23,6 +23,7 @@ const (
 	TypeVLESS        = "vless"
 	TypeTUIC         = "tuic"
 	TypeHysteria2    = "hysteria2"
+	TypeNDIS         = "ndis"
 )
 
 const (
@@ -80,6 +81,8 @@ func ProxyDisplayName(proxyType string) string {
 		return "Selector"
 	case TypeURLTest:
 		return "URLTest"
+	case TypeNDIS:
+		return "NDIS"
 	default:
 		return "Unknown"
 	}

debug.go

@@ -3,7 +3,6 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -26,9 +25,5 @@ func applyDebugOptions(options option.DebugOptions) {
 	}
 	if options.MemoryLimit != 0 {
 		debug.SetMemoryLimit(int64(float64(options.MemoryLimit) / 1.5))
-		conntrack.MemoryLimit = uint64(options.MemoryLimit)
-	}
-	if options.OOMKiller != nil {
-		conntrack.KillerEnabled = *options.OOMKiller
 	}
 }

docs/changelog.md

@@ -2,12 +2,46 @@
 icon: material/alert-decagram
 ---
 
-#### 1.11.0-beta.9
+#### 1.11.0-beta.20
 
+* Hysteria2 `ignore_client_bandwidth` behavior update **1**
 * Fixes and improvements
 
-### 1.10.4
+**1**:
 
+When `up_mbps` and `down_mbps` are set, `ignore_client_bandwidth` instead denies clients from using BBR CC.
+
+See [Hysteria2](/configuration/inbound/hysteria2/#ignore_client_bandwidth).
+
+#### 1.11.0-beta.17
+
+* Add port hopping support for Hysteria2 **1**
+* Fixes and improvements
+
+**1**:
+
+See [Hysteria2](/configuration/outbound/hysteria2/).
+
+#### 1.11.0-beta.14
+
+* Allow adding route (exclude) address sets to routes **1**
+* Fixes and improvements
+
+**1**:
+
+When `auto_redirect` is not enabled, directly add `route[_exclude]_address_set`
+to tun routes (equivalent to `route[_exclude]_address`).
+
+Note that it **doesn't work on the Android graphical client** due to
+the Android VpnService not being able to handle a large number of routes (DeadSystemException),
+but otherwise it works fine on all command line clients and Apple platforms.
+
+See [route_address_set](/configuration/inbound/tun/#route_address_set) and
+[route_exclude_address_set](/configuration/inbound/tun/#route_exclude_address_set).
+
+#### 1.11.0-beta.12
+
+* Add `rule-set merge` command
 * Fixes and improvements
 
 #### 1.11.0-beta.3

docs/configuration/inbound/hysteria2.md

@@ -5,6 +5,7 @@ icon: material/alert-decagram
 !!! quote "Changes in sing-box 1.11.0"
 
     :material-alert: [masquerade](#masquerade)  
+    :material-alert: [ignore_client_bandwidth](#ignore_client_bandwidth)
 
 ### Structure
 
@@ -75,9 +76,13 @@ Authentication password
 
 #### ignore_client_bandwidth
 
-Commands the client to use the BBR flow control algorithm instead of Hysteria CC.
+*When `up_mbps` and `down_mbps` are not set*:
 
-Conflict with `up_mbps` and `down_mbps`.
+Commands clients to use the BBR CC instead of Hysteria CC.
+
+*When `up_mbps` and `down_mbps` are set*:
+
+Deny clients to use the BBR CC.
 
 #### tls
 

docs/configuration/inbound/hysteria2.zh.md

@@ -5,6 +5,7 @@ icon: material/alert-decagram
 !!! quote "sing-box 1.11.0 中的更改"
 
     :material-alert: [masquerade](#masquerade)  
+    :material-alert: [ignore_client_bandwidth](#ignore_client_bandwidth)
 
 ### 结构
 
@@ -72,9 +73,13 @@ Hysteria 用户
 
 #### ignore_client_bandwidth
 
+*当 `up_mbps` 和 `down_mbps` 未设定时*:
+
 命令客户端使用 BBR 拥塞控制算法而不是 Hysteria CC。
 
-与 `up_mbps` 和 `down_mbps` 冲突。
+*当 `up_mbps` 和 `down_mbps` 已设定时*:
+
+禁止客户端使用 BBR 拥塞控制算法。
 
 #### tls
 

docs/configuration/inbound/tun.md

@@ -5,6 +5,8 @@ icon: material/alert-decagram
 !!! quote "Changes in sing-box 1.11.0"
 
     :material-delete-alert: [gso](#gso)  
+    :material-alert-decagram: [route_address_set](#stack)  
+    :material-alert-decagram: [route_exclude_address_set](#stack)
 
 !!! quote "Changes in sing-box 1.10.0"
 
@@ -88,13 +90,13 @@ icon: material/alert-decagram
     0
   ],
   "include_uid_range": [
-    "1000-99999"
+    "1000:99999"
   ],
   "exclude_uid": [
     1000
   ],
   "exclude_uid_range": [
-    "1000-99999"
+    "1000:99999"
   ],
   "include_android_user": [
     0,
@@ -248,7 +250,7 @@ use [VPNHotspot](https://github.com/Mygod/VPNHotspot).
 
 !!! question "Since sing-box 1.10.0"
 
-Connection input mark used by `route_address_set` and `route_exclude_address_set`.
+Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.
 
 `0x2023` is used by default.
 
@@ -256,7 +258,7 @@ Connection input mark used by `route_address_set` and `route_exclude_address_set
 
 !!! question "Since sing-box 1.10.0"
 
-Connection output mark used by `route_address_set` and `route_exclude_address_set`.
+Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.
 
 `0x2024` is used by default.
 
@@ -329,29 +331,55 @@ Exclude custom routes when `auto_route` is enabled.
 
 #### route_address_set
 
-!!! question "Since sing-box 1.10.0"
+=== "With `auto_redirect` enabled"
 
-!!! quote ""
+    !!! question "Since sing-box 1.10.0"
 
-    Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
+    !!! quote ""
     
-Add the destination IP CIDR rules in the specified rule-sets to the firewall.
+        Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
-Unmatched traffic will bypass the sing-box routes.
     
-Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
+    Add the destination IP CIDR rules in the specified rule-sets to the firewall.
+    Unmatched traffic will bypass the sing-box routes.
+    
+    Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
+
+=== "Without `auto_redirect` enabled"
+
+    !!! question "Since sing-box 1.11.0"
+    
+    Add the destination IP CIDR rules in the specified rule-sets to routes, equivalent to adding to `route_address`.
+    Unmatched traffic will bypass the sing-box routes.
+
+    Note that it **doesn't work on the Android graphical client** due to
+    the Android VpnService not being able to handle a large number of routes (DeadSystemException),
+    but otherwise it works fine on all command line clients and Apple platforms.
 
 #### route_exclude_address_set
 
-!!! question "Since sing-box 1.10.0"
+=== "With `auto_redirect` enabled"
 
-!!! quote ""
+    !!! question "Since sing-box 1.10.0"
+
+    !!! quote ""
 
     Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
 
-Add the destination IP CIDR rules in the specified rule-sets to the firewall.
+    Add the destination IP CIDR rules in the specified rule-sets to the firewall.
-Matched traffic will bypass the sing-box routes.
+    Matched traffic will bypass the sing-box routes.
     
-Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
+    Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
+
+=== "Without `auto_redirect` enabled"
+
+    !!! question "Since sing-box 1.11.0"
+    
+    Add the destination IP CIDR rules in the specified rule-sets to routes, equivalent to adding to `route_exclude_address`.
+    Matched traffic will bypass the sing-box routes.
+
+    Note that it **doesn't work on the Android graphical client** due to
+    the Android VpnService not being able to handle a large number of routes (DeadSystemException),
+    but otherwise it works fine on all command line clients and Apple platforms.
 
 #### endpoint_independent_nat
 

docs/configuration/inbound/tun.zh.md

@@ -5,6 +5,8 @@ icon: material/alert-decagram
 !!! quote "sing-box 1.11.0 中的更改"
 
     :material-delete-alert: [gso](#gso)  
+    :material-alert-decagram: [route_address_set](#stack)  
+    :material-alert-decagram: [route_exclude_address_set](#stack)
 
 !!! quote "sing-box 1.10.0 中的更改"
 
@@ -88,13 +90,13 @@ icon: material/alert-decagram
     0
   ],
   "include_uid_range": [
-    "1000-99999"
+    "1000:99999"
   ],
   "exclude_uid": [
     1000
   ],
   "exclude_uid_range": [
-    "1000-99999"
+    "1000:99999"
   ],
   "include_android_user": [
     0,
@@ -329,29 +331,53 @@ tun 接口的 IPv6 前缀。
 
 #### route_address_set
 
-!!! question "自 sing-box 1.10.0 起"
+=== "`auto_redirect` 已启用"
 
-!!! quote ""
+    !!! question "自 sing-box 1.10.0 起"
     
-    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
+    !!! quote ""
     
-将指定规则集中的目标 IP CIDR 规则添加到防火墙。
+        仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
-不匹配的流量将绕过 sing-box 路由。
     
-与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
+    将指定规则集中的目标 IP CIDR 规则添加到防火墙。
+    不匹配的流量将绕过 sing-box 路由。
+    
+    与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
+
+=== "`auto_redirect` 未启用"
+
+    !!! question "自 sing-box 1.11.0 起"
+
+    将指定规则集中的目标 IP CIDR 规则添加到路由，相当于添加到 `route_address`。
+    不匹配的流量将绕过 sing-box 路由。
+
+    请注意，由于 Android VpnService 无法处理大量路由（DeadSystemException），
+    因此它**在 Android 图形客户端上不起作用**，但除此之外，它在所有命令行客户端和 Apple 平台上都可以正常工作。
 
 #### route_exclude_address_set
 
-!!! question "自 sing-box 1.10.0 起"
+=== "`auto_redirect` 已启用"
 
-!!! quote ""
+    !!! question "自 sing-box 1.10.0 起"
     
-    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。
+    !!! quote ""
     
-将指定规则集中的目标 IP CIDR 规则添加到防火墙。
+        仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
-匹配的流量将绕过 sing-box 路由。
 
-与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
+    将指定规则集中的目标 IP CIDR 规则添加到防火墙。
+    匹配的流量将绕过 sing-box 路由。
+
+    与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
+
+=== "`auto_redirect` 未启用"
+
+    !!! question "自 sing-box 1.11.0 起"
+
+    将指定规则集中的目标 IP CIDR 规则添加到路由，相当于添加到 `route_exclude_address`。
+    匹配的流量将绕过 sing-box 路由。
+
+    请注意，由于 Android VpnService 无法处理大量路由（DeadSystemException），
+    因此它**在 Android 图形客户端上不起作用**，但除此之外，它在所有命令行客户端和 Apple 平台上都可以正常工作。
 
 #### endpoint_independent_nat
 

docs/configuration/outbound/hysteria2.md

@@ -1,3 +1,12 @@
+---
+icon: material/new-box
+---
+
+!!! quote "Changes in sing-box 1.11.0"
+
+    :material-plus: [server_ports](#server_ports)  
+    :material-plus: [hop_interval](#hop_interval)
+
 ### Structure
 
 ```json
@@ -7,6 +16,10 @@
   
   "server": "127.0.0.1",
   "server_port": 1080,
+  "server_ports": [
+    "2080:3000"
+  ],
+  "hop_interval": "",
   "up_mbps": 100,
   "down_mbps": 100,
   "obfs": {
@@ -22,6 +35,10 @@
 }
 ```
 
+!!! note ""
+
+    You can ignore the JSON Array [] tag when the content is only one item
+
 !!! warning "Difference from official Hysteria2"
 
     The official Hysteria2 supports an authentication method called **userpass**,
@@ -44,6 +61,24 @@ The server address.
 
 The server port.
 
+Ignored if `server_ports` is set.
+
+#### server_ports
+
+!!! question "Since sing-box 1.11.0"
+
+Server port range list.
+
+Conflicts with `server_port`.
+
+#### hop_interval
+
+!!! question "Since sing-box 1.11.0"
+
+Port hopping interval.
+
+`30s` is used by default.
+
 #### up_mbps, down_mbps
 
 Max bandwidth, in Mbps.

docs/configuration/outbound/hysteria2.zh.md

@@ -1,3 +1,12 @@
+---
+icon: material/new-box
+---
+
+!!! quote "sing-box 1.11.0 中的更改"
+
+    :material-plus: [server_ports](#server_ports)  
+    :material-plus: [hop_interval](#hop_interval)
+
 ### 结构
 
 ```json
@@ -7,6 +16,10 @@
 
   "server": "127.0.0.1",
   "server_port": 1080,
+  "server_ports": [
+    "2080:3000"
+  ],
+  "hop_interval": "",
   "up_mbps": 100,
   "down_mbps": 100,
   "obfs": {
@@ -22,6 +35,10 @@
 }
 ```
 
+!!! note ""
+
+    当内容只有一项时，可以忽略 JSON 数组 [] 标签
+
 !!! warning "与官方 Hysteria2 的区别"
 
     官方程序支持一种名为 **userpass** 的验证方式，
@@ -42,6 +59,24 @@
 
 服务器端口。
 
+如果设置了 `server_ports`，则忽略此项。
+
+#### server_ports
+
+!!! question "自 sing-box 1.11.0 起"
+
+服务器端口范围列表。
+
+与 `server_port` 冲突。
+
+#### hop_interval
+
+!!! question "自 sing-box 1.11.0 起"
+
+端口跳跃间隔。
+
+默认使用 `30s`。
+
 #### up_mbps, down_mbps
 
 最大带宽。

experimental/clashapi/server.go

@@ -128,11 +128,8 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 	if options.ExternalUI != "" {
 		s.externalUI = filemanager.BasePath(ctx, os.ExpandEnv(options.ExternalUI))
 		chiRouter.Group(func(r chi.Router) {
-			fs := http.StripPrefix("/ui", http.FileServer(http.Dir(s.externalUI)))
+			r.Get("/ui", http.RedirectHandler("/ui/", http.StatusMovedPermanently).ServeHTTP)
-			r.Get("/ui", http.RedirectHandler("/ui/", http.StatusTemporaryRedirect).ServeHTTP)
+			r.Handle("/ui/*", http.StripPrefix("/ui/", http.FileServer(http.Dir(s.externalUI))))
-			r.Get("/ui/*", func(w http.ResponseWriter, r *http.Request) {
-				fs.ServeHTTP(w, r)
-			})
 		})
 	}
 	return s, nil

experimental/deprecated/constants.go

@@ -1,8 +1,11 @@
 package deprecated
 
 import (
+	"fmt"
+
 	"github.com/sagernet/sing-box/common/badversion"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/locale"
 	F "github.com/sagernet/sing/common/format"
 
 	"golang.org/x/mod/semver"
@@ -34,15 +37,9 @@ func (n Note) Impending() bool {
 
 func (n Note) Message() string {
 	if n.MigrationLink != "" {
-		return F.ToString(
+		return fmt.Sprintf(locale.Current().DeprecatedMessage, n.Description, n.DeprecatedVersion, n.ScheduledVersion)
-			n.Description, " is deprecated in sing-box ", n.DeprecatedVersion,
-			" and will be removed in sing-box ", n.ScheduledVersion, ", please checkout documentation for migration.",
-		)
 	} else {
-		return F.ToString(
+		return fmt.Sprintf(locale.Current().DeprecatedMessageNoLink, n.Description, n.DeprecatedVersion, n.ScheduledVersion)
-			n.Description, " is deprecated in sing-box ", n.DeprecatedVersion,
-			" and will be removed in sing-box ", n.ScheduledVersion, ".",
-		)
 	}
 }
 

experimental/libbox/command_client.go

@@ -7,7 +7,6 @@ import (
 	"path/filepath"
 	"time"
 
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 )
@@ -114,7 +113,7 @@ func (c *CommandClient) Connect() error {
 		if err != nil {
 			return err
 		}
-		if C.FixAndroidStack {
+		if sFixAndroidStack {
 			go func() {
 				c.handler.Connected()
 				c.handler.InitializeClashMode(newIterator(modeList), currentMode)

experimental/libbox/command_conntrack.go

@@ -5,8 +5,6 @@ import (
 	"net"
 	runtimeDebug "runtime/debug"
 	"time"
-
-	"github.com/sagernet/sing-box/common/conntrack"
 )
 
 func (c *CommandClient) CloseConnections() error {
@@ -19,7 +17,7 @@ func (c *CommandClient) CloseConnections() error {
 }
 
 func (s *CommandServer) handleCloseConnections(conn net.Conn) error {
-	conntrack.Close()
+	tracker.Close()
 	go func() {
 		time.Sleep(time.Second)
 		runtimeDebug.FreeOSMemory()

experimental/libbox/command_status.go

@@ -6,7 +6,6 @@ import (
 	"runtime"
 	"time"
 
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/memory"
@@ -28,7 +27,7 @@ func (s *CommandServer) readStatus() StatusMessage {
 	var message StatusMessage
 	message.Memory = int64(memory.Inuse())
 	message.Goroutines = int32(runtime.NumGoroutine())
-	message.ConnectionsOut = int32(conntrack.Count())
+	message.ConnectionsOut = int32(tracker.Count())
 
 	if s.service != nil {
 		message.TrafficAvailable = true

experimental/libbox/config.go

@@ -66,6 +66,10 @@ func (s *platformInterfaceStub) OpenTun(options *tun.Options, platformOptions op
 	return nil, os.ErrInvalid
 }
 
+func (s *platformInterfaceStub) UpdateRouteOptions(options *tun.Options, platformInterface option.TunPlatformOptions) error {
+	return os.ErrInvalid
+}
+
 func (s *platformInterfaceStub) UsePlatformDefaultInterfaceMonitor() bool {
 	return true
 }

experimental/libbox/memory.go

@@ -7,17 +7,21 @@ import (
 	"github.com/sagernet/sing-box/common/conntrack"
 )
 
+var tracker *conntrack.DefaultTracker
+
 func SetMemoryLimit(enabled bool) {
+	if tracker != nil {
+		tracker.Close()
+	}
 	const memoryLimit = 45 * 1024 * 1024
 	const memoryLimitGo = memoryLimit / 1.5
 	if enabled {
 		runtimeDebug.SetGCPercent(10)
 		runtimeDebug.SetMemoryLimit(memoryLimitGo)
-		conntrack.KillerEnabled = true
+		tracker = conntrack.NewDefaultTracker(true, memoryLimit)
-		conntrack.MemoryLimit = memoryLimit
 	} else {
 		runtimeDebug.SetGCPercent(100)
 		runtimeDebug.SetMemoryLimit(math.MaxInt64)
-		conntrack.KillerEnabled = false
+		tracker = conntrack.NewDefaultTracker(false, 0)
 	}
 }

experimental/libbox/monitor.go

@@ -1,7 +1,6 @@
 package libbox
 
 import (
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -56,7 +55,7 @@ func (m *platformDefaultInterfaceMonitor) UnregisterCallback(element *list.Eleme
 }
 
 func (m *platformDefaultInterfaceMonitor) UpdateDefaultInterface(interfaceName string, interfaceIndex32 int32, isExpensive bool, isConstrained bool) {
-	if C.FixAndroidStack {
+	if sFixAndroidStack {
 		go m.updateDefaultInterface(interfaceName, interfaceIndex32, isExpensive, isConstrained)
 	} else {
 		m.updateDefaultInterface(interfaceName, interfaceIndex32, isExpensive, isConstrained)

experimental/libbox/platform.go

@@ -9,6 +9,7 @@ type PlatformInterface interface {
 	UsePlatformAutoDetectInterfaceControl() bool
 	AutoDetectInterfaceControl(fd int32) error
 	OpenTun(options TunOptions) (int32, error)
+	UpdateRouteOptions(options TunOptions) error
 	WriteLog(message string)
 	UseProcFS() bool
 	FindConnectionOwner(ipProtocol int32, sourceAddress string, sourcePort int32, destinationAddress string, destinationPort int32) (int32, error)

experimental/libbox/platform/interface.go

@@ -13,6 +13,7 @@ type Interface interface {
 	UsePlatformAutoDetectInterfaceControl() bool
 	AutoDetectInterfaceControl(fd int) error
 	OpenTun(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error)
+	UpdateRouteOptions(options *tun.Options, platformOptions option.TunPlatformOptions) error
 	CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor
 	Interfaces() ([]adapter.NetworkInterface, error)
 	UnderNetworkExtension() bool

experimental/libbox/service.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/process"
 	"github.com/sagernet/sing-box/common/urltest"
 	C "github.com/sagernet/sing-box/constant"
@@ -60,6 +61,7 @@ func NewService(configContent string, platformInterface PlatformInterface) (*Box
 		useProcFS: platformInterface.UseProcFS(),
 	}
 	service.MustRegister[platform.Interface](ctx, platformWrapper)
+	service.MustRegister[conntrack.Tracker](ctx, tracker)
 	instance, err := box.New(box.Options{
 		Context:           ctx,
 		Options:           options,
@@ -81,7 +83,7 @@ func NewService(configContent string, platformInterface PlatformInterface) (*Box
 }
 
 func (s *BoxService) Start() error {
-	if C.FixAndroidStack {
+	if sFixAndroidStack {
 		var err error
 		done := make(chan struct{})
 		go func() {
@@ -148,10 +150,10 @@ func (w *platformInterfaceWrapper) AutoDetectInterfaceControl(fd int) error {
 
 func (w *platformInterfaceWrapper) OpenTun(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error) {
 	if len(options.IncludeUID) > 0 || len(options.ExcludeUID) > 0 {
-		return nil, E.New("android: unsupported uid options")
+		return nil, E.New("platform: unsupported uid options")
 	}
 	if len(options.IncludeAndroidUser) > 0 {
-		return nil, E.New("android: unsupported android_user option")
+		return nil, E.New("platform: unsupported android_user option")
 	}
 	routeRanges, err := options.BuildAutoRouteRanges(true)
 	if err != nil {
@@ -174,6 +176,20 @@ func (w *platformInterfaceWrapper) OpenTun(options *tun.Options, platformOptions
 	return tun.New(*options)
 }
 
+func (w *platformInterfaceWrapper) UpdateRouteOptions(options *tun.Options, platformOptions option.TunPlatformOptions) error {
+	if len(options.IncludeUID) > 0 || len(options.ExcludeUID) > 0 {
+		return E.New("android: unsupported uid options")
+	}
+	if len(options.IncludeAndroidUser) > 0 {
+		return E.New("android: unsupported android_user option")
+	}
+	routeRanges, err := options.BuildAutoRouteRanges(true)
+	if err != nil {
+		return err
+	}
+	return w.iif.UpdateRouteOptions(&tunOptions{options, routeRanges, platformOptions})
+}
+
 func (w *platformInterfaceWrapper) CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor {
 	return &platformDefaultInterfaceMonitor{
 		platformInterfaceWrapper: w,

experimental/libbox/setup.go

@@ -9,50 +9,67 @@ import (
 
 	"github.com/sagernet/sing-box/common/humanize"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/locale"
 	"github.com/sagernet/sing-box/log"
 )
 
 var (
-	sBasePath    string
+	sBasePath        string
-	sWorkingPath string
+	sWorkingPath     string
-	sTempPath    string
+	sTempPath        string
-	sUserID      int
+	sUserID          int
-	sGroupID     int
+	sGroupID         int
-	sTVOS        bool
+	sTVOS            bool
+	sFixAndroidStack bool
 )
 
 func init() {
 	debug.SetPanicOnFault(true)
 }
 
-func Setup(basePath string, workingPath string, tempPath string, isTVOS bool) {
+type SetupOptions struct {
-	sBasePath = basePath
+	BasePath        string
-	sWorkingPath = workingPath
+	WorkingPath     string
-	sTempPath = tempPath
+	TempPath        string
-	sUserID = os.Getuid()
+	Username        string
-	sGroupID = os.Getgid()
+	IsTVOS          bool
-	sTVOS = isTVOS
+	FixAndroidStack bool
-	os.MkdirAll(sWorkingPath, 0o777)
-	os.MkdirAll(sTempPath, 0o777)
 }
 
-func SetupWithUsername(basePath string, workingPath string, tempPath string, username string) error {
+func Setup(options *SetupOptions) error {
-	sBasePath = basePath
+	sBasePath = options.BasePath
-	sWorkingPath = workingPath
+	sWorkingPath = options.WorkingPath
-	sTempPath = tempPath
+	sTempPath = options.TempPath
-	sUser, err := user.Lookup(username)
+	if options.Username != "" {
-	if err != nil {
+		sUser, err := user.Lookup(options.Username)
-		return err
+		if err != nil {
+			return err
+		}
+		sUserID, _ = strconv.Atoi(sUser.Uid)
+		sGroupID, _ = strconv.Atoi(sUser.Gid)
+	} else {
+		sUserID = os.Getuid()
+		sGroupID = os.Getgid()
 	}
-	sUserID, _ = strconv.Atoi(sUser.Uid)
+	sTVOS = options.IsTVOS
-	sGroupID, _ = strconv.Atoi(sUser.Gid)
+
+	// TODO: remove after fixed
+	// https://github.com/golang/go/issues/68760
+	sFixAndroidStack = options.FixAndroidStack
+
 	os.MkdirAll(sWorkingPath, 0o777)
 	os.MkdirAll(sTempPath, 0o777)
-	os.Chown(sWorkingPath, sUserID, sGroupID)
+	if options.Username != "" {
-	os.Chown(sTempPath, sUserID, sGroupID)
+		os.Chown(sWorkingPath, sUserID, sGroupID)
+		os.Chown(sTempPath, sUserID, sGroupID)
+	}
 	return nil
 }
 
+func SetLocale(localeId string) {
+	locale.Set(localeId)
+}
+
 func Version() string {
 	return C.Version
 }

experimental/libbox/tun.go

@@ -13,7 +13,7 @@ import (
 type TunOptions interface {
 	GetInet4Address() RoutePrefixIterator
 	GetInet6Address() RoutePrefixIterator
-	GetDNSServerAddress() (string, error)
+	GetDNSServerAddress() (*StringBox, error)
 	GetMTU() int32
 	GetAutoRoute() bool
 	GetStrictRoute() bool
@@ -89,11 +89,11 @@ func (o *tunOptions) GetInet6Address() RoutePrefixIterator {
 	return mapRoutePrefix(o.Inet6Address)
 }
 
-func (o *tunOptions) GetDNSServerAddress() (string, error) {
+func (o *tunOptions) GetDNSServerAddress() (*StringBox, error) {
 	if len(o.Inet4Address) == 0 || o.Inet4Address[0].Bits() == 32 {
-		return "", E.New("need one more IPv4 address for DNS hijacking")
+		return nil, E.New("need one more IPv4 address for DNS hijacking")
 	}
-	return o.Inet4Address[0].Addr().Next().String(), nil
+	return wrapString(o.Inet4Address[0].Addr().Next().String()), nil
 }
 
 func (o *tunOptions) GetMTU() int32 {

experimental/locale/locale.go

@@ -0,0 +1,30 @@
+package locale
+
+var (
+	localeRegistry = make(map[string]*Locale)
+	current        = defaultLocal
+)
+
+type Locale struct {
+	// deprecated messages for graphical clients
+	DeprecatedMessage       string
+	DeprecatedMessageNoLink string
+}
+
+var defaultLocal = &Locale{
+	DeprecatedMessage:       "%s is deprecated in sing-box %s and will be removed in sing-box %s please checkout documentation for migration.",
+	DeprecatedMessageNoLink: "%s is deprecated in sing-box %s and will be removed in sing-box %s.",
+}
+
+func Current() *Locale {
+	return current
+}
+
+func Set(localeId string) bool {
+	locale, loaded := localeRegistry[localeId]
+	if !loaded {
+		return false
+	}
+	current = locale
+	return true
+}

experimental/locale/locale_zh_CN.go

@@ -0,0 +1,10 @@
+package locale
+
+var warningMessageForEndUsers = "\n\n如果您不明白此消息意味着什么：您的配置文件已过时，且将很快不可用。请联系您的配置提供者以更新配置。"
+
+func init() {
+	localeRegistry["zh_CN"] = &Locale{
+		DeprecatedMessage:       "%s 已在 sing-box %s 中被弃用，且将在 sing-box %s 中被移除，请参阅迁移指南。" + warningMessageForEndUsers,
+		DeprecatedMessageNoLink: "%s 已在 sing-box %s 中被弃用，且将在 sing-box %s 中被移除。" + warningMessageForEndUsers,
+	}
+}

go.mod

@@ -4,13 +4,11 @@ go 1.20
 
 require (
 	github.com/caddyserver/certmagic v0.20.0
-	github.com/cidertool/asc-go v0.5.1
 	github.com/cloudflare/circl v1.3.7
 	github.com/cretz/bine v0.2.0
 	github.com/go-chi/chi/v5 v5.1.0
 	github.com/go-chi/render v1.0.3
 	github.com/gofrs/uuid/v5 v5.3.0
-	github.com/google/go-querystring v1.0.0
 	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
 	github.com/libdns/alidns v1.0.3
 	github.com/libdns/cloudflare v0.1.1
@@ -19,6 +17,7 @@ require (
 	github.com/mholt/acmez v1.2.0
 	github.com/miekg/dns v1.1.62
 	github.com/oschwald/maxminddb-golang v1.12.0
+	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1
 	github.com/sagernet/cors v1.2.1
@@ -27,28 +26,29 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20241123041152-536d05261cff
 	github.com/sagernet/quic-go v0.48.2-beta.1
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.6.0-beta.6
+	github.com/sagernet/sing v0.6.0-beta.9
 	github.com/sagernet/sing-dns v0.4.0-beta.1
 	github.com/sagernet/sing-mux v0.3.0-alpha.1
-	github.com/sagernet/sing-quic v0.4.0-alpha.4
+	github.com/sagernet/sing-quic v0.4.0-beta.3
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.2.0-alpha.2
-	github.com/sagernet/sing-tun v0.6.0-beta.6
+	github.com/sagernet/sing-tun v0.6.0-beta.7
-	github.com/sagernet/sing-vmess v0.2.0-beta.1
+	github.com/sagernet/sing-vmess v0.2.0-beta.2
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
 	github.com/sagernet/utls v1.6.7
 	github.com/sagernet/wireguard-go v0.0.1-beta.5
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
+	github.com/wiresock/ndisapi-go v0.0.0-20241230094942-3299a7566e08
 	go.uber.org/zap v1.27.0
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.29.0
+	golang.org/x/crypto v0.31.0
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
 	golang.org/x/mod v0.20.0
 	golang.org/x/net v0.31.0
-	golang.org/x/sys v0.27.0
+	golang.org/x/sys v0.28.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	google.golang.org/grpc v1.63.2
 	google.golang.org/protobuf v1.33.0
@@ -60,7 +60,7 @@ require (
 require (
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.6 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
@@ -70,6 +70,7 @@ require (
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -92,8 +93,8 @@ require (
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/sync v0.9.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/text v0.20.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.24.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect

go.sum

@@ -4,10 +4,8 @@ github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sx
 github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/caddyserver/certmagic v0.20.0 h1:bTw7LcEZAh9ucYCRXyCpIrSAGplplI0vGYJ4BpCQ/Fc=
 github.com/caddyserver/certmagic v0.20.0/go.mod h1:N4sXgpICQUskEWpj7zVzvWD41p3NYacrNoZYiRM2jTg=
-github.com/cenkalti/backoff/v4 v4.1.0 h1:c8LkOFQTzuO0WBM/ae5HdGQuZPfPxp7lqBRwQRm4fSc=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
-github.com/cenkalti/backoff/v4 v4.1.0/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cidertool/asc-go v0.5.1 h1:KYki2Y8IXJMOkOXy9y1sdr8tz6IdW2ti770K4bk7WY0=
-github.com/cidertool/asc-go v0.5.1/go.mod h1:LyrZWU7DeCh8cWrFwXcpl93ixRUUL2aEZV7/0h07FxA=
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -38,10 +36,11 @@ github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
-github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a h1:fEBsGL/sjAuJrgah5XqmmYsTLzJp/TO9Lhy39gkverk=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
@@ -97,6 +96,8 @@ github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1
 github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs=
 github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1 h1:qi+ijeREa0yfAaO+NOcZ81gv4uzOfALUIdhkiIFvmG4=
+github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1/go.mod h1:JULDuzTMn2gyZFcjpTVZP4/UuwAdbHJ0bum2RdjXojU=
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkkD2QgdTuzQG263YZ+2emfpeyGqW0=
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1 h1:YbmpqPQEMdlk9oFSKYWRqVuu9qzNiOayIonKmv1gCXY=
@@ -118,24 +119,24 @@ github.com/sagernet/quic-go v0.48.2-beta.1/go.mod h1:1WgdDIVD1Gybp40JTWketeSfKA/
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.6.0-beta.6 h1:IFnTCG06Z5rLMZJqw1ZmDncDl2N9gsVw0MGvgakrpg8=
+github.com/sagernet/sing v0.6.0-beta.9 h1:P8lKa5hN53fRNAVCIKy5cWd6/kLO5c4slhdsfehSmHs=
-github.com/sagernet/sing v0.6.0-beta.6/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.6.0-beta.9/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-dns v0.4.0-beta.1 h1:W1XkdhigwxDOMgMDVB+9kdomCpb7ExsZfB4acPcTZFY=
 github.com/sagernet/sing-dns v0.4.0-beta.1/go.mod h1:8wuFcoFkWM4vJuQyg8e97LyvDwe0/Vl7G839WLcKDs8=
 github.com/sagernet/sing-mux v0.3.0-alpha.1 h1:IgNX5bJBpL41gGbp05pdDOvh/b5eUQ6cv9240+Ngipg=
 github.com/sagernet/sing-mux v0.3.0-alpha.1/go.mod h1:FTcImmdfW38Lz7b+HQ+mxxOth1lz4ao8uEnz+MwIJQE=
-github.com/sagernet/sing-quic v0.4.0-alpha.4 h1:P9xAx3nIfcqb9M8jfgs0uLm+VxCcaY++FCqaBfHY3dQ=
+github.com/sagernet/sing-quic v0.4.0-beta.3 h1:cOBjlhVdRZmBm6hIw1GleERpnTSFdBB2htgx5kQ5uqg=
-github.com/sagernet/sing-quic v0.4.0-alpha.4/go.mod h1:h5RkKTmUhudJKzK7c87FPXD5w1bJjVyxMN9+opZcctA=
+github.com/sagernet/sing-quic v0.4.0-beta.3/go.mod h1:1UNObFodd8CnS3aCT53x9cigjPSCl3P//8dfBMCwBDM=
 github.com/sagernet/sing-shadowsocks v0.2.7 h1:zaopR1tbHEw5Nk6FAkM05wCslV6ahVegEZaKMv9ipx8=
 github.com/sagernet/sing-shadowsocks v0.2.7/go.mod h1:0rIKJZBR65Qi0zwdKezt4s57y/Tl1ofkaq6NlkzVuyE=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.0-alpha.2 h1:RPrpgAdkP5td0vLfS5ldvYosFjSsZtRPxiyLV6jyKg0=
 github.com/sagernet/sing-shadowtls v0.2.0-alpha.2/go.mod h1:0j5XlzKxaWRIEjc1uiSKmVoWb0k+L9QgZVb876+thZA=
-github.com/sagernet/sing-tun v0.6.0-beta.6 h1:xaIHoH78MqTSvZqQ4SQto8pC1A+X4qXReDRNaC8DQeI=
+github.com/sagernet/sing-tun v0.6.0-beta.7 h1:FCSX8oGBqb0H57AAvfGeeH/jMGYWCOg6XWkN/oeES+0=
-github.com/sagernet/sing-tun v0.6.0-beta.6/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
+github.com/sagernet/sing-tun v0.6.0-beta.7/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
-github.com/sagernet/sing-vmess v0.2.0-beta.1 h1:5sXQ23uwNlZuDvygzi0dFtnG0Csm/SNqTjAHXJkpuj4=
+github.com/sagernet/sing-vmess v0.2.0-beta.2 h1:obAkAL35X7ql4RnGzDg4dBYIRpGXRKqcN4LyLZpZGSs=
-github.com/sagernet/sing-vmess v0.2.0-beta.1/go.mod h1:fLyE1emIcvQ5DV8reFWnufquZ7MkCSYM5ThodsR9NrQ=
+github.com/sagernet/sing-vmess v0.2.0-beta.2/go.mod h1:HGhf9XUdeE2iOWrX0hQNFgXPbKyGlzpeYFyX0c/pykk=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo=
 github.com/sagernet/utls v1.6.7 h1:Ep3+aJ8FUGGta+II2IEVNUc3EDhaRCZINWkj/LloIA8=
@@ -157,6 +158,8 @@ github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 h1:tHNk7XK9GkmKUR6Gh8gV
 github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+github.com/wiresock/ndisapi-go v0.0.0-20241230094942-3299a7566e08 h1:is+7xN6CAKtgxt3mDSl9OQNvjfi6LggugSP07QhDtws=
+github.com/wiresock/ndisapi-go v0.0.0-20241230094942-3299a7566e08/go.mod h1:lFE7JYt3LC2UYJ31mRDwl/K35pbtxDnkSDlXrYzgyqg=
 github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
 github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
@@ -171,8 +174,8 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
@@ -181,8 +184,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
 golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
-golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -190,14 +193,15 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
 golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

include/ndis.go

@@ -0,0 +1,12 @@
+//go:build windows && with_gvisor
+
+package include
+
+import (
+	"github.com/sagernet/sing-box/adapter/inbound"
+	"github.com/sagernet/sing-box/protocol/ndis"
+)
+
+func registerNDISInbound(registry *inbound.Registry) {
+	ndis.RegisterInbound(registry)
+}

include/ndis_nongvisor_stub.go

@@ -0,0 +1,20 @@
+//go:build windows && !with_gvisor
+
+package include
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/adapter/inbound"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-tun"
+)
+
+func registerNDISInbound(registry *inbound.Registry) {
+	inbound.Register[option.NDISInboundOptions](registry, C.TypeNDIS, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.NDISInboundOptions) (adapter.Inbound, error) {
+		return nil, tun.ErrGVisorNotIncluded
+	})
+}

include/ndis_nonwindows_stub.go

@@ -0,0 +1,20 @@
+//go:build !windows
+
+package include
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/adapter/inbound"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func registerNDISInbound(registry *inbound.Registry) {
+	inbound.Register[option.NDISInboundOptions](registry, C.TypeNDIS, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.NDISInboundOptions) (adapter.Inbound, error) {
+		return nil, E.New("NDIS is only supported in windows")
+	})
+}

include/registry.go

@@ -51,6 +51,7 @@ func InboundRegistry() *inbound.Registry {
 
 	registerQUICInbounds(registry)
 	registerStubForRemovedInbounds(registry)
+	registerNDISInbound(registry)
 
 	return registry
 }

option/debug.go

@@ -13,7 +13,7 @@ type DebugOptions struct {
 	PanicOnFault *bool       `json:"panic_on_fault,omitempty"`
 	TraceBack    string      `json:"trace_back,omitempty"`
 	MemoryLimit  MemoryBytes `json:"memory_limit,omitempty"`
-	OOMKiller    *bool       `json:"oom_killer,omitempty"`
+	OOMKiller    bool        `json:"oom_killer,omitempty"`
 }
 
 type MemoryBytes uint64

option/hysteria2.go

@@ -111,11 +111,13 @@ type Hysteria2MasqueradeString struct {
 type Hysteria2OutboundOptions struct {
 	DialerOptions
 	ServerOptions
-	UpMbps   int            `json:"up_mbps,omitempty"`
+	ServerPorts badoption.Listable[string] `json:"server_ports,omitempty"`
-	DownMbps int            `json:"down_mbps,omitempty"`
+	HopInterval badoption.Duration         `json:"hop_interval,omitempty"`
-	Obfs     *Hysteria2Obfs `json:"obfs,omitempty"`
+	UpMbps      int                        `json:"up_mbps,omitempty"`
-	Password string         `json:"password,omitempty"`
+	DownMbps    int                        `json:"down_mbps,omitempty"`
-	Network  NetworkList    `json:"network,omitempty"`
+	Obfs        *Hysteria2Obfs             `json:"obfs,omitempty"`
+	Password    string                     `json:"password,omitempty"`
+	Network     NetworkList                `json:"network,omitempty"`
 	OutboundTLSOptionsContainer
 	BrutalDebug bool `json:"brutal_debug,omitempty"`
 }

option/ndis.go

@@ -0,0 +1,17 @@
+package option
+
+import (
+	"net/netip"
+
+	"github.com/sagernet/sing/common/json/badoption"
+)
+
+type NDISInboundOptions struct {
+	Network                NetworkList                      `json:"network,omitempty"`
+	RouteAddress           badoption.Listable[netip.Prefix] `json:"route_address,omitempty"`
+	RouteAddressSet        badoption.Listable[string]       `json:"route_address_set,omitempty"`
+	RouteExcludeAddress    badoption.Listable[netip.Prefix] `json:"route_exclude_address,omitempty"`
+	RouteExcludeAddressSet badoption.Listable[string]       `json:"route_exclude_address_set,omitempty"`
+	InterfaceName          string                           `json:"interface_name,omitempty"`
+	UDPTimeout             UDPTimeoutCompat                 `json:"udp_timeout,omitempty"`
+}

option/outbound.go

@@ -65,25 +65,24 @@ type DialerOptionsWrapper interface {
 }
 
 type DialerOptions struct {
-	Detour               string                            `json:"detour,omitempty"`
+	Detour              string                            `json:"detour,omitempty"`
-	BindInterface        string                            `json:"bind_interface,omitempty"`
+	BindInterface       string                            `json:"bind_interface,omitempty"`
-	Inet4BindAddress     *badoption.Addr                   `json:"inet4_bind_address,omitempty"`
+	Inet4BindAddress    *badoption.Addr                   `json:"inet4_bind_address,omitempty"`
-	Inet6BindAddress     *badoption.Addr                   `json:"inet6_bind_address,omitempty"`
+	Inet6BindAddress    *badoption.Addr                   `json:"inet6_bind_address,omitempty"`
-	ProtectPath          string                            `json:"protect_path,omitempty"`
+	ProtectPath         string                            `json:"protect_path,omitempty"`
-	RoutingMark          FwMark                            `json:"routing_mark,omitempty"`
+	RoutingMark         FwMark                            `json:"routing_mark,omitempty"`
-	ReuseAddr            bool                              `json:"reuse_addr,omitempty"`
+	ReuseAddr           bool                              `json:"reuse_addr,omitempty"`
-	ConnectTimeout       badoption.Duration                `json:"connect_timeout,omitempty"`
+	ConnectTimeout      badoption.Duration                `json:"connect_timeout,omitempty"`
-	TCPFastOpen          bool                              `json:"tcp_fast_open,omitempty"`
+	TCPFastOpen         bool                              `json:"tcp_fast_open,omitempty"`
-	TCPMultiPath         bool                              `json:"tcp_multi_path,omitempty"`
+	TCPMultiPath        bool                              `json:"tcp_multi_path,omitempty"`
-	UDPFragment          *bool                             `json:"udp_fragment,omitempty"`
+	UDPFragment         *bool                             `json:"udp_fragment,omitempty"`
-	UDPFragmentDefault   bool                              `json:"-"`
+	UDPFragmentDefault  bool                              `json:"-"`
-	DomainStrategy       DomainStrategy                    `json:"domain_strategy,omitempty"`
+	DomainStrategy      DomainStrategy                    `json:"domain_strategy,omitempty"`
-	NetworkStrategy      NetworkStrategy                   `json:"network_strategy,omitempty"`
+	NetworkStrategy     *NetworkStrategy                  `json:"network_strategy,omitempty"`
-	NetworkType          badoption.Listable[InterfaceType] `json:"network_type,omitempty"`
+	NetworkType         badoption.Listable[InterfaceType] `json:"network_type,omitempty"`
-	FallbackNetworkType  badoption.Listable[InterfaceType] `json:"fallback_network_type,omitempty"`
+	FallbackNetworkType badoption.Listable[InterfaceType] `json:"fallback_network_type,omitempty"`
-	FallbackDelay        badoption.Duration                `json:"fallback_delay,omitempty"`
+	FallbackDelay       badoption.Duration                `json:"fallback_delay,omitempty"`
-	NetworkFallbackDelay badoption.Duration                `json:"network_fallback_delay,omitempty"`
+	IsWireGuardListener bool                              `json:"-"`
-	IsWireGuardListener  bool                              `json:"-"`
 }
 
 func (o *DialerOptions) TakeDialerOptions() DialerOptions {

option/route.go

@@ -13,7 +13,7 @@ type RouteOptions struct {
 	OverrideAndroidVPN         bool                              `json:"override_android_vpn,omitempty"`
 	DefaultInterface           string                            `json:"default_interface,omitempty"`
 	DefaultMark                FwMark                            `json:"default_mark,omitempty"`
-	DefaultNetworkStrategy     NetworkStrategy                   `json:"default_network_strategy,omitempty"`
+	DefaultNetworkStrategy     *NetworkStrategy                  `json:"default_network_strategy,omitempty"`
 	DefaultNetworkType         badoption.Listable[InterfaceType] `json:"default_network_type,omitempty"`
 	DefaultFallbackNetworkType badoption.Listable[InterfaceType] `json:"default_fallback_network_type,omitempty"`
 	DefaultFallbackDelay       badoption.Duration                `json:"default_fallback_delay,omitempty"`

option/rule_action.go

@@ -145,8 +145,8 @@ type RawRouteOptionsActionOptions struct {
 	OverrideAddress string `json:"override_address,omitempty"`
 	OverridePort    uint16 `json:"override_port,omitempty"`
 
-	NetworkStrategy NetworkStrategy `json:"network_strategy,omitempty"`
+	NetworkStrategy *NetworkStrategy `json:"network_strategy,omitempty"`
-	FallbackDelay   uint32          `json:"fallback_delay,omitempty"`
+	FallbackDelay   uint32           `json:"fallback_delay,omitempty"`
 
 	UDPDisableDomainUnmapping bool               `json:"udp_disable_domain_unmapping,omitempty"`
 	UDPConnect                bool               `json:"udp_connect,omitempty"`

option/rule_set.go

@@ -194,8 +194,9 @@ func (r LogicalHeadlessRule) IsValid() bool {
 }
 
 type _PlainRuleSetCompat struct {
-	Version uint8        `json:"version"`
+	Version    uint8           `json:"version"`
-	Options PlainRuleSet `json:"-"`
+	Options    PlainRuleSet    `json:"-"`
+	RawMessage json.RawMessage `json:"-"`
 }
 
 type PlainRuleSetCompat _PlainRuleSetCompat
@@ -229,6 +230,7 @@ func (r *PlainRuleSetCompat) UnmarshalJSON(bytes []byte) error {
 	if err != nil {
 		return err
 	}
+	r.RawMessage = bytes
 	return nil
 }
 

protocol/direct/outbound.go

@@ -32,16 +32,12 @@ var (
 
 type Outbound struct {
 	outbound.Adapter
-	logger               logger.ContextLogger
+	logger              logger.ContextLogger
-	dialer               dialer.ParallelInterfaceDialer
+	dialer              dialer.ParallelInterfaceDialer
-	domainStrategy       dns.DomainStrategy
+	domainStrategy      dns.DomainStrategy
-	fallbackDelay        time.Duration
+	fallbackDelay       time.Duration
-	networkStrategy      C.NetworkStrategy
+	overrideOption      int
-	networkType          []C.InterfaceType
+	overrideDestination M.Socksaddr
-	fallbackNetworkType  []C.InterfaceType
-	networkFallbackDelay time.Duration
-	overrideOption       int
-	overrideDestination  M.Socksaddr
 	// loopBack *loopBackDetector
 }
 
@@ -52,15 +48,11 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		return nil, err
 	}
 	outbound := &Outbound{
-		Adapter:              outbound.NewAdapterWithDialerOptions(C.TypeDirect, tag, []string{N.NetworkTCP, N.NetworkUDP}, options.DialerOptions),
+		Adapter:        outbound.NewAdapterWithDialerOptions(C.TypeDirect, tag, []string{N.NetworkTCP, N.NetworkUDP}, options.DialerOptions),
-		logger:               logger,
+		logger:         logger,
-		domainStrategy:       dns.DomainStrategy(options.DomainStrategy),
+		domainStrategy: dns.DomainStrategy(options.DomainStrategy),
-		fallbackDelay:        time.Duration(options.FallbackDelay),
+		fallbackDelay:  time.Duration(options.FallbackDelay),
-		networkStrategy:      C.NetworkStrategy(options.NetworkStrategy),
+		dialer:         outboundDialer,
-		networkType:          common.Map(options.NetworkType, option.InterfaceType.Build),
-		fallbackNetworkType:  common.Map(options.FallbackNetworkType, option.InterfaceType.Build),
-		networkFallbackDelay: time.Duration(options.NetworkFallbackDelay),
-		dialer:               outboundDialer,
 		// loopBack:       newLoopBackDetector(router),
 	}
 	//nolint:staticcheck
@@ -178,10 +170,10 @@ func (h *Outbound) DialParallel(ctx context.Context, network string, destination
 			return nil, E.New("no IPv6 address available for ", destination)
 		}
 	}
-	return dialer.DialParallelNetwork(ctx, h.dialer, network, destination, destinationAddresses, domainStrategy == dns.DomainStrategyPreferIPv6, h.networkStrategy, h.networkType, h.fallbackNetworkType, h.fallbackDelay)
+	return dialer.DialParallelNetwork(ctx, h.dialer, network, destination, destinationAddresses, domainStrategy == dns.DomainStrategyPreferIPv6, nil, nil, nil, h.fallbackDelay)
 }
 
-func (h *Outbound) DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, networkStrategy C.NetworkStrategy, networkType []C.InterfaceType, fallbackNetworkType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func (h *Outbound) DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, networkStrategy *C.NetworkStrategy, networkType []C.InterfaceType, fallbackNetworkType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
@@ -221,7 +213,7 @@ func (h *Outbound) DialParallelNetwork(ctx context.Context, network string, dest
 	return dialer.DialParallelNetwork(ctx, h.dialer, network, destination, destinationAddresses, domainStrategy == dns.DomainStrategyPreferIPv6, networkStrategy, networkType, fallbackNetworkType, fallbackDelay)
 }
 
-func (h *Outbound) ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, networkStrategy C.NetworkStrategy, networkType []C.InterfaceType, fallbackNetworkType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
+func (h *Outbound) ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, networkStrategy *C.NetworkStrategy, networkType []C.InterfaceType, fallbackNetworkType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination

protocol/http/inbound.go

@@ -82,16 +82,16 @@ func (h *Inbound) Close() error {
 }
 
 func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
-	var err error
 	if h.tlsConfig != nil {
-		conn, err = tls.ServerHandshake(ctx, conn, h.tlsConfig)
+		tlsConn, err := tls.ServerHandshake(ctx, conn, h.tlsConfig)
 		if err != nil {
 			N.CloseOnHandshakeFailure(conn, onClose, err)
 			h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source, ": TLS handshake"))
 			return
 		}
+		conn = tlsConn
 	}
-	err = http.HandleConnectionEx(ctx, conn, std_bufio.NewReader(conn), h.authenticator, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), metadata.Source, onClose)
+	err := http.HandleConnectionEx(ctx, conn, std_bufio.NewReader(conn), h.authenticator, adapter.NewUpstreamHandlerEx(metadata, h.newUserConnection, h.streamUserPacketConnection), metadata.Source, onClose)
 	if err != nil {
 		N.CloseOnHandshakeFailure(conn, onClose, err)
 		h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source))

protocol/hysteria/inbound.go

@@ -67,7 +67,7 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 	if len(options.Down) > 0 {
 		receiveBps, err = humanize.ParseBytes(options.Down)
 		if err != nil {
-			return nil, E.New("invalid down speed format: ", options.Down)
+			return nil, E.Cause(err, "invalid down speed format: ", options.Down)
 		}
 	} else {
 		receiveBps = uint64(options.DownMbps) * hysteria.MbpsToBps

protocol/hysteria2/outbound.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"os"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/adapter/outbound"
@@ -70,6 +71,8 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		Logger:             logger,
 		BrutalDebug:        options.BrutalDebug,
 		ServerAddress:      options.ServerOptions.Build(),
+		ServerPorts:        options.ServerPorts,
+		HopInterval:        time.Duration(options.HopInterval),
 		SendBPS:            uint64(options.UpMbps * hysteria.MbpsToBps),
 		ReceiveBPS:         uint64(options.DownMbps * hysteria.MbpsToBps),
 		SalamanderPassword: salamanderPassword,

protocol/mixed/inbound.go

@@ -110,11 +110,19 @@ func (h *Inbound) streamUserPacketConnection(ctx context.Context, conn N.PacketC
 	metadata.InboundType = h.Type()
 	user, loaded := auth.UserFromContext[string](ctx)
 	if !loaded {
-		h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
+		if !metadata.Destination.IsValid() {
+			h.logger.InfoContext(ctx, "inbound packet connection")
+		} else {
+			h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
+		}
 		h.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 		return
 	}
 	metadata.User = user
-	h.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
+	if !metadata.Destination.IsValid() {
+		h.logger.InfoContext(ctx, "[", user, "] inbound packet connection")
+	} else {
+		h.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
+	}
 	h.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 }

protocol/ndis/endpoint.go

@@ -0,0 +1,110 @@
+//go:build windows
+
+package ndis
+
+import (
+	"sync"
+
+	"github.com/sagernet/gvisor/pkg/buffer"
+	"github.com/sagernet/gvisor/pkg/tcpip"
+	"github.com/sagernet/gvisor/pkg/tcpip/header"
+	"github.com/sagernet/gvisor/pkg/tcpip/stack"
+
+	"github.com/wiresock/ndisapi-go"
+	"github.com/wiresock/ndisapi-go/driver"
+)
+
+var _ stack.LinkEndpoint = (*ndisEndpoint)(nil)
+
+type ndisEndpoint struct {
+	filter     *driver.QueuedPacketFilter
+	mtu        uint32
+	address    tcpip.LinkAddress
+	dispatcher stack.NetworkDispatcher
+}
+
+func (e *ndisEndpoint) MTU() uint32 {
+	return e.mtu
+}
+
+func (e *ndisEndpoint) SetMTU(mtu uint32) {
+}
+
+func (e *ndisEndpoint) MaxHeaderLength() uint16 {
+	return header.EthernetMinimumSize
+}
+
+func (e *ndisEndpoint) LinkAddress() tcpip.LinkAddress {
+	return e.address
+}
+
+func (e *ndisEndpoint) SetLinkAddress(addr tcpip.LinkAddress) {
+}
+
+func (e *ndisEndpoint) Capabilities() stack.LinkEndpointCapabilities {
+	return 0
+}
+
+func (e *ndisEndpoint) Attach(dispatcher stack.NetworkDispatcher) {
+	e.dispatcher = dispatcher
+}
+
+func (e *ndisEndpoint) IsAttached() bool {
+	return e.dispatcher != nil
+}
+
+func (e *ndisEndpoint) Wait() {
+}
+
+func (e *ndisEndpoint) ARPHardwareType() header.ARPHardwareType {
+	return header.ARPHardwareEther
+}
+
+func (e *ndisEndpoint) AddHeader(pkt *stack.PacketBuffer) {
+	eth := header.Ethernet(pkt.LinkHeader().Push(header.EthernetMinimumSize))
+	fields := header.EthernetFields{
+		SrcAddr: pkt.EgressRoute.LocalLinkAddress,
+		DstAddr: pkt.EgressRoute.RemoteLinkAddress,
+		Type:    pkt.NetworkProtocolNumber,
+	}
+	eth.Encode(&fields)
+}
+
+func (e *ndisEndpoint) ParseHeader(pkt *stack.PacketBuffer) bool {
+	_, ok := pkt.LinkHeader().Consume(header.EthernetMinimumSize)
+	return ok
+}
+
+func (e *ndisEndpoint) Close() {
+}
+
+func (e *ndisEndpoint) SetOnCloseAction(f func()) {
+}
+
+var bufferPool = sync.Pool{
+	New: func() any {
+		return new(ndisapi.IntermediateBuffer)
+	},
+}
+
+func (e *ndisEndpoint) WritePackets(list stack.PacketBufferList) (int, tcpip.Error) {
+	for _, packetBuffer := range list.AsSlice() {
+		ndisBuf := bufferPool.Get().(*ndisapi.IntermediateBuffer)
+		viewList, offset := packetBuffer.AsViewList()
+		var view *buffer.View
+		for view = viewList.Front(); view != nil && offset >= view.Size(); view = view.Next() {
+			offset -= view.Size()
+		}
+		index := copy(ndisBuf.Buffer[:], view.AsSlice()[offset:])
+		for view = view.Next(); view != nil; view = view.Next() {
+			index += copy(ndisBuf.Buffer[index:], view.AsSlice())
+		}
+		ndisBuf.Length = uint32(index)
+		err := e.filter.InsertPacketToMstcp(ndisBuf)
+		bufferPool.Put(ndisBuf)
+		if err != nil {
+			return 0, &tcpip.ErrAborted{}
+		}
+	}
+	return list.Len(), nil
+}

protocol/ndis/inbound.go

@@ -0,0 +1,203 @@
+//go:build windows
+
+package ndis
+
+import (
+	"context"
+	"net"
+	"net/netip"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/adapter/inbound"
+	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/taskmonitor"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/x/list"
+	"github.com/sagernet/sing/service"
+
+	"github.com/wiresock/ndisapi-go"
+	"go4.org/netipx"
+)
+
+func RegisterInbound(registry *inbound.Registry) {
+	inbound.Register[option.NDISInboundOptions](registry, C.TypeNDIS, NewInbound)
+}
+
+type Inbound struct {
+	inbound.Adapter
+	ctx                         context.Context
+	router                      adapter.Router
+	logger                      log.ContextLogger
+	api                         *ndisapi.NdisApi
+	tracker                     conntrack.Tracker
+	routeAddress                []netip.Prefix
+	routeExcludeAddress         []netip.Prefix
+	routeRuleSet                []adapter.RuleSet
+	routeRuleSetCallback        []*list.Element[adapter.RuleSetUpdateCallback]
+	routeExcludeRuleSet         []adapter.RuleSet
+	routeExcludeRuleSetCallback []*list.Element[adapter.RuleSetUpdateCallback]
+	stack                       *Stack
+}
+
+func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.NDISInboundOptions) (adapter.Inbound, error) {
+	api, err := ndisapi.NewNdisApi()
+	if err != nil {
+		return nil, E.Cause(err, "create NDIS API")
+	}
+	//if !api.IsDriverLoaded() {
+	//	return nil, E.New("missing NDIS driver")
+	//}
+	networkManager := service.FromContext[adapter.NetworkManager](ctx)
+	trackerOut := service.FromContext[conntrack.Tracker](ctx)
+	var udpTimeout time.Duration
+	if options.UDPTimeout != 0 {
+		udpTimeout = time.Duration(options.UDPTimeout)
+	} else {
+		udpTimeout = C.UDPTimeout
+	}
+	var (
+		routeRuleSet        []adapter.RuleSet
+		routeExcludeRuleSet []adapter.RuleSet
+	)
+	for _, routeAddressSet := range options.RouteAddressSet {
+		ruleSet, loaded := router.RuleSet(routeAddressSet)
+		if !loaded {
+			return nil, E.New("parse route_address_set: rule-set not found: ", routeAddressSet)
+		}
+		ruleSet.IncRef()
+		routeRuleSet = append(routeRuleSet, ruleSet)
+	}
+	for _, routeExcludeAddressSet := range options.RouteExcludeAddressSet {
+		ruleSet, loaded := router.RuleSet(routeExcludeAddressSet)
+		if !loaded {
+			return nil, E.New("parse route_exclude_address_set: rule-set not found: ", routeExcludeAddressSet)
+		}
+		ruleSet.IncRef()
+		routeExcludeRuleSet = append(routeExcludeRuleSet, ruleSet)
+	}
+	trackerIn := conntrack.NewDefaultTracker(false, 0)
+	return &Inbound{
+		Adapter:             inbound.NewAdapter(C.TypeNDIS, tag),
+		ctx:                 ctx,
+		router:              router,
+		logger:              logger,
+		api:                 api,
+		tracker:             trackerIn,
+		routeRuleSet:        routeRuleSet,
+		routeExcludeRuleSet: routeExcludeRuleSet,
+		stack: &Stack{
+			ctx:                 ctx,
+			logger:              logger,
+			network:             networkManager,
+			trackerIn:           trackerIn,
+			trackerOut:          trackerOut,
+			api:                 api,
+			udpTimeout:          udpTimeout,
+			routeAddress:        options.RouteAddress,
+			routeExcludeAddress: options.RouteExcludeAddress,
+		},
+	}, nil
+}
+
+func (t *Inbound) Start(stage adapter.StartStage) error {
+	switch stage {
+	case adapter.StartStateStart:
+		monitor := taskmonitor.New(t.logger, C.StartTimeout)
+		var (
+			routeAddressSet        []*netipx.IPSet
+			routeExcludeAddressSet []*netipx.IPSet
+		)
+		for _, routeRuleSet := range t.routeRuleSet {
+			ipSets := routeRuleSet.ExtractIPSet()
+			if len(ipSets) == 0 {
+				t.logger.Warn("route_address_set: no destination IP CIDR rules found in rule-set: ", routeRuleSet.Name())
+			}
+			t.routeRuleSetCallback = append(t.routeRuleSetCallback, routeRuleSet.RegisterCallback(t.updateRouteAddressSet))
+			routeRuleSet.DecRef()
+			routeAddressSet = append(routeAddressSet, ipSets...)
+		}
+		for _, routeExcludeRuleSet := range t.routeExcludeRuleSet {
+			ipSets := routeExcludeRuleSet.ExtractIPSet()
+			if len(ipSets) == 0 {
+				t.logger.Warn("route_exclude_address_set: no destination IP CIDR rules found in rule-set: ", routeExcludeRuleSet.Name())
+			}
+			t.routeExcludeRuleSetCallback = append(t.routeExcludeRuleSetCallback, routeExcludeRuleSet.RegisterCallback(t.updateRouteAddressSet))
+			routeExcludeRuleSet.DecRef()
+			routeExcludeAddressSet = append(routeExcludeAddressSet, ipSets...)
+		}
+		t.stack.routeAddressSet = routeAddressSet
+		t.stack.routeExcludeAddressSet = routeExcludeAddressSet
+		monitor.Start("starting NDIS stack")
+		t.stack.handler = t
+		err := t.stack.Start()
+		monitor.Finish()
+		if err != nil {
+			return E.Cause(err, "starting NDIS stack")
+		}
+	}
+	return nil
+}
+
+func (t *Inbound) Close() error {
+	if t.api != nil {
+		t.stack.Close()
+		t.api.Close()
+	}
+	return nil
+}
+
+func (t *Inbound) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr) error {
+	return t.router.PreMatch(adapter.InboundContext{
+		Inbound:     t.Tag(),
+		InboundType: C.TypeNDIS,
+		Network:     network,
+		Source:      source,
+		Destination: destination,
+	})
+}
+
+func (t *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+	ctx = log.ContextWithNewID(ctx)
+	var metadata adapter.InboundContext
+	metadata.Inbound = t.Tag()
+	metadata.InboundType = C.TypeNDIS
+	metadata.Source = source
+	metadata.Destination = destination
+	t.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
+	t.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
+	done, err := t.tracker.NewConnEx(conn)
+	if err != nil {
+		t.logger.ErrorContext(ctx, E.Cause(err, "track inbound connection"))
+		return
+	}
+	t.router.RouteConnectionEx(ctx, conn, metadata, N.AppendClose(onClose, done))
+}
+
+func (t *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+	ctx = log.ContextWithNewID(ctx)
+	var metadata adapter.InboundContext
+	metadata.Inbound = t.Tag()
+	metadata.InboundType = C.TypeNDIS
+	metadata.Source = source
+	metadata.Destination = destination
+	t.logger.InfoContext(ctx, "inbound packet connection from ", metadata.Source)
+	t.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
+	done, err := t.tracker.NewPacketConnEx(conn)
+	if err != nil {
+		t.logger.ErrorContext(ctx, E.Cause(err, "track inbound connection"))
+		return
+	}
+	t.router.RoutePacketConnectionEx(ctx, conn, metadata, N.AppendClose(onClose, done))
+}
+
+func (t *Inbound) updateRouteAddressSet(it adapter.RuleSet) {
+	t.stack.routeAddressSet = common.FlatMap(t.routeRuleSet, adapter.RuleSet.ExtractIPSet)
+	t.stack.routeExcludeAddressSet = common.FlatMap(t.routeExcludeRuleSet, adapter.RuleSet.ExtractIPSet)
+}

protocol/ndis/stack.go

@@ -0,0 +1,267 @@
+//go:build windows
+
+package ndis
+
+import (
+	"context"
+	"net/netip"
+	"time"
+
+	"github.com/sagernet/gvisor/pkg/buffer"
+	"github.com/sagernet/gvisor/pkg/tcpip"
+	"github.com/sagernet/gvisor/pkg/tcpip/header"
+	"github.com/sagernet/gvisor/pkg/tcpip/stack"
+	"github.com/sagernet/gvisor/pkg/tcpip/transport/tcp"
+	"github.com/sagernet/gvisor/pkg/tcpip/transport/udp"
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-tun"
+	"github.com/sagernet/sing/common/control"
+	"github.com/sagernet/sing/common/debug"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+
+	"github.com/wiresock/ndisapi-go"
+	"github.com/wiresock/ndisapi-go/driver"
+	"go4.org/netipx"
+	"golang.org/x/net/ipv4"
+	"golang.org/x/net/ipv6"
+)
+
+type Stack struct {
+	ctx                    context.Context
+	logger                 logger.ContextLogger
+	network                adapter.NetworkManager
+	trackerIn              conntrack.Tracker
+	trackerOut             conntrack.Tracker
+	api                    *ndisapi.NdisApi
+	handler                tun.Handler
+	udpTimeout             time.Duration
+	filter                 *driver.QueuedPacketFilter
+	stack                  *stack.Stack
+	endpoint               *ndisEndpoint
+	routeAddress           []netip.Prefix
+	routeExcludeAddress    []netip.Prefix
+	routeAddressSet        []*netipx.IPSet
+	routeExcludeAddressSet []*netipx.IPSet
+	currentInterface       *control.Interface
+}
+
+func (s *Stack) Start() error {
+	err := s.start(s.network.InterfaceMonitor().DefaultInterface())
+	if err != nil {
+		return err
+	}
+	s.network.InterfaceMonitor().RegisterCallback(s.updateDefaultInterface)
+	return nil
+}
+
+func (s *Stack) updateDefaultInterface(defaultInterface *control.Interface, flags int) {
+	if s.currentInterface.Equals(*defaultInterface) {
+		return
+	}
+	err := s.start(defaultInterface)
+	if err != nil {
+		s.logger.Error(E.Cause(err, "reconfigure NDIS at: ", defaultInterface.Name))
+	}
+}
+
+func (s *Stack) start(defaultInterface *control.Interface) error {
+	_ = s.Close()
+	adapters, err := s.api.GetTcpipBoundAdaptersInfo()
+	if err != nil {
+		return err
+	}
+	if defaultInterface != nil {
+		for index := 0; index < int(adapters.AdapterCount); index++ {
+			name := s.api.ConvertWindows2000AdapterName(string(adapters.AdapterNameList[index][:]))
+			if name != defaultInterface.Name {
+				continue
+			}
+			s.filter, err = driver.NewQueuedPacketFilter(s.api, adapters, nil, s.processOut)
+			if err != nil {
+				return err
+			}
+			address := tcpip.LinkAddress(adapters.CurrentAddress[index][:])
+			mtu := uint32(adapters.MTU[index])
+			endpoint := &ndisEndpoint{
+				filter:  s.filter,
+				mtu:     mtu,
+				address: address,
+			}
+			s.stack, err = tun.NewGVisorStack(endpoint)
+			if err != nil {
+				s.filter = nil
+				return err
+			}
+			s.stack.SetTransportProtocolHandler(tcp.ProtocolNumber, tun.NewTCPForwarder(s.ctx, s.stack, s.handler).HandlePacket)
+			s.stack.SetTransportProtocolHandler(udp.ProtocolNumber, tun.NewUDPForwarder(s.ctx, s.stack, s.handler, s.udpTimeout).HandlePacket)
+			err = s.filter.StartFilter(index)
+			if err != nil {
+				s.filter = nil
+				s.stack.Close()
+				s.stack = nil
+				return err
+			}
+			s.endpoint = endpoint
+			s.logger.Info("started at ", defaultInterface.Name)
+			break
+		}
+	}
+	s.currentInterface = defaultInterface
+	return nil
+}
+
+func (s *Stack) Close() error {
+	if s.filter != nil {
+		s.filter.StopFilter()
+		s.filter.Close()
+		s.filter = nil
+	}
+	if s.stack != nil {
+		s.stack.Close()
+		for _, endpoint := range s.stack.CleanupEndpoints() {
+			endpoint.Abort()
+		}
+		s.stack = nil
+	}
+	return nil
+}
+
+func (s *Stack) processOut(handle ndisapi.Handle, packet *ndisapi.IntermediateBuffer) ndisapi.FilterAction {
+	if packet.Length < header.EthernetMinimumSize {
+		return ndisapi.FilterActionPass
+	}
+	if s.endpoint.dispatcher == nil || s.filterPacket(packet.Buffer[:packet.Length]) {
+		return ndisapi.FilterActionPass
+	}
+	packetBuffer := stack.NewPacketBuffer(stack.PacketBufferOptions{
+		Payload: buffer.MakeWithData(packet.Buffer[:packet.Length]),
+	})
+	_, ok := packetBuffer.LinkHeader().Consume(header.EthernetMinimumSize)
+	if !ok {
+		packetBuffer.DecRef()
+		return ndisapi.FilterActionPass
+	}
+	ethHdr := header.Ethernet(packetBuffer.LinkHeader().Slice())
+	destinationAddress := ethHdr.DestinationAddress()
+	if destinationAddress == header.EthernetBroadcastAddress {
+		packetBuffer.PktType = tcpip.PacketBroadcast
+	} else if header.IsMulticastEthernetAddress(destinationAddress) {
+		packetBuffer.PktType = tcpip.PacketMulticast
+	} else if destinationAddress == s.endpoint.address {
+		packetBuffer.PktType = tcpip.PacketHost
+	} else {
+		packetBuffer.PktType = tcpip.PacketOtherHost
+	}
+	s.endpoint.dispatcher.DeliverNetworkPacket(ethHdr.Type(), packetBuffer)
+	packetBuffer.DecRef()
+	return ndisapi.FilterActionDrop
+}
+
+func (s *Stack) filterPacket(packet []byte) bool {
+	var ipHdr header.Network
+	switch header.IPVersion(packet[header.EthernetMinimumSize:]) {
+	case ipv4.Version:
+		ipHdr = header.IPv4(packet[header.EthernetMinimumSize:])
+	case ipv6.Version:
+		ipHdr = header.IPv6(packet[header.EthernetMinimumSize:])
+	default:
+		return true
+	}
+	sourceAddr := tun.AddrFromAddress(ipHdr.SourceAddress())
+	destinationAddr := tun.AddrFromAddress(ipHdr.DestinationAddress())
+	if !destinationAddr.IsGlobalUnicast() {
+		return true
+	}
+	var (
+		transportProtocol tcpip.TransportProtocolNumber
+		transportHdr      header.Transport
+	)
+	switch ipHdr.TransportProtocol() {
+	case tcp.ProtocolNumber:
+		transportProtocol = header.TCPProtocolNumber
+		transportHdr = header.TCP(ipHdr.Payload())
+	case udp.ProtocolNumber:
+		transportProtocol = header.UDPProtocolNumber
+		transportHdr = header.UDP(ipHdr.Payload())
+	default:
+		return false
+	}
+	source := netip.AddrPortFrom(sourceAddr, transportHdr.SourcePort())
+	destination := netip.AddrPortFrom(destinationAddr, transportHdr.DestinationPort())
+	if transportProtocol == header.TCPProtocolNumber {
+		if s.trackerIn.CheckConn(source, destination) {
+			if debug.Enabled {
+				s.logger.Trace("fall exists TCP ", source, " ", destination)
+			}
+			return false
+		}
+	} else {
+		if s.trackerIn.CheckPacketConn(source) {
+			if debug.Enabled {
+				s.logger.Trace("fall exists UDP ", source, " ", destination)
+			}
+		}
+	}
+	if len(s.routeAddress) > 0 {
+		var match bool
+		for _, route := range s.routeAddress {
+			if route.Contains(destinationAddr) {
+				match = true
+			}
+		}
+		if !match {
+			return true
+		}
+	}
+	if len(s.routeAddressSet) > 0 {
+		var match bool
+		for _, ipSet := range s.routeAddressSet {
+			if ipSet.Contains(destinationAddr) {
+				match = true
+			}
+		}
+		if !match {
+			return true
+		}
+	}
+	if len(s.routeExcludeAddress) > 0 {
+		for _, address := range s.routeExcludeAddress {
+			if address.Contains(destinationAddr) {
+				return true
+			}
+		}
+	}
+	if len(s.routeExcludeAddressSet) > 0 {
+		for _, ipSet := range s.routeAddressSet {
+			if ipSet.Contains(destinationAddr) {
+				return true
+			}
+		}
+	}
+	if s.trackerOut.CheckDestination(destination) {
+		if debug.Enabled {
+			s.logger.Trace("passing pending ", source, " ", destination)
+		}
+		return true
+	}
+	if transportProtocol == header.TCPProtocolNumber {
+		if s.trackerOut.CheckConn(source, destination) {
+			if debug.Enabled {
+				s.logger.Trace("passing TCP ", source, " ", destination)
+			}
+			return true
+		}
+	} else {
+		if s.trackerOut.CheckPacketConn(source) {
+			if debug.Enabled {
+				s.logger.Trace("passing UDP ", source, " ", destination)
+			}
+		}
+	}
+	if debug.Enabled {
+		s.logger.Trace("fall ", source, " ", destination)
+	}
+	return false
+}

protocol/socks/inbound.go

@@ -92,11 +92,19 @@ func (h *Inbound) streamUserPacketConnection(ctx context.Context, conn N.PacketC
 	metadata.InboundType = h.Type()
 	user, loaded := auth.UserFromContext[string](ctx)
 	if !loaded {
-		h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
+		if !metadata.Destination.IsValid() {
+			h.logger.InfoContext(ctx, "inbound packet connection")
+		} else {
+			h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
+		}
 		h.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 		return
 	}
 	metadata.User = user
-	h.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
+	if !metadata.Destination.IsValid() {
+		h.logger.InfoContext(ctx, "[", user, "] inbound packet connection")
+	} else {
+		h.logger.InfoContext(ctx, "[", user, "] inbound packet connection to ", metadata.Destination)
+	}
 	h.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 }

protocol/trojan/inbound.go

@@ -159,16 +159,16 @@ func (h *Inbound) Close() error {
 }
 
 func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
-	var err error
 	if h.tlsConfig != nil && h.transport == nil {
-		conn, err = tls.ServerHandshake(ctx, conn, h.tlsConfig)
+		tlsConn, err := tls.ServerHandshake(ctx, conn, h.tlsConfig)
 		if err != nil {
 			N.CloseOnHandshakeFailure(conn, onClose, err)
 			h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source, ": TLS handshake"))
 			return
 		}
+		conn = tlsConn
 	}
-	err = h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, metadata.Source, onClose)
+	err := h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, metadata.Source, onClose)
 	if err != nil {
 		N.CloseOnHandshakeFailure(conn, onClose, err)
 		h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source))

protocol/tun/inbound.go

@@ -209,6 +209,22 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		platformInterface: service.FromContext[platform.Interface](ctx),
 		platformOptions:   common.PtrValueOrDefault(options.Platform),
 	}
+	for _, routeAddressSet := range options.RouteAddressSet {
+		ruleSet, loaded := router.RuleSet(routeAddressSet)
+		if !loaded {
+			return nil, E.New("parse route_address_set: rule-set not found: ", routeAddressSet)
+		}
+		ruleSet.IncRef()
+		inbound.routeRuleSet = append(inbound.routeRuleSet, ruleSet)
+	}
+	for _, routeExcludeAddressSet := range options.RouteExcludeAddressSet {
+		ruleSet, loaded := router.RuleSet(routeExcludeAddressSet)
+		if !loaded {
+			return nil, E.New("parse route_exclude_address_set: rule-set not found: ", routeExcludeAddressSet)
+		}
+		ruleSet.IncRef()
+		inbound.routeExcludeRuleSet = append(inbound.routeExcludeRuleSet, ruleSet)
+	}
 	if options.AutoRedirect {
 		if !options.AutoRoute {
 			return nil, E.New("`auto_route` is required by `auto_redirect`")
@@ -229,32 +245,11 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		if err != nil {
 			return nil, E.Cause(err, "initialize auto-redirect")
 		}
-		if runtime.GOOS != "android" {
+		if runtime.GOOS != "android" && len(inbound.routeAddressSet) > 0 || len(inbound.routeExcludeAddressSet) > 0 {
-			var markMode bool
+			inbound.tunOptions.AutoRedirectMarkMode = true
-			for _, routeAddressSet := range options.RouteAddressSet {
+			err = networkManager.RegisterAutoRedirectOutputMark(inbound.tunOptions.AutoRedirectOutputMark)
-				ruleSet, loaded := router.RuleSet(routeAddressSet)
+			if err != nil {
-				if !loaded {
+				return nil, err
-					return nil, E.New("parse route_address_set: rule-set not found: ", routeAddressSet)
-				}
-				ruleSet.IncRef()
-				inbound.routeRuleSet = append(inbound.routeRuleSet, ruleSet)
-				markMode = true
-			}
-			for _, routeExcludeAddressSet := range options.RouteExcludeAddressSet {
-				ruleSet, loaded := router.RuleSet(routeExcludeAddressSet)
-				if !loaded {
-					return nil, E.New("parse route_exclude_address_set: rule-set not found: ", routeExcludeAddressSet)
-				}
-				ruleSet.IncRef()
-				inbound.routeExcludeRuleSet = append(inbound.routeExcludeRuleSet, ruleSet)
-				markMode = true
-			}
-			if markMode {
-				inbound.tunOptions.AutoRedirectMarkMode = true
-				err = networkManager.RegisterAutoRedirectOutputMark(inbound.tunOptions.AutoRedirectOutputMark)
-				if err != nil {
-					return nil, err
-				}
 			}
 		}
 	}
@@ -310,18 +305,60 @@ func (t *Inbound) Start(stage adapter.StartStage) error {
 		if t.tunOptions.Name == "" {
 			t.tunOptions.Name = tun.CalculateInterfaceName("")
 		}
+		if t.platformInterface == nil || runtime.GOOS != "android" {
+			for _, routeRuleSet := range t.routeRuleSet {
+				ipSets := routeRuleSet.ExtractIPSet()
+				if len(ipSets) == 0 {
+					t.logger.Warn("route_address_set: no destination IP CIDR rules found in rule-set: ", routeRuleSet.Name())
+				}
+				t.routeRuleSetCallback = append(t.routeRuleSetCallback, routeRuleSet.RegisterCallback(t.updateRouteAddressSet))
+				routeRuleSet.DecRef()
+				t.routeAddressSet = append(t.routeAddressSet, ipSets...)
+			}
+			for _, routeExcludeRuleSet := range t.routeExcludeRuleSet {
+				ipSets := routeExcludeRuleSet.ExtractIPSet()
+				if len(ipSets) == 0 {
+					t.logger.Warn("route_exclude_address_set: no destination IP CIDR rules found in rule-set: ", routeExcludeRuleSet.Name())
+				}
+				t.routeExcludeRuleSetCallback = append(t.routeExcludeRuleSetCallback, routeExcludeRuleSet.RegisterCallback(t.updateRouteAddressSet))
+				routeExcludeRuleSet.DecRef()
+				t.routeExcludeAddressSet = append(t.routeExcludeAddressSet, ipSets...)
+			}
+		}
 		var (
 			tunInterface tun.Tun
 			err          error
 		)
 		monitor := taskmonitor.New(t.logger, C.StartTimeout)
-		monitor.Start("open tun interface")
+		tunOptions := t.tunOptions
+		if t.autoRedirect == nil && !(runtime.GOOS == "android" && t.platformInterface != nil) {
+			for _, ipSet := range t.routeAddressSet {
+				for _, prefix := range ipSet.Prefixes() {
+					if prefix.Addr().Is4() {
+						tunOptions.Inet4RouteAddress = append(tunOptions.Inet4RouteAddress, prefix)
+					} else {
+						tunOptions.Inet6RouteAddress = append(tunOptions.Inet6RouteAddress, prefix)
+					}
+				}
+			}
+			for _, ipSet := range t.routeExcludeAddressSet {
+				for _, prefix := range ipSet.Prefixes() {
+					if prefix.Addr().Is4() {
+						tunOptions.Inet4RouteExcludeAddress = append(tunOptions.Inet4RouteExcludeAddress, prefix)
+					} else {
+						tunOptions.Inet6RouteExcludeAddress = append(tunOptions.Inet6RouteExcludeAddress, prefix)
+					}
+				}
+			}
+		}
+		monitor.Start("open interface")
 		if t.platformInterface != nil {
-			tunInterface, err = t.platformInterface.OpenTun(&t.tunOptions, t.platformOptions)
+			tunInterface, err = t.platformInterface.OpenTun(&tunOptions, t.platformOptions)
 		} else {
-			tunInterface, err = tun.New(t.tunOptions)
+			tunInterface, err = tun.New(tunOptions)
 		}
 		monitor.Finish()
+		t.tunOptions.Name = tunOptions.Name
 		if err != nil {
 			return E.Cause(err, "configure tun interface")
 		}
@@ -366,39 +403,15 @@ func (t *Inbound) Start(stage adapter.StartStage) error {
 			return E.Cause(err, "starting TUN interface")
 		}
 		if t.autoRedirect != nil {
-			t.routeAddressSet = common.FlatMap(t.routeRuleSet, adapter.RuleSet.ExtractIPSet)
-			for _, routeRuleSet := range t.routeRuleSet {
-				ipSets := routeRuleSet.ExtractIPSet()
-				if len(ipSets) == 0 {
-					t.logger.Warn("route_address_set: no destination IP CIDR rules found in rule-set: ", routeRuleSet.Name())
-				}
-				t.routeAddressSet = append(t.routeAddressSet, ipSets...)
-			}
-			t.routeExcludeAddressSet = common.FlatMap(t.routeExcludeRuleSet, adapter.RuleSet.ExtractIPSet)
-			for _, routeExcludeRuleSet := range t.routeExcludeRuleSet {
-				ipSets := routeExcludeRuleSet.ExtractIPSet()
-				if len(ipSets) == 0 {
-					t.logger.Warn("route_address_set: no destination IP CIDR rules found in rule-set: ", routeExcludeRuleSet.Name())
-				}
-				t.routeExcludeAddressSet = append(t.routeExcludeAddressSet, ipSets...)
-			}
 			monitor.Start("initialize auto-redirect")
 			err := t.autoRedirect.Start()
 			monitor.Finish()
 			if err != nil {
 				return E.Cause(err, "auto-redirect")
 			}
-			for _, routeRuleSet := range t.routeRuleSet {
-				t.routeRuleSetCallback = append(t.routeRuleSetCallback, routeRuleSet.RegisterCallback(t.updateRouteAddressSet))
-				routeRuleSet.DecRef()
-			}
-			for _, routeExcludeRuleSet := range t.routeExcludeRuleSet {
-				t.routeExcludeRuleSetCallback = append(t.routeExcludeRuleSetCallback, routeExcludeRuleSet.RegisterCallback(t.updateRouteAddressSet))
-				routeExcludeRuleSet.DecRef()
-			}
-			t.routeAddressSet = nil
-			t.routeExcludeAddressSet = nil
 		}
+		t.routeAddressSet = nil
+		t.routeExcludeAddressSet = nil
 	}
 	return nil
 }
@@ -406,7 +419,41 @@ func (t *Inbound) Start(stage adapter.StartStage) error {
 func (t *Inbound) updateRouteAddressSet(it adapter.RuleSet) {
 	t.routeAddressSet = common.FlatMap(t.routeRuleSet, adapter.RuleSet.ExtractIPSet)
 	t.routeExcludeAddressSet = common.FlatMap(t.routeExcludeRuleSet, adapter.RuleSet.ExtractIPSet)
-	t.autoRedirect.UpdateRouteAddressSet()
+	if t.autoRedirect != nil {
+		t.autoRedirect.UpdateRouteAddressSet()
+	} else {
+		tunOptions := t.tunOptions
+		for _, ipSet := range t.routeAddressSet {
+			for _, prefix := range ipSet.Prefixes() {
+				if prefix.Addr().Is4() {
+					tunOptions.Inet4RouteAddress = append(tunOptions.Inet4RouteAddress, prefix)
+				} else {
+					tunOptions.Inet6RouteAddress = append(tunOptions.Inet6RouteAddress, prefix)
+				}
+			}
+		}
+		for _, ipSet := range t.routeExcludeAddressSet {
+			for _, prefix := range ipSet.Prefixes() {
+				if prefix.Addr().Is4() {
+					tunOptions.Inet4RouteExcludeAddress = append(tunOptions.Inet4RouteExcludeAddress, prefix)
+				} else {
+					tunOptions.Inet6RouteExcludeAddress = append(tunOptions.Inet6RouteExcludeAddress, prefix)
+				}
+			}
+		}
+		if t.platformInterface != nil {
+			err := t.platformInterface.UpdateRouteOptions(&tunOptions, t.platformOptions)
+			if err != nil {
+				t.logger.Error("update route addresses: ", err)
+			}
+		} else {
+			err := t.tunIf.UpdateRouteOptions(tunOptions)
+			if err != nil {
+				t.logger.Error("update route addresses: ", err)
+			}
+		}
+		t.logger.Info("updated route addresses")
+	}
 	t.routeAddressSet = nil
 	t.routeExcludeAddressSet = nil
 }

protocol/vless/inbound.go

@@ -139,16 +139,16 @@ func (h *Inbound) Close() error {
 }
 
 func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
-	var err error
 	if h.tlsConfig != nil && h.transport == nil {
-		conn, err = tls.ServerHandshake(ctx, conn, h.tlsConfig)
+		tlsConn, err := tls.ServerHandshake(ctx, conn, h.tlsConfig)
 		if err != nil {
 			N.CloseOnHandshakeFailure(conn, onClose, err)
 			h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source, ": TLS handshake"))
 			return
 		}
+		conn = tlsConn
 	}
-	err = h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, metadata.Source, onClose)
+	err := h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, metadata.Source, onClose)
 	if err != nil {
 		N.CloseOnHandshakeFailure(conn, onClose, err)
 		h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source))

protocol/vmess/inbound.go

@@ -153,16 +153,16 @@ func (h *Inbound) Close() error {
 }
 
 func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
-	var err error
 	if h.tlsConfig != nil && h.transport == nil {
-		conn, err = tls.ServerHandshake(ctx, conn, h.tlsConfig)
+		tlsConn, err := tls.ServerHandshake(ctx, conn, h.tlsConfig)
 		if err != nil {
 			N.CloseOnHandshakeFailure(conn, onClose, err)
 			h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source, ": TLS handshake"))
 			return
 		}
+		conn = tlsConn
 	}
-	err = h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, metadata.Source, onClose)
+	err := h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, metadata.Source, onClose)
 	if err != nil {
 		N.CloseOnHandshakeFailure(conn, onClose, err)
 		h.logger.ErrorContext(ctx, E.Cause(err, "process connection from ", metadata.Source))

protocol/wireguard/endpoint.go

@@ -20,7 +20,6 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
 )
 
 func RegisterEndpoint(registry *endpoint.Registry) {
@@ -70,7 +69,7 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 		UDPTimeout: udpTimeout,
 		Dialer:     outboundDialer,
 		CreateDialer: func(interfaceName string) N.Dialer {
-			return common.Must1(dialer.NewDefault(service.FromContext[adapter.NetworkManager](ctx), option.DialerOptions{
+			return common.Must1(dialer.NewDefault(ctx, option.DialerOptions{
 				BindInterface: interfaceName,
 			}))
 		},

protocol/wireguard/outbound.go

@@ -19,7 +19,6 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
 )
 
 func RegisterOutbound(registry *outbound.Registry) {
@@ -86,7 +85,7 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		System:  options.SystemInterface,
 		Dialer:  outboundDialer,
 		CreateDialer: func(interfaceName string) N.Dialer {
-			return common.Must1(dialer.NewDefault(service.FromContext[adapter.NetworkManager](ctx), option.DialerOptions{
+			return common.Must1(dialer.NewDefault(ctx, option.DialerOptions{
 				BindInterface: interfaceName,
 			}))
 		},

release/completions/sing-box.bash

@@ -1179,6 +1179,36 @@ _sing-box_rule-set_match()
     noun_aliases=()
 }
 
+_sing-box_rule-set_merge()
+{
+    last_command="sing-box_rule-set_merge"
+
+    command_aliases=()
+
+    commands=()
+
+    flags=()
+    two_word_flags=()
+    local_nonpersistent_flags=()
+    flags_with_completion=()
+    flags_completion=()
+
+    flags+=("--config=")
+    two_word_flags+=("--config")
+    two_word_flags+=("-c")
+    flags+=("--config-directory=")
+    two_word_flags+=("--config-directory")
+    two_word_flags+=("-C")
+    flags+=("--directory=")
+    two_word_flags+=("--directory")
+    two_word_flags+=("-D")
+    flags+=("--disable-color")
+
+    must_have_one_flag=()
+    must_have_one_noun=()
+    noun_aliases=()
+}
+
 _sing-box_rule-set_upgrade()
 {
     last_command="sing-box_rule-set_upgrade"
@@ -1225,6 +1255,7 @@ _sing-box_rule-set()
     commands+=("decompile")
     commands+=("format")
     commands+=("match")
+    commands+=("merge")
     commands+=("upgrade")
 
     flags=()

route/conn.go

@@ -56,7 +56,7 @@ func (m *ConnectionManager) NewConnection(ctx context.Context, this N.Dialer, co
 		remoteConn net.Conn
 		err        error
 	)
-	if len(metadata.DestinationAddresses) > 0 {
+	if len(metadata.DestinationAddresses) > 0 || metadata.Destination.IsIP() {
 		remoteConn, err = dialer.DialSerialNetwork(ctx, this, N.NetworkTCP, metadata.Destination, metadata.DestinationAddresses, metadata.NetworkStrategy, metadata.NetworkType, metadata.FallbackNetworkType, metadata.FallbackDelay)
 	} else {
 		remoteConn, err = this.DialContext(ctx, N.NetworkTCP, metadata.Destination)
@@ -97,12 +97,19 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 		err                error
 	)
 	if metadata.UDPConnect {
+		parallelDialer, isParallelDialer := this.(dialer.ParallelInterfaceDialer)
 		if len(metadata.DestinationAddresses) > 0 {
-			if parallelDialer, isParallelDialer := this.(dialer.ParallelInterfaceDialer); isParallelDialer {
+			if isParallelDialer {
 				remoteConn, err = dialer.DialSerialNetwork(ctx, parallelDialer, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses, metadata.NetworkStrategy, metadata.NetworkType, metadata.FallbackNetworkType, metadata.FallbackDelay)
 			} else {
 				remoteConn, err = N.DialSerial(ctx, this, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses)
 			}
+		} else if metadata.Destination.IsIP() {
+			if isParallelDialer {
+				remoteConn, err = dialer.DialSerialNetwork(ctx, parallelDialer, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses, metadata.NetworkStrategy, metadata.NetworkType, metadata.FallbackNetworkType, metadata.FallbackDelay)
+			} else {
+				remoteConn, err = this.DialContext(ctx, N.NetworkUDP, metadata.Destination)
+			}
 		} else {
 			remoteConn, err = this.DialContext(ctx, N.NetworkUDP, metadata.Destination)
 		}

route/network.go

@@ -35,6 +35,7 @@ var _ adapter.NetworkManager = (*NetworkManager)(nil)
 
 type NetworkManager struct {
 	logger            logger.ContextLogger
+	tracker           conntrack.Tracker
 	interfaceFinder   *control.DefaultInterfaceFinder
 	networkInterfaces atomic.TypedValue[[]adapter.NetworkInterface]
 
@@ -57,12 +58,13 @@ type NetworkManager struct {
 func NewNetworkManager(ctx context.Context, logger logger.ContextLogger, routeOptions option.RouteOptions) (*NetworkManager, error) {
 	nm := &NetworkManager{
 		logger:              logger,
+		tracker:             service.FromContext[conntrack.Tracker](ctx),
 		interfaceFinder:     control.NewDefaultInterfaceFinder(),
 		autoDetectInterface: routeOptions.AutoDetectInterface,
 		defaultOptions: adapter.NetworkOptions{
 			BindInterface:       routeOptions.DefaultInterface,
 			RoutingMark:         uint32(routeOptions.DefaultMark),
-			NetworkStrategy:     C.NetworkStrategy(routeOptions.DefaultNetworkStrategy),
+			NetworkStrategy:     (*C.NetworkStrategy)(routeOptions.DefaultNetworkStrategy),
 			NetworkType:         common.Map(routeOptions.DefaultNetworkType, option.InterfaceType.Build),
 			FallbackNetworkType: common.Map(routeOptions.DefaultFallbackNetworkType, option.InterfaceType.Build),
 			FallbackDelay:       time.Duration(routeOptions.DefaultFallbackDelay),
@@ -73,7 +75,7 @@ func NewNetworkManager(ctx context.Context, logger logger.ContextLogger, routeOp
 		inbound:           service.FromContext[adapter.InboundManager](ctx),
 		outbound:          service.FromContext[adapter.OutboundManager](ctx),
 	}
-	if C.NetworkStrategy(routeOptions.DefaultNetworkStrategy) != C.NetworkStrategyDefault {
+	if routeOptions.DefaultNetworkStrategy != nil {
 		if routeOptions.DefaultInterface != "" {
 			return nil, E.New("`default_network_strategy` is conflict with `default_interface`")
 		}
@@ -90,9 +92,6 @@ func NewNetworkManager(ctx context.Context, logger logger.ContextLogger, routeOp
 				return nil, E.Cause(err, "create network monitor")
 			}
 			nm.networkMonitor = networkMonitor
-			networkMonitor.RegisterCallback(func() {
-				_ = nm.interfaceFinder.Update()
-			})
 			interfaceMonitor, err := tun.NewDefaultInterfaceMonitor(nm.networkMonitor, logger, tun.DefaultInterfaceMonitorOptions{
 				InterfaceFinder:       nm.interfaceFinder,
 				OverrideAndroidVPN:    routeOptions.OverrideAndroidVPN,
@@ -358,7 +357,7 @@ func (r *NetworkManager) WIFIState() adapter.WIFIState {
 }
 
 func (r *NetworkManager) ResetNetwork() {
-	conntrack.Close()
+	r.tracker.Close()
 
 	for _, endpoint := range r.endpoint.Endpoints() {
 		listener, isListener := endpoint.(adapter.InterfaceUpdateListener)

route/route.go

@@ -11,7 +11,6 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/process"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
@@ -72,7 +71,10 @@ func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata ad
 		injectable.NewConnectionEx(ctx, conn, metadata, onClose)
 		return nil
 	}
-	conntrack.KillerCheck()
+	err := r.connTracker.KillerCheck()
+	if err != nil {
+		return err
+	}
 	metadata.Network = N.NetworkTCP
 	switch metadata.Destination.Fqdn {
 	case mux.Destination.Fqdn:
@@ -190,7 +192,10 @@ func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, m
 		injectable.NewPacketConnectionEx(ctx, conn, metadata, onClose)
 		return nil
 	}
-	conntrack.KillerCheck()
+	err := r.connTracker.KillerCheck()
+	if err != nil {
+		return err
+	}
 
 	// TODO: move to UoT
 	metadata.Network = N.NetworkUDP
@@ -415,8 +420,18 @@ match:
 					Fqdn: metadata.Destination.Fqdn,
 				}
 			}
-			metadata.NetworkStrategy = routeOptions.NetworkStrategy
+			if routeOptions.NetworkStrategy != nil {
-			metadata.FallbackDelay = routeOptions.FallbackDelay
+				metadata.NetworkStrategy = routeOptions.NetworkStrategy
+			}
+			if len(routeOptions.NetworkType) > 0 {
+				metadata.NetworkType = routeOptions.NetworkType
+			}
+			if len(routeOptions.FallbackNetworkType) > 0 {
+				metadata.FallbackNetworkType = routeOptions.FallbackNetworkType
+			}
+			if routeOptions.FallbackDelay != 0 {
+				metadata.FallbackDelay = routeOptions.FallbackDelay
+			}
 			if routeOptions.UDPDisableDomainUnmapping {
 				metadata.UDPDisableDomainUnmapping = true
 			}
@@ -463,7 +478,7 @@ match:
 	}
 	if !preMatch && inputPacketConn != nil && !metadata.Destination.IsFqdn() && !metadata.Destination.Addr.IsGlobalUnicast() {
 		var timeout time.Duration
-		if metadata.InboundType == C.TypeSOCKS {
+		if metadata.InboundType == C.TypeSOCKS || metadata.InboundType == C.TypeMixed {
 			timeout = C.TCPTimeout
 		}
 		newBuffer, newPacketBuffers, newErr := r.actionSniff(ctx, metadata, &rule.RuleActionSniff{Timeout: timeout}, inputConn, inputPacketConn)
@@ -562,7 +577,7 @@ func (r *Router) actionSniff(
 					return
 				}
 			} else {
-				if !metadata.Destination.Addr.IsGlobalUnicast() {
+				if !metadata.Destination.IsFqdn() && !metadata.Destination.Addr.IsGlobalUnicast() {
 					metadata.Destination = destination
 				}
 				if len(packetBuffers) > 0 {

route/route_dns.go

@@ -45,69 +45,70 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 		panic("no context")
 	}
 	var options dns.QueryOptions
-	if ruleIndex < len(r.dnsRules) {
+	var (
-		dnsRules := r.dnsRules
+		currentRuleIndex int
-		if ruleIndex != -1 {
+		currentRule      adapter.DNSRule
-			dnsRules = dnsRules[ruleIndex+1:]
+	)
+	if ruleIndex != -1 {
+		currentRuleIndex = ruleIndex + 1
+	}
+	for currentRuleIndex, currentRule = range r.dnsRules[currentRuleIndex:] {
+		if currentRule.WithAddressLimit() && !isAddressQuery {
+			continue
 		}
-		for currentRuleIndex, currentRule := range dnsRules {
+		metadata.ResetRuleCache()
-			if currentRule.WithAddressLimit() && !isAddressQuery {
+		if currentRule.Match(metadata) {
-				continue
+			displayRuleIndex := currentRuleIndex
+			if ruleIndex != -1 {
+				displayRuleIndex += ruleIndex + 1
 			}
-			metadata.ResetRuleCache()
+			ruleDescription := currentRule.String()
-			if currentRule.Match(metadata) {
+			if ruleDescription != "" {
-				displayRuleIndex := currentRuleIndex
+				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] ", currentRule, " => ", currentRule.Action())
-				if displayRuleIndex != -1 {
+			} else {
-					displayRuleIndex += displayRuleIndex + 1
+				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+			}
+			switch action := currentRule.Action().(type) {
+			case *R.RuleActionDNSRoute:
+				transport, loaded := r.transportMap[action.Server]
+				if !loaded {
+					r.dnsLogger.ErrorContext(ctx, "transport not found: ", action.Server)
+					continue
 				}
-				ruleDescription := currentRule.String()
+				_, isFakeIP := transport.(adapter.FakeIPTransport)
-				if ruleDescription != "" {
+				if isFakeIP && !allowFakeIP {
-					r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] ", currentRule, " => ", currentRule.Action())
+					continue
+				}
+				if isFakeIP || action.DisableCache {
+					options.DisableCache = true
+				}
+				if action.RewriteTTL != nil {
+					options.RewriteTTL = action.RewriteTTL
+				}
+				if action.ClientSubnet.IsValid() {
+					options.ClientSubnet = action.ClientSubnet
+				}
+				if domainStrategy, dsLoaded := r.transportDomainStrategy[transport]; dsLoaded {
+					options.Strategy = domainStrategy
 				} else {
-					r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+					options.Strategy = r.defaultDomainStrategy
 				}
-				switch action := currentRule.Action().(type) {
+				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
-				case *R.RuleActionDNSRoute:
+				return transport, options, currentRule, currentRuleIndex
-					transport, loaded := r.transportMap[action.Server]
+			case *R.RuleActionDNSRouteOptions:
-					if !loaded {
+				if action.DisableCache {
-						r.dnsLogger.ErrorContext(ctx, "transport not found: ", action.Server)
+					options.DisableCache = true
-						continue
-					}
-					_, isFakeIP := transport.(adapter.FakeIPTransport)
-					if isFakeIP && !allowFakeIP {
-						continue
-					}
-					if isFakeIP || action.DisableCache {
-						options.DisableCache = true
-					}
-					if action.RewriteTTL != nil {
-						options.RewriteTTL = action.RewriteTTL
-					}
-					if action.ClientSubnet.IsValid() {
-						options.ClientSubnet = action.ClientSubnet
-					}
-					if domainStrategy, dsLoaded := r.transportDomainStrategy[transport]; dsLoaded {
-						options.Strategy = domainStrategy
-					} else {
-						options.Strategy = r.defaultDomainStrategy
-					}
-					r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
-					return transport, options, currentRule, currentRuleIndex
-				case *R.RuleActionDNSRouteOptions:
-					if action.DisableCache {
-						options.DisableCache = true
-					}
-					if action.RewriteTTL != nil {
-						options.RewriteTTL = action.RewriteTTL
-					}
-					if action.ClientSubnet.IsValid() {
-						options.ClientSubnet = action.ClientSubnet
-					}
-					r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
-				case *R.RuleActionReject:
-					r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
-					return nil, options, currentRule, currentRuleIndex
 				}
+				if action.RewriteTTL != nil {
+					options.RewriteTTL = action.RewriteTTL
+				}
+				if action.ClientSubnet.IsValid() {
+					options.ClientSubnet = action.ClientSubnet
+				}
+				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+			case *R.RuleActionReject:
+				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+				return nil, options, currentRule, currentRuleIndex
 			}
 		}
 	}

route/router.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/geoip"
 	"github.com/sagernet/sing-box/common/geosite"
@@ -38,6 +39,7 @@ type Router struct {
 	ctx                     context.Context
 	logger                  log.ContextLogger
 	dnsLogger               log.ContextLogger
+	connTracker             conntrack.Tracker
 	inbound                 adapter.InboundManager
 	outbound                adapter.OutboundManager
 	connection              adapter.ConnectionManager
@@ -75,6 +77,7 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.Route
 		ctx:                   ctx,
 		logger:                logFactory.NewLogger("router"),
 		dnsLogger:             logFactory.NewLogger("dns"),
+		connTracker:           service.FromContext[conntrack.Tracker](ctx),
 		inbound:               service.FromContext[adapter.InboundManager](ctx),
 		outbound:              service.FromContext[adapter.OutboundManager](ctx),
 		connection:            service.FromContext[adapter.ConnectionManager](ctx),
@@ -262,7 +265,7 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.Route
 				Context: ctx,
 				Name:    "local",
 				Address: "local",
-				Dialer:  common.Must1(dialer.NewDefault(router.network, option.DialerOptions{})),
+				Dialer:  common.Must1(dialer.NewDefault(ctx, option.DialerOptions{})),
 			})))
 		}
 		defaultTransport = transports[0]
@@ -363,7 +366,6 @@ func (r *Router) Start(stage adapter.StartStage) error {
 				return E.Cause(err, "initialize DNS server[", i, "]")
 			}
 		}
-	case adapter.StartStatePostStart:
 		var cacheContext *adapter.HTTPStartContext
 		if len(r.ruleSets) > 0 {
 			monitor.Start("initialize rule-set")
@@ -419,6 +421,7 @@ func (r *Router) Start(stage adapter.StartStage) error {
 				}
 			}
 		}
+	case adapter.StartStatePostStart:
 		for i, rule := range r.rules {
 			monitor.Start("initialize rule[", i, "]")
 			err := rule.Start()

route/rule/rule_action.go

@@ -33,7 +33,7 @@ func NewRuleAction(ctx context.Context, logger logger.ContextLogger, action opti
 			RuleActionRouteOptions: RuleActionRouteOptions{
 				OverrideAddress:           M.ParseSocksaddrHostPort(action.RouteOptions.OverrideAddress, 0),
 				OverridePort:              action.RouteOptions.OverridePort,
-				NetworkStrategy:           C.NetworkStrategy(action.RouteOptions.NetworkStrategy),
+				NetworkStrategy:           (*C.NetworkStrategy)(action.RouteOptions.NetworkStrategy),
 				FallbackDelay:             time.Duration(action.RouteOptions.FallbackDelay),
 				UDPDisableDomainUnmapping: action.RouteOptions.UDPDisableDomainUnmapping,
 				UDPConnect:                action.RouteOptions.UDPConnect,
@@ -43,7 +43,7 @@ func NewRuleAction(ctx context.Context, logger logger.ContextLogger, action opti
 		return &RuleActionRouteOptions{
 			OverrideAddress:           M.ParseSocksaddrHostPort(action.RouteOptionsOptions.OverrideAddress, 0),
 			OverridePort:              action.RouteOptionsOptions.OverridePort,
-			NetworkStrategy:           C.NetworkStrategy(action.RouteOptionsOptions.NetworkStrategy),
+			NetworkStrategy:           (*C.NetworkStrategy)(action.RouteOptionsOptions.NetworkStrategy),
 			FallbackDelay:             time.Duration(action.RouteOptionsOptions.FallbackDelay),
 			UDPDisableDomainUnmapping: action.RouteOptionsOptions.UDPDisableDomainUnmapping,
 			UDPConnect:                action.RouteOptionsOptions.UDPConnect,
@@ -147,7 +147,7 @@ func (r *RuleActionRoute) String() string {
 type RuleActionRouteOptions struct {
 	OverrideAddress           M.Socksaddr
 	OverridePort              uint16
-	NetworkStrategy           C.NetworkStrategy
+	NetworkStrategy           *C.NetworkStrategy
 	NetworkType               []C.InterfaceType
 	FallbackNetworkType       []C.InterfaceType
 	FallbackDelay             time.Duration

route/rule_conds.go

@@ -55,15 +55,15 @@ func isGeositeDNSRule(rule option.DefaultDNSRule) bool {
 }
 
 func isProcessRule(rule option.DefaultRule) bool {
-	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.PackageName) > 0 || len(rule.User) > 0 || len(rule.UserID) > 0
+	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.ProcessPathRegex) > 0 || len(rule.PackageName) > 0 || len(rule.User) > 0 || len(rule.UserID) > 0
 }
 
 func isProcessDNSRule(rule option.DefaultDNSRule) bool {
-	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.PackageName) > 0 || len(rule.User) > 0 || len(rule.UserID) > 0
+	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.ProcessPathRegex) > 0 || len(rule.PackageName) > 0 || len(rule.User) > 0 || len(rule.UserID) > 0
 }
 
 func isProcessHeadlessRule(rule option.DefaultHeadlessRule) bool {
-	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.PackageName) > 0
+	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.ProcessPathRegex) > 0 || len(rule.PackageName) > 0
 }
 
 func notPrivateNode(code string) bool {

test/go.mod

@@ -13,9 +13,9 @@ require (
 	github.com/docker/go-connections v0.5.0
 	github.com/gofrs/uuid/v5 v5.3.0
 	github.com/sagernet/quic-go v0.48.2-beta.1
-	github.com/sagernet/sing v0.6.0-beta.5
+	github.com/sagernet/sing v0.6.0-beta.9
 	github.com/sagernet/sing-dns v0.4.0-beta.1
-	github.com/sagernet/sing-quic v0.4.0-alpha.4
+	github.com/sagernet/sing-quic v0.4.0-beta.3
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/spyzhov/ajson v0.9.4
@@ -85,8 +85,8 @@ require (
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 // indirect
 	github.com/sagernet/sing-mux v0.3.0-alpha.1 // indirect
 	github.com/sagernet/sing-shadowtls v0.2.0-alpha.2 // indirect
-	github.com/sagernet/sing-tun v0.6.0-beta.2 // indirect
+	github.com/sagernet/sing-tun v0.6.0-beta.7 // indirect
-	github.com/sagernet/sing-vmess v0.2.0-beta.1 // indirect
+	github.com/sagernet/sing-vmess v0.2.0-beta.2 // indirect
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 // indirect
 	github.com/sagernet/utls v1.6.7 // indirect
 	github.com/sagernet/wireguard-go v0.0.1-beta.5 // indirect
@@ -103,12 +103,12 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
-	golang.org/x/crypto v0.29.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.20.0 // indirect
-	golang.org/x/sync v0.9.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.27.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/text v0.20.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.24.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect

test/go.sum

@@ -146,24 +146,24 @@ github.com/sagernet/quic-go v0.48.2-beta.1/go.mod h1:1WgdDIVD1Gybp40JTWketeSfKA/
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.6.0-beta.5 h1:RD2j8WmJsvAbbBkAlJWaiYmnd+v/JohBiweoew7kMwo=
+github.com/sagernet/sing v0.6.0-beta.9 h1:P8lKa5hN53fRNAVCIKy5cWd6/kLO5c4slhdsfehSmHs=
-github.com/sagernet/sing v0.6.0-beta.5/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.6.0-beta.9/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-dns v0.4.0-beta.1 h1:W1XkdhigwxDOMgMDVB+9kdomCpb7ExsZfB4acPcTZFY=
 github.com/sagernet/sing-dns v0.4.0-beta.1/go.mod h1:8wuFcoFkWM4vJuQyg8e97LyvDwe0/Vl7G839WLcKDs8=
 github.com/sagernet/sing-mux v0.3.0-alpha.1 h1:IgNX5bJBpL41gGbp05pdDOvh/b5eUQ6cv9240+Ngipg=
 github.com/sagernet/sing-mux v0.3.0-alpha.1/go.mod h1:FTcImmdfW38Lz7b+HQ+mxxOth1lz4ao8uEnz+MwIJQE=
-github.com/sagernet/sing-quic v0.4.0-alpha.4 h1:P9xAx3nIfcqb9M8jfgs0uLm+VxCcaY++FCqaBfHY3dQ=
+github.com/sagernet/sing-quic v0.4.0-beta.3 h1:cOBjlhVdRZmBm6hIw1GleERpnTSFdBB2htgx5kQ5uqg=
-github.com/sagernet/sing-quic v0.4.0-alpha.4/go.mod h1:h5RkKTmUhudJKzK7c87FPXD5w1bJjVyxMN9+opZcctA=
+github.com/sagernet/sing-quic v0.4.0-beta.3/go.mod h1:1UNObFodd8CnS3aCT53x9cigjPSCl3P//8dfBMCwBDM=
 github.com/sagernet/sing-shadowsocks v0.2.7 h1:zaopR1tbHEw5Nk6FAkM05wCslV6ahVegEZaKMv9ipx8=
 github.com/sagernet/sing-shadowsocks v0.2.7/go.mod h1:0rIKJZBR65Qi0zwdKezt4s57y/Tl1ofkaq6NlkzVuyE=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.0-alpha.2 h1:RPrpgAdkP5td0vLfS5ldvYosFjSsZtRPxiyLV6jyKg0=
 github.com/sagernet/sing-shadowtls v0.2.0-alpha.2/go.mod h1:0j5XlzKxaWRIEjc1uiSKmVoWb0k+L9QgZVb876+thZA=
-github.com/sagernet/sing-tun v0.6.0-beta.2 h1:GK7r2jWKm7RhlJGTq4QadgFcebQia1c3BO3OlYMcQJ0=
+github.com/sagernet/sing-tun v0.6.0-beta.7 h1:FCSX8oGBqb0H57AAvfGeeH/jMGYWCOg6XWkN/oeES+0=
-github.com/sagernet/sing-tun v0.6.0-beta.2/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
+github.com/sagernet/sing-tun v0.6.0-beta.7/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
-github.com/sagernet/sing-vmess v0.2.0-beta.1 h1:5sXQ23uwNlZuDvygzi0dFtnG0Csm/SNqTjAHXJkpuj4=
+github.com/sagernet/sing-vmess v0.2.0-beta.2 h1:obAkAL35X7ql4RnGzDg4dBYIRpGXRKqcN4LyLZpZGSs=
-github.com/sagernet/sing-vmess v0.2.0-beta.1/go.mod h1:fLyE1emIcvQ5DV8reFWnufquZ7MkCSYM5ThodsR9NrQ=
+github.com/sagernet/sing-vmess v0.2.0-beta.2/go.mod h1:HGhf9XUdeE2iOWrX0hQNFgXPbKyGlzpeYFyX0c/pykk=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo=
 github.com/sagernet/utls v1.6.7 h1:Ep3+aJ8FUGGta+II2IEVNUc3EDhaRCZINWkj/LloIA8=
@@ -221,8 +221,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -240,8 +240,8 @@ golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -252,16 +252,16 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
-golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

test/hysteria2_test.go

@@ -3,24 +3,36 @@ package main
 import (
 	"net/netip"
 	"testing"
+	"time"
 
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-quic/hysteria2"
 	"github.com/sagernet/sing/common"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json/badoption"
 )
 
 func TestHysteria2Self(t *testing.T) {
 	t.Run("self", func(t *testing.T) {
-		testHysteria2Self(t, "")
+		testHysteria2Self(t, "", false)
 	})
 	t.Run("self-salamander", func(t *testing.T) {
-		testHysteria2Self(t, "password")
+		testHysteria2Self(t, "password", false)
+	})
+	t.Run("self-hop", func(t *testing.T) {
+		testHysteria2Self(t, "", true)
+	})
+	t.Run("self-hop-salamander", func(t *testing.T) {
+		testHysteria2Self(t, "password", true)
 	})
 }
 
-func testHysteria2Self(t *testing.T, salamanderPassword string) {
+func TestHysteria2Hop(t *testing.T) {
+	testHysteria2Self(t, "password", true)
+}
+
+func testHysteria2Self(t *testing.T, salamanderPassword string, portHop bool) {
 	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
 	var obfs *option.Hysteria2Obfs
 	if salamanderPassword != "" {
@@ -29,6 +41,14 @@ func testHysteria2Self(t *testing.T, salamanderPassword string) {
 			Password: salamanderPassword,
 		}
 	}
+	var (
+		serverPorts []string
+		hopInterval time.Duration
+	)
+	if portHop {
+		serverPorts = []string{F.ToString(serverPort, ":", serverPort)}
+		hopInterval = 5 * time.Second
+	}
 	startInstance(t, option.Options{
 		Inbounds: []option.Inbound{
 			{
@@ -77,10 +97,12 @@ func testHysteria2Self(t *testing.T, salamanderPassword string) {
 						Server:     "127.0.0.1",
 						ServerPort: serverPort,
 					},
-					UpMbps:   100,
+					ServerPorts: serverPorts,
-					DownMbps: 100,
+					HopInterval: badoption.Duration(hopInterval),
-					Obfs:     obfs,
+					UpMbps:      100,
-					Password: "password",
+					DownMbps:    100,
+					Obfs:        obfs,
+					Password:    "password",
 					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
 						TLS: &option.OutboundTLSOptions{
 							Enabled:         true,
@@ -112,6 +134,10 @@ func testHysteria2Self(t *testing.T, salamanderPassword string) {
 		},
 	})
 	testSuitLargeUDP(t, clientPort, testPort)
+	if portHop {
+		time.Sleep(5 * time.Second)
+		testSuitLargeUDP(t, clientPort, testPort)
+	}
 }
 
 func TestHysteria2Inbound(t *testing.T) {

test/wireguard_test.go

@@ -1,53 +0,0 @@
-package main
-
-import (
-	"net/netip"
-	"testing"
-	"time"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/json/badoption"
-)
-
-func _TestWireGuard(t *testing.T) {
-	startDockerContainer(t, DockerOptions{
-		Image: ImageBoringTun,
-		Cap:   []string{"MKNOD", "NET_ADMIN", "NET_RAW"},
-		Ports: []uint16{serverPort, testPort},
-		Bind: map[string]string{
-			"wireguard.conf": "/etc/wireguard/wg0.conf",
-		},
-		Cmd: []string{"wg0"},
-	})
-	time.Sleep(5 * time.Second)
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				Options: &option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     common.Ptr(badoption.Addr(netip.IPv4Unspecified())),
-						ListenPort: clientPort,
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeWireGuard,
-				Options: &option.WireGuardEndpointOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					Address:       []netip.Prefix{netip.MustParsePrefix("10.0.0.2/32")},
-					PrivateKey:    "qGnwlkZljMxeECW8fbwAWdvgntnbK7B8UmMFl3zM0mk=",
-					PeerPublicKey: "QsdcBm+oJw2oNv0cIFXLIq1E850lgTBonup4qnKEQBg=",
-				},
-			},
-		},
-	})
-	testSuitWg(t, clientPort, testPort)
-}