Add options to custom DNS query timeout

documentation: Bump version
Improve nftables rules for openwrt
2026-04-14 04:38:28 +10:00 · 2025-06-30 18:29:00 +08:00 · 2025-06-30 18:28:16 +08:00 · 2025-06-30 18:27:33 +08:00 · 2025-06-30 18:24:48 +08:00 · 2025-06-29 19:20:31 +08:00
57 changed files with 823 additions and 432 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,7 +46,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -109,7 +109,7 @@ jobs:
        if: ${{ ! matrix.legacy_go }}
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24
      - name: Cache Legacy Go
        if: matrix.require_legacy_go
        id: cache-legacy-go
@@ -294,7 +294,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -374,7 +374,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -472,15 +472,15 @@ jobs:
        if: matrix.if
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24
      - name: Setup Xcode stable
        if: matrix.if && github.ref == 'refs/heads/main-next'
        run: |-
-          sudo xcode-select -s /Applications/Xcode_16.2.app
+          sudo xcode-select -s /Applications/Xcode_16.4.app
      - name: Setup Xcode beta
        if: matrix.if && github.ref == 'refs/heads/dev-next'
        run: |-
-          sudo xcode-select -s /Applications/Xcode_16.2.app
+          sudo xcode-select -s /Applications/Xcode_16.4.app
      - name: Set tag
        if: matrix.if
        run: |-
@@ -615,7 +615,7 @@ jobs:
          path: 'dist'
  upload:
    name: Upload builds
-    if: always() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')
+    if: "!failure() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')"
    runs-on: ubuntu-latest
    needs:
      - calculate_version
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -28,7 +28,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -25,7 +25,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -66,7 +66,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24
      - name: Setup Android NDK
        if: matrix.os == 'android'
        uses: nttld/setup-ndk@v1
--- a/20
+++ b/20
@@ -108,6 +108,16 @@ upload_ios_app_store:
 	cd ../sing-box-for-apple && \
 	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
 export_ios_ipa:
 	cd ../sing-box-for-apple && \
 	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Export.plist -allowProvisioningUpdates -exportPath build/SFI && \
 	cp build/SFI/sing-box.ipa dist/SFI.ipa
 upload_ios_ipa:
 	cd dist && \
 	cp SFI.ipa "SFI-${VERSION}.ipa" && \
 	ghr --replace --draft --prerelease "v${VERSION}" "SFI-${VERSION}.ipa"
 release_ios: build_ios upload_ios_app_store
 build_macos:
@@ -175,6 +185,16 @@ upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
 	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
 export_tvos_ipa:
 	cd ../sing-box-for-apple && \
 	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Export.plist -allowProvisioningUpdates -exportPath build/SFT && \
 	cp build/SFT/sing-box.ipa dist/SFT.ipa
 upload_tvos_ipa:
 	cd dist && \
 	cp SFT.ipa "SFT-${VERSION}.ipa" && \
 	ghr --replace --draft --prerelease "v${VERSION}" "SFT-${VERSION}.ipa"
 release_tvos: build_tvos upload_tvos_app_store
 update_apple_version:
--- a/adapter/dns.go
+++ b/adapter/dns.go
@@ -3,6 +3,7 @@ package adapter
 import (
 	"context"
 	"net/netip"
 	"time"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
@@ -36,6 +37,7 @@ type DNSQueryOptions struct {
 	Transport      DNSTransport
 	Strategy       C.DomainStrategy
 	LookupStrategy C.DomainStrategy
 	Timeout        time.Duration
 	DisableCache   bool
 	RewriteTTL     *uint32
 	ClientSubnet   netip.Prefix
@@ -53,6 +55,7 @@ func DNSQueryOptionsFrom(ctx context.Context, options *option.DomainResolveOptio
 	return &DNSQueryOptions{
 		Transport:    transport,
 		Strategy:     C.DomainStrategy(options.Strategy),
 		Timeout:      time.Duration(options.Timeout),
 		DisableCache: options.DisableCache,
 		RewriteTTL:   options.RewriteTTL,
 		ClientSubnet: options.ClientSubnet.Build(netip.Prefix{}),
@@ -70,6 +73,7 @@ type DNSTransport interface {
 	Type() string
 	Tag() string
 	Dependencies() []string
 	HasDetour() bool
 	Exchange(ctx context.Context, message *dns.Msg) (*dns.Msg, error)
 }
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -53,11 +53,11 @@ type InboundContext struct {
 	// sniffer
-	Protocol         string
+	Protocol     string
-	Domain           string
+	Domain       string
-	Client           string
+	Client       string
-	SniffContext     any
+	SniffContext any
-	PacketSniffError error
+	SniffError   error
 	// cache
--- a/clients/android
+++ b/clients/android
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -16,15 +16,17 @@ import (
 )
 var (
-	debugEnabled bool
+	debugEnabled  bool
-	target       string
+	target        string
-	platform     string
+	platform      string
 	withTailscale bool
 )
 func init() {
 	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
 	flag.StringVar(&target, "target", "android", "target platform")
 	flag.StringVar(&platform, "platform", "", "specify platform")
 	flag.BoolVar(&withTailscale, "with-tailscale", false, "build tailscale for iOS and tvOS")
 }
 func main() {
@@ -151,7 +153,9 @@ func buildApple() {
 		"-v",
 		"-target", bindTarget,
 		"-libname=box",
-		"-tags-macos=" + strings.Join(memcTags, ","),
+	}
 	if !withTailscale {
 		args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
 	}
 	if !debugEnabled {
@@ -161,6 +165,9 @@ func buildApple() {
 	}
 	tags := append(sharedTags, iosTags...)
 	if withTailscale {
 		tags = append(tags, memcTags...)
 	}
 	if debugEnabled {
 		tags = append(tags, debugTags...)
 	}
--- a/cmd/sing-box/cmd_rule_set_convert.go
+++ b/cmd/sing-box/cmd_rule_set_convert.go
@@ -5,7 +5,7 @@ import (
 	"os"
 	"strings"
-	"github.com/sagernet/sing-box/cmd/sing-box/internal/convertor/adguard"
+	"github.com/sagernet/sing-box/common/convertor/adguard"
 	"github.com/sagernet/sing-box/common/srs"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
@@ -54,7 +54,7 @@ func convertRuleSet(sourcePath string) error {
 	var rules []option.HeadlessRule
 	switch flagRuleSetConvertType {
 	case "adguard":
-		rules, err = adguard.Convert(reader)
+		rules, err = adguard.ToOptions(reader, log.StdLogger())
 	case "":
 		return E.New("source type is required")
 	default:
--- a/cmd/sing-box/cmd_rule_set_decompile.go
+++ b/cmd/sing-box/cmd_rule_set_decompile.go
@@ -6,7 +6,10 @@ import (
 	"strings"
 	"github.com/sagernet/sing-box/common/srs"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/spf13/cobra"
@@ -50,6 +53,11 @@ func decompileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
 	if hasRule(ruleSet.Options.Rules, func(rule option.DefaultHeadlessRule) bool {
 		return len(rule.AdGuardDomain) > 0
 	}) {
 		return E.New("unable to decompile binary AdGuard rules to rule-set.")
 	}
 	var outputPath string
 	if flagRuleSetDecompileOutput == flagRuleSetDecompileDefaultOutput {
 		if strings.HasSuffix(sourcePath, ".srs") {
@@ -75,3 +83,19 @@ func decompileRuleSet(sourcePath string) error {
 	outputFile.Close()
 	return nil
 }
 func hasRule(rules []option.HeadlessRule, cond func(rule option.DefaultHeadlessRule) bool) bool {
 	for _, rule := range rules {
 		switch rule.Type {
 		case C.RuleTypeDefault:
 			if cond(rule.DefaultOptions) {
 				return true
 			}
 		case C.RuleTypeLogical:
 			if hasRule(rule.LogicalOptions.Rules, cond) {
 				return true
 			}
 		}
 	}
 	return false
 }
--- a/cmd/sing-box/internal/convertor/adguard/convertor.go
+++ b/cmd/sing-box/internal/convertor/adguard/convertor.go
@@ -2,6 +2,7 @@ package adguard
 import (
 	"bufio"
 	"bytes"
 	"io"
 	"net/netip"
 	"os"
@@ -9,10 +10,10 @@ import (
 	"strings"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 )
@@ -27,7 +28,7 @@ type agdguardRuleLine struct {
 	isImportant bool
 }
-func Convert(reader io.Reader) ([]option.HeadlessRule, error) {
+func ToOptions(reader io.Reader, logger logger.Logger) ([]option.HeadlessRule, error) {
 	scanner := bufio.NewScanner(reader)
 	var (
 		ruleLines    []agdguardRuleLine
@@ -36,7 +37,10 @@ func Convert(reader io.Reader) ([]option.HeadlessRule, error) {
 parseLine:
 	for scanner.Scan() {
 		ruleLine := scanner.Text()
-		if ruleLine == "" || ruleLine[0] == '!' || ruleLine[0] == '#' {
+		if ruleLine == "" {
 			continue
 		}
 		if strings.HasPrefix(ruleLine, "!") || strings.HasPrefix(ruleLine, "#") {
 			continue
 		}
 		originRuleLine := ruleLine
@@ -92,7 +96,7 @@ parseLine:
 				}
 				if !ignored {
 					ignoredLines++
-					log.Debug("ignored unsupported rule with modifier: ", paramParts[0], ": ", ruleLine)
+					logger.Debug("ignored unsupported rule with modifier: ", paramParts[0], ": ", originRuleLine)
 					continue parseLine
 				}
 			}
@@ -120,27 +124,35 @@ parseLine:
 			ruleLine = ruleLine[1 : len(ruleLine)-1]
 			if ignoreIPCIDRRegexp(ruleLine) {
 				ignoredLines++
-				log.Debug("ignored unsupported rule with IPCIDR regexp: ", ruleLine)
+				logger.Debug("ignored unsupported rule with IPCIDR regexp: ", originRuleLine)
 				continue
 			}
 			isRegexp = true
 		} else {
 			if strings.Contains(ruleLine, "://") {
 				ruleLine = common.SubstringAfter(ruleLine, "://")
 				isSuffix = true
 			}
 			if strings.Contains(ruleLine, "/") {
 				ignoredLines++
-				log.Debug("ignored unsupported rule with path: ", ruleLine)
+				logger.Debug("ignored unsupported rule with path: ", originRuleLine)
 				continue
 			}
-			if strings.Contains(ruleLine, "##") {
+			if strings.Contains(ruleLine, "?") || strings.Contains(ruleLine, "&") {
 				ignoredLines++
-				log.Debug("ignored unsupported rule with element hiding: ", ruleLine)
+				logger.Debug("ignored unsupported rule with query: ", originRuleLine)
 				continue
 			}
-			if strings.Contains(ruleLine, "#$#") {
+			if strings.Contains(ruleLine, "[") || strings.Contains(ruleLine, "]") ||
 				strings.Contains(ruleLine, "(") || strings.Contains(ruleLine, ")") ||
 				strings.Contains(ruleLine, "!") || strings.Contains(ruleLine, "#") {
 				ignoredLines++
-				log.Debug("ignored unsupported rule with element hiding: ", ruleLine)
+				logger.Debug("ignored unsupported cosmetic filter: ", originRuleLine)
 				continue
 			}
 			if strings.Contains(ruleLine, "~") {
 				ignoredLines++
 				logger.Debug("ignored unsupported rule modifier: ", originRuleLine)
 				continue
 			}
 			var domainCheck string
@@ -151,7 +163,7 @@ parseLine:
 			}
 			if ruleLine == "" {
 				ignoredLines++
-				log.Debug("ignored unsupported rule with empty domain", originRuleLine)
+				logger.Debug("ignored unsupported rule with empty domain", originRuleLine)
 				continue
 			} else {
 				domainCheck = strings.ReplaceAll(domainCheck, "*", "x")
@@ -159,13 +171,13 @@ parseLine:
 					_, ipErr := parseADGuardIPCIDRLine(ruleLine)
 					if ipErr == nil {
 						ignoredLines++
-						log.Debug("ignored unsupported rule with IPCIDR: ", ruleLine)
+						logger.Debug("ignored unsupported rule with IPCIDR: ", originRuleLine)
 						continue
 					}
 					if M.ParseSocksaddr(domainCheck).Port != 0 {
-						log.Debug("ignored unsupported rule with port: ", ruleLine)
+						logger.Debug("ignored unsupported rule with port: ", originRuleLine)
 					} else {
-						log.Debug("ignored unsupported rule with invalid domain: ", ruleLine)
+						logger.Debug("ignored unsupported rule with invalid domain: ", originRuleLine)
 					}
 					ignoredLines++
 					continue
@@ -283,10 +295,112 @@ parseLine:
 			},
 		}
 	}
-	log.Info("parsed rules: ", len(ruleLines), "/", len(ruleLines)+ignoredLines)
+	if ignoredLines > 0 {
 		logger.Info("parsed rules: ", len(ruleLines), "/", len(ruleLines)+ignoredLines)
 	}
 	return []option.HeadlessRule{currentRule}, nil
 }
 var ErrInvalid = E.New("invalid binary AdGuard rule-set")
 func FromOptions(rules []option.HeadlessRule) ([]byte, error) {
 	if len(rules) != 1 {
 		return nil, ErrInvalid
 	}
 	rule := rules[0]
 	var (
 		importantDomain             []string
 		importantDomainRegex        []string
 		importantExcludeDomain      []string
 		importantExcludeDomainRegex []string
 		domain                      []string
 		domainRegex                 []string
 		excludeDomain               []string
 		excludeDomainRegex          []string
 	)
 parse:
 	for {
 		switch rule.Type {
 		case C.RuleTypeLogical:
 			if !(len(rule.LogicalOptions.Rules) == 2 && rule.LogicalOptions.Rules[0].Type == C.RuleTypeDefault) {
 				return nil, ErrInvalid
 			}
 			if rule.LogicalOptions.Mode == C.LogicalTypeAnd && rule.LogicalOptions.Rules[0].DefaultOptions.Invert {
 				if len(importantExcludeDomain) == 0 && len(importantExcludeDomainRegex) == 0 {
 					importantExcludeDomain = rule.LogicalOptions.Rules[0].DefaultOptions.AdGuardDomain
 					importantExcludeDomainRegex = rule.LogicalOptions.Rules[0].DefaultOptions.DomainRegex
 					if len(importantExcludeDomain)+len(importantExcludeDomainRegex) == 0 {
 						return nil, ErrInvalid
 					}
 				} else {
 					excludeDomain = rule.LogicalOptions.Rules[0].DefaultOptions.AdGuardDomain
 					excludeDomainRegex = rule.LogicalOptions.Rules[0].DefaultOptions.DomainRegex
 					if len(excludeDomain)+len(excludeDomainRegex) == 0 {
 						return nil, ErrInvalid
 					}
 				}
 			} else if rule.LogicalOptions.Mode == C.LogicalTypeOr && !rule.LogicalOptions.Rules[0].DefaultOptions.Invert {
 				importantDomain = rule.LogicalOptions.Rules[0].DefaultOptions.AdGuardDomain
 				importantDomainRegex = rule.LogicalOptions.Rules[0].DefaultOptions.DomainRegex
 				if len(importantDomain)+len(importantDomainRegex) == 0 {
 					return nil, ErrInvalid
 				}
 			} else {
 				return nil, ErrInvalid
 			}
 			rule = rule.LogicalOptions.Rules[1]
 		case C.RuleTypeDefault:
 			domain = rule.DefaultOptions.AdGuardDomain
 			domainRegex = rule.DefaultOptions.DomainRegex
 			if len(domain)+len(domainRegex) == 0 {
 				return nil, ErrInvalid
 			}
 			break parse
 		}
 	}
 	var output bytes.Buffer
 	for _, ruleLine := range importantDomain {
 		output.WriteString(ruleLine)
 		output.WriteString("$important\n")
 	}
 	for _, ruleLine := range importantDomainRegex {
 		output.WriteString("/")
 		output.WriteString(ruleLine)
 		output.WriteString("/$important\n")
 	}
 	for _, ruleLine := range importantExcludeDomain {
 		output.WriteString("@@")
 		output.WriteString(ruleLine)
 		output.WriteString("$important\n")
 	}
 	for _, ruleLine := range importantExcludeDomainRegex {
 		output.WriteString("@@/")
 		output.WriteString(ruleLine)
 		output.WriteString("/$important\n")
 	}
 	for _, ruleLine := range domain {
 		output.WriteString(ruleLine)
 		output.WriteString("\n")
 	}
 	for _, ruleLine := range domainRegex {
 		output.WriteString("/")
 		output.WriteString(ruleLine)
 		output.WriteString("/\n")
 	}
 	for _, ruleLine := range excludeDomain {
 		output.WriteString("@@")
 		output.WriteString(ruleLine)
 		output.WriteString("\n")
 	}
 	for _, ruleLine := range excludeDomainRegex {
 		output.WriteString("@@/")
 		output.WriteString(ruleLine)
 		output.WriteString("/\n")
 	}
 	return output.Bytes(), nil
 }
 func ignoreIPCIDRRegexp(ruleLine string) bool {
 	if strings.HasPrefix(ruleLine, "(http?:\\/\\/)") {
 		ruleLine = ruleLine[12:]
@@ -294,11 +408,9 @@ func ignoreIPCIDRRegexp(ruleLine string) bool {
 		ruleLine = ruleLine[13:]
 	} else if strings.HasPrefix(ruleLine, "^") {
 		ruleLine = ruleLine[1:]
 	} else {
 		return false
 	}
-	_, parseErr := strconv.ParseUint(common.SubstringBefore(ruleLine, "\\."), 10, 8)
+	return common.Error(strconv.ParseUint(common.SubstringBefore(ruleLine, "\\."), 10, 8)) == nil ||
-	return parseErr == nil
+		common.Error(strconv.ParseUint(common.SubstringBefore(ruleLine, "."), 10, 8)) == nil
 }
 func parseAdGuardHostLine(ruleLine string) (string, error) {
--- a/cmd/sing-box/internal/convertor/adguard/convertor_test.go
+++ b/cmd/sing-box/internal/convertor/adguard/convertor_test.go
@@ -7,13 +7,15 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/route/rule"
 	"github.com/sagernet/sing/common/logger"
 	"github.com/stretchr/testify/require"
 )
 func TestConverter(t *testing.T) {
 	t.Parallel()
-	rules, err := Convert(strings.NewReader(`
+	ruleString := `||sagernet.org^$important
@@|sing-box.sagernet.org^$important
 ||example.org^
 |example.com^
 example.net^
@@ -21,10 +23,9 @@ example.net^
 ||example.edu.tw^
 |example.gov
 example.arpa
-@@|sagernet.example.org|
+@@|sagernet.example.org^
-||sagernet.org^$important
+`
-@@|sing-box.sagernet.org^$important
+	rules, err := ToOptions(strings.NewReader(ruleString), logger.NOP())
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
 	rule, err := rule.NewHeadlessRule(context.Background(), rules[0])
@@ -75,15 +76,18 @@ example.arpa
 			Domain: domain,
 		}), domain)
 	}
 	ruleFromOptions, err := FromOptions(rules)
 	require.NoError(t, err)
 	require.Equal(t, ruleString, string(ruleFromOptions))
 }
 func TestHosts(t *testing.T) {
 	t.Parallel()
-	rules, err := Convert(strings.NewReader(`
+	rules, err := ToOptions(strings.NewReader(`
 127.0.0.1 localhost
 ::1 localhost #[IPv6]
 0.0.0.0 google.com
-`))
+`), logger.NOP())
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
 	rule, err := rule.NewHeadlessRule(context.Background(), rules[0])
@@ -110,10 +114,10 @@ func TestHosts(t *testing.T) {
 func TestSimpleHosts(t *testing.T) {
 	t.Parallel()
-	rules, err := Convert(strings.NewReader(`
+	rules, err := ToOptions(strings.NewReader(`
 example.com
 www.example.org
-`))
+`), logger.NOP())
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
 	rule, err := rule.NewHeadlessRule(context.Background(), rules[0])
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -89,6 +89,7 @@ func NewWithOptions(options Options) (N.Dialer, error) {
 			dnsQueryOptions = adapter.DNSQueryOptions{
 				Transport:    transport,
 				Strategy:     strategy,
 				Timeout:      time.Duration(dialOptions.DomainResolver.Timeout),
 				DisableCache: dialOptions.DomainResolver.DisableCache,
 				RewriteTTL:   dialOptions.DomainResolver.RewriteTTL,
 				ClientSubnet: dialOptions.DomainResolver.ClientSubnet.Build(netip.Prefix{}),
--- a/common/dialer/tfo.go
+++ b/common/dialer/tfo.go
@@ -10,7 +10,6 @@ import (
 	"sync"
 	"time"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -25,7 +24,9 @@ type slowOpenConn struct {
 	destination M.Socksaddr
 	conn        net.Conn
 	create      chan struct{}
 	done        chan struct{}
 	access      sync.Mutex
 	closeOnce   sync.Once
 	err         error
 }
@@ -44,6 +45,7 @@ func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, des
 		network:     network,
 		destination: destination,
 		create:      make(chan struct{}),
 		done:        make(chan struct{}),
 	}, nil
 }
@@ -54,8 +56,8 @@ func (c *slowOpenConn) Read(b []byte) (n int, err error) {
 			if c.err != nil {
 				return 0, c.err
 			}
-		case <-c.ctx.Done():
+		case <-c.done:
-			return 0, c.ctx.Err()
+			return 0, os.ErrClosed
 		}
 	}
 	return c.conn.Read(b)
@@ -73,6 +75,8 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 			return 0, c.err
 		}
 		return c.conn.Write(b)
 	case <-c.done:
 		return 0, os.ErrClosed
 	default:
 	}
 	conn, err := c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
@@ -87,7 +91,13 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 }
 func (c *slowOpenConn) Close() error {
-	return common.Close(c.conn)
+	c.closeOnce.Do(func() {
 		close(c.done)
 		if c.conn != nil {
 			c.conn.Close()
 		}
 	})
 	return nil
 }
 func (c *slowOpenConn) LocalAddr() net.Addr {
@@ -152,8 +162,8 @@ func (c *slowOpenConn) WriteTo(w io.Writer) (n int64, err error) {
 			if c.err != nil {
 				return 0, c.err
 			}
-		case <-c.ctx.Done():
+		case <-c.done:
-			return 0, c.ctx.Err()
+			return 0, c.err
 		}
 	}
 	return bufio.Copy(w, c.conn)
--- a/common/process/searcher_darwin.go
+++ b/common/process/searcher_darwin.go
@@ -76,6 +76,8 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 		// rup8(sizeof(xtcpcb_n))
 		itemSize += 208
 	}
 	var fallbackUDPProcess string
 	// skip the first xinpgen(24 bytes) block
 	for i := 24; i+itemSize <= len(buf); i += itemSize {
 		// offset of xinpcb_n and xsocket_n
@@ -90,10 +92,12 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 		flag := buf[inp+44]
 		var srcIP netip.Addr
 		srcIsIPv4 := false
 		switch {
 		case flag&0x1 > 0 && isIPv4:
 			// ipv4
 			srcIP = netip.AddrFrom4(*(*[4]byte)(buf[inp+76 : inp+80]))
 			srcIsIPv4 = true
 		case flag&0x2 > 0 && !isIPv4:
 			// ipv6
 			srcIP = netip.AddrFrom16(*(*[16]byte)(buf[inp+64 : inp+80]))
@@ -101,13 +105,21 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 			continue
 		}
-		if ip != srcIP {
+		if ip == srcIP {
-			continue
+			// xsocket_n.so_last_pid
 			pid := readNativeUint32(buf[so+68 : so+72])
 			return getExecPathFromPID(pid)
 		}
-		// xsocket_n.so_last_pid
+		// udp packet connection may be not equal with srcIP
-		pid := readNativeUint32(buf[so+68 : so+72])
+		if network == N.NetworkUDP && srcIP.IsUnspecified() && isIPv4 == srcIsIPv4 {
-		return getExecPathFromPID(pid)
+			pid := readNativeUint32(buf[so+68 : so+72])
 			fallbackUDPProcess, _ = getExecPathFromPID(pid)
 		}
 	}
 	if network == N.NetworkUDP && len(fallbackUDPProcess) > 0 {
 		return fallbackUDPProcess, nil
 	}
 	return "", ErrNotFound
--- a/common/srs/binary.go
+++ b/common/srs/binary.go
@@ -215,16 +215,15 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 		case ruleItemWIFIBSSID:
 			rule.WIFIBSSID, err = readRuleItemString(reader)
 		case ruleItemAdGuardDomain:
 			if recover {
 				err = E.New("unable to decompile binary AdGuard rules to rule-set")
 				return
 			}
 			var matcher *domain.AdGuardMatcher
 			matcher, err = domain.ReadAdGuardMatcher(reader)
 			if err != nil {
 				return
 			}
 			rule.AdGuardDomainMatcher = matcher
 			if recover {
 				rule.AdGuardDomain = matcher.Dump()
 			}
 		case ruleItemNetworkType:
 			rule.NetworkType, err = readRuleItemUint8[option.InterfaceType](reader)
 		case ruleItemNetworkIsExpensive:
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -5,13 +5,13 @@ package tls
 import (
 	"context"
 	"crypto/tls"
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	"github.com/caddyserver/certmagic"
 	"github.com/libdns/alidns"
@@ -37,7 +37,38 @@ func (w *acmeWrapper) Close() error {
 	return nil
 }
-func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
+type acmeLogWriter struct {
 	logger logger.Logger
 }
 func (w *acmeLogWriter) Write(p []byte) (n int, err error) {
 	logLine := strings.ReplaceAll(string(p), "	", ": ")
 	switch {
 	case strings.HasPrefix(logLine, "error: "):
 		w.logger.Error(logLine[7:])
 	case strings.HasPrefix(logLine, "warn: "):
 		w.logger.Warn(logLine[6:])
 	case strings.HasPrefix(logLine, "info: "):
 		w.logger.Info(logLine[6:])
 	case strings.HasPrefix(logLine, "debug: "):
 		w.logger.Debug(logLine[7:])
 	default:
 		w.logger.Debug(logLine)
 	}
 	return len(p), nil
 }
 func (w *acmeLogWriter) Sync() error {
 	return nil
 }
 func encoderConfig() zapcore.EncoderConfig {
 	config := zap.NewProductionEncoderConfig()
 	config.TimeKey = zapcore.OmitKey
 	return config
 }
 func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
 	var acmeServer string
 	switch options.Provider {
 	case "", "letsencrypt":
@@ -58,14 +89,15 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 	} else {
 		storage = certmagic.Default.Storage
 	}
 	zapLogger := zap.New(zapcore.NewCore(
 		zapcore.NewConsoleEncoder(encoderConfig()),
 		&acmeLogWriter{logger: logger},
 		zap.DebugLevel,
 	))
 	config := &certmagic.Config{
 		DefaultServerName: options.DefaultServerName,
 		Storage:           storage,
-		Logger: zap.New(zapcore.NewCore(
+		Logger:            zapLogger,
 			zapcore.NewConsoleEncoder(zap.NewProductionEncoderConfig()),
 			os.Stderr,
 			zap.InfoLevel,
 		)),
 	}
 	acmeConfig := certmagic.ACMEIssuer{
 		CA:                      acmeServer,
@@ -75,7 +107,7 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		DisableTLSALPNChallenge: options.DisableTLSALPNChallenge,
 		AltHTTPPort:             int(options.AlternativeHTTPPort),
 		AltTLSALPNPort:          int(options.AlternativeTLSPort),
-		Logger:                  config.Logger,
+		Logger:                  zapLogger,
 	}
 	if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {
 		var solver certmagic.DNS01Solver
@@ -103,6 +135,7 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		GetConfigForCert: func(certificate certmagic.Certificate) (*certmagic.Config, error) {
 			return config, nil
 		},
 		Logger: zapLogger,
 	})
 	config = certmagic.New(cache, *config)
 	var tlsConfig *tls.Config
--- a/common/tls/acme_stub.go
+++ b/common/tls/acme_stub.go
@@ -9,8 +9,9 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 )
-func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
+func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
 	return nil, nil, E.New(`ACME is not included in this build, rebuild with -tags with_acme`)
 }
--- a/common/tls/ech.go
+++ b/common/tls/ech.go
@@ -25,7 +25,7 @@ import (
 	"golang.org/x/crypto/cryptobyte"
 )
-func parseECHClientConfig(ctx context.Context, options option.OutboundTLSOptions, tlsConfig *tls.Config) (Config, error) {
+func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, options option.OutboundTLSOptions) (Config, error) {
 	var echConfig []byte
 	if len(options.ECH.Config) > 0 {
 		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
@@ -45,12 +45,12 @@ func parseECHClientConfig(ctx context.Context, options option.OutboundTLSOptions
 		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
 			return nil, E.New("invalid ECH configs pem")
 		}
-		tlsConfig.EncryptedClientHelloConfigList = block.Bytes
+		clientConfig.SetECHConfigList(block.Bytes)
-		return &STDClientConfig{tlsConfig}, nil
+		return clientConfig, nil
 	} else {
-		return &STDECHClientConfig{
+		return &ECHClientConfig{
-			STDClientConfig: STDClientConfig{tlsConfig},
+			ECHCapableConfig: clientConfig,
-			dnsRouter:       service.FromContext[adapter.DNSRouter](ctx),
+			dnsRouter:        service.FromContext[adapter.DNSRouter](ctx),
 		}, nil
 	}
 }
@@ -102,15 +102,15 @@ func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
 	return nil
 }
-type STDECHClientConfig struct {
+type ECHClientConfig struct {
-	STDClientConfig
+	ECHCapableConfig
 	access     sync.Mutex
 	dnsRouter  adapter.DNSRouter
 	lastTTL    time.Duration
 	lastUpdate time.Time
 }
-func (s *STDECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
+func (s *ECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
 	tlsConn, err := s.fetchAndHandshake(ctx, conn)
 	if err != nil {
 		return nil, err
@@ -122,17 +122,17 @@ func (s *STDECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn)
 	return tlsConn, nil
 }
-func (s *STDECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
+func (s *ECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
 	s.access.Lock()
 	defer s.access.Unlock()
-	if len(s.config.EncryptedClientHelloConfigList) == 0 || s.lastTTL == 0 || time.Now().Sub(s.lastUpdate) > s.lastTTL {
+	if len(s.ECHConfigList()) == 0 || s.lastTTL == 0 || time.Now().Sub(s.lastUpdate) > s.lastTTL {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
 			},
 			Question: []mDNS.Question{
 				{
-					Name:   mDNS.Fqdn(s.config.ServerName),
+					Name:   mDNS.Fqdn(s.ServerName()),
 					Qtype:  mDNS.TypeHTTPS,
 					Qclass: mDNS.ClassINET,
 				},
@@ -157,21 +157,21 @@ func (s *STDECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Con
 						}
 						s.lastTTL = time.Duration(rr.Header().Ttl) * time.Second
 						s.lastUpdate = time.Now()
-						s.config.EncryptedClientHelloConfigList = echConfigList
+						s.SetECHConfigList(echConfigList)
 						break match
 					}
 				}
 			}
 		}
-		if len(s.config.EncryptedClientHelloConfigList) == 0 {
+		if len(s.ECHConfigList()) == 0 {
 			return nil, E.New("no ECH config found in DNS records")
 		}
 	}
 	return s.Client(conn)
 }
-func (s *STDECHClientConfig) Clone() Config {
+func (s *ECHClientConfig) Clone() Config {
-	return &STDECHClientConfig{STDClientConfig: STDClientConfig{s.config.Clone()}, dnsRouter: s.dnsRouter, lastUpdate: s.lastUpdate}
+	return &ECHClientConfig{ECHCapableConfig: s.ECHCapableConfig.Clone().(ECHCapableConfig), dnsRouter: s.dnsRouter, lastUpdate: s.lastUpdate}
 }
 func UnmarshalECHKeys(raw []byte) ([]tls.EncryptedClientHelloKey, error) {
--- a/common/tls/ech_shared.go
+++ b/common/tls/ech_shared.go
@@ -11,6 +11,12 @@ import (
 	"github.com/cloudflare/circl/kem"
 )
 type ECHCapableConfig interface {
 	Config
 	ECHConfigList() []byte
 	SetECHConfigList([]byte)
 }
 func ECHKeygenDefault(serverName string) (configPem string, keyPem string, err error) {
 	cipherSuites := []echCipherSuite{
 		{
--- a/common/tls/ech_stub.go
+++ b/common/tls/ech_stub.go
@@ -10,7 +10,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 )
-func parseECHClientConfig(ctx context.Context, options option.OutboundTLSOptions, tlsConfig *tls.Config) (Config, error) {
+func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New("ECH requires go1.24, please recompile your binary.")
 }
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@@ -74,7 +74,7 @@ func NewRealityClient(ctx context.Context, serverAddress string, options option.
 	if decodedLen > 8 {
 		return nil, E.New("invalid short_id")
 	}
-	return &RealityClientConfig{ctx, uClient, publicKey, shortID}, nil
+	return &RealityClientConfig{ctx, uClient.(*UTLSClientConfig), publicKey, shortID}, nil
 }
 func (e *RealityClientConfig) ServerName() string {
--- a/common/tls/std_client.go
+++ b/common/tls/std_client.go
@@ -7,43 +7,60 @@ import (
 	"net"
 	"os"
 	"strings"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tlsfragment"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 )
 type STDClientConfig struct {
-	config *tls.Config
+	ctx                   context.Context
 	config                *tls.Config
 	fragment              bool
 	fragmentFallbackDelay time.Duration
 	recordFragment        bool
 }
-func (s *STDClientConfig) ServerName() string {
+func (c *STDClientConfig) ServerName() string {
-	return s.config.ServerName
+	return c.config.ServerName
 }
-func (s *STDClientConfig) SetServerName(serverName string) {
+func (c *STDClientConfig) SetServerName(serverName string) {
-	s.config.ServerName = serverName
+	c.config.ServerName = serverName
 }
-func (s *STDClientConfig) NextProtos() []string {
+func (c *STDClientConfig) NextProtos() []string {
-	return s.config.NextProtos
+	return c.config.NextProtos
 }
-func (s *STDClientConfig) SetNextProtos(nextProto []string) {
+func (c *STDClientConfig) SetNextProtos(nextProto []string) {
-	s.config.NextProtos = nextProto
+	c.config.NextProtos = nextProto
 }
-func (s *STDClientConfig) Config() (*STDConfig, error) {
+func (c *STDClientConfig) Config() (*STDConfig, error) {
-	return s.config, nil
+	return c.config, nil
 }
-func (s *STDClientConfig) Client(conn net.Conn) (Conn, error) {
+func (c *STDClientConfig) Client(conn net.Conn) (Conn, error) {
-	return tls.Client(conn, s.config), nil
+	if c.recordFragment {
 		conn = tf.NewConn(conn, c.ctx, c.fragment, c.recordFragment, c.fragmentFallbackDelay)
 	}
 	return tls.Client(conn, c.config), nil
 }
-func (s *STDClientConfig) Clone() Config {
+func (c *STDClientConfig) Clone() Config {
-	return &STDClientConfig{s.config.Clone()}
+	return &STDClientConfig{c.ctx, c.config.Clone(), c.fragment, c.fragmentFallbackDelay, c.recordFragment}
 }
 func (c *STDClientConfig) ECHConfigList() []byte {
 	return c.config.EncryptedClientHelloConfigList
 }
 func (c *STDClientConfig) SetECHConfigList(EncryptedClientHelloConfigList []byte) {
 	c.config.EncryptedClientHelloConfigList = EncryptedClientHelloConfigList
 }
 func NewSTDClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
@@ -60,9 +77,7 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 	var tlsConfig tls.Config
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
-	if options.DisableSNI {
+	if !options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
 		tlsConfig.ServerName = serverName
 	}
 	if options.Insecure {
@@ -127,8 +142,10 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 		tlsConfig.RootCAs = certPool
 	}
 	stdConfig := &STDClientConfig{ctx, &tlsConfig, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
-		return parseECHClientConfig(ctx, options, &tlsConfig)
+		return parseECHClientConfig(ctx, stdConfig, options)
 	} else {
 		return stdConfig, nil
 	}
 	return &STDClientConfig{&tlsConfig}, nil
 }
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -169,7 +169,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 	var err error
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		//nolint:staticcheck
-		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
+		tlsConfig, acmeService, err = startACME(ctx, logger, common.PtrValueOrDefault(options.ACME))
 		if err != nil {
 			return nil, err
 		}
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -8,11 +8,12 @@ import (
 	"crypto/x509"
 	"math/rand"
 	"net"
 	"net/netip"
 	"os"
 	"strings"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tlsfragment"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
@@ -22,46 +23,60 @@ import (
 )
 type UTLSClientConfig struct {
-	config *utls.Config
+	ctx                   context.Context
-	id     utls.ClientHelloID
+	config                *utls.Config
 	id                    utls.ClientHelloID
 	fragment              bool
 	fragmentFallbackDelay time.Duration
 	recordFragment        bool
 }
-func (e *UTLSClientConfig) ServerName() string {
+func (c *UTLSClientConfig) ServerName() string {
-	return e.config.ServerName
+	return c.config.ServerName
 }
-func (e *UTLSClientConfig) SetServerName(serverName string) {
+func (c *UTLSClientConfig) SetServerName(serverName string) {
-	e.config.ServerName = serverName
+	c.config.ServerName = serverName
 }
-func (e *UTLSClientConfig) NextProtos() []string {
+func (c *UTLSClientConfig) NextProtos() []string {
-	return e.config.NextProtos
+	return c.config.NextProtos
 }
-func (e *UTLSClientConfig) SetNextProtos(nextProto []string) {
+func (c *UTLSClientConfig) SetNextProtos(nextProto []string) {
 	if len(nextProto) == 1 && nextProto[0] == http2.NextProtoTLS {
 		nextProto = append(nextProto, "http/1.1")
 	}
-	e.config.NextProtos = nextProto
+	c.config.NextProtos = nextProto
 }
-func (e *UTLSClientConfig) Config() (*STDConfig, error) {
+func (c *UTLSClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for uTLS")
 }
-func (e *UTLSClientConfig) Client(conn net.Conn) (Conn, error) {
+func (c *UTLSClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &utlsALPNWrapper{utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}, e.config.NextProtos}, nil
+	if c.recordFragment {
-}
+		conn = tf.NewConn(conn, c.ctx, c.fragment, c.recordFragment, c.fragmentFallbackDelay)
 func (e *UTLSClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
 	e.config.SessionIDGenerator = generator
 }
 func (e *UTLSClientConfig) Clone() Config {
 	return &UTLSClientConfig{
 		config: e.config.Clone(),
 		id:     e.id,
 	}
 	return &utlsALPNWrapper{utlsConnWrapper{utls.UClient(conn, c.config.Clone(), c.id)}, c.config.NextProtos}, nil
 }
 func (c *UTLSClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
 	c.config.SessionIDGenerator = generator
 }
 func (c *UTLSClientConfig) Clone() Config {
 	return &UTLSClientConfig{
 		c.ctx, c.config.Clone(), c.id, c.fragment, c.fragmentFallbackDelay, c.recordFragment,
 	}
 }
 func (c *UTLSClientConfig) ECHConfigList() []byte {
 	return c.config.EncryptedClientHelloConfigList
 }
 func (c *UTLSClientConfig) SetECHConfigList(EncryptedClientHelloConfigList []byte) {
 	c.config.EncryptedClientHelloConfigList = EncryptedClientHelloConfigList
 }
 type utlsConnWrapper struct {
@@ -116,14 +131,12 @@ func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
 	return c.UConn.HandshakeContext(ctx)
 }
-func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
+func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
 	} else if serverAddress != "" {
-		if _, err := netip.ParseAddr(serverName); err != nil {
+		serverName = serverAddress
 			serverName = serverAddress
 		}
 	}
 	if serverName == "" && !options.Insecure {
 		return nil, E.New("missing server_name or insecure=true")
@@ -132,11 +145,7 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 	var tlsConfig utls.Config
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
-	if options.DisableSNI {
+	tlsConfig.ServerName = serverName
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
 		tlsConfig.ServerName = serverName
 	}
 	if options.Insecure {
 		tlsConfig.InsecureSkipVerify = options.Insecure
 	} else if options.DisableSNI {
@@ -192,7 +201,15 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 	if err != nil {
 		return nil, err
 	}
-	return &UTLSClientConfig{&tlsConfig, id}, nil
+	uConfig := &UTLSClientConfig{ctx, &tlsConfig, id, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
 		if options.Reality != nil && options.Reality.Enabled {
 			return nil, E.New("Reality is conflict with ECH")
 		}
 		return parseECHClientConfig(ctx, uConfig, options)
 	} else {
 		return uConfig, nil
 	}
 }
 var (
@@ -220,7 +237,7 @@ func init() {
 func uTLSClientHelloID(name string) (utls.ClientHelloID, error) {
 	switch name {
-	case "chrome_psk", "chrome_psk_shuffle", "chrome_padding_psk_shuffle", "chrome_pq":
+	case "chrome_psk", "chrome_psk_shuffle", "chrome_padding_psk_shuffle", "chrome_pq", "chrome_pq_psk":
 		fallthrough
 	case "chrome", "":
 		return utls.HelloChrome_Auto, nil
--- a/common/tlsfragment/conn.go
+++ b/common/tlsfragment/conn.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 	"time"
 	C "github.com/sagernet/sing-box/constant"
 	N "github.com/sagernet/sing/common/network"
 	"golang.org/x/net/publicsuffix"
@@ -19,16 +20,21 @@ type Conn struct {
 	tcpConn            *net.TCPConn
 	ctx                context.Context
 	firstPacketWritten bool
 	splitPacket        bool
 	splitRecord        bool
 	fallbackDelay      time.Duration
 }
-func NewConn(conn net.Conn, ctx context.Context, splitRecord bool, fallbackDelay time.Duration) *Conn {
+func NewConn(conn net.Conn, ctx context.Context, splitPacket bool, splitRecord bool, fallbackDelay time.Duration) *Conn {
 	if fallbackDelay == 0 {
 		fallbackDelay = C.TLSFragmentFallbackDelay
 	}
 	tcpConn, _ := N.UnwrapReader(conn).(*net.TCPConn)
 	return &Conn{
 		Conn:          conn,
 		tcpConn:       tcpConn,
 		ctx:           ctx,
 		splitPacket:   splitPacket,
 		splitRecord:   splitRecord,
 		fallbackDelay: fallbackDelay,
 	}
@@ -41,7 +47,7 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 		}()
 		serverName := indexTLSServerName(b)
 		if serverName != nil {
-			if !c.splitRecord {
+			if c.splitPacket {
 				if c.tcpConn != nil {
 					err = c.tcpConn.SetNoDelay(true)
 					if err != nil {
@@ -81,33 +87,41 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 					payload = b[splitIndexes[i-1]:splitIndexes[i]]
 				}
 				if c.splitRecord {
 					if c.splitPacket {
 						buffer.Reset()
 					}
 					payloadLen := uint16(len(payload))
 					buffer.Write(b[:3])
 					binary.Write(&buffer, binary.BigEndian, payloadLen)
 					buffer.Write(payload)
-				} else if c.tcpConn != nil && i != len(splitIndexes) {
+					if c.splitPacket {
-					err = writeAndWaitAck(c.ctx, c.tcpConn, payload, c.fallbackDelay)
+						payload = buffer.Bytes()
 					if err != nil {
 						return
 					}
-				} else {
+				}
-					_, err = c.Conn.Write(payload)
+				if c.splitPacket {
-					if err != nil {
+					if c.tcpConn != nil && i != len(splitIndexes) {
-						return
+						err = writeAndWaitAck(c.ctx, c.tcpConn, payload, c.fallbackDelay)
 						if err != nil {
 							return
 						}
 					} else {
 						_, err = c.Conn.Write(payload)
 						if err != nil {
 							return
 						}
 					}
 				}
 			}
-			if c.splitRecord {
+			if c.splitRecord && !c.splitPacket {
 				_, err = c.Conn.Write(buffer.Bytes())
 				if err != nil {
 					return
 				}
-			} else {
+			}
-				if c.tcpConn != nil {
+			if c.tcpConn != nil {
-					err = c.tcpConn.SetNoDelay(false)
+				err = c.tcpConn.SetNoDelay(false)
-					if err != nil {
+				if err != nil {
-						return
+					return
 					}
 				}
 			}
 			return len(b), nil
--- a/common/tlsfragment/conn_test.go
+++ b/common/tlsfragment/conn_test.go
@@ -15,7 +15,7 @@ func TestTLSFragment(t *testing.T) {
 	t.Parallel()
 	tcpConn, err := net.Dial("tcp", "1.1.1.1:443")
 	require.NoError(t, err)
-	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), false, 0), &tls.Config{
+	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), true, false, 0), &tls.Config{
 		ServerName: "www.cloudflare.com",
 	})
 	require.NoError(t, tlsConn.Handshake())
@@ -25,7 +25,17 @@ func TestTLSRecordFragment(t *testing.T) {
 	t.Parallel()
 	tcpConn, err := net.Dial("tcp", "1.1.1.1:443")
 	require.NoError(t, err)
-	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), true, 0), &tls.Config{
+	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), false, true, 0), &tls.Config{
 		ServerName: "www.cloudflare.com",
 	})
 	require.NoError(t, tlsConn.Handshake())
 }
 func TestTLS2Fragment(t *testing.T) {
 	t.Parallel()
 	tcpConn, err := net.Dial("tcp", "1.1.1.1:443")
 	require.NoError(t, err)
 	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), true, true, 0), &tls.Config{
 		ServerName: "www.cloudflare.com",
 	})
 	require.NoError(t, tlsConn.Handshake())
--- a/constant/timeout.go
+++ b/constant/timeout.go
@@ -9,6 +9,7 @@ const (
 	TCPTimeout                 = 15 * time.Second
 	ReadPayloadTimeout         = 300 * time.Millisecond
 	DNSTimeout                 = 10 * time.Second
 	DirectDNSTimeout           = 5 * time.Second
 	UDPTimeout                 = 5 * time.Minute
 	DefaultURLTestInterval     = 3 * time.Minute
 	DefaultURLTestIdleTimeout  = 30 * time.Minute
--- a/dns/client.go
+++ b/dns/client.go
@@ -30,7 +30,6 @@ var (
 var _ adapter.DNSClient = (*Client)(nil)
 type Client struct {
 	timeout          time.Duration
 	disableCache     bool
 	disableExpire    bool
 	independentCache bool
@@ -43,7 +42,6 @@ type Client struct {
 }
 type ClientOptions struct {
 	Timeout          time.Duration
 	DisableCache     bool
 	DisableExpire    bool
 	IndependentCache bool
@@ -55,7 +53,6 @@ type ClientOptions struct {
 func NewClient(options ClientOptions) *Client {
 	client := &Client{
 		timeout:          options.Timeout,
 		disableCache:     options.DisableCache,
 		disableExpire:    options.DisableExpire,
 		independentCache: options.IndependentCache,
@@ -63,9 +60,6 @@ func NewClient(options ClientOptions) *Client {
 		initRDRCFunc:     options.RDRC,
 		logger:           options.Logger,
 	}
 	if client.timeout == 0 {
 		client.timeout = C.DNSTimeout
 	}
 	cacheCapacity := options.CacheCapacity
 	if cacheCapacity < 1024 {
 		cacheCapacity = 1024
@@ -153,7 +147,15 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			return nil, ErrResponseRejectedCached
 		}
 	}
-	ctx, cancel := context.WithTimeout(ctx, c.timeout)
+	timeout := options.Timeout
 	if timeout == 0 {
 		if transport.HasDetour() {
 			timeout = C.DNSTimeout
 		} else {
 			timeout = C.DirectDNSTimeout
 		}
 	}
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	response, err := transport.Exchange(ctx, message)
 	cancel()
 	if err != nil {
--- a/dns/router.go
+++ b/dns/router.go
@@ -158,6 +158,9 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 				if action.Strategy != C.DomainStrategyAsIS {
 					options.Strategy = action.Strategy
 				}
 				if action.Timeout > 0 {
 					options.Timeout = action.Timeout
 				}
 				if isFakeIP || action.DisableCache {
 					options.DisableCache = true
 				}
@@ -180,6 +183,9 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 				if action.Strategy != C.DomainStrategyAsIS {
 					options.Strategy = action.Strategy
 				}
 				if action.Timeout > 0 {
 					options.Timeout = action.Timeout
 				}
 				if action.DisableCache {
 					options.DisableCache = true
 				}
--- a/dns/transport/dhcp/dhcp.go
+++ b/dns/transport/dhcp/dhcp.go
@@ -41,6 +41,7 @@ type Transport struct {
 	dns.TransportAdapter
 	ctx               context.Context
 	dialer            N.Dialer
 	hasDetour         bool
 	logger            logger.ContextLogger
 	networkManager    adapter.NetworkManager
 	interfaceName     string
@@ -59,6 +60,7 @@ func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, opt
 		TransportAdapter: dns.NewTransportAdapterWithLocalOptions(C.DNSTypeDHCP, tag, options.LocalDNSServerOptions),
 		ctx:              ctx,
 		dialer:           transportDialer,
 		hasDetour:        options.Detour != "",
 		logger:           logger,
 		networkManager:   service.FromContext[adapter.NetworkManager](ctx),
 		interfaceName:    options.Interface,
@@ -89,6 +91,10 @@ func (t *Transport) Close() error {
 	return nil
 }
 func (t *Transport) HasDetour() bool {
 	return t.hasDetour
 }
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	err := t.fetchServers()
 	if err != nil {
--- a/dns/transport/https.go
+++ b/dns/transport/https.go
@@ -3,11 +3,15 @@ package transport
 import (
 	"bytes"
 	"context"
 	"errors"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"strconv"
 	"sync"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
@@ -39,11 +43,13 @@ func RegisterHTTPS(registry *dns.TransportRegistry) {
 type HTTPSTransport struct {
 	dns.TransportAdapter
-	logger      logger.ContextLogger
+	logger           logger.ContextLogger
-	dialer      N.Dialer
+	dialer           N.Dialer
-	destination *url.URL
+	destination      *url.URL
-	headers     http.Header
+	headers          http.Header
-	transport   *http.Transport
+	transportAccess  sync.Mutex
 	transport        *http.Transport
 	transportResetAt time.Time
 }
 func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteHTTPSDNSServerOptions) (adapter.DNSTransport, error) {
@@ -161,12 +167,33 @@ func (t *HTTPSTransport) Start(stage adapter.StartStage) error {
 }
 func (t *HTTPSTransport) Close() error {
 	t.transportAccess.Lock()
 	defer t.transportAccess.Unlock()
 	t.transport.CloseIdleConnections()
 	t.transport = t.transport.Clone()
 	return nil
 }
 func (t *HTTPSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	startAt := time.Now()
 	response, err := t.exchange(ctx, message)
 	if err != nil {
 		if errors.Is(err, os.ErrDeadlineExceeded) {
 			t.transportAccess.Lock()
 			defer t.transportAccess.Unlock()
 			if t.transportResetAt.After(startAt) {
 				return nil, err
 			}
 			t.transport.CloseIdleConnections()
 			t.transport = t.transport.Clone()
 			t.transportResetAt = time.Now()
 		}
 		return nil, err
 	}
 	return response, nil
 }
 func (t *HTTPSTransport) exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	exMessage := *message
 	exMessage.Id = 0
 	exMessage.Compress = true
--- a/dns/transport/local/resolv_darwin_cgo.go
+++ b/dns/transport/local/resolv_darwin_cgo.go
@@ -20,7 +20,8 @@ import (
 )
 func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
-	if C.res_init() != 0 {
+	var state C.res_state
 	if C.res_ninit(state) != 0 {
 		return &dnsConfig{
 			servers:  defaultNS,
 			search:   dnsDefaultSearch(),
@@ -33,10 +34,10 @@ func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
 	conf := &dnsConfig{
 		ndots:    1,
 		timeout:  5 * time.Second,
-		attempts: int(C._res.retry),
+		attempts: int(state.retry),
 	}
-	for i := 0; i < int(C._res.nscount); i++ {
+	for i := 0; i < int(state.nscount); i++ {
-		ns := C._res.nsaddr_list[i]
+		ns := state.nsaddr_list[i]
 		addr := C.inet_ntoa(ns.sin_addr)
 		if addr == nil {
 			continue
@@ -44,7 +45,7 @@ func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
 		conf.servers = append(conf.servers, C.GoString(addr))
 	}
 	for i := 0; ; i++ {
-		search := C._res.dnsrch[i]
+		search := state.dnsrch[i]
 		if search == nil {
 			break
 		}
--- a/dns/transport_adapter.go
+++ b/dns/transport_adapter.go
@@ -14,6 +14,7 @@ type TransportAdapter struct {
 	transportType string
 	transportTag  string
 	dependencies  []string
 	hasDetour     bool
 	strategy      C.DomainStrategy
 	clientSubnet  netip.Prefix
 }
@@ -35,6 +36,7 @@ func NewTransportAdapterWithLocalOptions(transportType string, transportTag stri
 		transportType: transportType,
 		transportTag:  transportTag,
 		dependencies:  dependencies,
 		hasDetour:     localOptions.Detour != "",
 		strategy:      C.DomainStrategy(localOptions.LegacyStrategy),
 		clientSubnet:  localOptions.LegacyClientSubnet,
 	}
@@ -69,6 +71,10 @@ func (a *TransportAdapter) Dependencies() []string {
 	return a.dependencies
 }
 func (a *TransportAdapter) HasDetour() bool {
 	return a.hasDetour
 }
 func (a *TransportAdapter) LegacyStrategy() C.DomainStrategy {
 	return a.strategy
 }
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,6 +2,33 @@
 icon: material/alert-decagram
 ---
 #### 1.12.0-beta.30
 * Fixes and improvements
 ### 1.11.14
 * Fixes and improvements
 _We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
 violated the rules (TestFlight users are not affected)._
 #### 1.12.0-beta.24
 * Allow `tls_fragment` and `tls_record_fragment` to be enabled together **1**
 * Also add fragment options for TLS client configuration **2**
 * Fixes and improvements
 **1**:
 For debugging only, it is recommended to disable if record fragmentation works.
 See [Route Action](/configuration/route/rule_action/#tls_fragment).
 **2**:
 See [TLS](/configuration/shared/tls/).
 #### 1.12.0-beta.23
 * Add loopback address support for tun **1**
--- a/docs/configuration/endpoint/index.zh.md
+++ b/docs/configuration/endpoint/index.zh.md
@@ -25,7 +25,7 @@ icon: material/new-box
 | 类型          | 格式                        |
 |-------------|---------------------------|
-| `wireguard` | [WireGuard](./wiregaurd/) |
+| `wireguard` | [WireGuard](./wireguard/) |
 | `tailscale` | [Tailscale](./tailscale/) |
 #### tag
--- a/docs/configuration/experimental/clash-api.md
+++ b/docs/configuration/experimental/clash-api.md
@@ -59,7 +59,7 @@
    {
      "external_controller": "0.0.0.0:9090",
      "external_ui": "dashboard"
-      // external_ui_download_detour: "direct"
+      // "external_ui_download_detour": "direct"
    }
    ```
--- a/docs/configuration/experimental/clash-api.zh.md
+++ b/docs/configuration/experimental/clash-api.zh.md
@@ -59,7 +59,7 @@
    {
      "external_controller": "0.0.0.0:9090",
      "external_ui": "dashboard"
-      // external_ui_download_detour: "direct"
+      // "external_ui_download_detour": "direct"
    }
    ```
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -64,7 +64,7 @@ icon: material/new-box
  "auto_redirect_input_mark": "0x2023",
  "auto_redirect_output_mark": "0x2024",
  "loopback_address": [
-    "10.0.7.1"
+    "10.7.0.1"
  ],
  "strict_route": true,
  "route_address": [
@@ -284,7 +284,7 @@ Connection output mark used by `auto_redirect`.
 Loopback addresses make TCP connections to the specified address connect to the source address.
-Setting option value to `10.0.7.1` achieves the same behavior as SideStore/StosVPN.
+Setting option value to `10.7.0.1` achieves the same behavior as SideStore/StosVPN.
 When `auto_redirect` is enabled, the same behavior can be achieved for LAN devices (not just local) as a gateway.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -64,7 +64,7 @@ icon: material/new-box
  "auto_redirect_input_mark": "0x2023",
  "auto_redirect_output_mark": "0x2024",
  "loopback_address": [
-    "10.0.7.1"
+    "10.7.0.1"
  ],
  "strict_route": true,
  "route_address": [
@@ -283,7 +283,7 @@ tun 接口的 IPv6 前缀。
 环回地址是用于使指向指定地址的 TCP 连接连接到来源地址的。
-将选项值设置为 `10.0.7.1` 可实现与 SideStore/StosVPN 相同的行为。
+将选项值设置为 `10.7.0.1` 可实现与 SideStore/StosVPN 相同的行为。
 当启用 `auto_redirect` 时，可以作为网关为局域网设备（而不仅仅是本地）实现相同的行为。
--- a/docs/configuration/route/rule_action.md
+++ b/docs/configuration/route/rule_action.md
@@ -172,14 +172,12 @@ and should not be used to circumvent real censorship.
 Due to poor performance, try `tls_record_fragment` first, and only apply to server names known to be blocked.
 On Linux, Apple platforms, (administrator privileges required) Windows,
-the wait time can be automatically detected, otherwise it will fall back to
+the wait time can be automatically detected. Otherwise, it will fall back to
 waiting for a fixed time specified by `tls_fragment_fallback_delay`.
 In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time,
 because the target is considered to be local or behind a transparent proxy.
 Conflict with `tls_record_fragment`.
 #### tls_fragment_fallback_delay
 !!! question "Since sing-box 1.12.0"
@@ -194,11 +192,6 @@ The fallback value used when TLS segmentation cannot automatically determine the
 Fragment TLS handshake into multiple TLS records to bypass firewalls.
 This feature is intended to circumvent simple firewalls based on **plaintext packet matching**,
 and should not be used to circumvent real censorship.
 Conflict with `tls_fragment`.
 ### sniff
 ```json
--- a/docs/configuration/route/rule_action.zh.md
+++ b/docs/configuration/route/rule_action.zh.md
@@ -170,8 +170,6 @@ UDP 连接超时时间。
 此外，若实际等待时间小于 20 毫秒，同样会回退至固定等待时间模式，因为此时判定目标处于本地或透明代理之后。
 与 `tls_record_fragment` 冲突。
 #### tls_fragment_fallback_delay
 !!! question "自 sing-box 1.12.0 起"
@@ -186,10 +184,6 @@ UDP 连接超时时间。
 通过分段 TLS 握手数据包到多个 TLS 记录来绕过防火墙检测。
 此功能旨在规避基于**明文数据包匹配**的简单防火墙，不应该用于规避真的审查。
 与 `tls_fragment` 冲突。
 ### sniff
 ```json
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@@ -4,6 +4,9 @@ icon: material/alert-decagram
 !!! quote "Changes in sing-box 1.12.0"
    :material-plus: [fragment](#fragment)  
    :material-plus: [fragment_fallback_delay](#fragment_fallback_delay)  
    :material-plus: [record_fragment](#record_fragment)  
    :material-delete-clock: [ech.pq_signature_schemes_enabled](#pq_signature_schemes_enabled)  
    :material-delete-clock: [ech.dynamic_record_sizing_disabled](#dynamic_record_sizing_disabled)
@@ -82,6 +85,9 @@ icon: material/alert-decagram
  "cipher_suites": [],
  "certificate": "",
  "certificate_path": "",
  "fragment": false,
  "fragment_fallback_delay": "",
  "record_fragment": false,
  "ech": {
    "enabled": false,
    "config": [],
@@ -313,6 +319,44 @@ The path to ECH configuration, in PEM format.
 If empty, load from DNS will be attempted.
 #### fragment
 !!! question "Since sing-box 1.12.0"
 ==Client only==
 Fragment TLS handshakes to bypass firewalls.
 This feature is intended to circumvent simple firewalls based on **plaintext packet matching**,
 and should not be used to circumvent real censorship.
 Due to poor performance, try `record_fragment` first, and only apply to server names known to be blocked.
 On Linux, Apple platforms, (administrator privileges required) Windows,
 the wait time can be automatically detected. Otherwise, it will fall back to
 waiting for a fixed time specified by `fragment_fallback_delay`.
 In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time,
 because the target is considered to be local or behind a transparent proxy.
 #### fragment_fallback_delay
 !!! question "Since sing-box 1.12.0"
 ==Client only==
 The fallback value used when TLS segmentation cannot automatically determine the wait time.
 `500ms` is used by default.
 #### record_fragment
 !!! question "Since sing-box 1.12.0"
 ==Client only==
 Fragment TLS handshake into multiple TLS records to bypass firewalls.
 ### ACME Fields
 #### domain
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -4,6 +4,9 @@ icon: material/alert-decagram
 !!! quote "sing-box 1.12.0 中的更改"
    :material-plus: [tls_fragment](#tls_fragment)  
    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)  
    :material-plus: [tls_record_fragment](#tls_record_fragment)  
    :material-delete-clock: [ech.pq_signature_schemes_enabled](#pq_signature_schemes_enabled)  
    :material-delete-clock: [ech.dynamic_record_sizing_disabled](#dynamic_record_sizing_disabled)
@@ -82,6 +85,9 @@ icon: material/alert-decagram
  "cipher_suites": [],
  "certificate": [],
  "certificate_path": "",
  "fragment": false,
  "fragment_fallback_delay": "",
  "record_fragment": false,
  "ech": {
    "enabled": false,
    "pq_signature_schemes_enabled": false,
@@ -305,6 +311,41 @@ ECH PEM 配置路径
 如果为 true，则始终使用最大可能的 TLS 记录大小。
 如果为 false，则可能会调整 TLS 记录的大小以尝试改善延迟。
 #### tls_fragment
 !!! question "自 sing-box 1.12.0 起"
 ==仅客户端==
 通过分段 TLS 握手数据包来绕过防火墙检测。
 此功能旨在规避基于**明文数据包匹配**的简单防火墙，不应该用于规避真的审查。
 由于性能不佳，请首先尝试 `tls_record_fragment`，且仅应用于已知被阻止的服务器名称。
 在 Linux、Apple 平台和需要管理员权限的 Windows 系统上，可自动检测等待时间。
 若无法自动检测，将回退使用 `tls_fragment_fallback_delay` 指定的固定等待时间。
 此外，若实际等待时间小于 20 毫秒，同样会回退至固定等待时间模式，因为此时判定目标处于本地或透明代理之后。
 #### tls_fragment_fallback_delay
 !!! question "自 sing-box 1.12.0 起"
 ==仅客户端==
 当 TLS 分片功能无法自动判定等待时间时使用的回退值。
 默认使用 `500ms`。
 #### tls_record_fragment
 ==仅客户端==
 !!! question "自 sing-box 1.12.0 起"
 通过分段 TLS 握手数据包到多个 TLS 记录来绕过防火墙检测。
 ### ACME 字段
 #### domain
--- a/docs/manual/proxy/client.md
+++ b/docs/manual/proxy/client.md
@@ -94,18 +94,13 @@ flowchart TB
        "servers": [
          {
            "tag": "google",
-            "address": "tls://8.8.8.8"
+            "type": "tls",
            "server": "8.8.8.8"
          },
          {
            "tag": "local",
-            "address": "223.5.5.5",
+            "type": "udp",
-            "detour": "direct"
+            "server": "223.5.5.5"
          }
        ],
        "rules": [
          {
            "outbound": "any",
            "server": "local"
          }
        ],
        "strategy": "ipv4_only"
@@ -115,7 +110,8 @@ flowchart TB
          "type": "tun",
          "inet4_address": "172.19.0.1/30",
          "auto_route": true,
-          "strict_route": false
+          // "auto_redirect": true, // On linux
          "strict_route": true
        }
      ],
      "outbounds": [
@@ -123,25 +119,23 @@ flowchart TB
        {
          "type": "direct",
          "tag": "direct"
        },
        {
          "type": "dns",
          "tag": "dns-out"
        }
      ],
      "route": {
        "rules": [
          {
-            "protocol": "dns",
+            "action": "sniff"
            "outbound": "dns-out"
          },
          {
-            "geoip": [
+            "protocol": "dns",
-              "private"
+            "action": "hijack-dns"
-            ],
+          },
          {
            "ip_is_private": true,
            "outbound": "direct"
          }
        ],
        "default_domain_resolver": "local",
        "auto_detect_interface": true
      }
    }
@@ -155,18 +149,13 @@ flowchart TB
        "servers": [
          {
            "tag": "google",
-            "address": "tls://8.8.8.8"
+            "type": "tls",
            "server": "8.8.8.8"
          },
          {
            "tag": "local",
-            "address": "223.5.5.5",
+            "type": "udp",
-            "detour": "direct"
+            "server": "223.5.5.5"
          }
        ],
        "rules": [
          {
            "outbound": "any",
            "server": "local"
          }
        ]
      },
@@ -176,7 +165,8 @@ flowchart TB
          "inet4_address": "172.19.0.1/30",
          "inet6_address": "fdfe:dcba:9876::1/126",
          "auto_route": true,
-          "strict_route": false
+          // "auto_redirect": true, // On linux
          "strict_route": true
        }
      ],
      "outbounds": [
@@ -184,25 +174,23 @@ flowchart TB
        {
          "type": "direct",
          "tag": "direct"
        },
        {
          "type": "dns",
          "tag": "dns-out"
        }
      ],
      "route": {
        "rules": [
          {
-            "protocol": "dns",
+            "action": "sniff"
            "outbound": "dns-out"
          },
          {
-            "geoip": [
+            "protocol": "dns",
-              "private"
+            "action": "hijack-dns"
-            ],
+          },
          {
            "ip_is_private": true,
            "outbound": "direct"
          }
        ],
        "default_domain_resolver": "local",
        "auto_detect_interface": true
      }
    }
@@ -216,23 +204,22 @@ flowchart TB
        "servers": [
          {
            "tag": "google",
-            "address": "tls://8.8.8.8"
+            "type": "tls",
            "server": "8.8.8.8"
          },
          {
            "tag": "local",
-            "address": "223.5.5.5",
+            "type": "udp",
-            "detour": "direct"
+            "server": "223.5.5.5"
          },
          {
            "tag": "remote",
-            "address": "fakeip"
+            "type": "fakeip",
            "inet4_range": "198.18.0.0/15",
            "inet6_range": "fc00::/18"
          }
        ],
        "rules": [
          {
            "outbound": "any",
            "server": "local"
          },
          {
            "query_type": [
              "A",
@@ -241,11 +228,6 @@ flowchart TB
            "server": "remote"
          }
        ],
        "fakeip": {
          "enabled": true,
          "inet4_range": "198.18.0.0/15",
          "inet6_range": "fc00::/18"
        },
        "independent_cache": true
      },
      "inbounds": [
@@ -254,6 +236,7 @@ flowchart TB
          "inet4_address": "172.19.0.1/30",
          "inet6_address": "fdfe:dcba:9876::1/126",
          "auto_route": true,
          // "auto_redirect": true, // On linux
          "strict_route": true
        }
      ],
@@ -262,25 +245,23 @@ flowchart TB
        {
          "type": "direct",
          "tag": "direct"
        },
        {
          "type": "dns",
          "tag": "dns-out"
        }
      ],
      "route": {
        "rules": [
          {
-            "protocol": "dns",
+            "action": "sniff"
            "outbound": "dns-out"
          },
          {
-            "geoip": [
+            "protocol": "dns",
-              "private"
+            "action": "hijack-dns"
-            ],
+          },
          {
            "ip_is_private": true,
            "outbound": "direct"
          }
        ],
        "default_domain_resolver": "local",
        "auto_detect_interface": true
      }
    }
@@ -290,54 +271,6 @@ flowchart TB
 === ":material-dns: DNS rules"
    ```json
    {
      "dns": {
        "servers": [
          {
            "tag": "google",
            "address": "tls://8.8.8.8"
          },
          {
            "tag": "local",
            "address": "223.5.5.5",
            "detour": "direct"
          }
        ],
        "rules": [
          {
            "outbound": "any",
            "server": "local"
          },
          {
            "clash_mode": "Direct",
            "server": "local"
          },
          {
            "clash_mode": "Global",
            "server": "google"
          },
          {
            "rule_set": "geosite-geolocation-cn",
            "server": "local"
          }
        ]
      },
      "route": {
        "rule_set": [
          {
            "type": "remote",
            "tag": "geosite-geolocation-cn",
            "format": "binary",
            "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs"
          }
        ]
      }
    }
    ```
 === ":material-dns: DNS rules (Enhanced, but slower) (1.9.0+)"
    === ":material-shield-off: With DNS leaks"
        ```json
@@ -346,35 +279,20 @@ flowchart TB
            "servers": [
              {
                "tag": "google",
-                "address": "tls://8.8.8.8"
+                "type": "tls",
                "server": "8.8.8.8"
              },
              {
                "tag": "local",
-                "address": "https://223.5.5.5/dns-query",
+                "type": "https",
-                "detour": "direct"
+                "server": "223.5.5.5"
              }
            ],
            "rules": [
              {
                "outbound": "any",
                "server": "local"
              },
              {
                "clash_mode": "Direct",
                "server": "local"
              },
              {
                "clash_mode": "Global",
                "server": "google"
              },
              {
                "rule_set": "geosite-geolocation-cn",
                "server": "local"
              },
              {
                "clash_mode": "Default",
                "server": "google"
              },
              {
                "type": "logical",
                "mode": "and",
@@ -392,6 +310,7 @@ flowchart TB
            ]
          },
          "route": {
            "default_domain_resolver": "local",
            "rule_set": [
              {
                "type": "remote",
@@ -425,7 +344,7 @@ flowchart TB
        }
        ```
-    === ":material-security: Without DNS leaks, but slower (1.9.0-alpha.2+)"
+    === ":material-security: Without DNS leaks, but slower"
        ```json
        {
@@ -433,27 +352,16 @@ flowchart TB
            "servers": [
              {
                "tag": "google",
-                "address": "tls://8.8.8.8"
+                "type": "tls",
                "server": "8.8.8.8"
              },
              {
                "tag": "local",
-                "address": "https://223.5.5.5/dns-query",
+                "type": "https",
-                "detour": "direct"
+                "server": "223.5.5.5"
              }
            ],
            "rules": [
              {
                "outbound": "any",
                "server": "local"
              },
              {
                "clash_mode": "Direct",
                "server": "local"
              },
              {
                "clash_mode": "Global",
                "server": "google"
              },
              {
                "rule_set": "geosite-geolocation-cn",
                "server": "local"
@@ -476,6 +384,7 @@ flowchart TB
            ]
          },
          "route": {
            "default_domain_resolver": "local",
            "rule_set": [
              {
                "type": "remote",
@@ -517,14 +426,13 @@ flowchart TB
        {
          "type": "direct",
          "tag": "direct"
        },
        {
          "type": "block",
          "tag": "block"
        }
      ],
      "route": {
        "rules": [
          {
            "action": "sniff"
          },
          {
            "type": "logical",
            "mode": "or",
@@ -536,20 +444,12 @@ flowchart TB
                "port": 53
              }
            ],
-            "outbound": "dns"
+            "action": "hijack-dns"
          },
          {
            "ip_is_private": true,
            "outbound": "direct"
          },
          {
            "clash_mode": "Direct",
            "outbound": "direct"
          },
          {
            "clash_mode": "Global",
            "outbound": "default"
          },
          {
            "type": "logical",
            "mode": "or",
@@ -565,12 +465,23 @@ flowchart TB
                "protocol": "stun"
              }
            ],
-            "outbound": "block"
+            "action": "reject"
          },
          {
-            "rule_set": [
+            "rule_set": "geosite-geolocation-cn",
-              "geoip-cn",
+            "outbound": "direct"
-              "geosite-geolocation-cn"
+          },
          {
            "type": "logical",
            "mode": "and",
            "rules": [
              {
                "rule_set": "geoip-cn"
              },
              {
                "rule_set": "geosite-geolocation-!cn",
                "invert": true
              }
            ],
            "outbound": "direct"
          }
--- a/go.mod
+++ b/go.mod
@@ -34,7 +34,7 @@ require (
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
-	github.com/sagernet/sing-tun v0.6.6-0.20250610083027-da0a50057fb5
+	github.com/sagernet/sing-tun v0.6.10-0.20250630100036-8763c24e4935
 	github.com/sagernet/sing-vmess v0.2.4-0.20250605032146-38cc72672c88
 	github.com/sagernet/smux v1.5.34-mod.2
 	github.com/sagernet/tailscale v1.80.3-mod.5
--- a/go.sum
+++ b/go.sum
@@ -180,8 +180,8 @@ github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnq
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.6.6-0.20250610083027-da0a50057fb5 h1:zlcioVa11g8VLz5L0yPG7PbvQrw7mrxkDDdlMPEgqDk=
+github.com/sagernet/sing-tun v0.6.10-0.20250630100036-8763c24e4935 h1:wha4BG4mrEKaIoouVyiU5BcPfKD1n0LkiL4vqdjaVps=
-github.com/sagernet/sing-tun v0.6.6-0.20250610083027-da0a50057fb5/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
+github.com/sagernet/sing-tun v0.6.10-0.20250630100036-8763c24e4935/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
 github.com/sagernet/sing-vmess v0.2.4-0.20250605032146-38cc72672c88 h1:0pVm8sPOel+BoiCddW3pV3cKDKEaSioVTYDdTSKjyFI=
 github.com/sagernet/sing-vmess v0.2.4-0.20250605032146-38cc72672c88/go.mod h1:IL8Rr+EGwuqijszZkNrEFTQDKhilEpkqFqOlvdpS6/w=
 github.com/sagernet/smux v1.5.34-mod.2 h1:gkmBjIjlJ2zQKpLigOkFur5kBKdV6bNRoFu2WkltRQ4=
--- a/option/outbound.go
+++ b/option/outbound.go
@@ -91,6 +91,7 @@ type DialerOptions struct {
 type _DomainResolveOptions struct {
 	Server       string                `json:"server"`
 	Strategy     DomainStrategy        `json:"strategy,omitempty"`
 	Timeout      badoption.Duration    `json:"timeout,omitempty"`
 	DisableCache bool                  `json:"disable_cache,omitempty"`
 	RewriteTTL   *uint32               `json:"rewrite_ttl,omitempty"`
 	ClientSubnet *badoption.Prefixable `json:"client_subnet,omitempty"`
@@ -102,6 +103,7 @@ func (o DomainResolveOptions) MarshalJSON() ([]byte, error) {
 	if o.Server == "" {
 		return []byte("{}"), nil
 	} else if o.Strategy == DomainStrategy(C.DomainStrategyAsIS) &&
 		o.Timeout == 0 &&
 		!o.DisableCache &&
 		o.RewriteTTL == nil &&
 		o.ClientSubnet == nil {
--- a/option/rule_action.go
+++ b/option/rule_action.go
@@ -180,6 +180,7 @@ func (r *RouteOptionsActionOptions) UnmarshalJSON(data []byte) error {
 type DNSRouteActionOptions struct {
 	Server       string                `json:"server,omitempty"`
 	Strategy     DomainStrategy        `json:"strategy,omitempty"`
 	Timeout      badoption.Duration    `json:"timeout,omitempty"`
 	DisableCache bool                  `json:"disable_cache,omitempty"`
 	RewriteTTL   *uint32               `json:"rewrite_ttl,omitempty"`
 	ClientSubnet *badoption.Prefixable `json:"client_subnet,omitempty"`
@@ -187,6 +188,7 @@ type DNSRouteActionOptions struct {
 type _DNSRouteOptionsActionOptions struct {
 	Strategy     DomainStrategy        `json:"strategy,omitempty"`
 	Timeout      badoption.Duration    `json:"timeout,omitempty"`
 	DisableCache bool                  `json:"disable_cache,omitempty"`
 	RewriteTTL   *uint32               `json:"rewrite_ttl,omitempty"`
 	ClientSubnet *badoption.Prefixable `json:"client_subnet,omitempty"`
--- a/option/tls.go
+++ b/option/tls.go
@@ -37,19 +37,22 @@ func (o *InboundTLSOptionsContainer) ReplaceInboundTLSOptions(options *InboundTL
 }
 type OutboundTLSOptions struct {
-	Enabled         bool                       `json:"enabled,omitempty"`
+	Enabled               bool                       `json:"enabled,omitempty"`
-	DisableSNI      bool                       `json:"disable_sni,omitempty"`
+	DisableSNI            bool                       `json:"disable_sni,omitempty"`
-	ServerName      string                     `json:"server_name,omitempty"`
+	ServerName            string                     `json:"server_name,omitempty"`
-	Insecure        bool                       `json:"insecure,omitempty"`
+	Insecure              bool                       `json:"insecure,omitempty"`
-	ALPN            badoption.Listable[string] `json:"alpn,omitempty"`
+	ALPN                  badoption.Listable[string] `json:"alpn,omitempty"`
-	MinVersion      string                     `json:"min_version,omitempty"`
+	MinVersion            string                     `json:"min_version,omitempty"`
-	MaxVersion      string                     `json:"max_version,omitempty"`
+	MaxVersion            string                     `json:"max_version,omitempty"`
-	CipherSuites    badoption.Listable[string] `json:"cipher_suites,omitempty"`
+	CipherSuites          badoption.Listable[string] `json:"cipher_suites,omitempty"`
-	Certificate     badoption.Listable[string] `json:"certificate,omitempty"`
+	Certificate           badoption.Listable[string] `json:"certificate,omitempty"`
-	CertificatePath string                     `json:"certificate_path,omitempty"`
+	CertificatePath       string                     `json:"certificate_path,omitempty"`
-	ECH             *OutboundECHOptions        `json:"ech,omitempty"`
+	Fragment              bool                       `json:"fragment,omitempty"`
-	UTLS            *OutboundUTLSOptions       `json:"utls,omitempty"`
+	FragmentFallbackDelay badoption.Duration         `json:"fragment_fallback_delay,omitempty"`
-	Reality         *OutboundRealityOptions    `json:"reality,omitempty"`
+	RecordFragment        bool                       `json:"record_fragment,omitempty"`
 	ECH                   *OutboundECHOptions        `json:"ech,omitempty"`
 	UTLS                  *OutboundUTLSOptions       `json:"utls,omitempty"`
 	Reality               *OutboundRealityOptions    `json:"reality,omitempty"`
 }
 type OutboundTLSOptionsContainer struct {
--- a/protocol/vless/inbound.go
+++ b/protocol/vless/inbound.go
@@ -205,6 +205,10 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	var metadata adapter.InboundContext
 	metadata.Source = source
 	metadata.Destination = destination
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }
--- a/protocol/vmess/inbound.go
+++ b/protocol/vmess/inbound.go
@@ -219,6 +219,10 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	var metadata adapter.InboundContext
 	metadata.Source = source
 	metadata.Destination = destination
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
 	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }
--- a/route/conn.go
+++ b/route/conn.go
@@ -90,14 +90,8 @@ func (m *ConnectionManager) NewConnection(ctx context.Context, this N.Dialer, co
 		m.logger.ErrorContext(ctx, err)
 		return
 	}
-	if metadata.TLSFragment {
+	if metadata.TLSFragment || metadata.TLSRecordFragment {
-		fallbackDelay := metadata.TLSFragmentFallbackDelay
+		remoteConn = tf.NewConn(remoteConn, ctx, metadata.TLSFragment, metadata.TLSRecordFragment, metadata.TLSFragmentFallbackDelay)
 		if fallbackDelay == 0 {
 			fallbackDelay = C.TLSFragmentFallbackDelay
 		}
 		remoteConn = tf.NewConn(remoteConn, ctx, false, fallbackDelay)
 	} else if metadata.TLSRecordFragment {
 		remoteConn = tf.NewConn(remoteConn, ctx, true, 0)
 	}
 	m.access.Lock()
 	element := m.connections.PushBack(conn)
--- a/route/dns.go
+++ b/route/dns.go
@@ -2,7 +2,6 @@ package route
 import (
 	"context"
 	"errors"
 	"net"
 	"time"
@@ -10,7 +9,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
 	dnsOutbound "github.com/sagernet/sing-box/protocol/dns"
-	"github.com/sagernet/sing-tun"
+	R "github.com/sagernet/sing-box/route/rule"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
@@ -65,7 +64,7 @@ func (r *Router) hijackDNSPacket(ctx context.Context, conn N.PacketConn, packetB
 func ExchangeDNSPacket(ctx context.Context, router adapter.DNSRouter, logger logger.ContextLogger, conn N.PacketConn, buffer *buf.Buffer, metadata adapter.InboundContext, destination M.Socksaddr) {
 	err := exchangeDNSPacket(ctx, router, conn, buffer, metadata, destination)
-	if err != nil && !errors.Is(err, tun.ErrDrop) && !E.IsClosedOrCanceled(err) {
+	if err != nil && !R.IsRejected(err) && !E.IsClosedOrCanceled(err) {
 		logger.ErrorContext(ctx, E.Cause(err, "process DNS packet"))
 	}
 }
--- a/route/network.go
+++ b/route/network.go
@@ -76,6 +76,7 @@ func NewNetworkManager(ctx context.Context, logger logger.ContextLogger, routeOp
 			DomainResolver: defaultDomainResolver.Server,
 			DomainResolveOptions: adapter.DNSQueryOptions{
 				Strategy:     C.DomainStrategy(defaultDomainResolver.Strategy),
 				Timeout:      time.Duration(defaultDomainResolver.Timeout),
 				DisableCache: defaultDomainResolver.DisableCache,
 				RewriteTTL:   defaultDomainResolver.RewriteTTL,
 				ClientSubnet: defaultDomainResolver.ClientSubnet.Build(netip.Prefix{}),
--- a/route/route.go
+++ b/route/route.go
@@ -15,7 +15,7 @@ import (
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/route/rule"
+	R "github.com/sagernet/sing-box/route/rule"
 	"github.com/sagernet/sing-mux"
 	"github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing/common"
@@ -49,7 +49,7 @@ func (r *Router) RouteConnectionEx(ctx context.Context, conn net.Conn, metadata
 	err := r.routeConnection(ctx, conn, metadata, onClose)
 	if err != nil {
 		N.CloseOnHandshakeFailure(conn, onClose, err)
-		if E.IsClosedOrCanceled(err) {
+		if E.IsClosedOrCanceled(err) || R.IsRejected(err) {
 			r.logger.DebugContext(ctx, "connection closed: ", err)
 		} else {
 			r.logger.ErrorContext(ctx, err)
@@ -99,7 +99,7 @@ func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata ad
 	var selectedOutbound adapter.Outbound
 	if selectedRule != nil {
 		switch action := selectedRule.Action().(type) {
-		case *rule.RuleActionRoute:
+		case *R.RuleActionRoute:
 			var loaded bool
 			selectedOutbound, loaded = r.outbound.Outbound(action.Outbound)
 			if !loaded {
@@ -110,10 +110,10 @@ func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata ad
 				buf.ReleaseMulti(buffers)
 				return E.New("TCP is not supported by outbound: ", selectedOutbound.Tag())
 			}
-		case *rule.RuleActionReject:
+		case *R.RuleActionReject:
 			buf.ReleaseMulti(buffers)
 			return action.Error(ctx)
-		case *rule.RuleActionHijackDNS:
+		case *R.RuleActionHijackDNS:
 			for _, buffer := range buffers {
 				conn = bufio.NewCachedConn(conn, buffer)
 			}
@@ -151,7 +151,7 @@ func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, m
 	}))
 	if err != nil {
 		conn.Close()
-		if E.IsClosedOrCanceled(err) {
+		if E.IsClosedOrCanceled(err) || R.IsRejected(err) {
 			r.logger.DebugContext(ctx, "connection closed: ", err)
 		} else {
 			r.logger.ErrorContext(ctx, err)
@@ -168,7 +168,7 @@ func (r *Router) RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	err := r.routePacketConnection(ctx, conn, metadata, onClose)
 	if err != nil {
 		N.CloseOnHandshakeFailure(conn, onClose, err)
-		if E.IsClosedOrCanceled(err) {
+		if E.IsClosedOrCanceled(err) || R.IsRejected(err) {
 			r.logger.DebugContext(ctx, "connection closed: ", err)
 		} else {
 			r.logger.ErrorContext(ctx, err)
@@ -214,7 +214,7 @@ func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, m
 	var selectReturn bool
 	if selectedRule != nil {
 		switch action := selectedRule.Action().(type) {
-		case *rule.RuleActionRoute:
+		case *R.RuleActionRoute:
 			var loaded bool
 			selectedOutbound, loaded = r.outbound.Outbound(action.Outbound)
 			if !loaded {
@@ -225,10 +225,10 @@ func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, m
 				N.ReleaseMultiPacketBuffer(packetBuffers)
 				return E.New("UDP is not supported by outbound: ", selectedOutbound.Tag())
 			}
-		case *rule.RuleActionReject:
+		case *R.RuleActionReject:
 			N.ReleaseMultiPacketBuffer(packetBuffers)
 			return action.Error(ctx)
-		case *rule.RuleActionHijackDNS:
+		case *R.RuleActionHijackDNS:
 			return r.hijackDNSPacket(ctx, conn, packetBuffers, metadata, onClose)
 		}
 	}
@@ -266,7 +266,7 @@ func (r *Router) PreMatch(metadata adapter.InboundContext) error {
 	if selectedRule == nil {
 		return nil
 	}
-	rejectAction, isReject := selectedRule.Action().(*rule.RuleActionReject)
+	rejectAction, isReject := selectedRule.Action().(*R.RuleActionReject)
 	if !isReject {
 		return nil
 	}
@@ -342,7 +342,7 @@ func (r *Router) matchRule(
 	//nolint:staticcheck
 	if metadata.InboundOptions != common.DefaultValue[option.InboundOptions]() {
 		if !preMatch && metadata.InboundOptions.SniffEnabled {
-			newBuffer, newPackerBuffers, newErr := r.actionSniff(ctx, metadata, &rule.RuleActionSniff{
+			newBuffer, newPackerBuffers, newErr := r.actionSniff(ctx, metadata, &R.RuleActionSniff{
 				OverrideDestination: metadata.InboundOptions.SniffOverrideDestination,
 				Timeout:             time.Duration(metadata.InboundOptions.SniffTimeout),
 			}, inputConn, inputPacketConn, nil)
@@ -357,7 +357,7 @@ func (r *Router) matchRule(
 			}
 		}
 		if C.DomainStrategy(metadata.InboundOptions.DomainStrategy) != C.DomainStrategyAsIS {
-			fatalErr = r.actionResolve(ctx, metadata, &rule.RuleActionResolve{
+			fatalErr = r.actionResolve(ctx, metadata, &R.RuleActionResolve{
 				Strategy: C.DomainStrategy(metadata.InboundOptions.DomainStrategy),
 			})
 			if fatalErr != nil {
@@ -394,11 +394,11 @@ match:
 				}
 			}
 		}
-		var routeOptions *rule.RuleActionRouteOptions
+		var routeOptions *R.RuleActionRouteOptions
 		switch action := currentRule.Action().(type) {
-		case *rule.RuleActionRoute:
+		case *R.RuleActionRoute:
 			routeOptions = &action.RuleActionRouteOptions
-		case *rule.RuleActionRouteOptions:
+		case *R.RuleActionRouteOptions:
 			routeOptions = action
 		}
 		if routeOptions != nil {
@@ -451,7 +451,7 @@ match:
 			}
 		}
 		switch action := currentRule.Action().(type) {
-		case *rule.RuleActionSniff:
+		case *R.RuleActionSniff:
 			if !preMatch {
 				newBuffer, newPacketBuffers, newErr := r.actionSniff(ctx, metadata, action, inputConn, inputPacketConn, buffers)
 				if newErr != nil {
@@ -468,7 +468,7 @@ match:
 				selectedRuleIndex = currentRuleIndex
 				break match
 			}
-		case *rule.RuleActionResolve:
+		case *R.RuleActionResolve:
 			fatalErr = r.actionResolve(ctx, metadata, action)
 			if fatalErr != nil {
 				return
@@ -488,7 +488,7 @@ match:
 }
 func (r *Router) actionSniff(
-	ctx context.Context, metadata *adapter.InboundContext, action *rule.RuleActionSniff,
+	ctx context.Context, metadata *adapter.InboundContext, action *R.RuleActionSniff,
 	inputConn net.Conn, inputPacketConn N.PacketConn, inputBuffers []*buf.Buffer,
 ) (buffer *buf.Buffer, packetBuffers []*N.PacketBuffer, fatalErr error) {
 	if sniff.Skip(metadata) {
@@ -501,6 +501,9 @@ func (r *Router) actionSniff(
 	if inputConn != nil {
 		if len(action.StreamSniffers) == 0 && len(action.PacketSniffers) > 0 {
 			return
 		} else if metadata.SniffError != nil && !errors.Is(metadata.SniffError, sniff.ErrNeedMoreData) {
 			r.logger.DebugContext(ctx, "packet sniff skipped due to previous error: ", metadata.SniffError)
 			return
 		}
 		var streamSniffers []sniff.StreamSniffer
 		if len(action.StreamSniffers) > 0 {
@@ -525,6 +528,7 @@ func (r *Router) actionSniff(
 			action.Timeout,
 			streamSniffers...,
 		)
 		metadata.SniffError = err
 		if err == nil {
 			//goland:noinspection GoDeprecation
 			if action.OverrideDestination && M.IsDomainName(metadata.Domain) {
@@ -549,8 +553,8 @@ func (r *Router) actionSniff(
 	} else if inputPacketConn != nil {
 		if len(action.PacketSniffers) == 0 && len(action.StreamSniffers) > 0 {
 			return
-		} else if metadata.PacketSniffError != nil && !errors.Is(metadata.PacketSniffError, sniff.ErrNeedMoreData) {
+		} else if metadata.SniffError != nil && !errors.Is(metadata.SniffError, sniff.ErrNeedMoreData) {
-			r.logger.DebugContext(ctx, "packet sniff skipped due to previous error: ", metadata.PacketSniffError)
+			r.logger.DebugContext(ctx, "packet sniff skipped due to previous error: ", metadata.SniffError)
 			return
 		}
 		var packetSniffers []sniff.PacketSniffer
@@ -598,7 +602,7 @@ func (r *Router) actionSniff(
 					return
 				}
 			} else {
-				if len(packetBuffers) > 0 || metadata.PacketSniffError != nil {
+				if len(packetBuffers) > 0 || metadata.SniffError != nil {
 					err = sniff.PeekPacket(
 						ctx,
 						metadata,
@@ -618,7 +622,7 @@ func (r *Router) actionSniff(
 					Destination: destination,
 				}
 				packetBuffers = append(packetBuffers, packetBuffer)
-				metadata.PacketSniffError = err
+				metadata.SniffError = err
 				if errors.Is(err, sniff.ErrNeedMoreData) {
 					// TODO: replace with generic message when there are more multi-packet protocols
 					r.logger.DebugContext(ctx, "attempt to sniff fragmented QUIC client hello")
@@ -649,7 +653,7 @@ func (r *Router) actionSniff(
 	return
 }
-func (r *Router) actionResolve(ctx context.Context, metadata *adapter.InboundContext, action *rule.RuleActionResolve) error {
+func (r *Router) actionResolve(ctx context.Context, metadata *adapter.InboundContext, action *R.RuleActionResolve) error {
 	if metadata.Destination.IsFqdn() {
 		var transport adapter.DNSTransport
 		if action.Server != "" {
@@ -662,6 +666,7 @@ func (r *Router) actionResolve(ctx context.Context, metadata *adapter.InboundCon
 		addresses, err := r.dns.Lookup(adapter.WithContext(ctx, metadata), metadata.Destination.Fqdn, adapter.DNSQueryOptions{
 			Transport:    transport,
 			Strategy:     action.Strategy,
 			Timeout:      action.Timeout,
 			DisableCache: action.DisableCache,
 			RewriteTTL:   action.RewriteTTL,
 			ClientSubnet: action.ClientSubnet,
--- a/route/rule/rule_action.go
+++ b/route/rule/rule_action.go
@@ -2,6 +2,7 @@ package rule
 import (
 	"context"
 	"errors"
 	"net/netip"
 	"strings"
 	"sync"
@@ -112,6 +113,7 @@ func NewDNSRuleAction(logger logger.ContextLogger, action option.DNSRuleAction)
 			Server: action.RouteOptions.Server,
 			RuleActionDNSRouteOptions: RuleActionDNSRouteOptions{
 				Strategy:     C.DomainStrategy(action.RouteOptions.Strategy),
 				Timeout:      time.Duration(action.RouteOptions.Timeout),
 				DisableCache: action.RouteOptions.DisableCache,
 				RewriteTTL:   action.RouteOptions.RewriteTTL,
 				ClientSubnet: netip.Prefix(common.PtrValueOrDefault(action.RouteOptions.ClientSubnet)),
@@ -120,6 +122,7 @@ func NewDNSRuleAction(logger logger.ContextLogger, action option.DNSRuleAction)
 	case C.RuleActionTypeRouteOptions:
 		return &RuleActionDNSRouteOptions{
 			Strategy:     C.DomainStrategy(action.RouteOptionsOptions.Strategy),
 			Timeout:      time.Duration(action.RouteOptionsOptions.Timeout),
 			DisableCache: action.RouteOptionsOptions.DisableCache,
 			RewriteTTL:   action.RouteOptionsOptions.RewriteTTL,
 			ClientSubnet: netip.Prefix(common.PtrValueOrDefault(action.RouteOptionsOptions.ClientSubnet)),
@@ -234,20 +237,13 @@ func (r *RuleActionDNSRoute) Type() string {
 func (r *RuleActionDNSRoute) String() string {
 	var descriptions []string
 	descriptions = append(descriptions, r.Server)
-	if r.DisableCache {
+	descriptions = append(descriptions, r.Descriptions()...)
 		descriptions = append(descriptions, "disable-cache")
 	}
 	if r.RewriteTTL != nil {
 		descriptions = append(descriptions, F.ToString("rewrite-ttl=", *r.RewriteTTL))
 	}
 	if r.ClientSubnet.IsValid() {
 		descriptions = append(descriptions, F.ToString("client-subnet=", r.ClientSubnet))
 	}
 	return F.ToString("route(", strings.Join(descriptions, ","), ")")
 }
 type RuleActionDNSRouteOptions struct {
 	Strategy     C.DomainStrategy
 	Timeout      time.Duration
 	DisableCache bool
 	RewriteTTL   *uint32
 	ClientSubnet netip.Prefix
@@ -258,7 +254,17 @@ func (r *RuleActionDNSRouteOptions) Type() string {
 }
 func (r *RuleActionDNSRouteOptions) String() string {
 	return F.ToString("route-options(", strings.Join(r.Descriptions(), ","), ")")
 }
 func (r *RuleActionDNSRouteOptions) Descriptions() []string {
 	var descriptions []string
 	if r.Strategy != C.DomainStrategyAsIS {
 		descriptions = append(descriptions, F.ToString("strategy=", option.DomainStrategy(r.Strategy)))
 	}
 	if r.Timeout > 0 {
 		descriptions = append(descriptions, F.ToString("timeout=", r.Timeout.String()))
 	}
 	if r.DisableCache {
 		descriptions = append(descriptions, "disable-cache")
 	}
@@ -268,7 +274,7 @@ func (r *RuleActionDNSRouteOptions) String() string {
 	if r.ClientSubnet.IsValid() {
 		descriptions = append(descriptions, F.ToString("client-subnet=", r.ClientSubnet))
 	}
-	return F.ToString("route-options(", strings.Join(descriptions, ","), ")")
+	return descriptions
 }
 type RuleActionDirect struct {
@@ -284,6 +290,23 @@ func (r *RuleActionDirect) String() string {
 	return "direct" + r.description
 }
 type RejectedError struct {
 	Cause error
 }
 func (r *RejectedError) Error() string {
 	return "rejected"
 }
 func (r *RejectedError) Unwrap() error {
 	return r.Cause
 }
 func IsRejected(err error) bool {
 	var rejected *RejectedError
 	return errors.As(err, &rejected)
 }
 type RuleActionReject struct {
 	Method      string
 	NoDrop      bool
@@ -307,9 +330,9 @@ func (r *RuleActionReject) Error(ctx context.Context) error {
 	var returnErr error
 	switch r.Method {
 	case C.RuleActionRejectMethodDefault:
-		returnErr = syscall.ECONNREFUSED
+		returnErr = &RejectedError{syscall.ECONNREFUSED}
 	case C.RuleActionRejectMethodDrop:
-		return tun.ErrDrop
+		return &RejectedError{tun.ErrDrop}
 	default:
 		panic(F.ToString("unknown reject method: ", r.Method))
 	}
@@ -327,7 +350,7 @@ func (r *RuleActionReject) Error(ctx context.Context) error {
 		if ctx != nil {
 			r.logger.DebugContext(ctx, "dropped due to flooding")
 		}
-		return tun.ErrDrop
+		return &RejectedError{tun.ErrDrop}
 	}
 	return returnErr
 }
@@ -403,6 +426,7 @@ func (r *RuleActionSniff) String() string {
 type RuleActionResolve struct {
 	Server       string
 	Strategy     C.DomainStrategy
 	Timeout      time.Duration
 	DisableCache bool
 	RewriteTTL   *uint32
 	ClientSubnet netip.Prefix
@@ -420,6 +444,9 @@ func (r *RuleActionResolve) String() string {
 	if r.Strategy != C.DomainStrategyAsIS {
 		options = append(options, F.ToString(option.DomainStrategy(r.Strategy)))
 	}
 	if r.Timeout > 0 {
 		options = append(options, F.ToString("timeout=", r.Timeout.String()))
 	}
 	if r.DisableCache {
 		options = append(options, "disable_cache")
 	}
Author	SHA1	Message	Date
世界	0d8c15932f	Add options to custom DNS query timeout	2025-06-30 18:29:00 +08:00
世界	70371c3cbe	documentation: Bump version	2025-06-30 18:28:16 +08:00
世界	32bc8b48f1	Improve nftables rules for openwrt	2025-06-30 18:27:33 +08:00
世界	b5df508bc9	Fixed DoH server recover from conn freezes	2025-06-30 18:24:48 +08:00
世界	4789846113	Update libresolv usage	2025-06-29 19:20:31 +08:00
yu	ad94f94cfb	documentation: Update client configuration manual	2025-06-29 19:11:15 +08:00
yanwo	1f9de9f321	documentation: Fix typo Signed-off-by: yanwo <ogilvy@gmail.com>	2025-06-29 19:11:15 +08:00
anytinz	344bbf9494	documentation: Fix wrong SideStore loopback ip	2025-06-29 18:57:04 +08:00
世界	b7e16e70ab	Revert "release: Add IPA build" After testing, it seems that since extensions are not handled correctly, it cannot be installed by SideStore.	2025-06-29 18:57:04 +08:00
世界	391153ecb8	release: Add IPA build	2025-06-29 18:57:03 +08:00
世界	3d821db0b2	Add API to dump AdGuard rules	2025-06-29 18:57:03 +08:00
Sukka	344ecd3798	Improve AdGuard rule-set parser	2025-06-29 18:57:03 +08:00
Restia-Ashbell	a8a3f863cd	Add ECH support for uTLS	2025-06-29 18:57:02 +08:00
世界	ea190ca428	Improve TLS fragments	2025-06-29 18:57:02 +08:00
世界	e65b78d1e4	Add cache support for ssm-api	2025-06-29 18:57:02 +08:00
世界	84f7d80da7	Fix service will not be closed	2025-06-29 18:57:02 +08:00
世界	2b57eb0b30	Add loopback address support for tun	2025-06-29 18:57:01 +08:00
世界	9884f81298	Fix tproxy listener	2025-06-29 18:57:01 +08:00
世界	8493b4f1da	Fix systemd package	2025-06-29 18:57:01 +08:00
世界	8f1a8add85	Fix missing home for derp service	2025-06-29 18:57:01 +08:00
Zero Clover	85ee6bb266	documentation: Fix services	2025-06-29 18:57:01 +08:00
世界	c4387f7c37	Fix `dns.client_subnet` ignored	2025-06-29 18:57:01 +08:00
世界	dcb7a5caed	documentation: Minor fixes	2025-06-29 18:57:00 +08:00
世界	ae77cdeedd	Fix tailscale forward	2025-06-29 18:57:00 +08:00
世界	ec05d4e5e3	Minor fixes	2025-06-29 18:56:59 +08:00
世界	1f766d2b89	Add SSM API service	2025-06-29 18:56:59 +08:00
世界	a5a6c1f7d4	Add resolved service and DNS server	2025-06-29 18:56:59 +08:00
世界	cd43786279	Add DERP service	2025-06-29 18:56:59 +08:00
世界	43a211db28	Add service component type	2025-06-29 18:56:58 +08:00
世界	d4f6bdf792	Fix tproxy tcp control	2025-06-29 18:56:58 +08:00
愚者	99cf27bedd	release: Fix build tags for android Signed-off-by: 愚者 <11926619+FansChou@users.noreply.github.com>	2025-06-29 18:56:58 +08:00
世界	0a14c5ab1f	prevent creation of bind and mark controls on unsupported platforms	2025-06-29 18:56:58 +08:00
PuerNya	533b31e1f6	documentation: Fix description of reject DNS action behavior	2025-06-29 18:56:57 +08:00
Restia-Ashbell	8ed6523872	Fix TLS record fragment	2025-06-29 18:56:57 +08:00
世界	e5c162222d	Add missing `accept_routes` option for Tailscale	2025-06-29 18:56:57 +08:00
世界	88babbf3a7	Add TLS record fragment support	2025-06-29 18:56:56 +08:00
世界	49a03e0b23	Fix set edns0 client subnet	2025-06-29 18:56:56 +08:00
世界	9a8e9a34c0	Update minor dependencies	2025-06-29 18:56:56 +08:00
世界	17551db7be	Update certmagic and providers	2025-06-29 18:56:56 +08:00
世界	83201bb088	Update protobuf and grpc	2025-06-29 18:56:56 +08:00
世界	f0f1942f1f	Add control options for listeners	2025-06-29 18:56:55 +08:00
世界	c7e318be61	Update quic-go to v0.52.0	2025-06-29 18:56:54 +08:00
世界	2a5e0d0c92	Update utls to v1.7.2	2025-06-29 18:56:54 +08:00
世界	956e485342	Handle EDNS version downgrade	2025-06-29 18:56:54 +08:00
世界	23ede74e74	documentation: Fix anytls padding scheme description	2025-06-29 18:56:54 +08:00
安容	03317e61dd	Report invalid DNS address early	2025-06-29 18:56:54 +08:00
世界	fc81bd9a5b	Fix wireguard `listen_port`	2025-06-29 18:56:53 +08:00
世界	4d406cad84	clash-api: Add more meta api	2025-06-29 18:56:53 +08:00
世界	1f0282de9c	Fix DNS lookup	2025-06-29 18:56:53 +08:00
世界	b097912418	Fix fetch ECH configs	2025-06-29 18:56:52 +08:00
reletor	056c29e73a	documentation: Minor fixes	2025-06-29 18:56:52 +08:00
caelansar	7aa0a57e60	Fix callback deletion in UDP transport	2025-06-29 18:56:52 +08:00
世界	2673e64bcb	documentation: Try to make the play review happy	2025-06-29 18:56:51 +08:00
世界	3d3c1709d7	Fix missing handling of legacy `domain_strategy` options	2025-06-29 18:56:51 +08:00
世界	9de29a590f	Improve local DNS server	2025-06-29 18:56:50 +08:00
anytls	a5282b08ec	Update anytls Co-authored-by: anytls <anytls>	2025-06-29 18:56:50 +08:00
世界	b26c2083bf	Fix DNS dialer	2025-06-29 18:56:50 +08:00
世界	c1f4c691dc	release: Skip override version for iOS	2025-06-29 18:56:49 +08:00
iikira	c0ef6eb728	Fix UDP DNS server crash Signed-off-by: iikira <i2@mail.iikira.com>	2025-06-29 18:56:49 +08:00
ReleTor	074d61021f	Fix fetch ECH configs	2025-06-29 18:56:49 +08:00
世界	246c9d4e40	Allow direct outbounds without `domain_resolver`	2025-06-29 18:56:49 +08:00
世界	3e3466c8d7	Fix Tailscale dialer	2025-06-29 18:56:48 +08:00
dyhkwong	f73415a732	Fix DNS over QUIC stream close	2025-06-29 18:56:48 +08:00
anytls	ecabe9ffe1	Update anytls Co-authored-by: anytls <anytls>	2025-06-29 18:56:48 +08:00
Rambling2076	2dae1ee284	Fix missing `with_tailscale` in Dockerfile Signed-off-by: Rambling2076 <Rambling2076@proton.me>	2025-06-29 18:56:47 +08:00
世界	2afb24d698	Fail when default DNS server not found	2025-06-29 18:56:47 +08:00
世界	ade83ee758	Update gVisor to 20250319.0	2025-06-29 18:56:47 +08:00
世界	ac9c300ca7	Explicitly reject detour to empty direct outbounds	2025-06-29 18:56:47 +08:00
世界	e6eb3cec2b	Add netns support	2025-06-29 18:56:46 +08:00
世界	601b79371b	Add wildcard name support for predefined records	2025-06-29 18:56:46 +08:00
世界	56b957d30d	Remove map usage in options	2025-06-29 18:56:45 +08:00
世界	eb87b1a708	Fix unhandled DNS loop	2025-06-29 18:56:45 +08:00
世界	c0a5561bd4	Add wildcard-sni support for shadow-tls inbound	2025-06-29 18:56:45 +08:00
k9982874	4a3fe1d41c	Add ntp protocol sniffing	2025-06-29 18:56:45 +08:00
世界	4cbbcfb04d	option: Fix marshal legacy DNS options	2025-06-29 18:56:44 +08:00
世界	b3ad4e0e39	Make `domain_resolver` optional when only one DNS server is configured	2025-06-29 18:56:44 +08:00
世界	49f9c0011d	Fix DNS lookup context pollution	2025-06-29 18:56:44 +08:00
世界	c8c165af87	Fix http3 DNS server connecting to wrong address	2025-06-29 18:56:43 +08:00
Restia-Ashbell	3f790ff8c9	documentation: Fix typo	2025-06-29 18:56:43 +08:00
anytls	f2272ae1e7	Update sing-anytls Co-authored-by: anytls <anytls>	2025-06-29 18:56:43 +08:00
k9982874	b40c264c0a	Fix hosts DNS server	2025-06-29 18:56:43 +08:00
世界	29fc8d6a86	Fix UDP DNS server crash	2025-06-29 18:56:43 +08:00
世界	46ca27c926	documentation: Fix missing `ip_accept_any` DNS rule option	2025-06-29 18:56:42 +08:00
世界	243a5dd477	Fix anytls dialer usage	2025-06-29 18:56:42 +08:00
世界	844e9f09a6	Move predefined DNS server to rule action	2025-06-29 18:56:41 +08:00
世界	9aa673f79e	Fix domain resolver on direct outbound	2025-06-29 18:56:41 +08:00
Zephyruso	5abd74ffe3	Fix missing AnyTLS display name	2025-06-29 18:56:41 +08:00
anytls	68a32960bd	Update sing-anytls Co-authored-by: anytls <anytls>	2025-06-29 18:56:41 +08:00
Estel	1e62e3e5d4	documentation: Fix typo Signed-off-by: Estel <callmebedrockdigger@gmail.com>	2025-06-29 18:56:41 +08:00
TargetLocked	40c03a9913	Fix parsing legacy DNS options	2025-06-29 18:56:40 +08:00
世界	2ea4029868	Fix DNS fallback	2025-06-29 18:56:40 +08:00
世界	66f5cdd014	documentation: Fix missing hosts DNS server	2025-06-29 18:56:39 +08:00
anytls	89da2b6355	Add MinIdleSession option to AnyTLS outbound Co-authored-by: anytls <anytls>	2025-06-29 18:56:39 +08:00
ReleTor	ee2b8498e6	documentation: Minor fixes	2025-06-29 18:56:39 +08:00
libtry486	b1eaf537bd	documentation: Fix typo fix typo Signed-off-by: libtry486 <89328481+libtry486@users.noreply.github.com>	2025-06-29 18:56:39 +08:00
Alireza Ahmadi	63739c1621	Fix Outbound deadlock	2025-06-29 18:56:38 +08:00
世界	3c8ddee029	documentation: Fix AnyTLS doc	2025-06-29 18:56:38 +08:00
anytls	23aad70045	Add AnyTLS protocol	2025-06-29 18:56:38 +08:00
世界	0d67b51267	Migrate to stdlib ECH support	2025-06-29 18:56:37 +08:00
世界	c02f939265	Add fallback local DNS server for iOS	2025-06-29 18:56:37 +08:00
世界	36b84e25c2	Get darwin local DNS server from libresolv	2025-06-29 18:56:37 +08:00
世界	9fd4b0e9ae	Improve resolve action	2025-06-29 18:56:36 +08:00
世界	e68cdcc98a	Add back port hopping to hysteria 1	2025-06-29 18:56:36 +08:00
xchacha20-poly1305	2691617c5e	Remove single quotes of raw Moziila certs	2025-06-29 18:56:35 +08:00
世界	04056a1357	Add Tailscale endpoint	2025-06-29 18:56:35 +08:00
世界	faac858e5d	Build legacy binaries with latest Go	2025-06-29 18:56:35 +08:00
世界	a818c8abeb	documentation: Remove outdated icons	2025-06-29 18:56:34 +08:00
世界	15cbe9fc87	documentation: Certificate store	2025-06-29 18:56:34 +08:00
世界	e186f2d31e	documentation: TLS fragment	2025-06-29 18:56:34 +08:00
世界	e9323481a4	documentation: Outbound domain resolver	2025-06-29 18:56:33 +08:00
世界	a0a41ff2bb	documentation: Refactor DNS	2025-06-29 18:56:33 +08:00
世界	549daf9d41	Add certificate store	2025-06-29 18:56:33 +08:00
世界	fa370f7d04	Add TLS fragment support	2025-06-29 18:56:33 +08:00
世界	795cb17bfa	refactor: Outbound domain resolver	2025-06-29 18:56:32 +08:00
世界	00d8add761	refactor: DNS	2025-06-29 18:56:32 +08:00
Kyson	36db31c55a	documentation: Fix typo Co-authored-by: chenqixin <chenqixin@bytedance.com>	2025-06-29 18:54:05 +08:00
世界	4dbbf59c82	Fix logger for acme	2025-06-29 18:44:40 +08:00
世界	832eb4458d	release: Fix xcode version	2025-06-29 18:44:40 +08:00
dyhkwong	2cf989d306	Fix inbound with v2ray transport missing InboundOptions	2025-06-25 13:20:00 +08:00
世界	7d3ee29bd0	Also skip duplicate sniff for TCP	2025-06-21 12:57:27 +08:00
世界	cba0e46aba	Fix log for rejected connections	2025-06-21 12:57:26 +08:00
世界	9b8ab3e61e	Bump version	2025-06-19 11:57:44 +08:00
dyhkwong	47f18e823a	Fix: macOS udp find process should use unspecified fallback `be8d63ba8f`	2025-06-18 08:34:59 +08:00
世界	2d1b824b62	Fix gLazyConn race	2025-06-17 14:24:11 +08:00
世界	d511698f3f	Fix slowOpenConn	2025-06-12 08:05:04 +08:00
世界	cb435ea232	Fix default network strategy	2025-06-12 08:05:04 +08:00