documentation: Bump version

Signed-off-by: yanwo <ogilvy@gmail.com>

.fpm_pacman

@@ -1,23 +0,0 @@
--s dir
---name sing-box
---category net
---license GPL-3.0-or-later
---description "The universal proxy platform."
---url "https://sing-box.sagernet.org/"
---maintainer "nekohasekai <contact-git@sekai.icu>"
---config-files etc/sing-box/config.json
---after-install release/config/sing-box.postinst
-
-release/config/config.json=/etc/sing-box/config.json
-
-release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
-release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
-release/config/sing-box.sysusers=/usr/lib/sysusers.d/sing-box.conf
-release/config/sing-box.rules=usr/share/polkit-1/rules.d/sing-box.rules
-release/config/sing-box-split-dns.xml=/usr/share/dbus-1/system.d/sing-box-split-dns.conf
-
-release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
-release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
-release/completions/sing-box.zsh=/usr/share/zsh/site-functions/_sing-box
-
-LICENSE=/usr/share/licenses/sing-box/LICENSE

.fpm_systemd

@@ -16,7 +16,7 @@ release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
 release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
 release/config/sing-box.sysusers=/usr/lib/sysusers.d/sing-box.conf
 release/config/sing-box.rules=usr/share/polkit-1/rules.d/sing-box.rules
-release/config/sing-box-split-dns.xml=/usr/share/dbus-1/system.d/sing-box-split-dns.conf
+release/config/sing-box-dbus.xml=/usr/share/dbus-1/system.d/sing-box-dbus.conf
 
 release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
 release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish

.github/setup_legacy_go.sh

@@ -1,27 +1,25 @@
 #!/usr/bin/env bash
 
-VERSION="1.25.7"
+VERSION="1.23.6"
 
 mkdir -p $HOME/go
 cd $HOME/go
 wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
 tar -xzf "go${VERSION}.linux-amd64.tar.gz"
-mv go go_win7
-cd go_win7
+mv go go_legacy
+cd go_legacy
 
 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-# this patch file only works on golang1.25.x
-# that means after golang1.26 release it must be changed
-# see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
+# this patch file only works on golang1.23.x
+# that means after golang1.24 release it must be changed
+# see: https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
 # revert:
 # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
 # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
 # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
 # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
 
-alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
-
-curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/69e2eed6dd0f6d815ebf15797761c13f31213dd6.diff | patch --verbose -p 1

.github/workflows/build.yml

@@ -25,7 +25,8 @@ on:
           - publish-android
   push:
     branches:
-      - oldstable
+      - main-next
+      - dev-next
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
@@ -39,13 +40,13 @@ jobs:
       version: ${{ steps.outputs.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.24
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -87,14 +88,13 @@ jobs:
           - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
 
           - { os: windows, arch: amd64 }
-          - { os: windows, arch: amd64, legacy_win7: true, legacy_name: "windows-7" }
+          - { os: windows, arch: amd64, legacy_go: true }
           - { os: windows, arch: "386" }
-          - { os: windows, arch: "386", legacy_win7: true, legacy_name: "windows-7" }
+          - { os: windows, arch: "386", legacy_go: true }
           - { os: windows, arch: arm64 }
 
           - { os: darwin, arch: amd64 }
           - { os: darwin, arch: arm64 }
-          - { os: darwin, arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
 
           - { os: android, arch: arm64, ndk: "aarch64-linux-android21" }
           - { os: android, arch: arm, ndk: "armv7a-linux-androideabi21" }
@@ -102,36 +102,31 @@ jobs:
           - { os: android, arch: "386", ndk: "i686-linux-android21" }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
-        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
+        if: ${{ ! matrix.legacy_go }}
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
-      - name: Setup Go 1.24
-        if: matrix.legacy_go124
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.24.10
-      - name: Cache Go for Windows 7
-        if: matrix.legacy_win7
-        id: cache-go-for-windows7
+          go-version: ^1.24
+      - name: Cache Legacy Go
+        if: matrix.require_legacy_go
+        id: cache-legacy-go
         uses: actions/cache@v4
         with:
           path: |
-            ~/go/go_win7
-          key: go_win7_1255
-      - name: Setup Go for Windows 7
-        if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
+            ~/go/go_legacy
+          key: go_legacy_1236
+      - name: Setup Legacy Go
+        if: matrix.legacy_go && steps.cache-legacy-go.outputs.cache-hit != 'true'
         run: |-
-          .github/setup_go_for_windows7.sh
-      - name: Setup Go for Windows 7
-        if: matrix.legacy_win7
+          .github/setup_legacy_go.sh
+      - name: Setup Legacy Go 2
+        if: matrix.legacy_go
         run: |-
-          echo "PATH=$HOME/go/go_win7/bin:$PATH" >> $GITHUB_ENV
-          echo "GOROOT=$HOME/go/go_win7" >> $GITHUB_ENV
+          echo "PATH=$HOME/go/go_legacy/bin:$PATH" >> $GITHUB_ENV
+          echo "GOROOT=$HOME/go/go_legacy" >> $GITHUB_ENV
       - name: Setup Android NDK
         if: matrix.os == 'android'
         uses: nttld/setup-ndk@v1
@@ -189,8 +184,8 @@ jobs:
             DIR_NAME="${DIR_NAME}-${{ matrix.go386 }}"
           elif [[ -n "${{ matrix.gomips }}" && "${{ matrix.gomips }}" != 'hardfloat' ]]; then
             DIR_NAME="${DIR_NAME}-${{ matrix.gomips }}"
-          elif [[ -n "${{ matrix.legacy_name }}" ]]; then
-            DIR_NAME="${DIR_NAME}-legacy-${{ matrix.legacy_name }}"
+          elif [[ "${{ matrix.legacy_go }}" == 'true' ]]; then
+            DIR_NAME="${DIR_NAME}-legacy"
           fi
           echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
           PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
@@ -242,7 +237,7 @@ jobs:
           sudo gem install fpm
           sudo apt-get update
           sudo apt-get install -y libarchive-tools
-          cp .fpm_pacman .fpm
+          cp .fpm_systemd .fpm
           fpm -t pacman \
             -v "$PKG_VERSION" \
             -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.pacman }}.pkg.tar.zst" \
@@ -282,24 +277,24 @@ jobs:
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
-          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}
+          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_go && '-legacy' || '' }}
           path: "dist"
   build_android:
     name: Build Android
-    if: (github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android') && github.ref != 'refs/heads/oldstable'
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
     runs-on: ubuntu-latest
     needs:
       - calculate_version
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           fetch-depth: 0
           submodules: 'recursive'
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.24
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -322,12 +317,12 @@ jobs:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
       - name: Checkout main branch
-        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/android
           git checkout main
       - name: Checkout dev branch
-        if: github.ref == 'refs/heads/testing'
+        if: github.ref == 'refs/heads/dev-next'
         run: |-
           cd clients/android
           git checkout dev
@@ -366,20 +361,20 @@ jobs:
           path: 'dist'
   publish_android:
     name: Publish Android
-    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android' && github.ref != 'refs/heads/oldstable'
+    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
     runs-on: ubuntu-latest
     needs:
       - calculate_version
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           fetch-depth: 0
           submodules: 'recursive'
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.24
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -402,12 +397,12 @@ jobs:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
       - name: Checkout main branch
-        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/android
           git checkout main
       - name: Checkout dev branch
-        if: github.ref == 'refs/heads/testing'
+        if: github.ref == 'refs/heads/dev-next'
         run: |-
           cd clients/android
           git checkout dev
@@ -431,8 +426,7 @@ jobs:
           SERVICE_ACCOUNT_CREDENTIALS: ${{ secrets.SERVICE_ACCOUNT_CREDENTIALS }}
   build_apple:
     name: Build Apple clients
-    runs-on: macos-26
-    if: false
+    runs-on: macos-15
     needs:
       - calculate_version
     strategy:
@@ -470,7 +464,7 @@ jobs:
     steps:
       - name: Checkout
         if: matrix.if
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           fetch-depth: 0
           submodules: 'recursive'
@@ -478,7 +472,15 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.24
+      - name: Setup Xcode stable
+        if: matrix.if && github.ref == 'refs/heads/main-next'
+        run: |-
+          sudo xcode-select -s /Applications/Xcode_16.4.app
+      - name: Setup Xcode beta
+        if: matrix.if && github.ref == 'refs/heads/dev-next'
+        run: |-
+          sudo xcode-select -s /Applications/Xcode_16.4.app
       - name: Set tag
         if: matrix.if
         run: |-
@@ -486,12 +488,12 @@ jobs:
           git tag v${{ needs.calculate_version.outputs.version }} -f
           echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
       - name: Checkout main branch
-        if: matrix.if && github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
+        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/apple
           git checkout main
       - name: Checkout dev branch
-        if: matrix.if && github.ref == 'refs/heads/testing'
+        if: matrix.if && github.ref == 'refs/heads/dev-next'
         run: |-
           cd clients/apple
           git checkout dev
@@ -577,7 +579,7 @@ jobs:
             -authenticationKeyID $ASC_KEY_ID \
             -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
       - name: Publish to TestFlight
-        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/testing'
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
         run: |-
           go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
       - name: Build image
@@ -622,7 +624,7 @@ jobs:
       - build_apple
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           fetch-depth: 0
       - name: Cache ghr
@@ -645,7 +647,7 @@ jobs:
           git tag v${{ needs.calculate_version.outputs.version }} -f
           echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
       - name: Download builds
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v4
         with:
           path: dist
           merge-multiple: true

.github/workflows/docker.yml

@@ -39,7 +39,7 @@ jobs:
           echo "ref=$ref"
           echo "ref=$ref" >> $GITHUB_OUTPUT
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           ref: ${{ steps.ref.outputs.ref }}
           fetch-depth: 0
@@ -107,7 +107,7 @@ jobs:
           echo "latest=$latest"
           echo "latest=$latest" >> $GITHUB_OUTPUT
       - name: Download digests
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v4
         with:
           path: /tmp/digests
           pattern: digests-*

.github/workflows/lint.yml

@@ -3,20 +3,18 @@ name: Lint
 on:
   push:
     branches:
-      - oldstable
-      - stable
-      - testing
-      - unstable
+      - stable-next
+      - main-next
+      - dev-next
     paths-ignore:
       - '**.md'
       - '.github/**'
       - '!.github/workflows/lint.yml'
   pull_request:
     branches:
-      - oldstable
-      - stable
-      - testing
-      - unstable
+      - stable-next
+      - main-next
+      - dev-next
 
 jobs:
   build:
@@ -24,15 +22,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.24.10
+          go-version: ^1.24
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v6
         with:
           version: latest
           args: --timeout=30m

.github/workflows/linux.yml

@@ -7,11 +7,6 @@ on:
         description: "Version name"
         required: true
         type: string
-      forceBeta:
-        description: "Force beta"
-        required: false
-        type: boolean
-        default: false
   release:
     types:
       - published
@@ -24,13 +19,13 @@ jobs:
       version: ${{ steps.outputs.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.24
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -65,13 +60,13 @@ jobs:
           - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.24
       - name: Setup Android NDK
         if: matrix.os == 'android'
         uses: nttld/setup-ndk@v1
@@ -104,11 +99,11 @@ jobs:
         run: |-
           TZ=UTC touch -t '197001010000' dist/sing-box
       - name: Set name
-        if: (! contains(needs.calculate_version.outputs.version, '-')) && !inputs.forceBeta
+        if: ${{ ! contains(needs.calculate_version.outputs.version, '-') }}
         run: |-
           echo "NAME=sing-box" >> "$GITHUB_ENV"
       - name: Set beta name
-        if: contains(needs.calculate_version.outputs.version, '-') || inputs.forceBeta
+        if: contains(needs.calculate_version.outputs.version, '-')
         run: |-
           echo "NAME=sing-box-beta" >> "$GITHUB_ENV"
       - name: Set version
@@ -171,7 +166,7 @@ jobs:
       - build
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           fetch-depth: 0
       - name: Set tag
@@ -180,7 +175,7 @@ jobs:
           git tag v${{ needs.calculate_version.outputs.version }} -f
           echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
       - name: Download builds
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v4
         with:
           path: dist
           merge-multiple: true

.gitignore

@@ -15,6 +15,4 @@
 .DS_Store
 /config.d/
 /venv/
-CLAUDE.md
-AGENTS.md
-/.claude/
+

.golangci.yml

@@ -1,6 +1,27 @@
-version: "2"
+linters:
+  disable-all: true
+  enable:
+    - gofumpt
+    - govet
+    - gci
+    - staticcheck
+    - paralleltest
+    - ineffassign
+
+linters-settings:
+  gci:
+    custom-order: true
+    sections:
+      - standard
+      - prefix(github.com/sagernet/)
+      - default
+  staticcheck:
+    checks:
+      - all
+      - -SA1003
+
 run:
-  go: "1.24"
+  go: "1.23"
   build-tags:
     - with_gvisor
     - with_quic
@@ -9,51 +30,7 @@ run:
     - with_utls
     - with_acme
     - with_clash_api
-linters:
-  default: none
-  enable:
-    - govet
-    - ineffassign
-    - paralleltest
-    - staticcheck
-  settings:
-    staticcheck:
-      checks:
-        - all
-        - -S1000
-        - -S1008
-        - -S1017
-        - -ST1003
-        - -QF1001
-        - -QF1003
-        - -QF1008
-  exclusions:
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    paths:
-      - transport/simple-obfs
-      - third_party$
-      - builtin$
-      - examples$
-formatters:
-  enable:
-    - gci
-    - gofumpt
-  settings:
-    gci:
-      sections:
-        - standard
-        - prefix(github.com/sagernet/)
-        - default
-      custom-order: true
-  exclusions:
-    generated: lax
-    paths:
-      - transport/simple-obfs
-      - third_party$
-      - builtin$
-      - examples$
+
+issues:
+  exclude-dirs:
+    - transport/simple-obfs

.goreleaser.fury.yaml

@@ -59,8 +59,8 @@ nfpms:
         dst: /usr/lib/sysusers.d/sing-box.conf
       - src: release/config/sing-box.rules
         dst: /usr/share/polkit-1/rules.d/sing-box.rules
-      - src: release/config/sing-box-split-dns.xml
-        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
+      - src: release/config/sing-box-dbus.xml
+        dst: /usr/share/dbus-1/system.d/sing-box-dbus.conf
 
       - src: release/completions/sing-box.bash
         dst: /usr/share/bash-completion/completions/sing-box.bash

.goreleaser.yaml

@@ -140,8 +140,8 @@ nfpms:
         dst: /usr/lib/sysusers.d/sing-box.conf
       - src: release/config/sing-box.rules
         dst: /usr/share/polkit-1/rules.d/sing-box.rules
-      - src: release/config/sing-box-split-dns.xml
-        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
+      - src: release/config/sing-box-dbus.xml
+        dst: /usr/share/dbus-1/system.d/sing-box-dbus.conf
 
       - src: release/completions/sing-box.bash
         dst: /usr/share/bash-completion/completions/sing-box.bash

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
@@ -20,6 +20,8 @@ RUN set -ex \
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
-    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
+    && apk upgrade \
+    && apk add bash tzdata ca-certificates nftables \
+    && rm -rf /var/cache/apk/*
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]

Makefile

@@ -17,10 +17,6 @@ build:
 	export GOTOOLCHAIN=local && \
 	go build $(MAIN_PARAMS) $(MAIN)
 
-race:
-	export GOTOOLCHAIN=local && \
-	go build -race $(MAIN_PARAMS) $(MAIN)
-
 ci_build:
 	export GOTOOLCHAIN=local && \
 	go build $(PARAMS) $(MAIN) && \
@@ -49,7 +45,7 @@ lint:
 	GOOS=freebsd golangci-lint run ./...
 
 lint_install:
-	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
+	go install -v github.com/golangci/golangci-lint/cmd/golangci-lint@latest
 
 proto:
 	@go run ./cmd/internal/protogen
@@ -249,8 +245,8 @@ lib:
 	go run ./cmd/internal/build_libbox -target ios
 
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.8
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.8
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.7
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.7
 
 docs:
 	venv/bin/mkdocs serve

README.md

@@ -1,11 +1,3 @@
-> Sponsored by [Warp](https://go.warp.dev/sing-box), built for coding with multiple AI agents
-
-<a href="https://go.warp.dev/sing-box">
-<img alt="Warp sponsorship" width="400" src="https://github.com/warpdotdev/brand-assets/raw/refs/heads/main/Github/Sponsor/Warp-Github-LG-02.png">
-</a>
-
----
-
 # sing-box
 
 The universal proxy platform.

adapter/dns.go

@@ -27,6 +27,8 @@ type DNSClient interface {
 	Start()
 	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
 	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
+	LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool)
+	ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool)
 	ClearCache()
 }
 

adapter/inbound.go

@@ -57,7 +57,6 @@ type InboundContext struct {
 	Domain       string
 	Client       string
 	SniffContext any
-	SnifferNames []string
 	SniffError   error
 
 	// cache
@@ -136,7 +135,8 @@ func ExtendContext(ctx context.Context) (context.Context, *InboundContext) {
 
 func OverrideContext(ctx context.Context) context.Context {
 	if metadata := ContextFrom(ctx); metadata != nil {
-		newMetadata := *metadata
+		var newMetadata InboundContext
+		newMetadata = *metadata
 		return WithContext(ctx, &newMetadata)
 	}
 	return ctx

adapter/network.go

@@ -20,7 +20,6 @@ type NetworkManager interface {
 	DefaultOptions() NetworkOptions
 	RegisterAutoRedirectOutputMark(mark uint32) error
 	AutoRedirectOutputMark() uint32
-	AutoRedirectOutputMarkFunc() control.Func
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager

adapter/outbound/manager.go

@@ -30,7 +30,7 @@ type Manager struct {
 	outboundByTag           map[string]adapter.Outbound
 	dependByTag             map[string][]string
 	defaultOutbound         adapter.Outbound
-	defaultOutboundFallback func() (adapter.Outbound, error)
+	defaultOutboundFallback adapter.Outbound
 }
 
 func NewManager(logger logger.ContextLogger, registry adapter.OutboundRegistry, endpoint adapter.EndpointManager, defaultTag string) *Manager {
@@ -44,7 +44,7 @@ func NewManager(logger logger.ContextLogger, registry adapter.OutboundRegistry,
 	}
 }
 
-func (m *Manager) Initialize(defaultOutboundFallback func() (adapter.Outbound, error)) {
+func (m *Manager) Initialize(defaultOutboundFallback adapter.Outbound) {
 	m.defaultOutboundFallback = defaultOutboundFallback
 }
 
@@ -55,31 +55,18 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 	}
 	m.started = true
 	m.stage = stage
+	outbounds := m.outbounds
+	m.access.Unlock()
 	if stage == adapter.StartStateStart {
 		if m.defaultTag != "" && m.defaultOutbound == nil {
 			defaultEndpoint, loaded := m.endpoint.Get(m.defaultTag)
 			if !loaded {
-				m.access.Unlock()
 				return E.New("default outbound not found: ", m.defaultTag)
 			}
 			m.defaultOutbound = defaultEndpoint
 		}
-		if m.defaultOutbound == nil {
-			directOutbound, err := m.defaultOutboundFallback()
-			if err != nil {
-				m.access.Unlock()
-				return E.Cause(err, "create direct outbound for fallback")
-			}
-			m.outbounds = append(m.outbounds, directOutbound)
-			m.outboundByTag[directOutbound.Tag()] = directOutbound
-			m.defaultOutbound = directOutbound
-		}
-		outbounds := m.outbounds
-		m.access.Unlock()
 		return m.startOutbounds(append(outbounds, common.Map(m.endpoint.Endpoints(), func(it adapter.Endpoint) adapter.Outbound { return it })...))
 	} else {
-		outbounds := m.outbounds
-		m.access.Unlock()
 		for _, outbound := range outbounds {
 			err := adapter.LegacyStart(outbound, stage)
 			if err != nil {
@@ -200,7 +187,11 @@ func (m *Manager) Outbound(tag string) (adapter.Outbound, bool) {
 func (m *Manager) Default() adapter.Outbound {
 	m.access.RLock()
 	defer m.access.RUnlock()
-	return m.defaultOutbound
+	if m.defaultOutbound != nil {
+		return m.defaultOutbound
+	} else {
+		return m.defaultOutboundFallback
+	}
 }
 
 func (m *Manager) Remove(tag string) error {

adapter/upstream.go

@@ -73,7 +73,7 @@ func NewUpstreamContextHandlerEx(
 }
 
 func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	_, myMetadata := ExtendContext(ctx)
+	myMetadata := ContextFrom(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -84,7 +84,7 @@ func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context,
 }
 
 func (w *myUpstreamContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	_, myMetadata := ExtendContext(ctx)
+	myMetadata := ContextFrom(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -146,7 +146,7 @@ type routeContextHandlerWrapperEx struct {
 }
 
 func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	_, metadata := ExtendContext(ctx)
+	metadata := ContextFrom(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}
@@ -157,7 +157,7 @@ func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn
 }
 
 func (r *routeContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	_, metadata := ExtendContext(ctx)
+	metadata := ContextFrom(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}

adapter/upstream_legacy.go

@@ -78,8 +78,8 @@ func (w *myUpstreamHandlerWrapper) NewError(ctx context.Context, err error) {
 // Deprecated: removed
 func UpstreamMetadata(metadata InboundContext) M.Metadata {
 	return M.Metadata{
-		Source:      metadata.Source.Unwrap(),
-		Destination: metadata.Destination.Unwrap(),
+		Source:      metadata.Source,
+		Destination: metadata.Destination,
 	}
 }
 

box.go

@@ -314,15 +314,15 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize service[", i, "]")
 		}
 	}
-	outboundManager.Initialize(func() (adapter.Outbound, error) {
-		return direct.NewOutbound(
+	outboundManager.Initialize(common.Must1(
+		direct.NewOutbound(
 			ctx,
 			router,
 			logFactory.NewLogger("outbound/direct"),
 			"direct",
 			option.DirectOutboundOptions{},
-		)
-	})
+		),
+	))
 	dnsTransportManager.Initialize(common.Must1(
 		local.NewTransport(
 			ctx,

cmd/internal/app_store_connect/main.go

@@ -134,7 +134,6 @@ func publishTestflight(ctx context.Context) error {
 			asc.PlatformTVOS,
 		}
 	}
-	waitingForProcess := false
 	for _, platform := range platforms {
 		log.Info(string(platform), " list builds")
 		for {
@@ -146,13 +145,12 @@ func publishTestflight(ctx context.Context) error {
 				return err
 			}
 			build := builds.Data[0]
-			if !waitingForProcess && (common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 30*time.Minute) {
+			if common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 30*time.Minute {
 				log.Info(string(platform), " ", tag, " waiting for process")
 				time.Sleep(15 * time.Second)
 				continue
 			}
 			if *build.Attributes.ProcessingState != "VALID" {
-				waitingForProcess = true
 				log.Info(string(platform), " ", tag, " waiting for process: ", *build.Attributes.ProcessingState)
 				time.Sleep(15 * time.Second)
 				continue

cmd/internal/build_libbox/main.go

@@ -107,10 +107,8 @@ func buildAndroid() {
 	}
 
 	if !debugEnabled {
-		sharedFlags[3] = sharedFlags[3] + " -checklinkname=0"
 		args = append(args, sharedFlags...)
 	} else {
-		debugFlags[1] = debugFlags[1] + " -checklinkname=0"
 		args = append(args, debugFlags...)
 	}
 

cmd/internal/tun_bench/main.go

@@ -1,284 +0,0 @@
-package main
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"net/netip"
-	"os"
-	"os/exec"
-	"strings"
-	"syscall"
-	"time"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/include"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json"
-	"github.com/sagernet/sing/common/shell"
-)
-
-var iperf3Path string
-
-func main() {
-	err := main0()
-	if err != nil {
-		log.Fatal(err)
-	}
-}
-
-func main0() error {
-	err := shell.Exec("sudo", "ls").Run()
-	if err != nil {
-		return err
-	}
-	results, err := runTests()
-	if err != nil {
-		return err
-	}
-	encoder := json.NewEncoder(os.Stdout)
-	encoder.SetIndent("", "  ")
-	return encoder.Encode(results)
-}
-
-func runTests() ([]TestResult, error) {
-	boxPaths := []string{
-		os.ExpandEnv("$HOME/Downloads/sing-box-1.11.15-darwin-arm64/sing-box"),
-		//"/Users/sekai/Downloads/sing-box-1.11.15-linux-arm64/sing-box",
-		"./sing-box",
-	}
-	stacks := []string{
-		"gvisor",
-		"system",
-	}
-	mtus := []int{
-		1500,
-		4064,
-		// 16384,
-		// 32768,
-		// 49152,
-		65535,
-	}
-	flagList := [][]string{
-		{},
-	}
-	var results []TestResult
-	for _, boxPath := range boxPaths {
-		for _, stack := range stacks {
-			for _, mtu := range mtus {
-				if strings.HasPrefix(boxPath, ".") {
-					for _, flags := range flagList {
-						result, err := testOnce(boxPath, stack, mtu, false, flags)
-						if err != nil {
-							return nil, err
-						}
-						results = append(results, *result)
-					}
-				} else {
-					result, err := testOnce(boxPath, stack, mtu, false, nil)
-					if err != nil {
-						return nil, err
-					}
-					results = append(results, *result)
-				}
-			}
-		}
-	}
-	return results, nil
-}
-
-type TestResult struct {
-	BoxPath       string   `json:"box_path"`
-	Stack         string   `json:"stack"`
-	MTU           int      `json:"mtu"`
-	Flags         []string `json:"flags"`
-	MultiThread   bool     `json:"multi_thread"`
-	UploadSpeed   string   `json:"upload_speed"`
-	DownloadSpeed string   `json:"download_speed"`
-}
-
-func testOnce(boxPath string, stackName string, mtu int, multiThread bool, flags []string) (result *TestResult, err error) {
-	testAddress := netip.MustParseAddr("1.1.1.1")
-	testConfig := option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeTun,
-				Options: &option.TunInboundOptions{
-					Address:      []netip.Prefix{netip.MustParsePrefix("172.18.0.1/30")},
-					AutoRoute:    true,
-					MTU:          uint32(mtu),
-					Stack:        stackName,
-					RouteAddress: []netip.Prefix{netip.PrefixFrom(testAddress, testAddress.BitLen())},
-				},
-			},
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					Type: C.RuleTypeDefault,
-					DefaultOptions: option.DefaultRule{
-						RawDefaultRule: option.RawDefaultRule{
-							IPCIDR: []string{testAddress.String()},
-						},
-						RuleAction: option.RuleAction{
-							Action: C.RuleActionTypeRouteOptions,
-							RouteOptionsOptions: option.RouteOptionsActionOptions{
-								OverrideAddress: "127.0.0.1",
-							},
-						},
-					},
-				},
-			},
-			AutoDetectInterface: true,
-		},
-	}
-	ctx := include.Context(context.Background())
-	tempConfig, err := os.CreateTemp("", "tun-bench-*.json")
-	if err != nil {
-		return
-	}
-	defer os.Remove(tempConfig.Name())
-	encoder := json.NewEncoderContext(ctx, tempConfig)
-	encoder.SetIndent("", "  ")
-	err = encoder.Encode(testConfig)
-	if err != nil {
-		return nil, E.Cause(err, "encode test config")
-	}
-	tempConfig.Close()
-	var sudoArgs []string
-	if len(flags) > 0 {
-		sudoArgs = append(sudoArgs, "env")
-		sudoArgs = append(sudoArgs, flags...)
-	}
-	sudoArgs = append(sudoArgs, boxPath, "run", "-c", tempConfig.Name())
-	boxProcess := shell.Exec("sudo", sudoArgs...)
-	boxProcess.Stdout = &stderrWriter{}
-	boxProcess.Stderr = io.Discard
-	err = boxProcess.Start()
-	if err != nil {
-		return
-	}
-
-	if C.IsDarwin {
-		iperf3Path, err = exec.LookPath("iperf3-darwin")
-	} else {
-		iperf3Path, err = exec.LookPath("iperf3")
-	}
-	if err != nil {
-		return
-	}
-	serverProcess := shell.Exec(iperf3Path, "-s")
-	serverProcess.Stdout = io.Discard
-	serverProcess.Stderr = io.Discard
-	err = serverProcess.Start()
-	if err != nil {
-		return nil, E.Cause(err, "start iperf3 server")
-	}
-
-	time.Sleep(time.Second)
-
-	args := []string{"-c", testAddress.String()}
-	if multiThread {
-		args = append(args, "-P", "10")
-	}
-
-	uploadProcess := shell.Exec(iperf3Path, args...)
-	output, err := uploadProcess.Read()
-	if err != nil {
-		boxProcess.Process.Signal(syscall.SIGKILL)
-		serverProcess.Process.Signal(syscall.SIGKILL)
-		println(output)
-		return
-	}
-
-	uploadResult := common.SubstringBeforeLast(output, "iperf Done.")
-	uploadResult = common.SubstringBeforeLast(uploadResult, "sender")
-	uploadResult = common.SubstringBeforeLast(uploadResult, "bits/sec")
-	uploadResult = common.SubstringAfterLast(uploadResult, "Bytes")
-	uploadResult = strings.ReplaceAll(uploadResult, " ", "")
-
-	result = &TestResult{
-		BoxPath:     boxPath,
-		Stack:       stackName,
-		MTU:         mtu,
-		Flags:       flags,
-		MultiThread: multiThread,
-		UploadSpeed: uploadResult,
-	}
-
-	downloadProcess := shell.Exec(iperf3Path, append(args, "-R")...)
-	output, err = downloadProcess.Read()
-	if err != nil {
-		boxProcess.Process.Signal(syscall.SIGKILL)
-		serverProcess.Process.Signal(syscall.SIGKILL)
-		println(output)
-		return
-	}
-
-	downloadResult := common.SubstringBeforeLast(output, "iperf Done.")
-	downloadResult = common.SubstringBeforeLast(downloadResult, "receiver")
-	downloadResult = common.SubstringBeforeLast(downloadResult, "bits/sec")
-	downloadResult = common.SubstringAfterLast(downloadResult, "Bytes")
-	downloadResult = strings.ReplaceAll(downloadResult, " ", "")
-
-	result.DownloadSpeed = downloadResult
-
-	printArgs := []any{boxPath, stackName, mtu, "upload", uploadResult, "download", downloadResult}
-	if len(flags) > 0 {
-		printArgs = append(printArgs, "flags", strings.Join(flags, " "))
-	}
-	if multiThread {
-		printArgs = append(printArgs, "(-P 10)")
-	}
-	fmt.Println(printArgs...)
-	err = boxProcess.Process.Signal(syscall.SIGTERM)
-	if err != nil {
-		return
-	}
-
-	err = serverProcess.Process.Signal(syscall.SIGTERM)
-	if err != nil {
-		return
-	}
-
-	boxDone := make(chan struct{})
-	go func() {
-		boxProcess.Cmd.Wait()
-		close(boxDone)
-	}()
-
-	serverDone := make(chan struct{})
-	go func() {
-		serverProcess.Process.Wait()
-		close(serverDone)
-	}()
-
-	select {
-	case <-boxDone:
-	case <-time.After(2 * time.Second):
-		boxProcess.Process.Kill()
-	case <-time.After(4 * time.Second):
-		println("box process did not close!")
-		os.Exit(1)
-	}
-
-	select {
-	case <-serverDone:
-	case <-time.After(2 * time.Second):
-		serverProcess.Process.Kill()
-	case <-time.After(4 * time.Second):
-		println("server process did not close!")
-		os.Exit(1)
-	}
-
-	return
-}
-
-type stderrWriter struct{}
-
-func (w *stderrWriter) Write(p []byte) (n int, err error) {
-	return os.Stderr.Write(p)
-}

common/badtls/read_wait.go

@@ -128,10 +128,6 @@ func (c *ReadWaitConn) Upstream() any {
 	return c.Conn
 }
 
-func (c *ReadWaitConn) ReaderReplaceable() bool {
-	return true
-}
-
 var tlsRegistry []func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error)
 
 func init() {

common/badtls/read_wait_utls.go

@@ -6,26 +6,22 @@ import (
 	"net"
 	_ "unsafe"
 
+	"github.com/sagernet/sing/common"
+
 	"github.com/metacubex/utls"
 )
 
 func init() {
 	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
-		switch tlsConn := conn.(type) {
-		case *tls.UConn:
-			return true, func() error {
-					return utlsReadRecord(tlsConn.Conn)
-				}, func() error {
-					return utlsHandlePostHandshakeMessage(tlsConn.Conn)
-				}
-		case *tls.Conn:
-			return true, func() error {
-					return utlsReadRecord(tlsConn)
-				}, func() error {
-					return utlsHandlePostHandshakeMessage(tlsConn)
-				}
+		tlsConn, loaded := common.Cast[*tls.UConn](conn)
+		if !loaded {
+			return
 		}
-		return
+		return true, func() error {
+				return utlsReadRecord(tlsConn.Conn)
+			}, func() error {
+				return utlsHandlePostHandshakeMessage(tlsConn.Conn)
+			}
 	})
 }
 

common/certificate/store.go

@@ -7,7 +7,6 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
-	"sync"
 
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
@@ -22,7 +21,6 @@ import (
 var _ adapter.CertificateStore = (*Store)(nil)
 
 type Store struct {
-	access                    sync.RWMutex
 	systemPool                *x509.CertPool
 	currentPool               *x509.CertPool
 	certificate               string
@@ -117,14 +115,10 @@ func (s *Store) Close() error {
 }
 
 func (s *Store) Pool() *x509.CertPool {
-	s.access.RLock()
-	defer s.access.RUnlock()
 	return s.currentPool
 }
 
 func (s *Store) update() error {
-	s.access.Lock()
-	defer s.access.Unlock()
 	var currentPool *x509.CertPool
 	if s.systemPool == nil {
 		currentPool = x509.NewCertPool()

common/convertor/adguard/convertor.go

@@ -454,5 +454,5 @@ func parseADGuardIPCIDRLine(ruleLine string) (netip.Prefix, error) {
 	for len(ruleParts) < 4 {
 		ruleParts = append(ruleParts, 0)
 	}
-	return netip.PrefixFrom(netip.AddrFrom4([4]byte(ruleParts)), bitLen), nil
+	return netip.PrefixFrom(netip.AddrFrom4(*(*[4]byte)(ruleParts)), bitLen), nil
 }

common/dialer/default.go

@@ -15,6 +15,7 @@ import (
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/atomic"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
@@ -42,7 +43,7 @@ type DefaultDialer struct {
 	networkType            []C.InterfaceType
 	fallbackNetworkType    []C.InterfaceType
 	networkFallbackDelay   time.Duration
-	networkLastFallback    common.TypedValue[time.Time]
+	networkLastFallback    atomic.TypedValue[time.Time]
 }
 
 func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
@@ -88,35 +89,37 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 
 	if networkManager != nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if defaultOptions.BindInterface != "" && !disableDefaultBind {
-			bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
-			dialer.Control = control.Append(dialer.Control, bindFunc)
-			listener.Control = control.Append(listener.Control, bindFunc)
-		} else if networkManager.AutoDetectInterface() && !disableDefaultBind {
-			if platformInterface != nil {
-				networkStrategy = (*C.NetworkStrategy)(options.NetworkStrategy)
-				networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
-				fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
-				if networkStrategy == nil && len(networkType) == 0 && len(fallbackNetworkType) == 0 {
-					networkStrategy = defaultOptions.NetworkStrategy
-					networkType = defaultOptions.NetworkType
-					fallbackNetworkType = defaultOptions.FallbackNetworkType
-				}
-				networkFallbackDelay = time.Duration(options.FallbackDelay)
-				if networkFallbackDelay == 0 && defaultOptions.FallbackDelay != 0 {
-					networkFallbackDelay = defaultOptions.FallbackDelay
-				}
-				if networkStrategy == nil {
-					networkStrategy = common.Ptr(C.NetworkStrategyDefault)
-					defaultNetworkStrategy = true
-				}
-				bindFunc := networkManager.ProtectFunc()
-				dialer.Control = control.Append(dialer.Control, bindFunc)
-				listener.Control = control.Append(listener.Control, bindFunc)
-			} else {
-				bindFunc := networkManager.AutoDetectInterfaceFunc()
+		if !disableDefaultBind {
+			if defaultOptions.BindInterface != "" {
+				bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
 				dialer.Control = control.Append(dialer.Control, bindFunc)
 				listener.Control = control.Append(listener.Control, bindFunc)
+			} else if networkManager.AutoDetectInterface() {
+				if platformInterface != nil {
+					networkStrategy = (*C.NetworkStrategy)(options.NetworkStrategy)
+					networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
+					fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
+					if networkStrategy == nil && len(networkType) == 0 && len(fallbackNetworkType) == 0 {
+						networkStrategy = defaultOptions.NetworkStrategy
+						networkType = defaultOptions.NetworkType
+						fallbackNetworkType = defaultOptions.FallbackNetworkType
+					}
+					networkFallbackDelay = time.Duration(options.FallbackDelay)
+					if networkFallbackDelay == 0 && defaultOptions.FallbackDelay != 0 {
+						networkFallbackDelay = defaultOptions.FallbackDelay
+					}
+					if networkStrategy == nil {
+						networkStrategy = common.Ptr(C.NetworkStrategyDefault)
+						defaultNetworkStrategy = true
+					}
+					bindFunc := networkManager.ProtectFunc()
+					dialer.Control = control.Append(dialer.Control, bindFunc)
+					listener.Control = control.Append(listener.Control, bindFunc)
+				} else {
+					bindFunc := networkManager.AutoDetectInterfaceFunc()
+					dialer.Control = control.Append(dialer.Control, bindFunc)
+					listener.Control = control.Append(listener.Control, bindFunc)
+				}
 			}
 		}
 		if options.RoutingMark == 0 && defaultOptions.RoutingMark != 0 {
@@ -124,11 +127,6 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 			listener.Control = control.Append(listener.Control, setMarkWrapper(networkManager, defaultOptions.RoutingMark, true))
 		}
 	}
-	if networkManager != nil {
-		markFunc := networkManager.AutoRedirectOutputMarkFunc()
-		dialer.Control = control.Append(dialer.Control, markFunc)
-		listener.Control = control.Append(listener.Control, markFunc)
-	}
 	if options.ReuseAddr {
 		listener.Control = control.Append(listener.Control, control.ReuseAddr())
 	}
@@ -142,7 +140,8 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		dialer.Timeout = C.TCPConnectTimeout
 	}
 	// TODO: Add an option to customize the keep alive period
-	setKeepAliveConfig(&dialer, C.TCPKeepAliveInitial, C.TCPKeepAliveInterval)
+	dialer.KeepAlive = C.TCPKeepAliveInitial
+	dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(C.TCPKeepAliveInitial, C.TCPKeepAliveInterval))
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment
@@ -272,7 +271,7 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 	} else {
 		dialer = d.udpDialer4
 	}
-	fastFallback := time.Since(d.networkLastFallback.Load()) < C.TCPTimeout
+	fastFallback := time.Now().Sub(d.networkLastFallback.Load()) < C.TCPTimeout
 	var (
 		conn      net.Conn
 		isPrimary bool

common/dialer/default_go123.go

@@ -1,16 +0,0 @@
-//go:build go1.23
-
-package dialer
-
-import (
-	"net"
-	"time"
-)
-
-func setKeepAliveConfig(dialer *net.Dialer, idle time.Duration, interval time.Duration) {
-	dialer.KeepAliveConfig = net.KeepAliveConfig{
-		Enable:   true,
-		Idle:     idle,
-		Interval: interval,
-	}
-}

common/dialer/default_nongo123.go

@@ -1,15 +0,0 @@
-//go:build !go1.23
-
-package dialer
-
-import (
-	"net"
-	"time"
-
-	"github.com/sagernet/sing/common/control"
-)
-
-func setKeepAliveConfig(dialer *net.Dialer, idle time.Duration, interval time.Duration) {
-	dialer.KeepAlive = idle
-	dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(idle, interval))
-}

common/dialer/dialer.go

@@ -111,7 +111,7 @@ func NewWithOptions(options Options) (N.Dialer, error) {
 					dnsQueryOptions.Transport = dnsTransport.Default()
 				} else if options.NewDialer {
 					return nil, E.New("missing domain resolver for domain server address")
-				} else {
+				} else if !options.DirectOutbound {
 					deprecated.Report(options.Context, deprecated.OptionMissingDomainResolver)
 				}
 			}
@@ -145,7 +145,3 @@ type ParallelNetworkDialer interface {
 	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
 	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
 }
-
-type PacketDialerWithDestination interface {
-	ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error)
-}

common/dialer/tfo.go

@@ -8,10 +8,8 @@ import (
 	"net"
 	"os"
 	"sync"
-	"sync/atomic"
 	"time"
 
-	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -24,7 +22,7 @@ type slowOpenConn struct {
 	ctx         context.Context
 	network     string
 	destination M.Socksaddr
-	conn        atomic.Pointer[net.TCPConn]
+	conn        net.Conn
 	create      chan struct{}
 	done        chan struct{}
 	access      sync.Mutex
@@ -52,25 +50,22 @@ func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, des
 }
 
 func (c *slowOpenConn) Read(b []byte) (n int, err error) {
-	conn := c.conn.Load()
-	if conn != nil {
-		return conn.Read(b)
-	}
-	select {
-	case <-c.create:
-		if c.err != nil {
-			return 0, c.err
+	if c.conn == nil {
+		select {
+		case <-c.create:
+			if c.err != nil {
+				return 0, c.err
+			}
+		case <-c.done:
+			return 0, os.ErrClosed
 		}
-		return c.conn.Load().Read(b)
-	case <-c.done:
-		return 0, os.ErrClosed
 	}
+	return c.conn.Read(b)
 }
 
 func (c *slowOpenConn) Write(b []byte) (n int, err error) {
-	tcpConn := c.conn.Load()
-	if tcpConn != nil {
-		return tcpConn.Write(b)
+	if c.conn != nil {
+		return c.conn.Write(b)
 	}
 	c.access.Lock()
 	defer c.access.Unlock()
@@ -79,7 +74,7 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 		if c.err != nil {
 			return 0, c.err
 		}
-		return c.conn.Load().Write(b)
+		return c.conn.Write(b)
 	case <-c.done:
 		return 0, os.ErrClosed
 	default:
@@ -88,7 +83,7 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 	if err != nil {
 		c.err = err
 	} else {
-		c.conn.Store(conn.(*net.TCPConn))
+		c.conn = conn
 	}
 	n = len(b)
 	close(c.create)
@@ -98,77 +93,70 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 func (c *slowOpenConn) Close() error {
 	c.closeOnce.Do(func() {
 		close(c.done)
-		conn := c.conn.Load()
-		if conn != nil {
-			conn.Close()
+		if c.conn != nil {
+			c.conn.Close()
 		}
 	})
 	return nil
 }
 
 func (c *slowOpenConn) LocalAddr() net.Addr {
-	conn := c.conn.Load()
-	if conn == nil {
+	if c.conn == nil {
 		return M.Socksaddr{}
 	}
-	return conn.LocalAddr()
+	return c.conn.LocalAddr()
 }
 
 func (c *slowOpenConn) RemoteAddr() net.Addr {
-	conn := c.conn.Load()
-	if conn == nil {
+	if c.conn == nil {
 		return M.Socksaddr{}
 	}
-	return conn.RemoteAddr()
+	return c.conn.RemoteAddr()
 }
 
 func (c *slowOpenConn) SetDeadline(t time.Time) error {
-	conn := c.conn.Load()
-	if conn == nil {
+	if c.conn == nil {
 		return os.ErrInvalid
 	}
-	return conn.SetDeadline(t)
+	return c.conn.SetDeadline(t)
 }
 
 func (c *slowOpenConn) SetReadDeadline(t time.Time) error {
-	conn := c.conn.Load()
-	if conn == nil {
+	if c.conn == nil {
 		return os.ErrInvalid
 	}
-	return conn.SetReadDeadline(t)
+	return c.conn.SetReadDeadline(t)
 }
 
 func (c *slowOpenConn) SetWriteDeadline(t time.Time) error {
-	conn := c.conn.Load()
-	if conn == nil {
+	if c.conn == nil {
 		return os.ErrInvalid
 	}
-	return conn.SetWriteDeadline(t)
+	return c.conn.SetWriteDeadline(t)
 }
 
 func (c *slowOpenConn) Upstream() any {
-	return common.PtrOrNil(c.conn.Load())
+	return c.conn
 }
 
 func (c *slowOpenConn) ReaderReplaceable() bool {
-	return c.conn.Load() != nil
+	return c.conn != nil
 }
 
 func (c *slowOpenConn) WriterReplaceable() bool {
-	return c.conn.Load() != nil
+	return c.conn != nil
 }
 
 func (c *slowOpenConn) LazyHeadroom() bool {
-	return c.conn.Load() == nil
+	return c.conn == nil
 }
 
 func (c *slowOpenConn) NeedHandshake() bool {
-	return c.conn.Load() == nil
+	return c.conn == nil
 }
 
 func (c *slowOpenConn) WriteTo(w io.Writer) (n int64, err error) {
-	conn := c.conn.Load()
-	if conn == nil {
+	if c.conn == nil {
 		select {
 		case <-c.create:
 			if c.err != nil {
@@ -178,5 +166,5 @@ func (c *slowOpenConn) WriteTo(w io.Writer) (n int64, err error) {
 			return 0, c.err
 		}
 	}
-	return bufio.Copy(w, c.conn.Load())
+	return bufio.Copy(w, c.conn)
 }

common/listener/listener_tcp.go

@@ -3,7 +3,6 @@ package listener
 import (
 	"net"
 	"net/netip"
-	"strings"
 	"syscall"
 	"time"
 
@@ -57,7 +56,7 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 	if l.tproxy {
 		listenConfig.Control = control.Append(listenConfig.Control, func(network, address string, conn syscall.RawConn) error {
 			return control.Raw(conn, func(fd uintptr) error {
-				return redir.TProxy(fd, !strings.HasSuffix(network, "4"), false)
+				return redir.TProxy(fd, !M.ParseSocksaddr(address).IsIPv4(), false)
 			})
 		})
 	}

common/listener/listener_udp.go

@@ -5,7 +5,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strings"
 	"syscall"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -42,7 +41,7 @@ func (l *Listener) ListenUDP() (net.PacketConn, error) {
 	if l.tproxy {
 		listenConfig.Control = control.Append(listenConfig.Control, func(network, address string, conn syscall.RawConn) error {
 			return control.Raw(conn, func(fd uintptr) error {
-				return redir.TProxy(fd, !strings.HasSuffix(network, "4"), true)
+				return redir.TProxy(fd, !M.ParseSocksaddr(address).IsIPv4(), true)
 			})
 		})
 	}
@@ -165,8 +164,9 @@ func (l *Listener) loopUDPOut() {
 				if l.shutdown.Load() && E.IsClosed(err) {
 					return
 				}
+				l.udpConn.Close()
 				l.logger.Error("udp listener write back: ", destination, ": ", err)
-				continue
+				return
 			}
 			continue
 		case <-l.packetOutboundClosed:

common/process/searcher_darwin.go

@@ -96,11 +96,11 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 		switch {
 		case flag&0x1 > 0 && isIPv4:
 			// ipv4
-			srcIP = netip.AddrFrom4([4]byte(buf[inp+76 : inp+80]))
+			srcIP = netip.AddrFrom4(*(*[4]byte)(buf[inp+76 : inp+80]))
 			srcIsIPv4 = true
 		case flag&0x2 > 0 && !isIPv4:
 			// ipv6
-			srcIP = netip.AddrFrom16([16]byte(buf[inp+64 : inp+80]))
+			srcIP = netip.AddrFrom16(*(*[16]byte)(buf[inp+64 : inp+80]))
 		default:
 			continue
 		}

common/sniff/quic.go

@@ -303,6 +303,8 @@ find:
 	metadata.Protocol = C.ProtocolQUIC
 	fingerprint, err := ja3.Compute(buffer.Bytes())
 	if err != nil {
+		metadata.Protocol = C.ProtocolQUIC
+		metadata.Client = C.ClientChromium
 		metadata.SniffContext = fragments
 		return E.Cause1(ErrNeedMoreData, err)
 	}
@@ -332,7 +334,7 @@ find:
 		}
 
 		if count(frameTypeList, frameTypeCrypto) > 1 || count(frameTypeList, frameTypePing) > 0 {
-			if isQUICGo(fingerprint) {
+			if maybeUQUIC(fingerprint) {
 				metadata.Client = C.ClientQUICGo
 			} else {
 				metadata.Client = C.ClientChromium

common/sniff/quic_blacklist.go

@@ -1,29 +1,24 @@
 package sniff
 
 import (
+	"crypto/tls"
+
 	"github.com/sagernet/sing-box/common/ja3"
 )
 
-const (
-	// X25519Kyber768Draft00 - post-quantum curve used by Go crypto/tls
-	x25519Kyber768Draft00 uint16 = 0x11EC // 4588
-	// renegotiation_info extension used by Go crypto/tls
-	extensionRenegotiationInfo uint16 = 0xFF01 // 65281
-)
+// Chromium sends separate client hello packets, but UQUIC has not yet implemented this behavior
+// The cronet without this behavior does not have version 115
+var uQUICChrome115 = &ja3.ClientHello{
+	Version:             tls.VersionTLS12,
+	CipherSuites:        []uint16{4865, 4866, 4867},
+	Extensions:          []uint16{0, 10, 13, 16, 27, 43, 45, 51, 57, 17513},
+	EllipticCurves:      []uint16{29, 23, 24},
+	SignatureAlgorithms: []uint16{1027, 2052, 1025, 1283, 2053, 1281, 2054, 1537, 513},
+}
 
-// isQUICGo detects native quic-go by checking for Go crypto/tls specific features.
-// Note: uQUIC with Chromium mimicry cannot be reliably distinguished from real Chromium
-// since it uses the same TLS fingerprint, so it will be identified as Chromium.
-func isQUICGo(fingerprint *ja3.ClientHello) bool {
-	for _, curve := range fingerprint.EllipticCurves {
-		if curve == x25519Kyber768Draft00 {
-			return true
-		}
-	}
-	for _, ext := range fingerprint.Extensions {
-		if ext == extensionRenegotiationInfo {
-			return true
-		}
+func maybeUQUIC(fingerprint *ja3.ClientHello) bool {
+	if uQUICChrome115.Equals(fingerprint, true) {
+		return true
 	}
 	return false
 }

common/sniff/quic_capture_test.go

@@ -1,188 +0,0 @@
-package sniff_test
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/hex"
-	"errors"
-	"net"
-	"testing"
-	"time"
-
-	"github.com/sagernet/quic-go"
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/sniff"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestSniffQUICQuicGoFingerprint(t *testing.T) {
-	t.Parallel()
-	const testSNI = "test.example.com"
-
-	udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
-	require.NoError(t, err)
-	defer udpConn.Close()
-
-	serverAddr := udpConn.LocalAddr().(*net.UDPAddr)
-	packetsChan := make(chan [][]byte, 1)
-
-	go func() {
-		var packets [][]byte
-		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
-		for i := 0; i < 10; i++ {
-			buf := make([]byte, 2048)
-			n, _, err := udpConn.ReadFromUDP(buf)
-			if err != nil {
-				break
-			}
-			packets = append(packets, buf[:n])
-		}
-		packetsChan <- packets
-	}()
-
-	clientConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
-	require.NoError(t, err)
-	defer clientConn.Close()
-
-	tlsConfig := &tls.Config{
-		ServerName:         testSNI,
-		InsecureSkipVerify: true,
-		NextProtos:         []string{"h3"},
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-	defer cancel()
-
-	_, _ = quic.Dial(ctx, clientConn, serverAddr, tlsConfig, &quic.Config{})
-
-	select {
-	case packets := <-packetsChan:
-		t.Logf("Captured %d packets", len(packets))
-
-		var metadata adapter.InboundContext
-		for i, pkt := range packets {
-			err := sniff.QUICClientHello(context.Background(), &metadata, pkt)
-			t.Logf("Packet %d: err=%v, domain=%s, client=%s", i, err, metadata.Domain, metadata.Client)
-			if metadata.Domain != "" {
-				break
-			}
-		}
-
-		t.Logf("\n=== quic-go TLS Fingerprint Analysis ===")
-		t.Logf("Domain: %s", metadata.Domain)
-		t.Logf("Client: %s", metadata.Client)
-		t.Logf("Protocol: %s", metadata.Protocol)
-
-		// The client should be identified as quic-go, not chromium
-		// Current issue: it's being identified as chromium
-		if metadata.Client == "chromium" {
-			t.Log("WARNING: quic-go is being misidentified as chromium!")
-		}
-
-	case <-time.After(5 * time.Second):
-		t.Fatal("Timeout")
-	}
-}
-
-func TestSniffQUICInitialFromQuicGo(t *testing.T) {
-	t.Parallel()
-
-	const testSNI = "test.example.com"
-
-	// Create UDP listener to capture ALL initial packets
-	udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
-	require.NoError(t, err)
-	defer udpConn.Close()
-
-	serverAddr := udpConn.LocalAddr().(*net.UDPAddr)
-
-	// Channel to receive captured packets
-	packetsChan := make(chan [][]byte, 1)
-
-	// Start goroutine to capture packets
-	go func() {
-		var packets [][]byte
-		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
-		for i := 0; i < 5; i++ { // Capture up to 5 packets
-			buf := make([]byte, 2048)
-			n, _, err := udpConn.ReadFromUDP(buf)
-			if err != nil {
-				break
-			}
-			packets = append(packets, buf[:n])
-		}
-		packetsChan <- packets
-	}()
-
-	// Create QUIC client connection (will fail but we capture the initial packet)
-	clientConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
-	require.NoError(t, err)
-	defer clientConn.Close()
-
-	tlsConfig := &tls.Config{
-		ServerName:         testSNI,
-		InsecureSkipVerify: true,
-		NextProtos:         []string{"h3"},
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-	defer cancel()
-
-	// This will fail (no server) but sends initial packet
-	_, _ = quic.Dial(ctx, clientConn, serverAddr, tlsConfig, &quic.Config{})
-
-	// Wait for captured packets
-	select {
-	case packets := <-packetsChan:
-		t.Logf("Captured %d QUIC packets", len(packets))
-
-		for i, packet := range packets {
-			t.Logf("Packet %d: length=%d, first 30 bytes: %x", i, len(packet), packet[:min(30, len(packet))])
-		}
-
-		// Test sniffer with first packet
-		if len(packets) > 0 {
-			var metadata adapter.InboundContext
-			err := sniff.QUICClientHello(context.Background(), &metadata, packets[0])
-
-			t.Logf("First packet sniff error: %v", err)
-			t.Logf("Protocol: %s", metadata.Protocol)
-			t.Logf("Domain: %s", metadata.Domain)
-			t.Logf("Client: %s", metadata.Client)
-
-			// If first packet needs more data, try with subsequent packets
-			// IMPORTANT: reuse metadata to accumulate CRYPTO fragments via SniffContext
-			if errors.Is(err, sniff.ErrNeedMoreData) && len(packets) > 1 {
-				t.Log("First packet needs more data, trying subsequent packets with shared context...")
-				for i := 1; i < len(packets); i++ {
-					// Reuse same metadata to accumulate fragments
-					err = sniff.QUICClientHello(context.Background(), &metadata, packets[i])
-					t.Logf("Packet %d sniff result: err=%v, domain=%s, sniffCtx=%v", i, err, metadata.Domain, metadata.SniffContext != nil)
-					if metadata.Domain != "" || (err != nil && !errors.Is(err, sniff.ErrNeedMoreData)) {
-						break
-					}
-				}
-			}
-
-			// Print hex dump for debugging
-			t.Logf("First packet hex:\n%s", hex.Dump(packets[0][:min(256, len(packets[0]))]))
-
-			// Log final results
-			t.Logf("Final: Protocol=%s, Domain=%s, Client=%s", metadata.Protocol, metadata.Domain, metadata.Client)
-
-			// Verify SNI extraction
-			if metadata.Domain == "" {
-				t.Errorf("Failed to extract SNI, expected: %s", testSNI)
-			} else {
-				require.Equal(t, testSNI, metadata.Domain, "SNI should match")
-			}
-
-			// Check client identification - quic-go should be identified as quic-go, not chromium
-			t.Logf("Client identified as: %s (expected: quic-go)", metadata.Client)
-		}
-
-	case <-time.After(5 * time.Second):
-		t.Fatal("Timeout waiting for QUIC packets")
-	}
-}

common/sniff/quic_test.go

@@ -19,7 +19,7 @@ func TestSniffQUICChromeNew(t *testing.T) {
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Empty(t, metadata.Client)
+	require.Equal(t, metadata.Client, C.ClientChromium)
 	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
 	pkt, err = hex.DecodeString("cc0000000108e241a0c601413b4f004046006d8f15dae9999edf39d58df6762822b9a2ab996d7f6a10044338af3b51b1814bc4ac0fa5a87c34c6ae604af8cabc5957c5240174deefc8e378719ffdab2ae4e15bf4514bea44894b626c685cd5d5c965f7e97b3a1bdc520b75813e747f37a3ae83ad38b9ca2acb0de4fc9424839a50c8fb815a62b498609fbbc59145698860e0509cc08a04d1b119daef844ba2f09c16e2665e5cc0b47624b71f7b950c54fd56b4a1fbb826cba44eeeee3949ced8f5de60d4c81b19ee59f75aa1abb33f22c6b13c27095eb1e99cff01fdc93e6e88da2622ee18c08a79f508befd7e33e99bca60e64bef9a47b764384bd93823daeeb6fcb4d7cfbc4ab53eff59b3636f6dcaaf229b5a94941b5712807166b9bd5e82cb4a9708a71451c4cd6f6e33fb2fe40c8c70dd51a30b37ff9c5e35783debde0093fde19ce074b4887b3c90980b107b9c0f32cf61a66f37c251b789abc4d27fc421207966846c8cc7faa42d9af6ad355a6bc94cb78223b612be8b3e2a4df61fee83a674a0ceb8b7c3a29b97102cda22fecdf6a4628e5b612bc17eab64d6f75feedd0b106c0419e484e66725759964cb5935ac5125e5ae920cd280bd40df57c1d7ae1845700bd4eb7b7ab12bc0850950bfe6e69edd6ac1daa5db2c2b07484327196e561c513462d72872dc6771c39f6b60d46a1f2c92343b7338450a0ef8e39f97fa70652b3a12cd04043698951627aaaa82cc95e76df92021d30e8014c984f12eea0143de8b17e5e4a36ec07bf4814251b391f168a59ef75afcd2319249aaba930f06bb7a11b9491e6f71b3d5774a6503a965e94edd0a67737282fc9cb0271779ff14151b7aa9267bb8f7d643185512515aeea513c0c98bfae782381a3317064195d8825cf8b25c17cdab5fced02612a3f2870e40df57e6ca3f08228a2b04e8de1425eb4b970118f9bbdc212223ff86a5d6b648cdf2366722f21de4b14a1014879eadb69215cdb1aa2a9f4f310ecfe3116214fe3ab0a23f4775a0a54b48d7dfd8f7283ed687b3ac7e1a7e42a0bdc3478aba8651c03e1e9cc9df17d106b8130afe854269b0103b7a696f452721887b19d8181830073c9f10684c65f96d3a6c6efbae044eec03d6399e001fa44d54635dc72f9b8ea6b87d0f452cad1e1e32273e2b47c40f2730235adcae8523b8282f86b8cf1ab63ae54aaa06130df3bbf6ecac7d7d1d43d2a87aea837267ff8ccfaa4b7e47b7ded909e6603d0b928a304f8915c839153598adc4178eb48bc0e98ad7793d7980275e1e491ba4847a4a04ae30fe7f5cc7d4b6f4f63a525e9964d72245860ca76a668a4654adb6619f16e9db79131e5675b93cafb96c92f1da8464d4fef2a22e7f9db695965fe2cc27ea30974629c8fe17cfa2f860179e1eb9faaa88a91ec9ce6da28c1a2894c3b932b5e1c807146718cc77ca13c61eaae00c7c99e019f599772064b198c5c2c5e863336367673630b417ac845ddb7c93b0856317e5d64bab208c5730abc2c63536784fbeaaec139dffc917e775715f1e42164ddef5138d4d163609ab3fbdcab968f8738385c0e7e34ff3cf7771a1dc5ba25a8850fdf96dabafa21f9065f307457ce9af4b7a73450c9d20a3b46fa8d3a1163d22bd01a7d17f0ec274181bf9640fa941427694bfeb1346089f7a851efe0fbb7a2041fa6bb6541ccbad77dd3e1a97999fc05f1fef070e7b5c4b385b8b2a8cc32483fdeba6a373970de2fa4139ba18e5916f949aab0aab2894")
 	require.NoError(t, err)
@@ -39,7 +39,7 @@ func TestSniffQUICChromium(t *testing.T) {
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Empty(t, metadata.Client)
+	require.Equal(t, metadata.Client, C.ClientChromium)
 	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
 	pkt, err = hex.DecodeString("c90000000108f40d654cc09b27f5000044d073eb38807026d4088455e650e7ccf750d01a72f15f9bfc8ff40d223499db1a485cff14dbd45b9be118172834dc35dca3cf62f61a1266f40b92faf3d28d67a466cfdca678ddced15cd606d31959cf441828467857b226d1a241847c82c57312cefe68ba5042d929919bcd4403b39e5699fe87dda05df1b3801e048edee792458e9b1a9b1d4039df05847bcee3be567494b5876e3bd4c3220fe9dfdb2c07d77410f907f744251ef15536cc03b267d3668d5b75bc1ad2fe735cd3bb73519dd9f1625a49e17ad27bdeccf706c83b5ea339a0a05dd0072f4a8f162bd29926b4997f05613c6e4b0270b0c02805ca0543f27c1ff8505a5750bdd33529ee73c491050a10c6903f53c1121dbe0380e84c007c8df74a1b02443ed80ba7766aef5549e618d4fd249844ee28565142005369869299e8c3035ecef3d799f6cada8549e75b4ce4cbf4c85ef071fd7ff067b1ca9b5968dc41d13d011f6d7843823bac97acb1eb8ee45883f0f254b5f9bd4c763b67e2d8c70a7618a0ef0de304cf597a485126e09f8b2fd795b394c0b4bc4cd2634c2057970da2c798c5e8af7aed4f76f5e25d04e3f8c9c5a5b150d17e0d4c74229898c69b8dc7b8bcc9d359eb441de75c68fbdebec62fb669dcccfb1aad03e3fa073adb2ccf7bb14cbaf99e307d2c903ee71a8f028102eb510caee7e7397512086a78d1f95635c7d06845b5a708652dc4e5cd61245aae5b3c05b84815d84d367bce9b9e3f6d6b90701ac3679233c14d5ce2a1eff26469c966266dc6284bdb95c9c6158934c413a872ce22101e4163e3293d236b301592ca4ccacc1fd4c37066e79c2d9857c8a2560dcf0b33b19163c4240c471b19907476e7e25c65f7eb37276594a0f6b4c33c340cc3284178f17ac5e34dbe7509db890e4ddfd0540fbf9deb32a0101d24fe58b26c5f81c627db9d6ae59d7a111a3d5d1f6109f4eec0d0234e6d73c73a44f50999462724b51ce0fd8283535d70d9e83872c79c59897407a0736741011ae5c64862eb0712f9e7b07aa1d5418ca3fde8626257c6fe418f3c5479055bb2b0ab4c25f649923fc2a41c79aaa7d0f3af6d8b8cf06f61f0230d09bbb60bb49b9e49cc5973748a6cf7ffdee7804d424f9423c63e7ff22f4bd24e4867636ef9fe8dd37f59941a8a47c27765caa8e875a30b62834f17c569227e5e6ed15d58e05d36e76332befad065a2cd4079e66d5af189b0337624c89b1560c3b1b0befd5c1f20e6de8e3d664b3ac06b3d154b488983e14aa93266f5f8b621d2a9bb7ccce509eb26e025c9c45f7cccc09ce85b3103af0c93ce9822f82ecb168ca3177829afb2ea0da2c380e7b1728add55a5d42632e2290363d4cbe432b67e13691648e1acfab22cf0d551eee857709b428bb78e27a45aff6eca301c02e4d13cf36cc2494fdd1aef8dede6e18febd79dca4c6964d09b91c25a08f0947c76ab5104de9404459c2edf5f4adb9dfd771be83656f77fbbafb1ad3281717066010be8778952495383c9f2cf0a38527228c662a35171c5981731f1af09bab842fe6c3162ad4152a4221f560eb6f9bea66b294ffbd3643da2fe34096da13c246505452540177a2a0a1a69106e5cfc279a4890fc3be2952f26be245f930e6c2d9e7e26ee960481e72b99594a1185b46b94b6436d00ba6c70ffe135d43907c92c6f1c09fb9453f103730714f5700fa4347f9715c774cb04a7218dacc66d9c2fade18b14e684aa7fc9ebda0a28")
 	require.NoError(t, err)
@@ -56,7 +56,7 @@ func TestSniffUQUICChrome115(t *testing.T) {
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientChromium)
+	require.Equal(t, metadata.Client, C.ClientQUICGo)
 	require.Equal(t, metadata.Domain, "www.google.com")
 }
 

common/tls/client.go

@@ -53,48 +53,26 @@ func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, e
 	return tlsConn, nil
 }
 
-type Dialer interface {
-	N.Dialer
-	DialTLSContext(ctx context.Context, destination M.Socksaddr) (Conn, error)
-}
-
-type defaultDialer struct {
+type Dialer struct {
 	dialer N.Dialer
 	config Config
 }
 
-func NewDialer(dialer N.Dialer, config Config) Dialer {
-	return &defaultDialer{dialer, config}
+func NewDialer(dialer N.Dialer, config Config) N.Dialer {
+	return &Dialer{dialer, config}
 }
 
-func (d *defaultDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	if N.NetworkName(network) != N.NetworkTCP {
+func (d *Dialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	if network != N.NetworkTCP {
 		return nil, os.ErrInvalid
 	}
-	return d.DialTLSContext(ctx, destination)
+	conn, err := d.dialer.DialContext(ctx, network, destination)
+	if err != nil {
+		return nil, err
+	}
+	return ClientHandshake(ctx, conn, d.config)
 }
 
-func (d *defaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+func (d *Dialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	return nil, os.ErrInvalid
 }
-
-func (d *defaultDialer) DialTLSContext(ctx context.Context, destination M.Socksaddr) (Conn, error) {
-	return d.dialContext(ctx, destination)
-}
-
-func (d *defaultDialer) dialContext(ctx context.Context, destination M.Socksaddr) (Conn, error) {
-	conn, err := d.dialer.DialContext(ctx, N.NetworkTCP, destination)
-	if err != nil {
-		return nil, err
-	}
-	tlsConn, err := aTLS.ClientHandshake(ctx, conn, d.config)
-	if err != nil {
-		conn.Close()
-		return nil, err
-	}
-	return tlsConn, nil
-}
-
-func (d *defaultDialer) Upstream() any {
-	return d.dialer
-}

common/tls/ech.go

@@ -69,7 +69,11 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	} else {
 		return E.New("missing ECH keys")
 	}
-	echKeys, err := parseECHKeys(echKey)
+	block, rest := pem.Decode(echKey)
+	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
+		return E.New("invalid ECH keys pem")
+	}
+	echKeys, err := UnmarshalECHKeys(block.Bytes)
 	if err != nil {
 		return E.Cause(err, "parse ECH keys")
 	}
@@ -81,29 +85,21 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	return nil
 }
 
-func (c *STDServerConfig) setECHServerConfig(echKey []byte) error {
-	echKeys, err := parseECHKeys(echKey)
+func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
+	echKey, err := os.ReadFile(echKeyPath)
 	if err != nil {
-		return err
+		return E.Cause(err, "reload ECH keys from ", echKeyPath)
 	}
-	c.access.Lock()
-	config := c.config.Clone()
-	config.EncryptedClientHelloKeys = echKeys
-	c.config = config
-	c.access.Unlock()
-	return nil
-}
-
-func parseECHKeys(echKey []byte) ([]tls.EncryptedClientHelloKey, error) {
 	block, _ := pem.Decode(echKey)
 	if block == nil || block.Type != "ECH KEYS" {
-		return nil, E.New("invalid ECH keys pem")
+		return E.New("invalid ECH keys pem")
 	}
 	echKeys, err := UnmarshalECHKeys(block.Bytes)
 	if err != nil {
-		return nil, E.Cause(err, "parse ECH keys")
+		return E.Cause(err, "parse ECH keys")
 	}
-	return echKeys, nil
+	tlsConfig.EncryptedClientHelloKeys = echKeys
+	return nil
 }
 
 type ECHClientConfig struct {
@@ -129,7 +125,7 @@ func (s *ECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (a
 func (s *ECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
 	s.access.Lock()
 	defer s.access.Unlock()
-	if len(s.ECHConfigList()) == 0 || s.lastTTL == 0 || time.Since(s.lastUpdate) > s.lastTTL {
+	if len(s.ECHConfigList()) == 0 || s.lastTTL == 0 || time.Now().Sub(s.lastUpdate) > s.lastTTL {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,

common/tls/ech_shared.go

@@ -1,11 +1,14 @@
 package tls
 
 import (
-	"crypto/ecdh"
-	"crypto/rand"
+	"bytes"
+	"encoding/binary"
 	"encoding/pem"
 
-	"golang.org/x/crypto/cryptobyte"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"github.com/cloudflare/circl/hpke"
+	"github.com/cloudflare/circl/kem"
 )
 
 type ECHCapableConfig interface {
@@ -14,68 +17,145 @@ type ECHCapableConfig interface {
 	SetECHConfigList([]byte)
 }
 
-func ECHKeygenDefault(publicName string) (configPem string, keyPem string, err error) {
-	echKey, err := ecdh.X25519().GenerateKey(rand.Reader)
+func ECHKeygenDefault(serverName string) (configPem string, keyPem string, err error) {
+	cipherSuites := []echCipherSuite{
+		{
+			kdf:  hpke.KDF_HKDF_SHA256,
+			aead: hpke.AEAD_AES128GCM,
+		}, {
+			kdf:  hpke.KDF_HKDF_SHA256,
+			aead: hpke.AEAD_ChaCha20Poly1305,
+		},
+	}
+	keyConfig := []myECHKeyConfig{
+		{id: 0, kem: hpke.KEM_X25519_HKDF_SHA256},
+	}
+
+	keyPairs, err := echKeygen(0xfe0d, serverName, keyConfig, cipherSuites)
 	if err != nil {
 		return
 	}
-	echConfig, err := marshalECHConfig(0, echKey.PublicKey().Bytes(), publicName, 0)
-	if err != nil {
-		return
+
+	var configBuffer bytes.Buffer
+	var totalLen uint16
+	for _, keyPair := range keyPairs {
+		totalLen += uint16(len(keyPair.rawConf))
 	}
-	configBuilder := cryptobyte.NewBuilder(nil)
-	configBuilder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
-		builder.AddBytes(echConfig)
-	})
-	configBytes, err := configBuilder.Bytes()
-	if err != nil {
-		return
+	binary.Write(&configBuffer, binary.BigEndian, totalLen)
+	for _, keyPair := range keyPairs {
+		configBuffer.Write(keyPair.rawConf)
 	}
-	keyBuilder := cryptobyte.NewBuilder(nil)
-	keyBuilder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
-		builder.AddBytes(echKey.Bytes())
-	})
-	keyBuilder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
-		builder.AddBytes(echConfig)
-	})
-	keyBytes, err := keyBuilder.Bytes()
-	if err != nil {
-		return
+
+	var keyBuffer bytes.Buffer
+	for _, keyPair := range keyPairs {
+		keyBuffer.Write(keyPair.rawKey)
 	}
-	configPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH CONFIGS", Bytes: configBytes}))
-	keyPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH KEYS", Bytes: keyBytes}))
+
+	configPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH CONFIGS", Bytes: configBuffer.Bytes()}))
+	keyPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH KEYS", Bytes: keyBuffer.Bytes()}))
 	return
 }
 
-func marshalECHConfig(id uint8, pubKey []byte, publicName string, maxNameLen uint8) ([]byte, error) {
-	const extensionEncryptedClientHello = 0xfe0d
-	const DHKEM_X25519_HKDF_SHA256 = 0x0020
-	const KDF_HKDF_SHA256 = 0x0001
-	builder := cryptobyte.NewBuilder(nil)
-	builder.AddUint16(extensionEncryptedClientHello)
-	builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
-		builder.AddUint8(id)
-
-		builder.AddUint16(DHKEM_X25519_HKDF_SHA256) // The only DHKEM we support
-		builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
-			builder.AddBytes(pubKey)
-		})
-		builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
-			const (
-				AEAD_AES_128_GCM      = 0x0001
-				AEAD_AES_256_GCM      = 0x0002
-				AEAD_ChaCha20Poly1305 = 0x0003
-			)
-			for _, aeadID := range []uint16{AEAD_AES_128_GCM, AEAD_AES_256_GCM, AEAD_ChaCha20Poly1305} {
-				builder.AddUint16(KDF_HKDF_SHA256) // The only KDF we support
-				builder.AddUint16(aeadID)
-			}
-		})
-		builder.AddUint8(maxNameLen)
-		builder.AddUint8LengthPrefixed(func(builder *cryptobyte.Builder) {
-			builder.AddBytes([]byte(publicName))
-		})
-		builder.AddUint16(0) // extensions
-	})
-	return builder.Bytes()
+type echKeyConfigPair struct {
+	id      uint8
+	rawKey  []byte
+	conf    myECHKeyConfig
+	rawConf []byte
+}
+
+type echCipherSuite struct {
+	kdf  hpke.KDF
+	aead hpke.AEAD
+}
+
+type myECHKeyConfig struct {
+	id   uint8
+	kem  hpke.KEM
+	seed []byte
+}
+
+func echKeygen(version uint16, serverName string, conf []myECHKeyConfig, suite []echCipherSuite) ([]echKeyConfigPair, error) {
+	be := binary.BigEndian
+	// prepare for future update
+	if version != 0xfe0d {
+		return nil, E.New("unsupported ECH version", version)
+	}
+
+	suiteBuf := make([]byte, 0, len(suite)*4+2)
+	suiteBuf = be.AppendUint16(suiteBuf, uint16(len(suite))*4)
+	for _, s := range suite {
+		if !s.kdf.IsValid() || !s.aead.IsValid() {
+			return nil, E.New("invalid HPKE cipher suite")
+		}
+		suiteBuf = be.AppendUint16(suiteBuf, uint16(s.kdf))
+		suiteBuf = be.AppendUint16(suiteBuf, uint16(s.aead))
+	}
+
+	pairs := []echKeyConfigPair{}
+	for _, c := range conf {
+		pair := echKeyConfigPair{}
+		pair.id = c.id
+		pair.conf = c
+
+		if !c.kem.IsValid() {
+			return nil, E.New("invalid HPKE KEM")
+		}
+
+		kpGenerator := c.kem.Scheme().GenerateKeyPair
+		if len(c.seed) > 0 {
+			kpGenerator = func() (kem.PublicKey, kem.PrivateKey, error) {
+				pub, sec := c.kem.Scheme().DeriveKeyPair(c.seed)
+				return pub, sec, nil
+			}
+			if len(c.seed) < c.kem.Scheme().PrivateKeySize() {
+				return nil, E.New("HPKE KEM seed too short")
+			}
+		}
+
+		pub, sec, err := kpGenerator()
+		if err != nil {
+			return nil, E.Cause(err, "generate ECH config key pair")
+		}
+		b := []byte{}
+		b = be.AppendUint16(b, version)
+		b = be.AppendUint16(b, 0) // length field
+		// contents
+		// key config
+		b = append(b, c.id)
+		b = be.AppendUint16(b, uint16(c.kem))
+		pubBuf, err := pub.MarshalBinary()
+		if err != nil {
+			return nil, E.Cause(err, "serialize ECH public key")
+		}
+		b = be.AppendUint16(b, uint16(len(pubBuf)))
+		b = append(b, pubBuf...)
+
+		b = append(b, suiteBuf...)
+		// end key config
+		// max name len, not supported
+		b = append(b, 0)
+		// server name
+		b = append(b, byte(len(serverName)))
+		b = append(b, []byte(serverName)...)
+		// extensions, not supported
+		b = be.AppendUint16(b, 0)
+
+		be.PutUint16(b[2:], uint16(len(b)-4))
+
+		pair.rawConf = b
+
+		secBuf, err := sec.MarshalBinary()
+		if err != nil {
+			return nil, E.Cause(err, "serialize ECH private key")
+		}
+		sk := []byte{}
+		sk = be.AppendUint16(sk, uint16(len(secBuf)))
+		sk = append(sk, secBuf...)
+		sk = be.AppendUint16(sk, uint16(len(b)))
+		sk = append(sk, b...)
+		pair.rawKey = sk
+
+		pairs = append(pairs, pair)
+	}
+	return pairs, nil
 }

common/tls/ech_stub.go

@@ -18,6 +18,6 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	return E.New("ECH requires go1.24, please recompile your binary.")
 }
 
-func (c *STDServerConfig) setECHServerConfig(echKey []byte) error {
-	panic("unreachable")
+func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
+	return E.New("ECH requires go1.24, please recompile your binary.")
 }

common/tls/reality_client.go

@@ -307,11 +307,3 @@ func (c *realityClientConnWrapper) Upstream() any {
 func (c *realityClientConnWrapper) CloseWrite() error {
 	return c.Close()
 }
-
-func (c *realityClientConnWrapper) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *realityClientConnWrapper) WriterReplaceable() bool {
-	return true
-}

common/tls/reality_server.go

@@ -206,11 +206,3 @@ func (c *realityConnWrapper) Upstream() any {
 func (c *realityConnWrapper) CloseWrite() error {
 	return c.Close()
 }
-
-func (c *realityConnWrapper) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *realityConnWrapper) WriterReplaceable() bool {
-	return true
-}

common/tls/std_client.go

@@ -86,16 +86,12 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 		tlsConfig.InsecureSkipVerify = true
 		tlsConfig.VerifyConnection = func(state tls.ConnectionState) error {
 			verifyOptions := x509.VerifyOptions{
-				Roots:         tlsConfig.RootCAs,
 				DNSName:       serverName,
 				Intermediates: x509.NewCertPool(),
 			}
 			for _, cert := range state.PeerCertificates[1:] {
 				verifyOptions.Intermediates.AddCert(cert)
 			}
-			if tlsConfig.Time != nil {
-				verifyOptions.CurrentTime = tlsConfig.Time()
-			}
 			_, err := state.PeerCertificates[0].Verify(verifyOptions)
 			return err
 		}

common/tls/std_server.go

@@ -6,7 +6,6 @@ import (
 	"net"
 	"os"
 	"strings"
-	"sync"
 	"time"
 
 	"github.com/sagernet/fswatch"
@@ -21,7 +20,6 @@ import (
 var errInsecureUnused = E.New("tls: insecure unused")
 
 type STDServerConfig struct {
-	access          sync.RWMutex
 	config          *tls.Config
 	logger          log.Logger
 	acmeService     adapter.SimpleLifecycle
@@ -34,22 +32,14 @@ type STDServerConfig struct {
 }
 
 func (c *STDServerConfig) ServerName() string {
-	c.access.RLock()
-	defer c.access.RUnlock()
 	return c.config.ServerName
 }
 
 func (c *STDServerConfig) SetServerName(serverName string) {
-	c.access.Lock()
-	defer c.access.Unlock()
-	config := c.config.Clone()
-	config.ServerName = serverName
-	c.config = config
+	c.config.ServerName = serverName
 }
 
 func (c *STDServerConfig) NextProtos() []string {
-	c.access.RLock()
-	defer c.access.RUnlock()
 	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
 		return c.config.NextProtos[1:]
 	} else {
@@ -58,15 +48,11 @@ func (c *STDServerConfig) NextProtos() []string {
 }
 
 func (c *STDServerConfig) SetNextProtos(nextProto []string) {
-	c.access.Lock()
-	defer c.access.Unlock()
-	config := c.config.Clone()
 	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
-		config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
+		c.config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
 	} else {
-		config.NextProtos = nextProto
+		c.config.NextProtos = nextProto
 	}
-	c.config = config
 }
 
 func (c *STDServerConfig) Config() (*STDConfig, error) {
@@ -91,6 +77,9 @@ func (c *STDServerConfig) Start() error {
 	if c.acmeService != nil {
 		return c.acmeService.Start()
 	} else {
+		if c.certificatePath == "" && c.keyPath == "" {
+			return nil
+		}
 		err := c.startWatcher()
 		if err != nil {
 			c.logger.Warn("create fsnotify watcher: ", err)
@@ -110,9 +99,6 @@ func (c *STDServerConfig) startWatcher() error {
 	if c.echKeyPath != "" {
 		watchPath = append(watchPath, c.echKeyPath)
 	}
-	if len(watchPath) == 0 {
-		return nil
-	}
 	watcher, err := fswatch.NewWatcher(fswatch.Options{
 		Path: watchPath,
 		Callback: func(path string) {
@@ -152,18 +138,10 @@ func (c *STDServerConfig) certificateUpdated(path string) error {
 		if err != nil {
 			return E.Cause(err, "reload key pair")
 		}
-		c.access.Lock()
-		config := c.config.Clone()
-		config.Certificates = []tls.Certificate{keyPair}
-		c.config = config
-		c.access.Unlock()
+		c.config.Certificates = []tls.Certificate{keyPair}
 		c.logger.Info("reloaded TLS certificate")
 	} else if path == c.echKeyPath {
-		echKey, err := os.ReadFile(c.echKeyPath)
-		if err != nil {
-			return E.Cause(err, "reload ECH keys from ", c.echKeyPath)
-		}
-		err = c.setECHServerConfig(echKey)
+		err := reloadECHKeys(c.echKeyPath, c.config)
 		if err != nil {
 			return err
 		}
@@ -284,7 +262,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 			return nil, err
 		}
 	}
-	serverConfig := &STDServerConfig{
+	return &STDServerConfig{
 		config:          tlsConfig,
 		logger:          logger,
 		acmeService:     acmeService,
@@ -293,11 +271,5 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		certificatePath: options.CertificatePath,
 		keyPath:         options.KeyPath,
 		echKeyPath:      echKeyPath,
-	}
-	serverConfig.config.GetConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
-		serverConfig.access.Lock()
-		defer serverConfig.access.Unlock()
-		return serverConfig.config, nil
-	}
-	return serverConfig, nil
+	}, nil
 }

common/tls/time_wrapper.go

@@ -11,13 +11,10 @@ type TimeServiceWrapper struct {
 }
 
 func (w *TimeServiceWrapper) TimeFunc() func() time.Time {
-	return func() time.Time {
-		if w.TimeService != nil {
-			return w.TimeService.TimeFunc()()
-		} else {
-			return time.Now()
-		}
+	if w.TimeService == nil {
+		return nil
 	}
+	return w.TimeService.TimeFunc()
 }
 
 func (w *TimeServiceWrapper) Upstream() any {

common/tls/utls_client.go

@@ -106,14 +106,6 @@ func (c *utlsConnWrapper) Upstream() any {
 	return c.UConn
 }
 
-func (c *utlsConnWrapper) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *utlsConnWrapper) WriterReplaceable() bool {
-	return true
-}
-
 type utlsALPNWrapper struct {
 	utlsConnWrapper
 	nextProtocols []string
@@ -153,16 +145,11 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 	var tlsConfig utls.Config
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
-	if !options.DisableSNI {
-		tlsConfig.ServerName = serverName
-	}
+	tlsConfig.ServerName = serverName
 	if options.Insecure {
 		tlsConfig.InsecureSkipVerify = options.Insecure
 	} else if options.DisableSNI {
-		if options.Reality != nil && options.Reality.Enabled {
-			return nil, E.New("disable_sni is unsupported in reality")
-		}
-		tlsConfig.InsecureServerNameToVerify = serverName
+		return nil, E.New("disable_sni is unsupported in uTLS")
 	}
 	if len(options.ALPN) > 0 {
 		tlsConfig.NextProtos = options.ALPN

common/tlsfragment/conn.go

@@ -45,7 +45,7 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 		defer func() {
 			c.firstPacketWritten = true
 		}()
-		serverName := IndexTLSServerName(b)
+		serverName := indexTLSServerName(b)
 		if serverName != nil {
 			if c.splitPacket {
 				if c.tcpConn != nil {
@@ -109,9 +109,6 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 						if err != nil {
 							return
 						}
-						if i != len(splitIndexes) {
-							time.Sleep(c.fallbackDelay)
-						}
 					}
 				}
 			}

common/tlsfragment/index.go

@@ -22,13 +22,13 @@ const (
 	tls13                   uint16 = 0x0304
 )
 
-type MyServerName struct {
+type myServerName struct {
 	Index      int
 	Length     int
 	ServerName string
 }
 
-func IndexTLSServerName(payload []byte) *MyServerName {
+func indexTLSServerName(payload []byte) *myServerName {
 	if len(payload) < recordLayerHeaderLen || payload[0] != contentType {
 		return nil
 	}
@@ -36,48 +36,47 @@ func IndexTLSServerName(payload []byte) *MyServerName {
 	if len(payload) < recordLayerHeaderLen+int(segmentLen) {
 		return nil
 	}
-	serverName := indexTLSServerNameFromHandshake(payload[recordLayerHeaderLen:])
+	serverName := indexTLSServerNameFromHandshake(payload[recordLayerHeaderLen : recordLayerHeaderLen+int(segmentLen)])
 	if serverName == nil {
 		return nil
 	}
-	serverName.Index += recordLayerHeaderLen
+	serverName.Length += recordLayerHeaderLen
 	return serverName
 }
 
-func indexTLSServerNameFromHandshake(handshake []byte) *MyServerName {
-	if len(handshake) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen {
+func indexTLSServerNameFromHandshake(hs []byte) *myServerName {
+	if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen {
 		return nil
 	}
-	if handshake[0] != handshakeType {
+	if hs[0] != handshakeType {
 		return nil
 	}
-	handshakeLen := uint32(handshake[1])<<16 | uint32(handshake[2])<<8 | uint32(handshake[3])
-	if len(handshake[4:]) != int(handshakeLen) {
+	handshakeLen := uint32(hs[1])<<16 | uint32(hs[2])<<8 | uint32(hs[3])
+	if len(hs[4:]) != int(handshakeLen) {
 		return nil
 	}
-	tlsVersion := uint16(handshake[4])<<8 | uint16(handshake[5])
+	tlsVersion := uint16(hs[4])<<8 | uint16(hs[5])
 	if tlsVersion&tlsVersionBitmask != 0x0300 && tlsVersion != tls13 {
 		return nil
 	}
-	sessionIDLen := handshake[38]
-	currentIndex := handshakeHeaderLen + randomDataLen + sessionIDHeaderLen + int(sessionIDLen)
-	if len(handshake) < currentIndex {
+	sessionIDLen := hs[38]
+	if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen) {
 		return nil
 	}
-	cipherSuites := handshake[currentIndex:]
-	if len(cipherSuites) < cipherSuiteHeaderLen {
+	cs := hs[handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen):]
+	if len(cs) < cipherSuiteHeaderLen {
 		return nil
 	}
-	csLen := uint16(cipherSuites[0])<<8 | uint16(cipherSuites[1])
-	if len(cipherSuites) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen {
+	csLen := uint16(cs[0])<<8 | uint16(cs[1])
+	if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen {
 		return nil
 	}
-	compressMethodLen := uint16(cipherSuites[cipherSuiteHeaderLen+int(csLen)])
-	currentIndex += cipherSuiteHeaderLen + int(csLen) + compressMethodHeaderLen + int(compressMethodLen)
-	if len(handshake) < currentIndex {
+	compressMethodLen := uint16(cs[cipherSuiteHeaderLen+int(csLen)])
+	if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen+int(compressMethodLen) {
 		return nil
 	}
-	serverName := indexTLSServerNameFromExtensions(handshake[currentIndex:])
+	currentIndex := cipherSuiteHeaderLen + int(csLen) + compressMethodHeaderLen + int(compressMethodLen)
+	serverName := indexTLSServerNameFromExtensions(cs[currentIndex:])
 	if serverName == nil {
 		return nil
 	}
@@ -85,7 +84,7 @@ func indexTLSServerNameFromHandshake(handshake []byte) *MyServerName {
 	return serverName
 }
 
-func indexTLSServerNameFromExtensions(exs []byte) *MyServerName {
+func indexTLSServerNameFromExtensions(exs []byte) *myServerName {
 	if len(exs) == 0 {
 		return nil
 	}
@@ -119,8 +118,7 @@ func indexTLSServerNameFromExtensions(exs []byte) *MyServerName {
 			}
 			sniLen := uint16(sex[3])<<8 | uint16(sex[4])
 			sex = sex[sniExtensionHeaderLen:]
-
-			return &MyServerName{
+			return &myServerName{
 				Index:      currentIndex + extensionHeaderLen + sniExtensionHeaderLen,
 				Length:     int(sniLen),
 				ServerName: string(sex),

common/tlsfragment/index_test.go

@@ -1,20 +0,0 @@
-package tf_test
-
-import (
-	"encoding/hex"
-	"testing"
-
-	"github.com/sagernet/sing-box/common/tlsfragment"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestIndexTLSServerName(t *testing.T) {
-	t.Parallel()
-	payload, err := hex.DecodeString("16030105f8010005f403036e35de7389a679c54029cf452611f2211c70d9ac3897271de589ab6155f8e4ab20637d225f1ef969ad87ed78bfb9d171300bcb1703b6f314ccefb964f79b7d0961002a0a0a130213031301c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a01000581baba00000000000f000d00000a6769746875622e636f6d00170000ff01000100000a000e000c3a3a11ec001d001700180019000b000201000010000e000c02683208687474702f312e31000500050100000000000d00160014040308040401050308050805050108060601020100120000003304ef04ed3a3a00010011ec04c0aeb2250c092a3463161cccb29d9183331a424964248579507ed23a180b0ceab2a5f5d9ce41547e497a89055471ea572867ba3a1fc3c9e45025274a20f60c6b60e62476b6afed0403af59ab83660ef4112ae20386a602010d0a5d454c0ed34c84ed4423e750213e6a2baab1bf9c4367a6007ab40a33d95220c2dcaa44f257024a5626b545db0510f4311b1a60714154909c6a61fdfca011fb2626d657aeb6070bf078508babe3b584555013e34acc56198ed4663742b3155a664a9901794c4586820a7dc162c01827291f3792e1237f801a8d1ef096013c181c4a58d2f6859ba75022d18cc4418bd4f351d5c18f83a58857d05af860c4b9ac018a5b63f17184e591532c6bc2cf2215d4a282c8a8a4f6f7aee110422c8bc9ebd3b1d609c568523aaae555db320e6c269473d87af38c256cbb9febc20aea6380c32a8916f7a373c8b1e37554e3260bf6621f6b804ee80b3c516b1d01985bf4c603b6daa9a5991de6a7a29f3a7122b8afb843a7660110fce62b43c615f5bcc2db688ba012649c0952b0a2c031e732d2b454c6b2968683cb8d244be2c9a7fa163222979eaf92722b92b862d81a3d94450c2b60c318421ebb4307c42d1f0473592a5c30e42039cc68cda9721e61aa63f49def17c15221680ed444896340133bbee67556f56b9f9d78a4df715f926a12add0cc9c862e46ea8b7316ae468282c18601b2771c9c9322f982228cf93effaacd3f80cbd12bce5fc36f56e2a3caf91e578a5fae00c9b23a8ed1a66764f4433c3628a70b8f0a6196adc60a4cb4226f07ba4c6b363fe9065563bfc1347452946386bab488686e837ab979c64f9047417fca635fe1bb4f074f256cc8af837c7b455e280426547755af90a61640169ef180aea3a77e662bb6dac1b6c3696027129b1a5edf495314e9c7f4b6110e16378ec893fa24642330a40aba1a85326101acb97c620fd8d71389e69eaed7bdb01bbe1fd428d66191150c7b2cd1ad4257391676a82ba8ce07fb2667c3b289f159003a7c7bc31d361b7b7f49a802961739d950dfcc0fa1c7abce5abdd2245101da391151490862028110465950b9e9c03d08a90998ab83267838d2e74a0593bc81f74cdf734519a05b351c0e5488c68dd810e6e9142ccc1e2f4a7f464297eb340e27acc6b9d64e12e38cce8492b3d939140b5a9e149a75597f10a23874c84323a07cdd657274378f887c85c4259b9c04cd33ba58ed630ef2a744f8e19dd34843dff331d2a6be7e2332c599289cd248a611c73d7481cd4a9bd43449a3836f14b2af18a1739e17999e4c67e85cc5bcecabb14185e5bcaff3c96098f03dc5aba819f29587758f49f940585354a2a780830528d68ccd166920dadcaa25cab5fc1907272a826aba3f08bc6b88757776812ecb6c7cec69a223ec0a13a7b62a2349a0f63ed7a27a3b15ba21d71fe6864ec6e089ae17cadd433fa3138f7ee24353c11365818f8fc34f43a05542d18efaac24bfccc1f748a0cc1a67ad379468b76fd34973dba785f5c91d618333cd810fe0700d1bbc8422029782628070a624c52c5309a4a64d625b11f8033ab28df34a1add297517fcc06b92b6817b3c5144438cf260867c57bde68c8c4b82e6a135ef676a52fbae5708002a404e6189a60e2836de565ad1b29e3819e5ed49f6810bcb28e1bd6de57306f94b79d9dae1cc4624d2a068499beef81cd5fe4b76dcbfff2a2008001d002001976128c6d5a934533f28b9914d2480aab2a8c1ab03d212529ce8b27640a716002d00020101002b000706caca03040303001b00030200015a5a000100")
-	require.NoError(t, err)
-	serverName := tf.IndexTLSServerName(payload)
-	require.NotNil(t, serverName)
-	require.Equal(t, serverName.ServerName, string(payload[serverName.Index:serverName.Index+serverName.Length]))
-	require.Equal(t, "github.com", serverName.ServerName)
-}

common/tlsfragment/wait_stub.go

@@ -9,10 +9,6 @@ import (
 )
 
 func writeAndWaitAck(ctx context.Context, conn *net.TCPConn, payload []byte, fallbackDelay time.Duration) error {
-	_, err := conn.Write(payload)
-	if err != nil {
-		return err
-	}
 	time.Sleep(fallbackDelay)
 	return nil
 }

common/tlsfragment/wait_windows.go

@@ -16,9 +16,6 @@ func writeAndWaitAck(ctx context.Context, conn *net.TCPConn, payload []byte, fal
 	err := winiphlpapi.WriteAndWaitAck(ctx, conn, payload)
 	if err != nil {
 		if errors.Is(err, windows.ERROR_ACCESS_DENIED) {
-			if _, err := conn.Write(payload); err != nil {
-				return err
-			}
 			time.Sleep(fallbackDelay)
 			return nil
 		}

common/urltest/urltest.go

@@ -47,15 +47,15 @@ func (s *HistoryStorage) LoadURLTestHistory(tag string) *adapter.URLTestHistory
 func (s *HistoryStorage) DeleteURLTestHistory(tag string) {
 	s.access.Lock()
 	delete(s.delayHistory, tag)
-	s.notifyUpdated()
 	s.access.Unlock()
+	s.notifyUpdated()
 }
 
 func (s *HistoryStorage) StoreURLTestHistory(tag string, history *adapter.URLTestHistory) {
 	s.access.Lock()
 	s.delayHistory[tag] = history
-	s.notifyUpdated()
 	s.access.Unlock()
+	s.notifyUpdated()
 }
 
 func (s *HistoryStorage) notifyUpdated() {
@@ -69,8 +69,6 @@ func (s *HistoryStorage) notifyUpdated() {
 }
 
 func (s *HistoryStorage) Close() error {
-	s.access.Lock()
-	defer s.access.Unlock()
 	s.updateHook = nil
 	return nil
 }

dns/client.go

@@ -2,14 +2,12 @@ package dns
 
 import (
 	"context"
-	"errors"
 	"net"
 	"net/netip"
 	"strings"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/compatible"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -19,7 +17,7 @@ import (
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
 
-	"github.com/miekg/dns"
+	dns "github.com/miekg/dns"
 )
 
 var (
@@ -32,18 +30,16 @@ var (
 var _ adapter.DNSClient = (*Client)(nil)
 
 type Client struct {
-	timeout            time.Duration
-	disableCache       bool
-	disableExpire      bool
-	independentCache   bool
-	clientSubnet       netip.Prefix
-	rdrc               adapter.RDRCStore
-	initRDRCFunc       func() adapter.RDRCStore
-	logger             logger.ContextLogger
-	cache              freelru.Cache[dns.Question, *dns.Msg]
-	cacheLock          compatible.Map[dns.Question, chan struct{}]
-	transportCache     freelru.Cache[transportCacheKey, *dns.Msg]
-	transportCacheLock compatible.Map[dns.Question, chan struct{}]
+	timeout          time.Duration
+	disableCache     bool
+	disableExpire    bool
+	independentCache bool
+	clientSubnet     netip.Prefix
+	rdrc             adapter.RDRCStore
+	initRDRCFunc     func() adapter.RDRCStore
+	logger           logger.ContextLogger
+	cache            freelru.Cache[dns.Question, *dns.Msg]
+	transportCache   freelru.Cache[transportCacheKey, *dns.Msg]
 }
 
 type ClientOptions struct {
@@ -95,34 +91,22 @@ func (c *Client) Start() {
 	}
 }
 
-func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
-	for _, record := range response.Ns {
-		if soa, isSOA := record.(*dns.SOA); isSOA {
-			soaTTL := soa.Header().Ttl
-			soaMinimum := soa.Minttl
-			if soaTTL < soaMinimum {
-				return soaTTL, true
-			}
-			return soaMinimum, true
-		}
-	}
-	return 0, false
-}
-
 func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
 	if len(message.Question) == 0 {
 		if c.logger != nil {
 			c.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
 		}
-		return FixedResponseStatus(message, dns.RcodeFormatError), nil
+		responseMessage := dns.Msg{
+			MsgHdr: dns.MsgHdr{
+				Id:       message.Id,
+				Response: true,
+				Rcode:    dns.RcodeFormatError,
+			},
+			Question: message.Question,
+		}
+		return &responseMessage, nil
 	}
 	question := message.Question[0]
-	if question.Qtype == dns.TypeA && options.Strategy == C.DomainStrategyIPv6Only || question.Qtype == dns.TypeAAAA && options.Strategy == C.DomainStrategyIPv4Only {
-		if c.logger != nil {
-			c.logger.DebugContext(ctx, "strategy rejected")
-		}
-		return FixedResponseStatus(message, dns.RcodeSuccess), nil
-	}
 	clientSubnet := options.ClientSubnet
 	if !clientSubnet.IsValid() {
 		clientSubnet = c.clientSubnet
@@ -130,46 +114,12 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	if clientSubnet.IsValid() {
 		message = SetClientSubnet(message, clientSubnet)
 	}
-
 	isSimpleRequest := len(message.Question) == 1 &&
 		len(message.Ns) == 0 &&
-		(len(message.Extra) == 0 || len(message.Extra) == 1 &&
-			message.Extra[0].Header().Rrtype == dns.TypeOPT &&
-			message.Extra[0].Header().Class > 0 &&
-			message.Extra[0].Header().Ttl == 0 &&
-			len(message.Extra[0].(*dns.OPT).Option) == 0) &&
+		len(message.Extra) == 0 &&
 		!options.ClientSubnet.IsValid()
 	disableCache := !isSimpleRequest || c.disableCache || options.DisableCache
 	if !disableCache {
-		if c.cache != nil {
-			cond, loaded := c.cacheLock.LoadOrStore(question, make(chan struct{}))
-			if loaded {
-				select {
-				case <-cond:
-				case <-ctx.Done():
-					return nil, ctx.Err()
-				}
-			} else {
-				defer func() {
-					c.cacheLock.Delete(question)
-					close(cond)
-				}()
-			}
-		} else if c.transportCache != nil {
-			cond, loaded := c.transportCacheLock.LoadOrStore(question, make(chan struct{}))
-			if loaded {
-				select {
-				case <-cond:
-				case <-ctx.Done():
-					return nil, ctx.Err()
-				}
-			} else {
-				defer func() {
-					c.transportCacheLock.Delete(question)
-					close(cond)
-				}()
-			}
-		}
 		response, ttl := c.loadResponse(question, transport)
 		if response != nil {
 			logCachedResponse(c.logger, ctx, response, ttl)
@@ -177,14 +127,27 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			return response, nil
 		}
 	}
-
+	if question.Qtype == dns.TypeA && options.Strategy == C.DomainStrategyIPv6Only || question.Qtype == dns.TypeAAAA && options.Strategy == C.DomainStrategyIPv4Only {
+		responseMessage := dns.Msg{
+			MsgHdr: dns.MsgHdr{
+				Id:       message.Id,
+				Response: true,
+				Rcode:    dns.RcodeSuccess,
+			},
+			Question: []dns.Question{question},
+		}
+		if c.logger != nil {
+			c.logger.DebugContext(ctx, "strategy rejected")
+		}
+		return &responseMessage, nil
+	}
 	messageId := message.Id
 	contextTransport, clientSubnetLoaded := transportTagFromContext(ctx)
 	if clientSubnetLoaded && transport.Tag() == contextTransport {
 		return nil, E.New("DNS query loopback in transport[", contextTransport, "]")
 	}
 	ctx = contextWithTransportTag(ctx, transport.Tag())
-	if !disableCache && responseChecker != nil && c.rdrc != nil {
+	if responseChecker != nil && c.rdrc != nil {
 		rejected := c.rdrc.LoadRDRC(transport.Tag(), question.Name, question.Qtype)
 		if rejected {
 			return nil, ErrResponseRejectedCached
@@ -194,12 +157,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	response, err := transport.Exchange(ctx, message)
 	cancel()
 	if err != nil {
-		var rcodeError RcodeError
-		if errors.As(err, &rcodeError) {
-			response = FixedResponseStatus(message, int(rcodeError))
-		} else {
-			return nil, err
-		}
+		return nil, err
 	}
 	/*if question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA {
 		validResponse := response
@@ -236,19 +194,15 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			response.Answer = append(response.Answer, validResponse.Answer...)
 		}
 	}*/
-	disableCache = disableCache || (response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError)
 	if responseChecker != nil {
 		var rejected bool
-		// TODO: add accept_any rule and support to check response instead of addresses
-		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
+		if !(response.Rcode == dns.RcodeSuccess || response.Rcode == dns.RcodeNameError) {
 			rejected = true
-		} else if len(response.Answer) == 0 {
-			rejected = !responseChecker(nil)
 		} else {
 			rejected = !responseChecker(MessageToAddresses(response))
 		}
 		if rejected {
-			if !disableCache && c.rdrc != nil {
+			if c.rdrc != nil {
 				c.rdrc.SaveRDRCAsync(transport.Tag(), question.Name, question.Qtype, c.logger)
 			}
 			logRejectedResponse(c.logger, ctx, response)
@@ -275,17 +229,10 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		}
 	}
 	var timeToLive uint32
-	if len(response.Answer) == 0 {
-		if soaTTL, hasSOA := extractNegativeTTL(response); hasSOA {
-			timeToLive = soaTTL
-		}
-	}
-	if timeToLive == 0 {
-		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-			for _, record := range recordList {
-				if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
-					timeToLive = record.Header().Ttl
-				}
+	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+		for _, record := range recordList {
+			if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
+				timeToLive = record.Header().Ttl
 			}
 		}
 	}
@@ -312,7 +259,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		}
 	}
 	logExchangedResponse(c.logger, ctx, response, timeToLive)
-	return response, nil
+	return response, err
 }
 
 func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
@@ -358,11 +305,70 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 func (c *Client) ClearCache() {
 	if c.cache != nil {
 		c.cache.Purge()
-	} else if c.transportCache != nil {
+	}
+	if c.transportCache != nil {
 		c.transportCache.Purge()
 	}
 }
 
+func (c *Client) LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool) {
+	if c.disableCache || c.independentCache {
+		return nil, false
+	}
+	if dns.IsFqdn(domain) {
+		domain = domain[:len(domain)-1]
+	}
+	dnsName := dns.Fqdn(domain)
+	if strategy == C.DomainStrategyIPv4Only {
+		response, err := c.questionCache(dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeA,
+			Qclass: dns.ClassINET,
+		}, nil)
+		if err != ErrNotCached {
+			return response, true
+		}
+	} else if strategy == C.DomainStrategyIPv6Only {
+		response, err := c.questionCache(dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeAAAA,
+			Qclass: dns.ClassINET,
+		}, nil)
+		if err != ErrNotCached {
+			return response, true
+		}
+	} else {
+		response4, _ := c.questionCache(dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeA,
+			Qclass: dns.ClassINET,
+		}, nil)
+		response6, _ := c.questionCache(dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeAAAA,
+			Qclass: dns.ClassINET,
+		}, nil)
+		if len(response4) > 0 || len(response6) > 0 {
+			return sortAddresses(response4, response6, strategy), true
+		}
+	}
+	return nil, false
+}
+
+func (c *Client) ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool) {
+	if c.disableCache || c.independentCache || len(message.Question) != 1 {
+		return nil, false
+	}
+	question := message.Question[0]
+	response, ttl := c.loadResponse(question, nil)
+	if response == nil {
+		return nil, false
+	}
+	logCachedResponse(c.logger, ctx, response, ttl)
+	response.Id = message.Id
+	return response, true
+}
+
 func sortAddresses(response4 []netip.Addr, response6 []netip.Addr, strategy C.DomainStrategy) []netip.Addr {
 	if strategy == C.DomainStrategyPreferIPv6 {
 		return append(response6, response4...)
@@ -384,15 +390,15 @@ func (c *Client) storeCache(transport adapter.DNSTransport, question dns.Questio
 				transportTag: transport.Tag(),
 			}, message)
 		}
+		return
+	}
+	if !c.independentCache {
+		c.cache.AddWithLifetime(question, message, time.Second*time.Duration(timeToLive))
 	} else {
-		if !c.independentCache {
-			c.cache.AddWithLifetime(question, message, time.Second*time.Duration(timeToLive))
-		} else {
-			c.transportCache.AddWithLifetime(transportCacheKey{
-				Question:     question,
-				transportTag: transport.Tag(),
-			}, message, time.Second*time.Duration(timeToLive))
-		}
+		c.transportCache.AddWithLifetime(transportCacheKey{
+			Question:     question,
+			transportTag: transport.Tag(),
+		}, message, time.Second*time.Duration(timeToLive))
 	}
 }
 
@@ -511,9 +517,6 @@ func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransp
 }
 
 func MessageToAddresses(response *dns.Msg) []netip.Addr {
-	if response == nil || response.Rcode != dns.RcodeSuccess {
-		return nil
-	}
 	addresses := make([]netip.Addr, 0, len(response.Answer))
 	for _, rawAnswer := range response.Answer {
 		switch answer := rawAnswer.(type) {
@@ -558,12 +561,9 @@ func transportTagFromContext(ctx context.Context) (string, bool) {
 func FixedResponseStatus(message *dns.Msg, rcode int) *dns.Msg {
 	return &dns.Msg{
 		MsgHdr: dns.MsgHdr{
-			Id:                 message.Id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              rcode,
+			Id:       message.Id,
+			Rcode:    rcode,
+			Response: true,
 		},
 		Question: message.Question,
 	}

dns/client_truncate.go

@@ -15,7 +15,8 @@ func TruncateDNSMessage(request *dns.Msg, response *dns.Msg, headroom int) (*buf
 	}
 	responseLen := response.Len()
 	if responseLen > maxLen {
-		response = response.Copy()
+		copyResponse := *response
+		response = &copyResponse
 		response.Truncate(maxLen)
 	}
 	buffer := buf.NewSize(headroom*2 + 1 + responseLen)

dns/rcode.go

@@ -5,7 +5,6 @@ import (
 )
 
 const (
-	RcodeSuccess     RcodeError = mDNS.RcodeSuccess
 	RcodeFormatError RcodeError = mDNS.RcodeFormatError
 	RcodeNameError   RcodeError = mDNS.RcodeNameError
 	RcodeRefused     RcodeError = mDNS.RcodeRefused

dns/router.go

@@ -214,88 +214,101 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 	}
 	r.logger.DebugContext(ctx, "exchange ", FormatQuestion(message.Question[0].String()))
 	var (
-		response  *mDNS.Msg
 		transport adapter.DNSTransport
 		err       error
 	)
-	var metadata *adapter.InboundContext
-	ctx, metadata = adapter.ExtendContext(ctx)
-	metadata.Destination = M.Socksaddr{}
-	metadata.QueryType = message.Question[0].Qtype
-	switch metadata.QueryType {
-	case mDNS.TypeA:
-		metadata.IPVersion = 4
-	case mDNS.TypeAAAA:
-		metadata.IPVersion = 6
-	}
-	metadata.Domain = FqdnToDomain(message.Question[0].Name)
-	if options.Transport != nil {
-		transport = options.Transport
-		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+	response, cached := r.client.ExchangeCache(ctx, message)
+	if !cached {
+		var metadata *adapter.InboundContext
+		ctx, metadata = adapter.ExtendContext(ctx)
+		metadata.Destination = M.Socksaddr{}
+		metadata.QueryType = message.Question[0].Qtype
+		switch metadata.QueryType {
+		case mDNS.TypeA:
+			metadata.IPVersion = 4
+		case mDNS.TypeAAAA:
+			metadata.IPVersion = 6
+		}
+		metadata.Domain = FqdnToDomain(message.Question[0].Name)
+		if options.Transport != nil {
+			transport = options.Transport
+			if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+				if options.Strategy == C.DomainStrategyAsIS {
+					options.Strategy = legacyTransport.LegacyStrategy()
+				}
+				if !options.ClientSubnet.IsValid() {
+					options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+				}
+			}
 			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = legacyTransport.LegacyStrategy()
+				options.Strategy = r.defaultDomainStrategy
 			}
-			if !options.ClientSubnet.IsValid() {
-				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-			}
-		}
-		if options.Strategy == C.DomainStrategyAsIS {
-			options.Strategy = r.defaultDomainStrategy
-		}
-		response, err = r.client.Exchange(ctx, transport, message, options, nil)
-	} else {
-		var (
-			rule      adapter.DNSRule
-			ruleIndex int
-		)
-		ruleIndex = -1
-		for {
-			dnsCtx := adapter.OverrideContext(ctx)
-			dnsOptions := options
-			transport, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message), &dnsOptions)
-			if rule != nil {
-				switch action := rule.Action().(type) {
-				case *R.RuleActionReject:
-					switch action.Method {
-					case C.RuleActionRejectMethodDefault:
-						return &mDNS.Msg{
-							MsgHdr: mDNS.MsgHdr{
-								Id:       message.Id,
-								Rcode:    mDNS.RcodeRefused,
-								Response: true,
-							},
-							Question: []mDNS.Question{message.Question[0]},
-						}, nil
-					case C.RuleActionRejectMethodDrop:
-						return nil, tun.ErrDrop
+			response, err = r.client.Exchange(ctx, transport, message, options, nil)
+		} else {
+			var (
+				rule      adapter.DNSRule
+				ruleIndex int
+			)
+			ruleIndex = -1
+			for {
+				dnsCtx := adapter.OverrideContext(ctx)
+				dnsOptions := options
+				transport, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message), &dnsOptions)
+				if rule != nil {
+					switch action := rule.Action().(type) {
+					case *R.RuleActionReject:
+						switch action.Method {
+						case C.RuleActionRejectMethodDefault:
+							return &mDNS.Msg{
+								MsgHdr: mDNS.MsgHdr{
+									Id:       message.Id,
+									Rcode:    mDNS.RcodeRefused,
+									Response: true,
+								},
+								Question: []mDNS.Question{message.Question[0]},
+							}, nil
+						case C.RuleActionRejectMethodDrop:
+							return nil, tun.ErrDrop
+						}
+					case *R.RuleActionPredefined:
+						return action.Response(message), nil
 					}
-				case *R.RuleActionPredefined:
-					return action.Response(message), nil
 				}
-			}
-			responseCheck := addressLimitResponseCheck(rule, metadata)
-			if dnsOptions.Strategy == C.DomainStrategyAsIS {
-				dnsOptions.Strategy = r.defaultDomainStrategy
-			}
-			response, err = r.client.Exchange(dnsCtx, transport, message, dnsOptions, responseCheck)
-			var rejected bool
-			if err != nil {
-				if errors.Is(err, ErrResponseRejectedCached) {
-					rejected = true
-					r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())), " (cached)")
-				} else if errors.Is(err, ErrResponseRejected) {
-					rejected = true
-					r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
-				} else if len(message.Question) > 0 {
-					r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
-				} else {
-					r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
+				var responseCheck func(responseAddrs []netip.Addr) bool
+				if rule != nil && rule.WithAddressLimit() {
+					responseCheck = func(responseAddrs []netip.Addr) bool {
+						metadata.DestinationAddresses = responseAddrs
+						return rule.MatchAddressLimit(metadata)
+					}
 				}
+				if dnsOptions.Strategy == C.DomainStrategyAsIS {
+					dnsOptions.Strategy = r.defaultDomainStrategy
+				}
+				response, err = r.client.Exchange(dnsCtx, transport, message, dnsOptions, responseCheck)
+				var rejected bool
+				if err != nil {
+					if errors.Is(err, ErrResponseRejectedCached) {
+						rejected = true
+						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())), " (cached)")
+					} else if errors.Is(err, ErrResponseRejected) {
+						rejected = true
+						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
+						/*} else if responseCheck!= nil && errors.Is(err, RcodeError(mDNS.RcodeNameError)) {
+						rejected = true
+						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
+						*/
+					} else if len(message.Question) > 0 {
+						rejected = true
+						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
+					} else {
+						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
+					}
+				}
+				if responseCheck != nil && rejected {
+					continue
+				}
+				break
 			}
-			if responseCheck != nil && rejected {
-				continue
-			}
-			break
 		}
 	}
 	if err != nil {
@@ -319,6 +332,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
 	var (
 		responseAddrs []netip.Addr
+		cached        bool
 		err           error
 	)
 	printResult := func() {
@@ -338,6 +352,13 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 			err = E.Cause(err, "lookup ", domain)
 		}
 	}
+	responseAddrs, cached = r.client.LookupCache(domain, options.Strategy)
+	if cached {
+		if len(responseAddrs) == 0 {
+			return nil, E.New("lookup ", domain, ": empty result (cached)")
+		}
+		return responseAddrs, nil
+	}
 	r.logger.DebugContext(ctx, "lookup domain ", domain)
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
@@ -370,13 +391,16 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 			if rule != nil {
 				switch action := rule.Action().(type) {
 				case *R.RuleActionReject:
-					return nil, &R.RejectedError{Cause: action.Error(ctx)}
+					switch action.Method {
+					case C.RuleActionRejectMethodDefault:
+						return nil, nil
+					case C.RuleActionRejectMethodDrop:
+						return nil, tun.ErrDrop
+					}
 				case *R.RuleActionPredefined:
-					responseAddrs = nil
 					if action.Rcode != mDNS.RcodeSuccess {
 						err = RcodeError(action.Rcode)
 					} else {
-						err = nil
 						for _, answer := range action.Answer {
 							switch record := answer.(type) {
 							case *mDNS.A:
@@ -389,7 +413,13 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 					goto response
 				}
 			}
-			responseCheck := addressLimitResponseCheck(rule, metadata)
+			var responseCheck func(responseAddrs []netip.Addr) bool
+			if rule != nil && rule.WithAddressLimit() {
+				responseCheck = func(responseAddrs []netip.Addr) bool {
+					metadata.DestinationAddresses = responseAddrs
+					return rule.MatchAddressLimit(metadata)
+				}
+			}
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -417,18 +447,6 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }
 
-func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
-	if rule == nil || !rule.WithAddressLimit() {
-		return nil
-	}
-	responseMetadata := *metadata
-	return func(responseAddrs []netip.Addr) bool {
-		checkMetadata := responseMetadata
-		checkMetadata.DestinationAddresses = responseAddrs
-		return rule.MatchAddressLimit(&checkMetadata)
-	}
-}
-
 func (r *Router) ClearCache() {
 	r.client.ClearCache()
 	if r.platformInterface != nil {

dns/transport/dhcp/dhcp.go

@@ -2,18 +2,17 @@ package dhcp
 
 import (
 	"context"
-	"errors"
-	"io"
 	"net"
 	"runtime"
 	"strings"
 	"sync"
-	"syscall"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-tun"
@@ -30,7 +29,6 @@ import (
 
 	"github.com/insomniacslk/dhcp/dhcpv4"
 	mDNS "github.com/miekg/dns"
-	"golang.org/x/exp/slices"
 )
 
 func RegisterTransport(registry *dns.TransportRegistry) {
@@ -47,12 +45,9 @@ type Transport struct {
 	networkManager    adapter.NetworkManager
 	interfaceName     string
 	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
-	transportLock     sync.RWMutex
+	transports        []adapter.DNSTransport
+	updateAccess      sync.Mutex
 	updatedAt         time.Time
-	servers           []M.Socksaddr
-	search            []string
-	ndots             int
-	attempts          int
 }
 
 func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.DHCPDNSServerOptions) (adapter.DNSTransport, error) {
@@ -67,40 +62,27 @@ func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, opt
 		logger:           logger,
 		networkManager:   service.FromContext[adapter.NetworkManager](ctx),
 		interfaceName:    options.Interface,
-		ndots:            1,
-		attempts:         2,
 	}, nil
 }
 
-func NewRawTransport(transportAdapter dns.TransportAdapter, ctx context.Context, dialer N.Dialer, logger log.ContextLogger) *Transport {
-	return &Transport{
-		TransportAdapter: transportAdapter,
-		ctx:              ctx,
-		dialer:           dialer,
-		logger:           logger,
-		networkManager:   service.FromContext[adapter.NetworkManager](ctx),
-		ndots:            1,
-		attempts:         2,
-	}
-}
-
 func (t *Transport) Start(stage adapter.StartStage) error {
 	if stage != adapter.StartStateStart {
 		return nil
 	}
+	err := t.fetchServers()
+	if err != nil {
+		return err
+	}
 	if t.interfaceName == "" {
 		t.interfaceCallback = t.networkManager.InterfaceMonitor().RegisterCallback(t.interfaceUpdated)
 	}
-	go func() {
-		_, err := t.Fetch()
-		if err != nil {
-			t.logger.Error(E.Cause(err, "fetch DNS servers"))
-		}
-	}()
 	return nil
 }
 
 func (t *Transport) Close() error {
+	for _, transport := range t.transports {
+		transport.Close()
+	}
 	if t.interfaceCallback != nil {
 		t.networkManager.InterfaceMonitor().UnregisterCallback(t.interfaceCallback)
 	}
@@ -108,44 +90,23 @@ func (t *Transport) Close() error {
 }
 
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	servers, err := t.Fetch()
+	err := t.fetchServers()
 	if err != nil {
 		return nil, err
 	}
-	if len(servers) == 0 {
+
+	if len(t.transports) == 0 {
 		return nil, E.New("dhcp: empty DNS servers from response")
 	}
-	return t.Exchange0(ctx, message, servers)
-}
 
-func (t *Transport) Exchange0(ctx context.Context, message *mDNS.Msg, servers []M.Socksaddr) (*mDNS.Msg, error) {
-	question := message.Question[0]
-	domain := dns.FqdnToDomain(question.Name)
-	if len(servers) == 1 || !(message.Question[0].Qtype == mDNS.TypeA || message.Question[0].Qtype == mDNS.TypeAAAA) {
-		return t.exchangeSingleRequest(ctx, servers, message, domain)
-	} else {
-		return t.exchangeParallel(ctx, servers, message, domain)
+	var response *mDNS.Msg
+	for _, transport := range t.transports {
+		response, err = transport.Exchange(ctx, message)
+		if err == nil {
+			return response, nil
+		}
 	}
-}
-
-func (t *Transport) Fetch() ([]M.Socksaddr, error) {
-	t.transportLock.RLock()
-	updatedAt := t.updatedAt
-	servers := t.servers
-	t.transportLock.RUnlock()
-	if time.Since(updatedAt) < C.DHCPTTL {
-		return servers, nil
-	}
-	t.transportLock.Lock()
-	defer t.transportLock.Unlock()
-	if time.Since(t.updatedAt) < C.DHCPTTL {
-		return t.servers, nil
-	}
-	err := t.updateServers()
-	if err != nil {
-		return nil, err
-	}
-	return t.servers, nil
+	return nil, err
 }
 
 func (t *Transport) fetchInterface() (*control.Interface, error) {
@@ -163,6 +124,18 @@ func (t *Transport) fetchInterface() (*control.Interface, error) {
 	}
 }
 
+func (t *Transport) fetchServers() error {
+	if time.Since(t.updatedAt) < C.DHCPTTL {
+		return nil
+	}
+	t.updateAccess.Lock()
+	defer t.updateAccess.Unlock()
+	if time.Since(t.updatedAt) < C.DHCPTTL {
+		return nil
+	}
+	return t.updateServers()
+}
+
 func (t *Transport) updateServers() error {
 	iface, err := t.fetchInterface()
 	if err != nil {
@@ -175,7 +148,7 @@ func (t *Transport) updateServers() error {
 	cancel()
 	if err != nil {
 		return err
-	} else if len(t.servers) == 0 {
+	} else if len(t.transports) == 0 {
 		return E.New("dhcp: empty DNS servers response")
 	} else {
 		t.updatedAt = time.Now()
@@ -198,27 +171,13 @@ func (t *Transport) fetchServers0(ctx context.Context, iface *control.Interface)
 	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
 		listenAddr = "255.255.255.255:68"
 	}
-	var (
-		packetConn net.PacketConn
-		err        error
-	)
-	for i := 0; i < 5; i++ {
-		packetConn, err = listener.ListenPacket(t.ctx, "udp4", listenAddr)
-		if err == nil || !errors.Is(err, syscall.EADDRINUSE) {
-			break
-		}
-		time.Sleep(time.Second)
-	}
+	packetConn, err := listener.ListenPacket(t.ctx, "udp4", listenAddr)
 	if err != nil {
 		return err
 	}
 	defer packetConn.Close()
 
-	discovery, err := dhcpv4.NewDiscovery(iface.HardwareAddr, dhcpv4.WithBroadcast(true), dhcpv4.WithRequestedOptions(
-		dhcpv4.OptionDomainName,
-		dhcpv4.OptionDomainNameServer,
-		dhcpv4.OptionDNSDomainSearchList,
-	))
+	discovery, err := dhcpv4.NewDiscovery(iface.HardwareAddr, dhcpv4.WithBroadcast(true), dhcpv4.WithRequestedOptions(dhcpv4.OptionDomainNameServer))
 	if err != nil {
 		return err
 	}
@@ -243,12 +202,8 @@ func (t *Transport) fetchServersResponse(iface *control.Interface, packetConn ne
 	defer buffer.Release()
 
 	for {
-		buffer.Reset()
 		_, _, err := buffer.ReadPacketFrom(packetConn)
 		if err != nil {
-			if errors.Is(err, io.ErrShortBuffer) {
-				continue
-			}
 			return err
 		}
 
@@ -268,23 +223,31 @@ func (t *Transport) fetchServersResponse(iface *control.Interface, packetConn ne
 			continue
 		}
 
-		return t.recreateServers(iface, dhcpPacket)
+		dns := dhcpPacket.DNS()
+		if len(dns) == 0 {
+			return nil
+		}
+		return t.recreateServers(iface, common.Map(dns, func(it net.IP) M.Socksaddr {
+			return M.SocksaddrFrom(M.AddrFromIP(it), 53)
+		}))
 	}
 }
 
-func (t *Transport) recreateServers(iface *control.Interface, dhcpPacket *dhcpv4.DHCPv4) error {
-	searchList := dhcpPacket.DomainSearch()
-	if searchList != nil && len(searchList.Labels) > 0 {
-		t.search = searchList.Labels
-	} else if dhcpPacket.DomainName() != "" {
-		t.search = []string{dhcpPacket.DomainName()}
+func (t *Transport) recreateServers(iface *control.Interface, serverAddrs []M.Socksaddr) error {
+	if len(serverAddrs) > 0 {
+		t.logger.Info("dhcp: updated DNS servers from ", iface.Name, ": [", strings.Join(common.Map(serverAddrs, M.Socksaddr.String), ","), "]")
 	}
-	serverAddrs := common.Map(dhcpPacket.DNS(), func(it net.IP) M.Socksaddr {
-		return M.SocksaddrFrom(M.AddrFromIP(it), 53)
-	})
-	if len(serverAddrs) > 0 && !slices.Equal(t.servers, serverAddrs) {
-		t.logger.Info("dhcp: updated DNS servers from ", iface.Name, ": [", strings.Join(common.Map(serverAddrs, M.Socksaddr.String), ","), "], search: [", strings.Join(t.search, ","), "]")
+	serverDialer := common.Must1(dialer.NewDefault(t.ctx, option.DialerOptions{
+		BindInterface:      iface.Name,
+		UDPFragmentDefault: true,
+	}))
+	var transports []adapter.DNSTransport
+	for _, serverAddr := range serverAddrs {
+		transports = append(transports, transport.NewUDPRaw(t.logger, t.TransportAdapter, serverDialer, serverAddr))
 	}
-	t.servers = serverAddrs
+	for _, transport := range t.transports {
+		transport.Close()
+	}
+	t.transports = transports
 	return nil
 }

dns/transport/dhcp/dhcp_shared.go

@@ -1,213 +0,0 @@
-package dhcp
-
-import (
-	"context"
-	"errors"
-	"math/rand"
-	"strings"
-	"syscall"
-
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport"
-	"github.com/sagernet/sing/common/buf"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	mDNS "github.com/miekg/dns"
-)
-
-func (t *Transport) exchangeSingleRequest(ctx context.Context, servers []M.Socksaddr, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
-	var lastErr error
-	for _, fqdn := range t.nameList(domain) {
-		response, err := t.tryOneName(ctx, servers, fqdn, message)
-		if err != nil {
-			lastErr = err
-			continue
-		}
-		return response, nil
-	}
-	return nil, lastErr
-}
-
-func (t *Transport) exchangeParallel(ctx context.Context, servers []M.Socksaddr, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
-	returned := make(chan struct{})
-	defer close(returned)
-	type queryResult struct {
-		response *mDNS.Msg
-		err      error
-	}
-	results := make(chan queryResult)
-	startRacer := func(ctx context.Context, fqdn string) {
-		response, err := t.tryOneName(ctx, servers, fqdn, message)
-		if err == nil {
-			if response.Rcode != mDNS.RcodeSuccess {
-				err = dns.RcodeError(response.Rcode)
-			} else if len(dns.MessageToAddresses(response)) == 0 {
-				err = dns.RcodeSuccess
-			}
-		}
-		select {
-		case results <- queryResult{response, err}:
-		case <-returned:
-		}
-	}
-	queryCtx, queryCancel := context.WithCancel(ctx)
-	defer queryCancel()
-	var nameCount int
-	for _, fqdn := range t.nameList(domain) {
-		nameCount++
-		go startRacer(queryCtx, fqdn)
-	}
-	var errors []error
-	for {
-		select {
-		case <-ctx.Done():
-			return nil, ctx.Err()
-		case result := <-results:
-			if result.err == nil {
-				return result.response, nil
-			}
-			errors = append(errors, result.err)
-			if len(errors) == nameCount {
-				return nil, E.Errors(errors...)
-			}
-		}
-	}
-}
-
-func (t *Transport) tryOneName(ctx context.Context, servers []M.Socksaddr, fqdn string, message *mDNS.Msg) (*mDNS.Msg, error) {
-	sLen := len(servers)
-	var lastErr error
-	for i := 0; i < t.attempts; i++ {
-		for j := 0; j < sLen; j++ {
-			server := servers[j]
-			question := message.Question[0]
-			question.Name = fqdn
-			response, err := t.exchangeOne(ctx, server, question)
-			if err != nil {
-				lastErr = err
-				continue
-			}
-			return response, nil
-		}
-	}
-	return nil, E.Cause(lastErr, fqdn)
-}
-
-func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, question mDNS.Question) (*mDNS.Msg, error) {
-	if server.Port == 0 {
-		server.Port = 53
-	}
-	request := &mDNS.Msg{
-		MsgHdr: mDNS.MsgHdr{
-			Id:                uint16(rand.Uint32()),
-			RecursionDesired:  true,
-			AuthenticatedData: true,
-		},
-		Question: []mDNS.Question{question},
-		Compress: true,
-	}
-	request.SetEdns0(buf.UDPBufferSize, false)
-	return t.exchangeUDP(ctx, server, request)
-}
-
-func (t *Transport) exchangeUDP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg) (*mDNS.Msg, error) {
-	conn, err := t.dialer.DialContext(ctx, N.NetworkUDP, server)
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-		conn.SetDeadline(deadline)
-	}
-	buffer := buf.Get(buf.UDPBufferSize)
-	defer buf.Put(buffer)
-	rawMessage, err := request.PackBuffer(buffer)
-	if err != nil {
-		return nil, E.Cause(err, "pack request")
-	}
-	_, err = conn.Write(rawMessage)
-	if err != nil {
-		if errors.Is(err, syscall.EMSGSIZE) {
-			return t.exchangeTCP(ctx, server, request)
-		}
-		return nil, E.Cause(err, "write request")
-	}
-	n, err := conn.Read(buffer)
-	if err != nil {
-		if errors.Is(err, syscall.EMSGSIZE) {
-			return t.exchangeTCP(ctx, server, request)
-		}
-		return nil, E.Cause(err, "read response")
-	}
-	var response mDNS.Msg
-	err = response.Unpack(buffer[:n])
-	if err != nil {
-		return nil, E.Cause(err, "unpack response")
-	}
-	if response.Truncated {
-		return t.exchangeTCP(ctx, server, request)
-	}
-	return &response, nil
-}
-
-func (t *Transport) exchangeTCP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg) (*mDNS.Msg, error) {
-	conn, err := t.dialer.DialContext(ctx, N.NetworkTCP, server)
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-		conn.SetDeadline(deadline)
-	}
-	err = transport.WriteMessage(conn, 0, request)
-	if err != nil {
-		return nil, err
-	}
-	return transport.ReadMessage(conn)
-}
-
-func (t *Transport) nameList(name string) []string {
-	l := len(name)
-	rooted := l > 0 && name[l-1] == '.'
-	if l > 254 || l == 254 && !rooted {
-		return nil
-	}
-
-	if rooted {
-		if avoidDNS(name) {
-			return nil
-		}
-		return []string{name}
-	}
-
-	hasNdots := strings.Count(name, ".") >= t.ndots
-	name += "."
-	// l++
-
-	names := make([]string, 0, 1+len(t.search))
-	if hasNdots && !avoidDNS(name) {
-		names = append(names, name)
-	}
-	for _, suffix := range t.search {
-		fqdn := name + suffix
-		if !avoidDNS(fqdn) && len(fqdn) <= 254 {
-			names = append(names, fqdn)
-		}
-	}
-	if !hasNdots && !avoidDNS(name) {
-		names = append(names, name)
-	}
-	return names
-}
-
-func avoidDNS(name string) bool {
-	if name == "" {
-		return true
-	}
-	if name[len(name)-1] == '.' {
-		name = name[:len(name)-1]
-	}
-	return strings.HasSuffix(name, ".onion")
-}

dns/transport/fakeip/store.go

@@ -17,43 +17,18 @@ type Store struct {
 	logger       logger.Logger
 	inet4Range   netip.Prefix
 	inet6Range   netip.Prefix
-	inet4Last    netip.Addr
-	inet6Last    netip.Addr
 	storage      adapter.FakeIPStorage
 	inet4Current netip.Addr
 	inet6Current netip.Addr
 }
 
 func NewStore(ctx context.Context, logger logger.Logger, inet4Range netip.Prefix, inet6Range netip.Prefix) *Store {
-	store := &Store{
+	return &Store{
 		ctx:        ctx,
 		logger:     logger,
 		inet4Range: inet4Range,
 		inet6Range: inet6Range,
 	}
-	if inet4Range.IsValid() {
-		store.inet4Last = broadcastAddress(inet4Range)
-	}
-	if inet6Range.IsValid() {
-		store.inet6Last = broadcastAddress(inet6Range)
-	}
-	return store
-}
-
-func broadcastAddress(prefix netip.Prefix) netip.Addr {
-	addr := prefix.Addr()
-	raw := addr.As16()
-	bits := prefix.Bits()
-	if addr.Is4() {
-		bits += 96
-	}
-	for i := bits; i < 128; i++ {
-		raw[i/8] |= 1 << (7 - i%8)
-	}
-	if addr.Is4() {
-		return netip.AddrFrom4([4]byte(raw[12:]))
-	}
-	return netip.AddrFrom16(raw)
 }
 
 func (s *Store) Start() error {
@@ -71,10 +46,10 @@ func (s *Store) Start() error {
 		s.inet6Current = metadata.Inet6Current
 	} else {
 		if s.inet4Range.IsValid() {
-			s.inet4Current = s.inet4Range.Addr().Next()
+			s.inet4Current = s.inet4Range.Addr().Next().Next()
 		}
 		if s.inet6Range.IsValid() {
-			s.inet6Current = s.inet6Range.Addr().Next()
+			s.inet6Current = s.inet6Range.Addr().Next().Next()
 		}
 		_ = storage.FakeIPReset()
 	}
@@ -108,7 +83,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv4 fakeip address range")
 		}
 		nextAddress := s.inet4Current.Next()
-		if nextAddress == s.inet4Last || !s.inet4Range.Contains(nextAddress) {
+		if !s.inet4Range.Contains(nextAddress) {
 			nextAddress = s.inet4Range.Addr().Next().Next()
 		}
 		s.inet4Current = nextAddress
@@ -118,7 +93,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv6 fakeip address range")
 		}
 		nextAddress := s.inet6Current.Next()
-		if nextAddress == s.inet6Last || !s.inet6Range.Contains(nextAddress) {
+		if !s.inet6Range.Contains(nextAddress) {
 			nextAddress = s.inet6Range.Addr().Next().Next()
 		}
 		s.inet6Current = nextAddress

dns/transport/https.go

@@ -8,6 +8,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"os"
 	"strconv"
 	"sync"
 	"time"
@@ -25,6 +26,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	aTLS "github.com/sagernet/sing/common/tls"
 	sHTTP "github.com/sagernet/sing/protocol/http"
 
 	mDNS "github.com/miekg/dns"
@@ -46,7 +48,7 @@ type HTTPSTransport struct {
 	destination      *url.URL
 	headers          http.Header
 	transportAccess  sync.Mutex
-	transport        *HTTPSTransportWrapper
+	transport        *http.Transport
 	transportResetAt time.Time
 }
 
@@ -61,8 +63,11 @@ func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options
 	if err != nil {
 		return nil, err
 	}
-	if len(tlsConfig.NextProtos()) == 0 {
-		tlsConfig.SetNextProtos([]string{http2.NextProtoTLS, "http/1.1"})
+	if common.Error(tlsConfig.Config()) == nil && !common.Contains(tlsConfig.NextProtos(), http2.NextProtoTLS) {
+		tlsConfig.SetNextProtos(append(tlsConfig.NextProtos(), http2.NextProtoTLS))
+	}
+	if !common.Contains(tlsConfig.NextProtos(), "http/1.1") {
+		tlsConfig.SetNextProtos(append(tlsConfig.NextProtos(), "http/1.1"))
 	}
 	headers := options.Headers.Build()
 	host := headers.Get("Host")
@@ -120,13 +125,37 @@ func NewHTTPSRaw(
 	serverAddr M.Socksaddr,
 	tlsConfig tls.Config,
 ) *HTTPSTransport {
+	var transport *http.Transport
+	if tlsConfig != nil {
+		transport = &http.Transport{
+			ForceAttemptHTTP2: true,
+			DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				tcpConn, hErr := dialer.DialContext(ctx, network, serverAddr)
+				if hErr != nil {
+					return nil, hErr
+				}
+				tlsConn, hErr := aTLS.ClientHandshake(ctx, tcpConn, tlsConfig)
+				if hErr != nil {
+					tcpConn.Close()
+					return nil, hErr
+				}
+				return tlsConn, nil
+			},
+		}
+	} else {
+		transport = &http.Transport{
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return dialer.DialContext(ctx, network, serverAddr)
+			},
+		}
+	}
 	return &HTTPSTransport{
 		TransportAdapter: adapter,
 		logger:           logger,
 		dialer:           dialer,
 		destination:      destination,
 		headers:          headers,
-		transport:        NewHTTPSTransportWrapper(tls.NewDialer(dialer, tlsConfig), serverAddr),
+		transport:        transport,
 	}
 }
 
@@ -149,7 +178,7 @@ func (t *HTTPSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS
 	startAt := time.Now()
 	response, err := t.exchange(ctx, message)
 	if err != nil {
-		if errors.Is(err, context.DeadlineExceeded) {
+		if errors.Is(err, os.ErrDeadlineExceeded) {
 			t.transportAccess.Lock()
 			defer t.transportAccess.Unlock()
 			if t.transportResetAt.After(startAt) {

dns/transport/https_transport.go

@@ -1,80 +0,0 @@
-package transport
-
-import (
-	"context"
-	"errors"
-	"net"
-	"net/http"
-	"sync/atomic"
-
-	"github.com/sagernet/sing-box/common/tls"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-
-	"golang.org/x/net/http2"
-)
-
-var errFallback = E.New("fallback to HTTP/1.1")
-
-type HTTPSTransportWrapper struct {
-	http2Transport *http2.Transport
-	httpTransport  *http.Transport
-	fallback       *atomic.Bool
-}
-
-func NewHTTPSTransportWrapper(dialer tls.Dialer, serverAddr M.Socksaddr) *HTTPSTransportWrapper {
-	var fallback atomic.Bool
-	return &HTTPSTransportWrapper{
-		http2Transport: &http2.Transport{
-			DialTLSContext: func(ctx context.Context, _, _ string, _ *tls.STDConfig) (net.Conn, error) {
-				tlsConn, err := dialer.DialTLSContext(ctx, serverAddr)
-				if err != nil {
-					return nil, err
-				}
-				state := tlsConn.ConnectionState()
-				if state.NegotiatedProtocol == http2.NextProtoTLS {
-					return tlsConn, nil
-				}
-				tlsConn.Close()
-				fallback.Store(true)
-				return nil, errFallback
-			},
-		},
-		httpTransport: &http.Transport{
-			DialTLSContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
-				return dialer.DialTLSContext(ctx, serverAddr)
-			},
-		},
-		fallback: &fallback,
-	}
-}
-
-func (h *HTTPSTransportWrapper) RoundTrip(request *http.Request) (*http.Response, error) {
-	if h.fallback.Load() {
-		return h.httpTransport.RoundTrip(request)
-	} else {
-		response, err := h.http2Transport.RoundTrip(request)
-		if err != nil {
-			if errors.Is(err, errFallback) {
-				return h.httpTransport.RoundTrip(request)
-			}
-			return nil, err
-		}
-		return response, nil
-	}
-}
-
-func (h *HTTPSTransportWrapper) CloseIdleConnections() {
-	h.http2Transport.CloseIdleConnections()
-	h.httpTransport.CloseIdleConnections()
-}
-
-func (h *HTTPSTransportWrapper) Clone() *HTTPSTransportWrapper {
-	return &HTTPSTransportWrapper{
-		httpTransport: h.httpTransport,
-		http2Transport: &http2.Transport{
-			DialTLSContext: h.http2Transport.DialTLSContext,
-		},
-		fallback: h.fallback,
-	}
-}

dns/transport/local/local.go

@@ -2,15 +2,12 @@ package local
 
 import (
 	"context"
-	"errors"
 	"math/rand"
-	"syscall"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing-box/dns/transport/hosts"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
@@ -54,17 +51,18 @@ func (t *Transport) Close() error {
 
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	question := message.Question[0]
+	domain := dns.FqdnToDomain(question.Name)
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
-		addresses := t.hosts.Lookup(dns.FqdnToDomain(question.Name))
+		addresses := t.hosts.Lookup(domain)
 		if len(addresses) > 0 {
 			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 		}
 	}
 	systemConfig := getSystemDNSConfig(t.ctx)
 	if systemConfig.singleRequest || !(message.Question[0].Qtype == mDNS.TypeA || message.Question[0].Qtype == mDNS.TypeAAAA) {
-		return t.exchangeSingleRequest(ctx, systemConfig, message, question.Name)
+		return t.exchangeSingleRequest(ctx, systemConfig, message, domain)
 	} else {
-		return t.exchangeParallel(ctx, systemConfig, message, question.Name)
+		return t.exchangeParallel(ctx, systemConfig, message, domain)
 	}
 }
 
@@ -95,7 +93,7 @@ func (t *Transport) exchangeParallel(ctx context.Context, systemConfig *dnsConfi
 			if response.Rcode != mDNS.RcodeSuccess {
 				err = dns.RcodeError(response.Rcode)
 			} else if len(dns.MessageToAddresses(response)) == 0 {
-				err = dns.RcodeSuccess
+				err = E.New(fqdn, ": empty result")
 			}
 		}
 		select {
@@ -151,6 +149,12 @@ func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, questio
 	if server.Port == 0 {
 		server.Port = 53
 	}
+	var networks []string
+	if useTCP {
+		networks = []string{N.NetworkTCP}
+	} else {
+		networks = []string{N.NetworkUDP, N.NetworkTCP}
+	}
 	request := &mDNS.Msg{
 		MsgHdr: mDNS.MsgHdr{
 			Id:                uint16(rand.Uint32()),
@@ -160,74 +164,41 @@ func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, questio
 		Question: []mDNS.Question{question},
 		Compress: true,
 	}
-	request.SetEdns0(buf.UDPBufferSize, false)
-	if !useTCP {
-		return t.exchangeUDP(ctx, server, request, timeout)
-	} else {
-		return t.exchangeTCP(ctx, server, request, timeout)
-	}
-}
-
-func (t *Transport) exchangeUDP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg, timeout time.Duration) (*mDNS.Msg, error) {
-	conn, err := t.dialer.DialContext(ctx, N.NetworkUDP, server)
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-		newDeadline := time.Now().Add(timeout)
-		if deadline.After(newDeadline) {
-			deadline = newDeadline
-		}
-		conn.SetDeadline(deadline)
-	}
+	request.SetEdns0(maxDNSPacketSize, false)
 	buffer := buf.Get(buf.UDPBufferSize)
 	defer buf.Put(buffer)
-	rawMessage, err := request.PackBuffer(buffer)
-	if err != nil {
-		return nil, E.Cause(err, "pack request")
-	}
-	_, err = conn.Write(rawMessage)
-	if err != nil {
-		if errors.Is(err, syscall.EMSGSIZE) {
-			return t.exchangeTCP(ctx, server, request, timeout)
+	for _, network := range networks {
+		ctx, cancel := context.WithDeadline(ctx, time.Now().Add(timeout))
+		defer cancel()
+		conn, err := t.dialer.DialContext(ctx, network, server)
+		if err != nil {
+			return nil, err
 		}
-		return nil, E.Cause(err, "write request")
-	}
-	n, err := conn.Read(buffer)
-	if err != nil {
-		if errors.Is(err, syscall.EMSGSIZE) {
-			return t.exchangeTCP(ctx, server, request, timeout)
+		defer conn.Close()
+		if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
+			conn.SetDeadline(deadline)
 		}
-		return nil, E.Cause(err, "read response")
+		rawMessage, err := request.PackBuffer(buffer)
+		if err != nil {
+			return nil, E.Cause(err, "pack request")
+		}
+		_, err = conn.Write(rawMessage)
+		if err != nil {
+			return nil, E.Cause(err, "write request")
+		}
+		n, err := conn.Read(buffer)
+		if err != nil {
+			return nil, E.Cause(err, "read response")
+		}
+		var response mDNS.Msg
+		err = response.Unpack(buffer[:n])
+		if err != nil {
+			return nil, E.Cause(err, "unpack response")
+		}
+		if response.Truncated && network == N.NetworkUDP {
+			continue
+		}
+		return &response, nil
 	}
-	var response mDNS.Msg
-	err = response.Unpack(buffer[:n])
-	if err != nil {
-		return nil, E.Cause(err, "unpack response")
-	}
-	if response.Truncated {
-		return t.exchangeTCP(ctx, server, request, timeout)
-	}
-	return &response, nil
-}
-
-func (t *Transport) exchangeTCP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg, timeout time.Duration) (*mDNS.Msg, error) {
-	conn, err := t.dialer.DialContext(ctx, N.NetworkTCP, server)
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-		newDeadline := time.Now().Add(timeout)
-		if deadline.After(newDeadline) {
-			deadline = newDeadline
-		}
-		conn.SetDeadline(deadline)
-	}
-	err = transport.WriteMessage(conn, 0, request)
-	if err != nil {
-		return nil, err
-	}
-	return transport.ReadMessage(conn)
+	panic("unexpected")
 }

dns/transport/local/local_fallback.go

@@ -67,6 +67,7 @@ func (f *FallbackTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*m
 		return f.DNSTransport.Exchange(ctx, message)
 	}
 	question := message.Question[0]
+	domain := dns.FqdnToDomain(question.Name)
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
 		var network string
 		if question.Qtype == mDNS.TypeA {
@@ -74,7 +75,7 @@ func (f *FallbackTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*m
 		} else {
 			network = "ip6"
 		}
-		addresses, err := f.resolver.LookupNetIP(ctx, network, question.Name)
+		addresses, err := f.resolver.LookupNetIP(ctx, network, domain)
 		if err != nil {
 			var dnsError *net.DNSError
 			if errors.As(err, &dnsError) && dnsError.IsNotFound {
@@ -84,7 +85,7 @@ func (f *FallbackTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*m
 		}
 		return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 	} else if question.Qtype == mDNS.TypeNS {
-		records, err := f.resolver.LookupNS(ctx, question.Name)
+		records, err := f.resolver.LookupNS(ctx, domain)
 		if err != nil {
 			var dnsError *net.DNSError
 			if errors.As(err, &dnsError) && dnsError.IsNotFound {
@@ -113,7 +114,7 @@ func (f *FallbackTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*m
 		}
 		return response, nil
 	} else if question.Qtype == mDNS.TypeCNAME {
-		cname, err := f.resolver.LookupCNAME(ctx, question.Name)
+		cname, err := f.resolver.LookupCNAME(ctx, domain)
 		if err != nil {
 			var dnsError *net.DNSError
 			if errors.As(err, &dnsError) && dnsError.IsNotFound {
@@ -141,7 +142,7 @@ func (f *FallbackTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*m
 			},
 		}, nil
 	} else if question.Qtype == mDNS.TypeTXT {
-		records, err := f.resolver.LookupTXT(ctx, question.Name)
+		records, err := f.resolver.LookupTXT(ctx, domain)
 		if err != nil {
 			var dnsError *net.DNSError
 			if errors.As(err, &dnsError) && dnsError.IsNotFound {
@@ -169,7 +170,7 @@ func (f *FallbackTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*m
 			},
 		}, nil
 	} else if question.Qtype == mDNS.TypeMX {
-		records, err := f.resolver.LookupMX(ctx, question.Name)
+		records, err := f.resolver.LookupMX(ctx, domain)
 		if err != nil {
 			var dnsError *net.DNSError
 			if errors.As(err, &dnsError) && dnsError.IsNotFound {

dns/transport/local/resolv.go

@@ -10,6 +10,11 @@ import (
 	"time"
 )
 
+const (
+	// net.maxDNSPacketSize
+	maxDNSPacketSize = 1232
+)
+
 type resolverConfig struct {
 	initOnce    sync.Once
 	ch          chan struct{}
@@ -99,7 +104,7 @@ func (c *dnsConfig) serverOffset() uint32 {
 	return 0
 }
 
-func (c *dnsConfig) nameList(name string) []string {
+func (conf *dnsConfig) nameList(name string) []string {
 	l := len(name)
 	rooted := l > 0 && name[l-1] == '.'
 	if l > 254 || l == 254 && !rooted {
@@ -113,15 +118,15 @@ func (c *dnsConfig) nameList(name string) []string {
 		return []string{name}
 	}
 
-	hasNdots := strings.Count(name, ".") >= c.ndots
+	hasNdots := strings.Count(name, ".") >= conf.ndots
 	name += "."
 	// l++
 
-	names := make([]string, 0, 1+len(c.search))
+	names := make([]string, 0, 1+len(conf.search))
 	if hasNdots && !avoidDNS(name) {
 		names = append(names, name)
 	}
-	for _, suffix := range c.search {
+	for _, suffix := range conf.search {
 		fqdn := name + suffix
 		if !avoidDNS(fqdn) && len(fqdn) <= 254 {
 			names = append(names, fqdn)

dns/transport/local/resolv_darwin_cgo.go

@@ -20,8 +20,8 @@ import (
 )
 
 func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
-	var state C.struct___res_state
-	if C.res_ninit(&state) != 0 {
+	var state C.res_state
+	if C.res_ninit(state) != 0 {
 		return &dnsConfig{
 			servers:  defaultNS,
 			search:   dnsDefaultSearch(),

dns/transport/local/resolv_test.go

@@ -1,13 +0,0 @@
-package local
-
-import (
-	"context"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestDNSReadConfig(t *testing.T) {
-	t.Parallel()
-	require.NoError(t, dnsReadConfig(context.Background(), "/etc/resolv.conf").err)
-}

dns/transport/local/resolv_windows.go

@@ -5,7 +5,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strconv"
 	"syscall"
 	"time"
 	"unsafe"
@@ -64,9 +63,6 @@ func dnsReadConfig(ctx context.Context, _ string) *dnsConfig {
 					continue
 				}
 				dnsServerAddr = netip.AddrFrom16(sockaddr.Addr)
-				if sockaddr.ZoneId != 0 {
-					dnsServerAddr = dnsServerAddr.WithZone(strconv.FormatInt(int64(sockaddr.ZoneId), 10))
-				}
 			default:
 				// Unexpected type.
 				continue

dns/transport/udp.go

@@ -60,7 +60,7 @@ func NewUDPRaw(logger logger.ContextLogger, adapter dns.TransportAdapter, dialer
 		logger:           logger,
 		dialer:           dialer,
 		serverAddr:       serverAddr,
-		udpSize:          2048,
+		udpSize:          512,
 		tcpTransport: &TCPTransport{
 			dialer:     dialer,
 			serverAddr: serverAddr,
@@ -97,19 +97,15 @@ func (t *UDPTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.M
 }
 
 func (t *UDPTransport) exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	t.access.Lock()
-	if edns0Opt := message.IsEdns0(); edns0Opt != nil {
-		if udpSize := int(edns0Opt.UDPSize()); udpSize > t.udpSize {
-			t.udpSize = udpSize
-			close(t.done)
-			t.done = make(chan struct{})
-		}
-	}
-	t.access.Unlock()
 	conn, err := t.open(ctx)
 	if err != nil {
 		return nil, err
 	}
+	if edns0Opt := message.IsEdns0(); edns0Opt != nil {
+		if udpSize := int(edns0Opt.UDPSize()); udpSize > t.udpSize {
+			t.udpSize = udpSize
+		}
+	}
 	buffer := buf.NewSize(1 + message.Len())
 	defer buffer.Release()
 	exMessage := *message

docs/changelog.md

@@ -2,277 +2,11 @@
 icon: material/alert-decagram
 ---
 
-#### 1.12.24
+#### 1.12.0-beta.33
 
+* Add firewalld compatibility for auto redirect
 * Fixes and improvements
 
-#### 1.12.23
-
-* Fixes and improvements
-
-#### 1.12.22
-
-* Fixes and improvements
-
-#### 1.12.21
-
-* Fixes and improvements
-
-#### 1.12.20
-
-* Fixes and improvements
-
-#### 1.12.19
-
-* Fixes and improvements
-
-#### 1.12.18
-
-* Add fallback routing rule for `auto_redirect` **1**
-* Fixes and improvements
-
-**1**:
-
-Adds a fallback iproute2 rule checked after system default rules (32766: main, 32767: default),
-ensuring traffic is routed to the sing-box table when no route is found in system tables.
-
-The rule index can be customized via `auto_redirect_iproute2_fallback_rule_index` (default: 32768).
-
-#### 1.12.17
-
-* Update uTLS to v1.8.2 **1**
-* Fixes and improvements
-
-**1**:
-
-This update fixes missing padding extension for Chrome 120+ fingerprints.
-
-Also, documentation has been updated with a warning about uTLS fingerprinting vulnerabilities.
-uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
-use NaiveProxy instead for TLS fingerprint resistance.
-
-#### 1.12.16
-
-* Fixes and improvements
-
-#### 1.12.15
-
-* Fixes and improvements
-
-#### 1.12.14
-
-* Fixes and improvements
-
-#### 1.12.13
-
-* Fix naive inbound
-* Fixes and improvements
-
-__Unfortunately, for non-technical reasons, we are currently unable to notarize the standalone version of the macOS client:
-because system extensions require signatures to function, we have had to temporarily halt its release.__
-
-__We plan to fix the App Store release issue and launch a new standalone desktop client, but until then,
-only clients on TestFlight will be available (unless you have an Apple Developer Program and compile from source code).__
-
-#### 1.12.12
-
-* Fixes and improvements
-
-#### 1.12.11
-
-* Fixes and improvements
-
-#### 1.12.10
-
-* Update uTLS to v1.8.1 **1**
-* Fixes and improvements
-
-**1**:
-
-This update fixes an critical issue that could cause simulated Chrome fingerprints to be detected,
-see https://github.com/refraction-networking/utls/pull/375.
-
-#### 1.12.9
-
-* Fixes and improvements
-
-#### 1.12.8
-
-* Fixes and improvements
-
-#### 1.12.5
-
-* Fixes and improvements
-
-#### 1.12.4
-
-* Fixes and improvements
-
-#### 1.12.3
-
-* Fixes and improvements
-
-#### 1.12.2
-
-* Fixes and improvements
-
-#### 1.12.1
-
-* Fixes and improvements
-
-#### 1.12.0
-
-* Refactor DNS servers **1**
-* Add domain resolver options**2**
-* Add TLS fragment/record fragment support to route options and outbound TLS options **3**
-* Add certificate options **4**
-* Add Tailscale endpoint and DNS server **5**
-* Drop support for go1.22 **6**
-* Add AnyTLS protocol **7**
-* Migrate to stdlib ECH implementation **8**
-* Add NTP sniffer **9**
-* Add wildcard SNI support for ShadowTLS inbound **10**
-* Improve `auto_redirect` **11**
-* Add control options for listeners **12**
-* Add DERP service **13**
-* Add Resolved service and DNS server **14**
-* Add SSM API service **15**
-* Add loopback address support for tun **16**
-* Improve tun performance on Apple platforms **17**
-* Update quic-go to v0.52.0
-* Update gVisor to 20250319.0
-* Update the status of graphical clients in stores **18**
-
-**1**:
-
-DNS servers are refactored for better performance and scalability.
-
-See [DNS server](/configuration/dns/server/).
-
-For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-servers).
-
-Compatibility for old formats will be removed in sing-box 1.14.0.
-
-**2**:
-
-Legacy `outbound` DNS rules are deprecated
-and can be replaced by the new `domain_resolver` option.
-
-See [Dial Fields](/configuration/shared/dial/#domain_resolver) and
-[Route](/configuration/route/#default_domain_resolver).
-
-For migration,
-see [Migrate outbound DNS rule items to domain resolver](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver).
-
-**3**:
-
-See [Route Action](/configuration/route/rule_action/#tls_fragment) and [TLS](/configuration/shared/tls/).
-
-**4**:
-
-New certificate options allow you to manage the default list of trusted X509 CA certificates.
-
-For the system certificate list, fixed Go not reading Android trusted certificates correctly.
-
-You can also use the Mozilla Included List instead, or add trusted certificates yourself.
-
-See [Certificate](/configuration/certificate/).
-
-**5**:
-
-See [Tailscale](/configuration/endpoint/tailscale/).
-
-**6**:
-
-Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.
-
-For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches
-from [MetaCubeX/go](https://github.com/MetaCubeX/go).
-
-**7**:
-
-The new AnyTLS protocol claims to mitigate TLS proxy traffic characteristics and comes with a new multiplexing scheme.
-
-See [AnyTLS Inbound](/configuration/inbound/anytls/) and [AnyTLS Outbound](/configuration/outbound/anytls/).
-
-**8**:
-
-See [TLS](/configuration/shared/tls).
-
-The build tag `with_ech` is no longer needed and has been removed.
-
-**9**:
-
-See [Protocol Sniff](/configuration/route/sniff/).
-
-**10**:
-
-See [ShadowTLS](/configuration/inbound/shadowtls/#wildcard_sni).
-
-**11**:
-
-Now `auto_redirect` fixes compatibility issues between tun and Docker bridge networks,
-see [Tun](/configuration/inbound/tun/#auto_redirect).
-
-**12**:
-
-You can now set `bind_interface`, `routing_mark` and `reuse_addr` in Listen Fields.
-
-See [Listen Fields](/configuration/shared/listen/).
-
-**13**:
-
-DERP service is a Tailscale DERP server, similar to [derper](https://pkg.go.dev/tailscale.com/cmd/derper).
-
-See [DERP Service](/configuration/service/derp/).
-
-**14**:
-
-Resolved service is a fake systemd-resolved DBUS service to receive DNS settings from other programs
-(e.g. NetworkManager) and provide DNS resolution.
-
-See [Resolved Service](/configuration/service/resolved/) and [Resolved DNS Server](/configuration/dns/server/resolved/).
-
-**15**:
-
-SSM API service is a RESTful API server for managing Shadowsocks servers.
-
-See [SSM API Service](/configuration/service/ssm-api/).
-
-**16**:
-
-TUN now implements SideStore's StosVPN.
-
-See [Tun](/configuration/inbound/tun/#loopback_address).
-
-**17**:
-
-We have significantly improved the performance of tun inbound on Apple platforms, especially in the gVisor stack.
-
-The following data was tested
-using [tun_bench](https://github.com/SagerNet/sing-box/blob/dev-next/cmd/internal/tun_bench/main.go) on M4 MacBook pro.
-
-| Version     | Stack  | MTU   | Upload | Download |
-|-------------|--------|-------|--------|----------|
-| 1.11.15     | gvisor | 1500  | 852M   | 2.57G    |
-| 1.12.0-rc.4 | gvisor | 1500  | 2.90G  | 4.68G    |
-| 1.11.15     | gvisor | 4064  | 2.31G  | 6.34G    |
-| 1.12.0-rc.4 | gvisor | 4064  | 7.54G  | 12.2G    |
-| 1.11.15     | gvisor | 65535 | 27.6G  | 18.1G    |
-| 1.12.0-rc.4 | gvisor | 65535 | 39.8G  | 34.7G    |
-| 1.11.15     | system | 1500  | 664M   | 706M     |
-| 1.12.0-rc.4 | system | 1500  | 2.44G  | 2.51G    |
-| 1.11.15     | system | 4064  | 1.88G  | 1.94G    |
-| 1.12.0-rc.4 | system | 4064  | 6.45G  | 6.27G    |
-| 1.11.15     | system | 65535 | 26.2G  | 17.4G    |
-| 1.12.0-rc.4 | system | 65535 | 17.6G  | 21.0G    |
-
-**18**:
-
-We continue to experience issues updating our sing-box apps on the App Store and Play Store.
-Until we rewrite and resubmit the apps, they are considered irrecoverable.
-Therefore, after this release, we will not be repeating this notice unless there is new information.
-
 ### 1.11.15
 
 * Fixes and improvements
@@ -551,8 +285,7 @@ See [AnyTLS Inbound](/configuration/inbound/anytls/) and [AnyTLS Outbound](/conf
 
 **2**:
 
-`resolve` route action now accepts `disable_cache` and other options like in DNS route actions,
-see [Route Action](/configuration/route/rule_action).
+`resolve` route action now accepts `disable_cache` and other options like in DNS route actions, see [Route Action](/configuration/route/rule_action).
 
 **3**:
 
@@ -583,8 +316,7 @@ See [Tailscale](/configuration/endpoint/tailscale/).
 
 Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.
 
-For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches
-from [MetaCubeX/go](https://github.com/MetaCubeX/go).
+For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go).
 
 ### 1.11.3
 

docs/clients/apple/index.md

@@ -9,7 +9,7 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 
 !!! failure ""
 
-    Due to non-technical reasons, we are temporarily unable to update the sing-box app on the App Store and release the standalone version of the macOS client (TestFlight users are not affected)
+    We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected).
 
 ## :material-graph: Requirements
 
@@ -18,7 +18,7 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 
 ## :material-download: Download
 
-* ~~[App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)~~
+* [App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)
 * TestFlight (Beta)
 
 TestFlight quota is only available to [sponsors](https://github.com/sponsors/nekohasekai)
@@ -26,15 +26,15 @@ TestFlight quota is only available to [sponsors](https://github.com/sponsors/nek
 Once you donate, you can get an invitation by join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot)
 or sending us your Apple ID [via email](mailto:contact@sagernet.org).
 
-## ~~:material-file-download: Download (macOS standalone version)~~
+## :material-file-download: Download (macOS standalone version)
 
-* ~~[Homebrew Cask](https://formulae.brew.sh/cask/sfm)~~
+* [Homebrew Cask](https://formulae.brew.sh/cask/sfm)
 
 ```bash
-# brew install sfm
+brew install sfm
 ```
 
-* ~~[GitHub Releases](https://github.com/SagerNet/sing-box/releases)~~
+* [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
 
 ## :material-source-repository: Source code
 

docs/configuration/endpoint/wireguard.zh.md

@@ -61,7 +61,7 @@ WireGuard MTU。
 
 ==必填==
 
-接口的 IPv4/IPv6 地址或地址段的列表。
+接口的 IPv4/IPv6 地址或地址段的列表您。
 
 要分配给接口的 IP（v4 或 v6）地址段列表。
 

docs/configuration/inbound/shadowsocks.md

@@ -9,7 +9,6 @@
 
   "method": "2022-blake3-aes-128-gcm",
   "password": "8JCsPssfgS8tiRwiMlhARg==",
-  "managed": false,
   "multiplex": {}
 }
 ```
@@ -87,10 +86,6 @@ Both if empty.
 | 2022 methods  | `sing-box generate rand --base64 <Key Length>` |
 | other methods | any string                                     |
 
-#### managed
-
-Defaults to `false`. Enable this when the inbound is managed by the [SSM API](/configuration/service/ssm-api) for dynamic user.
-
 #### multiplex
 
 See [Multiplex](/configuration/shared/multiplex#inbound) for details.

docs/configuration/inbound/shadowsocks.zh.md

@@ -9,7 +9,6 @@
 
   "method": "2022-blake3-aes-128-gcm",
   "password": "8JCsPssfgS8tiRwiMlhARg==",
-  "managed": false,
   "multiplex": {}
 }
 ```
@@ -87,10 +86,6 @@ See [Listen Fields](/configuration/shared/listen/) for details.
 | 2022 methods  | `sing-box generate rand --base64 <密钥长度>` |
 | other methods | 任意字符串                                    |
 
-#### managed
-
-默认为 `false`。当该入站需要由 [SSM API](/zh/configuration/service/ssm-api) 管理用户时必须启用此字段。
-
 #### multiplex
 
 参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。

docs/configuration/inbound/tun.md

@@ -2,10 +2,6 @@
 icon: material/new-box
 ---
 
-!!! quote "Changes in sing-box 1.12.18"
-
-    :material-plus: [auto_redirect_iproute2_fallback_rule_index](#auto_redirect_iproute2_fallback_rule_index)
-
 !!! quote "Changes in sing-box 1.12.0"
 
     :material-plus: [loopback_address](#loopback_address)
@@ -67,7 +63,6 @@ icon: material/new-box
   "auto_redirect": true,
   "auto_redirect_input_mark": "0x2023",
   "auto_redirect_output_mark": "0x2024",
-  "auto_redirect_iproute2_fallback_rule_index": 32768,
   "loopback_address": [
     "10.7.0.1"
   ],
@@ -283,17 +278,6 @@ Connection output mark used by `auto_redirect`.
 
 `0x2024` is used by default.
 
-#### auto_redirect_iproute2_fallback_rule_index
-
-!!! question "Since sing-box 1.12.18"
-
-Linux iproute2 fallback rule index generated by `auto_redirect`.
-
-This rule is checked after system default rules (32766: main, 32767: default),
-routing traffic to the sing-box table only when no route is found in system tables.
-
-`32768` is used by default.
-
 #### loopback_address
 
 !!! question "Since sing-box 1.12.0"

docs/configuration/inbound/tun.zh.md

@@ -2,10 +2,6 @@
 icon: material/new-box
 ---
 
-!!! quote "sing-box 1.12.18 中的更改"
-
-    :material-plus: [auto_redirect_iproute2_fallback_rule_index](#auto_redirect_iproute2_fallback_rule_index)
-
 !!! quote "sing-box 1.12.0 中的更改"
 
     :material-plus: [loopback_address](#loopback_address)
@@ -67,7 +63,6 @@ icon: material/new-box
   "auto_redirect": true,
   "auto_redirect_input_mark": "0x2023",
   "auto_redirect_output_mark": "0x2024",
-  "auto_redirect_iproute2_fallback_rule_index": 32768,
   "loopback_address": [
     "10.7.0.1"
   ],
@@ -282,17 +277,6 @@ tun 接口的 IPv6 前缀。
 
 默认使用 `0x2024`。
 
-#### auto_redirect_iproute2_fallback_rule_index
-
-!!! question "自 sing-box 1.12.18 起"
-
-`auto_redirect` 生成的 iproute2 回退规则索引。
-
-此规则在系统默认规则（32766: main，32767: default）之后检查，
-仅当系统路由表中未找到路由时才将流量路由到 sing-box 路由表。
-
-默认使用 `32768`。
-
 #### loopback_address
 
 !!! question "自 sing-box 1.12.0 起"

docs/configuration/outbound/wireguard.zh.md

@@ -88,7 +88,7 @@ icon: material/delete-clock
 
 ==必填==
 
-接口的 IPv4/IPv6 地址或地址段的列表。
+接口的 IPv4/IPv6 地址或地址段的列表您。
 
 要分配给接口的 IP（v4 或 v6）地址段列表。
 

docs/configuration/shared/tls.md

@@ -230,18 +230,9 @@ The path to the server private key, in PEM format.
 
 ==Client only==
 
-!!! failure "Not Recommended"
-
-    uTLS has had repeated fingerprinting vulnerabilities discovered by researchers.
-
-    uTLS is a Go library that attempts to imitate browser TLS fingerprints by copying
-    ClientHello structure. However, browsers use completely different TLS stacks
-    (Chrome uses BoringSSL, Firefox uses NSS) with distinct implementation behaviors
-    that cannot be replicated by simply copying the handshake format, making detection possible.
-    Additionally, the library lacks active maintenance and has poor code quality,
-    making it unsuitable for censorship circumvention.
-
-    For TLS fingerprint resistance, use [NaiveProxy](/configuration/inbound/naive/) instead.
+!!! failure ""
+    
+    There is no evidence that GFW detects and blocks servers based on TLS client fingerprinting, and using an imperfect emulation that has not been security reviewed could pose security risks.
 
 uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance.
 

docs/configuration/shared/tls.zh.md

@@ -220,16 +220,9 @@ TLS 版本值：
 
 ==仅客户端==
 
-!!! failure "不推荐"
+!!! failure ""
 
-    uTLS 已被研究人员多次发现其指纹可被识别的漏洞。
-
-    uTLS 是一个试图通过复制 ClientHello 结构来模仿浏览器 TLS 指纹的 Go 库。
-    然而，浏览器使用完全不同的 TLS 实现（Chrome 使用 BoringSSL，Firefox 使用 NSS），
-    其实现行为无法通过简单复制握手格式来复现，其行为细节必然存在差异，使得检测成为可能。
-    此外，此库缺乏积极维护，且代码质量较差，不建议用于反审查场景。
-
-    如需 TLS 指纹抵抗，请改用 [NaiveProxy](/configuration/inbound/naive/)。
+    没有证据表明 GFW 根据 TLS 客户端指纹检测并阻止服务器，并且，使用一个未经安全审查的不完美模拟可能带来安全隐患。
 
 uTLS 是 "crypto/tls" 的一个分支，它提供了 ClientHello 指纹识别阻力。
 

docs/manual/proxy-protocol/trojan.md

@@ -4,7 +4,8 @@ icon: material/horse
 
 # Trojan
 
-Trojan is the most commonly used TLS proxy made in China. It can be used in various combinations.
+Torjan is the most commonly used TLS proxy made in China. It can be used in various combinations,
+but only the combination of uTLS and multiplexing is recommended.
 
 | Protocol and implementation combination | Specification                                                        | Resists passive detection | Resists active probes |
 |-----------------------------------------|----------------------------------------------------------------------|---------------------------|-----------------------|
@@ -139,7 +140,11 @@ Trojan is the most commonly used TLS proxy made in China. It can be used in vari
           "password": "password",
           "tls": {
             "enabled": true,
-            "server_name": "example.org"
+            "server_name": "example.org",
+            "utls": {
+              "enabled": true,
+              "fingerprint": "firefox"
+            }
           },
           "multiplex": {
             "enabled": true
@@ -166,7 +171,11 @@ Trojan is the most commonly used TLS proxy made in China. It can be used in vari
           "tls": {
             "enabled": true,
             "server_name": "example.org",
-            "certificate_path": "/path/to/certificate.pem"
+            "certificate_path": "/path/to/certificate.pem",
+            "utls": {
+              "enabled": true,
+              "fingerprint": "firefox"
+            }
           },
           "multiplex": {
             "enabled": true
@@ -189,7 +198,11 @@ Trojan is the most commonly used TLS proxy made in China. It can be used in vari
           "tls": {
             "enabled": true,
             "server_name": "example.org",
-            "insecure": true
+            "insecure": true,
+            "utls": {
+              "enabled": true,
+              "fingerprint": "firefox"
+            }
           },
           "multiplex": {
             "enabled": true

docs/manual/proxy/client.md

@@ -108,7 +108,7 @@ flowchart TB
       "inbounds": [
         {
           "type": "tun",
-          "address": ["172.19.0.1/30"],
+          "inet4_address": "172.19.0.1/30",
           "auto_route": true,
           // "auto_redirect": true, // On linux
           "strict_route": true
@@ -162,7 +162,8 @@ flowchart TB
       "inbounds": [
         {
           "type": "tun",
-          "address": ["172.19.0.1/30", "fdfe:dcba:9876::1/126"],
+          "inet4_address": "172.19.0.1/30",
+          "inet6_address": "fdfe:dcba:9876::1/126",
           "auto_route": true,
           // "auto_redirect": true, // On linux
           "strict_route": true
@@ -232,7 +233,8 @@ flowchart TB
       "inbounds": [
         {
           "type": "tun",
-          "address": ["172.19.0.1/30","fdfe:dcba:9876::1/126"],
+          "inet4_address": "172.19.0.1/30",
+          "inet6_address": "fdfe:dcba:9876::1/126",
           "auto_route": true,
           // "auto_redirect": true, // On linux
           "strict_route": true

docs/migration.md

@@ -351,15 +351,14 @@ DNS servers are refactored for better performance and scalability.
         ```json
         {
           "dns": {
-            "rules": [
+            "servers": [
               {
-                "domain": [
-                  "example.com"
-                ],
-                // other rules
-                
-                "action": "predefined",
-                "rcode": "REFUSED"
+                "type": "predefined",
+                "responses": [
+                  {
+                    "rcode": "REFUSED"
+                  }
+                ]
               }
             ]
           }
@@ -1188,4 +1187,4 @@ which will disrupt the existing `process_path` use cases in Windows.
         }
       }
     }
-    ```
+    ```

docs/migration.zh.md

@@ -8,7 +8,7 @@ icon: material/arrange-bring-forward
 
 DNS 服务器已经重构。
 
-!!! info "引用"
+!!! info "饮用"
 
     [DNS 服务器](/configuration/dns/server/) /
     [旧 DNS 服务器](/configuration/dns/server/legacy/)
@@ -351,15 +351,14 @@ DNS 服务器已经重构。
         ```json
         {
           "dns": {
-            "rules": [
+            "servers": [
               {
-                "domain": [
-                  "example.com"
-                ],
-                // 其它规则
-                
-                "action": "predefined",
-                "rcode": "REFUSED"
+                "type": "predefined",
+                "responses": [
+                  {
+                    "rcode": "REFUSED"
+                  }
+                ]
               }
             ]
           }

docs/sponsors.md

@@ -11,22 +11,16 @@ the project maintainer via [GitHub Sponsors](https://github.com/sponsors/nekohas
 
 ![](https://nekohasekai.github.io/sponsor-images/sponsors.svg)
 
-## Commercial Sponsors
+### Special Sponsors
 
-> [Warp](https://go.warp.dev/sing-box), Built for coding with multiple AI agents.
-
-[![](https://github.com/warpdotdev/brand-assets/raw/refs/heads/main/Github/Sponsor/Warp-Github-LG-02.png)](https://go.warp.dev/sing-box)
-
-## Special Sponsors
-
-> Viral Tech, Inc.
+**Viral Tech, Inc.**
 
 Helping us re-list sing-box apps on the Apple Store.
 
 ---
 
-> [JetBrains](https://www.jetbrains.com)
+[![JetBrains logo](https://resources.jetbrains.com/storage/products/company/brand/logos/jetbrains.svg)](https://www.jetbrains.com)
 
 Free license for the amazing IDEs.
 
-[![JetBrains logo](https://resources.jetbrains.com/storage/products/company/brand/logos/jetbrains.svg)](https://www.jetbrains.com)
+---

experimental/clashapi/connections.go

@@ -2,7 +2,6 @@ package clashapi
 
 import (
 	"bytes"
-	"context"
 	"net/http"
 	"strconv"
 	"time"
@@ -18,15 +17,15 @@ import (
 	"github.com/gofrs/uuid/v5"
 )
 
-func connectionRouter(ctx context.Context, router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
+func connectionRouter(router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
 	r := chi.NewRouter()
-	r.Get("/", getConnections(ctx, trafficManager))
+	r.Get("/", getConnections(trafficManager))
 	r.Delete("/", closeAllConnections(router, trafficManager))
 	r.Delete("/{id}", closeConnection(trafficManager))
 	return r
 }
 
-func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func getConnections(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if r.Header.Get("Upgrade") != "websocket" {
 			snapshot := trafficManager.Snapshot()
@@ -68,12 +67,7 @@ func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager)
 
 		tick := time.NewTicker(time.Millisecond * time.Duration(interval))
 		defer tick.Stop()
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-tick.C:
-			}
+		for range tick.C {
 			if err = sendSnapshot(); err != nil {
 				break
 			}

experimental/clashapi/server.go

@@ -115,12 +115,12 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 		r.Use(authentication(options.Secret))
 		r.Get("/", hello(options.ExternalUI != ""))
 		r.Get("/logs", getLogs(logFactory))
-		r.Get("/traffic", traffic(s.ctx, trafficManager))
+		r.Get("/traffic", traffic(trafficManager))
 		r.Get("/version", version)
 		r.Mount("/configs", configRouter(s, logFactory))
 		r.Mount("/proxies", proxyRouter(s, s.router))
 		r.Mount("/rules", ruleRouter(s.router))
-		r.Mount("/connections", connectionRouter(s.ctx, s.router, trafficManager))
+		r.Mount("/connections", connectionRouter(s.router, trafficManager))
 		r.Mount("/providers/proxies", proxyProviderRouter())
 		r.Mount("/providers/rules", ruleProviderRouter())
 		r.Mount("/script", scriptRouter())
@@ -305,7 +305,7 @@ type Traffic struct {
 	Down int64 `json:"down"`
 }
 
-func traffic(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func traffic(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var conn net.Conn
 		if r.Header.Get("Upgrade") == "websocket" {
@@ -326,12 +326,7 @@ func traffic(ctx context.Context, trafficManager *trafficontrol.Manager) func(w
 		defer tick.Stop()
 		buf := &bytes.Buffer{}
 		uploadTotal, downloadTotal := trafficManager.Total()
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-tick.C:
-			}
+		for range tick.C {
 			buf.Reset()
 			uploadTotalNew, downloadTotalNew := trafficManager.Total()
 			err := json.NewEncoder(buf).Encode(Traffic{

experimental/clashapi/trafficontrol/manager.go

@@ -3,12 +3,12 @@ package trafficontrol
 import (
 	"runtime"
 	"sync"
-	"sync/atomic"
 	"time"
 
-	"github.com/sagernet/sing-box/common/compatible"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/clashapi/compatible"
 	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/atomic"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/x/list"
 

experimental/clashapi/trafficontrol/tracker.go

@@ -2,11 +2,11 @@ package trafficontrol
 
 import (
 	"net"
-	"sync/atomic"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/atomic"
 	"github.com/sagernet/sing/common/bufio"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"

experimental/libbox/command_urltest.go

@@ -62,7 +62,10 @@ func (s *CommandServer) handleURLTest(conn net.Conn) error {
 				return false
 			}
 			_, isGroup := it.(adapter.OutboundGroup)
-			return !isGroup
+			if isGroup {
+				return false
+			}
+			return true
 		})
 		b, _ := batch.New(serviceNow.ctx, batch.WithConcurrencyNum[any](10))
 		for _, detour := range outbounds {

experimental/libbox/config.go

@@ -22,7 +22,6 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"
-	"github.com/sagernet/sing/service/filemanager"
 )
 
 func BaseContext(platformInterface PlatformInterface) context.Context {
@@ -34,9 +33,7 @@ func BaseContext(platformInterface PlatformInterface) context.Context {
 			})
 		}
 	}
-	ctx := context.Background()
-	ctx = filemanager.WithDefault(ctx, sWorkingPath, sTempPath, sUserID, sGroupID)
-	return box.Context(ctx, include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry(), dnsRegistry, include.ServiceRegistry())
+	return box.Context(context.Background(), include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry(), dnsRegistry, include.ServiceRegistry())
 }
 
 func parseConfig(ctx context.Context, configContent string) (option.Options, error) {

experimental/libbox/iterator.go

@@ -18,7 +18,6 @@ func newIterator[T any](values []T) *iterator[T] {
 	return &iterator[T]{values}
 }
 
-//go:noinline
 func newPtrIterator[T any](values []T) *iterator[*T] {
 	return &iterator[*T]{common.Map(values, func(value T) *T { return &value })}
 }

experimental/libbox/pidfd_android.go

@@ -1,19 +0,0 @@
-package libbox
-
-import (
-	"os"
-	_ "unsafe"
-)
-
-// https://github.com/SagerNet/sing-box/issues/3233
-// https://github.com/golang/go/issues/70508
-// https://github.com/tailscale/tailscale/issues/13452
-
-//go:linkname checkPidfdOnce os.checkPidfdOnce
-var checkPidfdOnce func() error
-
-func init() {
-	checkPidfdOnce = func() error {
-		return os.ErrInvalid
-	}
-}

experimental/libbox/service.go

@@ -27,6 +27,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
+	"github.com/sagernet/sing/service/filemanager"
 	"github.com/sagernet/sing/service/pause"
 )
 
@@ -43,6 +44,7 @@ type BoxService struct {
 
 func NewService(configContent string, platformInterface PlatformInterface) (*BoxService, error) {
 	ctx := BaseContext(platformInterface)
+	ctx = filemanager.WithDefault(ctx, sWorkingPath, sTempPath, sUserID, sGroupID)
 	service.MustRegister[deprecated.Manager](ctx, new(deprecatedManager))
 	options, err := parseConfig(ctx, configContent)
 	if err != nil {