Bump version

The cache deduplication in Client.Exchange uses a channel-based lock
per DNS question. Waiting goroutines blocked on <-cond without context
awareness, causing them to accumulate indefinitely when the owning
goroutine's transport call stalls. Add select on ctx.Done() so waiters
respect context cancellation and timeouts.

.fpm_openwrt

@@ -14,6 +14,7 @@
 --depends kmod-inet-diag
 --depends kmod-tun
 --depends firewall4
+--depends kmod-nft-queue
 
 --before-remove release/config/openwrt.prerm
 

.github/CRONET_GO_VERSION

@@ -0,0 +1 @@
+dc1cda1fe28740ba069934ab62aeb8ef85388332

.github/setup_go_for_windows7.sh

@@ -1,25 +1,27 @@
 #!/usr/bin/env bash
 
-VERSION="1.23.12"
+VERSION="1.25.7"
 
 mkdir -p $HOME/go
 cd $HOME/go
 wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
 tar -xzf "go${VERSION}.linux-amd64.tar.gz"
-mv go go_legacy
-cd go_legacy
+mv go go_win7
+cd go_win7
 
 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-# this patch file only works on golang1.23.x
-# that means after golang1.24 release it must be changed
-# see: https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
+# this patch file only works on golang1.25.x
+# that means after golang1.26 release it must be changed
+# see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
 # revert:
 # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
 # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
 # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
 # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
 
-curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/69e2eed6dd0f6d815ebf15797761c13f31213dd6.diff | patch --verbose -p 1
+alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
+
+curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1

.github/update_cronet.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+SCRIPT_DIR=$(dirname "$0")
+PROJECTS=$SCRIPT_DIR/../..
+
+git -C $PROJECTS/cronet-go fetch origin main
+git -C $PROJECTS/cronet-go fetch origin go
+go get -x github.com/sagernet/cronet-go/all@$(git -C $PROJECTS/cronet-go rev-parse origin/go)
+go get -x github.com/sagernet/cronet-go@$(git -C $PROJECTS/cronet-go rev-parse origin/go)
+go mod tidy
+git -C $PROJECTS/cronet-go rev-parse origin/go > "$SCRIPT_DIR/CRONET_GO_VERSION"

.github/update_cronet_dev.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+SCRIPT_DIR=$(dirname "$0")
+PROJECTS=$SCRIPT_DIR/../..
+
+git -C $PROJECTS/cronet-go fetch origin dev
+git -C $PROJECTS/cronet-go fetch origin go_dev
+go get -x github.com/sagernet/cronet-go/all@$(git -C $PROJECTS/cronet-go rev-parse origin/go_dev)
+go get -x github.com/sagernet/cronet-go@$(git -C $PROJECTS/cronet-go rev-parse origin/go_dev)
+go mod tidy
+git -C $PROJECTS/cronet-go rev-parse origin/dev > "$SCRIPT_DIR/CRONET_GO_VERSION"

.github/workflows/build.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
+          go-version: ^1.25.7
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -69,13 +69,25 @@ jobs:
     strategy:
       matrix:
         include:
-          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }
-          - { os: linux, arch: "386", go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }
+          - { os: linux, arch: amd64, variant: purego, naive: true }
+          - { os: linux, arch: amd64, variant: glibc, naive: true }
+          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }
+
+          - { os: linux, arch: arm64, variant: purego, naive: true }
+          - { os: linux, arch: arm64, variant: glibc, naive: true }
+          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
+
+          - { os: linux, arch: "386", go386: sse2 }
+          - { os: linux, arch: "386", variant: glibc, naive: true, go386: sse2 }
+          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }
+
+          - { os: linux, arch: arm, goarm: "7" }
+          - { os: linux, arch: arm, variant: glibc, naive: true, goarm: "7" }
+          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
+
           - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
-          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
           - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
           - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl, openwrt: "arm_arm1176jzf-s_vfp" }
-          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
           - { os: linux, arch: mips, gomips: softfloat, openwrt: "mips_24kc mips_4kec mips_mips32" }
           - { os: linux, arch: mipsle, gomips: hardfloat, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc_24kf" }
           - { os: linux, arch: mipsle, gomips: softfloat, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
@@ -87,58 +99,90 @@ jobs:
           - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
           - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
 
-          - { os: windows, arch: amd64 }
-          - { os: windows, arch: amd64, legacy_go123: true, legacy_name: "windows-7" }
-          - { os: windows, arch: "386" }
-          - { os: windows, arch: "386", legacy_go123: true, legacy_name: "windows-7" }
-          - { os: windows, arch: arm64 }
+          - { os: windows, arch: amd64, legacy_win7: true, legacy_name: "windows-7" }
+          - { os: windows, arch: "386", legacy_win7: true, legacy_name: "windows-7" }
 
-          - { os: darwin, arch: amd64 }
-          - { os: darwin, arch: arm64 }
-          - { os: darwin, arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
-
-          - { os: android, arch: arm64, ndk: "aarch64-linux-android21" }
-          - { os: android, arch: arm, ndk: "armv7a-linux-androideabi21" }
-          - { os: android, arch: amd64, ndk: "x86_64-linux-android21" }
-          - { os: android, arch: "386", ndk: "i686-linux-android21" }
+          - { os: android, arch: arm64, ndk: "aarch64-linux-android23" }
+          - { os: android, arch: arm, ndk: "armv7a-linux-androideabi23" }
+          - { os: android, arch: amd64, ndk: "x86_64-linux-android23" }
+          - { os: android, arch: "386", ndk: "i686-linux-android23" }
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
       - name: Setup Go
-        if: ${{ ! (matrix.legacy_go123 || matrix.legacy_go124) }}
+        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
+          go-version: ^1.25.7
       - name: Setup Go 1.24
         if: matrix.legacy_go124
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.24.6
-      - name: Cache Go 1.23
-        if: matrix.legacy_go123
-        id: cache-legacy-go
+          go-version: ~1.24.10
+      - name: Cache Go for Windows 7
+        if: matrix.legacy_win7
+        id: cache-go-for-windows7
         uses: actions/cache@v4
         with:
           path: |
-            ~/go/go_legacy
-          key: go_legacy_12312
-      - name: Setup Go 1.23
-        if: matrix.legacy_go123 && steps.cache-legacy-go.outputs.cache-hit != 'true'
+            ~/go/go_win7
+          key: go_win7_1255
+      - name: Setup Go for Windows 7
+        if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
         run: |-
-          .github/setup_legacy_go.sh
-      - name: Setup Go 1.23
-        if: matrix.legacy_go123
+          .github/setup_go_for_windows7.sh
+      - name: Setup Go for Windows 7
+        if: matrix.legacy_win7
         run: |-
-          echo "PATH=$HOME/go/go_legacy/bin:$PATH" >> $GITHUB_ENV
-          echo "GOROOT=$HOME/go/go_legacy" >> $GITHUB_ENV
+          echo "PATH=$HOME/go/go_win7/bin:$PATH" >> $GITHUB_ENV
+          echo "GOROOT=$HOME/go/go_win7" >> $GITHUB_ENV
       - name: Setup Android NDK
         if: matrix.os == 'android'
         uses: nttld/setup-ndk@v1
         with:
           ndk-version: r28
           local-cache: true
+      - name: Clone cronet-go
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          CRONET_GO_VERSION=$(cat .github/CRONET_GO_VERSION)
+          git init ~/cronet-go
+          git -C ~/cronet-go remote add origin https://github.com/sagernet/cronet-go.git
+          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
+          git -C ~/cronet-go checkout FETCH_HEAD
+          git -C ~/cronet-go submodule update --init --recursive --depth=1
+      - name: Cache Chromium toolchain
+        if: matrix.naive
+        id: cache-chromium-toolchain
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/out/sysroot-build
+          key: chromium-toolchain-${{ matrix.arch }}-${{ matrix.variant }}-${{ hashFiles('.github/CRONET_GO_VERSION') }}
+      - name: Download Chromium toolchain
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          cd ~/cronet-go
+          if [[ "${{ matrix.variant }}" == "musl" ]]; then
+            go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl download-toolchain
+          else
+            go run ./cmd/build-naive --target=linux/${{ matrix.arch }} download-toolchain
+          fi
+      - name: Set Chromium toolchain environment
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          cd ~/cronet-go
+          if [[ "${{ matrix.variant }}" == "musl" ]]; then
+            go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl env >> $GITHUB_ENV
+          else
+            go run ./cmd/build-naive --target=linux/${{ matrix.arch }} env >> $GITHUB_ENV
+          fi
       - name: Set tag
         run: |-
           git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
@@ -146,15 +190,75 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale'
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
+          if [[ "${{ matrix.naive }}" == "true" ]]; then
+            TAGS="${TAGS},with_naive_outbound"
+          fi
+          if [[ "${{ matrix.variant }}" == "purego" ]]; then
+            TAGS="${TAGS},with_purego"
+          elif [[ "${{ matrix.variant }}" == "musl" ]]; then
+            TAGS="${TAGS},with_musl"
+          fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Build
-        if: matrix.os != 'android'
+      - name: Build (purego)
+        if: matrix.variant == 'purego'
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "0"
+          GOOS: ${{ matrix.os }}
+          GOARCH: ${{ matrix.arch }}
+          GO386: ${{ matrix.go386 }}
+          GOARM: ${{ matrix.goarm }}
+          GOMIPS: ${{ matrix.gomips }}
+          GOMIPS64: ${{ matrix.gomips }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract libcronet.so
+        if: matrix.variant == 'purego' && matrix.naive
+        run: |
+          cd ~/cronet-go
+          CGO_ENABLED=0 go run -v ./cmd/build-naive extract-lib --target ${{ matrix.os }}/${{ matrix.arch }} -o $GITHUB_WORKSPACE/dist
+      - name: Build (glibc)
+        if: matrix.variant == 'glibc'
+        run: |
+          set -xeuo pipefail
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "1"
+          GOOS: linux
+          GOARCH: ${{ matrix.arch }}
+          GO386: ${{ matrix.go386 }}
+          GOARM: ${{ matrix.goarm }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build (musl)
+        if: matrix.variant == 'musl'
+        run: |
+          set -xeuo pipefail
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "1"
+          GOOS: linux
+          GOARCH: ${{ matrix.arch }}
+          GO386: ${{ matrix.go386 }}
+          GOARM: ${{ matrix.goarm }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build (non-variant)
+        if: matrix.os != 'android' && matrix.variant == ''
+        run: |
+          set -xeuo pipefail
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -174,7 +278,7 @@ jobs:
           export CXX="${CC}++"
           mkdir -p dist
           GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -193,6 +297,11 @@ jobs:
           elif [[ -n "${{ matrix.legacy_name }}" ]]; then
             DIR_NAME="${DIR_NAME}-legacy-${{ matrix.legacy_name }}"
           fi
+          if [[ "${{ matrix.variant }}" == "glibc" ]]; then
+            DIR_NAME="${DIR_NAME}-glibc"
+          elif [[ "${{ matrix.variant }}" == "musl" ]]; then
+            DIR_NAME="${DIR_NAME}-musl"
+          fi
           echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
           PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
           PKG_VERSION="${PKG_VERSION//-/\~}"
@@ -275,15 +384,177 @@ jobs:
             zip -r "${DIR_NAME}.zip" "${DIR_NAME}"
           else
             cp sing-box "${DIR_NAME}"
+            if [ -f libcronet.so ]; then
+              cp libcronet.so "${DIR_NAME}"
+            fi
             tar -czvf "${DIR_NAME}.tar.gz" "${DIR_NAME}"
           fi
           rm -r "${DIR_NAME}"
+      - name: Cleanup
+        run: rm -f dist/sing-box dist/libcronet.so
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}${{ matrix.variant && format('-{0}', matrix.variant) }}
+          path: "dist"
+  build_darwin:
+    name: Build Darwin binaries
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
+    runs-on: macos-latest
+    needs:
+      - calculate_version
+    strategy:
+      matrix:
+        include:
+          - { arch: amd64 }
+          - { arch: arm64 }
+          - { arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        if: ${{ ! matrix.legacy_go124 }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.25.3
+      - name: Setup Go 1.24
+        if: matrix.legacy_go124
+        uses: actions/setup-go@v5
+        with:
+          go-version: ~1.24.6
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+      - name: Set build tags
+        run: |
+          set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
+          if [[ "${{ matrix.legacy_go124 }}" != "true" ]]; then
+            TAGS="${TAGS},with_naive_outbound"
+          fi
+          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Build
+        run: |
+          set -xeuo pipefail
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "1"
+          GOOS: darwin
+          GOARCH: ${{ matrix.arch }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set name
+        run: |-
+          DIR_NAME="sing-box-${{ needs.calculate_version.outputs.version }}-darwin-${{ matrix.arch }}"
+          if [[ -n "${{ matrix.legacy_name }}" ]]; then
+            DIR_NAME="${DIR_NAME}-legacy-${{ matrix.legacy_name }}"
+          fi
+          echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
+      - name: Archive
+        run: |
+          set -xeuo pipefail
+          cd dist
+          mkdir -p "${DIR_NAME}"
+          cp ../LICENSE "${DIR_NAME}"
+          cp sing-box "${DIR_NAME}"
+          tar -czvf "${DIR_NAME}.tar.gz" "${DIR_NAME}"
+          rm -r "${DIR_NAME}"
       - name: Cleanup
         run: rm dist/sing-box
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
-          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}
+          name: binary-darwin_${{ matrix.arch }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}
+          path: "dist"
+  build_windows:
+    name: Build Windows binaries
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
+    runs-on: windows-latest
+    needs:
+      - calculate_version
+    strategy:
+      matrix:
+        include:
+          - { arch: amd64, naive: true }
+          - { arch: "386" }
+          - { arch: arm64, naive: true }
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.25.4
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$env:GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+      - name: Build
+        if: matrix.naive
+        run: |
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,with_purego,badlinkname,tfogo_checklinkname0" `
+          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0" `
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "0"
+          GOOS: windows
+          GOARCH: ${{ matrix.arch }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build
+        if: ${{ !matrix.naive }}
+        run: |
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" `
+          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0" `
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "0"
+          GOOS: windows
+          GOARCH: ${{ matrix.arch }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract libcronet.dll
+        if: matrix.naive
+        run: |
+          $CRONET_GO_VERSION = Get-Content .github/CRONET_GO_VERSION
+          $env:CGO_ENABLED = "0"
+          go run -v "github.com/sagernet/cronet-go/cmd/build-naive@$CRONET_GO_VERSION" extract-lib --target windows/${{ matrix.arch }} -o dist
+      - name: Archive
+        if: matrix.naive
+        run: |
+          $DIR_NAME = "sing-box-${{ needs.calculate_version.outputs.version }}-windows-${{ matrix.arch }}"
+          mkdir "dist/$DIR_NAME"
+          Copy-Item LICENSE "dist/$DIR_NAME"
+          Copy-Item "dist/sing-box.exe" "dist/$DIR_NAME"
+          Copy-Item "dist/libcronet.dll" "dist/$DIR_NAME"
+          Compress-Archive -Path "dist/$DIR_NAME" -DestinationPath "dist/$DIR_NAME.zip"
+          Remove-Item -Recurse "dist/$DIR_NAME"
+      - name: Archive
+        if: ${{ !matrix.naive }}
+        run: |
+          $DIR_NAME = "sing-box-${{ needs.calculate_version.outputs.version }}-windows-${{ matrix.arch }}"
+          mkdir "dist/$DIR_NAME"
+          Copy-Item LICENSE "dist/$DIR_NAME"
+          Copy-Item "dist/sing-box.exe" "dist/$DIR_NAME"
+          Compress-Archive -Path "dist/$DIR_NAME" -DestinationPath "dist/$DIR_NAME.zip"
+          Remove-Item -Recurse "dist/$DIR_NAME"
+      - name: Cleanup
+        if: matrix.naive
+        run: Remove-Item dist/sing-box.exe, dist/libcronet.dll
+      - name: Cleanup
+        if: ${{ !matrix.naive }}
+        run: Remove-Item dist/sing-box.exe
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-windows_${{ matrix.arch }}
           path: "dist"
   build_android:
     name: Build Android
@@ -300,7 +571,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
+          go-version: ^1.25.7
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -348,9 +619,9 @@ jobs:
       - name: Build
         run: |-
           mkdir clients/android/app/libs
-          cp libbox.aar clients/android/app/libs
+          cp *.aar clients/android/app/libs
           cd clients/android
-          ./gradlew :app:assemblePlayRelease :app:assembleOtherRelease
+          ./gradlew :app:assembleOtherRelease :app:assembleOtherLegacyRelease
         env:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
@@ -358,8 +629,18 @@ jobs:
       - name: Prepare upload
         run: |-
           mkdir -p dist
-          cp clients/android/app/build/outputs/apk/play/release/*.apk dist
-          cp clients/android/app/build/outputs/apk/other/release/*-universal.apk dist
+          #cp clients/android/app/build/outputs/apk/play/release/*.apk dist
+          cp clients/android/app/build/outputs/apk/other/release/*.apk dist
+          cp clients/android/app/build/outputs/apk/otherLegacy/release/*.apk dist
+          VERSION_CODE=$(grep VERSION_CODE clients/android/version.properties | cut -d= -f2)
+          VERSION_NAME=$(grep VERSION_NAME clients/android/version.properties | cut -d= -f2)
+          cat > dist/SFA-version-metadata.json << EOF
+          {
+            "version_code": ${VERSION_CODE},
+            "version_name": "${VERSION_NAME}"
+          }
+          EOF
+          cat dist/SFA-version-metadata.json
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
@@ -380,7 +661,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
+          go-version: ^1.25.7
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -421,7 +702,7 @@ jobs:
         run: |-
           go run -v ./cmd/internal/update_android_version --ci
           mkdir clients/android/app/libs
-          cp libbox.aar clients/android/app/libs
+          cp *.aar clients/android/app/libs
           cd clients/android
           echo -n "$SERVICE_ACCOUNT_CREDENTIALS" | base64 --decode > service-account-credentials.json
           ./gradlew :app:publishPlayReleaseBundle
@@ -432,7 +713,8 @@ jobs:
           SERVICE_ACCOUNT_CREDENTIALS: ${{ secrets.SERVICE_ACCOUNT_CREDENTIALS }}
   build_apple:
     name: Build Apple clients
-    runs-on: macos-15
+    runs-on: macos-26
+    if: false # github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store' || inputs.build == 'iOS' || inputs.build == 'macOS' || inputs.build == 'tvOS' || inputs.build == 'macOS-standalone'
     needs:
       - calculate_version
     strategy:
@@ -478,15 +760,7 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
-      - name: Setup Xcode stable
-        if: matrix.if && github.ref == 'refs/heads/main-next'
-        run: |-
-          sudo xcode-select -s /Applications/Xcode_16.4.app
-      - name: Setup Xcode beta
-        if: matrix.if && github.ref == 'refs/heads/dev-next'
-        run: |-
-          sudo xcode-select -s /Applications/Xcode_16.4.app
+          go-version: ^1.25.7
       - name: Set tag
         if: matrix.if
         run: |-
@@ -605,7 +879,7 @@ jobs:
           		--app-drop-link 0 0 \
           		--skip-jenkins \
           	SFM.dmg "${{ matrix.export_path }}/SFM.app"
-          xcrun notarytool submit "SFM.dmg" --wait --keychain-profile "notarytool-password"          
+          xcrun notarytool submit "SFM.dmg" --wait --keychain-profile "notarytool-password"
           cd "${{ matrix.archive }}"
           zip -r SFM.dSYMs.zip dSYMs
           popd
@@ -626,6 +900,8 @@ jobs:
     needs:
       - calculate_version
       - build
+      - build_darwin
+      - build_windows
       - build_android
       - build_apple
     steps:

.github/workflows/docker.yml

@@ -1,6 +1,10 @@
 name: Publish Docker Images
 
 on:
+  #push:
+  #  branches:
+  #    - main-next
+  #    - dev-next
   release:
     types:
       - published
@@ -13,8 +17,134 @@ env:
   REGISTRY_IMAGE: ghcr.io/sagernet/sing-box
 
 jobs:
-  build:
+  build_binary:
+    name: Build binary
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        include:
+          # Naive-enabled builds (musl)
+          - { arch: amd64, naive: true, docker_platform: "linux/amd64" }
+          - { arch: arm64, naive: true, docker_platform: "linux/arm64" }
+          - { arch: "386", naive: true, docker_platform: "linux/386" }
+          - { arch: arm, goarm: "7", naive: true, docker_platform: "linux/arm/v7" }
+          # Non-naive builds
+          - { arch: arm, goarm: "6", docker_platform: "linux/arm/v6" }
+          - { arch: ppc64le, docker_platform: "linux/ppc64le" }
+          - { arch: riscv64, docker_platform: "linux/riscv64" }
+          - { arch: s390x, docker_platform: "linux/s390x" }
+    steps:
+      - name: Get commit to build
+        id: ref
+        run: |-
+          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
+            ref="${{ github.ref_name }}"
+          else
+            ref="${{ github.event.inputs.tag }}"
+          fi
+          echo "ref=$ref"
+          echo "ref=$ref" >> $GITHUB_OUTPUT
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          ref: ${{ steps.ref.outputs.ref }}
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.25.4
+      - name: Clone cronet-go
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          CRONET_GO_VERSION=$(cat .github/CRONET_GO_VERSION)
+          git init ~/cronet-go
+          git -C ~/cronet-go remote add origin https://github.com/sagernet/cronet-go.git
+          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
+          git -C ~/cronet-go checkout FETCH_HEAD
+          git -C ~/cronet-go submodule update --init --recursive --depth=1
+      - name: Cache Chromium toolchain
+        if: matrix.naive
+        id: cache-chromium-toolchain
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/out/sysroot-build
+          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
+      - name: Download Chromium toolchain
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          cd ~/cronet-go
+          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl download-toolchain
+      - name: Set version
+        run: |
+          set -xeuo pipefail
+          VERSION=$(go run ./cmd/internal/read_tag)
+          echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"
+      - name: Set Chromium toolchain environment
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          cd ~/cronet-go
+          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl env >> $GITHUB_ENV
+      - name: Set build tags
+        run: |
+          set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
+          if [[ "${{ matrix.naive }}" == "true" ]]; then
+            TAGS="${TAGS},with_naive_outbound,with_musl"
+          fi
+          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Build (naive)
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
+          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "1"
+          GOOS: linux
+          GOARCH: ${{ matrix.arch }}
+          GOARM: ${{ matrix.goarm }}
+      - name: Build (non-naive)
+        if: ${{ ! matrix.naive }}
+        run: |
+          set -xeuo pipefail
+          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
+          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "0"
+          GOOS: linux
+          GOARCH: ${{ matrix.arch }}
+          GOARM: ${{ matrix.goarm }}
+      - name: Prepare artifact
+        run: |
+          platform=${{ matrix.docker_platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+          # Rename binary to include arch info for Dockerfile.binary
+          BINARY_NAME="sing-box-${{ matrix.arch }}"
+          if [[ -n "${{ matrix.goarm }}" ]]; then
+            BINARY_NAME="${BINARY_NAME}v${{ matrix.goarm }}"
+          fi
+          mv sing-box "${BINARY_NAME}"
+          echo "BINARY_NAME=${BINARY_NAME}" >> $GITHUB_ENV
+      - name: Upload binary
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-${{ env.PLATFORM_PAIR }}
+          path: ${{ env.BINARY_NAME }}
+          if-no-files-found: error
+          retention-days: 1
+  build_docker:
+    name: Build Docker image
+    runs-on: ubuntu-latest
+    needs:
+      - build_binary
     strategy:
       fail-fast: true
       matrix:
@@ -47,6 +177,16 @@ jobs:
         run: |
           platform=${{ matrix.platform }}
           echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+      - name: Download binary
+        uses: actions/download-artifact@v5
+        with:
+          name: binary-${{ env.PLATFORM_PAIR }}
+          path: .
+      - name: Prepare binary
+        run: |
+          # Find and make the binary executable
+          chmod +x sing-box-*
+          ls -la sing-box-*
       - name: Setup QEMU
         uses: docker/setup-qemu-action@v3
       - name: Setup Docker Buildx
@@ -68,8 +208,7 @@ jobs:
         with:
           platforms: ${{ matrix.platform }}
           context: .
-          build-args: |
-            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
+          file: Dockerfile.binary
           labels: ${{ steps.meta.outputs.labels }}
           outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
       - name: Export digest
@@ -87,7 +226,7 @@ jobs:
   merge:
     runs-on: ubuntu-latest
     needs:
-      - build
+      - build_docker
     steps:
       - name: Get commit to build
         id: ref
@@ -121,6 +260,7 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Create manifest list and push
+        if: github.event_name != 'push'
         working-directory: /tmp/digests
         run: |
           docker buildx imagetools create \
@@ -128,6 +268,7 @@ jobs:
             -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
             $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
       - name: Inspect image
+        if: github.event_name != 'push'
         run: |
           docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}
           docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}

.github/workflows/linux.yml

@@ -1,6 +1,10 @@
 name: Build Linux Packages
 
 on:
+  #push:
+  #  branches:
+  #    - main-next
+  #    - dev-next
   workflow_dispatch:
     inputs:
       version:
@@ -30,7 +34,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
+          go-version: ^1.25.7
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -52,11 +56,13 @@ jobs:
     strategy:
       matrix:
         include:
-          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64 }
-          - { os: linux, arch: "386", debian: i386, rpm: i386 }
+          # Naive-enabled builds (musl)
+          - { os: linux, arch: amd64, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64 }
+          - { os: linux, arch: arm64, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64 }
+          - { os: linux, arch: "386", naive: true, debian: i386, rpm: i386 }
+          - { os: linux, arch: arm, goarm: "7", naive: true, debian: armhf, rpm: armv7hl, pacman: armv7hl }
+          # Non-naive builds (unsupported architectures)
           - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
-          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl }
-          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64 }
           - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
           - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
           - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
@@ -71,13 +77,38 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.1
-      - name: Setup Android NDK
-        if: matrix.os == 'android'
-        uses: nttld/setup-ndk@v1
+          go-version: ^1.25.7
+      - name: Clone cronet-go
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          CRONET_GO_VERSION=$(cat .github/CRONET_GO_VERSION)
+          git init ~/cronet-go
+          git -C ~/cronet-go remote add origin https://github.com/sagernet/cronet-go.git
+          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
+          git -C ~/cronet-go checkout FETCH_HEAD
+          git -C ~/cronet-go submodule update --init --recursive --depth=1
+      - name: Cache Chromium toolchain
+        if: matrix.naive
+        id: cache-chromium-toolchain
+        uses: actions/cache@v4
         with:
-          ndk-version: r28
-          local-cache: true
+          path: |
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/out/sysroot-build
+          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
+      - name: Download Chromium toolchain
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          cd ~/cronet-go
+          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl download-toolchain
+      - name: Set Chromium toolchain environment
+        if: matrix.naive
+        run: |
+          set -xeuo pipefail
+          cd ~/cronet-go
+          go run ./cmd/build-naive --target=linux/${{ matrix.arch }} --libc=musl env >> $GITHUB_ENV
       - name: Set tag
         run: |-
           git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
@@ -85,14 +116,32 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale'
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
+          if [[ "${{ matrix.naive }}" == "true" ]]; then
+            TAGS="${TAGS},with_naive_outbound,with_musl"
+          fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Build
+      - name: Build (naive)
+        if: matrix.naive
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "1"
+          GOOS: linux
+          GOARCH: ${{ matrix.arch }}
+          GOARM: ${{ matrix.goarm }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build (non-naive)
+        if: ${{ ! matrix.naive }}
+        run: |
+          set -xeuo pipefail
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -185,5 +234,6 @@ jobs:
           path: dist
           merge-multiple: true
       - name: Publish packages
+        if: github.event_name != 'push'
         run: |-
           ls dist | xargs -I {} curl -F "package=@dist/{}" https://${{ secrets.FURY_TOKEN }}@push.fury.io/sagernet/

.gitignore

@@ -15,4 +15,6 @@
 .DS_Store
 /config.d/
 /venv/
-
+CLAUDE.md
+AGENTS.md
+/.claude/

.goreleaser.fury.yaml

@@ -1,103 +0,0 @@
-project_name: sing-box
-builds:
-  - id: main
-    main: ./cmd/sing-box
-    flags:
-      - -v
-      - -trimpath
-    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
-      - -s
-      - -buildid=
-    tags:
-      - with_gvisor
-      - with_quic
-      - with_dhcp
-      - with_wireguard
-      - with_utls
-      - with_acme
-      - with_clash_api
-      - with_tailscale
-    env:
-      - CGO_ENABLED=0
-    targets:
-      - linux_386
-      - linux_amd64_v1
-      - linux_arm64
-      - linux_arm_7
-      - linux_s390x
-      - linux_riscv64
-      - linux_mips64le
-    mod_timestamp: '{{ .CommitTimestamp }}'
-snapshot:
-  name_template: "{{ .Version }}.{{ .ShortCommit }}"
-nfpms:
-  - &template
-    id: package
-    package_name: sing-box
-    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    builds:
-      - main
-    homepage: https://sing-box.sagernet.org/
-    maintainer: nekohasekai <contact-git@sekai.icu>
-    description: The universal proxy platform.
-    license: GPLv3 or later
-    formats:
-      - deb
-      - rpm
-    priority: extra
-    contents:
-      - src: release/config/config.json
-        dst: /etc/sing-box/config.json
-        type: "config|noreplace"
-
-      - src: release/config/sing-box.service
-        dst: /usr/lib/systemd/system/sing-box.service
-      - src: release/config/sing-box@.service
-        dst: /usr/lib/systemd/system/sing-box@.service
-      - src: release/config/sing-box.sysusers
-        dst: /usr/lib/sysusers.d/sing-box.conf
-      - src: release/config/sing-box.rules
-        dst: /usr/share/polkit-1/rules.d/sing-box.rules
-      - src: release/config/sing-box-split-dns.xml
-        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
-
-      - src: release/completions/sing-box.bash
-        dst: /usr/share/bash-completion/completions/sing-box.bash
-      - src: release/completions/sing-box.fish
-        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
-      - src: release/completions/sing-box.zsh
-        dst: /usr/share/zsh/site-functions/_sing-box
-
-      - src: LICENSE
-        dst: /usr/share/licenses/sing-box/LICENSE
-    deb:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-      fields:
-        Bugs: https://github.com/SagerNet/sing-box/issues
-    rpm:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-    conflicts:
-      - sing-box-beta
-  - id: package_beta
-    <<: *template
-    package_name: sing-box-beta
-    file_name_template: '{{ .ProjectName }}-beta_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    formats:
-      - deb
-      - rpm
-    conflicts:
-      - sing-box
-release:
-  disable: true
-furies:
-  - account: sagernet
-    ids:
-      - package
-    disable: "{{ not (not .Prerelease) }}"
-  - account: sagernet
-    ids:
-      - package_beta
-    disable: "{{ not .Prerelease }}"

.goreleaser.yaml

@@ -1,213 +0,0 @@
-version: 2
-project_name: sing-box
-builds:
-  - &template
-    id: main
-    main: ./cmd/sing-box
-    flags:
-      - -v
-      - -trimpath
-    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
-      - -s
-      - -buildid=
-    tags:
-      - with_gvisor
-      - with_quic
-      - with_dhcp
-      - with_wireguard
-      - with_utls
-      - with_acme
-      - with_clash_api
-      - with_tailscale
-    env:
-      - CGO_ENABLED=0
-      - GOTOOLCHAIN=local
-    targets:
-      - linux_386
-      - linux_amd64_v1
-      - linux_arm64
-      - linux_arm_6
-      - linux_arm_7
-      - linux_s390x
-      - linux_riscv64
-      - linux_mips64le
-      - windows_amd64_v1
-      - windows_386
-      - windows_arm64
-      - darwin_amd64_v1
-      - darwin_arm64
-    mod_timestamp: '{{ .CommitTimestamp }}'
-  - id: legacy
-    <<: *template
-    tags:
-      - with_gvisor
-      - with_quic
-      - with_dhcp
-      - with_wireguard
-      - with_utls
-      - with_acme
-      - with_clash_api
-      - with_tailscale
-    env:
-      - CGO_ENABLED=0
-      - GOROOT={{ .Env.GOPATH }}/go_legacy
-    tool: "{{ .Env.GOPATH }}/go_legacy/bin/go"
-    targets:
-      - windows_amd64_v1
-      - windows_386
-  - id: android
-    <<: *template
-    env:
-      - CGO_ENABLED=1
-      - GOTOOLCHAIN=local
-    overrides:
-      - goos: android
-        goarch: arm
-        goarm: 7
-        env:
-          - CC=armv7a-linux-androideabi21-clang
-          - CXX=armv7a-linux-androideabi21-clang++
-      - goos: android
-        goarch: arm64
-        env:
-          - CC=aarch64-linux-android21-clang
-          - CXX=aarch64-linux-android21-clang++
-      - goos: android
-        goarch: 386
-        env:
-          - CC=i686-linux-android21-clang
-          - CXX=i686-linux-android21-clang++
-      - goos: android
-        goarch: amd64
-        goamd64: v1
-        env:
-          - CC=x86_64-linux-android21-clang
-          - CXX=x86_64-linux-android21-clang++
-    targets:
-      - android_arm_7
-      - android_arm64
-      - android_386
-      - android_amd64
-archives:
-  - &template
-    id: archive
-    builds:
-      - main
-      - android
-    formats:
-      - tar.gz
-    format_overrides:
-      - goos: windows
-        formats:
-          - zip
-    wrap_in_directory: true
-    files:
-      - LICENSE
-    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-  - id: archive-legacy
-    <<: *template
-    builds:
-      - legacy
-    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}-legacy'
-nfpms:
-  - id: package
-    package_name: sing-box
-    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    builds:
-      - main
-    homepage: https://sing-box.sagernet.org/
-    maintainer: nekohasekai <contact-git@sekai.icu>
-    description: The universal proxy platform.
-    license: GPLv3 or later
-    formats:
-      - deb
-      - rpm
-      - archlinux
-#      - apk
-#      - ipk
-    priority: extra
-    contents:
-      - src: release/config/config.json
-        dst: /etc/sing-box/config.json
-        type: "config|noreplace"
-
-      - src: release/config/sing-box.service
-        dst: /usr/lib/systemd/system/sing-box.service
-      - src: release/config/sing-box@.service
-        dst: /usr/lib/systemd/system/sing-box@.service
-      - src: release/config/sing-box.sysusers
-        dst: /usr/lib/sysusers.d/sing-box.conf
-      - src: release/config/sing-box.rules
-        dst: /usr/share/polkit-1/rules.d/sing-box.rules
-      - src: release/config/sing-box-split-dns.xml
-        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
-
-      - src: release/completions/sing-box.bash
-        dst: /usr/share/bash-completion/completions/sing-box.bash
-      - src: release/completions/sing-box.fish
-        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
-      - src: release/completions/sing-box.zsh
-        dst: /usr/share/zsh/site-functions/_sing-box
-
-      - src: LICENSE
-        dst: /usr/share/licenses/sing-box/LICENSE
-    deb:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-      fields:
-        Bugs: https://github.com/SagerNet/sing-box/issues
-    rpm:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-    overrides:
-      apk:
-        contents:
-          - src: release/config/config.json
-            dst: /etc/sing-box/config.json
-            type: config
-
-          - src: release/config/sing-box.initd
-            dst: /etc/init.d/sing-box
-
-          - src: release/completions/sing-box.bash
-            dst: /usr/share/bash-completion/completions/sing-box.bash
-          - src: release/completions/sing-box.fish
-            dst: /usr/share/fish/vendor_completions.d/sing-box.fish
-          - src: release/completions/sing-box.zsh
-            dst: /usr/share/zsh/site-functions/_sing-box
-
-          - src: LICENSE
-            dst: /usr/share/licenses/sing-box/LICENSE
-      ipk:
-        contents:
-          - src: release/config/config.json
-            dst: /etc/sing-box/config.json
-            type: config
-
-          - src: release/config/openwrt.init
-            dst: /etc/init.d/sing-box
-          - src: release/config/openwrt.conf
-            dst: /etc/config/sing-box
-source:
-  enabled: false
-  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
-  prefix_template: '{{ .ProjectName }}-{{ .Version }}/'
-checksum:
-  disable: true
-  name_template: '{{ .ProjectName }}-{{ .Version }}.checksum'
-signs:
-  - artifacts: checksum
-release:
-  github:
-    owner: SagerNet
-    name: sing-box
-  draft: true
-  prerelease: auto
-  mode: replace
-  ids:
-    - archive
-    - package
-  skip_upload: true
-partial:
-  by: target

Dockerfile

@@ -13,15 +13,13 @@ RUN set -ex \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
     && go build -v -trimpath -tags \
-        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale" \
+        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" \
         -o /go/bin/sing-box \
-        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid= -checklinkname=0" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
         ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
-    && apk upgrade \
-    && apk add bash tzdata ca-certificates nftables \
-    && rm -rf /var/cache/apk/*
+    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]

Dockerfile.binary

@@ -0,0 +1,8 @@
+FROM alpine
+ARG TARGETARCH
+ARG TARGETVARIANT
+LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
+RUN set -ex \
+    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
+COPY sing-box-${TARGETARCH}${TARGETVARIANT} /usr/local/bin/sing-box
+ENTRYPOINT ["sing-box"]

Makefile

@@ -1,12 +1,12 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale
+TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)
 
-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid= -checklinkname=0"
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0"
 MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
@@ -17,6 +17,10 @@ build:
 	export GOTOOLCHAIN=local && \
 	go build $(MAIN_PARAMS) $(MAIN)
 
+race:
+	export GOTOOLCHAIN=local && \
+	go build -race $(MAIN_PARAMS) $(MAIN)
+
 ci_build:
 	export GOTOOLCHAIN=local && \
 	go build $(PARAMS) $(MAIN) && \
@@ -33,6 +37,9 @@ fmt:
 	@gofmt -s -w .
 	@gci write --custom-order -s standard -s "prefix(github.com/sagernet/)" -s "default" .
 
+fmt_docs:
+	go run ./cmd/internal/format_docs
+
 fmt_install:
 	go install -v mvdan.cc/gofumpt@latest
 	go install -v github.com/daixiang0/gci@latest
@@ -82,12 +89,12 @@ update_android_version:
 	go run ./cmd/internal/update_android_version
 
 build_android:
-	cd ../sing-box-for-android && ./gradlew :app:clean :app:assemblePlayRelease :app:assembleOtherRelease && ./gradlew --stop
+	cd ../sing-box-for-android && ./gradlew :app:clean :app:assembleOtherRelease :app:assembleOtherLegacyRelease && ./gradlew --stop
 
 upload_android:
 	mkdir -p dist/release_android
-	cp ../sing-box-for-android/app/build/outputs/apk/play/release/*.apk dist/release_android
-	cp ../sing-box-for-android/app/build/outputs/apk/other/release/*-universal.apk dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/other/release/*.apk dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/otherLegacy/release/*.apk dist/release_android
 	ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release_android
 	rm -rf dist/release_android
 
@@ -102,7 +109,7 @@ build_ios:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFI.xcarchive && \
 	xcodebuild clean -scheme SFI && \
-	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates
+	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates | xcbeautify | grep -A 10 -e "Archive Succeeded" -e "ARCHIVE FAILED" -e "❌"
 
 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
@@ -123,7 +130,7 @@ release_ios: build_ios upload_ios_app_store
 build_macos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFM.xcarchive && \
-	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive -allowProvisioningUpdates
+	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive -allowProvisioningUpdates | xcbeautify | grep -A 10 -e "Archive Succeeded" -e "ARCHIVE FAILED" -e "❌"
 
 upload_macos_app_store:
 	cd ../sing-box-for-apple && \
@@ -132,54 +139,50 @@ upload_macos_app_store:
 release_macos: build_macos upload_macos_app_store
 
 build_macos_standalone:
-	cd ../sing-box-for-apple && \
-	rm -rf build/SFM.System.xcarchive && \
-	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive -allowProvisioningUpdates
+	$(MAKE) -C ../sing-box-for-apple archive_macos_standalone
 
 build_macos_dmg:
-	rm -rf dist/SFM
-	mkdir -p dist/SFM
-	cd ../sing-box-for-apple && \
-	rm -rf build/SFM.System && \
-	rm -rf build/SFM.dmg && \
-	xcodebuild -exportArchive \
-		-archivePath "build/SFM.System.xcarchive" \
-		-exportOptionsPlist SFM.System/Export.plist -allowProvisioningUpdates \
-		-exportPath "build/SFM.System" && \
-	create-dmg \
-		--volname "sing-box" \
-		--volicon "build/SFM.System/SFM.app/Contents/Resources/AppIcon.icns" \
-		--icon "SFM.app" 0 0 \
- 		--hide-extension "SFM.app" \
- 		--app-drop-link 0 0 \
- 		--skip-jenkins \
-		"../sing-box/dist/SFM/SFM.dmg" "build/SFM.System/SFM.app"
+	$(MAKE) -C ../sing-box-for-apple build_macos_dmg
+
+build_macos_pkg:
+	$(MAKE) -C ../sing-box-for-apple build_macos_pkg
 
 notarize_macos_dmg:
-	xcrun notarytool submit "dist/SFM/SFM.dmg" --wait \
-	  --keychain-profile "notarytool-password" \
-  	  --no-s3-acceleration
+	$(MAKE) -C ../sing-box-for-apple notarize_macos_dmg
+
+notarize_macos_pkg:
+	$(MAKE) -C ../sing-box-for-apple notarize_macos_pkg
 
 upload_macos_dmg:
-	cd dist/SFM && \
-	cp SFM.dmg "SFM-${VERSION}-universal.dmg" && \
-	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dmg"
+	mkdir -p dist/SFM
+	cp ../sing-box-for-apple/build/SFM-Apple.dmg "dist/SFM/SFM-${VERSION}-Apple.dmg"
+	cp ../sing-box-for-apple/build/SFM-Intel.dmg "dist/SFM/SFM-${VERSION}-Intel.dmg"
+	cp ../sing-box-for-apple/build/SFM-Universal.dmg "dist/SFM/SFM-${VERSION}-Universal.dmg"
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Apple.dmg"
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Intel.dmg"
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Universal.dmg"
+
+upload_macos_pkg:
+	mkdir -p dist/SFM
+	cp ../sing-box-for-apple/build/SFM-Apple.pkg "dist/SFM/SFM-${VERSION}-Apple.pkg"
+	cp ../sing-box-for-apple/build/SFM-Intel.pkg "dist/SFM/SFM-${VERSION}-Intel.pkg"
+	cp ../sing-box-for-apple/build/SFM-Universal.pkg "dist/SFM/SFM-${VERSION}-Universal.pkg"
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Apple.pkg"
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Intel.pkg"
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Universal.pkg"
 
 upload_macos_dsyms:
-	pushd ../sing-box-for-apple/build/SFM.System.xcarchive && \
-	zip -r SFM.dSYMs.zip dSYMs && \
-	mv SFM.dSYMs.zip ../../../sing-box/dist/SFM && \
-	popd && \
-	cd dist/SFM && \
-	cp SFM.dSYMs.zip "SFM-${VERSION}-universal.dSYMs.zip" && \
-	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dSYMs.zip"
+	mkdir -p dist/SFM
+	cd ../sing-box-for-apple/build/SFM.System-universal.xcarchive && zip -r SFM.dSYMs.zip dSYMs
+	cp ../sing-box-for-apple/build/SFM.System-universal.xcarchive/SFM.dSYMs.zip "dist/SFM/SFM-${VERSION}.dSYMs.zip"
+	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}.dSYMs.zip"
 
-release_macos_standalone: build_macos_standalone build_macos_dmg notarize_macos_dmg upload_macos_dmg upload_macos_dsyms
+release_macos_standalone: build_macos_pkg notarize_macos_pkg upload_macos_pkg upload_macos_dsyms
 
 build_tvos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.xcarchive && \
-	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive -allowProvisioningUpdates
+	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive -allowProvisioningUpdates | xcbeautify | grep -A 10 -e "Archive Succeeded" -e "ARCHIVE FAILED" -e "❌"
 
 upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
@@ -203,12 +206,12 @@ update_apple_version:
 update_macos_version:
 	MACOS_PROJECT_VERSION=$(shell go run -v ./cmd/internal/app_store_connect next_macos_project_version) go run ./cmd/internal/update_apple_version
 
-release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_standalone
+release_apple: lib_apple update_apple_version release_ios release_macos release_tvos release_macos_standalone
 
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
 
 publish_testflight:
-	go run -v ./cmd/internal/app_store_connect publish_testflight
+	go run -v ./cmd/internal/app_store_connect publish_testflight $(filter-out $@,$(MAKECMDGOALS))
 
 prepare_app_store:
 	go run -v ./cmd/internal/app_store_connect prepare_app_store
@@ -231,22 +234,18 @@ test_stdio:
 lib_android:
 	go run ./cmd/internal/build_libbox -target android
 
-lib_android_debug:
-	go run ./cmd/internal/build_libbox -target android -debug
-
 lib_apple:
 	go run ./cmd/internal/build_libbox -target apple
 
-lib_ios:
-	go run ./cmd/internal/build_libbox -target apple -platform ios -debug
+lib_android_new:
+	go run ./cmd/internal/build_libbox_newffi -target android
 
-lib:
-	go run ./cmd/internal/build_libbox -target android
-	go run ./cmd/internal/build_libbox -target ios
+lib_apple_new:
+	go run ./cmd/internal/build_libbox_newffi -target apple
 
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.8
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.8
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.11
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.11
 
 docs:
 	venv/bin/mkdocs serve
@@ -266,3 +265,6 @@ update:
 	git fetch
 	git reset FETCH_HEAD --hard
 	git clean -fdx
+
+%:
+	@:

README.md

@@ -1,3 +1,11 @@
+> Sponsored by [Warp](https://go.warp.dev/sing-box), built for coding with multiple AI agents
+
+<a href="https://go.warp.dev/sing-box">
+<img alt="Warp sponsorship" width="400" src="https://github.com/warpdotdev/brand-assets/raw/refs/heads/main/Github/Sponsor/Warp-Github-LG-02.png">
+</a>
+
+---
+
 # sing-box
 
 The universal proxy platform.

adapter/dns.go

@@ -27,8 +27,6 @@ type DNSClient interface {
 	Start()
 	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
 	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
-	LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool)
-	ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool)
 	ClearCache()
 }
 
@@ -70,6 +68,7 @@ type DNSTransport interface {
 	Type() string
 	Tag() string
 	Dependencies() []string
+	Reset()
 	Exchange(ctx context.Context, message *dns.Msg) (*dns.Msg, error)
 }
 

adapter/endpoint/manager.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"os"
 	"sync"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@@ -11,6 +12,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 )
 
 var _ adapter.EndpointManager = (*Manager)(nil)
@@ -46,10 +48,14 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 		return nil
 	}
 	for _, endpoint := range m.endpoints {
+		name := "endpoint/" + endpoint.Type() + "[" + endpoint.Tag() + "]"
+		m.logger.Trace(stage, " ", name)
+		startTime := time.Now()
 		err := adapter.LegacyStart(endpoint, stage)
 		if err != nil {
-			return E.Cause(err, stage, " endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
+			return E.Cause(err, stage, " ", name)
 		}
+		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -66,11 +72,15 @@ func (m *Manager) Close() error {
 	monitor := taskmonitor.New(m.logger, C.StopTimeout)
 	var err error
 	for _, endpoint := range endpoints {
-		monitor.Start("close endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
+		name := "endpoint/" + endpoint.Type() + "[" + endpoint.Tag() + "]"
+		m.logger.Trace("close ", name)
+		startTime := time.Now()
+		monitor.Start("close ", name)
 		err = E.Append(err, endpoint.Close(), func(err error) error {
-			return E.Cause(err, "close endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
+			return E.Cause(err, "close ", name)
 		})
 		monitor.Finish()
+		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -119,11 +129,15 @@ func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.
 	m.access.Lock()
 	defer m.access.Unlock()
 	if m.started {
+		name := "endpoint/" + endpoint.Type() + "[" + endpoint.Tag() + "]"
 		for _, stage := range adapter.ListStartStages {
+			m.logger.Trace(stage, " ", name)
+			startTime := time.Now()
 			err = adapter.LegacyStart(endpoint, stage)
 			if err != nil {
-				return E.Cause(err, stage, " endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
+				return E.Cause(err, stage, " ", name)
 			}
+			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	if existsEndpoint, loaded := m.endpointByTag[tag]; loaded {

adapter/experimental.go

@@ -4,8 +4,10 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
+	"io"
 	"time"
 
+	"github.com/sagernet/sing/common/observable"
 	"github.com/sagernet/sing/common/varbin"
 )
 
@@ -14,6 +16,7 @@ type ClashServer interface {
 	ConnectionTracker
 	Mode() string
 	ModeList() []string
+	SetModeUpdateHook(hook *observable.Subscriber[struct{}])
 	HistoryStorage() URLTestHistoryStorage
 }
 
@@ -23,7 +26,7 @@ type URLTestHistory struct {
 }
 
 type URLTestHistoryStorage interface {
-	SetHook(hook chan<- struct{})
+	SetHook(hook *observable.Subscriber[struct{}])
 	LoadURLTestHistory(tag string) *URLTestHistory
 	DeleteURLTestHistory(tag string)
 	StoreURLTestHistory(tag string, history *URLTestHistory)
@@ -66,7 +69,11 @@ func (s *SavedBinary) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	err = varbin.Write(&buffer, binary.BigEndian, s.Content)
+	_, err = varbin.WriteUvarint(&buffer, uint64(len(s.Content)))
+	if err != nil {
+		return nil, err
+	}
+	_, err = buffer.Write(s.Content)
 	if err != nil {
 		return nil, err
 	}
@@ -74,7 +81,11 @@ func (s *SavedBinary) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	err = varbin.Write(&buffer, binary.BigEndian, s.LastEtag)
+	_, err = varbin.WriteUvarint(&buffer, uint64(len(s.LastEtag)))
+	if err != nil {
+		return nil, err
+	}
+	_, err = buffer.WriteString(s.LastEtag)
 	if err != nil {
 		return nil, err
 	}
@@ -88,7 +99,12 @@ func (s *SavedBinary) UnmarshalBinary(data []byte) error {
 	if err != nil {
 		return err
 	}
-	err = varbin.Read(reader, binary.BigEndian, &s.Content)
+	contentLength, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return err
+	}
+	s.Content = make([]byte, contentLength)
+	_, err = io.ReadFull(reader, s.Content)
 	if err != nil {
 		return err
 	}
@@ -98,10 +114,16 @@ func (s *SavedBinary) UnmarshalBinary(data []byte) error {
 		return err
 	}
 	s.LastUpdated = time.Unix(lastUpdated, 0)
-	err = varbin.Read(reader, binary.BigEndian, &s.LastEtag)
+	etagLength, err := binary.ReadUvarint(reader)
 	if err != nil {
 		return err
 	}
+	etagBytes := make([]byte, etagLength)
+	_, err = io.ReadFull(reader, etagBytes)
+	if err != nil {
+		return err
+	}
+	s.LastEtag = string(etagBytes)
 	return nil
 }
 

adapter/inbound.go

@@ -5,7 +5,6 @@ import (
 	"net/netip"
 	"time"
 
-	"github.com/sagernet/sing-box/common/process"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
@@ -85,7 +84,7 @@ type InboundContext struct {
 	DestinationAddresses []netip.Addr
 	SourceGeoIPCode      string
 	GeoIPCode            string
-	ProcessInfo          *process.Info
+	ProcessInfo          *ConnectionOwner
 	QueryType            uint16
 	FakeIP               bool
 

adapter/inbound/manager.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"os"
 	"sync"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@@ -11,6 +12,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 )
 
 var _ adapter.InboundManager = (*Manager)(nil)
@@ -45,10 +47,14 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 	inbounds := m.inbounds
 	m.access.Unlock()
 	for _, inbound := range inbounds {
+		name := "inbound/" + inbound.Type() + "[" + inbound.Tag() + "]"
+		m.logger.Trace(stage, " ", name)
+		startTime := time.Now()
 		err := adapter.LegacyStart(inbound, stage)
 		if err != nil {
-			return E.Cause(err, stage, " inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+			return E.Cause(err, stage, " ", name)
 		}
+		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -65,11 +71,15 @@ func (m *Manager) Close() error {
 	monitor := taskmonitor.New(m.logger, C.StopTimeout)
 	var err error
 	for _, inbound := range inbounds {
-		monitor.Start("close inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+		name := "inbound/" + inbound.Type() + "[" + inbound.Tag() + "]"
+		m.logger.Trace("close ", name)
+		startTime := time.Now()
+		monitor.Start("close ", name)
 		err = E.Append(err, inbound.Close(), func(err error) error {
-			return E.Cause(err, "close inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+			return E.Cause(err, "close ", name)
 		})
 		monitor.Finish()
+		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -121,11 +131,15 @@ func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.
 	m.access.Lock()
 	defer m.access.Unlock()
 	if m.started {
+		name := "inbound/" + inbound.Type() + "[" + inbound.Tag() + "]"
 		for _, stage := range adapter.ListStartStages {
+			m.logger.Trace(stage, " ", name)
+			startTime := time.Now()
 			err = adapter.LegacyStart(inbound, stage)
 			if err != nil {
-				return E.Cause(err, stage, " inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+				return E.Cause(err, stage, " ", name)
 			}
+			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	if existsInbound, loaded := m.inboundByTag[tag]; loaded {

adapter/lifecycle.go

@@ -1,6 +1,14 @@
 package adapter
 
-import E "github.com/sagernet/sing/common/exceptions"
+import (
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/sagernet/sing-box/log"
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+)
 
 type SimpleLifecycle interface {
 	Start() error
@@ -48,22 +56,47 @@ type LifecycleService interface {
 	Lifecycle
 }
 
-func Start(stage StartStage, services ...Lifecycle) error {
+func getServiceName(service any) string {
+	if named, ok := service.(interface {
+		Type() string
+		Tag() string
+	}); ok {
+		tag := named.Tag()
+		if tag != "" {
+			return named.Type() + "[" + tag + "]"
+		}
+		return named.Type()
+	}
+	t := reflect.TypeOf(service)
+	if t.Kind() == reflect.Ptr {
+		t = t.Elem()
+	}
+	return strings.ToLower(t.Name())
+}
+
+func Start(logger log.ContextLogger, stage StartStage, services ...Lifecycle) error {
 	for _, service := range services {
+		name := getServiceName(service)
+		logger.Trace(stage, " ", name)
+		startTime := time.Now()
 		err := service.Start(stage)
 		if err != nil {
 			return err
 		}
+		logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
 
-func StartNamed(stage StartStage, services []LifecycleService) error {
+func StartNamed(logger log.ContextLogger, stage StartStage, services []LifecycleService) error {
 	for _, service := range services {
+		logger.Trace(stage, " ", service.Name())
+		startTime := time.Now()
 		err := service.Start(stage)
 		if err != nil {
 			return E.Cause(err, stage.String(), " ", service.Name())
 		}
+		logger.Trace(stage, " ", service.Name(), " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }

adapter/network.go

@@ -10,6 +10,7 @@ import (
 
 type NetworkManager interface {
 	Lifecycle
+	Initialize(ruleSets []RuleSet)
 	InterfaceFinder() control.InterfaceFinder
 	UpdateInterfaces() error
 	DefaultNetworkInterface() *NetworkInterface
@@ -24,9 +25,10 @@ type NetworkManager interface {
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
+	NeedWIFIState() bool
 	WIFIState() WIFIState
-	ResetNetwork()
 	UpdateWIFIState()
+	ResetNetwork()
 }
 
 type NetworkOptions struct {

adapter/outbound/manager.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@@ -13,6 +14,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/logger"
 )
 
@@ -81,10 +83,14 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 		outbounds := m.outbounds
 		m.access.Unlock()
 		for _, outbound := range outbounds {
+			name := "outbound/" + outbound.Type() + "[" + outbound.Tag() + "]"
+			m.logger.Trace(stage, " ", name)
+			startTime := time.Now()
 			err := adapter.LegacyStart(outbound, stage)
 			if err != nil {
-				return E.Cause(err, stage, " outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+				return E.Cause(err, stage, " ", name)
 			}
+			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	return nil
@@ -109,22 +115,29 @@ func (m *Manager) startOutbounds(outbounds []adapter.Outbound) error {
 			}
 			started[outboundTag] = true
 			canContinue = true
+			name := "outbound/" + outboundToStart.Type() + "[" + outboundTag + "]"
 			if starter, isStarter := outboundToStart.(adapter.Lifecycle); isStarter {
-				monitor.Start("start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+				m.logger.Trace("start ", name)
+				startTime := time.Now()
+				monitor.Start("start ", name)
 				err := starter.Start(adapter.StartStateStart)
 				monitor.Finish()
 				if err != nil {
-					return E.Cause(err, "start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+					return E.Cause(err, "start ", name)
 				}
+				m.logger.Trace("start ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 			} else if starter, isStarter := outboundToStart.(interface {
 				Start() error
 			}); isStarter {
-				monitor.Start("start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+				m.logger.Trace("start ", name)
+				startTime := time.Now()
+				monitor.Start("start ", name)
 				err := starter.Start()
 				monitor.Finish()
 				if err != nil {
-					return E.Cause(err, "start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+					return E.Cause(err, "start ", name)
 				}
+				m.logger.Trace("start ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 			}
 		}
 		if len(started) == len(outbounds) {
@@ -171,11 +184,15 @@ func (m *Manager) Close() error {
 	var err error
 	for _, outbound := range outbounds {
 		if closer, isCloser := outbound.(io.Closer); isCloser {
-			monitor.Start("close outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+			name := "outbound/" + outbound.Type() + "[" + outbound.Tag() + "]"
+			m.logger.Trace("close ", name)
+			startTime := time.Now()
+			monitor.Start("close ", name)
 			err = E.Append(err, closer.Close(), func(err error) error {
-				return E.Cause(err, "close outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+				return E.Cause(err, "close ", name)
 			})
 			monitor.Finish()
+			m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	return nil
@@ -256,11 +273,15 @@ func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.
 		return err
 	}
 	if m.started {
+		name := "outbound/" + outbound.Type() + "[" + outbound.Tag() + "]"
 		for _, stage := range adapter.ListStartStages {
+			m.logger.Trace(stage, " ", name)
+			startTime := time.Now()
 			err = adapter.LegacyStart(outbound, stage)
 			if err != nil {
-				return E.Cause(err, stage, " outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+				return E.Cause(err, stage, " ", name)
 			}
+			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	m.access.Lock()

adapter/platform.go

@@ -0,0 +1,70 @@
+package adapter
+
+import (
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-tun"
+	"github.com/sagernet/sing/common/logger"
+)
+
+type PlatformInterface interface {
+	Initialize(networkManager NetworkManager) error
+
+	UsePlatformAutoDetectInterfaceControl() bool
+	AutoDetectInterfaceControl(fd int) error
+
+	UsePlatformInterface() bool
+	OpenInterface(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error)
+
+	UsePlatformDefaultInterfaceMonitor() bool
+	CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor
+
+	UsePlatformNetworkInterfaces() bool
+	NetworkInterfaces() ([]NetworkInterface, error)
+
+	UnderNetworkExtension() bool
+	NetworkExtensionIncludeAllNetworks() bool
+
+	ClearDNSCache()
+	RequestPermissionForWIFIState() error
+	ReadWIFIState() WIFIState
+	SystemCertificates() []string
+
+	UsePlatformConnectionOwnerFinder() bool
+	FindConnectionOwner(request *FindConnectionOwnerRequest) (*ConnectionOwner, error)
+
+	UsePlatformWIFIMonitor() bool
+
+	UsePlatformNotification() bool
+	SendNotification(notification *Notification) error
+}
+
+type FindConnectionOwnerRequest struct {
+	IpProtocol         int32
+	SourceAddress      string
+	SourcePort         int32
+	DestinationAddress string
+	DestinationPort    int32
+}
+
+type ConnectionOwner struct {
+	ProcessID          uint32
+	UserId             int32
+	UserName           string
+	ProcessPath        string
+	AndroidPackageName string
+}
+
+type Notification struct {
+	Identifier string
+	TypeName   string
+	TypeID     int32
+	Title      string
+	Subtitle   string
+	Body       string
+	OpenURL    string
+}
+
+type SystemProxyStatus struct {
+	Available bool
+	Enabled   bool
+}

adapter/router.go

@@ -21,11 +21,11 @@ import (
 type Router interface {
 	Lifecycle
 	ConnectionRouter
-	PreMatch(metadata InboundContext, context tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error)
+	PreMatch(metadata InboundContext, context tun.DirectRouteContext, timeout time.Duration, supportBypass bool) (tun.DirectRouteDestination, error)
 	ConnectionRouterEx
 	RuleSet(tag string) (RuleSet, bool)
-	NeedWIFIState() bool
 	Rules() []Rule
+	NeedFindProcess() bool
 	AppendTracker(tracker ConnectionTracker)
 	ResetNetwork()
 }

adapter/service/manager.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"os"
 	"sync"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@@ -11,6 +12,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 )
 
 var _ adapter.ServiceManager = (*Manager)(nil)
@@ -43,10 +45,14 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 	services := m.services
 	m.access.Unlock()
 	for _, service := range services {
+		name := "service/" + service.Type() + "[" + service.Tag() + "]"
+		m.logger.Trace(stage, " ", name)
+		startTime := time.Now()
 		err := adapter.LegacyStart(service, stage)
 		if err != nil {
-			return E.Cause(err, stage, " service/", service.Type(), "[", service.Tag(), "]")
+			return E.Cause(err, stage, " ", name)
 		}
+		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -63,11 +69,15 @@ func (m *Manager) Close() error {
 	monitor := taskmonitor.New(m.logger, C.StopTimeout)
 	var err error
 	for _, service := range services {
-		monitor.Start("close service/", service.Type(), "[", service.Tag(), "]")
+		name := "service/" + service.Type() + "[" + service.Tag() + "]"
+		m.logger.Trace("close ", name)
+		startTime := time.Now()
+		monitor.Start("close ", name)
 		err = E.Append(err, service.Close(), func(err error) error {
-			return E.Cause(err, "close service/", service.Type(), "[", service.Tag(), "]")
+			return E.Cause(err, "close ", name)
 		})
 		monitor.Finish()
+		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
 	return nil
 }
@@ -116,11 +126,15 @@ func (m *Manager) Create(ctx context.Context, logger log.ContextLogger, tag stri
 	m.access.Lock()
 	defer m.access.Unlock()
 	if m.started {
+		name := "service/" + service.Type() + "[" + service.Tag() + "]"
 		for _, stage := range adapter.ListStartStages {
+			m.logger.Trace(stage, " ", name)
+			startTime := time.Now()
 			err = adapter.LegacyStart(service, stage)
 			if err != nil {
-				return E.Cause(err, stage, " service/", service.Type(), "[", service.Tag(), "]")
+				return E.Cause(err, stage, " ", name)
 			}
+			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 		}
 	}
 	if existsService, loaded := m.serviceByTag[tag]; loaded {

adapter/upstream.go

@@ -73,7 +73,7 @@ func NewUpstreamContextHandlerEx(
 }
 
 func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	myMetadata := ContextFrom(ctx)
+	_, myMetadata := ExtendContext(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -84,7 +84,7 @@ func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context,
 }
 
 func (w *myUpstreamContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	myMetadata := ContextFrom(ctx)
+	_, myMetadata := ExtendContext(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -146,7 +146,7 @@ type routeContextHandlerWrapperEx struct {
 }
 
 func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	metadata := ContextFrom(ctx)
+	_, metadata := ExtendContext(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}
@@ -157,7 +157,7 @@ func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn
 }
 
 func (r *routeContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	metadata := ContextFrom(ctx)
+	_, metadata := ExtendContext(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}

box.go

@@ -22,7 +22,6 @@ import (
 	"github.com/sagernet/sing-box/dns/transport/local"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/cachefile"
-	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/protocol/direct"
@@ -139,7 +138,7 @@ func New(options Options) (*Box, error) {
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
 		needV2RayAPI = true
 	}
-	platformInterface := service.FromContext[platform.Interface](ctx)
+	platformInterface := service.FromContext[adapter.PlatformInterface](ctx)
 	var defaultLogWriter io.Writer
 	if platformInterface != nil {
 		defaultLogWriter = io.Discard
@@ -184,7 +183,7 @@ func New(options Options) (*Box, error) {
 	service.MustRegister[adapter.ServiceManager](ctx, serviceManager)
 	dnsRouter := dns.NewRouter(ctx, logFactory, dnsOptions)
 	service.MustRegister[adapter.DNSRouter](ctx, dnsRouter)
-	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions)
+	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions, dnsOptions)
 	if err != nil {
 		return nil, E.Cause(err, "initialize network manager")
 	}
@@ -444,15 +443,15 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return E.Cause(err, "start logger")
 	}
-	err = adapter.StartNamed(adapter.StartStateInitialize, s.internalService) // cache-file clash-api v2ray-api
+	err = adapter.StartNamed(s.logger, adapter.StartStateInitialize, s.internalService) // cache-file clash-api v2ray-api
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
 	if err != nil {
 		return err
 	}
@@ -464,27 +463,27 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(adapter.StartStateStart, s.internalService)
+	err = adapter.StartNamed(s.logger, adapter.StartStateStart, s.internalService)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStart, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(adapter.StartStatePostStart, s.internalService)
+	err = adapter.StartNamed(s.logger, adapter.StartStatePostStart, s.internalService)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(adapter.StartStateStarted, s.internalService)
+	err = adapter.StartNamed(s.logger, adapter.StartStateStarted, s.internalService)
 	if err != nil {
 		return err
 	}
@@ -498,17 +497,42 @@ func (s *Box) Close() error {
 	default:
 		close(s.done)
 	}
-	err := common.Close(
-		s.service, s.endpoint, s.inbound, s.outbound, s.router, s.connection, s.dnsRouter, s.dnsTransport, s.network,
-	)
+	var err error
+	for _, closeItem := range []struct {
+		name    string
+		service adapter.Lifecycle
+	}{
+		{"service", s.service},
+		{"endpoint", s.endpoint},
+		{"inbound", s.inbound},
+		{"outbound", s.outbound},
+		{"router", s.router},
+		{"connection", s.connection},
+		{"dns-router", s.dnsRouter},
+		{"dns-transport", s.dnsTransport},
+		{"network", s.network},
+	} {
+		s.logger.Trace("close ", closeItem.name)
+		startTime := time.Now()
+		err = E.Append(err, closeItem.service.Close(), func(err error) error {
+			return E.Cause(err, "close ", closeItem.name)
+		})
+		s.logger.Trace("close ", closeItem.name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
+	}
 	for _, lifecycleService := range s.internalService {
+		s.logger.Trace("close ", lifecycleService.Name())
+		startTime := time.Now()
 		err = E.Append(err, lifecycleService.Close(), func(err error) error {
 			return E.Cause(err, "close ", lifecycleService.Name())
 		})
+		s.logger.Trace("close ", lifecycleService.Name(), " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
+	s.logger.Trace("close logger")
+	startTime := time.Now()
 	err = E.Append(err, s.logFactory.Close(), func(err error) error {
 		return E.Cause(err, "close logger")
 	})
+	s.logger.Trace("close logger completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	return err
 }
 
@@ -527,3 +551,7 @@ func (s *Box) Inbound() adapter.InboundManager {
 func (s *Box) Outbound() adapter.OutboundManager {
 	return s.outbound
 }
+
+func (s *Box) LogFactory() log.Factory {
+	return s.logFactory
+}

cmd/internal/app_store_connect/main.go

@@ -100,11 +100,32 @@ findVersion:
 }
 
 func publishTestflight(ctx context.Context) error {
+	if len(os.Args) < 3 {
+		return E.New("platform required: ios, macos, or tvos")
+	}
+	var platform asc.Platform
+	switch os.Args[2] {
+	case "ios":
+		platform = asc.PlatformIOS
+	case "macos":
+		platform = asc.PlatformMACOS
+	case "tvos":
+		platform = asc.PlatformTVOS
+	default:
+		return E.New("unknown platform: ", os.Args[2])
+	}
+
 	tagVersion, err := build_shared.ReadTagVersion()
 	if err != nil {
 		return err
 	}
 	tag := tagVersion.VersionString()
+
+	releaseNotes := F.ToString("sing-box ", tagVersion.String())
+	if len(os.Args) >= 4 {
+		releaseNotes = strings.Join(os.Args[3:], " ")
+	}
+
 	client := createClient(20 * time.Minute)
 
 	log.Info(tag, " list build IDs")
@@ -115,97 +136,76 @@ func publishTestflight(ctx context.Context) error {
 	buildIDs := common.Map(buildIDsResponse.Data, func(it asc.RelationshipData) string {
 		return it.ID
 	})
-	var platforms []asc.Platform
-	if len(os.Args) == 3 {
-		switch os.Args[2] {
-		case "ios":
-			platforms = []asc.Platform{asc.PlatformIOS}
-		case "macos":
-			platforms = []asc.Platform{asc.PlatformMACOS}
-		case "tvos":
-			platforms = []asc.Platform{asc.PlatformTVOS}
-		default:
-			return E.New("unknown platform: ", os.Args[2])
-		}
-	} else {
-		platforms = []asc.Platform{
-			asc.PlatformIOS,
-			asc.PlatformMACOS,
-			asc.PlatformTVOS,
-		}
-	}
+
 	waitingForProcess := false
-	for _, platform := range platforms {
-		log.Info(string(platform), " list builds")
-		for {
-			builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
-				FilterApp:                       []string{appID},
-				FilterPreReleaseVersionPlatform: []string{string(platform)},
-			})
-			if err != nil {
-				return err
-			}
-			build := builds.Data[0]
-			if !waitingForProcess && (common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 30*time.Minute) {
-				log.Info(string(platform), " ", tag, " waiting for process")
-				time.Sleep(15 * time.Second)
-				continue
-			}
-			if *build.Attributes.ProcessingState != "VALID" {
-				waitingForProcess = true
-				log.Info(string(platform), " ", tag, " waiting for process: ", *build.Attributes.ProcessingState)
-				time.Sleep(15 * time.Second)
-				continue
-			}
-			log.Info(string(platform), " ", tag, " list localizations")
-			localizations, _, err := client.TestFlight.ListBetaBuildLocalizationsForBuild(ctx, build.ID, nil)
-			if err != nil {
-				return err
-			}
-			localization := common.Find(localizations.Data, func(it asc.BetaBuildLocalization) bool {
-				return *it.Attributes.Locale == "en-US"
-			})
-			if localization.ID == "" {
-				log.Fatal(string(platform), " ", tag, " no en-US localization found")
-			}
-			if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
-				log.Info(string(platform), " ", tag, " update localization")
-				_, _, err = client.TestFlight.UpdateBetaBuildLocalization(ctx, localization.ID, common.Ptr(
-					F.ToString("sing-box ", tagVersion.String()),
-				))
-				if err != nil {
-					return err
-				}
-			}
-			log.Info(string(platform), " ", tag, " publish")
-			response, err := client.TestFlight.AddBuildsToBetaGroup(ctx, groupID, []string{build.ID})
-			if response != nil && (response.StatusCode == http.StatusUnprocessableEntity || response.StatusCode == http.StatusNotFound) {
-				log.Info("waiting for process")
-				time.Sleep(15 * time.Second)
-				continue
-			} else if err != nil {
-				return err
-			}
-			log.Info(string(platform), " ", tag, " list submissions")
-			betaSubmissions, _, err := client.TestFlight.ListBetaAppReviewSubmissions(ctx, &asc.ListBetaAppReviewSubmissionsQuery{
-				FilterBuild: []string{build.ID},
-			})
-			if err != nil {
-				return err
-			}
-			if len(betaSubmissions.Data) == 0 {
-				log.Info(string(platform), " ", tag, " create submission")
-				_, _, err = client.TestFlight.CreateBetaAppReviewSubmission(ctx, build.ID)
-				if err != nil {
-					if strings.Contains(err.Error(), "ANOTHER_BUILD_IN_REVIEW") {
-						log.Error(err)
-						break
-					}
-					return err
-				}
-			}
-			break
+	log.Info(string(platform), " list builds")
+	for {
+		builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
+			FilterApp:                       []string{appID},
+			FilterPreReleaseVersionPlatform: []string{string(platform)},
+		})
+		if err != nil {
+			return err
 		}
+		build := builds.Data[0]
+		log.Info(string(platform), " ", tag, " found build: ", build.ID, " (", *build.Attributes.Version, ")")
+		if !waitingForProcess && (common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 30*time.Minute) {
+			log.Info(string(platform), " ", tag, " waiting for process")
+			time.Sleep(15 * time.Second)
+			continue
+		}
+		if *build.Attributes.ProcessingState != "VALID" {
+			waitingForProcess = true
+			log.Info(string(platform), " ", tag, " waiting for process: ", *build.Attributes.ProcessingState)
+			time.Sleep(15 * time.Second)
+			continue
+		}
+		log.Info(string(platform), " ", tag, " list localizations")
+		localizations, _, err := client.TestFlight.ListBetaBuildLocalizationsForBuild(ctx, build.ID, nil)
+		if err != nil {
+			return err
+		}
+		localization := common.Find(localizations.Data, func(it asc.BetaBuildLocalization) bool {
+			return *it.Attributes.Locale == "en-US"
+		})
+		if localization.ID == "" {
+			log.Fatal(string(platform), " ", tag, " no en-US localization found")
+		}
+		if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
+			log.Info(string(platform), " ", tag, " update localization")
+			_, _, err = client.TestFlight.UpdateBetaBuildLocalization(ctx, localization.ID, common.Ptr(releaseNotes))
+			if err != nil {
+				return err
+			}
+		}
+		log.Info(string(platform), " ", tag, " publish")
+		response, err := client.TestFlight.AddBuildsToBetaGroup(ctx, groupID, []string{build.ID})
+		if response != nil && (response.StatusCode == http.StatusUnprocessableEntity || response.StatusCode == http.StatusNotFound) {
+			log.Info("waiting for process")
+			time.Sleep(15 * time.Second)
+			continue
+		} else if err != nil {
+			return err
+		}
+		log.Info(string(platform), " ", tag, " list submissions")
+		betaSubmissions, _, err := client.TestFlight.ListBetaAppReviewSubmissions(ctx, &asc.ListBetaAppReviewSubmissionsQuery{
+			FilterBuild: []string{build.ID},
+		})
+		if err != nil {
+			return err
+		}
+		if len(betaSubmissions.Data) == 0 {
+			log.Info(string(platform), " ", tag, " create submission")
+			_, _, err = client.TestFlight.CreateBetaAppReviewSubmission(ctx, build.ID)
+			if err != nil {
+				if strings.Contains(err.Error(), "ANOTHER_BUILD_IN_REVIEW") {
+					log.Error(err)
+					break
+				}
+				return err
+			}
+		}
+		break
 	}
 	return nil
 }

cmd/internal/build_libbox/main.go

@@ -5,6 +5,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 
 	_ "github.com/sagernet/gomobile"
@@ -16,17 +17,17 @@ import (
 )
 
 var (
-	debugEnabled  bool
-	target        string
-	platform      string
-	withTailscale bool
+	debugEnabled bool
+	target       string
+	platform     string
+	// withTailscale bool
 )
 
 func init() {
 	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
 	flag.StringVar(&target, "target", "android", "target platform")
 	flag.StringVar(&platform, "platform", "", "specify platform")
-	flag.BoolVar(&withTailscale, "with-tailscale", false, "build tailscale for iOS and tvOS")
+	// flag.BoolVar(&withTailscale, "with-tailscale", false, "build tailscale for iOS and tvOS")
 }
 
 func main() {
@@ -46,8 +47,8 @@ var (
 	sharedFlags []string
 	debugFlags  []string
 	sharedTags  []string
-	macOSTags   []string
-	memcTags    []string
+	darwinTags  []string
+	// memcTags    []string
 	notMemcTags []string
 	debugTags   []string
 )
@@ -59,19 +60,38 @@ func init() {
 	if err != nil {
 		currentTag = "unknown"
 	}
-	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=  -checklinkname=0")
-	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -checklinkname=0")
+	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid=  -checklinkname=0")
+	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0")
 
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api", "with_conntrack")
-	macOSTags = append(macOSTags, "with_dhcp")
-	memcTags = append(memcTags, "with_tailscale")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "with_conntrack", "badlinkname", "tfogo_checklinkname0")
+	darwinTags = append(darwinTags, "with_dhcp", "grpcnotrace")
+	// memcTags = append(memcTags, "with_tailscale")
+	sharedTags = append(sharedTags, "with_tailscale", "ts_omit_logtail", "ts_omit_ssh", "ts_omit_drive", "ts_omit_taildrop", "ts_omit_webclient", "ts_omit_doctor", "ts_omit_capture", "ts_omit_kube", "ts_omit_aws", "ts_omit_synology", "ts_omit_bird")
 	notMemcTags = append(notMemcTags, "with_low_memory")
 	debugTags = append(debugTags, "debug")
 }
 
-func buildAndroid() {
-	build_shared.FindSDK()
+type AndroidBuildConfig struct {
+	AndroidAPI int
+	OutputName string
+	Tags       []string
+}
 
+func filterTags(tags []string, exclude ...string) []string {
+	excludeMap := make(map[string]bool)
+	for _, tag := range exclude {
+		excludeMap[tag] = true
+	}
+	var result []string
+	for _, tag := range tags {
+		if !excludeMap[tag] {
+			result = append(result, tag)
+		}
+	}
+	return result
+}
+
+func checkJavaVersion() {
 	var javaPath string
 	javaHome := os.Getenv("JAVA_HOME")
 	if javaHome == "" {
@@ -87,61 +107,87 @@ func buildAndroid() {
 	if !strings.Contains(javaVersion, "openjdk 17") {
 		log.Fatal("java version should be openjdk 17")
 	}
+}
 
-	var bindTarget string
+func getAndroidBindTarget() string {
 	if platform != "" {
-		bindTarget = platform
+		return platform
 	} else if debugEnabled {
-		bindTarget = "android/arm64"
-	} else {
-		bindTarget = "android"
+		return "android/arm64"
 	}
+	return "android"
+}
 
+func buildAndroidVariant(config AndroidBuildConfig, bindTarget string) {
 	args := []string{
 		"bind",
 		"-v",
+		"-o", config.OutputName,
 		"-target", bindTarget,
-		"-androidapi", "21",
+		"-androidapi", strconv.Itoa(config.AndroidAPI),
 		"-javapkg=io.nekohasekai",
 		"-libname=box",
 	}
 
 	if !debugEnabled {
-		// sharedFlags[3] = sharedFlags[3] + " -checklinkname=0"
 		args = append(args, sharedFlags...)
 	} else {
-		// debugFlags[1] = debugFlags[1] + " -checklinkname=0"
 		args = append(args, debugFlags...)
 	}
 
-	tags := append(sharedTags, memcTags...)
-	if debugEnabled {
-		tags = append(tags, debugTags...)
-	}
-
-	args = append(args, "-tags", strings.Join(tags, ","))
+	args = append(args, "-tags", strings.Join(config.Tags, ","))
 	args = append(args, "./experimental/libbox")
 
 	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
 	command.Stdout = os.Stdout
 	command.Stderr = os.Stderr
-	err = command.Run()
+	err := command.Run()
 	if err != nil {
 		log.Fatal(err)
 	}
 
-	const name = "libbox.aar"
 	copyPath := filepath.Join("..", "sing-box-for-android", "app", "libs")
 	if rw.IsDir(copyPath) {
 		copyPath, _ = filepath.Abs(copyPath)
-		err = rw.CopyFile(name, filepath.Join(copyPath, name))
+		err = rw.CopyFile(config.OutputName, filepath.Join(copyPath, config.OutputName))
 		if err != nil {
 			log.Fatal(err)
 		}
-		log.Info("copied to ", copyPath)
+		log.Info("copied ", config.OutputName, " to ", copyPath)
 	}
 }
 
+func buildAndroid() {
+	build_shared.FindSDK()
+	checkJavaVersion()
+
+	bindTarget := getAndroidBindTarget()
+
+	// Build main variant (SDK 23)
+	mainTags := append([]string{}, sharedTags...)
+	// mainTags = append(mainTags, memcTags...)
+	if debugEnabled {
+		mainTags = append(mainTags, debugTags...)
+	}
+	buildAndroidVariant(AndroidBuildConfig{
+		AndroidAPI: 23,
+		OutputName: "libbox.aar",
+		Tags:       mainTags,
+	}, bindTarget)
+
+	// Build legacy variant (SDK 21, no naive outbound)
+	legacyTags := filterTags(sharedTags, "with_naive_outbound")
+	// legacyTags = append(legacyTags, memcTags...)
+	if debugEnabled {
+		legacyTags = append(legacyTags, debugTags...)
+	}
+	buildAndroidVariant(AndroidBuildConfig{
+		AndroidAPI: 21,
+		OutputName: "libbox-legacy.aar",
+		Tags:       legacyTags,
+	}, bindTarget)
+}
+
 func buildApple() {
 	var bindTarget string
 	if platform != "" {
@@ -149,7 +195,7 @@ func buildApple() {
 	} else if debugEnabled {
 		bindTarget = "ios"
 	} else {
-		bindTarget = "ios,tvos,macos"
+		bindTarget = "ios,iossimulator,tvos,tvossimulator,macos"
 	}
 
 	args := []string{
@@ -159,11 +205,9 @@ func buildApple() {
 		"-libname=box",
 		"-tags-not-macos=with_low_memory",
 	}
-	if !withTailscale {
-		args = append(args, "-tags-macos="+strings.Join(append(macOSTags, memcTags...), ","))
-	} else {
-		args = append(args, "-tags-macos="+strings.Join(macOSTags, ","))
-	}
+	//if !withTailscale {
+	//	args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
+	//}
 
 	if !debugEnabled {
 		args = append(args, sharedFlags...)
@@ -171,10 +215,10 @@ func buildApple() {
 		args = append(args, debugFlags...)
 	}
 
-	tags := sharedTags
-	if withTailscale {
-		tags = append(tags, memcTags...)
-	}
+	tags := append(sharedTags, darwinTags...)
+	//if withTailscale {
+	//	tags = append(tags, memcTags...)
+	//}
 	if debugEnabled {
 		tags = append(tags, debugTags...)
 	}

cmd/internal/build_libbox_newffi/main.go

@@ -0,0 +1,93 @@
+package main
+
+import (
+	"flag"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common/rw"
+)
+
+var target string
+
+func init() {
+	flag.StringVar(&target, "target", "android", "target platform (android or apple)")
+}
+
+func main() {
+	flag.Parse()
+
+	args := []string{
+		"generate",
+		"-v",
+		"--config", "experimental/libbox/ffi.json",
+		"--platform-type", target,
+	}
+	command := exec.Command("sing-ffi", args...)
+	command.Stdout = os.Stdout
+	command.Stderr = os.Stderr
+	err := command.Run()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	copyArtifacts(target)
+}
+
+func copyArtifacts(target string) {
+	switch target {
+	case "android":
+		copyPath := filepath.Join("..", "sing-box-for-android", "app", "libs")
+		if rw.IsDir(copyPath) {
+			copyPath, _ = filepath.Abs(copyPath)
+			for _, name := range []string{"libbox.aar", "libbox-legacy.aar"} {
+				artifactPath, found := findArtifactPath(name)
+				if !found {
+					continue
+				}
+				targetPath := filepath.Join(target, artifactPath)
+				os.RemoveAll(targetPath)
+				err := os.Rename(artifactPath, targetPath)
+				if err != nil {
+					log.Fatal(err)
+				}
+				log.Info("copied ", name, " to ", copyPath)
+			}
+		}
+	case "apple":
+		copyPath := filepath.Join("..", "sing-box-for-apple")
+		if rw.IsDir(copyPath) {
+			sourceDir, found := findArtifactPath("Libbox.xcframework")
+			if !found {
+				log.Fatal("Libbox.xcframework not found in current directory or experimental/libbox")
+			}
+
+			targetDir := filepath.Join(copyPath, "Libbox.xcframework")
+			targetDir, _ = filepath.Abs(targetDir)
+			err := os.RemoveAll(targetDir)
+			if err != nil {
+				log.Fatal(err)
+			}
+			err = os.Rename(sourceDir, targetDir)
+			if err != nil {
+				log.Fatal(err)
+			}
+			log.Info("copied ", sourceDir, " to ", targetDir)
+		}
+	}
+}
+
+func findArtifactPath(name string) (string, bool) {
+	candidates := []string{
+		name,
+		filepath.Join("experimental", "libbox", name),
+	}
+	for _, candidate := range candidates {
+		if rw.IsFile(candidate) || rw.IsDir(candidate) {
+			return candidate, true
+		}
+	}
+	return "", false
+}

cmd/internal/format_docs/main.go

@@ -0,0 +1,117 @@
+package main
+
+import (
+	"bytes"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/sagernet/sing-box/log"
+)
+
+func main() {
+	err := filepath.Walk("docs", func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.IsDir() {
+			return nil
+		}
+		if !strings.HasSuffix(path, ".md") {
+			return nil
+		}
+		return processFile(path)
+	})
+	if err != nil {
+		log.Fatal(err)
+	}
+}
+
+func processFile(path string) error {
+	content, err := os.ReadFile(path)
+	if err != nil {
+		return err
+	}
+
+	lines := strings.Split(string(content), "\n")
+	modified := false
+	result := make([]string, 0, len(lines))
+
+	inQuoteBlock := false
+	materialLines := []int{} // indices of :material- lines in the block
+
+	for _, line := range lines {
+		// Check for quote block start
+		if strings.HasPrefix(line, "!!! quote \"") && strings.Contains(line, "sing-box") {
+			inQuoteBlock = true
+			materialLines = nil
+			result = append(result, line)
+			continue
+		}
+
+		// Inside a quote block
+		if inQuoteBlock {
+			trimmed := strings.TrimPrefix(line, "    ")
+			isMaterialLine := strings.HasPrefix(trimmed, ":material-")
+			isEmpty := strings.TrimSpace(line) == ""
+			isIndented := strings.HasPrefix(line, "    ")
+
+			if isMaterialLine {
+				materialLines = append(materialLines, len(result))
+				result = append(result, line)
+				continue
+			}
+
+			// Block ends when:
+			// - Empty line AFTER we've seen material lines, OR
+			// - Non-indented, non-empty line
+			blockEnds := (isEmpty && len(materialLines) > 0) || (!isEmpty && !isIndented)
+			if blockEnds {
+				// Process collected material lines
+				if len(materialLines) > 0 {
+					for j, idx := range materialLines {
+						isLast := j == len(materialLines)-1
+						resultLine := strings.TrimRight(result[idx], " ")
+						if !isLast {
+							// Add trailing two spaces for non-last lines
+							resultLine += "  "
+						}
+						if result[idx] != resultLine {
+							modified = true
+							result[idx] = resultLine
+						}
+					}
+				}
+				inQuoteBlock = false
+				materialLines = nil
+			}
+		}
+
+		result = append(result, line)
+	}
+
+	// Handle case where file ends while still in a block
+	if inQuoteBlock && len(materialLines) > 0 {
+		for j, idx := range materialLines {
+			isLast := j == len(materialLines)-1
+			resultLine := strings.TrimRight(result[idx], " ")
+			if !isLast {
+				resultLine += "  "
+			}
+			if result[idx] != resultLine {
+				modified = true
+				result[idx] = resultLine
+			}
+		}
+	}
+
+	if modified {
+		newContent := strings.Join(result, "\n")
+		if !bytes.Equal(content, []byte(newContent)) {
+			log.Info("formatted: ", path)
+			return os.WriteFile(path, []byte(newContent), 0o644)
+		}
+	}
+
+	return nil
+}

cmd/internal/update_certificates/main.go

@@ -17,6 +17,10 @@ func main() {
 	if err != nil {
 		log.Error(err)
 	}
+	err = updateChromeIncludedRootCAs()
+	if err != nil {
+		log.Error(err)
+	}
 }
 
 func updateMozillaIncludedRootCAs() error {
@@ -69,3 +73,94 @@ func init() {
 	generated.WriteString("}\n")
 	return os.WriteFile("common/certificate/mozilla.go", []byte(generated.String()), 0o644)
 }
+
+func fetchChinaFingerprints() (map[string]bool, error) {
+	response, err := http.Get("https://ccadb.my.salesforce-sites.com/ccadb/AllCertificateRecordsCSVFormatv4")
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+	reader := csv.NewReader(response.Body)
+	header, err := reader.Read()
+	if err != nil {
+		return nil, err
+	}
+	countryIndex := slices.Index(header, "Country")
+	fingerprintIndex := slices.Index(header, "SHA-256 Fingerprint")
+
+	chinaFingerprints := make(map[string]bool)
+	for {
+		record, err := reader.Read()
+		if err == io.EOF {
+			break
+		} else if err != nil {
+			return nil, err
+		}
+		if record[countryIndex] == "China" {
+			chinaFingerprints[record[fingerprintIndex]] = true
+		}
+	}
+	return chinaFingerprints, nil
+}
+
+func updateChromeIncludedRootCAs() error {
+	chinaFingerprints, err := fetchChinaFingerprints()
+	if err != nil {
+		return err
+	}
+
+	response, err := http.Get("https://ccadb.my.salesforce-sites.com/ccadb/RootCACertificatesIncludedByRSReportCSV")
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+	reader := csv.NewReader(response.Body)
+	header, err := reader.Read()
+	if err != nil {
+		return err
+	}
+	subjectIndex := slices.Index(header, "Subject")
+	statusIndex := slices.Index(header, "Google Chrome Status")
+	certIndex := slices.Index(header, "X.509 Certificate (PEM)")
+	fingerprintIndex := slices.Index(header, "SHA-256 Fingerprint")
+
+	generated := strings.Builder{}
+	generated.WriteString(`// Code generated by 'make update_certificates'. DO NOT EDIT.
+
+package certificate
+
+import "crypto/x509"
+
+var chromeIncluded *x509.CertPool
+
+func init() {
+	chromeIncluded = x509.NewCertPool()
+`)
+	for {
+		record, err := reader.Read()
+		if err == io.EOF {
+			break
+		} else if err != nil {
+			return err
+		}
+		if record[statusIndex] != "Included" {
+			continue
+		}
+		if chinaFingerprints[record[fingerprintIndex]] {
+			continue
+		}
+		generated.WriteString("\n	// ")
+		generated.WriteString(record[subjectIndex])
+		generated.WriteString("\n")
+		generated.WriteString("	chromeIncluded.AppendCertsFromPEM([]byte(`")
+		cert := record[certIndex]
+		// Remove single quotes if present
+		if len(cert) > 0 && cert[0] == '\'' {
+			cert = cert[1 : len(cert)-1]
+		}
+		generated.WriteString(cert)
+		generated.WriteString("`))\n")
+	}
+	generated.WriteString("}\n")
+	return os.WriteFile("common/certificate/chrome.go", []byte(generated.String()), 0o644)
+}

cmd/sing-box/cmd_tools_fetch_http3.go

@@ -22,7 +22,7 @@ func initializeHTTP3Client(instance *box.Box) error {
 	}
 	http3Client = &http.Client{
 		Transport: &http3.Transport{
-			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (*quic.Conn, error) {
 				destination := M.ParseSocksaddr(addr)
 				udpConn, dErr := dialer.DialContext(ctx, N.NetworkUDP, destination)
 				if dErr != nil {

common/badtls/raw_conn.go

@@ -1,4 +1,4 @@
-//go:build go1.25 && !without_badtls
+//go:build go1.25 && badlinkname
 
 package badtls
 

common/badtls/raw_half_conn.go

@@ -1,4 +1,4 @@
-//go:build go1.25 && !without_badtls
+//go:build go1.25 && badlinkname
 
 package badtls
 

common/badtls/read_wait.go

@@ -1,4 +1,4 @@
-//go:build go1.25 && !without_badtls
+//go:build go1.25 && badlinkname
 
 package badtls
 

common/badtls/read_wait_stub.go

@@ -1,4 +1,4 @@
-//go:build !go1.25 || without_badtls
+//go:build !go1.25 || !badlinkname
 
 package badtls
 

common/badtls/registry.go

@@ -1,4 +1,4 @@
-//go:build go1.25 && !without_badtls
+//go:build go1.25 && badlinkname
 
 package badtls
 

common/badtls/registry_utls.go

@@ -1,4 +1,4 @@
-//go:build go1.25 && !without_badtls
+//go:build go1.25 && badlinkname
 
 package badtls
 

common/certificate/store.go

@@ -7,11 +7,11 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
@@ -21,6 +21,7 @@ import (
 var _ adapter.CertificateStore = (*Store)(nil)
 
 type Store struct {
+	access                    sync.RWMutex
 	systemPool                *x509.CertPool
 	currentPool               *x509.CertPool
 	certificate               string
@@ -34,7 +35,7 @@ func NewStore(ctx context.Context, logger logger.Logger, options option.Certific
 	switch options.Store {
 	case C.CertificateStoreSystem, "":
 		systemPool = x509.NewCertPool()
-		platformInterface := service.FromContext[platform.Interface](ctx)
+		platformInterface := service.FromContext[adapter.PlatformInterface](ctx)
 		var systemValid bool
 		if platformInterface != nil {
 			for _, cert := range platformInterface.SystemCertificates() {
@@ -52,6 +53,8 @@ func NewStore(ctx context.Context, logger logger.Logger, options option.Certific
 		}
 	case C.CertificateStoreMozilla:
 		systemPool = mozillaIncluded
+	case C.CertificateStoreChrome:
+		systemPool = chromeIncluded
 	case C.CertificateStoreNone:
 		systemPool = nil
 	default:
@@ -115,10 +118,14 @@ func (s *Store) Close() error {
 }
 
 func (s *Store) Pool() *x509.CertPool {
+	s.access.RLock()
+	defer s.access.RUnlock()
 	return s.currentPool
 }
 
 func (s *Store) update() error {
+	s.access.Lock()
+	defer s.access.Unlock()
 	var currentPool *x509.CertPool
 	if s.systemPool == nil {
 		currentPool = x509.NewCertPool()

common/dialer/default.go

@@ -12,7 +12,6 @@ import (
 	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/listener"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/control"
@@ -20,6 +19,8 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
+
+	"github.com/database64128/tfo-go/v2"
 )
 
 var (
@@ -28,8 +29,8 @@ var (
 )
 
 type DefaultDialer struct {
-	dialer4                tcpDialer
-	dialer6                tcpDialer
+	dialer4                tfo.Dialer
+	dialer6                tfo.Dialer
 	udpDialer4             net.Dialer
 	udpDialer6             net.Dialer
 	udpListener            net.ListenConfig
@@ -47,7 +48,7 @@ type DefaultDialer struct {
 
 func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
 	networkManager := service.FromContext[adapter.NetworkManager](ctx)
-	platformInterface := service.FromContext[platform.Interface](ctx)
+	platformInterface := service.FromContext[adapter.PlatformInterface](ctx)
 
 	var (
 		dialer                 net.Dialer
@@ -136,14 +137,29 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		dialer.Control = control.Append(dialer.Control, control.ProtectPath(options.ProtectPath))
 		listener.Control = control.Append(listener.Control, control.ProtectPath(options.ProtectPath))
 	}
+	if options.BindAddressNoPort {
+		if !C.IsLinux {
+			return nil, E.New("`bind_address_no_port` is only supported on Linux")
+		}
+		dialer.Control = control.Append(dialer.Control, control.BindAddressNoPort())
+	}
 	if options.ConnectTimeout != 0 {
 		dialer.Timeout = time.Duration(options.ConnectTimeout)
 	} else {
 		dialer.Timeout = C.TCPConnectTimeout
 	}
-	// TODO: Add an option to customize the keep alive period
-	dialer.KeepAlive = C.TCPKeepAliveInitial
-	dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(C.TCPKeepAliveInitial, C.TCPKeepAliveInterval))
+	if !options.DisableTCPKeepAlive {
+		keepIdle := time.Duration(options.TCPKeepAlive)
+		if keepIdle == 0 {
+			keepIdle = C.TCPKeepAliveInitial
+		}
+		keepInterval := time.Duration(options.TCPKeepAliveInterval)
+		if keepInterval == 0 {
+			keepInterval = C.TCPKeepAliveInterval
+		}
+		dialer.KeepAlive = keepIdle
+		dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(keepIdle, keepInterval))
+	}
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment
@@ -177,19 +193,10 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		udpAddr6 = M.SocksaddrFrom(bindAddr, 0).String()
 	}
 	if options.TCPMultiPath {
-		if !go121Available {
-			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
-		}
-		setMultiPathTCP(&dialer4)
-	}
-	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
-	if err != nil {
-		return nil, err
-	}
-	tcpDialer6, err := newTCPDialer(dialer6, options.TCPFastOpen)
-	if err != nil {
-		return nil, err
+		dialer4.SetMultipathTCP(true)
 	}
+	tcpDialer4 := tfo.Dialer{Dialer: dialer4, DisableTFO: !options.TCPFastOpen}
+	tcpDialer6 := tfo.Dialer{Dialer: dialer6, DisableTFO: !options.TCPFastOpen}
 	return &DefaultDialer{
 		dialer4:                tcpDialer4,
 		dialer6:                tcpDialer6,
@@ -269,7 +276,7 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 	}
 	var dialer net.Dialer
 	if N.NetworkName(network) == N.NetworkTCP {
-		dialer = dialerFromTCPDialer(d.dialer4)
+		dialer = d.dialer4.Dialer
 	} else {
 		dialer = d.udpDialer4
 	}
@@ -317,9 +324,9 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 
 func (d *DefaultDialer) DialerForICMPDestination(destination netip.Addr) net.Dialer {
 	if !destination.Is6() {
-		return dialerFromTCPDialer(d.dialer6)
+		return d.dialer6.Dialer
 	} else {
-		return dialerFromTCPDialer(d.dialer4)
+		return d.dialer4.Dialer
 	}
 }
 
@@ -356,18 +363,8 @@ func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destina
 	return trackPacketConn(packetConn, nil)
 }
 
-func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
-	udpListener := d.udpListener
-	udpListener.Control = control.Append(udpListener.Control, func(network, address string, conn syscall.RawConn) error {
-		for _, wgControlFn := range WgControlFns {
-			err := wgControlFn(network, address, conn)
-			if err != nil {
-				return err
-			}
-		}
-		return nil
-	})
-	return udpListener.ListenPacket(context.Background(), network, address)
+func (d *DefaultDialer) WireGuardControl() control.Func {
+	return d.udpListener.Control
 }
 
 func trackConn(conn net.Conn, err error) (net.Conn, error) {

common/dialer/default_go1.20.go

@@ -1,19 +0,0 @@
-//go:build go1.20
-
-package dialer
-
-import (
-	"net"
-
-	"github.com/metacubex/tfo-go"
-)
-
-type tcpDialer = tfo.Dialer
-
-func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
-	return tfo.Dialer{Dialer: dialer, DisableTFO: !tfoEnabled}, nil
-}
-
-func dialerFromTCPDialer(dialer tcpDialer) net.Dialer {
-	return dialer.Dialer
-}

common/dialer/default_go1.21.go

@@ -1,11 +0,0 @@
-//go:build go1.21
-
-package dialer
-
-import "net"
-
-const go121Available = true
-
-func setMultiPathTCP(dialer *net.Dialer) {
-	dialer.SetMultipathTCP(true)
-}

common/dialer/default_nongo1.20.go

@@ -1,22 +0,0 @@
-//go:build !go1.20
-
-package dialer
-
-import (
-	"net"
-
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type tcpDialer = net.Dialer
-
-func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
-	if tfoEnabled {
-		return dialer, E.New("TCP Fast Open requires go1.20, please recompile your binary.")
-	}
-	return dialer, nil
-}
-
-func dialerFromTCPDialer(dialer tcpDialer) net.Dialer {
-	return dialer
-}

common/dialer/default_nongo1.21.go

@@ -1,12 +0,0 @@
-//go:build !go1.21
-
-package dialer
-
-import (
-	"net"
-)
-
-const go121Available = false
-
-func setMultiPathTCP(dialer *net.Dialer) {
-}

common/dialer/tfo.go

@@ -1,5 +1,3 @@
-//go:build go1.20
-
 package dialer
 
 import (
@@ -16,7 +14,7 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 
-	"github.com/metacubex/tfo-go"
+	"github.com/database64128/tfo-go/v2"
 )
 
 type slowOpenConn struct {
@@ -32,7 +30,7 @@ type slowOpenConn struct {
 	err         error
 }
 
-func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+func DialSlowContext(dialer *tfo.Dialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	if dialer.DisableTFO || N.NetworkName(network) != N.NetworkTCP {
 		switch N.NetworkName(network) {
 		case N.NetworkTCP, N.NetworkUDP:

common/dialer/tfo_stub.go

@@ -1,20 +0,0 @@
-//go:build !go1.20
-
-package dialer
-
-import (
-	"context"
-	"net"
-
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	switch N.NetworkName(network) {
-	case N.NetworkTCP, N.NetworkUDP:
-		return dialer.DialContext(ctx, network, destination.String())
-	default:
-		return dialer.DialContext(ctx, network, destination.AddrString())
-	}
-}

common/dialer/wireguard.go

@@ -1,13 +1,9 @@
 package dialer
 
 import (
-	"net"
-
 	"github.com/sagernet/sing/common/control"
 )
 
 type WireGuardListener interface {
-	ListenPacketCompat(network, address string) (net.PacketConn, error)
+	WireGuardControl() control.Func
 }
-
-var WgControlFns []control.Func

common/geosite/compat_test.go

@@ -0,0 +1,234 @@
+package geosite
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/binary"
+	"strings"
+	"testing"
+
+	"github.com/sagernet/sing/common/varbin"
+
+	"github.com/stretchr/testify/require"
+)
+
+// Old implementation using varbin reflection-based serialization
+
+func oldWriteString(writer varbin.Writer, value string) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, value)
+}
+
+func oldWriteItem(writer varbin.Writer, item Item) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, item)
+}
+
+func oldReadString(reader varbin.Reader) (string, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[string](reader, binary.BigEndian)
+}
+
+func oldReadItem(reader varbin.Reader) (Item, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[Item](reader, binary.BigEndian)
+}
+
+func TestStringCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input string
+	}{
+		{"empty", ""},
+		{"single_char", "a"},
+		{"ascii", "example.com"},
+		{"utf8", "测试域名.中国"},
+		{"special_chars", "\x00\xff\n\t"},
+		{"127_bytes", strings.Repeat("x", 127)},
+		{"128_bytes", strings.Repeat("x", 128)},
+		{"16383_bytes", strings.Repeat("x", 16383)},
+		{"16384_bytes", strings.Repeat("x", 16384)},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWriteString(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = writeString(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> old read
+			readBack, err := oldReadString(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readString(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestItemCompat(t *testing.T) {
+	t.Parallel()
+
+	// Note: varbin.Write has a bug where struct values (not pointers) don't write their fields
+	// because field.CanSet() returns false for non-addressable values.
+	// The old geosite code passed Item values to varbin.Write, which silently wrote nothing.
+	// The new code correctly writes Type + Value using manual serialization.
+	// This test verifies the new serialization format and round-trip correctness.
+
+	cases := []struct {
+		name  string
+		input Item
+	}{
+		{"domain_empty", Item{Type: RuleTypeDomain, Value: ""}},
+		{"domain_normal", Item{Type: RuleTypeDomain, Value: "example.com"}},
+		{"domain_suffix", Item{Type: RuleTypeDomainSuffix, Value: ".example.com"}},
+		{"domain_keyword", Item{Type: RuleTypeDomainKeyword, Value: "google"}},
+		{"domain_regex", Item{Type: RuleTypeDomainRegex, Value: `^.*\.example\.com$`}},
+		{"utf8_domain", Item{Type: RuleTypeDomain, Value: "测试.com"}},
+		{"long_domain", Item{Type: RuleTypeDomainSuffix, Value: strings.Repeat("a", 200) + ".com"}},
+		{"128_bytes_value", Item{Type: RuleTypeDomain, Value: strings.Repeat("x", 128)}},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// New write
+			var newBuf bytes.Buffer
+			err := newBuf.WriteByte(byte(tc.input.Type))
+			require.NoError(t, err)
+			err = writeString(&newBuf, tc.input.Value)
+			require.NoError(t, err)
+
+			// Verify format: Type (1 byte) + Value (uvarint len + bytes)
+			require.True(t, len(newBuf.Bytes()) >= 1, "output too short")
+			require.Equal(t, byte(tc.input.Type), newBuf.Bytes()[0], "type byte mismatch")
+
+			// New write -> old read (varbin can read correctly when given addressable target)
+			readBack, err := oldReadItem(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack)
+
+			// New write -> new read
+			reader := bufio.NewReader(bytes.NewReader(newBuf.Bytes()))
+			typeByte, err := reader.ReadByte()
+			require.NoError(t, err)
+			value, err := readString(reader)
+			require.NoError(t, err)
+			require.Equal(t, tc.input, Item{Type: ItemType(typeByte), Value: value})
+		})
+	}
+}
+
+func TestGeositeWriteReadCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input map[string][]Item
+	}{
+		{
+			"empty_map",
+			map[string][]Item{},
+		},
+		{
+			"single_code_empty_items",
+			map[string][]Item{"test": {}},
+		},
+		{
+			"single_code_single_item",
+			map[string][]Item{"test": {{Type: RuleTypeDomain, Value: "a.com"}}},
+		},
+		{
+			"single_code_multi_items",
+			map[string][]Item{
+				"test": {
+					{Type: RuleTypeDomain, Value: "a.com"},
+					{Type: RuleTypeDomainSuffix, Value: ".b.com"},
+					{Type: RuleTypeDomainKeyword, Value: "keyword"},
+					{Type: RuleTypeDomainRegex, Value: `^.*$`},
+				},
+			},
+		},
+		{
+			"multi_code",
+			map[string][]Item{
+				"cn": {{Type: RuleTypeDomain, Value: "baidu.com"}, {Type: RuleTypeDomainSuffix, Value: ".cn"}},
+				"us": {{Type: RuleTypeDomain, Value: "google.com"}},
+				"jp": {{Type: RuleTypeDomainSuffix, Value: ".jp"}},
+			},
+		},
+		{
+			"utf8_values",
+			map[string][]Item{
+				"test": {
+					{Type: RuleTypeDomain, Value: "测试.中国"},
+					{Type: RuleTypeDomainSuffix, Value: ".テスト"},
+				},
+			},
+		},
+		{
+			"large_items",
+			generateLargeItems(1000),
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Write using new implementation
+			var buf bytes.Buffer
+			err := Write(&buf, tc.input)
+			require.NoError(t, err)
+
+			// Read back and verify
+			reader, codes, err := NewReader(bytes.NewReader(buf.Bytes()))
+			require.NoError(t, err)
+
+			// Verify all codes exist
+			codeSet := make(map[string]bool)
+			for _, code := range codes {
+				codeSet[code] = true
+			}
+			for code := range tc.input {
+				require.True(t, codeSet[code], "missing code: %s", code)
+			}
+
+			// Verify items match
+			for code, expectedItems := range tc.input {
+				items, err := reader.Read(code)
+				require.NoError(t, err)
+				require.Equal(t, expectedItems, items, "items mismatch for code: %s", code)
+			}
+		})
+	}
+}
+
+func generateLargeItems(count int) map[string][]Item {
+	items := make([]Item, count)
+	for i := 0; i < count; i++ {
+		items[i] = Item{
+			Type:  ItemType(i % 4),
+			Value: strings.Repeat("x", i%200) + ".com",
+		}
+	}
+	return map[string][]Item{"large": items}
+}

common/geosite/reader.go

@@ -9,7 +9,6 @@ import (
 	"sync/atomic"
 
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/varbin"
 )
 
 type Reader struct {
@@ -78,7 +77,7 @@ func (r *Reader) readMetadata() error {
 			codeIndex  uint64
 			codeLength uint64
 		)
-		code, err = varbin.ReadValue[string](reader, binary.BigEndian)
+		code, err = readString(reader)
 		if err != nil {
 			return err
 		}
@@ -112,9 +111,16 @@ func (r *Reader) Read(code string) ([]Item, error) {
 	}
 	r.bufferedReader.Reset(r.reader)
 	itemList := make([]Item, r.domainLength[code])
-	err = varbin.Read(r.bufferedReader, binary.BigEndian, &itemList)
-	if err != nil {
-		return nil, err
+	for i := range itemList {
+		typeByte, err := r.bufferedReader.ReadByte()
+		if err != nil {
+			return nil, err
+		}
+		itemList[i].Type = ItemType(typeByte)
+		itemList[i].Value, err = readString(r.bufferedReader)
+		if err != nil {
+			return nil, err
+		}
 	}
 	return itemList, nil
 }
@@ -135,3 +141,18 @@ func (r *readCounter) Read(p []byte) (n int, err error) {
 	}
 	return
 }
+
+func readString(reader io.ByteReader) (string, error) {
+	length, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return "", err
+	}
+	bytes := make([]byte, length)
+	for i := range bytes {
+		bytes[i], err = reader.ReadByte()
+		if err != nil {
+			return "", err
+		}
+	}
+	return string(bytes), nil
+}

common/geosite/writer.go

@@ -2,7 +2,6 @@ package geosite
 
 import (
 	"bytes"
-	"encoding/binary"
 	"sort"
 
 	"github.com/sagernet/sing/common/varbin"
@@ -20,7 +19,11 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 	for _, code := range keys {
 		index[code] = content.Len()
 		for _, item := range domains[code] {
-			err := varbin.Write(content, binary.BigEndian, item)
+			err := content.WriteByte(byte(item.Type))
+			if err != nil {
+				return err
+			}
+			err = writeString(content, item.Value)
 			if err != nil {
 				return err
 			}
@@ -38,7 +41,7 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 	}
 
 	for _, code := range keys {
-		err = varbin.Write(writer, binary.BigEndian, code)
+		err = writeString(writer, code)
 		if err != nil {
 			return err
 		}
@@ -59,3 +62,12 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 
 	return nil
 }
+
+func writeString(writer varbin.Writer, value string) error {
+	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write([]byte(value))
+	return err
+}

common/ktls/ktls.go

@@ -1,4 +1,4 @@
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname
 
 package ktls
 

common/ktls/ktls_alert.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname
 
 package ktls
 

common/ktls/ktls_cipher_suites_linux.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname
 
 package ktls
 

common/ktls/ktls_close.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname
 
 package ktls
 

common/ktls/ktls_const.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname
 
 package ktls
 

common/ktls/ktls_handshake_messages.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname
 
 package ktls
 

common/ktls/ktls_key_update.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname
 
 package ktls
 

common/ktls/ktls_linux.go

@@ -1,4 +1,4 @@
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname
 
 package ktls
 

common/ktls/ktls_prf.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname
 
 package ktls
 

common/ktls/ktls_read.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname
 
 package ktls
 

common/ktls/ktls_read_wait.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname
 
 package ktls
 

common/ktls/ktls_stub_nolinkname.go

@@ -0,0 +1,15 @@
+//go:build linux && go1.25 && !badlinkname
+
+package ktls
+
+import (
+	"context"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	aTLS "github.com/sagernet/sing/common/tls"
+)
+
+func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
+	return nil, E.New("kTLS requires build flags `badlinkname` and `-ldflags=-checklinkname=0`, please recompile your binary")
+}

common/ktls/ktls_stub_nonlinux.go

@@ -1,15 +1,15 @@
-//go:build !linux || !go1.25 || without_badtls
+//go:build !linux
 
 package ktls
 
 import (
 	"context"
-	"os"
 
+	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 
 func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
-	return nil, os.ErrInvalid
+	return nil, E.New("kTLS is only supported on Linux")
 }

common/ktls/ktls_stub_oldgo.go

@@ -0,0 +1,15 @@
+//go:build linux && !go1.25
+
+package ktls
+
+import (
+	"context"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	aTLS "github.com/sagernet/sing/common/tls"
+)
+
+func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
+	return nil, E.New("kTLS requires Go 1.25 or later, please recompile your binary")
+}

common/ktls/ktls_write.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname
 
 package ktls
 

common/listener/listener_go121.go

@@ -1,11 +0,0 @@
-//go:build go1.21
-
-package listener
-
-import "net"
-
-const go121Available = true
-
-func setMultiPathTCP(listenConfig *net.ListenConfig) {
-	listenConfig.SetMultipathTCP(true)
-}

common/listener/listener_go123.go

@@ -1,16 +0,0 @@
-//go:build go1.23
-
-package listener
-
-import (
-	"net"
-	"time"
-)
-
-func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
-	listener.KeepAliveConfig = net.KeepAliveConfig{
-		Enable:   true,
-		Idle:     idle,
-		Interval: interval,
-	}
-}

common/listener/listener_nongo121.go

@@ -1,10 +0,0 @@
-//go:build !go1.21
-
-package listener
-
-import "net"
-
-const go121Available = false
-
-func setMultiPathTCP(listenConfig *net.ListenConfig) {
-}

common/listener/listener_nongo123.go

@@ -1,15 +0,0 @@
-//go:build !go1.23
-
-package listener
-
-import (
-	"net"
-	"time"
-
-	"github.com/sagernet/sing/common/control"
-)
-
-func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
-	listener.KeepAlive = idle
-	listener.Control = control.Append(listener.Control, control.SetKeepAlivePeriod(idle, interval))
-}

common/listener/listener_tcp.go

@@ -17,7 +17,7 @@ import (
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 
-	"github.com/metacubex/tfo-go"
+	"github.com/database64128/tfo-go/v2"
 )
 
 func (l *Listener) ListenTCP() (net.Listener, error) {
@@ -37,7 +37,7 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 	if l.listenOptions.ReuseAddr {
 		listenConfig.Control = control.Append(listenConfig.Control, control.ReuseAddr())
 	}
-	if l.listenOptions.TCPKeepAlive >= 0 {
+	if !l.listenOptions.DisableTCPKeepAlive {
 		keepIdle := time.Duration(l.listenOptions.TCPKeepAlive)
 		if keepIdle == 0 {
 			keepIdle = C.TCPKeepAliveInitial
@@ -46,13 +46,14 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 		if keepInterval == 0 {
 			keepInterval = C.TCPKeepAliveInterval
 		}
-		setKeepAliveConfig(&listenConfig, keepIdle, keepInterval)
+		listenConfig.KeepAliveConfig = net.KeepAliveConfig{
+			Enable:   true,
+			Idle:     keepIdle,
+			Interval: keepInterval,
+		}
 	}
 	if l.listenOptions.TCPMultiPath {
-		if !go121Available {
-			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
-		}
-		setMultiPathTCP(&listenConfig)
+		listenConfig.SetMultipathTCP(true)
 	}
 	if l.tproxy {
 		listenConfig.Control = control.Append(listenConfig.Control, func(network, address string, conn syscall.RawConn) error {

common/process/searcher.go

@@ -5,6 +5,7 @@ import (
 	"net/netip"
 	"os/user"
 
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -12,7 +13,7 @@ import (
 )
 
 type Searcher interface {
-	FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error)
+	FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error)
 }
 
 var ErrNotFound = E.New("process not found")
@@ -22,15 +23,7 @@ type Config struct {
 	PackageManager tun.PackageManager
 }
 
-type Info struct {
-	ProcessID   uint32
-	ProcessPath string
-	PackageName string
-	User        string
-	UserId      int32
-}
-
-func FindProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+func FindProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
 	info, err := searcher.FindProcessInfo(ctx, network, source, destination)
 	if err != nil {
 		return nil, err
@@ -38,7 +31,7 @@ func FindProcessInfo(searcher Searcher, ctx context.Context, network string, sou
 	if info.UserId != -1 {
 		osUser, _ := user.LookupId(F.ToString(info.UserId))
 		if osUser != nil {
-			info.User = osUser.Username
+			info.UserName = osUser.Username
 		}
 	}
 	return info, nil

common/process/searcher_android.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net/netip"
 
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
 )
 
@@ -17,22 +18,22 @@ func NewSearcher(config Config) (Searcher, error) {
 	return &androidSearcher{config.PackageManager}, nil
 }
 
-func (s *androidSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+func (s *androidSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
 	_, uid, err := resolveSocketByNetlink(network, source, destination)
 	if err != nil {
 		return nil, err
 	}
 	if sharedPackage, loaded := s.packageManager.SharedPackageByID(uid % 100000); loaded {
-		return &Info{
-			UserId:      int32(uid),
-			PackageName: sharedPackage,
+		return &adapter.ConnectionOwner{
+			UserId:             int32(uid),
+			AndroidPackageName: sharedPackage,
 		}, nil
 	}
 	if packageName, loaded := s.packageManager.PackageByID(uid % 100000); loaded {
-		return &Info{
-			UserId:      int32(uid),
-			PackageName: packageName,
+		return &adapter.ConnectionOwner{
+			UserId:             int32(uid),
+			AndroidPackageName: packageName,
 		}, nil
 	}
-	return &Info{UserId: int32(uid)}, nil
+	return &adapter.ConnectionOwner{UserId: int32(uid)}, nil
 }

common/process/searcher_darwin.go

@@ -10,6 +10,7 @@ import (
 	"syscall"
 	"unsafe"
 
+	"github.com/sagernet/sing-box/adapter"
 	N "github.com/sagernet/sing/common/network"
 
 	"golang.org/x/sys/unix"
@@ -23,12 +24,12 @@ func NewSearcher(_ Config) (Searcher, error) {
 	return &darwinSearcher{}, nil
 }
 
-func (d *darwinSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+func (d *darwinSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
 	processName, err := findProcessName(network, source.Addr(), int(source.Port()))
 	if err != nil {
 		return nil, err
 	}
-	return &Info{ProcessPath: processName, UserId: -1}, nil
+	return &adapter.ConnectionOwner{ProcessPath: processName, UserId: -1}, nil
 }
 
 var structSize = func() int {

common/process/searcher_linux.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"net/netip"
 
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 )
 
@@ -19,7 +20,7 @@ func NewSearcher(config Config) (Searcher, error) {
 	return &linuxSearcher{config.Logger}, nil
 }
 
-func (s *linuxSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+func (s *linuxSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
 	inode, uid, err := resolveSocketByNetlink(network, source, destination)
 	if err != nil {
 		return nil, err
@@ -28,7 +29,7 @@ func (s *linuxSearcher) FindProcessInfo(ctx context.Context, network string, sou
 	if err != nil {
 		s.logger.DebugContext(ctx, "find process path: ", err)
 	}
-	return &Info{
+	return &adapter.ConnectionOwner{
 		UserId:      int32(uid),
 		ProcessPath: processPath,
 	}, nil

common/process/searcher_windows.go

@@ -5,6 +5,7 @@ import (
 	"net/netip"
 	"syscall"
 
+	"github.com/sagernet/sing-box/adapter"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/winiphlpapi"
 
@@ -27,16 +28,16 @@ func initWin32API() error {
 	return winiphlpapi.LoadExtendedTable()
 }
 
-func (s *windowsSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+func (s *windowsSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
 	pid, err := winiphlpapi.FindPid(network, source)
 	if err != nil {
 		return nil, err
 	}
 	path, err := getProcessPath(pid)
 	if err != nil {
-		return &Info{ProcessID: pid, UserId: -1}, err
+		return &adapter.ConnectionOwner{ProcessID: pid, UserId: -1}, err
 	}
-	return &Info{ProcessID: pid, ProcessPath: path, UserId: -1}, nil
+	return &adapter.ConnectionOwner{ProcessID: pid, ProcessPath: path, UserId: -1}, nil
 }
 
 func getProcessPath(pid uint32) (string, error) {

common/settings/wifi.go

@@ -0,0 +1,9 @@
+package settings
+
+import "github.com/sagernet/sing-box/adapter"
+
+type WIFIMonitor interface {
+	ReadWIFIState() adapter.WIFIState
+	Start() error
+	Close() error
+}

common/settings/wifi_linux.go

@@ -0,0 +1,46 @@
+package settings
+
+import (
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type LinuxWIFIMonitor struct {
+	monitor WIFIMonitor
+}
+
+func NewWIFIMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
+	monitors := []func(func(adapter.WIFIState)) (WIFIMonitor, error){
+		newNetworkManagerMonitor,
+		newIWDMonitor,
+		newWpaSupplicantMonitor,
+		newConnManMonitor,
+	}
+	var errors []error
+	for _, factory := range monitors {
+		monitor, err := factory(callback)
+		if err == nil {
+			return &LinuxWIFIMonitor{monitor: monitor}, nil
+		}
+		errors = append(errors, err)
+	}
+	return nil, E.Cause(E.Errors(errors...), "no supported WIFI manager found")
+}
+
+func (m *LinuxWIFIMonitor) ReadWIFIState() adapter.WIFIState {
+	return m.monitor.ReadWIFIState()
+}
+
+func (m *LinuxWIFIMonitor) Start() error {
+	if m.monitor != nil {
+		return m.monitor.Start()
+	}
+	return nil
+}
+
+func (m *LinuxWIFIMonitor) Close() error {
+	if m.monitor != nil {
+		return m.monitor.Close()
+	}
+	return nil
+}

common/settings/wifi_linux_connman.go

@@ -0,0 +1,168 @@
+//go:build linux
+
+package settings
+
+import (
+	"context"
+	"strings"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+
+	"github.com/godbus/dbus/v5"
+)
+
+type connmanMonitor struct {
+	conn       *dbus.Conn
+	callback   func(adapter.WIFIState)
+	cancel     context.CancelFunc
+	signalChan chan *dbus.Signal
+}
+
+func newConnManMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
+	conn, err := dbus.ConnectSystemBus()
+	if err != nil {
+		return nil, err
+	}
+	cmObj := conn.Object("net.connman", "/")
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+	defer cancel()
+	call := cmObj.CallWithContext(ctx, "net.connman.Manager.GetServices", 0)
+	if call.Err != nil {
+		conn.Close()
+		return nil, call.Err
+	}
+	return &connmanMonitor{conn: conn, callback: callback}, nil
+}
+
+func (m *connmanMonitor) ReadWIFIState() adapter.WIFIState {
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	cmObj := m.conn.Object("net.connman", "/")
+	var services []interface{}
+	err := cmObj.CallWithContext(ctx, "net.connman.Manager.GetServices", 0).Store(&services)
+	if err != nil {
+		return adapter.WIFIState{}
+	}
+
+	for _, service := range services {
+		servicePair, ok := service.([]interface{})
+		if !ok || len(servicePair) != 2 {
+			continue
+		}
+
+		serviceProps, ok := servicePair[1].(map[string]dbus.Variant)
+		if !ok {
+			continue
+		}
+
+		typeVariant, hasType := serviceProps["Type"]
+		if !hasType {
+			continue
+		}
+		serviceType, ok := typeVariant.Value().(string)
+		if !ok || serviceType != "wifi" {
+			continue
+		}
+
+		stateVariant, hasState := serviceProps["State"]
+		if !hasState {
+			continue
+		}
+		state, ok := stateVariant.Value().(string)
+		if !ok || (state != "online" && state != "ready") {
+			continue
+		}
+
+		nameVariant, hasName := serviceProps["Name"]
+		if !hasName {
+			continue
+		}
+		ssid, ok := nameVariant.Value().(string)
+		if !ok || ssid == "" {
+			continue
+		}
+
+		bssidVariant, hasBSSID := serviceProps["BSSID"]
+		if !hasBSSID {
+			return adapter.WIFIState{SSID: ssid}
+		}
+		bssid, ok := bssidVariant.Value().(string)
+		if !ok {
+			return adapter.WIFIState{SSID: ssid}
+		}
+
+		return adapter.WIFIState{
+			SSID:  ssid,
+			BSSID: strings.ToUpper(strings.ReplaceAll(bssid, ":", "")),
+		}
+	}
+
+	return adapter.WIFIState{}
+}
+
+func (m *connmanMonitor) Start() error {
+	if m.callback == nil {
+		return nil
+	}
+	ctx, cancel := context.WithCancel(context.Background())
+	m.cancel = cancel
+
+	m.signalChan = make(chan *dbus.Signal, 10)
+	m.conn.Signal(m.signalChan)
+
+	err := m.conn.AddMatchSignal(
+		dbus.WithMatchInterface("net.connman.Service"),
+		dbus.WithMatchSender("net.connman"),
+	)
+	if err != nil {
+		return err
+	}
+
+	state := m.ReadWIFIState()
+	go m.monitorSignals(ctx, m.signalChan, state)
+	m.callback(state)
+
+	return nil
+}
+
+func (m *connmanMonitor) monitorSignals(ctx context.Context, signalChan chan *dbus.Signal, lastState adapter.WIFIState) {
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case signal, ok := <-signalChan:
+			if !ok {
+				return
+			}
+			// godbus Signal.Name uses "interface.member" format (e.g. "net.connman.Service.PropertyChanged"),
+			// not just the member name. This differs from the D-Bus signal member in the match rule.
+			if signal.Name == "net.connman.Service.PropertyChanged" {
+				state := m.ReadWIFIState()
+				if state != lastState {
+					lastState = state
+					m.callback(state)
+				}
+			}
+		}
+	}
+}
+
+func (m *connmanMonitor) Close() error {
+	if m.cancel != nil {
+		m.cancel()
+	}
+	if m.signalChan != nil {
+		m.conn.RemoveSignal(m.signalChan)
+		close(m.signalChan)
+	}
+	if m.conn != nil {
+		m.conn.RemoveMatchSignal(
+			dbus.WithMatchInterface("net.connman.Service"),
+			dbus.WithMatchSender("net.connman"),
+		)
+		return m.conn.Close()
+	}
+	return nil
+}

common/settings/wifi_linux_iwd.go

@@ -0,0 +1,190 @@
+//go:build linux
+
+package settings
+
+import (
+	"context"
+	"strings"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+
+	"github.com/godbus/dbus/v5"
+)
+
+type iwdMonitor struct {
+	conn       *dbus.Conn
+	callback   func(adapter.WIFIState)
+	cancel     context.CancelFunc
+	signalChan chan *dbus.Signal
+}
+
+func newIWDMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
+	conn, err := dbus.ConnectSystemBus()
+	if err != nil {
+		return nil, err
+	}
+	iwdObj := conn.Object("net.connman.iwd", "/")
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+	defer cancel()
+	call := iwdObj.CallWithContext(ctx, "org.freedesktop.DBus.ObjectManager.GetManagedObjects", 0)
+	if call.Err != nil {
+		conn.Close()
+		return nil, call.Err
+	}
+	return &iwdMonitor{conn: conn, callback: callback}, nil
+}
+
+func (m *iwdMonitor) ReadWIFIState() adapter.WIFIState {
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	iwdObj := m.conn.Object("net.connman.iwd", "/")
+	var objects map[dbus.ObjectPath]map[string]map[string]dbus.Variant
+	err := iwdObj.CallWithContext(ctx, "org.freedesktop.DBus.ObjectManager.GetManagedObjects", 0).Store(&objects)
+	if err != nil {
+		return adapter.WIFIState{}
+	}
+
+	for _, interfaces := range objects {
+		stationProps, hasStation := interfaces["net.connman.iwd.Station"]
+		if !hasStation {
+			continue
+		}
+
+		stateVariant, hasState := stationProps["State"]
+		if !hasState {
+			continue
+		}
+		state, ok := stateVariant.Value().(string)
+		if !ok || state != "connected" {
+			continue
+		}
+
+		connectedNetworkVariant, hasNetwork := stationProps["ConnectedNetwork"]
+		if !hasNetwork {
+			continue
+		}
+		networkPath, ok := connectedNetworkVariant.Value().(dbus.ObjectPath)
+		if !ok || networkPath == "/" {
+			continue
+		}
+
+		networkInterfaces, hasNetworkPath := objects[networkPath]
+		if !hasNetworkPath {
+			continue
+		}
+
+		networkProps, hasNetworkInterface := networkInterfaces["net.connman.iwd.Network"]
+		if !hasNetworkInterface {
+			continue
+		}
+
+		nameVariant, hasName := networkProps["Name"]
+		if !hasName {
+			continue
+		}
+		ssid, ok := nameVariant.Value().(string)
+		if !ok {
+			continue
+		}
+
+		connectedBSSVariant, hasBSS := stationProps["ConnectedAccessPoint"]
+		if !hasBSS {
+			return adapter.WIFIState{SSID: ssid}
+		}
+		bssPath, ok := connectedBSSVariant.Value().(dbus.ObjectPath)
+		if !ok || bssPath == "/" {
+			return adapter.WIFIState{SSID: ssid}
+		}
+
+		bssInterfaces, hasBSSPath := objects[bssPath]
+		if !hasBSSPath {
+			return adapter.WIFIState{SSID: ssid}
+		}
+
+		bssProps, hasBSSInterface := bssInterfaces["net.connman.iwd.BasicServiceSet"]
+		if !hasBSSInterface {
+			return adapter.WIFIState{SSID: ssid}
+		}
+
+		addressVariant, hasAddress := bssProps["Address"]
+		if !hasAddress {
+			return adapter.WIFIState{SSID: ssid}
+		}
+		bssid, ok := addressVariant.Value().(string)
+		if !ok {
+			return adapter.WIFIState{SSID: ssid}
+		}
+
+		return adapter.WIFIState{
+			SSID:  ssid,
+			BSSID: strings.ToUpper(strings.ReplaceAll(bssid, ":", "")),
+		}
+	}
+
+	return adapter.WIFIState{}
+}
+
+func (m *iwdMonitor) Start() error {
+	if m.callback == nil {
+		return nil
+	}
+	ctx, cancel := context.WithCancel(context.Background())
+	m.cancel = cancel
+
+	m.signalChan = make(chan *dbus.Signal, 10)
+	m.conn.Signal(m.signalChan)
+
+	err := m.conn.AddMatchSignal(
+		dbus.WithMatchInterface("org.freedesktop.DBus.Properties"),
+		dbus.WithMatchSender("net.connman.iwd"),
+	)
+	if err != nil {
+		return err
+	}
+
+	state := m.ReadWIFIState()
+	go m.monitorSignals(ctx, m.signalChan, state)
+	m.callback(state)
+
+	return nil
+}
+
+func (m *iwdMonitor) monitorSignals(ctx context.Context, signalChan chan *dbus.Signal, lastState adapter.WIFIState) {
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case signal, ok := <-signalChan:
+			if !ok {
+				return
+			}
+			if signal.Name == "org.freedesktop.DBus.Properties.PropertiesChanged" {
+				state := m.ReadWIFIState()
+				if state != lastState {
+					lastState = state
+					m.callback(state)
+				}
+			}
+		}
+	}
+}
+
+func (m *iwdMonitor) Close() error {
+	if m.cancel != nil {
+		m.cancel()
+	}
+	if m.signalChan != nil {
+		m.conn.RemoveSignal(m.signalChan)
+		close(m.signalChan)
+	}
+	if m.conn != nil {
+		m.conn.RemoveMatchSignal(
+			dbus.WithMatchInterface("org.freedesktop.DBus.Properties"),
+			dbus.WithMatchSender("net.connman.iwd"),
+		)
+		return m.conn.Close()
+	}
+	return nil
+}

common/settings/wifi_linux_nm.go

@@ -0,0 +1,165 @@
+//go:build linux
+
+package settings
+
+import (
+	"context"
+	"strings"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+
+	"github.com/godbus/dbus/v5"
+)
+
+type networkManagerMonitor struct {
+	conn       *dbus.Conn
+	callback   func(adapter.WIFIState)
+	cancel     context.CancelFunc
+	signalChan chan *dbus.Signal
+}
+
+func newNetworkManagerMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
+	conn, err := dbus.ConnectSystemBus()
+	if err != nil {
+		return nil, err
+	}
+	nmObj := conn.Object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager")
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+	defer cancel()
+	var state uint32
+	err = nmObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager", "State").Store(&state)
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+	return &networkManagerMonitor{conn: conn, callback: callback}, nil
+}
+
+func (m *networkManagerMonitor) ReadWIFIState() adapter.WIFIState {
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	nmObj := m.conn.Object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager")
+
+	var activeConnectionPaths []dbus.ObjectPath
+	err := nmObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager", "ActiveConnections").Store(&activeConnectionPaths)
+	if err != nil || len(activeConnectionPaths) == 0 {
+		return adapter.WIFIState{}
+	}
+
+	for _, connectionPath := range activeConnectionPaths {
+		connObj := m.conn.Object("org.freedesktop.NetworkManager", connectionPath)
+
+		var devicePaths []dbus.ObjectPath
+		err = connObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.Connection.Active", "Devices").Store(&devicePaths)
+		if err != nil || len(devicePaths) == 0 {
+			continue
+		}
+
+		for _, devicePath := range devicePaths {
+			deviceObj := m.conn.Object("org.freedesktop.NetworkManager", devicePath)
+
+			var deviceType uint32
+			err = deviceObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.Device", "DeviceType").Store(&deviceType)
+			if err != nil || deviceType != 2 {
+				continue
+			}
+
+			var accessPointPath dbus.ObjectPath
+			err = deviceObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.Device.Wireless", "ActiveAccessPoint").Store(&accessPointPath)
+			if err != nil || accessPointPath == "/" {
+				continue
+			}
+
+			apObj := m.conn.Object("org.freedesktop.NetworkManager", accessPointPath)
+
+			var ssidBytes []byte
+			err = apObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.AccessPoint", "Ssid").Store(&ssidBytes)
+			if err != nil {
+				continue
+			}
+
+			var hwAddress string
+			err = apObj.CallWithContext(ctx, "org.freedesktop.DBus.Properties.Get", 0, "org.freedesktop.NetworkManager.AccessPoint", "HwAddress").Store(&hwAddress)
+			if err != nil {
+				continue
+			}
+
+			ssid := strings.TrimSpace(string(ssidBytes))
+			if ssid == "" {
+				continue
+			}
+
+			return adapter.WIFIState{
+				SSID:  ssid,
+				BSSID: strings.ToUpper(strings.ReplaceAll(hwAddress, ":", "")),
+			}
+		}
+	}
+
+	return adapter.WIFIState{}
+}
+
+func (m *networkManagerMonitor) Start() error {
+	if m.callback == nil {
+		return nil
+	}
+	ctx, cancel := context.WithCancel(context.Background())
+	m.cancel = cancel
+
+	m.signalChan = make(chan *dbus.Signal, 10)
+	m.conn.Signal(m.signalChan)
+
+	err := m.conn.AddMatchSignal(
+		dbus.WithMatchSender("org.freedesktop.NetworkManager"),
+		dbus.WithMatchInterface("org.freedesktop.DBus.Properties"),
+	)
+	if err != nil {
+		return err
+	}
+
+	state := m.ReadWIFIState()
+	go m.monitorSignals(ctx, m.signalChan, state)
+	m.callback(state)
+
+	return nil
+}
+
+func (m *networkManagerMonitor) monitorSignals(ctx context.Context, signalChan chan *dbus.Signal, lastState adapter.WIFIState) {
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case signal, ok := <-signalChan:
+			if !ok {
+				return
+			}
+			if signal.Name == "org.freedesktop.DBus.Properties.PropertiesChanged" {
+				state := m.ReadWIFIState()
+				if state != lastState {
+					lastState = state
+					m.callback(state)
+				}
+			}
+		}
+	}
+}
+
+func (m *networkManagerMonitor) Close() error {
+	if m.cancel != nil {
+		m.cancel()
+	}
+	if m.signalChan != nil {
+		m.conn.RemoveSignal(m.signalChan)
+		close(m.signalChan)
+	}
+	if m.conn != nil {
+		m.conn.RemoveMatchSignal(
+			dbus.WithMatchSender("org.freedesktop.NetworkManager"),
+			dbus.WithMatchInterface("org.freedesktop.DBus.Properties"),
+		)
+		return m.conn.Close()
+	}
+	return nil
+}

common/settings/wifi_linux_wpa.go

@@ -0,0 +1,225 @@
+package settings
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+)
+
+var wpaSocketCounter atomic.Uint64
+
+type wpaSupplicantMonitor struct {
+	socketPath  string
+	callback    func(adapter.WIFIState)
+	cancel      context.CancelFunc
+	monitorConn *net.UnixConn
+	connMutex   sync.Mutex
+}
+
+func newWpaSupplicantMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
+	socketDirs := []string{"/var/run/wpa_supplicant", "/run/wpa_supplicant"}
+	for _, socketDir := range socketDirs {
+		entries, err := os.ReadDir(socketDir)
+		if err != nil {
+			continue
+		}
+		for _, entry := range entries {
+			if entry.IsDir() || entry.Name() == "." || entry.Name() == ".." {
+				continue
+			}
+			socketPath := filepath.Join(socketDir, entry.Name())
+			id := wpaSocketCounter.Add(1)
+			localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-%d-%d", os.Getpid(), id), Net: "unixgram"}
+			remoteAddr := &net.UnixAddr{Name: socketPath, Net: "unixgram"}
+			conn, err := net.DialUnix("unixgram", localAddr, remoteAddr)
+			if err != nil {
+				continue
+			}
+			conn.Close()
+			return &wpaSupplicantMonitor{socketPath: socketPath, callback: callback}, nil
+		}
+	}
+	return nil, os.ErrNotExist
+}
+
+func (m *wpaSupplicantMonitor) ReadWIFIState() adapter.WIFIState {
+	id := wpaSocketCounter.Add(1)
+	localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-%d-%d", os.Getpid(), id), Net: "unixgram"}
+	remoteAddr := &net.UnixAddr{Name: m.socketPath, Net: "unixgram"}
+	conn, err := net.DialUnix("unixgram", localAddr, remoteAddr)
+	if err != nil {
+		return adapter.WIFIState{}
+	}
+	defer conn.Close()
+
+	conn.SetDeadline(time.Now().Add(3 * time.Second))
+
+	status, err := m.sendCommand(conn, "STATUS")
+	if err != nil {
+		return adapter.WIFIState{}
+	}
+
+	var ssid, bssid string
+	var connected bool
+	scanner := bufio.NewScanner(strings.NewReader(status))
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.HasPrefix(line, "wpa_state=") {
+			state := strings.TrimPrefix(line, "wpa_state=")
+			connected = state == "COMPLETED"
+		} else if strings.HasPrefix(line, "ssid=") {
+			ssid = strings.TrimPrefix(line, "ssid=")
+		} else if strings.HasPrefix(line, "bssid=") {
+			bssid = strings.TrimPrefix(line, "bssid=")
+		}
+	}
+
+	if !connected || ssid == "" {
+		return adapter.WIFIState{}
+	}
+
+	return adapter.WIFIState{
+		SSID:  ssid,
+		BSSID: strings.ToUpper(strings.ReplaceAll(bssid, ":", "")),
+	}
+}
+
+// sendCommand sends a command to wpa_supplicant and returns the response.
+// Commands are sent without trailing newlines per the wpa_supplicant control
+// interface protocol - the official wpa_ctrl.c sends raw command strings.
+func (m *wpaSupplicantMonitor) sendCommand(conn *net.UnixConn, command string) (string, error) {
+	_, err := conn.Write([]byte(command))
+	if err != nil {
+		return "", err
+	}
+
+	buf := make([]byte, 4096)
+	n, err := conn.Read(buf)
+	if err != nil {
+		return "", err
+	}
+
+	response := string(buf[:n])
+	if strings.HasPrefix(response, "FAIL") {
+		return "", os.ErrInvalid
+	}
+
+	return strings.TrimSpace(response), nil
+}
+
+func (m *wpaSupplicantMonitor) Start() error {
+	if m.callback == nil {
+		return nil
+	}
+	ctx, cancel := context.WithCancel(context.Background())
+	m.cancel = cancel
+
+	state := m.ReadWIFIState()
+	go m.monitorEvents(ctx, state)
+	m.callback(state)
+
+	return nil
+}
+
+func (m *wpaSupplicantMonitor) monitorEvents(ctx context.Context, lastState adapter.WIFIState) {
+	var consecutiveErrors int
+	var debounceTimer *time.Timer
+	var debounceMutex sync.Mutex
+
+	localAddr := &net.UnixAddr{Name: fmt.Sprintf("@sing-box-wpa-mon-%d", os.Getpid()), Net: "unixgram"}
+	remoteAddr := &net.UnixAddr{Name: m.socketPath, Net: "unixgram"}
+	conn, err := net.DialUnix("unixgram", localAddr, remoteAddr)
+	if err != nil {
+		return
+	}
+	defer conn.Close()
+
+	m.connMutex.Lock()
+	m.monitorConn = conn
+	m.connMutex.Unlock()
+
+	// ATTACH/DETACH commands use os_strcmp() for exact matching in wpa_supplicant,
+	// so they must be sent without trailing newlines.
+	// See: https://w1.fi/cgit/hostap/tree/wpa_supplicant/ctrl_iface_unix.c
+	_, err = conn.Write([]byte("ATTACH"))
+	if err != nil {
+		return
+	}
+
+	buf := make([]byte, 4096)
+	n, err := conn.Read(buf)
+	if err != nil || !strings.HasPrefix(string(buf[:n]), "OK") {
+		return
+	}
+
+	for {
+		select {
+		case <-ctx.Done():
+			debounceMutex.Lock()
+			if debounceTimer != nil {
+				debounceTimer.Stop()
+			}
+			debounceMutex.Unlock()
+			conn.Write([]byte("DETACH"))
+			return
+		default:
+		}
+
+		conn.SetReadDeadline(time.Now().Add(30 * time.Second))
+		n, err := conn.Read(buf)
+		if err != nil {
+			if netErr, ok := err.(net.Error); ok && netErr.Timeout() {
+				continue
+			}
+			select {
+			case <-ctx.Done():
+				return
+			default:
+			}
+			consecutiveErrors++
+			if consecutiveErrors > 10 {
+				return
+			}
+			time.Sleep(time.Second)
+			continue
+		}
+		consecutiveErrors = 0
+
+		msg := string(buf[:n])
+		if strings.Contains(msg, "CTRL-EVENT-CONNECTED") || strings.Contains(msg, "CTRL-EVENT-DISCONNECTED") {
+			debounceMutex.Lock()
+			if debounceTimer != nil {
+				debounceTimer.Stop()
+			}
+			debounceTimer = time.AfterFunc(500*time.Millisecond, func() {
+				state := m.ReadWIFIState()
+				if state != lastState {
+					lastState = state
+					m.callback(state)
+				}
+			})
+			debounceMutex.Unlock()
+		}
+	}
+}
+
+func (m *wpaSupplicantMonitor) Close() error {
+	if m.cancel != nil {
+		m.cancel()
+	}
+	m.connMutex.Lock()
+	if m.monitorConn != nil {
+		m.monitorConn.Close()
+	}
+	m.connMutex.Unlock()
+	return nil
+}

common/settings/wifi_stub.go

@@ -0,0 +1,27 @@
+//go:build !linux && !windows
+
+package settings
+
+import (
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+)
+
+type stubWIFIMonitor struct{}
+
+func NewWIFIMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
+	return nil, os.ErrInvalid
+}
+
+func (m *stubWIFIMonitor) ReadWIFIState() adapter.WIFIState {
+	return adapter.WIFIState{}
+}
+
+func (m *stubWIFIMonitor) Start() error {
+	return nil
+}
+
+func (m *stubWIFIMonitor) Close() error {
+	return nil
+}

common/settings/wifi_windows.go

@@ -0,0 +1,144 @@
+//go:build windows
+
+package settings
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"sync"
+	"syscall"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing/common/winwlanapi"
+
+	"golang.org/x/sys/windows"
+)
+
+type windowsWIFIMonitor struct {
+	handle    windows.Handle
+	callback  func(adapter.WIFIState)
+	cancel    context.CancelFunc
+	lastState adapter.WIFIState
+	mutex     sync.Mutex
+}
+
+func NewWIFIMonitor(callback func(adapter.WIFIState)) (WIFIMonitor, error) {
+	handle, err := winwlanapi.OpenHandle()
+	if err != nil {
+		return nil, err
+	}
+
+	interfaces, err := winwlanapi.EnumInterfaces(handle)
+	if err != nil {
+		winwlanapi.CloseHandle(handle)
+		return nil, err
+	}
+	if len(interfaces) == 0 {
+		winwlanapi.CloseHandle(handle)
+		return nil, fmt.Errorf("no wireless interfaces found")
+	}
+
+	return &windowsWIFIMonitor{
+		handle:   handle,
+		callback: callback,
+	}, nil
+}
+
+func (m *windowsWIFIMonitor) ReadWIFIState() adapter.WIFIState {
+	interfaces, err := winwlanapi.EnumInterfaces(m.handle)
+	if err != nil || len(interfaces) == 0 {
+		return adapter.WIFIState{}
+	}
+
+	for _, iface := range interfaces {
+		if iface.InterfaceState != winwlanapi.InterfaceStateConnected {
+			continue
+		}
+
+		guid := iface.InterfaceGUID
+		attrs, err := winwlanapi.QueryCurrentConnection(m.handle, &guid)
+		if err != nil {
+			continue
+		}
+
+		ssidLength := attrs.AssociationAttributes.SSID.Length
+		if ssidLength == 0 || ssidLength > winwlanapi.Dot11SSIDMaxLength {
+			continue
+		}
+
+		ssid := string(attrs.AssociationAttributes.SSID.SSID[:ssidLength])
+		bssid := formatBSSID(attrs.AssociationAttributes.BSSID)
+
+		return adapter.WIFIState{
+			SSID:  strings.TrimSpace(ssid),
+			BSSID: bssid,
+		}
+	}
+
+	return adapter.WIFIState{}
+}
+
+func formatBSSID(mac winwlanapi.Dot11MacAddress) string {
+	return fmt.Sprintf("%02X%02X%02X%02X%02X%02X",
+		mac[0], mac[1], mac[2], mac[3], mac[4], mac[5])
+}
+
+func (m *windowsWIFIMonitor) Start() error {
+	if m.callback == nil {
+		return nil
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	m.cancel = cancel
+
+	m.lastState = m.ReadWIFIState()
+
+	callbackFunc := func(data *winwlanapi.NotificationData, callbackContext uintptr) uintptr {
+		if data.NotificationSource != winwlanapi.NotificationSourceACM {
+			return 0
+		}
+		switch data.NotificationCode {
+		case winwlanapi.NotificationACMConnectionComplete,
+			winwlanapi.NotificationACMDisconnected:
+			m.checkAndNotify()
+		}
+		return 0
+	}
+
+	callbackPointer := syscall.NewCallback(callbackFunc)
+
+	err := winwlanapi.RegisterNotification(m.handle, winwlanapi.NotificationSourceACM, callbackPointer, 0)
+	if err != nil {
+		cancel()
+		return err
+	}
+
+	go func() {
+		<-ctx.Done()
+	}()
+
+	m.callback(m.lastState)
+	return nil
+}
+
+func (m *windowsWIFIMonitor) checkAndNotify() {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	state := m.ReadWIFIState()
+	if state != m.lastState {
+		m.lastState = state
+		if m.callback != nil {
+			m.callback(state)
+		}
+	}
+}
+
+func (m *windowsWIFIMonitor) Close() error {
+	if m.cancel != nil {
+		m.cancel()
+	}
+	winwlanapi.UnregisterNotification(m.handle)
+	return winwlanapi.CloseHandle(m.handle)
+}

common/sniff/quic.go

@@ -303,8 +303,6 @@ find:
 	metadata.Protocol = C.ProtocolQUIC
 	fingerprint, err := ja3.Compute(buffer.Bytes())
 	if err != nil {
-		metadata.Protocol = C.ProtocolQUIC
-		metadata.Client = C.ClientChromium
 		metadata.SniffContext = fragments
 		return E.Cause1(ErrNeedMoreData, err)
 	}
@@ -334,7 +332,7 @@ find:
 		}
 
 		if count(frameTypeList, frameTypeCrypto) > 1 || count(frameTypeList, frameTypePing) > 0 {
-			if maybeUQUIC(fingerprint) {
+			if isQUICGo(fingerprint) {
 				metadata.Client = C.ClientQUICGo
 			} else {
 				metadata.Client = C.ClientChromium

common/sniff/quic_blacklist.go

@@ -1,21 +1,29 @@
 package sniff
 
 import (
-	"crypto/tls"
-
 	"github.com/sagernet/sing-box/common/ja3"
 )
 
-// Chromium sends separate client hello packets, but UQUIC has not yet implemented this behavior
-// The cronet without this behavior does not have version 115
-var uQUICChrome115 = &ja3.ClientHello{
-	Version:             tls.VersionTLS12,
-	CipherSuites:        []uint16{4865, 4866, 4867},
-	Extensions:          []uint16{0, 10, 13, 16, 27, 43, 45, 51, 57, 17513},
-	EllipticCurves:      []uint16{29, 23, 24},
-	SignatureAlgorithms: []uint16{1027, 2052, 1025, 1283, 2053, 1281, 2054, 1537, 513},
-}
+const (
+	// X25519Kyber768Draft00 - post-quantum curve used by Go crypto/tls
+	x25519Kyber768Draft00 uint16 = 0x11EC // 4588
+	// renegotiation_info extension used by Go crypto/tls
+	extensionRenegotiationInfo uint16 = 0xFF01 // 65281
+)
 
-func maybeUQUIC(fingerprint *ja3.ClientHello) bool {
-	return !uQUICChrome115.Equals(fingerprint, true)
+// isQUICGo detects native quic-go by checking for Go crypto/tls specific features.
+// Note: uQUIC with Chromium mimicry cannot be reliably distinguished from real Chromium
+// since it uses the same TLS fingerprint, so it will be identified as Chromium.
+func isQUICGo(fingerprint *ja3.ClientHello) bool {
+	for _, curve := range fingerprint.EllipticCurves {
+		if curve == x25519Kyber768Draft00 {
+			return true
+		}
+	}
+	for _, ext := range fingerprint.Extensions {
+		if ext == extensionRenegotiationInfo {
+			return true
+		}
+	}
+	return false
 }

common/sniff/quic_capture_test.go

@@ -0,0 +1,188 @@
+package sniff_test
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/hex"
+	"errors"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/sagernet/quic-go"
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/sniff"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSniffQUICQuicGoFingerprint(t *testing.T) {
+	t.Parallel()
+	const testSNI = "test.example.com"
+
+	udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer udpConn.Close()
+
+	serverAddr := udpConn.LocalAddr().(*net.UDPAddr)
+	packetsChan := make(chan [][]byte, 1)
+
+	go func() {
+		var packets [][]byte
+		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
+		for i := 0; i < 10; i++ {
+			buf := make([]byte, 2048)
+			n, _, err := udpConn.ReadFromUDP(buf)
+			if err != nil {
+				break
+			}
+			packets = append(packets, buf[:n])
+		}
+		packetsChan <- packets
+	}()
+
+	clientConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer clientConn.Close()
+
+	tlsConfig := &tls.Config{
+		ServerName:         testSNI,
+		InsecureSkipVerify: true,
+		NextProtos:         []string{"h3"},
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	_, _ = quic.Dial(ctx, clientConn, serverAddr, tlsConfig, &quic.Config{})
+
+	select {
+	case packets := <-packetsChan:
+		t.Logf("Captured %d packets", len(packets))
+
+		var metadata adapter.InboundContext
+		for i, pkt := range packets {
+			err := sniff.QUICClientHello(context.Background(), &metadata, pkt)
+			t.Logf("Packet %d: err=%v, domain=%s, client=%s", i, err, metadata.Domain, metadata.Client)
+			if metadata.Domain != "" {
+				break
+			}
+		}
+
+		t.Logf("\n=== quic-go TLS Fingerprint Analysis ===")
+		t.Logf("Domain: %s", metadata.Domain)
+		t.Logf("Client: %s", metadata.Client)
+		t.Logf("Protocol: %s", metadata.Protocol)
+
+		// The client should be identified as quic-go, not chromium
+		// Current issue: it's being identified as chromium
+		if metadata.Client == "chromium" {
+			t.Log("WARNING: quic-go is being misidentified as chromium!")
+		}
+
+	case <-time.After(5 * time.Second):
+		t.Fatal("Timeout")
+	}
+}
+
+func TestSniffQUICInitialFromQuicGo(t *testing.T) {
+	t.Parallel()
+
+	const testSNI = "test.example.com"
+
+	// Create UDP listener to capture ALL initial packets
+	udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer udpConn.Close()
+
+	serverAddr := udpConn.LocalAddr().(*net.UDPAddr)
+
+	// Channel to receive captured packets
+	packetsChan := make(chan [][]byte, 1)
+
+	// Start goroutine to capture packets
+	go func() {
+		var packets [][]byte
+		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
+		for i := 0; i < 5; i++ { // Capture up to 5 packets
+			buf := make([]byte, 2048)
+			n, _, err := udpConn.ReadFromUDP(buf)
+			if err != nil {
+				break
+			}
+			packets = append(packets, buf[:n])
+		}
+		packetsChan <- packets
+	}()
+
+	// Create QUIC client connection (will fail but we capture the initial packet)
+	clientConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer clientConn.Close()
+
+	tlsConfig := &tls.Config{
+		ServerName:         testSNI,
+		InsecureSkipVerify: true,
+		NextProtos:         []string{"h3"},
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	// This will fail (no server) but sends initial packet
+	_, _ = quic.Dial(ctx, clientConn, serverAddr, tlsConfig, &quic.Config{})
+
+	// Wait for captured packets
+	select {
+	case packets := <-packetsChan:
+		t.Logf("Captured %d QUIC packets", len(packets))
+
+		for i, packet := range packets {
+			t.Logf("Packet %d: length=%d, first 30 bytes: %x", i, len(packet), packet[:min(30, len(packet))])
+		}
+
+		// Test sniffer with first packet
+		if len(packets) > 0 {
+			var metadata adapter.InboundContext
+			err := sniff.QUICClientHello(context.Background(), &metadata, packets[0])
+
+			t.Logf("First packet sniff error: %v", err)
+			t.Logf("Protocol: %s", metadata.Protocol)
+			t.Logf("Domain: %s", metadata.Domain)
+			t.Logf("Client: %s", metadata.Client)
+
+			// If first packet needs more data, try with subsequent packets
+			// IMPORTANT: reuse metadata to accumulate CRYPTO fragments via SniffContext
+			if errors.Is(err, sniff.ErrNeedMoreData) && len(packets) > 1 {
+				t.Log("First packet needs more data, trying subsequent packets with shared context...")
+				for i := 1; i < len(packets); i++ {
+					// Reuse same metadata to accumulate fragments
+					err = sniff.QUICClientHello(context.Background(), &metadata, packets[i])
+					t.Logf("Packet %d sniff result: err=%v, domain=%s, sniffCtx=%v", i, err, metadata.Domain, metadata.SniffContext != nil)
+					if metadata.Domain != "" || (err != nil && !errors.Is(err, sniff.ErrNeedMoreData)) {
+						break
+					}
+				}
+			}
+
+			// Print hex dump for debugging
+			t.Logf("First packet hex:\n%s", hex.Dump(packets[0][:min(256, len(packets[0]))]))
+
+			// Log final results
+			t.Logf("Final: Protocol=%s, Domain=%s, Client=%s", metadata.Protocol, metadata.Domain, metadata.Client)
+
+			// Verify SNI extraction
+			if metadata.Domain == "" {
+				t.Errorf("Failed to extract SNI, expected: %s", testSNI)
+			} else {
+				require.Equal(t, testSNI, metadata.Domain, "SNI should match")
+			}
+
+			// Check client identification - quic-go should be identified as quic-go, not chromium
+			t.Logf("Client identified as: %s (expected: quic-go)", metadata.Client)
+		}
+
+	case <-time.After(5 * time.Second):
+		t.Fatal("Timeout waiting for QUIC packets")
+	}
+}

common/sniff/quic_test.go

@@ -19,7 +19,7 @@ func TestSniffQUICChromeNew(t *testing.T) {
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientChromium)
+	require.Empty(t, metadata.Client)
 	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
 	pkt, err = hex.DecodeString("cc0000000108e241a0c601413b4f004046006d8f15dae9999edf39d58df6762822b9a2ab996d7f6a10044338af3b51b1814bc4ac0fa5a87c34c6ae604af8cabc5957c5240174deefc8e378719ffdab2ae4e15bf4514bea44894b626c685cd5d5c965f7e97b3a1bdc520b75813e747f37a3ae83ad38b9ca2acb0de4fc9424839a50c8fb815a62b498609fbbc59145698860e0509cc08a04d1b119daef844ba2f09c16e2665e5cc0b47624b71f7b950c54fd56b4a1fbb826cba44eeeee3949ced8f5de60d4c81b19ee59f75aa1abb33f22c6b13c27095eb1e99cff01fdc93e6e88da2622ee18c08a79f508befd7e33e99bca60e64bef9a47b764384bd93823daeeb6fcb4d7cfbc4ab53eff59b3636f6dcaaf229b5a94941b5712807166b9bd5e82cb4a9708a71451c4cd6f6e33fb2fe40c8c70dd51a30b37ff9c5e35783debde0093fde19ce074b4887b3c90980b107b9c0f32cf61a66f37c251b789abc4d27fc421207966846c8cc7faa42d9af6ad355a6bc94cb78223b612be8b3e2a4df61fee83a674a0ceb8b7c3a29b97102cda22fecdf6a4628e5b612bc17eab64d6f75feedd0b106c0419e484e66725759964cb5935ac5125e5ae920cd280bd40df57c1d7ae1845700bd4eb7b7ab12bc0850950bfe6e69edd6ac1daa5db2c2b07484327196e561c513462d72872dc6771c39f6b60d46a1f2c92343b7338450a0ef8e39f97fa70652b3a12cd04043698951627aaaa82cc95e76df92021d30e8014c984f12eea0143de8b17e5e4a36ec07bf4814251b391f168a59ef75afcd2319249aaba930f06bb7a11b9491e6f71b3d5774a6503a965e94edd0a67737282fc9cb0271779ff14151b7aa9267bb8f7d643185512515aeea513c0c98bfae782381a3317064195d8825cf8b25c17cdab5fced02612a3f2870e40df57e6ca3f08228a2b04e8de1425eb4b970118f9bbdc212223ff86a5d6b648cdf2366722f21de4b14a1014879eadb69215cdb1aa2a9f4f310ecfe3116214fe3ab0a23f4775a0a54b48d7dfd8f7283ed687b3ac7e1a7e42a0bdc3478aba8651c03e1e9cc9df17d106b8130afe854269b0103b7a696f452721887b19d8181830073c9f10684c65f96d3a6c6efbae044eec03d6399e001fa44d54635dc72f9b8ea6b87d0f452cad1e1e32273e2b47c40f2730235adcae8523b8282f86b8cf1ab63ae54aaa06130df3bbf6ecac7d7d1d43d2a87aea837267ff8ccfaa4b7e47b7ded909e6603d0b928a304f8915c839153598adc4178eb48bc0e98ad7793d7980275e1e491ba4847a4a04ae30fe7f5cc7d4b6f4f63a525e9964d72245860ca76a668a4654adb6619f16e9db79131e5675b93cafb96c92f1da8464d4fef2a22e7f9db695965fe2cc27ea30974629c8fe17cfa2f860179e1eb9faaa88a91ec9ce6da28c1a2894c3b932b5e1c807146718cc77ca13c61eaae00c7c99e019f599772064b198c5c2c5e863336367673630b417ac845ddb7c93b0856317e5d64bab208c5730abc2c63536784fbeaaec139dffc917e775715f1e42164ddef5138d4d163609ab3fbdcab968f8738385c0e7e34ff3cf7771a1dc5ba25a8850fdf96dabafa21f9065f307457ce9af4b7a73450c9d20a3b46fa8d3a1163d22bd01a7d17f0ec274181bf9640fa941427694bfeb1346089f7a851efe0fbb7a2041fa6bb6541ccbad77dd3e1a97999fc05f1fef070e7b5c4b385b8b2a8cc32483fdeba6a373970de2fa4139ba18e5916f949aab0aab2894")
 	require.NoError(t, err)
@@ -39,7 +39,7 @@ func TestSniffQUICChromium(t *testing.T) {
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientChromium)
+	require.Empty(t, metadata.Client)
 	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
 	pkt, err = hex.DecodeString("c90000000108f40d654cc09b27f5000044d073eb38807026d4088455e650e7ccf750d01a72f15f9bfc8ff40d223499db1a485cff14dbd45b9be118172834dc35dca3cf62f61a1266f40b92faf3d28d67a466cfdca678ddced15cd606d31959cf441828467857b226d1a241847c82c57312cefe68ba5042d929919bcd4403b39e5699fe87dda05df1b3801e048edee792458e9b1a9b1d4039df05847bcee3be567494b5876e3bd4c3220fe9dfdb2c07d77410f907f744251ef15536cc03b267d3668d5b75bc1ad2fe735cd3bb73519dd9f1625a49e17ad27bdeccf706c83b5ea339a0a05dd0072f4a8f162bd29926b4997f05613c6e4b0270b0c02805ca0543f27c1ff8505a5750bdd33529ee73c491050a10c6903f53c1121dbe0380e84c007c8df74a1b02443ed80ba7766aef5549e618d4fd249844ee28565142005369869299e8c3035ecef3d799f6cada8549e75b4ce4cbf4c85ef071fd7ff067b1ca9b5968dc41d13d011f6d7843823bac97acb1eb8ee45883f0f254b5f9bd4c763b67e2d8c70a7618a0ef0de304cf597a485126e09f8b2fd795b394c0b4bc4cd2634c2057970da2c798c5e8af7aed4f76f5e25d04e3f8c9c5a5b150d17e0d4c74229898c69b8dc7b8bcc9d359eb441de75c68fbdebec62fb669dcccfb1aad03e3fa073adb2ccf7bb14cbaf99e307d2c903ee71a8f028102eb510caee7e7397512086a78d1f95635c7d06845b5a708652dc4e5cd61245aae5b3c05b84815d84d367bce9b9e3f6d6b90701ac3679233c14d5ce2a1eff26469c966266dc6284bdb95c9c6158934c413a872ce22101e4163e3293d236b301592ca4ccacc1fd4c37066e79c2d9857c8a2560dcf0b33b19163c4240c471b19907476e7e25c65f7eb37276594a0f6b4c33c340cc3284178f17ac5e34dbe7509db890e4ddfd0540fbf9deb32a0101d24fe58b26c5f81c627db9d6ae59d7a111a3d5d1f6109f4eec0d0234e6d73c73a44f50999462724b51ce0fd8283535d70d9e83872c79c59897407a0736741011ae5c64862eb0712f9e7b07aa1d5418ca3fde8626257c6fe418f3c5479055bb2b0ab4c25f649923fc2a41c79aaa7d0f3af6d8b8cf06f61f0230d09bbb60bb49b9e49cc5973748a6cf7ffdee7804d424f9423c63e7ff22f4bd24e4867636ef9fe8dd37f59941a8a47c27765caa8e875a30b62834f17c569227e5e6ed15d58e05d36e76332befad065a2cd4079e66d5af189b0337624c89b1560c3b1b0befd5c1f20e6de8e3d664b3ac06b3d154b488983e14aa93266f5f8b621d2a9bb7ccce509eb26e025c9c45f7cccc09ce85b3103af0c93ce9822f82ecb168ca3177829afb2ea0da2c380e7b1728add55a5d42632e2290363d4cbe432b67e13691648e1acfab22cf0d551eee857709b428bb78e27a45aff6eca301c02e4d13cf36cc2494fdd1aef8dede6e18febd79dca4c6964d09b91c25a08f0947c76ab5104de9404459c2edf5f4adb9dfd771be83656f77fbbafb1ad3281717066010be8778952495383c9f2cf0a38527228c662a35171c5981731f1af09bab842fe6c3162ad4152a4221f560eb6f9bea66b294ffbd3643da2fe34096da13c246505452540177a2a0a1a69106e5cfc279a4890fc3be2952f26be245f930e6c2d9e7e26ee960481e72b99594a1185b46b94b6436d00ba6c70ffe135d43907c92c6f1c09fb9453f103730714f5700fa4347f9715c774cb04a7218dacc66d9c2fade18b14e684aa7fc9ebda0a28")
 	require.NoError(t, err)

common/srs/binary.go

@@ -6,6 +6,7 @@ import (
 	"encoding/binary"
 	"io"
 	"net/netip"
+	"unsafe"
 
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
@@ -505,7 +506,24 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 }
 
 func readRuleItemString(reader varbin.Reader) ([]string, error) {
-	return varbin.ReadValue[[]string](reader, binary.BigEndian)
+	length, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return nil, err
+	}
+	result := make([]string, length)
+	for i := range result {
+		strLen, err := binary.ReadUvarint(reader)
+		if err != nil {
+			return nil, err
+		}
+		buf := make([]byte, strLen)
+		_, err = io.ReadFull(reader, buf)
+		if err != nil {
+			return nil, err
+		}
+		result[i] = string(buf)
+	}
+	return result, nil
 }
 
 func writeRuleItemString(writer varbin.Writer, itemType uint8, value []string) error {
@@ -513,11 +531,34 @@ func writeRuleItemString(writer varbin.Writer, itemType uint8, value []string) e
 	if err != nil {
 		return err
 	}
-	return varbin.Write(writer, binary.BigEndian, value)
+	_, err = varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	for _, s := range value {
+		_, err = varbin.WriteUvarint(writer, uint64(len(s)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write([]byte(s))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 func readRuleItemUint8[E ~uint8](reader varbin.Reader) ([]E, error) {
-	return varbin.ReadValue[[]E](reader, binary.BigEndian)
+	length, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return nil, err
+	}
+	result := make([]E, length)
+	_, err = io.ReadFull(reader, *(*[]byte)(unsafe.Pointer(&result)))
+	if err != nil {
+		return nil, err
+	}
+	return result, nil
 }
 
 func writeRuleItemUint8[E ~uint8](writer varbin.Writer, itemType uint8, value []E) error {
@@ -525,11 +566,25 @@ func writeRuleItemUint8[E ~uint8](writer varbin.Writer, itemType uint8, value []
 	if err != nil {
 		return err
 	}
-	return varbin.Write(writer, binary.BigEndian, value)
+	_, err = varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write(*(*[]byte)(unsafe.Pointer(&value)))
+	return err
 }
 
 func readRuleItemUint16(reader varbin.Reader) ([]uint16, error) {
-	return varbin.ReadValue[[]uint16](reader, binary.BigEndian)
+	length, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return nil, err
+	}
+	result := make([]uint16, length)
+	err = binary.Read(reader, binary.BigEndian, result)
+	if err != nil {
+		return nil, err
+	}
+	return result, nil
 }
 
 func writeRuleItemUint16(writer varbin.Writer, itemType uint8, value []uint16) error {
@@ -537,7 +592,11 @@ func writeRuleItemUint16(writer varbin.Writer, itemType uint8, value []uint16) e
 	if err != nil {
 		return err
 	}
-	return varbin.Write(writer, binary.BigEndian, value)
+	_, err = varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	return binary.Write(writer, binary.BigEndian, value)
 }
 
 func writeRuleItemCIDR(writer varbin.Writer, itemType uint8, value []string) error {

common/srs/compat_test.go

@@ -0,0 +1,494 @@
+package srs
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/binary"
+	"net/netip"
+	"strings"
+	"testing"
+	"unsafe"
+
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/varbin"
+
+	"github.com/stretchr/testify/require"
+	"go4.org/netipx"
+)
+
+// Old implementations using varbin reflection-based serialization
+
+func oldWriteStringSlice(writer varbin.Writer, value []string) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, value)
+}
+
+func oldReadStringSlice(reader varbin.Reader) ([]string, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[[]string](reader, binary.BigEndian)
+}
+
+func oldWriteUint8Slice[E ~uint8](writer varbin.Writer, value []E) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, value)
+}
+
+func oldReadUint8Slice[E ~uint8](reader varbin.Reader) ([]E, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[[]E](reader, binary.BigEndian)
+}
+
+func oldWriteUint16Slice(writer varbin.Writer, value []uint16) error {
+	//nolint:staticcheck
+	return varbin.Write(writer, binary.BigEndian, value)
+}
+
+func oldReadUint16Slice(reader varbin.Reader) ([]uint16, error) {
+	//nolint:staticcheck
+	return varbin.ReadValue[[]uint16](reader, binary.BigEndian)
+}
+
+func oldWritePrefix(writer varbin.Writer, prefix netip.Prefix) error {
+	//nolint:staticcheck
+	err := varbin.Write(writer, binary.BigEndian, prefix.Addr().AsSlice())
+	if err != nil {
+		return err
+	}
+	return binary.Write(writer, binary.BigEndian, uint8(prefix.Bits()))
+}
+
+type oldIPRangeData struct {
+	From []byte
+	To   []byte
+}
+
+// Note: The old writeIPSet had a bug where varbin.Write(writer, binary.BigEndian, data)
+// with a struct VALUE (not pointer) silently wrote nothing because field.CanSet() returned false.
+// This caused IP range data to be missing from the output.
+// The new implementation correctly writes all range data.
+//
+// The old readIPSet used varbin.Read with a pre-allocated slice, which worked because
+// slice elements are addressable and CanSet() returns true for them.
+//
+// For compatibility testing, we verify:
+// 1. New write produces correct output with range data
+// 2. New read can parse the new format correctly
+// 3. Round-trip works correctly
+
+func oldReadIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
+	version, err := reader.ReadByte()
+	if err != nil {
+		return nil, err
+	}
+	if version != 1 {
+		return nil, err
+	}
+	var length uint64
+	err = binary.Read(reader, binary.BigEndian, &length)
+	if err != nil {
+		return nil, err
+	}
+	ranges := make([]oldIPRangeData, length)
+	//nolint:staticcheck
+	err = varbin.Read(reader, binary.BigEndian, &ranges)
+	if err != nil {
+		return nil, err
+	}
+	mySet := &myIPSet{
+		rr: make([]myIPRange, len(ranges)),
+	}
+	for i, rangeData := range ranges {
+		mySet.rr[i].from = M.AddrFromIP(rangeData.From)
+		mySet.rr[i].to = M.AddrFromIP(rangeData.To)
+	}
+	return (*netipx.IPSet)(unsafe.Pointer(mySet)), nil
+}
+
+// New write functions (without itemType prefix for testing)
+
+func newWriteStringSlice(writer varbin.Writer, value []string) error {
+	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	for _, s := range value {
+		_, err = varbin.WriteUvarint(writer, uint64(len(s)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write([]byte(s))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func newWriteUint8Slice[E ~uint8](writer varbin.Writer, value []E) error {
+	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write(*(*[]byte)(unsafe.Pointer(&value)))
+	return err
+}
+
+func newWriteUint16Slice(writer varbin.Writer, value []uint16) error {
+	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
+	if err != nil {
+		return err
+	}
+	return binary.Write(writer, binary.BigEndian, value)
+}
+
+func newWritePrefix(writer varbin.Writer, prefix netip.Prefix) error {
+	addrSlice := prefix.Addr().AsSlice()
+	_, err := varbin.WriteUvarint(writer, uint64(len(addrSlice)))
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write(addrSlice)
+	if err != nil {
+		return err
+	}
+	return writer.WriteByte(uint8(prefix.Bits()))
+}
+
+// Tests
+
+func TestStringSliceCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input []string
+	}{
+		{"nil", nil},
+		{"empty", []string{}},
+		{"single_empty", []string{""}},
+		{"single", []string{"test"}},
+		{"multi", []string{"a", "b", "c"}},
+		{"with_empty", []string{"a", "", "c"}},
+		{"utf8", []string{"测试", "テスト", "тест"}},
+		{"long_string", []string{strings.Repeat("x", 128)}},
+		{"many_elements", generateStrings(128)},
+		{"many_elements_256", generateStrings(256)},
+		{"127_byte_string", []string{strings.Repeat("x", 127)}},
+		{"128_byte_string", []string{strings.Repeat("x", 128)}},
+		{"mixed_lengths", []string{"a", strings.Repeat("b", 100), "", strings.Repeat("c", 200)}},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWriteStringSlice(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = newWriteStringSlice(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> old read
+			readBack, err := oldReadStringSlice(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireStringSliceEqual(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readRuleItemString(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			requireStringSliceEqual(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestUint8SliceCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input []uint8
+	}{
+		{"nil", nil},
+		{"empty", []uint8{}},
+		{"single_zero", []uint8{0}},
+		{"single_max", []uint8{255}},
+		{"multi", []uint8{0, 1, 127, 128, 255}},
+		{"boundary", []uint8{0x00, 0x7f, 0x80, 0xff}},
+		{"sequential", generateUint8Slice(256)},
+		{"127_elements", generateUint8Slice(127)},
+		{"128_elements", generateUint8Slice(128)},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWriteUint8Slice(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = newWriteUint8Slice(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> old read
+			readBack, err := oldReadUint8Slice[uint8](bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireUint8SliceEqual(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readRuleItemUint8[uint8](bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			requireUint8SliceEqual(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestUint16SliceCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input []uint16
+	}{
+		{"nil", nil},
+		{"empty", []uint16{}},
+		{"single_zero", []uint16{0}},
+		{"single_max", []uint16{65535}},
+		{"multi", []uint16{0, 255, 256, 32767, 32768, 65535}},
+		{"ports", []uint16{80, 443, 8080, 8443}},
+		{"127_elements", generateUint16Slice(127)},
+		{"128_elements", generateUint16Slice(128)},
+		{"256_elements", generateUint16Slice(256)},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWriteUint16Slice(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = newWriteUint16Slice(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> old read
+			readBack, err := oldReadUint16Slice(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireUint16SliceEqual(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readRuleItemUint16(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			requireUint16SliceEqual(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestPrefixCompat(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name  string
+		input netip.Prefix
+	}{
+		{"ipv4_0", netip.MustParsePrefix("0.0.0.0/0")},
+		{"ipv4_8", netip.MustParsePrefix("10.0.0.0/8")},
+		{"ipv4_16", netip.MustParsePrefix("192.168.0.0/16")},
+		{"ipv4_24", netip.MustParsePrefix("192.168.1.0/24")},
+		{"ipv4_32", netip.MustParsePrefix("1.2.3.4/32")},
+		{"ipv6_0", netip.MustParsePrefix("::/0")},
+		{"ipv6_64", netip.MustParsePrefix("2001:db8::/64")},
+		{"ipv6_128", netip.MustParsePrefix("::1/128")},
+		{"ipv6_full", netip.MustParsePrefix("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")},
+		{"ipv4_private", netip.MustParsePrefix("172.16.0.0/12")},
+		{"ipv6_link_local", netip.MustParsePrefix("fe80::/10")},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Old write
+			var oldBuf bytes.Buffer
+			err := oldWritePrefix(&oldBuf, tc.input)
+			require.NoError(t, err)
+
+			// New write
+			var newBuf bytes.Buffer
+			err = newWritePrefix(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Bytes must match
+			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
+				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
+
+			// New write -> new read (no old read for prefix)
+			readBack, err := readPrefix(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack)
+
+			// Old write -> new read
+			readBack2, err := readPrefix(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
+			require.NoError(t, err)
+			require.Equal(t, tc.input, readBack2)
+		})
+	}
+}
+
+func TestIPSetCompat(t *testing.T) {
+	t.Parallel()
+
+	// Note: The old writeIPSet was buggy (varbin.Write with struct values wrote nothing).
+	// This test verifies the new implementation writes correct data and round-trips correctly.
+
+	cases := []struct {
+		name  string
+		input *netipx.IPSet
+	}{
+		{"single_ipv4", buildIPSet("1.2.3.4")},
+		{"ipv4_range", buildIPSet("192.168.0.0/16")},
+		{"multi_ipv4", buildIPSet("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")},
+		{"single_ipv6", buildIPSet("::1")},
+		{"ipv6_range", buildIPSet("2001:db8::/32")},
+		{"mixed", buildIPSet("10.0.0.0/8", "::1", "2001:db8::/32")},
+		{"large", buildLargeIPSet(100)},
+		{"adjacent_ranges", buildIPSet("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24")},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// New write
+			var newBuf bytes.Buffer
+			err := writeIPSet(&newBuf, tc.input)
+			require.NoError(t, err)
+
+			// Verify format starts with version byte (1) + uint64 count
+			require.True(t, len(newBuf.Bytes()) >= 9, "output too short")
+			require.Equal(t, byte(1), newBuf.Bytes()[0], "version byte mismatch")
+
+			// New write -> old read (varbin.Read with pre-allocated slice works correctly)
+			readBack, err := oldReadIPSet(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireIPSetEqual(t, tc.input, readBack)
+
+			// New write -> new read
+			readBack2, err := readIPSet(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
+			require.NoError(t, err)
+			requireIPSetEqual(t, tc.input, readBack2)
+		})
+	}
+}
+
+// Helper functions
+
+func generateStrings(count int) []string {
+	result := make([]string, count)
+	for i := range result {
+		result[i] = strings.Repeat("x", i%50)
+	}
+	return result
+}
+
+func generateUint8Slice(count int) []uint8 {
+	result := make([]uint8, count)
+	for i := range result {
+		result[i] = uint8(i % 256)
+	}
+	return result
+}
+
+func generateUint16Slice(count int) []uint16 {
+	result := make([]uint16, count)
+	for i := range result {
+		result[i] = uint16(i * 257)
+	}
+	return result
+}
+
+func buildIPSet(cidrs ...string) *netipx.IPSet {
+	var builder netipx.IPSetBuilder
+	for _, cidr := range cidrs {
+		prefix, err := netip.ParsePrefix(cidr)
+		if err != nil {
+			addr, err := netip.ParseAddr(cidr)
+			if err != nil {
+				panic(err)
+			}
+			builder.Add(addr)
+		} else {
+			builder.AddPrefix(prefix)
+		}
+	}
+	set, _ := builder.IPSet()
+	return set
+}
+
+func buildLargeIPSet(count int) *netipx.IPSet {
+	var builder netipx.IPSetBuilder
+	for i := 0; i < count; i++ {
+		prefix := netip.PrefixFrom(netip.AddrFrom4([4]byte{10, byte(i / 256), byte(i % 256), 0}), 24)
+		builder.AddPrefix(prefix)
+	}
+	set, _ := builder.IPSet()
+	return set
+}
+
+func requireStringSliceEqual(t *testing.T, expected, actual []string) {
+	t.Helper()
+	if len(expected) == 0 && len(actual) == 0 {
+		return
+	}
+	require.Equal(t, expected, actual)
+}
+
+func requireUint8SliceEqual(t *testing.T, expected, actual []uint8) {
+	t.Helper()
+	if len(expected) == 0 && len(actual) == 0 {
+		return
+	}
+	require.Equal(t, expected, actual)
+}
+
+func requireUint16SliceEqual(t *testing.T, expected, actual []uint16) {
+	t.Helper()
+	if len(expected) == 0 && len(actual) == 0 {
+		return
+	}
+	require.Equal(t, expected, actual)
+}
+
+func requireIPSetEqual(t *testing.T, expected, actual *netipx.IPSet) {
+	t.Helper()
+	expectedRanges := expected.Ranges()
+	actualRanges := actual.Ranges()
+	require.Equal(t, len(expectedRanges), len(actualRanges), "range count mismatch")
+	for i := range expectedRanges {
+		require.Equal(t, expectedRanges[i].From(), actualRanges[i].From(), "range[%d].from mismatch", i)
+		require.Equal(t, expectedRanges[i].To(), actualRanges[i].To(), "range[%d].to mismatch", i)
+	}
+}

common/srs/ip_cidr.go

@@ -2,6 +2,7 @@ package srs
 
 import (
 	"encoding/binary"
+	"io"
 	"net/netip"
 
 	M "github.com/sagernet/sing/common/metadata"
@@ -9,11 +10,16 @@ import (
 )
 
 func readPrefix(reader varbin.Reader) (netip.Prefix, error) {
-	addrSlice, err := varbin.ReadValue[[]byte](reader, binary.BigEndian)
+	addrLen, err := binary.ReadUvarint(reader)
 	if err != nil {
 		return netip.Prefix{}, err
 	}
-	prefixBits, err := varbin.ReadValue[uint8](reader, binary.BigEndian)
+	addrSlice := make([]byte, addrLen)
+	_, err = io.ReadFull(reader, addrSlice)
+	if err != nil {
+		return netip.Prefix{}, err
+	}
+	prefixBits, err := reader.ReadByte()
 	if err != nil {
 		return netip.Prefix{}, err
 	}
@@ -21,11 +27,16 @@ func readPrefix(reader varbin.Reader) (netip.Prefix, error) {
 }
 
 func writePrefix(writer varbin.Writer, prefix netip.Prefix) error {
-	err := varbin.Write(writer, binary.BigEndian, prefix.Addr().AsSlice())
+	addrSlice := prefix.Addr().AsSlice()
+	_, err := varbin.WriteUvarint(writer, uint64(len(addrSlice)))
 	if err != nil {
 		return err
 	}
-	err = binary.Write(writer, binary.BigEndian, uint8(prefix.Bits()))
+	_, err = writer.Write(addrSlice)
+	if err != nil {
+		return err
+	}
+	err = writer.WriteByte(uint8(prefix.Bits()))
 	if err != nil {
 		return err
 	}

common/srs/ip_set.go

@@ -2,11 +2,11 @@ package srs
 
 import (
 	"encoding/binary"
+	"io"
 	"net/netip"
 	"os"
 	"unsafe"
 
-	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/varbin"
 
@@ -22,11 +22,6 @@ type myIPRange struct {
 	to   netip.Addr
 }
 
-type myIPRangeData struct {
-	From []byte
-	To   []byte
-}
-
 func readIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
 	version, err := reader.ReadByte()
 	if err != nil {
@@ -41,17 +36,30 @@ func readIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
 	if err != nil {
 		return nil, err
 	}
-	ranges := make([]myIPRangeData, length)
-	err = varbin.Read(reader, binary.BigEndian, &ranges)
-	if err != nil {
-		return nil, err
-	}
 	mySet := &myIPSet{
-		rr: make([]myIPRange, len(ranges)),
+		rr: make([]myIPRange, length),
 	}
-	for i, rangeData := range ranges {
-		mySet.rr[i].from = M.AddrFromIP(rangeData.From)
-		mySet.rr[i].to = M.AddrFromIP(rangeData.To)
+	for i := range mySet.rr {
+		fromLen, err := binary.ReadUvarint(reader)
+		if err != nil {
+			return nil, err
+		}
+		fromBytes := make([]byte, fromLen)
+		_, err = io.ReadFull(reader, fromBytes)
+		if err != nil {
+			return nil, err
+		}
+		toLen, err := binary.ReadUvarint(reader)
+		if err != nil {
+			return nil, err
+		}
+		toBytes := make([]byte, toLen)
+		_, err = io.ReadFull(reader, toBytes)
+		if err != nil {
+			return nil, err
+		}
+		mySet.rr[i].from = M.AddrFromIP(fromBytes)
+		mySet.rr[i].to = M.AddrFromIP(toBytes)
 	}
 	return (*netipx.IPSet)(unsafe.Pointer(mySet)), nil
 }
@@ -61,18 +69,27 @@ func writeIPSet(writer varbin.Writer, set *netipx.IPSet) error {
 	if err != nil {
 		return err
 	}
-	dataList := common.Map((*myIPSet)(unsafe.Pointer(set)).rr, func(rr myIPRange) myIPRangeData {
-		return myIPRangeData{
-			From: rr.from.AsSlice(),
-			To:   rr.to.AsSlice(),
-		}
-	})
-	err = binary.Write(writer, binary.BigEndian, uint64(len(dataList)))
+	mySet := (*myIPSet)(unsafe.Pointer(set))
+	err = binary.Write(writer, binary.BigEndian, uint64(len(mySet.rr)))
 	if err != nil {
 		return err
 	}
-	for _, data := range dataList {
-		err = varbin.Write(writer, binary.BigEndian, data)
+	for _, rr := range mySet.rr {
+		fromBytes := rr.from.AsSlice()
+		_, err = varbin.WriteUvarint(writer, uint64(len(fromBytes)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write(fromBytes)
+		if err != nil {
+			return err
+		}
+		toBytes := rr.to.AsSlice()
+		_, err = varbin.WriteUvarint(writer, uint64(len(toBytes)))
+		if err != nil {
+			return err
+		}
+		_, err = writer.Write(toBytes)
 		if err != nil {
 			return err
 		}

common/tls/acme.go

@@ -14,6 +14,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 
 	"github.com/caddyserver/certmagic"
+	"github.com/libdns/acmedns"
 	"github.com/libdns/alidns"
 	"github.com/libdns/cloudflare"
 	"github.com/mholt/acmez/v3/acme"
@@ -114,13 +115,24 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 		switch dnsOptions.Provider {
 		case C.DNSProviderAliDNS:
 			solver.DNSProvider = &alidns.Provider{
-				AccKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
-				AccKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
-				RegionID:     dnsOptions.AliDNSOptions.RegionID,
+				CredentialInfo: alidns.CredentialInfo{
+					AccessKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
+					AccessKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
+					RegionID:        dnsOptions.AliDNSOptions.RegionID,
+					SecurityToken:   dnsOptions.AliDNSOptions.SecurityToken,
+				},
 			}
 		case C.DNSProviderCloudflare:
 			solver.DNSProvider = &cloudflare.Provider{
-				APIToken: dnsOptions.CloudflareOptions.APIToken,
+				APIToken:  dnsOptions.CloudflareOptions.APIToken,
+				ZoneToken: dnsOptions.CloudflareOptions.ZoneToken,
+			}
+		case C.DNSProviderACMEDNS:
+			solver.DNSProvider = &acmedns.Provider{
+				Username:  dnsOptions.ACMEDNSOptions.Username,
+				Password:  dnsOptions.ACMEDNSOptions.Password,
+				Subdomain: dnsOptions.ACMEDNSOptions.Subdomain,
+				ServerURL: dnsOptions.ACMEDNSOptions.ServerURL,
 			}
 		default:
 			return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)

common/tls/client.go

@@ -119,21 +119,19 @@ func (d *defaultDialer) dialContext(ctx context.Context, destination M.Socksaddr
 	if err != nil {
 		return nil, err
 	}
-	tlsConn, err := ClientHandshake(ctx, conn, d.config)
-	if err == nil {
-		return tlsConn, nil
-	}
-	conn.Close()
-	if echRetry {
+	tlsConn, err := aTLS.ClientHandshake(ctx, conn, d.config)
+	if err != nil {
+		conn.Close()
 		var echErr *tls.ECHRejectionError
-		if errors.As(err, &echErr) && len(echErr.RetryConfigList) > 0 {
+		if echRetry && errors.As(err, &echErr) && len(echErr.RetryConfigList) > 0 {
 			if echConfig, isECH := d.config.(ECHCapableConfig); isECH {
 				echConfig.SetECHConfigList(echErr.RetryConfigList)
+				return d.dialContext(ctx, destination, false)
 			}
 		}
-		return d.dialContext(ctx, destination, false)
+		return nil, err
 	}
-	return nil, err
+	return tlsConn, nil
 }
 
 func (d *defaultDialer) Upstream() any {

common/tls/ech.go

@@ -51,6 +51,7 @@ func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, op
 		return &ECHClientConfig{
 			ECHCapableConfig: clientConfig,
 			dnsRouter:        service.FromContext[adapter.DNSRouter](ctx),
+			queryServerName:  options.ECH.QueryServerName,
 		}, nil
 	}
 }
@@ -69,11 +70,7 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	} else {
 		return E.New("missing ECH keys")
 	}
-	block, rest := pem.Decode(echKey)
-	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
-		return E.New("invalid ECH keys pem")
-	}
-	echKeys, err := UnmarshalECHKeys(block.Bytes)
+	echKeys, err := parseECHKeys(echKey)
 	if err != nil {
 		return E.Cause(err, "parse ECH keys")
 	}
@@ -85,29 +82,38 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	return nil
 }
 
-func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
-	echKey, err := os.ReadFile(echKeyPath)
+func (c *STDServerConfig) setECHServerConfig(echKey []byte) error {
+	echKeys, err := parseECHKeys(echKey)
 	if err != nil {
-		return E.Cause(err, "reload ECH keys from ", echKeyPath)
+		return err
 	}
+	c.access.Lock()
+	config := c.config.Clone()
+	config.EncryptedClientHelloKeys = echKeys
+	c.config = config
+	c.access.Unlock()
+	return nil
+}
+
+func parseECHKeys(echKey []byte) ([]tls.EncryptedClientHelloKey, error) {
 	block, _ := pem.Decode(echKey)
 	if block == nil || block.Type != "ECH KEYS" {
-		return E.New("invalid ECH keys pem")
+		return nil, E.New("invalid ECH keys pem")
 	}
 	echKeys, err := UnmarshalECHKeys(block.Bytes)
 	if err != nil {
-		return E.Cause(err, "parse ECH keys")
+		return nil, E.Cause(err, "parse ECH keys")
 	}
-	tlsConfig.EncryptedClientHelloKeys = echKeys
-	return nil
+	return echKeys, nil
 }
 
 type ECHClientConfig struct {
 	ECHCapableConfig
-	access     sync.Mutex
-	dnsRouter  adapter.DNSRouter
-	lastTTL    time.Duration
-	lastUpdate time.Time
+	access          sync.Mutex
+	dnsRouter       adapter.DNSRouter
+	queryServerName string
+	lastTTL         time.Duration
+	lastUpdate      time.Time
 }
 
 func (s *ECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
@@ -126,13 +132,17 @@ func (s *ECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn)
 	s.access.Lock()
 	defer s.access.Unlock()
 	if len(s.ECHConfigList()) == 0 || s.lastTTL == 0 || time.Since(s.lastUpdate) > s.lastTTL {
+		queryServerName := s.queryServerName
+		if queryServerName == "" {
+			queryServerName = s.ServerName()
+		}
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
 			},
 			Question: []mDNS.Question{
 				{
-					Name:   mDNS.Fqdn(s.ServerName()),
+					Name:   mDNS.Fqdn(queryServerName),
 					Qtype:  mDNS.TypeHTTPS,
 					Qclass: mDNS.ClassINET,
 				},
@@ -171,7 +181,12 @@ func (s *ECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn)
 }
 
 func (s *ECHClientConfig) Clone() Config {
-	return &ECHClientConfig{ECHCapableConfig: s.ECHCapableConfig.Clone().(ECHCapableConfig), dnsRouter: s.dnsRouter, lastUpdate: s.lastUpdate}
+	return &ECHClientConfig{
+		ECHCapableConfig: s.ECHCapableConfig.Clone().(ECHCapableConfig),
+		dnsRouter:        s.dnsRouter,
+		queryServerName:  s.queryServerName,
+		lastUpdate:       s.lastUpdate,
+	}
 }
 
 func UnmarshalECHKeys(raw []byte) ([]tls.EncryptedClientHelloKey, error) {