release: Refactor release tracks for Linux packages and Docker

Support 4 release tracks instead of 2: - sing-box / latest (stable release) - sing-box-beta / latest-beta (stable pre-release) - sing-box-testing / latest-testing (testing branch) - sing-box-oldstable / latest-oldstable (oldstable branch) Track is detected via git branch --contains and git tag, replacing the old version-string hyphen check.
Bump version
2026-04-12 01:57:18 +10:00 · 2026-03-24 15:02:44 +08:00 · 2026-03-15 16:57:08 +08:00 · 2026-03-15 16:57:08 +08:00 · 2026-03-15 16:54:55 +08:00 · 2026-03-15 16:54:11 +08:00
195 changed files with 3351 additions and 7114 deletions
--- a/.fpm_pacman
+++ b/.fpm_pacman
@@ -0,0 +1,23 @@
+-s dir
+--name sing-box
+--category net
+--license GPL-3.0-or-later
+--description "The universal proxy platform."
+--url "https://sing-box.sagernet.org/"
+--maintainer "nekohasekai <contact-git@sekai.icu>"
+--config-files etc/sing-box/config.json
+--after-install release/config/sing-box.postinst
+
+release/config/config.json=/etc/sing-box/config.json
+
+release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
+release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
+release/config/sing-box.sysusers=/usr/lib/sysusers.d/sing-box.conf
+release/config/sing-box.rules=usr/share/polkit-1/rules.d/sing-box.rules
+release/config/sing-box-split-dns.xml=/usr/share/dbus-1/system.d/sing-box-split-dns.conf
+
+release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
+release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
+release/completions/sing-box.zsh=/usr/share/zsh/site-functions/_sing-box
+
+LICENSE=/usr/share/licenses/sing-box/LICENSE
--- a/.github/detect_track.sh
+++ b/.github/detect_track.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+branches=$(git branch -r --contains HEAD)
+if echo "$branches" | grep -q 'origin/stable'; then
+  track=stable
+elif echo "$branches" | grep -q 'origin/testing'; then
+  track=testing
+elif echo "$branches" | grep -q 'origin/oldstable'; then
+  track=oldstable
+else
+  echo "ERROR: HEAD is not on any known release branch (stable/testing/oldstable)" >&2
+  exit 1
+fi
+
+if [[ "$track" == "stable" ]]; then
+  tag=$(git describe --tags --exact-match HEAD 2>/dev/null || true)
+  if [[ -n "$tag" && "$tag" == *"-"* ]]; then
+    track=beta
+  fi
+fi
+
+case "$track" in
+  stable)    name=sing-box;           docker_tag=latest ;;
+  beta)      name=sing-box-beta;      docker_tag=latest-beta ;;
+  testing)   name=sing-box-testing;   docker_tag=latest-testing ;;
+  oldstable) name=sing-box-oldstable; docker_tag=latest-oldstable ;;
+esac
+
+echo "track=${track} name=${name} docker_tag=${docker_tag}" >&2
+echo "TRACK=${track}" >> "$GITHUB_ENV"
+echo "NAME=${name}" >> "$GITHUB_ENV"
+echo "DOCKER_TAG=${docker_tag}" >> "$GITHUB_ENV"
--- a/.github/setup_go_for_windows7.sh
+++ b/.github/setup_go_for_windows7.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+VERSION="1.25.8"
+PATCH_COMMITS=(
+  "466f6c7a29bc098b0d4c987b803c779222894a11"
+  "1bdabae205052afe1dadb2ad6f1ba612cdbc532a"
+  "a90777dcf692dd2168577853ba743b4338721b06"
+  "f6bddda4e8ff58a957462a1a09562924d5f3d05c"
+  "bed309eff415bcb3c77dd4bc3277b682b89a388d"
+  "34b899c2fb39b092db4fa67c4417e41dc046be4b"
+)
+CURL_ARGS=(
+  -fL
+  --silent
+  --show-error
+)
+
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
+fi
+
+mkdir -p "$HOME/go"
+cd "$HOME/go"
+wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
+tar -xzf "go${VERSION}.linux-amd64.tar.gz"
+mv go go_win7
+cd go_win7
+
+# modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
+# these patch URLs only work on golang1.25.x
+# that means after golang1.26 release it must be changed
+# see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
+# revert:
+# 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
+# 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
+# 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
+# a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
+# fixes:
+# bed309eff415bcb3c77dd4bc3277b682b89a388d: "Fix os.RemoveAll not working on Windows7"
+# 34b899c2fb39b092db4fa67c4417e41dc046be4b: "Revert \"os: remove 5ms sleep on Windows in (*Process).Wait\""
+
+for patch_commit in "${PATCH_COMMITS[@]}"; do
+  curl "${CURL_ARGS[@]}" "https://github.com/MetaCubeX/go/commit/${patch_commit}.diff" | patch --verbose -p 1
+done
--- a/.github/setup_legacy_go.sh
+++ b/.github/setup_legacy_go.sh
@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-
-VERSION="1.23.12"
-
-mkdir -p $HOME/go
-cd $HOME/go
-wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
-tar -xzf "go${VERSION}.linux-amd64.tar.gz"
-mv go go_legacy
-cd go_legacy
-
-# modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-# this patch file only works on golang1.23.x
-# that means after golang1.24 release it must be changed
-# see: https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
-# revert:
-# 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
-# 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
-# 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
-# a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
-
-curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/69e2eed6dd0f6d815ebf15797761c13f31213dd6.diff | patch --verbose -p 1
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,8 +25,7 @@ on:
          - publish-android
  push:
    branches:
-      - main-next
-      - dev-next
+      - oldstable

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
@@ -46,7 +45,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
+          go-version: ~1.25.8
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -88,9 +87,9 @@ jobs:
          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }

          - { os: windows, arch: amd64 }
-          - { os: windows, arch: amd64, legacy_go123: true, legacy_name: "windows-7" }
+          - { os: windows, arch: amd64, legacy_win7: true, legacy_name: "windows-7" }
          - { os: windows, arch: "386" }
-          - { os: windows, arch: "386", legacy_go123: true, legacy_name: "windows-7" }
+          - { os: windows, arch: "386", legacy_win7: true, legacy_name: "windows-7" }
          - { os: windows, arch: arm64 }

          - { os: darwin, arch: amd64 }
@@ -107,32 +106,32 @@ jobs:
        with:
          fetch-depth: 0
      - name: Setup Go
-        if: ${{ ! (matrix.legacy_go123 || matrix.legacy_go124) }}
+        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
+          go-version: ~1.25.8
      - name: Setup Go 1.24
        if: matrix.legacy_go124
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.24.6
-      - name: Cache Go 1.23
-        if: matrix.legacy_go123
-        id: cache-legacy-go
+          go-version: ~1.24.10
+      - name: Cache Go for Windows 7
+        if: matrix.legacy_win7
+        id: cache-go-for-windows7
        uses: actions/cache@v4
        with:
          path: |
-            ~/go/go_legacy
-          key: go_legacy_12312
-      - name: Setup Go 1.23
-        if: matrix.legacy_go123 && steps.cache-legacy-go.outputs.cache-hit != 'true'
+            ~/go/go_win7
+          key: go_win7_1255
+      - name: Setup Go for Windows 7
+        if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
        run: |-
-          .github/setup_legacy_go.sh
-      - name: Setup Go 1.23
-        if: matrix.legacy_go123
+          .github/setup_go_for_windows7.sh
+      - name: Setup Go for Windows 7
+        if: matrix.legacy_win7
        run: |-
-          echo "PATH=$HOME/go/go_legacy/bin:$PATH" >> $GITHUB_ENV
-          echo "GOROOT=$HOME/go/go_legacy" >> $GITHUB_ENV
+          echo "PATH=$HOME/go/go_win7/bin:$PATH" >> $GITHUB_ENV
+          echo "GOROOT=$HOME/go/go_win7" >> $GITHUB_ENV
      - name: Setup Android NDK
        if: matrix.os == 'android'
        uses: nttld/setup-ndk@v1
@@ -154,7 +153,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -174,7 +173,7 @@ jobs:
          export CXX="${CC}++"
          mkdir -p dist
          GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
@@ -243,7 +242,7 @@ jobs:
          sudo gem install fpm
          sudo apt-get update
          sudo apt-get install -y libarchive-tools
-          cp .fpm_systemd .fpm
+          cp .fpm_pacman .fpm
          fpm -t pacman \
            -v "$PKG_VERSION" \
            -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.pacman }}.pkg.tar.zst" \
@@ -287,7 +286,7 @@ jobs:
          path: "dist"
  build_android:
    name: Build Android
-    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
+    if: (github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android') && github.ref != 'refs/heads/oldstable'
    runs-on: ubuntu-latest
    needs:
      - calculate_version
@@ -300,7 +299,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
+          go-version: ~1.25.8
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -323,12 +322,12 @@ jobs:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
      - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/android
          git checkout main
      - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
+        if: github.ref == 'refs/heads/testing'
        run: |-
          cd clients/android
          git checkout dev
@@ -367,7 +366,7 @@ jobs:
          path: 'dist'
  publish_android:
    name: Publish Android
-    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
+    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android' && github.ref != 'refs/heads/oldstable'
    runs-on: ubuntu-latest
    needs:
      - calculate_version
@@ -380,7 +379,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
+          go-version: ~1.25.8
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -403,12 +402,12 @@ jobs:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
      - name: Checkout main branch
-        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/android
          git checkout main
      - name: Checkout dev branch
-        if: github.ref == 'refs/heads/dev-next'
+        if: github.ref == 'refs/heads/testing'
        run: |-
          cd clients/android
          git checkout dev
@@ -479,7 +478,7 @@ jobs:
        if: matrix.if
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
+          go-version: ~1.25.8
      - name: Set tag
        if: matrix.if
        run: |-
@@ -487,12 +486,12 @@ jobs:
          git tag v${{ needs.calculate_version.outputs.version }} -f
          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
      - name: Checkout main branch
-        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        if: matrix.if && github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/apple
          git checkout main
      - name: Checkout dev branch
-        if: matrix.if && github.ref == 'refs/heads/dev-next'
+        if: matrix.if && github.ref == 'refs/heads/testing'
        run: |-
          cd clients/apple
          git checkout dev
@@ -578,7 +577,7 @@ jobs:
            -authenticationKeyID $ASC_KEY_ID \
            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
      - name: Publish to TestFlight
-        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/testing'
        run: |-
          go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
      - name: Build image
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -99,13 +99,13 @@ jobs:
          fi
          echo "ref=$ref"
          echo "ref=$ref" >> $GITHUB_OUTPUT
-          if [[ $ref == *"-"* ]]; then
-            latest=latest-beta
-          else
-            latest=latest
-          fi
-          echo "latest=$latest"
-          echo "latest=$latest" >> $GITHUB_OUTPUT
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          ref: ${{ steps.ref.outputs.ref }}
+          fetch-depth: 0
+      - name: Detect track
+        run: bash .github/detect_track.sh
      - name: Download digests
        uses: actions/download-artifact@v5
        with:
@@ -124,10 +124,10 @@ jobs:
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create \
-            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}" \
+            -t "${{ env.REGISTRY_IMAGE }}:${{ env.DOCKER_TAG }}" \
            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
      - name: Inspect image
        run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}
+          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ env.DOCKER_TAG }}
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -3,18 +3,20 @@ name: Lint
 on:
  push:
    branches:
-      - stable-next
-      - main-next
-      - dev-next
+      - oldstable
+      - stable
+      - testing
+      - unstable
    paths-ignore:
      - '**.md'
      - '.github/**'
      - '!.github/workflows/lint.yml'
  pull_request:
    branches:
-      - stable-next
-      - main-next
-      - dev-next
+      - oldstable
+      - stable
+      - testing
+      - unstable

 jobs:
  build:
@@ -28,7 +30,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25
+          go-version: ~1.24.10
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v8
        with:
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -7,11 +7,6 @@ on:
        description: "Version name"
        required: true
        type: string
-      forceBeta:
-        description: "Force beta"
-        required: false
-        type: boolean
-        default: false
  release:
    types:
      - published
@@ -30,7 +25,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
+          go-version: ~1.25.8
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -71,7 +66,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
+          go-version: ~1.25.8
      - name: Setup Android NDK
        if: matrix.os == 'android'
        uses: nttld/setup-ndk@v1
@@ -92,7 +87,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -103,14 +98,8 @@ jobs:
      - name: Set mtime
        run: |-
          TZ=UTC touch -t '197001010000' dist/sing-box
-      - name: Set name
-        if: (! contains(needs.calculate_version.outputs.version, '-')) && !inputs.forceBeta
-        run: |-
-          echo "NAME=sing-box" >> "$GITHUB_ENV"
-      - name: Set beta name
-        if: contains(needs.calculate_version.outputs.version, '-') || inputs.forceBeta
-        run: |-
-          echo "NAME=sing-box-beta" >> "$GITHUB_ENV"
+      - name: Detect track
+        run: bash .github/detect_track.sh
      - name: Set version
        run: |-
          PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
--- a/.gitignore
+++ b/.gitignore
@@ -15,4 +15,6 @@
 .DS_Store
 /config.d/
 /venv/
-
+CLAUDE.md
+AGENTS.md
+/.claude/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,6 +1,6 @@
 version: "2"
 run:
-  go: "1.25"
+  go: "1.24"
  build-tags:
    - with_gvisor
    - with_quic
--- a/6
+++ b/6
@@ -15,13 +15,11 @@ RUN set -ex \
    && go build -v -trimpath -tags \
        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale" \
        -o /go/bin/sing-box \
-        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid= -checklinkname=0" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
        ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
-    && apk upgrade \
-    && apk add bash tzdata ca-certificates nftables \
-    && rm -rf /var/cache/apk/*
+    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]
--- a/2
+++ b/2
@@ -6,7 +6,7 @@ GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)

-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid= -checklinkname=0"
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
 MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
--- a/README.md
+++ b/README.md
@@ -1,3 +1,11 @@
+> Sponsored by [Warp](https://go.warp.dev/sing-box), built for coding with multiple AI agents
+
+<a href="https://go.warp.dev/sing-box">
+<img alt="Warp sponsorship" width="400" src="https://github.com/warpdotdev/brand-assets/raw/refs/heads/main/Github/Sponsor/Warp-Github-LG-02.png">
+</a>
+
+---
+
 # sing-box

 The universal proxy platform.
--- a/adapter/dns.go
+++ b/adapter/dns.go
@@ -27,8 +27,6 @@ type DNSClient interface {
 	Start()
 	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
 	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
-	LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool)
-	ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool)
 	ClearCache()
 }

--- a/adapter/outbound.go
+++ b/adapter/outbound.go
@@ -2,12 +2,9 @@ package adapter

 import (
 	"context"
-	"net/netip"
-	"time"

 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-tun"
 	N "github.com/sagernet/sing/common/network"
 )

@@ -21,17 +18,6 @@ type Outbound interface {
 	N.Dialer
 }

-type OutboundWithPreferredRoutes interface {
-	Outbound
-	PreferredDomain(domain string) bool
-	PreferredAddress(address netip.Addr) bool
-}
-
-type DirectRouteOutbound interface {
-	Outbound
-	NewDirectRouteConnection(metadata InboundContext, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error)
-}
-
 type OutboundRegistry interface {
 	option.OutboundOptionsRegistry
 	CreateOutbound(ctx context.Context, router Router, logger log.ContextLogger, tag string, outboundType string, options any) (Outbound, error)
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -6,10 +6,8 @@ import (
 	"net"
 	"net/http"
 	"sync"
-	"time"

 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-tun"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"
@@ -21,7 +19,7 @@ import (
 type Router interface {
 	Lifecycle
 	ConnectionRouter
-	PreMatch(metadata InboundContext, context tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error)
+	PreMatch(metadata InboundContext) error
 	ConnectionRouterEx
 	RuleSet(tag string) (RuleSet, bool)
 	NeedWIFIState() bool
--- a/adapter/upstream.go
+++ b/adapter/upstream.go
@@ -73,7 +73,7 @@ func NewUpstreamContextHandlerEx(
 }

 func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	myMetadata := ContextFrom(ctx)
+	_, myMetadata := ExtendContext(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -84,7 +84,7 @@ func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context,
 }

 func (w *myUpstreamContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	myMetadata := ContextFrom(ctx)
+	_, myMetadata := ExtendContext(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -146,7 +146,7 @@ type routeContextHandlerWrapperEx struct {
 }

 func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	metadata := ContextFrom(ctx)
+	_, metadata := ExtendContext(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}
@@ -157,7 +157,7 @@ func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn
 }

 func (r *routeContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	metadata := ContextFrom(ctx)
+	_, metadata := ExtendContext(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}
--- a/box.go
+++ b/box.go
@@ -323,14 +323,13 @@ func New(options Options) (*Box, error) {
 			option.DirectOutboundOptions{},
 		)
 	})
-	dnsTransportManager.Initialize(func() (adapter.DNSTransport, error) {
-		return local.NewTransport(
+	dnsTransportManager.Initialize(common.Must1(
+		local.NewTransport(
 			ctx,
 			logFactory.NewLogger("dns/local"),
 			"local",
 			option.LocalDNSServerOptions{},
-		)
-	})
+		)))
 	if platformInterface != nil {
 		err = platformInterface.Initialize(networkManager)
 		if err != nil {
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -46,7 +46,7 @@ var (
 	sharedFlags []string
 	debugFlags  []string
 	sharedTags  []string
-	macOSTags   []string
+	darwinTags  []string
 	memcTags    []string
 	notMemcTags []string
 	debugTags   []string
@@ -59,11 +59,11 @@ func init() {
 	if err != nil {
 		currentTag = "unknown"
 	}
-	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=  -checklinkname=0")
-	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -checklinkname=0")
+	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
+	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag)

 	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api", "with_conntrack")
-	macOSTags = append(macOSTags, "with_dhcp")
+	darwinTags = append(darwinTags, "with_dhcp")
 	memcTags = append(memcTags, "with_tailscale")
 	notMemcTags = append(notMemcTags, "with_low_memory")
 	debugTags = append(debugTags, "debug")
@@ -107,10 +107,10 @@ func buildAndroid() {
 	}

 	if !debugEnabled {
-		// sharedFlags[3] = sharedFlags[3] + " -checklinkname=0"
+		sharedFlags[3] = sharedFlags[3] + " -checklinkname=0"
 		args = append(args, sharedFlags...)
 	} else {
-		// debugFlags[1] = debugFlags[1] + " -checklinkname=0"
+		debugFlags[1] = debugFlags[1] + " -checklinkname=0"
 		args = append(args, debugFlags...)
 	}

@@ -160,9 +160,7 @@ func buildApple() {
 		"-tags-not-macos=with_low_memory",
 	}
 	if !withTailscale {
-		args = append(args, "-tags-macos="+strings.Join(append(macOSTags, memcTags...), ","))
-	} else {
-		args = append(args, "-tags-macos="+strings.Join(macOSTags, ","))
+		args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
 	}

 	if !debugEnabled {
@@ -171,7 +169,7 @@ func buildApple() {
 		args = append(args, debugFlags...)
 	}

-	tags := sharedTags
+	tags := append(sharedTags, darwinTags...)
 	if withTailscale {
 		tags = append(tags, memcTags...)
 	}
--- a/cmd/sing-box/cmd_rule_set_compile.go
+++ b/cmd/sing-box/cmd_rule_set_compile.go
@@ -6,10 +6,8 @@ import (
 	"strings"

 	"github.com/sagernet/sing-box/common/srs"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/route/rule"
 	"github.com/sagernet/sing/common/json"

 	"github.com/spf13/cobra"
@@ -71,7 +69,7 @@ func compileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
-	err = srs.Write(outputFile, plainRuleSet.Options, downgradeRuleSetVersion(plainRuleSet.Version, plainRuleSet.Options))
+	err = srs.Write(outputFile, plainRuleSet.Options, plainRuleSet.Version)
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputPath)
@@ -80,18 +78,3 @@ func compileRuleSet(sourcePath string) error {
 	outputFile.Close()
 	return nil
 }
-
-func downgradeRuleSetVersion(version uint8, options option.PlainRuleSet) uint8 {
-	if version == C.RuleSetVersion4 && !rule.HasHeadlessRule(options.Rules, func(rule option.DefaultHeadlessRule) bool {
-		return rule.NetworkInterfaceAddress != nil && rule.NetworkInterfaceAddress.Size() > 0 ||
-			len(rule.DefaultInterfaceAddress) > 0
-	}) {
-		version = C.RuleSetVersion3
-	}
-	if version == C.RuleSetVersion3 && !rule.HasHeadlessRule(options.Rules, func(rule option.DefaultHeadlessRule) bool {
-		return len(rule.NetworkType) > 0 || rule.NetworkIsExpensive || rule.NetworkIsConstrained
-	}) {
-		version = C.RuleSetVersion2
-	}
-	return version
-}
--- a/common/badtls/raw_conn.go
+++ b/common/badtls/raw_conn.go
@@ -1,176 +0,0 @@
-//go:build go1.25 && !without_badtls
-
-package badtls
-
-import (
-	"bytes"
-	"os"
-	"reflect"
-	"sync/atomic"
-	"unsafe"
-
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/tls"
-)
-
-type RawConn struct {
-	pointer unsafe.Pointer
-	methods *Methods
-
-	IsClient            *bool
-	IsHandshakeComplete *atomic.Bool
-	Vers                *uint16
-	CipherSuite         *uint16
-
-	RawInput *bytes.Buffer
-	Input    *bytes.Reader
-	Hand     *bytes.Buffer
-
-	CloseNotifySent *bool
-	CloseNotifyErr  *error
-
-	In  *RawHalfConn
-	Out *RawHalfConn
-
-	BytesSent   *int64
-	PacketsSent *int64
-
-	ActiveCall *atomic.Int32
-	Tmp        *[16]byte
-}
-
-func NewRawConn(rawTLSConn tls.Conn) (*RawConn, error) {
-	var (
-		pointer unsafe.Pointer
-		methods *Methods
-		loaded  bool
-	)
-	for _, tlsCreator := range methodRegistry {
-		pointer, methods, loaded = tlsCreator(rawTLSConn)
-		if loaded {
-			break
-		}
-	}
-	if !loaded {
-		return nil, os.ErrInvalid
-	}
-
-	conn := &RawConn{
-		pointer: pointer,
-		methods: methods,
-	}
-
-	rawConn := reflect.Indirect(reflect.ValueOf(rawTLSConn))
-
-	rawIsClient := rawConn.FieldByName("isClient")
-	if !rawIsClient.IsValid() || rawIsClient.Kind() != reflect.Bool {
-		return nil, E.New("invalid Conn.isClient")
-	}
-	conn.IsClient = (*bool)(unsafe.Pointer(rawIsClient.UnsafeAddr()))
-
-	rawIsHandshakeComplete := rawConn.FieldByName("isHandshakeComplete")
-	if !rawIsHandshakeComplete.IsValid() || rawIsHandshakeComplete.Kind() != reflect.Struct {
-		return nil, E.New("invalid Conn.isHandshakeComplete")
-	}
-	conn.IsHandshakeComplete = (*atomic.Bool)(unsafe.Pointer(rawIsHandshakeComplete.UnsafeAddr()))
-
-	rawVers := rawConn.FieldByName("vers")
-	if !rawVers.IsValid() || rawVers.Kind() != reflect.Uint16 {
-		return nil, E.New("invalid Conn.vers")
-	}
-	conn.Vers = (*uint16)(unsafe.Pointer(rawVers.UnsafeAddr()))
-
-	rawCipherSuite := rawConn.FieldByName("cipherSuite")
-	if !rawCipherSuite.IsValid() || rawCipherSuite.Kind() != reflect.Uint16 {
-		return nil, E.New("invalid Conn.cipherSuite")
-	}
-	conn.CipherSuite = (*uint16)(unsafe.Pointer(rawCipherSuite.UnsafeAddr()))
-
-	rawRawInput := rawConn.FieldByName("rawInput")
-	if !rawRawInput.IsValid() || rawRawInput.Kind() != reflect.Struct {
-		return nil, E.New("invalid Conn.rawInput")
-	}
-	conn.RawInput = (*bytes.Buffer)(unsafe.Pointer(rawRawInput.UnsafeAddr()))
-
-	rawInput := rawConn.FieldByName("input")
-	if !rawInput.IsValid() || rawInput.Kind() != reflect.Struct {
-		return nil, E.New("invalid Conn.input")
-	}
-	conn.Input = (*bytes.Reader)(unsafe.Pointer(rawInput.UnsafeAddr()))
-
-	rawHand := rawConn.FieldByName("hand")
-	if !rawHand.IsValid() || rawHand.Kind() != reflect.Struct {
-		return nil, E.New("invalid Conn.hand")
-	}
-	conn.Hand = (*bytes.Buffer)(unsafe.Pointer(rawHand.UnsafeAddr()))
-
-	rawCloseNotifySent := rawConn.FieldByName("closeNotifySent")
-	if !rawCloseNotifySent.IsValid() || rawCloseNotifySent.Kind() != reflect.Bool {
-		return nil, E.New("invalid Conn.closeNotifySent")
-	}
-	conn.CloseNotifySent = (*bool)(unsafe.Pointer(rawCloseNotifySent.UnsafeAddr()))
-
-	rawCloseNotifyErr := rawConn.FieldByName("closeNotifyErr")
-	if !rawCloseNotifyErr.IsValid() || rawCloseNotifyErr.Kind() != reflect.Interface {
-		return nil, E.New("invalid Conn.closeNotifyErr")
-	}
-	conn.CloseNotifyErr = (*error)(unsafe.Pointer(rawCloseNotifyErr.UnsafeAddr()))
-
-	rawIn := rawConn.FieldByName("in")
-	if !rawIn.IsValid() || rawIn.Kind() != reflect.Struct {
-		return nil, E.New("invalid Conn.in")
-	}
-	halfIn, err := NewRawHalfConn(rawIn, methods)
-	if err != nil {
-		return nil, E.Cause(err, "invalid Conn.in")
-	}
-	conn.In = halfIn
-
-	rawOut := rawConn.FieldByName("out")
-	if !rawOut.IsValid() || rawOut.Kind() != reflect.Struct {
-		return nil, E.New("invalid Conn.out")
-	}
-	halfOut, err := NewRawHalfConn(rawOut, methods)
-	if err != nil {
-		return nil, E.Cause(err, "invalid Conn.out")
-	}
-	conn.Out = halfOut
-
-	rawBytesSent := rawConn.FieldByName("bytesSent")
-	if !rawBytesSent.IsValid() || rawBytesSent.Kind() != reflect.Int64 {
-		return nil, E.New("invalid Conn.bytesSent")
-	}
-	conn.BytesSent = (*int64)(unsafe.Pointer(rawBytesSent.UnsafeAddr()))
-
-	rawPacketsSent := rawConn.FieldByName("packetsSent")
-	if !rawPacketsSent.IsValid() || rawPacketsSent.Kind() != reflect.Int64 {
-		return nil, E.New("invalid Conn.packetsSent")
-	}
-	conn.PacketsSent = (*int64)(unsafe.Pointer(rawPacketsSent.UnsafeAddr()))
-
-	rawActiveCall := rawConn.FieldByName("activeCall")
-	if !rawActiveCall.IsValid() || rawActiveCall.Kind() != reflect.Struct {
-		return nil, E.New("invalid Conn.activeCall")
-	}
-	conn.ActiveCall = (*atomic.Int32)(unsafe.Pointer(rawActiveCall.UnsafeAddr()))
-
-	rawTmp := rawConn.FieldByName("tmp")
-	if !rawTmp.IsValid() || rawTmp.Kind() != reflect.Array || rawTmp.Len() != 16 || rawTmp.Type().Elem().Kind() != reflect.Uint8 {
-		return nil, E.New("invalid Conn.tmp")
-	}
-	conn.Tmp = (*[16]byte)(unsafe.Pointer(rawTmp.UnsafeAddr()))
-
-	return conn, nil
-}
-
-func (c *RawConn) ReadRecord() error {
-	return c.methods.readRecord(c.pointer)
-}
-
-func (c *RawConn) HandlePostHandshakeMessage() error {
-	return c.methods.handlePostHandshakeMessage(c.pointer)
-}
-
-func (c *RawConn) WriteRecordLocked(typ uint16, data []byte) (int, error) {
-	return c.methods.writeRecordLocked(c.pointer, typ, data)
-}
--- a/common/badtls/raw_half_conn.go
+++ b/common/badtls/raw_half_conn.go
@@ -1,121 +0,0 @@
-//go:build go1.25 && !without_badtls
-
-package badtls
-
-import (
-	"hash"
-	"reflect"
-	"sync"
-	"unsafe"
-
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type RawHalfConn struct {
-	pointer unsafe.Pointer
-	methods *Methods
-	*sync.Mutex
-	Err           *error
-	Version       *uint16
-	Cipher        *any
-	Seq           *[8]byte
-	ScratchBuf    *[13]byte
-	TrafficSecret *[]byte
-	Mac           *hash.Hash
-	RawKey        *[]byte
-	RawIV         *[]byte
-	RawMac        *[]byte
-}
-
-func NewRawHalfConn(rawHalfConn reflect.Value, methods *Methods) (*RawHalfConn, error) {
-	halfConn := &RawHalfConn{
-		pointer: (unsafe.Pointer)(rawHalfConn.UnsafeAddr()),
-		methods: methods,
-	}
-
-	rawMutex := rawHalfConn.FieldByName("Mutex")
-	if !rawMutex.IsValid() || rawMutex.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid halfConn.Mutex")
-	}
-	halfConn.Mutex = (*sync.Mutex)(unsafe.Pointer(rawMutex.UnsafeAddr()))
-
-	rawErr := rawHalfConn.FieldByName("err")
-	if !rawErr.IsValid() || rawErr.Kind() != reflect.Interface {
-		return nil, E.New("badtls: invalid halfConn.err")
-	}
-	halfConn.Err = (*error)(unsafe.Pointer(rawErr.UnsafeAddr()))
-
-	rawVersion := rawHalfConn.FieldByName("version")
-	if !rawVersion.IsValid() || rawVersion.Kind() != reflect.Uint16 {
-		return nil, E.New("badtls: invalid halfConn.version")
-	}
-	halfConn.Version = (*uint16)(unsafe.Pointer(rawVersion.UnsafeAddr()))
-
-	rawCipher := rawHalfConn.FieldByName("cipher")
-	if !rawCipher.IsValid() || rawCipher.Kind() != reflect.Interface {
-		return nil, E.New("badtls: invalid halfConn.cipher")
-	}
-	halfConn.Cipher = (*any)(unsafe.Pointer(rawCipher.UnsafeAddr()))
-
-	rawSeq := rawHalfConn.FieldByName("seq")
-	if !rawSeq.IsValid() || rawSeq.Kind() != reflect.Array || rawSeq.Len() != 8 || rawSeq.Type().Elem().Kind() != reflect.Uint8 {
-		return nil, E.New("badtls: invalid halfConn.seq")
-	}
-	halfConn.Seq = (*[8]byte)(unsafe.Pointer(rawSeq.UnsafeAddr()))
-
-	rawScratchBuf := rawHalfConn.FieldByName("scratchBuf")
-	if !rawScratchBuf.IsValid() || rawScratchBuf.Kind() != reflect.Array || rawScratchBuf.Len() != 13 || rawScratchBuf.Type().Elem().Kind() != reflect.Uint8 {
-		return nil, E.New("badtls: invalid halfConn.scratchBuf")
-	}
-	halfConn.ScratchBuf = (*[13]byte)(unsafe.Pointer(rawScratchBuf.UnsafeAddr()))
-
-	rawTrafficSecret := rawHalfConn.FieldByName("trafficSecret")
-	if !rawTrafficSecret.IsValid() || rawTrafficSecret.Kind() != reflect.Slice || rawTrafficSecret.Type().Elem().Kind() != reflect.Uint8 {
-		return nil, E.New("badtls: invalid halfConn.trafficSecret")
-	}
-	halfConn.TrafficSecret = (*[]byte)(unsafe.Pointer(rawTrafficSecret.UnsafeAddr()))
-
-	rawMac := rawHalfConn.FieldByName("mac")
-	if !rawMac.IsValid() || rawMac.Kind() != reflect.Interface {
-		return nil, E.New("badtls: invalid halfConn.mac")
-	}
-	halfConn.Mac = (*hash.Hash)(unsafe.Pointer(rawMac.UnsafeAddr()))
-
-	rawKey := rawHalfConn.FieldByName("rawKey")
-	if rawKey.IsValid() {
-		if /*!rawKey.IsValid() || */ rawKey.Kind() != reflect.Slice || rawKey.Type().Elem().Kind() != reflect.Uint8 {
-			return nil, E.New("badtls: invalid halfConn.rawKey")
-		}
-		halfConn.RawKey = (*[]byte)(unsafe.Pointer(rawKey.UnsafeAddr()))
-
-		rawIV := rawHalfConn.FieldByName("rawIV")
-		if !rawIV.IsValid() || rawIV.Kind() != reflect.Slice || rawIV.Type().Elem().Kind() != reflect.Uint8 {
-			return nil, E.New("badtls: invalid halfConn.rawIV")
-		}
-		halfConn.RawIV = (*[]byte)(unsafe.Pointer(rawIV.UnsafeAddr()))
-
-		rawMAC := rawHalfConn.FieldByName("rawMac")
-		if !rawMAC.IsValid() || rawMAC.Kind() != reflect.Slice || rawMAC.Type().Elem().Kind() != reflect.Uint8 {
-			return nil, E.New("badtls: invalid halfConn.rawMac")
-		}
-		halfConn.RawMac = (*[]byte)(unsafe.Pointer(rawMAC.UnsafeAddr()))
-	}
-
-	return halfConn, nil
-}
-
-func (hc *RawHalfConn) Decrypt(record []byte) ([]byte, uint8, error) {
-	return hc.methods.decrypt(hc.pointer, record)
-}
-
-func (hc *RawHalfConn) SetErrorLocked(err error) error {
-	return hc.methods.setErrorLocked(hc.pointer, err)
-}
-
-func (hc *RawHalfConn) SetTrafficSecret(suite unsafe.Pointer, level int, secret []byte) {
-	hc.methods.setTrafficSecret(hc.pointer, suite, level, secret)
-}
-
-func (hc *RawHalfConn) ExplicitNonceLen() int {
-	return hc.methods.explicitNonceLen(hc.pointer)
-}
--- a/common/badtls/read_wait.go
+++ b/common/badtls/read_wait.go
@@ -1,9 +1,18 @@
-//go:build go1.25 && !without_badtls
+//go:build go1.21 && !without_badtls

 package badtls

 import (
+	"bytes"
+	"context"
+	"net"
+	"os"
+	"reflect"
+	"sync"
+	"unsafe"
+
 	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/tls"
 )
@@ -12,21 +21,63 @@ var _ N.ReadWaiter = (*ReadWaitConn)(nil)

 type ReadWaitConn struct {
 	tls.Conn
-	rawConn         *RawConn
-	readWaitOptions N.ReadWaitOptions
+	halfAccess                    *sync.Mutex
+	rawInput                      *bytes.Buffer
+	input                         *bytes.Reader
+	hand                          *bytes.Buffer
+	readWaitOptions               N.ReadWaitOptions
+	tlsReadRecord                 func() error
+	tlsHandlePostHandshakeMessage func() error
 }

 func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
-	if _, isReadWaitConn := conn.(N.ReadWaiter); isReadWaitConn {
-		return conn, nil
+	var (
+		loaded                        bool
+		tlsReadRecord                 func() error
+		tlsHandlePostHandshakeMessage func() error
+	)
+	for _, tlsCreator := range tlsRegistry {
+		loaded, tlsReadRecord, tlsHandlePostHandshakeMessage = tlsCreator(conn)
+		if loaded {
+			break
+		}
 	}
-	rawConn, err := NewRawConn(conn)
-	if err != nil {
-		return nil, err
+	if !loaded {
+		return nil, os.ErrInvalid
 	}
+	rawConn := reflect.Indirect(reflect.ValueOf(conn))
+	rawHalfConn := rawConn.FieldByName("in")
+	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid half conn")
+	}
+	rawHalfMutex := rawHalfConn.FieldByName("Mutex")
+	if !rawHalfMutex.IsValid() || rawHalfMutex.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid half mutex")
+	}
+	halfAccess := (*sync.Mutex)(unsafe.Pointer(rawHalfMutex.UnsafeAddr()))
+	rawRawInput := rawConn.FieldByName("rawInput")
+	if !rawRawInput.IsValid() || rawRawInput.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid raw input")
+	}
+	rawInput := (*bytes.Buffer)(unsafe.Pointer(rawRawInput.UnsafeAddr()))
+	rawInput0 := rawConn.FieldByName("input")
+	if !rawInput0.IsValid() || rawInput0.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid input")
+	}
+	input := (*bytes.Reader)(unsafe.Pointer(rawInput0.UnsafeAddr()))
+	rawHand := rawConn.FieldByName("hand")
+	if !rawHand.IsValid() || rawHand.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid hand")
+	}
+	hand := (*bytes.Buffer)(unsafe.Pointer(rawHand.UnsafeAddr()))
 	return &ReadWaitConn{
-		Conn:    conn,
-		rawConn: rawConn,
+		Conn:                          conn,
+		halfAccess:                    halfAccess,
+		rawInput:                      rawInput,
+		input:                         input,
+		hand:                          hand,
+		tlsReadRecord:                 tlsReadRecord,
+		tlsHandlePostHandshakeMessage: tlsHandlePostHandshakeMessage,
 	}, nil
 }

@@ -36,36 +87,36 @@ func (c *ReadWaitConn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy
 }

 func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
-	//err = c.HandshakeContext(context.Background())
-	//if err != nil {
-	//	return
-	//}
-	c.rawConn.In.Lock()
-	defer c.rawConn.In.Unlock()
-	for c.rawConn.Input.Len() == 0 {
-		err = c.rawConn.ReadRecord()
+	err = c.HandshakeContext(context.Background())
+	if err != nil {
+		return
+	}
+	c.halfAccess.Lock()
+	defer c.halfAccess.Unlock()
+	for c.input.Len() == 0 {
+		err = c.tlsReadRecord()
 		if err != nil {
 			return
 		}
-		for c.rawConn.Hand.Len() > 0 {
-			err = c.rawConn.HandlePostHandshakeMessage()
+		for c.hand.Len() > 0 {
+			err = c.tlsHandlePostHandshakeMessage()
 			if err != nil {
 				return
 			}
 		}
 	}
 	buffer = c.readWaitOptions.NewBuffer()
-	n, err := c.rawConn.Input.Read(buffer.FreeBytes())
+	n, err := c.input.Read(buffer.FreeBytes())
 	if err != nil {
 		buffer.Release()
 		return
 	}
 	buffer.Truncate(n)

-	if n != 0 && c.rawConn.Input.Len() == 0 && c.rawConn.Input.Len() > 0 &&
-		// recordType(c.RawInput.Bytes()[0]) == recordTypeAlert {
-		c.rawConn.RawInput.Bytes()[0] == 21 {
-		_ = c.rawConn.ReadRecord()
+	if n != 0 && c.input.Len() == 0 && c.rawInput.Len() > 0 &&
+		// recordType(c.rawInput.Bytes()[0]) == recordTypeAlert {
+		c.rawInput.Bytes()[0] == 21 {
+		_ = c.tlsReadRecord()
 		// return n, err // will be io.EOF on closeNotify
 	}

@@ -80,3 +131,25 @@ func (c *ReadWaitConn) Upstream() any {
 func (c *ReadWaitConn) ReaderReplaceable() bool {
 	return true
 }
+
+var tlsRegistry []func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error)
+
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
+		tlsConn, loaded := conn.(*tls.STDConn)
+		if !loaded {
+			return
+		}
+		return true, func() error {
+				return stdTLSReadRecord(tlsConn)
+			}, func() error {
+				return stdTLSHandlePostHandshakeMessage(tlsConn)
+			}
+	})
+}
+
+//go:linkname stdTLSReadRecord crypto/tls.(*Conn).readRecord
+func stdTLSReadRecord(c *tls.STDConn) error
+
+//go:linkname stdTLSHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
+func stdTLSHandlePostHandshakeMessage(c *tls.STDConn) error
--- a/common/badtls/read_wait_stub.go
+++ b/common/badtls/read_wait_stub.go
@@ -1,4 +1,4 @@
-//go:build !go1.25 || without_badtls
+//go:build !go1.21 || without_badtls

 package badtls

--- a/common/badtls/read_wait_utls.go
+++ b/common/badtls/read_wait_utls.go
@@ -0,0 +1,36 @@
+//go:build go1.21 && !without_badtls && with_utls
+
+package badtls
+
+import (
+	"net"
+	_ "unsafe"
+
+	"github.com/metacubex/utls"
+)
+
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
+		switch tlsConn := conn.(type) {
+		case *tls.UConn:
+			return true, func() error {
+					return utlsReadRecord(tlsConn.Conn)
+				}, func() error {
+					return utlsHandlePostHandshakeMessage(tlsConn.Conn)
+				}
+		case *tls.Conn:
+			return true, func() error {
+					return utlsReadRecord(tlsConn)
+				}, func() error {
+					return utlsHandlePostHandshakeMessage(tlsConn)
+				}
+		}
+		return
+	})
+}
+
+//go:linkname utlsReadRecord github.com/metacubex/utls.(*Conn).readRecord
+func utlsReadRecord(c *tls.Conn) error
+
+//go:linkname utlsHandlePostHandshakeMessage github.com/metacubex/utls.(*Conn).handlePostHandshakeMessage
+func utlsHandlePostHandshakeMessage(c *tls.Conn) error
--- a/common/badtls/registry.go
+++ b/common/badtls/registry.go
@@ -1,62 +0,0 @@
-//go:build go1.25 && !without_badtls
-
-package badtls
-
-import (
-	"crypto/tls"
-	"net"
-	"unsafe"
-)
-
-type Methods struct {
-	readRecord                 func(c unsafe.Pointer) error
-	handlePostHandshakeMessage func(c unsafe.Pointer) error
-	writeRecordLocked          func(c unsafe.Pointer, typ uint16, data []byte) (int, error)
-
-	setErrorLocked   func(hc unsafe.Pointer, err error) error
-	decrypt          func(hc unsafe.Pointer, record []byte) ([]byte, uint8, error)
-	setTrafficSecret func(hc unsafe.Pointer, suite unsafe.Pointer, level int, secret []byte)
-	explicitNonceLen func(hc unsafe.Pointer) int
-}
-
-var methodRegistry []func(conn net.Conn) (unsafe.Pointer, *Methods, bool)
-
-func init() {
-	methodRegistry = append(methodRegistry, func(conn net.Conn) (unsafe.Pointer, *Methods, bool) {
-		tlsConn, loaded := conn.(*tls.Conn)
-		if !loaded {
-			return nil, nil, false
-		}
-		return unsafe.Pointer(tlsConn), &Methods{
-			readRecord:                 stdTLSReadRecord,
-			handlePostHandshakeMessage: stdTLSHandlePostHandshakeMessage,
-			writeRecordLocked:          stdWriteRecordLocked,
-
-			setErrorLocked:   stdSetErrorLocked,
-			decrypt:          stdDecrypt,
-			setTrafficSecret: stdSetTrafficSecret,
-			explicitNonceLen: stdExplicitNonceLen,
-		}, true
-	})
-}
-
-//go:linkname stdTLSReadRecord crypto/tls.(*Conn).readRecord
-func stdTLSReadRecord(c unsafe.Pointer) error
-
-//go:linkname stdTLSHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
-func stdTLSHandlePostHandshakeMessage(c unsafe.Pointer) error
-
-//go:linkname stdWriteRecordLocked crypto/tls.(*Conn).writeRecordLocked
-func stdWriteRecordLocked(c unsafe.Pointer, typ uint16, data []byte) (int, error)
-
-//go:linkname stdSetErrorLocked crypto/tls.(*halfConn).setErrorLocked
-func stdSetErrorLocked(hc unsafe.Pointer, err error) error
-
-//go:linkname stdDecrypt crypto/tls.(*halfConn).decrypt
-func stdDecrypt(hc unsafe.Pointer, record []byte) ([]byte, uint8, error)
-
-//go:linkname stdSetTrafficSecret crypto/tls.(*halfConn).setTrafficSecret
-func stdSetTrafficSecret(hc unsafe.Pointer, suite unsafe.Pointer, level int, secret []byte)
-
-//go:linkname stdExplicitNonceLen crypto/tls.(*halfConn).explicitNonceLen
-func stdExplicitNonceLen(hc unsafe.Pointer) int
--- a/common/badtls/registry_utls.go
+++ b/common/badtls/registry_utls.go
@@ -1,56 +0,0 @@
-//go:build go1.25 && !without_badtls
-
-package badtls
-
-import (
-	"net"
-	"unsafe"
-
-	N "github.com/sagernet/sing/common/network"
-
-	"github.com/metacubex/utls"
-)
-
-func init() {
-	methodRegistry = append(methodRegistry, func(conn net.Conn) (unsafe.Pointer, *Methods, bool) {
-		var pointer unsafe.Pointer
-		if uConn, loaded := N.CastReader[*tls.Conn](conn); loaded {
-			pointer = unsafe.Pointer(uConn)
-		} else if uConn, loaded := N.CastReader[*tls.UConn](conn); loaded {
-			pointer = unsafe.Pointer(uConn.Conn)
-		} else {
-			return nil, nil, false
-		}
-		return pointer, &Methods{
-			readRecord:                 utlsReadRecord,
-			handlePostHandshakeMessage: utlsHandlePostHandshakeMessage,
-			writeRecordLocked:          utlsWriteRecordLocked,
-
-			setErrorLocked:   utlsSetErrorLocked,
-			decrypt:          utlsDecrypt,
-			setTrafficSecret: utlsSetTrafficSecret,
-			explicitNonceLen: utlsExplicitNonceLen,
-		}, true
-	})
-}
-
-//go:linkname utlsReadRecord github.com/metacubex/utls.(*Conn).readRecord
-func utlsReadRecord(c unsafe.Pointer) error
-
-//go:linkname utlsHandlePostHandshakeMessage github.com/metacubex/utls.(*Conn).handlePostHandshakeMessage
-func utlsHandlePostHandshakeMessage(c unsafe.Pointer) error
-
-//go:linkname utlsWriteRecordLocked github.com/metacubex/utls.(*Conn).writeRecordLocked
-func utlsWriteRecordLocked(hc unsafe.Pointer, typ uint16, data []byte) (int, error)
-
-//go:linkname utlsSetErrorLocked github.com/metacubex/utls.(*halfConn).setErrorLocked
-func utlsSetErrorLocked(hc unsafe.Pointer, err error) error
-
-//go:linkname utlsDecrypt github.com/metacubex/utls.(*halfConn).decrypt
-func utlsDecrypt(hc unsafe.Pointer, record []byte) ([]byte, uint8, error)
-
-//go:linkname utlsSetTrafficSecret github.com/metacubex/utls.(*halfConn).setTrafficSecret
-func utlsSetTrafficSecret(hc unsafe.Pointer, suite unsafe.Pointer, level int, secret []byte)
-
-//go:linkname utlsExplicitNonceLen github.com/metacubex/utls.(*halfConn).explicitNonceLen
-func utlsExplicitNonceLen(hc unsafe.Pointer) int
--- a/common/badversion/version.go
+++ b/common/badversion/version.go
@@ -5,8 +5,6 @@ import (
 	"strings"

 	F "github.com/sagernet/sing/common/format"
-
-	"golang.org/x/mod/semver"
 )

 type Version struct {
@@ -18,19 +16,7 @@ type Version struct {
 	PreReleaseVersion    int
 }

-func (v Version) LessThan(anotherVersion Version) bool {
-	return !v.GreaterThanOrEqual(anotherVersion)
-}
-
-func (v Version) LessThanOrEqual(anotherVersion Version) bool {
-	return v == anotherVersion || anotherVersion.GreaterThan(v)
-}
-
-func (v Version) GreaterThanOrEqual(anotherVersion Version) bool {
-	return v == anotherVersion || v.GreaterThan(anotherVersion)
-}
-
-func (v Version) GreaterThan(anotherVersion Version) bool {
+func (v Version) After(anotherVersion Version) bool {
 	if v.Major > anotherVersion.Major {
 		return true
 	} else if v.Major < anotherVersion.Major {
@@ -58,29 +44,19 @@ func (v Version) GreaterThan(anotherVersion Version) bool {
 			} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
 				return false
 			}
-		}
-		preReleaseIdentifier := parsePreReleaseIdentifier(v.PreReleaseIdentifier)
-		anotherPreReleaseIdentifier := parsePreReleaseIdentifier(anotherVersion.PreReleaseIdentifier)
-		if preReleaseIdentifier < anotherPreReleaseIdentifier {
+		} else if v.PreReleaseIdentifier == "rc" && anotherVersion.PreReleaseIdentifier == "beta" {
 			return true
-		} else if preReleaseIdentifier > anotherPreReleaseIdentifier {
+		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "rc" {
+			return false
+		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
+			return true
+		} else if v.PreReleaseIdentifier == "alpha" && anotherVersion.PreReleaseIdentifier == "beta" {
 			return false
 		}
 	}
 	return false
 }

-func parsePreReleaseIdentifier(identifier string) int {
-	if strings.HasPrefix(identifier, "rc") {
-		return 1
-	} else if strings.HasPrefix(identifier, "beta") {
-		return 2
-	} else if strings.HasPrefix(identifier, "alpha") {
-		return 3
-	}
-	return 0
-}
-
 func (v Version) VersionString() string {
 	return F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
 }
@@ -107,10 +83,6 @@ func (v Version) BadString() string {
 	return version
 }

-func IsValid(versionName string) bool {
-	return semver.IsValid("v" + versionName)
-}
-
 func Parse(versionName string) (version Version) {
 	if strings.HasPrefix(versionName, "v") {
 		versionName = versionName[1:]
--- a/common/badversion/version_test.go
+++ b/common/badversion/version_test.go
@@ -10,9 +10,9 @@ func TestCompareVersion(t *testing.T) {
 	t.Parallel()
 	require.Equal(t, "1.3.0-beta.1", Parse("v1.3.0-beta1").String())
 	require.Equal(t, "1.3-beta1", Parse("v1.3.0-beta.1").BadString())
-	require.True(t, Parse("1.3.0").GreaterThan(Parse("1.3-beta1")))
-	require.True(t, Parse("1.3.0").GreaterThan(Parse("1.3.0-beta1")))
-	require.True(t, Parse("1.3.0-beta1").GreaterThan(Parse("1.3.0-alpha1")))
-	require.True(t, Parse("1.3.1").GreaterThan(Parse("1.3.0")))
-	require.True(t, Parse("1.4").GreaterThan(Parse("1.3")))
+	require.True(t, Parse("1.3.0").After(Parse("1.3-beta1")))
+	require.True(t, Parse("1.3.0").After(Parse("1.3.0-beta1")))
+	require.True(t, Parse("1.3.0-beta1").After(Parse("1.3.0-alpha1")))
+	require.True(t, Parse("1.3.1").After(Parse("1.3.0")))
+	require.True(t, Parse("1.4").After(Parse("1.3")))
 }
--- a/common/certificate/mozilla.go
+++ b/common/certificate/mozilla.go
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -88,7 +88,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial

 	if networkManager != nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if defaultOptions.BindInterface != "" {
+		if defaultOptions.BindInterface != "" && !disableDefaultBind {
 			bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
 			dialer.Control = control.Append(dialer.Control, bindFunc)
 			listener.Control = control.Append(listener.Control, bindFunc)
@@ -142,8 +142,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		dialer.Timeout = C.TCPConnectTimeout
 	}
 	// TODO: Add an option to customize the keep alive period
-	dialer.KeepAlive = C.TCPKeepAliveInitial
-	dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(C.TCPKeepAliveInitial, C.TCPKeepAliveInterval))
+	setKeepAliveConfig(&dialer, C.TCPKeepAliveInitial, C.TCPKeepAliveInterval)
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment
@@ -315,14 +314,6 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	}
 }

-func (d *DefaultDialer) DialerForICMPDestination(destination netip.Addr) net.Dialer {
-	if !destination.Is6() {
-		return dialerFromTCPDialer(d.dialer6)
-	} else {
-		return dialerFromTCPDialer(d.dialer4)
-	}
-}
-
 func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
 	if strategy == nil {
 		strategy = d.networkStrategy
--- a/common/dialer/default_go123.go
+++ b/common/dialer/default_go123.go
@@ -0,0 +1,16 @@
+//go:build go1.23
+
+package dialer
+
+import (
+	"net"
+	"time"
+)
+
+func setKeepAliveConfig(dialer *net.Dialer, idle time.Duration, interval time.Duration) {
+	dialer.KeepAliveConfig = net.KeepAliveConfig{
+		Enable:   true,
+		Idle:     idle,
+		Interval: interval,
+	}
+}
--- a/common/dialer/default_nongo123.go
+++ b/common/dialer/default_nongo123.go
@@ -0,0 +1,15 @@
+//go:build !go1.23
+
+package dialer
+
+import (
+	"net"
+	"time"
+
+	"github.com/sagernet/sing/common/control"
+)
+
+func setKeepAliveConfig(dialer *net.Dialer, idle time.Duration, interval time.Duration) {
+	dialer.KeepAlive = idle
+	dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(idle, interval))
+}
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -145,3 +145,7 @@ type ParallelNetworkDialer interface {
 	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
 	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
 }
+
+type PacketDialerWithDestination interface {
+	ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error)
+}
--- a/common/ktls/ktls.go
+++ b/common/ktls/ktls.go
@@ -1,133 +0,0 @@
-//go:build linux && go1.25 && !without_badtls
-
-package ktls
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	"errors"
-	"io"
-	"net"
-	"os"
-	"syscall"
-
-	"github.com/sagernet/sing-box/common/badtls"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	N "github.com/sagernet/sing/common/network"
-	aTLS "github.com/sagernet/sing/common/tls"
-
-	"golang.org/x/sys/unix"
-)
-
-type Conn struct {
-	aTLS.Conn
-	ctx             context.Context
-	logger          logger.ContextLogger
-	conn            net.Conn
-	rawConn         *badtls.RawConn
-	syscallConn     syscall.Conn
-	rawSyscallConn  syscall.RawConn
-	readWaitOptions N.ReadWaitOptions
-	kernelTx        bool
-	kernelRx        bool
-	pendingRxSplice bool
-}
-
-func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
-	err := Load()
-	if err != nil {
-		return nil, err
-	}
-	syscallConn, isSyscallConn := N.CastReader[interface {
-		io.Reader
-		syscall.Conn
-	}](conn.NetConn())
-	if !isSyscallConn {
-		return nil, os.ErrInvalid
-	}
-	rawSyscallConn, err := syscallConn.SyscallConn()
-	if err != nil {
-		return nil, err
-	}
-	rawConn, err := badtls.NewRawConn(conn)
-	if err != nil {
-		return nil, err
-	}
-	if *rawConn.Vers != tls.VersionTLS13 {
-		return nil, os.ErrInvalid
-	}
-	for rawConn.RawInput.Len() > 0 {
-		err = rawConn.ReadRecord()
-		if err != nil {
-			return nil, err
-		}
-		for rawConn.Hand.Len() > 0 {
-			err = rawConn.HandlePostHandshakeMessage()
-			if err != nil {
-				return nil, E.Cause(err, "handle post-handshake messages")
-			}
-		}
-	}
-	kConn := &Conn{
-		Conn:           conn,
-		ctx:            ctx,
-		logger:         logger,
-		conn:           conn.NetConn(),
-		rawConn:        rawConn,
-		syscallConn:    syscallConn,
-		rawSyscallConn: rawSyscallConn,
-	}
-	err = kConn.setupKernel(txOffload, rxOffload)
-	if err != nil {
-		return nil, err
-	}
-	return kConn, nil
-}
-
-func (c *Conn) Upstream() any {
-	return c.Conn
-}
-
-func (c *Conn) SyscallConnForRead() syscall.RawConn {
-	if !c.kernelRx {
-		return nil
-	}
-	if !*c.rawConn.IsClient {
-		c.logger.WarnContext(c.ctx, "ktls: RX splice is unavailable on the server size, since it will cause an unknown failure")
-		return nil
-	}
-	c.logger.DebugContext(c.ctx, "ktls: RX splice requested")
-	return c.rawSyscallConn
-}
-
-func (c *Conn) HandleSyscallReadError(inputErr error) ([]byte, error) {
-	if errors.Is(inputErr, unix.EINVAL) {
-		c.pendingRxSplice = true
-		err := c.readRecord()
-		if err != nil {
-			return nil, E.Cause(err, "ktls: handle non-application-data record")
-		}
-		var input bytes.Buffer
-		if c.rawConn.Input.Len() > 0 {
-			_, err = c.rawConn.Input.WriteTo(&input)
-			if err != nil {
-				return nil, err
-			}
-		}
-		return input.Bytes(), nil
-	} else if errors.Is(inputErr, unix.EBADMSG) {
-		return nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertBadRecordMAC))
-	} else {
-		return nil, E.Cause(inputErr, "ktls: unexpected errno")
-	}
-}
-
-func (c *Conn) SyscallConnForWrite() syscall.RawConn {
-	if !c.kernelTx {
-		return nil
-	}
-	c.logger.DebugContext(c.ctx, "ktls: TX splice requested")
-	return c.rawSyscallConn
-}
--- a/common/ktls/ktls_alert.go
+++ b/common/ktls/ktls_alert.go
@@ -1,80 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux && go1.25 && !without_badtls
-
-package ktls
-
-import (
-	"crypto/tls"
-	"net"
-)
-
-const (
-	// alert level
-	alertLevelWarning = 1
-	alertLevelError   = 2
-)
-
-const (
-	alertCloseNotify                  = 0
-	alertUnexpectedMessage            = 10
-	alertBadRecordMAC                 = 20
-	alertDecryptionFailed             = 21
-	alertRecordOverflow               = 22
-	alertDecompressionFailure         = 30
-	alertHandshakeFailure             = 40
-	alertBadCertificate               = 42
-	alertUnsupportedCertificate       = 43
-	alertCertificateRevoked           = 44
-	alertCertificateExpired           = 45
-	alertCertificateUnknown           = 46
-	alertIllegalParameter             = 47
-	alertUnknownCA                    = 48
-	alertAccessDenied                 = 49
-	alertDecodeError                  = 50
-	alertDecryptError                 = 51
-	alertExportRestriction            = 60
-	alertProtocolVersion              = 70
-	alertInsufficientSecurity         = 71
-	alertInternalError                = 80
-	alertInappropriateFallback        = 86
-	alertUserCanceled                 = 90
-	alertNoRenegotiation              = 100
-	alertMissingExtension             = 109
-	alertUnsupportedExtension         = 110
-	alertCertificateUnobtainable      = 111
-	alertUnrecognizedName             = 112
-	alertBadCertificateStatusResponse = 113
-	alertBadCertificateHashValue      = 114
-	alertUnknownPSKIdentity           = 115
-	alertCertificateRequired          = 116
-	alertNoApplicationProtocol        = 120
-	alertECHRequired                  = 121
-)
-
-func (c *Conn) sendAlertLocked(err uint8) error {
-	switch err {
-	case alertNoRenegotiation, alertCloseNotify:
-		c.rawConn.Tmp[0] = alertLevelWarning
-	default:
-		c.rawConn.Tmp[0] = alertLevelError
-	}
-	c.rawConn.Tmp[1] = byte(err)
-
-	_, writeErr := c.writeRecordLocked(recordTypeAlert, c.rawConn.Tmp[0:2])
-	if err == alertCloseNotify {
-		// closeNotify is a special case in that it isn't an error.
-		return writeErr
-	}
-
-	return c.rawConn.Out.SetErrorLocked(&net.OpError{Op: "local error", Err: tls.AlertError(err)})
-}
-
-// sendAlert sends a TLS alert message.
-func (c *Conn) sendAlert(err uint8) error {
-	c.rawConn.Out.Lock()
-	defer c.rawConn.Out.Unlock()
-	return c.sendAlertLocked(err)
-}
--- a/common/ktls/ktls_cipher_suites_linux.go
+++ b/common/ktls/ktls_cipher_suites_linux.go
@@ -1,326 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux && go1.25 && !without_badtls
-
-package ktls
-
-import (
-	"crypto/tls"
-	"unsafe"
-
-	"github.com/sagernet/sing-box/common/badtls"
-)
-
-type kernelCryptoCipherType uint16
-
-const (
-	TLS_CIPHER_AES_GCM_128              kernelCryptoCipherType = 51
-	TLS_CIPHER_AES_GCM_128_IV_SIZE      kernelCryptoCipherType = 8
-	TLS_CIPHER_AES_GCM_128_KEY_SIZE     kernelCryptoCipherType = 16
-	TLS_CIPHER_AES_GCM_128_SALT_SIZE    kernelCryptoCipherType = 4
-	TLS_CIPHER_AES_GCM_128_TAG_SIZE     kernelCryptoCipherType = 16
-	TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE kernelCryptoCipherType = 8
-
-	TLS_CIPHER_AES_GCM_256              kernelCryptoCipherType = 52
-	TLS_CIPHER_AES_GCM_256_IV_SIZE      kernelCryptoCipherType = 8
-	TLS_CIPHER_AES_GCM_256_KEY_SIZE     kernelCryptoCipherType = 32
-	TLS_CIPHER_AES_GCM_256_SALT_SIZE    kernelCryptoCipherType = 4
-	TLS_CIPHER_AES_GCM_256_TAG_SIZE     kernelCryptoCipherType = 16
-	TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE kernelCryptoCipherType = 8
-
-	TLS_CIPHER_AES_CCM_128              kernelCryptoCipherType = 53
-	TLS_CIPHER_AES_CCM_128_IV_SIZE      kernelCryptoCipherType = 8
-	TLS_CIPHER_AES_CCM_128_KEY_SIZE     kernelCryptoCipherType = 16
-	TLS_CIPHER_AES_CCM_128_SALT_SIZE    kernelCryptoCipherType = 4
-	TLS_CIPHER_AES_CCM_128_TAG_SIZE     kernelCryptoCipherType = 16
-	TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE kernelCryptoCipherType = 8
-
-	TLS_CIPHER_CHACHA20_POLY1305              kernelCryptoCipherType = 54
-	TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE      kernelCryptoCipherType = 12
-	TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE     kernelCryptoCipherType = 32
-	TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE    kernelCryptoCipherType = 0
-	TLS_CIPHER_CHACHA20_POLY1305_TAG_SIZE     kernelCryptoCipherType = 16
-	TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE kernelCryptoCipherType = 8
-
-	// TLS_CIPHER_SM4_GCM              kernelCryptoCipherType = 55
-	// TLS_CIPHER_SM4_GCM_IV_SIZE      kernelCryptoCipherType = 8
-	// TLS_CIPHER_SM4_GCM_KEY_SIZE     kernelCryptoCipherType = 16
-	// TLS_CIPHER_SM4_GCM_SALT_SIZE    kernelCryptoCipherType = 4
-	// TLS_CIPHER_SM4_GCM_TAG_SIZE     kernelCryptoCipherType = 16
-	// TLS_CIPHER_SM4_GCM_REC_SEQ_SIZE kernelCryptoCipherType = 8
-
-	// TLS_CIPHER_SM4_CCM              kernelCryptoCipherType = 56
-	// TLS_CIPHER_SM4_CCM_IV_SIZE      kernelCryptoCipherType = 8
-	// TLS_CIPHER_SM4_CCM_KEY_SIZE     kernelCryptoCipherType = 16
-	// TLS_CIPHER_SM4_CCM_SALT_SIZE    kernelCryptoCipherType = 4
-	// TLS_CIPHER_SM4_CCM_TAG_SIZE     kernelCryptoCipherType = 16
-	// TLS_CIPHER_SM4_CCM_REC_SEQ_SIZE kernelCryptoCipherType = 8
-
-	TLS_CIPHER_ARIA_GCM_128              kernelCryptoCipherType = 57
-	TLS_CIPHER_ARIA_GCM_128_IV_SIZE      kernelCryptoCipherType = 8
-	TLS_CIPHER_ARIA_GCM_128_KEY_SIZE     kernelCryptoCipherType = 16
-	TLS_CIPHER_ARIA_GCM_128_SALT_SIZE    kernelCryptoCipherType = 4
-	TLS_CIPHER_ARIA_GCM_128_TAG_SIZE     kernelCryptoCipherType = 16
-	TLS_CIPHER_ARIA_GCM_128_REC_SEQ_SIZE kernelCryptoCipherType = 8
-
-	TLS_CIPHER_ARIA_GCM_256              kernelCryptoCipherType = 58
-	TLS_CIPHER_ARIA_GCM_256_IV_SIZE      kernelCryptoCipherType = 8
-	TLS_CIPHER_ARIA_GCM_256_KEY_SIZE     kernelCryptoCipherType = 32
-	TLS_CIPHER_ARIA_GCM_256_SALT_SIZE    kernelCryptoCipherType = 4
-	TLS_CIPHER_ARIA_GCM_256_TAG_SIZE     kernelCryptoCipherType = 16
-	TLS_CIPHER_ARIA_GCM_256_REC_SEQ_SIZE kernelCryptoCipherType = 8
-)
-
-type kernelCrypto interface {
-	String() string
-}
-
-type kernelCryptoInfo struct {
-	version     uint16
-	cipher_type kernelCryptoCipherType
-}
-
-var _ kernelCrypto = &kernelCryptoAES128GCM{}
-
-type kernelCryptoAES128GCM struct {
-	kernelCryptoInfo
-	iv      [TLS_CIPHER_AES_GCM_128_IV_SIZE]byte
-	key     [TLS_CIPHER_AES_GCM_128_KEY_SIZE]byte
-	salt    [TLS_CIPHER_AES_GCM_128_SALT_SIZE]byte
-	rec_seq [TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE]byte
-}
-
-func (crypto *kernelCryptoAES128GCM) String() string {
-	crypto.cipher_type = TLS_CIPHER_AES_GCM_128
-	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
-}
-
-var _ kernelCrypto = &kernelCryptoAES256GCM{}
-
-type kernelCryptoAES256GCM struct {
-	kernelCryptoInfo
-	iv      [TLS_CIPHER_AES_GCM_256_IV_SIZE]byte
-	key     [TLS_CIPHER_AES_GCM_256_KEY_SIZE]byte
-	salt    [TLS_CIPHER_AES_GCM_256_SALT_SIZE]byte
-	rec_seq [TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE]byte
-}
-
-func (crypto *kernelCryptoAES256GCM) String() string {
-	crypto.cipher_type = TLS_CIPHER_AES_GCM_256
-	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
-}
-
-var _ kernelCrypto = &kernelCryptoAES128CCM{}
-
-type kernelCryptoAES128CCM struct {
-	kernelCryptoInfo
-	iv      [TLS_CIPHER_AES_CCM_128_IV_SIZE]byte
-	key     [TLS_CIPHER_AES_CCM_128_KEY_SIZE]byte
-	salt    [TLS_CIPHER_AES_CCM_128_SALT_SIZE]byte
-	rec_seq [TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE]byte
-}
-
-func (crypto *kernelCryptoAES128CCM) String() string {
-	crypto.cipher_type = TLS_CIPHER_AES_CCM_128
-	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
-}
-
-var _ kernelCrypto = &kernelCryptoChacha20Poly1035{}
-
-type kernelCryptoChacha20Poly1035 struct {
-	kernelCryptoInfo
-	iv      [TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE]byte
-	key     [TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE]byte
-	salt    [TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE]byte
-	rec_seq [TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE]byte
-}
-
-func (crypto *kernelCryptoChacha20Poly1035) String() string {
-	crypto.cipher_type = TLS_CIPHER_CHACHA20_POLY1305
-	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
-}
-
-// var _ kernelCrypto = &kernelCryptoSM4GCM{}
-
-// type kernelCryptoSM4GCM struct {
-// 	kernelCryptoInfo
-// 	iv      [TLS_CIPHER_SM4_GCM_IV_SIZE]byte
-// 	key     [TLS_CIPHER_SM4_GCM_KEY_SIZE]byte
-// 	salt    [TLS_CIPHER_SM4_GCM_SALT_SIZE]byte
-// 	rec_seq [TLS_CIPHER_SM4_GCM_REC_SEQ_SIZE]byte
-// }
-
-// func (crypto *kernelCryptoSM4GCM) String() string {
-// 	crypto.cipher_type = TLS_CIPHER_SM4_GCM
-// 	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
-// }
-
-// var _ kernelCrypto = &kernelCryptoSM4CCM{}
-
-// type kernelCryptoSM4CCM struct {
-// 	kernelCryptoInfo
-// 	iv      [TLS_CIPHER_SM4_CCM_IV_SIZE]byte
-// 	key     [TLS_CIPHER_SM4_CCM_KEY_SIZE]byte
-// 	salt    [TLS_CIPHER_SM4_CCM_SALT_SIZE]byte
-// 	rec_seq [TLS_CIPHER_SM4_CCM_REC_SEQ_SIZE]byte
-// }
-
-// func (crypto *kernelCryptoSM4CCM) String() string {
-// 	crypto.cipher_type = TLS_CIPHER_SM4_CCM
-// 	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
-// }
-
-var _ kernelCrypto = &kernelCryptoARIA128GCM{}
-
-type kernelCryptoARIA128GCM struct {
-	kernelCryptoInfo
-	iv      [TLS_CIPHER_ARIA_GCM_128_IV_SIZE]byte
-	key     [TLS_CIPHER_ARIA_GCM_128_KEY_SIZE]byte
-	salt    [TLS_CIPHER_ARIA_GCM_128_SALT_SIZE]byte
-	rec_seq [TLS_CIPHER_ARIA_GCM_128_REC_SEQ_SIZE]byte
-}
-
-func (crypto *kernelCryptoARIA128GCM) String() string {
-	crypto.cipher_type = TLS_CIPHER_ARIA_GCM_128
-	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
-}
-
-var _ kernelCrypto = &kernelCryptoARIA256GCM{}
-
-type kernelCryptoARIA256GCM struct {
-	kernelCryptoInfo
-	iv      [TLS_CIPHER_ARIA_GCM_256_IV_SIZE]byte
-	key     [TLS_CIPHER_ARIA_GCM_256_KEY_SIZE]byte
-	salt    [TLS_CIPHER_ARIA_GCM_256_SALT_SIZE]byte
-	rec_seq [TLS_CIPHER_ARIA_GCM_256_REC_SEQ_SIZE]byte
-}
-
-func (crypto *kernelCryptoARIA256GCM) String() string {
-	crypto.cipher_type = TLS_CIPHER_ARIA_GCM_256
-	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
-}
-
-func kernelCipher(kernel *Support, hc *badtls.RawHalfConn, cipherSuite uint16, isRX bool) kernelCrypto {
-	if !kernel.TLS {
-		return nil
-	}
-
-	switch *hc.Version {
-	case tls.VersionTLS12:
-		if isRX && !kernel.TLS_Version13_RX {
-			return nil
-		}
-
-	case tls.VersionTLS13:
-		if !kernel.TLS_Version13 {
-			return nil
-		}
-
-		if isRX && !kernel.TLS_Version13_RX {
-			return nil
-		}
-
-	default:
-		return nil
-	}
-
-	var key, iv []byte
-	if *hc.Version == tls.VersionTLS13 {
-		key, iv = trafficKey(cipherSuiteTLS13ByID(cipherSuite), *hc.TrafficSecret)
-		/*if isRX {
-			key, iv = trafficKey(cipherSuiteTLS13ByID(cipherSuite), keyLog.RemoteTrafficSecret)
-		} else {
-			key, iv = trafficKey(cipherSuiteTLS13ByID(cipherSuite), keyLog.TrafficSecret)
-		}*/
-	} else {
-		// csPtr := cipherSuiteByID(cipherSuite)
-		// keysFromMasterSecret(*hc.Version, csPtr, keyLog.Secret, keyLog.Random)
-		return nil
-	}
-
-	switch cipherSuite {
-	case tls.TLS_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
-		crypto := new(kernelCryptoAES128GCM)
-
-		crypto.version = *hc.Version
-		copy(crypto.key[:], key)
-		copy(crypto.iv[:], iv[4:])
-		copy(crypto.salt[:], iv[:4])
-		crypto.rec_seq = *hc.Seq
-
-		return crypto
-	case tls.TLS_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
-		if !kernel.TLS_AES_256_GCM {
-			return nil
-		}
-
-		crypto := new(kernelCryptoAES256GCM)
-
-		crypto.version = *hc.Version
-		copy(crypto.key[:], key)
-		copy(crypto.iv[:], iv[4:])
-		copy(crypto.salt[:], iv[:4])
-		crypto.rec_seq = *hc.Seq
-
-		return crypto
-	//case tls.TLS_AES_128_CCM_SHA256, tls.TLS_RSA_WITH_AES_128_CCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_SHA256:
-	//	if !kernel.TLS_AES_128_CCM {
-	//		return nil
-	//	}
-	//
-	//	crypto := new(kernelCryptoAES128CCM)
-	//
-	//	crypto.version = *hc.Version
-	//	copy(crypto.key[:], key)
-	//	copy(crypto.iv[:], iv[4:])
-	//	copy(crypto.salt[:], iv[:4])
-	//	crypto.rec_seq = *hc.Seq
-	//
-	//	return crypto
-	case tls.TLS_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
-		if !kernel.TLS_CHACHA20_POLY1305 {
-			return nil
-		}
-
-		crypto := new(kernelCryptoChacha20Poly1035)
-
-		crypto.version = *hc.Version
-		copy(crypto.key[:], key)
-		copy(crypto.iv[:], iv)
-		crypto.rec_seq = *hc.Seq
-
-		return crypto
-	//case tls.TLS_RSA_WITH_ARIA_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256:
-	//	if !kernel.TLS_ARIA_GCM {
-	//		return nil
-	//	}
-	//
-	//	crypto := new(kernelCryptoARIA128GCM)
-	//
-	//	crypto.version = *hc.Version
-	//	copy(crypto.key[:], key)
-	//	copy(crypto.iv[:], iv[4:])
-	//	copy(crypto.salt[:], iv[:4])
-	//	crypto.rec_seq = *hc.Seq
-	//
-	//	return crypto
-	//case tls.TLS_RSA_WITH_ARIA_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384:
-	//	if !kernel.TLS_ARIA_GCM {
-	//		return nil
-	//	}
-	//
-	//	crypto := new(kernelCryptoARIA256GCM)
-	//
-	//	crypto.version = *hc.Version
-	//	copy(crypto.key[:], key)
-	//	copy(crypto.iv[:], iv[4:])
-	//	copy(crypto.salt[:], iv[:4])
-	//	crypto.rec_seq = *hc.Seq
-	//
-	//	return crypto
-	default:
-		return nil
-	}
-}
--- a/common/ktls/ktls_close.go
+++ b/common/ktls/ktls_close.go
@@ -1,67 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux && go1.25 && !without_badtls
-
-package ktls
-
-import (
-	"fmt"
-	"net"
-	"time"
-)
-
-func (c *Conn) Close() error {
-	if !c.kernelTx {
-		return c.Conn.Close()
-	}
-
-	// Interlock with Conn.Write above.
-	var x int32
-	for {
-		x = c.rawConn.ActiveCall.Load()
-		if x&1 != 0 {
-			return net.ErrClosed
-		}
-		if c.rawConn.ActiveCall.CompareAndSwap(x, x|1) {
-			break
-		}
-	}
-	if x != 0 {
-		// io.Writer and io.Closer should not be used concurrently.
-		// If Close is called while a Write is currently in-flight,
-		// interpret that as a sign that this Close is really just
-		// being used to break the Write and/or clean up resources and
-		// avoid sending the alertCloseNotify, which may block
-		// waiting on handshakeMutex or the c.out mutex.
-		return c.conn.Close()
-	}
-
-	var alertErr error
-	if c.rawConn.IsHandshakeComplete.Load() {
-		if err := c.closeNotify(); err != nil {
-			alertErr = fmt.Errorf("tls: failed to send closeNotify alert (but connection was closed anyway): %w", err)
-		}
-	}
-
-	if err := c.conn.Close(); err != nil {
-		return err
-	}
-	return alertErr
-}
-
-func (c *Conn) closeNotify() error {
-	c.rawConn.Out.Lock()
-	defer c.rawConn.Out.Unlock()
-
-	if !*c.rawConn.CloseNotifySent {
-		// Set a Write Deadline to prevent possibly blocking forever.
-		c.SetWriteDeadline(time.Now().Add(time.Second * 5))
-		*c.rawConn.CloseNotifyErr = c.sendAlertLocked(alertCloseNotify)
-		*c.rawConn.CloseNotifySent = true
-		// Any subsequent writes will fail.
-		c.SetWriteDeadline(time.Now())
-	}
-	return *c.rawConn.CloseNotifyErr
-}
--- a/common/ktls/ktls_const.go
+++ b/common/ktls/ktls_const.go
@@ -1,24 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux && go1.25 && !without_badtls
-
-package ktls
-
-const (
-	maxPlaintext               = 16384        // maximum plaintext payload length
-	maxCiphertext              = 16384 + 2048 // maximum ciphertext payload length
-	maxCiphertextTLS13         = 16384 + 256  // maximum ciphertext length in TLS 1.3
-	recordHeaderLen            = 5            // record header length
-	maxHandshake               = 65536        // maximum handshake we support (protocol max is 16 MB)
-	maxHandshakeCertificateMsg = 262144       // maximum certificate message size (256 KiB)
-	maxUselessRecords          = 16           // maximum number of consecutive non-advancing records
-)
-
-const (
-	recordTypeChangeCipherSpec = 20
-	recordTypeAlert            = 21
-	recordTypeHandshake        = 22
-	recordTypeApplicationData  = 23
-)
--- a/common/ktls/ktls_handshake_messages.go
+++ b/common/ktls/ktls_handshake_messages.go
@@ -1,238 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux && go1.25 && !without_badtls
-
-package ktls
-
-import (
-	"fmt"
-
-	"golang.org/x/crypto/cryptobyte"
-)
-
-// The marshalingFunction type is an adapter to allow the use of ordinary
-// functions as cryptobyte.MarshalingValue.
-type marshalingFunction func(b *cryptobyte.Builder) error
-
-func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error {
-	return f(b)
-}
-
-// addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If
-// the length of the sequence is not the value specified, it produces an error.
-func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) {
-	b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error {
-		if len(v) != n {
-			return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v))
-		}
-		b.AddBytes(v)
-		return nil
-	}))
-}
-
-// addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder.
-func addUint64(b *cryptobyte.Builder, v uint64) {
-	b.AddUint32(uint32(v >> 32))
-	b.AddUint32(uint32(v))
-}
-
-// readUint64 decodes a big-endian, 64-bit value into out and advances over it.
-// It reports whether the read was successful.
-func readUint64(s *cryptobyte.String, out *uint64) bool {
-	var hi, lo uint32
-	if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) {
-		return false
-	}
-	*out = uint64(hi)<<32 | uint64(lo)
-	return true
-}
-
-// readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a
-// []byte instead of a cryptobyte.String.
-func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
-	return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out))
-}
-
-// readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a
-// []byte instead of a cryptobyte.String.
-func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
-	return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out))
-}
-
-// readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a
-// []byte instead of a cryptobyte.String.
-func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
-	return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out))
-}
-
-type keyUpdateMsg struct {
-	updateRequested bool
-}
-
-func (m *keyUpdateMsg) marshal() ([]byte, error) {
-	var b cryptobyte.Builder
-	b.AddUint8(typeKeyUpdate)
-	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
-		if m.updateRequested {
-			b.AddUint8(1)
-		} else {
-			b.AddUint8(0)
-		}
-	})
-
-	return b.Bytes()
-}
-
-func (m *keyUpdateMsg) unmarshal(data []byte) bool {
-	s := cryptobyte.String(data)
-
-	var updateRequested uint8
-	if !s.Skip(4) || // message type and uint24 length field
-		!s.ReadUint8(&updateRequested) || !s.Empty() {
-		return false
-	}
-	switch updateRequested {
-	case 0:
-		m.updateRequested = false
-	case 1:
-		m.updateRequested = true
-	default:
-		return false
-	}
-	return true
-}
-
-// TLS handshake message types.
-const (
-	typeHelloRequest          uint8 = 0
-	typeClientHello           uint8 = 1
-	typeServerHello           uint8 = 2
-	typeNewSessionTicket      uint8 = 4
-	typeEndOfEarlyData        uint8 = 5
-	typeEncryptedExtensions   uint8 = 8
-	typeCertificate           uint8 = 11
-	typeServerKeyExchange     uint8 = 12
-	typeCertificateRequest    uint8 = 13
-	typeServerHelloDone       uint8 = 14
-	typeCertificateVerify     uint8 = 15
-	typeClientKeyExchange     uint8 = 16
-	typeFinished              uint8 = 20
-	typeCertificateStatus     uint8 = 22
-	typeKeyUpdate             uint8 = 24
-	typeCompressedCertificate uint8 = 25
-	typeMessageHash           uint8 = 254 // synthetic message
-)
-
-// TLS compression types.
-const (
-	compressionNone uint8 = 0
-)
-
-// TLS extension numbers
-const (
-	extensionServerName              uint16 = 0
-	extensionStatusRequest           uint16 = 5
-	extensionSupportedCurves         uint16 = 10 // supported_groups in TLS 1.3, see RFC 8446, Section 4.2.7
-	extensionSupportedPoints         uint16 = 11
-	extensionSignatureAlgorithms     uint16 = 13
-	extensionALPN                    uint16 = 16
-	extensionSCT                     uint16 = 18
-	extensionPadding                 uint16 = 21
-	extensionExtendedMasterSecret    uint16 = 23
-	extensionCompressCertificate     uint16 = 27 // compress_certificate in TLS 1.3
-	extensionSessionTicket           uint16 = 35
-	extensionPreSharedKey            uint16 = 41
-	extensionEarlyData               uint16 = 42
-	extensionSupportedVersions       uint16 = 43
-	extensionCookie                  uint16 = 44
-	extensionPSKModes                uint16 = 45
-	extensionCertificateAuthorities  uint16 = 47
-	extensionSignatureAlgorithmsCert uint16 = 50
-	extensionKeyShare                uint16 = 51
-	extensionQUICTransportParameters uint16 = 57
-	extensionALPS                    uint16 = 17513
-	extensionRenegotiationInfo       uint16 = 0xff01
-	extensionECHOuterExtensions      uint16 = 0xfd00
-	extensionEncryptedClientHello    uint16 = 0xfe0d
-)
-
-type handshakeMessage interface {
-	marshal() ([]byte, error)
-	unmarshal([]byte) bool
-}
-type newSessionTicketMsgTLS13 struct {
-	lifetime     uint32
-	ageAdd       uint32
-	nonce        []byte
-	label        []byte
-	maxEarlyData uint32
-}
-
-func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) {
-	var b cryptobyte.Builder
-	b.AddUint8(typeNewSessionTicket)
-	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
-		b.AddUint32(m.lifetime)
-		b.AddUint32(m.ageAdd)
-		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
-			b.AddBytes(m.nonce)
-		})
-		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
-			b.AddBytes(m.label)
-		})
-
-		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
-			if m.maxEarlyData > 0 {
-				b.AddUint16(extensionEarlyData)
-				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
-					b.AddUint32(m.maxEarlyData)
-				})
-			}
-		})
-	})
-
-	return b.Bytes()
-}
-
-func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool {
-	*m = newSessionTicketMsgTLS13{}
-	s := cryptobyte.String(data)
-
-	var extensions cryptobyte.String
-	if !s.Skip(4) || // message type and uint24 length field
-		!s.ReadUint32(&m.lifetime) ||
-		!s.ReadUint32(&m.ageAdd) ||
-		!readUint8LengthPrefixed(&s, &m.nonce) ||
-		!readUint16LengthPrefixed(&s, &m.label) ||
-		!s.ReadUint16LengthPrefixed(&extensions) ||
-		!s.Empty() {
-		return false
-	}
-
-	for !extensions.Empty() {
-		var extension uint16
-		var extData cryptobyte.String
-		if !extensions.ReadUint16(&extension) ||
-			!extensions.ReadUint16LengthPrefixed(&extData) {
-			return false
-		}
-
-		switch extension {
-		case extensionEarlyData:
-			if !extData.ReadUint32(&m.maxEarlyData) {
-				return false
-			}
-		default:
-			// Ignore unknown extensions.
-			continue
-		}
-
-		if !extData.Empty() {
-			return false
-		}
-	}
-
-	return true
-}
--- a/common/ktls/ktls_key_update.go
+++ b/common/ktls/ktls_key_update.go
@@ -1,173 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux && go1.25 && !without_badtls
-
-package ktls
-
-import (
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-)
-
-// handlePostHandshakeMessage processes a handshake message arrived after the
-// handshake is complete. Up to TLS 1.2, it indicates the start of a renegotiation.
-func (c *Conn) handlePostHandshakeMessage() error {
-	if *c.rawConn.Vers != tls.VersionTLS13 {
-		return errors.New("ktls: kernel does not support TLS 1.2 renegotiation")
-	}
-
-	msg, err := c.readHandshake(nil)
-	if err != nil {
-		return err
-	}
-	//c.retryCount++
-	//if c.retryCount > maxUselessRecords {
-	//	c.sendAlert(alertUnexpectedMessage)
-	//	return c.in.setErrorLocked(errors.New("tls: too many non-advancing records"))
-	//}
-
-	switch msg := msg.(type) {
-	case *newSessionTicketMsgTLS13:
-		// return errors.New("ktls: received new session ticket")
-		return nil
-	case *keyUpdateMsg:
-		return c.handleKeyUpdate(msg)
-	}
-	// The QUIC layer is supposed to treat an unexpected post-handshake CertificateRequest
-	// as a QUIC-level PROTOCOL_VIOLATION error (RFC 9001, Section 4.4). Returning an
-	// unexpected_message alert here doesn't provide it with enough information to distinguish
-	// this condition from other unexpected messages. This is probably fine.
-	c.sendAlert(alertUnexpectedMessage)
-	return fmt.Errorf("tls: received unexpected handshake message of type %T", msg)
-}
-
-func (c *Conn) handleKeyUpdate(keyUpdate *keyUpdateMsg) error {
-	//if c.quic != nil {
-	//	c.sendAlert(alertUnexpectedMessage)
-	//	return c.in.setErrorLocked(errors.New("tls: received unexpected key update message"))
-	//}
-
-	cipherSuite := cipherSuiteTLS13ByID(*c.rawConn.CipherSuite)
-	if cipherSuite == nil {
-		return c.rawConn.In.SetErrorLocked(c.sendAlert(alertInternalError))
-	}
-
-	newSecret := nextTrafficSecret(cipherSuite, *c.rawConn.In.TrafficSecret)
-	c.rawConn.In.SetTrafficSecret(cipherSuite, 0 /*tls.QUICEncryptionLevelInitial*/, newSecret)
-
-	err := c.resetupRX()
-	if err != nil {
-		c.sendAlert(alertInternalError)
-		return c.rawConn.In.SetErrorLocked(fmt.Errorf("ktls: resetupRX failed: %w", err))
-	}
-
-	if keyUpdate.updateRequested {
-		c.rawConn.Out.Lock()
-		defer c.rawConn.Out.Unlock()
-
-		resetup, err := c.resetupTX()
-		if err != nil {
-			c.sendAlertLocked(alertInternalError)
-			return c.rawConn.Out.SetErrorLocked(fmt.Errorf("ktls: resetupTX failed: %w", err))
-		}
-
-		msg := &keyUpdateMsg{}
-		msgBytes, err := msg.marshal()
-		if err != nil {
-			return err
-		}
-		_, err = c.writeRecordLocked(recordTypeHandshake, msgBytes)
-		if err != nil {
-			// Surface the error at the next write.
-			c.rawConn.Out.SetErrorLocked(err)
-			return nil
-		}
-
-		newSecret := nextTrafficSecret(cipherSuite, *c.rawConn.Out.TrafficSecret)
-		c.rawConn.Out.SetTrafficSecret(cipherSuite, 0 /*QUICEncryptionLevelInitial*/, newSecret)
-
-		err = resetup()
-		if err != nil {
-			return c.rawConn.Out.SetErrorLocked(fmt.Errorf("ktls: resetupTX failed: %w", err))
-		}
-	}
-
-	return nil
-}
-
-func (c *Conn) readHandshakeBytes(n int) error {
-	//if c.quic != nil {
-	//	return c.quicReadHandshakeBytes(n)
-	//}
-	for c.rawConn.Hand.Len() < n {
-		if err := c.readRecord(); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (c *Conn) readHandshake(transcript io.Writer) (any, error) {
-	if err := c.readHandshakeBytes(4); err != nil {
-		return nil, err
-	}
-	data := c.rawConn.Hand.Bytes()
-
-	maxHandshakeSize := maxHandshake
-	// hasVers indicates we're past the first message, forcing someone trying to
-	// make us just allocate a large buffer to at least do the initial part of
-	// the handshake first.
-	//if c.haveVers && data[0] == typeCertificate {
-	// Since certificate messages are likely to be the only messages that
-	// can be larger than maxHandshake, we use a special limit for just
-	// those messages.
-	//maxHandshakeSize = maxHandshakeCertificateMsg
-	//}
-
-	n := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
-	if n > maxHandshakeSize {
-		c.sendAlertLocked(alertInternalError)
-		return nil, c.rawConn.In.SetErrorLocked(fmt.Errorf("tls: handshake message of length %d bytes exceeds maximum of %d bytes", n, maxHandshakeSize))
-	}
-	if err := c.readHandshakeBytes(4 + n); err != nil {
-		return nil, err
-	}
-	data = c.rawConn.Hand.Next(4 + n)
-	return c.unmarshalHandshakeMessage(data, transcript)
-}
-
-func (c *Conn) unmarshalHandshakeMessage(data []byte, transcript io.Writer) (any, error) {
-	var m handshakeMessage
-	switch data[0] {
-	case typeNewSessionTicket:
-		if *c.rawConn.Vers == tls.VersionTLS13 {
-			m = new(newSessionTicketMsgTLS13)
-		} else {
-			return nil, os.ErrInvalid
-		}
-	case typeKeyUpdate:
-		m = new(keyUpdateMsg)
-	default:
-		return nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
-	}
-
-	// The handshake message unmarshalers
-	// expect to be able to keep references to data,
-	// so pass in a fresh copy that won't be overwritten.
-	data = append([]byte(nil), data...)
-
-	if !m.unmarshal(data) {
-		return nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertDecodeError))
-	}
-
-	if transcript != nil {
-		transcript.Write(data)
-	}
-
-	return m, nil
-}
--- a/common/ktls/ktls_linux.go
+++ b/common/ktls/ktls_linux.go
@@ -1,329 +0,0 @@
-//go:build linux && go1.25 && !without_badtls
-
-package ktls
-
-import (
-	"crypto/tls"
-	"errors"
-	"io"
-	"os"
-	"strings"
-	"sync"
-	"syscall"
-	"unsafe"
-
-	"github.com/sagernet/sing-box/common/badversion"
-	"github.com/sagernet/sing/common/control"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/shell"
-
-	"golang.org/x/sys/unix"
-)
-
-// mod from https://gitlab.com/go-extension/tls
-
-const (
-	TLS_TX               = 1
-	TLS_RX               = 2
-	TLS_TX_ZEROCOPY_RO   = 3 // TX zerocopy (only sendfile now)
-	TLS_RX_EXPECT_NO_PAD = 4 // Attempt opportunistic zero-copy, TLS 1.3 only
-
-	TLS_SET_RECORD_TYPE = 1
-	TLS_GET_RECORD_TYPE = 2
-)
-
-type Support struct {
-	TLS, TLS_RX                     bool
-	TLS_Version13, TLS_Version13_RX bool
-
-	TLS_TX_ZEROCOPY  bool
-	TLS_RX_NOPADDING bool
-
-	TLS_AES_256_GCM       bool
-	TLS_AES_128_CCM       bool
-	TLS_CHACHA20_POLY1305 bool
-	TLS_SM4               bool
-	TLS_ARIA_GCM          bool
-
-	TLS_Version13_KeyUpdate bool
-}
-
-var KernelSupport = sync.OnceValues(func() (*Support, error) {
-	var uname unix.Utsname
-	err := unix.Uname(&uname)
-	if err != nil {
-		return nil, err
-	}
-
-	kernelVersion := badversion.Parse(strings.Trim(string(uname.Release[:]), "\x00"))
-	if err != nil {
-		return nil, err
-	}
-	var support Support
-	switch {
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 6, Minor: 14}):
-		support.TLS_Version13_KeyUpdate = true
-		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 6, Minor: 1}):
-		support.TLS_ARIA_GCM = true
-		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 6}):
-		support.TLS_Version13_RX = true
-		support.TLS_RX_NOPADDING = true
-		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 19}):
-		support.TLS_TX_ZEROCOPY = true
-		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 16}):
-		support.TLS_SM4 = true
-		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 11}):
-		support.TLS_CHACHA20_POLY1305 = true
-		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 2}):
-		support.TLS_AES_128_CCM = true
-		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 1}):
-		support.TLS_AES_256_GCM = true
-		support.TLS_Version13 = true
-		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 4, Minor: 17}):
-		support.TLS_RX = true
-		fallthrough
-	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 4, Minor: 13}):
-		support.TLS = true
-	}
-
-	if support.TLS && support.TLS_Version13 {
-		_, err := os.Stat("/sys/module/tls")
-		if err != nil {
-			if os.Getuid() == 0 {
-				output, err := shell.Exec("modprobe", "tls").Read()
-				if err != nil {
-					return nil, E.Extend(E.Cause(err, "modprobe tls"), output)
-				}
-			} else {
-				return nil, E.New("ktls: kernel TLS module not loaded")
-			}
-		}
-	}
-
-	return &support, nil
-})
-
-func Load() error {
-	support, err := KernelSupport()
-	if err != nil {
-		return E.Cause(err, "ktls: check availability")
-	}
-	if !support.TLS || !support.TLS_Version13 {
-		return E.New("ktls: kernel does not support TLS 1.3")
-	}
-	return nil
-}
-
-func (c *Conn) setupKernel(txOffload, rxOffload bool) error {
-	if !txOffload && !rxOffload {
-		return os.ErrInvalid
-	}
-	support, err := KernelSupport()
-	if err != nil {
-		return E.Cause(err, "check availability")
-	}
-	if !support.TLS || !support.TLS_Version13 {
-		return E.New("kernel does not support TLS 1.3")
-	}
-	c.rawConn.Out.Lock()
-	defer c.rawConn.Out.Unlock()
-	err = control.Raw(c.rawSyscallConn, func(fd uintptr) error {
-		return syscall.SetsockoptString(int(fd), unix.SOL_TCP, unix.TCP_ULP, "tls")
-	})
-	if err != nil {
-		return os.NewSyscallError("setsockopt", err)
-	}
-
-	if txOffload {
-		txCrypto := kernelCipher(support, c.rawConn.Out, *c.rawConn.CipherSuite, false)
-		if txCrypto == nil {
-			return E.New("unsupported cipher suite")
-		}
-		err = control.Raw(c.rawSyscallConn, func(fd uintptr) error {
-			return syscall.SetsockoptString(int(fd), unix.SOL_TLS, TLS_TX, txCrypto.String())
-		})
-		if err != nil {
-			return err
-		}
-		if support.TLS_TX_ZEROCOPY {
-			err = control.Raw(c.rawSyscallConn, func(fd uintptr) error {
-				return syscall.SetsockoptInt(int(fd), unix.SOL_TLS, TLS_TX_ZEROCOPY_RO, 1)
-			})
-			if err != nil {
-				return err
-			}
-		}
-		c.kernelTx = true
-		c.logger.DebugContext(c.ctx, "ktls: kernel TLS TX enabled")
-	}
-
-	if rxOffload {
-		rxCrypto := kernelCipher(support, c.rawConn.In, *c.rawConn.CipherSuite, true)
-		if rxCrypto == nil {
-			return E.New("unsupported cipher suite")
-		}
-		err = control.Raw(c.rawSyscallConn, func(fd uintptr) error {
-			return syscall.SetsockoptString(int(fd), unix.SOL_TLS, TLS_RX, rxCrypto.String())
-		})
-		if err != nil {
-			return err
-		}
-		if *c.rawConn.Vers >= tls.VersionTLS13 && support.TLS_RX_NOPADDING {
-			err = control.Raw(c.rawSyscallConn, func(fd uintptr) error {
-				return syscall.SetsockoptInt(int(fd), unix.SOL_TLS, TLS_RX_EXPECT_NO_PAD, 1)
-			})
-			if err != nil {
-				return err
-			}
-		}
-		c.kernelRx = true
-		c.logger.DebugContext(c.ctx, "ktls: kernel TLS RX enabled")
-	}
-	return nil
-}
-
-func (c *Conn) resetupTX() (func() error, error) {
-	if !c.kernelTx {
-		return nil, nil
-	}
-	support, err := KernelSupport()
-	if err != nil {
-		return nil, err
-	}
-	if !support.TLS_Version13_KeyUpdate {
-		return nil, errors.New("ktls: kernel does not support rekey")
-	}
-	txCrypto := kernelCipher(support, c.rawConn.Out, *c.rawConn.CipherSuite, false)
-	if txCrypto == nil {
-		return nil, errors.New("ktls: set kernelCipher on unsupported tls session")
-	}
-	return func() error {
-		return control.Raw(c.rawSyscallConn, func(fd uintptr) error {
-			return syscall.SetsockoptString(int(fd), unix.SOL_TLS, TLS_TX, txCrypto.String())
-		})
-	}, nil
-}
-
-func (c *Conn) resetupRX() error {
-	if !c.kernelRx {
-		return nil
-	}
-	support, err := KernelSupport()
-	if err != nil {
-		return err
-	}
-	if !support.TLS_Version13_KeyUpdate {
-		return errors.New("ktls: kernel does not support rekey")
-	}
-	rxCrypto := kernelCipher(support, c.rawConn.In, *c.rawConn.CipherSuite, true)
-	if rxCrypto == nil {
-		return errors.New("ktls: set kernelCipher on unsupported tls session")
-	}
-	return control.Raw(c.rawSyscallConn, func(fd uintptr) error {
-		return syscall.SetsockoptString(int(fd), unix.SOL_TLS, TLS_RX, rxCrypto.String())
-	})
-}
-
-func (c *Conn) readKernelRecord() (uint8, []byte, error) {
-	if c.rawConn.RawInput.Len() < maxPlaintext {
-		c.rawConn.RawInput.Grow(maxPlaintext - c.rawConn.RawInput.Len())
-	}
-
-	data := c.rawConn.RawInput.Bytes()[:maxPlaintext]
-
-	// cmsg for record type
-	buffer := make([]byte, unix.CmsgSpace(1))
-	cmsg := (*unix.Cmsghdr)(unsafe.Pointer(&buffer[0]))
-	cmsg.SetLen(unix.CmsgLen(1))
-
-	var iov unix.Iovec
-	iov.Base = &data[0]
-	iov.SetLen(len(data))
-
-	var msg unix.Msghdr
-	msg.Control = &buffer[0]
-	msg.Controllen = cmsg.Len
-	msg.Iov = &iov
-	msg.Iovlen = 1
-
-	var n int
-	var err error
-	er := c.rawSyscallConn.Read(func(fd uintptr) bool {
-		n, err = recvmsg(int(fd), &msg, 0)
-		return err != unix.EAGAIN || c.pendingRxSplice
-	})
-	if er != nil {
-		return 0, nil, er
-	}
-	switch err {
-	case nil:
-	case syscall.EINVAL, syscall.EAGAIN:
-		return 0, nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertProtocolVersion))
-	case syscall.EMSGSIZE:
-		return 0, nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertRecordOverflow))
-	case syscall.EBADMSG:
-		return 0, nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertDecryptError))
-	default:
-		return 0, nil, err
-	}
-
-	if n <= 0 {
-		return 0, nil, c.rawConn.In.SetErrorLocked(io.EOF)
-	}
-
-	if cmsg.Level == unix.SOL_TLS && cmsg.Type == TLS_GET_RECORD_TYPE {
-		typ := buffer[unix.CmsgLen(0)]
-		return typ, data[:n], nil
-	}
-
-	return recordTypeApplicationData, data[:n], nil
-}
-
-func (c *Conn) writeKernelRecord(typ uint16, data []byte) (int, error) {
-	if typ == recordTypeApplicationData {
-		return c.conn.Write(data)
-	}
-
-	// cmsg for record type
-	buffer := make([]byte, unix.CmsgSpace(1))
-	cmsg := (*unix.Cmsghdr)(unsafe.Pointer(&buffer[0]))
-	cmsg.SetLen(unix.CmsgLen(1))
-	buffer[unix.CmsgLen(0)] = byte(typ)
-	cmsg.Level = unix.SOL_TLS
-	cmsg.Type = TLS_SET_RECORD_TYPE
-
-	var iov unix.Iovec
-	iov.Base = &data[0]
-	iov.SetLen(len(data))
-
-	var msg unix.Msghdr
-	msg.Control = &buffer[0]
-	msg.Controllen = cmsg.Len
-	msg.Iov = &iov
-	msg.Iovlen = 1
-
-	var n int
-	var err error
-	ew := c.rawSyscallConn.Write(func(fd uintptr) bool {
-		n, err = sendmsg(int(fd), &msg, 0)
-		return err != unix.EAGAIN
-	})
-	if ew != nil {
-		return 0, ew
-	}
-	return n, err
-}
-
-//go:linkname recvmsg golang.org/x/sys/unix.recvmsg
-func recvmsg(fd int, msg *unix.Msghdr, flags int) (n int, err error)
-
-//go:linkname sendmsg golang.org/x/sys/unix.sendmsg
-func sendmsg(fd int, msg *unix.Msghdr, flags int) (n int, err error)
--- a/common/ktls/ktls_prf.go
+++ b/common/ktls/ktls_prf.go
@@ -1,24 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux && go1.25 && !without_badtls
-
-package ktls
-
-import "unsafe"
-
-//go:linkname cipherSuiteByID github.com/metacubex/utls.cipherSuiteByID
-func cipherSuiteByID(id uint16) unsafe.Pointer
-
-//go:linkname keysFromMasterSecret github.com/metacubex/utls.keysFromMasterSecret
-func keysFromMasterSecret(version uint16, suite unsafe.Pointer, masterSecret, clientRandom, serverRandom []byte, macLen, keyLen, ivLen int) (clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV []byte)
-
-//go:linkname cipherSuiteTLS13ByID github.com/metacubex/utls.cipherSuiteTLS13ByID
-func cipherSuiteTLS13ByID(id uint16) unsafe.Pointer
-
-//go:linkname nextTrafficSecret github.com/metacubex/utls.(*cipherSuiteTLS13).nextTrafficSecret
-func nextTrafficSecret(cs unsafe.Pointer, trafficSecret []byte) []byte
-
-//go:linkname trafficKey github.com/metacubex/utls.(*cipherSuiteTLS13).trafficKey
-func trafficKey(cs unsafe.Pointer, trafficSecret []byte) (key, iv []byte)
--- a/common/ktls/ktls_read.go
+++ b/common/ktls/ktls_read.go
@@ -1,292 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux && go1.25 && !without_badtls
-
-package ktls
-
-import (
-	"bytes"
-	"crypto/tls"
-	"fmt"
-	"io"
-	"net"
-)
-
-func (c *Conn) Read(b []byte) (int, error) {
-	if !c.kernelRx {
-		return c.Conn.Read(b)
-	}
-
-	if len(b) == 0 {
-		// Put this after Handshake, in case people were calling
-		// Read(nil) for the side effect of the Handshake.
-		return 0, nil
-	}
-
-	c.rawConn.In.Lock()
-	defer c.rawConn.In.Unlock()
-
-	for c.rawConn.Input.Len() == 0 {
-		if err := c.readRecord(); err != nil {
-			return 0, err
-		}
-		for c.rawConn.Hand.Len() > 0 {
-			if err := c.handlePostHandshakeMessage(); err != nil {
-				return 0, err
-			}
-		}
-	}
-
-	n, _ := c.rawConn.Input.Read(b)
-
-	// If a close-notify alert is waiting, read it so that we can return (n,
-	// EOF) instead of (n, nil), to signal to the HTTP response reading
-	// goroutine that the connection is now closed. This eliminates a race
-	// where the HTTP response reading goroutine would otherwise not observe
-	// the EOF until its next read, by which time a client goroutine might
-	// have already tried to reuse the HTTP connection for a new request.
-	// See https://golang.org/cl/76400046 and https://golang.org/issue/3514
-	if n != 0 && c.rawConn.Input.Len() == 0 && c.rawConn.RawInput.Len() > 0 &&
-		c.rawConn.RawInput.Bytes()[0] == recordTypeAlert {
-		if err := c.readRecord(); err != nil {
-			return n, err // will be io.EOF on closeNotify
-		}
-	}
-
-	return n, nil
-}
-
-func (c *Conn) readRecord() error {
-	if *c.rawConn.In.Err != nil {
-		return *c.rawConn.In.Err
-	}
-
-	typ, data, err := c.readRawRecord()
-	if err != nil {
-		return err
-	}
-
-	if len(data) > maxPlaintext {
-		return c.rawConn.In.SetErrorLocked(c.sendAlert(alertRecordOverflow))
-	}
-
-	// Application Data messages are always protected.
-	if c.rawConn.In.Cipher == nil && typ == recordTypeApplicationData {
-		return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
-	}
-
-	//if typ != recordTypeAlert && typ != recordTypeChangeCipherSpec && len(data) > 0 {
-	// This is a state-advancing message: reset the retry count.
-	// c.retryCount = 0
-	//}
-
-	// Handshake messages MUST NOT be interleaved with other record types in TLS 1.3.
-	if *c.rawConn.Vers == tls.VersionTLS13 && typ != recordTypeHandshake && c.rawConn.Hand.Len() > 0 {
-		return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
-	}
-
-	switch typ {
-	default:
-		return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
-	case recordTypeAlert:
-		//if c.quic != nil {
-		//	return c.rawConn.In.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
-		//}
-		if len(data) != 2 {
-			return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
-		}
-		if data[1] == alertCloseNotify {
-			return c.rawConn.In.SetErrorLocked(io.EOF)
-		}
-		if *c.rawConn.Vers == tls.VersionTLS13 {
-			// TLS 1.3 removed warning-level alerts except for alertUserCanceled
-			// (RFC 8446, § 6.1). Since at least one major implementation
-			// (https://bugs.openjdk.org/browse/JDK-8323517) misuses this alert,
-			// many TLS stacks now ignore it outright when seen in a TLS 1.3
-			// handshake (e.g. BoringSSL, NSS, Rustls).
-			if data[1] == alertUserCanceled {
-				// Like TLS 1.2 alertLevelWarning alerts, we drop the record and retry.
-				return c.retryReadRecord( /*expectChangeCipherSpec*/ )
-			}
-			return c.rawConn.In.SetErrorLocked(&net.OpError{Op: "remote error", Err: tls.AlertError(data[1])})
-		}
-		switch data[0] {
-		case alertLevelWarning:
-			// Drop the record on the floor and retry.
-			return c.retryReadRecord( /*expectChangeCipherSpec*/ )
-		case alertLevelError:
-			return c.rawConn.In.SetErrorLocked(&net.OpError{Op: "remote error", Err: tls.AlertError(data[1])})
-		default:
-			return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
-		}
-
-	case recordTypeChangeCipherSpec:
-		if len(data) != 1 || data[0] != 1 {
-			return c.rawConn.In.SetErrorLocked(c.sendAlert(alertDecodeError))
-		}
-		// Handshake messages are not allowed to fragment across the CCS.
-		if c.rawConn.Hand.Len() > 0 {
-			return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
-		}
-		// In TLS 1.3, change_cipher_spec records are ignored until the
-		// Finished. See RFC 8446, Appendix D.4. Note that according to Section
-		// 5, a server can send a ChangeCipherSpec before its ServerHello, when
-		// c.vers is still unset. That's not useful though and suspicious if the
-		// server then selects a lower protocol version, so don't allow that.
-		if *c.rawConn.Vers == tls.VersionTLS13 {
-			return c.retryReadRecord( /*expectChangeCipherSpec*/ )
-		}
-		// if !expectChangeCipherSpec {
-		return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
-		//}
-		//if err := c.rawConn.In.changeCipherSpec(); err != nil {
-		//	return c.rawConn.In.setErrorLocked(c.sendAlert(err.(alert)))
-		//}
-
-	case recordTypeApplicationData:
-		// Some OpenSSL servers send empty records in order to randomize the
-		// CBC RawIV. Ignore a limited number of empty records.
-		if len(data) == 0 {
-			return c.retryReadRecord( /*expectChangeCipherSpec*/ )
-		}
-		// Note that data is owned by c.rawInput, following the Next call above,
-		// to avoid copying the plaintext. This is safe because c.rawInput is
-		// not read from or written to until c.input is drained.
-		c.rawConn.Input.Reset(data)
-	case recordTypeHandshake:
-		if len(data) == 0 {
-			return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
-		}
-		c.rawConn.Hand.Write(data)
-	}
-
-	return nil
-}
-
-//nolint:staticcheck
-func (c *Conn) readRawRecord() (typ uint8, data []byte, err error) {
-	// Read from kernel.
-	if c.kernelRx {
-		return c.readKernelRecord()
-	}
-
-	// Read header, payload.
-	if err = c.readFromUntil(c.conn, recordHeaderLen); err != nil {
-		// RFC 8446, Section 6.1 suggests that EOF without an alertCloseNotify
-		// is an error, but popular web sites seem to do this, so we accept it
-		// if and only if at the record boundary.
-		if err == io.ErrUnexpectedEOF && c.rawConn.RawInput.Len() == 0 {
-			err = io.EOF
-		}
-		if e, ok := err.(net.Error); !ok || !e.Temporary() {
-			c.rawConn.In.SetErrorLocked(err)
-		}
-		return
-	}
-	hdr := c.rawConn.RawInput.Bytes()[:recordHeaderLen]
-	typ = hdr[0]
-
-	vers := uint16(hdr[1])<<8 | uint16(hdr[2])
-	expectedVers := *c.rawConn.Vers
-	if expectedVers == tls.VersionTLS13 {
-		// All TLS 1.3 records are expected to have 0x0303 (1.2) after
-		// the initial hello (RFC 8446 Section 5.1).
-		expectedVers = tls.VersionTLS12
-	}
-	n := int(hdr[3])<<8 | int(hdr[4])
-	if /*c.haveVers && */ vers != expectedVers {
-		c.sendAlert(alertProtocolVersion)
-		msg := fmt.Sprintf("received record with version %x when expecting version %x", vers, expectedVers)
-		err = c.rawConn.In.SetErrorLocked(c.newRecordHeaderError(nil, msg))
-		return
-	}
-	//if !c.haveVers {
-	//	// First message, be extra suspicious: this might not be a TLS
-	//	// client. Bail out before reading a full 'body', if possible.
-	//	// The current max version is 3.3 so if the version is >= 16.0,
-	//	// it's probably not real.
-	//	if (typ != recordTypeAlert && typ != recordTypeHandshake) || vers >= 0x1000 {
-	//		err = c.rawConn.In.SetErrorLocked(c.newRecordHeaderError(c.conn, "first record does not look like a TLS handshake"))
-	//		return
-	//	}
-	//}
-	if *c.rawConn.Vers == tls.VersionTLS13 && n > maxCiphertextTLS13 || n > maxCiphertext {
-		c.sendAlert(alertRecordOverflow)
-		msg := fmt.Sprintf("oversized record received with length %d", n)
-		err = c.rawConn.In.SetErrorLocked(c.newRecordHeaderError(nil, msg))
-		return
-	}
-	if err = c.readFromUntil(c.conn, recordHeaderLen+n); err != nil {
-		if e, ok := err.(net.Error); !ok || !e.Temporary() {
-			c.rawConn.In.SetErrorLocked(err)
-		}
-		return
-	}
-
-	// Process message.
-	record := c.rawConn.RawInput.Next(recordHeaderLen + n)
-	data, typ, err = c.rawConn.In.Decrypt(record)
-	if err != nil {
-		err = c.rawConn.In.SetErrorLocked(c.sendAlert(uint8(err.(tls.AlertError))))
-		return
-	}
-	return
-}
-
-// retryReadRecord recurs into readRecordOrCCS to drop a non-advancing record, like
-// a warning alert, empty application_data, or a change_cipher_spec in TLS 1.3.
-func (c *Conn) retryReadRecord( /*expectChangeCipherSpec bool*/ ) error {
-	//c.retryCount++
-	//if c.retryCount > maxUselessRecords {
-	//	c.sendAlert(alertUnexpectedMessage)
-	//	return c.in.setErrorLocked(errors.New("tls: too many ignored records"))
-	//}
-	return c.readRecord( /*expectChangeCipherSpec*/ )
-}
-
-// atLeastReader reads from R, stopping with EOF once at least N bytes have been
-// read. It is different from an io.LimitedReader in that it doesn't cut short
-// the last Read call, and in that it considers an early EOF an error.
-type atLeastReader struct {
-	R io.Reader
-	N int64
-}
-
-func (r *atLeastReader) Read(p []byte) (int, error) {
-	if r.N <= 0 {
-		return 0, io.EOF
-	}
-	n, err := r.R.Read(p)
-	r.N -= int64(n) // won't underflow unless len(p) >= n > 9223372036854775809
-	if r.N > 0 && err == io.EOF {
-		return n, io.ErrUnexpectedEOF
-	}
-	if r.N <= 0 && err == nil {
-		return n, io.EOF
-	}
-	return n, err
-}
-
-// readFromUntil reads from r into c.rawConn.RawInput until c.rawConn.RawInput contains
-// at least n bytes or else returns an error.
-func (c *Conn) readFromUntil(r io.Reader, n int) error {
-	if c.rawConn.RawInput.Len() >= n {
-		return nil
-	}
-	needs := n - c.rawConn.RawInput.Len()
-	// There might be extra input waiting on the wire. Make a best effort
-	// attempt to fetch it so that it can be used in (*Conn).Read to
-	// "predict" closeNotify alerts.
-	c.rawConn.RawInput.Grow(needs + bytes.MinRead)
-	_, err := c.rawConn.RawInput.ReadFrom(&atLeastReader{r, int64(needs)})
-	return err
-}
-
-func (c *Conn) newRecordHeaderError(conn net.Conn, msg string) (err tls.RecordHeaderError) {
-	err.Msg = msg
-	err.Conn = conn
-	copy(err.RecordHeader[:], c.rawConn.RawInput.Bytes())
-	return err
-}
--- a/common/ktls/ktls_read_wait.go
+++ b/common/ktls/ktls_read_wait.go
@@ -1,41 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux && go1.25 && !without_badtls
-
-package ktls
-
-import (
-	"github.com/sagernet/sing/common/buf"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func (c *Conn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy bool) {
-	c.readWaitOptions = options
-	return false
-}
-
-func (c *Conn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
-	c.rawConn.In.Lock()
-	defer c.rawConn.In.Unlock()
-	for c.rawConn.Input.Len() == 0 {
-		err = c.readRecord()
-		if err != nil {
-			return
-		}
-	}
-	buffer = c.readWaitOptions.NewBuffer()
-	n, err := c.rawConn.Input.Read(buffer.FreeBytes())
-	if err != nil {
-		buffer.Release()
-		return
-	}
-	buffer.Truncate(n)
-	if n != 0 && c.rawConn.Input.Len() == 0 && c.rawConn.Input.Len() > 0 &&
-		c.rawConn.RawInput.Bytes()[0] == recordTypeAlert {
-		_ = c.rawConn.ReadRecord()
-	}
-	c.readWaitOptions.PostReturn(buffer)
-	return
-}
--- a/common/ktls/ktls_stub.go
+++ b/common/ktls/ktls_stub.go
@@ -1,15 +0,0 @@
-//go:build !linux || !go1.25 || without_badtls
-
-package ktls
-
-import (
-	"context"
-	"os"
-
-	"github.com/sagernet/sing/common/logger"
-	aTLS "github.com/sagernet/sing/common/tls"
-)
-
-func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
-	return nil, os.ErrInvalid
-}
--- a/common/ktls/ktls_write.go
+++ b/common/ktls/ktls_write.go
@@ -1,154 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux && go1.25 && !without_badtls
-
-package ktls
-
-import (
-	"crypto/cipher"
-	"crypto/tls"
-	"errors"
-	"net"
-)
-
-func (c *Conn) Write(b []byte) (int, error) {
-	if !c.kernelTx {
-		return c.Conn.Write(b)
-	}
-	// interlock with Close below
-	for {
-		x := c.rawConn.ActiveCall.Load()
-		if x&1 != 0 {
-			return 0, net.ErrClosed
-		}
-		if c.rawConn.ActiveCall.CompareAndSwap(x, x+2) {
-			break
-		}
-	}
-	defer c.rawConn.ActiveCall.Add(-2)
-
-	//if err := c.Conn.HandshakeContext(context.Background()); err != nil {
-	//	return 0, err
-	//}
-
-	c.rawConn.Out.Lock()
-	defer c.rawConn.Out.Unlock()
-
-	if err := *c.rawConn.Out.Err; err != nil {
-		return 0, err
-	}
-
-	if !c.rawConn.IsHandshakeComplete.Load() {
-		return 0, tls.AlertError(alertInternalError)
-	}
-
-	if *c.rawConn.CloseNotifySent {
-		// return 0, errShutdown
-		return 0, errors.New("tls: protocol is shutdown")
-	}
-
-	// TLS 1.0 is susceptible to a chosen-plaintext
-	// attack when using block mode ciphers due to predictable IVs.
-	// This can be prevented by splitting each Application Data
-	// record into two records, effectively randomizing the RawIV.
-	//
-	// https://www.openssl.org/~bodo/tls-cbc.txt
-	// https://bugzilla.mozilla.org/show_bug.cgi?id=665814
-	// https://www.imperialviolet.org/2012/01/15/beastfollowup.html
-
-	var m int
-	if len(b) > 1 && *c.rawConn.Vers == tls.VersionTLS10 {
-		if _, ok := (*c.rawConn.Out.Cipher).(cipher.BlockMode); ok {
-			n, err := c.writeRecordLocked(recordTypeApplicationData, b[:1])
-			if err != nil {
-				return n, c.rawConn.Out.SetErrorLocked(err)
-			}
-			m, b = 1, b[1:]
-		}
-	}
-
-	n, err := c.writeRecordLocked(recordTypeApplicationData, b)
-	return n + m, c.rawConn.Out.SetErrorLocked(err)
-}
-
-func (c *Conn) writeRecordLocked(typ uint16, data []byte) (n int, err error) {
-	if !c.kernelTx {
-		return c.rawConn.WriteRecordLocked(typ, data)
-	}
-	/*for len(data) > 0 {
-		m := len(data)
-		if maxPayload := c.maxPayloadSizeForWrite(typ); m > maxPayload {
-			m = maxPayload
-		}
-		_, err = c.writeKernelRecord(typ, data[:m])
-		if err != nil {
-			return
-		}
-		n += m
-		data = data[m:]
-	}*/
-	return c.writeKernelRecord(typ, data)
-}
-
-const (
-	// tcpMSSEstimate is a conservative estimate of the TCP maximum segment
-	// size (MSS). A constant is used, rather than querying the kernel for
-	// the actual MSS, to avoid complexity. The value here is the IPv6
-	// minimum MTU (1280 bytes) minus the overhead of an IPv6 header (40
-	// bytes) and a TCP header with timestamps (32 bytes).
-	tcpMSSEstimate = 1208
-
-	// recordSizeBoostThreshold is the number of bytes of application data
-	// sent after which the TLS record size will be increased to the
-	// maximum.
-	recordSizeBoostThreshold = 128 * 1024
-)
-
-func (c *Conn) maxPayloadSizeForWrite(typ uint16) int {
-	if /*c.config.DynamicRecordSizingDisabled ||*/ typ != recordTypeApplicationData {
-		return maxPlaintext
-	}
-
-	if *c.rawConn.PacketsSent >= recordSizeBoostThreshold {
-		return maxPlaintext
-	}
-
-	// Subtract TLS overheads to get the maximum payload size.
-	payloadBytes := tcpMSSEstimate - recordHeaderLen - c.rawConn.Out.ExplicitNonceLen()
-	if rawCipher := *c.rawConn.Out.Cipher; rawCipher != nil {
-		switch ciph := rawCipher.(type) {
-		case cipher.Stream:
-			payloadBytes -= (*c.rawConn.Out.Mac).Size()
-		case cipher.AEAD:
-			payloadBytes -= ciph.Overhead()
-		/*case cbcMode:
-		blockSize := ciph.BlockSize()
-		// The payload must fit in a multiple of blockSize, with
-		// room for at least one padding byte.
-		payloadBytes = (payloadBytes & ^(blockSize - 1)) - 1
-		// The RawMac is appended before padding so affects the
-		// payload size directly.
-		payloadBytes -= c.out.mac.Size()*/
-		default:
-			panic("unknown cipher type")
-		}
-	}
-	if *c.rawConn.Vers == tls.VersionTLS13 {
-		payloadBytes-- // encrypted ContentType
-	}
-
-	// Allow packet growth in arithmetic progression up to max.
-	pkt := *c.rawConn.PacketsSent
-	*c.rawConn.PacketsSent++
-	if pkt > 1000 {
-		return maxPlaintext // avoid overflow in multiply below
-	}
-
-	n := payloadBytes * int(pkt+1)
-	if n > maxPlaintext {
-		n = maxPlaintext
-	}
-	return n
-}
--- a/common/listener/listener.go
+++ b/common/listener/listener.go
@@ -151,6 +151,7 @@ func ListenNetworkNamespace[T any](nameOrPath string, block func() (T, error)) (
 		if err != nil {
 			return common.DefaultValue[T](), E.Cause(err, "get current netns")
 		}
+		defer currentNs.Close()
 		defer netns.Set(currentNs)
 		var targetNs netns.NsHandle
 		if strings.HasPrefix(nameOrPath, "/") {
--- a/common/sniff/quic.go
+++ b/common/sniff/quic.go
@@ -303,8 +303,6 @@ find:
 	metadata.Protocol = C.ProtocolQUIC
 	fingerprint, err := ja3.Compute(buffer.Bytes())
 	if err != nil {
-		metadata.Protocol = C.ProtocolQUIC
-		metadata.Client = C.ClientChromium
 		metadata.SniffContext = fragments
 		return E.Cause1(ErrNeedMoreData, err)
 	}
@@ -334,7 +332,7 @@ find:
 		}

 		if count(frameTypeList, frameTypeCrypto) > 1 || count(frameTypeList, frameTypePing) > 0 {
-			if maybeUQUIC(fingerprint) {
+			if isQUICGo(fingerprint) {
 				metadata.Client = C.ClientQUICGo
 			} else {
 				metadata.Client = C.ClientChromium
--- a/common/sniff/quic_blacklist.go
+++ b/common/sniff/quic_blacklist.go
@@ -1,21 +1,29 @@
 package sniff

 import (
-	"crypto/tls"
-
 	"github.com/sagernet/sing-box/common/ja3"
 )

-// Chromium sends separate client hello packets, but UQUIC has not yet implemented this behavior
-// The cronet without this behavior does not have version 115
-var uQUICChrome115 = &ja3.ClientHello{
-	Version:             tls.VersionTLS12,
-	CipherSuites:        []uint16{4865, 4866, 4867},
-	Extensions:          []uint16{0, 10, 13, 16, 27, 43, 45, 51, 57, 17513},
-	EllipticCurves:      []uint16{29, 23, 24},
-	SignatureAlgorithms: []uint16{1027, 2052, 1025, 1283, 2053, 1281, 2054, 1537, 513},
-}
+const (
+	// X25519Kyber768Draft00 - post-quantum curve used by Go crypto/tls
+	x25519Kyber768Draft00 uint16 = 0x11EC // 4588
+	// renegotiation_info extension used by Go crypto/tls
+	extensionRenegotiationInfo uint16 = 0xFF01 // 65281
+)

-func maybeUQUIC(fingerprint *ja3.ClientHello) bool {
-	return !uQUICChrome115.Equals(fingerprint, true)
+// isQUICGo detects native quic-go by checking for Go crypto/tls specific features.
+// Note: uQUIC with Chromium mimicry cannot be reliably distinguished from real Chromium
+// since it uses the same TLS fingerprint, so it will be identified as Chromium.
+func isQUICGo(fingerprint *ja3.ClientHello) bool {
+	for _, curve := range fingerprint.EllipticCurves {
+		if curve == x25519Kyber768Draft00 {
+			return true
+		}
+	}
+	for _, ext := range fingerprint.Extensions {
+		if ext == extensionRenegotiationInfo {
+			return true
+		}
+	}
+	return false
 }
--- a/common/sniff/quic_capture_test.go
+++ b/common/sniff/quic_capture_test.go
@@ -0,0 +1,188 @@
+package sniff_test
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/hex"
+	"errors"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/sagernet/quic-go"
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/sniff"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSniffQUICQuicGoFingerprint(t *testing.T) {
+	t.Parallel()
+	const testSNI = "test.example.com"
+
+	udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer udpConn.Close()
+
+	serverAddr := udpConn.LocalAddr().(*net.UDPAddr)
+	packetsChan := make(chan [][]byte, 1)
+
+	go func() {
+		var packets [][]byte
+		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
+		for i := 0; i < 10; i++ {
+			buf := make([]byte, 2048)
+			n, _, err := udpConn.ReadFromUDP(buf)
+			if err != nil {
+				break
+			}
+			packets = append(packets, buf[:n])
+		}
+		packetsChan <- packets
+	}()
+
+	clientConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer clientConn.Close()
+
+	tlsConfig := &tls.Config{
+		ServerName:         testSNI,
+		InsecureSkipVerify: true,
+		NextProtos:         []string{"h3"},
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	_, _ = quic.Dial(ctx, clientConn, serverAddr, tlsConfig, &quic.Config{})
+
+	select {
+	case packets := <-packetsChan:
+		t.Logf("Captured %d packets", len(packets))
+
+		var metadata adapter.InboundContext
+		for i, pkt := range packets {
+			err := sniff.QUICClientHello(context.Background(), &metadata, pkt)
+			t.Logf("Packet %d: err=%v, domain=%s, client=%s", i, err, metadata.Domain, metadata.Client)
+			if metadata.Domain != "" {
+				break
+			}
+		}
+
+		t.Logf("\n=== quic-go TLS Fingerprint Analysis ===")
+		t.Logf("Domain: %s", metadata.Domain)
+		t.Logf("Client: %s", metadata.Client)
+		t.Logf("Protocol: %s", metadata.Protocol)
+
+		// The client should be identified as quic-go, not chromium
+		// Current issue: it's being identified as chromium
+		if metadata.Client == "chromium" {
+			t.Log("WARNING: quic-go is being misidentified as chromium!")
+		}
+
+	case <-time.After(5 * time.Second):
+		t.Fatal("Timeout")
+	}
+}
+
+func TestSniffQUICInitialFromQuicGo(t *testing.T) {
+	t.Parallel()
+
+	const testSNI = "test.example.com"
+
+	// Create UDP listener to capture ALL initial packets
+	udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer udpConn.Close()
+
+	serverAddr := udpConn.LocalAddr().(*net.UDPAddr)
+
+	// Channel to receive captured packets
+	packetsChan := make(chan [][]byte, 1)
+
+	// Start goroutine to capture packets
+	go func() {
+		var packets [][]byte
+		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
+		for i := 0; i < 5; i++ { // Capture up to 5 packets
+			buf := make([]byte, 2048)
+			n, _, err := udpConn.ReadFromUDP(buf)
+			if err != nil {
+				break
+			}
+			packets = append(packets, buf[:n])
+		}
+		packetsChan <- packets
+	}()
+
+	// Create QUIC client connection (will fail but we capture the initial packet)
+	clientConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer clientConn.Close()
+
+	tlsConfig := &tls.Config{
+		ServerName:         testSNI,
+		InsecureSkipVerify: true,
+		NextProtos:         []string{"h3"},
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	// This will fail (no server) but sends initial packet
+	_, _ = quic.Dial(ctx, clientConn, serverAddr, tlsConfig, &quic.Config{})
+
+	// Wait for captured packets
+	select {
+	case packets := <-packetsChan:
+		t.Logf("Captured %d QUIC packets", len(packets))
+
+		for i, packet := range packets {
+			t.Logf("Packet %d: length=%d, first 30 bytes: %x", i, len(packet), packet[:min(30, len(packet))])
+		}
+
+		// Test sniffer with first packet
+		if len(packets) > 0 {
+			var metadata adapter.InboundContext
+			err := sniff.QUICClientHello(context.Background(), &metadata, packets[0])
+
+			t.Logf("First packet sniff error: %v", err)
+			t.Logf("Protocol: %s", metadata.Protocol)
+			t.Logf("Domain: %s", metadata.Domain)
+			t.Logf("Client: %s", metadata.Client)
+
+			// If first packet needs more data, try with subsequent packets
+			// IMPORTANT: reuse metadata to accumulate CRYPTO fragments via SniffContext
+			if errors.Is(err, sniff.ErrNeedMoreData) && len(packets) > 1 {
+				t.Log("First packet needs more data, trying subsequent packets with shared context...")
+				for i := 1; i < len(packets); i++ {
+					// Reuse same metadata to accumulate fragments
+					err = sniff.QUICClientHello(context.Background(), &metadata, packets[i])
+					t.Logf("Packet %d sniff result: err=%v, domain=%s, sniffCtx=%v", i, err, metadata.Domain, metadata.SniffContext != nil)
+					if metadata.Domain != "" || (err != nil && !errors.Is(err, sniff.ErrNeedMoreData)) {
+						break
+					}
+				}
+			}
+
+			// Print hex dump for debugging
+			t.Logf("First packet hex:\n%s", hex.Dump(packets[0][:min(256, len(packets[0]))]))
+
+			// Log final results
+			t.Logf("Final: Protocol=%s, Domain=%s, Client=%s", metadata.Protocol, metadata.Domain, metadata.Client)
+
+			// Verify SNI extraction
+			if metadata.Domain == "" {
+				t.Errorf("Failed to extract SNI, expected: %s", testSNI)
+			} else {
+				require.Equal(t, testSNI, metadata.Domain, "SNI should match")
+			}
+
+			// Check client identification - quic-go should be identified as quic-go, not chromium
+			t.Logf("Client identified as: %s (expected: quic-go)", metadata.Client)
+		}
+
+	case <-time.After(5 * time.Second):
+		t.Fatal("Timeout waiting for QUIC packets")
+	}
+}
--- a/common/sniff/quic_test.go
+++ b/common/sniff/quic_test.go
@@ -19,7 +19,7 @@ func TestSniffQUICChromeNew(t *testing.T) {
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientChromium)
+	require.Empty(t, metadata.Client)
 	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
 	pkt, err = hex.DecodeString("cc0000000108e241a0c601413b4f004046006d8f15dae9999edf39d58df6762822b9a2ab996d7f6a10044338af3b51b1814bc4ac0fa5a87c34c6ae604af8cabc5957c5240174deefc8e378719ffdab2ae4e15bf4514bea44894b626c685cd5d5c965f7e97b3a1bdc520b75813e747f37a3ae83ad38b9ca2acb0de4fc9424839a50c8fb815a62b498609fbbc59145698860e0509cc08a04d1b119daef844ba2f09c16e2665e5cc0b47624b71f7b950c54fd56b4a1fbb826cba44eeeee3949ced8f5de60d4c81b19ee59f75aa1abb33f22c6b13c27095eb1e99cff01fdc93e6e88da2622ee18c08a79f508befd7e33e99bca60e64bef9a47b764384bd93823daeeb6fcb4d7cfbc4ab53eff59b3636f6dcaaf229b5a94941b5712807166b9bd5e82cb4a9708a71451c4cd6f6e33fb2fe40c8c70dd51a30b37ff9c5e35783debde0093fde19ce074b4887b3c90980b107b9c0f32cf61a66f37c251b789abc4d27fc421207966846c8cc7faa42d9af6ad355a6bc94cb78223b612be8b3e2a4df61fee83a674a0ceb8b7c3a29b97102cda22fecdf6a4628e5b612bc17eab64d6f75feedd0b106c0419e484e66725759964cb5935ac5125e5ae920cd280bd40df57c1d7ae1845700bd4eb7b7ab12bc0850950bfe6e69edd6ac1daa5db2c2b07484327196e561c513462d72872dc6771c39f6b60d46a1f2c92343b7338450a0ef8e39f97fa70652b3a12cd04043698951627aaaa82cc95e76df92021d30e8014c984f12eea0143de8b17e5e4a36ec07bf4814251b391f168a59ef75afcd2319249aaba930f06bb7a11b9491e6f71b3d5774a6503a965e94edd0a67737282fc9cb0271779ff14151b7aa9267bb8f7d643185512515aeea513c0c98bfae782381a3317064195d8825cf8b25c17cdab5fced02612a3f2870e40df57e6ca3f08228a2b04e8de1425eb4b970118f9bbdc212223ff86a5d6b648cdf2366722f21de4b14a1014879eadb69215cdb1aa2a9f4f310ecfe3116214fe3ab0a23f4775a0a54b48d7dfd8f7283ed687b3ac7e1a7e42a0bdc3478aba8651c03e1e9cc9df17d106b8130afe854269b0103b7a696f452721887b19d8181830073c9f10684c65f96d3a6c6efbae044eec03d6399e001fa44d54635dc72f9b8ea6b87d0f452cad1e1e32273e2b47c40f2730235adcae8523b8282f86b8cf1ab63ae54aaa06130df3bbf6ecac7d7d1d43d2a87aea837267ff8ccfaa4b7e47b7ded909e6603d0b928a304f8915c839153598adc4178eb48bc0e98ad7793d7980275e1e491ba4847a4a04ae30fe7f5cc7d4b6f4f63a525e9964d72245860ca76a668a4654adb6619f16e9db79131e5675b93cafb96c92f1da8464d4fef2a22e7f9db695965fe2cc27ea30974629c8fe17cfa2f860179e1eb9faaa88a91ec9ce6da28c1a2894c3b932b5e1c807146718cc77ca13c61eaae00c7c99e019f599772064b198c5c2c5e863336367673630b417ac845ddb7c93b0856317e5d64bab208c5730abc2c63536784fbeaaec139dffc917e775715f1e42164ddef5138d4d163609ab3fbdcab968f8738385c0e7e34ff3cf7771a1dc5ba25a8850fdf96dabafa21f9065f307457ce9af4b7a73450c9d20a3b46fa8d3a1163d22bd01a7d17f0ec274181bf9640fa941427694bfeb1346089f7a851efe0fbb7a2041fa6bb6541ccbad77dd3e1a97999fc05f1fef070e7b5c4b385b8b2a8cc32483fdeba6a373970de2fa4139ba18e5916f949aab0aab2894")
 	require.NoError(t, err)
@@ -39,7 +39,7 @@ func TestSniffQUICChromium(t *testing.T) {
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientChromium)
+	require.Empty(t, metadata.Client)
 	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
 	pkt, err = hex.DecodeString("c90000000108f40d654cc09b27f5000044d073eb38807026d4088455e650e7ccf750d01a72f15f9bfc8ff40d223499db1a485cff14dbd45b9be118172834dc35dca3cf62f61a1266f40b92faf3d28d67a466cfdca678ddced15cd606d31959cf441828467857b226d1a241847c82c57312cefe68ba5042d929919bcd4403b39e5699fe87dda05df1b3801e048edee792458e9b1a9b1d4039df05847bcee3be567494b5876e3bd4c3220fe9dfdb2c07d77410f907f744251ef15536cc03b267d3668d5b75bc1ad2fe735cd3bb73519dd9f1625a49e17ad27bdeccf706c83b5ea339a0a05dd0072f4a8f162bd29926b4997f05613c6e4b0270b0c02805ca0543f27c1ff8505a5750bdd33529ee73c491050a10c6903f53c1121dbe0380e84c007c8df74a1b02443ed80ba7766aef5549e618d4fd249844ee28565142005369869299e8c3035ecef3d799f6cada8549e75b4ce4cbf4c85ef071fd7ff067b1ca9b5968dc41d13d011f6d7843823bac97acb1eb8ee45883f0f254b5f9bd4c763b67e2d8c70a7618a0ef0de304cf597a485126e09f8b2fd795b394c0b4bc4cd2634c2057970da2c798c5e8af7aed4f76f5e25d04e3f8c9c5a5b150d17e0d4c74229898c69b8dc7b8bcc9d359eb441de75c68fbdebec62fb669dcccfb1aad03e3fa073adb2ccf7bb14cbaf99e307d2c903ee71a8f028102eb510caee7e7397512086a78d1f95635c7d06845b5a708652dc4e5cd61245aae5b3c05b84815d84d367bce9b9e3f6d6b90701ac3679233c14d5ce2a1eff26469c966266dc6284bdb95c9c6158934c413a872ce22101e4163e3293d236b301592ca4ccacc1fd4c37066e79c2d9857c8a2560dcf0b33b19163c4240c471b19907476e7e25c65f7eb37276594a0f6b4c33c340cc3284178f17ac5e34dbe7509db890e4ddfd0540fbf9deb32a0101d24fe58b26c5f81c627db9d6ae59d7a111a3d5d1f6109f4eec0d0234e6d73c73a44f50999462724b51ce0fd8283535d70d9e83872c79c59897407a0736741011ae5c64862eb0712f9e7b07aa1d5418ca3fde8626257c6fe418f3c5479055bb2b0ab4c25f649923fc2a41c79aaa7d0f3af6d8b8cf06f61f0230d09bbb60bb49b9e49cc5973748a6cf7ffdee7804d424f9423c63e7ff22f4bd24e4867636ef9fe8dd37f59941a8a47c27765caa8e875a30b62834f17c569227e5e6ed15d58e05d36e76332befad065a2cd4079e66d5af189b0337624c89b1560c3b1b0befd5c1f20e6de8e3d664b3ac06b3d154b488983e14aa93266f5f8b621d2a9bb7ccce509eb26e025c9c45f7cccc09ce85b3103af0c93ce9822f82ecb168ca3177829afb2ea0da2c380e7b1728add55a5d42632e2290363d4cbe432b67e13691648e1acfab22cf0d551eee857709b428bb78e27a45aff6eca301c02e4d13cf36cc2494fdd1aef8dede6e18febd79dca4c6964d09b91c25a08f0947c76ab5104de9404459c2edf5f4adb9dfd771be83656f77fbbafb1ad3281717066010be8778952495383c9f2cf0a38527228c662a35171c5981731f1af09bab842fe6c3162ad4152a4221f560eb6f9bea66b294ffbd3643da2fe34096da13c246505452540177a2a0a1a69106e5cfc279a4890fc3be2952f26be245f930e6c2d9e7e26ee960481e72b99594a1185b46b94b6436d00ba6c70ffe135d43907c92c6f1c09fb9453f103730714f5700fa4347f9715c774cb04a7218dacc66d9c2fade18b14e684aa7fc9ebda0a28")
 	require.NoError(t, err)
--- a/common/srs/binary.go
+++ b/common/srs/binary.go
@@ -12,8 +12,6 @@ import (
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/domain"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json/badjson"
-	"github.com/sagernet/sing/common/json/badoption"
 	"github.com/sagernet/sing/common/varbin"

 	"go4.org/netipx"
@@ -43,8 +41,6 @@ const (
 	ruleItemNetworkType
 	ruleItemNetworkIsExpensive
 	ruleItemNetworkIsConstrained
-	ruleItemNetworkInterfaceAddress
-	ruleItemDefaultInterfaceAddress
 	ruleItemFinal uint8 = 0xFF
 )

@@ -234,51 +230,6 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 			rule.NetworkIsExpensive = true
 		case ruleItemNetworkIsConstrained:
 			rule.NetworkIsConstrained = true
-		case ruleItemNetworkInterfaceAddress:
-			rule.NetworkInterfaceAddress = new(badjson.TypedMap[option.InterfaceType, badoption.Listable[*badoption.Prefixable]])
-			var size uint64
-			size, err = binary.ReadUvarint(reader)
-			if err != nil {
-				return
-			}
-			for i := uint64(0); i < size; i++ {
-				var key uint8
-				err = binary.Read(reader, binary.BigEndian, &key)
-				if err != nil {
-					return
-				}
-				var value []*badoption.Prefixable
-				var prefixCount uint64
-				prefixCount, err = binary.ReadUvarint(reader)
-				if err != nil {
-					return
-				}
-				for j := uint64(0); j < prefixCount; j++ {
-					var prefix netip.Prefix
-					prefix, err = readPrefix(reader)
-					if err != nil {
-						return
-					}
-					value = append(value, common.Ptr(badoption.Prefixable(prefix)))
-				}
-				rule.NetworkInterfaceAddress.Put(option.InterfaceType(key), value)
-			}
-		case ruleItemDefaultInterfaceAddress:
-			var value []*badoption.Prefixable
-			var prefixCount uint64
-			prefixCount, err = binary.ReadUvarint(reader)
-			if err != nil {
-				return
-			}
-			for j := uint64(0); j < prefixCount; j++ {
-				var prefix netip.Prefix
-				prefix, err = readPrefix(reader)
-				if err != nil {
-					return
-				}
-				value = append(value, common.Ptr(badoption.Prefixable(prefix)))
-			}
-			rule.DefaultInterfaceAddress = value
 		case ruleItemFinal:
 			err = binary.Read(reader, binary.BigEndian, &rule.Invert)
 			return
@@ -395,7 +346,7 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 	}
 	if len(rule.NetworkType) > 0 {
 		if generateVersion < C.RuleSetVersion3 {
-			return E.New("`network_type` rule item is only supported in version 3 or later")
+			return E.New("network_type rule item is only supported in version 3 or later")
 		}
 		err = writeRuleItemUint8(writer, ruleItemNetworkType, rule.NetworkType)
 		if err != nil {
@@ -403,71 +354,17 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 		}
 	}
 	if rule.NetworkIsExpensive {
-		if generateVersion < C.RuleSetVersion3 {
-			return E.New("`network_is_expensive` rule item is only supported in version 3 or later")
-		}
 		err = binary.Write(writer, binary.BigEndian, ruleItemNetworkIsExpensive)
 		if err != nil {
 			return err
 		}
 	}
 	if rule.NetworkIsConstrained {
-		if generateVersion < C.RuleSetVersion3 {
-			return E.New("`network_is_constrained` rule item is only supported in version 3 or later")
-		}
 		err = binary.Write(writer, binary.BigEndian, ruleItemNetworkIsConstrained)
 		if err != nil {
 			return err
 		}
 	}
-	if rule.NetworkInterfaceAddress != nil && rule.NetworkInterfaceAddress.Size() > 0 {
-		if generateVersion < C.RuleSetVersion4 {
-			return E.New("`network_interface_address` rule item is only supported in version 4 or later")
-		}
-		err = writer.WriteByte(ruleItemNetworkInterfaceAddress)
-		if err != nil {
-			return err
-		}
-		_, err = varbin.WriteUvarint(writer, uint64(rule.NetworkInterfaceAddress.Size()))
-		if err != nil {
-			return err
-		}
-		for _, entry := range rule.NetworkInterfaceAddress.Entries() {
-			err = binary.Write(writer, binary.BigEndian, uint8(entry.Key.Build()))
-			if err != nil {
-				return err
-			}
-			_, err = varbin.WriteUvarint(writer, uint64(len(entry.Value)))
-			if err != nil {
-				return err
-			}
-			for _, rawPrefix := range entry.Value {
-				err = writePrefix(writer, rawPrefix.Build(netip.Prefix{}))
-				if err != nil {
-					return err
-				}
-			}
-		}
-	}
-	if len(rule.DefaultInterfaceAddress) > 0 {
-		if generateVersion < C.RuleSetVersion4 {
-			return E.New("`default_interface_address` rule item is only supported in version 4 or later")
-		}
-		err = writer.WriteByte(ruleItemDefaultInterfaceAddress)
-		if err != nil {
-			return err
-		}
-		_, err = varbin.WriteUvarint(writer, uint64(len(rule.DefaultInterfaceAddress)))
-		if err != nil {
-			return err
-		}
-		for _, rawPrefix := range rule.DefaultInterfaceAddress {
-			err = writePrefix(writer, rawPrefix.Build(netip.Prefix{}))
-			if err != nil {
-				return err
-			}
-		}
-	}
 	if len(rule.WIFISSID) > 0 {
 		err = writeRuleItemString(writer, ruleItemWIFISSID, rule.WIFISSID)
 		if err != nil {
--- a/common/srs/ip_cidr.go
+++ b/common/srs/ip_cidr.go
@@ -1,33 +0,0 @@
-package srs
-
-import (
-	"encoding/binary"
-	"net/netip"
-
-	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/common/varbin"
-)
-
-func readPrefix(reader varbin.Reader) (netip.Prefix, error) {
-	addrSlice, err := varbin.ReadValue[[]byte](reader, binary.BigEndian)
-	if err != nil {
-		return netip.Prefix{}, err
-	}
-	prefixBits, err := varbin.ReadValue[uint8](reader, binary.BigEndian)
-	if err != nil {
-		return netip.Prefix{}, err
-	}
-	return netip.PrefixFrom(M.AddrFromIP(addrSlice), int(prefixBits)), nil
-}
-
-func writePrefix(writer varbin.Writer, prefix netip.Prefix) error {
-	err := varbin.Write(writer, binary.BigEndian, prefix.Addr().AsSlice())
-	if err != nil {
-		return err
-	}
-	err = binary.Write(writer, binary.BigEndian, uint8(prefix.Bits()))
-	if err != nil {
-		return err
-	}
-	return nil
-}
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -2,71 +2,39 @@ package tls

 import (
 	"context"
-	"crypto/tls"
-	"errors"
 	"net"
 	"os"

+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/badtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	aTLS "github.com/sagernet/sing/common/tls"
 )

-func NewDialerFromOptions(ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
+func NewDialerFromOptions(ctx context.Context, router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
 	if !options.Enabled {
 		return dialer, nil
 	}
-	config, err := NewClientWithOptions(ClientOptions{
-		Context:       ctx,
-		Logger:        logger,
-		ServerAddress: serverAddress,
-		Options:       options,
-	})
+	config, err := NewClient(ctx, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}
 	return NewDialer(dialer, config), nil
 }

-func NewClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return NewClientWithOptions(ClientOptions{
-		Context:       ctx,
-		Logger:        logger,
-		ServerAddress: serverAddress,
-		Options:       options,
-	})
-}
-
-type ClientOptions struct {
-	Context        context.Context
-	Logger         logger.ContextLogger
-	ServerAddress  string
-	Options        option.OutboundTLSOptions
-	KTLSCompatible bool
-}
-
-func NewClientWithOptions(options ClientOptions) (Config, error) {
-	if !options.Options.Enabled {
+func NewClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	if !options.Enabled {
 		return nil, nil
 	}
-	if !options.KTLSCompatible {
-		if options.Options.KernelTx {
-			options.Logger.Warn("enabling kTLS TX in current scenarios will definitely reduce performance, please checkout https://sing-box.sagernet.org/configuration/shared/tls/#kernel_tx")
-		}
+	if options.Reality != nil && options.Reality.Enabled {
+		return NewRealityClient(ctx, serverAddress, options)
+	} else if options.UTLS != nil && options.UTLS.Enabled {
+		return NewUTLSClient(ctx, serverAddress, options)
 	}
-	if options.Options.KernelRx {
-		options.Logger.Warn("enabling kTLS RX will definitely reduce performance, please checkout https://sing-box.sagernet.org/configuration/shared/tls/#kernel_rx")
-	}
-	if options.Options.Reality != nil && options.Options.Reality.Enabled {
-		return NewRealityClient(options.Context, options.Logger, options.ServerAddress, options.Options)
-	} else if options.Options.UTLS != nil && options.Options.UTLS.Enabled {
-		return NewUTLSClient(options.Context, options.Logger, options.ServerAddress, options.Options)
-	}
-	return NewSTDClient(options.Context, options.Logger, options.ServerAddress, options.Options)
+	return NewSTDClient(ctx, serverAddress, options)
 }

 func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
@@ -111,29 +79,20 @@ func (d *defaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 }

 func (d *defaultDialer) DialTLSContext(ctx context.Context, destination M.Socksaddr) (Conn, error) {
-	return d.dialContext(ctx, destination, true)
+	return d.dialContext(ctx, destination)
 }

-func (d *defaultDialer) dialContext(ctx context.Context, destination M.Socksaddr, echRetry bool) (Conn, error) {
+func (d *defaultDialer) dialContext(ctx context.Context, destination M.Socksaddr) (Conn, error) {
 	conn, err := d.dialer.DialContext(ctx, N.NetworkTCP, destination)
 	if err != nil {
 		return nil, err
 	}
-	tlsConn, err := ClientHandshake(ctx, conn, d.config)
-	if err == nil {
-		return tlsConn, nil
+	tlsConn, err := aTLS.ClientHandshake(ctx, conn, d.config)
+	if err != nil {
+		conn.Close()
+		return nil, err
 	}
-	conn.Close()
-	if echRetry {
-		var echErr *tls.ECHRejectionError
-		if errors.As(err, &echErr) && len(echErr.RetryConfigList) > 0 {
-			if echConfig, isECH := d.config.(ECHCapableConfig); isECH {
-				echConfig.SetECHConfigList(echErr.RetryConfigList)
-			}
-		}
-		return d.dialContext(ctx, destination, false)
-	}
-	return nil, err
+	return tlsConn, nil
 }

 func (d *defaultDialer) Upstream() any {
--- a/common/tls/ktls.go
+++ b/common/tls/ktls.go
@@ -1,67 +0,0 @@
-package tls
-
-import (
-	"context"
-	"net"
-
-	"github.com/sagernet/sing-box/common/ktls"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	aTLS "github.com/sagernet/sing/common/tls"
-)
-
-type KTLSClientConfig struct {
-	Config
-	logger             logger.ContextLogger
-	kernelTx, kernelRx bool
-}
-
-func (w *KTLSClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
-	tlsConn, err := aTLS.ClientHandshake(ctx, conn, w.Config)
-	if err != nil {
-		return nil, err
-	}
-	kConn, err := ktls.NewConn(ctx, w.logger, tlsConn, w.kernelTx, w.kernelRx)
-	if err != nil {
-		tlsConn.Close()
-		return nil, E.Cause(err, "initialize kernel TLS")
-	}
-	return kConn, nil
-}
-
-func (w *KTLSClientConfig) Clone() Config {
-	return &KTLSClientConfig{
-		w.Config.Clone(),
-		w.logger,
-		w.kernelTx,
-		w.kernelRx,
-	}
-}
-
-type KTlSServerConfig struct {
-	ServerConfig
-	logger             logger.ContextLogger
-	kernelTx, kernelRx bool
-}
-
-func (w *KTlSServerConfig) ServerHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
-	tlsConn, err := aTLS.ServerHandshake(ctx, conn, w.ServerConfig)
-	if err != nil {
-		return nil, err
-	}
-	kConn, err := ktls.NewConn(ctx, w.logger, tlsConn, w.kernelTx, w.kernelRx)
-	if err != nil {
-		tlsConn.Close()
-		return nil, E.Cause(err, "initialize kernel TLS")
-	}
-	return kConn, nil
-}
-
-func (w *KTlSServerConfig) Clone() Config {
-	return &KTlSServerConfig{
-		w.ServerConfig.Clone().(ServerConfig),
-		w.logger,
-		w.kernelTx,
-		w.kernelRx,
-	}
-}
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@@ -28,12 +28,10 @@ import (
 	"unsafe"

 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/common/ntp"
 	aTLS "github.com/sagernet/sing/common/tls"

@@ -51,12 +49,12 @@ type RealityClientConfig struct {
 	shortID   [8]byte
 }

-func NewRealityClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
 	if options.UTLS == nil || !options.UTLS.Enabled {
 		return nil, E.New("uTLS is required by reality client")
 	}

-	uClient, err := NewUTLSClient(ctx, logger, serverAddress, options)
+	uClient, err := NewUTLSClient(ctx, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}
@@ -76,20 +74,7 @@ func NewRealityClient(ctx context.Context, logger logger.ContextLogger, serverAd
 	if decodedLen > 8 {
 		return nil, E.New("invalid short_id")
 	}
-
-	var config Config = &RealityClientConfig{ctx, uClient.(*UTLSClientConfig), publicKey, shortID}
-	if options.KernelRx || options.KernelTx {
-		if !C.IsLinux {
-			return nil, E.New("kTLS is only supported on Linux")
-		}
-		config = &KTLSClientConfig{
-			Config:   config,
-			logger:   logger,
-			kernelTx: options.KernelTx,
-			kernelRx: options.KernelRx,
-		}
-	}
-	return config, nil
+	return &RealityClientConfig{ctx, uClient.(*UTLSClientConfig), publicKey, shortID}, nil
 }

 func (e *RealityClientConfig) ServerName() string {
@@ -108,7 +93,7 @@ func (e *RealityClientConfig) SetNextProtos(nextProto []string) {
 	e.uClient.SetNextProtos(nextProto)
 }

-func (e *RealityClientConfig) STDConfig() (*STDConfig, error) {
+func (e *RealityClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for reality")
 }

--- a/common/tls/reality_server.go
+++ b/common/tls/reality_server.go
@@ -12,7 +12,6 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/common/dialer"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -29,7 +28,7 @@ type RealityServerConfig struct {
 	config *utls.RealityConfig
 }

-func NewRealityServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
 	var tlsConfig utls.RealityConfig

 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
@@ -120,22 +119,7 @@ func NewRealityServer(ctx context.Context, logger log.ContextLogger, options opt
 		return handshakeDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 	}

-	if options.ECH != nil && options.ECH.Enabled {
-		return nil, E.New("Reality is conflict with ECH")
-	}
-	var config ServerConfig = &RealityServerConfig{&tlsConfig}
-	if options.KernelTx || options.KernelRx {
-		if !C.IsLinux {
-			return nil, E.New("kTLS is only supported on Linux")
-		}
-		config = &KTlSServerConfig{
-			ServerConfig: config,
-			logger:       logger,
-			kernelTx:     options.KernelTx,
-			kernelRx:     options.KernelRx,
-		}
-	}
-	return config, nil
+	return &RealityServerConfig{&tlsConfig}, nil
 }

 func (c *RealityServerConfig) ServerName() string {
@@ -154,7 +138,7 @@ func (c *RealityServerConfig) SetNextProtos(nextProto []string) {
 	c.config.NextProtos = nextProto
 }

-func (c *RealityServerConfig) STDConfig() (*tls.Config, error) {
+func (c *RealityServerConfig) Config() (*tls.Config, error) {
 	return nil, E.New("unsupported usage for reality")
 }

--- a/common/tls/server.go
+++ b/common/tls/server.go
@@ -12,37 +12,14 @@ import (
 	aTLS "github.com/sagernet/sing/common/tls"
 )

-type ServerOptions struct {
-	Context        context.Context
-	Logger         log.ContextLogger
-	Options        option.InboundTLSOptions
-	KTLSCompatible bool
-}
-
-func NewServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
-	return NewServerWithOptions(ServerOptions{
-		Context: ctx,
-		Logger:  logger,
-		Options: options,
-	})
-}
-
-func NewServerWithOptions(options ServerOptions) (ServerConfig, error) {
-	if !options.Options.Enabled {
+func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+	if !options.Enabled {
 		return nil, nil
 	}
-	if !options.KTLSCompatible {
-		if options.Options.KernelTx {
-			options.Logger.Warn("enabling kTLS TX in current scenarios will definitely reduce performance, please checkout https://sing-box.sagernet.org/configuration/shared/tls/#kernel_tx")
-		}
+	if options.Reality != nil && options.Reality.Enabled {
+		return NewRealityServer(ctx, logger, options)
 	}
-	if options.Options.KernelRx {
-		options.Logger.Warn("enabling kTLS RX will definitely reduce performance, please checkout https://sing-box.sagernet.org/configuration/shared/tls/#kernel_rx")
-	}
-	if options.Options.Reality != nil && options.Options.Reality.Enabled {
-		return NewRealityServer(options.Context, options.Logger, options.Options)
-	}
-	return NewSTDServer(options.Context, options.Logger, options.Options)
+	return NewSTDServer(ctx, logger, options)
 }

 func ServerHandshake(ctx context.Context, conn net.Conn, config ServerConfig) (Conn, error) {
--- a/common/tls/std_client.go
+++ b/common/tls/std_client.go
@@ -11,10 +11,8 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tlsfragment"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/common/ntp"
 )

@@ -42,7 +40,7 @@ func (c *STDClientConfig) SetNextProtos(nextProto []string) {
 	c.config.NextProtos = nextProto
 }

-func (c *STDClientConfig) STDConfig() (*STDConfig, error) {
+func (c *STDClientConfig) Config() (*STDConfig, error) {
 	return c.config, nil
 }

@@ -54,13 +52,7 @@ func (c *STDClientConfig) Client(conn net.Conn) (Conn, error) {
 }

 func (c *STDClientConfig) Clone() Config {
-	return &STDClientConfig{
-		ctx:                   c.ctx,
-		config:                c.config.Clone(),
-		fragment:              c.fragment,
-		fragmentFallbackDelay: c.fragmentFallbackDelay,
-		recordFragment:        c.recordFragment,
-	}
+	return &STDClientConfig{c.ctx, c.config.Clone(), c.fragment, c.fragmentFallbackDelay, c.recordFragment}
 }

 func (c *STDClientConfig) ECHConfigList() []byte {
@@ -71,7 +63,7 @@ func (c *STDClientConfig) SetECHConfigList(EncryptedClientHelloConfigList []byte
 	c.config.EncryptedClientHelloConfigList = EncryptedClientHelloConfigList
 }

-func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewSTDClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -154,24 +146,10 @@ func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 		}
 		tlsConfig.RootCAs = certPool
 	}
-	var config Config = &STDClientConfig{ctx, &tlsConfig, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
+	stdConfig := &STDClientConfig{ctx, &tlsConfig, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
-		var err error
-		config, err = parseECHClientConfig(ctx, config.(ECHCapableConfig), options)
-		if err != nil {
-			return nil, err
-		}
+		return parseECHClientConfig(ctx, stdConfig, options)
+	} else {
+		return stdConfig, nil
 	}
-	if options.KernelRx || options.KernelTx {
-		if !C.IsLinux {
-			return nil, E.New("kTLS is only supported on Linux")
-		}
-		config = &KTLSClientConfig{
-			Config:   config,
-			logger:   logger,
-			kernelTx: options.KernelTx,
-			kernelRx: options.KernelRx,
-		}
-	}
-	return config, nil
 }
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -11,7 +11,6 @@ import (

 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
@@ -70,7 +69,7 @@ func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.config = config
 }

-func (c *STDServerConfig) STDConfig() (*STDConfig, error) {
+func (c *STDServerConfig) Config() (*STDConfig, error) {
 	return c.config, nil
 }

@@ -183,7 +182,7 @@ func (c *STDServerConfig) Close() error {
 	return nil
 }

-func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewSTDServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
@@ -300,17 +299,5 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 		defer serverConfig.access.Unlock()
 		return serverConfig.config, nil
 	}
-	var config ServerConfig = serverConfig
-	if options.KernelTx || options.KernelRx {
-		if !C.IsLinux {
-			return nil, E.New("kTLS is only supported on Linux")
-		}
-		config = &KTlSServerConfig{
-			ServerConfig: config,
-			logger:       logger,
-			kernelTx:     options.KernelTx,
-			kernelRx:     options.KernelRx,
-		}
-	}
-	return config, nil
+	return serverConfig, nil
 }
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -14,11 +14,8 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tlsfragment"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/common/ntp"

 	utls "github.com/metacubex/utls"
@@ -53,7 +50,7 @@ func (c *UTLSClientConfig) SetNextProtos(nextProto []string) {
 	c.config.NextProtos = nextProto
 }

-func (c *UTLSClientConfig) STDConfig() (*STDConfig, error) {
+func (c *UTLSClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for uTLS")
 }

@@ -142,7 +139,7 @@ func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
 	return c.UConn.HandshakeContext(ctx)
 }

-func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -217,28 +214,15 @@ func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre
 	if err != nil {
 		return nil, err
 	}
-	var config Config = &UTLSClientConfig{ctx, &tlsConfig, id, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
+	uConfig := &UTLSClientConfig{ctx, &tlsConfig, id, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
 		if options.Reality != nil && options.Reality.Enabled {
 			return nil, E.New("Reality is conflict with ECH")
 		}
-		config, err = parseECHClientConfig(ctx, config.(ECHCapableConfig), options)
-		if err != nil {
-			return nil, err
-		}
+		return parseECHClientConfig(ctx, uConfig, options)
+	} else {
+		return uConfig, nil
 	}
-	if (options.KernelRx || options.KernelTx) && !common.PtrValueOrDefault(options.Reality).Enabled {
-		if !C.IsLinux {
-			return nil, E.New("kTLS is only supported on Linux")
-		}
-		config = &KTLSClientConfig{
-			Config:   config,
-			logger:   logger,
-			kernelTx: options.KernelTx,
-			kernelRx: options.KernelRx,
-		}
-	}
-	return config, nil
 }

 var (
--- a/common/tls/utls_stub.go
+++ b/common/tls/utls_stub.go
@@ -8,14 +8,13 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 )

-func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS is not included in this build, rebuild with -tags with_utls`)
 }

-func NewRealityClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS, which is required by reality is not included in this build, rebuild with -tags with_utls`)
 }

--- a/common/urltest/urltest.go
+++ b/common/urltest/urltest.go
@@ -11,6 +11,7 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"
@@ -99,7 +100,7 @@ func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err e
 		return
 	}
 	defer instance.Close()
-	if N.NeedHandshakeForWrite(instance) {
+	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](instance); isEarlyConn && earlyConn.NeedHandshake() {
 		start = time.Now()
 	}
 	req, err := http.NewRequest(http.MethodHead, link, nil)
--- a/constant/rule.go
+++ b/constant/rule.go
@@ -22,8 +22,7 @@ const (
 	RuleSetVersion1 = 1 + iota
 	RuleSetVersion2
 	RuleSetVersion3
-	RuleSetVersion4
-	RuleSetVersionCurrent = RuleSetVersion4
+	RuleSetVersionCurrent = RuleSetVersion3
 )

 const (
@@ -40,5 +39,4 @@ const (
 const (
 	RuleActionRejectMethodDefault = "default"
 	RuleActionRejectMethodDrop    = "drop"
-	RuleActionRejectMethodReply   = "reply"
 )
--- a/dns/client.go
+++ b/dns/client.go
@@ -95,6 +95,20 @@ func (c *Client) Start() {
 	}
 }

+func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
+	for _, record := range response.Ns {
+		if soa, isSOA := record.(*dns.SOA); isSOA {
+			soaTTL := soa.Header().Ttl
+			soaMinimum := soa.Minttl
+			if soaTTL < soaMinimum {
+				return soaTTL, true
+			}
+			return soaMinimum, true
+		}
+	}
+	return 0, false
+}
+
 func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
 	if len(message.Question) == 0 {
 		if c.logger != nil {
@@ -130,7 +144,11 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		if c.cache != nil {
 			cond, loaded := c.cacheLock.LoadOrStore(question, make(chan struct{}))
 			if loaded {
-				<-cond
+				select {
+				case <-cond:
+				case <-ctx.Done():
+					return nil, ctx.Err()
+				}
 			} else {
 				defer func() {
 					c.cacheLock.Delete(question)
@@ -140,7 +158,11 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		} else if c.transportCache != nil {
 			cond, loaded := c.transportCacheLock.LoadOrStore(question, make(chan struct{}))
 			if loaded {
-				<-cond
+				select {
+				case <-cond:
+				case <-ctx.Done():
+					return nil, ctx.Err()
+				}
 			} else {
 				defer func() {
 					c.transportCacheLock.Delete(question)
@@ -214,12 +236,14 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			response.Answer = append(response.Answer, validResponse.Answer...)
 		}
 	}*/
-	disableCache = disableCache || response.Rcode != dns.RcodeSuccess || len(response.Answer) == 0
+	disableCache = disableCache || (response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError)
 	if responseChecker != nil {
 		var rejected bool
 		// TODO: add accept_any rule and support to check response instead of addresses
-		if response.Rcode != dns.RcodeSuccess || len(response.Answer) == 0 {
+		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 			rejected = true
+		} else if len(response.Answer) == 0 {
+			rejected = !responseChecker(nil)
 		} else {
 			rejected = !responseChecker(MessageToAddresses(response))
 		}
@@ -251,10 +275,17 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		}
 	}
 	var timeToLive uint32
-	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-		for _, record := range recordList {
-			if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
-				timeToLive = record.Header().Ttl
+	if len(response.Answer) == 0 {
+		if soaTTL, hasSOA := extractNegativeTTL(response); hasSOA {
+			timeToLive = soaTTL
+		}
+	}
+	if timeToLive == 0 {
+		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+			for _, record := range recordList {
+				if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
+					timeToLive = record.Header().Ttl
+				}
 			}
 		}
 	}
@@ -332,64 +363,6 @@ func (c *Client) ClearCache() {
 	}
 }

-func (c *Client) LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool) {
-	if c.disableCache || c.independentCache {
-		return nil, false
-	}
-	if dns.IsFqdn(domain) {
-		domain = domain[:len(domain)-1]
-	}
-	dnsName := dns.Fqdn(domain)
-	if strategy == C.DomainStrategyIPv4Only {
-		addresses, err := c.questionCache(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		if err != ErrNotCached {
-			return addresses, true
-		}
-	} else if strategy == C.DomainStrategyIPv6Only {
-		addresses, err := c.questionCache(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeAAAA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		if err != ErrNotCached {
-			return addresses, true
-		}
-	} else {
-		response4, _ := c.loadResponse(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		response6, _ := c.loadResponse(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeAAAA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		if response4 != nil || response6 != nil {
-			return sortAddresses(MessageToAddresses(response4), MessageToAddresses(response6), strategy), true
-		}
-	}
-	return nil, false
-}
-
-func (c *Client) ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool) {
-	if c.disableCache || c.independentCache || len(message.Question) != 1 {
-		return nil, false
-	}
-	question := message.Question[0]
-	response, ttl := c.loadResponse(question, nil)
-	if response == nil {
-		return nil, false
-	}
-	logCachedResponse(c.logger, ctx, response, ttl)
-	response.Id = message.Id
-	return response, true
-}
-
 func sortAddresses(response4 []netip.Addr, response6 []netip.Addr, strategy C.DomainStrategy) []netip.Addr {
 	if strategy == C.DomainStrategyPreferIPv6 {
 		return append(response6, response4...)
--- a/dns/client_truncate.go
+++ b/dns/client_truncate.go
@@ -15,8 +15,7 @@ func TruncateDNSMessage(request *dns.Msg, response *dns.Msg, headroom int) (*buf
 	}
 	responseLen := response.Len()
 	if responseLen > maxLen {
-		copyResponse := *response
-		response = &copyResponse
+		response = response.Copy()
 		response.Truncate(maxLen)
 	}
 	buffer := buf.NewSize(headroom*2 + 1 + responseLen)
--- a/dns/router.go
+++ b/dns/router.go
@@ -214,97 +214,89 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 	}
 	r.logger.DebugContext(ctx, "exchange ", FormatQuestion(message.Question[0].String()))
 	var (
+		response  *mDNS.Msg
 		transport adapter.DNSTransport
 		err       error
 	)
-	response, cached := r.client.ExchangeCache(ctx, message)
-	if !cached {
-		var metadata *adapter.InboundContext
-		ctx, metadata = adapter.ExtendContext(ctx)
-		metadata.Destination = M.Socksaddr{}
-		metadata.QueryType = message.Question[0].Qtype
-		switch metadata.QueryType {
-		case mDNS.TypeA:
-			metadata.IPVersion = 4
-		case mDNS.TypeAAAA:
-			metadata.IPVersion = 6
-		}
-		metadata.Domain = FqdnToDomain(message.Question[0].Name)
-		if options.Transport != nil {
-			transport = options.Transport
-			if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-				if options.Strategy == C.DomainStrategyAsIS {
-					options.Strategy = legacyTransport.LegacyStrategy()
-				}
-				if !options.ClientSubnet.IsValid() {
-					options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-				}
-			}
+	var metadata *adapter.InboundContext
+	ctx, metadata = adapter.ExtendContext(ctx)
+	metadata.Destination = M.Socksaddr{}
+	metadata.QueryType = message.Question[0].Qtype
+	switch metadata.QueryType {
+	case mDNS.TypeA:
+		metadata.IPVersion = 4
+	case mDNS.TypeAAAA:
+		metadata.IPVersion = 6
+	}
+	metadata.Domain = FqdnToDomain(message.Question[0].Name)
+	if options.Transport != nil {
+		transport = options.Transport
+		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
 			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = r.defaultDomainStrategy
+				options.Strategy = legacyTransport.LegacyStrategy()
 			}
-			response, err = r.client.Exchange(ctx, transport, message, options, nil)
-		} else {
-			var (
-				rule      adapter.DNSRule
-				ruleIndex int
-			)
-			ruleIndex = -1
-			for {
-				dnsCtx := adapter.OverrideContext(ctx)
-				dnsOptions := options
-				transport, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message), &dnsOptions)
-				if rule != nil {
-					switch action := rule.Action().(type) {
-					case *R.RuleActionReject:
-						switch action.Method {
-						case C.RuleActionRejectMethodDefault:
-							return &mDNS.Msg{
-								MsgHdr: mDNS.MsgHdr{
-									Id:       message.Id,
-									Rcode:    mDNS.RcodeRefused,
-									Response: true,
-								},
-								Question: []mDNS.Question{message.Question[0]},
-							}, nil
-						case C.RuleActionRejectMethodDrop:
-							return nil, tun.ErrDrop
-						}
-					case *R.RuleActionPredefined:
-						return action.Response(message), nil
-					}
-				}
-				var responseCheck func(responseAddrs []netip.Addr) bool
-				if rule != nil && rule.WithAddressLimit() {
-					responseCheck = func(responseAddrs []netip.Addr) bool {
-						metadata.DestinationAddresses = responseAddrs
-						return rule.MatchAddressLimit(metadata)
-					}
-				}
-				if dnsOptions.Strategy == C.DomainStrategyAsIS {
-					dnsOptions.Strategy = r.defaultDomainStrategy
-				}
-				response, err = r.client.Exchange(dnsCtx, transport, message, dnsOptions, responseCheck)
-				var rejected bool
-				if err != nil {
-					if errors.Is(err, ErrResponseRejectedCached) {
-						rejected = true
-						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())), " (cached)")
-					} else if errors.Is(err, ErrResponseRejected) {
-						rejected = true
-						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
-					} else if len(message.Question) > 0 {
-						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
-					} else {
-						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
-					}
-				}
-				if responseCheck != nil && rejected {
-					continue
-				}
-				break
+			if !options.ClientSubnet.IsValid() {
+				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
 			}
 		}
+		if options.Strategy == C.DomainStrategyAsIS {
+			options.Strategy = r.defaultDomainStrategy
+		}
+		response, err = r.client.Exchange(ctx, transport, message, options, nil)
+	} else {
+		var (
+			rule      adapter.DNSRule
+			ruleIndex int
+		)
+		ruleIndex = -1
+		for {
+			dnsCtx := adapter.OverrideContext(ctx)
+			dnsOptions := options
+			transport, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message), &dnsOptions)
+			if rule != nil {
+				switch action := rule.Action().(type) {
+				case *R.RuleActionReject:
+					switch action.Method {
+					case C.RuleActionRejectMethodDefault:
+						return &mDNS.Msg{
+							MsgHdr: mDNS.MsgHdr{
+								Id:       message.Id,
+								Rcode:    mDNS.RcodeRefused,
+								Response: true,
+							},
+							Question: []mDNS.Question{message.Question[0]},
+						}, nil
+					case C.RuleActionRejectMethodDrop:
+						return nil, tun.ErrDrop
+					}
+				case *R.RuleActionPredefined:
+					return action.Response(message), nil
+				}
+			}
+			responseCheck := addressLimitResponseCheck(rule, metadata)
+			if dnsOptions.Strategy == C.DomainStrategyAsIS {
+				dnsOptions.Strategy = r.defaultDomainStrategy
+			}
+			response, err = r.client.Exchange(dnsCtx, transport, message, dnsOptions, responseCheck)
+			var rejected bool
+			if err != nil {
+				if errors.Is(err, ErrResponseRejectedCached) {
+					rejected = true
+					r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())), " (cached)")
+				} else if errors.Is(err, ErrResponseRejected) {
+					rejected = true
+					r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
+				} else if len(message.Question) > 0 {
+					r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
+				} else {
+					r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
+				}
+			}
+			if responseCheck != nil && rejected {
+				continue
+			}
+			break
+		}
 	}
 	if err != nil {
 		return nil, err
@@ -327,7 +319,6 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
 	var (
 		responseAddrs []netip.Addr
-		cached        bool
 		err           error
 	)
 	printResult := func() {
@@ -347,13 +338,6 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 			err = E.Cause(err, "lookup ", domain)
 		}
 	}
-	responseAddrs, cached = r.client.LookupCache(domain, options.Strategy)
-	if cached {
-		if len(responseAddrs) == 0 {
-			return nil, E.New("lookup ", domain, ": empty result (cached)")
-		}
-		return responseAddrs, nil
-	}
 	r.logger.DebugContext(ctx, "lookup domain ", domain)
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
@@ -386,16 +370,13 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 			if rule != nil {
 				switch action := rule.Action().(type) {
 				case *R.RuleActionReject:
-					switch action.Method {
-					case C.RuleActionRejectMethodDefault:
-						return nil, nil
-					case C.RuleActionRejectMethodDrop:
-						return nil, tun.ErrDrop
-					}
+					return nil, &R.RejectedError{Cause: action.Error(ctx)}
 				case *R.RuleActionPredefined:
+					responseAddrs = nil
 					if action.Rcode != mDNS.RcodeSuccess {
 						err = RcodeError(action.Rcode)
 					} else {
+						err = nil
 						for _, answer := range action.Answer {
 							switch record := answer.(type) {
 							case *mDNS.A:
@@ -408,13 +389,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 					goto response
 				}
 			}
-			var responseCheck func(responseAddrs []netip.Addr) bool
-			if rule != nil && rule.WithAddressLimit() {
-				responseCheck = func(responseAddrs []netip.Addr) bool {
-					metadata.DestinationAddresses = responseAddrs
-					return rule.MatchAddressLimit(metadata)
-				}
-			}
+			responseCheck := addressLimitResponseCheck(rule, metadata)
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -442,6 +417,18 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }

+func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
+	if rule == nil || !rule.WithAddressLimit() {
+		return nil
+	}
+	responseMetadata := *metadata
+	return func(responseAddrs []netip.Addr) bool {
+		checkMetadata := responseMetadata
+		checkMetadata.DestinationAddresses = responseAddrs
+		return rule.MatchAddressLimit(&checkMetadata)
+	}
+}
+
 func (r *Router) ClearCache() {
 	r.client.ClearCache()
 	if r.platformInterface != nil {
--- a/dns/transport/dhcp/dhcp.go
+++ b/dns/transport/dhcp/dhcp.go
@@ -243,6 +243,7 @@ func (t *Transport) fetchServersResponse(iface *control.Interface, packetConn ne
 	defer buffer.Release()

 	for {
+		buffer.Reset()
 		_, _, err := buffer.ReadPacketFrom(packetConn)
 		if err != nil {
 			if errors.Is(err, io.ErrShortBuffer) {
--- a/dns/transport/fakeip/store.go
+++ b/dns/transport/fakeip/store.go
@@ -17,18 +17,43 @@ type Store struct {
 	logger       logger.Logger
 	inet4Range   netip.Prefix
 	inet6Range   netip.Prefix
+	inet4Last    netip.Addr
+	inet6Last    netip.Addr
 	storage      adapter.FakeIPStorage
 	inet4Current netip.Addr
 	inet6Current netip.Addr
 }

 func NewStore(ctx context.Context, logger logger.Logger, inet4Range netip.Prefix, inet6Range netip.Prefix) *Store {
-	return &Store{
+	store := &Store{
 		ctx:        ctx,
 		logger:     logger,
 		inet4Range: inet4Range,
 		inet6Range: inet6Range,
 	}
+	if inet4Range.IsValid() {
+		store.inet4Last = broadcastAddress(inet4Range)
+	}
+	if inet6Range.IsValid() {
+		store.inet6Last = broadcastAddress(inet6Range)
+	}
+	return store
+}
+
+func broadcastAddress(prefix netip.Prefix) netip.Addr {
+	addr := prefix.Addr()
+	raw := addr.As16()
+	bits := prefix.Bits()
+	if addr.Is4() {
+		bits += 96
+	}
+	for i := bits; i < 128; i++ {
+		raw[i/8] |= 1 << (7 - i%8)
+	}
+	if addr.Is4() {
+		return netip.AddrFrom4([4]byte(raw[12:]))
+	}
+	return netip.AddrFrom16(raw)
 }

 func (s *Store) Start() error {
@@ -46,10 +71,10 @@ func (s *Store) Start() error {
 		s.inet6Current = metadata.Inet6Current
 	} else {
 		if s.inet4Range.IsValid() {
-			s.inet4Current = s.inet4Range.Addr().Next().Next()
+			s.inet4Current = s.inet4Range.Addr().Next()
 		}
 		if s.inet6Range.IsValid() {
-			s.inet6Current = s.inet6Range.Addr().Next().Next()
+			s.inet6Current = s.inet6Range.Addr().Next()
 		}
 		_ = storage.FakeIPReset()
 	}
@@ -83,7 +108,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv4 fakeip address range")
 		}
 		nextAddress := s.inet4Current.Next()
-		if !s.inet4Range.Contains(nextAddress) {
+		if nextAddress == s.inet4Last || !s.inet4Range.Contains(nextAddress) {
 			nextAddress = s.inet4Range.Addr().Next().Next()
 		}
 		s.inet4Current = nextAddress
@@ -93,7 +118,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv6 fakeip address range")
 		}
 		nextAddress := s.inet6Current.Next()
-		if !s.inet6Range.Contains(nextAddress) {
+		if nextAddress == s.inet6Last || !s.inet6Range.Contains(nextAddress) {
 			nextAddress = s.inet6Range.Addr().Next().Next()
 		}
 		s.inet6Current = nextAddress
--- a/dns/transport/https.go
+++ b/dns/transport/https.go
@@ -25,7 +25,6 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	aTLS "github.com/sagernet/sing/common/tls"
 	sHTTP "github.com/sagernet/sing/protocol/http"

 	mDNS "github.com/miekg/dns"
@@ -47,7 +46,7 @@ type HTTPSTransport struct {
 	destination      *url.URL
 	headers          http.Header
 	transportAccess  sync.Mutex
-	transport        *http.Transport
+	transport        *HTTPSTransportWrapper
 	transportResetAt time.Time
 }

@@ -58,15 +57,12 @@ func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options
 	}
 	tlsOptions := common.PtrValueOrDefault(options.TLS)
 	tlsOptions.Enabled = true
-	tlsConfig, err := tls.NewClient(ctx, logger, options.Server, tlsOptions)
+	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
 	if err != nil {
 		return nil, err
 	}
-	if common.Error(tlsConfig.STDConfig()) == nil && !common.Contains(tlsConfig.NextProtos(), http2.NextProtoTLS) {
-		tlsConfig.SetNextProtos(append(tlsConfig.NextProtos(), http2.NextProtoTLS))
-	}
-	if !common.Contains(tlsConfig.NextProtos(), "http/1.1") {
-		tlsConfig.SetNextProtos(append(tlsConfig.NextProtos(), "http/1.1"))
+	if len(tlsConfig.NextProtos()) == 0 {
+		tlsConfig.SetNextProtos([]string{http2.NextProtoTLS, "http/1.1"})
 	}
 	headers := options.Headers.Build()
 	host := headers.Get("Host")
@@ -124,37 +120,13 @@ func NewHTTPSRaw(
 	serverAddr M.Socksaddr,
 	tlsConfig tls.Config,
 ) *HTTPSTransport {
-	var transport *http.Transport
-	if tlsConfig != nil {
-		transport = &http.Transport{
-			ForceAttemptHTTP2: true,
-			DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				tcpConn, hErr := dialer.DialContext(ctx, network, serverAddr)
-				if hErr != nil {
-					return nil, hErr
-				}
-				tlsConn, hErr := aTLS.ClientHandshake(ctx, tcpConn, tlsConfig)
-				if hErr != nil {
-					tcpConn.Close()
-					return nil, hErr
-				}
-				return tlsConn, nil
-			},
-		}
-	} else {
-		transport = &http.Transport{
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return dialer.DialContext(ctx, network, serverAddr)
-			},
-		}
-	}
 	return &HTTPSTransport{
 		TransportAdapter: adapter,
 		logger:           logger,
 		dialer:           dialer,
 		destination:      destination,
 		headers:          headers,
-		transport:        transport,
+		transport:        NewHTTPSTransportWrapper(tls.NewDialer(dialer, tlsConfig), serverAddr),
 	}
 }

--- a/dns/transport/https_transport.go
+++ b/dns/transport/https_transport.go
@@ -0,0 +1,80 @@
+package transport
+
+import (
+	"context"
+	"errors"
+	"net"
+	"net/http"
+	"sync/atomic"
+
+	"github.com/sagernet/sing-box/common/tls"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+
+	"golang.org/x/net/http2"
+)
+
+var errFallback = E.New("fallback to HTTP/1.1")
+
+type HTTPSTransportWrapper struct {
+	http2Transport *http2.Transport
+	httpTransport  *http.Transport
+	fallback       *atomic.Bool
+}
+
+func NewHTTPSTransportWrapper(dialer tls.Dialer, serverAddr M.Socksaddr) *HTTPSTransportWrapper {
+	var fallback atomic.Bool
+	return &HTTPSTransportWrapper{
+		http2Transport: &http2.Transport{
+			DialTLSContext: func(ctx context.Context, _, _ string, _ *tls.STDConfig) (net.Conn, error) {
+				tlsConn, err := dialer.DialTLSContext(ctx, serverAddr)
+				if err != nil {
+					return nil, err
+				}
+				state := tlsConn.ConnectionState()
+				if state.NegotiatedProtocol == http2.NextProtoTLS {
+					return tlsConn, nil
+				}
+				tlsConn.Close()
+				fallback.Store(true)
+				return nil, errFallback
+			},
+		},
+		httpTransport: &http.Transport{
+			DialTLSContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
+				return dialer.DialTLSContext(ctx, serverAddr)
+			},
+		},
+		fallback: &fallback,
+	}
+}
+
+func (h *HTTPSTransportWrapper) RoundTrip(request *http.Request) (*http.Response, error) {
+	if h.fallback.Load() {
+		return h.httpTransport.RoundTrip(request)
+	} else {
+		response, err := h.http2Transport.RoundTrip(request)
+		if err != nil {
+			if errors.Is(err, errFallback) {
+				return h.httpTransport.RoundTrip(request)
+			}
+			return nil, err
+		}
+		return response, nil
+	}
+}
+
+func (h *HTTPSTransportWrapper) CloseIdleConnections() {
+	h.http2Transport.CloseIdleConnections()
+	h.httpTransport.CloseIdleConnections()
+}
+
+func (h *HTTPSTransportWrapper) Clone() *HTTPSTransportWrapper {
+	return &HTTPSTransportWrapper{
+		httpTransport: h.httpTransport,
+		http2Transport: &http2.Transport{
+			DialTLSContext: h.http2Transport.DialTLSContext,
+		},
+		fallback: h.fallback,
+	}
+}
--- a/dns/transport/local/local.go
+++ b/dns/transport/local/local.go
@@ -1,37 +1,34 @@
-//go:build !darwin
-
 package local

 import (
 	"context"
+	"errors"
+	"math/rand"
+	"syscall"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing-box/dns/transport/hosts"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"

 	mDNS "github.com/miekg/dns"
 )

-func RegisterTransport(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.LocalDNSServerOptions](registry, C.DNSTypeLocal, NewTransport)
-}
-
 var _ adapter.DNSTransport = (*Transport)(nil)

 type Transport struct {
 	dns.TransportAdapter
-	ctx      context.Context
-	logger   logger.ContextLogger
-	hosts    *hosts.File
-	dialer   N.Dialer
-	preferGo bool
-	resolved ResolvedResolver
+	ctx    context.Context
+	hosts  *hosts.File
+	dialer N.Dialer
 }

 func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.LocalDNSServerOptions) (adapter.DNSTransport, error) {
@@ -42,52 +39,195 @@ func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, opt
 	return &Transport{
 		TransportAdapter: dns.NewTransportAdapterWithLocalOptions(C.DNSTypeLocal, tag, options),
 		ctx:              ctx,
-		logger:           logger,
 		hosts:            hosts.NewFile(hosts.DefaultPath),
 		dialer:           transportDialer,
-		preferGo:         options.PreferGo,
 	}, nil
 }

 func (t *Transport) Start(stage adapter.StartStage) error {
-	switch stage {
-	case adapter.StartStateInitialize:
-		if !t.preferGo {
-			resolvedResolver, err := NewResolvedResolver(t.ctx, t.logger)
-			if err == nil {
-				err = resolvedResolver.Start()
-				if err == nil {
-					t.resolved = resolvedResolver
-				} else {
-					t.logger.Warn(E.Cause(err, "initialize resolved resolver"))
-				}
-			}
-		}
-	}
 	return nil
 }

 func (t *Transport) Close() error {
-	if t.resolved != nil {
-		return t.resolved.Close()
-	}
 	return nil
 }

 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	if t.resolved != nil {
-		resolverObject := t.resolved.Object()
-		if resolverObject != nil {
-			return t.resolved.Exchange(resolverObject, ctx, message)
-		}
-	}
 	question := message.Question[0]
-	domain := dns.FqdnToDomain(question.Name)
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
-		addresses := t.hosts.Lookup(domain)
+		addresses := t.hosts.Lookup(dns.FqdnToDomain(question.Name))
 		if len(addresses) > 0 {
 			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 		}
 	}
-	return t.exchange(ctx, message, domain)
+	systemConfig := getSystemDNSConfig(t.ctx)
+	if systemConfig.singleRequest || !(message.Question[0].Qtype == mDNS.TypeA || message.Question[0].Qtype == mDNS.TypeAAAA) {
+		return t.exchangeSingleRequest(ctx, systemConfig, message, question.Name)
+	} else {
+		return t.exchangeParallel(ctx, systemConfig, message, question.Name)
+	}
+}
+
+func (t *Transport) exchangeSingleRequest(ctx context.Context, systemConfig *dnsConfig, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
+	var lastErr error
+	for _, fqdn := range systemConfig.nameList(domain) {
+		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
+		if err != nil {
+			lastErr = err
+			continue
+		}
+		return response, nil
+	}
+	return nil, lastErr
+}
+
+func (t *Transport) exchangeParallel(ctx context.Context, systemConfig *dnsConfig, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
+	returned := make(chan struct{})
+	defer close(returned)
+	type queryResult struct {
+		response *mDNS.Msg
+		err      error
+	}
+	results := make(chan queryResult)
+	startRacer := func(ctx context.Context, fqdn string) {
+		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
+		if err == nil {
+			if response.Rcode != mDNS.RcodeSuccess {
+				err = dns.RcodeError(response.Rcode)
+			} else if len(dns.MessageToAddresses(response)) == 0 {
+				err = dns.RcodeSuccess
+			}
+		}
+		select {
+		case results <- queryResult{response, err}:
+		case <-returned:
+		}
+	}
+	queryCtx, queryCancel := context.WithCancel(ctx)
+	defer queryCancel()
+	var nameCount int
+	for _, fqdn := range systemConfig.nameList(domain) {
+		nameCount++
+		go startRacer(queryCtx, fqdn)
+	}
+	var errors []error
+	for {
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case result := <-results:
+			if result.err == nil {
+				return result.response, nil
+			}
+			errors = append(errors, result.err)
+			if len(errors) == nameCount {
+				return nil, E.Errors(errors...)
+			}
+		}
+	}
+}
+
+func (t *Transport) tryOneName(ctx context.Context, config *dnsConfig, fqdn string, message *mDNS.Msg) (*mDNS.Msg, error) {
+	serverOffset := config.serverOffset()
+	sLen := uint32(len(config.servers))
+	var lastErr error
+	for i := 0; i < config.attempts; i++ {
+		for j := uint32(0); j < sLen; j++ {
+			server := config.servers[(serverOffset+j)%sLen]
+			question := message.Question[0]
+			question.Name = fqdn
+			response, err := t.exchangeOne(ctx, M.ParseSocksaddr(server), question, config.timeout, config.useTCP, config.trustAD)
+			if err != nil {
+				lastErr = err
+				continue
+			}
+			return response, nil
+		}
+	}
+	return nil, E.Cause(lastErr, fqdn)
+}
+
+func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, question mDNS.Question, timeout time.Duration, useTCP, ad bool) (*mDNS.Msg, error) {
+	if server.Port == 0 {
+		server.Port = 53
+	}
+	request := &mDNS.Msg{
+		MsgHdr: mDNS.MsgHdr{
+			Id:                uint16(rand.Uint32()),
+			RecursionDesired:  true,
+			AuthenticatedData: ad,
+		},
+		Question: []mDNS.Question{question},
+		Compress: true,
+	}
+	request.SetEdns0(buf.UDPBufferSize, false)
+	if !useTCP {
+		return t.exchangeUDP(ctx, server, request, timeout)
+	} else {
+		return t.exchangeTCP(ctx, server, request, timeout)
+	}
+}
+
+func (t *Transport) exchangeUDP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg, timeout time.Duration) (*mDNS.Msg, error) {
+	conn, err := t.dialer.DialContext(ctx, N.NetworkUDP, server)
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
+		newDeadline := time.Now().Add(timeout)
+		if deadline.After(newDeadline) {
+			deadline = newDeadline
+		}
+		conn.SetDeadline(deadline)
+	}
+	buffer := buf.Get(buf.UDPBufferSize)
+	defer buf.Put(buffer)
+	rawMessage, err := request.PackBuffer(buffer)
+	if err != nil {
+		return nil, E.Cause(err, "pack request")
+	}
+	_, err = conn.Write(rawMessage)
+	if err != nil {
+		if errors.Is(err, syscall.EMSGSIZE) {
+			return t.exchangeTCP(ctx, server, request, timeout)
+		}
+		return nil, E.Cause(err, "write request")
+	}
+	n, err := conn.Read(buffer)
+	if err != nil {
+		if errors.Is(err, syscall.EMSGSIZE) {
+			return t.exchangeTCP(ctx, server, request, timeout)
+		}
+		return nil, E.Cause(err, "read response")
+	}
+	var response mDNS.Msg
+	err = response.Unpack(buffer[:n])
+	if err != nil {
+		return nil, E.Cause(err, "unpack response")
+	}
+	if response.Truncated {
+		return t.exchangeTCP(ctx, server, request, timeout)
+	}
+	return &response, nil
+}
+
+func (t *Transport) exchangeTCP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg, timeout time.Duration) (*mDNS.Msg, error) {
+	conn, err := t.dialer.DialContext(ctx, N.NetworkTCP, server)
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
+		newDeadline := time.Now().Add(timeout)
+		if deadline.After(newDeadline) {
+			deadline = newDeadline
+		}
+		conn.SetDeadline(deadline)
+	}
+	err = transport.WriteMessage(conn, 0, request)
+	if err != nil {
+		return nil, err
+	}
+	return transport.ReadMessage(conn)
 }
--- a/dns/transport/local/local_darwin.go
+++ b/dns/transport/local/local_darwin.go
@@ -1,143 +0,0 @@
-//go:build darwin
-
-package local
-
-import (
-	"context"
-	"errors"
-	"net"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport/hosts"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
-
-	mDNS "github.com/miekg/dns"
-)
-
-func RegisterTransport(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.LocalDNSServerOptions](registry, C.DNSTypeLocal, NewTransport)
-}
-
-var _ adapter.DNSTransport = (*Transport)(nil)
-
-type Transport struct {
-	dns.TransportAdapter
-	ctx           context.Context
-	logger        logger.ContextLogger
-	hosts         *hosts.File
-	dialer        N.Dialer
-	preferGo      bool
-	fallback      bool
-	dhcpTransport dhcpTransport
-	resolver      net.Resolver
-}
-
-type dhcpTransport interface {
-	adapter.DNSTransport
-	Fetch() ([]M.Socksaddr, error)
-	Exchange0(ctx context.Context, message *mDNS.Msg, servers []M.Socksaddr) (*mDNS.Msg, error)
-}
-
-func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.LocalDNSServerOptions) (adapter.DNSTransport, error) {
-	transportDialer, err := dns.NewLocalDialer(ctx, options)
-	if err != nil {
-		return nil, err
-	}
-	transportAdapter := dns.NewTransportAdapterWithLocalOptions(C.DNSTypeLocal, tag, options)
-	return &Transport{
-		TransportAdapter: transportAdapter,
-		ctx:              ctx,
-		logger:           logger,
-		hosts:            hosts.NewFile(hosts.DefaultPath),
-		dialer:           transportDialer,
-		preferGo:         options.PreferGo,
-	}, nil
-}
-
-func (t *Transport) Start(stage adapter.StartStage) error {
-	if stage != adapter.StartStateStart {
-		return nil
-	}
-	inboundManager := service.FromContext[adapter.InboundManager](t.ctx)
-	for _, inbound := range inboundManager.Inbounds() {
-		if inbound.Type() == C.TypeTun {
-			t.fallback = true
-			break
-		}
-	}
-	if !C.IsIos {
-		if t.fallback {
-			t.dhcpTransport = newDHCPTransport(t.TransportAdapter, log.ContextWithOverrideLevel(t.ctx, log.LevelDebug), t.dialer, t.logger)
-			if t.dhcpTransport != nil {
-				err := t.dhcpTransport.Start(stage)
-				if err != nil {
-					return err
-				}
-			}
-		}
-	}
-	return nil
-}
-
-func (t *Transport) Close() error {
-	return common.Close(
-		t.dhcpTransport,
-	)
-}
-
-func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	question := message.Question[0]
-	domain := dns.FqdnToDomain(question.Name)
-	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
-		addresses := t.hosts.Lookup(domain)
-		if len(addresses) > 0 {
-			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
-		}
-	}
-	if !t.fallback {
-		return t.exchange(ctx, message, domain)
-	}
-	if !C.IsIos {
-		if t.dhcpTransport != nil {
-			dhcpTransports, _ := t.dhcpTransport.Fetch()
-			if len(dhcpTransports) > 0 {
-				return t.dhcpTransport.Exchange0(ctx, message, dhcpTransports)
-			}
-		}
-	}
-	if t.preferGo {
-		// Assuming the user knows what they are doing, we still execute the query which will fail.
-		return t.exchange(ctx, message, domain)
-	}
-	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
-		var network string
-		if question.Qtype == mDNS.TypeA {
-			network = "ip4"
-		} else {
-			network = "ip6"
-		}
-		addresses, err := t.resolver.LookupNetIP(ctx, network, domain)
-		if err != nil {
-			var dnsError *net.DNSError
-			if errors.As(err, &dnsError) && dnsError.IsNotFound {
-				return nil, dns.RcodeRefused
-			}
-			return nil, err
-		}
-		return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
-	}
-	if C.IsIos {
-		return nil, E.New("only A and AAAA queries are supported on iOS and tvOS when using NetworkExtension.")
-	} else {
-		return nil, E.New("only A and AAAA queries are supported on macOS when using NetworkExtension and DHCP unavailable.")
-	}
-}
--- a/dns/transport/local/local_darwin_dhcp.go
+++ b/dns/transport/local/local_darwin_dhcp.go
@@ -1,16 +0,0 @@
-//go:build darwin && with_dhcp
-
-package local
-
-import (
-	"context"
-
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport/dhcp"
-	"github.com/sagernet/sing-box/log"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func newDHCPTransport(transportAdapter dns.TransportAdapter, ctx context.Context, dialer N.Dialer, logger log.ContextLogger) dhcpTransport {
-	return dhcp.NewRawTransport(transportAdapter, ctx, dialer, logger)
-}
--- a/dns/transport/local/local_darwin_nodhcp.go
+++ b/dns/transport/local/local_darwin_nodhcp.go
@@ -1,15 +0,0 @@
-//go:build darwin && !with_dhcp
-
-package local
-
-import (
-	"context"
-
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/log"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func newDHCPTransport(transportAdapter dns.TransportAdapter, ctx context.Context, dialer N.Dialer, logger log.ContextLogger) dhcpTransport {
-	return nil
-}
--- a/dns/transport/local/local_fallback.go
+++ b/dns/transport/local/local_fallback.go
@@ -0,0 +1,204 @@
+package local
+
+import (
+	"context"
+	"errors"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/experimental/libbox/platform"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/service"
+
+	mDNS "github.com/miekg/dns"
+)
+
+func RegisterTransport(registry *dns.TransportRegistry) {
+	dns.RegisterTransport[option.LocalDNSServerOptions](registry, C.DNSTypeLocal, NewFallbackTransport)
+}
+
+type FallbackTransport struct {
+	adapter.DNSTransport
+	ctx      context.Context
+	fallback bool
+	resolver net.Resolver
+}
+
+func NewFallbackTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.LocalDNSServerOptions) (adapter.DNSTransport, error) {
+	transport, err := NewTransport(ctx, logger, tag, options)
+	if err != nil {
+		return nil, err
+	}
+	return &FallbackTransport{
+		DNSTransport: transport,
+		ctx:          ctx,
+	}, nil
+}
+
+func (f *FallbackTransport) Start(stage adapter.StartStage) error {
+	if stage != adapter.StartStateStart {
+		return nil
+	}
+	platformInterface := service.FromContext[platform.Interface](f.ctx)
+	if platformInterface == nil {
+		return nil
+	}
+	inboundManager := service.FromContext[adapter.InboundManager](f.ctx)
+	for _, inbound := range inboundManager.Inbounds() {
+		if inbound.Type() == C.TypeTun {
+			// platform tun hijacks DNS, so we can only use cgo resolver here
+			f.fallback = true
+			break
+		}
+	}
+	return nil
+}
+
+func (f *FallbackTransport) Close() error {
+	return nil
+}
+
+func (f *FallbackTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	if !f.fallback {
+		return f.DNSTransport.Exchange(ctx, message)
+	}
+	question := message.Question[0]
+	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
+		var network string
+		if question.Qtype == mDNS.TypeA {
+			network = "ip4"
+		} else {
+			network = "ip6"
+		}
+		addresses, err := f.resolver.LookupNetIP(ctx, network, question.Name)
+		if err != nil {
+			var dnsError *net.DNSError
+			if errors.As(err, &dnsError) && dnsError.IsNotFound {
+				return nil, dns.RcodeRefused
+			}
+			return nil, err
+		}
+		return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
+	} else if question.Qtype == mDNS.TypeNS {
+		records, err := f.resolver.LookupNS(ctx, question.Name)
+		if err != nil {
+			var dnsError *net.DNSError
+			if errors.As(err, &dnsError) && dnsError.IsNotFound {
+				return nil, dns.RcodeRefused
+			}
+			return nil, err
+		}
+		response := &mDNS.Msg{
+			MsgHdr: mDNS.MsgHdr{
+				Id:       message.Id,
+				Rcode:    mDNS.RcodeSuccess,
+				Response: true,
+			},
+			Question: []mDNS.Question{question},
+		}
+		for _, record := range records {
+			response.Answer = append(response.Answer, &mDNS.NS{
+				Hdr: mDNS.RR_Header{
+					Name:   question.Name,
+					Rrtype: mDNS.TypeNS,
+					Class:  mDNS.ClassINET,
+					Ttl:    C.DefaultDNSTTL,
+				},
+				Ns: record.Host,
+			})
+		}
+		return response, nil
+	} else if question.Qtype == mDNS.TypeCNAME {
+		cname, err := f.resolver.LookupCNAME(ctx, question.Name)
+		if err != nil {
+			var dnsError *net.DNSError
+			if errors.As(err, &dnsError) && dnsError.IsNotFound {
+				return nil, dns.RcodeRefused
+			}
+			return nil, err
+		}
+		return &mDNS.Msg{
+			MsgHdr: mDNS.MsgHdr{
+				Id:       message.Id,
+				Rcode:    mDNS.RcodeSuccess,
+				Response: true,
+			},
+			Question: []mDNS.Question{question},
+			Answer: []mDNS.RR{
+				&mDNS.CNAME{
+					Hdr: mDNS.RR_Header{
+						Name:   question.Name,
+						Rrtype: mDNS.TypeCNAME,
+						Class:  mDNS.ClassINET,
+						Ttl:    C.DefaultDNSTTL,
+					},
+					Target: cname,
+				},
+			},
+		}, nil
+	} else if question.Qtype == mDNS.TypeTXT {
+		records, err := f.resolver.LookupTXT(ctx, question.Name)
+		if err != nil {
+			var dnsError *net.DNSError
+			if errors.As(err, &dnsError) && dnsError.IsNotFound {
+				return nil, dns.RcodeRefused
+			}
+			return nil, err
+		}
+		return &mDNS.Msg{
+			MsgHdr: mDNS.MsgHdr{
+				Id:       message.Id,
+				Rcode:    mDNS.RcodeSuccess,
+				Response: true,
+			},
+			Question: []mDNS.Question{question},
+			Answer: []mDNS.RR{
+				&mDNS.TXT{
+					Hdr: mDNS.RR_Header{
+						Name:   question.Name,
+						Rrtype: mDNS.TypeCNAME,
+						Class:  mDNS.ClassINET,
+						Ttl:    C.DefaultDNSTTL,
+					},
+					Txt: records,
+				},
+			},
+		}, nil
+	} else if question.Qtype == mDNS.TypeMX {
+		records, err := f.resolver.LookupMX(ctx, question.Name)
+		if err != nil {
+			var dnsError *net.DNSError
+			if errors.As(err, &dnsError) && dnsError.IsNotFound {
+				return nil, dns.RcodeRefused
+			}
+			return nil, err
+		}
+		response := &mDNS.Msg{
+			MsgHdr: mDNS.MsgHdr{
+				Id:       message.Id,
+				Rcode:    mDNS.RcodeSuccess,
+				Response: true,
+			},
+			Question: []mDNS.Question{question},
+		}
+		for _, record := range records {
+			response.Answer = append(response.Answer, &mDNS.MX{
+				Hdr: mDNS.RR_Header{
+					Name:   question.Name,
+					Rrtype: mDNS.TypeA,
+					Class:  mDNS.ClassINET,
+					Ttl:    C.DefaultDNSTTL,
+				},
+				Preference: record.Pref,
+				Mx:         record.Host,
+			})
+		}
+		return response, nil
+	} else {
+		return nil, E.New("only A, AAAA, NS, CNAME, TXT, MX queries are supported on current platform when using TUN, please switch to a fixed DNS server.")
+	}
+}
--- a/dns/transport/local/local_resolved.go
+++ b/dns/transport/local/local_resolved.go
@@ -1,14 +0,0 @@
-package local
-
-import (
-	"context"
-
-	mDNS "github.com/miekg/dns"
-)
-
-type ResolvedResolver interface {
-	Start() error
-	Close() error
-	Object() any
-	Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
-}
--- a/dns/transport/local/local_resolved_linux.go
+++ b/dns/transport/local/local_resolved_linux.go
@@ -1,230 +0,0 @@
-package local
-
-import (
-	"context"
-	"errors"
-	"os"
-	"sync"
-	"sync/atomic"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/service/resolved"
-	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/control"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	"github.com/sagernet/sing/common/x/list"
-	"github.com/sagernet/sing/service"
-
-	"github.com/godbus/dbus/v5"
-	mDNS "github.com/miekg/dns"
-)
-
-type DBusResolvedResolver struct {
-	ctx               context.Context
-	logger            logger.ContextLogger
-	interfaceMonitor  tun.DefaultInterfaceMonitor
-	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
-	systemBus         *dbus.Conn
-	resoledObject     atomic.Pointer[ResolvedObject]
-	closeOnce         sync.Once
-}
-
-type ResolvedObject struct {
-	dbus.BusObject
-	InterfaceIndex int32
-}
-
-func NewResolvedResolver(ctx context.Context, logger logger.ContextLogger) (ResolvedResolver, error) {
-	interfaceMonitor := service.FromContext[adapter.NetworkManager](ctx).InterfaceMonitor()
-	if interfaceMonitor == nil {
-		return nil, os.ErrInvalid
-	}
-	systemBus, err := dbus.SystemBus()
-	if err != nil {
-		return nil, err
-	}
-	return &DBusResolvedResolver{
-		ctx:              ctx,
-		logger:           logger,
-		interfaceMonitor: interfaceMonitor,
-		systemBus:        systemBus,
-	}, nil
-}
-
-func (t *DBusResolvedResolver) Start() error {
-	t.updateStatus()
-	t.interfaceCallback = t.interfaceMonitor.RegisterCallback(t.updateDefaultInterface)
-	err := t.systemBus.BusObject().AddMatchSignal(
-		"org.freedesktop.DBus",
-		"NameOwnerChanged",
-		dbus.WithMatchSender("org.freedesktop.DBus"),
-		dbus.WithMatchArg(0, "org.freedesktop.resolve1.Manager"),
-	).Err
-	if err != nil {
-		return E.Cause(err, "configure resolved restart listener")
-	}
-	go t.loopUpdateStatus()
-	return nil
-}
-
-func (t *DBusResolvedResolver) Close() error {
-	t.closeOnce.Do(func() {
-		if t.interfaceCallback != nil {
-			t.interfaceMonitor.UnregisterCallback(t.interfaceCallback)
-		}
-		if t.systemBus != nil {
-			_ = t.systemBus.Close()
-		}
-	})
-	return nil
-}
-
-func (t *DBusResolvedResolver) Object() any {
-	return common.PtrOrNil(t.resoledObject.Load())
-}
-
-func (t *DBusResolvedResolver) Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	question := message.Question[0]
-	resolvedObject := object.(*ResolvedObject)
-	call := resolvedObject.CallWithContext(
-		ctx,
-		"org.freedesktop.resolve1.Manager.ResolveRecord",
-		0,
-		resolvedObject.InterfaceIndex,
-		question.Name,
-		question.Qclass,
-		question.Qtype,
-		uint64(0),
-	)
-	if call.Err != nil {
-		var dbusError dbus.Error
-		if errors.As(call.Err, &dbusError) && dbusError.Name == "org.freedesktop.resolve1.NoNameServers" {
-			t.updateStatus()
-		}
-		return nil, E.Cause(call.Err, " resolve record via resolved")
-	}
-	var (
-		records  []resolved.ResourceRecord
-		outflags uint64
-	)
-	err := call.Store(&records, &outflags)
-	if err != nil {
-		return nil, err
-	}
-	response := &mDNS.Msg{
-		MsgHdr: mDNS.MsgHdr{
-			Id:                 message.Id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              mDNS.RcodeSuccess,
-		},
-		Question: []mDNS.Question{question},
-	}
-	for _, record := range records {
-		var rr mDNS.RR
-		rr, _, err = mDNS.UnpackRR(record.Data, 0)
-		if err != nil {
-			return nil, E.Cause(err, "unpack resource record")
-		}
-		response.Answer = append(response.Answer, rr)
-	}
-	return response, nil
-}
-
-func (t *DBusResolvedResolver) loopUpdateStatus() {
-	signalChan := make(chan *dbus.Signal, 1)
-	t.systemBus.Signal(signalChan)
-	for signal := range signalChan {
-		var restarted bool
-		if signal.Name == "org.freedesktop.DBus.NameOwnerChanged" {
-			if len(signal.Body) != 3 || signal.Body[2].(string) == "" {
-				continue
-			} else {
-				restarted = true
-			}
-		}
-		if restarted {
-			t.updateStatus()
-		}
-	}
-}
-
-func (t *DBusResolvedResolver) updateStatus() {
-	dbusObject, err := t.checkResolved(context.Background())
-	oldValue := t.resoledObject.Swap(dbusObject)
-	if err != nil {
-		var dbusErr dbus.Error
-		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwnerCould" {
-			t.logger.Debug(E.Cause(err, "systemd-resolved service unavailable"))
-		}
-		if oldValue != nil {
-			t.logger.Debug("systemd-resolved service is gone")
-		}
-		return
-	} else if oldValue == nil {
-		t.logger.Debug("using systemd-resolved service as resolver")
-	}
-}
-
-func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObject, error) {
-	dbusObject := t.systemBus.Object("org.freedesktop.resolve1", "/org/freedesktop/resolve1")
-	err := dbusObject.Call("org.freedesktop.DBus.Peer.Ping", 0).Err
-	if err != nil {
-		return nil, err
-	}
-	defaultInterface := t.interfaceMonitor.DefaultInterface()
-	if defaultInterface == nil {
-		return nil, E.New("missing default interface")
-	}
-	call := dbusObject.(*dbus.Object).CallWithContext(
-		ctx,
-		"org.freedesktop.resolve1.Manager.GetLink",
-		0,
-		int32(defaultInterface.Index),
-	)
-	if call.Err != nil {
-		return nil, err
-	}
-	var linkPath dbus.ObjectPath
-	err = call.Store(&linkPath)
-	if err != nil {
-		return nil, err
-	}
-	linkObject := t.systemBus.Object("org.freedesktop.resolve1", linkPath)
-	if linkObject == nil {
-		return nil, E.New("missing link object for default interface")
-	}
-	dnsProp, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
-	if err != nil {
-		return nil, err
-	}
-	var linkDNS []resolved.LinkDNS
-	err = dnsProp.Store(&linkDNS)
-	if err != nil {
-		return nil, err
-	}
-	if len(linkDNS) == 0 {
-		for _, inbound := range service.FromContext[adapter.InboundManager](t.ctx).Inbounds() {
-			if inbound.Type() == C.TypeTun {
-				return nil, E.New("No appropriate name servers or networks for name found")
-			}
-		}
-		return &ResolvedObject{
-			BusObject: dbusObject,
-		}, nil
-	} else {
-		return &ResolvedObject{
-			BusObject:      dbusObject,
-			InterfaceIndex: int32(defaultInterface.Index),
-		}, nil
-	}
-}
-
-func (t *DBusResolvedResolver) updateDefaultInterface(defaultInterface *control.Interface, flags int) {
-	t.updateStatus()
-}
--- a/dns/transport/local/local_resolved_stub.go
+++ b/dns/transport/local/local_resolved_stub.go
@@ -1,14 +0,0 @@
-//go:build !linux
-
-package local
-
-import (
-	"context"
-	"os"
-
-	"github.com/sagernet/sing/common/logger"
-)
-
-func NewResolvedResolver(ctx context.Context, logger logger.ContextLogger) (ResolvedResolver, error) {
-	return nil, os.ErrInvalid
-}
--- a/dns/transport/local/local_shared.go
+++ b/dns/transport/local/local_shared.go
@@ -1,191 +0,0 @@
-package local
-
-import (
-	"context"
-	"errors"
-	"math/rand"
-	"syscall"
-	"time"
-
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport"
-	"github.com/sagernet/sing/common/buf"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	mDNS "github.com/miekg/dns"
-)
-
-func (t *Transport) exchange(ctx context.Context, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
-	systemConfig := getSystemDNSConfig(t.ctx)
-	if systemConfig.singleRequest || !(message.Question[0].Qtype == mDNS.TypeA || message.Question[0].Qtype == mDNS.TypeAAAA) {
-		return t.exchangeSingleRequest(ctx, systemConfig, message, domain)
-	} else {
-		return t.exchangeParallel(ctx, systemConfig, message, domain)
-	}
-}
-
-func (t *Transport) exchangeSingleRequest(ctx context.Context, systemConfig *dnsConfig, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
-	var lastErr error
-	for _, fqdn := range systemConfig.nameList(domain) {
-		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
-		if err != nil {
-			lastErr = err
-			continue
-		}
-		return response, nil
-	}
-	return nil, lastErr
-}
-
-func (t *Transport) exchangeParallel(ctx context.Context, systemConfig *dnsConfig, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
-	returned := make(chan struct{})
-	defer close(returned)
-	type queryResult struct {
-		response *mDNS.Msg
-		err      error
-	}
-	results := make(chan queryResult)
-	startRacer := func(ctx context.Context, fqdn string) {
-		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
-		if err == nil {
-			if response.Rcode != mDNS.RcodeSuccess {
-				err = dns.RcodeError(response.Rcode)
-			} else if len(dns.MessageToAddresses(response)) == 0 {
-				err = E.New(fqdn, ": empty result")
-			}
-		}
-		select {
-		case results <- queryResult{response, err}:
-		case <-returned:
-		}
-	}
-	queryCtx, queryCancel := context.WithCancel(ctx)
-	defer queryCancel()
-	var nameCount int
-	for _, fqdn := range systemConfig.nameList(domain) {
-		nameCount++
-		go startRacer(queryCtx, fqdn)
-	}
-	var errors []error
-	for {
-		select {
-		case <-ctx.Done():
-			return nil, ctx.Err()
-		case result := <-results:
-			if result.err == nil {
-				return result.response, nil
-			}
-			errors = append(errors, result.err)
-			if len(errors) == nameCount {
-				return nil, E.Errors(errors...)
-			}
-		}
-	}
-}
-
-func (t *Transport) tryOneName(ctx context.Context, config *dnsConfig, fqdn string, message *mDNS.Msg) (*mDNS.Msg, error) {
-	serverOffset := config.serverOffset()
-	sLen := uint32(len(config.servers))
-	var lastErr error
-	for i := 0; i < config.attempts; i++ {
-		for j := uint32(0); j < sLen; j++ {
-			server := config.servers[(serverOffset+j)%sLen]
-			question := message.Question[0]
-			question.Name = fqdn
-			response, err := t.exchangeOne(ctx, M.ParseSocksaddr(server), question, config.timeout, config.useTCP, config.trustAD)
-			if err != nil {
-				lastErr = err
-				continue
-			}
-			return response, nil
-		}
-	}
-	return nil, E.Cause(lastErr, fqdn)
-}
-
-func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, question mDNS.Question, timeout time.Duration, useTCP, ad bool) (*mDNS.Msg, error) {
-	if server.Port == 0 {
-		server.Port = 53
-	}
-	request := &mDNS.Msg{
-		MsgHdr: mDNS.MsgHdr{
-			Id:                uint16(rand.Uint32()),
-			RecursionDesired:  true,
-			AuthenticatedData: ad,
-		},
-		Question: []mDNS.Question{question},
-		Compress: true,
-	}
-	request.SetEdns0(buf.UDPBufferSize, false)
-	if !useTCP {
-		return t.exchangeUDP(ctx, server, request, timeout)
-	} else {
-		return t.exchangeTCP(ctx, server, request, timeout)
-	}
-}
-
-func (t *Transport) exchangeUDP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg, timeout time.Duration) (*mDNS.Msg, error) {
-	conn, err := t.dialer.DialContext(ctx, N.NetworkUDP, server)
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-		newDeadline := time.Now().Add(timeout)
-		if deadline.After(newDeadline) {
-			deadline = newDeadline
-		}
-		conn.SetDeadline(deadline)
-	}
-	buffer := buf.Get(buf.UDPBufferSize)
-	defer buf.Put(buffer)
-	rawMessage, err := request.PackBuffer(buffer)
-	if err != nil {
-		return nil, E.Cause(err, "pack request")
-	}
-	_, err = conn.Write(rawMessage)
-	if err != nil {
-		if errors.Is(err, syscall.EMSGSIZE) {
-			return t.exchangeTCP(ctx, server, request, timeout)
-		}
-		return nil, E.Cause(err, "write request")
-	}
-	n, err := conn.Read(buffer)
-	if err != nil {
-		if errors.Is(err, syscall.EMSGSIZE) {
-			return t.exchangeTCP(ctx, server, request, timeout)
-		}
-		return nil, E.Cause(err, "read response")
-	}
-	var response mDNS.Msg
-	err = response.Unpack(buffer[:n])
-	if err != nil {
-		return nil, E.Cause(err, "unpack response")
-	}
-	if response.Truncated {
-		return t.exchangeTCP(ctx, server, request, timeout)
-	}
-	return &response, nil
-}
-
-func (t *Transport) exchangeTCP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg, timeout time.Duration) (*mDNS.Msg, error) {
-	conn, err := t.dialer.DialContext(ctx, N.NetworkTCP, server)
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-		newDeadline := time.Now().Add(timeout)
-		if deadline.After(newDeadline) {
-			deadline = newDeadline
-		}
-		conn.SetDeadline(deadline)
-	}
-	err = transport.WriteMessage(conn, 0, request)
-	if err != nil {
-		return nil, err
-	}
-	return transport.ReadMessage(conn)
-}
--- a/dns/transport/local/resolv_darwin_cgo.go
+++ b/dns/transport/local/resolv_darwin_cgo.go
@@ -0,0 +1,55 @@
+//go:build darwin && cgo
+
+package local
+
+/*
+#include <stdlib.h>
+#include <stdio.h>
+#include <resolv.h>
+#include <arpa/inet.h>
+*/
+import "C"
+
+import (
+	"context"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"github.com/miekg/dns"
+)
+
+func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
+	var state C.struct___res_state
+	if C.res_ninit(&state) != 0 {
+		return &dnsConfig{
+			servers:  defaultNS,
+			search:   dnsDefaultSearch(),
+			ndots:    1,
+			timeout:  5 * time.Second,
+			attempts: 2,
+			err:      E.New("libresolv initialization failed"),
+		}
+	}
+	conf := &dnsConfig{
+		ndots:    1,
+		timeout:  5 * time.Second,
+		attempts: int(state.retry),
+	}
+	for i := 0; i < int(state.nscount); i++ {
+		ns := state.nsaddr_list[i]
+		addr := C.inet_ntoa(ns.sin_addr)
+		if addr == nil {
+			continue
+		}
+		conf.servers = append(conf.servers, C.GoString(addr))
+	}
+	for i := 0; ; i++ {
+		search := state.dnsrch[i]
+		if search == nil {
+			break
+		}
+		conf.search = append(conf.search, dns.Fqdn(C.GoString(search)))
+	}
+	return conf
+}
--- a/dns/transport/local/resolv_unix.go
+++ b/dns/transport/local/resolv_unix.go
@@ -1,4 +1,4 @@
-//go:build !windows
+//go:build !windows && !(darwin && cgo)

 package local

--- a/dns/transport/local/resolv_windows.go
+++ b/dns/transport/local/resolv_windows.go
@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"strconv"
 	"syscall"
 	"time"
 	"unsafe"
@@ -63,6 +64,9 @@ func dnsReadConfig(ctx context.Context, _ string) *dnsConfig {
 					continue
 				}
 				dnsServerAddr = netip.AddrFrom16(sockaddr.Addr)
+				if sockaddr.ZoneId != 0 {
+					dnsServerAddr = dnsServerAddr.WithZone(strconv.FormatInt(int64(sockaddr.ZoneId), 10))
+				}
 			default:
 				// Unexpected type.
 				continue
--- a/dns/transport/quic/http3.go
+++ b/dns/transport/quic/http3.go
@@ -51,11 +51,11 @@ func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options
 	}
 	tlsOptions := common.PtrValueOrDefault(options.TLS)
 	tlsOptions.Enabled = true
-	tlsConfig, err := tls.NewClient(ctx, logger, options.Server, tlsOptions)
+	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
 	if err != nil {
 		return nil, err
 	}
-	stdConfig, err := tlsConfig.STDConfig()
+	stdConfig, err := tlsConfig.Config()
 	if err != nil {
 		return nil, err
 	}
--- a/dns/transport/quic/quic.go
+++ b/dns/transport/quic/quic.go
@@ -48,7 +48,7 @@ func NewQUIC(ctx context.Context, logger log.ContextLogger, tag string, options
 	}
 	tlsOptions := common.PtrValueOrDefault(options.TLS)
 	tlsOptions.Enabled = true
-	tlsConfig, err := tls.NewClient(ctx, logger, options.Server, tlsOptions)
+	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
 	if err != nil {
 		return nil, err
 	}
--- a/dns/transport/tls.go
+++ b/dns/transport/tls.go
@@ -30,7 +30,7 @@ func RegisterTLS(registry *dns.TransportRegistry) {
 type TLSTransport struct {
 	dns.TransportAdapter
 	logger      logger.ContextLogger
-	dialer      tls.Dialer
+	dialer      N.Dialer
 	serverAddr  M.Socksaddr
 	tlsConfig   tls.Config
 	access      sync.Mutex
@@ -49,7 +49,7 @@ func NewTLS(ctx context.Context, logger log.ContextLogger, tag string, options o
 	}
 	tlsOptions := common.PtrValueOrDefault(options.TLS)
 	tlsOptions.Enabled = true
-	tlsConfig, err := tls.NewClient(ctx, logger, options.Server, tlsOptions)
+	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
 	if err != nil {
 		return nil, err
 	}
@@ -67,7 +67,7 @@ func NewTLSRaw(logger logger.ContextLogger, adapter dns.TransportAdapter, dialer
 	return &TLSTransport{
 		TransportAdapter: adapter,
 		logger:           logger,
-		dialer:           tls.NewDialer(dialer, tlsConfig),
+		dialer:           dialer,
 		serverAddr:       serverAddr,
 		tlsConfig:        tlsConfig,
 	}
@@ -100,10 +100,15 @@ func (t *TLSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.M
 			return response, nil
 		}
 	}
-	tlsConn, err := t.dialer.DialTLSContext(ctx, t.serverAddr)
+	tcpConn, err := t.dialer.DialContext(ctx, N.NetworkTCP, t.serverAddr)
 	if err != nil {
 		return nil, err
 	}
+	tlsConn, err := tls.ClientHandshake(ctx, tcpConn, t.tlsConfig)
+	if err != nil {
+		tcpConn.Close()
+		return nil, err
+	}
 	return t.exchange(message, &tlsDNSConn{Conn: tlsConn})
 }

--- a/dns/transport_manager.go
+++ b/dns/transport_manager.go
@@ -30,7 +30,7 @@ type TransportManager struct {
 	transportByTag           map[string]adapter.DNSTransport
 	dependByTag              map[string][]string
 	defaultTransport         adapter.DNSTransport
-	defaultTransportFallback func() (adapter.DNSTransport, error)
+	defaultTransportFallback adapter.DNSTransport
 	fakeIPTransport          adapter.FakeIPTransport
 }

@@ -45,7 +45,7 @@ func NewTransportManager(logger logger.ContextLogger, registry adapter.DNSTransp
 	}
 }

-func (m *TransportManager) Initialize(defaultTransportFallback func() (adapter.DNSTransport, error)) {
+func (m *TransportManager) Initialize(defaultTransportFallback adapter.DNSTransport) {
 	m.defaultTransportFallback = defaultTransportFallback
 }

@@ -56,27 +56,14 @@ func (m *TransportManager) Start(stage adapter.StartStage) error {
 	}
 	m.started = true
 	m.stage = stage
+	transports := m.transports
+	m.access.Unlock()
 	if stage == adapter.StartStateStart {
 		if m.defaultTag != "" && m.defaultTransport == nil {
-			m.access.Unlock()
 			return E.New("default DNS server not found: ", m.defaultTag)
 		}
-		if m.defaultTransport == nil {
-			defaultTransport, err := m.defaultTransportFallback()
-			if err != nil {
-				m.access.Unlock()
-				return E.Cause(err, "default DNS server fallback")
-			}
-			m.transports = append(m.transports, defaultTransport)
-			m.transportByTag[defaultTransport.Tag()] = defaultTransport
-			m.defaultTransport = defaultTransport
-		}
-		transports := m.transports
-		m.access.Unlock()
-		return m.startTransports(transports)
+		return m.startTransports(m.transports)
 	} else {
-		transports := m.transports
-		m.access.Unlock()
 		for _, outbound := range transports {
 			err := adapter.LegacyStart(outbound, stage)
 			if err != nil {
@@ -185,7 +172,11 @@ func (m *TransportManager) Transport(tag string) (adapter.DNSTransport, bool) {
 func (m *TransportManager) Default() adapter.DNSTransport {
 	m.access.RLock()
 	defer m.access.RUnlock()
-	return m.defaultTransport
+	if m.defaultTransport != nil {
+		return m.defaultTransport
+	} else {
+		return m.defaultTransportFallback
+	}
 }

 func (m *TransportManager) FakeIP() adapter.FakeIPTransport {
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,7 +2,101 @@
 icon: material/alert-decagram
 ---

-#### 1.13.0-alpha.14
+#### 1.12.25
+
+* Backport fixes
+
+#### 1.12.25
+
+* Backport fixes
+
+#### 1.12.23
+
+* Fixes and improvements
+
+#### 1.12.22
+
+* Fixes and improvements
+
+#### 1.12.21
+
+* Fixes and improvements
+
+#### 1.12.20
+
+* Fixes and improvements
+
+#### 1.12.19
+
+* Fixes and improvements
+
+#### 1.12.18
+
+* Add fallback routing rule for `auto_redirect` **1**
+* Fixes and improvements
+
+**1**:
+
+Adds a fallback iproute2 rule checked after system default rules (32766: main, 32767: default),
+ensuring traffic is routed to the sing-box table when no route is found in system tables.
+
+The rule index can be customized via `auto_redirect_iproute2_fallback_rule_index` (default: 32768).
+
+#### 1.12.17
+
+* Update uTLS to v1.8.2 **1**
+* Fixes and improvements
+
+**1**:
+
+This update fixes missing padding extension for Chrome 120+ fingerprints.
+
+Also, documentation has been updated with a warning about uTLS fingerprinting vulnerabilities.
+uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
+use NaiveProxy instead for TLS fingerprint resistance.
+
+#### 1.12.16
+
+* Fixes and improvements
+
+#### 1.12.15
+
+* Fixes and improvements
+
+#### 1.12.14
+
+* Fixes and improvements
+
+#### 1.12.13
+
+* Fix naive inbound
+* Fixes and improvements
+
+__Unfortunately, for non-technical reasons, we are currently unable to notarize the standalone version of the macOS client:
+because system extensions require signatures to function, we have had to temporarily halt its release.__
+
+__We plan to fix the App Store release issue and launch a new standalone desktop client, but until then,
+only clients on TestFlight will be available (unless you have an Apple Developer Program and compile from source code).__
+
+#### 1.12.12
+
+* Fixes and improvements
+
+#### 1.12.11
+
+* Fixes and improvements
+
+#### 1.12.10
+
+* Update uTLS to v1.8.1 **1**
+* Fixes and improvements
+
+**1**:
+
+This update fixes an critical issue that could cause simulated Chrome fingerprints to be detected,
+see https://github.com/refraction-networking/utls/pull/375.
+
+#### 1.12.9

 * Fixes and improvements

@@ -10,23 +104,10 @@ icon: material/alert-decagram

 * Fixes and improvements

-#### 1.13.0-alpha.11
-
-* Fixes and improvements
-
 #### 1.12.5

 * Fixes and improvements

-#### 1.13.0-alpha.10
-
-* Improve kTLS support **1**
-* Fixes and improvements
-
-**1**:
-
-kTLS is now compatible with custom TLS implementations other than uTLS.
-
 #### 1.12.4

 * Fixes and improvements
@@ -109,7 +190,8 @@ See [Tailscale](/configuration/endpoint/tailscale/).

 Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.

-For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go).
+For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches
+from [MetaCubeX/go](https://github.com/MetaCubeX/go).

 **7**:

@@ -171,7 +253,8 @@ See [Tun](/configuration/inbound/tun/#loopback_address).

 We have significantly improved the performance of tun inbound on Apple platforms, especially in the gVisor stack.

-The following data was tested using [tun_bench](https://github.com/SagerNet/sing-box/blob/dev-next/cmd/internal/tun_bench/main.go) on M4 MacBook pro.
+The following data was tested
+using [tun_bench](https://github.com/SagerNet/sing-box/blob/dev-next/cmd/internal/tun_bench/main.go) on M4 MacBook pro.

 | Version     | Stack  | MTU   | Upload | Download |
 |-------------|--------|-------|--------|----------|
@@ -190,8 +273,8 @@ The following data was tested using [tun_bench](https://github.com/SagerNet/sing

 **18**:

-We continue to experience issues updating our sing-box apps on the App Store and Play Store. 
-Until we rewrite and resubmit the apps, they are considered irrecoverable. 
+We continue to experience issues updating our sing-box apps on the App Store and Play Store.
+Until we rewrite and resubmit the apps, they are considered irrecoverable.
 Therefore, after this release, we will not be repeating this notice unless there is new information.

 ### 1.11.15
@@ -472,7 +555,8 @@ See [AnyTLS Inbound](/configuration/inbound/anytls/) and [AnyTLS Outbound](/conf

 **2**:

-`resolve` route action now accepts `disable_cache` and other options like in DNS route actions, see [Route Action](/configuration/route/rule_action).
+`resolve` route action now accepts `disable_cache` and other options like in DNS route actions,
+see [Route Action](/configuration/route/rule_action).

 **3**:

@@ -503,7 +587,8 @@ See [Tailscale](/configuration/endpoint/tailscale/).

 Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.

-For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go).
+For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches
+from [MetaCubeX/go](https://github.com/MetaCubeX/go).

 ### 1.11.3

--- a/docs/clients/apple/index.md
+++ b/docs/clients/apple/index.md
@@ -9,7 +9,7 @@ platform-specific function implementation, such as TUN transparent proxy impleme

 !!! failure ""

-    We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected).
+    Due to non-technical reasons, we are temporarily unable to update the sing-box app on the App Store and release the standalone version of the macOS client (TestFlight users are not affected)

 ## :material-graph: Requirements

@@ -18,7 +18,7 @@ platform-specific function implementation, such as TUN transparent proxy impleme

 ## :material-download: Download

-* [App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)
+* ~~[App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)~~
 * TestFlight (Beta)

 TestFlight quota is only available to [sponsors](https://github.com/sponsors/nekohasekai)
@@ -26,15 +26,15 @@ TestFlight quota is only available to [sponsors](https://github.com/sponsors/nek
 Once you donate, you can get an invitation by join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot)
 or sending us your Apple ID [via email](mailto:contact@sagernet.org).

-## :material-file-download: Download (macOS standalone version)
+## ~~:material-file-download: Download (macOS standalone version)~~

-* [Homebrew Cask](https://formulae.brew.sh/cask/sfm)
+* ~~[Homebrew Cask](https://formulae.brew.sh/cask/sfm)~~

 ```bash
-brew install sfm
+# brew install sfm
 ```

-* [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
+* ~~[GitHub Releases](https://github.com/SagerNet/sing-box/releases)~~

 ## :material-source-repository: Source code

--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -2,12 +2,6 @@
 icon: material/alert-decagram
 ---

-!!! quote "Changes in sing-box 1.13.0"
-
-    :material-plus: [interface_address](#interface_address)  
-    :material-plus: [network_interface_address](#network_interface_address)  
-    :material-plus: [default_interface_address](#default_interface_address)
-
 !!! quote "Changes in sing-box 1.12.0"

    :material-plus: [ip_accept_any](#ip_accept_any)  
@@ -136,19 +130,6 @@ icon: material/alert-decagram
        ],
        "network_is_expensive": false,
        "network_is_constrained": false,
-        "interface_address": {
-          "en0": [
-            "2000::/3"
-          ]
-        },
-        "network_interface_address": {
-          "wifi": [
-            "2000::/3"
-          ]
-        },
-        "default_interface_address": [
-          "2000::/3"
-        ],
        "wifi_ssid": [
          "My WIFI"
        ],
@@ -378,36 +359,6 @@ such as Cellular or a Personal Hotspot (on Apple platforms).

 Match if network is in Low Data Mode.

-#### interface_address
-
-!!! question "Since sing-box 1.13.0"
-
-!!! quote ""
-
-    Only supported on Linux, Windows, and macOS.
-
-Match interface address.
-
-#### network_interface_address
-
-!!! question "Since sing-box 1.13.0"
-
-!!! quote ""
-
-    Only supported in graphical clients on Android and Apple platforms.
-
-Matches network interface (same values as `network_type`) address.
-
-#### default_interface_address
-
-!!! question "Since sing-box 1.13.0"
-
-!!! quote ""
-
-    Only supported on Linux, Windows, and macOS.
-
-Match default interface address.
-
 #### wifi_ssid

 !!! quote ""
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -2,12 +2,6 @@
 icon: material/alert-decagram
 ---

-!!! quote "sing-box 1.13.0 中的更改"
-
-    :material-plus: [interface_address](#interface_address)  
-    :material-plus: [network_interface_address](#network_interface_address)  
-    :material-plus: [default_interface_address](#default_interface_address)
-
 !!! quote "sing-box 1.12.0 中的更改"

    :material-plus: [ip_accept_any](#ip_accept_any)  
@@ -136,19 +130,6 @@ icon: material/alert-decagram
        ],
        "network_is_expensive": false,
        "network_is_constrained": false,
-        "interface_address": {
-          "en0": [
-            "2000::/3"
-          ]
-        },
-        "network_interface_address": {
-          "wifi": [
-            "2000::/3"
-          ]
-        },
-        "default_interface_address": [
-          "2000::/3"
-        ],
        "wifi_ssid": [
          "My WIFI"
        ],
@@ -377,36 +358,6 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 匹配如果网络在低数据模式下。

-#### interface_address
-
-!!! question "自 sing-box 1.13.0 起"
-
-!!! quote ""
-
-    仅支持 Linux、Windows 和 macOS.
-
-匹配接口地址。
-
-#### network_interface_address
-
-!!! question "自 sing-box 1.13.0 起"
-
-!!! quote ""
-
-    仅在 Android 与 Apple 平台图形客户端中支持。
-
-匹配网络接口（可用值同 `network_type`）地址。
-
-#### default_interface_address
-
-!!! question "自 sing-box 1.13.0 起"
-
-!!! quote ""
-
-    仅支持 Linux、Windows 和 macOS.
-
-匹配默认接口地址。
-
 #### wifi_ssid

 !!! quote ""
--- a/docs/configuration/dns/server/local.md
+++ b/docs/configuration/dns/server/local.md
@@ -2,10 +2,6 @@
 icon: material/new-box
 ---

-!!! quote "Changes in sing-box 1.13.0"
-
-    :material-plus: [prefer_go](#prefer_go)  
-
 !!! question "Since sing-box 1.12.0"

 # Local
@@ -19,7 +15,6 @@ icon: material/new-box
      {
        "type": "local",
        "tag": "",
-        "prefer_go": false

        // Dial Fields
      }
@@ -29,33 +24,10 @@ icon: material/new-box
 ```

 !!! info "Difference from legacy local server"
-
+    
    * The old legacy local server only handles IP requests; the new one handles all types of requests and supports concurrent for IP requests.
    * The old local server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.

-### Fields
-
-#### prefer_go
-
-!!! question "Since sing-box 1.13.0"
-
-When enabled, `local` DNS server will resolve DNS by dialing itself whenever possible.
-
-Specifically, it disables following behaviors which was added as features in sing-box 1.13.0:
-
-1. On Apple platforms: Attempt to resolve A/AAAA requests using `getaddrinfo` in NetworkExtension.
-2. On Linux: Resolve through `systemd-resolvd`'s DBus interface when available.
-
-As a sole exception, it cannot disable the following behavior:
-
-1. In the Android graphical client,
-`local` will always resolve DNS through the platform interface,
-as there is no other way to obtain upstream DNS servers;
-On devices running Android versions lower than 10, this interface can only resolve A/AAAA requests.
-
-2. On macOS, `local` will try DHCP first in Network Extension, since DHCP respects DIal Fields,
-it will not be disabled by `prefer_go`.
-
 ### Dial Fields

 See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/endpoint/index.md
+++ b/docs/configuration/endpoint/index.md
@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 !!! question "Since sing-box 1.11.0"

 # Endpoint
--- a/docs/configuration/endpoint/index.zh.md
+++ b/docs/configuration/endpoint/index.zh.md
@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 !!! question "自 sing-box 1.11.0 起"

 # 端点
--- a/docs/configuration/endpoint/wireguard.md
+++ b/docs/configuration/endpoint/wireguard.md
@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 !!! question "Since sing-box 1.11.0"

 ### Structure
--- a/docs/configuration/endpoint/wireguard.zh.md
+++ b/docs/configuration/endpoint/wireguard.zh.md
@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 !!! question "自 sing-box 1.11.0 起"

 ### 结构
--- a/docs/configuration/inbound/shadowsocks.md
+++ b/docs/configuration/inbound/shadowsocks.md
@@ -9,6 +9,7 @@

  "method": "2022-blake3-aes-128-gcm",
  "password": "8JCsPssfgS8tiRwiMlhARg==",
+  "managed": false,
  "multiplex": {}
 }
 ```
@@ -86,6 +87,10 @@ Both if empty.
 | 2022 methods  | `sing-box generate rand --base64 <Key Length>` |
 | other methods | any string                                     |

+#### managed
+
+Defaults to `false`. Enable this when the inbound is managed by the [SSM API](/configuration/service/ssm-api) for dynamic user.
+
 #### multiplex

 See [Multiplex](/configuration/shared/multiplex#inbound) for details.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	11077fd3d7	release: Refactor release tracks for Linux packages and Docker Support 4 release tracks instead of 2: - sing-box / latest (stable release) - sing-box-beta / latest-beta (stable pre-release) - sing-box-testing / latest-testing (testing branch) - sing-box-oldstable / latest-oldstable (oldstable branch) Track is detected via git branch --contains and git tag, replacing the old version-string hyphen check.	2026-03-24 15:02:44 +08:00
世界	73bfb99ebc	Bump version	2026-03-15 16:57:08 +08:00
世界	7ed63c5e01	Update Go to 1.25.8	2026-03-15 16:57:08 +08:00
Heng lu	92b24c5ecd	Fix netns fd leak in ListenNetworkNamespace	2026-03-15 16:54:55 +08:00
世界	ec182cd24e	Fix websocket connection and goroutine leaks in Clash API Co-authored-by: traitman <112139837+traitman@users.noreply.github.com>	2026-03-15 16:54:11 +08:00
世界	f411a8a0e5	tun: Backport fixes	2026-03-15 16:53:15 +08:00
世界	bc2b0820a0	Bump version	2026-03-05 21:38:26 +08:00
世界	2c60eebc42	Fix rule_set_ip_cidr_accept_empty not working	2026-03-05 21:25:36 +08:00
世界	0ef1c78c0e	Fix fake-ip address allocation	2026-03-05 21:25:26 +08:00
世界	7a1bc204b2	endpoint: Fix UDP resolved destination	2026-03-05 21:24:57 +08:00
traitman	78f494831d	clash-api: Fix websocket connection not closed after config reload via SIGHUP Co-authored-by: TraitMan <traitman@maildog.top> Co-authored-by: Cursor <cursoragent@cursor.com>	2026-03-05 21:22:53 +08:00
dyhkwong	d07c908e5d	Fix IPv6 local DNS on Windows	2026-03-05 21:22:46 +08:00
世界	6126f8712b	tun: Backport fixes	2026-03-05 21:21:48 +08:00
世界	ea5c2446b2	Rename branches and update release workflows stable-next → oldstable, main-next → stable, dev-next → testing, new unstable	2026-03-05 21:10:46 +08:00
世界	c0fcd6afce	Bump version	2026-02-27 15:06:00 +08:00
世界	795eda967b	Pin Go version to 1.25.7	2026-02-27 15:03:31 +08:00
世界	f2ec82dd2a	dialer: use KeepAliveConfig for TCP keepalive	2026-02-27 14:02:58 +08:00
世界	53853e9ae1	release: Fix pacman package	2026-02-26 22:09:12 +08:00
世界	e663b7f974	Fix per-outbound bind_interface	2026-02-26 21:49:05 +08:00
世界	f63091d14d	Bump version	2026-02-15 21:05:34 +08:00
世界	1c4a01ee90	Fix matching multi predefined	2026-02-15 19:20:31 +08:00
世界	4d7f99310c	Fix matching rule-set invert	2026-02-15 19:20:11 +08:00
世界	6fc511f56e	wireguard: Fix missing fallback for gso	2026-02-15 19:20:03 +08:00
世界	d18d2b352a	Bump version	2026-02-09 13:57:18 +08:00
世界	534128bba9	tuic: Fix udp context	2026-02-09 13:55:09 +08:00
世界	736a7368c6	Fix naive padding	2026-02-09 13:53:32 +08:00
世界	e7a9c90213	Fix DNS cache lock goroutine leak The cache deduplication in Client.Exchange uses a channel-based lock per DNS question. Waiting goroutines blocked on <-cond without context awareness, causing them to accumulate indefinitely when the owning goroutine's transport call stalls. Add select on ctx.Done() so waiters respect context cancellation and timeouts.	2026-02-06 22:28:30 +08:00
世界	0f3774e501	Bump version	2026-02-05 17:13:38 +08:00
世界	2f8e656522	Update Go to 1.25.7	2026-02-05 17:12:42 +08:00
世界	3ba30e3f00	Fix route_address_set duplicated IP sets causing route creation failure The FlatMap calls pre-populated routeAddressSet and routeExcludeAddressSet before the for-loops which appended the same IP sets again, doubling every entry. On Windows this caused CreateIpForwardEntry2 to return ERROR_OBJECT_ALREADY_EXISTS. Fixes #3725	2026-02-02 17:29:21 +08:00
世界	f2639a5829	Fix random iproute2 table index was incorrectly removed	2026-02-02 14:13:49 +08:00
世界	69bebbda82	Bump version	2026-02-01 10:19:35 +08:00
世界	00b2c042ee	Disable rp filter atomically	2026-02-01 10:17:34 +08:00
世界	d9eb8f3ab6	Fix varbin serialization	2026-02-01 10:11:15 +08:00
世界	58025a01f8	Fix auto_redirect fallback rule	2026-01-29 12:07:15 +08:00
世界	99cad72ea8	Bump version	2026-01-28 16:56:08 +08:00
世界	6e96d620fe	Minor fixes	2026-01-28 16:56:08 +08:00
世界	51ce402dbb	Bump version	2026-01-17 05:10:56 +08:00
世界	8b404b5a4c	Update Go to 1.25.6	2026-01-17 05:10:56 +08:00
世界	3ce94d50dd	Update uTLS to v1.8.2	2026-01-17 04:54:18 +08:00
世界	29d56fca9c	Update smux to v1.5.50 & Fix h2mux RST_STREAM on half-close	2026-01-17 04:17:14 +08:00
世界	ab18010ee1	Bump version	2026-01-12 20:38:21 +08:00
世界	e69c202c79	Fix logic issues with BBR impl	2026-01-12 20:34:04 +08:00
世界	0a812f2a46	Bump version	2026-01-07 15:13:35 +08:00
Gavin Luo	fffe9fc566	Fix reset buffer in dhcp response loop Previously, the buffer was not reset within the response loop. If a packet handle failed or completed, the buffer retained its state. Specifically, if `ReadPacketFrom` returned `io.ErrShortBuffer`, the error was ignored via `continue`, but the buffer remained full. This caused the next read attempt to immediately fail with the same error, creating a tight busy-wait loop that consumed 100% CPU. Validates `buffer.Reset()` is called at the start of each iteration to ensure a clean state for 'ReadPacketFrom'.	2026-01-05 17:46:59 +08:00
世界	6fdf27a701	Fix Tailscale endpoint using wrong source IP with advertise_routes	2026-01-04 22:14:54 +08:00
Bruce Wayne	7fa7d4f0a9	ducumentation: update Shadowsocks inbound documentation for SSM API	2026-01-02 19:18:52 +08:00
世界	f511ebc1d4	Fix lint errors	2026-01-02 19:17:53 +08:00
世界	84bbdc2eba	Revert "Pin gofumpt and golangci-lint versions" This reverts commit `d9d7f7880d`.	2026-01-02 19:14:13 +08:00
世界	568612fc70	Fix duplicate tag detection for empty tags Closes https://github.com/SagerNet/sing-box/issues/3665	2026-01-02 19:14:13 +08:00
世界	d78828fd81	Fix quic sniffer	2026-01-02 19:14:13 +08:00
世界	f56d9ab945	Bump version	2025-12-25 14:47:10 +08:00
世界	86fabd6a22	Update Mozilla certificates	2025-12-25 14:42:18 +08:00
世界	24a1e7cee4	Ignore darwin IP_DONTFRAG error when not supported	2025-12-25 14:40:48 +08:00
世界	223dd8bb1a	Fix TCP DNS response buffer	2025-12-22 13:51:00 +08:00
世界	68448de7d0	Fix missing RootPoolFromContext and TimeFuncFromContext in HTTP clients	2025-12-22 13:50:57 +08:00
世界	1ebff74c21	Fix DNS cache not working when domain strategy is set The cache lookup was performed before rule matching, using the caller's strategy (usually AsIS/0) instead of the resolved strategy. This caused cache misses when ipv4_only was configured globally but the cache lookup expected both A and AAAA records. Remove LookupCache and ExchangeCache from Router, as the cache checks inside client.Lookup and client.Exchange already handle caching correctly after rule matching with the proper strategy and transport.	2025-12-21 16:59:10 +08:00
世界	f0cd3422c1	Bump version	2025-12-14 00:09:19 +08:00
世界	e385a98ced	Update Go to 1.25.5	2025-12-13 20:11:29 +08:00
世界	670f32baee	Fix naive inbound	2025-12-12 21:19:28 +08:00
世界	2747a00ba2	Fix tailscale destination	2025-12-01 15:02:04 +08:00
世界	48e76038d0	Update Go to 1.25.4	2025-11-16 09:53:10 +08:00
世界	6421252d44	release: Fix windows7 build	2025-11-16 09:09:34 +08:00
世界	216c4c8bd4	Fix adapter handler	2025-11-16 08:34:46 +08:00
世界	5841d410a1	ssm-api: Fix save cache	2025-11-04 11:00:43 +08:00
Kumiko as a Service	63c8207d7a	Use `--no-cache` `--upgrade` option in `apk add` No need for separate upgrade / cache cleanup steps. Signed-off-by: Kumiko as a Service <Dreista@users.noreply.github.com>	2025-11-04 11:00:41 +08:00
世界	54ed58499d	Bump version	2025-10-27 18:04:24 +08:00
世界	b1bdc18c85	Fix socks response	2025-10-27 18:03:05 +08:00
世界	a38030cc0b	Fix memory leak in hysteria2	2025-10-24 10:52:08 +08:00
世界	4626aa2cb0	Bump version	2025-10-21 21:39:28 +08:00
世界	5a40b673a4	Update dependencies	2025-10-21 21:39:28 +08:00
世界	541f63fee4	redirect: Fix compatibility with `/product/bin/su`	2025-10-21 21:27:15 +08:00
世界	5de6f4a14f	Fix tailscale not enforcing NoLogsNoSupport	2025-10-16 22:30:08 +08:00
世界	5658830077	Fix trailing dot handling in local DNS transport	2025-10-16 21:43:12 +08:00
世界	0e50edc009	documentation: Add appreciate for Warp	2025-10-16 21:43:12 +08:00
世界	444f454810	Bump version	2025-10-14 23:43:36 +08:00
世界	d0e1fd6c7e	Update Go to 1.25.3	2025-10-14 23:43:36 +08:00
世界	17b4d1e010	Update uTLS to v1.8.1	2025-10-14 23:40:19 +08:00
世界	06791470c9	Fix DNS reject panic	2025-10-14 23:40:19 +08:00
世界	ef14c8ca0e	Disable TCP slow open for anytls Fixes #3459	2025-10-14 23:40:19 +08:00
世界	36dc883c7c	Fix DNS negative caching to comply with RFC 2308	2025-10-09 23:45:23 +08:00
Mahdi	6557bd7029	Fix dns cache in lookup	2025-10-09 23:45:23 +08:00
世界	41b30c91d9	Improve HTTPS DNS transport	2025-10-09 23:45:23 +08:00
世界	0f767d5ce1	Update .gitignore	2025-10-07 13:37:11 +08:00
世界	328a6de797	Bump version	2025-10-05 17:58:21 +08:00
Mahdi	886be6414d	Fix dns truncate	2025-10-05 17:58:21 +08:00
世界	9362d3cab3	Attempt to fix leak in quic-go	2025-10-01 11:59:17 +08:00
世界	ced2e39dbf	Update dependencies	2025-10-01 11:55:33 +08:00
anytls	2159d8877b	Update anytls v0.0.11 Co-authored-by: anytls <anytls>	2025-10-01 10:23:15 +08:00
世界	cb7dba3eff	release: Improve publish testflight	2025-10-01 10:22:44 +08:00
世界	d9d7f7880d	Pin gofumpt and golangci-lint versions As we don't want to remove naked returns	2025-09-23 16:33:42 +08:00
世界	a031aaf2c0	Do not reset network on sleep or wake	2025-09-23 16:17:44 +08:00
世界	4bca951773	Fix adguard matcher	2025-09-23 16:12:29 +08:00
世界	140735dbde	Fix websocket log handling	2025-09-23 16:12:29 +08:00
世界	714a68bba1	Update .gitignore	2025-09-23 16:12:29 +08:00