documentation: Bump version

Fix missing relay support for Tailscale
cronet: Fix windows DNS hijack
2026-04-12 01:57:18 +10:00 · 2025-12-30 22:36:38 +08:00 · 2025-12-30 22:36:38 +08:00 · 2025-12-30 18:24:33 +08:00 · 2025-12-30 18:24:33 +08:00 · 2025-12-30 18:24:33 +08:00
66 changed files with 1807 additions and 446 deletions
--- a/.github/CRONET_GO_VERSION
+++ b/.github/CRONET_GO_VERSION
@@ -1 +1 @@
-b0385d27c2ab659d9532d71f301deb6599c44a79
+1cc61ad20399081362ccbc18d650432d1a6d42ec
--- a/3
+++ b/3
@@ -37,6 +37,9 @@ fmt:
 	@gofmt -s -w .
 	@gci write --custom-order -s standard -s "prefix(github.com/sagernet/)" -s "default" .

+fmt_docs:
+	go run ./cmd/internal/format_docs
+
 fmt_install:
 	go install -v mvdan.cc/gofumpt@v0.8.0
 	go install -v github.com/daixiang0/gci@latest
--- a/adapter/dns.go
+++ b/adapter/dns.go
@@ -68,6 +68,7 @@ type DNSTransport interface {
 	Type() string
 	Tag() string
 	Dependencies() []string
+	Reset()
 	Exchange(ctx context.Context, message *dns.Msg) (*dns.Msg, error)
 }

--- a/adapter/router.go
+++ b/adapter/router.go
@@ -21,7 +21,7 @@ import (
 type Router interface {
 	Lifecycle
 	ConnectionRouter
-	PreMatch(metadata InboundContext, context tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error)
+	PreMatch(metadata InboundContext, context tun.DirectRouteContext, timeout time.Duration, supportBypass bool) (tun.DirectRouteDestination, error)
 	ConnectionRouterEx
 	RuleSet(tag string) (RuleSet, bool)
 	Rules() []Rule
--- a/cmd/internal/format_docs/main.go
+++ b/cmd/internal/format_docs/main.go
@@ -0,0 +1,117 @@
+package main
+
+import (
+	"bytes"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/sagernet/sing-box/log"
+)
+
+func main() {
+	err := filepath.Walk("docs", func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.IsDir() {
+			return nil
+		}
+		if !strings.HasSuffix(path, ".md") {
+			return nil
+		}
+		return processFile(path)
+	})
+	if err != nil {
+		log.Fatal(err)
+	}
+}
+
+func processFile(path string) error {
+	content, err := os.ReadFile(path)
+	if err != nil {
+		return err
+	}
+
+	lines := strings.Split(string(content), "\n")
+	modified := false
+	result := make([]string, 0, len(lines))
+
+	inQuoteBlock := false
+	materialLines := []int{} // indices of :material- lines in the block
+
+	for _, line := range lines {
+		// Check for quote block start
+		if strings.HasPrefix(line, "!!! quote \"") && strings.Contains(line, "sing-box") {
+			inQuoteBlock = true
+			materialLines = nil
+			result = append(result, line)
+			continue
+		}
+
+		// Inside a quote block
+		if inQuoteBlock {
+			trimmed := strings.TrimPrefix(line, "    ")
+			isMaterialLine := strings.HasPrefix(trimmed, ":material-")
+			isEmpty := strings.TrimSpace(line) == ""
+			isIndented := strings.HasPrefix(line, "    ")
+
+			if isMaterialLine {
+				materialLines = append(materialLines, len(result))
+				result = append(result, line)
+				continue
+			}
+
+			// Block ends when:
+			// - Empty line AFTER we've seen material lines, OR
+			// - Non-indented, non-empty line
+			blockEnds := (isEmpty && len(materialLines) > 0) || (!isEmpty && !isIndented)
+			if blockEnds {
+				// Process collected material lines
+				if len(materialLines) > 0 {
+					for j, idx := range materialLines {
+						isLast := j == len(materialLines)-1
+						resultLine := strings.TrimRight(result[idx], " ")
+						if !isLast {
+							// Add trailing two spaces for non-last lines
+							resultLine += "  "
+						}
+						if result[idx] != resultLine {
+							modified = true
+							result[idx] = resultLine
+						}
+					}
+				}
+				inQuoteBlock = false
+				materialLines = nil
+			}
+		}
+
+		result = append(result, line)
+	}
+
+	// Handle case where file ends while still in a block
+	if inQuoteBlock && len(materialLines) > 0 {
+		for j, idx := range materialLines {
+			isLast := j == len(materialLines)-1
+			resultLine := strings.TrimRight(result[idx], " ")
+			if !isLast {
+				resultLine += "  "
+			}
+			if result[idx] != resultLine {
+				modified = true
+				result[idx] = resultLine
+			}
+		}
+	}
+
+	if modified {
+		newContent := strings.Join(result, "\n")
+		if !bytes.Equal(content, []byte(newContent)) {
+			log.Info("formatted: ", path)
+			return os.WriteFile(path, []byte(newContent), 0o644)
+		}
+	}
+
+	return nil
+}
--- a/constant/rule.go
+++ b/constant/rule.go
@@ -30,6 +30,7 @@ const (
 	RuleActionTypeRoute        = "route"
 	RuleActionTypeRouteOptions = "route-options"
 	RuleActionTypeDirect       = "direct"
+	RuleActionTypeBypass       = "bypass"
 	RuleActionTypeReject       = "reject"
 	RuleActionTypeHijackDNS    = "hijack-dns"
 	RuleActionTypeSniff        = "sniff"
--- a/daemon/started_service.go
+++ b/daemon/started_service.go
@@ -50,6 +50,7 @@ type StartedService struct {
 	logSubscriber           *observable.Subscriber[*log.Entry]
 	logObserver             *observable.Observer[*log.Entry]
 	instance                *Instance
+	startedAt               time.Time
 	urlTestSubscriber       *observable.Subscriber[struct{}]
 	urlTestObserver         *observable.Observer[struct{}]
 	urlTestHistoryStorage   *urltest.HistoryStorage
@@ -193,6 +194,7 @@ func (s *StartedService) StartOrReloadService(profileContent string, options *Ov
 	if err != nil {
 		return s.updateStatusError(err)
 	}
+	s.startedAt = time.Now()
 	s.updateStatus(ServiceStatus_STARTED)
 	s.serviceAccess.Unlock()
 	runtime.GC()
@@ -215,6 +217,7 @@ func (s *StartedService) CloseService() error {
 		}
 	}
 	s.instance = nil
+	s.startedAt = time.Time{}
 	s.updateStatus(ServiceStatus_IDLE)
 	s.serviceAccess.Unlock()
 	runtime.GC()
@@ -734,6 +737,16 @@ func newConnection(connections map[uuid.UUID]*Connection, metadata trafficontrol
 		uplink = 0
 		downlink = 0
 	}
+	var processInfo *ProcessInfo
+	if metadata.Metadata.ProcessInfo != nil {
+		processInfo = &ProcessInfo{
+			ProcessId:   metadata.Metadata.ProcessInfo.ProcessID,
+			UserId:      metadata.Metadata.ProcessInfo.UserId,
+			UserName:    metadata.Metadata.ProcessInfo.UserName,
+			ProcessPath: metadata.Metadata.ProcessInfo.ProcessPath,
+			PackageName: metadata.Metadata.ProcessInfo.AndroidPackageName,
+		}
+	}
 	connection := &Connection{
 		Id:            metadata.ID.String(),
 		Inbound:       metadata.Metadata.Inbound,
@@ -756,6 +769,7 @@ func newConnection(connections map[uuid.UUID]*Connection, metadata trafficontrol
 		Outbound:      metadata.Outbound,
 		OutboundType:  metadata.OutboundType,
 		ChainList:     metadata.Chain,
+		ProcessInfo:   processInfo,
 	}
 	connections[metadata.ID] = connection
 	return connection
@@ -803,6 +817,12 @@ func (s *StartedService) GetDeprecatedWarnings(ctx context.Context, empty *empty
 	}, nil
 }

+func (s *StartedService) GetStartedAt(ctx context.Context, empty *emptypb.Empty) (*StartedAt, error) {
+	s.serviceAccess.RLock()
+	defer s.serviceAccess.RUnlock()
+	return &StartedAt{StartedAt: s.startedAt.UnixMilli()}, nil
+}
+
 func (s *StartedService) SubscribeHelperEvents(empty *emptypb.Empty, server grpc.ServerStreamingServer[HelperRequest]) error {
 	return os.ErrInvalid
 }
--- a/daemon/started_service.pb.go
+++ b/daemon/started_service.pb.go
@@ -1238,6 +1238,7 @@ type Connection struct {
 	Outbound      string                 `protobuf:"bytes,19,opt,name=outbound,proto3" json:"outbound,omitempty"`
 	OutboundType  string                 `protobuf:"bytes,20,opt,name=outboundType,proto3" json:"outboundType,omitempty"`
 	ChainList     []string               `protobuf:"bytes,21,rep,name=chainList,proto3" json:"chainList,omitempty"`
+	ProcessInfo   *ProcessInfo           `protobuf:"bytes,22,opt,name=processInfo,proto3" json:"processInfo,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -1419,6 +1420,89 @@ func (x *Connection) GetChainList() []string {
 	return nil
 }

+func (x *Connection) GetProcessInfo() *ProcessInfo {
+	if x != nil {
+		return x.ProcessInfo
+	}
+	return nil
+}
+
+type ProcessInfo struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	ProcessId     uint32                 `protobuf:"varint,1,opt,name=processId,proto3" json:"processId,omitempty"`
+	UserId        int32                  `protobuf:"varint,2,opt,name=userId,proto3" json:"userId,omitempty"`
+	UserName      string                 `protobuf:"bytes,3,opt,name=userName,proto3" json:"userName,omitempty"`
+	ProcessPath   string                 `protobuf:"bytes,4,opt,name=processPath,proto3" json:"processPath,omitempty"`
+	PackageName   string                 `protobuf:"bytes,5,opt,name=packageName,proto3" json:"packageName,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ProcessInfo) Reset() {
+	*x = ProcessInfo{}
+	mi := &file_daemon_started_service_proto_msgTypes[19]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ProcessInfo) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ProcessInfo) ProtoMessage() {}
+
+func (x *ProcessInfo) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_started_service_proto_msgTypes[19]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ProcessInfo.ProtoReflect.Descriptor instead.
+func (*ProcessInfo) Descriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{19}
+}
+
+func (x *ProcessInfo) GetProcessId() uint32 {
+	if x != nil {
+		return x.ProcessId
+	}
+	return 0
+}
+
+func (x *ProcessInfo) GetUserId() int32 {
+	if x != nil {
+		return x.UserId
+	}
+	return 0
+}
+
+func (x *ProcessInfo) GetUserName() string {
+	if x != nil {
+		return x.UserName
+	}
+	return ""
+}
+
+func (x *ProcessInfo) GetProcessPath() string {
+	if x != nil {
+		return x.ProcessPath
+	}
+	return ""
+}
+
+func (x *ProcessInfo) GetPackageName() string {
+	if x != nil {
+		return x.PackageName
+	}
+	return ""
+}
+
 type CloseConnectionRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Id            string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
@@ -1428,7 +1512,7 @@ type CloseConnectionRequest struct {

 func (x *CloseConnectionRequest) Reset() {
 	*x = CloseConnectionRequest{}
-	mi := &file_daemon_started_service_proto_msgTypes[19]
+	mi := &file_daemon_started_service_proto_msgTypes[20]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1440,7 +1524,7 @@ func (x *CloseConnectionRequest) String() string {
 func (*CloseConnectionRequest) ProtoMessage() {}

 func (x *CloseConnectionRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[19]
+	mi := &file_daemon_started_service_proto_msgTypes[20]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1453,7 +1537,7 @@ func (x *CloseConnectionRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use CloseConnectionRequest.ProtoReflect.Descriptor instead.
 func (*CloseConnectionRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{19}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{20}
 }

 func (x *CloseConnectionRequest) GetId() string {
@@ -1472,7 +1556,7 @@ type DeprecatedWarnings struct {

 func (x *DeprecatedWarnings) Reset() {
 	*x = DeprecatedWarnings{}
-	mi := &file_daemon_started_service_proto_msgTypes[20]
+	mi := &file_daemon_started_service_proto_msgTypes[21]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1484,7 +1568,7 @@ func (x *DeprecatedWarnings) String() string {
 func (*DeprecatedWarnings) ProtoMessage() {}

 func (x *DeprecatedWarnings) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[20]
+	mi := &file_daemon_started_service_proto_msgTypes[21]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1497,7 +1581,7 @@ func (x *DeprecatedWarnings) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DeprecatedWarnings.ProtoReflect.Descriptor instead.
 func (*DeprecatedWarnings) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{20}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{21}
 }

 func (x *DeprecatedWarnings) GetWarnings() []*DeprecatedWarning {
@@ -1518,7 +1602,7 @@ type DeprecatedWarning struct {

 func (x *DeprecatedWarning) Reset() {
 	*x = DeprecatedWarning{}
-	mi := &file_daemon_started_service_proto_msgTypes[21]
+	mi := &file_daemon_started_service_proto_msgTypes[22]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1530,7 +1614,7 @@ func (x *DeprecatedWarning) String() string {
 func (*DeprecatedWarning) ProtoMessage() {}

 func (x *DeprecatedWarning) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[21]
+	mi := &file_daemon_started_service_proto_msgTypes[22]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1543,7 +1627,7 @@ func (x *DeprecatedWarning) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DeprecatedWarning.ProtoReflect.Descriptor instead.
 func (*DeprecatedWarning) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{21}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{22}
 }

 func (x *DeprecatedWarning) GetMessage() string {
@@ -1567,6 +1651,50 @@ func (x *DeprecatedWarning) GetMigrationLink() string {
 	return ""
 }

+type StartedAt struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	StartedAt     int64                  `protobuf:"varint,1,opt,name=startedAt,proto3" json:"startedAt,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *StartedAt) Reset() {
+	*x = StartedAt{}
+	mi := &file_daemon_started_service_proto_msgTypes[23]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *StartedAt) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StartedAt) ProtoMessage() {}
+
+func (x *StartedAt) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_started_service_proto_msgTypes[23]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StartedAt.ProtoReflect.Descriptor instead.
+func (*StartedAt) Descriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{23}
+}
+
+func (x *StartedAt) GetStartedAt() int64 {
+	if x != nil {
+		return x.StartedAt
+	}
+	return 0
+}
+
 type Log_Message struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Level         LogLevel               `protobuf:"varint,1,opt,name=level,proto3,enum=daemon.LogLevel" json:"level,omitempty"`
@@ -1577,7 +1705,7 @@ type Log_Message struct {

 func (x *Log_Message) Reset() {
 	*x = Log_Message{}
-	mi := &file_daemon_started_service_proto_msgTypes[22]
+	mi := &file_daemon_started_service_proto_msgTypes[24]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1589,7 +1717,7 @@ func (x *Log_Message) String() string {
 func (*Log_Message) ProtoMessage() {}

 func (x *Log_Message) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[22]
+	mi := &file_daemon_started_service_proto_msgTypes[24]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1696,7 +1824,7 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x06filter\x18\x02 \x01(\x0e2\x18.daemon.ConnectionFilterR\x06filter\x120\n" +
 	"\x06sortBy\x18\x03 \x01(\x0e2\x18.daemon.ConnectionSortByR\x06sortBy\"C\n" +
 	"\vConnections\x124\n" +
-	"\vconnections\x18\x01 \x03(\v2\x12.daemon.ConnectionR\vconnections\"\xde\x04\n" +
+	"\vconnections\x18\x01 \x03(\v2\x12.daemon.ConnectionR\vconnections\"\x95\x05\n" +
 	"\n" +
 	"Connection\x12\x0e\n" +
 	"\x02id\x18\x01 \x01(\tR\x02id\x12\x18\n" +
@@ -1720,7 +1848,14 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x04rule\x18\x12 \x01(\tR\x04rule\x12\x1a\n" +
 	"\boutbound\x18\x13 \x01(\tR\boutbound\x12\"\n" +
 	"\foutboundType\x18\x14 \x01(\tR\foutboundType\x12\x1c\n" +
-	"\tchainList\x18\x15 \x03(\tR\tchainList\"(\n" +
+	"\tchainList\x18\x15 \x03(\tR\tchainList\x125\n" +
+	"\vprocessInfo\x18\x16 \x01(\v2\x13.daemon.ProcessInfoR\vprocessInfo\"\xa3\x01\n" +
+	"\vProcessInfo\x12\x1c\n" +
+	"\tprocessId\x18\x01 \x01(\rR\tprocessId\x12\x16\n" +
+	"\x06userId\x18\x02 \x01(\x05R\x06userId\x12\x1a\n" +
+	"\buserName\x18\x03 \x01(\tR\buserName\x12 \n" +
+	"\vprocessPath\x18\x04 \x01(\tR\vprocessPath\x12 \n" +
+	"\vpackageName\x18\x05 \x01(\tR\vpackageName\"(\n" +
 	"\x16CloseConnectionRequest\x12\x0e\n" +
 	"\x02id\x18\x01 \x01(\tR\x02id\"K\n" +
 	"\x12DeprecatedWarnings\x125\n" +
@@ -1728,7 +1863,9 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x11DeprecatedWarning\x12\x18\n" +
 	"\amessage\x18\x01 \x01(\tR\amessage\x12\x1c\n" +
 	"\timpending\x18\x02 \x01(\bR\timpending\x12$\n" +
-	"\rmigrationLink\x18\x03 \x01(\tR\rmigrationLink*U\n" +
+	"\rmigrationLink\x18\x03 \x01(\tR\rmigrationLink\")\n" +
+	"\tStartedAt\x12\x1c\n" +
+	"\tstartedAt\x18\x01 \x01(\x03R\tstartedAt*U\n" +
 	"\bLogLevel\x12\t\n" +
 	"\x05PANIC\x10\x00\x12\t\n" +
 	"\x05FATAL\x10\x01\x12\t\n" +
@@ -1746,7 +1883,7 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x10ConnectionSortBy\x12\b\n" +
 	"\x04DATE\x10\x00\x12\v\n" +
 	"\aTRAFFIC\x10\x01\x12\x11\n" +
-	"\rTOTAL_TRAFFIC\x10\x022\xb7\f\n" +
+	"\rTOTAL_TRAFFIC\x10\x022\xf4\f\n" +
 	"\x0eStartedService\x12=\n" +
 	"\vStopService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12?\n" +
 	"\rReloadService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12K\n" +
@@ -1767,7 +1904,8 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x14SubscribeConnections\x12#.daemon.SubscribeConnectionsRequest\x1a\x13.daemon.Connections\"\x000\x01\x12K\n" +
 	"\x0fCloseConnection\x12\x1e.daemon.CloseConnectionRequest\x1a\x16.google.protobuf.Empty\"\x00\x12G\n" +
 	"\x13CloseAllConnections\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\"\x00\x12M\n" +
-	"\x15GetDeprecatedWarnings\x12\x16.google.protobuf.Empty\x1a\x1a.daemon.DeprecatedWarnings\"\x00\x12J\n" +
+	"\x15GetDeprecatedWarnings\x12\x16.google.protobuf.Empty\x1a\x1a.daemon.DeprecatedWarnings\"\x00\x12;\n" +
+	"\fGetStartedAt\x12\x16.google.protobuf.Empty\x1a\x11.daemon.StartedAt\"\x00\x12J\n" +
 	"\x15SubscribeHelperEvents\x12\x16.google.protobuf.Empty\x1a\x15.daemon.HelperRequest\"\x000\x01\x12F\n" +
 	"\x12SendHelperResponse\x12\x16.daemon.HelperResponse\x1a\x16.google.protobuf.Empty\"\x00B%Z#github.com/sagernet/sing-box/daemonb\x06proto3"

@@ -1785,7 +1923,7 @@ func file_daemon_started_service_proto_rawDescGZIP() []byte {

 var (
 	file_daemon_started_service_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
-	file_daemon_started_service_proto_msgTypes  = make([]protoimpl.MessageInfo, 23)
+	file_daemon_started_service_proto_msgTypes  = make([]protoimpl.MessageInfo, 25)
 	file_daemon_started_service_proto_goTypes   = []any{
 		(LogLevel)(0),                        // 0: daemon.LogLevel
 		(ConnectionFilter)(0),                // 1: daemon.ConnectionFilter
@@ -1810,76 +1948,81 @@ var (
 		(*SubscribeConnectionsRequest)(nil),  // 20: daemon.SubscribeConnectionsRequest
 		(*Connections)(nil),                  // 21: daemon.Connections
 		(*Connection)(nil),                   // 22: daemon.Connection
-		(*CloseConnectionRequest)(nil),       // 23: daemon.CloseConnectionRequest
-		(*DeprecatedWarnings)(nil),           // 24: daemon.DeprecatedWarnings
-		(*DeprecatedWarning)(nil),            // 25: daemon.DeprecatedWarning
-		(*Log_Message)(nil),                  // 26: daemon.Log.Message
-		(*emptypb.Empty)(nil),                // 27: google.protobuf.Empty
-		(*HelperResponse)(nil),               // 28: daemon.HelperResponse
-		(*HelperRequest)(nil),                // 29: daemon.HelperRequest
+		(*ProcessInfo)(nil),                  // 23: daemon.ProcessInfo
+		(*CloseConnectionRequest)(nil),       // 24: daemon.CloseConnectionRequest
+		(*DeprecatedWarnings)(nil),           // 25: daemon.DeprecatedWarnings
+		(*DeprecatedWarning)(nil),            // 26: daemon.DeprecatedWarning
+		(*StartedAt)(nil),                    // 27: daemon.StartedAt
+		(*Log_Message)(nil),                  // 28: daemon.Log.Message
+		(*emptypb.Empty)(nil),                // 29: google.protobuf.Empty
+		(*HelperResponse)(nil),               // 30: daemon.HelperResponse
+		(*HelperRequest)(nil),                // 31: daemon.HelperRequest
 	}
 )

 var file_daemon_started_service_proto_depIdxs = []int32{
 	3,  // 0: daemon.ServiceStatus.status:type_name -> daemon.ServiceStatus.Type
-	26, // 1: daemon.Log.messages:type_name -> daemon.Log.Message
+	28, // 1: daemon.Log.messages:type_name -> daemon.Log.Message
 	0,  // 2: daemon.DefaultLogLevel.level:type_name -> daemon.LogLevel
 	11, // 3: daemon.Groups.group:type_name -> daemon.Group
 	12, // 4: daemon.Group.items:type_name -> daemon.GroupItem
 	1,  // 5: daemon.SubscribeConnectionsRequest.filter:type_name -> daemon.ConnectionFilter
 	2,  // 6: daemon.SubscribeConnectionsRequest.sortBy:type_name -> daemon.ConnectionSortBy
 	22, // 7: daemon.Connections.connections:type_name -> daemon.Connection
-	25, // 8: daemon.DeprecatedWarnings.warnings:type_name -> daemon.DeprecatedWarning
-	0,  // 9: daemon.Log.Message.level:type_name -> daemon.LogLevel
-	27, // 10: daemon.StartedService.StopService:input_type -> google.protobuf.Empty
-	27, // 11: daemon.StartedService.ReloadService:input_type -> google.protobuf.Empty
-	27, // 12: daemon.StartedService.SubscribeServiceStatus:input_type -> google.protobuf.Empty
-	27, // 13: daemon.StartedService.SubscribeLog:input_type -> google.protobuf.Empty
-	27, // 14: daemon.StartedService.GetDefaultLogLevel:input_type -> google.protobuf.Empty
-	27, // 15: daemon.StartedService.ClearLogs:input_type -> google.protobuf.Empty
-	6,  // 16: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
-	27, // 17: daemon.StartedService.SubscribeGroups:input_type -> google.protobuf.Empty
-	27, // 18: daemon.StartedService.GetClashModeStatus:input_type -> google.protobuf.Empty
-	27, // 19: daemon.StartedService.SubscribeClashMode:input_type -> google.protobuf.Empty
-	16, // 20: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
-	13, // 21: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
-	14, // 22: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
-	15, // 23: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
-	27, // 24: daemon.StartedService.GetSystemProxyStatus:input_type -> google.protobuf.Empty
-	19, // 25: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
-	20, // 26: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
-	23, // 27: daemon.StartedService.CloseConnection:input_type -> daemon.CloseConnectionRequest
-	27, // 28: daemon.StartedService.CloseAllConnections:input_type -> google.protobuf.Empty
-	27, // 29: daemon.StartedService.GetDeprecatedWarnings:input_type -> google.protobuf.Empty
-	27, // 30: daemon.StartedService.SubscribeHelperEvents:input_type -> google.protobuf.Empty
-	28, // 31: daemon.StartedService.SendHelperResponse:input_type -> daemon.HelperResponse
-	27, // 32: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
-	27, // 33: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
-	4,  // 34: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
-	7,  // 35: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
-	8,  // 36: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
-	27, // 37: daemon.StartedService.ClearLogs:output_type -> google.protobuf.Empty
-	9,  // 38: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
-	10, // 39: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
-	17, // 40: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
-	16, // 41: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
-	27, // 42: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
-	27, // 43: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
-	27, // 44: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
-	27, // 45: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
-	18, // 46: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
-	27, // 47: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
-	21, // 48: daemon.StartedService.SubscribeConnections:output_type -> daemon.Connections
-	27, // 49: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
-	27, // 50: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
-	24, // 51: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
-	29, // 52: daemon.StartedService.SubscribeHelperEvents:output_type -> daemon.HelperRequest
-	27, // 53: daemon.StartedService.SendHelperResponse:output_type -> google.protobuf.Empty
-	32, // [32:54] is the sub-list for method output_type
-	10, // [10:32] is the sub-list for method input_type
-	10, // [10:10] is the sub-list for extension type_name
-	10, // [10:10] is the sub-list for extension extendee
-	0,  // [0:10] is the sub-list for field type_name
+	23, // 8: daemon.Connection.processInfo:type_name -> daemon.ProcessInfo
+	26, // 9: daemon.DeprecatedWarnings.warnings:type_name -> daemon.DeprecatedWarning
+	0,  // 10: daemon.Log.Message.level:type_name -> daemon.LogLevel
+	29, // 11: daemon.StartedService.StopService:input_type -> google.protobuf.Empty
+	29, // 12: daemon.StartedService.ReloadService:input_type -> google.protobuf.Empty
+	29, // 13: daemon.StartedService.SubscribeServiceStatus:input_type -> google.protobuf.Empty
+	29, // 14: daemon.StartedService.SubscribeLog:input_type -> google.protobuf.Empty
+	29, // 15: daemon.StartedService.GetDefaultLogLevel:input_type -> google.protobuf.Empty
+	29, // 16: daemon.StartedService.ClearLogs:input_type -> google.protobuf.Empty
+	6,  // 17: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
+	29, // 18: daemon.StartedService.SubscribeGroups:input_type -> google.protobuf.Empty
+	29, // 19: daemon.StartedService.GetClashModeStatus:input_type -> google.protobuf.Empty
+	29, // 20: daemon.StartedService.SubscribeClashMode:input_type -> google.protobuf.Empty
+	16, // 21: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
+	13, // 22: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
+	14, // 23: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
+	15, // 24: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
+	29, // 25: daemon.StartedService.GetSystemProxyStatus:input_type -> google.protobuf.Empty
+	19, // 26: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
+	20, // 27: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
+	24, // 28: daemon.StartedService.CloseConnection:input_type -> daemon.CloseConnectionRequest
+	29, // 29: daemon.StartedService.CloseAllConnections:input_type -> google.protobuf.Empty
+	29, // 30: daemon.StartedService.GetDeprecatedWarnings:input_type -> google.protobuf.Empty
+	29, // 31: daemon.StartedService.GetStartedAt:input_type -> google.protobuf.Empty
+	29, // 32: daemon.StartedService.SubscribeHelperEvents:input_type -> google.protobuf.Empty
+	30, // 33: daemon.StartedService.SendHelperResponse:input_type -> daemon.HelperResponse
+	29, // 34: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
+	29, // 35: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
+	4,  // 36: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
+	7,  // 37: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
+	8,  // 38: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
+	29, // 39: daemon.StartedService.ClearLogs:output_type -> google.protobuf.Empty
+	9,  // 40: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
+	10, // 41: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
+	17, // 42: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
+	16, // 43: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
+	29, // 44: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
+	29, // 45: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
+	29, // 46: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
+	29, // 47: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
+	18, // 48: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
+	29, // 49: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
+	21, // 50: daemon.StartedService.SubscribeConnections:output_type -> daemon.Connections
+	29, // 51: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
+	29, // 52: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
+	25, // 53: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
+	27, // 54: daemon.StartedService.GetStartedAt:output_type -> daemon.StartedAt
+	31, // 55: daemon.StartedService.SubscribeHelperEvents:output_type -> daemon.HelperRequest
+	29, // 56: daemon.StartedService.SendHelperResponse:output_type -> google.protobuf.Empty
+	34, // [34:57] is the sub-list for method output_type
+	11, // [11:34] is the sub-list for method input_type
+	11, // [11:11] is the sub-list for extension type_name
+	11, // [11:11] is the sub-list for extension extendee
+	0,  // [0:11] is the sub-list for field type_name
 }

 func init() { file_daemon_started_service_proto_init() }
@@ -1894,7 +2037,7 @@ func file_daemon_started_service_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_started_service_proto_rawDesc), len(file_daemon_started_service_proto_rawDesc)),
 			NumEnums:      4,
-			NumMessages:   23,
+			NumMessages:   25,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/daemon/started_service.proto
+++ b/daemon/started_service.proto
@@ -32,6 +32,7 @@ service StartedService {
  rpc CloseConnection(CloseConnectionRequest) returns(google.protobuf.Empty) {}
  rpc CloseAllConnections(google.protobuf.Empty) returns(google.protobuf.Empty) {}
  rpc GetDeprecatedWarnings(google.protobuf.Empty) returns(DeprecatedWarnings) {}
+  rpc GetStartedAt(google.protobuf.Empty) returns(StartedAt) {}

  rpc SubscribeHelperEvents(google.protobuf.Empty) returns(stream HelperRequest) {}
  rpc SendHelperResponse(HelperResponse) returns(google.protobuf.Empty) {}
@@ -188,6 +189,15 @@ message Connection {
  string outbound = 19;
  string outboundType = 20;
  repeated string chainList = 21;
+  ProcessInfo processInfo = 22;
+}
+
+message ProcessInfo {
+  uint32 processId = 1;
+  int32 userId = 2;
+  string userName = 3;
+  string processPath = 4;
+  string packageName = 5;
 }

 message CloseConnectionRequest {
@@ -202,4 +212,8 @@ message DeprecatedWarning {
  string message = 1;
  bool impending = 2;
  string migrationLink = 3;
+}
+
+message StartedAt {
+  int64 startedAt = 1;
 }
--- a/daemon/started_service_grpc.pb.go
+++ b/daemon/started_service_grpc.pb.go
@@ -35,6 +35,7 @@ const (
 	StartedService_CloseConnection_FullMethodName        = "/daemon.StartedService/CloseConnection"
 	StartedService_CloseAllConnections_FullMethodName    = "/daemon.StartedService/CloseAllConnections"
 	StartedService_GetDeprecatedWarnings_FullMethodName  = "/daemon.StartedService/GetDeprecatedWarnings"
+	StartedService_GetStartedAt_FullMethodName           = "/daemon.StartedService/GetStartedAt"
 	StartedService_SubscribeHelperEvents_FullMethodName  = "/daemon.StartedService/SubscribeHelperEvents"
 	StartedService_SendHelperResponse_FullMethodName     = "/daemon.StartedService/SendHelperResponse"
 )
@@ -63,6 +64,7 @@ type StartedServiceClient interface {
 	CloseConnection(ctx context.Context, in *CloseConnectionRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	CloseAllConnections(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*DeprecatedWarnings, error)
+	GetStartedAt(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*StartedAt, error)
 	SubscribeHelperEvents(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[HelperRequest], error)
 	SendHelperResponse(ctx context.Context, in *HelperResponse, opts ...grpc.CallOption) (*emptypb.Empty, error)
 }
@@ -329,6 +331,16 @@ func (c *startedServiceClient) GetDeprecatedWarnings(ctx context.Context, in *em
 	return out, nil
 }

+func (c *startedServiceClient) GetStartedAt(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*StartedAt, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(StartedAt)
+	err := c.cc.Invoke(ctx, StartedService_GetStartedAt_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *startedServiceClient) SubscribeHelperEvents(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[HelperRequest], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[6], StartedService_SubscribeHelperEvents_FullMethodName, cOpts...)
@@ -382,6 +394,7 @@ type StartedServiceServer interface {
 	CloseConnection(context.Context, *CloseConnectionRequest) (*emptypb.Empty, error)
 	CloseAllConnections(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(context.Context, *emptypb.Empty) (*DeprecatedWarnings, error)
+	GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error)
 	SubscribeHelperEvents(*emptypb.Empty, grpc.ServerStreamingServer[HelperRequest]) error
 	SendHelperResponse(context.Context, *HelperResponse) (*emptypb.Empty, error)
 	mustEmbedUnimplementedStartedServiceServer()
@@ -474,6 +487,10 @@ func (UnimplementedStartedServiceServer) GetDeprecatedWarnings(context.Context,
 	return nil, status.Errorf(codes.Unimplemented, "method GetDeprecatedWarnings not implemented")
 }

+func (UnimplementedStartedServiceServer) GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetStartedAt not implemented")
+}
+
 func (UnimplementedStartedServiceServer) SubscribeHelperEvents(*emptypb.Empty, grpc.ServerStreamingServer[HelperRequest]) error {
 	return status.Errorf(codes.Unimplemented, "method SubscribeHelperEvents not implemented")
 }
@@ -820,6 +837,24 @@ func _StartedService_GetDeprecatedWarnings_Handler(srv interface{}, ctx context.
 	return interceptor(ctx, in, info, handler)
 }

+func _StartedService_GetStartedAt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(emptypb.Empty)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(StartedServiceServer).GetStartedAt(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: StartedService_GetStartedAt_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(StartedServiceServer).GetStartedAt(ctx, req.(*emptypb.Empty))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _StartedService_SubscribeHelperEvents_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(emptypb.Empty)
 	if err := stream.RecvMsg(m); err != nil {
@@ -912,6 +947,10 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetDeprecatedWarnings",
 			Handler:    _StartedService_GetDeprecatedWarnings_Handler,
 		},
+		{
+			MethodName: "GetStartedAt",
+			Handler:    _StartedService_GetStartedAt_Handler,
+		},
 		{
 			MethodName: "SendHelperResponse",
 			Handler:    _StartedService_SendHelperResponse_Handler,
--- a/dns/router.go
+++ b/dns/router.go
@@ -444,6 +444,6 @@ func (r *Router) LookupReverseMapping(ip netip.Addr) (string, bool) {
 func (r *Router) ResetNetwork() {
 	r.ClearCache()
 	for _, transport := range r.transport.Transports() {
-		transport.Close()
+		transport.Reset()
 	}
 }
--- a/dns/transport/base.go
+++ b/dns/transport/base.go
@@ -0,0 +1,145 @@
+package transport
+
+import (
+	"context"
+	"os"
+	"sync"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+)
+
+type TransportState int
+
+const (
+	StateNew TransportState = iota
+	StateStarted
+	StateClosing
+	StateClosed
+)
+
+var (
+	ErrTransportClosed = os.ErrClosed
+	ErrConnectionReset = E.New("connection reset")
+)
+
+type BaseTransport struct {
+	dns.TransportAdapter
+	Logger logger.ContextLogger
+
+	mutex           sync.Mutex
+	state           TransportState
+	inFlight        int32
+	queriesComplete chan struct{}
+	closeCtx        context.Context
+	closeCancel     context.CancelFunc
+}
+
+func NewBaseTransport(adapter dns.TransportAdapter, logger logger.ContextLogger) *BaseTransport {
+	ctx, cancel := context.WithCancel(context.Background())
+	return &BaseTransport{
+		TransportAdapter: adapter,
+		Logger:           logger,
+		state:            StateNew,
+		closeCtx:         ctx,
+		closeCancel:      cancel,
+	}
+}
+
+func (t *BaseTransport) State() TransportState {
+	t.mutex.Lock()
+	defer t.mutex.Unlock()
+	return t.state
+}
+
+func (t *BaseTransport) SetStarted() error {
+	t.mutex.Lock()
+	defer t.mutex.Unlock()
+	switch t.state {
+	case StateNew:
+		t.state = StateStarted
+		return nil
+	case StateStarted:
+		return nil
+	default:
+		return ErrTransportClosed
+	}
+}
+
+func (t *BaseTransport) BeginQuery() bool {
+	t.mutex.Lock()
+	defer t.mutex.Unlock()
+	if t.state != StateStarted {
+		return false
+	}
+	t.inFlight++
+	return true
+}
+
+func (t *BaseTransport) EndQuery() {
+	t.mutex.Lock()
+	if t.inFlight > 0 {
+		t.inFlight--
+	}
+	if t.inFlight == 0 && t.queriesComplete != nil {
+		close(t.queriesComplete)
+		t.queriesComplete = nil
+	}
+	t.mutex.Unlock()
+}
+
+func (t *BaseTransport) CloseContext() context.Context {
+	return t.closeCtx
+}
+
+func (t *BaseTransport) Shutdown(ctx context.Context) error {
+	t.mutex.Lock()
+
+	if t.state >= StateClosing {
+		t.mutex.Unlock()
+		return nil
+	}
+
+	if t.state == StateNew {
+		t.state = StateClosed
+		t.mutex.Unlock()
+		t.closeCancel()
+		return nil
+	}
+
+	t.state = StateClosing
+
+	if t.inFlight == 0 {
+		t.state = StateClosed
+		t.mutex.Unlock()
+		t.closeCancel()
+		return nil
+	}
+
+	t.queriesComplete = make(chan struct{})
+	queriesComplete := t.queriesComplete
+	t.mutex.Unlock()
+
+	t.closeCancel()
+
+	select {
+	case <-queriesComplete:
+		t.mutex.Lock()
+		t.state = StateClosed
+		t.mutex.Unlock()
+		return nil
+	case <-ctx.Done():
+		t.mutex.Lock()
+		t.state = StateClosed
+		t.mutex.Unlock()
+		return ctx.Err()
+	}
+}
+
+func (t *BaseTransport) Close() error {
+	ctx, cancel := context.WithTimeout(context.Background(), C.TCPTimeout)
+	defer cancel()
+	return t.Shutdown(ctx)
+}
--- a/dns/transport/connector.go
+++ b/dns/transport/connector.go
@@ -0,0 +1,205 @@
+package transport
+
+import (
+	"context"
+	"net"
+	"sync"
+)
+
+type ConnectorCallbacks[T any] struct {
+	IsClosed func(connection T) bool
+	Close    func(connection T)
+	Reset    func(connection T)
+}
+
+type Connector[T any] struct {
+	dial      func(ctx context.Context) (T, error)
+	callbacks ConnectorCallbacks[T]
+
+	access        sync.Mutex
+	connection    T
+	hasConnection bool
+	connecting    chan struct{}
+
+	closeCtx context.Context
+	closed   bool
+}
+
+func NewConnector[T any](closeCtx context.Context, dial func(context.Context) (T, error), callbacks ConnectorCallbacks[T]) *Connector[T] {
+	return &Connector[T]{
+		dial:      dial,
+		callbacks: callbacks,
+		closeCtx:  closeCtx,
+	}
+}
+
+func NewSingleflightConnector(closeCtx context.Context, dial func(context.Context) (*Connection, error)) *Connector[*Connection] {
+	return NewConnector(closeCtx, dial, ConnectorCallbacks[*Connection]{
+		IsClosed: func(connection *Connection) bool {
+			return connection.IsClosed()
+		},
+		Close: func(connection *Connection) {
+			connection.CloseWithError(ErrTransportClosed)
+		},
+		Reset: func(connection *Connection) {
+			connection.CloseWithError(ErrConnectionReset)
+		},
+	})
+}
+
+func (c *Connector[T]) Get(ctx context.Context) (T, error) {
+	var zero T
+	for {
+		c.access.Lock()
+
+		if c.closed {
+			c.access.Unlock()
+			return zero, ErrTransportClosed
+		}
+
+		if c.hasConnection && !c.callbacks.IsClosed(c.connection) {
+			connection := c.connection
+			c.access.Unlock()
+			return connection, nil
+		}
+
+		c.hasConnection = false
+
+		if c.connecting != nil {
+			connecting := c.connecting
+			c.access.Unlock()
+
+			select {
+			case <-connecting:
+				continue
+			case <-ctx.Done():
+				return zero, ctx.Err()
+			case <-c.closeCtx.Done():
+				return zero, ErrTransportClosed
+			}
+		}
+
+		c.connecting = make(chan struct{})
+		c.access.Unlock()
+
+		connection, err := c.dialWithCancellation(ctx)
+
+		c.access.Lock()
+		close(c.connecting)
+		c.connecting = nil
+
+		if err != nil {
+			c.access.Unlock()
+			return zero, err
+		}
+
+		if c.closed {
+			c.callbacks.Close(connection)
+			c.access.Unlock()
+			return zero, ErrTransportClosed
+		}
+
+		c.connection = connection
+		c.hasConnection = true
+		result := c.connection
+		c.access.Unlock()
+
+		return result, nil
+	}
+}
+
+func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, error) {
+	dialCtx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	go func() {
+		select {
+		case <-c.closeCtx.Done():
+			cancel()
+		case <-dialCtx.Done():
+		}
+	}()
+
+	return c.dial(dialCtx)
+}
+
+func (c *Connector[T]) Close() error {
+	c.access.Lock()
+	defer c.access.Unlock()
+
+	if c.closed {
+		return nil
+	}
+	c.closed = true
+
+	if c.hasConnection {
+		c.callbacks.Close(c.connection)
+		c.hasConnection = false
+	}
+
+	return nil
+}
+
+func (c *Connector[T]) Reset() {
+	c.access.Lock()
+	defer c.access.Unlock()
+
+	if c.hasConnection {
+		c.callbacks.Reset(c.connection)
+		c.hasConnection = false
+	}
+}
+
+type Connection struct {
+	net.Conn
+
+	closeOnce  sync.Once
+	done       chan struct{}
+	closeError error
+}
+
+func WrapConnection(conn net.Conn) *Connection {
+	return &Connection{
+		Conn: conn,
+		done: make(chan struct{}),
+	}
+}
+
+func (c *Connection) Done() <-chan struct{} {
+	return c.done
+}
+
+func (c *Connection) IsClosed() bool {
+	select {
+	case <-c.done:
+		return true
+	default:
+		return false
+	}
+}
+
+func (c *Connection) CloseError() error {
+	select {
+	case <-c.done:
+		if c.closeError != nil {
+			return c.closeError
+		}
+		return ErrTransportClosed
+	default:
+		return nil
+	}
+}
+
+func (c *Connection) Close() error {
+	return c.CloseWithError(ErrTransportClosed)
+}
+
+func (c *Connection) CloseWithError(err error) error {
+	var returnError error
+	c.closeOnce.Do(func() {
+		c.closeError = err
+		returnError = c.Conn.Close()
+		close(c.done)
+	})
+	return returnError
+}
--- a/dns/transport/dhcp/dhcp.go
+++ b/dns/transport/dhcp/dhcp.go
@@ -108,6 +108,13 @@ func (t *Transport) Close() error {
 	return nil
 }

+func (t *Transport) Reset() {
+	t.transportLock.Lock()
+	t.updatedAt = time.Time{}
+	t.servers = nil
+	t.transportLock.Unlock()
+}
+
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	servers, err := t.fetch()
 	if err != nil {
--- a/dns/transport/fakeip/memory.go
+++ b/dns/transport/fakeip/memory.go
@@ -82,8 +82,12 @@ func (s *MemoryStorage) FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr
 }

 func (s *MemoryStorage) FakeIPReset() error {
+	s.addressAccess.Lock()
+	s.domainAccess.Lock()
 	s.addressCache = make(map[netip.Addr]string)
 	s.domainCache4 = make(map[string]netip.Addr)
 	s.domainCache6 = make(map[string]netip.Addr)
+	s.domainAccess.Unlock()
+	s.addressAccess.Unlock()
 	return nil
 }
--- a/dns/transport/fakeip/store.go
+++ b/dns/transport/fakeip/store.go
@@ -3,6 +3,7 @@ package fakeip
 import (
 	"context"
 	"net/netip"
+	"sync"

 	"github.com/sagernet/sing-box/adapter"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -13,13 +14,15 @@ import (
 var _ adapter.FakeIPStore = (*Store)(nil)

 type Store struct {
-	ctx          context.Context
-	logger       logger.Logger
-	inet4Range   netip.Prefix
-	inet6Range   netip.Prefix
-	storage      adapter.FakeIPStorage
-	inet4Current netip.Addr
-	inet6Current netip.Addr
+	ctx        context.Context
+	logger     logger.Logger
+	inet4Range netip.Prefix
+	inet6Range netip.Prefix
+	storage    adapter.FakeIPStorage
+
+	addressAccess sync.Mutex
+	inet4Current  netip.Addr
+	inet6Current  netip.Addr
 }

 func NewStore(ctx context.Context, logger logger.Logger, inet4Range netip.Prefix, inet6Range netip.Prefix) *Store {
@@ -65,18 +68,30 @@ func (s *Store) Close() error {
 	if s.storage == nil {
 		return nil
 	}
-	return s.storage.FakeIPSaveMetadata(&adapter.FakeIPMetadata{
+	s.addressAccess.Lock()
+	metadata := &adapter.FakeIPMetadata{
 		Inet4Range:   s.inet4Range,
 		Inet6Range:   s.inet6Range,
 		Inet4Current: s.inet4Current,
 		Inet6Current: s.inet6Current,
-	})
+	}
+	s.addressAccess.Unlock()
+	return s.storage.FakeIPSaveMetadata(metadata)
 }

 func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 	if address, loaded := s.storage.FakeIPLoadDomain(domain, isIPv6); loaded {
 		return address, nil
 	}
+
+	s.addressAccess.Lock()
+	defer s.addressAccess.Unlock()
+
+	// Double-check after acquiring lock
+	if address, loaded := s.storage.FakeIPLoadDomain(domain, isIPv6); loaded {
+		return address, nil
+	}
+
 	var address netip.Addr
 	if !isIPv6 {
 		if !s.inet4Current.IsValid() {
@@ -99,7 +114,10 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 		s.inet6Current = nextAddress
 		address = nextAddress
 	}
-	s.storage.FakeIPStoreAsync(address, domain, s.logger)
+	err := s.storage.FakeIPStore(address, domain)
+	if err != nil {
+		s.logger.Warn("save FakeIP cache: ", err)
+	}
 	s.storage.FakeIPSaveMetadataAsync(&adapter.FakeIPMetadata{
 		Inet4Range:   s.inet4Range,
 		Inet6Range:   s.inet6Range,
--- a/dns/transport/hosts/hosts.go
+++ b/dns/transport/hosts/hosts.go
@@ -59,6 +59,9 @@ func (t *Transport) Close() error {
 	return nil
 }

+func (t *Transport) Reset() {
+}
+
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	question := message.Question[0]
 	domain := mDNS.CanonicalName(question.Name)
--- a/dns/transport/https.go
+++ b/dns/transport/https.go
@@ -145,6 +145,13 @@ func (t *HTTPSTransport) Close() error {
 	return nil
 }

+func (t *HTTPSTransport) Reset() {
+	t.transportAccess.Lock()
+	defer t.transportAccess.Unlock()
+	t.transport.CloseIdleConnections()
+	t.transport = t.transport.Clone()
+}
+
 func (t *HTTPSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	startAt := time.Now()
 	response, err := t.exchange(ctx, message)
@@ -182,7 +189,10 @@ func (t *HTTPSTransport) exchange(ctx context.Context, message *mDNS.Msg) (*mDNS
 	request.Header = t.headers.Clone()
 	request.Header.Set("Content-Type", MimeType)
 	request.Header.Set("Accept", MimeType)
-	response, err := t.transport.RoundTrip(request)
+	t.transportAccess.Lock()
+	currentTransport := t.transport
+	t.transportAccess.Unlock()
+	response, err := currentTransport.RoundTrip(request)
 	requestBuffer.Release()
 	if err != nil {
 		return nil, err
@@ -194,12 +204,12 @@ func (t *HTTPSTransport) exchange(ctx context.Context, message *mDNS.Msg) (*mDNS
 	var responseMessage mDNS.Msg
 	if response.ContentLength > 0 {
 		responseBuffer := buf.NewSize(int(response.ContentLength))
+		defer responseBuffer.Release()
 		_, err = responseBuffer.ReadFullFrom(response.Body, int(response.ContentLength))
 		if err != nil {
 			return nil, err
 		}
 		err = responseMessage.Unpack(responseBuffer.Bytes())
-		responseBuffer.Release()
 	} else {
 		rawMessage, err = io.ReadAll(response.Body)
 		if err != nil {
--- a/dns/transport/local/local.go
+++ b/dns/transport/local/local.go
@@ -76,6 +76,9 @@ func (t *Transport) Close() error {
 	return nil
 }

+func (t *Transport) Reset() {
+}
+
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	if t.resolved != nil {
 		resolverObject := t.resolved.Object()
--- a/dns/transport/local/local_darwin.go
+++ b/dns/transport/local/local_darwin.go
@@ -92,6 +92,12 @@ func (t *Transport) Close() error {
 	)
 }

+func (t *Transport) Reset() {
+	if t.dhcpTransport != nil {
+		t.dhcpTransport.Reset()
+	}
+}
+
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	question := message.Question[0]
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
--- a/dns/transport/quic/http3.go
+++ b/dns/transport/quic/http3.go
@@ -8,10 +8,12 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"sync"

 	"github.com/sagernet/quic-go"
 	"github.com/sagernet/quic-go/http3"
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
@@ -23,6 +25,7 @@ import (
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	sHTTP "github.com/sagernet/sing/protocol/http"

@@ -37,11 +40,14 @@ func RegisterHTTP3Transport(registry *dns.TransportRegistry) {

 type HTTP3Transport struct {
 	dns.TransportAdapter
-	logger      logger.ContextLogger
-	dialer      N.Dialer
-	destination *url.URL
-	headers     http.Header
-	transport   *http3.Transport
+	logger          logger.ContextLogger
+	dialer          N.Dialer
+	destination     *url.URL
+	headers         http.Header
+	serverAddr      M.Socksaddr
+	tlsConfig       *tls.STDConfig
+	transportAccess sync.Mutex
+	transport       *http3.Transport
 }

 func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteHTTPSDNSServerOptions) (adapter.DNSTransport, error) {
@@ -95,33 +101,57 @@ func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options
 	if !serverAddr.IsValid() {
 		return nil, E.New("invalid server address: ", serverAddr)
 	}
-	return &HTTP3Transport{
+	t := &HTTP3Transport{
 		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeHTTP3, tag, options.RemoteDNSServerOptions),
 		logger:           logger,
 		dialer:           transportDialer,
 		destination:      &destinationURL,
 		headers:          headers,
-		transport: &http3.Transport{
-			Dial: func(ctx context.Context, addr string, tlsCfg *tls.STDConfig, cfg *quic.Config) (*quic.Conn, error) {
-				conn, dialErr := transportDialer.DialContext(ctx, N.NetworkUDP, serverAddr)
-				if dialErr != nil {
-					return nil, dialErr
-				}
-				return quic.DialEarly(ctx, bufio.NewUnbindPacketConn(conn), conn.RemoteAddr(), tlsCfg, cfg)
-			},
-			TLSClientConfig: stdConfig,
+		serverAddr:       serverAddr,
+		tlsConfig:        stdConfig,
+	}
+	t.transport = t.newTransport()
+	return t, nil
+}
+
+func (t *HTTP3Transport) newTransport() *http3.Transport {
+	return &http3.Transport{
+		Dial: func(ctx context.Context, addr string, tlsCfg *tls.STDConfig, cfg *quic.Config) (*quic.Conn, error) {
+			conn, dialErr := t.dialer.DialContext(ctx, N.NetworkUDP, t.serverAddr)
+			if dialErr != nil {
+				return nil, dialErr
+			}
+			quicConn, dialErr := quic.DialEarly(ctx, bufio.NewUnbindPacketConn(conn), conn.RemoteAddr(), tlsCfg, cfg)
+			if dialErr != nil {
+				conn.Close()
+				return nil, dialErr
+			}
+			return quicConn, nil
 		},
-	}, nil
+		TLSClientConfig: t.tlsConfig,
+	}
 }

 func (t *HTTP3Transport) Start(stage adapter.StartStage) error {
-	return nil
+	if stage != adapter.StartStateStart {
+		return nil
+	}
+	return dialer.InitializeDetour(t.dialer)
 }

 func (t *HTTP3Transport) Close() error {
+	t.transportAccess.Lock()
+	defer t.transportAccess.Unlock()
 	return t.transport.Close()
 }

+func (t *HTTP3Transport) Reset() {
+	t.transportAccess.Lock()
+	defer t.transportAccess.Unlock()
+	t.transport.Close()
+	t.transport = t.newTransport()
+}
+
 func (t *HTTP3Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	exMessage := *message
 	exMessage.Id = 0
@@ -140,7 +170,10 @@ func (t *HTTP3Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS
 	request.Header = t.headers.Clone()
 	request.Header.Set("Content-Type", transport.MimeType)
 	request.Header.Set("Accept", transport.MimeType)
-	response, err := t.transport.RoundTrip(request)
+	t.transportAccess.Lock()
+	currentTransport := t.transport
+	t.transportAccess.Unlock()
+	response, err := currentTransport.RoundTrip(request)
 	requestBuffer.Release()
 	if err != nil {
 		return nil, err
@@ -152,12 +185,12 @@ func (t *HTTP3Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS
 	var responseMessage mDNS.Msg
 	if response.ContentLength > 0 {
 		responseBuffer := buf.NewSize(int(response.ContentLength))
+		defer responseBuffer.Release()
 		_, err = responseBuffer.ReadFullFrom(response.Body, int(response.ContentLength))
 		if err != nil {
 			return nil, err
 		}
 		err = responseMessage.Unpack(responseBuffer.Bytes())
-		responseBuffer.Release()
 	} else {
 		rawMessage, err = io.ReadAll(response.Body)
 		if err != nil {
--- a/dns/transport/quic/quic.go
+++ b/dns/transport/quic/quic.go
@@ -3,10 +3,11 @@ package quic
 import (
 	"context"
 	"errors"
-	"sync"
+	"os"

 	"github.com/sagernet/quic-go"
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
@@ -17,7 +18,6 @@ import (
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"

@@ -31,14 +31,14 @@ func RegisterTransport(registry *dns.TransportRegistry) {
 }

 type Transport struct {
-	dns.TransportAdapter
+	*transport.BaseTransport
+
 	ctx        context.Context
-	logger     logger.ContextLogger
 	dialer     N.Dialer
 	serverAddr M.Socksaddr
 	tlsConfig  tls.Config
-	access     sync.Mutex
-	connection *quic.Conn
+
+	connector *transport.Connector[*quic.Conn]
 }

 func NewQUIC(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteTLSDNSServerOptions) (adapter.DNSTransport, error) {
@@ -62,38 +62,84 @@ func NewQUIC(ctx context.Context, logger log.ContextLogger, tag string, options
 	if !serverAddr.IsValid() {
 		return nil, E.New("invalid server address: ", serverAddr)
 	}
-	return &Transport{
-		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeQUIC, tag, options.RemoteDNSServerOptions),
-		ctx:              ctx,
-		logger:           logger,
-		dialer:           transportDialer,
-		serverAddr:       serverAddr,
-		tlsConfig:        tlsConfig,
-	}, nil
+
+	t := &Transport{
+		BaseTransport: transport.NewBaseTransport(
+			dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeQUIC, tag, options.RemoteDNSServerOptions),
+			logger,
+		),
+		ctx:        ctx,
+		dialer:     transportDialer,
+		serverAddr: serverAddr,
+		tlsConfig:  tlsConfig,
+	}
+
+	t.connector = transport.NewConnector(t.CloseContext(), t.dial, transport.ConnectorCallbacks[*quic.Conn]{
+		IsClosed: func(connection *quic.Conn) bool {
+			return common.Done(connection.Context())
+		},
+		Close: func(connection *quic.Conn) {
+			connection.CloseWithError(0, "")
+		},
+		Reset: func(connection *quic.Conn) {
+			connection.CloseWithError(0, "")
+		},
+	})
+
+	return t, nil
+}
+
+func (t *Transport) dial(ctx context.Context) (*quic.Conn, error) {
+	conn, err := t.dialer.DialContext(ctx, N.NetworkUDP, t.serverAddr)
+	if err != nil {
+		return nil, E.Cause(err, "dial UDP connection")
+	}
+	earlyConnection, err := sQUIC.DialEarly(
+		ctx,
+		bufio.NewUnbindPacketConn(conn),
+		t.serverAddr.UDPAddr(),
+		t.tlsConfig,
+		nil,
+	)
+	if err != nil {
+		conn.Close()
+		return nil, E.Cause(err, "establish QUIC connection")
+	}
+	return earlyConnection, nil
 }

 func (t *Transport) Start(stage adapter.StartStage) error {
-	return nil
+	if stage != adapter.StartStateStart {
+		return nil
+	}
+	err := t.SetStarted()
+	if err != nil {
+		return err
+	}
+	return dialer.InitializeDetour(t.dialer)
 }

 func (t *Transport) Close() error {
-	t.access.Lock()
-	defer t.access.Unlock()
-	connection := t.connection
-	if connection != nil {
-		connection.CloseWithError(0, "")
-	}
-	return nil
+	return E.Errors(t.BaseTransport.Close(), t.connector.Close())
+}
+
+func (t *Transport) Reset() {
+	t.connector.Reset()
 }

 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	if !t.BeginQuery() {
+		return nil, transport.ErrTransportClosed
+	}
+	defer t.EndQuery()
+
 	var (
 		conn     *quic.Conn
 		err      error
 		response *mDNS.Msg
 	)
 	for i := 0; i < 2; i++ {
-		conn, err = t.openConnection()
+		conn, err = t.connector.Get(ctx)
 		if err != nil {
 			return nil, err
 		}
@@ -103,58 +149,38 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 		} else if !isQUICRetryError(err) {
 			return nil, err
 		} else {
-			conn.CloseWithError(quic.ApplicationErrorCode(0), "")
+			t.connector.Reset()
 			continue
 		}
 	}
 	return nil, err
 }

-func (t *Transport) openConnection() (*quic.Conn, error) {
-	connection := t.connection
-	if connection != nil && !common.Done(connection.Context()) {
-		return connection, nil
-	}
-	t.access.Lock()
-	defer t.access.Unlock()
-	connection = t.connection
-	if connection != nil && !common.Done(connection.Context()) {
-		return connection, nil
-	}
-	conn, err := t.dialer.DialContext(t.ctx, N.NetworkUDP, t.serverAddr)
-	if err != nil {
-		return nil, err
-	}
-	earlyConnection, err := sQUIC.DialEarly(
-		t.ctx,
-		bufio.NewUnbindPacketConn(conn),
-		t.serverAddr.UDPAddr(),
-		t.tlsConfig,
-		nil,
-	)
-	if err != nil {
-		return nil, err
-	}
-	t.connection = earlyConnection
-	return earlyConnection, nil
-}
-
 func (t *Transport) exchange(ctx context.Context, message *mDNS.Msg, conn *quic.Conn) (*mDNS.Msg, error) {
 	stream, err := conn.OpenStreamSync(ctx)
 	if err != nil {
-		return nil, err
+		return nil, E.Cause(err, "open stream")
 	}
+	defer stream.CancelRead(0)
 	err = transport.WriteMessage(stream, 0, message)
 	if err != nil {
 		stream.Close()
-		return nil, err
+		return nil, E.Cause(err, "write request")
 	}
 	stream.Close()
-	return transport.ReadMessage(stream)
+	response, err := transport.ReadMessage(stream)
+	if err != nil {
+		return nil, E.Cause(err, "read response")
+	}
+	return response, nil
 }

 // https://github.com/AdguardTeam/dnsproxy/blob/fd1868577652c639cce3da00e12ca548f421baf1/upstream/upstream_quic.go#L394
 func isQUICRetryError(err error) (ok bool) {
+	if errors.Is(err, os.ErrClosed) {
+		return true
+	}
+
 	var qAppErr *quic.ApplicationError
 	if errors.As(err, &qAppErr) && qAppErr.ErrorCode == 0 {
 		return true
--- a/dns/transport/tcp.go
+++ b/dns/transport/tcp.go
@@ -62,17 +62,24 @@ func (t *TCPTransport) Close() error {
 	return nil
 }

+func (t *TCPTransport) Reset() {
+}
+
 func (t *TCPTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	conn, err := t.dialer.DialContext(ctx, N.NetworkTCP, t.serverAddr)
 	if err != nil {
-		return nil, err
+		return nil, E.Cause(err, "dial TCP connection")
 	}
 	defer conn.Close()
 	err = WriteMessage(conn, 0, message)
 	if err != nil {
-		return nil, err
+		return nil, E.Cause(err, "write request")
 	}
-	return ReadMessage(conn)
+	response, err := ReadMessage(conn)
+	if err != nil {
+		return nil, E.Cause(err, "read response")
+	}
+	return response, nil
 }

 func ReadMessage(reader io.Reader) (*mDNS.Msg, error) {
--- a/dns/transport/tls.go
+++ b/dns/transport/tls.go
@@ -3,6 +3,7 @@ package transport
 import (
 	"context"
 	"sync"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
@@ -28,8 +29,8 @@ func RegisterTLS(registry *dns.TransportRegistry) {
 }

 type TLSTransport struct {
-	dns.TransportAdapter
-	logger      logger.ContextLogger
+	*BaseTransport
+
 	dialer      tls.Dialer
 	serverAddr  M.Socksaddr
 	tlsConfig   tls.Config
@@ -65,11 +66,10 @@ func NewTLS(ctx context.Context, logger log.ContextLogger, tag string, options o

 func NewTLSRaw(logger logger.ContextLogger, adapter dns.TransportAdapter, dialer N.Dialer, serverAddr M.Socksaddr, tlsConfig tls.Config) *TLSTransport {
 	return &TLSTransport{
-		TransportAdapter: adapter,
-		logger:           logger,
-		dialer:           tls.NewDialer(dialer, tlsConfig),
-		serverAddr:       serverAddr,
-		tlsConfig:        tlsConfig,
+		BaseTransport: NewBaseTransport(adapter, logger),
+		dialer:        tls.NewDialer(dialer, tlsConfig),
+		serverAddr:    serverAddr,
+		tlsConfig:     tlsConfig,
 	}
 }

@@ -77,37 +77,59 @@ func (t *TLSTransport) Start(stage adapter.StartStage) error {
 	if stage != adapter.StartStateStart {
 		return nil
 	}
+	err := t.SetStarted()
+	if err != nil {
+		return err
+	}
 	return dialer.InitializeDetour(t.dialer)
 }

 func (t *TLSTransport) Close() error {
+	t.access.Lock()
+	for connection := t.connections.Front(); connection != nil; connection = connection.Next() {
+		connection.Value.Close()
+	}
+	t.connections.Init()
+	t.access.Unlock()
+	return t.BaseTransport.Close()
+}
+
+func (t *TLSTransport) Reset() {
 	t.access.Lock()
 	defer t.access.Unlock()
 	for connection := t.connections.Front(); connection != nil; connection = connection.Next() {
 		connection.Value.Close()
 	}
 	t.connections.Init()
-	return nil
 }

 func (t *TLSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	if !t.BeginQuery() {
+		return nil, ErrTransportClosed
+	}
+	defer t.EndQuery()
+
 	t.access.Lock()
 	conn := t.connections.PopFront()
 	t.access.Unlock()
 	if conn != nil {
-		response, err := t.exchange(message, conn)
+		response, err := t.exchange(ctx, message, conn)
 		if err == nil {
 			return response, nil
 		}
+		t.Logger.DebugContext(ctx, "discarded pooled connection: ", err)
 	}
 	tlsConn, err := t.dialer.DialTLSContext(ctx, t.serverAddr)
 	if err != nil {
-		return nil, err
+		return nil, E.Cause(err, "dial TLS connection")
 	}
-	return t.exchange(message, &tlsDNSConn{Conn: tlsConn})
+	return t.exchange(ctx, message, &tlsDNSConn{Conn: tlsConn})
 }

-func (t *TLSTransport) exchange(message *mDNS.Msg, conn *tlsDNSConn) (*mDNS.Msg, error) {
+func (t *TLSTransport) exchange(ctx context.Context, message *mDNS.Msg, conn *tlsDNSConn) (*mDNS.Msg, error) {
+	if deadline, ok := ctx.Deadline(); ok {
+		conn.SetDeadline(deadline)
+	}
 	conn.queryId++
 	err := WriteMessage(conn, conn.queryId, message)
 	if err != nil {
@@ -120,6 +142,12 @@ func (t *TLSTransport) exchange(message *mDNS.Msg, conn *tlsDNSConn) (*mDNS.Msg,
 		return nil, E.Cause(err, "read response")
 	}
 	t.access.Lock()
+	if t.State() >= StateClosing {
+		t.access.Unlock()
+		conn.Close()
+		return response, nil
+	}
+	conn.SetDeadline(time.Time{})
 	t.connections.PushBack(conn)
 	t.access.Unlock()
 	return response, nil
--- a/dns/transport/udp.go
+++ b/dns/transport/udp.go
@@ -2,9 +2,8 @@ package transport

 import (
 	"context"
-	"net"
-	"os"
 	"sync"
+	"sync/atomic"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
@@ -28,15 +27,23 @@ func RegisterUDP(registry *dns.TransportRegistry) {
 }

 type UDPTransport struct {
-	dns.TransportAdapter
-	logger       logger.ContextLogger
-	dialer       N.Dialer
-	serverAddr   M.Socksaddr
-	udpSize      int
-	tcpTransport *TCPTransport
-	access       sync.Mutex
-	conn         *dnsConnection
-	done         chan struct{}
+	*BaseTransport
+
+	dialer     N.Dialer
+	serverAddr M.Socksaddr
+	udpSize    atomic.Int32
+
+	connector *Connector[*Connection]
+
+	callbackAccess sync.RWMutex
+	queryId        uint16
+	callbacks      map[uint16]*udpCallback
+}
+
+type udpCallback struct {
+	access   sync.Mutex
+	response *mDNS.Msg
+	done     chan struct{}
 }

 func NewUDP(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteDNSServerOptions) (adapter.DNSTransport, error) {
@@ -54,180 +61,198 @@ func NewUDP(ctx context.Context, logger log.ContextLogger, tag string, options o
 	return NewUDPRaw(logger, dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeUDP, tag, options), transportDialer, serverAddr), nil
 }

-func NewUDPRaw(logger logger.ContextLogger, adapter dns.TransportAdapter, dialer N.Dialer, serverAddr M.Socksaddr) *UDPTransport {
-	return &UDPTransport{
-		TransportAdapter: adapter,
-		logger:           logger,
-		dialer:           dialer,
-		serverAddr:       serverAddr,
-		udpSize:          2048,
-		tcpTransport: &TCPTransport{
-			dialer:     dialer,
-			serverAddr: serverAddr,
-		},
-		done: make(chan struct{}),
+func NewUDPRaw(logger logger.ContextLogger, adapter dns.TransportAdapter, dialerInstance N.Dialer, serverAddr M.Socksaddr) *UDPTransport {
+	t := &UDPTransport{
+		BaseTransport: NewBaseTransport(adapter, logger),
+		dialer:        dialerInstance,
+		serverAddr:    serverAddr,
+		callbacks:     make(map[uint16]*udpCallback),
 	}
+	t.udpSize.Store(2048)
+	t.connector = NewSingleflightConnector(t.CloseContext(), t.dial)
+	return t
+}
+
+func (t *UDPTransport) dial(ctx context.Context) (*Connection, error) {
+	rawConn, err := t.dialer.DialContext(ctx, N.NetworkUDP, t.serverAddr)
+	if err != nil {
+		return nil, E.Cause(err, "dial UDP connection")
+	}
+	conn := WrapConnection(rawConn)
+	go t.recvLoop(conn)
+	return conn, nil
 }

 func (t *UDPTransport) Start(stage adapter.StartStage) error {
 	if stage != adapter.StartStateStart {
 		return nil
 	}
+	err := t.SetStarted()
+	if err != nil {
+		return err
+	}
 	return dialer.InitializeDetour(t.dialer)
 }

 func (t *UDPTransport) Close() error {
-	t.access.Lock()
-	defer t.access.Unlock()
-	close(t.done)
-	t.done = make(chan struct{})
-	return nil
+	return E.Errors(t.BaseTransport.Close(), t.connector.Close())
+}
+
+func (t *UDPTransport) Reset() {
+	t.connector.Reset()
+}
+
+func (t *UDPTransport) nextAvailableQueryId() (uint16, error) {
+	start := t.queryId
+	for {
+		t.queryId++
+		if _, exists := t.callbacks[t.queryId]; !exists {
+			return t.queryId, nil
+		}
+		if t.queryId == start {
+			return 0, E.New("no available query ID")
+		}
+	}
 }

 func (t *UDPTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	if !t.BeginQuery() {
+		return nil, ErrTransportClosed
+	}
+	defer t.EndQuery()
+
 	response, err := t.exchange(ctx, message)
 	if err != nil {
 		return nil, err
 	}
 	if response.Truncated {
-		t.logger.InfoContext(ctx, "response truncated, retrying with TCP")
-		return t.tcpTransport.Exchange(ctx, message)
+		t.Logger.InfoContext(ctx, "response truncated, retrying with TCP")
+		return t.exchangeTCP(ctx, message)
+	}
+	return response, nil
+}
+
+func (t *UDPTransport) exchangeTCP(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	conn, err := t.dialer.DialContext(ctx, N.NetworkTCP, t.serverAddr)
+	if err != nil {
+		return nil, E.Cause(err, "dial TCP connection")
+	}
+	defer conn.Close()
+	err = WriteMessage(conn, message.Id, message)
+	if err != nil {
+		return nil, E.Cause(err, "write request")
+	}
+	response, err := ReadMessage(conn)
+	if err != nil {
+		return nil, E.Cause(err, "read response")
 	}
 	return response, nil
 }

 func (t *UDPTransport) exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	t.access.Lock()
 	if edns0Opt := message.IsEdns0(); edns0Opt != nil {
-		if udpSize := int(edns0Opt.UDPSize()); udpSize > t.udpSize {
-			t.udpSize = udpSize
-			close(t.done)
-			t.done = make(chan struct{})
+		udpSize := int32(edns0Opt.UDPSize())
+		for {
+			current := t.udpSize.Load()
+			if udpSize <= current {
+				break
+			}
+			if t.udpSize.CompareAndSwap(current, udpSize) {
+				t.connector.Reset()
+				break
+			}
 		}
 	}
-	t.access.Unlock()
-	conn, err := t.open(ctx)
+
+	conn, err := t.connector.Get(ctx)
 	if err != nil {
 		return nil, err
 	}
-	buffer := buf.NewSize(1 + message.Len())
-	defer buffer.Release()
-	exMessage := *message
-	exMessage.Compress = true
-	messageId := message.Id
-	callback := &dnsCallback{
+
+	callback := &udpCallback{
 		done: make(chan struct{}),
 	}
-	conn.access.Lock()
-	conn.queryId++
-	exMessage.Id = conn.queryId
-	conn.callbacks[exMessage.Id] = callback
-	conn.access.Unlock()
+
+	t.callbackAccess.Lock()
+	queryId, err := t.nextAvailableQueryId()
+	if err != nil {
+		t.callbackAccess.Unlock()
+		return nil, err
+	}
+	t.callbacks[queryId] = callback
+	t.callbackAccess.Unlock()
+
 	defer func() {
-		conn.access.Lock()
-		delete(conn.callbacks, exMessage.Id)
-		conn.access.Unlock()
+		t.callbackAccess.Lock()
+		delete(t.callbacks, queryId)
+		t.callbackAccess.Unlock()
 	}()
+
+	buffer := buf.NewSize(1 + message.Len())
+	defer buffer.Release()
+
+	exMessage := *message
+	exMessage.Compress = true
+	originalId := message.Id
+	exMessage.Id = queryId
+
 	rawMessage, err := exMessage.PackBuffer(buffer.FreeBytes())
 	if err != nil {
 		return nil, err
 	}
+
 	_, err = conn.Write(rawMessage)
 	if err != nil {
-		conn.Close(err)
-		return nil, err
+		conn.CloseWithError(err)
+		return nil, E.Cause(err, "write request")
 	}
+
 	select {
 	case <-callback.done:
-		callback.message.Id = messageId
-		return callback.message, nil
-	case <-conn.done:
-		return nil, conn.err
-	case <-t.done:
-		return nil, os.ErrClosed
+		callback.response.Id = originalId
+		return callback.response, nil
+	case <-conn.Done():
+		return nil, conn.CloseError()
+	case <-t.CloseContext().Done():
+		return nil, ErrTransportClosed
 	case <-ctx.Done():
-		conn.Close(ctx.Err())
 		return nil, ctx.Err()
 	}
 }

-func (t *UDPTransport) open(ctx context.Context) (*dnsConnection, error) {
-	t.access.Lock()
-	defer t.access.Unlock()
-	if t.conn != nil {
-		select {
-		case <-t.conn.done:
-		default:
-			return t.conn, nil
-		}
-	}
-	conn, err := t.dialer.DialContext(ctx, N.NetworkUDP, t.serverAddr)
-	if err != nil {
-		return nil, err
-	}
-	dnsConn := &dnsConnection{
-		Conn:      conn,
-		done:      make(chan struct{}),
-		callbacks: make(map[uint16]*dnsCallback),
-	}
-	go t.recvLoop(dnsConn)
-	t.conn = dnsConn
-	return dnsConn, nil
-}
-
-func (t *UDPTransport) recvLoop(conn *dnsConnection) {
+func (t *UDPTransport) recvLoop(conn *Connection) {
 	for {
-		buffer := buf.NewSize(t.udpSize)
+		buffer := buf.NewSize(int(t.udpSize.Load()))
 		_, err := buffer.ReadOnceFrom(conn)
 		if err != nil {
 			buffer.Release()
-			conn.Close(err)
+			conn.CloseWithError(err)
 			return
 		}
+
 		var message mDNS.Msg
 		err = message.Unpack(buffer.Bytes())
 		buffer.Release()
 		if err != nil {
-			conn.Close(err)
-			return
+			t.Logger.Debug("discarded malformed UDP response: ", err)
+			continue
 		}
-		conn.access.RLock()
-		callback, loaded := conn.callbacks[message.Id]
-		conn.access.RUnlock()
+
+		t.callbackAccess.RLock()
+		callback, loaded := t.callbacks[message.Id]
+		t.callbackAccess.RUnlock()
+
 		if !loaded {
 			continue
 		}
+
 		callback.access.Lock()
 		select {
 		case <-callback.done:
 		default:
-			callback.message = &message
+			callback.response = &message
 			close(callback.done)
 		}
 		callback.access.Unlock()
 	}
 }
-
-type dnsConnection struct {
-	net.Conn
-	access    sync.RWMutex
-	done      chan struct{}
-	closeOnce sync.Once
-	err       error
-	queryId   uint16
-	callbacks map[uint16]*dnsCallback
-}
-
-func (c *dnsConnection) Close(err error) {
-	c.closeOnce.Do(func() {
-		c.err = err
-		close(c.done)
-	})
-	c.Conn.Close()
-}
-
-type dnsCallback struct {
-	access  sync.Mutex
-	message *mDNS.Msg
-	done    chan struct{}
-}
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,6 +2,26 @@
 icon: material/alert-decagram
 ---

+#### 1.13.0-alpha.35
+
+* Add pre-match support for `auto_redirect` **1**
+* Fix missing relay support for Tailscale **2**
+* Fixes and improvements
+
+**1**:
+
+`auto_redirect` now allows you to bypass sing-box for connections based on routing rules.
+
+A new rule action `bypass` is introduced to support this feature. When matched during pre-match, the connection will bypass sing-box and connect directly.
+
+This feature requires Linux with `auto_redirect` enabled.
+
+See [Pre-match](/configuration/shared/pre-match/) and [Rule Action](/configuration/route/rule_action/#bypass).
+
+**2**:
+
+See [Tailscale Endpoint](/configuration/endpoint/tailscale/#relay_server_port).
+
 #### 1.13.0-alpha.34

 * Add Chrome Root Store certificate option **1**
--- a/docs/configuration/dns/server/local.md
+++ b/docs/configuration/dns/server/local.md
@@ -4,7 +4,7 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.13.0"

-    :material-plus: [prefer_go](#prefer_go)  
+    :material-plus: [prefer_go](#prefer_go)

 !!! question "Since sing-box 1.12.0"

--- a/docs/configuration/endpoint/tailscale.md
+++ b/docs/configuration/endpoint/tailscale.md
@@ -2,6 +2,11 @@
 icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.13.0"
+
+    :material-plus: [relay_server_port](#relay_server_port)  
+    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)
+
 !!! question "Since sing-box 1.12.0"

 ### Structure
@@ -20,6 +25,8 @@ icon: material/new-box
  "exit_node_allow_lan_access": false,
  "advertise_routes": [],
  "advertise_exit_node": false,
+  "relay_server_port": 0,
+  "relay_server_static_endpoints": [],
  "udp_timeout": "5m",
  
  ... // Dial Fields
@@ -89,6 +96,14 @@ Example: `["192.168.1.1/24"]`

 Indicates whether the node should advertise itself as an exit node.

+#### relay_server_port
+
+The port to listen on for incoming relay connections from other Tailscale nodes.
+
+#### relay_server_static_endpoints
+
+Static endpoints to advertise for the relay server.
+
 #### udp_timeout

 UDP NAT expiration time.
--- a/docs/configuration/endpoint/tailscale.zh.md
+++ b/docs/configuration/endpoint/tailscale.zh.md
@@ -2,6 +2,11 @@
 icon: material/new-box
 ---

+!!! quote "sing-box 1.13.0 中的更改"
+
+    :material-plus: [relay_server_port](#relay_server_port)  
+    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)
+
 !!! question "自 sing-box 1.12.0 起"

 ### 结构
@@ -20,6 +25,8 @@ icon: material/new-box
  "exit_node_allow_lan_access": false,
  "advertise_routes": [],
  "advertise_exit_node": false,
+  "relay_server_port": 0,
+  "relay_server_static_endpoints": [],
  "udp_timeout": "5m",

  ... // 拨号字段
@@ -88,6 +95,14 @@ icon: material/new-box

 指示节点是否应将自己通告为出口节点。

+#### relay_server_port
+
+监听来自其他 Tailscale 节点的中继连接的端口。
+
+#### relay_server_static_endpoints
+
+为中继服务器通告的静态端点。
+
 #### udp_timeout

 UDP NAT 过期时间。
--- a/docs/configuration/experimental/cache-file.md
+++ b/docs/configuration/experimental/cache-file.md
@@ -3,7 +3,7 @@
 !!! quote "Changes in sing-box 1.9.0"

    :material-plus: [store_rdrc](#store_rdrc)  
-    :material-plus: [rdrc_timeout](#rdrc_timeout)  
+    :material-plus: [rdrc_timeout](#rdrc_timeout)

 ### Structure

--- a/docs/configuration/experimental/cache-file.zh.md
+++ b/docs/configuration/experimental/cache-file.zh.md
@@ -3,7 +3,7 @@
 !!! quote "sing-box 1.9.0 中的更改"

    :material-plus: [store_rdrc](#store_rdrc)  
-    :material-plus: [rdrc_timeout](#rdrc_timeout)  
+    :material-plus: [rdrc_timeout](#rdrc_timeout)

 ### 结构

--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -4,6 +4,8 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.13.0"

+    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
+    :material-plus: [auto_redirect_nfqueue](#auto_redirect_nfqueue)  
    :material-plus: [exclude_mptcp](#exclude_mptcp)

 !!! quote "Changes in sing-box 1.12.0"
@@ -38,7 +40,7 @@ icon: material/new-box
 !!! quote "Changes in sing-box 1.9.0"

    :material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)  
-    :material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)  
+    :material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)

 !!! quote "Changes in sing-box 1.8.0"

@@ -67,6 +69,8 @@ icon: material/new-box
  "auto_redirect": true,
  "auto_redirect_input_mark": "0x2023",
  "auto_redirect_output_mark": "0x2024",
+  "auto_redirect_reset_mark": "0x2025",
+  "auto_redirect_nfqueue": 100,
  "exclude_mptcp": false,
  "loopback_address": [
    "10.7.0.1"
@@ -283,6 +287,22 @@ Connection output mark used by `auto_redirect`.

 `0x2024` is used by default.

+#### auto_redirect_reset_mark
+
+!!! question "Since sing-box 1.13.0"
+
+Connection reset mark used by `auto_redirect` pre-matching.
+
+`0x2025` is used by default.
+
+#### auto_redirect_nfqueue
+
+!!! question "Since sing-box 1.13.0"
+
+NFQueue number used by `auto_redirect` pre-matching.
+
+`100` is used by default.
+
 #### exclude_mptcp

 !!! question "Since sing-box 1.13.0"
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -4,6 +4,8 @@ icon: material/new-box

 !!! quote "sing-box 1.13.0 中的更改"

+    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
+    :material-plus: [auto_redirect_nfqueue](#auto_redirect_nfqueue)  
    :material-plus: [exclude_mptcp](#exclude_mptcp)

 !!! quote "sing-box 1.12.0 中的更改"
@@ -26,7 +28,7 @@ icon: material/new-box
    :material-delete-clock: [inet6_route_address](#inet6_route_address)  
    :material-plus: [route_exclude_address](#route_address)  
    :material-delete-clock: [inet4_route_exclude_address](#inet4_route_exclude_address)  
-    :material-delete-clock: [inet6_route_exclude_address](#inet6_route_exclude_address)   
+    :material-delete-clock: [inet6_route_exclude_address](#inet6_route_exclude_address)  
    :material-plus: [iproute2_table_index](#iproute2_table_index)  
    :material-plus: [iproute2_rule_index](#iproute2_table_index)  
    :material-plus: [auto_redirect](#auto_redirect)  
@@ -38,7 +40,7 @@ icon: material/new-box
 !!! quote "sing-box 1.9.0 中的更改"

    :material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)  
-    :material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)  
+    :material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)

 !!! quote "sing-box 1.8.0 中的更改"

@@ -67,6 +69,8 @@ icon: material/new-box
  "auto_redirect": true,
  "auto_redirect_input_mark": "0x2023",
  "auto_redirect_output_mark": "0x2024",
+  "auto_redirect_reset_mark": "0x2025",
+  "auto_redirect_nfqueue": 100,
  "exclude_mptcp": false,
  "loopback_address": [
    "10.7.0.1"
@@ -282,6 +286,22 @@ tun 接口的 IPv6 前缀。

 默认使用 `0x2024`。

+#### auto_redirect_reset_mark
+
+!!! question "自 sing-box 1.13.0 起"
+
+`auto_redirect` 预匹配使用的连接重置标记。
+
+默认使用 `0x2025`。
+
+#### auto_redirect_nfqueue
+
+!!! question "自 sing-box 1.13.0 起"
+
+`auto_redirect` 预匹配使用的 NFQueue 编号。
+
+默认使用 `100`。
+
 #### exclude_mptcp

 !!! question "自 sing-box 1.13.0 起"
--- a/docs/configuration/outbound/wireguard.md
+++ b/docs/configuration/outbound/wireguard.md
@@ -12,7 +12,7 @@ icon: material/delete-clock

 !!! quote "Changes in sing-box 1.8.0"
    
-    :material-plus: [gso](#gso)  
+    :material-plus: [gso](#gso)

 ### Structure

--- a/docs/configuration/outbound/wireguard.zh.md
+++ b/docs/configuration/outbound/wireguard.zh.md
@@ -12,7 +12,7 @@ icon: material/delete-clock

 !!! quote "sing-box 1.8.0 中的更改"

-    :material-plus: [gso](#gso)  
+    :material-plus: [gso](#gso)

 ### 结构

--- a/docs/configuration/route/rule_action.md
+++ b/docs/configuration/route/rule_action.md
@@ -4,6 +4,7 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.13.0"

+    :material-plus: [bypass](#bypass)  
    :material-alert: [reject](#reject)

 !!! quote "Changes in sing-box 1.12.0"
@@ -44,6 +45,40 @@ Tag of target outbound.

 See `route-options` fields below.

+### bypass
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+    Only supported on Linux with `auto_redirect` enabled.
+
+```json
+{
+  "action": "bypass",
+  "outbound": "",
+
+  ... // route-options Fields
+}
+```
+
+`bypass` bypasses sing-box at the kernel level for auto redirect connections in pre-match.
+
+For non-auto-redirect connections and already established connections,
+if `outbound` is specified, the behavior is the same as `route`;
+otherwise, the rule will be skipped.
+
+#### outbound
+
+Tag of target outbound.
+
+If not specified, the rule only matches in [pre-match](/configuration/shared/pre-match/)
+from auto redirect, and will be skipped in other contexts.
+
+#### route-options Fields
+
+See `route-options` fields below.
+
 ### reject

 !!! quote "Changes in sing-box 1.13.0"
--- a/docs/configuration/route/rule_action.zh.md
+++ b/docs/configuration/route/rule_action.zh.md
@@ -4,6 +4,7 @@ icon: material/new-box

 !!! quote "sing-box 1.13.0 中的更改"

+    :material-plus: [bypass](#bypass)  
    :material-alert: [reject](#reject)

 !!! quote "sing-box 1.12.0 中的更改"
@@ -40,6 +41,37 @@ icon: material/new-box

 参阅下方的 `route-options` 字段。

+### bypass
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+    仅支持 Linux，且需要启用 `auto_redirect`。
+
+```json
+{
+  "action": "bypass",
+  "outbound": "",
+
+  ... // route-options 字段
+}
+```
+
+`bypass` 在预匹配中为 auto redirect 连接在内核层面绕过 sing-box。
+
+对于非 auto redirect 连接和已建立的连接，如果指定了 `outbound`，行为与 `route` 相同；否则规则将被跳过。
+
+#### outbound
+
+目标出站的标签。
+
+如果未指定，规则仅在来自 auto redirect 的[预匹配](/configuration/shared/pre-match/)中匹配，在其他场景中将被跳过。
+
+#### route-options 字段
+
+参阅下方的 `route-options` 字段。
+
 ### reject

 !!! quote "sing-box 1.13.0 中的更改"
--- a/docs/configuration/shared/dial.md
+++ b/docs/configuration/shared/dial.md
@@ -4,8 +4,8 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.13.0"

-    :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
-    :material-plus: [tcp_keep_alive](#tcp_keep_alive)
+    :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)  
+    :material-plus: [tcp_keep_alive](#tcp_keep_alive)  
    :material-plus: [tcp_keep_alive_interval](#tcp_keep_alive_interval)

 !!! quote "Changes in sing-box 1.12.0"
--- a/docs/configuration/shared/dial.zh.md
+++ b/docs/configuration/shared/dial.zh.md
@@ -4,8 +4,8 @@ icon: material/new-box

 !!! quote "sing-box 1.13.0 中的更改"

-    :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
-    :material-plus: [tcp_keep_alive](#tcp_keep_alive)
+    :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)  
+    :material-plus: [tcp_keep_alive](#tcp_keep_alive)  
    :material-plus: [tcp_keep_alive_interval](#tcp_keep_alive_interval)

 !!! quote "sing-box 1.12.0 中的更改"
--- a/docs/configuration/shared/dns01_challenge.md
+++ b/docs/configuration/shared/dns01_challenge.md
@@ -4,7 +4,7 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.13.0"

-    :material-plus: [alidns.security_token](#security_token)
+    :material-plus: [alidns.security_token](#security_token)  
    :material-plus: [cloudflare.zone_token](#zone_token)

 ### Structure
--- a/docs/configuration/shared/dns01_challenge.zh.md
+++ b/docs/configuration/shared/dns01_challenge.zh.md
@@ -4,7 +4,7 @@ icon: material/new-box

 !!! quote "sing-box 1.13.0 中的更改"

-    :material-plus: [alidns.security_token](#security_token)
+    :material-plus: [alidns.security_token](#security_token)  
    :material-plus: [cloudflare.zone_token](#zone_token)

 ### 结构
--- a/docs/configuration/shared/listen.md
+++ b/docs/configuration/shared/listen.md
@@ -4,7 +4,7 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.13.0"

-    :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
+    :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)  
    :material-alert: [tcp_keep_alive](#tcp_keep_alive)

 !!! quote "Changes in sing-box 1.12.0"
--- a/docs/configuration/shared/listen.zh.md
+++ b/docs/configuration/shared/listen.zh.md
@@ -4,7 +4,7 @@ icon: material/new-box

 !!! quote "sing-box 1.13.0 中的更改"

-    :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
+    :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)  
    :material-alert: [tcp_keep_alive](#tcp_keep_alive)

 !!! quote "sing-box 1.12.0 中的更改"
--- a/docs/configuration/shared/pre-match.md
+++ b/docs/configuration/shared/pre-match.md
@@ -0,0 +1,50 @@
+---
+icon: material/new-box
+---
+
+# Pre-match
+
+!!! quote "Changes in sing-box 1.13.0"
+
+    :material-plus: [bypass](#bypass)
+
+Pre-match is rule matching that runs before the connection is established.
+
+### How it works
+
+When TUN receives a connection request, the connection has not yet been established,
+so no connection data can be read. In this phase, sing-box runs the routing rules in pre-match mode.
+
+Since connection data is unavailable, only actions that do not require connection data can be executed.
+When a rule matches an action that requires an established connection, pre-match stops at that rule.
+
+### Supported actions
+
+#### reject
+
+Reject with TCP RST / ICMP unreachable.
+
+See [reject](/configuration/route/rule_action/#reject) for details.
+
+#### route
+
+Route ICMP connections to the specified outbound for direct reply.
+
+See [route](/configuration/route/rule_action/#route) for details.
+
+#### bypass
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+    Only supported on Linux with `auto_redirect` enabled.
+
+Bypass sing-box and connect directly at kernel level.
+
+If `outbound` is not specified, the rule only matches in pre-match from auto redirect,
+and will be skipped in other contexts.
+
+For all other contexts, bypass with `outbound` behaves like `route` action.
+
+See [bypass](/configuration/route/rule_action/#bypass) for details.
--- a/docs/configuration/shared/pre-match.zh.md
+++ b/docs/configuration/shared/pre-match.zh.md
@@ -0,0 +1,47 @@
+---
+icon: material/new-box
+---
+
+# 预匹配
+
+!!! quote "sing-box 1.13.0 中的更改"
+
+    :material-plus: [bypass](#bypass)
+
+预匹配是在连接建立之前运行的规则匹配。
+
+### 工作原理
+
+当 TUN 收到连接请求时，连接尚未建立，因此无法读取连接数据。在此阶段，sing-box 在预匹配模式下运行路由规则。
+
+由于连接数据不可用，只有不需要连接数据的动作才能执行。当规则匹配到需要已建立连接的动作时，预匹配将在该规则处停止。
+
+### 支持的动作
+
+#### reject
+
+以 TCP RST / ICMP 不可达拒绝。
+
+详情参阅 [reject](/configuration/route/rule_action/#reject)。
+
+#### route
+
+将 ICMP 连接路由到指定出站以直接回复。
+
+详情参阅 [route](/configuration/route/rule_action/#route)。
+
+#### bypass
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+    仅支持 Linux，且需要启用 `auto_redirect`。
+
+在内核层面绕过 sing-box 直接连接。
+
+如果未指定 `outbound`，规则仅在来自 auto redirect 的预匹配中匹配，在其他场景中将被跳过。
+
+对于其他所有场景，指定了 `outbound` 的 bypass 行为与 `route` 相同。
+
+详情参阅 [bypass](/configuration/route/rule_action/#bypass)。
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@@ -26,7 +26,7 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.10.0"

-    :material-alert-decagram: [utls](#utls)  
+    :material-alert-decagram: [utls](#utls)

 ### Inbound

--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -18,15 +18,15 @@ icon: material/new-box

 !!! quote "sing-box 1.12.0 中的更改"

-    :material-plus: [fragment](#fragment)
-    :material-plus: [fragment_fallback_delay](#fragment_fallback_delay)
-    :material-plus: [record_fragment](#record_fragment)
-    :material-delete-clock: [ech.pq_signature_schemes_enabled](#pq_signature_schemes_enabled)
+    :material-plus: [fragment](#fragment)  
+    :material-plus: [fragment_fallback_delay](#fragment_fallback_delay)  
+    :material-plus: [record_fragment](#record_fragment)  
+    :material-delete-clock: [ech.pq_signature_schemes_enabled](#pq_signature_schemes_enabled)  
    :material-delete-clock: [ech.dynamic_record_sizing_disabled](#dynamic_record_sizing_disabled)

 !!! quote "sing-box 1.10.0 中的更改"

-    :material-alert-decagram: [utls](#utls)  
+    :material-alert-decagram: [utls](#utls)

 ### 入站

--- a/docs/configuration/shared/wifi-state.md
+++ b/docs/configuration/shared/wifi-state.md
@@ -6,7 +6,7 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.13.0"

-    :material-plus: Linux support
+    :material-plus: Linux support  
    :material-plus: Windows support

 sing-box can monitor Wi-Fi state to enable routing rules based on `wifi_ssid` and `wifi_bssid`.
--- a/docs/configuration/shared/wifi-state.zh.md
+++ b/docs/configuration/shared/wifi-state.zh.md
@@ -6,7 +6,7 @@ icon: material/new-box

 !!! quote "sing-box 1.13.0 的变更"

-    :material-plus: Linux 支持
+    :material-plus: Linux 支持  
    :material-plus: Windows 支持

 sing-box 可以监控 Wi-Fi 状态，以启用基于 `wifi_ssid` 和 `wifi_bssid` 的路由规则。
--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -466,6 +466,19 @@ func (c *CommandClient) GetDeprecatedNotes() (DeprecatedNoteIterator, error) {
 	return newIterator(notes), nil
 }

+func (c *CommandClient) GetStartedAt() (int64, error) {
+	client, err := c.getClientForCall()
+	if err != nil {
+		return 0, err
+	}
+
+	startedAt, err := client.GetStartedAt(context.Background(), &emptypb.Empty{})
+	if err != nil {
+		return 0, err
+	}
+	return startedAt.StartedAt, nil
+}
+
 func (c *CommandClient) SetGroupExpand(groupTag string, isExpand bool) error {
 	client, err := c.getClientForCall()
 	if err != nil {
--- a/experimental/libbox/command_types.go
+++ b/experimental/libbox/command_types.go
@@ -130,6 +130,14 @@ func (c *Connections) Iterator() ConnectionIterator {
 	return newPtrIterator(c.filtered)
 }

+type ProcessInfo struct {
+	ProcessID   int64
+	UserID      int32
+	UserName    string
+	ProcessPath string
+	PackageName string
+}
+
 type Connection struct {
 	ID            string
 	Inbound       string
@@ -152,6 +160,7 @@ type Connection struct {
 	Outbound      string
 	OutboundType  string
 	ChainList     []string
+	ProcessInfo   *ProcessInfo
 }

 func (c *Connection) Chain() StringIterator {
@@ -219,6 +228,16 @@ func OutboundGroupIteratorFromGRPC(groups *daemon.Groups) OutboundGroupIterator
 }

 func ConnectionFromGRPC(conn *daemon.Connection) Connection {
+	var processInfo *ProcessInfo
+	if conn.ProcessInfo != nil {
+		processInfo = &ProcessInfo{
+			ProcessID:   int64(conn.ProcessInfo.ProcessId),
+			UserID:      conn.ProcessInfo.UserId,
+			UserName:    conn.ProcessInfo.UserName,
+			ProcessPath: conn.ProcessInfo.ProcessPath,
+			PackageName: conn.ProcessInfo.PackageName,
+		}
+	}
 	return Connection{
 		ID:            conn.Id,
 		Inbound:       conn.Inbound,
@@ -241,6 +260,7 @@ func ConnectionFromGRPC(conn *daemon.Connection) Connection {
 		Outbound:      conn.Outbound,
 		OutboundType:  conn.OutboundType,
 		ChainList:     conn.ChainList,
+		ProcessInfo:   processInfo,
 	}
 }

--- a/experimental/libbox/dns.go
+++ b/experimental/libbox/dns.go
@@ -46,6 +46,9 @@ func (p *platformTransport) Close() error {
 	return nil
 }

+func (p *platformTransport) Reset() {
+}
+
 func (p *platformTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	response := &ExchangeContext{
 		context: ctx,
--- a/go.mod
+++ b/go.mod
@@ -26,8 +26,8 @@ require (
 	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cors v1.2.1
-	github.com/sagernet/cronet-go v0.0.0-20251222042025-2235d8db9f7f
-	github.com/sagernet/cronet-go/all v0.0.0-20251222042025-2235d8db9f7f
+	github.com/sagernet/cronet-go v0.0.0-20251230094758-5aef2a9e7f0d
+	github.com/sagernet/cronet-go/all v0.0.0-20251230094758-5aef2a9e7f0d
 	github.com/sagernet/fswatch v0.1.1
 	github.com/sagernet/gomobile v0.1.10
 	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
@@ -38,10 +38,10 @@ require (
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
-	github.com/sagernet/sing-tun v0.8.0-beta.11.0.20251201004738-e9e3fbf0c15e
+	github.com/sagernet/sing-tun v0.8.0-beta.11.0.20251226064455-a850c4f8a1c8
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1
 	github.com/sagernet/smux v1.5.34-mod.2
-	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.3.0.20251225080651-3b25379a5bf8
+	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.4
 	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
 	github.com/spf13/cobra v1.10.2
@@ -73,6 +73,7 @@ require (
 	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa // indirect
 	github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 // indirect
 	github.com/ebitengine/purego v0.9.1 // indirect
+	github.com/florianl/go-nfqueue/v2 v2.0.2 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/gaissmai/bart v0.18.0 // indirect
@@ -101,28 +102,28 @@ require (
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
-	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20251222041542-7fa506facd17 // indirect
-	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20251222041542-7fa506facd17 // indirect
+	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20251230094225-9a5fe902f561 // indirect
+	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20251230094225-9a5fe902f561 // indirect
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a // indirect
 	github.com/sagernet/nftables v0.3.0-beta.4 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
--- a/go.sum
+++ b/go.sum
@@ -39,6 +39,8 @@ github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:CaO/zOnF8VvUfEbhRatPcwKVWamvbY
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
 github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
 github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/florianl/go-nfqueue/v2 v2.0.2 h1:FL5lQTeetgpCvac1TRwSfgaXUn0YSO7WzGvWNIp3JPE=
+github.com/florianl/go-nfqueue/v2 v2.0.2/go.mod h1:VA09+iPOT43OMoCKNfXHyzujQUty2xmzyCRkBOlmabc=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
@@ -143,54 +145,54 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cors v1.2.1 h1:Cv5Z8y9YSD6Gm+qSpNrL3LO4lD3eQVvbFYJSG7JCMHQ=
 github.com/sagernet/cors v1.2.1/go.mod h1:O64VyOjjhrkLmQIjF4KGRrJO/5dVXFdpEmCW/eISRAI=
-github.com/sagernet/cronet-go v0.0.0-20251222042025-2235d8db9f7f h1:F8MAWpgYSZp9xAuvmiqRRF2fydn49qbao3pFduuClYw=
-github.com/sagernet/cronet-go v0.0.0-20251222042025-2235d8db9f7f/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
-github.com/sagernet/cronet-go/all v0.0.0-20251222042025-2235d8db9f7f h1:oxWJoIIF19Zcp438OTQLtXhFHcYzjw+QRjwhhOzRRrQ=
-github.com/sagernet/cronet-go/all v0.0.0-20251222042025-2235d8db9f7f/go.mod h1:TTaiEGVltL4Dzde1pL5f8hxbsNhOZmsEBEUC0yqGiyw=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20251222041542-7fa506facd17 h1:Mi/DrxIKK20bkvr8qV6Fxa/dc6yoRpyFkqe/HcVwxYE=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20251222041542-7fa506facd17/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20251222041542-7fa506facd17 h1:T07c63qkYlZCs2nDZL4Tt2FJQFKWoj6GThlw3Osq3PY=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20251222041542-7fa506facd17/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20251222041542-7fa506facd17 h1:wDect54Q6dTMtChbHmpe64KZ/nJjv2o0NcysTyVFq88=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20251222041542-7fa506facd17/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20251222041542-7fa506facd17 h1:DkPqqL8AH/Lj2i+0z7/7qmDCIhveKp+TXNcxI6ZF0Xg=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20251222041542-7fa506facd17/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20251222041542-7fa506facd17 h1:Is0ifg/hoF00wFvaHDLqAuEb4Jl/bENQq6x6jRhubV0=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20251222041542-7fa506facd17/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20251222041542-7fa506facd17 h1:2r2ikm5/GGypJOHfBpCMgOZoYzv+aV3yvaH/SPeHfPI=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20251222041542-7fa506facd17/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20251222041542-7fa506facd17 h1:j3fEUwtZ2LGrO6PzmgEGLMl5fea5wWi3SdilRugIICM=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20251222041542-7fa506facd17/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20251222041542-7fa506facd17 h1:kurrkp2s0NJhjJZYwGX/vi3BxO9Fb35BWApx70G4dlI=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20251222041542-7fa506facd17/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20251222041542-7fa506facd17 h1:cDHzVFgU2ltySWhYWfH2sOuOn+EdgK9z+l46jrIFyhw=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20251222041542-7fa506facd17/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20251222041542-7fa506facd17 h1:7U/ckrSuJ97R8aN+9B2MNc7F2vVE+2yBa5rsojYSJcA=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20251222041542-7fa506facd17/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20251222041542-7fa506facd17 h1:IfmxdknkJuwdMIlMLLtKLUdeZLlUTGmOT9G3AatLQLA=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20251222041542-7fa506facd17/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20251222041542-7fa506facd17 h1:DscNAuZZ8R1ubT6z2pIyZ+sVTIaoE7d7Y+PpJq5pTxY=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20251222041542-7fa506facd17/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20251222041542-7fa506facd17 h1:vNFAvJYE+8eTMbLC4B8Bx6lxG1SFA3yTd7QqFNAo0fE=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20251222041542-7fa506facd17/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20251222041542-7fa506facd17 h1:dEqWelap2tzWTtp7tUGEvvGdgPanBQceU2Kszn2A4Uc=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20251222041542-7fa506facd17/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20251222041542-7fa506facd17 h1:JYD1fglGfabg0/rQv4NT3DpOUMw2cYnp9ywa+zdFjDI=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20251222041542-7fa506facd17/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20251222041542-7fa506facd17 h1:oGurnJbJF2jUx8qt5Hge5m8bZ+bC0bg7Rj1QIy+iIig=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20251222041542-7fa506facd17/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20251222041542-7fa506facd17 h1:3TpHov3UIWwFcoGMO9d4+V6wAZZL2FaGg2YQSKxXT3I=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20251222041542-7fa506facd17/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20251222041542-7fa506facd17 h1:BY6yotGRpBWO++kJ4Y4ny4aJQLLe674KOrZfBT5Kf0A=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20251222041542-7fa506facd17/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20251222041542-7fa506facd17 h1:tKhSyhd0YdwnMMrxionY5Tii3f1S7L8VPn2prliEVrY=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20251222041542-7fa506facd17/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20251222041542-7fa506facd17 h1:4lhYLzCAQVoOzt3IEjSApyIW4yNujJ5ppemztvi4rhE=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20251222041542-7fa506facd17/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20251222041542-7fa506facd17 h1:PQjICo8R+uWDyssgqsno3Xh3YJ/qYQHEqXW3FYPSi+Y=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20251222041542-7fa506facd17/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20251222041542-7fa506facd17 h1:dba+qxmctcQ7jvOufwICi92u7NQ03DGPlB+KPPzpBWg=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20251222041542-7fa506facd17/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
+github.com/sagernet/cronet-go v0.0.0-20251230094758-5aef2a9e7f0d h1:1oTc5+PjhCjdDro0VYZzwPee0CvTmMbDnyxZAThYvq4=
+github.com/sagernet/cronet-go v0.0.0-20251230094758-5aef2a9e7f0d/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
+github.com/sagernet/cronet-go/all v0.0.0-20251230094758-5aef2a9e7f0d h1:lRwTaavH9XOCf3QPEY9FNkOsy1jLWpo5Lg6Vas9XShs=
+github.com/sagernet/cronet-go/all v0.0.0-20251230094758-5aef2a9e7f0d/go.mod h1:Wqam5NDbMkewyy+33wu6wsq4uNHGoskHaon1XsTxQMg=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20251230094225-9a5fe902f561 h1:vjswtG+1CNj4kni3haVLzIn8C7RKa3RnFUXG8OofgSE=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20251230094225-9a5fe902f561/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20251230094225-9a5fe902f561 h1:ciuXFp02usTUyj9MpzwlB0bEyEjF0VVINMl5QG5uIu4=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20251230094225-9a5fe902f561/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20251230094225-9a5fe902f561 h1:qJVWgBiznBwkfQ9EB0TpjgVVeBVHb/COaItekq/EZ5w=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20251230094225-9a5fe902f561/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20251230094225-9a5fe902f561 h1:FEJJEbbmmOv37Lx+JgHlXIdTXzP0TNYHBvzGgbft4fA=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20251230094225-9a5fe902f561/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20251230094225-9a5fe902f561 h1:w9Z3W30bdQrmme2qfJBfkZGUKirPe6N4caCDqp7+ArI=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20251230094225-9a5fe902f561/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20251230094225-9a5fe902f561 h1:7lJXCswd6nIrw31MJYet0sNcIxD9MVxKW/UoSPynBxw=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20251230094225-9a5fe902f561/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20251230094225-9a5fe902f561 h1:dCten+Kq71YCOGxezyIQqpe5zctf4Oxwhk8tgHUuy0g=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20251230094225-9a5fe902f561/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20251230094225-9a5fe902f561 h1:Q6RE/v/XXaCLOh7w7iIuzCRhwWIjk+ikMcKSqO8vA6c=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20251230094225-9a5fe902f561/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20251230094225-9a5fe902f561 h1:bzXuJwzMy/+RLVXYQrNL3cqPYP7pW9OaItF0zyNkBl4=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20251230094225-9a5fe902f561/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20251230094225-9a5fe902f561 h1:bzYwMTJ1nenaNkf/TMTj3Cj1KCq2QAE9pvEy8ARdZsY=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20251230094225-9a5fe902f561/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20251230094225-9a5fe902f561 h1:lfbECpdqczlAvfkpM6q8CjFWLMjRmkf6eHaFgNMOWZ8=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20251230094225-9a5fe902f561/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20251230094225-9a5fe902f561 h1:RlA+oS6G9D5i1RNbUyGdGKTY9fAr9sjQs+zZiEghinU=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20251230094225-9a5fe902f561/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20251230094225-9a5fe902f561 h1:MJLgEelOSdhX/3XU7n9dykExmJ5eoA2rZFXRzbiw+vE=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20251230094225-9a5fe902f561/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20251230094225-9a5fe902f561 h1:0UIPfoF74+vwCIAYlCq8NGq+em+byaMIJLUIksakdCg=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20251230094225-9a5fe902f561/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20251230094225-9a5fe902f561 h1:h8zDiRnLpHY8oidZqIE0SOiDqswCBSskHWPRqHGD3F0=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20251230094225-9a5fe902f561/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20251230094225-9a5fe902f561 h1:N/svqvPrxxjhPAmZ6OwROQiF3Lg/BoViwGZpnxma3U8=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20251230094225-9a5fe902f561/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20251230094225-9a5fe902f561 h1:Hoqa5ub53wdkVKBy0rH0pacg5tDdfJq6ZJ4kORdgr+s=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20251230094225-9a5fe902f561/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20251230094225-9a5fe902f561 h1:w6Y6mcEDFXa8kuLIAlM87TuI4UXK9Nl/CGzYDnroTK8=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20251230094225-9a5fe902f561/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20251230094225-9a5fe902f561 h1:4GmOCqjTzAqRZky/epW0zRgEYGbNXNcupxDf2WwWS4Y=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20251230094225-9a5fe902f561/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20251230094225-9a5fe902f561 h1:dWnsBlKtGwd9qebvReFAL64CZ/DCMo5eZiqS7cwuP38=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20251230094225-9a5fe902f561/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20251230094225-9a5fe902f561 h1:ri/eIHXgK+PrK/Z05Gv+xwI7PsrsANWEB2EDr6NkBTY=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20251230094225-9a5fe902f561/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20251230094225-9a5fe902f561 h1:JGN++AgXz57mkZ4UmxEuuvmaj32+yF2mZLNnsfvOm08=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20251230094225-9a5fe902f561/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
 github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQs=
 github.com/sagernet/fswatch v0.1.1/go.mod h1:nz85laH0mkQqJfaOrqPpkwtU1znMFNVTpT/5oRsVz/o=
 github.com/sagernet/gomobile v0.1.10 h1:ElqZ0OVDvyQlU91MU0C9cfU0FrILBbc65+NOKzZ1t0c=
@@ -216,14 +218,14 @@ github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnq
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.8.0-beta.11.0.20251201004738-e9e3fbf0c15e h1:ZEv+9vy7vC1vbr3LfwZGx3JAOkl/w4+hnGamHw4W36M=
-github.com/sagernet/sing-tun v0.8.0-beta.11.0.20251201004738-e9e3fbf0c15e/go.mod h1:eWETzl4AwaxGKiZTpDIDVJLTBz9cfIdoZwaZY1jlSjg=
+github.com/sagernet/sing-tun v0.8.0-beta.11.0.20251226064455-a850c4f8a1c8 h1:aIgk6YzS/7fNm92CycFWzithdwIc+NAwXGHAJce1dyM=
+github.com/sagernet/sing-tun v0.8.0-beta.11.0.20251226064455-a850c4f8a1c8/go.mod h1:+HAK/y9GZljdT0KYKMYDR8MjjqnqDDQZYp5ZZQoRzS8=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkVyVvdmBSufR8/nRFonwJeKSIROxHcm5br9o=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
 github.com/sagernet/smux v1.5.34-mod.2 h1:gkmBjIjlJ2zQKpLigOkFur5kBKdV6bNRoFu2WkltRQ4=
 github.com/sagernet/smux v1.5.34-mod.2/go.mod h1:0KW0+R+ycvA2INW4gbsd7BNyg+HEfLIAxa5N02/28Zc=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.3.0.20251225080651-3b25379a5bf8 h1:+rb3fIFwFxhCkIt8B/V3bXWZmiNwDWBd22jQMxqY92w=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.3.0.20251225080651-3b25379a5bf8/go.mod h1:HZxL3asFIkcIJtHdnqsdcXsY6d+1iMtq0SPUlX17TGM=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.4 h1:p+9JllOL5Q2pj6bmP9gu+LdjyRg/XxHLTpMfuhuQsY4=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.4/go.mod h1:HZxL3asFIkcIJtHdnqsdcXsY6d+1iMtq0SPUlX17TGM=
 github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288 h1:E2tZFeg9mGYGQ7E7BbxMv1cU35HxwgRm6tPKI2Pp7DA=
 github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
--- a/log/log.go
+++ b/log/log.go
@@ -40,6 +40,7 @@ func New(options Options) (Factory, error) {
 	case "stdout":
 		logWriter = os.Stdout
 	default:
+		logWriter = io.Discard
 		logFilePath = logOptions.Output
 	}
 	logFormatter := Formatter{
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -122,6 +122,7 @@ nav:
          - Dial Fields: configuration/shared/dial.md
          - TLS: configuration/shared/tls.md
          - DNS01 Challenge Fields: configuration/shared/dns01_challenge.md
+          - Pre-match: configuration/shared/pre-match.md
          - Multiplex: configuration/shared/multiplex.md
          - V2Ray Transport: configuration/shared/v2ray-transport.md
          - UDP over TCP: configuration/shared/udp-over-tcp.md
--- a/option/rule_action.go
+++ b/option/rule_action.go
@@ -18,6 +18,7 @@ type _RuleAction struct {
 	RouteOptions        RouteActionOptions        `json:"-"`
 	RouteOptionsOptions RouteOptionsActionOptions `json:"-"`
 	DirectOptions       DirectActionOptions       `json:"-"`
+	BypassOptions       RouteActionOptions        `json:"-"`
 	RejectOptions       RejectActionOptions       `json:"-"`
 	SniffOptions        RouteActionSniff          `json:"-"`
 	ResolveOptions      RouteActionResolve        `json:"-"`
@@ -38,6 +39,8 @@ func (r RuleAction) MarshalJSON() ([]byte, error) {
 		v = r.RouteOptionsOptions
 	case C.RuleActionTypeDirect:
 		v = r.DirectOptions
+	case C.RuleActionTypeBypass:
+		v = r.BypassOptions
 	case C.RuleActionTypeReject:
 		v = r.RejectOptions
 	case C.RuleActionTypeHijackDNS:
@@ -69,6 +72,8 @@ func (r *RuleAction) UnmarshalJSON(data []byte) error {
 		v = &r.RouteOptionsOptions
 	case C.RuleActionTypeDirect:
 		v = &r.DirectOptions
+	case C.RuleActionTypeBypass:
+		v = &r.BypassOptions
 	case C.RuleActionTypeReject:
 		v = &r.RejectOptions
 	case C.RuleActionTypeHijackDNS:
@@ -84,7 +89,11 @@ func (r *RuleAction) UnmarshalJSON(data []byte) error {
 		// check unknown fields
 		return json.UnmarshalDisallowUnknownFields(data, &_RuleAction{})
 	}
-	return badjson.UnmarshallExcluded(data, (*_RuleAction)(r), v)
+	err = badjson.UnmarshallExcluded(data, (*_RuleAction)(r), v)
+	if err != nil {
+		return err
+	}
+	return nil
 }

 type _DNSRuleAction struct {
--- a/option/tailscale.go
+++ b/option/tailscale.go
@@ -12,17 +12,19 @@ import (

 type TailscaleEndpointOptions struct {
 	DialerOptions
-	StateDirectory         string           `json:"state_directory,omitempty"`
-	AuthKey                string           `json:"auth_key,omitempty"`
-	ControlURL             string           `json:"control_url,omitempty"`
-	Ephemeral              bool             `json:"ephemeral,omitempty"`
-	Hostname               string           `json:"hostname,omitempty"`
-	AcceptRoutes           bool             `json:"accept_routes,omitempty"`
-	ExitNode               string           `json:"exit_node,omitempty"`
-	ExitNodeAllowLANAccess bool             `json:"exit_node_allow_lan_access,omitempty"`
-	AdvertiseRoutes        []netip.Prefix   `json:"advertise_routes,omitempty"`
-	AdvertiseExitNode      bool             `json:"advertise_exit_node,omitempty"`
-	UDPTimeout             UDPTimeoutCompat `json:"udp_timeout,omitempty"`
+	StateDirectory             string             `json:"state_directory,omitempty"`
+	AuthKey                    string             `json:"auth_key,omitempty"`
+	ControlURL                 string             `json:"control_url,omitempty"`
+	Ephemeral                  bool               `json:"ephemeral,omitempty"`
+	Hostname                   string             `json:"hostname,omitempty"`
+	AcceptRoutes               bool               `json:"accept_routes,omitempty"`
+	ExitNode                   string             `json:"exit_node,omitempty"`
+	ExitNodeAllowLANAccess     bool               `json:"exit_node_allow_lan_access,omitempty"`
+	AdvertiseRoutes            []netip.Prefix     `json:"advertise_routes,omitempty"`
+	AdvertiseExitNode          bool               `json:"advertise_exit_node,omitempty"`
+	RelayServerPort            *uint16            `json:"relay_server_port,omitempty"`
+	RelayServerStaticEndpoints []netip.AddrPort   `json:"relay_server_static_endpoints,omitempty"`
+	UDPTimeout                 UDPTimeoutCompat   `json:"udp_timeout,omitempty"`
 }

 type TailscaleDNSServerOptions struct {
--- a/option/tun.go
+++ b/option/tun.go
@@ -20,6 +20,8 @@ type TunInboundOptions struct {
 	AutoRedirect           bool                             `json:"auto_redirect,omitempty"`
 	AutoRedirectInputMark  FwMark                           `json:"auto_redirect_input_mark,omitempty"`
 	AutoRedirectOutputMark FwMark                           `json:"auto_redirect_output_mark,omitempty"`
+	AutoRedirectResetMark  FwMark                           `json:"auto_redirect_reset_mark,omitempty"`
+	AutoRedirectNFQueue    uint16                           `json:"auto_redirect_nfqueue,omitempty"`
 	ExcludeMPTCP           bool                             `json:"exclude_mptcp,omitempty"`
 	LoopbackAddress        badoption.Listable[netip.Addr]   `json:"loopback_address,omitempty"`
 	StrictRoute            bool                             `json:"strict_route,omitempty"`
--- a/protocol/tailscale/endpoint.go
+++ b/protocol/tailscale/endpoint.go
@@ -44,6 +44,7 @@ import (
 	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"
+	_ "github.com/sagernet/tailscale/feature/relayserver"
 	"github.com/sagernet/tailscale/ipn"
 	tsDNS "github.com/sagernet/tailscale/net/dns"
 	"github.com/sagernet/tailscale/net/netmon"
@@ -91,11 +92,13 @@ type Endpoint struct {
 	routeDomains  common.TypedValue[map[string]bool]
 	routePrefixes atomic.Pointer[netipx.IPSet]

-	acceptRoutes           bool
-	exitNode               string
-	exitNodeAllowLANAccess bool
-	advertiseRoutes        []netip.Prefix
-	advertiseExitNode      bool
+	acceptRoutes               bool
+	exitNode                   string
+	exitNodeAllowLANAccess     bool
+	advertiseRoutes            []netip.Prefix
+	advertiseExitNode          bool
+	relayServerPort            *uint16
+	relayServerStaticEndpoints []netip.AddrPort

 	udpTimeout time.Duration
 }
@@ -183,20 +186,22 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 		},
 	}
 	return &Endpoint{
-		Adapter:                endpoint.NewAdapter(C.TypeTailscale, tag, []string{N.NetworkTCP, N.NetworkUDP, N.NetworkICMP}, nil),
-		ctx:                    ctx,
-		router:                 router,
-		logger:                 logger,
-		dnsRouter:              dnsRouter,
-		network:                service.FromContext[adapter.NetworkManager](ctx),
-		platformInterface:      service.FromContext[adapter.PlatformInterface](ctx),
-		server:                 server,
-		acceptRoutes:           options.AcceptRoutes,
-		exitNode:               options.ExitNode,
-		exitNodeAllowLANAccess: options.ExitNodeAllowLANAccess,
-		advertiseRoutes:        options.AdvertiseRoutes,
-		advertiseExitNode:      options.AdvertiseExitNode,
-		udpTimeout:             udpTimeout,
+		Adapter:                    endpoint.NewAdapter(C.TypeTailscale, tag, []string{N.NetworkTCP, N.NetworkUDP, N.NetworkICMP}, nil),
+		ctx:                        ctx,
+		router:                     router,
+		logger:                     logger,
+		dnsRouter:                  dnsRouter,
+		network:                    service.FromContext[adapter.NetworkManager](ctx),
+		platformInterface:          service.FromContext[adapter.PlatformInterface](ctx),
+		server:                     server,
+		acceptRoutes:               options.AcceptRoutes,
+		exitNode:                   options.ExitNode,
+		exitNodeAllowLANAccess:     options.ExitNodeAllowLANAccess,
+		advertiseRoutes:            options.AdvertiseRoutes,
+		advertiseExitNode:          options.AdvertiseExitNode,
+		relayServerPort:            options.RelayServerPort,
+		relayServerStaticEndpoints: options.RelayServerStaticEndpoints,
+		udpTimeout:                 udpTimeout,
 	}, nil
 }

@@ -270,6 +275,14 @@ func (t *Endpoint) Start(stage adapter.StartStage) error {
 	if t.advertiseExitNode {
 		perfs.AdvertiseRoutes = append(perfs.AdvertiseRoutes, tsaddr.ExitRoutes()...)
 	}
+	if t.relayServerPort != nil {
+		perfs.RelayServerPort = t.relayServerPort
+		perfs.RelayServerPortSet = true
+	}
+	if len(t.relayServerStaticEndpoints) > 0 {
+		perfs.RelayServerStaticEndpoints = t.relayServerStaticEndpoints
+		perfs.RelayServerStaticEndpointsSet = true
+	}
 	_, err = localBackend.EditPrefs(perfs)
 	if err != nil {
 		return E.Cause(err, "update prefs")
@@ -463,10 +476,17 @@ func (t *Endpoint) PrepareConnection(network string, source M.Socksaddr, destina
 		Network:     network,
 		Source:      source,
 		Destination: destination,
-	}, routeContext, timeout)
+	}, routeContext, timeout, false)
 	if err != nil {
-		if !rule.IsRejected(err) {
-			t.logger.Warn(E.Cause(err, "link ", network, " connection from ", source.AddrString(), " to ", destination.AddrString()))
+		switch {
+		case rule.IsBypassed(err):
+			err = nil
+		case rule.IsRejected(err):
+			t.logger.Trace("reject ", network, " connection from ", source.AddrString(), " to ", destination.AddrString())
+		default:
+			if network == N.NetworkICMP {
+				t.logger.Warn(E.Cause(err, "link ", network, " connection from ", source.AddrString(), " to ", destination.AddrString()))
+			}
 		}
 	}
 	return routeDestination, err
--- a/protocol/tun/inbound.go
+++ b/protocol/tun/inbound.go
@@ -182,6 +182,14 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 	if outputMark == 0 {
 		outputMark = tun.DefaultAutoRedirectOutputMark
 	}
+	resetMark := uint32(options.AutoRedirectResetMark)
+	if resetMark == 0 {
+		resetMark = tun.DefaultAutoRedirectResetMark
+	}
+	nfQueue := options.AutoRedirectNFQueue
+	if nfQueue == 0 {
+		nfQueue = tun.DefaultAutoRedirectNFQueue
+	}
 	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	multiPendingPackets := C.IsDarwin && ((options.Stack == "gvisor" && tunMTU < 32768) || (options.Stack != "gvisor" && options.MTU <= 9000))
 	inbound := &Inbound{
@@ -202,6 +210,8 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 			IPRoute2RuleIndex:        ruleIndex,
 			AutoRedirectInputMark:    inputMark,
 			AutoRedirectOutputMark:   outputMark,
+			AutoRedirectResetMark:    resetMark,
+			AutoRedirectNFQueue:      nfQueue,
 			ExcludeMPTCP:             options.ExcludeMPTCP,
 			Inet4LoopbackAddress:     common.Filter(options.LoopbackAddress, netip.Addr.Is4),
 			Inet6LoopbackAddress:     common.Filter(options.LoopbackAddress, netip.Addr.Is6),
@@ -470,10 +480,17 @@ func (t *Inbound) PrepareConnection(network string, source M.Socksaddr, destinat
 		Source:         source,
 		Destination:    destination,
 		InboundOptions: t.inboundOptions,
-	}, routeContext, timeout)
+	}, routeContext, timeout, false)
 	if err != nil {
-		if !rule.IsRejected(err) {
-			t.logger.Warn(E.Cause(err, "link ", network, " connection from ", source.AddrString(), " to ", destination.AddrString()))
+		switch {
+		case rule.IsBypassed(err):
+			err = nil
+		case rule.IsRejected(err):
+			t.logger.Trace("reject ", network, " connection from ", source.AddrString(), " to ", destination.AddrString())
+		default:
+			if network == N.NetworkICMP {
+				t.logger.Warn(E.Cause(err, "link ", network, " connection from ", source.AddrString(), " to ", destination.AddrString()))
+			}
 		}
 	}
 	return routeDestination, err
@@ -509,6 +526,37 @@ func (t *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,

 type autoRedirectHandler Inbound

+func (t *autoRedirectHandler) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
+	var ipVersion uint8
+	if !destination.IsIPv6() {
+		ipVersion = 4
+	} else {
+		ipVersion = 6
+	}
+	routeDestination, err := t.router.PreMatch(adapter.InboundContext{
+		Inbound:        t.tag,
+		InboundType:    C.TypeTun,
+		IPVersion:      ipVersion,
+		Network:        network,
+		Source:         source,
+		Destination:    destination,
+		InboundOptions: t.inboundOptions,
+	}, routeContext, timeout, true)
+	if err != nil {
+		switch {
+		case rule.IsBypassed(err):
+			t.logger.Trace("bypass ", network, " connection from ", source.AddrString(), " to ", destination.AddrString())
+		case rule.IsRejected(err):
+			t.logger.Trace("reject ", network, " connection from ", source.AddrString(), " to ", destination.AddrString())
+		default:
+			if network == N.NetworkICMP {
+				t.logger.Warn(E.Cause(err, "link ", network, " connection from ", source.AddrString(), " to ", destination.AddrString()))
+			}
+		}
+	}
+	return routeDestination, err
+}
+
 func (t *autoRedirectHandler) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	ctx = log.ContextWithNewID(ctx)
 	var metadata adapter.InboundContext
@@ -522,3 +570,7 @@ func (t *autoRedirectHandler) NewConnectionEx(ctx context.Context, conn net.Conn
 	t.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
 	t.router.RouteConnectionEx(ctx, conn, metadata, onClose)
 }
+
+func (t *autoRedirectHandler) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+	panic("unexcepted")
+}
--- a/protocol/wireguard/endpoint.go
+++ b/protocol/wireguard/endpoint.go
@@ -140,10 +140,17 @@ func (w *Endpoint) PrepareConnection(network string, source M.Socksaddr, destina
 		Network:     network,
 		Source:      source,
 		Destination: destination,
-	}, routeContext, timeout)
+	}, routeContext, timeout, false)
 	if err != nil {
-		if !rule.IsRejected(err) {
-			w.logger.Warn(E.Cause(err, "link ", network, " connection from ", source.AddrString(), " to ", destination.AddrString()))
+		switch {
+		case rule.IsBypassed(err):
+			err = nil
+		case rule.IsRejected(err):
+			w.logger.Trace("reject ", network, " connection from ", source.AddrString(), " to ", destination.AddrString())
+		default:
+			if network == N.NetworkICMP {
+				w.logger.Warn(E.Cause(err, "link ", network, " connection from ", source.AddrString(), " to ", destination.AddrString()))
+			}
 		}
 	}
 	return routeDestination, err
--- a/route/route.go
+++ b/route/route.go
@@ -95,7 +95,7 @@ func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata ad
 	if deadline.NeedAdditionalReadDeadline(conn) {
 		conn = deadline.NewConn(conn)
 	}
-	selectedRule, _, buffers, _, err := r.matchRule(ctx, &metadata, false, conn, nil)
+	selectedRule, _, buffers, _, err := r.matchRule(ctx, &metadata, false, false, conn, nil)
 	if err != nil {
 		return err
 	}
@@ -113,6 +113,20 @@ func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata ad
 				buf.ReleaseMulti(buffers)
 				return E.New("TCP is not supported by outbound: ", selectedOutbound.Tag())
 			}
+		case *R.RuleActionBypass:
+			if action.Outbound == "" {
+				break
+			}
+			var loaded bool
+			selectedOutbound, loaded = r.outbound.Outbound(action.Outbound)
+			if !loaded {
+				buf.ReleaseMulti(buffers)
+				return E.New("outbound not found: ", action.Outbound)
+			}
+			if !common.Contains(selectedOutbound.Network(), N.NetworkTCP) {
+				buf.ReleaseMulti(buffers)
+				return E.New("TCP is not supported by outbound: ", selectedOutbound.Tag())
+			}
 		case *R.RuleActionReject:
 			buf.ReleaseMulti(buffers)
 			if action.Method == C.RuleActionRejectMethodReply {
@@ -212,7 +226,7 @@ func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, m
 		conn = deadline.NewPacketConn(bufio.NewNetPacketConn(conn))
 	}*/

-	selectedRule, _, _, packetBuffers, err := r.matchRule(ctx, &metadata, false, nil, conn)
+	selectedRule, _, _, packetBuffers, err := r.matchRule(ctx, &metadata, false, false, nil, conn)
 	if err != nil {
 		return err
 	}
@@ -231,6 +245,20 @@ func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, m
 				N.ReleaseMultiPacketBuffer(packetBuffers)
 				return E.New("UDP is not supported by outbound: ", selectedOutbound.Tag())
 			}
+		case *R.RuleActionBypass:
+			if action.Outbound == "" {
+				break
+			}
+			var loaded bool
+			selectedOutbound, loaded = r.outbound.Outbound(action.Outbound)
+			if !loaded {
+				N.ReleaseMultiPacketBuffer(packetBuffers)
+				return E.New("outbound not found: ", action.Outbound)
+			}
+			if !common.Contains(selectedOutbound.Network(), N.NetworkUDP) {
+				N.ReleaseMultiPacketBuffer(packetBuffers)
+				return E.New("UDP is not supported by outbound: ", selectedOutbound.Tag())
+			}
 		case *R.RuleActionReject:
 			N.ReleaseMultiPacketBuffer(packetBuffers)
 			if action.Method == C.RuleActionRejectMethodReply {
@@ -267,8 +295,8 @@ func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, m
 	return nil
 }

-func (r *Router) PreMatch(metadata adapter.InboundContext, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
-	selectedRule, _, _, _, err := r.matchRule(r.ctx, &metadata, true, nil, nil)
+func (r *Router) PreMatch(metadata adapter.InboundContext, routeContext tun.DirectRouteContext, timeout time.Duration, supportBypass bool) (tun.DirectRouteDestination, error) {
+	selectedRule, _, _, _, err := r.matchRule(r.ctx, &metadata, true, supportBypass, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -287,6 +315,21 @@ func (r *Router) PreMatch(metadata adapter.InboundContext, routeContext tun.Dire
 				}
 			}
 			return nil, action.Error(context.Background())
+		case *R.RuleActionBypass:
+			if supportBypass {
+				return nil, &R.BypassedError{Cause: tun.ErrBypass}
+			}
+			if routeContext == nil {
+				return nil, nil
+			}
+			outbound, loaded := r.outbound.Outbound(action.Outbound)
+			if !loaded {
+				return nil, E.New("outbound not found: ", action.Outbound)
+			}
+			if !common.Contains(outbound.Network(), metadata.Network) {
+				return nil, E.New(metadata.Network, " is not supported by outbound: ", action.Outbound)
+			}
+			directRouteOutbound = outbound.(adapter.DirectRouteOutbound)
 		case *R.RuleActionRoute:
 			if routeContext == nil {
 				return nil, nil
@@ -364,7 +407,7 @@ func (r *Router) PreMatch(metadata adapter.InboundContext, routeContext tun.Dire
 }

 func (r *Router) matchRule(
-	ctx context.Context, metadata *adapter.InboundContext, preMatch bool,
+	ctx context.Context, metadata *adapter.InboundContext, preMatch bool, supportBypass bool,
 	inputConn net.Conn, inputPacketConn N.PacketConn,
 ) (
 	selectedRule adapter.Rule, selectedRuleIndex int,
@@ -572,6 +615,15 @@ match:
 			selectedRuleIndex = currentRuleIndex
 			break match
 		}
+		if actionType == C.RuleActionTypeBypass {
+			bypassAction := currentRule.Action().(*R.RuleActionBypass)
+			if !supportBypass && bypassAction.Outbound == "" {
+				continue match
+			}
+			selectedRule = currentRule
+			selectedRuleIndex = currentRuleIndex
+			break match
+		}
 	}
 	return
 }
--- a/route/router.go
+++ b/route/router.go
@@ -118,6 +118,9 @@ func (r *Router) Start(stage adapter.StartStage) error {
 				needFindProcess = true
 			}
 		}
+		if C.IsAndroid && r.platformInterface != nil {
+			needFindProcess = true
+		}
 		if needFindProcess {
 			if r.platformInterface != nil && r.platformInterface.UsePlatformConnectionOwnerFinder() {
 				r.processSearcher = newPlatformSearcher(r.platformInterface)
--- a/route/rule/rule_action.go
+++ b/route/rule/rule_action.go
@@ -56,6 +56,21 @@ func NewRuleAction(ctx context.Context, logger logger.ContextLogger, action opti
 			TLSFragmentFallbackDelay:  time.Duration(action.RouteOptionsOptions.TLSFragmentFallbackDelay),
 			TLSRecordFragment:         action.RouteOptionsOptions.TLSRecordFragment,
 		}, nil
+	case C.RuleActionTypeBypass:
+		return &RuleActionBypass{
+			Outbound: action.BypassOptions.Outbound,
+			RuleActionRouteOptions: RuleActionRouteOptions{
+				OverrideAddress:           M.ParseSocksaddrHostPort(action.BypassOptions.OverrideAddress, 0),
+				OverridePort:              action.BypassOptions.OverridePort,
+				NetworkStrategy:           (*C.NetworkStrategy)(action.BypassOptions.NetworkStrategy),
+				FallbackDelay:             time.Duration(action.BypassOptions.FallbackDelay),
+				UDPDisableDomainUnmapping: action.BypassOptions.UDPDisableDomainUnmapping,
+				UDPConnect:                action.BypassOptions.UDPConnect,
+				TLSFragment:               action.BypassOptions.TLSFragment,
+				TLSFragmentFallbackDelay:  time.Duration(action.BypassOptions.TLSFragmentFallbackDelay),
+				TLSRecordFragment:         action.BypassOptions.TLSRecordFragment,
+			},
+		}, nil
 	case C.RuleActionTypeDirect:
 		directDialer, err := dialer.New(ctx, option.DialerOptions(action.DirectOptions), false)
 		if err != nil {
@@ -158,6 +173,25 @@ func (r *RuleActionRoute) String() string {
 	return F.ToString("route(", strings.Join(descriptions, ","), ")")
 }

+type RuleActionBypass struct {
+	Outbound string
+	RuleActionRouteOptions
+}
+
+func (r *RuleActionBypass) Type() string {
+	return C.RuleActionTypeBypass
+}
+
+func (r *RuleActionBypass) String() string {
+	if r.Outbound == "" {
+		return "bypass()"
+	}
+	var descriptions []string
+	descriptions = append(descriptions, r.Outbound)
+	descriptions = append(descriptions, r.Descriptions()...)
+	return F.ToString("bypass(", strings.Join(descriptions, ","), ")")
+}
+
 type RuleActionRouteOptions struct {
 	OverrideAddress           M.Socksaddr
 	OverridePort              uint16
@@ -301,6 +335,23 @@ func IsRejected(err error) bool {
 	return errors.As(err, &rejected)
 }

+type BypassedError struct {
+	Cause error
+}
+
+func (b *BypassedError) Error() string {
+	return "bypassed"
+}
+
+func (b *BypassedError) Unwrap() error {
+	return b.Cause
+}
+
+func IsBypassed(err error) bool {
+	var bypassed *BypassedError
+	return errors.As(err, &bypassed)
+}
+
 type RuleActionReject struct {
 	Method      string
 	NoDrop      bool
--- a/service/resolved/transport.go
+++ b/service/resolved/transport.go
@@ -110,6 +110,16 @@ func (t *Transport) Close() error {
 	return nil
 }

+func (t *Transport) Reset() {
+	t.linkAccess.RLock()
+	defer t.linkAccess.RUnlock()
+	for _, servers := range t.linkServers {
+		for _, server := range servers.Servers {
+			server.Reset()
+		}
+	}
+}
+
 func (t *Transport) updateTransports(link *TransportLink) error {
 	t.linkAccess.Lock()
 	defer t.linkAccess.Unlock()
Author	SHA1	Message	Date
世界	4637f8182d	documentation: Bump version	2025-12-30 22:36:38 +08:00
世界	b8e441a3c4	Fix missing relay support for Tailscale	2025-12-30 22:36:38 +08:00
世界	97e20090cb	cronet: Fix windows DNS hijack	2025-12-30 18:24:33 +08:00
世界	3bbb23ea3b	Fix DNS transports	2025-12-30 18:24:33 +08:00
世界	7da7601903	platform: Expose process info	2025-12-30 18:24:33 +08:00
世界	eaee6bc493	Update bypass action behavior for auto redirect	2025-12-30 18:24:33 +08:00
世界	b34469986b	platform: Add GetStartedAt for StartedService	2025-12-29 13:31:36 +08:00
世界	0a88fc6314	documentation: Format changes header	2025-12-26 16:30:32 +08:00
世界	e984ad753b	Add format_docs command for documentation trailing space formatting	2025-12-26 16:30:32 +08:00
世界	88bda5c306	Fix panic when closing Box before Start with file log output	2025-12-26 16:30:32 +08:00
世界	3294a46a28	Add pre-match support for auto redirect	2025-12-26 16:30:32 +08:00
世界	ce285f8d79	Fix cronet on iOS	2025-12-26 11:49:49 +08:00