documentation: Bump version

Adds `chrome` as a new certificate store option alongside `mozilla`.
Both stores filter out China-based CA certificates.

.fpm_openwrt

@@ -14,7 +14,6 @@
 --depends kmod-inet-diag
 --depends kmod-tun
 --depends firewall4
---depends kmod-nft-queue
 
 --before-remove release/config/openwrt.prerm
 

.fpm_pacman

@@ -1,23 +0,0 @@
--s dir
---name sing-box
---category net
---license GPL-3.0-or-later
---description "The universal proxy platform."
---url "https://sing-box.sagernet.org/"
---maintainer "nekohasekai <contact-git@sekai.icu>"
---config-files etc/sing-box/config.json
---after-install release/config/sing-box.postinst
-
-release/config/config.json=/etc/sing-box/config.json
-
-release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
-release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
-release/config/sing-box.sysusers=/usr/lib/sysusers.d/sing-box.conf
-release/config/sing-box.rules=usr/share/polkit-1/rules.d/sing-box.rules
-release/config/sing-box-split-dns.xml=/usr/share/dbus-1/system.d/sing-box-split-dns.conf
-
-release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
-release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
-release/completions/sing-box.zsh=/usr/share/zsh/site-functions/_sing-box
-
-LICENSE=/usr/share/licenses/sing-box/LICENSE

.github/CRONET_GO_VERSION

@@ -1 +1 @@
-cba7b9ac0399055aa49fbdc57c03c374f58e1597
+1cc61ad20399081362ccbc18d650432d1a6d42ec

.github/renovate.json

@@ -6,7 +6,7 @@
     ":disableRateLimiting"
   ],
   "baseBranches": [
-    "unstable"
+    "dev-next"
   ],
   "golang": {
     "enabled": false

.github/setup_go_for_windows7.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-VERSION="1.25.7"
+VERSION="1.25.5"
 
 mkdir -p $HOME/go
 cd $HOME/go

.github/update_cronet.sh

@@ -10,4 +10,4 @@ git -C $PROJECTS/cronet-go fetch origin go
 go get -x github.com/sagernet/cronet-go/all@$(git -C $PROJECTS/cronet-go rev-parse origin/go)
 go get -x github.com/sagernet/cronet-go@$(git -C $PROJECTS/cronet-go rev-parse origin/go)
 go mod tidy
-git -C $PROJECTS/cronet-go rev-parse origin/go > "$SCRIPT_DIR/CRONET_GO_VERSION"
+git -C $PROJECTS/cronet-go rev-parse origin/HEAD > "$SCRIPT_DIR/CRONET_GO_VERSION"

.github/update_cronet_dev.sh

@@ -1,13 +0,0 @@
-#!/usr/bin/env bash
-
-set -e -o pipefail
-
-SCRIPT_DIR=$(dirname "$0")
-PROJECTS=$SCRIPT_DIR/../..
-
-git -C $PROJECTS/cronet-go fetch origin dev
-git -C $PROJECTS/cronet-go fetch origin go_dev
-go get -x github.com/sagernet/cronet-go/all@$(git -C $PROJECTS/cronet-go rev-parse origin/go_dev)
-go get -x github.com/sagernet/cronet-go@$(git -C $PROJECTS/cronet-go rev-parse origin/go_dev)
-go mod tidy
-git -C $PROJECTS/cronet-go rev-parse origin/dev > "$SCRIPT_DIR/CRONET_GO_VERSION"

.github/workflows/build.yml

@@ -25,9 +25,8 @@ on:
           - publish-android
   push:
     branches:
-      - stable
-      - testing
-      - unstable
+      - main-next
+      - dev-next
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
@@ -47,7 +46,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.25.5
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -70,43 +69,35 @@ jobs:
     strategy:
       matrix:
         include:
-          - { os: linux, arch: amd64, variant: purego, naive: true }
+          - { os: linux, arch: amd64, variant: purego, naive: true, openwrt: "x86_64" }
           - { os: linux, arch: amd64, variant: glibc, naive: true }
           - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }
 
-          - { os: linux, arch: arm64, variant: purego, naive: true }
+          - { os: linux, arch: arm64, variant: purego, naive: true, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
           - { os: linux, arch: arm64, variant: glibc, naive: true }
           - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
 
-          - { os: linux, arch: "386", go386: sse2 }
+          - { os: linux, arch: "386", go386: sse2, openwrt: "i386_pentium4" }
           - { os: linux, arch: "386", variant: glibc, naive: true, go386: sse2 }
           - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }
 
-          - { os: linux, arch: arm, goarm: "7" }
+          - { os: linux, arch: arm, goarm: "7", openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
           - { os: linux, arch: arm, variant: glibc, naive: true, goarm: "7" }
           - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
 
-          - { os: linux, arch: mipsle, gomips: hardfloat, naive: true, variant: glibc }
-          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, variant: musl, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
-          - { os: linux, arch: mips64le, gomips: hardfloat, naive: true, variant: glibc, debian: mips64el, rpm: mips64el }
-          - { os: linux, arch: riscv64, naive: true, variant: glibc }
-          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
-          - { os: linux, arch: loong64, naive: true, variant: glibc }
-          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
-
           - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
           - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
           - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl, openwrt: "arm_arm1176jzf-s_vfp" }
           - { os: linux, arch: mips, gomips: softfloat, openwrt: "mips_24kc mips_4kec mips_mips32" }
-          - { os: linux, arch: mipsle, gomips: hardfloat, openwrt: "mipsel_24kc_24kf" }
-          - { os: linux, arch: mipsle, gomips: softfloat }
+          - { os: linux, arch: mipsle, gomips: hardfloat, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc_24kf" }
+          - { os: linux, arch: mipsle, gomips: softfloat, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
           - { os: linux, arch: mips64, gomips: softfloat, openwrt: "mips64_mips64r2 mips64_octeonplus" }
-          - { os: linux, arch: mips64le, gomips: hardfloat }
+          - { os: linux, arch: mips64le, gomips: hardfloat, debian: mips64el, rpm: mips64el }
           - { os: linux, arch: mips64le, gomips: softfloat, openwrt: "mips64el_mips64r2" }
           - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
           - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - { os: linux, arch: riscv64 }
-          - { os: linux, arch: loong64 }
+          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
+          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
 
           - { os: windows, arch: amd64, legacy_win7: true, legacy_name: "windows-7" }
           - { os: windows, arch: "386", legacy_win7: true, legacy_name: "windows-7" }
@@ -124,7 +115,7 @@ jobs:
         if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.25.5
       - name: Setup Go 1.24
         if: matrix.legacy_go124
         uses: actions/setup-go@v5
@@ -163,23 +154,14 @@ jobs:
           git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
           git -C ~/cronet-go checkout FETCH_HEAD
           git -C ~/cronet-go submodule update --init --recursive --depth=1
-      - name: Regenerate Debian keyring
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
-          cd ~/cronet-go
-          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
       - name: Cache Chromium toolchain
         if: matrix.naive
         id: cache-chromium-toolchain
         uses: actions/cache@v4
         with:
           path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
-            ~/cronet-go/naiveproxy/src/gn/out/
-            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
-            ~/cronet-go/naiveproxy/src/out/sysroot-build/
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/out/sysroot-build
           key: chromium-toolchain-${{ matrix.arch }}-${{ matrix.variant }}-${{ hashFiles('.github/CRONET_GO_VERSION') }}
       - name: Download Chromium toolchain
         if: matrix.naive
@@ -208,10 +190,9 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
           if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
-          else
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+            TAGS="${TAGS},with_naive_outbound"
           fi
           if [[ "${{ matrix.variant }}" == "purego" ]]; then
             TAGS="${TAGS},with_purego"
@@ -219,16 +200,13 @@ jobs:
             TAGS="${TAGS},with_musl"
           fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Set shared ldflags
-        run: |
-          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
       - name: Build (purego)
         if: matrix.variant == 'purego'
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -250,7 +228,7 @@ jobs:
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -258,8 +236,6 @@ jobs:
           GOARCH: ${{ matrix.arch }}
           GO386: ${{ matrix.go386 }}
           GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
-          GOMIPS64: ${{ matrix.gomips }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Build (musl)
         if: matrix.variant == 'musl'
@@ -267,7 +243,7 @@ jobs:
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -275,8 +251,6 @@ jobs:
           GOARCH: ${{ matrix.arch }}
           GO386: ${{ matrix.go386 }}
           GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
-          GOMIPS64: ${{ matrix.gomips }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Build (non-variant)
         if: matrix.os != 'android' && matrix.variant == ''
@@ -284,7 +258,7 @@ jobs:
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -304,7 +278,7 @@ jobs:
           export CXX="${CC}++"
           mkdir -p dist
           GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -378,7 +352,7 @@ jobs:
           sudo gem install fpm
           sudo apt-get update
           sudo apt-get install -y libarchive-tools
-          cp .fpm_pacman .fpm
+          cp .fpm_systemd .fpm
           fpm -t pacman \
             -v "$PKG_VERSION" \
             -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.pacman }}.pkg.tar.zst" \
@@ -395,8 +369,12 @@ jobs:
             -p "dist/openwrt.deb" \
             --architecture all \
             dist/sing-box=/usr/bin/sing-box
+          SUFFIX=""
+          if [[ "${{ matrix.variant }}" == "musl" ]]; then
+            SUFFIX="_musl"
+          fi
           for architecture in ${{ matrix.openwrt }}; do
-            .github/deb2ipk.sh "$architecture" "dist/openwrt.deb" "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.ipk"
+            .github/deb2ipk.sh "$architecture" "dist/openwrt.deb" "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}${SUFFIX}.ipk"
           done
           rm "dist/openwrt.deb"
       - name: Archive
@@ -457,21 +435,17 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
           if [[ "${{ matrix.legacy_go124 }}" != "true" ]]; then
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
-          else
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+            TAGS="${TAGS},with_naive_outbound"
           fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Set shared ldflags
-        run: |
-          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
       - name: Build
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -529,11 +503,9 @@ jobs:
       - name: Build
         if: matrix.naive
         run: |
-          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_WINDOWS
-          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
           mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
+          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,with_purego,badlinkname,tfogo_checklinkname0" `
+          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0" `
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -543,11 +515,9 @@ jobs:
       - name: Build
         if: ${{ !matrix.naive }}
         run: |
-          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_OTHERS
-          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
           mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
+          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" `
+          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0" `
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -592,7 +562,7 @@ jobs:
           path: "dist"
   build_android:
     name: Build Android
-    if: (github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android') && github.ref != 'refs/heads/oldstable'
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
     runs-on: ubuntu-latest
     needs:
       - calculate_version
@@ -605,7 +575,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.25.5
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -628,12 +598,12 @@ jobs:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
       - name: Checkout main branch
-        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/android
           git checkout main
       - name: Checkout dev branch
-        if: github.ref == 'refs/heads/testing'
+        if: github.ref == 'refs/heads/dev-next'
         run: |-
           cd clients/android
           git checkout dev
@@ -682,7 +652,7 @@ jobs:
           path: 'dist'
   publish_android:
     name: Publish Android
-    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android' && github.ref != 'refs/heads/oldstable'
+    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
     runs-on: ubuntu-latest
     needs:
       - calculate_version
@@ -695,7 +665,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.25.5
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -718,12 +688,12 @@ jobs:
           JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
           ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
       - name: Checkout main branch
-        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/android
           git checkout main
       - name: Checkout dev branch
-        if: github.ref == 'refs/heads/testing'
+        if: github.ref == 'refs/heads/dev-next'
         run: |-
           cd clients/android
           git checkout dev
@@ -794,7 +764,7 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.25.5
       - name: Set tag
         if: matrix.if
         run: |-
@@ -802,12 +772,12 @@ jobs:
           git tag v${{ needs.calculate_version.outputs.version }} -f
           echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
       - name: Checkout main branch
-        if: matrix.if && github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
+        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
         run: |-
           cd clients/apple
           git checkout main
       - name: Checkout dev branch
-        if: matrix.if && github.ref == 'refs/heads/testing'
+        if: matrix.if && github.ref == 'refs/heads/dev-next'
         run: |-
           cd clients/apple
           git checkout dev
@@ -893,7 +863,7 @@ jobs:
             -authenticationKeyID $ASC_KEY_ID \
             -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
       - name: Publish to TestFlight
-        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/testing'
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
         run: |-
           go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
       - name: Build image

.github/workflows/docker.yml

@@ -3,8 +3,8 @@ name: Publish Docker Images
 on:
   #push:
   #  branches:
-  #    - stable
-  #    - testing
+  #    - main-next
+  #    - dev-next
   release:
     types:
       - published
@@ -19,7 +19,6 @@ env:
 jobs:
   build_binary:
     name: Build binary
-    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
     runs-on: ubuntu-latest
     strategy:
       fail-fast: true
@@ -30,12 +29,10 @@ jobs:
           - { arch: arm64, naive: true, docker_platform: "linux/arm64" }
           - { arch: "386", naive: true, docker_platform: "linux/386" }
           - { arch: arm, goarm: "7", naive: true, docker_platform: "linux/arm/v7" }
-          - { arch: mipsle, gomips: softfloat, naive: true, docker_platform: "linux/mipsle" }
-          - { arch: riscv64, naive: true, docker_platform: "linux/riscv64" }
-          - { arch: loong64, naive: true, docker_platform: "linux/loong64" }
           # Non-naive builds
           - { arch: arm, goarm: "6", docker_platform: "linux/arm/v6" }
           - { arch: ppc64le, docker_platform: "linux/ppc64le" }
+          - { arch: riscv64, docker_platform: "linux/riscv64" }
           - { arch: s390x, docker_platform: "linux/s390x" }
     steps:
       - name: Get commit to build
@@ -56,7 +53,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.25.4
       - name: Clone cronet-go
         if: matrix.naive
         run: |
@@ -67,23 +64,14 @@ jobs:
           git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
           git -C ~/cronet-go checkout FETCH_HEAD
           git -C ~/cronet-go submodule update --init --recursive --depth=1
-      - name: Regenerate Debian keyring
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
-          cd ~/cronet-go
-          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
       - name: Cache Chromium toolchain
         if: matrix.naive
         id: cache-chromium-toolchain
         uses: actions/cache@v4
         with:
           path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
-            ~/cronet-go/naiveproxy/src/gn/out/
-            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
-            ~/cronet-go/naiveproxy/src/out/sysroot-build/
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/out/sysroot-build
           key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
       - name: Download Chromium toolchain
         if: matrix.naive
@@ -105,34 +93,29 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
           if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
-          else
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+            TAGS="${TAGS},with_naive_outbound,with_musl"
           fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Set shared ldflags
-        run: |
-          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
       - name: Build (naive)
         if: matrix.naive
         run: |
           set -xeuo pipefail
           go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -s -w -buildid= -checklinkname=0" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
           GOOS: linux
           GOARCH: ${{ matrix.arch }}
           GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
       - name: Build (non-naive)
         if: ${{ ! matrix.naive }}
         run: |
           set -xeuo pipefail
           go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -s -w -buildid= -checklinkname=0" \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -165,17 +148,15 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        include:
-          - { platform: "linux/amd64" }
-          - { platform: "linux/arm/v6" }
-          - { platform: "linux/arm/v7" }
-          - { platform: "linux/arm64" }
-          - { platform: "linux/386" }
-          # mipsle: no base Docker image available for this platform
-          - { platform: "linux/ppc64le" }
-          - { platform: "linux/riscv64" }
-          - { platform: "linux/s390x" }
-          - { platform: "linux/loong64", base_image: "ghcr.io/loong64/alpine:edge" }
+        platform:
+          - linux/amd64
+          - linux/arm/v6
+          - linux/arm/v7
+          - linux/arm64
+          - linux/386
+          - linux/ppc64le
+          - linux/riscv64
+          - linux/s390x
     steps:
       - name: Get commit to build
         id: ref
@@ -228,8 +209,6 @@ jobs:
           platforms: ${{ matrix.platform }}
           context: .
           file: Dockerfile.binary
-          build-args: |
-            BASE_IMAGE=${{ matrix.base_image || 'alpine' }}
           labels: ${{ steps.meta.outputs.labels }}
           outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
       - name: Export digest
@@ -245,7 +224,6 @@ jobs:
           if-no-files-found: error
           retention-days: 1
   merge:
-    if: github.event_name != 'push'
     runs-on: ubuntu-latest
     needs:
       - build_docker

.github/workflows/lint.yml

@@ -3,20 +3,18 @@ name: Lint
 on:
   push:
     branches:
-      - oldstable
-      - stable
-      - testing
-      - unstable
+      - stable-next
+      - main-next
+      - dev-next
     paths-ignore:
       - '**.md'
       - '.github/**'
       - '!.github/workflows/lint.yml'
   pull_request:
     branches:
-      - oldstable
-      - stable
-      - testing
-      - unstable
+      - stable-next
+      - main-next
+      - dev-next
 
 jobs:
   build:
@@ -34,7 +32,7 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v8
         with:
-          version: latest
+          version: v2.4.0
           args: --timeout=30m
           install-mode: binary
           verify: false

.github/workflows/linux.yml

@@ -3,8 +3,8 @@ name: Build Linux Packages
 on:
   #push:
   #  branches:
-  #    - stable
-  #    - testing
+  #    - main-next
+  #    - dev-next
   workflow_dispatch:
     inputs:
       version:
@@ -23,7 +23,6 @@ on:
 jobs:
   calculate_version:
     name: Calculate version
-    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.outputs.outputs.version }}
@@ -35,7 +34,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.25.5
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -62,14 +61,14 @@ jobs:
           - { os: linux, arch: arm64, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64 }
           - { os: linux, arch: "386", naive: true, debian: i386, rpm: i386 }
           - { os: linux, arch: arm, goarm: "7", naive: true, debian: armhf, rpm: armv7hl, pacman: armv7hl }
-          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, debian: mipsel, rpm: mipsel }
-          - { os: linux, arch: riscv64, naive: true, debian: riscv64, rpm: riscv64 }
-          - { os: linux, arch: loong64, naive: true, debian: loongarch64, rpm: loongarch64 }
           # Non-naive builds (unsupported architectures)
           - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
           - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
+          - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
           - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
           - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
+          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64 }
+          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
@@ -78,7 +77,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.25.7
+          go-version: ^1.25.5
       - name: Clone cronet-go
         if: matrix.naive
         run: |
@@ -89,23 +88,14 @@ jobs:
           git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
           git -C ~/cronet-go checkout FETCH_HEAD
           git -C ~/cronet-go submodule update --init --recursive --depth=1
-      - name: Regenerate Debian keyring
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
-          cd ~/cronet-go
-          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
       - name: Cache Chromium toolchain
         if: matrix.naive
         id: cache-chromium-toolchain
         uses: actions/cache@v4
         with:
           path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
-            ~/cronet-go/naiveproxy/src/gn/out/
-            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
-            ~/cronet-go/naiveproxy/src/out/sysroot-build/
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/out/sysroot-build
           key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
       - name: Download Chromium toolchain
         if: matrix.naive
@@ -126,30 +116,24 @@ jobs:
       - name: Set build tags
         run: |
           set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
           if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
-          else
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+            TAGS="${TAGS},with_naive_outbound,with_musl"
           fi
           echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Set shared ldflags
-        run: |
-          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
       - name: Build (naive)
         if: matrix.naive
         run: |
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
           GOOS: linux
           GOARCH: ${{ matrix.arch }}
           GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
-          GOMIPS64: ${{ matrix.gomips }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Build (non-naive)
         if: ${{ ! matrix.naive }}
@@ -157,7 +141,7 @@ jobs:
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"

.gitignore

@@ -12,9 +12,6 @@
 /*.jar
 /*.aar
 /*.xcframework/
-/experimental/libbox/*.aar
-/experimental/libbox/*.xcframework/
-/experimental/libbox/*.nupkg
 .DS_Store
 /config.d/
 /venv/

.golangci.yml

@@ -9,11 +9,6 @@ run:
     - with_utls
     - with_acme
     - with_clash_api
-    - with_tailscale
-    - with_ccm
-    - with_ocm
-    - badlinkname
-    - tfogo_checklinkname0
 linters:
   default: none
   enable:

Dockerfile

@@ -12,11 +12,10 @@ RUN set -ex \
     && apk add git build-base \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && export TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS) \
-    && export LDFLAGS_SHARED=$(cat release/LDFLAGS) \
-    && go build -v -trimpath -tags "$TAGS" \
+    && go build -v -trimpath -tags \
+        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" \
         -o /go/bin/sing-box \
-        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" $LDFLAGS_SHARED -s -w -buildid=" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid= -checklinkname=0" \
         ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"

Dockerfile.binary

@@ -1,14 +1,8 @@
-ARG BASE_IMAGE=alpine
-FROM ${BASE_IMAGE}
+FROM alpine
 ARG TARGETARCH
 ARG TARGETVARIANT
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
-    && if command -v apk > /dev/null; then \
-        apk add --no-cache --upgrade bash tzdata ca-certificates nftables; \
-    else \
-        apt-get update && apt-get install -y --no-install-recommends bash tzdata ca-certificates nftables \
-        && rm -rf /var/lib/apt/lists/*; \
-    fi
+    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
 COPY sing-box-${TARGETARCH}${TARGETVARIANT} /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]

Makefile

@@ -1,18 +1,15 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= $(shell cat release/DEFAULT_BUILD_TAGS_OTHERS)
+TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)
 
-LDFLAGS_SHARED = $(shell cat release/LDFLAGS)
-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' $(LDFLAGS_SHARED) -s -w -buildid="
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid= -checklinkname=0"
 MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
-SING_FFI ?= sing-ffi
-LIBBOX_FFI_CONFIG ?= ./experimental/libbox/ffi.json
 
 .PHONY: test release docs build
 
@@ -44,7 +41,7 @@ fmt_docs:
 	go run ./cmd/internal/format_docs
 
 fmt_install:
-	go install -v mvdan.cc/gofumpt@latest
+	go install -v mvdan.cc/gofumpt@v0.8.0
 	go install -v github.com/daixiang0/gci@latest
 
 lint:
@@ -55,7 +52,7 @@ lint:
 	GOOS=freebsd golangci-lint run ./...
 
 lint_install:
-	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
+	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.4.0
 
 proto:
 	@go run ./cmd/internal/protogen
@@ -92,12 +89,12 @@ update_android_version:
 	go run ./cmd/internal/update_android_version
 
 build_android:
-	cd ../sing-box-for-android && ./gradlew :app:clean :app:assembleOtherRelease :app:assembleOtherLegacyRelease && ./gradlew --stop
+	cd ../sing-box-for-android && ./gradlew :app:clean :app:assemblePlayRelease :app:assembleOtherRelease && ./gradlew --stop
 
 upload_android:
 	mkdir -p dist/release_android
-	cp ../sing-box-for-android/app/build/outputs/apk/other/release/*.apk dist/release_android
-	cp ../sing-box-for-android/app/build/outputs/apk/otherLegacy/release/*.apk dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/play/release/*.apk dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/other/release/*-universal.apk dist/release_android
 	ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release_android
 	rm -rf dist/release_android
 
@@ -112,7 +109,7 @@ build_ios:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFI.xcarchive && \
 	xcodebuild clean -scheme SFI && \
-	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates | xcbeautify | grep -A 10 -e "Archive Succeeded" -e "ARCHIVE FAILED" -e "❌"
+	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates
 
 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
@@ -133,7 +130,7 @@ release_ios: build_ios upload_ios_app_store
 build_macos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFM.xcarchive && \
-	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive -allowProvisioningUpdates | xcbeautify | grep -A 10 -e "Archive Succeeded" -e "ARCHIVE FAILED" -e "❌"
+	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive -allowProvisioningUpdates
 
 upload_macos_app_store:
 	cd ../sing-box-for-apple && \
@@ -142,50 +139,54 @@ upload_macos_app_store:
 release_macos: build_macos upload_macos_app_store
 
 build_macos_standalone:
-	$(MAKE) -C ../sing-box-for-apple archive_macos_standalone
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFM.System.xcarchive && \
+	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive -allowProvisioningUpdates
 
 build_macos_dmg:
-	$(MAKE) -C ../sing-box-for-apple build_macos_dmg
-
-build_macos_pkg:
-	$(MAKE) -C ../sing-box-for-apple build_macos_pkg
+	rm -rf dist/SFM
+	mkdir -p dist/SFM
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFM.System && \
+	rm -rf build/SFM.dmg && \
+	xcodebuild -exportArchive \
+		-archivePath "build/SFM.System.xcarchive" \
+		-exportOptionsPlist SFM.System/Export.plist -allowProvisioningUpdates \
+		-exportPath "build/SFM.System" && \
+	create-dmg \
+		--volname "sing-box" \
+		--volicon "build/SFM.System/SFM.app/Contents/Resources/AppIcon.icns" \
+		--icon "SFM.app" 0 0 \
+ 		--hide-extension "SFM.app" \
+ 		--app-drop-link 0 0 \
+ 		--skip-jenkins \
+		"../sing-box/dist/SFM/SFM.dmg" "build/SFM.System/SFM.app"
 
 notarize_macos_dmg:
-	$(MAKE) -C ../sing-box-for-apple notarize_macos_dmg
-
-notarize_macos_pkg:
-	$(MAKE) -C ../sing-box-for-apple notarize_macos_pkg
+	xcrun notarytool submit "dist/SFM/SFM.dmg" --wait \
+	  --keychain-profile "notarytool-password" \
+  	  --no-s3-acceleration
 
 upload_macos_dmg:
-	mkdir -p dist/SFM
-	cp ../sing-box-for-apple/build/SFM-Apple.dmg "dist/SFM/SFM-${VERSION}-Apple.dmg"
-	cp ../sing-box-for-apple/build/SFM-Intel.dmg "dist/SFM/SFM-${VERSION}-Intel.dmg"
-	cp ../sing-box-for-apple/build/SFM-Universal.dmg "dist/SFM/SFM-${VERSION}-Universal.dmg"
-	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Apple.dmg"
-	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Intel.dmg"
-	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Universal.dmg"
-
-upload_macos_pkg:
-	mkdir -p dist/SFM
-	cp ../sing-box-for-apple/build/SFM-Apple.pkg "dist/SFM/SFM-${VERSION}-Apple.pkg"
-	cp ../sing-box-for-apple/build/SFM-Intel.pkg "dist/SFM/SFM-${VERSION}-Intel.pkg"
-	cp ../sing-box-for-apple/build/SFM-Universal.pkg "dist/SFM/SFM-${VERSION}-Universal.pkg"
-	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Apple.pkg"
-	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Intel.pkg"
-	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Universal.pkg"
+	cd dist/SFM && \
+	cp SFM.dmg "SFM-${VERSION}-universal.dmg" && \
+	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dmg"
 
 upload_macos_dsyms:
-	mkdir -p dist/SFM
-	cd ../sing-box-for-apple/build/SFM.System-universal.xcarchive && zip -r SFM.dSYMs.zip dSYMs
-	cp ../sing-box-for-apple/build/SFM.System-universal.xcarchive/SFM.dSYMs.zip "dist/SFM/SFM-${VERSION}.dSYMs.zip"
-	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}.dSYMs.zip"
+	pushd ../sing-box-for-apple/build/SFM.System.xcarchive && \
+	zip -r SFM.dSYMs.zip dSYMs && \
+	mv SFM.dSYMs.zip ../../../sing-box/dist/SFM && \
+	popd && \
+	cd dist/SFM && \
+	cp SFM.dSYMs.zip "SFM-${VERSION}-universal.dSYMs.zip" && \
+	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dSYMs.zip"
 
-release_macos_standalone: build_macos_pkg notarize_macos_pkg upload_macos_pkg upload_macos_dsyms
+release_macos_standalone: build_macos_standalone build_macos_dmg notarize_macos_dmg upload_macos_dmg upload_macos_dsyms
 
 build_tvos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.xcarchive && \
-	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive -allowProvisioningUpdates | xcbeautify | grep -A 10 -e "Archive Succeeded" -e "ARCHIVE FAILED" -e "❌"
+	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive -allowProvisioningUpdates
 
 upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
@@ -209,12 +210,12 @@ update_apple_version:
 update_macos_version:
 	MACOS_PROJECT_VERSION=$(shell go run -v ./cmd/internal/app_store_connect next_macos_project_version) go run ./cmd/internal/update_apple_version
 
-release_apple: lib_apple update_apple_version release_ios release_macos release_tvos release_macos_standalone
+release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_standalone
 
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
 
 publish_testflight:
-	go run -v ./cmd/internal/app_store_connect publish_testflight $(filter-out $@,$(MAKECMDGOALS))
+	go run -v ./cmd/internal/app_store_connect publish_testflight
 
 prepare_app_store:
 	go run -v ./cmd/internal/app_store_connect prepare_app_store
@@ -237,21 +238,22 @@ test_stdio:
 lib_android:
 	go run ./cmd/internal/build_libbox -target android
 
+lib_android_debug:
+	go run ./cmd/internal/build_libbox -target android -debug
+
 lib_apple:
 	go run ./cmd/internal/build_libbox -target apple
 
-lib_windows:
-	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type csharp
+lib_ios:
+	go run ./cmd/internal/build_libbox -target apple -platform ios -debug
 
-lib_android_new:
-	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type android
-
-lib_apple_new:
-	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type apple
+lib:
+	go run ./cmd/internal/build_libbox -target android
+	go run ./cmd/internal/build_libbox -target ios
 
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.12
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.12
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.10
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.10
 
 docs:
 	venv/bin/mkdocs serve
@@ -260,8 +262,8 @@ publish_docs:
 	venv/bin/mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
 
 docs_install:
-	python3 -m venv venv
-	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.7.2" mkdocs-static-i18n=="1.2.*"
+	python -m venv venv
+	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
 
 clean:
 	rm -rf bin dist sing-box
@@ -271,6 +273,3 @@ update:
 	git fetch
 	git reset FETCH_HEAD --hard
 	git clean -fdx
-
-%:
-	@:

adapter/connections.go

@@ -9,10 +9,6 @@ import (
 
 type ConnectionManager interface {
 	Lifecycle
-	Count() int
-	CloseAll()
-	TrackConn(conn net.Conn) net.Conn
-	TrackPacketConn(conn net.PacketConn) net.PacketConn
 	NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
 	NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 }

adapter/experimental.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
-	"io"
 	"time"
 
 	"github.com/sagernet/sing/common/observable"
@@ -69,11 +68,7 @@ func (s *SavedBinary) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	_, err = varbin.WriteUvarint(&buffer, uint64(len(s.Content)))
-	if err != nil {
-		return nil, err
-	}
-	_, err = buffer.Write(s.Content)
+	err = varbin.Write(&buffer, binary.BigEndian, s.Content)
 	if err != nil {
 		return nil, err
 	}
@@ -81,11 +76,7 @@ func (s *SavedBinary) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	_, err = varbin.WriteUvarint(&buffer, uint64(len(s.LastEtag)))
-	if err != nil {
-		return nil, err
-	}
-	_, err = buffer.WriteString(s.LastEtag)
+	err = varbin.Write(&buffer, binary.BigEndian, s.LastEtag)
 	if err != nil {
 		return nil, err
 	}
@@ -99,12 +90,7 @@ func (s *SavedBinary) UnmarshalBinary(data []byte) error {
 	if err != nil {
 		return err
 	}
-	contentLength, err := binary.ReadUvarint(reader)
-	if err != nil {
-		return err
-	}
-	s.Content = make([]byte, contentLength)
-	_, err = io.ReadFull(reader, s.Content)
+	err = varbin.Read(reader, binary.BigEndian, &s.Content)
 	if err != nil {
 		return err
 	}
@@ -114,16 +100,10 @@ func (s *SavedBinary) UnmarshalBinary(data []byte) error {
 		return err
 	}
 	s.LastUpdated = time.Unix(lastUpdated, 0)
-	etagLength, err := binary.ReadUvarint(reader)
+	err = varbin.Read(reader, binary.BigEndian, &s.LastEtag)
 	if err != nil {
 		return err
 	}
-	etagBytes := make([]byte, etagLength)
-	_, err = io.ReadFull(reader, etagBytes)
-	if err != nil {
-		return err
-	}
-	s.LastEtag = string(etagBytes)
 	return nil
 }
 

adapter/inbound.go

@@ -62,10 +62,13 @@ type InboundContext struct {
 	// cache
 
 	// Deprecated: implement in rule action
-	InboundDetour             string
-	LastInbound               string
-	OriginDestination         M.Socksaddr
-	RouteOriginalDestination  M.Socksaddr
+	InboundDetour            string
+	LastInbound              string
+	OriginDestination        M.Socksaddr
+	RouteOriginalDestination M.Socksaddr
+	// Deprecated: to be removed
+	//nolint:staticcheck
+	InboundOptions            option.InboundOptions
 	UDPDisableDomainUnmapping bool
 	UDPConnect                bool
 	UDPTimeout                time.Duration

adapter/router.go

@@ -25,7 +25,6 @@ type Router interface {
 	ConnectionRouterEx
 	RuleSet(tag string) (RuleSet, bool)
 	Rules() []Rule
-	NeedFindProcess() bool
 	AppendTracker(tracker ConnectionTracker)
 	ResetNetwork()
 }

box.go

@@ -125,10 +125,7 @@ func New(options Options) (*Box, error) {
 
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
-	err := applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
-	if err != nil {
-		return nil, err
-	}
+	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needCacheFile bool
 	var needClashAPI bool
 	var needV2RayAPI bool

cmd/internal/app_store_connect/main.go

@@ -100,32 +100,11 @@ findVersion:
 }
 
 func publishTestflight(ctx context.Context) error {
-	if len(os.Args) < 3 {
-		return E.New("platform required: ios, macos, or tvos")
-	}
-	var platform asc.Platform
-	switch os.Args[2] {
-	case "ios":
-		platform = asc.PlatformIOS
-	case "macos":
-		platform = asc.PlatformMACOS
-	case "tvos":
-		platform = asc.PlatformTVOS
-	default:
-		return E.New("unknown platform: ", os.Args[2])
-	}
-
 	tagVersion, err := build_shared.ReadTagVersion()
 	if err != nil {
 		return err
 	}
 	tag := tagVersion.VersionString()
-
-	releaseNotes := F.ToString("sing-box ", tagVersion.String())
-	if len(os.Args) >= 4 {
-		releaseNotes = strings.Join(os.Args[3:], " ")
-	}
-
 	client := createClient(20 * time.Minute)
 
 	log.Info(tag, " list build IDs")
@@ -136,76 +115,97 @@ func publishTestflight(ctx context.Context) error {
 	buildIDs := common.Map(buildIDsResponse.Data, func(it asc.RelationshipData) string {
 		return it.ID
 	})
-
+	var platforms []asc.Platform
+	if len(os.Args) == 3 {
+		switch os.Args[2] {
+		case "ios":
+			platforms = []asc.Platform{asc.PlatformIOS}
+		case "macos":
+			platforms = []asc.Platform{asc.PlatformMACOS}
+		case "tvos":
+			platforms = []asc.Platform{asc.PlatformTVOS}
+		default:
+			return E.New("unknown platform: ", os.Args[2])
+		}
+	} else {
+		platforms = []asc.Platform{
+			asc.PlatformIOS,
+			asc.PlatformMACOS,
+			asc.PlatformTVOS,
+		}
+	}
 	waitingForProcess := false
-	log.Info(string(platform), " list builds")
-	for {
-		builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
-			FilterApp:                       []string{appID},
-			FilterPreReleaseVersionPlatform: []string{string(platform)},
-		})
-		if err != nil {
-			return err
-		}
-		build := builds.Data[0]
-		log.Info(string(platform), " ", tag, " found build: ", build.ID, " (", *build.Attributes.Version, ")")
-		if !waitingForProcess && (common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 30*time.Minute) {
-			log.Info(string(platform), " ", tag, " waiting for process")
-			time.Sleep(15 * time.Second)
-			continue
-		}
-		if *build.Attributes.ProcessingState != "VALID" {
-			waitingForProcess = true
-			log.Info(string(platform), " ", tag, " waiting for process: ", *build.Attributes.ProcessingState)
-			time.Sleep(15 * time.Second)
-			continue
-		}
-		log.Info(string(platform), " ", tag, " list localizations")
-		localizations, _, err := client.TestFlight.ListBetaBuildLocalizationsForBuild(ctx, build.ID, nil)
-		if err != nil {
-			return err
-		}
-		localization := common.Find(localizations.Data, func(it asc.BetaBuildLocalization) bool {
-			return *it.Attributes.Locale == "en-US"
-		})
-		if localization.ID == "" {
-			log.Fatal(string(platform), " ", tag, " no en-US localization found")
-		}
-		if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
-			log.Info(string(platform), " ", tag, " update localization")
-			_, _, err = client.TestFlight.UpdateBetaBuildLocalization(ctx, localization.ID, common.Ptr(releaseNotes))
+	for _, platform := range platforms {
+		log.Info(string(platform), " list builds")
+		for {
+			builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
+				FilterApp:                       []string{appID},
+				FilterPreReleaseVersionPlatform: []string{string(platform)},
+			})
 			if err != nil {
 				return err
 			}
-		}
-		log.Info(string(platform), " ", tag, " publish")
-		response, err := client.TestFlight.AddBuildsToBetaGroup(ctx, groupID, []string{build.ID})
-		if response != nil && (response.StatusCode == http.StatusUnprocessableEntity || response.StatusCode == http.StatusNotFound) {
-			log.Info("waiting for process")
-			time.Sleep(15 * time.Second)
-			continue
-		} else if err != nil {
-			return err
-		}
-		log.Info(string(platform), " ", tag, " list submissions")
-		betaSubmissions, _, err := client.TestFlight.ListBetaAppReviewSubmissions(ctx, &asc.ListBetaAppReviewSubmissionsQuery{
-			FilterBuild: []string{build.ID},
-		})
-		if err != nil {
-			return err
-		}
-		if len(betaSubmissions.Data) == 0 {
-			log.Info(string(platform), " ", tag, " create submission")
-			_, _, err = client.TestFlight.CreateBetaAppReviewSubmission(ctx, build.ID)
+			build := builds.Data[0]
+			if !waitingForProcess && (common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 30*time.Minute) {
+				log.Info(string(platform), " ", tag, " waiting for process")
+				time.Sleep(15 * time.Second)
+				continue
+			}
+			if *build.Attributes.ProcessingState != "VALID" {
+				waitingForProcess = true
+				log.Info(string(platform), " ", tag, " waiting for process: ", *build.Attributes.ProcessingState)
+				time.Sleep(15 * time.Second)
+				continue
+			}
+			log.Info(string(platform), " ", tag, " list localizations")
+			localizations, _, err := client.TestFlight.ListBetaBuildLocalizationsForBuild(ctx, build.ID, nil)
 			if err != nil {
-				if strings.Contains(err.Error(), "ANOTHER_BUILD_IN_REVIEW") {
-					log.Error(err)
-					break
+				return err
+			}
+			localization := common.Find(localizations.Data, func(it asc.BetaBuildLocalization) bool {
+				return *it.Attributes.Locale == "en-US"
+			})
+			if localization.ID == "" {
+				log.Fatal(string(platform), " ", tag, " no en-US localization found")
+			}
+			if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
+				log.Info(string(platform), " ", tag, " update localization")
+				_, _, err = client.TestFlight.UpdateBetaBuildLocalization(ctx, localization.ID, common.Ptr(
+					F.ToString("sing-box ", tagVersion.String()),
+				))
+				if err != nil {
+					return err
 				}
+			}
+			log.Info(string(platform), " ", tag, " publish")
+			response, err := client.TestFlight.AddBuildsToBetaGroup(ctx, groupID, []string{build.ID})
+			if response != nil && (response.StatusCode == http.StatusUnprocessableEntity || response.StatusCode == http.StatusNotFound) {
+				log.Info("waiting for process")
+				time.Sleep(15 * time.Second)
+				continue
+			} else if err != nil {
 				return err
 			}
+			log.Info(string(platform), " ", tag, " list submissions")
+			betaSubmissions, _, err := client.TestFlight.ListBetaAppReviewSubmissions(ctx, &asc.ListBetaAppReviewSubmissionsQuery{
+				FilterBuild: []string{build.ID},
+			})
+			if err != nil {
+				return err
+			}
+			if len(betaSubmissions.Data) == 0 {
+				log.Info(string(platform), " ", tag, " create submission")
+				_, _, err = client.TestFlight.CreateBetaAppReviewSubmission(ctx, build.ID)
+				if err != nil {
+					if strings.Contains(err.Error(), "ANOTHER_BUILD_IN_REVIEW") {
+						log.Error(err)
+						break
+					}
+					return err
+				}
+			}
+			break
 		}
-		break
 	}
 	return nil
 }

cmd/internal/build_libbox/main.go

@@ -17,17 +17,17 @@ import (
 )
 
 var (
-	debugEnabled bool
-	target       string
-	platform     string
-	// withTailscale bool
+	debugEnabled  bool
+	target        string
+	platform      string
+	withTailscale bool
 )
 
 func init() {
 	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
 	flag.StringVar(&target, "target", "android", "target platform")
 	flag.StringVar(&platform, "platform", "", "specify platform")
-	// flag.BoolVar(&withTailscale, "with-tailscale", false, "build tailscale for iOS and tvOS")
+	flag.BoolVar(&withTailscale, "with-tailscale", false, "build tailscale for iOS and tvOS")
 }
 
 func main() {
@@ -48,7 +48,7 @@ var (
 	debugFlags  []string
 	sharedTags  []string
 	darwinTags  []string
-	// memcTags    []string
+	memcTags    []string
 	notMemcTags []string
 	debugTags   []string
 )
@@ -60,13 +60,12 @@ func init() {
 	if err != nil {
 		currentTag = "unknown"
 	}
-	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid=  -checklinkname=0")
-	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0")
+	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=  -checklinkname=0")
+	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -checklinkname=0")
 
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "badlinkname", "tfogo_checklinkname0")
-	darwinTags = append(darwinTags, "with_dhcp", "grpcnotrace")
-	// memcTags = append(memcTags, "with_tailscale")
-	sharedTags = append(sharedTags, "with_tailscale", "ts_omit_logtail", "ts_omit_ssh", "ts_omit_drive", "ts_omit_taildrop", "ts_omit_webclient", "ts_omit_doctor", "ts_omit_capture", "ts_omit_kube", "ts_omit_aws", "ts_omit_synology", "ts_omit_bird")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "with_conntrack", "badlinkname", "tfogo_checklinkname0")
+	darwinTags = append(darwinTags, "with_dhcp")
+	memcTags = append(memcTags, "with_tailscale")
 	notMemcTags = append(notMemcTags, "with_low_memory")
 	debugTags = append(debugTags, "debug")
 }
@@ -165,7 +164,7 @@ func buildAndroid() {
 
 	// Build main variant (SDK 23)
 	mainTags := append([]string{}, sharedTags...)
-	// mainTags = append(mainTags, memcTags...)
+	mainTags = append(mainTags, memcTags...)
 	if debugEnabled {
 		mainTags = append(mainTags, debugTags...)
 	}
@@ -177,7 +176,7 @@ func buildAndroid() {
 
 	// Build legacy variant (SDK 21, no naive outbound)
 	legacyTags := filterTags(sharedTags, "with_naive_outbound")
-	// legacyTags = append(legacyTags, memcTags...)
+	legacyTags = append(legacyTags, memcTags...)
 	if debugEnabled {
 		legacyTags = append(legacyTags, debugTags...)
 	}
@@ -195,7 +194,7 @@ func buildApple() {
 	} else if debugEnabled {
 		bindTarget = "ios"
 	} else {
-		bindTarget = "ios,iossimulator,tvos,tvossimulator,macos"
+		bindTarget = "ios,tvos,macos"
 	}
 
 	args := []string{
@@ -205,9 +204,9 @@ func buildApple() {
 		"-libname=box",
 		"-tags-not-macos=with_low_memory",
 	}
-	//if !withTailscale {
-	//	args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
-	//}
+	if !withTailscale {
+		args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
+	}
 
 	if !debugEnabled {
 		args = append(args, sharedFlags...)
@@ -216,9 +215,9 @@ func buildApple() {
 	}
 
 	tags := append(sharedTags, darwinTags...)
-	//if withTailscale {
-	//	tags = append(tags, memcTags...)
-	//}
+	if withTailscale {
+		tags = append(tags, memcTags...)
+	}
 	if debugEnabled {
 		tags = append(tags, debugTags...)
 	}

cmd/internal/update_apple_version/main.go

@@ -71,12 +71,12 @@ func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDLi
 		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
 		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "MARKETING_VERSION = ") + 20
 		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
-		version := strings.Trim(projectContent[versionStart:versionEnd], "\"")
+		version := projectContent[versionStart:versionEnd]
 		if version == newVersion {
 			continue
 		}
 		updated = true
-		projectContent = projectContent[:versionStart] + "\"" + newVersion + "\"" + projectContent[versionEnd:]
+		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
 	}
 	return projectContent, updated
 }

common/conntrack/conn.go

@@ -0,0 +1,54 @@
+package conntrack
+
+import (
+	"io"
+	"net"
+
+	"github.com/sagernet/sing/common/x/list"
+)
+
+type Conn struct {
+	net.Conn
+	element *list.Element[io.Closer]
+}
+
+func NewConn(conn net.Conn) (net.Conn, error) {
+	connAccess.Lock()
+	element := openConnection.PushBack(conn)
+	connAccess.Unlock()
+	if KillerEnabled {
+		err := KillerCheck()
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+	}
+	return &Conn{
+		Conn:    conn,
+		element: element,
+	}, nil
+}
+
+func (c *Conn) Close() error {
+	if c.element.Value != nil {
+		connAccess.Lock()
+		if c.element.Value != nil {
+			openConnection.Remove(c.element)
+			c.element.Value = nil
+		}
+		connAccess.Unlock()
+	}
+	return c.Conn.Close()
+}
+
+func (c *Conn) Upstream() any {
+	return c.Conn
+}
+
+func (c *Conn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *Conn) WriterReplaceable() bool {
+	return true
+}

common/conntrack/killer.go

@@ -0,0 +1,35 @@
+package conntrack
+
+import (
+	runtimeDebug "runtime/debug"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/memory"
+)
+
+var (
+	KillerEnabled   bool
+	MemoryLimit     uint64
+	killerLastCheck time.Time
+)
+
+func KillerCheck() error {
+	if !KillerEnabled {
+		return nil
+	}
+	nowTime := time.Now()
+	if nowTime.Sub(killerLastCheck) < 3*time.Second {
+		return nil
+	}
+	killerLastCheck = nowTime
+	if memory.Total() > MemoryLimit {
+		Close()
+		go func() {
+			time.Sleep(time.Second)
+			runtimeDebug.FreeOSMemory()
+		}()
+		return E.New("out of memory")
+	}
+	return nil
+}

common/conntrack/packet_conn.go

@@ -0,0 +1,55 @@
+package conntrack
+
+import (
+	"io"
+	"net"
+
+	"github.com/sagernet/sing/common/bufio"
+	"github.com/sagernet/sing/common/x/list"
+)
+
+type PacketConn struct {
+	net.PacketConn
+	element *list.Element[io.Closer]
+}
+
+func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
+	connAccess.Lock()
+	element := openConnection.PushBack(conn)
+	connAccess.Unlock()
+	if KillerEnabled {
+		err := KillerCheck()
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+	}
+	return &PacketConn{
+		PacketConn: conn,
+		element:    element,
+	}, nil
+}
+
+func (c *PacketConn) Close() error {
+	if c.element.Value != nil {
+		connAccess.Lock()
+		if c.element.Value != nil {
+			openConnection.Remove(c.element)
+			c.element.Value = nil
+		}
+		connAccess.Unlock()
+	}
+	return c.PacketConn.Close()
+}
+
+func (c *PacketConn) Upstream() any {
+	return bufio.NewPacketConn(c.PacketConn)
+}
+
+func (c *PacketConn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *PacketConn) WriterReplaceable() bool {
+	return true
+}

common/conntrack/track.go

@@ -0,0 +1,47 @@
+package conntrack
+
+import (
+	"io"
+	"sync"
+
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/x/list"
+)
+
+var (
+	connAccess     sync.RWMutex
+	openConnection list.List[io.Closer]
+)
+
+func Count() int {
+	if !Enabled {
+		return 0
+	}
+	return openConnection.Len()
+}
+
+func List() []io.Closer {
+	if !Enabled {
+		return nil
+	}
+	connAccess.RLock()
+	defer connAccess.RUnlock()
+	connList := make([]io.Closer, 0, openConnection.Len())
+	for element := openConnection.Front(); element != nil; element = element.Next() {
+		connList = append(connList, element.Value)
+	}
+	return connList
+}
+
+func Close() {
+	if !Enabled {
+		return
+	}
+	connAccess.Lock()
+	defer connAccess.Unlock()
+	for element := openConnection.Front(); element != nil; element = element.Next() {
+		common.Close(element.Value)
+		element.Value = nil
+	}
+	openConnection.Init()
+}

common/conntrack/track_disable.go

@@ -0,0 +1,5 @@
+//go:build !with_conntrack
+
+package conntrack
+
+const Enabled = false

common/conntrack/track_enable.go

@@ -0,0 +1,5 @@
+//go:build with_conntrack
+
+package conntrack
+
+const Enabled = true

common/dialer/default.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/listener"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
@@ -36,7 +37,6 @@ type DefaultDialer struct {
 	udpAddr4               string
 	udpAddr6               string
 	netns                  string
-	connectionManager      adapter.ConnectionManager
 	networkManager         adapter.NetworkManager
 	networkStrategy        *C.NetworkStrategy
 	defaultNetworkStrategy bool
@@ -47,7 +47,6 @@ type DefaultDialer struct {
 }
 
 func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
-	connectionManager := service.FromContext[adapter.ConnectionManager](ctx)
 	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	platformInterface := service.FromContext[adapter.PlatformInterface](ctx)
 
@@ -90,7 +89,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 
 	if networkManager != nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if defaultOptions.BindInterface != "" && !disableDefaultBind {
+		if defaultOptions.BindInterface != "" {
 			bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
 			dialer.Control = control.Append(dialer.Control, bindFunc)
 			listener.Control = control.Append(listener.Control, bindFunc)
@@ -138,12 +137,6 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		dialer.Control = control.Append(dialer.Control, control.ProtectPath(options.ProtectPath))
 		listener.Control = control.Append(listener.Control, control.ProtectPath(options.ProtectPath))
 	}
-	if options.BindAddressNoPort {
-		if !C.IsLinux {
-			return nil, E.New("`bind_address_no_port` is only supported on Linux")
-		}
-		dialer.Control = control.Append(dialer.Control, control.BindAddressNoPort())
-	}
 	if options.ConnectTimeout != 0 {
 		dialer.Timeout = time.Duration(options.ConnectTimeout)
 	} else {
@@ -158,11 +151,8 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		if keepInterval == 0 {
 			keepInterval = C.TCPKeepAliveInterval
 		}
-		dialer.KeepAliveConfig = net.KeepAliveConfig{
-			Enable:   true,
-			Idle:     keepIdle,
-			Interval: keepInterval,
-		}
+		dialer.KeepAlive = keepIdle
+		dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(keepIdle, keepInterval))
 	}
 	var udpFragment bool
 	if options.UDPFragment != nil {
@@ -210,7 +200,6 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		udpAddr4:               udpAddr4,
 		udpAddr6:               udpAddr6,
 		netns:                  options.NetNs,
-		connectionManager:      connectionManager,
 		networkManager:         networkManager,
 		networkStrategy:        networkStrategy,
 		defaultNetworkStrategy: defaultNetworkStrategy,
@@ -243,7 +232,7 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {
-		return d.trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
+		return trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
 			switch N.NetworkName(network) {
 			case N.NetworkUDP:
 				if !address.IsIPv6() {
@@ -308,12 +297,12 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 	if !fastFallback && !isPrimary {
 		d.networkLastFallback.Store(time.Now())
 	}
-	return d.trackConn(conn, nil)
+	return trackConn(conn, nil)
 }
 
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if d.networkStrategy == nil {
-		return d.trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
+		return trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
 			if destination.IsIPv6() {
 				return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6)
 			} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
@@ -365,23 +354,23 @@ func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destina
 			return nil, err
 		}
 	}
-	return d.trackPacketConn(packetConn, nil)
+	return trackPacketConn(packetConn, nil)
 }
 
 func (d *DefaultDialer) WireGuardControl() control.Func {
 	return d.udpListener.Control
 }
 
-func (d *DefaultDialer) trackConn(conn net.Conn, err error) (net.Conn, error) {
-	if d.connectionManager == nil || err != nil {
+func trackConn(conn net.Conn, err error) (net.Conn, error) {
+	if !conntrack.Enabled || err != nil {
 		return conn, err
 	}
-	return d.connectionManager.TrackConn(conn), nil
+	return conntrack.NewConn(conn)
 }
 
-func (d *DefaultDialer) trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
-	if d.connectionManager == nil || err != nil {
+func trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
+	if !conntrack.Enabled || err != nil {
 		return conn, err
 	}
-	return d.connectionManager.TrackPacketConn(conn), nil
+	return conntrack.NewPacketConn(conn)
 }

common/dialer/dialer.go

@@ -145,7 +145,3 @@ type ParallelNetworkDialer interface {
 	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
 	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
 }
-
-type PacketDialerWithDestination interface {
-	ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error)
-}

common/geosite/compat_test.go

@@ -1,234 +0,0 @@
-package geosite
-
-import (
-	"bufio"
-	"bytes"
-	"encoding/binary"
-	"strings"
-	"testing"
-
-	"github.com/sagernet/sing/common/varbin"
-
-	"github.com/stretchr/testify/require"
-)
-
-// Old implementation using varbin reflection-based serialization
-
-func oldWriteString(writer varbin.Writer, value string) error {
-	//nolint:staticcheck
-	return varbin.Write(writer, binary.BigEndian, value)
-}
-
-func oldWriteItem(writer varbin.Writer, item Item) error {
-	//nolint:staticcheck
-	return varbin.Write(writer, binary.BigEndian, item)
-}
-
-func oldReadString(reader varbin.Reader) (string, error) {
-	//nolint:staticcheck
-	return varbin.ReadValue[string](reader, binary.BigEndian)
-}
-
-func oldReadItem(reader varbin.Reader) (Item, error) {
-	//nolint:staticcheck
-	return varbin.ReadValue[Item](reader, binary.BigEndian)
-}
-
-func TestStringCompat(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name  string
-		input string
-	}{
-		{"empty", ""},
-		{"single_char", "a"},
-		{"ascii", "example.com"},
-		{"utf8", "测试域名.中国"},
-		{"special_chars", "\x00\xff\n\t"},
-		{"127_bytes", strings.Repeat("x", 127)},
-		{"128_bytes", strings.Repeat("x", 128)},
-		{"16383_bytes", strings.Repeat("x", 16383)},
-		{"16384_bytes", strings.Repeat("x", 16384)},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			// Old write
-			var oldBuf bytes.Buffer
-			err := oldWriteString(&oldBuf, tc.input)
-			require.NoError(t, err)
-
-			// New write
-			var newBuf bytes.Buffer
-			err = writeString(&newBuf, tc.input)
-			require.NoError(t, err)
-
-			// Bytes must match
-			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
-				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
-
-			// New write -> old read
-			readBack, err := oldReadString(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
-			require.NoError(t, err)
-			require.Equal(t, tc.input, readBack)
-
-			// Old write -> new read
-			readBack2, err := readString(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
-			require.NoError(t, err)
-			require.Equal(t, tc.input, readBack2)
-		})
-	}
-}
-
-func TestItemCompat(t *testing.T) {
-	t.Parallel()
-
-	// Note: varbin.Write has a bug where struct values (not pointers) don't write their fields
-	// because field.CanSet() returns false for non-addressable values.
-	// The old geosite code passed Item values to varbin.Write, which silently wrote nothing.
-	// The new code correctly writes Type + Value using manual serialization.
-	// This test verifies the new serialization format and round-trip correctness.
-
-	cases := []struct {
-		name  string
-		input Item
-	}{
-		{"domain_empty", Item{Type: RuleTypeDomain, Value: ""}},
-		{"domain_normal", Item{Type: RuleTypeDomain, Value: "example.com"}},
-		{"domain_suffix", Item{Type: RuleTypeDomainSuffix, Value: ".example.com"}},
-		{"domain_keyword", Item{Type: RuleTypeDomainKeyword, Value: "google"}},
-		{"domain_regex", Item{Type: RuleTypeDomainRegex, Value: `^.*\.example\.com$`}},
-		{"utf8_domain", Item{Type: RuleTypeDomain, Value: "测试.com"}},
-		{"long_domain", Item{Type: RuleTypeDomainSuffix, Value: strings.Repeat("a", 200) + ".com"}},
-		{"128_bytes_value", Item{Type: RuleTypeDomain, Value: strings.Repeat("x", 128)}},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			// New write
-			var newBuf bytes.Buffer
-			err := newBuf.WriteByte(byte(tc.input.Type))
-			require.NoError(t, err)
-			err = writeString(&newBuf, tc.input.Value)
-			require.NoError(t, err)
-
-			// Verify format: Type (1 byte) + Value (uvarint len + bytes)
-			require.True(t, len(newBuf.Bytes()) >= 1, "output too short")
-			require.Equal(t, byte(tc.input.Type), newBuf.Bytes()[0], "type byte mismatch")
-
-			// New write -> old read (varbin can read correctly when given addressable target)
-			readBack, err := oldReadItem(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
-			require.NoError(t, err)
-			require.Equal(t, tc.input, readBack)
-
-			// New write -> new read
-			reader := bufio.NewReader(bytes.NewReader(newBuf.Bytes()))
-			typeByte, err := reader.ReadByte()
-			require.NoError(t, err)
-			value, err := readString(reader)
-			require.NoError(t, err)
-			require.Equal(t, tc.input, Item{Type: ItemType(typeByte), Value: value})
-		})
-	}
-}
-
-func TestGeositeWriteReadCompat(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name  string
-		input map[string][]Item
-	}{
-		{
-			"empty_map",
-			map[string][]Item{},
-		},
-		{
-			"single_code_empty_items",
-			map[string][]Item{"test": {}},
-		},
-		{
-			"single_code_single_item",
-			map[string][]Item{"test": {{Type: RuleTypeDomain, Value: "a.com"}}},
-		},
-		{
-			"single_code_multi_items",
-			map[string][]Item{
-				"test": {
-					{Type: RuleTypeDomain, Value: "a.com"},
-					{Type: RuleTypeDomainSuffix, Value: ".b.com"},
-					{Type: RuleTypeDomainKeyword, Value: "keyword"},
-					{Type: RuleTypeDomainRegex, Value: `^.*$`},
-				},
-			},
-		},
-		{
-			"multi_code",
-			map[string][]Item{
-				"cn": {{Type: RuleTypeDomain, Value: "baidu.com"}, {Type: RuleTypeDomainSuffix, Value: ".cn"}},
-				"us": {{Type: RuleTypeDomain, Value: "google.com"}},
-				"jp": {{Type: RuleTypeDomainSuffix, Value: ".jp"}},
-			},
-		},
-		{
-			"utf8_values",
-			map[string][]Item{
-				"test": {
-					{Type: RuleTypeDomain, Value: "测试.中国"},
-					{Type: RuleTypeDomainSuffix, Value: ".テスト"},
-				},
-			},
-		},
-		{
-			"large_items",
-			generateLargeItems(1000),
-		},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			// Write using new implementation
-			var buf bytes.Buffer
-			err := Write(&buf, tc.input)
-			require.NoError(t, err)
-
-			// Read back and verify
-			reader, codes, err := NewReader(bytes.NewReader(buf.Bytes()))
-			require.NoError(t, err)
-
-			// Verify all codes exist
-			codeSet := make(map[string]bool)
-			for _, code := range codes {
-				codeSet[code] = true
-			}
-			for code := range tc.input {
-				require.True(t, codeSet[code], "missing code: %s", code)
-			}
-
-			// Verify items match
-			for code, expectedItems := range tc.input {
-				items, err := reader.Read(code)
-				require.NoError(t, err)
-				require.Equal(t, expectedItems, items, "items mismatch for code: %s", code)
-			}
-		})
-	}
-}
-
-func generateLargeItems(count int) map[string][]Item {
-	items := make([]Item, count)
-	for i := 0; i < count; i++ {
-		items[i] = Item{
-			Type:  ItemType(i % 4),
-			Value: strings.Repeat("x", i%200) + ".com",
-		}
-	}
-	return map[string][]Item{"large": items}
-}

common/geosite/reader.go

@@ -9,6 +9,7 @@ import (
 	"sync/atomic"
 
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/varbin"
 )
 
 type Reader struct {
@@ -77,7 +78,7 @@ func (r *Reader) readMetadata() error {
 			codeIndex  uint64
 			codeLength uint64
 		)
-		code, err = readString(reader)
+		code, err = varbin.ReadValue[string](reader, binary.BigEndian)
 		if err != nil {
 			return err
 		}
@@ -111,16 +112,9 @@ func (r *Reader) Read(code string) ([]Item, error) {
 	}
 	r.bufferedReader.Reset(r.reader)
 	itemList := make([]Item, r.domainLength[code])
-	for i := range itemList {
-		typeByte, err := r.bufferedReader.ReadByte()
-		if err != nil {
-			return nil, err
-		}
-		itemList[i].Type = ItemType(typeByte)
-		itemList[i].Value, err = readString(r.bufferedReader)
-		if err != nil {
-			return nil, err
-		}
+	err = varbin.Read(r.bufferedReader, binary.BigEndian, &itemList)
+	if err != nil {
+		return nil, err
 	}
 	return itemList, nil
 }
@@ -141,18 +135,3 @@ func (r *readCounter) Read(p []byte) (n int, err error) {
 	}
 	return
 }
-
-func readString(reader io.ByteReader) (string, error) {
-	length, err := binary.ReadUvarint(reader)
-	if err != nil {
-		return "", err
-	}
-	bytes := make([]byte, length)
-	for i := range bytes {
-		bytes[i], err = reader.ReadByte()
-		if err != nil {
-			return "", err
-		}
-	}
-	return string(bytes), nil
-}

common/geosite/writer.go

@@ -2,6 +2,7 @@ package geosite
 
 import (
 	"bytes"
+	"encoding/binary"
 	"sort"
 
 	"github.com/sagernet/sing/common/varbin"
@@ -19,11 +20,7 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 	for _, code := range keys {
 		index[code] = content.Len()
 		for _, item := range domains[code] {
-			err := content.WriteByte(byte(item.Type))
-			if err != nil {
-				return err
-			}
-			err = writeString(content, item.Value)
+			err := varbin.Write(content, binary.BigEndian, item)
 			if err != nil {
 				return err
 			}
@@ -41,7 +38,7 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 	}
 
 	for _, code := range keys {
-		err = writeString(writer, code)
+		err = varbin.Write(writer, binary.BigEndian, code)
 		if err != nil {
 			return err
 		}
@@ -62,12 +59,3 @@ func Write(writer varbin.Writer, domains map[string][]Item) error {
 
 	return nil
 }
-
-func writeString(writer varbin.Writer, value string) error {
-	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
-	if err != nil {
-		return err
-	}
-	_, err = writer.Write([]byte(value))
-	return err
-}

common/listener/listener_tcp.go

@@ -99,6 +99,8 @@ func (l *Listener) loopTCPIn() {
 		}
 		//nolint:staticcheck
 		metadata.InboundDetour = l.listenOptions.Detour
+		//nolint:staticcheck
+		metadata.InboundOptions = l.listenOptions.InboundOptions
 		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
 		metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
 		ctx := log.ContextWithNewID(l.ctx)

common/sniff/quic.go

@@ -303,6 +303,8 @@ find:
 	metadata.Protocol = C.ProtocolQUIC
 	fingerprint, err := ja3.Compute(buffer.Bytes())
 	if err != nil {
+		metadata.Protocol = C.ProtocolQUIC
+		metadata.Client = C.ClientChromium
 		metadata.SniffContext = fragments
 		return E.Cause1(ErrNeedMoreData, err)
 	}
@@ -332,7 +334,7 @@ find:
 		}
 
 		if count(frameTypeList, frameTypeCrypto) > 1 || count(frameTypeList, frameTypePing) > 0 {
-			if isQUICGo(fingerprint) {
+			if maybeUQUIC(fingerprint) {
 				metadata.Client = C.ClientQUICGo
 			} else {
 				metadata.Client = C.ClientChromium

common/sniff/quic_blacklist.go

@@ -1,29 +1,21 @@
 package sniff
 
 import (
+	"crypto/tls"
+
 	"github.com/sagernet/sing-box/common/ja3"
 )
 
-const (
-	// X25519Kyber768Draft00 - post-quantum curve used by Go crypto/tls
-	x25519Kyber768Draft00 uint16 = 0x11EC // 4588
-	// renegotiation_info extension used by Go crypto/tls
-	extensionRenegotiationInfo uint16 = 0xFF01 // 65281
-)
-
-// isQUICGo detects native quic-go by checking for Go crypto/tls specific features.
-// Note: uQUIC with Chromium mimicry cannot be reliably distinguished from real Chromium
-// since it uses the same TLS fingerprint, so it will be identified as Chromium.
-func isQUICGo(fingerprint *ja3.ClientHello) bool {
-	for _, curve := range fingerprint.EllipticCurves {
-		if curve == x25519Kyber768Draft00 {
-			return true
-		}
-	}
-	for _, ext := range fingerprint.Extensions {
-		if ext == extensionRenegotiationInfo {
-			return true
-		}
-	}
-	return false
+// Chromium sends separate client hello packets, but UQUIC has not yet implemented this behavior
+// The cronet without this behavior does not have version 115
+var uQUICChrome115 = &ja3.ClientHello{
+	Version:             tls.VersionTLS12,
+	CipherSuites:        []uint16{4865, 4866, 4867},
+	Extensions:          []uint16{0, 10, 13, 16, 27, 43, 45, 51, 57, 17513},
+	EllipticCurves:      []uint16{29, 23, 24},
+	SignatureAlgorithms: []uint16{1027, 2052, 1025, 1283, 2053, 1281, 2054, 1537, 513},
+}
+
+func maybeUQUIC(fingerprint *ja3.ClientHello) bool {
+	return !uQUICChrome115.Equals(fingerprint, true)
 }

common/sniff/quic_capture_test.go

@@ -1,188 +0,0 @@
-package sniff_test
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/hex"
-	"errors"
-	"net"
-	"testing"
-	"time"
-
-	"github.com/sagernet/quic-go"
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/sniff"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestSniffQUICQuicGoFingerprint(t *testing.T) {
-	t.Parallel()
-	const testSNI = "test.example.com"
-
-	udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
-	require.NoError(t, err)
-	defer udpConn.Close()
-
-	serverAddr := udpConn.LocalAddr().(*net.UDPAddr)
-	packetsChan := make(chan [][]byte, 1)
-
-	go func() {
-		var packets [][]byte
-		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
-		for i := 0; i < 10; i++ {
-			buf := make([]byte, 2048)
-			n, _, err := udpConn.ReadFromUDP(buf)
-			if err != nil {
-				break
-			}
-			packets = append(packets, buf[:n])
-		}
-		packetsChan <- packets
-	}()
-
-	clientConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
-	require.NoError(t, err)
-	defer clientConn.Close()
-
-	tlsConfig := &tls.Config{
-		ServerName:         testSNI,
-		InsecureSkipVerify: true,
-		NextProtos:         []string{"h3"},
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-	defer cancel()
-
-	_, _ = quic.Dial(ctx, clientConn, serverAddr, tlsConfig, &quic.Config{})
-
-	select {
-	case packets := <-packetsChan:
-		t.Logf("Captured %d packets", len(packets))
-
-		var metadata adapter.InboundContext
-		for i, pkt := range packets {
-			err := sniff.QUICClientHello(context.Background(), &metadata, pkt)
-			t.Logf("Packet %d: err=%v, domain=%s, client=%s", i, err, metadata.Domain, metadata.Client)
-			if metadata.Domain != "" {
-				break
-			}
-		}
-
-		t.Logf("\n=== quic-go TLS Fingerprint Analysis ===")
-		t.Logf("Domain: %s", metadata.Domain)
-		t.Logf("Client: %s", metadata.Client)
-		t.Logf("Protocol: %s", metadata.Protocol)
-
-		// The client should be identified as quic-go, not chromium
-		// Current issue: it's being identified as chromium
-		if metadata.Client == "chromium" {
-			t.Log("WARNING: quic-go is being misidentified as chromium!")
-		}
-
-	case <-time.After(5 * time.Second):
-		t.Fatal("Timeout")
-	}
-}
-
-func TestSniffQUICInitialFromQuicGo(t *testing.T) {
-	t.Parallel()
-
-	const testSNI = "test.example.com"
-
-	// Create UDP listener to capture ALL initial packets
-	udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
-	require.NoError(t, err)
-	defer udpConn.Close()
-
-	serverAddr := udpConn.LocalAddr().(*net.UDPAddr)
-
-	// Channel to receive captured packets
-	packetsChan := make(chan [][]byte, 1)
-
-	// Start goroutine to capture packets
-	go func() {
-		var packets [][]byte
-		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
-		for i := 0; i < 5; i++ { // Capture up to 5 packets
-			buf := make([]byte, 2048)
-			n, _, err := udpConn.ReadFromUDP(buf)
-			if err != nil {
-				break
-			}
-			packets = append(packets, buf[:n])
-		}
-		packetsChan <- packets
-	}()
-
-	// Create QUIC client connection (will fail but we capture the initial packet)
-	clientConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
-	require.NoError(t, err)
-	defer clientConn.Close()
-
-	tlsConfig := &tls.Config{
-		ServerName:         testSNI,
-		InsecureSkipVerify: true,
-		NextProtos:         []string{"h3"},
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-	defer cancel()
-
-	// This will fail (no server) but sends initial packet
-	_, _ = quic.Dial(ctx, clientConn, serverAddr, tlsConfig, &quic.Config{})
-
-	// Wait for captured packets
-	select {
-	case packets := <-packetsChan:
-		t.Logf("Captured %d QUIC packets", len(packets))
-
-		for i, packet := range packets {
-			t.Logf("Packet %d: length=%d, first 30 bytes: %x", i, len(packet), packet[:min(30, len(packet))])
-		}
-
-		// Test sniffer with first packet
-		if len(packets) > 0 {
-			var metadata adapter.InboundContext
-			err := sniff.QUICClientHello(context.Background(), &metadata, packets[0])
-
-			t.Logf("First packet sniff error: %v", err)
-			t.Logf("Protocol: %s", metadata.Protocol)
-			t.Logf("Domain: %s", metadata.Domain)
-			t.Logf("Client: %s", metadata.Client)
-
-			// If first packet needs more data, try with subsequent packets
-			// IMPORTANT: reuse metadata to accumulate CRYPTO fragments via SniffContext
-			if errors.Is(err, sniff.ErrNeedMoreData) && len(packets) > 1 {
-				t.Log("First packet needs more data, trying subsequent packets with shared context...")
-				for i := 1; i < len(packets); i++ {
-					// Reuse same metadata to accumulate fragments
-					err = sniff.QUICClientHello(context.Background(), &metadata, packets[i])
-					t.Logf("Packet %d sniff result: err=%v, domain=%s, sniffCtx=%v", i, err, metadata.Domain, metadata.SniffContext != nil)
-					if metadata.Domain != "" || (err != nil && !errors.Is(err, sniff.ErrNeedMoreData)) {
-						break
-					}
-				}
-			}
-
-			// Print hex dump for debugging
-			t.Logf("First packet hex:\n%s", hex.Dump(packets[0][:min(256, len(packets[0]))]))
-
-			// Log final results
-			t.Logf("Final: Protocol=%s, Domain=%s, Client=%s", metadata.Protocol, metadata.Domain, metadata.Client)
-
-			// Verify SNI extraction
-			if metadata.Domain == "" {
-				t.Errorf("Failed to extract SNI, expected: %s", testSNI)
-			} else {
-				require.Equal(t, testSNI, metadata.Domain, "SNI should match")
-			}
-
-			// Check client identification - quic-go should be identified as quic-go, not chromium
-			t.Logf("Client identified as: %s (expected: quic-go)", metadata.Client)
-		}
-
-	case <-time.After(5 * time.Second):
-		t.Fatal("Timeout waiting for QUIC packets")
-	}
-}

common/sniff/quic_test.go

@@ -19,7 +19,7 @@ func TestSniffQUICChromeNew(t *testing.T) {
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Empty(t, metadata.Client)
+	require.Equal(t, metadata.Client, C.ClientChromium)
 	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
 	pkt, err = hex.DecodeString("cc0000000108e241a0c601413b4f004046006d8f15dae9999edf39d58df6762822b9a2ab996d7f6a10044338af3b51b1814bc4ac0fa5a87c34c6ae604af8cabc5957c5240174deefc8e378719ffdab2ae4e15bf4514bea44894b626c685cd5d5c965f7e97b3a1bdc520b75813e747f37a3ae83ad38b9ca2acb0de4fc9424839a50c8fb815a62b498609fbbc59145698860e0509cc08a04d1b119daef844ba2f09c16e2665e5cc0b47624b71f7b950c54fd56b4a1fbb826cba44eeeee3949ced8f5de60d4c81b19ee59f75aa1abb33f22c6b13c27095eb1e99cff01fdc93e6e88da2622ee18c08a79f508befd7e33e99bca60e64bef9a47b764384bd93823daeeb6fcb4d7cfbc4ab53eff59b3636f6dcaaf229b5a94941b5712807166b9bd5e82cb4a9708a71451c4cd6f6e33fb2fe40c8c70dd51a30b37ff9c5e35783debde0093fde19ce074b4887b3c90980b107b9c0f32cf61a66f37c251b789abc4d27fc421207966846c8cc7faa42d9af6ad355a6bc94cb78223b612be8b3e2a4df61fee83a674a0ceb8b7c3a29b97102cda22fecdf6a4628e5b612bc17eab64d6f75feedd0b106c0419e484e66725759964cb5935ac5125e5ae920cd280bd40df57c1d7ae1845700bd4eb7b7ab12bc0850950bfe6e69edd6ac1daa5db2c2b07484327196e561c513462d72872dc6771c39f6b60d46a1f2c92343b7338450a0ef8e39f97fa70652b3a12cd04043698951627aaaa82cc95e76df92021d30e8014c984f12eea0143de8b17e5e4a36ec07bf4814251b391f168a59ef75afcd2319249aaba930f06bb7a11b9491e6f71b3d5774a6503a965e94edd0a67737282fc9cb0271779ff14151b7aa9267bb8f7d643185512515aeea513c0c98bfae782381a3317064195d8825cf8b25c17cdab5fced02612a3f2870e40df57e6ca3f08228a2b04e8de1425eb4b970118f9bbdc212223ff86a5d6b648cdf2366722f21de4b14a1014879eadb69215cdb1aa2a9f4f310ecfe3116214fe3ab0a23f4775a0a54b48d7dfd8f7283ed687b3ac7e1a7e42a0bdc3478aba8651c03e1e9cc9df17d106b8130afe854269b0103b7a696f452721887b19d8181830073c9f10684c65f96d3a6c6efbae044eec03d6399e001fa44d54635dc72f9b8ea6b87d0f452cad1e1e32273e2b47c40f2730235adcae8523b8282f86b8cf1ab63ae54aaa06130df3bbf6ecac7d7d1d43d2a87aea837267ff8ccfaa4b7e47b7ded909e6603d0b928a304f8915c839153598adc4178eb48bc0e98ad7793d7980275e1e491ba4847a4a04ae30fe7f5cc7d4b6f4f63a525e9964d72245860ca76a668a4654adb6619f16e9db79131e5675b93cafb96c92f1da8464d4fef2a22e7f9db695965fe2cc27ea30974629c8fe17cfa2f860179e1eb9faaa88a91ec9ce6da28c1a2894c3b932b5e1c807146718cc77ca13c61eaae00c7c99e019f599772064b198c5c2c5e863336367673630b417ac845ddb7c93b0856317e5d64bab208c5730abc2c63536784fbeaaec139dffc917e775715f1e42164ddef5138d4d163609ab3fbdcab968f8738385c0e7e34ff3cf7771a1dc5ba25a8850fdf96dabafa21f9065f307457ce9af4b7a73450c9d20a3b46fa8d3a1163d22bd01a7d17f0ec274181bf9640fa941427694bfeb1346089f7a851efe0fbb7a2041fa6bb6541ccbad77dd3e1a97999fc05f1fef070e7b5c4b385b8b2a8cc32483fdeba6a373970de2fa4139ba18e5916f949aab0aab2894")
 	require.NoError(t, err)
@@ -39,7 +39,7 @@ func TestSniffQUICChromium(t *testing.T) {
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Empty(t, metadata.Client)
+	require.Equal(t, metadata.Client, C.ClientChromium)
 	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
 	pkt, err = hex.DecodeString("c90000000108f40d654cc09b27f5000044d073eb38807026d4088455e650e7ccf750d01a72f15f9bfc8ff40d223499db1a485cff14dbd45b9be118172834dc35dca3cf62f61a1266f40b92faf3d28d67a466cfdca678ddced15cd606d31959cf441828467857b226d1a241847c82c57312cefe68ba5042d929919bcd4403b39e5699fe87dda05df1b3801e048edee792458e9b1a9b1d4039df05847bcee3be567494b5876e3bd4c3220fe9dfdb2c07d77410f907f744251ef15536cc03b267d3668d5b75bc1ad2fe735cd3bb73519dd9f1625a49e17ad27bdeccf706c83b5ea339a0a05dd0072f4a8f162bd29926b4997f05613c6e4b0270b0c02805ca0543f27c1ff8505a5750bdd33529ee73c491050a10c6903f53c1121dbe0380e84c007c8df74a1b02443ed80ba7766aef5549e618d4fd249844ee28565142005369869299e8c3035ecef3d799f6cada8549e75b4ce4cbf4c85ef071fd7ff067b1ca9b5968dc41d13d011f6d7843823bac97acb1eb8ee45883f0f254b5f9bd4c763b67e2d8c70a7618a0ef0de304cf597a485126e09f8b2fd795b394c0b4bc4cd2634c2057970da2c798c5e8af7aed4f76f5e25d04e3f8c9c5a5b150d17e0d4c74229898c69b8dc7b8bcc9d359eb441de75c68fbdebec62fb669dcccfb1aad03e3fa073adb2ccf7bb14cbaf99e307d2c903ee71a8f028102eb510caee7e7397512086a78d1f95635c7d06845b5a708652dc4e5cd61245aae5b3c05b84815d84d367bce9b9e3f6d6b90701ac3679233c14d5ce2a1eff26469c966266dc6284bdb95c9c6158934c413a872ce22101e4163e3293d236b301592ca4ccacc1fd4c37066e79c2d9857c8a2560dcf0b33b19163c4240c471b19907476e7e25c65f7eb37276594a0f6b4c33c340cc3284178f17ac5e34dbe7509db890e4ddfd0540fbf9deb32a0101d24fe58b26c5f81c627db9d6ae59d7a111a3d5d1f6109f4eec0d0234e6d73c73a44f50999462724b51ce0fd8283535d70d9e83872c79c59897407a0736741011ae5c64862eb0712f9e7b07aa1d5418ca3fde8626257c6fe418f3c5479055bb2b0ab4c25f649923fc2a41c79aaa7d0f3af6d8b8cf06f61f0230d09bbb60bb49b9e49cc5973748a6cf7ffdee7804d424f9423c63e7ff22f4bd24e4867636ef9fe8dd37f59941a8a47c27765caa8e875a30b62834f17c569227e5e6ed15d58e05d36e76332befad065a2cd4079e66d5af189b0337624c89b1560c3b1b0befd5c1f20e6de8e3d664b3ac06b3d154b488983e14aa93266f5f8b621d2a9bb7ccce509eb26e025c9c45f7cccc09ce85b3103af0c93ce9822f82ecb168ca3177829afb2ea0da2c380e7b1728add55a5d42632e2290363d4cbe432b67e13691648e1acfab22cf0d551eee857709b428bb78e27a45aff6eca301c02e4d13cf36cc2494fdd1aef8dede6e18febd79dca4c6964d09b91c25a08f0947c76ab5104de9404459c2edf5f4adb9dfd771be83656f77fbbafb1ad3281717066010be8778952495383c9f2cf0a38527228c662a35171c5981731f1af09bab842fe6c3162ad4152a4221f560eb6f9bea66b294ffbd3643da2fe34096da13c246505452540177a2a0a1a69106e5cfc279a4890fc3be2952f26be245f930e6c2d9e7e26ee960481e72b99594a1185b46b94b6436d00ba6c70ffe135d43907c92c6f1c09fb9453f103730714f5700fa4347f9715c774cb04a7218dacc66d9c2fade18b14e684aa7fc9ebda0a28")
 	require.NoError(t, err)

common/srs/binary.go

@@ -6,7 +6,6 @@ import (
 	"encoding/binary"
 	"io"
 	"net/netip"
-	"unsafe"
 
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
@@ -506,24 +505,7 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 }
 
 func readRuleItemString(reader varbin.Reader) ([]string, error) {
-	length, err := binary.ReadUvarint(reader)
-	if err != nil {
-		return nil, err
-	}
-	result := make([]string, length)
-	for i := range result {
-		strLen, err := binary.ReadUvarint(reader)
-		if err != nil {
-			return nil, err
-		}
-		buf := make([]byte, strLen)
-		_, err = io.ReadFull(reader, buf)
-		if err != nil {
-			return nil, err
-		}
-		result[i] = string(buf)
-	}
-	return result, nil
+	return varbin.ReadValue[[]string](reader, binary.BigEndian)
 }
 
 func writeRuleItemString(writer varbin.Writer, itemType uint8, value []string) error {
@@ -531,34 +513,11 @@ func writeRuleItemString(writer varbin.Writer, itemType uint8, value []string) e
 	if err != nil {
 		return err
 	}
-	_, err = varbin.WriteUvarint(writer, uint64(len(value)))
-	if err != nil {
-		return err
-	}
-	for _, s := range value {
-		_, err = varbin.WriteUvarint(writer, uint64(len(s)))
-		if err != nil {
-			return err
-		}
-		_, err = writer.Write([]byte(s))
-		if err != nil {
-			return err
-		}
-	}
-	return nil
+	return varbin.Write(writer, binary.BigEndian, value)
 }
 
 func readRuleItemUint8[E ~uint8](reader varbin.Reader) ([]E, error) {
-	length, err := binary.ReadUvarint(reader)
-	if err != nil {
-		return nil, err
-	}
-	result := make([]E, length)
-	_, err = io.ReadFull(reader, *(*[]byte)(unsafe.Pointer(&result)))
-	if err != nil {
-		return nil, err
-	}
-	return result, nil
+	return varbin.ReadValue[[]E](reader, binary.BigEndian)
 }
 
 func writeRuleItemUint8[E ~uint8](writer varbin.Writer, itemType uint8, value []E) error {
@@ -566,25 +525,11 @@ func writeRuleItemUint8[E ~uint8](writer varbin.Writer, itemType uint8, value []
 	if err != nil {
 		return err
 	}
-	_, err = varbin.WriteUvarint(writer, uint64(len(value)))
-	if err != nil {
-		return err
-	}
-	_, err = writer.Write(*(*[]byte)(unsafe.Pointer(&value)))
-	return err
+	return varbin.Write(writer, binary.BigEndian, value)
 }
 
 func readRuleItemUint16(reader varbin.Reader) ([]uint16, error) {
-	length, err := binary.ReadUvarint(reader)
-	if err != nil {
-		return nil, err
-	}
-	result := make([]uint16, length)
-	err = binary.Read(reader, binary.BigEndian, result)
-	if err != nil {
-		return nil, err
-	}
-	return result, nil
+	return varbin.ReadValue[[]uint16](reader, binary.BigEndian)
 }
 
 func writeRuleItemUint16(writer varbin.Writer, itemType uint8, value []uint16) error {
@@ -592,11 +537,7 @@ func writeRuleItemUint16(writer varbin.Writer, itemType uint8, value []uint16) e
 	if err != nil {
 		return err
 	}
-	_, err = varbin.WriteUvarint(writer, uint64(len(value)))
-	if err != nil {
-		return err
-	}
-	return binary.Write(writer, binary.BigEndian, value)
+	return varbin.Write(writer, binary.BigEndian, value)
 }
 
 func writeRuleItemCIDR(writer varbin.Writer, itemType uint8, value []string) error {

common/srs/compat_test.go

@@ -1,494 +0,0 @@
-package srs
-
-import (
-	"bufio"
-	"bytes"
-	"encoding/binary"
-	"net/netip"
-	"strings"
-	"testing"
-	"unsafe"
-
-	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/common/varbin"
-
-	"github.com/stretchr/testify/require"
-	"go4.org/netipx"
-)
-
-// Old implementations using varbin reflection-based serialization
-
-func oldWriteStringSlice(writer varbin.Writer, value []string) error {
-	//nolint:staticcheck
-	return varbin.Write(writer, binary.BigEndian, value)
-}
-
-func oldReadStringSlice(reader varbin.Reader) ([]string, error) {
-	//nolint:staticcheck
-	return varbin.ReadValue[[]string](reader, binary.BigEndian)
-}
-
-func oldWriteUint8Slice[E ~uint8](writer varbin.Writer, value []E) error {
-	//nolint:staticcheck
-	return varbin.Write(writer, binary.BigEndian, value)
-}
-
-func oldReadUint8Slice[E ~uint8](reader varbin.Reader) ([]E, error) {
-	//nolint:staticcheck
-	return varbin.ReadValue[[]E](reader, binary.BigEndian)
-}
-
-func oldWriteUint16Slice(writer varbin.Writer, value []uint16) error {
-	//nolint:staticcheck
-	return varbin.Write(writer, binary.BigEndian, value)
-}
-
-func oldReadUint16Slice(reader varbin.Reader) ([]uint16, error) {
-	//nolint:staticcheck
-	return varbin.ReadValue[[]uint16](reader, binary.BigEndian)
-}
-
-func oldWritePrefix(writer varbin.Writer, prefix netip.Prefix) error {
-	//nolint:staticcheck
-	err := varbin.Write(writer, binary.BigEndian, prefix.Addr().AsSlice())
-	if err != nil {
-		return err
-	}
-	return binary.Write(writer, binary.BigEndian, uint8(prefix.Bits()))
-}
-
-type oldIPRangeData struct {
-	From []byte
-	To   []byte
-}
-
-// Note: The old writeIPSet had a bug where varbin.Write(writer, binary.BigEndian, data)
-// with a struct VALUE (not pointer) silently wrote nothing because field.CanSet() returned false.
-// This caused IP range data to be missing from the output.
-// The new implementation correctly writes all range data.
-//
-// The old readIPSet used varbin.Read with a pre-allocated slice, which worked because
-// slice elements are addressable and CanSet() returns true for them.
-//
-// For compatibility testing, we verify:
-// 1. New write produces correct output with range data
-// 2. New read can parse the new format correctly
-// 3. Round-trip works correctly
-
-func oldReadIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
-	version, err := reader.ReadByte()
-	if err != nil {
-		return nil, err
-	}
-	if version != 1 {
-		return nil, err
-	}
-	var length uint64
-	err = binary.Read(reader, binary.BigEndian, &length)
-	if err != nil {
-		return nil, err
-	}
-	ranges := make([]oldIPRangeData, length)
-	//nolint:staticcheck
-	err = varbin.Read(reader, binary.BigEndian, &ranges)
-	if err != nil {
-		return nil, err
-	}
-	mySet := &myIPSet{
-		rr: make([]myIPRange, len(ranges)),
-	}
-	for i, rangeData := range ranges {
-		mySet.rr[i].from = M.AddrFromIP(rangeData.From)
-		mySet.rr[i].to = M.AddrFromIP(rangeData.To)
-	}
-	return (*netipx.IPSet)(unsafe.Pointer(mySet)), nil
-}
-
-// New write functions (without itemType prefix for testing)
-
-func newWriteStringSlice(writer varbin.Writer, value []string) error {
-	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
-	if err != nil {
-		return err
-	}
-	for _, s := range value {
-		_, err = varbin.WriteUvarint(writer, uint64(len(s)))
-		if err != nil {
-			return err
-		}
-		_, err = writer.Write([]byte(s))
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func newWriteUint8Slice[E ~uint8](writer varbin.Writer, value []E) error {
-	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
-	if err != nil {
-		return err
-	}
-	_, err = writer.Write(*(*[]byte)(unsafe.Pointer(&value)))
-	return err
-}
-
-func newWriteUint16Slice(writer varbin.Writer, value []uint16) error {
-	_, err := varbin.WriteUvarint(writer, uint64(len(value)))
-	if err != nil {
-		return err
-	}
-	return binary.Write(writer, binary.BigEndian, value)
-}
-
-func newWritePrefix(writer varbin.Writer, prefix netip.Prefix) error {
-	addrSlice := prefix.Addr().AsSlice()
-	_, err := varbin.WriteUvarint(writer, uint64(len(addrSlice)))
-	if err != nil {
-		return err
-	}
-	_, err = writer.Write(addrSlice)
-	if err != nil {
-		return err
-	}
-	return writer.WriteByte(uint8(prefix.Bits()))
-}
-
-// Tests
-
-func TestStringSliceCompat(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name  string
-		input []string
-	}{
-		{"nil", nil},
-		{"empty", []string{}},
-		{"single_empty", []string{""}},
-		{"single", []string{"test"}},
-		{"multi", []string{"a", "b", "c"}},
-		{"with_empty", []string{"a", "", "c"}},
-		{"utf8", []string{"测试", "テスト", "тест"}},
-		{"long_string", []string{strings.Repeat("x", 128)}},
-		{"many_elements", generateStrings(128)},
-		{"many_elements_256", generateStrings(256)},
-		{"127_byte_string", []string{strings.Repeat("x", 127)}},
-		{"128_byte_string", []string{strings.Repeat("x", 128)}},
-		{"mixed_lengths", []string{"a", strings.Repeat("b", 100), "", strings.Repeat("c", 200)}},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			// Old write
-			var oldBuf bytes.Buffer
-			err := oldWriteStringSlice(&oldBuf, tc.input)
-			require.NoError(t, err)
-
-			// New write
-			var newBuf bytes.Buffer
-			err = newWriteStringSlice(&newBuf, tc.input)
-			require.NoError(t, err)
-
-			// Bytes must match
-			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
-				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
-
-			// New write -> old read
-			readBack, err := oldReadStringSlice(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
-			require.NoError(t, err)
-			requireStringSliceEqual(t, tc.input, readBack)
-
-			// Old write -> new read
-			readBack2, err := readRuleItemString(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
-			require.NoError(t, err)
-			requireStringSliceEqual(t, tc.input, readBack2)
-		})
-	}
-}
-
-func TestUint8SliceCompat(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name  string
-		input []uint8
-	}{
-		{"nil", nil},
-		{"empty", []uint8{}},
-		{"single_zero", []uint8{0}},
-		{"single_max", []uint8{255}},
-		{"multi", []uint8{0, 1, 127, 128, 255}},
-		{"boundary", []uint8{0x00, 0x7f, 0x80, 0xff}},
-		{"sequential", generateUint8Slice(256)},
-		{"127_elements", generateUint8Slice(127)},
-		{"128_elements", generateUint8Slice(128)},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			// Old write
-			var oldBuf bytes.Buffer
-			err := oldWriteUint8Slice(&oldBuf, tc.input)
-			require.NoError(t, err)
-
-			// New write
-			var newBuf bytes.Buffer
-			err = newWriteUint8Slice(&newBuf, tc.input)
-			require.NoError(t, err)
-
-			// Bytes must match
-			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
-				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
-
-			// New write -> old read
-			readBack, err := oldReadUint8Slice[uint8](bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
-			require.NoError(t, err)
-			requireUint8SliceEqual(t, tc.input, readBack)
-
-			// Old write -> new read
-			readBack2, err := readRuleItemUint8[uint8](bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
-			require.NoError(t, err)
-			requireUint8SliceEqual(t, tc.input, readBack2)
-		})
-	}
-}
-
-func TestUint16SliceCompat(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name  string
-		input []uint16
-	}{
-		{"nil", nil},
-		{"empty", []uint16{}},
-		{"single_zero", []uint16{0}},
-		{"single_max", []uint16{65535}},
-		{"multi", []uint16{0, 255, 256, 32767, 32768, 65535}},
-		{"ports", []uint16{80, 443, 8080, 8443}},
-		{"127_elements", generateUint16Slice(127)},
-		{"128_elements", generateUint16Slice(128)},
-		{"256_elements", generateUint16Slice(256)},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			// Old write
-			var oldBuf bytes.Buffer
-			err := oldWriteUint16Slice(&oldBuf, tc.input)
-			require.NoError(t, err)
-
-			// New write
-			var newBuf bytes.Buffer
-			err = newWriteUint16Slice(&newBuf, tc.input)
-			require.NoError(t, err)
-
-			// Bytes must match
-			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
-				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
-
-			// New write -> old read
-			readBack, err := oldReadUint16Slice(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
-			require.NoError(t, err)
-			requireUint16SliceEqual(t, tc.input, readBack)
-
-			// Old write -> new read
-			readBack2, err := readRuleItemUint16(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
-			require.NoError(t, err)
-			requireUint16SliceEqual(t, tc.input, readBack2)
-		})
-	}
-}
-
-func TestPrefixCompat(t *testing.T) {
-	t.Parallel()
-
-	cases := []struct {
-		name  string
-		input netip.Prefix
-	}{
-		{"ipv4_0", netip.MustParsePrefix("0.0.0.0/0")},
-		{"ipv4_8", netip.MustParsePrefix("10.0.0.0/8")},
-		{"ipv4_16", netip.MustParsePrefix("192.168.0.0/16")},
-		{"ipv4_24", netip.MustParsePrefix("192.168.1.0/24")},
-		{"ipv4_32", netip.MustParsePrefix("1.2.3.4/32")},
-		{"ipv6_0", netip.MustParsePrefix("::/0")},
-		{"ipv6_64", netip.MustParsePrefix("2001:db8::/64")},
-		{"ipv6_128", netip.MustParsePrefix("::1/128")},
-		{"ipv6_full", netip.MustParsePrefix("2001:0db8:85a3:0000:0000:8a2e:0370:7334/128")},
-		{"ipv4_private", netip.MustParsePrefix("172.16.0.0/12")},
-		{"ipv6_link_local", netip.MustParsePrefix("fe80::/10")},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			// Old write
-			var oldBuf bytes.Buffer
-			err := oldWritePrefix(&oldBuf, tc.input)
-			require.NoError(t, err)
-
-			// New write
-			var newBuf bytes.Buffer
-			err = newWritePrefix(&newBuf, tc.input)
-			require.NoError(t, err)
-
-			// Bytes must match
-			require.Equal(t, oldBuf.Bytes(), newBuf.Bytes(),
-				"mismatch for %q\nold: %x\nnew: %x", tc.name, oldBuf.Bytes(), newBuf.Bytes())
-
-			// New write -> new read (no old read for prefix)
-			readBack, err := readPrefix(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
-			require.NoError(t, err)
-			require.Equal(t, tc.input, readBack)
-
-			// Old write -> new read
-			readBack2, err := readPrefix(bufio.NewReader(bytes.NewReader(oldBuf.Bytes())))
-			require.NoError(t, err)
-			require.Equal(t, tc.input, readBack2)
-		})
-	}
-}
-
-func TestIPSetCompat(t *testing.T) {
-	t.Parallel()
-
-	// Note: The old writeIPSet was buggy (varbin.Write with struct values wrote nothing).
-	// This test verifies the new implementation writes correct data and round-trips correctly.
-
-	cases := []struct {
-		name  string
-		input *netipx.IPSet
-	}{
-		{"single_ipv4", buildIPSet("1.2.3.4")},
-		{"ipv4_range", buildIPSet("192.168.0.0/16")},
-		{"multi_ipv4", buildIPSet("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")},
-		{"single_ipv6", buildIPSet("::1")},
-		{"ipv6_range", buildIPSet("2001:db8::/32")},
-		{"mixed", buildIPSet("10.0.0.0/8", "::1", "2001:db8::/32")},
-		{"large", buildLargeIPSet(100)},
-		{"adjacent_ranges", buildIPSet("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24")},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			// New write
-			var newBuf bytes.Buffer
-			err := writeIPSet(&newBuf, tc.input)
-			require.NoError(t, err)
-
-			// Verify format starts with version byte (1) + uint64 count
-			require.True(t, len(newBuf.Bytes()) >= 9, "output too short")
-			require.Equal(t, byte(1), newBuf.Bytes()[0], "version byte mismatch")
-
-			// New write -> old read (varbin.Read with pre-allocated slice works correctly)
-			readBack, err := oldReadIPSet(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
-			require.NoError(t, err)
-			requireIPSetEqual(t, tc.input, readBack)
-
-			// New write -> new read
-			readBack2, err := readIPSet(bufio.NewReader(bytes.NewReader(newBuf.Bytes())))
-			require.NoError(t, err)
-			requireIPSetEqual(t, tc.input, readBack2)
-		})
-	}
-}
-
-// Helper functions
-
-func generateStrings(count int) []string {
-	result := make([]string, count)
-	for i := range result {
-		result[i] = strings.Repeat("x", i%50)
-	}
-	return result
-}
-
-func generateUint8Slice(count int) []uint8 {
-	result := make([]uint8, count)
-	for i := range result {
-		result[i] = uint8(i % 256)
-	}
-	return result
-}
-
-func generateUint16Slice(count int) []uint16 {
-	result := make([]uint16, count)
-	for i := range result {
-		result[i] = uint16(i * 257)
-	}
-	return result
-}
-
-func buildIPSet(cidrs ...string) *netipx.IPSet {
-	var builder netipx.IPSetBuilder
-	for _, cidr := range cidrs {
-		prefix, err := netip.ParsePrefix(cidr)
-		if err != nil {
-			addr, err := netip.ParseAddr(cidr)
-			if err != nil {
-				panic(err)
-			}
-			builder.Add(addr)
-		} else {
-			builder.AddPrefix(prefix)
-		}
-	}
-	set, _ := builder.IPSet()
-	return set
-}
-
-func buildLargeIPSet(count int) *netipx.IPSet {
-	var builder netipx.IPSetBuilder
-	for i := 0; i < count; i++ {
-		prefix := netip.PrefixFrom(netip.AddrFrom4([4]byte{10, byte(i / 256), byte(i % 256), 0}), 24)
-		builder.AddPrefix(prefix)
-	}
-	set, _ := builder.IPSet()
-	return set
-}
-
-func requireStringSliceEqual(t *testing.T, expected, actual []string) {
-	t.Helper()
-	if len(expected) == 0 && len(actual) == 0 {
-		return
-	}
-	require.Equal(t, expected, actual)
-}
-
-func requireUint8SliceEqual(t *testing.T, expected, actual []uint8) {
-	t.Helper()
-	if len(expected) == 0 && len(actual) == 0 {
-		return
-	}
-	require.Equal(t, expected, actual)
-}
-
-func requireUint16SliceEqual(t *testing.T, expected, actual []uint16) {
-	t.Helper()
-	if len(expected) == 0 && len(actual) == 0 {
-		return
-	}
-	require.Equal(t, expected, actual)
-}
-
-func requireIPSetEqual(t *testing.T, expected, actual *netipx.IPSet) {
-	t.Helper()
-	expectedRanges := expected.Ranges()
-	actualRanges := actual.Ranges()
-	require.Equal(t, len(expectedRanges), len(actualRanges), "range count mismatch")
-	for i := range expectedRanges {
-		require.Equal(t, expectedRanges[i].From(), actualRanges[i].From(), "range[%d].from mismatch", i)
-		require.Equal(t, expectedRanges[i].To(), actualRanges[i].To(), "range[%d].to mismatch", i)
-	}
-}

common/srs/ip_cidr.go

@@ -2,7 +2,6 @@ package srs
 
 import (
 	"encoding/binary"
-	"io"
 	"net/netip"
 
 	M "github.com/sagernet/sing/common/metadata"
@@ -10,16 +9,11 @@ import (
 )
 
 func readPrefix(reader varbin.Reader) (netip.Prefix, error) {
-	addrLen, err := binary.ReadUvarint(reader)
+	addrSlice, err := varbin.ReadValue[[]byte](reader, binary.BigEndian)
 	if err != nil {
 		return netip.Prefix{}, err
 	}
-	addrSlice := make([]byte, addrLen)
-	_, err = io.ReadFull(reader, addrSlice)
-	if err != nil {
-		return netip.Prefix{}, err
-	}
-	prefixBits, err := reader.ReadByte()
+	prefixBits, err := varbin.ReadValue[uint8](reader, binary.BigEndian)
 	if err != nil {
 		return netip.Prefix{}, err
 	}
@@ -27,16 +21,11 @@ func readPrefix(reader varbin.Reader) (netip.Prefix, error) {
 }
 
 func writePrefix(writer varbin.Writer, prefix netip.Prefix) error {
-	addrSlice := prefix.Addr().AsSlice()
-	_, err := varbin.WriteUvarint(writer, uint64(len(addrSlice)))
+	err := varbin.Write(writer, binary.BigEndian, prefix.Addr().AsSlice())
 	if err != nil {
 		return err
 	}
-	_, err = writer.Write(addrSlice)
-	if err != nil {
-		return err
-	}
-	err = writer.WriteByte(uint8(prefix.Bits()))
+	err = binary.Write(writer, binary.BigEndian, uint8(prefix.Bits()))
 	if err != nil {
 		return err
 	}

common/srs/ip_set.go

@@ -2,11 +2,11 @@ package srs
 
 import (
 	"encoding/binary"
-	"io"
 	"net/netip"
 	"os"
 	"unsafe"
 
+	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/varbin"
 
@@ -22,6 +22,11 @@ type myIPRange struct {
 	to   netip.Addr
 }
 
+type myIPRangeData struct {
+	From []byte
+	To   []byte
+}
+
 func readIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
 	version, err := reader.ReadByte()
 	if err != nil {
@@ -36,30 +41,17 @@ func readIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
 	if err != nil {
 		return nil, err
 	}
-	mySet := &myIPSet{
-		rr: make([]myIPRange, length),
+	ranges := make([]myIPRangeData, length)
+	err = varbin.Read(reader, binary.BigEndian, &ranges)
+	if err != nil {
+		return nil, err
 	}
-	for i := range mySet.rr {
-		fromLen, err := binary.ReadUvarint(reader)
-		if err != nil {
-			return nil, err
-		}
-		fromBytes := make([]byte, fromLen)
-		_, err = io.ReadFull(reader, fromBytes)
-		if err != nil {
-			return nil, err
-		}
-		toLen, err := binary.ReadUvarint(reader)
-		if err != nil {
-			return nil, err
-		}
-		toBytes := make([]byte, toLen)
-		_, err = io.ReadFull(reader, toBytes)
-		if err != nil {
-			return nil, err
-		}
-		mySet.rr[i].from = M.AddrFromIP(fromBytes)
-		mySet.rr[i].to = M.AddrFromIP(toBytes)
+	mySet := &myIPSet{
+		rr: make([]myIPRange, len(ranges)),
+	}
+	for i, rangeData := range ranges {
+		mySet.rr[i].from = M.AddrFromIP(rangeData.From)
+		mySet.rr[i].to = M.AddrFromIP(rangeData.To)
 	}
 	return (*netipx.IPSet)(unsafe.Pointer(mySet)), nil
 }
@@ -69,27 +61,18 @@ func writeIPSet(writer varbin.Writer, set *netipx.IPSet) error {
 	if err != nil {
 		return err
 	}
-	mySet := (*myIPSet)(unsafe.Pointer(set))
-	err = binary.Write(writer, binary.BigEndian, uint64(len(mySet.rr)))
+	dataList := common.Map((*myIPSet)(unsafe.Pointer(set)).rr, func(rr myIPRange) myIPRangeData {
+		return myIPRangeData{
+			From: rr.from.AsSlice(),
+			To:   rr.to.AsSlice(),
+		}
+	})
+	err = binary.Write(writer, binary.BigEndian, uint64(len(dataList)))
 	if err != nil {
 		return err
 	}
-	for _, rr := range mySet.rr {
-		fromBytes := rr.from.AsSlice()
-		_, err = varbin.WriteUvarint(writer, uint64(len(fromBytes)))
-		if err != nil {
-			return err
-		}
-		_, err = writer.Write(fromBytes)
-		if err != nil {
-			return err
-		}
-		toBytes := rr.to.AsSlice()
-		_, err = varbin.WriteUvarint(writer, uint64(len(toBytes)))
-		if err != nil {
-			return err
-		}
-		_, err = writer.Write(toBytes)
+	for _, data := range dataList {
+		err = varbin.Write(writer, binary.BigEndian, data)
 		if err != nil {
 			return err
 		}

common/tls/acme.go

@@ -14,7 +14,6 @@ import (
 	"github.com/sagernet/sing/common/logger"
 
 	"github.com/caddyserver/certmagic"
-	"github.com/libdns/acmedns"
 	"github.com/libdns/alidns"
 	"github.com/libdns/cloudflare"
 	"github.com/mholt/acmez/v3/acme"
@@ -127,13 +126,6 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 				APIToken:  dnsOptions.CloudflareOptions.APIToken,
 				ZoneToken: dnsOptions.CloudflareOptions.ZoneToken,
 			}
-		case C.DNSProviderACMEDNS:
-			solver.DNSProvider = &acmedns.Provider{
-				Username:  dnsOptions.ACMEDNSOptions.Username,
-				Password:  dnsOptions.ACMEDNSOptions.Password,
-				Subdomain: dnsOptions.ACMEDNSOptions.Subdomain,
-				ServerURL: dnsOptions.ACMEDNSOptions.ServerURL,
-			}
 		default:
 			return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)
 		}

common/tls/ech.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	aTLS "github.com/sagernet/sing/common/tls"
@@ -37,7 +38,7 @@ func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, op
 	}
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		return nil, E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
+		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
 	}
 	if len(echConfig) > 0 {
 		block, rest := pem.Decode(echConfig)
@@ -76,7 +77,7 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	tlsConfig.EncryptedClientHelloKeys = echKeys
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		return E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
+		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
 	}
 	return nil
 }

constant/dns.go

@@ -33,5 +33,4 @@ const (
 const (
 	DNSProviderAliDNS     = "alidns"
 	DNSProviderCloudflare = "cloudflare"
-	DNSProviderACMEDNS    = "acmedns"
 )

constant/proxy.go

@@ -30,7 +30,6 @@ const (
 	TypeSSMAPI       = "ssm-api"
 	TypeCCM          = "ccm"
 	TypeOCM          = "ocm"
-	TypeOOMKiller    = "oom-killer"
 )
 
 const (
@@ -86,8 +85,6 @@ func ProxyDisplayName(proxyType string) string {
 		return "Hysteria2"
 	case TypeAnyTLS:
 		return "AnyTLS"
-	case TypeTailscale:
-		return "Tailscale"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:

daemon/helper.pb.go

@@ -0,0 +1,702 @@
+package daemon
+
+import (
+	reflect "reflect"
+	sync "sync"
+	unsafe "unsafe"
+
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	emptypb "google.golang.org/protobuf/types/known/emptypb"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type SubscribeHelperRequestRequest struct {
+	state                             protoimpl.MessageState `protogen:"open.v1"`
+	AcceptGetWIFIStateRequests        bool                   `protobuf:"varint,1,opt,name=acceptGetWIFIStateRequests,proto3" json:"acceptGetWIFIStateRequests,omitempty"`
+	AcceptFindConnectionOwnerRequests bool                   `protobuf:"varint,2,opt,name=acceptFindConnectionOwnerRequests,proto3" json:"acceptFindConnectionOwnerRequests,omitempty"`
+	AcceptSendNotificationRequests    bool                   `protobuf:"varint,3,opt,name=acceptSendNotificationRequests,proto3" json:"acceptSendNotificationRequests,omitempty"`
+	unknownFields                     protoimpl.UnknownFields
+	sizeCache                         protoimpl.SizeCache
+}
+
+func (x *SubscribeHelperRequestRequest) Reset() {
+	*x = SubscribeHelperRequestRequest{}
+	mi := &file_daemon_helper_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SubscribeHelperRequestRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SubscribeHelperRequestRequest) ProtoMessage() {}
+
+func (x *SubscribeHelperRequestRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_helper_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SubscribeHelperRequestRequest.ProtoReflect.Descriptor instead.
+func (*SubscribeHelperRequestRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_helper_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *SubscribeHelperRequestRequest) GetAcceptGetWIFIStateRequests() bool {
+	if x != nil {
+		return x.AcceptGetWIFIStateRequests
+	}
+	return false
+}
+
+func (x *SubscribeHelperRequestRequest) GetAcceptFindConnectionOwnerRequests() bool {
+	if x != nil {
+		return x.AcceptFindConnectionOwnerRequests
+	}
+	return false
+}
+
+func (x *SubscribeHelperRequestRequest) GetAcceptSendNotificationRequests() bool {
+	if x != nil {
+		return x.AcceptSendNotificationRequests
+	}
+	return false
+}
+
+type HelperRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	Id    int64                  `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	// Types that are valid to be assigned to Request:
+	//
+	//	*HelperRequest_GetWIFIState
+	//	*HelperRequest_FindConnectionOwner
+	//	*HelperRequest_SendNotification
+	Request       isHelperRequest_Request `protobuf_oneof:"request"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *HelperRequest) Reset() {
+	*x = HelperRequest{}
+	mi := &file_daemon_helper_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *HelperRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*HelperRequest) ProtoMessage() {}
+
+func (x *HelperRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_helper_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use HelperRequest.ProtoReflect.Descriptor instead.
+func (*HelperRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_helper_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *HelperRequest) GetId() int64 {
+	if x != nil {
+		return x.Id
+	}
+	return 0
+}
+
+func (x *HelperRequest) GetRequest() isHelperRequest_Request {
+	if x != nil {
+		return x.Request
+	}
+	return nil
+}
+
+func (x *HelperRequest) GetGetWIFIState() *emptypb.Empty {
+	if x != nil {
+		if x, ok := x.Request.(*HelperRequest_GetWIFIState); ok {
+			return x.GetWIFIState
+		}
+	}
+	return nil
+}
+
+func (x *HelperRequest) GetFindConnectionOwner() *FindConnectionOwnerRequest {
+	if x != nil {
+		if x, ok := x.Request.(*HelperRequest_FindConnectionOwner); ok {
+			return x.FindConnectionOwner
+		}
+	}
+	return nil
+}
+
+func (x *HelperRequest) GetSendNotification() *Notification {
+	if x != nil {
+		if x, ok := x.Request.(*HelperRequest_SendNotification); ok {
+			return x.SendNotification
+		}
+	}
+	return nil
+}
+
+type isHelperRequest_Request interface {
+	isHelperRequest_Request()
+}
+
+type HelperRequest_GetWIFIState struct {
+	GetWIFIState *emptypb.Empty `protobuf:"bytes,2,opt,name=getWIFIState,proto3,oneof"`
+}
+
+type HelperRequest_FindConnectionOwner struct {
+	FindConnectionOwner *FindConnectionOwnerRequest `protobuf:"bytes,3,opt,name=findConnectionOwner,proto3,oneof"`
+}
+
+type HelperRequest_SendNotification struct {
+	SendNotification *Notification `protobuf:"bytes,4,opt,name=sendNotification,proto3,oneof"`
+}
+
+func (*HelperRequest_GetWIFIState) isHelperRequest_Request() {}
+
+func (*HelperRequest_FindConnectionOwner) isHelperRequest_Request() {}
+
+func (*HelperRequest_SendNotification) isHelperRequest_Request() {}
+
+type FindConnectionOwnerRequest struct {
+	state              protoimpl.MessageState `protogen:"open.v1"`
+	IpProtocol         int32                  `protobuf:"varint,1,opt,name=ipProtocol,proto3" json:"ipProtocol,omitempty"`
+	SourceAddress      string                 `protobuf:"bytes,2,opt,name=sourceAddress,proto3" json:"sourceAddress,omitempty"`
+	SourcePort         int32                  `protobuf:"varint,3,opt,name=sourcePort,proto3" json:"sourcePort,omitempty"`
+	DestinationAddress string                 `protobuf:"bytes,4,opt,name=destinationAddress,proto3" json:"destinationAddress,omitempty"`
+	DestinationPort    int32                  `protobuf:"varint,5,opt,name=destinationPort,proto3" json:"destinationPort,omitempty"`
+	unknownFields      protoimpl.UnknownFields
+	sizeCache          protoimpl.SizeCache
+}
+
+func (x *FindConnectionOwnerRequest) Reset() {
+	*x = FindConnectionOwnerRequest{}
+	mi := &file_daemon_helper_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *FindConnectionOwnerRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*FindConnectionOwnerRequest) ProtoMessage() {}
+
+func (x *FindConnectionOwnerRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_helper_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use FindConnectionOwnerRequest.ProtoReflect.Descriptor instead.
+func (*FindConnectionOwnerRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_helper_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *FindConnectionOwnerRequest) GetIpProtocol() int32 {
+	if x != nil {
+		return x.IpProtocol
+	}
+	return 0
+}
+
+func (x *FindConnectionOwnerRequest) GetSourceAddress() string {
+	if x != nil {
+		return x.SourceAddress
+	}
+	return ""
+}
+
+func (x *FindConnectionOwnerRequest) GetSourcePort() int32 {
+	if x != nil {
+		return x.SourcePort
+	}
+	return 0
+}
+
+func (x *FindConnectionOwnerRequest) GetDestinationAddress() string {
+	if x != nil {
+		return x.DestinationAddress
+	}
+	return ""
+}
+
+func (x *FindConnectionOwnerRequest) GetDestinationPort() int32 {
+	if x != nil {
+		return x.DestinationPort
+	}
+	return 0
+}
+
+type Notification struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Identifier    string                 `protobuf:"bytes,1,opt,name=identifier,proto3" json:"identifier,omitempty"`
+	TypeName      string                 `protobuf:"bytes,2,opt,name=typeName,proto3" json:"typeName,omitempty"`
+	TypeId        int32                  `protobuf:"varint,3,opt,name=typeId,proto3" json:"typeId,omitempty"`
+	Title         string                 `protobuf:"bytes,4,opt,name=title,proto3" json:"title,omitempty"`
+	Subtitle      string                 `protobuf:"bytes,5,opt,name=subtitle,proto3" json:"subtitle,omitempty"`
+	Body          string                 `protobuf:"bytes,6,opt,name=body,proto3" json:"body,omitempty"`
+	OpenURL       string                 `protobuf:"bytes,7,opt,name=openURL,proto3" json:"openURL,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *Notification) Reset() {
+	*x = Notification{}
+	mi := &file_daemon_helper_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *Notification) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Notification) ProtoMessage() {}
+
+func (x *Notification) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_helper_proto_msgTypes[3]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Notification.ProtoReflect.Descriptor instead.
+func (*Notification) Descriptor() ([]byte, []int) {
+	return file_daemon_helper_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *Notification) GetIdentifier() string {
+	if x != nil {
+		return x.Identifier
+	}
+	return ""
+}
+
+func (x *Notification) GetTypeName() string {
+	if x != nil {
+		return x.TypeName
+	}
+	return ""
+}
+
+func (x *Notification) GetTypeId() int32 {
+	if x != nil {
+		return x.TypeId
+	}
+	return 0
+}
+
+func (x *Notification) GetTitle() string {
+	if x != nil {
+		return x.Title
+	}
+	return ""
+}
+
+func (x *Notification) GetSubtitle() string {
+	if x != nil {
+		return x.Subtitle
+	}
+	return ""
+}
+
+func (x *Notification) GetBody() string {
+	if x != nil {
+		return x.Body
+	}
+	return ""
+}
+
+func (x *Notification) GetOpenURL() string {
+	if x != nil {
+		return x.OpenURL
+	}
+	return ""
+}
+
+type HelperResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	Id    int64                  `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	// Types that are valid to be assigned to Response:
+	//
+	//	*HelperResponse_WifiState
+	//	*HelperResponse_Error
+	//	*HelperResponse_ConnectionOwner
+	Response      isHelperResponse_Response `protobuf_oneof:"response"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *HelperResponse) Reset() {
+	*x = HelperResponse{}
+	mi := &file_daemon_helper_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *HelperResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*HelperResponse) ProtoMessage() {}
+
+func (x *HelperResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_helper_proto_msgTypes[4]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use HelperResponse.ProtoReflect.Descriptor instead.
+func (*HelperResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_helper_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *HelperResponse) GetId() int64 {
+	if x != nil {
+		return x.Id
+	}
+	return 0
+}
+
+func (x *HelperResponse) GetResponse() isHelperResponse_Response {
+	if x != nil {
+		return x.Response
+	}
+	return nil
+}
+
+func (x *HelperResponse) GetWifiState() *WIFIState {
+	if x != nil {
+		if x, ok := x.Response.(*HelperResponse_WifiState); ok {
+			return x.WifiState
+		}
+	}
+	return nil
+}
+
+func (x *HelperResponse) GetError() string {
+	if x != nil {
+		if x, ok := x.Response.(*HelperResponse_Error); ok {
+			return x.Error
+		}
+	}
+	return ""
+}
+
+func (x *HelperResponse) GetConnectionOwner() *ConnectionOwner {
+	if x != nil {
+		if x, ok := x.Response.(*HelperResponse_ConnectionOwner); ok {
+			return x.ConnectionOwner
+		}
+	}
+	return nil
+}
+
+type isHelperResponse_Response interface {
+	isHelperResponse_Response()
+}
+
+type HelperResponse_WifiState struct {
+	WifiState *WIFIState `protobuf:"bytes,2,opt,name=wifiState,proto3,oneof"`
+}
+
+type HelperResponse_Error struct {
+	Error string `protobuf:"bytes,3,opt,name=error,proto3,oneof"`
+}
+
+type HelperResponse_ConnectionOwner struct {
+	ConnectionOwner *ConnectionOwner `protobuf:"bytes,4,opt,name=connectionOwner,proto3,oneof"`
+}
+
+func (*HelperResponse_WifiState) isHelperResponse_Response() {}
+
+func (*HelperResponse_Error) isHelperResponse_Response() {}
+
+func (*HelperResponse_ConnectionOwner) isHelperResponse_Response() {}
+
+type ConnectionOwner struct {
+	state              protoimpl.MessageState `protogen:"open.v1"`
+	UserId             int32                  `protobuf:"varint,1,opt,name=userId,proto3" json:"userId,omitempty"`
+	UserName           string                 `protobuf:"bytes,2,opt,name=userName,proto3" json:"userName,omitempty"`
+	ProcessPath        string                 `protobuf:"bytes,3,opt,name=processPath,proto3" json:"processPath,omitempty"`
+	AndroidPackageName string                 `protobuf:"bytes,4,opt,name=androidPackageName,proto3" json:"androidPackageName,omitempty"`
+	unknownFields      protoimpl.UnknownFields
+	sizeCache          protoimpl.SizeCache
+}
+
+func (x *ConnectionOwner) Reset() {
+	*x = ConnectionOwner{}
+	mi := &file_daemon_helper_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ConnectionOwner) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ConnectionOwner) ProtoMessage() {}
+
+func (x *ConnectionOwner) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_helper_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ConnectionOwner.ProtoReflect.Descriptor instead.
+func (*ConnectionOwner) Descriptor() ([]byte, []int) {
+	return file_daemon_helper_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *ConnectionOwner) GetUserId() int32 {
+	if x != nil {
+		return x.UserId
+	}
+	return 0
+}
+
+func (x *ConnectionOwner) GetUserName() string {
+	if x != nil {
+		return x.UserName
+	}
+	return ""
+}
+
+func (x *ConnectionOwner) GetProcessPath() string {
+	if x != nil {
+		return x.ProcessPath
+	}
+	return ""
+}
+
+func (x *ConnectionOwner) GetAndroidPackageName() string {
+	if x != nil {
+		return x.AndroidPackageName
+	}
+	return ""
+}
+
+type WIFIState struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Ssid          string                 `protobuf:"bytes,1,opt,name=ssid,proto3" json:"ssid,omitempty"`
+	Bssid         string                 `protobuf:"bytes,2,opt,name=bssid,proto3" json:"bssid,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *WIFIState) Reset() {
+	*x = WIFIState{}
+	mi := &file_daemon_helper_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *WIFIState) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*WIFIState) ProtoMessage() {}
+
+func (x *WIFIState) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_helper_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use WIFIState.ProtoReflect.Descriptor instead.
+func (*WIFIState) Descriptor() ([]byte, []int) {
+	return file_daemon_helper_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *WIFIState) GetSsid() string {
+	if x != nil {
+		return x.Ssid
+	}
+	return ""
+}
+
+func (x *WIFIState) GetBssid() string {
+	if x != nil {
+		return x.Bssid
+	}
+	return ""
+}
+
+var File_daemon_helper_proto protoreflect.FileDescriptor
+
+const file_daemon_helper_proto_rawDesc = "" +
+	"\n" +
+	"\x13daemon/helper.proto\x12\x06daemon\x1a\x1bgoogle/protobuf/empty.proto\"\xf5\x01\n" +
+	"\x1dSubscribeHelperRequestRequest\x12>\n" +
+	"\x1aacceptGetWIFIStateRequests\x18\x01 \x01(\bR\x1aacceptGetWIFIStateRequests\x12L\n" +
+	"!acceptFindConnectionOwnerRequests\x18\x02 \x01(\bR!acceptFindConnectionOwnerRequests\x12F\n" +
+	"\x1eacceptSendNotificationRequests\x18\x03 \x01(\bR\x1eacceptSendNotificationRequests\"\x84\x02\n" +
+	"\rHelperRequest\x12\x0e\n" +
+	"\x02id\x18\x01 \x01(\x03R\x02id\x12<\n" +
+	"\fgetWIFIState\x18\x02 \x01(\v2\x16.google.protobuf.EmptyH\x00R\fgetWIFIState\x12V\n" +
+	"\x13findConnectionOwner\x18\x03 \x01(\v2\".daemon.FindConnectionOwnerRequestH\x00R\x13findConnectionOwner\x12B\n" +
+	"\x10sendNotification\x18\x04 \x01(\v2\x14.daemon.NotificationH\x00R\x10sendNotificationB\t\n" +
+	"\arequest\"\xdc\x01\n" +
+	"\x1aFindConnectionOwnerRequest\x12\x1e\n" +
+	"\n" +
+	"ipProtocol\x18\x01 \x01(\x05R\n" +
+	"ipProtocol\x12$\n" +
+	"\rsourceAddress\x18\x02 \x01(\tR\rsourceAddress\x12\x1e\n" +
+	"\n" +
+	"sourcePort\x18\x03 \x01(\x05R\n" +
+	"sourcePort\x12.\n" +
+	"\x12destinationAddress\x18\x04 \x01(\tR\x12destinationAddress\x12(\n" +
+	"\x0fdestinationPort\x18\x05 \x01(\x05R\x0fdestinationPort\"\xc2\x01\n" +
+	"\fNotification\x12\x1e\n" +
+	"\n" +
+	"identifier\x18\x01 \x01(\tR\n" +
+	"identifier\x12\x1a\n" +
+	"\btypeName\x18\x02 \x01(\tR\btypeName\x12\x16\n" +
+	"\x06typeId\x18\x03 \x01(\x05R\x06typeId\x12\x14\n" +
+	"\x05title\x18\x04 \x01(\tR\x05title\x12\x1a\n" +
+	"\bsubtitle\x18\x05 \x01(\tR\bsubtitle\x12\x12\n" +
+	"\x04body\x18\x06 \x01(\tR\x04body\x12\x18\n" +
+	"\aopenURL\x18\a \x01(\tR\aopenURL\"\xbc\x01\n" +
+	"\x0eHelperResponse\x12\x0e\n" +
+	"\x02id\x18\x01 \x01(\x03R\x02id\x121\n" +
+	"\twifiState\x18\x02 \x01(\v2\x11.daemon.WIFIStateH\x00R\twifiState\x12\x16\n" +
+	"\x05error\x18\x03 \x01(\tH\x00R\x05error\x12C\n" +
+	"\x0fconnectionOwner\x18\x04 \x01(\v2\x17.daemon.ConnectionOwnerH\x00R\x0fconnectionOwnerB\n" +
+	"\n" +
+	"\bresponse\"\x97\x01\n" +
+	"\x0fConnectionOwner\x12\x16\n" +
+	"\x06userId\x18\x01 \x01(\x05R\x06userId\x12\x1a\n" +
+	"\buserName\x18\x02 \x01(\tR\buserName\x12 \n" +
+	"\vprocessPath\x18\x03 \x01(\tR\vprocessPath\x12.\n" +
+	"\x12androidPackageName\x18\x04 \x01(\tR\x12androidPackageName\"5\n" +
+	"\tWIFIState\x12\x12\n" +
+	"\x04ssid\x18\x01 \x01(\tR\x04ssid\x12\x14\n" +
+	"\x05bssid\x18\x02 \x01(\tR\x05bssidB%Z#github.com/sagernet/sing-box/daemonb\x06proto3"
+
+var (
+	file_daemon_helper_proto_rawDescOnce sync.Once
+	file_daemon_helper_proto_rawDescData []byte
+)
+
+func file_daemon_helper_proto_rawDescGZIP() []byte {
+	file_daemon_helper_proto_rawDescOnce.Do(func() {
+		file_daemon_helper_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_daemon_helper_proto_rawDesc), len(file_daemon_helper_proto_rawDesc)))
+	})
+	return file_daemon_helper_proto_rawDescData
+}
+
+var (
+	file_daemon_helper_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+	file_daemon_helper_proto_goTypes  = []any{
+		(*SubscribeHelperRequestRequest)(nil), // 0: daemon.SubscribeHelperRequestRequest
+		(*HelperRequest)(nil),                 // 1: daemon.HelperRequest
+		(*FindConnectionOwnerRequest)(nil),    // 2: daemon.FindConnectionOwnerRequest
+		(*Notification)(nil),                  // 3: daemon.Notification
+		(*HelperResponse)(nil),                // 4: daemon.HelperResponse
+		(*ConnectionOwner)(nil),               // 5: daemon.ConnectionOwner
+		(*WIFIState)(nil),                     // 6: daemon.WIFIState
+		(*emptypb.Empty)(nil),                 // 7: google.protobuf.Empty
+	}
+)
+
+var file_daemon_helper_proto_depIdxs = []int32{
+	7, // 0: daemon.HelperRequest.getWIFIState:type_name -> google.protobuf.Empty
+	2, // 1: daemon.HelperRequest.findConnectionOwner:type_name -> daemon.FindConnectionOwnerRequest
+	3, // 2: daemon.HelperRequest.sendNotification:type_name -> daemon.Notification
+	6, // 3: daemon.HelperResponse.wifiState:type_name -> daemon.WIFIState
+	5, // 4: daemon.HelperResponse.connectionOwner:type_name -> daemon.ConnectionOwner
+	5, // [5:5] is the sub-list for method output_type
+	5, // [5:5] is the sub-list for method input_type
+	5, // [5:5] is the sub-list for extension type_name
+	5, // [5:5] is the sub-list for extension extendee
+	0, // [0:5] is the sub-list for field type_name
+}
+
+func init() { file_daemon_helper_proto_init() }
+func file_daemon_helper_proto_init() {
+	if File_daemon_helper_proto != nil {
+		return
+	}
+	file_daemon_helper_proto_msgTypes[1].OneofWrappers = []any{
+		(*HelperRequest_GetWIFIState)(nil),
+		(*HelperRequest_FindConnectionOwner)(nil),
+		(*HelperRequest_SendNotification)(nil),
+	}
+	file_daemon_helper_proto_msgTypes[4].OneofWrappers = []any{
+		(*HelperResponse_WifiState)(nil),
+		(*HelperResponse_Error)(nil),
+		(*HelperResponse_ConnectionOwner)(nil),
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_helper_proto_rawDesc), len(file_daemon_helper_proto_rawDesc)),
+			NumEnums:      0,
+			NumMessages:   7,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_daemon_helper_proto_goTypes,
+		DependencyIndexes: file_daemon_helper_proto_depIdxs,
+		MessageInfos:      file_daemon_helper_proto_msgTypes,
+	}.Build()
+	File_daemon_helper_proto = out.File
+	file_daemon_helper_proto_goTypes = nil
+	file_daemon_helper_proto_depIdxs = nil
+}

daemon/helper.proto

@@ -0,0 +1,61 @@
+syntax = "proto3";
+
+package daemon;
+option go_package = "github.com/sagernet/sing-box/daemon";
+
+import "google/protobuf/empty.proto";
+
+message SubscribeHelperRequestRequest {
+  bool acceptGetWIFIStateRequests = 1;
+  bool acceptFindConnectionOwnerRequests = 2;
+  bool acceptSendNotificationRequests = 3;
+}
+
+message HelperRequest {
+  int64 id = 1;
+  oneof request {
+    google.protobuf.Empty getWIFIState = 2;
+    FindConnectionOwnerRequest findConnectionOwner = 3;
+    Notification sendNotification = 4;
+  }
+}
+
+message FindConnectionOwnerRequest {
+  int32 ipProtocol = 1;
+  string sourceAddress = 2;
+  int32 sourcePort = 3;
+  string destinationAddress = 4;
+  int32 destinationPort = 5;
+}
+
+message Notification {
+  string identifier = 1;
+  string typeName = 2;
+  int32 typeId = 3;
+  string title = 4;
+  string subtitle = 5;
+  string body = 6;
+  string openURL = 7;
+}
+
+message HelperResponse {
+  int64 id = 1;
+  oneof response {
+    WIFIState wifiState = 2;
+    string error = 3;
+    ConnectionOwner connectionOwner = 4;
+  }
+}
+
+message ConnectionOwner {
+  int32 userId = 1;
+  string userName = 2;
+  string processPath = 3;
+  string androidPackageName = 4;
+}
+
+message WIFIState {
+  string ssid = 1;
+  string bssid = 2;
+}
+

daemon/instance.go

@@ -7,12 +7,9 @@ import (
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/include"
-	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/service"
@@ -23,7 +20,6 @@ type Instance struct {
 	ctx                   context.Context
 	cancel                context.CancelFunc
 	instance              *box.Box
-	connectionManager     adapter.ConnectionManager
 	clashServer           adapter.ClashServer
 	cacheFile             adapter.CacheFile
 	pauseManager          pause.Manager
@@ -87,15 +83,6 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 			}
 		}
 	}
-	if s.oomKiller && C.IsIos {
-		if !common.Any(options.Services, func(it option.Service) bool {
-			return it.Type == C.TypeOOMKiller
-		}) {
-			options.Services = append(options.Services, option.Service{
-				Type: C.TypeOOMKiller,
-			})
-		}
-	}
 	urlTestHistoryStorage := urltest.NewHistoryStorage()
 	ctx = service.ContextWithPtr(ctx, urlTestHistoryStorage)
 	i := &Instance{
@@ -113,11 +100,9 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 		return nil, err
 	}
 	i.instance = boxInstance
-	i.connectionManager = service.FromContext[adapter.ConnectionManager](ctx)
 	i.clashServer = service.FromContext[adapter.ClashServer](ctx)
 	i.pauseManager = service.FromContext[pause.Manager](ctx)
 	i.cacheFile = service.FromContext[adapter.CacheFile](ctx)
-	log.SetStdLogger(boxInstance.LogFactory().Logger())
 	return i, nil
 }
 

daemon/started_service.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
@@ -35,7 +36,6 @@ type StartedService struct {
 	handler     PlatformHandler
 	debug       bool
 	logMaxLines int
-	oomKiller   bool
 	// workingDirectory string
 	// tempDirectory    string
 	// userID           int
@@ -56,9 +56,6 @@ type StartedService struct {
 	urlTestHistoryStorage   *urltest.HistoryStorage
 	clashModeSubscriber     *observable.Subscriber[struct{}]
 	clashModeObserver       *observable.Observer[struct{}]
-
-	connectionEventSubscriber *observable.Subscriber[trafficontrol.ConnectionEvent]
-	connectionEventObserver   *observable.Observer[trafficontrol.ConnectionEvent]
 }
 
 type ServiceOptions struct {
@@ -67,7 +64,6 @@ type ServiceOptions struct {
 	Handler     PlatformHandler
 	Debug       bool
 	LogMaxLines int
-	OOMKiller   bool
 	// WorkingDirectory   string
 	// TempDirectory      string
 	// UserID             int
@@ -82,25 +78,22 @@ func NewStartedService(options ServiceOptions) *StartedService {
 		handler:     options.Handler,
 		debug:       options.Debug,
 		logMaxLines: options.LogMaxLines,
-		oomKiller:   options.OOMKiller,
 		// workingDirectory: options.WorkingDirectory,
 		// tempDirectory:    options.TempDirectory,
 		// userID:           options.UserID,
 		// groupID:          options.GroupID,
 		// systemProxyEnabled:      options.SystemProxyEnabled,
-		serviceStatus:             &ServiceStatus{Status: ServiceStatus_IDLE},
-		serviceStatusSubscriber:   observable.NewSubscriber[*ServiceStatus](4),
-		logSubscriber:             observable.NewSubscriber[*log.Entry](128),
-		urlTestSubscriber:         observable.NewSubscriber[struct{}](1),
-		urlTestHistoryStorage:     urltest.NewHistoryStorage(),
-		clashModeSubscriber:       observable.NewSubscriber[struct{}](1),
-		connectionEventSubscriber: observable.NewSubscriber[trafficontrol.ConnectionEvent](256),
+		serviceStatus:           &ServiceStatus{Status: ServiceStatus_IDLE},
+		serviceStatusSubscriber: observable.NewSubscriber[*ServiceStatus](4),
+		logSubscriber:           observable.NewSubscriber[*log.Entry](128),
+		urlTestSubscriber:       observable.NewSubscriber[struct{}](1),
+		urlTestHistoryStorage:   urltest.NewHistoryStorage(),
+		clashModeSubscriber:     observable.NewSubscriber[struct{}](1),
 	}
 	s.serviceStatusObserver = observable.NewObserver(s.serviceStatusSubscriber, 2)
 	s.logObserver = observable.NewObserver(s.logSubscriber, 64)
 	s.urlTestObserver = observable.NewObserver(s.urlTestSubscriber, 1)
 	s.clashModeObserver = observable.NewObserver(s.clashModeSubscriber, 1)
-	s.connectionEventObserver = observable.NewObserver(s.connectionEventSubscriber, 64)
 	return s
 }
 
@@ -190,7 +183,6 @@ func (s *StartedService) StartOrReloadService(profileContent string, options *Ov
 	instance.urlTestHistoryStorage.SetHook(s.urlTestSubscriber)
 	if instance.clashServer != nil {
 		instance.clashServer.SetModeUpdateHook(s.clashModeSubscriber)
-		instance.clashServer.(*clashapi.Server).TrafficManager().SetEventHook(s.connectionEventSubscriber)
 	}
 	s.serviceAccess.Unlock()
 	err = instance.Start()
@@ -209,14 +201,6 @@ func (s *StartedService) StartOrReloadService(profileContent string, options *Ov
 	return nil
 }
 
-func (s *StartedService) Close() {
-	s.serviceStatusSubscriber.Close()
-	s.logSubscriber.Close()
-	s.urlTestSubscriber.Close()
-	s.clashModeSubscriber.Close()
-	s.connectionEventSubscriber.Close()
-}
-
 func (s *StartedService) CloseService() error {
 	s.serviceAccess.Lock()
 	switch s.serviceStatus.Status {
@@ -409,14 +393,12 @@ func (s *StartedService) SubscribeStatus(request *SubscribeStatusRequest, server
 
 func (s *StartedService) readStatus() *Status {
 	var status Status
-	status.Memory = memory.Total()
+	status.Memory = memory.Inuse()
 	status.Goroutines = int32(runtime.NumGoroutine())
+	status.ConnectionsOut = int32(conntrack.Count())
 	s.serviceAccess.RLock()
 	nowService := s.instance
 	s.serviceAccess.RUnlock()
-	if nowService != nil && nowService.connectionManager != nil {
-		status.ConnectionsOut = int32(nowService.connectionManager.Count())
-	}
 	if nowService != nil {
 		if clashServer := nowService.clashServer; clashServer != nil {
 			status.TrafficAvailable = true
@@ -684,7 +666,7 @@ func (s *StartedService) SetSystemProxyEnabled(ctx context.Context, request *Set
 	return nil, err
 }
 
-func (s *StartedService) SubscribeConnections(request *SubscribeConnectionsRequest, server grpc.ServerStreamingServer[ConnectionEvents]) error {
+func (s *StartedService) SubscribeConnections(request *SubscribeConnectionsRequest, server grpc.ServerStreamingServer[Connections]) error {
 	err := s.waitForStarted(server.Context())
 	if err != nil {
 		return err
@@ -692,260 +674,69 @@ func (s *StartedService) SubscribeConnections(request *SubscribeConnectionsReque
 	s.serviceAccess.RLock()
 	boxService := s.instance
 	s.serviceAccess.RUnlock()
-
-	if boxService.clashServer == nil {
-		return E.New("clash server not available")
-	}
-
-	trafficManager := boxService.clashServer.(*clashapi.Server).TrafficManager()
-
-	subscription, done, err := s.connectionEventObserver.Subscribe()
-	if err != nil {
-		return err
-	}
-	defer s.connectionEventObserver.UnSubscribe(subscription)
-
-	connectionSnapshots := make(map[uuid.UUID]connectionSnapshot)
-	initialEvents := s.buildInitialConnectionState(trafficManager, connectionSnapshots)
-	err = server.Send(&ConnectionEvents{
-		Events: initialEvents,
-		Reset_: true,
-	})
-	if err != nil {
-		return err
-	}
-
-	interval := time.Duration(request.Interval)
-	if interval <= 0 {
-		interval = time.Second
-	}
-	ticker := time.NewTicker(interval)
+	ticker := time.NewTicker(time.Duration(request.Interval))
 	defer ticker.Stop()
-
+	trafficManager := boxService.clashServer.(*clashapi.Server).TrafficManager()
+	var (
+		connections    = make(map[uuid.UUID]*Connection)
+		outConnections []*Connection
+	)
 	for {
+		outConnections = outConnections[:0]
+		for _, connection := range trafficManager.Connections() {
+			outConnections = append(outConnections, newConnection(connections, connection, false))
+		}
+		for _, connection := range trafficManager.ClosedConnections() {
+			outConnections = append(outConnections, newConnection(connections, connection, true))
+		}
+		err := server.Send(&Connections{Connections: outConnections})
+		if err != nil {
+			return err
+		}
 		select {
 		case <-s.ctx.Done():
 			return s.ctx.Err()
 		case <-server.Context().Done():
 			return server.Context().Err()
-		case <-done:
-			return nil
-
-		case event := <-subscription:
-			var pendingEvents []*ConnectionEvent
-			if protoEvent := s.applyConnectionEvent(event, connectionSnapshots); protoEvent != nil {
-				pendingEvents = append(pendingEvents, protoEvent)
-			}
-		drain:
-			for {
-				select {
-				case event = <-subscription:
-					if protoEvent := s.applyConnectionEvent(event, connectionSnapshots); protoEvent != nil {
-						pendingEvents = append(pendingEvents, protoEvent)
-					}
-				default:
-					break drain
-				}
-			}
-			if len(pendingEvents) > 0 {
-				err = server.Send(&ConnectionEvents{Events: pendingEvents})
-				if err != nil {
-					return err
-				}
-			}
-
 		case <-ticker.C:
-			protoEvents := s.buildTrafficUpdates(trafficManager, connectionSnapshots)
-			if len(protoEvents) == 0 {
-				continue
-			}
-			err = server.Send(&ConnectionEvents{Events: protoEvents})
-			if err != nil {
-				return err
-			}
 		}
 	}
 }
 
-type connectionSnapshot struct {
-	uplink     int64
-	downlink   int64
-	hadTraffic bool
-}
-
-func (s *StartedService) buildInitialConnectionState(manager *trafficontrol.Manager, snapshots map[uuid.UUID]connectionSnapshot) []*ConnectionEvent {
-	var events []*ConnectionEvent
-
-	for _, metadata := range manager.Connections() {
-		events = append(events, &ConnectionEvent{
-			Type:       ConnectionEventType_CONNECTION_EVENT_NEW,
-			Id:         metadata.ID.String(),
-			Connection: buildConnectionProto(metadata),
-		})
-		snapshots[metadata.ID] = connectionSnapshot{
-			uplink:   metadata.Upload.Load(),
-			downlink: metadata.Download.Load(),
-		}
-	}
-
-	for _, metadata := range manager.ClosedConnections() {
-		conn := buildConnectionProto(metadata)
-		conn.ClosedAt = metadata.ClosedAt.UnixMilli()
-		events = append(events, &ConnectionEvent{
-			Type:       ConnectionEventType_CONNECTION_EVENT_NEW,
-			Id:         metadata.ID.String(),
-			Connection: conn,
-		})
-	}
-
-	return events
-}
-
-func (s *StartedService) applyConnectionEvent(event trafficontrol.ConnectionEvent, snapshots map[uuid.UUID]connectionSnapshot) *ConnectionEvent {
-	switch event.Type {
-	case trafficontrol.ConnectionEventNew:
-		if _, exists := snapshots[event.ID]; exists {
-			return nil
-		}
-		snapshots[event.ID] = connectionSnapshot{
-			uplink:   event.Metadata.Upload.Load(),
-			downlink: event.Metadata.Download.Load(),
-		}
-		return &ConnectionEvent{
-			Type:       ConnectionEventType_CONNECTION_EVENT_NEW,
-			Id:         event.ID.String(),
-			Connection: buildConnectionProto(event.Metadata),
-		}
-	case trafficontrol.ConnectionEventClosed:
-		delete(snapshots, event.ID)
-		protoEvent := &ConnectionEvent{
-			Type: ConnectionEventType_CONNECTION_EVENT_CLOSED,
-			Id:   event.ID.String(),
-		}
-		closedAt := event.ClosedAt
-		if closedAt.IsZero() && !event.Metadata.ClosedAt.IsZero() {
-			closedAt = event.Metadata.ClosedAt
-		}
-		if closedAt.IsZero() {
-			closedAt = time.Now()
-		}
-		protoEvent.ClosedAt = closedAt.UnixMilli()
-		if event.Metadata.ID != uuid.Nil {
-			conn := buildConnectionProto(event.Metadata)
-			conn.ClosedAt = protoEvent.ClosedAt
-			protoEvent.Connection = conn
-		}
-		return protoEvent
-	default:
-		return nil
-	}
-}
-
-func (s *StartedService) buildTrafficUpdates(manager *trafficontrol.Manager, snapshots map[uuid.UUID]connectionSnapshot) []*ConnectionEvent {
-	activeConnections := manager.Connections()
-	activeIndex := make(map[uuid.UUID]*trafficontrol.TrackerMetadata, len(activeConnections))
-	var events []*ConnectionEvent
-
-	for _, metadata := range activeConnections {
-		activeIndex[metadata.ID] = metadata
-		currentUpload := metadata.Upload.Load()
-		currentDownload := metadata.Download.Load()
-		snapshot, exists := snapshots[metadata.ID]
-		if !exists {
-			snapshots[metadata.ID] = connectionSnapshot{
-				uplink:   currentUpload,
-				downlink: currentDownload,
+func newConnection(connections map[uuid.UUID]*Connection, metadata trafficontrol.TrackerMetadata, isClosed bool) *Connection {
+	if oldConnection, loaded := connections[metadata.ID]; loaded {
+		if isClosed {
+			if oldConnection.ClosedAt == 0 {
+				oldConnection.Uplink = 0
+				oldConnection.Downlink = 0
+				oldConnection.ClosedAt = metadata.ClosedAt.UnixMilli()
 			}
-			events = append(events, &ConnectionEvent{
-				Type:       ConnectionEventType_CONNECTION_EVENT_NEW,
-				Id:         metadata.ID.String(),
-				Connection: buildConnectionProto(metadata),
-			})
-			continue
-		}
-		uplinkDelta := currentUpload - snapshot.uplink
-		downlinkDelta := currentDownload - snapshot.downlink
-		if uplinkDelta < 0 || downlinkDelta < 0 {
-			if snapshot.hadTraffic {
-				events = append(events, &ConnectionEvent{
-					Type:          ConnectionEventType_CONNECTION_EVENT_UPDATE,
-					Id:            metadata.ID.String(),
-					UplinkDelta:   0,
-					DownlinkDelta: 0,
-				})
-			}
-			snapshot.uplink = currentUpload
-			snapshot.downlink = currentDownload
-			snapshot.hadTraffic = false
-			snapshots[metadata.ID] = snapshot
-			continue
-		}
-		if uplinkDelta > 0 || downlinkDelta > 0 {
-			snapshot.uplink = currentUpload
-			snapshot.downlink = currentDownload
-			snapshot.hadTraffic = true
-			snapshots[metadata.ID] = snapshot
-			events = append(events, &ConnectionEvent{
-				Type:          ConnectionEventType_CONNECTION_EVENT_UPDATE,
-				Id:            metadata.ID.String(),
-				UplinkDelta:   uplinkDelta,
-				DownlinkDelta: downlinkDelta,
-			})
-			continue
-		}
-		if snapshot.hadTraffic {
-			snapshot.uplink = currentUpload
-			snapshot.downlink = currentDownload
-			snapshot.hadTraffic = false
-			snapshots[metadata.ID] = snapshot
-			events = append(events, &ConnectionEvent{
-				Type:          ConnectionEventType_CONNECTION_EVENT_UPDATE,
-				Id:            metadata.ID.String(),
-				UplinkDelta:   0,
-				DownlinkDelta: 0,
-			})
+			return oldConnection
 		}
+		lastUplink := oldConnection.UplinkTotal
+		lastDownlink := oldConnection.DownlinkTotal
+		uplinkTotal := metadata.Upload.Load()
+		downlinkTotal := metadata.Download.Load()
+		oldConnection.Uplink = uplinkTotal - lastUplink
+		oldConnection.Downlink = downlinkTotal - lastDownlink
+		oldConnection.UplinkTotal = uplinkTotal
+		oldConnection.DownlinkTotal = downlinkTotal
+		return oldConnection
 	}
-
-	var closedIndex map[uuid.UUID]*trafficontrol.TrackerMetadata
-	for id := range snapshots {
-		if _, exists := activeIndex[id]; exists {
-			continue
-		}
-		if closedIndex == nil {
-			closedIndex = make(map[uuid.UUID]*trafficontrol.TrackerMetadata)
-			for _, metadata := range manager.ClosedConnections() {
-				closedIndex[metadata.ID] = metadata
-			}
-		}
-		closedAt := time.Now()
-		var conn *Connection
-		if metadata, ok := closedIndex[id]; ok {
-			if !metadata.ClosedAt.IsZero() {
-				closedAt = metadata.ClosedAt
-			}
-			conn = buildConnectionProto(metadata)
-			conn.ClosedAt = closedAt.UnixMilli()
-		}
-		events = append(events, &ConnectionEvent{
-			Type:       ConnectionEventType_CONNECTION_EVENT_CLOSED,
-			Id:         id.String(),
-			ClosedAt:   closedAt.UnixMilli(),
-			Connection: conn,
-		})
-		delete(snapshots, id)
-	}
-
-	return events
-}
-
-func buildConnectionProto(metadata *trafficontrol.TrackerMetadata) *Connection {
 	var rule string
 	if metadata.Rule != nil {
 		rule = metadata.Rule.String()
 	}
 	uplinkTotal := metadata.Upload.Load()
 	downlinkTotal := metadata.Download.Load()
+	uplink := uplinkTotal
+	downlink := downlinkTotal
+	var closedAt int64
+	if !metadata.ClosedAt.IsZero() {
+		closedAt = metadata.ClosedAt.UnixMilli()
+		uplink = 0
+		downlink = 0
+	}
 	var processInfo *ProcessInfo
 	if metadata.Metadata.ProcessInfo != nil {
 		processInfo = &ProcessInfo{
@@ -956,7 +747,7 @@ func buildConnectionProto(metadata *trafficontrol.TrackerMetadata) *Connection {
 			PackageName: metadata.Metadata.ProcessInfo.AndroidPackageName,
 		}
 	}
-	return &Connection{
+	connection := &Connection{
 		Id:            metadata.ID.String(),
 		Inbound:       metadata.Metadata.Inbound,
 		InboundType:   metadata.Metadata.InboundType,
@@ -969,6 +760,9 @@ func buildConnectionProto(metadata *trafficontrol.TrackerMetadata) *Connection {
 		User:          metadata.Metadata.User,
 		FromOutbound:  metadata.Metadata.Outbound,
 		CreatedAt:     metadata.CreatedAt.UnixMilli(),
+		ClosedAt:      closedAt,
+		Uplink:        uplink,
+		Downlink:      downlink,
 		UplinkTotal:   uplinkTotal,
 		DownlinkTotal: downlinkTotal,
 		Rule:          rule,
@@ -977,6 +771,8 @@ func buildConnectionProto(metadata *trafficontrol.TrackerMetadata) *Connection {
 		ChainList:     metadata.Chain,
 		ProcessInfo:   processInfo,
 	}
+	connections[metadata.ID] = connection
+	return connection
 }
 
 func (s *StartedService) CloseConnection(ctx context.Context, request *CloseConnectionRequest) (*emptypb.Empty, error) {
@@ -997,12 +793,7 @@ func (s *StartedService) CloseConnection(ctx context.Context, request *CloseConn
 }
 
 func (s *StartedService) CloseAllConnections(ctx context.Context, empty *emptypb.Empty) (*emptypb.Empty, error) {
-	s.serviceAccess.RLock()
-	nowService := s.instance
-	s.serviceAccess.RUnlock()
-	if nowService != nil && nowService.connectionManager != nil {
-		nowService.connectionManager.CloseAll()
-	}
+	conntrack.Close()
 	return &emptypb.Empty{}, nil
 }
 
@@ -1032,6 +823,14 @@ func (s *StartedService) GetStartedAt(ctx context.Context, empty *emptypb.Empty)
 	return &StartedAt{StartedAt: s.startedAt.UnixMilli()}, nil
 }
 
+func (s *StartedService) SubscribeHelperEvents(empty *emptypb.Empty, server grpc.ServerStreamingServer[HelperRequest]) error {
+	return os.ErrInvalid
+}
+
+func (s *StartedService) SendHelperResponse(ctx context.Context, response *HelperResponse) (*emptypb.Empty, error) {
+	return nil, os.ErrInvalid
+}
+
 func (s *StartedService) mustEmbedUnimplementedStartedServiceServer() {
 }
 

daemon/started_service.pb.go

@@ -78,55 +78,104 @@ func (LogLevel) EnumDescriptor() ([]byte, []int) {
 	return file_daemon_started_service_proto_rawDescGZIP(), []int{0}
 }
 
-type ConnectionEventType int32
+type ConnectionFilter int32
 
 const (
-	ConnectionEventType_CONNECTION_EVENT_NEW    ConnectionEventType = 0
-	ConnectionEventType_CONNECTION_EVENT_UPDATE ConnectionEventType = 1
-	ConnectionEventType_CONNECTION_EVENT_CLOSED ConnectionEventType = 2
+	ConnectionFilter_ALL    ConnectionFilter = 0
+	ConnectionFilter_ACTIVE ConnectionFilter = 1
+	ConnectionFilter_CLOSED ConnectionFilter = 2
 )
 
-// Enum value maps for ConnectionEventType.
+// Enum value maps for ConnectionFilter.
 var (
-	ConnectionEventType_name = map[int32]string{
-		0: "CONNECTION_EVENT_NEW",
-		1: "CONNECTION_EVENT_UPDATE",
-		2: "CONNECTION_EVENT_CLOSED",
+	ConnectionFilter_name = map[int32]string{
+		0: "ALL",
+		1: "ACTIVE",
+		2: "CLOSED",
 	}
-	ConnectionEventType_value = map[string]int32{
-		"CONNECTION_EVENT_NEW":    0,
-		"CONNECTION_EVENT_UPDATE": 1,
-		"CONNECTION_EVENT_CLOSED": 2,
+	ConnectionFilter_value = map[string]int32{
+		"ALL":    0,
+		"ACTIVE": 1,
+		"CLOSED": 2,
 	}
 )
 
-func (x ConnectionEventType) Enum() *ConnectionEventType {
-	p := new(ConnectionEventType)
+func (x ConnectionFilter) Enum() *ConnectionFilter {
+	p := new(ConnectionFilter)
 	*p = x
 	return p
 }
 
-func (x ConnectionEventType) String() string {
+func (x ConnectionFilter) String() string {
 	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
 }
 
-func (ConnectionEventType) Descriptor() protoreflect.EnumDescriptor {
+func (ConnectionFilter) Descriptor() protoreflect.EnumDescriptor {
 	return file_daemon_started_service_proto_enumTypes[1].Descriptor()
 }
 
-func (ConnectionEventType) Type() protoreflect.EnumType {
+func (ConnectionFilter) Type() protoreflect.EnumType {
 	return &file_daemon_started_service_proto_enumTypes[1]
 }
 
-func (x ConnectionEventType) Number() protoreflect.EnumNumber {
+func (x ConnectionFilter) Number() protoreflect.EnumNumber {
 	return protoreflect.EnumNumber(x)
 }
 
-// Deprecated: Use ConnectionEventType.Descriptor instead.
-func (ConnectionEventType) EnumDescriptor() ([]byte, []int) {
+// Deprecated: Use ConnectionFilter.Descriptor instead.
+func (ConnectionFilter) EnumDescriptor() ([]byte, []int) {
 	return file_daemon_started_service_proto_rawDescGZIP(), []int{1}
 }
 
+type ConnectionSortBy int32
+
+const (
+	ConnectionSortBy_DATE          ConnectionSortBy = 0
+	ConnectionSortBy_TRAFFIC       ConnectionSortBy = 1
+	ConnectionSortBy_TOTAL_TRAFFIC ConnectionSortBy = 2
+)
+
+// Enum value maps for ConnectionSortBy.
+var (
+	ConnectionSortBy_name = map[int32]string{
+		0: "DATE",
+		1: "TRAFFIC",
+		2: "TOTAL_TRAFFIC",
+	}
+	ConnectionSortBy_value = map[string]int32{
+		"DATE":          0,
+		"TRAFFIC":       1,
+		"TOTAL_TRAFFIC": 2,
+	}
+)
+
+func (x ConnectionSortBy) Enum() *ConnectionSortBy {
+	p := new(ConnectionSortBy)
+	*p = x
+	return p
+}
+
+func (x ConnectionSortBy) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (ConnectionSortBy) Descriptor() protoreflect.EnumDescriptor {
+	return file_daemon_started_service_proto_enumTypes[2].Descriptor()
+}
+
+func (ConnectionSortBy) Type() protoreflect.EnumType {
+	return &file_daemon_started_service_proto_enumTypes[2]
+}
+
+func (x ConnectionSortBy) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use ConnectionSortBy.Descriptor instead.
+func (ConnectionSortBy) EnumDescriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{2}
+}
+
 type ServiceStatus_Type int32
 
 const (
@@ -166,11 +215,11 @@ func (x ServiceStatus_Type) String() string {
 }
 
 func (ServiceStatus_Type) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_started_service_proto_enumTypes[2].Descriptor()
+	return file_daemon_started_service_proto_enumTypes[3].Descriptor()
 }
 
 func (ServiceStatus_Type) Type() protoreflect.EnumType {
-	return &file_daemon_started_service_proto_enumTypes[2]
+	return &file_daemon_started_service_proto_enumTypes[3]
 }
 
 func (x ServiceStatus_Type) Number() protoreflect.EnumNumber {
@@ -1065,6 +1114,8 @@ func (x *SetSystemProxyEnabledRequest) GetEnabled() bool {
 type SubscribeConnectionsRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Interval      int64                  `protobuf:"varint,1,opt,name=interval,proto3" json:"interval,omitempty"`
+	Filter        ConnectionFilter       `protobuf:"varint,2,opt,name=filter,proto3,enum=daemon.ConnectionFilter" json:"filter,omitempty"`
+	SortBy        ConnectionSortBy       `protobuf:"varint,3,opt,name=sortBy,proto3,enum=daemon.ConnectionSortBy" json:"sortBy,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -1106,32 +1157,41 @@ func (x *SubscribeConnectionsRequest) GetInterval() int64 {
 	return 0
 }
 
-type ConnectionEvent struct {
+func (x *SubscribeConnectionsRequest) GetFilter() ConnectionFilter {
+	if x != nil {
+		return x.Filter
+	}
+	return ConnectionFilter_ALL
+}
+
+func (x *SubscribeConnectionsRequest) GetSortBy() ConnectionSortBy {
+	if x != nil {
+		return x.SortBy
+	}
+	return ConnectionSortBy_DATE
+}
+
+type Connections struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
-	Type          ConnectionEventType    `protobuf:"varint,1,opt,name=type,proto3,enum=daemon.ConnectionEventType" json:"type,omitempty"`
-	Id            string                 `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
-	Connection    *Connection            `protobuf:"bytes,3,opt,name=connection,proto3" json:"connection,omitempty"`
-	UplinkDelta   int64                  `protobuf:"varint,4,opt,name=uplinkDelta,proto3" json:"uplinkDelta,omitempty"`
-	DownlinkDelta int64                  `protobuf:"varint,5,opt,name=downlinkDelta,proto3" json:"downlinkDelta,omitempty"`
-	ClosedAt      int64                  `protobuf:"varint,6,opt,name=closedAt,proto3" json:"closedAt,omitempty"`
+	Connections   []*Connection          `protobuf:"bytes,1,rep,name=connections,proto3" json:"connections,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
 
-func (x *ConnectionEvent) Reset() {
-	*x = ConnectionEvent{}
+func (x *Connections) Reset() {
+	*x = Connections{}
 	mi := &file_daemon_started_service_proto_msgTypes[17]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 
-func (x *ConnectionEvent) String() string {
+func (x *Connections) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 
-func (*ConnectionEvent) ProtoMessage() {}
+func (*Connections) ProtoMessage() {}
 
-func (x *ConnectionEvent) ProtoReflect() protoreflect.Message {
+func (x *Connections) ProtoReflect() protoreflect.Message {
 	mi := &file_daemon_started_service_proto_msgTypes[17]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -1143,105 +1203,18 @@ func (x *ConnectionEvent) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }
 
-// Deprecated: Use ConnectionEvent.ProtoReflect.Descriptor instead.
-func (*ConnectionEvent) Descriptor() ([]byte, []int) {
+// Deprecated: Use Connections.ProtoReflect.Descriptor instead.
+func (*Connections) Descriptor() ([]byte, []int) {
 	return file_daemon_started_service_proto_rawDescGZIP(), []int{17}
 }
 
-func (x *ConnectionEvent) GetType() ConnectionEventType {
+func (x *Connections) GetConnections() []*Connection {
 	if x != nil {
-		return x.Type
-	}
-	return ConnectionEventType_CONNECTION_EVENT_NEW
-}
-
-func (x *ConnectionEvent) GetId() string {
-	if x != nil {
-		return x.Id
-	}
-	return ""
-}
-
-func (x *ConnectionEvent) GetConnection() *Connection {
-	if x != nil {
-		return x.Connection
+		return x.Connections
 	}
 	return nil
 }
 
-func (x *ConnectionEvent) GetUplinkDelta() int64 {
-	if x != nil {
-		return x.UplinkDelta
-	}
-	return 0
-}
-
-func (x *ConnectionEvent) GetDownlinkDelta() int64 {
-	if x != nil {
-		return x.DownlinkDelta
-	}
-	return 0
-}
-
-func (x *ConnectionEvent) GetClosedAt() int64 {
-	if x != nil {
-		return x.ClosedAt
-	}
-	return 0
-}
-
-type ConnectionEvents struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Events        []*ConnectionEvent     `protobuf:"bytes,1,rep,name=events,proto3" json:"events,omitempty"`
-	Reset_        bool                   `protobuf:"varint,2,opt,name=reset,proto3" json:"reset,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *ConnectionEvents) Reset() {
-	*x = ConnectionEvents{}
-	mi := &file_daemon_started_service_proto_msgTypes[18]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *ConnectionEvents) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*ConnectionEvents) ProtoMessage() {}
-
-func (x *ConnectionEvents) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[18]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use ConnectionEvents.ProtoReflect.Descriptor instead.
-func (*ConnectionEvents) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{18}
-}
-
-func (x *ConnectionEvents) GetEvents() []*ConnectionEvent {
-	if x != nil {
-		return x.Events
-	}
-	return nil
-}
-
-func (x *ConnectionEvents) GetReset_() bool {
-	if x != nil {
-		return x.Reset_
-	}
-	return false
-}
-
 type Connection struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Id            string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
@@ -1272,7 +1245,7 @@ type Connection struct {
 
 func (x *Connection) Reset() {
 	*x = Connection{}
-	mi := &file_daemon_started_service_proto_msgTypes[19]
+	mi := &file_daemon_started_service_proto_msgTypes[18]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1284,7 +1257,7 @@ func (x *Connection) String() string {
 func (*Connection) ProtoMessage() {}
 
 func (x *Connection) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[19]
+	mi := &file_daemon_started_service_proto_msgTypes[18]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1297,7 +1270,7 @@ func (x *Connection) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use Connection.ProtoReflect.Descriptor instead.
 func (*Connection) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{19}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{18}
 }
 
 func (x *Connection) GetId() string {
@@ -1467,7 +1440,7 @@ type ProcessInfo struct {
 
 func (x *ProcessInfo) Reset() {
 	*x = ProcessInfo{}
-	mi := &file_daemon_started_service_proto_msgTypes[20]
+	mi := &file_daemon_started_service_proto_msgTypes[19]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1479,7 +1452,7 @@ func (x *ProcessInfo) String() string {
 func (*ProcessInfo) ProtoMessage() {}
 
 func (x *ProcessInfo) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[20]
+	mi := &file_daemon_started_service_proto_msgTypes[19]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1492,7 +1465,7 @@ func (x *ProcessInfo) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use ProcessInfo.ProtoReflect.Descriptor instead.
 func (*ProcessInfo) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{20}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{19}
 }
 
 func (x *ProcessInfo) GetProcessId() uint32 {
@@ -1539,7 +1512,7 @@ type CloseConnectionRequest struct {
 
 func (x *CloseConnectionRequest) Reset() {
 	*x = CloseConnectionRequest{}
-	mi := &file_daemon_started_service_proto_msgTypes[21]
+	mi := &file_daemon_started_service_proto_msgTypes[20]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1551,7 +1524,7 @@ func (x *CloseConnectionRequest) String() string {
 func (*CloseConnectionRequest) ProtoMessage() {}
 
 func (x *CloseConnectionRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[21]
+	mi := &file_daemon_started_service_proto_msgTypes[20]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1564,7 +1537,7 @@ func (x *CloseConnectionRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use CloseConnectionRequest.ProtoReflect.Descriptor instead.
 func (*CloseConnectionRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{21}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{20}
 }
 
 func (x *CloseConnectionRequest) GetId() string {
@@ -1583,7 +1556,7 @@ type DeprecatedWarnings struct {
 
 func (x *DeprecatedWarnings) Reset() {
 	*x = DeprecatedWarnings{}
-	mi := &file_daemon_started_service_proto_msgTypes[22]
+	mi := &file_daemon_started_service_proto_msgTypes[21]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1595,7 +1568,7 @@ func (x *DeprecatedWarnings) String() string {
 func (*DeprecatedWarnings) ProtoMessage() {}
 
 func (x *DeprecatedWarnings) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[22]
+	mi := &file_daemon_started_service_proto_msgTypes[21]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1608,7 +1581,7 @@ func (x *DeprecatedWarnings) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use DeprecatedWarnings.ProtoReflect.Descriptor instead.
 func (*DeprecatedWarnings) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{22}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{21}
 }
 
 func (x *DeprecatedWarnings) GetWarnings() []*DeprecatedWarning {
@@ -1629,7 +1602,7 @@ type DeprecatedWarning struct {
 
 func (x *DeprecatedWarning) Reset() {
 	*x = DeprecatedWarning{}
-	mi := &file_daemon_started_service_proto_msgTypes[23]
+	mi := &file_daemon_started_service_proto_msgTypes[22]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1641,7 +1614,7 @@ func (x *DeprecatedWarning) String() string {
 func (*DeprecatedWarning) ProtoMessage() {}
 
 func (x *DeprecatedWarning) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[23]
+	mi := &file_daemon_started_service_proto_msgTypes[22]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1654,7 +1627,7 @@ func (x *DeprecatedWarning) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use DeprecatedWarning.ProtoReflect.Descriptor instead.
 func (*DeprecatedWarning) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{23}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{22}
 }
 
 func (x *DeprecatedWarning) GetMessage() string {
@@ -1687,7 +1660,7 @@ type StartedAt struct {
 
 func (x *StartedAt) Reset() {
 	*x = StartedAt{}
-	mi := &file_daemon_started_service_proto_msgTypes[24]
+	mi := &file_daemon_started_service_proto_msgTypes[23]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1699,7 +1672,7 @@ func (x *StartedAt) String() string {
 func (*StartedAt) ProtoMessage() {}
 
 func (x *StartedAt) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[24]
+	mi := &file_daemon_started_service_proto_msgTypes[23]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1712,7 +1685,7 @@ func (x *StartedAt) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use StartedAt.ProtoReflect.Descriptor instead.
 func (*StartedAt) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{24}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{23}
 }
 
 func (x *StartedAt) GetStartedAt() int64 {
@@ -1732,7 +1705,7 @@ type Log_Message struct {
 
 func (x *Log_Message) Reset() {
 	*x = Log_Message{}
-	mi := &file_daemon_started_service_proto_msgTypes[25]
+	mi := &file_daemon_started_service_proto_msgTypes[24]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1744,7 +1717,7 @@ func (x *Log_Message) String() string {
 func (*Log_Message) ProtoMessage() {}
 
 func (x *Log_Message) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[25]
+	mi := &file_daemon_started_service_proto_msgTypes[24]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1778,7 +1751,7 @@ var File_daemon_started_service_proto protoreflect.FileDescriptor
 
 const file_daemon_started_service_proto_rawDesc = "" +
 	"\n" +
-	"\x1cdaemon/started_service.proto\x12\x06daemon\x1a\x1bgoogle/protobuf/empty.proto\"\xad\x01\n" +
+	"\x1cdaemon/started_service.proto\x12\x06daemon\x1a\x1bgoogle/protobuf/empty.proto\x1a\x13daemon/helper.proto\"\xad\x01\n" +
 	"\rServiceStatus\x122\n" +
 	"\x06status\x18\x01 \x01(\x0e2\x1a.daemon.ServiceStatus.TypeR\x06status\x12\"\n" +
 	"\ferrorMessage\x18\x02 \x01(\tR\ferrorMessage\"D\n" +
@@ -1845,21 +1818,13 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\tavailable\x18\x01 \x01(\bR\tavailable\x12\x18\n" +
 	"\aenabled\x18\x02 \x01(\bR\aenabled\"8\n" +
 	"\x1cSetSystemProxyEnabledRequest\x12\x18\n" +
-	"\aenabled\x18\x01 \x01(\bR\aenabled\"9\n" +
+	"\aenabled\x18\x01 \x01(\bR\aenabled\"\x9d\x01\n" +
 	"\x1bSubscribeConnectionsRequest\x12\x1a\n" +
-	"\binterval\x18\x01 \x01(\x03R\binterval\"\xea\x01\n" +
-	"\x0fConnectionEvent\x12/\n" +
-	"\x04type\x18\x01 \x01(\x0e2\x1b.daemon.ConnectionEventTypeR\x04type\x12\x0e\n" +
-	"\x02id\x18\x02 \x01(\tR\x02id\x122\n" +
-	"\n" +
-	"connection\x18\x03 \x01(\v2\x12.daemon.ConnectionR\n" +
-	"connection\x12 \n" +
-	"\vuplinkDelta\x18\x04 \x01(\x03R\vuplinkDelta\x12$\n" +
-	"\rdownlinkDelta\x18\x05 \x01(\x03R\rdownlinkDelta\x12\x1a\n" +
-	"\bclosedAt\x18\x06 \x01(\x03R\bclosedAt\"Y\n" +
-	"\x10ConnectionEvents\x12/\n" +
-	"\x06events\x18\x01 \x03(\v2\x17.daemon.ConnectionEventR\x06events\x12\x14\n" +
-	"\x05reset\x18\x02 \x01(\bR\x05reset\"\x95\x05\n" +
+	"\binterval\x18\x01 \x01(\x03R\binterval\x120\n" +
+	"\x06filter\x18\x02 \x01(\x0e2\x18.daemon.ConnectionFilterR\x06filter\x120\n" +
+	"\x06sortBy\x18\x03 \x01(\x0e2\x18.daemon.ConnectionSortByR\x06sortBy\"C\n" +
+	"\vConnections\x124\n" +
+	"\vconnections\x18\x01 \x03(\v2\x12.daemon.ConnectionR\vconnections\"\x95\x05\n" +
 	"\n" +
 	"Connection\x12\x0e\n" +
 	"\x02id\x18\x01 \x01(\tR\x02id\x12\x18\n" +
@@ -1908,11 +1873,17 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x04WARN\x10\x03\x12\b\n" +
 	"\x04INFO\x10\x04\x12\t\n" +
 	"\x05DEBUG\x10\x05\x12\t\n" +
-	"\x05TRACE\x10\x06*i\n" +
-	"\x13ConnectionEventType\x12\x18\n" +
-	"\x14CONNECTION_EVENT_NEW\x10\x00\x12\x1b\n" +
-	"\x17CONNECTION_EVENT_UPDATE\x10\x01\x12\x1b\n" +
-	"\x17CONNECTION_EVENT_CLOSED\x10\x022\xe5\v\n" +
+	"\x05TRACE\x10\x06*3\n" +
+	"\x10ConnectionFilter\x12\a\n" +
+	"\x03ALL\x10\x00\x12\n" +
+	"\n" +
+	"\x06ACTIVE\x10\x01\x12\n" +
+	"\n" +
+	"\x06CLOSED\x10\x02*<\n" +
+	"\x10ConnectionSortBy\x12\b\n" +
+	"\x04DATE\x10\x00\x12\v\n" +
+	"\aTRAFFIC\x10\x01\x12\x11\n" +
+	"\rTOTAL_TRAFFIC\x10\x022\xf4\f\n" +
 	"\x0eStartedService\x12=\n" +
 	"\vStopService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12?\n" +
 	"\rReloadService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12K\n" +
@@ -1929,12 +1900,14 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x0eSelectOutbound\x12\x1d.daemon.SelectOutboundRequest\x1a\x16.google.protobuf.Empty\"\x00\x12I\n" +
 	"\x0eSetGroupExpand\x12\x1d.daemon.SetGroupExpandRequest\x1a\x16.google.protobuf.Empty\"\x00\x12K\n" +
 	"\x14GetSystemProxyStatus\x12\x16.google.protobuf.Empty\x1a\x19.daemon.SystemProxyStatus\"\x00\x12W\n" +
-	"\x15SetSystemProxyEnabled\x12$.daemon.SetSystemProxyEnabledRequest\x1a\x16.google.protobuf.Empty\"\x00\x12Y\n" +
-	"\x14SubscribeConnections\x12#.daemon.SubscribeConnectionsRequest\x1a\x18.daemon.ConnectionEvents\"\x000\x01\x12K\n" +
+	"\x15SetSystemProxyEnabled\x12$.daemon.SetSystemProxyEnabledRequest\x1a\x16.google.protobuf.Empty\"\x00\x12T\n" +
+	"\x14SubscribeConnections\x12#.daemon.SubscribeConnectionsRequest\x1a\x13.daemon.Connections\"\x000\x01\x12K\n" +
 	"\x0fCloseConnection\x12\x1e.daemon.CloseConnectionRequest\x1a\x16.google.protobuf.Empty\"\x00\x12G\n" +
 	"\x13CloseAllConnections\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\"\x00\x12M\n" +
 	"\x15GetDeprecatedWarnings\x12\x16.google.protobuf.Empty\x1a\x1a.daemon.DeprecatedWarnings\"\x00\x12;\n" +
-	"\fGetStartedAt\x12\x16.google.protobuf.Empty\x1a\x11.daemon.StartedAt\"\x00B%Z#github.com/sagernet/sing-box/daemonb\x06proto3"
+	"\fGetStartedAt\x12\x16.google.protobuf.Empty\x1a\x11.daemon.StartedAt\"\x00\x12J\n" +
+	"\x15SubscribeHelperEvents\x12\x16.google.protobuf.Empty\x1a\x15.daemon.HelperRequest\"\x000\x01\x12F\n" +
+	"\x12SendHelperResponse\x12\x16.daemon.HelperResponse\x1a\x16.google.protobuf.Empty\"\x00B%Z#github.com/sagernet/sing-box/daemonb\x06proto3"
 
 var (
 	file_daemon_started_service_proto_rawDescOnce sync.Once
@@ -1949,31 +1922,31 @@ func file_daemon_started_service_proto_rawDescGZIP() []byte {
 }
 
 var (
-	file_daemon_started_service_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-	file_daemon_started_service_proto_msgTypes  = make([]protoimpl.MessageInfo, 26)
+	file_daemon_started_service_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
+	file_daemon_started_service_proto_msgTypes  = make([]protoimpl.MessageInfo, 25)
 	file_daemon_started_service_proto_goTypes   = []any{
 		(LogLevel)(0),                        // 0: daemon.LogLevel
-		(ConnectionEventType)(0),             // 1: daemon.ConnectionEventType
-		(ServiceStatus_Type)(0),              // 2: daemon.ServiceStatus.Type
-		(*ServiceStatus)(nil),                // 3: daemon.ServiceStatus
-		(*ReloadServiceRequest)(nil),         // 4: daemon.ReloadServiceRequest
-		(*SubscribeStatusRequest)(nil),       // 5: daemon.SubscribeStatusRequest
-		(*Log)(nil),                          // 6: daemon.Log
-		(*DefaultLogLevel)(nil),              // 7: daemon.DefaultLogLevel
-		(*Status)(nil),                       // 8: daemon.Status
-		(*Groups)(nil),                       // 9: daemon.Groups
-		(*Group)(nil),                        // 10: daemon.Group
-		(*GroupItem)(nil),                    // 11: daemon.GroupItem
-		(*URLTestRequest)(nil),               // 12: daemon.URLTestRequest
-		(*SelectOutboundRequest)(nil),        // 13: daemon.SelectOutboundRequest
-		(*SetGroupExpandRequest)(nil),        // 14: daemon.SetGroupExpandRequest
-		(*ClashMode)(nil),                    // 15: daemon.ClashMode
-		(*ClashModeStatus)(nil),              // 16: daemon.ClashModeStatus
-		(*SystemProxyStatus)(nil),            // 17: daemon.SystemProxyStatus
-		(*SetSystemProxyEnabledRequest)(nil), // 18: daemon.SetSystemProxyEnabledRequest
-		(*SubscribeConnectionsRequest)(nil),  // 19: daemon.SubscribeConnectionsRequest
-		(*ConnectionEvent)(nil),              // 20: daemon.ConnectionEvent
-		(*ConnectionEvents)(nil),             // 21: daemon.ConnectionEvents
+		(ConnectionFilter)(0),                // 1: daemon.ConnectionFilter
+		(ConnectionSortBy)(0),                // 2: daemon.ConnectionSortBy
+		(ServiceStatus_Type)(0),              // 3: daemon.ServiceStatus.Type
+		(*ServiceStatus)(nil),                // 4: daemon.ServiceStatus
+		(*ReloadServiceRequest)(nil),         // 5: daemon.ReloadServiceRequest
+		(*SubscribeStatusRequest)(nil),       // 6: daemon.SubscribeStatusRequest
+		(*Log)(nil),                          // 7: daemon.Log
+		(*DefaultLogLevel)(nil),              // 8: daemon.DefaultLogLevel
+		(*Status)(nil),                       // 9: daemon.Status
+		(*Groups)(nil),                       // 10: daemon.Groups
+		(*Group)(nil),                        // 11: daemon.Group
+		(*GroupItem)(nil),                    // 12: daemon.GroupItem
+		(*URLTestRequest)(nil),               // 13: daemon.URLTestRequest
+		(*SelectOutboundRequest)(nil),        // 14: daemon.SelectOutboundRequest
+		(*SetGroupExpandRequest)(nil),        // 15: daemon.SetGroupExpandRequest
+		(*ClashMode)(nil),                    // 16: daemon.ClashMode
+		(*ClashModeStatus)(nil),              // 17: daemon.ClashModeStatus
+		(*SystemProxyStatus)(nil),            // 18: daemon.SystemProxyStatus
+		(*SetSystemProxyEnabledRequest)(nil), // 19: daemon.SetSystemProxyEnabledRequest
+		(*SubscribeConnectionsRequest)(nil),  // 20: daemon.SubscribeConnectionsRequest
+		(*Connections)(nil),                  // 21: daemon.Connections
 		(*Connection)(nil),                   // 22: daemon.Connection
 		(*ProcessInfo)(nil),                  // 23: daemon.ProcessInfo
 		(*CloseConnectionRequest)(nil),       // 24: daemon.CloseConnectionRequest
@@ -1982,18 +1955,20 @@ var (
 		(*StartedAt)(nil),                    // 27: daemon.StartedAt
 		(*Log_Message)(nil),                  // 28: daemon.Log.Message
 		(*emptypb.Empty)(nil),                // 29: google.protobuf.Empty
+		(*HelperResponse)(nil),               // 30: daemon.HelperResponse
+		(*HelperRequest)(nil),                // 31: daemon.HelperRequest
 	}
 )
 
 var file_daemon_started_service_proto_depIdxs = []int32{
-	2,  // 0: daemon.ServiceStatus.status:type_name -> daemon.ServiceStatus.Type
+	3,  // 0: daemon.ServiceStatus.status:type_name -> daemon.ServiceStatus.Type
 	28, // 1: daemon.Log.messages:type_name -> daemon.Log.Message
 	0,  // 2: daemon.DefaultLogLevel.level:type_name -> daemon.LogLevel
-	10, // 3: daemon.Groups.group:type_name -> daemon.Group
-	11, // 4: daemon.Group.items:type_name -> daemon.GroupItem
-	1,  // 5: daemon.ConnectionEvent.type:type_name -> daemon.ConnectionEventType
-	22, // 6: daemon.ConnectionEvent.connection:type_name -> daemon.Connection
-	20, // 7: daemon.ConnectionEvents.events:type_name -> daemon.ConnectionEvent
+	11, // 3: daemon.Groups.group:type_name -> daemon.Group
+	12, // 4: daemon.Group.items:type_name -> daemon.GroupItem
+	1,  // 5: daemon.SubscribeConnectionsRequest.filter:type_name -> daemon.ConnectionFilter
+	2,  // 6: daemon.SubscribeConnectionsRequest.sortBy:type_name -> daemon.ConnectionSortBy
+	22, // 7: daemon.Connections.connections:type_name -> daemon.Connection
 	23, // 8: daemon.Connection.processInfo:type_name -> daemon.ProcessInfo
 	26, // 9: daemon.DeprecatedWarnings.warnings:type_name -> daemon.DeprecatedWarning
 	0,  // 10: daemon.Log.Message.level:type_name -> daemon.LogLevel
@@ -2003,44 +1978,48 @@ var file_daemon_started_service_proto_depIdxs = []int32{
 	29, // 14: daemon.StartedService.SubscribeLog:input_type -> google.protobuf.Empty
 	29, // 15: daemon.StartedService.GetDefaultLogLevel:input_type -> google.protobuf.Empty
 	29, // 16: daemon.StartedService.ClearLogs:input_type -> google.protobuf.Empty
-	5,  // 17: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
+	6,  // 17: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
 	29, // 18: daemon.StartedService.SubscribeGroups:input_type -> google.protobuf.Empty
 	29, // 19: daemon.StartedService.GetClashModeStatus:input_type -> google.protobuf.Empty
 	29, // 20: daemon.StartedService.SubscribeClashMode:input_type -> google.protobuf.Empty
-	15, // 21: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
-	12, // 22: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
-	13, // 23: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
-	14, // 24: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
+	16, // 21: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
+	13, // 22: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
+	14, // 23: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
+	15, // 24: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
 	29, // 25: daemon.StartedService.GetSystemProxyStatus:input_type -> google.protobuf.Empty
-	18, // 26: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
-	19, // 27: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
+	19, // 26: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
+	20, // 27: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
 	24, // 28: daemon.StartedService.CloseConnection:input_type -> daemon.CloseConnectionRequest
 	29, // 29: daemon.StartedService.CloseAllConnections:input_type -> google.protobuf.Empty
 	29, // 30: daemon.StartedService.GetDeprecatedWarnings:input_type -> google.protobuf.Empty
 	29, // 31: daemon.StartedService.GetStartedAt:input_type -> google.protobuf.Empty
-	29, // 32: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
-	29, // 33: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
-	3,  // 34: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
-	6,  // 35: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
-	7,  // 36: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
-	29, // 37: daemon.StartedService.ClearLogs:output_type -> google.protobuf.Empty
-	8,  // 38: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
-	9,  // 39: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
-	16, // 40: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
-	15, // 41: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
-	29, // 42: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
-	29, // 43: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
-	29, // 44: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
-	29, // 45: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
-	17, // 46: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
-	29, // 47: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
-	21, // 48: daemon.StartedService.SubscribeConnections:output_type -> daemon.ConnectionEvents
-	29, // 49: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
-	29, // 50: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
-	25, // 51: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
-	27, // 52: daemon.StartedService.GetStartedAt:output_type -> daemon.StartedAt
-	32, // [32:53] is the sub-list for method output_type
-	11, // [11:32] is the sub-list for method input_type
+	29, // 32: daemon.StartedService.SubscribeHelperEvents:input_type -> google.protobuf.Empty
+	30, // 33: daemon.StartedService.SendHelperResponse:input_type -> daemon.HelperResponse
+	29, // 34: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
+	29, // 35: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
+	4,  // 36: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
+	7,  // 37: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
+	8,  // 38: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
+	29, // 39: daemon.StartedService.ClearLogs:output_type -> google.protobuf.Empty
+	9,  // 40: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
+	10, // 41: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
+	17, // 42: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
+	16, // 43: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
+	29, // 44: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
+	29, // 45: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
+	29, // 46: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
+	29, // 47: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
+	18, // 48: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
+	29, // 49: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
+	21, // 50: daemon.StartedService.SubscribeConnections:output_type -> daemon.Connections
+	29, // 51: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
+	29, // 52: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
+	25, // 53: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
+	27, // 54: daemon.StartedService.GetStartedAt:output_type -> daemon.StartedAt
+	31, // 55: daemon.StartedService.SubscribeHelperEvents:output_type -> daemon.HelperRequest
+	29, // 56: daemon.StartedService.SendHelperResponse:output_type -> google.protobuf.Empty
+	34, // [34:57] is the sub-list for method output_type
+	11, // [11:34] is the sub-list for method input_type
 	11, // [11:11] is the sub-list for extension type_name
 	11, // [11:11] is the sub-list for extension extendee
 	0,  // [0:11] is the sub-list for field type_name
@@ -2051,13 +2030,14 @@ func file_daemon_started_service_proto_init() {
 	if File_daemon_started_service_proto != nil {
 		return
 	}
+	file_daemon_helper_proto_init()
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_started_service_proto_rawDesc), len(file_daemon_started_service_proto_rawDesc)),
-			NumEnums:      3,
-			NumMessages:   26,
+			NumEnums:      4,
+			NumMessages:   25,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

daemon/started_service.proto

@@ -4,6 +4,7 @@ package daemon;
 option go_package = "github.com/sagernet/sing-box/daemon";
 
 import "google/protobuf/empty.proto";
+import "daemon/helper.proto";
 
 service StartedService {
   rpc StopService(google.protobuf.Empty) returns (google.protobuf.Empty);
@@ -27,11 +28,14 @@ service StartedService {
   rpc GetSystemProxyStatus(google.protobuf.Empty) returns(SystemProxyStatus) {}
   rpc SetSystemProxyEnabled(SetSystemProxyEnabledRequest) returns(google.protobuf.Empty) {}
 
-  rpc SubscribeConnections(SubscribeConnectionsRequest) returns(stream ConnectionEvents) {}
+  rpc SubscribeConnections(SubscribeConnectionsRequest) returns(stream Connections) {}
   rpc CloseConnection(CloseConnectionRequest) returns(google.protobuf.Empty) {}
   rpc CloseAllConnections(google.protobuf.Empty) returns(google.protobuf.Empty) {}
   rpc GetDeprecatedWarnings(google.protobuf.Empty) returns(DeprecatedWarnings) {}
   rpc GetStartedAt(google.protobuf.Empty) returns(StartedAt) {}
+
+  rpc SubscribeHelperEvents(google.protobuf.Empty) returns(stream HelperRequest) {}
+  rpc SendHelperResponse(HelperResponse) returns(google.protobuf.Empty) {}
 }
 
 message ServiceStatus {
@@ -143,26 +147,24 @@ message SetSystemProxyEnabledRequest {
 
 message SubscribeConnectionsRequest {
   int64 interval = 1;
+  ConnectionFilter filter = 2;
+  ConnectionSortBy sortBy = 3;
 }
 
-enum ConnectionEventType {
-  CONNECTION_EVENT_NEW = 0;
-  CONNECTION_EVENT_UPDATE = 1;
-  CONNECTION_EVENT_CLOSED = 2;
+enum ConnectionFilter {
+  ALL = 0;
+  ACTIVE = 1;
+  CLOSED = 2;
 }
 
-message ConnectionEvent {
-  ConnectionEventType type = 1;
-  string id = 2;
-  Connection connection = 3;
-  int64 uplinkDelta = 4;
-  int64 downlinkDelta = 5;
-  int64 closedAt = 6;
+enum ConnectionSortBy {
+  DATE = 0;
+  TRAFFIC = 1;
+  TOTAL_TRAFFIC = 2;
 }
 
-message ConnectionEvents {
-  repeated ConnectionEvent events = 1;
-  bool reset = 2;
+message Connections {
+  repeated Connection connections = 1;
 }
 
 message Connection {

daemon/started_service_grpc.pb.go

@@ -36,6 +36,8 @@ const (
 	StartedService_CloseAllConnections_FullMethodName    = "/daemon.StartedService/CloseAllConnections"
 	StartedService_GetDeprecatedWarnings_FullMethodName  = "/daemon.StartedService/GetDeprecatedWarnings"
 	StartedService_GetStartedAt_FullMethodName           = "/daemon.StartedService/GetStartedAt"
+	StartedService_SubscribeHelperEvents_FullMethodName  = "/daemon.StartedService/SubscribeHelperEvents"
+	StartedService_SendHelperResponse_FullMethodName     = "/daemon.StartedService/SendHelperResponse"
 )
 
 // StartedServiceClient is the client API for StartedService service.
@@ -58,11 +60,13 @@ type StartedServiceClient interface {
 	SetGroupExpand(ctx context.Context, in *SetGroupExpandRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetSystemProxyStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(ctx context.Context, in *SetSystemProxyEnabledRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
-	SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error)
+	SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[Connections], error)
 	CloseConnection(ctx context.Context, in *CloseConnectionRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	CloseAllConnections(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*DeprecatedWarnings, error)
 	GetStartedAt(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*StartedAt, error)
+	SubscribeHelperEvents(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[HelperRequest], error)
+	SendHelperResponse(ctx context.Context, in *HelperResponse, opts ...grpc.CallOption) (*emptypb.Empty, error)
 }
 
 type startedServiceClient struct {
@@ -278,13 +282,13 @@ func (c *startedServiceClient) SetSystemProxyEnabled(ctx context.Context, in *Se
 	return out, nil
 }
 
-func (c *startedServiceClient) SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error) {
+func (c *startedServiceClient) SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[Connections], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[5], StartedService_SubscribeConnections_FullMethodName, cOpts...)
 	if err != nil {
 		return nil, err
 	}
-	x := &grpc.GenericClientStream[SubscribeConnectionsRequest, ConnectionEvents]{ClientStream: stream}
+	x := &grpc.GenericClientStream[SubscribeConnectionsRequest, Connections]{ClientStream: stream}
 	if err := x.ClientStream.SendMsg(in); err != nil {
 		return nil, err
 	}
@@ -295,7 +299,7 @@ func (c *startedServiceClient) SubscribeConnections(ctx context.Context, in *Sub
 }
 
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_SubscribeConnectionsClient = grpc.ServerStreamingClient[ConnectionEvents]
+type StartedService_SubscribeConnectionsClient = grpc.ServerStreamingClient[Connections]
 
 func (c *startedServiceClient) CloseConnection(ctx context.Context, in *CloseConnectionRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
@@ -337,6 +341,35 @@ func (c *startedServiceClient) GetStartedAt(ctx context.Context, in *emptypb.Emp
 	return out, nil
 }
 
+func (c *startedServiceClient) SubscribeHelperEvents(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[HelperRequest], error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[6], StartedService_SubscribeHelperEvents_FullMethodName, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &grpc.GenericClientStream[emptypb.Empty, HelperRequest]{ClientStream: stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type StartedService_SubscribeHelperEventsClient = grpc.ServerStreamingClient[HelperRequest]
+
+func (c *startedServiceClient) SendHelperResponse(ctx context.Context, in *HelperResponse, opts ...grpc.CallOption) (*emptypb.Empty, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(emptypb.Empty)
+	err := c.cc.Invoke(ctx, StartedService_SendHelperResponse_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // StartedServiceServer is the server API for StartedService service.
 // All implementations must embed UnimplementedStartedServiceServer
 // for forward compatibility.
@@ -357,11 +390,13 @@ type StartedServiceServer interface {
 	SetGroupExpand(context.Context, *SetGroupExpandRequest) (*emptypb.Empty, error)
 	GetSystemProxyStatus(context.Context, *emptypb.Empty) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(context.Context, *SetSystemProxyEnabledRequest) (*emptypb.Empty, error)
-	SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error
+	SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[Connections]) error
 	CloseConnection(context.Context, *CloseConnectionRequest) (*emptypb.Empty, error)
 	CloseAllConnections(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(context.Context, *emptypb.Empty) (*DeprecatedWarnings, error)
 	GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error)
+	SubscribeHelperEvents(*emptypb.Empty, grpc.ServerStreamingServer[HelperRequest]) error
+	SendHelperResponse(context.Context, *HelperResponse) (*emptypb.Empty, error)
 	mustEmbedUnimplementedStartedServiceServer()
 }
 
@@ -373,87 +408,95 @@ type StartedServiceServer interface {
 type UnimplementedStartedServiceServer struct{}
 
 func (UnimplementedStartedServiceServer) StopService(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method StopService not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method StopService not implemented")
 }
 
 func (UnimplementedStartedServiceServer) ReloadService(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method ReloadService not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method ReloadService not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SubscribeServiceStatus(*emptypb.Empty, grpc.ServerStreamingServer[ServiceStatus]) error {
-	return status.Error(codes.Unimplemented, "method SubscribeServiceStatus not implemented")
+	return status.Errorf(codes.Unimplemented, "method SubscribeServiceStatus not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SubscribeLog(*emptypb.Empty, grpc.ServerStreamingServer[Log]) error {
-	return status.Error(codes.Unimplemented, "method SubscribeLog not implemented")
+	return status.Errorf(codes.Unimplemented, "method SubscribeLog not implemented")
 }
 
 func (UnimplementedStartedServiceServer) GetDefaultLogLevel(context.Context, *emptypb.Empty) (*DefaultLogLevel, error) {
-	return nil, status.Error(codes.Unimplemented, "method GetDefaultLogLevel not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method GetDefaultLogLevel not implemented")
 }
 
 func (UnimplementedStartedServiceServer) ClearLogs(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method ClearLogs not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method ClearLogs not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SubscribeStatus(*SubscribeStatusRequest, grpc.ServerStreamingServer[Status]) error {
-	return status.Error(codes.Unimplemented, "method SubscribeStatus not implemented")
+	return status.Errorf(codes.Unimplemented, "method SubscribeStatus not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SubscribeGroups(*emptypb.Empty, grpc.ServerStreamingServer[Groups]) error {
-	return status.Error(codes.Unimplemented, "method SubscribeGroups not implemented")
+	return status.Errorf(codes.Unimplemented, "method SubscribeGroups not implemented")
 }
 
 func (UnimplementedStartedServiceServer) GetClashModeStatus(context.Context, *emptypb.Empty) (*ClashModeStatus, error) {
-	return nil, status.Error(codes.Unimplemented, "method GetClashModeStatus not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method GetClashModeStatus not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SubscribeClashMode(*emptypb.Empty, grpc.ServerStreamingServer[ClashMode]) error {
-	return status.Error(codes.Unimplemented, "method SubscribeClashMode not implemented")
+	return status.Errorf(codes.Unimplemented, "method SubscribeClashMode not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SetClashMode(context.Context, *ClashMode) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method SetClashMode not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method SetClashMode not implemented")
 }
 
 func (UnimplementedStartedServiceServer) URLTest(context.Context, *URLTestRequest) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method URLTest not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method URLTest not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SelectOutbound(context.Context, *SelectOutboundRequest) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method SelectOutbound not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method SelectOutbound not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SetGroupExpand(context.Context, *SetGroupExpandRequest) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method SetGroupExpand not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method SetGroupExpand not implemented")
 }
 
 func (UnimplementedStartedServiceServer) GetSystemProxyStatus(context.Context, *emptypb.Empty) (*SystemProxyStatus, error) {
-	return nil, status.Error(codes.Unimplemented, "method GetSystemProxyStatus not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method GetSystemProxyStatus not implemented")
 }
 
 func (UnimplementedStartedServiceServer) SetSystemProxyEnabled(context.Context, *SetSystemProxyEnabledRequest) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method SetSystemProxyEnabled not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method SetSystemProxyEnabled not implemented")
 }
 
-func (UnimplementedStartedServiceServer) SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error {
-	return status.Error(codes.Unimplemented, "method SubscribeConnections not implemented")
+func (UnimplementedStartedServiceServer) SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[Connections]) error {
+	return status.Errorf(codes.Unimplemented, "method SubscribeConnections not implemented")
 }
 
 func (UnimplementedStartedServiceServer) CloseConnection(context.Context, *CloseConnectionRequest) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method CloseConnection not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method CloseConnection not implemented")
 }
 
 func (UnimplementedStartedServiceServer) CloseAllConnections(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method CloseAllConnections not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method CloseAllConnections not implemented")
 }
 
 func (UnimplementedStartedServiceServer) GetDeprecatedWarnings(context.Context, *emptypb.Empty) (*DeprecatedWarnings, error) {
-	return nil, status.Error(codes.Unimplemented, "method GetDeprecatedWarnings not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method GetDeprecatedWarnings not implemented")
 }
 
 func (UnimplementedStartedServiceServer) GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error) {
-	return nil, status.Error(codes.Unimplemented, "method GetStartedAt not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method GetStartedAt not implemented")
+}
+
+func (UnimplementedStartedServiceServer) SubscribeHelperEvents(*emptypb.Empty, grpc.ServerStreamingServer[HelperRequest]) error {
+	return status.Errorf(codes.Unimplemented, "method SubscribeHelperEvents not implemented")
+}
+
+func (UnimplementedStartedServiceServer) SendHelperResponse(context.Context, *HelperResponse) (*emptypb.Empty, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SendHelperResponse not implemented")
 }
 func (UnimplementedStartedServiceServer) mustEmbedUnimplementedStartedServiceServer() {}
 func (UnimplementedStartedServiceServer) testEmbeddedByValue()                        {}
@@ -466,7 +509,7 @@ type UnsafeStartedServiceServer interface {
 }
 
 func RegisterStartedServiceServer(s grpc.ServiceRegistrar, srv StartedServiceServer) {
-	// If the following call panics, it indicates UnimplementedStartedServiceServer was
+	// If the following call pancis, it indicates UnimplementedStartedServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.
@@ -734,11 +777,11 @@ func _StartedService_SubscribeConnections_Handler(srv interface{}, stream grpc.S
 	if err := stream.RecvMsg(m); err != nil {
 		return err
 	}
-	return srv.(StartedServiceServer).SubscribeConnections(m, &grpc.GenericServerStream[SubscribeConnectionsRequest, ConnectionEvents]{ServerStream: stream})
+	return srv.(StartedServiceServer).SubscribeConnections(m, &grpc.GenericServerStream[SubscribeConnectionsRequest, Connections]{ServerStream: stream})
 }
 
 // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_SubscribeConnectionsServer = grpc.ServerStreamingServer[ConnectionEvents]
+type StartedService_SubscribeConnectionsServer = grpc.ServerStreamingServer[Connections]
 
 func _StartedService_CloseConnection_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(CloseConnectionRequest)
@@ -812,6 +855,35 @@ func _StartedService_GetStartedAt_Handler(srv interface{}, ctx context.Context,
 	return interceptor(ctx, in, info, handler)
 }
 
+func _StartedService_SubscribeHelperEvents_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(emptypb.Empty)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(StartedServiceServer).SubscribeHelperEvents(m, &grpc.GenericServerStream[emptypb.Empty, HelperRequest]{ServerStream: stream})
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type StartedService_SubscribeHelperEventsServer = grpc.ServerStreamingServer[HelperRequest]
+
+func _StartedService_SendHelperResponse_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(HelperResponse)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(StartedServiceServer).SendHelperResponse(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: StartedService_SendHelperResponse_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(StartedServiceServer).SendHelperResponse(ctx, req.(*HelperResponse))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // StartedService_ServiceDesc is the grpc.ServiceDesc for StartedService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -879,6 +951,10 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetStartedAt",
 			Handler:    _StartedService_GetStartedAt_Handler,
 		},
+		{
+			MethodName: "SendHelperResponse",
+			Handler:    _StartedService_SendHelperResponse_Handler,
+		},
 	},
 	Streams: []grpc.StreamDesc{
 		{
@@ -911,6 +987,11 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			Handler:       _StartedService_SubscribeConnections_Handler,
 			ServerStreams: true,
 		},
+		{
+			StreamName:    "SubscribeHelperEvents",
+			Handler:       _StartedService_SubscribeHelperEvents_Handler,
+			ServerStreams: true,
+		},
 	},
 	Metadata: "daemon/started_service.proto",
 }

debug.go

@@ -3,11 +3,11 @@ package box
 import (
 	"runtime/debug"
 
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func applyDebugOptions(options option.DebugOptions) error {
+func applyDebugOptions(options option.DebugOptions) {
 	applyDebugListenOption(options)
 	if options.GCPercent != nil {
 		debug.SetGCPercent(*options.GCPercent)
@@ -26,9 +26,9 @@ func applyDebugOptions(options option.DebugOptions) error {
 	}
 	if options.MemoryLimit.Value() != 0 {
 		debug.SetMemoryLimit(int64(float64(options.MemoryLimit.Value()) / 1.5))
+		conntrack.MemoryLimit = options.MemoryLimit.Value()
 	}
 	if options.OOMKiller != nil {
-		return E.New("legacy oom_killer in debug options is removed, use oom-killer service instead")
+		conntrack.KillerEnabled = *options.OOMKiller
 	}
-	return nil
 }

dns/client.go

@@ -144,11 +144,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		if c.cache != nil {
 			cond, loaded := c.cacheLock.LoadOrStore(question, make(chan struct{}))
 			if loaded {
-				select {
-				case <-cond:
-				case <-ctx.Done():
-					return nil, ctx.Err()
-				}
+				<-cond
 			} else {
 				defer func() {
 					c.cacheLock.Delete(question)
@@ -158,11 +154,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		} else if c.transportCache != nil {
 			cond, loaded := c.transportCacheLock.LoadOrStore(question, make(chan struct{}))
 			if loaded {
-				select {
-				case <-cond:
-				case <-ctx.Done():
-					return nil, ctx.Err()
-				}
+				<-cond
 			} else {
 				defer func() {
 					c.transportCacheLock.Delete(question)
@@ -240,10 +232,8 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	if responseChecker != nil {
 		var rejected bool
 		// TODO: add accept_any rule and support to check response instead of addresses
-		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
+		if response.Rcode != dns.RcodeSuccess || len(response.Answer) == 0 {
 			rejected = true
-		} else if len(response.Answer) == 0 {
-			rejected = !responseChecker(nil)
 		} else {
 			rejected = !responseChecker(MessageToAddresses(response))
 		}

dns/router.go

@@ -272,7 +272,13 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 					return action.Response(message), nil
 				}
 			}
-			responseCheck := addressLimitResponseCheck(rule, metadata)
+			var responseCheck func(responseAddrs []netip.Addr) bool
+			if rule != nil && rule.WithAddressLimit() {
+				responseCheck = func(responseAddrs []netip.Addr) bool {
+					metadata.DestinationAddresses = responseAddrs
+					return rule.MatchAddressLimit(metadata)
+				}
+			}
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -371,11 +377,9 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 				case *R.RuleActionReject:
 					return nil, &R.RejectedError{Cause: action.Error(ctx)}
 				case *R.RuleActionPredefined:
-					responseAddrs = nil
 					if action.Rcode != mDNS.RcodeSuccess {
 						err = RcodeError(action.Rcode)
 					} else {
-						err = nil
 						for _, answer := range action.Answer {
 							switch record := answer.(type) {
 							case *mDNS.A:
@@ -388,7 +392,13 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 					goto response
 				}
 			}
-			responseCheck := addressLimitResponseCheck(rule, metadata)
+			var responseCheck func(responseAddrs []netip.Addr) bool
+			if rule != nil && rule.WithAddressLimit() {
+				responseCheck = func(responseAddrs []netip.Addr) bool {
+					metadata.DestinationAddresses = responseAddrs
+					return rule.MatchAddressLimit(metadata)
+				}
+			}
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -416,18 +426,6 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }
 
-func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
-	if rule == nil || !rule.WithAddressLimit() {
-		return nil
-	}
-	responseMetadata := *metadata
-	return func(responseAddrs []netip.Addr) bool {
-		checkMetadata := responseMetadata
-		checkMetadata.DestinationAddresses = responseAddrs
-		return rule.MatchAddressLimit(&checkMetadata)
-	}
-}
-
 func (r *Router) ClearCache() {
 	r.client.ClearCache()
 	if r.platformInterface != nil {

dns/transport/dhcp/dhcp.go

@@ -263,7 +263,6 @@ func (t *Transport) fetchServersResponse(iface *control.Interface, packetConn ne
 	defer buffer.Release()
 
 	for {
-		buffer.Reset()
 		_, _, err := buffer.ReadPacketFrom(packetConn)
 		if err != nil {
 			if errors.Is(err, io.ErrShortBuffer) {

dns/transport/fakeip/store.go

@@ -18,8 +18,6 @@ type Store struct {
 	logger     logger.Logger
 	inet4Range netip.Prefix
 	inet6Range netip.Prefix
-	inet4Last  netip.Addr
-	inet6Last  netip.Addr
 	storage    adapter.FakeIPStorage
 
 	addressAccess sync.Mutex
@@ -28,35 +26,12 @@ type Store struct {
 }
 
 func NewStore(ctx context.Context, logger logger.Logger, inet4Range netip.Prefix, inet6Range netip.Prefix) *Store {
-	store := &Store{
+	return &Store{
 		ctx:        ctx,
 		logger:     logger,
 		inet4Range: inet4Range,
 		inet6Range: inet6Range,
 	}
-	if inet4Range.IsValid() {
-		store.inet4Last = broadcastAddress(inet4Range)
-	}
-	if inet6Range.IsValid() {
-		store.inet6Last = broadcastAddress(inet6Range)
-	}
-	return store
-}
-
-func broadcastAddress(prefix netip.Prefix) netip.Addr {
-	addr := prefix.Addr()
-	raw := addr.As16()
-	bits := prefix.Bits()
-	if addr.Is4() {
-		bits += 96
-	}
-	for i := bits; i < 128; i++ {
-		raw[i/8] |= 1 << (7 - i%8)
-	}
-	if addr.Is4() {
-		return netip.AddrFrom4([4]byte(raw[12:]))
-	}
-	return netip.AddrFrom16(raw)
 }
 
 func (s *Store) Start() error {
@@ -74,10 +49,10 @@ func (s *Store) Start() error {
 		s.inet6Current = metadata.Inet6Current
 	} else {
 		if s.inet4Range.IsValid() {
-			s.inet4Current = s.inet4Range.Addr().Next()
+			s.inet4Current = s.inet4Range.Addr().Next().Next()
 		}
 		if s.inet6Range.IsValid() {
-			s.inet6Current = s.inet6Range.Addr().Next()
+			s.inet6Current = s.inet6Range.Addr().Next().Next()
 		}
 		_ = storage.FakeIPReset()
 	}
@@ -123,7 +98,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv4 fakeip address range")
 		}
 		nextAddress := s.inet4Current.Next()
-		if nextAddress == s.inet4Last || !s.inet4Range.Contains(nextAddress) {
+		if !s.inet4Range.Contains(nextAddress) {
 			nextAddress = s.inet4Range.Addr().Next().Next()
 		}
 		s.inet4Current = nextAddress
@@ -133,7 +108,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv6 fakeip address range")
 		}
 		nextAddress := s.inet6Current.Next()
-		if nextAddress == s.inet6Last || !s.inet6Range.Contains(nextAddress) {
+		if !s.inet6Range.Contains(nextAddress) {
 			nextAddress = s.inet6Range.Addr().Next().Next()
 		}
 		s.inet6Current = nextAddress

dns/transport/local/resolv_windows.go

@@ -5,7 +5,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strconv"
 	"syscall"
 	"time"
 	"unsafe"
@@ -64,9 +63,6 @@ func dnsReadConfig(ctx context.Context, _ string) *dnsConfig {
 					continue
 				}
 				dnsServerAddr = netip.AddrFrom16(sockaddr.Addr)
-				if sockaddr.ZoneId != 0 {
-					dnsServerAddr = dnsServerAddr.WithZone(strconv.FormatInt(int64(sockaddr.ZoneId), 10))
-				}
 			default:
 				// Unexpected type.
 				continue

docs/changelog.md

@@ -2,317 +2,10 @@
 icon: material/alert-decagram
 ---
 
-#### 1.13.1
-
-* Fixes and improvements
-
-#### 1.12.14
-
-* Backport fixes
-
-#### 1.13.0
-
-Important changes since 1.12:
-
-* Add NaiveProxy outbound **1**
-* Add pre-match support for `auto_redirect` **2**
-* Improve `auto_redirect` **3**
-* Add Chrome Root Store certificate option **4**
-* Add new options for ACME DNS-01 challenge providers **5**
-* Add Wi-Fi state support for Linux and Windows **6**
-* Add curve preferences, pinned public key SHA256, mTLS and ECH `query_server_name` for TLS options **7**
-* Add kTLS support **8**
-* Add ICMP echo (ping) proxy support **9**
-* Add `interface_address`, `network_interface_address` and `default_interface_address` rule items **10**
-* Add `preferred_by` route rule item **11**
-* Improve `local` DNS server **12**
-* Add `disable_tcp_keep_alive`, `tcp_keep_alive` and `tcp_keep_alive_interval` options for listen and dial fields **13**
-* Add `bind_address_no_port` option for dial fields **14**
-* Add system interface, relay server and advertise tags options for Tailscale endpoint **15**
-* Add Claude Code Multiplexer service **16**
-* Add OpenAI Codex Multiplexer service **17**
-* Apple/Android: Refactor GUI
-* Apple/Android: Add support for sharing configurations via [QRS](https://github.com/qifi-dev/qrs)
-* Android: Add support for resisting VPN detection via Xposed
-* Drop support for go1.23 **18**
-* Drop support for Android 5.0 **19**
-* Update uTLS to v1.8.2 **20**
-* Update quic-go to v0.59.0
-* Update gVisor to v20250811
-* Update Tailscale to v1.92.4
-
-**1**:
-
-NaiveProxy outbound now supports QUIC, ECH, UDP over TCP, and configurable QUIC congestion control.
-
-Only available on Apple platforms, Android, Windows and some Linux architectures.
-Each Windows release includes `libcronet.dll` —
-ensure this file is in the same directory as `sing-box.exe` or in a directory listed in `PATH`.
-
-See [NaiveProxy outbound](/configuration/outbound/naive/).
-
-**2**:
-
-`auto_redirect` now allows you to bypass sing-box for connections based on routing rules.
-
-A new rule action `bypass` is introduced to support this feature. When matched during pre-match, the connection will bypass sing-box and connect directly.
-
-This feature requires Linux with `auto_redirect` enabled.
-
-See [Pre-match](/configuration/shared/pre-match/) and [Rule Action](/configuration/route/rule_action/#bypass).
-
-**3**:
-
-`auto_redirect` now rejects MPTCP connections by default to fix compatibility issues.
-You can change it to bypass sing-box via the new `exclude_mptcp` option.
-
-Adds a fallback iproute2 rule checked after system default rules (32766: main, 32767: default),
-ensuring traffic is routed to the sing-box table when no route is found in system tables.
-The rule index can be customized via `auto_redirect_iproute2_fallback_rule_index` (default: 32768).
-
-See [TUN](/configuration/inbound/tun/#exclude_mptcp).
-
-**4**:
-
-Adds `chrome` as a new certificate store option alongside `mozilla`.
-Both stores filter out China-based CA certificates.
-
-See [Certificate](/configuration/certificate/#store).
-
-**5**:
-
-See [DNS-01 Challenge](/configuration/shared/dns01_challenge/).
-
-**6**:
-
-sing-box can now monitor Wi-Fi state on Linux and Windows to enable routing rules based on `wifi_ssid` and `wifi_bssid`.
-
-See [Wi-Fi State](/configuration/shared/wifi-state/).
-
-**7**:
-
-See [TLS](/configuration/shared/tls/).
-
-**8**:
-
-Adds `kernel_tx` and `kernel_rx` options for TLS inbound.
-Enables kernel-level TLS offloading via `splice(2)` on Linux 5.1+ with TLS 1.3.
-
-See [TLS](/configuration/shared/tls/).
-
-**9**:
-
-sing-box can now proxy ICMP echo (ping) requests.
-A new `icmp` network type is available for route rules.
-Supported from TUN, WireGuard and Tailscale inbounds to Direct, WireGuard and Tailscale outbounds.
-The `reject` action can also reply to ICMP echo requests.
-
-**10**:
-
-New rule items for matching based on interface IP addresses, available in route rules, DNS rules and rule-sets.
-
-**11**:
-
-Matches outbounds' preferred routes.
-For Tailscale: MagicDNS domains and peers' allowed IPs. For WireGuard: peers' allowed IPs.
-
-**12**:
-
-The `local` DNS server now uses platform-native resolution:
-`getaddrinfo`/libresolv on Apple platforms, systemd-resolved DBus on Linux.
-A new `prefer_go` option is available to opt out.
-
-See [Local DNS](/configuration/dns/server/local/).
-
-**13**:
-
-The default TCP keep-alive initial period has been updated from 10 minutes to 5 minutes.
-
-See [Dial Fields](/configuration/shared/dial/#tcp_keep_alive).
-
-**14**:
-
-Adds the Linux socket option `IP_BIND_ADDRESS_NO_PORT` support when explicitly binding to a source address.
-
-This allows reusing the same source port for multiple connections, improving scalability for high-concurrency proxy scenarios.
-
-See [Dial Fields](/configuration/shared/dial/#bind_address_no_port).
-
-**15**:
-
-Tailscale endpoint can now create a system TUN interface to handle traffic directly.
-New `relay_server_port` and `relay_server_static_endpoints` options for incoming relay connections.
-New `advertise_tags` option for ACL tag advertisement.
-
-See [Tailscale endpoint](/configuration/endpoint/tailscale/).
-
-**16**:
-
-CCM (Claude Code Multiplexer) service allows you to access your local Claude Code subscription remotely through custom tokens, eliminating the need for OAuth authentication on remote clients.
-
-See [CCM](/configuration/service/ccm).
-
-**17**:
-
-See [OCM](/configuration/service/ocm).
-
-**18**:
-
-Due to maintenance difficulties, sing-box 1.13.0 requires at least Go 1.24 to compile.
-
-**19**:
-
-Due to maintenance difficulties, sing-box 1.13.0 will be the last version to support Android 5.0,
-and only through a separate legacy build (with `-legacy-android-5` suffix).
-
-For standalone binaries, the minimum Android version has been raised to Android 6.0,
-since Termux requires Android 7.0 or later.
-
-**20**:
-
-This update fixes missing padding extension for Chrome 120+ fingerprints.
-
-Also, documentation has been updated with a warning about uTLS fingerprinting vulnerabilities.
-uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
-use NaiveProxy instead for TLS fingerprint resistance.
-
-#### 1.12.23
-
-* Fixes and improvements
-
-#### 1.13.0-rc.5
-
-* Add `mipsle`, `mips64le`, `riscv64` and `loong64` support for NaiveProxy outbound
-
-#### 1.12.22
-
-* Fixes and improvements
-
-#### 1.13.0-rc.3
-
-* Fixes and improvements
-
-#### 1.12.21
-
-* Fixes and improvements
-
-#### 1.13.0-rc.2
-
-* Fixes and improvements
-
-#### 1.12.20
-
-* Fixes and improvements
-
-#### 1.13.0-rc.1
-
-* Fixes and improvements
-
-#### 1.12.19
-
-* Fixes and improvements
-
-#### 1.13.0-beta.8
-
-* Add fallback routing rule for `auto_redirect` **1**
-* Fixes and improvements
-
-**1**:
-
-Adds a fallback iproute2 rule checked after system default rules (32766: main, 32767: default),
-ensuring traffic is routed to the sing-box table when no route is found in system tables.
-
-The rule index can be customized via `auto_redirect_iproute2_fallback_rule_index` (default: 32768).
-
-#### 1.12.18
-
-* Add fallback routing rule for `auto_redirect` **1**
-* Fixes and improvements
-
-**1**:
-
-Adds a fallback iproute2 rule checked after system default rules (32766: main, 32767: default),
-ensuring traffic is routed to the sing-box table when no route is found in system tables.
-
-The rule index can be customized via `auto_redirect_iproute2_fallback_rule_index` (default: 32768).
-
-#### 1.13.0-beta.6
-
-* Update uTLS to v1.8.2 **1**
-* Fixes and improvements
-
-**1**:
-
-This update fixes missing padding extension for Chrome 120+ fingerprints.
-
-Also, documentation has been updated with a warning about uTLS fingerprinting vulnerabilities.
-uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
-use NaiveProxy instead for TLS fingerprint resistance.
-
-#### 1.12.17
-
-* Update uTLS to v1.8.2 **1**
-* Fixes and improvements
-
-**1**:
-
-This update fixes missing padding extension for Chrome 120+ fingerprints.
-
-Also, documentation has been updated with a warning about uTLS fingerprinting vulnerabilities.
-uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
-use NaiveProxy instead for TLS fingerprint resistance.
-
-#### 1.13.0-beta.5
-
-* Fixes and improvements
-
-#### 1.12.16
-
-* Fixes and improvements
-
-#### 1.13.0-beta.4
-
-* Apple/Android: Add support for sharing configurations via [QRS](https://github.com/qifi-dev/qrs)
-* Android: Add support for resisting VPN detection via Xposed
-* Update quic-go to v0.59.0
-* Fixes and improvements
-
-#### 1.13.0-beta.2
-
-* Add `bind_address_no_port` option for dial fields **1**
-* Fixes and improvements
-
-**1**:
-
-Adds the Linux socket option `IP_BIND_ADDRESS_NO_PORT` support when explicitly binding to a source address.
-
-This allows reusing the same source port for multiple connections, improving scalability for high-concurrency proxy scenarios.
-
-See [Dial Fields](/configuration/shared/dial/#bind_address_no_port).
-
-#### 1.13.0-beta.1
-
-* Add system interface support for Tailscale endpoint **1**
-* Fixes and improvements
-
-**1**:
-
-Tailscale endpoint can now create a system TUN interface to handle traffic directly.
-
-See [Tailscale endpoint](/configuration/endpoint/tailscale/#system_interface).
-
-#### 1.12.15
-
-* Fixes and improvements
-
-#### 1.13.0-alpha.36
-
-* Downgrade quic-go to v0.57.1
-* Fixes and improvements
-
 #### 1.13.0-alpha.35
 
 * Add pre-match support for `auto_redirect` **1**
+* Fix missing relay support for Tailscale **2**
 * Fixes and improvements
 
 **1**:
@@ -325,6 +18,10 @@ This feature requires Linux with `auto_redirect` enabled.
 
 See [Pre-match](/configuration/shared/pre-match/) and [Rule Action](/configuration/route/rule_action/#bypass).
 
+**2**:
+
+See [Tailscale Endpoint](/configuration/endpoint/tailscale/#relay_server_port).
+
 #### 1.13.0-alpha.34
 
 * Add Chrome Root Store certificate option **1**

docs/configuration/endpoint/tailscale.md

@@ -5,11 +5,7 @@ icon: material/new-box
 !!! quote "Changes in sing-box 1.13.0"
 
     :material-plus: [relay_server_port](#relay_server_port)  
-    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
-    :material-plus: [system_interface](#system_interface)  
-    :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)  
-    :material-plus: [advertise_tags](#advertise_tags)
+    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)
 
 !!! question "Since sing-box 1.12.0"
 
@@ -29,14 +25,10 @@ icon: material/new-box
   "exit_node_allow_lan_access": false,
   "advertise_routes": [],
   "advertise_exit_node": false,
-  "advertise_tags": [],
   "relay_server_port": 0,
   "relay_server_static_endpoints": [],
-  "system_interface": false,
-  "system_interface_name": "",
-  "system_interface_mtu": 0,
   "udp_timeout": "5m",
-
+  
   ... // Dial Fields
 }
 ```
@@ -104,44 +96,14 @@ Example: `["192.168.1.1/24"]`
 
 Indicates whether the node should advertise itself as an exit node.
 
-#### advertise_tags
-
-!!! question "Since sing-box 1.13.0"
-
-Tags to advertise for this node, for ACL enforcement purposes.
-
-Example: `["tag:server"]`
-
 #### relay_server_port
 
-!!! question "Since sing-box 1.13.0"
-
 The port to listen on for incoming relay connections from other Tailscale nodes.
 
 #### relay_server_static_endpoints
 
-!!! question "Since sing-box 1.13.0"
-
 Static endpoints to advertise for the relay server.
 
-#### system_interface
-
-!!! question "Since sing-box 1.13.0"
-
-Create a system TUN interface for Tailscale.
-
-#### system_interface_name
-
-!!! question "Since sing-box 1.13.0"
-
-Custom TUN interface name. By default, `tailscale` (or `utun` on macOS) will be used.
-
-#### system_interface_mtu
-
-!!! question "Since sing-box 1.13.0"
-
-Override the TUN MTU. By default, Tailscale's own MTU is used.
-
 #### udp_timeout
 
 UDP NAT expiration time.

docs/configuration/endpoint/tailscale.zh.md

@@ -5,11 +5,7 @@ icon: material/new-box
 !!! quote "sing-box 1.13.0 中的更改"
 
     :material-plus: [relay_server_port](#relay_server_port)  
-    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
-    :material-plus: [system_interface](#system_interface)  
-    :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)  
-    :material-plus: [advertise_tags](#advertise_tags)
+    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)
 
 !!! question "自 sing-box 1.12.0 起"
 
@@ -29,12 +25,8 @@ icon: material/new-box
   "exit_node_allow_lan_access": false,
   "advertise_routes": [],
   "advertise_exit_node": false,
-  "advertise_tags": [],
   "relay_server_port": 0,
   "relay_server_static_endpoints": [],
-  "system_interface": false,
-  "system_interface_name": "",
-  "system_interface_mtu": 0,
   "udp_timeout": "5m",
 
   ... // 拨号字段
@@ -103,44 +95,14 @@ icon: material/new-box
 
 指示节点是否应将自己通告为出口节点。
 
-#### advertise_tags
-
-!!! question "自 sing-box 1.13.0 起"
-
-为此节点通告的标签，用于 ACL 执行。
-
-示例：`["tag:server"]`
-
 #### relay_server_port
 
-!!! question "自 sing-box 1.13.0 起"
-
 监听来自其他 Tailscale 节点的中继连接的端口。
 
 #### relay_server_static_endpoints
 
-!!! question "自 sing-box 1.13.0 起"
-
 为中继服务器通告的静态端点。
 
-#### system_interface
-
-!!! question "自 sing-box 1.13.0 起"
-
-为 Tailscale 创建系统 TUN 接口。
-
-#### system_interface_name
-
-!!! question "自 sing-box 1.13.0 起"
-
-自定义 TUN 接口名。默认使用 `tailscale`（macOS 上为 `utun`）。
-
-#### system_interface_mtu
-
-!!! question "自 sing-box 1.13.0 起"
-
-覆盖 TUN 的 MTU。默认使用 Tailscale 自己的 MTU。
-
 #### udp_timeout
 
 UDP NAT 过期时间。
@@ -153,4 +115,4 @@ UDP NAT 过期时间。
 
     Tailscale 端点中的拨号字段仅控制它如何连接到控制平面，与实际连接无关。
 
-参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。
+参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

docs/configuration/inbound/shadowsocks.md

@@ -9,7 +9,6 @@
 
   "method": "2022-blake3-aes-128-gcm",
   "password": "8JCsPssfgS8tiRwiMlhARg==",
-  "managed": false,
   "multiplex": {}
 }
 ```
@@ -87,10 +86,6 @@ Both if empty.
 | 2022 methods  | `sing-box generate rand --base64 <Key Length>` |
 | other methods | any string                                     |
 
-#### managed
-
-Defaults to `false`. Enable this when the inbound is managed by the [SSM API](/configuration/service/ssm-api) for dynamic user.
-
 #### multiplex
 
 See [Multiplex](/configuration/shared/multiplex#inbound) for details.

docs/configuration/inbound/shadowsocks.zh.md

@@ -9,7 +9,6 @@
 
   "method": "2022-blake3-aes-128-gcm",
   "password": "8JCsPssfgS8tiRwiMlhARg==",
-  "managed": false,
   "multiplex": {}
 }
 ```
@@ -87,10 +86,6 @@
 | 2022 methods  | `sing-box generate rand --base64 <密钥长度>` |
 | other methods | 任意字符串                                    |
 
-#### managed
-
-默认为 `false`。当该入站需要由 [SSM API](/zh/configuration/service/ssm-api) 管理用户时必须启用此字段。
-
 #### multiplex
 
 参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。

docs/configuration/inbound/tun.md

@@ -6,8 +6,7 @@ icon: material/new-box
 
     :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
     :material-plus: [auto_redirect_nfqueue](#auto_redirect_nfqueue)  
-    :material-plus: [exclude_mptcp](#exclude_mptcp)  
-    :material-plus: [auto_redirect_iproute2_fallback_rule_index](#auto_redirect_iproute2_fallback_rule_index)
+    :material-plus: [exclude_mptcp](#exclude_mptcp)
 
 !!! quote "Changes in sing-box 1.12.0"
 
@@ -72,7 +71,6 @@ icon: material/new-box
   "auto_redirect_output_mark": "0x2024",
   "auto_redirect_reset_mark": "0x2025",
   "auto_redirect_nfqueue": 100,
-  "auto_redirect_iproute2_fallback_rule_index": 32768,
   "exclude_mptcp": false,
   "loopback_address": [
     "10.7.0.1"
@@ -305,17 +303,6 @@ NFQueue number used by `auto_redirect` pre-matching.
 
 `100` is used by default.
 
-#### auto_redirect_iproute2_fallback_rule_index
-
-!!! question "Since sing-box 1.12.18"
-
-Linux iproute2 fallback rule index generated by `auto_redirect`.
-
-This rule is checked after system default rules (32766: main, 32767: default),
-routing traffic to the sing-box table only when no route is found in system tables.
-
-`32768` is used by default.
-
 #### exclude_mptcp
 
 !!! question "Since sing-box 1.13.0"

docs/configuration/inbound/tun.zh.md

@@ -6,8 +6,7 @@ icon: material/new-box
 
     :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
     :material-plus: [auto_redirect_nfqueue](#auto_redirect_nfqueue)  
-    :material-plus: [exclude_mptcp](#exclude_mptcp)  
-    :material-plus: [auto_redirect_iproute2_fallback_rule_index](#auto_redirect_iproute2_fallback_rule_index)
+    :material-plus: [exclude_mptcp](#exclude_mptcp)
 
 !!! quote "sing-box 1.12.0 中的更改"
 
@@ -72,7 +71,6 @@ icon: material/new-box
   "auto_redirect_output_mark": "0x2024",
   "auto_redirect_reset_mark": "0x2025",
   "auto_redirect_nfqueue": 100,
-  "auto_redirect_iproute2_fallback_rule_index": 32768,
   "exclude_mptcp": false,
   "loopback_address": [
     "10.7.0.1"
@@ -304,24 +302,13 @@ tun 接口的 IPv6 前缀。
 
 默认使用 `100`。
 
-#### auto_redirect_iproute2_fallback_rule_index
-
-!!! question "自 sing-box 1.12.18 起"
-
-`auto_redirect` 生成的 iproute2 回退规则索引。
-
-此规则在系统默认规则（32766: main，32767: default）之后检查，
-仅当系统路由表中未找到路由时才将流量路由到 sing-box 路由表。
-
-默认使用 `32768`。
-
 #### exclude_mptcp
 
 !!! question "自 sing-box 1.13.0 起"
 
 !!! quote ""
 
-    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。
+    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
 
 由于协议限制，MPTCP 无法被透明代理。
 

docs/configuration/shared/dial.md

@@ -6,8 +6,7 @@ icon: material/new-box
 
     :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)  
     :material-plus: [tcp_keep_alive](#tcp_keep_alive)  
-    :material-plus: [tcp_keep_alive_interval](#tcp_keep_alive_interval)  
-    :material-plus: [bind_address_no_port](#bind_address_no_port)
+    :material-plus: [tcp_keep_alive_interval](#tcp_keep_alive_interval)
 
 !!! quote "Changes in sing-box 1.12.0"
 
@@ -30,7 +29,6 @@ icon: material/new-box
   "bind_interface": "",
   "inet4_bind_address": "",
   "inet6_bind_address": "",
-  "bind_address_no_port": false,
   "routing_mark": 0,
   "reuse_addr": false,
   "netns": "",
@@ -78,18 +76,6 @@ The IPv4 address to bind to.
 
 The IPv6 address to bind to.
 
-#### bind_address_no_port
-
-!!! question "Since sing-box 1.13.0"
-
-!!! quote ""
-
-    Only supported on Linux.
-
-Do not reserve a port when binding to a source address.
-
-This allows reusing the same source port for multiple connections if the full 4-tuple (source IP, source port, destination IP, destination port) remains unique.
-
 #### routing_mark
 
 !!! quote ""

docs/configuration/shared/dial.zh.md

@@ -6,8 +6,7 @@ icon: material/new-box
 
     :material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)  
     :material-plus: [tcp_keep_alive](#tcp_keep_alive)  
-    :material-plus: [tcp_keep_alive_interval](#tcp_keep_alive_interval)  
-    :material-plus: [bind_address_no_port](#bind_address_no_port)
+    :material-plus: [tcp_keep_alive_interval](#tcp_keep_alive_interval)
 
 !!! quote "sing-box 1.12.0 中的更改"
 
@@ -30,7 +29,6 @@ icon: material/new-box
   "bind_interface": "",
   "inet4_bind_address": "",
   "inet6_bind_address": "",
-  "bind_address_no_port": false,
   "routing_mark": 0,
   "reuse_addr": false,
   "netns": "",
@@ -78,18 +76,6 @@ icon: material/new-box
 
 要绑定的 IPv6 地址。
 
-#### bind_address_no_port
-
-!!! question "自 sing-box 1.13.0 起"
-
-!!! quote ""
-
-    仅支持 Linux。
-
-绑定到源地址时不保留端口。
-
-这允许在完整的四元组（源 IP、源端口、目标 IP、目标端口）保持唯一的情况下，为多个连接复用同一源端口。
-
 #### routing_mark
 
 !!! quote ""

docs/configuration/shared/dns01_challenge.md

@@ -5,8 +5,7 @@ icon: material/new-box
 !!! quote "Changes in sing-box 1.13.0"
 
     :material-plus: [alidns.security_token](#security_token)  
-    :material-plus: [cloudflare.zone_token](#zone_token)  
-    :material-plus: [acmedns](#acmedns)
+    :material-plus: [cloudflare.zone_token](#zone_token)
 
 ### Structure
 
@@ -55,19 +54,3 @@ The Security Token for STS temporary credentials.
 Optional API token with `Zone:Read` permission.
 
 When provided, allows `api_token` to be scoped to a single zone.
-
-#### ACME-DNS
-
-!!! question "Since sing-box 1.13.0"
-
-```json
-{
-  "provider": "acmedns",
-  "username": "",
-  "password": "",
-  "subdomain": "",
-  "server_url": ""
-}
-```
-
-See [ACME-DNS](https://github.com/joohoi/acme-dns) for details.

docs/configuration/shared/dns01_challenge.zh.md

@@ -5,8 +5,7 @@ icon: material/new-box
 !!! quote "sing-box 1.13.0 中的更改"
 
     :material-plus: [alidns.security_token](#security_token)  
-    :material-plus: [cloudflare.zone_token](#zone_token)  
-    :material-plus: [acmedns](#acmedns)
+    :material-plus: [cloudflare.zone_token](#zone_token)
 
 ### 结构
 
@@ -55,19 +54,3 @@ icon: material/new-box
 具有 `Zone:Read` 权限的可选 API 令牌。
 
 提供后可将 `api_token` 限定到单个区域。
-
-#### ACME-DNS
-
-!!! question "自 sing-box 1.13.0 起"
-
-```json
-{
-  "provider": "acmedns",
-  "username": "",
-  "password": "",
-  "subdomain": "",
-  "server_url": ""
-}
-```
-
-参阅 [ACME-DNS](https://github.com/joohoi/acme-dns)。

docs/configuration/shared/tls.md

@@ -418,18 +418,9 @@ Enable kernel TLS receive support.
 
 ==Client only==
 
-!!! failure "Not Recommended"
-
-    uTLS has had repeated fingerprinting vulnerabilities discovered by researchers.
-
-    uTLS is a Go library that attempts to imitate browser TLS fingerprints by copying
-    ClientHello structure. However, browsers use completely different TLS stacks
-    (Chrome uses BoringSSL, Firefox uses NSS) with distinct implementation behaviors
-    that cannot be replicated by simply copying the handshake format, making detection possible.
-    Additionally, the library lacks active maintenance and has poor code quality,
-    making it unsuitable for censorship circumvention.
-
-    For TLS fingerprint resistance, use [NaiveProxy](/configuration/inbound/naive/) instead.
+!!! failure ""
+    
+    There is no evidence that GFW detects and blocks servers based on TLS client fingerprinting, and using an imperfect emulation that has not been security reviewed could pose security risks.
 
 uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance.
 

docs/configuration/shared/tls.zh.md

@@ -417,16 +417,9 @@ echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/
 
 ==仅客户端==
 
-!!! failure "不推荐"
+!!! failure ""
 
-    uTLS 已被研究人员多次发现其指纹可被识别的漏洞。
-
-    uTLS 是一个试图通过复制 ClientHello 结构来模仿浏览器 TLS 指纹的 Go 库。
-    然而，浏览器使用完全不同的 TLS 实现（Chrome 使用 BoringSSL，Firefox 使用 NSS），
-    其实现行为无法通过简单复制握手格式来复现，其行为细节必然存在差异，使得检测成为可能。
-    此外，此库缺乏积极维护，且代码质量较差，不建议用于反审查场景。
-
-    如需 TLS 指纹抵抗，请改用 [NaiveProxy](/configuration/inbound/naive/)。
+    没有证据表明 GFW 根据 TLS 客户端指纹检测并阻止服务器，并且，使用一个未经安全审查的不完美模拟可能带来安全隐患。
 
 uTLS 是 "crypto/tls" 的一个分支，它提供了 ClientHello 指纹识别阻力。
 

docs/installation/build-from-source.md

@@ -57,35 +57,11 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️    | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:     | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️    | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale).                                                                                                                                                                                                                                     |
-| `with_ccm`                         | :material-check:     | Build with Claude Code Multiplexer service support.                                                                                                                                                                                                                                                                            |
-| `with_ocm`                         | :material-check:     | Build with OpenAI Codex Multiplexer service support.                                                                                                                                                                                                                                                                           |
-| `with_naive_outbound`              | :material-check:     | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/).                                                                                                                                                                                                                             |
-| `badlinkname`                      | :material-check:     | Enable `go:linkname` access to internal standard library functions. Required because the Go standard library does not expose many low-level APIs needed by this project, and reimplementing them externally is impractical. Used for kTLS (kernel TLS offload) and raw TLS record manipulation.                                 |
-| `tfogo_checklinkname0`             | :material-check:     | Companion to `badlinkname`. Go 1.23+ enforces `go:linkname` restrictions via the linker; this tag signals the build uses `-checklinkname=0` to bypass that enforcement.                                                                                                                                                       |
+| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
+| `with_naive_outbound`              | :material-close:️    | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/).                                                                                                                                                                                                                             |
 
 It is not recommended to change the default build tag list unless you really know what you are adding.
 
-## :material-wrench: Linker Flags
-
-The following `-ldflags` are used in official builds:
-
-| Flag                                                        | Description                                                                                                                                                                                                             |
-|-------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'`      | Go 1.24 enabled Multipath TCP for listeners by default (`multipathtcp=2`). This may cause errors on low-level sockets, and sing-box has its own MPTCP control (`tcp_multi_path` option). This flag disables the Go default. |
-| `-checklinkname=0`                                          | Go 1.23+ linker rejects unauthorized `go:linkname` usage. This flag disables the check, required together with the `badlinkname` build tag.                                                                            |
-
-## :material-package-variant: For Downstream Packagers
-
-The default build tag lists and linker flags are available as files in the repository for downstream packagers to reference directly:
-
-| File | Description |
-|------|-------------|
-| `release/DEFAULT_BUILD_TAGS` | Default for Linux (common architectures), Darwin, and Android. |
-| `release/DEFAULT_BUILD_TAGS_WINDOWS` | Default for Windows (includes `with_purego`). |
-| `release/DEFAULT_BUILD_TAGS_OTHERS` | Default for other platforms (no `with_naive_outbound`). |
-| `release/LDFLAGS` | Required linker flags (see above). |
-
 ## :material-layers: with_naive_outbound
 
 NaiveProxy outbound requires special build configurations depending on your target platform.

docs/installation/build-from-source.zh.md

@@ -61,35 +61,11 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:  | 构建 Tailscale 支持，参阅 [Tailscale 端点](/configuration/endpoint/tailscale)。                                                                                                                                                                                                                                                         |
-| `with_ccm`                         | :material-check:  | 构建 Claude Code Multiplexer 服务支持。                                                                                                                                                                                                                                                                                              |
-| `with_ocm`                         | :material-check:  | 构建 OpenAI Codex Multiplexer 服务支持。                                                                                                                                                                                                                                                                                             |
-| `with_naive_outbound`              | :material-check:  | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/configuration/outbound/naive/)。                                                                                                                                                                                                                                                         |
-| `badlinkname`                      | :material-check:  | 启用 `go:linkname` 以访问标准库内部函数。Go 标准库未提供本项目需要的许多底层 API，且在外部重新实现不切实际。用于 kTLS（内核 TLS 卸载）和原始 TLS 记录操作。                                                                                                                                                                                                                           |
-| `tfogo_checklinkname0`             | :material-check:  | `badlinkname` 的伴随标记。Go 1.23+ 链接器强制限制 `go:linkname` 使用；此标记表示构建使用 `-checklinkname=0` 以绕过该限制。                                                                                                                                                                                                                                |
+| `with_tailscale`                   | :material-check:  | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
+| `with_naive_outbound`              | :material-close:️ | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/zh/configuration/outbound/naive/)。                                                                                                                                                                                                                                                      |
 
 除非您确实知道您正在启用什么，否则不建议更改默认构建标签列表。
 
-## :material-wrench: 链接器标志
-
-以下 `-ldflags` 在官方构建中使用：
-
-| 标志                                                          | 说明                                                                                                                                                         |
-|-------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'`      | Go 1.24 默认为监听器启用 Multipath TCP（`multipathtcp=2`）。这可能在底层 socket 上导致错误，且 sing-box 有自己的 MPTCP 控制（`tcp_multi_path` 选项）。此标志禁用 Go 的默认行为。                             |
-| `-checklinkname=0`                                          | Go 1.23+ 链接器拒绝未授权的 `go:linkname` 使用。此标志禁用该检查，需要与 `badlinkname` 构建标记一起使用。                                                                                   |
-
-## :material-package-variant: 下游打包者
-
-默认构建标签列表和链接器标志以文件形式存放在仓库中，供下游打包者直接引用：
-
-| 文件 | 说明 |
-|------|------|
-| `release/DEFAULT_BUILD_TAGS` | Linux（常见架构）、Darwin 和 Android 的默认标签。 |
-| `release/DEFAULT_BUILD_TAGS_WINDOWS` | Windows 的默认标签（包含 `with_purego`）。 |
-| `release/DEFAULT_BUILD_TAGS_OTHERS` | 其他平台的默认标签（不含 `with_naive_outbound`）。 |
-| `release/LDFLAGS` | 必需的链接器标志（参见上文）。 |
-
 ## :material-layers: with_naive_outbound
 
 NaiveProxy 出站需要根据目标平台进行特殊的构建配置。

docs/manual/proxy-protocol/trojan.md

@@ -4,7 +4,8 @@ icon: material/horse
 
 # Trojan
 
-Trojan is the most commonly used TLS proxy made in China. It can be used in various combinations.
+Torjan is the most commonly used TLS proxy made in China. It can be used in various combinations,
+but only the combination of uTLS and multiplexing is recommended.
 
 | Protocol and implementation combination | Specification                                                        | Resists passive detection | Resists active probes |
 |-----------------------------------------|----------------------------------------------------------------------|---------------------------|-----------------------|
@@ -139,7 +140,11 @@ Trojan is the most commonly used TLS proxy made in China. It can be used in vari
           "password": "password",
           "tls": {
             "enabled": true,
-            "server_name": "example.org"
+            "server_name": "example.org",
+            "utls": {
+              "enabled": true,
+              "fingerprint": "firefox"
+            }
           },
           "multiplex": {
             "enabled": true
@@ -166,7 +171,11 @@ Trojan is the most commonly used TLS proxy made in China. It can be used in vari
           "tls": {
             "enabled": true,
             "server_name": "example.org",
-            "certificate_path": "/path/to/certificate.pem"
+            "certificate_path": "/path/to/certificate.pem",
+            "utls": {
+              "enabled": true,
+              "fingerprint": "firefox"
+            }
           },
           "multiplex": {
             "enabled": true
@@ -189,7 +198,11 @@ Trojan is the most commonly used TLS proxy made in China. It can be used in vari
           "tls": {
             "enabled": true,
             "server_name": "example.org",
-            "insecure": true
+            "insecure": true,
+            "utls": {
+              "enabled": true,
+              "fingerprint": "firefox"
+            }
           },
           "multiplex": {
             "enabled": true

experimental/cachefile/cache.go

@@ -45,7 +45,6 @@ type CacheFile struct {
 	storeRDRC         bool
 	rdrcTimeout       time.Duration
 	DB                *bbolt.DB
-	resetAccess       sync.Mutex
 	saveMetadataTimer *time.Timer
 	saveFakeIPAccess  sync.RWMutex
 	saveDomain        map[netip.Addr]string
@@ -170,55 +169,13 @@ func (c *CacheFile) Close() error {
 	return c.DB.Close()
 }
 
-func (c *CacheFile) view(fn func(tx *bbolt.Tx) error) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			c.resetDB()
-			err = E.New("database corrupted: ", r)
-		}
-	}()
-	return c.DB.View(fn)
-}
-
-func (c *CacheFile) batch(fn func(tx *bbolt.Tx) error) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			c.resetDB()
-			err = E.New("database corrupted: ", r)
-		}
-	}()
-	return c.DB.Batch(fn)
-}
-
-func (c *CacheFile) update(fn func(tx *bbolt.Tx) error) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			c.resetDB()
-			err = E.New("database corrupted: ", r)
-		}
-	}()
-	return c.DB.Update(fn)
-}
-
-func (c *CacheFile) resetDB() {
-	c.resetAccess.Lock()
-	defer c.resetAccess.Unlock()
-	c.DB.Close()
-	os.Remove(c.path)
-	db, err := bbolt.Open(c.path, 0o666, &bbolt.Options{Timeout: time.Second})
-	if err == nil {
-		_ = filemanager.Chown(c.ctx, c.path)
-		c.DB = db
-	}
-}
-
 func (c *CacheFile) StoreFakeIP() bool {
 	return c.storeFakeIP
 }
 
 func (c *CacheFile) LoadMode() string {
 	var mode string
-	c.view(func(t *bbolt.Tx) error {
+	c.DB.View(func(t *bbolt.Tx) error {
 		bucket := t.Bucket(bucketMode)
 		if bucket == nil {
 			return nil
@@ -236,7 +193,7 @@ func (c *CacheFile) LoadMode() string {
 }
 
 func (c *CacheFile) StoreMode(mode string) error {
-	return c.batch(func(t *bbolt.Tx) error {
+	return c.DB.Batch(func(t *bbolt.Tx) error {
 		bucket, err := t.CreateBucketIfNotExists(bucketMode)
 		if err != nil {
 			return err
@@ -273,7 +230,7 @@ func (c *CacheFile) createBucket(t *bbolt.Tx, key []byte) (*bbolt.Bucket, error)
 
 func (c *CacheFile) LoadSelected(group string) string {
 	var selected string
-	c.view(func(t *bbolt.Tx) error {
+	c.DB.View(func(t *bbolt.Tx) error {
 		bucket := c.bucket(t, bucketSelected)
 		if bucket == nil {
 			return nil
@@ -288,7 +245,7 @@ func (c *CacheFile) LoadSelected(group string) string {
 }
 
 func (c *CacheFile) StoreSelected(group, selected string) error {
-	return c.batch(func(t *bbolt.Tx) error {
+	return c.DB.Batch(func(t *bbolt.Tx) error {
 		bucket, err := c.createBucket(t, bucketSelected)
 		if err != nil {
 			return err
@@ -298,7 +255,7 @@ func (c *CacheFile) StoreSelected(group, selected string) error {
 }
 
 func (c *CacheFile) LoadGroupExpand(group string) (isExpand bool, loaded bool) {
-	c.view(func(t *bbolt.Tx) error {
+	c.DB.View(func(t *bbolt.Tx) error {
 		bucket := c.bucket(t, bucketExpand)
 		if bucket == nil {
 			return nil
@@ -314,7 +271,7 @@ func (c *CacheFile) LoadGroupExpand(group string) (isExpand bool, loaded bool) {
 }
 
 func (c *CacheFile) StoreGroupExpand(group string, isExpand bool) error {
-	return c.batch(func(t *bbolt.Tx) error {
+	return c.DB.Batch(func(t *bbolt.Tx) error {
 		bucket, err := c.createBucket(t, bucketExpand)
 		if err != nil {
 			return err
@@ -329,7 +286,7 @@ func (c *CacheFile) StoreGroupExpand(group string, isExpand bool) error {
 
 func (c *CacheFile) LoadRuleSet(tag string) *adapter.SavedBinary {
 	var savedSet adapter.SavedBinary
-	err := c.view(func(t *bbolt.Tx) error {
+	err := c.DB.View(func(t *bbolt.Tx) error {
 		bucket := c.bucket(t, bucketRuleSet)
 		if bucket == nil {
 			return os.ErrNotExist
@@ -347,7 +304,7 @@ func (c *CacheFile) LoadRuleSet(tag string) *adapter.SavedBinary {
 }
 
 func (c *CacheFile) SaveRuleSet(tag string, set *adapter.SavedBinary) error {
-	return c.batch(func(t *bbolt.Tx) error {
+	return c.DB.Batch(func(t *bbolt.Tx) error {
 		bucket, err := c.createBucket(t, bucketRuleSet)
 		if err != nil {
 			return err

experimental/cachefile/fakeip.go

@@ -23,7 +23,7 @@ var (
 
 func (c *CacheFile) FakeIPMetadata() *adapter.FakeIPMetadata {
 	var metadata adapter.FakeIPMetadata
-	err := c.batch(func(tx *bbolt.Tx) error {
+	err := c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket := tx.Bucket(bucketFakeIP)
 		if bucket == nil {
 			return os.ErrNotExist
@@ -45,7 +45,7 @@ func (c *CacheFile) FakeIPMetadata() *adapter.FakeIPMetadata {
 }
 
 func (c *CacheFile) FakeIPSaveMetadata(metadata *adapter.FakeIPMetadata) error {
-	return c.batch(func(tx *bbolt.Tx) error {
+	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket, err := tx.CreateBucketIfNotExists(bucketFakeIP)
 		if err != nil {
 			return err
@@ -69,7 +69,7 @@ func (c *CacheFile) FakeIPSaveMetadataAsync(metadata *adapter.FakeIPMetadata) {
 }
 
 func (c *CacheFile) FakeIPStore(address netip.Addr, domain string) error {
-	return c.batch(func(tx *bbolt.Tx) error {
+	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket, err := tx.CreateBucketIfNotExists(bucketFakeIP)
 		if err != nil {
 			return err
@@ -136,7 +136,7 @@ func (c *CacheFile) FakeIPLoad(address netip.Addr) (string, bool) {
 		return cachedDomain, true
 	}
 	var domain string
-	_ = c.view(func(tx *bbolt.Tx) error {
+	_ = c.DB.View(func(tx *bbolt.Tx) error {
 		bucket := tx.Bucket(bucketFakeIP)
 		if bucket == nil {
 			return nil
@@ -163,7 +163,7 @@ func (c *CacheFile) FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bo
 		return cachedAddress, true
 	}
 	var address netip.Addr
-	_ = c.view(func(tx *bbolt.Tx) error {
+	_ = c.DB.View(func(tx *bbolt.Tx) error {
 		var bucket *bbolt.Bucket
 		if isIPv6 {
 			bucket = tx.Bucket(bucketFakeIPDomain6)
@@ -180,7 +180,7 @@ func (c *CacheFile) FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bo
 }
 
 func (c *CacheFile) FakeIPReset() error {
-	return c.batch(func(tx *bbolt.Tx) error {
+	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		err := tx.DeleteBucket(bucketFakeIP)
 		if err != nil {
 			return err

experimental/cachefile/rdrc.go

@@ -31,7 +31,7 @@ func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (
 	copy(key[2:], qName)
 	defer buf.Put(key)
 	var deleteCache bool
-	err := c.view(func(tx *bbolt.Tx) error {
+	err := c.DB.View(func(tx *bbolt.Tx) error {
 		bucket := c.bucket(tx, bucketRDRC)
 		if bucket == nil {
 			return nil
@@ -56,7 +56,7 @@ func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (
 		return
 	}
 	if deleteCache {
-		c.update(func(tx *bbolt.Tx) error {
+		c.DB.Update(func(tx *bbolt.Tx) error {
 			bucket := c.bucket(tx, bucketRDRC)
 			if bucket == nil {
 				return nil
@@ -72,7 +72,7 @@ func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (
 }
 
 func (c *CacheFile) SaveRDRC(transportName string, qName string, qType uint16) error {
-	return c.batch(func(tx *bbolt.Tx) error {
+	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket, err := c.createBucket(tx, bucketRDRC)
 		if err != nil {
 			return err

experimental/clashapi/connections.go

@@ -2,7 +2,6 @@ package clashapi
 
 import (
 	"bytes"
-	"context"
 	"net/http"
 	"strconv"
 	"time"
@@ -18,15 +17,15 @@ import (
 	"github.com/gofrs/uuid/v5"
 )
 
-func connectionRouter(ctx context.Context, router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
+func connectionRouter(router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
 	r := chi.NewRouter()
-	r.Get("/", getConnections(ctx, trafficManager))
+	r.Get("/", getConnections(trafficManager))
 	r.Delete("/", closeAllConnections(router, trafficManager))
 	r.Delete("/{id}", closeConnection(trafficManager))
 	return r
 }
 
-func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func getConnections(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if r.Header.Get("Upgrade") != "websocket" {
 			snapshot := trafficManager.Snapshot()
@@ -68,12 +67,7 @@ func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager)
 
 		tick := time.NewTicker(time.Millisecond * time.Duration(interval))
 		defer tick.Stop()
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-tick.C:
-			}
+		for range tick.C {
 			if err = sendSnapshot(); err != nil {
 				break
 			}

experimental/clashapi/server.go

@@ -116,12 +116,12 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 		r.Use(authentication(options.Secret))
 		r.Get("/", hello(options.ExternalUI != ""))
 		r.Get("/logs", getLogs(logFactory))
-		r.Get("/traffic", traffic(s.ctx, trafficManager))
+		r.Get("/traffic", traffic(trafficManager))
 		r.Get("/version", version)
 		r.Mount("/configs", configRouter(s, logFactory))
 		r.Mount("/proxies", proxyRouter(s, s.router))
 		r.Mount("/rules", ruleRouter(s.router))
-		r.Mount("/connections", connectionRouter(s.ctx, s.router, trafficManager))
+		r.Mount("/connections", connectionRouter(s.router, trafficManager))
 		r.Mount("/providers/proxies", proxyProviderRouter())
 		r.Mount("/providers/rules", ruleProviderRouter())
 		r.Mount("/script", scriptRouter())
@@ -303,7 +303,7 @@ type Traffic struct {
 	Down int64 `json:"down"`
 }
 
-func traffic(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func traffic(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var conn net.Conn
 		if r.Header.Get("Upgrade") == "websocket" {
@@ -324,12 +324,7 @@ func traffic(ctx context.Context, trafficManager *trafficontrol.Manager) func(w
 		defer tick.Stop()
 		buf := &bytes.Buffer{}
 		uploadTotal, downloadTotal := trafficManager.Total()
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-tick.C:
-			}
+		for range tick.C {
 			buf.Reset()
 			uploadTotalNew, downloadTotalNew := trafficManager.Total()
 			err := json.NewEncoder(buf).Encode(Traffic{

experimental/clashapi/trafficontrol/manager.go

@@ -10,31 +10,11 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/json"
-	"github.com/sagernet/sing/common/observable"
 	"github.com/sagernet/sing/common/x/list"
 
 	"github.com/gofrs/uuid/v5"
 )
 
-type ConnectionEventType int
-
-const (
-	ConnectionEventNew ConnectionEventType = iota
-	ConnectionEventUpdate
-	ConnectionEventClosed
-)
-
-type ConnectionEvent struct {
-	Type          ConnectionEventType
-	ID            uuid.UUID
-	Metadata      *TrackerMetadata
-	UplinkDelta   int64
-	DownlinkDelta int64
-	ClosedAt      time.Time
-}
-
-const closedConnectionsLimit = 1000
-
 type Manager struct {
 	uploadTotal   atomic.Int64
 	downloadTotal atomic.Int64
@@ -42,52 +22,29 @@ type Manager struct {
 	connections             compatible.Map[uuid.UUID, Tracker]
 	closedConnectionsAccess sync.Mutex
 	closedConnections       list.List[TrackerMetadata]
-	memory                  uint64
-
-	eventSubscriber *observable.Subscriber[ConnectionEvent]
+	// process     *process.Process
+	memory uint64
 }
 
 func NewManager() *Manager {
 	return &Manager{}
 }
 
-func (m *Manager) SetEventHook(subscriber *observable.Subscriber[ConnectionEvent]) {
-	m.eventSubscriber = subscriber
-}
-
 func (m *Manager) Join(c Tracker) {
-	metadata := c.Metadata()
-	m.connections.Store(metadata.ID, c)
-	if m.eventSubscriber != nil {
-		m.eventSubscriber.Emit(ConnectionEvent{
-			Type:     ConnectionEventNew,
-			ID:       metadata.ID,
-			Metadata: metadata,
-		})
-	}
+	m.connections.Store(c.Metadata().ID, c)
 }
 
 func (m *Manager) Leave(c Tracker) {
 	metadata := c.Metadata()
 	_, loaded := m.connections.LoadAndDelete(metadata.ID)
 	if loaded {
-		closedAt := time.Now()
-		metadata.ClosedAt = closedAt
-		metadataCopy := *metadata
+		metadata.ClosedAt = time.Now()
 		m.closedConnectionsAccess.Lock()
-		if m.closedConnections.Len() >= closedConnectionsLimit {
+		defer m.closedConnectionsAccess.Unlock()
+		if m.closedConnections.Len() >= 1000 {
 			m.closedConnections.PopFront()
 		}
-		m.closedConnections.PushBack(metadataCopy)
-		m.closedConnectionsAccess.Unlock()
-		if m.eventSubscriber != nil {
-			m.eventSubscriber.Emit(ConnectionEvent{
-				Type:     ConnectionEventClosed,
-				ID:       metadata.ID,
-				Metadata: &metadataCopy,
-				ClosedAt: closedAt,
-			})
-		}
+		m.closedConnections.PushBack(metadata)
 	}
 }
 
@@ -107,8 +64,8 @@ func (m *Manager) ConnectionsLen() int {
 	return m.connections.Len()
 }
 
-func (m *Manager) Connections() []*TrackerMetadata {
-	var connections []*TrackerMetadata
+func (m *Manager) Connections() []TrackerMetadata {
+	var connections []TrackerMetadata
 	m.connections.Range(func(_ uuid.UUID, value Tracker) bool {
 		connections = append(connections, value.Metadata())
 		return true
@@ -116,18 +73,10 @@ func (m *Manager) Connections() []*TrackerMetadata {
 	return connections
 }
 
-func (m *Manager) ClosedConnections() []*TrackerMetadata {
+func (m *Manager) ClosedConnections() []TrackerMetadata {
 	m.closedConnectionsAccess.Lock()
-	values := m.closedConnections.Array()
-	m.closedConnectionsAccess.Unlock()
-	if len(values) == 0 {
-		return nil
-	}
-	connections := make([]*TrackerMetadata, len(values))
-	for i := range values {
-		connections[i] = &values[i]
-	}
-	return connections
+	defer m.closedConnectionsAccess.Unlock()
+	return m.closedConnections.Array()
 }
 
 func (m *Manager) Connection(id uuid.UUID) Tracker {
@@ -175,7 +124,7 @@ func (s *Snapshot) MarshalJSON() ([]byte, error) {
 	return json.Marshal(map[string]any{
 		"downloadTotal": s.Download,
 		"uploadTotal":   s.Upload,
-		"connections":   common.Map(s.Connections, func(t Tracker) *TrackerMetadata { return t.Metadata() }),
+		"connections":   common.Map(s.Connections, func(t Tracker) TrackerMetadata { return t.Metadata() }),
 		"memory":        s.Memory,
 	})
 }

experimental/clashapi/trafficontrol/tracker.go

@@ -87,7 +87,7 @@ func (t TrackerMetadata) MarshalJSON() ([]byte, error) {
 }
 
 type Tracker interface {
-	Metadata() *TrackerMetadata
+	Metadata() TrackerMetadata
 	Close() error
 }
 
@@ -97,8 +97,8 @@ type TCPConn struct {
 	manager  *Manager
 }
 
-func (tt *TCPConn) Metadata() *TrackerMetadata {
-	return &tt.metadata
+func (tt *TCPConn) Metadata() TrackerMetadata {
+	return tt.metadata
 }
 
 func (tt *TCPConn) Close() error {
@@ -178,8 +178,8 @@ type UDPConn struct {
 	manager      *Manager
 }
 
-func (ut *UDPConn) Metadata() *TrackerMetadata {
-	return &ut.metadata
+func (ut *UDPConn) Metadata() TrackerMetadata {
+	return ut.metadata
 }
 
 func (ut *UDPConn) Close() error {

experimental/deprecated/constants.go

@@ -57,6 +57,96 @@ func (n Note) MessageWithLink() string {
 	}
 }
 
+var OptionBadMatchSource = Note{
+	Name:              "bad-match-source",
+	Description:       "legacy match source rule item",
+	DeprecatedVersion: "1.10.0",
+	ScheduledVersion:  "1.11.0",
+	EnvName:           "BAD_MATCH_SOURCE",
+	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#match-source-rule-items-are-renamed",
+}
+
+var OptionGEOIP = Note{
+	Name:              "geoip",
+	Description:       "geoip database",
+	DeprecatedVersion: "1.8.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "GEOIP",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geoip-to-rule-sets",
+}
+
+var OptionGEOSITE = Note{
+	Name:              "geosite",
+	Description:       "geosite database",
+	DeprecatedVersion: "1.8.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "GEOSITE",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geosite-to-rule-sets",
+}
+
+var OptionTUNAddressX = Note{
+	Name:              "tun-address-x",
+	Description:       "legacy tun address fields",
+	DeprecatedVersion: "1.10.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "TUN_ADDRESS_X",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#tun-address-fields-are-merged",
+}
+
+var OptionSpecialOutbounds = Note{
+	Name:              "special-outbounds",
+	Description:       "legacy special outbounds",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "SPECIAL_OUTBOUNDS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
+}
+
+var OptionInboundOptions = Note{
+	Name:              "inbound-options",
+	Description:       "legacy inbound fields",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "INBOUND_OPTIONS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
+}
+
+var OptionDestinationOverrideFields = Note{
+	Name:              "destination-override-fields",
+	Description:       "destination override fields in direct outbound",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "DESTINATION_OVERRIDE_FIELDS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-destination-override-fields-to-route-options",
+}
+
+var OptionWireGuardOutbound = Note{
+	Name:              "wireguard-outbound",
+	Description:       "legacy wireguard outbound",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "WIREGUARD_OUTBOUND",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-wireguard-outbound-to-endpoint",
+}
+
+var OptionWireGuardGSO = Note{
+	Name:              "wireguard-gso",
+	Description:       "GSO option in wireguard outbound",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "WIREGUARD_GSO",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-wireguard-outbound-to-endpoint",
+}
+
+var OptionTUNGSO = Note{
+	Name:              "tun-gso",
+	Description:       "GSO option in tun",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "TUN_GSO",
+	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#gso-option-in-tun",
+}
+
 var OptionLegacyDNSTransport = Note{
 	Name:              "legacy-dns-transport",
 	Description:       "legacy DNS servers",
@@ -93,6 +183,15 @@ var OptionMissingDomainResolver = Note{
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-outbound-dns-rule-items-to-domain-resolver",
 }
 
+var OptionLegacyECHOptions = Note{
+	Name:              "legacy-ech-options",
+	Description:       "legacy ECH options",
+	DeprecatedVersion: "1.12.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "LEGACY_ECH_OPTIONS",
+	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#legacy-ech-fields",
+}
+
 var OptionLegacyDomainStrategyOptions = Note{
 	Name:              "legacy-domain-strategy-options",
 	Description:       "legacy domain strategy options",
@@ -103,9 +202,20 @@ var OptionLegacyDomainStrategyOptions = Note{
 }
 
 var Options = []Note{
+	OptionBadMatchSource,
+	OptionGEOIP,
+	OptionGEOSITE,
+	OptionTUNAddressX,
+	OptionSpecialOutbounds,
+	OptionInboundOptions,
+	OptionDestinationOverrideFields,
+	OptionWireGuardOutbound,
+	OptionWireGuardGSO,
+	OptionTUNGSO,
 	OptionLegacyDNSTransport,
 	OptionLegacyDNSFakeIPOptions,
 	OptionOutboundDNSRuleItem,
 	OptionMissingDomainResolver,
+	OptionLegacyECHOptions,
 	OptionLegacyDomainStrategyOptions,
 }

experimental/libbox/command_client.go

@@ -27,7 +27,6 @@ type CommandClient struct {
 	ctx         context.Context
 	cancel      context.CancelFunc
 	clientMutex sync.RWMutex
-	standalone  bool
 }
 
 type CommandClientOptions struct {
@@ -49,7 +48,7 @@ type CommandClientHandler interface {
 	WriteGroups(message OutboundGroupIterator)
 	InitializeClashMode(modeList StringIterator, currentMode string)
 	UpdateClashMode(newMode string)
-	WriteConnectionEvents(events *ConnectionEvents)
+	WriteConnections(message *Connections)
 }
 
 type LogEntry struct {
@@ -63,18 +62,8 @@ type LogIterator interface {
 	Next() *LogEntry
 }
 
-type XPCDialer interface {
-	DialXPC() (int32, error)
-}
-
-var sXPCDialer XPCDialer
-
-func SetXPCDialer(dialer XPCDialer) {
-	sXPCDialer = dialer
-}
-
 func NewStandaloneCommandClient() *CommandClient {
-	return &CommandClient{standalone: true}
+	return new(CommandClient)
 }
 
 func NewCommandClient(handler CommandClientHandler, options *CommandClientOptions) *CommandClient {
@@ -98,139 +87,47 @@ func streamClientAuthInterceptor(ctx context.Context, desc *grpc.StreamDesc, cc
 	return streamer(ctx, desc, cc, method, opts...)
 }
 
-const (
-	commandClientDialAttempts  = 10
-	commandClientDialBaseDelay = 100 * time.Millisecond
-	commandClientDialStepDelay = 50 * time.Millisecond
-)
-
-func commandClientDialDelay(attempt int) time.Duration {
-	return commandClientDialBaseDelay + time.Duration(attempt)*commandClientDialStepDelay
-}
-
-func dialTarget() (string, func(context.Context, string) (net.Conn, error)) {
-	if sXPCDialer != nil {
-		return "passthrough:///xpc", func(ctx context.Context, _ string) (net.Conn, error) {
-			fileDescriptor, err := sXPCDialer.DialXPC()
-			if err != nil {
-				return nil, err
-			}
-			return networkConnectionFromFileDescriptor(fileDescriptor)
-		}
-	}
+func (c *CommandClient) grpcDial() (*grpc.ClientConn, error) {
+	var target string
 	if sCommandServerListenPort == 0 {
-		socketPath := filepath.Join(sBasePath, "command.sock")
-		return "passthrough:///command-socket", func(ctx context.Context, _ string) (net.Conn, error) {
-			var networkDialer net.Dialer
-			return networkDialer.DialContext(ctx, "unix", socketPath)
-		}
+		target = "unix://" + filepath.Join(sBasePath, "command.sock")
+	} else {
+		target = net.JoinHostPort("127.0.0.1", strconv.Itoa(int(sCommandServerListenPort)))
 	}
-	return net.JoinHostPort("127.0.0.1", strconv.Itoa(int(sCommandServerListenPort))), nil
-}
-
-func networkConnectionFromFileDescriptor(fileDescriptor int32) (net.Conn, error) {
-	file := os.NewFile(uintptr(fileDescriptor), "xpc-command-socket")
-	if file == nil {
-		return nil, E.New("invalid file descriptor")
+	var (
+		conn *grpc.ClientConn
+		err  error
+	)
+	clientOptions := []grpc.DialOption{
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithUnaryInterceptor(unaryClientAuthInterceptor),
+		grpc.WithStreamInterceptor(streamClientAuthInterceptor),
 	}
-	networkConnection, err := net.FileConn(file)
-	if err != nil {
-		file.Close()
-		return nil, E.Cause(err, "create connection from fd")
-	}
-	file.Close()
-	return networkConnection, nil
-}
-
-func (c *CommandClient) dialWithRetry(target string, contextDialer func(context.Context, string) (net.Conn, error), retryDial bool) (*grpc.ClientConn, daemon.StartedServiceClient, error) {
-	var connection *grpc.ClientConn
-	var client daemon.StartedServiceClient
-	var lastError error
-
-	for attempt := 0; attempt < commandClientDialAttempts; attempt++ {
-		if connection == nil {
-			options := []grpc.DialOption{
-				grpc.WithTransportCredentials(insecure.NewCredentials()),
-				grpc.WithUnaryInterceptor(unaryClientAuthInterceptor),
-				grpc.WithStreamInterceptor(streamClientAuthInterceptor),
-			}
-			if contextDialer != nil {
-				options = append(options, grpc.WithContextDialer(contextDialer))
-			}
-			var err error
-			connection, err = grpc.NewClient(target, options...)
-			if err != nil {
-				lastError = err
-				if !retryDial {
-					return nil, nil, err
-				}
-				time.Sleep(commandClientDialDelay(attempt))
-				continue
-			}
-			client = daemon.NewStartedServiceClient(connection)
-		}
-		waitDuration := commandClientDialDelay(attempt)
-		ctx, cancel := context.WithTimeout(context.Background(), waitDuration)
-		_, err := client.GetStartedAt(ctx, &emptypb.Empty{}, grpc.WaitForReady(true))
-		cancel()
+	for i := 0; i < 10; i++ {
+		conn, err = grpc.NewClient(target, clientOptions...)
 		if err == nil {
-			return connection, client, nil
+			return conn, nil
 		}
-		lastError = err
+		time.Sleep(time.Duration(100+i*50) * time.Millisecond)
 	}
-
-	if connection != nil {
-		connection.Close()
-	}
-	return nil, nil, lastError
+	return nil, err
 }
 
 func (c *CommandClient) Connect() error {
 	c.clientMutex.Lock()
 	common.Close(common.PtrOrNil(c.grpcConn))
 
-	target, contextDialer := dialTarget()
-	connection, client, err := c.dialWithRetry(target, contextDialer, true)
+	conn, err := c.grpcDial()
 	if err != nil {
 		c.clientMutex.Unlock()
 		return err
 	}
-	c.grpcConn = connection
-	c.grpcClient = client
+	c.grpcConn = conn
+	c.grpcClient = daemon.NewStartedServiceClient(conn)
 	c.ctx, c.cancel = context.WithCancel(context.Background())
 	c.clientMutex.Unlock()
 
 	c.handler.Connected()
-	return c.dispatchCommands()
-}
-
-func (c *CommandClient) ConnectWithFD(fd int32) error {
-	c.clientMutex.Lock()
-	common.Close(common.PtrOrNil(c.grpcConn))
-
-	networkConnection, err := networkConnectionFromFileDescriptor(fd)
-	if err != nil {
-		c.clientMutex.Unlock()
-		return err
-	}
-	connection, client, err := c.dialWithRetry("passthrough:///xpc", func(ctx context.Context, _ string) (net.Conn, error) {
-		return networkConnection, nil
-	}, false)
-	if err != nil {
-		networkConnection.Close()
-		c.clientMutex.Unlock()
-		return err
-	}
-	c.grpcConn = connection
-	c.grpcClient = client
-	c.ctx, c.cancel = context.WithCancel(context.Background())
-	c.clientMutex.Unlock()
-
-	c.handler.Connected()
-	return c.dispatchCommands()
-}
-
-func (c *CommandClient) dispatchCommands() error {
 	for _, command := range c.options.commands {
 		switch command {
 		case CommandLog:
@@ -274,41 +171,18 @@ func (c *CommandClient) getClientForCall() (daemon.StartedServiceClient, error)
 		return c.grpcClient, nil
 	}
 
-	target, contextDialer := dialTarget()
-	connection, client, err := c.dialWithRetry(target, contextDialer, true)
+	conn, err := c.grpcDial()
 	if err != nil {
 		return nil, err
 	}
-	c.grpcConn = connection
-	c.grpcClient = client
+	c.grpcConn = conn
+	c.grpcClient = daemon.NewStartedServiceClient(conn)
 	if c.ctx == nil {
 		c.ctx, c.cancel = context.WithCancel(context.Background())
 	}
 	return c.grpcClient, nil
 }
 
-func (c *CommandClient) closeConnection() {
-	c.clientMutex.Lock()
-	defer c.clientMutex.Unlock()
-	if c.grpcConn != nil {
-		c.grpcConn.Close()
-		c.grpcConn = nil
-		c.grpcClient = nil
-	}
-}
-
-func callWithResult[T any](c *CommandClient, call func(client daemon.StartedServiceClient) (T, error)) (T, error) {
-	client, err := c.getClientForCall()
-	if err != nil {
-		var zero T
-		return zero, err
-	}
-	if c.standalone {
-		defer c.closeConnection()
-	}
-	return call(client)
-}
-
 func (c *CommandClient) getStreamContext() (daemon.StartedServiceClient, context.Context) {
 	c.clientMutex.RLock()
 	defer c.clientMutex.RUnlock()
@@ -366,7 +240,7 @@ func (c *CommandClient) handleStatusStream() {
 			c.handler.Disconnected(err.Error())
 			return
 		}
-		c.handler.WriteStatus(statusMessageFromGRPC(status))
+		c.handler.WriteStatus(StatusMessageFromGRPC(status))
 	}
 }
 
@@ -385,7 +259,7 @@ func (c *CommandClient) handleGroupStream() {
 			c.handler.Disconnected(err.Error())
 			return
 		}
-		c.handler.WriteGroups(outboundGroupIteratorFromGRPC(groups))
+		c.handler.WriteGroups(OutboundGroupIteratorFromGRPC(groups))
 	}
 }
 
@@ -445,134 +319,175 @@ func (c *CommandClient) handleConnectionsStream() {
 		return
 	}
 
+	var connections Connections
 	for {
-		events, err := stream.Recv()
+		conns, err := stream.Recv()
 		if err != nil {
 			c.handler.Disconnected(err.Error())
 			return
 		}
-		libboxEvents := connectionEventsFromGRPC(events)
-		c.handler.WriteConnectionEvents(libboxEvents)
+		connections.input = ConnectionsFromGRPC(conns)
+		c.handler.WriteConnections(&connections)
 	}
 }
 
 func (c *CommandClient) SelectOutbound(groupTag string, outboundTag string) error {
-	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
-		return client.SelectOutbound(context.Background(), &daemon.SelectOutboundRequest{
-			GroupTag:    groupTag,
-			OutboundTag: outboundTag,
-		})
+	client, err := c.getClientForCall()
+	if err != nil {
+		return err
+	}
+
+	_, err = client.SelectOutbound(context.Background(), &daemon.SelectOutboundRequest{
+		GroupTag:    groupTag,
+		OutboundTag: outboundTag,
 	})
 	return err
 }
 
 func (c *CommandClient) URLTest(groupTag string) error {
-	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
-		return client.URLTest(context.Background(), &daemon.URLTestRequest{
-			OutboundTag: groupTag,
-		})
+	client, err := c.getClientForCall()
+	if err != nil {
+		return err
+	}
+
+	_, err = client.URLTest(context.Background(), &daemon.URLTestRequest{
+		OutboundTag: groupTag,
 	})
 	return err
 }
 
 func (c *CommandClient) SetClashMode(newMode string) error {
-	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
-		return client.SetClashMode(context.Background(), &daemon.ClashMode{
-			Mode: newMode,
-		})
+	client, err := c.getClientForCall()
+	if err != nil {
+		return err
+	}
+
+	_, err = client.SetClashMode(context.Background(), &daemon.ClashMode{
+		Mode: newMode,
 	})
 	return err
 }
 
 func (c *CommandClient) CloseConnection(connId string) error {
-	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
-		return client.CloseConnection(context.Background(), &daemon.CloseConnectionRequest{
-			Id: connId,
-		})
+	client, err := c.getClientForCall()
+	if err != nil {
+		return err
+	}
+
+	_, err = client.CloseConnection(context.Background(), &daemon.CloseConnectionRequest{
+		Id: connId,
 	})
 	return err
 }
 
 func (c *CommandClient) CloseConnections() error {
-	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
-		return client.CloseAllConnections(context.Background(), &emptypb.Empty{})
-	})
+	client, err := c.getClientForCall()
+	if err != nil {
+		return err
+	}
+
+	_, err = client.CloseAllConnections(context.Background(), &emptypb.Empty{})
 	return err
 }
 
 func (c *CommandClient) ServiceReload() error {
-	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
-		return client.ReloadService(context.Background(), &emptypb.Empty{})
-	})
+	client, err := c.getClientForCall()
+	if err != nil {
+		return err
+	}
+
+	_, err = client.ReloadService(context.Background(), &emptypb.Empty{})
 	return err
 }
 
 func (c *CommandClient) ServiceClose() error {
-	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
-		return client.StopService(context.Background(), &emptypb.Empty{})
-	})
+	client, err := c.getClientForCall()
+	if err != nil {
+		return err
+	}
+
+	_, err = client.StopService(context.Background(), &emptypb.Empty{})
 	return err
 }
 
 func (c *CommandClient) ClearLogs() error {
-	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
-		return client.ClearLogs(context.Background(), &emptypb.Empty{})
-	})
+	client, err := c.getClientForCall()
+	if err != nil {
+		return err
+	}
+
+	_, err = client.ClearLogs(context.Background(), &emptypb.Empty{})
 	return err
 }
 
 func (c *CommandClient) GetSystemProxyStatus() (*SystemProxyStatus, error) {
-	return callWithResult(c, func(client daemon.StartedServiceClient) (*SystemProxyStatus, error) {
-		status, err := client.GetSystemProxyStatus(context.Background(), &emptypb.Empty{})
-		if err != nil {
-			return nil, err
-		}
-		return systemProxyStatusFromGRPC(status), nil
-	})
+	client, err := c.getClientForCall()
+	if err != nil {
+		return nil, err
+	}
+
+	status, err := client.GetSystemProxyStatus(context.Background(), &emptypb.Empty{})
+	if err != nil {
+		return nil, err
+	}
+	return SystemProxyStatusFromGRPC(status), nil
 }
 
 func (c *CommandClient) SetSystemProxyEnabled(isEnabled bool) error {
-	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
-		return client.SetSystemProxyEnabled(context.Background(), &daemon.SetSystemProxyEnabledRequest{
-			Enabled: isEnabled,
-		})
+	client, err := c.getClientForCall()
+	if err != nil {
+		return err
+	}
+
+	_, err = client.SetSystemProxyEnabled(context.Background(), &daemon.SetSystemProxyEnabledRequest{
+		Enabled: isEnabled,
 	})
 	return err
 }
 
 func (c *CommandClient) GetDeprecatedNotes() (DeprecatedNoteIterator, error) {
-	return callWithResult(c, func(client daemon.StartedServiceClient) (DeprecatedNoteIterator, error) {
-		warnings, err := client.GetDeprecatedWarnings(context.Background(), &emptypb.Empty{})
-		if err != nil {
-			return nil, err
-		}
-		var notes []*DeprecatedNote
-		for _, warning := range warnings.Warnings {
-			notes = append(notes, &DeprecatedNote{
-				Description:   warning.Message,
-				MigrationLink: warning.MigrationLink,
-			})
-		}
-		return newIterator(notes), nil
-	})
+	client, err := c.getClientForCall()
+	if err != nil {
+		return nil, err
+	}
+
+	warnings, err := client.GetDeprecatedWarnings(context.Background(), &emptypb.Empty{})
+	if err != nil {
+		return nil, err
+	}
+
+	var notes []*DeprecatedNote
+	for _, warning := range warnings.Warnings {
+		notes = append(notes, &DeprecatedNote{
+			Description:   warning.Message,
+			MigrationLink: warning.MigrationLink,
+		})
+	}
+	return newIterator(notes), nil
 }
 
 func (c *CommandClient) GetStartedAt() (int64, error) {
-	return callWithResult(c, func(client daemon.StartedServiceClient) (int64, error) {
-		startedAt, err := client.GetStartedAt(context.Background(), &emptypb.Empty{})
-		if err != nil {
-			return 0, err
-		}
-		return startedAt.StartedAt, nil
-	})
+	client, err := c.getClientForCall()
+	if err != nil {
+		return 0, err
+	}
+
+	startedAt, err := client.GetStartedAt(context.Background(), &emptypb.Empty{})
+	if err != nil {
+		return 0, err
+	}
+	return startedAt.StartedAt, nil
 }
 
 func (c *CommandClient) SetGroupExpand(groupTag string, isExpand bool) error {
-	_, err := callWithResult(c, func(client daemon.StartedServiceClient) (*emptypb.Empty, error) {
-		return client.SetGroupExpand(context.Background(), &daemon.SetGroupExpandRequest{
-			GroupTag: groupTag,
-			IsExpand: isExpand,
-		})
+	client, err := c.getClientForCall()
+	if err != nil {
+		return err
+	}
+
+	_, err = client.SetGroupExpand(context.Background(), &daemon.SetGroupExpandRequest{
+		GroupTag: groupTag,
+		IsExpand: isExpand,
 	})
 	return err
 }

experimental/libbox/command_server.go

@@ -43,7 +43,7 @@ type CommandServerHandler interface {
 }
 
 func NewCommandServer(handler CommandServerHandler, platformInterface PlatformInterface) (*CommandServer, error) {
-	ctx := baseContext(platformInterface)
+	ctx := BaseContext(platformInterface)
 	platformWrapper := &platformInterfaceWrapper{
 		iif:       platformInterface,
 		useProcFS: platformInterface.UseProcFS(),
@@ -60,7 +60,6 @@ func NewCommandServer(handler CommandServerHandler, platformInterface PlatformIn
 		Handler:     (*platformHandler)(server),
 		Debug:       sDebug,
 		LogMaxLines: sLogMaxLines,
-		OOMKiller:   memoryLimitEnabled,
 		// WorkingDirectory: sWorkingPath,
 		// TempDirectory:    sTempPath,
 		// UserID:           sUserID,
@@ -160,7 +159,6 @@ func (s *CommandServer) Close() {
 		s.grpcServer.Stop()
 	}
 	common.Close(s.listener)
-	s.StartedService.Close()
 }
 
 type OverrideOptions struct {
@@ -197,14 +195,6 @@ func (s *CommandServer) NeedWIFIState() bool {
 	return instance.Box().Network().NeedWIFIState()
 }
 
-func (s *CommandServer) NeedFindProcess() bool {
-	instance := s.StartedService.Instance()
-	if instance == nil || instance.Box() == nil {
-		return false
-	}
-	return instance.Box().Router().NeedFindProcess()
-}
-
 func (s *CommandServer) Pause() {
 	instance := s.StartedService.Instance()
 	if instance == nil || instance.PauseManager() == nil {

experimental/libbox/command_types.go

@@ -3,7 +3,6 @@ package libbox
 import (
 	"slices"
 	"strings"
-	"time"
 
 	"github.com/sagernet/sing-box/daemon"
 	M "github.com/sagernet/sing/common/metadata"
@@ -32,11 +31,11 @@ type OutboundGroup struct {
 	Selectable bool
 	Selected   string
 	IsExpand   bool
-	itemList   []*OutboundGroupItem
+	ItemList   []*OutboundGroupItem
 }
 
 func (g *OutboundGroup) GetItems() OutboundGroupItemIterator {
-	return newIterator(g.itemList)
+	return newIterator(g.ItemList)
 }
 
 type OutboundGroupIterator interface {
@@ -62,119 +61,12 @@ const (
 	ConnectionStateClosed
 )
 
-const (
-	ConnectionEventNew = iota
-	ConnectionEventUpdate
-	ConnectionEventClosed
-)
-
-const (
-	closedConnectionMaxAge = int64((5 * time.Minute) / time.Millisecond)
-)
-
-type ConnectionEvent struct {
-	Type          int32
-	ID            string
-	Connection    *Connection
-	UplinkDelta   int64
-	DownlinkDelta int64
-	ClosedAt      int64
-}
-
-type ConnectionEvents struct {
-	Reset  bool
-	events []*ConnectionEvent
-}
-
-func (c *ConnectionEvents) Iterator() ConnectionEventIterator {
-	return newIterator(c.events)
-}
-
-type ConnectionEventIterator interface {
-	Next() *ConnectionEvent
-	HasNext() bool
-}
-
 type Connections struct {
-	connectionMap map[string]*Connection
-	input         []Connection
-	filtered      []Connection
-	filterState   int32
-	filterApplied bool
-}
-
-func NewConnections() *Connections {
-	return &Connections{
-		connectionMap: make(map[string]*Connection),
-	}
-}
-
-func (c *Connections) ApplyEvents(events *ConnectionEvents) {
-	if events == nil {
-		return
-	}
-	if events.Reset {
-		c.connectionMap = make(map[string]*Connection)
-	}
-
-	for _, event := range events.events {
-		switch event.Type {
-		case ConnectionEventNew:
-			if event.Connection != nil {
-				conn := *event.Connection
-				c.connectionMap[event.ID] = &conn
-			}
-		case ConnectionEventUpdate:
-			if conn, ok := c.connectionMap[event.ID]; ok {
-				conn.Uplink = event.UplinkDelta
-				conn.Downlink = event.DownlinkDelta
-				conn.UplinkTotal += event.UplinkDelta
-				conn.DownlinkTotal += event.DownlinkDelta
-			}
-		case ConnectionEventClosed:
-			if event.Connection != nil {
-				conn := *event.Connection
-				conn.ClosedAt = event.ClosedAt
-				conn.Uplink = 0
-				conn.Downlink = 0
-				c.connectionMap[event.ID] = &conn
-				continue
-			}
-			if conn, ok := c.connectionMap[event.ID]; ok {
-				conn.ClosedAt = event.ClosedAt
-				conn.Uplink = 0
-				conn.Downlink = 0
-			}
-		}
-	}
-
-	c.evictClosedConnections(time.Now().UnixMilli())
-	c.input = c.input[:0]
-	for _, conn := range c.connectionMap {
-		c.input = append(c.input, *conn)
-	}
-	if c.filterApplied {
-		c.FilterState(c.filterState)
-	} else {
-		c.filtered = c.filtered[:0]
-		c.filtered = append(c.filtered, c.input...)
-	}
-}
-
-func (c *Connections) evictClosedConnections(nowMilliseconds int64) {
-	for id, conn := range c.connectionMap {
-		if conn.ClosedAt == 0 {
-			continue
-		}
-		if nowMilliseconds-conn.ClosedAt > closedConnectionMaxAge {
-			delete(c.connectionMap, id)
-		}
-	}
+	input    []Connection
+	filtered []Connection
 }
 
 func (c *Connections) FilterState(state int32) {
-	c.filterApplied = true
-	c.filterState = state
 	c.filtered = c.filtered[:0]
 	switch state {
 	case ConnectionStateAll:
@@ -267,12 +159,12 @@ type Connection struct {
 	Rule          string
 	Outbound      string
 	OutboundType  string
-	chainList     []string
+	ChainList     []string
 	ProcessInfo   *ProcessInfo
 }
 
 func (c *Connection) Chain() StringIterator {
-	return newIterator(c.chainList)
+	return newIterator(c.ChainList)
 }
 
 func (c *Connection) DisplayDestination() string {
@@ -292,7 +184,7 @@ type ConnectionIterator interface {
 	HasNext() bool
 }
 
-func statusMessageFromGRPC(status *daemon.Status) *StatusMessage {
+func StatusMessageFromGRPC(status *daemon.Status) *StatusMessage {
 	if status == nil {
 		return nil
 	}
@@ -309,7 +201,7 @@ func statusMessageFromGRPC(status *daemon.Status) *StatusMessage {
 	}
 }
 
-func outboundGroupIteratorFromGRPC(groups *daemon.Groups) OutboundGroupIterator {
+func OutboundGroupIteratorFromGRPC(groups *daemon.Groups) OutboundGroupIterator {
 	if groups == nil || len(groups.Group) == 0 {
 		return newIterator([]*OutboundGroup{})
 	}
@@ -323,7 +215,7 @@ func outboundGroupIteratorFromGRPC(groups *daemon.Groups) OutboundGroupIterator
 			IsExpand:   g.IsExpand,
 		}
 		for _, item := range g.Items {
-			libboxGroup.itemList = append(libboxGroup.itemList, &OutboundGroupItem{
+			libboxGroup.ItemList = append(libboxGroup.ItemList, &OutboundGroupItem{
 				Tag:          item.Tag,
 				Type:         item.Type,
 				URLTestTime:  item.UrlTestTime,
@@ -335,7 +227,7 @@ func outboundGroupIteratorFromGRPC(groups *daemon.Groups) OutboundGroupIterator
 	return newIterator(libboxGroups)
 }
 
-func connectionFromGRPC(conn *daemon.Connection) Connection {
+func ConnectionFromGRPC(conn *daemon.Connection) Connection {
 	var processInfo *ProcessInfo
 	if conn.ProcessInfo != nil {
 		processInfo = &ProcessInfo{
@@ -367,45 +259,23 @@ func connectionFromGRPC(conn *daemon.Connection) Connection {
 		Rule:          conn.Rule,
 		Outbound:      conn.Outbound,
 		OutboundType:  conn.OutboundType,
-		chainList:     conn.ChainList,
+		ChainList:     conn.ChainList,
 		ProcessInfo:   processInfo,
 	}
 }
 
-func connectionEventFromGRPC(event *daemon.ConnectionEvent) *ConnectionEvent {
-	if event == nil {
+func ConnectionsFromGRPC(connections *daemon.Connections) []Connection {
+	if connections == nil || len(connections.Connections) == 0 {
 		return nil
 	}
-	libboxEvent := &ConnectionEvent{
-		Type:          int32(event.Type),
-		ID:            event.Id,
-		UplinkDelta:   event.UplinkDelta,
-		DownlinkDelta: event.DownlinkDelta,
-		ClosedAt:      event.ClosedAt,
+	var libboxConnections []Connection
+	for _, conn := range connections.Connections {
+		libboxConnections = append(libboxConnections, ConnectionFromGRPC(conn))
 	}
-	if event.Connection != nil {
-		conn := connectionFromGRPC(event.Connection)
-		libboxEvent.Connection = &conn
-	}
-	return libboxEvent
+	return libboxConnections
 }
 
-func connectionEventsFromGRPC(events *daemon.ConnectionEvents) *ConnectionEvents {
-	if events == nil {
-		return nil
-	}
-	libboxEvents := &ConnectionEvents{
-		Reset: events.Reset_,
-	}
-	for _, event := range events.Events {
-		if libboxEvent := connectionEventFromGRPC(event); libboxEvent != nil {
-			libboxEvents.events = append(libboxEvents.events, libboxEvent)
-		}
-	}
-	return libboxEvents
-}
-
-func systemProxyStatusFromGRPC(status *daemon.SystemProxyStatus) *SystemProxyStatus {
+func SystemProxyStatusFromGRPC(status *daemon.SystemProxyStatus) *SystemProxyStatus {
 	if status == nil {
 		return nil
 	}
@@ -415,7 +285,7 @@ func systemProxyStatusFromGRPC(status *daemon.SystemProxyStatus) *SystemProxySta
 	}
 }
 
-func systemProxyStatusToGRPC(status *SystemProxyStatus) *daemon.SystemProxyStatus {
+func SystemProxyStatusToGRPC(status *SystemProxyStatus) *daemon.SystemProxyStatus {
 	if status == nil {
 		return nil
 	}

experimental/libbox/config.go

@@ -22,7 +22,7 @@ import (
 	"github.com/sagernet/sing/service/filemanager"
 )
 
-func baseContext(platformInterface PlatformInterface) context.Context {
+func BaseContext(platformInterface PlatformInterface) context.Context {
 	dnsRegistry := include.DNSTransportRegistry()
 	if platformInterface != nil {
 		if localTransport := platformInterface.LocalDNSTransport(); localTransport != nil {
@@ -45,7 +45,7 @@ func parseConfig(ctx context.Context, configContent string) (option.Options, err
 }
 
 func CheckConfig(configContent string) error {
-	ctx := baseContext(nil)
+	ctx := BaseContext(nil)
 	options, err := parseConfig(ctx, configContent)
 	if err != nil {
 		return err
@@ -189,7 +189,7 @@ func (s *interfaceMonitorStub) MyInterface() string {
 }
 
 func FormatConfig(configContent string) (*StringBox, error) {
-	options, err := parseConfig(baseContext(nil), configContent)
+	options, err := parseConfig(BaseContext(nil), configContent)
 	if err != nil {
 		return nil, err
 	}

experimental/libbox/ffi.json

@@ -1,257 +0,0 @@
-{
-  "version": 1,
-  "variables": {
-    "VERSION": "$(go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)",
-    "WORKSPACE_ROOT": "../../..",
-    "DEPLOY_ANDROID": "${WORKSPACE_ROOT}/sing-box-for-android/app/libs",
-    "DEPLOY_APPLE": "${WORKSPACE_ROOT}/sing-box-for-apple",
-    "DEPLOY_WINDOWS": "${WORKSPACE_ROOT}/sing-box-for-windows/local-packages"
-  },
-  "packages": [
-    {
-      "id": "libbox",
-      "path": ".",
-      "java_package": "io.nekohasekai.libbox",
-      "csharp_namespace": "SagerNet",
-      "csharp_entrypoint": "Libbox",
-      "apple_prefix": "Libbox"
-    }
-  ],
-  "builds": [
-    {
-      "id": "android-main",
-      "packages": ["libbox"],
-      "default": {
-        "tags": [
-          "with_gvisor",
-          "with_quic",
-          "with_wireguard",
-          "with_utls",
-          "with_naive_outbound",
-          "with_clash_api",
-          "badlinkname",
-          "tfogo_checklinkname0",
-          "with_tailscale",
-          "ts_omit_logtail",
-          "ts_omit_ssh",
-          "ts_omit_drive",
-          "ts_omit_taildrop",
-          "ts_omit_webclient",
-          "ts_omit_doctor",
-          "ts_omit_capture",
-          "ts_omit_kube",
-          "ts_omit_aws",
-          "ts_omit_synology",
-          "ts_omit_bird"
-        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
-        "trimpath": true
-      }
-    },
-    {
-      "id": "android-legacy",
-      "packages": ["libbox"],
-      "default": {
-        "tags": [
-          "with_gvisor",
-          "with_quic",
-          "with_wireguard",
-          "with_utls",
-          "with_clash_api",
-          "badlinkname",
-          "tfogo_checklinkname0",
-          "with_tailscale",
-          "ts_omit_logtail",
-          "ts_omit_ssh",
-          "ts_omit_drive",
-          "ts_omit_taildrop",
-          "ts_omit_webclient",
-          "ts_omit_doctor",
-          "ts_omit_capture",
-          "ts_omit_kube",
-          "ts_omit_aws",
-          "ts_omit_synology",
-          "ts_omit_bird"
-        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
-        "trimpath": true
-      }
-    },
-    {
-      "id": "apple",
-      "packages": ["libbox"],
-      "default": {
-        "tags": [
-          "with_gvisor",
-          "with_quic",
-          "with_wireguard",
-          "with_utls",
-          "with_naive_outbound",
-          "with_clash_api",
-          "badlinkname",
-          "tfogo_checklinkname0",
-          "with_dhcp",
-          "grpcnotrace",
-          "with_tailscale",
-          "ts_omit_logtail",
-          "ts_omit_ssh",
-          "ts_omit_drive",
-          "ts_omit_taildrop",
-          "ts_omit_webclient",
-          "ts_omit_doctor",
-          "ts_omit_capture",
-          "ts_omit_kube",
-          "ts_omit_aws",
-          "ts_omit_synology",
-          "ts_omit_bird"
-        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
-        "trimpath": true
-      },
-      "overrides": [
-        {
-          "match": { "os": "ios" },
-          "tags_append": ["with_low_memory"]
-        },
-        {
-          "match": { "os": "tvos" },
-          "tags_append": ["with_low_memory"]
-        }
-      ]
-    },
-    {
-      "id": "windows",
-      "packages": ["libbox"],
-      "default": {
-        "tags": [
-          "with_gvisor",
-          "with_quic",
-          "with_wireguard",
-          "with_utls",
-          "with_naive_outbound",
-          "with_purego",
-          "with_clash_api",
-          "badlinkname",
-          "tfogo_checklinkname0",
-          "with_tailscale",
-          "ts_omit_logtail",
-          "ts_omit_ssh",
-          "ts_omit_drive",
-          "ts_omit_taildrop",
-          "ts_omit_webclient",
-          "ts_omit_doctor",
-          "ts_omit_capture",
-          "ts_omit_kube",
-          "ts_omit_aws",
-          "ts_omit_synology",
-          "ts_omit_bird"
-        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
-        "trimpath": true
-      }
-    }
-  ],
-  "platforms": [
-    {
-      "type": "android",
-      "build": "android-main",
-      "min_sdk": 23,
-      "ndk_version": "28.0.13004108",
-      "lib_name": "box",
-      "languages": [{ "type": "java" }],
-      "artifacts": [
-        {
-          "type": "aar",
-          "output_path": "libbox.aar",
-          "execute_after": [
-            "if [ -d \"${DEPLOY_ANDROID}\" ]; then",
-            "  rm -f \"${DEPLOY_ANDROID}/$$(basename \"${OUTPUT_PATH}\")\"",
-            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_ANDROID}/\"",
-            "fi"
-          ]
-        }
-      ]
-    },
-    {
-      "type": "android",
-      "build": "android-legacy",
-      "min_sdk": 21,
-      "ndk_version": "28.0.13004108",
-      "lib_name": "box",
-      "languages": [{ "type": "java" }],
-      "artifacts": [
-        {
-          "type": "aar",
-          "output_path": "libbox-legacy.aar",
-          "execute_after": [
-            "if [ -d \"${DEPLOY_ANDROID}\" ]; then",
-            "  rm -f \"${DEPLOY_ANDROID}/$$(basename \"${OUTPUT_PATH}\")\"",
-            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_ANDROID}/\"",
-            "fi"
-          ]
-        }
-      ]
-    },
-    {
-      "type": "apple",
-      "build": "apple",
-      "targets": [
-        "ios/arm64",
-        "ios/simulator/arm64",
-        "ios/simulator/amd64",
-        "tvos/arm64",
-        "tvos/simulator/arm64",
-        "tvos/simulator/amd64",
-        "macos/arm64",
-        "macos/amd64"
-      ],
-      "languages": [{ "type": "objc" }],
-      "artifacts": [
-        {
-          "type": "xcframework",
-          "module_name": "Libbox",
-          "execute_after": [
-            "if [ -d \"${DEPLOY_APPLE}\" ]; then",
-            "  rm -rf \"${DEPLOY_APPLE}/${MODULE_NAME}.xcframework\"",
-            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_APPLE}/\"",
-            "fi"
-          ]
-        }
-      ]
-    },
-    {
-      "type": "csharp",
-      "build": "windows",
-      "targets": [
-        "windows/amd64"
-      ],
-      "languages": [{ "type": "csharp" }],
-      "artifacts": [
-        {
-          "type": "nuget",
-          "package_id": "SagerNet.Libbox",
-          "package_version": "0.0.0-local",
-          "execute_after": {
-            "windows": [
-              "$$deployPath = '${DEPLOY_WINDOWS}'",
-              "if (Test-Path $$deployPath) {",
-              "  Remove-Item \"$$deployPath\\${PACKAGE_ID}.*.nupkg\" -ErrorAction SilentlyContinue",
-              "  Move-Item -Force '${OUTPUT_PATH}' \"$$deployPath\\\"",
-              "  $$cachePath = if ($$env:NUGET_PACKAGES) { $$env:NUGET_PACKAGES } else { \"$$env:USERPROFILE\\.nuget\\packages\" }",
-              "  Remove-Item -Recurse -Force \"$$cachePath\\sagernet.libbox\\${PACKAGE_VERSION}\" -ErrorAction SilentlyContinue",
-              "}"
-            ],
-            "default": [
-              "if [ -d \"${DEPLOY_WINDOWS}\" ]; then",
-              "  rm -f \"${DEPLOY_WINDOWS}/${PACKAGE_ID}.*.nupkg\"",
-              "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_WINDOWS}/\"",
-              "  cache_path=\"$${NUGET_PACKAGES:-$${HOME}/.nuget/packages}\"",
-              "  rm -rf \"$${cache_path}/sagernet.libbox/${PACKAGE_VERSION}\"",
-              "fi"
-            ]
-          }
-        }
-      ]
-    }
-  ]
-}

experimental/libbox/memory.go

@@ -4,23 +4,20 @@ import (
 	"math"
 	runtimeDebug "runtime/debug"
 
-	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/common/conntrack"
 )
 
-var memoryLimitEnabled bool
-
 func SetMemoryLimit(enabled bool) {
-	memoryLimitEnabled = enabled
-	const memoryLimitGo = 45 * 1024 * 1024
+	const memoryLimit = 45 * 1024 * 1024
+	const memoryLimitGo = memoryLimit / 1.5
 	if enabled {
 		runtimeDebug.SetGCPercent(10)
-		if C.IsIos {
-			runtimeDebug.SetMemoryLimit(memoryLimitGo)
-		}
+		runtimeDebug.SetMemoryLimit(memoryLimitGo)
+		conntrack.KillerEnabled = true
+		conntrack.MemoryLimit = memoryLimit
 	} else {
 		runtimeDebug.SetGCPercent(100)
-		if C.IsIos {
-			runtimeDebug.SetMemoryLimit(math.MaxInt64)
-		}
+		runtimeDebug.SetMemoryLimit(math.MaxInt64)
+		conntrack.KillerEnabled = false
 	}
 }

experimental/libbox/platform.go

@@ -11,7 +11,9 @@ type PlatformInterface interface {
 	AutoDetectInterfaceControl(fd int32) error
 	OpenTun(options TunOptions) (int32, error)
 	UseProcFS() bool
-	FindConnectionOwner(ipProtocol int32, sourceAddress string, sourcePort int32, destinationAddress string, destinationPort int32) (*ConnectionOwner, error)
+	FindConnectionOwner(ipProtocol int32, sourceAddress string, sourcePort int32, destinationAddress string, destinationPort int32) (int32, error)
+	PackageNameByUid(uid int32) (string, error)
+	UIDByPackageName(packageName string) (int32, error)
 	StartDefaultInterfaceMonitor(listener InterfaceUpdateListener) error
 	CloseDefaultInterfaceMonitor(listener InterfaceUpdateListener) error
 	GetInterfaces() (NetworkInterfaceIterator, error)
@@ -23,13 +25,6 @@ type PlatformInterface interface {
 	SendNotification(notification *Notification) error
 }
 
-type ConnectionOwner struct {
-	UserId             int32
-	UserName           string
-	ProcessPath        string
-	AndroidPackageName string
-}
-
 type InterfaceUpdateListener interface {
 	UpdateDefaultInterface(interfaceName string, interfaceIndex int32, isExpensive bool, isConstrained bool)
 }

experimental/libbox/profile_import.go

@@ -5,7 +5,6 @@ import (
 	"bytes"
 	"compress/gzip"
 	"encoding/binary"
-	"io"
 
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/varbin"
@@ -36,7 +35,7 @@ type ErrorMessage struct {
 func (e *ErrorMessage) Encode() []byte {
 	var buffer bytes.Buffer
 	buffer.WriteByte(MessageTypeError)
-	writeString(&buffer, e.Message)
+	varbin.Write(&buffer, binary.BigEndian, e.Message)
 	return buffer.Bytes()
 }
 
@@ -50,7 +49,7 @@ func DecodeErrorMessage(data []byte) (*ErrorMessage, error) {
 		return nil, E.New("invalid message")
 	}
 	var message ErrorMessage
-	message.Message, err = readString(reader)
+	message.Message, err = varbin.ReadValue[string](reader, binary.BigEndian)
 	if err != nil {
 		return nil, err
 	}
@@ -88,7 +87,7 @@ func (e *ProfileEncoder) Encode() []byte {
 	binary.Write(&buffer, binary.BigEndian, uint16(len(e.profiles)))
 	for _, preview := range e.profiles {
 		binary.Write(&buffer, binary.BigEndian, preview.ProfileID)
-		writeString(&buffer, preview.Name)
+		varbin.Write(&buffer, binary.BigEndian, preview.Name)
 		binary.Write(&buffer, binary.BigEndian, preview.Type)
 	}
 	return buffer.Bytes()
@@ -118,7 +117,7 @@ func (d *ProfileDecoder) Decode(data []byte) error {
 		if err != nil {
 			return err
 		}
-		profile.Name, err = readString(reader)
+		profile.Name, err = varbin.ReadValue[string](reader, binary.BigEndian)
 		if err != nil {
 			return err
 		}
@@ -179,11 +178,11 @@ func (c *ProfileContent) Encode() []byte {
 	buffer.WriteByte(1)
 	gWriter := gzip.NewWriter(buffer)
 	writer := bufio.NewWriter(gWriter)
-	writeStringBuffered(writer, c.Name)
+	varbin.Write(writer, binary.BigEndian, c.Name)
 	binary.Write(writer, binary.BigEndian, c.Type)
-	writeStringBuffered(writer, c.Config)
+	varbin.Write(writer, binary.BigEndian, c.Config)
 	if c.Type != ProfileTypeLocal {
-		writeStringBuffered(writer, c.RemotePath)
+		varbin.Write(writer, binary.BigEndian, c.RemotePath)
 	}
 	if c.Type == ProfileTypeRemote {
 		binary.Write(writer, binary.BigEndian, c.AutoUpdate)
@@ -215,7 +214,7 @@ func DecodeProfileContent(data []byte) (*ProfileContent, error) {
 	}
 	bReader := varbin.StubReader(gReader)
 	var content ProfileContent
-	content.Name, err = readString(bReader)
+	content.Name, err = varbin.ReadValue[string](bReader, binary.BigEndian)
 	if err != nil {
 		return nil, err
 	}
@@ -223,12 +222,12 @@ func DecodeProfileContent(data []byte) (*ProfileContent, error) {
 	if err != nil {
 		return nil, err
 	}
-	content.Config, err = readString(bReader)
+	content.Config, err = varbin.ReadValue[string](bReader, binary.BigEndian)
 	if err != nil {
 		return nil, err
 	}
 	if content.Type != ProfileTypeLocal {
-		content.RemotePath, err = readString(bReader)
+		content.RemotePath, err = varbin.ReadValue[string](bReader, binary.BigEndian)
 		if err != nil {
 			return nil, err
 		}
@@ -251,28 +250,3 @@ func DecodeProfileContent(data []byte) (*ProfileContent, error) {
 	}
 	return &content, nil
 }
-
-func readString(reader io.ByteReader) (string, error) {
-	length, err := binary.ReadUvarint(reader)
-	if err != nil {
-		return "", err
-	}
-	buf := make([]byte, length)
-	for i := range buf {
-		buf[i], err = reader.ReadByte()
-		if err != nil {
-			return "", err
-		}
-	}
-	return string(buf), nil
-}
-
-func writeString(buffer *bytes.Buffer, value string) {
-	varbin.WriteUvarint(buffer, uint64(len(value)))
-	buffer.WriteString(value)
-}
-
-func writeStringBuffered(writer *bufio.Writer, value string) {
-	varbin.WriteUvarint(writer, uint64(len(value)))
-	writer.WriteString(value)
-}

experimental/libbox/semver.go

@@ -1,27 +0,0 @@
-package libbox
-
-import (
-	"strings"
-
-	"golang.org/x/mod/semver"
-)
-
-func CompareSemver(left string, right string) bool {
-	normalizedLeft := normalizeSemver(left)
-	if !semver.IsValid(normalizedLeft) {
-		return false
-	}
-	normalizedRight := normalizeSemver(right)
-	if !semver.IsValid(normalizedRight) {
-		return false
-	}
-	return semver.Compare(normalizedLeft, normalizedRight) > 0
-}
-
-func normalizeSemver(version string) string {
-	trimmedVersion := strings.TrimSpace(version)
-	if strings.HasPrefix(trimmedVersion, "v") {
-		return trimmedVersion
-	}
-	return "v" + trimmedVersion
-}

experimental/libbox/semver_test.go

@@ -1,16 +0,0 @@
-package libbox
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestCompareSemver(t *testing.T) {
-	t.Parallel()
-
-	require.False(t, CompareSemver("1.13.0-rc.4", "1.13.0"))
-	require.True(t, CompareSemver("1.13.1", "1.13.0"))
-	require.False(t, CompareSemver("v1.13.0", "1.13.0"))
-	require.False(t, CompareSemver("1.13.0-", "1.13.0"))
-}

experimental/libbox/service.go

@@ -126,9 +126,6 @@ func (w *platformInterfaceWrapper) NetworkInterfaces() ([]adapter.NetworkInterfa
 			Constrained: isDefault && w.isConstrained,
 		})
 	}
-	interfaces = common.UniqBy(interfaces, func(it adapter.NetworkInterface) string {
-		return it.Name
-	})
 	return interfaces, nil
 }
 
@@ -169,6 +166,7 @@ func (w *platformInterfaceWrapper) UsePlatformConnectionOwnerFinder() bool {
 }
 
 func (w *platformInterfaceWrapper) FindConnectionOwner(request *adapter.FindConnectionOwnerRequest) (*adapter.ConnectionOwner, error) {
+	var uid int32
 	if w.useProcFS {
 		var source netip.AddrPort
 		var destination netip.AddrPort
@@ -187,24 +185,21 @@ func (w *platformInterfaceWrapper) FindConnectionOwner(request *adapter.FindConn
 			return nil, E.New("unknown protocol: ", request.IpProtocol)
 		}
 
-		uid := procfs.ResolveSocketByProcSearch(network, source, destination)
+		uid = procfs.ResolveSocketByProcSearch(network, source, destination)
 		if uid == -1 {
 			return nil, E.New("procfs: not found")
 		}
-		return &adapter.ConnectionOwner{
-			UserId: uid,
-		}, nil
-	}
-
-	result, err := w.iif.FindConnectionOwner(request.IpProtocol, request.SourceAddress, request.SourcePort, request.DestinationAddress, request.DestinationPort)
-	if err != nil {
-		return nil, err
+	} else {
+		var err error
+		uid, err = w.iif.FindConnectionOwner(request.IpProtocol, request.SourceAddress, request.SourcePort, request.DestinationAddress, request.DestinationPort)
+		if err != nil {
+			return nil, err
+		}
 	}
+	packageName, _ := w.iif.PackageNameByUid(uid)
 	return &adapter.ConnectionOwner{
-		UserId:             result.UserId,
-		UserName:           result.UserName,
-		ProcessPath:        result.ProcessPath,
-		AndroidPackageName: result.AndroidPackageName,
+		UserId:             uid,
+		AndroidPackageName: packageName,
 	}, nil
 }
 

experimental/libbox/setup.go

@@ -71,11 +71,11 @@ func Version() string {
 }
 
 func FormatBytes(length int64) string {
-	return byteformats.FormatKBytes(uint64(length))
+	return byteformats.FormatBytes(uint64(length))
 }
 
 func FormatMemoryBytes(length int64) string {
-	return byteformats.FormatMemoryKBytes(uint64(length))
+	return byteformats.FormatMemoryBytes(uint64(length))
 }
 
 func FormatDuration(duration int64) string {

experimental/v2rayapi/stats_grpc.pb.go

@@ -84,15 +84,15 @@ type StatsServiceServer interface {
 type UnimplementedStatsServiceServer struct{}
 
 func (UnimplementedStatsServiceServer) GetStats(context.Context, *GetStatsRequest) (*GetStatsResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "method GetStats not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method GetStats not implemented")
 }
 
 func (UnimplementedStatsServiceServer) QueryStats(context.Context, *QueryStatsRequest) (*QueryStatsResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "method QueryStats not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method QueryStats not implemented")
 }
 
 func (UnimplementedStatsServiceServer) GetSysStats(context.Context, *SysStatsRequest) (*SysStatsResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "method GetSysStats not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method GetSysStats not implemented")
 }
 func (UnimplementedStatsServiceServer) mustEmbedUnimplementedStatsServiceServer() {}
 func (UnimplementedStatsServiceServer) testEmbeddedByValue()                      {}
@@ -105,7 +105,7 @@ type UnsafeStatsServiceServer interface {
 }
 
 func RegisterStatsServiceServer(s grpc.ServiceRegistrar, srv StatsServiceServer) {
-	// If the following call panics, it indicates UnimplementedStatsServiceServer was
+	// If the following call pancis, it indicates UnimplementedStatsServiceServer was
 	// embedded by pointer and is nil.  This will cause panics if an
 	// unimplemented method is ever invoked, so we test this at initialization
 	// time to prevent it from happening at runtime later due to I/O.