Add cloudflared inbound support

Bump version
Fix naive inbound padding bytes
2026-04-12 01:57:18 +10:00 · 2026-04-08 14:39:41 +08:00 · 2026-04-06 23:09:11 +08:00 · 2026-04-06 22:33:11 +08:00 · 2026-04-01 16:16:58 +08:00 · 2026-03-30 23:03:43 +08:00
171 changed files with 5248 additions and 1063 deletions
--- a/.fpm_systemd
+++ b/.fpm_systemd
@@ -4,6 +4,7 @@
 --license GPL-3.0-or-later
 --description "The universal proxy platform."
 --url "https://sing-box.sagernet.org/"
+--vendor SagerNet
 --maintainer "nekohasekai <contact-git@sekai.icu>"
 --deb-field "Bug: https://github.com/SagerNet/sing-box/issues"
 --no-deb-generate-changes
--- a/.github/CRONET_GO_VERSION
+++ b/.github/CRONET_GO_VERSION
@@ -1 +1 @@
-cba7b9ac0399055aa49fbdc57c03c374f58e1597
+2fef65f9dba90ddb89a87d00a6eb6165487c10c1
--- a/.github/build_alpine_apk.sh
+++ b/.github/build_alpine_apk.sh
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+ARCHITECTURE="$1"
+VERSION="$2"
+BINARY_PATH="$3"
+OUTPUT_PATH="$4"
+
+if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
+  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
+  exit 1
+fi
+
+PROJECT=$(cd "$(dirname "$0")/.."; pwd)
+
+# Convert version to APK format:
+#   1.13.0-beta.8  -> 1.13.0_beta8-r0
+#   1.13.0-rc.3    -> 1.13.0_rc3-r0
+#   1.13.0         -> 1.13.0-r0
+APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
+APK_VERSION="${APK_VERSION}-r0"
+
+ROOT_DIR=$(mktemp -d)
+trap 'rm -rf "$ROOT_DIR"' EXIT
+
+# Binary
+install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
+
+# Config files
+install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
+install -Dm755 "$PROJECT/release/config/sing-box.initd" "$ROOT_DIR/etc/init.d/sing-box"
+install -Dm644 "$PROJECT/release/config/sing-box.confd" "$ROOT_DIR/etc/conf.d/sing-box"
+
+# Service files
+install -Dm644 "$PROJECT/release/config/sing-box.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box.service"
+install -Dm644 "$PROJECT/release/config/sing-box@.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box@.service"
+
+# Completions
+install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
+install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
+install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
+
+# License
+install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
+
+# APK metadata
+PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
+mkdir -p "$PACKAGES_DIR"
+
+# .conffiles
+cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
+/etc/conf.d/sing-box
+/etc/init.d/sing-box
+/etc/sing-box/config.json
+EOF
+
+# .conffiles_static (sha256 checksums)
+while IFS= read -r conffile; do
+  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
+  echo "$conffile $sha256"
+done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
+
+# .list (all files, excluding lib/apk/packages/ metadata)
+(cd "$ROOT_DIR" && find . -type f -o -type l) \
+  | sed 's|^\./|/|' \
+  | grep -v '^/lib/apk/packages/' \
+  | sort > "$PACKAGES_DIR/.list"
+
+# Build APK
+apk mkpkg \
+  --info "name:sing-box" \
+  --info "version:${APK_VERSION}" \
+  --info "description:The universal proxy platform." \
+  --info "arch:${ARCHITECTURE}" \
+  --info "license:GPL-3.0-or-later with name use or association addition" \
+  --info "origin:sing-box" \
+  --info "url:https://sing-box.sagernet.org/" \
+  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
+  --files "$ROOT_DIR" \
+  --output "$OUTPUT_PATH"
--- a/.github/build_openwrt_apk.sh
+++ b/.github/build_openwrt_apk.sh
@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+ARCHITECTURE="$1"
+VERSION="$2"
+BINARY_PATH="$3"
+OUTPUT_PATH="$4"
+
+if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
+  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
+  exit 1
+fi
+
+PROJECT=$(cd "$(dirname "$0")/.."; pwd)
+
+# Convert version to APK format:
+#   1.13.0-beta.8  -> 1.13.0_beta8-r0
+#   1.13.0-rc.3    -> 1.13.0_rc3-r0
+#   1.13.0         -> 1.13.0-r0
+APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
+APK_VERSION="${APK_VERSION}-r0"
+
+ROOT_DIR=$(mktemp -d)
+trap 'rm -rf "$ROOT_DIR"' EXIT
+
+# Binary
+install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
+
+# Config files
+install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
+install -Dm644 "$PROJECT/release/config/openwrt.conf" "$ROOT_DIR/etc/config/sing-box"
+install -Dm755 "$PROJECT/release/config/openwrt.init" "$ROOT_DIR/etc/init.d/sing-box"
+install -Dm644 "$PROJECT/release/config/openwrt.keep" "$ROOT_DIR/lib/upgrade/keep.d/sing-box"
+
+# Completions
+install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
+install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
+install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
+
+# License
+install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
+
+# APK metadata
+PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
+mkdir -p "$PACKAGES_DIR"
+
+# .conffiles
+cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
+/etc/config/sing-box
+/etc/sing-box/config.json
+EOF
+
+# .conffiles_static (sha256 checksums)
+while IFS= read -r conffile; do
+  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
+  echo "$conffile $sha256"
+done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
+
+# .list (all files, excluding lib/apk/packages/ metadata)
+(cd "$ROOT_DIR" && find . -type f -o -type l) \
+  | sed 's|^\./|/|' \
+  | grep -v '^/lib/apk/packages/' \
+  | sort > "$PACKAGES_DIR/.list"
+
+# Build APK
+apk mkpkg \
+  --info "name:sing-box" \
+  --info "version:${APK_VERSION}" \
+  --info "description:The universal proxy platform." \
+  --info "arch:${ARCHITECTURE}" \
+  --info "license:GPL-3.0-or-later" \
+  --info "origin:sing-box" \
+  --info "url:https://sing-box.sagernet.org/" \
+  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
+  --info "depends:ca-bundle kmod-inet-diag kmod-tun firewall4 kmod-nft-queue" \
+  --info "provider-priority:100" \
+  --script "pre-deinstall:${PROJECT}/release/config/openwrt.prerm" \
+  --files "$ROOT_DIR" \
+  --output "$OUTPUT_PATH"
--- a/.github/detect_track.sh
+++ b/.github/detect_track.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+branches=$(git branch -r --contains HEAD)
+if echo "$branches" | grep -q 'origin/stable'; then
+  track=stable
+elif echo "$branches" | grep -q 'origin/testing'; then
+  track=testing
+elif echo "$branches" | grep -q 'origin/oldstable'; then
+  track=oldstable
+else
+  echo "ERROR: HEAD is not on any known release branch (stable/testing/oldstable)" >&2
+  exit 1
+fi
+
+if [[ "$track" == "stable" ]]; then
+  tag=$(git describe --tags --exact-match HEAD 2>/dev/null || true)
+  if [[ -n "$tag" && "$tag" == *"-"* ]]; then
+    track=beta
+  fi
+fi
+
+case "$track" in
+  stable)    name=sing-box;           docker_tag=latest ;;
+  beta)      name=sing-box-beta;      docker_tag=latest-beta ;;
+  testing)   name=sing-box-testing;   docker_tag=latest-testing ;;
+  oldstable) name=sing-box-oldstable; docker_tag=latest-oldstable ;;
+esac
+
+echo "track=${track} name=${name} docker_tag=${docker_tag}" >&2
+echo "TRACK=${track}" >> "$GITHUB_ENV"
+echo "NAME=${name}" >> "$GITHUB_ENV"
+echo "DOCKER_TAG=${docker_tag}" >> "$GITHUB_ENV"
--- a/.github/setup_go_for_macos1013.sh
+++ b/.github/setup_go_for_macos1013.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+VERSION="1.25.8"
+PATCH_COMMITS=(
+  "afe69d3cec1c6dcf0f1797b20546795730850070"
+  "1ed289b0cf87dc5aae9c6fe1aa5f200a83412938"
+)
+CURL_ARGS=(
+  -fL
+  --silent
+  --show-error
+)
+
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
+fi
+
+mkdir -p "$HOME/go"
+cd "$HOME/go"
+wget "https://dl.google.com/go/go${VERSION}.darwin-arm64.tar.gz"
+tar -xzf "go${VERSION}.darwin-arm64.tar.gz"
+#cp -a go go_bootstrap
+mv go go_osx
+cd go_osx
+
+# these patch URLs only work on golang1.25.x
+# that means after golang1.26 release it must be changed
+# see: https://github.com/SagerNet/go/commits/release-branch.go1.25/
+# revert:
+# 33d3f603c1: "cmd/link/internal/ld: use 12.0.0 OS/SDK versions for macOS linking"
+# 937368f84e: "crypto/x509: change how we retrieve chains on darwin"
+
+for patch_commit in "${PATCH_COMMITS[@]}"; do
+  curl "${CURL_ARGS[@]}" "https://github.com/SagerNet/go/commit/${patch_commit}.diff" | patch --verbose -p 1
+done
+
+# Rebuild is not needed: we build with CGO_ENABLED=1, so Apple's external
+# linker handles LC_BUILD_VERSION via MACOSX_DEPLOYMENT_TARGET, and the
+# stdlib (crypto/x509) is compiled from patched src automatically.
+#cd src
+#GOROOT_BOOTSTRAP="$HOME/go/go_bootstrap" ./make.bash
+#cd ../..
+#rm -rf go_bootstrap "go${VERSION}.darwin-arm64.tar.gz"
--- a/.github/setup_go_for_windows7.sh
+++ b/.github/setup_go_for_windows7.sh
@@ -1,16 +1,35 @@
 #!/usr/bin/env bash

-VERSION="1.25.7"
+set -euo pipefail

-mkdir -p $HOME/go
-cd $HOME/go
+VERSION="1.25.8"
+PATCH_COMMITS=(
+  "466f6c7a29bc098b0d4c987b803c779222894a11"
+  "1bdabae205052afe1dadb2ad6f1ba612cdbc532a"
+  "a90777dcf692dd2168577853ba743b4338721b06"
+  "f6bddda4e8ff58a957462a1a09562924d5f3d05c"
+  "bed309eff415bcb3c77dd4bc3277b682b89a388d"
+  "34b899c2fb39b092db4fa67c4417e41dc046be4b"
+)
+CURL_ARGS=(
+  -fL
+  --silent
+  --show-error
+)
+
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
+fi
+
+mkdir -p "$HOME/go"
+cd "$HOME/go"
 wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
 tar -xzf "go${VERSION}.linux-amd64.tar.gz"
 mv go go_win7
 cd go_win7

 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-# this patch file only works on golang1.25.x
+# these patch URLs only work on golang1.25.x
 # that means after golang1.26 release it must be changed
 # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
 # revert:
@@ -18,10 +37,10 @@ cd go_win7
 # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
 # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
 # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
+# fixes:
+# bed309eff415bcb3c77dd4bc3277b682b89a388d: "Fix os.RemoveAll not working on Windows7"
+# 34b899c2fb39b092db4fa67c4417e41dc046be4b: "Revert \"os: remove 5ms sleep on Windows in (*Process).Wait\""

-alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
-
-curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
+for patch_commit in "${PATCH_COMMITS[@]}"; do
+  curl "${CURL_ARGS[@]}" "https://github.com/MetaCubeX/go/commit/${patch_commit}.diff" | patch --verbose -p 1
+done
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -47,7 +47,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -72,27 +72,27 @@ jobs:
        include:
          - { os: linux, arch: amd64, variant: purego, naive: true }
          - { os: linux, arch: amd64, variant: glibc, naive: true }
-          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }
+          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, alpine: x86_64, openwrt: "x86_64" }

          - { os: linux, arch: arm64, variant: purego, naive: true }
          - { os: linux, arch: arm64, variant: glibc, naive: true }
-          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
+          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, alpine: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }

          - { os: linux, arch: "386", go386: sse2 }
          - { os: linux, arch: "386", variant: glibc, naive: true, go386: sse2 }
-          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }
+          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, alpine: x86, openwrt: "i386_pentium4" }

          - { os: linux, arch: arm, goarm: "7" }
          - { os: linux, arch: arm, variant: glibc, naive: true, goarm: "7" }
-          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
+          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, alpine: armv7, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }

          - { os: linux, arch: mipsle, gomips: hardfloat, naive: true, variant: glibc }
          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, variant: musl, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
          - { os: linux, arch: mips64le, gomips: hardfloat, naive: true, variant: glibc, debian: mips64el, rpm: mips64el }
          - { os: linux, arch: riscv64, naive: true, variant: glibc }
-          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
+          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, alpine: riscv64, openwrt: "riscv64_generic" }
          - { os: linux, arch: loong64, naive: true, variant: glibc }
-          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
+          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, alpine: loongarch64, openwrt: "loongarch64_generic" }

          - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
          - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
@@ -121,15 +121,10 @@ jobs:
        with:
          fetch-depth: 0
      - name: Setup Go
-        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
+        if: ${{ ! matrix.legacy_win7 }}
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
-      - name: Setup Go 1.24
-        if: matrix.legacy_go124
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.24.10
+          go-version: ~1.25.8
      - name: Cache Go for Windows 7
        if: matrix.legacy_win7
        id: cache-go-for-windows7
@@ -137,9 +132,11 @@ jobs:
        with:
          path: |
            ~/go/go_win7
-          key: go_win7_1255
+          key: go_win7_1258
      - name: Setup Go for Windows 7
        if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
        run: |-
          .github/setup_go_for_windows7.sh
      - name: Setup Go for Windows 7
@@ -399,6 +396,30 @@ jobs:
            .github/deb2ipk.sh "$architecture" "dist/openwrt.deb" "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.ipk"
          done
          rm "dist/openwrt.deb"
+      - name: Install apk-tools
+        if: matrix.openwrt != '' || matrix.alpine != ''
+        run: |-
+          docker run --rm -v /usr/local/bin:/mnt alpine:edge sh -c "apk add --no-cache apk-tools-static && cp /sbin/apk.static /mnt/apk && chmod +x /mnt/apk"
+      - name: Package OpenWrt APK
+        if: matrix.openwrt != ''
+        run: |-
+          set -xeuo pipefail
+          for architecture in ${{ matrix.openwrt }}; do
+            .github/build_openwrt_apk.sh \
+              "$architecture" \
+              "${{ needs.calculate_version.outputs.version }}" \
+              "dist/sing-box" \
+              "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.apk"
+          done
+      - name: Package Alpine APK
+        if: matrix.alpine != ''
+        run: |-
+          set -xeuo pipefail
+          .github/build_alpine_apk.sh \
+            "${{ matrix.alpine }}" \
+            "${{ needs.calculate_version.outputs.version }}" \
+            "dist/sing-box" \
+            "dist/sing-box_${{ needs.calculate_version.outputs.version }}_linux_${{ matrix.alpine }}.apk"
      - name: Archive
        run: |
          set -xeuo pipefail
@@ -434,22 +455,36 @@ jobs:
        include:
          - { arch: amd64 }
          - { arch: arm64 }
-          - { arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
+          - { arch: amd64, legacy_osx: true, legacy_name: "macos-10.13" }
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Setup Go
-        if: ${{ ! matrix.legacy_go124 }}
+        if: ${{ ! matrix.legacy_osx }}
        uses: actions/setup-go@v5
        with:
          go-version: ^1.25.3
-      - name: Setup Go 1.24
-        if: matrix.legacy_go124
-        uses: actions/setup-go@v5
+      - name: Cache Go for macOS 10.13
+        if: matrix.legacy_osx
+        id: cache-go-for-macos1013
+        uses: actions/cache@v4
        with:
-          go-version: ~1.24.6
+          path: |
+            ~/go/go_osx
+          key: go_osx_1258
+      - name: Setup Go for macOS 10.13
+        if: matrix.legacy_osx && steps.cache-go-for-macos1013.outputs.cache-hit != 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |-
+          .github/setup_go_for_macos1013.sh
+      - name: Setup Go for macOS 10.13
+        if: matrix.legacy_osx
+        run: |-
+          echo "PATH=$HOME/go/go_osx/bin:$PATH" >> $GITHUB_ENV
+          echo "GOROOT=$HOME/go/go_osx" >> $GITHUB_ENV
      - name: Set tag
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
@@ -457,7 +492,7 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
-          if [[ "${{ matrix.legacy_go124 }}" != "true" ]]; then
+          if [[ "${{ matrix.legacy_osx }}" != "true" ]]; then
            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
          else
            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
@@ -477,6 +512,7 @@ jobs:
          CGO_ENABLED: "1"
          GOOS: darwin
          GOARCH: ${{ matrix.arch }}
+          MACOSX_DEPLOYMENT_TARGET: ${{ matrix.legacy_osx && '10.13' || '' }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Set name
        run: |-
@@ -605,7 +641,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -695,7 +731,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -794,7 +830,7 @@ jobs:
        if: matrix.if
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Set tag
        if: matrix.if
        run: |-
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -19,7 +19,6 @@ env:
 jobs:
  build_binary:
    name: Build binary
-    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
@@ -56,7 +55,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Clone cronet-go
        if: matrix.naive
        run: |
@@ -260,13 +259,13 @@ jobs:
          fi
          echo "ref=$ref"
          echo "ref=$ref" >> $GITHUB_OUTPUT
-          if [[ $ref == *"-"* ]]; then
-            latest=latest-beta
-          else
-            latest=latest
-          fi
-          echo "latest=$latest"
-          echo "latest=$latest" >> $GITHUB_OUTPUT
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          ref: ${{ steps.ref.outputs.ref }}
+          fetch-depth: 0
+      - name: Detect track
+        run: bash .github/detect_track.sh
      - name: Download digests
        uses: actions/download-artifact@v5
        with:
@@ -286,11 +285,11 @@ jobs:
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create \
-            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}" \
+            -t "${{ env.REGISTRY_IMAGE }}:${{ env.DOCKER_TAG }}" \
            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
      - name: Inspect image
        if: github.event_name != 'push'
        run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}
+          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ env.DOCKER_TAG }}
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -11,11 +11,6 @@ on:
        description: "Version name"
        required: true
        type: string
-      forceBeta:
-        description: "Force beta"
-        required: false
-        type: boolean
-        default: false
  release:
    types:
      - published
@@ -23,7 +18,6 @@ on:
 jobs:
  calculate_version:
    name: Calculate version
-    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.outputs.outputs.version }}
@@ -35,7 +29,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -78,7 +72,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Clone cronet-go
        if: matrix.naive
        run: |
@@ -168,14 +162,8 @@ jobs:
      - name: Set mtime
        run: |-
          TZ=UTC touch -t '197001010000' dist/sing-box
-      - name: Set name
-        if: (! contains(needs.calculate_version.outputs.version, '-')) && !inputs.forceBeta
-        run: |-
-          echo "NAME=sing-box" >> "$GITHUB_ENV"
-      - name: Set beta name
-        if: contains(needs.calculate_version.outputs.version, '-') || inputs.forceBeta
-        run: |-
-          echo "NAME=sing-box-beta" >> "$GITHUB_ENV"
+      - name: Detect track
+        run: bash .github/detect_track.sh
      - name: Set version
        run: |-
          PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -101,6 +101,10 @@ type InboundContext struct {
 func (c *InboundContext) ResetRuleCache() {
 	c.IPCIDRMatchSource = false
 	c.IPCIDRAcceptEmpty = false
+	c.ResetRuleMatchCache()
+}
+
+func (c *InboundContext) ResetRuleMatchCache() {
 	c.SourceAddressMatch = false
 	c.SourcePortMatch = false
 	c.DestinationAddressMatch = false
--- a/adapter/platform.go
+++ b/adapter/platform.go
@@ -47,11 +47,11 @@ type FindConnectionOwnerRequest struct {
 }

 type ConnectionOwner struct {
-	ProcessID          uint32
-	UserId             int32
-	UserName           string
-	ProcessPath        string
-	AndroidPackageName string
+	ProcessID           uint32
+	UserId              int32
+	UserName            string
+	ProcessPath         string
+	AndroidPackageNames []string
 }

 type Notification struct {
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -239,7 +239,7 @@ func setMarkWrapper(networkManager adapter.NetworkManager, mark uint32, isDefaul
 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {
 	if !address.IsValid() {
 		return nil, E.New("invalid address")
-	} else if address.IsFqdn() {
+	} else if address.IsDomain() {
 		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {
@@ -329,9 +329,9 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd

 func (d *DefaultDialer) DialerForICMPDestination(destination netip.Addr) net.Dialer {
 	if !destination.Is6() {
-		return d.dialer6.Dialer
-	} else {
 		return d.dialer4.Dialer
+	} else {
+		return d.dialer6.Dialer
 	}
 }

--- a/common/dialer/resolve.go
+++ b/common/dialer/resolve.go
@@ -96,7 +96,7 @@ func (d *resolveDialer) DialContext(ctx context.Context, network string, destina
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsFqdn() {
+	if !destination.IsDomain() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -116,7 +116,7 @@ func (d *resolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsFqdn() {
+	if !destination.IsDomain() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -144,7 +144,7 @@ func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsFqdn() {
+	if !destination.IsDomain() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -167,7 +167,7 @@ func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.C
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsFqdn() {
+	if !destination.IsDomain() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
--- a/common/ktls/ktls_read.go
+++ b/common/ktls/ktls_read.go
@@ -12,6 +12,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"unsafe"
 )

 func (c *Conn) Read(b []byte) (int, error) {
@@ -229,7 +230,7 @@ func (c *Conn) readRawRecord() (typ uint8, data []byte, err error) {
 	record := c.rawConn.RawInput.Next(recordHeaderLen + n)
 	data, typ, err = c.rawConn.In.Decrypt(record)
 	if err != nil {
-		err = c.rawConn.In.SetErrorLocked(c.sendAlert(uint8(err.(tls.AlertError))))
+		err = c.rawConn.In.SetErrorLocked(c.sendAlert(*(*uint8)((*[2]unsafe.Pointer)(unsafe.Pointer(&err))[1])))
 		return
 	}
 	return
--- a/common/listener/listener.go
+++ b/common/listener/listener.go
@@ -151,6 +151,7 @@ func ListenNetworkNamespace[T any](nameOrPath string, block func() (T, error)) (
 		if err != nil {
 			return common.DefaultValue[T](), E.Cause(err, "get current netns")
 		}
+		defer currentNs.Close()
 		defer netns.Set(currentNs)
 		var targetNs netns.NsHandle
 		if strings.HasPrefix(nameOrPath, "/") {
--- a/common/process/searcher.go
+++ b/common/process/searcher.go
@@ -14,6 +14,7 @@ import (

 type Searcher interface {
 	FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error)
+	Close() error
 }

 var ErrNotFound = E.New("process not found")
@@ -28,7 +29,7 @@ func FindProcessInfo(searcher Searcher, ctx context.Context, network string, sou
 	if err != nil {
 		return nil, err
 	}
-	if info.UserId != -1 {
+	if info.UserId != -1 && info.UserName == "" {
 		osUser, _ := user.LookupId(F.ToString(info.UserId))
 		if osUser != nil {
 			info.UserName = osUser.Username
--- a/common/process/searcher_android.go
+++ b/common/process/searcher_android.go
@@ -6,6 +6,7 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
+	"github.com/sagernet/sing/common"
 )

 var _ Searcher = (*androidSearcher)(nil)
@@ -18,22 +19,30 @@ func NewSearcher(config Config) (Searcher, error) {
 	return &androidSearcher{config.PackageManager}, nil
 }

+func (s *androidSearcher) Close() error {
+	return nil
+}
+
 func (s *androidSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	_, uid, err := resolveSocketByNetlink(network, source, destination)
+	family, protocol, err := socketDiagSettings(network, source)
 	if err != nil {
 		return nil, err
 	}
-	if sharedPackage, loaded := s.packageManager.SharedPackageByID(uid % 100000); loaded {
-		return &adapter.ConnectionOwner{
-			UserId:             int32(uid),
-			AndroidPackageName: sharedPackage,
-		}, nil
+	_, uid, err := querySocketDiagOnce(family, protocol, source)
+	if err != nil {
+		return nil, err
 	}
-	if packageName, loaded := s.packageManager.PackageByID(uid % 100000); loaded {
-		return &adapter.ConnectionOwner{
-			UserId:             int32(uid),
-			AndroidPackageName: packageName,
-		}, nil
+	appID := uid % 100000
+	var packageNames []string
+	if sharedPackage, loaded := s.packageManager.SharedPackageByID(appID); loaded {
+		packageNames = append(packageNames, sharedPackage)
 	}
-	return &adapter.ConnectionOwner{UserId: int32(uid)}, nil
+	if packages, loaded := s.packageManager.PackagesByID(appID); loaded {
+		packageNames = append(packageNames, packages...)
+	}
+	packageNames = common.Uniq(packageNames)
+	return &adapter.ConnectionOwner{
+		UserId:              int32(uid),
+		AndroidPackageNames: packageNames,
+	}, nil
 }
--- a/common/process/searcher_darwin.go
+++ b/common/process/searcher_darwin.go
@@ -1,19 +1,15 @@
+//go:build darwin
+
 package process

 import (
 	"context"
-	"encoding/binary"
 	"net/netip"
-	"os"
 	"strconv"
 	"strings"
 	"syscall"
-	"unsafe"

 	"github.com/sagernet/sing-box/adapter"
-	N "github.com/sagernet/sing/common/network"
-
-	"golang.org/x/sys/unix"
 )

 var _ Searcher = (*darwinSearcher)(nil)
@@ -24,12 +20,12 @@ func NewSearcher(_ Config) (Searcher, error) {
 	return &darwinSearcher{}, nil
 }

+func (d *darwinSearcher) Close() error {
+	return nil
+}
+
 func (d *darwinSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	processName, err := findProcessName(network, source.Addr(), int(source.Port()))
-	if err != nil {
-		return nil, err
-	}
-	return &adapter.ConnectionOwner{ProcessPath: processName, UserId: -1}, nil
+	return FindDarwinConnectionOwner(network, source, destination)
 }

 var structSize = func() int {
@@ -47,107 +43,3 @@ var structSize = func() int {
 		return 384
 	}
 }()
-
-func findProcessName(network string, ip netip.Addr, port int) (string, error) {
-	var spath string
-	switch network {
-	case N.NetworkTCP:
-		spath = "net.inet.tcp.pcblist_n"
-	case N.NetworkUDP:
-		spath = "net.inet.udp.pcblist_n"
-	default:
-		return "", os.ErrInvalid
-	}
-
-	isIPv4 := ip.Is4()
-
-	value, err := unix.SysctlRaw(spath)
-	if err != nil {
-		return "", err
-	}
-
-	buf := value
-
-	// from darwin-xnu/bsd/netinet/in_pcblist.c:get_pcblist_n
-	// size/offset are round up (aligned) to 8 bytes in darwin
-	// rup8(sizeof(xinpcb_n)) + rup8(sizeof(xsocket_n)) +
-	// 2 * rup8(sizeof(xsockbuf_n)) + rup8(sizeof(xsockstat_n))
-	itemSize := structSize
-	if network == N.NetworkTCP {
-		// rup8(sizeof(xtcpcb_n))
-		itemSize += 208
-	}
-
-	var fallbackUDPProcess string
-	// skip the first xinpgen(24 bytes) block
-	for i := 24; i+itemSize <= len(buf); i += itemSize {
-		// offset of xinpcb_n and xsocket_n
-		inp, so := i, i+104
-
-		srcPort := binary.BigEndian.Uint16(buf[inp+18 : inp+20])
-		if uint16(port) != srcPort {
-			continue
-		}
-
-		// xinpcb_n.inp_vflag
-		flag := buf[inp+44]
-
-		var srcIP netip.Addr
-		srcIsIPv4 := false
-		switch {
-		case flag&0x1 > 0 && isIPv4:
-			// ipv4
-			srcIP = netip.AddrFrom4([4]byte(buf[inp+76 : inp+80]))
-			srcIsIPv4 = true
-		case flag&0x2 > 0 && !isIPv4:
-			// ipv6
-			srcIP = netip.AddrFrom16([16]byte(buf[inp+64 : inp+80]))
-		default:
-			continue
-		}
-
-		if ip == srcIP {
-			// xsocket_n.so_last_pid
-			pid := readNativeUint32(buf[so+68 : so+72])
-			return getExecPathFromPID(pid)
-		}
-
-		// udp packet connection may be not equal with srcIP
-		if network == N.NetworkUDP && srcIP.IsUnspecified() && isIPv4 == srcIsIPv4 {
-			pid := readNativeUint32(buf[so+68 : so+72])
-			fallbackUDPProcess, _ = getExecPathFromPID(pid)
-		}
-	}
-
-	if network == N.NetworkUDP && len(fallbackUDPProcess) > 0 {
-		return fallbackUDPProcess, nil
-	}
-
-	return "", ErrNotFound
-}
-
-func getExecPathFromPID(pid uint32) (string, error) {
-	const (
-		procpidpathinfo     = 0xb
-		procpidpathinfosize = 1024
-		proccallnumpidinfo  = 0x2
-	)
-	buf := make([]byte, procpidpathinfosize)
-	_, _, errno := syscall.Syscall6(
-		syscall.SYS_PROC_INFO,
-		proccallnumpidinfo,
-		uintptr(pid),
-		procpidpathinfo,
-		0,
-		uintptr(unsafe.Pointer(&buf[0])),
-		procpidpathinfosize)
-	if errno != 0 {
-		return "", errno
-	}
-
-	return unix.ByteSliceToString(buf), nil
-}
-
-func readNativeUint32(b []byte) uint32 {
-	return *(*uint32)(unsafe.Pointer(&b[0]))
-}
--- a/common/process/searcher_darwin_shared.go
+++ b/common/process/searcher_darwin_shared.go
@@ -0,0 +1,269 @@
+//go:build darwin
+
+package process
+
+import (
+	"encoding/binary"
+	"net/netip"
+	"os"
+	"sync"
+	"syscall"
+	"time"
+	"unsafe"
+
+	"github.com/sagernet/sing-box/adapter"
+	N "github.com/sagernet/sing/common/network"
+
+	"golang.org/x/sys/unix"
+)
+
+const (
+	darwinSnapshotTTL = 200 * time.Millisecond
+
+	darwinXinpgenSize        = 24
+	darwinXsocketOffset      = 104
+	darwinXinpcbForeignPort  = 16
+	darwinXinpcbLocalPort    = 18
+	darwinXinpcbVFlag        = 44
+	darwinXinpcbForeignAddr  = 48
+	darwinXinpcbLocalAddr    = 64
+	darwinXinpcbIPv4Addr     = 12
+	darwinXsocketUID         = 64
+	darwinXsocketLastPID     = 68
+	darwinTCPExtraStructSize = 208
+)
+
+type darwinConnectionEntry struct {
+	localAddr  netip.Addr
+	remoteAddr netip.Addr
+	localPort  uint16
+	remotePort uint16
+	pid        uint32
+	uid        int32
+}
+
+type darwinConnectionMatchKind uint8
+
+const (
+	darwinConnectionMatchExact darwinConnectionMatchKind = iota
+	darwinConnectionMatchLocalFallback
+	darwinConnectionMatchWildcardFallback
+)
+
+type darwinSnapshot struct {
+	createdAt time.Time
+	entries   []darwinConnectionEntry
+}
+
+type darwinConnectionFinder struct {
+	access    sync.Mutex
+	ttl       time.Duration
+	snapshots map[string]darwinSnapshot
+	builder   func(string) (darwinSnapshot, error)
+}
+
+var sharedDarwinConnectionFinder = newDarwinConnectionFinder(darwinSnapshotTTL)
+
+func newDarwinConnectionFinder(ttl time.Duration) *darwinConnectionFinder {
+	return &darwinConnectionFinder{
+		ttl:       ttl,
+		snapshots: make(map[string]darwinSnapshot),
+		builder:   buildDarwinSnapshot,
+	}
+}
+
+func FindDarwinConnectionOwner(network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
+	return sharedDarwinConnectionFinder.find(network, source, destination)
+}
+
+func (f *darwinConnectionFinder) find(network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
+	networkName := N.NetworkName(network)
+	source = normalizeDarwinAddrPort(source)
+	destination = normalizeDarwinAddrPort(destination)
+	var lastOwner *adapter.ConnectionOwner
+	for attempt := 0; attempt < 2; attempt++ {
+		snapshot, fromCache, err := f.loadSnapshot(networkName, attempt > 0)
+		if err != nil {
+			return nil, err
+		}
+		entry, matchKind, err := matchDarwinConnectionEntry(snapshot.entries, networkName, source, destination)
+		if err != nil {
+			if err == ErrNotFound && fromCache {
+				continue
+			}
+			return nil, err
+		}
+		if fromCache && matchKind != darwinConnectionMatchExact {
+			continue
+		}
+		owner := &adapter.ConnectionOwner{
+			UserId: entry.uid,
+		}
+		lastOwner = owner
+		if entry.pid == 0 {
+			return owner, nil
+		}
+		processPath, err := getExecPathFromPID(entry.pid)
+		if err == nil {
+			owner.ProcessPath = processPath
+			return owner, nil
+		}
+		if fromCache {
+			continue
+		}
+		return owner, nil
+	}
+	if lastOwner != nil {
+		return lastOwner, nil
+	}
+	return nil, ErrNotFound
+}
+
+func (f *darwinConnectionFinder) loadSnapshot(network string, forceRefresh bool) (darwinSnapshot, bool, error) {
+	f.access.Lock()
+	defer f.access.Unlock()
+	if !forceRefresh {
+		if snapshot, loaded := f.snapshots[network]; loaded && time.Since(snapshot.createdAt) < f.ttl {
+			return snapshot, true, nil
+		}
+	}
+	snapshot, err := f.builder(network)
+	if err != nil {
+		return darwinSnapshot{}, false, err
+	}
+	f.snapshots[network] = snapshot
+	return snapshot, false, nil
+}
+
+func buildDarwinSnapshot(network string) (darwinSnapshot, error) {
+	spath, itemSize, err := darwinSnapshotSettings(network)
+	if err != nil {
+		return darwinSnapshot{}, err
+	}
+	value, err := unix.SysctlRaw(spath)
+	if err != nil {
+		return darwinSnapshot{}, err
+	}
+	return darwinSnapshot{
+		createdAt: time.Now(),
+		entries:   parseDarwinSnapshot(value, itemSize),
+	}, nil
+}
+
+func darwinSnapshotSettings(network string) (string, int, error) {
+	itemSize := structSize
+	switch network {
+	case N.NetworkTCP:
+		return "net.inet.tcp.pcblist_n", itemSize + darwinTCPExtraStructSize, nil
+	case N.NetworkUDP:
+		return "net.inet.udp.pcblist_n", itemSize, nil
+	default:
+		return "", 0, os.ErrInvalid
+	}
+}
+
+func parseDarwinSnapshot(buf []byte, itemSize int) []darwinConnectionEntry {
+	entries := make([]darwinConnectionEntry, 0, (len(buf)-darwinXinpgenSize)/itemSize)
+	for i := darwinXinpgenSize; i+itemSize <= len(buf); i += itemSize {
+		inp := i
+		so := i + darwinXsocketOffset
+		entry, ok := parseDarwinConnectionEntry(buf[inp:so], buf[so:so+structSize-darwinXsocketOffset])
+		if ok {
+			entries = append(entries, entry)
+		}
+	}
+	return entries
+}
+
+func parseDarwinConnectionEntry(inp []byte, so []byte) (darwinConnectionEntry, bool) {
+	if len(inp) < darwinXsocketOffset || len(so) < structSize-darwinXsocketOffset {
+		return darwinConnectionEntry{}, false
+	}
+	entry := darwinConnectionEntry{
+		remotePort: binary.BigEndian.Uint16(inp[darwinXinpcbForeignPort : darwinXinpcbForeignPort+2]),
+		localPort:  binary.BigEndian.Uint16(inp[darwinXinpcbLocalPort : darwinXinpcbLocalPort+2]),
+		pid:        binary.NativeEndian.Uint32(so[darwinXsocketLastPID : darwinXsocketLastPID+4]),
+		uid:        int32(binary.NativeEndian.Uint32(so[darwinXsocketUID : darwinXsocketUID+4])),
+	}
+	flag := inp[darwinXinpcbVFlag]
+	switch {
+	case flag&0x1 != 0:
+		entry.remoteAddr = netip.AddrFrom4([4]byte(inp[darwinXinpcbForeignAddr+darwinXinpcbIPv4Addr : darwinXinpcbForeignAddr+darwinXinpcbIPv4Addr+4]))
+		entry.localAddr = netip.AddrFrom4([4]byte(inp[darwinXinpcbLocalAddr+darwinXinpcbIPv4Addr : darwinXinpcbLocalAddr+darwinXinpcbIPv4Addr+4]))
+		return entry, true
+	case flag&0x2 != 0:
+		entry.remoteAddr = netip.AddrFrom16([16]byte(inp[darwinXinpcbForeignAddr : darwinXinpcbForeignAddr+16]))
+		entry.localAddr = netip.AddrFrom16([16]byte(inp[darwinXinpcbLocalAddr : darwinXinpcbLocalAddr+16]))
+		return entry, true
+	default:
+		return darwinConnectionEntry{}, false
+	}
+}
+
+func matchDarwinConnectionEntry(entries []darwinConnectionEntry, network string, source netip.AddrPort, destination netip.AddrPort) (darwinConnectionEntry, darwinConnectionMatchKind, error) {
+	sourceAddr := source.Addr()
+	if !sourceAddr.IsValid() {
+		return darwinConnectionEntry{}, darwinConnectionMatchExact, os.ErrInvalid
+	}
+	var localFallback darwinConnectionEntry
+	var hasLocalFallback bool
+	var wildcardFallback darwinConnectionEntry
+	var hasWildcardFallback bool
+	for _, entry := range entries {
+		if entry.localPort != source.Port() || sourceAddr.BitLen() != entry.localAddr.BitLen() {
+			continue
+		}
+		if entry.localAddr == sourceAddr && destination.IsValid() && entry.remotePort == destination.Port() && entry.remoteAddr == destination.Addr() {
+			return entry, darwinConnectionMatchExact, nil
+		}
+		if !destination.IsValid() && entry.localAddr == sourceAddr {
+			return entry, darwinConnectionMatchExact, nil
+		}
+		if network != N.NetworkUDP {
+			continue
+		}
+		if !hasLocalFallback && entry.localAddr == sourceAddr {
+			hasLocalFallback = true
+			localFallback = entry
+		}
+		if !hasWildcardFallback && entry.localAddr.IsUnspecified() {
+			hasWildcardFallback = true
+			wildcardFallback = entry
+		}
+	}
+	if hasLocalFallback {
+		return localFallback, darwinConnectionMatchLocalFallback, nil
+	}
+	if hasWildcardFallback {
+		return wildcardFallback, darwinConnectionMatchWildcardFallback, nil
+	}
+	return darwinConnectionEntry{}, darwinConnectionMatchExact, ErrNotFound
+}
+
+func normalizeDarwinAddrPort(addrPort netip.AddrPort) netip.AddrPort {
+	if !addrPort.IsValid() {
+		return addrPort
+	}
+	return netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port())
+}
+
+func getExecPathFromPID(pid uint32) (string, error) {
+	const (
+		procpidpathinfo     = 0xb
+		procpidpathinfosize = 1024
+		proccallnumpidinfo  = 0x2
+	)
+	buf := make([]byte, procpidpathinfosize)
+	_, _, errno := syscall.Syscall6(
+		syscall.SYS_PROC_INFO,
+		proccallnumpidinfo,
+		uintptr(pid),
+		procpidpathinfo,
+		0,
+		uintptr(unsafe.Pointer(&buf[0])),
+		procpidpathinfosize)
+	if errno != 0 {
+		return "", errno
+	}
+	return unix.ByteSliceToString(buf), nil
+}
--- a/common/process/searcher_linux.go
+++ b/common/process/searcher_linux.go
@@ -4,33 +4,82 @@ package process

 import (
 	"context"
+	"errors"
 	"net/netip"
+	"syscall"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
+	E "github.com/sagernet/sing/common/exceptions"
 )

 var _ Searcher = (*linuxSearcher)(nil)

 type linuxSearcher struct {
-	logger log.ContextLogger
+	logger           log.ContextLogger
+	diagConns        [4]*socketDiagConn
+	processPathCache *uidProcessPathCache
 }

 func NewSearcher(config Config) (Searcher, error) {
-	return &linuxSearcher{config.Logger}, nil
+	searcher := &linuxSearcher{
+		logger:           config.Logger,
+		processPathCache: newUIDProcessPathCache(time.Second),
+	}
+	for _, family := range []uint8{syscall.AF_INET, syscall.AF_INET6} {
+		for _, protocol := range []uint8{syscall.IPPROTO_TCP, syscall.IPPROTO_UDP} {
+			searcher.diagConns[socketDiagConnIndex(family, protocol)] = newSocketDiagConn(family, protocol)
+		}
+	}
+	return searcher, nil
+}
+
+func (s *linuxSearcher) Close() error {
+	var errs []error
+	for _, conn := range s.diagConns {
+		if conn == nil {
+			continue
+		}
+		errs = append(errs, conn.Close())
+	}
+	return E.Errors(errs...)
 }

 func (s *linuxSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	inode, uid, err := resolveSocketByNetlink(network, source, destination)
+	inode, uid, err := s.resolveSocketByNetlink(network, source, destination)
 	if err != nil {
 		return nil, err
 	}
-	processPath, err := resolveProcessNameByProcSearch(inode, uid)
+	processInfo := &adapter.ConnectionOwner{
+		UserId: int32(uid),
+	}
+	processPath, err := s.processPathCache.findProcessPath(inode, uid)
 	if err != nil {
 		s.logger.DebugContext(ctx, "find process path: ", err)
+	} else {
+		processInfo.ProcessPath = processPath
 	}
-	return &adapter.ConnectionOwner{
-		UserId:      int32(uid),
-		ProcessPath: processPath,
-	}, nil
+	return processInfo, nil
+}
+
+func (s *linuxSearcher) resolveSocketByNetlink(network string, source netip.AddrPort, destination netip.AddrPort) (inode, uid uint32, err error) {
+	family, protocol, err := socketDiagSettings(network, source)
+	if err != nil {
+		return 0, 0, err
+	}
+	conn := s.diagConns[socketDiagConnIndex(family, protocol)]
+	if conn == nil {
+		return 0, 0, E.New("missing socket diag connection for family=", family, " protocol=", protocol)
+	}
+	if destination.IsValid() && source.Addr().BitLen() == destination.Addr().BitLen() {
+		inode, uid, err = conn.query(source, destination)
+		if err == nil {
+			return inode, uid, nil
+		}
+		if !errors.Is(err, ErrNotFound) {
+			return 0, 0, err
+		}
+	}
+	return querySocketDiagOnce(family, protocol, source)
 }
--- a/common/process/searcher_linux_shared.go
+++ b/common/process/searcher_linux_shared.go
@@ -3,43 +3,67 @@
 package process

 import (
-	"bytes"
 	"encoding/binary"
-	"fmt"
-	"net"
+	"errors"
 	"net/netip"
 	"os"
-	"path"
+	"path/filepath"
 	"strings"
+	"sync"
 	"syscall"
+	"time"
 	"unicode"
-	"unsafe"

-	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/contrab/freelru"
+	"github.com/sagernet/sing/contrab/maphash"
 )

-// from https://github.com/vishvananda/netlink/blob/bca67dfc8220b44ef582c9da4e9172bf1c9ec973/nl/nl_linux.go#L52-L62
-var nativeEndian = func() binary.ByteOrder {
-	var x uint32 = 0x01020304
-	if *(*byte)(unsafe.Pointer(&x)) == 0x01 {
-		return binary.BigEndian
-	}
-
-	return binary.LittleEndian
-}()
-
 const (
-	sizeOfSocketDiagRequest = syscall.SizeofNlMsghdr + 8 + 48
-	socketDiagByFamily      = 20
-	pathProc                = "/proc"
+	sizeOfSocketDiagRequestData = 56
+	sizeOfSocketDiagRequest     = syscall.SizeofNlMsghdr + sizeOfSocketDiagRequestData
+	socketDiagResponseMinSize   = 72
+	socketDiagByFamily          = 20
+	pathProc                    = "/proc"
 )

-func resolveSocketByNetlink(network string, source netip.AddrPort, destination netip.AddrPort) (inode, uid uint32, err error) {
-	var family uint8
-	var protocol uint8
+type socketDiagConn struct {
+	access   sync.Mutex
+	family   uint8
+	protocol uint8
+	fd       int
+}

+type uidProcessPathCache struct {
+	cache freelru.Cache[uint32, *uidProcessPaths]
+}
+
+type uidProcessPaths struct {
+	entries map[uint32]string
+}
+
+func newSocketDiagConn(family, protocol uint8) *socketDiagConn {
+	return &socketDiagConn{
+		family:   family,
+		protocol: protocol,
+		fd:       -1,
+	}
+}
+
+func socketDiagConnIndex(family, protocol uint8) int {
+	index := 0
+	if protocol == syscall.IPPROTO_UDP {
+		index += 2
+	}
+	if family == syscall.AF_INET6 {
+		index++
+	}
+	return index
+}
+
+func socketDiagSettings(network string, source netip.AddrPort) (family, protocol uint8, err error) {
 	switch network {
 	case N.NetworkTCP:
 		protocol = syscall.IPPROTO_TCP
@@ -48,151 +72,308 @@ func resolveSocketByNetlink(network string, source netip.AddrPort, destination n
 	default:
 		return 0, 0, os.ErrInvalid
 	}
-
-	if source.Addr().Is4() {
+	switch {
+	case source.Addr().Is4():
 		family = syscall.AF_INET
-	} else {
+	case source.Addr().Is6():
 		family = syscall.AF_INET6
+	default:
+		return 0, 0, os.ErrInvalid
 	}
-
-	req := packSocketDiagRequest(family, protocol, source)
-
-	socket, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM, syscall.NETLINK_INET_DIAG)
-	if err != nil {
-		return 0, 0, E.Cause(err, "dial netlink")
-	}
-	defer syscall.Close(socket)
-
-	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, &syscall.Timeval{Usec: 100})
-	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, &syscall.Timeval{Usec: 100})
-
-	err = syscall.Connect(socket, &syscall.SockaddrNetlink{
-		Family: syscall.AF_NETLINK,
-		Pad:    0,
-		Pid:    0,
-		Groups: 0,
-	})
-	if err != nil {
-		return
-	}
-
-	_, err = syscall.Write(socket, req)
-	if err != nil {
-		return 0, 0, E.Cause(err, "write netlink request")
-	}
-
-	buffer := buf.New()
-	defer buffer.Release()
-
-	n, err := syscall.Read(socket, buffer.FreeBytes())
-	if err != nil {
-		return 0, 0, E.Cause(err, "read netlink response")
-	}
-
-	buffer.Truncate(n)
-
-	messages, err := syscall.ParseNetlinkMessage(buffer.Bytes())
-	if err != nil {
-		return 0, 0, E.Cause(err, "parse netlink message")
-	} else if len(messages) == 0 {
-		return 0, 0, E.New("unexcepted netlink response")
-	}
-
-	message := messages[0]
-	if message.Header.Type&syscall.NLMSG_ERROR != 0 {
-		return 0, 0, E.New("netlink message: NLMSG_ERROR")
-	}
-
-	inode, uid = unpackSocketDiagResponse(&messages[0])
-	return
+	return family, protocol, nil
 }

-func packSocketDiagRequest(family, protocol byte, source netip.AddrPort) []byte {
-	s := make([]byte, 16)
-	copy(s, source.Addr().AsSlice())
-
-	buf := make([]byte, sizeOfSocketDiagRequest)
-
-	nativeEndian.PutUint32(buf[0:4], sizeOfSocketDiagRequest)
-	nativeEndian.PutUint16(buf[4:6], socketDiagByFamily)
-	nativeEndian.PutUint16(buf[6:8], syscall.NLM_F_REQUEST|syscall.NLM_F_DUMP)
-	nativeEndian.PutUint32(buf[8:12], 0)
-	nativeEndian.PutUint32(buf[12:16], 0)
-
-	buf[16] = family
-	buf[17] = protocol
-	buf[18] = 0
-	buf[19] = 0
-	nativeEndian.PutUint32(buf[20:24], 0xFFFFFFFF)
-
-	binary.BigEndian.PutUint16(buf[24:26], source.Port())
-	binary.BigEndian.PutUint16(buf[26:28], 0)
-
-	copy(buf[28:44], s)
-	copy(buf[44:60], net.IPv6zero)
-
-	nativeEndian.PutUint32(buf[60:64], 0)
-	nativeEndian.PutUint64(buf[64:72], 0xFFFFFFFFFFFFFFFF)
-
-	return buf
+func newUIDProcessPathCache(ttl time.Duration) *uidProcessPathCache {
+	cache := common.Must1(freelru.NewSharded[uint32, *uidProcessPaths](64, maphash.NewHasher[uint32]().Hash32))
+	cache.SetLifetime(ttl)
+	return &uidProcessPathCache{cache: cache}
 }

-func unpackSocketDiagResponse(msg *syscall.NetlinkMessage) (inode, uid uint32) {
-	if len(msg.Data) < 72 {
-		return 0, 0
+func (c *uidProcessPathCache) findProcessPath(targetInode, uid uint32) (string, error) {
+	if cached, ok := c.cache.Get(uid); ok {
+		if processPath, found := cached.entries[targetInode]; found {
+			return processPath, nil
+		}
 	}
-
-	data := msg.Data
-
-	uid = nativeEndian.Uint32(data[64:68])
-	inode = nativeEndian.Uint32(data[68:72])
-
-	return
-}
-
-func resolveProcessNameByProcSearch(inode, uid uint32) (string, error) {
-	files, err := os.ReadDir(pathProc)
+	processPaths, err := buildProcessPathByUIDCache(uid)
 	if err != nil {
 		return "", err
 	}
+	c.cache.Add(uid, &uidProcessPaths{entries: processPaths})
+	processPath, found := processPaths[targetInode]
+	if !found {
+		return "", E.New("process of uid(", uid, "), inode(", targetInode, ") not found")
+	}
+	return processPath, nil
+}

+func (c *socketDiagConn) Close() error {
+	c.access.Lock()
+	defer c.access.Unlock()
+	return c.closeLocked()
+}
+
+func (c *socketDiagConn) query(source netip.AddrPort, destination netip.AddrPort) (inode, uid uint32, err error) {
+	c.access.Lock()
+	defer c.access.Unlock()
+	request := packSocketDiagRequest(c.family, c.protocol, source, destination, false)
+	for attempt := 0; attempt < 2; attempt++ {
+		err = c.ensureOpenLocked()
+		if err != nil {
+			return 0, 0, E.Cause(err, "dial netlink")
+		}
+		inode, uid, err = querySocketDiag(c.fd, request)
+		if err == nil || errors.Is(err, ErrNotFound) {
+			return inode, uid, err
+		}
+		if !shouldRetrySocketDiag(err) {
+			return 0, 0, err
+		}
+		_ = c.closeLocked()
+	}
+	return 0, 0, err
+}
+
+func querySocketDiagOnce(family, protocol uint8, source netip.AddrPort) (inode, uid uint32, err error) {
+	fd, err := openSocketDiag()
+	if err != nil {
+		return 0, 0, E.Cause(err, "dial netlink")
+	}
+	defer syscall.Close(fd)
+	return querySocketDiag(fd, packSocketDiagRequest(family, protocol, source, netip.AddrPort{}, true))
+}
+
+func (c *socketDiagConn) ensureOpenLocked() error {
+	if c.fd != -1 {
+		return nil
+	}
+	fd, err := openSocketDiag()
+	if err != nil {
+		return err
+	}
+	c.fd = fd
+	return nil
+}
+
+func openSocketDiag() (int, error) {
+	fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM|syscall.SOCK_CLOEXEC, syscall.NETLINK_INET_DIAG)
+	if err != nil {
+		return -1, err
+	}
+	timeout := &syscall.Timeval{Usec: 100}
+	if err = syscall.SetsockoptTimeval(fd, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, timeout); err != nil {
+		syscall.Close(fd)
+		return -1, err
+	}
+	if err = syscall.SetsockoptTimeval(fd, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, timeout); err != nil {
+		syscall.Close(fd)
+		return -1, err
+	}
+	if err = syscall.Connect(fd, &syscall.SockaddrNetlink{
+		Family: syscall.AF_NETLINK,
+		Pid:    0,
+		Groups: 0,
+	}); err != nil {
+		syscall.Close(fd)
+		return -1, err
+	}
+	return fd, nil
+}
+
+func (c *socketDiagConn) closeLocked() error {
+	if c.fd == -1 {
+		return nil
+	}
+	err := syscall.Close(c.fd)
+	c.fd = -1
+	return err
+}
+
+func packSocketDiagRequest(family, protocol byte, source netip.AddrPort, destination netip.AddrPort, dump bool) []byte {
+	request := make([]byte, sizeOfSocketDiagRequest)
+
+	binary.NativeEndian.PutUint32(request[0:4], sizeOfSocketDiagRequest)
+	binary.NativeEndian.PutUint16(request[4:6], socketDiagByFamily)
+	flags := uint16(syscall.NLM_F_REQUEST)
+	if dump {
+		flags |= syscall.NLM_F_DUMP
+	}
+	binary.NativeEndian.PutUint16(request[6:8], flags)
+	binary.NativeEndian.PutUint32(request[8:12], 0)
+	binary.NativeEndian.PutUint32(request[12:16], 0)
+
+	request[16] = family
+	request[17] = protocol
+	request[18] = 0
+	request[19] = 0
+	if dump {
+		binary.NativeEndian.PutUint32(request[20:24], 0xFFFFFFFF)
+	}
+	requestSource := source
+	requestDestination := destination
+	if protocol == syscall.IPPROTO_UDP && !dump && destination.IsValid() {
+		// udp_dump_one expects the exact-match endpoints reversed for historical reasons.
+		requestSource, requestDestination = destination, source
+	}
+	binary.BigEndian.PutUint16(request[24:26], requestSource.Port())
+	binary.BigEndian.PutUint16(request[26:28], requestDestination.Port())
+	if family == syscall.AF_INET6 {
+		copy(request[28:44], requestSource.Addr().AsSlice())
+		if requestDestination.IsValid() {
+			copy(request[44:60], requestDestination.Addr().AsSlice())
+		}
+	} else {
+		copy(request[28:32], requestSource.Addr().AsSlice())
+		if requestDestination.IsValid() {
+			copy(request[44:48], requestDestination.Addr().AsSlice())
+		}
+	}
+	binary.NativeEndian.PutUint32(request[60:64], 0)
+	binary.NativeEndian.PutUint64(request[64:72], 0xFFFFFFFFFFFFFFFF)
+	return request
+}
+
+func querySocketDiag(fd int, request []byte) (inode, uid uint32, err error) {
+	_, err = syscall.Write(fd, request)
+	if err != nil {
+		return 0, 0, E.Cause(err, "write netlink request")
+	}
+	buffer := make([]byte, 64<<10)
+	n, err := syscall.Read(fd, buffer)
+	if err != nil {
+		return 0, 0, E.Cause(err, "read netlink response")
+	}
+	messages, err := syscall.ParseNetlinkMessage(buffer[:n])
+	if err != nil {
+		return 0, 0, E.Cause(err, "parse netlink message")
+	}
+	return unpackSocketDiagMessages(messages)
+}
+
+func unpackSocketDiagMessages(messages []syscall.NetlinkMessage) (inode, uid uint32, err error) {
+	for _, message := range messages {
+		switch message.Header.Type {
+		case syscall.NLMSG_DONE:
+			continue
+		case syscall.NLMSG_ERROR:
+			err = unpackSocketDiagError(&message)
+			if err != nil {
+				return 0, 0, err
+			}
+		case socketDiagByFamily:
+			inode, uid = unpackSocketDiagResponse(&message)
+			if inode != 0 || uid != 0 {
+				return inode, uid, nil
+			}
+		}
+	}
+	return 0, 0, ErrNotFound
+}
+
+func unpackSocketDiagResponse(msg *syscall.NetlinkMessage) (inode, uid uint32) {
+	if len(msg.Data) < socketDiagResponseMinSize {
+		return 0, 0
+	}
+	uid = binary.NativeEndian.Uint32(msg.Data[64:68])
+	inode = binary.NativeEndian.Uint32(msg.Data[68:72])
+	return inode, uid
+}
+
+func unpackSocketDiagError(msg *syscall.NetlinkMessage) error {
+	if len(msg.Data) < 4 {
+		return E.New("netlink message: NLMSG_ERROR")
+	}
+	errno := int32(binary.NativeEndian.Uint32(msg.Data[:4]))
+	if errno == 0 {
+		return nil
+	}
+	if errno < 0 {
+		errno = -errno
+	}
+	sysErr := syscall.Errno(errno)
+	switch sysErr {
+	case syscall.ENOENT, syscall.ESRCH:
+		return ErrNotFound
+	default:
+		return E.New("netlink message: ", sysErr)
+	}
+}
+
+func shouldRetrySocketDiag(err error) bool {
+	return err != nil && !errors.Is(err, ErrNotFound)
+}
+
+func buildProcessPathByUIDCache(uid uint32) (map[uint32]string, error) {
+	files, err := os.ReadDir(pathProc)
+	if err != nil {
+		return nil, err
+	}
 	buffer := make([]byte, syscall.PathMax)
-	socket := []byte(fmt.Sprintf("socket:[%d]", inode))
-
-	for _, f := range files {
-		if !f.IsDir() || !isPid(f.Name()) {
+	processPaths := make(map[uint32]string)
+	for _, file := range files {
+		if !file.IsDir() || !isPid(file.Name()) {
 			continue
 		}
-
-		info, err := f.Info()
+		info, err := file.Info()
 		if err != nil {
-			return "", err
+			if isIgnorableProcError(err) {
+				continue
+			}
+			return nil, err
 		}
 		if info.Sys().(*syscall.Stat_t).Uid != uid {
 			continue
 		}
-
-		processPath := path.Join(pathProc, f.Name())
-		fdPath := path.Join(processPath, "fd")
-
+		processPath := filepath.Join(pathProc, file.Name())
+		fdPath := filepath.Join(processPath, "fd")
+		exePath, err := os.Readlink(filepath.Join(processPath, "exe"))
+		if err != nil {
+			if isIgnorableProcError(err) {
+				continue
+			}
+			return nil, err
+		}
 		fds, err := os.ReadDir(fdPath)
 		if err != nil {
 			continue
 		}
-
 		for _, fd := range fds {
-			n, err := syscall.Readlink(path.Join(fdPath, fd.Name()), buffer)
+			n, err := syscall.Readlink(filepath.Join(fdPath, fd.Name()), buffer)
 			if err != nil {
 				continue
 			}
-
-			if bytes.Equal(buffer[:n], socket) {
-				return os.Readlink(path.Join(processPath, "exe"))
+			inode, ok := parseSocketInode(buffer[:n])
+			if !ok {
+				continue
+			}
+			if _, loaded := processPaths[inode]; !loaded {
+				processPaths[inode] = exePath
 			}
 		}
 	}
+	return processPaths, nil
+}

-	return "", fmt.Errorf("process of uid(%d),inode(%d) not found", uid, inode)
+func isIgnorableProcError(err error) bool {
+	return os.IsNotExist(err) || os.IsPermission(err)
+}
+
+func parseSocketInode(link []byte) (uint32, bool) {
+	const socketPrefix = "socket:["
+	if len(link) <= len(socketPrefix) || string(link[:len(socketPrefix)]) != socketPrefix || link[len(link)-1] != ']' {
+		return 0, false
+	}
+	var inode uint64
+	for _, char := range link[len(socketPrefix) : len(link)-1] {
+		if char < '0' || char > '9' {
+			return 0, false
+		}
+		inode = inode*10 + uint64(char-'0')
+		if inode > uint64(^uint32(0)) {
+			return 0, false
+		}
+	}
+	return uint32(inode), true
 }

 func isPid(s string) bool {
--- a/common/process/searcher_linux_shared_test.go
+++ b/common/process/searcher_linux_shared_test.go
@@ -0,0 +1,60 @@
+//go:build linux
+
+package process
+
+import (
+	"net"
+	"net/netip"
+	"os"
+	"syscall"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestQuerySocketDiagUDPExact(t *testing.T) {
+	t.Parallel()
+	server, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer server.Close()
+
+	client, err := net.DialUDP("udp4", nil, server.LocalAddr().(*net.UDPAddr))
+	require.NoError(t, err)
+	defer client.Close()
+
+	err = client.SetDeadline(time.Now().Add(time.Second))
+	require.NoError(t, err)
+	_, err = client.Write([]byte{0})
+	require.NoError(t, err)
+
+	err = server.SetReadDeadline(time.Now().Add(time.Second))
+	require.NoError(t, err)
+	buffer := make([]byte, 1)
+	_, _, err = server.ReadFromUDP(buffer)
+	require.NoError(t, err)
+
+	source := addrPortFromUDPAddr(t, client.LocalAddr())
+	destination := addrPortFromUDPAddr(t, client.RemoteAddr())
+
+	fd, err := openSocketDiag()
+	require.NoError(t, err)
+	defer syscall.Close(fd)
+
+	inode, uid, err := querySocketDiag(fd, packSocketDiagRequest(syscall.AF_INET, syscall.IPPROTO_UDP, source, destination, false))
+	require.NoError(t, err)
+	require.NotZero(t, inode)
+	require.EqualValues(t, os.Getuid(), uid)
+}
+
+func addrPortFromUDPAddr(t *testing.T, addr net.Addr) netip.AddrPort {
+	t.Helper()
+
+	udpAddr, ok := addr.(*net.UDPAddr)
+	require.True(t, ok)
+
+	ip, ok := netip.AddrFromSlice(udpAddr.IP)
+	require.True(t, ok)
+
+	return netip.AddrPortFrom(ip.Unmap(), uint16(udpAddr.Port))
+}
--- a/common/process/searcher_windows.go
+++ b/common/process/searcher_windows.go
@@ -28,6 +28,10 @@ func initWin32API() error {
 	return winiphlpapi.LoadExtendedTable()
 }

+func (s *windowsSearcher) Close() error {
+	return nil
+}
+
 func (s *windowsSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
 	pid, err := winiphlpapi.FindPid(network, source)
 	if err != nil {
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -25,6 +25,7 @@ const (
 	TypeTUIC         = "tuic"
 	TypeHysteria2    = "hysteria2"
 	TypeTailscale    = "tailscale"
+	TypeCloudflared  = "cloudflared"
 	TypeDERP         = "derp"
 	TypeResolved     = "resolved"
 	TypeSSMAPI       = "ssm-api"
@@ -88,6 +89,8 @@ func ProxyDisplayName(proxyType string) string {
 		return "AnyTLS"
 	case TypeTailscale:
 		return "Tailscale"
+	case TypeCloudflared:
+		return "Cloudflared"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:
--- a/daemon/started_service.go
+++ b/daemon/started_service.go
@@ -168,7 +168,7 @@ func (s *StartedService) waitForStarted(ctx context.Context) error {
 func (s *StartedService) StartOrReloadService(profileContent string, options *OverrideOptions) error {
 	s.serviceAccess.Lock()
 	switch s.serviceStatus.Status {
-	case ServiceStatus_IDLE, ServiceStatus_STARTED, ServiceStatus_STARTING:
+	case ServiceStatus_IDLE, ServiceStatus_STARTED, ServiceStatus_STARTING, ServiceStatus_FATAL:
 	default:
 		s.serviceAccess.Unlock()
 		return os.ErrInvalid
@@ -226,13 +226,14 @@ func (s *StartedService) CloseService() error {
 		return os.ErrInvalid
 	}
 	s.updateStatus(ServiceStatus_STOPPING)
-	if s.instance != nil {
-		err := s.instance.Close()
+	instance := s.instance
+	s.instance = nil
+	if instance != nil {
+		err := instance.Close()
 		if err != nil {
 			return s.updateStatusError(err)
 		}
 	}
-	s.instance = nil
 	s.startedAt = time.Time{}
 	s.updateStatus(ServiceStatus_IDLE)
 	s.serviceAccess.Unlock()
@@ -949,11 +950,11 @@ func buildConnectionProto(metadata *trafficontrol.TrackerMetadata) *Connection {
 	var processInfo *ProcessInfo
 	if metadata.Metadata.ProcessInfo != nil {
 		processInfo = &ProcessInfo{
-			ProcessId:   metadata.Metadata.ProcessInfo.ProcessID,
-			UserId:      metadata.Metadata.ProcessInfo.UserId,
-			UserName:    metadata.Metadata.ProcessInfo.UserName,
-			ProcessPath: metadata.Metadata.ProcessInfo.ProcessPath,
-			PackageName: metadata.Metadata.ProcessInfo.AndroidPackageName,
+			ProcessId:    metadata.Metadata.ProcessInfo.ProcessID,
+			UserId:       metadata.Metadata.ProcessInfo.UserId,
+			UserName:     metadata.Metadata.ProcessInfo.UserName,
+			ProcessPath:  metadata.Metadata.ProcessInfo.ProcessPath,
+			PackageNames: metadata.Metadata.ProcessInfo.AndroidPackageNames,
 		}
 	}
 	return &Connection{
--- a/daemon/started_service.pb.go
+++ b/daemon/started_service.pb.go
@@ -1460,7 +1460,7 @@ type ProcessInfo struct {
 	UserId        int32                  `protobuf:"varint,2,opt,name=userId,proto3" json:"userId,omitempty"`
 	UserName      string                 `protobuf:"bytes,3,opt,name=userName,proto3" json:"userName,omitempty"`
 	ProcessPath   string                 `protobuf:"bytes,4,opt,name=processPath,proto3" json:"processPath,omitempty"`
-	PackageName   string                 `protobuf:"bytes,5,opt,name=packageName,proto3" json:"packageName,omitempty"`
+	PackageNames  []string               `protobuf:"bytes,5,rep,name=packageNames,proto3" json:"packageNames,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -1523,11 +1523,11 @@ func (x *ProcessInfo) GetProcessPath() string {
 	return ""
 }

-func (x *ProcessInfo) GetPackageName() string {
+func (x *ProcessInfo) GetPackageNames() []string {
 	if x != nil {
-		return x.PackageName
+		return x.PackageNames
 	}
-	return ""
+	return nil
 }

 type CloseConnectionRequest struct {
@@ -1884,13 +1884,13 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\boutbound\x18\x13 \x01(\tR\boutbound\x12\"\n" +
 	"\foutboundType\x18\x14 \x01(\tR\foutboundType\x12\x1c\n" +
 	"\tchainList\x18\x15 \x03(\tR\tchainList\x125\n" +
-	"\vprocessInfo\x18\x16 \x01(\v2\x13.daemon.ProcessInfoR\vprocessInfo\"\xa3\x01\n" +
+	"\vprocessInfo\x18\x16 \x01(\v2\x13.daemon.ProcessInfoR\vprocessInfo\"\xa5\x01\n" +
 	"\vProcessInfo\x12\x1c\n" +
 	"\tprocessId\x18\x01 \x01(\rR\tprocessId\x12\x16\n" +
 	"\x06userId\x18\x02 \x01(\x05R\x06userId\x12\x1a\n" +
 	"\buserName\x18\x03 \x01(\tR\buserName\x12 \n" +
-	"\vprocessPath\x18\x04 \x01(\tR\vprocessPath\x12 \n" +
-	"\vpackageName\x18\x05 \x01(\tR\vpackageName\"(\n" +
+	"\vprocessPath\x18\x04 \x01(\tR\vprocessPath\x12\"\n" +
+	"\fpackageNames\x18\x05 \x03(\tR\fpackageNames\"(\n" +
 	"\x16CloseConnectionRequest\x12\x0e\n" +
 	"\x02id\x18\x01 \x01(\tR\x02id\"K\n" +
 	"\x12DeprecatedWarnings\x125\n" +
--- a/daemon/started_service.proto
+++ b/daemon/started_service.proto
@@ -195,7 +195,7 @@ message ProcessInfo {
  int32 userId = 2;
  string userName = 3;
  string processPath = 4;
-  string packageName = 5;
+  repeated string packageNames = 5;
 }

 message CloseConnectionRequest {
--- a/dns/client.go
+++ b/dns/client.go
@@ -324,16 +324,20 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 	} else {
 		strategy = options.Strategy
 	}
+	lookupOptions := options
+	if options.LookupStrategy != C.DomainStrategyAsIS {
+		lookupOptions.Strategy = strategy
+	}
 	if strategy == C.DomainStrategyIPv4Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
 	} else if strategy == C.DomainStrategyIPv6Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
 	}
 	var response4 []netip.Addr
 	var response6 []netip.Addr
 	var group task.Group
 	group.Append("exchange4", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
 		if err != nil {
 			return err
 		}
@@ -341,7 +345,7 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 		return nil
 	})
 	group.Append("exchange6", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
 		if err != nil {
 			return err
 		}
--- a/dns/router.go
+++ b/dns/router.go
@@ -195,7 +195,16 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 			}
 		}
 	}
-	return r.transport.Default(), nil, -1
+	transport := r.transport.Default()
+	if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+		if options.Strategy == C.DomainStrategyAsIS {
+			options.Strategy = legacyTransport.LegacyStrategy()
+		}
+		if !options.ClientSubnet.IsValid() {
+			options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+		}
+	}
+	return transport, nil, -1
 }

 func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
@@ -345,7 +354,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 		transport := options.Transport
 		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
 			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = r.defaultDomainStrategy
+				options.Strategy = legacyTransport.LegacyStrategy()
 			}
 			if !options.ClientSubnet.IsValid() {
 				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
--- a/dns/transport/connector.go
+++ b/dns/transport/connector.go
@@ -55,6 +55,12 @@ type contextKeyConnecting struct{}

 var errRecursiveConnectorDial = E.New("recursive connector dial")

+type connectorDialResult[T any] struct {
+	connection T
+	cancel     context.CancelFunc
+	err        error
+}
+
 func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 	var zero T
 	for {
@@ -100,41 +106,37 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 			return zero, err
 		}

-		c.connecting = make(chan struct{})
+		connecting := make(chan struct{})
+		c.connecting = connecting
+		dialContext := context.WithValue(ctx, contextKeyConnecting{}, c)
+		dialResult := make(chan connectorDialResult[T], 1)
 		c.access.Unlock()

-		dialContext := context.WithValue(ctx, contextKeyConnecting{}, c)
-		connection, cancel, err := c.dialWithCancellation(dialContext)
+		go func() {
+			connection, cancel, err := c.dialWithCancellation(dialContext)
+			dialResult <- connectorDialResult[T]{
+				connection: connection,
+				cancel:     cancel,
+				err:        err,
+			}
+		}()

-		c.access.Lock()
-		close(c.connecting)
-		c.connecting = nil
-
-		if err != nil {
-			c.access.Unlock()
-			return zero, err
-		}
-
-		if c.closed {
-			cancel()
-			c.callbacks.Close(connection)
-			c.access.Unlock()
+		select {
+		case result := <-dialResult:
+			return c.completeDial(ctx, connecting, result)
+		case <-ctx.Done():
+			go func() {
+				result := <-dialResult
+				_, _ = c.completeDial(ctx, connecting, result)
+			}()
+			return zero, ctx.Err()
+		case <-c.closeCtx.Done():
+			go func() {
+				result := <-dialResult
+				_, _ = c.completeDial(ctx, connecting, result)
+			}()
 			return zero, ErrTransportClosed
 		}
-		if err = ctx.Err(); err != nil {
-			cancel()
-			c.callbacks.Close(connection)
-			c.access.Unlock()
-			return zero, err
-		}
-
-		c.connection = connection
-		c.hasConnection = true
-		c.connectionCancel = cancel
-		result := c.connection
-		c.access.Unlock()
-
-		return result, nil
 	}
 }

@@ -143,6 +145,38 @@ func isRecursiveConnectorDial[T any](ctx context.Context, connector *Connector[T
 	return loaded && dialConnector == connector
 }

+func (c *Connector[T]) completeDial(ctx context.Context, connecting chan struct{}, result connectorDialResult[T]) (T, error) {
+	var zero T
+
+	c.access.Lock()
+	defer c.access.Unlock()
+	defer func() {
+		if c.connecting == connecting {
+			c.connecting = nil
+		}
+		close(connecting)
+	}()
+
+	if result.err != nil {
+		return zero, result.err
+	}
+	if c.closed || c.closeCtx.Err() != nil {
+		result.cancel()
+		c.callbacks.Close(result.connection)
+		return zero, ErrTransportClosed
+	}
+	if err := ctx.Err(); err != nil {
+		result.cancel()
+		c.callbacks.Close(result.connection)
+		return zero, err
+	}
+
+	c.connection = result.connection
+	c.hasConnection = true
+	c.connectionCancel = result.cancel
+	return c.connection, nil
+}
+
 func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, context.CancelFunc, error) {
 	var zero T
 	if err := ctx.Err(); err != nil {
--- a/dns/transport/connector_test.go
+++ b/dns/transport/connector_test.go
@@ -188,13 +188,157 @@ func TestConnectorCanceledRequestDoesNotCacheConnection(t *testing.T) {
 	err := <-result
 	require.ErrorIs(t, err, context.Canceled)
 	require.EqualValues(t, 1, dialCount.Load())
-	require.EqualValues(t, 1, closeCount.Load())
+	require.Eventually(t, func() bool {
+		return closeCount.Load() == 1
+	}, time.Second, 10*time.Millisecond)

 	_, err = connector.Get(context.Background())
 	require.NoError(t, err)
 	require.EqualValues(t, 2, dialCount.Load())
 }

+func TestConnectorCanceledRequestReturnsBeforeIgnoredDialCompletes(t *testing.T) {
+	t.Parallel()
+
+	var (
+		dialCount  atomic.Int32
+		closeCount atomic.Int32
+	)
+	dialStarted := make(chan struct{}, 1)
+	releaseDial := make(chan struct{})
+
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialCount.Add(1)
+		select {
+		case dialStarted <- struct{}{}:
+		default:
+		}
+		<-releaseDial
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	result := make(chan error, 1)
+	go func() {
+		_, err := connector.Get(requestContext)
+		result <- err
+	}()
+
+	<-dialStarted
+	cancel()
+
+	select {
+	case err := <-result:
+		require.ErrorIs(t, err, context.Canceled)
+	case <-time.After(time.Second):
+		t.Fatal("Get did not return after request cancel")
+	}
+
+	require.EqualValues(t, 1, dialCount.Load())
+	require.EqualValues(t, 0, closeCount.Load())
+
+	close(releaseDial)
+
+	require.Eventually(t, func() bool {
+		return closeCount.Load() == 1
+	}, time.Second, 10*time.Millisecond)
+
+	_, err := connector.Get(context.Background())
+	require.NoError(t, err)
+	require.EqualValues(t, 2, dialCount.Load())
+}
+
+func TestConnectorWaiterDoesNotStartNewDialBeforeCanceledDialCompletes(t *testing.T) {
+	t.Parallel()
+
+	var (
+		dialCount  atomic.Int32
+		closeCount atomic.Int32
+	)
+	firstDialStarted := make(chan struct{}, 1)
+	secondDialStarted := make(chan struct{}, 1)
+	releaseFirstDial := make(chan struct{})
+
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		attempt := dialCount.Add(1)
+		switch attempt {
+		case 1:
+			select {
+			case firstDialStarted <- struct{}{}:
+			default:
+			}
+			<-releaseFirstDial
+		case 2:
+			select {
+			case secondDialStarted <- struct{}{}:
+			default:
+			}
+		}
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	firstResult := make(chan error, 1)
+	go func() {
+		_, err := connector.Get(requestContext)
+		firstResult <- err
+	}()
+
+	<-firstDialStarted
+	cancel()
+
+	secondResult := make(chan error, 1)
+	go func() {
+		_, err := connector.Get(context.Background())
+		secondResult <- err
+	}()
+
+	select {
+	case <-secondDialStarted:
+		t.Fatal("second dial started before first dial completed")
+	case <-time.After(100 * time.Millisecond):
+	}
+
+	select {
+	case err := <-firstResult:
+		require.ErrorIs(t, err, context.Canceled)
+	case <-time.After(time.Second):
+		t.Fatal("first Get did not return after request cancel")
+	}
+
+	close(releaseFirstDial)
+
+	require.Eventually(t, func() bool {
+		return closeCount.Load() == 1
+	}, time.Second, 10*time.Millisecond)
+
+	select {
+	case <-secondDialStarted:
+	case <-time.After(time.Second):
+		t.Fatal("second dial did not start after first dial completed")
+	}
+
+	err := <-secondResult
+	require.NoError(t, err)
+	require.EqualValues(t, 2, dialCount.Load())
+}
+
 func TestConnectorDialContextNotCanceledByRequestContextAfterDial(t *testing.T) {
 	t.Parallel()

--- a/dns/transport/dhcp/dhcp_shared.go
+++ b/dns/transport/dhcp/dhcp_shared.go
@@ -7,7 +7,6 @@ import (
 	"strings"
 	"syscall"

-	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -40,13 +39,6 @@ func (t *Transport) exchangeParallel(ctx context.Context, servers []M.Socksaddr,
 	results := make(chan queryResult)
 	startRacer := func(ctx context.Context, fqdn string) {
 		response, err := t.tryOneName(ctx, servers, fqdn, message)
-		if err == nil {
-			if response.Rcode != mDNS.RcodeSuccess {
-				err = dns.RcodeError(response.Rcode)
-			} else if len(dns.MessageToAddresses(response)) == 0 {
-				err = dns.RcodeSuccess
-			}
-		}
 		select {
 		case results <- queryResult{response, err}:
 		case <-returned:
--- a/dns/transport/local/local.go
+++ b/dns/transport/local/local.go
@@ -81,10 +81,7 @@ func (t *Transport) Reset() {

 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	if t.resolved != nil {
-		resolverObject := t.resolved.Object()
-		if resolverObject != nil {
-			return t.resolved.Exchange(resolverObject, ctx, message)
-		}
+		return t.resolved.Exchange(ctx, message)
 	}
 	question := message.Question[0]
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
--- a/dns/transport/local/local_resolved.go
+++ b/dns/transport/local/local_resolved.go
@@ -9,6 +9,5 @@ import (
 type ResolvedResolver interface {
 	Start() error
 	Close() error
-	Object() any
-	Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
+	Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
 }
--- a/dns/transport/local/local_resolved_linux.go
+++ b/dns/transport/local/local_resolved_linux.go
@@ -4,19 +4,26 @@ import (
 	"bufio"
 	"context"
 	"errors"
+	"net/netip"
 	"os"
 	"strings"
 	"sync"
 	"sync/atomic"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
+	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	dnsTransport "github.com/sagernet/sing-box/dns/transport"
+	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/service/resolved"
 	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"

@@ -49,13 +56,23 @@ type DBusResolvedResolver struct {
 	interfaceMonitor  tun.DefaultInterfaceMonitor
 	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
 	systemBus         *dbus.Conn
-	resoledObject     atomic.Pointer[ResolvedObject]
+	savedServerSet    atomic.Pointer[resolvedServerSet]
 	closeOnce         sync.Once
 }

-type ResolvedObject struct {
-	dbus.BusObject
-	InterfaceIndex int32
+type resolvedServerSet struct {
+	servers []resolvedServer
+}
+
+type resolvedServer struct {
+	primaryTransport  adapter.DNSTransport
+	fallbackTransport adapter.DNSTransport
+}
+
+type resolvedServerSpecification struct {
+	address    netip.Addr
+	port       uint16
+	serverName string
 }

 func NewResolvedResolver(ctx context.Context, logger logger.ContextLogger) (ResolvedResolver, error) {
@@ -82,17 +99,31 @@ func (t *DBusResolvedResolver) Start() error {
 		"org.freedesktop.DBus",
 		"NameOwnerChanged",
 		dbus.WithMatchSender("org.freedesktop.DBus"),
-		dbus.WithMatchArg(0, "org.freedesktop.resolve1.Manager"),
+		dbus.WithMatchArg(0, "org.freedesktop.resolve1"),
 	).Err
 	if err != nil {
 		return E.Cause(err, "configure resolved restart listener")
 	}
+	err = t.systemBus.BusObject().AddMatchSignal(
+		"org.freedesktop.DBus.Properties",
+		"PropertiesChanged",
+		dbus.WithMatchSender("org.freedesktop.resolve1"),
+		dbus.WithMatchArg(0, "org.freedesktop.resolve1.Manager"),
+	).Err
+	if err != nil {
+		return E.Cause(err, "configure resolved properties listener")
+	}
 	go t.loopUpdateStatus()
 	return nil
 }

 func (t *DBusResolvedResolver) Close() error {
+	var closeErr error
 	t.closeOnce.Do(func() {
+		serverSet := t.savedServerSet.Swap(nil)
+		if serverSet != nil {
+			closeErr = serverSet.Close()
+		}
 		if t.interfaceCallback != nil {
 			t.interfaceMonitor.UnregisterCallback(t.interfaceCallback)
 		}
@@ -100,99 +131,97 @@ func (t *DBusResolvedResolver) Close() error {
 			_ = t.systemBus.Close()
 		}
 	})
-	return nil
+	return closeErr
 }

-func (t *DBusResolvedResolver) Object() any {
-	return common.PtrOrNil(t.resoledObject.Load())
-}
-
-func (t *DBusResolvedResolver) Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	question := message.Question[0]
-	resolvedObject := object.(*ResolvedObject)
-	call := resolvedObject.CallWithContext(
-		ctx,
-		"org.freedesktop.resolve1.Manager.ResolveRecord",
-		0,
-		resolvedObject.InterfaceIndex,
-		question.Name,
-		question.Qclass,
-		question.Qtype,
-		uint64(0),
-	)
-	if call.Err != nil {
-		var dbusError dbus.Error
-		if errors.As(call.Err, &dbusError) && dbusError.Name == "org.freedesktop.resolve1.NoNameServers" {
-			t.updateStatus()
+func (t *DBusResolvedResolver) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	serverSet := t.savedServerSet.Load()
+	if serverSet == nil {
+		var err error
+		serverSet, err = t.checkResolved(context.Background())
+		if err != nil {
+			return nil, err
+		}
+		previousServerSet := t.savedServerSet.Swap(serverSet)
+		if previousServerSet != nil {
+			_ = previousServerSet.Close()
 		}
-		return nil, E.Cause(call.Err, " resolve record via resolved")
 	}
-	var (
-		records  []resolved.ResourceRecord
-		outflags uint64
-	)
-	err := call.Store(&records, &outflags)
-	if err != nil {
+	response, err := t.exchangeServerSet(ctx, message, serverSet)
+	if err == nil {
+		return response, nil
+	}
+	t.updateStatus()
+	refreshedServerSet := t.savedServerSet.Load()
+	if refreshedServerSet == nil || refreshedServerSet == serverSet {
 		return nil, err
 	}
-	response := &mDNS.Msg{
-		MsgHdr: mDNS.MsgHdr{
-			Id:                 message.Id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              mDNS.RcodeSuccess,
-		},
-		Question: []mDNS.Question{question},
-	}
-	for _, record := range records {
-		var rr mDNS.RR
-		rr, _, err = mDNS.UnpackRR(record.Data, 0)
-		if err != nil {
-			return nil, E.Cause(err, "unpack resource record")
-		}
-		response.Answer = append(response.Answer, rr)
-	}
-	return response, nil
+	return t.exchangeServerSet(ctx, message, refreshedServerSet)
 }

 func (t *DBusResolvedResolver) loopUpdateStatus() {
 	signalChan := make(chan *dbus.Signal, 1)
 	t.systemBus.Signal(signalChan)
 	for signal := range signalChan {
-		var restarted bool
-		if signal.Name == "org.freedesktop.DBus.NameOwnerChanged" {
-			if len(signal.Body) != 3 || signal.Body[2].(string) == "" {
+		switch signal.Name {
+		case "org.freedesktop.DBus.NameOwnerChanged":
+			if len(signal.Body) != 3 {
+				continue
+			}
+			newOwner, loaded := signal.Body[2].(string)
+			if !loaded || newOwner == "" {
+				continue
+			}
+			t.updateStatus()
+		case "org.freedesktop.DBus.Properties.PropertiesChanged":
+			if !shouldUpdateResolvedServerSet(signal) {
 				continue
-			} else {
-				restarted = true
 			}
-		}
-		if restarted {
 			t.updateStatus()
 		}
 	}
 }

 func (t *DBusResolvedResolver) updateStatus() {
-	dbusObject, err := t.checkResolved(context.Background())
-	oldValue := t.resoledObject.Swap(dbusObject)
+	serverSet, err := t.checkResolved(context.Background())
+	oldServerSet := t.savedServerSet.Swap(serverSet)
+	if oldServerSet != nil {
+		_ = oldServerSet.Close()
+	}
 	if err != nil {
 		var dbusErr dbus.Error
-		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwnerCould" {
+		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwner" {
 			t.logger.Debug(E.Cause(err, "systemd-resolved service unavailable"))
 		}
-		if oldValue != nil {
+		if oldServerSet != nil {
 			t.logger.Debug("systemd-resolved service is gone")
 		}
 		return
-	} else if oldValue == nil {
+	} else if oldServerSet == nil {
 		t.logger.Debug("using systemd-resolved service as resolver")
 	}
 }

-func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObject, error) {
+func (t *DBusResolvedResolver) exchangeServerSet(ctx context.Context, message *mDNS.Msg, serverSet *resolvedServerSet) (*mDNS.Msg, error) {
+	if serverSet == nil || len(serverSet.servers) == 0 {
+		return nil, E.New("link has no DNS servers configured")
+	}
+	var lastError error
+	for _, server := range serverSet.servers {
+		response, err := server.primaryTransport.Exchange(ctx, message)
+		if err != nil && server.fallbackTransport != nil {
+			response, err = server.fallbackTransport.Exchange(ctx, message)
+		}
+		if err != nil {
+			lastError = err
+			continue
+		}
+		return response, nil
+	}
+	return nil, lastError
+}
+
+func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*resolvedServerSet, error) {
 	dbusObject := t.systemBus.Object("org.freedesktop.resolve1", "/org/freedesktop/resolve1")
 	err := dbusObject.Call("org.freedesktop.DBus.Peer.Ping", 0).Err
 	if err != nil {
@@ -220,16 +249,19 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 	if linkObject == nil {
 		return nil, E.New("missing link object for default interface")
 	}
-	dnsProp, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
+	dnsOverTLSMode, err := loadResolvedLinkDNSOverTLS(linkObject)
 	if err != nil {
 		return nil, err
 	}
-	var linkDNS []resolved.LinkDNS
-	err = dnsProp.Store(&linkDNS)
+	linkDNSEx, err := loadResolvedLinkDNSEx(linkObject)
 	if err != nil {
 		return nil, err
 	}
-	if len(linkDNS) == 0 {
+	linkDNS, err := loadResolvedLinkDNS(linkObject)
+	if err != nil {
+		return nil, err
+	}
+	if len(linkDNSEx) == 0 && len(linkDNS) == 0 {
 		for _, inbound := range service.FromContext[adapter.InboundManager](t.ctx).Inbounds() {
 			if inbound.Type() == C.TypeTun {
 				return nil, E.New("No appropriate name servers or networks for name found")
@@ -237,12 +269,233 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 		}
 		return nil, E.New("link has no DNS servers configured")
 	}
-	return &ResolvedObject{
-		BusObject:      dbusObject,
-		InterfaceIndex: int32(defaultInterface.Index),
+	serverDialer, err := dialer.NewDefault(t.ctx, option.DialerOptions{
+		BindInterface:      defaultInterface.Name,
+		UDPFragmentDefault: true,
+	})
+	if err != nil {
+		return nil, err
+	}
+	var serverSpecifications []resolvedServerSpecification
+	if len(linkDNSEx) > 0 {
+		for _, entry := range linkDNSEx {
+			serverSpecification, loaded := buildResolvedServerSpecification(defaultInterface.Name, entry.Address, entry.Port, entry.Name)
+			if !loaded {
+				continue
+			}
+			serverSpecifications = append(serverSpecifications, serverSpecification)
+		}
+	} else {
+		for _, entry := range linkDNS {
+			serverSpecification, loaded := buildResolvedServerSpecification(defaultInterface.Name, entry.Address, 0, "")
+			if !loaded {
+				continue
+			}
+			serverSpecifications = append(serverSpecifications, serverSpecification)
+		}
+	}
+	if len(serverSpecifications) == 0 {
+		return nil, E.New("no valid DNS servers on link")
+	}
+	serverSet := &resolvedServerSet{
+		servers: make([]resolvedServer, 0, len(serverSpecifications)),
+	}
+	for _, serverSpecification := range serverSpecifications {
+		server, createErr := t.createResolvedServer(serverDialer, dnsOverTLSMode, serverSpecification)
+		if createErr != nil {
+			_ = serverSet.Close()
+			return nil, createErr
+		}
+		serverSet.servers = append(serverSet.servers, server)
+	}
+	return serverSet, nil
+}
+
+func (t *DBusResolvedResolver) createResolvedServer(serverDialer N.Dialer, dnsOverTLSMode string, serverSpecification resolvedServerSpecification) (resolvedServer, error) {
+	if dnsOverTLSMode == "yes" {
+		primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, true)
+		if err != nil {
+			return resolvedServer{}, err
+		}
+		return resolvedServer{
+			primaryTransport: primaryTransport,
+		}, nil
+	}
+	if dnsOverTLSMode == "opportunistic" {
+		primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, true)
+		if err != nil {
+			return resolvedServer{}, err
+		}
+		fallbackTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, false)
+		if err != nil {
+			_ = primaryTransport.Close()
+			return resolvedServer{}, err
+		}
+		return resolvedServer{
+			primaryTransport:  primaryTransport,
+			fallbackTransport: fallbackTransport,
+		}, nil
+	}
+	primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, false)
+	if err != nil {
+		return resolvedServer{}, err
+	}
+	return resolvedServer{
+		primaryTransport: primaryTransport,
 	}, nil
 }

+func (t *DBusResolvedResolver) createResolvedTransport(serverDialer N.Dialer, serverSpecification resolvedServerSpecification, useTLS bool) (adapter.DNSTransport, error) {
+	serverAddress := M.SocksaddrFrom(serverSpecification.address, resolvedServerPort(serverSpecification.port, useTLS))
+	if useTLS {
+		tlsAddress := serverSpecification.address
+		if tlsAddress.Zone() != "" {
+			tlsAddress = tlsAddress.WithZone("")
+		}
+		serverName := serverSpecification.serverName
+		if serverName == "" {
+			serverName = tlsAddress.String()
+		}
+		tlsConfig, err := tls.NewClient(t.ctx, t.logger, tlsAddress.String(), option.OutboundTLSOptions{
+			Enabled:    true,
+			ServerName: serverName,
+		})
+		if err != nil {
+			return nil, err
+		}
+		serverTransport := dnsTransport.NewTLSRaw(t.logger, dns.NewTransportAdapter(C.DNSTypeTLS, "", nil), serverDialer, serverAddress, tlsConfig)
+		err = serverTransport.Start(adapter.StartStateStart)
+		if err != nil {
+			_ = serverTransport.Close()
+			return nil, err
+		}
+		return serverTransport, nil
+	}
+	serverTransport := dnsTransport.NewUDPRaw(t.logger, dns.NewTransportAdapter(C.DNSTypeUDP, "", nil), serverDialer, serverAddress)
+	err := serverTransport.Start(adapter.StartStateStart)
+	if err != nil {
+		_ = serverTransport.Close()
+		return nil, err
+	}
+	return serverTransport, nil
+}
+
+func (s *resolvedServerSet) Close() error {
+	var errors []error
+	for _, server := range s.servers {
+		errors = append(errors, server.primaryTransport.Close())
+		if server.fallbackTransport != nil {
+			errors = append(errors, server.fallbackTransport.Close())
+		}
+	}
+	return E.Errors(errors...)
+}
+
+func buildResolvedServerSpecification(interfaceName string, rawAddress []byte, port uint16, serverName string) (resolvedServerSpecification, bool) {
+	address, loaded := netip.AddrFromSlice(rawAddress)
+	if !loaded {
+		return resolvedServerSpecification{}, false
+	}
+	if address.Is6() && address.IsLinkLocalUnicast() && address.Zone() == "" {
+		address = address.WithZone(interfaceName)
+	}
+	return resolvedServerSpecification{
+		address:    address,
+		port:       port,
+		serverName: serverName,
+	}, true
+}
+
+func resolvedServerPort(port uint16, useTLS bool) uint16 {
+	if port > 0 {
+		return port
+	}
+	if useTLS {
+		return 853
+	}
+	return 53
+}
+
+func loadResolvedLinkDNS(linkObject dbus.BusObject) ([]resolved.LinkDNS, error) {
+	dnsProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
+	if err != nil {
+		if isResolvedUnknownPropertyError(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	var linkDNS []resolved.LinkDNS
+	err = dnsProperty.Store(&linkDNS)
+	if err != nil {
+		return nil, err
+	}
+	return linkDNS, nil
+}
+
+func loadResolvedLinkDNSEx(linkObject dbus.BusObject) ([]resolved.LinkDNSEx, error) {
+	dnsProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNSEx")
+	if err != nil {
+		if isResolvedUnknownPropertyError(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	var linkDNSEx []resolved.LinkDNSEx
+	err = dnsProperty.Store(&linkDNSEx)
+	if err != nil {
+		return nil, err
+	}
+	return linkDNSEx, nil
+}
+
+func loadResolvedLinkDNSOverTLS(linkObject dbus.BusObject) (string, error) {
+	dnsOverTLSProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNSOverTLS")
+	if err != nil {
+		if isResolvedUnknownPropertyError(err) {
+			return "", nil
+		}
+		return "", err
+	}
+	var dnsOverTLSMode string
+	err = dnsOverTLSProperty.Store(&dnsOverTLSMode)
+	if err != nil {
+		return "", err
+	}
+	return dnsOverTLSMode, nil
+}
+
+func isResolvedUnknownPropertyError(err error) bool {
+	var dbusError dbus.Error
+	return errors.As(err, &dbusError) && dbusError.Name == "org.freedesktop.DBus.Error.UnknownProperty"
+}
+
+func shouldUpdateResolvedServerSet(signal *dbus.Signal) bool {
+	if len(signal.Body) != 3 {
+		return true
+	}
+	changedProperties, loaded := signal.Body[1].(map[string]dbus.Variant)
+	if !loaded {
+		return true
+	}
+	for propertyName := range changedProperties {
+		switch propertyName {
+		case "DNS", "DNSEx", "DNSOverTLS":
+			return true
+		}
+	}
+	invalidatedProperties, loaded := signal.Body[2].([]string)
+	if !loaded {
+		return true
+	}
+	for _, propertyName := range invalidatedProperties {
+		switch propertyName {
+		case "DNS", "DNSEx", "DNSOverTLS":
+			return true
+		}
+	}
+	return false
+}
+
 func (t *DBusResolvedResolver) updateDefaultInterface(defaultInterface *control.Interface, flags int) {
 	t.updateStatus()
 }
--- a/dns/transport/local/local_shared.go
+++ b/dns/transport/local/local_shared.go
@@ -7,7 +7,6 @@ import (
 	"syscall"
 	"time"

-	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -49,13 +48,6 @@ func (t *Transport) exchangeParallel(ctx context.Context, systemConfig *dnsConfi
 	results := make(chan queryResult)
 	startRacer := func(ctx context.Context, fqdn string) {
 		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
-		if err == nil {
-			if response.Rcode != mDNS.RcodeSuccess {
-				err = dns.RcodeError(response.Rcode)
-			} else if len(dns.MessageToAddresses(response)) == 0 {
-				err = E.New(fqdn, ": empty result")
-			}
-		}
 		select {
 		case results <- queryResult{response, err}:
 		case <-returned:
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,6 +2,46 @@
 icon: material/alert-decagram
 ---

+#### 1.13.6
+
+* Fixes and improvements
+
+#### 1.13.5
+
+* Fixes and improvements
+
+#### 1.13.4
+
+* Fixes and improvements
+
+#### 1.13.3
+
+* Add OpenWrt and Alpine APK packages to release **1**
+* Backport to macOS 10.13 High Sierra **2**
+* OCM service: Add WebSocket support for Responses API **3**
+* Fixes and improvements
+
+**1**:
+
+Alpine APK files use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix:
+
+- OpenWrt: `sing-box_{version}_openwrt_{architecture}.apk`
+- Alpine: `sing-box_{version}_linux_{architecture}.apk`
+
+**2**:
+
+Legacy macOS binaries (with `-legacy-macos-10.13` suffix) now support
+macOS 10.13 High Sierra, built using Go 1.25 with patches
+from [SagerNet/go](https://github.com/SagerNet/go).
+
+**3**:
+
+See [OCM](/configuration/service/ocm).
+
+#### 1.13.2
+
+* Fixes and improvements
+
 #### 1.13.1

 * Fixes and improvements
--- a/docs/configuration/dns/fakeip.zh.md
+++ b/docs/configuration/dns/fakeip.zh.md
@@ -4,7 +4,7 @@ icon: material/delete-clock

 !!! failure "已在 sing-box 1.12.0 废弃"

-    旧的 fake-ip 配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-to-new-dns-servers)。
+    旧的 fake-ip 配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。

 ### 结构

--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -209,7 +209,7 @@ icon: material/alert-decagram
    (`source_port` || `source_port_range`) &&  
    `other fields`

-    Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.
+    Additionally, each branch inside an included rule-set can be considered merged into the outer rule, while different branches keep OR semantics.

 #### inbound

@@ -546,4 +546,4 @@ Match any IP with query response.

 #### rules

-Included rules.
+Included rules.
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -208,7 +208,7 @@ icon: material/alert-decagram
    (`source_port` || `source_port_range`) &&  
    `other fields`

-    另外，引用的规则集可视为被合并，而不是作为一个单独的规则子项。
+    另外，引用规则集中的每个分支都可视为与外层规则合并，不同分支之间仍保持 OR 语义。

 #### inbound

@@ -256,7 +256,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 !!! failure "已在 sing-box 1.12.0 中被移除"

-    GeoSite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geosite)。
+    GeoSite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。

 匹配 Geosite。

@@ -264,7 +264,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 !!! failure "已在 sing-box 1.12.0 中被移除"

-    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。

 匹配源 GeoIP。

@@ -453,7 +453,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 !!! failure "已在 sing-box 1.12.0 废弃"

-    `outbound` 规则项已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver)。
+    `outbound` 规则项已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-outbound-dns-规则项到域解析选项)。

 匹配出站。

@@ -505,7 +505,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 !!! failure "已在 sing-box 1.12.0 中被移除"

-    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。


 与查询响应匹配 GeoIP。
@@ -550,4 +550,4 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 ==必填==

-包括的规则。
+包括的规则。
--- a/docs/configuration/dns/server/http3.zh.md
+++ b/docs/configuration/dns/server/http3.zh.md
@@ -64,7 +64,7 @@ DNS 服务器的路径。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 ### 拨号字段

--- a/docs/configuration/dns/server/https.zh.md
+++ b/docs/configuration/dns/server/https.zh.md
@@ -64,7 +64,7 @@ DNS 服务器的路径。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 ### 拨号字段

--- a/docs/configuration/dns/server/legacy.zh.md
+++ b/docs/configuration/dns/server/legacy.zh.md
@@ -4,7 +4,7 @@ icon: material/delete-clock

 !!! failure "Deprecated in sing-box 1.12.0"

-    旧的 DNS 服务器配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-to-new-dns-servers)。
+    旧的 DNS 服务器配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。

 !!! quote "sing-box 1.9.0 中的更改"

--- a/docs/configuration/dns/server/quic.zh.md
+++ b/docs/configuration/dns/server/quic.zh.md
@@ -51,7 +51,7 @@ DNS 服务器的端口。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 ### 拨号字段

--- a/docs/configuration/dns/server/tls.zh.md
+++ b/docs/configuration/dns/server/tls.zh.md
@@ -51,7 +51,7 @@ DNS 服务器的端口。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 ### 拨号字段

--- a/docs/configuration/experimental/cache-file.zh.md
+++ b/docs/configuration/experimental/cache-file.zh.md
@@ -42,7 +42,7 @@

 将拒绝的 DNS 响应缓存存储在缓存文件中。

-[地址筛选 DNS 规则项](/zh/configuration/dns/rule/#_3) 的检查结果将被缓存至过期。
+[地址筛选 DNS 规则项](/zh/configuration/dns/rule/#地址筛选字段) 的检查结果将被缓存至过期。

 #### rdrc_timeout

--- a/docs/configuration/experimental/v2ray-api.zh.md
+++ b/docs/configuration/experimental/v2ray-api.zh.md
@@ -1,6 +1,6 @@
 !!! quote ""

-    默认安装不包含 V2Ray API，参阅 [安装](/zh/installation/build-from-source/#_5)。
+    默认安装不包含 V2Ray API，参阅 [安装](/zh/installation/build-from-source/#构建标记)。

 ### 结构

--- a/docs/configuration/inbound/anytls.zh.md
+++ b/docs/configuration/inbound/anytls.zh.md
@@ -58,4 +58,4 @@ AnyTLS 填充方案行数组。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
--- a/docs/configuration/inbound/http.zh.md
+++ b/docs/configuration/inbound/http.zh.md
@@ -26,7 +26,7 @@

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 #### users

--- a/docs/configuration/inbound/hysteria.zh.md
+++ b/docs/configuration/inbound/hysteria.zh.md
@@ -104,4 +104,4 @@ base64 编码的认证密码。

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
--- a/docs/configuration/inbound/hysteria2.zh.md
+++ b/docs/configuration/inbound/hysteria2.zh.md
@@ -38,7 +38,7 @@ icon: material/alert-decagram
 !!! warning "与官方 Hysteria2 的区别"

    官方程序支持一种名为 **userpass** 的验证方式，
-    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
    要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。

 ### 监听字段
@@ -85,7 +85,7 @@ Hysteria 用户

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 #### masquerade

--- a/docs/configuration/inbound/naive.zh.md
+++ b/docs/configuration/inbound/naive.zh.md
@@ -60,4 +60,4 @@ QUIC 拥塞控制算法。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
--- a/docs/configuration/inbound/shadowsocks.zh.md
+++ b/docs/configuration/inbound/shadowsocks.zh.md
@@ -93,4 +93,4 @@

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
--- a/docs/configuration/inbound/trojan.zh.md
+++ b/docs/configuration/inbound/trojan.zh.md
@@ -43,7 +43,7 @@ Trojan 用户。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 #### fallback

@@ -61,7 +61,7 @@ TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。

 #### transport

--- a/docs/configuration/inbound/tuic.zh.md
+++ b/docs/configuration/inbound/tuic.zh.md
@@ -75,4 +75,4 @@ QUIC 拥塞控制算法

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -2,6 +2,15 @@
 icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [include_mac_address](#include_mac_address)
+    :material-plus: [exclude_mac_address](#exclude_mac_address)
+
+!!! quote "Changes in sing-box 1.13.3"
+
+    :material-alert: [strict_route](#strict_route)
+
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
@@ -348,6 +357,9 @@ Enforce strict routing rules when `auto_route` is enabled:

 * Let unsupported network unreachable
 * For legacy reasons, when neither `strict_route` nor `auto_redirect` are enabled, all ICMP traffic will not go through TUN.
+* When `auto_redirect` is enabled, `strict_route` also affects `SO_BINDTODEVICE` traffic:
+    * Enabled: `SO_BINDTODEVICE` traffic is redirected through sing-box.
+    * Disabled: `SO_BINDTODEVICE` traffic bypasses sing-box.

 *In Windows*:

--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -2,6 +2,10 @@
 icon: material/new-box
 ---

+!!! quote "sing-box 1.13.3 中的更改"
+
+    :material-alert: [strict_route](#strict_route)
+
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
@@ -347,6 +351,9 @@ tun 接口的 IPv6 前缀。

 * 使不支持的网络不可达。
 * 出于历史遗留原因，当未启用 `strict_route` 或 `auto_redirect` 时，所有 ICMP 流量将不会通过 TUN。
+* 当启用 `auto_redirect` 时，`strict_route` 也影响 `SO_BINDTODEVICE` 流量：
+    * 启用：`SO_BINDTODEVICE` 流量被重定向通过 sing-box。
+    * 禁用：`SO_BINDTODEVICE` 流量绕过 sing-box。

 *在 Windows 中*：

--- a/docs/configuration/inbound/vless.zh.md
+++ b/docs/configuration/inbound/vless.zh.md
@@ -48,11 +48,11 @@ VLESS 子协议。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。

 #### transport

--- a/docs/configuration/inbound/vmess.zh.md
+++ b/docs/configuration/inbound/vmess.zh.md
@@ -43,11 +43,11 @@ VMess 用户。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。

 #### transport

--- a/docs/configuration/outbound/anytls.zh.md
+++ b/docs/configuration/outbound/anytls.zh.md
@@ -59,7 +59,7 @@ AnyTLS 密码。

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 ### 拨号字段

--- a/docs/configuration/outbound/direct.zh.md
+++ b/docs/configuration/outbound/direct.zh.md
@@ -4,8 +4,8 @@ icon: material/alert-decagram

 !!! quote "sing-box 1.11.0 中的更改"

-    :material-alert-decagram: [override_address](#override_address)  
-    :material-alert-decagram: [override_port](#override_port)
+    :material-delete-clock: [override_address](#override_address)  
+    :material-delete-clock: [override_port](#override_port)

 `direct` 出站直接发送请求。

@@ -29,7 +29,7 @@ icon: material/alert-decagram

 !!! failure "已在 sing-box 1.11.0 废弃"

-    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-destination-override-fields-to-route-options)。
+    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-direct-出站中的目标地址覆盖字段到路由字段)。

 覆盖连接目标地址。

@@ -37,7 +37,7 @@ icon: material/alert-decagram

 !!! failure "已在 sing-box 1.11.0 废弃"

-    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-destination-override-fields-to-route-options)。
+    目标覆盖字段在 sing-box 1.11.0 中已废弃，并将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-direct-出站中的目标地址覆盖字段到路由字段)。

 覆盖连接目标端口。

--- a/docs/configuration/outbound/dns.zh.md
+++ b/docs/configuration/outbound/dns.zh.md
@@ -4,7 +4,7 @@ icon: material/delete-clock

 !!! failure "已在 sing-box 1.11.0 废弃"

-    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除, 参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
+    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除, 参阅 [迁移指南](/zh/migration/#迁移旧的特殊出站到规则动作). 

 `dns` 出站是一个内部 DNS 服务器。

--- a/docs/configuration/outbound/http.zh.md
+++ b/docs/configuration/outbound/http.zh.md
@@ -51,7 +51,7 @@ HTTP 请求的额外标头。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 ### 拨号字段

--- a/docs/configuration/outbound/hysteria.zh.md
+++ b/docs/configuration/outbound/hysteria.zh.md
@@ -134,7 +134,7 @@ base64 编码的认证密码。

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。


 ### 拨号字段
--- a/docs/configuration/outbound/hysteria2.zh.md
+++ b/docs/configuration/outbound/hysteria2.zh.md
@@ -38,7 +38,7 @@
 !!! warning "与官方 Hysteria2 的区别"

    官方程序支持一种名为 **userpass** 的验证方式，
-    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
    要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。

 ### 字段
@@ -105,7 +105,7 @@ QUIC 流量混淆器密码.

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 #### brutal_debug

--- a/docs/configuration/outbound/naive.md
+++ b/docs/configuration/outbound/naive.md
@@ -34,10 +34,12 @@ icon: material/new-box

    | Build Variant | Platforms | Description |
    |---------------|-----------|-------------|
-    | (default)     | Linux amd64/arm64 | purego build with `libcronet.so` included |
-    | `-glibc`      | Linux 386/amd64/arm/arm64 | CGO build dynamically linked with glibc, requires glibc >= 2.31 |
-    | `-musl`       | Linux 386/amd64/arm/arm64 | CGO build statically linked with musl, no system requirements |
-    | (default)     | Windows amd64/arm64 | purego build with `libcronet.dll` included |
+    | (no suffix) | Linux amd64/arm64 | purego build, `libcronet.so` included |
+    | `-glibc` | Linux 386/amd64/arm/arm64/mipsle/mips64le/riscv64/loong64 | CGO build, dynamically linked with glibc, requires glibc >= 2.31 (loong64: >= 2.36) |
+    | `-musl` | Linux 386/amd64/arm/arm64/mipsle/riscv64/loong64 | CGO build, statically linked with musl |
+    | (no suffix) | Windows amd64/arm64 | purego build, `libcronet.dll` included |
+
+    For Linux, choose the glibc or musl variant based on your distribution's libc type.

    **Runtime Requirements:**

--- a/docs/configuration/outbound/naive.zh.md
+++ b/docs/configuration/outbound/naive.zh.md
@@ -32,12 +32,14 @@ icon: material/new-box

    **官方发布版本区别：**

-    | 构建变体      | 平台                     | 说明                                       |
-    |-----------|------------------------|------------------------------------------|
-    | (默认)      | Linux amd64/arm64      | purego 构建，包含 `libcronet.so`              |
-    | `-glibc`  | Linux 386/amd64/arm/arm64 | CGO 构建，动态链接 glibc，要求 glibc >= 2.31       |
-    | `-musl`   | Linux 386/amd64/arm/arm64 | CGO 构建，静态链接 musl，无系统要求                   |
-    | (默认)      | Windows amd64/arm64 | purego 构建，包含 `libcronet.dll`             |
+    | 构建变体 | 平台 | 说明 |
+    |---|---|---|
+    | (无后缀) | Linux amd64/arm64 | purego 构建，包含 `libcronet.so` |
+    | `-glibc` | Linux 386/amd64/arm/arm64/mipsle/mips64le/riscv64/loong64 | CGO 构建，动态链接 glibc，要求 glibc >= 2.31（loong64: >= 2.36） |
+    | `-musl` | Linux 386/amd64/arm/arm64/mipsle/riscv64/loong64 | CGO 构建，静态链接 musl |
+    | (无后缀) | Windows amd64/arm64 | purego 构建，包含 `libcronet.dll` |
+
+    对于 Linux，请根据发行版的 libc 类型选择 glibc 或 musl 变体。

    **运行时要求：**

@@ -103,7 +105,7 @@ QUIC 拥塞控制算法。

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 只有 `server_name`、`certificate`、`certificate_path` 和 `ech` 是被支持的。

--- a/docs/configuration/outbound/selector.zh.md
+++ b/docs/configuration/outbound/selector.zh.md
@@ -17,7 +17,7 @@

 !!! quote ""

-    选择器目前只能通过 [Clash API](/zh/configuration/experimental#clash-api) 来控制。
+    选择器目前只能通过 [Clash API](/zh/configuration/experimental/clash-api/) 来控制。

 ### 字段

--- a/docs/configuration/outbound/shadowsocks.zh.md
+++ b/docs/configuration/outbound/shadowsocks.zh.md
@@ -95,7 +95,7 @@ UDP over TCP 配置。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。

 ### 拨号字段

--- a/docs/configuration/outbound/shadowtls.zh.md
+++ b/docs/configuration/outbound/shadowtls.zh.md
@@ -49,7 +49,7 @@ ShadowTLS 协议版本。

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 ### 拨号字段

--- a/docs/configuration/outbound/tor.zh.md
+++ b/docs/configuration/outbound/tor.zh.md
@@ -18,7 +18,7 @@

 !!! info ""

-    默认安装不包含嵌入式 Tor, 参阅 [安装](/zh/installation/build-from-source/#_5)。
+    默认安装不包含嵌入式 Tor, 参阅 [安装](/zh/installation/build-from-source/#构建标记)。

 ### 字段

--- a/docs/configuration/outbound/trojan.zh.md
+++ b/docs/configuration/outbound/trojan.zh.md
@@ -47,11 +47,11 @@ Trojan 密码。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。

 #### transport

--- a/docs/configuration/outbound/tuic.zh.md
+++ b/docs/configuration/outbound/tuic.zh.md
@@ -97,7 +97,7 @@ UDP 包中继模式

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 ### 拨号字段

--- a/docs/configuration/outbound/vless.zh.md
+++ b/docs/configuration/outbound/vless.zh.md
@@ -57,7 +57,7 @@ VLESS 子协议。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 #### packet_encoding

@@ -71,7 +71,7 @@ UDP 包编码，默认使用 xudp。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。

 #### transport

--- a/docs/configuration/outbound/vmess.zh.md
+++ b/docs/configuration/outbound/vmess.zh.md
@@ -82,7 +82,7 @@ VMess 用户 ID。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 #### packet_encoding

@@ -96,7 +96,7 @@ UDP 包编码。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#出站)。

 #### transport

--- a/docs/configuration/outbound/wireguard.zh.md
+++ b/docs/configuration/outbound/wireguard.zh.md
@@ -4,7 +4,7 @@ icon: material/delete-clock

 !!! failure "已在 sing-box 1.11.0 废弃"

-    WireGuard 出站已被弃用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-wireguard-outbound-to-endpoint)。
+    WireGuard 出站已被弃用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-wireguard-出站到端点)。

 !!! quote "sing-box 1.11.0 中的更改"

--- a/docs/configuration/route/geoip.zh.md
+++ b/docs/configuration/route/geoip.zh.md
@@ -4,7 +4,7 @@ icon: material/note-remove

 !!! failure "已在 sing-box 1.12.0 中被移除"

-    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。

 ### 结构

--- a/docs/configuration/route/geosite.zh.md
+++ b/docs/configuration/route/geosite.zh.md
@@ -4,7 +4,7 @@ icon: material/note-remove

 !!! failure "已在 sing-box 1.12.0 中被移除"

-    Geosite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geosite)。
+    Geosite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。

 ### 结构

--- a/docs/configuration/route/index.zh.md
+++ b/docs/configuration/route/index.zh.md
@@ -12,7 +12,7 @@ icon: material/alert-decagram

 !!! quote "sing-box 1.11.0 中的更改"

-    :material-plus: [network_strategy](#network_strategy)  
+    :material-plus: [default_network_strategy](#default_network_strategy)  
    :material-plus: [default_network_type](#default_network_type)  
    :material-plus: [default_fallback_network_type](#default_fallback_network_type)  
    :material-plus: [default_fallback_delay](#default_fallback_delay)
@@ -110,7 +110,7 @@ icon: material/alert-decagram

 !!! question "自 sing-box 1.12.0 起"

-详情参阅 [拨号字段](/configuration/shared/dial/#domain_resolver)。
+详情参阅 [拨号字段](/zh/configuration/shared/dial/#domain_resolver)。

 可以被 `outbound.domain_resolver` 覆盖。

@@ -118,7 +118,7 @@ icon: material/alert-decagram

 !!! question "自 sing-box 1.11.0 起"

-详情参阅 [拨号字段](/configuration/shared/dial/#network_strategy)。
+详情参阅 [拨号字段](/zh/configuration/shared/dial/#network_strategy)。

 当 `outbound.bind_interface`, `outbound.inet4_bind_address` 或 `outbound.inet6_bind_address` 已设置时不生效。

@@ -130,16 +130,16 @@ icon: material/alert-decagram

 !!! question "自 sing-box 1.11.0 起"

-详情参阅 [拨号字段](/configuration/shared/dial/#default_network_type)。
+详情参阅 [拨号字段](/zh/configuration/shared/dial/#default_network_type)。

 #### default_fallback_network_type

 !!! question "自 sing-box 1.11.0 起"

-详情参阅 [拨号字段](/configuration/shared/dial/#default_fallback_network_type)。
+详情参阅 [拨号字段](/zh/configuration/shared/dial/#default_fallback_network_type)。

 #### default_fallback_delay

 !!! question "自 sing-box 1.11.0 起"

-详情参阅 [拨号字段](/configuration/shared/dial/#fallback_delay)。
+详情参阅 [拨号字段](/zh/configuration/shared/dial/#fallback_delay)。
--- a/docs/configuration/route/rule.md
+++ b/docs/configuration/route/rule.md
@@ -199,7 +199,7 @@ icon: material/new-box
    (`source_port` || `source_port_range`) &&  
    `other fields`

-    Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.
+    Additionally, each branch inside an included rule-set can be considered merged into the outer rule, while different branches keep OR semantics.

 #### inbound

--- a/docs/configuration/route/rule.zh.md
+++ b/docs/configuration/route/rule.zh.md
@@ -22,6 +22,7 @@ icon: material/new-box

    :material-plus: [client](#client)  
    :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
+    :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)  
    :material-plus: [process_path_regex](#process_path_regex)

 !!! quote "sing-box 1.8.0 中的更改"
@@ -196,7 +197,7 @@ icon: material/new-box
    (`source_port` || `source_port_range`) &&  
    `other fields`

-    另外，引用的规则集可视为被合并，而不是作为一个单独的规则子项。
+    另外，引用规则集中的每个分支都可视为与外层规则合并，不同分支之间仍保持 OR 语义。

 #### inbound

@@ -254,7 +255,7 @@ icon: material/new-box

 !!! failure "已在 sing-box 1.8.0 废弃"

-    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geosite)。
+    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。

 匹配 Geosite。

@@ -262,7 +263,7 @@ icon: material/new-box

 !!! failure "已在 sing-box 1.8.0 废弃"

-    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geoip)。
+    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。

 匹配源 GeoIP。

@@ -270,7 +271,7 @@ icon: material/new-box

 !!! failure "已在 sing-box 1.8.0 废弃"

-    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geoip)。
+    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。

 匹配 GeoIP。

@@ -500,4 +501,4 @@ icon: material/new-box

 ==必填==

-包括的规则。
+包括的规则。
--- a/docs/configuration/route/rule_action.zh.md
+++ b/docs/configuration/route/rule_action.zh.md
@@ -66,7 +66,7 @@ icon: material/new-box

 目标出站的标签。

-如果未指定，规则仅在来自 auto redirect 的[预匹配](/configuration/shared/pre-match/)中匹配，在其他场景中将被跳过。
+如果未指定，规则仅在来自 auto redirect 的[预匹配](/zh/configuration/shared/pre-match/)中匹配，在其他场景中将被跳过。

 #### route-options 字段

@@ -154,22 +154,22 @@ icon: material/new-box

 #### network_strategy

-详情参阅 [拨号字段](/configuration/shared/dial/#network_strategy)。
+详情参阅 [拨号字段](/zh/configuration/shared/dial/#network_strategy)。

 仅当出站为 `direct` 且 `outbound.bind_interface`, `outbound.inet4_bind_address`
 且 `outbound.inet6_bind_address` 未设置时生效。

 #### network_type

-详情参阅 [拨号字段](/configuration/shared/dial/#network_type)。
+详情参阅 [拨号字段](/zh/configuration/shared/dial/#network_type)。

 #### fallback_network_type

-详情参阅 [拨号字段](/configuration/shared/dial/#fallback_network_type)。
+详情参阅 [拨号字段](/zh/configuration/shared/dial/#fallback_network_type)。

 #### fallback_delay

-详情参阅 [拨号字段](/configuration/shared/dial/#fallback_delay)。
+详情参阅 [拨号字段](/zh/configuration/shared/dial/#fallback_delay)。

 #### udp_disable_domain_unmapping

--- a/docs/configuration/rule-set/headless-rule.zh.md
+++ b/docs/configuration/rule-set/headless-rule.zh.md
@@ -10,8 +10,8 @@ icon: material/new-box
 !!! quote "sing-box 1.11.0 中的更改"

    :material-plus: [network_type](#network_type)  
-    :material-alert: [network_is_expensive](#network_is_expensive)  
-    :material-alert: [network_is_constrained](#network_is_constrained)
+    :material-plus: [network_is_expensive](#network_is_expensive)  
+    :material-plus: [network_is_constrained](#network_is_constrained)

 ### 结构

--- a/docs/configuration/service/ccm.md
+++ b/docs/configuration/service/ccm.md
@@ -66,7 +66,19 @@ List of authorized users for token authentication.

 If empty, no authentication is required.

-Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.
+Object format:
+
+```json
+{
+  "name": "",
+  "token": ""
+}
+```
+
+Object fields:
+
+- `name`: Username identifier for tracking purposes.
+- `token`: Bearer token for authentication. Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.

 #### headers

@@ -84,23 +96,36 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

 ### Example

+#### Server
+
 ```json
 {
  "services": [
    {
      "type": "ccm",
-      "listen": "127.0.0.1",
-      "listen_port": 8080
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "usages_path": "./claude-usages.json",
+      "users": [
+        {
+          "name": "alice",
+          "token": "ak-ccm-hello-world"
+        },
+        {
+          "name": "bob",
+          "token": "ak-ccm-hello-bob"
+        }
+      ]
    }
  ]
 }
 ```

-Connect to the CCM service:
+#### Client

 ```bash
 export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
-export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"
+export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"

 claude
 ```
--- a/docs/configuration/service/ccm.zh.md
+++ b/docs/configuration/service/ccm.zh.md
@@ -66,7 +66,19 @@ Claude Code OAuth 凭据文件的路径。

 如果为空，则不需要身份验证。

-Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。
+对象格式：
+
+```json
+{
+  "name": "",
+  "token": ""
+}
+```
+
+对象字段：
+
+- `name`：用于跟踪的用户名标识符。
+- `token`：用于身份验证的 Bearer 令牌。Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。

 #### headers

@@ -80,27 +92,40 @@ Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 ### 示例

+#### 服务端
+
 ```json
 {
  "services": [
    {
      "type": "ccm",
-      "listen": "127.0.0.1",
-      "listen_port": 8080
+      "listen": "0.0.0.0",
+      "listen_port": 8080,
+      "usages_path": "./claude-usages.json",
+      "users": [
+        {
+          "name": "alice",
+          "token": "ak-ccm-hello-world"
+        },
+        {
+          "name": "bob",
+          "token": "ak-ccm-hello-bob"
+        }
+      ]
    }
  ]
 }
 ```

-连接到 CCM 服务：
+#### 客户端

 ```bash
 export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
-export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"
+export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"

 claude
 ```
--- a/docs/configuration/service/derp.zh.md
+++ b/docs/configuration/service/derp.zh.md
@@ -36,7 +36,7 @@ DERP 服务是一个 Tailscale DERP 服务器，类似于 [derper](https://pkg.g

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 #### config_path

@@ -96,7 +96,7 @@ Derper 配置文件路径。
 - `server`：**必填** DERP 服务器地址。
 - `server_port`：**必填** DERP 服务器端口。
 - `host`：自定义 DERP 主机名。
- `tls`：[TLS](/zh/configuration/shared/tls/#outbound)
+- `tls`：[TLS](/zh/configuration/shared/tls/#出站)
 - `拨号字段`：[拨号字段](/zh/configuration/shared/dial/)

 #### mesh_psk
--- a/docs/configuration/service/ocm.md
+++ b/docs/configuration/service/ocm.md
@@ -37,7 +37,9 @@ See [Listen Fields](/configuration/shared/listen/) for details.

 Path to the OpenAI OAuth credentials file.

-If not specified, defaults to `~/.codex/auth.json`.
+If not specified, defaults to:
+- `$CODEX_HOME/auth.json` if `CODEX_HOME` environment variable is set
+- `~/.codex/auth.json` otherwise

 Refreshed tokens are automatically written back to the same location.

@@ -111,17 +113,23 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
 Add to `~/.codex/config.toml`:

 ```toml
+# profile = "ocm"                # set as default profile
+
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
+supports_websockets = true
+
+[profiles.ocm]
+model_provider = "ocm"
+# model = "gpt-5.4"              # if the latest model is not yet publicly released
+# model_reasoning_effort = "xhigh"
 ```

 Then run:

 ```bash
-codex --model-provider ocm
+codex --profile ocm
 ```

 ### Example with Authentication
@@ -139,11 +147,11 @@ codex --model-provider ocm
      "users": [
        {
          "name": "alice",
-          "token": "sk-alice-secret-token"
+          "token": "sk-ocm-hello-world"
        },
        {
          "name": "bob",
-          "token": "sk-bob-secret-token"
+          "token": "sk-ocm-hello-bob"
        }
      ]
    }
@@ -156,16 +164,22 @@ codex --model-provider ocm
 Add to `~/.codex/config.toml`:

 ```toml
+# profile = "ocm"                # set as default profile
+
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
-experimental_bearer_token = "sk-alice-secret-token"
+supports_websockets = true
+experimental_bearer_token = "sk-ocm-hello-world"
+
+[profiles.ocm]
+model_provider = "ocm"
+# model = "gpt-5.4"              # if the latest model is not yet publicly released
+# model_reasoning_effort = "xhigh"
 ```

 Then run:

 ```bash
-codex --model-provider ocm
+codex --profile ocm
 ```
--- a/docs/configuration/service/ocm.zh.md
+++ b/docs/configuration/service/ocm.zh.md
@@ -37,7 +37,9 @@ OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许

 OpenAI OAuth 凭据文件的路径。

-如果未指定，默认值为 `~/.codex/auth.json`。
+如果未指定，默认值为：
+- 如果设置了 `CODEX_HOME` 环境变量，则使用 `$CODEX_HOME/auth.json`
+- 否则使用 `~/.codex/auth.json`

 刷新的令牌会自动写回相同位置。

@@ -88,7 +90,7 @@ OpenAI OAuth 凭据文件的路径。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 ### 示例

@@ -111,17 +113,24 @@ TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 在 `~/.codex/config.toml` 中添加：

 ```toml
+# profile = "ocm"                # 设为默认配置
+
+
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
+supports_websockets = true
+
+[profiles.ocm]
+model_provider = "ocm"
+# model = "gpt-5.4"              # 如果最新模型尚未公开发布
+# model_reasoning_effort = "xhigh"
 ```

 然后运行：

 ```bash
-codex --model-provider ocm
+codex --profile ocm
 ```

 ### 带身份验证的示例
@@ -139,11 +148,11 @@ codex --model-provider ocm
      "users": [
        {
          "name": "alice",
-          "token": "sk-alice-secret-token"
+          "token": "sk-ocm-hello-world"
        },
        {
          "name": "bob",
-          "token": "sk-bob-secret-token"
+          "token": "sk-ocm-hello-bob"
        }
      ]
    }
@@ -156,16 +165,22 @@ codex --model-provider ocm
 在 `~/.codex/config.toml` 中添加：

 ```toml
+# profile = "ocm"                # 设为默认配置
+
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-wire_api = "responses"
-requires_openai_auth = false
-experimental_bearer_token = "sk-alice-secret-token"
+supports_websockets = true
+experimental_bearer_token = "sk-ocm-hello-world"
+
+[profiles.ocm]
+model_provider = "ocm"
+# model = "gpt-5.4"              # 如果最新模型尚未公开发布
+# model_reasoning_effort = "xhigh"
 ```

 然后运行：

 ```bash
-codex --model-provider ocm
+codex --profile ocm
 ```
--- a/docs/configuration/service/ssm-api.zh.md
+++ b/docs/configuration/service/ssm-api.zh.md
@@ -55,4 +55,4 @@ SSM API 服务是一个用于管理 Shadowsocks 服务器的 RESTful API 服务

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。
--- a/docs/configuration/shared/dial.zh.md
+++ b/docs/configuration/shared/dial.zh.md
@@ -173,7 +173,7 @@ TCP keep alive 间隔。

 用于设置解析域名的域名解析器。

-此选项的格式与 [路由 DNS 规则动作](/configuration/dns/rule_action/#route) 相同，但不包含 `action` 字段。  
+此选项的格式与 [路由 DNS 规则动作](/zh/configuration/dns/rule_action/#route) 相同，但不包含 `action` 字段。  

 若直接将此选项设置为字符串，则等同于设置该选项的 `server` 字段。

@@ -246,7 +246,7 @@ TCP keep alive 间隔。

 !!! failure "已在 sing-box 1.12.0 废弃"

-    `domain_strategy` 已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-outbound-domain-strategy-option-to-domain-resolver)。
+    `domain_strategy` 已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移出站域名策略选项到域名解析器)。

 可选值：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。

--- a/docs/configuration/shared/listen.zh.md
+++ b/docs/configuration/shared/listen.zh.md
@@ -145,13 +145,13 @@ UDP NAT 过期时间。

 如果设置，连接将被转发到指定的入站。

-需要目标入站支持，参阅 [注入支持](/zh/configuration/inbound/#_3)。
+需要目标入站支持，参阅 [注入支持](/zh/configuration/inbound/#字段)。

 #### sniff

 !!! failure "已在 sing-box 1.11.0 废弃"

-    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作).

 启用协议探测。

@@ -171,7 +171,7 @@ UDP NAT 过期时间。

 !!! failure "已在 sing-box 1.11.0 废弃"

-    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作).

 探测超时时间。

@@ -181,7 +181,7 @@ UDP NAT 过期时间。

 !!! failure "已在 sing-box 1.11.0 废弃"

-    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作).

 可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。

@@ -193,7 +193,7 @@ UDP NAT 过期时间。

 !!! failure "已在 sing-box 1.11.0 废弃"

-    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作).

 如果启用，对于地址为域的 UDP 代理请求，将在响应中发送原始包地址而不是映射的域。

--- a/docs/configuration/shared/pre-match.zh.md
+++ b/docs/configuration/shared/pre-match.zh.md
@@ -22,13 +22,13 @@ icon: material/new-box

 以 TCP RST / ICMP 不可达拒绝。

-详情参阅 [reject](/configuration/route/rule_action/#reject)。
+详情参阅 [reject](/zh/configuration/route/rule_action/#reject)。

 #### route

 将 ICMP 连接路由到指定出站以直接回复。

-详情参阅 [route](/configuration/route/rule_action/#route)。
+详情参阅 [route](/zh/configuration/route/rule_action/#route)。

 #### bypass

@@ -44,4 +44,4 @@ icon: material/new-box

 对于其他所有场景，指定了 `outbound` 的 bypass 行为与 `route` 相同。

-详情参阅 [bypass](/configuration/route/rule_action/#bypass)。
+详情参阅 [bypass](/zh/configuration/route/rule_action/#bypass)。
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -426,7 +426,7 @@ echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/
    其实现行为无法通过简单复制握手格式来复现，其行为细节必然存在差异，使得检测成为可能。
    此外，此库缺乏积极维护，且代码质量较差，不建议用于反审查场景。

-    如需 TLS 指纹抵抗，请改用 [NaiveProxy](/configuration/inbound/naive/)。
+    如需 TLS 指纹抵抗，请改用 [NaiveProxy](/zh/configuration/inbound/naive/)。

 uTLS 是 "crypto/tls" 的一个分支，它提供了 ClientHello 指纹识别阻力。

--- a/docs/configuration/shared/v2ray-transport.zh.md
+++ b/docs/configuration/shared/v2ray-transport.zh.md
@@ -144,7 +144,7 @@ HTTP 请求的额外标头

 !!! note ""

-    默认安装不包含标准 gRPC (兼容性好，但性能较差), 参阅 [安装](/zh/installation/build-from-source/#_5)。
+    默认安装不包含标准 gRPC (兼容性好，但性能较差), 参阅 [安装](/zh/installation/build-from-source/#构建标记)。

 ```json
 {
--- a/docs/configuration/shared/wifi-state.zh.md
+++ b/docs/configuration/shared/wifi-state.zh.md
@@ -4,7 +4,7 @@ icon: material/new-box

 # Wi-Fi 状态

-!!! quote "sing-box 1.13.0 的变更"
+!!! quote "sing-box 1.13.0 中的更改"

    :material-plus: Linux 支持  
    :material-plus: Windows 支持
--- a/docs/deprecated.zh.md
+++ b/docs/deprecated.zh.md
@@ -7,7 +7,7 @@ icon: material/delete-alert
 #### 旧的 DNS 服务器格式

 DNS 服务器已重构，
-参阅 [迁移指南](/migration/#migrate-to-new-dns-servers).
+参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式).

 对旧格式的兼容性将在 sing-box 1.14.0 中被移除。

@@ -15,7 +15,7 @@ DNS 服务器已重构，

 旧的 `outbound` DNS 规则已废弃，
 且可被拨号字段代替，
-参阅 [迁移指南](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver).
+参阅 [迁移指南](/zh/migration/#迁移-outbound-dns-规则项到域解析选项).

 #### 旧的 ECH 字段

@@ -31,28 +31,28 @@ ECH 支持已在 sing-box 1.12.0 迁移至使用标准库，但标准库不支
 #### 旧的特殊出站

 旧的特殊出站（`block` / `dns`）已废弃且可以通过规则动作替代，
-参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions)。
+参阅 [迁移指南](/zh/migration/#迁移旧的特殊出站到规则动作)。

 旧字段将在 sing-box 1.13.0 中被移除。

 #### 旧的入站字段

 旧的入站字段（`inbound.<sniff/domain_strategy/...>`）已废弃且可以通过规则动作替代，
-参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions)。
+参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作)。

 旧字段将在 sing-box 1.13.0 中被移除。

 #### direct 出站中的目标地址覆盖字段

 direct 出站中的目标地址覆盖字段（`override_address` / `override_port`）已废弃且可以通过规则动作替代，
-参阅 [迁移指南](/migration/#migrate-destination-override-fields-to-route-options)。
+参阅 [迁移指南](/zh/migration/#迁移-direct-出站中的目标地址覆盖字段到路由字段)。

 旧字段将在 sing-box 1.13.0 中被移除。

 #### WireGuard 出站

 WireGuard 出站已废弃且可以通过端点替代，
-参阅 [迁移指南](/migration/#migrate-wireguard-outbound-to-endpoint)。
+参阅 [迁移指南](/zh/migration/#迁移-wireguard-出站到端点)。

 旧出站将在 sing-box 1.13.0 中被移除。

@@ -86,7 +86,7 @@ GSO 对透明代理场景没有优势，已废弃且在 TUN 中不再起作用
 #### Clash API 中的 Cache file 及相关功能

 Clash API 中的 `cache_file` 及相关功能已废弃且已迁移到独立的 `cache_file` 设置，
-参阅 [迁移指南](/zh/migration/#clash-api)。
+参阅 [迁移指南](/zh/migration/#将缓存文件从-clash-api-迁移到独立选项)。

 #### GeoIP

@@ -96,7 +96,7 @@ maxmind GeoIP 国家数据库作为 IP 分类数据库，不完全适合流量
 且现有的实现均存在内存使用大与管理困难的问题。

 sing-box 1.8.0 引入了[规则集](/zh/configuration/rule-set/)，
-可以完全替代 GeoIP， 参阅 [迁移指南](/zh/migration/#geoip)。
+可以完全替代 GeoIP， 参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。

 #### Geosite

@@ -106,7 +106,7 @@ Geosite，即由 V2Ray 维护的 domain-list-community 项目，作为早期流
 存在着包括缺少维护、规则不准确和管理困难内的大量问题。

 sing-box 1.8.0 引入了[规则集](/zh/configuration/rule-set/)，
-可以完全替代 Geosite，参阅 [迁移指南](/zh/migration/#geosite)。
+可以完全替代 Geosite，参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。

 ## 1.6.0

--- a/docs/installation/build-from-source.md
+++ b/docs/installation/build-from-source.md
@@ -92,14 +92,14 @@ NaiveProxy outbound requires special build configurations depending on your targ

 ### Supported Platforms

-| Platform        | Architectures          | Mode   | Requirements                                      |
-|-----------------|------------------------|--------|---------------------------------------------------|
-| Linux           | amd64, arm64           | purego | None (library included in official releases)      |
-| Linux           | 386, amd64, arm, arm64 | CGO    | Chromium toolchain, glibc >= 2.31 at runtime      |
-| Linux (musl)    | 386, amd64, arm, arm64 | CGO    | Chromium toolchain                                |
-| Windows         | amd64, arm64           | purego | None (library included in official releases)      |
-| Apple platforms | *                      | CGO    | Xcode                                             |
-| Android         | *                      | CGO    | Android NDK                                       |
+| Platform        | Architectures                                          | Mode   | Requirements                                                    |
+|-----------------|--------------------------------------------------------|--------|-----------------------------------------------------------------|
+| Linux           | amd64, arm64                                           | purego | None (library included in official releases)                    |
+| Linux           | 386, amd64, arm, arm64, mipsle, mips64le, riscv64, loong64 | CGO    | Chromium toolchain, glibc >= 2.31 (loong64: >= 2.36) at runtime |
+| Linux (musl)    | 386, amd64, arm, arm64, mipsle, riscv64, loong64       | CGO    | Chromium toolchain                                              |
+| Windows         | amd64, arm64                                           | purego | None (library included in official releases)                    |
+| Apple platforms | *                                                      | CGO    | Xcode                                                           |
+| Android         | *                                                      | CGO    | Android NDK                                                     |

 ### Windows

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	1f1ba549fd	Add cloudflared inbound support	2026-04-08 14:39:41 +08:00
世界	813b634d08	Bump version	2026-04-06 23:09:11 +08:00
hdrover	d9b435fb62	Fix naive inbound padding bytes	2026-04-06 22:33:11 +08:00
世界	354b4b040e	sing: Fix vectorised readv iovec length calculation This does not seem to affect any actual paths in the sing-box.	2026-04-01 16:16:58 +08:00
世界	7ffdc48b49	Bump version	2026-03-30 23:03:43 +08:00
世界	e15bdf11eb	sing: Minor fixes	2026-03-30 22:58:11 +08:00
世界	e3bcb06c3e	platform: Add HTTPResponse.WriteToWithProgress	2026-03-30 22:42:36 +08:00
世界	84d2280960	quic: Fix protocol client close & Sync hysteria bbr fix	2026-03-30 22:42:36 +08:00
世界	4fd2532b0a	Fix naive quic error message	2026-03-30 22:42:36 +08:00
Zhengchao Ding	02ccde6c71	fix(rpm): add vendor field to fpm config to avoid (none) vendor Co-authored-by: Hyper <hypar@disroot.org>	2026-03-30 22:09:54 +08:00
世界	e98b4ad449	Fix WireGuard shutdown race crashing Stop peer goroutines before closing the TUN device to prevent RoutineSequentialReceiver from calling Write on a nil dispatcher.	2026-03-26 16:33:21 +08:00
世界	d09182614c	Bump version	2026-03-26 13:28:33 +08:00
世界	6381de7bab	route: Fix query_type never matching in rule_set headless rules	2026-03-26 13:26:18 +08:00
世界	b0c6762bc1	route: merge rule_set branches into outer rules Treat rule_set items as merged branches instead of standalone boolean sub-items. Evaluate each branch inside a referenced rule-set as if it were merged into the outer rule and keep OR semantics between branches. This lets outer grouped fields satisfy matching groups inside a branch without introducing a standalone outer fallback or cross-branch state union. Keep inherited grouped state outside inverted default and logical branches. Negated rule-set branches now evaluate !(...) against their own conditions and only reapply the outer grouped match after negation succeeds, so configs like outer-group && !inner-condition continue to work. Add regression tests for same-group merged matches, cross-group and extra-AND failures, DNS merged-branch behaviour, and inverted merged branches. Update the route and DNS rule docs to clarify that rule-set branches merge into the outer rule while keeping OR semantics between branches.	2026-03-25 14:00:29 +08:00
世界	7425100bac	release: Refactor release tracks for Linux packages and Docker Support 4 release tracks instead of 2: - sing-box / latest (stable release) - sing-box-beta / latest-beta (stable pre-release) - sing-box-testing / latest-testing (testing branch) - sing-box-oldstable / latest-oldstable (oldstable branch) Track is detected via git branch --contains and git tag, replacing the old version-string hyphen check.	2026-03-24 15:03:43 +08:00
世界	d454aa0fdf	route: formalize nested rule_set group-state semantics Before `795d1c289`, nested rule-set evaluation reused the parent rule match cache. In practice, this meant these fields leaked across nested evaluation: - SourceAddressMatch - SourcePortMatch - DestinationAddressMatch - DestinationPortMatch - DidMatch That leak had two opposite effects. First, it made included rule-sets partially behave like the docs' "merged" semantics. For example, if an outer route rule had: rule_set = ["geosite-additional-!cn"] ip_cidr = 104.26.10.0/24 and the inline rule-set matched `domain_suffix = speedtest.net`, the inner match could set `DestinationAddressMatch = true` and the outer rule would then pass its destination-address group check. This is why some `rule_set + ip_cidr` combinations used to work. But the same leak also polluted sibling rules and sibling rule-sets. A branch could partially match one group, then fail later, and still leave that group cache set for the next branch. This broke cases such as gh-3485: with `rule_set = [test1, test2]`, `test1` could touch destination-address cache before an AdGuard `@@` exclusion made the whole branch fail, and `test2` would then run against dirty state. `795d1c289` fixed that by cloning metadata for nested rule-set/rule evaluation and resetting the rule match cache for each branch. That stopped sibling pollution, but it also removed the only mechanism by which a successful nested branch could affect the parent rule's grouped matching state. As a result, nested rule-sets became pure boolean sub-items against the outer rule. The previous example stopped working: the inner `domain_suffix = speedtest.net` still matched, but the outer rule no longer observed any destination-address-group success, so it fell through to `final`. This change makes the semantics explicit instead of relying on cache side effects: - `rule_set: ["a", "b"]` is OR - rules inside one rule-set are OR - each nested branch is evaluated in isolation - failed branches contribute no grouped match state - a successful branch contributes its grouped match state back to the parent rule - grouped state from different rule-sets must not be combined together to satisfy one outer rule In other words, rule-sets now behave as "OR branches whose successful group matches merge into the outer rule", which matches the documented intent without reintroducing cross-branch cache leakage.	2026-03-24 15:03:43 +08:00
世界	a3623eb41a	tun: Fix system stack rewriting TUN subnet destinations to loopback	2026-03-23 19:38:55 +08:00
世界	72bc4c1f87	Fix DNS transport returning error for empty AAAA response Closes #3925	2026-03-23 19:21:55 +08:00
世界	9ac1e2ff32	Match `package_name` in `process_path` rule on Android	2026-03-23 18:57:35 +08:00
世界	0045103d14	Fix `package_name` shared uid matching	2026-03-23 18:57:35 +08:00
世界	d2a933784c	Optimize Darwin process finder	2026-03-23 18:57:35 +08:00
世界	3f05a37f65	Optimize Linux process finder	2026-03-23 18:57:35 +08:00
世界	b8e5a71450	Add process information cache to avoid duplicate lookups PreMatch and full match phases each created a fresh InboundContext, causing process search (expensive OS syscalls) to run twice per connection. Use a freelru ShardedLRU cache with 200ms TTL to serve the second lookup from cache.	2026-03-23 14:26:45 +08:00
世界	c13faa8e3c	tailscale: Only set ProcessLocalIPs/ProcessSubnets for fake TUN	2026-03-23 14:16:40 +08:00
世界	7623bcd19e	Fix DialerForICMPDestination	2026-03-23 13:58:55 +08:00
世界	795d1c2892	Fix nested rule-set match cache isolation	2026-03-23 12:26:19 +08:00
世界	6913b11e0a	Reject removed legacy inbound fields instead of silently ignoring	2026-03-21 17:16:10 +08:00
世界	1e57c06295	daemon: Allow StartOrReloadService to recover from FATAL state	2026-03-21 13:37:14 +08:00
世界	ea464cef8d	daemon: Fix CloseService leaving instance non-nil on close error	2026-03-21 13:23:57 +08:00
Andrew Novikov	a8e3cd3256	tun: Fix nfqueue not working in prerouting	2026-03-17 11:05:40 +08:00
世界	686cf1f304	documentation: Fix Chinese link anchors	2026-03-16 12:24:10 +08:00
世界	9fbfb87723	documentation: Fix unicode heading anchors	2026-03-16 12:10:32 +08:00
世界	d2fa21d07b	Deprecate Socksaddr.IsFqdn: do not reject potentially valid domain names	2026-03-16 09:37:59 +08:00
世界	d3768cca36	Bump version	2026-03-15 17:56:37 +08:00
世界	0889ddd001	Fix connector canceled dial cleanup	2026-03-15 17:56:37 +08:00
深鸣	f46fbf188a	documentation: Minor fixes	2026-03-15 17:56:37 +08:00
世界	f2d15139f5	tun: Fix nftables single include_uid not working	2026-03-15 16:58:34 +08:00
世界	041646b728	Fix kTLS crash	2026-03-14 21:38:38 +08:00
世界	b990de2e12	tun: Fix "Fix auto_redirect dropping SO_BINDTODEVICE traffic"	2026-03-14 21:38:38 +08:00
世界	fe585157d2	Bump version	2026-03-14 21:38:38 +08:00
世界	eed6a36e5d	tun：Fix auto_redirect dropping SO_BINDTODEVICE traffic	2026-03-14 21:38:38 +08:00
世界	eb0f38544c	tailscale: Fix system interface rules	2026-03-14 21:38:38 +08:00
世界	54468a1a2a	platform: Add f-droid update helpers	2026-03-11 20:41:29 +08:00
世界	8289bbd846	Add Alpine APK packaging to CI build Add fpm-based Alpine APK packaging alongside existing DEB/RPM/Pacman packages. Alpine APKs use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix.	2026-03-11 20:41:29 +08:00
世界	49c450d942	ccm/ocm: Fix missing metering for 1M context and /fast mode CCM: Fix 1M context detection - use prefix match for versioned beta strings (e.g. "context-1m-2025-08-07") and include cache tokens in the 200K threshold check per Anthropic billing docs. OCM: Add GPT-5.4 family pricing (standard/priority/flex) with extended context (>272K) premium pricing support. Add context window tracking to usage combinations, mirroring CCM's pattern. Update normalizeGPT5Model defaults to latest known models.	2026-03-11 20:41:29 +08:00
世界	a7ee943216	Fix tailscale connections	2026-03-11 00:27:15 +08:00
世界	8bb4c4dd32	documentation: Update ocm/ccm examples	2026-03-10 22:04:12 +08:00
世界	67621ee6ba	Fix OCM websocket proxy lifecycle and headers	2026-03-10 22:04:11 +08:00
世界	a09ffe6a0f	ccm/ocm: Add `by_user_and_week` cost summary	2026-03-10 22:04:11 +08:00
世界	e0be8743f6	ocm: Add Responses WebSocket API proxy and fix client config docs Support the OpenAI Responses WebSocket API (`wss://.../v1/responses`) for bidirectional frame proxying with usage tracking. Fix Codex CLI client config examples to use profiles and correct flags. Update openai-go v3.24.0 → v3.26.0.	2026-03-10 22:04:11 +08:00
世界	0b04528803	tailscaile: Fix using TUN auto redirect with tailscale system interface	2026-03-10 22:04:11 +08:00
世界	65875e6dac	tailscale: Use system dialer for system interface * Revert "Fix netstack TCP connections with system interface	2026-03-10 19:50:16 +08:00
世界	4d6fb1d38d	Fix legacy DNS `client_subnet` options not working	2026-03-09 20:18:47 +08:00
世界	305b930d90	release: Fix default config	2026-03-09 20:18:43 +08:00
世界	bc3884ca91	release: Add openwrt apk build	2026-03-09 20:18:40 +08:00
世界	df0bf927e4	Fix missing `with_gvisor` build tag for tailscale	2026-03-09 20:18:28 +08:00
世界	efe20ea51c	release: Backport Go 1.25 to macOS 10.13	2026-03-09 20:13:36 +08:00
世界	e21a72fcd1	Fix websocket connection and goroutine leaks in Clash API Co-authored-by: traitman <112139837+traitman@users.noreply.github.com>	2026-03-09 20:06:34 +08:00
世界	e1477bd065	documentation: Update cronet-go descriptions	2026-03-09 20:06:34 +08:00
世界	aa495fce38	Fix local DNS transport CNAME chain broken with systemd-resolved Replace D-Bus ResolveRecord API with direct raw DNS queries to upstream servers obtained from systemd-resolved's per-interface link properties.	2026-03-09 20:06:34 +08:00
世界	9cd60c28c0	tailscale: Fix inbound UDP packet connection	2026-03-09 20:06:34 +08:00
Heng lu	2ba896c5ac	Fix netns fd leak in ListenNetworkNamespace	2026-03-09 20:06:34 +08:00
Oleg Artyomov	1d388547ee	service/ccm: strip Accept-Encoding before forwarding to avoid untracked usage When clients (e.g. Node.js Anthropic SDK) explicitly set Accept-Encoding: gzip, Go's http.Transport does not transparently decompress the response body, because it only does so when it added the header itself. This causes CCM's json.Unmarshal to receive raw gzip bytes, silently failing to parse usage data and leaving the usage counter unchanged. Fix: remove Accept-Encoding from the outgoing proxy request. Transport adds it automatically and transparently decompresses response.Body before CCM reads it. Wire compression (CCM→Anthropic) is preserved — Transport still negotiates gzip. Only CCM→localhost path is affected; compression on loopback has no practical benefit.	2026-03-09 20:06:34 +08:00
世界	e343cec4d5	Fix legacy DNS defaults on final transport	2026-03-09 20:06:34 +08:00
世界	d58efc5d01	cronet-go: Fix library search path	2026-03-09 20:06:34 +08:00
世界	4b26ab16fb	Bump version	2026-03-07 16:13:23 +08:00
世界	0e27312eda	Update Go to 1.25.8	2026-03-07 16:13:23 +08:00