[dependencies] Update golang Docker tag to v1.26

2026-04-13 02:27:19 +10:00 · 2026-02-11 01:37:12 +00:00
148 changed files with 1893 additions and 5687 deletions
--- a/.fpm_pacman
+++ b/.fpm_pacman
@@ -1,23 +0,0 @@
-s dir
--name sing-box
--category net
--license GPL-3.0-or-later
--description "The universal proxy platform."
--url "https://sing-box.sagernet.org/"
--maintainer "nekohasekai <contact-git@sekai.icu>"
--config-files etc/sing-box/config.json
--after-install release/config/sing-box.postinst
-
-release/config/config.json=/etc/sing-box/config.json
-
-release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
-release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
-release/config/sing-box.sysusers=/usr/lib/sysusers.d/sing-box.conf
-release/config/sing-box.rules=usr/share/polkit-1/rules.d/sing-box.rules
-release/config/sing-box-split-dns.xml=/usr/share/dbus-1/system.d/sing-box-split-dns.conf
-
-release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
-release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
-release/completions/sing-box.zsh=/usr/share/zsh/site-functions/_sing-box
-
-LICENSE=/usr/share/licenses/sing-box/LICENSE
--- a/.github/CRONET_GO_VERSION
+++ b/.github/CRONET_GO_VERSION
@@ -1 +1 @@
-2fef65f9dba90ddb89a87d00a6eb6165487c10c1
+dc1cda1fe28740ba069934ab62aeb8ef85388332
--- a/.github/build_alpine_apk.sh
+++ b/.github/build_alpine_apk.sh
@@ -1,81 +0,0 @@
-#!/usr/bin/env bash
-
-set -e -o pipefail
-
-ARCHITECTURE="$1"
-VERSION="$2"
-BINARY_PATH="$3"
-OUTPUT_PATH="$4"
-
-if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
-  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
-  exit 1
-fi
-
-PROJECT=$(cd "$(dirname "$0")/.."; pwd)
-
-# Convert version to APK format:
-#   1.13.0-beta.8  -> 1.13.0_beta8-r0
-#   1.13.0-rc.3    -> 1.13.0_rc3-r0
-#   1.13.0         -> 1.13.0-r0
-APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
-APK_VERSION="${APK_VERSION}-r0"
-
-ROOT_DIR=$(mktemp -d)
-trap 'rm -rf "$ROOT_DIR"' EXIT
-
-# Binary
-install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
-
-# Config files
-install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
-install -Dm755 "$PROJECT/release/config/sing-box.initd" "$ROOT_DIR/etc/init.d/sing-box"
-install -Dm644 "$PROJECT/release/config/sing-box.confd" "$ROOT_DIR/etc/conf.d/sing-box"
-
-# Service files
-install -Dm644 "$PROJECT/release/config/sing-box.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box.service"
-install -Dm644 "$PROJECT/release/config/sing-box@.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box@.service"
-
-# Completions
-install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
-install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
-install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
-
-# License
-install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
-
-# APK metadata
-PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
-mkdir -p "$PACKAGES_DIR"
-
-# .conffiles
-cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
-/etc/conf.d/sing-box
-/etc/init.d/sing-box
-/etc/sing-box/config.json
-EOF
-
-# .conffiles_static (sha256 checksums)
-while IFS= read -r conffile; do
-  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
-  echo "$conffile $sha256"
-done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
-
-# .list (all files, excluding lib/apk/packages/ metadata)
-(cd "$ROOT_DIR" && find . -type f -o -type l) \
-  | sed 's|^\./|/|' \
-  | grep -v '^/lib/apk/packages/' \
-  | sort > "$PACKAGES_DIR/.list"
-
-# Build APK
-apk mkpkg \
-  --info "name:sing-box" \
-  --info "version:${APK_VERSION}" \
-  --info "description:The universal proxy platform." \
-  --info "arch:${ARCHITECTURE}" \
-  --info "license:GPL-3.0-or-later with name use or association addition" \
-  --info "origin:sing-box" \
-  --info "url:https://sing-box.sagernet.org/" \
-  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
-  --files "$ROOT_DIR" \
-  --output "$OUTPUT_PATH"
--- a/.github/build_openwrt_apk.sh
+++ b/.github/build_openwrt_apk.sh
@@ -1,80 +0,0 @@
-#!/usr/bin/env bash
-
-set -e -o pipefail
-
-ARCHITECTURE="$1"
-VERSION="$2"
-BINARY_PATH="$3"
-OUTPUT_PATH="$4"
-
-if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
-  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
-  exit 1
-fi
-
-PROJECT=$(cd "$(dirname "$0")/.."; pwd)
-
-# Convert version to APK format:
-#   1.13.0-beta.8  -> 1.13.0_beta8-r0
-#   1.13.0-rc.3    -> 1.13.0_rc3-r0
-#   1.13.0         -> 1.13.0-r0
-APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
-APK_VERSION="${APK_VERSION}-r0"
-
-ROOT_DIR=$(mktemp -d)
-trap 'rm -rf "$ROOT_DIR"' EXIT
-
-# Binary
-install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
-
-# Config files
-install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
-install -Dm644 "$PROJECT/release/config/openwrt.conf" "$ROOT_DIR/etc/config/sing-box"
-install -Dm755 "$PROJECT/release/config/openwrt.init" "$ROOT_DIR/etc/init.d/sing-box"
-install -Dm644 "$PROJECT/release/config/openwrt.keep" "$ROOT_DIR/lib/upgrade/keep.d/sing-box"
-
-# Completions
-install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
-install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
-install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
-
-# License
-install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
-
-# APK metadata
-PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
-mkdir -p "$PACKAGES_DIR"
-
-# .conffiles
-cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
-/etc/config/sing-box
-/etc/sing-box/config.json
-EOF
-
-# .conffiles_static (sha256 checksums)
-while IFS= read -r conffile; do
-  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
-  echo "$conffile $sha256"
-done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
-
-# .list (all files, excluding lib/apk/packages/ metadata)
-(cd "$ROOT_DIR" && find . -type f -o -type l) \
-  | sed 's|^\./|/|' \
-  | grep -v '^/lib/apk/packages/' \
-  | sort > "$PACKAGES_DIR/.list"
-
-# Build APK
-apk mkpkg \
-  --info "name:sing-box" \
-  --info "version:${APK_VERSION}" \
-  --info "description:The universal proxy platform." \
-  --info "arch:${ARCHITECTURE}" \
-  --info "license:GPL-3.0-or-later" \
-  --info "origin:sing-box" \
-  --info "url:https://sing-box.sagernet.org/" \
-  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
-  --info "depends:ca-bundle kmod-inet-diag kmod-tun firewall4 kmod-nft-queue" \
-  --info "provider-priority:100" \
-  --script "pre-deinstall:${PROJECT}/release/config/openwrt.prerm" \
-  --files "$ROOT_DIR" \
-  --output "$OUTPUT_PATH"
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -6,7 +6,7 @@
    ":disableRateLimiting"
  ],
  "baseBranches": [
-    "unstable"
+    "dev-next"
  ],
  "golang": {
    "enabled": false
--- a/.github/setup_go_for_macos1013.sh
+++ b/.github/setup_go_for_macos1013.sh
@@ -1,45 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-VERSION="1.25.8"
-PATCH_COMMITS=(
-  "afe69d3cec1c6dcf0f1797b20546795730850070"
-  "1ed289b0cf87dc5aae9c6fe1aa5f200a83412938"
-)
-CURL_ARGS=(
-  -fL
-  --silent
-  --show-error
-)
-
-if [[ -n "${GITHUB_TOKEN:-}" ]]; then
-  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
-fi
-
-mkdir -p "$HOME/go"
-cd "$HOME/go"
-wget "https://dl.google.com/go/go${VERSION}.darwin-arm64.tar.gz"
-tar -xzf "go${VERSION}.darwin-arm64.tar.gz"
-#cp -a go go_bootstrap
-mv go go_osx
-cd go_osx
-
-# these patch URLs only work on golang1.25.x
-# that means after golang1.26 release it must be changed
-# see: https://github.com/SagerNet/go/commits/release-branch.go1.25/
-# revert:
-# 33d3f603c1: "cmd/link/internal/ld: use 12.0.0 OS/SDK versions for macOS linking"
-# 937368f84e: "crypto/x509: change how we retrieve chains on darwin"
-
-for patch_commit in "${PATCH_COMMITS[@]}"; do
-  curl "${CURL_ARGS[@]}" "https://github.com/SagerNet/go/commit/${patch_commit}.diff" | patch --verbose -p 1
-done
-
-# Rebuild is not needed: we build with CGO_ENABLED=1, so Apple's external
-# linker handles LC_BUILD_VERSION via MACOSX_DEPLOYMENT_TARGET, and the
-# stdlib (crypto/x509) is compiled from patched src automatically.
-#cd src
-#GOROOT_BOOTSTRAP="$HOME/go/go_bootstrap" ./make.bash
-#cd ../..
-#rm -rf go_bootstrap "go${VERSION}.darwin-arm64.tar.gz"
--- a/.github/setup_go_for_windows7.sh
+++ b/.github/setup_go_for_windows7.sh
@@ -1,35 +1,16 @@
 #!/usr/bin/env bash

-set -euo pipefail
+VERSION="1.25.7"

-VERSION="1.25.8"
-PATCH_COMMITS=(
-  "466f6c7a29bc098b0d4c987b803c779222894a11"
-  "1bdabae205052afe1dadb2ad6f1ba612cdbc532a"
-  "a90777dcf692dd2168577853ba743b4338721b06"
-  "f6bddda4e8ff58a957462a1a09562924d5f3d05c"
-  "bed309eff415bcb3c77dd4bc3277b682b89a388d"
-  "34b899c2fb39b092db4fa67c4417e41dc046be4b"
-)
-CURL_ARGS=(
-  -fL
-  --silent
-  --show-error
-)
-
-if [[ -n "${GITHUB_TOKEN:-}" ]]; then
-  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
-fi
-
-mkdir -p "$HOME/go"
-cd "$HOME/go"
+mkdir -p $HOME/go
+cd $HOME/go
 wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
 tar -xzf "go${VERSION}.linux-amd64.tar.gz"
 mv go go_win7
 cd go_win7

 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-# these patch URLs only work on golang1.25.x
+# this patch file only works on golang1.25.x
 # that means after golang1.26 release it must be changed
 # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
 # revert:
@@ -37,10 +18,10 @@ cd go_win7
 # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
 # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
 # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
-# fixes:
-# bed309eff415bcb3c77dd4bc3277b682b89a388d: "Fix os.RemoveAll not working on Windows7"
-# 34b899c2fb39b092db4fa67c4417e41dc046be4b: "Revert \"os: remove 5ms sleep on Windows in (*Process).Wait\""

-for patch_commit in "${PATCH_COMMITS[@]}"; do
-  curl "${CURL_ARGS[@]}" "https://github.com/MetaCubeX/go/commit/${patch_commit}.diff" | patch --verbose -p 1
-done
+alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
+
+curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,9 +25,8 @@ on:
          - publish-android
  push:
    branches:
-      - stable
-      - testing
-      - unstable
+      - main-next
+      - dev-next

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
@@ -47,7 +46,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -72,41 +71,33 @@ jobs:
        include:
          - { os: linux, arch: amd64, variant: purego, naive: true }
          - { os: linux, arch: amd64, variant: glibc, naive: true }
-          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, alpine: x86_64, openwrt: "x86_64" }
+          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }

          - { os: linux, arch: arm64, variant: purego, naive: true }
          - { os: linux, arch: arm64, variant: glibc, naive: true }
-          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, alpine: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
+          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }

          - { os: linux, arch: "386", go386: sse2 }
          - { os: linux, arch: "386", variant: glibc, naive: true, go386: sse2 }
-          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, alpine: x86, openwrt: "i386_pentium4" }
+          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }

          - { os: linux, arch: arm, goarm: "7" }
          - { os: linux, arch: arm, variant: glibc, naive: true, goarm: "7" }
-          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, alpine: armv7, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
-
-          - { os: linux, arch: mipsle, gomips: hardfloat, naive: true, variant: glibc }
-          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, variant: musl, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
-          - { os: linux, arch: mips64le, gomips: hardfloat, naive: true, variant: glibc, debian: mips64el, rpm: mips64el }
-          - { os: linux, arch: riscv64, naive: true, variant: glibc }
-          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, alpine: riscv64, openwrt: "riscv64_generic" }
-          - { os: linux, arch: loong64, naive: true, variant: glibc }
-          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, alpine: loongarch64, openwrt: "loongarch64_generic" }
+          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }

          - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
          - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl, openwrt: "arm_arm1176jzf-s_vfp" }
          - { os: linux, arch: mips, gomips: softfloat, openwrt: "mips_24kc mips_4kec mips_mips32" }
-          - { os: linux, arch: mipsle, gomips: hardfloat, openwrt: "mipsel_24kc_24kf" }
-          - { os: linux, arch: mipsle, gomips: softfloat }
+          - { os: linux, arch: mipsle, gomips: hardfloat, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc_24kf" }
+          - { os: linux, arch: mipsle, gomips: softfloat, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
          - { os: linux, arch: mips64, gomips: softfloat, openwrt: "mips64_mips64r2 mips64_octeonplus" }
-          - { os: linux, arch: mips64le, gomips: hardfloat }
+          - { os: linux, arch: mips64le, gomips: hardfloat, debian: mips64el, rpm: mips64el }
          - { os: linux, arch: mips64le, gomips: softfloat, openwrt: "mips64el_mips64r2" }
          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - { os: linux, arch: riscv64 }
-          - { os: linux, arch: loong64 }
+          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
+          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }

          - { os: windows, arch: amd64, legacy_win7: true, legacy_name: "windows-7" }
          - { os: windows, arch: "386", legacy_win7: true, legacy_name: "windows-7" }
@@ -121,10 +112,15 @@ jobs:
        with:
          fetch-depth: 0
      - name: Setup Go
-        if: ${{ ! matrix.legacy_win7 }}
+        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
+      - name: Setup Go 1.24
+        if: matrix.legacy_go124
+        uses: actions/setup-go@v5
+        with:
+          go-version: ~1.24.10
      - name: Cache Go for Windows 7
        if: matrix.legacy_win7
        id: cache-go-for-windows7
@@ -132,11 +128,9 @@ jobs:
        with:
          path: |
            ~/go/go_win7
-          key: go_win7_1258
+          key: go_win7_1255
      - name: Setup Go for Windows 7
        if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
        run: |-
          .github/setup_go_for_windows7.sh
      - name: Setup Go for Windows 7
@@ -160,23 +154,14 @@ jobs:
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
-      - name: Regenerate Debian keyring
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
-          cd ~/cronet-go
-          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
        uses: actions/cache@v4
        with:
          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
-            ~/cronet-go/naiveproxy/src/gn/out/
-            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
-            ~/cronet-go/naiveproxy/src/out/sysroot-build/
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/out/sysroot-build
          key: chromium-toolchain-${{ matrix.arch }}-${{ matrix.variant }}-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
@@ -205,10 +190,9 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
          if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
-          else
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+            TAGS="${TAGS},with_naive_outbound"
          fi
          if [[ "${{ matrix.variant }}" == "purego" ]]; then
            TAGS="${TAGS},with_purego"
@@ -216,16 +200,13 @@ jobs:
            TAGS="${TAGS},with_musl"
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Set shared ldflags
-        run: |
-          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build (purego)
        if: matrix.variant == 'purego'
        run: |
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -247,7 +228,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
@@ -255,8 +236,6 @@ jobs:
          GOARCH: ${{ matrix.arch }}
          GO386: ${{ matrix.go386 }}
          GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
-          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build (musl)
        if: matrix.variant == 'musl'
@@ -264,7 +243,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
@@ -272,8 +251,6 @@ jobs:
          GOARCH: ${{ matrix.arch }}
          GO386: ${{ matrix.go386 }}
          GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
-          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build (non-variant)
        if: matrix.os != 'android' && matrix.variant == ''
@@ -281,7 +258,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -301,7 +278,7 @@ jobs:
          export CXX="${CC}++"
          mkdir -p dist
          GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
@@ -375,7 +352,7 @@ jobs:
          sudo gem install fpm
          sudo apt-get update
          sudo apt-get install -y libarchive-tools
-          cp .fpm_pacman .fpm
+          cp .fpm_systemd .fpm
          fpm -t pacman \
            -v "$PKG_VERSION" \
            -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.pacman }}.pkg.tar.zst" \
@@ -396,30 +373,6 @@ jobs:
            .github/deb2ipk.sh "$architecture" "dist/openwrt.deb" "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.ipk"
          done
          rm "dist/openwrt.deb"
-      - name: Install apk-tools
-        if: matrix.openwrt != '' || matrix.alpine != ''
-        run: |-
-          docker run --rm -v /usr/local/bin:/mnt alpine:edge sh -c "apk add --no-cache apk-tools-static && cp /sbin/apk.static /mnt/apk && chmod +x /mnt/apk"
-      - name: Package OpenWrt APK
-        if: matrix.openwrt != ''
-        run: |-
-          set -xeuo pipefail
-          for architecture in ${{ matrix.openwrt }}; do
-            .github/build_openwrt_apk.sh \
-              "$architecture" \
-              "${{ needs.calculate_version.outputs.version }}" \
-              "dist/sing-box" \
-              "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.apk"
-          done
-      - name: Package Alpine APK
-        if: matrix.alpine != ''
-        run: |-
-          set -xeuo pipefail
-          .github/build_alpine_apk.sh \
-            "${{ matrix.alpine }}" \
-            "${{ needs.calculate_version.outputs.version }}" \
-            "dist/sing-box" \
-            "dist/sing-box_${{ needs.calculate_version.outputs.version }}_linux_${{ matrix.alpine }}.apk"
      - name: Archive
        run: |
          set -xeuo pipefail
@@ -455,36 +408,22 @@ jobs:
        include:
          - { arch: amd64 }
          - { arch: arm64 }
-          - { arch: amd64, legacy_osx: true, legacy_name: "macos-10.13" }
+          - { arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Setup Go
-        if: ${{ ! matrix.legacy_osx }}
+        if: ${{ ! matrix.legacy_go124 }}
        uses: actions/setup-go@v5
        with:
          go-version: ^1.25.3
-      - name: Cache Go for macOS 10.13
-        if: matrix.legacy_osx
-        id: cache-go-for-macos1013
-        uses: actions/cache@v4
+      - name: Setup Go 1.24
+        if: matrix.legacy_go124
+        uses: actions/setup-go@v5
        with:
-          path: |
-            ~/go/go_osx
-          key: go_osx_1258
-      - name: Setup Go for macOS 10.13
-        if: matrix.legacy_osx && steps.cache-go-for-macos1013.outputs.cache-hit != 'true'
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        run: |-
-          .github/setup_go_for_macos1013.sh
-      - name: Setup Go for macOS 10.13
-        if: matrix.legacy_osx
-        run: |-
-          echo "PATH=$HOME/go/go_osx/bin:$PATH" >> $GITHUB_ENV
-          echo "GOROOT=$HOME/go/go_osx" >> $GITHUB_ENV
+          go-version: ~1.24.6
      - name: Set tag
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
@@ -492,27 +431,22 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
-          if [[ "${{ matrix.legacy_osx }}" != "true" ]]; then
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
-          else
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
+          if [[ "${{ matrix.legacy_go124 }}" != "true" ]]; then
+            TAGS="${TAGS},with_naive_outbound"
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Set shared ldflags
-        run: |
-          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build
        run: |
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
          GOOS: darwin
          GOARCH: ${{ matrix.arch }}
-          MACOSX_DEPLOYMENT_TARGET: ${{ matrix.legacy_osx && '10.13' || '' }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Set name
        run: |-
@@ -565,11 +499,9 @@ jobs:
      - name: Build
        if: matrix.naive
        run: |
-          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_WINDOWS
-          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
+          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,with_naive_outbound,with_purego,badlinkname,tfogo_checklinkname0" `
+          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0" `
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -579,11 +511,9 @@ jobs:
      - name: Build
        if: ${{ !matrix.naive }}
        run: |
-          $TAGS = Get-Content release/DEFAULT_BUILD_TAGS_OTHERS
-          $LDFLAGS_SHARED = Get-Content release/LDFLAGS
          mkdir -p dist
-          go build -v -trimpath -o dist/sing-box.exe -tags "$TAGS" `
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' $LDFLAGS_SHARED -s -w -buildid=" `
+          go build -v -trimpath -o dist/sing-box.exe -tags "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" `
+          -ldflags "-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0" `
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -628,7 +558,7 @@ jobs:
          path: "dist"
  build_android:
    name: Build Android
-    if: (github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android') && github.ref != 'refs/heads/oldstable'
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
    runs-on: ubuntu-latest
    needs:
      - calculate_version
@@ -641,7 +571,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -664,12 +594,12 @@ jobs:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
      - name: Checkout main branch
-        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/android
          git checkout main
      - name: Checkout dev branch
-        if: github.ref == 'refs/heads/testing'
+        if: github.ref == 'refs/heads/dev-next'
        run: |-
          cd clients/android
          git checkout dev
@@ -718,7 +648,7 @@ jobs:
          path: 'dist'
  publish_android:
    name: Publish Android
-    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android' && github.ref != 'refs/heads/oldstable'
+    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
    runs-on: ubuntu-latest
    needs:
      - calculate_version
@@ -731,7 +661,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -754,12 +684,12 @@ jobs:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
      - name: Checkout main branch
-        if: github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
+        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/android
          git checkout main
      - name: Checkout dev branch
-        if: github.ref == 'refs/heads/testing'
+        if: github.ref == 'refs/heads/dev-next'
        run: |-
          cd clients/android
          git checkout dev
@@ -830,7 +760,7 @@ jobs:
        if: matrix.if
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
      - name: Set tag
        if: matrix.if
        run: |-
@@ -838,12 +768,12 @@ jobs:
          git tag v${{ needs.calculate_version.outputs.version }} -f
          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
      - name: Checkout main branch
-        if: matrix.if && github.ref == 'refs/heads/stable' && github.event_name != 'workflow_dispatch'
+        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
        run: |-
          cd clients/apple
          git checkout main
      - name: Checkout dev branch
-        if: matrix.if && github.ref == 'refs/heads/testing'
+        if: matrix.if && github.ref == 'refs/heads/dev-next'
        run: |-
          cd clients/apple
          git checkout dev
@@ -929,7 +859,7 @@ jobs:
            -authenticationKeyID $ASC_KEY_ID \
            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
      - name: Publish to TestFlight
-        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/testing'
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
        run: |-
          go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
      - name: Build image
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -3,8 +3,8 @@ name: Publish Docker Images
 on:
  #push:
  #  branches:
-  #    - stable
-  #    - testing
+  #    - main-next
+  #    - dev-next
  release:
    types:
      - published
@@ -19,7 +19,6 @@ env:
 jobs:
  build_binary:
    name: Build binary
-    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
@@ -30,12 +29,10 @@ jobs:
          - { arch: arm64, naive: true, docker_platform: "linux/arm64" }
          - { arch: "386", naive: true, docker_platform: "linux/386" }
          - { arch: arm, goarm: "7", naive: true, docker_platform: "linux/arm/v7" }
-          - { arch: mipsle, gomips: softfloat, naive: true, docker_platform: "linux/mipsle" }
-          - { arch: riscv64, naive: true, docker_platform: "linux/riscv64" }
-          - { arch: loong64, naive: true, docker_platform: "linux/loong64" }
          # Non-naive builds
          - { arch: arm, goarm: "6", docker_platform: "linux/arm/v6" }
          - { arch: ppc64le, docker_platform: "linux/ppc64le" }
+          - { arch: riscv64, docker_platform: "linux/riscv64" }
          - { arch: s390x, docker_platform: "linux/s390x" }
    steps:
      - name: Get commit to build
@@ -56,7 +53,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.4
      - name: Clone cronet-go
        if: matrix.naive
        run: |
@@ -67,23 +64,14 @@ jobs:
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
-      - name: Regenerate Debian keyring
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
-          cd ~/cronet-go
-          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
        uses: actions/cache@v4
        with:
          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
-            ~/cronet-go/naiveproxy/src/gn/out/
-            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
-            ~/cronet-go/naiveproxy/src/out/sysroot-build/
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/out/sysroot-build
          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
@@ -105,34 +93,29 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
          if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
-          else
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+            TAGS="${TAGS},with_naive_outbound,with_musl"
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Set shared ldflags
-        run: |
-          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build (naive)
        if: matrix.naive
        run: |
          set -xeuo pipefail
          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
          GOOS: linux
          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
      - name: Build (non-naive)
        if: ${{ ! matrix.naive }}
        run: |
          set -xeuo pipefail
          go build -v -trimpath -o sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${VERSION}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=${VERSION}\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
@@ -165,17 +148,15 @@ jobs:
    strategy:
      fail-fast: true
      matrix:
-        include:
-          - { platform: "linux/amd64" }
-          - { platform: "linux/arm/v6" }
-          - { platform: "linux/arm/v7" }
-          - { platform: "linux/arm64" }
-          - { platform: "linux/386" }
-          # mipsle: no base Docker image available for this platform
-          - { platform: "linux/ppc64le" }
-          - { platform: "linux/riscv64" }
-          - { platform: "linux/s390x" }
-          - { platform: "linux/loong64", base_image: "ghcr.io/loong64/alpine:edge" }
+        platform:
+          - linux/amd64
+          - linux/arm/v6
+          - linux/arm/v7
+          - linux/arm64
+          - linux/386
+          - linux/ppc64le
+          - linux/riscv64
+          - linux/s390x
    steps:
      - name: Get commit to build
        id: ref
@@ -228,8 +209,6 @@ jobs:
          platforms: ${{ matrix.platform }}
          context: .
          file: Dockerfile.binary
-          build-args: |
-            BASE_IMAGE=${{ matrix.base_image || 'alpine' }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
      - name: Export digest
@@ -245,7 +224,6 @@ jobs:
          if-no-files-found: error
          retention-days: 1
  merge:
-    if: github.event_name != 'push'
    runs-on: ubuntu-latest
    needs:
      - build_docker
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -3,20 +3,18 @@ name: Lint
 on:
  push:
    branches:
-      - oldstable
-      - stable
-      - testing
-      - unstable
+      - stable-next
+      - main-next
+      - dev-next
    paths-ignore:
      - '**.md'
      - '.github/**'
      - '!.github/workflows/lint.yml'
  pull_request:
    branches:
-      - oldstable
-      - stable
-      - testing
-      - unstable
+      - stable-next
+      - main-next
+      - dev-next

 jobs:
  build:
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -3,8 +3,8 @@ name: Build Linux Packages
 on:
  #push:
  #  branches:
-  #    - stable
-  #    - testing
+  #    - main-next
+  #    - dev-next
  workflow_dispatch:
    inputs:
      version:
@@ -23,7 +23,6 @@ on:
 jobs:
  calculate_version:
    name: Calculate version
-    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.outputs.outputs.version }}
@@ -35,7 +34,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -62,14 +61,14 @@ jobs:
          - { os: linux, arch: arm64, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64 }
          - { os: linux, arch: "386", naive: true, debian: i386, rpm: i386 }
          - { os: linux, arch: arm, goarm: "7", naive: true, debian: armhf, rpm: armv7hl, pacman: armv7hl }
-          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, debian: mipsel, rpm: mipsel }
-          - { os: linux, arch: riscv64, naive: true, debian: riscv64, rpm: riscv64 }
-          - { os: linux, arch: loong64, naive: true, debian: loongarch64, rpm: loongarch64 }
          # Non-naive builds (unsupported architectures)
          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
          - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
+          - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
+          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64 }
+          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
@@ -78,7 +77,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.8
+          go-version: ^1.25.7
      - name: Clone cronet-go
        if: matrix.naive
        run: |
@@ -89,23 +88,14 @@ jobs:
          git -C ~/cronet-go fetch --depth=1 origin "$CRONET_GO_VERSION"
          git -C ~/cronet-go checkout FETCH_HEAD
          git -C ~/cronet-go submodule update --init --recursive --depth=1
-      - name: Regenerate Debian keyring
-        if: matrix.naive
-        run: |
-          set -xeuo pipefail
-          rm -f ~/cronet-go/naiveproxy/src/build/linux/sysroot_scripts/keyring.gpg
-          cd ~/cronet-go
-          GPG_TTY=/dev/null ./naiveproxy/src/build/linux/sysroot_scripts/generate_keyring.sh
      - name: Cache Chromium toolchain
        if: matrix.naive
        id: cache-chromium-toolchain
        uses: actions/cache@v4
        with:
          path: |
-            ~/cronet-go/naiveproxy/src/third_party/llvm-build/
-            ~/cronet-go/naiveproxy/src/gn/out/
-            ~/cronet-go/naiveproxy/src/chrome/build/pgo_profiles/
-            ~/cronet-go/naiveproxy/src/out/sysroot-build/
+            ~/cronet-go/naiveproxy/src/third_party/llvm-build/Release+Asserts
+            ~/cronet-go/naiveproxy/src/out/sysroot-build
          key: chromium-toolchain-${{ matrix.arch }}-musl-${{ hashFiles('.github/CRONET_GO_VERSION') }}
      - name: Download Chromium toolchain
        if: matrix.naive
@@ -126,30 +116,24 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0'
          if [[ "${{ matrix.naive }}" == "true" ]]; then
-            TAGS="$(cat release/DEFAULT_BUILD_TAGS),with_musl"
-          else
-            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
+            TAGS="${TAGS},with_naive_outbound,with_musl"
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
-      - name: Set shared ldflags
-        run: |
-          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "${GITHUB_ENV}"
      - name: Build (naive)
        if: matrix.naive
        run: |
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "1"
          GOOS: linux
          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
-          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build (non-naive)
        if: ${{ ! matrix.naive }}
@@ -157,7 +141,7 @@ jobs:
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' ${LDFLAGS_SHARED} -s -w -buildid=" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
--- a/.gitignore
+++ b/.gitignore
@@ -12,9 +12,6 @@
 /*.jar
 /*.aar
 /*.xcframework/
-/experimental/libbox/*.aar
-/experimental/libbox/*.xcframework/
-/experimental/libbox/*.nupkg
 .DS_Store
 /config.d/
 /venv/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -9,11 +9,6 @@ run:
    - with_utls
    - with_acme
    - with_clash_api
-    - with_tailscale
-    - with_ccm
-    - with_ocm
-    - badlinkname
-    - tfogo_checklinkname0
 linters:
  default: none
  enable:
--- a/9
+++ b/9
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
@@ -12,11 +12,10 @@ RUN set -ex \
    && apk add git build-base \
    && export COMMIT=$(git rev-parse --short HEAD) \
    && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && export TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS) \
-    && export LDFLAGS_SHARED=$(cat release/LDFLAGS) \
-    && go build -v -trimpath -tags "$TAGS" \
+    && go build -v -trimpath -tags \
+        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0" \
        -o /go/bin/sing-box \
-        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" $LDFLAGS_SHARED -s -w -buildid=" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0" \
        ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
--- a/Dockerfile.binary
+++ b/Dockerfile.binary
@@ -1,14 +1,8 @@
-ARG BASE_IMAGE=alpine
-FROM ${BASE_IMAGE}
+FROM alpine
 ARG TARGETARCH
 ARG TARGETVARIANT
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
-    && if command -v apk > /dev/null; then \
-        apk add --no-cache --upgrade bash tzdata ca-certificates nftables; \
-    else \
-        apt-get update && apt-get install -y --no-install-recommends bash tzdata ca-certificates nftables \
-        && rm -rf /var/lib/apt/lists/*; \
-    fi
+    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
 COPY sing-box-${TARGETARCH}${TARGETVARIANT} /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]
--- a/22
+++ b/22
@@ -1,18 +1,15 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= $(shell cat release/DEFAULT_BUILD_TAGS_OTHERS)
+TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,with_ocm,badlinkname,tfogo_checklinkname0

 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)

-LDFLAGS_SHARED = $(shell cat release/LDFLAGS)
-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' $(LDFLAGS_SHARED) -s -w -buildid="
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -X 'internal/godebug.defaultGODEBUG=multipathtcp=0' -s -w -buildid= -checklinkname=0"
 MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
-SING_FFI ?= sing-ffi
-LIBBOX_FFI_CONFIG ?= ./experimental/libbox/ffi.json

 .PHONY: test release docs build

@@ -240,18 +237,15 @@ lib_android:
 lib_apple:
 	go run ./cmd/internal/build_libbox -target apple

-lib_windows:
-	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type csharp
-
 lib_android_new:
-	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type android
+	go run ./cmd/internal/build_libbox_newffi -target android

 lib_apple_new:
-	$(SING_FFI) generate --config $(LIBBOX_FFI_CONFIG) --platform-type apple
+	go run ./cmd/internal/build_libbox_newffi -target apple

 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.12
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.12
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.11
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.11

 docs:
 	venv/bin/mkdocs serve
@@ -260,8 +254,8 @@ publish_docs:
 	venv/bin/mkdocs gh-deploy -m "Update" --force --ignore-version --no-history

 docs_install:
-	python3 -m venv venv
-	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.7.2" mkdocs-static-i18n=="1.2.*"
+	python -m venv venv
+	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"

 clean:
 	rm -rf bin dist sing-box
--- a/adapter/connections.go
+++ b/adapter/connections.go
@@ -9,10 +9,6 @@ import (

 type ConnectionManager interface {
 	Lifecycle
-	Count() int
-	CloseAll()
-	TrackConn(conn net.Conn) net.Conn
-	TrackPacketConn(conn net.PacketConn) net.PacketConn
 	NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
 	NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 }
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -62,10 +62,13 @@ type InboundContext struct {
 	// cache

 	// Deprecated: implement in rule action
-	InboundDetour             string
-	LastInbound               string
-	OriginDestination         M.Socksaddr
-	RouteOriginalDestination  M.Socksaddr
+	InboundDetour            string
+	LastInbound              string
+	OriginDestination        M.Socksaddr
+	RouteOriginalDestination M.Socksaddr
+	// Deprecated: to be removed
+	//nolint:staticcheck
+	InboundOptions            option.InboundOptions
 	UDPDisableDomainUnmapping bool
 	UDPConnect                bool
 	UDPTimeout                time.Duration
--- a/box.go
+++ b/box.go
@@ -125,10 +125,7 @@ func New(options Options) (*Box, error) {

 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
-	err := applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
-	if err != nil {
-		return nil, err
-	}
+	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needCacheFile bool
 	var needClashAPI bool
 	var needV2RayAPI bool
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -63,7 +63,7 @@ func init() {
 	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid=  -checklinkname=0")
 	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -X internal/godebug.defaultGODEBUG=multipathtcp=0 -checklinkname=0")

-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "badlinkname", "tfogo_checklinkname0")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_naive_outbound", "with_clash_api", "with_conntrack", "badlinkname", "tfogo_checklinkname0")
 	darwinTags = append(darwinTags, "with_dhcp", "grpcnotrace")
 	// memcTags = append(memcTags, "with_tailscale")
 	sharedTags = append(sharedTags, "with_tailscale", "ts_omit_logtail", "ts_omit_ssh", "ts_omit_drive", "ts_omit_taildrop", "ts_omit_webclient", "ts_omit_doctor", "ts_omit_capture", "ts_omit_kube", "ts_omit_aws", "ts_omit_synology", "ts_omit_bird")
--- a/cmd/internal/build_libbox_newffi/main.go
+++ b/cmd/internal/build_libbox_newffi/main.go
@@ -0,0 +1,93 @@
+package main
+
+import (
+	"flag"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common/rw"
+)
+
+var target string
+
+func init() {
+	flag.StringVar(&target, "target", "android", "target platform (android or apple)")
+}
+
+func main() {
+	flag.Parse()
+
+	args := []string{
+		"generate",
+		"-v",
+		"--config", "experimental/libbox/ffi.json",
+		"--platform-type", target,
+	}
+	command := exec.Command("sing-ffi", args...)
+	command.Stdout = os.Stdout
+	command.Stderr = os.Stderr
+	err := command.Run()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	copyArtifacts(target)
+}
+
+func copyArtifacts(target string) {
+	switch target {
+	case "android":
+		copyPath := filepath.Join("..", "sing-box-for-android", "app", "libs")
+		if rw.IsDir(copyPath) {
+			copyPath, _ = filepath.Abs(copyPath)
+			for _, name := range []string{"libbox.aar", "libbox-legacy.aar"} {
+				artifactPath, found := findArtifactPath(name)
+				if !found {
+					continue
+				}
+				targetPath := filepath.Join(target, artifactPath)
+				os.RemoveAll(targetPath)
+				err := os.Rename(artifactPath, targetPath)
+				if err != nil {
+					log.Fatal(err)
+				}
+				log.Info("copied ", name, " to ", copyPath)
+			}
+		}
+	case "apple":
+		copyPath := filepath.Join("..", "sing-box-for-apple")
+		if rw.IsDir(copyPath) {
+			sourceDir, found := findArtifactPath("Libbox.xcframework")
+			if !found {
+				log.Fatal("Libbox.xcframework not found in current directory or experimental/libbox")
+			}
+
+			targetDir := filepath.Join(copyPath, "Libbox.xcframework")
+			targetDir, _ = filepath.Abs(targetDir)
+			err := os.RemoveAll(targetDir)
+			if err != nil {
+				log.Fatal(err)
+			}
+			err = os.Rename(sourceDir, targetDir)
+			if err != nil {
+				log.Fatal(err)
+			}
+			log.Info("copied ", sourceDir, " to ", targetDir)
+		}
+	}
+}
+
+func findArtifactPath(name string) (string, bool) {
+	candidates := []string{
+		name,
+		filepath.Join("experimental", "libbox", name),
+	}
+	for _, candidate := range candidates {
+		if rw.IsFile(candidate) || rw.IsDir(candidate) {
+			return candidate, true
+		}
+	}
+	return "", false
+}
--- a/cmd/internal/update_apple_version/main.go
+++ b/cmd/internal/update_apple_version/main.go
@@ -71,12 +71,12 @@ func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDLi
 		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
 		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "MARKETING_VERSION = ") + 20
 		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
-		version := strings.Trim(projectContent[versionStart:versionEnd], "\"")
+		version := projectContent[versionStart:versionEnd]
 		if version == newVersion {
 			continue
 		}
 		updated = true
-		projectContent = projectContent[:versionStart] + "\"" + newVersion + "\"" + projectContent[versionEnd:]
+		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
 	}
 	return projectContent, updated
 }
--- a/common/conntrack/conn.go
+++ b/common/conntrack/conn.go
@@ -0,0 +1,54 @@
+package conntrack
+
+import (
+	"io"
+	"net"
+
+	"github.com/sagernet/sing/common/x/list"
+)
+
+type Conn struct {
+	net.Conn
+	element *list.Element[io.Closer]
+}
+
+func NewConn(conn net.Conn) (net.Conn, error) {
+	connAccess.Lock()
+	element := openConnection.PushBack(conn)
+	connAccess.Unlock()
+	if KillerEnabled {
+		err := KillerCheck()
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+	}
+	return &Conn{
+		Conn:    conn,
+		element: element,
+	}, nil
+}
+
+func (c *Conn) Close() error {
+	if c.element.Value != nil {
+		connAccess.Lock()
+		if c.element.Value != nil {
+			openConnection.Remove(c.element)
+			c.element.Value = nil
+		}
+		connAccess.Unlock()
+	}
+	return c.Conn.Close()
+}
+
+func (c *Conn) Upstream() any {
+	return c.Conn
+}
+
+func (c *Conn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *Conn) WriterReplaceable() bool {
+	return true
+}
--- a/common/conntrack/killer.go
+++ b/common/conntrack/killer.go
@@ -0,0 +1,35 @@
+package conntrack
+
+import (
+	runtimeDebug "runtime/debug"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/memory"
+)
+
+var (
+	KillerEnabled   bool
+	MemoryLimit     uint64
+	killerLastCheck time.Time
+)
+
+func KillerCheck() error {
+	if !KillerEnabled {
+		return nil
+	}
+	nowTime := time.Now()
+	if nowTime.Sub(killerLastCheck) < 3*time.Second {
+		return nil
+	}
+	killerLastCheck = nowTime
+	if memory.Total() > MemoryLimit {
+		Close()
+		go func() {
+			time.Sleep(time.Second)
+			runtimeDebug.FreeOSMemory()
+		}()
+		return E.New("out of memory")
+	}
+	return nil
+}
--- a/common/conntrack/packet_conn.go
+++ b/common/conntrack/packet_conn.go
@@ -0,0 +1,55 @@
+package conntrack
+
+import (
+	"io"
+	"net"
+
+	"github.com/sagernet/sing/common/bufio"
+	"github.com/sagernet/sing/common/x/list"
+)
+
+type PacketConn struct {
+	net.PacketConn
+	element *list.Element[io.Closer]
+}
+
+func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
+	connAccess.Lock()
+	element := openConnection.PushBack(conn)
+	connAccess.Unlock()
+	if KillerEnabled {
+		err := KillerCheck()
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+	}
+	return &PacketConn{
+		PacketConn: conn,
+		element:    element,
+	}, nil
+}
+
+func (c *PacketConn) Close() error {
+	if c.element.Value != nil {
+		connAccess.Lock()
+		if c.element.Value != nil {
+			openConnection.Remove(c.element)
+			c.element.Value = nil
+		}
+		connAccess.Unlock()
+	}
+	return c.PacketConn.Close()
+}
+
+func (c *PacketConn) Upstream() any {
+	return bufio.NewPacketConn(c.PacketConn)
+}
+
+func (c *PacketConn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *PacketConn) WriterReplaceable() bool {
+	return true
+}
--- a/common/conntrack/track.go
+++ b/common/conntrack/track.go
@@ -0,0 +1,47 @@
+package conntrack
+
+import (
+	"io"
+	"sync"
+
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/x/list"
+)
+
+var (
+	connAccess     sync.RWMutex
+	openConnection list.List[io.Closer]
+)
+
+func Count() int {
+	if !Enabled {
+		return 0
+	}
+	return openConnection.Len()
+}
+
+func List() []io.Closer {
+	if !Enabled {
+		return nil
+	}
+	connAccess.RLock()
+	defer connAccess.RUnlock()
+	connList := make([]io.Closer, 0, openConnection.Len())
+	for element := openConnection.Front(); element != nil; element = element.Next() {
+		connList = append(connList, element.Value)
+	}
+	return connList
+}
+
+func Close() {
+	if !Enabled {
+		return
+	}
+	connAccess.Lock()
+	defer connAccess.Unlock()
+	for element := openConnection.Front(); element != nil; element = element.Next() {
+		common.Close(element.Value)
+		element.Value = nil
+	}
+	openConnection.Init()
+}
--- a/common/conntrack/track_disable.go
+++ b/common/conntrack/track_disable.go
@@ -0,0 +1,5 @@
+//go:build !with_conntrack
+
+package conntrack
+
+const Enabled = false
--- a/common/conntrack/track_enable.go
+++ b/common/conntrack/track_enable.go
@@ -0,0 +1,5 @@
+//go:build with_conntrack
+
+package conntrack
+
+const Enabled = true
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -9,6 +9,7 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/listener"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
@@ -36,7 +37,6 @@ type DefaultDialer struct {
 	udpAddr4               string
 	udpAddr6               string
 	netns                  string
-	connectionManager      adapter.ConnectionManager
 	networkManager         adapter.NetworkManager
 	networkStrategy        *C.NetworkStrategy
 	defaultNetworkStrategy bool
@@ -47,7 +47,6 @@ type DefaultDialer struct {
 }

 func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
-	connectionManager := service.FromContext[adapter.ConnectionManager](ctx)
 	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	platformInterface := service.FromContext[adapter.PlatformInterface](ctx)

@@ -90,7 +89,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial

 	if networkManager != nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if defaultOptions.BindInterface != "" && !disableDefaultBind {
+		if defaultOptions.BindInterface != "" {
 			bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
 			dialer.Control = control.Append(dialer.Control, bindFunc)
 			listener.Control = control.Append(listener.Control, bindFunc)
@@ -158,11 +157,8 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		if keepInterval == 0 {
 			keepInterval = C.TCPKeepAliveInterval
 		}
-		dialer.KeepAliveConfig = net.KeepAliveConfig{
-			Enable:   true,
-			Idle:     keepIdle,
-			Interval: keepInterval,
-		}
+		dialer.KeepAlive = keepIdle
+		dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(keepIdle, keepInterval))
 	}
 	var udpFragment bool
 	if options.UDPFragment != nil {
@@ -210,7 +206,6 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		udpAddr4:               udpAddr4,
 		udpAddr6:               udpAddr6,
 		netns:                  options.NetNs,
-		connectionManager:      connectionManager,
 		networkManager:         networkManager,
 		networkStrategy:        networkStrategy,
 		defaultNetworkStrategy: defaultNetworkStrategy,
@@ -243,7 +238,7 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {
-		return d.trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
+		return trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
 			switch N.NetworkName(network) {
 			case N.NetworkUDP:
 				if !address.IsIPv6() {
@@ -308,12 +303,12 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 	if !fastFallback && !isPrimary {
 		d.networkLastFallback.Store(time.Now())
 	}
-	return d.trackConn(conn, nil)
+	return trackConn(conn, nil)
 }

 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if d.networkStrategy == nil {
-		return d.trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
+		return trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
 			if destination.IsIPv6() {
 				return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6)
 			} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
@@ -365,23 +360,23 @@ func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destina
 			return nil, err
 		}
 	}
-	return d.trackPacketConn(packetConn, nil)
+	return trackPacketConn(packetConn, nil)
 }

 func (d *DefaultDialer) WireGuardControl() control.Func {
 	return d.udpListener.Control
 }

-func (d *DefaultDialer) trackConn(conn net.Conn, err error) (net.Conn, error) {
-	if d.connectionManager == nil || err != nil {
+func trackConn(conn net.Conn, err error) (net.Conn, error) {
+	if !conntrack.Enabled || err != nil {
 		return conn, err
 	}
-	return d.connectionManager.TrackConn(conn), nil
+	return conntrack.NewConn(conn)
 }

-func (d *DefaultDialer) trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
-	if d.connectionManager == nil || err != nil {
+func trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
+	if !conntrack.Enabled || err != nil {
 		return conn, err
 	}
-	return d.connectionManager.TrackPacketConn(conn), nil
+	return conntrack.NewPacketConn(conn)
 }
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -145,7 +145,3 @@ type ParallelNetworkDialer interface {
 	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
 	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
 }
-
-type PacketDialerWithDestination interface {
-	ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error)
-}
--- a/common/ktls/ktls_read.go
+++ b/common/ktls/ktls_read.go
@@ -12,7 +12,6 @@ import (
 	"fmt"
 	"io"
 	"net"
-	"unsafe"
 )

 func (c *Conn) Read(b []byte) (int, error) {
@@ -230,7 +229,7 @@ func (c *Conn) readRawRecord() (typ uint8, data []byte, err error) {
 	record := c.rawConn.RawInput.Next(recordHeaderLen + n)
 	data, typ, err = c.rawConn.In.Decrypt(record)
 	if err != nil {
-		err = c.rawConn.In.SetErrorLocked(c.sendAlert(*(*uint8)((*[2]unsafe.Pointer)(unsafe.Pointer(&err))[1])))
+		err = c.rawConn.In.SetErrorLocked(c.sendAlert(uint8(err.(tls.AlertError))))
 		return
 	}
 	return
--- a/common/listener/listener.go
+++ b/common/listener/listener.go
@@ -151,7 +151,6 @@ func ListenNetworkNamespace[T any](nameOrPath string, block func() (T, error)) (
 		if err != nil {
 			return common.DefaultValue[T](), E.Cause(err, "get current netns")
 		}
-		defer currentNs.Close()
 		defer netns.Set(currentNs)
 		var targetNs netns.NsHandle
 		if strings.HasPrefix(nameOrPath, "/") {
--- a/common/listener/listener_tcp.go
+++ b/common/listener/listener_tcp.go
@@ -99,6 +99,8 @@ func (l *Listener) loopTCPIn() {
 		}
 		//nolint:staticcheck
 		metadata.InboundDetour = l.listenOptions.Detour
+		//nolint:staticcheck
+		metadata.InboundOptions = l.listenOptions.InboundOptions
 		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
 		metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
 		ctx := log.ContextWithNewID(l.ctx)
--- a/common/tls/ech.go
+++ b/common/tls/ech.go
@@ -15,6 +15,7 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	aTLS "github.com/sagernet/sing/common/tls"
@@ -37,7 +38,7 @@ func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, op
 	}
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		return nil, E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
+		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
 	}
 	if len(echConfig) > 0 {
 		block, rest := pem.Decode(echConfig)
@@ -76,7 +77,7 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	tlsConfig.EncryptedClientHelloKeys = echKeys
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
-		return E.New("legacy ECH options are deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0")
+		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
 	}
 	return nil
 }
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -30,7 +30,6 @@ const (
 	TypeSSMAPI       = "ssm-api"
 	TypeCCM          = "ccm"
 	TypeOCM          = "ocm"
-	TypeOOMKiller    = "oom-killer"
 )

 const (
@@ -86,8 +85,6 @@ func ProxyDisplayName(proxyType string) string {
 		return "Hysteria2"
 	case TypeAnyTLS:
 		return "AnyTLS"
-	case TypeTailscale:
-		return "Tailscale"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:
--- a/daemon/instance.go
+++ b/daemon/instance.go
@@ -7,12 +7,10 @@ import (
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/service"
@@ -23,7 +21,6 @@ type Instance struct {
 	ctx                   context.Context
 	cancel                context.CancelFunc
 	instance              *box.Box
-	connectionManager     adapter.ConnectionManager
 	clashServer           adapter.ClashServer
 	cacheFile             adapter.CacheFile
 	pauseManager          pause.Manager
@@ -87,15 +84,6 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 			}
 		}
 	}
-	if s.oomKiller && C.IsIos {
-		if !common.Any(options.Services, func(it option.Service) bool {
-			return it.Type == C.TypeOOMKiller
-		}) {
-			options.Services = append(options.Services, option.Service{
-				Type: C.TypeOOMKiller,
-			})
-		}
-	}
 	urlTestHistoryStorage := urltest.NewHistoryStorage()
 	ctx = service.ContextWithPtr(ctx, urlTestHistoryStorage)
 	i := &Instance{
@@ -113,7 +101,6 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 		return nil, err
 	}
 	i.instance = boxInstance
-	i.connectionManager = service.FromContext[adapter.ConnectionManager](ctx)
 	i.clashServer = service.FromContext[adapter.ClashServer](ctx)
 	i.pauseManager = service.FromContext[pause.Manager](ctx)
 	i.cacheFile = service.FromContext[adapter.CacheFile](ctx)
--- a/daemon/started_service.go
+++ b/daemon/started_service.go
@@ -8,6 +8,7 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
@@ -35,7 +36,6 @@ type StartedService struct {
 	handler     PlatformHandler
 	debug       bool
 	logMaxLines int
-	oomKiller   bool
 	// workingDirectory string
 	// tempDirectory    string
 	// userID           int
@@ -67,7 +67,6 @@ type ServiceOptions struct {
 	Handler     PlatformHandler
 	Debug       bool
 	LogMaxLines int
-	OOMKiller   bool
 	// WorkingDirectory   string
 	// TempDirectory      string
 	// UserID             int
@@ -82,7 +81,6 @@ func NewStartedService(options ServiceOptions) *StartedService {
 		handler:     options.Handler,
 		debug:       options.Debug,
 		logMaxLines: options.LogMaxLines,
-		oomKiller:   options.OOMKiller,
 		// workingDirectory: options.WorkingDirectory,
 		// tempDirectory:    options.TempDirectory,
 		// userID:           options.UserID,
@@ -209,14 +207,6 @@ func (s *StartedService) StartOrReloadService(profileContent string, options *Ov
 	return nil
 }

-func (s *StartedService) Close() {
-	s.serviceStatusSubscriber.Close()
-	s.logSubscriber.Close()
-	s.urlTestSubscriber.Close()
-	s.clashModeSubscriber.Close()
-	s.connectionEventSubscriber.Close()
-}
-
 func (s *StartedService) CloseService() error {
 	s.serviceAccess.Lock()
 	switch s.serviceStatus.Status {
@@ -409,14 +399,12 @@ func (s *StartedService) SubscribeStatus(request *SubscribeStatusRequest, server

 func (s *StartedService) readStatus() *Status {
 	var status Status
-	status.Memory = memory.Total()
+	status.Memory = memory.Inuse()
 	status.Goroutines = int32(runtime.NumGoroutine())
+	status.ConnectionsOut = int32(conntrack.Count())
 	s.serviceAccess.RLock()
 	nowService := s.instance
 	s.serviceAccess.RUnlock()
-	if nowService != nil && nowService.connectionManager != nil {
-		status.ConnectionsOut = int32(nowService.connectionManager.Count())
-	}
 	if nowService != nil {
 		if clashServer := nowService.clashServer; clashServer != nil {
 			status.TrafficAvailable = true
@@ -997,12 +985,7 @@ func (s *StartedService) CloseConnection(ctx context.Context, request *CloseConn
 }

 func (s *StartedService) CloseAllConnections(ctx context.Context, empty *emptypb.Empty) (*emptypb.Empty, error) {
-	s.serviceAccess.RLock()
-	nowService := s.instance
-	s.serviceAccess.RUnlock()
-	if nowService != nil && nowService.connectionManager != nil {
-		nowService.connectionManager.CloseAll()
-	}
+	conntrack.Close()
 	return &emptypb.Empty{}, nil
 }

--- a/debug.go
+++ b/debug.go
@@ -3,11 +3,11 @@ package box
 import (
 	"runtime/debug"

+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
 )

-func applyDebugOptions(options option.DebugOptions) error {
+func applyDebugOptions(options option.DebugOptions) {
 	applyDebugListenOption(options)
 	if options.GCPercent != nil {
 		debug.SetGCPercent(*options.GCPercent)
@@ -26,9 +26,9 @@ func applyDebugOptions(options option.DebugOptions) error {
 	}
 	if options.MemoryLimit.Value() != 0 {
 		debug.SetMemoryLimit(int64(float64(options.MemoryLimit.Value()) / 1.5))
+		conntrack.MemoryLimit = options.MemoryLimit.Value()
 	}
 	if options.OOMKiller != nil {
-		return E.New("legacy oom_killer in debug options is removed, use oom-killer service instead")
+		conntrack.KillerEnabled = *options.OOMKiller
 	}
-	return nil
 }
--- a/dns/client.go
+++ b/dns/client.go
@@ -240,10 +240,8 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	if responseChecker != nil {
 		var rejected bool
 		// TODO: add accept_any rule and support to check response instead of addresses
-		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
+		if response.Rcode != dns.RcodeSuccess || len(response.Answer) == 0 {
 			rejected = true
-		} else if len(response.Answer) == 0 {
-			rejected = !responseChecker(nil)
 		} else {
 			rejected = !responseChecker(MessageToAddresses(response))
 		}
@@ -324,20 +322,16 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 	} else {
 		strategy = options.Strategy
 	}
-	lookupOptions := options
-	if options.LookupStrategy != C.DomainStrategyAsIS {
-		lookupOptions.Strategy = strategy
-	}
 	if strategy == C.DomainStrategyIPv4Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
 	} else if strategy == C.DomainStrategyIPv6Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
 	}
 	var response4 []netip.Addr
 	var response6 []netip.Addr
 	var group task.Group
 	group.Append("exchange4", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
 		if err != nil {
 			return err
 		}
@@ -345,7 +339,7 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 		return nil
 	})
 	group.Append("exchange6", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
 		if err != nil {
 			return err
 		}
--- a/dns/router.go
+++ b/dns/router.go
@@ -195,16 +195,7 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 			}
 		}
 	}
-	transport := r.transport.Default()
-	if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-		if options.Strategy == C.DomainStrategyAsIS {
-			options.Strategy = legacyTransport.LegacyStrategy()
-		}
-		if !options.ClientSubnet.IsValid() {
-			options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-		}
-	}
-	return transport, nil, -1
+	return r.transport.Default(), nil, -1
 }

 func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
@@ -281,7 +272,13 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 					return action.Response(message), nil
 				}
 			}
-			responseCheck := addressLimitResponseCheck(rule, metadata)
+			var responseCheck func(responseAddrs []netip.Addr) bool
+			if rule != nil && rule.WithAddressLimit() {
+				responseCheck = func(responseAddrs []netip.Addr) bool {
+					metadata.DestinationAddresses = responseAddrs
+					return rule.MatchAddressLimit(metadata)
+				}
+			}
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -354,7 +351,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 		transport := options.Transport
 		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
 			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = legacyTransport.LegacyStrategy()
+				options.Strategy = r.defaultDomainStrategy
 			}
 			if !options.ClientSubnet.IsValid() {
 				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
@@ -380,11 +377,9 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 				case *R.RuleActionReject:
 					return nil, &R.RejectedError{Cause: action.Error(ctx)}
 				case *R.RuleActionPredefined:
-					responseAddrs = nil
 					if action.Rcode != mDNS.RcodeSuccess {
 						err = RcodeError(action.Rcode)
 					} else {
-						err = nil
 						for _, answer := range action.Answer {
 							switch record := answer.(type) {
 							case *mDNS.A:
@@ -397,7 +392,13 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 					goto response
 				}
 			}
-			responseCheck := addressLimitResponseCheck(rule, metadata)
+			var responseCheck func(responseAddrs []netip.Addr) bool
+			if rule != nil && rule.WithAddressLimit() {
+				responseCheck = func(responseAddrs []netip.Addr) bool {
+					metadata.DestinationAddresses = responseAddrs
+					return rule.MatchAddressLimit(metadata)
+				}
+			}
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
@@ -425,18 +426,6 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }

-func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
-	if rule == nil || !rule.WithAddressLimit() {
-		return nil
-	}
-	responseMetadata := *metadata
-	return func(responseAddrs []netip.Addr) bool {
-		checkMetadata := responseMetadata
-		checkMetadata.DestinationAddresses = responseAddrs
-		return rule.MatchAddressLimit(&checkMetadata)
-	}
-}
-
 func (r *Router) ClearCache() {
 	r.client.ClearCache()
 	if r.platformInterface != nil {
--- a/dns/transport/connector.go
+++ b/dns/transport/connector.go
@@ -4,9 +4,6 @@ import (
 	"context"
 	"net"
 	"sync"
-	"time"
-
-	E "github.com/sagernet/sing/common/exceptions"
 )

 type ConnectorCallbacks[T any] struct {
@@ -19,11 +16,10 @@ type Connector[T any] struct {
 	dial      func(ctx context.Context) (T, error)
 	callbacks ConnectorCallbacks[T]

-	access           sync.Mutex
-	connection       T
-	hasConnection    bool
-	connectionCancel context.CancelFunc
-	connecting       chan struct{}
+	access        sync.Mutex
+	connection    T
+	hasConnection bool
+	connecting    chan struct{}

 	closeCtx context.Context
 	closed   bool
@@ -51,16 +47,6 @@ func NewSingleflightConnector(closeCtx context.Context, dial func(context.Contex
 	})
 }

-type contextKeyConnecting struct{}
-
-var errRecursiveConnectorDial = E.New("recursive connector dial")
-
-type connectorDialResult[T any] struct {
-	connection T
-	cancel     context.CancelFunc
-	err        error
-}
-
 func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 	var zero T
 	for {
@@ -78,14 +64,6 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 		}

 		c.hasConnection = false
-		if c.connectionCancel != nil {
-			c.connectionCancel()
-			c.connectionCancel = nil
-		}
-		if isRecursiveConnectorDial(ctx, c) {
-			c.access.Unlock()
-			return zero, errRecursiveConnectorDial
-		}

 		if c.connecting != nil {
 			connecting := c.connecting
@@ -101,134 +79,48 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 			}
 		}

-		if err := ctx.Err(); err != nil {
+		c.connecting = make(chan struct{})
+		c.access.Unlock()
+
+		connection, err := c.dialWithCancellation(ctx)
+
+		c.access.Lock()
+		close(c.connecting)
+		c.connecting = nil
+
+		if err != nil {
 			c.access.Unlock()
 			return zero, err
 		}

-		connecting := make(chan struct{})
-		c.connecting = connecting
-		dialContext := context.WithValue(ctx, contextKeyConnecting{}, c)
-		dialResult := make(chan connectorDialResult[T], 1)
-		c.access.Unlock()
-
-		go func() {
-			connection, cancel, err := c.dialWithCancellation(dialContext)
-			dialResult <- connectorDialResult[T]{
-				connection: connection,
-				cancel:     cancel,
-				err:        err,
-			}
-		}()
-
-		select {
-		case result := <-dialResult:
-			return c.completeDial(ctx, connecting, result)
-		case <-ctx.Done():
-			go func() {
-				result := <-dialResult
-				_, _ = c.completeDial(ctx, connecting, result)
-			}()
-			return zero, ctx.Err()
-		case <-c.closeCtx.Done():
-			go func() {
-				result := <-dialResult
-				_, _ = c.completeDial(ctx, connecting, result)
-			}()
+		if c.closed {
+			c.callbacks.Close(connection)
+			c.access.Unlock()
 			return zero, ErrTransportClosed
 		}
+
+		c.connection = connection
+		c.hasConnection = true
+		result := c.connection
+		c.access.Unlock()
+
+		return result, nil
 	}
 }

-func isRecursiveConnectorDial[T any](ctx context.Context, connector *Connector[T]) bool {
-	dialConnector, loaded := ctx.Value(contextKeyConnecting{}).(*Connector[T])
-	return loaded && dialConnector == connector
-}
+func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, error) {
+	dialCtx, cancel := context.WithCancel(ctx)
+	defer cancel()

-func (c *Connector[T]) completeDial(ctx context.Context, connecting chan struct{}, result connectorDialResult[T]) (T, error) {
-	var zero T
-
-	c.access.Lock()
-	defer c.access.Unlock()
-	defer func() {
-		if c.connecting == connecting {
-			c.connecting = nil
+	go func() {
+		select {
+		case <-c.closeCtx.Done():
+			cancel()
+		case <-dialCtx.Done():
 		}
-		close(connecting)
 	}()

-	if result.err != nil {
-		return zero, result.err
-	}
-	if c.closed || c.closeCtx.Err() != nil {
-		result.cancel()
-		c.callbacks.Close(result.connection)
-		return zero, ErrTransportClosed
-	}
-	if err := ctx.Err(); err != nil {
-		result.cancel()
-		c.callbacks.Close(result.connection)
-		return zero, err
-	}
-
-	c.connection = result.connection
-	c.hasConnection = true
-	c.connectionCancel = result.cancel
-	return c.connection, nil
-}
-
-func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, context.CancelFunc, error) {
-	var zero T
-	if err := ctx.Err(); err != nil {
-		return zero, nil, err
-	}
-	connCtx, cancel := context.WithCancel(c.closeCtx)
-
-	var (
-		stateAccess  sync.Mutex
-		dialComplete bool
-	)
-	stopCancel := context.AfterFunc(ctx, func() {
-		stateAccess.Lock()
-		if !dialComplete {
-			cancel()
-		}
-		stateAccess.Unlock()
-	})
-	select {
-	case <-ctx.Done():
-		stateAccess.Lock()
-		dialComplete = true
-		stateAccess.Unlock()
-		stopCancel()
-		cancel()
-		return zero, nil, ctx.Err()
-	default:
-	}
-
-	connection, err := c.dial(valueContext{connCtx, ctx})
-	stateAccess.Lock()
-	dialComplete = true
-	stateAccess.Unlock()
-	stopCancel()
-	if err != nil {
-		cancel()
-		return zero, nil, err
-	}
-	return connection, cancel, nil
-}
-
-type valueContext struct {
-	context.Context
-	parent context.Context
-}
-
-func (v valueContext) Value(key any) any {
-	return v.parent.Value(key)
-}
-
-func (v valueContext) Deadline() (time.Time, bool) {
-	return v.parent.Deadline()
+	return c.dial(dialCtx)
 }

 func (c *Connector[T]) Close() error {
@@ -240,10 +132,6 @@ func (c *Connector[T]) Close() error {
 	}
 	c.closed = true

-	if c.connectionCancel != nil {
-		c.connectionCancel()
-		c.connectionCancel = nil
-	}
 	if c.hasConnection {
 		c.callbacks.Close(c.connection)
 		c.hasConnection = false
@@ -256,10 +144,6 @@ func (c *Connector[T]) Reset() {
 	c.access.Lock()
 	defer c.access.Unlock()

-	if c.connectionCancel != nil {
-		c.connectionCancel()
-		c.connectionCancel = nil
-	}
 	if c.hasConnection {
 		c.callbacks.Reset(c.connection)
 		c.hasConnection = false
--- a/dns/transport/connector_test.go
+++ b/dns/transport/connector_test.go
@@ -1,407 +0,0 @@
-package transport
-
-import (
-	"context"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-)
-
-type testConnectorConnection struct{}
-
-func TestConnectorRecursiveGetFailsFast(t *testing.T) {
-	t.Parallel()
-
-	var (
-		dialCount  atomic.Int32
-		closeCount atomic.Int32
-		connector  *Connector[*testConnectorConnection]
-	)
-
-	dial := func(ctx context.Context) (*testConnectorConnection, error) {
-		dialCount.Add(1)
-		_, err := connector.Get(ctx)
-		if err != nil {
-			return nil, err
-		}
-		return &testConnectorConnection{}, nil
-	}
-
-	connector = NewConnector(context.Background(), dial, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-		Reset: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-	})
-
-	_, err := connector.Get(context.Background())
-	require.ErrorIs(t, err, errRecursiveConnectorDial)
-	require.EqualValues(t, 1, dialCount.Load())
-	require.EqualValues(t, 0, closeCount.Load())
-}
-
-func TestConnectorRecursiveGetAcrossConnectorsAllowed(t *testing.T) {
-	t.Parallel()
-
-	var (
-		outerDialCount atomic.Int32
-		innerDialCount atomic.Int32
-		outerConnector *Connector[*testConnectorConnection]
-		innerConnector *Connector[*testConnectorConnection]
-	)
-
-	innerConnector = NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		innerDialCount.Add(1)
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	outerConnector = NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		outerDialCount.Add(1)
-		_, err := innerConnector.Get(ctx)
-		if err != nil {
-			return nil, err
-		}
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	_, err := outerConnector.Get(context.Background())
-	require.NoError(t, err)
-	require.EqualValues(t, 1, outerDialCount.Load())
-	require.EqualValues(t, 1, innerDialCount.Load())
-}
-
-func TestConnectorDialContextPreservesValueAndDeadline(t *testing.T) {
-	t.Parallel()
-
-	type contextKey struct{}
-
-	var (
-		dialValue       any
-		dialDeadline    time.Time
-		dialHasDeadline bool
-	)
-
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialValue = ctx.Value(contextKey{})
-		dialDeadline, dialHasDeadline = ctx.Deadline()
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	deadline := time.Now().Add(time.Minute)
-	requestContext, cancel := context.WithDeadline(context.WithValue(context.Background(), contextKey{}, "test-value"), deadline)
-	defer cancel()
-
-	_, err := connector.Get(requestContext)
-	require.NoError(t, err)
-	require.Equal(t, "test-value", dialValue)
-	require.True(t, dialHasDeadline)
-	require.WithinDuration(t, deadline, dialDeadline, time.Second)
-}
-
-func TestConnectorDialSkipsCanceledRequest(t *testing.T) {
-	t.Parallel()
-
-	var dialCount atomic.Int32
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialCount.Add(1)
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	_, err := connector.Get(requestContext)
-	require.ErrorIs(t, err, context.Canceled)
-	require.EqualValues(t, 0, dialCount.Load())
-}
-
-func TestConnectorCanceledRequestDoesNotCacheConnection(t *testing.T) {
-	t.Parallel()
-
-	var (
-		dialCount  atomic.Int32
-		closeCount atomic.Int32
-	)
-	dialStarted := make(chan struct{}, 1)
-	releaseDial := make(chan struct{})
-
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialCount.Add(1)
-		select {
-		case dialStarted <- struct{}{}:
-		default:
-		}
-		<-releaseDial
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	result := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(requestContext)
-		result <- err
-	}()
-
-	<-dialStarted
-	cancel()
-	close(releaseDial)
-
-	err := <-result
-	require.ErrorIs(t, err, context.Canceled)
-	require.EqualValues(t, 1, dialCount.Load())
-	require.Eventually(t, func() bool {
-		return closeCount.Load() == 1
-	}, time.Second, 10*time.Millisecond)
-
-	_, err = connector.Get(context.Background())
-	require.NoError(t, err)
-	require.EqualValues(t, 2, dialCount.Load())
-}
-
-func TestConnectorCanceledRequestReturnsBeforeIgnoredDialCompletes(t *testing.T) {
-	t.Parallel()
-
-	var (
-		dialCount  atomic.Int32
-		closeCount atomic.Int32
-	)
-	dialStarted := make(chan struct{}, 1)
-	releaseDial := make(chan struct{})
-
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialCount.Add(1)
-		select {
-		case dialStarted <- struct{}{}:
-		default:
-		}
-		<-releaseDial
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	result := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(requestContext)
-		result <- err
-	}()
-
-	<-dialStarted
-	cancel()
-
-	select {
-	case err := <-result:
-		require.ErrorIs(t, err, context.Canceled)
-	case <-time.After(time.Second):
-		t.Fatal("Get did not return after request cancel")
-	}
-
-	require.EqualValues(t, 1, dialCount.Load())
-	require.EqualValues(t, 0, closeCount.Load())
-
-	close(releaseDial)
-
-	require.Eventually(t, func() bool {
-		return closeCount.Load() == 1
-	}, time.Second, 10*time.Millisecond)
-
-	_, err := connector.Get(context.Background())
-	require.NoError(t, err)
-	require.EqualValues(t, 2, dialCount.Load())
-}
-
-func TestConnectorWaiterDoesNotStartNewDialBeforeCanceledDialCompletes(t *testing.T) {
-	t.Parallel()
-
-	var (
-		dialCount  atomic.Int32
-		closeCount atomic.Int32
-	)
-	firstDialStarted := make(chan struct{}, 1)
-	secondDialStarted := make(chan struct{}, 1)
-	releaseFirstDial := make(chan struct{})
-
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		attempt := dialCount.Add(1)
-		switch attempt {
-		case 1:
-			select {
-			case firstDialStarted <- struct{}{}:
-			default:
-			}
-			<-releaseFirstDial
-		case 2:
-			select {
-			case secondDialStarted <- struct{}{}:
-			default:
-			}
-		}
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {
-			closeCount.Add(1)
-		},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	firstResult := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(requestContext)
-		firstResult <- err
-	}()
-
-	<-firstDialStarted
-	cancel()
-
-	secondResult := make(chan error, 1)
-	go func() {
-		_, err := connector.Get(context.Background())
-		secondResult <- err
-	}()
-
-	select {
-	case <-secondDialStarted:
-		t.Fatal("second dial started before first dial completed")
-	case <-time.After(100 * time.Millisecond):
-	}
-
-	select {
-	case err := <-firstResult:
-		require.ErrorIs(t, err, context.Canceled)
-	case <-time.After(time.Second):
-		t.Fatal("first Get did not return after request cancel")
-	}
-
-	close(releaseFirstDial)
-
-	require.Eventually(t, func() bool {
-		return closeCount.Load() == 1
-	}, time.Second, 10*time.Millisecond)
-
-	select {
-	case <-secondDialStarted:
-	case <-time.After(time.Second):
-		t.Fatal("second dial did not start after first dial completed")
-	}
-
-	err := <-secondResult
-	require.NoError(t, err)
-	require.EqualValues(t, 2, dialCount.Load())
-}
-
-func TestConnectorDialContextNotCanceledByRequestContextAfterDial(t *testing.T) {
-	t.Parallel()
-
-	var dialContext context.Context
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialContext = ctx
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	requestContext, cancel := context.WithCancel(context.Background())
-	_, err := connector.Get(requestContext)
-	require.NoError(t, err)
-	require.NotNil(t, dialContext)
-
-	cancel()
-
-	select {
-	case <-dialContext.Done():
-		t.Fatal("dial context canceled by request context after successful dial")
-	case <-time.After(100 * time.Millisecond):
-	}
-
-	err = connector.Close()
-	require.NoError(t, err)
-}
-
-func TestConnectorDialContextCanceledOnClose(t *testing.T) {
-	t.Parallel()
-
-	var dialContext context.Context
-	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
-		dialContext = ctx
-		return &testConnectorConnection{}, nil
-	}, ConnectorCallbacks[*testConnectorConnection]{
-		IsClosed: func(connection *testConnectorConnection) bool {
-			return false
-		},
-		Close: func(connection *testConnectorConnection) {},
-		Reset: func(connection *testConnectorConnection) {},
-	})
-
-	_, err := connector.Get(context.Background())
-	require.NoError(t, err)
-	require.NotNil(t, dialContext)
-
-	select {
-	case <-dialContext.Done():
-		t.Fatal("dial context canceled before connector close")
-	default:
-	}
-
-	err = connector.Close()
-	require.NoError(t, err)
-
-	select {
-	case <-dialContext.Done():
-	case <-time.After(time.Second):
-		t.Fatal("dial context not canceled after connector close")
-	}
-}
--- a/dns/transport/fakeip/store.go
+++ b/dns/transport/fakeip/store.go
@@ -18,8 +18,6 @@ type Store struct {
 	logger     logger.Logger
 	inet4Range netip.Prefix
 	inet6Range netip.Prefix
-	inet4Last  netip.Addr
-	inet6Last  netip.Addr
 	storage    adapter.FakeIPStorage

 	addressAccess sync.Mutex
@@ -28,35 +26,12 @@ type Store struct {
 }

 func NewStore(ctx context.Context, logger logger.Logger, inet4Range netip.Prefix, inet6Range netip.Prefix) *Store {
-	store := &Store{
+	return &Store{
 		ctx:        ctx,
 		logger:     logger,
 		inet4Range: inet4Range,
 		inet6Range: inet6Range,
 	}
-	if inet4Range.IsValid() {
-		store.inet4Last = broadcastAddress(inet4Range)
-	}
-	if inet6Range.IsValid() {
-		store.inet6Last = broadcastAddress(inet6Range)
-	}
-	return store
-}
-
-func broadcastAddress(prefix netip.Prefix) netip.Addr {
-	addr := prefix.Addr()
-	raw := addr.As16()
-	bits := prefix.Bits()
-	if addr.Is4() {
-		bits += 96
-	}
-	for i := bits; i < 128; i++ {
-		raw[i/8] |= 1 << (7 - i%8)
-	}
-	if addr.Is4() {
-		return netip.AddrFrom4([4]byte(raw[12:]))
-	}
-	return netip.AddrFrom16(raw)
 }

 func (s *Store) Start() error {
@@ -74,10 +49,10 @@ func (s *Store) Start() error {
 		s.inet6Current = metadata.Inet6Current
 	} else {
 		if s.inet4Range.IsValid() {
-			s.inet4Current = s.inet4Range.Addr().Next()
+			s.inet4Current = s.inet4Range.Addr().Next().Next()
 		}
 		if s.inet6Range.IsValid() {
-			s.inet6Current = s.inet6Range.Addr().Next()
+			s.inet6Current = s.inet6Range.Addr().Next().Next()
 		}
 		_ = storage.FakeIPReset()
 	}
@@ -123,7 +98,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv4 fakeip address range")
 		}
 		nextAddress := s.inet4Current.Next()
-		if nextAddress == s.inet4Last || !s.inet4Range.Contains(nextAddress) {
+		if !s.inet4Range.Contains(nextAddress) {
 			nextAddress = s.inet4Range.Addr().Next().Next()
 		}
 		s.inet4Current = nextAddress
@@ -133,7 +108,7 @@ func (s *Store) Create(domain string, isIPv6 bool) (netip.Addr, error) {
 			return netip.Addr{}, E.New("missing IPv6 fakeip address range")
 		}
 		nextAddress := s.inet6Current.Next()
-		if nextAddress == s.inet6Last || !s.inet6Range.Contains(nextAddress) {
+		if !s.inet6Range.Contains(nextAddress) {
 			nextAddress = s.inet6Range.Addr().Next().Next()
 		}
 		s.inet6Current = nextAddress
--- a/dns/transport/local/local.go
+++ b/dns/transport/local/local.go
@@ -81,7 +81,10 @@ func (t *Transport) Reset() {

 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	if t.resolved != nil {
-		return t.resolved.Exchange(ctx, message)
+		resolverObject := t.resolved.Object()
+		if resolverObject != nil {
+			return t.resolved.Exchange(resolverObject, ctx, message)
+		}
 	}
 	question := message.Question[0]
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
--- a/dns/transport/local/local_resolved.go
+++ b/dns/transport/local/local_resolved.go
@@ -9,5 +9,6 @@ import (
 type ResolvedResolver interface {
 	Start() error
 	Close() error
-	Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
+	Object() any
+	Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
 }
--- a/dns/transport/local/local_resolved_linux.go
+++ b/dns/transport/local/local_resolved_linux.go
@@ -4,26 +4,19 @@ import (
 	"bufio"
 	"context"
 	"errors"
-	"net/netip"
 	"os"
 	"strings"
 	"sync"
 	"sync/atomic"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer"
-	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	dnsTransport "github.com/sagernet/sing-box/dns/transport"
-	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/service/resolved"
 	"github.com/sagernet/sing-tun"
+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"

@@ -56,23 +49,13 @@ type DBusResolvedResolver struct {
 	interfaceMonitor  tun.DefaultInterfaceMonitor
 	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
 	systemBus         *dbus.Conn
-	savedServerSet    atomic.Pointer[resolvedServerSet]
+	resoledObject     atomic.Pointer[ResolvedObject]
 	closeOnce         sync.Once
 }

-type resolvedServerSet struct {
-	servers []resolvedServer
-}
-
-type resolvedServer struct {
-	primaryTransport  adapter.DNSTransport
-	fallbackTransport adapter.DNSTransport
-}
-
-type resolvedServerSpecification struct {
-	address    netip.Addr
-	port       uint16
-	serverName string
+type ResolvedObject struct {
+	dbus.BusObject
+	InterfaceIndex int32
 }

 func NewResolvedResolver(ctx context.Context, logger logger.ContextLogger) (ResolvedResolver, error) {
@@ -99,31 +82,17 @@ func (t *DBusResolvedResolver) Start() error {
 		"org.freedesktop.DBus",
 		"NameOwnerChanged",
 		dbus.WithMatchSender("org.freedesktop.DBus"),
-		dbus.WithMatchArg(0, "org.freedesktop.resolve1"),
-	).Err
-	if err != nil {
-		return E.Cause(err, "configure resolved restart listener")
-	}
-	err = t.systemBus.BusObject().AddMatchSignal(
-		"org.freedesktop.DBus.Properties",
-		"PropertiesChanged",
-		dbus.WithMatchSender("org.freedesktop.resolve1"),
 		dbus.WithMatchArg(0, "org.freedesktop.resolve1.Manager"),
 	).Err
 	if err != nil {
-		return E.Cause(err, "configure resolved properties listener")
+		return E.Cause(err, "configure resolved restart listener")
 	}
 	go t.loopUpdateStatus()
 	return nil
 }

 func (t *DBusResolvedResolver) Close() error {
-	var closeErr error
 	t.closeOnce.Do(func() {
-		serverSet := t.savedServerSet.Swap(nil)
-		if serverSet != nil {
-			closeErr = serverSet.Close()
-		}
 		if t.interfaceCallback != nil {
 			t.interfaceMonitor.UnregisterCallback(t.interfaceCallback)
 		}
@@ -131,97 +100,99 @@ func (t *DBusResolvedResolver) Close() error {
 			_ = t.systemBus.Close()
 		}
 	})
-	return closeErr
+	return nil
 }

-func (t *DBusResolvedResolver) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	serverSet := t.savedServerSet.Load()
-	if serverSet == nil {
-		var err error
-		serverSet, err = t.checkResolved(context.Background())
-		if err != nil {
-			return nil, err
-		}
-		previousServerSet := t.savedServerSet.Swap(serverSet)
-		if previousServerSet != nil {
-			_ = previousServerSet.Close()
+func (t *DBusResolvedResolver) Object() any {
+	return common.PtrOrNil(t.resoledObject.Load())
+}
+
+func (t *DBusResolvedResolver) Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	question := message.Question[0]
+	resolvedObject := object.(*ResolvedObject)
+	call := resolvedObject.CallWithContext(
+		ctx,
+		"org.freedesktop.resolve1.Manager.ResolveRecord",
+		0,
+		resolvedObject.InterfaceIndex,
+		question.Name,
+		question.Qclass,
+		question.Qtype,
+		uint64(0),
+	)
+	if call.Err != nil {
+		var dbusError dbus.Error
+		if errors.As(call.Err, &dbusError) && dbusError.Name == "org.freedesktop.resolve1.NoNameServers" {
+			t.updateStatus()
 		}
+		return nil, E.Cause(call.Err, " resolve record via resolved")
 	}
-	response, err := t.exchangeServerSet(ctx, message, serverSet)
-	if err == nil {
-		return response, nil
-	}
-	t.updateStatus()
-	refreshedServerSet := t.savedServerSet.Load()
-	if refreshedServerSet == nil || refreshedServerSet == serverSet {
+	var (
+		records  []resolved.ResourceRecord
+		outflags uint64
+	)
+	err := call.Store(&records, &outflags)
+	if err != nil {
 		return nil, err
 	}
-	return t.exchangeServerSet(ctx, message, refreshedServerSet)
+	response := &mDNS.Msg{
+		MsgHdr: mDNS.MsgHdr{
+			Id:                 message.Id,
+			Response:           true,
+			Authoritative:      true,
+			RecursionDesired:   true,
+			RecursionAvailable: true,
+			Rcode:              mDNS.RcodeSuccess,
+		},
+		Question: []mDNS.Question{question},
+	}
+	for _, record := range records {
+		var rr mDNS.RR
+		rr, _, err = mDNS.UnpackRR(record.Data, 0)
+		if err != nil {
+			return nil, E.Cause(err, "unpack resource record")
+		}
+		response.Answer = append(response.Answer, rr)
+	}
+	return response, nil
 }

 func (t *DBusResolvedResolver) loopUpdateStatus() {
 	signalChan := make(chan *dbus.Signal, 1)
 	t.systemBus.Signal(signalChan)
 	for signal := range signalChan {
-		switch signal.Name {
-		case "org.freedesktop.DBus.NameOwnerChanged":
-			if len(signal.Body) != 3 {
-				continue
-			}
-			newOwner, loaded := signal.Body[2].(string)
-			if !loaded || newOwner == "" {
-				continue
-			}
-			t.updateStatus()
-		case "org.freedesktop.DBus.Properties.PropertiesChanged":
-			if !shouldUpdateResolvedServerSet(signal) {
+		var restarted bool
+		if signal.Name == "org.freedesktop.DBus.NameOwnerChanged" {
+			if len(signal.Body) != 3 || signal.Body[2].(string) == "" {
 				continue
+			} else {
+				restarted = true
 			}
+		}
+		if restarted {
 			t.updateStatus()
 		}
 	}
 }

 func (t *DBusResolvedResolver) updateStatus() {
-	serverSet, err := t.checkResolved(context.Background())
-	oldServerSet := t.savedServerSet.Swap(serverSet)
-	if oldServerSet != nil {
-		_ = oldServerSet.Close()
-	}
+	dbusObject, err := t.checkResolved(context.Background())
+	oldValue := t.resoledObject.Swap(dbusObject)
 	if err != nil {
 		var dbusErr dbus.Error
-		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwner" {
+		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwnerCould" {
 			t.logger.Debug(E.Cause(err, "systemd-resolved service unavailable"))
 		}
-		if oldServerSet != nil {
+		if oldValue != nil {
 			t.logger.Debug("systemd-resolved service is gone")
 		}
 		return
-	} else if oldServerSet == nil {
+	} else if oldValue == nil {
 		t.logger.Debug("using systemd-resolved service as resolver")
 	}
 }

-func (t *DBusResolvedResolver) exchangeServerSet(ctx context.Context, message *mDNS.Msg, serverSet *resolvedServerSet) (*mDNS.Msg, error) {
-	if serverSet == nil || len(serverSet.servers) == 0 {
-		return nil, E.New("link has no DNS servers configured")
-	}
-	var lastError error
-	for _, server := range serverSet.servers {
-		response, err := server.primaryTransport.Exchange(ctx, message)
-		if err != nil && server.fallbackTransport != nil {
-			response, err = server.fallbackTransport.Exchange(ctx, message)
-		}
-		if err != nil {
-			lastError = err
-			continue
-		}
-		return response, nil
-	}
-	return nil, lastError
-}
-
-func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*resolvedServerSet, error) {
+func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObject, error) {
 	dbusObject := t.systemBus.Object("org.freedesktop.resolve1", "/org/freedesktop/resolve1")
 	err := dbusObject.Call("org.freedesktop.DBus.Peer.Ping", 0).Err
 	if err != nil {
@@ -249,19 +220,16 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*resolvedServ
 	if linkObject == nil {
 		return nil, E.New("missing link object for default interface")
 	}
-	dnsOverTLSMode, err := loadResolvedLinkDNSOverTLS(linkObject)
+	dnsProp, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
 	if err != nil {
 		return nil, err
 	}
-	linkDNSEx, err := loadResolvedLinkDNSEx(linkObject)
+	var linkDNS []resolved.LinkDNS
+	err = dnsProp.Store(&linkDNS)
 	if err != nil {
 		return nil, err
 	}
-	linkDNS, err := loadResolvedLinkDNS(linkObject)
-	if err != nil {
-		return nil, err
-	}
-	if len(linkDNSEx) == 0 && len(linkDNS) == 0 {
+	if len(linkDNS) == 0 {
 		for _, inbound := range service.FromContext[adapter.InboundManager](t.ctx).Inbounds() {
 			if inbound.Type() == C.TypeTun {
 				return nil, E.New("No appropriate name servers or networks for name found")
@@ -269,233 +237,12 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*resolvedServ
 		}
 		return nil, E.New("link has no DNS servers configured")
 	}
-	serverDialer, err := dialer.NewDefault(t.ctx, option.DialerOptions{
-		BindInterface:      defaultInterface.Name,
-		UDPFragmentDefault: true,
-	})
-	if err != nil {
-		return nil, err
-	}
-	var serverSpecifications []resolvedServerSpecification
-	if len(linkDNSEx) > 0 {
-		for _, entry := range linkDNSEx {
-			serverSpecification, loaded := buildResolvedServerSpecification(defaultInterface.Name, entry.Address, entry.Port, entry.Name)
-			if !loaded {
-				continue
-			}
-			serverSpecifications = append(serverSpecifications, serverSpecification)
-		}
-	} else {
-		for _, entry := range linkDNS {
-			serverSpecification, loaded := buildResolvedServerSpecification(defaultInterface.Name, entry.Address, 0, "")
-			if !loaded {
-				continue
-			}
-			serverSpecifications = append(serverSpecifications, serverSpecification)
-		}
-	}
-	if len(serverSpecifications) == 0 {
-		return nil, E.New("no valid DNS servers on link")
-	}
-	serverSet := &resolvedServerSet{
-		servers: make([]resolvedServer, 0, len(serverSpecifications)),
-	}
-	for _, serverSpecification := range serverSpecifications {
-		server, createErr := t.createResolvedServer(serverDialer, dnsOverTLSMode, serverSpecification)
-		if createErr != nil {
-			_ = serverSet.Close()
-			return nil, createErr
-		}
-		serverSet.servers = append(serverSet.servers, server)
-	}
-	return serverSet, nil
-}
-
-func (t *DBusResolvedResolver) createResolvedServer(serverDialer N.Dialer, dnsOverTLSMode string, serverSpecification resolvedServerSpecification) (resolvedServer, error) {
-	if dnsOverTLSMode == "yes" {
-		primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, true)
-		if err != nil {
-			return resolvedServer{}, err
-		}
-		return resolvedServer{
-			primaryTransport: primaryTransport,
-		}, nil
-	}
-	if dnsOverTLSMode == "opportunistic" {
-		primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, true)
-		if err != nil {
-			return resolvedServer{}, err
-		}
-		fallbackTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, false)
-		if err != nil {
-			_ = primaryTransport.Close()
-			return resolvedServer{}, err
-		}
-		return resolvedServer{
-			primaryTransport:  primaryTransport,
-			fallbackTransport: fallbackTransport,
-		}, nil
-	}
-	primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, false)
-	if err != nil {
-		return resolvedServer{}, err
-	}
-	return resolvedServer{
-		primaryTransport: primaryTransport,
+	return &ResolvedObject{
+		BusObject:      dbusObject,
+		InterfaceIndex: int32(defaultInterface.Index),
 	}, nil
 }

-func (t *DBusResolvedResolver) createResolvedTransport(serverDialer N.Dialer, serverSpecification resolvedServerSpecification, useTLS bool) (adapter.DNSTransport, error) {
-	serverAddress := M.SocksaddrFrom(serverSpecification.address, resolvedServerPort(serverSpecification.port, useTLS))
-	if useTLS {
-		tlsAddress := serverSpecification.address
-		if tlsAddress.Zone() != "" {
-			tlsAddress = tlsAddress.WithZone("")
-		}
-		serverName := serverSpecification.serverName
-		if serverName == "" {
-			serverName = tlsAddress.String()
-		}
-		tlsConfig, err := tls.NewClient(t.ctx, t.logger, tlsAddress.String(), option.OutboundTLSOptions{
-			Enabled:    true,
-			ServerName: serverName,
-		})
-		if err != nil {
-			return nil, err
-		}
-		serverTransport := dnsTransport.NewTLSRaw(t.logger, dns.NewTransportAdapter(C.DNSTypeTLS, "", nil), serverDialer, serverAddress, tlsConfig)
-		err = serverTransport.Start(adapter.StartStateStart)
-		if err != nil {
-			_ = serverTransport.Close()
-			return nil, err
-		}
-		return serverTransport, nil
-	}
-	serverTransport := dnsTransport.NewUDPRaw(t.logger, dns.NewTransportAdapter(C.DNSTypeUDP, "", nil), serverDialer, serverAddress)
-	err := serverTransport.Start(adapter.StartStateStart)
-	if err != nil {
-		_ = serverTransport.Close()
-		return nil, err
-	}
-	return serverTransport, nil
-}
-
-func (s *resolvedServerSet) Close() error {
-	var errors []error
-	for _, server := range s.servers {
-		errors = append(errors, server.primaryTransport.Close())
-		if server.fallbackTransport != nil {
-			errors = append(errors, server.fallbackTransport.Close())
-		}
-	}
-	return E.Errors(errors...)
-}
-
-func buildResolvedServerSpecification(interfaceName string, rawAddress []byte, port uint16, serverName string) (resolvedServerSpecification, bool) {
-	address, loaded := netip.AddrFromSlice(rawAddress)
-	if !loaded {
-		return resolvedServerSpecification{}, false
-	}
-	if address.Is6() && address.IsLinkLocalUnicast() && address.Zone() == "" {
-		address = address.WithZone(interfaceName)
-	}
-	return resolvedServerSpecification{
-		address:    address,
-		port:       port,
-		serverName: serverName,
-	}, true
-}
-
-func resolvedServerPort(port uint16, useTLS bool) uint16 {
-	if port > 0 {
-		return port
-	}
-	if useTLS {
-		return 853
-	}
-	return 53
-}
-
-func loadResolvedLinkDNS(linkObject dbus.BusObject) ([]resolved.LinkDNS, error) {
-	dnsProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
-	if err != nil {
-		if isResolvedUnknownPropertyError(err) {
-			return nil, nil
-		}
-		return nil, err
-	}
-	var linkDNS []resolved.LinkDNS
-	err = dnsProperty.Store(&linkDNS)
-	if err != nil {
-		return nil, err
-	}
-	return linkDNS, nil
-}
-
-func loadResolvedLinkDNSEx(linkObject dbus.BusObject) ([]resolved.LinkDNSEx, error) {
-	dnsProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNSEx")
-	if err != nil {
-		if isResolvedUnknownPropertyError(err) {
-			return nil, nil
-		}
-		return nil, err
-	}
-	var linkDNSEx []resolved.LinkDNSEx
-	err = dnsProperty.Store(&linkDNSEx)
-	if err != nil {
-		return nil, err
-	}
-	return linkDNSEx, nil
-}
-
-func loadResolvedLinkDNSOverTLS(linkObject dbus.BusObject) (string, error) {
-	dnsOverTLSProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNSOverTLS")
-	if err != nil {
-		if isResolvedUnknownPropertyError(err) {
-			return "", nil
-		}
-		return "", err
-	}
-	var dnsOverTLSMode string
-	err = dnsOverTLSProperty.Store(&dnsOverTLSMode)
-	if err != nil {
-		return "", err
-	}
-	return dnsOverTLSMode, nil
-}
-
-func isResolvedUnknownPropertyError(err error) bool {
-	var dbusError dbus.Error
-	return errors.As(err, &dbusError) && dbusError.Name == "org.freedesktop.DBus.Error.UnknownProperty"
-}
-
-func shouldUpdateResolvedServerSet(signal *dbus.Signal) bool {
-	if len(signal.Body) != 3 {
-		return true
-	}
-	changedProperties, loaded := signal.Body[1].(map[string]dbus.Variant)
-	if !loaded {
-		return true
-	}
-	for propertyName := range changedProperties {
-		switch propertyName {
-		case "DNS", "DNSEx", "DNSOverTLS":
-			return true
-		}
-	}
-	invalidatedProperties, loaded := signal.Body[2].([]string)
-	if !loaded {
-		return true
-	}
-	for _, propertyName := range invalidatedProperties {
-		switch propertyName {
-		case "DNS", "DNSEx", "DNSOverTLS":
-			return true
-		}
-	}
-	return false
-}
-
 func (t *DBusResolvedResolver) updateDefaultInterface(defaultInterface *control.Interface, flags int) {
 	t.updateStatus()
 }
--- a/dns/transport/local/resolv_windows.go
+++ b/dns/transport/local/resolv_windows.go
@@ -5,7 +5,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strconv"
 	"syscall"
 	"time"
 	"unsafe"
@@ -64,9 +63,6 @@ func dnsReadConfig(ctx context.Context, _ string) *dnsConfig {
 					continue
 				}
 				dnsServerAddr = netip.AddrFrom16(sockaddr.Addr)
-				if sockaddr.ZoneId != 0 {
-					dnsServerAddr = dnsServerAddr.WithZone(strconv.FormatInt(int64(sockaddr.ZoneId), 10))
-				}
 			default:
 				// Unexpected type.
 				continue
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,44 +2,10 @@
 icon: material/alert-decagram
 ---

-#### 1.13.3
-
-* Add OpenWrt and Alpine APK packages to release **1**
-* Backport to macOS 10.13 High Sierra **2**
-* OCM service: Add WebSocket support for Responses API **3**
-* Fixes and improvements
-
-**1**:
-
-Alpine APK files use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix:
-
- OpenWrt: `sing-box_{version}_openwrt_{architecture}.apk`
- Alpine: `sing-box_{version}_linux_{architecture}.apk`
-
-**2**:
-
-Legacy macOS binaries (with `-legacy-macos-10.13` suffix) now support
-macOS 10.13 High Sierra, built using Go 1.25 with patches
-from [SagerNet/go](https://github.com/SagerNet/go).
-
-**3**:
-
-See [OCM](/configuration/service/ocm).
-
-#### 1.13.2
+#### 1.13.0-rc.3

 * Fixes and improvements

-#### 1.13.1
-
-* Fixes and improvements
-
-#### 1.12.14
-
-* Backport fixes
-
-#### 1.13.0
-
 Important changes since 1.12:

 * Add NaiveProxy outbound **1**
@@ -56,7 +22,7 @@ Important changes since 1.12:
 * Improve `local` DNS server **12**
 * Add `disable_tcp_keep_alive`, `tcp_keep_alive` and `tcp_keep_alive_interval` options for listen and dial fields **13**
 * Add `bind_address_no_port` option for dial fields **14**
-* Add system interface, relay server and advertise tags options for Tailscale endpoint **15**
+* Add system interface and relay server options for Tailscale endpoint **15**
 * Add Claude Code Multiplexer service **16**
 * Add OpenAI Codex Multiplexer service **17**
 * Apple/Android: Refactor GUI
@@ -170,7 +136,6 @@ See [Dial Fields](/configuration/shared/dial/#bind_address_no_port).

 Tailscale endpoint can now create a system TUN interface to handle traffic directly.
 New `relay_server_port` and `relay_server_static_endpoints` options for incoming relay connections.
-New `advertise_tags` option for ACL tag advertisement.

 See [Tailscale endpoint](/configuration/endpoint/tailscale/).

@@ -204,22 +169,6 @@ Also, documentation has been updated with a warning about uTLS fingerprinting vu
 uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
 use NaiveProxy instead for TLS fingerprint resistance.

-#### 1.12.23
-
-* Fixes and improvements
-
-#### 1.13.0-rc.5
-
-* Add `mipsle`, `mips64le`, `riscv64` and `loong64` support for NaiveProxy outbound
-
-#### 1.12.22
-
-* Fixes and improvements
-
-#### 1.13.0-rc.3
-
-* Fixes and improvements
-
 #### 1.12.21

 * Fixes and improvements
--- a/docs/configuration/endpoint/tailscale.md
+++ b/docs/configuration/endpoint/tailscale.md
@@ -8,8 +8,7 @@ icon: material/new-box
    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
    :material-plus: [system_interface](#system_interface)  
    :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)  
-    :material-plus: [advertise_tags](#advertise_tags)
+    :material-plus: [system_interface_mtu](#system_interface_mtu)

 !!! question "Since sing-box 1.12.0"

@@ -29,7 +28,6 @@ icon: material/new-box
  "exit_node_allow_lan_access": false,
  "advertise_routes": [],
  "advertise_exit_node": false,
-  "advertise_tags": [],
  "relay_server_port": 0,
  "relay_server_static_endpoints": [],
  "system_interface": false,
@@ -104,14 +102,6 @@ Example: `["192.168.1.1/24"]`

 Indicates whether the node should advertise itself as an exit node.

-#### advertise_tags
-
-!!! question "Since sing-box 1.13.0"
-
-Tags to advertise for this node, for ACL enforcement purposes.
-
-Example: `["tag:server"]`
-
 #### relay_server_port

 !!! question "Since sing-box 1.13.0"
--- a/docs/configuration/endpoint/tailscale.zh.md
+++ b/docs/configuration/endpoint/tailscale.zh.md
@@ -8,8 +8,7 @@ icon: material/new-box
    :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
    :material-plus: [system_interface](#system_interface)  
    :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)  
-    :material-plus: [advertise_tags](#advertise_tags)
+    :material-plus: [system_interface_mtu](#system_interface_mtu)

 !!! question "自 sing-box 1.12.0 起"

@@ -29,7 +28,6 @@ icon: material/new-box
  "exit_node_allow_lan_access": false,
  "advertise_routes": [],
  "advertise_exit_node": false,
-  "advertise_tags": [],
  "relay_server_port": 0,
  "relay_server_static_endpoints": [],
  "system_interface": false,
@@ -103,14 +101,6 @@ icon: material/new-box

 指示节点是否应将自己通告为出口节点。

-#### advertise_tags
-
-!!! question "自 sing-box 1.13.0 起"
-
-为此节点通告的标签，用于 ACL 执行。
-
-示例：`["tag:server"]`
-
 #### relay_server_port

 !!! question "自 sing-box 1.13.0 起"
--- a/docs/configuration/inbound/hysteria2.zh.md
+++ b/docs/configuration/inbound/hysteria2.zh.md
@@ -38,7 +38,7 @@ icon: material/alert-decagram
 !!! warning "与官方 Hysteria2 的区别"

    官方程序支持一种名为 **userpass** 的验证方式，
-    本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
    要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。

 ### 监听字段
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -2,10 +2,6 @@
 icon: material/new-box
 ---

-!!! quote "Changes in sing-box 1.13.3"
-
-    :material-alert: [strict_route](#strict_route)
-
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
@@ -352,9 +348,6 @@ Enforce strict routing rules when `auto_route` is enabled:

 * Let unsupported network unreachable
 * For legacy reasons, when neither `strict_route` nor `auto_redirect` are enabled, all ICMP traffic will not go through TUN.
-* When `auto_redirect` is enabled, `strict_route` also affects `SO_BINDTODEVICE` traffic:
-    * Enabled: `SO_BINDTODEVICE` traffic is redirected through sing-box.
-    * Disabled: `SO_BINDTODEVICE` traffic bypasses sing-box.

 *In Windows*:

--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -2,10 +2,6 @@
 icon: material/new-box
 ---

-!!! quote "sing-box 1.13.3 中的更改"
-
-    :material-alert: [strict_route](#strict_route)
-
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
@@ -351,9 +347,6 @@ tun 接口的 IPv6 前缀。

 * 使不支持的网络不可达。
 * 出于历史遗留原因，当未启用 `strict_route` 或 `auto_redirect` 时，所有 ICMP 流量将不会通过 TUN。
-* 当启用 `auto_redirect` 时，`strict_route` 也影响 `SO_BINDTODEVICE` 流量：
-    * 启用：`SO_BINDTODEVICE` 流量被重定向通过 sing-box。
-    * 禁用：`SO_BINDTODEVICE` 流量绕过 sing-box。

 *在 Windows 中*：

--- a/docs/configuration/outbound/hysteria2.zh.md
+++ b/docs/configuration/outbound/hysteria2.zh.md
@@ -38,7 +38,7 @@
 !!! warning "与官方 Hysteria2 的区别"

    官方程序支持一种名为 **userpass** 的验证方式，
-    本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
    要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。

 ### 字段
--- a/docs/configuration/outbound/naive.md
+++ b/docs/configuration/outbound/naive.md
@@ -34,12 +34,10 @@ icon: material/new-box

    | Build Variant | Platforms | Description |
    |---------------|-----------|-------------|
-    | (no suffix) | Linux amd64/arm64 | purego build, `libcronet.so` included |
-    | `-glibc` | Linux 386/amd64/arm/arm64/mipsle/mips64le/riscv64/loong64 | CGO build, dynamically linked with glibc, requires glibc >= 2.31 (loong64: >= 2.36) |
-    | `-musl` | Linux 386/amd64/arm/arm64/mipsle/riscv64/loong64 | CGO build, statically linked with musl |
-    | (no suffix) | Windows amd64/arm64 | purego build, `libcronet.dll` included |
-
-    For Linux, choose the glibc or musl variant based on your distribution's libc type.
+    | (default)     | Linux amd64/arm64 | purego build with `libcronet.so` included |
+    | `-glibc`      | Linux 386/amd64/arm/arm64 | CGO build dynamically linked with glibc, requires glibc >= 2.31 |
+    | `-musl`       | Linux 386/amd64/arm/arm64 | CGO build statically linked with musl, no system requirements |
+    | (default)     | Windows amd64/arm64 | purego build with `libcronet.dll` included |

    **Runtime Requirements:**

--- a/docs/configuration/outbound/naive.zh.md
+++ b/docs/configuration/outbound/naive.zh.md
@@ -32,14 +32,12 @@ icon: material/new-box

    **官方发布版本区别：**

-    | 构建变体 | 平台 | 说明 |
-    |---|---|---|
-    | (无后缀) | Linux amd64/arm64 | purego 构建，包含 `libcronet.so` |
-    | `-glibc` | Linux 386/amd64/arm/arm64/mipsle/mips64le/riscv64/loong64 | CGO 构建，动态链接 glibc，要求 glibc >= 2.31（loong64: >= 2.36） |
-    | `-musl` | Linux 386/amd64/arm/arm64/mipsle/riscv64/loong64 | CGO 构建，静态链接 musl |
-    | (无后缀) | Windows amd64/arm64 | purego 构建，包含 `libcronet.dll` |
-
-    对于 Linux，请根据发行版的 libc 类型选择 glibc 或 musl 变体。
+    | 构建变体      | 平台                     | 说明                                       |
+    |-----------|------------------------|------------------------------------------|
+    | (默认)      | Linux amd64/arm64      | purego 构建，包含 `libcronet.so`              |
+    | `-glibc`  | Linux 386/amd64/arm/arm64 | CGO 构建，动态链接 glibc，要求 glibc >= 2.31       |
+    | `-musl`   | Linux 386/amd64/arm/arm64 | CGO 构建，静态链接 musl，无系统要求                   |
+    | (默认)      | Windows amd64/arm64 | purego 构建，包含 `libcronet.dll`             |

    **运行时要求：**

--- a/docs/configuration/service/ccm.md
+++ b/docs/configuration/service/ccm.md
@@ -66,19 +66,7 @@ List of authorized users for token authentication.

 If empty, no authentication is required.

-Object format:
-
-```json
-{
-  "name": "",
-  "token": ""
-}
-```
-
-Object fields:
-
- `name`: Username identifier for tracking purposes.
- `token`: Bearer token for authentication. Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.
+Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.

 #### headers

@@ -96,36 +84,23 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

 ### Example

-#### Server
-
 ```json
 {
  "services": [
    {
      "type": "ccm",
-      "listen": "0.0.0.0",
-      "listen_port": 8080,
-      "usages_path": "./claude-usages.json",
-      "users": [
-        {
-          "name": "alice",
-          "token": "ak-ccm-hello-world"
-        },
-        {
-          "name": "bob",
-          "token": "ak-ccm-hello-bob"
-        }
-      ]
+      "listen": "127.0.0.1",
+      "listen_port": 8080
    }
  ]
 }
 ```

-#### Client
+Connect to the CCM service:

 ```bash
 export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
-export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"
+export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"

 claude
 ```
--- a/docs/configuration/service/ccm.zh.md
+++ b/docs/configuration/service/ccm.zh.md
@@ -66,19 +66,7 @@ Claude Code OAuth 凭据文件的路径。

 如果为空，则不需要身份验证。

-对象格式：
-
-```json
-{
-  "name": "",
-  "token": ""
-}
-```
-
-对象字段：
-
- `name`：用于跟踪的用户名标识符。
- `token`：用于身份验证的 Bearer 令牌。Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。
+Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。

 #### headers

@@ -96,36 +84,23 @@ TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 ### 示例

-#### 服务端
-
 ```json
 {
  "services": [
    {
      "type": "ccm",
-      "listen": "0.0.0.0",
-      "listen_port": 8080,
-      "usages_path": "./claude-usages.json",
-      "users": [
-        {
-          "name": "alice",
-          "token": "ak-ccm-hello-world"
-        },
-        {
-          "name": "bob",
-          "token": "ak-ccm-hello-bob"
-        }
-      ]
+      "listen": "127.0.0.1",
+      "listen_port": 8080
    }
  ]
 }
 ```

-#### 客户端
+连接到 CCM 服务：

 ```bash
 export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
-export ANTHROPIC_AUTH_TOKEN="ak-ccm-hello-world"
+export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"

 claude
 ```
--- a/docs/configuration/service/ocm.md
+++ b/docs/configuration/service/ocm.md
@@ -37,9 +37,7 @@ See [Listen Fields](/configuration/shared/listen/) for details.

 Path to the OpenAI OAuth credentials file.

-If not specified, defaults to:
- `$CODEX_HOME/auth.json` if `CODEX_HOME` environment variable is set
- `~/.codex/auth.json` otherwise
+If not specified, defaults to `~/.codex/auth.json`.

 Refreshed tokens are automatically written back to the same location.

@@ -113,23 +111,17 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
 Add to `~/.codex/config.toml`:

 ```toml
-# profile = "ocm"                # set as default profile
-
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-supports_websockets = true
-
-[profiles.ocm]
-model_provider = "ocm"
-# model = "gpt-5.4"              # if the latest model is not yet publicly released
-# model_reasoning_effort = "xhigh"
+wire_api = "responses"
+requires_openai_auth = false
 ```

 Then run:

 ```bash
-codex --profile ocm
+codex --model-provider ocm
 ```

 ### Example with Authentication
@@ -147,11 +139,11 @@ codex --profile ocm
      "users": [
        {
          "name": "alice",
-          "token": "sk-ocm-hello-world"
+          "token": "sk-alice-secret-token"
        },
        {
          "name": "bob",
-          "token": "sk-ocm-hello-bob"
+          "token": "sk-bob-secret-token"
        }
      ]
    }
@@ -164,22 +156,16 @@ codex --profile ocm
 Add to `~/.codex/config.toml`:

 ```toml
-# profile = "ocm"                # set as default profile
-
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-supports_websockets = true
-experimental_bearer_token = "sk-ocm-hello-world"
-
-[profiles.ocm]
-model_provider = "ocm"
-# model = "gpt-5.4"              # if the latest model is not yet publicly released
-# model_reasoning_effort = "xhigh"
+wire_api = "responses"
+requires_openai_auth = false
+experimental_bearer_token = "sk-alice-secret-token"
 ```

 Then run:

 ```bash
-codex --profile ocm
+codex --model-provider ocm
 ```
--- a/docs/configuration/service/ocm.zh.md
+++ b/docs/configuration/service/ocm.zh.md
@@ -37,9 +37,7 @@ OCM（OpenAI Codex 多路复用器）服务是一个多路复用服务，允许

 OpenAI OAuth 凭据文件的路径。

-如果未指定，默认值为：
- 如果设置了 `CODEX_HOME` 环境变量，则使用 `$CODEX_HOME/auth.json`
- 否则使用 `~/.codex/auth.json`
+如果未指定，默认值为 `~/.codex/auth.json`。

 刷新的令牌会自动写回相同位置。

@@ -113,24 +111,17 @@ TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 在 `~/.codex/config.toml` 中添加：

 ```toml
-# profile = "ocm"                # 设为默认配置
-
-
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-supports_websockets = true
-
-[profiles.ocm]
-model_provider = "ocm"
-# model = "gpt-5.4"              # 如果最新模型尚未公开发布
-# model_reasoning_effort = "xhigh"
+wire_api = "responses"
+requires_openai_auth = false
 ```

 然后运行：

 ```bash
-codex --profile ocm
+codex --model-provider ocm
 ```

 ### 带身份验证的示例
@@ -148,11 +139,11 @@ codex --profile ocm
      "users": [
        {
          "name": "alice",
-          "token": "sk-ocm-hello-world"
+          "token": "sk-alice-secret-token"
        },
        {
          "name": "bob",
-          "token": "sk-ocm-hello-bob"
+          "token": "sk-bob-secret-token"
        }
      ]
    }
@@ -165,22 +156,16 @@ codex --profile ocm
 在 `~/.codex/config.toml` 中添加：

 ```toml
-# profile = "ocm"                # 设为默认配置
-
 [model_providers.ocm]
 name = "OCM Proxy"
 base_url = "http://127.0.0.1:8080/v1"
-supports_websockets = true
-experimental_bearer_token = "sk-ocm-hello-world"
-
-[profiles.ocm]
-model_provider = "ocm"
-# model = "gpt-5.4"              # 如果最新模型尚未公开发布
-# model_reasoning_effort = "xhigh"
+wire_api = "responses"
+requires_openai_auth = false
+experimental_bearer_token = "sk-alice-secret-token"
 ```

 然后运行：

 ```bash
-codex --profile ocm
+codex --model-provider ocm
 ```
--- a/docs/installation/build-from-source.md
+++ b/docs/installation/build-from-source.md
@@ -57,49 +57,25 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️    | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:     | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️    | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale).                                                                                                                                                                                                                                     |
-| `with_ccm`                         | :material-check:     | Build with Claude Code Multiplexer service support.                                                                                                                                                                                                                                                                            |
-| `with_ocm`                         | :material-check:     | Build with OpenAI Codex Multiplexer service support.                                                                                                                                                                                                                                                                           |
-| `with_naive_outbound`              | :material-check:     | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/).                                                                                                                                                                                                                             |
-| `badlinkname`                      | :material-check:     | Enable `go:linkname` access to internal standard library functions. Required because the Go standard library does not expose many low-level APIs needed by this project, and reimplementing them externally is impractical. Used for kTLS (kernel TLS offload) and raw TLS record manipulation.                                 |
-| `tfogo_checklinkname0`             | :material-check:     | Companion to `badlinkname`. Go 1.23+ enforces `go:linkname` restrictions via the linker; this tag signals the build uses `-checklinkname=0` to bypass that enforcement.                                                                                                                                                       |
+| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
+| `with_naive_outbound`              | :material-close:️    | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/).                                                                                                                                                                                                                             |

 It is not recommended to change the default build tag list unless you really know what you are adding.

-## :material-wrench: Linker Flags
-
-The following `-ldflags` are used in official builds:
-
-| Flag                                                        | Description                                                                                                                                                                                                             |
-|-------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'`      | Go 1.24 enabled Multipath TCP for listeners by default (`multipathtcp=2`). This may cause errors on low-level sockets, and sing-box has its own MPTCP control (`tcp_multi_path` option). This flag disables the Go default. |
-| `-checklinkname=0`                                          | Go 1.23+ linker rejects unauthorized `go:linkname` usage. This flag disables the check, required together with the `badlinkname` build tag.                                                                            |
-
-## :material-package-variant: For Downstream Packagers
-
-The default build tag lists and linker flags are available as files in the repository for downstream packagers to reference directly:
-
-| File | Description |
-|------|-------------|
-| `release/DEFAULT_BUILD_TAGS` | Default for Linux (common architectures), Darwin, and Android. |
-| `release/DEFAULT_BUILD_TAGS_WINDOWS` | Default for Windows (includes `with_purego`). |
-| `release/DEFAULT_BUILD_TAGS_OTHERS` | Default for other platforms (no `with_naive_outbound`). |
-| `release/LDFLAGS` | Required linker flags (see above). |
-
 ## :material-layers: with_naive_outbound

 NaiveProxy outbound requires special build configurations depending on your target platform.

 ### Supported Platforms

-| Platform        | Architectures                                          | Mode   | Requirements                                                    |
-|-----------------|--------------------------------------------------------|--------|-----------------------------------------------------------------|
-| Linux           | amd64, arm64                                           | purego | None (library included in official releases)                    |
-| Linux           | 386, amd64, arm, arm64, mipsle, mips64le, riscv64, loong64 | CGO    | Chromium toolchain, glibc >= 2.31 (loong64: >= 2.36) at runtime |
-| Linux (musl)    | 386, amd64, arm, arm64, mipsle, riscv64, loong64       | CGO    | Chromium toolchain                                              |
-| Windows         | amd64, arm64                                           | purego | None (library included in official releases)                    |
-| Apple platforms | *                                                      | CGO    | Xcode                                                           |
-| Android         | *                                                      | CGO    | Android NDK                                                     |
+| Platform        | Architectures          | Mode   | Requirements                                      |
+|-----------------|------------------------|--------|---------------------------------------------------|
+| Linux           | amd64, arm64           | purego | None (library included in official releases)      |
+| Linux           | 386, amd64, arm, arm64 | CGO    | Chromium toolchain, glibc >= 2.31 at runtime      |
+| Linux (musl)    | 386, amd64, arm, arm64 | CGO    | Chromium toolchain                                |
+| Windows         | amd64, arm64           | purego | None (library included in official releases)      |
+| Apple platforms | *                      | CGO    | Xcode                                             |
+| Android         | *                      | CGO    | Android NDK                                       |

 ### Windows

--- a/docs/installation/build-from-source.zh.md
+++ b/docs/installation/build-from-source.zh.md
@@ -61,49 +61,25 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:  | 构建 Tailscale 支持，参阅 [Tailscale 端点](/configuration/endpoint/tailscale)。                                                                                                                                                                                                                                                         |
-| `with_ccm`                         | :material-check:  | 构建 Claude Code Multiplexer 服务支持。                                                                                                                                                                                                                                                                                              |
-| `with_ocm`                         | :material-check:  | 构建 OpenAI Codex Multiplexer 服务支持。                                                                                                                                                                                                                                                                                             |
-| `with_naive_outbound`              | :material-check:  | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/configuration/outbound/naive/)。                                                                                                                                                                                                                                                         |
-| `badlinkname`                      | :material-check:  | 启用 `go:linkname` 以访问标准库内部函数。Go 标准库未提供本项目需要的许多底层 API，且在外部重新实现不切实际。用于 kTLS（内核 TLS 卸载）和原始 TLS 记录操作。                                                                                                                                                                                                                           |
-| `tfogo_checklinkname0`             | :material-check:  | `badlinkname` 的伴随标记。Go 1.23+ 链接器强制限制 `go:linkname` 使用；此标记表示构建使用 `-checklinkname=0` 以绕过该限制。                                                                                                                                                                                                                                |
+| `with_tailscale`                   | :material-check:  | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
+| `with_naive_outbound`              | :material-close:️ | 构建 NaiveProxy 出站支持，参阅 [NaiveProxy 出站](/zh/configuration/outbound/naive/)。                                                                                                                                                                                                                                                      |

 除非您确实知道您正在启用什么，否则不建议更改默认构建标签列表。

-## :material-wrench: 链接器标志
-
-以下 `-ldflags` 在官方构建中使用：
-
-| 标志                                                          | 说明                                                                                                                                                         |
-|-------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'`      | Go 1.24 默认为监听器启用 Multipath TCP（`multipathtcp=2`）。这可能在底层 socket 上导致错误，且 sing-box 有自己的 MPTCP 控制（`tcp_multi_path` 选项）。此标志禁用 Go 的默认行为。                             |
-| `-checklinkname=0`                                          | Go 1.23+ 链接器拒绝未授权的 `go:linkname` 使用。此标志禁用该检查，需要与 `badlinkname` 构建标记一起使用。                                                                                   |
-
-## :material-package-variant: 下游打包者
-
-默认构建标签列表和链接器标志以文件形式存放在仓库中，供下游打包者直接引用：
-
-| 文件 | 说明 |
-|------|------|
-| `release/DEFAULT_BUILD_TAGS` | Linux（常见架构）、Darwin 和 Android 的默认标签。 |
-| `release/DEFAULT_BUILD_TAGS_WINDOWS` | Windows 的默认标签（包含 `with_purego`）。 |
-| `release/DEFAULT_BUILD_TAGS_OTHERS` | 其他平台的默认标签（不含 `with_naive_outbound`）。 |
-| `release/LDFLAGS` | 必需的链接器标志（参见上文）。 |
-
 ## :material-layers: with_naive_outbound

 NaiveProxy 出站需要根据目标平台进行特殊的构建配置。

 ### 支持的平台

-| 平台           | 架构                                                       | 模式     | 要求                                                  |
-|--------------|----------------------------------------------------------|--------|-----------------------------------------------------|
-| Linux        | amd64, arm64                                             | purego | 无（官方发布版本已包含库文件）                                     |
-| Linux        | 386, amd64, arm, arm64, mipsle, mips64le, riscv64, loong64 | CGO    | Chromium 工具链，运行时需要 glibc >= 2.31（loong64: >= 2.36） |
-| Linux (musl) | 386, amd64, arm, arm64, mipsle, riscv64, loong64          | CGO    | Chromium 工具链                                        |
-| Windows      | amd64, arm64                                             | purego | 无（官方发布版本已包含库文件）                                     |
-| Apple 平台     | *                                                        | CGO    | Xcode                                               |
-| Android      | *                                                        | CGO    | Android NDK                                          |
+| 平台            | 架构                     | 模式     | 要求                             |
+|---------------|------------------------|--------|--------------------------------|
+| Linux         | amd64, arm64           | purego | 无（官方发布版本已包含库文件）                |
+| Linux         | 386, amd64, arm, arm64 | CGO    | Chromium 工具链，运行时需要 glibc >= 2.31 |
+| Linux (musl)  | 386, amd64, arm, arm64 | CGO    | Chromium 工具链                   |
+| Windows       | amd64, arm64           | purego | 无（官方发布版本已包含库文件）                |
+| Apple 平台      | *                      | CGO    | Xcode                          |
+| Android       | *                      | CGO    | Android NDK                    |

 ### Windows

--- a/docs/installation/tools/install.sh
+++ b/docs/installation/tools/install.sh
@@ -47,17 +47,6 @@ elif command -v rpm >/dev/null 2>&1; then
  arch=$(uname -m)
  package_suffix=".rpm"
  package_install="rpm -i"
-elif command -v apk >/dev/null 2>&1 && [ -f /etc/os-release ] && grep -q OPENWRT_ARCH /etc/os-release; then
-  os="openwrt"
-  . /etc/os-release
-  arch="$OPENWRT_ARCH"
-  package_suffix=".apk"
-  package_install="apk add --allow-untrusted"
-elif command -v apk >/dev/null 2>&1; then
-  os="linux"
-  arch=$(apk --print-arch)
-  package_suffix=".apk"
-  package_install="apk add --allow-untrusted"
 elif command -v opkg >/dev/null 2>&1; then
  os="openwrt"
  . /etc/os-release
--- a/experimental/clashapi/api_meta.go
+++ b/experimental/clashapi/api_meta.go
@@ -2,7 +2,6 @@ package clashapi

 import (
 	"bytes"
-	"context"
 	"net"
 	"net/http"
 	"runtime/debug"
@@ -28,7 +27,7 @@ func (s *Server) setupMetaAPI(r chi.Router) {
 		})
 		r.Mount("/", middleware.Profiler())
 	}
-	r.Get("/memory", memory(s.ctx, s.trafficManager))
+	r.Get("/memory", memory(s.trafficManager))
 	r.Mount("/group", groupRouter(s))
 	r.Mount("/upgrade", upgradeRouter(s))
 }
@@ -38,7 +37,7 @@ type Memory struct {
 	OSLimit uint64 `json:"oslimit"` // maybe we need it in the future
 }

-func memory(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func memory(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var conn net.Conn
 		if r.Header.Get("Upgrade") == "websocket" {
@@ -47,7 +46,6 @@ func memory(ctx context.Context, trafficManager *trafficontrol.Manager) func(w h
 			if err != nil {
 				return
 			}
-			defer conn.Close()
 		}

 		if conn == nil {
@@ -60,12 +58,7 @@ func memory(ctx context.Context, trafficManager *trafficontrol.Manager) func(w h
 		buf := &bytes.Buffer{}
 		var err error
 		first := true
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-tick.C:
-			}
+		for range tick.C {
 			buf.Reset()

 			inuse := trafficManager.Snapshot().Memory
--- a/experimental/clashapi/connections.go
+++ b/experimental/clashapi/connections.go
@@ -2,7 +2,6 @@ package clashapi

 import (
 	"bytes"
-	"context"
 	"net/http"
 	"strconv"
 	"time"
@@ -18,15 +17,15 @@ import (
 	"github.com/gofrs/uuid/v5"
 )

-func connectionRouter(ctx context.Context, router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
+func connectionRouter(router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
 	r := chi.NewRouter()
-	r.Get("/", getConnections(ctx, trafficManager))
+	r.Get("/", getConnections(trafficManager))
 	r.Delete("/", closeAllConnections(router, trafficManager))
 	r.Delete("/{id}", closeConnection(trafficManager))
 	return r
 }

-func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func getConnections(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if r.Header.Get("Upgrade") != "websocket" {
 			snapshot := trafficManager.Snapshot()
@@ -38,7 +37,6 @@ func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager)
 		if err != nil {
 			return
 		}
-		defer conn.Close()

 		intervalStr := r.URL.Query().Get("interval")
 		interval := 1000
@@ -69,12 +67,7 @@ func getConnections(ctx context.Context, trafficManager *trafficontrol.Manager)

 		tick := time.NewTicker(time.Millisecond * time.Duration(interval))
 		defer tick.Stop()
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-tick.C:
-			}
+		for range tick.C {
 			if err = sendSnapshot(); err != nil {
 				break
 			}
--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -115,13 +115,13 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 	chiRouter.Group(func(r chi.Router) {
 		r.Use(authentication(options.Secret))
 		r.Get("/", hello(options.ExternalUI != ""))
-		r.Get("/logs", getLogs(s.ctx, logFactory))
-		r.Get("/traffic", traffic(s.ctx, trafficManager))
+		r.Get("/logs", getLogs(logFactory))
+		r.Get("/traffic", traffic(trafficManager))
 		r.Get("/version", version)
 		r.Mount("/configs", configRouter(s, logFactory))
 		r.Mount("/proxies", proxyRouter(s, s.router))
 		r.Mount("/rules", ruleRouter(s.router))
-		r.Mount("/connections", connectionRouter(s.ctx, s.router, trafficManager))
+		r.Mount("/connections", connectionRouter(s.router, trafficManager))
 		r.Mount("/providers/proxies", proxyProviderRouter())
 		r.Mount("/providers/rules", ruleProviderRouter())
 		r.Mount("/script", scriptRouter())
@@ -303,7 +303,7 @@ type Traffic struct {
 	Down int64 `json:"down"`
 }

-func traffic(ctx context.Context, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func traffic(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var conn net.Conn
 		if r.Header.Get("Upgrade") == "websocket" {
@@ -324,12 +324,7 @@ func traffic(ctx context.Context, trafficManager *trafficontrol.Manager) func(w
 		defer tick.Stop()
 		buf := &bytes.Buffer{}
 		uploadTotal, downloadTotal := trafficManager.Total()
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-tick.C:
-			}
+		for range tick.C {
 			buf.Reset()
 			uploadTotalNew, downloadTotalNew := trafficManager.Total()
 			err := json.NewEncoder(buf).Encode(Traffic{
@@ -360,7 +355,7 @@ type Log struct {
 	Payload string `json:"payload"`
 }

-func getLogs(ctx context.Context, logFactory log.ObservableFactory) func(w http.ResponseWriter, r *http.Request) {
+func getLogs(logFactory log.ObservableFactory) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		levelText := r.URL.Query().Get("level")
 		if levelText == "" {
@@ -399,8 +394,6 @@ func getLogs(ctx context.Context, logFactory log.ObservableFactory) func(w http.
 		var logEntry log.Entry
 		for {
 			select {
-			case <-ctx.Done():
-				return
 			case <-done:
 				return
 			case logEntry = <-subscription:
--- a/experimental/deprecated/constants.go
+++ b/experimental/deprecated/constants.go
@@ -57,6 +57,96 @@ func (n Note) MessageWithLink() string {
 	}
 }

+var OptionBadMatchSource = Note{
+	Name:              "bad-match-source",
+	Description:       "legacy match source rule item",
+	DeprecatedVersion: "1.10.0",
+	ScheduledVersion:  "1.11.0",
+	EnvName:           "BAD_MATCH_SOURCE",
+	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#match-source-rule-items-are-renamed",
+}
+
+var OptionGEOIP = Note{
+	Name:              "geoip",
+	Description:       "geoip database",
+	DeprecatedVersion: "1.8.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "GEOIP",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geoip-to-rule-sets",
+}
+
+var OptionGEOSITE = Note{
+	Name:              "geosite",
+	Description:       "geosite database",
+	DeprecatedVersion: "1.8.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "GEOSITE",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geosite-to-rule-sets",
+}
+
+var OptionTUNAddressX = Note{
+	Name:              "tun-address-x",
+	Description:       "legacy tun address fields",
+	DeprecatedVersion: "1.10.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "TUN_ADDRESS_X",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#tun-address-fields-are-merged",
+}
+
+var OptionSpecialOutbounds = Note{
+	Name:              "special-outbounds",
+	Description:       "legacy special outbounds",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "SPECIAL_OUTBOUNDS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
+}
+
+var OptionInboundOptions = Note{
+	Name:              "inbound-options",
+	Description:       "legacy inbound fields",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "INBOUND_OPTIONS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
+}
+
+var OptionDestinationOverrideFields = Note{
+	Name:              "destination-override-fields",
+	Description:       "destination override fields in direct outbound",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "DESTINATION_OVERRIDE_FIELDS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-destination-override-fields-to-route-options",
+}
+
+var OptionWireGuardOutbound = Note{
+	Name:              "wireguard-outbound",
+	Description:       "legacy wireguard outbound",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "WIREGUARD_OUTBOUND",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-wireguard-outbound-to-endpoint",
+}
+
+var OptionWireGuardGSO = Note{
+	Name:              "wireguard-gso",
+	Description:       "GSO option in wireguard outbound",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "WIREGUARD_GSO",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-wireguard-outbound-to-endpoint",
+}
+
+var OptionTUNGSO = Note{
+	Name:              "tun-gso",
+	Description:       "GSO option in tun",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "TUN_GSO",
+	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#gso-option-in-tun",
+}
+
 var OptionLegacyDNSTransport = Note{
 	Name:              "legacy-dns-transport",
 	Description:       "legacy DNS servers",
@@ -93,6 +183,15 @@ var OptionMissingDomainResolver = Note{
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-outbound-dns-rule-items-to-domain-resolver",
 }

+var OptionLegacyECHOptions = Note{
+	Name:              "legacy-ech-options",
+	Description:       "legacy ECH options",
+	DeprecatedVersion: "1.12.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "LEGACY_ECH_OPTIONS",
+	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#legacy-ech-fields",
+}
+
 var OptionLegacyDomainStrategyOptions = Note{
 	Name:              "legacy-domain-strategy-options",
 	Description:       "legacy domain strategy options",
@@ -103,9 +202,20 @@ var OptionLegacyDomainStrategyOptions = Note{
 }

 var Options = []Note{
+	OptionBadMatchSource,
+	OptionGEOIP,
+	OptionGEOSITE,
+	OptionTUNAddressX,
+	OptionSpecialOutbounds,
+	OptionInboundOptions,
+	OptionDestinationOverrideFields,
+	OptionWireGuardOutbound,
+	OptionWireGuardGSO,
+	OptionTUNGSO,
 	OptionLegacyDNSTransport,
 	OptionLegacyDNSFakeIPOptions,
 	OptionOutboundDNSRuleItem,
 	OptionMissingDomainResolver,
+	OptionLegacyECHOptions,
 	OptionLegacyDomainStrategyOptions,
 }
--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -119,11 +119,7 @@ func dialTarget() (string, func(context.Context, string) (net.Conn, error)) {
 		}
 	}
 	if sCommandServerListenPort == 0 {
-		socketPath := filepath.Join(sBasePath, "command.sock")
-		return "passthrough:///command-socket", func(ctx context.Context, _ string) (net.Conn, error) {
-			var networkDialer net.Dialer
-			return networkDialer.DialContext(ctx, "unix", socketPath)
-		}
+		return "unix://" + filepath.Join(sBasePath, "command.sock"), nil
 	}
 	return net.JoinHostPort("127.0.0.1", strconv.Itoa(int(sCommandServerListenPort))), nil
 }
--- a/experimental/libbox/command_server.go
+++ b/experimental/libbox/command_server.go
@@ -60,7 +60,6 @@ func NewCommandServer(handler CommandServerHandler, platformInterface PlatformIn
 		Handler:     (*platformHandler)(server),
 		Debug:       sDebug,
 		LogMaxLines: sLogMaxLines,
-		OOMKiller:   memoryLimitEnabled,
 		// WorkingDirectory: sWorkingPath,
 		// TempDirectory:    sTempPath,
 		// UserID:           sUserID,
@@ -160,7 +159,6 @@ func (s *CommandServer) Close() {
 		s.grpcServer.Stop()
 	}
 	common.Close(s.listener)
-	s.StartedService.Close()
 }

 type OverrideOptions struct {
--- a/experimental/libbox/fdroid.go
+++ b/experimental/libbox/fdroid.go
@@ -1,493 +0,0 @@
-package libbox
-
-import (
-	"archive/zip"
-	"bytes"
-	"crypto/tls"
-	"encoding/json"
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"path/filepath"
-	"sort"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-const fdroidUserAgent = "F-Droid 1.21.1"
-
-type FDroidUpdateInfo struct {
-	VersionCode int32
-	VersionName string
-	DownloadURL string
-	FileSize    int64
-	FileSHA256  string
-}
-
-type FDroidPingResult struct {
-	URL       string
-	LatencyMs int32
-	Error     string
-}
-
-type FDroidPingResultIterator interface {
-	Len() int32
-	HasNext() bool
-	Next() *FDroidPingResult
-}
-
-type fdroidAPIResponse struct {
-	PackageName          string             `json:"packageName"`
-	SuggestedVersionCode int32              `json:"suggestedVersionCode"`
-	Packages             []fdroidAPIPackage `json:"packages"`
-}
-
-type fdroidAPIPackage struct {
-	VersionName string `json:"versionName"`
-	VersionCode int32  `json:"versionCode"`
-}
-
-type fdroidEntry struct {
-	Timestamp int64                      `json:"timestamp"`
-	Version   int                        `json:"version"`
-	Index     fdroidEntryFile            `json:"index"`
-	Diffs     map[string]fdroidEntryFile `json:"diffs"`
-}
-
-type fdroidEntryFile struct {
-	Name        string `json:"name"`
-	SHA256      string `json:"sha256"`
-	Size        int64  `json:"size"`
-	NumPackages int    `json:"numPackages"`
-}
-
-type fdroidIndexV2 struct {
-	Packages map[string]fdroidV2Package `json:"packages"`
-}
-
-type fdroidV2Package struct {
-	Versions map[string]fdroidV2Version `json:"versions"`
-}
-
-type fdroidV2Version struct {
-	Manifest fdroidV2Manifest `json:"manifest"`
-	File     fdroidV2File     `json:"file"`
-}
-
-type fdroidV2Manifest struct {
-	VersionCode int32  `json:"versionCode"`
-	VersionName string `json:"versionName"`
-}
-
-type fdroidV2File struct {
-	Name   string `json:"name"`
-	SHA256 string `json:"sha256"`
-	Size   int64  `json:"size"`
-}
-
-type fdroidIndexV1 struct {
-	Packages map[string][]fdroidV1Package `json:"packages"`
-}
-
-type fdroidV1Package struct {
-	VersionCode int32  `json:"versionCode"`
-	VersionName string `json:"versionName"`
-	ApkName     string `json:"apkName"`
-	Size        int64  `json:"size"`
-	Hash        string `json:"hash"`
-	HashType    string `json:"hashType"`
-}
-
-type fdroidCache struct {
-	MirrorURL string `json:"mirrorURL"`
-	Timestamp int64  `json:"timestamp"`
-	ETag      string `json:"etag"`
-	IsV1      bool   `json:"isV1,omitempty"`
-}
-
-func CheckFDroidUpdate(mirrorURL, packageName string, currentVersionCode int32, cachePath string) (*FDroidUpdateInfo, error) {
-	mirrorURL = strings.TrimRight(mirrorURL, "/")
-	if strings.Contains(mirrorURL, "f-droid.org") {
-		return checkFDroidAPI(mirrorURL, packageName, currentVersionCode)
-	}
-	client := newFDroidHTTPClient()
-	defer client.CloseIdleConnections()
-	cache := loadFDroidCache(cachePath, mirrorURL)
-	if cache != nil && cache.IsV1 {
-		return checkFDroidV1(client, mirrorURL, packageName, currentVersionCode, cachePath, cache)
-	}
-	return checkFDroidV2(client, mirrorURL, packageName, currentVersionCode, cachePath, cache)
-}
-
-func PingFDroidMirrors(mirrorURLs string) (FDroidPingResultIterator, error) {
-	urls := strings.Split(mirrorURLs, ",")
-	results := make([]*FDroidPingResult, len(urls))
-	var waitGroup sync.WaitGroup
-	for i, rawURL := range urls {
-		waitGroup.Add(1)
-		go func(index int, target string) {
-			defer waitGroup.Done()
-			target = strings.TrimSpace(target)
-			result := &FDroidPingResult{URL: target}
-			latency, err := pingTLS(target)
-			if err != nil {
-				result.LatencyMs = -1
-				result.Error = err.Error()
-			} else {
-				result.LatencyMs = int32(latency.Milliseconds())
-			}
-			results[index] = result
-		}(i, rawURL)
-	}
-	waitGroup.Wait()
-	sort.Slice(results, func(i, j int) bool {
-		if results[i].LatencyMs < 0 {
-			return false
-		}
-		if results[j].LatencyMs < 0 {
-			return true
-		}
-		return results[i].LatencyMs < results[j].LatencyMs
-	})
-	return newIterator(results), nil
-}
-
-func PingFDroidMirror(mirrorURL string) *FDroidPingResult {
-	mirrorURL = strings.TrimSpace(mirrorURL)
-	result := &FDroidPingResult{URL: mirrorURL}
-	latency, err := pingTLS(mirrorURL)
-	if err != nil {
-		result.LatencyMs = -1
-		result.Error = err.Error()
-	} else {
-		result.LatencyMs = int32(latency.Milliseconds())
-	}
-	return result
-}
-
-func newFDroidHTTPClient() *http.Client {
-	return &http.Client{
-		Timeout: 30 * time.Second,
-	}
-}
-
-func newFDroidRequest(requestURL string) (*http.Request, error) {
-	request, err := http.NewRequest("GET", requestURL, nil)
-	if err != nil {
-		return nil, err
-	}
-	request.Header.Set("User-Agent", fdroidUserAgent)
-	return request, nil
-}
-
-func checkFDroidAPI(mirrorURL, packageName string, currentVersionCode int32) (*FDroidUpdateInfo, error) {
-	client := newFDroidHTTPClient()
-	defer client.CloseIdleConnections()
-
-	apiURL := "https://f-droid.org/api/v1/packages/" + packageName
-	request, err := newFDroidRequest(apiURL)
-	if err != nil {
-		return nil, err
-	}
-
-	response, err := client.Do(request)
-	if err != nil {
-		return nil, err
-	}
-	defer response.Body.Close()
-
-	if response.StatusCode != http.StatusOK {
-		return nil, E.New("HTTP ", response.Status)
-	}
-
-	body, err := io.ReadAll(response.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	var apiResponse fdroidAPIResponse
-	err = json.Unmarshal(body, &apiResponse)
-	if err != nil {
-		return nil, err
-	}
-
-	var bestCode int32
-	var bestName string
-	for _, pkg := range apiResponse.Packages {
-		if pkg.VersionCode > currentVersionCode && pkg.VersionCode > bestCode {
-			bestCode = pkg.VersionCode
-			bestName = pkg.VersionName
-		}
-	}
-
-	if bestCode == 0 {
-		return nil, nil
-	}
-
-	return &FDroidUpdateInfo{
-		VersionCode: bestCode,
-		VersionName: bestName,
-		DownloadURL: "https://f-droid.org/repo/" + packageName + "_" + strconv.FormatInt(int64(bestCode), 10) + ".apk",
-	}, nil
-}
-
-func checkFDroidV2(client *http.Client, mirrorURL, packageName string, currentVersionCode int32, cachePath string, cache *fdroidCache) (*FDroidUpdateInfo, error) {
-	entryURL := mirrorURL + "/entry.jar"
-	request, err := newFDroidRequest(entryURL)
-	if err != nil {
-		return nil, err
-	}
-	if cache != nil && cache.ETag != "" {
-		request.Header.Set("If-None-Match", cache.ETag)
-	}
-
-	response, err := client.Do(request)
-	if err != nil {
-		return nil, err
-	}
-	defer response.Body.Close()
-
-	if response.StatusCode == http.StatusNotModified {
-		return nil, nil
-	}
-	if response.StatusCode == http.StatusNotFound {
-		writeFDroidCache(cachePath, mirrorURL, 0, "", true)
-		return checkFDroidV1(client, mirrorURL, packageName, currentVersionCode, cachePath, nil)
-	}
-	if response.StatusCode != http.StatusOK {
-		return nil, E.New("HTTP ", response.Status, ": ", entryURL)
-	}
-
-	jarData, err := io.ReadAll(response.Body)
-	if err != nil {
-		return nil, err
-	}
-	etag := response.Header.Get("ETag")
-
-	var entry fdroidEntry
-	err = readJSONFromJar(jarData, "entry.json", &entry)
-	if err != nil {
-		return nil, E.Cause(err, "read entry.jar")
-	}
-
-	if entry.Timestamp == 0 {
-		return nil, E.New("entry.json not found in entry.jar")
-	}
-
-	if cache != nil && cache.Timestamp == entry.Timestamp {
-		writeFDroidCache(cachePath, mirrorURL, entry.Timestamp, etag, false)
-		return nil, nil
-	}
-
-	var indexURL string
-	if cache != nil {
-		cachedTimestamp := strconv.FormatInt(cache.Timestamp, 10)
-		if diff, ok := entry.Diffs[cachedTimestamp]; ok {
-			indexURL = mirrorURL + "/" + diff.Name
-		}
-	}
-	if indexURL == "" {
-		indexURL = mirrorURL + "/" + entry.Index.Name
-	}
-
-	indexRequest, err := newFDroidRequest(indexURL)
-	if err != nil {
-		return nil, err
-	}
-
-	indexResponse, err := client.Do(indexRequest)
-	if err != nil {
-		return nil, err
-	}
-	defer indexResponse.Body.Close()
-
-	if indexResponse.StatusCode != http.StatusOK {
-		return nil, E.New("HTTP ", indexResponse.Status, ": ", indexURL)
-	}
-
-	indexData, err := io.ReadAll(indexResponse.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	var index fdroidIndexV2
-	err = json.Unmarshal(indexData, &index)
-	if err != nil {
-		return nil, err
-	}
-
-	writeFDroidCache(cachePath, mirrorURL, entry.Timestamp, etag, false)
-
-	pkg, ok := index.Packages[packageName]
-	if !ok {
-		return nil, nil
-	}
-
-	var bestCode int32
-	var bestVersion fdroidV2Version
-	for _, version := range pkg.Versions {
-		if version.Manifest.VersionCode > currentVersionCode && version.Manifest.VersionCode > bestCode {
-			bestCode = version.Manifest.VersionCode
-			bestVersion = version
-		}
-	}
-
-	if bestCode == 0 {
-		return nil, nil
-	}
-
-	return &FDroidUpdateInfo{
-		VersionCode: bestCode,
-		VersionName: bestVersion.Manifest.VersionName,
-		DownloadURL: mirrorURL + "/" + bestVersion.File.Name,
-		FileSize:    bestVersion.File.Size,
-		FileSHA256:  bestVersion.File.SHA256,
-	}, nil
-}
-
-func checkFDroidV1(client *http.Client, mirrorURL, packageName string, currentVersionCode int32, cachePath string, cache *fdroidCache) (*FDroidUpdateInfo, error) {
-	indexURL := mirrorURL + "/index-v1.jar"
-
-	request, err := newFDroidRequest(indexURL)
-	if err != nil {
-		return nil, err
-	}
-	if cache != nil && cache.ETag != "" {
-		request.Header.Set("If-None-Match", cache.ETag)
-	}
-
-	response, err := client.Do(request)
-	if err != nil {
-		return nil, err
-	}
-	defer response.Body.Close()
-
-	if response.StatusCode == http.StatusNotModified {
-		return nil, nil
-	}
-	if response.StatusCode != http.StatusOK {
-		return nil, E.New("HTTP ", response.Status, ": ", indexURL)
-	}
-
-	jarData, err := io.ReadAll(response.Body)
-	if err != nil {
-		return nil, err
-	}
-	etag := response.Header.Get("ETag")
-
-	var index fdroidIndexV1
-	err = readJSONFromJar(jarData, "index-v1.json", &index)
-	if err != nil {
-		return nil, E.Cause(err, "read index-v1.jar")
-	}
-
-	writeFDroidCache(cachePath, mirrorURL, 0, etag, true)
-
-	packages, ok := index.Packages[packageName]
-	if !ok {
-		return nil, nil
-	}
-
-	var bestCode int32
-	var bestPackage fdroidV1Package
-	for _, pkg := range packages {
-		if pkg.VersionCode > currentVersionCode && pkg.VersionCode > bestCode {
-			bestCode = pkg.VersionCode
-			bestPackage = pkg
-		}
-	}
-
-	if bestCode == 0 {
-		return nil, nil
-	}
-
-	return &FDroidUpdateInfo{
-		VersionCode: bestCode,
-		VersionName: bestPackage.VersionName,
-		DownloadURL: mirrorURL + "/" + bestPackage.ApkName,
-		FileSize:    bestPackage.Size,
-		FileSHA256:  bestPackage.Hash,
-	}, nil
-}
-
-func readJSONFromJar(jarData []byte, fileName string, destination any) error {
-	zipReader, err := zip.NewReader(bytes.NewReader(jarData), int64(len(jarData)))
-	if err != nil {
-		return err
-	}
-	for _, file := range zipReader.File {
-		if file.Name != fileName {
-			continue
-		}
-		reader, err := file.Open()
-		if err != nil {
-			return err
-		}
-		data, err := io.ReadAll(reader)
-		reader.Close()
-		if err != nil {
-			return err
-		}
-		return json.Unmarshal(data, destination)
-	}
-	return nil
-}
-
-func pingTLS(mirrorURL string) (time.Duration, error) {
-	parsed, err := url.Parse(mirrorURL)
-	if err != nil {
-		return 0, err
-	}
-	host := parsed.Host
-	if !strings.Contains(host, ":") {
-		host = host + ":443"
-	}
-
-	dialer := &net.Dialer{Timeout: 5 * time.Second}
-	start := time.Now()
-	conn, err := tls.DialWithDialer(dialer, "tcp", host, &tls.Config{})
-	if err != nil {
-		return 0, err
-	}
-	latency := time.Since(start)
-	conn.Close()
-	return latency, nil
-}
-
-func loadFDroidCache(cachePath, mirrorURL string) *fdroidCache {
-	cacheFile := filepath.Join(cachePath, "fdroid_cache.json")
-	data, err := os.ReadFile(cacheFile)
-	if err != nil {
-		return nil
-	}
-	var cache fdroidCache
-	err = json.Unmarshal(data, &cache)
-	if err != nil {
-		return nil
-	}
-	if cache.MirrorURL != mirrorURL {
-		return nil
-	}
-	return &cache
-}
-
-func writeFDroidCache(cachePath, mirrorURL string, timestamp int64, etag string, isV1 bool) {
-	cache := fdroidCache{
-		MirrorURL: mirrorURL,
-		Timestamp: timestamp,
-		ETag:      etag,
-		IsV1:      isV1,
-	}
-	data, err := json.Marshal(cache)
-	if err != nil {
-		return
-	}
-	os.MkdirAll(cachePath, 0o755)
-	os.WriteFile(filepath.Join(cachePath, "fdroid_cache.json"), data, 0o644)
-}
--- a/experimental/libbox/fdroid_mirrors.go
+++ b/experimental/libbox/fdroid_mirrors.go
@@ -1,92 +0,0 @@
-package libbox
-
-type FDroidMirror struct {
-	URL     string
-	Country string
-	Name    string
-}
-
-type FDroidMirrorIterator interface {
-	Len() int32
-	HasNext() bool
-	Next() *FDroidMirror
-}
-
-var builtinFDroidMirrors = []FDroidMirror{
-	// Official
-	{URL: "https://f-droid.org/repo", Country: "Official", Name: "f-droid.org"},
-	{URL: "https://cloudflare.f-droid.org/repo", Country: "Official", Name: "Cloudflare CDN"},
-
-	// China
-	{URL: "https://mirrors.tuna.tsinghua.edu.cn/fdroid/repo", Country: "China", Name: "Tsinghua TUNA"},
-	{URL: "https://mirrors.nju.edu.cn/fdroid/repo", Country: "China", Name: "Nanjing University"},
-	{URL: "https://mirror.iscas.ac.cn/fdroid/repo", Country: "China", Name: "ISCAS"},
-	{URL: "https://mirror.nyist.edu.cn/fdroid/repo", Country: "China", Name: "NYIST"},
-	{URL: "https://mirrors.cqupt.edu.cn/fdroid/repo", Country: "China", Name: "CQUPT"},
-	{URL: "https://mirrors.shanghaitech.edu.cn/fdroid/repo", Country: "China", Name: "ShanghaiTech"},
-
-	// India
-	{URL: "https://mirror.hyd.albony.in/fdroid/repo", Country: "India", Name: "Albony Hyderabad"},
-	{URL: "https://mirror.del2.albony.in/fdroid/repo", Country: "India", Name: "Albony Delhi"},
-
-	// Taiwan
-	{URL: "https://mirror.ossplanet.net/fdroid/repo", Country: "Taiwan", Name: "OSSPlanet"},
-
-	// France
-	{URL: "https://fdroid.tetaneutral.net/fdroid/repo", Country: "France", Name: "tetaneutral.net"},
-	{URL: "https://mirror.freedif.org/fdroid/repo", Country: "France", Name: "FreeDif"},
-
-	// Germany
-	{URL: "https://ftp.fau.de/fdroid/repo", Country: "Germany", Name: "FAU Erlangen"},
-	{URL: "https://ftp.agdsn.de/fdroid/repo", Country: "Germany", Name: "AGDSN Dresden"},
-	{URL: "https://ftp.gwdg.de/pub/android/fdroid/repo", Country: "Germany", Name: "GWDG"},
-	{URL: "https://mirror.level66.network/fdroid/repo", Country: "Germany", Name: "Level66"},
-	{URL: "https://mirror.mci-1.serverforge.org/fdroid/repo", Country: "Germany", Name: "ServerForge"},
-
-	// Netherlands
-	{URL: "https://ftp.snt.utwente.nl/pub/software/fdroid/repo", Country: "Netherlands", Name: "University of Twente"},
-
-	// Sweden
-	{URL: "https://ftp.lysator.liu.se/pub/fdroid/repo", Country: "Sweden", Name: "Lysator"},
-
-	// Denmark
-	{URL: "https://mirrors.dotsrc.org/fdroid/repo", Country: "Denmark", Name: "dotsrc.org"},
-
-	// Austria
-	{URL: "https://mirror.kumi.systems/fdroid/repo", Country: "Austria", Name: "Kumi Systems"},
-
-	// Switzerland
-	{URL: "https://mirror.init7.net/fdroid/repo", Country: "Switzerland", Name: "Init7"},
-
-	// Romania
-	{URL: "https://mirrors.hostico.ro/fdroid/repo", Country: "Romania", Name: "Hostico"},
-	{URL: "https://mirrors.chroot.ro/fdroid/repo", Country: "Romania", Name: "Chroot"},
-	{URL: "https://ftp.lug.ro/fdroid/repo", Country: "Romania", Name: "LUG Romania"},
-
-	// US
-	{URL: "https://plug-mirror.rcac.purdue.edu/fdroid/repo", Country: "US", Name: "Purdue"},
-	{URL: "https://mirror.fcix.net/fdroid/repo", Country: "US", Name: "FCIX"},
-	{URL: "https://opencolo.mm.fcix.net/fdroid/repo", Country: "US", Name: "OpenColo"},
-	{URL: "https://forksystems.mm.fcix.net/fdroid/repo", Country: "US", Name: "Fork Systems"},
-	{URL: "https://southfront.mm.fcix.net/fdroid/repo", Country: "US", Name: "South Front"},
-	{URL: "https://ziply.mm.fcix.net/fdroid/repo", Country: "US", Name: "Ziply"},
-
-	// Canada
-	{URL: "https://mirror.quantum5.ca/fdroid/repo", Country: "Canada", Name: "Quantum5"},
-
-	// Australia
-	{URL: "https://mirror.aarnet.edu.au/fdroid/repo", Country: "Australia", Name: "AARNet"},
-
-	// Other
-	{URL: "https://mirror.cyberbits.eu/fdroid/repo", Country: "Europe", Name: "Cyberbits EU"},
-	{URL: "https://mirror.eu.ossplanet.net/fdroid/repo", Country: "Europe", Name: "OSSPlanet EU"},
-	{URL: "https://mirror.cyberbits.asia/fdroid/repo", Country: "Asia", Name: "Cyberbits Asia"},
-	{URL: "https://mirrors.jevincanders.net/fdroid/repo", Country: "US", Name: "Jevincanders"},
-	{URL: "https://mirrors.komogoto.com/fdroid/repo", Country: "US", Name: "Komogoto"},
-	{URL: "https://fdroid.rasp.sh/fdroid/repo", Country: "Europe", Name: "rasp.sh"},
-	{URL: "https://mirror.gofoss.xyz/fdroid/repo", Country: "Europe", Name: "GoFOSS"},
-}
-
-func GetFDroidMirrors() FDroidMirrorIterator {
-	return newPtrIterator(builtinFDroidMirrors)
-}
--- a/experimental/libbox/ffi.json
+++ b/experimental/libbox/ffi.json
@@ -1,19 +1,10 @@
 {
  "version": 1,
-  "variables": {
-    "VERSION": "$(go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)",
-    "WORKSPACE_ROOT": "../../..",
-    "DEPLOY_ANDROID": "${WORKSPACE_ROOT}/sing-box-for-android/app/libs",
-    "DEPLOY_APPLE": "${WORKSPACE_ROOT}/sing-box-for-apple",
-    "DEPLOY_WINDOWS": "${WORKSPACE_ROOT}/sing-box-for-windows/local-packages"
-  },
  "packages": [
    {
      "id": "libbox",
      "path": ".",
      "java_package": "io.nekohasekai.libbox",
-      "csharp_namespace": "SagerNet",
-      "csharp_entrypoint": "Libbox",
      "apple_prefix": "Libbox"
    }
  ],
@@ -29,6 +20,7 @@
          "with_utls",
          "with_naive_outbound",
          "with_clash_api",
+          "with_conntrack",
          "badlinkname",
          "tfogo_checklinkname0",
          "with_tailscale",
@@ -44,7 +36,7 @@
          "ts_omit_synology",
          "ts_omit_bird"
        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=$(CGO_ENABLED=0 go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest) -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
        "trimpath": true
      }
    },
@@ -58,6 +50,7 @@
          "with_wireguard",
          "with_utls",
          "with_clash_api",
+          "with_conntrack",
          "badlinkname",
          "tfogo_checklinkname0",
          "with_tailscale",
@@ -73,7 +66,7 @@
          "ts_omit_synology",
          "ts_omit_bird"
        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=$(CGO_ENABLED=0 go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest) -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
        "trimpath": true
      }
    },
@@ -88,6 +81,7 @@
          "with_utls",
          "with_naive_outbound",
          "with_clash_api",
+          "with_conntrack",
          "badlinkname",
          "tfogo_checklinkname0",
          "with_dhcp",
@@ -105,7 +99,7 @@
          "ts_omit_synology",
          "ts_omit_bird"
        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
+        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=$(CGO_ENABLED=0 go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest) -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
        "trimpath": true
      },
      "overrides": [
@@ -118,37 +112,6 @@
          "tags_append": ["with_low_memory"]
        }
      ]
-    },
-    {
-      "id": "windows",
-      "packages": ["libbox"],
-      "default": {
-        "tags": [
-          "with_gvisor",
-          "with_quic",
-          "with_wireguard",
-          "with_utls",
-          "with_naive_outbound",
-          "with_purego",
-          "with_clash_api",
-          "badlinkname",
-          "tfogo_checklinkname0",
-          "with_tailscale",
-          "ts_omit_logtail",
-          "ts_omit_ssh",
-          "ts_omit_drive",
-          "ts_omit_taildrop",
-          "ts_omit_webclient",
-          "ts_omit_doctor",
-          "ts_omit_capture",
-          "ts_omit_kube",
-          "ts_omit_aws",
-          "ts_omit_synology",
-          "ts_omit_bird"
-        ],
-        "ldflags": "-X github.com/sagernet/sing-box/constant.Version=${VERSION} -X internal/godebug.defaultGODEBUG=multipathtcp=0 -s -w -buildid= -checklinkname=0",
-        "trimpath": true
-      }
    }
  ],
  "platforms": [
@@ -156,19 +119,12 @@
      "type": "android",
      "build": "android-main",
      "min_sdk": 23,
-      "ndk_version": "28.0.13004108",
      "lib_name": "box",
      "languages": [{ "type": "java" }],
      "artifacts": [
        {
          "type": "aar",
-          "output_path": "libbox.aar",
-          "execute_after": [
-            "if [ -d \"${DEPLOY_ANDROID}\" ]; then",
-            "  rm -f \"${DEPLOY_ANDROID}/$$(basename \"${OUTPUT_PATH}\")\"",
-            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_ANDROID}/\"",
-            "fi"
-          ]
+          "output_path": "libbox.aar"
        }
      ]
    },
@@ -176,19 +132,12 @@
      "type": "android",
      "build": "android-legacy",
      "min_sdk": 21,
-      "ndk_version": "28.0.13004108",
      "lib_name": "box",
      "languages": [{ "type": "java" }],
      "artifacts": [
        {
          "type": "aar",
-          "output_path": "libbox-legacy.aar",
-          "execute_after": [
-            "if [ -d \"${DEPLOY_ANDROID}\" ]; then",
-            "  rm -f \"${DEPLOY_ANDROID}/$$(basename \"${OUTPUT_PATH}\")\"",
-            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_ANDROID}/\"",
-            "fi"
-          ]
+          "output_path": "libbox-legacy.aar"
        }
      ]
    },
@@ -210,46 +159,7 @@
        {
          "type": "xcframework",
          "module_name": "Libbox",
-          "execute_after": [
-            "if [ -d \"${DEPLOY_APPLE}\" ]; then",
-            "  rm -rf \"${DEPLOY_APPLE}/${MODULE_NAME}.xcframework\"",
-            "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_APPLE}/\"",
-            "fi"
-          ]
-        }
-      ]
-    },
-    {
-      "type": "csharp",
-      "build": "windows",
-      "targets": [
-        "windows/amd64"
-      ],
-      "languages": [{ "type": "csharp" }],
-      "artifacts": [
-        {
-          "type": "nuget",
-          "package_id": "SagerNet.Libbox",
-          "package_version": "0.0.0-local",
-          "execute_after": {
-            "windows": [
-              "$$deployPath = '${DEPLOY_WINDOWS}'",
-              "if (Test-Path $$deployPath) {",
-              "  Remove-Item \"$$deployPath\\${PACKAGE_ID}.*.nupkg\" -ErrorAction SilentlyContinue",
-              "  Move-Item -Force '${OUTPUT_PATH}' \"$$deployPath\\\"",
-              "  $$cachePath = if ($$env:NUGET_PACKAGES) { $$env:NUGET_PACKAGES } else { \"$$env:USERPROFILE\\.nuget\\packages\" }",
-              "  Remove-Item -Recurse -Force \"$$cachePath\\sagernet.libbox\\${PACKAGE_VERSION}\" -ErrorAction SilentlyContinue",
-              "}"
-            ],
-            "default": [
-              "if [ -d \"${DEPLOY_WINDOWS}\" ]; then",
-              "  rm -f \"${DEPLOY_WINDOWS}/${PACKAGE_ID}.*.nupkg\"",
-              "  mv \"${OUTPUT_PATH}\" \"${DEPLOY_WINDOWS}/\"",
-              "  cache_path=\"$${NUGET_PACKAGES:-$${HOME}/.nuget/packages}\"",
-              "  rm -rf \"$${cache_path}/sagernet.libbox/${PACKAGE_VERSION}\"",
-              "fi"
-            ]
-          }
+          "output_path": "Libbox.xcframework"
        }
      ]
    }
--- a/experimental/libbox/memory.go
+++ b/experimental/libbox/memory.go
@@ -4,23 +4,20 @@ import (
 	"math"
 	runtimeDebug "runtime/debug"

-	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/common/conntrack"
 )

-var memoryLimitEnabled bool
-
 func SetMemoryLimit(enabled bool) {
-	memoryLimitEnabled = enabled
-	const memoryLimitGo = 45 * 1024 * 1024
+	const memoryLimit = 45 * 1024 * 1024
+	const memoryLimitGo = memoryLimit / 1.5
 	if enabled {
 		runtimeDebug.SetGCPercent(10)
-		if C.IsIos {
-			runtimeDebug.SetMemoryLimit(memoryLimitGo)
-		}
+		runtimeDebug.SetMemoryLimit(memoryLimitGo)
+		conntrack.KillerEnabled = true
+		conntrack.MemoryLimit = memoryLimit
 	} else {
 		runtimeDebug.SetGCPercent(100)
-		if C.IsIos {
-			runtimeDebug.SetMemoryLimit(math.MaxInt64)
-		}
+		runtimeDebug.SetMemoryLimit(math.MaxInt64)
+		conntrack.KillerEnabled = false
 	}
 }
--- a/experimental/libbox/semver.go
+++ b/experimental/libbox/semver.go
@@ -1,27 +0,0 @@
-package libbox
-
-import (
-	"strings"
-
-	"golang.org/x/mod/semver"
-)
-
-func CompareSemver(left string, right string) bool {
-	normalizedLeft := normalizeSemver(left)
-	if !semver.IsValid(normalizedLeft) {
-		return false
-	}
-	normalizedRight := normalizeSemver(right)
-	if !semver.IsValid(normalizedRight) {
-		return false
-	}
-	return semver.Compare(normalizedLeft, normalizedRight) > 0
-}
-
-func normalizeSemver(version string) string {
-	trimmedVersion := strings.TrimSpace(version)
-	if strings.HasPrefix(trimmedVersion, "v") {
-		return trimmedVersion
-	}
-	return "v" + trimmedVersion
-}
--- a/experimental/libbox/semver_test.go
+++ b/experimental/libbox/semver_test.go
@@ -1,16 +0,0 @@
-package libbox
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestCompareSemver(t *testing.T) {
-	t.Parallel()
-
-	require.False(t, CompareSemver("1.13.0-rc.4", "1.13.0"))
-	require.True(t, CompareSemver("1.13.1", "1.13.0"))
-	require.False(t, CompareSemver("v1.13.0", "1.13.0"))
-	require.False(t, CompareSemver("1.13.0-", "1.13.0"))
-}
--- a/go.mod
+++ b/go.mod
@@ -3,60 +3,60 @@ module github.com/sagernet/sing-box
 go 1.24.7

 require (
-	github.com/anthropics/anthropic-sdk-go v1.26.0
+	github.com/anthropics/anthropic-sdk-go v1.19.0
 	github.com/anytls/sing-anytls v0.0.11
-	github.com/caddyserver/certmagic v0.25.2
+	github.com/caddyserver/certmagic v0.25.0
 	github.com/coder/websocket v1.8.14
 	github.com/cretz/bine v0.2.0
-	github.com/database64128/tfo-go/v2 v2.3.2
-	github.com/go-chi/chi/v5 v5.2.5
+	github.com/database64128/tfo-go/v2 v2.3.1
+	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/render v1.0.3
-	github.com/godbus/dbus/v5 v5.2.2
+	github.com/godbus/dbus/v5 v5.2.1
 	github.com/gofrs/uuid/v5 v5.4.0
-	github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91
+	github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167
 	github.com/keybase/go-keychain v0.0.1
 	github.com/libdns/acmedns v0.5.0
-	github.com/libdns/alidns v1.0.6
+	github.com/libdns/alidns v1.0.6-beta.3
 	github.com/libdns/cloudflare v0.2.2
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/metacubex/utls v1.8.4
-	github.com/mholt/acmez/v3 v3.1.6
-	github.com/miekg/dns v1.1.72
-	github.com/openai/openai-go/v3 v3.26.0
+	github.com/mholt/acmez/v3 v3.1.4
+	github.com/miekg/dns v1.1.69
+	github.com/openai/openai-go/v3 v3.15.0
 	github.com/oschwald/maxminddb-golang v1.13.1
 	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cors v1.2.1
-	github.com/sagernet/cronet-go v0.0.0-20260309102448-2fef65f9dba9
-	github.com/sagernet/cronet-go/all v0.0.0-20260309102448-2fef65f9dba9
+	github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287
+	github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287
 	github.com/sagernet/fswatch v0.1.1
-	github.com/sagernet/gomobile v0.1.12
+	github.com/sagernet/gomobile v0.1.11
 	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
-	github.com/sagernet/quic-go v0.59.0-sing-box-mod.4
-	github.com/sagernet/sing v0.8.2
+	github.com/sagernet/quic-go v0.59.0-sing-box-mod.2
+	github.com/sagernet/sing v0.8.0-beta.16
 	github.com/sagernet/sing-mux v0.3.4
-	github.com/sagernet/sing-quic v0.6.0
+	github.com/sagernet/sing-quic v0.6.0-beta.12
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
-	github.com/sagernet/sing-tun v0.8.3
+	github.com/sagernet/sing-tun v0.8.0-beta.17
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1
 	github.com/sagernet/smux v1.5.50-sing-box-mod.1
-	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260311131347-f88b27eeb76e
-	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c
+	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6
+	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
 	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
 	github.com/vishvananda/netns v0.0.5
 	go.uber.org/zap v1.27.1
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.48.0
+	golang.org/x/crypto v0.46.0
 	golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93
-	golang.org/x/mod v0.33.0
-	golang.org/x/net v0.50.0
-	golang.org/x/sys v0.41.0
+	golang.org/x/mod v0.31.0
+	golang.org/x/net v0.48.0
+	golang.org/x/sys v0.39.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
-	google.golang.org/grpc v1.79.1
+	google.golang.org/grpc v1.77.0
 	google.golang.org/protobuf v1.36.11
 	howett.net/plist v1.0.1
 )
@@ -67,7 +67,7 @@ require (
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
 	github.com/andybalholm/brotli v1.1.0 // indirect
-	github.com/caddyserver/zerossl v0.1.5 // indirect
+	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
 	github.com/database64128/netx-go v0.1.1 // indirect
@@ -96,7 +96,7 @@ require (
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/libdns/libdns v1.1.1 // indirect
-	github.com/mdlayher/netlink v1.9.0 // indirect
+	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
@@ -105,35 +105,28 @@ require (
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
-	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
-	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260309101654-0cbdcfddded9 // indirect
+	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f // indirect
+	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f // indirect
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a // indirect
 	github.com/sagernet/nftables v0.3.0-beta.4 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
@@ -154,15 +147,15 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap/exp v0.3.0 // indirect
 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
-	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/oauth2 v0.32.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/term v0.40.0 // indirect
-	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/term v0.38.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.42.0 // indirect
+	golang.org/x/tools v0.40.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,3 @@
-code.pfad.fr/check v1.1.0 h1:GWvjdzhSEgHvEHe2uJujDcpmZoySKuHQNrZMfzfO0bE=
-code.pfad.fr/check v1.1.0/go.mod h1:NiUH13DtYsb7xp5wll0U4SXx7KhXQVCtRgdC96IPfoM=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
@@ -10,18 +8,16 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
-github.com/anthropics/anthropic-sdk-go v1.26.0 h1:oUTzFaUpAevfuELAP1sjL6CQJ9HHAfT7CoSYSac11PY=
-github.com/anthropics/anthropic-sdk-go v1.26.0/go.mod h1:qUKmaW+uuPB64iy1l+4kOSvaLqPXnHTTBKH6RVZ7q5Q=
+github.com/anthropics/anthropic-sdk-go v1.19.0 h1:mO6E+ffSzLRvR/YUH9KJC0uGw0uV8GjISIuzem//3KE=
+github.com/anthropics/anthropic-sdk-go v1.19.0/go.mod h1:WTz31rIUHUHqai2UslPpw5CwXrQP3geYBioRV4WOLvE=
 github.com/anytls/sing-anytls v0.0.11 h1:w8e9Uj1oP3m4zxkyZDewPk0EcQbvVxb7Nn+rapEx4fc=
 github.com/anytls/sing-anytls v0.0.11/go.mod h1:7rjN6IukwysmdusYsrV51Fgu1uW6vsrdd6ctjnEAln8=
-github.com/caddyserver/certmagic v0.25.2 h1:D7xcS7ggX/WEY54x0czj7ioTkmDWKIgxtIi2OcQclUc=
-github.com/caddyserver/certmagic v0.25.2/go.mod h1:llW/CvsNmza8S6hmsuggsZeiX+uS27dkqY27wDIuBWg=
-github.com/caddyserver/zerossl v0.1.5 h1:dkvOjBAEEtY6LIGAHei7sw2UgqSD6TrWweXpV7lvEvE=
-github.com/caddyserver/zerossl v0.1.5/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
+github.com/caddyserver/certmagic v0.25.0 h1:VMleO/XA48gEWes5l+Fh6tRWo9bHkhwAEhx63i+F5ic=
+github.com/caddyserver/certmagic v0.25.0/go.mod h1:m9yB7Mud24OQbPHOiipAoyKPn9pKHhpSJxXR1jydBxA=
+github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
+github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
@@ -33,8 +29,8 @@ github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
 github.com/database64128/netx-go v0.1.1 h1:dT5LG7Gs7zFZBthFBbzWE6K8wAHjSNAaK7wCYZT7NzM=
 github.com/database64128/netx-go v0.1.1/go.mod h1:LNlYVipaYkQArRFDNNJ02VkNV+My9A5XR/IGS7sIBQc=
-github.com/database64128/tfo-go/v2 v2.3.2 h1:UhZMKiMq3swZGUiETkLBDzQnZBPSAeBMClpJGlnJ5Fw=
-github.com/database64128/tfo-go/v2 v2.3.2/go.mod h1:GC3uB5oa4beGpCUbRb2ZOWP73bJJFmMyAVgQSO7r724=
+github.com/database64128/tfo-go/v2 v2.3.1 h1:EGE+ELd5/AQ0X6YBlQ9RgKs8+kciNhgN3d8lRvfEJQw=
+github.com/database64128/tfo-go/v2 v2.3.1/go.mod h1:k9wcpg/8i5zenspBkc9jUEYehpZZccBnCElzOJB++bU=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -42,8 +38,6 @@ github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbww
 github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:CaO/zOnF8VvUfEbhRatPcwKVWamvbYd8tQGRWacE9kU=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
-github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
-github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
 github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/florianl/go-nfqueue/v2 v2.0.2 h1:FL5lQTeetgpCvac1TRwSfgaXUn0YSO7WzGvWNIp3JPE=
@@ -56,12 +50,10 @@ github.com/gaissmai/bart v0.18.0 h1:jQLBT/RduJu0pv/tLwXE+xKPgtWJejbxuXAR+wLJafo=
 github.com/gaissmai/bart v0.18.0/go.mod h1:JJzMAhNF5Rjo4SF4jWBrANuJfqY+FvsFhW7t1UZJ+XY=
 github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
 github.com/github/fakeca v0.1.0/go.mod h1:+bormgoGMMuamOscx7N91aOuUST7wdaJ2rNjeohylyo=
-github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
-github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
+github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
+github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
-github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
-github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced h1:Q311OHjMh/u5E2TITc++WlTP5We0xNseRMkHDyvhW7I=
 github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
@@ -74,8 +66,8 @@ github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
-github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
+github.com/godbus/dbus/v5 v5.2.1 h1:I4wwMdWSkmI57ewd+elNGwLRf2/dtSaFz1DujfWYvOk=
+github.com/godbus/dbus/v5 v5.2.1/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/gofrs/uuid/v5 v5.4.0 h1:EfbpCTjqMuGyq5ZJwxqzn3Cbr2d0rUZU7v5ycAk/e/0=
 github.com/gofrs/uuid/v5 v5.4.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -99,8 +91,8 @@ github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N
 github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91 h1:u9i04mGE3iliBh0EFuWaKsmcwrLacqGmq1G3XoaM7gY=
-github.com/insomniacslk/dhcp v0.0.0-20260220084031-5adc3eb26f91/go.mod h1:qfvBmyDNp+/liLEYWRvqny/PEz9hGe2Dz833eXILSmo=
+github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167 h1:MEufgJohwIjFi2n3eJv4c/8UdRLQVUwPwSWQPoER+eU=
+github.com/insomniacslk/dhcp v0.0.0-20251020182700-175e84fbb167/go.mod h1:qfvBmyDNp+/liLEYWRvqny/PEz9hGe2Dz833eXILSmo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I=
 github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
@@ -110,36 +102,32 @@ github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zt
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
-github.com/letsencrypt/challtestsrv v1.4.2 h1:0ON3ldMhZyWlfVNYYpFuWRTmZNnyfiL9Hh5YzC3JVwU=
-github.com/letsencrypt/challtestsrv v1.4.2/go.mod h1:GhqMqcSoeGpYd5zX5TgwA6er/1MbWzx/o7yuuVya+Wk=
-github.com/letsencrypt/pebble/v2 v2.10.0 h1:Wq6gYXlsY6ubqI3hhxsTzdyotvfdjFBxuwYqCLCnj/U=
-github.com/letsencrypt/pebble/v2 v2.10.0/go.mod h1:Sk8cmUIPcIdv2nINo+9PB4L+ZBhzY+F9A1a/h/xmWiQ=
 github.com/libdns/acmedns v0.5.0 h1:5pRtmUj4Lb/QkNJSl1xgOGBUJTWW7RjpNaIhjpDXjPE=
 github.com/libdns/acmedns v0.5.0/go.mod h1:X7UAFP1Ep9NpTwWpVlrZzJLR7epynAy0wrIxSPFgKjQ=
-github.com/libdns/alidns v1.0.6 h1:/Ii428ty6WHFJmE24rZxq2taq++gh7rf9jhgLfp8PmM=
-github.com/libdns/alidns v1.0.6/go.mod h1:RECwyQ88e9VqQVtSrvX76o1ux3gQUKGzMgxICi+u7Ec=
+github.com/libdns/alidns v1.0.6-beta.3 h1:KAmb7FQ1tRzKsaAUGa7ZpGKAMRANwg7+1c7tUbSELq8=
+github.com/libdns/alidns v1.0.6-beta.3/go.mod h1:RECwyQ88e9VqQVtSrvX76o1ux3gQUKGzMgxICi+u7Ec=
 github.com/libdns/cloudflare v0.2.2 h1:XWHv+C1dDcApqazlh08Q6pjytYLgR2a+Y3xrXFu0vsI=
 github.com/libdns/cloudflare v0.2.2/go.mod h1:w9uTmRCDlAoafAsTPnn2nJ0XHK/eaUMh86DUk8BWi60=
 github.com/libdns/libdns v1.1.1 h1:wPrHrXILoSHKWJKGd0EiAVmiJbFShguILTg9leS/P/U=
 github.com/libdns/libdns v1.1.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
-github.com/mdlayher/netlink v1.9.0 h1:G8+GLq2x3v4D4MVIqDdNUhTUC7TKiCy/6MDkmItfKco=
-github.com/mdlayher/netlink v1.9.0/go.mod h1:YBnl5BXsCoRuwBjKKlZ+aYmEoq0r12FDA/3JC+94KDg=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
 github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
 github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
 github.com/metacubex/utls v1.8.4 h1:HmL9nUApDdWSkgUyodfwF6hSjtiwCGGdyhaSpEejKpg=
 github.com/metacubex/utls v1.8.4/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
-github.com/mholt/acmez/v3 v3.1.6 h1:eGVQNObP0pBN4sxqrXeg7MYqTOWyoiYpQqITVWlrevk=
-github.com/mholt/acmez/v3 v3.1.6/go.mod h1:5nTPosTGosLxF3+LU4ygbgMRFDhbAVpqMI4+a4aHLBY=
-github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
-github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
+github.com/mholt/acmez/v3 v3.1.4 h1:DyzZe/RnAzT3rpZj/2Ii5xZpiEvvYk3cQEN/RmqxwFQ=
+github.com/mholt/acmez/v3 v3.1.4/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
+github.com/miekg/dns v1.1.69 h1:Kb7Y/1Jo+SG+a2GtfoFUfDkG//csdRPwRLkCsxDG9Sc=
+github.com/miekg/dns v1.1.69/go.mod h1:7OyjD9nEba5OkqQ/hB4fy3PIoxafSZJtducccIelz3g=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
-github.com/openai/openai-go/v3 v3.26.0 h1:bRt6H/ozMNt/dDkN4gobnLqaEGrRGBzmbVs0xxJEnQE=
-github.com/openai/openai-go/v3 v3.26.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
+github.com/openai/openai-go/v3 v3.15.0 h1:hk99rM7YPz+M99/5B/zOQcVwFRLLMdprVGx1vaZ8XMo=
+github.com/openai/openai-go/v3 v3.15.0/go.mod h1:cdufnVK14cWcT9qA1rRtrXx4FTRsgbDPW7Ia7SS5cZo=
 github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
 github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
@@ -162,102 +150,88 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cors v1.2.1 h1:Cv5Z8y9YSD6Gm+qSpNrL3LO4lD3eQVvbFYJSG7JCMHQ=
 github.com/sagernet/cors v1.2.1/go.mod h1:O64VyOjjhrkLmQIjF4KGRrJO/5dVXFdpEmCW/eISRAI=
-github.com/sagernet/cronet-go v0.0.0-20260309102448-2fef65f9dba9 h1:xq5Yr10jXEppD3cnGjE3WENaB6D0YsZu6KptZ8d3054=
-github.com/sagernet/cronet-go v0.0.0-20260309102448-2fef65f9dba9/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
-github.com/sagernet/cronet-go/all v0.0.0-20260309102448-2fef65f9dba9 h1:uxQyy6Y/boOuecVA66tf79JgtoRGfeDJcfYZZLKVA5E=
-github.com/sagernet/cronet-go/all v0.0.0-20260309102448-2fef65f9dba9/go.mod h1:Xm6cCvs0/twozC1JYNq0sVlOVmcSGzV7YON1XGcD97w=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260309101654-0cbdcfddded9 h1:Qi0IKBpoPP3qZqIXuOKMsT2dv+l/MLWMyBHDMLRw2EA=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:p+wCMjOhj46SpSD/AJeTGgkCcbyA76FyH631XZatyU8=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260309101654-0cbdcfddded9 h1:Y7lWrZwEhC/HX8Pb5C92CrQihuaE7hrHmWB2ykst3iQ=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:3Ggy5wiyjA6t+aVVPnXlSEIVj9zkxd4ybH3NsvsNefs=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:DuFTCnZloblY+7olXiZoRdueWfxi34EV5UheTFKM2rA=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:x/6T2gjpLw9yNdCVR6xBlzMUzED9fxNFNt6U6A6SOh8=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:Lx9PExM70rg8aNxPm0JPeSr5SWC3yFiCz4wIq86ugx8=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:BTEpw7/vKR9BNBsHebfpiGHDCPpjVJ3vLIbHNU3VUfM=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:hdEph9nQXRnKwc/lIDwo15rmzbC6znXF5jJWHPN1Fiw=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260309101654-0cbdcfddded9 h1:Iq++oYV7dtRJHTpu8yclHJdn+1oj2t1e84/YpdXYWW8=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260309101654-0cbdcfddded9 h1:Y43fuLL8cgwRHpEKwxh0O3vYp7g/SZGvbkJj3cQ6USA=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:bX2GJmF0VCC+tBrVAa49YEsmJ4A9dLmwoA6DJUxRtCY=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:gQTR/2azUCInE0r3kmesZT9xu+x801+BmtDY0d0Tw9Y=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260309101654-0cbdcfddded9 h1:X4mP3jlYvxgrKpZLOKMmc/O8T5/zP83/23pgfQOc3tY=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:c6xj2nXr/65EDiRFddUKQIBQ/b/lAPoH8WFYlgadaPc=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:ahbl7yjOvGVVNUwk9TcQk+xejVfoYAYFRlhWnby0/YM=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260309101654-0cbdcfddded9 h1:JC5Zv5+J85da6g5G56VhdaK53fmo6Os2q/wWi5QlxOw=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
-github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260309101654-0cbdcfddded9 h1:4bt7Go588BoM4VjNYMxx0MrvbwlFQn3DdRDCM7BmkRo=
-github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:Wt5uFdU3tnmm8YzobYewwdF7Mt6SucRQg6xeTNWC3Tk=
-github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:E1z0BeLUh8EZfCjIyS9BrfCocZrt+0KPS0bzop3Sxf4=
-github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:lyIF6wKBLwWa5ZXaAKbAoewewl+yCHo2iYev39Mbj4E=
-github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260309101654-0cbdcfddded9 h1:d8ejxRHO7Vi9JqR/6DxR7RyI/swA2JfDWATR4T7otBw=
-github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:H46PnSTTZNcZokLLiDeMDaHiS1l14PH3tzWi0eykjD8=
-github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260309101654-0cbdcfddded9 h1:iUDVEVu3RxL5ArPIY72BesbuX5zQ1la/ZFwKpQcGc5c=
-github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:RBhSUDAKWq7fswtV4nQUQhuaTLcX3ettR7teA7/yf2w=
-github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260309101654-0cbdcfddded9 h1:xB6ikOC/R3n3hjy68EJ0sbZhH4vwEhd6JM9jZ1U2SVY=
-github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:wRzoIOGG4xbpp3Gh3triLKwMwYriScXzFtunLYhY4w0=
-github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260309101654-0cbdcfddded9 h1:mBOuLCPOOMMq8N1+dUM5FqZclqga1+u6fAbPqQcbIhc=
-github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:LNiZXmWil1OPwKCheqQjtakZlJuKGFz+iv2eGF76Hhs=
-github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260309101654-0cbdcfddded9 h1:cwPyDfj+ZNFE7kvcWbayQJyeC/KQA16HTXOxgHphL0w=
-github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:YFDGKTkpkJGc5+hnX/RYosZyTWg9h+68VB55fYRRLYc=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:Zk9zG8kt3mXAboclUXQlvvxKQuhnI8u5NdDEl8uotNY=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:Lu05srGqddQRMnl1MZtGAReln2yJljeGx9b1IadlMJ8=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9 h1:Tk9bDywUmOtc0iMjjCVIwMlAQNsxCy+bK+bTNA0OaBE=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260309101654-0cbdcfddded9 h1:tQqDQw3tEHdQpt7NTdAwF3UvZ3CjNIj/IJKMRFmm388=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260309101654-0cbdcfddded9 h1:biUIbI2YxUrcQikEfS/bwPA8NsHp/WO+VZUG4morUmE=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260309101654-0cbdcfddded9/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
+github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287 h1:0BYNmr0ptjsII948U0oBFmrbo4qEaCFcrE2JPRg3Zlk=
+github.com/sagernet/cronet-go v0.0.0-20260117110918-dc1cda1fe287/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
+github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287 h1:ghxhYSBQpzkakqWqJDvXr/Zmxe0WjTjKuALEGbjGiGY=
+github.com/sagernet/cronet-go/all v0.0.0-20260117110918-dc1cda1fe287/go.mod h1:M+4ZjPhLJXIvoxcQsbDofmc19Wrig59hZ+hLvj6S3To=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f h1:8jZbZ4KBTdcXDFLwUBNQt5Xci6ZuAKh255S8TwuBCaM=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260117110516-f21660bef13f/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f h1:tG0hCx+0u5zca7qQ7AMkcv4DCrBG/DKW1ggs/P+BRRI=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f h1:ZXp5hKJIA7iJ52ZShJCKMQEPLpp/7dDIVZmPGV9Il40=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260117110516-f21660bef13f/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f h1:gL7H8HS8s38adz4/HZtRHh79qMwsbLTRRPz4GQ9LcWI=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f h1:Dchgc0pAY5Jwb5lzUlE+1nhHIzqLx+YOurXLHgvWd/0=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f h1:+MOLSQoduuKDxF410i1LcSPaQGaiP0eZb0INvMlmjM4=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f h1:lIZna05Vn6n8k21p8OpSUnhwGm+E57PrMjiI4ZUfMSg=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f h1:B2aFQ5CRHI20t8YsEizvtguS5W2QfK7D5XV/NzTIxPE=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f h1:qpSwJ1rFGYCfJDenNCZoWYjoG7N+xEa6ke+E7/JO1i4=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f h1:cx7Ipg0tSvTDjS4maMEYz4vuzz93BMPAysmZ1YLrz80=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260117110516-f21660bef13f/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f h1:4jOHuUiBxD8pJEpBBVQfJqyLmxjpd3t4MLRzU7YLFyg=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f h1:OpXBa2WlRU+Mam9oRe9Nn4/zf7gQ+qiBTNK8A5RwbfQ=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f h1:nJpGFi+6hI85tl4zoyNFEnFEQ5+xEV5gyvsUoMvd8g0=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f h1:SEy2rpmgOJgrqcEryJI/RSnqUWIsEsp0cfYoA8y21jc=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260117110516-f21660bef13f/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f h1:EW2TuFMLm0iBGqRZtuGwIZdeYmDtDsDmRcRRJQOMxUo=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f h1:3U5woxrNCkzfv1+UX+mVoWh1228AE1qAiMG02F9oFbY=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f h1:YwFTfuWG3mmctroeDYtFZ6LHjGsedVO+5wInYbbUuUY=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260117110516-f21660bef13f/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f h1:r4V0ddPCRLgGu0VdgR3aUsO9NjpmyjAf+h+3oTD9D6E=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f h1:B8yf4gFvEYUnwWmtVK9sdwUsflYZ387MhYmlOP2ohFQ=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f h1:9YyaMg4rO1/jIgrxmNb0LKH+X7frSYWfX2pFgW5JUVM=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260117110516-f21660bef13f/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f h1:B0fnGu0sh9yT/9JDN5u/GqThGoOzNN/daOAuGWFLXEk=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f h1:lxPcIXKSSI5JDhc7rx/6yufISWM4vtBS2FY9PavWQTs=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260117110516-f21660bef13f/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
 github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQs=
 github.com/sagernet/fswatch v0.1.1/go.mod h1:nz85laH0mkQqJfaOrqPpkwtU1znMFNVTpT/5oRsVz/o=
-github.com/sagernet/gomobile v0.1.12 h1:XwzjZaclFF96deLqwAgK8gU3w0M2A8qxgDmhV+A0wjg=
-github.com/sagernet/gomobile v0.1.12/go.mod h1:A8l3FlHi2D/+mfcd4HHvk5DGFPW/ShFb9jHP5VmSiDY=
+github.com/sagernet/gomobile v0.1.11 h1:niMQAspvuThup5eRZQpsGcbM76zAvnsGr7RUIpnQMDQ=
+github.com/sagernet/gomobile v0.1.11/go.mod h1:A8l3FlHi2D/+mfcd4HHvk5DGFPW/ShFb9jHP5VmSiDY=
 github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1 h1:AzCE2RhBjLJ4WIWc/GejpNh+z30d5H1hwaB0nD9eY3o=
 github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1/go.mod h1:NJKBtm9nVEK3iyOYWsUlrDQuoGh4zJ4KOPhSYVidvQ4=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZNjr6sGeT00J8uU7JF4cNUdb44/Duis=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNenDW2zaXr8I=
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
-github.com/sagernet/quic-go v0.59.0-sing-box-mod.4 h1:6qvrUW79S+CrPwWz6cMePXohgjHoKxLo3c+MDhNwc3o=
-github.com/sagernet/quic-go v0.59.0-sing-box-mod.4/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
-github.com/sagernet/sing v0.8.2 h1:kX1IH9SWJv4S0T9M8O+HNahWgbOuY1VauxbF7NU5lOg=
-github.com/sagernet/sing v0.8.2/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/quic-go v0.59.0-sing-box-mod.2 h1:hJUL+HtxEOjxsa0CsucbBVqI/AMS4k52NwNU637zmdw=
+github.com/sagernet/quic-go v0.59.0-sing-box-mod.2/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
+github.com/sagernet/sing v0.8.0-beta.16 h1:Fe+6E9VHYky9Mx4cf0ugbZPWDcXRflpAu7JQ5bWXvaA=
+github.com/sagernet/sing v0.8.0-beta.16/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.4 h1:ZQplKl8MNXutjzbMVtWvWG31fohhgOfCuUZR4dVQ8+s=
 github.com/sagernet/sing-mux v0.3.4/go.mod h1:QvlKMyNBNrQoyX4x+gq028uPbLM2XeRpWtDsWBJbFSk=
-github.com/sagernet/sing-quic v0.6.0 h1:dhrFnP45wgVKEOT1EvtsToxdzRnHIDIAgj6WHV9pLyM=
-github.com/sagernet/sing-quic v0.6.0/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
+github.com/sagernet/sing-quic v0.6.0-beta.12 h1:njyU2NYGBITShAu31wJRmqAtx7hQBcXqBPowDv+W0sk=
+github.com/sagernet/sing-quic v0.6.0-beta.12/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
 github.com/sagernet/sing-shadowsocks v0.2.8 h1:PURj5PRoAkqeHh2ZW205RWzN9E9RtKCVCzByXruQWfE=
 github.com/sagernet/sing-shadowsocks v0.2.8/go.mod h1:lo7TWEMDcN5/h5B8S0ew+r78ZODn6SwVaFhvB6H+PTI=
 github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnqqs2gQ2/Qioo=
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.8.3 h1:mozxmuIoRhFdVHnheenLpBaammVj7bZPcnkApaYKDPY=
-github.com/sagernet/sing-tun v0.8.3/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
+github.com/sagernet/sing-tun v0.8.0-beta.17 h1:6DdbNXeTFYj8Tb4FCh8Mp2boA3rVY6VNqzTOObj7Xis=
+github.com/sagernet/sing-tun v0.8.0-beta.17/go.mod h1:+HAK/y9GZljdT0KYKMYDR8MjjqnqDDQZYp5ZZQoRzS8=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkVyVvdmBSufR8/nRFonwJeKSIROxHcm5br9o=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1/go.mod h1:NjhsCEWedJm7eFLyhuBgIEzwfhRmytrUoiLluxs5Sk8=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260311131347-f88b27eeb76e h1:Sv1qUhJIidjSTc24XEknovDZnbmVSlAXj8wNVgIfgGo=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260311131347-f88b27eeb76e/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
-github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c h1:f9cXNB+IOOPnR8DOLMTpr42jf7naxh5Un5Y09BBf5Cg=
-github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6 h1:eYz/OpMqWCvO2++iw3dEuzrlfC2xv78GdlGvprIM6O8=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
+github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288 h1:E2tZFeg9mGYGQ7E7BbxMv1cU35HxwgRm6tPKI2Pp7DA=
+github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20250917110311-16510ac47288/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854/go.mod h1:LtfoSK3+NG57tvnVEHgcuBW9ujgE8enPSgzgwStwCAA=
 github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
@@ -309,16 +283,16 @@ github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
-go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
-go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
-go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
-go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
-go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
-go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
-go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
-go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
-go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -333,20 +307,20 @@ go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wus
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93 h1:fQsdNF2N+/YewlRZiricy4P1iimyPKZ/xwniHj8Q2a0=
 golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93/go.mod h1:EPRbTFwzwjXj9NpYyyrvenVh9Y+GFeEvMNh7Xuz7xgU=
 golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
 golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
-golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
-golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
-golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
+golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
@@ -356,20 +330,20 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
-golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -381,17 +355,15 @@ golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
-google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
-google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
+google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/include/oom_killer.go
+++ b/include/oom_killer.go
@@ -1,10 +0,0 @@
-package include
-
-import (
-	"github.com/sagernet/sing-box/adapter/service"
-	"github.com/sagernet/sing-box/service/oomkiller"
-)
-
-func registerOOMKillerService(registry *service.Registry) {
-	oomkiller.RegisterService(registry)
-}
--- a/include/registry.go
+++ b/include/registry.go
@@ -20,6 +20,7 @@ import (
 	"github.com/sagernet/sing-box/protocol/anytls"
 	"github.com/sagernet/sing-box/protocol/block"
 	"github.com/sagernet/sing-box/protocol/direct"
+	protocolDNS "github.com/sagernet/sing-box/protocol/dns"
 	"github.com/sagernet/sing-box/protocol/group"
 	"github.com/sagernet/sing-box/protocol/http"
 	"github.com/sagernet/sing-box/protocol/mixed"
@@ -75,6 +76,7 @@ func OutboundRegistry() *outbound.Registry {
 	direct.RegisterOutbound(registry)

 	block.RegisterOutbound(registry)
+	protocolDNS.RegisterOutbound(registry)

 	group.RegisterSelector(registry)
 	group.RegisterURLTest(registry)
@@ -92,6 +94,7 @@ func OutboundRegistry() *outbound.Registry {
 	anytls.RegisterOutbound(registry)

 	registerQUICOutbounds(registry)
+	registerWireGuardOutbound(registry)
 	registerStubForRemovedOutbounds(registry)

 	return registry
@@ -134,7 +137,6 @@ func ServiceRegistry() *service.Registry {
 	registerDERPService(registry)
 	registerCCMService(registry)
 	registerOCMService(registry)
-	registerOOMKillerService(registry)

 	return registry
 }
@@ -149,7 +151,4 @@ func registerStubForRemovedOutbounds(registry *outbound.Registry) {
 	outbound.Register[option.ShadowsocksROutboundOptions](registry, C.TypeShadowsocksR, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowsocksROutboundOptions) (adapter.Outbound, error) {
 		return nil, E.New("ShadowsocksR is deprecated and removed in sing-box 1.6.0")
 	})
-	outbound.Register[option.StubOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.StubOptions) (adapter.Outbound, error) {
-		return nil, E.New("WireGuard outbound is deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use WireGuard endpoint instead")
-	})
 }
--- a/include/wireguard.go
+++ b/include/wireguard.go
@@ -4,9 +4,14 @@ package include

 import (
 	"github.com/sagernet/sing-box/adapter/endpoint"
+	"github.com/sagernet/sing-box/adapter/outbound"
 	"github.com/sagernet/sing-box/protocol/wireguard"
 )

+func registerWireGuardOutbound(registry *outbound.Registry) {
+	wireguard.RegisterOutbound(registry)
+}
+
 func registerWireGuardEndpoint(registry *endpoint.Registry) {
 	wireguard.RegisterEndpoint(registry)
 }
--- a/include/wireguard_stub.go
+++ b/include/wireguard_stub.go
@@ -7,12 +7,19 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/adapter/endpoint"
+	"github.com/sagernet/sing-box/adapter/outbound"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )

+func registerWireGuardOutbound(registry *outbound.Registry) {
+	outbound.Register[option.LegacyWireGuardOutboundOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.LegacyWireGuardOutboundOptions) (adapter.Outbound, error) {
+		return nil, E.New(`WireGuard is not included in this build, rebuild with -tags with_wireguard`)
+	})
+}
+
 func registerWireGuardEndpoint(registry *endpoint.Registry) {
 	endpoint.Register[option.WireGuardEndpointOptions](registry, C.TypeWireGuard, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.WireGuardEndpointOptions) (adapter.Endpoint, error) {
 		return nil, E.New(`WireGuard is not included in this build, rebuild with -tags with_wireguard`)
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -1,5 +1,4 @@
 site_name: sing-box
-site_url: https://sing-box.sagernet.org/
 site_author: nekohasekai
 repo_url: https://github.com/SagerNet/sing-box
 repo_name: SagerNet/sing-box
--- a/option/direct.go
+++ b/option/direct.go
@@ -3,7 +3,7 @@ package option
 import (
 	"context"

-	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing/common/json"
 )

@@ -31,9 +31,8 @@ func (d *DirectOutboundOptions) UnmarshalJSONContext(ctx context.Context, conten
 	if err != nil {
 		return err
 	}
-	//nolint:staticcheck
 	if d.OverrideAddress != "" || d.OverridePort != 0 {
-		return E.New("destination override fields in direct outbound are deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use route options instead")
+		deprecated.Report(ctx, deprecated.OptionDestinationOverrideFields)
 	}
 	return nil
 }
--- a/option/inbound.go
+++ b/option/inbound.go
@@ -55,6 +55,7 @@ type InboundOptions struct {
 	SniffTimeout              badoption.Duration `json:"sniff_timeout,omitempty"`
 	DomainStrategy            DomainStrategy     `json:"domain_strategy,omitempty"`
 	UDPDisableDomainUnmapping bool               `json:"udp_disable_domain_unmapping,omitempty"`
+	Detour                    string             `json:"detour,omitempty"`
 }

 type ListenOptions struct {
@@ -72,7 +73,6 @@ type ListenOptions struct {
 	UDPFragment          *bool              `json:"udp_fragment,omitempty"`
 	UDPFragmentDefault   bool               `json:"-"`
 	UDPTimeout           UDPTimeoutCompat   `json:"udp_timeout,omitempty"`
-	Detour               string             `json:"detour,omitempty"`

 	// Deprecated: removed
 	ProxyProtocol bool `json:"proxy_protocol,omitempty"`
--- a/option/naive.go
+++ b/option/naive.go
@@ -2,7 +2,6 @@ package option

 import (
 	"github.com/sagernet/sing/common/auth"
-	"github.com/sagernet/sing/common/byteformats"
 	"github.com/sagernet/sing/common/json/badoption"
 )

@@ -27,14 +26,12 @@ type NaiveInboundOptions struct {
 type NaiveOutboundOptions struct {
 	DialerOptions
 	ServerOptions
-	Username                 string                   `json:"username,omitempty"`
-	Password                 string                   `json:"password,omitempty"`
-	InsecureConcurrency      int                      `json:"insecure_concurrency,omitempty"`
-	ExtraHeaders             badoption.HTTPHeader     `json:"extra_headers,omitempty"`
-	ReceiveWindow            *byteformats.MemoryBytes `json:"stream_receive_window,omitempty"`
-	UDPOverTCP               *UDPOverTCPOptions       `json:"udp_over_tcp,omitempty"`
-	QUIC                     bool                     `json:"quic,omitempty"`
-	QUICCongestionControl    string                   `json:"quic_congestion_control,omitempty"`
-	QUICSessionReceiveWindow *byteformats.MemoryBytes `json:"quic_session_receive_window,omitempty"`
+	Username              string               `json:"username,omitempty"`
+	Password              string               `json:"password,omitempty"`
+	InsecureConcurrency   int                  `json:"insecure_concurrency,omitempty"`
+	ExtraHeaders          badoption.HTTPHeader `json:"extra_headers,omitempty"`
+	UDPOverTCP            *UDPOverTCPOptions   `json:"udp_over_tcp,omitempty"`
+	QUIC                  bool                 `json:"quic,omitempty"`
+	QUICCongestionControl string               `json:"quic_congestion_control,omitempty"`
 	OutboundTLSOptionsContainer
 }
--- a/option/oom_killer.go
+++ b/option/oom_killer.go
@@ -1,14 +0,0 @@
-package option
-
-import (
-	"github.com/sagernet/sing/common/byteformats"
-	"github.com/sagernet/sing/common/json/badoption"
-)
-
-type OOMKillerServiceOptions struct {
-	MemoryLimit       *byteformats.MemoryBytes `json:"memory_limit,omitempty"`
-	SafetyMargin      *byteformats.MemoryBytes `json:"safety_margin,omitempty"`
-	MinInterval       badoption.Duration       `json:"min_interval,omitempty"`
-	MaxInterval       badoption.Duration       `json:"max_interval,omitempty"`
-	ChecksBeforeLimit int                      `json:"checks_before_limit,omitempty"`
-}
--- a/option/outbound.go
+++ b/option/outbound.go
@@ -4,6 +4,7 @@ import (
 	"context"

 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/deprecated"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/json/badjson"
@@ -39,7 +40,7 @@ func (h *Outbound) UnmarshalJSONContext(ctx context.Context, content []byte) err
 	}
 	switch h.Type {
 	case C.TypeDNS:
-		return E.New("dns outbound is deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use rule actions instead")
+		deprecated.Report(ctx, deprecated.OptionSpecialOutbounds)
 	}
 	options, loaded := registry.CreateOptions(h.Type)
 	if !loaded {
@@ -50,9 +51,8 @@ func (h *Outbound) UnmarshalJSONContext(ctx context.Context, content []byte) err
 		return err
 	}
 	if listenWrapper, isListen := options.(ListenOptionsWrapper); isListen {
-		//nolint:staticcheck
 		if listenWrapper.TakeListenOptions().InboundOptions != (InboundOptions{}) {
-			return E.New("legacy inbound fields are deprecated in sing-box 1.11.0 and removed in sing-box 1.13.0, use rule actions instead")
+			deprecated.Report(ctx, deprecated.OptionInboundOptions)
 		}
 	}
 	h.Options = options
--- a/option/tailscale.go
+++ b/option/tailscale.go
@@ -12,23 +12,22 @@ import (

 type TailscaleEndpointOptions struct {
 	DialerOptions
-	StateDirectory             string                     `json:"state_directory,omitempty"`
-	AuthKey                    string                     `json:"auth_key,omitempty"`
-	ControlURL                 string                     `json:"control_url,omitempty"`
-	Ephemeral                  bool                       `json:"ephemeral,omitempty"`
-	Hostname                   string                     `json:"hostname,omitempty"`
-	AcceptRoutes               bool                       `json:"accept_routes,omitempty"`
-	ExitNode                   string                     `json:"exit_node,omitempty"`
-	ExitNodeAllowLANAccess     bool                       `json:"exit_node_allow_lan_access,omitempty"`
-	AdvertiseRoutes            []netip.Prefix             `json:"advertise_routes,omitempty"`
-	AdvertiseExitNode          bool                       `json:"advertise_exit_node,omitempty"`
-	AdvertiseTags              badoption.Listable[string] `json:"advertise_tags,omitempty"`
-	RelayServerPort            *uint16                    `json:"relay_server_port,omitempty"`
-	RelayServerStaticEndpoints []netip.AddrPort           `json:"relay_server_static_endpoints,omitempty"`
-	SystemInterface            bool                       `json:"system_interface,omitempty"`
-	SystemInterfaceName        string                     `json:"system_interface_name,omitempty"`
-	SystemInterfaceMTU         uint32                     `json:"system_interface_mtu,omitempty"`
-	UDPTimeout                 UDPTimeoutCompat           `json:"udp_timeout,omitempty"`
+	StateDirectory             string           `json:"state_directory,omitempty"`
+	AuthKey                    string           `json:"auth_key,omitempty"`
+	ControlURL                 string           `json:"control_url,omitempty"`
+	Ephemeral                  bool             `json:"ephemeral,omitempty"`
+	Hostname                   string           `json:"hostname,omitempty"`
+	AcceptRoutes               bool             `json:"accept_routes,omitempty"`
+	ExitNode                   string           `json:"exit_node,omitempty"`
+	ExitNodeAllowLANAccess     bool             `json:"exit_node_allow_lan_access,omitempty"`
+	AdvertiseRoutes            []netip.Prefix   `json:"advertise_routes,omitempty"`
+	AdvertiseExitNode          bool             `json:"advertise_exit_node,omitempty"`
+	RelayServerPort            *uint16          `json:"relay_server_port,omitempty"`
+	RelayServerStaticEndpoints []netip.AddrPort `json:"relay_server_static_endpoints,omitempty"`
+	SystemInterface            bool             `json:"system_interface,omitempty"`
+	SystemInterfaceName        string           `json:"system_interface_name,omitempty"`
+	SystemInterfaceMTU         uint32           `json:"system_interface_mtu,omitempty"`
+	UDPTimeout                 UDPTimeoutCompat `json:"udp_timeout,omitempty"`
 }

 type TailscaleDNSServerOptions struct {
--- a/option/wireguard.go
+++ b/option/wireguard.go
@@ -28,3 +28,28 @@ type WireGuardPeer struct {
 	PersistentKeepaliveInterval uint16                           `json:"persistent_keepalive_interval,omitempty"`
 	Reserved                    []uint8                          `json:"reserved,omitempty"`
 }
+
+type LegacyWireGuardOutboundOptions struct {
+	DialerOptions
+	SystemInterface bool                             `json:"system_interface,omitempty"`
+	GSO             bool                             `json:"gso,omitempty"`
+	InterfaceName   string                           `json:"interface_name,omitempty"`
+	LocalAddress    badoption.Listable[netip.Prefix] `json:"local_address"`
+	PrivateKey      string                           `json:"private_key"`
+	Peers           []LegacyWireGuardPeer            `json:"peers,omitempty"`
+	ServerOptions
+	PeerPublicKey string      `json:"peer_public_key"`
+	PreSharedKey  string      `json:"pre_shared_key,omitempty"`
+	Reserved      []uint8     `json:"reserved,omitempty"`
+	Workers       int         `json:"workers,omitempty"`
+	MTU           uint32      `json:"mtu,omitempty"`
+	Network       NetworkList `json:"network,omitempty"`
+}
+
+type LegacyWireGuardPeer struct {
+	ServerOptions
+	PublicKey    string                           `json:"public_key,omitempty"`
+	PreSharedKey string                           `json:"pre_shared_key,omitempty"`
+	AllowedIPs   badoption.Listable[netip.Prefix] `json:"allowed_ips,omitempty"`
+	Reserved     []uint8                          `json:"reserved,omitempty"`
+}
--- a/protocol/anytls/inbound.go
+++ b/protocol/anytls/inbound.go
@@ -122,6 +122,7 @@ func (h *inboundHandler) NewConnectionEx(ctx context.Context, conn net.Conn, sou
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
+	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	metadata.Destination = destination.Unwrap()
 	if userName, _ := auth.UserFromContext[string](ctx); userName != "" {
--- a/protocol/direct/inbound.go
+++ b/protocol/direct/inbound.go
@@ -111,6 +111,7 @@ func (i *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = i.listener.ListenOptions().Detour
 	//nolint:staticcheck
+	metadata.InboundOptions = i.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	destination = i.listener.UDPAddr()
 	switch i.overrideOption {
--- a/protocol/direct/outbound.go
+++ b/protocol/direct/outbound.go
@@ -16,6 +16,7 @@ import (
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing-tun/ping"
 	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
@@ -35,12 +36,14 @@ var (

 type Outbound struct {
 	outbound.Adapter
-	ctx            context.Context
-	logger         logger.ContextLogger
-	dialer         dialer.ParallelInterfaceDialer
-	domainStrategy C.DomainStrategy
-	fallbackDelay  time.Duration
-	isEmpty        bool
+	ctx                 context.Context
+	logger              logger.ContextLogger
+	dialer              dialer.ParallelInterfaceDialer
+	domainStrategy      C.DomainStrategy
+	fallbackDelay       time.Duration
+	overrideOption      int
+	overrideDestination M.Socksaddr
+	isEmpty             bool
 	// loopBack *loopBackDetector
 }

@@ -66,13 +69,25 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		domainStrategy: C.DomainStrategy(options.DomainStrategy),
 		fallbackDelay:  time.Duration(options.FallbackDelay),
 		dialer:         outboundDialer.(dialer.ParallelInterfaceDialer),
-		isEmpty:        reflect.DeepEqual(options.DialerOptions, option.DialerOptions{UDPFragmentDefault: true}),
+		//nolint:staticcheck
+		isEmpty: reflect.DeepEqual(options.DialerOptions, option.DialerOptions{UDPFragmentDefault: true}) && options.OverrideAddress == "" && options.OverridePort == 0,
 		// loopBack:       newLoopBackDetector(router),
 	}
 	//nolint:staticcheck
 	if options.ProxyProtocol != 0 {
 		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")
 	}
+	//nolint:staticcheck
+	if options.OverrideAddress != "" && options.OverridePort != 0 {
+		outbound.overrideOption = 1
+		outbound.overrideDestination = M.ParseSocksaddrHostPort(options.OverrideAddress, options.OverridePort)
+	} else if options.OverrideAddress != "" {
+		outbound.overrideOption = 2
+		outbound.overrideDestination = M.ParseSocksaddrHostPort(options.OverrideAddress, options.OverridePort)
+	} else if options.OverridePort != 0 {
+		outbound.overrideOption = 3
+		outbound.overrideDestination = M.Socksaddr{Port: options.OverridePort}
+	}
 	return outbound, nil
 }

@@ -80,6 +95,16 @@ func (h *Outbound) DialContext(ctx context.Context, network string, destination
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
+	switch h.overrideOption {
+	case 1:
+		destination = h.overrideDestination
+	case 2:
+		newDestination := h.overrideDestination
+		newDestination.Port = destination.Port
+		destination = newDestination
+	case 3:
+		destination.Port = h.overrideDestination.Port
+	}
 	network = N.NetworkName(network)
 	switch network {
 	case N.NetworkTCP:
@@ -99,12 +124,30 @@ func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	h.logger.InfoContext(ctx, "outbound packet connection")
+	originDestination := destination
+	switch h.overrideOption {
+	case 1:
+		destination = h.overrideDestination
+	case 2:
+		newDestination := h.overrideDestination
+		newDestination.Port = destination.Port
+		destination = newDestination
+	case 3:
+		destination.Port = h.overrideDestination.Port
+	}
+	if h.overrideOption == 0 {
+		h.logger.InfoContext(ctx, "outbound packet connection")
+	} else {
+		h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
+	}
 	conn, err := h.dialer.ListenPacket(ctx, destination)
 	if err != nil {
 		return nil, err
 	}
 	// conn = h.loopBack.NewPacketConn(bufio.NewPacketConn(conn), destination)
+	if originDestination != destination {
+		conn = bufio.NewNATPacketConn(bufio.NewPacketConn(conn), destination, originDestination)
+	}
 	return conn, nil
 }

@@ -122,6 +165,13 @@ func (h *Outbound) DialParallel(ctx context.Context, network string, destination
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
+	switch h.overrideOption {
+	case 1, 2:
+		// override address
+		return h.DialContext(ctx, network, destination)
+	case 3:
+		destination.Port = h.overrideDestination.Port
+	}
 	network = N.NetworkName(network)
 	switch network {
 	case N.NetworkTCP:
@@ -136,6 +186,13 @@ func (h *Outbound) DialParallelNetwork(ctx context.Context, network string, dest
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
+	switch h.overrideOption {
+	case 1, 2:
+		// override address
+		return h.DialContext(ctx, network, destination)
+	case 3:
+		destination.Port = h.overrideDestination.Port
+	}
 	network = N.NetworkName(network)
 	switch network {
 	case N.NetworkTCP:
@@ -150,7 +207,21 @@ func (h *Outbound) ListenSerialNetworkPacket(ctx context.Context, destination M.
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Outbound = h.Tag()
 	metadata.Destination = destination
-	h.logger.InfoContext(ctx, "outbound packet connection")
+	switch h.overrideOption {
+	case 1:
+		destination = h.overrideDestination
+	case 2:
+		newDestination := h.overrideDestination
+		newDestination.Port = destination.Port
+		destination = newDestination
+	case 3:
+		destination.Port = h.overrideDestination.Port
+	}
+	if h.overrideOption == 0 {
+		h.logger.InfoContext(ctx, "outbound packet connection")
+	} else {
+		h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
+	}
 	conn, newDestination, err := dialer.ListenSerialNetworkPacket(ctx, h.dialer, destination, destinationAddresses, networkStrategy, networkType, fallbackNetworkType, fallbackDelay)
 	if err != nil {
 		return nil, netip.Addr{}, err
--- a/protocol/hysteria/inbound.go
+++ b/protocol/hysteria/inbound.go
@@ -118,6 +118,7 @@ func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
+	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
@@ -140,6 +141,7 @@ func (h *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
+	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
--- a/protocol/hysteria2/inbound.go
+++ b/protocol/hysteria2/inbound.go
@@ -151,6 +151,7 @@ func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, source M.S
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
+	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
@@ -173,6 +174,7 @@ func (h *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
+	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	metadata.OriginDestination = h.listener.UDPAddr()
 	metadata.Source = source
 	metadata.Destination = destination
--- a/protocol/naive/inbound.go
+++ b/protocol/naive/inbound.go
@@ -209,6 +209,7 @@ func (n *Inbound) newConnection(ctx context.Context, waitForClose bool, conn net
 	//nolint:staticcheck
 	metadata.InboundDetour = n.listener.ListenOptions().Detour
 	//nolint:staticcheck
+	metadata.InboundOptions = n.listener.ListenOptions().InboundOptions
 	metadata.Source = source
 	metadata.Destination = destination
 	metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
--- a/protocol/naive/outbound.go
+++ b/protocol/naive/outbound.go
@@ -235,7 +235,7 @@ func (h *Outbound) DialContext(ctx context.Context, network string, destination
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
 		h.logger.InfoContext(ctx, "outbound connection to ", destination)
-		return h.client.DialEarly(ctx, destination)
+		return h.client.DialEarly(destination)
 	case N.NetworkUDP:
 		if h.uotClient == nil {
 			return nil, E.New("UDP is not supported unless UDP over TCP is enabled")
@@ -254,10 +254,6 @@ func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	return h.uotClient.ListenPacket(ctx, destination)
 }

-func (h *Outbound) InterfaceUpdated() {
-	h.client.Engine().CloseAllConnections()
-}
-
 func (h *Outbound) Close() error {
 	return h.client.Close()
 }
@@ -271,5 +267,5 @@ type naiveDialer struct {
 }

 func (d *naiveDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	return d.NaiveClient.DialEarly(ctx, destination)
+	return d.NaiveClient.DialEarly(destination)
 }
--- a/protocol/shadowsocks/inbound_multi.go
+++ b/protocol/shadowsocks/inbound_multi.go
@@ -175,6 +175,7 @@ func (h *MultiInbound) newConnection(ctx context.Context, conn net.Conn, metadat
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
+	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	if h.tracker != nil {
 		conn = h.tracker.TrackConnection(conn, metadata)
 	}
@@ -200,6 +201,7 @@ func (h *MultiInbound) newPacketConnection(ctx context.Context, conn N.PacketCon
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
+	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	if h.tracker != nil {
 		conn = h.tracker.TrackPacketConnection(conn, metadata)
 	}
--- a/protocol/shadowsocks/inbound_relay.go
+++ b/protocol/shadowsocks/inbound_relay.go
@@ -135,6 +135,7 @@ func (h *RelayInbound) newConnection(ctx context.Context, conn net.Conn, metadat
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
+	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	return h.router.RouteConnection(ctx, conn, metadata)
 }

@@ -157,6 +158,7 @@ func (h *RelayInbound) newPacketConnection(ctx context.Context, conn N.PacketCon
 	//nolint:staticcheck
 	metadata.InboundDetour = h.listener.ListenOptions().Detour
 	//nolint:staticcheck
+	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	return h.router.RoutePacketConnection(ctx, conn, metadata)
 }

--- a/Show More
+++ b/Show More