Bump version

The TTL computation and assignment loops treat OPT record's Hdr.Ttl
as a regular TTL, but per RFC 6891 it encodes EDNS0 metadata
(ExtRCode|Version|Flags). This corrupts cached responses causing
systemd-resolved to reject them with EDNS version 255.

Also fix pointer aliasing: storeCache() stored raw *dns.Msg pointer
so subsequent mutations by Exchange() corrupted cached data.

- Skip OPT records in all TTL loops (Exchange + loadResponse)
- Use message.Copy() in storeCache() to isolate cache from mutations

.fpm_systemd

@@ -4,6 +4,7 @@
 --license GPL-3.0-or-later
 --description "The universal proxy platform."
 --url "https://sing-box.sagernet.org/"
+--vendor SagerNet
 --maintainer "nekohasekai <contact-git@sekai.icu>"
 --deb-field "Bug: https://github.com/SagerNet/sing-box/issues"
 --no-deb-generate-changes

box.go

@@ -19,7 +19,6 @@ import (
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport/local"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/cachefile"
 	"github.com/sagernet/sing-box/log"
@@ -326,11 +325,12 @@ func New(options Options) (*Box, error) {
 		)
 	})
 	dnsTransportManager.Initialize(func() (adapter.DNSTransport, error) {
-		return local.NewTransport(
+		return dnsTransportRegistry.CreateDNSTransport(
 			ctx,
 			logFactory.NewLogger("dns/local"),
 			"local",
-			option.LocalDNSServerOptions{},
+			C.DNSTypeLocal,
+			&option.LocalDNSServerOptions{},
 		)
 	})
 	if platformInterface != nil {
@@ -555,6 +555,10 @@ func (s *Box) Outbound() adapter.OutboundManager {
 	return s.outbound
 }
 
+func (s *Box) Endpoint() adapter.EndpointManager {
+	return s.endpoint
+}
+
 func (s *Box) LogFactory() log.Factory {
 	return s.logFactory
 }

common/dialer/default.go

@@ -149,7 +149,10 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 	} else {
 		dialer.Timeout = C.TCPConnectTimeout
 	}
-	if !options.DisableTCPKeepAlive {
+	if options.DisableTCPKeepAlive {
+		dialer.KeepAlive = -1
+		dialer.KeepAliveConfig.Enable = false
+	} else {
 		keepIdle := time.Duration(options.TCPKeepAlive)
 		if keepIdle == 0 {
 			keepIdle = C.TCPKeepAliveInitial

common/listener/listener_tcp.go

@@ -37,7 +37,10 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 	if l.listenOptions.ReuseAddr {
 		listenConfig.Control = control.Append(listenConfig.Control, control.ReuseAddr())
 	}
-	if !l.listenOptions.DisableTCPKeepAlive {
+	if l.listenOptions.DisableTCPKeepAlive {
+		listenConfig.KeepAlive = -1
+		listenConfig.KeepAliveConfig.Enable = false
+	} else {
 		keepIdle := time.Duration(l.listenOptions.TCPKeepAlive)
 		if keepIdle == 0 {
 			keepIdle = C.TCPKeepAliveInitial

dns/client.go

@@ -283,6 +283,9 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	if timeToLive == 0 {
 		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 			for _, record := range recordList {
+				if record.Header().Rrtype == dns.TypeOPT {
+					continue
+				}
 				if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
 					timeToLive = record.Header().Ttl
 				}
@@ -294,6 +297,9 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	}
 	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 		for _, record := range recordList {
+			if record.Header().Rrtype == dns.TypeOPT {
+				continue
+			}
 			record.Header().Ttl = timeToLive
 		}
 	}
@@ -381,21 +387,21 @@ func (c *Client) storeCache(transport adapter.DNSTransport, question dns.Questio
 	}
 	if c.disableExpire {
 		if !c.independentCache {
-			c.cache.Add(question, message)
+			c.cache.Add(question, message.Copy())
 		} else {
 			c.transportCache.Add(transportCacheKey{
 				Question:     question,
 				transportTag: transport.Tag(),
-			}, message)
+			}, message.Copy())
 		}
 	} else {
 		if !c.independentCache {
-			c.cache.AddWithLifetime(question, message, time.Second*time.Duration(timeToLive))
+			c.cache.AddWithLifetime(question, message.Copy(), time.Second*time.Duration(timeToLive))
 		} else {
 			c.transportCache.AddWithLifetime(transportCacheKey{
 				Question:     question,
 				transportTag: transport.Tag(),
-			}, message, time.Second*time.Duration(timeToLive))
+			}, message.Copy(), time.Second*time.Duration(timeToLive))
 		}
 	}
 }
@@ -486,6 +492,9 @@ func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransp
 		var originTTL int
 		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 			for _, record := range recordList {
+				if record.Header().Rrtype == dns.TypeOPT {
+					continue
+				}
 				if originTTL == 0 || record.Header().Ttl > 0 && int(record.Header().Ttl) < originTTL {
 					originTTL = int(record.Header().Ttl)
 				}
@@ -500,12 +509,18 @@ func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransp
 			duration := uint32(originTTL - nowTTL)
 			for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 				for _, record := range recordList {
+					if record.Header().Rrtype == dns.TypeOPT {
+						continue
+					}
 					record.Header().Ttl = record.Header().Ttl - duration
 				}
 			}
 		} else {
 			for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 				for _, record := range recordList {
+					if record.Header().Rrtype == dns.TypeOPT {
+						continue
+					}
 					record.Header().Ttl = uint32(nowTTL)
 				}
 			}

docs/changelog.md

@@ -2,6 +2,22 @@
 icon: material/alert-decagram
 ---
 
+#### 1.13.7
+
+* Fixes and improvements
+
+#### 1.13.6
+
+* Fixes and improvements
+
+#### 1.13.5
+
+* Fixes and improvements
+
+#### 1.13.4
+
+* Fixes and improvements
+
 #### 1.13.3
 
 * Add OpenWrt and Alpine APK packages to release **1**

docs/configuration/dns/rule.md

@@ -209,7 +209,7 @@ icon: material/alert-decagram
     (`source_port` || `source_port_range`) &&  
     `other fields`
 
-    Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.
+    Additionally, each branch inside an included rule-set can be considered merged into the outer rule, while different branches keep OR semantics.
 
 #### inbound
 
@@ -546,4 +546,4 @@ Match any IP with query response.
 
 #### rules
 
-Included rules.
+Included rules.

docs/configuration/dns/rule.zh.md

@@ -208,7 +208,7 @@ icon: material/alert-decagram
     (`source_port` || `source_port_range`) &&  
     `other fields`
 
-    另外，引用的规则集可视为被合并，而不是作为一个单独的规则子项。
+    另外，引用规则集中的每个分支都可视为与外层规则合并，不同分支之间仍保持 OR 语义。
 
 #### inbound
 
@@ -550,4 +550,4 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 ==必填==
 
-包括的规则。
+包括的规则。

docs/configuration/route/rule.md

@@ -199,7 +199,7 @@ icon: material/new-box
     (`source_port` || `source_port_range`) &&  
     `other fields`
 
-    Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.
+    Additionally, each branch inside an included rule-set can be considered merged into the outer rule, while different branches keep OR semantics.
 
 #### inbound
 

docs/configuration/route/rule.zh.md

@@ -197,7 +197,7 @@ icon: material/new-box
     (`source_port` || `source_port_range`) &&  
     `other fields`
 
-    另外，引用的规则集可视为被合并，而不是作为一个单独的规则子项。
+    另外，引用规则集中的每个分支都可视为与外层规则合并，不同分支之间仍保持 OR 语义。
 
 #### inbound
 
@@ -501,4 +501,4 @@ icon: material/new-box
 
 ==必填==
 
-包括的规则。
+包括的规则。

experimental/libbox/http.go

@@ -52,6 +52,11 @@ type HTTPRequest interface {
 type HTTPResponse interface {
 	GetContent() (*StringBox, error)
 	WriteTo(path string) error
+	WriteToWithProgress(path string, handler HTTPResponseWriteToProgressHandler) error
+}
+
+type HTTPResponseWriteToProgressHandler interface {
+	Update(progress int64, total int64)
 }
 
 var (
@@ -239,3 +244,31 @@ func (h *httpResponse) WriteTo(path string) error {
 	defer file.Close()
 	return common.Error(bufio.Copy(file, h.Body))
 }
+
+func (h *httpResponse) WriteToWithProgress(path string, handler HTTPResponseWriteToProgressHandler) error {
+	defer h.Body.Close()
+	file, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	return common.Error(bufio.Copy(&progressWriter{
+		writer:  file,
+		handler: handler,
+		total:   h.ContentLength,
+	}, h.Body))
+}
+
+type progressWriter struct {
+	writer  io.Writer
+	handler HTTPResponseWriteToProgressHandler
+	total   int64
+	written int64
+}
+
+func (w *progressWriter) Write(p []byte) (int, error) {
+	n, err := w.writer.Write(p)
+	w.written += int64(n)
+	w.handler.Update(w.written, w.total)
+	return n, err
+}

go.mod

@@ -33,13 +33,13 @@ require (
 	github.com/sagernet/gomobile v0.1.12
 	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
 	github.com/sagernet/quic-go v0.59.0-sing-box-mod.4
-	github.com/sagernet/sing v0.8.3-0.20260315153529-ed51f65fbfde
+	github.com/sagernet/sing v0.8.4
 	github.com/sagernet/sing-mux v0.3.4
-	github.com/sagernet/sing-quic v0.6.0
+	github.com/sagernet/sing-quic v0.6.1
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
-	github.com/sagernet/sing-tun v0.8.6
+	github.com/sagernet/sing-tun v0.8.7
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1
 	github.com/sagernet/smux v1.5.50-sing-box-mod.1
 	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.7

go.sum

@@ -236,20 +236,20 @@ github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNen
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4 h1:6qvrUW79S+CrPwWz6cMePXohgjHoKxLo3c+MDhNwc3o=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
-github.com/sagernet/sing v0.8.3-0.20260315153529-ed51f65fbfde h1:RNQzlpnsXIuu1HGts/fIzJ1PR7RhrzaNlU52MDyiX1c=
-github.com/sagernet/sing v0.8.3-0.20260315153529-ed51f65fbfde/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.8.4 h1:Fj+jlY3F8vhcRfz/G/P3Dwcs5wqnmyNPT7u1RVVmjFI=
+github.com/sagernet/sing v0.8.4/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.4 h1:ZQplKl8MNXutjzbMVtWvWG31fohhgOfCuUZR4dVQ8+s=
 github.com/sagernet/sing-mux v0.3.4/go.mod h1:QvlKMyNBNrQoyX4x+gq028uPbLM2XeRpWtDsWBJbFSk=
-github.com/sagernet/sing-quic v0.6.0 h1:dhrFnP45wgVKEOT1EvtsToxdzRnHIDIAgj6WHV9pLyM=
-github.com/sagernet/sing-quic v0.6.0/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
+github.com/sagernet/sing-quic v0.6.1 h1:lx0tcm99wIA1RkyvILNzRSsMy1k7TTQYIhx71E/WBlw=
+github.com/sagernet/sing-quic v0.6.1/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
 github.com/sagernet/sing-shadowsocks v0.2.8 h1:PURj5PRoAkqeHh2ZW205RWzN9E9RtKCVCzByXruQWfE=
 github.com/sagernet/sing-shadowsocks v0.2.8/go.mod h1:lo7TWEMDcN5/h5B8S0ew+r78ZODn6SwVaFhvB6H+PTI=
 github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnqqs2gQ2/Qioo=
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.8.6 h1:NydXFikSXhiKqhahHKtuZ90HQPZFzlOFVRONmkr4C7I=
-github.com/sagernet/sing-tun v0.8.6/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
+github.com/sagernet/sing-tun v0.8.7 h1:q49cI7Cbp+BcgzaJitQ9QdLO77BqnnaQRkSEMoGmF3g=
+github.com/sagernet/sing-tun v0.8.7/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkVyVvdmBSufR8/nRFonwJeKSIROxHcm5br9o=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=

protocol/naive/inbound.go

@@ -29,7 +29,10 @@ import (
 	"golang.org/x/net/http2/h2c"
 )
 
-var ConfigureHTTP3ListenerFunc func(ctx context.Context, logger logger.Logger, listener *listener.Listener, handler http.Handler, tlsConfig tls.ServerConfig, options option.NaiveInboundOptions) (io.Closer, error)
+var (
+	ConfigureHTTP3ListenerFunc func(ctx context.Context, logger logger.Logger, listener *listener.Listener, handler http.Handler, tlsConfig tls.ServerConfig, options option.NaiveInboundOptions) (io.Closer, error)
+	WrapError                  func(error) error
+)
 
 func RegisterInbound(registry *inbound.Registry) {
 	inbound.Register[option.NaiveInboundOptions](registry, C.TypeNaive, NewInbound)

protocol/naive/inbound_conn.go

@@ -95,7 +95,7 @@ func (p *paddingConn) writeWithPadding(writer io.Writer, data []byte) (n int, er
 		binary.BigEndian.PutUint16(header, uint16(len(data)))
 		header[2] = byte(paddingSize)
 		common.Must1(buffer.Write(data))
-		buffer.Extend(paddingSize)
+		common.Must(buffer.WriteZeroN(paddingSize))
 		_, err = writer.Write(buffer.Bytes())
 		if err == nil {
 			n = len(data)
@@ -117,7 +117,7 @@ func (p *paddingConn) writeBufferWithPadding(writer io.Writer, buffer *buf.Buffe
 		header := buffer.ExtendHeader(3)
 		binary.BigEndian.PutUint16(header, uint16(bufferLen))
 		header[2] = byte(paddingSize)
-		buffer.Extend(paddingSize)
+		common.Must(buffer.WriteZeroN(paddingSize))
 		p.writePadding++
 	}
 	return common.Error(writer.Write(buffer.Bytes()))
@@ -179,18 +179,18 @@ type naiveConn struct {
 
 func (c *naiveConn) Read(p []byte) (n int, err error) {
 	n, err = c.readWithPadding(c.Conn, p)
-	return n, baderror.WrapH2(err)
+	return n, wrapError(err)
 }
 
 func (c *naiveConn) Write(p []byte) (n int, err error) {
 	n, err = c.writeChunked(c.Conn, p)
-	return n, baderror.WrapH2(err)
+	return n, wrapError(err)
 }
 
 func (c *naiveConn) WriteBuffer(buffer *buf.Buffer) error {
 	defer buffer.Release()
 	err := c.writeBufferWithPadding(c.Conn, buffer)
-	return baderror.WrapH2(err)
+	return wrapError(err)
 }
 
 func (c *naiveConn) FrontHeadroom() int      { return c.frontHeadroom() }
@@ -210,7 +210,7 @@ type naiveH2Conn struct {
 
 func (c *naiveH2Conn) Read(p []byte) (n int, err error) {
 	n, err = c.readWithPadding(c.reader, p)
-	return n, baderror.WrapH2(err)
+	return n, wrapError(err)
 }
 
 func (c *naiveH2Conn) Write(p []byte) (n int, err error) {
@@ -218,7 +218,7 @@ func (c *naiveH2Conn) Write(p []byte) (n int, err error) {
 	if err == nil {
 		c.flusher.Flush()
 	}
-	return n, baderror.WrapH2(err)
+	return n, wrapError(err)
 }
 
 func (c *naiveH2Conn) WriteBuffer(buffer *buf.Buffer) error {
@@ -227,7 +227,15 @@ func (c *naiveH2Conn) WriteBuffer(buffer *buf.Buffer) error {
 	if err == nil {
 		c.flusher.Flush()
 	}
-	return baderror.WrapH2(err)
+	return wrapError(err)
+}
+
+func wrapError(err error) error {
+	err = baderror.WrapH2(err)
+	if WrapError != nil {
+		err = WrapError(err)
+	}
+	return err
 }
 
 func (c *naiveH2Conn) Close() error {

protocol/naive/quic/inbound_init.go

@@ -124,4 +124,5 @@ func init() {
 
 		return quicListener, nil
 	}
+	naive.WrapError = qtls.WrapError
 }

protocol/tailscale/endpoint.go

@@ -262,9 +262,16 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 }
 
 func (t *Endpoint) Start(stage adapter.StartStage) error {
-	if stage != adapter.StartStateStart {
-		return nil
+	switch stage {
+	case adapter.StartStateStart:
+		return t.start()
+	case adapter.StartStatePostStart:
+		return t.postStart()
 	}
+	return nil
+}
+
+func (t *Endpoint) start() error {
 	if t.platformInterface != nil {
 		err := t.network.UpdateInterfaces()
 		if err != nil {
@@ -347,6 +354,10 @@ func (t *Endpoint) Start(stage adapter.StartStage) error {
 			})
 		})
 	}
+	return nil
+}
+
+func (t *Endpoint) postStart() error {
 	err := t.server.Start()
 	if err != nil {
 		if t.systemTun != nil {
@@ -471,13 +482,13 @@ func (t *Endpoint) watchState() {
 }
 
 func (t *Endpoint) Close() error {
+	err := common.Close(common.PtrOrNil(t.server))
 	netmon.RegisterInterfaceGetter(nil)
 	netns.SetControlFunc(nil)
 	if t.fallbackTCPCloser != nil {
 		t.fallbackTCPCloser()
 		t.fallbackTCPCloser = nil
 	}
-	err := common.Close(common.PtrOrNil(t.server))
 	if t.systemTun != nil {
 		t.systemTun.Close()
 		t.systemTun = nil

route/rule/match_state.go

@@ -87,22 +87,40 @@ type ruleStateMatcher interface {
 	matchStates(metadata *adapter.InboundContext) ruleMatchStateSet
 }
 
+type ruleStateMatcherWithBase interface {
+	matchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet
+}
+
 func matchHeadlessRuleStates(rule adapter.HeadlessRule, metadata *adapter.InboundContext) ruleMatchStateSet {
+	return matchHeadlessRuleStatesWithBase(rule, metadata, 0)
+}
+
+func matchHeadlessRuleStatesWithBase(rule adapter.HeadlessRule, metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
+	if matcher, isStateMatcher := rule.(ruleStateMatcherWithBase); isStateMatcher {
+		return matcher.matchStatesWithBase(metadata, base)
+	}
 	if matcher, isStateMatcher := rule.(ruleStateMatcher); isStateMatcher {
-		return matcher.matchStates(metadata)
+		return matcher.matchStates(metadata).withBase(base)
 	}
 	if rule.Match(metadata) {
-		return emptyRuleMatchState()
+		return emptyRuleMatchState().withBase(base)
 	}
 	return 0
 }
 
 func matchRuleItemStates(item RuleItem, metadata *adapter.InboundContext) ruleMatchStateSet {
+	return matchRuleItemStatesWithBase(item, metadata, 0)
+}
+
+func matchRuleItemStatesWithBase(item RuleItem, metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
+	if matcher, isStateMatcher := item.(ruleStateMatcherWithBase); isStateMatcher {
+		return matcher.matchStatesWithBase(metadata, base)
+	}
 	if matcher, isStateMatcher := item.(ruleStateMatcher); isStateMatcher {
-		return matcher.matchStates(metadata)
+		return matcher.matchStates(metadata).withBase(base)
 	}
 	if item.Match(metadata) {
-		return emptyRuleMatchState()
+		return emptyRuleMatchState().withBase(base)
 	}
 	return 0
 }

route/rule/rule_abstract.go

@@ -72,10 +72,18 @@ func (r *abstractDefaultRule) requiresDestinationAddressMatch(metadata *adapter.
 }
 
 func (r *abstractDefaultRule) matchStates(metadata *adapter.InboundContext) ruleMatchStateSet {
+	return r.matchStatesWithBase(metadata, 0)
+}
+
+func (r *abstractDefaultRule) matchStatesWithBase(metadata *adapter.InboundContext, inheritedBase ruleMatchState) ruleMatchStateSet {
 	if len(r.allItems) == 0 {
-		return emptyRuleMatchState()
+		return emptyRuleMatchState().withBase(inheritedBase)
 	}
-	var baseState ruleMatchState
+	evaluationBase := inheritedBase
+	if r.invert {
+		evaluationBase = 0
+	}
+	baseState := evaluationBase
 	if len(r.sourceAddressItems) > 0 {
 		metadata.DidMatch = true
 		if matchAnyItem(r.sourceAddressItems, metadata) {
@@ -119,17 +127,15 @@ func (r *abstractDefaultRule) matchStates(metadata *adapter.InboundContext) rule
 	for _, item := range r.items {
 		metadata.DidMatch = true
 		if !item.Match(metadata) {
-			return r.invertedFailure()
+			return r.invertedFailure(inheritedBase)
 		}
 	}
-	stateSet := singleRuleMatchState(baseState)
+	var stateSet ruleMatchStateSet
 	if r.ruleSetItem != nil {
 		metadata.DidMatch = true
-		ruleSetStates := matchRuleItemStates(r.ruleSetItem, metadata)
-		if ruleSetStates.isEmpty() {
-			return r.invertedFailure()
-		}
-		stateSet = ruleSetStates.withBase(baseState)
+		stateSet = matchRuleItemStatesWithBase(r.ruleSetItem, metadata, baseState)
+	} else {
+		stateSet = singleRuleMatchState(baseState)
 	}
 	stateSet = stateSet.filter(func(state ruleMatchState) bool {
 		if r.requiresSourceAddressMatch(metadata) && !state.has(ruleMatchSourceAddress) {
@@ -147,21 +153,21 @@ func (r *abstractDefaultRule) matchStates(metadata *adapter.InboundContext) rule
 		return true
 	})
 	if stateSet.isEmpty() {
-		return r.invertedFailure()
+		return r.invertedFailure(inheritedBase)
 	}
 	if r.invert {
 		// DNS pre-lookup defers destination address-limit checks until the response phase.
 		if metadata.IgnoreDestinationIPCIDRMatch && stateSet == emptyRuleMatchState() && !metadata.DidMatch && len(r.destinationIPCIDRItems) > 0 {
-			return emptyRuleMatchState()
+			return emptyRuleMatchState().withBase(inheritedBase)
 		}
 		return 0
 	}
 	return stateSet
 }
 
-func (r *abstractDefaultRule) invertedFailure() ruleMatchStateSet {
+func (r *abstractDefaultRule) invertedFailure(base ruleMatchState) ruleMatchStateSet {
 	if r.invert {
-		return emptyRuleMatchState()
+		return emptyRuleMatchState().withBase(base)
 	}
 	return 0
 }
@@ -225,16 +231,24 @@ func (r *abstractLogicalRule) Match(metadata *adapter.InboundContext) bool {
 }
 
 func (r *abstractLogicalRule) matchStates(metadata *adapter.InboundContext) ruleMatchStateSet {
+	return r.matchStatesWithBase(metadata, 0)
+}
+
+func (r *abstractLogicalRule) matchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
+	evaluationBase := base
+	if r.invert {
+		evaluationBase = 0
+	}
 	var stateSet ruleMatchStateSet
 	if r.mode == C.LogicalTypeAnd {
-		stateSet = emptyRuleMatchState()
+		stateSet = emptyRuleMatchState().withBase(evaluationBase)
 		for _, rule := range r.rules {
 			nestedMetadata := *metadata
 			nestedMetadata.ResetRuleCache()
-			nestedStateSet := matchHeadlessRuleStates(rule, &nestedMetadata)
+			nestedStateSet := matchHeadlessRuleStatesWithBase(rule, &nestedMetadata, evaluationBase)
 			if nestedStateSet.isEmpty() {
 				if r.invert {
-					return emptyRuleMatchState()
+					return emptyRuleMatchState().withBase(base)
 				}
 				return 0
 			}
@@ -244,11 +258,11 @@ func (r *abstractLogicalRule) matchStates(metadata *adapter.InboundContext) rule
 		for _, rule := range r.rules {
 			nestedMetadata := *metadata
 			nestedMetadata.ResetRuleCache()
-			stateSet = stateSet.merge(matchHeadlessRuleStates(rule, &nestedMetadata))
+			stateSet = stateSet.merge(matchHeadlessRuleStatesWithBase(rule, &nestedMetadata, evaluationBase))
 		}
 		if stateSet.isEmpty() {
 			if r.invert {
-				return emptyRuleMatchState()
+				return emptyRuleMatchState().withBase(base)
 			}
 			return 0
 		}

route/rule/rule_headless.go

@@ -45,6 +45,11 @@ func NewDefaultHeadlessRule(ctx context.Context, options option.DefaultHeadlessR
 			invert: options.Invert,
 		},
 	}
+	if len(options.QueryType) > 0 {
+		item := NewQueryTypeItem(options.QueryType)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
 	if len(options.Network) > 0 {
 		item := NewNetworkItem(options.Network)
 		rule.items = append(rule.items, item)

route/rule/rule_item_rule_set.go

@@ -45,13 +45,17 @@ func (r *RuleSetItem) Match(metadata *adapter.InboundContext) bool {
 }
 
 func (r *RuleSetItem) matchStates(metadata *adapter.InboundContext) ruleMatchStateSet {
+	return r.matchStatesWithBase(metadata, 0)
+}
+
+func (r *RuleSetItem) matchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
 	var stateSet ruleMatchStateSet
 	for _, ruleSet := range r.setList {
 		nestedMetadata := *metadata
 		nestedMetadata.ResetRuleMatchCache()
 		nestedMetadata.IPCIDRMatchSource = r.ipCidrMatchSource
 		nestedMetadata.IPCIDRAcceptEmpty = r.ipCidrAcceptEmpty
-		stateSet = stateSet.merge(matchHeadlessRuleStates(ruleSet, &nestedMetadata))
+		stateSet = stateSet.merge(matchHeadlessRuleStatesWithBase(ruleSet, &nestedMetadata, base))
 	}
 	return stateSet
 }

route/rule/rule_set_local.go

@@ -206,11 +206,15 @@ func (s *LocalRuleSet) Match(metadata *adapter.InboundContext) bool {
 }
 
 func (s *LocalRuleSet) matchStates(metadata *adapter.InboundContext) ruleMatchStateSet {
+	return s.matchStatesWithBase(metadata, 0)
+}
+
+func (s *LocalRuleSet) matchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
 	var stateSet ruleMatchStateSet
 	for _, rule := range s.rules {
 		nestedMetadata := *metadata
 		nestedMetadata.ResetRuleMatchCache()
-		stateSet = stateSet.merge(matchHeadlessRuleStates(rule, &nestedMetadata))
+		stateSet = stateSet.merge(matchHeadlessRuleStatesWithBase(rule, &nestedMetadata, base))
 	}
 	return stateSet
 }

route/rule/rule_set_remote.go

@@ -326,11 +326,15 @@ func (s *RemoteRuleSet) Match(metadata *adapter.InboundContext) bool {
 }
 
 func (s *RemoteRuleSet) matchStates(metadata *adapter.InboundContext) ruleMatchStateSet {
+	return s.matchStatesWithBase(metadata, 0)
+}
+
+func (s *RemoteRuleSet) matchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
 	var stateSet ruleMatchStateSet
 	for _, rule := range s.rules {
 		nestedMetadata := *metadata
 		nestedMetadata.ResetRuleMatchCache()
-		stateSet = stateSet.merge(matchHeadlessRuleStates(rule, &nestedMetadata))
+		stateSet = stateSet.merge(matchHeadlessRuleStatesWithBase(rule, &nestedMetadata, base))
 	}
 	return stateSet
 }

route/rule/rule_set_semantics_test.go

@@ -149,6 +149,95 @@ func TestRouteRuleSetMergeSourceAndPortGroups(t *testing.T) {
 	})
 }
 
+func TestRouteRuleSetOuterGroupedStateMergesIntoSameGroup(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		name       string
+		metadata   adapter.InboundContext
+		buildOuter func(*testing.T, *abstractDefaultRule)
+		buildInner func(*testing.T, *abstractDefaultRule)
+	}{
+		{
+			name:     "destination address",
+			metadata: testMetadata("www.example.com"),
+			buildOuter: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationAddressItem(t, rule, nil, []string{"example.com"})
+			},
+			buildInner: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationAddressItem(t, rule, nil, []string{"google.com"})
+			},
+		},
+		{
+			name:     "source address",
+			metadata: testMetadata("www.example.com"),
+			buildOuter: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addSourceAddressItem(t, rule, []string{"10.0.0.0/8"})
+			},
+			buildInner: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addSourceAddressItem(t, rule, []string{"198.51.100.0/24"})
+			},
+		},
+		{
+			name:     "source port",
+			metadata: testMetadata("www.example.com"),
+			buildOuter: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addSourcePortItem(rule, []uint16{1000})
+			},
+			buildInner: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addSourcePortItem(rule, []uint16{2000})
+			},
+		},
+		{
+			name:     "destination port",
+			metadata: testMetadata("www.example.com"),
+			buildOuter: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationPortItem(rule, []uint16{443})
+			},
+			buildInner: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationPortItem(rule, []uint16{8443})
+			},
+		},
+		{
+			name: "destination ip cidr",
+			metadata: func() adapter.InboundContext {
+				metadata := testMetadata("lookup.example")
+				metadata.DestinationAddresses = []netip.Addr{netip.MustParseAddr("203.0.113.1")}
+				return metadata
+			}(),
+			buildOuter: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
+			},
+			buildInner: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationIPCIDRItem(t, rule, []string{"198.51.100.0/24"})
+			},
+		},
+	}
+	for _, testCase := range testCases {
+		testCase := testCase
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+			ruleSet := newLocalRuleSetForTest("outer-merge-"+testCase.name, headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+				testCase.buildInner(t, rule)
+			}))
+			rule := routeRuleForTest(func(rule *abstractDefaultRule) {
+				testCase.buildOuter(t, rule)
+				addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+			})
+			require.True(t, rule.Match(&testCase.metadata))
+		})
+	}
+}
+
 func TestRouteRuleSetOtherFieldsStayAnd(t *testing.T) {
 	t.Parallel()
 	metadata := testMetadata("www.example.com")
@@ -162,6 +251,34 @@ func TestRouteRuleSetOtherFieldsStayAnd(t *testing.T) {
 	require.False(t, rule.Match(&metadata))
 }
 
+func TestRouteRuleSetMergedBranchKeepsAndConstraints(t *testing.T) {
+	t.Parallel()
+	t.Run("outer group does not bypass inner non grouped condition", func(t *testing.T) {
+		t.Parallel()
+		metadata := testMetadata("www.example.com")
+		ruleSet := newLocalRuleSetForTest("network-and", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+			addOtherItem(rule, NewNetworkItem([]string{N.NetworkUDP}))
+		}))
+		rule := routeRuleForTest(func(rule *abstractDefaultRule) {
+			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+		require.False(t, rule.Match(&metadata))
+	})
+	t.Run("outer group does not satisfy different grouped branch", func(t *testing.T) {
+		t.Parallel()
+		metadata := testMetadata("www.example.com")
+		ruleSet := newLocalRuleSetForTest("different-group", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+			addDestinationAddressItem(t, rule, nil, []string{"google.com"})
+		}))
+		rule := routeRuleForTest(func(rule *abstractDefaultRule) {
+			addSourcePortItem(rule, []uint16{1000})
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+		require.False(t, rule.Match(&metadata))
+	})
+}
+
 func TestRouteRuleSetOrSemantics(t *testing.T) {
 	t.Parallel()
 	t.Run("later ruleset can satisfy outer group", func(t *testing.T) {
@@ -271,6 +388,68 @@ func TestRouteRuleSetLogicalSemantics(t *testing.T) {
 	})
 }
 
+func TestRouteRuleSetInvertMergedBranchSemantics(t *testing.T) {
+	t.Parallel()
+	t.Run("default invert keeps inherited group outside grouped predicate", func(t *testing.T) {
+		t.Parallel()
+		metadata := testMetadata("www.example.com")
+		ruleSet := newLocalRuleSetForTest("invert-grouped", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+			rule.invert = true
+			addDestinationAddressItem(t, rule, nil, []string{"google.com"})
+		}))
+		rule := routeRuleForTest(func(rule *abstractDefaultRule) {
+			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+		require.True(t, rule.Match(&metadata))
+	})
+	t.Run("default invert keeps inherited group after negation succeeds", func(t *testing.T) {
+		t.Parallel()
+		metadata := testMetadata("www.example.com")
+		ruleSet := newLocalRuleSetForTest("invert-network", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+			rule.invert = true
+			addOtherItem(rule, NewNetworkItem([]string{N.NetworkUDP}))
+		}))
+		rule := routeRuleForTest(func(rule *abstractDefaultRule) {
+			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+		require.True(t, rule.Match(&metadata))
+	})
+	t.Run("logical invert keeps inherited group outside grouped predicate", func(t *testing.T) {
+		t.Parallel()
+		metadata := testMetadata("www.example.com")
+		ruleSet := newLocalRuleSetForTest("logical-invert-grouped", headlessLogicalRule(
+			C.LogicalTypeOr,
+			true,
+			headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+				addDestinationAddressItem(t, rule, nil, []string{"google.com"})
+			}),
+		))
+		rule := routeRuleForTest(func(rule *abstractDefaultRule) {
+			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+		require.True(t, rule.Match(&metadata))
+	})
+	t.Run("logical invert keeps inherited group after negation succeeds", func(t *testing.T) {
+		t.Parallel()
+		metadata := testMetadata("www.example.com")
+		ruleSet := newLocalRuleSetForTest("logical-invert-network", headlessLogicalRule(
+			C.LogicalTypeOr,
+			true,
+			headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+				addOtherItem(rule, NewNetworkItem([]string{N.NetworkUDP}))
+			}),
+		))
+		rule := routeRuleForTest(func(rule *abstractDefaultRule) {
+			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+		require.True(t, rule.Match(&metadata))
+	})
+}
+
 func TestRouteRuleSetNoLeakageRegressions(t *testing.T) {
 	t.Parallel()
 	t.Run("same ruleset failed branch does not leak", func(t *testing.T) {
@@ -339,6 +518,59 @@ func TestRouteRuleSetRemoteUsesSameSemantics(t *testing.T) {
 
 func TestDNSRuleSetSemantics(t *testing.T) {
 	t.Parallel()
+	t.Run("outer destination group merges into matching ruleset branch", func(t *testing.T) {
+		t.Parallel()
+		metadata := testMetadata("www.baidu.com")
+		ruleSet := newLocalRuleSetForTest("dns-merged-branch", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+			addDestinationAddressItem(t, rule, nil, []string{"google.com"})
+		}))
+		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+			addDestinationAddressItem(t, rule, nil, []string{"baidu.com"})
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+		require.True(t, rule.Match(&metadata))
+	})
+	t.Run("outer destination group does not bypass ruleset non grouped condition", func(t *testing.T) {
+		t.Parallel()
+		metadata := testMetadata("www.example.com")
+		ruleSet := newLocalRuleSetForTest("dns-network-and", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+			addOtherItem(rule, NewNetworkItem([]string{N.NetworkUDP}))
+		}))
+		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+		require.False(t, rule.Match(&metadata))
+	})
+	t.Run("outer destination group stays outside inverted grouped branch", func(t *testing.T) {
+		t.Parallel()
+		metadata := testMetadata("www.baidu.com")
+		ruleSet := newLocalRuleSetForTest("dns-invert-grouped", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+			rule.invert = true
+			addDestinationAddressItem(t, rule, nil, []string{"google.com"})
+		}))
+		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+			addDestinationAddressItem(t, rule, nil, []string{"baidu.com"})
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+		require.True(t, rule.Match(&metadata))
+	})
+	t.Run("outer destination group stays outside inverted logical branch", func(t *testing.T) {
+		t.Parallel()
+		metadata := testMetadata("www.example.com")
+		ruleSet := newLocalRuleSetForTest("dns-logical-invert-network", headlessLogicalRule(
+			C.LogicalTypeOr,
+			true,
+			headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+				addOtherItem(rule, NewNetworkItem([]string{N.NetworkUDP}))
+			}),
+		))
+		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+			addDestinationAddressItem(t, rule, nil, []string{"example.com"})
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+		require.True(t, rule.Match(&metadata))
+	})
 	t.Run("match address limit merges destination group", func(t *testing.T) {
 		t.Parallel()
 		metadata := testMetadata("www.example.com")

transport/wireguard/endpoint.go

@@ -229,12 +229,13 @@ func (e *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 }
 
 func (e *Endpoint) Close() error {
-	if e.device != nil {
-		e.device.Close()
-	}
 	if e.pauseCallback != nil {
 		e.pause.UnregisterCallback(e.pauseCallback)
 	}
+	if e.device != nil {
+		e.device.Down()
+		e.device.Close()
+	}
 	return nil
 }