Update documentation

Update dependencies
Update UoT protocol
2026-04-12 01:57:18 +10:00 · 2023-03-17 13:07:22 +08:00 · 2023-03-17 12:59:12 +08:00 · 2023-03-17 12:57:48 +08:00 · 2023-03-16 11:28:54 +08:00 · 2023-03-16 11:28:54 +08:00
144 changed files with 2939 additions and 1223 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@
 /bin/
 /dist/
 /sing-box
+/sing-box.exe
 /build/
 /*.jar
 /*.aar
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -10,7 +10,7 @@ builds:
    gcflags:
      - all=-trimpath={{.Env.GOPATH}}
    ldflags:
-      - -s -w -buildid=
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
    tags:
      - with_gvisor
      - with_quic
@@ -43,7 +43,7 @@ builds:
    gcflags:
      - all=-trimpath={{.Env.GOPATH}}
    ldflags:
-      - -s -w -buildid=
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
    tags:
      - with_gvisor
      - with_quic
--- a/3
+++ b/3
@@ -8,9 +8,10 @@ ENV CGO_ENABLED=0
 RUN set -ex \
    && apk add git build-base \
    && export COMMIT=$(git rev-parse --short HEAD) \
+    && export VERSION=$(go run ./cmd/internal/read_tag) \
    && go build -v -trimpath -tags with_quic,with_wireguard,with_acme \
        -o /go/bin/sing-box \
-        -ldflags "-s -w -buildid=" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
        ./cmd/sing-box
 FROM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
--- a/10
+++ b/10
@@ -2,8 +2,14 @@ NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
 TAGS ?= with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr
-PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-s -w -buildid="
+
+GOHOSTOS = $(shell go env GOHOSTOS)
+GOHOSTARCH = $(shell go env GOHOSTARCH)
+VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run ./cmd/internal/read_tag)
+
+PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$(VERSION)\" -s -w -buildid="
 MAIN = ./cmd/sing-box
+PREFIX ?= $(shell go env GOPATH)

 .PHONY: test release

@@ -11,7 +17,7 @@ build:
 	go build $(PARAMS) $(MAIN)

 install:
-	go install $(PARAMS) $(MAIN)
+	go build -o $(PREFIX)/bin/$(NAME) $(PARAMS) $(MAIN)

 fmt:
 	@gofumpt -l -w .
--- a/box.go
+++ b/box.go
@@ -11,6 +11,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental"
+	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/inbound"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
@@ -36,7 +37,7 @@ type Box struct {
 	done        chan struct{}
 }

-func New(ctx context.Context, options option.Options) (*Box, error) {
+func New(ctx context.Context, options option.Options, platformInterface platform.Interface) (*Box, error) {
 	createdAt := time.Now()
 	logOptions := common.PtrValueOrDefault(options.Log)

@@ -61,7 +62,7 @@ func New(ctx context.Context, options option.Options) (*Box, error) {
 	} else {
 		switch logOptions.Output {
 		case "":
-			if options.PlatformInterface != nil {
+			if platformInterface != nil {
 				logWriter = io.Discard
 			} else {
 				logWriter = os.Stdout
@@ -86,10 +87,10 @@ func New(ctx context.Context, options option.Options) (*Box, error) {
 			TimestampFormat:  "-0700 2006-01-02 15:04:05",
 		}
 		if needClashAPI {
-			observableLogFactory = log.NewObservableFactory(logFormatter, logWriter, options.PlatformInterface)
+			observableLogFactory = log.NewObservableFactory(logFormatter, logWriter, platformInterface)
 			logFactory = observableLogFactory
 		} else {
-			logFactory = log.NewFactory(logFormatter, logWriter, options.PlatformInterface)
+			logFactory = log.NewFactory(logFormatter, logWriter, platformInterface)
 		}
 		if logOptions.Level != "" {
 			logLevel, err := log.ParseLevel(logOptions.Level)
@@ -109,7 +110,7 @@ func New(ctx context.Context, options option.Options) (*Box, error) {
 		common.PtrValueOrDefault(options.DNS),
 		common.PtrValueOrDefault(options.NTP),
 		options.Inbounds,
-		options.PlatformInterface,
+		platformInterface,
 	)
 	if err != nil {
 		return nil, E.Cause(err, "parse route options")
@@ -129,7 +130,7 @@ func New(ctx context.Context, options option.Options) (*Box, error) {
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
 			inboundOptions,
-			options.PlatformInterface,
+			platformInterface,
 		)
 		if err != nil {
 			return nil, E.Cause(err, "parse inbound[", i, "]")
@@ -212,6 +213,18 @@ func (s *Box) Start() error {
 }

 func (s *Box) start() error {
+	if s.clashServer != nil {
+		err := s.clashServer.Start()
+		if err != nil {
+			return E.Cause(err, "start clash api server")
+		}
+	}
+	if s.v2rayServer != nil {
+		err := s.v2rayServer.Start()
+		if err != nil {
+			return E.Cause(err, "start v2ray api server")
+		}
+	}
 	for i, out := range s.outbounds {
 		if starter, isStarter := out.(common.Starter); isStarter {
 			err := starter.Start()
@@ -242,18 +255,7 @@ func (s *Box) start() error {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
-	if s.clashServer != nil {
-		err = s.clashServer.Start()
-		if err != nil {
-			return E.Cause(err, "start clash api server")
-		}
-	}
-	if s.v2rayServer != nil {
-		err = s.v2rayServer.Start()
-		if err != nil {
-			return E.Cause(err, "start v2ray api server")
-		}
-	}
+
 	s.logger.Info("sing-box started (", F.Seconds(time.Since(s.createdAt).Seconds()), "s)")
 	return nil
 }
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -6,7 +6,7 @@ import (
 	"os/exec"
 	"path/filepath"

-	_ "github.com/sagernet/gomobile/asset"
+	_ "github.com/sagernet/gomobile/event/key"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common/rw"
@@ -35,6 +35,23 @@ func main() {
 	}
 }

+var (
+	sharedFlags []string
+	debugFlags  []string
+)
+
+func init() {
+	sharedFlags = append(sharedFlags, "-trimpath")
+	sharedFlags = append(sharedFlags, "-ldflags")
+
+	currentTag, err := build_shared.ReadTag()
+	if err != nil {
+		currentTag = "unknown"
+	}
+	sharedFlags = append(sharedFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
+	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
+}
+
 func buildAndroid() {
 	build_shared.FindSDK()

@@ -46,14 +63,17 @@ func buildAndroid() {
 		"-libname=box",
 	}
 	if !debugEnabled {
-		args = append(args,
-			"-trimpath", "-ldflags=-s -w -buildid=",
-			"-tags", "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api",
-		)
+		args = append(args, sharedFlags...)
 	} else {
-		args = append(args, "-tags", "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api,debug")
+		args = append(args, debugFlags...)
 	}

+	args = append(args, "-tags")
+	if !debugEnabled {
+		args = append(args, "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api")
+	} else {
+		args = append(args, "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api,debug")
+	}
 	args = append(args, "./experimental/libbox")

 	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
@@ -84,13 +104,17 @@ func buildiOS() {
 		"-libname=box",
 	}
 	if !debugEnabled {
-		args = append(args,
-			"-trimpath", "-ldflags=-s -w -buildid=",
-		)
+		args = append(args, sharedFlags...)
 	} else {
-		args = append(args, "-tags", "debug")
+		args = append(args, debugFlags...)
 	}

+	args = append(args, "-tags")
+	if !debugEnabled {
+		args = append(args, "with_gvisor,with_quic,with_utls,with_clash_api,with_low_memory,with_conntrack")
+	} else {
+		args = append(args, "with_gvisor,with_quic,with_utls,with_clash_api,with_low_memory,with_conntrack,debug")
+	}
 	args = append(args, "./experimental/libbox")

 	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
@@ -101,7 +125,7 @@ func buildiOS() {
 		log.Fatal(err)
 	}

-	copyPath := filepath.Join("..", "sfi")
+	copyPath := filepath.Join("..", "sing-box-for-ios")
 	if rw.FileExists(copyPath) {
 		targetDir := filepath.Join(copyPath, "Libbox.xcframework")
 		targetDir, _ = filepath.Abs(targetDir)
--- a/cmd/internal/build_shared/tag.go
+++ b/cmd/internal/build_shared/tag.go
@@ -0,0 +1,16 @@
+package build_shared
+
+import "github.com/sagernet/sing/common/shell"
+
+func ReadTag() (string, error) {
+	currentTag, err := shell.Exec("git", "describe", "--tags").ReadOutput()
+	if err != nil {
+		return currentTag, err
+	}
+	currentTagRev, _ := shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput()
+	if currentTagRev == currentTag {
+		return currentTag[1:], nil
+	}
+	shortCommit, _ := shell.Exec("git", "rev-parse", "--short", "HEAD").ReadOutput()
+	return currentTagRev[1:] + "-" + shortCommit, nil
+}
--- a/cmd/internal/read_tag/main.go
+++ b/cmd/internal/read_tag/main.go
@@ -0,0 +1,21 @@
+package main
+
+import (
+	"os"
+
+	"github.com/sagernet/sing-box/cmd/internal/build_shared"
+	"github.com/sagernet/sing-box/log"
+)
+
+func main() {
+	currentTag, err := build_shared.ReadTag()
+	if err != nil {
+		log.Error(err)
+		_, err = os.Stdout.WriteString("unknown\n")
+	} else {
+		_, err = os.Stdout.WriteString(currentTag + "\n")
+	}
+	if err != nil {
+		log.Error(err)
+	}
+}
--- a/cmd/sing-box/cmd_check.go
+++ b/cmd/sing-box/cmd_check.go
@@ -31,7 +31,10 @@ func check() error {
 		return err
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	_, err = box.New(ctx, options)
+	instance, err := box.New(ctx, options, nil)
+	if err == nil {
+		instance.Close()
+	}
 	cancel()
 	return err
 }
--- a/cmd/sing-box/cmd_generate.go
+++ b/cmd/sing-box/cmd_generate.go
@@ -0,0 +1,139 @@
+package main
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/hex"
+	"os"
+	"strconv"
+
+	"github.com/sagernet/sing-box/log"
+
+	"github.com/gofrs/uuid"
+	"github.com/spf13/cobra"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+var commandGenerate = &cobra.Command{
+	Use:   "generate",
+	Short: "Generate things",
+}
+
+func init() {
+	commandGenerate.AddCommand(commandGenerateUUID)
+	commandGenerate.AddCommand(commandGenerateRandom)
+	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
+	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
+	mainCommand.AddCommand(commandGenerate)
+}
+
+var (
+	outputBase64 bool
+	outputHex    bool
+)
+
+var commandGenerateRandom = &cobra.Command{
+	Use:   "rand <length>",
+	Short: "Generate random bytes",
+	Args:  cobra.ExactArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateRandom(args)
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandGenerateRandom.Flags().BoolVar(&outputBase64, "base64", false, "Generate base64 string")
+	commandGenerateRandom.Flags().BoolVar(&outputHex, "hex", false, "Generate hex string")
+}
+
+func generateRandom(args []string) error {
+	length, err := strconv.Atoi(args[0])
+	if err != nil {
+		return err
+	}
+
+	randomBytes := make([]byte, length)
+	_, err = rand.Read(randomBytes)
+	if err != nil {
+		return err
+	}
+
+	if outputBase64 {
+		_, err = os.Stdout.WriteString(base64.StdEncoding.EncodeToString(randomBytes) + "\n")
+	} else if outputHex {
+		_, err = os.Stdout.WriteString(hex.EncodeToString(randomBytes) + "\n")
+	} else {
+		_, err = os.Stdout.Write(randomBytes)
+	}
+
+	return err
+}
+
+var commandGenerateUUID = &cobra.Command{
+	Use:   "uuid",
+	Short: "Generate UUID string",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateUUID()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func generateUUID() error {
+	newUUID, err := uuid.NewV4()
+	if err != nil {
+		return err
+	}
+	_, err = os.Stdout.WriteString(newUUID.String() + "\n")
+	return err
+}
+
+var commandGenerateWireGuardKeyPair = &cobra.Command{
+	Use:   "wg-keypair",
+	Short: "Generate WireGuard key pair",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateWireGuardKey()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func generateWireGuardKey() error {
+	privateKey, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return err
+	}
+	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
+	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
+	return nil
+}
+
+var commandGenerateRealityKeyPair = &cobra.Command{
+	Use:   "reality-keypair",
+	Short: "Generate reality key pair",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateRealityKey()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func generateRealityKey() error {
+	privateKey, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return err
+	}
+	publicKey := privateKey.PublicKey()
+	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
+	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
+	return nil
+}
--- a/cmd/sing-box/cmd_run.go
+++ b/cmd/sing-box/cmd_run.go
@@ -64,7 +64,7 @@ func create() (*box.Box, context.CancelFunc, error) {
 		options.Log.DisableColor = true
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	instance, err := box.New(ctx, options)
+	instance, err := box.New(ctx, options, nil)
 	if err != nil {
 		cancel()
 		return nil, nil, E.Cause(err, "create service")
--- a/cmd/sing-box/debug.go
+++ b/cmd/sing-box/debug.go
@@ -25,9 +25,9 @@ func init() {
 		runtime.ReadMemStats(&memStats)

 		var memObject badjson.JSONObject
-		memObject.Put("heap", humanize.Bytes(memStats.HeapInuse))
-		memObject.Put("stack", humanize.Bytes(memStats.StackInuse))
-		memObject.Put("idle", humanize.Bytes(memStats.HeapIdle-memStats.HeapReleased))
+		memObject.Put("heap", humanize.IBytes(memStats.HeapInuse))
+		memObject.Put("stack", humanize.IBytes(memStats.StackInuse))
+		memObject.Put("idle", humanize.IBytes(memStats.HeapIdle-memStats.HeapReleased))
 		memObject.Put("goroutines", runtime.NumGoroutine())
 		memObject.Put("rss", rusageMaxRSS())

--- a/cmd/sing-box/main.go
+++ b/cmd/sing-box/main.go
@@ -2,6 +2,7 @@ package main

 import (
 	"os"
+	"time"

 	_ "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
@@ -33,6 +34,9 @@ func main() {
 }

 func preRun(cmd *cobra.Command, args []string) {
+	if disableColor {
+		log.SetStdLogger(log.NewFactory(log.Formatter{BaseTime: time.Now(), DisableColors: true}, os.Stderr, nil).Logger())
+	}
 	if workingDir != "" {
 		if err := os.Chdir(workingDir); err != nil {
 			log.Fatal(err)
--- a/common/dialer/conntrack/conn.go
+++ b/common/dialer/conntrack/conn.go
@@ -0,0 +1,54 @@
+package conntrack
+
+import (
+	"io"
+	"net"
+
+	"github.com/sagernet/sing/common/x/list"
+)
+
+type Conn struct {
+	net.Conn
+	element *list.Element[io.Closer]
+}
+
+func NewConn(conn net.Conn) (*Conn, error) {
+	connAccess.Lock()
+	element := openConnection.PushBack(conn)
+	connAccess.Unlock()
+	if KillerEnabled {
+		err := killerCheck()
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+	}
+	return &Conn{
+		Conn:    conn,
+		element: element,
+	}, nil
+}
+
+func (c *Conn) Close() error {
+	if c.element.Value != nil {
+		connAccess.Lock()
+		if c.element.Value != nil {
+			openConnection.Remove(c.element)
+			c.element.Value = nil
+		}
+		connAccess.Unlock()
+	}
+	return c.Conn.Close()
+}
+
+func (c *Conn) Upstream() any {
+	return c.Conn
+}
+
+func (c *Conn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *Conn) WriterReplaceable() bool {
+	return true
+}
--- a/common/dialer/conntrack/killer.go
+++ b/common/dialer/conntrack/killer.go
@@ -0,0 +1,38 @@
+package conntrack
+
+import (
+	"runtime"
+	runtimeDebug "runtime/debug"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+var (
+	KillerEnabled   bool
+	MemoryLimit     int64
+	killerLastCheck time.Time
+)
+
+func killerCheck() error {
+	if !KillerEnabled {
+		return nil
+	}
+	nowTime := time.Now()
+	if nowTime.Sub(killerLastCheck) < 3*time.Second {
+		return nil
+	}
+	killerLastCheck = nowTime
+	var memStats runtime.MemStats
+	runtime.ReadMemStats(&memStats)
+	inuseMemory := int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
+	if inuseMemory > MemoryLimit {
+		Close()
+		go func() {
+			time.Sleep(time.Second)
+			runtimeDebug.FreeOSMemory()
+		}()
+		return E.New("out of memory")
+	}
+	return nil
+}
--- a/common/dialer/conntrack/packet_conn.go
+++ b/common/dialer/conntrack/packet_conn.go
@@ -0,0 +1,54 @@
+package conntrack
+
+import (
+	"io"
+	"net"
+
+	"github.com/sagernet/sing/common/x/list"
+)
+
+type PacketConn struct {
+	net.PacketConn
+	element *list.Element[io.Closer]
+}
+
+func NewPacketConn(conn net.PacketConn) (*PacketConn, error) {
+	connAccess.Lock()
+	element := openConnection.PushBack(conn)
+	connAccess.Unlock()
+	if KillerEnabled {
+		err := killerCheck()
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+	}
+	return &PacketConn{
+		PacketConn: conn,
+		element:    element,
+	}, nil
+}
+
+func (c *PacketConn) Close() error {
+	if c.element.Value != nil {
+		connAccess.Lock()
+		if c.element.Value != nil {
+			openConnection.Remove(c.element)
+			c.element.Value = nil
+		}
+		connAccess.Unlock()
+	}
+	return c.PacketConn.Close()
+}
+
+func (c *PacketConn) Upstream() any {
+	return c.PacketConn
+}
+
+func (c *PacketConn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *PacketConn) WriterReplaceable() bool {
+	return true
+}
--- a/common/dialer/conntrack/track.go
+++ b/common/dialer/conntrack/track.go
@@ -0,0 +1,38 @@
+package conntrack
+
+import (
+	"io"
+	"sync"
+
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/x/list"
+)
+
+var (
+	connAccess     sync.RWMutex
+	openConnection list.List[io.Closer]
+)
+
+func Count() int {
+	return openConnection.Len()
+}
+
+func List() []io.Closer {
+	connAccess.RLock()
+	defer connAccess.RUnlock()
+	connList := make([]io.Closer, 0, openConnection.Len())
+	for element := openConnection.Front(); element != nil; element = element.Next() {
+		connList = append(connList, element.Value)
+	}
+	return connList
+}
+
+func Close() {
+	connAccess.Lock()
+	defer connAccess.Unlock()
+	for element := openConnection.Front(); element != nil; element = element.Next() {
+		common.Close(element.Value)
+		element.Value = nil
+	}
+	openConnection.Init()
+}
--- a/common/dialer/conntrack/track_disable.go
+++ b/common/dialer/conntrack/track_disable.go
@@ -0,0 +1,5 @@
+//go:build !with_conntrack
+
+package conntrack
+
+const Enabled = false
--- a/common/dialer/conntrack/track_enable.go
+++ b/common/dialer/conntrack/track_enable.go
@@ -0,0 +1,5 @@
+//go:build with_conntrack
+
+package conntrack
+
+const Enabled = true
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -6,6 +6,7 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 	"github.com/sagernet/sing-box/common/warning"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
@@ -159,16 +160,30 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 		}
 	}
 	if !address.IsIPv6() {
-		return DialSlowContext(&d.dialer4, ctx, network, address)
+		return trackConn(DialSlowContext(&d.dialer4, ctx, network, address))
 	} else {
-		return DialSlowContext(&d.dialer6, ctx, network, address)
+		return trackConn(DialSlowContext(&d.dialer6, ctx, network, address))
 	}
 }

 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if !destination.IsIPv6() {
-		return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4)
+		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
 	} else {
-		return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6)
+		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
 	}
 }
+
+func trackConn(conn net.Conn, err error) (net.Conn, error) {
+	if !conntrack.Enabled || err != nil {
+		return conn, err
+	}
+	return conntrack.NewConn(conn)
+}
+
+func trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
+	if !conntrack.Enabled || err != nil {
+		return conn, err
+	}
+	return conntrack.NewPacketConn(conn)
+}
--- a/common/proxyproto/listener.go
+++ b/common/proxyproto/listener.go
@@ -24,13 +24,13 @@ func (l *Listener) Accept() (net.Conn, error) {
 	bufReader := std_bufio.NewReader(conn)
 	header, err := proxyproto.Read(bufReader)
 	if err != nil && !(l.AcceptNoHeader && err == proxyproto.ErrNoProxyProtocol) {
-		return nil, err
+		return nil, &Error{err}
 	}
 	if bufReader.Buffered() > 0 {
 		cache := buf.NewSize(bufReader.Buffered())
 		_, err = cache.ReadFullFrom(bufReader, cache.FreeLen())
 		if err != nil {
-			return nil, err
+			return nil, &Error{err}
 		}
 		conn = bufio.NewCachedConn(conn, cache)
 	}
@@ -42,3 +42,21 @@ func (l *Listener) Accept() (net.Conn, error) {
 	}
 	return conn, nil
 }
+
+var _ net.Error = (*Error)(nil)
+
+type Error struct {
+	error
+}
+
+func (e *Error) Unwrap() error {
+	return e.error
+}
+
+func (e *Error) Timeout() bool {
+	return false
+}
+
+func (e *Error) Temporary() bool {
+	return true
+}
--- a/common/settings/proxy_android.go
+++ b/common/settings/proxy_android.go
@@ -6,8 +6,8 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/common/shell"
 )

 var (
@@ -26,9 +26,9 @@ func init() {

 func runAndroidShell(name string, args ...string) error {
 	if !useRish {
-		return common.Exec(name, args...).Attach().Run()
+		return shell.Exec(name, args...).Attach().Run()
 	} else {
-		return common.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return shell.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	}
 }

--- a/common/settings/proxy_darwin.go
+++ b/common/settings/proxy_darwin.go
@@ -6,9 +6,9 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
 )

@@ -34,13 +34,13 @@ func (p *systemProxy) update(event int) error {
 		return err
 	}
 	if p.isMixed {
-		err = common.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	if err == nil {
-		err = common.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	if err == nil {
-		err = common.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	return err
 }
@@ -51,19 +51,19 @@ func (p *systemProxy) unset() error {
 		return err
 	}
 	if p.isMixed {
-		err = common.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
+		err = shell.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
-		err = common.Exec("networksetup", "-setwebproxystate", interfaceDisplayName, "off").Attach().Run()
+		err = shell.Exec("networksetup", "-setwebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
-		err = common.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
+		err = shell.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	return err
 }

 func getInterfaceDisplayName(name string) (string, error) {
-	content, err := common.Exec("networksetup", "-listallhardwareports").Read()
+	content, err := shell.Exec("networksetup", "-listallhardwareports").ReadOutput()
 	if err != nil {
 		return "", err
 	}
--- a/common/settings/proxy_linux.go
+++ b/common/settings/proxy_linux.go
@@ -11,6 +11,7 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/common/shell"
 )

 var (
@@ -27,9 +28,9 @@ func init() {

 func runAsUser(name string, args ...string) error {
 	if os.Getuid() != 0 {
-		return common.Exec(name, args...).Attach().Run()
+		return shell.Exec(name, args...).Attach().Run()
 	} else if sudoUser != "" {
-		return common.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return shell.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	} else {
 		return E.New("set system proxy: unable to set as root")
 	}
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -2,16 +2,15 @@ package tls

 import (
 	"context"
-	"crypto/tls"
 	"net"
 	"os"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/badtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	aTLS "github.com/sagernet/sing/common/tls"
 )

 func NewDialerFromOptions(router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
@@ -43,22 +42,7 @@ func NewClient(router adapter.Router, serverAddress string, options option.Outbo
 func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
 	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
 	defer cancel()
-	tlsConn, err := config.Client(conn)
-	if err != nil {
-		return nil, err
-	}
-	err = tlsConn.HandshakeContext(ctx)
-	if err != nil {
-		return nil, err
-	}
-	if stdConn, isSTD := tlsConn.(*tls.Conn); isSTD {
-		var badConn badtls.TLSConn
-		badConn, err = badtls.Create(stdConn)
-		if err == nil {
-			return badConn, nil
-		}
-	}
-	return tlsConn, nil
+	return aTLS.ClientHandshake(ctx, conn, config)
 }

 type Dialer struct {
--- a/common/tls/config.go
+++ b/common/tls/config.go
@@ -1,51 +1,25 @@
 package tls

 import (
-	"context"
 	"crypto/tls"
-	"net"

-	"github.com/sagernet/sing-box/adapter"
 	E "github.com/sagernet/sing/common/exceptions"
+	aTLS "github.com/sagernet/sing/common/tls"
 )

 type (
+	Config                 = aTLS.Config
+	ConfigCompat           = aTLS.ConfigCompat
+	ServerConfig           = aTLS.ServerConfig
+	ServerConfigCompat     = aTLS.ServerConfigCompat
+	WithSessionIDGenerator = aTLS.WithSessionIDGenerator
+	Conn                   = aTLS.Conn
+
 	STDConfig       = tls.Config
 	STDConn         = tls.Conn
 	ConnectionState = tls.ConnectionState
 )

-type Config interface {
-	ServerName() string
-	SetServerName(serverName string)
-	NextProtos() []string
-	SetNextProtos(nextProto []string)
-	Config() (*STDConfig, error)
-	Client(conn net.Conn) (Conn, error)
-	Clone() Config
-}
-
-type ConfigWithSessionIDGenerator interface {
-	SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error)
-}
-
-type ServerConfig interface {
-	Config
-	adapter.Service
-	Server(conn net.Conn) (Conn, error)
-}
-
-type ServerConfigCompat interface {
-	ServerConfig
-	ServerHandshake(ctx context.Context, conn net.Conn) (Conn, error)
-}
-
-type Conn interface {
-	net.Conn
-	HandshakeContext(ctx context.Context) error
-	ConnectionState() ConnectionState
-}
-
 func ParseTLSVersion(version string) (uint16, error) {
 	switch version {
 	case "1.0":
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@@ -4,19 +4,25 @@ package tls

 import (
 	"bytes"
+	"context"
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/ed25519"
 	"crypto/hmac"
 	"crypto/sha256"
 	"crypto/sha512"
+	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/binary"
 	"encoding/hex"
 	"fmt"
+	"io"
+	mRand "math/rand"
 	"net"
+	"net/http"
 	"reflect"
+	"strings"
 	"time"
 	"unsafe"

@@ -24,17 +30,19 @@ import (
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
+	aTLS "github.com/sagernet/sing/common/tls"
 	utls "github.com/sagernet/utls"

 	"golang.org/x/crypto/hkdf"
+	"golang.org/x/net/http2"
 )

-var _ Config = (*RealityClientConfig)(nil)
+var _ ConfigCompat = (*RealityClientConfig)(nil)

 type RealityClientConfig struct {
 	uClient   *UTLSClientConfig
 	publicKey []byte
-	shortID   []byte
+	shortID   [8]byte
 }

 func NewRealityClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
@@ -54,11 +62,12 @@ func NewRealityClient(router adapter.Router, serverAddress string, options optio
 	if len(publicKey) != 32 {
 		return nil, E.New("invalid public_key")
 	}
-	shortID, err := hex.DecodeString(options.Reality.ShortID)
+	var shortID [8]byte
+	decodedLen, err := hex.Decode(shortID[:], []byte(options.Reality.ShortID))
 	if err != nil {
 		return nil, E.Cause(err, "decode short_id")
 	}
-	if len(shortID) != 8 {
+	if decodedLen > 8 {
 		return nil, E.New("invalid short_id")
 	}
 	return &RealityClientConfig{uClient, publicKey, shortID}, nil
@@ -85,6 +94,10 @@ func (e *RealityClientConfig) Config() (*STDConfig, error) {
 }

 func (e *RealityClientConfig) Client(conn net.Conn) (Conn, error) {
+	return ClientHandshake(context.Background(), conn, e)
+}
+
+func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
 	verifier := &realityVerifier{
 		serverName: e.uClient.ServerName(),
 	}
@@ -113,7 +126,7 @@ func (e *RealityClientConfig) Client(conn net.Conn) (Conn, error) {
 	hello.SessionId[0] = 1
 	hello.SessionId[1] = 7
 	hello.SessionId[2] = 5
-	copy(hello.SessionId[8:], e.shortID)
+	copy(hello.SessionId[8:], e.shortID[:])

 	if debug.Enabled {
 		fmt.Printf("REALITY hello.sessionId[:16]: %v\n", hello.SessionId[:16])
@@ -137,9 +150,43 @@ func (e *RealityClientConfig) Client(conn net.Conn) (Conn, error) {
 		fmt.Printf("REALITY uConn.AuthKey: %v\n", authKey)
 	}

+	err = uConn.HandshakeContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	if debug.Enabled {
+		fmt.Printf("REALITY Conn.Verified: %v\n", verifier.verified)
+	}
+
+	if !verifier.verified {
+		go realityClientFallback(uConn, e.uClient.ServerName(), e.uClient.id)
+		return nil, E.New("reality verification failed")
+	}
+
 	return &utlsConnWrapper{uConn}, nil
 }

+func realityClientFallback(uConn net.Conn, serverName string, fingerprint utls.ClientHelloID) {
+	defer uConn.Close()
+	client := &http.Client{
+		Transport: &http2.Transport{
+			DialTLSContext: func(ctx context.Context, network, addr string, config *tls.Config) (net.Conn, error) {
+				return uConn, nil
+			},
+		},
+	}
+	request, _ := http.NewRequest("GET", "https://"+serverName, nil)
+	request.Header.Set("User-Agent", fingerprint.Client)
+	request.AddCookie(&http.Cookie{Name: "padding", Value: strings.Repeat("0", mRand.Intn(32)+30)})
+	response, err := client.Do(request)
+	if err != nil {
+		return
+	}
+	_, _ = io.Copy(io.Discard, response.Body)
+	response.Body.Close()
+}
+
 func (e *RealityClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
 	e.uClient.config.SessionIDGenerator = generator
 }
@@ -180,8 +227,5 @@ func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChain
 	if _, err := certs[0].Verify(opts); err != nil {
 		return err
 	}
-	if !c.verified {
-		return E.New("reality verification failed")
-	}
 	return nil
 }
--- a/common/tls/reality_server.go
+++ b/common/tls/reality_server.go
@@ -8,9 +8,9 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"net"
-	"os"
 	"time"

+	"github.com/sagernet/reality"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/log"
@@ -19,8 +19,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-
-	"github.com/nekohasekai/reality"
 )

 var _ ServerConfigCompat = (*RealityServerConfig)(nil)
@@ -91,16 +89,16 @@ func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Log
 	tlsConfig.MaxTimeDiff = time.Duration(options.Reality.MaxTimeDifference)

 	tlsConfig.ShortIds = make(map[[8]byte]bool)
-	for i, shortID := range options.Reality.ShortID {
-		var shortIDBytesArray [8]byte
-		decodedLen, err := hex.Decode(shortIDBytesArray[:], []byte(shortID))
+	for i, shortIDString := range options.Reality.ShortID {
+		var shortID [8]byte
+		decodedLen, err := hex.Decode(shortID[:], []byte(shortIDString))
 		if err != nil {
-			return nil, E.Cause(err, "decode short_id[", i, "]: ", shortID)
+			return nil, E.Cause(err, "decode short_id[", i, "]: ", shortIDString)
 		}
-		if decodedLen != 8 {
-			return nil, E.New("invalid short_id[", i, "]: ", shortID)
+		if decodedLen > 8 {
+			return nil, E.New("invalid short_id[", i, "]: ", shortIDString)
 		}
-		tlsConfig.ShortIds[shortIDBytesArray] = true
+		tlsConfig.ShortIds[shortID] = true
 	}

 	handshakeDialer := dialer.New(router, options.Reality.Handshake.DialerOptions)
@@ -136,7 +134,7 @@ func (c *RealityServerConfig) Config() (*tls.Config, error) {
 }

 func (c *RealityServerConfig) Client(conn net.Conn) (Conn, error) {
-	return nil, os.ErrInvalid
+	return ClientHandshake(context.Background(), conn, c)
 }

 func (c *RealityServerConfig) Start() error {
@@ -148,7 +146,7 @@ func (c *RealityServerConfig) Close() error {
 }

 func (c *RealityServerConfig) Server(conn net.Conn) (Conn, error) {
-	return nil, os.ErrInvalid
+	return ServerHandshake(context.Background(), conn, c)
 }

 func (c *RealityServerConfig) ServerHandshake(ctx context.Context, conn net.Conn) (Conn, error) {
--- a/common/tls/server.go
+++ b/common/tls/server.go
@@ -2,14 +2,13 @@ package tls

 import (
 	"context"
-	"crypto/tls"
 	"net"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/badtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	aTLS "github.com/sagernet/sing/common/tls"
 )

 func NewServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
@@ -26,23 +25,5 @@ func NewServer(ctx context.Context, router adapter.Router, logger log.Logger, op
 func ServerHandshake(ctx context.Context, conn net.Conn, config ServerConfig) (Conn, error) {
 	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
 	defer cancel()
-	if compatServer, isCompat := config.(ServerConfigCompat); isCompat {
-		return compatServer.ServerHandshake(ctx, conn)
-	}
-	tlsConn, err := config.Server(conn)
-	if err != nil {
-		return nil, err
-	}
-	err = tlsConn.HandshakeContext(ctx)
-	if err != nil {
-		return nil, err
-	}
-	if stdConn, isSTD := tlsConn.(*tls.Conn); isSTD {
-		var badConn badtls.TLSConn
-		badConn, err = badtls.Create(stdConn)
-		if err == nil {
-			return badConn, nil
-		}
-	}
-	return tlsConn, nil
+	return aTLS.ServerHandshake(ctx, conn, config)
 }
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -5,6 +5,7 @@ package tls
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"math/rand"
 	"net"
 	"net/netip"
 	"os"
@@ -13,6 +14,8 @@ import (
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	utls "github.com/sagernet/utls"
+
+	"golang.org/x/net/http2"
 )

 type UTLSClientConfig struct {
@@ -33,6 +36,9 @@ func (e *UTLSClientConfig) NextProtos() []string {
 }

 func (e *UTLSClientConfig) SetNextProtos(nextProto []string) {
+	if len(nextProto) == 1 && nextProto[0] == http2.NextProtoTLS {
+		nextProto = append(nextProto, "http/1.1")
+	}
 	e.config.NextProtos = nextProto
 }

@@ -159,6 +165,29 @@ func NewUTLSClient(router adapter.Router, serverAddress string, options option.O
 	return &UTLSClientConfig{&tlsConfig, id}, nil
 }

+var (
+	randomFingerprint     utls.ClientHelloID
+	randomizedFingerprint utls.ClientHelloID
+)
+
+func init() {
+	modernFingerprints := []utls.ClientHelloID{
+		utls.HelloChrome_Auto,
+		utls.HelloFirefox_Auto,
+		utls.HelloEdge_Auto,
+		utls.HelloSafari_Auto,
+		utls.HelloIOS_Auto,
+	}
+	randomFingerprint = modernFingerprints[rand.Intn(len(modernFingerprints))]
+
+	weights := utls.DefaultWeights
+	weights.TLSVersMax_Set_VersionTLS13 = 1
+	weights.FirstKeyShare_Set_CurveP256 = 0
+	randomizedFingerprint = utls.HelloRandomized
+	randomizedFingerprint.Seed, _ = utls.NewPRNGSeed()
+	randomizedFingerprint.Weights = &weights
+}
+
 func uTLSClientHelloID(name string) (utls.ClientHelloID, error) {
 	switch name {
 	case "chrome", "":
@@ -178,7 +207,9 @@ func uTLSClientHelloID(name string) (utls.ClientHelloID, error) {
 	case "android":
 		return utls.HelloAndroid_11_OkHttp, nil
 	case "random":
-		return utls.HelloRandomized, nil
+		return randomFingerprint, nil
+	case "randomized":
+		return randomizedFingerprint, nil
 	default:
 		return utls.ClientHelloID{}, E.New("unknown uTLS fingerprint: ", name)
 	}
--- a/constant/version.go
+++ b/constant/version.go
@@ -1,3 +1,3 @@
 package constant

-var Version = "1.2-beta5"
+var Version = "unknown"
--- a/docs/assets/icon.svg
+++ b/docs/assets/icon.svg
@@ -0,0 +1,37 @@
+<svg width="1027" height="1109" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" overflow="hidden">
+  <defs>
+    <filter id="fx0" x="-10%" y="-10%" width="120%" height="120%" filterUnits="userSpaceOnUse" primitiveUnits="userSpaceOnUse">
+      <feComponentTransfer color-interpolation-filters="sRGB">
+        <feFuncR type="discrete" tableValues="0 0" />
+          <feFuncG type="discrete" tableValues="0 0" />
+          <feFuncB type="discrete" tableValues="0 0" />
+          <feFuncA type="linear" slope="0.4" intercept="0" />
+      </feComponentTransfer>
+        <feGaussianBlur stdDeviation="4.58333 4.58333" />
+    </filter>
+      <clipPath id="clip1">
+      <rect x="692" y="855" width="1027" height="1109" />
+    </clipPath>
+      <clipPath id="clip2">
+      <rect x="-2" y="-2" width="541" height="786" />
+    </clipPath>
+      <clipPath id="clip3">
+      <rect x="0" y="0" width="535" height="782" />
+    </clipPath>
+  </defs>
+    <g clip-path="url(#clip1)" transform="translate(-692 -855)">
+    <path d="M692 1191 692 1575.69C692 1640.41 731.499 1651.19 731.499 1651.19L1148.03 1931.62C1212.66 1974.77 1194.71 1881.29 1194.71 1881.29L1194.71 1528.96 692 1191Z" fill="#37474F" fill-rule="evenodd" />
+        <g clip-path="url(#clip2)" filter="url(#fx0)" transform="translate(1184 1182)">
+      <g clip-path="url(#clip3)">
+        <path d="M520.482 15.4819 520.482 400.176C520.482 464.89 480.983 475.676 480.983 475.676 480.983 475.676 129.086 712.963 64.4523 756.106-0.181814 799.25 17.7721 705.773 17.7721 705.773L17.7721 353.437 520.482 15.4819Z" fill="#455A64" fill-rule="evenodd" />
+      </g>
+    </g>
+        <path d="M1698 1191 1698 1575.69C1698 1640.41 1658.5 1651.19 1658.5 1651.19 1658.5 1651.19 1306.6 1888.48 1241.97 1931.62 1177.34 1974.77 1195.29 1881.29 1195.29 1881.29L1195.29 1528.96 1698 1191Z" fill="#455A64" fill-rule="evenodd" />
+        <path d="M1241.71 868.473C1212.96 850.509 1169.85 850.509 1144.7 868.473L713.557 1163.07C684.814 1181.04 684.814 1213.37 713.557 1231.33L1144.7 1529.53C1173.44 1547.49 1216.56 1547.49 1241.71 1529.53L1676.44 1227.74C1705.19 1209.78 1705.19 1177.44 1676.44 1159.48L1241.71 868.473Z" fill="#546E7A" fill-rule="evenodd" />
+        <path d="M1195 1949C1173.4 1949 1159 1935.19 1159 1917.92L1159 1531.08C1159 1513.82 1173.4 1500 1195 1500 1216.6 1500 1231 1513.82 1231 1531.08L1231 1914.46C1231 1935.19 1216.6 1949 1195 1949Z" fill="#546E7A" fill-rule="evenodd" />
+        <path d="M1553.92 1435.92C1553.92 1471.89 1557.5 1486.27 1518.03 1511.45L1428.32 1568.99C1388.85 1594.17 1374.5 1572.59 1374.5 1540.22L1374.5 1446.71C1374.5 1439.52 1374.5 1435.92 1363.73 1428.73 1270.43 1363.99 911.591 1115.84 847 1069.09L1012.07 954C1058.72 982.772 1399.61 1209.35 1539.56 1306.45 1546.74 1310.05 1550.33 1317.24 1550.33 1320.84L1550.33 1435.92Z" fill="#99AAB5" fill-rule="evenodd" />
+        <path d="M1543.41 1310.21C1399.82 1213.17 1058.79 986.752 1015.72 958L951.103 997.534 847 1069.41C911.615 1116.14 1270.59 1360.53 1363.92 1425.22 1371.1 1428.81 1371.1 1432.41 1371.1 1436L1547 1313.8C1547 1313.8 1547 1310.21 1543.41 1310.21Z" fill="#CCD6DD" fill-rule="evenodd" />
+        <path d="M1554.9 1435.48 1554.9 1324.19C1554.9 1317.01 1551.3 1313.42 1544.11 1309.83 1400.28 1212.89 1058.67 986.721 1015.51 958L940 1008.26C1062.26 1090.83 1389.49 1306.24 1475.79 1367.27 1486.58 1374.45 1486.58 1381.63 1486.58 1385.22L1486.58 1536 1522.54 1510.87C1558.5 1485.74 1554.9 1467.79 1554.9 1435.48Z" fill="#CCD6DD" fill-rule="evenodd" />
+        <path d="M1543.23 1309.95C1399.6 1212.98 1058.49 986.731 1015.4 958L940 1008.28C1062.08 1090.88 1388.83 1306.36 1475.01 1367.41 1475.01 1367.41 1478.6 1371 1478.6 1371L1554 1317.13C1546.82 1313.54 1546.82 1309.95 1543.23 1309.95Z" fill="#E1E8ED" fill-rule="evenodd" />
+  </g>
+</svg>
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,3 +1,33 @@
+#### 1.2-beta9
+
+* Introducing the [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
+* Add health check support for http-based v2ray transports
+* Remove length limit on short_id for reality TLS config
+* Fix bugs and update dependencies
+
+#### 1.2-beta8
+
+* Update reality and uTLS libraries
+* Fix `auto_detect_interface` incorrectly identifying the default interface on Windows
+
+#### 1.2-beta7
+
+* Fix the compatibility issue between VLESS's vision sub-protocol and the Xray-core client
+* Improve the stability of the VMESS server
+
+#### 1.2-beta6
+
+* Introducing our [new iOS client application](/installation/clients/sfi)
+* Add [platform options](/configuration/inbound/tun#platform) for tun inbound
+* Add custom TLS server support for http based v2ray transports
+* Add generate commands
+* Enable XUDP by default in VLESS
+* Update reality server
+* Update vision protocol
+* Fixed [user flow in vless server](/configuration/inbound/vless#usersflow)
+* Bug fixes
+* Update dependencies
+
 #### 1.2-beta5

 * Add [VLESS server](/configuration/inbound/vless) and [vision](/configuration/outbound/vless#flow) support
@@ -92,7 +122,7 @@ Important changes since 1.0:
 * Add VLESS outbound and XUDP
 * Skip wait for hysteria tcp handshake response
 * Add v2ray mux support for all inbound
-* Add XUDP support for VMess 
+* Add XUDP support for VMess
 * Improve websocket writer
 * Refine tproxy write back
 * Fix DNS leak caused by
--- a/docs/configuration/inbound/shadowsocks.md
+++ b/docs/configuration/inbound/shadowsocks.md
@@ -77,11 +77,11 @@ Both if empty.

 ==Required==

-| Method        | Password Format                     |
-|---------------|-------------------------------------|
-| none          | /                                   |
-| 2022 methods  | `openssl rand -base64 <Key Length>` |
-| other methods | any string                          |
+| Method        | Password Format                                |
+|---------------|------------------------------------------------|
+| none          | /                                              |
+| 2022 methods  | `sing-box generate rand --base64 <Key Length>` |
+| other methods | any string                                     |

 ### Listen Fields

--- a/docs/configuration/inbound/shadowsocks.zh.md
+++ b/docs/configuration/inbound/shadowsocks.zh.md
@@ -77,8 +77,8 @@ See [Listen Fields](/configuration/shared/listen) for details.

 ==必填==

-| 方法            | 密码格式                          |
-|---------------|-------------------------------|
-| none          | /                             |
-| 2022 methods  | `openssl rand -base64 <密钥长度>` |
-| other methods | 任意字符串                         |
+| 方法            | 密码格式                                     |
+|---------------|------------------------------------------|
+| none          | /                                        |
+| 2022 methods  | `sing-box generate rand --base64 <密钥长度>` |
+| other methods | 任意字符串                                    |
--- a/docs/configuration/inbound/shadowtls.md
+++ b/docs/configuration/inbound/shadowtls.md
@@ -68,7 +68,7 @@ Only available in the ShadowTLS protocol 3.

 Handshake server address and [Dial options](/configuration/shared/dial).

-#### handshake
+#### handshake_for_server_name

 Handshake server address and [Dial options](/configuration/shared/dial) for specific server name.

--- a/docs/configuration/inbound/shadowtls.zh.md
+++ b/docs/configuration/inbound/shadowtls.zh.md
@@ -67,7 +67,7 @@ ShadowTLS 用户。

 握手服务器地址和 [拨号参数](/zh/configuration/shared/dial/)。

-#### handshake
+#### handshake_for_server_name

 ==必填==

--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -46,8 +46,15 @@
  "exclude_package": [
    "com.android.captiveportallogin"
  ],
-  ...
-  // Listen Fields
+  "platform": {
+    "http_proxy": {
+      "enabled": false,
+      "server": "127.0.0.1",
+      "server_port": 8080
+    }
+  },
+  
+  ... // Listen Fields
 }
 ```

@@ -187,6 +194,14 @@ Limit android packages in route.

 Exclude android packages in route.

+#### platform
+
+Platform-specific settings, provided by client applications.
+
+#### platform.http_proxy
+
+System HTTP proxy settings.
+
 ### Listen Fields

 See [Listen Fields](/configuration/shared/listen) for details.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -46,8 +46,15 @@
  "exclude_package": [
    "com.android.captiveportallogin"
  ],
-  ...
-  // 监听字段
+  "platform": {
+    "http_proxy": {
+      "enabled": false,
+      "server": "127.0.0.1",
+      "server_port": 8080
+    }
+  },
+  
+  ... // 监听字段
 }
 ```

@@ -148,19 +155,19 @@ TCP/IP 栈。

    UID 规则仅在 Linux 下被支持，并且需要 `auto_route`。

-限制被路由的的用户。默认不限制。
+限制被路由的用户。默认不限制。

 #### include_uid_range

-限制被路由的的用户范围。
+限制被路由的用户范围。

 #### exclude_uid

-排除路由的的用户。
+排除路由的用户。

 #### exclude_uid_range

-排除路由的的用户范围。
+排除路由的用户范围。

 #### include_android_user

@@ -183,6 +190,14 @@ TCP/IP 栈。

 排除路由的 Android 应用包名。

+#### platform
+
+平台特定的设置，由客户端应用提供。
+
+#### platform.http_proxy
+
+系统 HTTP 代理设置。
+
 ### 监听字段

 参阅 [监听字段](/zh/configuration/shared/listen/)。
--- a/docs/configuration/inbound/vless.md
+++ b/docs/configuration/inbound/vless.md
@@ -10,7 +10,8 @@
  "users": [
    {
      "name": "sekai",
-      "uuid": "bf000d23-0752-40b4-affe-68f7707a9661"
+      "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
+      "flow": ""
    }
  ],
  "tls": {},
@@ -30,6 +31,20 @@ See [Listen Fields](/configuration/shared/listen) for details.

 VLESS users.

+#### users.uuid
+
+==Required==
+
+VLESS user id.
+
+#### users.flow
+
+VLESS Sub-protocol.
+
+Available values:
+
+* `xtls-rprx-vision`
+
 #### tls

 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
--- a/docs/configuration/inbound/vless.zh.md
+++ b/docs/configuration/inbound/vless.zh.md
@@ -10,7 +10,8 @@
  "users": [
    {
      "name": "sekai",
-      "uuid": "bf000d23-0752-40b4-affe-68f7707a9661"
+      "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
+      "flow": ""
    }
  ],
  "tls": {},
@@ -30,6 +31,20 @@

 VLESS 用户。

+#### users.uuid
+
+==必填==
+
+VLESS 用户 ID。
+
+#### users.flow
+
+VLESS 子协议。
+
+可用值：
+
+* `xtls-rprx-vision`
+
 #### tls

 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
--- a/docs/configuration/outbound/shadowsocks.md
+++ b/docs/configuration/outbound/shadowsocks.md
@@ -12,7 +12,7 @@
  "plugin": "",
  "plugin_opts": "",
  "network": "udp",
-  "udp_over_tcp": false,
+  "udp_over_tcp": false | {},
  "multiplex": {},

  ... // Dial Fields
@@ -87,7 +87,9 @@ Both is enabled by default.

 #### udp_over_tcp

-Enable the UDP over TCP protocol.
+UDP over TCP configuration.
+
+See [UDP Over TCP](/configuration/shared/udp-over-tcp) for details.

 Conflict with `multiplex`.

--- a/docs/configuration/outbound/shadowsocks.zh.md
+++ b/docs/configuration/outbound/shadowsocks.zh.md
@@ -12,7 +12,7 @@
  "plugin": "",
  "plugin_opts": "",
  "network": "udp",
-  "udp_over_tcp": false,
+  "udp_over_tcp": false | {},
  "multiplex": {},

  ... // 拨号字段
@@ -87,7 +87,9 @@ Shadowsocks SIP003 插件参数。

 #### udp_over_tcp

-启用 UDP over TCP 协议。
+UDP over TCP 配置。
+
+参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp)。

 与 `multiplex` 冲突。

--- a/docs/configuration/outbound/socks.md
+++ b/docs/configuration/outbound/socks.md
@@ -13,7 +13,7 @@
  "username": "sekai",
  "password": "admin",
  "network": "udp",
-  "udp_over_tcp": false,
+  "udp_over_tcp": false | {},

  ... // Dial Fields
 }
@@ -57,7 +57,9 @@ Both is enabled by default.

 #### udp_over_tcp

-Enable the UDP over TCP protocol.
+UDP over TCP protocol settings.
+
+See [UDP Over TCP](/configuration/shared/udp-over-tcp) for details.

 ### Dial Fields

--- a/docs/configuration/outbound/socks.zh.md
+++ b/docs/configuration/outbound/socks.zh.md
@@ -13,7 +13,7 @@
  "username": "sekai",
  "password": "admin",
  "network": "udp",
-  "udp_over_tcp": false,
+  "udp_over_tcp": false | {},

  ... // 拨号字段
 }
@@ -57,7 +57,9 @@ SOCKS5 密码。

 #### udp_over_tcp

-启用 UDP over TCP 协议。
+UDP over TCP 配置。
+
+参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp)。

 ### 拨号字段

--- a/docs/configuration/outbound/vless.md
+++ b/docs/configuration/outbound/vless.md
@@ -36,7 +36,7 @@ The server port.

 ==Required==

-The VLESS user id.
+VLESS user id.

 #### flow

@@ -60,6 +60,8 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

 #### packet_encoding

+UDP packet encoding, xudp is used by default.
+
 | Encoding   | Description           |
 |------------|-----------------------|
 | (none)     | Disabled              |
--- a/docs/configuration/outbound/vless.zh.md
+++ b/docs/configuration/outbound/vless.zh.md
@@ -60,6 +60,8 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 #### packet_encoding

+UDP 包编码，默认使用 xudp。
+
 | 编码         | 描述            |
 |------------|---------------|
 | (空)        | 禁用            |
--- a/docs/configuration/outbound/vmess.md
+++ b/docs/configuration/outbound/vmess.md
@@ -50,7 +50,7 @@ Encryption methods:
 * `none`
 * `zero`
 * `aes-128-gcm`
-* `chancha20-poly1305`
+* `chacha20-poly1305`

 Legacy encryption methods:

@@ -86,6 +86,8 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

 #### packet_encoding

+UDP packet encoding.
+
 | Encoding   | Description           |
 |------------|-----------------------|
 | (none)     | Disabled              |
--- a/docs/configuration/outbound/vmess.zh.md
+++ b/docs/configuration/outbound/vmess.zh.md
@@ -50,7 +50,7 @@ VMess 用户 ID。
 * `none`
 * `zero`
 * `aes-128-gcm`
-* `chancha20-poly1305`
+* `chacha20-poly1305`

 旧加密方法：

@@ -86,6 +86,8 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 #### packet_encoding

+UDP 包编码。
+
 | 编码         | 描述            |
 |------------|---------------|
 | (空)        | 禁用            |
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@@ -218,6 +218,7 @@ Available fingerprint values:
 * ios
 * android
 * random
+* randomized

 Chrome fingerprint will be used if empty.

@@ -318,7 +319,7 @@ Handshake server address and [Dial options](/configuration/shared/dial).

 ==Required==

-Private key, generated by `./xray x25519`.
+Private key, generated by `sing-box generate reality-keypair`.

 #### public_key

@@ -326,13 +327,13 @@ Private key, generated by `./xray x25519`.

 ==Required==

-Public key, generated by `./xray x25519`.
+Public key, generated by `sing-box generate reality-keypair`.

 #### short_id

 ==Required==

-A 8-bit hex string.
+A hexadecimal string with zero to eight digits.

 #### max_time_difference

--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -218,6 +218,7 @@ uTLS 是 "crypto/tls" 的一个分支，它提供了 ClientHello 指纹识别阻
 * ios
 * android
 * random
+* randomized

 默认使用 chrome 指纹。

@@ -314,7 +315,7 @@ MAC 密钥。

 ==必填==

-私钥，由 `./xray x25519` 生成。
+私钥，由 `sing-box generate reality-keypair` 生成。

 #### public_key

@@ -322,13 +323,13 @@ MAC 密钥。

 ==必填==

-公钥，由 `./xray x25519` 生成。
+公钥，由 `sing-box generate reality-keypair` 生成。

 #### short_id

 ==必填==

-一个八位十六进制的字符串。
+一个零到八位的十六进制字符串。

 #### max_time_difference

--- a/docs/configuration/shared/udp-over-tcp.md
+++ b/docs/configuration/shared/udp-over-tcp.md
@@ -0,0 +1,81 @@
+# UDP over TCP
+
+!!! warning ""
+
+    It's a proprietary protocol created by SagerNet, not part of shadowsocks.
+
+The UDP over TCP protocol is used to transmit UDP packets in TCP.
+
+### Structure
+
+```json
+{
+  "enabled": true,
+  "version": 2
+}
+```
+
+!!! info ""
+
+    The structure can be replaced with a boolean value when the version is not specified.
+
+### Fields
+
+#### enabled
+
+Enable the UDP over TCP protocol.
+
+#### version
+
+The protocol version, `1` or `2`.
+
+2 is used by default.
+
+### Application support
+
+| Project      | UoT v1               | UoT v2     |
+|--------------|----------------------|------------|
+| sing-box     | v0 (2022/08/11)      | v1.2-beta9 |
+| Xray-core    | v1.5.7 (2022/06/05)  | /          |
+| Clash.Meta   | v1.12.0 (2022/07/02) | /          |
+| Shadowrocket | v2.2.12 (2022/08/13) | /          |
+
+### Protocol details
+
+#### Protocol version 1
+
+The client requests the magic address to the upper layer proxy protocol to indicate the request: `sp.udp-over-tcp.arpa`
+
+#### Stream format
+
+| ATYP | address  | port  | length | data     |
+|------|----------|-------|--------|----------|
+| u8   | variable | u16be | u16be  | variable |
+
+**ATYP / address / port**: Uses the SOCKS address format.
+
+#### Protocol version 2
+
+Protocol version 2 uses a new magic address: `sp.v2.udp-over-tcp.arpa`
+
+##### Request format
+
+| isConnect | ATYP | address  | port  |
+|-----------|------|----------|-------|
+| u8        | u8   | variable | u16be |
+
+**version**: Fixed to 2.
+
+**isConnect**: Set to 1 to indicates that the stream uses the connect format, 0 to disable.
+
+**ATYP / address / port**: Request destination, uses the SOCKS address format.
+
+##### Connect stream format
+
+| length | data     |
+|--------|----------|
+| u16be  | variable |
+
+##### Non-connect stream format
+
+As the same as the stream format in protocol version 1.
--- a/docs/configuration/shared/v2ray-transport.md
+++ b/docs/configuration/shared/v2ray-transport.md
@@ -34,7 +34,9 @@ Available transports:
  "host": [],
  "path": "",
  "method": "",
-  "headers": {}
+  "headers": {},
+  "idle_timeout": "15s",
+  "ping_timeout": "15s"
 }
 ```

@@ -66,6 +68,24 @@ Extra headers of HTTP request.

 The server will write in response if not empty.

+#### idle_timeout
+
+In HTTP2 server:
+
+Specifies the time until idle clients should be closed with a GOAWAY frame. PING frames are not considered as activity.
+
+In HTTP2 client:
+
+Specifies the period of time after which a health check will be performed using a ping frame if no frames have been received on the connection. Please note that a ping response is considered a received frame, so if there is no other traffic on the connection, the health check will be executed every interval. If the value is zero, no health check will be performed.
+
+Zero is used by default.
+
+#### ping_timeout
+
+In HTTP2 client:
+
+Specifies the timeout duration after sending a PING frame, within which a response must be received. If a response to the PING frame is not received within the specified timeout duration, the connection will be closed. The default timeout duration is 15 seconds.
+
 ### WebSocket

 ```json
@@ -126,10 +146,41 @@ It needs to be consistent with the server.
 ```json
 {
  "type": "grpc",
-  "service_name": "TunService"
+  "service_name": "TunService",
+  "idle_timeout": "15s",
+  "ping_timeout": "15s",
+  "permit_without_stream": false
 }
 ```

 #### service_name

-Service name of gRPC.
+Service name of gRPC.
+
+#### idle_timeout
+
+In standard gRPC server/client:
+
+If the transport doesn't see any activity after a duration of this time, it pings the client to check if the connection is still active.
+
+In default gRPC server/client:
+
+It has the same behavior as the corresponding setting in HTTP transport.
+
+#### ping_timeout
+
+In standard gRPC server/client:
+
+The timeout that after performing a keepalive check, the client will wait for activity. If no activity is detected, the connection will be closed.
+
+In default gRPC server/client:
+
+It has the same behavior as the corresponding setting in HTTP transport.
+
+#### permit_without_stream
+
+In standard gRPC client:
+
+If enabled, the client transport sends keepalive pings even with no active connections. If disabled, when there are no active connections, `idle_timeout` and `ping_timeout` will be ignored and no keepalive pings will be sent.
+
+Disabled by default.
--- a/docs/configuration/shared/v2ray-transport.zh.md
+++ b/docs/configuration/shared/v2ray-transport.zh.md
@@ -33,7 +33,9 @@ V2Ray Transport 是 v2ray 发明的一组私有协议，并污染了其他协议
  "host": [],
  "path": "",
  "method": "",
-  "headers": {}
+  "headers": {},
+  "idle_timeout": "15s",
+  "ping_timeout": "15s"
 }
 ```

@@ -65,6 +67,24 @@ HTTP 请求的额外标头

 默认服务器将写入响应。

+#### idle_timeout
+
+在 HTTP2 服务器中：
+
+指定闲置客户端应在多长时间内使用 GOAWAY 帧关闭。PING 帧不被视为活动。
+
+在 HTTP2 客户端中：
+
+如果连接上没有收到任何帧，指定一段时间后将使用 PING 帧执行健康检查。需要注意的是，PING 响应被视为已接收的帧，因此如果连接上没有其他流量，则健康检查将在每个间隔执行一次。如果值为零，则不会执行健康检查。
+
+默认使用零。
+
+#### ping_timeout
+
+在 HTTP2 客户端中：
+
+指定发送 PING 帧后，在指定的超时时间内必须接收到响应。如果在指定的超时时间内没有收到 PING 帧的响应，则连接将关闭。默认超时持续时间为 15 秒。
+
 ### WebSocket

 ```json
@@ -125,10 +145,41 @@ HTTP 请求的额外标头。
 ```json
 {
  "type": "grpc",
-  "service_name": "TunService"
+  "service_name": "TunService",
+  "idle_timeout": "15s",
+  "ping_timeout": "15s",
+  "permit_without_stream": false
 }
 ```

 #### service_name

-gRPC 服务名称。
+gRPC 服务名称。
+
+#### idle_timeout
+
+在标准 gRPC 服务器/客户端：
+
+如果传输在此时间段后没有看到任何活动，它会向客户端发送 ping 请求以检查连接是否仍然活动。
+
+在默认 gRPC 服务器/客户端：
+
+它的行为与 HTTP 传输层中的相应设置相同。
+
+#### ping_timeout
+
+在标准 gRPC 服务器/客户端：
+
+经过一段时间之后，客户端将执行 keepalive 检查并等待活动。如果没有检测到任何活动，则会关闭连接。
+
+在默认 gRPC 服务器/客户端：
+
+它的行为与 HTTP 传输层中的相应设置相同。
+
+#### permit_without_stream
+
+在标准 gRPC 客户端：
+
+如果启用，客户端传输即使没有活动连接也会发送 keepalive ping。如果禁用，则在没有活动连接时，将忽略 `idle_timeout` 和 `ping_timeout`，并且不会发送 keepalive ping。
+
+默认禁用。
--- a/docs/examples/shadowsocks.md
+++ b/docs/examples/shadowsocks.md
@@ -1,5 +1,9 @@
 # Shadowsocks

+!!! warning ""
+
+    For censorship bypass usage in China, we recommend using UDP over TCP and disabling UDP on the server.
+
 ## Single User

 #### Server
@@ -11,6 +15,7 @@
      "type": "shadowsocks",
      "listen": "::",
      "listen_port": 8080,
+      "network": "tcp",
      "method": "2022-blake3-aes-128-gcm",
      "password": "8JCsPssfgS8tiRwiMlhARg=="
    }
@@ -35,7 +40,8 @@
      "server": "127.0.0.1",
      "server_port": 8080,
      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
+      "password": "8JCsPssfgS8tiRwiMlhARg==",
+      "udp_over_tcp": true
    }
  ]
 }
--- a/docs/examples/shadowtls.md
+++ b/docs/examples/shadowtls.md
@@ -24,6 +24,7 @@
      "type": "shadowsocks",
      "tag": "shadowsocks-in",
      "listen": "127.0.0.1",
+      "network": "tcp",
      "method": "2022-blake3-aes-128-gcm",
      "password": "8JCsPssfgS8tiRwiMlhARg=="
    }
@@ -46,6 +47,7 @@
        "max_connections": 4,
        "min_streams": 4
      }
+      // or "udp_over_tcp": true
    },
    {
      "type": "shadowtls",
@@ -53,7 +55,7 @@
      "server": "127.0.0.1",
      "server_port": 4443,
      "version": 3,
-      "password": "fuck me till the daylight",
+      "password": "8JCsPssfgS8tiRwiMlhARg==",
      "tls": {
        "enabled": true,
        "server_name": "google.com",
--- a/docs/index.md
+++ b/docs/index.md
@@ -8,45 +8,6 @@ Welcome to the wiki page for the sing-box project.

 The universal proxy platform.

-## Installation
-
-sing-box requires Golang **1.18.5** or a higher version.
-
-```bash
-go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
-```
-
-Install with options:
-
-```bash
-go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
-```
-
-| Build Tag                          | Description                                                                                                                                                                                                                                                                                                                     |
-|------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `with_quic`                        | Build with QUIC support, see [QUIC and HTTP3 DNS transports](./configuration/dns/server), [Naive inbound](./configuration/inbound/naive), [Hysteria Inbound](./configuration/inbound/hysteria), [Hysteria Outbound](./configuration/outbound/hysteria) and [V2Ray Transport#QUIC](./configuration/shared/v2ray-transport#quic). |
-| `with_grpc`                        | Build with standard gRPC support, see [V2Ray Transport#gRPC](./configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
-| `with_dhcp`                        | Build with DHCP support, see [DHCP DNS transport](./configuration/dns/server).                                                                                                                                                                                                                                                  |
-| `with_wireguard`                   | Build with WireGuard support, see [WireGuard outbound](./configuration/outbound/wireguard).                                                                                                                                                                                                                                     |
-| `with_shadowsocksr`                | Build with ShadowsocksR support, see [ShadowsocksR outbound](./configuration/outbound/shadowsocksr).                                                                                                                                                                                                                            |
-| `with_ech`                         | Build with TLS ECH extension support for TLS outbound, see [TLS](./configuration/shared/tls#ech).                                                                                                                                                                                                                               |
-| `with_utls`                        | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](./configuration/shared/tls#utls).                                                                                                                                                                                          |
-| `with_acme`                        | Build with ACME TLS certificate issuer support, see [TLS](./configuration/shared/tls).                                                                                                                                                                                                                                          |
-| `with_clash_api`                   | Build with Clash API support, see [Experimental](./configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
-| `with_v2ray_api`                   | Build with V2Ray API support, see [Experimental](./configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
-| `with_gvisor`                      | Build with gVisor support, see [Tun inbound](./configuration/inbound/tun#stack) and [WireGuard outbound](./configuration/outbound/wireguard#system_interface).                                                                                                                                                                  |
-| `with_embedded_tor` (CGO required) | Build with embedded Tor support, see [Tor outbound](./configuration/outbound/tor).                                                                                                                                                                                                                                              |
-| `with_lwip` (CGO required)         | Build with LWIP Tun stack support, see [Tun inbound](./configuration/inbound/tun#stack).                                                                                                                                                                                                                                        |
-
-The binary is built under $GOPATH/bin
-
-```bash
-sing-box version
-```
-
-It is also recommended to use systemd to manage sing-box service,
-see [Linux server installation example](./examples/linux-server-installation).
-
 ## License

 ```
--- a/docs/index.zh.md
+++ b/docs/index.zh.md
@@ -8,45 +8,6 @@ description: 欢迎来到该 sing-box 项目的文档页。

 通用代理平台。

-## 安装
-
-sing-box 需要 Golang **1.18.5** 或更高版本。
-
-```bash
-go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
-```
-
-自定义安装：
-
-```bash
-go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
-```
-
-| 构建标志                         | 描述                                                                                                                                                                                                                                                                           |
-|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `with_quic`                  | 启用 QUIC 支持，参阅 [QUIC 和 HTTP3 DNS 传输层](./configuration/dns/server)，[Naive 入站](./configuration/inbound/naive)，[Hysteria 入站](./configuration/inbound/hysteria)，[Hysteria 出站](./configuration/outbound/hysteria) 和 [V2Ray 传输层#QUIC](./configuration/shared/v2ray-transport#quic)。 |
-| `with_grpc`                  | 启用标准 gRPC 支持，参阅 [V2Ray 传输层#gRPC](./configuration/shared/v2ray-transport#grpc)。                                                                                                                                                                                               |
-| `with_dhcp`                  | 启用 DHCP 支持，参阅 [DHCP DNS 传输层](./configuration/dns/server)。                                                                                                                                                                                                                    |
-| `with_wireguard`             | 启用 WireGuard 支持，参阅 [WireGuard 出站](./configuration/outbound/wireguard)。                                                                                                                                                                                                       |
-| `with_shadowsocksr`          | 启用 ShadowsocksR 支持，参阅 [ShadowsocksR 出站](./configuration/outbound/shadowsocksr)。                                                                                                                                                                                              |
-| `with_ech`                   | 启用 TLS ECH 扩展支持，参阅 [TLS](./configuration/shared/tls#ech)。                                                                                                                                                                                                                    |
-| `with_utls`                  | 启用 uTLS 支持，参阅 [实验性](./configuration/experimental#clash-api-fields)。                                                                                                                                                                                                          |
-| `with_acme`                  | 启用 ACME TLS 证书签发支持，参阅 [TLS](./configuration/shared/tls)。                                                                                                                                                                                                                     |
-| `with_clash_api`             | 启用 Clash API 支持，参阅 [实验性](./configuration/experimental#clash-api-fields)。                                                                                                                                                                                                     |
-| `with_v2ray_api`             | 启用 V2Rat API 支持，参阅 [实验性](./configuration/experimental#v2ray-api-fields)。                                                                                                                                                                                                     |
-| `with_gvisor`                | 启用 gVisor 支持，参阅 [Tun 入站](./configuration/inbound/tun#stack) 和 [WireGuard 出站](./configuration/outbound/wireguard#system_interface)。                                                                                                                                           |
-| `with_embedded_tor` (需要 CGO) | 启用 嵌入式 Tor 支持，参阅 [Tor 出站](./configuration/outbound/tor)。                                                                                                                                                                                                                     |
-| `with_lwip` (需要 CGO)         | 启用 LWIP Tun 栈支持，参阅 [Tun 入站](./configuration/inbound/tun#stack)。                                                                                                                                                                                                              |
-
-二进制文件将被构建在 `$GOPATH/bin` 下。
-
-```bash
-sing-box version
-```
-
-同时推荐使用 systemd 来管理 sing-box 服务器实例。
-参阅 [Linux 服务器安装示例](./examples/linux-server-installation)。
-
 ## 授权

 ```
--- a/docs/installation/clients/sfi/index.md
+++ b/docs/installation/clients/sfi/index.md
@@ -0,0 +1,21 @@
+# SFI
+
+Experimental official iOS client for sing-box.
+
+#### Requirements
+
+* iOS 15.0+
+* macOS 12.0+ with Apple Silicon
+
+#### Download
+
+* [TestFlight](https://testflight.apple.com/join/c6ylui2j)
+
+#### Limit
+
+* `system` tun stack not working
+
+#### Privacy policy
+
+* SFI did not collect or share personal data.
+* The data generated by the software is always on your device.
--- a/docs/installation/clients/sfi/index.zh.md
+++ b/docs/installation/clients/sfi/index.zh.md
@@ -0,0 +1,21 @@
+# SFI
+
+实验性的官方 iOS sing-box 客户端。
+
+#### 要求
+
+* iOS 15.0+
+* macOS 12.0+ with Apple Silicon
+
+#### 下载
+
+* [TestFlight](https://testflight.apple.com/join/c6ylui2j)
+
+#### 限制
+
+* `system` tun stack 不工作
+
+#### 隐私政策
+
+* SFI 不收集或共享个人数据。
+* 软件生成的数据始终在您的设备上。
--- a/docs/installation/from-source.md
+++ b/docs/installation/from-source.md
@@ -0,0 +1,39 @@
+# Install from source
+
+sing-box requires Golang **1.18.5** or a higher version.
+
+```bash
+go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
+```
+
+Install with options:
+
+```bash
+go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
+```
+
+| Build Tag                          | Description                                                                                                                                                                                                                                                                                                                |
+|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `with_quic`                        | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server), [Naive inbound](/configuration/inbound/naive), [Hysteria Inbound](/configuration/inbound/hysteria), [Hysteria Outbound](/configuration/outbound/hysteria) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
+| `with_grpc`                        | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                  |
+| `with_dhcp`                        | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server).                                                                                                                                                                                                                                              |
+| `with_wireguard`                   | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard).                                                                                                                                                                                                                                 |
+| `with_shadowsocksr`                | Build with ShadowsocksR support, see [ShadowsocksR outbound](/configuration/outbound/shadowsocksr).                                                                                                                                                                                                                        |
+| `with_ech`                         | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                           |
+| `with_utls`                        | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                      |
+| `with_reality_server`              | Build with reality TLS server support,  see [TLS](/configuration/shared/tls).                                                                                                                                                                                                                                              |
+| `with_acme`                        | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls).                                                                                                                                                                                                                                      |
+| `with_clash_api`                   | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                            |
+| `with_v2ray_api`                   | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                            |
+| `with_gvisor`                      | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                               |
+| `with_embedded_tor` (CGO required) | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor).                                                                                                                                                                                                                                          |
+| `with_lwip` (CGO required)         | Build with LWIP Tun stack support, see [Tun inbound](/configuration/inbound/tun#stack).                                                                                                                                                                                                                                    |
+
+The binary is built under $GOPATH/bin
+
+```bash
+sing-box version
+```
+
+It is also recommended to use systemd to manage sing-box service,
+see [Linux server installation example](./examples/linux-server-installation).
--- a/docs/installation/from-source.zh.md
+++ b/docs/installation/from-source.zh.md
@@ -0,0 +1,39 @@
+# 从源代码安装
+
+sing-box 需要 Golang **1.18.5** 或更高版本。
+
+```bash
+go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
+```
+
+自定义安装：
+
+```bash
+go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
+```
+
+| 构建标志                         | 描述                                                                                                                                                                                                                                                                      |
+|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `with_quic`                  | 启用 QUIC 支持，参阅 [QUIC 和 HTTP3 DNS 传输层](/configuration/dns/server)，[Naive 入站](/configuration/inbound/naive)，[Hysteria 入站](/configuration/inbound/hysteria)，[Hysteria 出站](/configuration/outbound/hysteria) 和 [V2Ray 传输层#QUIC](/configuration/shared/v2ray-transport#quic)。 |
+| `with_grpc`                  | 启用标准 gRPC 支持，参阅 [V2Ray 传输层#gRPC](/configuration/shared/v2ray-transport#grpc)。                                                                                                                                                                                           |
+| `with_dhcp`                  | 启用 DHCP 支持，参阅 [DHCP DNS 传输层](/configuration/dns/server)。                                                                                                                                                                                                                |
+| `with_wireguard`             | 启用 WireGuard 支持，参阅 [WireGuard 出站](/configuration/outbound/wireguard)。                                                                                                                                                                                                   |
+| `with_shadowsocksr`          | 启用 ShadowsocksR 支持，参阅 [ShadowsocksR 出站](/configuration/outbound/shadowsocksr)。                                                                                                                                                                                          |
+| `with_ech`                   | 启用 TLS ECH 扩展支持，参阅 [TLS](/configuration/shared/tls#ech)。                                                                                                                                                                                                                |
+| `with_utls`                  | 启用 [uTLS](https://github.com/refraction-networking/utls) 支持，参阅 [TLS](/configuration/shared/tls#utls)。                                                                                                                                                                   |
+| `with_reality_server`        | 启用 reality TLS 服务器支持，参阅 [TLS](/configuration/shared/tls)。                                                                                                                                                                                                               |
+| `with_acme`                  | 启用 ACME TLS 证书签发支持，参阅 [TLS](/configuration/shared/tls)。                                                                                                                                                                                                                 |
+| `with_clash_api`             | 启用 Clash API 支持，参阅 [实验性](/configuration/experimental#clash-api-fields)。                                                                                                                                                                                                 |
+| `with_v2ray_api`             | 启用 V2Ray API 支持，参阅 [实验性](/configuration/experimental#v2ray-api-fields)。                                                                                                                                                                                                 |
+| `with_gvisor`                | 启用 gVisor 支持，参阅 [Tun 入站](/configuration/inbound/tun#stack) 和 [WireGuard 出站](/configuration/outbound/wireguard#system_interface)。                                                                                                                                        |
+| `with_embedded_tor` (需要 CGO) | 启用 嵌入式 Tor 支持，参阅 [Tor 出站](/configuration/outbound/tor)。                                                                                                                                                                                                                 |
+| `with_lwip` (需要 CGO)         | 启用 LWIP Tun 栈支持，参阅 [Tun 入站](/configuration/inbound/tun#stack)。                                                                                                                                                                                                          |
+
+二进制文件将被构建在 `$GOPATH/bin` 下。
+
+```bash
+sing-box version
+```
+
+同时推荐使用 systemd 来管理 sing-box 服务器实例。
+参阅 [Linux 服务器安装示例](./examples/linux-server-installation)。
--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -44,6 +44,7 @@ type Server struct {
 	urlTestHistory *urltest.HistoryStorage
 	mode           string
 	storeSelected  bool
+	cacheFilePath  string
 	cacheFile      adapter.ClashCacheFile
 }

@@ -75,11 +76,7 @@ func NewServer(router adapter.Router, logFactory log.ObservableFactory, options
 		} else {
 			cachePath = C.BasePath(cachePath)
 		}
-		cacheFile, err := cachefile.Open(cachePath)
-		if err != nil {
-			return nil, E.Cause(err, "open cache file")
-		}
-		server.cacheFile = cacheFile
+		server.cacheFilePath = cachePath
 	}
 	cors := cors.New(cors.Options{
 		AllowedOrigins: []string{"*"},
@@ -118,6 +115,13 @@ func NewServer(router adapter.Router, logFactory log.ObservableFactory, options
 }

 func (s *Server) Start() error {
+	if s.cacheFilePath != "" {
+		cacheFile, err := cachefile.Open(s.cacheFilePath)
+		if err != nil {
+			return E.Cause(err, "open cache file")
+		}
+		s.cacheFile = cacheFile
+	}
 	listener, err := net.Listen("tcp", s.httpServer.Addr)
 	if err != nil {
 		return E.Cause(err, "external controller listen error")
--- a/experimental/libbox/command.go
+++ b/experimental/libbox/command.go
@@ -0,0 +1,11 @@
+//go:build darwin
+
+package libbox
+
+const (
+	CommandLog int32 = iota
+	CommandStatus
+	CommandServiceStop
+	CommandServiceReload
+	CommandCloseConnections
+)
--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -0,0 +1,75 @@
+//go:build darwin
+
+package libbox
+
+import (
+	"encoding/binary"
+	"net"
+	"path/filepath"
+
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type CommandClient struct {
+	sharedDirectory string
+	handler         CommandClientHandler
+	conn            net.Conn
+	options         CommandClientOptions
+}
+
+type CommandClientOptions struct {
+	Command        int32
+	StatusInterval int64
+}
+
+type CommandClientHandler interface {
+	Connected()
+	Disconnected(message string)
+	WriteLog(message string)
+	WriteStatus(message *StatusMessage)
+}
+
+func NewCommandClient(sharedDirectory string, handler CommandClientHandler, options *CommandClientOptions) *CommandClient {
+	return &CommandClient{
+		sharedDirectory: sharedDirectory,
+		handler:         handler,
+		options:         common.PtrValueOrDefault(options),
+	}
+}
+
+func clientConnect(sharedDirectory string) (net.Conn, error) {
+	return net.DialUnix("unix", nil, &net.UnixAddr{
+		Name: filepath.Join(sharedDirectory, "command.sock"),
+		Net:  "unix",
+	})
+}
+
+func (c *CommandClient) Connect() error {
+	conn, err := clientConnect(c.sharedDirectory)
+	if err != nil {
+		return err
+	}
+	c.conn = conn
+	err = binary.Write(conn, binary.BigEndian, uint8(c.options.Command))
+	if err != nil {
+		return err
+	}
+	switch c.options.Command {
+	case CommandLog:
+		c.handler.Connected()
+		go c.handleLogConn(conn)
+	case CommandStatus:
+		err = binary.Write(conn, binary.BigEndian, c.options.StatusInterval)
+		if err != nil {
+			return E.Cause(err, "write interval")
+		}
+		c.handler.Connected()
+		go c.handleStatusConn(conn)
+	}
+	return nil
+}
+
+func (c *CommandClient) Disconnect() error {
+	return common.Close(c.conn)
+}
--- a/experimental/libbox/command_conntrack.go
+++ b/experimental/libbox/command_conntrack.go
@@ -0,0 +1,30 @@
+//go:build darwin
+
+package libbox
+
+import (
+	"encoding/binary"
+	"net"
+	runtimeDebug "runtime/debug"
+	"time"
+
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
+)
+
+func ClientCloseConnections(sharedDirectory string) error {
+	conn, err := clientConnect(sharedDirectory)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	return binary.Write(conn, binary.BigEndian, uint8(CommandCloseConnections))
+}
+
+func (s *CommandServer) handleCloseConnections(conn net.Conn) error {
+	conntrack.Close()
+	go func() {
+		time.Sleep(time.Second)
+		runtimeDebug.FreeOSMemory()
+	}()
+	return nil
+}
--- a/experimental/libbox/command_log.go
+++ b/experimental/libbox/command_log.go
@@ -0,0 +1,103 @@
+//go:build darwin
+
+package libbox
+
+import (
+	"context"
+	"encoding/binary"
+	"io"
+	"net"
+)
+
+func (s *CommandServer) WriteMessage(message string) {
+	s.subscriber.Emit(message)
+	s.access.Lock()
+	s.savedLines.PushBack(message)
+	if s.savedLines.Len() > 100 {
+		s.savedLines.Remove(s.savedLines.Front())
+	}
+	s.access.Unlock()
+}
+
+func readLog(reader io.Reader) ([]byte, error) {
+	var messageLength uint16
+	err := binary.Read(reader, binary.BigEndian, &messageLength)
+	if err != nil {
+		return nil, err
+	}
+	data := make([]byte, messageLength)
+	_, err = io.ReadFull(reader, data)
+	if err != nil {
+		return nil, err
+	}
+	return data, nil
+}
+
+func writeLog(writer io.Writer, message []byte) error {
+	err := binary.Write(writer, binary.BigEndian, uint16(len(message)))
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write(message)
+	return err
+}
+
+func (s *CommandServer) handleLogConn(conn net.Conn) error {
+	var savedLines []string
+	s.access.Lock()
+	savedLines = make([]string, 0, s.savedLines.Len())
+	for element := s.savedLines.Front(); element != nil; element = element.Next() {
+		savedLines = append(savedLines, element.Value)
+	}
+	s.access.Unlock()
+	subscription, done, err := s.observer.Subscribe()
+	if err != nil {
+		return err
+	}
+	defer s.observer.UnSubscribe(subscription)
+	for _, line := range savedLines {
+		err = writeLog(conn, []byte(line))
+		if err != nil {
+			return err
+		}
+	}
+	ctx := connKeepAlive(conn)
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case message := <-subscription:
+			err = writeLog(conn, []byte(message))
+			if err != nil {
+				return err
+			}
+		case <-done:
+			return nil
+		}
+	}
+}
+
+func (c *CommandClient) handleLogConn(conn net.Conn) {
+	for {
+		message, err := readLog(conn)
+		if err != nil {
+			c.handler.Disconnected(err.Error())
+			return
+		}
+		c.handler.WriteLog(string(message))
+	}
+}
+
+func connKeepAlive(reader io.Reader) context.Context {
+	ctx, cancel := context.WithCancelCause(context.Background())
+	go func() {
+		for {
+			_, err := readLog(reader)
+			if err != nil {
+				cancel(err)
+				return
+			}
+		}
+	}()
+	return ctx
+}
--- a/experimental/libbox/command_reload.go
+++ b/experimental/libbox/command_reload.go
@@ -0,0 +1,48 @@
+//go:build darwin
+
+package libbox
+
+import (
+	"encoding/binary"
+	"net"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/rw"
+)
+
+func ClientServiceReload(sharedDirectory string) error {
+	conn, err := clientConnect(sharedDirectory)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandServiceReload))
+	if err != nil {
+		return err
+	}
+	var hasError bool
+	err = binary.Read(conn, binary.BigEndian, &hasError)
+	if err != nil {
+		return err
+	}
+	if hasError {
+		errorMessage, err := rw.ReadVString(conn)
+		if err != nil {
+			return err
+		}
+		return E.New(errorMessage)
+	}
+	return nil
+}
+
+func (s *CommandServer) handleServiceReload(conn net.Conn) error {
+	rErr := s.handler.ServiceReload()
+	err := binary.Write(conn, binary.BigEndian, rErr != nil)
+	if err != nil {
+		return err
+	}
+	if rErr != nil {
+		return rw.WriteVString(conn, rErr.Error())
+	}
+	return nil
+}
--- a/experimental/libbox/command_server.go
+++ b/experimental/libbox/command_server.go
@@ -0,0 +1,99 @@
+//go:build darwin
+
+package libbox
+
+import (
+	"encoding/binary"
+	"net"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"github.com/sagernet/sing-box/log"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/observable"
+	"github.com/sagernet/sing/common/x/list"
+)
+
+type CommandServer struct {
+	sockPath string
+	listener net.Listener
+	handler  CommandServerHandler
+
+	access     sync.Mutex
+	savedLines *list.List[string]
+	subscriber *observable.Subscriber[string]
+	observer   *observable.Observer[string]
+}
+
+type CommandServerHandler interface {
+	ServiceStop() error
+	ServiceReload() error
+}
+
+func NewCommandServer(sharedDirectory string, handler CommandServerHandler) *CommandServer {
+	server := &CommandServer{
+		sockPath:   filepath.Join(sharedDirectory, "command.sock"),
+		handler:    handler,
+		savedLines: new(list.List[string]),
+		subscriber: observable.NewSubscriber[string](128),
+	}
+	server.observer = observable.NewObserver[string](server.subscriber, 64)
+	return server
+}
+
+func (s *CommandServer) Start() error {
+	os.Remove(s.sockPath)
+	listener, err := net.ListenUnix("unix", &net.UnixAddr{
+		Name: s.sockPath,
+		Net:  "unix",
+	})
+	if err != nil {
+		return err
+	}
+	s.listener = listener
+	go s.loopConnection(listener)
+	return nil
+}
+
+func (s *CommandServer) Close() error {
+	return s.listener.Close()
+}
+
+func (s *CommandServer) loopConnection(listener net.Listener) {
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			return
+		}
+		go func() {
+			hErr := s.handleConnection(conn)
+			if hErr != nil && !E.IsClosed(err) {
+				log.Warn("log-server: process connection: ", hErr)
+			}
+		}()
+	}
+}
+
+func (s *CommandServer) handleConnection(conn net.Conn) error {
+	defer conn.Close()
+	var command uint8
+	err := binary.Read(conn, binary.BigEndian, &command)
+	if err != nil {
+		return E.Cause(err, "read command")
+	}
+	switch int32(command) {
+	case CommandLog:
+		return s.handleLogConn(conn)
+	case CommandStatus:
+		return s.handleStatusConn(conn)
+	case CommandServiceStop:
+		return s.handleServiceStop(conn)
+	case CommandServiceReload:
+		return s.handleServiceReload(conn)
+	case CommandCloseConnections:
+		return s.handleCloseConnections(conn)
+	default:
+		return E.New("unknown command: ", command)
+	}
+}
--- a/experimental/libbox/command_status.go
+++ b/experimental/libbox/command_status.go
@@ -0,0 +1,63 @@
+//go:build darwin
+
+package libbox
+
+import (
+	"encoding/binary"
+	"net"
+	"runtime"
+	"time"
+
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type StatusMessage struct {
+	Memory      int64
+	Goroutines  int32
+	Connections int32
+}
+
+func readStatus() StatusMessage {
+	var memStats runtime.MemStats
+	runtime.ReadMemStats(&memStats)
+	var message StatusMessage
+	message.Memory = int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
+	message.Goroutines = int32(runtime.NumGoroutine())
+	message.Connections = int32(conntrack.Count())
+	return message
+}
+
+func (s *CommandServer) handleStatusConn(conn net.Conn) error {
+	var interval int64
+	err := binary.Read(conn, binary.BigEndian, &interval)
+	if err != nil {
+		return E.Cause(err, "read interval")
+	}
+	ticker := time.NewTicker(time.Duration(interval))
+	defer ticker.Stop()
+	ctx := connKeepAlive(conn)
+	for {
+		err = binary.Write(conn, binary.BigEndian, readStatus())
+		if err != nil {
+			return err
+		}
+		select {
+		case <-ctx.Done():
+			return nil
+		case <-ticker.C:
+		}
+	}
+}
+
+func (c *CommandClient) handleStatusConn(conn net.Conn) {
+	for {
+		var message StatusMessage
+		err := binary.Read(conn, binary.BigEndian, &message)
+		if err != nil {
+			c.handler.Disconnected(err.Error())
+			return
+		}
+		c.handler.WriteStatus(&message)
+	}
+}
--- a/experimental/libbox/command_stop.go
+++ b/experimental/libbox/command_stop.go
@@ -0,0 +1,50 @@
+//go:build darwin
+
+package libbox
+
+import (
+	"encoding/binary"
+	"net"
+	"runtime/debug"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/rw"
+)
+
+func ClientServiceStop(sharedDirectory string) error {
+	conn, err := clientConnect(sharedDirectory)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandServiceStop))
+	if err != nil {
+		return err
+	}
+	var hasError bool
+	err = binary.Read(conn, binary.BigEndian, &hasError)
+	if err != nil {
+		return err
+	}
+	if hasError {
+		errorMessage, err := rw.ReadVString(conn)
+		if err != nil {
+			return err
+		}
+		return E.New(errorMessage)
+	}
+	return nil
+}
+
+func (s *CommandServer) handleServiceStop(conn net.Conn) error {
+	rErr := s.handler.ServiceStop()
+	err := binary.Write(conn, binary.BigEndian, rErr != nil)
+	if err != nil {
+		return err
+	}
+	if rErr != nil {
+		return rw.WriteVString(conn, rErr.Error())
+	}
+	debug.FreeOSMemory()
+	return nil
+}
--- a/experimental/libbox/config.go
+++ b/experimental/libbox/config.go
@@ -1,3 +1,5 @@
+//go:build linux || darwin
+
 package libbox

 import (
--- a/experimental/libbox/iterator.go
+++ b/experimental/libbox/iterator.go
@@ -1,3 +1,5 @@
+//go:build linux || darwin
+
 package libbox

 import "github.com/sagernet/sing/common"
--- a/experimental/libbox/log.go
+++ b/experimental/libbox/log.go
@@ -1,54 +0,0 @@
-package libbox
-
-import (
-	"bufio"
-	"log"
-	"os"
-)
-
-type StandardOutput interface {
-	WriteOutput(message string)
-	WriteErrorOutput(message string)
-}
-
-func SetOutput(output StandardOutput) {
-	log.SetOutput(logWriter{output})
-	pipeIn, pipeOut, err := os.Pipe()
-	if err != nil {
-		panic(err)
-	}
-	os.Stdout = os.NewFile(pipeOut.Fd(), "stdout")
-	go lineLog(pipeIn, output.WriteOutput)
-
-	pipeIn, pipeOut, err = os.Pipe()
-	if err != nil {
-		panic(err)
-	}
-	os.Stderr = os.NewFile(pipeOut.Fd(), "srderr")
-	go lineLog(pipeIn, output.WriteErrorOutput)
-}
-
-type logWriter struct {
-	output StandardOutput
-}
-
-func (w logWriter) Write(p []byte) (n int, err error) {
-	w.output.WriteOutput(string(p))
-	return len(p), nil
-}
-
-func lineLog(f *os.File, output func(string)) {
-	const logSize = 1024 // matches android/log.h.
-	r := bufio.NewReaderSize(f, logSize)
-	for {
-		line, _, err := r.ReadLine()
-		str := string(line)
-		if err != nil {
-			str += " " + err.Error()
-		}
-		output(str)
-		if err != nil {
-			break
-		}
-	}
-}
--- a/experimental/libbox/log_client.go
+++ b/experimental/libbox/log_client.go
@@ -1,59 +0,0 @@
-//go:build ios
-
-package libbox
-
-import (
-	"net"
-	"path/filepath"
-
-	"github.com/sagernet/sing/common"
-)
-
-type LogClient struct {
-	sockPath string
-	handler  LogClientHandler
-	conn     net.Conn
-}
-
-type LogClientHandler interface {
-	Connected()
-	Disconnected()
-	WriteLog(message string)
-}
-
-func NewLogClient(sharedDirectory string, handler LogClientHandler) *LogClient {
-	return &LogClient{
-		sockPath: filepath.Join(sharedDirectory, "log.sock"),
-		handler:  handler,
-	}
-}
-
-func (c *LogClient) Connect() error {
-	conn, err := net.DialUnix("unix", nil, &net.UnixAddr{
-		Name: c.sockPath,
-		Net:  "unix",
-	})
-	if err != nil {
-		return err
-	}
-	c.conn = conn
-	go c.loopConnection(&messageConn{conn})
-	return nil
-}
-
-func (c *LogClient) Disconnect() error {
-	return common.Close(c.conn)
-}
-
-func (c *LogClient) loopConnection(conn *messageConn) {
-	c.handler.Connected()
-	defer c.handler.Disconnected()
-	for {
-		message, err := conn.Read()
-		if err != nil {
-			c.handler.WriteLog("(log client error) " + err.Error())
-			return
-		}
-		c.handler.WriteLog(string(message))
-	}
-}
--- a/experimental/libbox/log_server.go
+++ b/experimental/libbox/log_server.go
@@ -1,139 +0,0 @@
-//go:build ios
-
-package libbox
-
-import (
-	"encoding/binary"
-	"io"
-	"net"
-	"os"
-	"path/filepath"
-	"sync"
-
-	"github.com/sagernet/sing-box/log"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/observable"
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type LogServer struct {
-	sockPath string
-	listener net.Listener
-
-	access     sync.Mutex
-	savedLines *list.List[string]
-	subscriber *observable.Subscriber[string]
-	observer   *observable.Observer[string]
-}
-
-func NewLogServer(sharedDirectory string) *LogServer {
-	server := &LogServer{
-		sockPath:   filepath.Join(sharedDirectory, "log.sock"),
-		savedLines: new(list.List[string]),
-		subscriber: observable.NewSubscriber[string](128),
-	}
-	server.observer = observable.NewObserver[string](server.subscriber, 64)
-	return server
-}
-
-func (s *LogServer) Start() error {
-	os.Remove(s.sockPath)
-	listener, err := net.ListenUnix("unix", &net.UnixAddr{
-		Name: s.sockPath,
-		Net:  "unix",
-	})
-	if err != nil {
-		return err
-	}
-	go s.loopConnection(listener)
-	return nil
-}
-
-func (s *LogServer) Close() error {
-	return s.listener.Close()
-}
-
-func (s *LogServer) WriteMessage(message string) {
-	s.subscriber.Emit(message)
-	s.access.Lock()
-	s.savedLines.PushBack(message)
-	if s.savedLines.Len() > 100 {
-		s.savedLines.Remove(s.savedLines.Front())
-	}
-	s.access.Unlock()
-}
-
-func (s *LogServer) loopConnection(listener net.Listener) {
-	for {
-		conn, err := listener.Accept()
-		if err != nil {
-			return
-		}
-		go func() {
-			hErr := s.handleConnection(&messageConn{conn})
-			if hErr != nil && !E.IsClosed(err) {
-				log.Warn("log-server: process connection: ", hErr)
-			}
-		}()
-	}
-}
-
-func (s *LogServer) handleConnection(conn *messageConn) error {
-	var savedLines []string
-	s.access.Lock()
-	savedLines = make([]string, 0, s.savedLines.Len())
-	for element := s.savedLines.Front(); element != nil; element = element.Next() {
-		savedLines = append(savedLines, element.Value)
-	}
-	s.access.Unlock()
-	subscription, done, err := s.observer.Subscribe()
-	if err != nil {
-		return err
-	}
-	defer s.observer.UnSubscribe(subscription)
-	for _, line := range savedLines {
-		err = conn.Write([]byte(line))
-		if err != nil {
-			return err
-		}
-	}
-	for {
-		select {
-		case message := <-subscription:
-			err = conn.Write([]byte(message))
-			if err != nil {
-				return err
-			}
-		case <-done:
-			conn.Close()
-			return nil
-		}
-	}
-}
-
-type messageConn struct {
-	net.Conn
-}
-
-func (c *messageConn) Read() ([]byte, error) {
-	var messageLength uint16
-	err := binary.Read(c.Conn, binary.BigEndian, &messageLength)
-	if err != nil {
-		return nil, err
-	}
-	data := make([]byte, messageLength)
-	_, err = io.ReadFull(c.Conn, data)
-	if err != nil {
-		return nil, err
-	}
-	return data, nil
-}
-
-func (c *messageConn) Write(message []byte) error {
-	err := binary.Write(c.Conn, binary.BigEndian, uint16(len(message)))
-	if err != nil {
-		return err
-	}
-	_, err = c.Conn.Write(message)
-	return err
-}
--- a/experimental/libbox/memory.go
+++ b/experimental/libbox/memory.go
@@ -0,0 +1,18 @@
+//go:build darwin
+
+package libbox
+
+import (
+	runtimeDebug "runtime/debug"
+
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
+)
+
+const memoryLimit = 30 * 1024 * 1024
+
+func SetMemoryLimit() {
+	runtimeDebug.SetGCPercent(10)
+	runtimeDebug.SetMemoryLimit(memoryLimit)
+	conntrack.KillerEnabled = true
+	conntrack.MemoryLimit = memoryLimit
+}
--- a/experimental/libbox/platform.go
+++ b/experimental/libbox/platform.go
@@ -1,8 +1,12 @@
+//go:build linux || darwin
+
 package libbox

+import "github.com/sagernet/sing-box/option"
+
 type PlatformInterface interface {
 	AutoDetectInterfaceControl(fd int32) error
-	OpenTun(options TunOptions) (TunInterface, error)
+	OpenTun(options TunOptions) (int32, error)
 	WriteLog(message string)
 	UseProcFS() bool
 	FindConnectionOwner(ipProtocol int32, sourceAddress string, sourcePort int32, destinationAddress string, destinationPort int32) (int32, error)
@@ -14,3 +18,51 @@ type TunInterface interface {
 	FileDescriptor() int32
 	Close() error
 }
+
+type OnDemandRuleIterator interface {
+	Next() OnDemandRule
+	HasNext() bool
+}
+
+type OnDemandRule interface {
+	Target() int32
+	DNSSearchDomainMatch() StringIterator
+	DNSServerAddressMatch() StringIterator
+	InterfaceTypeMatch() int32
+	SSIDMatch() StringIterator
+	ProbeURL() string
+}
+
+type onDemandRule struct {
+	option.OnDemandRule
+}
+
+func (r *onDemandRule) Target() int32 {
+	if r.OnDemandRule.Action == nil {
+		return -1
+	}
+	return int32(*r.OnDemandRule.Action)
+}
+
+func (r *onDemandRule) DNSSearchDomainMatch() StringIterator {
+	return newIterator(r.OnDemandRule.DNSSearchDomainMatch)
+}
+
+func (r *onDemandRule) DNSServerAddressMatch() StringIterator {
+	return newIterator(r.OnDemandRule.DNSServerAddressMatch)
+}
+
+func (r *onDemandRule) InterfaceTypeMatch() int32 {
+	if r.OnDemandRule.InterfaceTypeMatch == nil {
+		return -1
+	}
+	return int32(*r.OnDemandRule.InterfaceTypeMatch)
+}
+
+func (r *onDemandRule) SSIDMatch() StringIterator {
+	return newIterator(r.OnDemandRule.SSIDMatch)
+}
+
+func (r *onDemandRule) ProbeURL() string {
+	return r.OnDemandRule.ProbeURL
+}
--- a/experimental/libbox/platform/interface.go
+++ b/experimental/libbox/platform/interface.go
@@ -4,13 +4,14 @@ import (
 	"io"

 	"github.com/sagernet/sing-box/common/process"
+	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
 )

 type Interface interface {
 	AutoDetectInterfaceControl() control.Func
-	OpenTun(options tun.Options) (tun.Tun, error)
+	OpenTun(options tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error)
 	process.Searcher
 	io.Writer
 }
--- a/experimental/libbox/pprof.go
+++ b/experimental/libbox/pprof.go
@@ -1,4 +1,4 @@
-//go:build debug
+//go:build linux || darwin

 package libbox

--- a/experimental/libbox/pprof_stub.go
+++ b/experimental/libbox/pprof_stub.go
@@ -1,21 +0,0 @@
-//go:build !debug
-
-package libbox
-
-import (
-	"os"
-)
-
-type PProfServer struct{}
-
-func NewPProfServer(port int) *PProfServer {
-	return &PProfServer{}
-}
-
-func (s *PProfServer) Start() error {
-	return os.ErrInvalid
-}
-
-func (s *PProfServer) Close() error {
-	return os.ErrInvalid
-}
--- a/experimental/libbox/service.go
+++ b/experimental/libbox/service.go
@@ -1,16 +1,17 @@
+//go:build linux || darwin
+
 package libbox

 import (
 	"context"
 	"net/netip"
-	"os"
-	"runtime"
 	"syscall"

 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/common/process"
 	"github.com/sagernet/sing-box/experimental/libbox/internal/procfs"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
+	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -28,10 +29,8 @@ func NewService(configContent string, platformInterface PlatformInterface) (*Box
 	if err != nil {
 		return nil, err
 	}
-	platformInterface.WriteLog("Hello " + runtime.GOOS + "/" + runtime.GOARCH)
-	options.PlatformInterface = &platformInterfaceWrapper{platformInterface, platformInterface.UseProcFS()}
 	ctx, cancel := context.WithCancel(context.Background())
-	instance, err := box.New(ctx, options)
+	instance, err := box.New(ctx, options, &platformInterfaceWrapper{platformInterface, platformInterface.UseProcFS()})
 	if err != nil {
 		cancel()
 		return nil, E.Cause(err, "create service")
@@ -67,26 +66,23 @@ func (w *platformInterfaceWrapper) AutoDetectInterfaceControl() control.Func {
 	}
 }

-func (w *platformInterfaceWrapper) OpenTun(options tun.Options) (tun.Tun, error) {
+func (w *platformInterfaceWrapper) OpenTun(options tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error) {
 	if len(options.IncludeUID) > 0 || len(options.ExcludeUID) > 0 {
 		return nil, E.New("android: unsupported uid options")
 	}
 	if len(options.IncludeAndroidUser) > 0 {
 		return nil, E.New("android: unsupported android_user option")
 	}
-
-	optionsWrapper := tunOptions(options)
-	tunInterface, err := w.iif.OpenTun(&optionsWrapper)
+	tunFd, err := w.iif.OpenTun(&tunOptions{options, platformOptions})
 	if err != nil {
 		return nil, err
 	}
-	tunFd := tunInterface.FileDescriptor()
-	return &nativeTun{
-		tunFd:   int(tunFd),
-		tunFile: os.NewFile(uintptr(tunFd), "tun"),
-		tunMTU:  options.MTU,
-		closer:  tunInterface,
-	}, nil
+	dupFd, err := syscall.Dup(int(tunFd))
+	if err != nil {
+		return nil, E.Cause(err, "dup tun file descriptor")
+	}
+	options.FileDescriptor = dupFd
+	return tun.New(options)
 }

 func (w *platformInterfaceWrapper) Write(p []byte) (n int, err error) {
--- a/experimental/libbox/setup.go
+++ b/experimental/libbox/setup.go
@@ -1,6 +1,12 @@
+//go:build linux || darwin
+
 package libbox

-import C "github.com/sagernet/sing-box/constant"
+import (
+	C "github.com/sagernet/sing-box/constant"
+
+	"github.com/dustin/go-humanize"
+)

 func SetBasePath(path string) {
 	C.SetBasePath(path)
@@ -9,3 +15,7 @@ func SetBasePath(path string) {
 func Version() string {
 	return C.Version
 }
+
+func FormatBytes(length int64) string {
+	return humanize.IBytes(uint64(length))
+}
--- a/experimental/libbox/tun.go
+++ b/experimental/libbox/tun.go
@@ -1,13 +1,16 @@
+//go:build linux || darwin
+
 package libbox

 import (
-	"io"
+	"net"
 	"net/netip"
-	"os"

+	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
 )

 type TunOptions interface {
@@ -21,6 +24,9 @@ type TunOptions interface {
 	GetInet6RouteAddress() RoutePrefixIterator
 	GetIncludePackage() StringIterator
 	GetExcludePackage() StringIterator
+	IsHTTPProxyEnabled() bool
+	GetHTTPProxyServer() string
+	GetHTTPProxyServerPort() int32
 }

 type RoutePrefix struct {
@@ -28,6 +34,16 @@ type RoutePrefix struct {
 	Prefix  int32
 }

+func (p *RoutePrefix) Mask() string {
+	var bits int
+	if M.ParseSocksaddr(p.Address).Addr.Is6() {
+		bits = 128
+	} else {
+		bits = 32
+	}
+	return net.IP(net.CIDRMask(int(p.Prefix), bits)).String()
+}
+
 type RoutePrefixIterator interface {
 	Next() *RoutePrefix
 	HasNext() bool
@@ -44,7 +60,10 @@ func mapRoutePrefix(prefixes []netip.Prefix) RoutePrefixIterator {

 var _ TunOptions = (*tunOptions)(nil)

-type tunOptions tun.Options
+type tunOptions struct {
+	tun.Options
+	option.TunPlatformOptions
+}

 func (o *tunOptions) GetInet4Address() RoutePrefixIterator {
 	return mapRoutePrefix(o.Inet4Address)
@@ -89,21 +108,17 @@ func (o *tunOptions) GetExcludePackage() StringIterator {
 	return newIterator(o.ExcludePackage)
 }

-type nativeTun struct {
-	tunFd   int
-	tunFile *os.File
-	tunMTU  uint32
-	closer  io.Closer
+func (o *tunOptions) IsHTTPProxyEnabled() bool {
+	if o.TunPlatformOptions.HTTPProxy == nil {
+		return false
+	}
+	return o.TunPlatformOptions.HTTPProxy.Enabled
 }

-func (t *nativeTun) Read(p []byte) (n int, err error) {
-	return t.tunFile.Read(p)
+func (o *tunOptions) GetHTTPProxyServer() string {
+	return o.TunPlatformOptions.HTTPProxy.Server
 }

-func (t *nativeTun) Write(p []byte) (n int, err error) {
-	return t.tunFile.Write(p)
-}
-
-func (t *nativeTun) Close() error {
-	return t.closer.Close()
+func (o *tunOptions) GetHTTPProxyServerPort() int32 {
+	return int32(o.TunPlatformOptions.HTTPProxy.ServerPort)
 }
--- a/experimental/libbox/tun_darwin.go
+++ b/experimental/libbox/tun_darwin.go
@@ -0,0 +1,34 @@
+package libbox
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+// kanged from wireauard-apple
+
+const utunControlName = "com.apple.net.utun_control"
+
+func GetTunnelFileDescriptor() int32 {
+	ctlInfo := &unix.CtlInfo{}
+	copy(ctlInfo.Name[:], utunControlName)
+	for fd := 0; fd < 1024; fd++ {
+		addr, err := unix.Getpeername(fd)
+		if err != nil {
+			continue
+		}
+		addrCTL, loaded := addr.(*unix.SockaddrCtl)
+		if !loaded {
+			continue
+		}
+		if ctlInfo.Id == 0 {
+			err = unix.IoctlCtlInfo(fd, ctlInfo)
+			if err != nil {
+				continue
+			}
+		}
+		if addrCTL.ID == ctlInfo.Id {
+			return int32(fd)
+		}
+	}
+	return -1
+}
--- a/experimental/libbox/tun_gvisor.go
+++ b/experimental/libbox/tun_gvisor.go
@@ -1,19 +0,0 @@
-//go:build with_gvisor && linux
-
-package libbox
-
-import (
-	"github.com/sagernet/sing-tun"
-
-	"gvisor.dev/gvisor/pkg/tcpip/link/fdbased"
-	"gvisor.dev/gvisor/pkg/tcpip/stack"
-)
-
-var _ tun.GVisorTun = (*nativeTun)(nil)
-
-func (t *nativeTun) NewEndpoint() (stack.LinkEndpoint, error) {
-	return fdbased.New(&fdbased.Options{
-		FDs: []int{t.tunFd},
-		MTU: t.tunMTU,
-	})
-}
--- a/go.mod
+++ b/go.mod
@@ -14,42 +14,46 @@ require (
 	github.com/go-chi/render v1.0.2
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/hashicorp/yamux v0.1.1
-	github.com/insomniacslk/dhcp v0.0.0-20230220010740-598984875576
+	github.com/insomniacslk/dhcp v0.0.0-20230307103557-e252950ab961
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/mholt/acmez v1.1.0
-	github.com/miekg/dns v1.1.50
-	github.com/nekohasekai/reality v0.0.0-20230225080858-d70c703b04cd
+	github.com/miekg/dns v1.1.52
+	github.com/ooni/go-libtor v1.1.7
 	github.com/oschwald/maxminddb-golang v1.10.0
-	github.com/pires/go-proxyproto v0.6.2
+	github.com/pires/go-proxyproto v0.7.0
 	github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0
 	github.com/sagernet/gomobile v0.0.0-20221130124640-349ebaa752ca
 	github.com/sagernet/quic-go v0.0.0-20230202071646-a8c8afb18b32
-	github.com/sagernet/sing v0.1.8-0.20230221060643-3401d210384b
+	github.com/sagernet/reality v0.0.0-20230312150606-35ea9af0e0b8
+	github.com/sagernet/sing v0.1.9-0.20230317044231-85a9429eadb6
 	github.com/sagernet/sing-dns v0.1.4
 	github.com/sagernet/sing-shadowsocks v0.1.2-0.20230221080503-769c01d6bba9
-	github.com/sagernet/sing-shadowtls v0.0.0-20230221123345-78e50cd7b587
-	github.com/sagernet/sing-tun v0.1.1
-	github.com/sagernet/sing-vmess v0.1.2
-	github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195
-	github.com/sagernet/tfo-go v0.0.0-20230207095944-549363a7327d
-	github.com/sagernet/utls v0.0.0-20230225061716-536a007c8b01
+	github.com/sagernet/sing-shadowtls v0.1.0
+	github.com/sagernet/sing-tun v0.1.3-0.20230315134716-fe89bbded22d
+	github.com/sagernet/sing-vmess v0.1.3
+	github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37
+	github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9
+	github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2
 	github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e
 	github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c
 	github.com/spf13/cobra v1.6.1
-	github.com/stretchr/testify v1.8.1
+	github.com/stretchr/testify v1.8.2
 	go.etcd.io/bbolt v1.3.7
 	go.uber.org/atomic v1.10.0
 	go.uber.org/zap v1.24.0
-	go4.org/netipx v0.0.0-20230125063823-8449b0a6169f
-	golang.org/x/crypto v0.6.0
-	golang.org/x/exp v0.0.0-20230213192124-5e25df0256eb
-	golang.org/x/net v0.7.0
-	golang.org/x/sys v0.5.0
+	go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35
+	golang.org/x/crypto v0.7.0
+	golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0
+	golang.org/x/net v0.8.0
+	golang.org/x/sys v0.6.0
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde
 	google.golang.org/grpc v1.53.0
-	google.golang.org/protobuf v1.28.1
+	google.golang.org/protobuf v1.30.0
 	gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c
 )

+//replace github.com/sagernet/sing => ../sing
+
 require (
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.5 // indirect
@@ -76,13 +80,13 @@ require (
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/u-root/uio v0.0.0-20230215032506-9aa6f7e2d72c // indirect
+	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/mod v0.6.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/mod v0.8.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
-	golang.org/x/tools v0.2.0 // indirect
+	golang.org/x/tools v0.6.0 // indirect
 	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -23,7 +23,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/fanliao/go-promise v0.0.0-20141029170127-1890db352a72/go.mod h1:PjfxuH4FZdUyfMdtBio2lsRr1AKEaVPwelzuHuh8Lqc=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/go-chi/chi/v5 v5.0.8 h1:lD+NLqFcAi1ovnVZpsnObHGW4xb4J8lNmoYVfECH1Y0=
@@ -43,32 +42,20 @@ github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
-github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20230220010740-598984875576 h1:ehee0+xI4xtJTRJhN+PVA2GzCLB6KRgHRoZMg2lHwJU=
-github.com/insomniacslk/dhcp v0.0.0-20230220010740-598984875576/go.mod h1:yGKD3yZIGAjEZXiIjVQ0SQ09Y/RzETOoqEOi6nXqX0Y=
+github.com/insomniacslk/dhcp v0.0.0-20230307103557-e252950ab961 h1:x/YtdDlmypenG1te/FfH6LVM+3krhXk5CFV8VYNNX5M=
+github.com/insomniacslk/dhcp v0.0.0-20230307103557-e252950ab961/go.mod h1:IKrnDWs3/Mqq5n0lI+RxA2sB7MvN/vbMBP3ehXg65UI=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
-github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
-github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ=
-github.com/jsimonetti/rtnetlink v0.0.0-20201009170750-9c6f07d100c1/go.mod h1:hqoO/u39cqLeBLebZ8fWdE96O7FxrAsRYhnVOdgHxok=
-github.com/jsimonetti/rtnetlink v0.0.0-20201110080708-d2c240429e6c/go.mod h1:huN4d1phzjhlOsNIjFsw2SVRbwIHj3fJDMEU2SDPTmg=
-github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/klauspost/compress v1.15.15 h1:EF27CXIuDsYJ6mmvtBRlEuB2UVOqHG1tAXgZ7yIO+lw=
 github.com/klauspost/compress v1.15.15/go.mod h1:ZcK2JAFqKOpnBlxcLsJzYfrS9X1akm9fHZNnD9+Vo/4=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
@@ -81,30 +68,23 @@ github.com/libdns/libdns v0.2.1 h1:Wu59T7wSHRgtA0cfxC+n1c/e+O3upJGWytknkmFEDis=
 github.com/libdns/libdns v0.2.1/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
-github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7/go.mod h1:U6ZQobyTjI/tJyq2HG+i/dfSoFUt8/aZCM+GKtmFk/Y=
-github.com/mdlayher/netlink v0.0.0-20190409211403-11939a169225/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA=
-github.com/mdlayher/netlink v1.0.0/go.mod h1:KxeJAFOFLG6AjpyDkQ/iIhxygIUKD+vcwqcnu43w/+M=
-github.com/mdlayher/netlink v1.1.0/go.mod h1:H4WCitaheIsdF9yOYu8CFmCgQthAPIWZmcKp9uZHgmY=
-github.com/mdlayher/netlink v1.1.1/go.mod h1:WTYpFb/WTvlRJAyKhZL5/uy69TDDpHHu2VZmb2XgV7o=
-github.com/mdlayher/raw v0.0.0-20190606142536-fef19f00fc18/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
-github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
 github.com/mholt/acmez v1.1.0 h1:IQ9CGHKOHokorxnffsqDvmmE30mDenO1lptYZ1AYkHY=
 github.com/mholt/acmez v1.1.0/go.mod h1:zwo5+fbLLTowAX8o8ETfQzbDtwGEXnPhkmGdKIP+bgs=
-github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
-github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
-github.com/nekohasekai/reality v0.0.0-20230225080858-d70c703b04cd h1:vd4qbG9ZTW10e1uqo8PDLshe5XL2yPhdINhGlJYaOoQ=
-github.com/nekohasekai/reality v0.0.0-20230225080858-d70c703b04cd/go.mod h1:C+iqSNDBQ8qMhlNZ0JSUO9POEWq8qX87hukGfmO7/fA=
+github.com/miekg/dns v1.1.52 h1:Bmlc/qsNNULOe6bpXcUTsuOajd0DzRHwup6D9k1An0c=
+github.com/miekg/dns v1.1.52/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI=
 github.com/onsi/ginkgo/v2 v2.2.0/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk=
 github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
+github.com/ooni/go-libtor v1.1.7 h1:ooVcdEPBqDox5OfeXAfXIeQFCbqMLJVfIpO+Irr7N9A=
+github.com/ooni/go-libtor v1.1.7/go.mod h1:q1YyLwRD9GeMyeerVvwc0vJ2YgwDLTp2bdVcrh/JXyI=
 github.com/oschwald/maxminddb-golang v1.10.0 h1:Xp1u0ZhqkSuopaKmk1WwHtjF0H9Hd9181uj2MQ5Vndg=
 github.com/oschwald/maxminddb-golang v1.10.0/go.mod h1:Y2ELenReaLAZ0b400URyGwvYxHV1dLIxBuyOsyYjHK0=
 github.com/pierrec/lz4/v4 v4.1.14 h1:+fL8AQEZtz/ijeNnpduH0bROTu0O3NZAlPjQxGn8LwE=
 github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pires/go-proxyproto v0.6.2 h1:KAZ7UteSOt6urjme6ZldyFm4wDe/z0ZUP0Yv0Dos0d8=
-github.com/pires/go-proxyproto v0.6.2/go.mod h1:Odh9VFOZJCf9G8cLW5o435Xf1J95Jw9Gw5rnCjcwzAY=
+github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs=
+github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -127,32 +107,32 @@ github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6E
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/quic-go v0.0.0-20230202071646-a8c8afb18b32 h1:tztuJB+giOWNRKQEBVY2oI3PsheTooMdh+/yxemYQYY=
 github.com/sagernet/quic-go v0.0.0-20230202071646-a8c8afb18b32/go.mod h1:QMCkxXAC3CvBgDZVIJp43NWTuwGBScCzMLVLynjERL8=
-github.com/sagernet/sing v0.0.0-20220812082120-05f9836bff8f/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
+github.com/sagernet/reality v0.0.0-20230312150606-35ea9af0e0b8 h1:4M3+0/kqvJuTsimEORH0/vUYTpMDUETBH2zNUU38SUw=
+github.com/sagernet/reality v0.0.0-20230312150606-35ea9af0e0b8/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
-github.com/sagernet/sing v0.1.8-0.20230221060643-3401d210384b h1:Ji2AfGlc4j9AitobOx4k3BCj7eS5nSxL1cgaL81zvlo=
-github.com/sagernet/sing v0.1.8-0.20230221060643-3401d210384b/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
+github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
+github.com/sagernet/sing v0.1.9-0.20230317044231-85a9429eadb6 h1:h1wGLPBJLjujj9kYSbLiP1Tt6+IQnZ7Ok7jQd4u3xxk=
+github.com/sagernet/sing v0.1.9-0.20230317044231-85a9429eadb6/go.mod h1:9uHswk2hITw8leDbiLS/xn0t9nzBcbePxzm9PJhwdlw=
 github.com/sagernet/sing-dns v0.1.4 h1:7VxgeoSCiiazDSaXXQVcvrTBxFpOePPq/4XdgnUDN+0=
 github.com/sagernet/sing-dns v0.1.4/go.mod h1:1+6pCa48B1AI78lD+/i/dLgpw4MwfnsSpZo0Ds8wzzk=
 github.com/sagernet/sing-shadowsocks v0.1.2-0.20230221080503-769c01d6bba9 h1:qS39eA4C7x+zhEkySbASrtmb6ebdy5v0y2M6mgkmSO0=
 github.com/sagernet/sing-shadowsocks v0.1.2-0.20230221080503-769c01d6bba9/go.mod h1:f3mHTy5shnVM9l8UocMlJgC/1G/zdj5FuEuVXhDinGU=
-github.com/sagernet/sing-shadowtls v0.0.0-20230221123345-78e50cd7b587 h1:OjIXlHT2bblZfp+ciupM4xY9+Ccpj9FsuHRtKRBv+Pg=
-github.com/sagernet/sing-shadowtls v0.0.0-20230221123345-78e50cd7b587/go.mod h1:Kn1VUIprdkwCgkS6SXYaLmIpKzQbqBIKJBMY+RvBhYc=
-github.com/sagernet/sing-tun v0.1.1 h1:2Hg3GAyJWzQ7Ua1j74dE+mI06vaqSBO9yD4tkTjggn4=
-github.com/sagernet/sing-tun v0.1.1/go.mod h1:WzW/SkT+Nh9uJn/FIYUE2YJHYuPwfbh8sATOzU9QDGw=
-github.com/sagernet/sing-vmess v0.1.2 h1:RbOZNAId2LrCai8epMoQXlf0XTrou0bfcw08hNBg6lM=
-github.com/sagernet/sing-vmess v0.1.2/go.mod h1:9NSj8mZTx1JIY/HF9LaYRppUsVkysIN5tEFpNZujXxY=
-github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195 h1:5VBIbVw9q7aKbrFdT83mjkyvQ+VaRsQ6yflTepfln38=
-github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195/go.mod h1:yedWtra8nyGJ+SyI+ziwuaGMzBatbB10P1IOOZbbSK8=
-github.com/sagernet/tfo-go v0.0.0-20230207095944-549363a7327d h1:trP/l6ZPWvQ/5Gv99Z7/t/v8iYy06akDMejxW1sznUk=
-github.com/sagernet/tfo-go v0.0.0-20230207095944-549363a7327d/go.mod h1:jk6Ii8Y3En+j2KQDLgdgQGwb3M6y7EL567jFnGYhN9g=
-github.com/sagernet/utls v0.0.0-20230225061716-536a007c8b01 h1:m4MI13+NRKddIvbdSN0sFHK8w5ROTa60Zi9diZ7EE08=
-github.com/sagernet/utls v0.0.0-20230225061716-536a007c8b01/go.mod h1:JKQMZq/O2qnZjdrt+B57olmfgEmLtY9iiSIEYtWvoSM=
+github.com/sagernet/sing-shadowtls v0.1.0 h1:05MYce8aR5xfKIn+y7xRFsdKhKt44QZTSEQW+lG5IWQ=
+github.com/sagernet/sing-shadowtls v0.1.0/go.mod h1:Kn1VUIprdkwCgkS6SXYaLmIpKzQbqBIKJBMY+RvBhYc=
+github.com/sagernet/sing-tun v0.1.3-0.20230315134716-fe89bbded22d h1:1gt4Hu2fHCrmL2NZYCNJ3nCgeczuhK09oCMni9mZmZk=
+github.com/sagernet/sing-tun v0.1.3-0.20230315134716-fe89bbded22d/go.mod h1:KnRkwaDHbb06zgeNPu0LQ8A+vA9myMxKEgHN1brCPHg=
+github.com/sagernet/sing-vmess v0.1.3 h1:q/+tsF46dvvapL6CpQBgPHJ6nQrDUZqEtLHCbsjO7iM=
+github.com/sagernet/sing-vmess v0.1.3/go.mod h1:GVXqAHwe9U21uS+Voh4YBIrADQyE4F9v0ayGSixSQAE=
+github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 h1:HuE6xSwco/Xed8ajZ+coeYLmioq0Qp1/Z2zczFaV8as=
+github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37/go.mod h1:3skNSftZDJWTGVtVaM2jfbce8qHnmH/AGDRe62iNOg0=
+github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9 h1:2ItpW1nMNkPzmBTxV0/eClCklHrFSQMnUGcpUmJxVeE=
+github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9/go.mod h1:FUyTEc5ye5NjKnDTDMuiLF2M6T4BE6y6KZuax//UCEg=
+github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2 h1:kDUqhc9Vsk5HJuhfIATJ8oQwBmpOZJuozQG7Vk88lL4=
+github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2/go.mod h1:JKQMZq/O2qnZjdrt+B57olmfgEmLtY9iiSIEYtWvoSM=
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e h1:7uw2njHFGE+VpWamge6o56j2RWk4omF6uLKKxMmcWvs=
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e/go.mod h1:45TUl8+gH4SIKr4ykREbxKWTxkDlSzFENzctB1dVRRY=
 github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c h1:vK2wyt9aWYHHvNLWniwijBu/n4pySypiKRhN32u/JGo=
 github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c/go.mod h1:euOmN6O5kk9dQmgSS8Df4psAl3TCjxOz0NW60EWkSaI=
-github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
-github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
 github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -162,14 +142,13 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/u-root/uio v0.0.0-20230215032506-9aa6f7e2d72c h1:PHoGTnweZP+KIg/8Zc6+iOesrIF5yHkpb4GBDxHm7yE=
-github.com/u-root/uio v0.0.0-20230215032506-9aa6f7e2d72c/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
+github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 h1:tHNk7XK9GkmKUR6Gh8gVBKXc2MVSZ4G/NnWLtzw4gNA=
+github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
@@ -183,93 +162,73 @@ go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
-go4.org/netipx v0.0.0-20230125063823-8449b0a6169f h1:ketMxHg+vWm3yccyYiq+uK8D3fRmna2Fcj+awpQp84s=
-go4.org/netipx v0.0.0-20230125063823-8449b0a6169f/go.mod h1:tgPU4N2u9RByaTN3NC2p9xOzyFpte4jYwsIIRF7XlSc=
+go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35 h1:nJAwRlGWZZDOD+6wni9KVUNHMpHko/OnRwsrCYeAzPo=
+go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35/go.mod h1:TQvodOM+hJTioNQJilmLXu08JNb8i+ccq418+KWu1/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/exp v0.0.0-20230213192124-5e25df0256eb h1:PaBZQdo+iSDyHT053FjUCgZQ/9uqVwPOcl7KSWhKn6w=
-golang.org/x/exp v0.0.0-20230213192124-5e25df0256eb/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0 h1:pVgRXcIictcr+lBQIFeiwuwtDIs4eL21OuM9nyAADmo=
+golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I=
-golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190419010253-1f3472d942ba/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190418153312-f0ce4c0180be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606122018-79a91cf218c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
+golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE=
-golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
+golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde h1:ybF7AMzIUikL9x4LgwEmzhXtzRpKNqngme1VGDWz+Nk=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde/go.mod h1:mQqgjkW8GQQcJQsbBvK890TKqUK1DfKWkuBGbOkuMHQ=
 google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f h1:BWUVssLB0HVOSY78gIdvk1dTVYtT1y8SBWtPYuTJ/6w=
 google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
 google.golang.org/grpc v1.53.0 h1:LAv2ds7cmFV/XTS3XG1NneeENYrXGmorPxsBbptIjNc=
 google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
+google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/inbound/default.go
+++ b/inbound/default.go
@@ -13,6 +13,8 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+
+	"go.uber.org/atomic"
 )

 var _ adapter.Inbound = (*myInboundAdapter)(nil)
@@ -42,6 +44,8 @@ type myInboundAdapter struct {
 	udpAddr              M.Socksaddr
 	packetOutboundClosed chan struct{}
 	packetOutbound       chan *myInboundPacket
+
+	inShutdown atomic.Bool
 }

 func (a *myInboundAdapter) Type() string {
@@ -97,6 +101,7 @@ func (a *myInboundAdapter) Start() error {
 }

 func (a *myInboundAdapter) Close() error {
+	a.inShutdown.Store(true)
 	var err error
 	if a.clearSystemProxy != nil {
 		err = a.clearSystemProxy()
--- a/inbound/default_tcp.go
+++ b/inbound/default_tcp.go
@@ -39,10 +39,17 @@ func (a *myInboundAdapter) loopTCPIn() {
 	for {
 		conn, err := tcpListener.Accept()
 		if err != nil {
-			if E.IsClosed(err) {
+			//goland:noinspection GoDeprecation
+			//nolint:staticcheck
+			if netError, isNetError := err.(net.Error); isNetError && netError.Temporary() {
+				a.logger.Error(err)
+				continue
+			}
+			if a.inShutdown.Load() && E.IsClosed(err) {
 				return
 			}
-			a.logger.Error("accept: ", err)
+			a.tcpListener.Close()
+			a.logger.Error("serve error: ", err)
 			continue
 		}
 		go a.injectTCP(conn, adapter.InboundContext{})
--- a/inbound/shadowtls.go
+++ b/inbound/shadowtls.go
@@ -32,6 +32,10 @@ func NewShadowTLS(ctx context.Context, router adapter.Router, logger log.Context
 		},
 	}

+	if options.Version == 0 {
+		options.Version = 1
+	}
+
 	var handshakeForServerName map[string]shadowtls.HandshakeConfig
 	if options.Version > 1 {
 		handshakeForServerName = make(map[string]shadowtls.HandshakeConfig)
--- a/inbound/tun.go
+++ b/inbound/tun.go
@@ -36,6 +36,7 @@ type Tun struct {
 	tunIf                  tun.Tun
 	tunStack               tun.Stack
 	platformInterface      platform.Interface
+	platformOptions        option.TunPlatformOptions
 }

 func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunInboundOptions, platformInterface platform.Interface) (*Tun, error) {
@@ -96,6 +97,7 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		udpTimeout:             udpTimeout,
 		stack:                  options.Stack,
 		platformInterface:      platformInterface,
+		platformOptions:        common.PtrValueOrDefault(options.Platform),
 	}, nil
 }

@@ -148,9 +150,9 @@ func (t *Tun) Start() error {
 		err          error
 	)
 	if t.platformInterface != nil {
-		tunInterface, err = t.platformInterface.OpenTun(t.tunOptions)
+		tunInterface, err = t.platformInterface.OpenTun(t.tunOptions, t.platformOptions)
 	} else {
-		tunInterface, err = tun.Open(t.tunOptions)
+		tunInterface, err = tun.New(t.tunOptions)
 	}
 	if err != nil {
 		return E.Cause(err, "configure tun interface")
@@ -167,6 +169,7 @@ func (t *Tun) Start() error {
 		UDPTimeout:             t.udpTimeout,
 		Handler:                t,
 		Logger:                 t.logger,
+		UnderPlatform:          t.platformInterface != nil,
 	})
 	if err != nil {
 		return err
--- a/inbound/vless.go
+++ b/inbound/vless.go
@@ -50,11 +50,13 @@ func NewVLESS(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		ctx:   ctx,
 		users: options.Users,
 	}
-	service := vless.NewService[int](adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound))
+	service := vless.NewService[int](logger, adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound))
 	service.UpdateUsers(common.MapIndexed(inbound.users, func(index int, _ option.VLESSUser) int {
 		return index
 	}), common.Map(inbound.users, func(it option.VLESSUser) string {
 		return it.UUID
+	}), common.Map(inbound.users, func(it option.VLESSUser) string {
+		return it.Flow
 	}))
 	inbound.service = service
 	var err error
--- a/log/default.go
+++ b/log/default.go
@@ -25,7 +25,7 @@ func NewFactory(formatter Formatter, writer io.Writer, platformWriter io.Writer)
 		formatter: formatter,
 		platformFormatter: Formatter{
 			BaseTime:      formatter.BaseTime,
-			DisableColors: C.IsIos,
+			DisableColors: C.IsDarwin || C.IsIos,
 		},
 		writer:         writer,
 		platformWriter: platformWriter,
--- a/log/export.go
+++ b/log/export.go
@@ -16,6 +16,10 @@ func StdLogger() ContextLogger {
 	return std
 }

+func SetStdLogger(logger ContextLogger) {
+	std = logger
+}
+
 func Trace(args ...any) {
 	std.Trace(args...)
 }
--- a/log/factory.go
+++ b/log/factory.go
@@ -1,11 +1,15 @@
 package log

 import (
-	"context"
-
+	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/common/observable"
 )

+type (
+	Logger        logger.Logger
+	ContextLogger logger.ContextLogger
+)
+
 type Factory interface {
 	Level() Level
 	SetLevel(level Level)
@@ -22,24 +26,3 @@ type Entry struct {
 	Level   Level
 	Message string
 }
-
-type Logger interface {
-	Trace(args ...any)
-	Debug(args ...any)
-	Info(args ...any)
-	Warn(args ...any)
-	Error(args ...any)
-	Fatal(args ...any)
-	Panic(args ...any)
-}
-
-type ContextLogger interface {
-	Logger
-	TraceContext(ctx context.Context, args ...any)
-	DebugContext(ctx context.Context, args ...any)
-	InfoContext(ctx context.Context, args ...any)
-	WarnContext(ctx context.Context, args ...any)
-	ErrorContext(ctx context.Context, args ...any)
-	FatalContext(ctx context.Context, args ...any)
-	PanicContext(ctx context.Context, args ...any)
-}
--- a/log/observable.go
+++ b/log/observable.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"time"

+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/observable"
@@ -27,7 +28,8 @@ func NewObservableFactory(formatter Formatter, writer io.Writer, platformWriter
 	factory := &observableFactory{
 		formatter: formatter,
 		platformFormatter: Formatter{
-			BaseTime: formatter.BaseTime,
+			BaseTime:      formatter.BaseTime,
+			DisableColors: C.IsDarwin || C.IsIos,
 		},
 		writer:         writer,
 		platformWriter: platformWriter,
@@ -91,7 +93,7 @@ func (l *observableLogger) Log(ctx context.Context, level Level, args []any) {
 	}
 	l.subscriber.Emit(Entry{level, messageSimple})
 	if l.platformWriter != nil {
-		l.platformWriter.Write([]byte(l.formatter.Format(ctx, level, l.tag, F.ToString(args...), nowTime)))
+		l.platformWriter.Write([]byte(l.platformFormatter.Format(ctx, level, l.tag, F.ToString(args...), nowTime)))
 	}
 }

--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -8,8 +8,8 @@ remote_branch: docs
 edit_uri: ""
 theme:
  name: material
-  icon:
-    logo: material/tools
+  logo: assets/icon.svg
+  favicon: assets/icon.svg
  palette:
    - scheme: default
      primary: white
@@ -35,6 +35,11 @@ nav:
      - Features: features.md
      - Support: support.md
      - Change Log: changelog.md
+  - Installation:
+      - From source: installation/from-source.md
+      - Clients:
+          - SFI:
+            - installation/clients/sfi/index.md
  - Configuration:
      - configuration/index.md
      - Log:
@@ -59,6 +64,7 @@ nav:
          - TLS: configuration/shared/tls.md
          - Multiplex: configuration/shared/multiplex.md
          - V2Ray Transport: configuration/shared/v2ray-transport.md
+          - UDP over TCP: configuration/shared/udp-over-tcp.md
      - Inbound:
          - configuration/inbound/index.md
          - Direct: configuration/inbound/direct.md
@@ -153,6 +159,10 @@ plugins:
          Support: 支持
          Change Log: 更新日志

+          Installation: 安装
+          From source: 从源代码
+          Clients: 客户端
+
          Configuration: 配置
          Log: 日志
          DNS Server: DNS 服务器
--- a/option/config.go
+++ b/option/config.go
@@ -5,19 +5,18 @@ import (
 	"strings"

 	"github.com/sagernet/sing-box/common/json"
-	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	E "github.com/sagernet/sing/common/exceptions"
 )

 type _Options struct {
-	Log               *LogOptions          `json:"log,omitempty"`
-	DNS               *DNSOptions          `json:"dns,omitempty"`
-	NTP               *NTPOptions          `json:"ntp,omitempty"`
-	Inbounds          []Inbound            `json:"inbounds,omitempty"`
-	Outbounds         []Outbound           `json:"outbounds,omitempty"`
-	Route             *RouteOptions        `json:"route,omitempty"`
-	Experimental      *ExperimentalOptions `json:"experimental,omitempty"`
-	PlatformInterface platform.Interface   `json:"-"`
+	Schema       string               `json:"$schema,omitempty"`
+	Log          *LogOptions          `json:"log,omitempty"`
+	DNS          *DNSOptions          `json:"dns,omitempty"`
+	NTP          *NTPOptions          `json:"ntp,omitempty"`
+	Inbounds     []Inbound            `json:"inbounds,omitempty"`
+	Outbounds    []Outbound           `json:"outbounds,omitempty"`
+	Route        *RouteOptions        `json:"route,omitempty"`
+	Experimental *ExperimentalOptions `json:"experimental,omitempty"`
 }

 type Options _Options
--- a/option/platform.go
+++ b/option/platform.go
@@ -0,0 +1,104 @@
+package option
+
+import (
+	"github.com/sagernet/sing-box/common/json"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type OnDemandOptions struct {
+	Enabled bool           `json:"enabled,omitempty"`
+	Rules   []OnDemandRule `json:"rules,omitempty"`
+}
+
+type OnDemandRule struct {
+	Action                *OnDemandRuleAction        `json:"action,omitempty"`
+	DNSSearchDomainMatch  Listable[string]           `json:"dns_search_domain_match,omitempty"`
+	DNSServerAddressMatch Listable[string]           `json:"dns_server_address_match,omitempty"`
+	InterfaceTypeMatch    *OnDemandRuleInterfaceType `json:"interface_type_match,omitempty"`
+	SSIDMatch             Listable[string]           `json:"ssid_match,omitempty"`
+	ProbeURL              string                     `json:"probe_url,omitempty"`
+}
+
+type OnDemandRuleAction int
+
+func (r *OnDemandRuleAction) MarshalJSON() ([]byte, error) {
+	if r == nil {
+		return nil, nil
+	}
+	value := *r
+	var actionName string
+	switch value {
+	case 1:
+		actionName = "connect"
+	case 2:
+		actionName = "disconnect"
+	case 3:
+		actionName = "evaluate_connection"
+	default:
+		return nil, E.New("unknown action: ", value)
+	}
+	return json.Marshal(actionName)
+}
+
+func (r *OnDemandRuleAction) UnmarshalJSON(bytes []byte) error {
+	var actionName string
+	if err := json.Unmarshal(bytes, &actionName); err != nil {
+		return err
+	}
+	var actionValue int
+	switch actionName {
+	case "connect":
+		actionValue = 1
+	case "disconnect":
+		actionValue = 2
+	case "evaluate_connection":
+		actionValue = 3
+	case "ignore":
+		actionValue = 4
+	default:
+		return E.New("unknown action name: ", actionName)
+	}
+	*r = OnDemandRuleAction(actionValue)
+	return nil
+}
+
+type OnDemandRuleInterfaceType int
+
+func (r *OnDemandRuleInterfaceType) MarshalJSON() ([]byte, error) {
+	if r == nil {
+		return nil, nil
+	}
+	value := *r
+	var interfaceTypeName string
+	switch value {
+	case 1:
+		interfaceTypeName = "any"
+	case 2:
+		interfaceTypeName = "wifi"
+	case 3:
+		interfaceTypeName = "cellular"
+	default:
+		return nil, E.New("unknown interface type: ", value)
+	}
+	return json.Marshal(interfaceTypeName)
+}
+
+func (r *OnDemandRuleInterfaceType) UnmarshalJSON(bytes []byte) error {
+	var interfaceTypeName string
+	if err := json.Unmarshal(bytes, &interfaceTypeName); err != nil {
+		return err
+	}
+	var interfaceTypeValue int
+	switch interfaceTypeName {
+	case "any":
+		interfaceTypeValue = 1
+	case "wifi":
+		interfaceTypeValue = 2
+	case "cellular":
+		interfaceTypeValue = 3
+	default:
+		return E.New("unknown interface type name: ", interfaceTypeName)
+	}
+	*r = OnDemandRuleInterfaceType(interfaceTypeValue)
+	return nil
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	ce6d186345	Update documentation	2023-03-17 13:07:22 +08:00
世界	32bc4450a7	Update dependencies	2023-03-17 12:59:12 +08:00
世界	43f31b40ba	Update UoT protocol	2023-03-17 12:57:48 +08:00
世界	a3a5185b15	platform: Fix bytes format	2023-03-16 11:28:54 +08:00
世界	14a0f180c8	ios: Add `with_quic` tag in build	2023-03-16 11:28:54 +08:00
世界	cc9cb0b477	platform: Add oom killer	2023-03-16 11:28:54 +08:00
世界	2cb0e37f50	platform: Add low memory interface	2023-03-16 00:36:04 +08:00
世界	dbd5be55b0	tun: Create gVisor stack by default in Apple Network Extension	2023-03-15 21:50:18 +08:00
世界	f674b4fbd5	Fix build embed tor for mobile	2023-03-15 20:59:45 +08:00
世界	5a4e8fea81	Fix lint	2023-03-15 14:56:06 +08:00
世界	78e02b52ca	Update UoT protocol	2023-03-15 14:52:32 +08:00
世界	ffdaae90d7	Update dependencies	2023-03-15 11:59:15 +08:00
世界	c77681ea17	Fix close platform tun	2023-03-13 19:47:00 +08:00
世界	d824390167	Fix cross make build	2023-03-13 19:46:20 +08:00
世界	70cf681ff2	Remove length limit on short_id for reality TLS config	2023-03-13 19:46:16 +08:00
wwqgtxx	b004b9ec81	Fix stack wireguard device returning non-nil interface containing nil pointer	2023-03-13 19:46:16 +08:00
世界	657b05fd96	Print command to shell error	2023-03-13 19:46:16 +08:00
世界	caad60da45	Apply `--disable-color` to global logger	2023-03-13 11:23:00 +08:00
世界	7d22cf9b45	Support $schema in configuration file	2023-03-13 10:58:29 +08:00
世界	5cb178ca93	Update documentation	2023-03-12 23:07:38 +08:00
世界	16788008b6	Update dependencies	2023-03-12 23:07:24 +08:00
世界	6ec7a33046	Fix make install	2023-03-11 19:24:19 +08:00
世界	6af9c2b3ca	Add health check support for http-based v2ray transport	2023-03-11 15:49:02 +08:00
世界	bdc620dab1	Fix http server usage	2023-03-11 15:05:07 +08:00
世界	a88820af31	Fix missing default shadowtls version	2023-03-11 10:12:46 +08:00
世界	3688f2e114	Update documentation	2023-03-10 11:15:00 +08:00
世界	a183958d53	Update dependencies	2023-03-09 23:24:05 +08:00
世界	1c8a9e91b7	Generate version during compilation	2023-03-09 23:24:05 +08:00
世界	325f6c71ff	Fix windows interface monitor	2023-03-09 16:00:57 +08:00
世界	6c6c0792ad	Update reality and uTLS	2023-03-09 10:51:01 +08:00
世界	9264f2307c	Fix link broken in installation documentation page	2023-03-08 15:56:41 +08:00
世界	87dd328700	Fix build check	2023-03-08 15:23:46 +08:00
世界	0cec92dd0f	Update documentation	2023-03-08 14:59:09 +08:00
世界	e88afa9665	Fix vmess server buffer	2023-03-07 17:07:37 +08:00
世界	3883a81315	Check constant.Version before build release	2023-03-06 16:34:44 +08:00
Dmitry R	c919ad079a	systemd: Add reload command	2023-03-06 16:32:54 +08:00
世界	83593aee70	Fix vless read cache	2023-03-06 11:19:38 +08:00
世界	ac7cc09694	Update documentation	2023-03-05 23:37:12 +08:00
世界	d032e3568b	Update dependencies	2023-03-05 21:38:02 +08:00
世界	c24df037ac	Add documentation for tun platform options	2023-03-05 15:19:13 +08:00
世界	a2d43b3746	Fix open cache file	2023-03-05 14:57:50 +08:00
世界	5b3b74bd0f	Fix vision read	2023-03-05 14:57:50 +08:00
世界	d24d3b26dc	Fix uTLS randomized fingerprint	2023-03-05 14:57:50 +08:00
seiuneko	5db3cd7781	Fix documentation typo	2023-03-05 14:57:50 +08:00
世界	c88af8b081	Fix documentation	2023-03-05 14:57:50 +08:00
世界	45852ca3e7	Fix check config	2023-03-05 14:57:50 +08:00
Hellojack	03ce555104	Add generate commands	2023-03-05 11:21:32 +08:00
世界	dd0a07624e	Add stop platform command	2023-03-04 00:40:47 +08:00
世界	b9b2b77814	Add reload platform command	2023-03-03 21:59:54 +08:00
世界	2366835121	Fix close conn	2023-03-03 19:27:30 +08:00
database64128	42e1dea7d2	Update .gitignore	2023-03-03 18:51:33 +08:00
Ella Hollywood	13d7716b02	Fix documentation typo	2023-03-03 16:35:06 +08:00
世界	7ecb9fc738	Minor fixes	2023-03-03 16:31:07 +08:00
世界	19b15e0d10	Fix UoT UDP address	2023-03-03 11:34:51 +08:00
database64128	0b15de461b	Update tfo-go	2023-03-03 10:16:38 +08:00
世界	27aba99e6c	Fix command client connect	2023-03-02 16:40:28 +08:00
世界	8151bcfd6b	Add ios memory limit	2023-03-02 15:04:59 +08:00
世界	e8802357e1	Fix vless tests	2023-03-02 00:31:56 +08:00
世界	6e22c004f6	Improve server error handling	2023-03-02 00:18:35 +08:00
世界	20e1caa531	Fix custom tls server listener	2023-03-02 00:01:40 +08:00
世界	32ad3c3db3	Remove okhttp form modern fingerprint list	2023-03-01 21:17:30 +08:00
世界	1f5f8a7dde	Fixed user flow in vless server	2023-03-01 20:28:40 +08:00
世界	6da1460795	Fix geo resource download path	2023-03-01 19:09:21 +08:00
世界	b14ae51f71	Fix create badhttp2 server	2023-03-01 19:09:21 +08:00
世界	5af8d001ae	Refactor platform command api	2023-03-01 19:09:21 +08:00
世界	0ca344df5f	Fix uTLS ALPN	2023-02-28 21:16:31 +08:00
世界	49f568abbd	Separate uTLS random fingerprint	2023-02-28 21:10:11 +08:00
世界	3b4e811907	Add reality client fallback	2023-02-28 20:55:14 +08:00
世界	d0e9443031	Enable XUDP by default in VLESS	2023-02-28 20:52:26 +08:00
世界	f7e9d9ab1f	Fix check early conn	2023-02-28 20:16:15 +08:00
世界	7834d6bca7	Add tun platform options	2023-02-28 19:02:27 +08:00
世界	ed50257735	Add custom TLS server support for http based v2ray transports	2023-02-28 13:03:44 +08:00
世界	f15f525c5c	Merge tls interface to library	2023-02-28 11:30:46 +08:00
世界	e4bff0460d	Update vision protocol	2023-02-27 15:07:15 +08:00
世界	5ce3ddee9b	Add early conn interface	2023-02-26 23:08:20 +08:00
世界	22bf7a9509	Update reality server	2023-02-26 20:55:36 +08:00
世界	842730707c	Update TUN creation	2023-02-26 20:55:15 +08:00
世界	a8f13bd956	Fix documentation	2023-02-25 17:25:56 +08:00