documentation: Update changelog

Signed-off-by: Larvan2 <78135608+Larvan2@users.noreply.github.com>

.github/workflows/debug.yml

@@ -28,15 +28,9 @@ jobs:
         run: |
           echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ steps.version.outputs.go_version }}
-      - name: Cache go module
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go-${{ hashFiles('**/go.sum') }}
       - name: Add cache to Go proxy
         run: |
           version=`git rev-parse HEAD`
@@ -58,7 +52,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: 1.18.10
       - name: Cache go module
@@ -193,15 +187,9 @@ jobs:
         run: |
           echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ steps.version.outputs.go_version }}
-      - name: Cache go module
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go-${{ hashFiles('**/go.sum') }}
       - name: Build
         id: build
         run: make

.github/workflows/lint.yml

@@ -28,15 +28,9 @@ jobs:
         run: |
           echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ steps.version.outputs.go_version }}
-      - name: Cache go module
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go-${{ hashFiles('**/go.sum') }}
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:

.gitignore

@@ -12,3 +12,4 @@
 /*.aar
 /*.xcframework/
 .DS_Store
+/config.d/

.goreleaser.yaml

@@ -10,12 +10,13 @@ builds:
     gcflags:
       - all=-trimpath={{.Env.GOPATH}}
     ldflags:
-      - -s -w -buildid=
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
     tags:
       - with_gvisor
       - with_quic
       - with_wireguard
       - with_utls
+      - with_reality_server
       - with_clash_api
     env:
       - CGO_ENABLED=0
@@ -43,7 +44,7 @@ builds:
     gcflags:
       - all=-trimpath={{.Env.GOPATH}}
     ldflags:
-      - -s -w -buildid=
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
     tags:
       - with_gvisor
       - with_quic
@@ -116,9 +117,6 @@ nfpms:
         dst: /etc/systemd/system/sing-box@.service
       - src: LICENSE
         dst: /usr/share/licenses/sing-box/LICENSE
-    scripts:
-      postinstall: release/config/postinstall.sh
-      postremove: release/config/postremove.sh
 source:
   enabled: false
   name_template: '{{ .ProjectName }}-{{ .Version }}.source'

Dockerfile

@@ -8,9 +8,10 @@ ENV CGO_ENABLED=0
 RUN set -ex \
     && apk add git build-base \
     && export COMMIT=$(git rev-parse --short HEAD) \
-    && go build -v -trimpath -tags with_quic,with_wireguard,with_acme \
+    && export VERSION=$(go run ./cmd/internal/read_tag) \
+    && go build -v -trimpath -tags with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
         -o /go/bin/sing-box \
-        -ldflags "-s -w -buildid=" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
         ./cmd/sing-box
 FROM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"

LICENSE

@@ -11,4 +11,7 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with this program. If not, see <http://www.gnu.org/licenses/>.
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+In addition, no derivative work may use the name or imply association
+with this application without prior consent.

Makefile

@@ -2,8 +2,14 @@ NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
 TAGS ?= with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr
-PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-s -w -buildid="
+
+GOHOSTOS = $(shell go env GOHOSTOS)
+GOHOSTARCH = $(shell go env GOHOSTARCH)
+VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run ./cmd/internal/read_tag)
+
+PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
 MAIN = ./cmd/sing-box
+PREFIX ?= $(shell go env GOPATH)
 
 .PHONY: test release
 
@@ -11,12 +17,12 @@ build:
 	go build $(PARAMS) $(MAIN)
 
 install:
-	go install $(PARAMS) $(MAIN)
+	go build -o $(PREFIX)/bin/$(NAME) $(PARAMS) $(MAIN)
 
 fmt:
 	@gofumpt -l -w .
 	@gofmt -s -w .
-	@gci write --custom-order -s "standard,prefix(github.com/sagernet/),default" .
+	@gci write --custom-order -s standard -s "prefix(github.com/sagernet/)" -s "default" .
 
 fmt_install:
 	go install -v mvdan.cc/gofumpt@latest
@@ -71,13 +77,20 @@ test_stdio:
 	go mod tidy && \
 	go test -v -tags "$(TAGS_TEST),force_stdio" .
 
+android:
+	go run ./cmd/internal/build_libbox -target android
+
+ios:
+	go run ./cmd/internal/build_libbox -target ios
+
 lib:
-	go run ./cmd/internal/build_libbox
+	go run ./cmd/internal/build_libbox -target android
+	go run ./cmd/internal/build_libbox -target ios
 
 lib_install:
 	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20221130124640-349ebaa752ca
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20221130124640-349ebaa752ca
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230413023804-244d7ff07035
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230413023804-244d7ff07035
 
 clean:
 	rm -rf bin dist sing-box

README.md

@@ -2,10 +2,16 @@
 
 The universal proxy platform.
 
+[![Packaging status](https://repology.org/badge/vertical-allrepos/sing-box.svg)](https://repology.org/project/sing-box/versions)
+
 ## Documentation
 
 https://sing-box.sagernet.org
 
+## Support
+
+https://community.sagernet.org/c/sing-box/
+
 ## License
 
 ```
@@ -23,4 +29,7 @@ GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
 along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+In addition, no derivative work may use the name or imply association
+with this application without prior consent.
 ```

adapter/experimental.go

@@ -10,6 +10,7 @@ import (
 
 type ClashServer interface {
 	Service
+	PreStarter
 	Mode() string
 	StoreSelected() bool
 	CacheFile() ClashCacheFile

adapter/prestart.go

@@ -0,0 +1,15 @@
+package adapter
+
+type PreStarter interface {
+	PreStart() error
+}
+
+func PreStart(starter any) error {
+	if preService, ok := starter.(PreStarter); ok {
+		err := preService.PreStart()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

adapter/router.go

@@ -32,6 +32,7 @@ type Router interface {
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
 
 	InterfaceFinder() control.InterfaceFinder
+	UpdateInterfaces() error
 	DefaultInterface() string
 	AutoDetectInterface() bool
 	AutoDetectInterfaceFunc() control.Func

box.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/inbound"
@@ -25,84 +24,53 @@ import (
 var _ adapter.Service = (*Box)(nil)
 
 type Box struct {
-	createdAt   time.Time
-	router      adapter.Router
-	inbounds    []adapter.Inbound
-	outbounds   []adapter.Outbound
-	logFactory  log.Factory
-	logger      log.ContextLogger
-	logFile     *os.File
-	clashServer adapter.ClashServer
-	v2rayServer adapter.V2RayServer
-	done        chan struct{}
+	createdAt    time.Time
+	router       adapter.Router
+	inbounds     []adapter.Inbound
+	outbounds    []adapter.Outbound
+	logFactory   log.Factory
+	logger       log.ContextLogger
+	preServices  map[string]adapter.Service
+	postServices map[string]adapter.Service
+	done         chan struct{}
 }
 
-func New(ctx context.Context, options option.Options, platformInterface platform.Interface) (*Box, error) {
-	createdAt := time.Now()
-	logOptions := common.PtrValueOrDefault(options.Log)
+type Options struct {
+	option.Options
+	Context           context.Context
+	PlatformInterface platform.Interface
+}
 
+func New(options Options) (*Box, error) {
+	ctx := options.Context
+	if ctx == nil {
+		ctx = context.Background()
+	}
+	createdAt := time.Now()
+	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
+	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needClashAPI bool
 	var needV2RayAPI bool
-	if options.Experimental != nil {
-		if options.Experimental.ClashAPI != nil && options.Experimental.ClashAPI.ExternalController != "" {
-			needClashAPI = true
-		}
-		if options.Experimental.V2RayAPI != nil && options.Experimental.V2RayAPI.Listen != "" {
-			needV2RayAPI = true
-		}
+	if experimentalOptions.ClashAPI != nil && experimentalOptions.ClashAPI.ExternalController != "" {
+		needClashAPI = true
 	}
-
-	var logFactory log.Factory
-	var observableLogFactory log.ObservableFactory
-	var logFile *os.File
-	var logWriter io.Writer
-	if logOptions.Disabled {
-		observableLogFactory = log.NewNOPFactory()
-		logFactory = observableLogFactory
-	} else {
-		switch logOptions.Output {
-		case "":
-			if platformInterface != nil {
-				logWriter = io.Discard
-			} else {
-				logWriter = os.Stdout
-			}
-		case "stderr":
-			logWriter = os.Stderr
-		case "stdout":
-			logWriter = os.Stdout
-		default:
-			var err error
-			logFile, err = os.OpenFile(C.BasePath(logOptions.Output), os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
-			if err != nil {
-				return nil, err
-			}
-			logWriter = logFile
-		}
-		logFormatter := log.Formatter{
-			BaseTime:         createdAt,
-			DisableColors:    logOptions.DisableColor || logFile != nil,
-			DisableTimestamp: !logOptions.Timestamp && logFile != nil,
-			FullTimestamp:    logOptions.Timestamp,
-			TimestampFormat:  "-0700 2006-01-02 15:04:05",
-		}
-		if needClashAPI {
-			observableLogFactory = log.NewObservableFactory(logFormatter, logWriter, platformInterface)
-			logFactory = observableLogFactory
-		} else {
-			logFactory = log.NewFactory(logFormatter, logWriter, platformInterface)
-		}
-		if logOptions.Level != "" {
-			logLevel, err := log.ParseLevel(logOptions.Level)
-			if err != nil {
-				return nil, E.Cause(err, "parse log level")
-			}
-			logFactory.SetLevel(logLevel)
-		} else {
-			logFactory.SetLevel(log.LevelTrace)
-		}
+	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
+		needV2RayAPI = true
+	}
+	var defaultLogWriter io.Writer
+	if options.PlatformInterface != nil {
+		defaultLogWriter = io.Discard
+	}
+	logFactory, err := log.New(log.Options{
+		Options:        common.PtrValueOrDefault(options.Log),
+		Observable:     needClashAPI,
+		DefaultWriter:  defaultLogWriter,
+		BaseTime:       createdAt,
+		PlatformWriter: options.PlatformInterface,
+	})
+	if err != nil {
+		return nil, E.Cause(err, "create log factory")
 	}
-
 	router, err := route.NewRouter(
 		ctx,
 		logFactory,
@@ -110,7 +78,7 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 		common.PtrValueOrDefault(options.DNS),
 		common.PtrValueOrDefault(options.NTP),
 		options.Inbounds,
-		platformInterface,
+		options.PlatformInterface,
 	)
 	if err != nil {
 		return nil, E.Cause(err, "parse route options")
@@ -130,7 +98,7 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
 			inboundOptions,
-			platformInterface,
+			options.PlatformInterface,
 		)
 		if err != nil {
 			return nil, E.Cause(err, "parse inbound[", i, "]")
@@ -149,6 +117,7 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 			ctx,
 			router,
 			logFactory.NewLogger(F.ToString("outbound/", outboundOptions.Type, "[", tag, "]")),
+			tag,
 			outboundOptions)
 		if err != nil {
 			return nil, E.Cause(err, "parse outbound[", i, "]")
@@ -156,7 +125,7 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 		outbounds = append(outbounds, out)
 	}
 	err = router.Initialize(inbounds, outbounds, func() adapter.Outbound {
-		out, oErr := outbound.New(ctx, router, logFactory.NewLogger("outbound/direct"), option.Outbound{Type: "direct", Tag: "default"})
+		out, oErr := outbound.New(ctx, router, logFactory.NewLogger("outbound/direct"), "direct", option.Outbound{Type: "direct", Tag: "default"})
 		common.Must(oErr)
 		outbounds = append(outbounds, out)
 		return out
@@ -164,37 +133,62 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 	if err != nil {
 		return nil, err
 	}
-
-	var clashServer adapter.ClashServer
-	var v2rayServer adapter.V2RayServer
+	if options.PlatformInterface != nil {
+		err = options.PlatformInterface.Initialize(ctx, router)
+		if err != nil {
+			return nil, E.Cause(err, "initialize platform interface")
+		}
+	}
+	preServices := make(map[string]adapter.Service)
+	postServices := make(map[string]adapter.Service)
 	if needClashAPI {
-		clashServer, err = experimental.NewClashServer(router, observableLogFactory, common.PtrValueOrDefault(options.Experimental.ClashAPI))
+		clashServer, err := experimental.NewClashServer(router, logFactory.(log.ObservableFactory), common.PtrValueOrDefault(options.Experimental.ClashAPI))
 		if err != nil {
 			return nil, E.Cause(err, "create clash api server")
 		}
 		router.SetClashServer(clashServer)
+		preServices["clash api"] = clashServer
 	}
 	if needV2RayAPI {
-		v2rayServer, err = experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(options.Experimental.V2RayAPI))
+		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(options.Experimental.V2RayAPI))
 		if err != nil {
 			return nil, E.Cause(err, "create v2ray api server")
 		}
 		router.SetV2RayServer(v2rayServer)
+		preServices["v2ray api"] = v2rayServer
 	}
 	return &Box{
-		router:      router,
-		inbounds:    inbounds,
-		outbounds:   outbounds,
-		createdAt:   createdAt,
-		logFactory:  logFactory,
-		logger:      logFactory.Logger(),
-		logFile:     logFile,
-		clashServer: clashServer,
-		v2rayServer: v2rayServer,
-		done:        make(chan struct{}),
+		router:       router,
+		inbounds:     inbounds,
+		outbounds:    outbounds,
+		createdAt:    createdAt,
+		logFactory:   logFactory,
+		logger:       logFactory.Logger(),
+		preServices:  preServices,
+		postServices: postServices,
+		done:         make(chan struct{}),
 	}, nil
 }
 
+func (s *Box) PreStart() error {
+	err := s.preStart()
+	if err != nil {
+		// TODO: remove catch error
+		defer func() {
+			v := recover()
+			if v != nil {
+				log.Error(E.Cause(err, "origin error"))
+				debug.PrintStack()
+				panic("panic on early close: " + fmt.Sprint(v))
+			}
+		}()
+		s.Close()
+		return err
+	}
+	s.logger.Info("sing-box pre-started (", F.Seconds(time.Since(s.createdAt).Seconds()), "s)")
+	return nil
+}
+
 func (s *Box) Start() error {
 	err := s.start()
 	if err != nil {
@@ -208,55 +202,70 @@ func (s *Box) Start() error {
 			}
 		}()
 		s.Close()
+		return err
 	}
-	return err
+	s.logger.Info("sing-box started (", F.Seconds(time.Since(s.createdAt).Seconds()), "s)")
+	return nil
 }
 
-func (s *Box) start() error {
-	if s.clashServer != nil {
-		err := s.clashServer.Start()
+func (s *Box) preStart() error {
+	for serviceName, service := range s.preServices {
+		s.logger.Trace("pre-start ", serviceName)
+		err := adapter.PreStart(service)
 		if err != nil {
-			return E.Cause(err, "start clash api server")
-		}
-	}
-	if s.v2rayServer != nil {
-		err := s.v2rayServer.Start()
-		if err != nil {
-			return E.Cause(err, "start v2ray api server")
+			return E.Cause(err, "pre-starting ", serviceName)
 		}
 	}
 	for i, out := range s.outbounds {
+		var tag string
+		if out.Tag() == "" {
+			tag = F.ToString(i)
+		} else {
+			tag = out.Tag()
+		}
 		if starter, isStarter := out.(common.Starter); isStarter {
+			s.logger.Trace("initializing outbound/", out.Type(), "[", tag, "]")
 			err := starter.Start()
 			if err != nil {
-				var tag string
-				if out.Tag() == "" {
-					tag = F.ToString(i)
-				} else {
-					tag = out.Tag()
-				}
 				return E.Cause(err, "initialize outbound/", out.Type(), "[", tag, "]")
 			}
 		}
 	}
-	err := s.router.Start()
+	return s.router.Start()
+}
+
+func (s *Box) start() error {
+	err := s.preStart()
 	if err != nil {
 		return err
 	}
+	for serviceName, service := range s.preServices {
+		s.logger.Trace("starting ", serviceName)
+		err = service.Start()
+		if err != nil {
+			return E.Cause(err, "start ", serviceName)
+		}
+	}
 	for i, in := range s.inbounds {
+		var tag string
+		if in.Tag() == "" {
+			tag = F.ToString(i)
+		} else {
+			tag = in.Tag()
+		}
+		s.logger.Trace("initializing inbound/", in.Type(), "[", tag, "]")
 		err = in.Start()
 		if err != nil {
-			var tag string
-			if in.Tag() == "" {
-				tag = F.ToString(i)
-			} else {
-				tag = in.Tag()
-			}
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
-
-	s.logger.Info("sing-box started (", F.Seconds(time.Since(s.createdAt).Seconds()), "s)")
+	for serviceName, service := range s.postServices {
+		s.logger.Trace("starting ", service)
+		err = service.Start()
+		if err != nil {
+			return E.Cause(err, "start ", serviceName)
+		}
+	}
 	return nil
 }
 
@@ -268,41 +277,42 @@ func (s *Box) Close() error {
 		close(s.done)
 	}
 	var errors error
+	for serviceName, service := range s.postServices {
+		s.logger.Trace("closing ", serviceName)
+		errors = E.Append(errors, service.Close(), func(err error) error {
+			return E.Cause(err, "close ", serviceName)
+		})
+	}
 	for i, in := range s.inbounds {
+		s.logger.Trace("closing inbound/", in.Type(), "[", i, "]")
 		errors = E.Append(errors, in.Close(), func(err error) error {
 			return E.Cause(err, "close inbound/", in.Type(), "[", i, "]")
 		})
 	}
 	for i, out := range s.outbounds {
+		s.logger.Trace("closing outbound/", out.Type(), "[", i, "]")
 		errors = E.Append(errors, common.Close(out), func(err error) error {
-			return E.Cause(err, "close inbound/", out.Type(), "[", i, "]")
+			return E.Cause(err, "close outbound/", out.Type(), "[", i, "]")
 		})
 	}
+	s.logger.Trace("closing router")
 	if err := common.Close(s.router); err != nil {
 		errors = E.Append(errors, err, func(err error) error {
 			return E.Cause(err, "close router")
 		})
 	}
+	for serviceName, service := range s.preServices {
+		s.logger.Trace("closing ", serviceName)
+		errors = E.Append(errors, service.Close(), func(err error) error {
+			return E.Cause(err, "close ", serviceName)
+		})
+	}
+	s.logger.Trace("closing log factory")
 	if err := common.Close(s.logFactory); err != nil {
 		errors = E.Append(errors, err, func(err error) error {
 			return E.Cause(err, "close log factory")
 		})
 	}
-	if err := common.Close(s.clashServer); err != nil {
-		errors = E.Append(errors, err, func(err error) error {
-			return E.Cause(err, "close clash api server")
-		})
-	}
-	if err := common.Close(s.v2rayServer); err != nil {
-		errors = E.Append(errors, err, func(err error) error {
-			return E.Cause(err, "close v2ray api server")
-		})
-	}
-	if s.logFile != nil {
-		errors = E.Append(errors, s.logFile.Close(), func(err error) error {
-			return E.Cause(err, "close log file")
-		})
-	}
 	return errors
 }
 

cmd/internal/build/main.go

@@ -3,32 +3,18 @@ package main
 import (
 	"os"
 	"os/exec"
-	"strings"
 
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
 )
 
 func main() {
 	build_shared.FindSDK()
 
-	currentTag, err := common.Exec("git", "describe", "--tags", "--abbrev=0").Read()
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	currentTag = strings.TrimSpace(currentTag)
-
-	if "v"+C.Version != currentTag {
-		log.Fatal("version mismatch, update constant.Version (", C.Version, ")", " to ", currentTag[1:])
-	}
-
 	command := exec.Command(os.Args[1], os.Args[2:]...)
 	command.Stdout = os.Stdout
 	command.Stderr = os.Stderr
-	err = command.Run()
+	err := command.Run()
 	if err != nil {
 		log.Fatal(err)
 	}

cmd/internal/build_libbox/main.go

@@ -35,6 +35,23 @@ func main() {
 	}
 }
 
+var (
+	sharedFlags []string
+	debugFlags  []string
+)
+
+func init() {
+	sharedFlags = append(sharedFlags, "-trimpath")
+	sharedFlags = append(sharedFlags, "-ldflags")
+
+	currentTag, err := build_shared.ReadTag()
+	if err != nil {
+		currentTag = "unknown"
+	}
+	sharedFlags = append(sharedFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
+	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
+}
+
 func buildAndroid() {
 	build_shared.FindSDK()
 
@@ -46,14 +63,17 @@ func buildAndroid() {
 		"-libname=box",
 	}
 	if !debugEnabled {
-		args = append(args,
-			"-trimpath", "-ldflags=-s -w -buildid=",
-			"-tags", "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api",
-		)
+		args = append(args, sharedFlags...)
 	} else {
-		args = append(args, "-tags", "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api,debug")
+		args = append(args, debugFlags...)
 	}
 
+	args = append(args, "-tags")
+	if !debugEnabled {
+		args = append(args, "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api")
+	} else {
+		args = append(args, "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api,debug")
+	}
 	args = append(args, "./experimental/libbox")
 
 	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
@@ -84,14 +104,17 @@ func buildiOS() {
 		"-libname=box",
 	}
 	if !debugEnabled {
-		args = append(
-			args, "-trimpath", "-ldflags=-s -w -buildid=",
-			"-tags", "with_gvisor,with_utls,with_clash_api,with_conntrack",
-		)
+		args = append(args, sharedFlags...)
 	} else {
-		args = append(args, "-tags", "with_gvisor,with_utls,with_clash_api,with_conntrack,debug")
+		args = append(args, debugFlags...)
 	}
 
+	args = append(args, "-tags")
+	if !debugEnabled {
+		args = append(args, "with_gvisor,with_quic,with_utls,with_clash_api,with_low_memory,with_conntrack")
+	} else {
+		args = append(args, "with_gvisor,with_quic,with_utls,with_clash_api,with_low_memory,with_conntrack,debug")
+	}
 	args = append(args, "./experimental/libbox")
 
 	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)

cmd/internal/build_shared/tag.go

@@ -0,0 +1,16 @@
+package build_shared
+
+import "github.com/sagernet/sing/common/shell"
+
+func ReadTag() (string, error) {
+	currentTag, err := shell.Exec("git", "describe", "--tags").ReadOutput()
+	if err != nil {
+		return currentTag, err
+	}
+	currentTagRev, _ := shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput()
+	if currentTagRev == currentTag {
+		return currentTag[1:], nil
+	}
+	shortCommit, _ := shell.Exec("git", "rev-parse", "--short", "HEAD").ReadOutput()
+	return currentTagRev[1:] + "-" + shortCommit, nil
+}

cmd/internal/read_tag/main.go

@@ -0,0 +1,21 @@
+package main
+
+import (
+	"os"
+
+	"github.com/sagernet/sing-box/cmd/internal/build_shared"
+	"github.com/sagernet/sing-box/log"
+)
+
+func main() {
+	currentTag, err := build_shared.ReadTag()
+	if err != nil {
+		log.Error(err)
+		_, err = os.Stdout.WriteString("unknown\n")
+	} else {
+		_, err = os.Stdout.WriteString(currentTag + "\n")
+	}
+	if err != nil {
+		log.Error(err)
+	}
+}

cmd/sing-box/cmd_check.go

@@ -26,12 +26,15 @@ func init() {
 }
 
 func check() error {
-	options, err := readConfig()
+	options, err := readConfigAndMerge()
 	if err != nil {
 		return err
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	instance, err := box.New(ctx, options, nil)
+	instance, err := box.New(box.Options{
+		Context: ctx,
+		Options: options,
+	})
 	if err == nil {
 		instance.Close()
 	}

cmd/sing-box/cmd_format.go

@@ -33,6 +33,44 @@ func init() {
 }
 
 func format() error {
+	optionsList, err := readConfig()
+	if err != nil {
+		return err
+	}
+	for _, optionsEntry := range optionsList {
+		buffer := new(bytes.Buffer)
+		encoder := json.NewEncoder(buffer)
+		encoder.SetIndent("", "  ")
+		err = encoder.Encode(optionsEntry.options)
+		if err != nil {
+			return E.Cause(err, "encode config")
+		}
+		outputPath, _ := filepath.Abs(optionsEntry.path)
+		if !commandFormatFlagWrite {
+			if len(optionsList) > 1 {
+				os.Stdout.WriteString(outputPath + "\n")
+			}
+			os.Stdout.WriteString(buffer.String() + "\n")
+			continue
+		}
+		if bytes.Equal(optionsEntry.content, buffer.Bytes()) {
+			continue
+		}
+		output, err := os.Create(optionsEntry.path)
+		if err != nil {
+			return E.Cause(err, "open output")
+		}
+		_, err = output.Write(buffer.Bytes())
+		output.Close()
+		if err != nil {
+			return E.Cause(err, "write output")
+		}
+		os.Stderr.WriteString(outputPath + "\n")
+	}
+	return nil
+}
+
+func formatOne(configPath string) error {
 	configContent, err := os.ReadFile(configPath)
 	if err != nil {
 		return E.Cause(err, "read config")

cmd/sing-box/cmd_generate.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/sagernet/sing-box/log"
 
-	"github.com/gofrs/uuid"
+	"github.com/gofrs/uuid/v5"
 	"github.com/spf13/cobra"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )

cmd/sing-box/cmd_run.go

@@ -5,10 +5,15 @@ import (
 	"io"
 	"os"
 	"os/signal"
+	"path/filepath"
 	runtimeDebug "runtime/debug"
+	"sort"
+	"strings"
 	"syscall"
+	"time"
 
 	"github.com/sagernet/sing-box"
+	"github.com/sagernet/sing-box/common/badjsonmerge"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -31,29 +36,88 @@ func init() {
 	mainCommand.AddCommand(commandRun)
 }
 
-func readConfig() (option.Options, error) {
+type OptionsEntry struct {
+	content []byte
+	path    string
+	options option.Options
+}
+
+func readConfigAt(path string) (*OptionsEntry, error) {
 	var (
 		configContent []byte
 		err           error
 	)
-	if configPath == "stdin" {
+	if path == "stdin" {
 		configContent, err = io.ReadAll(os.Stdin)
 	} else {
-		configContent, err = os.ReadFile(configPath)
+		configContent, err = os.ReadFile(path)
 	}
 	if err != nil {
-		return option.Options{}, E.Cause(err, "read config")
+		return nil, E.Cause(err, "read config at ", path)
 	}
 	var options option.Options
 	err = options.UnmarshalJSON(configContent)
 	if err != nil {
-		return option.Options{}, E.Cause(err, "decode config")
+		return nil, E.Cause(err, "decode config at ", path)
 	}
-	return options, nil
+	return &OptionsEntry{
+		content: configContent,
+		path:    path,
+		options: options,
+	}, nil
+}
+
+func readConfig() ([]*OptionsEntry, error) {
+	var optionsList []*OptionsEntry
+	for _, path := range configPaths {
+		optionsEntry, err := readConfigAt(path)
+		if err != nil {
+			return nil, err
+		}
+		optionsList = append(optionsList, optionsEntry)
+	}
+	for _, directory := range configDirectories {
+		entries, err := os.ReadDir(directory)
+		if err != nil {
+			return nil, E.Cause(err, "read config directory at ", directory)
+		}
+		for _, entry := range entries {
+			if !strings.HasSuffix(entry.Name(), ".json") || entry.IsDir() {
+				continue
+			}
+			optionsEntry, err := readConfigAt(filepath.Join(directory, entry.Name()))
+			if err != nil {
+				return nil, err
+			}
+			optionsList = append(optionsList, optionsEntry)
+		}
+	}
+	sort.Slice(optionsList, func(i, j int) bool {
+		return optionsList[i].path < optionsList[j].path
+	})
+	return optionsList, nil
+}
+
+func readConfigAndMerge() (option.Options, error) {
+	optionsList, err := readConfig()
+	if err != nil {
+		return option.Options{}, err
+	}
+	if len(optionsList) == 1 {
+		return optionsList[0].options, nil
+	}
+	var mergedOptions option.Options
+	for _, options := range optionsList {
+		mergedOptions, err = badjsonmerge.MergeOptions(options.options, mergedOptions)
+		if err != nil {
+			return option.Options{}, E.Cause(err, "merge config at ", options.path)
+		}
+	}
+	return mergedOptions, nil
 }
 
 func create() (*box.Box, context.CancelFunc, error) {
-	options, err := readConfig()
+	options, err := readConfigAndMerge()
 	if err != nil {
 		return nil, nil, err
 	}
@@ -64,7 +128,10 @@ func create() (*box.Box, context.CancelFunc, error) {
 		options.Log.DisableColor = true
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	instance, err := box.New(ctx, options, nil)
+	instance, err := box.New(box.Options{
+		Context: ctx,
+		Options: options,
+	})
 	if err != nil {
 		cancel()
 		return nil, nil, E.Cause(err, "create service")
@@ -111,7 +178,10 @@ func run() error {
 				}
 			}
 			cancel()
+			closeCtx, closed := context.WithCancel(context.Background())
+			go closeMonitor(closeCtx)
 			instance.Close()
+			closed()
 			if osSignal != syscall.SIGHUP {
 				return nil
 			}
@@ -119,3 +189,13 @@ func run() error {
 		}
 	}
 }
+
+func closeMonitor(ctx context.Context) {
+	time.Sleep(3 * time.Second)
+	select {
+	case <-ctx.Done():
+		return
+	default:
+	}
+	log.Fatal("sing-box did not close!")
+}

cmd/sing-box/cmd_tools.go

@@ -0,0 +1,53 @@
+package main
+
+import (
+	"github.com/sagernet/sing-box"
+	E "github.com/sagernet/sing/common/exceptions"
+	N "github.com/sagernet/sing/common/network"
+
+	"github.com/spf13/cobra"
+)
+
+var commandToolsFlagOutbound string
+
+var commandTools = &cobra.Command{
+	Use:   "tools",
+	Short: "Experimental tools",
+}
+
+func init() {
+	commandTools.PersistentFlags().StringVarP(&commandToolsFlagOutbound, "outbound", "o", "", "Use specified tag instead of default outbound")
+	mainCommand.AddCommand(commandTools)
+}
+
+func createPreStartedClient() (*box.Box, error) {
+	options, err := readConfigAndMerge()
+	if err != nil {
+		return nil, err
+	}
+	instance, err := box.New(box.Options{Options: options})
+	if err != nil {
+		return nil, E.Cause(err, "create service")
+	}
+	err = instance.PreStart()
+	if err != nil {
+		return nil, E.Cause(err, "start service")
+	}
+	return instance, nil
+}
+
+func createDialer(instance *box.Box, network string, outboundTag string) (N.Dialer, error) {
+	if outboundTag == "" {
+		outbound := instance.Router().DefaultOutbound(N.NetworkName(network))
+		if outbound == nil {
+			return nil, E.New("missing default outbound")
+		}
+		return outbound, nil
+	} else {
+		outbound, loaded := instance.Router().Outbound(outboundTag)
+		if !loaded {
+			return nil, E.New("outbound not found: ", outboundTag)
+		}
+		return outbound, nil
+	}
+}

cmd/sing-box/cmd_tools_connect.go

@@ -0,0 +1,73 @@
+package main
+
+import (
+	"context"
+	"os"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/task"
+
+	"github.com/spf13/cobra"
+)
+
+var commandConnectFlagNetwork string
+
+var commandConnect = &cobra.Command{
+	Use:   "connect [address]",
+	Short: "Connect to an address",
+	Args:  cobra.ExactArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		err := connect(args[0])
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandConnect.Flags().StringVarP(&commandConnectFlagNetwork, "network", "n", "tcp", "network type")
+	commandTools.AddCommand(commandConnect)
+}
+
+func connect(address string) error {
+	switch N.NetworkName(commandConnectFlagNetwork) {
+	case N.NetworkTCP, N.NetworkUDP:
+	default:
+		return E.Cause(N.ErrUnknownNetwork, commandConnectFlagNetwork)
+	}
+	instance, err := createPreStartedClient()
+	if err != nil {
+		return err
+	}
+	defer instance.Close()
+	dialer, err := createDialer(instance, commandConnectFlagNetwork, commandToolsFlagOutbound)
+	if err != nil {
+		return err
+	}
+	conn, err := dialer.DialContext(context.Background(), commandConnectFlagNetwork, M.ParseSocksaddr(address))
+	if err != nil {
+		return E.Cause(err, "connect to server")
+	}
+	var group task.Group
+	group.Append("upload", func(ctx context.Context) error {
+		return common.Error(bufio.Copy(conn, os.Stdin))
+	})
+	group.Append("download", func(ctx context.Context) error {
+		return common.Error(bufio.Copy(os.Stdout, conn))
+	})
+	group.Cleanup(func() {
+		conn.Close()
+	})
+	err = group.Run(context.Background())
+	if E.IsClosed(err) {
+		log.Info(err)
+	} else {
+		log.Error(err)
+	}
+	return nil
+}

cmd/sing-box/cmd_tools_fetch.go

@@ -0,0 +1,91 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common/bufio"
+	M "github.com/sagernet/sing/common/metadata"
+
+	"github.com/spf13/cobra"
+)
+
+var commandFetch = &cobra.Command{
+	Use:   "fetch",
+	Short: "Fetch an URL",
+	Args:  cobra.MinimumNArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		err := fetch(args)
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandTools.AddCommand(commandFetch)
+}
+
+var httpClient *http.Client
+
+func fetch(args []string) error {
+	instance, err := createPreStartedClient()
+	if err != nil {
+		return err
+	}
+	defer instance.Close()
+	httpClient = &http.Client{
+		Transport: &http.Transport{
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				dialer, err := createDialer(instance, network, commandToolsFlagOutbound)
+				if err != nil {
+					return nil, err
+				}
+				return dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+			},
+			ForceAttemptHTTP2: true,
+		},
+	}
+	defer httpClient.CloseIdleConnections()
+	for _, urlString := range args {
+		parsedURL, err := url.Parse(urlString)
+		if err != nil {
+			return err
+		}
+		switch parsedURL.Scheme {
+		case "":
+			parsedURL.Scheme = "http"
+			fallthrough
+		case "http", "https":
+			err = fetchHTTP(parsedURL)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func fetchHTTP(parsedURL *url.URL) error {
+	request, err := http.NewRequest("GET", parsedURL.String(), nil)
+	if err != nil {
+		return err
+	}
+	request.Header.Add("User-Agent", "curl/7.88.0")
+	response, err := httpClient.Do(request)
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+	_, err = bufio.Copy(os.Stdout, response.Body)
+	if errors.Is(err, io.EOF) {
+		return nil
+	}
+	return err
+}

cmd/sing-box/cmd_tools_synctime.go

@@ -0,0 +1,69 @@
+package main
+
+import (
+	"context"
+	"os"
+
+	"github.com/sagernet/sing-box/common/settings"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	commandSyncTimeFlagServer   string
+	commandSyncTimeOutputFormat string
+	commandSyncTimeWrite        bool
+)
+
+var commandSyncTime = &cobra.Command{
+	Use:   "synctime",
+	Short: "Sync time using the NTP protocol",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := syncTime()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandSyncTime.Flags().StringVarP(&commandSyncTimeFlagServer, "server", "s", "time.apple.com", "Set NTP server")
+	commandSyncTime.Flags().StringVarP(&commandSyncTimeOutputFormat, "format", "f", C.TimeLayout, "Set output format")
+	commandSyncTime.Flags().BoolVarP(&commandSyncTimeWrite, "write", "w", false, "Write time to system")
+	commandTools.AddCommand(commandSyncTime)
+}
+
+func syncTime() error {
+	instance, err := createPreStartedClient()
+	if err != nil {
+		return err
+	}
+	dialer, err := createDialer(instance, N.NetworkUDP, commandToolsFlagOutbound)
+	if err != nil {
+		return err
+	}
+	defer instance.Close()
+	serverAddress := M.ParseSocksaddr(commandSyncTimeFlagServer)
+	if serverAddress.Port == 0 {
+		serverAddress.Port = 123
+	}
+	response, err := ntp.Exchange(context.Background(), dialer, serverAddress)
+	if err != nil {
+		return err
+	}
+	if commandSyncTimeWrite {
+		err = settings.SetSystemTime(response.Time)
+		if err != nil {
+			return E.Cause(err, "write time to system")
+		}
+	}
+	os.Stdout.WriteString(response.Time.Local().Format(commandSyncTimeOutputFormat))
+	return nil
+}

cmd/sing-box/debug.go

@@ -25,9 +25,9 @@ func init() {
 		runtime.ReadMemStats(&memStats)
 
 		var memObject badjson.JSONObject
-		memObject.Put("heap", humanize.Bytes(memStats.HeapInuse))
-		memObject.Put("stack", humanize.Bytes(memStats.StackInuse))
-		memObject.Put("idle", humanize.Bytes(memStats.HeapIdle-memStats.HeapReleased))
+		memObject.Put("heap", humanize.IBytes(memStats.HeapInuse))
+		memObject.Put("stack", humanize.IBytes(memStats.StackInuse))
+		memObject.Put("idle", humanize.IBytes(memStats.HeapIdle-memStats.HeapReleased))
 		memObject.Put("goroutines", runtime.NumGoroutine())
 		memObject.Put("rss", rusageMaxRSS())
 

cmd/sing-box/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"os"
+	"time"
 
 	_ "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
@@ -10,9 +11,10 @@ import (
 )
 
 var (
-	configPath   string
-	workingDir   string
-	disableColor bool
+	configPaths       []string
+	configDirectories []string
+	workingDir        string
+	disableColor      bool
 )
 
 var mainCommand = &cobra.Command{
@@ -21,7 +23,8 @@ var mainCommand = &cobra.Command{
 }
 
 func init() {
-	mainCommand.PersistentFlags().StringVarP(&configPath, "config", "c", "config.json", "set configuration file path")
+	mainCommand.PersistentFlags().StringArrayVarP(&configPaths, "config", "c", nil, "set configuration file path")
+	mainCommand.PersistentFlags().StringArrayVarP(&configDirectories, "config-directory", "C", nil, "set configuration directory path")
 	mainCommand.PersistentFlags().StringVarP(&workingDir, "directory", "D", "", "set working directory")
 	mainCommand.PersistentFlags().BoolVarP(&disableColor, "disable-color", "", false, "disable color output")
 }
@@ -33,9 +36,19 @@ func main() {
 }
 
 func preRun(cmd *cobra.Command, args []string) {
+	if disableColor {
+		log.SetStdLogger(log.NewFactory(log.Formatter{BaseTime: time.Now(), DisableColors: true}, os.Stderr, nil).Logger())
+	}
 	if workingDir != "" {
+		_, err := os.Stat(workingDir)
+		if err != nil {
+			os.MkdirAll(workingDir, 0o777)
+		}
 		if err := os.Chdir(workingDir); err != nil {
 			log.Fatal(err)
 		}
 	}
+	if len(configPaths) == 0 && len(configDirectories) == 0 {
+		configPaths = append(configPaths, "config.json")
+	}
 }

common/badjsonmerge/merge.go

@@ -0,0 +1,80 @@
+package badjsonmerge
+
+import (
+	"encoding/json"
+	"reflect"
+
+	"github.com/sagernet/sing-box/common/badjson"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func MergeOptions(source option.Options, destination option.Options) (option.Options, error) {
+	rawSource, err := json.Marshal(source)
+	if err != nil {
+		return option.Options{}, E.Cause(err, "marshal source")
+	}
+	rawDestination, err := json.Marshal(destination)
+	if err != nil {
+		return option.Options{}, E.Cause(err, "marshal destination")
+	}
+	rawMerged, err := MergeJSON(rawSource, rawDestination)
+	if err != nil {
+		return option.Options{}, E.Cause(err, "merge options")
+	}
+	var merged option.Options
+	err = json.Unmarshal(rawMerged, &merged)
+	if err != nil {
+		return option.Options{}, E.Cause(err, "unmarshal merged options")
+	}
+	return merged, nil
+}
+
+func MergeJSON(rawSource json.RawMessage, rawDestination json.RawMessage) (json.RawMessage, error) {
+	source, err := badjson.Decode(rawSource)
+	if err != nil {
+		return nil, E.Cause(err, "decode source")
+	}
+	destination, err := badjson.Decode(rawDestination)
+	if err != nil {
+		return nil, E.Cause(err, "decode destination")
+	}
+	merged, err := mergeJSON(source, destination)
+	if err != nil {
+		return nil, err
+	}
+	return json.Marshal(merged)
+}
+
+func mergeJSON(anySource any, anyDestination any) (any, error) {
+	switch destination := anyDestination.(type) {
+	case badjson.JSONArray:
+		switch source := anySource.(type) {
+		case badjson.JSONArray:
+			destination = append(destination, source...)
+		default:
+			destination = append(destination, source)
+		}
+		return destination, nil
+	case *badjson.JSONObject:
+		switch source := anySource.(type) {
+		case *badjson.JSONObject:
+			for _, entry := range source.Entries() {
+				oldValue, loaded := destination.Get(entry.Key)
+				if loaded {
+					var err error
+					entry.Value, err = mergeJSON(entry.Value, oldValue)
+					if err != nil {
+						return nil, E.Cause(err, "merge object item ", entry.Key)
+					}
+				}
+				destination.Put(entry.Key, entry.Value)
+			}
+		default:
+			return nil, E.New("cannot merge json object into ", reflect.TypeOf(destination))
+		}
+		return destination, nil
+	default:
+		return destination, nil
+	}
+}

common/badjsonmerge/merge_test.go

@@ -0,0 +1,59 @@
+package badjsonmerge
+
+import (
+	"testing"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	N "github.com/sagernet/sing/common/network"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestMergeJSON(t *testing.T) {
+	t.Parallel()
+	options := option.Options{
+		Log: &option.LogOptions{
+			Level: "info",
+		},
+		Route: &option.RouteOptions{
+			Rules: []option.Rule{
+				{
+					Type: C.RuleTypeDefault,
+					DefaultOptions: option.DefaultRule{
+						Network:  N.NetworkTCP,
+						Outbound: "direct",
+					},
+				},
+			},
+		},
+	}
+	anotherOptions := option.Options{
+		Outbounds: []option.Outbound{
+			{
+				Type: C.TypeDirect,
+				Tag:  "direct",
+			},
+		},
+	}
+	thirdOptions := option.Options{
+		Route: &option.RouteOptions{
+			Rules: []option.Rule{
+				{
+					Type: C.RuleTypeDefault,
+					DefaultOptions: option.DefaultRule{
+						Network:  N.NetworkUDP,
+						Outbound: "direct",
+					},
+				},
+			},
+		},
+	}
+	mergeOptions, err := MergeOptions(options, anotherOptions)
+	require.NoError(t, err)
+	mergeOptions, err = MergeOptions(thirdOptions, mergeOptions)
+	require.NoError(t, err)
+	require.Equal(t, "info", mergeOptions.Log.Level)
+	require.Equal(t, 2, len(mergeOptions.Route.Rules))
+	require.Equal(t, C.TypeDirect, mergeOptions.Outbounds[0].Type)
+}

common/badtls/badtls.go

@@ -1,4 +1,4 @@
-//go:build go1.19 && !go1.20
+//go:build go1.20 && !go1.21
 
 package badtls
 
@@ -14,39 +14,60 @@ import (
 	"sync/atomic"
 	"unsafe"
 
+	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
+	aTLS "github.com/sagernet/sing/common/tls"
 )
 
 type Conn struct {
 	*tls.Conn
-	writer           N.ExtendedWriter
-	activeCall       *int32
-	closeNotifySent  *bool
-	version          *uint16
-	rand             io.Reader
-	halfAccess       *sync.Mutex
-	halfError        *error
-	cipher           cipher.AEAD
-	explicitNonceLen int
-	halfPtr          uintptr
-	halfSeq          []byte
-	halfScratchBuf   []byte
+	writer              N.ExtendedWriter
+	isHandshakeComplete *atomic.Bool
+	activeCall          *atomic.Int32
+	closeNotifySent     *bool
+	version             *uint16
+	rand                io.Reader
+	halfAccess          *sync.Mutex
+	halfError           *error
+	cipher              cipher.AEAD
+	explicitNonceLen    int
+	halfPtr             uintptr
+	halfSeq             []byte
+	halfScratchBuf      []byte
 }
 
-func Create(conn *tls.Conn) (TLSConn, error) {
-	if !handshakeComplete(conn) {
+func TryCreate(conn aTLS.Conn) aTLS.Conn {
+	tlsConn, ok := conn.(*tls.Conn)
+	if !ok {
+		return conn
+	}
+	badConn, err := Create(tlsConn)
+	if err != nil {
+		log.Warn("initialize badtls: ", err)
+		return conn
+	}
+	return badConn
+}
+
+func Create(conn *tls.Conn) (aTLS.Conn, error) {
+	rawConn := reflect.Indirect(reflect.ValueOf(conn))
+	rawIsHandshakeComplete := rawConn.FieldByName("isHandshakeComplete")
+	if !rawIsHandshakeComplete.IsValid() || rawIsHandshakeComplete.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid isHandshakeComplete")
+	}
+	isHandshakeComplete := (*atomic.Bool)(unsafe.Pointer(rawIsHandshakeComplete.UnsafeAddr()))
+	if !isHandshakeComplete.Load() {
 		return nil, E.New("handshake not finished")
 	}
-	rawConn := reflect.Indirect(reflect.ValueOf(conn))
 	rawActiveCall := rawConn.FieldByName("activeCall")
-	if !rawActiveCall.IsValid() || rawActiveCall.Kind() != reflect.Int32 {
+	if !rawActiveCall.IsValid() || rawActiveCall.Kind() != reflect.Struct {
 		return nil, E.New("badtls: invalid active call")
 	}
-	activeCall := (*int32)(unsafe.Pointer(rawActiveCall.UnsafeAddr()))
+	activeCall := (*atomic.Int32)(unsafe.Pointer(rawActiveCall.UnsafeAddr()))
 	rawHalfConn := rawConn.FieldByName("out")
 	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
 		return nil, E.New("badtls: invalid half conn")
@@ -108,19 +129,20 @@ func Create(conn *tls.Conn) (TLSConn, error) {
 	}
 	halfScratchBuf := rawHalfScratchBuf.Bytes()
 	return &Conn{
-		Conn:             conn,
-		writer:           bufio.NewExtendedWriter(conn.NetConn()),
-		activeCall:       activeCall,
-		closeNotifySent:  closeNotifySent,
-		version:          version,
-		halfAccess:       halfAccess,
-		halfError:        halfError,
-		cipher:           aeadCipher,
-		explicitNonceLen: explicitNonceLen,
-		rand:             randReader,
-		halfPtr:          rawHalfConn.UnsafeAddr(),
-		halfSeq:          halfSeq,
-		halfScratchBuf:   halfScratchBuf,
+		Conn:                conn,
+		writer:              bufio.NewExtendedWriter(conn.NetConn()),
+		isHandshakeComplete: isHandshakeComplete,
+		activeCall:          activeCall,
+		closeNotifySent:     closeNotifySent,
+		version:             version,
+		halfAccess:          halfAccess,
+		halfError:           halfError,
+		cipher:              aeadCipher,
+		explicitNonceLen:    explicitNonceLen,
+		rand:                randReader,
+		halfPtr:             rawHalfConn.UnsafeAddr(),
+		halfSeq:             halfSeq,
+		halfScratchBuf:      halfScratchBuf,
 	}, nil
 }
 
@@ -130,15 +152,15 @@ func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
 		return common.Error(c.Write(buffer.Bytes()))
 	}
 	for {
-		x := atomic.LoadInt32(c.activeCall)
+		x := c.activeCall.Load()
 		if x&1 != 0 {
 			return net.ErrClosed
 		}
-		if atomic.CompareAndSwapInt32(c.activeCall, x, x+2) {
+		if c.activeCall.CompareAndSwap(x, x+2) {
 			break
 		}
 	}
-	defer atomic.AddInt32(c.activeCall, -2)
+	defer c.activeCall.Add(-2)
 	c.halfAccess.Lock()
 	defer c.halfAccess.Unlock()
 	if err := *c.halfError; err != nil {
@@ -186,6 +208,7 @@ func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
 		binary.BigEndian.PutUint16(outBuf[3:], uint16(dataLen+c.explicitNonceLen+c.cipher.Overhead()))
 	}
 	incSeq(c.halfPtr)
+	log.Trace("badtls write ", buffer.Len())
 	return c.writer.WriteBuffer(buffer)
 }
 

common/badtls/badtls_stub.go

@@ -1,4 +1,4 @@
-//go:build !go1.19 || go1.20
+//go:build !go1.19 || go1.21
 
 package badtls
 

common/badtls/conn.go

@@ -1,13 +0,0 @@
-package badtls
-
-import (
-	"context"
-	"crypto/tls"
-	"net"
-)
-
-type TLSConn interface {
-	net.Conn
-	HandshakeContext(ctx context.Context) error
-	ConnectionState() tls.ConnectionState
-}

common/badtls/link.go

@@ -1,9 +1,8 @@
-//go:build go1.19 && !go.1.20
+//go:build go1.20 && !go.1.21
 
 package badtls
 
 import (
-	"crypto/tls"
 	"reflect"
 	_ "unsafe"
 )
@@ -16,9 +15,6 @@ const (
 //go:linkname errShutdown crypto/tls.errShutdown
 var errShutdown error
 
-//go:linkname handshakeComplete crypto/tls.(*Conn).handshakeComplete
-func handshakeComplete(conn *tls.Conn) bool
-
 //go:linkname incSeq crypto/tls.(*halfConn).incSeq
 func incSeq(conn uintptr)
 

common/canceler/instance.go

@@ -1,48 +0,0 @@
-package canceler
-
-import (
-	"context"
-	"time"
-)
-
-type Instance struct {
-	ctx        context.Context
-	cancelFunc context.CancelFunc
-	timer      *time.Timer
-	timeout    time.Duration
-}
-
-func New(ctx context.Context, cancelFunc context.CancelFunc, timeout time.Duration) *Instance {
-	instance := &Instance{
-		ctx,
-		cancelFunc,
-		time.NewTimer(timeout),
-		timeout,
-	}
-	go instance.wait()
-	return instance
-}
-
-func (i *Instance) Update() bool {
-	if !i.timer.Stop() {
-		return false
-	}
-	if !i.timer.Reset(i.timeout) {
-		return false
-	}
-	return true
-}
-
-func (i *Instance) wait() {
-	select {
-	case <-i.timer.C:
-	case <-i.ctx.Done():
-	}
-	i.Close()
-}
-
-func (i *Instance) Close() error {
-	i.timer.Stop()
-	i.cancelFunc()
-	return nil
-}

common/canceler/packet.go

@@ -1,49 +0,0 @@
-package canceler
-
-import (
-	"context"
-	"time"
-
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type PacketConn struct {
-	N.PacketConn
-	instance *Instance
-}
-
-func NewPacketConn(ctx context.Context, conn N.PacketConn, timeout time.Duration) (context.Context, N.PacketConn) {
-	ctx, cancel := context.WithCancel(ctx)
-	instance := New(ctx, cancel, timeout)
-	return ctx, &PacketConn{conn, instance}
-}
-
-func (c *PacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
-	destination, err = c.PacketConn.ReadPacket(buffer)
-	if err == nil {
-		c.instance.Update()
-	}
-	return
-}
-
-func (c *PacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	err := c.PacketConn.WritePacket(buffer, destination)
-	if err == nil {
-		c.instance.Update()
-	}
-	return err
-}
-
-func (c *PacketConn) Close() error {
-	return common.Close(
-		c.PacketConn,
-		c.instance,
-	)
-}
-
-func (c *PacketConn) Upstream() any {
-	return c.PacketConn
-}

common/dialer/conntrack/conn.go

@@ -1,29 +1,32 @@
 package conntrack
 
 import (
+	"io"
 	"net"
-	"runtime/debug"
 
 	"github.com/sagernet/sing/common/x/list"
 )
 
 type Conn struct {
 	net.Conn
-	element *list.Element[*ConnEntry]
+	element *list.Element[io.Closer]
 }
 
-func NewConn(conn net.Conn) *Conn {
-	entry := &ConnEntry{
-		Conn:  conn,
-		Stack: debug.Stack(),
-	}
+func NewConn(conn net.Conn) (net.Conn, error) {
 	connAccess.Lock()
-	element := openConnection.PushBack(entry)
+	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
+	if KillerEnabled {
+		err := killerCheck()
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+	}
 	return &Conn{
 		Conn:    conn,
 		element: element,
-	}
+	}, nil
 }
 
 func (c *Conn) Close() error {

common/dialer/conntrack/killer.go

@@ -0,0 +1,38 @@
+package conntrack
+
+import (
+	"runtime"
+	runtimeDebug "runtime/debug"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+var (
+	KillerEnabled   bool
+	MemoryLimit     int64
+	killerLastCheck time.Time
+)
+
+func killerCheck() error {
+	if !KillerEnabled {
+		return nil
+	}
+	nowTime := time.Now()
+	if nowTime.Sub(killerLastCheck) < 3*time.Second {
+		return nil
+	}
+	killerLastCheck = nowTime
+	var memStats runtime.MemStats
+	runtime.ReadMemStats(&memStats)
+	inuseMemory := int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
+	if inuseMemory > MemoryLimit {
+		Close()
+		go func() {
+			time.Sleep(time.Second)
+			runtimeDebug.FreeOSMemory()
+		}()
+		return E.New("out of memory")
+	}
+	return nil
+}

common/dialer/conntrack/packet_conn.go

@@ -1,29 +1,32 @@
 package conntrack
 
 import (
+	"io"
 	"net"
-	"runtime/debug"
 
 	"github.com/sagernet/sing/common/x/list"
 )
 
 type PacketConn struct {
 	net.PacketConn
-	element *list.Element[*ConnEntry]
+	element *list.Element[io.Closer]
 }
 
-func NewPacketConn(conn net.PacketConn) *PacketConn {
-	entry := &ConnEntry{
-		Conn:  conn,
-		Stack: debug.Stack(),
-	}
+func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
 	connAccess.Lock()
-	element := openConnection.PushBack(entry)
+	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
+	if KillerEnabled {
+		err := killerCheck()
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+	}
 	return &PacketConn{
 		PacketConn: conn,
 		element:    element,
-	}
+	}, nil
 }
 
 func (c *PacketConn) Close() error {

common/dialer/conntrack/track.go

@@ -10,22 +10,23 @@ import (
 
 var (
 	connAccess     sync.RWMutex
-	openConnection list.List[*ConnEntry]
+	openConnection list.List[io.Closer]
 )
 
-type ConnEntry struct {
-	Conn  io.Closer
-	Stack []byte
-}
-
 func Count() int {
+	if !Enabled {
+		return 0
+	}
 	return openConnection.Len()
 }
 
-func List() []*ConnEntry {
+func List() []io.Closer {
+	if !Enabled {
+		return nil
+	}
 	connAccess.RLock()
 	defer connAccess.RUnlock()
-	connList := make([]*ConnEntry, 0, openConnection.Len())
+	connList := make([]io.Closer, 0, openConnection.Len())
 	for element := openConnection.Front(); element != nil; element = element.Next() {
 		connList = append(connList, element.Value)
 	}
@@ -33,11 +34,14 @@ func List() []*ConnEntry {
 }
 
 func Close() {
+	if !Enabled {
+		return
+	}
 	connAccess.Lock()
 	defer connAccess.Unlock()
 	for element := openConnection.Front(); element != nil; element = element.Next() {
-		common.Close(element.Value.Conn)
+		common.Close(element.Value)
 		element.Value = nil
 	}
-	openConnection = list.List[*ConnEntry]{}
+	openConnection.Init()
 }

common/dialer/default.go

@@ -7,7 +7,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer/conntrack"
-	"github.com/sagernet/sing-box/common/warning"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/control"
@@ -17,41 +16,6 @@ import (
 	"github.com/sagernet/tfo-go"
 )
 
-var warnBindInterfaceOnUnsupportedPlatform = warning.New(
-	func() bool {
-		return !(C.IsLinux || C.IsWindows || C.IsDarwin)
-	},
-	"outbound option `bind_interface` is only supported on Linux and Windows",
-)
-
-var warnRoutingMarkOnUnsupportedPlatform = warning.New(
-	func() bool {
-		return !C.IsLinux
-	},
-	"outbound option `routing_mark` is only supported on Linux",
-)
-
-var warnReuseAdderOnUnsupportedPlatform = warning.New(
-	func() bool {
-		return !(C.IsDarwin || C.IsDragonfly || C.IsFreebsd || C.IsLinux || C.IsNetbsd || C.IsOpenbsd || C.IsSolaris || C.IsWindows)
-	},
-	"outbound option `reuse_addr` is unsupported on current platform",
-)
-
-var warnProtectPathOnNonAndroid = warning.New(
-	func() bool {
-		return !C.IsAndroid
-	},
-	"outbound option `protect_path` is only supported on Android",
-)
-
-var warnTFOOnUnsupportedPlatform = warning.New(
-	func() bool {
-		return !(C.IsDarwin || C.IsFreebsd || C.IsLinux || C.IsWindows)
-	},
-	"outbound option `tcp_fast_open` is unsupported on current platform",
-)
-
 type DefaultDialer struct {
 	dialer4     tfo.Dialer
 	dialer6     tfo.Dialer
@@ -66,7 +30,6 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
-		warnBindInterfaceOnUnsupportedPlatform.Check()
 		bindFunc := control.BindToInterface(router.InterfaceFinder(), options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
@@ -80,7 +43,6 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
 	if options.RoutingMark != 0 {
-		warnRoutingMarkOnUnsupportedPlatform.Check()
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(options.RoutingMark))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(options.RoutingMark))
 	} else if router.DefaultMark() != 0 {
@@ -88,11 +50,9 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 		listener.Control = control.Append(listener.Control, control.RoutingMark(router.DefaultMark()))
 	}
 	if options.ReuseAddr {
-		warnReuseAdderOnUnsupportedPlatform.Check()
 		listener.Control = control.Append(listener.Control, control.ReuseAddr())
 	}
 	if options.ProtectPath != "" {
-		warnProtectPathOnNonAndroid.Check()
 		dialer.Control = control.Append(dialer.Control, control.ProtectPath(options.ProtectPath))
 		listener.Control = control.Append(listener.Control, control.ProtectPath(options.ProtectPath))
 	}
@@ -101,9 +61,6 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 	} else {
 		dialer.Timeout = C.TCPTimeout
 	}
-	if options.TCPFastOpen {
-		warnTFOOnUnsupportedPlatform.Check()
-	}
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment
@@ -154,9 +111,9 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 	switch N.NetworkName(network) {
 	case N.NetworkUDP:
 		if !address.IsIPv6() {
-			return d.udpDialer4.DialContext(ctx, network, address.String())
+			return trackConn(d.udpDialer4.DialContext(ctx, network, address.String()))
 		} else {
-			return d.udpDialer6.DialContext(ctx, network, address.String())
+			return trackConn(d.udpDialer6.DialContext(ctx, network, address.String()))
 		}
 	}
 	if !address.IsIPv6() {
@@ -178,12 +135,12 @@ func trackConn(conn net.Conn, err error) (net.Conn, error) {
 	if !conntrack.Enabled || err != nil {
 		return conn, err
 	}
-	return conntrack.NewConn(conn), nil
+	return conntrack.NewConn(conn)
 }
 
 func trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
 	if !conntrack.Enabled || err != nil {
 		return conn, err
 	}
-	return conntrack.NewPacketConn(conn), nil
+	return conntrack.NewPacketConn(conn)
 }

common/dialer/resolve.go

@@ -9,6 +9,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-dns"
+	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -68,11 +69,11 @@ func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	if err != nil {
 		return nil, err
 	}
-	conn, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
+	conn, destinationAddress, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
 	if err != nil {
 		return nil, err
 	}
-	return NewResolvePacketConn(ctx, d.router, d.strategy, conn), nil
+	return bufio.NewNATPacketConn(bufio.NewPacketConn(conn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
 }
 
 func (d *ResolveDialer) Upstream() any {

common/dialer/resolve_conn.go

@@ -1,84 +0,0 @@
-package dialer
-
-import (
-	"context"
-	"net"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func NewResolvePacketConn(ctx context.Context, router adapter.Router, strategy dns.DomainStrategy, conn net.PacketConn) N.NetPacketConn {
-	if udpConn, ok := conn.(*net.UDPConn); ok {
-		return &ResolveUDPConn{udpConn, ctx, router, strategy}
-	} else {
-		return &ResolvePacketConn{conn, ctx, router, strategy}
-	}
-}
-
-type ResolveUDPConn struct {
-	*net.UDPConn
-	ctx      context.Context
-	router   adapter.Router
-	strategy dns.DomainStrategy
-}
-
-func (w *ResolveUDPConn) ReadPacket(buffer *buf.Buffer) (M.Socksaddr, error) {
-	n, addr, err := w.ReadFromUDPAddrPort(buffer.FreeBytes())
-	if err != nil {
-		return M.Socksaddr{}, err
-	}
-	buffer.Truncate(n)
-	return M.SocksaddrFromNetIP(addr), nil
-}
-
-func (w *ResolveUDPConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	defer buffer.Release()
-	if destination.IsFqdn() {
-		addresses, err := w.router.Lookup(w.ctx, destination.Fqdn, w.strategy)
-		if err != nil {
-			return err
-		}
-		return common.Error(w.UDPConn.WriteToUDPAddrPort(buffer.Bytes(), M.SocksaddrFrom(addresses[0], destination.Port).AddrPort()))
-	}
-	return common.Error(w.UDPConn.WriteToUDPAddrPort(buffer.Bytes(), destination.AddrPort()))
-}
-
-func (w *ResolveUDPConn) Upstream() any {
-	return w.UDPConn
-}
-
-type ResolvePacketConn struct {
-	net.PacketConn
-	ctx      context.Context
-	router   adapter.Router
-	strategy dns.DomainStrategy
-}
-
-func (w *ResolvePacketConn) ReadPacket(buffer *buf.Buffer) (M.Socksaddr, error) {
-	_, addr, err := buffer.ReadPacketFrom(w)
-	if err != nil {
-		return M.Socksaddr{}, err
-	}
-	return M.SocksaddrFromNet(addr), err
-}
-
-func (w *ResolvePacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	defer buffer.Release()
-	if destination.IsFqdn() {
-		addresses, err := w.router.Lookup(w.ctx, destination.Fqdn, w.strategy)
-		if err != nil {
-			return err
-		}
-		return common.Error(w.WriteTo(buffer.Bytes(), M.SocksaddrFrom(addresses[0], destination.Port).UDPAddr()))
-	}
-	return common.Error(w.WriteTo(buffer.Bytes(), destination.UDPAddr()))
-}
-
-func (w *ResolvePacketConn) Upstream() any {
-	return w.PacketConn
-}

common/dialer/tfo.go

@@ -119,6 +119,10 @@ func (c *slowOpenConn) LazyHeadroom() bool {
 	return c.conn == nil
 }
 
+func (c *slowOpenConn) NeedHandshake() bool {
+	return c.conn == nil
+}
+
 func (c *slowOpenConn) ReadFrom(r io.Reader) (n int64, err error) {
 	if c.conn != nil {
 		return bufio.Copy(c.conn, r)

common/mux/client.go

@@ -249,6 +249,10 @@ func (c *ClientConn) WriterReplaceable() bool {
 	return c.requestWrite
 }
 
+func (c *ClientConn) NeedAdditionalReadDeadline() bool {
+	return true
+}
+
 func (c *ClientConn) Upstream() any {
 	return c.Conn
 }
@@ -377,6 +381,10 @@ func (c *ClientPacketConn) RemoteAddr() net.Addr {
 	return c.destination.UDPAddr()
 }
 
+func (c *ClientPacketConn) NeedAdditionalReadDeadline() bool {
+	return true
+}
+
 func (c *ClientPacketConn) Upstream() any {
 	return c.ExtendedConn
 }
@@ -413,7 +421,11 @@ func (c *ClientPacketAddrConn) ReadFrom(p []byte) (n int, addr net.Addr, err err
 	if err != nil {
 		return
 	}
-	addr = destination.UDPAddr()
+	if destination.IsFqdn() {
+		addr = destination
+	} else {
+		addr = destination.UDPAddr()
+	}
 	var length uint16
 	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
 	if err != nil {
@@ -514,6 +526,10 @@ func (c *ClientPacketAddrConn) FrontHeadroom() int {
 	return 2 + M.MaxSocksaddrLength
 }
 
+func (c *ClientPacketAddrConn) NeedAdditionalReadDeadline() bool {
+	return true
+}
+
 func (c *ClientPacketAddrConn) Upstream() any {
 	return c.ExtendedConn
 }

common/mux/service.go

@@ -131,6 +131,10 @@ func (c *ServerConn) FrontHeadroom() int {
 	return 0
 }
 
+func (c *ServerConn) NeedAdditionalReadDeadline() bool {
+	return true
+}
+
 func (c *ServerConn) Upstream() any {
 	return c.ExtendedConn
 }
@@ -183,6 +187,10 @@ func (c *ServerPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksad
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 
+func (c *ServerPacketConn) NeedAdditionalReadDeadline() bool {
+	return true
+}
+
 func (c *ServerPacketConn) Upstream() any {
 	return c.ExtendedConn
 }
@@ -245,6 +253,10 @@ func (c *ServerPacketAddrConn) WritePacket(buffer *buf.Buffer, destination M.Soc
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 
+func (c *ServerPacketAddrConn) NeedAdditionalReadDeadline() bool {
+	return true
+}
+
 func (c *ServerPacketAddrConn) Upstream() any {
 	return c.ExtendedConn
 }

common/process/searcher.go

@@ -3,10 +3,12 @@ package process
 import (
 	"context"
 	"net/netip"
+	"os/user"
 
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 )
 
 type Searcher interface {
@@ -28,5 +30,15 @@ type Info struct {
 }
 
 func FindProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	return findProcessInfo(searcher, ctx, network, source, destination)
+	info, err := searcher.FindProcessInfo(ctx, network, source, destination)
+	if err != nil {
+		return nil, err
+	}
+	if info.UserId != -1 {
+		osUser, _ := user.LookupId(F.ToString(info.UserId))
+		if osUser != nil {
+			info.User = osUser.Username
+		}
+	}
+	return info, nil
 }

common/process/searcher_with_name.go

@@ -1,25 +0,0 @@
-//go:build linux && !android
-
-package process
-
-import (
-	"context"
-	"net/netip"
-	"os/user"
-
-	F "github.com/sagernet/sing/common/format"
-)
-
-func findProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	info, err := searcher.FindProcessInfo(ctx, network, source, destination)
-	if err != nil {
-		return nil, err
-	}
-	if info.UserId != -1 {
-		osUser, _ := user.LookupId(F.ToString(info.UserId))
-		if osUser != nil {
-			info.User = osUser.Username
-		}
-	}
-	return info, nil
-}

common/process/searcher_without_name.go

@@ -1,12 +0,0 @@
-//go:build !linux || android
-
-package process
-
-import (
-	"context"
-	"net/netip"
-)
-
-func findProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	return searcher.FindProcessInfo(ctx, network, source, destination)
-}

common/settings/proxy_android.go

@@ -6,8 +6,8 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/common/shell"
 )
 
 var (
@@ -26,9 +26,9 @@ func init() {
 
 func runAndroidShell(name string, args ...string) error {
 	if !useRish {
-		return common.Exec(name, args...).Attach().Run()
+		return shell.Exec(name, args...).Attach().Run()
 	} else {
-		return common.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return shell.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	}
 }
 

common/settings/proxy_darwin.go

@@ -6,9 +6,9 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
 )
 
@@ -34,13 +34,13 @@ func (p *systemProxy) update(event int) error {
 		return err
 	}
 	if p.isMixed {
-		err = common.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	if err == nil {
-		err = common.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	if err == nil {
-		err = common.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	return err
 }
@@ -51,19 +51,19 @@ func (p *systemProxy) unset() error {
 		return err
 	}
 	if p.isMixed {
-		err = common.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
+		err = shell.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
-		err = common.Exec("networksetup", "-setwebproxystate", interfaceDisplayName, "off").Attach().Run()
+		err = shell.Exec("networksetup", "-setwebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
-		err = common.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
+		err = shell.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	return err
 }
 
 func getInterfaceDisplayName(name string) (string, error) {
-	content, err := common.Exec("networksetup", "-listallhardwareports").Read()
+	content, err := shell.Exec("networksetup", "-listallhardwareports").ReadOutput()
 	if err != nil {
 		return "", err
 	}

common/settings/proxy_linux.go

@@ -11,6 +11,7 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/common/shell"
 )
 
 var (
@@ -27,9 +28,9 @@ func init() {
 
 func runAsUser(name string, args ...string) error {
 	if os.Getuid() != 0 {
-		return common.Exec(name, args...).Attach().Run()
+		return shell.Exec(name, args...).Attach().Run()
 	} else if sudoUser != "" {
-		return common.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return shell.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	} else {
 		return E.New("set system proxy: unable to set as root")
 	}

common/settings/time_stub.go

@@ -0,0 +1,12 @@
+//go:build !(windows || linux || darwin)
+
+package settings
+
+import (
+	"os"
+	"time"
+)
+
+func SetSystemTime(nowTime time.Time) error {
+	return os.ErrInvalid
+}

common/settings/time_unix.go

@@ -0,0 +1,14 @@
+//go:build linux || darwin
+
+package settings
+
+import (
+	"time"
+
+	"golang.org/x/sys/unix"
+)
+
+func SetSystemTime(nowTime time.Time) error {
+	timeVal := unix.NsecToTimeval(nowTime.UnixNano())
+	return unix.Settimeofday(&timeVal)
+}

common/settings/time_windows.go

@@ -0,0 +1,32 @@
+package settings
+
+import (
+	"time"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+func SetSystemTime(nowTime time.Time) error {
+	var systemTime windows.Systemtime
+	systemTime.Year = uint16(nowTime.Year())
+	systemTime.Month = uint16(nowTime.Month())
+	systemTime.Day = uint16(nowTime.Day())
+	systemTime.Hour = uint16(nowTime.Hour())
+	systemTime.Minute = uint16(nowTime.Minute())
+	systemTime.Second = uint16(nowTime.Second())
+	systemTime.Milliseconds = uint16(nowTime.UnixMilli() - nowTime.Unix()*1000)
+
+	dllKernel32 := windows.NewLazySystemDLL("kernel32.dll")
+	proc := dllKernel32.NewProc("SetSystemTime")
+
+	_, _, err := proc.Call(
+		uintptr(unsafe.Pointer(&systemTime)),
+	)
+
+	if err != nil && err.Error() != "The operation completed successfully." {
+		return err
+	}
+
+	return nil
+}

common/sniff/http.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/protocol/http"
 )
 
@@ -15,5 +16,5 @@ func HTTPHost(ctx context.Context, reader io.Reader) (*adapter.InboundContext, e
 	if err != nil {
 		return nil, err
 	}
-	return &adapter.InboundContext{Protocol: C.ProtocolHTTP, Domain: request.Host}, nil
+	return &adapter.InboundContext{Protocol: C.ProtocolHTTP, Domain: M.ParseSocksaddr(request.Host).AddrString()}, nil
 }

common/sniff/http_test.go

@@ -0,0 +1,27 @@
+package sniff_test
+
+import (
+	"context"
+	"strings"
+	"testing"
+
+	"github.com/sagernet/sing-box/common/sniff"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSniffHTTP1(t *testing.T) {
+	t.Parallel()
+	pkt := "GET / HTTP/1.1\r\nHost: www.google.com\r\nAccept: */*\r\n\r\n"
+	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
+	require.NoError(t, err)
+	require.Equal(t, metadata.Domain, "www.google.com")
+}
+
+func TestSniffHTTP1WithPort(t *testing.T) {
+	t.Parallel()
+	pkt := "GET / HTTP/1.1\r\nHost: www.gov.cn:8080\r\nAccept: */*\r\n\r\n"
+	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
+	require.NoError(t, err)
+	require.Equal(t, metadata.Domain, "www.gov.cn")
+}

common/sniff/sniff.go

@@ -24,12 +24,12 @@ func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout
 	}
 	err := conn.SetReadDeadline(time.Now().Add(timeout))
 	if err != nil {
-		return nil, err
+		return nil, E.Cause(err, "set read deadline")
 	}
 	_, err = buffer.ReadOnceFrom(conn)
 	err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
 	if err != nil {
-		return nil, err
+		return nil, E.Cause(err, "read payload")
 	}
 	var metadata *adapter.InboundContext
 	var errors []error

common/tls/reality_client.go

@@ -42,7 +42,7 @@ var _ ConfigCompat = (*RealityClientConfig)(nil)
 type RealityClientConfig struct {
 	uClient   *UTLSClientConfig
 	publicKey []byte
-	shortID   []byte
+	shortID   [8]byte
 }
 
 func NewRealityClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
@@ -62,11 +62,12 @@ func NewRealityClient(router adapter.Router, serverAddress string, options optio
 	if len(publicKey) != 32 {
 		return nil, E.New("invalid public_key")
 	}
-	shortID, err := hex.DecodeString(options.Reality.ShortID)
+	var shortID [8]byte
+	decodedLen, err := hex.Decode(shortID[:], []byte(options.Reality.ShortID))
 	if err != nil {
 		return nil, E.Cause(err, "decode short_id")
 	}
-	if len(shortID) != 8 {
+	if decodedLen > 8 {
 		return nil, E.New("invalid short_id")
 	}
 	return &RealityClientConfig{uClient, publicKey, shortID}, nil
@@ -110,6 +111,16 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	if err != nil {
 		return nil, err
 	}
+
+	if len(uConfig.NextProtos) > 0 {
+		for _, extension := range uConn.Extensions {
+			if alpnExtension, isALPN := extension.(*utls.ALPNExtension); isALPN {
+				alpnExtension.AlpnProtocols = uConfig.NextProtos
+				break
+			}
+		}
+	}
+
 	hello := uConn.HandshakeState.Hello
 	hello.SessionId = make([]byte, 32)
 	copy(hello.Raw[39:], hello.SessionId)
@@ -123,9 +134,10 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	binary.BigEndian.PutUint64(hello.SessionId, uint64(nowTime.Unix()))
 
 	hello.SessionId[0] = 1
-	hello.SessionId[1] = 7
-	hello.SessionId[2] = 5
-	copy(hello.SessionId[8:], e.shortID)
+	hello.SessionId[1] = 8
+	hello.SessionId[2] = 0
+	binary.BigEndian.PutUint32(hello.SessionId[4:], uint32(time.Now().Unix()))
+	copy(hello.SessionId[8:], e.shortID[:])
 
 	if debug.Enabled {
 		fmt.Printf("REALITY hello.sessionId[:16]: %v\n", hello.SessionId[:16])

common/tls/reality_server.go

@@ -89,16 +89,16 @@ func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Log
 	tlsConfig.MaxTimeDiff = time.Duration(options.Reality.MaxTimeDifference)
 
 	tlsConfig.ShortIds = make(map[[8]byte]bool)
-	for i, shortID := range options.Reality.ShortID {
-		var shortIDBytesArray [8]byte
-		decodedLen, err := hex.Decode(shortIDBytesArray[:], []byte(shortID))
+	for i, shortIDString := range options.Reality.ShortID {
+		var shortID [8]byte
+		decodedLen, err := hex.Decode(shortID[:], []byte(shortIDString))
 		if err != nil {
-			return nil, E.Cause(err, "decode short_id[", i, "]: ", shortID)
+			return nil, E.Cause(err, "decode short_id[", i, "]: ", shortIDString)
 		}
-		if decodedLen != 8 {
-			return nil, E.New("invalid short_id[", i, "]: ", shortID)
+		if decodedLen > 8 {
+			return nil, E.New("invalid short_id[", i, "]: ", shortIDString)
 		}
-		tlsConfig.ShortIds[shortIDBytesArray] = true
+		tlsConfig.ShortIds[shortID] = true
 	}
 
 	handshakeDialer := dialer.New(router, options.Reality.Handshake.DialerOptions)

common/tls/std_server.go

@@ -180,7 +180,7 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 		tlsConfig.ServerName = options.ServerName
 	}
 	if len(options.ALPN) > 0 {
-		tlsConfig.NextProtos = append(tlsConfig.NextProtos, options.ALPN...)
+		tlsConfig.NextProtos = append(options.ALPN, tlsConfig.NextProtos...)
 	}
 	if options.MinVersion != "" {
 		minVersion, err := ParseTLSVersion(options.MinVersion)

common/tls/utls_client.go

@@ -3,6 +3,7 @@
 package tls
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"math/rand"
@@ -47,7 +48,7 @@ func (e *UTLSClientConfig) Config() (*STDConfig, error) {
 }
 
 func (e *UTLSClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}, nil
+	return &utlsALPNWrapper{utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}, e.config.NextProtos}, nil
 }
 
 func (e *UTLSClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
@@ -87,6 +88,31 @@ func (c *utlsConnWrapper) Upstream() any {
 	return c.UConn
 }
 
+type utlsALPNWrapper struct {
+	utlsConnWrapper
+	nextProtocols []string
+}
+
+func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
+	if len(c.nextProtocols) > 0 {
+		err := c.BuildHandshakeState()
+		if err != nil {
+			return err
+		}
+		for _, extension := range c.Extensions {
+			if alpnExtension, isALPN := extension.(*utls.ALPNExtension); isALPN {
+				alpnExtension.AlpnProtocols = c.nextProtocols
+				err = c.BuildHandshakeState()
+				if err != nil {
+					return err
+				}
+				break
+			}
+		}
+	}
+	return c.UConn.HandshakeContext(ctx)
+}
+
 func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
 	var serverName string
 	if options.ServerName != "" {

common/warning/warning.go

@@ -1,31 +0,0 @@
-package warning
-
-import (
-	"sync"
-
-	"github.com/sagernet/sing-box/log"
-)
-
-type Warning struct {
-	logger    log.Logger
-	check     CheckFunc
-	message   string
-	checkOnce sync.Once
-}
-
-type CheckFunc = func() bool
-
-func New(checkFunc CheckFunc, message string) Warning {
-	return Warning{
-		check:   checkFunc,
-		message: message,
-	}
-}
-
-func (w *Warning) Check() {
-	w.checkOnce.Do(func() {
-		if w.check() {
-			log.Warn(w.message)
-		}
-	})
-}

constant/time.go

@@ -0,0 +1,3 @@
+package constant
+
+const TimeLayout = "2006-01-02 15:04:05 -0700"

constant/version.go

@@ -1,3 +1,3 @@
 package constant
 
-var Version = "1.2-beta7"
+var Version = "unknown"

debug.go

@@ -0,0 +1,35 @@
+//go:build go1.19
+
+package box
+
+import (
+	"runtime/debug"
+
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/option"
+)
+
+func applyDebugOptions(options option.DebugOptions) {
+	if options.GCPercent != nil {
+		debug.SetGCPercent(*options.GCPercent)
+	}
+	if options.MaxStack != nil {
+		debug.SetMaxStack(*options.MaxStack)
+	}
+	if options.MaxThreads != nil {
+		debug.SetMaxThreads(*options.MaxThreads)
+	}
+	if options.PanicOnFault != nil {
+		debug.SetPanicOnFault(*options.PanicOnFault)
+	}
+	if options.TraceBack != "" {
+		debug.SetTraceback(options.TraceBack)
+	}
+	if options.MemoryLimit != 0 {
+		debug.SetMemoryLimit(int64(options.MemoryLimit))
+		conntrack.MemoryLimit = int64(options.MemoryLimit)
+	}
+	if options.OOMKiller != nil {
+		conntrack.KillerEnabled = *options.OOMKiller
+	}
+}

debug_go118.go

@@ -0,0 +1,35 @@
+//go:build !go1.19
+
+package box
+
+import (
+	"runtime/debug"
+
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/option"
+)
+
+func applyDebugOptions(options option.DebugOptions) {
+	if options.GCPercent != nil {
+		debug.SetGCPercent(*options.GCPercent)
+	}
+	if options.MaxStack != nil {
+		debug.SetMaxStack(*options.MaxStack)
+	}
+	if options.MaxThreads != nil {
+		debug.SetMaxThreads(*options.MaxThreads)
+	}
+	if options.PanicOnFault != nil {
+		debug.SetPanicOnFault(*options.PanicOnFault)
+	}
+	if options.TraceBack != "" {
+		debug.SetTraceback(options.TraceBack)
+	}
+	if options.MemoryLimit != 0 {
+		// debug.SetMemoryLimit(int64(options.MemoryLimit))
+		conntrack.MemoryLimit = int64(options.MemoryLimit)
+	}
+	if options.OOMKiller != nil {
+		conntrack.KillerEnabled = *options.OOMKiller
+	}
+}

docs/changelog.md

@@ -1,3 +1,92 @@
+#### 1.2.7
+
+* Fix bugs and update dependencies
+
+#### 1.2.6
+
+* Fix bugs and update dependencies
+
+#### 1.2.3
+
+* Introducing our [new Android client application](/installation/clients/sfa)
+* Improve UDP domain destination NAT
+* Update reality protocol
+* Fix TTL calculation for DNS response
+* Fix v2ray HTTP transport compatibility
+* Fix bugs and update dependencies
+
+#### 1.2.2
+
+* Accept `any` outbound in dns rule **1**
+* Fix bugs and update dependencies
+
+*1*:
+
+Now you can use the `any` outbound rule to match server address queries instead of filling in all server domains
+to `domain` rule.
+
+#### 1.2.1
+
+* Fix missing default host in v2ray http transport`s request
+* Flush DNS cache for macOS when tun start/close
+* Fix tun's DNS hijacking compatibility with systemd-resolved
+
+#### 1.2.0
+
+* Fix bugs and update dependencies
+
+Important changes since 1.1:
+
+* Introducing our [new iOS client application](/installation/clients/sfi)
+* Introducing [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
+* Add [platform options](/configuration/inbound/tun#platform) for tun inbound
+* Add [ShadowTLS protocol v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md)
+* Add [VLESS server](/configuration/inbound/vless) and [vision](/configuration/outbound/vless#flow) support
+* Add [reality TLS](/configuration/shared/tls) support
+* Add [NTP service](/configuration/ntp)
+* Add [DHCP DNS server](/configuration/dns/server) support
+* Add SSH [host key validation](/configuration/outbound/ssh) support
+* Add [query_type](/configuration/dns/rule) DNS rule item
+* Add fallback support for v2ray transport
+* Add custom TLS server support for http based v2ray transports
+* Add health check support for http-based v2ray transports
+* Add multiple configuration support
+
+#### 1.2-rc1
+
+* Fix bugs and update dependencies
+
+#### 1.2-beta10
+
+* Add multiple configuration support **1**
+* Fix bugs and update dependencies
+
+*1*:
+
+Now you can pass the parameter `--config` or `-c` multiple times, or use the new parameter `--config-directory` or `-C`
+to load all configuration files in a directory.
+
+Loaded configuration files are sorted by name. If you want to control the merge order, add a numeric prefix to the file
+name.
+
+#### 1.1.7
+
+* Improve the stability of the VMESS server
+* Fix `auto_detect_interface` incorrectly identifying the default interface on Windows
+* Fix bugs and update dependencies
+
+#### 1.2-beta9
+
+* Introducing the [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
+* Add health check support for http-based v2ray transports
+* Remove length limit on short_id for reality TLS config
+* Fix bugs and update dependencies
+
+#### 1.2-beta8
+
+* Update reality and uTLS libraries
+* Fix `auto_detect_interface` incorrectly identifying the default interface on Windows
+
 #### 1.2-beta7
 
 * Fix the compatibility issue between VLESS's vision sub-protocol and the Xray-core client
@@ -110,7 +199,7 @@ Important changes since 1.0:
 * Add VLESS outbound and XUDP
 * Skip wait for hysteria tcp handshake response
 * Add v2ray mux support for all inbound
-* Add XUDP support for VMess 
+* Add XUDP support for VMess
 * Improve websocket writer
 * Refine tproxy write back
 * Fix DNS leak caused by

docs/configuration/dns/rule.md

@@ -232,6 +232,8 @@ Invert match result.
 
 Match outbound.
 
+`any` can be used as a value to match any outbound.
+
 #### server
 
 ==Required==
@@ -254,18 +256,4 @@ Disable cache and save cache in this query.
 
 #### rules
 
-Included default rules.
-
-#### invert
-
-Invert match result.
-
-#### server
-
-==Required==
-
-Tag of the target dns server.
-
-#### disable_cache
-
-Disable cache and save cache in this query.
+Included default rules.

docs/configuration/dns/rule.zh.md

@@ -231,6 +231,8 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 匹配出站。
 
+`any` 可作为值用于匹配任意出站。
+
 #### server
 
 ==必填==
@@ -253,18 +255,4 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### rules
 
-包括的默认规则。
-
-#### invert
-
-反选匹配结果。
-
-#### server
-
-==必填==
-
-目标 DNS 服务器的标签。
-
-#### disable_cache
-
-在此查询中禁用缓存。
+包括的默认规则。

docs/configuration/inbound/http.md

@@ -40,4 +40,8 @@ No authentication required if empty.
 
     Only supported on Linux, Android, Windows, and macOS.
 
+!!! warning ""
+
+    To work on Android and iOS without privileges, use tun.platform.http_proxy instead.
+
 Automatically set system proxy configuration when start and clean up when stop.

docs/configuration/inbound/http.zh.md

@@ -40,4 +40,8 @@ HTTP 用户
 
     仅支持 Linux、Android、Windows 和 macOS。
 
+!!! warning ""
+
+    要在无特权的 Android 和 iOS 上工作，请改用 tun.platform.http_proxy。
+
 启动时自动设置系统代理，停止时自动清理。

docs/configuration/inbound/hysteria.md

@@ -74,14 +74,10 @@ Hysteria users
 
 #### users.auth
 
-==Required if `auth_str` is empty==
-
 Authentication password, in base64.
 
 #### users.auth_str
 
-==Required if `auth` is empty==
-
 Authentication password.
 
 #### recv_window_conn

docs/configuration/inbound/hysteria.zh.md

@@ -74,14 +74,10 @@ Hysteria 用户
 
 #### users.auth
 
-==与 auth_str 必填一个==
-
 base64 编码的认证密码。
 
 #### users.auth_str
 
-==与 auth 必填一个==
-
 认证密码。
 
 #### recv_window_conn

docs/configuration/inbound/mixed.md

@@ -37,4 +37,8 @@ No authentication required if empty.
 
     Only supported on Linux, Android, Windows, and macOS.
 
-Automatically set system proxy configuration when start and clean up when stop.
+!!! warning ""
+
+    To work on Android and iOS without privileges, use tun.platform.http_proxy instead.
+
+Automatically set system proxy configuration when start and clean up when stop.

docs/configuration/inbound/mixed.zh.md

@@ -37,4 +37,8 @@ SOCKS 和 HTTP 用户
 
     仅支持 Linux、Android、Windows 和 macOS。
 
+!!! warning ""
+
+    要在无特权的 Android 和 iOS 上工作，请改用 tun.platform.http_proxy。
+
 启动时自动设置系统代理，停止时自动清理。

docs/configuration/inbound/tun.md

@@ -107,8 +107,7 @@ Enforce strict routing rules when `auto_route` is enabled:
 * Let unsupported network unreachable
 * Route all connections to tun
 
-It prevents address leaks and makes DNS hijacking work on Android and Linux with systemd-resolved, but your device will
-not be accessible by others.
+It prevents address leaks and makes DNS hijacking work on Android, but your device will not be accessible by others.
 
 *In Windows*:
 

docs/configuration/inbound/tun.zh.md

@@ -107,7 +107,7 @@ tun 接口的 IPv6 前缀。
 * 让不支持的网络无法到达
 * 将所有连接路由到 tun
 
-它可以防止地址泄漏，并使 DNS 劫持在 Android 和使用 systemd-resolved 的 Linux 上工作，但你的设备将无法其他设备被访问。
+它可以防止地址泄漏，并使 DNS 劫持在 Android 上工作，但你的设备将无法其他设备被访问。
 
 *在 Windows 中*:
 

docs/configuration/outbound/shadowsocks.md

@@ -12,7 +12,7 @@
   "plugin": "",
   "plugin_opts": "",
   "network": "udp",
-  "udp_over_tcp": false,
+  "udp_over_tcp": false | {},
   "multiplex": {},
 
   ... // Dial Fields
@@ -87,7 +87,9 @@ Both is enabled by default.
 
 #### udp_over_tcp
 
-Enable the UDP over TCP protocol.
+UDP over TCP configuration.
+
+See [UDP Over TCP](/configuration/shared/udp-over-tcp) for details.
 
 Conflict with `multiplex`.
 

docs/configuration/outbound/shadowsocks.zh.md

@@ -12,7 +12,7 @@
   "plugin": "",
   "plugin_opts": "",
   "network": "udp",
-  "udp_over_tcp": false,
+  "udp_over_tcp": false | {},
   "multiplex": {},
 
   ... // 拨号字段
@@ -87,7 +87,9 @@ Shadowsocks SIP003 插件参数。
 
 #### udp_over_tcp
 
-启用 UDP over TCP 协议。
+UDP over TCP 配置。
+
+参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp)。
 
 与 `multiplex` 冲突。
 

docs/configuration/outbound/socks.md

@@ -13,7 +13,7 @@
   "username": "sekai",
   "password": "admin",
   "network": "udp",
-  "udp_over_tcp": false,
+  "udp_over_tcp": false | {},
 
   ... // Dial Fields
 }
@@ -57,7 +57,9 @@ Both is enabled by default.
 
 #### udp_over_tcp
 
-Enable the UDP over TCP protocol.
+UDP over TCP protocol settings.
+
+See [UDP Over TCP](/configuration/shared/udp-over-tcp) for details.
 
 ### Dial Fields
 

docs/configuration/outbound/socks.zh.md

@@ -13,7 +13,7 @@
   "username": "sekai",
   "password": "admin",
   "network": "udp",
-  "udp_over_tcp": false,
+  "udp_over_tcp": false | {},
 
   ... // 拨号字段
 }
@@ -57,7 +57,9 @@ SOCKS5 密码。
 
 #### udp_over_tcp
 
-启用 UDP over TCP 协议。
+UDP over TCP 配置。
+
+参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp)。
 
 ### 拨号字段
 

docs/configuration/shared/tls.md

@@ -333,7 +333,7 @@ Public key, generated by `sing-box generate reality-keypair`.
 
 ==Required==
 
-A 8-bit hex string.
+A hexadecimal string with zero to eight digits.
 
 #### max_time_difference
 

docs/configuration/shared/tls.zh.md

@@ -329,7 +329,7 @@ MAC 密钥。
 
 ==必填==
 
-一个八位十六进制的字符串。
+一个零到八位的十六进制字符串。
 
 #### max_time_difference
 

docs/configuration/shared/udp-over-tcp.md

@@ -0,0 +1,79 @@
+# UDP over TCP
+
+!!! warning ""
+
+    It's a proprietary protocol created by SagerNet, not part of shadowsocks.
+
+The UDP over TCP protocol is used to transmit UDP packets in TCP.
+
+### Structure
+
+```json
+{
+  "enabled": true,
+  "version": 2
+}
+```
+
+!!! info ""
+
+    The structure can be replaced with a boolean value when the version is not specified.
+
+### Fields
+
+#### enabled
+
+Enable the UDP over TCP protocol.
+
+#### version
+
+The protocol version, `1` or `2`.
+
+2 is used by default.
+
+### Application support
+
+| Project      | UoT v1               | UoT v2                                                                                                            |
+|--------------|----------------------|-------------------------------------------------------------------------------------------------------------------|
+| sing-box     | v0 (2022/08/11)      | v1.2-beta9                                                                                                        |
+| Xray-core    | v1.5.7 (2022/06/05)  | [f57ec13](https://github.com/XTLS/Xray-core/commit/f57ec1388084df041a2289bacab14e446bf1b357) (Not released)       |
+| Clash.Meta   | v1.12.0 (2022/07/02) | [8cb67b6](https://github.com/MetaCubeX/Clash.Meta/commit/8cb67b6480649edfa45dcc9ac89ce0789651e8b3) (Not released) |
+| Shadowrocket | v2.2.12 (2022/08/13) | /                                                                                                                 |
+
+### Protocol details
+
+#### Protocol version 1
+
+The client requests the magic address to the upper layer proxy protocol to indicate the request: `sp.udp-over-tcp.arpa`
+
+#### Stream format
+
+| ATYP | address  | port  | length | data     |
+|------|----------|-------|--------|----------|
+| u8   | variable | u16be | u16be  | variable |
+
+**ATYP / address / port**: Uses the SOCKS address format.
+
+#### Protocol version 2
+
+Protocol version 2 uses a new magic address: `sp.v2.udp-over-tcp.arpa`
+
+##### Request format
+
+| isConnect | ATYP | address  | port  |
+|-----------|------|----------|-------|
+| u8        | u8   | variable | u16be |
+
+**isConnect**: Set to 1 to indicates that the stream uses the connect format, 0 to disable.
+
+**ATYP / address / port**: Request destination, uses the SOCKS address format.
+
+##### Connect stream format
+
+| length | data     |
+|--------|----------|
+| u16be  | variable |
+
+##### Non-connect stream format
+
+As the same as the stream format in protocol version 1.

docs/configuration/shared/v2ray-transport.md

@@ -34,7 +34,9 @@ Available transports:
   "host": [],
   "path": "",
   "method": "",
-  "headers": {}
+  "headers": {},
+  "idle_timeout": "15s",
+  "ping_timeout": "15s"
 }
 ```
 
@@ -66,6 +68,24 @@ Extra headers of HTTP request.
 
 The server will write in response if not empty.
 
+#### idle_timeout
+
+In HTTP2 server:
+
+Specifies the time until idle clients should be closed with a GOAWAY frame. PING frames are not considered as activity.
+
+In HTTP2 client:
+
+Specifies the period of time after which a health check will be performed using a ping frame if no frames have been received on the connection. Please note that a ping response is considered a received frame, so if there is no other traffic on the connection, the health check will be executed every interval. If the value is zero, no health check will be performed.
+
+Zero is used by default.
+
+#### ping_timeout
+
+In HTTP2 client:
+
+Specifies the timeout duration after sending a PING frame, within which a response must be received. If a response to the PING frame is not received within the specified timeout duration, the connection will be closed. The default timeout duration is 15 seconds.
+
 ### WebSocket
 
 ```json
@@ -126,10 +146,41 @@ It needs to be consistent with the server.
 ```json
 {
   "type": "grpc",
-  "service_name": "TunService"
+  "service_name": "TunService",
+  "idle_timeout": "15s",
+  "ping_timeout": "15s",
+  "permit_without_stream": false
 }
 ```
 
 #### service_name
 
-Service name of gRPC.
+Service name of gRPC.
+
+#### idle_timeout
+
+In standard gRPC server/client:
+
+If the transport doesn't see any activity after a duration of this time, it pings the client to check if the connection is still active.
+
+In default gRPC server/client:
+
+It has the same behavior as the corresponding setting in HTTP transport.
+
+#### ping_timeout
+
+In standard gRPC server/client:
+
+The timeout that after performing a keepalive check, the client will wait for activity. If no activity is detected, the connection will be closed.
+
+In default gRPC server/client:
+
+It has the same behavior as the corresponding setting in HTTP transport.
+
+#### permit_without_stream
+
+In standard gRPC client:
+
+If enabled, the client transport sends keepalive pings even with no active connections. If disabled, when there are no active connections, `idle_timeout` and `ping_timeout` will be ignored and no keepalive pings will be sent.
+
+Disabled by default.

docs/configuration/shared/v2ray-transport.zh.md

@@ -33,7 +33,9 @@ V2Ray Transport 是 v2ray 发明的一组私有协议，并污染了其他协议
   "host": [],
   "path": "",
   "method": "",
-  "headers": {}
+  "headers": {},
+  "idle_timeout": "15s",
+  "ping_timeout": "15s"
 }
 ```
 
@@ -65,6 +67,24 @@ HTTP 请求的额外标头
 
 默认服务器将写入响应。
 
+#### idle_timeout
+
+在 HTTP2 服务器中：
+
+指定闲置客户端应在多长时间内使用 GOAWAY 帧关闭。PING 帧不被视为活动。
+
+在 HTTP2 客户端中：
+
+如果连接上没有收到任何帧，指定一段时间后将使用 PING 帧执行健康检查。需要注意的是，PING 响应被视为已接收的帧，因此如果连接上没有其他流量，则健康检查将在每个间隔执行一次。如果值为零，则不会执行健康检查。
+
+默认使用零。
+
+#### ping_timeout
+
+在 HTTP2 客户端中：
+
+指定发送 PING 帧后，在指定的超时时间内必须接收到响应。如果在指定的超时时间内没有收到 PING 帧的响应，则连接将关闭。默认超时持续时间为 15 秒。
+
 ### WebSocket
 
 ```json
@@ -125,10 +145,41 @@ HTTP 请求的额外标头。
 ```json
 {
   "type": "grpc",
-  "service_name": "TunService"
+  "service_name": "TunService",
+  "idle_timeout": "15s",
+  "ping_timeout": "15s",
+  "permit_without_stream": false
 }
 ```
 
 #### service_name
 
-gRPC 服务名称。
+gRPC 服务名称。
+
+#### idle_timeout
+
+在标准 gRPC 服务器/客户端：
+
+如果传输在此时间段后没有看到任何活动，它会向客户端发送 ping 请求以检查连接是否仍然活动。
+
+在默认 gRPC 服务器/客户端：
+
+它的行为与 HTTP 传输层中的相应设置相同。
+
+#### ping_timeout
+
+在标准 gRPC 服务器/客户端：
+
+经过一段时间之后，客户端将执行 keepalive 检查并等待活动。如果没有检测到任何活动，则会关闭连接。
+
+在默认 gRPC 服务器/客户端：
+
+它的行为与 HTTP 传输层中的相应设置相同。
+
+#### permit_without_stream
+
+在标准 gRPC 客户端：
+
+如果启用，客户端传输即使没有活动连接也会发送 keepalive ping。如果禁用，则在没有活动连接时，将忽略 `idle_timeout` 和 `ping_timeout`，并且不会发送 keepalive ping。
+
+默认禁用。

docs/examples/linux-server-installation.md

@@ -7,9 +7,9 @@
 #### Install
 
 ```shell
-git clone https://github.com/SagerNet/sing-box
+git clone -b main https://github.com/SagerNet/sing-box
 cd sing-box
-./release/local/install_go.sh # skip if you have go1.19 already installed
+./release/local/install_go.sh # skip if you have golang already installed
 ./release/local/install.sh
 ```
 

docs/examples/linux-server-installation.zh.md

@@ -7,9 +7,9 @@
 #### 安装
 
 ```shell
-git clone https://github.com/SagerNet/sing-box
+git clone -b main https://github.com/SagerNet/sing-box
 cd sing-box
-./release/local/install_go.sh # 如果已安装 go1.19 则跳过
+./release/local/install_go.sh # 如果已安装 golang 则跳过
 ./release/local/install.sh
 ```
 

docs/examples/shadowsocks.md

@@ -1,5 +1,9 @@
 # Shadowsocks
 
+!!! warning ""
+
+    For censorship bypass usage in China, we recommend using UDP over TCP and disabling UDP on the server.
+
 ## Single User
 
 #### Server
@@ -11,6 +15,7 @@
       "type": "shadowsocks",
       "listen": "::",
       "listen_port": 8080,
+      "network": "tcp",
       "method": "2022-blake3-aes-128-gcm",
       "password": "8JCsPssfgS8tiRwiMlhARg=="
     }
@@ -35,7 +40,8 @@
       "server": "127.0.0.1",
       "server_port": 8080,
       "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
+      "password": "8JCsPssfgS8tiRwiMlhARg==",
+      "udp_over_tcp": true
     }
   ]
 }

docs/examples/shadowtls.md

@@ -24,6 +24,7 @@
       "type": "shadowsocks",
       "tag": "shadowsocks-in",
       "listen": "127.0.0.1",
+      "network": "tcp",
       "method": "2022-blake3-aes-128-gcm",
       "password": "8JCsPssfgS8tiRwiMlhARg=="
     }
@@ -46,6 +47,7 @@
         "max_connections": 4,
         "min_streams": 4
       }
+      // or "udp_over_tcp": true
     },
     {
       "type": "shadowtls",

docs/examples/tun.md

@@ -23,7 +23,10 @@
         "disable_cache": true
       },
       {
-        "domain": "mydomain.com",
+        "outbound": "any",
+        "server": "local"
+      },
+      {
         "geosite": "cn",
         "server": "local"
       }

docs/faq/known-issues.md

@@ -9,10 +9,6 @@ the public internet.
 
 `auto-route` cannot automatically hijack DNS requests when Android's `Private DNS` enabled or `strict_route` disabled.
 
-##### on Linux
-
-`auto-route` cannot automatically hijack DNS requests with `systemd-resolved` enabled and `strict_route` disabled.
-
 #### System proxy
 
 ##### on Linux

docs/faq/known-issues.zh.md

@@ -8,10 +8,6 @@
 
 `auto-route` 无法自动劫持 DNS 请求如果 `私人 DNS` 开启或 `strict_route` 禁用。
 
-##### Linux
-
-`auto-route` 无法自动劫持 DNS 请求如果 `systemd-resolved` 开启且 `strict_route` 禁用。
-
 #### 系统代理
 
 ##### Linux

docs/index.md

@@ -25,4 +25,7 @@ GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
 along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+In addition, no derivative work may use the name or imply association
+with this application without prior consent.
 ```

docs/index.zh.md

@@ -25,4 +25,7 @@ GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
 along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+In addition, no derivative work may use the name or imply association
+with this application without prior consent.
 ```

docs/installation/clients/sfa.md

@@ -0,0 +1,17 @@
+# SFA
+
+Experimental Android client for sing-box.
+
+#### Requirements
+
+* Android 5.0+
+
+#### Download
+
+* [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
+
+#### Note
+
+* User Agent in remote profile request is `SFA/$version ($version_code; sing-box $sing_box_version)`
+* The working directory is located at `/sdcard/Android/data/io.nekohasekai.sfa/files` (External files directory)
+* Crash logs is located in `$working_directory/stderr.log`

docs/installation/clients/sfa.zh.md

@@ -0,0 +1,17 @@
+# SFA
+
+实验性的 Android sing-box 客户端。
+
+#### 要求
+
+* Android 5.0+
+
+#### 下载
+
+* [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
+
+#### 注意事项
+
+* 远程配置文件请求中的 User Agent 为 `SFA/$version ($version_code; sing-box $sing_box_version)`
+* 工作目录位于 `/sdcard/Android/data/io.nekohasekai.sfa/files` (外部文件目录)
+* 崩溃日志位于 `$working_directory/stderr.log`

docs/installation/clients/sfi.md

@@ -1,6 +1,6 @@
 # SFI
 
-Experimental official iOS client for sing-box.
+Experimental iOS client for sing-box.
 
 #### Requirements
 
@@ -11,9 +11,10 @@ Experimental official iOS client for sing-box.
 
 * [TestFlight](https://testflight.apple.com/join/c6ylui2j)
 
-#### Limit
+#### Note
 
-* `system` tun stack not working
+* User Agent in remote profile request is `SFI/$version ($version_code; sing-box $sing_box_version)`
+* Crash logs is located in `Settings` -> `View Service Log`
 
 #### Privacy policy
 

docs/installation/clients/sfi.zh.md

@@ -1,6 +1,6 @@
 # SFI
 
-实验性的官方 iOS sing-box 客户端。
+实验性的 iOS sing-box 客户端。
 
 #### 要求
 
@@ -11,9 +11,10 @@
 
 * [TestFlight](https://testflight.apple.com/join/c6ylui2j)
 
-#### 限制
+#### 注意事项
 
-* `system` tun stack 不工作
+* 远程配置文件请求中的 User Agent 为 `SFI/$version ($version_code; sing-box $sing_box_version)`
+* 崩溃日志位于 `设置` -> `查看服务日志`
 
 #### 隐私政策
 

docs/installation/from-source.md

@@ -12,22 +12,22 @@ Install with options:
 go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
 ```
 
-| Build Tag                          | Description                                                                                                                                                                                                                                                                                                                     |
-|------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `with_quic`                        | Build with QUIC support, see [QUIC and HTTP3 DNS transports](./configuration/dns/server), [Naive inbound](./configuration/inbound/naive), [Hysteria Inbound](./configuration/inbound/hysteria), [Hysteria Outbound](./configuration/outbound/hysteria) and [V2Ray Transport#QUIC](./configuration/shared/v2ray-transport#quic). |
-| `with_grpc`                        | Build with standard gRPC support, see [V2Ray Transport#gRPC](./configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
-| `with_dhcp`                        | Build with DHCP support, see [DHCP DNS transport](./configuration/dns/server).                                                                                                                                                                                                                                                  |
-| `with_wireguard`                   | Build with WireGuard support, see [WireGuard outbound](./configuration/outbound/wireguard).                                                                                                                                                                                                                                     |
-| `with_shadowsocksr`                | Build with ShadowsocksR support, see [ShadowsocksR outbound](./configuration/outbound/shadowsocksr).                                                                                                                                                                                                                            |
-| `with_ech`                         | Build with TLS ECH extension support for TLS outbound, see [TLS](./configuration/shared/tls#ech).                                                                                                                                                                                                                               |
-| `with_utls`                        | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](./configuration/shared/tls#utls).                                                                                                                                                                                          |
-| `with_reality_server`              | Build with reality TLS server support,  see [TLS](./configuration/shared/tls).                                                                                                                                                                                                                                                  |
-| `with_acme`                        | Build with ACME TLS certificate issuer support, see [TLS](./configuration/shared/tls).                                                                                                                                                                                                                                          |
-| `with_clash_api`                   | Build with Clash API support, see [Experimental](./configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
-| `with_v2ray_api`                   | Build with V2Ray API support, see [Experimental](./configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
-| `with_gvisor`                      | Build with gVisor support, see [Tun inbound](./configuration/inbound/tun#stack) and [WireGuard outbound](./configuration/outbound/wireguard#system_interface).                                                                                                                                                                  |
-| `with_embedded_tor` (CGO required) | Build with embedded Tor support, see [Tor outbound](./configuration/outbound/tor).                                                                                                                                                                                                                                              |
-| `with_lwip` (CGO required)         | Build with LWIP Tun stack support, see [Tun inbound](./configuration/inbound/tun#stack).                                                                                                                                                                                                                                        |
+| Build Tag                          | Description                                                                                                                                                                                                                                                                                                                |
+|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `with_quic`                        | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server), [Naive inbound](/configuration/inbound/naive), [Hysteria Inbound](/configuration/inbound/hysteria), [Hysteria Outbound](/configuration/outbound/hysteria) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
+| `with_grpc`                        | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                  |
+| `with_dhcp`                        | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server).                                                                                                                                                                                                                                              |
+| `with_wireguard`                   | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard).                                                                                                                                                                                                                                 |
+| `with_shadowsocksr`                | Build with ShadowsocksR support, see [ShadowsocksR outbound](/configuration/outbound/shadowsocksr).                                                                                                                                                                                                                        |
+| `with_ech`                         | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                           |
+| `with_utls`                        | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                      |
+| `with_reality_server`              | Build with reality TLS server support,  see [TLS](/configuration/shared/tls).                                                                                                                                                                                                                                              |
+| `with_acme`                        | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls).                                                                                                                                                                                                                                      |
+| `with_clash_api`                   | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                            |
+| `with_v2ray_api`                   | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                            |
+| `with_gvisor`                      | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                               |
+| `with_embedded_tor` (CGO required) | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor).                                                                                                                                                                                                                                          |
+| `with_lwip` (CGO required)         | Build with LWIP Tun stack support, see [Tun inbound](/configuration/inbound/tun#stack).                                                                                                                                                                                                                                    |
 
 The binary is built under $GOPATH/bin
 
@@ -36,4 +36,4 @@ sing-box version
 ```
 
 It is also recommended to use systemd to manage sing-box service,
-see [Linux server installation example](./examples/linux-server-installation).
+see [Linux server installation example](/examples/linux-server-installation).

docs/installation/from-source.zh.md

@@ -12,22 +12,22 @@ go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
 go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
 ```
 
-| 构建标志                         | 描述                                                                                                                                                                                                                                                                           |
-|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `with_quic`                  | 启用 QUIC 支持，参阅 [QUIC 和 HTTP3 DNS 传输层](./configuration/dns/server)，[Naive 入站](./configuration/inbound/naive)，[Hysteria 入站](./configuration/inbound/hysteria)，[Hysteria 出站](./configuration/outbound/hysteria) 和 [V2Ray 传输层#QUIC](./configuration/shared/v2ray-transport#quic)。 |
-| `with_grpc`                  | 启用标准 gRPC 支持，参阅 [V2Ray 传输层#gRPC](./configuration/shared/v2ray-transport#grpc)。                                                                                                                                                                                               |
-| `with_dhcp`                  | 启用 DHCP 支持，参阅 [DHCP DNS 传输层](./configuration/dns/server)。                                                                                                                                                                                                                    |
-| `with_wireguard`             | 启用 WireGuard 支持，参阅 [WireGuard 出站](./configuration/outbound/wireguard)。                                                                                                                                                                                                       |
-| `with_shadowsocksr`          | 启用 ShadowsocksR 支持，参阅 [ShadowsocksR 出站](./configuration/outbound/shadowsocksr)。                                                                                                                                                                                              |
-| `with_ech`                   | 启用 TLS ECH 扩展支持，参阅 [TLS](./configuration/shared/tls#ech)。                                                                                                                                                                                                                    |
-| `with_utls`                  | 启用 [uTLS](https://github.com/refraction-networking/utls) 支持，参阅 [TLS](./configuration/shared/tls#utls)。                                                                                                                                                                       |
-| `with_reality_server`        | 启用 reality TLS 服务器支持，参阅 [TLS](./configuration/shared/tls)。                                                                                                                                                                                                                   |
-| `with_acme`                  | 启用 ACME TLS 证书签发支持，参阅 [TLS](./configuration/shared/tls)。                                                                                                                                                                                                                     |
-| `with_clash_api`             | 启用 Clash API 支持，参阅 [实验性](./configuration/experimental#clash-api-fields)。                                                                                                                                                                                                     |
-| `with_v2ray_api`             | 启用 V2Ray API 支持，参阅 [实验性](./configuration/experimental#v2ray-api-fields)。                                                                                                                                                                                                     |
-| `with_gvisor`                | 启用 gVisor 支持，参阅 [Tun 入站](./configuration/inbound/tun#stack) 和 [WireGuard 出站](./configuration/outbound/wireguard#system_interface)。                                                                                                                                           |
-| `with_embedded_tor` (需要 CGO) | 启用 嵌入式 Tor 支持，参阅 [Tor 出站](./configuration/outbound/tor)。                                                                                                                                                                                                                     |
-| `with_lwip` (需要 CGO)         | 启用 LWIP Tun 栈支持，参阅 [Tun 入站](./configuration/inbound/tun#stack)。                                                                                                                                                                                                              |
+| 构建标志                         | 描述                                                                                                                                                                                                                                                                      |
+|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `with_quic`                  | 启用 QUIC 支持，参阅 [QUIC 和 HTTP3 DNS 传输层](/configuration/dns/server)，[Naive 入站](/configuration/inbound/naive)，[Hysteria 入站](/configuration/inbound/hysteria)，[Hysteria 出站](/configuration/outbound/hysteria) 和 [V2Ray 传输层#QUIC](/configuration/shared/v2ray-transport#quic)。 |
+| `with_grpc`                  | 启用标准 gRPC 支持，参阅 [V2Ray 传输层#gRPC](/configuration/shared/v2ray-transport#grpc)。                                                                                                                                                                                           |
+| `with_dhcp`                  | 启用 DHCP 支持，参阅 [DHCP DNS 传输层](/configuration/dns/server)。                                                                                                                                                                                                                |
+| `with_wireguard`             | 启用 WireGuard 支持，参阅 [WireGuard 出站](/configuration/outbound/wireguard)。                                                                                                                                                                                                   |
+| `with_shadowsocksr`          | 启用 ShadowsocksR 支持，参阅 [ShadowsocksR 出站](/configuration/outbound/shadowsocksr)。                                                                                                                                                                                          |
+| `with_ech`                   | 启用 TLS ECH 扩展支持，参阅 [TLS](/configuration/shared/tls#ech)。                                                                                                                                                                                                                |
+| `with_utls`                  | 启用 [uTLS](https://github.com/refraction-networking/utls) 支持，参阅 [TLS](/configuration/shared/tls#utls)。                                                                                                                                                                   |
+| `with_reality_server`        | 启用 reality TLS 服务器支持，参阅 [TLS](/configuration/shared/tls)。                                                                                                                                                                                                               |
+| `with_acme`                  | 启用 ACME TLS 证书签发支持，参阅 [TLS](/configuration/shared/tls)。                                                                                                                                                                                                                 |
+| `with_clash_api`             | 启用 Clash API 支持，参阅 [实验性](/configuration/experimental#clash-api-fields)。                                                                                                                                                                                                 |
+| `with_v2ray_api`             | 启用 V2Ray API 支持，参阅 [实验性](/configuration/experimental#v2ray-api-fields)。                                                                                                                                                                                                 |
+| `with_gvisor`                | 启用 gVisor 支持，参阅 [Tun 入站](/configuration/inbound/tun#stack) 和 [WireGuard 出站](/configuration/outbound/wireguard#system_interface)。                                                                                                                                        |
+| `with_embedded_tor` (需要 CGO) | 启用 嵌入式 Tor 支持，参阅 [Tor 出站](/configuration/outbound/tor)。                                                                                                                                                                                                                 |
+| `with_lwip` (需要 CGO)         | 启用 LWIP Tun 栈支持，参阅 [Tun 入站](/configuration/inbound/tun#stack)。                                                                                                                                                                                                          |
 
 二进制文件将被构建在 `$GOPATH/bin` 下。
 
@@ -36,4 +36,4 @@ sing-box version
 ```
 
 同时推荐使用 systemd 来管理 sing-box 服务器实例。
-参阅 [Linux 服务器安装示例](./examples/linux-server-installation)。
+参阅 [Linux 服务器安装示例](/examples/linux-server-installation)。