documentation: Update changelog

Fix cache file
Add support for macOS system extension
2023-07-24 17:56:39 +08:00 · 2023-07-24 16:51:03 +08:00 · 2023-07-24 16:51:03 +08:00 · 2023-07-23 14:23:51 +08:00 · 2023-07-20 20:03:20 +08:00 · 2023-07-20 19:59:04 +08:00
137 changed files with 2398 additions and 1821 deletions
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -14,6 +14,7 @@ builds:
    tags:
      - with_gvisor
      - with_quic
      - with_dhcp
      - with_wireguard
      - with_utls
      - with_reality_server
@@ -48,6 +49,7 @@ builds:
    tags:
      - with_gvisor
      - with_quic
      - with_dhcp
      - with_wireguard
      - with_utls
      - with_clash_api
--- a/2
+++ b/2
@@ -9,7 +9,7 @@ RUN set -ex \
    && apk add git build-base \
    && export COMMIT=$(git rev-parse --short HEAD) \
    && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
+    && go build -v -trimpath -tags with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
        -o /go/bin/sing-box \
        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
        ./cmd/sing-box
--- a/12
+++ b/12
@@ -1,6 +1,6 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api
+TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr
 GOHOSTOS = $(shell go env GOHOSTOS)
@@ -22,7 +22,7 @@ install:
 fmt:
 	@gofumpt -l -w .
 	@gofmt -s -w .
-	@gci write --custom-order -s "standard,prefix(github.com/sagernet/),default" .
+	@gci write --custom-order -s standard -s "prefix(github.com/sagernet/)" -s "default" .
 fmt_install:
 	go install -v mvdan.cc/gofumpt@latest
@@ -48,14 +48,14 @@ proto_install:
 	go install -v google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
 snapshot:
-	go run ./cmd/internal/build goreleaser release --rm-dist --snapshot || exit 1
+	go run ./cmd/internal/build goreleaser release --clean --snapshot || exit 1
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
 	ghr --delete --draft --prerelease -p 1 nightly dist/release
 	rm -r dist
 release:
-	go run ./cmd/internal/build goreleaser release --rm-dist --skip-publish || exit 1
+	go run ./cmd/internal/build goreleaser release --clean --skip-publish || exit 1
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
 	ghr --delete --draft --prerelease -p 3 $(shell git describe --tags) dist/release
@@ -89,8 +89,8 @@ lib:
 lib_install:
 	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230413023804-244d7ff07035
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230701084532-493ee2e45182
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230413023804-244d7ff07035
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230701084532-493ee2e45182
 clean:
 	rm -rf bin dist sing-box
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@@ -31,6 +31,7 @@ type Tracker interface {
 }
 type OutboundGroup interface {
 	Outbound
 	Now() string
 	All() []string
 }
--- a/adapter/fakeip.go
+++ b/adapter/fakeip.go
@@ -4,12 +4,13 @@ import (
 	"net/netip"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/logger"
 )
 type FakeIPStore interface {
 	Service
 	Contains(address netip.Addr) bool
-	Create(domain string, strategy dns.DomainStrategy) (netip.Addr, error)
+	Create(domain string, isIPv6 bool) (netip.Addr, error)
 	Lookup(address netip.Addr) (string, bool)
 	Reset() error
 }
@@ -18,6 +19,13 @@ type FakeIPStorage interface {
 	FakeIPMetadata() *FakeIPMetadata
 	FakeIPSaveMetadata(metadata *FakeIPMetadata) error
 	FakeIPStore(address netip.Addr, domain string) error
 	FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger)
 	FakeIPLoad(address netip.Addr) (string, bool)
 	FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bool)
 	FakeIPReset() error
 }
 type FakeIPTransport interface {
 	dns.Transport
 	Store() FakeIPStore
 }
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -46,6 +46,7 @@ type InboundContext struct {
 	SourceGeoIPCode      string
 	GeoIPCode            string
 	ProcessInfo          *process.Info
 	FakeIP               bool
 	// dns cache
--- a/adapter/outbound.go
+++ b/adapter/outbound.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"net"
 	"github.com/sagernet/sing-tun"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -14,12 +13,8 @@ type Outbound interface {
 	Type() string
 	Tag() string
 	Network() []string
 	Dependencies() []string
 	N.Dialer
 	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }
 type IPOutbound interface {
 	Outbound
 	NewIPConnection(ctx context.Context, conn tun.RouteContext, metadata InboundContext) (tun.DirectDestination, error)
 }
--- a/adapter/prestart.go
+++ b/adapter/prestart.go
@@ -4,12 +4,6 @@ type PreStarter interface {
 	PreStart() error
 }
-func PreStart(starter any) error {
+type PostStarter interface {
-	if preService, ok := starter.(PreStarter); ok {
+	PostStart() error
 		err := preService.PreStart()
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -25,9 +25,6 @@ type Router interface {
 	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 	RouteIPConnection(ctx context.Context, conn tun.RouteContext, metadata InboundContext) tun.RouteAction
 	NatRequired(outbound string) bool
 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
@@ -45,9 +42,7 @@ type Router interface {
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
 	Rules() []Rule
 	IPRules() []IPRule
 	TimeService
@@ -89,11 +84,6 @@ type DNSRule interface {
 	RewriteTTL() *uint32
 }
 type IPRule interface {
 	Rule
 	Action() tun.ActionType
 }
 type InterfaceUpdateListener interface {
 	InterfaceUpdated() error
 }
--- a/box.go
+++ b/box.go
@@ -211,27 +211,18 @@ func (s *Box) Start() error {
 func (s *Box) preStart() error {
 	for serviceName, service := range s.preServices {
-		s.logger.Trace("pre-start ", serviceName)
+		if preService, isPreService := service.(adapter.PreStarter); isPreService {
-		err := adapter.PreStart(service)
+			s.logger.Trace("pre-start ", serviceName)
-		if err != nil {
+			err := preService.PreStart()
 			return E.Cause(err, "pre-starting ", serviceName)
 		}
 	}
 	for i, out := range s.outbounds {
 		var tag string
 		if out.Tag() == "" {
 			tag = F.ToString(i)
 		} else {
 			tag = out.Tag()
 		}
 		if starter, isStarter := out.(common.Starter); isStarter {
 			s.logger.Trace("initializing outbound/", out.Type(), "[", tag, "]")
 			err := starter.Start()
 			if err != nil {
-				return E.Cause(err, "initialize outbound/", out.Type(), "[", tag, "]")
+				return E.Cause(err, "pre-starting ", serviceName)
 			}
 		}
 	}
 	err := s.startOutbounds()
 	if err != nil {
 		return err
 	}
 	return s.router.Start()
 }
@@ -260,13 +251,26 @@ func (s *Box) start() error {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
 	return nil
 }
 func (s *Box) postStart() error {
 	for serviceName, service := range s.postServices {
 		s.logger.Trace("starting ", service)
-		err = service.Start()
+		err := service.Start()
 		if err != nil {
 			return E.Cause(err, "start ", serviceName)
 		}
 	}
 	for serviceName, service := range s.outbounds {
 		if lateService, isLateService := service.(adapter.PostStarter); isLateService {
 			s.logger.Trace("post-starting ", service)
 			err := lateService.PostStart()
 			if err != nil {
 				return E.Cause(err, "post-start ", serviceName)
 			}
 		}
 	}
 	return nil
 }
--- a/box_outbound.go
+++ b/box_outbound.go
@@ -0,0 +1,79 @@
 package box
 import (
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 )
 func (s *Box) startOutbounds() error {
 	outboundTags := make(map[adapter.Outbound]string)
 	outbounds := make(map[string]adapter.Outbound)
 	for i, outboundToStart := range s.outbounds {
 		var outboundTag string
 		if outboundToStart.Tag() == "" {
 			outboundTag = F.ToString(i)
 		} else {
 			outboundTag = outboundToStart.Tag()
 		}
 		if _, exists := outbounds[outboundTag]; exists {
 			return E.New("outbound tag ", outboundTag, " duplicated")
 		}
 		outboundTags[outboundToStart] = outboundTag
 		outbounds[outboundTag] = outboundToStart
 	}
 	started := make(map[string]bool)
 	for {
 		canContinue := false
 	startOne:
 		for _, outboundToStart := range s.outbounds {
 			outboundTag := outboundTags[outboundToStart]
 			if started[outboundTag] {
 				continue
 			}
 			dependencies := outboundToStart.Dependencies()
 			for _, dependency := range dependencies {
 				if !started[dependency] {
 					continue startOne
 				}
 			}
 			started[outboundTag] = true
 			canContinue = true
 			if starter, isStarter := outboundToStart.(common.Starter); isStarter {
 				s.logger.Trace("initializing outbound/", outboundToStart.Type(), "[", outboundTag, "]")
 				err := starter.Start()
 				if err != nil {
 					return E.Cause(err, "initialize outbound/", outboundToStart.Type(), "[", outboundTag, "]")
 				}
 			}
 		}
 		if len(started) == len(s.outbounds) {
 			break
 		}
 		if canContinue {
 			continue
 		}
 		currentOutbound := common.Find(s.outbounds, func(it adapter.Outbound) bool {
 			return !started[outboundTags[it]]
 		})
 		var lintOutbound func(oTree []string, oCurrent adapter.Outbound) error
 		lintOutbound = func(oTree []string, oCurrent adapter.Outbound) error {
 			problemOutboundTag := common.Find(oCurrent.Dependencies(), func(it string) bool {
 				return !started[it]
 			})
 			if common.Contains(oTree, problemOutboundTag) {
 				return E.New("circular outbound dependency: ", strings.Join(oTree, " -> "), " -> ", problemOutboundTag)
 			}
 			problemOutbound := outbounds[problemOutboundTag]
 			if problemOutbound == nil {
 				return E.New("dependency[", problemOutbound, "] not found for outbound[", outboundTags[oCurrent], "]")
 			}
 			return lintOutbound(append(oTree, problemOutboundTag), problemOutbound)
 		}
 		return lintOutbound([]string{outboundTags[currentOutbound]}, currentOutbound)
 	}
 	return nil
 }
--- a/cmd/internal/build/main.go
+++ b/cmd/internal/build/main.go
@@ -1,6 +1,7 @@
 package main
 import (
 	"go/build"
 	"os"
 	"os/exec"
@@ -11,6 +12,10 @@ import (
 func main() {
 	build_shared.FindSDK()
 	if os.Getenv("build.Default.GOPATH") == "" {
 		os.Setenv("GOPATH", build.Default.GOPATH)
 	}
 	command := exec.Command(os.Args[1], os.Args[2:]...)
 	command.Stdout = os.Stdout
 	command.Stderr = os.Stderr
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -40,6 +40,7 @@ var (
 	sharedFlags []string
 	debugFlags  []string
 	sharedTags  []string
 	iosTags     []string
 	debugTags   []string
 )
@@ -54,7 +55,7 @@ func init() {
 	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
 	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api")
-	sharedTags = append(sharedTags, "test_sing_shadowsocks2")
+	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	debugTags = append(debugTags, "debug")
 }
@@ -115,7 +116,7 @@ func buildiOS() {
 		args = append(args, debugFlags...)
 	}
-	tags := append(sharedTags, "with_low_memory", "with_conntrack")
+	tags := append(sharedTags, iosTags...)
 	args = append(args, "-tags")
 	if !debugEnabled {
 		args = append(args, strings.Join(tags, ","))
@@ -132,7 +133,7 @@ func buildiOS() {
 		log.Fatal(err)
 	}
-	copyPath := filepath.Join("..", "sing-box-for-ios")
+	copyPath := filepath.Join("..", "sing-box-for-apple")
 	if rw.FileExists(copyPath) {
 		targetDir := filepath.Join(copyPath, "Libbox.xcframework")
 		targetDir, _ = filepath.Abs(targetDir)
--- a/common/baderror/baderror.go
+++ b/common/baderror/baderror.go
@@ -55,7 +55,7 @@ func WrapQUIC(err error) error {
 	if err == nil {
 		return nil
 	}
-	if Contains(err, "canceled with error code 0") {
+	if Contains(err, "canceled by local with error code 0") {
 		return net.ErrClosed
 	}
 	return err
--- a/common/debugio/log.go
+++ b/common/debugio/log.go
@@ -1,87 +0,0 @@
 package debugio
 import (
 	"net"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type LogConn struct {
 	N.ExtendedConn
 	logger log.Logger
 	prefix string
 }
 func NewLogConn(conn net.Conn, logger log.Logger, prefix string) N.ExtendedConn {
 	return &LogConn{bufio.NewExtendedConn(conn), logger, prefix}
 }
 func (c *LogConn) Read(p []byte) (n int, err error) {
 	n, err = c.ExtendedConn.Read(p)
 	if n > 0 {
 		c.logger.Debug(c.prefix, " read ", buf.EncodeHexString(p[:n]))
 	}
 	return
 }
 func (c *LogConn) Write(p []byte) (n int, err error) {
 	c.logger.Debug(c.prefix, " write ", buf.EncodeHexString(p))
 	return c.ExtendedConn.Write(p)
 }
 func (c *LogConn) ReadBuffer(buffer *buf.Buffer) error {
 	err := c.ExtendedConn.ReadBuffer(buffer)
 	if err == nil {
 		c.logger.Debug(c.prefix, " read buffer ", buf.EncodeHexString(buffer.Bytes()))
 	}
 	return err
 }
 func (c *LogConn) WriteBuffer(buffer *buf.Buffer) error {
 	c.logger.Debug(c.prefix, " write buffer ", buf.EncodeHexString(buffer.Bytes()))
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *LogConn) Upstream() any {
 	return c.ExtendedConn
 }
 type LogPacketConn struct {
 	N.NetPacketConn
 	logger log.Logger
 	prefix string
 }
 func NewLogPacketConn(conn net.PacketConn, logger log.Logger, prefix string) N.NetPacketConn {
 	return &LogPacketConn{bufio.NewPacketConn(conn), logger, prefix}
 }
 func (c *LogPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
 	n, addr, err = c.NetPacketConn.ReadFrom(p)
 	if n > 0 {
 		c.logger.Debug(c.prefix, " read from ", addr, " ", buf.EncodeHexString(p[:n]))
 	}
 	return
 }
 func (c *LogPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
 	c.logger.Debug(c.prefix, " write to ", addr, " ", buf.EncodeHexString(p))
 	return c.NetPacketConn.WriteTo(p, addr)
 }
 func (c *LogPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
 	destination, err = c.NetPacketConn.ReadPacket(buffer)
 	if err == nil {
 		c.logger.Debug(c.prefix, " read packet from ", destination, " ", buf.EncodeHexString(buffer.Bytes()))
 	}
 	return
 }
 func (c *LogPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	c.logger.Debug(c.prefix, " write packet to ", destination, " ", buf.EncodeHexString(buffer.Bytes()))
 	return c.NetPacketConn.WritePacket(buffer, destination)
 }
--- a/common/debugio/print.go
+++ b/common/debugio/print.go
@@ -1,19 +0,0 @@
 package debugio
 import (
 	"fmt"
 	"reflect"
 	"github.com/sagernet/sing/common"
 )
 func PrintUpstream(obj any) {
 	for obj != nil {
 		fmt.Println(reflect.TypeOf(obj))
 		if u, ok := obj.(common.WithUpstream); !ok {
 			break
 		} else {
 			obj = u.Upstream()
 		}
 	}
 }
--- a/common/debugio/race.go
+++ b/common/debugio/race.go
@@ -1,48 +0,0 @@
 package debugio
 import (
 	"net"
 	"sync"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	N "github.com/sagernet/sing/common/network"
 )
 type RaceConn struct {
 	N.ExtendedConn
 	readAccess  sync.Mutex
 	writeAccess sync.Mutex
 }
 func NewRaceConn(conn net.Conn) N.ExtendedConn {
 	return &RaceConn{ExtendedConn: bufio.NewExtendedConn(conn)}
 }
 func (c *RaceConn) Read(p []byte) (n int, err error) {
 	c.readAccess.Lock()
 	defer c.readAccess.Unlock()
 	return c.ExtendedConn.Read(p)
 }
 func (c *RaceConn) Write(p []byte) (n int, err error) {
 	c.writeAccess.Lock()
 	defer c.writeAccess.Unlock()
 	return c.ExtendedConn.Write(p)
 }
 func (c *RaceConn) ReadBuffer(buffer *buf.Buffer) error {
 	c.readAccess.Lock()
 	defer c.readAccess.Unlock()
 	return c.ExtendedConn.ReadBuffer(buffer)
 }
 func (c *RaceConn) WriteBuffer(buffer *buf.Buffer) error {
 	c.writeAccess.Lock()
 	defer c.writeAccess.Unlock()
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *RaceConn) Upstream() any {
 	return c.ExtendedConn
 }
--- a/common/dialer/tfo.go
+++ b/common/dialer/tfo.go
@@ -128,13 +128,6 @@ func (c *slowOpenConn) NeedHandshake() bool {
 	return c.conn == nil
 }
 func (c *slowOpenConn) ReadFrom(r io.Reader) (n int64, err error) {
 	if c.conn != nil {
 		return bufio.Copy(c.conn, r)
 	}
 	return bufio.ReadFrom0(c, r)
 }
 func (c *slowOpenConn) WriteTo(w io.Writer) (n int64, err error) {
 	if c.conn == nil {
 		select {
--- a/common/process/searcher_linux_shared.go
+++ b/common/process/searcher_linux_shared.go
@@ -15,7 +15,6 @@ import (
 	"unicode"
 	"unsafe"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
@@ -82,9 +81,7 @@ func resolveSocketByNetlink(network string, source netip.AddrPort, destination n
 		return 0, 0, E.Cause(err, "write netlink request")
 	}
-	_buffer := buf.StackNew()
+	buffer := buf.New()
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	n, err := syscall.Read(socket, buffer.FreeBytes())
--- a/common/sniff/dns.go
+++ b/common/sniff/dns.go
@@ -26,9 +26,7 @@ func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.
 	if length == 0 {
 		return nil, os.ErrInvalid
 	}
-	_buffer := buf.StackNewSize(int(length))
+	buffer := buf.NewSize(int(length))
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	readCtx, cancel := context.WithTimeout(readCtx, time.Millisecond*100)
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -21,6 +21,7 @@ import (
 type acmeWrapper struct {
 	ctx    context.Context
 	cfg    *certmagic.Config
 	cache  *certmagic.Cache
 	domain []string
 }
@@ -29,7 +30,7 @@ func (w *acmeWrapper) Start() error {
 }
 func (w *acmeWrapper) Close() error {
-	w.cfg.Unmanage(w.domain)
+	w.cache.Stop()
 	return nil
 }
@@ -77,10 +78,11 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
 	}
 	config.Issuers = []certmagic.Issuer{certmagic.NewACMEIssuer(config, acmeConfig)}
-	config = certmagic.New(certmagic.NewCache(certmagic.CacheOptions{
+	cache := certmagic.NewCache(certmagic.CacheOptions{
 		GetConfigForCert: func(certificate certmagic.Certificate) (*certmagic.Config, error) {
 			return config, nil
 		},
-	}), *config)
+	})
-	return config.TLSConfig(), &acmeWrapper{ctx, config, options.Domain}, nil
+	config = certmagic.New(cache, *config)
 	return config.TLSConfig(), &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
 }
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@@ -111,6 +111,16 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	if err != nil {
 		return nil, err
 	}
 	if len(uConfig.NextProtos) > 0 {
 		for _, extension := range uConn.Extensions {
 			if alpnExtension, isALPN := extension.(*utls.ALPNExtension); isALPN {
 				alpnExtension.AlpnProtocols = uConfig.NextProtos
 				break
 			}
 		}
 	}
 	hello := uConn.HandshakeState.Hello
 	hello.SessionId = make([]byte, 32)
 	copy(hello.Raw[39:], hello.SessionId)
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -3,6 +3,7 @@
 package tls
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"math/rand"
@@ -47,7 +48,7 @@ func (e *UTLSClientConfig) Config() (*STDConfig, error) {
 }
 func (e *UTLSClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}, nil
+	return &utlsALPNWrapper{utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}, e.config.NextProtos}, nil
 }
 func (e *UTLSClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
@@ -87,6 +88,31 @@ func (c *utlsConnWrapper) Upstream() any {
 	return c.UConn
 }
 type utlsALPNWrapper struct {
 	utlsConnWrapper
 	nextProtocols []string
 }
 func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
 	if len(c.nextProtocols) > 0 {
 		err := c.BuildHandshakeState()
 		if err != nil {
 			return err
 		}
 		for _, extension := range c.Extensions {
 			if alpnExtension, isALPN := extension.(*utls.ALPNExtension); isALPN {
 				alpnExtension.AlpnProtocols = c.nextProtocols
 				err = c.BuildHandshakeState()
 				if err != nil {
 					return err
 				}
 				break
 			}
 		}
 	}
 	return c.UConn.HandshakeContext(ctx)
 }
 func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
 	var serverName string
 	if options.ServerName != "" {
--- a/common/urltest/urltest.go
+++ b/common/urltest/urltest.go
@@ -10,6 +10,7 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
 )
 type History struct {
@@ -20,6 +21,7 @@ type History struct {
 type HistoryStorage struct {
 	access       sync.RWMutex
 	delayHistory map[string]*History
 	callbacks    list.List[func()]
 }
 func NewHistoryStorage() *HistoryStorage {
@@ -28,6 +30,18 @@ func NewHistoryStorage() *HistoryStorage {
 	}
 }
 func (s *HistoryStorage) AddListener(listener func()) *list.Element[func()] {
 	s.access.Lock()
 	defer s.access.Unlock()
 	return s.callbacks.PushBack(listener)
 }
 func (s *HistoryStorage) RemoveListener(element *list.Element[func()]) {
 	s.access.Lock()
 	defer s.access.Unlock()
 	s.callbacks.Remove(element)
 }
 func (s *HistoryStorage) LoadURLTestHistory(tag string) *History {
 	if s == nil {
 		return nil
@@ -39,14 +53,24 @@ func (s *HistoryStorage) LoadURLTestHistory(tag string) *History {
 func (s *HistoryStorage) DeleteURLTestHistory(tag string) {
 	s.access.Lock()
 	defer s.access.Unlock()
 	delete(s.delayHistory, tag)
 	s.access.Unlock()
 	s.notifyUpdated()
 }
 func (s *HistoryStorage) StoreURLTestHistory(tag string, history *History) {
 	s.access.Lock()
 	defer s.access.Unlock()
 	s.delayHistory[tag] = history
 	s.access.Unlock()
 	s.notifyUpdated()
 }
 func (s *HistoryStorage) notifyUpdated() {
 	s.access.RLock()
 	defer s.access.RUnlock()
 	for element := s.callbacks.Front(); element != nil; element = element.Next() {
 		element.Value()
 	}
 }
 func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err error) {
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,3 +1,101 @@
 #### 1.3.3
 * Fixes and improvements
 #### 1.3.1-rc.1
 * Fix bugs and update dependencies
 #### 1.3.1-beta.3
 * Introducing our [new iOS](/installation/clients/sfi) and [macOS](/installation/clients/sfm) client applications **1**
 * Fixes and improvements
 **1**:
 The old testflight link and app are no longer valid.
 #### 1.3.1-beta.2
 * Fix bugs and update dependencies
 #### 1.3.1-beta.1
 * Fixes and improvements
 #### 1.3.0
 * Fix bugs and update dependencies
 Important changes since 1.2:
 * Add [FakeIP](/configuration/dns/fakeip) support **1**
 * Improve multiplex **2**
 * Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
 * Add `rewrite_ttl` DNS rule action
 * Add `store_fakeip` Clash API option
 * Add multi-peer support for [WireGuard](/configuration/outbound/wireguard#peers) outbound
 * Add loopback detect
 * Add Clash.Meta API compatibility for Clash API
 * Download Yacd-meta by default if the specified Clash `external_ui` directory is empty
 * Add path and headers option for HTTP outbound
 * Perform URLTest recheck after network changes
 * Fix `system` tun stack for ios
 * Fix network monitor for android/ios
 * Update VLESS and XUDP protocol
 * Make splice work with traffic statistics systems like Clash API
 * Significantly reduces memory usage of idle connections
 * Improve DNS caching
 * Add `independent_cache` [option](/configuration/dns#independent_cache) for DNS
 * Reimplemented shadowsocks client
 * Add multiplex support for VLESS outbound
 * Automatically add Windows firewall rules in order for the system tun stack to work
 * Fix TLS 1.2 support for shadow-tls client
 * Add `cache_id` [option](/configuration/experimental#cache_id) for Clash cache file
 * Fix `local` DNS transport for Android
 *1*:
 See [FAQ](/faq/fakeip) for more information.
 *2*:
 Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex).
 #### 1.3-rc2
 * Fix `local` DNS transport for Android
 * Fix bugs and update dependencies
 #### 1.3-rc1
 * Fix bugs and update dependencies
 #### 1.3-beta14
 * Fixes and improvements
 #### 1.3-beta13
 * Fix resolving fakeip domains  **1**
 * Deprecate L3 routing
 * Fix bugs and update dependencies
 **1**:
 If the destination address of the connection is obtained from fakeip, dns rules with server type fakeip will be skipped.
 #### 1.3-beta12
 * Automatically add Windows firewall rules in order for the system tun stack to work
 * Fix TLS 1.2 support for shadow-tls client
 * Add `cache_id` [option](/configuration/experimental#cache_id) for Clash cache file
 * Fixes and improvements
 #### 1.3-beta11
 * Fix bugs and update dependencies
 #### 1.3-beta10
 * Improve direct copy **1**
--- a/docs/configuration/experimental/index.md
+++ b/docs/configuration/experimental/index.md
@@ -7,13 +7,14 @@
  "experimental": {
    "clash_api": {
      "external_controller": "127.0.0.1:9090",
-      "external_ui": "folder",
+      "external_ui": "",
      "external_ui_download_url": "",
      "external_ui_download_detour": "",
      "secret": "",
-      "default_mode": "rule",
+      "default_mode": "",
      "store_selected": false,
-      "cache_file": "cache.db"
+      "cache_file": "",
      "cache_id": ""
    },
    "v2ray_api": {
      "listen": "127.0.0.1:8080",
@@ -91,6 +92,12 @@ Store selected outbound for the `Selector` outbound in cache file.
 Cache file path, `cache.db` will be used if empty.
 #### cache_id
 Cache ID.
 If not empty, `store_selected` will use a separate store keyed by it.
 ### V2Ray API Fields
 !!! error ""
--- a/docs/configuration/experimental/index.zh.md
+++ b/docs/configuration/experimental/index.zh.md
@@ -7,13 +7,14 @@
  "experimental": {
    "clash_api": {
      "external_controller": "127.0.0.1:9090",
-      "external_ui": "folder",
+      "external_ui": "",
      "external_ui_download_url": "",
      "external_ui_download_detour": "",
      "secret": "",
-      "default_mode": "rule",
+      "default_mode": "",
      "store_selected": false,
-      "cache_file": "cache.db"
+      "cache_file": "",
      "cache_id": ""
    },
    "v2ray_api": {
      "listen": "127.0.0.1:8080",
@@ -89,6 +90,12 @@ Clash 中的默认模式，默认使用 `rule`。
 缓存文件路径，默认使用`cache.db`。
 #### cache_id
 缓存 ID。
 如果不为空，`store_selected` 将会使用以此为键的独立存储。
 ### V2Ray API 字段
 !!! error ""
--- a/docs/configuration/route/index.md
+++ b/docs/configuration/route/index.md
@@ -7,7 +7,6 @@
  "route": {
    "geoip": {},
    "geosite": {},
    "ip_rules": [],
    "rules": [],
    "final": "",
    "auto_detect_interface": false,
@@ -24,7 +23,6 @@
 |------------|------------------------------------|
 | `geoip`    | [GeoIP](./geoip)                   |
 | `geosite`  | [Geosite](./geosite)               |
 | `ip_rules` | List of [IP Route Rule](./ip-rule) |
 | `rules`    | List of [Route Rule](./rule)       |
 #### final
--- a/docs/examples/fakeip.md
+++ b/docs/examples/fakeip.md
@@ -0,0 +1,106 @@
 ```json
 {
  "dns": {
    "servers": [
      {
        "tag": "google",
        "address": "tls://8.8.8.8"
      },
      {
        "tag": "local",
        "address": "223.5.5.5",
        "detour": "direct"
      },
      {
        "tag": "remote",
        "address": "fakeip"
      },
      {
        "tag": "block",
        "address": "rcode://success"
      }
    ],
    "rules": [
      {
        "geosite": "category-ads-all",
        "server": "block",
        "disable_cache": true
      },
      {
        "outbound": "any",
        "server": "local"
      },
      {
        "geosite": "cn",
        "server": "local"
      },
      {
        "query_type": [
          "A",
          "AAAA"
        ],
        "server": "remote"
      }
    ],
    "fakeip": {
      "enabled": true,
      "inet4_range": "198.18.0.0/15",
      "inet6_range": "fc00::/18"
    },
    "independent_cache": true,
    "strategy": "ipv4_only"
  },
  "inbounds": [
    {
      "type": "tun",
      "inet4_address": "172.19.0.1/30",
      "auto_route": true,
      "sniff": true,
      "domain_strategy": "ipv4_only" // remove this line if you want to resolve the domain remotely (if the server is not sing-box, UDP may not work due to wrong behavior).
    }
  ],
  "outbounds": [
    {
      "type": "shadowsocks",
      "tag": "proxy",
      "server": "mydomain.com",
      "server_port": 8080,
      "method": "2022-blake3-aes-128-gcm",
      "password": "8JCsPssfgS8tiRwiMlhARg=="
    },
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "geosite": "cn",
        "geoip": [
          "private",
          "cn"
        ],
        "outbound": "direct"
      },
      {
        "geosite": "category-ads-all",
        "outbound": "block"
      }
    ],
    "auto_detect_interface": true
  }
 }
 ```
--- a/docs/examples/fakeip.zh.md
+++ b/docs/examples/fakeip.zh.md
@@ -0,0 +1,106 @@
 ```json
 {
  "dns": {
    "servers": [
      {
        "tag": "google",
        "address": "tls://8.8.8.8"
      },
      {
        "tag": "local",
        "address": "223.5.5.5",
        "detour": "direct"
      },
      {
        "tag": "remote",
        "address": "fakeip"
      },
      {
        "tag": "block",
        "address": "rcode://success"
      }
    ],
    "rules": [
      {
        "geosite": "category-ads-all",
        "server": "block",
        "disable_cache": true
      },
      {
        "outbound": "any",
        "server": "local"
      },
      {
        "geosite": "cn",
        "server": "local"
      },
      {
        "query_type": [
          "A",
          "AAAA"
        ],
        "server": "remote"
      }
    ],
    "fakeip": {
      "enabled": true,
      "inet4_range": "198.18.0.0/15",
      "inet6_range": "fc00::/18"
    },
    "independent_cache": true,
    "strategy": "ipv4_only"
  },
  "inbounds": [
    {
      "type": "tun",
      "inet4_address": "172.19.0.1/30",
      "auto_route": true,
      "sniff": true,
      "domain_strategy": "ipv4_only" // 如果您想在远程解析域，删除此行 (如果服务器程序不为 sing-box，可能由于错误的行为导致 UDP 无法使用)。
    }
  ],
  "outbounds": [
    {
      "type": "shadowsocks",
      "tag": "proxy",
      "server": "mydomain.com",
      "server_port": 8080,
      "method": "2022-blake3-aes-128-gcm",
      "password": "8JCsPssfgS8tiRwiMlhARg=="
    },
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "geosite": "cn",
        "geoip": [
          "private",
          "cn"
        ],
        "outbound": "direct"
      },
      {
        "geosite": "category-ads-all",
        "outbound": "block"
      }
    ],
    "auto_detect_interface": true
  }
 }
 ```
--- a/docs/examples/index.md
+++ b/docs/examples/index.md
@@ -9,3 +9,4 @@ Configuration examples for sing-box.
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
 * [WireGuard Direct](./wireguard-direct)
 * [FakeIP](./fakeip)
--- a/docs/examples/index.zh.md
+++ b/docs/examples/index.zh.md
@@ -9,3 +9,4 @@ sing-box 的配置示例。
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
 * [WireGuard Direct](./wireguard-direct)
 * [FakeIP](./fakeip)
--- a/docs/faq/fakeip.md
+++ b/docs/faq/fakeip.md
@@ -5,8 +5,7 @@ responds to DNS requests with virtual results and restores mapping when acceptin
 #### Advantage
-* Retrieve the requested domain in places like IP routing (L3) where traffic detection is not possible to assist with routing.
+*
 * Decrease an RTT on the first TCP request to a domain (the most common reason).
 #### Limitation
@@ -15,6 +14,6 @@ responds to DNS requests with virtual results and restores mapping when acceptin
 #### Recommendation
-* Do not use if you do not need L3 routing.
+* Enable `dns.independent_cache` unless you always resolve FakeIP domains remotely.
 * If using tun, make sure FakeIP ranges is included in the tun's routes.
 * Enable `experimental.clash_api.store_fakeip` to persist FakeIP records, or use `dns.rules.rewrite_ttl` to avoid losing records after program restart in DNS cached environments.
--- a/docs/faq/fakeip.zh.md
+++ b/docs/faq/fakeip.zh.md
@@ -4,8 +4,7 @@ FakeIP 是指同时劫持 DNS 和连接请求的程序中的一种行为。它
 #### 优点
-* 在像 L3 路由这样无法进行流量探测的地方检索所请求的域名，以协助路由。
+*
 * 减少对一个域的第一个 TCP 请求的 RTT（这是最常见的原因）。
 #### 限制
@@ -14,6 +13,6 @@ FakeIP 是指同时劫持 DNS 和连接请求的程序中的一种行为。它
 #### 建议
-* 如果不需要 L3 路由，请勿使用。
+* 启用 `dns.independent_cache` 除非您始终远程解析 FakeIP 域。
 * 如果使用 tun，请确保 tun 路由中包含 FakeIP 地址范围。
 * 启用 `experimental.clash_api.store_fakeip` 以持久化 FakeIP 记录，或者使用 `dns.rules.rewrite_ttl` 避免程序重启后在 DNS 被缓存的环境中丢失记录。
--- a/docs/installation/clients/sfi.md
+++ b/docs/installation/clients/sfi.md
@@ -9,7 +9,7 @@ Experimental iOS client for sing-box.
 #### Download
-* [TestFlight](https://testflight.apple.com/join/c6ylui2j)
+* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
 #### Note
--- a/docs/installation/clients/sfi.zh.md
+++ b/docs/installation/clients/sfi.zh.md
@@ -9,7 +9,7 @@
 #### 下载
-* [TestFlight](https://testflight.apple.com/join/c6ylui2j)
+* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
 #### 注意事项
--- a/docs/installation/clients/sfm.md
+++ b/docs/installation/clients/sfm.md
@@ -0,0 +1,21 @@
 # SFM
 Experimental macOS client for sing-box.
 #### Requirements
 * macOS 13.0+
 #### Download
 * [TestFlight](https://testflight.apple.com/join/AcqO44FH)
 #### Note
 * User Agent in remote profile request is `SFM/$version ($version_code; sing-box $sing_box_version)`
 * Crash logs is located in `Settings` -> `View Service Log`
 #### Privacy policy
 * SFI did not collect or share personal data.
 * The data generated by the software is always on your device.
--- a/docs/installation/clients/sfm.zh.md
+++ b/docs/installation/clients/sfm.zh.md
@@ -0,0 +1,21 @@
 # SFM
 实验性的 macOS sing-box 客户端。
 #### 要求
 * macOS 13.0+
 #### 下载
 * [TestFlight](https://testflight.apple.com/join/AcqO44FH)
 #### 注意事项
 * 远程配置文件请求中的 User Agent 为 `SFM/$version ($version_code; sing-box $sing_box_version)`
 * 崩溃日志位于 `设置` -> `查看服务日志`
 #### 隐私政策
 * SFM 不收集或共享个人数据。
 * 软件生成的数据始终在您的设备上。
--- a/docs/support.md
+++ b/docs/support.md
@@ -1,8 +1,4 @@
-#### Github
+Github Issue: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)  
-
+Telegram Notification channel: [@yapnc](https://t.me/yapnc)  
-Issue: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)
+Telegram User group: [@yapug](https://t.me/yapug)  
-
+Email: [contact@sagernet.org](mailto:contact@sagernet.org)
 #### Telegram
 Notification channel: [@yapnc](https://t.me/yapnc)  
 User group: [@yapug](https://t.me/yapug)
--- a/docs/support.zh.md
+++ b/docs/support.zh.md
@@ -1,8 +1,4 @@
-#### Github
+Github 工单: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)  
-
+Telegram 通知频道: [@yapnc](https://t.me/yapnc)  
-工单: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)
+Telegram 用户组: [@yapug](https://t.me/yapug)  
-
+Email: [contact@sagernet.org](mailto:contact@sagernet.org)
 #### Telegram
 通知频道: [@yapnc](https://t.me/yapnc)  
 用户组: [@yapug](https://t.me/yapug)
--- a/experimental/clashapi/cachefile/cache.go
+++ b/experimental/clashapi/cachefile/cache.go
@@ -1,7 +1,10 @@
 package cachefile
 import (
 	"net/netip"
 	"os"
 	"strings"
 	"sync"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
@@ -14,10 +17,15 @@ var bucketSelected = []byte("selected")
 var _ adapter.ClashCacheFile = (*CacheFile)(nil)
 type CacheFile struct {
-	DB *bbolt.DB
+	DB           *bbolt.DB
 	cacheID      []byte
 	saveAccess   sync.RWMutex
 	saveDomain   map[netip.Addr]string
 	saveAddress4 map[string]netip.Addr
 	saveAddress6 map[string]netip.Addr
 }
-func Open(path string) (*CacheFile, error) {
+func Open(path string, cacheID string) (*CacheFile, error) {
 	const fileMode = 0o666
 	options := bbolt.Options{Timeout: time.Second}
 	db, err := bbolt.Open(path, fileMode, &options)
@@ -31,13 +39,73 @@ func Open(path string) (*CacheFile, error) {
 	if err != nil {
 		return nil, err
 	}
-	return &CacheFile{db}, nil
+	var cacheIDBytes []byte
 	if cacheID != "" {
 		cacheIDBytes = append([]byte{0}, []byte(cacheID)...)
 	}
 	err = db.Batch(func(tx *bbolt.Tx) error {
 		return tx.ForEach(func(name []byte, b *bbolt.Bucket) error {
 			if name[0] == 0 {
 				return b.ForEachBucket(func(k []byte) error {
 					bucketName := string(k)
 					if !(bucketName == string(bucketSelected)) {
 						delErr := b.DeleteBucket(name)
 						if delErr != nil {
 							return delErr
 						}
 					}
 					return nil
 				})
 			} else {
 				bucketName := string(name)
 				if !(bucketName == string(bucketSelected) || strings.HasPrefix(bucketName, fakeipBucketPrefix)) {
 					delErr := tx.DeleteBucket(name)
 					if delErr != nil {
 						return delErr
 					}
 				}
 			}
 			return nil
 		})
 	})
 	if err != nil {
 		return nil, err
 	}
 	return &CacheFile{
 		DB:           db,
 		cacheID:      cacheIDBytes,
 		saveDomain:   make(map[netip.Addr]string),
 		saveAddress4: make(map[string]netip.Addr),
 		saveAddress6: make(map[string]netip.Addr),
 	}, nil
 }
 func (c *CacheFile) bucket(t *bbolt.Tx, key []byte) *bbolt.Bucket {
 	if c.cacheID == nil {
 		return t.Bucket(key)
 	}
 	bucket := t.Bucket(c.cacheID)
 	if bucket == nil {
 		return nil
 	}
 	return bucket.Bucket(key)
 }
 func (c *CacheFile) createBucket(t *bbolt.Tx, key []byte) (*bbolt.Bucket, error) {
 	if c.cacheID == nil {
 		return t.CreateBucketIfNotExists(key)
 	}
 	bucket, err := t.CreateBucketIfNotExists(c.cacheID)
 	if bucket == nil {
 		return nil, err
 	}
 	return bucket.CreateBucketIfNotExists(key)
 }
 func (c *CacheFile) LoadSelected(group string) string {
 	var selected string
 	c.DB.View(func(t *bbolt.Tx) error {
-		bucket := t.Bucket(bucketSelected)
+		bucket := c.bucket(t, bucketSelected)
 		if bucket == nil {
 			return nil
 		}
@@ -52,7 +120,7 @@ func (c *CacheFile) LoadSelected(group string) string {
 func (c *CacheFile) StoreSelected(group, selected string) error {
 	return c.DB.Batch(func(t *bbolt.Tx) error {
-		bucket, err := t.CreateBucketIfNotExists(bucketSelected)
+		bucket, err := c.createBucket(t, bucketSelected)
 		if err != nil {
 			return err
 		}
--- a/experimental/clashapi/cachefile/fakeip.go
+++ b/experimental/clashapi/cachefile/fakeip.go
@@ -5,18 +5,24 @@ import (
 	"os"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	"go.etcd.io/bbolt"
 )
 const fakeipBucketPrefix = "fakeip_"
 var (
-	bucketFakeIP = []byte("fakeip")
+	bucketFakeIP        = []byte(fakeipBucketPrefix + "address")
-	keyMetadata  = []byte("metadata")
+	bucketFakeIPDomain4 = []byte(fakeipBucketPrefix + "domain4")
 	bucketFakeIPDomain6 = []byte(fakeipBucketPrefix + "domain6")
 	keyMetadata         = []byte(fakeipBucketPrefix + "metadata")
 )
 func (c *CacheFile) FakeIPMetadata() *adapter.FakeIPMetadata {
 	var metadata adapter.FakeIPMetadata
-	err := c.DB.View(func(tx *bbolt.Tx) error {
+	err := c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket := tx.Bucket(bucketFakeIP)
 		if bucket == nil {
 			return nil
@@ -25,6 +31,10 @@ func (c *CacheFile) FakeIPMetadata() *adapter.FakeIPMetadata {
 		if len(metadataBinary) == 0 {
 			return os.ErrInvalid
 		}
 		err := bucket.Delete(keyMetadata)
 		if err != nil {
 			return err
 		}
 		return metadata.UnmarshalBinary(metadataBinary)
 	})
 	if err != nil {
@@ -53,11 +63,54 @@ func (c *CacheFile) FakeIPStore(address netip.Addr, domain string) error {
 		if err != nil {
 			return err
 		}
-		return bucket.Put(address.AsSlice(), []byte(domain))
+		err = bucket.Put(address.AsSlice(), []byte(domain))
 		if err != nil {
 			return err
 		}
 		if address.Is4() {
 			bucket, err = tx.CreateBucketIfNotExists(bucketFakeIPDomain4)
 		} else {
 			bucket, err = tx.CreateBucketIfNotExists(bucketFakeIPDomain6)
 		}
 		if err != nil {
 			return err
 		}
 		return bucket.Put([]byte(domain), address.AsSlice())
 	})
 }
 func (c *CacheFile) FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger) {
 	c.saveAccess.Lock()
 	c.saveDomain[address] = domain
 	if address.Is4() {
 		c.saveAddress4[domain] = address
 	} else {
 		c.saveAddress6[domain] = address
 	}
 	c.saveAccess.Unlock()
 	go func() {
 		err := c.FakeIPStore(address, domain)
 		if err != nil {
 			logger.Warn("save FakeIP address pair: ", err)
 		}
 		c.saveAccess.Lock()
 		delete(c.saveDomain, address)
 		if address.Is4() {
 			delete(c.saveAddress4, domain)
 		} else {
 			delete(c.saveAddress6, domain)
 		}
 		c.saveAccess.Unlock()
 	}()
 }
 func (c *CacheFile) FakeIPLoad(address netip.Addr) (string, bool) {
 	c.saveAccess.RLock()
 	cachedDomain, cached := c.saveDomain[address]
 	c.saveAccess.RUnlock()
 	if cached {
 		return cachedDomain, true
 	}
 	var domain string
 	_ = c.DB.View(func(tx *bbolt.Tx) error {
 		bucket := tx.Bucket(bucketFakeIP)
@@ -70,8 +123,48 @@ func (c *CacheFile) FakeIPLoad(address netip.Addr) (string, bool) {
 	return domain, domain != ""
 }
 func (c *CacheFile) FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bool) {
 	var (
 		cachedAddress netip.Addr
 		cached        bool
 	)
 	c.saveAccess.RLock()
 	if !isIPv6 {
 		cachedAddress, cached = c.saveAddress4[domain]
 	} else {
 		cachedAddress, cached = c.saveAddress6[domain]
 	}
 	c.saveAccess.RUnlock()
 	if cached {
 		return cachedAddress, true
 	}
 	var address netip.Addr
 	_ = c.DB.View(func(tx *bbolt.Tx) error {
 		var bucket *bbolt.Bucket
 		if isIPv6 {
 			bucket = tx.Bucket(bucketFakeIPDomain6)
 		} else {
 			bucket = tx.Bucket(bucketFakeIPDomain4)
 		}
 		if bucket == nil {
 			return nil
 		}
 		address = M.AddrFromIP(bucket.Get([]byte(domain)))
 		return nil
 	})
 	return address, address.IsValid()
 }
 func (c *CacheFile) FakeIPReset() error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
-		return tx.DeleteBucket(bucketFakeIP)
+		err := tx.DeleteBucket(bucketFakeIP)
 		if err != nil {
 			return err
 		}
 		err = tx.DeleteBucket(bucketFakeIPDomain4)
 		if err != nil {
 			return err
 		}
 		return tx.DeleteBucket(bucketFakeIPDomain6)
 	})
 }
--- a/experimental/clashapi/compatible/map.go
+++ b/experimental/clashapi/compatible/map.go
@@ -7,6 +7,15 @@ type Map[K comparable, V any] struct {
 	m sync.Map
 }
 func (m *Map[K, V]) Len() int {
 	var count int
 	m.m.Range(func(key, value any) bool {
 		count++
 		return true
 	})
 	return count
 }
 func (m *Map[K, V]) Load(key K) (V, bool) {
 	v, ok := m.m.Load(key)
 	if !ok {
--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -23,6 +23,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"
 	"github.com/sagernet/websocket"
@@ -48,6 +49,7 @@ type Server struct {
 	storeSelected  bool
 	storeFakeIP    bool
 	cacheFilePath  string
 	cacheID        string
 	cacheFile      adapter.ClashCacheFile
 	externalUI               string
@@ -67,13 +69,16 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 			Handler: chiRouter,
 		},
 		trafficManager:           trafficManager,
 		urlTestHistory:           urltest.NewHistoryStorage(),
 		mode:                     strings.ToLower(options.DefaultMode),
 		storeSelected:            options.StoreSelected,
 		storeFakeIP:              options.StoreFakeIP,
 		externalUIDownloadURL:    options.ExternalUIDownloadURL,
 		externalUIDownloadDetour: options.ExternalUIDownloadDetour,
 	}
 	server.urlTestHistory = service.PtrFromContext[urltest.HistoryStorage](ctx)
 	if server.urlTestHistory == nil {
 		server.urlTestHistory = urltest.NewHistoryStorage()
 	}
 	if server.mode == "" {
 		server.mode = "rule"
 	}
@@ -88,6 +93,7 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 			cachePath = filemanager.BasePath(ctx, cachePath)
 		}
 		server.cacheFilePath = cachePath
 		server.cacheID = options.CacheID
 	}
 	cors := cors.New(cors.Options{
 		AllowedOrigins: []string{"*"},
@@ -130,7 +136,7 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 func (s *Server) PreStart() error {
 	if s.cacheFilePath != "" {
-		cacheFile, err := cachefile.Open(s.cacheFilePath)
+		cacheFile, err := cachefile.Open(s.cacheFilePath, s.cacheID)
 		if err != nil {
 			return E.Cause(err, "open cache file")
 		}
@@ -183,6 +189,10 @@ func (s *Server) HistoryStorage() *urltest.HistoryStorage {
 	return s.urlTestHistory
 }
 func (s *Server) TrafficManager() *trafficontrol.Manager {
 	return s.trafficManager
 }
 func (s *Server) RoutedConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, matchedRule adapter.Rule) (net.Conn, adapter.Tracker) {
 	tracker := trafficontrol.NewTCPTracker(conn, s.trafficManager, castMetadata(metadata), s.router, matchedRule)
 	return tracker, tracker
--- a/experimental/clashapi/trafficontrol/manager.go
+++ b/experimental/clashapi/trafficontrol/manager.go
@@ -55,6 +55,14 @@ func (m *Manager) Now() (up int64, down int64) {
 	return m.uploadBlip.Load(), m.downloadBlip.Load()
 }
 func (m *Manager) Total() (up int64, down int64) {
 	return m.uploadTotal.Load(), m.downloadTotal.Load()
 }
 func (m *Manager) Connections() int {
 	return m.connections.Len()
 }
 func (m *Manager) Snapshot() *Snapshot {
 	var connections []tracker
 	m.connections.Range(func(_ string, value tracker) bool {
--- a/experimental/libbox/command.go
+++ b/experimental/libbox/command.go
@@ -3,7 +3,9 @@ package libbox
 const (
 	CommandLog int32 = iota
 	CommandStatus
 	CommandServiceStop
 	CommandServiceReload
 	CommandCloseConnections
 	CommandGroup
 	CommandSelectOutbound
 	CommandURLTest
 )
--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -26,6 +26,13 @@ type CommandClientHandler interface {
 	Disconnected(message string)
 	WriteLog(message string)
 	WriteStatus(message *StatusMessage)
 	WriteGroups(message OutboundGroupIterator)
 }
 func NewStandaloneCommandClient(sharedDirectory string) *CommandClient {
 	return &CommandClient{
 		sharedDirectory: sharedDirectory,
 	}
 }
 func NewCommandClient(sharedDirectory string, handler CommandClientHandler, options *CommandClientOptions) *CommandClient {
@@ -36,16 +43,16 @@ func NewCommandClient(sharedDirectory string, handler CommandClientHandler, opti
 	}
 }
-func clientConnect(sharedDirectory string) (net.Conn, error) {
+func (c *CommandClient) directConnect() (net.Conn, error) {
 	return net.DialUnix("unix", nil, &net.UnixAddr{
-		Name: filepath.Join(sharedDirectory, "command.sock"),
+		Name: filepath.Join(c.sharedDirectory, "command.sock"),
 		Net:  "unix",
 	})
 }
 func (c *CommandClient) Connect() error {
 	common.Close(c.conn)
-	conn, err := clientConnect(c.sharedDirectory)
+	conn, err := c.directConnect()
 	if err != nil {
 		return err
 	}
@@ -65,6 +72,13 @@ func (c *CommandClient) Connect() error {
 		}
 		c.handler.Connected()
 		go c.handleStatusConn(conn)
 	case CommandGroup:
 		err = binary.Write(conn, binary.BigEndian, c.options.StatusInterval)
 		if err != nil {
 			return E.Cause(err, "write interval")
 		}
 		c.handler.Connected()
 		go c.handleGroupConn(conn)
 	}
 	return nil
 }
--- a/experimental/libbox/command_conntrack.go
+++ b/experimental/libbox/command_conntrack.go
@@ -9,8 +9,8 @@ import (
 	"github.com/sagernet/sing-box/common/dialer/conntrack"
 )
-func ClientCloseConnections(sharedDirectory string) error {
+func (c *CommandClient) CloseConnections() error {
-	conn, err := clientConnect(sharedDirectory)
+	conn, err := c.directConnect()
 	if err != nil {
 		return err
 	}
--- a/experimental/libbox/command_group.go
+++ b/experimental/libbox/command_group.go
@@ -0,0 +1,228 @@
 package libbox
 import (
 	"encoding/binary"
 	"io"
 	"net"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/outbound"
 	"github.com/sagernet/sing/common/rw"
 	"github.com/sagernet/sing/service"
 )
 type OutboundGroup struct {
 	Tag        string
 	Type       string
 	Selectable bool
 	Selected   string
 	items      []*OutboundGroupItem
 }
 func (g *OutboundGroup) GetItems() OutboundGroupItemIterator {
 	return newIterator(g.items)
 }
 type OutboundGroupIterator interface {
 	Next() *OutboundGroup
 	HasNext() bool
 }
 type OutboundGroupItem struct {
 	Tag          string
 	Type         string
 	URLTestTime  int64
 	URLTestDelay int32
 }
 type OutboundGroupItemIterator interface {
 	Next() *OutboundGroupItem
 	HasNext() bool
 }
 func (c *CommandClient) handleGroupConn(conn net.Conn) {
 	defer conn.Close()
 	for {
 		groups, err := readGroups(conn)
 		if err != nil {
 			c.handler.Disconnected(err.Error())
 			return
 		}
 		c.handler.WriteGroups(groups)
 	}
 }
 func (s *CommandServer) handleGroupConn(conn net.Conn) error {
 	defer conn.Close()
 	ctx := connKeepAlive(conn)
 	for {
 		service := s.service
 		if service != nil {
 			err := writeGroups(conn, service)
 			if err != nil {
 				return err
 			}
 		} else {
 			err := binary.Write(conn, binary.BigEndian, uint16(0))
 			if err != nil {
 				return err
 			}
 		}
 		select {
 		case <-ctx.Done():
 			return ctx.Err()
 		case <-s.urlTestUpdate:
 		}
 	}
 }
 func readGroups(reader io.Reader) (OutboundGroupIterator, error) {
 	var groupLength uint16
 	err := binary.Read(reader, binary.BigEndian, &groupLength)
 	if err != nil {
 		return nil, err
 	}
 	groups := make([]*OutboundGroup, 0, groupLength)
 	for i := 0; i < int(groupLength); i++ {
 		var group OutboundGroup
 		group.Tag, err = rw.ReadVString(reader)
 		if err != nil {
 			return nil, err
 		}
 		group.Type, err = rw.ReadVString(reader)
 		if err != nil {
 			return nil, err
 		}
 		err = binary.Read(reader, binary.BigEndian, &group.Selectable)
 		if err != nil {
 			return nil, err
 		}
 		group.Selected, err = rw.ReadVString(reader)
 		if err != nil {
 			return nil, err
 		}
 		var itemLength uint16
 		err = binary.Read(reader, binary.BigEndian, &itemLength)
 		if err != nil {
 			return nil, err
 		}
 		group.items = make([]*OutboundGroupItem, itemLength)
 		for j := 0; j < int(itemLength); j++ {
 			var item OutboundGroupItem
 			item.Tag, err = rw.ReadVString(reader)
 			if err != nil {
 				return nil, err
 			}
 			item.Type, err = rw.ReadVString(reader)
 			if err != nil {
 				return nil, err
 			}
 			err = binary.Read(reader, binary.BigEndian, &item.URLTestTime)
 			if err != nil {
 				return nil, err
 			}
 			err = binary.Read(reader, binary.BigEndian, &item.URLTestDelay)
 			if err != nil {
 				return nil, err
 			}
 			group.items[j] = &item
 		}
 		groups = append(groups, &group)
 	}
 	return newIterator(groups), nil
 }
 func writeGroups(writer io.Writer, boxService *BoxService) error {
 	historyStorage := service.PtrFromContext[urltest.HistoryStorage](boxService.ctx)
 	outbounds := boxService.instance.Router().Outbounds()
 	var iGroups []adapter.OutboundGroup
 	for _, it := range outbounds {
 		if group, isGroup := it.(adapter.OutboundGroup); isGroup {
 			iGroups = append(iGroups, group)
 		}
 	}
 	var groups []OutboundGroup
 	for _, iGroup := range iGroups {
 		var group OutboundGroup
 		group.Tag = iGroup.Tag()
 		group.Type = iGroup.Type()
 		_, group.Selectable = iGroup.(*outbound.Selector)
 		group.Selected = iGroup.Now()
 		for _, itemTag := range iGroup.All() {
 			itemOutbound, isLoaded := boxService.instance.Router().Outbound(itemTag)
 			if !isLoaded {
 				continue
 			}
 			var item OutboundGroupItem
 			item.Tag = itemTag
 			item.Type = itemOutbound.Type()
 			if history := historyStorage.LoadURLTestHistory(adapter.OutboundTag(itemOutbound)); history != nil {
 				item.URLTestTime = history.Time.Unix()
 				item.URLTestDelay = int32(history.Delay)
 			}
 			group.items = append(group.items, &item)
 		}
 		groups = append(groups, group)
 	}
 	err := binary.Write(writer, binary.BigEndian, uint16(len(groups)))
 	if err != nil {
 		return err
 	}
 	for _, group := range groups {
 		err = rw.WriteVString(writer, group.Tag)
 		if err != nil {
 			return err
 		}
 		err = rw.WriteVString(writer, group.Type)
 		if err != nil {
 			return err
 		}
 		err = binary.Write(writer, binary.BigEndian, group.Selectable)
 		if err != nil {
 			return err
 		}
 		err = rw.WriteVString(writer, group.Selected)
 		if err != nil {
 			return err
 		}
 		err = binary.Write(writer, binary.BigEndian, uint16(len(group.items)))
 		if err != nil {
 			return err
 		}
 		for _, item := range group.items {
 			err = rw.WriteVString(writer, item.Tag)
 			if err != nil {
 				return err
 			}
 			err = rw.WriteVString(writer, item.Type)
 			if err != nil {
 				return err
 			}
 			err = binary.Write(writer, binary.BigEndian, item.URLTestTime)
 			if err != nil {
 				return err
 			}
 			err = binary.Write(writer, binary.BigEndian, item.URLTestDelay)
 			if err != nil {
 				return err
 			}
 		}
 	}
 	return nil
 }
--- a/experimental/libbox/command_log.go
+++ b/experimental/libbox/command_log.go
@@ -11,7 +11,7 @@ func (s *CommandServer) WriteMessage(message string) {
 	s.subscriber.Emit(message)
 	s.access.Lock()
 	s.savedLines.PushBack(message)
-	if s.savedLines.Len() > 100 {
+	if s.savedLines.Len() > s.maxLines {
 		s.savedLines.Remove(s.savedLines.Front())
 	}
 	s.access.Unlock()
--- a/experimental/libbox/command_reload.go
+++ b/experimental/libbox/command_reload.go
@@ -8,8 +8,8 @@ import (
 	"github.com/sagernet/sing/common/rw"
 )
-func ClientServiceReload(sharedDirectory string) error {
+func (c *CommandClient) ServiceReload() error {
-	conn, err := clientConnect(sharedDirectory)
+	conn, err := c.directConnect()
 	if err != nil {
 		return err
 	}
--- a/experimental/libbox/command_select.go
+++ b/experimental/libbox/command_select.go
@@ -0,0 +1,59 @@
 package libbox
 import (
 	"encoding/binary"
 	"net"
 	"github.com/sagernet/sing-box/outbound"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
 )
 func (c *CommandClient) SelectOutbound(groupTag string, outboundTag string) error {
 	conn, err := c.directConnect()
 	if err != nil {
 		return err
 	}
 	defer conn.Close()
 	err = binary.Write(conn, binary.BigEndian, uint8(CommandSelectOutbound))
 	if err != nil {
 		return err
 	}
 	err = rw.WriteVString(conn, groupTag)
 	if err != nil {
 		return err
 	}
 	err = rw.WriteVString(conn, outboundTag)
 	if err != nil {
 		return err
 	}
 	return readError(conn)
 }
 func (s *CommandServer) handleSelectOutbound(conn net.Conn) error {
 	defer conn.Close()
 	groupTag, err := rw.ReadVString(conn)
 	if err != nil {
 		return err
 	}
 	outboundTag, err := rw.ReadVString(conn)
 	if err != nil {
 		return err
 	}
 	service := s.service
 	if service == nil {
 		return writeError(conn, E.New("service not ready"))
 	}
 	outboundGroup, isLoaded := service.instance.Router().Outbound(groupTag)
 	if !isLoaded {
 		return writeError(conn, E.New("selector not found: ", groupTag))
 	}
 	selector, isSelector := outboundGroup.(*outbound.Selector)
 	if !isSelector {
 		return writeError(conn, E.New("outbound is not a selector: ", groupTag))
 	}
 	if !selector.SelectOutbound(outboundTag) {
 		return writeError(conn, E.New("outbound not found in selector: ", outboundTag))
 	}
 	return writeError(conn, nil)
 }
--- a/experimental/libbox/command_server.go
+++ b/experimental/libbox/command_server.go
@@ -7,12 +7,14 @@ import (
 	"path/filepath"
 	"sync"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/observable"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"
 )
 type CommandServer struct {
@@ -22,26 +24,51 @@ type CommandServer struct {
 	access     sync.Mutex
 	savedLines *list.List[string]
 	maxLines   int
 	subscriber *observable.Subscriber[string]
 	observer   *observable.Observer[string]
 	service    *BoxService
 	urlTestListener *list.Element[func()]
 	urlTestUpdate   chan struct{}
 }
 type CommandServerHandler interface {
 	ServiceStop() error
 	ServiceReload() error
 }
-func NewCommandServer(sharedDirectory string, handler CommandServerHandler) *CommandServer {
+func NewCommandServer(sharedDirectory string, handler CommandServerHandler, maxLines int32) *CommandServer {
 	server := &CommandServer{
-		sockPath:   filepath.Join(sharedDirectory, "command.sock"),
+		sockPath:      filepath.Join(sharedDirectory, "command.sock"),
-		handler:    handler,
+		handler:       handler,
-		savedLines: new(list.List[string]),
+		savedLines:    new(list.List[string]),
-		subscriber: observable.NewSubscriber[string](128),
+		maxLines:      int(maxLines),
 		subscriber:    observable.NewSubscriber[string](128),
 		urlTestUpdate: make(chan struct{}, 1),
 	}
 	server.observer = observable.NewObserver[string](server.subscriber, 64)
 	return server
 }
 func (s *CommandServer) SetService(newService *BoxService) {
 	if s.service != nil && s.listener != nil {
 		service.PtrFromContext[urltest.HistoryStorage](s.service.ctx).RemoveListener(s.urlTestListener)
 		s.urlTestListener = nil
 	}
 	s.service = newService
 	if newService != nil {
 		s.urlTestListener = service.PtrFromContext[urltest.HistoryStorage](newService.ctx).AddListener(s.notifyURLTestUpdate)
 	}
 	s.notifyURLTestUpdate()
 }
 func (s *CommandServer) notifyURLTestUpdate() {
 	select {
 	case s.urlTestUpdate <- struct{}{}:
 	default:
 	}
 }
 func (s *CommandServer) Start() error {
 	os.Remove(s.sockPath)
 	listener, err := net.ListenUnix("unix", &net.UnixAddr{
@@ -51,6 +78,14 @@ func (s *CommandServer) Start() error {
 	if err != nil {
 		return err
 	}
 	if sUserID > 0 {
 		err = os.Chown(s.sockPath, sUserID, sGroupID)
 		if err != nil {
 			listener.Close()
 			os.Remove(s.sockPath)
 			return err
 		}
 	}
 	s.listener = listener
 	go s.loopConnection(listener)
 	return nil
@@ -92,12 +127,16 @@ func (s *CommandServer) handleConnection(conn net.Conn) error {
 		return s.handleLogConn(conn)
 	case CommandStatus:
 		return s.handleStatusConn(conn)
 	case CommandServiceStop:
 		return s.handleServiceStop(conn)
 	case CommandServiceReload:
 		return s.handleServiceReload(conn)
 	case CommandCloseConnections:
 		return s.handleCloseConnections(conn)
 	case CommandGroup:
 		return s.handleGroupConn(conn)
 	case CommandSelectOutbound:
 		return s.handleSelectOutbound(conn)
 	case CommandURLTest:
 		return s.handleURLTest(conn)
 	default:
 		return E.New("unknown command: ", command)
 	}
--- a/experimental/libbox/command_shared.go
+++ b/experimental/libbox/command_shared.go
@@ -0,0 +1,39 @@
 package libbox
 import (
 	"encoding/binary"
 	"io"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
 )
 func readError(reader io.Reader) error {
 	var hasError bool
 	err := binary.Read(reader, binary.BigEndian, &hasError)
 	if err != nil {
 		return err
 	}
 	if hasError {
 		errorMessage, err := rw.ReadVString(reader)
 		if err != nil {
 			return err
 		}
 		return E.New(errorMessage)
 	}
 	return nil
 }
 func writeError(writer io.Writer, wErr error) error {
 	err := binary.Write(writer, binary.BigEndian, wErr != nil)
 	if err != nil {
 		return err
 	}
 	if wErr != nil {
 		err = rw.WriteVString(writer, wErr.Error())
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
--- a/experimental/libbox/command_status.go
+++ b/experimental/libbox/command_status.go
@@ -7,22 +7,40 @@ import (
 	"time"
 	"github.com/sagernet/sing-box/common/dialer/conntrack"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 type StatusMessage struct {
-	Memory      int64
+	Memory           int64
-	Goroutines  int32
+	Goroutines       int32
-	Connections int32
+	ConnectionsIn    int32
 	ConnectionsOut   int32
 	TrafficAvailable bool
 	Uplink           int64
 	Downlink         int64
 	UplinkTotal      int64
 	DownlinkTotal    int64
 }
-func readStatus() StatusMessage {
+func (s *CommandServer) readStatus() StatusMessage {
 	var memStats runtime.MemStats
 	runtime.ReadMemStats(&memStats)
 	var message StatusMessage
 	message.Memory = int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
 	message.Goroutines = int32(runtime.NumGoroutine())
-	message.Connections = int32(conntrack.Count())
+	message.ConnectionsOut = int32(conntrack.Count())
 	if s.service != nil {
 		if clashServer := s.service.instance.Router().ClashServer(); clashServer != nil {
 			message.TrafficAvailable = true
 			trafficManager := clashServer.(*clashapi.Server).TrafficManager()
 			message.Uplink, message.Downlink = trafficManager.Now()
 			message.UplinkTotal, message.DownlinkTotal = trafficManager.Total()
 			message.ConnectionsIn = int32(trafficManager.Connections())
 		}
 	}
 	return message
 }
@@ -36,7 +54,7 @@ func (s *CommandServer) handleStatusConn(conn net.Conn) error {
 	defer ticker.Stop()
 	ctx := connKeepAlive(conn)
 	for {
-		err = binary.Write(conn, binary.BigEndian, readStatus())
+		err = binary.Write(conn, binary.BigEndian, s.readStatus())
 		if err != nil {
 			return err
 		}
--- a/experimental/libbox/command_stop.go
+++ b/experimental/libbox/command_stop.go
@@ -1,48 +0,0 @@
 package libbox
 import (
 	"encoding/binary"
 	"net"
 	"runtime/debug"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
 )
 func ClientServiceStop(sharedDirectory string) error {
 	conn, err := clientConnect(sharedDirectory)
 	if err != nil {
 		return err
 	}
 	defer conn.Close()
 	err = binary.Write(conn, binary.BigEndian, uint8(CommandServiceStop))
 	if err != nil {
 		return err
 	}
 	var hasError bool
 	err = binary.Read(conn, binary.BigEndian, &hasError)
 	if err != nil {
 		return err
 	}
 	if hasError {
 		errorMessage, err := rw.ReadVString(conn)
 		if err != nil {
 			return err
 		}
 		return E.New(errorMessage)
 	}
 	return nil
 }
 func (s *CommandServer) handleServiceStop(conn net.Conn) error {
 	rErr := s.handler.ServiceStop()
 	err := binary.Write(conn, binary.BigEndian, rErr != nil)
 	if err != nil {
 		return err
 	}
 	if rErr != nil {
 		return rw.WriteVString(conn, rErr.Error())
 	}
 	debug.FreeOSMemory()
 	return nil
 }
--- a/experimental/libbox/command_urltest.go
+++ b/experimental/libbox/command_urltest.go
@@ -0,0 +1,95 @@
 package libbox
 import (
 	"encoding/binary"
 	"net"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/outbound"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/batch"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
 )
 func (c *CommandClient) URLTest(groupTag string) error {
 	conn, err := c.directConnect()
 	if err != nil {
 		return err
 	}
 	defer conn.Close()
 	err = binary.Write(conn, binary.BigEndian, uint8(CommandURLTest))
 	if err != nil {
 		return err
 	}
 	err = rw.WriteVString(conn, groupTag)
 	if err != nil {
 		return err
 	}
 	return readError(conn)
 }
 func (s *CommandServer) handleURLTest(conn net.Conn) error {
 	defer conn.Close()
 	groupTag, err := rw.ReadVString(conn)
 	if err != nil {
 		return err
 	}
 	service := s.service
 	if service == nil {
 		return nil
 	}
 	abstractOutboundGroup, isLoaded := service.instance.Router().Outbound(groupTag)
 	if !isLoaded {
 		return writeError(conn, E.New("outbound group not found: ", groupTag))
 	}
 	outboundGroup, isOutboundGroup := abstractOutboundGroup.(adapter.OutboundGroup)
 	if !isOutboundGroup {
 		return writeError(conn, E.New("outbound is not a group: ", groupTag))
 	}
 	urlTest, isURLTest := abstractOutboundGroup.(*outbound.URLTest)
 	if isURLTest {
 		go urlTest.CheckOutbounds()
 	} else {
 		var historyStorage *urltest.HistoryStorage
 		if clashServer := service.instance.Router().ClashServer(); clashServer != nil {
 			historyStorage = clashServer.HistoryStorage()
 		} else {
 			return writeError(conn, E.New("Clash API is required for URLTest on non-URLTest group"))
 		}
 		outbounds := common.Filter(common.Map(outboundGroup.All(), func(it string) adapter.Outbound {
 			itOutbound, _ := service.instance.Router().Outbound(it)
 			return itOutbound
 		}), func(it adapter.Outbound) bool {
 			if it == nil {
 				return false
 			}
 			_, isGroup := it.(adapter.OutboundGroup)
 			if isGroup {
 				return false
 			}
 			return true
 		})
 		b, _ := batch.New(service.ctx, batch.WithConcurrencyNum[any](10))
 		for _, detour := range outbounds {
 			outboundToTest := detour
 			outboundTag := outboundToTest.Tag()
 			b.Go(outboundTag, func() (any, error) {
 				t, err := urltest.URLTest(service.ctx, "", outboundToTest)
 				if err != nil {
 					historyStorage.DeleteURLTestHistory(outboundTag)
 				} else {
 					historyStorage.StoreURLTestHistory(outboundTag, &urltest.History{
 						Time:  time.Now(),
 						Delay: t,
 					})
 				}
 				return nil, nil
 			})
 		}
 	}
 	return writeError(conn, nil)
 }
--- a/experimental/libbox/dns.go
+++ b/experimental/libbox/dns.go
@@ -0,0 +1,162 @@
 package libbox
 import (
 	"context"
 	"net/netip"
 	"strings"
 	"syscall"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/task"
 	mDNS "github.com/miekg/dns"
 )
 type LocalDNSTransport interface {
 	Raw() bool
 	Lookup(ctx *ExchangeContext, network string, domain string) error
 	Exchange(ctx *ExchangeContext, message []byte) error
 }
 func RegisterLocalDNSTransport(transport LocalDNSTransport) {
 	if transport == nil {
 		dns.RegisterTransport([]string{"local"}, dns.CreateLocalTransport)
 	} else {
 		dns.RegisterTransport([]string{"local"}, func(name string, ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, link string) (dns.Transport, error) {
 			return &platformLocalDNSTransport{
 				iif: transport,
 			}, nil
 		})
 	}
 }
 var _ dns.Transport = (*platformLocalDNSTransport)(nil)
 type platformLocalDNSTransport struct {
 	iif LocalDNSTransport
 }
 func (p *platformLocalDNSTransport) Name() string {
 	return "local"
 }
 func (p *platformLocalDNSTransport) Start() error {
 	return nil
 }
 func (p *platformLocalDNSTransport) Close() error {
 	return nil
 }
 func (p *platformLocalDNSTransport) Raw() bool {
 	return p.iif.Raw()
 }
 func (p *platformLocalDNSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	messageBytes, err := message.Pack()
 	if err != nil {
 		return nil, err
 	}
 	response := &ExchangeContext{
 		context: ctx,
 	}
 	var responseMessage *mDNS.Msg
 	return responseMessage, task.Run(ctx, func() error {
 		err = p.iif.Exchange(response, messageBytes)
 		if err != nil {
 			return err
 		}
 		if response.error != nil {
 			return response.error
 		}
 		responseMessage = &response.message
 		return nil
 	})
 }
 func (p *platformLocalDNSTransport) Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error) {
 	var network string
 	switch strategy {
 	case dns.DomainStrategyUseIPv4:
 		network = "ip4"
 	case dns.DomainStrategyPreferIPv6:
 		network = "ip6"
 	default:
 		network = "ip"
 	}
 	response := &ExchangeContext{
 		context: ctx,
 	}
 	var responseAddr []netip.Addr
 	return responseAddr, task.Run(ctx, func() error {
 		err := p.iif.Lookup(response, network, domain)
 		if err != nil {
 			return err
 		}
 		if response.error != nil {
 			return response.error
 		}
 		switch strategy {
 		case dns.DomainStrategyUseIPv4:
 			responseAddr = common.Filter(response.addresses, func(it netip.Addr) bool {
 				return it.Is4()
 			})
 		case dns.DomainStrategyPreferIPv6:
 			responseAddr = common.Filter(response.addresses, func(it netip.Addr) bool {
 				return it.Is6()
 			})
 		default:
 			responseAddr = response.addresses
 		}
 		/*if len(responseAddr) == 0 {
 			response.error = dns.RCodeSuccess
 		}*/
 		return nil
 	})
 }
 type Func interface {
 	Invoke() error
 }
 type ExchangeContext struct {
 	context   context.Context
 	message   mDNS.Msg
 	addresses []netip.Addr
 	error     error
 }
 func (c *ExchangeContext) OnCancel(callback Func) {
 	go func() {
 		<-c.context.Done()
 		callback.Invoke()
 	}()
 }
 func (c *ExchangeContext) Success(result string) {
 	c.addresses = common.Map(common.Filter(strings.Split(result, "\n"), func(it string) bool {
 		return !common.IsEmpty(it)
 	}), func(it string) netip.Addr {
 		return M.ParseSocksaddrHostPort(it, 0).Unwrap().Addr
 	})
 }
 func (c *ExchangeContext) RawSuccess(result []byte) {
 	err := c.message.Unpack(result)
 	if err != nil {
 		c.error = E.Cause(err, "parse response")
 	}
 }
 func (c *ExchangeContext) ErrorCode(code int32) {
 	c.error = dns.RCodeError(code)
 }
 func (c *ExchangeContext) ErrnoCode(code int32) {
 	c.error = syscall.Errno(code)
 }
--- a/experimental/libbox/log.go
+++ b/experimental/libbox/log.go
@@ -18,29 +18,13 @@ func RedirectStderr(path string) error {
 	if err != nil {
 		return err
 	}
-	err = unix.Dup2(int(outputFile.Fd()), int(os.Stderr.Fd()))
+	if sUserID > 0 {
-	if err != nil {
+		err = outputFile.Chown(sUserID, sGroupID)
-		outputFile.Close()
+		if err != nil {
-		os.Remove(outputFile.Name())
+			outputFile.Close()
-		return err
+			os.Remove(outputFile.Name())
-	}
+			return err
-	stderrFile = outputFile
+		}
 	return nil
 }
 func RedirectStderrAsUser(path string, uid, gid int) error {
 	if stats, err := os.Stat(path); err == nil && stats.Size() > 0 {
 		_ = os.Rename(path, path+".old")
 	}
 	outputFile, err := os.Create(path)
 	if err != nil {
 		return err
 	}
 	err = outputFile.Chown(uid, gid)
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputFile.Name())
 		return err
 	}
 	err = unix.Dup2(int(outputFile.Fd()), int(os.Stderr.Fd()))
 	if err != nil {
--- a/experimental/libbox/memory.go
+++ b/experimental/libbox/memory.go
@@ -1,18 +1,22 @@
 //go:build darwin
 package libbox
 import (
 	"math"
 	runtimeDebug "runtime/debug"
 	"github.com/sagernet/sing-box/common/dialer/conntrack"
 )
-const memoryLimit = 30 * 1024 * 1024
+func SetMemoryLimit(enabled bool) {
-
+	const memoryLimit = 30 * 1024 * 1024
-func SetMemoryLimit() {
+	if enabled {
-	runtimeDebug.SetGCPercent(10)
+		runtimeDebug.SetGCPercent(10)
-	runtimeDebug.SetMemoryLimit(memoryLimit)
+		runtimeDebug.SetMemoryLimit(memoryLimit)
-	conntrack.KillerEnabled = true
+		conntrack.KillerEnabled = true
-	conntrack.MemoryLimit = memoryLimit
+		conntrack.MemoryLimit = memoryLimit
 	} else {
 		runtimeDebug.SetGCPercent(100)
 		runtimeDebug.SetMemoryLimit(math.MaxInt64)
 		conntrack.KillerEnabled = false
 	}
 }
--- a/experimental/libbox/platform.go
+++ b/experimental/libbox/platform.go
@@ -18,6 +18,7 @@ type PlatformInterface interface {
 	CloseDefaultInterfaceMonitor(listener InterfaceUpdateListener) error
 	UsePlatformInterfaceGetter() bool
 	GetInterfaces() (NetworkInterfaceIterator, error)
 	UnderNetworkExtension() bool
 }
 type TunInterface interface {
--- a/experimental/libbox/platform/interface.go
+++ b/experimental/libbox/platform/interface.go
@@ -22,6 +22,7 @@ type Interface interface {
 	CreateDefaultInterfaceMonitor(errorHandler E.Handler) tun.DefaultInterfaceMonitor
 	UsePlatformInterfaceGetter() bool
 	Interfaces() ([]NetworkInterface, error)
 	UnderNetworkExtension() bool
 	process.Searcher
 	io.Writer
 }
--- a/experimental/libbox/service.go
+++ b/experimental/libbox/service.go
@@ -8,6 +8,7 @@ import (
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/process"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/experimental/libbox/internal/procfs"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
@@ -16,6 +17,7 @@ import (
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"
 )
@@ -32,6 +34,7 @@ func NewService(configContent string, platformInterface PlatformInterface) (*Box
 	}
 	ctx, cancel := context.WithCancel(context.Background())
 	ctx = filemanager.WithDefault(ctx, sBasePath, sTempPath, sUserID, sGroupID)
 	ctx = service.ContextWithPtr(ctx, urltest.NewHistoryStorage())
 	instance, err := box.New(box.Options{
 		Context:           ctx,
 		Options:           options,
@@ -169,3 +172,7 @@ func (w *platformInterfaceWrapper) Interfaces() ([]platform.NetworkInterface, er
 	}
 	return interfaces, nil
 }
 func (w *platformInterfaceWrapper) UnderNetworkExtension() bool {
 	return w.iif.UnderNetworkExtension()
 }
--- a/experimental/libbox/setup.go
+++ b/experimental/libbox/setup.go
@@ -2,6 +2,8 @@ package libbox
 import (
 	"os"
 	"os/user"
 	"strconv"
 	C "github.com/sagernet/sing-box/constant"
@@ -15,17 +17,23 @@ var (
 	sGroupID  int
 )
-func Setup(basePath string, tempPath string, userID int, groupID int) {
+func Setup(basePath string, tempPath string) {
 	sBasePath = basePath
 	sTempPath = tempPath
-	sUserID = userID
+	sUserID = os.Getuid()
-	sGroupID = groupID
+	sGroupID = os.Getgid()
-	if sUserID == -1 {
+}
-		sUserID = os.Getuid()
+
-	}
+func SetupWithUsername(basePath string, tempPath string, username string) error {
-	if sGroupID == -1 {
+	sBasePath = basePath
-		sGroupID = os.Getgid()
+	sTempPath = tempPath
 	sUser, err := user.Lookup(username)
 	if err != nil {
 		return err
 	}
 	sUserID, _ = strconv.Atoi(sUser.Uid)
 	sGroupID, _ = strconv.Atoi(sUser.Gid)
 	return nil
 }
 func Version() string {
--- a/go.mod
+++ b/go.mod
@@ -4,93 +4,97 @@ go 1.18
 require (
 	berty.tech/go-libtor v1.0.385
-	github.com/Dreamacro/clash v1.15.0
+	github.com/Dreamacro/clash v1.17.0
-	github.com/caddyserver/certmagic v0.17.2
+	github.com/caddyserver/certmagic v0.19.0
 	github.com/cretz/bine v0.2.0
 	github.com/dustin/go-humanize v1.0.1
 	github.com/fsnotify/fsnotify v1.6.0
-	github.com/go-chi/chi/v5 v5.0.8
+	github.com/go-chi/chi/v5 v5.0.10
 	github.com/go-chi/cors v1.2.1
-	github.com/go-chi/render v1.0.2
+	github.com/go-chi/render v1.0.3
 	github.com/gofrs/uuid/v5 v5.0.0
-	github.com/insomniacslk/dhcp v0.0.0-20230407062729-974c6f05fe16
+	github.com/insomniacslk/dhcp v0.0.0-20230612134759-b20c9ba983df
 	github.com/logrusorgru/aurora v2.0.3+incompatible
-	github.com/mholt/acmez v1.1.0
+	github.com/mholt/acmez v1.2.0
-	github.com/miekg/dns v1.1.53
+	github.com/miekg/dns v1.1.55
-	github.com/ooni/go-libtor v1.1.7
+	github.com/ooni/go-libtor v1.1.8
-	github.com/oschwald/maxminddb-golang v1.10.0
+	github.com/oschwald/maxminddb-golang v1.11.0
 	github.com/pires/go-proxyproto v0.7.0
 	github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0
-	github.com/sagernet/gomobile v0.0.0-20230413023804-244d7ff07035
+	github.com/sagernet/gomobile v0.0.0-20230701084532-493ee2e45182
-	github.com/sagernet/quic-go v0.0.0-20230202071646-a8c8afb18b32
+	github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2
 	github.com/sagernet/quic-go v0.0.0-20230615020047-10f05c797c02
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.2.5-0.20230427151730-ed2d05ab518a
+	github.com/sagernet/sing v0.2.9
-	github.com/sagernet/sing-dns v0.1.5-0.20230426113254-25d948c44223
+	github.com/sagernet/sing-dns v0.1.8
-	github.com/sagernet/sing-mux v0.0.0-20230425130511-b0a6ffd8406f
+	github.com/sagernet/sing-mux v0.1.2
-	github.com/sagernet/sing-shadowsocks v0.2.2-0.20230417102954-f77257340507
+	github.com/sagernet/sing-shadowsocks v0.2.4
-	github.com/sagernet/sing-shadowsocks2 v0.0.0-20230430083720-38321e1355cc
+	github.com/sagernet/sing-shadowsocks2 v0.1.3
-	github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b
+	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/sing-tun v0.1.5-0.20230422121432-209ec123ca7b
+	github.com/sagernet/sing-tun v0.1.10
-	github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3
+	github.com/sagernet/sing-vmess v0.1.7
 	github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37
 	github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9
 	github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2
 	github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e
 	github.com/sagernet/wireguard-go v0.0.0-20230420044414-a7bac1754e77
 	github.com/spf13/cobra v1.7.0
-	github.com/stretchr/testify v1.8.2
+	github.com/stretchr/testify v1.8.4
 	go.etcd.io/bbolt v1.3.7
 	go.uber.org/zap v1.24.0
 	go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35
-	golang.org/x/crypto v0.8.0
+	golang.org/x/crypto v0.11.0
-	golang.org/x/exp v0.0.0-20230321023759-10a507213a29
+	golang.org/x/exp v0.0.0-20230626212559-97b1e661b5df
-	golang.org/x/net v0.9.0
+	golang.org/x/net v0.12.0
-	golang.org/x/sys v0.7.0
+	golang.org/x/sys v0.10.0
-	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
-	google.golang.org/grpc v1.54.0
+	google.golang.org/grpc v1.56.2
-	google.golang.org/protobuf v1.30.0
+	google.golang.org/protobuf v1.31.0
 	gvisor.dev/gvisor v0.0.0-20230415003630-3981d5d5e523
 )
 //replace github.com/sagernet/sing => ../sing
 require (
 	github.com/Dreamacro/protobytes v0.0.0-20230617041236-6500a9f4f158 // indirect
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.5 // indirect
 	github.com/cloudflare/circl v1.2.1-0.20221019164342-6ab4dfed8f3c // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
-	github.com/golang/mock v1.6.0 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/btree v1.1.2 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/native v1.1.0 // indirect
 	github.com/klauspost/compress v1.15.15 // indirect
-	github.com/klauspost/cpuid/v2 v2.1.1 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/onsi/ginkgo/v2 v2.2.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.14 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/quic-go/qtls-go1-18 v0.2.0 // indirect
-	github.com/quic-go/qtls-go1-19 v0.2.0 // indirect
+	github.com/quic-go/qtls-go1-19 v0.3.2 // indirect
-	github.com/quic-go/qtls-go1-20 v0.1.0 // indirect
+	github.com/quic-go/qtls-go1-20 v0.2.2 // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
 	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
-	go.uber.org/atomic v1.10.0 // indirect
+	github.com/zeebo/blake3 v0.2.3 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/mod v0.8.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/mod v0.11.0 // indirect
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+	golang.org/x/text v0.11.0 // indirect
-	golang.org/x/tools v0.6.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
-	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
+	golang.org/x/tools v0.10.0 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	lukechampine.com/blake3 v1.1.7 // indirect
+	lukechampine.com/blake3 v1.2.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,14 +1,16 @@
 berty.tech/go-libtor v1.0.385 h1:RWK94C3hZj6Z2GdvePpHJLnWYobFr3bY/OdUJ5aoEXw=
 berty.tech/go-libtor v1.0.385/go.mod h1:9swOOQVb+kmvuAlsgWUK/4c52pm69AdbJsxLzk+fJEw=
-github.com/Dreamacro/clash v1.15.0 h1:mlpD950VEggXZBNahV66hyKDRxcczkj3vymoAt78KyE=
+github.com/Dreamacro/clash v1.17.0 h1:LWtp6KcnrCiujY58ufI8pylI+hbCBgSCsLI90EWhpi4=
-github.com/Dreamacro/clash v1.15.0/go.mod h1:WNH69bN11LiAdgdSr4hpkEuXVMfBbWyhEKMCTx9BtNE=
+github.com/Dreamacro/clash v1.17.0/go.mod h1:PtcAft7sdsK325BD6uwm8wvhOkMV3TCeED6dfZ/lnfE=
 github.com/Dreamacro/protobytes v0.0.0-20230617041236-6500a9f4f158 h1:JFnwKplz9hj8ubqYjm8HkgZS1Rvz9yW+u/XCNNTxr0k=
 github.com/Dreamacro/protobytes v0.0.0-20230617041236-6500a9f4f158/go.mod h1:QvmEZ/h6KXszPOr2wUFl7Zn3hfFNYdfbXwPVDTyZs6k=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
 github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
-github.com/caddyserver/certmagic v0.17.2 h1:o30seC1T/dBqBCNNGNHWwj2i5/I/FMjBbTAhjADP3nE=
+github.com/caddyserver/certmagic v0.19.0 h1:HuJ1Yf1H1jAfmBGrSSQN1XRkafnWcpDtyIiyMV6vmpM=
-github.com/caddyserver/certmagic v0.17.2/go.mod h1:ouWUuC490GOLJzkyN35eXfV8bSbwMwSf4bdhkIxtdQE=
+github.com/caddyserver/certmagic v0.19.0/go.mod h1:fsL01NomQ6N+kE2j37ZCnig2MFosG+MIO4ztnmG/zz8=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@@ -25,23 +27,24 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
-github.com/go-chi/chi/v5 v5.0.8 h1:lD+NLqFcAi1ovnVZpsnObHGW4xb4J8lNmoYVfECH1Y0=
+github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
-github.com/go-chi/chi/v5 v5.0.8/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
-github.com/go-chi/render v1.0.2 h1:4ER/udB0+fMWB2Jlf15RV3F4A2FDuYi/9f+lFttR/Lg=
+github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
-github.com/go-chi/render v1.0.2/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
+github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gofrs/uuid/v5 v5.0.0 h1:p544++a97kEL+svbcFbCQVM9KFu0Yo25UoISXGNNH9M=
 github.com/gofrs/uuid/v5 v5.0.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
+github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
-github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
+github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE=
@@ -51,16 +54,16 @@ github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbg
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20230407062729-974c6f05fe16 h1:+aAGyK41KRn8jbF2Q7PLL0Sxwg6dShGcQSeCC7nZQ8E=
+github.com/insomniacslk/dhcp v0.0.0-20230612134759-b20c9ba983df h1:pF1MMIzEJzJ/MyI4bXYXVYyN8CJgoQ2PPKT2z3O/Cl4=
-github.com/insomniacslk/dhcp v0.0.0-20230407062729-974c6f05fe16/go.mod h1:IKrnDWs3/Mqq5n0lI+RxA2sB7MvN/vbMBP3ehXg65UI=
+github.com/insomniacslk/dhcp v0.0.0-20230612134759-b20c9ba983df/go.mod h1:7474bZ1YNCvarT6WFKie4kEET6J0KYRDC4XJqqXzQW4=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/klauspost/compress v1.15.15 h1:EF27CXIuDsYJ6mmvtBRlEuB2UVOqHG1tAXgZ7yIO+lw=
 github.com/klauspost/compress v1.15.15/go.mod h1:ZcK2JAFqKOpnBlxcLsJzYfrS9X1akm9fHZNnD9+Vo/4=
-github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
-github.com/klauspost/cpuid/v2 v2.1.1 h1:t0wUqjowdm8ezddV5k0tLWVklVuvLJpoHeb4WBdydm0=
+github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg=
-github.com/klauspost/cpuid/v2 v2.1.1/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
+github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -68,65 +71,68 @@ github.com/libdns/libdns v0.2.1 h1:Wu59T7wSHRgtA0cfxC+n1c/e+O3upJGWytknkmFEDis=
 github.com/libdns/libdns v0.2.1/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
-github.com/mholt/acmez v1.1.0 h1:IQ9CGHKOHokorxnffsqDvmmE30mDenO1lptYZ1AYkHY=
+github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
-github.com/mholt/acmez v1.1.0/go.mod h1:zwo5+fbLLTowAX8o8ETfQzbDtwGEXnPhkmGdKIP+bgs=
+github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
-github.com/miekg/dns v1.1.53 h1:ZBkuHr5dxHtB1caEOlZTLPo7D3L3TWckgUUs/RHfDxw=
+github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
-github.com/miekg/dns v1.1.53/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
+github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI=
 github.com/onsi/ginkgo/v2 v2.2.0/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk=
 github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
-github.com/ooni/go-libtor v1.1.7 h1:ooVcdEPBqDox5OfeXAfXIeQFCbqMLJVfIpO+Irr7N9A=
+github.com/ooni/go-libtor v1.1.8 h1:Wo3V3DVTxl5vZdxtQakqYP+DAHx7pPtAFSl1bnAa08w=
-github.com/ooni/go-libtor v1.1.7/go.mod h1:q1YyLwRD9GeMyeerVvwc0vJ2YgwDLTp2bdVcrh/JXyI=
+github.com/ooni/go-libtor v1.1.8/go.mod h1:q1YyLwRD9GeMyeerVvwc0vJ2YgwDLTp2bdVcrh/JXyI=
-github.com/oschwald/maxminddb-golang v1.10.0 h1:Xp1u0ZhqkSuopaKmk1WwHtjF0H9Hd9181uj2MQ5Vndg=
+github.com/oschwald/maxminddb-golang v1.11.0 h1:aSXMqYR/EPNjGE8epgqwDay+P30hCBZIveY0WZbAWh0=
-github.com/oschwald/maxminddb-golang v1.10.0/go.mod h1:Y2ELenReaLAZ0b400URyGwvYxHV1dLIxBuyOsyYjHK0=
+github.com/oschwald/maxminddb-golang v1.11.0/go.mod h1:YmVI+H0zh3ySFR3w+oz8PCfglAFj3PuCmui13+P9zDg=
 github.com/pierrec/lz4/v4 v4.1.14 h1:+fL8AQEZtz/ijeNnpduH0bROTu0O3NZAlPjQxGn8LwE=
 github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs=
 github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
 github.com/quic-go/qtls-go1-18 v0.2.0 h1:5ViXqBZ90wpUcZS0ge79rf029yx0dYB0McyPJwqqj7U=
 github.com/quic-go/qtls-go1-18 v0.2.0/go.mod h1:moGulGHK7o6O8lSPSZNoOwcLvJKJ85vVNc7oJFD65bc=
-github.com/quic-go/qtls-go1-19 v0.2.0 h1:Cvn2WdhyViFUHoOqK52i51k4nDX8EwIh5VJiVM4nttk=
+github.com/quic-go/qtls-go1-19 v0.3.2 h1:tFxjCFcTQzK+oMxG6Zcvp4Dq8dx4yD3dDiIiyc86Z5U=
-github.com/quic-go/qtls-go1-19 v0.2.0/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
+github.com/quic-go/qtls-go1-19 v0.3.2/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
-github.com/quic-go/qtls-go1-20 v0.1.0 h1:d1PK3ErFy9t7zxKsG3NXBJXZjp/kMLoIb3y/kV54oAI=
+github.com/quic-go/qtls-go1-20 v0.2.2 h1:WLOPx6OY/hxtTxKV1Zrq20FtXtDEkeY00CGQm8GEa3E=
-github.com/quic-go/qtls-go1-20 v0.1.0/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
+github.com/quic-go/qtls-go1-20 v0.2.2/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0 h1:KyhtFFt1Jtp5vW2ohNvstvQffTOQ/s5vENuGXzdA+TM=
 github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0/go.mod h1:D4SFEOkJK+4W1v86ZhX0jPM0rAL498fyQAChqMtes/I=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
-github.com/sagernet/gomobile v0.0.0-20230413023804-244d7ff07035 h1:KttYh6bBhIw8Y6/Ljn7CGwC3CKZn788rzMJmeAKjY+8=
+github.com/sagernet/gomobile v0.0.0-20230701084532-493ee2e45182 h1:sD5g92IO15RAX2DvA4Cq3Uc7tcgqNWVi8K3VTCI6sEo=
-github.com/sagernet/gomobile v0.0.0-20230413023804-244d7ff07035/go.mod h1:5YE39YkJkCcMsfq1jMKkjsrM2GfBoF9JVWnvU89hmvU=
+github.com/sagernet/gomobile v0.0.0-20230701084532-493ee2e45182/go.mod h1:5YE39YkJkCcMsfq1jMKkjsrM2GfBoF9JVWnvU89hmvU=
 github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2 h1:dnkKrzapqtAwjTSWt6hdPrARORfoYvuUczynvRLrueo=
 github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2/go.mod h1:1JUiV7nGuf++YFm9eWZ8q2lrwHmhcUGzptMl/vL1+LA=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.0.0-20230202071646-a8c8afb18b32 h1:tztuJB+giOWNRKQEBVY2oI3PsheTooMdh+/yxemYQYY=
+github.com/sagernet/quic-go v0.0.0-20230615020047-10f05c797c02 h1:9S+L1n/4hbe1pCLNTZnnddSNseQda8tuSm/+uRy6p8s=
-github.com/sagernet/quic-go v0.0.0-20230202071646-a8c8afb18b32/go.mod h1:QMCkxXAC3CvBgDZVIJp43NWTuwGBScCzMLVLynjERL8=
+github.com/sagernet/quic-go v0.0.0-20230615020047-10f05c797c02/go.mod h1:rth94YcHJfkC4mG03JTXmv7mJsDc8MOIIqQrCtoaV4U=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
-github.com/sagernet/sing v0.2.5-0.20230427151730-ed2d05ab518a h1:qQ4fG1XrlTbLvtkJK5SbtIGJ4cIjObvVjL1AvhD+vrI=
+github.com/sagernet/sing v0.2.9 h1:3wsTz+JG5Wzy65eZnh6AuCrD2QqcRF6Iq6f7ttmJsAo=
-github.com/sagernet/sing v0.2.5-0.20230427151730-ed2d05ab518a/go.mod h1:Ta8nHnDLAwqySzKhGoKk4ZIB+vJ3GTKj7UPrWYvM+4w=
+github.com/sagernet/sing v0.2.9/go.mod h1:Ta8nHnDLAwqySzKhGoKk4ZIB+vJ3GTKj7UPrWYvM+4w=
-github.com/sagernet/sing-dns v0.1.5-0.20230426113254-25d948c44223 h1:L4eMuM07iSHY3UCknFnuFuHoe5clZuF2Xnf2wwA6Lwc=
+github.com/sagernet/sing-dns v0.1.8 h1:zTYnxzA7mssg/Lwd70+RFPi8i3djioGnVS7zKwSF6cg=
-github.com/sagernet/sing-dns v0.1.5-0.20230426113254-25d948c44223/go.mod h1:ZKuuqgsHRxDahYrzgSgy4vIAGGuKPlIf4hLcNzYzLkY=
+github.com/sagernet/sing-dns v0.1.8/go.mod h1:lHv8WMl9GKfMV8Wt1AJTtjVTF/h5/owpGY2YutYZF6g=
-github.com/sagernet/sing-mux v0.0.0-20230425130511-b0a6ffd8406f h1:iEpOTgBTjt0vZJVXMTqYq13XyIu/337TWbq6WZ3CMWc=
+github.com/sagernet/sing-mux v0.1.2 h1:av2/m6e+Gh+ECTuJZqYCjJz55BNkot0VyRMkREqyF/g=
-github.com/sagernet/sing-mux v0.0.0-20230425130511-b0a6ffd8406f/go.mod h1:pF+RnLvCAOhECrvauy6LYOpBakJ/vuaF1Wm4lPsWryI=
+github.com/sagernet/sing-mux v0.1.2/go.mod h1:r2V8AlOzXaRCHXK7fILCUGzuI2iILweTaG8C5xlpHxo=
-github.com/sagernet/sing-shadowsocks v0.2.2-0.20230417102954-f77257340507 h1:bAHZCdWqJkb8LEW98+YsMVDXGRMUVjka8IC+St6ot88=
+github.com/sagernet/sing-shadowsocks v0.2.4 h1:s/CqXlvFAZhlIoHWUwPw5CoNnQ9Ibki9pckjuugtVfY=
-github.com/sagernet/sing-shadowsocks v0.2.2-0.20230417102954-f77257340507/go.mod h1:UJjvQGw0lyYaDGIDvUraL16fwaAEH1WFw1Y6sUcMPog=
+github.com/sagernet/sing-shadowsocks v0.2.4/go.mod h1:80fNKP0wnqlu85GZXV1H1vDPC/2t+dQbFggOw4XuFUM=
-github.com/sagernet/sing-shadowsocks2 v0.0.0-20230430083720-38321e1355cc h1:Jvm/7wtYYRP4mrZtUpWJxNxwnntqK+n8e/xgMHkOyP0=
+github.com/sagernet/sing-shadowsocks2 v0.1.3 h1:WXoLvCFi5JTFBRYorf1YePGYIQyJ/zbsBM6Fwbl5kGA=
-github.com/sagernet/sing-shadowsocks2 v0.0.0-20230430083720-38321e1355cc/go.mod h1:Dpib342FFR68SZ3CSRYxk/zWbanAqRBrCxoLuda5I0A=
+github.com/sagernet/sing-shadowsocks2 v0.1.3/go.mod h1:DOhJc/cLeqRv0wuePrQso+iUmDxOnWF4eT/oMcRzYFw=
-github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b h1:ouW/6IDCrxkBe19YSbdCd7buHix7b+UZ6BM4Zz74XF4=
+github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
-github.com/sagernet/sing-shadowtls v0.1.2-0.20230417103049-4f682e05f19b/go.mod h1:oG8bPerYI6cZ74KquY3DvA7ynECyrILPBnce6wtBqeI=
+github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
-github.com/sagernet/sing-tun v0.1.5-0.20230422121432-209ec123ca7b h1:9NsciSJGwzdkXwVvT2c2g+RvkTVkANeBLr2l+soJ7LM=
+github.com/sagernet/sing-tun v0.1.10 h1:DSYGK+slViKQAZ6tRydSrHfouV/D1gu0eohIwbeYAXI=
-github.com/sagernet/sing-tun v0.1.5-0.20230422121432-209ec123ca7b/go.mod h1:DD7Ce2Gt0GFc6I/1+Uw4D/aUlBsGqrQsC52CMK/V818=
+github.com/sagernet/sing-tun v0.1.10/go.mod h1:XsyIVKd/Qp+2SdLZWGbavHtcpE7J7XU3S1zJmcoj9Ck=
-github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3 h1:BHOnxrbC929JonuKqFdJ7ZbDp7zs4oTlH5KFvKtWu9U=
+github.com/sagernet/sing-vmess v0.1.7 h1:TM8FFLsXmlXH9XT8/oDgc6PC5BOzrg6OzyEe01is2r4=
-github.com/sagernet/sing-vmess v0.1.5-0.20230417103030-8c3070ae3fb3/go.mod h1:yKrAr+dqZd64DxBXCHWrYicp+n4qbqO73mtwv3dck8U=
+github.com/sagernet/sing-vmess v0.1.7/go.mod h1:1qkC1L1T2sxnS/NuO6HU72S8TkltV+EXoKGR29m/Yss=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 h1:HuE6xSwco/Xed8ajZ+coeYLmioq0Qp1/Z2zczFaV8as=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37/go.mod h1:3skNSftZDJWTGVtVaM2jfbce8qHnmH/AGDRe62iNOg0=
 github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9 h1:2ItpW1nMNkPzmBTxV0/eClCklHrFSQMnUGcpUmJxVeE=
@@ -137,102 +143,86 @@ github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e h1:7uw2njHFGE+V
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e/go.mod h1:45TUl8+gH4SIKr4ykREbxKWTxkDlSzFENzctB1dVRRY=
 github.com/sagernet/wireguard-go v0.0.0-20230420044414-a7bac1754e77 h1:g6QtRWQ2dKX7EQP++1JLNtw4C2TNxd4/ov8YUpOPOSo=
 github.com/sagernet/wireguard-go v0.0.0-20230420044414-a7bac1754e77/go.mod h1:pJDdXzZIwJ+2vmnT0TKzmf8meeum+e2mTDSehw79eE0=
 github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 h1:rc/CcqLH3lh8n+csdOuDfP+NuykE0U6AeYSJJHKDgSg=
 github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9/go.mod h1:a/83NAfUXvEuLpmxDssAXxgUgrEy12MId3Wd7OTs76s=
 github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
 github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 h1:tHNk7XK9GkmKUR6Gh8gVBKXc2MVSZ4G/NnWLtzw4gNA=
 github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
 github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
 github.com/zeebo/blake3 v0.2.3/go.mod h1:mjJjZpnsyIVtVgTOSpJ9vmRE4wgDeyt2HU3qXvvKCaQ=
 github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
 go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
-go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
-go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
-go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
-go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
 go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35 h1:nJAwRlGWZZDOD+6wni9KVUNHMpHko/OnRwsrCYeAzPo=
 go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35/go.mod h1:TQvodOM+hJTioNQJilmLXu08JNb8i+ccq418+KWu1/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
+golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
-golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
+golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
-golang.org/x/exp v0.0.0-20230321023759-10a507213a29 h1:ooxPy7fPvB4kwsA2h+iBNHkAbp/4JxTSwCmvdjEYmug=
+golang.org/x/exp v0.0.0-20230626212559-97b1e661b5df h1:UA2aFVmmsIlefxMk29Dp2juaUSth8Pyn3Tq5Y5mJGME=
-golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/exp v0.0.0-20230626212559-97b1e661b5df/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
-golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
+golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
+golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
-golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
+golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
+golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
-golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
-golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
 golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde h1:ybF7AMzIUikL9x4LgwEmzhXtzRpKNqngme1VGDWz+Nk=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde/go.mod h1:mQqgjkW8GQQcJQsbBvK890TKqUK1DfKWkuBGbOkuMHQ=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A=
-google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f h1:BWUVssLB0HVOSY78gIdvk1dTVYtT1y8SBWtPYuTJ/6w=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
-google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/grpc v1.56.2 h1:fVRFRnXvU+x6C4IlHZewvJOVHoOv1TUuQyoRsYnB4bI=
-google.golang.org/grpc v1.54.0 h1:EhTqbhiYeixwWQtAEZAxmV9MGqcjEU2mFx52xCzNyag=
+google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
 google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -240,7 +230,5 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gvisor.dev/gvisor v0.0.0-20230415003630-3981d5d5e523 h1:zUQYeyyPLnSR6yMvLSOmLH37xDWCZ7BqlpE69fE5K3Q=
+lukechampine.com/blake3 v1.2.1 h1:YuqqRuaqsGV71BV/nm9xlI0MKUv4QC54jQnBChWbGnI=
-gvisor.dev/gvisor v0.0.0-20230415003630-3981d5d5e523/go.mod h1:pzr6sy8gDLfVmDAg8OYrlKvGEHw5C3PGTiBXBTCx76Q=
+lukechampine.com/blake3 v1.2.1/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
 lukechampine.com/blake3 v1.1.7 h1:GgRMhmdsuK8+ii6UZFDL8Nb+VyMwadAgcJyfYHxG6n0=
 lukechampine.com/blake3 v1.1.7/go.mod h1:tkKEOtDkNtklkXtLNEOGNq5tcV90tJiA1vAA12R78LA=
--- a/inbound/default_udp.go
+++ b/inbound/default_udp.go
@@ -38,9 +38,7 @@ func (a *myInboundAdapter) ListenUDP() (net.PacketConn, error) {
 func (a *myInboundAdapter) loopUDPIn() {
 	defer close(a.packetOutboundClosed)
-	_buffer := buf.StackNewPacket()
+	buffer := buf.NewPacket()
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	buffer.IncRef()
 	defer buffer.DecRef()
@@ -67,9 +65,7 @@ func (a *myInboundAdapter) loopUDPIn() {
 func (a *myInboundAdapter) loopUDPOOBIn() {
 	defer close(a.packetOutboundClosed)
-	_buffer := buf.StackNewPacket()
+	buffer := buf.NewPacket()
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	buffer.IncRef()
 	defer buffer.DecRef()
--- a/inbound/hysteria.go
+++ b/inbound/hysteria.go
@@ -35,7 +35,7 @@ type Hysteria struct {
 	xplusKey     []byte
 	sendBPS      uint64
 	recvBPS      uint64
-	listener     quic.Listener
+	listener     *quic.Listener
 	udpAccess    sync.RWMutex
 	udpSessionId uint32
 	udpSessions  map[uint32]chan *hysteria.UDPMessage
@@ -283,6 +283,7 @@ func (h *Hysteria) acceptStream(ctx context.Context, conn quic.Connection, strea
 	metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
 	metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
 	metadata.Destination = M.ParseSocksaddrHostPort(request.Host, request.Port).Unwrap()
 	metadata.User, _ = auth.UserFromContext[string](ctx)
 	if !request.UDP {
 		err = hysteria.WriteServerResponse(stream, hysteria.ServerResponse{
@@ -332,7 +333,7 @@ func (h *Hysteria) Close() error {
 	h.udpAccess.Unlock()
 	return common.Close(
 		&h.myInboundAdapter,
-		h.listener,
+		common.PtrOrNil(h.listener),
 		h.tlsConfig,
 	)
 }
--- a/inbound/naive.go
+++ b/inbound/naive.go
@@ -270,9 +270,7 @@ func (c *naiveH1Conn) read(p []byte) (n int, err error) {
 		if len(p) >= 3 {
 			paddingHdr = p[:3]
 		} else {
-			_paddingHdr := make([]byte, 3)
+			paddingHdr = make([]byte, 3)
 			defer common.KeepAlive(_paddingHdr)
 			paddingHdr = common.Dup(_paddingHdr)
 		}
 		_, err = io.ReadFull(c.Conn, paddingHdr)
 		if err != nil {
@@ -320,9 +318,7 @@ func (c *naiveH1Conn) write(p []byte) (n int, err error) {
 	if c.writePadding < kFirstPaddings {
 		paddingSize := rand.Intn(256)
-		_buffer := buf.StackNewSize(3 + len(p) + paddingSize)
+		buffer := buf.NewSize(3 + len(p) + paddingSize)
 		defer common.KeepAlive(_buffer)
 		buffer := common.Dup(_buffer)
 		defer buffer.Release()
 		header := buffer.Extend(3)
 		binary.BigEndian.PutUint16(header, uint16(len(p)))
@@ -449,9 +445,7 @@ func (c *naiveH2Conn) read(p []byte) (n int, err error) {
 		if len(p) >= 3 {
 			paddingHdr = p[:3]
 		} else {
-			_paddingHdr := make([]byte, 3)
+			paddingHdr = make([]byte, 3)
 			defer common.KeepAlive(_paddingHdr)
 			paddingHdr = common.Dup(_paddingHdr)
 		}
 		_, err = io.ReadFull(c.reader, paddingHdr)
 		if err != nil {
@@ -502,9 +496,7 @@ func (c *naiveH2Conn) write(p []byte) (n int, err error) {
 	if c.writePadding < kFirstPaddings {
 		paddingSize := rand.Intn(256)
-		_buffer := buf.StackNewSize(3 + len(p) + paddingSize)
+		buffer := buf.NewSize(3 + len(p) + paddingSize)
 		defer common.KeepAlive(_buffer)
 		buffer := common.Dup(_buffer)
 		defer buffer.Release()
 		header := buffer.Extend(3)
 		binary.BigEndian.PutUint16(header, uint16(len(p)))
--- a/inbound/tun.go
+++ b/inbound/tun.go
@@ -19,10 +19,7 @@ import (
 	"github.com/sagernet/sing/common/ranges"
 )
-var (
+var _ adapter.Inbound = (*Tun)(nil)
 	_ adapter.Inbound = (*Tun)(nil)
 	_ tun.Router      = (*Tun)(nil)
 )
 type Tun struct {
 	tag                    string
@@ -161,10 +158,6 @@ func (t *Tun) Start() error {
 	}
 	t.logger.Trace("creating stack")
 	t.tunIf = tunInterface
 	var tunRouter tun.Router
 	if len(t.router.IPRules()) > 0 {
 		tunRouter = t
 	}
 	t.tunStack, err = tun.NewStack(t.stack, tun.StackOptions{
 		Context:                t.ctx,
 		Tun:                    tunInterface,
@@ -174,7 +167,6 @@ func (t *Tun) Start() error {
 		Inet6Address:           t.tunOptions.Inet6Address,
 		EndpointIndependentNat: t.endpointIndependentNat,
 		UDPTimeout:             t.udpTimeout,
 		Router:                 tunRouter,
 		Handler:                t,
 		Logger:                 t.logger,
 		ForwarderBindInterface: t.platformInterface != nil,
@@ -199,21 +191,6 @@ func (t *Tun) Close() error {
 	)
 }
 func (t *Tun) RouteConnection(session tun.RouteSession, conn tun.RouteContext) tun.RouteAction {
 	ctx := log.ContextWithNewID(t.ctx)
 	var metadata adapter.InboundContext
 	metadata.Inbound = t.tag
 	metadata.InboundType = C.TypeTun
 	metadata.IPVersion = session.IPVersion
 	metadata.Network = tun.NetworkName(session.Network)
 	metadata.Source = M.SocksaddrFromNetIP(session.Source)
 	metadata.Destination = M.SocksaddrFromNetIP(session.Destination)
 	metadata.InboundOptions = t.inboundOptions
 	t.logger.DebugContext(ctx, "incoming connection from ", metadata.Source)
 	t.logger.DebugContext(ctx, "incoming connection to ", metadata.Destination)
 	return t.router.RouteIPConnection(ctx, conn, metadata)
 }
 func (t *Tun) NewConnection(ctx context.Context, conn net.Conn, upstreamMetadata M.Metadata) error {
 	ctx = log.ContextWithNewID(ctx)
 	var metadata adapter.InboundContext
--- a/log/default.go
+++ b/log/default.go
@@ -24,8 +24,9 @@ func NewFactory(formatter Formatter, writer io.Writer, platformWriter io.Writer)
 	return &simpleFactory{
 		formatter: formatter,
 		platformFormatter: Formatter{
-			BaseTime:      formatter.BaseTime,
+			BaseTime:         formatter.BaseTime,
-			DisableColors: C.IsDarwin || C.IsIos,
+			DisableColors:    C.IsDarwin || C.IsIos,
 			DisableLineBreak: true,
 		},
 		writer:         writer,
 		platformWriter: platformWriter,
--- a/log/format.go
+++ b/log/format.go
@@ -17,6 +17,7 @@ type Formatter struct {
 	DisableTimestamp bool
 	FullTimestamp    bool
 	TimestampFormat  string
 	DisableLineBreak bool
 }
 func (f Formatter) Format(ctx context.Context, level Level, tag string, message string, timestamp time.Time) string {
@@ -76,8 +77,14 @@ func (f Formatter) Format(ctx context.Context, level Level, tag string, message
 	default:
 		message = levelString + "[" + xd(int(timestamp.Sub(f.BaseTime)/time.Second), 4) + "] " + message
 	}
-	if message[len(message)-1] != '\n' {
+	if f.DisableLineBreak {
-		message += "\n"
+		if message[len(message)-1] == '\n' {
 			message = message[:len(message)-1]
 		}
 	} else {
 		if message[len(message)-1] != '\n' {
 			message += "\n"
 		}
 	}
 	return message
 }
--- a/log/observable.go
+++ b/log/observable.go
@@ -28,8 +28,9 @@ func NewObservableFactory(formatter Formatter, writer io.Writer, platformWriter
 	factory := &observableFactory{
 		formatter: formatter,
 		platformFormatter: Formatter{
-			BaseTime:      formatter.BaseTime,
+			BaseTime:         formatter.BaseTime,
-			DisableColors: C.IsDarwin || C.IsIos,
+			DisableColors:    C.IsDarwin || C.IsIos,
 			DisableLineBreak: true,
 		},
 		writer:         writer,
 		platformWriter: platformWriter,
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -39,6 +39,7 @@ nav:
      - From source: installation/from-source.md
      - Clients:
          - iOS: installation/clients/sfi.md
          - macOS: installation/clients/sfm.md
          - Android: installation/clients/sfa.md
  - Configuration:
      - configuration/index.md
@@ -55,7 +56,6 @@ nav:
          - configuration/route/index.md
          - GeoIP: configuration/route/geoip.md
          - Geosite: configuration/route/geosite.md
          - IP Route Rule: configuration/route/ip-rule.md
          - Route Rule: configuration/route/rule.md
          - Protocol Sniff: configuration/route/sniff.md
      - Experimental:
@@ -115,6 +115,7 @@ nav:
      - ShadowTLS: examples/shadowtls.md
      - Clash API: examples/clash-api.md
      - WireGuard Direct: examples/wireguard-direct.md
      - FakeIP: examples/fakeip.md
  - Contributing:
      - contributing/index.md
      - Developing:
@@ -174,7 +175,6 @@ plugins:
          DNS Rule: DNS 规则
          Route: 路由
          IP Route Rule: IP 路由规则
          Route Rule: 路由规则
          Protocol Sniff: 协议探测
--- a/option/clash.go
+++ b/option/clash.go
@@ -10,6 +10,7 @@ type ClashAPIOptions struct {
 	StoreSelected            bool   `json:"store_selected,omitempty"`
 	StoreFakeIP              bool   `json:"store_fakeip,omitempty"`
 	CacheFile                string `json:"cache_file,omitempty"`
 	CacheID                  string `json:"cache_id,omitempty"`
 }
 type SelectorOutboundOptions struct {
--- a/option/route.go
+++ b/option/route.go
@@ -3,7 +3,6 @@ package option
 type RouteOptions struct {
 	GeoIP               *GeoIPOptions   `json:"geoip,omitempty"`
 	Geosite             *GeositeOptions `json:"geosite,omitempty"`
 	IPRules             []IPRule        `json:"ip_rules,omitempty"`
 	Rules               []Rule          `json:"rules,omitempty"`
 	Final               string          `json:"final,omitempty"`
 	FindProcess         bool            `json:"find_process,omitempty"`
--- a/option/rule_ip.go
+++ b/option/rule_ip.go
@@ -1,120 +0,0 @@
 package option
 import (
 	"reflect"
 	"github.com/sagernet/sing-box/common/json"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 type _IPRule struct {
 	Type           string        `json:"type,omitempty"`
 	DefaultOptions DefaultIPRule `json:"-"`
 	LogicalOptions LogicalIPRule `json:"-"`
 }
 type IPRule _IPRule
 func (r IPRule) MarshalJSON() ([]byte, error) {
 	var v any
 	switch r.Type {
 	case C.RuleTypeDefault:
 		r.Type = ""
 		v = r.DefaultOptions
 	case C.RuleTypeLogical:
 		v = r.LogicalOptions
 	default:
 		return nil, E.New("unknown rule type: " + r.Type)
 	}
 	return MarshallObjects((_IPRule)(r), v)
 }
 func (r *IPRule) UnmarshalJSON(bytes []byte) error {
 	err := json.Unmarshal(bytes, (*_IPRule)(r))
 	if err != nil {
 		return err
 	}
 	var v any
 	switch r.Type {
 	case "", C.RuleTypeDefault:
 		r.Type = C.RuleTypeDefault
 		v = &r.DefaultOptions
 	case C.RuleTypeLogical:
 		v = &r.LogicalOptions
 	default:
 		return E.New("unknown rule type: " + r.Type)
 	}
 	err = UnmarshallExcluded(bytes, (*_IPRule)(r), v)
 	if err != nil {
 		return E.Cause(err, "ip route rule")
 	}
 	return nil
 }
 type DefaultIPRule struct {
 	Inbound         Listable[string] `json:"inbound,omitempty"`
 	IPVersion       int              `json:"ip_version,omitempty"`
 	Network         Listable[string] `json:"network,omitempty"`
 	Domain          Listable[string] `json:"domain,omitempty"`
 	DomainSuffix    Listable[string] `json:"domain_suffix,omitempty"`
 	DomainKeyword   Listable[string] `json:"domain_keyword,omitempty"`
 	DomainRegex     Listable[string] `json:"domain_regex,omitempty"`
 	Geosite         Listable[string] `json:"geosite,omitempty"`
 	SourceGeoIP     Listable[string] `json:"source_geoip,omitempty"`
 	GeoIP           Listable[string] `json:"geoip,omitempty"`
 	SourceIPCIDR    Listable[string] `json:"source_ip_cidr,omitempty"`
 	IPCIDR          Listable[string] `json:"ip_cidr,omitempty"`
 	SourcePort      Listable[uint16] `json:"source_port,omitempty"`
 	SourcePortRange Listable[string] `json:"source_port_range,omitempty"`
 	Port            Listable[uint16] `json:"port,omitempty"`
 	PortRange       Listable[string] `json:"port_range,omitempty"`
 	Invert          bool             `json:"invert,omitempty"`
 	Action          RouteAction      `json:"action,omitempty"`
 	Outbound        string           `json:"outbound,omitempty"`
 }
 type RouteAction tun.ActionType
 func (a RouteAction) MarshalJSON() ([]byte, error) {
 	typeName, err := tun.ActionTypeName(tun.ActionType(a))
 	if err != nil {
 		return nil, err
 	}
 	return json.Marshal(typeName)
 }
 func (a *RouteAction) UnmarshalJSON(bytes []byte) error {
 	var value string
 	err := json.Unmarshal(bytes, &value)
 	if err != nil {
 		return err
 	}
 	actionType, err := tun.ParseActionType(value)
 	if err != nil {
 		return err
 	}
 	*a = RouteAction(actionType)
 	return nil
 }
 func (r DefaultIPRule) IsValid() bool {
 	var defaultValue DefaultIPRule
 	defaultValue.Invert = r.Invert
 	defaultValue.Outbound = r.Outbound
 	return !reflect.DeepEqual(r, defaultValue)
 }
 type LogicalIPRule struct {
 	Mode     string          `json:"mode"`
 	Rules    []DefaultIPRule `json:"rules,omitempty"`
 	Invert   bool            `json:"invert,omitempty"`
 	Action   RouteAction     `json:"action,omitempty"`
 	Outbound string          `json:"outbound,omitempty"`
 }
 func (r LogicalIPRule) IsValid() bool {
 	return len(r.Rules) > 0 && common.All(r.Rules, DefaultIPRule.IsValid)
 }
--- a/option/wireguard.go
+++ b/option/wireguard.go
@@ -14,7 +14,6 @@ type WireGuardOutboundOptions struct {
 	Workers       int         `json:"workers,omitempty"`
 	MTU           uint32      `json:"mtu,omitempty"`
 	Network       NetworkList `json:"network,omitempty"`
 	IPRewrite     bool        `json:"ip_rewrite,omitempty"`
 }
 type WireGuardPeer struct {
--- a/outbound/default.go
+++ b/outbound/default.go
@@ -5,12 +5,12 @@ import (
 	"net"
 	"net/netip"
 	"os"
 	"runtime"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
@@ -20,11 +20,12 @@ import (
 )
 type myOutboundAdapter struct {
-	protocol string
+	protocol     string
-	network  []string
+	network      []string
-	router   adapter.Router
+	router       adapter.Router
-	logger   log.ContextLogger
+	logger       log.ContextLogger
-	tag      string
+	tag          string
 	dependencies []string
 }
 func (a *myOutboundAdapter) Type() string {
@@ -39,10 +40,21 @@ func (a *myOutboundAdapter) Network() []string {
 	return a.network
 }
 func (a *myOutboundAdapter) Dependencies() []string {
 	return a.dependencies
 }
 func (a *myOutboundAdapter) NewError(ctx context.Context, err error) {
 	NewError(a.logger, ctx, err)
 }
 func withDialerDependency(options option.DialerOptions) []string {
 	if options.Detour != "" {
 		return []string{options.Detour}
 	}
 	return nil
 }
 func NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata adapter.InboundContext) error {
 	ctx = adapter.WithContext(ctx, &metadata)
 	var outConn net.Conn
@@ -99,8 +111,7 @@ func CopyEarlyConn(ctx context.Context, conn net.Conn, serverConn net.Conn) erro
 		}
 	}
 	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](serverConn); isEarlyConn && earlyConn.NeedHandshake() {
-		_payload := buf.StackNew()
+		payload := buf.NewPacket()
 		payload := common.Dup(_payload)
 		err := conn.SetReadDeadline(time.Now().Add(C.ReadPayloadTimeout))
 		if err != os.ErrInvalid {
 			if err != nil {
@@ -120,7 +131,6 @@ func CopyEarlyConn(ctx context.Context, conn net.Conn, serverConn net.Conn) erro
 		if err != nil {
 			return N.HandshakeFailure(conn, err)
 		}
 		runtime.KeepAlive(_payload)
 		payload.Release()
 	}
 	return bufio.CopyConn(ctx, conn, serverConn)
--- a/outbound/direct.go
+++ b/outbound/direct.go
@@ -40,11 +40,12 @@ func NewDirect(router adapter.Router, logger log.ContextLogger, tag string, opti
 	options.UDPFragmentDefault = true
 	outbound := &Direct{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeDirect,
+			protocol:     C.TypeDirect,
-			network:  []string{N.NetworkTCP, N.NetworkUDP},
+			network:      []string{N.NetworkTCP, N.NetworkUDP},
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: withDialerDependency(options.DialerOptions),
 		},
 		domainStrategy: dns.DomainStrategy(options.DomainStrategy),
 		fallbackDelay:  time.Duration(options.FallbackDelay),
--- a/outbound/dns.go
+++ b/outbound/dns.go
@@ -65,9 +65,7 @@ func (d *DNS) handleConnection(ctx context.Context, conn net.Conn, metadata adap
 	if queryLength == 0 {
 		return dns.RCodeFormatError
 	}
-	_buffer := buf.StackNewSize(int(queryLength))
+	buffer := buf.NewSize(int(queryLength))
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	_, err = buffer.ReadFullFrom(conn, int(queryLength))
 	if err != nil {
@@ -84,9 +82,7 @@ func (d *DNS) handleConnection(ctx context.Context, conn net.Conn, metadata adap
 		if err != nil {
 			return err
 		}
-		_responseBuffer := buf.StackNewPacket()
+		responseBuffer := buf.NewPacket()
 		defer common.KeepAlive(_responseBuffer)
 		responseBuffer := common.Dup(_responseBuffer)
 		defer responseBuffer.Release()
 		responseBuffer.Resize(2, 0)
 		n, err := response.PackBuffer(responseBuffer.FreeBytes())
@@ -119,30 +115,47 @@ func (d *DNS) NewPacketConnection(ctx context.Context, conn N.PacketConn, metada
 		}
 		break
 	}
 	ctx = adapter.WithContext(ctx, &metadata)
 	fastClose, cancel := common.ContextWithCancelCause(ctx)
 	timeout := canceler.New(fastClose, cancel, C.DNSTimeout)
 	var group task.Group
 	group.Append0(func(ctx context.Context) error {
 		_buffer := buf.StackNewSize(dns.FixedPacketSize)
 		defer common.KeepAlive(_buffer)
 		buffer := common.Dup(_buffer)
 		defer buffer.Release()
 		for {
 			buffer.FullReset()
 			destination, err := conn.ReadPacket(buffer)
 			if err != nil {
 				cancel(err)
 				return err
 			}
 			var message mDNS.Msg
-			err = message.Unpack(buffer.Bytes())
+			var destination M.Socksaddr
-			if err != nil {
+			var err error
-				cancel(err)
+			if len(cachedPackets) > 0 {
-				return err
+				packet := cachedPackets[0]
 				cachedPackets = cachedPackets[1:]
 				for _, counter := range counters {
 					counter(int64(packet.Buffer.Len()))
 				}
 				err = message.Unpack(packet.Buffer.Bytes())
 				packet.Buffer.Release()
 				if err != nil {
 					cancel(err)
 					return err
 				}
 				destination = packet.Destination
 			} else {
 				buffer := buf.NewPacket()
 				destination, err = conn.ReadPacket(buffer)
 				if err != nil {
 					buffer.Release()
 					cancel(err)
 					return err
 				}
 				for _, counter := range counters {
 					counter(int64(buffer.Len()))
 				}
 				err = message.Unpack(buffer.Bytes())
 				buffer.Release()
 				if err != nil {
 					cancel(err)
 					return err
 				}
 				timeout.Update()
 			}
 			timeout.Update()
 			metadataInQuery := metadata
 			go func() error {
 				response, err := d.router.Exchange(adapter.WithContext(ctx, &metadataInQuery), &message)
@@ -180,14 +193,12 @@ func (d *DNS) newPacketConnection(ctx context.Context, conn N.PacketConn, readWa
 	var group task.Group
 	group.Append0(func(ctx context.Context) error {
 		var buffer *buf.Buffer
-		newBuffer := func() *buf.Buffer {
+		readWaiter.InitializeReadWaiter(func() *buf.Buffer {
 			if buffer != nil {
 				buffer.Release()
 			}
 			buffer = buf.NewSize(dns.FixedPacketSize)
 			buffer.FullReset()
 			return buffer
-		}
+		})
 		defer readWaiter.InitializeReadWaiter(nil)
 		for {
 			var message mDNS.Msg
 			var destination M.Socksaddr
@@ -206,11 +217,9 @@ func (d *DNS) newPacketConnection(ctx context.Context, conn N.PacketConn, readWa
 				}
 				destination = packet.Destination
 			} else {
-				destination, err = readWaiter.WaitReadPacket(newBuffer)
+				destination, err = readWaiter.WaitReadPacket()
 				if err != nil {
-					if buffer != nil {
+					buffer.Release()
 						buffer.Release()
 					}
 					cancel(err)
 					return err
 				}
--- a/outbound/http.go
+++ b/outbound/http.go
@@ -39,11 +39,12 @@ func NewHTTP(router adapter.Router, logger log.ContextLogger, tag string, option
 	}
 	return &HTTP{
 		myOutboundAdapter{
-			protocol: C.TypeHTTP,
+			protocol:     C.TypeHTTP,
-			network:  []string{N.NetworkTCP},
+			network:      []string{N.NetworkTCP},
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: withDialerDependency(options.DialerOptions),
 		},
 		sHTTP.NewClient(sHTTP.Options{
 			Dialer:   detour,
--- a/outbound/hysteria.go
+++ b/outbound/hysteria.go
@@ -119,11 +119,12 @@ func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextL
 	}
 	return &Hysteria{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeHysteria,
+			protocol:     C.TypeHysteria,
-			network:  options.Network.Build(),
+			network:      options.Network.Build(),
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: withDialerDependency(options.DialerOptions),
 		},
 		ctx:        ctx,
 		dialer:     dialer.New(router, options.DialerOptions),
@@ -150,6 +151,7 @@ func (h *Hysteria) offer(ctx context.Context) (quic.Connection, error) {
 	if conn != nil && !common.Done(conn.Context()) {
 		return conn, nil
 	}
 	common.Close(h.rawConn)
 	conn, err := h.offerNew(ctx)
 	if err != nil {
 		return nil, err
@@ -176,7 +178,7 @@ func (h *Hysteria) offerNew(ctx context.Context) (quic.Connection, error) {
 		packetConn = hysteria.NewXPlusPacketConn(packetConn, h.xplusKey)
 	}
 	packetConn = &hysteria.PacketConnWrapper{PacketConn: packetConn}
-	quicConn, err := quic.Dial(packetConn, udpConn.RemoteAddr(), h.serverAddr.AddrString(), h.tlsConfig, h.quicConfig)
+	quicConn, err := quic.Dial(h.ctx, packetConn, udpConn.RemoteAddr(), h.tlsConfig, h.quicConfig)
 	if err != nil {
 		packetConn.Close()
 		return nil, err
@@ -260,13 +262,19 @@ func (h *Hysteria) Close() error {
 	return nil
 }
-func (h *Hysteria) open(ctx context.Context) (quic.Connection, quic.Stream, error) {
+func (h *Hysteria) open(ctx context.Context, reconnect bool) (quic.Connection, quic.Stream, error) {
 	conn, err := h.offer(ctx)
 	if err != nil {
 		if nErr, ok := err.(net.Error); ok && !nErr.Temporary() && reconnect {
 			return h.open(ctx, false)
 		}
 		return nil, nil, err
 	}
 	stream, err := conn.OpenStream()
 	if err != nil {
 		if nErr, ok := err.(net.Error); ok && !nErr.Temporary() && reconnect {
 			return h.open(ctx, false)
 		}
 		return nil, nil, err
 	}
 	return conn, &hysteria.StreamWrapper{Stream: stream}, nil
@@ -276,7 +284,7 @@ func (h *Hysteria) DialContext(ctx context.Context, network string, destination
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
 		h.logger.InfoContext(ctx, "outbound connection to ", destination)
-		_, stream, err := h.open(ctx)
+		_, stream, err := h.open(ctx, true)
 		if err != nil {
 			return nil, err
 		}
@@ -302,7 +310,7 @@ func (h *Hysteria) DialContext(ctx context.Context, network string, destination
 func (h *Hysteria) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	conn, stream, err := h.open(ctx)
+	conn, stream, err := h.open(ctx, true)
 	if err != nil {
 		return nil, err
 	}
--- a/outbound/selector.go
+++ b/outbound/selector.go
@@ -29,10 +29,11 @@ type Selector struct {
 func NewSelector(router adapter.Router, logger log.ContextLogger, tag string, options option.SelectorOutboundOptions) (*Selector, error) {
 	outbound := &Selector{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeSelector,
+			protocol:     C.TypeSelector,
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: options.Outbounds,
 		},
 		tags:       options.Outbounds,
 		defaultTag: options.Default,
--- a/outbound/shadowsocks.go
+++ b/outbound/shadowsocks.go
@@ -41,11 +41,12 @@ func NewShadowsocks(ctx context.Context, router adapter.Router, logger log.Conte
 	}
 	outbound := &Shadowsocks{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeShadowsocks,
+			protocol:     C.TypeShadowsocks,
-			network:  options.Network.Build(),
+			network:      options.Network.Build(),
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: withDialerDependency(options.DialerOptions),
 		},
 		dialer:     dialer.New(router, options.DialerOptions),
 		method:     method,
--- a/outbound/shadowsocksr.go
+++ b/outbound/shadowsocksr.go
@@ -39,11 +39,12 @@ type ShadowsocksR struct {
 func NewShadowsocksR(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowsocksROutboundOptions) (*ShadowsocksR, error) {
 	outbound := &ShadowsocksR{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeShadowsocksR,
+			protocol:     C.TypeShadowsocksR,
-			network:  options.Network.Build(),
+			network:      options.Network.Build(),
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: withDialerDependency(options.DialerOptions),
 		},
 		dialer:     dialer.New(router, options.DialerOptions),
 		serverAddr: options.ServerOptions.Build(),
--- a/outbound/shadowtls.go
+++ b/outbound/shadowtls.go
@@ -27,11 +27,12 @@ type ShadowTLS struct {
 func NewShadowTLS(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowTLSOutboundOptions) (*ShadowTLS, error) {
 	outbound := &ShadowTLS{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeShadowTLS,
+			protocol:     C.TypeShadowTLS,
-			network:  []string{N.NetworkTCP},
+			network:      []string{N.NetworkTCP},
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: withDialerDependency(options.DialerOptions),
 		},
 	}
 	if options.TLS == nil || !options.TLS.Enabled {
--- a/outbound/socks.go
+++ b/outbound/socks.go
@@ -39,11 +39,12 @@ func NewSocks(router adapter.Router, logger log.ContextLogger, tag string, optio
 	}
 	outbound := &Socks{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeSocks,
+			protocol:     C.TypeSocks,
-			network:  options.Network.Build(),
+			network:      options.Network.Build(),
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: withDialerDependency(options.DialerOptions),
 		},
 		client:  socks.NewClient(dialer.New(router, options.DialerOptions), options.ServerOptions.Build(), version, options.Username, options.Password),
 		resolve: version == socks.Version4,
--- a/outbound/ssh.go
+++ b/outbound/ssh.go
@@ -46,11 +46,12 @@ type SSH struct {
 func NewSSH(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.SSHOutboundOptions) (*SSH, error) {
 	outbound := &SSH{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeSSH,
+			protocol:     C.TypeSSH,
-			network:  []string{N.NetworkTCP},
+			network:      []string{N.NetworkTCP},
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: withDialerDependency(options.DialerOptions),
 		},
 		ctx:               ctx,
 		dialer:            dialer.New(router, options.DialerOptions),
--- a/outbound/tor.go
+++ b/outbound/tor.go
@@ -68,11 +68,12 @@ func NewTor(ctx context.Context, router adapter.Router, logger log.ContextLogger
 	}
 	return &Tor{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeTor,
+			protocol:     C.TypeTor,
-			network:  []string{N.NetworkTCP},
+			network:      []string{N.NetworkTCP},
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: withDialerDependency(options.DialerOptions),
 		},
 		ctx:       ctx,
 		proxy:     NewProxyListener(ctx, logger, dialer.New(router, options.DialerOptions)),
--- a/outbound/trojan.go
+++ b/outbound/trojan.go
@@ -35,11 +35,12 @@ type Trojan struct {
 func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TrojanOutboundOptions) (*Trojan, error) {
 	outbound := &Trojan{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeTrojan,
+			protocol:     C.TypeTrojan,
-			network:  options.Network.Build(),
+			network:      options.Network.Build(),
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: withDialerDependency(options.DialerOptions),
 		},
 		dialer:     dialer.New(router, options.DialerOptions),
 		serverAddr: options.ServerOptions.Build(),
--- a/outbound/urltest.go
+++ b/outbound/urltest.go
@@ -18,6 +18,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 )
 var (
@@ -39,10 +40,11 @@ type URLTest struct {
 func NewURLTest(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.URLTestOutboundOptions) (*URLTest, error) {
 	outbound := &URLTest{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeURLTest,
+			protocol:     C.TypeURLTest,
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: options.Outbounds,
 		},
 		ctx:       ctx,
 		tags:      options.Outbounds,
@@ -73,7 +75,11 @@ func (s *URLTest) Start() error {
 		outbounds = append(outbounds, detour)
 	}
 	s.group = NewURLTestGroup(s.ctx, s.router, s.logger, outbounds, s.link, s.interval, s.tolerance)
-	go s.group.CheckOutbounds(false)
+	return nil
 }
 func (s *URLTest) PostStart() error {
 	go s.CheckOutbounds()
 	return nil
 }
@@ -95,6 +101,10 @@ func (s *URLTest) URLTest(ctx context.Context, link string) (map[string]uint16,
 	return s.group.URLTest(ctx, link)
 }
 func (s *URLTest) CheckOutbounds() {
 	s.group.CheckOutbounds(true)
 }
 func (s *URLTest) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	s.group.Start()
 	outbound := s.group.Select(network)
@@ -156,7 +166,8 @@ func NewURLTestGroup(ctx context.Context, router adapter.Router, logger log.Logg
 		tolerance = 50
 	}
 	var history *urltest.HistoryStorage
-	if clashServer := router.ClashServer(); clashServer != nil {
+	if history = service.PtrFromContext[urltest.HistoryStorage](ctx); history != nil {
 	} else if clashServer := router.ClashServer(); clashServer != nil {
 		history = clashServer.HistoryStorage()
 	} else {
 		history = urltest.NewHistoryStorage()
--- a/outbound/vless.go
+++ b/outbound/vless.go
@@ -38,11 +38,12 @@ type VLESS struct {
 func NewVLESS(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.VLESSOutboundOptions) (*VLESS, error) {
 	outbound := &VLESS{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeVLESS,
+			protocol:     C.TypeVLESS,
-			network:  options.Network.Build(),
+			network:      options.Network.Build(),
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: withDialerDependency(options.DialerOptions),
 		},
 		dialer:     dialer.New(router, options.DialerOptions),
 		serverAddr: options.ServerOptions.Build(),
--- a/outbound/vmess.go
+++ b/outbound/vmess.go
@@ -37,11 +37,12 @@ type VMess struct {
 func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.VMessOutboundOptions) (*VMess, error) {
 	outbound := &VMess{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeVMess,
+			protocol:     C.TypeVMess,
-			network:  options.Network.Build(),
+			network:      options.Network.Build(),
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: withDialerDependency(options.DialerOptions),
 		},
 		dialer:     dialer.New(router, options.DialerOptions),
 		serverAddr: options.ServerOptions.Build(),
--- a/outbound/wireguard.go
+++ b/outbound/wireguard.go
@@ -8,9 +8,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"net"
 	"os"
 	"strings"
 	"syscall"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
@@ -28,7 +26,7 @@ import (
 )
 var (
-	_ adapter.IPOutbound              = (*WireGuard)(nil)
+	_ adapter.Outbound                = (*WireGuard)(nil)
 	_ adapter.InterfaceUpdateListener = (*WireGuard)(nil)
 )
@@ -36,18 +34,18 @@ type WireGuard struct {
 	myOutboundAdapter
 	bind      *wireguard.ClientBind
 	device    *device.Device
 	natDevice wireguard.NatDevice
 	tunDevice wireguard.Device
 }
 func NewWireGuard(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.WireGuardOutboundOptions) (*WireGuard, error) {
 	outbound := &WireGuard{
 		myOutboundAdapter: myOutboundAdapter{
-			protocol: C.TypeWireGuard,
+			protocol:     C.TypeWireGuard,
-			network:  options.Network.Build(),
+			network:      options.Network.Build(),
-			router:   router,
+			router:       router,
-			logger:   logger,
+			logger:       logger,
-			tag:      tag,
+			tag:          tag,
 			dependencies: withDialerDependency(options.DialerOptions),
 		},
 	}
 	var reserved [3]uint8
@@ -158,25 +156,17 @@ func NewWireGuard(ctx context.Context, router adapter.Router, logger log.Context
 	if mtu == 0 {
 		mtu = 1408
 	}
-	var tunDevice wireguard.Device
+	var wireTunDevice wireguard.Device
 	var err error
 	if !options.SystemInterface && tun.WithGVisor {
-		tunDevice, err = wireguard.NewStackDevice(localPrefixes, mtu, options.IPRewrite)
+		wireTunDevice, err = wireguard.NewStackDevice(localPrefixes, mtu)
 	} else {
-		tunDevice, err = wireguard.NewSystemDevice(router, options.InterfaceName, localPrefixes, mtu)
+		wireTunDevice, err = wireguard.NewSystemDevice(router, options.InterfaceName, localPrefixes, mtu)
 	}
 	if err != nil {
 		return nil, E.Cause(err, "create WireGuard device")
 	}
-	natDevice, isNatDevice := tunDevice.(wireguard.NatDevice)
+	wgDevice := device.NewDevice(wireTunDevice, outbound.bind, &device.Logger{
 	if !isNatDevice && router.NatRequired(tag) {
 		natDevice = wireguard.NewNATDevice(tunDevice, options.IPRewrite)
 	}
 	deviceInput := tunDevice
 	if natDevice != nil {
 		deviceInput = natDevice
 	}
 	wgDevice := device.NewDevice(deviceInput, outbound.bind, &device.Logger{
 		Verbosef: func(format string, args ...interface{}) {
 			logger.Debug(fmt.Sprintf(strings.ToLower(format), args...))
 		},
@@ -192,8 +182,7 @@ func NewWireGuard(ctx context.Context, router adapter.Router, logger log.Context
 		return nil, E.Cause(err, "setup wireguard")
 	}
 	outbound.device = wgDevice
-	outbound.natDevice = natDevice
+	outbound.tunDevice = wireTunDevice
 	outbound.tunDevice = tunDevice
 	return outbound, nil
 }
@@ -232,27 +221,6 @@ func (w *WireGuard) NewPacketConnection(ctx context.Context, conn N.PacketConn,
 	return NewPacketConnection(ctx, w, conn, metadata)
 }
 func (w *WireGuard) NewIPConnection(ctx context.Context, conn tun.RouteContext, metadata adapter.InboundContext) (tun.DirectDestination, error) {
 	if w.natDevice == nil {
 		return nil, os.ErrInvalid
 	}
 	session := tun.RouteSession{
 		IPVersion:   metadata.IPVersion,
 		Network:     tun.NetworkFromName(metadata.Network),
 		Source:      metadata.Source.AddrPort(),
 		Destination: metadata.Destination.AddrPort(),
 	}
 	switch session.Network {
 	case syscall.IPPROTO_TCP:
 		w.logger.InfoContext(ctx, "linked connection to ", metadata.Destination)
 	case syscall.IPPROTO_UDP:
 		w.logger.InfoContext(ctx, "linked packet connection to ", metadata.Destination)
 	default:
 		w.logger.InfoContext(ctx, "linked ", metadata.Network, " connection to ", metadata.Destination.AddrString())
 	}
 	return w.natDevice.CreateDestination(session, conn), nil
 }
 func (w *WireGuard) Start() error {
 	return w.tunDevice.Start()
 }
--- a/route/router.go
+++ b/route/router.go
@@ -50,7 +50,6 @@ type Router struct {
 	outbounds                          []adapter.Outbound
 	outboundByTag                      map[string]adapter.Outbound
 	rules                              []adapter.Rule
 	ipRules                            []adapter.IPRule
 	defaultDetour                      string
 	defaultOutboundForConnection       adapter.Outbound
 	defaultOutboundForPacketConnection adapter.Outbound
@@ -99,7 +98,6 @@ func NewRouter(
 		dnsLogger:             logFactory.NewLogger("dns"),
 		outboundByTag:         make(map[string]adapter.Outbound),
 		rules:                 make([]adapter.Rule, 0, len(options.Rules)),
 		ipRules:               make([]adapter.IPRule, 0, len(options.IPRules)),
 		dnsRules:              make([]adapter.DNSRule, 0, len(dnsOptions.Rules)),
 		needGeoIPDatabase:     hasRule(options.Rules, isGeoIPRule) || hasDNSRule(dnsOptions.Rules, isGeoIPDNSRule),
 		needGeositeDatabase:   hasRule(options.Rules, isGeositeRule) || hasDNSRule(dnsOptions.Rules, isGeositeDNSRule),
@@ -126,13 +124,6 @@ func NewRouter(
 		}
 		router.rules = append(router.rules, routeRule)
 	}
 	for i, ipRuleOptions := range options.IPRules {
 		ipRule, err := NewIPRule(router, router.logger, ipRuleOptions)
 		if err != nil {
 			return nil, E.Cause(err, "parse ip rule[", i, "]")
 		}
 		router.ipRules = append(router.ipRules, ipRule)
 	}
 	for i, dnsRuleOptions := range dnsOptions.Rules {
 		dnsRule, err := NewDNSRule(router, router.logger, dnsRuleOptions)
 		if err != nil {
@@ -261,7 +252,7 @@ func NewRouter(
 		if fakeIPOptions.Inet6Range != nil {
 			inet6Range = fakeIPOptions.Inet6Range.Build()
 		}
-		router.fakeIPStore = fakeip.NewStore(router, inet4Range, inet6Range)
+		router.fakeIPStore = fakeip.NewStore(router, router.logger, inet4Range, inet6Range)
 	}
 	usePlatformDefaultInterfaceMonitor := platformInterface != nil && platformInterface.UsePlatformDefaultInterfaceMonitor()
@@ -279,7 +270,8 @@ func NewRouter(
 				router.networkMonitor = networkMonitor
 				networkMonitor.RegisterCallback(router.interfaceFinder.update)
 				interfaceMonitor, err := tun.NewDefaultInterfaceMonitor(router.networkMonitor, tun.DefaultInterfaceMonitorOptions{
-					OverrideAndroidVPN: options.OverrideAndroidVPN,
+					OverrideAndroidVPN:    options.OverrideAndroidVPN,
 					UnderNetworkExtension: platformInterface != nil && platformInterface.UnderNetworkExtension(),
 				})
 				if err != nil {
 					return nil, E.New("auto_detect_interface unsupported on current platform")
@@ -637,6 +629,7 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 			Fqdn: domain,
 			Port: metadata.Destination.Port,
 		}
 		metadata.FakeIP = true
 		r.logger.DebugContext(ctx, "found fakeip domain: ", domain)
 	}
@@ -746,6 +739,7 @@ func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, m
 			Fqdn: domain,
 			Port: metadata.Destination.Port,
 		}
 		metadata.FakeIP = true
 		r.logger.DebugContext(ctx, "found fakeip domain: ", domain)
 	}
@@ -928,10 +922,6 @@ func (r *Router) Rules() []adapter.Rule {
 	return r.rules
 }
 func (r *Router) IPRules() []adapter.IPRule {
 	return r.ipRules
 }
 func (r *Router) NetworkMonitor() tun.NetworkUpdateMonitor {
 	return r.networkMonitor
 }
--- a/route/router_dns.go
+++ b/route/router_dns.go
@@ -44,22 +44,27 @@ func (r *Router) matchDNS(ctx context.Context) (context.Context, dns.Transport,
 	}
 	for i, rule := range r.dnsRules {
 		if rule.Match(metadata) {
 			detour := rule.Outbound()
 			transport, loaded := r.transportMap[detour]
 			if !loaded {
 				r.dnsLogger.ErrorContext(ctx, "transport not found: ", detour)
 				continue
 			}
 			if _, isFakeIP := transport.(adapter.FakeIPTransport); isFakeIP && metadata.FakeIP {
 				continue
 			}
 			r.dnsLogger.DebugContext(ctx, "match[", i, "] ", rule.String(), " => ", detour)
 			if rule.DisableCache() {
 				ctx = dns.ContextWithDisableCache(ctx, true)
 			}
 			if rewriteTTL := rule.RewriteTTL(); rewriteTTL != nil {
 				ctx = dns.ContextWithRewriteTTL(ctx, *rewriteTTL)
 			}
-			detour := rule.Outbound()
+			if domainStrategy, dsLoaded := r.transportDomainStrategy[transport]; dsLoaded {
-			r.dnsLogger.DebugContext(ctx, "match[", i, "] ", rule.String(), " => ", detour)
+				return ctx, transport, domainStrategy
-			if transport, loaded := r.transportMap[detour]; loaded {
+			} else {
-				if domainStrategy, dsLoaded := r.transportDomainStrategy[transport]; dsLoaded {
+				return ctx, transport, r.defaultDomainStrategy
 					return ctx, transport, domainStrategy
 				} else {
 					return ctx, transport, r.defaultDomainStrategy
 				}
 			}
 			r.dnsLogger.ErrorContext(ctx, "transport not found: ", detour)
 		}
 	}
 	if domainStrategy, dsLoaded := r.transportDomainStrategy[r.defaultTransport]; dsLoaded {
--- a/route/router_geo_resources.go
+++ b/route/router_geo_resources.go
@@ -52,13 +52,15 @@ func (r *Router) prepareGeoIPDatabase() error {
 			geoPath = foundPath
 		}
 	}
-	geoPath = filemanager.BasePath(r.ctx, geoPath)
+	if !rw.FileExists(geoPath) {
-	if rw.FileExists(geoPath) {
+		geoPath = filemanager.BasePath(r.ctx, geoPath)
-		geoReader, codes, err := geoip.Open(geoPath)
+	}
-		if err == nil {
+	if stat, err := os.Stat(geoPath); err == nil {
-			r.logger.Info("loaded geoip database: ", len(codes), " codes")
+		if stat.IsDir() {
-			r.geoIPReader = geoReader
+			return E.New("geoip path is a directory: ", geoPath)
-			return nil
+		}
 		if stat.Size() == 0 {
 			os.Remove(geoPath)
 		}
 	}
 	if !rw.FileExists(geoPath) {
@@ -96,7 +98,17 @@ func (r *Router) prepareGeositeDatabase() error {
 			geoPath = foundPath
 		}
 	}
-	geoPath = filemanager.BasePath(r.ctx, geoPath)
+	if !rw.FileExists(geoPath) {
 		geoPath = filemanager.BasePath(r.ctx, geoPath)
 	}
 	if stat, err := os.Stat(geoPath); err == nil {
 		if stat.IsDir() {
 			return E.New("geoip path is a directory: ", geoPath)
 		}
 		if stat.Size() == 0 {
 			os.Remove(geoPath)
 		}
 	}
 	if !rw.FileExists(geoPath) {
 		r.logger.Warn("geosite database not exists: ", geoPath)
 		var err error
@@ -107,7 +119,6 @@ func (r *Router) prepareGeositeDatabase() error {
 			}
 			r.logger.Error("download geosite database: ", err)
 			os.Remove(geoPath)
 			// time.Sleep(10 * time.Second)
 		}
 		if err != nil {
 			return err
--- a/route/router_ip.go
+++ b/route/router_ip.go
@@ -1,79 +0,0 @@
 package route
 import (
 	"context"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-tun"
 	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 )
 func (r *Router) RouteIPConnection(ctx context.Context, conn tun.RouteContext, metadata adapter.InboundContext) tun.RouteAction {
 	if r.fakeIPStore != nil && r.fakeIPStore.Contains(metadata.Destination.Addr) {
 		domain, loaded := r.fakeIPStore.Lookup(metadata.Destination.Addr)
 		if !loaded {
 			r.logger.ErrorContext(ctx, "missing fakeip context")
 			return (*tun.ActionReturn)(nil)
 		}
 		metadata.Destination = M.Socksaddr{
 			Fqdn: domain,
 			Port: metadata.Destination.Port,
 		}
 		r.logger.DebugContext(ctx, "found fakeip domain: ", domain)
 	}
 	if r.dnsReverseMapping != nil && metadata.Domain == "" {
 		domain, loaded := r.dnsReverseMapping.Query(metadata.Destination.Addr)
 		if loaded {
 			metadata.Domain = domain
 			r.logger.DebugContext(ctx, "found reserve mapped domain: ", metadata.Domain)
 		}
 	}
 	if metadata.Destination.IsFqdn() && dns.DomainStrategy(metadata.InboundOptions.DomainStrategy) != dns.DomainStrategyAsIS {
 		addresses, err := r.Lookup(adapter.WithContext(ctx, &metadata), metadata.Destination.Fqdn, dns.DomainStrategy(metadata.InboundOptions.DomainStrategy))
 		if err != nil {
 			r.logger.ErrorContext(ctx, err)
 			return (*tun.ActionReturn)(nil)
 		}
 		metadata.DestinationAddresses = addresses
 		r.dnsLogger.DebugContext(ctx, "resolved [", strings.Join(F.MapToString(metadata.DestinationAddresses), " "), "]")
 	}
 	for i, rule := range r.ipRules {
 		if rule.Match(&metadata) {
 			if rule.Action() == tun.ActionTypeBlock {
 				r.logger.InfoContext(ctx, "match[", i, "] ", rule.String(), " => block")
 				return (*tun.ActionBlock)(nil)
 			}
 			detour := rule.Outbound()
 			r.logger.InfoContext(ctx, "match[", i, "] ", rule.String(), " => ", detour)
 			outbound, loaded := r.Outbound(detour)
 			if !loaded {
 				r.logger.ErrorContext(ctx, "outbound not found: ", detour)
 				break
 			}
 			ipOutbound, loaded := outbound.(adapter.IPOutbound)
 			if !loaded {
 				r.logger.ErrorContext(ctx, "outbound have no ip connection support: ", detour)
 				break
 			}
 			destination, err := ipOutbound.NewIPConnection(ctx, conn, metadata)
 			if err != nil {
 				r.logger.ErrorContext(ctx, err)
 				break
 			}
 			return &tun.ActionDirect{DirectDestination: destination}
 		}
 	}
 	return (*tun.ActionReturn)(nil)
 }
 func (r *Router) NatRequired(outbound string) bool {
 	for _, ipRule := range r.ipRules {
 		if ipRule.Outbound() == outbound {
 			return true
 		}
 	}
 	return false
 }
--- a/route/rule_ip.go
+++ b/route/rule_ip.go
@@ -1,189 +0,0 @@
 package route
 import (
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 func NewIPRule(router adapter.Router, logger log.ContextLogger, options option.IPRule) (adapter.IPRule, error) {
 	switch options.Type {
 	case "", C.RuleTypeDefault:
 		if !options.DefaultOptions.IsValid() {
 			return nil, E.New("missing conditions")
 		}
 		if common.IsEmpty(options.DefaultOptions.Action) {
 			return nil, E.New("missing action")
 		}
 		return NewDefaultIPRule(router, logger, options.DefaultOptions)
 	case C.RuleTypeLogical:
 		if !options.LogicalOptions.IsValid() {
 			return nil, E.New("missing conditions")
 		}
 		if common.IsEmpty(options.DefaultOptions.Action) {
 			return nil, E.New("missing action")
 		}
 		return NewLogicalIPRule(router, logger, options.LogicalOptions)
 	default:
 		return nil, E.New("unknown rule type: ", options.Type)
 	}
 }
 var _ adapter.IPRule = (*DefaultIPRule)(nil)
 type DefaultIPRule struct {
 	abstractDefaultRule
 	action tun.ActionType
 }
 func NewDefaultIPRule(router adapter.Router, logger log.ContextLogger, options option.DefaultIPRule) (*DefaultIPRule, error) {
 	rule := &DefaultIPRule{
 		abstractDefaultRule: abstractDefaultRule{
 			invert:   options.Invert,
 			outbound: options.Outbound,
 		},
 		action: tun.ActionType(options.Action),
 	}
 	if len(options.Inbound) > 0 {
 		item := NewInboundRule(options.Inbound)
 		rule.items = append(rule.items, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if options.IPVersion > 0 {
 		switch options.IPVersion {
 		case 4, 6:
 			item := NewIPVersionItem(options.IPVersion == 6)
 			rule.items = append(rule.items, item)
 			rule.allItems = append(rule.allItems, item)
 		default:
 			return nil, E.New("invalid ip version: ", options.IPVersion)
 		}
 	}
 	if len(options.Network) > 0 {
 		item := NewNetworkItem(options.Network)
 		rule.items = append(rule.items, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.Domain) > 0 || len(options.DomainSuffix) > 0 {
 		item := NewDomainItem(options.Domain, options.DomainSuffix)
 		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.DomainKeyword) > 0 {
 		item := NewDomainKeywordItem(options.DomainKeyword)
 		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.DomainRegex) > 0 {
 		item, err := NewDomainRegexItem(options.DomainRegex)
 		if err != nil {
 			return nil, E.Cause(err, "domain_regex")
 		}
 		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.Geosite) > 0 {
 		item := NewGeositeItem(router, logger, options.Geosite)
 		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourceGeoIP) > 0 {
 		item := NewGeoIPItem(router, logger, true, options.SourceGeoIP)
 		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.GeoIP) > 0 {
 		item := NewGeoIPItem(router, logger, false, options.GeoIP)
 		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourceIPCIDR) > 0 {
 		item, err := NewIPCIDRItem(true, options.SourceIPCIDR)
 		if err != nil {
 			return nil, E.Cause(err, "source_ipcidr")
 		}
 		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.IPCIDR) > 0 {
 		item, err := NewIPCIDRItem(false, options.IPCIDR)
 		if err != nil {
 			return nil, E.Cause(err, "ipcidr")
 		}
 		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourcePort) > 0 {
 		item := NewPortItem(true, options.SourcePort)
 		rule.sourcePortItems = append(rule.sourcePortItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourcePortRange) > 0 {
 		item, err := NewPortRangeItem(true, options.SourcePortRange)
 		if err != nil {
 			return nil, E.Cause(err, "source_port_range")
 		}
 		rule.sourcePortItems = append(rule.sourcePortItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.Port) > 0 {
 		item := NewPortItem(false, options.Port)
 		rule.destinationPortItems = append(rule.destinationPortItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.PortRange) > 0 {
 		item, err := NewPortRangeItem(false, options.PortRange)
 		if err != nil {
 			return nil, E.Cause(err, "port_range")
 		}
 		rule.destinationPortItems = append(rule.destinationPortItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	return rule, nil
 }
 func (r *DefaultIPRule) Action() tun.ActionType {
 	return r.action
 }
 var _ adapter.IPRule = (*LogicalIPRule)(nil)
 type LogicalIPRule struct {
 	abstractLogicalRule
 	action tun.ActionType
 }
 func NewLogicalIPRule(router adapter.Router, logger log.ContextLogger, options option.LogicalIPRule) (*LogicalIPRule, error) {
 	r := &LogicalIPRule{
 		abstractLogicalRule: abstractLogicalRule{
 			rules:    make([]adapter.Rule, len(options.Rules)),
 			invert:   options.Invert,
 			outbound: options.Outbound,
 		},
 		action: tun.ActionType(options.Action),
 	}
 	switch options.Mode {
 	case C.LogicalTypeAnd:
 		r.mode = C.LogicalTypeAnd
 	case C.LogicalTypeOr:
 		r.mode = C.LogicalTypeOr
 	default:
 		return nil, E.New("unknown logical mode: ", options.Mode)
 	}
 	for i, subRule := range options.Rules {
 		rule, err := NewDefaultIPRule(router, logger, subRule)
 		if err != nil {
 			return nil, E.Cause(err, "sub rule[", i, "]")
 		}
 		r.rules[i] = rule
 	}
 	return r, nil
 }
 func (r *LogicalIPRule) Action() tun.ActionType {
 	return r.action
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	4a986459ee	documentation: Update changelog	2023-07-24 17:56:39 +08:00
世界	9532d0cba4	Fix cache file	2023-07-24 16:51:03 +08:00
世界	cadc34f3ad	Add support for macOS system extension	2023-07-24 16:51:03 +08:00
世界	db23a48b36	Update dependencies	2023-07-23 14:23:51 +08:00
世界	407cf68e59	Fix certmagic usage	2023-07-20 20:03:20 +08:00
世界	e0058ca9c5	Fix fakeip unsaved state	2023-07-20 19:59:04 +08:00
世界	8140af01aa	Fix download geo resources	2023-07-20 19:41:22 +08:00
世界	98bf696d01	Fix cache file	2023-07-20 19:41:22 +08:00
世界	e075bb5c8d	Update changelog	2023-07-19 14:59:30 +08:00
世界	c6baabedef	Update dependencies	2023-07-19 14:45:30 +08:00
世界	6e6998dab7	Improve platform status	2023-07-16 14:08:45 +08:00
世界	1a29c23263	documentation: Update changelog	2023-07-15 14:53:48 +08:00
世界	0f87396ab6	Fix abx reader for some malformed formats	2023-07-15 14:46:15 +08:00
世界	ffde948860	Update support page	2023-07-15 14:46:09 +08:00
世界	69b5dbdcc3	Build memory limiter for android	2023-07-15 14:46:06 +08:00
世界	1121517755	Fix hysteria inbound context	2023-07-11 20:58:20 +08:00
世界	6879def619	Fix test	2023-07-11 15:44:03 +08:00
世界	5c0f6d0a6f	Fix vmess legacy server	2023-07-11 15:44:03 +08:00
世界	d74abbd20e	Fix v2ray websocket transport	2023-07-11 15:44:03 +08:00
世界	120dae4eed	Fix fakeip lookup	2023-07-11 15:44:02 +08:00
世界	bb651db2d2	platform: Fix output format	2023-07-09 12:24:43 +08:00
世界	e929dde13e	documentation: Update changelog	2023-07-09 07:54:08 +08:00
世界	9d75385bbb	Fix async FakeIP save	2023-07-08 16:21:11 +08:00
世界	1c526feec1	Update dependencies	2023-07-08 16:19:28 +08:00
世界	7df26986de	documentation: Update changelog	2023-07-07 14:23:45 +08:00
世界	5f2d23a12d	Fix multi error	2023-07-07 13:57:28 +08:00
世界	d9e65c0969	Fix syscall copy packet	2023-07-07 13:42:42 +08:00
世界	ec1160924f	Fix save FakeIP cache	2023-07-07 12:51:38 +08:00
世界	230e8f895d	Fix close quic.Listener	2023-07-07 12:43:22 +08:00
世界	af79378734	Update dependencies	2023-07-03 21:47:32 +08:00
世界	07ce5e0d22	Remove stack buffer usage	2023-07-03 21:45:32 +08:00
世界	9c8565cf21	platform: Add group interface	2023-07-02 18:46:41 +08:00
世界	5ad0ea2b5a	Try fix StreamDomainNameQuery	2023-07-02 16:38:38 +08:00
世界	e482053c8a	documentation: Update changelog	2023-06-27 11:31:24 +08:00
世界	945713d886	Update dependencies	2023-06-27 11:13:30 +08:00
世界	9bb62ad6b5	Check duplicated outbound tag	2023-06-26 18:47:52 +08:00
世界	c2bda9fbde	Fix DNS `rewrite_ttl` logic	2023-06-23 16:12:25 +08:00
世界	1d1db62a44	Prevent write packet IPv6 packet to tun IPv4 connection	2023-06-21 13:29:24 +08:00
世界	39405373f8	documentation: Update changelog	2023-06-19 14:11:41 +08:00
世界	22a7988d3f	Update dependencies	2023-06-19 14:11:41 +08:00
世界	b2092fafb7	Fix ios build Cannot use errno as method and variable due to conflict with objc	2023-06-19 14:11:40 +08:00
世界	cc7b5d8280	Unwrap 4in6 address received by client packet conn	2023-06-19 13:29:41 +08:00
世界	702d96a738	platform: Improve `local` DNS transport	2023-06-18 10:00:32 +08:00
世界	b9f34f1309	documentation: Update changelog	2023-06-17 12:21:18 +08:00
世界	07724a0ddd	Update dependencies	2023-06-17 12:17:43 +08:00
世界	83c3454685	Update quic-go	2023-06-15 14:52:25 +08:00
世界	7d263eb733	documentation: Update changelog	2023-06-14 16:28:44 +08:00
世界	222687d9c5	Update goreleaser usage	2023-06-14 09:39:13 +08:00
世界	07d3652e30	Build `with_dhcp` by default	2023-06-14 09:14:45 +08:00
世界	8d5b9d240a	Fix outbound start sequence	2023-06-13 22:38:05 +08:00
世界	4f12eba944	Fix hysteria outbound	2023-06-13 21:41:33 +08:00
世界	a7f77d59c1	Update documentation	2023-06-11 22:38:37 +08:00
shadow750d6	597248130f	Reconnect once if hysteria request fails This allows graceful recovery when network isn't good enough. [Original hysteria source code](`13d46da998/core/cs/client.go (L182)`) has similar mechanism.	2023-06-11 22:21:32 +08:00
世界	3c2c9cf317	Migrate gVisor to fork	2023-06-11 22:07:36 +08:00
世界	e572b9d0cd	Update dependencies	2023-06-11 20:58:59 +08:00
世界	52e9059a8d	Fix fakeip routing	2023-06-11 20:58:59 +08:00
世界	0cb9cff690	Fix shadowsocks none client	2023-06-08 10:23:39 +08:00
世界	c0669cb2a5	Fix TLS 1.2 support for shadow-tls client	2023-06-07 21:03:39 +08:00
世界	c5902f2473	Fix using v2ray websocket transport with detour	2023-06-07 21:03:21 +08:00
世界	22028602e8	Improve read waiter interface	2023-06-07 21:03:11 +08:00
世界	bd54608473	Fix DNS outbound	2023-06-07 21:03:08 +08:00
世界	3741394269	Add `cache_id` option for Clash cache file	2023-06-07 21:03:06 +08:00
世界	6266d2df7e	Fix shadowsocks AEAD UDP server	2023-06-07 21:02:52 +08:00
世界	01dfba722a	Use API to create windows firewall rule	2023-06-07 21:01:29 +08:00
世界	f8d5f01665	Reimplemented shadowsocks client	2023-06-07 20:57:07 +08:00
Hellojack	ad999d4791	Fix UVariantLen usage	2023-06-07 20:56:57 +08:00
世界	6f1b258501	Improve DNS caching	2023-06-07 20:56:55 +08:00
世界	f949ddc0ab	Set TCP keepalive for WireGuard gVisor TCP connections	2023-06-07 20:53:26 +08:00
Weltolk	f53007cbf3	documentation: Fix fakeip link broken	2023-06-07 20:53:13 +08:00
世界	c287731df9	Improve direct copy	2023-06-07 20:53:00 +08:00
世界	bc32c78d03	Improve multiplex	2023-06-07 20:46:34 +08:00
世界	daee0db7bb	clash-api: Reset outbounds in DELETE /connections	2023-06-07 20:45:39 +08:00
世界	91fbf4c79b	Add multiplexer for VLESS outbound	2023-06-07 20:45:39 +08:00
世界	54d9ef2f2a	Update gVisor to 20230417.0	2023-06-07 20:45:25 +08:00
世界	e056d4502b	Add debug http server	2023-06-07 20:45:25 +08:00
世界	98c2c439aa	Add filemanager api	2023-06-07 20:45:25 +08:00
世界	b6068cea6b	Update wireguard-go	2023-06-07 20:38:30 +08:00
世界	9c9affa719	Ignore system tun stack bind interface error	2023-06-07 20:35:02 +08:00
世界	8eb7dd0059	Improve VLESS request	2023-06-07 20:35:00 +08:00
世界	a62ad44883	Add deadline interface	2023-06-07 20:34:56 +08:00
世界	2850354070	shadowsocks: Multi-user support for legacy AEAD inbound Signed-off-by: wwqgtxx <wwqgtxx@gmail.com>	2023-06-07 20:34:54 +08:00
世界	0a4abcbbc8	Add headers option for HTTP outbound	2023-06-07 20:34:52 +08:00
世界	b491c350ae	URLTest improvements	2023-06-07 20:33:56 +08:00
世界	1fbe7c54bf	Fix wireguard reconnect	2023-06-07 20:33:53 +08:00
世界	9d32fc9bd1	Use HTTPS URLTest source	2023-06-07 20:33:50 +08:00
世界	542612129d	clash-api: Add Clash.Meta APIs	2023-06-07 20:33:41 +08:00
世界	750f87bb0a	clash api: download clash-dashboard if external-ui directory is empty	2023-06-07 20:33:06 +08:00
世界	e168de79c7	Add multi-peer support for wireguard outbound	2023-06-07 20:33:04 +08:00
世界	9bca5a517f	Add fakeip support	2023-06-07 20:31:26 +08:00
世界	aa94cfb876	Refactor rules	2023-06-07 20:28:21 +08:00
世界	52b776b561	Add dns reverse mapping	2023-06-07 20:19:46 +08:00
世界	c74d3a53d4	documentation: Update changelog	2023-05-19 15:48:35 +08:00
世界	fe7ac80a6c	Update dependencies	2023-05-19 15:48:35 +08:00
世界	e50b334b9a	Fix uTLS ALPN	2023-05-19 15:41:18 +08:00
XYenon	a0d8e374fb	Fix incorrect use of sort.Slice	2023-05-19 15:40:48 +08:00
Larvan2	d3a67cb5ae	Enable mkdocs search in documentation Signed-off-by: Larvan2 <78135608+Larvan2@users.noreply.github.com>	2023-05-19 15:40:42 +08:00
世界	e69e98b185	Fix documentation	2023-05-19 15:40:13 +08:00
世界	5e1499d67b	Update badtls	2023-05-19 15:39:40 +08:00