Initialize L3 routing support

2026-04-13 20:28:32 +10:00 · 2023-03-22 01:36:17 +08:00
232 changed files with 1557 additions and 4876 deletions
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -31,6 +31,12 @@ jobs:
        uses: actions/setup-go@v4
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Cache go module
        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
          key: go-${{ hashFiles('**/go.sum') }}
      - name: Add cache to Go proxy
        run: |
          version=`git rev-parse HEAD`
@@ -190,6 +196,12 @@ jobs:
        uses: actions/setup-go@v4
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Cache go module
        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
          key: go-${{ hashFiles('**/go.sum') }}
      - name: Build
        id: build
        run: make
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -31,6 +31,12 @@ jobs:
        uses: actions/setup-go@v4
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Cache go module
        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
          key: go-${{ hashFiles('**/go.sum') }}
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -117,6 +117,8 @@ nfpms:
        dst: /etc/systemd/system/sing-box@.service
      - src: LICENSE
        dst: /usr/share/licenses/sing-box/LICENSE
    scripts:
      postremove: release/config/postremove.sh
 source:
  enabled: false
  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
--- a/2
+++ b/2
@@ -9,7 +9,7 @@ RUN set -ex \
    && apk add git build-base \
    && export COMMIT=$(git rev-parse --short HEAD) \
    && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
+    && go build -v -trimpath -tags with_quic,with_wireguard,with_reality_server,with_acme \
        -o /go/bin/sing-box \
        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
        ./cmd/sing-box
--- a/5
+++ b/5
@@ -11,7 +11,4 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
-along with this program. If not, see <http://www.gnu.org/licenses/>.
+along with this program. If not, see <http://www.gnu.org/licenses/>.
 In addition, no derivative work may use the name or imply association
 with this application without prior consent.
--- a/13
+++ b/13
@@ -77,20 +77,13 @@ test_stdio:
 	go mod tidy && \
 	go test -v -tags "$(TAGS_TEST),force_stdio" .
 android:
 	go run ./cmd/internal/build_libbox -target android
 ios:
 	go run ./cmd/internal/build_libbox -target ios
 lib:
-	go run ./cmd/internal/build_libbox -target android
+	go run ./cmd/internal/build_libbox
 	go run ./cmd/internal/build_libbox -target ios
 lib_install:
 	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230413023804-244d7ff07035
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20221130124640-349ebaa752ca
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230413023804-244d7ff07035
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20221130124640-349ebaa752ca
 clean:
 	rm -rf bin dist sing-box
--- a/README.md
+++ b/README.md
@@ -8,10 +8,6 @@ The universal proxy platform.
 https://sing-box.sagernet.org
 ## Support
 https://community.sagernet.org/c/sing-box/
 ## License
 ```
@@ -29,7 +25,4 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program. If not, see <http://www.gnu.org/licenses/>.
 In addition, no derivative work may use the name or imply association
 with this application without prior consent.
 ```
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@@ -13,7 +13,6 @@ type ClashServer interface {
 	PreStarter
 	Mode() string
 	StoreSelected() bool
 	StoreFakeIP() bool
 	CacheFile() ClashCacheFile
 	HistoryStorage() *urltest.HistoryStorage
 	RoutedConnection(ctx context.Context, conn net.Conn, metadata InboundContext, matchedRule Rule) (net.Conn, Tracker)
@@ -23,7 +22,6 @@ type ClashServer interface {
 type ClashCacheFile interface {
 	LoadSelected(group string) string
 	StoreSelected(group string, selected string) error
 	FakeIPStorage
 }
 type Tracker interface {
@@ -35,11 +33,6 @@ type OutboundGroup interface {
 	All() []string
 }
 type URLTestGroup interface {
 	OutboundGroup
 	URLTest(ctx context.Context, url string) (map[string]uint16, error)
 }
 func OutboundTag(detour Outbound) string {
 	if group, isGroup := detour.(OutboundGroup); isGroup {
 		return group.Now()
--- a/adapter/fakeip.go
+++ b/adapter/fakeip.go
@@ -1,23 +0,0 @@
 package adapter
 import (
 	"net/netip"
 	"github.com/sagernet/sing-dns"
 )
 type FakeIPStore interface {
 	Service
 	Contains(address netip.Addr) bool
 	Create(domain string, strategy dns.DomainStrategy) (netip.Addr, error)
 	Lookup(address netip.Addr) (string, bool)
 	Reset() error
 }
 type FakeIPStorage interface {
 	FakeIPMetadata() *FakeIPMetadata
 	FakeIPSaveMetadata(metadata *FakeIPMetadata) error
 	FakeIPStore(address netip.Addr, domain string) error
 	FakeIPLoad(address netip.Addr) (string, bool)
 	FakeIPReset() error
 }
--- a/adapter/fakeip_metadata.go
+++ b/adapter/fakeip_metadata.go
@@ -1,50 +0,0 @@
 package adapter
 import (
 	"bytes"
 	"encoding"
 	"encoding/binary"
 	"io"
 	"net/netip"
 	"github.com/sagernet/sing/common"
 )
 type FakeIPMetadata struct {
 	Inet4Range   netip.Prefix
 	Inet6Range   netip.Prefix
 	Inet4Current netip.Addr
 	Inet6Current netip.Addr
 }
 func (m *FakeIPMetadata) MarshalBinary() (data []byte, err error) {
 	var buffer bytes.Buffer
 	for _, marshaler := range []encoding.BinaryMarshaler{m.Inet4Range, m.Inet6Range, m.Inet4Current, m.Inet6Current} {
 		data, err = marshaler.MarshalBinary()
 		if err != nil {
 			return
 		}
 		common.Must(binary.Write(&buffer, binary.BigEndian, uint16(len(data))))
 		buffer.Write(data)
 	}
 	data = buffer.Bytes()
 	return
 }
 func (m *FakeIPMetadata) UnmarshalBinary(data []byte) error {
 	reader := bytes.NewReader(data)
 	for _, unmarshaler := range []encoding.BinaryUnmarshaler{&m.Inet4Range, &m.Inet6Range, &m.Inet4Current, &m.Inet6Current} {
 		var length uint16
 		common.Must(binary.Read(reader, binary.BigEndian, &length))
 		element := make([]byte, length)
 		_, err := io.ReadFull(reader, element)
 		if err != nil {
 			return err
 		}
 		err = unmarshaler.UnmarshalBinary(element)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
--- a/adapter/outbound.go
+++ b/adapter/outbound.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"net"
-	"github.com/sagernet/sing-tun"
+	tun "github.com/sagernet/sing-tun"
 	N "github.com/sagernet/sing/common/network"
 )
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -21,8 +21,6 @@ type Router interface {
 	Outbound(tag string) (Outbound, bool)
 	DefaultOutbound(network string) Outbound
 	FakeIPStore() FakeIPStore
 	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 	RouteIPConnection(ctx context.Context, conn tun.RouteContext, metadata InboundContext) tun.RouteAction
@@ -37,7 +35,6 @@ type Router interface {
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
 	InterfaceFinder() control.InterfaceFinder
 	UpdateInterfaces() error
 	DefaultInterface() string
 	AutoDetectInterface() bool
 	AutoDetectInterfaceFunc() control.Func
@@ -84,7 +81,6 @@ type Rule interface {
 type DNSRule interface {
 	Rule
 	DisableCache() bool
 	RewriteTTL() *uint32
 }
 type IPRule interface {
--- a/box.go
+++ b/box.go
@@ -9,6 +9,7 @@ import (
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/inbound"
@@ -30,25 +31,18 @@ type Box struct {
 	outbounds    []adapter.Outbound
 	logFactory   log.Factory
 	logger       log.ContextLogger
 	logFile      *os.File
 	preServices  map[string]adapter.Service
 	postServices map[string]adapter.Service
 	done         chan struct{}
 }
-type Options struct {
+func New(ctx context.Context, options option.Options, platformInterface platform.Interface) (*Box, error) {
 	option.Options
 	Context           context.Context
 	PlatformInterface platform.Interface
 }
 func New(options Options) (*Box, error) {
 	ctx := options.Context
 	if ctx == nil {
 		ctx = context.Background()
 	}
 	createdAt := time.Now()
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needClashAPI bool
 	var needV2RayAPI bool
 	if experimentalOptions.ClashAPI != nil && experimentalOptions.ClashAPI.ExternalController != "" {
@@ -57,20 +51,60 @@ func New(options Options) (*Box, error) {
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
 		needV2RayAPI = true
 	}
-	var defaultLogWriter io.Writer
+
-	if options.PlatformInterface != nil {
+	logOptions := common.PtrValueOrDefault(options.Log)
-		defaultLogWriter = io.Discard
+
-	}
+	var logFactory log.Factory
-	logFactory, err := log.New(log.Options{
+	var observableLogFactory log.ObservableFactory
-		Options:        common.PtrValueOrDefault(options.Log),
+	var logFile *os.File
-		Observable:     needClashAPI,
+	var logWriter io.Writer
-		DefaultWriter:  defaultLogWriter,
+	if logOptions.Disabled {
-		BaseTime:       createdAt,
+		observableLogFactory = log.NewNOPFactory()
-		PlatformWriter: options.PlatformInterface,
+		logFactory = observableLogFactory
-	})
+	} else {
-	if err != nil {
+		switch logOptions.Output {
-		return nil, E.Cause(err, "create log factory")
+		case "":
 			if platformInterface != nil {
 				logWriter = io.Discard
 			} else {
 				logWriter = os.Stdout
 			}
 		case "stderr":
 			logWriter = os.Stderr
 		case "stdout":
 			logWriter = os.Stdout
 		default:
 			var err error
 			logFile, err = os.OpenFile(C.BasePath(logOptions.Output), os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
 			if err != nil {
 				return nil, err
 			}
 			logWriter = logFile
 		}
 		logFormatter := log.Formatter{
 			BaseTime:         createdAt,
 			DisableColors:    logOptions.DisableColor || logFile != nil,
 			DisableTimestamp: !logOptions.Timestamp && logFile != nil,
 			FullTimestamp:    logOptions.Timestamp,
 			TimestampFormat:  "-0700 2006-01-02 15:04:05",
 		}
 		if needClashAPI {
 			observableLogFactory = log.NewObservableFactory(logFormatter, logWriter, platformInterface)
 			logFactory = observableLogFactory
 		} else {
 			logFactory = log.NewFactory(logFormatter, logWriter, platformInterface)
 		}
 		if logOptions.Level != "" {
 			logLevel, err := log.ParseLevel(logOptions.Level)
 			if err != nil {
 				return nil, E.Cause(err, "parse log level")
 			}
 			logFactory.SetLevel(logLevel)
 		} else {
 			logFactory.SetLevel(log.LevelTrace)
 		}
 	}
 	router, err := route.NewRouter(
 		ctx,
 		logFactory,
@@ -78,7 +112,7 @@ func New(options Options) (*Box, error) {
 		common.PtrValueOrDefault(options.DNS),
 		common.PtrValueOrDefault(options.NTP),
 		options.Inbounds,
-		options.PlatformInterface,
+		platformInterface,
 	)
 	if err != nil {
 		return nil, E.Cause(err, "parse route options")
@@ -98,7 +132,7 @@ func New(options Options) (*Box, error) {
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
 			inboundOptions,
-			options.PlatformInterface,
+			platformInterface,
 		)
 		if err != nil {
 			return nil, E.Cause(err, "parse inbound[", i, "]")
@@ -117,7 +151,6 @@ func New(options Options) (*Box, error) {
 			ctx,
 			router,
 			logFactory.NewLogger(F.ToString("outbound/", outboundOptions.Type, "[", tag, "]")),
 			tag,
 			outboundOptions)
 		if err != nil {
 			return nil, E.Cause(err, "parse outbound[", i, "]")
@@ -125,7 +158,7 @@ func New(options Options) (*Box, error) {
 		outbounds = append(outbounds, out)
 	}
 	err = router.Initialize(inbounds, outbounds, func() adapter.Outbound {
-		out, oErr := outbound.New(ctx, router, logFactory.NewLogger("outbound/direct"), "direct", option.Outbound{Type: "direct", Tag: "default"})
+		out, oErr := outbound.New(ctx, router, logFactory.NewLogger("outbound/direct"), option.Outbound{Type: "direct", Tag: "default"})
 		common.Must(oErr)
 		outbounds = append(outbounds, out)
 		return out
@@ -133,16 +166,10 @@ func New(options Options) (*Box, error) {
 	if err != nil {
 		return nil, err
 	}
 	if options.PlatformInterface != nil {
 		err = options.PlatformInterface.Initialize(ctx, router)
 		if err != nil {
 			return nil, E.Cause(err, "initialize platform interface")
 		}
 	}
 	preServices := make(map[string]adapter.Service)
 	postServices := make(map[string]adapter.Service)
 	if needClashAPI {
-		clashServer, err := experimental.NewClashServer(router, logFactory.(log.ObservableFactory), common.PtrValueOrDefault(options.Experimental.ClashAPI))
+		clashServer, err := experimental.NewClashServer(router, observableLogFactory, common.PtrValueOrDefault(options.Experimental.ClashAPI))
 		if err != nil {
 			return nil, E.Cause(err, "create clash api server")
 		}
@@ -164,6 +191,7 @@ func New(options Options) (*Box, error) {
 		createdAt:    createdAt,
 		logFactory:   logFactory,
 		logger:       logFactory.Logger(),
 		logFile:      logFile,
 		preServices:  preServices,
 		postServices: postServices,
 		done:         make(chan struct{}),
@@ -210,21 +238,21 @@ func (s *Box) Start() error {
 func (s *Box) preStart() error {
 	for serviceName, service := range s.preServices {
-		s.logger.Trace("pre-start ", serviceName)
+		s.logger.Trace("pre-starting ", serviceName)
 		err := adapter.PreStart(service)
 		if err != nil {
-			return E.Cause(err, "pre-starting ", serviceName)
+			return E.Cause(err, "pre-start ", serviceName)
 		}
 	}
 	for i, out := range s.outbounds {
 		var tag string
 		if out.Tag() == "" {
 			tag = F.ToString(i)
 		} else {
 			tag = out.Tag()
 		}
 		if starter, isStarter := out.(common.Starter); isStarter {
-			s.logger.Trace("initializing outbound/", out.Type(), "[", tag, "]")
+			var tag string
 			if out.Tag() == "" {
 				tag = F.ToString(i)
 			} else {
 				tag = out.Tag()
 			}
 			s.logger.Trace("initializing outbound ", tag)
 			err := starter.Start()
 			if err != nil {
 				return E.Cause(err, "initialize outbound/", out.Type(), "[", tag, "]")
@@ -253,17 +281,17 @@ func (s *Box) start() error {
 		} else {
 			tag = in.Tag()
 		}
-		s.logger.Trace("initializing inbound/", in.Type(), "[", tag, "]")
+		s.logger.Trace("initializing inbound ", tag)
 		err = in.Start()
 		if err != nil {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
 	for serviceName, service := range s.postServices {
-		s.logger.Trace("starting ", service)
+		s.logger.Trace("start ", serviceName)
 		err = service.Start()
 		if err != nil {
-			return E.Cause(err, "start ", serviceName)
+			return E.Cause(err, "starting ", serviceName)
 		}
 	}
 	return nil
@@ -278,21 +306,33 @@ func (s *Box) Close() error {
 	}
 	var errors error
 	for serviceName, service := range s.postServices {
 		s.logger.Trace("closing ", serviceName)
 		errors = E.Append(errors, service.Close(), func(err error) error {
 			s.logger.Trace("closing ", serviceName)
 			return E.Cause(err, "close ", serviceName)
 		})
 	}
 	for i, in := range s.inbounds {
-		s.logger.Trace("closing inbound/", in.Type(), "[", i, "]")
+		var tag string
 		if in.Tag() == "" {
 			tag = F.ToString(i)
 		} else {
 			tag = in.Tag()
 		}
 		s.logger.Trace("closing inbound ", tag)
 		errors = E.Append(errors, in.Close(), func(err error) error {
 			return E.Cause(err, "close inbound/", in.Type(), "[", i, "]")
 		})
 	}
 	for i, out := range s.outbounds {
-		s.logger.Trace("closing outbound/", out.Type(), "[", i, "]")
+		var tag string
 		if out.Tag() == "" {
 			tag = F.ToString(i)
 		} else {
 			tag = out.Tag()
 		}
 		s.logger.Trace("closing outbound ", tag)
 		errors = E.Append(errors, common.Close(out), func(err error) error {
-			return E.Cause(err, "close outbound/", out.Type(), "[", i, "]")
+			return E.Cause(err, "close inbound/", out.Type(), "[", i, "]")
 		})
 	}
 	s.logger.Trace("closing router")
@@ -307,12 +347,17 @@ func (s *Box) Close() error {
 			return E.Cause(err, "close ", serviceName)
 		})
 	}
-	s.logger.Trace("closing log factory")
+	s.logger.Trace("closing logger")
 	if err := common.Close(s.logFactory); err != nil {
 		errors = E.Append(errors, err, func(err error) error {
 			return E.Cause(err, "close log factory")
 		})
 	}
 	if s.logFile != nil {
 		errors = E.Append(errors, s.logFile.Close(), func(err error) error {
 			return E.Cause(err, "close log file")
 		})
 	}
 	return errors
 }
--- a/cmd/sing-box/cmd_check.go
+++ b/cmd/sing-box/cmd_check.go
@@ -31,10 +31,7 @@ func check() error {
 		return err
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	instance, err := box.New(box.Options{
+	instance, err := box.New(ctx, options, nil)
 		Context: ctx,
 		Options: options,
 	})
 	if err == nil {
 		instance.Close()
 	}
--- a/cmd/sing-box/cmd_generate.go
+++ b/cmd/sing-box/cmd_generate.go
@@ -9,7 +9,7 @@ import (
 	"github.com/sagernet/sing-box/log"
-	"github.com/gofrs/uuid/v5"
+	"github.com/gofrs/uuid"
 	"github.com/spf13/cobra"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
--- a/cmd/sing-box/cmd_run.go
+++ b/cmd/sing-box/cmd_run.go
@@ -10,7 +10,6 @@ import (
 	"sort"
 	"strings"
 	"syscall"
 	"time"
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/common/badjsonmerge"
@@ -128,10 +127,7 @@ func create() (*box.Box, context.CancelFunc, error) {
 		options.Log.DisableColor = true
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	instance, err := box.New(box.Options{
+	instance, err := box.New(ctx, options, nil)
 		Context: ctx,
 		Options: options,
 	})
 	if err != nil {
 		cancel()
 		return nil, nil, E.Cause(err, "create service")
@@ -178,10 +174,7 @@ func run() error {
 				}
 			}
 			cancel()
 			closeCtx, closed := context.WithCancel(context.Background())
 			go closeMonitor(closeCtx)
 			instance.Close()
 			closed()
 			if osSignal != syscall.SIGHUP {
 				return nil
 			}
@@ -189,13 +182,3 @@ func run() error {
 		}
 	}
 }
 func closeMonitor(ctx context.Context) {
 	time.Sleep(3 * time.Second)
 	select {
 	case <-ctx.Done():
 		return
 	default:
 	}
 	log.Fatal("sing-box did not close!")
 }
--- a/cmd/sing-box/cmd_tools.go
+++ b/cmd/sing-box/cmd_tools.go
@@ -1,6 +1,8 @@
 package main
 import (
 	"context"
 	"github.com/sagernet/sing-box"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
@@ -25,7 +27,7 @@ func createPreStartedClient() (*box.Box, error) {
 	if err != nil {
 		return nil, err
 	}
-	instance, err := box.New(box.Options{Options: options})
+	instance, err := box.New(context.Background(), options, nil)
 	if err != nil {
 		return nil, E.Cause(err, "create service")
 	}
--- a/common/badjsonmerge/merge_test.go
+++ b/common/badjsonmerge/merge_test.go
@@ -21,7 +21,7 @@ func TestMergeJSON(t *testing.T) {
 				{
 					Type: C.RuleTypeDefault,
 					DefaultOptions: option.DefaultRule{
-						Network:  []string{N.NetworkTCP},
+						Network:  N.NetworkTCP,
 						Outbound: "direct",
 					},
 				},
@@ -42,7 +42,7 @@ func TestMergeJSON(t *testing.T) {
 				{
 					Type: C.RuleTypeDefault,
 					DefaultOptions: option.DefaultRule{
-						Network:  []string{N.NetworkUDP},
+						Network:  N.NetworkUDP,
 						Outbound: "direct",
 					},
 				},
--- a/common/badtls/badtls.go
+++ b/common/badtls/badtls.go
@@ -1,4 +1,4 @@
-//go:build go1.20 && !go1.21
+//go:build go1.19 && !go1.20
 package badtls
@@ -14,60 +14,39 @@ import (
 	"sync/atomic"
 	"unsafe"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 type Conn struct {
 	*tls.Conn
-	writer              N.ExtendedWriter
+	writer           N.ExtendedWriter
-	isHandshakeComplete *atomic.Bool
+	activeCall       *int32
-	activeCall          *atomic.Int32
+	closeNotifySent  *bool
-	closeNotifySent     *bool
+	version          *uint16
-	version             *uint16
+	rand             io.Reader
-	rand                io.Reader
+	halfAccess       *sync.Mutex
-	halfAccess          *sync.Mutex
+	halfError        *error
-	halfError           *error
+	cipher           cipher.AEAD
-	cipher              cipher.AEAD
+	explicitNonceLen int
-	explicitNonceLen    int
+	halfPtr          uintptr
-	halfPtr             uintptr
+	halfSeq          []byte
-	halfSeq             []byte
+	halfScratchBuf   []byte
 	halfScratchBuf      []byte
 }
-func TryCreate(conn aTLS.Conn) aTLS.Conn {
+func Create(conn *tls.Conn) (TLSConn, error) {
-	tlsConn, ok := conn.(*tls.Conn)
+	if !handshakeComplete(conn) {
 	if !ok {
 		return conn
 	}
 	badConn, err := Create(tlsConn)
 	if err != nil {
 		log.Warn("initialize badtls: ", err)
 		return conn
 	}
 	return badConn
 }
 func Create(conn *tls.Conn) (aTLS.Conn, error) {
 	rawConn := reflect.Indirect(reflect.ValueOf(conn))
 	rawIsHandshakeComplete := rawConn.FieldByName("isHandshakeComplete")
 	if !rawIsHandshakeComplete.IsValid() || rawIsHandshakeComplete.Kind() != reflect.Struct {
 		return nil, E.New("badtls: invalid isHandshakeComplete")
 	}
 	isHandshakeComplete := (*atomic.Bool)(unsafe.Pointer(rawIsHandshakeComplete.UnsafeAddr()))
 	if !isHandshakeComplete.Load() {
 		return nil, E.New("handshake not finished")
 	}
 	rawConn := reflect.Indirect(reflect.ValueOf(conn))
 	rawActiveCall := rawConn.FieldByName("activeCall")
-	if !rawActiveCall.IsValid() || rawActiveCall.Kind() != reflect.Struct {
+	if !rawActiveCall.IsValid() || rawActiveCall.Kind() != reflect.Int32 {
 		return nil, E.New("badtls: invalid active call")
 	}
-	activeCall := (*atomic.Int32)(unsafe.Pointer(rawActiveCall.UnsafeAddr()))
+	activeCall := (*int32)(unsafe.Pointer(rawActiveCall.UnsafeAddr()))
 	rawHalfConn := rawConn.FieldByName("out")
 	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
 		return nil, E.New("badtls: invalid half conn")
@@ -129,20 +108,19 @@ func Create(conn *tls.Conn) (aTLS.Conn, error) {
 	}
 	halfScratchBuf := rawHalfScratchBuf.Bytes()
 	return &Conn{
-		Conn:                conn,
+		Conn:             conn,
-		writer:              bufio.NewExtendedWriter(conn.NetConn()),
+		writer:           bufio.NewExtendedWriter(conn.NetConn()),
-		isHandshakeComplete: isHandshakeComplete,
+		activeCall:       activeCall,
-		activeCall:          activeCall,
+		closeNotifySent:  closeNotifySent,
-		closeNotifySent:     closeNotifySent,
+		version:          version,
-		version:             version,
+		halfAccess:       halfAccess,
-		halfAccess:          halfAccess,
+		halfError:        halfError,
-		halfError:           halfError,
+		cipher:           aeadCipher,
-		cipher:              aeadCipher,
+		explicitNonceLen: explicitNonceLen,
-		explicitNonceLen:    explicitNonceLen,
+		rand:             randReader,
-		rand:                randReader,
+		halfPtr:          rawHalfConn.UnsafeAddr(),
-		halfPtr:             rawHalfConn.UnsafeAddr(),
+		halfSeq:          halfSeq,
-		halfSeq:             halfSeq,
+		halfScratchBuf:   halfScratchBuf,
 		halfScratchBuf:      halfScratchBuf,
 	}, nil
 }
@@ -152,15 +130,15 @@ func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
 		return common.Error(c.Write(buffer.Bytes()))
 	}
 	for {
-		x := c.activeCall.Load()
+		x := atomic.LoadInt32(c.activeCall)
 		if x&1 != 0 {
 			return net.ErrClosed
 		}
-		if c.activeCall.CompareAndSwap(x, x+2) {
+		if atomic.CompareAndSwapInt32(c.activeCall, x, x+2) {
 			break
 		}
 	}
-	defer c.activeCall.Add(-2)
+	defer atomic.AddInt32(c.activeCall, -2)
 	c.halfAccess.Lock()
 	defer c.halfAccess.Unlock()
 	if err := *c.halfError; err != nil {
@@ -208,7 +186,6 @@ func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
 		binary.BigEndian.PutUint16(outBuf[3:], uint16(dataLen+c.explicitNonceLen+c.cipher.Overhead()))
 	}
 	incSeq(c.halfPtr)
 	log.Trace("badtls write ", buffer.Len())
 	return c.writer.WriteBuffer(buffer)
 }
--- a/common/badtls/badtls_stub.go
+++ b/common/badtls/badtls_stub.go
@@ -1,4 +1,4 @@
-//go:build !go1.19 || go1.21
+//go:build !go1.19 || go1.20
 package badtls
--- a/common/badtls/conn.go
+++ b/common/badtls/conn.go
@@ -0,0 +1,13 @@
 package badtls
 import (
 	"context"
 	"crypto/tls"
 	"net"
 )
 type TLSConn interface {
 	net.Conn
 	HandshakeContext(ctx context.Context) error
 	ConnectionState() tls.ConnectionState
 }
--- a/common/badtls/link.go
+++ b/common/badtls/link.go
@@ -1,8 +1,9 @@
-//go:build go1.20 && !go.1.21
+//go:build go1.19 && !go.1.20
 package badtls
 import (
 	"crypto/tls"
 	"reflect"
 	_ "unsafe"
 )
@@ -15,6 +16,9 @@ const (
 //go:linkname errShutdown crypto/tls.errShutdown
 var errShutdown error
 //go:linkname handshakeComplete crypto/tls.(*Conn).handshakeComplete
 func handshakeComplete(conn *tls.Conn) bool
 //go:linkname incSeq crypto/tls.(*halfConn).incSeq
 func incSeq(conn uintptr)
--- a/common/badversion/version.go
+++ b/common/badversion/version.go
@@ -1,114 +0,0 @@
 package badversion
 import (
 	"strconv"
 	"strings"
 	F "github.com/sagernet/sing/common/format"
 )
 type Version struct {
 	Major                int
 	Minor                int
 	Patch                int
 	PreReleaseIdentifier string
 	PreReleaseVersion    int
 }
 func (v Version) After(anotherVersion Version) bool {
 	if v.Major > anotherVersion.Major {
 		return true
 	} else if v.Major < anotherVersion.Major {
 		return false
 	}
 	if v.Minor > anotherVersion.Minor {
 		return true
 	} else if v.Minor < anotherVersion.Minor {
 		return false
 	}
 	if v.Patch > anotherVersion.Patch {
 		return true
 	} else if v.Patch < anotherVersion.Patch {
 		return false
 	}
 	if v.PreReleaseIdentifier == "" && anotherVersion.PreReleaseIdentifier != "" {
 		return true
 	} else if v.PreReleaseIdentifier != "" && anotherVersion.PreReleaseIdentifier == "" {
 		return false
 	}
 	if v.PreReleaseIdentifier != "" && anotherVersion.PreReleaseIdentifier != "" {
 		if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
 			return true
 		} else if v.PreReleaseIdentifier == "alpha" && anotherVersion.PreReleaseIdentifier == "beta" {
 			return false
 		}
 		if v.PreReleaseVersion > anotherVersion.PreReleaseVersion {
 			return true
 		} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
 			return false
 		}
 	}
 	return false
 }
 func (v Version) String() string {
 	version := F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
 	if v.PreReleaseIdentifier != "" {
 		version = F.ToString(version, "-", v.PreReleaseIdentifier, ".", v.PreReleaseVersion)
 	}
 	return version
 }
 func (v Version) BadString() string {
 	version := F.ToString(v.Major, ".", v.Minor)
 	if v.Patch > 0 {
 		version = F.ToString(version, ".", v.Patch)
 	}
 	if v.PreReleaseIdentifier != "" {
 		version = F.ToString(version, "-", v.PreReleaseIdentifier)
 		if v.PreReleaseVersion > 0 {
 			version = F.ToString(version, v.PreReleaseVersion)
 		}
 	}
 	return version
 }
 func Parse(versionName string) (version Version) {
 	if strings.HasPrefix(versionName, "v") {
 		versionName = versionName[1:]
 	}
 	if strings.Contains(versionName, "-") {
 		parts := strings.Split(versionName, "-")
 		versionName = parts[0]
 		identifier := parts[1]
 		if strings.Contains(identifier, ".") {
 			identifierParts := strings.Split(identifier, ".")
 			version.PreReleaseIdentifier = identifierParts[0]
 			if len(identifierParts) >= 2 {
 				version.PreReleaseVersion, _ = strconv.Atoi(identifierParts[1])
 			}
 		} else {
 			if strings.HasPrefix(identifier, "alpha") {
 				version.PreReleaseIdentifier = "alpha"
 				version.PreReleaseVersion, _ = strconv.Atoi(identifier[5:])
 			} else if strings.HasPrefix(identifier, "beta") {
 				version.PreReleaseIdentifier = "beta"
 				version.PreReleaseVersion, _ = strconv.Atoi(identifier[4:])
 			} else {
 				version.PreReleaseIdentifier = identifier
 			}
 		}
 	}
 	versionElements := strings.Split(versionName, ".")
 	versionLen := len(versionElements)
 	if versionLen >= 1 {
 		version.Major, _ = strconv.Atoi(versionElements[0])
 	}
 	if versionLen >= 2 {
 		version.Minor, _ = strconv.Atoi(versionElements[1])
 	}
 	if versionLen >= 3 {
 		version.Patch, _ = strconv.Atoi(versionElements[2])
 	}
 	return
 }
--- a/common/badversion/version_json.go
+++ b/common/badversion/version_json.go
@@ -1,17 +0,0 @@
 package badversion
 import "github.com/sagernet/sing-box/common/json"
 func (v Version) MarshalJSON() ([]byte, error) {
 	return json.Marshal(v.String())
 }
 func (v *Version) UnmarshalJSON(data []byte) error {
 	var version string
 	err := json.Unmarshal(data, &version)
 	if err != nil {
 		return err
 	}
 	*v = Parse(version)
 	return nil
 }
--- a/common/badversion/version_test.go
+++ b/common/badversion/version_test.go
@@ -1,18 +0,0 @@
 package badversion
 import (
 	"testing"
 	"github.com/stretchr/testify/require"
 )
 func TestCompareVersion(t *testing.T) {
 	t.Parallel()
 	require.Equal(t, "1.3.0-beta.1", Parse("v1.3.0-beta1").String())
 	require.Equal(t, "1.3-beta1", Parse("v1.3.0-beta.1").BadString())
 	require.True(t, Parse("1.3.0").After(Parse("1.3-beta1")))
 	require.True(t, Parse("1.3.0").After(Parse("1.3.0-beta1")))
 	require.True(t, Parse("1.3.0-beta1").After(Parse("1.3.0-alpha1")))
 	require.True(t, Parse("1.3.1").After(Parse("1.3.0")))
 	require.True(t, Parse("1.4").After(Parse("1.3")))
 }
--- a/common/canceler/instance.go
+++ b/common/canceler/instance.go
@@ -0,0 +1,48 @@
 package canceler
 import (
 	"context"
 	"time"
 )
 type Instance struct {
 	ctx        context.Context
 	cancelFunc context.CancelFunc
 	timer      *time.Timer
 	timeout    time.Duration
 }
 func New(ctx context.Context, cancelFunc context.CancelFunc, timeout time.Duration) *Instance {
 	instance := &Instance{
 		ctx,
 		cancelFunc,
 		time.NewTimer(timeout),
 		timeout,
 	}
 	go instance.wait()
 	return instance
 }
 func (i *Instance) Update() bool {
 	if !i.timer.Stop() {
 		return false
 	}
 	if !i.timer.Reset(i.timeout) {
 		return false
 	}
 	return true
 }
 func (i *Instance) wait() {
 	select {
 	case <-i.timer.C:
 	case <-i.ctx.Done():
 	}
 	i.Close()
 }
 func (i *Instance) Close() error {
 	i.timer.Stop()
 	i.cancelFunc()
 	return nil
 }
--- a/common/canceler/packet.go
+++ b/common/canceler/packet.go
@@ -0,0 +1,49 @@
 package canceler
 import (
 	"context"
 	"time"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type PacketConn struct {
 	N.PacketConn
 	instance *Instance
 }
 func NewPacketConn(ctx context.Context, conn N.PacketConn, timeout time.Duration) (context.Context, N.PacketConn) {
 	ctx, cancel := context.WithCancel(ctx)
 	instance := New(ctx, cancel, timeout)
 	return ctx, &PacketConn{conn, instance}
 }
 func (c *PacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
 	destination, err = c.PacketConn.ReadPacket(buffer)
 	if err == nil {
 		c.instance.Update()
 	}
 	return
 }
 func (c *PacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	err := c.PacketConn.WritePacket(buffer, destination)
 	if err == nil {
 		c.instance.Update()
 	}
 	return err
 }
 func (c *PacketConn) Close() error {
 	return common.Close(
 		c.PacketConn,
 		c.instance,
 	)
 }
 func (c *PacketConn) Upstream() any {
 	return c.PacketConn
 }
--- a/common/dialer/conntrack/conn.go
+++ b/common/dialer/conntrack/conn.go
@@ -12,7 +12,7 @@ type Conn struct {
 	element *list.Element[io.Closer]
 }
-func NewConn(conn net.Conn) (net.Conn, error) {
+func NewConn(conn net.Conn) (*Conn, error) {
 	connAccess.Lock()
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
--- a/common/dialer/conntrack/packet_conn.go
+++ b/common/dialer/conntrack/packet_conn.go
@@ -12,7 +12,7 @@ type PacketConn struct {
 	element *list.Element[io.Closer]
 }
-func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
+func NewPacketConn(conn net.PacketConn) (*PacketConn, error) {
 	connAccess.Lock()
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
--- a/common/dialer/conntrack/track.go
+++ b/common/dialer/conntrack/track.go
@@ -14,16 +14,10 @@ var (
 )
 func Count() int {
 	if !Enabled {
 		return 0
 	}
 	return openConnection.Len()
 }
 func List() []io.Closer {
 	if !Enabled {
 		return nil
 	}
 	connAccess.RLock()
 	defer connAccess.RUnlock()
 	connList := make([]io.Closer, 0, openConnection.Len())
@@ -34,9 +28,6 @@ func List() []io.Closer {
 }
 func Close() {
 	if !Enabled {
 		return
 	}
 	connAccess.Lock()
 	defer connAccess.Unlock()
 	for element := openConnection.Front(); element != nil; element = element.Next() {
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -7,6 +7,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer/conntrack"
 	"github.com/sagernet/sing-box/common/warning"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/control"
@@ -16,6 +17,41 @@ import (
 	"github.com/sagernet/tfo-go"
 )
 var warnBindInterfaceOnUnsupportedPlatform = warning.New(
 	func() bool {
 		return !(C.IsLinux || C.IsWindows || C.IsDarwin)
 	},
 	"outbound option `bind_interface` is only supported on Linux and Windows",
 )
 var warnRoutingMarkOnUnsupportedPlatform = warning.New(
 	func() bool {
 		return !C.IsLinux
 	},
 	"outbound option `routing_mark` is only supported on Linux",
 )
 var warnReuseAdderOnUnsupportedPlatform = warning.New(
 	func() bool {
 		return !(C.IsDarwin || C.IsDragonfly || C.IsFreebsd || C.IsLinux || C.IsNetbsd || C.IsOpenbsd || C.IsSolaris || C.IsWindows)
 	},
 	"outbound option `reuse_addr` is unsupported on current platform",
 )
 var warnProtectPathOnNonAndroid = warning.New(
 	func() bool {
 		return !C.IsAndroid
 	},
 	"outbound option `protect_path` is only supported on Android",
 )
 var warnTFOOnUnsupportedPlatform = warning.New(
 	func() bool {
 		return !(C.IsDarwin || C.IsFreebsd || C.IsLinux || C.IsWindows)
 	},
 	"outbound option `tcp_fast_open` is unsupported on current platform",
 )
 type DefaultDialer struct {
 	dialer4     tfo.Dialer
 	dialer6     tfo.Dialer
@@ -30,6 +66,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
 		warnBindInterfaceOnUnsupportedPlatform.Check()
 		bindFunc := control.BindToInterface(router.InterfaceFinder(), options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
@@ -43,6 +80,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
 	if options.RoutingMark != 0 {
 		warnRoutingMarkOnUnsupportedPlatform.Check()
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(options.RoutingMark))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(options.RoutingMark))
 	} else if router.DefaultMark() != 0 {
@@ -50,9 +88,11 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 		listener.Control = control.Append(listener.Control, control.RoutingMark(router.DefaultMark()))
 	}
 	if options.ReuseAddr {
 		warnReuseAdderOnUnsupportedPlatform.Check()
 		listener.Control = control.Append(listener.Control, control.ReuseAddr())
 	}
 	if options.ProtectPath != "" {
 		warnProtectPathOnNonAndroid.Check()
 		dialer.Control = control.Append(dialer.Control, control.ProtectPath(options.ProtectPath))
 		listener.Control = control.Append(listener.Control, control.ProtectPath(options.ProtectPath))
 	}
@@ -61,6 +101,9 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 	} else {
 		dialer.Timeout = C.TCPTimeout
 	}
 	if options.TCPFastOpen {
 		warnTFOOnUnsupportedPlatform.Check()
 	}
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment
@@ -111,9 +154,9 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 	switch N.NetworkName(network) {
 	case N.NetworkUDP:
 		if !address.IsIPv6() {
-			return trackConn(d.udpDialer4.DialContext(ctx, network, address.String()))
+			return d.udpDialer4.DialContext(ctx, network, address.String())
 		} else {
-			return trackConn(d.udpDialer6.DialContext(ctx, network, address.String()))
+			return d.udpDialer6.DialContext(ctx, network, address.String())
 		}
 	}
 	if !address.IsIPv6() {
--- a/common/dialer/resolve.go
+++ b/common/dialer/resolve.go
@@ -9,7 +9,6 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -69,11 +68,11 @@ func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	if err != nil {
 		return nil, err
 	}
-	conn, destinationAddress, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
+	conn, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
 	if err != nil {
 		return nil, err
 	}
-	return bufio.NewNATPacketConn(bufio.NewPacketConn(conn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
+	return NewResolvePacketConn(ctx, d.router, d.strategy, conn), nil
 }
 func (d *ResolveDialer) Upstream() any {
--- a/common/dialer/resolve_conn.go
+++ b/common/dialer/resolve_conn.go
@@ -0,0 +1,84 @@
 package dialer
 import (
 	"context"
 	"net"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 func NewResolvePacketConn(ctx context.Context, router adapter.Router, strategy dns.DomainStrategy, conn net.PacketConn) N.NetPacketConn {
 	if udpConn, ok := conn.(*net.UDPConn); ok {
 		return &ResolveUDPConn{udpConn, ctx, router, strategy}
 	} else {
 		return &ResolvePacketConn{conn, ctx, router, strategy}
 	}
 }
 type ResolveUDPConn struct {
 	*net.UDPConn
 	ctx      context.Context
 	router   adapter.Router
 	strategy dns.DomainStrategy
 }
 func (w *ResolveUDPConn) ReadPacket(buffer *buf.Buffer) (M.Socksaddr, error) {
 	n, addr, err := w.ReadFromUDPAddrPort(buffer.FreeBytes())
 	if err != nil {
 		return M.Socksaddr{}, err
 	}
 	buffer.Truncate(n)
 	return M.SocksaddrFromNetIP(addr), nil
 }
 func (w *ResolveUDPConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	defer buffer.Release()
 	if destination.IsFqdn() {
 		addresses, err := w.router.Lookup(w.ctx, destination.Fqdn, w.strategy)
 		if err != nil {
 			return err
 		}
 		return common.Error(w.UDPConn.WriteToUDPAddrPort(buffer.Bytes(), M.SocksaddrFrom(addresses[0], destination.Port).AddrPort()))
 	}
 	return common.Error(w.UDPConn.WriteToUDPAddrPort(buffer.Bytes(), destination.AddrPort()))
 }
 func (w *ResolveUDPConn) Upstream() any {
 	return w.UDPConn
 }
 type ResolvePacketConn struct {
 	net.PacketConn
 	ctx      context.Context
 	router   adapter.Router
 	strategy dns.DomainStrategy
 }
 func (w *ResolvePacketConn) ReadPacket(buffer *buf.Buffer) (M.Socksaddr, error) {
 	_, addr, err := buffer.ReadPacketFrom(w)
 	if err != nil {
 		return M.Socksaddr{}, err
 	}
 	return M.SocksaddrFromNet(addr), err
 }
 func (w *ResolvePacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	defer buffer.Release()
 	if destination.IsFqdn() {
 		addresses, err := w.router.Lookup(w.ctx, destination.Fqdn, w.strategy)
 		if err != nil {
 			return err
 		}
 		return common.Error(w.WriteTo(buffer.Bytes(), M.SocksaddrFrom(addresses[0], destination.Port).UDPAddr()))
 	}
 	return common.Error(w.WriteTo(buffer.Bytes(), destination.UDPAddr()))
 }
 func (w *ResolvePacketConn) Upstream() any {
 	return w.PacketConn
 }
--- a/common/dialer/tfo.go
+++ b/common/dialer/tfo.go
@@ -124,10 +124,6 @@ func (c *slowOpenConn) LazyHeadroom() bool {
 	return c.conn == nil
 }
 func (c *slowOpenConn) NeedHandshake() bool {
 	return c.conn == nil
 }
 func (c *slowOpenConn) ReadFrom(r io.Reader) (n int64, err error) {
 	if c.conn != nil {
 		return bufio.Copy(c.conn, r)
--- a/common/mux/client.go
+++ b/common/mux/client.go
@@ -249,10 +249,6 @@ func (c *ClientConn) WriterReplaceable() bool {
 	return c.requestWrite
 }
 func (c *ClientConn) NeedAdditionalReadDeadline() bool {
 	return true
 }
 func (c *ClientConn) Upstream() any {
 	return c.Conn
 }
@@ -381,10 +377,6 @@ func (c *ClientPacketConn) RemoteAddr() net.Addr {
 	return c.destination.UDPAddr()
 }
 func (c *ClientPacketConn) NeedAdditionalReadDeadline() bool {
 	return true
 }
 func (c *ClientPacketConn) Upstream() any {
 	return c.ExtendedConn
 }
@@ -421,11 +413,7 @@ func (c *ClientPacketAddrConn) ReadFrom(p []byte) (n int, addr net.Addr, err err
 	if err != nil {
 		return
 	}
-	if destination.IsFqdn() {
+	addr = destination.UDPAddr()
 		addr = destination
 	} else {
 		addr = destination.UDPAddr()
 	}
 	var length uint16
 	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
 	if err != nil {
@@ -526,10 +514,6 @@ func (c *ClientPacketAddrConn) FrontHeadroom() int {
 	return 2 + M.MaxSocksaddrLength
 }
 func (c *ClientPacketAddrConn) NeedAdditionalReadDeadline() bool {
 	return true
 }
 func (c *ClientPacketAddrConn) Upstream() any {
 	return c.ExtendedConn
 }
--- a/common/mux/service.go
+++ b/common/mux/service.go
@@ -131,10 +131,6 @@ func (c *ServerConn) FrontHeadroom() int {
 	return 0
 }
 func (c *ServerConn) NeedAdditionalReadDeadline() bool {
 	return true
 }
 func (c *ServerConn) Upstream() any {
 	return c.ExtendedConn
 }
@@ -187,10 +183,6 @@ func (c *ServerPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksad
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *ServerPacketConn) NeedAdditionalReadDeadline() bool {
 	return true
 }
 func (c *ServerPacketConn) Upstream() any {
 	return c.ExtendedConn
 }
@@ -253,10 +245,6 @@ func (c *ServerPacketAddrConn) WritePacket(buffer *buf.Buffer, destination M.Soc
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *ServerPacketAddrConn) NeedAdditionalReadDeadline() bool {
 	return true
 }
 func (c *ServerPacketAddrConn) Upstream() any {
 	return c.ExtendedConn
 }
--- a/common/process/searcher.go
+++ b/common/process/searcher.go
@@ -3,12 +3,10 @@ package process
 import (
 	"context"
 	"net/netip"
 	"os/user"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 )
 type Searcher interface {
@@ -30,15 +28,5 @@ type Info struct {
 }
 func FindProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	info, err := searcher.FindProcessInfo(ctx, network, source, destination)
+	return findProcessInfo(searcher, ctx, network, source, destination)
 	if err != nil {
 		return nil, err
 	}
 	if info.UserId != -1 {
 		osUser, _ := user.LookupId(F.ToString(info.UserId))
 		if osUser != nil {
 			info.User = osUser.Username
 		}
 	}
 	return info, nil
 }
--- a/common/process/searcher_with_name.go
+++ b/common/process/searcher_with_name.go
@@ -0,0 +1,25 @@
 //go:build linux && !android
 package process
 import (
 	"context"
 	"net/netip"
 	"os/user"
 	F "github.com/sagernet/sing/common/format"
 )
 func findProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
 	info, err := searcher.FindProcessInfo(ctx, network, source, destination)
 	if err != nil {
 		return nil, err
 	}
 	if info.UserId != -1 {
 		osUser, _ := user.LookupId(F.ToString(info.UserId))
 		if osUser != nil {
 			info.User = osUser.Username
 		}
 	}
 	return info, nil
 }
--- a/common/process/searcher_without_name.go
+++ b/common/process/searcher_without_name.go
@@ -0,0 +1,12 @@
 //go:build !linux || android
 package process
 import (
 	"context"
 	"net/netip"
 )
 func findProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
 	return searcher.FindProcessInfo(ctx, network, source, destination)
 }
--- a/common/sniff/http.go
+++ b/common/sniff/http.go
@@ -7,7 +7,6 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/protocol/http"
 )
@@ -16,5 +15,5 @@ func HTTPHost(ctx context.Context, reader io.Reader) (*adapter.InboundContext, e
 	if err != nil {
 		return nil, err
 	}
-	return &adapter.InboundContext{Protocol: C.ProtocolHTTP, Domain: M.ParseSocksaddr(request.Host).AddrString()}, nil
+	return &adapter.InboundContext{Protocol: C.ProtocolHTTP, Domain: request.Host}, nil
 }
--- a/common/sniff/http_test.go
+++ b/common/sniff/http_test.go
@@ -1,27 +0,0 @@
 package sniff_test
 import (
 	"context"
 	"strings"
 	"testing"
 	"github.com/sagernet/sing-box/common/sniff"
 	"github.com/stretchr/testify/require"
 )
 func TestSniffHTTP1(t *testing.T) {
 	t.Parallel()
 	pkt := "GET / HTTP/1.1\r\nHost: www.google.com\r\nAccept: */*\r\n\r\n"
 	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, metadata.Domain, "www.google.com")
 }
 func TestSniffHTTP1WithPort(t *testing.T) {
 	t.Parallel()
 	pkt := "GET / HTTP/1.1\r\nHost: www.gov.cn:8080\r\nAccept: */*\r\n\r\n"
 	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, metadata.Domain, "www.gov.cn")
 }
--- a/common/sniff/sniff.go
+++ b/common/sniff/sniff.go
@@ -24,12 +24,12 @@ func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout
 	}
 	err := conn.SetReadDeadline(time.Now().Add(timeout))
 	if err != nil {
-		return nil, E.Cause(err, "set read deadline")
+		return nil, err
 	}
 	_, err = buffer.ReadOnceFrom(conn)
 	err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
 	if err != nil {
-		return nil, E.Cause(err, "read payload")
+		return nil, err
 	}
 	var metadata *adapter.InboundContext
 	var errors []error
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@@ -124,9 +124,8 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	binary.BigEndian.PutUint64(hello.SessionId, uint64(nowTime.Unix()))
 	hello.SessionId[0] = 1
-	hello.SessionId[1] = 8
+	hello.SessionId[1] = 7
-	hello.SessionId[2] = 1
+	hello.SessionId[2] = 5
 	binary.BigEndian.PutUint32(hello.SessionId[4:], uint32(time.Now().Unix()))
 	copy(hello.SessionId[8:], e.shortID[:])
 	if debug.Enabled {
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -180,7 +180,7 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 		tlsConfig.ServerName = options.ServerName
 	}
 	if len(options.ALPN) > 0 {
-		tlsConfig.NextProtos = append(options.ALPN, tlsConfig.NextProtos...)
+		tlsConfig.NextProtos = append(tlsConfig.NextProtos, options.ALPN...)
 	}
 	if options.MinVersion != "" {
 		minVersion, err := ParseTLSVersion(options.MinVersion)
--- a/common/urltest/urltest.go
+++ b/common/urltest/urltest.go
@@ -50,9 +50,6 @@ func (s *HistoryStorage) StoreURLTestHistory(tag string, history *History) {
 }
 func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err error) {
 	if link == "" {
 		link = "https://www.gstatic.com/generate_204"
 	}
 	linkURL, err := url.Parse(link)
 	if err != nil {
 		return
--- a/common/warning/warning.go
+++ b/common/warning/warning.go
@@ -0,0 +1,31 @@
 package warning
 import (
 	"sync"
 	"github.com/sagernet/sing-box/log"
 )
 type Warning struct {
 	logger    log.Logger
 	check     CheckFunc
 	message   string
 	checkOnce sync.Once
 }
 type CheckFunc = func() bool
 func New(checkFunc CheckFunc, message string) Warning {
 	return Warning{
 		check:   checkFunc,
 		message: message,
 	}
 }
 func (w *Warning) Check() {
 	w.checkOnce.Do(func() {
 		if w.check() {
 			log.Warn(w.message)
 		}
 	})
 }
--- a/constant/path.go
+++ b/constant/path.go
@@ -12,7 +12,6 @@ const dirName = "sing-box"
 var (
 	basePath      string
 	tempPath      string
 	resourcePaths []string
 )
@@ -23,21 +22,10 @@ func BasePath(name string) string {
 	return filepath.Join(basePath, name)
 }
 func CreateTemp(pattern string) (*os.File, error) {
 	if tempPath == "" {
 		tempPath = os.TempDir()
 	}
 	return os.CreateTemp(tempPath, pattern)
 }
 func SetBasePath(path string) {
 	basePath = path
 }
 func SetTempPath(path string) {
 	tempPath = path
 }
 func FindPath(name string) (string, bool) {
 	name = os.ExpandEnv(name)
 	if rw.FileExists(name) {
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,115 +1,3 @@
 #### 1.3-beta8
 * Fix `system` tun stack for ios
 * Fix network monitor for android/ios
 * Update VLESS and XUDP protocol **1**
 * Fixes and improvements
 *1:
 As in Xray, this is an incompatible update for XUDP in VLESS if vision flow is enabled.
 #### 1.3-beta7
 * Add `path` and `headers` options for HTTP outbound
 * Add multi-user support for Shadowsocks legacy AEAD inbound
 * Fixes and improvements
 #### 1.2.4
 * Fixes and improvements
 #### 1.3-beta6
 * Fix WireGuard reconnect
 * Perform URLTest recheck after network changes
 * Fix bugs and update dependencies
 #### 1.3-beta5
 * Add Clash.Meta API compatibility for Clash API
 * Download Yacd-meta by default if the specified Clash `external_ui` directory is empty
 * Add path and headers option for HTTP outbound
 * Fixes and improvements
 #### 1.3-beta4
 * Fix bugs
 #### 1.3-beta2
 * Download clash-dashboard if the specified Clash `external_ui` directory is empty
 * Fix bugs and update dependencies
 #### 1.3-beta1
 * Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
 * Add [L3 routing](/configuration/route/ip-rule) support **1**
 * Add `rewrite_ttl` DNS rule action
 * Add [FakeIP](/configuration/dns/fakeip) support **2**
 * Add `store_fakeip` Clash API option
 * Add multi-peer support for [WireGuard](/configuration/outbound/wireguard#peers) outbound
 * Add loopback detect
 *1*:
 It can currently be used to [route connections directly to WireGuard](/examples/wireguard-direct) or block connections
 at the IP layer.
 *2*:
 See [FAQ](/faq/fakeip) for more information.
 #### 1.2.3
 * Introducing our [new Android client application](/installation/clients/sfa)
 * Improve UDP domain destination NAT
 * Update reality protocol
 * Fix TTL calculation for DNS response
 * Fix v2ray HTTP transport compatibility
 * Fix bugs and update dependencies
 #### 1.2.2
 * Accept `any` outbound in dns rule **1**
 * Fix bugs and update dependencies
 *1*:
 Now you can use the `any` outbound rule to match server address queries instead of filling in all server domains
 to `domain` rule.
 #### 1.2.1
 * Fix missing default host in v2ray http transport`s request
 * Flush DNS cache for macOS when tun start/close
 * Fix tun's DNS hijacking compatibility with systemd-resolved
 #### 1.2.0
 * Fix bugs and update dependencies
 Important changes since 1.1:
 * Introducing our [new iOS client application](/installation/clients/sfi)
 * Introducing [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
 * Add [platform options](/configuration/inbound/tun#platform) for tun inbound
 * Add [ShadowTLS protocol v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md)
 * Add [VLESS server](/configuration/inbound/vless) and [vision](/configuration/outbound/vless#flow) support
 * Add [reality TLS](/configuration/shared/tls) support
 * Add [NTP service](/configuration/ntp)
 * Add [DHCP DNS server](/configuration/dns/server) support
 * Add SSH [host key validation](/configuration/outbound/ssh) support
 * Add [query_type](/configuration/dns/rule) DNS rule item
 * Add fallback support for v2ray transport
 * Add custom TLS server support for http based v2ray transports
 * Add health check support for http-based v2ray transports
 * Add multiple configuration support
 #### 1.2-rc1
 * Fix bugs and update dependencies
 #### 1.2-beta10
 * Add multiple configuration support **1**
@@ -117,11 +5,9 @@ Important changes since 1.1:
 *1*:
-Now you can pass the parameter `--config` or `-c` multiple times, or use the new parameter `--config-directory` or `-C`
+Now you can pass the parameter `--config` or `-c` multiple times, or use the new parameter `--config-directory` or `-C` to load all configuration files in a directory.
 to load all configuration files in a directory.
-Loaded configuration files are sorted by name. If you want to control the merge order, add a numeric prefix to the file
+Loaded configuration files are sorted by name. If you want to control the merge order, add a numeric prefix to the file name.
 name.
 #### 1.1.7
--- a/docs/configuration/dns/fakeip.md
+++ b/docs/configuration/dns/fakeip.md
@@ -1,25 +0,0 @@
 # FakeIP
 ### Structure
 ```json
 {
  "enabled": true,
  "inet4_range": "198.18.0.0/15",
  "inet6_range": "fc00::/18"
 }
 ```
 ### Fields
 #### enabled
 Enable FakeIP service.
 #### inet4_range
 IPv4 address range for FakeIP.
 #### inet6_address
 IPv6 address range for FakeIP.
--- a/docs/configuration/dns/fakeip.zh.md
+++ b/docs/configuration/dns/fakeip.zh.md
@@ -1,25 +0,0 @@
 # FakeIP
 ### 结构
 ```json
 {
  "enabled": true,
  "inet4_range": "198.18.0.0/15",
  "inet6_range": "fc00::/18"
 }
 ```
 ### 字段
 #### enabled
 启用 FakeIP 服务。
 #### inet4_range
 用于 FakeIP 的 IPv4 地址范围。
 #### inet6_range
 用于 FakeIP 的 IPv6 地址范围。
--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@@ -10,9 +10,7 @@
    "final": "",
    "strategy": "",
    "disable_cache": false,
-    "disable_expire": false,
+    "disable_expire": false
    "reverse_mapping": false,
    "fakeip": {}
  }
 }
@@ -24,7 +22,6 @@
 |----------|--------------------------------|
 | `server` | List of [DNS Server](./server) |
 | `rules`  | List of [DNS Rule](./rule)     |
 | `fakeip` | [FakeIP](./fakeip)             |
 #### final
@@ -46,15 +43,4 @@ Disable dns cache.
 #### disable_expire
-Disable dns cache expire.
+Disable dns cache expire.
 #### reverse_mapping
 Stores a reverse mapping of IP addresses after responding to a DNS query in order to provide domain names when routing.
 Since this process relies on the act of resolving domain names by an application before making a request, it can be
 problematic in environments such as macOS, where DNS is proxied and cached by the system.
 #### fakeip
 [FakeIP](./fakeip) settings.
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@@ -10,9 +10,7 @@
    "final": "",
    "strategy": "",
    "disable_cache": false,
-    "disable_expire": false,
+    "disable_expire": false
    "reverse_mapping": false,
    "fakeip": {}
  }
 }
@@ -45,14 +43,4 @@
 #### disable_expire
-禁用 DNS 缓存过期。
+禁用 DNS 缓存过期。
 #### reverse_mapping
 在响应 DNS 查询后存储 IP 地址的反向映射以为路由目的提供域名。
 由于此过程依赖于应用程序在发出请求之前解析域名的行为，因此在 macOS 等 DNS 由系统代理和缓存的环境中可能会出现问题。
 #### fakeip
 [FakeIP](./fakeip) 设置。
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -84,16 +84,14 @@
          "direct"
        ],
        "server": "local",
-        "disable_cache": false,
+        "disable_cache": false
        "rewrite_ttl": 100
      },
      {
        "type": "logical",
        "mode": "and",
        "rules": [],
        "server": "local",
-        "disable_cache": false,
+        "disable_cache": false
        "rewrite_ttl": 100
      }
    ]
  }
@@ -234,8 +232,6 @@ Invert match result.
 Match outbound.
 `any` can be used as a value to match any outbound.
 #### server
 ==Required==
@@ -246,10 +242,6 @@ Tag of the target dns server.
 Disable cache and save cache in this query.
 #### rewrite_ttl
 Rewrite TTL in DNS responses.
 ### Logical Fields
 #### type
@@ -262,4 +254,18 @@ Rewrite TTL in DNS responses.
 #### rules
-Included default rules.
+Included default rules.
 #### invert
 Invert match result.
 #### server
 ==Required==
 Tag of the target dns server.
 #### disable_cache
 Disable cache and save cache in this query.
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -231,8 +231,6 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 匹配出站。
 `any` 可作为值用于匹配任意出站。
 #### server
 ==必填==
@@ -243,10 +241,6 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 在此查询中禁用缓存。
 #### rewrite_ttl
 重写 DNS 回应中的 TTL。
 ### 逻辑字段
 #### type
@@ -259,4 +253,18 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 #### rules
-包括的默认规则。
+包括的默认规则。
 #### invert
 反选匹配结果。
 #### server
 ==必填==
 目标 DNS 服务器的标签。
 #### disable_cache
 在此查询中禁用缓存。
--- a/docs/configuration/dns/server.md
+++ b/docs/configuration/dns/server.md
@@ -30,18 +30,17 @@ The tag of the dns server.
 The address of the dns server.
-| Protocol            | Format                        |
+| Protocol | Format                        |
-|---------------------|-------------------------------|
+|----------|-------------------------------|
-| `System`            | `local`                       |
+| `System` | `local`                       |
-| `TCP`               | `tcp://1.0.0.1`               |
+| `TCP`    | `tcp://1.0.0.1`               |
-| `UDP`               | `8.8.8.8` `udp://8.8.4.4`     |
+| `UDP`    | `8.8.8.8` `udp://8.8.4.4`     |
-| `TLS`               | `tls://dns.google`            |
+| `TLS`    | `tls://dns.google`            |
-| `HTTPS`             | `https://1.1.1.1/dns-query`   |
+| `HTTPS`  | `https://1.1.1.1/dns-query`   |
-| `QUIC`              | `quic://dns.adguard.com`      |
+| `QUIC`   | `quic://dns.adguard.com`      |
-| `HTTP3`             | `h3://8.8.8.8/dns-query`      |
+| `HTTP3`  | `h3://8.8.8.8/dns-query`      |
-| `RCode`             | `rcode://refused`             |
+| `RCode`  | `rcode://refused`             |
-| `DHCP`              | `dhcp://auto` or `dhcp://en0` |
+| `DHCP`   | `dhcp://auto` or `dhcp://en0` |
 |  [FakeIP](./fakeip) | `fakeip`                      |
 !!! warning ""
--- a/docs/configuration/dns/server.zh.md
+++ b/docs/configuration/dns/server.zh.md
@@ -30,18 +30,17 @@ DNS 服务器的标签。
 DNS 服务器的地址。
-| 协议                 | 格式                           |
+| 协议       | 格式                           |
-|--------------------|------------------------------|
+|----------|------------------------------|
-| `System`           | `local`                      |
+| `System` | `local`                      |
-| `TCP`              | `tcp://1.0.0.1`              |
+| `TCP`    | `tcp://1.0.0.1`              |
-| `UDP`              | `8.8.8.8` `udp://8.8.4.4`    |
+| `UDP`    | `8.8.8.8` `udp://8.8.4.4`    |
-| `TLS`              | `tls://dns.google`           |
+| `TLS`    | `tls://dns.google`           |
-| `HTTPS`            | `https://1.1.1.1/dns-query`  |
+| `HTTPS`  | `https://1.1.1.1/dns-query`  |
-| `QUIC`             | `quic://dns.adguard.com`     |
+| `QUIC`   | `quic://dns.adguard.com`     |
-| `HTTP3`            | `h3://8.8.8.8/dns-query`     |
+| `HTTP3`  | `h3://8.8.8.8/dns-query`     |
-| `RCode`            | `rcode://refused`            |
+| `RCode`  | `rcode://refused`            |
-| `DHCP`             | `dhcp://auto` 或 `dhcp://en0` |
+| `DHCP`   | `dhcp://auto` 或 `dhcp://en0` |
 | [FakeIP](./fakeip) | `fakeip`                     |
 !!! warning ""
--- a/docs/configuration/experimental/index.md
+++ b/docs/configuration/experimental/index.md
@@ -8,8 +8,6 @@
    "clash_api": {
      "external_controller": "127.0.0.1:9090",
      "external_ui": "folder",
      "external_ui_download_url": "",
      "external_ui_download_detour": "",
      "secret": "",
      "default_mode": "rule",
      "store_selected": false,
@@ -55,18 +53,6 @@ A relative path to the configuration directory or an absolute path to a
 directory in which you put some static web resource. sing-box will then
 serve it at `http://{{external-controller}}/ui`.
 #### external_ui_download_url
 ZIP download URL for the external UI, will be used if the specified `external_ui` directory is empty.
 `https://github.com/MetaCubeX/Yacd-meta/archive/gh-pages.zip` will be used if empty.
 #### external_ui_download_detour
 The tag of the outbound to download the external UI.
 Default outbound will be used if empty.
 #### secret
 Secret for the RESTful API (optional)
--- a/docs/configuration/experimental/index.zh.md
+++ b/docs/configuration/experimental/index.zh.md
@@ -8,8 +8,6 @@
    "clash_api": {
      "external_controller": "127.0.0.1:9090",
      "external_ui": "folder",
      "external_ui_download_url": "",
      "external_ui_download_detour": "",
      "secret": "",
      "default_mode": "rule",
      "store_selected": false,
@@ -53,18 +51,6 @@ RESTful web API 监听地址。如果为空，则禁用 Clash API。
 到静态网页资源目录的相对路径或绝对路径。sing-box 会在 `http://{{external-controller}}/ui` 下提供它。
 #### external_ui_download_url
 静态网页资源的 ZIP 下载 URL，如果指定的 `external_ui` 目录为空，将使用。
 默认使用 `https://github.com/MetaCubeX/Yacd-meta/archive/gh-pages.zip`。
 #### external_ui_download_detour
 用于下载静态网页资源的出站的标签。
 如果为空，将使用默认出站。
 #### secret
 RESTful API 的密钥（可选）
--- a/docs/configuration/inbound/http.md
+++ b/docs/configuration/inbound/http.md
@@ -40,8 +40,4 @@ No authentication required if empty.
    Only supported on Linux, Android, Windows, and macOS.
 !!! warning ""
    To work on Android and iOS without privileges, use tun.platform.http_proxy instead.
 Automatically set system proxy configuration when start and clean up when stop.
--- a/docs/configuration/inbound/http.zh.md
+++ b/docs/configuration/inbound/http.zh.md
@@ -40,8 +40,4 @@ HTTP 用户
    仅支持 Linux、Android、Windows 和 macOS。
 !!! warning ""
    要在无特权的 Android 和 iOS 上工作，请改用 tun.platform.http_proxy。
 启动时自动设置系统代理，停止时自动清理。
--- a/docs/configuration/inbound/mixed.md
+++ b/docs/configuration/inbound/mixed.md
@@ -37,8 +37,4 @@ No authentication required if empty.
    Only supported on Linux, Android, Windows, and macOS.
-!!! warning ""
+Automatically set system proxy configuration when start and clean up when stop.
    To work on Android and iOS without privileges, use tun.platform.http_proxy instead.
 Automatically set system proxy configuration when start and clean up when stop.
--- a/docs/configuration/inbound/mixed.zh.md
+++ b/docs/configuration/inbound/mixed.zh.md
@@ -37,8 +37,4 @@ SOCKS 和 HTTP 用户
    仅支持 Linux、Android、Windows 和 macOS。
 !!! warning ""
    要在无特权的 Android 和 iOS 上工作，请改用 tun.platform.http_proxy。
 启动时自动设置系统代理，停止时自动清理。
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -107,7 +107,8 @@ Enforce strict routing rules when `auto_route` is enabled:
 * Let unsupported network unreachable
 * Route all connections to tun
-It prevents address leaks and makes DNS hijacking work on Android, but your device will not be accessible by others.
+It prevents address leaks and makes DNS hijacking work on Android and Linux with systemd-resolved, but your device will
 not be accessible by others.
 *In Windows*:
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -107,7 +107,7 @@ tun 接口的 IPv6 前缀。
 * 让不支持的网络无法到达
 * 将所有连接路由到 tun
-它可以防止地址泄漏，并使 DNS 劫持在 Android 上工作，但你的设备将无法其他设备被访问。
+它可以防止地址泄漏，并使 DNS 劫持在 Android 和使用 systemd-resolved 的 Linux 上工作，但你的设备将无法其他设备被访问。
 *在 Windows 中*:
--- a/docs/configuration/outbound/http.md
+++ b/docs/configuration/outbound/http.md
@@ -11,8 +11,6 @@
  "server_port": 1080,
  "username": "sekai",
  "password": "admin",
  "path": "",
  "headers": {},
  "tls": {},
  ... // Dial Fields
@@ -41,14 +39,6 @@ Basic authorization username.
 Basic authorization password.
 #### path
 Path of HTTP request.
 #### headers
 Extra headers of HTTP request.
 #### tls
 TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
--- a/docs/configuration/outbound/http.zh.md
+++ b/docs/configuration/outbound/http.zh.md
@@ -11,8 +11,6 @@
  "server_port": 1080,
  "username": "sekai",
  "password": "admin",
  "path": "",
  "headers": {},
  "tls": {},
  ... // 拨号字段
@@ -41,14 +39,6 @@ Basic 认证用户名。
 Basic 认证密码。
 #### path
 HTTP 请求路径。
 #### headers
 HTTP 请求的额外标头。
 #### tls
 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
--- a/docs/configuration/outbound/index.md
+++ b/docs/configuration/outbound/index.md
@@ -37,10 +37,4 @@
 #### tag
-The tag of the outbound.
+The tag of the outbound.
 ### Features
 #### Outbounds that support IP connection
 * `WireGuard`
--- a/docs/configuration/outbound/index.zh.md
+++ b/docs/configuration/outbound/index.zh.md
@@ -36,10 +36,4 @@
 #### tag
-出站的标签。
+出站的标签。
 ### 特性
 #### 支持 IP 连接的出站
 * `WireGuard`
--- a/docs/configuration/outbound/urltest.md
+++ b/docs/configuration/outbound/urltest.md
@@ -10,7 +10,7 @@
    "proxy-b",
    "proxy-c"
  ],
-  "url": "https://www.gstatic.com/generate_204",
+  "url": "http://www.gstatic.com/generate_204",
  "interval": "1m",
  "tolerance": 50
 }
@@ -26,7 +26,7 @@ List of outbound tags to test.
 #### url
-The URL to test. `https://www.gstatic.com/generate_204` will be used if empty.
+The URL to test. `http://www.gstatic.com/generate_204` will be used if empty.
 #### interval
--- a/docs/configuration/outbound/urltest.zh.md
+++ b/docs/configuration/outbound/urltest.zh.md
@@ -10,7 +10,7 @@
    "proxy-b",
    "proxy-c"
  ],
-  "url": "https://www.gstatic.com/generate_204",
+  "url": "http://www.gstatic.com/generate_204",
  "interval": "1m",
  "tolerance": 50
 }
@@ -26,7 +26,7 @@
 #### url
-用于测试的链接。默认使用 `https://www.gstatic.com/generate_204`。
+用于测试的链接。默认使用 `http://www.gstatic.com/generate_204`。
 #### interval
--- a/docs/configuration/outbound/wireguard.md
+++ b/docs/configuration/outbound/wireguard.md
@@ -13,18 +13,6 @@
    "10.0.0.2/32"
  ],
  "private_key": "YNXtAzepDqRv9H52osJVDQnznT5AM11eCK3ESpwSt04=",
  "peers": [
    {
      "server": "127.0.0.1",
      "server_port": 1080,
      "public_key": "Z1XXLsKYkYxuiYjJIkRvtIKFepCYHTgON+GwPq7SOV4=",
      "pre_shared_key": "31aIhAPwktDGpH4JDhA8GNvjFXEf/a6+UaQRyOAiyfM=",
      "allowed_ips": [
        "0.0.0.0/0"
      ],
      "reserved": [0, 0, 0]
    }
  ],
  "peer_public_key": "Z1XXLsKYkYxuiYjJIkRvtIKFepCYHTgON+GwPq7SOV4=",
  "pre_shared_key": "31aIhAPwktDGpH4JDhA8GNvjFXEf/a6+UaQRyOAiyfM=",
  "reserved": [0, 0, 0],
@@ -48,13 +36,13 @@
 #### server
-==Required if multi-peer disabled==
+==Required==
 The server address.
 #### server_port
-==Required if multi-peer disabled==
+==Required==
 The server port.
@@ -87,25 +75,9 @@ wg genkey
 echo "private key" || wg pubkey
 ```
 #### peers
 Multi-peer support. 
 If enabled, `server, server_port, peer_public_key, pre_shared_key` will be ignored.
 #### peers.allowed_ips
 WireGuard allowed IPs.
 #### peers.reserved
 WireGuard reserved field bytes.
 `$outbound.reserved` will be used if empty.
 #### peer_public_key
-==Required if multi-peer disabled==
+==Required==
 WireGuard peer public key.
--- a/docs/configuration/route/index.md
+++ b/docs/configuration/route/index.md
@@ -7,7 +7,6 @@
  "route": {
    "geoip": {},
    "geosite": {},
    "ip_rules": [],
    "rules": [],
    "final": "",
    "auto_detect_interface": false,
@@ -20,12 +19,11 @@
 ### Fields
-| Key        | Format                             |
+| Key       | Format                       |
-|------------|------------------------------------|
+|-----------|------------------------------|
-| `geoip`    | [GeoIP](./geoip)                   |
+| `geoip`   | [GeoIP](./geoip)             |
-| `geosite`  | [Geosite](./geosite)               |
+| `geosite` | [Geosite](./geosite)         |
-| `ip_rules` | List of [IP Route Rule](./ip-rule) |
+| `rules`   | List of [Route Rule](./rule) |
 | `rules`    | List of [Route Rule](./rule)       |
 #### final
--- a/docs/configuration/route/index.zh.md
+++ b/docs/configuration/route/index.zh.md
@@ -7,7 +7,6 @@
  "route": {
    "geoip": {},
    "geosite": {},
    "ip_rules": [],
    "rules": [],
    "final": "",
    "auto_detect_interface": false,
@@ -20,12 +19,11 @@
 ### 字段
-| 键          | 格式                      |
+| 键         | 格式                   |
-|------------|-------------------------|
+|-----------|----------------------|
-| `geoip`    | [GeoIP](./geoip)        |
+| `geoip`   | [GeoIP](./geoip)     |
-| `geosite`  | [GeoSite](./geosite)    |
+| `geosite` | [GeoSite](./geosite) |
-| `ip_rules` | 一组 [IP 路由规则](./ip-rule) |
+| `rules`   | 一组 [路由规则](./rule)    |
 | `rules`    | 一组 [路由规则](./rule)       |
 #### final
@@ -67,4 +65,4 @@
 默认为出站连接设置路由标记。
-如果设置了 `outbound.routing_mark` 设置，则不生效。
+如果设置了 `outbound.routing_mark` 设置，则不生效。
--- a/docs/configuration/route/ip-rule.md
+++ b/docs/configuration/route/ip-rule.md
@@ -1,205 +0,0 @@
 ### Structure
 ```json
 {
  "route": {
    "ip_rules": [
      {
        "inbound": [
          "mixed-in"
        ],
        "ip_version": 6,
        "network": [
          "tcp"
        ],
        "domain": [
          "test.com"
        ],
        "domain_suffix": [
          ".cn"
        ],
        "domain_keyword": [
          "test"
        ],
        "domain_regex": [
          "^stun\\..+"
        ],
        "geosite": [
          "cn"
        ],
        "source_geoip": [
          "private"
        ],
        "geoip": [
          "cn"
        ],
        "source_ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "source_port": [
          12345
        ],
        "source_port_range": [
          "1000:2000",
          ":3000",
          "4000:"
        ],
        "port": [
          80,
          443
        ],
        "port_range": [
          "1000:2000",
          ":3000",
          "4000:"
        ],
        "invert": false,
        "action": "direct",
        "outbound": "wireguard"
      },
      {
        "type": "logical",
        "mode": "and",
        "rules": [],
        "invert": false,
        "action": "direct",
        "outbound": "wireguard"
      }
    ]
  }
 }
 ```
 !!! note ""
    You can ignore the JSON Array [] tag when the content is only one item
 ### Default Fields
 !!! note ""
    The default rule uses the following matching logic:  
    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
    (`port` || `port_range`) &&  
    (`source_geoip` || `source_ip_cidr`) &&  
    (`source_port` || `source_port_range`) &&  
    `other fields`
 #### inbound
 Tags of [Inbound](/configuration/inbound).
 #### ip_version
 4 or 6.
 Not limited if empty.
 #### network
 Match network protocol.
 Available values:
 * `tcp`
 * `udp`
 * `icmpv4`
 * `icmpv6`
 #### domain
 Match full domain.
 #### domain_suffix
 Match domain suffix.
 #### domain_keyword
 Match domain using keyword.
 #### domain_regex
 Match domain using regular expression.
 #### geosite
 Match geosite.
 #### source_geoip
 Match source geoip.
 #### geoip
 Match geoip.
 #### source_ip_cidr
 Match source ip cidr.
 #### ip_cidr
 Match ip cidr.
 #### source_port
 Match source port.
 #### source_port_range
 Match source port range.
 #### port
 Match port.
 #### port_range
 Match port range.
 #### invert
 Invert match result.
 #### action
 ==Required==
 | Action | Description                                                        |
 |--------|--------------------------------------------------------------------|
 | return | Stop IP routing and assemble the connection to the transport layer |
 | block  | Block the connection                                               |
 | direct | Directly forward the connection                                    |
 #### outbound
 ==Required if action is direct==
 Tag of the target outbound.
 Only outbound which supports IP connection can be used, see [Outbounds that support IP connection](/configuration/outbound/#outbounds-that-support-ip-connection).
 ### Logical Fields
 #### type
 `logical`
 #### mode
 ==Required==
 `and` or `or`
 #### rules
 ==Required==
 Included default rules.
--- a/docs/configuration/route/ip-rule.zh.md
+++ b/docs/configuration/route/ip-rule.zh.md
@@ -1,204 +0,0 @@
 ### 结构
 ```json
 {
  "route": {
    "ip_rules": [
      {
        "inbound": [
          "mixed-in"
        ],
        "ip_version": 6,
        "network": [
          "tcp"
        ],
        "domain": [
          "test.com"
        ],
        "domain_suffix": [
          ".cn"
        ],
        "domain_keyword": [
          "test"
        ],
        "domain_regex": [
          "^stun\\..+"
        ],
        "geosite": [
          "cn"
        ],
        "source_geoip": [
          "private"
        ],
        "geoip": [
          "cn"
        ],
        "source_ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "source_port": [
          12345
        ],
        "source_port_range": [
          "1000:2000",
          ":3000",
          "4000:"
        ],
        "port": [
          80,
          443
        ],
        "port_range": [
          "1000:2000",
          ":3000",
          "4000:"
        ],
        "invert": false,
        "action": "direct",
        "outbound": "wireguard"
      },
      {
        "type": "logical",
        "mode": "and",
        "rules": [],
        "invert": false,
        "action": "direct",
        "outbound": "wireguard"
      }
    ]
  }
 }
 ```
 !!! note ""
    当内容只有一项时，可以忽略 JSON 数组 [] 标签。
 ### Default Fields
 !!! note ""
    默认规则使用以下匹配逻辑:  
    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
    (`port` || `port_range`) &&  
    (`source_geoip` || `source_ip_cidr`) &&  
    (`source_port` || `source_port_range`) &&  
    `other fields`
 #### inbound
 [入站](/zh/configuration/inbound) 标签。
 #### ip_version
 4 或 6。
 默认不限制。
 #### network
 匹配网络协议。
 可用值：
 * `tcp`
 * `udp`
 * `icmpv4`
 * `icmpv6`
 #### domain
 匹配完整域名。
 #### domain_suffix
 匹配域名后缀。
 #### domain_keyword
 匹配域名关键字。
 #### domain_regex
 匹配域名正则表达式。
 #### geosite
 匹配 GeoSite。
 #### source_geoip
 匹配源 GeoIP。
 #### geoip
 匹配 GeoIP。
 #### source_ip_cidr
 匹配源 IP CIDR。
 #### ip_cidr
 匹配 IP CIDR。
 #### source_port
 匹配源端口。
 #### source_port_range
 匹配源端口范围。
 #### port
 匹配端口。
 #### port_range
 匹配端口范围。
 #### invert
 反选匹配结果。
 #### action
 ==必填==
 | Action | 描述                  |
 |--------|---------------------|
 | return | 停止 IP 路由并将该连接组装到传输层 |
 | block  | 屏蔽该连接               |
 | direct | 直接转发该连接             |
 #### outbound
 ==action 为 direct 则必填==
 目标出站的标签。
 ### 逻辑字段
 #### type
 `logical`
 #### mode
 ==必填==
 `and` 或 `or`
 #### rules
 ==必填==
 包括的默认规则。
--- a/docs/configuration/route/rule.md
+++ b/docs/configuration/route/rule.md
@@ -9,9 +9,7 @@
          "mixed-in"
        ],
        "ip_version": 6,
-        "network": [
+        "network": "tcp",
          "tcp"
        ],
        "auth_user": [
          "usera",
          "userb"
@@ -246,12 +244,18 @@ Tag of the target outbound.
 #### mode
 ==Required==
 `and` or `or`
 #### rules
 Included default rules.
 #### invert
 Invert match result.
 #### outbound
 ==Required==
-Included default rules.
+Tag of the target outbound.
--- a/docs/configuration/route/rule.zh.md
+++ b/docs/configuration/route/rule.zh.md
@@ -9,9 +9,7 @@
          "mixed-in"
        ],
        "ip_version": 6,
-        "network": [
+        "network": "tcp",
          "tcp"
        ],
        "auth_user": [
          "usera",
          "userb"
@@ -244,12 +242,18 @@
 #### mode
 ==必填==
 `and` 或 `or`
 #### rules
 包括的默认规则。
 #### invert
 反选匹配结果。
 #### outbound
 ==必填==
-包括的默认规则。
+目标出站的标签。
--- a/docs/examples/index.md
+++ b/docs/examples/index.md
@@ -8,4 +8,3 @@ Configuration examples for sing-box.
 * [Shadowsocks](./shadowsocks)
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
 * [WireGuard Direct](./wireguard-direct)
--- a/docs/examples/index.zh.md
+++ b/docs/examples/index.zh.md
@@ -8,4 +8,3 @@ sing-box 的配置示例。
 * [Shadowsocks](./shadowsocks)
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
 * [WireGuard Direct](./wireguard-direct)
--- a/docs/examples/linux-server-installation.md
+++ b/docs/examples/linux-server-installation.md
@@ -7,9 +7,9 @@
 #### Install
 ```shell
-git clone -b main https://github.com/SagerNet/sing-box
+git clone https://github.com/SagerNet/sing-box
 cd sing-box
-./release/local/install_go.sh # skip if you have golang already installed
+./release/local/install_go.sh # skip if you have go1.19 already installed
 ./release/local/install.sh
 ```
--- a/docs/examples/linux-server-installation.zh.md
+++ b/docs/examples/linux-server-installation.zh.md
@@ -7,9 +7,9 @@
 #### 安装
 ```shell
-git clone -b main https://github.com/SagerNet/sing-box
+git clone https://github.com/SagerNet/sing-box
 cd sing-box
-./release/local/install_go.sh # 如果已安装 golang 则跳过
+./release/local/install_go.sh # 如果已安装 go1.19 则跳过
 ./release/local/install.sh
 ```
--- a/docs/examples/tun.md
+++ b/docs/examples/tun.md
@@ -23,10 +23,7 @@
        "disable_cache": true
      },
      {
-        "outbound": "any",
+        "domain": "mydomain.com",
        "server": "local"
      },
      {
        "geosite": "cn",
        "server": "local"
      }
--- a/docs/examples/wireguard-direct.md
+++ b/docs/examples/wireguard-direct.md
@@ -1,90 +0,0 @@
 # WireGuard Direct
 ```json
 {
  "dns": {
    "servers": [
      {
        "tag": "google",
        "address": "tls://8.8.8.8"
      },
      {
        "tag": "local",
        "address": "223.5.5.5",
        "detour": "direct"
      }
    ],
    "rules": [
      {
        "geoip": "cn",
        "server": "direct"
      }
    ],
    "reverse_mapping": true
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun",
      "inet4_address": "172.19.0.1/30",
      "auto_route": true,
      "sniff": true,
      "stack": "system"
    }
  ],
  "outbounds": [
    {
      "type": "wireguard",
      "tag": "wg",
      "server": "127.0.0.1",
      "server_port": 2345,
      "local_address": [
        "172.19.0.1/128"
      ],
      "private_key": "KLTnpPY03pig/WC3zR8U7VWmpANHPFh2/4pwICGJ5Fk=",
      "peer_public_key": "uvNabcamf6Rs0vzmcw99jsjTJbxo6eWGOykSY66zsUk="
    },
    {
      "type": "dns",
      "tag": "dns"
    },
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    }
  ],
  "route": {
    "ip_rules": [
      {
        "port": 53,
        "action": "return"
      },
      {
        "geoip": "cn",
        "geosite": "cn",
        "action": "return"
      },
      {
        "action": "direct",
        "outbound": "wg"
      }
    ],
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns"
      },
      {
        "geoip": "cn",
        "geosite": "cn",
        "outbound": "direct"
      }
    ],
    "auto_detect_interface": true
  }
 }
 ```
--- a/docs/faq/fakeip.md
+++ b/docs/faq/fakeip.md
@@ -1,20 +0,0 @@
 # FakeIP
 FakeIP refers to a type of behavior in a program that simultaneously hijacks both DNS and connection requests. It
 responds to DNS requests with virtual results and restores mapping when accepting connections.
 #### Advantage
 * Retrieve the requested domain in places like IP routing (L3) where traffic detection is not possible to assist with routing.
 * Decrease an RTT on the first TCP request to a domain (the most common reason).
 #### Limitation
 * Its mechanism breaks applications that depend on returning correct remote addresses.
 * Only A and AAAA (IP) requests are supported, which may break applications that rely on other requests.
 #### Recommendation
 * Do not use if you do not need L3 routing.
 * If using tun, make sure FakeIP ranges is included in the tun's routes.
 * Enable `experimental.clash_api.store_fakeip` to persist FakeIP records, or use `dns.rules.rewrite_ttl` to avoid losing records after program restart in DNS cached environments.
--- a/docs/faq/fakeip.zh.md
+++ b/docs/faq/fakeip.zh.md
@@ -1,19 +0,0 @@
 # FakeIP
 FakeIP 是指同时劫持 DNS 和连接请求的程序中的一种行为。它通过虚拟结果响应 DNS 请求，在接受连接时恢复映射。
 #### 优点
 * 在像 L3 路由这样无法进行流量探测的地方检索所请求的域名，以协助路由。
 * 减少对一个域的第一个 TCP 请求的 RTT（这是最常见的原因）。
 #### 限制
 * 它的机制会破坏依赖于返回正确远程地址的应用程序。
 * 仅支持 A 和 AAAA（IP）请求，这可能会破坏依赖于其他请求的应用程序。
 #### 建议
 * 如果不需要 L3 路由，请勿使用。
 * 如果使用 tun，请确保 tun 路由中包含 FakeIP 地址范围。
 * 启用 `experimental.clash_api.store_fakeip` 以持久化 FakeIP 记录，或者使用 `dns.rules.rewrite_ttl` 避免程序重启后在 DNS 被缓存的环境中丢失记录。
--- a/docs/faq/index.md
+++ b/docs/faq/index.md
@@ -11,6 +11,12 @@ it doesn't fit, because it compromises performance or design clarity, or because
 If it bothers you that sing-box is missing feature X, please forgive us and investigate the features that sing-box does
 have. You might find that they compensate in interesting ways for the lack of X.
 #### Fake IP
 Fake IP (also called Fake DNS) is an invasive and imperfect DNS solution that breaks expected behavior, causes DNS leaks
 and makes many software unusable. It is recommended by some software that lacks DNS processing and caching, but sing-box
 does not need this.
 #### Naive outbound
 NaïveProxy's main function is chromium's network stack, and it makes no sense to implement only its transport protocol.
--- a/docs/faq/index.zh.md
+++ b/docs/faq/index.zh.md
@@ -9,6 +9,11 @@
 如果 sing-box 缺少功能 X 让您感到困扰，请原谅我们并调查 sing-box 确实有的功能。 您可能会发现它们以有趣的方式弥补了 X 的缺失。
 #### Fake IP
 Fake IP（也称 Fake DNS）是一种侵入性和不完善的 DNS 解决方案，它打破了预期的行为，导致 DNS 泄漏并使许多软件无法使用。
 一些缺乏 DNS 处理和缓存的软件推荐使用它，但 sing-box 不需要。
 #### Naive 出站
 NaïveProxy 的主要功能是 chromium 的网络栈，仅实现它的传输协议是舍本逐末的。
--- a/docs/faq/known-issues.md
+++ b/docs/faq/known-issues.md
@@ -9,6 +9,10 @@ the public internet.
 `auto-route` cannot automatically hijack DNS requests when Android's `Private DNS` enabled or `strict_route` disabled.
 ##### on Linux
 `auto-route` cannot automatically hijack DNS requests with `systemd-resolved` enabled and `strict_route` disabled.
 #### System proxy
 ##### on Linux
--- a/docs/faq/known-issues.zh.md
+++ b/docs/faq/known-issues.zh.md
@@ -8,6 +8,10 @@
 `auto-route` 无法自动劫持 DNS 请求如果 `私人 DNS` 开启或 `strict_route` 禁用。
 ##### Linux
 `auto-route` 无法自动劫持 DNS 请求如果 `systemd-resolved` 开启且 `strict_route` 禁用。
 #### 系统代理
 ##### Linux
--- a/docs/index.md
+++ b/docs/index.md
@@ -25,7 +25,4 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program. If not, see <http://www.gnu.org/licenses/>.
 In addition, no derivative work may use the name or imply association
 with this application without prior consent.
 ```
--- a/docs/index.zh.md
+++ b/docs/index.zh.md
@@ -25,7 +25,4 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program. If not, see <http://www.gnu.org/licenses/>.
 In addition, no derivative work may use the name or imply association
 with this application without prior consent.
 ```
--- a/docs/installation/clients/sfa.md
+++ b/docs/installation/clients/sfa.md
@@ -1,17 +0,0 @@
 # SFA
 Experimental Android client for sing-box.
 #### Requirements
 * Android 5.0+
 #### Download
 * [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
 #### Note
 * User Agent in remote profile request is `SFA/$version ($version_code; sing-box $sing_box_version)`
 * The working directory is located at `/sdcard/Android/data/io.nekohasekai.sfa/files` (External files directory)
 * Crash logs is located in `$working_directory/stderr.log`
--- a/docs/installation/clients/sfa.zh.md
+++ b/docs/installation/clients/sfa.zh.md
@@ -1,17 +0,0 @@
 # SFA
 实验性的 Android sing-box 客户端。
 #### 要求
 * Android 5.0+
 #### 下载
 * [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
 #### 注意事项
 * 远程配置文件请求中的 User Agent 为 `SFA/$version ($version_code; sing-box $sing_box_version)`
 * 工作目录位于 `/sdcard/Android/data/io.nekohasekai.sfa/files` (外部文件目录)
 * 崩溃日志位于 `$working_directory/stderr.log`
--- a/docs/installation/clients/sfi/index.md
+++ b/docs/installation/clients/sfi/index.md
@@ -1,6 +1,6 @@
 # SFI
-Experimental iOS client for sing-box.
+Experimental official iOS client for sing-box.
 #### Requirements
@@ -11,10 +11,9 @@ Experimental iOS client for sing-box.
 * [TestFlight](https://testflight.apple.com/join/c6ylui2j)
-#### Note
+#### Limit
-* User Agent in remote profile request is `SFA/$version ($version_code; sing-box $sing_box_version)`
+* `system` tun stack not working
 * Crash logs is located in `Settings` -> `View Service Log`
 #### Privacy policy
--- a/docs/installation/clients/sfi/index.zh.md
+++ b/docs/installation/clients/sfi/index.zh.md
@@ -1,6 +1,6 @@
 # SFI
-实验性的 iOS sing-box 客户端。
+实验性的官方 iOS sing-box 客户端。
 #### 要求
@@ -11,10 +11,9 @@
 * [TestFlight](https://testflight.apple.com/join/c6ylui2j)
-#### 注意事项
+#### 限制
-* 远程配置文件请求中的 User Agent 为 `SFI/$version ($version_code; sing-box $sing_box_version)`
+* `system` tun stack 不工作
 * 崩溃日志位于 `设置` -> `查看服务日志`
 #### 隐私政策
--- a/experimental/clashapi/api_meta.go
+++ b/experimental/clashapi/api_meta.go
@@ -1,78 +0,0 @@
 package clashapi
 import (
 	"bytes"
 	"net/http"
 	"time"
 	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
 	"github.com/sagernet/websocket"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/render"
 )
 // API created by Clash.Meta
 func (s *Server) setupMetaAPI(r chi.Router) {
 	r.Get("/memory", memory(s.trafficManager))
 	r.Mount("/group", groupRouter(s))
 }
 type Memory struct {
 	Inuse   uint64 `json:"inuse"`
 	OSLimit uint64 `json:"oslimit"` // maybe we need it in the future
 }
 func memory(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var wsConn *websocket.Conn
 		if websocket.IsWebSocketUpgrade(r) {
 			var err error
 			wsConn, err = upgrader.Upgrade(w, r, nil)
 			if err != nil {
 				return
 			}
 		}
 		if wsConn == nil {
 			w.Header().Set("Content-Type", "application/json")
 			render.Status(r, http.StatusOK)
 		}
 		tick := time.NewTicker(time.Second)
 		defer tick.Stop()
 		buf := &bytes.Buffer{}
 		var err error
 		first := true
 		for range tick.C {
 			buf.Reset()
 			inuse := trafficManager.Snapshot().Memory
 			// make chat.js begin with zero
 			// this is shit var,but we need output 0 for first time
 			if first {
 				first = false
 				inuse = 0
 			}
 			if err := json.NewEncoder(buf).Encode(Memory{
 				Inuse:   inuse,
 				OSLimit: 0,
 			}); err != nil {
 				break
 			}
 			if wsConn == nil {
 				_, err = w.Write(buf.Bytes())
 				w.(http.Flusher).Flush()
 			} else {
 				err = wsConn.WriteMessage(websocket.TextMessage, buf.Bytes())
 			}
 			if err != nil {
 				break
 			}
 		}
 	}
 }
--- a/experimental/clashapi/api_meta_group.go
+++ b/experimental/clashapi/api_meta_group.go
@@ -1,136 +0,0 @@
 package clashapi
 import (
 	"context"
 	"net/http"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/badjson"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/outbound"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/batch"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/render"
 )
 func groupRouter(server *Server) http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", getGroups(server))
 	r.Route("/{name}", func(r chi.Router) {
 		r.Use(parseProxyName, findProxyByName(server.router))
 		r.Get("/", getGroup(server))
 		r.Get("/delay", getGroupDelay(server))
 	})
 	return r
 }
 func getGroups(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		groups := common.Map(common.Filter(server.router.Outbounds(), func(it adapter.Outbound) bool {
 			_, isGroup := it.(adapter.OutboundGroup)
 			return isGroup
 		}), func(it adapter.Outbound) *badjson.JSONObject {
 			return proxyInfo(server, it)
 		})
 		render.JSON(w, r, render.M{
 			"proxies": groups,
 		})
 	}
 }
 func getGroup(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		proxy := r.Context().Value(CtxKeyProxy).(adapter.Outbound)
 		if _, ok := proxy.(adapter.OutboundGroup); ok {
 			render.JSON(w, r, proxyInfo(server, proxy))
 			return
 		}
 		render.Status(r, http.StatusNotFound)
 		render.JSON(w, r, ErrNotFound)
 	}
 }
 func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		proxy := r.Context().Value(CtxKeyProxy).(adapter.Outbound)
 		group, ok := proxy.(adapter.OutboundGroup)
 		if !ok {
 			render.Status(r, http.StatusNotFound)
 			render.JSON(w, r, ErrNotFound)
 			return
 		}
 		query := r.URL.Query()
 		url := query.Get("url")
 		if strings.HasPrefix(url, "http://") {
 			url = ""
 		}
 		timeout, err := strconv.ParseInt(query.Get("timeout"), 10, 32)
 		if err != nil {
 			render.Status(r, http.StatusBadRequest)
 			render.JSON(w, r, ErrBadRequest)
 			return
 		}
 		ctx, cancel := context.WithTimeout(r.Context(), time.Millisecond*time.Duration(timeout))
 		defer cancel()
 		var result map[string]uint16
 		if urlTestGroup, isURLTestGroup := group.(adapter.URLTestGroup); isURLTestGroup {
 			result, err = urlTestGroup.URLTest(ctx, url)
 		} else {
 			outbounds := common.FilterNotNil(common.Map(group.All(), func(it string) adapter.Outbound {
 				itOutbound, _ := server.router.Outbound(it)
 				return itOutbound
 			}))
 			b, _ := batch.New(ctx, batch.WithConcurrencyNum[any](10))
 			checked := make(map[string]bool)
 			result = make(map[string]uint16)
 			var resultAccess sync.Mutex
 			for _, detour := range outbounds {
 				tag := detour.Tag()
 				realTag := outbound.RealTag(detour)
 				if checked[realTag] {
 					continue
 				}
 				checked[realTag] = true
 				p, loaded := server.router.Outbound(realTag)
 				if !loaded {
 					continue
 				}
 				b.Go(realTag, func() (any, error) {
 					t, err := urltest.URLTest(ctx, url, p)
 					if err != nil {
 						server.logger.Debug("outbound ", tag, " unavailable: ", err)
 						server.urlTestHistory.DeleteURLTestHistory(realTag)
 					} else {
 						server.logger.Debug("outbound ", tag, " available: ", t, "ms")
 						server.urlTestHistory.StoreURLTestHistory(realTag, &urltest.History{
 							Time:  time.Now(),
 							Delay: t,
 						})
 						resultAccess.Lock()
 						result[tag] = t
 						resultAccess.Unlock()
 					}
 					return nil, nil
 				})
 			}
 			b.Wait()
 		}
 		if err != nil {
 			render.Status(r, http.StatusGatewayTimeout)
 			render.JSON(w, r, newError(err.Error()))
 			return
 		}
 		render.JSON(w, r, result)
 	}
 }
--- a/experimental/clashapi/cache.go
+++ b/experimental/clashapi/cache.go
@@ -3,28 +3,21 @@ package clashapi
 import (
 	"net/http"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/render"
 )
-func cacheRouter(router adapter.Router) http.Handler {
+func cacheRouter() http.Handler {
 	r := chi.NewRouter()
-	r.Post("/fakeip/flush", flushFakeip(router))
+	r.Post("/fakeip/flush", flushFakeip)
 	return r
 }
-func flushFakeip(router adapter.Router) func(w http.ResponseWriter, r *http.Request) {
+func flushFakeip(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
+	/*if err := cachefile.Cache().FlushFakeip(); err != nil {
-		if cacheFile := router.ClashServer().CacheFile(); cacheFile != nil {
+		render.Status(r, http.StatusInternalServerError)
-			err := cacheFile.FakeIPReset()
+		render.JSON(w, r, newError(err.Error()))
-			if err != nil {
+		return
-				render.Status(r, http.StatusInternalServerError)
+	}*/
-				render.JSON(w, r, newError(err.Error()))
+	render.NoContent(w, r)
 				return
 			}
 		}
 		render.NoContent(w, r)
 	}
 }
--- a/experimental/clashapi/cachefile/fakeip.go
+++ b/experimental/clashapi/cachefile/fakeip.go
@@ -1,77 +0,0 @@
 package cachefile
 import (
 	"net/netip"
 	"os"
 	"github.com/sagernet/sing-box/adapter"
 	"go.etcd.io/bbolt"
 )
 var (
 	bucketFakeIP = []byte("fakeip")
 	keyMetadata  = []byte("metadata")
 )
 func (c *CacheFile) FakeIPMetadata() *adapter.FakeIPMetadata {
 	var metadata adapter.FakeIPMetadata
 	err := c.DB.View(func(tx *bbolt.Tx) error {
 		bucket := tx.Bucket(bucketFakeIP)
 		if bucket == nil {
 			return nil
 		}
 		metadataBinary := bucket.Get(keyMetadata)
 		if len(metadataBinary) == 0 {
 			return os.ErrInvalid
 		}
 		return metadata.UnmarshalBinary(metadataBinary)
 	})
 	if err != nil {
 		return nil
 	}
 	return &metadata
 }
 func (c *CacheFile) FakeIPSaveMetadata(metadata *adapter.FakeIPMetadata) error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket, err := tx.CreateBucketIfNotExists(bucketFakeIP)
 		if err != nil {
 			return err
 		}
 		metadataBinary, err := metadata.MarshalBinary()
 		if err != nil {
 			return err
 		}
 		return bucket.Put(keyMetadata, metadataBinary)
 	})
 }
 func (c *CacheFile) FakeIPStore(address netip.Addr, domain string) error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket, err := tx.CreateBucketIfNotExists(bucketFakeIP)
 		if err != nil {
 			return err
 		}
 		return bucket.Put(address.AsSlice(), []byte(domain))
 	})
 }
 func (c *CacheFile) FakeIPLoad(address netip.Addr) (string, bool) {
 	var domain string
 	_ = c.DB.View(func(tx *bbolt.Tx) error {
 		bucket := tx.Bucket(bucketFakeIP)
 		if bucket == nil {
 			return nil
 		}
 		domain = string(bucket.Get(address.AsSlice()))
 		return nil
 	})
 	return domain, domain != ""
 }
 func (c *CacheFile) FakeIPReset() error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		return tx.DeleteBucket(bucketFakeIP)
 	})
 }
--- a/experimental/clashapi/proxies.go
+++ b/experimental/clashapi/proxies.go
@@ -6,7 +6,6 @@ import (
 	"net/http"
 	"sort"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
@@ -215,9 +214,6 @@ func getProxyDelay(server *Server) func(w http.ResponseWriter, r *http.Request)
 	return func(w http.ResponseWriter, r *http.Request) {
 		query := r.URL.Query()
 		url := query.Get("url")
 		if strings.HasPrefix(url, "http://") {
 			url = ""
 		}
 		timeout, err := strconv.ParseInt(query.Get("timeout"), 10, 16)
 		if err != nil {
 			render.Status(r, http.StatusBadRequest)
--- a/Show More
+++ b/Show More
`@@ -1,4 +1,4 @@`
	`//go:build !go1.19 \|\| go1.21`	`//go:build !go1.19 \|\| go1.20`

	`package badtls`	`package badtls`