Fix payload not return to pool

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,70 +1,77 @@
-name: Bug Report
-description: "Create a report to help us improve."
+name: Bug report
+description: "Report sing-box bug"
 body:
-  - type: checkboxes
-    id: terms
+  - type: dropdown
     attributes:
-      label: Welcome
+      label: Operating system
+      description: Operating system type
       options:
-        - label: Yes, I'm using the latest major release. Only such installations are supported.
-          required: true
-        - label: Yes, I'm using the latest Golang release. Only such installations are supported.
-          required: true
-        - label: Yes, I've searched similar issues on GitHub and didn't find any.
-          required: true
-        - label: Yes, I've included all information below (version, **FULL** config, **FULL** log, etc).
-          required: true
-
-  - type: textarea
-    id: problem
-    attributes:
-      label: Description of the problem
-      placeholder: Your problem description
+        - iOS
+        - macOS
+        - Apple tvOS
+        - Android
+        - Windows
+        - Linux
+        - Others
     validations:
       required: true
-
-  - type: textarea
-    id: version
+  - type: input
     attributes:
-      label: Version of sing-box
+      label: System version
+      description: Please provide the operating system version
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Installation type
+      description: Please provide the sing-box installation type
+      options:
+        - Original sing-box Command Line
+        - sing-box for iOS Graphical Client
+        - sing-box for macOS Graphical Client
+        - sing-box for Apple tvOS Graphical Client
+        - sing-box for Android Graphical Client
+        - Third-party graphical clients that advertise themselves as using sing-box (Windows)
+        - Third-party graphical clients that advertise themselves as using sing-box (Android)
+        - Others
+    validations:
+      required: true
+  - type: input
+    attributes:
+      description: Graphical client version
+      label: If you are using a graphical client, please provide the version of the client.
+  - type: textarea
+    attributes:
+      label: Version
+      description: If you are using the original command line program, please provide the output of the `sing-box version` command.
       value: |-
         <details>
-
         ```console
-        $ sing-box version
-        # Paste output here
+        # Replace this line with the output
         ```
-
         </details>
+  - type: textarea
+    attributes:
+      label: Description
+      description: Please provide a detailed description of the error.
     validations:
       required: true
-
   - type: textarea
-    id: config
     attributes:
-      label: Server and client configuration file
+      label: Reproduction
+      description: Please provide the steps to reproduce the error, including the configuration files and procedures that can locally (not dependent on the remote server) reproduce the error using the original command line program of sing-box.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Logs
+      description: |-
+        If you encounter a crash with the graphical client, please provide crash logs.
+        For Apple platform clients, please check `Settings - View Service Log` for crash logs.
+        For the Android client, please check the `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` file for crash logs.
       value: |-
         <details>
-
         ```console
-        # paste json here
+        # Replace this line with logs
         ```
-
-        </details>
-    validations:
-      required: true
-
-  - type: textarea
-    id: log
-    attributes:
-      label: Server and client log file
-      value: |-
-        <details>
-
-        ```console
-        # paste log here
-        ```
-
-        </details>
-    validations:
-      required: true
+        </details>

.github/ISSUE_TEMPLATE/bug_report_zh.yml

@@ -0,0 +1,77 @@
+name: 错误反馈
+description: "提交 sing-box 漏洞"
+body:
+  - type: dropdown
+    attributes:
+      label: 操作系统
+      description: 请提供操作系统类型
+      options:
+        - iOS
+        - macOS
+        - Apple tvOS
+        - Android
+        - Windows
+        - Linux
+        - 其他
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: 系统版本
+      description: 请提供操作系统版本
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: 安装类型
+      description: 请提供该 sing-box 安装类型
+      options:
+        - sing-box 原始命令行程序
+        - sing-box for iOS 图形客户端程序
+        - sing-box for macOS 图形客户端程序
+        - sing-box for Apple tvOS 图形客户端程序
+        - sing-box for Android 图形客户端程序
+        - 宣传使用 sing-box 的第三方图形客户端程序 (Windows)
+        - 宣传使用 sing-box 的第三方图形客户端程序 (Android)
+        - 其他
+    validations:
+      required: true
+  - type: input
+    attributes:
+      description: 图形客户端版本
+      label: 如果您使用图形客户端程序，请提供该程序版本。
+  - type: textarea
+    attributes:
+      label: 版本
+      description: 如果您使用原始命令行程序，请提供 `sing-box version` 命令的输出。
+      value: |-
+        <details>
+        ```console
+        # 使用输出内容覆盖此行
+        ```
+        </details>
+  - type: textarea
+    attributes:
+      label: 描述
+      description: 请提供错误的详细描述。
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: 重现方式
+      description: 请提供重现错误的步骤，必须包括可以在本地（不依赖与远程服务器）使用 sing-box 原始命令行程序重现错误的配置文件与流程。
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: 日志
+      description: |-
+        如果您遭遇图形界面应用程序崩溃，请提供崩溃日志。
+        对于 Apple 平台图形客户端程序，请检查 `Settings - View Service Log` 以导出崩溃日志。
+        对于 Android 图形客户端程序，请检查 `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` 文件以导出崩溃日志。
+      value: |-
+        <details>
+        ```console
+        # 使用日志内容覆盖此行
+        ```
+        </details>

.github/workflows/debug.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -48,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -62,7 +62,27 @@ jobs:
             ~/go/pkg/mod
           key: go118-${{ hashFiles('**/go.sum') }}
       - name: Run Test
-        run: make
+        run: make ci_build_go118
+  build_go120:
+    name: Debug build (Go 1.20)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.20.7
+      - name: Cache go module
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+          key: go118-${{ hashFiles('**/go.sum') }}
+      - name: Run Test
+        run: make ci_build
   cross:
     strategy:
       matrix:
@@ -179,7 +199,7 @@ jobs:
       TAGS: with_clash_api,with_quic
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Get latest go version

.github/workflows/docker.yml

@@ -9,20 +9,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Setup QEMU for Docker Buildx
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Docker metadata
         id: metadata
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ghcr.io/sagernet/sing-box
       - name: Get tag to build
@@ -35,7 +35,7 @@ jobs:
             echo "versioned=ghcr.io/sagernet/sing-box:${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
           fi
       - name: Build and release Docker images
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
           target: dist

.github/workflows/lint.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Get latest go version

.github/workflows/mkdocs.yml

@@ -1,20 +0,0 @@
-name: Generate Documents
-on:
-  push:
-    branches:
-      - dev
-    paths:
-      - docs/**
-      - .github/workflows/mkdocs.yml
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
-        with:
-          python-version: 3.x
-      - run: |
-          pip install mkdocs-material=="9.*" mkdocs-static-i18n=="0.53"
-      - run: |
-          mkdocs gh-deploy -m "{sha}" --force --ignore-version --no-history

.github/workflows/stale.yml

@@ -8,7 +8,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v7
+      - uses: actions/stale@v8
         with:
           stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
           days-before-stale: 60

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20-alpine AS builder
+FROM golang:1.21-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box

Makefile

@@ -1,20 +1,31 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
+TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
+TAGS_GO120 = with_quic
+TAGS ?= $(TAGS_GO118),$(TAGS_GO120)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run ./cmd/internal/read_tag)
 
-PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
+MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
 
 .PHONY: test release
 
 build:
+	go build $(MAIN_PARAMS) $(MAIN)
+
+ci_build_go118:
 	go build $(PARAMS) $(MAIN)
+	go build $(PARAMS) -tags "$(TAGS_GO118)" $(MAIN)
+
+ci_build:
+	go build $(PARAMS) $(MAIN)
+	go build $(MAIN_PARAMS) $(MAIN)
 
 install:
 	go build -o $(PREFIX)/bin/$(NAME) $(PARAMS) $(MAIN)
@@ -47,24 +58,102 @@ proto_install:
 	go install -v google.golang.org/protobuf/cmd/protoc-gen-go@latest
 	go install -v google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
 
-snapshot:
-	go run ./cmd/internal/build goreleaser release --clean --snapshot || exit 1
-	mkdir dist/release
-	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
-	ghr --delete --draft --prerelease -p 1 nightly dist/release
-	rm -r dist
-
 release:
 	go run ./cmd/internal/build goreleaser release --clean --skip-publish || exit 1
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
-	ghr --delete --draft --prerelease -p 3 $(shell git describe --tags) dist/release
+	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
 	rm -r dist
 
 release_install:
 	go install -v github.com/goreleaser/goreleaser@latest
 	go install -v github.com/tcnksm/ghr@latest
 
+update_android_version:
+	go run ./cmd/internal/update_android_version
+
+build_android:
+	cd ../sing-box-for-android && ./gradlew :app:assembleRelease && ./gradlew --stop
+
+upload_android:
+	mkdir -p dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/release/*.apk dist/release_android
+	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
+	rm -rf dist/release_android
+
+release_android: lib_android update_android_version build_android upload_android
+
+publish_android:
+	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadRelease && ./gradlew --stop
+
+build_ios:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFI.xcarchive && \
+	xcodebuild archive -scheme SFI -configuration Release -archivePath build/SFI.xcarchive
+
+upload_ios_app_store:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist
+
+release_ios: build_ios upload_ios_app_store
+
+build_macos:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFM.xcarchive && \
+	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive
+
+upload_macos_app_store:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist
+
+release_macos: build_macos upload_macos_app_store
+
+build_macos_independent:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFT.System.xcarchive && \
+	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive
+
+notarize_macos_independent:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist
+
+wait_notarize_macos_independent:
+	sleep 60
+
+export_macos_independent:
+	rm -rf dist/SFM
+	mkdir -p dist/SFM
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportNotarizedApp -archivePath build/SFM.System.xcarchive -exportPath "../sing-box/dist/SFM"
+
+upload_macos_independent:
+	cd dist/SFM && \
+	rm -f *.zip && \
+	zip -ry "SFM-${VERSION}-universal.zip" SFM.app && \
+	ghr --replace --draft --prerelease "v${VERSION}" *.zip
+
+release_macos_independent: build_macos_independent notarize_macos_independent wait_notarize_macos_independent export_macos_independent upload_macos_independent
+
+build_tvos:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFT.xcarchive && \
+	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive
+
+upload_tvos_app_store:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist
+
+release_tvos: build_tvos upload_tvos_app_store
+
+update_apple_version:
+	go run ./cmd/internal/update_apple_version
+
+release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
+	rm -rf dist
+
+release_apple_beta: update_apple_version release_ios release_macos release_tvos
+	rm -rf dist
+
 test:
 	@go test -v ./... && \
 	cd test && \
@@ -77,10 +166,10 @@ test_stdio:
 	go mod tidy && \
 	go test -v -tags "$(TAGS_TEST),force_stdio" .
 
-android:
+lib_android:
 	go run ./cmd/internal/build_libbox -target android
 
-ios:
+lib_ios:
 	go run ./cmd/internal/build_libbox -target ios
 
 lib:
@@ -89,8 +178,8 @@ lib:
 
 lib_install:
 	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230701084532-493ee2e45182
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230701084532-493ee2e45182
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230915142329-c6740b6d2950
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230915142329-c6740b6d2950
 
 clean:
 	rm -rf bin dist sing-box

adapter/experimental.go

@@ -12,6 +12,7 @@ type ClashServer interface {
 	Service
 	PreStarter
 	Mode() string
+	ModeList() []string
 	StoreSelected() bool
 	StoreFakeIP() bool
 	CacheFile() ClashCacheFile
@@ -21,8 +22,12 @@ type ClashServer interface {
 }
 
 type ClashCacheFile interface {
+	LoadMode() string
+	StoreMode(mode string) error
 	LoadSelected(group string) string
 	StoreSelected(group string, selected string) error
+	LoadGroupExpand(group string) (isExpand bool, loaded bool)
+	StoreGroupExpand(group string, expand bool) error
 	FakeIPStorage
 }
 

adapter/fakeip.go

@@ -10,7 +10,7 @@ import (
 type FakeIPStore interface {
 	Service
 	Contains(address netip.Addr) bool
-	Create(domain string, strategy dns.DomainStrategy) (netip.Addr, error)
+	Create(domain string, isIPv6 bool) (netip.Addr, error)
 	Lookup(address netip.Addr) (string, bool)
 	Reset() error
 }
@@ -18,9 +18,11 @@ type FakeIPStore interface {
 type FakeIPStorage interface {
 	FakeIPMetadata() *FakeIPMetadata
 	FakeIPSaveMetadata(metadata *FakeIPMetadata) error
+	FakeIPSaveMetadataAsync(metadata *FakeIPMetadata)
 	FakeIPStore(address netip.Addr, domain string) error
 	FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger)
 	FakeIPLoad(address netip.Addr) (string, bool)
+	FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bool)
 	FakeIPReset() error
 }
 

adapter/router.go

@@ -32,6 +32,7 @@ type Router interface {
 	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
 	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
+	ClearDNSCache()
 
 	InterfaceFinder() control.InterfaceFinder
 	UpdateInterfaces() error
@@ -85,5 +86,5 @@ type DNSRule interface {
 }
 
 type InterfaceUpdateListener interface {
-	InterfaceUpdated() error
+	InterfaceUpdated()
 }

box.go

@@ -19,6 +19,7 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/service/pause"
 )
 
 var _ adapter.Service = (*Box)(nil)
@@ -46,12 +47,13 @@ func New(options Options) (*Box, error) {
 	if ctx == nil {
 		ctx = context.Background()
 	}
+	ctx = pause.ContextWithDefaultManager(ctx)
 	createdAt := time.Now()
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needClashAPI bool
 	var needV2RayAPI bool
-	if experimentalOptions.ClashAPI != nil && experimentalOptions.ClashAPI.ExternalController != "" {
+	if experimentalOptions.ClashAPI != nil || options.PlatformInterface != nil {
 		needClashAPI = true
 	}
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
@@ -143,7 +145,9 @@ func New(options Options) (*Box, error) {
 	preServices := make(map[string]adapter.Service)
 	postServices := make(map[string]adapter.Service)
 	if needClashAPI {
-		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), common.PtrValueOrDefault(options.Experimental.ClashAPI))
+		clashAPIOptions := common.PtrValueOrDefault(experimentalOptions.ClashAPI)
+		clashAPIOptions.ModeList = experimental.CalculateClashModeList(options.Options)
+		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), clashAPIOptions)
 		if err != nil {
 			return nil, E.Cause(err, "create clash api server")
 		}
@@ -151,7 +155,7 @@ func New(options Options) (*Box, error) {
 		preServices["clash api"] = clashServer
 	}
 	if needV2RayAPI {
-		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(options.Experimental.V2RayAPI))
+		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(experimentalOptions.V2RayAPI))
 		if err != nil {
 			return nil, E.Cause(err, "create v2ray api server")
 		}

cmd/internal/build_libbox/main.go

@@ -107,7 +107,7 @@ func buildiOS() {
 	args := []string{
 		"bind",
 		"-v",
-		"-target", "ios,iossimulator,macos",
+		"-target", "ios,iossimulator,tvos,tvossimulator,macos",
 		"-libname=box",
 	}
 	if !debugEnabled {

cmd/internal/build_shared/tag.go

@@ -1,6 +1,10 @@
 package build_shared
 
-import "github.com/sagernet/sing/common/shell"
+import (
+	"github.com/sagernet/sing-box/common/badversion"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/shell"
+)
 
 func ReadTag() (string, error) {
 	currentTag, err := shell.Exec("git", "describe", "--tags").ReadOutput()
@@ -12,5 +16,21 @@ func ReadTag() (string, error) {
 		return currentTag[1:], nil
 	}
 	shortCommit, _ := shell.Exec("git", "rev-parse", "--short", "HEAD").ReadOutput()
-	return currentTagRev[1:] + "-" + shortCommit, nil
+	version := badversion.Parse(currentTagRev[1:])
+	if version.PreReleaseIdentifier == "" {
+		version.Patch++
+	}
+	return version.String() + "-" + shortCommit, nil
+}
+
+func ReadTagVersion() (badversion.Version, error) {
+	currentTag := common.Must1(shell.Exec("git", "describe", "--tags").ReadOutput())
+	currentTagRev := common.Must1(shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput())
+	version := badversion.Parse(currentTagRev[1:])
+	if currentTagRev != currentTag {
+		if version.PreReleaseIdentifier == "" {
+			version.Patch++
+		}
+	}
+	return version, nil
 }

cmd/internal/update_android_version/main.go

@@ -0,0 +1,51 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/sagernet/sing-box/cmd/internal/build_shared"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+)
+
+func main() {
+	newVersion := common.Must1(build_shared.ReadTagVersion())
+	androidPath, err := filepath.Abs("../sing-box-for-android")
+	if err != nil {
+		log.Fatal(err)
+	}
+	common.Must(os.Chdir(androidPath))
+	localProps := common.Must1(os.ReadFile("local.properties"))
+	var propsList [][]string
+	for _, propLine := range strings.Split(string(localProps), "\n") {
+		propsList = append(propsList, strings.Split(propLine, "="))
+	}
+	for _, propPair := range propsList {
+		if propPair[0] == "VERSION_NAME" {
+			if propPair[1] == newVersion.String() {
+				log.Info("version not changed")
+				return
+			}
+			propPair[1] = newVersion.String()
+			log.Info("updated version to ", newVersion.String())
+		}
+	}
+	for _, propPair := range propsList {
+		switch propPair[0] {
+		case "VERSION_CODE":
+			versionCode := common.Must1(strconv.ParseInt(propPair[1], 10, 64))
+			propPair[1] = strconv.Itoa(int(versionCode + 1))
+			log.Info("updated version code to ", propPair[1])
+		case "RELEASE_NOTES":
+			propPair[1] = "sing-box " + newVersion.String()
+		}
+	}
+	var newProps []string
+	for _, propPair := range propsList {
+		newProps = append(newProps, strings.Join(propPair, "="))
+	}
+	common.Must(os.WriteFile("local.properties", []byte(strings.Join(newProps, "\n")), 0o644))
+}

cmd/internal/update_apple_version/main.go

@@ -0,0 +1,80 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/sagernet/sing-box/cmd/internal/build_shared"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+
+	"howett.net/plist"
+)
+
+func main() {
+	newVersion := common.Must1(build_shared.ReadTagVersion())
+	applePath, err := filepath.Abs("../sing-box-for-apple")
+	if err != nil {
+		log.Fatal(err)
+	}
+	common.Must(os.Chdir(applePath))
+	projectFile := common.Must1(os.Open("sing-box.xcodeproj/project.pbxproj"))
+	var project map[string]any
+	decoder := plist.NewDecoder(projectFile)
+	common.Must(decoder.Decode(&project))
+	objectsMap := project["objects"].(map[string]any)
+	projectContent := string(common.Must1(os.ReadFile("sing-box.xcodeproj/project.pbxproj")))
+	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
+	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
+	if updated0 || updated1 {
+		log.Info("updated version to ", newVersion.VersionString())
+		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj.bak", []byte(projectContent), 0o644))
+		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj", []byte(newContent), 0o644))
+	} else {
+		log.Info("version not changed")
+	}
+}
+
+func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDList []string, newVersion string) (string, bool) {
+	objectKeyList := findObjectKey(objectsMap, bundleIDList)
+	var updated bool
+	for _, objectKey := range objectKeyList {
+		matchRegexp := common.Must1(regexp.Compile(objectKey + ".*= \\{"))
+		indexes := matchRegexp.FindStringIndex(projectContent)
+		if len(indexes) < 2 {
+			println(projectContent)
+			log.Fatal("failed to find object key ", objectKey, ": ", strings.Index(projectContent, objectKey))
+		}
+		indexStart := indexes[1]
+		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
+		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "MARKETING_VERSION = ") + 20
+		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
+		version := projectContent[versionStart:versionEnd]
+		if version == newVersion {
+			continue
+		}
+		updated = true
+		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
+	}
+	return projectContent, updated
+}
+
+func findObjectKey(objectsMap map[string]any, bundleIDList []string) []string {
+	var objectKeyList []string
+	for objectKey, object := range objectsMap {
+		buildSettings := object.(map[string]any)["buildSettings"]
+		if buildSettings == nil {
+			continue
+		}
+		bundleIDObject := buildSettings.(map[string]any)["PRODUCT_BUNDLE_IDENTIFIER"]
+		if bundleIDObject == nil {
+			continue
+		}
+		if common.Contains(bundleIDList, bundleIDObject.(string)) {
+			objectKeyList = append(objectKeyList, objectKey)
+		}
+	}
+	return objectKeyList
+}

cmd/sing-box/cmd_run.go

@@ -143,14 +143,16 @@ func create() (*box.Box, context.CancelFunc, error) {
 		signal.Stop(osSignals)
 		close(osSignals)
 	}()
-
+	startCtx, finishStart := context.WithCancel(context.Background())
 	go func() {
 		_, loaded := <-osSignals
 		if loaded {
 			cancel()
+			closeMonitor(startCtx)
 		}
 	}()
 	err = instance.Start()
+	finishStart()
 	if err != nil {
 		cancel()
 		return nil, nil, E.Cause(err, "start service")

common/baderror/baderror.go

@@ -1,62 +0,0 @@
-package baderror
-
-import (
-	"context"
-	"io"
-	"net"
-	"strings"
-
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-func Contains(err error, msgList ...string) bool {
-	for _, msg := range msgList {
-		if strings.Contains(err.Error(), msg) {
-			return true
-		}
-	}
-	return false
-}
-
-func WrapH2(err error) error {
-	if err == nil {
-		return nil
-	}
-	err = E.Unwrap(err)
-	if err == io.ErrUnexpectedEOF {
-		return io.EOF
-	}
-	if Contains(err, "client disconnected", "body closed by handler", "response body closed", "; CANCEL") {
-		return net.ErrClosed
-	}
-	return err
-}
-
-func WrapGRPC(err error) error {
-	// grpc uses stupid internal error types
-	if err == nil {
-		return nil
-	}
-	if Contains(err, "EOF") {
-		return io.EOF
-	}
-	if Contains(err, "Canceled") {
-		return context.Canceled
-	}
-	if Contains(err,
-		"the client connection is closing",
-		"server closed the stream without sending trailers") {
-		return net.ErrClosed
-	}
-	return err
-}
-
-func WrapQUIC(err error) error {
-	if err == nil {
-		return nil
-	}
-	if Contains(err, "canceled with error code 0") {
-		return net.ErrClosed
-	}
-	return err
-}

common/badtls/badtls_stub.go

@@ -5,8 +5,10 @@ package badtls
 import (
 	"crypto/tls"
 	"os"
+
+	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func Create(conn *tls.Conn) (TLSConn, error) {
+func Create(conn *tls.Conn) (aTLS.Conn, error) {
 	return nil, os.ErrInvalid
 }

common/badversion/version.go

@@ -11,6 +11,7 @@ type Version struct {
 	Major                int
 	Minor                int
 	Patch                int
+	Commit               string
 	PreReleaseIdentifier string
 	PreReleaseVersion    int
 }
@@ -37,20 +38,29 @@ func (v Version) After(anotherVersion Version) bool {
 		return false
 	}
 	if v.PreReleaseIdentifier != "" && anotherVersion.PreReleaseIdentifier != "" {
-		if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
+		if v.PreReleaseIdentifier == anotherVersion.PreReleaseIdentifier {
+			if v.PreReleaseVersion > anotherVersion.PreReleaseVersion {
+				return true
+			} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
+				return false
+			}
+		} else if v.PreReleaseIdentifier == "rc" && anotherVersion.PreReleaseIdentifier == "beta" {
+			return true
+		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "rc" {
+			return false
+		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
 			return true
 		} else if v.PreReleaseIdentifier == "alpha" && anotherVersion.PreReleaseIdentifier == "beta" {
 			return false
 		}
-		if v.PreReleaseVersion > anotherVersion.PreReleaseVersion {
-			return true
-		} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
-			return false
-		}
 	}
 	return false
 }
 
+func (v Version) VersionString() string {
+	return F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
+}
+
 func (v Version) String() string {
 	version := F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
 	if v.PreReleaseIdentifier != "" {
@@ -95,7 +105,7 @@ func Parse(versionName string) (version Version) {
 				version.PreReleaseIdentifier = "beta"
 				version.PreReleaseVersion, _ = strconv.Atoi(identifier[4:])
 			} else {
-				version.PreReleaseIdentifier = identifier
+				version.Commit = identifier
 			}
 		}
 	}

common/conntrack/conn.go

@@ -17,7 +17,7 @@ func NewConn(conn net.Conn) (net.Conn, error) {
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := killerCheck()
+		err := KillerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err

common/conntrack/killer.go

@@ -1,20 +1,20 @@
 package conntrack
 
 import (
-	"runtime"
 	runtimeDebug "runtime/debug"
 	"time"
 
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/memory"
 )
 
 var (
 	KillerEnabled   bool
-	MemoryLimit     int64
+	MemoryLimit     uint64
 	killerLastCheck time.Time
 )
 
-func killerCheck() error {
+func KillerCheck() error {
 	if !KillerEnabled {
 		return nil
 	}
@@ -23,10 +23,7 @@ func killerCheck() error {
 		return nil
 	}
 	killerLastCheck = nowTime
-	var memStats runtime.MemStats
-	runtime.ReadMemStats(&memStats)
-	inuseMemory := int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
-	if inuseMemory > MemoryLimit {
+	if memory.Total() > MemoryLimit {
 		Close()
 		go func() {
 			time.Sleep(time.Second)

common/conntrack/packet_conn.go

@@ -18,7 +18,7 @@ func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := killerCheck()
+		err := KillerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err

common/dialer/default.go

@@ -6,19 +6,18 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/tfo-go"
 )
 
 type DefaultDialer struct {
-	dialer4     tfo.Dialer
-	dialer6     tfo.Dialer
+	dialer4     tcpDialer
+	dialer6     tcpDialer
 	udpDialer4  net.Dialer
 	udpDialer6  net.Dialer
 	udpListener net.ListenConfig
@@ -26,7 +25,7 @@ type DefaultDialer struct {
 	udpAddr6    string
 }
 
-func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDialer {
+func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDialer, error) {
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
@@ -93,15 +92,29 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 		udpDialer6.LocalAddr = &net.UDPAddr{IP: bindAddr.AsSlice()}
 		udpAddr6 = M.SocksaddrFrom(bindAddr, 0).String()
 	}
+	if options.TCPMultiPath {
+		if !go121Available {
+			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
+		}
+		setMultiPathTCP(&dialer4)
+	}
+	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
+	if err != nil {
+		return nil, err
+	}
+	tcpDialer6, err := newTCPDialer(dialer6, options.TCPFastOpen)
+	if err != nil {
+		return nil, err
+	}
 	return &DefaultDialer{
-		tfo.Dialer{Dialer: dialer4, DisableTFO: !options.TCPFastOpen},
-		tfo.Dialer{Dialer: dialer6, DisableTFO: !options.TCPFastOpen},
+		tcpDialer4,
+		tcpDialer6,
 		udpDialer4,
 		udpDialer6,
 		listener,
 		udpAddr4,
 		udpAddr6,
-	}
+	}, nil
 }
 
 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {

common/dialer/default_go1.20.go

@@ -0,0 +1,15 @@
+//go:build go1.20
+
+package dialer
+
+import (
+	"net"
+
+	"github.com/sagernet/tfo-go"
+)
+
+type tcpDialer = tfo.Dialer
+
+func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
+	return tfo.Dialer{Dialer: dialer, DisableTFO: !tfoEnabled}, nil
+}

common/dialer/default_go1.21.go

@@ -0,0 +1,11 @@
+//go:build go1.21
+
+package dialer
+
+import "net"
+
+const go121Available = true
+
+func setMultiPathTCP(dialer *net.Dialer) {
+	dialer.SetMultipathTCP(true)
+}

common/dialer/default_nongo1.20.go

@@ -0,0 +1,18 @@
+//go:build !go1.20
+
+package dialer
+
+import (
+	"net"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type tcpDialer = net.Dialer
+
+func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
+	if tfoEnabled {
+		return dialer, E.New("TCP Fast Open requires go1.20, please recompile your binary.")
+	}
+	return dialer, nil
+}

common/dialer/default_nongo1.21.go

@@ -0,0 +1,12 @@
+//go:build !go1.21
+
+package dialer
+
+import (
+	"net"
+)
+
+const go121Available = false
+
+func setMultiPathTCP(dialer *net.Dialer) {
+}

common/dialer/dialer.go

@@ -6,13 +6,24 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
+	"github.com/sagernet/sing/common"
 	N "github.com/sagernet/sing/common/network"
 )
 
-func New(router adapter.Router, options option.DialerOptions) N.Dialer {
-	var dialer N.Dialer
+func MustNew(router adapter.Router, options option.DialerOptions) N.Dialer {
+	return common.Must1(New(router, options))
+}
+
+func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error) {
+	var (
+		dialer N.Dialer
+		err    error
+	)
 	if options.Detour == "" {
-		dialer = NewDefault(router, options)
+		dialer, err = NewDefault(router, options)
+		if err != nil {
+			return nil, err
+		}
 	} else {
 		dialer = NewDetour(router, options.Detour)
 	}
@@ -20,5 +31,5 @@ func New(router adapter.Router, options option.DialerOptions) N.Dialer {
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
 		dialer = NewResolveDialer(router, dialer, domainStrategy, time.Duration(options.FallbackDelay))
 	}
-	return dialer
+	return dialer, nil
 }

common/dialer/tfo.go

@@ -1,3 +1,5 @@
+//go:build go1.20
+
 package dialer
 
 import (
@@ -5,6 +7,7 @@ import (
 	"io"
 	"net"
 	"os"
+	"sync"
 	"time"
 
 	"github.com/sagernet/sing/common"
@@ -22,10 +25,11 @@ type slowOpenConn struct {
 	destination M.Socksaddr
 	conn        net.Conn
 	create      chan struct{}
+	access      sync.Mutex
 	err         error
 }
 
-func DialSlowContext(dialer *tfo.Dialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	if dialer.DisableTFO || N.NetworkName(network) != N.NetworkTCP {
 		switch N.NetworkName(network) {
 		case N.NetworkTCP, N.NetworkUDP:
@@ -58,15 +62,26 @@ func (c *slowOpenConn) Read(b []byte) (n int, err error) {
 }
 
 func (c *slowOpenConn) Write(b []byte) (n int, err error) {
-	if c.conn == nil {
-		c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
-		if err != nil {
-			c.err = E.Cause(err, "dial tcp fast open")
-		}
-		close(c.create)
-		return
+	if c.conn != nil {
+		return c.conn.Write(b)
 	}
-	return c.conn.Write(b)
+	c.access.Lock()
+	defer c.access.Unlock()
+	select {
+	case <-c.create:
+		if c.err != nil {
+			return 0, c.err
+		}
+		return c.conn.Write(b)
+	default:
+	}
+	c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
+	if err != nil {
+		c.conn = nil
+		c.err = E.Cause(err, "dial tcp fast open")
+	}
+	close(c.create)
+	return
 }
 
 func (c *slowOpenConn) Close() error {

common/dialer/tfo_stub.go

@@ -0,0 +1,20 @@
+//go:build !go1.20
+
+package dialer
+
+import (
+	"context"
+	"net"
+
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	switch N.NetworkName(network) {
+	case N.NetworkTCP, N.NetworkUDP:
+		return dialer.DialContext(ctx, network, destination.String())
+	default:
+		return dialer.DialContext(ctx, network, destination.AddrString())
+	}
+}

common/humanize/bytes.go

@@ -0,0 +1,158 @@
+package humanize
+
+import (
+	"fmt"
+	"math"
+	"strconv"
+	"strings"
+	"unicode"
+)
+
+// IEC Sizes.
+// kibis of bits
+const (
+	Byte = 1 << (iota * 10)
+	KiByte
+	MiByte
+	GiByte
+	TiByte
+	PiByte
+	EiByte
+)
+
+// SI Sizes.
+const (
+	IByte = 1
+	KByte = IByte * 1000
+	MByte = KByte * 1000
+	GByte = MByte * 1000
+	TByte = GByte * 1000
+	PByte = TByte * 1000
+	EByte = PByte * 1000
+)
+
+var defaultSizeTable = map[string]uint64{
+	"b":   Byte,
+	"kib": KiByte,
+	"kb":  KByte,
+	"mib": MiByte,
+	"mb":  MByte,
+	"gib": GiByte,
+	"gb":  GByte,
+	"tib": TiByte,
+	"tb":  TByte,
+	"pib": PiByte,
+	"pb":  PByte,
+	"eib": EiByte,
+	"eb":  EByte,
+	// Without suffix
+	"":   Byte,
+	"ki": KiByte,
+	"k":  KByte,
+	"mi": MiByte,
+	"m":  MByte,
+	"gi": GiByte,
+	"g":  GByte,
+	"ti": TiByte,
+	"t":  TByte,
+	"pi": PiByte,
+	"p":  PByte,
+	"ei": EiByte,
+	"e":  EByte,
+}
+
+var memorysSizeTable = map[string]uint64{
+	"b":  Byte,
+	"kb": KiByte,
+	"mb": MiByte,
+	"gb": GiByte,
+	"tb": TiByte,
+	"pb": PiByte,
+	"eb": EiByte,
+	"":   Byte,
+	"k":  KiByte,
+	"m":  MiByte,
+	"g":  GiByte,
+	"t":  TiByte,
+	"p":  PiByte,
+	"e":  EiByte,
+}
+
+var (
+	defaultSizes = []string{"B", "kB", "MB", "GB", "TB", "PB", "EB"}
+	iSizes       = []string{"B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"}
+)
+
+func Bytes(s uint64) string {
+	return humanateBytes(s, 1000, defaultSizes)
+}
+
+func MemoryBytes(s uint64) string {
+	return humanateBytes(s, 1024, defaultSizes)
+}
+
+func IBytes(s uint64) string {
+	return humanateBytes(s, 1024, iSizes)
+}
+
+func logn(n, b float64) float64 {
+	return math.Log(n) / math.Log(b)
+}
+
+func humanateBytes(s uint64, base float64, sizes []string) string {
+	if s < 10 {
+		return fmt.Sprintf("%d B", s)
+	}
+	e := math.Floor(logn(float64(s), base))
+	suffix := sizes[int(e)]
+	val := math.Floor(float64(s)/math.Pow(base, e)*10+0.5) / 10
+	f := "%.0f %s"
+	if val < 10 {
+		f = "%.1f %s"
+	}
+
+	return fmt.Sprintf(f, val, suffix)
+}
+
+func ParseBytes(s string) (uint64, error) {
+	return parseBytes0(s, defaultSizeTable)
+}
+
+func ParseMemoryBytes(s string) (uint64, error) {
+	return parseBytes0(s, memorysSizeTable)
+}
+
+func parseBytes0(s string, sizeTable map[string]uint64) (uint64, error) {
+	lastDigit := 0
+	hasComma := false
+	for _, r := range s {
+		if !(unicode.IsDigit(r) || r == '.' || r == ',') {
+			break
+		}
+		if r == ',' {
+			hasComma = true
+		}
+		lastDigit++
+	}
+
+	num := s[:lastDigit]
+	if hasComma {
+		num = strings.Replace(num, ",", "", -1)
+	}
+
+	f, err := strconv.ParseFloat(num, 64)
+	if err != nil {
+		return 0, err
+	}
+
+	extra := strings.ToLower(strings.TrimSpace(s[lastDigit:]))
+	if m, ok := sizeTable[extra]; ok {
+		f *= float64(m)
+		if f >= math.MaxUint64 {
+			return 0, fmt.Errorf("too large: %v", s)
+		}
+		return uint64(f), nil
+	}
+
+	return 0, fmt.Errorf("unhandled size name: %v", extra)
+}

common/settings/proxy_darwin.go

@@ -20,10 +20,10 @@ type systemProxy struct {
 	isMixed       bool
 }
 
-func (p *systemProxy) update(event int) error {
+func (p *systemProxy) update(event int) {
 	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
 	if p.interfaceName == newInterfaceName {
-		return nil
+		return
 	}
 	if p.interfaceName != "" {
 		_ = p.unset()
@@ -31,7 +31,7 @@ func (p *systemProxy) update(event int) error {
 	p.interfaceName = newInterfaceName
 	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
 	if err != nil {
-		return err
+		return
 	}
 	if p.isMixed {
 		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
@@ -40,9 +40,9 @@ func (p *systemProxy) update(event int) error {
 		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	if err == nil {
-		err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		_ = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
-	return err
+	return
 }
 
 func (p *systemProxy) unset() error {
@@ -88,10 +88,7 @@ func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() er
 		port:    port,
 		isMixed: isMixed,
 	}
-	err := proxy.update(tun.EventInterfaceUpdate)
-	if err != nil {
-		return nil, err
-	}
+	proxy.update(tun.EventInterfaceUpdate)
 	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
 	return func() error {
 		interfaceMonitor.UnregisterCallback(proxy.element)

common/sniff/sniff.go

@@ -22,23 +22,29 @@ func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout
 	if timeout == 0 {
 		timeout = C.ReadPayloadTimeout
 	}
-	err := conn.SetReadDeadline(time.Now().Add(timeout))
-	if err != nil {
-		return nil, E.Cause(err, "set read deadline")
-	}
-	_, err = buffer.ReadOnceFrom(conn)
-	err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
-	if err != nil {
-		return nil, E.Cause(err, "read payload")
-	}
-	var metadata *adapter.InboundContext
+	deadline := time.Now().Add(timeout)
 	var errors []error
-	for _, sniffer := range sniffers {
-		metadata, err = sniffer(ctx, bytes.NewReader(buffer.Bytes()))
-		if metadata != nil {
-			return metadata, nil
+
+	for i := 0; i < 3; i++ {
+		err := conn.SetReadDeadline(deadline)
+		if err != nil {
+			return nil, E.Cause(err, "set read deadline")
+		}
+		_, err = buffer.ReadOnceFrom(conn)
+		err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
+		if err != nil {
+			if i > 0 {
+				break
+			}
+			return nil, E.Cause(err, "read payload")
+		}
+		for _, sniffer := range sniffers {
+			metadata, err := sniffer(ctx, bytes.NewReader(buffer.Bytes()))
+			if metadata != nil {
+				return metadata, nil
+			}
+			errors = append(errors, err)
 		}
-		errors = append(errors, err)
 	}
 	return nil, E.Errors(errors...)
 }

common/tls/acme.go

@@ -21,6 +21,7 @@ import (
 type acmeWrapper struct {
 	ctx    context.Context
 	cfg    *certmagic.Config
+	cache  *certmagic.Cache
 	domain []string
 }
 
@@ -29,7 +30,7 @@ func (w *acmeWrapper) Start() error {
 }
 
 func (w *acmeWrapper) Close() error {
-	w.cfg.Unmanage(w.domain)
+	w.cache.Stop()
 	return nil
 }
 
@@ -77,10 +78,11 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
 	}
 	config.Issuers = []certmagic.Issuer{certmagic.NewACMEIssuer(config, acmeConfig)}
-	config = certmagic.New(certmagic.NewCache(certmagic.CacheOptions{
+	cache := certmagic.NewCache(certmagic.CacheOptions{
 		GetConfigForCert: func(certificate certmagic.Certificate) (*certmagic.Config, error) {
 			return config, nil
 		},
-	}), *config)
-	return config.TLSConfig(), &acmeWrapper{ctx, config, options.Domain}, nil
+	})
+	config = certmagic.New(cache, *config)
+	return config.TLSConfig(), &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
 }

common/tls/reality_server.go

@@ -101,7 +101,10 @@ func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Log
 		tlsConfig.ShortIds[shortID] = true
 	}
 
-	handshakeDialer := dialer.New(router, options.Reality.Handshake.DialerOptions)
+	handshakeDialer, err := dialer.New(router, options.Reality.Handshake.DialerOptions)
+	if err != nil {
+		return nil, err
+	}
 	tlsConfig.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
 		return handshakeDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 	}

common/tls/std_server.go

@@ -164,8 +164,8 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 	var acmeService adapter.Service
 	var err error
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
-		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
 		//nolint:staticcheck
+		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
 		if err != nil {
 			return nil, err
 		}

common/urltest/urltest.go

@@ -10,7 +10,6 @@ import (
 
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/x/list"
 )
 
 type History struct {
@@ -21,7 +20,7 @@ type History struct {
 type HistoryStorage struct {
 	access       sync.RWMutex
 	delayHistory map[string]*History
-	callbacks    list.List[func()]
+	updateHook   chan<- struct{}
 }
 
 func NewHistoryStorage() *HistoryStorage {
@@ -30,16 +29,8 @@ func NewHistoryStorage() *HistoryStorage {
 	}
 }
 
-func (s *HistoryStorage) AddListener(listener func()) *list.Element[func()] {
-	s.access.Lock()
-	defer s.access.Unlock()
-	return s.callbacks.PushBack(listener)
-}
-
-func (s *HistoryStorage) RemoveListener(element *list.Element[func()]) {
-	s.access.Lock()
-	defer s.access.Unlock()
-	s.callbacks.Remove(element)
+func (s *HistoryStorage) SetHook(hook chan<- struct{}) {
+	s.updateHook = hook
 }
 
 func (s *HistoryStorage) LoadURLTestHistory(tag string) *History {
@@ -66,13 +57,20 @@ func (s *HistoryStorage) StoreURLTestHistory(tag string, history *History) {
 }
 
 func (s *HistoryStorage) notifyUpdated() {
-	s.access.RLock()
-	defer s.access.RUnlock()
-	for element := s.callbacks.Front(); element != nil; element = element.Next() {
-		element.Value()
+	updateHook := s.updateHook
+	if updateHook != nil {
+		select {
+		case updateHook <- struct{}{}:
+		default:
+		}
 	}
 }
 
+func (s *HistoryStorage) Close() error {
+	s.updateHook = nil
+	return nil
+}
+
 func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err error) {
 	if link == "" {
 		link = "https://www.gstatic.com/generate_204"

constant/proxy.go

@@ -7,7 +7,7 @@ const (
 	TypeDirect       = "direct"
 	TypeBlock        = "block"
 	TypeDNS          = "dns"
-	TypeSocks        = "socks"
+	TypeSOCKS        = "socks"
 	TypeHTTP         = "http"
 	TypeMixed        = "mixed"
 	TypeShadowsocks  = "shadowsocks"
@@ -21,9 +21,55 @@ const (
 	TypeShadowTLS    = "shadowtls"
 	TypeShadowsocksR = "shadowsocksr"
 	TypeVLESS        = "vless"
+	TypeTUIC         = "tuic"
 )
 
 const (
 	TypeSelector = "selector"
 	TypeURLTest  = "urltest"
 )
+
+func ProxyDisplayName(proxyType string) string {
+	switch proxyType {
+	case TypeDirect:
+		return "Direct"
+	case TypeBlock:
+		return "Block"
+	case TypeDNS:
+		return "DNS"
+	case TypeSOCKS:
+		return "SOCKS"
+	case TypeHTTP:
+		return "HTTP"
+	case TypeShadowsocks:
+		return "Shadowsocks"
+	case TypeVMess:
+		return "VMess"
+	case TypeTrojan:
+		return "Trojan"
+	case TypeNaive:
+		return "Naive"
+	case TypeWireGuard:
+		return "WireGuard"
+	case TypeHysteria:
+		return "Hysteria"
+	case TypeTor:
+		return "Tor"
+	case TypeSSH:
+		return "SSH"
+	case TypeShadowTLS:
+		return "ShadowTLS"
+	case TypeShadowsocksR:
+		return "ShadowsocksR"
+	case TypeVLESS:
+		return "VLESS"
+	case TypeTUIC:
+		return "TUIC"
+	case TypeSelector:
+		return "Selector"
+	case TypeURLTest:
+		return "URLTest"
+	default:
+		return "Unknown"
+	}
+}

debug_go118.go

@@ -5,7 +5,7 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -28,7 +28,7 @@ func applyDebugOptions(options option.DebugOptions) {
 	}
 	if options.MemoryLimit != 0 {
 		// debug.SetMemoryLimit(int64(options.MemoryLimit))
-		conntrack.MemoryLimit = int64(options.MemoryLimit)
+		conntrack.MemoryLimit = uint64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller

debug_go119.go

@@ -5,7 +5,7 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -27,8 +27,8 @@ func applyDebugOptions(options option.DebugOptions) {
 		debug.SetTraceback(options.TraceBack)
 	}
 	if options.MemoryLimit != 0 {
-		debug.SetMemoryLimit(int64(options.MemoryLimit))
-		conntrack.MemoryLimit = int64(options.MemoryLimit)
+		debug.SetMemoryLimit(int64(float64(options.MemoryLimit) / 1.5))
+		conntrack.MemoryLimit = uint64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller

debug_http.go

@@ -7,12 +7,12 @@ import (
 	"runtime/debug"
 
 	"github.com/sagernet/sing-box/common/badjson"
+	"github.com/sagernet/sing-box/common/humanize"
 	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 
-	"github.com/dustin/go-humanize"
 	"github.com/go-chi/chi/v5"
 )
 
@@ -37,9 +37,9 @@ func applyDebugListenOption(options option.DebugOptions) {
 			runtime.ReadMemStats(&memStats)
 
 			var memObject badjson.JSONObject
-			memObject.Put("heap", humanize.IBytes(memStats.HeapInuse))
-			memObject.Put("stack", humanize.IBytes(memStats.StackInuse))
-			memObject.Put("idle", humanize.IBytes(memStats.HeapIdle-memStats.HeapReleased))
+			memObject.Put("heap", humanize.MemoryBytes(memStats.HeapInuse))
+			memObject.Put("stack", humanize.MemoryBytes(memStats.StackInuse))
+			memObject.Put("idle", humanize.MemoryBytes(memStats.HeapIdle-memStats.HeapReleased))
 			memObject.Put("goroutines", runtime.NumGoroutine())
 			memObject.Put("rss", rusageMaxRSS())
 

docs/changelog.md

@@ -1,3 +1,140 @@
+#### 1.4.1
+
+* Fixes and improvements
+
+#### 1.4.0
+
+* Fix bugs and update dependencies
+
+Important changes since 1.3:
+
+* Add TUIC support **1**
+* Add `udp_over_stream` option for TUIC client **2**
+* Add MultiPath TCP support **3**
+* Add `include_interface` and `exclude_interface` options for tun inbound
+* Pause recurring tasks when no network or device idle
+* Improve Android and Apple platform clients
+
+*1*:
+
+See [TUIC inbound](/configuration/inbound/tuic)
+and [TUIC outbound](/configuration/outbound/tuic)
+
+**2**:
+
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
+another program compatible with the protocol as a server.
+
+This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP
+traffic (basically QUIC streams).
+
+*3*:
+
+Requires sing-box to be compiled with Go 1.21.
+
+#### 1.4.0-rc.3
+
+* Fixes and improvements
+
+#### 1.4.0-rc.2
+
+* Fixes and improvements
+
+#### 1.4.0-rc.1
+
+* Fix TUIC UDP
+
+#### 1.4.0-beta.6
+
+* Add `udp_over_stream` option for TUIC client **1**
+* Add `include_interface` and `exclude_interface` options for tun inbound
+* Fixes and improvements
+
+**1**:
+
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
+another program compatible with the protocol as a server.
+
+This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP
+traffic (basically QUIC streams).
+
+#### 1.4.0-beta.5
+
+* Fixes and improvements
+
+#### 1.4.0-beta.4
+
+* Graphical clients: Persistence group expansion state
+* Fixes and improvements
+
+#### 1.4.0-beta.3
+
+* Fixes and improvements
+
+#### 1.4.0-beta.2
+
+* Add MultiPath TCP support **1**
+* Drop QUIC support for Go 1.18 and 1.19 due to upstream changes
+* Fixes and improvements
+
+*1*:
+
+Requires sing-box to be compiled with Go 1.21.
+
+#### 1.4.0-beta.1
+
+* Add TUIC support **1**
+* Pause recurring tasks when no network or device idle
+* Fixes and improvements
+
+*1*:
+
+See [TUIC inbound](/configuration/inbound/tuic)
+and [TUIC outbound](/configuration/outbound/tuic)
+
+#### 1.3.6
+
+* Fixes and improvements
+
+#### 1.3.5
+
+* Fixes and improvements
+* Introducing our [Apple tvOS](/installation/clients/sft) client applications **1**
+* Add per app proxy and app installed/updated trigger support for Android client
+* Add profile sharing support for Android/iOS/macOS clients
+
+**1**:
+
+Due to the requirement of tvOS 17, the app cannot be submitted to the App Store for the time being, and can only be
+downloaded through TestFlight.
+
+#### 1.3.4
+
+* Fixes and improvements
+* We're now on the [App Store](https://apps.apple.com/us/app/sing-box/id6451272673), always free! It should be noted
+  that due to stricter and slower review, the release of Store versions will be delayed.
+* We've made a standalone version of the macOS client (the original Application Extension relies on App Store
+  distribution), which you can download as SFM-version-universal.zip in the release artifacts.
+
+#### 1.3.3
+
+* Fixes and improvements
+
+#### 1.3.1-rc.1
+
+* Fix bugs and update dependencies
+
+#### 1.3.1-beta.3
+
+* Introducing our [new iOS](/installation/clients/sfi) and [macOS](/installation/clients/sfm) client applications **1**
+* Fixes and improvements
+
+**1**:
+
+The old testflight link and app are no longer valid.
+
 #### 1.3.1-beta.2
 
 * Fix bugs and update dependencies

docs/configuration/experimental/index.md

@@ -12,7 +12,9 @@
       "external_ui_download_detour": "",
       "secret": "",
       "default_mode": "",
+      "store_mode": false,
       "store_selected": false,
+      "store_fakeip": false,
       "cache_file": "",
       "cache_id": ""
     },
@@ -80,6 +82,10 @@ Default mode in clash, `rule` will be used if empty.
 
 This setting has no direct effect, but can be used in routing and DNS rules via the `clash_mode` rule item.
 
+#### store_mode
+
+Store Clash mode in cache file.
+
 #### store_selected
 
 !!! note ""
@@ -88,6 +94,10 @@ This setting has no direct effect, but can be used in routing and DNS rules via
 
 Store selected outbound for the `Selector` outbound in cache file.
 
+#### store_fakeip
+
+Store fakeip in cache file.
+
 #### cache_file
 
 Cache file path, `cache.db` will be used if empty.

docs/configuration/experimental/index.zh.md

@@ -12,7 +12,9 @@
       "external_ui_download_detour": "",
       "secret": "",
       "default_mode": "",
+      "store_mode": false,
       "store_selected": false,
+      "store_fakeip": false,
       "cache_file": "",
       "cache_id": ""
     },
@@ -78,6 +80,10 @@ Clash 中的默认模式，默认使用 `rule`。
 
 此设置没有直接影响，但可以通过 `clash_mode` 规则项在路由和 DNS 规则中使用。
 
+#### store_mode
+
+将 Clash 模式存储在缓存文件中。
+
 #### store_selected
 
 !!! note ""
@@ -86,6 +92,10 @@ Clash 中的默认模式，默认使用 `rule`。
 
 将 `Selector` 中出站的选定的目标出站存储在缓存文件中。
 
+#### store_fakeip
+
+将 fakeip 存储在缓存文件中。
+
 #### cache_file
 
 缓存文件路径，默认使用`cache.db`。

docs/configuration/inbound/tuic.md

@@ -0,0 +1,82 @@
+### Structure
+
+```json
+{
+  "type": "tuic",
+  "tag": "tuic-in",
+  
+  ... // Listen Fields
+
+  "users": [
+    {
+      "name": "sekai",
+      "uuid": "059032A9-7D40-4A96-9BB1-36823D848068",
+      "password": "hello"
+    }
+  ],
+  "congestion_control": "cubic",
+  "auth_timeout": "3s",
+  "zero_rtt_handshake": false,
+  "heartbeat": "10s",
+  "tls": {}
+}
+```
+
+!!! warning ""
+
+    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
+
+### Listen Fields
+
+See [Listen Fields](/configuration/shared/listen) for details.
+
+### Fields
+
+#### users
+
+TUIC users
+
+#### users.uuid
+
+==Required==
+
+TUIC user uuid
+
+#### users.password
+
+TUIC user password
+
+#### congestion_control
+
+QUIC congestion control algorithm
+
+One of: `cubic`, `new_reno`, `bbr`
+
+`cubic` is used by default.
+
+#### auth_timeout
+
+How long the server should wait for the client to send the authentication command
+
+`3s` is used by default.
+
+#### zero_rtt_handshake
+
+Enable 0-RTT QUIC connection handshake on the client side  
+This is not impacting much on the performance, as the protocol is fully multiplexed  
+
+!!! warning ""
+    Disabling this is highly recommended, as it is vulnerable to replay attacks.
+    See [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
+
+#### heartbeat
+
+Interval for sending heartbeat packets for keeping the connection alive
+
+`10s` is used by default.
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

docs/configuration/inbound/tuic.zh.md

@@ -0,0 +1,82 @@
+### 结构
+
+```json
+{
+  "type": "tuic",
+  "tag": "tuic-in",
+
+  ... // 监听字段
+
+  "users": [
+    {
+      "name": "sekai",
+      "uuid": "059032A9-7D40-4A96-9BB1-36823D848068",
+      "password": "hello"
+    }
+  ],
+  "congestion_control": "cubic",
+  "auth_timeout": "3s",
+  "zero_rtt_handshake": false,
+  "heartbeat": "10s",
+  "tls": {}
+}
+```
+
+!!! warning ""
+
+    默认安装不包含被 TUI 依赖的 QUIC，参阅 [安装](/zh/#_2)。
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/)。
+
+### 字段
+
+#### users
+
+TUIC 用户
+
+#### users.uuid
+
+==必填==
+
+TUIC 用户 UUID
+
+#### users.password
+
+TUIC 用户密码
+
+#### congestion_control
+
+QUIC 流量控制算法
+
+可选值: `cubic`, `new_reno`, `bbr`
+
+默认使用 `cubic`。
+
+#### auth_timeout
+
+服务器等待客户端发送认证命令的时间
+
+默认使用 `3s`。
+
+#### zero_rtt_handshake
+
+在客户端启用 0-RTT QUIC 连接握手
+这对性能影响不大，因为协议是完全复用的
+
+!!! warning ""
+强烈建议禁用此功能，因为它容易受到重放攻击。
+请参阅 [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
+
+#### heartbeat
+
+发送心跳包以保持连接存活的时间间隔
+
+默认使用 `10s`。
+
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/tun.md

@@ -24,6 +24,12 @@
   ],
   "endpoint_independent_nat": false,
   "stack": "system",
+  "include_interface": [
+    "lan0"
+  ],
+  "exclude_interface": [
+    "lan1"
+  ],
   "include_uid": [
     0
   ],
@@ -142,16 +148,33 @@ UDP NAT expiration time in seconds, default is 300 (5 minutes).
 
 TCP/IP stack.
 
-| Stack            | Description                                                                      | Status            |
-|------------------|----------------------------------------------------------------------------------|-------------------|
-| system (default) | Sometimes better performance                                                     | recommended       |
-| gVisor           | Better compatibility, based on [google/gvisor](https://github.com/google/gvisor) | recommended       |
-| LWIP             | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks)   | upstream archived |
+| Stack  | Description                                                                      | Status            |
+|--------|----------------------------------------------------------------------------------|-------------------|
+| system | Sometimes better performance                                                     | recommended       |
+| gVisor | Better compatibility, based on [google/gvisor](https://github.com/google/gvisor) | recommended       |
+| mixed  | Mixed `system` TCP stack and `gVisor` UDP stack                                  | recommended       |
+| LWIP   | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks)   | upstream archived |
 
 !!! warning ""
 
     gVisor and LWIP stacks is not included by default, see [Installation](/#installation).
 
+#### include_interface
+
+!!! error ""
+
+    Interface rules are only supported on Linux and require auto_route.
+
+Limit interfaces in route. Not limited by default.
+
+Conflict with `exclude_interface`.
+
+#### exclude_interface
+
+Exclude interfaces in route.
+
+Conflict with `include_interface`.
+
 #### include_uid
 
 !!! error ""

docs/configuration/inbound/tun.zh.md

@@ -24,6 +24,12 @@
   ],
   "endpoint_independent_nat": false,
   "stack": "system",
+  "include_interface": [
+    "lan0"
+  ],
+  "exclude_interface": [
+    "lan1"
+  ],
   "include_uid": [
     0
   ],
@@ -149,6 +155,22 @@ TCP/IP 栈。
 
     默认安装不包含 gVisor 和 LWIP 栈，请参阅 [安装](/zh/#_2)。
 
+#### include_interface
+
+!!! error ""
+
+    接口规则仅在 Linux 下被支持，并且需要 `auto_route`。
+
+限制被路由的接口。默认不限制。
+
+与 `exclude_interface` 冲突。
+
+#### exclude_interface
+
+排除路由的接口。
+
+与 `include_interface` 冲突。
+
 #### include_uid
 
 !!! error ""

docs/configuration/outbound/hysteria.md

@@ -97,12 +97,6 @@ Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 (IPv4)
 
 Force enabled on for systems other than Linux and Windows (according to upstream).
 
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
-
 #### network
 
 Enabled network
@@ -111,6 +105,12 @@ One of `tcp` `udp`.
 
 Both is enabled by default.
 
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
+
 ### Dial Fields
 
 See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/hysteria.zh.md

@@ -97,10 +97,6 @@ base64 编码的认证密码。
 
 强制为 Linux 和 Windows 以外的系统启用（根据上游）。
 
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
-
 #### network
 
 启用的网络协议。
@@ -109,6 +105,13 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 默认所有。
 
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
+
 ### 拨号字段
 
 参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/configuration/outbound/tuic.md

@@ -0,0 +1,100 @@
+### Structure
+
+```json
+{
+  "type": "tuic",
+  "tag": "tuic-out",
+  
+  "server": "127.0.0.1",
+  "server_port": 1080,
+  "uuid": "2DD61D93-75D8-4DA4-AC0E-6AECE7EAC365",
+  "password": "hello",
+  "congestion_control": "cubic",
+  "udp_relay_mode": "native",
+  "udp_over_stream": false,
+  "zero_rtt_handshake": false,
+  "heartbeat": "10s",
+  "network": "tcp",
+  "tls": {},
+  
+  ... // Dial Fields
+}
+```
+
+!!! warning ""
+
+    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
+
+### Fields
+
+#### server
+
+==Required==
+
+The server address.
+
+#### server_port
+
+==Required==
+
+The server port.
+
+#### uuid
+
+==Required==
+
+TUIC user uuid
+
+#### password
+
+TUIC user password
+
+#### congestion_control
+
+QUIC congestion control algorithm
+
+One of: `cubic`, `new_reno`, `bbr`
+
+`cubic` is used by default.
+
+#### udp_relay_mode
+
+UDP packet relay mode
+
+| Mode   | Description                                                              |
+|:-------|:-------------------------------------------------------------------------|
+| native | native UDP characteristics                                               |
+| quic   | lossless UDP relay using QUIC streams, additional overhead is introduced |
+
+`native` is used by default.
+
+Conflict with `udp_over_stream`.
+
+#### udp_over_stream
+
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
+another program compatible with the protocol as a server.
+
+This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP
+traffic (basically QUIC streams).
+
+Conflict with `udp_relay_mode`.
+
+#### network
+
+Enabled network
+
+One of `tcp` `udp`.
+
+Both is enabled by default.
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
+
+### Dial Fields
+
+See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/tuic.zh.md

@@ -0,0 +1,108 @@
+### 结构
+
+```json
+{
+  "type": "tuic",
+  "tag": "tuic-out",
+  
+  "server": "127.0.0.1",
+  "server_port": 1080,
+  "uuid": "2DD61D93-75D8-4DA4-AC0E-6AECE7EAC365",
+  "password": "hello",
+  "congestion_control": "cubic",
+  "udp_relay_mode": "native",
+  "udp_over_stream": false,
+  "zero_rtt_handshake": false,
+  "heartbeat": "10s",
+  "network": "tcp",
+  "tls": {},
+  
+  ... // 拨号字段
+}
+```
+
+!!! warning ""
+
+    默认安装不包含被 TUI 依赖的 QUIC，参阅 [安装](/zh/#_2)。
+
+### 字段
+
+#### server
+
+==必填==
+
+服务器地址。
+
+#### server_port
+
+==必填==
+
+服务器端口。
+
+#### uuid
+
+==必填==
+
+TUIC 用户 UUID
+
+#### password
+
+TUIC 用户密码
+
+#### congestion_control
+
+QUIC 流量控制算法
+
+可选值: `cubic`, `new_reno`, `bbr`
+
+默认使用 `cubic`。
+
+#### udp_relay_mode
+
+UDP 包中继模式
+
+| 模式     | 描述                           |
+|--------|------------------------------|
+| native | 原生 UDP                       |
+| quic   | 使用 QUIC 流的无损 UDP 中继，引入了额外的开销 |
+
+与 `udp_over_stream` 冲突。
+
+#### udp_over_stream
+
+这是 TUIC 的 [UDP over TCP 协议](/configuration/shared/udp-over-tcp) 移植， 旨在提供 TUIC 不提供的 基于 QUIC 流的 UDP 中继模式。 由于它是一个附加协议，因此您需要使用 sing-box 或其他兼容的程序作为服务器。
+
+此模式在正确的 UDP 代理场景中没有任何积极作用，仅适用于中继流式 UDP 流量（基本上是 QUIC 流）。
+
+与 `udp_relay_mode` 冲突。
+
+#### zero_rtt_handshake
+
+在客户端启用 0-RTT QUIC 连接握手
+这对性能影响不大，因为协议是完全复用的
+
+!!! warning ""
+强烈建议禁用此功能，因为它容易受到重放攻击。
+请参阅 [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
+
+#### heartbeat
+
+发送心跳包以保持连接存活的时间间隔
+
+#### network
+
+启用的网络协议。
+
+`tcp` 或 `udp`。
+
+默认所有。
+
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/configuration/route/index.zh.md

@@ -24,7 +24,6 @@
 |------------|-------------------------|
 | `geoip`    | [GeoIP](./geoip)        |
 | `geosite`  | [GeoSite](./geosite)    |
-| `ip_rules` | 一组 [IP 路由规则](./ip-rule) |
 | `rules`    | 一组 [路由规则](./rule)       |
 
 #### final

docs/configuration/route/ip-rule.md

@@ -1,205 +0,0 @@
-### Structure
-
-```json
-{
-  "route": {
-    "ip_rules": [
-      {
-        "inbound": [
-          "mixed-in"
-        ],
-        "ip_version": 6,
-        "network": [
-          "tcp"
-        ],
-        "domain": [
-          "test.com"
-        ],
-        "domain_suffix": [
-          ".cn"
-        ],
-        "domain_keyword": [
-          "test"
-        ],
-        "domain_regex": [
-          "^stun\\..+"
-        ],
-        "geosite": [
-          "cn"
-        ],
-        "source_geoip": [
-          "private"
-        ],
-        "geoip": [
-          "cn"
-        ],
-        "source_ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "source_port": [
-          12345
-        ],
-        "source_port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "port": [
-          80,
-          443
-        ],
-        "port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "invert": false,
-        "action": "direct",
-        "outbound": "wireguard"
-      },
-      {
-        "type": "logical",
-        "mode": "and",
-        "rules": [],
-        "invert": false,
-        "action": "direct",
-        "outbound": "wireguard"
-      }
-    ]
-  }
-}
-
-```
-
-!!! note ""
-
-    You can ignore the JSON Array [] tag when the content is only one item
-
-### Default Fields
-
-!!! note ""
-
-    The default rule uses the following matching logic:  
-    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
-    (`port` || `port_range`) &&  
-    (`source_geoip` || `source_ip_cidr`) &&  
-    (`source_port` || `source_port_range`) &&  
-    `other fields`
-
-#### inbound
-
-Tags of [Inbound](/configuration/inbound).
-
-#### ip_version
-
-4 or 6.
-
-Not limited if empty.
-
-#### network
-
-Match network protocol.
-
-Available values:
-
-* `tcp`
-* `udp`
-* `icmpv4`
-* `icmpv6`
-
-#### domain
-
-Match full domain.
-
-#### domain_suffix
-
-Match domain suffix.
-
-#### domain_keyword
-
-Match domain using keyword.
-
-#### domain_regex
-
-Match domain using regular expression.
-
-#### geosite
-
-Match geosite.
-
-#### source_geoip
-
-Match source geoip.
-
-#### geoip
-
-Match geoip.
-
-#### source_ip_cidr
-
-Match source ip cidr.
-
-#### ip_cidr
-
-Match ip cidr.
-
-#### source_port
-
-Match source port.
-
-#### source_port_range
-
-Match source port range.
-
-#### port
-
-Match port.
-
-#### port_range
-
-Match port range.
-
-#### invert
-
-Invert match result.
-
-#### action
-
-==Required==
-
-| Action | Description                                                        |
-|--------|--------------------------------------------------------------------|
-| return | Stop IP routing and assemble the connection to the transport layer |
-| block  | Block the connection                                               |
-| direct | Directly forward the connection                                    |
-
-#### outbound
-
-==Required if action is direct==
-
-Tag of the target outbound.
-
-Only outbound which supports IP connection can be used, see [Outbounds that support IP connection](/configuration/outbound/#outbounds-that-support-ip-connection).
-
-### Logical Fields
-
-#### type
-
-`logical`
-
-#### mode
-
-==Required==
-
-`and` or `or`
-
-#### rules
-
-==Required==
-
-Included default rules.

docs/configuration/route/ip-rule.zh.md

@@ -1,204 +0,0 @@
-### 结构
-
-```json
-{
-  "route": {
-    "ip_rules": [
-      {
-        "inbound": [
-          "mixed-in"
-        ],
-        "ip_version": 6,
-        "network": [
-          "tcp"
-        ],
-        "domain": [
-          "test.com"
-        ],
-        "domain_suffix": [
-          ".cn"
-        ],
-        "domain_keyword": [
-          "test"
-        ],
-        "domain_regex": [
-          "^stun\\..+"
-        ],
-        "geosite": [
-          "cn"
-        ],
-        "source_geoip": [
-          "private"
-        ],
-        "geoip": [
-          "cn"
-        ],
-        "source_ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "source_port": [
-          12345
-        ],
-        "source_port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "port": [
-          80,
-          443
-        ],
-        "port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "invert": false,
-        "action": "direct",
-        "outbound": "wireguard"
-      },
-      {
-        "type": "logical",
-        "mode": "and",
-        "rules": [],
-        "invert": false,
-        "action": "direct",
-        "outbound": "wireguard"
-      }
-    ]
-  }
-}
-
-```
-
-!!! note ""
-
-    当内容只有一项时，可以忽略 JSON 数组 [] 标签。
-
-### Default Fields
-
-!!! note ""
-
-    默认规则使用以下匹配逻辑:  
-    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
-    (`port` || `port_range`) &&  
-    (`source_geoip` || `source_ip_cidr`) &&  
-    (`source_port` || `source_port_range`) &&  
-    `other fields`
-
-#### inbound
-
-[入站](/zh/configuration/inbound) 标签。
-
-#### ip_version
-
-4 或 6。
-
-默认不限制。
-
-#### network
-
-匹配网络协议。
-
-可用值：
-
-* `tcp`
-* `udp`
-* `icmpv4`
-* `icmpv6`
-
-#### domain
-
-匹配完整域名。
-
-#### domain_suffix
-
-匹配域名后缀。
-
-#### domain_keyword
-
-匹配域名关键字。
-
-#### domain_regex
-
-匹配域名正则表达式。
-
-#### geosite
-
-匹配 GeoSite。
-
-#### source_geoip
-
-匹配源 GeoIP。
-
-#### geoip
-
-匹配 GeoIP。
-
-#### source_ip_cidr
-
-匹配源 IP CIDR。
-
-#### ip_cidr
-
-匹配 IP CIDR。
-
-#### source_port
-
-匹配源端口。
-
-#### source_port_range
-
-匹配源端口范围。
-
-#### port
-
-匹配端口。
-
-#### port_range
-
-匹配端口范围。
-
-#### invert
-
-反选匹配结果。
-
-#### action
-
-==必填==
-
-| Action | 描述                  |
-|--------|---------------------|
-| return | 停止 IP 路由并将该连接组装到传输层 |
-| block  | 屏蔽该连接               |
-| direct | 直接转发该连接             |
-
-
-#### outbound
-
-==action 为 direct 则必填==
-
-目标出站的标签。
-
-### 逻辑字段
-
-#### type
-
-`logical`
-
-#### mode
-
-==必填==
-
-`and` 或 `or`
-
-#### rules
-
-==必填==
-
-包括的默认规则。

docs/configuration/shared/dial.md

@@ -10,6 +10,7 @@
   "reuse_addr": false,
   "connect_timeout": "5s",
   "tcp_fast_open": false,
+  "tcp_multi_path": false,
   "udp_fragment": false,
   "domain_strategy": "prefer_ipv6",
   "fallback_delay": "300ms"
@@ -18,9 +19,9 @@
 
 ### Fields
 
-| Field                                                                                                                | Available Context |
-|----------------------------------------------------------------------------------------------------------------------|-------------------|
-| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open`/ `udp_fragment` /`connect_timeout` | `detour` not set  |
+| Field                                                                                                                                    | Available Context |
+|------------------------------------------------------------------------------------------------------------------------------------------|-------------------|
+| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open` / `tcp_multi_path` / `udp_fragment` /`connect_timeout` | `detour` not set  |
 
 #### detour
 
@@ -54,6 +55,14 @@ Reuse listener address.
 
 Enable TCP Fast Open.
 
+#### tcp_multi_path
+
+!!! warning ""
+
+    Go 1.21 required.
+
+Enable TCP Multi Path.
+
 #### udp_fragment
 
 Enable UDP fragmentation.

docs/configuration/shared/dial.zh.md

@@ -10,6 +10,7 @@
   "reuse_addr": false,
   "connect_timeout": "5s",
   "tcp_fast_open": false,
+  "tcp_multi_path": false,
   "udp_fragment": false,
   "domain_strategy": "prefer_ipv6",
   "fallback_delay": "300ms"
@@ -18,9 +19,9 @@
 
 ### 字段
 
-| 字段                                                                                                                   | 可用上下文        |
-|----------------------------------------------------------------------------------------------------------------------|--------------|
-| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open`/ `udp_fragment` /`connect_timeout` | `detour` 未设置 |
+| 字段                                                                                                                                       | 可用上下文        |
+|------------------------------------------------------------------------------------------------------------------------------------------|--------------|
+| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open` / `tcp_mutli_path` / `udp_fragment` /`connect_timeout` | `detour` 未设置 |
 
 
 #### detour
@@ -57,6 +58,14 @@
 
 启用 TCP Fast Open。
 
+#### tcp_multi_path
+
+!!! warning ""
+
+    需要 Go 1.21。
+
+启用 TCP Multi Path。
+
 #### udp_fragment
 
 启用 UDP 分段。

docs/configuration/shared/listen.md

@@ -5,6 +5,7 @@
   "listen": "::",
   "listen_port": 5353,
   "tcp_fast_open": false,
+  "tcp_multi_path": false,
   "udp_fragment": false,
   "sniff": false,
   "sniff_override_destination": false,
@@ -24,6 +25,7 @@
 | `listen`                          | Needs to listen on TCP or UDP.                                    |
 | `listen_port`                     | Needs to listen on TCP or UDP.                                    |
 | `tcp_fast_open`                   | Needs to listen on TCP.                                           |
+| `tcp_multi_path`                  | Needs to listen on TCP.                                           |
 | `udp_timeout`                     | Needs to assemble UDP connections, currently Tun and Shadowsocks. |
 | `proxy_protocol`                  | Needs to listen on TCP.                                           |
 | `proxy_protocol_accept_no_header` | When `proxy_protocol` enabled                                     |
@@ -42,6 +44,14 @@ Listen port.
 
 Enable TCP Fast Open.
 
+#### tcp_multi_path
+
+!!! warning ""
+
+    Go 1.21 required.
+
+Enable TCP Multi Path.
+
 #### udp_fragment
 
 Enable UDP fragmentation.

docs/configuration/shared/listen.zh.md

@@ -5,6 +5,7 @@
   "listen": "::",
   "listen_port": 5353,
   "tcp_fast_open": false,
+  "tcp_multi_path": false,
   "udp_fragment": false,
   "sniff": false,
   "sniff_override_destination": false,
@@ -23,6 +24,7 @@
 | `listen`                          | 需要监听 TCP 或 UDP。                     |
 | `listen_port`                     | 需要监听 TCP 或 UDP。                     |
 | `tcp_fast_open`                   | 需要监听 TCP。                           |
+| `tcp_multi_path`                  | 需要监听 TCP。                           |
 | `udp_timeout`                     | 需要组装 UDP 连接, 当前为 Tun 和 Shadowsocks。 |
 | `proxy_protocol`                  | 需要监听 TCP。                           |
 | `proxy_protocol_accept_no_header` | `proxy_protocol` 启用时                |
@@ -43,6 +45,14 @@
 
 启用 TCP Fast Open。
 
+#### tcp_multi_path
+
+!!! warning ""
+
+    需要 Go 1.21。
+
+启用 TCP Multi Path。
+
 #### udp_fragment
 
 启用 UDP 分段。

docs/examples/index.md

@@ -8,5 +8,4 @@ Configuration examples for sing-box.
 * [Shadowsocks](./shadowsocks)
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
-* [WireGuard Direct](./wireguard-direct)
 * [FakeIP](./fakeip)

docs/examples/index.zh.md

@@ -8,5 +8,4 @@ sing-box 的配置示例。
 * [Shadowsocks](./shadowsocks)
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
-* [WireGuard Direct](./wireguard-direct)
 * [FakeIP](./fakeip)

docs/examples/wireguard-direct.md

@@ -1,90 +0,0 @@
-# WireGuard Direct
-
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "tag": "google",
-        "address": "tls://8.8.8.8"
-      },
-      {
-        "tag": "local",
-        "address": "223.5.5.5",
-        "detour": "direct"
-      }
-    ],
-    "rules": [
-      {
-        "geoip": "cn",
-        "server": "direct"
-      }
-    ],
-    "reverse_mapping": true
-  },
-  "inbounds": [
-    {
-      "type": "tun",
-      "tag": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true,
-      "stack": "system"
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "wireguard",
-      "tag": "wg",
-      "server": "127.0.0.1",
-      "server_port": 2345,
-      "local_address": [
-        "172.19.0.1/128"
-      ],
-      "private_key": "KLTnpPY03pig/WC3zR8U7VWmpANHPFh2/4pwICGJ5Fk=",
-      "peer_public_key": "uvNabcamf6Rs0vzmcw99jsjTJbxo6eWGOykSY66zsUk="
-    },
-    {
-      "type": "dns",
-      "tag": "dns"
-    },
-    {
-      "type": "direct",
-      "tag": "direct"
-    },
-    {
-      "type": "block",
-      "tag": "block"
-    }
-  ],
-  "route": {
-    "ip_rules": [
-      {
-        "port": 53,
-        "action": "return"
-      },
-      {
-        "geoip": "cn",
-        "geosite": "cn",
-        "action": "return"
-      },
-      {
-        "action": "direct",
-        "outbound": "wg"
-      }
-    ],
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns"
-      },
-      {
-        "geoip": "cn",
-        "geosite": "cn",
-        "outbound": "direct"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```

docs/installation/clients/sfa.md

@@ -9,6 +9,7 @@ Experimental Android client for sing-box.
 #### Download
 
 * [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
+* [Github Releases](https://github.com/SagerNet/sing-box/releases)
 
 #### Note
 

docs/installation/clients/sfa.zh.md

@@ -9,6 +9,7 @@
 #### 下载
 
 * [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
+* [Github Releases](https://github.com/SagerNet/sing-box/releases)
 
 #### 注意事项
 

docs/installation/clients/sfi.md

@@ -5,11 +5,12 @@ Experimental iOS client for sing-box.
 #### Requirements
 
 * iOS 15.0+
-* macOS 12.0+ with Apple Silicon
+* An Apple account outside of mainland China
 
 #### Download
 
-* [TestFlight](https://testflight.apple.com/join/c6ylui2j)
+* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
+* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
 
 #### Note
 

docs/installation/clients/sfi.zh.md

@@ -5,11 +5,12 @@
 #### 要求
 
 * iOS 15.0+
-* macOS 12.0+ with Apple Silicon
+* 一个非中国大陆地区的 Apple 账号
 
 #### 下载
 
-* [TestFlight](https://testflight.apple.com/join/c6ylui2j)
+* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
+* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
 
 #### 注意事项
 

docs/installation/clients/sfm.md

@@ -0,0 +1,29 @@
+# SFM
+
+Experimental macOS client for sing-box.
+
+#### Requirements
+
+* macOS 13.0+
+* An Apple account outside of mainland China (App Store Version)
+
+#### Download (App Store Version)
+
+* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
+* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
+
+#### Download (Independent Version)
+
+* [GitHub Release](https://github.com/SagerNet/sing-box/releases/latest)
+* Homebrew (Cask): `brew install sfm`
+* Homebrew (Tap): `brew tap sagernet/sing-box && brew install sagernet/sing-box/sfm`
+
+#### Note
+
+* User Agent in remote profile request is `SFM/$version ($version_code; sing-box $sing_box_version)`
+* Crash logs is located in `Settings` -> `View Service Log`
+
+#### Privacy policy
+
+* SFM did not collect or share personal data.
+* The data generated by the software is always on your device.

docs/installation/clients/sfm.zh.md

@@ -0,0 +1,29 @@
+# SFM
+
+实验性的 macOS sing-box 客户端。
+
+#### 要求
+
+* macOS 13.0+
+* 一个非中国大陆地区的 Apple 账号 (商店版本)
+
+#### 下载 (商店版本)
+
+* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
+* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
+
+#### 下载 (独立版本)
+
+* [GitHub Release](https://github.com/SagerNet/sing-box/releases/latest)
+* Homebrew (Cask): `brew install sfm`
+* Homebrew (Tap): `brew tap sagernet/sing-box && brew install sagernet/sing-box/sfm`
+
+#### 注意事项
+
+* 远程配置文件请求中的 User Agent 为 `SFM/$version ($version_code; sing-box $sing_box_version)`
+* 崩溃日志位于 `设置` -> `查看服务日志`
+
+#### 隐私政策
+
+* SFM 不收集或共享个人数据。
+* 软件生成的数据始终在您的设备上。

docs/installation/clients/sft.md

@@ -0,0 +1,29 @@
+# SFT
+
+Experimental Apple tvOS client for sing-box.
+
+#### Requirements
+
+* tvOS 17.0+
+
+#### Download
+
+* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
+
+#### Features
+
+Full functionality, except for:
+
+* Only remote configuration files can be created manually
+* You need to update SFI to the latest beta version to import profiles from iPhone/iPad
+* No iCloud profile support
+
+#### Note
+
+* User Agent in remote profile request is `SFT/$version ($version_code; sing-box $sing_box_version)`
+* Crash logs is located in `Settings` -> `View Service Log`
+
+#### Privacy policy
+
+* SFT did not collect or share personal data.
+* The data generated by the software is always on your device.

docs/installation/clients/specification.md

@@ -0,0 +1,25 @@
+# Specification
+
+## Profile
+
+Profile defines a sing-box configuration with metadata in a GUI client.
+
+## Profile Types
+
+### Local
+
+Create a empty configuration or import from a local file.
+
+### iCloud (on Apple platforms)
+
+Create a new configuration or use an existing configuration on iCloud. 
+
+### Remote
+
+Use a remote URL as the configuration source, with HTTP basic authentication and automatic update support.
+
+#### URL specification
+
+```
+sing-box://import-remote-profile?url=urlEncodedURL#urlEncodedName
+```

docs/installation/from-source.md

@@ -1,6 +1,17 @@
 # Install from source
 
-sing-box requires Golang **1.18.5** or a higher version.
+## Requirements
+
+Before sing-box 1.4.0:
+
+* Go 1.18.5 - 1.20.x
+
+Since sing-box 1.4.0:
+
+* Go 1.18.5 - ~
+* Go 1.20.0 - ~ if `with_quic` tag enabled
+
+## Installation
 
 ```bash
 go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
@@ -9,7 +20,7 @@ go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
 Install with options:
 
 ```bash
-go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
+go install -v -tags with_quic,with_wireguard github.com/sagernet/sing-box/cmd/sing-box@latest
 ```
 
 | Build Tag                          | Description                                                                                                                                                                                                                                                                                                                |

docs/installation/package-manager/android.md

@@ -0,0 +1,7 @@
+# Android
+
+## Termux
+
+```shell
+pkg add sing-box
+```

docs/installation/package-manager/macOS.md

@@ -0,0 +1,14 @@
+# macOS
+
+## Homebrew (core)
+
+```shell
+brew install sing-box
+```
+
+## Homebrew (Tap)
+
+```shell
+brew tap sagernet/sing-box
+brew install sagernet/sing-box/sing-box
+```

docs/installation/package-manager/windows.md

@@ -0,0 +1,13 @@
+# Windows
+
+## Chocolatey
+
+```shell
+choco install sing-box
+```
+
+## winget
+
+```shell
+winget install sing-box
+```

docs/support.md

@@ -1,8 +1,4 @@
-#### Github
-
-Issue: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)
-
-#### Telegram
-
-Notification channel: [@yapnc](https://t.me/yapnc)  
-User group: [@yapug](https://t.me/yapug)
+Github Issue: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)  
+Telegram Notification channel: [@yapnc](https://t.me/yapnc)  
+Telegram User group: [@yapug](https://t.me/yapug)  
+Email: [contact@sagernet.org](mailto:contact@sagernet.org)

docs/support.zh.md

@@ -1,8 +1,4 @@
-#### Github
-
-工单: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)
-
-#### Telegram
-
-通知频道: [@yapnc](https://t.me/yapnc)  
-用户组: [@yapug](https://t.me/yapug)
+Github 工单: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)  
+Telegram 通知频道: [@yapnc](https://t.me/yapnc)  
+Telegram 用户组: [@yapug](https://t.me/yapug)  
+Email: [contact@sagernet.org](mailto:contact@sagernet.org)

experimental/clashapi.go

@@ -7,6 +7,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
 )
 
 type ClashServerConstructor = func(ctx context.Context, router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error)
@@ -23,3 +24,28 @@ func NewClashServer(ctx context.Context, router adapter.Router, logFactory log.O
 	}
 	return clashServerConstructor(ctx, router, logFactory, options)
 }
+
+func CalculateClashModeList(options option.Options) []string {
+	var clashMode []string
+	for _, dnsRule := range common.PtrValueOrDefault(options.DNS).Rules {
+		if dnsRule.DefaultOptions.ClashMode != "" && !common.Contains(clashMode, dnsRule.DefaultOptions.ClashMode) {
+			clashMode = append(clashMode, dnsRule.DefaultOptions.ClashMode)
+		}
+		for _, defaultRule := range dnsRule.LogicalOptions.Rules {
+			if defaultRule.ClashMode != "" && !common.Contains(clashMode, defaultRule.ClashMode) {
+				clashMode = append(clashMode, defaultRule.ClashMode)
+			}
+		}
+	}
+	for _, rule := range common.PtrValueOrDefault(options.Route).Rules {
+		if rule.DefaultOptions.ClashMode != "" && !common.Contains(clashMode, rule.DefaultOptions.ClashMode) {
+			clashMode = append(clashMode, rule.DefaultOptions.ClashMode)
+		}
+		for _, defaultRule := range rule.LogicalOptions.Rules {
+			if defaultRule.ClashMode != "" && !common.Contains(clashMode, defaultRule.ClashMode) {
+				clashMode = append(clashMode, defaultRule.ClashMode)
+			}
+		}
+	}
+	return clashMode
+}

experimental/clashapi/cachefile/cache.go

@@ -3,23 +3,40 @@ package cachefile
 import (
 	"net/netip"
 	"os"
+	"strings"
 	"sync"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing/common"
 
 	"go.etcd.io/bbolt"
 )
 
-var bucketSelected = []byte("selected")
+var (
+	bucketSelected = []byte("selected")
+	bucketExpand   = []byte("group_expand")
+	bucketMode     = []byte("clash_mode")
+
+	bucketNameList = []string{
+		string(bucketSelected),
+		string(bucketExpand),
+		string(bucketMode),
+	}
+
+	cacheIDDefault = []byte("default")
+)
 
 var _ adapter.ClashCacheFile = (*CacheFile)(nil)
 
 type CacheFile struct {
-	DB         *bbolt.DB
-	cacheID    []byte
-	saveAccess sync.RWMutex
-	saveCache  map[netip.Addr]string
+	DB                *bbolt.DB
+	cacheID           []byte
+	saveAccess        sync.RWMutex
+	saveDomain        map[netip.Addr]string
+	saveAddress4      map[string]netip.Addr
+	saveAddress6      map[string]netip.Addr
+	saveMetadataTimer *time.Timer
 }
 
 func Open(path string, cacheID string) (*CacheFile, error) {
@@ -40,13 +57,70 @@ func Open(path string, cacheID string) (*CacheFile, error) {
 	if cacheID != "" {
 		cacheIDBytes = append([]byte{0}, []byte(cacheID)...)
 	}
+	err = db.Batch(func(tx *bbolt.Tx) error {
+		return tx.ForEach(func(name []byte, b *bbolt.Bucket) error {
+			if name[0] == 0 {
+				return b.ForEachBucket(func(k []byte) error {
+					bucketName := string(k)
+					if !(common.Contains(bucketNameList, bucketName)) {
+						_ = b.DeleteBucket(name)
+					}
+					return nil
+				})
+			} else {
+				bucketName := string(name)
+				if !(common.Contains(bucketNameList, bucketName) || strings.HasPrefix(bucketName, fakeipBucketPrefix)) {
+					_ = tx.DeleteBucket(name)
+				}
+			}
+			return nil
+		})
+	})
+	if err != nil {
+		return nil, err
+	}
 	return &CacheFile{
-		DB:        db,
-		cacheID:   cacheIDBytes,
-		saveCache: make(map[netip.Addr]string),
+		DB:           db,
+		cacheID:      cacheIDBytes,
+		saveDomain:   make(map[netip.Addr]string),
+		saveAddress4: make(map[string]netip.Addr),
+		saveAddress6: make(map[string]netip.Addr),
 	}, nil
 }
 
+func (c *CacheFile) LoadMode() string {
+	var mode string
+	c.DB.View(func(t *bbolt.Tx) error {
+		bucket := t.Bucket(bucketMode)
+		if bucket == nil {
+			return nil
+		}
+		var modeBytes []byte
+		if len(c.cacheID) > 0 {
+			modeBytes = bucket.Get(c.cacheID)
+		} else {
+			modeBytes = bucket.Get(cacheIDDefault)
+		}
+		mode = string(modeBytes)
+		return nil
+	})
+	return mode
+}
+
+func (c *CacheFile) StoreMode(mode string) error {
+	return c.DB.Batch(func(t *bbolt.Tx) error {
+		bucket, err := t.CreateBucketIfNotExists(bucketMode)
+		if err != nil {
+			return err
+		}
+		if len(c.cacheID) > 0 {
+			return bucket.Put(c.cacheID, []byte(mode))
+		} else {
+			return bucket.Put(cacheIDDefault, []byte(mode))
+		}
+	})
+}
+
 func (c *CacheFile) bucket(t *bbolt.Tx, key []byte) *bbolt.Bucket {
 	if c.cacheID == nil {
 		return t.Bucket(key)
@@ -95,6 +169,36 @@ func (c *CacheFile) StoreSelected(group, selected string) error {
 	})
 }
 
+func (c *CacheFile) LoadGroupExpand(group string) (isExpand bool, loaded bool) {
+	c.DB.View(func(t *bbolt.Tx) error {
+		bucket := c.bucket(t, bucketExpand)
+		if bucket == nil {
+			return nil
+		}
+		expandBytes := bucket.Get([]byte(group))
+		if len(expandBytes) == 1 {
+			isExpand = expandBytes[0] == 1
+			loaded = true
+		}
+		return nil
+	})
+	return
+}
+
+func (c *CacheFile) StoreGroupExpand(group string, isExpand bool) error {
+	return c.DB.Batch(func(t *bbolt.Tx) error {
+		bucket, err := c.createBucket(t, bucketExpand)
+		if err != nil {
+			return err
+		}
+		if isExpand {
+			return bucket.Put([]byte(group), []byte{1})
+		} else {
+			return bucket.Put([]byte(group), []byte{0})
+		}
+	})
+}
+
 func (c *CacheFile) Close() error {
 	return c.DB.Close()
 }

experimental/clashapi/cachefile/fakeip.go

@@ -3,21 +3,27 @@ package cachefile
 import (
 	"net/netip"
 	"os"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
 
 	"go.etcd.io/bbolt"
 )
 
+const fakeipBucketPrefix = "fakeip_"
+
 var (
-	bucketFakeIP = []byte("fakeip")
-	keyMetadata  = []byte("metadata")
+	bucketFakeIP        = []byte(fakeipBucketPrefix + "address")
+	bucketFakeIPDomain4 = []byte(fakeipBucketPrefix + "domain4")
+	bucketFakeIPDomain6 = []byte(fakeipBucketPrefix + "domain6")
+	keyMetadata         = []byte(fakeipBucketPrefix + "metadata")
 )
 
 func (c *CacheFile) FakeIPMetadata() *adapter.FakeIPMetadata {
 	var metadata adapter.FakeIPMetadata
-	err := c.DB.View(func(tx *bbolt.Tx) error {
+	err := c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket := tx.Bucket(bucketFakeIP)
 		if bucket == nil {
 			return nil
@@ -26,6 +32,10 @@ func (c *CacheFile) FakeIPMetadata() *adapter.FakeIPMetadata {
 		if len(metadataBinary) == 0 {
 			return os.ErrInvalid
 		}
+		err := bucket.Delete(keyMetadata)
+		if err != nil {
+			return err
+		}
 		return metadata.UnmarshalBinary(metadataBinary)
 	})
 	if err != nil {
@@ -48,19 +58,45 @@ func (c *CacheFile) FakeIPSaveMetadata(metadata *adapter.FakeIPMetadata) error {
 	})
 }
 
+func (c *CacheFile) FakeIPSaveMetadataAsync(metadata *adapter.FakeIPMetadata) {
+	if timer := c.saveMetadataTimer; timer != nil {
+		timer.Stop()
+	}
+	c.saveMetadataTimer = time.AfterFunc(10*time.Second, func() {
+		_ = c.FakeIPSaveMetadata(metadata)
+	})
+}
+
 func (c *CacheFile) FakeIPStore(address netip.Addr, domain string) error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket, err := tx.CreateBucketIfNotExists(bucketFakeIP)
 		if err != nil {
 			return err
 		}
-		return bucket.Put(address.AsSlice(), []byte(domain))
+		err = bucket.Put(address.AsSlice(), []byte(domain))
+		if err != nil {
+			return err
+		}
+		if address.Is4() {
+			bucket, err = tx.CreateBucketIfNotExists(bucketFakeIPDomain4)
+		} else {
+			bucket, err = tx.CreateBucketIfNotExists(bucketFakeIPDomain6)
+		}
+		if err != nil {
+			return err
+		}
+		return bucket.Put([]byte(domain), address.AsSlice())
 	})
 }
 
 func (c *CacheFile) FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger) {
 	c.saveAccess.Lock()
-	c.saveCache[address] = domain
+	c.saveDomain[address] = domain
+	if address.Is4() {
+		c.saveAddress4[domain] = address
+	} else {
+		c.saveAddress6[domain] = address
+	}
 	c.saveAccess.Unlock()
 	go func() {
 		err := c.FakeIPStore(address, domain)
@@ -68,14 +104,19 @@ func (c *CacheFile) FakeIPStoreAsync(address netip.Addr, domain string, logger l
 			logger.Warn("save FakeIP address pair: ", err)
 		}
 		c.saveAccess.Lock()
-		delete(c.saveCache, address)
+		delete(c.saveDomain, address)
+		if address.Is4() {
+			delete(c.saveAddress4, domain)
+		} else {
+			delete(c.saveAddress6, domain)
+		}
 		c.saveAccess.Unlock()
 	}()
 }
 
 func (c *CacheFile) FakeIPLoad(address netip.Addr) (string, bool) {
 	c.saveAccess.RLock()
-	cachedDomain, cached := c.saveCache[address]
+	cachedDomain, cached := c.saveDomain[address]
 	c.saveAccess.RUnlock()
 	if cached {
 		return cachedDomain, true
@@ -92,8 +133,48 @@ func (c *CacheFile) FakeIPLoad(address netip.Addr) (string, bool) {
 	return domain, domain != ""
 }
 
+func (c *CacheFile) FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bool) {
+	var (
+		cachedAddress netip.Addr
+		cached        bool
+	)
+	c.saveAccess.RLock()
+	if !isIPv6 {
+		cachedAddress, cached = c.saveAddress4[domain]
+	} else {
+		cachedAddress, cached = c.saveAddress6[domain]
+	}
+	c.saveAccess.RUnlock()
+	if cached {
+		return cachedAddress, true
+	}
+	var address netip.Addr
+	_ = c.DB.View(func(tx *bbolt.Tx) error {
+		var bucket *bbolt.Bucket
+		if isIPv6 {
+			bucket = tx.Bucket(bucketFakeIPDomain6)
+		} else {
+			bucket = tx.Bucket(bucketFakeIPDomain4)
+		}
+		if bucket == nil {
+			return nil
+		}
+		address = M.AddrFromIP(bucket.Get([]byte(domain)))
+		return nil
+	})
+	return address, address.IsValid()
+}
+
 func (c *CacheFile) FakeIPReset() error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
-		return tx.DeleteBucket(bucketFakeIP)
+		err := tx.DeleteBucket(bucketFakeIP)
+		if err != nil {
+			return err
+		}
+		err = tx.DeleteBucket(bucketFakeIPDomain4)
+		if err != nil {
+			return err
+		}
+		return tx.DeleteBucket(bucketFakeIPDomain6)
 	})
 }

experimental/clashapi/compatible/map.go

@@ -7,6 +7,15 @@ type Map[K comparable, V any] struct {
 	m sync.Map
 }
 
+func (m *Map[K, V]) Len() int {
+	var count int
+	m.m.Range(func(key, value any) bool {
+		count++
+		return true
+	})
+	return count
+}
+
 func (m *Map[K, V]) Load(key K) (V, bool) {
 	v, ok := m.m.Load(key)
 	if !ok {

experimental/clashapi/configs.go

@@ -2,7 +2,6 @@ package clashapi
 
 import (
 	"net/http"
-	"strings"
 
 	"github.com/sagernet/sing-box/log"
 
@@ -10,11 +9,11 @@ import (
 	"github.com/go-chi/render"
 )
 
-func configRouter(server *Server, logFactory log.Factory, logger log.Logger) http.Handler {
+func configRouter(server *Server, logFactory log.Factory) http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", getConfigs(server, logFactory))
 	r.Put("/", updateConfigs)
-	r.Patch("/", patchConfigs(server, logger))
+	r.Patch("/", patchConfigs(server))
 	return r
 }
 
@@ -48,7 +47,7 @@ func getConfigs(server *Server, logFactory log.Factory) func(w http.ResponseWrit
 	}
 }
 
-func patchConfigs(server *Server, logger log.Logger) func(w http.ResponseWriter, r *http.Request) {
+func patchConfigs(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var newConfig configSchema
 		err := render.DecodeJSON(r.Body, &newConfig)
@@ -58,11 +57,7 @@ func patchConfigs(server *Server, logger log.Logger) func(w http.ResponseWriter,
 			return
 		}
 		if newConfig.Mode != "" {
-			mode := strings.ToLower(newConfig.Mode)
-			if server.mode != mode {
-				server.mode = mode
-				logger.Info("updated mode: ", mode)
-			}
+			server.SetMode(newConfig.Mode)
 		}
 		render.NoContent(w, r)
 	}

experimental/clashapi/proxies.go

@@ -63,38 +63,10 @@ func proxyInfo(server *Server, detour adapter.Outbound) *badjson.JSONObject {
 	var info badjson.JSONObject
 	var clashType string
 	switch detour.Type() {
-	case C.TypeDirect:
-		clashType = "Direct"
 	case C.TypeBlock:
 		clashType = "Reject"
-	case C.TypeSocks:
-		clashType = "Socks"
-	case C.TypeHTTP:
-		clashType = "HTTP"
-	case C.TypeShadowsocks:
-		clashType = "Shadowsocks"
-	case C.TypeVMess:
-		clashType = "VMess"
-	case C.TypeTrojan:
-		clashType = "Trojan"
-	case C.TypeHysteria:
-		clashType = "Hysteria"
-	case C.TypeWireGuard:
-		clashType = "WireGuard"
-	case C.TypeShadowsocksR:
-		clashType = "ShadowsocksR"
-	case C.TypeVLESS:
-		clashType = "VLESS"
-	case C.TypeTor:
-		clashType = "Tor"
-	case C.TypeSSH:
-		clashType = "SSH"
-	case C.TypeSelector:
-		clashType = "Selector"
-	case C.TypeURLTest:
-		clashType = "URLTest"
 	default:
-		clashType = "Direct"
+		clashType = C.ProxyDisplayName(detour.Type())
 	}
 	info.Put("type", clashType)
 	info.Put("name", detour.Tag())

experimental/clashapi/server.go

@@ -46,12 +46,16 @@ type Server struct {
 	trafficManager *trafficontrol.Manager
 	urlTestHistory *urltest.HistoryStorage
 	mode           string
+	modeList       []string
+	modeUpdateHook chan<- struct{}
+	storeMode      bool
 	storeSelected  bool
 	storeFakeIP    bool
 	cacheFilePath  string
 	cacheID        string
 	cacheFile      adapter.ClashCacheFile
 
+	externalController       bool
 	externalUI               string
 	externalUIDownloadURL    string
 	externalUIDownloadDetour string
@@ -69,7 +73,9 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 			Handler: chiRouter,
 		},
 		trafficManager:           trafficManager,
-		mode:                     strings.ToLower(options.DefaultMode),
+		modeList:                 options.ModeList,
+		externalController:       options.ExternalController != "",
+		storeMode:                options.StoreMode,
 		storeSelected:            options.StoreSelected,
 		storeFakeIP:              options.StoreFakeIP,
 		externalUIDownloadURL:    options.ExternalUIDownloadURL,
@@ -79,10 +85,15 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 	if server.urlTestHistory == nil {
 		server.urlTestHistory = urltest.NewHistoryStorage()
 	}
-	if server.mode == "" {
-		server.mode = "rule"
+	defaultMode := "Rule"
+	if options.DefaultMode != "" {
+		defaultMode = options.DefaultMode
 	}
-	if options.StoreSelected || options.StoreFakeIP {
+	if !common.Contains(server.modeList, defaultMode) {
+		server.modeList = append([]string{defaultMode}, server.modeList...)
+	}
+	server.mode = defaultMode
+	if options.StoreMode || options.StoreSelected || options.StoreFakeIP || options.ExternalController == "" {
 		cachePath := os.ExpandEnv(options.CacheFile)
 		if cachePath == "" {
 			cachePath = "cache.db"
@@ -108,7 +119,7 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 		r.Get("/logs", getLogs(logFactory))
 		r.Get("/traffic", traffic(trafficManager))
 		r.Get("/version", version)
-		r.Mount("/configs", configRouter(server, logFactory, server.logger))
+		r.Mount("/configs", configRouter(server, logFactory))
 		r.Mount("/proxies", proxyRouter(server, router))
 		r.Mount("/rules", ruleRouter(router))
 		r.Mount("/connections", connectionRouter(router, trafficManager))
@@ -141,23 +152,33 @@ func (s *Server) PreStart() error {
 			return E.Cause(err, "open cache file")
 		}
 		s.cacheFile = cacheFile
+		if s.storeMode {
+			mode := s.cacheFile.LoadMode()
+			if common.Any(s.modeList, func(it string) bool {
+				return strings.EqualFold(it, mode)
+			}) {
+				s.mode = mode
+			}
+		}
 	}
 	return nil
 }
 
 func (s *Server) Start() error {
-	s.checkAndDownloadExternalUI()
-	listener, err := net.Listen("tcp", s.httpServer.Addr)
-	if err != nil {
-		return E.Cause(err, "external controller listen error")
-	}
-	s.logger.Info("restful api listening at ", listener.Addr())
-	go func() {
-		err = s.httpServer.Serve(listener)
-		if err != nil && !errors.Is(err, http.ErrServerClosed) {
-			s.logger.Error("external controller serve error: ", err)
+	if s.externalController {
+		s.checkAndDownloadExternalUI()
+		listener, err := net.Listen("tcp", s.httpServer.Addr)
+		if err != nil {
+			return E.Cause(err, "external controller listen error")
 		}
-	}()
+		s.logger.Info("restful api listening at ", listener.Addr())
+		go func() {
+			err = s.httpServer.Serve(listener)
+			if err != nil && !errors.Is(err, http.ErrServerClosed) {
+				s.logger.Error("external controller serve error: ", err)
+			}
+		}()
+	}
 	return nil
 }
 
@@ -166,6 +187,7 @@ func (s *Server) Close() error {
 		common.PtrOrNil(s.httpServer),
 		s.trafficManager,
 		s.cacheFile,
+		s.urlTestHistory,
 	)
 }
 
@@ -173,6 +195,43 @@ func (s *Server) Mode() string {
 	return s.mode
 }
 
+func (s *Server) ModeList() []string {
+	return s.modeList
+}
+
+func (s *Server) SetModeUpdateHook(hook chan<- struct{}) {
+	s.modeUpdateHook = hook
+}
+
+func (s *Server) SetMode(newMode string) {
+	if !common.Contains(s.modeList, newMode) {
+		newMode = common.Find(s.modeList, func(it string) bool {
+			return strings.EqualFold(it, newMode)
+		})
+	}
+	if !common.Contains(s.modeList, newMode) {
+		return
+	}
+	if newMode == s.mode {
+		return
+	}
+	s.mode = newMode
+	if s.modeUpdateHook != nil {
+		select {
+		case s.modeUpdateHook <- struct{}{}:
+		default:
+		}
+	}
+	s.router.ClearDNSCache()
+	if s.storeMode {
+		err := s.cacheFile.StoreMode(newMode)
+		if err != nil {
+			s.logger.Error(E.Cause(err, "save mode"))
+		}
+	}
+	s.logger.Info("updated mode: ", newMode)
+}
+
 func (s *Server) StoreSelected() bool {
 	return s.storeSelected
 }
@@ -189,6 +248,10 @@ func (s *Server) HistoryStorage() *urltest.HistoryStorage {
 	return s.urlTestHistory
 }
 
+func (s *Server) TrafficManager() *trafficontrol.Manager {
+	return s.trafficManager
+}
+
 func (s *Server) RoutedConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, matchedRule adapter.Rule) (net.Conn, adapter.Tracker) {
 	tracker := trafficontrol.NewTCPTracker(conn, s.trafficManager, castMetadata(metadata), s.router, matchedRule)
 	return tracker, tracker

experimental/clashapi/trafficontrol/manager.go

@@ -55,6 +55,14 @@ func (m *Manager) Now() (up int64, down int64) {
 	return m.uploadBlip.Load(), m.downloadBlip.Load()
 }
 
+func (m *Manager) Total() (up int64, down int64) {
+	return m.uploadTotal.Load(), m.downloadTotal.Load()
+}
+
+func (m *Manager) Connections() int {
+	return m.connections.Len()
+}
+
 func (m *Manager) Snapshot() *Snapshot {
 	var connections []tracker
 	m.connections.Range(func(_ string, value tracker) bool {

experimental/libbox/command.go

@@ -8,4 +8,9 @@ const (
 	CommandGroup
 	CommandSelectOutbound
 	CommandURLTest
+	CommandGroupExpand
+	CommandClashMode
+	CommandSetClashMode
+	CommandGetSystemProxyStatus
+	CommandSetSystemProxyEnabled
 )

experimental/libbox/command_clash_mode.go

@@ -0,0 +1,135 @@
+package libbox
+
+import (
+	"encoding/binary"
+	"io"
+	"net"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/experimental/clashapi"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/rw"
+)
+
+func (c *CommandClient) SetClashMode(newMode string) error {
+	conn, err := c.directConnect()
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandSetClashMode))
+	if err != nil {
+		return err
+	}
+	err = rw.WriteVString(conn, newMode)
+	if err != nil {
+		return err
+	}
+	return readError(conn)
+}
+
+func (s *CommandServer) handleSetClashMode(conn net.Conn) error {
+	defer conn.Close()
+	newMode, err := rw.ReadVString(conn)
+	if err != nil {
+		return err
+	}
+	service := s.service
+	if service == nil {
+		return writeError(conn, E.New("service not ready"))
+	}
+	clashServer := service.instance.Router().ClashServer()
+	if clashServer == nil {
+		return writeError(conn, E.New("Clash API disabled"))
+	}
+	clashServer.(*clashapi.Server).SetMode(newMode)
+	return writeError(conn, nil)
+}
+
+func (c *CommandClient) handleModeConn(conn net.Conn) {
+	defer conn.Close()
+
+	for {
+		newMode, err := rw.ReadVString(conn)
+		if err != nil {
+			c.handler.Disconnected(err.Error())
+			return
+		}
+		c.handler.UpdateClashMode(newMode)
+	}
+}
+
+func (s *CommandServer) handleModeConn(conn net.Conn) error {
+	defer conn.Close()
+	ctx := connKeepAlive(conn)
+	for s.service == nil {
+		select {
+		case <-time.After(time.Second):
+			continue
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+	clashServer := s.service.instance.Router().ClashServer()
+	if clashServer == nil {
+		defer conn.Close()
+		return binary.Write(conn, binary.BigEndian, uint16(0))
+	}
+	err := writeClashModeList(conn, clashServer)
+	if err != nil {
+		return err
+	}
+	for {
+		select {
+		case <-s.modeUpdate:
+			err = rw.WriteVString(conn, clashServer.Mode())
+			if err != nil {
+				return err
+			}
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+}
+
+func readClashModeList(reader io.Reader) (modeList []string, currentMode string, err error) {
+	var modeListLength uint16
+	err = binary.Read(reader, binary.BigEndian, &modeListLength)
+	if err != nil {
+		return
+	}
+	if modeListLength == 0 {
+		return
+	}
+	modeList = make([]string, modeListLength)
+	for i := 0; i < int(modeListLength); i++ {
+		modeList[i], err = rw.ReadVString(reader)
+		if err != nil {
+			return
+		}
+	}
+	currentMode, err = rw.ReadVString(reader)
+	return
+}
+
+func writeClashModeList(writer io.Writer, clashServer adapter.ClashServer) error {
+	modeList := clashServer.ModeList()
+	err := binary.Write(writer, binary.BigEndian, uint16(len(modeList)))
+	if err != nil {
+		return err
+	}
+	if len(modeList) > 0 {
+		for _, mode := range modeList {
+			err = rw.WriteVString(writer, mode)
+			if err != nil {
+				return err
+			}
+		}
+		err = rw.WriteVString(writer, clashServer.Mode())
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

experimental/libbox/command_client.go

@@ -3,17 +3,18 @@ package libbox
 import (
 	"encoding/binary"
 	"net"
+	"os"
 	"path/filepath"
+	"time"
 
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
 type CommandClient struct {
-	sharedDirectory string
-	handler         CommandClientHandler
-	conn            net.Conn
-	options         CommandClientOptions
+	handler CommandClientHandler
+	conn    net.Conn
+	options CommandClientOptions
 }
 
 type CommandClientOptions struct {
@@ -27,32 +28,50 @@ type CommandClientHandler interface {
 	WriteLog(message string)
 	WriteStatus(message *StatusMessage)
 	WriteGroups(message OutboundGroupIterator)
+	InitializeClashMode(modeList StringIterator, currentMode string)
+	UpdateClashMode(newMode string)
 }
 
-func NewStandaloneCommandClient(sharedDirectory string) *CommandClient {
-	return &CommandClient{
-		sharedDirectory: sharedDirectory,
-	}
+func NewStandaloneCommandClient() *CommandClient {
+	return new(CommandClient)
 }
 
-func NewCommandClient(sharedDirectory string, handler CommandClientHandler, options *CommandClientOptions) *CommandClient {
+func NewCommandClient(handler CommandClientHandler, options *CommandClientOptions) *CommandClient {
 	return &CommandClient{
-		sharedDirectory: sharedDirectory,
-		handler:         handler,
-		options:         common.PtrValueOrDefault(options),
+		handler: handler,
+		options: common.PtrValueOrDefault(options),
 	}
 }
 
 func (c *CommandClient) directConnect() (net.Conn, error) {
-	return net.DialUnix("unix", nil, &net.UnixAddr{
-		Name: filepath.Join(c.sharedDirectory, "command.sock"),
-		Net:  "unix",
-	})
+	if !sTVOS {
+		return net.DialUnix("unix", nil, &net.UnixAddr{
+			Name: filepath.Join(sBasePath, "command.sock"),
+			Net:  "unix",
+		})
+	} else {
+		return net.Dial("tcp", "127.0.0.1:8964")
+	}
+}
+
+func (c *CommandClient) directConnectWithRetry() (net.Conn, error) {
+	var (
+		conn net.Conn
+		err  error
+	)
+	for i := 0; i < 10; i++ {
+		conn, err = c.directConnect()
+		if err == nil {
+			return conn, nil
+		}
+		time.Sleep(time.Duration(100+i*50) * time.Millisecond)
+	}
+	return nil, err
 }
 
 func (c *CommandClient) Connect() error {
 	common.Close(c.conn)
-	conn, err := c.directConnect()
+	conn, err := c.directConnectWithRetry()
 	if err != nil {
 		return err
 	}
@@ -79,6 +98,23 @@ func (c *CommandClient) Connect() error {
 		}
 		c.handler.Connected()
 		go c.handleGroupConn(conn)
+	case CommandClashMode:
+		var (
+			modeList    []string
+			currentMode string
+		)
+		modeList, currentMode, err = readClashModeList(conn)
+		if err != nil {
+			return err
+		}
+		c.handler.Connected()
+		c.handler.InitializeClashMode(newIterator(modeList), currentMode)
+		if len(modeList) == 0 {
+			conn.Close()
+			c.handler.Disconnected(os.ErrInvalid.Error())
+			return nil
+		}
+		go c.handleModeConn(conn)
 	}
 	return nil
 }

experimental/libbox/command_conntrack.go

@@ -6,7 +6,7 @@ import (
 	runtimeDebug "runtime/debug"
 	"time"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 )
 
 func (c *CommandClient) CloseConnections() error {

experimental/libbox/command_group.go

@@ -4,10 +4,12 @@ import (
 	"encoding/binary"
 	"io"
 	"net"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/outbound"
+	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
 	"github.com/sagernet/sing/service"
 )
@@ -17,6 +19,7 @@ type OutboundGroup struct {
 	Type       string
 	Selectable bool
 	Selected   string
+	IsExpand   bool
 	items      []*OutboundGroupItem
 }
 
@@ -71,6 +74,11 @@ func (s *CommandServer) handleGroupConn(conn net.Conn) error {
 			}
 		}
 		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-time.After(2 * time.Second):
+		}
+		select {
 		case <-ctx.Done():
 			return ctx.Err()
 		case <-s.urlTestUpdate:
@@ -108,6 +116,11 @@ func readGroups(reader io.Reader) (OutboundGroupIterator, error) {
 			return nil, err
 		}
 
+		err = binary.Read(reader, binary.BigEndian, &group.IsExpand)
+		if err != nil {
+			return nil, err
+		}
+
 		var itemLength uint16
 		err = binary.Read(reader, binary.BigEndian, &itemLength)
 		if err != nil {
@@ -146,6 +159,10 @@ func readGroups(reader io.Reader) (OutboundGroupIterator, error) {
 
 func writeGroups(writer io.Writer, boxService *BoxService) error {
 	historyStorage := service.PtrFromContext[urltest.HistoryStorage](boxService.ctx)
+	var cacheFile adapter.ClashCacheFile
+	if clashServer := boxService.instance.Router().ClashServer(); clashServer != nil {
+		cacheFile = clashServer.CacheFile()
+	}
 
 	outbounds := boxService.instance.Router().Outbounds()
 	var iGroups []adapter.OutboundGroup
@@ -161,6 +178,11 @@ func writeGroups(writer io.Writer, boxService *BoxService) error {
 		group.Type = iGroup.Type()
 		_, group.Selectable = iGroup.(*outbound.Selector)
 		group.Selected = iGroup.Now()
+		if cacheFile != nil {
+			if isExpand, loaded := cacheFile.LoadGroupExpand(group.Tag); loaded {
+				group.IsExpand = isExpand
+			}
+		}
 
 		for _, itemTag := range iGroup.All() {
 			itemOutbound, isLoaded := boxService.instance.Router().Outbound(itemTag)
@@ -177,6 +199,9 @@ func writeGroups(writer io.Writer, boxService *BoxService) error {
 			}
 			group.items = append(group.items, &item)
 		}
+		if len(group.items) < 2 {
+			continue
+		}
 		groups = append(groups, group)
 	}
 
@@ -201,6 +226,10 @@ func writeGroups(writer io.Writer, boxService *BoxService) error {
 		if err != nil {
 			return err
 		}
+		err = binary.Write(writer, binary.BigEndian, group.IsExpand)
+		if err != nil {
+			return err
+		}
 		err = binary.Write(writer, binary.BigEndian, uint16(len(group.items)))
 		if err != nil {
 			return err
@@ -226,3 +255,50 @@ func writeGroups(writer io.Writer, boxService *BoxService) error {
 	}
 	return nil
 }
+
+func (c *CommandClient) SetGroupExpand(groupTag string, isExpand bool) error {
+	conn, err := c.directConnect()
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandGroupExpand))
+	if err != nil {
+		return err
+	}
+	err = rw.WriteVString(conn, groupTag)
+	if err != nil {
+		return err
+	}
+	err = binary.Write(conn, binary.BigEndian, isExpand)
+	if err != nil {
+		return err
+	}
+	return readError(conn)
+}
+
+func (s *CommandServer) handleSetGroupExpand(conn net.Conn) error {
+	defer conn.Close()
+	groupTag, err := rw.ReadVString(conn)
+	if err != nil {
+		return err
+	}
+	var isExpand bool
+	err = binary.Read(conn, binary.BigEndian, &isExpand)
+	if err != nil {
+		return err
+	}
+	service := s.service
+	if service == nil {
+		return writeError(conn, E.New("service not ready"))
+	}
+	if clashServer := service.instance.Router().ClashServer(); clashServer != nil {
+		if cacheFile := clashServer.CacheFile(); cacheFile != nil {
+			err = cacheFile.StoreGroupExpand(groupTag, isExpand)
+			if err != nil {
+				return writeError(conn, err)
+			}
+		}
+	}
+	return writeError(conn, nil)
+}

experimental/libbox/command_server.go

@@ -8,6 +8,7 @@ import (
 	"sync"
 
 	"github.com/sagernet/sing-box/common/urltest"
+	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/debug"
@@ -18,7 +19,6 @@ import (
 )
 
 type CommandServer struct {
-	sockPath string
 	listener net.Listener
 	handler  CommandServerHandler
 
@@ -29,36 +29,35 @@ type CommandServer struct {
 	observer   *observable.Observer[string]
 	service    *BoxService
 
-	urlTestListener *list.Element[func()]
-	urlTestUpdate   chan struct{}
+	urlTestUpdate chan struct{}
+	modeUpdate    chan struct{}
 }
 
 type CommandServerHandler interface {
 	ServiceReload() error
+	GetSystemProxyStatus() *SystemProxyStatus
+	SetSystemProxyEnabled(isEnabled bool) error
 }
 
-func NewCommandServer(sharedDirectory string, handler CommandServerHandler, maxLines int32) *CommandServer {
+func NewCommandServer(handler CommandServerHandler, maxLines int32) *CommandServer {
 	server := &CommandServer{
-		sockPath:      filepath.Join(sharedDirectory, "command.sock"),
 		handler:       handler,
 		savedLines:    new(list.List[string]),
 		maxLines:      int(maxLines),
 		subscriber:    observable.NewSubscriber[string](128),
 		urlTestUpdate: make(chan struct{}, 1),
+		modeUpdate:    make(chan struct{}, 1),
 	}
 	server.observer = observable.NewObserver[string](server.subscriber, 64)
 	return server
 }
 
 func (s *CommandServer) SetService(newService *BoxService) {
-	if s.service != nil && s.listener != nil {
-		service.PtrFromContext[urltest.HistoryStorage](s.service.ctx).RemoveListener(s.urlTestListener)
-		s.urlTestListener = nil
+	if newService != nil {
+		service.PtrFromContext[urltest.HistoryStorage](newService.ctx).SetHook(s.urlTestUpdate)
+		newService.instance.Router().ClashServer().(*clashapi.Server).SetModeUpdateHook(s.modeUpdate)
 	}
 	s.service = newService
-	if newService != nil {
-		s.urlTestListener = service.PtrFromContext[urltest.HistoryStorage](newService.ctx).AddListener(s.notifyURLTestUpdate)
-	}
 	s.notifyURLTestUpdate()
 }
 
@@ -70,13 +69,40 @@ func (s *CommandServer) notifyURLTestUpdate() {
 }
 
 func (s *CommandServer) Start() error {
-	os.Remove(s.sockPath)
+	if !sTVOS {
+		return s.listenUNIX()
+	} else {
+		return s.listenTCP()
+	}
+}
+
+func (s *CommandServer) listenUNIX() error {
+	sockPath := filepath.Join(sBasePath, "command.sock")
+	os.Remove(sockPath)
 	listener, err := net.ListenUnix("unix", &net.UnixAddr{
-		Name: s.sockPath,
+		Name: sockPath,
 		Net:  "unix",
 	})
 	if err != nil {
-		return err
+		return E.Cause(err, "listen ", sockPath)
+	}
+	if sUserID > 0 {
+		err = os.Chown(sockPath, sUserID, sGroupID)
+		if err != nil {
+			listener.Close()
+			os.Remove(sockPath)
+			return E.Cause(err, "chown")
+		}
+	}
+	s.listener = listener
+	go s.loopConnection(listener)
+	return nil
+}
+
+func (s *CommandServer) listenTCP() error {
+	listener, err := net.Listen("tcp", "127.0.0.1:8964")
+	if err != nil {
+		return E.Cause(err, "listen")
 	}
 	s.listener = listener
 	go s.loopConnection(listener)
@@ -129,6 +155,16 @@ func (s *CommandServer) handleConnection(conn net.Conn) error {
 		return s.handleSelectOutbound(conn)
 	case CommandURLTest:
 		return s.handleURLTest(conn)
+	case CommandGroupExpand:
+		return s.handleSetGroupExpand(conn)
+	case CommandClashMode:
+		return s.handleModeConn(conn)
+	case CommandSetClashMode:
+		return s.handleSetClashMode(conn)
+	case CommandGetSystemProxyStatus:
+		return s.handleGetSystemProxyStatus(conn)
+	case CommandSetSystemProxyEnabled:
+		return s.handleSetSystemProxyEnabled(conn)
 	default:
 		return E.New("unknown command: ", command)
 	}

experimental/libbox/command_status.go

@@ -6,23 +6,41 @@ import (
 	"runtime"
 	"time"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/experimental/clashapi"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/memory"
 )
 
 type StatusMessage struct {
-	Memory      int64
-	Goroutines  int32
-	Connections int32
+	Memory           int64
+	MemoryInuse      int64
+	Goroutines       int32
+	ConnectionsIn    int32
+	ConnectionsOut   int32
+	TrafficAvailable bool
+	Uplink           int64
+	Downlink         int64
+	UplinkTotal      int64
+	DownlinkTotal    int64
 }
 
-func readStatus() StatusMessage {
-	var memStats runtime.MemStats
-	runtime.ReadMemStats(&memStats)
+func (s *CommandServer) readStatus() StatusMessage {
 	var message StatusMessage
-	message.Memory = int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
+	message.Memory = int64(memory.Inuse())
 	message.Goroutines = int32(runtime.NumGoroutine())
-	message.Connections = int32(conntrack.Count())
+	message.ConnectionsOut = int32(conntrack.Count())
+
+	if s.service != nil {
+		if clashServer := s.service.instance.Router().ClashServer(); clashServer != nil {
+			message.TrafficAvailable = true
+			trafficManager := clashServer.(*clashapi.Server).TrafficManager()
+			message.Uplink, message.Downlink = trafficManager.Now()
+			message.UplinkTotal, message.DownlinkTotal = trafficManager.Total()
+			message.ConnectionsIn = int32(trafficManager.Connections())
+		}
+	}
+
 	return message
 }
 
@@ -36,7 +54,7 @@ func (s *CommandServer) handleStatusConn(conn net.Conn) error {
 	defer ticker.Stop()
 	ctx := connKeepAlive(conn)
 	for {
-		err = binary.Write(conn, binary.BigEndian, readStatus())
+		err = binary.Write(conn, binary.BigEndian, s.readStatus())
 		if err != nil {
 			return err
 		}

experimental/libbox/command_system_proxy.go

@@ -0,0 +1,82 @@
+package libbox
+
+import (
+	"encoding/binary"
+	"net"
+)
+
+type SystemProxyStatus struct {
+	Available bool
+	Enabled   bool
+}
+
+func (c *CommandClient) GetSystemProxyStatus() (*SystemProxyStatus, error) {
+	conn, err := c.directConnectWithRetry()
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandGetSystemProxyStatus))
+	if err != nil {
+		return nil, err
+	}
+	var status SystemProxyStatus
+	err = binary.Read(conn, binary.BigEndian, &status.Available)
+	if err != nil {
+		return nil, err
+	}
+	if status.Available {
+		err = binary.Read(conn, binary.BigEndian, &status.Enabled)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return &status, nil
+}
+
+func (s *CommandServer) handleGetSystemProxyStatus(conn net.Conn) error {
+	defer conn.Close()
+	status := s.handler.GetSystemProxyStatus()
+	err := binary.Write(conn, binary.BigEndian, status.Available)
+	if err != nil {
+		return err
+	}
+	if status.Available {
+		err = binary.Write(conn, binary.BigEndian, status.Enabled)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *CommandClient) SetSystemProxyEnabled(isEnabled bool) error {
+	conn, err := c.directConnect()
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandSetSystemProxyEnabled))
+	if err != nil {
+		return err
+	}
+	err = binary.Write(conn, binary.BigEndian, isEnabled)
+	if err != nil {
+		return err
+	}
+	return readError(conn)
+}
+
+func (s *CommandServer) handleSetSystemProxyEnabled(conn net.Conn) error {
+	defer conn.Close()
+	var isEnabled bool
+	err := binary.Read(conn, binary.BigEndian, &isEnabled)
+	if err != nil {
+		return err
+	}
+	err = s.handler.SetSystemProxyEnabled(isEnabled)
+	if err != nil {
+		return writeError(conn, err)
+	}
+	return writeError(conn, nil)
+}

experimental/libbox/dns.go

@@ -49,6 +49,9 @@ func (p *platformLocalDNSTransport) Start() error {
 	return nil
 }
 
+func (p *platformLocalDNSTransport) Reset() {
+}
+
 func (p *platformLocalDNSTransport) Close() error {
 	return nil
 }

experimental/libbox/log.go

@@ -4,6 +4,7 @@ package libbox
 
 import (
 	"os"
+	"runtime"
 
 	"golang.org/x/sys/unix"
 )
@@ -18,29 +19,15 @@ func RedirectStderr(path string) error {
 	if err != nil {
 		return err
 	}
-	err = unix.Dup2(int(outputFile.Fd()), int(os.Stderr.Fd()))
-	if err != nil {
-		outputFile.Close()
-		os.Remove(outputFile.Name())
-		return err
-	}
-	stderrFile = outputFile
-	return nil
-}
-
-func RedirectStderrAsUser(path string, uid, gid int) error {
-	if stats, err := os.Stat(path); err == nil && stats.Size() > 0 {
-		_ = os.Rename(path, path+".old")
-	}
-	outputFile, err := os.Create(path)
-	if err != nil {
-		return err
-	}
-	err = outputFile.Chown(uid, gid)
-	if err != nil {
-		outputFile.Close()
-		os.Remove(outputFile.Name())
-		return err
+	if runtime.GOOS != "android" {
+		if sUserID > 0 {
+			err = outputFile.Chown(sUserID, sGroupID)
+			if err != nil {
+				outputFile.Close()
+				os.Remove(outputFile.Name())
+				return err
+			}
+		}
 	}
 	err = unix.Dup2(int(outputFile.Fd()), int(os.Stderr.Fd()))
 	if err != nil {

experimental/libbox/memory.go

@@ -1,18 +1,23 @@
-//go:build darwin
-
 package libbox
 
 import (
+	"math"
 	runtimeDebug "runtime/debug"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 )
 
-const memoryLimit = 30 * 1024 * 1024
-
-func SetMemoryLimit() {
-	runtimeDebug.SetGCPercent(10)
-	runtimeDebug.SetMemoryLimit(memoryLimit)
-	conntrack.KillerEnabled = true
-	conntrack.MemoryLimit = memoryLimit
+func SetMemoryLimit(enabled bool) {
+	const memoryLimit = 45 * 1024 * 1024
+	const memoryLimitGo = memoryLimit / 1.5
+	if enabled {
+		runtimeDebug.SetGCPercent(10)
+		runtimeDebug.SetMemoryLimit(memoryLimitGo)
+		conntrack.KillerEnabled = true
+		conntrack.MemoryLimit = memoryLimit
+	} else {
+		runtimeDebug.SetGCPercent(100)
+		runtimeDebug.SetMemoryLimit(math.MaxInt64)
+		conntrack.KillerEnabled = false
+	}
 }