Fix resolve dialer

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,70 +1,77 @@
-name: Bug Report
-description: "Create a report to help us improve."
+name: Bug report
+description: "Report sing-box bug"
 body:
-  - type: checkboxes
-    id: terms
+  - type: dropdown
     attributes:
-      label: Welcome
+      label: Operating system
+      description: Operating system type
       options:
-        - label: Yes, I'm using the latest major release. Only such installations are supported.
-          required: true
-        - label: Yes, I'm using the latest Golang release. Only such installations are supported.
-          required: true
-        - label: Yes, I've searched similar issues on GitHub and didn't find any.
-          required: true
-        - label: Yes, I've included all information below (version, **FULL** config, **FULL** log, etc).
-          required: true
-
-  - type: textarea
-    id: problem
-    attributes:
-      label: Description of the problem
-      placeholder: Your problem description
+        - iOS
+        - macOS
+        - Apple tvOS
+        - Android
+        - Windows
+        - Linux
+        - Others
     validations:
       required: true
-
-  - type: textarea
-    id: version
+  - type: input
     attributes:
-      label: Version of sing-box
+      label: System version
+      description: Please provide the operating system version
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Installation type
+      description: Please provide the sing-box installation type
+      options:
+        - Original sing-box Command Line
+        - sing-box for iOS Graphical Client
+        - sing-box for macOS Graphical Client
+        - sing-box for Apple tvOS Graphical Client
+        - sing-box for Android Graphical Client
+        - Third-party graphical clients that advertise themselves as using sing-box (Windows)
+        - Third-party graphical clients that advertise themselves as using sing-box (Android)
+        - Others
+    validations:
+      required: true
+  - type: input
+    attributes:
+      description: Graphical client version
+      label: If you are using a graphical client, please provide the version of the client.
+  - type: textarea
+    attributes:
+      label: Version
+      description: If you are using the original command line program, please provide the output of the `sing-box version` command.
       value: |-
         <details>
-
         ```console
-        $ sing-box version
-        # Paste output here
+        # Replace this line with the output
         ```
-
         </details>
+  - type: textarea
+    attributes:
+      label: Description
+      description: Please provide a detailed description of the error.
     validations:
       required: true
-
   - type: textarea
-    id: config
     attributes:
-      label: Server and client configuration file
+      label: Reproduction
+      description: Please provide the steps to reproduce the error, including the configuration files and procedures that can locally (not dependent on the remote server) reproduce the error using the original command line program of sing-box.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Logs
+      description: |-
+        If you encounter a crash with the graphical client, please provide crash logs.
+        For Apple platform clients, please check `Settings - View Service Log` for crash logs.
+        For the Android client, please check the `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` file for crash logs.
       value: |-
         <details>
-
         ```console
-        # paste json here
+        # Replace this line with logs
         ```
-
-        </details>
-    validations:
-      required: true
-
-  - type: textarea
-    id: log
-    attributes:
-      label: Server and client log file
-      value: |-
-        <details>
-
-        ```console
-        # paste log here
-        ```
-
-        </details>
-    validations:
-      required: true
+        </details>

.github/ISSUE_TEMPLATE/bug_report_zh.yml

@@ -0,0 +1,77 @@
+name: 错误反馈
+description: "提交 sing-box 漏洞"
+body:
+  - type: dropdown
+    attributes:
+      label: 操作系统
+      description: 请提供操作系统类型
+      options:
+        - iOS
+        - macOS
+        - Apple tvOS
+        - Android
+        - Windows
+        - Linux
+        - 其他
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: 系统版本
+      description: 请提供操作系统版本
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: 安装类型
+      description: 请提供该 sing-box 安装类型
+      options:
+        - sing-box 原始命令行程序
+        - sing-box for iOS 图形客户端程序
+        - sing-box for macOS 图形客户端程序
+        - sing-box for Apple tvOS 图形客户端程序
+        - sing-box for Android 图形客户端程序
+        - 宣传使用 sing-box 的第三方图形客户端程序 (Windows)
+        - 宣传使用 sing-box 的第三方图形客户端程序 (Android)
+        - 其他
+    validations:
+      required: true
+  - type: input
+    attributes:
+      description: 图形客户端版本
+      label: 如果您使用图形客户端程序，请提供该程序版本。
+  - type: textarea
+    attributes:
+      label: 版本
+      description: 如果您使用原始命令行程序，请提供 `sing-box version` 命令的输出。
+      value: |-
+        <details>
+        ```console
+        # 使用输出内容覆盖此行
+        ```
+        </details>
+  - type: textarea
+    attributes:
+      label: 描述
+      description: 请提供错误的详细描述。
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: 重现方式
+      description: 请提供重现错误的步骤，必须包括可以在本地（不依赖与远程服务器）使用 sing-box 原始命令行程序重现错误的配置文件与流程。
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: 日志
+      description: |-
+        如果您遭遇图形界面应用程序崩溃，请提供崩溃日志。
+        对于 Apple 平台图形客户端程序，请检查 `Settings - View Service Log` 以导出崩溃日志。
+        对于 Android 图形客户端程序，请检查 `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` 文件以导出崩溃日志。
+      value: |-
+        <details>
+        ```console
+        # 使用日志内容覆盖此行
+        ```
+        </details>

.github/workflows/debug.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -48,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -62,7 +62,27 @@ jobs:
             ~/go/pkg/mod
           key: go118-${{ hashFiles('**/go.sum') }}
       - name: Run Test
-        run: make
+        run: make ci_build_go118
+  build_go120:
+    name: Debug build (Go 1.20)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.20.7
+      - name: Cache go module
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+          key: go118-${{ hashFiles('**/go.sum') }}
+      - name: Run Test
+        run: make ci_build
   cross:
     strategy:
       matrix:
@@ -179,7 +199,7 @@ jobs:
       TAGS: with_clash_api,with_quic
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Get latest go version

.github/workflows/docker.yml

@@ -9,20 +9,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Setup QEMU for Docker Buildx
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Docker metadata
         id: metadata
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ghcr.io/sagernet/sing-box
       - name: Get tag to build
@@ -35,7 +35,7 @@ jobs:
             echo "versioned=ghcr.io/sagernet/sing-box:${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
           fi
       - name: Build and release Docker images
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
           target: dist

.github/workflows/lint.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Get latest go version

.github/workflows/mkdocs.yml

@@ -1,20 +0,0 @@
-name: Generate Documents
-on:
-  push:
-    branches:
-      - dev
-    paths:
-      - docs/**
-      - .github/workflows/mkdocs.yml
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
-        with:
-          python-version: 3.x
-      - run: |
-          pip install mkdocs-material=="9.*" mkdocs-static-i18n=="0.53"
-      - run: |
-          mkdocs gh-deploy -m "{sha}" --force --ignore-version --no-history

.github/workflows/stale.yml

@@ -8,7 +8,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v7
+      - uses: actions/stale@v8
         with:
           stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
           days-before-stale: 60

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20-alpine AS builder
+FROM golang:1.21-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box

Makefile

@@ -1,20 +1,31 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
+TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
+TAGS_GO120 = with_quic
+TAGS ?= $(TAGS_GO118),$(TAGS_GO120)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run ./cmd/internal/read_tag)
 
-PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
+MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
 
 .PHONY: test release
 
 build:
+	go build $(MAIN_PARAMS) $(MAIN)
+
+ci_build_go118:
 	go build $(PARAMS) $(MAIN)
+	go build $(PARAMS) -tags "$(TAGS_GO118)" $(MAIN)
+
+ci_build:
+	go build $(PARAMS) $(MAIN)
+	go build $(MAIN_PARAMS) $(MAIN)
 
 install:
 	go build -o $(PREFIX)/bin/$(NAME) $(PARAMS) $(MAIN)
@@ -47,24 +58,102 @@ proto_install:
 	go install -v google.golang.org/protobuf/cmd/protoc-gen-go@latest
 	go install -v google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
 
-snapshot:
-	go run ./cmd/internal/build goreleaser release --clean --snapshot || exit 1
-	mkdir dist/release
-	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
-	ghr --delete --draft --prerelease -p 1 nightly dist/release
-	rm -r dist
-
 release:
 	go run ./cmd/internal/build goreleaser release --clean --skip-publish || exit 1
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
-	ghr --delete --draft --prerelease -p 3 $(shell git describe --tags) dist/release
+	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
 	rm -r dist
 
 release_install:
 	go install -v github.com/goreleaser/goreleaser@latest
 	go install -v github.com/tcnksm/ghr@latest
 
+update_android_version:
+	go run ./cmd/internal/update_android_version
+
+build_android:
+	cd ../sing-box-for-android && ./gradlew :app:assembleRelease && ./gradlew --stop
+
+upload_android:
+	mkdir -p dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/release/*.apk dist/release_android
+	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
+	rm -rf dist/release_android
+
+release_android: lib_android update_android_version build_android upload_android
+
+publish_android:
+	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadRelease && ./gradlew --stop
+
+build_ios:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFI.xcarchive && \
+	xcodebuild archive -scheme SFI -configuration Release -archivePath build/SFI.xcarchive
+
+upload_ios_app_store:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist
+
+release_ios: build_ios upload_ios_app_store
+
+build_macos:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFM.xcarchive && \
+	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive
+
+upload_macos_app_store:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist
+
+release_macos: build_macos upload_macos_app_store
+
+build_macos_independent:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFT.System.xcarchive && \
+	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive
+
+notarize_macos_independent:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist
+
+wait_notarize_macos_independent:
+	sleep 60
+
+export_macos_independent:
+	rm -rf dist/SFM
+	mkdir -p dist/SFM
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportNotarizedApp -archivePath build/SFM.System.xcarchive -exportPath "../sing-box/dist/SFM"
+
+upload_macos_independent:
+	cd dist/SFM && \
+	rm -f *.zip && \
+	zip -ry "SFM-${VERSION}-universal.zip" SFM.app && \
+	ghr --replace --draft --prerelease "v${VERSION}" *.zip
+
+release_macos_independent: build_macos_independent notarize_macos_independent wait_notarize_macos_independent export_macos_independent upload_macos_independent
+
+build_tvos:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFT.xcarchive && \
+	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive
+
+upload_tvos_app_store:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist
+
+release_tvos: build_tvos upload_tvos_app_store
+
+update_apple_version:
+	go run ./cmd/internal/update_apple_version
+
+release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
+	rm -rf dist
+
+release_apple_beta: update_apple_version release_ios release_macos release_tvos
+	rm -rf dist
+
 test:
 	@go test -v ./... && \
 	cd test && \
@@ -77,10 +166,10 @@ test_stdio:
 	go mod tidy && \
 	go test -v -tags "$(TAGS_TEST),force_stdio" .
 
-android:
+lib_android:
 	go run ./cmd/internal/build_libbox -target android
 
-ios:
+lib_ios:
 	go run ./cmd/internal/build_libbox -target ios
 
 lib:
@@ -89,8 +178,8 @@ lib:
 
 lib_install:
 	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230701084532-493ee2e45182
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230701084532-493ee2e45182
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230915142329-c6740b6d2950
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230915142329-c6740b6d2950
 
 clean:
 	rm -rf bin dist sing-box

adapter/experimental.go

@@ -12,6 +12,7 @@ type ClashServer interface {
 	Service
 	PreStarter
 	Mode() string
+	ModeList() []string
 	StoreSelected() bool
 	StoreFakeIP() bool
 	CacheFile() ClashCacheFile
@@ -21,8 +22,12 @@ type ClashServer interface {
 }
 
 type ClashCacheFile interface {
+	LoadMode() string
+	StoreMode(mode string) error
 	LoadSelected(group string) string
 	StoreSelected(group string, selected string) error
+	LoadGroupExpand(group string) (isExpand bool, loaded bool)
+	StoreGroupExpand(group string, expand bool) error
 	FakeIPStorage
 }
 

adapter/fakeip.go

@@ -18,6 +18,7 @@ type FakeIPStore interface {
 type FakeIPStorage interface {
 	FakeIPMetadata() *FakeIPMetadata
 	FakeIPSaveMetadata(metadata *FakeIPMetadata) error
+	FakeIPSaveMetadataAsync(metadata *FakeIPMetadata)
 	FakeIPStore(address netip.Addr, domain string) error
 	FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger)
 	FakeIPLoad(address netip.Addr) (string, bool)

adapter/router.go

@@ -32,6 +32,7 @@ type Router interface {
 	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
 	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
+	ClearDNSCache()
 
 	InterfaceFinder() control.InterfaceFinder
 	UpdateInterfaces() error
@@ -85,5 +86,5 @@ type DNSRule interface {
 }
 
 type InterfaceUpdateListener interface {
-	InterfaceUpdated() error
+	InterfaceUpdated()
 }

box.go

@@ -19,6 +19,7 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/service/pause"
 )
 
 var _ adapter.Service = (*Box)(nil)
@@ -46,12 +47,13 @@ func New(options Options) (*Box, error) {
 	if ctx == nil {
 		ctx = context.Background()
 	}
+	ctx = pause.ContextWithDefaultManager(ctx)
 	createdAt := time.Now()
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needClashAPI bool
 	var needV2RayAPI bool
-	if experimentalOptions.ClashAPI != nil && experimentalOptions.ClashAPI.ExternalController != "" {
+	if experimentalOptions.ClashAPI != nil || options.PlatformInterface != nil {
 		needClashAPI = true
 	}
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
@@ -143,7 +145,9 @@ func New(options Options) (*Box, error) {
 	preServices := make(map[string]adapter.Service)
 	postServices := make(map[string]adapter.Service)
 	if needClashAPI {
-		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), common.PtrValueOrDefault(options.Experimental.ClashAPI))
+		clashAPIOptions := common.PtrValueOrDefault(experimentalOptions.ClashAPI)
+		clashAPIOptions.ModeList = experimental.CalculateClashModeList(options.Options)
+		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), clashAPIOptions)
 		if err != nil {
 			return nil, E.Cause(err, "create clash api server")
 		}
@@ -151,7 +155,7 @@ func New(options Options) (*Box, error) {
 		preServices["clash api"] = clashServer
 	}
 	if needV2RayAPI {
-		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(options.Experimental.V2RayAPI))
+		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(experimentalOptions.V2RayAPI))
 		if err != nil {
 			return nil, E.Cause(err, "create v2ray api server")
 		}

cmd/internal/build_libbox/main.go

@@ -107,7 +107,7 @@ func buildiOS() {
 	args := []string{
 		"bind",
 		"-v",
-		"-target", "ios,iossimulator,macos",
+		"-target", "ios,iossimulator,tvos,tvossimulator,macos",
 		"-libname=box",
 	}
 	if !debugEnabled {

cmd/internal/build_shared/tag.go

@@ -1,6 +1,10 @@
 package build_shared
 
-import "github.com/sagernet/sing/common/shell"
+import (
+	"github.com/sagernet/sing-box/common/badversion"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/shell"
+)
 
 func ReadTag() (string, error) {
 	currentTag, err := shell.Exec("git", "describe", "--tags").ReadOutput()
@@ -12,5 +16,21 @@ func ReadTag() (string, error) {
 		return currentTag[1:], nil
 	}
 	shortCommit, _ := shell.Exec("git", "rev-parse", "--short", "HEAD").ReadOutput()
-	return currentTagRev[1:] + "-" + shortCommit, nil
+	version := badversion.Parse(currentTagRev[1:])
+	if version.PreReleaseIdentifier == "" {
+		version.Patch++
+	}
+	return version.String() + "-" + shortCommit, nil
+}
+
+func ReadTagVersion() (badversion.Version, error) {
+	currentTag := common.Must1(shell.Exec("git", "describe", "--tags").ReadOutput())
+	currentTagRev := common.Must1(shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput())
+	version := badversion.Parse(currentTagRev[1:])
+	if currentTagRev != currentTag {
+		if version.PreReleaseIdentifier == "" {
+			version.Patch++
+		}
+	}
+	return version, nil
 }

cmd/internal/update_android_version/main.go

@@ -0,0 +1,51 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/sagernet/sing-box/cmd/internal/build_shared"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+)
+
+func main() {
+	newVersion := common.Must1(build_shared.ReadTagVersion())
+	androidPath, err := filepath.Abs("../sing-box-for-android")
+	if err != nil {
+		log.Fatal(err)
+	}
+	common.Must(os.Chdir(androidPath))
+	localProps := common.Must1(os.ReadFile("local.properties"))
+	var propsList [][]string
+	for _, propLine := range strings.Split(string(localProps), "\n") {
+		propsList = append(propsList, strings.Split(propLine, "="))
+	}
+	for _, propPair := range propsList {
+		if propPair[0] == "VERSION_NAME" {
+			if propPair[1] == newVersion.String() {
+				log.Info("version not changed")
+				return
+			}
+			propPair[1] = newVersion.String()
+			log.Info("updated version to ", newVersion.String())
+		}
+	}
+	for _, propPair := range propsList {
+		switch propPair[0] {
+		case "VERSION_CODE":
+			versionCode := common.Must1(strconv.ParseInt(propPair[1], 10, 64))
+			propPair[1] = strconv.Itoa(int(versionCode + 1))
+			log.Info("updated version code to ", propPair[1])
+		case "RELEASE_NOTES":
+			propPair[1] = "sing-box " + newVersion.String()
+		}
+	}
+	var newProps []string
+	for _, propPair := range propsList {
+		newProps = append(newProps, strings.Join(propPair, "="))
+	}
+	common.Must(os.WriteFile("local.properties", []byte(strings.Join(newProps, "\n")), 0o644))
+}

cmd/internal/update_apple_version/main.go

@@ -0,0 +1,80 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/sagernet/sing-box/cmd/internal/build_shared"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+
+	"howett.net/plist"
+)
+
+func main() {
+	newVersion := common.Must1(build_shared.ReadTagVersion())
+	applePath, err := filepath.Abs("../sing-box-for-apple")
+	if err != nil {
+		log.Fatal(err)
+	}
+	common.Must(os.Chdir(applePath))
+	projectFile := common.Must1(os.Open("sing-box.xcodeproj/project.pbxproj"))
+	var project map[string]any
+	decoder := plist.NewDecoder(projectFile)
+	common.Must(decoder.Decode(&project))
+	objectsMap := project["objects"].(map[string]any)
+	projectContent := string(common.Must1(os.ReadFile("sing-box.xcodeproj/project.pbxproj")))
+	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
+	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
+	if updated0 || updated1 {
+		log.Info("updated version to ", newVersion.VersionString())
+		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj.bak", []byte(projectContent), 0o644))
+		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj", []byte(newContent), 0o644))
+	} else {
+		log.Info("version not changed")
+	}
+}
+
+func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDList []string, newVersion string) (string, bool) {
+	objectKeyList := findObjectKey(objectsMap, bundleIDList)
+	var updated bool
+	for _, objectKey := range objectKeyList {
+		matchRegexp := common.Must1(regexp.Compile(objectKey + ".*= \\{"))
+		indexes := matchRegexp.FindStringIndex(projectContent)
+		if len(indexes) < 2 {
+			println(projectContent)
+			log.Fatal("failed to find object key ", objectKey, ": ", strings.Index(projectContent, objectKey))
+		}
+		indexStart := indexes[1]
+		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
+		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "MARKETING_VERSION = ") + 20
+		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
+		version := projectContent[versionStart:versionEnd]
+		if version == newVersion {
+			continue
+		}
+		updated = true
+		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
+	}
+	return projectContent, updated
+}
+
+func findObjectKey(objectsMap map[string]any, bundleIDList []string) []string {
+	var objectKeyList []string
+	for objectKey, object := range objectsMap {
+		buildSettings := object.(map[string]any)["buildSettings"]
+		if buildSettings == nil {
+			continue
+		}
+		bundleIDObject := buildSettings.(map[string]any)["PRODUCT_BUNDLE_IDENTIFIER"]
+		if bundleIDObject == nil {
+			continue
+		}
+		if common.Contains(bundleIDList, bundleIDObject.(string)) {
+			objectKeyList = append(objectKeyList, objectKey)
+		}
+	}
+	return objectKeyList
+}

cmd/sing-box/cmd_run.go

@@ -143,14 +143,16 @@ func create() (*box.Box, context.CancelFunc, error) {
 		signal.Stop(osSignals)
 		close(osSignals)
 	}()
-
+	startCtx, finishStart := context.WithCancel(context.Background())
 	go func() {
 		_, loaded := <-osSignals
 		if loaded {
 			cancel()
+			closeMonitor(startCtx)
 		}
 	}()
 	err = instance.Start()
+	finishStart()
 	if err != nil {
 		cancel()
 		return nil, nil, E.Cause(err, "start service")

common/baderror/baderror.go

@@ -1,62 +0,0 @@
-package baderror
-
-import (
-	"context"
-	"io"
-	"net"
-	"strings"
-
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-func Contains(err error, msgList ...string) bool {
-	for _, msg := range msgList {
-		if strings.Contains(err.Error(), msg) {
-			return true
-		}
-	}
-	return false
-}
-
-func WrapH2(err error) error {
-	if err == nil {
-		return nil
-	}
-	err = E.Unwrap(err)
-	if err == io.ErrUnexpectedEOF {
-		return io.EOF
-	}
-	if Contains(err, "client disconnected", "body closed by handler", "response body closed", "; CANCEL") {
-		return net.ErrClosed
-	}
-	return err
-}
-
-func WrapGRPC(err error) error {
-	// grpc uses stupid internal error types
-	if err == nil {
-		return nil
-	}
-	if Contains(err, "EOF") {
-		return io.EOF
-	}
-	if Contains(err, "Canceled") {
-		return context.Canceled
-	}
-	if Contains(err,
-		"the client connection is closing",
-		"server closed the stream without sending trailers") {
-		return net.ErrClosed
-	}
-	return err
-}
-
-func WrapQUIC(err error) error {
-	if err == nil {
-		return nil
-	}
-	if Contains(err, "canceled by local with error code 0") {
-		return net.ErrClosed
-	}
-	return err
-}

common/badtls/badtls_stub.go

@@ -5,8 +5,10 @@ package badtls
 import (
 	"crypto/tls"
 	"os"
+
+	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func Create(conn *tls.Conn) (TLSConn, error) {
+func Create(conn *tls.Conn) (aTLS.Conn, error) {
 	return nil, os.ErrInvalid
 }

common/badversion/version.go

@@ -11,6 +11,7 @@ type Version struct {
 	Major                int
 	Minor                int
 	Patch                int
+	Commit               string
 	PreReleaseIdentifier string
 	PreReleaseVersion    int
 }
@@ -37,20 +38,29 @@ func (v Version) After(anotherVersion Version) bool {
 		return false
 	}
 	if v.PreReleaseIdentifier != "" && anotherVersion.PreReleaseIdentifier != "" {
-		if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
+		if v.PreReleaseIdentifier == anotherVersion.PreReleaseIdentifier {
+			if v.PreReleaseVersion > anotherVersion.PreReleaseVersion {
+				return true
+			} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
+				return false
+			}
+		} else if v.PreReleaseIdentifier == "rc" && anotherVersion.PreReleaseIdentifier == "beta" {
+			return true
+		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "rc" {
+			return false
+		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
 			return true
 		} else if v.PreReleaseIdentifier == "alpha" && anotherVersion.PreReleaseIdentifier == "beta" {
 			return false
 		}
-		if v.PreReleaseVersion > anotherVersion.PreReleaseVersion {
-			return true
-		} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
-			return false
-		}
 	}
 	return false
 }
 
+func (v Version) VersionString() string {
+	return F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
+}
+
 func (v Version) String() string {
 	version := F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
 	if v.PreReleaseIdentifier != "" {
@@ -95,7 +105,7 @@ func Parse(versionName string) (version Version) {
 				version.PreReleaseIdentifier = "beta"
 				version.PreReleaseVersion, _ = strconv.Atoi(identifier[4:])
 			} else {
-				version.PreReleaseIdentifier = identifier
+				version.Commit = identifier
 			}
 		}
 	}

common/conntrack/conn.go

@@ -17,7 +17,7 @@ func NewConn(conn net.Conn) (net.Conn, error) {
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := killerCheck()
+		err := KillerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err

common/conntrack/killer.go

@@ -1,20 +1,20 @@
 package conntrack
 
 import (
-	"runtime"
 	runtimeDebug "runtime/debug"
 	"time"
 
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/memory"
 )
 
 var (
 	KillerEnabled   bool
-	MemoryLimit     int64
+	MemoryLimit     uint64
 	killerLastCheck time.Time
 )
 
-func killerCheck() error {
+func KillerCheck() error {
 	if !KillerEnabled {
 		return nil
 	}
@@ -23,10 +23,7 @@ func killerCheck() error {
 		return nil
 	}
 	killerLastCheck = nowTime
-	var memStats runtime.MemStats
-	runtime.ReadMemStats(&memStats)
-	inuseMemory := int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
-	if inuseMemory > MemoryLimit {
+	if memory.Total() > MemoryLimit {
 		Close()
 		go func() {
 			time.Sleep(time.Second)

common/conntrack/packet_conn.go

@@ -18,7 +18,7 @@ func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := killerCheck()
+		err := KillerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err

common/dialer/default.go

@@ -6,19 +6,18 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/tfo-go"
 )
 
 type DefaultDialer struct {
-	dialer4     tfo.Dialer
-	dialer6     tfo.Dialer
+	dialer4     tcpDialer
+	dialer6     tcpDialer
 	udpDialer4  net.Dialer
 	udpDialer6  net.Dialer
 	udpListener net.ListenConfig
@@ -26,7 +25,7 @@ type DefaultDialer struct {
 	udpAddr6    string
 }
 
-func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDialer {
+func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDialer, error) {
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
@@ -93,15 +92,29 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 		udpDialer6.LocalAddr = &net.UDPAddr{IP: bindAddr.AsSlice()}
 		udpAddr6 = M.SocksaddrFrom(bindAddr, 0).String()
 	}
+	if options.TCPMultiPath {
+		if !go121Available {
+			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
+		}
+		setMultiPathTCP(&dialer4)
+	}
+	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
+	if err != nil {
+		return nil, err
+	}
+	tcpDialer6, err := newTCPDialer(dialer6, options.TCPFastOpen)
+	if err != nil {
+		return nil, err
+	}
 	return &DefaultDialer{
-		tfo.Dialer{Dialer: dialer4, DisableTFO: !options.TCPFastOpen},
-		tfo.Dialer{Dialer: dialer6, DisableTFO: !options.TCPFastOpen},
+		tcpDialer4,
+		tcpDialer6,
 		udpDialer4,
 		udpDialer6,
 		listener,
 		udpAddr4,
 		udpAddr6,
-	}
+	}, nil
 }
 
 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {

common/dialer/default_go1.20.go

@@ -0,0 +1,15 @@
+//go:build go1.20
+
+package dialer
+
+import (
+	"net"
+
+	"github.com/sagernet/tfo-go"
+)
+
+type tcpDialer = tfo.Dialer
+
+func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
+	return tfo.Dialer{Dialer: dialer, DisableTFO: !tfoEnabled}, nil
+}

common/dialer/default_go1.21.go

@@ -0,0 +1,11 @@
+//go:build go1.21
+
+package dialer
+
+import "net"
+
+const go121Available = true
+
+func setMultiPathTCP(dialer *net.Dialer) {
+	dialer.SetMultipathTCP(true)
+}

common/dialer/default_nongo1.20.go

@@ -0,0 +1,18 @@
+//go:build !go1.20
+
+package dialer
+
+import (
+	"net"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type tcpDialer = net.Dialer
+
+func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
+	if tfoEnabled {
+		return dialer, E.New("TCP Fast Open requires go1.20, please recompile your binary.")
+	}
+	return dialer, nil
+}

common/dialer/default_nongo1.21.go

@@ -0,0 +1,12 @@
+//go:build !go1.21
+
+package dialer
+
+import (
+	"net"
+)
+
+const go121Available = false
+
+func setMultiPathTCP(dialer *net.Dialer) {
+}

common/dialer/dialer.go

@@ -6,19 +6,35 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
+	"github.com/sagernet/sing/common"
 	N "github.com/sagernet/sing/common/network"
 )
 
-func New(router adapter.Router, options option.DialerOptions) N.Dialer {
-	var dialer N.Dialer
+func MustNew(router adapter.Router, options option.DialerOptions) N.Dialer {
+	return common.Must1(New(router, options))
+}
+
+func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error) {
+	var (
+		dialer N.Dialer
+		err    error
+	)
 	if options.Detour == "" {
-		dialer = NewDefault(router, options)
+		dialer, err = NewDefault(router, options)
+		if err != nil {
+			return nil, err
+		}
 	} else {
 		dialer = NewDetour(router, options.Detour)
 	}
 	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
-		dialer = NewResolveDialer(router, dialer, domainStrategy, time.Duration(options.FallbackDelay))
+		dialer = NewResolveDialer(
+			router,
+			dialer,
+			options.Detour == "" && !options.TCPFastOpen,
+			domainStrategy,
+			time.Duration(options.FallbackDelay))
 	}
-	return dialer
+	return dialer, nil
 }

common/dialer/resolve.go

@@ -16,14 +16,16 @@ import (
 
 type ResolveDialer struct {
 	dialer        N.Dialer
+	parallel      bool
 	router        adapter.Router
 	strategy      dns.DomainStrategy
 	fallbackDelay time.Duration
 }
 
-func NewResolveDialer(router adapter.Router, dialer N.Dialer, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
+func NewResolveDialer(router adapter.Router, dialer N.Dialer, parallel bool, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
 	return &ResolveDialer{
 		dialer,
+		parallel,
 		router,
 		strategy,
 		fallbackDelay,
@@ -48,7 +50,11 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 	if err != nil {
 		return nil, err
 	}
-	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
+	if d.parallel {
+		return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
+	} else {
+		return N.DialSerial(ctx, d.dialer, network, destination, addresses)
+	}
 }
 
 func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {

common/dialer/tfo.go

@@ -1,3 +1,5 @@
+//go:build go1.20
+
 package dialer
 
 import (
@@ -5,6 +7,7 @@ import (
 	"io"
 	"net"
 	"os"
+	"sync"
 	"time"
 
 	"github.com/sagernet/sing/common"
@@ -22,10 +25,11 @@ type slowOpenConn struct {
 	destination M.Socksaddr
 	conn        net.Conn
 	create      chan struct{}
+	access      sync.Mutex
 	err         error
 }
 
-func DialSlowContext(dialer *tfo.Dialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	if dialer.DisableTFO || N.NetworkName(network) != N.NetworkTCP {
 		switch N.NetworkName(network) {
 		case N.NetworkTCP, N.NetworkUDP:
@@ -58,15 +62,26 @@ func (c *slowOpenConn) Read(b []byte) (n int, err error) {
 }
 
 func (c *slowOpenConn) Write(b []byte) (n int, err error) {
-	if c.conn == nil {
-		c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
-		if err != nil {
-			c.err = E.Cause(err, "dial tcp fast open")
-		}
-		close(c.create)
-		return
+	if c.conn != nil {
+		return c.conn.Write(b)
 	}
-	return c.conn.Write(b)
+	c.access.Lock()
+	defer c.access.Unlock()
+	select {
+	case <-c.create:
+		if c.err != nil {
+			return 0, c.err
+		}
+		return c.conn.Write(b)
+	default:
+	}
+	c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
+	if err != nil {
+		c.conn = nil
+		c.err = E.Cause(err, "dial tcp fast open")
+	}
+	close(c.create)
+	return
 }
 
 func (c *slowOpenConn) Close() error {

common/dialer/tfo_stub.go

@@ -0,0 +1,20 @@
+//go:build !go1.20
+
+package dialer
+
+import (
+	"context"
+	"net"
+
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	switch N.NetworkName(network) {
+	case N.NetworkTCP, N.NetworkUDP:
+		return dialer.DialContext(ctx, network, destination.String())
+	default:
+		return dialer.DialContext(ctx, network, destination.AddrString())
+	}
+}

common/humanize/bytes.go

@@ -0,0 +1,158 @@
+package humanize
+
+import (
+	"fmt"
+	"math"
+	"strconv"
+	"strings"
+	"unicode"
+)
+
+// IEC Sizes.
+// kibis of bits
+const (
+	Byte = 1 << (iota * 10)
+	KiByte
+	MiByte
+	GiByte
+	TiByte
+	PiByte
+	EiByte
+)
+
+// SI Sizes.
+const (
+	IByte = 1
+	KByte = IByte * 1000
+	MByte = KByte * 1000
+	GByte = MByte * 1000
+	TByte = GByte * 1000
+	PByte = TByte * 1000
+	EByte = PByte * 1000
+)
+
+var defaultSizeTable = map[string]uint64{
+	"b":   Byte,
+	"kib": KiByte,
+	"kb":  KByte,
+	"mib": MiByte,
+	"mb":  MByte,
+	"gib": GiByte,
+	"gb":  GByte,
+	"tib": TiByte,
+	"tb":  TByte,
+	"pib": PiByte,
+	"pb":  PByte,
+	"eib": EiByte,
+	"eb":  EByte,
+	// Without suffix
+	"":   Byte,
+	"ki": KiByte,
+	"k":  KByte,
+	"mi": MiByte,
+	"m":  MByte,
+	"gi": GiByte,
+	"g":  GByte,
+	"ti": TiByte,
+	"t":  TByte,
+	"pi": PiByte,
+	"p":  PByte,
+	"ei": EiByte,
+	"e":  EByte,
+}
+
+var memorysSizeTable = map[string]uint64{
+	"b":  Byte,
+	"kb": KiByte,
+	"mb": MiByte,
+	"gb": GiByte,
+	"tb": TiByte,
+	"pb": PiByte,
+	"eb": EiByte,
+	"":   Byte,
+	"k":  KiByte,
+	"m":  MiByte,
+	"g":  GiByte,
+	"t":  TiByte,
+	"p":  PiByte,
+	"e":  EiByte,
+}
+
+var (
+	defaultSizes = []string{"B", "kB", "MB", "GB", "TB", "PB", "EB"}
+	iSizes       = []string{"B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"}
+)
+
+func Bytes(s uint64) string {
+	return humanateBytes(s, 1000, defaultSizes)
+}
+
+func MemoryBytes(s uint64) string {
+	return humanateBytes(s, 1024, defaultSizes)
+}
+
+func IBytes(s uint64) string {
+	return humanateBytes(s, 1024, iSizes)
+}
+
+func logn(n, b float64) float64 {
+	return math.Log(n) / math.Log(b)
+}
+
+func humanateBytes(s uint64, base float64, sizes []string) string {
+	if s < 10 {
+		return fmt.Sprintf("%d B", s)
+	}
+	e := math.Floor(logn(float64(s), base))
+	suffix := sizes[int(e)]
+	val := math.Floor(float64(s)/math.Pow(base, e)*10+0.5) / 10
+	f := "%.0f %s"
+	if val < 10 {
+		f = "%.1f %s"
+	}
+
+	return fmt.Sprintf(f, val, suffix)
+}
+
+func ParseBytes(s string) (uint64, error) {
+	return parseBytes0(s, defaultSizeTable)
+}
+
+func ParseMemoryBytes(s string) (uint64, error) {
+	return parseBytes0(s, memorysSizeTable)
+}
+
+func parseBytes0(s string, sizeTable map[string]uint64) (uint64, error) {
+	lastDigit := 0
+	hasComma := false
+	for _, r := range s {
+		if !(unicode.IsDigit(r) || r == '.' || r == ',') {
+			break
+		}
+		if r == ',' {
+			hasComma = true
+		}
+		lastDigit++
+	}
+
+	num := s[:lastDigit]
+	if hasComma {
+		num = strings.Replace(num, ",", "", -1)
+	}
+
+	f, err := strconv.ParseFloat(num, 64)
+	if err != nil {
+		return 0, err
+	}
+
+	extra := strings.ToLower(strings.TrimSpace(s[lastDigit:]))
+	if m, ok := sizeTable[extra]; ok {
+		f *= float64(m)
+		if f >= math.MaxUint64 {
+			return 0, fmt.Errorf("too large: %v", s)
+		}
+		return uint64(f), nil
+	}
+
+	return 0, fmt.Errorf("unhandled size name: %v", extra)
+}

common/settings/proxy_darwin.go

@@ -20,10 +20,10 @@ type systemProxy struct {
 	isMixed       bool
 }
 
-func (p *systemProxy) update(event int) error {
+func (p *systemProxy) update(event int) {
 	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
 	if p.interfaceName == newInterfaceName {
-		return nil
+		return
 	}
 	if p.interfaceName != "" {
 		_ = p.unset()
@@ -31,7 +31,7 @@ func (p *systemProxy) update(event int) error {
 	p.interfaceName = newInterfaceName
 	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
 	if err != nil {
-		return err
+		return
 	}
 	if p.isMixed {
 		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
@@ -40,9 +40,9 @@ func (p *systemProxy) update(event int) error {
 		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	if err == nil {
-		err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		_ = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
-	return err
+	return
 }
 
 func (p *systemProxy) unset() error {
@@ -88,10 +88,7 @@ func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() er
 		port:    port,
 		isMixed: isMixed,
 	}
-	err := proxy.update(tun.EventInterfaceUpdate)
-	if err != nil {
-		return nil, err
-	}
+	proxy.update(tun.EventInterfaceUpdate)
 	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
 	return func() error {
 		interfaceMonitor.UnregisterCallback(proxy.element)

common/sniff/sniff.go

@@ -22,23 +22,29 @@ func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout
 	if timeout == 0 {
 		timeout = C.ReadPayloadTimeout
 	}
-	err := conn.SetReadDeadline(time.Now().Add(timeout))
-	if err != nil {
-		return nil, E.Cause(err, "set read deadline")
-	}
-	_, err = buffer.ReadOnceFrom(conn)
-	err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
-	if err != nil {
-		return nil, E.Cause(err, "read payload")
-	}
-	var metadata *adapter.InboundContext
+	deadline := time.Now().Add(timeout)
 	var errors []error
-	for _, sniffer := range sniffers {
-		metadata, err = sniffer(ctx, bytes.NewReader(buffer.Bytes()))
-		if metadata != nil {
-			return metadata, nil
+
+	for i := 0; i < 3; i++ {
+		err := conn.SetReadDeadline(deadline)
+		if err != nil {
+			return nil, E.Cause(err, "set read deadline")
+		}
+		_, err = buffer.ReadOnceFrom(conn)
+		err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
+		if err != nil {
+			if i > 0 {
+				break
+			}
+			return nil, E.Cause(err, "read payload")
+		}
+		for _, sniffer := range sniffers {
+			metadata, err := sniffer(ctx, bytes.NewReader(buffer.Bytes()))
+			if metadata != nil {
+				return metadata, nil
+			}
+			errors = append(errors, err)
 		}
-		errors = append(errors, err)
 	}
 	return nil, E.Errors(errors...)
 }

common/tls/reality_server.go

@@ -101,7 +101,10 @@ func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Log
 		tlsConfig.ShortIds[shortID] = true
 	}
 
-	handshakeDialer := dialer.New(router, options.Reality.Handshake.DialerOptions)
+	handshakeDialer, err := dialer.New(router, options.Reality.Handshake.DialerOptions)
+	if err != nil {
+		return nil, err
+	}
 	tlsConfig.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
 		return handshakeDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 	}

common/tls/std_server.go

@@ -164,8 +164,8 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 	var acmeService adapter.Service
 	var err error
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
-		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
 		//nolint:staticcheck
+		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
 		if err != nil {
 			return nil, err
 		}

common/urltest/urltest.go

@@ -10,7 +10,6 @@ import (
 
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/x/list"
 )
 
 type History struct {
@@ -21,7 +20,7 @@ type History struct {
 type HistoryStorage struct {
 	access       sync.RWMutex
 	delayHistory map[string]*History
-	callbacks    list.List[func()]
+	updateHook   chan<- struct{}
 }
 
 func NewHistoryStorage() *HistoryStorage {
@@ -30,16 +29,8 @@ func NewHistoryStorage() *HistoryStorage {
 	}
 }
 
-func (s *HistoryStorage) AddListener(listener func()) *list.Element[func()] {
-	s.access.Lock()
-	defer s.access.Unlock()
-	return s.callbacks.PushBack(listener)
-}
-
-func (s *HistoryStorage) RemoveListener(element *list.Element[func()]) {
-	s.access.Lock()
-	defer s.access.Unlock()
-	s.callbacks.Remove(element)
+func (s *HistoryStorage) SetHook(hook chan<- struct{}) {
+	s.updateHook = hook
 }
 
 func (s *HistoryStorage) LoadURLTestHistory(tag string) *History {
@@ -66,13 +57,20 @@ func (s *HistoryStorage) StoreURLTestHistory(tag string, history *History) {
 }
 
 func (s *HistoryStorage) notifyUpdated() {
-	s.access.RLock()
-	defer s.access.RUnlock()
-	for element := s.callbacks.Front(); element != nil; element = element.Next() {
-		element.Value()
+	updateHook := s.updateHook
+	if updateHook != nil {
+		select {
+		case updateHook <- struct{}{}:
+		default:
+		}
 	}
 }
 
+func (s *HistoryStorage) Close() error {
+	s.updateHook = nil
+	return nil
+}
+
 func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err error) {
 	if link == "" {
 		link = "https://www.gstatic.com/generate_204"

constant/proxy.go

@@ -7,7 +7,7 @@ const (
 	TypeDirect       = "direct"
 	TypeBlock        = "block"
 	TypeDNS          = "dns"
-	TypeSocks        = "socks"
+	TypeSOCKS        = "socks"
 	TypeHTTP         = "http"
 	TypeMixed        = "mixed"
 	TypeShadowsocks  = "shadowsocks"
@@ -21,9 +21,55 @@ const (
 	TypeShadowTLS    = "shadowtls"
 	TypeShadowsocksR = "shadowsocksr"
 	TypeVLESS        = "vless"
+	TypeTUIC         = "tuic"
 )
 
 const (
 	TypeSelector = "selector"
 	TypeURLTest  = "urltest"
 )
+
+func ProxyDisplayName(proxyType string) string {
+	switch proxyType {
+	case TypeDirect:
+		return "Direct"
+	case TypeBlock:
+		return "Block"
+	case TypeDNS:
+		return "DNS"
+	case TypeSOCKS:
+		return "SOCKS"
+	case TypeHTTP:
+		return "HTTP"
+	case TypeShadowsocks:
+		return "Shadowsocks"
+	case TypeVMess:
+		return "VMess"
+	case TypeTrojan:
+		return "Trojan"
+	case TypeNaive:
+		return "Naive"
+	case TypeWireGuard:
+		return "WireGuard"
+	case TypeHysteria:
+		return "Hysteria"
+	case TypeTor:
+		return "Tor"
+	case TypeSSH:
+		return "SSH"
+	case TypeShadowTLS:
+		return "ShadowTLS"
+	case TypeShadowsocksR:
+		return "ShadowsocksR"
+	case TypeVLESS:
+		return "VLESS"
+	case TypeTUIC:
+		return "TUIC"
+	case TypeSelector:
+		return "Selector"
+	case TypeURLTest:
+		return "URLTest"
+	default:
+		return "Unknown"
+	}
+}

debug_go118.go

@@ -5,7 +5,7 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -28,7 +28,7 @@ func applyDebugOptions(options option.DebugOptions) {
 	}
 	if options.MemoryLimit != 0 {
 		// debug.SetMemoryLimit(int64(options.MemoryLimit))
-		conntrack.MemoryLimit = int64(options.MemoryLimit)
+		conntrack.MemoryLimit = uint64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller

debug_go119.go

@@ -5,7 +5,7 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -27,8 +27,8 @@ func applyDebugOptions(options option.DebugOptions) {
 		debug.SetTraceback(options.TraceBack)
 	}
 	if options.MemoryLimit != 0 {
-		debug.SetMemoryLimit(int64(options.MemoryLimit))
-		conntrack.MemoryLimit = int64(options.MemoryLimit)
+		debug.SetMemoryLimit(int64(float64(options.MemoryLimit) / 1.5))
+		conntrack.MemoryLimit = uint64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller

debug_http.go

@@ -7,12 +7,12 @@ import (
 	"runtime/debug"
 
 	"github.com/sagernet/sing-box/common/badjson"
+	"github.com/sagernet/sing-box/common/humanize"
 	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 
-	"github.com/dustin/go-humanize"
 	"github.com/go-chi/chi/v5"
 )
 
@@ -37,9 +37,9 @@ func applyDebugListenOption(options option.DebugOptions) {
 			runtime.ReadMemStats(&memStats)
 
 			var memObject badjson.JSONObject
-			memObject.Put("heap", humanize.IBytes(memStats.HeapInuse))
-			memObject.Put("stack", humanize.IBytes(memStats.StackInuse))
-			memObject.Put("idle", humanize.IBytes(memStats.HeapIdle-memStats.HeapReleased))
+			memObject.Put("heap", humanize.MemoryBytes(memStats.HeapInuse))
+			memObject.Put("stack", humanize.MemoryBytes(memStats.StackInuse))
+			memObject.Put("idle", humanize.MemoryBytes(memStats.HeapIdle-memStats.HeapReleased))
 			memObject.Put("goroutines", runtime.NumGoroutine())
 			memObject.Put("rss", rusageMaxRSS())
 

docs/changelog.md

@@ -1,3 +1,123 @@
+#### 1.4.1
+
+* Fixes and improvements
+
+#### 1.4.0
+
+* Fix bugs and update dependencies
+
+Important changes since 1.3:
+
+* Add TUIC support **1**
+* Add `udp_over_stream` option for TUIC client **2**
+* Add MultiPath TCP support **3**
+* Add `include_interface` and `exclude_interface` options for tun inbound
+* Pause recurring tasks when no network or device idle
+* Improve Android and Apple platform clients
+
+*1*:
+
+See [TUIC inbound](/configuration/inbound/tuic)
+and [TUIC outbound](/configuration/outbound/tuic)
+
+**2**:
+
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
+another program compatible with the protocol as a server.
+
+This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP
+traffic (basically QUIC streams).
+
+*3*:
+
+Requires sing-box to be compiled with Go 1.21.
+
+#### 1.4.0-rc.3
+
+* Fixes and improvements
+
+#### 1.4.0-rc.2
+
+* Fixes and improvements
+
+#### 1.4.0-rc.1
+
+* Fix TUIC UDP
+
+#### 1.4.0-beta.6
+
+* Add `udp_over_stream` option for TUIC client **1**
+* Add `include_interface` and `exclude_interface` options for tun inbound
+* Fixes and improvements
+
+**1**:
+
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
+another program compatible with the protocol as a server.
+
+This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP
+traffic (basically QUIC streams).
+
+#### 1.4.0-beta.5
+
+* Fixes and improvements
+
+#### 1.4.0-beta.4
+
+* Graphical clients: Persistence group expansion state
+* Fixes and improvements
+
+#### 1.4.0-beta.3
+
+* Fixes and improvements
+
+#### 1.4.0-beta.2
+
+* Add MultiPath TCP support **1**
+* Drop QUIC support for Go 1.18 and 1.19 due to upstream changes
+* Fixes and improvements
+
+*1*:
+
+Requires sing-box to be compiled with Go 1.21.
+
+#### 1.4.0-beta.1
+
+* Add TUIC support **1**
+* Pause recurring tasks when no network or device idle
+* Fixes and improvements
+
+*1*:
+
+See [TUIC inbound](/configuration/inbound/tuic)
+and [TUIC outbound](/configuration/outbound/tuic)
+
+#### 1.3.6
+
+* Fixes and improvements
+
+#### 1.3.5
+
+* Fixes and improvements
+* Introducing our [Apple tvOS](/installation/clients/sft) client applications **1**
+* Add per app proxy and app installed/updated trigger support for Android client
+* Add profile sharing support for Android/iOS/macOS clients
+
+**1**:
+
+Due to the requirement of tvOS 17, the app cannot be submitted to the App Store for the time being, and can only be
+downloaded through TestFlight.
+
+#### 1.3.4
+
+* Fixes and improvements
+* We're now on the [App Store](https://apps.apple.com/us/app/sing-box/id6451272673), always free! It should be noted
+  that due to stricter and slower review, the release of Store versions will be delayed.
+* We've made a standalone version of the macOS client (the original Application Extension relies on App Store
+  distribution), which you can download as SFM-version-universal.zip in the release artifacts.
+
 #### 1.3.3
 
 * Fixes and improvements

docs/configuration/experimental/index.md

@@ -12,7 +12,9 @@
       "external_ui_download_detour": "",
       "secret": "",
       "default_mode": "",
+      "store_mode": false,
       "store_selected": false,
+      "store_fakeip": false,
       "cache_file": "",
       "cache_id": ""
     },
@@ -80,6 +82,10 @@ Default mode in clash, `rule` will be used if empty.
 
 This setting has no direct effect, but can be used in routing and DNS rules via the `clash_mode` rule item.
 
+#### store_mode
+
+Store Clash mode in cache file.
+
 #### store_selected
 
 !!! note ""
@@ -88,6 +94,10 @@ This setting has no direct effect, but can be used in routing and DNS rules via
 
 Store selected outbound for the `Selector` outbound in cache file.
 
+#### store_fakeip
+
+Store fakeip in cache file.
+
 #### cache_file
 
 Cache file path, `cache.db` will be used if empty.

docs/configuration/experimental/index.zh.md

@@ -12,7 +12,9 @@
       "external_ui_download_detour": "",
       "secret": "",
       "default_mode": "",
+      "store_mode": false,
       "store_selected": false,
+      "store_fakeip": false,
       "cache_file": "",
       "cache_id": ""
     },
@@ -78,6 +80,10 @@ Clash 中的默认模式，默认使用 `rule`。
 
 此设置没有直接影响，但可以通过 `clash_mode` 规则项在路由和 DNS 规则中使用。
 
+#### store_mode
+
+将 Clash 模式存储在缓存文件中。
+
 #### store_selected
 
 !!! note ""
@@ -86,6 +92,10 @@ Clash 中的默认模式，默认使用 `rule`。
 
 将 `Selector` 中出站的选定的目标出站存储在缓存文件中。
 
+#### store_fakeip
+
+将 fakeip 存储在缓存文件中。
+
 #### cache_file
 
 缓存文件路径，默认使用`cache.db`。

docs/configuration/inbound/tuic.md

@@ -0,0 +1,82 @@
+### Structure
+
+```json
+{
+  "type": "tuic",
+  "tag": "tuic-in",
+  
+  ... // Listen Fields
+
+  "users": [
+    {
+      "name": "sekai",
+      "uuid": "059032A9-7D40-4A96-9BB1-36823D848068",
+      "password": "hello"
+    }
+  ],
+  "congestion_control": "cubic",
+  "auth_timeout": "3s",
+  "zero_rtt_handshake": false,
+  "heartbeat": "10s",
+  "tls": {}
+}
+```
+
+!!! warning ""
+
+    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
+
+### Listen Fields
+
+See [Listen Fields](/configuration/shared/listen) for details.
+
+### Fields
+
+#### users
+
+TUIC users
+
+#### users.uuid
+
+==Required==
+
+TUIC user uuid
+
+#### users.password
+
+TUIC user password
+
+#### congestion_control
+
+QUIC congestion control algorithm
+
+One of: `cubic`, `new_reno`, `bbr`
+
+`cubic` is used by default.
+
+#### auth_timeout
+
+How long the server should wait for the client to send the authentication command
+
+`3s` is used by default.
+
+#### zero_rtt_handshake
+
+Enable 0-RTT QUIC connection handshake on the client side  
+This is not impacting much on the performance, as the protocol is fully multiplexed  
+
+!!! warning ""
+    Disabling this is highly recommended, as it is vulnerable to replay attacks.
+    See [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
+
+#### heartbeat
+
+Interval for sending heartbeat packets for keeping the connection alive
+
+`10s` is used by default.
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

docs/configuration/inbound/tuic.zh.md

@@ -0,0 +1,82 @@
+### 结构
+
+```json
+{
+  "type": "tuic",
+  "tag": "tuic-in",
+
+  ... // 监听字段
+
+  "users": [
+    {
+      "name": "sekai",
+      "uuid": "059032A9-7D40-4A96-9BB1-36823D848068",
+      "password": "hello"
+    }
+  ],
+  "congestion_control": "cubic",
+  "auth_timeout": "3s",
+  "zero_rtt_handshake": false,
+  "heartbeat": "10s",
+  "tls": {}
+}
+```
+
+!!! warning ""
+
+    默认安装不包含被 TUI 依赖的 QUIC，参阅 [安装](/zh/#_2)。
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/)。
+
+### 字段
+
+#### users
+
+TUIC 用户
+
+#### users.uuid
+
+==必填==
+
+TUIC 用户 UUID
+
+#### users.password
+
+TUIC 用户密码
+
+#### congestion_control
+
+QUIC 流量控制算法
+
+可选值: `cubic`, `new_reno`, `bbr`
+
+默认使用 `cubic`。
+
+#### auth_timeout
+
+服务器等待客户端发送认证命令的时间
+
+默认使用 `3s`。
+
+#### zero_rtt_handshake
+
+在客户端启用 0-RTT QUIC 连接握手
+这对性能影响不大，因为协议是完全复用的
+
+!!! warning ""
+强烈建议禁用此功能，因为它容易受到重放攻击。
+请参阅 [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
+
+#### heartbeat
+
+发送心跳包以保持连接存活的时间间隔
+
+默认使用 `10s`。
+
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/tun.md

@@ -24,6 +24,12 @@
   ],
   "endpoint_independent_nat": false,
   "stack": "system",
+  "include_interface": [
+    "lan0"
+  ],
+  "exclude_interface": [
+    "lan1"
+  ],
   "include_uid": [
     0
   ],
@@ -142,16 +148,33 @@ UDP NAT expiration time in seconds, default is 300 (5 minutes).
 
 TCP/IP stack.
 
-| Stack            | Description                                                                      | Status            |
-|------------------|----------------------------------------------------------------------------------|-------------------|
-| system (default) | Sometimes better performance                                                     | recommended       |
-| gVisor           | Better compatibility, based on [google/gvisor](https://github.com/google/gvisor) | recommended       |
-| LWIP             | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks)   | upstream archived |
+| Stack  | Description                                                                      | Status            |
+|--------|----------------------------------------------------------------------------------|-------------------|
+| system | Sometimes better performance                                                     | recommended       |
+| gVisor | Better compatibility, based on [google/gvisor](https://github.com/google/gvisor) | recommended       |
+| mixed  | Mixed `system` TCP stack and `gVisor` UDP stack                                  | recommended       |
+| LWIP   | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks)   | upstream archived |
 
 !!! warning ""
 
     gVisor and LWIP stacks is not included by default, see [Installation](/#installation).
 
+#### include_interface
+
+!!! error ""
+
+    Interface rules are only supported on Linux and require auto_route.
+
+Limit interfaces in route. Not limited by default.
+
+Conflict with `exclude_interface`.
+
+#### exclude_interface
+
+Exclude interfaces in route.
+
+Conflict with `include_interface`.
+
 #### include_uid
 
 !!! error ""

docs/configuration/inbound/tun.zh.md

@@ -24,6 +24,12 @@
   ],
   "endpoint_independent_nat": false,
   "stack": "system",
+  "include_interface": [
+    "lan0"
+  ],
+  "exclude_interface": [
+    "lan1"
+  ],
   "include_uid": [
     0
   ],
@@ -149,6 +155,22 @@ TCP/IP 栈。
 
     默认安装不包含 gVisor 和 LWIP 栈，请参阅 [安装](/zh/#_2)。
 
+#### include_interface
+
+!!! error ""
+
+    接口规则仅在 Linux 下被支持，并且需要 `auto_route`。
+
+限制被路由的接口。默认不限制。
+
+与 `exclude_interface` 冲突。
+
+#### exclude_interface
+
+排除路由的接口。
+
+与 `include_interface` 冲突。
+
 #### include_uid
 
 !!! error ""

docs/configuration/outbound/hysteria.md

@@ -97,12 +97,6 @@ Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 (IPv4)
 
 Force enabled on for systems other than Linux and Windows (according to upstream).
 
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
-
 #### network
 
 Enabled network
@@ -111,6 +105,12 @@ One of `tcp` `udp`.
 
 Both is enabled by default.
 
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
+
 ### Dial Fields
 
 See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/hysteria.zh.md

@@ -97,10 +97,6 @@ base64 编码的认证密码。
 
 强制为 Linux 和 Windows 以外的系统启用（根据上游）。
 
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
-
 #### network
 
 启用的网络协议。
@@ -109,6 +105,13 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 默认所有。
 
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
+
 ### 拨号字段
 
 参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/configuration/outbound/tuic.md

@@ -0,0 +1,100 @@
+### Structure
+
+```json
+{
+  "type": "tuic",
+  "tag": "tuic-out",
+  
+  "server": "127.0.0.1",
+  "server_port": 1080,
+  "uuid": "2DD61D93-75D8-4DA4-AC0E-6AECE7EAC365",
+  "password": "hello",
+  "congestion_control": "cubic",
+  "udp_relay_mode": "native",
+  "udp_over_stream": false,
+  "zero_rtt_handshake": false,
+  "heartbeat": "10s",
+  "network": "tcp",
+  "tls": {},
+  
+  ... // Dial Fields
+}
+```
+
+!!! warning ""
+
+    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
+
+### Fields
+
+#### server
+
+==Required==
+
+The server address.
+
+#### server_port
+
+==Required==
+
+The server port.
+
+#### uuid
+
+==Required==
+
+TUIC user uuid
+
+#### password
+
+TUIC user password
+
+#### congestion_control
+
+QUIC congestion control algorithm
+
+One of: `cubic`, `new_reno`, `bbr`
+
+`cubic` is used by default.
+
+#### udp_relay_mode
+
+UDP packet relay mode
+
+| Mode   | Description                                                              |
+|:-------|:-------------------------------------------------------------------------|
+| native | native UDP characteristics                                               |
+| quic   | lossless UDP relay using QUIC streams, additional overhead is introduced |
+
+`native` is used by default.
+
+Conflict with `udp_over_stream`.
+
+#### udp_over_stream
+
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
+another program compatible with the protocol as a server.
+
+This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP
+traffic (basically QUIC streams).
+
+Conflict with `udp_relay_mode`.
+
+#### network
+
+Enabled network
+
+One of `tcp` `udp`.
+
+Both is enabled by default.
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
+
+### Dial Fields
+
+See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/tuic.zh.md

@@ -0,0 +1,108 @@
+### 结构
+
+```json
+{
+  "type": "tuic",
+  "tag": "tuic-out",
+  
+  "server": "127.0.0.1",
+  "server_port": 1080,
+  "uuid": "2DD61D93-75D8-4DA4-AC0E-6AECE7EAC365",
+  "password": "hello",
+  "congestion_control": "cubic",
+  "udp_relay_mode": "native",
+  "udp_over_stream": false,
+  "zero_rtt_handshake": false,
+  "heartbeat": "10s",
+  "network": "tcp",
+  "tls": {},
+  
+  ... // 拨号字段
+}
+```
+
+!!! warning ""
+
+    默认安装不包含被 TUI 依赖的 QUIC，参阅 [安装](/zh/#_2)。
+
+### 字段
+
+#### server
+
+==必填==
+
+服务器地址。
+
+#### server_port
+
+==必填==
+
+服务器端口。
+
+#### uuid
+
+==必填==
+
+TUIC 用户 UUID
+
+#### password
+
+TUIC 用户密码
+
+#### congestion_control
+
+QUIC 流量控制算法
+
+可选值: `cubic`, `new_reno`, `bbr`
+
+默认使用 `cubic`。
+
+#### udp_relay_mode
+
+UDP 包中继模式
+
+| 模式     | 描述                           |
+|--------|------------------------------|
+| native | 原生 UDP                       |
+| quic   | 使用 QUIC 流的无损 UDP 中继，引入了额外的开销 |
+
+与 `udp_over_stream` 冲突。
+
+#### udp_over_stream
+
+这是 TUIC 的 [UDP over TCP 协议](/configuration/shared/udp-over-tcp) 移植， 旨在提供 TUIC 不提供的 基于 QUIC 流的 UDP 中继模式。 由于它是一个附加协议，因此您需要使用 sing-box 或其他兼容的程序作为服务器。
+
+此模式在正确的 UDP 代理场景中没有任何积极作用，仅适用于中继流式 UDP 流量（基本上是 QUIC 流）。
+
+与 `udp_relay_mode` 冲突。
+
+#### zero_rtt_handshake
+
+在客户端启用 0-RTT QUIC 连接握手
+这对性能影响不大，因为协议是完全复用的
+
+!!! warning ""
+强烈建议禁用此功能，因为它容易受到重放攻击。
+请参阅 [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
+
+#### heartbeat
+
+发送心跳包以保持连接存活的时间间隔
+
+#### network
+
+启用的网络协议。
+
+`tcp` 或 `udp`。
+
+默认所有。
+
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/configuration/route/index.zh.md

@@ -24,7 +24,6 @@
 |------------|-------------------------|
 | `geoip`    | [GeoIP](./geoip)        |
 | `geosite`  | [GeoSite](./geosite)    |
-| `ip_rules` | 一组 [IP 路由规则](./ip-rule) |
 | `rules`    | 一组 [路由规则](./rule)       |
 
 #### final

docs/configuration/route/ip-rule.md

@@ -1,205 +0,0 @@
-### Structure
-
-```json
-{
-  "route": {
-    "ip_rules": [
-      {
-        "inbound": [
-          "mixed-in"
-        ],
-        "ip_version": 6,
-        "network": [
-          "tcp"
-        ],
-        "domain": [
-          "test.com"
-        ],
-        "domain_suffix": [
-          ".cn"
-        ],
-        "domain_keyword": [
-          "test"
-        ],
-        "domain_regex": [
-          "^stun\\..+"
-        ],
-        "geosite": [
-          "cn"
-        ],
-        "source_geoip": [
-          "private"
-        ],
-        "geoip": [
-          "cn"
-        ],
-        "source_ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "source_port": [
-          12345
-        ],
-        "source_port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "port": [
-          80,
-          443
-        ],
-        "port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "invert": false,
-        "action": "direct",
-        "outbound": "wireguard"
-      },
-      {
-        "type": "logical",
-        "mode": "and",
-        "rules": [],
-        "invert": false,
-        "action": "direct",
-        "outbound": "wireguard"
-      }
-    ]
-  }
-}
-
-```
-
-!!! note ""
-
-    You can ignore the JSON Array [] tag when the content is only one item
-
-### Default Fields
-
-!!! note ""
-
-    The default rule uses the following matching logic:  
-    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
-    (`port` || `port_range`) &&  
-    (`source_geoip` || `source_ip_cidr`) &&  
-    (`source_port` || `source_port_range`) &&  
-    `other fields`
-
-#### inbound
-
-Tags of [Inbound](/configuration/inbound).
-
-#### ip_version
-
-4 or 6.
-
-Not limited if empty.
-
-#### network
-
-Match network protocol.
-
-Available values:
-
-* `tcp`
-* `udp`
-* `icmpv4`
-* `icmpv6`
-
-#### domain
-
-Match full domain.
-
-#### domain_suffix
-
-Match domain suffix.
-
-#### domain_keyword
-
-Match domain using keyword.
-
-#### domain_regex
-
-Match domain using regular expression.
-
-#### geosite
-
-Match geosite.
-
-#### source_geoip
-
-Match source geoip.
-
-#### geoip
-
-Match geoip.
-
-#### source_ip_cidr
-
-Match source ip cidr.
-
-#### ip_cidr
-
-Match ip cidr.
-
-#### source_port
-
-Match source port.
-
-#### source_port_range
-
-Match source port range.
-
-#### port
-
-Match port.
-
-#### port_range
-
-Match port range.
-
-#### invert
-
-Invert match result.
-
-#### action
-
-==Required==
-
-| Action | Description                                                        |
-|--------|--------------------------------------------------------------------|
-| return | Stop IP routing and assemble the connection to the transport layer |
-| block  | Block the connection                                               |
-| direct | Directly forward the connection                                    |
-
-#### outbound
-
-==Required if action is direct==
-
-Tag of the target outbound.
-
-Only outbound which supports IP connection can be used, see [Outbounds that support IP connection](/configuration/outbound/#outbounds-that-support-ip-connection).
-
-### Logical Fields
-
-#### type
-
-`logical`
-
-#### mode
-
-==Required==
-
-`and` or `or`
-
-#### rules
-
-==Required==
-
-Included default rules.

docs/configuration/route/ip-rule.zh.md

@@ -1,204 +0,0 @@
-### 结构
-
-```json
-{
-  "route": {
-    "ip_rules": [
-      {
-        "inbound": [
-          "mixed-in"
-        ],
-        "ip_version": 6,
-        "network": [
-          "tcp"
-        ],
-        "domain": [
-          "test.com"
-        ],
-        "domain_suffix": [
-          ".cn"
-        ],
-        "domain_keyword": [
-          "test"
-        ],
-        "domain_regex": [
-          "^stun\\..+"
-        ],
-        "geosite": [
-          "cn"
-        ],
-        "source_geoip": [
-          "private"
-        ],
-        "geoip": [
-          "cn"
-        ],
-        "source_ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "source_port": [
-          12345
-        ],
-        "source_port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "port": [
-          80,
-          443
-        ],
-        "port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "invert": false,
-        "action": "direct",
-        "outbound": "wireguard"
-      },
-      {
-        "type": "logical",
-        "mode": "and",
-        "rules": [],
-        "invert": false,
-        "action": "direct",
-        "outbound": "wireguard"
-      }
-    ]
-  }
-}
-
-```
-
-!!! note ""
-
-    当内容只有一项时，可以忽略 JSON 数组 [] 标签。
-
-### Default Fields
-
-!!! note ""
-
-    默认规则使用以下匹配逻辑:  
-    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
-    (`port` || `port_range`) &&  
-    (`source_geoip` || `source_ip_cidr`) &&  
-    (`source_port` || `source_port_range`) &&  
-    `other fields`
-
-#### inbound
-
-[入站](/zh/configuration/inbound) 标签。
-
-#### ip_version
-
-4 或 6。
-
-默认不限制。
-
-#### network
-
-匹配网络协议。
-
-可用值：
-
-* `tcp`
-* `udp`
-* `icmpv4`
-* `icmpv6`
-
-#### domain
-
-匹配完整域名。
-
-#### domain_suffix
-
-匹配域名后缀。
-
-#### domain_keyword
-
-匹配域名关键字。
-
-#### domain_regex
-
-匹配域名正则表达式。
-
-#### geosite
-
-匹配 GeoSite。
-
-#### source_geoip
-
-匹配源 GeoIP。
-
-#### geoip
-
-匹配 GeoIP。
-
-#### source_ip_cidr
-
-匹配源 IP CIDR。
-
-#### ip_cidr
-
-匹配 IP CIDR。
-
-#### source_port
-
-匹配源端口。
-
-#### source_port_range
-
-匹配源端口范围。
-
-#### port
-
-匹配端口。
-
-#### port_range
-
-匹配端口范围。
-
-#### invert
-
-反选匹配结果。
-
-#### action
-
-==必填==
-
-| Action | 描述                  |
-|--------|---------------------|
-| return | 停止 IP 路由并将该连接组装到传输层 |
-| block  | 屏蔽该连接               |
-| direct | 直接转发该连接             |
-
-
-#### outbound
-
-==action 为 direct 则必填==
-
-目标出站的标签。
-
-### 逻辑字段
-
-#### type
-
-`logical`
-
-#### mode
-
-==必填==
-
-`and` 或 `or`
-
-#### rules
-
-==必填==
-
-包括的默认规则。

docs/configuration/shared/dial.md

@@ -10,6 +10,7 @@
   "reuse_addr": false,
   "connect_timeout": "5s",
   "tcp_fast_open": false,
+  "tcp_multi_path": false,
   "udp_fragment": false,
   "domain_strategy": "prefer_ipv6",
   "fallback_delay": "300ms"
@@ -18,9 +19,9 @@
 
 ### Fields
 
-| Field                                                                                                                | Available Context |
-|----------------------------------------------------------------------------------------------------------------------|-------------------|
-| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open`/ `udp_fragment` /`connect_timeout` | `detour` not set  |
+| Field                                                                                                                                    | Available Context |
+|------------------------------------------------------------------------------------------------------------------------------------------|-------------------|
+| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open` / `tcp_multi_path` / `udp_fragment` /`connect_timeout` | `detour` not set  |
 
 #### detour
 
@@ -54,6 +55,14 @@ Reuse listener address.
 
 Enable TCP Fast Open.
 
+#### tcp_multi_path
+
+!!! warning ""
+
+    Go 1.21 required.
+
+Enable TCP Multi Path.
+
 #### udp_fragment
 
 Enable UDP fragmentation.

docs/configuration/shared/dial.zh.md

@@ -10,6 +10,7 @@
   "reuse_addr": false,
   "connect_timeout": "5s",
   "tcp_fast_open": false,
+  "tcp_multi_path": false,
   "udp_fragment": false,
   "domain_strategy": "prefer_ipv6",
   "fallback_delay": "300ms"
@@ -18,9 +19,9 @@
 
 ### 字段
 
-| 字段                                                                                                                   | 可用上下文        |
-|----------------------------------------------------------------------------------------------------------------------|--------------|
-| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open`/ `udp_fragment` /`connect_timeout` | `detour` 未设置 |
+| 字段                                                                                                                                       | 可用上下文        |
+|------------------------------------------------------------------------------------------------------------------------------------------|--------------|
+| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open` / `tcp_mutli_path` / `udp_fragment` /`connect_timeout` | `detour` 未设置 |
 
 
 #### detour
@@ -57,6 +58,14 @@
 
 启用 TCP Fast Open。
 
+#### tcp_multi_path
+
+!!! warning ""
+
+    需要 Go 1.21。
+
+启用 TCP Multi Path。
+
 #### udp_fragment
 
 启用 UDP 分段。

docs/configuration/shared/listen.md

@@ -5,6 +5,7 @@
   "listen": "::",
   "listen_port": 5353,
   "tcp_fast_open": false,
+  "tcp_multi_path": false,
   "udp_fragment": false,
   "sniff": false,
   "sniff_override_destination": false,
@@ -24,6 +25,7 @@
 | `listen`                          | Needs to listen on TCP or UDP.                                    |
 | `listen_port`                     | Needs to listen on TCP or UDP.                                    |
 | `tcp_fast_open`                   | Needs to listen on TCP.                                           |
+| `tcp_multi_path`                  | Needs to listen on TCP.                                           |
 | `udp_timeout`                     | Needs to assemble UDP connections, currently Tun and Shadowsocks. |
 | `proxy_protocol`                  | Needs to listen on TCP.                                           |
 | `proxy_protocol_accept_no_header` | When `proxy_protocol` enabled                                     |
@@ -42,6 +44,14 @@ Listen port.
 
 Enable TCP Fast Open.
 
+#### tcp_multi_path
+
+!!! warning ""
+
+    Go 1.21 required.
+
+Enable TCP Multi Path.
+
 #### udp_fragment
 
 Enable UDP fragmentation.

docs/configuration/shared/listen.zh.md

@@ -5,6 +5,7 @@
   "listen": "::",
   "listen_port": 5353,
   "tcp_fast_open": false,
+  "tcp_multi_path": false,
   "udp_fragment": false,
   "sniff": false,
   "sniff_override_destination": false,
@@ -23,6 +24,7 @@
 | `listen`                          | 需要监听 TCP 或 UDP。                     |
 | `listen_port`                     | 需要监听 TCP 或 UDP。                     |
 | `tcp_fast_open`                   | 需要监听 TCP。                           |
+| `tcp_multi_path`                  | 需要监听 TCP。                           |
 | `udp_timeout`                     | 需要组装 UDP 连接, 当前为 Tun 和 Shadowsocks。 |
 | `proxy_protocol`                  | 需要监听 TCP。                           |
 | `proxy_protocol_accept_no_header` | `proxy_protocol` 启用时                |
@@ -43,6 +45,14 @@
 
 启用 TCP Fast Open。
 
+#### tcp_multi_path
+
+!!! warning ""
+
+    需要 Go 1.21。
+
+启用 TCP Multi Path。
+
 #### udp_fragment
 
 启用 UDP 分段。

docs/examples/index.md

@@ -8,5 +8,4 @@ Configuration examples for sing-box.
 * [Shadowsocks](./shadowsocks)
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
-* [WireGuard Direct](./wireguard-direct)
 * [FakeIP](./fakeip)

docs/examples/index.zh.md

@@ -8,5 +8,4 @@ sing-box 的配置示例。
 * [Shadowsocks](./shadowsocks)
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
-* [WireGuard Direct](./wireguard-direct)
 * [FakeIP](./fakeip)

docs/examples/wireguard-direct.md

@@ -1,90 +0,0 @@
-# WireGuard Direct
-
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "tag": "google",
-        "address": "tls://8.8.8.8"
-      },
-      {
-        "tag": "local",
-        "address": "223.5.5.5",
-        "detour": "direct"
-      }
-    ],
-    "rules": [
-      {
-        "geoip": "cn",
-        "server": "direct"
-      }
-    ],
-    "reverse_mapping": true
-  },
-  "inbounds": [
-    {
-      "type": "tun",
-      "tag": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true,
-      "stack": "system"
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "wireguard",
-      "tag": "wg",
-      "server": "127.0.0.1",
-      "server_port": 2345,
-      "local_address": [
-        "172.19.0.1/128"
-      ],
-      "private_key": "KLTnpPY03pig/WC3zR8U7VWmpANHPFh2/4pwICGJ5Fk=",
-      "peer_public_key": "uvNabcamf6Rs0vzmcw99jsjTJbxo6eWGOykSY66zsUk="
-    },
-    {
-      "type": "dns",
-      "tag": "dns"
-    },
-    {
-      "type": "direct",
-      "tag": "direct"
-    },
-    {
-      "type": "block",
-      "tag": "block"
-    }
-  ],
-  "route": {
-    "ip_rules": [
-      {
-        "port": 53,
-        "action": "return"
-      },
-      {
-        "geoip": "cn",
-        "geosite": "cn",
-        "action": "return"
-      },
-      {
-        "action": "direct",
-        "outbound": "wg"
-      }
-    ],
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns"
-      },
-      {
-        "geoip": "cn",
-        "geosite": "cn",
-        "outbound": "direct"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```

docs/installation/clients/sfa.md

@@ -9,6 +9,7 @@ Experimental Android client for sing-box.
 #### Download
 
 * [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
+* [Github Releases](https://github.com/SagerNet/sing-box/releases)
 
 #### Note
 

docs/installation/clients/sfa.zh.md

@@ -9,6 +9,7 @@
 #### 下载
 
 * [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
+* [Github Releases](https://github.com/SagerNet/sing-box/releases)
 
 #### 注意事项
 

docs/installation/clients/sfi.md

@@ -5,10 +5,11 @@ Experimental iOS client for sing-box.
 #### Requirements
 
 * iOS 15.0+
-* macOS 12.0+ with Apple Silicon
+* An Apple account outside of mainland China
 
 #### Download
 
+* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
 * [TestFlight](https://testflight.apple.com/join/AcqO44FH)
 
 #### Note

docs/installation/clients/sfi.zh.md

@@ -5,10 +5,11 @@
 #### 要求
 
 * iOS 15.0+
-* macOS 12.0+ with Apple Silicon
+* 一个非中国大陆地区的 Apple 账号
 
 #### 下载
 
+* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
 * [TestFlight](https://testflight.apple.com/join/AcqO44FH)
 
 #### 注意事项

docs/installation/clients/sfm.md

@@ -5,11 +5,19 @@ Experimental macOS client for sing-box.
 #### Requirements
 
 * macOS 13.0+
+* An Apple account outside of mainland China (App Store Version)
 
-#### Download
+#### Download (App Store Version)
 
+* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
 * [TestFlight](https://testflight.apple.com/join/AcqO44FH)
 
+#### Download (Independent Version)
+
+* [GitHub Release](https://github.com/SagerNet/sing-box/releases/latest)
+* Homebrew (Cask): `brew install sfm`
+* Homebrew (Tap): `brew tap sagernet/sing-box && brew install sagernet/sing-box/sfm`
+
 #### Note
 
 * User Agent in remote profile request is `SFM/$version ($version_code; sing-box $sing_box_version)`
@@ -17,5 +25,5 @@ Experimental macOS client for sing-box.
 
 #### Privacy policy
 
-* SFI did not collect or share personal data.
+* SFM did not collect or share personal data.
 * The data generated by the software is always on your device.

docs/installation/clients/sfm.zh.md

@@ -5,11 +5,19 @@
 #### 要求
 
 * macOS 13.0+
+* 一个非中国大陆地区的 Apple 账号 (商店版本)
 
-#### 下载
+#### 下载 (商店版本)
 
+* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
 * [TestFlight](https://testflight.apple.com/join/AcqO44FH)
 
+#### 下载 (独立版本)
+
+* [GitHub Release](https://github.com/SagerNet/sing-box/releases/latest)
+* Homebrew (Cask): `brew install sfm`
+* Homebrew (Tap): `brew tap sagernet/sing-box && brew install sagernet/sing-box/sfm`
+
 #### 注意事项
 
 * 远程配置文件请求中的 User Agent 为 `SFM/$version ($version_code; sing-box $sing_box_version)`

docs/installation/clients/sft.md

@@ -0,0 +1,29 @@
+# SFT
+
+Experimental Apple tvOS client for sing-box.
+
+#### Requirements
+
+* tvOS 17.0+
+
+#### Download
+
+* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
+
+#### Features
+
+Full functionality, except for:
+
+* Only remote configuration files can be created manually
+* You need to update SFI to the latest beta version to import profiles from iPhone/iPad
+* No iCloud profile support
+
+#### Note
+
+* User Agent in remote profile request is `SFT/$version ($version_code; sing-box $sing_box_version)`
+* Crash logs is located in `Settings` -> `View Service Log`
+
+#### Privacy policy
+
+* SFT did not collect or share personal data.
+* The data generated by the software is always on your device.

docs/installation/clients/specification.md

@@ -0,0 +1,25 @@
+# Specification
+
+## Profile
+
+Profile defines a sing-box configuration with metadata in a GUI client.
+
+## Profile Types
+
+### Local
+
+Create a empty configuration or import from a local file.
+
+### iCloud (on Apple platforms)
+
+Create a new configuration or use an existing configuration on iCloud. 
+
+### Remote
+
+Use a remote URL as the configuration source, with HTTP basic authentication and automatic update support.
+
+#### URL specification
+
+```
+sing-box://import-remote-profile?url=urlEncodedURL#urlEncodedName
+```

docs/installation/from-source.md

@@ -1,6 +1,17 @@
 # Install from source
 
-sing-box requires Golang **1.18.5** or a higher version.
+## Requirements
+
+Before sing-box 1.4.0:
+
+* Go 1.18.5 - 1.20.x
+
+Since sing-box 1.4.0:
+
+* Go 1.18.5 - ~
+* Go 1.20.0 - ~ if `with_quic` tag enabled
+
+## Installation
 
 ```bash
 go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
@@ -9,7 +20,7 @@ go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
 Install with options:
 
 ```bash
-go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
+go install -v -tags with_quic,with_wireguard github.com/sagernet/sing-box/cmd/sing-box@latest
 ```
 
 | Build Tag                          | Description                                                                                                                                                                                                                                                                                                                |

docs/installation/package-manager/android.md

@@ -0,0 +1,7 @@
+# Android
+
+## Termux
+
+```shell
+pkg add sing-box
+```

docs/installation/package-manager/macOS.md

@@ -0,0 +1,14 @@
+# macOS
+
+## Homebrew (core)
+
+```shell
+brew install sing-box
+```
+
+## Homebrew (Tap)
+
+```shell
+brew tap sagernet/sing-box
+brew install sagernet/sing-box/sing-box
+```

docs/installation/package-manager/windows.md

@@ -0,0 +1,13 @@
+# Windows
+
+## Chocolatey
+
+```shell
+choco install sing-box
+```
+
+## winget
+
+```shell
+winget install sing-box
+```

experimental/clashapi.go

@@ -7,6 +7,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
 )
 
 type ClashServerConstructor = func(ctx context.Context, router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error)
@@ -23,3 +24,28 @@ func NewClashServer(ctx context.Context, router adapter.Router, logFactory log.O
 	}
 	return clashServerConstructor(ctx, router, logFactory, options)
 }
+
+func CalculateClashModeList(options option.Options) []string {
+	var clashMode []string
+	for _, dnsRule := range common.PtrValueOrDefault(options.DNS).Rules {
+		if dnsRule.DefaultOptions.ClashMode != "" && !common.Contains(clashMode, dnsRule.DefaultOptions.ClashMode) {
+			clashMode = append(clashMode, dnsRule.DefaultOptions.ClashMode)
+		}
+		for _, defaultRule := range dnsRule.LogicalOptions.Rules {
+			if defaultRule.ClashMode != "" && !common.Contains(clashMode, defaultRule.ClashMode) {
+				clashMode = append(clashMode, defaultRule.ClashMode)
+			}
+		}
+	}
+	for _, rule := range common.PtrValueOrDefault(options.Route).Rules {
+		if rule.DefaultOptions.ClashMode != "" && !common.Contains(clashMode, rule.DefaultOptions.ClashMode) {
+			clashMode = append(clashMode, rule.DefaultOptions.ClashMode)
+		}
+		for _, defaultRule := range rule.LogicalOptions.Rules {
+			if defaultRule.ClashMode != "" && !common.Contains(clashMode, defaultRule.ClashMode) {
+				clashMode = append(clashMode, defaultRule.ClashMode)
+			}
+		}
+	}
+	return clashMode
+}

experimental/clashapi/cachefile/cache.go

@@ -8,21 +8,35 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing/common"
 
 	"go.etcd.io/bbolt"
 )
 
-var bucketSelected = []byte("selected")
+var (
+	bucketSelected = []byte("selected")
+	bucketExpand   = []byte("group_expand")
+	bucketMode     = []byte("clash_mode")
+
+	bucketNameList = []string{
+		string(bucketSelected),
+		string(bucketExpand),
+		string(bucketMode),
+	}
+
+	cacheIDDefault = []byte("default")
+)
 
 var _ adapter.ClashCacheFile = (*CacheFile)(nil)
 
 type CacheFile struct {
-	DB           *bbolt.DB
-	cacheID      []byte
-	saveAccess   sync.RWMutex
-	saveDomain   map[netip.Addr]string
-	saveAddress4 map[string]netip.Addr
-	saveAddress6 map[string]netip.Addr
+	DB                *bbolt.DB
+	cacheID           []byte
+	saveAccess        sync.RWMutex
+	saveDomain        map[netip.Addr]string
+	saveAddress4      map[string]netip.Addr
+	saveAddress6      map[string]netip.Addr
+	saveMetadataTimer *time.Timer
 }
 
 func Open(path string, cacheID string) (*CacheFile, error) {
@@ -48,21 +62,15 @@ func Open(path string, cacheID string) (*CacheFile, error) {
 			if name[0] == 0 {
 				return b.ForEachBucket(func(k []byte) error {
 					bucketName := string(k)
-					if !(bucketName == string(bucketSelected)) {
-						delErr := b.DeleteBucket(name)
-						if delErr != nil {
-							return delErr
-						}
+					if !(common.Contains(bucketNameList, bucketName)) {
+						_ = b.DeleteBucket(name)
 					}
 					return nil
 				})
 			} else {
 				bucketName := string(name)
-				if !(bucketName == string(bucketSelected) || strings.HasPrefix(bucketName, fakeipBucketPrefix)) {
-					delErr := tx.DeleteBucket(name)
-					if delErr != nil {
-						return delErr
-					}
+				if !(common.Contains(bucketNameList, bucketName) || strings.HasPrefix(bucketName, fakeipBucketPrefix)) {
+					_ = tx.DeleteBucket(name)
 				}
 			}
 			return nil
@@ -80,6 +88,39 @@ func Open(path string, cacheID string) (*CacheFile, error) {
 	}, nil
 }
 
+func (c *CacheFile) LoadMode() string {
+	var mode string
+	c.DB.View(func(t *bbolt.Tx) error {
+		bucket := t.Bucket(bucketMode)
+		if bucket == nil {
+			return nil
+		}
+		var modeBytes []byte
+		if len(c.cacheID) > 0 {
+			modeBytes = bucket.Get(c.cacheID)
+		} else {
+			modeBytes = bucket.Get(cacheIDDefault)
+		}
+		mode = string(modeBytes)
+		return nil
+	})
+	return mode
+}
+
+func (c *CacheFile) StoreMode(mode string) error {
+	return c.DB.Batch(func(t *bbolt.Tx) error {
+		bucket, err := t.CreateBucketIfNotExists(bucketMode)
+		if err != nil {
+			return err
+		}
+		if len(c.cacheID) > 0 {
+			return bucket.Put(c.cacheID, []byte(mode))
+		} else {
+			return bucket.Put(cacheIDDefault, []byte(mode))
+		}
+	})
+}
+
 func (c *CacheFile) bucket(t *bbolt.Tx, key []byte) *bbolt.Bucket {
 	if c.cacheID == nil {
 		return t.Bucket(key)
@@ -128,6 +169,36 @@ func (c *CacheFile) StoreSelected(group, selected string) error {
 	})
 }
 
+func (c *CacheFile) LoadGroupExpand(group string) (isExpand bool, loaded bool) {
+	c.DB.View(func(t *bbolt.Tx) error {
+		bucket := c.bucket(t, bucketExpand)
+		if bucket == nil {
+			return nil
+		}
+		expandBytes := bucket.Get([]byte(group))
+		if len(expandBytes) == 1 {
+			isExpand = expandBytes[0] == 1
+			loaded = true
+		}
+		return nil
+	})
+	return
+}
+
+func (c *CacheFile) StoreGroupExpand(group string, isExpand bool) error {
+	return c.DB.Batch(func(t *bbolt.Tx) error {
+		bucket, err := c.createBucket(t, bucketExpand)
+		if err != nil {
+			return err
+		}
+		if isExpand {
+			return bucket.Put([]byte(group), []byte{1})
+		} else {
+			return bucket.Put([]byte(group), []byte{0})
+		}
+	})
+}
+
 func (c *CacheFile) Close() error {
 	return c.DB.Close()
 }

experimental/clashapi/cachefile/fakeip.go

@@ -3,6 +3,7 @@ package cachefile
 import (
 	"net/netip"
 	"os"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common/logger"
@@ -57,6 +58,15 @@ func (c *CacheFile) FakeIPSaveMetadata(metadata *adapter.FakeIPMetadata) error {
 	})
 }
 
+func (c *CacheFile) FakeIPSaveMetadataAsync(metadata *adapter.FakeIPMetadata) {
+	if timer := c.saveMetadataTimer; timer != nil {
+		timer.Stop()
+	}
+	c.saveMetadataTimer = time.AfterFunc(10*time.Second, func() {
+		_ = c.FakeIPSaveMetadata(metadata)
+	})
+}
+
 func (c *CacheFile) FakeIPStore(address netip.Addr, domain string) error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket, err := tx.CreateBucketIfNotExists(bucketFakeIP)

experimental/clashapi/configs.go

@@ -2,7 +2,6 @@ package clashapi
 
 import (
 	"net/http"
-	"strings"
 
 	"github.com/sagernet/sing-box/log"
 
@@ -10,11 +9,11 @@ import (
 	"github.com/go-chi/render"
 )
 
-func configRouter(server *Server, logFactory log.Factory, logger log.Logger) http.Handler {
+func configRouter(server *Server, logFactory log.Factory) http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", getConfigs(server, logFactory))
 	r.Put("/", updateConfigs)
-	r.Patch("/", patchConfigs(server, logger))
+	r.Patch("/", patchConfigs(server))
 	return r
 }
 
@@ -48,7 +47,7 @@ func getConfigs(server *Server, logFactory log.Factory) func(w http.ResponseWrit
 	}
 }
 
-func patchConfigs(server *Server, logger log.Logger) func(w http.ResponseWriter, r *http.Request) {
+func patchConfigs(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var newConfig configSchema
 		err := render.DecodeJSON(r.Body, &newConfig)
@@ -58,11 +57,7 @@ func patchConfigs(server *Server, logger log.Logger) func(w http.ResponseWriter,
 			return
 		}
 		if newConfig.Mode != "" {
-			mode := strings.ToLower(newConfig.Mode)
-			if server.mode != mode {
-				server.mode = mode
-				logger.Info("updated mode: ", mode)
-			}
+			server.SetMode(newConfig.Mode)
 		}
 		render.NoContent(w, r)
 	}

experimental/clashapi/proxies.go

@@ -63,38 +63,10 @@ func proxyInfo(server *Server, detour adapter.Outbound) *badjson.JSONObject {
 	var info badjson.JSONObject
 	var clashType string
 	switch detour.Type() {
-	case C.TypeDirect:
-		clashType = "Direct"
 	case C.TypeBlock:
 		clashType = "Reject"
-	case C.TypeSocks:
-		clashType = "Socks"
-	case C.TypeHTTP:
-		clashType = "HTTP"
-	case C.TypeShadowsocks:
-		clashType = "Shadowsocks"
-	case C.TypeVMess:
-		clashType = "VMess"
-	case C.TypeTrojan:
-		clashType = "Trojan"
-	case C.TypeHysteria:
-		clashType = "Hysteria"
-	case C.TypeWireGuard:
-		clashType = "WireGuard"
-	case C.TypeShadowsocksR:
-		clashType = "ShadowsocksR"
-	case C.TypeVLESS:
-		clashType = "VLESS"
-	case C.TypeTor:
-		clashType = "Tor"
-	case C.TypeSSH:
-		clashType = "SSH"
-	case C.TypeSelector:
-		clashType = "Selector"
-	case C.TypeURLTest:
-		clashType = "URLTest"
 	default:
-		clashType = "Direct"
+		clashType = C.ProxyDisplayName(detour.Type())
 	}
 	info.Put("type", clashType)
 	info.Put("name", detour.Tag())

experimental/clashapi/server.go

@@ -46,12 +46,16 @@ type Server struct {
 	trafficManager *trafficontrol.Manager
 	urlTestHistory *urltest.HistoryStorage
 	mode           string
+	modeList       []string
+	modeUpdateHook chan<- struct{}
+	storeMode      bool
 	storeSelected  bool
 	storeFakeIP    bool
 	cacheFilePath  string
 	cacheID        string
 	cacheFile      adapter.ClashCacheFile
 
+	externalController       bool
 	externalUI               string
 	externalUIDownloadURL    string
 	externalUIDownloadDetour string
@@ -69,7 +73,9 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 			Handler: chiRouter,
 		},
 		trafficManager:           trafficManager,
-		mode:                     strings.ToLower(options.DefaultMode),
+		modeList:                 options.ModeList,
+		externalController:       options.ExternalController != "",
+		storeMode:                options.StoreMode,
 		storeSelected:            options.StoreSelected,
 		storeFakeIP:              options.StoreFakeIP,
 		externalUIDownloadURL:    options.ExternalUIDownloadURL,
@@ -79,10 +85,15 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 	if server.urlTestHistory == nil {
 		server.urlTestHistory = urltest.NewHistoryStorage()
 	}
-	if server.mode == "" {
-		server.mode = "rule"
+	defaultMode := "Rule"
+	if options.DefaultMode != "" {
+		defaultMode = options.DefaultMode
 	}
-	if options.StoreSelected || options.StoreFakeIP {
+	if !common.Contains(server.modeList, defaultMode) {
+		server.modeList = append([]string{defaultMode}, server.modeList...)
+	}
+	server.mode = defaultMode
+	if options.StoreMode || options.StoreSelected || options.StoreFakeIP || options.ExternalController == "" {
 		cachePath := os.ExpandEnv(options.CacheFile)
 		if cachePath == "" {
 			cachePath = "cache.db"
@@ -108,7 +119,7 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 		r.Get("/logs", getLogs(logFactory))
 		r.Get("/traffic", traffic(trafficManager))
 		r.Get("/version", version)
-		r.Mount("/configs", configRouter(server, logFactory, server.logger))
+		r.Mount("/configs", configRouter(server, logFactory))
 		r.Mount("/proxies", proxyRouter(server, router))
 		r.Mount("/rules", ruleRouter(router))
 		r.Mount("/connections", connectionRouter(router, trafficManager))
@@ -141,23 +152,33 @@ func (s *Server) PreStart() error {
 			return E.Cause(err, "open cache file")
 		}
 		s.cacheFile = cacheFile
+		if s.storeMode {
+			mode := s.cacheFile.LoadMode()
+			if common.Any(s.modeList, func(it string) bool {
+				return strings.EqualFold(it, mode)
+			}) {
+				s.mode = mode
+			}
+		}
 	}
 	return nil
 }
 
 func (s *Server) Start() error {
-	s.checkAndDownloadExternalUI()
-	listener, err := net.Listen("tcp", s.httpServer.Addr)
-	if err != nil {
-		return E.Cause(err, "external controller listen error")
-	}
-	s.logger.Info("restful api listening at ", listener.Addr())
-	go func() {
-		err = s.httpServer.Serve(listener)
-		if err != nil && !errors.Is(err, http.ErrServerClosed) {
-			s.logger.Error("external controller serve error: ", err)
+	if s.externalController {
+		s.checkAndDownloadExternalUI()
+		listener, err := net.Listen("tcp", s.httpServer.Addr)
+		if err != nil {
+			return E.Cause(err, "external controller listen error")
 		}
-	}()
+		s.logger.Info("restful api listening at ", listener.Addr())
+		go func() {
+			err = s.httpServer.Serve(listener)
+			if err != nil && !errors.Is(err, http.ErrServerClosed) {
+				s.logger.Error("external controller serve error: ", err)
+			}
+		}()
+	}
 	return nil
 }
 
@@ -166,6 +187,7 @@ func (s *Server) Close() error {
 		common.PtrOrNil(s.httpServer),
 		s.trafficManager,
 		s.cacheFile,
+		s.urlTestHistory,
 	)
 }
 
@@ -173,6 +195,43 @@ func (s *Server) Mode() string {
 	return s.mode
 }
 
+func (s *Server) ModeList() []string {
+	return s.modeList
+}
+
+func (s *Server) SetModeUpdateHook(hook chan<- struct{}) {
+	s.modeUpdateHook = hook
+}
+
+func (s *Server) SetMode(newMode string) {
+	if !common.Contains(s.modeList, newMode) {
+		newMode = common.Find(s.modeList, func(it string) bool {
+			return strings.EqualFold(it, newMode)
+		})
+	}
+	if !common.Contains(s.modeList, newMode) {
+		return
+	}
+	if newMode == s.mode {
+		return
+	}
+	s.mode = newMode
+	if s.modeUpdateHook != nil {
+		select {
+		case s.modeUpdateHook <- struct{}{}:
+		default:
+		}
+	}
+	s.router.ClearDNSCache()
+	if s.storeMode {
+		err := s.cacheFile.StoreMode(newMode)
+		if err != nil {
+			s.logger.Error(E.Cause(err, "save mode"))
+		}
+	}
+	s.logger.Info("updated mode: ", newMode)
+}
+
 func (s *Server) StoreSelected() bool {
 	return s.storeSelected
 }

experimental/libbox/command.go

@@ -8,4 +8,9 @@ const (
 	CommandGroup
 	CommandSelectOutbound
 	CommandURLTest
+	CommandGroupExpand
+	CommandClashMode
+	CommandSetClashMode
+	CommandGetSystemProxyStatus
+	CommandSetSystemProxyEnabled
 )

experimental/libbox/command_clash_mode.go

@@ -0,0 +1,135 @@
+package libbox
+
+import (
+	"encoding/binary"
+	"io"
+	"net"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/experimental/clashapi"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/rw"
+)
+
+func (c *CommandClient) SetClashMode(newMode string) error {
+	conn, err := c.directConnect()
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandSetClashMode))
+	if err != nil {
+		return err
+	}
+	err = rw.WriteVString(conn, newMode)
+	if err != nil {
+		return err
+	}
+	return readError(conn)
+}
+
+func (s *CommandServer) handleSetClashMode(conn net.Conn) error {
+	defer conn.Close()
+	newMode, err := rw.ReadVString(conn)
+	if err != nil {
+		return err
+	}
+	service := s.service
+	if service == nil {
+		return writeError(conn, E.New("service not ready"))
+	}
+	clashServer := service.instance.Router().ClashServer()
+	if clashServer == nil {
+		return writeError(conn, E.New("Clash API disabled"))
+	}
+	clashServer.(*clashapi.Server).SetMode(newMode)
+	return writeError(conn, nil)
+}
+
+func (c *CommandClient) handleModeConn(conn net.Conn) {
+	defer conn.Close()
+
+	for {
+		newMode, err := rw.ReadVString(conn)
+		if err != nil {
+			c.handler.Disconnected(err.Error())
+			return
+		}
+		c.handler.UpdateClashMode(newMode)
+	}
+}
+
+func (s *CommandServer) handleModeConn(conn net.Conn) error {
+	defer conn.Close()
+	ctx := connKeepAlive(conn)
+	for s.service == nil {
+		select {
+		case <-time.After(time.Second):
+			continue
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+	clashServer := s.service.instance.Router().ClashServer()
+	if clashServer == nil {
+		defer conn.Close()
+		return binary.Write(conn, binary.BigEndian, uint16(0))
+	}
+	err := writeClashModeList(conn, clashServer)
+	if err != nil {
+		return err
+	}
+	for {
+		select {
+		case <-s.modeUpdate:
+			err = rw.WriteVString(conn, clashServer.Mode())
+			if err != nil {
+				return err
+			}
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+}
+
+func readClashModeList(reader io.Reader) (modeList []string, currentMode string, err error) {
+	var modeListLength uint16
+	err = binary.Read(reader, binary.BigEndian, &modeListLength)
+	if err != nil {
+		return
+	}
+	if modeListLength == 0 {
+		return
+	}
+	modeList = make([]string, modeListLength)
+	for i := 0; i < int(modeListLength); i++ {
+		modeList[i], err = rw.ReadVString(reader)
+		if err != nil {
+			return
+		}
+	}
+	currentMode, err = rw.ReadVString(reader)
+	return
+}
+
+func writeClashModeList(writer io.Writer, clashServer adapter.ClashServer) error {
+	modeList := clashServer.ModeList()
+	err := binary.Write(writer, binary.BigEndian, uint16(len(modeList)))
+	if err != nil {
+		return err
+	}
+	if len(modeList) > 0 {
+		for _, mode := range modeList {
+			err = rw.WriteVString(writer, mode)
+			if err != nil {
+				return err
+			}
+		}
+		err = rw.WriteVString(writer, clashServer.Mode())
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

experimental/libbox/command_client.go

@@ -3,17 +3,18 @@ package libbox
 import (
 	"encoding/binary"
 	"net"
+	"os"
 	"path/filepath"
+	"time"
 
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
 type CommandClient struct {
-	sharedDirectory string
-	handler         CommandClientHandler
-	conn            net.Conn
-	options         CommandClientOptions
+	handler CommandClientHandler
+	conn    net.Conn
+	options CommandClientOptions
 }
 
 type CommandClientOptions struct {
@@ -27,32 +28,50 @@ type CommandClientHandler interface {
 	WriteLog(message string)
 	WriteStatus(message *StatusMessage)
 	WriteGroups(message OutboundGroupIterator)
+	InitializeClashMode(modeList StringIterator, currentMode string)
+	UpdateClashMode(newMode string)
 }
 
-func NewStandaloneCommandClient(sharedDirectory string) *CommandClient {
-	return &CommandClient{
-		sharedDirectory: sharedDirectory,
-	}
+func NewStandaloneCommandClient() *CommandClient {
+	return new(CommandClient)
 }
 
-func NewCommandClient(sharedDirectory string, handler CommandClientHandler, options *CommandClientOptions) *CommandClient {
+func NewCommandClient(handler CommandClientHandler, options *CommandClientOptions) *CommandClient {
 	return &CommandClient{
-		sharedDirectory: sharedDirectory,
-		handler:         handler,
-		options:         common.PtrValueOrDefault(options),
+		handler: handler,
+		options: common.PtrValueOrDefault(options),
 	}
 }
 
 func (c *CommandClient) directConnect() (net.Conn, error) {
-	return net.DialUnix("unix", nil, &net.UnixAddr{
-		Name: filepath.Join(c.sharedDirectory, "command.sock"),
-		Net:  "unix",
-	})
+	if !sTVOS {
+		return net.DialUnix("unix", nil, &net.UnixAddr{
+			Name: filepath.Join(sBasePath, "command.sock"),
+			Net:  "unix",
+		})
+	} else {
+		return net.Dial("tcp", "127.0.0.1:8964")
+	}
+}
+
+func (c *CommandClient) directConnectWithRetry() (net.Conn, error) {
+	var (
+		conn net.Conn
+		err  error
+	)
+	for i := 0; i < 10; i++ {
+		conn, err = c.directConnect()
+		if err == nil {
+			return conn, nil
+		}
+		time.Sleep(time.Duration(100+i*50) * time.Millisecond)
+	}
+	return nil, err
 }
 
 func (c *CommandClient) Connect() error {
 	common.Close(c.conn)
-	conn, err := c.directConnect()
+	conn, err := c.directConnectWithRetry()
 	if err != nil {
 		return err
 	}
@@ -79,6 +98,23 @@ func (c *CommandClient) Connect() error {
 		}
 		c.handler.Connected()
 		go c.handleGroupConn(conn)
+	case CommandClashMode:
+		var (
+			modeList    []string
+			currentMode string
+		)
+		modeList, currentMode, err = readClashModeList(conn)
+		if err != nil {
+			return err
+		}
+		c.handler.Connected()
+		c.handler.InitializeClashMode(newIterator(modeList), currentMode)
+		if len(modeList) == 0 {
+			conn.Close()
+			c.handler.Disconnected(os.ErrInvalid.Error())
+			return nil
+		}
+		go c.handleModeConn(conn)
 	}
 	return nil
 }

experimental/libbox/command_conntrack.go

@@ -6,7 +6,7 @@ import (
 	runtimeDebug "runtime/debug"
 	"time"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 )
 
 func (c *CommandClient) CloseConnections() error {

experimental/libbox/command_group.go

@@ -4,10 +4,12 @@ import (
 	"encoding/binary"
 	"io"
 	"net"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/outbound"
+	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
 	"github.com/sagernet/sing/service"
 )
@@ -17,6 +19,7 @@ type OutboundGroup struct {
 	Type       string
 	Selectable bool
 	Selected   string
+	IsExpand   bool
 	items      []*OutboundGroupItem
 }
 
@@ -71,6 +74,11 @@ func (s *CommandServer) handleGroupConn(conn net.Conn) error {
 			}
 		}
 		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-time.After(2 * time.Second):
+		}
+		select {
 		case <-ctx.Done():
 			return ctx.Err()
 		case <-s.urlTestUpdate:
@@ -108,6 +116,11 @@ func readGroups(reader io.Reader) (OutboundGroupIterator, error) {
 			return nil, err
 		}
 
+		err = binary.Read(reader, binary.BigEndian, &group.IsExpand)
+		if err != nil {
+			return nil, err
+		}
+
 		var itemLength uint16
 		err = binary.Read(reader, binary.BigEndian, &itemLength)
 		if err != nil {
@@ -146,6 +159,10 @@ func readGroups(reader io.Reader) (OutboundGroupIterator, error) {
 
 func writeGroups(writer io.Writer, boxService *BoxService) error {
 	historyStorage := service.PtrFromContext[urltest.HistoryStorage](boxService.ctx)
+	var cacheFile adapter.ClashCacheFile
+	if clashServer := boxService.instance.Router().ClashServer(); clashServer != nil {
+		cacheFile = clashServer.CacheFile()
+	}
 
 	outbounds := boxService.instance.Router().Outbounds()
 	var iGroups []adapter.OutboundGroup
@@ -161,6 +178,11 @@ func writeGroups(writer io.Writer, boxService *BoxService) error {
 		group.Type = iGroup.Type()
 		_, group.Selectable = iGroup.(*outbound.Selector)
 		group.Selected = iGroup.Now()
+		if cacheFile != nil {
+			if isExpand, loaded := cacheFile.LoadGroupExpand(group.Tag); loaded {
+				group.IsExpand = isExpand
+			}
+		}
 
 		for _, itemTag := range iGroup.All() {
 			itemOutbound, isLoaded := boxService.instance.Router().Outbound(itemTag)
@@ -177,6 +199,9 @@ func writeGroups(writer io.Writer, boxService *BoxService) error {
 			}
 			group.items = append(group.items, &item)
 		}
+		if len(group.items) < 2 {
+			continue
+		}
 		groups = append(groups, group)
 	}
 
@@ -201,6 +226,10 @@ func writeGroups(writer io.Writer, boxService *BoxService) error {
 		if err != nil {
 			return err
 		}
+		err = binary.Write(writer, binary.BigEndian, group.IsExpand)
+		if err != nil {
+			return err
+		}
 		err = binary.Write(writer, binary.BigEndian, uint16(len(group.items)))
 		if err != nil {
 			return err
@@ -226,3 +255,50 @@ func writeGroups(writer io.Writer, boxService *BoxService) error {
 	}
 	return nil
 }
+
+func (c *CommandClient) SetGroupExpand(groupTag string, isExpand bool) error {
+	conn, err := c.directConnect()
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandGroupExpand))
+	if err != nil {
+		return err
+	}
+	err = rw.WriteVString(conn, groupTag)
+	if err != nil {
+		return err
+	}
+	err = binary.Write(conn, binary.BigEndian, isExpand)
+	if err != nil {
+		return err
+	}
+	return readError(conn)
+}
+
+func (s *CommandServer) handleSetGroupExpand(conn net.Conn) error {
+	defer conn.Close()
+	groupTag, err := rw.ReadVString(conn)
+	if err != nil {
+		return err
+	}
+	var isExpand bool
+	err = binary.Read(conn, binary.BigEndian, &isExpand)
+	if err != nil {
+		return err
+	}
+	service := s.service
+	if service == nil {
+		return writeError(conn, E.New("service not ready"))
+	}
+	if clashServer := service.instance.Router().ClashServer(); clashServer != nil {
+		if cacheFile := clashServer.CacheFile(); cacheFile != nil {
+			err = cacheFile.StoreGroupExpand(groupTag, isExpand)
+			if err != nil {
+				return writeError(conn, err)
+			}
+		}
+	}
+	return writeError(conn, nil)
+}

experimental/libbox/command_server.go

@@ -8,6 +8,7 @@ import (
 	"sync"
 
 	"github.com/sagernet/sing-box/common/urltest"
+	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/debug"
@@ -18,7 +19,6 @@ import (
 )
 
 type CommandServer struct {
-	sockPath string
 	listener net.Listener
 	handler  CommandServerHandler
 
@@ -29,36 +29,35 @@ type CommandServer struct {
 	observer   *observable.Observer[string]
 	service    *BoxService
 
-	urlTestListener *list.Element[func()]
-	urlTestUpdate   chan struct{}
+	urlTestUpdate chan struct{}
+	modeUpdate    chan struct{}
 }
 
 type CommandServerHandler interface {
 	ServiceReload() error
+	GetSystemProxyStatus() *SystemProxyStatus
+	SetSystemProxyEnabled(isEnabled bool) error
 }
 
-func NewCommandServer(sharedDirectory string, handler CommandServerHandler, maxLines int32) *CommandServer {
+func NewCommandServer(handler CommandServerHandler, maxLines int32) *CommandServer {
 	server := &CommandServer{
-		sockPath:      filepath.Join(sharedDirectory, "command.sock"),
 		handler:       handler,
 		savedLines:    new(list.List[string]),
 		maxLines:      int(maxLines),
 		subscriber:    observable.NewSubscriber[string](128),
 		urlTestUpdate: make(chan struct{}, 1),
+		modeUpdate:    make(chan struct{}, 1),
 	}
 	server.observer = observable.NewObserver[string](server.subscriber, 64)
 	return server
 }
 
 func (s *CommandServer) SetService(newService *BoxService) {
-	if s.service != nil && s.listener != nil {
-		service.PtrFromContext[urltest.HistoryStorage](s.service.ctx).RemoveListener(s.urlTestListener)
-		s.urlTestListener = nil
+	if newService != nil {
+		service.PtrFromContext[urltest.HistoryStorage](newService.ctx).SetHook(s.urlTestUpdate)
+		newService.instance.Router().ClashServer().(*clashapi.Server).SetModeUpdateHook(s.modeUpdate)
 	}
 	s.service = newService
-	if newService != nil {
-		s.urlTestListener = service.PtrFromContext[urltest.HistoryStorage](newService.ctx).AddListener(s.notifyURLTestUpdate)
-	}
 	s.notifyURLTestUpdate()
 }
 
@@ -70,20 +69,29 @@ func (s *CommandServer) notifyURLTestUpdate() {
 }
 
 func (s *CommandServer) Start() error {
-	os.Remove(s.sockPath)
+	if !sTVOS {
+		return s.listenUNIX()
+	} else {
+		return s.listenTCP()
+	}
+}
+
+func (s *CommandServer) listenUNIX() error {
+	sockPath := filepath.Join(sBasePath, "command.sock")
+	os.Remove(sockPath)
 	listener, err := net.ListenUnix("unix", &net.UnixAddr{
-		Name: s.sockPath,
+		Name: sockPath,
 		Net:  "unix",
 	})
 	if err != nil {
-		return err
+		return E.Cause(err, "listen ", sockPath)
 	}
 	if sUserID > 0 {
-		err = os.Chown(s.sockPath, sUserID, sGroupID)
+		err = os.Chown(sockPath, sUserID, sGroupID)
 		if err != nil {
 			listener.Close()
-			os.Remove(s.sockPath)
-			return err
+			os.Remove(sockPath)
+			return E.Cause(err, "chown")
 		}
 	}
 	s.listener = listener
@@ -91,6 +99,16 @@ func (s *CommandServer) Start() error {
 	return nil
 }
 
+func (s *CommandServer) listenTCP() error {
+	listener, err := net.Listen("tcp", "127.0.0.1:8964")
+	if err != nil {
+		return E.Cause(err, "listen")
+	}
+	s.listener = listener
+	go s.loopConnection(listener)
+	return nil
+}
+
 func (s *CommandServer) Close() error {
 	return common.Close(
 		s.listener,
@@ -137,6 +155,16 @@ func (s *CommandServer) handleConnection(conn net.Conn) error {
 		return s.handleSelectOutbound(conn)
 	case CommandURLTest:
 		return s.handleURLTest(conn)
+	case CommandGroupExpand:
+		return s.handleSetGroupExpand(conn)
+	case CommandClashMode:
+		return s.handleModeConn(conn)
+	case CommandSetClashMode:
+		return s.handleSetClashMode(conn)
+	case CommandGetSystemProxyStatus:
+		return s.handleGetSystemProxyStatus(conn)
+	case CommandSetSystemProxyEnabled:
+		return s.handleSetSystemProxyEnabled(conn)
 	default:
 		return E.New("unknown command: ", command)
 	}

experimental/libbox/command_status.go

@@ -6,13 +6,15 @@ import (
 	"runtime"
 	"time"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/memory"
 )
 
 type StatusMessage struct {
 	Memory           int64
+	MemoryInuse      int64
 	Goroutines       int32
 	ConnectionsIn    int32
 	ConnectionsOut   int32
@@ -24,10 +26,8 @@ type StatusMessage struct {
 }
 
 func (s *CommandServer) readStatus() StatusMessage {
-	var memStats runtime.MemStats
-	runtime.ReadMemStats(&memStats)
 	var message StatusMessage
-	message.Memory = int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
+	message.Memory = int64(memory.Inuse())
 	message.Goroutines = int32(runtime.NumGoroutine())
 	message.ConnectionsOut = int32(conntrack.Count())
 

experimental/libbox/command_system_proxy.go

@@ -0,0 +1,82 @@
+package libbox
+
+import (
+	"encoding/binary"
+	"net"
+)
+
+type SystemProxyStatus struct {
+	Available bool
+	Enabled   bool
+}
+
+func (c *CommandClient) GetSystemProxyStatus() (*SystemProxyStatus, error) {
+	conn, err := c.directConnectWithRetry()
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandGetSystemProxyStatus))
+	if err != nil {
+		return nil, err
+	}
+	var status SystemProxyStatus
+	err = binary.Read(conn, binary.BigEndian, &status.Available)
+	if err != nil {
+		return nil, err
+	}
+	if status.Available {
+		err = binary.Read(conn, binary.BigEndian, &status.Enabled)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return &status, nil
+}
+
+func (s *CommandServer) handleGetSystemProxyStatus(conn net.Conn) error {
+	defer conn.Close()
+	status := s.handler.GetSystemProxyStatus()
+	err := binary.Write(conn, binary.BigEndian, status.Available)
+	if err != nil {
+		return err
+	}
+	if status.Available {
+		err = binary.Write(conn, binary.BigEndian, status.Enabled)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *CommandClient) SetSystemProxyEnabled(isEnabled bool) error {
+	conn, err := c.directConnect()
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandSetSystemProxyEnabled))
+	if err != nil {
+		return err
+	}
+	err = binary.Write(conn, binary.BigEndian, isEnabled)
+	if err != nil {
+		return err
+	}
+	return readError(conn)
+}
+
+func (s *CommandServer) handleSetSystemProxyEnabled(conn net.Conn) error {
+	defer conn.Close()
+	var isEnabled bool
+	err := binary.Read(conn, binary.BigEndian, &isEnabled)
+	if err != nil {
+		return err
+	}
+	err = s.handler.SetSystemProxyEnabled(isEnabled)
+	if err != nil {
+		return writeError(conn, err)
+	}
+	return writeError(conn, nil)
+}

experimental/libbox/dns.go

@@ -49,6 +49,9 @@ func (p *platformLocalDNSTransport) Start() error {
 	return nil
 }
 
+func (p *platformLocalDNSTransport) Reset() {
+}
+
 func (p *platformLocalDNSTransport) Close() error {
 	return nil
 }

experimental/libbox/log.go

@@ -4,6 +4,7 @@ package libbox
 
 import (
 	"os"
+	"runtime"
 
 	"golang.org/x/sys/unix"
 )
@@ -18,12 +19,14 @@ func RedirectStderr(path string) error {
 	if err != nil {
 		return err
 	}
-	if sUserID > 0 {
-		err = outputFile.Chown(sUserID, sGroupID)
-		if err != nil {
-			outputFile.Close()
-			os.Remove(outputFile.Name())
-			return err
+	if runtime.GOOS != "android" {
+		if sUserID > 0 {
+			err = outputFile.Chown(sUserID, sGroupID)
+			if err != nil {
+				outputFile.Close()
+				os.Remove(outputFile.Name())
+				return err
+			}
 		}
 	}
 	err = unix.Dup2(int(outputFile.Fd()), int(os.Stderr.Fd()))

experimental/libbox/memory.go

@@ -4,14 +4,15 @@ import (
 	"math"
 	runtimeDebug "runtime/debug"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 )
 
 func SetMemoryLimit(enabled bool) {
-	const memoryLimit = 30 * 1024 * 1024
+	const memoryLimit = 45 * 1024 * 1024
+	const memoryLimitGo = memoryLimit / 1.5
 	if enabled {
 		runtimeDebug.SetGCPercent(10)
-		runtimeDebug.SetMemoryLimit(memoryLimit)
+		runtimeDebug.SetMemoryLimit(memoryLimitGo)
 		conntrack.KillerEnabled = true
 		conntrack.MemoryLimit = memoryLimit
 	} else {

experimental/libbox/monitor.go

@@ -1,7 +1,6 @@
 package libbox
 
 import (
-	"context"
 	"net"
 	"net/netip"
 	"sync"
@@ -9,6 +8,7 @@ import (
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/x/list"
 )
@@ -20,13 +20,13 @@ var (
 
 type platformDefaultInterfaceMonitor struct {
 	*platformInterfaceWrapper
-	errorHandler          E.Handler
 	networkAddresses      []networkAddress
 	defaultInterfaceName  string
 	defaultInterfaceIndex int
 	element               *list.Element[tun.NetworkUpdateCallback]
 	access                sync.Mutex
 	callbacks             list.List[tun.DefaultInterfaceUpdateCallback]
+	logger                logger.Logger
 }
 
 type networkAddress struct {
@@ -96,7 +96,7 @@ func (m *platformDefaultInterfaceMonitor) UpdateDefaultInterface(interfaceName s
 		err = m.router.UpdateInterfaces()
 	}
 	if err != nil {
-		m.errorHandler.NewError(context.Background(), E.Cause(err, "update interfaces"))
+		m.logger.Error(E.Cause(err, "update interfaces"))
 	}
 	interfaceIndex := int(interfaceIndex32)
 	if interfaceName == "" {
@@ -115,10 +115,10 @@ func (m *platformDefaultInterfaceMonitor) UpdateDefaultInterface(interfaceName s
 		}
 	}
 	if interfaceName == "" {
-		m.errorHandler.NewError(context.Background(), E.New("invalid interface name for ", interfaceIndex))
+		m.logger.Error(E.New("invalid interface name for ", interfaceIndex))
 		return
 	} else if interfaceIndex == -1 {
-		m.errorHandler.NewError(context.Background(), E.New("invalid interface index for ", interfaceName))
+		m.logger.Error(E.New("invalid interface index for ", interfaceName))
 		return
 	}
 	if m.defaultInterfaceName == interfaceName && m.defaultInterfaceIndex == interfaceIndex {
@@ -130,10 +130,7 @@ func (m *platformDefaultInterfaceMonitor) UpdateDefaultInterface(interfaceName s
 	callbacks := m.callbacks.Array()
 	m.access.Unlock()
 	for _, callback := range callbacks {
-		err = callback(tun.EventInterfaceUpdate)
-		if err != nil {
-			m.errorHandler.NewError(context.Background(), err)
-		}
+		callback(tun.EventInterfaceUpdate)
 	}
 }
 

experimental/libbox/platform.go

@@ -19,6 +19,7 @@ type PlatformInterface interface {
 	UsePlatformInterfaceGetter() bool
 	GetInterfaces() (NetworkInterfaceIterator, error)
 	UnderNetworkExtension() bool
+	ClearDNSCache()
 }
 
 type TunInterface interface {

experimental/libbox/platform/interface.go

@@ -10,7 +10,7 @@ import (
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
-	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 )
 
 type Interface interface {
@@ -19,10 +19,11 @@ type Interface interface {
 	AutoDetectInterfaceControl() control.Func
 	OpenTun(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error)
 	UsePlatformDefaultInterfaceMonitor() bool
-	CreateDefaultInterfaceMonitor(errorHandler E.Handler) tun.DefaultInterfaceMonitor
+	CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor
 	UsePlatformInterfaceGetter() bool
 	Interfaces() ([]NetworkInterface, error)
 	UnderNetworkExtension() bool
+	ClearDNSCache()
 	process.Searcher
 	io.Writer
 }

experimental/libbox/profile_import.go

@@ -0,0 +1,249 @@
+package libbox
+
+import (
+	"bytes"
+	"compress/gzip"
+	"encoding/binary"
+	"io"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/rw"
+)
+
+func EncodeChunkedMessage(data []byte) []byte {
+	var buffer bytes.Buffer
+	binary.Write(&buffer, binary.BigEndian, uint16(len(data)))
+	buffer.Write(data)
+	return buffer.Bytes()
+}
+
+func DecodeLengthChunk(data []byte) int32 {
+	return int32(binary.BigEndian.Uint16(data))
+}
+
+const (
+	MessageTypeError = iota
+	MessageTypeProfileList
+	MessageTypeProfileContentRequest
+	MessageTypeProfileContent
+)
+
+type ErrorMessage struct {
+	Message string
+}
+
+func (e *ErrorMessage) Encode() []byte {
+	var buffer bytes.Buffer
+	buffer.WriteByte(MessageTypeError)
+	rw.WriteVString(&buffer, e.Message)
+	return buffer.Bytes()
+}
+
+func DecodeErrorMessage(data []byte) (*ErrorMessage, error) {
+	reader := bytes.NewReader(data)
+	messageType, err := rw.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+	if messageType != MessageTypeError {
+		return nil, E.New("invalid message")
+	}
+	var message ErrorMessage
+	message.Message, err = rw.ReadVString(reader)
+	if err != nil {
+		return nil, err
+	}
+	return &message, nil
+}
+
+const (
+	ProfileTypeLocal int32 = iota
+	ProfileTypeiCloud
+	ProfileTypeRemote
+)
+
+type ProfilePreview struct {
+	ProfileID int64
+	Name      string
+	Type      int32
+}
+
+type ProfilePreviewIterator interface {
+	Next() *ProfilePreview
+	HasNext() bool
+}
+
+type ProfileEncoder struct {
+	profiles []ProfilePreview
+}
+
+func (e *ProfileEncoder) Append(profile *ProfilePreview) {
+	e.profiles = append(e.profiles, *profile)
+}
+
+func (e *ProfileEncoder) Encode() []byte {
+	var buffer bytes.Buffer
+	buffer.WriteByte(MessageTypeProfileList)
+	binary.Write(&buffer, binary.BigEndian, uint16(len(e.profiles)))
+	for _, preview := range e.profiles {
+		binary.Write(&buffer, binary.BigEndian, preview.ProfileID)
+		rw.WriteVString(&buffer, preview.Name)
+		binary.Write(&buffer, binary.BigEndian, preview.Type)
+	}
+	return buffer.Bytes()
+}
+
+type ProfileDecoder struct {
+	profiles []*ProfilePreview
+}
+
+func (d *ProfileDecoder) Decode(data []byte) error {
+	reader := bytes.NewReader(data)
+	messageType, err := reader.ReadByte()
+	if err != nil {
+		return err
+	}
+	if messageType != MessageTypeProfileList {
+		return E.New("invalid message")
+	}
+	var profileCount uint16
+	err = binary.Read(reader, binary.BigEndian, &profileCount)
+	if err != nil {
+		return err
+	}
+	for i := 0; i < int(profileCount); i++ {
+		var profile ProfilePreview
+		err = binary.Read(reader, binary.BigEndian, &profile.ProfileID)
+		if err != nil {
+			return err
+		}
+		profile.Name, err = rw.ReadVString(reader)
+		if err != nil {
+			return err
+		}
+		err = binary.Read(reader, binary.BigEndian, &profile.Type)
+		if err != nil {
+			return err
+		}
+		d.profiles = append(d.profiles, &profile)
+	}
+	return nil
+}
+
+func (d *ProfileDecoder) Iterator() ProfilePreviewIterator {
+	return newIterator(d.profiles)
+}
+
+type ProfileContentRequest struct {
+	ProfileID int64
+}
+
+func (r *ProfileContentRequest) Encode() []byte {
+	var buffer bytes.Buffer
+	buffer.WriteByte(MessageTypeProfileContentRequest)
+	binary.Write(&buffer, binary.BigEndian, r.ProfileID)
+	return buffer.Bytes()
+}
+
+func DecodeProfileContentRequest(data []byte) (*ProfileContentRequest, error) {
+	reader := bytes.NewReader(data)
+	messageType, err := rw.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+	if messageType != MessageTypeProfileContentRequest {
+		return nil, E.New("invalid message")
+	}
+	var request ProfileContentRequest
+	err = binary.Read(reader, binary.BigEndian, &request.ProfileID)
+	if err != nil {
+		return nil, err
+	}
+	return &request, nil
+}
+
+type ProfileContent struct {
+	Name               string
+	Type               int32
+	Config             string
+	RemotePath         string
+	AutoUpdate         bool
+	AutoUpdateInterval int32
+	LastUpdated        int64
+}
+
+func (c *ProfileContent) Encode() []byte {
+	buffer := new(bytes.Buffer)
+	buffer.WriteByte(MessageTypeProfileContent)
+	buffer.WriteByte(1)
+	writer := gzip.NewWriter(buffer)
+	rw.WriteVString(writer, c.Name)
+	binary.Write(writer, binary.BigEndian, c.Type)
+	rw.WriteVString(writer, c.Config)
+	if c.Type != ProfileTypeLocal {
+		rw.WriteVString(writer, c.RemotePath)
+	}
+	if c.Type == ProfileTypeRemote {
+		binary.Write(writer, binary.BigEndian, c.AutoUpdate)
+		binary.Write(writer, binary.BigEndian, c.AutoUpdateInterval)
+		binary.Write(writer, binary.BigEndian, c.LastUpdated)
+	}
+	writer.Flush()
+	writer.Close()
+	return buffer.Bytes()
+}
+
+func DecodeProfileContent(data []byte) (*ProfileContent, error) {
+	var reader io.Reader = bytes.NewReader(data)
+	messageType, err := rw.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+	if messageType != MessageTypeProfileContent {
+		return nil, E.New("invalid message")
+	}
+	version, err := rw.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+	reader, err = gzip.NewReader(reader)
+	if err != nil {
+		return nil, E.Cause(err, "unsupported profile")
+	}
+	var content ProfileContent
+	content.Name, err = rw.ReadVString(reader)
+	if err != nil {
+		return nil, err
+	}
+	err = binary.Read(reader, binary.BigEndian, &content.Type)
+	if err != nil {
+		return nil, err
+	}
+	content.Config, err = rw.ReadVString(reader)
+	if err != nil {
+		return nil, err
+	}
+	if content.Type != ProfileTypeLocal {
+		content.RemotePath, err = rw.ReadVString(reader)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if content.Type == ProfileTypeRemote || (version == 0 && content.Type != ProfileTypeLocal) {
+		err = binary.Read(reader, binary.BigEndian, &content.AutoUpdate)
+		if err != nil {
+			return nil, err
+		}
+		if version >= 1 {
+			err = binary.Read(reader, binary.BigEndian, &content.AutoUpdateInterval)
+			if err != nil {
+				return nil, err
+			}
+		}
+		err = binary.Read(reader, binary.BigEndian, &content.LastUpdated)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return &content, nil
+}