documentation: Bump version

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,70 +1,77 @@
-name: Bug Report
-description: "Create a report to help us improve."
+name: Bug report
+description: "Report sing-box bug"
 body:
-  - type: checkboxes
-    id: terms
+  - type: dropdown
     attributes:
-      label: Welcome
+      label: Operating system
+      description: Operating system type
       options:
-        - label: Yes, I'm using the latest major release. Only such installations are supported.
-          required: true
-        - label: Yes, I'm using the latest Golang release. Only such installations are supported.
-          required: true
-        - label: Yes, I've searched similar issues on GitHub and didn't find any.
-          required: true
-        - label: Yes, I've included all information below (version, **FULL** config, **FULL** log, etc).
-          required: true
-
-  - type: textarea
-    id: problem
-    attributes:
-      label: Description of the problem
-      placeholder: Your problem description
+        - iOS
+        - macOS
+        - Apple tvOS
+        - Android
+        - Windows
+        - Linux
+        - Others
     validations:
       required: true
-
-  - type: textarea
-    id: version
+  - type: input
     attributes:
-      label: Version of sing-box
+      label: System version
+      description: Please provide the operating system version
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Installation type
+      description: Please provide the sing-box installation type
+      options:
+        - Original sing-box Command Line
+        - sing-box for iOS Graphical Client
+        - sing-box for macOS Graphical Client
+        - sing-box for Apple tvOS Graphical Client
+        - sing-box for Android Graphical Client
+        - Third-party graphical clients that advertise themselves as using sing-box (Windows)
+        - Third-party graphical clients that advertise themselves as using sing-box (Android)
+        - Others
+    validations:
+      required: true
+  - type: input
+    attributes:
+      description: Graphical client version
+      label: If you are using a graphical client, please provide the version of the client.
+  - type: textarea
+    attributes:
+      label: Version
+      description: If you are using the original command line program, please provide the output of the `sing-box version` command.
       value: |-
         <details>
-
         ```console
-        $ sing-box version
-        # Paste output here
+        # Replace this line with the output
         ```
-
         </details>
+  - type: textarea
+    attributes:
+      label: Description
+      description: Please provide a detailed description of the error.
     validations:
       required: true
-
   - type: textarea
-    id: config
     attributes:
-      label: Server and client configuration file
+      label: Reproduction
+      description: Please provide the steps to reproduce the error, including the configuration files and procedures that can locally (not dependent on the remote server) reproduce the error using the original command line program of sing-box.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Logs
+      description: |-
+        If you encounter a crash with the graphical client, please provide crash logs.
+        For Apple platform clients, please check `Settings - View Service Log` for crash logs.
+        For the Android client, please check the `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` file for crash logs.
       value: |-
         <details>
-
         ```console
-        # paste json here
+        # Replace this line with logs
         ```
-
-        </details>
-    validations:
-      required: true
-
-  - type: textarea
-    id: log
-    attributes:
-      label: Server and client log file
-      value: |-
-        <details>
-
-        ```console
-        # paste log here
-        ```
-
-        </details>
-    validations:
-      required: true
+        </details>

.github/ISSUE_TEMPLATE/bug_report_zh.yml

@@ -0,0 +1,77 @@
+name: 错误反馈
+description: "提交 sing-box 漏洞"
+body:
+  - type: dropdown
+    attributes:
+      label: 操作系统
+      description: 请提供操作系统类型
+      options:
+        - iOS
+        - macOS
+        - Apple tvOS
+        - Android
+        - Windows
+        - Linux
+        - 其他
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: 系统版本
+      description: 请提供操作系统版本
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: 安装类型
+      description: 请提供该 sing-box 安装类型
+      options:
+        - sing-box 原始命令行程序
+        - sing-box for iOS 图形客户端程序
+        - sing-box for macOS 图形客户端程序
+        - sing-box for Apple tvOS 图形客户端程序
+        - sing-box for Android 图形客户端程序
+        - 宣传使用 sing-box 的第三方图形客户端程序 (Windows)
+        - 宣传使用 sing-box 的第三方图形客户端程序 (Android)
+        - 其他
+    validations:
+      required: true
+  - type: input
+    attributes:
+      description: 图形客户端版本
+      label: 如果您使用图形客户端程序，请提供该程序版本。
+  - type: textarea
+    attributes:
+      label: 版本
+      description: 如果您使用原始命令行程序，请提供 `sing-box version` 命令的输出。
+      value: |-
+        <details>
+        ```console
+        # 使用输出内容覆盖此行
+        ```
+        </details>
+  - type: textarea
+    attributes:
+      label: 描述
+      description: 请提供错误的详细描述。
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: 重现方式
+      description: 请提供重现错误的步骤，必须包括可以在本地（不依赖与远程服务器）使用 sing-box 原始命令行程序重现错误的配置文件与流程。
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: 日志
+      description: |-
+        如果您遭遇图形界面应用程序崩溃，请提供崩溃日志。
+        对于 Apple 平台图形客户端程序，请检查 `Settings - View Service Log` 以导出崩溃日志。
+        对于 Android 图形客户端程序，请检查 `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` 文件以导出崩溃日志。
+      value: |-
+        <details>
+        ```console
+        # 使用日志内容覆盖此行
+        ```
+        </details>

.github/workflows/debug.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -48,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -62,7 +62,27 @@ jobs:
             ~/go/pkg/mod
           key: go118-${{ hashFiles('**/go.sum') }}
       - name: Run Test
-        run: make
+        run: make ci_build_go118
+  build_go120:
+    name: Debug build (Go 1.20)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.20.7
+      - name: Cache go module
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+          key: go118-${{ hashFiles('**/go.sum') }}
+      - name: Run Test
+        run: make ci_build
   cross:
     strategy:
       matrix:
@@ -179,7 +199,7 @@ jobs:
       TAGS: with_clash_api,with_quic
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Get latest go version

.github/workflows/docker.yml

@@ -9,20 +9,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Setup QEMU for Docker Buildx
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Docker metadata
         id: metadata
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ghcr.io/sagernet/sing-box
       - name: Get tag to build
@@ -35,7 +35,7 @@ jobs:
             echo "versioned=ghcr.io/sagernet/sing-box:${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
           fi
       - name: Build and release Docker images
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
           target: dist

.github/workflows/lint.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Get latest go version

.github/workflows/mkdocs.yml

@@ -1,20 +0,0 @@
-name: Generate Documents
-on:
-  push:
-    branches:
-      - dev
-    paths:
-      - docs/**
-      - .github/workflows/mkdocs.yml
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
-        with:
-          python-version: 3.x
-      - run: |
-          pip install mkdocs-material=="9.*" mkdocs-static-i18n=="0.53"
-      - run: |
-          mkdocs gh-deploy -m "{sha}" --force --ignore-version --no-history

.github/workflows/stale.yml

@@ -8,7 +8,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v7
+      - uses: actions/stale@v8
         with:
           stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
           days-before-stale: 60

.goreleaser.yaml

@@ -16,6 +16,7 @@ builds:
       - with_quic
       - with_dhcp
       - with_wireguard
+      - with_ech
       - with_utls
       - with_reality_server
       - with_clash_api
@@ -51,6 +52,7 @@ builds:
       - with_quic
       - with_dhcp
       - with_wireguard
+      - with_ech
       - with_utls
       - with_clash_api
     env:

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20-alpine AS builder
+FROM golang:1.21-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
@@ -9,7 +9,7 @@ RUN set -ex \
     && apk add git build-base \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
+    && go build -v -trimpath -tags with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_clash_api,with_acme \
         -o /go/bin/sing-box \
         -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
         ./cmd/sing-box

Makefile

@@ -1,23 +1,34 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
+TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
+TAGS_GO120 = with_quic,with_ech
+TAGS ?= $(TAGS_GO118),$(TAGS_GO120)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run ./cmd/internal/read_tag)
 
-PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
+MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
 
 .PHONY: test release
 
 build:
+	go build $(MAIN_PARAMS) $(MAIN)
+
+ci_build_go118:
 	go build $(PARAMS) $(MAIN)
+	go build $(PARAMS) -tags "$(TAGS_GO118)" $(MAIN)
+
+ci_build:
+	go build $(PARAMS) $(MAIN)
+	go build $(MAIN_PARAMS) $(MAIN)
 
 install:
-	go build -o $(PREFIX)/bin/$(NAME) $(PARAMS) $(MAIN)
+	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
 
 fmt:
 	@gofumpt -l -w .
@@ -47,24 +58,102 @@ proto_install:
 	go install -v google.golang.org/protobuf/cmd/protoc-gen-go@latest
 	go install -v google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
 
-snapshot:
-	go run ./cmd/internal/build goreleaser release --clean --snapshot || exit 1
-	mkdir dist/release
-	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
-	ghr --delete --draft --prerelease -p 1 nightly dist/release
-	rm -r dist
-
 release:
 	go run ./cmd/internal/build goreleaser release --clean --skip-publish || exit 1
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
-	ghr --delete --draft --prerelease -p 3 $(shell git describe --tags) dist/release
+	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
 	rm -r dist
 
 release_install:
 	go install -v github.com/goreleaser/goreleaser@latest
 	go install -v github.com/tcnksm/ghr@latest
 
+update_android_version:
+	go run ./cmd/internal/update_android_version
+
+build_android:
+	cd ../sing-box-for-android && ./gradlew :app:assembleRelease && ./gradlew --stop
+
+upload_android:
+	mkdir -p dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/release/*.apk dist/release_android
+	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
+	rm -rf dist/release_android
+
+release_android: lib_android update_android_version build_android upload_android
+
+publish_android:
+	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadRelease
+
+build_ios:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFI.xcarchive && \
+	xcodebuild archive -scheme SFI -configuration Release -archivePath build/SFI.xcarchive
+
+upload_ios_app_store:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist
+
+release_ios: build_ios upload_ios_app_store
+
+build_macos:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFM.xcarchive && \
+	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive
+
+upload_macos_app_store:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist
+
+release_macos: build_macos upload_macos_app_store
+
+build_macos_independent:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFT.System.xcarchive && \
+	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive
+
+notarize_macos_independent:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist
+
+wait_notarize_macos_independent:
+	sleep 60
+
+export_macos_independent:
+	rm -rf dist/SFM
+	mkdir -p dist/SFM
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportNotarizedApp -archivePath build/SFM.System.xcarchive -exportPath "../sing-box/dist/SFM"
+
+upload_macos_independent:
+	cd dist/SFM && \
+	rm -f *.zip && \
+	zip -ry "SFM-${VERSION}-universal.zip" SFM.app && \
+	ghr --replace --draft --prerelease "v${VERSION}" *.zip
+
+release_macos_independent: build_macos_independent notarize_macos_independent wait_notarize_macos_independent export_macos_independent upload_macos_independent
+
+build_tvos:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFT.xcarchive && \
+	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive
+
+upload_tvos_app_store:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist
+
+release_tvos: build_tvos upload_tvos_app_store
+
+update_apple_version:
+	go run ./cmd/internal/update_apple_version
+
+release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
+	rm -rf dist
+
+release_apple_beta: update_apple_version release_ios release_macos release_tvos
+	rm -rf dist
+
 test:
 	@go test -v ./... && \
 	cd test && \
@@ -77,10 +166,10 @@ test_stdio:
 	go mod tidy && \
 	go test -v -tags "$(TAGS_TEST),force_stdio" .
 
-android:
+lib_android:
 	go run ./cmd/internal/build_libbox -target android
 
-ios:
+lib_ios:
 	go run ./cmd/internal/build_libbox -target ios
 
 lib:
@@ -89,8 +178,8 @@ lib:
 
 lib_install:
 	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230701084532-493ee2e45182
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230701084532-493ee2e45182
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230915142329-c6740b6d2950
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230915142329-c6740b6d2950
 
 clean:
 	rm -rf bin dist sing-box

adapter/experimental.go

@@ -12,6 +12,7 @@ type ClashServer interface {
 	Service
 	PreStarter
 	Mode() string
+	ModeList() []string
 	StoreSelected() bool
 	StoreFakeIP() bool
 	CacheFile() ClashCacheFile
@@ -21,8 +22,12 @@ type ClashServer interface {
 }
 
 type ClashCacheFile interface {
+	LoadMode() string
+	StoreMode(mode string) error
 	LoadSelected(group string) string
 	StoreSelected(group string, selected string) error
+	LoadGroupExpand(group string) (isExpand bool, loaded bool)
+	StoreGroupExpand(group string, expand bool) error
 	FakeIPStorage
 }
 

adapter/fakeip.go

@@ -18,6 +18,7 @@ type FakeIPStore interface {
 type FakeIPStorage interface {
 	FakeIPMetadata() *FakeIPMetadata
 	FakeIPSaveMetadata(metadata *FakeIPMetadata) error
+	FakeIPSaveMetadataAsync(metadata *FakeIPMetadata)
 	FakeIPStore(address netip.Addr, domain string) error
 	FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger)
 	FakeIPLoad(address netip.Addr) (string, bool)

adapter/router.go

@@ -10,6 +10,7 @@ import (
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
 
 	mdns "github.com/miekg/dns"
 )
@@ -32,6 +33,7 @@ type Router interface {
 	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
 	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
+	ClearDNSCache()
 
 	InterfaceFinder() control.InterfaceFinder
 	UpdateInterfaces() error
@@ -44,8 +46,6 @@ type Router interface {
 	PackageManager() tun.PackageManager
 	Rules() []Rule
 
-	TimeService
-
 	ClashServer() ClashServer
 	SetClashServer(server ClashServer)
 
@@ -55,18 +55,12 @@ type Router interface {
 	ResetNetwork() error
 }
 
-type routerContextKey struct{}
-
 func ContextWithRouter(ctx context.Context, router Router) context.Context {
-	return context.WithValue(ctx, (*routerContextKey)(nil), router)
+	return service.ContextWith(ctx, router)
 }
 
 func RouterFromContext(ctx context.Context) Router {
-	metadata := ctx.Value((*routerContextKey)(nil))
-	if metadata == nil {
-		return nil
-	}
-	return metadata.(Router)
+	return service.FromContext[Router](ctx)
 }
 
 type Rule interface {
@@ -85,5 +79,5 @@ type DNSRule interface {
 }
 
 type InterfaceUpdateListener interface {
-	InterfaceUpdated() error
+	InterfaceUpdated()
 }

adapter/v2ray.go

@@ -5,7 +5,6 @@ import (
 	"net"
 
 	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -19,7 +18,6 @@ type V2RayServerTransport interface {
 type V2RayServerTransportHandler interface {
 	N.TCPConnectionHandler
 	E.Handler
-	FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error
 }
 
 type V2RayClientTransport interface {

box.go

@@ -19,6 +19,8 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/service"
+	"github.com/sagernet/sing/service/pause"
 )
 
 var _ adapter.Service = (*Box)(nil)
@@ -46,12 +48,14 @@ func New(options Options) (*Box, error) {
 	if ctx == nil {
 		ctx = context.Background()
 	}
+	ctx = service.ContextWithDefaultRegistry(ctx)
+	ctx = pause.ContextWithDefaultManager(ctx)
 	createdAt := time.Now()
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needClashAPI bool
 	var needV2RayAPI bool
-	if experimentalOptions.ClashAPI != nil && experimentalOptions.ClashAPI.ExternalController != "" {
+	if experimentalOptions.ClashAPI != nil || options.PlatformInterface != nil {
 		needClashAPI = true
 	}
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
@@ -143,7 +147,9 @@ func New(options Options) (*Box, error) {
 	preServices := make(map[string]adapter.Service)
 	postServices := make(map[string]adapter.Service)
 	if needClashAPI {
-		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), common.PtrValueOrDefault(options.Experimental.ClashAPI))
+		clashAPIOptions := common.PtrValueOrDefault(experimentalOptions.ClashAPI)
+		clashAPIOptions.ModeList = experimental.CalculateClashModeList(options.Options)
+		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), clashAPIOptions)
 		if err != nil {
 			return nil, E.Cause(err, "create clash api server")
 		}
@@ -151,7 +157,7 @@ func New(options Options) (*Box, error) {
 		preServices["clash api"] = clashServer
 	}
 	if needV2RayAPI {
-		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(options.Experimental.V2RayAPI))
+		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(experimentalOptions.V2RayAPI))
 		if err != nil {
 			return nil, E.Cause(err, "create v2ray api server")
 		}

cmd/internal/build_libbox/main.go

@@ -54,7 +54,7 @@ func init() {
 	sharedFlags = append(sharedFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
 	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
 
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api")
 	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	debugTags = append(debugTags, "debug")
 }
@@ -107,7 +107,7 @@ func buildiOS() {
 	args := []string{
 		"bind",
 		"-v",
-		"-target", "ios,iossimulator,macos",
+		"-target", "ios,iossimulator,tvos,tvossimulator,macos",
 		"-libname=box",
 	}
 	if !debugEnabled {

cmd/internal/build_shared/tag.go

@@ -1,6 +1,10 @@
 package build_shared
 
-import "github.com/sagernet/sing/common/shell"
+import (
+	"github.com/sagernet/sing-box/common/badversion"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/shell"
+)
 
 func ReadTag() (string, error) {
 	currentTag, err := shell.Exec("git", "describe", "--tags").ReadOutput()
@@ -12,5 +16,21 @@ func ReadTag() (string, error) {
 		return currentTag[1:], nil
 	}
 	shortCommit, _ := shell.Exec("git", "rev-parse", "--short", "HEAD").ReadOutput()
-	return currentTagRev[1:] + "-" + shortCommit, nil
+	version := badversion.Parse(currentTagRev[1:])
+	if version.PreReleaseIdentifier == "" {
+		version.Patch++
+	}
+	return version.String() + "-" + shortCommit, nil
+}
+
+func ReadTagVersion() (badversion.Version, error) {
+	currentTag := common.Must1(shell.Exec("git", "describe", "--tags").ReadOutput())
+	currentTagRev := common.Must1(shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput())
+	version := badversion.Parse(currentTagRev[1:])
+	if currentTagRev != currentTag {
+		if version.PreReleaseIdentifier == "" {
+			version.Patch++
+		}
+	}
+	return version, nil
 }

cmd/internal/update_android_version/main.go

@@ -0,0 +1,51 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/sagernet/sing-box/cmd/internal/build_shared"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+)
+
+func main() {
+	newVersion := common.Must1(build_shared.ReadTagVersion())
+	androidPath, err := filepath.Abs("../sing-box-for-android")
+	if err != nil {
+		log.Fatal(err)
+	}
+	common.Must(os.Chdir(androidPath))
+	localProps := common.Must1(os.ReadFile("local.properties"))
+	var propsList [][]string
+	for _, propLine := range strings.Split(string(localProps), "\n") {
+		propsList = append(propsList, strings.Split(propLine, "="))
+	}
+	for _, propPair := range propsList {
+		if propPair[0] == "VERSION_NAME" {
+			if propPair[1] == newVersion.String() {
+				log.Info("version not changed")
+				return
+			}
+			propPair[1] = newVersion.String()
+			log.Info("updated version to ", newVersion.String())
+		}
+	}
+	for _, propPair := range propsList {
+		switch propPair[0] {
+		case "VERSION_CODE":
+			versionCode := common.Must1(strconv.ParseInt(propPair[1], 10, 64))
+			propPair[1] = strconv.Itoa(int(versionCode + 1))
+			log.Info("updated version code to ", propPair[1])
+		case "RELEASE_NOTES":
+			propPair[1] = "sing-box " + newVersion.String()
+		}
+	}
+	var newProps []string
+	for _, propPair := range propsList {
+		newProps = append(newProps, strings.Join(propPair, "="))
+	}
+	common.Must(os.WriteFile("local.properties", []byte(strings.Join(newProps, "\n")), 0o644))
+}

cmd/internal/update_apple_version/main.go

@@ -0,0 +1,131 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/sagernet/sing-box/cmd/internal/build_shared"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+
+	"howett.net/plist"
+)
+
+func main() {
+	newVersion := common.Must1(build_shared.ReadTagVersion())
+	applePath, err := filepath.Abs("../sing-box-for-apple")
+	if err != nil {
+		log.Fatal(err)
+	}
+	common.Must(os.Chdir(applePath))
+	projectFile := common.Must1(os.Open("sing-box.xcodeproj/project.pbxproj"))
+	var project map[string]any
+	decoder := plist.NewDecoder(projectFile)
+	common.Must(decoder.Decode(&project))
+	objectsMap := project["objects"].(map[string]any)
+	projectContent := string(common.Must1(os.ReadFile("sing-box.xcodeproj/project.pbxproj")))
+	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
+	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
+	if updated0 || updated1 {
+		log.Info("updated version to ", newVersion.VersionString(), " (", newVersion.String(), ")")
+	}
+	var updated2 bool
+	if macProjectVersion := os.Getenv("MACOS_PROJECT_VERSION"); macProjectVersion != "" {
+		newContent, updated2 = findAndReplaceProjectVersion(objectsMap, newContent, []string{"SFM"}, macProjectVersion)
+		if updated2 {
+			log.Info("updated macos project version to ", macProjectVersion)
+		}
+	}
+	if updated0 || updated1 || updated2 {
+		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj", []byte(newContent), 0o644))
+	}
+}
+
+func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDList []string, newVersion string) (string, bool) {
+	objectKeyList := findObjectKey(objectsMap, bundleIDList)
+	var updated bool
+	for _, objectKey := range objectKeyList {
+		matchRegexp := common.Must1(regexp.Compile(objectKey + ".*= \\{"))
+		indexes := matchRegexp.FindStringIndex(projectContent)
+		if len(indexes) < 2 {
+			println(projectContent)
+			log.Fatal("failed to find object key ", objectKey, ": ", strings.Index(projectContent, objectKey))
+		}
+		indexStart := indexes[1]
+		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
+		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "MARKETING_VERSION = ") + 20
+		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
+		version := projectContent[versionStart:versionEnd]
+		if version == newVersion {
+			continue
+		}
+		updated = true
+		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
+	}
+	return projectContent, updated
+}
+
+func findAndReplaceProjectVersion(objectsMap map[string]any, projectContent string, directoryList []string, newVersion string) (string, bool) {
+	objectKeyList := findObjectKeyByDirectory(objectsMap, directoryList)
+	var updated bool
+	for _, objectKey := range objectKeyList {
+		matchRegexp := common.Must1(regexp.Compile(objectKey + ".*= \\{"))
+		indexes := matchRegexp.FindStringIndex(projectContent)
+		if len(indexes) < 2 {
+			println(projectContent)
+			log.Fatal("failed to find object key ", objectKey, ": ", strings.Index(projectContent, objectKey))
+		}
+		indexStart := indexes[1]
+		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
+		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "CURRENT_PROJECT_VERSION = ") + 26
+		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
+		version := projectContent[versionStart:versionEnd]
+		if version == newVersion {
+			continue
+		}
+		updated = true
+		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
+	}
+	return projectContent, updated
+}
+
+func findObjectKey(objectsMap map[string]any, bundleIDList []string) []string {
+	var objectKeyList []string
+	for objectKey, object := range objectsMap {
+		buildSettings := object.(map[string]any)["buildSettings"]
+		if buildSettings == nil {
+			continue
+		}
+		bundleIDObject := buildSettings.(map[string]any)["PRODUCT_BUNDLE_IDENTIFIER"]
+		if bundleIDObject == nil {
+			continue
+		}
+		if common.Contains(bundleIDList, bundleIDObject.(string)) {
+			objectKeyList = append(objectKeyList, objectKey)
+		}
+	}
+	return objectKeyList
+}
+
+func findObjectKeyByDirectory(objectsMap map[string]any, directoryList []string) []string {
+	var objectKeyList []string
+	for objectKey, object := range objectsMap {
+		buildSettings := object.(map[string]any)["buildSettings"]
+		if buildSettings == nil {
+			continue
+		}
+		infoPListFile := buildSettings.(map[string]any)["INFOPLIST_FILE"]
+		if infoPListFile == nil {
+			continue
+		}
+		for _, searchDirectory := range directoryList {
+			if strings.HasPrefix(infoPListFile.(string), searchDirectory+"/") {
+				objectKeyList = append(objectKeyList, objectKey)
+			}
+		}
+
+	}
+	return objectKeyList
+}

cmd/sing-box/cmd_generate_ech.go

@@ -0,0 +1,39 @@
+package main
+
+import (
+	"os"
+
+	"github.com/sagernet/sing-box/common/tls"
+	"github.com/sagernet/sing-box/log"
+
+	"github.com/spf13/cobra"
+)
+
+var pqSignatureSchemesEnabled bool
+
+var commandGenerateECHKeyPair = &cobra.Command{
+	Use:   "ech-keypair <plain_server_name>",
+	Short: "Generate TLS ECH key pair",
+	Args:  cobra.ExactArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateECHKeyPair(args[0])
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandGenerateECHKeyPair.Flags().BoolVar(&pqSignatureSchemesEnabled, "pq-signature-schemes-enabled", false, "Enable PQ signature schemes")
+	commandGenerate.AddCommand(commandGenerateECHKeyPair)
+}
+
+func generateECHKeyPair(serverName string) error {
+	configPem, keyPem, err := tls.ECHKeygenDefault(serverName, pqSignatureSchemesEnabled)
+	if err != nil {
+		return err
+	}
+	os.Stdout.WriteString(configPem)
+	os.Stdout.WriteString(keyPem)
+	return nil
+}

cmd/sing-box/cmd_merge.go

@@ -0,0 +1,174 @@
+package main
+
+import (
+	"bytes"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/sagernet/sing-box/common/json"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/rw"
+
+	"github.com/spf13/cobra"
+)
+
+var commandMerge = &cobra.Command{
+	Use:   "merge [output]",
+	Short: "Merge configurations",
+	Run: func(cmd *cobra.Command, args []string) {
+		err := merge(args[0])
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+	Args: cobra.ExactArgs(1),
+}
+
+func init() {
+	mainCommand.AddCommand(commandMerge)
+}
+
+func merge(outputPath string) error {
+	mergedOptions, err := readConfigAndMerge()
+	if err != nil {
+		return err
+	}
+	err = mergePathResources(&mergedOptions)
+	if err != nil {
+		return err
+	}
+	buffer := new(bytes.Buffer)
+	encoder := json.NewEncoder(buffer)
+	encoder.SetIndent("", "  ")
+	err = encoder.Encode(mergedOptions)
+	if err != nil {
+		return E.Cause(err, "encode config")
+	}
+	if existsContent, err := os.ReadFile(outputPath); err != nil {
+		if string(existsContent) == buffer.String() {
+			return nil
+		}
+	}
+	err = rw.WriteFile(outputPath, buffer.Bytes())
+	if err != nil {
+		return err
+	}
+	outputPath, _ = filepath.Abs(outputPath)
+	os.Stderr.WriteString(outputPath + "\n")
+	return nil
+}
+
+func mergePathResources(options *option.Options) error {
+	for index, inbound := range options.Inbounds {
+		switch inbound.Type {
+		case C.TypeHTTP:
+			inbound.HTTPOptions.TLS = mergeTLSInboundOptions(inbound.HTTPOptions.TLS)
+		case C.TypeMixed:
+			inbound.MixedOptions.TLS = mergeTLSInboundOptions(inbound.MixedOptions.TLS)
+		case C.TypeVMess:
+			inbound.VMessOptions.TLS = mergeTLSInboundOptions(inbound.VMessOptions.TLS)
+		case C.TypeTrojan:
+			inbound.TrojanOptions.TLS = mergeTLSInboundOptions(inbound.TrojanOptions.TLS)
+		case C.TypeNaive:
+			inbound.NaiveOptions.TLS = mergeTLSInboundOptions(inbound.NaiveOptions.TLS)
+		case C.TypeHysteria:
+			inbound.HysteriaOptions.TLS = mergeTLSInboundOptions(inbound.HysteriaOptions.TLS)
+		case C.TypeVLESS:
+			inbound.VLESSOptions.TLS = mergeTLSInboundOptions(inbound.VLESSOptions.TLS)
+		case C.TypeTUIC:
+			inbound.TUICOptions.TLS = mergeTLSInboundOptions(inbound.TUICOptions.TLS)
+		case C.TypeHysteria2:
+			inbound.Hysteria2Options.TLS = mergeTLSInboundOptions(inbound.Hysteria2Options.TLS)
+		default:
+			continue
+		}
+		options.Inbounds[index] = inbound
+	}
+	for index, outbound := range options.Outbounds {
+		switch outbound.Type {
+		case C.TypeHTTP:
+			outbound.HTTPOptions.TLS = mergeTLSOutboundOptions(outbound.HTTPOptions.TLS)
+		case C.TypeVMess:
+			outbound.VMessOptions.TLS = mergeTLSOutboundOptions(outbound.VMessOptions.TLS)
+		case C.TypeTrojan:
+			outbound.TrojanOptions.TLS = mergeTLSOutboundOptions(outbound.TrojanOptions.TLS)
+		case C.TypeHysteria:
+			outbound.HysteriaOptions.TLS = mergeTLSOutboundOptions(outbound.HysteriaOptions.TLS)
+		case C.TypeSSH:
+			outbound.SSHOptions = mergeSSHOutboundOptions(outbound.SSHOptions)
+		case C.TypeVLESS:
+			outbound.VLESSOptions.TLS = mergeTLSOutboundOptions(outbound.VLESSOptions.TLS)
+		case C.TypeTUIC:
+			outbound.TUICOptions.TLS = mergeTLSOutboundOptions(outbound.TUICOptions.TLS)
+		case C.TypeHysteria2:
+			outbound.Hysteria2Options.TLS = mergeTLSOutboundOptions(outbound.Hysteria2Options.TLS)
+		default:
+			continue
+		}
+		options.Outbounds[index] = outbound
+	}
+	return nil
+}
+
+func mergeTLSInboundOptions(options *option.InboundTLSOptions) *option.InboundTLSOptions {
+	if options == nil {
+		return nil
+	}
+	if options.CertificatePath != "" {
+		if content, err := os.ReadFile(options.CertificatePath); err == nil {
+			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
+		}
+	}
+	if options.KeyPath != "" {
+		if content, err := os.ReadFile(options.KeyPath); err == nil {
+			options.Key = trimStringArray(strings.Split(string(content), "\n"))
+		}
+	}
+	if options.ECH != nil {
+		if options.ECH.KeyPath != "" {
+			if content, err := os.ReadFile(options.ECH.KeyPath); err == nil {
+				options.ECH.Key = trimStringArray(strings.Split(string(content), "\n"))
+			}
+		}
+	}
+	return options
+}
+
+func mergeTLSOutboundOptions(options *option.OutboundTLSOptions) *option.OutboundTLSOptions {
+	if options == nil {
+		return nil
+	}
+	if options.CertificatePath != "" {
+		if content, err := os.ReadFile(options.CertificatePath); err == nil {
+			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
+		}
+	}
+	if options.ECH != nil {
+		if options.ECH.ConfigPath != "" {
+			if content, err := os.ReadFile(options.ECH.ConfigPath); err == nil {
+				options.ECH.Config = trimStringArray(strings.Split(string(content), "\n"))
+			}
+		}
+	}
+	return options
+}
+
+func mergeSSHOutboundOptions(options option.SSHOutboundOptions) option.SSHOutboundOptions {
+	if options.PrivateKeyPath != "" {
+		if content, err := os.ReadFile(os.ExpandEnv(options.PrivateKeyPath)); err == nil {
+			options.PrivateKey = trimStringArray(strings.Split(string(content), "\n"))
+		}
+	}
+	return options
+}
+
+func trimStringArray(array []string) []string {
+	return common.Filter(array, func(it string) bool {
+		return strings.TrimSpace(it) != ""
+	})
+}

cmd/sing-box/cmd_run.go

@@ -143,14 +143,16 @@ func create() (*box.Box, context.CancelFunc, error) {
 		signal.Stop(osSignals)
 		close(osSignals)
 	}()
-
+	startCtx, finishStart := context.WithCancel(context.Background())
 	go func() {
 		_, loaded := <-osSignals
 		if loaded {
 			cancel()
+			closeMonitor(startCtx)
 		}
 	}()
 	err = instance.Start()
+	finishStart()
 	if err != nil {
 		cancel()
 		return nil, nil, E.Cause(err, "start service")

common/baderror/baderror.go

@@ -1,62 +0,0 @@
-package baderror
-
-import (
-	"context"
-	"io"
-	"net"
-	"strings"
-
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-func Contains(err error, msgList ...string) bool {
-	for _, msg := range msgList {
-		if strings.Contains(err.Error(), msg) {
-			return true
-		}
-	}
-	return false
-}
-
-func WrapH2(err error) error {
-	if err == nil {
-		return nil
-	}
-	err = E.Unwrap(err)
-	if err == io.ErrUnexpectedEOF {
-		return io.EOF
-	}
-	if Contains(err, "client disconnected", "body closed by handler", "response body closed", "; CANCEL") {
-		return net.ErrClosed
-	}
-	return err
-}
-
-func WrapGRPC(err error) error {
-	// grpc uses stupid internal error types
-	if err == nil {
-		return nil
-	}
-	if Contains(err, "EOF") {
-		return io.EOF
-	}
-	if Contains(err, "Canceled") {
-		return context.Canceled
-	}
-	if Contains(err,
-		"the client connection is closing",
-		"server closed the stream without sending trailers") {
-		return net.ErrClosed
-	}
-	return err
-}
-
-func WrapQUIC(err error) error {
-	if err == nil {
-		return nil
-	}
-	if Contains(err, "canceled by local with error code 0") {
-		return net.ErrClosed
-	}
-	return err
-}

common/badtls/badtls_stub.go

@@ -5,8 +5,10 @@ package badtls
 import (
 	"crypto/tls"
 	"os"
+
+	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func Create(conn *tls.Conn) (TLSConn, error) {
+func Create(conn *tls.Conn) (aTLS.Conn, error) {
 	return nil, os.ErrInvalid
 }

common/badversion/version.go

@@ -11,6 +11,7 @@ type Version struct {
 	Major                int
 	Minor                int
 	Patch                int
+	Commit               string
 	PreReleaseIdentifier string
 	PreReleaseVersion    int
 }
@@ -37,20 +38,29 @@ func (v Version) After(anotherVersion Version) bool {
 		return false
 	}
 	if v.PreReleaseIdentifier != "" && anotherVersion.PreReleaseIdentifier != "" {
-		if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
+		if v.PreReleaseIdentifier == anotherVersion.PreReleaseIdentifier {
+			if v.PreReleaseVersion > anotherVersion.PreReleaseVersion {
+				return true
+			} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
+				return false
+			}
+		} else if v.PreReleaseIdentifier == "rc" && anotherVersion.PreReleaseIdentifier == "beta" {
+			return true
+		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "rc" {
+			return false
+		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
 			return true
 		} else if v.PreReleaseIdentifier == "alpha" && anotherVersion.PreReleaseIdentifier == "beta" {
 			return false
 		}
-		if v.PreReleaseVersion > anotherVersion.PreReleaseVersion {
-			return true
-		} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
-			return false
-		}
 	}
 	return false
 }
 
+func (v Version) VersionString() string {
+	return F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
+}
+
 func (v Version) String() string {
 	version := F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
 	if v.PreReleaseIdentifier != "" {
@@ -95,7 +105,7 @@ func Parse(versionName string) (version Version) {
 				version.PreReleaseIdentifier = "beta"
 				version.PreReleaseVersion, _ = strconv.Atoi(identifier[4:])
 			} else {
-				version.PreReleaseIdentifier = identifier
+				version.Commit = identifier
 			}
 		}
 	}

common/conntrack/conn.go

@@ -17,7 +17,7 @@ func NewConn(conn net.Conn) (net.Conn, error) {
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := killerCheck()
+		err := KillerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err

common/conntrack/killer.go

@@ -1,20 +1,20 @@
 package conntrack
 
 import (
-	"runtime"
 	runtimeDebug "runtime/debug"
 	"time"
 
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/memory"
 )
 
 var (
 	KillerEnabled   bool
-	MemoryLimit     int64
+	MemoryLimit     uint64
 	killerLastCheck time.Time
 )
 
-func killerCheck() error {
+func KillerCheck() error {
 	if !KillerEnabled {
 		return nil
 	}
@@ -23,10 +23,7 @@ func killerCheck() error {
 		return nil
 	}
 	killerLastCheck = nowTime
-	var memStats runtime.MemStats
-	runtime.ReadMemStats(&memStats)
-	inuseMemory := int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
-	if inuseMemory > MemoryLimit {
+	if memory.Total() > MemoryLimit {
 		Close()
 		go func() {
 			time.Sleep(time.Second)

common/conntrack/packet_conn.go

@@ -18,7 +18,7 @@ func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := killerCheck()
+		err := KillerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err

common/dialer/default.go

@@ -6,19 +6,18 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/tfo-go"
 )
 
 type DefaultDialer struct {
-	dialer4     tfo.Dialer
-	dialer6     tfo.Dialer
+	dialer4     tcpDialer
+	dialer6     tcpDialer
 	udpDialer4  net.Dialer
 	udpDialer6  net.Dialer
 	udpListener net.ListenConfig
@@ -26,7 +25,7 @@ type DefaultDialer struct {
 	udpAddr6    string
 }
 
-func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDialer {
+func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDialer, error) {
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
@@ -93,15 +92,29 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 		udpDialer6.LocalAddr = &net.UDPAddr{IP: bindAddr.AsSlice()}
 		udpAddr6 = M.SocksaddrFrom(bindAddr, 0).String()
 	}
+	if options.TCPMultiPath {
+		if !go121Available {
+			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
+		}
+		setMultiPathTCP(&dialer4)
+	}
+	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
+	if err != nil {
+		return nil, err
+	}
+	tcpDialer6, err := newTCPDialer(dialer6, options.TCPFastOpen)
+	if err != nil {
+		return nil, err
+	}
 	return &DefaultDialer{
-		tfo.Dialer{Dialer: dialer4, DisableTFO: !options.TCPFastOpen},
-		tfo.Dialer{Dialer: dialer6, DisableTFO: !options.TCPFastOpen},
+		tcpDialer4,
+		tcpDialer6,
 		udpDialer4,
 		udpDialer6,
 		listener,
 		udpAddr4,
 		udpAddr6,
-	}
+	}, nil
 }
 
 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {
@@ -124,10 +137,12 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 }
 
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if !destination.IsIPv6() {
-		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
-	} else {
+	if destination.IsIPv6() {
 		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
+	} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
+		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP+"4", d.udpAddr4))
+	} else {
+		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
 	}
 }
 

common/dialer/default_go1.20.go

@@ -0,0 +1,15 @@
+//go:build go1.20
+
+package dialer
+
+import (
+	"net"
+
+	"github.com/sagernet/tfo-go"
+)
+
+type tcpDialer = tfo.Dialer
+
+func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
+	return tfo.Dialer{Dialer: dialer, DisableTFO: !tfoEnabled}, nil
+}

common/dialer/default_go1.21.go

@@ -0,0 +1,11 @@
+//go:build go1.21
+
+package dialer
+
+import "net"
+
+const go121Available = true
+
+func setMultiPathTCP(dialer *net.Dialer) {
+	dialer.SetMultipathTCP(true)
+}

common/dialer/default_nongo1.20.go

@@ -0,0 +1,18 @@
+//go:build !go1.20
+
+package dialer
+
+import (
+	"net"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type tcpDialer = net.Dialer
+
+func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
+	if tfoEnabled {
+		return dialer, E.New("TCP Fast Open requires go1.20, please recompile your binary.")
+	}
+	return dialer, nil
+}

common/dialer/default_nongo1.21.go

@@ -0,0 +1,12 @@
+//go:build !go1.21
+
+package dialer
+
+import (
+	"net"
+)
+
+const go121Available = false
+
+func setMultiPathTCP(dialer *net.Dialer) {
+}

common/dialer/dialer.go

@@ -6,19 +6,35 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
+	"github.com/sagernet/sing/common"
 	N "github.com/sagernet/sing/common/network"
 )
 
-func New(router adapter.Router, options option.DialerOptions) N.Dialer {
-	var dialer N.Dialer
+func MustNew(router adapter.Router, options option.DialerOptions) N.Dialer {
+	return common.Must1(New(router, options))
+}
+
+func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error) {
+	var (
+		dialer N.Dialer
+		err    error
+	)
 	if options.Detour == "" {
-		dialer = NewDefault(router, options)
+		dialer, err = NewDefault(router, options)
+		if err != nil {
+			return nil, err
+		}
 	} else {
 		dialer = NewDetour(router, options.Detour)
 	}
 	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
-		dialer = NewResolveDialer(router, dialer, domainStrategy, time.Duration(options.FallbackDelay))
+		dialer = NewResolveDialer(
+			router,
+			dialer,
+			options.Detour == "" && !options.TCPFastOpen,
+			domainStrategy,
+			time.Duration(options.FallbackDelay))
 	}
-	return dialer
+	return dialer, nil
 }

common/dialer/resolve.go

@@ -16,14 +16,16 @@ import (
 
 type ResolveDialer struct {
 	dialer        N.Dialer
+	parallel      bool
 	router        adapter.Router
 	strategy      dns.DomainStrategy
 	fallbackDelay time.Duration
 }
 
-func NewResolveDialer(router adapter.Router, dialer N.Dialer, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
+func NewResolveDialer(router adapter.Router, dialer N.Dialer, parallel bool, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
 	return &ResolveDialer{
 		dialer,
+		parallel,
 		router,
 		strategy,
 		fallbackDelay,
@@ -48,7 +50,11 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 	if err != nil {
 		return nil, err
 	}
-	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
+	if d.parallel {
+		return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
+	} else {
+		return N.DialSerial(ctx, d.dialer, network, destination, addresses)
+	}
 }
 
 func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {

common/dialer/tfo.go

@@ -1,3 +1,5 @@
+//go:build go1.20
+
 package dialer
 
 import (
@@ -5,6 +7,7 @@ import (
 	"io"
 	"net"
 	"os"
+	"sync"
 	"time"
 
 	"github.com/sagernet/sing/common"
@@ -22,10 +25,11 @@ type slowOpenConn struct {
 	destination M.Socksaddr
 	conn        net.Conn
 	create      chan struct{}
+	access      sync.Mutex
 	err         error
 }
 
-func DialSlowContext(dialer *tfo.Dialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	if dialer.DisableTFO || N.NetworkName(network) != N.NetworkTCP {
 		switch N.NetworkName(network) {
 		case N.NetworkTCP, N.NetworkUDP:
@@ -58,15 +62,26 @@ func (c *slowOpenConn) Read(b []byte) (n int, err error) {
 }
 
 func (c *slowOpenConn) Write(b []byte) (n int, err error) {
-	if c.conn == nil {
-		c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
-		if err != nil {
-			c.err = E.Cause(err, "dial tcp fast open")
-		}
-		close(c.create)
-		return
+	if c.conn != nil {
+		return c.conn.Write(b)
 	}
-	return c.conn.Write(b)
+	c.access.Lock()
+	defer c.access.Unlock()
+	select {
+	case <-c.create:
+		if c.err != nil {
+			return 0, c.err
+		}
+		return c.conn.Write(b)
+	default:
+	}
+	c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
+	if err != nil {
+		c.conn = nil
+		c.err = E.Cause(err, "dial tcp fast open")
+	}
+	close(c.create)
+	return
 }
 
 func (c *slowOpenConn) Close() error {

common/dialer/tfo_stub.go

@@ -0,0 +1,20 @@
+//go:build !go1.20
+
+package dialer
+
+import (
+	"context"
+	"net"
+
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	switch N.NetworkName(network) {
+	case N.NetworkTCP, N.NetworkUDP:
+		return dialer.DialContext(ctx, network, destination.String())
+	default:
+		return dialer.DialContext(ctx, network, destination.AddrString())
+	}
+}

common/humanize/bytes.go

@@ -0,0 +1,158 @@
+package humanize
+
+import (
+	"fmt"
+	"math"
+	"strconv"
+	"strings"
+	"unicode"
+)
+
+// IEC Sizes.
+// kibis of bits
+const (
+	Byte = 1 << (iota * 10)
+	KiByte
+	MiByte
+	GiByte
+	TiByte
+	PiByte
+	EiByte
+)
+
+// SI Sizes.
+const (
+	IByte = 1
+	KByte = IByte * 1000
+	MByte = KByte * 1000
+	GByte = MByte * 1000
+	TByte = GByte * 1000
+	PByte = TByte * 1000
+	EByte = PByte * 1000
+)
+
+var defaultSizeTable = map[string]uint64{
+	"b":   Byte,
+	"kib": KiByte,
+	"kb":  KByte,
+	"mib": MiByte,
+	"mb":  MByte,
+	"gib": GiByte,
+	"gb":  GByte,
+	"tib": TiByte,
+	"tb":  TByte,
+	"pib": PiByte,
+	"pb":  PByte,
+	"eib": EiByte,
+	"eb":  EByte,
+	// Without suffix
+	"":   Byte,
+	"ki": KiByte,
+	"k":  KByte,
+	"mi": MiByte,
+	"m":  MByte,
+	"gi": GiByte,
+	"g":  GByte,
+	"ti": TiByte,
+	"t":  TByte,
+	"pi": PiByte,
+	"p":  PByte,
+	"ei": EiByte,
+	"e":  EByte,
+}
+
+var memorysSizeTable = map[string]uint64{
+	"b":  Byte,
+	"kb": KiByte,
+	"mb": MiByte,
+	"gb": GiByte,
+	"tb": TiByte,
+	"pb": PiByte,
+	"eb": EiByte,
+	"":   Byte,
+	"k":  KiByte,
+	"m":  MiByte,
+	"g":  GiByte,
+	"t":  TiByte,
+	"p":  PiByte,
+	"e":  EiByte,
+}
+
+var (
+	defaultSizes = []string{"B", "kB", "MB", "GB", "TB", "PB", "EB"}
+	iSizes       = []string{"B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"}
+)
+
+func Bytes(s uint64) string {
+	return humanateBytes(s, 1000, defaultSizes)
+}
+
+func MemoryBytes(s uint64) string {
+	return humanateBytes(s, 1024, defaultSizes)
+}
+
+func IBytes(s uint64) string {
+	return humanateBytes(s, 1024, iSizes)
+}
+
+func logn(n, b float64) float64 {
+	return math.Log(n) / math.Log(b)
+}
+
+func humanateBytes(s uint64, base float64, sizes []string) string {
+	if s < 10 {
+		return fmt.Sprintf("%d B", s)
+	}
+	e := math.Floor(logn(float64(s), base))
+	suffix := sizes[int(e)]
+	val := math.Floor(float64(s)/math.Pow(base, e)*10+0.5) / 10
+	f := "%.0f %s"
+	if val < 10 {
+		f = "%.1f %s"
+	}
+
+	return fmt.Sprintf(f, val, suffix)
+}
+
+func ParseBytes(s string) (uint64, error) {
+	return parseBytes0(s, defaultSizeTable)
+}
+
+func ParseMemoryBytes(s string) (uint64, error) {
+	return parseBytes0(s, memorysSizeTable)
+}
+
+func parseBytes0(s string, sizeTable map[string]uint64) (uint64, error) {
+	lastDigit := 0
+	hasComma := false
+	for _, r := range s {
+		if !(unicode.IsDigit(r) || r == '.' || r == ',') {
+			break
+		}
+		if r == ',' {
+			hasComma = true
+		}
+		lastDigit++
+	}
+
+	num := s[:lastDigit]
+	if hasComma {
+		num = strings.Replace(num, ",", "", -1)
+	}
+
+	f, err := strconv.ParseFloat(num, 64)
+	if err != nil {
+		return 0, err
+	}
+
+	extra := strings.ToLower(strings.TrimSpace(s[lastDigit:]))
+	if m, ok := sizeTable[extra]; ok {
+		f *= float64(m)
+		if f >= math.MaxUint64 {
+			return 0, fmt.Errorf("too large: %v", s)
+		}
+		return uint64(f), nil
+	}
+
+	return 0, fmt.Errorf("unhandled size name: %v", extra)
+}

common/interrupt/conn.go

@@ -0,0 +1,75 @@
+package interrupt
+
+import (
+	"net"
+
+	"github.com/sagernet/sing/common/x/list"
+)
+
+/*type GroupedConn interface {
+	MarkAsInternal()
+}
+
+func MarkAsInternal(conn any) {
+	if groupedConn, isGroupConn := common.Cast[GroupedConn](conn); isGroupConn {
+		groupedConn.MarkAsInternal()
+	}
+}*/
+
+type Conn struct {
+	net.Conn
+	group   *Group
+	element *list.Element[*groupConnItem]
+}
+
+/*func (c *Conn) MarkAsInternal() {
+	c.element.Value.internal = true
+}*/
+
+func (c *Conn) Close() error {
+	c.group.access.Lock()
+	defer c.group.access.Unlock()
+	c.group.connections.Remove(c.element)
+	return c.Conn.Close()
+}
+
+func (c *Conn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *Conn) WriterReplaceable() bool {
+	return true
+}
+
+func (c *Conn) Upstream() any {
+	return c.Conn
+}
+
+type PacketConn struct {
+	net.PacketConn
+	group   *Group
+	element *list.Element[*groupConnItem]
+}
+
+/*func (c *PacketConn) MarkAsInternal() {
+	c.element.Value.internal = true
+}*/
+
+func (c *PacketConn) Close() error {
+	c.group.access.Lock()
+	defer c.group.access.Unlock()
+	c.group.connections.Remove(c.element)
+	return c.PacketConn.Close()
+}
+
+func (c *PacketConn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *PacketConn) WriterReplaceable() bool {
+	return true
+}
+
+func (c *PacketConn) Upstream() any {
+	return c.PacketConn
+}

common/interrupt/context.go

@@ -0,0 +1,13 @@
+package interrupt
+
+import "context"
+
+type contextKeyIsExternalConnection struct{}
+
+func ContextWithIsExternalConnection(ctx context.Context) context.Context {
+	return context.WithValue(ctx, contextKeyIsExternalConnection{}, true)
+}
+
+func IsExternalConnectionFromContext(ctx context.Context) bool {
+	return ctx.Value(contextKeyIsExternalConnection{}) != nil
+}

common/interrupt/group.go

@@ -0,0 +1,52 @@
+package interrupt
+
+import (
+	"io"
+	"net"
+	"sync"
+
+	"github.com/sagernet/sing/common/x/list"
+)
+
+type Group struct {
+	access      sync.Mutex
+	connections list.List[*groupConnItem]
+}
+
+type groupConnItem struct {
+	conn       io.Closer
+	isExternal bool
+}
+
+func NewGroup() *Group {
+	return &Group{}
+}
+
+func (g *Group) NewConn(conn net.Conn, isExternal bool) net.Conn {
+	g.access.Lock()
+	defer g.access.Unlock()
+	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
+	return &Conn{Conn: conn, group: g, element: item}
+}
+
+func (g *Group) NewPacketConn(conn net.PacketConn, isExternal bool) net.PacketConn {
+	g.access.Lock()
+	defer g.access.Unlock()
+	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
+	return &PacketConn{PacketConn: conn, group: g, element: item}
+}
+
+func (g *Group) Interrupt(interruptExternalConnections bool) {
+	g.access.Lock()
+	defer g.access.Unlock()
+	var toDelete []*list.Element[*groupConnItem]
+	for element := g.connections.Front(); element != nil; element = element.Next() {
+		if !element.Value.isExternal || interruptExternalConnections {
+			element.Value.conn.Close()
+			toDelete = append(toDelete, element)
+		}
+	}
+	for _, element := range toDelete {
+		g.connections.Remove(element)
+	}
+}

common/settings/proxy_android.go

@@ -1,43 +1,73 @@
 package settings
 
 import (
+	"context"
 	"os"
 	"strings"
 
-	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )
 
-var (
-	useRish  bool
-	rishPath string
-)
+type AndroidSystemProxy struct {
+	useRish      bool
+	rishPath     string
+	serverAddr   M.Socksaddr
+	supportSOCKS bool
+	isEnabled    bool
+}
 
-func init() {
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*AndroidSystemProxy, error) {
 	userId := os.Getuid()
+	var (
+		useRish  bool
+		rishPath string
+	)
 	if userId == 0 || userId == 1000 || userId == 2000 {
 		useRish = false
 	} else {
 		rishPath, useRish = C.FindPath("rish")
+		if !useRish {
+			return nil, E.Cause(os.ErrPermission, "root or system (adb) permission is required for set system proxy")
+		}
 	}
-}
-
-func runAndroidShell(name string, args ...string) error {
-	if !useRish {
-		return shell.Exec(name, args...).Attach().Run()
-	} else {
-		return shell.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
-	}
-}
-
-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	err := runAndroidShell("settings", "put", "global", "http_proxy", F.ToString("127.0.0.1:", port))
-	if err != nil {
-		return nil, err
-	}
-	return func() error {
-		return runAndroidShell("settings", "put", "global", "http_proxy", ":0")
+	return &AndroidSystemProxy{
+		useRish:      useRish,
+		rishPath:     rishPath,
+		serverAddr:   serverAddr,
+		supportSOCKS: supportSOCKS,
 	}, nil
 }
+
+func (p *AndroidSystemProxy) IsEnabled() bool {
+	return p.isEnabled
+}
+
+func (p *AndroidSystemProxy) Enable() error {
+	err := p.runAndroidShell("settings", "put", "global", "http_proxy", p.serverAddr.String())
+	if err != nil {
+		return err
+	}
+	p.isEnabled = true
+	return nil
+}
+
+func (p *AndroidSystemProxy) Disable() error {
+	err := p.runAndroidShell("settings", "put", "global", "http_proxy", ":0")
+	if err != nil {
+		return err
+	}
+	p.isEnabled = false
+	return nil
+}
+
+func (p *AndroidSystemProxy) runAndroidShell(name string, args ...string) error {
+	if !p.useRish {
+		return shell.Exec(name, args...).Attach().Run()
+	} else {
+		return shell.Exec("sh", p.rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+	}
+}

common/settings/proxy_darwin.go

@@ -1,56 +1,56 @@
 package settings
 
 import (
+	"context"
 	"net/netip"
+	"strconv"
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
 )
 
-type systemProxy struct {
+type DarwinSystemProxy struct {
 	monitor       tun.DefaultInterfaceMonitor
 	interfaceName string
 	element       *list.Element[tun.DefaultInterfaceUpdateCallback]
-	port          uint16
-	isMixed       bool
+	serverAddr    M.Socksaddr
+	supportSOCKS  bool
+	isEnabled     bool
 }
 
-func (p *systemProxy) update(event int) error {
-	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
-	if p.interfaceName == newInterfaceName {
-		return nil
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*DarwinSystemProxy, error) {
+	interfaceMonitor := adapter.RouterFromContext(ctx).InterfaceMonitor()
+	if interfaceMonitor == nil {
+		return nil, E.New("missing interface monitor")
 	}
-	if p.interfaceName != "" {
-		_ = p.unset()
+	proxy := &DarwinSystemProxy{
+		monitor:      interfaceMonitor,
+		serverAddr:   serverAddr,
+		supportSOCKS: supportSOCKS,
 	}
-	p.interfaceName = newInterfaceName
+	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
+	return proxy, nil
+}
+
+func (p *DarwinSystemProxy) IsEnabled() bool {
+	return p.isEnabled
+}
+
+func (p *DarwinSystemProxy) Enable() error {
+	return p.update0()
+}
+
+func (p *DarwinSystemProxy) Disable() error {
 	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
 	if err != nil {
 		return err
 	}
-	if p.isMixed {
-		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
-	}
-	if err == nil {
-		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
-	}
-	if err == nil {
-		err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
-	}
-	return err
-}
-
-func (p *systemProxy) unset() error {
-	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
-	if err != nil {
-		return err
-	}
-	if p.isMixed {
+	if p.supportSOCKS {
 		err = shell.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
@@ -59,9 +59,53 @@ func (p *systemProxy) unset() error {
 	if err == nil {
 		err = shell.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
+	if err == nil {
+		p.isEnabled = false
+	}
 	return err
 }
 
+func (p *DarwinSystemProxy) update(event int) {
+	if event&tun.EventInterfaceUpdate == 0 {
+		return
+	}
+	if !p.isEnabled {
+		return
+	}
+	_ = p.update0()
+}
+
+func (p *DarwinSystemProxy) update0() error {
+	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
+	if p.interfaceName == newInterfaceName {
+		return nil
+	}
+	if p.interfaceName != "" {
+		_ = p.Disable()
+	}
+	p.interfaceName = newInterfaceName
+	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
+	if err != nil {
+		return err
+	}
+	if p.supportSOCKS {
+		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
+	}
+	if err != nil {
+		return err
+	}
+	err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
+	if err != nil {
+		return err
+	}
+	err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
+	if err != nil {
+		return err
+	}
+	p.isEnabled = true
+	return nil
+}
+
 func getInterfaceDisplayName(name string) (string, error) {
 	content, err := shell.Exec("networksetup", "-listallhardwareports").ReadOutput()
 	if err != nil {
@@ -77,24 +121,3 @@ func getInterfaceDisplayName(name string) (string, error) {
 	}
 	return "", E.New(name, " not found in networksetup -listallhardwareports")
 }
-
-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	interfaceMonitor := router.InterfaceMonitor()
-	if interfaceMonitor == nil {
-		return nil, E.New("missing interface monitor")
-	}
-	proxy := &systemProxy{
-		monitor: interfaceMonitor,
-		port:    port,
-		isMixed: isMixed,
-	}
-	err := proxy.update(tun.EventInterfaceUpdate)
-	if err != nil {
-		return nil, err
-	}
-	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
-	return func() error {
-		interfaceMonitor.UnregisterCallback(proxy.element)
-		return proxy.unset()
-	}, nil
-}

common/settings/proxy_linux.go

@@ -3,75 +3,161 @@
 package settings
 
 import (
+	"context"
 	"os"
 	"os/exec"
 	"strings"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )
 
-var (
-	hasGSettings bool
-	sudoUser     string
-)
+type LinuxSystemProxy struct {
+	hasGSettings     bool
+	hasKWriteConfig5 bool
+	sudoUser         string
+	serverAddr       M.Socksaddr
+	supportSOCKS     bool
+	isEnabled        bool
+}
 
-func init() {
-	hasGSettings = common.Error(exec.LookPath("gsettings")) == nil
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*LinuxSystemProxy, error) {
+	hasGSettings := common.Error(exec.LookPath("gsettings")) == nil
+	hasKWriteConfig5 := common.Error(exec.LookPath("kwriteconfig5")) == nil
+	var sudoUser string
 	if os.Getuid() == 0 {
 		sudoUser = os.Getenv("SUDO_USER")
 	}
+	if !hasGSettings && !hasKWriteConfig5 {
+		return nil, E.New("unsupported desktop environment")
+	}
+	return &LinuxSystemProxy{
+		hasGSettings:     hasGSettings,
+		hasKWriteConfig5: hasKWriteConfig5,
+		sudoUser:         sudoUser,
+		serverAddr:       serverAddr,
+		supportSOCKS:     supportSOCKS,
+	}, nil
 }
 
-func runAsUser(name string, args ...string) error {
+func (p *LinuxSystemProxy) IsEnabled() bool {
+	return p.isEnabled
+}
+
+func (p *LinuxSystemProxy) Enable() error {
+	if p.hasGSettings {
+		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
+		if err != nil {
+			return err
+		}
+		if p.supportSOCKS {
+			err = p.setGnomeProxy("ftp", "http", "https", "socks")
+		} else {
+			err = p.setGnomeProxy("http", "https")
+		}
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(p.supportSOCKS))
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
+		if err != nil {
+			return err
+		}
+	}
+	if p.hasKWriteConfig5 {
+		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "1")
+		if err != nil {
+			return err
+		}
+		if p.supportSOCKS {
+			err = p.setKDEProxy("ftp", "http", "https", "socks")
+		} else {
+			err = p.setKDEProxy("http", "https")
+		}
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "Authmode", "0")
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
+		if err != nil {
+			return err
+		}
+	}
+	p.isEnabled = true
+	return nil
+}
+
+func (p *LinuxSystemProxy) Disable() error {
+	if p.hasGSettings {
+		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
+		if err != nil {
+			return err
+		}
+	}
+	if p.hasKWriteConfig5 {
+		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "0")
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
+		if err != nil {
+			return err
+		}
+	}
+	p.isEnabled = false
+	return nil
+}
+
+func (p *LinuxSystemProxy) runAsUser(name string, args ...string) error {
 	if os.Getuid() != 0 {
 		return shell.Exec(name, args...).Attach().Run()
-	} else if sudoUser != "" {
-		return shell.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+	} else if p.sudoUser != "" {
+		return shell.Exec("su", "-", p.sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	} else {
 		return E.New("set system proxy: unable to set as root")
 	}
 }
 
-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	if !hasGSettings {
-		return nil, E.New("unsupported desktop environment")
-	}
-	err := runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
-	if err != nil {
-		return nil, err
-	}
-	if isMixed {
-		err = setGnomeProxy(port, "ftp", "http", "https", "socks")
-	} else {
-		err = setGnomeProxy(port, "http", "https")
-	}
-	if err != nil {
-		return nil, err
-	}
-	err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(isMixed))
-	if err != nil {
-		return nil, err
-	}
-	err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
-	if err != nil {
-		return nil, err
-	}
-	return func() error {
-		return runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
-	}, nil
-}
-
-func setGnomeProxy(port uint16, proxyTypes ...string) error {
+func (p *LinuxSystemProxy) setGnomeProxy(proxyTypes ...string) error {
 	for _, proxyType := range proxyTypes {
-		err := runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", "127.0.0.1")
+		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", p.serverAddr.AddrString())
 		if err != nil {
 			return err
 		}
-		err = runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(port))
+		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(p.serverAddr.Port))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (p *LinuxSystemProxy) setKDEProxy(proxyTypes ...string) error {
+	for _, proxyType := range proxyTypes {
+		var proxyUrl string
+		if proxyType == "socks" {
+			proxyUrl = "socks://" + p.serverAddr.String()
+		} else {
+			proxyUrl = "http://" + p.serverAddr.String()
+		}
+		err := p.runAsUser(
+			"kwriteconfig5",
+			"--file",
+			"kioslaverc",
+			"--group",
+			"Proxy Settings",
+			"--key", proxyType+"Proxy",
+			proxyUrl,
+		)
 		if err != nil {
 			return err
 		}

common/settings/proxy_stub.go

@@ -3,11 +3,12 @@
 package settings
 
 import (
+	"context"
 	"os"
 
-	"github.com/sagernet/sing-box/adapter"
+	M "github.com/sagernet/sing/common/metadata"
 )
 
-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (SystemProxy, error) {
 	return nil, os.ErrInvalid
 }

common/settings/proxy_windows.go

@@ -1,17 +1,43 @@
 package settings
 
 import (
-	"github.com/sagernet/sing-box/adapter"
-	F "github.com/sagernet/sing/common/format"
+	"context"
+
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/wininet"
 )
 
-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	err := wininet.SetSystemProxy(F.ToString("http://127.0.0.1:", port), "")
-	if err != nil {
-		return nil, err
-	}
-	return func() error {
-		return wininet.ClearSystemProxy()
+type WindowsSystemProxy struct {
+	serverAddr   M.Socksaddr
+	supportSOCKS bool
+	isEnabled    bool
+}
+
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*WindowsSystemProxy, error) {
+	return &WindowsSystemProxy{
+		serverAddr:   serverAddr,
+		supportSOCKS: supportSOCKS,
 	}, nil
 }
+
+func (p *WindowsSystemProxy) IsEnabled() bool {
+	return p.isEnabled
+}
+
+func (p *WindowsSystemProxy) Enable() error {
+	err := wininet.SetSystemProxy("http://"+p.serverAddr.String(), "")
+	if err != nil {
+		return err
+	}
+	p.isEnabled = true
+	return nil
+}
+
+func (p *WindowsSystemProxy) Disable() error {
+	err := wininet.ClearSystemProxy()
+	if err != nil {
+		return err
+	}
+	p.isEnabled = false
+	return nil
+}

common/settings/system_proxy.go

@@ -0,0 +1,7 @@
+package settings
+
+type SystemProxy interface {
+	IsEnabled() bool
+	Enable() error
+	Disable() error
+}

common/sniff/sniff.go

@@ -22,23 +22,29 @@ func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout
 	if timeout == 0 {
 		timeout = C.ReadPayloadTimeout
 	}
-	err := conn.SetReadDeadline(time.Now().Add(timeout))
-	if err != nil {
-		return nil, E.Cause(err, "set read deadline")
-	}
-	_, err = buffer.ReadOnceFrom(conn)
-	err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
-	if err != nil {
-		return nil, E.Cause(err, "read payload")
-	}
-	var metadata *adapter.InboundContext
+	deadline := time.Now().Add(timeout)
 	var errors []error
-	for _, sniffer := range sniffers {
-		metadata, err = sniffer(ctx, bytes.NewReader(buffer.Bytes()))
-		if metadata != nil {
-			return metadata, nil
+
+	for i := 0; i < 3; i++ {
+		err := conn.SetReadDeadline(deadline)
+		if err != nil {
+			return nil, E.Cause(err, "set read deadline")
+		}
+		_, err = buffer.ReadOnceFrom(conn)
+		err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
+		if err != nil {
+			if i > 0 {
+				break
+			}
+			return nil, E.Cause(err, "read payload")
+		}
+		for _, sniffer := range sniffers {
+			metadata, err := sniffer(ctx, bytes.NewReader(buffer.Bytes()))
+			if metadata != nil {
+				return metadata, nil
+			}
+			errors = append(errors, err)
 		}
-		errors = append(errors, err)
 	}
 	return nil, E.Errors(errors...)
 }

common/tls/acme.go

@@ -9,10 +9,13 @@ import (
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 
 	"github.com/caddyserver/certmagic"
+	"github.com/libdns/alidns"
+	"github.com/libdns/cloudflare"
 	"github.com/mholt/acmez/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -74,6 +77,24 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		AltTLSALPNPort:          int(options.AlternativeTLSPort),
 		Logger:                  config.Logger,
 	}
+	if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {
+		var solver certmagic.DNS01Solver
+		switch dnsOptions.Provider {
+		case C.DNSProviderAliDNS:
+			solver.DNSProvider = &alidns.Provider{
+				AccKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
+				AccKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
+				RegionID:     dnsOptions.AliDNSOptions.RegionID,
+			}
+		case C.DNSProviderCloudflare:
+			solver.DNSProvider = &cloudflare.Provider{
+				APIToken: dnsOptions.CloudflareOptions.APIToken,
+			}
+		default:
+			return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)
+		}
+		acmeConfig.DNS01Solver = &solver
+	}
 	if options.ExternalAccount != nil && options.ExternalAccount.KeyID != "" {
 		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
 	}

common/tls/client.go

@@ -13,29 +13,29 @@ import (
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func NewDialerFromOptions(router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
+func NewDialerFromOptions(ctx context.Context, router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
 	if !options.Enabled {
 		return dialer, nil
 	}
-	config, err := NewClient(router, serverAddress, options)
+	config, err := NewClient(ctx, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}
 	return NewDialer(dialer, config), nil
 }
 
-func NewClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
 	if options.ECH != nil && options.ECH.Enabled {
-		return NewECHClient(router, serverAddress, options)
+		return NewECHClient(ctx, serverAddress, options)
 	} else if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityClient(router, serverAddress, options)
+		return NewRealityClient(ctx, serverAddress, options)
 	} else if options.UTLS != nil && options.UTLS.Enabled {
-		return NewUTLSClient(router, serverAddress, options)
+		return NewUTLSClient(ctx, serverAddress, options)
 	} else {
-		return NewSTDClient(router, serverAddress, options)
+		return NewSTDClient(ctx, serverAddress, options)
 	}
 }
 

common/tls/ech_client.go

@@ -7,50 +7,53 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"net"
 	"net/netip"
 	"os"
+	"strings"
 
 	cftls "github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
 
 	mDNS "github.com/miekg/dns"
 )
 
-type ECHClientConfig struct {
+type echClientConfig struct {
 	config *cftls.Config
 }
 
-func (e *ECHClientConfig) ServerName() string {
-	return e.config.ServerName
+func (c *echClientConfig) ServerName() string {
+	return c.config.ServerName
 }
 
-func (e *ECHClientConfig) SetServerName(serverName string) {
-	e.config.ServerName = serverName
+func (c *echClientConfig) SetServerName(serverName string) {
+	c.config.ServerName = serverName
 }
 
-func (e *ECHClientConfig) NextProtos() []string {
-	return e.config.NextProtos
+func (c *echClientConfig) NextProtos() []string {
+	return c.config.NextProtos
 }
 
-func (e *ECHClientConfig) SetNextProtos(nextProto []string) {
-	e.config.NextProtos = nextProto
+func (c *echClientConfig) SetNextProtos(nextProto []string) {
+	c.config.NextProtos = nextProto
 }
 
-func (e *ECHClientConfig) Config() (*STDConfig, error) {
+func (c *echClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for ECH")
 }
 
-func (e *ECHClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Client(conn, e.config)}, nil
+func (c *echClientConfig) Client(conn net.Conn) (Conn, error) {
+	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
 }
 
-func (e *ECHClientConfig) Clone() Config {
-	return &ECHClientConfig{
-		config: e.config.Clone(),
+func (c *echClientConfig) Clone() Config {
+	return &echClientConfig{
+		config: c.config.Clone(),
 	}
 }
 
@@ -80,7 +83,7 @@ func (c *echConnWrapper) Upstream() any {
 	return c.Conn
 }
 
-func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -94,7 +97,7 @@ func NewECHClient(router adapter.Router, serverAddress string, options option.Ou
 	}
 
 	var tlsConfig cftls.Config
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -146,8 +149,8 @@ func NewECHClient(router adapter.Router, serverAddress string, options option.Ou
 		}
 	}
 	var certificate []byte
-	if options.Certificate != "" {
-		certificate = []byte(options.Certificate)
+	if len(options.Certificate) > 0 {
+		certificate = []byte(strings.Join(options.Certificate, "\n"))
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {
@@ -168,24 +171,36 @@ func NewECHClient(router adapter.Router, serverAddress string, options option.Ou
 	tlsConfig.ECHEnabled = true
 	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
 	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
-	if options.ECH.Config != "" {
-		clientConfigContent, err := base64.StdEncoding.DecodeString(options.ECH.Config)
+
+	var echConfig []byte
+	if len(options.ECH.Config) > 0 {
+		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
+	} else if options.ECH.ConfigPath != "" {
+		content, err := os.ReadFile(options.ECH.ConfigPath)
 		if err != nil {
-			return nil, err
+			return nil, E.Cause(err, "read ECH config")
 		}
-		clientConfig, err := cftls.UnmarshalECHConfigs(clientConfigContent)
-		if err != nil {
-			return nil, err
-		}
-		tlsConfig.ClientECHConfigs = clientConfig
-	} else {
-		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(router)
+		echConfig = content
 	}
-	return &ECHClientConfig{&tlsConfig}, nil
+
+	if len(echConfig) > 0 {
+		block, rest := pem.Decode(echConfig)
+		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
+			return nil, E.New("invalid ECH configs pem")
+		}
+		echConfigs, err := cftls.UnmarshalECHConfigs(block.Bytes)
+		if err != nil {
+			return nil, E.Cause(err, "parse ECH configs")
+		}
+		tlsConfig.ClientECHConfigs = echConfigs
+	} else {
+		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(ctx)
+	}
+	return &echClientConfig{&tlsConfig}, nil
 }
 
-func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
-	return func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
+func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
+	return func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
@@ -198,7 +213,7 @@ func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serve
 				},
 			},
 		}
-		response, err := router.Exchange(ctx, message)
+		response, err := adapter.RouterFromContext(ctx).Exchange(ctx, message)
 		if err != nil {
 			return nil, err
 		}

common/tls/ech_keygen.go

@@ -0,0 +1,169 @@
+//go:build with_ech
+
+package tls
+
+import (
+	"bytes"
+	"encoding/binary"
+	"encoding/pem"
+
+	cftls "github.com/sagernet/cloudflare-tls"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"github.com/cloudflare/circl/hpke"
+	"github.com/cloudflare/circl/kem"
+)
+
+func ECHKeygenDefault(serverName string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
+	cipherSuites := []echCipherSuite{
+		{
+			kdf:  hpke.KDF_HKDF_SHA256,
+			aead: hpke.AEAD_AES128GCM,
+		}, {
+			kdf:  hpke.KDF_HKDF_SHA256,
+			aead: hpke.AEAD_ChaCha20Poly1305,
+		},
+	}
+
+	keyConfig := []myECHKeyConfig{
+		{id: 0, kem: hpke.KEM_X25519_HKDF_SHA256},
+	}
+	if pqSignatureSchemesEnabled {
+		keyConfig = append(keyConfig, myECHKeyConfig{id: 1, kem: hpke.KEM_X25519_KYBER768_DRAFT00})
+	}
+
+	keyPairs, err := echKeygen(0xfe0d, serverName, keyConfig, cipherSuites)
+	if err != nil {
+		return
+	}
+
+	var configBuffer bytes.Buffer
+	var totalLen uint16
+	for _, keyPair := range keyPairs {
+		totalLen += uint16(len(keyPair.rawConf))
+	}
+	binary.Write(&configBuffer, binary.BigEndian, totalLen)
+	for _, keyPair := range keyPairs {
+		configBuffer.Write(keyPair.rawConf)
+	}
+
+	var keyBuffer bytes.Buffer
+	for _, keyPair := range keyPairs {
+		keyBuffer.Write(keyPair.rawKey)
+	}
+
+	configPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH CONFIGS", Bytes: configBuffer.Bytes()}))
+	keyPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH KEYS", Bytes: keyBuffer.Bytes()}))
+	return
+}
+
+type echKeyConfigPair struct {
+	id      uint8
+	key     cftls.EXP_ECHKey
+	rawKey  []byte
+	conf    myECHKeyConfig
+	rawConf []byte
+}
+
+type echCipherSuite struct {
+	kdf  hpke.KDF
+	aead hpke.AEAD
+}
+
+type myECHKeyConfig struct {
+	id   uint8
+	kem  hpke.KEM
+	seed []byte
+}
+
+func echKeygen(version uint16, serverName string, conf []myECHKeyConfig, suite []echCipherSuite) ([]echKeyConfigPair, error) {
+	be := binary.BigEndian
+	// prepare for future update
+	if version != 0xfe0d {
+		return nil, E.New("unsupported ECH version", version)
+	}
+
+	suiteBuf := make([]byte, 0, len(suite)*4+2)
+	suiteBuf = be.AppendUint16(suiteBuf, uint16(len(suite))*4)
+	for _, s := range suite {
+		if !s.kdf.IsValid() || !s.aead.IsValid() {
+			return nil, E.New("invalid HPKE cipher suite")
+		}
+		suiteBuf = be.AppendUint16(suiteBuf, uint16(s.kdf))
+		suiteBuf = be.AppendUint16(suiteBuf, uint16(s.aead))
+	}
+
+	pairs := []echKeyConfigPair{}
+	for _, c := range conf {
+		pair := echKeyConfigPair{}
+		pair.id = c.id
+		pair.conf = c
+
+		if !c.kem.IsValid() {
+			return nil, E.New("invalid HPKE KEM")
+		}
+
+		kpGenerator := c.kem.Scheme().GenerateKeyPair
+		if len(c.seed) > 0 {
+			kpGenerator = func() (kem.PublicKey, kem.PrivateKey, error) {
+				pub, sec := c.kem.Scheme().DeriveKeyPair(c.seed)
+				return pub, sec, nil
+			}
+			if len(c.seed) < c.kem.Scheme().PrivateKeySize() {
+				return nil, E.New("HPKE KEM seed too short")
+			}
+		}
+
+		pub, sec, err := kpGenerator()
+		if err != nil {
+			return nil, E.Cause(err, "generate ECH config key pair")
+		}
+		b := []byte{}
+		b = be.AppendUint16(b, version)
+		b = be.AppendUint16(b, 0) // length field
+		// contents
+		// key config
+		b = append(b, c.id)
+		b = be.AppendUint16(b, uint16(c.kem))
+		pubBuf, err := pub.MarshalBinary()
+		if err != nil {
+			return nil, E.Cause(err, "serialize ECH public key")
+		}
+		b = be.AppendUint16(b, uint16(len(pubBuf)))
+		b = append(b, pubBuf...)
+
+		b = append(b, suiteBuf...)
+		// end key config
+		// max name len, not supported
+		b = append(b, 0)
+		// server name
+		b = append(b, byte(len(serverName)))
+		b = append(b, []byte(serverName)...)
+		// extensions, not supported
+		b = be.AppendUint16(b, 0)
+
+		be.PutUint16(b[2:], uint16(len(b)-4))
+
+		pair.rawConf = b
+
+		secBuf, err := sec.MarshalBinary()
+		sk := []byte{}
+		sk = be.AppendUint16(sk, uint16(len(secBuf)))
+		sk = append(sk, secBuf...)
+		sk = be.AppendUint16(sk, uint16(len(b)))
+		sk = append(sk, b...)
+
+		cfECHKeys, err := cftls.EXP_UnmarshalECHKeys(sk)
+		if err != nil {
+			return nil, E.Cause(err, "bug: can't parse generated ECH server key")
+		}
+		if len(cfECHKeys) != 1 {
+			return nil, E.New("bug: unexpected server key count")
+		}
+		pair.key = cfECHKeys[0]
+		pair.rawKey = sk
+
+		pairs = append(pairs, pair)
+	}
+	return pairs, nil
+}

common/tls/ech_quic.go

@@ -0,0 +1,56 @@
+//go:build with_quic && with_ech
+
+package tls
+
+import (
+	"context"
+	"net"
+	"net/http"
+
+	"github.com/sagernet/cloudflare-tls"
+	"github.com/sagernet/quic-go/ech"
+	"github.com/sagernet/quic-go/http3_ech"
+	"github.com/sagernet/sing-quic"
+	M "github.com/sagernet/sing/common/metadata"
+)
+
+var (
+	_ qtls.Config       = (*echClientConfig)(nil)
+	_ qtls.ServerConfig = (*echServerConfig)(nil)
+)
+
+func (c *echClientConfig) Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.Connection, error) {
+	return quic.Dial(ctx, conn, addr, c.config, config)
+}
+
+func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.EarlyConnection, error) {
+	return quic.DialEarly(ctx, conn, addr, c.config, config)
+}
+
+func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config, enableDatagrams bool) http.RoundTripper {
+	return &http3.RoundTripper{
+		TLSClientConfig: c.config,
+		QuicConfig:      quicConfig,
+		EnableDatagrams: enableDatagrams,
+		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
+			if err != nil {
+				return nil, err
+			}
+			*quicConnPtr = quicConn
+			return quicConn, nil
+		},
+	}
+}
+
+func (c *echServerConfig) Listen(conn net.PacketConn, config *quic.Config) (qtls.Listener, error) {
+	return quic.Listen(conn, c.config, config)
+}
+
+func (c *echServerConfig) ListenEarly(conn net.PacketConn, config *quic.Config) (qtls.EarlyListener, error) {
+	return quic.ListenEarly(conn, c.config, config)
+}
+
+func (c *echServerConfig) ConfigureHTTP3() {
+	http3.ConfigureTLSConfig(c.config)
+}

common/tls/ech_server.go

@@ -0,0 +1,343 @@
+//go:build with_ech
+
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/pem"
+	"net"
+	"os"
+	"strings"
+
+	cftls "github.com/sagernet/cloudflare-tls"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
+
+	"github.com/fsnotify/fsnotify"
+)
+
+type echServerConfig struct {
+	config          *cftls.Config
+	logger          log.Logger
+	certificate     []byte
+	key             []byte
+	certificatePath string
+	keyPath         string
+	watcher         *fsnotify.Watcher
+	echKeyPath      string
+	echWatcher      *fsnotify.Watcher
+}
+
+func (c *echServerConfig) ServerName() string {
+	return c.config.ServerName
+}
+
+func (c *echServerConfig) SetServerName(serverName string) {
+	c.config.ServerName = serverName
+}
+
+func (c *echServerConfig) NextProtos() []string {
+	return c.config.NextProtos
+}
+
+func (c *echServerConfig) SetNextProtos(nextProto []string) {
+	c.config.NextProtos = nextProto
+}
+
+func (c *echServerConfig) Config() (*STDConfig, error) {
+	return nil, E.New("unsupported usage for ECH")
+}
+
+func (c *echServerConfig) Client(conn net.Conn) (Conn, error) {
+	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
+}
+
+func (c *echServerConfig) Server(conn net.Conn) (Conn, error) {
+	return &echConnWrapper{cftls.Server(conn, c.config)}, nil
+}
+
+func (c *echServerConfig) Clone() Config {
+	return &echServerConfig{
+		config: c.config.Clone(),
+	}
+}
+
+func (c *echServerConfig) Start() error {
+	if c.certificatePath != "" && c.keyPath != "" {
+		err := c.startWatcher()
+		if err != nil {
+			c.logger.Warn("create fsnotify watcher: ", err)
+		}
+	}
+	if c.echKeyPath != "" {
+		err := c.startECHWatcher()
+		if err != nil {
+			c.logger.Warn("create fsnotify watcher: ", err)
+		}
+	}
+	return nil
+}
+
+func (c *echServerConfig) startWatcher() error {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return err
+	}
+	if c.certificatePath != "" {
+		err = watcher.Add(c.certificatePath)
+		if err != nil {
+			return err
+		}
+	}
+	if c.keyPath != "" {
+		err = watcher.Add(c.keyPath)
+		if err != nil {
+			return err
+		}
+	}
+	c.watcher = watcher
+	go c.loopUpdate()
+	return nil
+}
+
+func (c *echServerConfig) loopUpdate() {
+	for {
+		select {
+		case event, ok := <-c.watcher.Events:
+			if !ok {
+				return
+			}
+			if event.Op&fsnotify.Write != fsnotify.Write {
+				continue
+			}
+			err := c.reloadKeyPair()
+			if err != nil {
+				c.logger.Error(E.Cause(err, "reload TLS key pair"))
+			}
+		case err, ok := <-c.watcher.Errors:
+			if !ok {
+				return
+			}
+			c.logger.Error(E.Cause(err, "fsnotify error"))
+		}
+	}
+}
+
+func (c *echServerConfig) reloadKeyPair() error {
+	if c.certificatePath != "" {
+		certificate, err := os.ReadFile(c.certificatePath)
+		if err != nil {
+			return E.Cause(err, "reload certificate from ", c.certificatePath)
+		}
+		c.certificate = certificate
+	}
+	if c.keyPath != "" {
+		key, err := os.ReadFile(c.keyPath)
+		if err != nil {
+			return E.Cause(err, "reload key from ", c.keyPath)
+		}
+		c.key = key
+	}
+	keyPair, err := cftls.X509KeyPair(c.certificate, c.key)
+	if err != nil {
+		return E.Cause(err, "reload key pair")
+	}
+	c.config.Certificates = []cftls.Certificate{keyPair}
+	c.logger.Info("reloaded TLS certificate")
+	return nil
+}
+
+func (c *echServerConfig) startECHWatcher() error {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return err
+	}
+	err = watcher.Add(c.echKeyPath)
+	if err != nil {
+		return err
+	}
+	c.echWatcher = watcher
+	go c.loopECHUpdate()
+	return nil
+}
+
+func (c *echServerConfig) loopECHUpdate() {
+	for {
+		select {
+		case event, ok := <-c.echWatcher.Events:
+			if !ok {
+				return
+			}
+			if event.Op&fsnotify.Write != fsnotify.Write {
+				continue
+			}
+			err := c.reloadECHKey()
+			if err != nil {
+				c.logger.Error(E.Cause(err, "reload ECH key"))
+			}
+		case err, ok := <-c.echWatcher.Errors:
+			if !ok {
+				return
+			}
+			c.logger.Error(E.Cause(err, "fsnotify error"))
+		}
+	}
+}
+
+func (c *echServerConfig) reloadECHKey() error {
+	echKeyContent, err := os.ReadFile(c.echKeyPath)
+	if err != nil {
+		return err
+	}
+	block, rest := pem.Decode(echKeyContent)
+	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
+		return E.New("invalid ECH keys pem")
+	}
+	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
+	if err != nil {
+		return E.Cause(err, "parse ECH keys")
+	}
+	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
+	if err != nil {
+		return E.Cause(err, "create ECH key set")
+	}
+	c.config.ServerECHProvider = echKeySet
+	c.logger.Info("reloaded ECH keys")
+	return nil
+}
+
+func (c *echServerConfig) Close() error {
+	var err error
+	if c.watcher != nil {
+		err = E.Append(err, c.watcher.Close(), func(err error) error {
+			return E.Cause(err, "close certificate watcher")
+		})
+	}
+	if c.echWatcher != nil {
+		err = E.Append(err, c.echWatcher.Close(), func(err error) error {
+			return E.Cause(err, "close ECH key watcher")
+		})
+	}
+	return err
+}
+
+func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+	if !options.Enabled {
+		return nil, nil
+	}
+	var tlsConfig cftls.Config
+	if options.ACME != nil && len(options.ACME.Domain) > 0 {
+		return nil, E.New("acme is unavailable in ech")
+	}
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	if options.ServerName != "" {
+		tlsConfig.ServerName = options.ServerName
+	}
+	if len(options.ALPN) > 0 {
+		tlsConfig.NextProtos = append(options.ALPN, tlsConfig.NextProtos...)
+	}
+	if options.MinVersion != "" {
+		minVersion, err := ParseTLSVersion(options.MinVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse min_version")
+		}
+		tlsConfig.MinVersion = minVersion
+	}
+	if options.MaxVersion != "" {
+		maxVersion, err := ParseTLSVersion(options.MaxVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse max_version")
+		}
+		tlsConfig.MaxVersion = maxVersion
+	}
+	if options.CipherSuites != nil {
+	find:
+		for _, cipherSuite := range options.CipherSuites {
+			for _, tlsCipherSuite := range tls.CipherSuites() {
+				if cipherSuite == tlsCipherSuite.Name {
+					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
+					continue find
+				}
+			}
+			return nil, E.New("unknown cipher_suite: ", cipherSuite)
+		}
+	}
+	var certificate []byte
+	var key []byte
+	if len(options.Certificate) > 0 {
+		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	} else if options.CertificatePath != "" {
+		content, err := os.ReadFile(options.CertificatePath)
+		if err != nil {
+			return nil, E.Cause(err, "read certificate")
+		}
+		certificate = content
+	}
+	if len(options.Key) > 0 {
+		key = []byte(strings.Join(options.Key, "\n"))
+	} else if options.KeyPath != "" {
+		content, err := os.ReadFile(options.KeyPath)
+		if err != nil {
+			return nil, E.Cause(err, "read key")
+		}
+		key = content
+	}
+
+	if certificate == nil {
+		return nil, E.New("missing certificate")
+	} else if key == nil {
+		return nil, E.New("missing key")
+	}
+
+	keyPair, err := cftls.X509KeyPair(certificate, key)
+	if err != nil {
+		return nil, E.Cause(err, "parse x509 key pair")
+	}
+	tlsConfig.Certificates = []cftls.Certificate{keyPair}
+
+	var echKey []byte
+	if len(options.ECH.Key) > 0 {
+		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
+	} else if options.KeyPath != "" {
+		content, err := os.ReadFile(options.ECH.KeyPath)
+		if err != nil {
+			return nil, E.Cause(err, "read ECH key")
+		}
+		echKey = content
+	} else {
+		return nil, E.New("missing ECH key")
+	}
+
+	block, rest := pem.Decode(echKey)
+	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
+		return nil, E.New("invalid ECH keys pem")
+	}
+
+	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
+	if err != nil {
+		return nil, E.Cause(err, "parse ECH keys")
+	}
+
+	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
+	if err != nil {
+		return nil, E.Cause(err, "create ECH key set")
+	}
+
+	tlsConfig.ECHEnabled = true
+	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
+	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
+	tlsConfig.ServerECHProvider = echKeySet
+
+	return &echServerConfig{
+		config:          &tlsConfig,
+		logger:          logger,
+		certificate:     certificate,
+		key:             key,
+		certificatePath: options.CertificatePath,
+		keyPath:         options.KeyPath,
+		echKeyPath:      options.ECH.KeyPath,
+	}, nil
+}

common/tls/ech_stub.go

@@ -3,11 +3,23 @@
 package tls
 
 import (
-	"github.com/sagernet/sing-box/adapter"
+	"context"
+
+	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return nil, E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
+var errECHNotIncluded = E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
+
+func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+	return nil, errECHNotIncluded
+}
+
+func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	return nil, errECHNotIncluded
+}
+
+func ECHKeygenDefault(host string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
+	return "", "", errECHNotIncluded
 }

common/tls/reality_client.go

@@ -26,7 +26,6 @@ import (
 	"time"
 	"unsafe"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -45,12 +44,12 @@ type RealityClientConfig struct {
 	shortID   [8]byte
 }
 
-func NewRealityClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
+func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
 	if options.UTLS == nil || !options.UTLS.Enabled {
 		return nil, E.New("uTLS is required by reality client")
 	}
 
-	uClient, err := NewUTLSClient(router, serverAddress, options)
+	uClient, err := NewUTLSClient(ctx, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}

common/tls/reality_server.go

@@ -19,6 +19,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
 )
 
 var _ ServerConfigCompat = (*RealityServerConfig)(nil)
@@ -27,13 +28,13 @@ type RealityServerConfig struct {
 	config *reality.Config
 }
 
-func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
+func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
 	var tlsConfig reality.Config
 
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		return nil, E.New("acme is unavailable in reality")
 	}
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.ServerName != "" {
 		tlsConfig.ServerName = options.ServerName
 	}
@@ -66,10 +67,10 @@ func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Log
 			return nil, E.New("unknown cipher_suite: ", cipherSuite)
 		}
 	}
-	if options.Certificate != "" || options.CertificatePath != "" {
+	if len(options.Certificate) > 0 || options.CertificatePath != "" {
 		return nil, E.New("certificate is unavailable in reality")
 	}
-	if options.Key != "" || options.KeyPath != "" {
+	if len(options.Key) > 0 || options.KeyPath != "" {
 		return nil, E.New("key is unavailable in reality")
 	}
 
@@ -101,7 +102,10 @@ func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Log
 		tlsConfig.ShortIds[shortID] = true
 	}
 
-	handshakeDialer := dialer.New(router, options.Reality.Handshake.DialerOptions)
+	handshakeDialer, err := dialer.New(adapter.RouterFromContext(ctx), options.Reality.Handshake.DialerOptions)
+	if err != nil {
+		return nil, err
+	}
 	tlsConfig.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
 		return handshakeDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 	}

common/tls/reality_stub.go

@@ -5,12 +5,11 @@ package tls
 import (
 	"context"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	return nil, E.New(`reality server is not included in this build, rebuild with -tags with_reality_server`)
 }

common/tls/server.go

@@ -4,21 +4,22 @@ import (
 	"context"
 	"net"
 
-	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func NewServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
-	if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityServer(ctx, router, logger, options)
+	if options.ECH != nil && options.ECH.Enabled {
+		return NewECHServer(ctx, logger, options)
+	} else if options.Reality != nil && options.Reality.Enabled {
+		return NewRealityServer(ctx, logger, options)
 	} else {
-		return NewSTDServer(ctx, router, logger, options)
+		return NewSTDServer(ctx, logger, options)
 	}
 }
 

common/tls/std_client.go

@@ -1,15 +1,17 @@
 package tls
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"net"
 	"net/netip"
 	"os"
+	"strings"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
 )
 
 type STDClientConfig struct {
@@ -44,7 +46,7 @@ func (s *STDClientConfig) Clone() Config {
 	return &STDClientConfig{s.config.Clone()}
 }
 
-func NewSTDClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewSTDClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -58,7 +60,7 @@ func NewSTDClient(router adapter.Router, serverAddress string, options option.Ou
 	}
 
 	var tlsConfig tls.Config
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -110,8 +112,8 @@ func NewSTDClient(router adapter.Router, serverAddress string, options option.Ou
 		}
 	}
 	var certificate []byte
-	if options.Certificate != "" {
-		certificate = []byte(options.Certificate)
+	if len(options.Certificate) > 0 {
+		certificate = []byte(strings.Join(options.Certificate, "\n"))
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {

common/tls/std_server.go

@@ -5,12 +5,14 @@ import (
 	"crypto/tls"
 	"net"
 	"os"
+	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
 
 	"github.com/fsnotify/fsnotify"
 )
@@ -156,7 +158,7 @@ func (c *STDServerConfig) Close() error {
 	return nil
 }
 
-func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewSTDServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
@@ -164,8 +166,8 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 	var acmeService adapter.Service
 	var err error
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
-		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
 		//nolint:staticcheck
+		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
 		if err != nil {
 			return nil, err
 		}
@@ -175,7 +177,7 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 	} else {
 		tlsConfig = &tls.Config{}
 	}
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.ServerName != "" {
 		tlsConfig.ServerName = options.ServerName
 	}
@@ -211,8 +213,8 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 	var certificate []byte
 	var key []byte
 	if acmeService == nil {
-		if options.Certificate != "" {
-			certificate = []byte(options.Certificate)
+		if len(options.Certificate) > 0 {
+			certificate = []byte(strings.Join(options.Certificate, "\n"))
 		} else if options.CertificatePath != "" {
 			content, err := os.ReadFile(options.CertificatePath)
 			if err != nil {
@@ -220,8 +222,8 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 			}
 			certificate = content
 		}
-		if options.Key != "" {
-			key = []byte(options.Key)
+		if len(options.Key) > 0 {
+			key = []byte(strings.Join(options.Key, "\n"))
 		} else if options.KeyPath != "" {
 			content, err := os.ReadFile(options.KeyPath)
 			if err != nil {
@@ -231,7 +233,7 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 		}
 		if certificate == nil && key == nil && options.Insecure {
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateKeyPair(router.TimeFunc(), info.ServerName)
+				return GenerateKeyPair(ntp.TimeFuncFromContext(ctx), info.ServerName)
 			}
 		} else {
 			if certificate == nil {

common/tls/utls_client.go

@@ -10,10 +10,11 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"strings"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
 	utls "github.com/sagernet/utls"
 
 	"golang.org/x/net/http2"
@@ -113,7 +114,7 @@ func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
 	return c.UConn.HandshakeContext(ctx)
 }
 
-func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
+func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -127,7 +128,7 @@ func NewUTLSClient(router adapter.Router, serverAddress string, options option.O
 	}
 
 	var tlsConfig utls.Config
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -168,8 +169,8 @@ func NewUTLSClient(router adapter.Router, serverAddress string, options option.O
 		}
 	}
 	var certificate []byte
-	if options.Certificate != "" {
-		certificate = []byte(options.Certificate)
+	if len(options.Certificate) > 0 {
+		certificate = []byte(strings.Join(options.Certificate, "\n"))
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {

common/tls/utls_stub.go

@@ -3,15 +3,16 @@
 package tls
 
 import (
-	"github.com/sagernet/sing-box/adapter"
+	"context"
+
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS is not included in this build, rebuild with -tags with_utls`)
 }
 
-func NewRealityClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS, which is required by reality client is not included in this build, rebuild with -tags with_utls`)
 }

common/urltest/urltest.go

@@ -8,9 +8,9 @@ import (
 	"sync"
 	"time"
 
+	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/x/list"
 )
 
 type History struct {
@@ -21,7 +21,7 @@ type History struct {
 type HistoryStorage struct {
 	access       sync.RWMutex
 	delayHistory map[string]*History
-	callbacks    list.List[func()]
+	updateHook   chan<- struct{}
 }
 
 func NewHistoryStorage() *HistoryStorage {
@@ -30,16 +30,8 @@ func NewHistoryStorage() *HistoryStorage {
 	}
 }
 
-func (s *HistoryStorage) AddListener(listener func()) *list.Element[func()] {
-	s.access.Lock()
-	defer s.access.Unlock()
-	return s.callbacks.PushBack(listener)
-}
-
-func (s *HistoryStorage) RemoveListener(element *list.Element[func()]) {
-	s.access.Lock()
-	defer s.access.Unlock()
-	s.callbacks.Remove(element)
+func (s *HistoryStorage) SetHook(hook chan<- struct{}) {
+	s.updateHook = hook
 }
 
 func (s *HistoryStorage) LoadURLTestHistory(tag string) *History {
@@ -66,13 +58,20 @@ func (s *HistoryStorage) StoreURLTestHistory(tag string, history *History) {
 }
 
 func (s *HistoryStorage) notifyUpdated() {
-	s.access.RLock()
-	defer s.access.RUnlock()
-	for element := s.callbacks.Front(); element != nil; element = element.Next() {
-		element.Value()
+	updateHook := s.updateHook
+	if updateHook != nil {
+		select {
+		case updateHook <- struct{}{}:
+		default:
+		}
 	}
 }
 
+func (s *HistoryStorage) Close() error {
+	s.updateHook = nil
+	return nil
+}
+
 func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err error) {
 	if link == "" {
 		link = "https://www.gstatic.com/generate_204"
@@ -98,33 +97,25 @@ func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err e
 		return
 	}
 	defer instance.Close()
-
+	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](instance); isEarlyConn && earlyConn.NeedHandshake() {
+		start = time.Now()
+	}
 	req, err := http.NewRequest(http.MethodHead, link, nil)
 	if err != nil {
 		return
 	}
-	req = req.WithContext(ctx)
-
-	transport := &http.Transport{
-		Dial: func(string, string) (net.Conn, error) {
-			return instance, nil
-		},
-		// from http.DefaultTransport
-		MaxIdleConns:          100,
-		IdleConnTimeout:       90 * time.Second,
-		TLSHandshakeTimeout:   10 * time.Second,
-		ExpectContinueTimeout: 1 * time.Second,
-	}
-
 	client := http.Client{
-		Transport: transport,
+		Transport: &http.Transport{
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return instance, nil
+			},
+		},
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
 	}
 	defer client.CloseIdleConnections()
-
-	resp, err := client.Do(req)
+	resp, err := client.Do(req.WithContext(ctx))
 	if err != nil {
 		return
 	}

constant/dns.go

@@ -0,0 +1,6 @@
+package constant
+
+const (
+	DNSProviderAliDNS     = "alidns"
+	DNSProviderCloudflare = "cloudflare"
+)

constant/proxy.go

@@ -7,7 +7,7 @@ const (
 	TypeDirect       = "direct"
 	TypeBlock        = "block"
 	TypeDNS          = "dns"
-	TypeSocks        = "socks"
+	TypeSOCKS        = "socks"
 	TypeHTTP         = "http"
 	TypeMixed        = "mixed"
 	TypeShadowsocks  = "shadowsocks"
@@ -21,9 +21,58 @@ const (
 	TypeShadowTLS    = "shadowtls"
 	TypeShadowsocksR = "shadowsocksr"
 	TypeVLESS        = "vless"
+	TypeTUIC         = "tuic"
+	TypeHysteria2    = "hysteria2"
 )
 
 const (
 	TypeSelector = "selector"
 	TypeURLTest  = "urltest"
 )
+
+func ProxyDisplayName(proxyType string) string {
+	switch proxyType {
+	case TypeDirect:
+		return "Direct"
+	case TypeBlock:
+		return "Block"
+	case TypeDNS:
+		return "DNS"
+	case TypeSOCKS:
+		return "SOCKS"
+	case TypeHTTP:
+		return "HTTP"
+	case TypeShadowsocks:
+		return "Shadowsocks"
+	case TypeVMess:
+		return "VMess"
+	case TypeTrojan:
+		return "Trojan"
+	case TypeNaive:
+		return "Naive"
+	case TypeWireGuard:
+		return "WireGuard"
+	case TypeHysteria:
+		return "Hysteria"
+	case TypeTor:
+		return "Tor"
+	case TypeSSH:
+		return "SSH"
+	case TypeShadowTLS:
+		return "ShadowTLS"
+	case TypeShadowsocksR:
+		return "ShadowsocksR"
+	case TypeVLESS:
+		return "VLESS"
+	case TypeTUIC:
+		return "TUIC"
+	case TypeHysteria2:
+		return "Hysteria2"
+	case TypeSelector:
+		return "Selector"
+	case TypeURLTest:
+		return "URLTest"
+	default:
+		return "Unknown"
+	}
+}

debug_go118.go

@@ -5,7 +5,7 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -28,7 +28,7 @@ func applyDebugOptions(options option.DebugOptions) {
 	}
 	if options.MemoryLimit != 0 {
 		// debug.SetMemoryLimit(int64(options.MemoryLimit))
-		conntrack.MemoryLimit = int64(options.MemoryLimit)
+		conntrack.MemoryLimit = uint64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller

debug_go119.go

@@ -5,7 +5,7 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -27,8 +27,8 @@ func applyDebugOptions(options option.DebugOptions) {
 		debug.SetTraceback(options.TraceBack)
 	}
 	if options.MemoryLimit != 0 {
-		debug.SetMemoryLimit(int64(options.MemoryLimit))
-		conntrack.MemoryLimit = int64(options.MemoryLimit)
+		debug.SetMemoryLimit(int64(float64(options.MemoryLimit) / 1.5))
+		conntrack.MemoryLimit = uint64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller

debug_http.go

@@ -7,12 +7,12 @@ import (
 	"runtime/debug"
 
 	"github.com/sagernet/sing-box/common/badjson"
+	"github.com/sagernet/sing-box/common/humanize"
 	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 
-	"github.com/dustin/go-humanize"
 	"github.com/go-chi/chi/v5"
 )
 
@@ -37,9 +37,9 @@ func applyDebugListenOption(options option.DebugOptions) {
 			runtime.ReadMemStats(&memStats)
 
 			var memObject badjson.JSONObject
-			memObject.Put("heap", humanize.IBytes(memStats.HeapInuse))
-			memObject.Put("stack", humanize.IBytes(memStats.StackInuse))
-			memObject.Put("idle", humanize.IBytes(memStats.HeapIdle-memStats.HeapReleased))
+			memObject.Put("heap", humanize.MemoryBytes(memStats.HeapInuse))
+			memObject.Put("stack", humanize.MemoryBytes(memStats.StackInuse))
+			memObject.Put("idle", humanize.MemoryBytes(memStats.HeapIdle-memStats.HeapReleased))
 			memObject.Put("goroutines", runtime.NumGoroutine())
 			memObject.Put("rss", rusageMaxRSS())
 

docs/changelog.md

@@ -1,8 +1,321 @@
+#### 1.5.2
+
+* Our [Apple tvOS client](/installation/clients/sft) is now available in the App Store 🍎
+* Fixes and improvements
+
+#### 1.5.1
+
+* Fixes and improvements
+
+#### 1.5.0
+
+* Fixes and improvements
+
+Important changes since 1.4:
+
+* Add TLS [ECH server](/configuration/shared/tls) support
+* Improve TLS TCH client configuration
+* Add TLS ECH key pair generator **1**
+* Add TLS ECH support for QUIC based protocols **2**
+* Add KDE support for the `set_system_proxy` option in HTTP inbound
+* Add Hysteria2 protocol support **3**
+* Add `interrupt_exist_connections` option for `Selector` and `URLTest` outbounds **4**
+* Add DNS01 challenge support for ACME TLS certificate issuer **5**
+* Add `merge` command **6**
+* Mark [Deprecated Features](/deprecated)
+
+**1**:
+
+Command: `sing-box generate ech-keypair <plain_server_name> [--pq-signature-schemes-enabled]`
+
+**2**:
+
+All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria[/2]`, `TUIC` and `V2ray QUIC transport`.
+
+**3**:
+
+See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
+
+For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)
+
+**4**:
+
+Interrupt existing connections when the selected outbound has changed.
+
+Only inbound connections are affected by this setting, internal connections will always be interrupted.
+
+**5**:
+
+Only `Alibaba Cloud DNS` and `Cloudflare` are supported, see [ACME Fields](/configuration/shared/tls#acme-fields)
+and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
+
+**6**:
+
+This command also parses path resources that appear in the configuration file and replaces them with embedded
+configuration, such as TLS certificates or SSH private keys.
+
+#### 1.5.0-rc.6
+
+* Fixes and improvements
+
+#### 1.4.6
+
+* Fixes and improvements
+
+#### 1.5.0-rc.5
+
+* Fixed an improper authentication vulnerability in the SOCKS5 inbound
+* Fixes and improvements
+
+**Security Advisory**
+
+This update fixes an improper authentication vulnerability in the sing-box SOCKS inbound. This vulnerability allows an
+attacker to craft special requests to bypass user authentication. All users exposing SOCKS servers with user
+authentication in an insecure environment are advised to update immediately.
+
+此更新修复了 sing-box SOCKS 入站中的一个不正确身份验证漏洞。 该漏洞允许攻击者制作特殊请求来绕过用户身份验证。建议所有将使用用户认证的
+SOCKS 服务器暴露在不安全环境下的用户立更新。
+
+#### 1.4.5
+
+* Fixed an improper authentication vulnerability in the SOCKS5 inbound
+* Fixes and improvements
+
+**Security Advisory**
+
+This update fixes an improper authentication vulnerability in the sing-box SOCKS inbound. This vulnerability allows an
+attacker to craft special requests to bypass user authentication. All users exposing SOCKS servers with user
+authentication in an insecure environment are advised to update immediately.
+
+此更新修复了 sing-box SOCKS 入站中的一个不正确身份验证漏洞。 该漏洞允许攻击者制作特殊请求来绕过用户身份验证。建议所有将使用用户认证的
+SOCKS 服务器暴露在不安全环境下的用户立更新。
+
+#### 1.5.0-rc.3
+
+* Fixes and improvements
+
+#### 1.5.0-beta.12
+
+* Add `merge` command **1**
+* Fixes and improvements
+
+**1**:
+
+This command also parses path resources that appear in the configuration file and replaces them with embedded
+configuration, such as TLS certificates or SSH private keys.
+
+```
+Merge configurations
+
+Usage:
+  sing-box merge [output] [flags]
+
+Flags:
+  -h, --help   help for merge
+
+Global Flags:
+  -c, --config stringArray             set configuration file path
+  -C, --config-directory stringArray   set configuration directory path
+  -D, --directory string               set working directory
+      --disable-color                  disable color output
+```
+
+#### 1.5.0-beta.11
+
+* Add DNS01 challenge support for ACME TLS certificate issuer **1**
+* Fixes and improvements
+
+**1**:
+
+Only `Alibaba Cloud DNS` and `Cloudflare` are supported,
+see [ACME Fields](/configuration/shared/tls#acme-fields)
+and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
+
+#### 1.5.0-beta.10
+
+* Add `interrupt_exist_connections` option for `Selector` and `URLTest` outbounds **1**
+* Fixes and improvements
+
+**1**:
+
+Interrupt existing connections when the selected outbound has changed.
+
+Only inbound connections are affected by this setting, internal connections will always be interrupted.
+
+#### 1.4.3
+
+* Fixes and improvements
+
+#### 1.5.0-beta.8
+
+* Fixes and improvements
+
+#### 1.4.2
+
+* Fixes and improvements
+
+#### 1.5.0-beta.6
+
+* Fix compatibility issues with official Hysteria2 server and client
+* Fixes and improvements
+* Mark [deprecated features](/deprecated)
+
+#### 1.5.0-beta.3
+
+* Fixes and improvements
+* Updated Hysteria2 documentation **1**
+
+**1**:
+
+Added notes indicating compatibility issues with the official
+Hysteria2 server and client when using `fastOpen=false` or UDP MTU >= 1200.
+
+#### 1.5.0-beta.2
+
+* Add hysteria2 protocol support **1**
+* Fixes and improvements
+
+**1**:
+
+See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
+
+For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)
+
+#### 1.5.0-beta.1
+
+* Add TLS [ECH server](/configuration/shared/tls) support
+* Improve TLS TCH client configuration
+* Add TLS ECH key pair generator **1**
+* Add TLS ECH support for QUIC based protocols **2**
+* Add KDE support for the `set_system_proxy` option in HTTP inbound
+
+**1**:
+
+Command: `sing-box generate ech-keypair <plain_server_name> [--pq-signature-schemes-enabled]`
+
+**2**:
+
+All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria`, `TUIC` and `V2ray QUIC transport`.
+
+#### 1.4.1
+
+* Fixes and improvements
+
+#### 1.4.0
+
+* Fix bugs and update dependencies
+
+Important changes since 1.3:
+
+* Add TUIC support **1**
+* Add `udp_over_stream` option for TUIC client **2**
+* Add MultiPath TCP support **3**
+* Add `include_interface` and `exclude_interface` options for tun inbound
+* Pause recurring tasks when no network or device idle
+* Improve Android and Apple platform clients
+
+*1*:
+
+See [TUIC inbound](/configuration/inbound/tuic)
+and [TUIC outbound](/configuration/outbound/tuic)
+
+**2**:
+
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
+another program compatible with the protocol as a server.
+
+This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP
+traffic (basically QUIC streams).
+
+*3*:
+
+Requires sing-box to be compiled with Go 1.21.
+
+#### 1.4.0-rc.3
+
+* Fixes and improvements
+
+#### 1.4.0-rc.2
+
+* Fixes and improvements
+
+#### 1.4.0-rc.1
+
+* Fix TUIC UDP
+
+#### 1.4.0-beta.6
+
+* Add `udp_over_stream` option for TUIC client **1**
+* Add `include_interface` and `exclude_interface` options for tun inbound
+* Fixes and improvements
+
+**1**:
+
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
+another program compatible with the protocol as a server.
+
+This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP
+traffic (basically QUIC streams).
+
+#### 1.4.0-beta.5
+
+* Fixes and improvements
+
+#### 1.4.0-beta.4
+
+* Graphical clients: Persistence group expansion state
+* Fixes and improvements
+
+#### 1.4.0-beta.3
+
+* Fixes and improvements
+
+#### 1.4.0-beta.2
+
+* Add MultiPath TCP support **1**
+* Drop QUIC support for Go 1.18 and 1.19 due to upstream changes
+* Fixes and improvements
+
+*1*:
+
+Requires sing-box to be compiled with Go 1.21.
+
+#### 1.4.0-beta.1
+
+* Add TUIC support **1**
+* Pause recurring tasks when no network or device idle
+* Fixes and improvements
+
+*1*:
+
+See [TUIC inbound](/configuration/inbound/tuic)
+and [TUIC outbound](/configuration/outbound/tuic)
+
+#### 1.3.6
+
+* Fixes and improvements
+
+#### 1.3.5
+
+* Fixes and improvements
+* Introducing our [Apple tvOS](/installation/clients/sft) client applications **1**
+* Add per app proxy and app installed/updated trigger support for Android client
+* Add profile sharing support for Android/iOS/macOS clients
+
+**1**:
+
+Due to the requirement of tvOS 17, the app cannot be submitted to the App Store for the time being, and can only be
+downloaded through TestFlight.
+
 #### 1.3.4
 
 * Fixes and improvements
-* We're now on the [App Store](https://apps.apple.com/us/app/sing-box/id6451272673), always free! It should be noted that due to stricter and slower review, the release of Store versions will be delayed.
-* We've made a standalone version of the macOS client (the original Application Extension relies on App Store distribution), which you can download as SFM-version-universal.zip in the release artifacts.
+* We're now on the [App Store](https://apps.apple.com/us/app/sing-box/id6451272673), always free! It should be noted
+  that due to stricter and slower review, the release of Store versions will be delayed.
+* We've made a standalone version of the macOS client (the original Application Extension relies on App Store
+  distribution), which you can download as SFM-version-universal.zip in the release artifacts.
 
 #### 1.3.3
 

docs/configuration/experimental/index.md

@@ -12,7 +12,9 @@
       "external_ui_download_detour": "",
       "secret": "",
       "default_mode": "",
+      "store_mode": false,
       "store_selected": false,
+      "store_fakeip": false,
       "cache_file": "",
       "cache_id": ""
     },
@@ -76,10 +78,14 @@ ALWAYS set a secret if RESTful API is listening on 0.0.0.0
 
 #### default_mode
 
-Default mode in clash, `rule` will be used if empty.
+Default mode in clash, `Rule` will be used if empty.
 
 This setting has no direct effect, but can be used in routing and DNS rules via the `clash_mode` rule item.
 
+#### store_mode
+
+Store Clash mode in cache file.
+
 #### store_selected
 
 !!! note ""
@@ -88,6 +94,10 @@ This setting has no direct effect, but can be used in routing and DNS rules via
 
 Store selected outbound for the `Selector` outbound in cache file.
 
+#### store_fakeip
+
+Store fakeip in cache file.
+
 #### cache_file
 
 Cache file path, `cache.db` will be used if empty.

docs/configuration/experimental/index.zh.md

@@ -12,7 +12,9 @@
       "external_ui_download_detour": "",
       "secret": "",
       "default_mode": "",
+      "store_mode": false,
       "store_selected": false,
+      "store_fakeip": false,
       "cache_file": "",
       "cache_id": ""
     },
@@ -74,10 +76,14 @@ RESTful API 的密钥（可选）
 
 #### default_mode
 
-Clash 中的默认模式，默认使用 `rule`。
+Clash 中的默认模式，默认使用 `Rule`。
 
 此设置没有直接影响，但可以通过 `clash_mode` 规则项在路由和 DNS 规则中使用。
 
+#### store_mode
+
+将 Clash 模式存储在缓存文件中。
+
 #### store_selected
 
 !!! note ""
@@ -86,6 +92,10 @@ Clash 中的默认模式，默认使用 `rule`。
 
 将 `Selector` 中出站的选定的目标出站存储在缓存文件中。
 
+#### store_fakeip
+
+将 fakeip 存储在缓存文件中。
+
 #### cache_file
 
 缓存文件路径，默认使用`cache.db`。

docs/configuration/inbound/hysteria2.md

@@ -0,0 +1,85 @@
+### Structure
+
+```json
+{
+  "type": "hysteria2",
+  "tag": "hy2-in",
+  
+  ... // Listen Fields
+
+  "up_mbps": 100,
+  "down_mbps": 100,
+  "obfs": {
+    "type": "salamander",
+    "password": "cry_me_a_r1ver"
+  },
+  "users": [
+    {
+      "name": "tobyxdd",
+      "password": "goofy_ahh_password"
+    }
+  ],
+  "ignore_client_bandwidth": false,
+  "masquerade": "",
+  "tls": {}
+}
+```
+
+!!! warning ""
+
+    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
+
+### Listen Fields
+
+See [Listen Fields](/configuration/shared/listen) for details.
+
+### Fields
+
+#### up_mbps, down_mbps
+
+Max bandwidth, in Mbps.
+
+Not limited if empty.
+
+Conflict with `ignore_client_bandwidth`.
+
+#### obfs.type
+
+QUIC traffic obfuscator type, only available with `salamander`.
+
+Disabled if empty.
+
+#### obfs.password
+
+QUIC traffic obfuscator password.
+
+#### users
+
+Hysteria2 users
+
+#### users.password
+
+Authentication password
+
+#### ignore_client_bandwidth
+
+Commands the client to use the BBR flow control algorithm instead of Hysteria CC.
+
+Conflict with `up_mbps` and `down_mbps`.
+
+#### masquerade
+
+HTTP3 server behavior when authentication fails.
+
+| Scheme       | Example                 | Description        |
+|--------------|-------------------------|--------------------|
+| `file`       | `file:///var/www`       | As a file server   |
+| `http/https` | `http://127.0.0.1:8080` | As a reverse proxy |
+
+A 404 page will be returned if empty.
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

docs/configuration/inbound/hysteria2.zh.md

@@ -0,0 +1,83 @@
+### 结构
+
+```json
+{
+  "type": "hysteria2",
+  "tag": "hy2-in",
+  
+  ... // 监听字段
+
+  "up_mbps": 100,
+  "down_mbps": 100,
+  "obfs": {
+    "type": "salamander",
+    "password": "cry_me_a_r1ver"
+  },
+  "users": [
+    {
+      "name": "tobyxdd",
+      "password": "goofy_ahh_password"
+    }
+  ],
+  "ignore_client_bandwidth": false,
+  "masquerade": "",
+  "tls": {}
+}
+```
+
+!!! warning ""
+
+    默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/)。
+
+### 字段
+
+#### up_mbps, down_mbps
+
+支持的速率，默认不限制。
+
+与 `ignore_client_bandwidth` 冲突。
+
+#### obfs.type
+
+QUIC 流量混淆器类型，仅可设为 `salamander`。
+
+如果为空则禁用。
+
+#### obfs.password
+
+QUIC 流量混淆器密码.
+
+#### users
+
+Hysteria 用户
+
+#### users.password
+
+认证密码。
+
+#### ignore_client_bandwidth
+
+命令客户端使用 BBR 流量控制算法而不是 Hysteria CC。
+
+与 `up_mbps` 和 `down_mbps` 冲突。
+
+#### masquerade
+
+HTTP3 服务器认证失败时的行为。
+
+| Scheme       | 示例                      | 描述      |
+|--------------|-------------------------|---------|
+| `file`       | `file:///var/www`       | 作为文件服务器 |
+| `http/https` | `http://127.0.0.1:8080` | 作为反向代理  |
+
+如果为空，则返回 404 页。
+
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/index.md

@@ -27,6 +27,8 @@
 | `naive`       | [Naive](./naive)             | X          |
 | `hysteria`    | [Hysteria](./hysteria)       | X          |
 | `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP        |
+| `tuic`        | [TUIC](./tuic)               | X          |
+| `hysteria2`   | [Hysteria2](./hysteria2)     | X          |
 | `vless`       | [VLESS](./vless)             | TCP        |
 | `tun`         | [Tun](./tun)                 | X          |
 | `redirect`    | [Redirect](./redirect)       | X          |

docs/configuration/inbound/index.zh.md

@@ -26,6 +26,10 @@
 | `trojan`      | [Trojan](./trojan)           | TCP  |
 | `naive`       | [Naive](./naive)             | X    |
 | `hysteria`    | [Hysteria](./hysteria)       | X    |
+| `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP  |
+| `tuic`        | [TUIC](./tuic)               | X    |
+| `hysteria2`   | [Hysteria2](./hysteria2)     | X    |
+| `vless`       | [VLESS](./vless)             | TCP  |
 | `tun`         | [Tun](./tun)                 | X    |
 | `redirect`    | [Redirect](./redirect)       | X    |
 | `tproxy`      | [TProxy](./tproxy)           | X    |

docs/configuration/inbound/tuic.md

@@ -0,0 +1,82 @@
+### Structure
+
+```json
+{
+  "type": "tuic",
+  "tag": "tuic-in",
+  
+  ... // Listen Fields
+
+  "users": [
+    {
+      "name": "sekai",
+      "uuid": "059032A9-7D40-4A96-9BB1-36823D848068",
+      "password": "hello"
+    }
+  ],
+  "congestion_control": "cubic",
+  "auth_timeout": "3s",
+  "zero_rtt_handshake": false,
+  "heartbeat": "10s",
+  "tls": {}
+}
+```
+
+!!! warning ""
+
+    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
+
+### Listen Fields
+
+See [Listen Fields](/configuration/shared/listen) for details.
+
+### Fields
+
+#### users
+
+TUIC users
+
+#### users.uuid
+
+==Required==
+
+TUIC user uuid
+
+#### users.password
+
+TUIC user password
+
+#### congestion_control
+
+QUIC congestion control algorithm
+
+One of: `cubic`, `new_reno`, `bbr`
+
+`cubic` is used by default.
+
+#### auth_timeout
+
+How long the server should wait for the client to send the authentication command
+
+`3s` is used by default.
+
+#### zero_rtt_handshake
+
+Enable 0-RTT QUIC connection handshake on the client side  
+This is not impacting much on the performance, as the protocol is fully multiplexed  
+
+!!! warning ""
+    Disabling this is highly recommended, as it is vulnerable to replay attacks.
+    See [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
+
+#### heartbeat
+
+Interval for sending heartbeat packets for keeping the connection alive
+
+`10s` is used by default.
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

docs/configuration/inbound/tuic.zh.md

@@ -0,0 +1,82 @@
+### 结构
+
+```json
+{
+  "type": "tuic",
+  "tag": "tuic-in",
+
+  ... // 监听字段
+
+  "users": [
+    {
+      "name": "sekai",
+      "uuid": "059032A9-7D40-4A96-9BB1-36823D848068",
+      "password": "hello"
+    }
+  ],
+  "congestion_control": "cubic",
+  "auth_timeout": "3s",
+  "zero_rtt_handshake": false,
+  "heartbeat": "10s",
+  "tls": {}
+}
+```
+
+!!! warning ""
+
+    默认安装不包含被 TUI 依赖的 QUIC，参阅 [安装](/zh/#_2)。
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/)。
+
+### 字段
+
+#### users
+
+TUIC 用户
+
+#### users.uuid
+
+==必填==
+
+TUIC 用户 UUID
+
+#### users.password
+
+TUIC 用户密码
+
+#### congestion_control
+
+QUIC 流量控制算法
+
+可选值: `cubic`, `new_reno`, `bbr`
+
+默认使用 `cubic`。
+
+#### auth_timeout
+
+服务器等待客户端发送认证命令的时间
+
+默认使用 `3s`。
+
+#### zero_rtt_handshake
+
+在客户端启用 0-RTT QUIC 连接握手
+这对性能影响不大，因为协议是完全复用的
+
+!!! warning ""
+强烈建议禁用此功能，因为它容易受到重放攻击。
+请参阅 [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
+
+#### heartbeat
+
+发送心跳包以保持连接存活的时间间隔
+
+默认使用 `10s`。
+
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/tun.md

@@ -24,6 +24,12 @@
   ],
   "endpoint_independent_nat": false,
   "stack": "system",
+  "include_interface": [
+    "lan0"
+  ],
+  "exclude_interface": [
+    "lan1"
+  ],
   "include_uid": [
     0
   ],
@@ -142,16 +148,33 @@ UDP NAT expiration time in seconds, default is 300 (5 minutes).
 
 TCP/IP stack.
 
-| Stack            | Description                                                                      | Status            |
-|------------------|----------------------------------------------------------------------------------|-------------------|
-| system (default) | Sometimes better performance                                                     | recommended       |
-| gVisor           | Better compatibility, based on [google/gvisor](https://github.com/google/gvisor) | recommended       |
-| LWIP             | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks)   | upstream archived |
+| Stack  | Description                                                                      | Status            |
+|--------|----------------------------------------------------------------------------------|-------------------|
+| system | Sometimes better performance                                                     | recommended       |
+| gVisor | Better compatibility, based on [google/gvisor](https://github.com/google/gvisor) | recommended       |
+| mixed  | Mixed `system` TCP stack and `gVisor` UDP stack                                  | recommended       |
+| LWIP   | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks)   | upstream archived |
 
 !!! warning ""
 
     gVisor and LWIP stacks is not included by default, see [Installation](/#installation).
 
+#### include_interface
+
+!!! error ""
+
+    Interface rules are only supported on Linux and require auto_route.
+
+Limit interfaces in route. Not limited by default.
+
+Conflict with `exclude_interface`.
+
+#### exclude_interface
+
+Exclude interfaces in route.
+
+Conflict with `include_interface`.
+
 #### include_uid
 
 !!! error ""

docs/configuration/inbound/tun.zh.md

@@ -24,6 +24,12 @@
   ],
   "endpoint_independent_nat": false,
   "stack": "system",
+  "include_interface": [
+    "lan0"
+  ],
+  "exclude_interface": [
+    "lan1"
+  ],
   "include_uid": [
     0
   ],
@@ -149,6 +155,22 @@ TCP/IP 栈。
 
     默认安装不包含 gVisor 和 LWIP 栈，请参阅 [安装](/zh/#_2)。
 
+#### include_interface
+
+!!! error ""
+
+    接口规则仅在 Linux 下被支持，并且需要 `auto_route`。
+
+限制被路由的接口。默认不限制。
+
+与 `exclude_interface` 冲突。
+
+#### exclude_interface
+
+排除路由的接口。
+
+与 `include_interface` 冲突。
+
 #### include_uid
 
 !!! error ""

docs/configuration/index.md

@@ -31,11 +31,17 @@ sing-box uses JSON for configuration files.
 ### Check
 
 ```bash
-$ sing-box check
+sing-box check
 ```
 
 ### Format
 
 ```bash
-$ sing-box format -w
+sing-box format -w -c config.json -D config_directory
+```
+
+### Merge
+
+```bash
+sing-box merge output.json -c config.json -D config_directory
 ```

docs/configuration/index.zh.md

@@ -29,11 +29,17 @@ sing-box 使用 JSON 作为配置文件格式。
 ### 检查
 
 ```bash
-$ sing-box check
+sing-box check
 ```
 
 ### 格式化
 
 ```bash
-$ sing-box format -w
+sing-box format -w -c config.json -D config_directory
+```
+
+### 合并
+
+```bash
+sing-box merge output.json -c config.json -D config_directory
 ```

docs/configuration/outbound/hysteria.md

@@ -97,12 +97,6 @@ Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 (IPv4)
 
 Force enabled on for systems other than Linux and Windows (according to upstream).
 
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
-
 #### network
 
 Enabled network
@@ -111,6 +105,12 @@ One of `tcp` `udp`.
 
 Both is enabled by default.
 
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
+
 ### Dial Fields
 
 See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/hysteria.zh.md

@@ -97,10 +97,6 @@ base64 编码的认证密码。
 
 强制为 Linux 和 Windows 以外的系统启用（根据上游）。
 
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
-
 #### network
 
 启用的网络协议。
@@ -109,6 +105,13 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 默认所有。
 
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
+
 ### 拨号字段
 
 参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/configuration/outbound/hysteria2.md

@@ -0,0 +1,78 @@
+### Structure
+
+```json
+{
+  "type": "hysteria2",
+  "tag": "hy2-out",
+  
+  "server": "127.0.0.1",
+  "server_port": 1080,
+  "up_mbps": 100,
+  "down_mbps": 100,
+  "obfs": {
+    "type": "salamander",
+    "password": "cry_me_a_r1ver"
+  },
+  "password": "goofy_ahh_password",
+  "network": "tcp",
+  "tls": {},
+  
+  ... // Dial Fields
+}
+```
+
+!!! warning ""
+
+    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
+
+### Fields
+
+#### server
+
+==Required==
+
+The server address.
+
+#### server_port
+
+==Required==
+
+The server port.
+
+#### up_mbps, down_mbps
+
+Max bandwidth, in Mbps.
+
+If empty, the BBR congestion control algorithm will be used instead of Hysteria CC.
+
+#### obfs.type
+
+QUIC traffic obfuscator type, only available with `salamander`.
+
+Disabled if empty.
+
+#### obfs.password
+
+QUIC traffic obfuscator password.
+
+#### password
+
+Authentication password.
+
+#### network
+
+Enabled network
+
+One of `tcp` `udp`.
+
+Both is enabled by default.
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
+
+### Dial Fields
+
+See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/hysteria2.zh.md

@@ -0,0 +1,79 @@
+### 结构
+
+```json
+{
+  "type": "hysteria2",
+  "tag": "hy2-out",
+
+  "server": "127.0.0.1",
+  "server_port": 1080,
+  "up_mbps": 100,
+  "down_mbps": 100,
+  "obfs": {
+    "type": "salamander",
+    "password": "cry_me_a_r1ver"
+  },
+  "password": "goofy_ahh_password",
+  "network": "tcp",
+  "tls": {},
+  
+  ... // 拨号字段
+}
+```
+
+!!! warning ""
+
+    默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
+
+### 字段
+
+#### server
+
+==必填==
+
+服务器地址。
+
+#### server_port
+
+==必填==
+
+服务器端口。
+
+#### up_mbps, down_mbps
+
+最大带宽。
+
+如果为空，将使用 BBR 流量控制算法而不是 Hysteria CC。
+
+#### obfs.type
+
+QUIC 流量混淆器类型，仅可设为 `salamander`。
+
+如果为空则禁用。
+
+#### obfs.password
+
+QUIC 流量混淆器密码.
+
+#### password
+
+认证密码。
+
+#### network
+
+启用的网络协议。
+
+`tcp` 或 `udp`。
+
+默认所有。
+
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/configuration/outbound/index.md

@@ -29,6 +29,8 @@
 | `shadowsocksr` | [ShadowsocksR](./shadowsocksr) |
 | `vless`        | [VLESS](./vless)               |
 | `shadowtls`    | [ShadowTLS](./shadowtls)       |
+| `tuic`         | [TUIC](./tuic)                 |
+| `hysteria2`    | [Hysteria2](./hysteria2)       |
 | `tor`          | [Tor](./tor)                   |
 | `ssh`          | [SSH](./ssh)                   |
 | `dns`          | [DNS](./dns)                   |

docs/configuration/outbound/index.zh.md

@@ -28,6 +28,9 @@
 | `hysteria`     | [Hysteria](./hysteria)         |
 | `shadowsocksr` | [ShadowsocksR](./shadowsocksr) |
 | `vless`        | [VLESS](./vless)               |
+| `shadowtls`    | [ShadowTLS](./shadowtls)       |
+| `tuic`         | [TUIC](./tuic)                 |
+| `hysteria2`    | [Hysteria2](./hysteria2)       |
 | `tor`          | [Tor](./tor)                   |
 | `ssh`          | [SSH](./ssh)                   |
 | `dns`          | [DNS](./dns)                   |

docs/configuration/outbound/selector.md

@@ -10,7 +10,8 @@
     "proxy-b",
     "proxy-c"
   ],
-  "default": "proxy-c"
+  "default": "proxy-c",
+  "interrupt_exist_connections": false
 }
 ```
 
@@ -28,4 +29,10 @@ List of outbound tags to select.
 
 #### default
 
-The default outbound tag. The first outbound will be used if empty.
+The default outbound tag. The first outbound will be used if empty.
+
+#### interrupt_exist_connections
+
+Interrupt existing connections when the selected outbound has changed.
+
+Only inbound connections are affected by this setting, internal connections will always be interrupted.

docs/configuration/outbound/selector.zh.md

@@ -10,7 +10,8 @@
     "proxy-b",
     "proxy-c"
   ],
-  "default": "proxy-c"
+  "default": "proxy-c",
+  "interrupt_exist_connections": false
 }
 ```
 
@@ -29,3 +30,9 @@
 #### default
 
 默认的出站标签。默认使用第一个出站。
+
+#### interrupt_exist_connections
+
+当选定的出站发生更改时，中断现有连接。
+
+仅入站连接受此设置影响，内部连接将始终被中断。

docs/configuration/outbound/tuic.md

@@ -0,0 +1,100 @@
+### Structure
+
+```json
+{
+  "type": "tuic",
+  "tag": "tuic-out",
+  
+  "server": "127.0.0.1",
+  "server_port": 1080,
+  "uuid": "2DD61D93-75D8-4DA4-AC0E-6AECE7EAC365",
+  "password": "hello",
+  "congestion_control": "cubic",
+  "udp_relay_mode": "native",
+  "udp_over_stream": false,
+  "zero_rtt_handshake": false,
+  "heartbeat": "10s",
+  "network": "tcp",
+  "tls": {},
+  
+  ... // Dial Fields
+}
+```
+
+!!! warning ""
+
+    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
+
+### Fields
+
+#### server
+
+==Required==
+
+The server address.
+
+#### server_port
+
+==Required==
+
+The server port.
+
+#### uuid
+
+==Required==
+
+TUIC user uuid
+
+#### password
+
+TUIC user password
+
+#### congestion_control
+
+QUIC congestion control algorithm
+
+One of: `cubic`, `new_reno`, `bbr`
+
+`cubic` is used by default.
+
+#### udp_relay_mode
+
+UDP packet relay mode
+
+| Mode   | Description                                                              |
+|:-------|:-------------------------------------------------------------------------|
+| native | native UDP characteristics                                               |
+| quic   | lossless UDP relay using QUIC streams, additional overhead is introduced |
+
+`native` is used by default.
+
+Conflict with `udp_over_stream`.
+
+#### udp_over_stream
+
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
+another program compatible with the protocol as a server.
+
+This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP
+traffic (basically QUIC streams).
+
+Conflict with `udp_relay_mode`.
+
+#### network
+
+Enabled network
+
+One of `tcp` `udp`.
+
+Both is enabled by default.
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
+
+### Dial Fields
+
+See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/tuic.zh.md

@@ -0,0 +1,108 @@
+### 结构
+
+```json
+{
+  "type": "tuic",
+  "tag": "tuic-out",
+  
+  "server": "127.0.0.1",
+  "server_port": 1080,
+  "uuid": "2DD61D93-75D8-4DA4-AC0E-6AECE7EAC365",
+  "password": "hello",
+  "congestion_control": "cubic",
+  "udp_relay_mode": "native",
+  "udp_over_stream": false,
+  "zero_rtt_handshake": false,
+  "heartbeat": "10s",
+  "network": "tcp",
+  "tls": {},
+  
+  ... // 拨号字段
+}
+```
+
+!!! warning ""
+
+    默认安装不包含被 TUI 依赖的 QUIC，参阅 [安装](/zh/#_2)。
+
+### 字段
+
+#### server
+
+==必填==
+
+服务器地址。
+
+#### server_port
+
+==必填==
+
+服务器端口。
+
+#### uuid
+
+==必填==
+
+TUIC 用户 UUID
+
+#### password
+
+TUIC 用户密码
+
+#### congestion_control
+
+QUIC 流量控制算法
+
+可选值: `cubic`, `new_reno`, `bbr`
+
+默认使用 `cubic`。
+
+#### udp_relay_mode
+
+UDP 包中继模式
+
+| 模式     | 描述                           |
+|--------|------------------------------|
+| native | 原生 UDP                       |
+| quic   | 使用 QUIC 流的无损 UDP 中继，引入了额外的开销 |
+
+与 `udp_over_stream` 冲突。
+
+#### udp_over_stream
+
+这是 TUIC 的 [UDP over TCP 协议](/configuration/shared/udp-over-tcp) 移植， 旨在提供 TUIC 不提供的 基于 QUIC 流的 UDP 中继模式。 由于它是一个附加协议，因此您需要使用 sing-box 或其他兼容的程序作为服务器。
+
+此模式在正确的 UDP 代理场景中没有任何积极作用，仅适用于中继流式 UDP 流量（基本上是 QUIC 流）。
+
+与 `udp_relay_mode` 冲突。
+
+#### zero_rtt_handshake
+
+在客户端启用 0-RTT QUIC 连接握手
+这对性能影响不大，因为协议是完全复用的
+
+!!! warning ""
+强烈建议禁用此功能，因为它容易受到重放攻击。
+请参阅 [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
+
+#### heartbeat
+
+发送心跳包以保持连接存活的时间间隔
+
+#### network
+
+启用的网络协议。
+
+`tcp` 或 `udp`。
+
+默认所有。
+
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/configuration/outbound/urltest.md

@@ -12,7 +12,8 @@
   ],
   "url": "https://www.gstatic.com/generate_204",
   "interval": "1m",
-  "tolerance": 50
+  "tolerance": 50,
+  "interrupt_exist_connections": false
 }
 ```
 
@@ -35,3 +36,9 @@ The test interval. `1m` will be used if empty.
 #### tolerance
 
 The test tolerance in milliseconds. `50` will be used if empty.
+
+#### interrupt_exist_connections
+
+Interrupt existing connections when the selected outbound has changed.
+
+Only inbound connections are affected by this setting, internal connections will always be interrupted.

docs/configuration/outbound/urltest.zh.md

@@ -12,7 +12,8 @@
   ],
   "url": "https://www.gstatic.com/generate_204",
   "interval": "1m",
-  "tolerance": 50
+  "tolerance": 50,
+  "interrupt_exist_connections": false
 }
 ```
 
@@ -35,3 +36,9 @@
 #### tolerance
 
 以毫秒为单位的测试容差。 默认使用 `50`。
+
+#### interrupt_exist_connections
+
+当选定的出站发生更改时，中断现有连接。
+
+仅入站连接受此设置影响，内部连接将始终被中断。

docs/configuration/route/index.zh.md

@@ -24,7 +24,6 @@
 |------------|-------------------------|
 | `geoip`    | [GeoIP](./geoip)        |
 | `geosite`  | [GeoSite](./geosite)    |
-| `ip_rules` | 一组 [IP 路由规则](./ip-rule) |
 | `rules`    | 一组 [路由规则](./rule)       |
 
 #### final

docs/configuration/route/ip-rule.md

@@ -1,205 +0,0 @@
-### Structure
-
-```json
-{
-  "route": {
-    "ip_rules": [
-      {
-        "inbound": [
-          "mixed-in"
-        ],
-        "ip_version": 6,
-        "network": [
-          "tcp"
-        ],
-        "domain": [
-          "test.com"
-        ],
-        "domain_suffix": [
-          ".cn"
-        ],
-        "domain_keyword": [
-          "test"
-        ],
-        "domain_regex": [
-          "^stun\\..+"
-        ],
-        "geosite": [
-          "cn"
-        ],
-        "source_geoip": [
-          "private"
-        ],
-        "geoip": [
-          "cn"
-        ],
-        "source_ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "source_port": [
-          12345
-        ],
-        "source_port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "port": [
-          80,
-          443
-        ],
-        "port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "invert": false,
-        "action": "direct",
-        "outbound": "wireguard"
-      },
-      {
-        "type": "logical",
-        "mode": "and",
-        "rules": [],
-        "invert": false,
-        "action": "direct",
-        "outbound": "wireguard"
-      }
-    ]
-  }
-}
-
-```
-
-!!! note ""
-
-    You can ignore the JSON Array [] tag when the content is only one item
-
-### Default Fields
-
-!!! note ""
-
-    The default rule uses the following matching logic:  
-    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
-    (`port` || `port_range`) &&  
-    (`source_geoip` || `source_ip_cidr`) &&  
-    (`source_port` || `source_port_range`) &&  
-    `other fields`
-
-#### inbound
-
-Tags of [Inbound](/configuration/inbound).
-
-#### ip_version
-
-4 or 6.
-
-Not limited if empty.
-
-#### network
-
-Match network protocol.
-
-Available values:
-
-* `tcp`
-* `udp`
-* `icmpv4`
-* `icmpv6`
-
-#### domain
-
-Match full domain.
-
-#### domain_suffix
-
-Match domain suffix.
-
-#### domain_keyword
-
-Match domain using keyword.
-
-#### domain_regex
-
-Match domain using regular expression.
-
-#### geosite
-
-Match geosite.
-
-#### source_geoip
-
-Match source geoip.
-
-#### geoip
-
-Match geoip.
-
-#### source_ip_cidr
-
-Match source ip cidr.
-
-#### ip_cidr
-
-Match ip cidr.
-
-#### source_port
-
-Match source port.
-
-#### source_port_range
-
-Match source port range.
-
-#### port
-
-Match port.
-
-#### port_range
-
-Match port range.
-
-#### invert
-
-Invert match result.
-
-#### action
-
-==Required==
-
-| Action | Description                                                        |
-|--------|--------------------------------------------------------------------|
-| return | Stop IP routing and assemble the connection to the transport layer |
-| block  | Block the connection                                               |
-| direct | Directly forward the connection                                    |
-
-#### outbound
-
-==Required if action is direct==
-
-Tag of the target outbound.
-
-Only outbound which supports IP connection can be used, see [Outbounds that support IP connection](/configuration/outbound/#outbounds-that-support-ip-connection).
-
-### Logical Fields
-
-#### type
-
-`logical`
-
-#### mode
-
-==Required==
-
-`and` or `or`
-
-#### rules
-
-==Required==
-
-Included default rules.

docs/configuration/route/ip-rule.zh.md

@@ -1,204 +0,0 @@
-### 结构
-
-```json
-{
-  "route": {
-    "ip_rules": [
-      {
-        "inbound": [
-          "mixed-in"
-        ],
-        "ip_version": 6,
-        "network": [
-          "tcp"
-        ],
-        "domain": [
-          "test.com"
-        ],
-        "domain_suffix": [
-          ".cn"
-        ],
-        "domain_keyword": [
-          "test"
-        ],
-        "domain_regex": [
-          "^stun\\..+"
-        ],
-        "geosite": [
-          "cn"
-        ],
-        "source_geoip": [
-          "private"
-        ],
-        "geoip": [
-          "cn"
-        ],
-        "source_ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "source_port": [
-          12345
-        ],
-        "source_port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "port": [
-          80,
-          443
-        ],
-        "port_range": [
-          "1000:2000",
-          ":3000",
-          "4000:"
-        ],
-        "invert": false,
-        "action": "direct",
-        "outbound": "wireguard"
-      },
-      {
-        "type": "logical",
-        "mode": "and",
-        "rules": [],
-        "invert": false,
-        "action": "direct",
-        "outbound": "wireguard"
-      }
-    ]
-  }
-}
-
-```
-
-!!! note ""
-
-    当内容只有一项时，可以忽略 JSON 数组 [] 标签。
-
-### Default Fields
-
-!!! note ""
-
-    默认规则使用以下匹配逻辑:  
-    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
-    (`port` || `port_range`) &&  
-    (`source_geoip` || `source_ip_cidr`) &&  
-    (`source_port` || `source_port_range`) &&  
-    `other fields`
-
-#### inbound
-
-[入站](/zh/configuration/inbound) 标签。
-
-#### ip_version
-
-4 或 6。
-
-默认不限制。
-
-#### network
-
-匹配网络协议。
-
-可用值：
-
-* `tcp`
-* `udp`
-* `icmpv4`
-* `icmpv6`
-
-#### domain
-
-匹配完整域名。
-
-#### domain_suffix
-
-匹配域名后缀。
-
-#### domain_keyword
-
-匹配域名关键字。
-
-#### domain_regex
-
-匹配域名正则表达式。
-
-#### geosite
-
-匹配 GeoSite。
-
-#### source_geoip
-
-匹配源 GeoIP。
-
-#### geoip
-
-匹配 GeoIP。
-
-#### source_ip_cidr
-
-匹配源 IP CIDR。
-
-#### ip_cidr
-
-匹配 IP CIDR。
-
-#### source_port
-
-匹配源端口。
-
-#### source_port_range
-
-匹配源端口范围。
-
-#### port
-
-匹配端口。
-
-#### port_range
-
-匹配端口范围。
-
-#### invert
-
-反选匹配结果。
-
-#### action
-
-==必填==
-
-| Action | 描述                  |
-|--------|---------------------|
-| return | 停止 IP 路由并将该连接组装到传输层 |
-| block  | 屏蔽该连接               |
-| direct | 直接转发该连接             |
-
-
-#### outbound
-
-==action 为 direct 则必填==
-
-目标出站的标签。
-
-### 逻辑字段
-
-#### type
-
-`logical`
-
-#### mode
-
-==必填==
-
-`and` 或 `or`
-
-#### rules
-
-==必填==
-
-包括的默认规则。