documentation: Update changelog

Signed-off-by: Larvan2 <78135608+Larvan2@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,77 +1,70 @@
-name: Bug report
-description: "Report sing-box bug"
+name: Bug Report
+description: "Create a report to help us improve."
 body:
-  - type: dropdown
+  - type: checkboxes
+    id: terms
     attributes:
-      label: Operating system
-      description: Operating system type
+      label: Welcome
       options:
-        - iOS
-        - macOS
-        - Apple tvOS
-        - Android
-        - Windows
-        - Linux
-        - Others
-    validations:
-      required: true
-  - type: input
-    attributes:
-      label: System version
-      description: Please provide the operating system version
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Installation type
-      description: Please provide the sing-box installation type
-      options:
-        - Original sing-box Command Line
-        - sing-box for iOS Graphical Client
-        - sing-box for macOS Graphical Client
-        - sing-box for Apple tvOS Graphical Client
-        - sing-box for Android Graphical Client
-        - Third-party graphical clients that advertise themselves as using sing-box (Windows)
-        - Third-party graphical clients that advertise themselves as using sing-box (Android)
-        - Others
-    validations:
-      required: true
-  - type: input
-    attributes:
-      description: Graphical client version
-      label: If you are using a graphical client, please provide the version of the client.
+        - label: Yes, I'm using the latest major release. Only such installations are supported.
+          required: true
+        - label: Yes, I'm using the latest Golang release. Only such installations are supported.
+          required: true
+        - label: Yes, I've searched similar issues on GitHub and didn't find any.
+          required: true
+        - label: Yes, I've included all information below (version, **FULL** config, **FULL** log, etc).
+          required: true
+
   - type: textarea
+    id: problem
     attributes:
-      label: Version
-      description: If you are using the original command line program, please provide the output of the `sing-box version` command.
+      label: Description of the problem
+      placeholder: Your problem description
+    validations:
+      required: true
+
+  - type: textarea
+    id: version
+    attributes:
+      label: Version of sing-box
       value: |-
         <details>
+
         ```console
-        # Replace this line with the output
+        $ sing-box version
+        # Paste output here
         ```
+
         </details>
-  - type: textarea
-    attributes:
-      label: Description
-      description: Please provide a detailed description of the error.
     validations:
       required: true
+
   - type: textarea
+    id: config
     attributes:
-      label: Reproduction
-      description: Please provide the steps to reproduce the error, including the configuration files and procedures that can locally (not dependent on the remote server) reproduce the error using the original command line program of sing-box.
-    validations:
-      required: true
-  - type: textarea
-    attributes:
-      label: Logs
-      description: |-
-        If you encounter a crash with the graphical client, please provide crash logs.
-        For Apple platform clients, please check `Settings - View Service Log` for crash logs.
-        For the Android client, please check the `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` file for crash logs.
+      label: Server and client configuration file
       value: |-
         <details>
+
         ```console
-        # Replace this line with logs
+        # paste json here
         ```
-        </details>
+
+        </details>
+    validations:
+      required: true
+
+  - type: textarea
+    id: log
+    attributes:
+      label: Server and client log file
+      value: |-
+        <details>
+
+        ```console
+        # paste log here
+        ```
+
+        </details>
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/bug_report_zh.yml

@@ -1,77 +0,0 @@
-name: 错误反馈
-description: "提交 sing-box 漏洞"
-body:
-  - type: dropdown
-    attributes:
-      label: 操作系统
-      description: 请提供操作系统类型
-      options:
-        - iOS
-        - macOS
-        - Apple tvOS
-        - Android
-        - Windows
-        - Linux
-        - 其他
-    validations:
-      required: true
-  - type: input
-    attributes:
-      label: 系统版本
-      description: 请提供操作系统版本
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: 安装类型
-      description: 请提供该 sing-box 安装类型
-      options:
-        - sing-box 原始命令行程序
-        - sing-box for iOS 图形客户端程序
-        - sing-box for macOS 图形客户端程序
-        - sing-box for Apple tvOS 图形客户端程序
-        - sing-box for Android 图形客户端程序
-        - 宣传使用 sing-box 的第三方图形客户端程序 (Windows)
-        - 宣传使用 sing-box 的第三方图形客户端程序 (Android)
-        - 其他
-    validations:
-      required: true
-  - type: input
-    attributes:
-      description: 图形客户端版本
-      label: 如果您使用图形客户端程序，请提供该程序版本。
-  - type: textarea
-    attributes:
-      label: 版本
-      description: 如果您使用原始命令行程序，请提供 `sing-box version` 命令的输出。
-      value: |-
-        <details>
-        ```console
-        # 使用输出内容覆盖此行
-        ```
-        </details>
-  - type: textarea
-    attributes:
-      label: 描述
-      description: 请提供错误的详细描述。
-    validations:
-      required: true
-  - type: textarea
-    attributes:
-      label: 重现方式
-      description: 请提供重现错误的步骤，必须包括可以在本地（不依赖与远程服务器）使用 sing-box 原始命令行程序重现错误的配置文件与流程。
-    validations:
-      required: true
-  - type: textarea
-    attributes:
-      label: 日志
-      description: |-
-        如果您遭遇图形界面应用程序崩溃，请提供崩溃日志。
-        对于 Apple 平台图形客户端程序，请检查 `Settings - View Service Log` 以导出崩溃日志。
-        对于 Android 图形客户端程序，请检查 `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` 文件以导出崩溃日志。
-      value: |-
-        <details>
-        ```console
-        # 使用日志内容覆盖此行
-        ```
-        </details>

.github/workflows/debug.yml

@@ -62,27 +62,7 @@ jobs:
             ~/go/pkg/mod
           key: go118-${{ hashFiles('**/go.sum') }}
       - name: Run Test
-        run: make ci_build_go118
-  build_go120:
-    name: Debug build (Go 1.20)
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v4
-        with:
-          go-version: 1.20.7
-      - name: Cache go module
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go118-${{ hashFiles('**/go.sum') }}
-      - name: Run Test
-        run: make ci_build
+        run: make
   cross:
     strategy:
       matrix:

.goreleaser.yaml

@@ -14,7 +14,6 @@ builds:
     tags:
       - with_gvisor
       - with_quic
-      - with_dhcp
       - with_wireguard
       - with_utls
       - with_reality_server
@@ -49,7 +48,6 @@ builds:
     tags:
       - with_gvisor
       - with_quic
-      - with_dhcp
       - with_wireguard
       - with_utls
       - with_clash_api

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21-alpine AS builder
+FROM golang:1.20-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
@@ -9,7 +9,7 @@ RUN set -ex \
     && apk add git build-base \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
+    && go build -v -trimpath -tags with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
         -o /go/bin/sing-box \
         -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
         ./cmd/sing-box

Makefile

@@ -1,30 +1,20 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
-TAGS_GO120 ?= with_quic
+TAGS ?= with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run ./cmd/internal/read_tag)
 
-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
-MAIN_PARAMS = $(PARAMS) -tags "$(TAGS_GO118),$(TAGS_GO120)"
+PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
 
 .PHONY: test release
 
 build:
-	go build $(MAIN_PARAMS) $(MAIN)
-
-ci_build_go118:
 	go build $(PARAMS) $(MAIN)
-	go build $(PARAMS) -tags "$(TAGS_GO118)" $(MAIN)
-
-ci_build:
-	go build $(PARAMS) $(MAIN)
-	go build $(MAIN_PARAMS) $(MAIN)
 
 install:
 	go build -o $(PREFIX)/bin/$(NAME) $(PARAMS) $(MAIN)
@@ -32,7 +22,7 @@ install:
 fmt:
 	@gofumpt -l -w .
 	@gofmt -s -w .
-	@gci write --custom-order -s standard -s "prefix(github.com/sagernet/)" -s "default" .
+	@gci write --custom-order -s "standard,prefix(github.com/sagernet/),default" .
 
 fmt_install:
 	go install -v mvdan.cc/gofumpt@latest
@@ -58,14 +48,14 @@ proto_install:
 	go install -v google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
 
 snapshot:
-	go run ./cmd/internal/build goreleaser release --clean --snapshot || exit 1
+	go run ./cmd/internal/build goreleaser release --rm-dist --snapshot || exit 1
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
 	ghr --delete --draft --prerelease -p 1 nightly dist/release
 	rm -r dist
 
 release:
-	go run ./cmd/internal/build goreleaser release --clean --skip-publish || exit 1
+	go run ./cmd/internal/build goreleaser release --rm-dist --skip-publish || exit 1
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
 	ghr --delete --draft --prerelease -p 3 $(shell git describe --tags) dist/release
@@ -99,8 +89,8 @@ lib:
 
 lib_install:
 	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230728014906-3de089147f59
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230728014906-3de089147f59
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230413023804-244d7ff07035
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230413023804-244d7ff07035
 
 clean:
 	rm -rf bin dist sing-box

adapter/experimental.go

@@ -23,8 +23,6 @@ type ClashServer interface {
 type ClashCacheFile interface {
 	LoadSelected(group string) string
 	StoreSelected(group string, selected string) error
-	LoadGroupExpand(group string) (isExpand bool, loaded bool)
-	StoreGroupExpand(group string, expand bool) error
 	FakeIPStorage
 }
 
@@ -33,7 +31,6 @@ type Tracker interface {
 }
 
 type OutboundGroup interface {
-	Outbound
 	Now() string
 	All() []string
 }

adapter/fakeip.go

@@ -4,13 +4,12 @@ import (
 	"net/netip"
 
 	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing/common/logger"
 )
 
 type FakeIPStore interface {
 	Service
 	Contains(address netip.Addr) bool
-	Create(domain string, isIPv6 bool) (netip.Addr, error)
+	Create(domain string, strategy dns.DomainStrategy) (netip.Addr, error)
 	Lookup(address netip.Addr) (string, bool)
 	Reset() error
 }
@@ -18,15 +17,7 @@ type FakeIPStore interface {
 type FakeIPStorage interface {
 	FakeIPMetadata() *FakeIPMetadata
 	FakeIPSaveMetadata(metadata *FakeIPMetadata) error
-	FakeIPSaveMetadataAsync(metadata *FakeIPMetadata)
 	FakeIPStore(address netip.Addr, domain string) error
-	FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger)
 	FakeIPLoad(address netip.Addr) (string, bool)
-	FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bool)
 	FakeIPReset() error
 }
-
-type FakeIPTransport interface {
-	dns.Transport
-	Store() FakeIPStore
-}

adapter/inbound.go

@@ -46,7 +46,6 @@ type InboundContext struct {
 	SourceGeoIPCode      string
 	GeoIPCode            string
 	ProcessInfo          *process.Info
-	FakeIP               bool
 
 	// dns cache
 

adapter/outbound.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 
+	"github.com/sagernet/sing-tun"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -13,8 +14,12 @@ type Outbound interface {
 	Type() string
 	Tag() string
 	Network() []string
-	Dependencies() []string
 	N.Dialer
 	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }
+
+type IPOutbound interface {
+	Outbound
+	NewIPConnection(ctx context.Context, conn tun.RouteContext, metadata InboundContext) (tun.DirectDestination, error)
+}

adapter/prestart.go

@@ -4,6 +4,12 @@ type PreStarter interface {
 	PreStart() error
 }
 
-type PostStarter interface {
-	PostStart() error
+func PreStart(starter any) error {
+	if preService, ok := starter.(PreStarter); ok {
+		err := preService.PreStart()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }

adapter/router.go

@@ -25,6 +25,9 @@ type Router interface {
 
 	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+	RouteIPConnection(ctx context.Context, conn tun.RouteContext, metadata InboundContext) tun.RouteAction
+
+	NatRequired(outbound string) bool
 
 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
@@ -42,7 +45,9 @@ type Router interface {
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
+
 	Rules() []Rule
+	IPRules() []IPRule
 
 	TimeService
 
@@ -84,6 +89,11 @@ type DNSRule interface {
 	RewriteTTL() *uint32
 }
 
-type InterfaceUpdateListener interface {
-	InterfaceUpdated()
+type IPRule interface {
+	Rule
+	Action() tun.ActionType
+}
+
+type InterfaceUpdateListener interface {
+	InterfaceUpdated() error
 }

box.go

@@ -19,7 +19,6 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-	"github.com/sagernet/sing/service/pause"
 )
 
 var _ adapter.Service = (*Box)(nil)
@@ -47,13 +46,12 @@ func New(options Options) (*Box, error) {
 	if ctx == nil {
 		ctx = context.Background()
 	}
-	ctx = pause.ContextWithDefaultManager(ctx)
 	createdAt := time.Now()
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needClashAPI bool
 	var needV2RayAPI bool
-	if experimentalOptions.ClashAPI != nil || options.PlatformInterface != nil {
+	if experimentalOptions.ClashAPI != nil && experimentalOptions.ClashAPI.ExternalController != "" {
 		needClashAPI = true
 	}
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
@@ -145,7 +143,7 @@ func New(options Options) (*Box, error) {
 	preServices := make(map[string]adapter.Service)
 	postServices := make(map[string]adapter.Service)
 	if needClashAPI {
-		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), common.PtrValueOrDefault(experimentalOptions.ClashAPI))
+		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), common.PtrValueOrDefault(options.Experimental.ClashAPI))
 		if err != nil {
 			return nil, E.Cause(err, "create clash api server")
 		}
@@ -153,7 +151,7 @@ func New(options Options) (*Box, error) {
 		preServices["clash api"] = clashServer
 	}
 	if needV2RayAPI {
-		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(experimentalOptions.V2RayAPI))
+		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(options.Experimental.V2RayAPI))
 		if err != nil {
 			return nil, E.Cause(err, "create v2ray api server")
 		}
@@ -213,17 +211,26 @@ func (s *Box) Start() error {
 
 func (s *Box) preStart() error {
 	for serviceName, service := range s.preServices {
-		if preService, isPreService := service.(adapter.PreStarter); isPreService {
-			s.logger.Trace("pre-start ", serviceName)
-			err := preService.PreStart()
-			if err != nil {
-				return E.Cause(err, "pre-starting ", serviceName)
-			}
+		s.logger.Trace("pre-start ", serviceName)
+		err := adapter.PreStart(service)
+		if err != nil {
+			return E.Cause(err, "pre-starting ", serviceName)
 		}
 	}
-	err := s.startOutbounds()
-	if err != nil {
-		return err
+	for i, out := range s.outbounds {
+		var tag string
+		if out.Tag() == "" {
+			tag = F.ToString(i)
+		} else {
+			tag = out.Tag()
+		}
+		if starter, isStarter := out.(common.Starter); isStarter {
+			s.logger.Trace("initializing outbound/", out.Type(), "[", tag, "]")
+			err := starter.Start()
+			if err != nil {
+				return E.Cause(err, "initialize outbound/", out.Type(), "[", tag, "]")
+			}
+		}
 	}
 	return s.router.Start()
 }
@@ -253,26 +260,13 @@ func (s *Box) start() error {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
-	return nil
-}
-
-func (s *Box) postStart() error {
 	for serviceName, service := range s.postServices {
 		s.logger.Trace("starting ", service)
-		err := service.Start()
+		err = service.Start()
 		if err != nil {
 			return E.Cause(err, "start ", serviceName)
 		}
 	}
-	for serviceName, service := range s.outbounds {
-		if lateService, isLateService := service.(adapter.PostStarter); isLateService {
-			s.logger.Trace("post-starting ", service)
-			err := lateService.PostStart()
-			if err != nil {
-				return E.Cause(err, "post-start ", serviceName)
-			}
-		}
-	}
 	return nil
 }
 

box_outbound.go

@@ -1,79 +0,0 @@
-package box
-
-import (
-	"strings"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
-)
-
-func (s *Box) startOutbounds() error {
-	outboundTags := make(map[adapter.Outbound]string)
-	outbounds := make(map[string]adapter.Outbound)
-	for i, outboundToStart := range s.outbounds {
-		var outboundTag string
-		if outboundToStart.Tag() == "" {
-			outboundTag = F.ToString(i)
-		} else {
-			outboundTag = outboundToStart.Tag()
-		}
-		if _, exists := outbounds[outboundTag]; exists {
-			return E.New("outbound tag ", outboundTag, " duplicated")
-		}
-		outboundTags[outboundToStart] = outboundTag
-		outbounds[outboundTag] = outboundToStart
-	}
-	started := make(map[string]bool)
-	for {
-		canContinue := false
-	startOne:
-		for _, outboundToStart := range s.outbounds {
-			outboundTag := outboundTags[outboundToStart]
-			if started[outboundTag] {
-				continue
-			}
-			dependencies := outboundToStart.Dependencies()
-			for _, dependency := range dependencies {
-				if !started[dependency] {
-					continue startOne
-				}
-			}
-			started[outboundTag] = true
-			canContinue = true
-			if starter, isStarter := outboundToStart.(common.Starter); isStarter {
-				s.logger.Trace("initializing outbound/", outboundToStart.Type(), "[", outboundTag, "]")
-				err := starter.Start()
-				if err != nil {
-					return E.Cause(err, "initialize outbound/", outboundToStart.Type(), "[", outboundTag, "]")
-				}
-			}
-		}
-		if len(started) == len(s.outbounds) {
-			break
-		}
-		if canContinue {
-			continue
-		}
-		currentOutbound := common.Find(s.outbounds, func(it adapter.Outbound) bool {
-			return !started[outboundTags[it]]
-		})
-		var lintOutbound func(oTree []string, oCurrent adapter.Outbound) error
-		lintOutbound = func(oTree []string, oCurrent adapter.Outbound) error {
-			problemOutboundTag := common.Find(oCurrent.Dependencies(), func(it string) bool {
-				return !started[it]
-			})
-			if common.Contains(oTree, problemOutboundTag) {
-				return E.New("circular outbound dependency: ", strings.Join(oTree, " -> "), " -> ", problemOutboundTag)
-			}
-			problemOutbound := outbounds[problemOutboundTag]
-			if problemOutbound == nil {
-				return E.New("dependency[", problemOutbound, "] not found for outbound[", outboundTags[oCurrent], "]")
-			}
-			return lintOutbound(append(oTree, problemOutboundTag), problemOutbound)
-		}
-		return lintOutbound([]string{outboundTags[currentOutbound]}, currentOutbound)
-	}
-	return nil
-}

cmd/internal/build/main.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"go/build"
 	"os"
 	"os/exec"
 
@@ -12,10 +11,6 @@ import (
 func main() {
 	build_shared.FindSDK()
 
-	if os.Getenv("build.Default.GOPATH") == "" {
-		os.Setenv("GOPATH", build.Default.GOPATH)
-	}
-
 	command := exec.Command(os.Args[1], os.Args[2:]...)
 	command.Stdout = os.Stdout
 	command.Stderr = os.Stderr

cmd/internal/build_libbox/main.go

@@ -40,7 +40,6 @@ var (
 	sharedFlags []string
 	debugFlags  []string
 	sharedTags  []string
-	iosTags     []string
 	debugTags   []string
 )
 
@@ -55,7 +54,7 @@ func init() {
 	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
 
 	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api")
-	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
+	sharedTags = append(sharedTags, "test_sing_shadowsocks2")
 	debugTags = append(debugTags, "debug")
 }
 
@@ -107,7 +106,7 @@ func buildiOS() {
 	args := []string{
 		"bind",
 		"-v",
-		"-target", "ios,iossimulator,tvos,tvossimulator,macos",
+		"-target", "ios,iossimulator,macos",
 		"-libname=box",
 	}
 	if !debugEnabled {
@@ -116,7 +115,7 @@ func buildiOS() {
 		args = append(args, debugFlags...)
 	}
 
-	tags := append(sharedTags, iosTags...)
+	tags := append(sharedTags, "with_low_memory", "with_conntrack")
 	args = append(args, "-tags")
 	if !debugEnabled {
 		args = append(args, strings.Join(tags, ","))
@@ -133,7 +132,7 @@ func buildiOS() {
 		log.Fatal(err)
 	}
 
-	copyPath := filepath.Join("..", "sing-box-for-apple")
+	copyPath := filepath.Join("..", "sing-box-for-ios")
 	if rw.FileExists(copyPath) {
 		targetDir := filepath.Join(copyPath, "Libbox.xcframework")
 		targetDir, _ = filepath.Abs(targetDir)

cmd/internal/build_shared/tag.go

@@ -1,9 +1,6 @@
 package build_shared
 
-import (
-	"github.com/sagernet/sing-box/common/badversion"
-	"github.com/sagernet/sing/common/shell"
-)
+import "github.com/sagernet/sing/common/shell"
 
 func ReadTag() (string, error) {
 	currentTag, err := shell.Exec("git", "describe", "--tags").ReadOutput()
@@ -15,9 +12,5 @@ func ReadTag() (string, error) {
 		return currentTag[1:], nil
 	}
 	shortCommit, _ := shell.Exec("git", "rev-parse", "--short", "HEAD").ReadOutput()
-	version := badversion.Parse(currentTagRev[1:])
-	if version.PreReleaseIdentifier == "" {
-		version.Patch++
-	}
-	return version.String() + "-" + shortCommit, nil
+	return currentTagRev[1:] + "-" + shortCommit, nil
 }

common/baderror/baderror.go

@@ -55,7 +55,7 @@ func WrapQUIC(err error) error {
 	if err == nil {
 		return nil
 	}
-	if Contains(err, "canceled by local with error code 0") {
+	if Contains(err, "canceled with error code 0") {
 		return net.ErrClosed
 	}
 	return err

common/badtls/badtls_stub.go

@@ -5,10 +5,8 @@ package badtls
 import (
 	"crypto/tls"
 	"os"
-
-	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func Create(conn *tls.Conn) (aTLS.Conn, error) {
+func Create(conn *tls.Conn) (TLSConn, error) {
 	return nil, os.ErrInvalid
 }

common/badversion/version.go

@@ -11,7 +11,6 @@ type Version struct {
 	Major                int
 	Minor                int
 	Patch                int
-	Commit               string
 	PreReleaseIdentifier string
 	PreReleaseVersion    int
 }
@@ -38,21 +37,16 @@ func (v Version) After(anotherVersion Version) bool {
 		return false
 	}
 	if v.PreReleaseIdentifier != "" && anotherVersion.PreReleaseIdentifier != "" {
-		if v.PreReleaseIdentifier == anotherVersion.PreReleaseIdentifier {
-			if v.PreReleaseVersion > anotherVersion.PreReleaseVersion {
-				return true
-			} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
-				return false
-			}
-		} else if v.PreReleaseIdentifier == "rc" && anotherVersion.PreReleaseIdentifier == "beta" {
-			return true
-		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "rc" {
-			return false
-		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
+		if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
 			return true
 		} else if v.PreReleaseIdentifier == "alpha" && anotherVersion.PreReleaseIdentifier == "beta" {
 			return false
 		}
+		if v.PreReleaseVersion > anotherVersion.PreReleaseVersion {
+			return true
+		} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
+			return false
+		}
 	}
 	return false
 }
@@ -101,7 +95,7 @@ func Parse(versionName string) (version Version) {
 				version.PreReleaseIdentifier = "beta"
 				version.PreReleaseVersion, _ = strconv.Atoi(identifier[4:])
 			} else {
-				version.Commit = identifier
+				version.PreReleaseIdentifier = identifier
 			}
 		}
 	}

common/debugio/log.go

@@ -0,0 +1,87 @@
+package debugio
+
+import (
+	"net"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type LogConn struct {
+	N.ExtendedConn
+	logger log.Logger
+	prefix string
+}
+
+func NewLogConn(conn net.Conn, logger log.Logger, prefix string) N.ExtendedConn {
+	return &LogConn{bufio.NewExtendedConn(conn), logger, prefix}
+}
+
+func (c *LogConn) Read(p []byte) (n int, err error) {
+	n, err = c.ExtendedConn.Read(p)
+	if n > 0 {
+		c.logger.Debug(c.prefix, " read ", buf.EncodeHexString(p[:n]))
+	}
+	return
+}
+
+func (c *LogConn) Write(p []byte) (n int, err error) {
+	c.logger.Debug(c.prefix, " write ", buf.EncodeHexString(p))
+	return c.ExtendedConn.Write(p)
+}
+
+func (c *LogConn) ReadBuffer(buffer *buf.Buffer) error {
+	err := c.ExtendedConn.ReadBuffer(buffer)
+	if err == nil {
+		c.logger.Debug(c.prefix, " read buffer ", buf.EncodeHexString(buffer.Bytes()))
+	}
+	return err
+}
+
+func (c *LogConn) WriteBuffer(buffer *buf.Buffer) error {
+	c.logger.Debug(c.prefix, " write buffer ", buf.EncodeHexString(buffer.Bytes()))
+	return c.ExtendedConn.WriteBuffer(buffer)
+}
+
+func (c *LogConn) Upstream() any {
+	return c.ExtendedConn
+}
+
+type LogPacketConn struct {
+	N.NetPacketConn
+	logger log.Logger
+	prefix string
+}
+
+func NewLogPacketConn(conn net.PacketConn, logger log.Logger, prefix string) N.NetPacketConn {
+	return &LogPacketConn{bufio.NewPacketConn(conn), logger, prefix}
+}
+
+func (c *LogPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
+	n, addr, err = c.NetPacketConn.ReadFrom(p)
+	if n > 0 {
+		c.logger.Debug(c.prefix, " read from ", addr, " ", buf.EncodeHexString(p[:n]))
+	}
+	return
+}
+
+func (c *LogPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	c.logger.Debug(c.prefix, " write to ", addr, " ", buf.EncodeHexString(p))
+	return c.NetPacketConn.WriteTo(p, addr)
+}
+
+func (c *LogPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
+	destination, err = c.NetPacketConn.ReadPacket(buffer)
+	if err == nil {
+		c.logger.Debug(c.prefix, " read packet from ", destination, " ", buf.EncodeHexString(buffer.Bytes()))
+	}
+	return
+}
+
+func (c *LogPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	c.logger.Debug(c.prefix, " write packet to ", destination, " ", buf.EncodeHexString(buffer.Bytes()))
+	return c.NetPacketConn.WritePacket(buffer, destination)
+}

common/debugio/print.go

@@ -0,0 +1,19 @@
+package debugio
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/sagernet/sing/common"
+)
+
+func PrintUpstream(obj any) {
+	for obj != nil {
+		fmt.Println(reflect.TypeOf(obj))
+		if u, ok := obj.(common.WithUpstream); !ok {
+			break
+		} else {
+			obj = u.Upstream()
+		}
+	}
+}

common/debugio/race.go

@@ -0,0 +1,48 @@
+package debugio
+
+import (
+	"net"
+	"sync"
+
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type RaceConn struct {
+	N.ExtendedConn
+	readAccess  sync.Mutex
+	writeAccess sync.Mutex
+}
+
+func NewRaceConn(conn net.Conn) N.ExtendedConn {
+	return &RaceConn{ExtendedConn: bufio.NewExtendedConn(conn)}
+}
+
+func (c *RaceConn) Read(p []byte) (n int, err error) {
+	c.readAccess.Lock()
+	defer c.readAccess.Unlock()
+	return c.ExtendedConn.Read(p)
+}
+
+func (c *RaceConn) Write(p []byte) (n int, err error) {
+	c.writeAccess.Lock()
+	defer c.writeAccess.Unlock()
+	return c.ExtendedConn.Write(p)
+}
+
+func (c *RaceConn) ReadBuffer(buffer *buf.Buffer) error {
+	c.readAccess.Lock()
+	defer c.readAccess.Unlock()
+	return c.ExtendedConn.ReadBuffer(buffer)
+}
+
+func (c *RaceConn) WriteBuffer(buffer *buf.Buffer) error {
+	c.writeAccess.Lock()
+	defer c.writeAccess.Unlock()
+	return c.ExtendedConn.WriteBuffer(buffer)
+}
+
+func (c *RaceConn) Upstream() any {
+	return c.ExtendedConn
+}

common/dialer/default.go

@@ -26,7 +26,7 @@ type DefaultDialer struct {
 	udpAddr6    string
 }
 
-func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDialer, error) {
+func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDialer {
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
@@ -93,12 +93,6 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		udpDialer6.LocalAddr = &net.UDPAddr{IP: bindAddr.AsSlice()}
 		udpAddr6 = M.SocksaddrFrom(bindAddr, 0).String()
 	}
-	if options.TCPMultiPath {
-		if !multipathTCPAvailable {
-			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
-		}
-		setMultiPathTCP(&dialer4)
-	}
 	return &DefaultDialer{
 		tfo.Dialer{Dialer: dialer4, DisableTFO: !options.TCPFastOpen},
 		tfo.Dialer{Dialer: dialer6, DisableTFO: !options.TCPFastOpen},
@@ -107,7 +101,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		listener,
 		udpAddr4,
 		udpAddr6,
-	}, nil
+	}
 }
 
 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {

common/dialer/default_go1.21.go

@@ -1,11 +0,0 @@
-//go:build go1.21
-
-package dialer
-
-import "net"
-
-const multipathTCPAvailable = true
-
-func setMultiPathTCP(dialer *net.Dialer) {
-	dialer.SetMultipathTCP(true)
-}

common/dialer/default_nongo1.21.go

@@ -1,12 +0,0 @@
-//go:build !go1.21
-
-package dialer
-
-import (
-	"net"
-)
-
-const multipathTCPAvailable = false
-
-func setMultiPathTCP(dialer *net.Dialer) {
-}

common/dialer/dialer.go

@@ -6,24 +6,13 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing/common"
 	N "github.com/sagernet/sing/common/network"
 )
 
-func MustNew(router adapter.Router, options option.DialerOptions) N.Dialer {
-	return common.Must1(New(router, options))
-}
-
-func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error) {
-	var (
-		dialer N.Dialer
-		err    error
-	)
+func New(router adapter.Router, options option.DialerOptions) N.Dialer {
+	var dialer N.Dialer
 	if options.Detour == "" {
-		dialer, err = NewDefault(router, options)
-		if err != nil {
-			return nil, err
-		}
+		dialer = NewDefault(router, options)
 	} else {
 		dialer = NewDetour(router, options.Detour)
 	}
@@ -31,5 +20,5 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
 		dialer = NewResolveDialer(router, dialer, domainStrategy, time.Duration(options.FallbackDelay))
 	}
-	return dialer, nil
+	return dialer
 }

common/dialer/tfo.go

@@ -128,6 +128,13 @@ func (c *slowOpenConn) NeedHandshake() bool {
 	return c.conn == nil
 }
 
+func (c *slowOpenConn) ReadFrom(r io.Reader) (n int64, err error) {
+	if c.conn != nil {
+		return bufio.Copy(c.conn, r)
+	}
+	return bufio.ReadFrom0(c, r)
+}
+
 func (c *slowOpenConn) WriteTo(w io.Writer) (n int64, err error) {
 	if c.conn == nil {
 		select {

common/process/searcher_linux_shared.go

@@ -15,6 +15,7 @@ import (
 	"unicode"
 	"unsafe"
 
+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
@@ -81,7 +82,9 @@ func resolveSocketByNetlink(network string, source netip.AddrPort, destination n
 		return 0, 0, E.Cause(err, "write netlink request")
 	}
 
-	buffer := buf.New()
+	_buffer := buf.StackNew()
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 
 	n, err := syscall.Read(socket, buffer.FreeBytes())

common/settings/proxy_darwin.go

@@ -20,10 +20,10 @@ type systemProxy struct {
 	isMixed       bool
 }
 
-func (p *systemProxy) update(event int) {
+func (p *systemProxy) update(event int) error {
 	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
 	if p.interfaceName == newInterfaceName {
-		return
+		return nil
 	}
 	if p.interfaceName != "" {
 		_ = p.unset()
@@ -31,7 +31,7 @@ func (p *systemProxy) update(event int) {
 	p.interfaceName = newInterfaceName
 	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
 	if err != nil {
-		return
+		return err
 	}
 	if p.isMixed {
 		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
@@ -40,9 +40,9 @@ func (p *systemProxy) update(event int) {
 		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	if err == nil {
-		_ = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
-	return
+	return err
 }
 
 func (p *systemProxy) unset() error {
@@ -88,7 +88,10 @@ func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() er
 		port:    port,
 		isMixed: isMixed,
 	}
-	proxy.update(tun.EventInterfaceUpdate)
+	err := proxy.update(tun.EventInterfaceUpdate)
+	if err != nil {
+		return nil, err
+	}
 	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
 	return func() error {
 		interfaceMonitor.UnregisterCallback(proxy.element)

common/sniff/dns.go

@@ -26,7 +26,9 @@ func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.
 	if length == 0 {
 		return nil, os.ErrInvalid
 	}
-	buffer := buf.NewSize(int(length))
+	_buffer := buf.StackNewSize(int(length))
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 
 	readCtx, cancel := context.WithTimeout(readCtx, time.Millisecond*100)

common/tls/acme.go

@@ -21,7 +21,6 @@ import (
 type acmeWrapper struct {
 	ctx    context.Context
 	cfg    *certmagic.Config
-	cache  *certmagic.Cache
 	domain []string
 }
 
@@ -30,7 +29,7 @@ func (w *acmeWrapper) Start() error {
 }
 
 func (w *acmeWrapper) Close() error {
-	w.cache.Stop()
+	w.cfg.Unmanage(w.domain)
 	return nil
 }
 
@@ -78,11 +77,10 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
 	}
 	config.Issuers = []certmagic.Issuer{certmagic.NewACMEIssuer(config, acmeConfig)}
-	cache := certmagic.NewCache(certmagic.CacheOptions{
+	config = certmagic.New(certmagic.NewCache(certmagic.CacheOptions{
 		GetConfigForCert: func(certificate certmagic.Certificate) (*certmagic.Config, error) {
 			return config, nil
 		},
-	})
-	config = certmagic.New(cache, *config)
-	return config.TLSConfig(), &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
+	}), *config)
+	return config.TLSConfig(), &acmeWrapper{ctx, config, options.Domain}, nil
 }

common/tls/reality_client.go

@@ -111,16 +111,6 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	if err != nil {
 		return nil, err
 	}
-
-	if len(uConfig.NextProtos) > 0 {
-		for _, extension := range uConn.Extensions {
-			if alpnExtension, isALPN := extension.(*utls.ALPNExtension); isALPN {
-				alpnExtension.AlpnProtocols = uConfig.NextProtos
-				break
-			}
-		}
-	}
-
 	hello := uConn.HandshakeState.Hello
 	hello.SessionId = make([]byte, 32)
 	copy(hello.Raw[39:], hello.SessionId)

common/tls/reality_server.go

@@ -101,10 +101,7 @@ func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Log
 		tlsConfig.ShortIds[shortID] = true
 	}
 
-	handshakeDialer, err := dialer.New(router, options.Reality.Handshake.DialerOptions)
-	if err != nil {
-		return nil, err
-	}
+	handshakeDialer := dialer.New(router, options.Reality.Handshake.DialerOptions)
 	tlsConfig.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
 		return handshakeDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 	}

common/tls/std_server.go

@@ -164,8 +164,8 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 	var acmeService adapter.Service
 	var err error
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
-		//nolint:staticcheck
 		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
+		//nolint:staticcheck
 		if err != nil {
 			return nil, err
 		}

common/tls/utls_client.go

@@ -3,7 +3,6 @@
 package tls
 
 import (
-	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"math/rand"
@@ -48,7 +47,7 @@ func (e *UTLSClientConfig) Config() (*STDConfig, error) {
 }
 
 func (e *UTLSClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &utlsALPNWrapper{utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}, e.config.NextProtos}, nil
+	return &utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}, nil
 }
 
 func (e *UTLSClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
@@ -88,31 +87,6 @@ func (c *utlsConnWrapper) Upstream() any {
 	return c.UConn
 }
 
-type utlsALPNWrapper struct {
-	utlsConnWrapper
-	nextProtocols []string
-}
-
-func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
-	if len(c.nextProtocols) > 0 {
-		err := c.BuildHandshakeState()
-		if err != nil {
-			return err
-		}
-		for _, extension := range c.Extensions {
-			if alpnExtension, isALPN := extension.(*utls.ALPNExtension); isALPN {
-				alpnExtension.AlpnProtocols = c.nextProtocols
-				err = c.BuildHandshakeState()
-				if err != nil {
-					return err
-				}
-				break
-			}
-		}
-	}
-	return c.UConn.HandshakeContext(ctx)
-}
-
 func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
 	var serverName string
 	if options.ServerName != "" {

common/urltest/urltest.go

@@ -10,7 +10,6 @@ import (
 
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/x/list"
 )
 
 type History struct {
@@ -21,7 +20,6 @@ type History struct {
 type HistoryStorage struct {
 	access       sync.RWMutex
 	delayHistory map[string]*History
-	callbacks    list.List[func()]
 }
 
 func NewHistoryStorage() *HistoryStorage {
@@ -30,18 +28,6 @@ func NewHistoryStorage() *HistoryStorage {
 	}
 }
 
-func (s *HistoryStorage) AddListener(listener func()) *list.Element[func()] {
-	s.access.Lock()
-	defer s.access.Unlock()
-	return s.callbacks.PushBack(listener)
-}
-
-func (s *HistoryStorage) RemoveListener(element *list.Element[func()]) {
-	s.access.Lock()
-	defer s.access.Unlock()
-	s.callbacks.Remove(element)
-}
-
 func (s *HistoryStorage) LoadURLTestHistory(tag string) *History {
 	if s == nil {
 		return nil
@@ -53,24 +39,14 @@ func (s *HistoryStorage) LoadURLTestHistory(tag string) *History {
 
 func (s *HistoryStorage) DeleteURLTestHistory(tag string) {
 	s.access.Lock()
+	defer s.access.Unlock()
 	delete(s.delayHistory, tag)
-	s.access.Unlock()
-	s.notifyUpdated()
 }
 
 func (s *HistoryStorage) StoreURLTestHistory(tag string, history *History) {
 	s.access.Lock()
+	defer s.access.Unlock()
 	s.delayHistory[tag] = history
-	s.access.Unlock()
-	s.notifyUpdated()
-}
-
-func (s *HistoryStorage) notifyUpdated() {
-	s.access.RLock()
-	defer s.access.RUnlock()
-	for element := s.callbacks.Front(); element != nil; element = element.Next() {
-		element.Value()
-	}
 }
 
 func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err error) {

constant/proxy.go

@@ -7,7 +7,7 @@ const (
 	TypeDirect       = "direct"
 	TypeBlock        = "block"
 	TypeDNS          = "dns"
-	TypeSOCKS        = "socks"
+	TypeSocks        = "socks"
 	TypeHTTP         = "http"
 	TypeMixed        = "mixed"
 	TypeShadowsocks  = "shadowsocks"
@@ -21,55 +21,9 @@ const (
 	TypeShadowTLS    = "shadowtls"
 	TypeShadowsocksR = "shadowsocksr"
 	TypeVLESS        = "vless"
-	TypeTUIC         = "tuic"
 )
 
 const (
 	TypeSelector = "selector"
 	TypeURLTest  = "urltest"
 )
-
-func ProxyDisplayName(proxyType string) string {
-	switch proxyType {
-	case TypeDirect:
-		return "Direct"
-	case TypeBlock:
-		return "Block"
-	case TypeDNS:
-		return "DNS"
-	case TypeSOCKS:
-		return "SOCKS"
-	case TypeHTTP:
-		return "HTTP"
-	case TypeShadowsocks:
-		return "Shadowsocks"
-	case TypeVMess:
-		return "VMess"
-	case TypeTrojan:
-		return "Trojan"
-	case TypeNaive:
-		return "Naive"
-	case TypeWireGuard:
-		return "WireGuard"
-	case TypeHysteria:
-		return "Hysteria"
-	case TypeTor:
-		return "Tor"
-	case TypeSSH:
-		return "SSH"
-	case TypeShadowTLS:
-		return "ShadowTLS"
-	case TypeShadowsocksR:
-		return "ShadowsocksR"
-	case TypeVLESS:
-		return "VLESS"
-	case TypeTUIC:
-		return "TUIC"
-	case TypeSelector:
-		return "Selector"
-	case TypeURLTest:
-		return "URLTest"
-	default:
-		return "Unknown"
-	}
-}

docs/changelog.md

@@ -1,122 +1,3 @@
-#### 1.3.6
-
-* Fixes and improvements
-
-#### 1.3.5
-
-* Fixes and improvements
-* Introducing our [Apple tvOS](/installation/clients/sft) client applications **1**
-* Add per app proxy and app installed/updated trigger support for Android client
-* Add profile sharing support for Android/iOS/macOS clients
-
-**1**:
-
-Due to the requirement of tvOS 17, the app cannot be submitted to the App Store for the time being, and can only be downloaded through TestFlight.
-
-#### 1.3.4
-
-* Fixes and improvements
-* We're now on the [App Store](https://apps.apple.com/us/app/sing-box/id6451272673), always free! It should be noted that due to stricter and slower review, the release of Store versions will be delayed.
-* We've made a standalone version of the macOS client (the original Application Extension relies on App Store distribution), which you can download as SFM-version-universal.zip in the release artifacts.
-
-#### 1.3.3
-
-* Fixes and improvements
-
-#### 1.3.1-rc.1
-
-* Fix bugs and update dependencies
-
-#### 1.3.1-beta.3
-
-* Introducing our [new iOS](/installation/clients/sfi) and [macOS](/installation/clients/sfm) client applications **1**
-* Fixes and improvements
-
-**1**:
-
-The old testflight link and app are no longer valid.
-
-#### 1.3.1-beta.2
-
-* Fix bugs and update dependencies
-
-#### 1.3.1-beta.1
-
-* Fixes and improvements
-
-#### 1.3.0
-
-* Fix bugs and update dependencies
-
-Important changes since 1.2:
-
-* Add [FakeIP](/configuration/dns/fakeip) support **1**
-* Improve multiplex **2**
-* Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
-* Add `rewrite_ttl` DNS rule action
-* Add `store_fakeip` Clash API option
-* Add multi-peer support for [WireGuard](/configuration/outbound/wireguard#peers) outbound
-* Add loopback detect
-* Add Clash.Meta API compatibility for Clash API
-* Download Yacd-meta by default if the specified Clash `external_ui` directory is empty
-* Add path and headers option for HTTP outbound
-* Perform URLTest recheck after network changes
-* Fix `system` tun stack for ios
-* Fix network monitor for android/ios
-* Update VLESS and XUDP protocol
-* Make splice work with traffic statistics systems like Clash API
-* Significantly reduces memory usage of idle connections
-* Improve DNS caching
-* Add `independent_cache` [option](/configuration/dns#independent_cache) for DNS
-* Reimplemented shadowsocks client
-* Add multiplex support for VLESS outbound
-* Automatically add Windows firewall rules in order for the system tun stack to work
-* Fix TLS 1.2 support for shadow-tls client
-* Add `cache_id` [option](/configuration/experimental#cache_id) for Clash cache file
-* Fix `local` DNS transport for Android
-
-*1*:
-
-See [FAQ](/faq/fakeip) for more information.
-
-*2*:
-
-Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex).
-
-#### 1.3-rc2
-
-* Fix `local` DNS transport for Android
-* Fix bugs and update dependencies
-
-#### 1.3-rc1
-
-* Fix bugs and update dependencies
-
-#### 1.3-beta14
-
-* Fixes and improvements
-
-#### 1.3-beta13
-
-* Fix resolving fakeip domains  **1**
-* Deprecate L3 routing
-* Fix bugs and update dependencies
-
-**1**:
-
-If the destination address of the connection is obtained from fakeip, dns rules with server type fakeip will be skipped.
-
-#### 1.3-beta12
-
-* Automatically add Windows firewall rules in order for the system tun stack to work
-* Fix TLS 1.2 support for shadow-tls client
-* Add `cache_id` [option](/configuration/experimental#cache_id) for Clash cache file
-* Fixes and improvements
-
-#### 1.3-beta11
-
-* Fix bugs and update dependencies
-
 #### 1.3-beta10
 
 * Improve direct copy **1**

docs/configuration/experimental/index.md

@@ -7,14 +7,13 @@
   "experimental": {
     "clash_api": {
       "external_controller": "127.0.0.1:9090",
-      "external_ui": "",
+      "external_ui": "folder",
       "external_ui_download_url": "",
       "external_ui_download_detour": "",
       "secret": "",
-      "default_mode": "",
+      "default_mode": "rule",
       "store_selected": false,
-      "cache_file": "",
-      "cache_id": ""
+      "cache_file": "cache.db"
     },
     "v2ray_api": {
       "listen": "127.0.0.1:8080",
@@ -92,12 +91,6 @@ Store selected outbound for the `Selector` outbound in cache file.
 
 Cache file path, `cache.db` will be used if empty.
 
-#### cache_id
-
-Cache ID.
-
-If not empty, `store_selected` will use a separate store keyed by it.
-
 ### V2Ray API Fields
 
 !!! error ""

docs/configuration/experimental/index.zh.md

@@ -7,14 +7,13 @@
   "experimental": {
     "clash_api": {
       "external_controller": "127.0.0.1:9090",
-      "external_ui": "",
+      "external_ui": "folder",
       "external_ui_download_url": "",
       "external_ui_download_detour": "",
       "secret": "",
-      "default_mode": "",
+      "default_mode": "rule",
       "store_selected": false,
-      "cache_file": "",
-      "cache_id": ""
+      "cache_file": "cache.db"
     },
     "v2ray_api": {
       "listen": "127.0.0.1:8080",
@@ -90,12 +89,6 @@ Clash 中的默认模式，默认使用 `rule`。
 
 缓存文件路径，默认使用`cache.db`。
 
-#### cache_id
-
-缓存 ID。
-
-如果不为空，`store_selected` 将会使用以此为键的独立存储。
-
 ### V2Ray API 字段
 
 !!! error ""

docs/configuration/inbound/tuic.md

@@ -1,82 +0,0 @@
-### Structure
-
-```json
-{
-  "type": "tuic",
-  "tag": "tuic-in",
-  
-  ... // Listen Fields
-
-  "users": [
-    {
-      "name": "sekai",
-      "uuid": "059032A9-7D40-4A96-9BB1-36823D848068",
-      "password": "hello"
-    }
-  ],
-  "congestion_control": "cubic",
-  "auth_timeout": "3s",
-  "zero_rtt_handshake": false,
-  "heartbeat": "10s",
-  "tls": {}
-}
-```
-
-!!! warning ""
-
-    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
-
-### Listen Fields
-
-See [Listen Fields](/configuration/shared/listen) for details.
-
-### Fields
-
-#### users
-
-TUIC users
-
-#### users.uuid
-
-==Required==
-
-TUIC user uuid
-
-#### users.password
-
-TUIC user password
-
-#### congestion_control
-
-QUIC congestion control algorithm
-
-One of: `cubic`, `new_reno`, `bbr`
-
-`cubic` is used by default.
-
-#### auth_timeout
-
-How long the server should wait for the client to send the authentication command
-
-`3s` is used by default.
-
-#### zero_rtt_handshake
-
-Enable 0-RTT QUIC connection handshake on the client side  
-This is not impacting much on the performance, as the protocol is fully multiplexed  
-
-!!! warning ""
-    Disabling this is highly recommended, as it is vulnerable to replay attacks.
-    See [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
-
-#### heartbeat
-
-Interval for sending heartbeat packets for keeping the connection alive
-
-`10s` is used by default.
-
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

docs/configuration/inbound/tuic.zh.md

@@ -1,82 +0,0 @@
-### 结构
-
-```json
-{
-  "type": "tuic",
-  "tag": "tuic-in",
-
-  ... // 监听字段
-
-  "users": [
-    {
-      "name": "sekai",
-      "uuid": "059032A9-7D40-4A96-9BB1-36823D848068",
-      "password": "hello"
-    }
-  ],
-  "congestion_control": "cubic",
-  "auth_timeout": "3s",
-  "zero_rtt_handshake": false,
-  "heartbeat": "10s",
-  "tls": {}
-}
-```
-
-!!! warning ""
-
-    默认安装不包含被 TUI 依赖的 QUIC，参阅 [安装](/zh/#_2)。
-
-### 监听字段
-
-参阅 [监听字段](/zh/configuration/shared/listen/)。
-
-### 字段
-
-#### users
-
-TUIC 用户
-
-#### users.uuid
-
-==必填==
-
-TUIC 用户 UUID
-
-#### users.password
-
-TUIC 用户密码
-
-#### congestion_control
-
-QUIC 流量控制算法
-
-可选值: `cubic`, `new_reno`, `bbr`
-
-默认使用 `cubic`。
-
-#### auth_timeout
-
-服务器等待客户端发送认证命令的时间
-
-默认使用 `3s`。
-
-#### zero_rtt_handshake
-
-在客户端启用 0-RTT QUIC 连接握手
-这对性能影响不大，因为协议是完全复用的
-
-!!! warning ""
-强烈建议禁用此功能，因为它容易受到重放攻击。
-请参阅 [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
-
-#### heartbeat
-
-发送心跳包以保持连接存活的时间间隔
-
-默认使用 `10s`。
-
-#### tls
-
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/tun.md

@@ -142,12 +142,11 @@ UDP NAT expiration time in seconds, default is 300 (5 minutes).
 
 TCP/IP stack.
 
-| Stack  | Description                                                                      | Status            |
-|--------|----------------------------------------------------------------------------------|-------------------|
-| system | Sometimes better performance                                                     | recommended       |
-| gVisor | Better compatibility, based on [google/gvisor](https://github.com/google/gvisor) | recommended       |
-| mixed  | Mixed `system` TCP stack and `gVisor` UDP stack                                  | recommended       |
-| LWIP   | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks)   | upstream archived |
+| Stack            | Description                                                                      | Status            |
+|------------------|----------------------------------------------------------------------------------|-------------------|
+| system (default) | Sometimes better performance                                                     | recommended       |
+| gVisor           | Better compatibility, based on [google/gvisor](https://github.com/google/gvisor) | recommended       |
+| LWIP             | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks)   | upstream archived |
 
 !!! warning ""
 

docs/configuration/outbound/hysteria.md

@@ -97,6 +97,12 @@ Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 (IPv4)
 
 Force enabled on for systems other than Linux and Windows (according to upstream).
 
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
+
 #### network
 
 Enabled network
@@ -105,12 +111,6 @@ One of `tcp` `udp`.
 
 Both is enabled by default.
 
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
-
 ### Dial Fields
 
 See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/hysteria.zh.md

@@ -97,6 +97,10 @@ base64 编码的认证密码。
 
 强制为 Linux 和 Windows 以外的系统启用（根据上游）。
 
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
 #### network
 
 启用的网络协议。
@@ -105,13 +109,6 @@ base64 编码的认证密码。
 
 默认所有。
 
-#### tls
-
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
-
-
 ### 拨号字段
 
 参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/configuration/outbound/tuic.md

@@ -1,86 +0,0 @@
-### Structure
-
-```json
-{
-  "type": "tuic",
-  "tag": "tuic-out",
-  
-  "server": "127.0.0.1",
-  "server_port": 1080,
-  "uuid": "2DD61D93-75D8-4DA4-AC0E-6AECE7EAC365",
-  "password": "hello",
-  "congestion_control": "cubic",
-  "udp_relay_mode": "native",
-  "zero_rtt_handshake": false,
-  "heartbeat": "10s",
-  "network": "tcp",
-  "tls": {},
-  
-  ... // Dial Fields
-}
-```
-
-!!! warning ""
-
-    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
-
-### Fields
-
-#### server
-
-==Required==
-
-The server address.
-
-#### server_port
-
-==Required==
-
-The server port.
-
-#### uuid
-
-==Required==
-
-TUIC user uuid
-
-#### password
-
-TUIC user password
-
-#### congestion_control
-
-QUIC congestion control algorithm
-
-One of: `cubic`, `new_reno`, `bbr`
-
-`cubic` is used by default.
-
-#### udp_relay_mode
-
-UDP packet relay mode
-
-| Mode   | Description                                                              |
-|:-------|:-------------------------------------------------------------------------|
-| native | native UDP characteristics                                               |
-| quic   | lossless UDP relay using QUIC streams, additional overhead is introduced |
-
-`native` is used by default.
-
-#### network
-
-Enabled network
-
-One of `tcp` `udp`.
-
-Both is enabled by default.
-
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
-
-### Dial Fields
-
-See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/tuic.zh.md

@@ -1,98 +0,0 @@
-### 结构
-
-```json
-{
-  "type": "tuic",
-  "tag": "tuic-out",
-  
-  "server": "127.0.0.1",
-  "server_port": 1080,
-  "uuid": "2DD61D93-75D8-4DA4-AC0E-6AECE7EAC365",
-  "password": "hello",
-  "congestion_control": "cubic",
-  "udp_relay_mode": "native",
-  "zero_rtt_handshake": false,
-  "heartbeat": "10s",
-  "network": "tcp",
-  "tls": {},
-  
-  ... // 拨号字段
-}
-```
-
-!!! warning ""
-
-    默认安装不包含被 TUI 依赖的 QUIC，参阅 [安装](/zh/#_2)。
-
-### 字段
-
-#### server
-
-==必填==
-
-服务器地址。
-
-#### server_port
-
-==必填==
-
-服务器端口。
-
-#### uuid
-
-==必填==
-
-TUIC 用户 UUID
-
-#### password
-
-TUIC 用户密码
-
-#### congestion_control
-
-QUIC 流量控制算法
-
-可选值: `cubic`, `new_reno`, `bbr`
-
-默认使用 `cubic`。
-
-#### udp_relay_mode
-
-UDP 包中继模式
-
-| 模式     | 描述                           |
-|--------|------------------------------|
-| native | 原生 UDP                       |
-| quic   | 使用 QUIC 流的无损 UDP 中继，引入了额外的开销 |
-
-
-#### zero_rtt_handshake
-
-在客户端启用 0-RTT QUIC 连接握手
-这对性能影响不大，因为协议是完全复用的
-
-!!! warning ""
-强烈建议禁用此功能，因为它容易受到重放攻击。
-请参阅 [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
-
-#### heartbeat
-
-发送心跳包以保持连接存活的时间间隔
-
-#### network
-
-启用的网络协议。
-
-`tcp` 或 `udp`。
-
-默认所有。
-
-#### tls
-
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
-
-### 拨号字段
-
-参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/configuration/route/index.md

@@ -7,6 +7,7 @@
   "route": {
     "geoip": {},
     "geosite": {},
+    "ip_rules": [],
     "rules": [],
     "final": "",
     "auto_detect_interface": false,
@@ -23,6 +24,7 @@
 |------------|------------------------------------|
 | `geoip`    | [GeoIP](./geoip)                   |
 | `geosite`  | [Geosite](./geosite)               |
+| `ip_rules` | List of [IP Route Rule](./ip-rule) |
 | `rules`    | List of [Route Rule](./rule)       |
 
 #### final

docs/configuration/route/index.zh.md

@@ -24,6 +24,7 @@
 |------------|-------------------------|
 | `geoip`    | [GeoIP](./geoip)        |
 | `geosite`  | [GeoSite](./geosite)    |
+| `ip_rules` | 一组 [IP 路由规则](./ip-rule) |
 | `rules`    | 一组 [路由规则](./rule)       |
 
 #### final

docs/configuration/route/ip-rule.md

@@ -0,0 +1,205 @@
+### Structure
+
+```json
+{
+  "route": {
+    "ip_rules": [
+      {
+        "inbound": [
+          "mixed-in"
+        ],
+        "ip_version": 6,
+        "network": [
+          "tcp"
+        ],
+        "domain": [
+          "test.com"
+        ],
+        "domain_suffix": [
+          ".cn"
+        ],
+        "domain_keyword": [
+          "test"
+        ],
+        "domain_regex": [
+          "^stun\\..+"
+        ],
+        "geosite": [
+          "cn"
+        ],
+        "source_geoip": [
+          "private"
+        ],
+        "geoip": [
+          "cn"
+        ],
+        "source_ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "source_port": [
+          12345
+        ],
+        "source_port_range": [
+          "1000:2000",
+          ":3000",
+          "4000:"
+        ],
+        "port": [
+          80,
+          443
+        ],
+        "port_range": [
+          "1000:2000",
+          ":3000",
+          "4000:"
+        ],
+        "invert": false,
+        "action": "direct",
+        "outbound": "wireguard"
+      },
+      {
+        "type": "logical",
+        "mode": "and",
+        "rules": [],
+        "invert": false,
+        "action": "direct",
+        "outbound": "wireguard"
+      }
+    ]
+  }
+}
+
+```
+
+!!! note ""
+
+    You can ignore the JSON Array [] tag when the content is only one item
+
+### Default Fields
+
+!!! note ""
+
+    The default rule uses the following matching logic:  
+    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
+    (`port` || `port_range`) &&  
+    (`source_geoip` || `source_ip_cidr`) &&  
+    (`source_port` || `source_port_range`) &&  
+    `other fields`
+
+#### inbound
+
+Tags of [Inbound](/configuration/inbound).
+
+#### ip_version
+
+4 or 6.
+
+Not limited if empty.
+
+#### network
+
+Match network protocol.
+
+Available values:
+
+* `tcp`
+* `udp`
+* `icmpv4`
+* `icmpv6`
+
+#### domain
+
+Match full domain.
+
+#### domain_suffix
+
+Match domain suffix.
+
+#### domain_keyword
+
+Match domain using keyword.
+
+#### domain_regex
+
+Match domain using regular expression.
+
+#### geosite
+
+Match geosite.
+
+#### source_geoip
+
+Match source geoip.
+
+#### geoip
+
+Match geoip.
+
+#### source_ip_cidr
+
+Match source ip cidr.
+
+#### ip_cidr
+
+Match ip cidr.
+
+#### source_port
+
+Match source port.
+
+#### source_port_range
+
+Match source port range.
+
+#### port
+
+Match port.
+
+#### port_range
+
+Match port range.
+
+#### invert
+
+Invert match result.
+
+#### action
+
+==Required==
+
+| Action | Description                                                        |
+|--------|--------------------------------------------------------------------|
+| return | Stop IP routing and assemble the connection to the transport layer |
+| block  | Block the connection                                               |
+| direct | Directly forward the connection                                    |
+
+#### outbound
+
+==Required if action is direct==
+
+Tag of the target outbound.
+
+Only outbound which supports IP connection can be used, see [Outbounds that support IP connection](/configuration/outbound/#outbounds-that-support-ip-connection).
+
+### Logical Fields
+
+#### type
+
+`logical`
+
+#### mode
+
+==Required==
+
+`and` or `or`
+
+#### rules
+
+==Required==
+
+Included default rules.

docs/configuration/route/ip-rule.zh.md

@@ -0,0 +1,204 @@
+### 结构
+
+```json
+{
+  "route": {
+    "ip_rules": [
+      {
+        "inbound": [
+          "mixed-in"
+        ],
+        "ip_version": 6,
+        "network": [
+          "tcp"
+        ],
+        "domain": [
+          "test.com"
+        ],
+        "domain_suffix": [
+          ".cn"
+        ],
+        "domain_keyword": [
+          "test"
+        ],
+        "domain_regex": [
+          "^stun\\..+"
+        ],
+        "geosite": [
+          "cn"
+        ],
+        "source_geoip": [
+          "private"
+        ],
+        "geoip": [
+          "cn"
+        ],
+        "source_ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "source_port": [
+          12345
+        ],
+        "source_port_range": [
+          "1000:2000",
+          ":3000",
+          "4000:"
+        ],
+        "port": [
+          80,
+          443
+        ],
+        "port_range": [
+          "1000:2000",
+          ":3000",
+          "4000:"
+        ],
+        "invert": false,
+        "action": "direct",
+        "outbound": "wireguard"
+      },
+      {
+        "type": "logical",
+        "mode": "and",
+        "rules": [],
+        "invert": false,
+        "action": "direct",
+        "outbound": "wireguard"
+      }
+    ]
+  }
+}
+
+```
+
+!!! note ""
+
+    当内容只有一项时，可以忽略 JSON 数组 [] 标签。
+
+### Default Fields
+
+!!! note ""
+
+    默认规则使用以下匹配逻辑:  
+    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
+    (`port` || `port_range`) &&  
+    (`source_geoip` || `source_ip_cidr`) &&  
+    (`source_port` || `source_port_range`) &&  
+    `other fields`
+
+#### inbound
+
+[入站](/zh/configuration/inbound) 标签。
+
+#### ip_version
+
+4 或 6。
+
+默认不限制。
+
+#### network
+
+匹配网络协议。
+
+可用值：
+
+* `tcp`
+* `udp`
+* `icmpv4`
+* `icmpv6`
+
+#### domain
+
+匹配完整域名。
+
+#### domain_suffix
+
+匹配域名后缀。
+
+#### domain_keyword
+
+匹配域名关键字。
+
+#### domain_regex
+
+匹配域名正则表达式。
+
+#### geosite
+
+匹配 GeoSite。
+
+#### source_geoip
+
+匹配源 GeoIP。
+
+#### geoip
+
+匹配 GeoIP。
+
+#### source_ip_cidr
+
+匹配源 IP CIDR。
+
+#### ip_cidr
+
+匹配 IP CIDR。
+
+#### source_port
+
+匹配源端口。
+
+#### source_port_range
+
+匹配源端口范围。
+
+#### port
+
+匹配端口。
+
+#### port_range
+
+匹配端口范围。
+
+#### invert
+
+反选匹配结果。
+
+#### action
+
+==必填==
+
+| Action | 描述                  |
+|--------|---------------------|
+| return | 停止 IP 路由并将该连接组装到传输层 |
+| block  | 屏蔽该连接               |
+| direct | 直接转发该连接             |
+
+
+#### outbound
+
+==action 为 direct 则必填==
+
+目标出站的标签。
+
+### 逻辑字段
+
+#### type
+
+`logical`
+
+#### mode
+
+==必填==
+
+`and` 或 `or`
+
+#### rules
+
+==必填==
+
+包括的默认规则。

docs/configuration/shared/dial.md

@@ -10,7 +10,6 @@
   "reuse_addr": false,
   "connect_timeout": "5s",
   "tcp_fast_open": false,
-  "tcp_multi_path": false,
   "udp_fragment": false,
   "domain_strategy": "prefer_ipv6",
   "fallback_delay": "300ms"
@@ -19,9 +18,9 @@
 
 ### Fields
 
-| Field                                                                                                                                    | Available Context |
-|------------------------------------------------------------------------------------------------------------------------------------------|-------------------|
-| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open` / `tcp_multi_path` / `udp_fragment` /`connect_timeout` | `detour` not set  |
+| Field                                                                                                                | Available Context |
+|----------------------------------------------------------------------------------------------------------------------|-------------------|
+| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open`/ `udp_fragment` /`connect_timeout` | `detour` not set  |
 
 #### detour
 
@@ -55,14 +54,6 @@ Reuse listener address.
 
 Enable TCP Fast Open.
 
-#### tcp_multi_path
-
-!!! warning ""
-
-    Go 1.21 required.
-
-Enable TCP Multi Path.
-
 #### udp_fragment
 
 Enable UDP fragmentation.

docs/configuration/shared/dial.zh.md

@@ -10,7 +10,6 @@
   "reuse_addr": false,
   "connect_timeout": "5s",
   "tcp_fast_open": false,
-  "tcp_multi_path": false,
   "udp_fragment": false,
   "domain_strategy": "prefer_ipv6",
   "fallback_delay": "300ms"
@@ -19,9 +18,9 @@
 
 ### 字段
 
-| 字段                                                                                                                                       | 可用上下文        |
-|------------------------------------------------------------------------------------------------------------------------------------------|--------------|
-| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open` / `tcp_mutli_path` / `udp_fragment` /`connect_timeout` | `detour` 未设置 |
+| 字段                                                                                                                   | 可用上下文        |
+|----------------------------------------------------------------------------------------------------------------------|--------------|
+| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open`/ `udp_fragment` /`connect_timeout` | `detour` 未设置 |
 
 
 #### detour
@@ -58,14 +57,6 @@
 
 启用 TCP Fast Open。
 
-#### tcp_multi_path
-
-!!! warning ""
-
-    需要 Go 1.21。
-
-启用 TCP Multi Path。
-
 #### udp_fragment
 
 启用 UDP 分段。

docs/configuration/shared/listen.md

@@ -5,7 +5,6 @@
   "listen": "::",
   "listen_port": 5353,
   "tcp_fast_open": false,
-  "tcp_multi_path": false,
   "udp_fragment": false,
   "sniff": false,
   "sniff_override_destination": false,
@@ -25,7 +24,6 @@
 | `listen`                          | Needs to listen on TCP or UDP.                                    |
 | `listen_port`                     | Needs to listen on TCP or UDP.                                    |
 | `tcp_fast_open`                   | Needs to listen on TCP.                                           |
-| `tcp_multi_path`                  | Needs to listen on TCP.                                           |
 | `udp_timeout`                     | Needs to assemble UDP connections, currently Tun and Shadowsocks. |
 | `proxy_protocol`                  | Needs to listen on TCP.                                           |
 | `proxy_protocol_accept_no_header` | When `proxy_protocol` enabled                                     |
@@ -44,14 +42,6 @@ Listen port.
 
 Enable TCP Fast Open.
 
-#### tcp_multi_path
-
-!!! warning ""
-
-    Go 1.21 required.
-
-Enable TCP Multi Path.
-
 #### udp_fragment
 
 Enable UDP fragmentation.

docs/configuration/shared/listen.zh.md

@@ -5,7 +5,6 @@
   "listen": "::",
   "listen_port": 5353,
   "tcp_fast_open": false,
-  "tcp_multi_path": false,
   "udp_fragment": false,
   "sniff": false,
   "sniff_override_destination": false,
@@ -24,7 +23,6 @@
 | `listen`                          | 需要监听 TCP 或 UDP。                     |
 | `listen_port`                     | 需要监听 TCP 或 UDP。                     |
 | `tcp_fast_open`                   | 需要监听 TCP。                           |
-| `tcp_multi_path`                  | 需要监听 TCP。                           |
 | `udp_timeout`                     | 需要组装 UDP 连接, 当前为 Tun 和 Shadowsocks。 |
 | `proxy_protocol`                  | 需要监听 TCP。                           |
 | `proxy_protocol_accept_no_header` | `proxy_protocol` 启用时                |
@@ -45,14 +43,6 @@
 
 启用 TCP Fast Open。
 
-#### tcp_multi_path
-
-!!! warning ""
-
-    需要 Go 1.21。
-
-启用 TCP Multi Path。
-
 #### udp_fragment
 
 启用 UDP 分段。

docs/examples/fakeip.md

@@ -1,106 +0,0 @@
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "tag": "google",
-        "address": "tls://8.8.8.8"
-      },
-      {
-        "tag": "local",
-        "address": "223.5.5.5",
-        "detour": "direct"
-      },
-      {
-        "tag": "remote",
-        "address": "fakeip"
-      },
-      {
-        "tag": "block",
-        "address": "rcode://success"
-      }
-    ],
-    "rules": [
-      {
-        "geosite": "category-ads-all",
-        "server": "block",
-        "disable_cache": true
-      },
-      {
-        "outbound": "any",
-        "server": "local"
-      },
-      {
-        "geosite": "cn",
-        "server": "local"
-      },
-      {
-        "query_type": [
-          "A",
-          "AAAA"
-        ],
-        "server": "remote"
-      }
-    ],
-    "fakeip": {
-      "enabled": true,
-      "inet4_range": "198.18.0.0/15",
-      "inet6_range": "fc00::/18"
-    },
-    "independent_cache": true,
-    "strategy": "ipv4_only"
-  },
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true,
-      "domain_strategy": "ipv4_only" // remove this line if you want to resolve the domain remotely (if the server is not sing-box, UDP may not work due to wrong behavior).
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "tag": "proxy",
-      "server": "mydomain.com",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    },
-    {
-      "type": "direct",
-      "tag": "direct"
-    },
-    {
-      "type": "block",
-      "tag": "block"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      },
-      {
-        "geosite": "cn",
-        "geoip": [
-          "private",
-          "cn"
-        ],
-        "outbound": "direct"
-      },
-      {
-        "geosite": "category-ads-all",
-        "outbound": "block"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```

docs/examples/fakeip.zh.md

@@ -1,106 +0,0 @@
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "tag": "google",
-        "address": "tls://8.8.8.8"
-      },
-      {
-        "tag": "local",
-        "address": "223.5.5.5",
-        "detour": "direct"
-      },
-      {
-        "tag": "remote",
-        "address": "fakeip"
-      },
-      {
-        "tag": "block",
-        "address": "rcode://success"
-      }
-    ],
-    "rules": [
-      {
-        "geosite": "category-ads-all",
-        "server": "block",
-        "disable_cache": true
-      },
-      {
-        "outbound": "any",
-        "server": "local"
-      },
-      {
-        "geosite": "cn",
-        "server": "local"
-      },
-      {
-        "query_type": [
-          "A",
-          "AAAA"
-        ],
-        "server": "remote"
-      }
-    ],
-    "fakeip": {
-      "enabled": true,
-      "inet4_range": "198.18.0.0/15",
-      "inet6_range": "fc00::/18"
-    },
-    "independent_cache": true,
-    "strategy": "ipv4_only"
-  },
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true,
-      "domain_strategy": "ipv4_only" // 如果您想在远程解析域，删除此行 (如果服务器程序不为 sing-box，可能由于错误的行为导致 UDP 无法使用)。
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "tag": "proxy",
-      "server": "mydomain.com",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    },
-    {
-      "type": "direct",
-      "tag": "direct"
-    },
-    {
-      "type": "block",
-      "tag": "block"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      },
-      {
-        "geosite": "cn",
-        "geoip": [
-          "private",
-          "cn"
-        ],
-        "outbound": "direct"
-      },
-      {
-        "geosite": "category-ads-all",
-        "outbound": "block"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```

docs/examples/index.md

@@ -8,4 +8,4 @@ Configuration examples for sing-box.
 * [Shadowsocks](./shadowsocks)
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
-* [FakeIP](./fakeip)
+* [WireGuard Direct](./wireguard-direct)

docs/examples/index.zh.md

@@ -8,4 +8,4 @@ sing-box 的配置示例。
 * [Shadowsocks](./shadowsocks)
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
-* [FakeIP](./fakeip)
+* [WireGuard Direct](./wireguard-direct)

docs/examples/wireguard-direct.md

@@ -0,0 +1,90 @@
+# WireGuard Direct
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "tag": "google",
+        "address": "tls://8.8.8.8"
+      },
+      {
+        "tag": "local",
+        "address": "223.5.5.5",
+        "detour": "direct"
+      }
+    ],
+    "rules": [
+      {
+        "geoip": "cn",
+        "server": "direct"
+      }
+    ],
+    "reverse_mapping": true
+  },
+  "inbounds": [
+    {
+      "type": "tun",
+      "tag": "tun",
+      "inet4_address": "172.19.0.1/30",
+      "auto_route": true,
+      "sniff": true,
+      "stack": "system"
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "wireguard",
+      "tag": "wg",
+      "server": "127.0.0.1",
+      "server_port": 2345,
+      "local_address": [
+        "172.19.0.1/128"
+      ],
+      "private_key": "KLTnpPY03pig/WC3zR8U7VWmpANHPFh2/4pwICGJ5Fk=",
+      "peer_public_key": "uvNabcamf6Rs0vzmcw99jsjTJbxo6eWGOykSY66zsUk="
+    },
+    {
+      "type": "dns",
+      "tag": "dns"
+    },
+    {
+      "type": "direct",
+      "tag": "direct"
+    },
+    {
+      "type": "block",
+      "tag": "block"
+    }
+  ],
+  "route": {
+    "ip_rules": [
+      {
+        "port": 53,
+        "action": "return"
+      },
+      {
+        "geoip": "cn",
+        "geosite": "cn",
+        "action": "return"
+      },
+      {
+        "action": "direct",
+        "outbound": "wg"
+      }
+    ],
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns"
+      },
+      {
+        "geoip": "cn",
+        "geosite": "cn",
+        "outbound": "direct"
+      }
+    ],
+    "auto_detect_interface": true
+  }
+}
+```

docs/faq/fakeip.md

@@ -5,7 +5,8 @@ responds to DNS requests with virtual results and restores mapping when acceptin
 
 #### Advantage
 
-*
+* Retrieve the requested domain in places like IP routing (L3) where traffic detection is not possible to assist with routing.
+* Decrease an RTT on the first TCP request to a domain (the most common reason).
 
 #### Limitation
 
@@ -14,6 +15,6 @@ responds to DNS requests with virtual results and restores mapping when acceptin
 
 #### Recommendation
 
-* Enable `dns.independent_cache` unless you always resolve FakeIP domains remotely.
+* Do not use if you do not need L3 routing.
 * If using tun, make sure FakeIP ranges is included in the tun's routes.
 * Enable `experimental.clash_api.store_fakeip` to persist FakeIP records, or use `dns.rules.rewrite_ttl` to avoid losing records after program restart in DNS cached environments.

docs/faq/fakeip.zh.md

@@ -4,7 +4,8 @@ FakeIP 是指同时劫持 DNS 和连接请求的程序中的一种行为。它
 
 #### 优点
 
-*
+* 在像 L3 路由这样无法进行流量探测的地方检索所请求的域名，以协助路由。
+* 减少对一个域的第一个 TCP 请求的 RTT（这是最常见的原因）。
 
 #### 限制
 
@@ -13,6 +14,6 @@ FakeIP 是指同时劫持 DNS 和连接请求的程序中的一种行为。它
 
 #### 建议
 
-* 启用 `dns.independent_cache` 除非您始终远程解析 FakeIP 域。
+* 如果不需要 L3 路由，请勿使用。
 * 如果使用 tun，请确保 tun 路由中包含 FakeIP 地址范围。
 * 启用 `experimental.clash_api.store_fakeip` 以持久化 FakeIP 记录，或者使用 `dns.rules.rewrite_ttl` 避免程序重启后在 DNS 被缓存的环境中丢失记录。

docs/installation/clients/sfa.md

@@ -9,7 +9,6 @@ Experimental Android client for sing-box.
 #### Download
 
 * [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
-* [Github Releases](https://github.com/SagerNet/sing-box/releases)
 
 #### Note
 

docs/installation/clients/sfa.zh.md

@@ -9,7 +9,6 @@
 #### 下载
 
 * [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
-* [Github Releases](https://github.com/SagerNet/sing-box/releases)
 
 #### 注意事项
 

docs/installation/clients/sfi.md

@@ -5,12 +5,11 @@ Experimental iOS client for sing-box.
 #### Requirements
 
 * iOS 15.0+
-* An Apple account outside of mainland China
+* macOS 12.0+ with Apple Silicon
 
 #### Download
 
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
+* [TestFlight](https://testflight.apple.com/join/c6ylui2j)
 
 #### Note
 

docs/installation/clients/sfi.zh.md

@@ -5,12 +5,11 @@
 #### 要求
 
 * iOS 15.0+
-* 一个非中国大陆地区的 Apple 账号
+* macOS 12.0+ with Apple Silicon
 
 #### 下载
 
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
+* [TestFlight](https://testflight.apple.com/join/c6ylui2j)
 
 #### 注意事项
 

docs/installation/clients/sfm.md

@@ -1,29 +0,0 @@
-# SFM
-
-Experimental macOS client for sing-box.
-
-#### Requirements
-
-* macOS 13.0+
-* An Apple account outside of mainland China (App Store Version)
-
-#### Download (App Store Version)
-
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
-
-#### Download (Independent Version)
-
-* [GitHub Release](https://github.com/SagerNet/sing-box/releases/latest)
-* Homebrew (Cask): `brew install sfm`
-* Homebrew (Tap): `brew tap sagernet/sing-box && brew install sagernet/sing-box/sfm`
-
-#### Note
-
-* User Agent in remote profile request is `SFM/$version ($version_code; sing-box $sing_box_version)`
-* Crash logs is located in `Settings` -> `View Service Log`
-
-#### Privacy policy
-
-* SFM did not collect or share personal data.
-* The data generated by the software is always on your device.

docs/installation/clients/sfm.zh.md

@@ -1,29 +0,0 @@
-# SFM
-
-实验性的 macOS sing-box 客户端。
-
-#### 要求
-
-* macOS 13.0+
-* 一个非中国大陆地区的 Apple 账号 (商店版本)
-
-#### 下载 (商店版本)
-
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
-
-#### 下载 (独立版本)
-
-* [GitHub Release](https://github.com/SagerNet/sing-box/releases/latest)
-* Homebrew (Cask): `brew install sfm`
-* Homebrew (Tap): `brew tap sagernet/sing-box && brew install sagernet/sing-box/sfm`
-
-#### 注意事项
-
-* 远程配置文件请求中的 User Agent 为 `SFM/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `设置` -> `查看服务日志`
-
-#### 隐私政策
-
-* SFM 不收集或共享个人数据。
-* 软件生成的数据始终在您的设备上。

docs/installation/clients/sft.md

@@ -1,29 +0,0 @@
-# SFT
-
-Experimental Apple tvOS client for sing-box.
-
-#### Requirements
-
-* tvOS 17.0+
-
-#### Download
-
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
-
-#### Features
-
-Full functionality, except for:
-
-* Only remote configuration files can be created manually
-* You need to update SFI to the latest beta version to import profiles from iPhone/iPad
-* No iCloud profile support
-
-#### Note
-
-* User Agent in remote profile request is `SFT/$version ($version_code; sing-box $sing_box_version)`
-* Crash logs is located in `Settings` -> `View Service Log`
-
-#### Privacy policy
-
-* SFT did not collect or share personal data.
-* The data generated by the software is always on your device.

docs/installation/clients/specification.md

@@ -1,25 +0,0 @@
-# Specification
-
-## Profile
-
-Profile defines a sing-box configuration with metadata in a GUI client.
-
-## Profile Types
-
-### Local
-
-Create a empty configuration or import from a local file.
-
-### iCloud (on Apple platforms)
-
-Create a new configuration or use an existing configuration on iCloud. 
-
-### Remote
-
-Use a remote URL as the configuration source, with HTTP basic authentication and automatic update support.
-
-#### URL specification
-
-```
-sing-box://import-remote-profile?url=urlEncodedURL#urlEncodedName
-```

docs/installation/from-source.md

@@ -1,17 +1,6 @@
 # Install from source
 
-## Requirements
-
-Before sing-box 1.4.0:
-
-* Go 1.18.5 - 1.20.x
-
-Since sing-box 1.4.0:
-
-* Go 1.18.5 - ~
-* Go 1.20.0 - ~ if `with_quic` tag enabled
-
-## Installation
+sing-box requires Golang **1.18.5** or a higher version.
 
 ```bash
 go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
@@ -20,7 +9,7 @@ go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
 Install with options:
 
 ```bash
-go install -v -tags with_quic,with_wireguard github.com/sagernet/sing-box/cmd/sing-box@latest
+go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
 ```
 
 | Build Tag                          | Description                                                                                                                                                                                                                                                                                                                |

docs/installation/package-manager/android.md

@@ -1,7 +0,0 @@
-# Android
-
-## Termux
-
-```shell
-pkg add sing-box
-```

docs/installation/package-manager/macOS.md

@@ -1,14 +0,0 @@
-# macOS
-
-## Homebrew (core)
-
-```shell
-brew install sing-box
-```
-
-## Homebrew (Tap)
-
-```shell
-brew tap sagernet/sing-box
-brew install sagernet/sing-box/sing-box
-```

docs/installation/package-manager/windows.md

@@ -1,13 +0,0 @@
-# Windows
-
-## Chocolatey
-
-```shell
-choco install sing-box
-```
-
-## winget
-
-```shell
-winget install sing-box
-```

docs/support.md

@@ -1,4 +1,8 @@
-Github Issue: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)  
-Telegram Notification channel: [@yapnc](https://t.me/yapnc)  
-Telegram User group: [@yapug](https://t.me/yapug)  
-Email: [contact@sagernet.org](mailto:contact@sagernet.org)
+#### Github
+
+Issue: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)
+
+#### Telegram
+
+Notification channel: [@yapnc](https://t.me/yapnc)  
+User group: [@yapug](https://t.me/yapug)

docs/support.zh.md

@@ -1,4 +1,8 @@
-Github 工单: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)  
-Telegram 通知频道: [@yapnc](https://t.me/yapnc)  
-Telegram 用户组: [@yapug](https://t.me/yapug)  
-Email: [contact@sagernet.org](mailto:contact@sagernet.org)
+#### Github
+
+工单: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)
+
+#### Telegram
+
+通知频道: [@yapnc](https://t.me/yapnc)  
+用户组: [@yapug](https://t.me/yapug)

experimental/clashapi/cachefile/cache.go

@@ -1,10 +1,7 @@
 package cachefile
 
 import (
-	"net/netip"
 	"os"
-	"strings"
-	"sync"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -12,24 +9,15 @@ import (
 	"go.etcd.io/bbolt"
 )
 
-var (
-	bucketSelected = []byte("selected")
-	bucketExpand   = []byte("group_expand")
-)
+var bucketSelected = []byte("selected")
 
 var _ adapter.ClashCacheFile = (*CacheFile)(nil)
 
 type CacheFile struct {
-	DB                *bbolt.DB
-	cacheID           []byte
-	saveAccess        sync.RWMutex
-	saveDomain        map[netip.Addr]string
-	saveAddress4      map[string]netip.Addr
-	saveAddress6      map[string]netip.Addr
-	saveMetadataTimer *time.Timer
+	DB *bbolt.DB
 }
 
-func Open(path string, cacheID string) (*CacheFile, error) {
+func Open(path string) (*CacheFile, error) {
 	const fileMode = 0o666
 	options := bbolt.Options{Timeout: time.Second}
 	db, err := bbolt.Open(path, fileMode, &options)
@@ -43,67 +31,13 @@ func Open(path string, cacheID string) (*CacheFile, error) {
 	if err != nil {
 		return nil, err
 	}
-	var cacheIDBytes []byte
-	if cacheID != "" {
-		cacheIDBytes = append([]byte{0}, []byte(cacheID)...)
-	}
-	err = db.Batch(func(tx *bbolt.Tx) error {
-		return tx.ForEach(func(name []byte, b *bbolt.Bucket) error {
-			if name[0] == 0 {
-				return b.ForEachBucket(func(k []byte) error {
-					bucketName := string(k)
-					if !(bucketName == string(bucketSelected) || bucketName == string(bucketExpand)) {
-						_ = b.DeleteBucket(name)
-					}
-					return nil
-				})
-			} else {
-				bucketName := string(name)
-				if !(bucketName == string(bucketSelected) || bucketName == string(bucketExpand) || strings.HasPrefix(bucketName, fakeipBucketPrefix)) {
-					_ = tx.DeleteBucket(name)
-				}
-			}
-			return nil
-		})
-	})
-	if err != nil {
-		return nil, err
-	}
-	return &CacheFile{
-		DB:           db,
-		cacheID:      cacheIDBytes,
-		saveDomain:   make(map[netip.Addr]string),
-		saveAddress4: make(map[string]netip.Addr),
-		saveAddress6: make(map[string]netip.Addr),
-	}, nil
-}
-
-func (c *CacheFile) bucket(t *bbolt.Tx, key []byte) *bbolt.Bucket {
-	if c.cacheID == nil {
-		return t.Bucket(key)
-	}
-	bucket := t.Bucket(c.cacheID)
-	if bucket == nil {
-		return nil
-	}
-	return bucket.Bucket(key)
-}
-
-func (c *CacheFile) createBucket(t *bbolt.Tx, key []byte) (*bbolt.Bucket, error) {
-	if c.cacheID == nil {
-		return t.CreateBucketIfNotExists(key)
-	}
-	bucket, err := t.CreateBucketIfNotExists(c.cacheID)
-	if bucket == nil {
-		return nil, err
-	}
-	return bucket.CreateBucketIfNotExists(key)
+	return &CacheFile{db}, nil
 }
 
 func (c *CacheFile) LoadSelected(group string) string {
 	var selected string
 	c.DB.View(func(t *bbolt.Tx) error {
-		bucket := c.bucket(t, bucketSelected)
+		bucket := t.Bucket(bucketSelected)
 		if bucket == nil {
 			return nil
 		}
@@ -118,7 +52,7 @@ func (c *CacheFile) LoadSelected(group string) string {
 
 func (c *CacheFile) StoreSelected(group, selected string) error {
 	return c.DB.Batch(func(t *bbolt.Tx) error {
-		bucket, err := c.createBucket(t, bucketSelected)
+		bucket, err := t.CreateBucketIfNotExists(bucketSelected)
 		if err != nil {
 			return err
 		}
@@ -126,36 +60,6 @@ func (c *CacheFile) StoreSelected(group, selected string) error {
 	})
 }
 
-func (c *CacheFile) LoadGroupExpand(group string) (isExpand bool, loaded bool) {
-	c.DB.View(func(t *bbolt.Tx) error {
-		bucket := c.bucket(t, bucketExpand)
-		if bucket == nil {
-			return nil
-		}
-		expandBytes := bucket.Get([]byte(group))
-		if len(expandBytes) == 1 {
-			isExpand = expandBytes[0] == 1
-			loaded = true
-		}
-		return nil
-	})
-	return
-}
-
-func (c *CacheFile) StoreGroupExpand(group string, isExpand bool) error {
-	return c.DB.Batch(func(t *bbolt.Tx) error {
-		bucket, err := c.createBucket(t, bucketExpand)
-		if err != nil {
-			return err
-		}
-		if isExpand {
-			return bucket.Put([]byte(group), []byte{1})
-		} else {
-			return bucket.Put([]byte(group), []byte{0})
-		}
-	})
-}
-
 func (c *CacheFile) Close() error {
 	return c.DB.Close()
 }

experimental/clashapi/cachefile/fakeip.go

@@ -3,27 +3,20 @@ package cachefile
 import (
 	"net/netip"
 	"os"
-	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
 
 	"go.etcd.io/bbolt"
 )
 
-const fakeipBucketPrefix = "fakeip_"
-
 var (
-	bucketFakeIP        = []byte(fakeipBucketPrefix + "address")
-	bucketFakeIPDomain4 = []byte(fakeipBucketPrefix + "domain4")
-	bucketFakeIPDomain6 = []byte(fakeipBucketPrefix + "domain6")
-	keyMetadata         = []byte(fakeipBucketPrefix + "metadata")
+	bucketFakeIP = []byte("fakeip")
+	keyMetadata  = []byte("metadata")
 )
 
 func (c *CacheFile) FakeIPMetadata() *adapter.FakeIPMetadata {
 	var metadata adapter.FakeIPMetadata
-	err := c.DB.Batch(func(tx *bbolt.Tx) error {
+	err := c.DB.View(func(tx *bbolt.Tx) error {
 		bucket := tx.Bucket(bucketFakeIP)
 		if bucket == nil {
 			return nil
@@ -32,10 +25,6 @@ func (c *CacheFile) FakeIPMetadata() *adapter.FakeIPMetadata {
 		if len(metadataBinary) == 0 {
 			return os.ErrInvalid
 		}
-		err := bucket.Delete(keyMetadata)
-		if err != nil {
-			return err
-		}
 		return metadata.UnmarshalBinary(metadataBinary)
 	})
 	if err != nil {
@@ -58,69 +47,17 @@ func (c *CacheFile) FakeIPSaveMetadata(metadata *adapter.FakeIPMetadata) error {
 	})
 }
 
-func (c *CacheFile) FakeIPSaveMetadataAsync(metadata *adapter.FakeIPMetadata) {
-	if timer := c.saveMetadataTimer; timer != nil {
-		timer.Stop()
-	}
-	c.saveMetadataTimer = time.AfterFunc(10*time.Second, func() {
-		_ = c.FakeIPSaveMetadata(metadata)
-	})
-}
-
 func (c *CacheFile) FakeIPStore(address netip.Addr, domain string) error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket, err := tx.CreateBucketIfNotExists(bucketFakeIP)
 		if err != nil {
 			return err
 		}
-		err = bucket.Put(address.AsSlice(), []byte(domain))
-		if err != nil {
-			return err
-		}
-		if address.Is4() {
-			bucket, err = tx.CreateBucketIfNotExists(bucketFakeIPDomain4)
-		} else {
-			bucket, err = tx.CreateBucketIfNotExists(bucketFakeIPDomain6)
-		}
-		if err != nil {
-			return err
-		}
-		return bucket.Put([]byte(domain), address.AsSlice())
+		return bucket.Put(address.AsSlice(), []byte(domain))
 	})
 }
 
-func (c *CacheFile) FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger) {
-	c.saveAccess.Lock()
-	c.saveDomain[address] = domain
-	if address.Is4() {
-		c.saveAddress4[domain] = address
-	} else {
-		c.saveAddress6[domain] = address
-	}
-	c.saveAccess.Unlock()
-	go func() {
-		err := c.FakeIPStore(address, domain)
-		if err != nil {
-			logger.Warn("save FakeIP address pair: ", err)
-		}
-		c.saveAccess.Lock()
-		delete(c.saveDomain, address)
-		if address.Is4() {
-			delete(c.saveAddress4, domain)
-		} else {
-			delete(c.saveAddress6, domain)
-		}
-		c.saveAccess.Unlock()
-	}()
-}
-
 func (c *CacheFile) FakeIPLoad(address netip.Addr) (string, bool) {
-	c.saveAccess.RLock()
-	cachedDomain, cached := c.saveDomain[address]
-	c.saveAccess.RUnlock()
-	if cached {
-		return cachedDomain, true
-	}
 	var domain string
 	_ = c.DB.View(func(tx *bbolt.Tx) error {
 		bucket := tx.Bucket(bucketFakeIP)
@@ -133,48 +70,8 @@ func (c *CacheFile) FakeIPLoad(address netip.Addr) (string, bool) {
 	return domain, domain != ""
 }
 
-func (c *CacheFile) FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bool) {
-	var (
-		cachedAddress netip.Addr
-		cached        bool
-	)
-	c.saveAccess.RLock()
-	if !isIPv6 {
-		cachedAddress, cached = c.saveAddress4[domain]
-	} else {
-		cachedAddress, cached = c.saveAddress6[domain]
-	}
-	c.saveAccess.RUnlock()
-	if cached {
-		return cachedAddress, true
-	}
-	var address netip.Addr
-	_ = c.DB.View(func(tx *bbolt.Tx) error {
-		var bucket *bbolt.Bucket
-		if isIPv6 {
-			bucket = tx.Bucket(bucketFakeIPDomain6)
-		} else {
-			bucket = tx.Bucket(bucketFakeIPDomain4)
-		}
-		if bucket == nil {
-			return nil
-		}
-		address = M.AddrFromIP(bucket.Get([]byte(domain)))
-		return nil
-	})
-	return address, address.IsValid()
-}
-
 func (c *CacheFile) FakeIPReset() error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
-		err := tx.DeleteBucket(bucketFakeIP)
-		if err != nil {
-			return err
-		}
-		err = tx.DeleteBucket(bucketFakeIPDomain4)
-		if err != nil {
-			return err
-		}
-		return tx.DeleteBucket(bucketFakeIPDomain6)
+		return tx.DeleteBucket(bucketFakeIP)
 	})
 }

experimental/clashapi/compatible/map.go

@@ -7,15 +7,6 @@ type Map[K comparable, V any] struct {
 	m sync.Map
 }
 
-func (m *Map[K, V]) Len() int {
-	var count int
-	m.m.Range(func(key, value any) bool {
-		count++
-		return true
-	})
-	return count
-}
-
 func (m *Map[K, V]) Load(key K) (V, bool) {
 	v, ok := m.m.Load(key)
 	if !ok {

experimental/clashapi/proxies.go

@@ -63,10 +63,38 @@ func proxyInfo(server *Server, detour adapter.Outbound) *badjson.JSONObject {
 	var info badjson.JSONObject
 	var clashType string
 	switch detour.Type() {
+	case C.TypeDirect:
+		clashType = "Direct"
 	case C.TypeBlock:
 		clashType = "Reject"
+	case C.TypeSocks:
+		clashType = "Socks"
+	case C.TypeHTTP:
+		clashType = "HTTP"
+	case C.TypeShadowsocks:
+		clashType = "Shadowsocks"
+	case C.TypeVMess:
+		clashType = "VMess"
+	case C.TypeTrojan:
+		clashType = "Trojan"
+	case C.TypeHysteria:
+		clashType = "Hysteria"
+	case C.TypeWireGuard:
+		clashType = "WireGuard"
+	case C.TypeShadowsocksR:
+		clashType = "ShadowsocksR"
+	case C.TypeVLESS:
+		clashType = "VLESS"
+	case C.TypeTor:
+		clashType = "Tor"
+	case C.TypeSSH:
+		clashType = "SSH"
+	case C.TypeSelector:
+		clashType = "Selector"
+	case C.TypeURLTest:
+		clashType = "URLTest"
 	default:
-		clashType = C.ProxyDisplayName(detour.Type())
+		clashType = "Direct"
 	}
 	info.Put("type", clashType)
 	info.Put("name", detour.Tag())

experimental/clashapi/server.go

@@ -23,7 +23,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"
 	"github.com/sagernet/websocket"
 
@@ -49,10 +48,8 @@ type Server struct {
 	storeSelected  bool
 	storeFakeIP    bool
 	cacheFilePath  string
-	cacheID        string
 	cacheFile      adapter.ClashCacheFile
 
-	externalController       bool
 	externalUI               string
 	externalUIDownloadURL    string
 	externalUIDownloadDetour string
@@ -70,21 +67,17 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 			Handler: chiRouter,
 		},
 		trafficManager:           trafficManager,
+		urlTestHistory:           urltest.NewHistoryStorage(),
 		mode:                     strings.ToLower(options.DefaultMode),
 		storeSelected:            options.StoreSelected,
-		externalController:       options.ExternalController != "",
 		storeFakeIP:              options.StoreFakeIP,
 		externalUIDownloadURL:    options.ExternalUIDownloadURL,
 		externalUIDownloadDetour: options.ExternalUIDownloadDetour,
 	}
-	server.urlTestHistory = service.PtrFromContext[urltest.HistoryStorage](ctx)
-	if server.urlTestHistory == nil {
-		server.urlTestHistory = urltest.NewHistoryStorage()
-	}
 	if server.mode == "" {
 		server.mode = "rule"
 	}
-	if options.StoreSelected || options.StoreFakeIP || options.ExternalController == "" {
+	if options.StoreSelected || options.StoreFakeIP {
 		cachePath := os.ExpandEnv(options.CacheFile)
 		if cachePath == "" {
 			cachePath = "cache.db"
@@ -95,7 +88,6 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 			cachePath = filemanager.BasePath(ctx, cachePath)
 		}
 		server.cacheFilePath = cachePath
-		server.cacheID = options.CacheID
 	}
 	cors := cors.New(cors.Options{
 		AllowedOrigins: []string{"*"},
@@ -138,7 +130,7 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 
 func (s *Server) PreStart() error {
 	if s.cacheFilePath != "" {
-		cacheFile, err := cachefile.Open(s.cacheFilePath, s.cacheID)
+		cacheFile, err := cachefile.Open(s.cacheFilePath)
 		if err != nil {
 			return E.Cause(err, "open cache file")
 		}
@@ -148,20 +140,18 @@ func (s *Server) PreStart() error {
 }
 
 func (s *Server) Start() error {
-	if s.externalController {
-		s.checkAndDownloadExternalUI()
-		listener, err := net.Listen("tcp", s.httpServer.Addr)
-		if err != nil {
-			return E.Cause(err, "external controller listen error")
-		}
-		s.logger.Info("restful api listening at ", listener.Addr())
-		go func() {
-			err = s.httpServer.Serve(listener)
-			if err != nil && !errors.Is(err, http.ErrServerClosed) {
-				s.logger.Error("external controller serve error: ", err)
-			}
-		}()
+	s.checkAndDownloadExternalUI()
+	listener, err := net.Listen("tcp", s.httpServer.Addr)
+	if err != nil {
+		return E.Cause(err, "external controller listen error")
 	}
+	s.logger.Info("restful api listening at ", listener.Addr())
+	go func() {
+		err = s.httpServer.Serve(listener)
+		if err != nil && !errors.Is(err, http.ErrServerClosed) {
+			s.logger.Error("external controller serve error: ", err)
+		}
+	}()
 	return nil
 }
 
@@ -193,10 +183,6 @@ func (s *Server) HistoryStorage() *urltest.HistoryStorage {
 	return s.urlTestHistory
 }
 
-func (s *Server) TrafficManager() *trafficontrol.Manager {
-	return s.trafficManager
-}
-
 func (s *Server) RoutedConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, matchedRule adapter.Rule) (net.Conn, adapter.Tracker) {
 	tracker := trafficontrol.NewTCPTracker(conn, s.trafficManager, castMetadata(metadata), s.router, matchedRule)
 	return tracker, tracker

experimental/clashapi/trafficontrol/manager.go

@@ -55,14 +55,6 @@ func (m *Manager) Now() (up int64, down int64) {
 	return m.uploadBlip.Load(), m.downloadBlip.Load()
 }
 
-func (m *Manager) Total() (up int64, down int64) {
-	return m.uploadTotal.Load(), m.downloadTotal.Load()
-}
-
-func (m *Manager) Connections() int {
-	return m.connections.Len()
-}
-
 func (m *Manager) Snapshot() *Snapshot {
 	var connections []tracker
 	m.connections.Range(func(_ string, value tracker) bool {

experimental/libbox/command.go

@@ -3,10 +3,7 @@ package libbox
 const (
 	CommandLog int32 = iota
 	CommandStatus
+	CommandServiceStop
 	CommandServiceReload
 	CommandCloseConnections
-	CommandGroup
-	CommandSelectOutbound
-	CommandURLTest
-	CommandGroupExpand
 )

experimental/libbox/command_client.go

@@ -10,9 +10,10 @@ import (
 )
 
 type CommandClient struct {
-	handler CommandClientHandler
-	conn    net.Conn
-	options CommandClientOptions
+	sharedDirectory string
+	handler         CommandClientHandler
+	conn            net.Conn
+	options         CommandClientOptions
 }
 
 type CommandClientOptions struct {
@@ -25,34 +26,26 @@ type CommandClientHandler interface {
 	Disconnected(message string)
 	WriteLog(message string)
 	WriteStatus(message *StatusMessage)
-	WriteGroups(message OutboundGroupIterator)
-}
-
-func NewStandaloneCommandClient() *CommandClient {
-	return new(CommandClient)
 }
 
 func NewCommandClient(sharedDirectory string, handler CommandClientHandler, options *CommandClientOptions) *CommandClient {
 	return &CommandClient{
-		handler: handler,
-		options: common.PtrValueOrDefault(options),
+		sharedDirectory: sharedDirectory,
+		handler:         handler,
+		options:         common.PtrValueOrDefault(options),
 	}
 }
 
-func (c *CommandClient) directConnect() (net.Conn, error) {
-	if !sTVOS {
-		return net.DialUnix("unix", nil, &net.UnixAddr{
-			Name: filepath.Join(sBasePath, "command.sock"),
-			Net:  "unix",
-		})
-	} else {
-		return net.Dial("tcp", "127.0.0.1:8964")
-	}
+func clientConnect(sharedDirectory string) (net.Conn, error) {
+	return net.DialUnix("unix", nil, &net.UnixAddr{
+		Name: filepath.Join(sharedDirectory, "command.sock"),
+		Net:  "unix",
+	})
 }
 
 func (c *CommandClient) Connect() error {
 	common.Close(c.conn)
-	conn, err := c.directConnect()
+	conn, err := clientConnect(c.sharedDirectory)
 	if err != nil {
 		return err
 	}
@@ -72,13 +65,6 @@ func (c *CommandClient) Connect() error {
 		}
 		c.handler.Connected()
 		go c.handleStatusConn(conn)
-	case CommandGroup:
-		err = binary.Write(conn, binary.BigEndian, c.options.StatusInterval)
-		if err != nil {
-			return E.Cause(err, "write interval")
-		}
-		c.handler.Connected()
-		go c.handleGroupConn(conn)
 	}
 	return nil
 }

experimental/libbox/command_conntrack.go

@@ -9,8 +9,8 @@ import (
 	"github.com/sagernet/sing-box/common/dialer/conntrack"
 )
 
-func (c *CommandClient) CloseConnections() error {
-	conn, err := c.directConnect()
+func ClientCloseConnections(sharedDirectory string) error {
+	conn, err := clientConnect(sharedDirectory)
 	if err != nil {
 		return err
 	}

experimental/libbox/command_group.go

@@ -1,318 +0,0 @@
-package libbox
-
-import (
-	"encoding/binary"
-	"io"
-	"net"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/urltest"
-	"github.com/sagernet/sing-box/outbound"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/rw"
-	"github.com/sagernet/sing/service"
-)
-
-type OutboundGroup struct {
-	Tag        string
-	Type       string
-	Selectable bool
-	Selected   string
-	isExpand   int8
-	items      []*OutboundGroupItem
-}
-
-func (g *OutboundGroup) GetItems() OutboundGroupItemIterator {
-	return newIterator(g.items)
-}
-
-func (g *OutboundGroup) IsExpand() bool {
-	switch g.isExpand {
-	case -1:
-		return g.Selectable
-	case 0:
-		return false
-	case 1:
-		return true
-	default:
-		panic("unexpected expand value")
-	}
-}
-
-type OutboundGroupIterator interface {
-	Next() *OutboundGroup
-	HasNext() bool
-}
-
-type OutboundGroupItem struct {
-	Tag          string
-	Type         string
-	URLTestTime  int64
-	URLTestDelay int32
-}
-
-type OutboundGroupItemIterator interface {
-	Next() *OutboundGroupItem
-	HasNext() bool
-}
-
-func (c *CommandClient) handleGroupConn(conn net.Conn) {
-	defer conn.Close()
-
-	for {
-		groups, err := readGroups(conn)
-		if err != nil {
-			c.handler.Disconnected(err.Error())
-			return
-		}
-		c.handler.WriteGroups(groups)
-	}
-}
-
-func (s *CommandServer) handleGroupConn(conn net.Conn) error {
-	defer conn.Close()
-	ctx := connKeepAlive(conn)
-	for {
-		service := s.service
-		if service != nil {
-			err := writeGroups(conn, service)
-			if err != nil {
-				return err
-			}
-		} else {
-			err := binary.Write(conn, binary.BigEndian, uint16(0))
-			if err != nil {
-				return err
-			}
-		}
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		case <-time.After(2 * time.Second):
-		}
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		case <-s.urlTestUpdate:
-		}
-	}
-}
-
-func readGroups(reader io.Reader) (OutboundGroupIterator, error) {
-	var groupLength uint16
-	err := binary.Read(reader, binary.BigEndian, &groupLength)
-	if err != nil {
-		return nil, err
-	}
-
-	groups := make([]*OutboundGroup, 0, groupLength)
-	for i := 0; i < int(groupLength); i++ {
-		var group OutboundGroup
-		group.Tag, err = rw.ReadVString(reader)
-		if err != nil {
-			return nil, err
-		}
-
-		group.Type, err = rw.ReadVString(reader)
-		if err != nil {
-			return nil, err
-		}
-
-		err = binary.Read(reader, binary.BigEndian, &group.Selectable)
-		if err != nil {
-			return nil, err
-		}
-
-		group.Selected, err = rw.ReadVString(reader)
-		if err != nil {
-			return nil, err
-		}
-
-		err = binary.Read(reader, binary.BigEndian, &group.isExpand)
-		if err != nil {
-			return nil, err
-		}
-
-		var itemLength uint16
-		err = binary.Read(reader, binary.BigEndian, &itemLength)
-		if err != nil {
-			return nil, err
-		}
-
-		group.items = make([]*OutboundGroupItem, itemLength)
-		for j := 0; j < int(itemLength); j++ {
-			var item OutboundGroupItem
-			item.Tag, err = rw.ReadVString(reader)
-			if err != nil {
-				return nil, err
-			}
-
-			item.Type, err = rw.ReadVString(reader)
-			if err != nil {
-				return nil, err
-			}
-
-			err = binary.Read(reader, binary.BigEndian, &item.URLTestTime)
-			if err != nil {
-				return nil, err
-			}
-
-			err = binary.Read(reader, binary.BigEndian, &item.URLTestDelay)
-			if err != nil {
-				return nil, err
-			}
-
-			group.items[j] = &item
-		}
-		groups = append(groups, &group)
-	}
-	return newIterator(groups), nil
-}
-
-func writeGroups(writer io.Writer, boxService *BoxService) error {
-	historyStorage := service.PtrFromContext[urltest.HistoryStorage](boxService.ctx)
-	var cacheFile adapter.ClashCacheFile
-	if clashServer := boxService.instance.Router().ClashServer(); clashServer != nil {
-		cacheFile = clashServer.CacheFile()
-	}
-
-	outbounds := boxService.instance.Router().Outbounds()
-	var iGroups []adapter.OutboundGroup
-	for _, it := range outbounds {
-		if group, isGroup := it.(adapter.OutboundGroup); isGroup {
-			iGroups = append(iGroups, group)
-		}
-	}
-	var groups []OutboundGroup
-	for _, iGroup := range iGroups {
-		var group OutboundGroup
-		group.Tag = iGroup.Tag()
-		group.Type = iGroup.Type()
-		_, group.Selectable = iGroup.(*outbound.Selector)
-		group.Selected = iGroup.Now()
-		if cacheFile != nil {
-			if isExpand, loaded := cacheFile.LoadGroupExpand(group.Tag); !loaded {
-				group.isExpand = -1
-			} else if isExpand {
-				group.isExpand = 1
-			} else {
-				group.isExpand = 0
-			}
-		}
-
-		for _, itemTag := range iGroup.All() {
-			itemOutbound, isLoaded := boxService.instance.Router().Outbound(itemTag)
-			if !isLoaded {
-				continue
-			}
-
-			var item OutboundGroupItem
-			item.Tag = itemTag
-			item.Type = itemOutbound.Type()
-			if history := historyStorage.LoadURLTestHistory(adapter.OutboundTag(itemOutbound)); history != nil {
-				item.URLTestTime = history.Time.Unix()
-				item.URLTestDelay = int32(history.Delay)
-			}
-			group.items = append(group.items, &item)
-		}
-		groups = append(groups, group)
-	}
-
-	err := binary.Write(writer, binary.BigEndian, uint16(len(groups)))
-	if err != nil {
-		return err
-	}
-	for _, group := range groups {
-		err = rw.WriteVString(writer, group.Tag)
-		if err != nil {
-			return err
-		}
-		err = rw.WriteVString(writer, group.Type)
-		if err != nil {
-			return err
-		}
-		err = binary.Write(writer, binary.BigEndian, group.Selectable)
-		if err != nil {
-			return err
-		}
-		err = rw.WriteVString(writer, group.Selected)
-		if err != nil {
-			return err
-		}
-		err = binary.Write(writer, binary.BigEndian, group.isExpand)
-		if err != nil {
-			return err
-		}
-		err = binary.Write(writer, binary.BigEndian, uint16(len(group.items)))
-		if err != nil {
-			return err
-		}
-		for _, item := range group.items {
-			err = rw.WriteVString(writer, item.Tag)
-			if err != nil {
-				return err
-			}
-			err = rw.WriteVString(writer, item.Type)
-			if err != nil {
-				return err
-			}
-			err = binary.Write(writer, binary.BigEndian, item.URLTestTime)
-			if err != nil {
-				return err
-			}
-			err = binary.Write(writer, binary.BigEndian, item.URLTestDelay)
-			if err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func (c *CommandClient) SetGroupExpand(groupTag string, isExpand bool) error {
-	conn, err := c.directConnect()
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-	err = binary.Write(conn, binary.BigEndian, uint8(CommandGroupExpand))
-	if err != nil {
-		return err
-	}
-	err = rw.WriteVString(conn, groupTag)
-	if err != nil {
-		return err
-	}
-	err = binary.Write(conn, binary.BigEndian, isExpand)
-	if err != nil {
-		return err
-	}
-	return readError(conn)
-}
-
-func (s *CommandServer) handleSetGroupExpand(conn net.Conn) error {
-	defer conn.Close()
-	groupTag, err := rw.ReadVString(conn)
-	if err != nil {
-		return err
-	}
-	var isExpand bool
-	err = binary.Read(conn, binary.BigEndian, &isExpand)
-	if err != nil {
-		return err
-	}
-	service := s.service
-	if service == nil {
-		return writeError(conn, E.New("service not ready"))
-	}
-	if clashServer := service.instance.Router().ClashServer(); clashServer != nil {
-		if cacheFile := clashServer.CacheFile(); cacheFile != nil {
-			err = cacheFile.StoreGroupExpand(groupTag, isExpand)
-			if err != nil {
-				return writeError(conn, err)
-			}
-		}
-	}
-	return writeError(conn, nil)
-}

experimental/libbox/command_log.go

@@ -11,7 +11,7 @@ func (s *CommandServer) WriteMessage(message string) {
 	s.subscriber.Emit(message)
 	s.access.Lock()
 	s.savedLines.PushBack(message)
-	if s.savedLines.Len() > s.maxLines {
+	if s.savedLines.Len() > 100 {
 		s.savedLines.Remove(s.savedLines.Front())
 	}
 	s.access.Unlock()

experimental/libbox/command_reload.go

@@ -8,8 +8,8 @@ import (
 	"github.com/sagernet/sing/common/rw"
 )
 
-func (c *CommandClient) ServiceReload() error {
-	conn, err := c.directConnect()
+func ClientServiceReload(sharedDirectory string) error {
+	conn, err := clientConnect(sharedDirectory)
 	if err != nil {
 		return err
 	}

experimental/libbox/command_select.go

@@ -1,59 +0,0 @@
-package libbox
-
-import (
-	"encoding/binary"
-	"net"
-
-	"github.com/sagernet/sing-box/outbound"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/rw"
-)
-
-func (c *CommandClient) SelectOutbound(groupTag string, outboundTag string) error {
-	conn, err := c.directConnect()
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-	err = binary.Write(conn, binary.BigEndian, uint8(CommandSelectOutbound))
-	if err != nil {
-		return err
-	}
-	err = rw.WriteVString(conn, groupTag)
-	if err != nil {
-		return err
-	}
-	err = rw.WriteVString(conn, outboundTag)
-	if err != nil {
-		return err
-	}
-	return readError(conn)
-}
-
-func (s *CommandServer) handleSelectOutbound(conn net.Conn) error {
-	defer conn.Close()
-	groupTag, err := rw.ReadVString(conn)
-	if err != nil {
-		return err
-	}
-	outboundTag, err := rw.ReadVString(conn)
-	if err != nil {
-		return err
-	}
-	service := s.service
-	if service == nil {
-		return writeError(conn, E.New("service not ready"))
-	}
-	outboundGroup, isLoaded := service.instance.Router().Outbound(groupTag)
-	if !isLoaded {
-		return writeError(conn, E.New("selector not found: ", groupTag))
-	}
-	selector, isSelector := outboundGroup.(*outbound.Selector)
-	if !isSelector {
-		return writeError(conn, E.New("outbound is not a selector: ", groupTag))
-	}
-	if !selector.SelectOutbound(outboundTag) {
-		return writeError(conn, E.New("outbound not found in selector: ", outboundTag))
-	}
-	return writeError(conn, nil)
-}

experimental/libbox/command_server.go

@@ -7,101 +7,49 @@ import (
 	"path/filepath"
 	"sync"
 
-	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/observable"
 	"github.com/sagernet/sing/common/x/list"
-	"github.com/sagernet/sing/service"
 )
 
 type CommandServer struct {
+	sockPath string
 	listener net.Listener
 	handler  CommandServerHandler
 
 	access     sync.Mutex
 	savedLines *list.List[string]
-	maxLines   int
 	subscriber *observable.Subscriber[string]
 	observer   *observable.Observer[string]
-	service    *BoxService
-
-	urlTestListener *list.Element[func()]
-	urlTestUpdate   chan struct{}
 }
 
 type CommandServerHandler interface {
+	ServiceStop() error
 	ServiceReload() error
 }
 
-func NewCommandServer(handler CommandServerHandler, maxLines int32) *CommandServer {
+func NewCommandServer(sharedDirectory string, handler CommandServerHandler) *CommandServer {
 	server := &CommandServer{
-		handler:       handler,
-		savedLines:    new(list.List[string]),
-		maxLines:      int(maxLines),
-		subscriber:    observable.NewSubscriber[string](128),
-		urlTestUpdate: make(chan struct{}, 1),
+		sockPath:   filepath.Join(sharedDirectory, "command.sock"),
+		handler:    handler,
+		savedLines: new(list.List[string]),
+		subscriber: observable.NewSubscriber[string](128),
 	}
 	server.observer = observable.NewObserver[string](server.subscriber, 64)
 	return server
 }
 
-func (s *CommandServer) SetService(newService *BoxService) {
-	if s.service != nil && s.listener != nil {
-		service.PtrFromContext[urltest.HistoryStorage](s.service.ctx).RemoveListener(s.urlTestListener)
-		s.urlTestListener = nil
-	}
-	s.service = newService
-	if newService != nil {
-		s.urlTestListener = service.PtrFromContext[urltest.HistoryStorage](newService.ctx).AddListener(s.notifyURLTestUpdate)
-	}
-	s.notifyURLTestUpdate()
-}
-
-func (s *CommandServer) notifyURLTestUpdate() {
-	select {
-	case s.urlTestUpdate <- struct{}{}:
-	default:
-	}
-}
-
 func (s *CommandServer) Start() error {
-	if !sTVOS {
-		return s.listenUNIX()
-	} else {
-		return s.listenTCP()
-	}
-}
-
-func (s *CommandServer) listenUNIX() error {
-	sockPath := filepath.Join(sBasePath, "command.sock")
-	os.Remove(sockPath)
+	os.Remove(s.sockPath)
 	listener, err := net.ListenUnix("unix", &net.UnixAddr{
-		Name: sockPath,
+		Name: s.sockPath,
 		Net:  "unix",
 	})
 	if err != nil {
-		return E.Cause(err, "listen ", sockPath)
-	}
-	if sUserID > 0 {
-		err = os.Chown(sockPath, sUserID, sGroupID)
-		if err != nil {
-			listener.Close()
-			os.Remove(sockPath)
-			return E.Cause(err, "chown")
-		}
-	}
-	s.listener = listener
-	go s.loopConnection(listener)
-	return nil
-}
-
-func (s *CommandServer) listenTCP() error {
-	listener, err := net.Listen("tcp", "127.0.0.1:8964")
-	if err != nil {
-		return E.Cause(err, "listen")
+		return err
 	}
 	s.listener = listener
 	go s.loopConnection(listener)
@@ -144,18 +92,12 @@ func (s *CommandServer) handleConnection(conn net.Conn) error {
 		return s.handleLogConn(conn)
 	case CommandStatus:
 		return s.handleStatusConn(conn)
+	case CommandServiceStop:
+		return s.handleServiceStop(conn)
 	case CommandServiceReload:
 		return s.handleServiceReload(conn)
 	case CommandCloseConnections:
 		return s.handleCloseConnections(conn)
-	case CommandGroup:
-		return s.handleGroupConn(conn)
-	case CommandSelectOutbound:
-		return s.handleSelectOutbound(conn)
-	case CommandURLTest:
-		return s.handleURLTest(conn)
-	case CommandGroupExpand:
-		return s.handleSetGroupExpand(conn)
 	default:
 		return E.New("unknown command: ", command)
 	}

experimental/libbox/command_shared.go

@@ -1,39 +0,0 @@
-package libbox
-
-import (
-	"encoding/binary"
-	"io"
-
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/rw"
-)
-
-func readError(reader io.Reader) error {
-	var hasError bool
-	err := binary.Read(reader, binary.BigEndian, &hasError)
-	if err != nil {
-		return err
-	}
-	if hasError {
-		errorMessage, err := rw.ReadVString(reader)
-		if err != nil {
-			return err
-		}
-		return E.New(errorMessage)
-	}
-	return nil
-}
-
-func writeError(writer io.Writer, wErr error) error {
-	err := binary.Write(writer, binary.BigEndian, wErr != nil)
-	if err != nil {
-		return err
-	}
-	if wErr != nil {
-		err = rw.WriteVString(writer, wErr.Error())
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}

experimental/libbox/command_status.go

@@ -7,40 +7,22 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/common/dialer/conntrack"
-	"github.com/sagernet/sing-box/experimental/clashapi"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
 type StatusMessage struct {
-	Memory           int64
-	Goroutines       int32
-	ConnectionsIn    int32
-	ConnectionsOut   int32
-	TrafficAvailable bool
-	Uplink           int64
-	Downlink         int64
-	UplinkTotal      int64
-	DownlinkTotal    int64
+	Memory      int64
+	Goroutines  int32
+	Connections int32
 }
 
-func (s *CommandServer) readStatus() StatusMessage {
+func readStatus() StatusMessage {
 	var memStats runtime.MemStats
 	runtime.ReadMemStats(&memStats)
 	var message StatusMessage
 	message.Memory = int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
 	message.Goroutines = int32(runtime.NumGoroutine())
-	message.ConnectionsOut = int32(conntrack.Count())
-
-	if s.service != nil {
-		if clashServer := s.service.instance.Router().ClashServer(); clashServer != nil {
-			message.TrafficAvailable = true
-			trafficManager := clashServer.(*clashapi.Server).TrafficManager()
-			message.Uplink, message.Downlink = trafficManager.Now()
-			message.UplinkTotal, message.DownlinkTotal = trafficManager.Total()
-			message.ConnectionsIn = int32(trafficManager.Connections())
-		}
-	}
-
+	message.Connections = int32(conntrack.Count())
 	return message
 }
 
@@ -54,7 +36,7 @@ func (s *CommandServer) handleStatusConn(conn net.Conn) error {
 	defer ticker.Stop()
 	ctx := connKeepAlive(conn)
 	for {
-		err = binary.Write(conn, binary.BigEndian, s.readStatus())
+		err = binary.Write(conn, binary.BigEndian, readStatus())
 		if err != nil {
 			return err
 		}

experimental/libbox/command_stop.go

@@ -0,0 +1,48 @@
+package libbox
+
+import (
+	"encoding/binary"
+	"net"
+	"runtime/debug"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/rw"
+)
+
+func ClientServiceStop(sharedDirectory string) error {
+	conn, err := clientConnect(sharedDirectory)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandServiceStop))
+	if err != nil {
+		return err
+	}
+	var hasError bool
+	err = binary.Read(conn, binary.BigEndian, &hasError)
+	if err != nil {
+		return err
+	}
+	if hasError {
+		errorMessage, err := rw.ReadVString(conn)
+		if err != nil {
+			return err
+		}
+		return E.New(errorMessage)
+	}
+	return nil
+}
+
+func (s *CommandServer) handleServiceStop(conn net.Conn) error {
+	rErr := s.handler.ServiceStop()
+	err := binary.Write(conn, binary.BigEndian, rErr != nil)
+	if err != nil {
+		return err
+	}
+	if rErr != nil {
+		return rw.WriteVString(conn, rErr.Error())
+	}
+	debug.FreeOSMemory()
+	return nil
+}

experimental/libbox/command_urltest.go

@@ -1,95 +0,0 @@
-package libbox
-
-import (
-	"encoding/binary"
-	"net"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/urltest"
-	"github.com/sagernet/sing-box/outbound"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/batch"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/rw"
-)
-
-func (c *CommandClient) URLTest(groupTag string) error {
-	conn, err := c.directConnect()
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-	err = binary.Write(conn, binary.BigEndian, uint8(CommandURLTest))
-	if err != nil {
-		return err
-	}
-	err = rw.WriteVString(conn, groupTag)
-	if err != nil {
-		return err
-	}
-	return readError(conn)
-}
-
-func (s *CommandServer) handleURLTest(conn net.Conn) error {
-	defer conn.Close()
-	groupTag, err := rw.ReadVString(conn)
-	if err != nil {
-		return err
-	}
-	service := s.service
-	if service == nil {
-		return nil
-	}
-	abstractOutboundGroup, isLoaded := service.instance.Router().Outbound(groupTag)
-	if !isLoaded {
-		return writeError(conn, E.New("outbound group not found: ", groupTag))
-	}
-	outboundGroup, isOutboundGroup := abstractOutboundGroup.(adapter.OutboundGroup)
-	if !isOutboundGroup {
-		return writeError(conn, E.New("outbound is not a group: ", groupTag))
-	}
-	urlTest, isURLTest := abstractOutboundGroup.(*outbound.URLTest)
-	if isURLTest {
-		go urlTest.CheckOutbounds()
-	} else {
-		var historyStorage *urltest.HistoryStorage
-		if clashServer := service.instance.Router().ClashServer(); clashServer != nil {
-			historyStorage = clashServer.HistoryStorage()
-		} else {
-			return writeError(conn, E.New("Clash API is required for URLTest on non-URLTest group"))
-		}
-
-		outbounds := common.Filter(common.Map(outboundGroup.All(), func(it string) adapter.Outbound {
-			itOutbound, _ := service.instance.Router().Outbound(it)
-			return itOutbound
-		}), func(it adapter.Outbound) bool {
-			if it == nil {
-				return false
-			}
-			_, isGroup := it.(adapter.OutboundGroup)
-			if isGroup {
-				return false
-			}
-			return true
-		})
-		b, _ := batch.New(service.ctx, batch.WithConcurrencyNum[any](10))
-		for _, detour := range outbounds {
-			outboundToTest := detour
-			outboundTag := outboundToTest.Tag()
-			b.Go(outboundTag, func() (any, error) {
-				t, err := urltest.URLTest(service.ctx, "", outboundToTest)
-				if err != nil {
-					historyStorage.DeleteURLTestHistory(outboundTag)
-				} else {
-					historyStorage.StoreURLTestHistory(outboundTag, &urltest.History{
-						Time:  time.Now(),
-						Delay: t,
-					})
-				}
-				return nil, nil
-			})
-		}
-	}
-	return writeError(conn, nil)
-}

experimental/libbox/dns.go

@@ -1,162 +0,0 @@
-package libbox
-
-import (
-	"context"
-	"net/netip"
-	"strings"
-	"syscall"
-
-	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/task"
-
-	mDNS "github.com/miekg/dns"
-)
-
-type LocalDNSTransport interface {
-	Raw() bool
-	Lookup(ctx *ExchangeContext, network string, domain string) error
-	Exchange(ctx *ExchangeContext, message []byte) error
-}
-
-func RegisterLocalDNSTransport(transport LocalDNSTransport) {
-	if transport == nil {
-		dns.RegisterTransport([]string{"local"}, dns.CreateLocalTransport)
-	} else {
-		dns.RegisterTransport([]string{"local"}, func(name string, ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, link string) (dns.Transport, error) {
-			return &platformLocalDNSTransport{
-				iif: transport,
-			}, nil
-		})
-	}
-}
-
-var _ dns.Transport = (*platformLocalDNSTransport)(nil)
-
-type platformLocalDNSTransport struct {
-	iif LocalDNSTransport
-}
-
-func (p *platformLocalDNSTransport) Name() string {
-	return "local"
-}
-
-func (p *platformLocalDNSTransport) Start() error {
-	return nil
-}
-
-func (p *platformLocalDNSTransport) Close() error {
-	return nil
-}
-
-func (p *platformLocalDNSTransport) Raw() bool {
-	return p.iif.Raw()
-}
-
-func (p *platformLocalDNSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	messageBytes, err := message.Pack()
-	if err != nil {
-		return nil, err
-	}
-	response := &ExchangeContext{
-		context: ctx,
-	}
-	var responseMessage *mDNS.Msg
-	return responseMessage, task.Run(ctx, func() error {
-		err = p.iif.Exchange(response, messageBytes)
-		if err != nil {
-			return err
-		}
-		if response.error != nil {
-			return response.error
-		}
-		responseMessage = &response.message
-		return nil
-	})
-}
-
-func (p *platformLocalDNSTransport) Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error) {
-	var network string
-	switch strategy {
-	case dns.DomainStrategyUseIPv4:
-		network = "ip4"
-	case dns.DomainStrategyPreferIPv6:
-		network = "ip6"
-	default:
-		network = "ip"
-	}
-	response := &ExchangeContext{
-		context: ctx,
-	}
-	var responseAddr []netip.Addr
-	return responseAddr, task.Run(ctx, func() error {
-		err := p.iif.Lookup(response, network, domain)
-		if err != nil {
-			return err
-		}
-		if response.error != nil {
-			return response.error
-		}
-		switch strategy {
-		case dns.DomainStrategyUseIPv4:
-			responseAddr = common.Filter(response.addresses, func(it netip.Addr) bool {
-				return it.Is4()
-			})
-		case dns.DomainStrategyPreferIPv6:
-			responseAddr = common.Filter(response.addresses, func(it netip.Addr) bool {
-				return it.Is6()
-			})
-		default:
-			responseAddr = response.addresses
-		}
-		/*if len(responseAddr) == 0 {
-			response.error = dns.RCodeSuccess
-		}*/
-		return nil
-	})
-}
-
-type Func interface {
-	Invoke() error
-}
-
-type ExchangeContext struct {
-	context   context.Context
-	message   mDNS.Msg
-	addresses []netip.Addr
-	error     error
-}
-
-func (c *ExchangeContext) OnCancel(callback Func) {
-	go func() {
-		<-c.context.Done()
-		callback.Invoke()
-	}()
-}
-
-func (c *ExchangeContext) Success(result string) {
-	c.addresses = common.Map(common.Filter(strings.Split(result, "\n"), func(it string) bool {
-		return !common.IsEmpty(it)
-	}), func(it string) netip.Addr {
-		return M.ParseSocksaddrHostPort(it, 0).Unwrap().Addr
-	})
-}
-
-func (c *ExchangeContext) RawSuccess(result []byte) {
-	err := c.message.Unpack(result)
-	if err != nil {
-		c.error = E.Cause(err, "parse response")
-	}
-}
-
-func (c *ExchangeContext) ErrorCode(code int32) {
-	c.error = dns.RCodeError(code)
-}
-
-func (c *ExchangeContext) ErrnoCode(code int32) {
-	c.error = syscall.Errno(code)
-}

experimental/libbox/log.go

@@ -18,13 +18,29 @@ func RedirectStderr(path string) error {
 	if err != nil {
 		return err
 	}
-	if sUserID > 0 {
-		err = outputFile.Chown(sUserID, sGroupID)
-		if err != nil {
-			outputFile.Close()
-			os.Remove(outputFile.Name())
-			return err
-		}
+	err = unix.Dup2(int(outputFile.Fd()), int(os.Stderr.Fd()))
+	if err != nil {
+		outputFile.Close()
+		os.Remove(outputFile.Name())
+		return err
+	}
+	stderrFile = outputFile
+	return nil
+}
+
+func RedirectStderrAsUser(path string, uid, gid int) error {
+	if stats, err := os.Stat(path); err == nil && stats.Size() > 0 {
+		_ = os.Rename(path, path+".old")
+	}
+	outputFile, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	err = outputFile.Chown(uid, gid)
+	if err != nil {
+		outputFile.Close()
+		os.Remove(outputFile.Name())
+		return err
 	}
 	err = unix.Dup2(int(outputFile.Fd()), int(os.Stderr.Fd()))
 	if err != nil {

experimental/libbox/memory.go

@@ -1,22 +1,18 @@
+//go:build darwin
+
 package libbox
 
 import (
-	"math"
 	runtimeDebug "runtime/debug"
 
 	"github.com/sagernet/sing-box/common/dialer/conntrack"
 )
 
-func SetMemoryLimit(enabled bool) {
-	const memoryLimit = 30 * 1024 * 1024
-	if enabled {
-		runtimeDebug.SetGCPercent(10)
-		runtimeDebug.SetMemoryLimit(memoryLimit)
-		conntrack.KillerEnabled = true
-		conntrack.MemoryLimit = memoryLimit
-	} else {
-		runtimeDebug.SetGCPercent(100)
-		runtimeDebug.SetMemoryLimit(math.MaxInt64)
-		conntrack.KillerEnabled = false
-	}
+const memoryLimit = 30 * 1024 * 1024
+
+func SetMemoryLimit() {
+	runtimeDebug.SetGCPercent(10)
+	runtimeDebug.SetMemoryLimit(memoryLimit)
+	conntrack.KillerEnabled = true
+	conntrack.MemoryLimit = memoryLimit
 }

experimental/libbox/monitor.go

@@ -1,6 +1,7 @@
 package libbox
 
 import (
+	"context"
 	"net"
 	"net/netip"
 	"sync"
@@ -8,7 +9,6 @@ import (
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/x/list"
 )
@@ -20,13 +20,13 @@ var (
 
 type platformDefaultInterfaceMonitor struct {
 	*platformInterfaceWrapper
+	errorHandler          E.Handler
 	networkAddresses      []networkAddress
 	defaultInterfaceName  string
 	defaultInterfaceIndex int
 	element               *list.Element[tun.NetworkUpdateCallback]
 	access                sync.Mutex
 	callbacks             list.List[tun.DefaultInterfaceUpdateCallback]
-	logger                logger.Logger
 }
 
 type networkAddress struct {
@@ -96,7 +96,7 @@ func (m *platformDefaultInterfaceMonitor) UpdateDefaultInterface(interfaceName s
 		err = m.router.UpdateInterfaces()
 	}
 	if err != nil {
-		m.logger.Error(E.Cause(err, "update interfaces"))
+		m.errorHandler.NewError(context.Background(), E.Cause(err, "update interfaces"))
 	}
 	interfaceIndex := int(interfaceIndex32)
 	if interfaceName == "" {
@@ -115,10 +115,10 @@ func (m *platformDefaultInterfaceMonitor) UpdateDefaultInterface(interfaceName s
 		}
 	}
 	if interfaceName == "" {
-		m.logger.Error(E.New("invalid interface name for ", interfaceIndex))
+		m.errorHandler.NewError(context.Background(), E.New("invalid interface name for ", interfaceIndex))
 		return
 	} else if interfaceIndex == -1 {
-		m.logger.Error(E.New("invalid interface index for ", interfaceName))
+		m.errorHandler.NewError(context.Background(), E.New("invalid interface index for ", interfaceName))
 		return
 	}
 	if m.defaultInterfaceName == interfaceName && m.defaultInterfaceIndex == interfaceIndex {
@@ -130,7 +130,10 @@ func (m *platformDefaultInterfaceMonitor) UpdateDefaultInterface(interfaceName s
 	callbacks := m.callbacks.Array()
 	m.access.Unlock()
 	for _, callback := range callbacks {
-		callback(tun.EventInterfaceUpdate)
+		err = callback(tun.EventInterfaceUpdate)
+		if err != nil {
+			m.errorHandler.NewError(context.Background(), err)
+		}
 	}
 }
 

experimental/libbox/platform.go

@@ -18,7 +18,6 @@ type PlatformInterface interface {
 	CloseDefaultInterfaceMonitor(listener InterfaceUpdateListener) error
 	UsePlatformInterfaceGetter() bool
 	GetInterfaces() (NetworkInterfaceIterator, error)
-	UnderNetworkExtension() bool
 }
 
 type TunInterface interface {