documentation: Bump version

Enhanced the issue reporting templates for both English and Chinese versions by adding more structured and comprehensive guideline checkboxes. This aims to ensure contributors provide sufficient and beneficial information for reproducing and resolving issues, thereby improving the quality of reports and making issue tracking more efficient.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -44,12 +44,7 @@ body:
     attributes:
       label: Version
       description: If you are using the original command line program, please provide the output of the `sing-box version` command.
-      value: |-
-        <details>
-        ```console
-        # Replace this line with the output
-        ```
-        </details>
+      render: shell
   - type: textarea
     attributes:
       label: Description
@@ -66,12 +61,22 @@ body:
     attributes:
       label: Logs
       description: |-
-        If you encounter a crash with the graphical client, please provide crash logs.
+        In addition, if you encounter a crash with the graphical client, please also provide crash logs.
         For Apple platform clients, please check `Settings - View Service Log` for crash logs.
         For the Android client, please check the `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` file for crash logs.
-      value: |-
-        <details>
-        ```console
-        # Replace this line with logs
-        ```
-        </details>
+      render: shell
+  - type: checkboxes
+    attributes:
+      label: Integrity requirements
+      description: |-
+        Please check all of the following options to prove that you have read and understood the requirements, otherwise this issue will be closed.
+        Sing-box is not a project aimed to please users who can't make any meaningful contributions and gain unethical influence. If you deceive here to deliberately waste the time of the developers, you will be permanently blocked.
+      options:
+        - label: I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
+          required: true
+        - label: I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
+          required: true
+        - label: I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
+          required: true
+        - label: I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
+          required: true

.github/ISSUE_TEMPLATE/bug_report_zh.yml

@@ -44,12 +44,7 @@ body:
     attributes:
       label: 版本
       description: 如果您使用原始命令行程序，请提供 `sing-box version` 命令的输出。
-      value: |-
-        <details>
-        ```console
-        # 使用输出内容覆盖此行
-        ```
-        </details>
+      render: shell
   - type: textarea
     attributes:
       label: 描述
@@ -66,12 +61,22 @@ body:
     attributes:
       label: 日志
       description: |-
-        如果您遭遇图形界面应用程序崩溃，请提供崩溃日志。
+        此外，如果您遭遇图形界面应用程序崩溃，请附加提供崩溃日志。
         对于 Apple 平台图形客户端程序，请检查 `Settings - View Service Log` 以导出崩溃日志。
         对于 Android 图形客户端程序，请检查 `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` 文件以导出崩溃日志。
-      value: |-
-        <details>
-        ```console
-        # 使用日志内容覆盖此行
-        ```
-        </details>
+      render: shell
+  - type: checkboxes
+    attributes:
+      label: 完整性要求
+      description: |-
+        请勾选以下所有选项以证明您已经阅读并理解了以下要求，否则该 issue 将被关闭。
+        sing-box 不是讨好无法作出任何意义上的贡献的最终用户并获取非道德影响力的项目，如果您在此处欺骗以故意浪费开发者的时间，您将被永久封锁。
+      options:
+        - label: 我保证阅读了文档，了解所有我编写的配置文件项的含义，而不是大量堆砌看似有用的选项或默认值。
+          required: true
+        - label: 我保证提供了可以在本地重现该问题的服务器、客户端配置文件与流程，而不是一个脱敏的复杂客户端配置文件。
+          required: true
+        - label: 我保证提供了可用于重现我报告的错误的最简配置，而不是依赖远程服务器、TUN、图形界面客户端或者其他闭源软件。
+          required: true
+        - label: 我保证提供了完整的配置文件与日志，而不是出于对自身智力的自信而仅提供了部分认为有用的部分。
+          required: true

.github/workflows/debug.yml

@@ -3,6 +3,7 @@ name: Debug build
 on:
   push:
     branches:
+      - stable-next
       - main-next
       - dev-next
     paths-ignore:
@@ -11,6 +12,7 @@ on:
       - '!.github/workflows/debug.yml'
   pull_request:
     branches:
+      - stable-next
       - main-next
       - dev-next
 
@@ -20,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -28,7 +30,7 @@ jobs:
         run: |
           echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
       - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ steps.version.outputs.go_version }}
       - name: Add cache to Go proxy
@@ -48,11 +50,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.18.10
       - name: Cache go module
@@ -68,11 +70,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.20.7
       - name: Cache go module
@@ -199,7 +201,7 @@ jobs:
       TAGS: with_clash_api,with_quic
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -207,14 +209,14 @@ jobs:
         run: |
           echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
       - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ steps.version.outputs.go_version }}
       - name: Build
         id: build
         run: make
       - name: Upload artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: sing-box-${{ matrix.name }}
           path: sing-box*

.github/workflows/docker.yml

@@ -9,20 +9,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Setup QEMU for Docker Buildx
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Docker metadata
         id: metadata
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ghcr.io/sagernet/sing-box
       - name: Get tag to build
@@ -35,10 +35,12 @@ jobs:
             echo "versioned=ghcr.io/sagernet/sing-box:${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
           fi
       - name: Build and release Docker images
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
           target: dist
+          build-args: |
+            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
           tags: |
             ${{ steps.tag.outputs.latest }}
             ${{ steps.tag.outputs.versioned }}

.github/workflows/lint.yml

@@ -3,6 +3,7 @@ name: Lint
 on:
   push:
     branches:
+      - stable-next
       - main-next
       - dev-next
     paths-ignore:
@@ -11,6 +12,7 @@ on:
       - '!.github/workflows/lint.yml'
   pull_request:
     branches:
+      - stable-next
       - main-next
       - dev-next
 
@@ -20,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -28,10 +30,12 @@ jobs:
         run: |
           echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
       - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ steps.version.outputs.go_version }}
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: latest
+          version: latest
+          args: --timeout=30m
+          install-mode: binary

.github/workflows/stale.yml

@@ -8,7 +8,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v8
+      - uses: actions/stale@v9
         with:
           stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
           days-before-stale: 60

.goreleaser.yaml

@@ -16,12 +16,15 @@ builds:
       - with_quic
       - with_dhcp
       - with_wireguard
+      - with_ech
       - with_utls
       - with_reality_server
+      - with_acme
       - with_clash_api
     env:
       - CGO_ENABLED=0
     targets:
+      - linux_386
       - linux_amd64_v1
       - linux_amd64_v3
       - linux_arm64
@@ -35,6 +38,36 @@ builds:
       - darwin_amd64_v3
       - darwin_arm64
     mod_timestamp: '{{ .CommitTimestamp }}'
+  - id: legacy
+    main: ./cmd/sing-box
+    flags:
+      - -v
+      - -trimpath
+    asmflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    gcflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    ldflags:
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
+    tags:
+      - with_gvisor
+      - with_quic
+      - with_dhcp
+      - with_wireguard
+      - with_ech
+      - with_utls
+      - with_reality_server
+      - with_acme
+      - with_clash_api
+    env:
+      - CGO_ENABLED=0
+      - GOROOT=/nix/store/kg6i737jjqs923jcijnm003h68c1dghj-go-1.20.11/share/go
+    gobinary: /nix/store/kg6i737jjqs923jcijnm003h68c1dghj-go-1.20.11/bin/go
+    targets:
+      - windows_amd64_v1
+      - windows_386
+      - darwin_amd64_v1
+    mod_timestamp: '{{ .CommitTimestamp }}'
   - id: android
     main: ./cmd/sing-box
     flags:
@@ -51,7 +84,10 @@ builds:
       - with_quic
       - with_dhcp
       - with_wireguard
+      - with_ech
       - with_utls
+      - with_reality_server
+      - with_acme
       - with_clash_api
     env:
       - CGO_ENABLED=1
@@ -88,6 +124,9 @@ snapshot:
   name_template: "{{ .Version }}.{{ .ShortCommit }}"
 archives:
   - id: archive
+    builds:
+      - main
+      - android
     format: tar.gz
     format_overrides:
       - goos: windows
@@ -96,6 +135,17 @@ archives:
     files:
       - LICENSE
     name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+  - id: archive-legacy
+    builds:
+      - legacy
+    format: tar.gz
+    format_overrides:
+      - goos: windows
+        format: zip
+    wrap_in_directory: true
+    files:
+      - LICENSE
+    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}-legacy'
 nfpms:
   - id: package
     package_name: sing-box
@@ -108,6 +158,7 @@ nfpms:
     formats:
       - deb
       - rpm
+      - archlinux
     priority: extra
     contents:
       - src: release/config/config.json

Dockerfile

@@ -1,23 +1,27 @@
-FROM golang:1.21-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.21-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
+ARG TARGETOS TARGETARCH
 ARG GOPROXY=""
 ENV GOPROXY ${GOPROXY}
 ENV CGO_ENABLED=0
+ENV GOOS=$TARGETOS
+ENV GOARCH=$TARGETARCH
 RUN set -ex \
     && apk add git build-base \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
+    && go build -v -trimpath -tags \
+        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api" \
         -o /go/bin/sing-box \
         -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
         ./cmd/sing-box
-FROM alpine AS dist
+FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
     && apk upgrade \
     && apk add bash tzdata ca-certificates \
     && rm -rf /var/cache/apk/*
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
-ENTRYPOINT ["sing-box"]
+ENTRYPOINT ["sing-box"]

Makefile

@@ -1,9 +1,9 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
 TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
-TAGS_GO120 = with_quic
+TAGS_GO120 = with_quic,with_ech
 TAGS ?= $(TAGS_GO118),$(TAGS_GO120)
-TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr
+TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
@@ -14,7 +14,7 @@ MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
 
-.PHONY: test release
+.PHONY: test release docs
 
 build:
 	go build $(MAIN_PARAMS) $(MAIN)
@@ -28,7 +28,7 @@ ci_build:
 	go build $(MAIN_PARAMS) $(MAIN)
 
 install:
-	go build -o $(PREFIX)/bin/$(NAME) $(PARAMS) $(MAIN)
+	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
 
 fmt:
 	@gofumpt -l -w .
@@ -61,9 +61,9 @@ proto_install:
 release:
 	go run ./cmd/internal/build goreleaser release --clean --skip-publish || exit 1
 	mkdir dist/release
-	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
+	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/*.pkg.tar.zst dist/release
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
-	rm -r dist
+	rm -r dist/release
 
 release_install:
 	go install -v github.com/goreleaser/goreleaser@latest
@@ -73,18 +73,21 @@ update_android_version:
 	go run ./cmd/internal/update_android_version
 
 build_android:
-	cd ../sing-box-for-android && ./gradlew :app:assembleRelease
+	cd ../sing-box-for-android && ./gradlew :app:assemblePlayRelease && ./gradlew --stop
 
 upload_android:
 	mkdir -p dist/release_android
-	cp ../sing-box-for-android/app/build/outputs/apk/release/*.apk dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/play/release/*.apk dist/release_android
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
 	rm -rf dist/release_android
 
 release_android: lib_android update_android_version build_android upload_android
 
 publish_android:
-	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadRelease
+	cd ../sing-box-for-android && ./gradlew :app:publishPlayReleaseBundle
+
+publish_android_appcenter:
+	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadPlayRelease
 
 build_ios:
 	cd ../sing-box-for-apple && \
@@ -93,7 +96,7 @@ build_ios:
 
 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist
+	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
 
 release_ios: build_ios upload_ios_app_store
 
@@ -104,7 +107,7 @@ build_macos:
 
 upload_macos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist
+	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
 
 release_macos: build_macos upload_macos_app_store
 
@@ -115,7 +118,7 @@ build_macos_independent:
 
 notarize_macos_independent:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist
+	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist  -allowProvisioningUpdates
 
 wait_notarize_macos_independent:
 	sleep 60
@@ -137,12 +140,11 @@ release_macos_independent: build_macos_independent notarize_macos_independent wa
 build_tvos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.xcarchive && \
-	export DEVELOPER_DIR=/Applications/Xcode-beta.app/Contents/Developer && \
 	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive
 
 upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist
+	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
 
 release_tvos: build_tvos upload_tvos_app_store
 
@@ -150,10 +152,8 @@ update_apple_version:
 	go run ./cmd/internal/update_apple_version
 
 release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
-	rm -rf dist
 
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
-	rm -rf dist
 
 test:
 	@go test -v ./... && \
@@ -179,9 +179,17 @@ lib:
 
 lib_install:
 	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230728014906-3de089147f59
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230728014906-3de089147f59
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230915142329-c6740b6d2950
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230915142329-c6740b6d2950
 
+docs:
+	mkdocs serve
+
+publish_docs:
+	mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
+
+docs_install:
+	pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
 clean:
 	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box

adapter/conn_router.go

@@ -0,0 +1,104 @@
+package adapter
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type ConnectionRouter interface {
+	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+}
+
+func NewRouteHandler(
+	metadata InboundContext,
+	router ConnectionRouter,
+	logger logger.ContextLogger,
+) UpstreamHandlerAdapter {
+	return &routeHandlerWrapper{
+		metadata: metadata,
+		router:   router,
+		logger:   logger,
+	}
+}
+
+func NewRouteContextHandler(
+	router ConnectionRouter,
+	logger logger.ContextLogger,
+) UpstreamHandlerAdapter {
+	return &routeContextHandlerWrapper{
+		router: router,
+		logger: logger,
+	}
+}
+
+var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
+
+type routeHandlerWrapper struct {
+	metadata InboundContext
+	router   ConnectionRouter
+	logger   logger.ContextLogger
+}
+
+func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RouteConnection(ctx, conn, myMetadata)
+}
+
+func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
+}
+
+func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.logger.ErrorContext(ctx, err)
+}
+
+var _ UpstreamHandlerAdapter = (*routeContextHandlerWrapper)(nil)
+
+type routeContextHandlerWrapper struct {
+	router ConnectionRouter
+	logger logger.ContextLogger
+}
+
+func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RouteConnection(ctx, conn, *myMetadata)
+}
+
+func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
+}
+
+func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.logger.ErrorContext(ctx, err)
+}

adapter/experimental.go

@@ -43,7 +43,7 @@ type OutboundGroup interface {
 
 type URLTestGroup interface {
 	OutboundGroup
-	URLTest(ctx context.Context, url string) (map[string]uint16, error)
+	URLTest(ctx context.Context) (map[string]uint16, error)
 }
 
 func OutboundTag(detour Outbound) string {

adapter/inbound.go

@@ -75,3 +75,11 @@ func AppendContext(ctx context.Context) (context.Context, *InboundContext) {
 	metadata = new(InboundContext)
 	return WithContext(ctx, metadata), metadata
 }
+
+func ExtendContext(ctx context.Context) (context.Context, *InboundContext) {
+	var newMetadata InboundContext
+	if metadata := ContextFrom(ctx); metadata != nil {
+		newMetadata = *metadata
+	}
+	return WithContext(ctx, &newMetadata), &newMetadata
+}

adapter/router.go

@@ -2,20 +2,20 @@ package adapter
 
 import (
 	"context"
-	"net"
 	"net/netip"
 
 	"github.com/sagernet/sing-box/common/geoip"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
-	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
 
 	mdns "github.com/miekg/dns"
 )
 
 type Router interface {
 	Service
+	PostStarter
 
 	Outbounds() []Outbound
 	Outbound(tag string) (Outbound, bool)
@@ -23,8 +23,7 @@ type Router interface {
 
 	FakeIPStore() FakeIPStore
 
-	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
-	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+	ConnectionRouter
 
 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
@@ -43,10 +42,9 @@ type Router interface {
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
+	WIFIState() WIFIState
 	Rules() []Rule
 
-	TimeService
-
 	ClashServer() ClashServer
 	SetClashServer(server ClashServer)
 
@@ -56,18 +54,12 @@ type Router interface {
 	ResetNetwork() error
 }
 
-type routerContextKey struct{}
-
 func ContextWithRouter(ctx context.Context, router Router) context.Context {
-	return context.WithValue(ctx, (*routerContextKey)(nil), router)
+	return service.ContextWith(ctx, router)
 }
 
 func RouterFromContext(ctx context.Context) Router {
-	metadata := ctx.Value((*routerContextKey)(nil))
-	if metadata == nil {
-		return nil
-	}
-	return metadata.(Router)
+	return service.FromContext[Router](ctx)
 }
 
 type Rule interface {
@@ -88,3 +80,8 @@ type DNSRule interface {
 type InterfaceUpdateListener interface {
 	InterfaceUpdated()
 }
+
+type WIFIState struct {
+	SSID  string
+	BSSID string
+}

adapter/v2ray.go

@@ -5,7 +5,6 @@ import (
 	"net"
 
 	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -19,7 +18,6 @@ type V2RayServerTransport interface {
 type V2RayServerTransportHandler interface {
 	N.TCPConnectionHandler
 	E.Handler
-	FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error
 }
 
 type V2RayClientTransport interface {

box.go

@@ -19,6 +19,7 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/pause"
 )
 
@@ -40,6 +41,7 @@ type Options struct {
 	option.Options
 	Context           context.Context
 	PlatformInterface platform.Interface
+	PlatformLogWriter log.PlatformWriter
 }
 
 func New(options Options) (*Box, error) {
@@ -47,13 +49,14 @@ func New(options Options) (*Box, error) {
 	if ctx == nil {
 		ctx = context.Background()
 	}
+	ctx = service.ContextWithDefaultRegistry(ctx)
 	ctx = pause.ContextWithDefaultManager(ctx)
 	createdAt := time.Now()
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needClashAPI bool
 	var needV2RayAPI bool
-	if experimentalOptions.ClashAPI != nil || options.PlatformInterface != nil {
+	if experimentalOptions.ClashAPI != nil || options.PlatformLogWriter != nil {
 		needClashAPI = true
 	}
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
@@ -69,7 +72,7 @@ func New(options Options) (*Box, error) {
 		Observable:     needClashAPI,
 		DefaultWriter:  defaultLogWriter,
 		BaseTime:       createdAt,
-		PlatformWriter: options.PlatformInterface,
+		PlatformWriter: options.PlatformLogWriter,
 	})
 	if err != nil {
 		return nil, E.Cause(err, "create log factory")
@@ -255,7 +258,7 @@ func (s *Box) start() error {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
-	return nil
+	return s.postStart()
 }
 
 func (s *Box) postStart() error {
@@ -266,16 +269,17 @@ func (s *Box) postStart() error {
 			return E.Cause(err, "start ", serviceName)
 		}
 	}
-	for serviceName, service := range s.outbounds {
-		if lateService, isLateService := service.(adapter.PostStarter); isLateService {
-			s.logger.Trace("post-starting ", service)
-			err := lateService.PostStart()
+	for _, outbound := range s.outbounds {
+		if lateOutbound, isLateOutbound := outbound.(adapter.PostStarter); isLateOutbound {
+			s.logger.Trace("post-starting outbound/", outbound.Tag())
+			err := lateOutbound.PostStart()
 			if err != nil {
-				return E.Cause(err, "post-start ", serviceName)
+				return E.Cause(err, "post-start outbound/", outbound.Tag())
 			}
 		}
 	}
-	return nil
+	s.logger.Trace("post-starting router")
+	return s.router.PostStart()
 }
 
 func (s *Box) Close() error {

box_outbound.go

@@ -69,7 +69,7 @@ func (s *Box) startOutbounds() error {
 			}
 			problemOutbound := outbounds[problemOutboundTag]
 			if problemOutbound == nil {
-				return E.New("dependency[", problemOutbound, "] not found for outbound[", outboundTags[oCurrent], "]")
+				return E.New("dependency[", problemOutboundTag, "] not found for outbound[", outboundTags[oCurrent], "]")
 			}
 			return lintOutbound(append(oTree, problemOutboundTag), problemOutbound)
 		}

cmd/internal/build/main.go

@@ -12,7 +12,7 @@ import (
 func main() {
 	build_shared.FindSDK()
 
-	if os.Getenv("build.Default.GOPATH") == "" {
+	if os.Getenv("GOPATH") == "" {
 		os.Setenv("GOPATH", build.Default.GOPATH)
 	}
 

cmd/internal/build_libbox/main.go

@@ -54,7 +54,7 @@ func init() {
 	sharedFlags = append(sharedFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
 	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
 
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api")
 	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	debugTags = append(debugTags, "debug")
 }

cmd/internal/build_shared/tag.go

@@ -17,9 +17,6 @@ func ReadTag() (string, error) {
 	}
 	shortCommit, _ := shell.Exec("git", "rev-parse", "--short", "HEAD").ReadOutput()
 	version := badversion.Parse(currentTagRev[1:])
-	if version.PreReleaseIdentifier == "" {
-		version.Patch++
-	}
 	return version.String() + "-" + shortCommit, nil
 }
 

cmd/internal/update_apple_version/main.go

@@ -29,11 +29,17 @@ func main() {
 	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
 	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
 	if updated0 || updated1 {
-		log.Info("updated version to ", newVersion.VersionString())
-		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj.bak", []byte(projectContent), 0o644))
+		log.Info("updated version to ", newVersion.VersionString(), " (", newVersion.String(), ")")
+	}
+	var updated2 bool
+	if macProjectVersion := os.Getenv("MACOS_PROJECT_VERSION"); macProjectVersion != "" {
+		newContent, updated2 = findAndReplaceProjectVersion(objectsMap, newContent, []string{"SFM"}, macProjectVersion)
+		if updated2 {
+			log.Info("updated macos project version to ", macProjectVersion)
+		}
+	}
+	if updated0 || updated1 || updated2 {
 		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj", []byte(newContent), 0o644))
-	} else {
-		log.Info("version not changed")
 	}
 }
 
@@ -61,6 +67,30 @@ func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDLi
 	return projectContent, updated
 }
 
+func findAndReplaceProjectVersion(objectsMap map[string]any, projectContent string, directoryList []string, newVersion string) (string, bool) {
+	objectKeyList := findObjectKeyByDirectory(objectsMap, directoryList)
+	var updated bool
+	for _, objectKey := range objectKeyList {
+		matchRegexp := common.Must1(regexp.Compile(objectKey + ".*= \\{"))
+		indexes := matchRegexp.FindStringIndex(projectContent)
+		if len(indexes) < 2 {
+			println(projectContent)
+			log.Fatal("failed to find object key ", objectKey, ": ", strings.Index(projectContent, objectKey))
+		}
+		indexStart := indexes[1]
+		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
+		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "CURRENT_PROJECT_VERSION = ") + 26
+		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
+		version := projectContent[versionStart:versionEnd]
+		if version == newVersion {
+			continue
+		}
+		updated = true
+		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
+	}
+	return projectContent, updated
+}
+
 func findObjectKey(objectsMap map[string]any, bundleIDList []string) []string {
 	var objectKeyList []string
 	for objectKey, object := range objectsMap {
@@ -78,3 +108,24 @@ func findObjectKey(objectsMap map[string]any, bundleIDList []string) []string {
 	}
 	return objectKeyList
 }
+
+func findObjectKeyByDirectory(objectsMap map[string]any, directoryList []string) []string {
+	var objectKeyList []string
+	for objectKey, object := range objectsMap {
+		buildSettings := object.(map[string]any)["buildSettings"]
+		if buildSettings == nil {
+			continue
+		}
+		infoPListFile := buildSettings.(map[string]any)["INFOPLIST_FILE"]
+		if infoPListFile == nil {
+			continue
+		}
+		for _, searchDirectory := range directoryList {
+			if strings.HasPrefix(infoPListFile.(string), searchDirectory+"/") {
+				objectKeyList = append(objectKeyList, objectKey)
+			}
+		}
+
+	}
+	return objectKeyList
+}

cmd/sing-box/cmd_generate.go

@@ -11,7 +11,6 @@ import (
 
 	"github.com/gofrs/uuid/v5"
 	"github.com/spf13/cobra"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
 var commandGenerate = &cobra.Command{
@@ -22,8 +21,7 @@ var commandGenerate = &cobra.Command{
 func init() {
 	commandGenerate.AddCommand(commandGenerateUUID)
 	commandGenerate.AddCommand(commandGenerateRandom)
-	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
-	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
+
 	mainCommand.AddCommand(commandGenerate)
 }
 
@@ -92,48 +90,3 @@ func generateUUID() error {
 	_, err = os.Stdout.WriteString(newUUID.String() + "\n")
 	return err
 }
-
-var commandGenerateWireGuardKeyPair = &cobra.Command{
-	Use:   "wg-keypair",
-	Short: "Generate WireGuard key pair",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateWireGuardKey()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func generateWireGuardKey() error {
-	privateKey, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		return err
-	}
-	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
-	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
-	return nil
-}
-
-var commandGenerateRealityKeyPair = &cobra.Command{
-	Use:   "reality-keypair",
-	Short: "Generate reality key pair",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateRealityKey()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func generateRealityKey() error {
-	privateKey, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		return err
-	}
-	publicKey := privateKey.PublicKey()
-	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
-	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
-	return nil
-}

cmd/sing-box/cmd_generate_ech.go

@@ -0,0 +1,39 @@
+package main
+
+import (
+	"os"
+
+	"github.com/sagernet/sing-box/common/tls"
+	"github.com/sagernet/sing-box/log"
+
+	"github.com/spf13/cobra"
+)
+
+var pqSignatureSchemesEnabled bool
+
+var commandGenerateECHKeyPair = &cobra.Command{
+	Use:   "ech-keypair <plain_server_name>",
+	Short: "Generate TLS ECH key pair",
+	Args:  cobra.ExactArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateECHKeyPair(args[0])
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandGenerateECHKeyPair.Flags().BoolVar(&pqSignatureSchemesEnabled, "pq-signature-schemes-enabled", false, "Enable PQ signature schemes")
+	commandGenerate.AddCommand(commandGenerateECHKeyPair)
+}
+
+func generateECHKeyPair(serverName string) error {
+	configPem, keyPem, err := tls.ECHKeygenDefault(serverName, pqSignatureSchemesEnabled)
+	if err != nil {
+		return err
+	}
+	os.Stdout.WriteString(configPem)
+	os.Stdout.WriteString(keyPem)
+	return nil
+}

cmd/sing-box/cmd_generate_tls.go

@@ -0,0 +1,40 @@
+package main
+
+import (
+	"os"
+	"time"
+
+	"github.com/sagernet/sing-box/common/tls"
+	"github.com/sagernet/sing-box/log"
+
+	"github.com/spf13/cobra"
+)
+
+var flagGenerateTLSKeyPairMonths int
+
+var commandGenerateTLSKeyPair = &cobra.Command{
+	Use:   "tls-keypair <server_name>",
+	Short: "Generate TLS self sign key pair",
+	Args:  cobra.ExactArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateTLSKeyPair(args[0])
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandGenerateTLSKeyPair.Flags().IntVarP(&flagGenerateTLSKeyPairMonths, "months", "m", 1, "Valid months")
+	commandGenerate.AddCommand(commandGenerateTLSKeyPair)
+}
+
+func generateTLSKeyPair(serverName string) error {
+	privateKeyPem, publicKeyPem, err := tls.GenerateKeyPair(time.Now, serverName, time.Now().AddDate(0, flagGenerateTLSKeyPairMonths, 0))
+	if err != nil {
+		return err
+	}
+	os.Stdout.WriteString(string(privateKeyPem) + "\n")
+	os.Stdout.WriteString(string(publicKeyPem) + "\n")
+	return nil
+}

cmd/sing-box/cmd_generate_vapid.go

@@ -0,0 +1,40 @@
+//go:build go1.20
+
+package main
+
+import (
+	"crypto/ecdh"
+	"crypto/rand"
+	"encoding/base64"
+	"os"
+
+	"github.com/sagernet/sing-box/log"
+
+	"github.com/spf13/cobra"
+)
+
+var commandGenerateVAPIDKeyPair = &cobra.Command{
+	Use:   "vapid-keypair",
+	Short: "Generate VAPID key pair",
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateVAPIDKeyPair()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandGenerate.AddCommand(commandGenerateVAPIDKeyPair)
+}
+
+func generateVAPIDKeyPair() error {
+	privateKey, err := ecdh.P256().GenerateKey(rand.Reader)
+	if err != nil {
+		return err
+	}
+	publicKey := privateKey.PublicKey()
+	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey.Bytes()) + "\n")
+	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey.Bytes()) + "\n")
+	return nil
+}

cmd/sing-box/cmd_generate_wireguard.go

@@ -0,0 +1,61 @@
+package main
+
+import (
+	"encoding/base64"
+	"os"
+
+	"github.com/sagernet/sing-box/log"
+
+	"github.com/spf13/cobra"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+func init() {
+	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
+	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
+}
+
+var commandGenerateWireGuardKeyPair = &cobra.Command{
+	Use:   "wg-keypair",
+	Short: "Generate WireGuard key pair",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateWireGuardKey()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func generateWireGuardKey() error {
+	privateKey, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return err
+	}
+	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
+	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
+	return nil
+}
+
+var commandGenerateRealityKeyPair = &cobra.Command{
+	Use:   "reality-keypair",
+	Short: "Generate reality key pair",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateRealityKey()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func generateRealityKey() error {
+	privateKey, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return err
+	}
+	publicKey := privateKey.PublicKey()
+	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
+	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
+	return nil
+}

cmd/sing-box/cmd_merge.go

@@ -0,0 +1,174 @@
+package main
+
+import (
+	"bytes"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/sagernet/sing-box/common/json"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/rw"
+
+	"github.com/spf13/cobra"
+)
+
+var commandMerge = &cobra.Command{
+	Use:   "merge [output]",
+	Short: "Merge configurations",
+	Run: func(cmd *cobra.Command, args []string) {
+		err := merge(args[0])
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+	Args: cobra.ExactArgs(1),
+}
+
+func init() {
+	mainCommand.AddCommand(commandMerge)
+}
+
+func merge(outputPath string) error {
+	mergedOptions, err := readConfigAndMerge()
+	if err != nil {
+		return err
+	}
+	err = mergePathResources(&mergedOptions)
+	if err != nil {
+		return err
+	}
+	buffer := new(bytes.Buffer)
+	encoder := json.NewEncoder(buffer)
+	encoder.SetIndent("", "  ")
+	err = encoder.Encode(mergedOptions)
+	if err != nil {
+		return E.Cause(err, "encode config")
+	}
+	if existsContent, err := os.ReadFile(outputPath); err != nil {
+		if string(existsContent) == buffer.String() {
+			return nil
+		}
+	}
+	err = rw.WriteFile(outputPath, buffer.Bytes())
+	if err != nil {
+		return err
+	}
+	outputPath, _ = filepath.Abs(outputPath)
+	os.Stderr.WriteString(outputPath + "\n")
+	return nil
+}
+
+func mergePathResources(options *option.Options) error {
+	for index, inbound := range options.Inbounds {
+		switch inbound.Type {
+		case C.TypeHTTP:
+			inbound.HTTPOptions.TLS = mergeTLSInboundOptions(inbound.HTTPOptions.TLS)
+		case C.TypeMixed:
+			inbound.MixedOptions.TLS = mergeTLSInboundOptions(inbound.MixedOptions.TLS)
+		case C.TypeVMess:
+			inbound.VMessOptions.TLS = mergeTLSInboundOptions(inbound.VMessOptions.TLS)
+		case C.TypeTrojan:
+			inbound.TrojanOptions.TLS = mergeTLSInboundOptions(inbound.TrojanOptions.TLS)
+		case C.TypeNaive:
+			inbound.NaiveOptions.TLS = mergeTLSInboundOptions(inbound.NaiveOptions.TLS)
+		case C.TypeHysteria:
+			inbound.HysteriaOptions.TLS = mergeTLSInboundOptions(inbound.HysteriaOptions.TLS)
+		case C.TypeVLESS:
+			inbound.VLESSOptions.TLS = mergeTLSInboundOptions(inbound.VLESSOptions.TLS)
+		case C.TypeTUIC:
+			inbound.TUICOptions.TLS = mergeTLSInboundOptions(inbound.TUICOptions.TLS)
+		case C.TypeHysteria2:
+			inbound.Hysteria2Options.TLS = mergeTLSInboundOptions(inbound.Hysteria2Options.TLS)
+		default:
+			continue
+		}
+		options.Inbounds[index] = inbound
+	}
+	for index, outbound := range options.Outbounds {
+		switch outbound.Type {
+		case C.TypeHTTP:
+			outbound.HTTPOptions.TLS = mergeTLSOutboundOptions(outbound.HTTPOptions.TLS)
+		case C.TypeVMess:
+			outbound.VMessOptions.TLS = mergeTLSOutboundOptions(outbound.VMessOptions.TLS)
+		case C.TypeTrojan:
+			outbound.TrojanOptions.TLS = mergeTLSOutboundOptions(outbound.TrojanOptions.TLS)
+		case C.TypeHysteria:
+			outbound.HysteriaOptions.TLS = mergeTLSOutboundOptions(outbound.HysteriaOptions.TLS)
+		case C.TypeSSH:
+			outbound.SSHOptions = mergeSSHOutboundOptions(outbound.SSHOptions)
+		case C.TypeVLESS:
+			outbound.VLESSOptions.TLS = mergeTLSOutboundOptions(outbound.VLESSOptions.TLS)
+		case C.TypeTUIC:
+			outbound.TUICOptions.TLS = mergeTLSOutboundOptions(outbound.TUICOptions.TLS)
+		case C.TypeHysteria2:
+			outbound.Hysteria2Options.TLS = mergeTLSOutboundOptions(outbound.Hysteria2Options.TLS)
+		default:
+			continue
+		}
+		options.Outbounds[index] = outbound
+	}
+	return nil
+}
+
+func mergeTLSInboundOptions(options *option.InboundTLSOptions) *option.InboundTLSOptions {
+	if options == nil {
+		return nil
+	}
+	if options.CertificatePath != "" {
+		if content, err := os.ReadFile(options.CertificatePath); err == nil {
+			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
+		}
+	}
+	if options.KeyPath != "" {
+		if content, err := os.ReadFile(options.KeyPath); err == nil {
+			options.Key = trimStringArray(strings.Split(string(content), "\n"))
+		}
+	}
+	if options.ECH != nil {
+		if options.ECH.KeyPath != "" {
+			if content, err := os.ReadFile(options.ECH.KeyPath); err == nil {
+				options.ECH.Key = trimStringArray(strings.Split(string(content), "\n"))
+			}
+		}
+	}
+	return options
+}
+
+func mergeTLSOutboundOptions(options *option.OutboundTLSOptions) *option.OutboundTLSOptions {
+	if options == nil {
+		return nil
+	}
+	if options.CertificatePath != "" {
+		if content, err := os.ReadFile(options.CertificatePath); err == nil {
+			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
+		}
+	}
+	if options.ECH != nil {
+		if options.ECH.ConfigPath != "" {
+			if content, err := os.ReadFile(options.ECH.ConfigPath); err == nil {
+				options.ECH.Config = trimStringArray(strings.Split(string(content), "\n"))
+			}
+		}
+	}
+	return options
+}
+
+func mergeSSHOutboundOptions(options option.SSHOutboundOptions) option.SSHOutboundOptions {
+	if options.PrivateKeyPath != "" {
+		if content, err := os.ReadFile(os.ExpandEnv(options.PrivateKeyPath)); err == nil {
+			options.PrivateKey = trimStringArray(strings.Split(string(content), "\n"))
+		}
+	}
+	return options
+}
+
+func trimStringArray(array []string) []string {
+	return common.Filter(array, func(it string) bool {
+		return strings.TrimSpace(it) != ""
+	})
+}

cmd/sing-box/cmd_run.go

@@ -143,14 +143,16 @@ func create() (*box.Box, context.CancelFunc, error) {
 		signal.Stop(osSignals)
 		close(osSignals)
 	}()
-
+	startCtx, finishStart := context.WithCancel(context.Background())
 	go func() {
 		_, loaded := <-osSignals
 		if loaded {
 			cancel()
+			closeMonitor(startCtx)
 		}
 	}()
 	err = instance.Start()
+	finishStart()
 	if err != nil {
 		cancel()
 		return nil, nil, E.Cause(err, "start service")

common/conntrack/conn.go

@@ -17,7 +17,7 @@ func NewConn(conn net.Conn) (net.Conn, error) {
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := killerCheck()
+		err := KillerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err

common/conntrack/killer.go

@@ -1,20 +1,20 @@
 package conntrack
 
 import (
-	"runtime"
 	runtimeDebug "runtime/debug"
 	"time"
 
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/memory"
 )
 
 var (
 	KillerEnabled   bool
-	MemoryLimit     int64
+	MemoryLimit     uint64
 	killerLastCheck time.Time
 )
 
-func killerCheck() error {
+func KillerCheck() error {
 	if !KillerEnabled {
 		return nil
 	}
@@ -23,10 +23,7 @@ func killerCheck() error {
 		return nil
 	}
 	killerLastCheck = nowTime
-	var memStats runtime.MemStats
-	runtime.ReadMemStats(&memStats)
-	inuseMemory := int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
-	if inuseMemory > MemoryLimit {
+	if memory.Total() > MemoryLimit {
 		Close()
 		go func() {
 			time.Sleep(time.Second)

common/conntrack/packet_conn.go

@@ -18,7 +18,7 @@ func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := killerCheck()
+		err := KillerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err

common/dialer/default.go

@@ -6,7 +6,7 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/control"
@@ -137,10 +137,12 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 }
 
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if !destination.IsIPv6() {
-		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
-	} else {
+	if destination.IsIPv6() {
 		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
+	} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
+		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP+"4", d.udpAddr4))
+	} else {
+		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
 	}
 }
 

common/dialer/dialer.go

@@ -29,7 +29,12 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	}
 	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
-		dialer = NewResolveDialer(router, dialer, domainStrategy, time.Duration(options.FallbackDelay))
+		dialer = NewResolveDialer(
+			router,
+			dialer,
+			options.Detour == "" && !options.TCPFastOpen,
+			domainStrategy,
+			time.Duration(options.FallbackDelay))
 	}
 	return dialer, nil
 }

common/dialer/resolve.go

@@ -16,14 +16,16 @@ import (
 
 type ResolveDialer struct {
 	dialer        N.Dialer
+	parallel      bool
 	router        adapter.Router
 	strategy      dns.DomainStrategy
 	fallbackDelay time.Duration
 }
 
-func NewResolveDialer(router adapter.Router, dialer N.Dialer, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
+func NewResolveDialer(router adapter.Router, dialer N.Dialer, parallel bool, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
 	return &ResolveDialer{
 		dialer,
+		parallel,
 		router,
 		strategy,
 		fallbackDelay,
@@ -34,7 +36,7 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
-	ctx, metadata := adapter.AppendContext(ctx)
+	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
 	metadata.Destination = destination
 	metadata.Domain = ""
@@ -48,14 +50,18 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 	if err != nil {
 		return nil, err
 	}
-	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
+	if d.parallel {
+		return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
+	} else {
+		return N.DialSerial(ctx, d.dialer, network, destination, addresses)
+	}
 }
 
 func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
-	ctx, metadata := adapter.AppendContext(ctx)
+	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
 	metadata.Destination = destination
 	metadata.Domain = ""

common/geoip/reader.go

@@ -32,3 +32,7 @@ func (r *Reader) Lookup(addr netip.Addr) string {
 	}
 	return "unknown"
 }
+
+func (r *Reader) Close() error {
+	return r.reader.Close()
+}

common/humanize/bytes.go

@@ -0,0 +1,158 @@
+package humanize
+
+import (
+	"fmt"
+	"math"
+	"strconv"
+	"strings"
+	"unicode"
+)
+
+// IEC Sizes.
+// kibis of bits
+const (
+	Byte = 1 << (iota * 10)
+	KiByte
+	MiByte
+	GiByte
+	TiByte
+	PiByte
+	EiByte
+)
+
+// SI Sizes.
+const (
+	IByte = 1
+	KByte = IByte * 1000
+	MByte = KByte * 1000
+	GByte = MByte * 1000
+	TByte = GByte * 1000
+	PByte = TByte * 1000
+	EByte = PByte * 1000
+)
+
+var defaultSizeTable = map[string]uint64{
+	"b":   Byte,
+	"kib": KiByte,
+	"kb":  KByte,
+	"mib": MiByte,
+	"mb":  MByte,
+	"gib": GiByte,
+	"gb":  GByte,
+	"tib": TiByte,
+	"tb":  TByte,
+	"pib": PiByte,
+	"pb":  PByte,
+	"eib": EiByte,
+	"eb":  EByte,
+	// Without suffix
+	"":   Byte,
+	"ki": KiByte,
+	"k":  KByte,
+	"mi": MiByte,
+	"m":  MByte,
+	"gi": GiByte,
+	"g":  GByte,
+	"ti": TiByte,
+	"t":  TByte,
+	"pi": PiByte,
+	"p":  PByte,
+	"ei": EiByte,
+	"e":  EByte,
+}
+
+var memorysSizeTable = map[string]uint64{
+	"b":  Byte,
+	"kb": KiByte,
+	"mb": MiByte,
+	"gb": GiByte,
+	"tb": TiByte,
+	"pb": PiByte,
+	"eb": EiByte,
+	"":   Byte,
+	"k":  KiByte,
+	"m":  MiByte,
+	"g":  GiByte,
+	"t":  TiByte,
+	"p":  PiByte,
+	"e":  EiByte,
+}
+
+var (
+	defaultSizes = []string{"B", "kB", "MB", "GB", "TB", "PB", "EB"}
+	iSizes       = []string{"B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"}
+)
+
+func Bytes(s uint64) string {
+	return humanateBytes(s, 1000, defaultSizes)
+}
+
+func MemoryBytes(s uint64) string {
+	return humanateBytes(s, 1024, defaultSizes)
+}
+
+func IBytes(s uint64) string {
+	return humanateBytes(s, 1024, iSizes)
+}
+
+func logn(n, b float64) float64 {
+	return math.Log(n) / math.Log(b)
+}
+
+func humanateBytes(s uint64, base float64, sizes []string) string {
+	if s < 10 {
+		return fmt.Sprintf("%d B", s)
+	}
+	e := math.Floor(logn(float64(s), base))
+	suffix := sizes[int(e)]
+	val := math.Floor(float64(s)/math.Pow(base, e)*10+0.5) / 10
+	f := "%.0f %s"
+	if val < 10 {
+		f = "%.1f %s"
+	}
+
+	return fmt.Sprintf(f, val, suffix)
+}
+
+func ParseBytes(s string) (uint64, error) {
+	return parseBytes0(s, defaultSizeTable)
+}
+
+func ParseMemoryBytes(s string) (uint64, error) {
+	return parseBytes0(s, memorysSizeTable)
+}
+
+func parseBytes0(s string, sizeTable map[string]uint64) (uint64, error) {
+	lastDigit := 0
+	hasComma := false
+	for _, r := range s {
+		if !(unicode.IsDigit(r) || r == '.' || r == ',') {
+			break
+		}
+		if r == ',' {
+			hasComma = true
+		}
+		lastDigit++
+	}
+
+	num := s[:lastDigit]
+	if hasComma {
+		num = strings.Replace(num, ",", "", -1)
+	}
+
+	f, err := strconv.ParseFloat(num, 64)
+	if err != nil {
+		return 0, err
+	}
+
+	extra := strings.ToLower(strings.TrimSpace(s[lastDigit:]))
+	if m, ok := sizeTable[extra]; ok {
+		f *= float64(m)
+		if f >= math.MaxUint64 {
+			return 0, fmt.Errorf("too large: %v", s)
+		}
+		return uint64(f), nil
+	}
+
+	return 0, fmt.Errorf("unhandled size name: %v", extra)
+}

common/interrupt/conn.go

@@ -0,0 +1,75 @@
+package interrupt
+
+import (
+	"net"
+
+	"github.com/sagernet/sing/common/x/list"
+)
+
+/*type GroupedConn interface {
+	MarkAsInternal()
+}
+
+func MarkAsInternal(conn any) {
+	if groupedConn, isGroupConn := common.Cast[GroupedConn](conn); isGroupConn {
+		groupedConn.MarkAsInternal()
+	}
+}*/
+
+type Conn struct {
+	net.Conn
+	group   *Group
+	element *list.Element[*groupConnItem]
+}
+
+/*func (c *Conn) MarkAsInternal() {
+	c.element.Value.internal = true
+}*/
+
+func (c *Conn) Close() error {
+	c.group.access.Lock()
+	defer c.group.access.Unlock()
+	c.group.connections.Remove(c.element)
+	return c.Conn.Close()
+}
+
+func (c *Conn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *Conn) WriterReplaceable() bool {
+	return true
+}
+
+func (c *Conn) Upstream() any {
+	return c.Conn
+}
+
+type PacketConn struct {
+	net.PacketConn
+	group   *Group
+	element *list.Element[*groupConnItem]
+}
+
+/*func (c *PacketConn) MarkAsInternal() {
+	c.element.Value.internal = true
+}*/
+
+func (c *PacketConn) Close() error {
+	c.group.access.Lock()
+	defer c.group.access.Unlock()
+	c.group.connections.Remove(c.element)
+	return c.PacketConn.Close()
+}
+
+func (c *PacketConn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *PacketConn) WriterReplaceable() bool {
+	return true
+}
+
+func (c *PacketConn) Upstream() any {
+	return c.PacketConn
+}

common/interrupt/context.go

@@ -0,0 +1,13 @@
+package interrupt
+
+import "context"
+
+type contextKeyIsExternalConnection struct{}
+
+func ContextWithIsExternalConnection(ctx context.Context) context.Context {
+	return context.WithValue(ctx, contextKeyIsExternalConnection{}, true)
+}
+
+func IsExternalConnectionFromContext(ctx context.Context) bool {
+	return ctx.Value(contextKeyIsExternalConnection{}) != nil
+}

common/interrupt/group.go

@@ -0,0 +1,52 @@
+package interrupt
+
+import (
+	"io"
+	"net"
+	"sync"
+
+	"github.com/sagernet/sing/common/x/list"
+)
+
+type Group struct {
+	access      sync.Mutex
+	connections list.List[*groupConnItem]
+}
+
+type groupConnItem struct {
+	conn       io.Closer
+	isExternal bool
+}
+
+func NewGroup() *Group {
+	return &Group{}
+}
+
+func (g *Group) NewConn(conn net.Conn, isExternal bool) net.Conn {
+	g.access.Lock()
+	defer g.access.Unlock()
+	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
+	return &Conn{Conn: conn, group: g, element: item}
+}
+
+func (g *Group) NewPacketConn(conn net.PacketConn, isExternal bool) net.PacketConn {
+	g.access.Lock()
+	defer g.access.Unlock()
+	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
+	return &PacketConn{PacketConn: conn, group: g, element: item}
+}
+
+func (g *Group) Interrupt(interruptExternalConnections bool) {
+	g.access.Lock()
+	defer g.access.Unlock()
+	var toDelete []*list.Element[*groupConnItem]
+	for element := g.connections.Front(); element != nil; element = element.Next() {
+		if !element.Value.isExternal || interruptExternalConnections {
+			element.Value.conn.Close()
+			toDelete = append(toDelete, element)
+		}
+	}
+	for _, element := range toDelete {
+		g.connections.Remove(element)
+	}
+}

common/mux/client.go

@@ -1,21 +1,42 @@
 package mux
 
 import (
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-mux"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 	N "github.com/sagernet/sing/common/network"
 )
 
-func NewClientWithOptions(dialer N.Dialer, options option.MultiplexOptions) (*Client, error) {
+type Client = mux.Client
+
+func NewClientWithOptions(dialer N.Dialer, logger logger.Logger, options option.OutboundMultiplexOptions) (*Client, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
+	var brutalOptions mux.BrutalOptions
+	if options.Brutal != nil && options.Brutal.Enabled {
+		brutalOptions = mux.BrutalOptions{
+			Enabled:    true,
+			SendBPS:    uint64(options.Brutal.UpMbps * C.MbpsToBps),
+			ReceiveBPS: uint64(options.Brutal.DownMbps * C.MbpsToBps),
+		}
+		if brutalOptions.SendBPS < mux.BrutalMinSpeedBPS {
+			return nil, E.New("brutal: invalid upload speed")
+		}
+		if brutalOptions.ReceiveBPS < mux.BrutalMinSpeedBPS {
+			return nil, E.New("brutal: invalid download speed")
+		}
+	}
 	return mux.NewClient(mux.Options{
 		Dialer:         dialer,
+		Logger:         logger,
 		Protocol:       options.Protocol,
 		MaxConnections: options.MaxConnections,
 		MinStreams:     options.MinStreams,
 		MaxStreams:     options.MaxStreams,
 		Padding:        options.Padding,
+		Brutal:         brutalOptions,
 	})
 }

common/mux/protocol.go

@@ -1,14 +0,0 @@
-package mux
-
-import (
-	"github.com/sagernet/sing-mux"
-)
-
-type (
-	Client = mux.Client
-)
-
-var (
-	Destination      = mux.Destination
-	HandleConnection = mux.HandleConnection
-)

common/mux/router.go

@@ -0,0 +1,65 @@
+package mux
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-mux"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type Router struct {
+	router  adapter.ConnectionRouter
+	service *mux.Service
+}
+
+func NewRouterWithOptions(router adapter.ConnectionRouter, logger logger.ContextLogger, options option.InboundMultiplexOptions) (adapter.ConnectionRouter, error) {
+	if !options.Enabled {
+		return router, nil
+	}
+	var brutalOptions mux.BrutalOptions
+	if options.Brutal != nil && options.Brutal.Enabled {
+		brutalOptions = mux.BrutalOptions{
+			Enabled:    true,
+			SendBPS:    uint64(options.Brutal.UpMbps * C.MbpsToBps),
+			ReceiveBPS: uint64(options.Brutal.DownMbps * C.MbpsToBps),
+		}
+		if brutalOptions.SendBPS < mux.BrutalMinSpeedBPS {
+			return nil, E.New("brutal: invalid upload speed")
+		}
+		if brutalOptions.ReceiveBPS < mux.BrutalMinSpeedBPS {
+			return nil, E.New("brutal: invalid download speed")
+		}
+	}
+	service, err := mux.NewService(mux.ServiceOptions{
+		NewStreamContext: func(ctx context.Context, conn net.Conn) context.Context {
+			return log.ContextWithNewID(ctx)
+		},
+		Logger:  logger,
+		Handler: adapter.NewRouteContextHandler(router, logger),
+		Padding: options.Padding,
+		Brutal:  brutalOptions,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &Router{router, service}, nil
+}
+
+func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	if metadata.Destination == mux.Destination {
+		return r.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, adapter.UpstreamMetadata(metadata))
+	} else {
+		return r.router.RouteConnection(ctx, conn, metadata)
+	}
+}
+
+func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	return r.router.RoutePacketConnection(ctx, conn, metadata)
+}

common/mux/v2ray_legacy.go

@@ -0,0 +1,32 @@
+package mux
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	vmess "github.com/sagernet/sing-vmess"
+	"github.com/sagernet/sing/common/logger"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type V2RayLegacyRouter struct {
+	router adapter.ConnectionRouter
+	logger logger.ContextLogger
+}
+
+func NewV2RayLegacyRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) adapter.ConnectionRouter {
+	return &V2RayLegacyRouter{router, logger}
+}
+
+func (r *V2RayLegacyRouter) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	if metadata.Destination.Fqdn == vmess.MuxDestination.Fqdn {
+		r.logger.InfoContext(ctx, "inbound legacy multiplex connection")
+		return vmess.HandleMuxConnection(ctx, conn, adapter.NewRouteHandler(metadata, r.router, r.logger))
+	}
+	return r.router.RouteConnection(ctx, conn, metadata)
+}
+
+func (r *V2RayLegacyRouter) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	return r.router.RoutePacketConnection(ctx, conn, metadata)
+}

common/proxyproto/dialer.go

@@ -1,50 +0,0 @@
-package proxyproto
-
-import (
-	"context"
-	"net"
-	"net/netip"
-
-	"github.com/sagernet/sing-box/adapter"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	"github.com/pires/go-proxyproto"
-)
-
-var _ N.Dialer = (*Dialer)(nil)
-
-type Dialer struct {
-	N.Dialer
-}
-
-func (d *Dialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	switch N.NetworkName(network) {
-	case N.NetworkTCP:
-		conn, err := d.Dialer.DialContext(ctx, network, destination)
-		if err != nil {
-			return nil, err
-		}
-		var source M.Socksaddr
-		metadata := adapter.ContextFrom(ctx)
-		if metadata != nil {
-			source = metadata.Source
-		}
-		if !source.IsValid() {
-			source = M.SocksaddrFromNet(conn.LocalAddr())
-		}
-		if destination.Addr.Is6() {
-			source = M.SocksaddrFrom(netip.AddrFrom16(source.Addr.As16()), source.Port)
-		}
-		h := proxyproto.HeaderProxyFromAddrs(1, source.TCPAddr(), destination.TCPAddr())
-		_, err = h.WriteTo(conn)
-		if err != nil {
-			conn.Close()
-			return nil, E.Cause(err, "write proxy protocol header")
-		}
-		return conn, nil
-	default:
-		return d.Dialer.DialContext(ctx, network, destination)
-	}
-}

common/proxyproto/listener.go

@@ -1,62 +0,0 @@
-package proxyproto
-
-import (
-	std_bufio "bufio"
-	"net"
-
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
-
-	"github.com/pires/go-proxyproto"
-)
-
-type Listener struct {
-	net.Listener
-	AcceptNoHeader bool
-}
-
-func (l *Listener) Accept() (net.Conn, error) {
-	conn, err := l.Listener.Accept()
-	if err != nil {
-		return nil, err
-	}
-	bufReader := std_bufio.NewReader(conn)
-	header, err := proxyproto.Read(bufReader)
-	if err != nil && !(l.AcceptNoHeader && err == proxyproto.ErrNoProxyProtocol) {
-		return nil, &Error{err}
-	}
-	if bufReader.Buffered() > 0 {
-		cache := buf.NewSize(bufReader.Buffered())
-		_, err = cache.ReadFullFrom(bufReader, cache.FreeLen())
-		if err != nil {
-			return nil, &Error{err}
-		}
-		conn = bufio.NewCachedConn(conn, cache)
-	}
-	if header != nil {
-		return &bufio.AddrConn{Conn: conn, Metadata: M.Metadata{
-			Source:      M.SocksaddrFromNet(header.SourceAddr).Unwrap(),
-			Destination: M.SocksaddrFromNet(header.DestinationAddr).Unwrap(),
-		}}, nil
-	}
-	return conn, nil
-}
-
-var _ net.Error = (*Error)(nil)
-
-type Error struct {
-	error
-}
-
-func (e *Error) Unwrap() error {
-	return e.error
-}
-
-func (e *Error) Timeout() bool {
-	return false
-}
-
-func (e *Error) Temporary() bool {
-	return true
-}

common/settings/proxy_android.go

@@ -1,43 +1,73 @@
 package settings
 
 import (
+	"context"
 	"os"
 	"strings"
 
-	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )
 
-var (
-	useRish  bool
-	rishPath string
-)
+type AndroidSystemProxy struct {
+	useRish      bool
+	rishPath     string
+	serverAddr   M.Socksaddr
+	supportSOCKS bool
+	isEnabled    bool
+}
 
-func init() {
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*AndroidSystemProxy, error) {
 	userId := os.Getuid()
+	var (
+		useRish  bool
+		rishPath string
+	)
 	if userId == 0 || userId == 1000 || userId == 2000 {
 		useRish = false
 	} else {
 		rishPath, useRish = C.FindPath("rish")
+		if !useRish {
+			return nil, E.Cause(os.ErrPermission, "root or system (adb) permission is required for set system proxy")
+		}
 	}
-}
-
-func runAndroidShell(name string, args ...string) error {
-	if !useRish {
-		return shell.Exec(name, args...).Attach().Run()
-	} else {
-		return shell.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
-	}
-}
-
-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	err := runAndroidShell("settings", "put", "global", "http_proxy", F.ToString("127.0.0.1:", port))
-	if err != nil {
-		return nil, err
-	}
-	return func() error {
-		return runAndroidShell("settings", "put", "global", "http_proxy", ":0")
+	return &AndroidSystemProxy{
+		useRish:      useRish,
+		rishPath:     rishPath,
+		serverAddr:   serverAddr,
+		supportSOCKS: supportSOCKS,
 	}, nil
 }
+
+func (p *AndroidSystemProxy) IsEnabled() bool {
+	return p.isEnabled
+}
+
+func (p *AndroidSystemProxy) Enable() error {
+	err := p.runAndroidShell("settings", "put", "global", "http_proxy", p.serverAddr.String())
+	if err != nil {
+		return err
+	}
+	p.isEnabled = true
+	return nil
+}
+
+func (p *AndroidSystemProxy) Disable() error {
+	err := p.runAndroidShell("settings", "put", "global", "http_proxy", ":0")
+	if err != nil {
+		return err
+	}
+	p.isEnabled = false
+	return nil
+}
+
+func (p *AndroidSystemProxy) runAndroidShell(name string, args ...string) error {
+	if !p.useRish {
+		return shell.Exec(name, args...).Attach().Run()
+	} else {
+		return shell.Exec("sh", p.rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+	}
+}

common/settings/proxy_darwin.go

@@ -1,56 +1,56 @@
 package settings
 
 import (
+	"context"
 	"net/netip"
+	"strconv"
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
 )
 
-type systemProxy struct {
+type DarwinSystemProxy struct {
 	monitor       tun.DefaultInterfaceMonitor
 	interfaceName string
 	element       *list.Element[tun.DefaultInterfaceUpdateCallback]
-	port          uint16
-	isMixed       bool
+	serverAddr    M.Socksaddr
+	supportSOCKS  bool
+	isEnabled     bool
 }
 
-func (p *systemProxy) update(event int) {
-	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
-	if p.interfaceName == newInterfaceName {
-		return
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*DarwinSystemProxy, error) {
+	interfaceMonitor := adapter.RouterFromContext(ctx).InterfaceMonitor()
+	if interfaceMonitor == nil {
+		return nil, E.New("missing interface monitor")
 	}
-	if p.interfaceName != "" {
-		_ = p.unset()
+	proxy := &DarwinSystemProxy{
+		monitor:      interfaceMonitor,
+		serverAddr:   serverAddr,
+		supportSOCKS: supportSOCKS,
 	}
-	p.interfaceName = newInterfaceName
-	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
-	if err != nil {
-		return
-	}
-	if p.isMixed {
-		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
-	}
-	if err == nil {
-		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
-	}
-	if err == nil {
-		_ = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
-	}
-	return
+	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
+	return proxy, nil
 }
 
-func (p *systemProxy) unset() error {
+func (p *DarwinSystemProxy) IsEnabled() bool {
+	return p.isEnabled
+}
+
+func (p *DarwinSystemProxy) Enable() error {
+	return p.update0()
+}
+
+func (p *DarwinSystemProxy) Disable() error {
 	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
 	if err != nil {
 		return err
 	}
-	if p.isMixed {
+	if p.supportSOCKS {
 		err = shell.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
@@ -59,9 +59,53 @@ func (p *systemProxy) unset() error {
 	if err == nil {
 		err = shell.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
+	if err == nil {
+		p.isEnabled = false
+	}
 	return err
 }
 
+func (p *DarwinSystemProxy) update(event int) {
+	if event&tun.EventInterfaceUpdate == 0 {
+		return
+	}
+	if !p.isEnabled {
+		return
+	}
+	_ = p.update0()
+}
+
+func (p *DarwinSystemProxy) update0() error {
+	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
+	if p.interfaceName == newInterfaceName {
+		return nil
+	}
+	if p.interfaceName != "" {
+		_ = p.Disable()
+	}
+	p.interfaceName = newInterfaceName
+	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
+	if err != nil {
+		return err
+	}
+	if p.supportSOCKS {
+		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
+	}
+	if err != nil {
+		return err
+	}
+	err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
+	if err != nil {
+		return err
+	}
+	err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
+	if err != nil {
+		return err
+	}
+	p.isEnabled = true
+	return nil
+}
+
 func getInterfaceDisplayName(name string) (string, error) {
 	content, err := shell.Exec("networksetup", "-listallhardwareports").ReadOutput()
 	if err != nil {
@@ -77,21 +121,3 @@ func getInterfaceDisplayName(name string) (string, error) {
 	}
 	return "", E.New(name, " not found in networksetup -listallhardwareports")
 }
-
-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	interfaceMonitor := router.InterfaceMonitor()
-	if interfaceMonitor == nil {
-		return nil, E.New("missing interface monitor")
-	}
-	proxy := &systemProxy{
-		monitor: interfaceMonitor,
-		port:    port,
-		isMixed: isMixed,
-	}
-	proxy.update(tun.EventInterfaceUpdate)
-	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
-	return func() error {
-		interfaceMonitor.UnregisterCallback(proxy.element)
-		return proxy.unset()
-	}, nil
-}

common/settings/proxy_linux.go

@@ -3,75 +3,161 @@
 package settings
 
 import (
+	"context"
 	"os"
 	"os/exec"
 	"strings"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )
 
-var (
-	hasGSettings bool
-	sudoUser     string
-)
+type LinuxSystemProxy struct {
+	hasGSettings     bool
+	hasKWriteConfig5 bool
+	sudoUser         string
+	serverAddr       M.Socksaddr
+	supportSOCKS     bool
+	isEnabled        bool
+}
 
-func init() {
-	hasGSettings = common.Error(exec.LookPath("gsettings")) == nil
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*LinuxSystemProxy, error) {
+	hasGSettings := common.Error(exec.LookPath("gsettings")) == nil
+	hasKWriteConfig5 := common.Error(exec.LookPath("kwriteconfig5")) == nil
+	var sudoUser string
 	if os.Getuid() == 0 {
 		sudoUser = os.Getenv("SUDO_USER")
 	}
+	if !hasGSettings && !hasKWriteConfig5 {
+		return nil, E.New("unsupported desktop environment")
+	}
+	return &LinuxSystemProxy{
+		hasGSettings:     hasGSettings,
+		hasKWriteConfig5: hasKWriteConfig5,
+		sudoUser:         sudoUser,
+		serverAddr:       serverAddr,
+		supportSOCKS:     supportSOCKS,
+	}, nil
 }
 
-func runAsUser(name string, args ...string) error {
+func (p *LinuxSystemProxy) IsEnabled() bool {
+	return p.isEnabled
+}
+
+func (p *LinuxSystemProxy) Enable() error {
+	if p.hasGSettings {
+		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
+		if err != nil {
+			return err
+		}
+		if p.supportSOCKS {
+			err = p.setGnomeProxy("ftp", "http", "https", "socks")
+		} else {
+			err = p.setGnomeProxy("http", "https")
+		}
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(p.supportSOCKS))
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
+		if err != nil {
+			return err
+		}
+	}
+	if p.hasKWriteConfig5 {
+		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "1")
+		if err != nil {
+			return err
+		}
+		if p.supportSOCKS {
+			err = p.setKDEProxy("ftp", "http", "https", "socks")
+		} else {
+			err = p.setKDEProxy("http", "https")
+		}
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "Authmode", "0")
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
+		if err != nil {
+			return err
+		}
+	}
+	p.isEnabled = true
+	return nil
+}
+
+func (p *LinuxSystemProxy) Disable() error {
+	if p.hasGSettings {
+		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
+		if err != nil {
+			return err
+		}
+	}
+	if p.hasKWriteConfig5 {
+		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "0")
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
+		if err != nil {
+			return err
+		}
+	}
+	p.isEnabled = false
+	return nil
+}
+
+func (p *LinuxSystemProxy) runAsUser(name string, args ...string) error {
 	if os.Getuid() != 0 {
 		return shell.Exec(name, args...).Attach().Run()
-	} else if sudoUser != "" {
-		return shell.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+	} else if p.sudoUser != "" {
+		return shell.Exec("su", "-", p.sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	} else {
 		return E.New("set system proxy: unable to set as root")
 	}
 }
 
-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	if !hasGSettings {
-		return nil, E.New("unsupported desktop environment")
-	}
-	err := runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
-	if err != nil {
-		return nil, err
-	}
-	if isMixed {
-		err = setGnomeProxy(port, "ftp", "http", "https", "socks")
-	} else {
-		err = setGnomeProxy(port, "http", "https")
-	}
-	if err != nil {
-		return nil, err
-	}
-	err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(isMixed))
-	if err != nil {
-		return nil, err
-	}
-	err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
-	if err != nil {
-		return nil, err
-	}
-	return func() error {
-		return runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
-	}, nil
-}
-
-func setGnomeProxy(port uint16, proxyTypes ...string) error {
+func (p *LinuxSystemProxy) setGnomeProxy(proxyTypes ...string) error {
 	for _, proxyType := range proxyTypes {
-		err := runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", "127.0.0.1")
+		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", p.serverAddr.AddrString())
 		if err != nil {
 			return err
 		}
-		err = runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(port))
+		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(p.serverAddr.Port))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (p *LinuxSystemProxy) setKDEProxy(proxyTypes ...string) error {
+	for _, proxyType := range proxyTypes {
+		var proxyUrl string
+		if proxyType == "socks" {
+			proxyUrl = "socks://" + p.serverAddr.String()
+		} else {
+			proxyUrl = "http://" + p.serverAddr.String()
+		}
+		err := p.runAsUser(
+			"kwriteconfig5",
+			"--file",
+			"kioslaverc",
+			"--group",
+			"Proxy Settings",
+			"--key", proxyType+"Proxy",
+			proxyUrl,
+		)
 		if err != nil {
 			return err
 		}

common/settings/proxy_stub.go

@@ -3,11 +3,12 @@
 package settings
 
 import (
+	"context"
 	"os"
 
-	"github.com/sagernet/sing-box/adapter"
+	M "github.com/sagernet/sing/common/metadata"
 )
 
-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (SystemProxy, error) {
 	return nil, os.ErrInvalid
 }

common/settings/proxy_windows.go

@@ -1,17 +1,43 @@
 package settings
 
 import (
-	"github.com/sagernet/sing-box/adapter"
-	F "github.com/sagernet/sing/common/format"
+	"context"
+
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/wininet"
 )
 
-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	err := wininet.SetSystemProxy(F.ToString("http://127.0.0.1:", port), "")
-	if err != nil {
-		return nil, err
-	}
-	return func() error {
-		return wininet.ClearSystemProxy()
+type WindowsSystemProxy struct {
+	serverAddr   M.Socksaddr
+	supportSOCKS bool
+	isEnabled    bool
+}
+
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*WindowsSystemProxy, error) {
+	return &WindowsSystemProxy{
+		serverAddr:   serverAddr,
+		supportSOCKS: supportSOCKS,
 	}, nil
 }
+
+func (p *WindowsSystemProxy) IsEnabled() bool {
+	return p.isEnabled
+}
+
+func (p *WindowsSystemProxy) Enable() error {
+	err := wininet.SetSystemProxy("http://"+p.serverAddr.String(), "")
+	if err != nil {
+		return err
+	}
+	p.isEnabled = true
+	return nil
+}
+
+func (p *WindowsSystemProxy) Disable() error {
+	err := wininet.ClearSystemProxy()
+	if err != nil {
+		return err
+	}
+	p.isEnabled = false
+	return nil
+}

common/settings/system_proxy.go

@@ -0,0 +1,7 @@
+package settings
+
+type SystemProxy interface {
+	IsEnabled() bool
+	Enable() error
+	Disable() error
+}

common/sniff/quic.go

@@ -182,11 +182,52 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
 			break
 		}
 		switch frameType {
-		case 0x0:
+		case 0x00: // PADDING
 			continue
-		case 0x1:
+		case 0x01: // PING
 			continue
-		case 0x6:
+		case 0x02, 0x03: // ACK
+			_, err = qtls.ReadUvarint(decryptedReader) // Largest Acknowledged
+			if err != nil {
+				return nil, err
+			}
+			_, err = qtls.ReadUvarint(decryptedReader) // ACK Delay
+			if err != nil {
+				return nil, err
+			}
+			ackRangeCount, err := qtls.ReadUvarint(decryptedReader) // ACK Range Count
+			if err != nil {
+				return nil, err
+			}
+			_, err = qtls.ReadUvarint(decryptedReader) // First ACK Range
+			if err != nil {
+				return nil, err
+			}
+			for i := 0; i < int(ackRangeCount); i++ {
+				_, err = qtls.ReadUvarint(decryptedReader) // Gap
+				if err != nil {
+					return nil, err
+				}
+				_, err = qtls.ReadUvarint(decryptedReader) // ACK Range Length
+				if err != nil {
+					return nil, err
+				}
+			}
+			if frameType == 0x03 {
+				_, err = qtls.ReadUvarint(decryptedReader) // ECT0 Count
+				if err != nil {
+					return nil, err
+				}
+				_, err = qtls.ReadUvarint(decryptedReader) // ECT1 Count
+				if err != nil {
+					return nil, err
+				}
+				_, err = qtls.ReadUvarint(decryptedReader) // ECN-CE Count
+				if err != nil {
+					return nil, err
+				}
+			}
+		case 0x06: // CRYPTO
 			var offset uint64
 			offset, err = qtls.ReadUvarint(decryptedReader)
 			if err != nil {
@@ -208,8 +249,26 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
 			if err != nil {
 				return nil, err
 			}
+		case 0x1c: // CONNECTION_CLOSE
+			_, err = qtls.ReadUvarint(decryptedReader) // Error Code
+			if err != nil {
+				return nil, err
+			}
+			_, err = qtls.ReadUvarint(decryptedReader) // Frame Type
+			if err != nil {
+				return nil, err
+			}
+			var length uint64
+			length, err = qtls.ReadUvarint(decryptedReader) // Reason Phrase Length
+			if err != nil {
+				return nil, err
+			}
+			_, err = decryptedReader.Seek(int64(length), io.SeekCurrent) // Reason Phrase
+			if err != nil {
+				return nil, err
+			}
 		default:
-			// ignore unknown frame type
+			return nil, os.ErrInvalid
 		}
 	}
 	tlsHdr := make([]byte, 5)

common/tls/acme.go

@@ -9,10 +9,13 @@ import (
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 
 	"github.com/caddyserver/certmagic"
+	"github.com/libdns/alidns"
+	"github.com/libdns/cloudflare"
 	"github.com/mholt/acmez/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -74,6 +77,24 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		AltTLSALPNPort:          int(options.AlternativeTLSPort),
 		Logger:                  config.Logger,
 	}
+	if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {
+		var solver certmagic.DNS01Solver
+		switch dnsOptions.Provider {
+		case C.DNSProviderAliDNS:
+			solver.DNSProvider = &alidns.Provider{
+				AccKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
+				AccKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
+				RegionID:     dnsOptions.AliDNSOptions.RegionID,
+			}
+		case C.DNSProviderCloudflare:
+			solver.DNSProvider = &cloudflare.Provider{
+				APIToken: dnsOptions.CloudflareOptions.APIToken,
+			}
+		default:
+			return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)
+		}
+		acmeConfig.DNS01Solver = &solver
+	}
 	if options.ExternalAccount != nil && options.ExternalAccount.KeyID != "" {
 		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
 	}
@@ -84,5 +105,16 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		},
 	})
 	config = certmagic.New(cache, *config)
-	return config.TLSConfig(), &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
+	var tlsConfig *tls.Config
+	if acmeConfig.DisableTLSALPNChallenge || acmeConfig.DNS01Solver != nil {
+		tlsConfig = &tls.Config{
+			GetCertificate: config.GetCertificate,
+		}
+	} else {
+		tlsConfig = &tls.Config{
+			GetCertificate: config.GetCertificate,
+			NextProtos:     []string{ACMETLS1Protocol},
+		}
+	}
+	return tlsConfig, &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
 }

common/tls/acme_contstant.go

@@ -0,0 +1,3 @@
+package tls
+
+const ACMETLS1Protocol = "acme-tls/1"

common/tls/client.go

@@ -13,29 +13,29 @@ import (
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func NewDialerFromOptions(router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
+func NewDialerFromOptions(ctx context.Context, router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
 	if !options.Enabled {
 		return dialer, nil
 	}
-	config, err := NewClient(router, serverAddress, options)
+	config, err := NewClient(ctx, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}
 	return NewDialer(dialer, config), nil
 }
 
-func NewClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
 	if options.ECH != nil && options.ECH.Enabled {
-		return NewECHClient(router, serverAddress, options)
+		return NewECHClient(ctx, serverAddress, options)
 	} else if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityClient(router, serverAddress, options)
+		return NewRealityClient(ctx, serverAddress, options)
 	} else if options.UTLS != nil && options.UTLS.Enabled {
-		return NewUTLSClient(router, serverAddress, options)
+		return NewUTLSClient(ctx, serverAddress, options)
 	} else {
-		return NewSTDClient(router, serverAddress, options)
+		return NewSTDClient(ctx, serverAddress, options)
 	}
 }
 

common/tls/ech_client.go

@@ -7,50 +7,53 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"net"
 	"net/netip"
 	"os"
+	"strings"
 
 	cftls "github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
 
 	mDNS "github.com/miekg/dns"
 )
 
-type ECHClientConfig struct {
+type echClientConfig struct {
 	config *cftls.Config
 }
 
-func (e *ECHClientConfig) ServerName() string {
-	return e.config.ServerName
+func (c *echClientConfig) ServerName() string {
+	return c.config.ServerName
 }
 
-func (e *ECHClientConfig) SetServerName(serverName string) {
-	e.config.ServerName = serverName
+func (c *echClientConfig) SetServerName(serverName string) {
+	c.config.ServerName = serverName
 }
 
-func (e *ECHClientConfig) NextProtos() []string {
-	return e.config.NextProtos
+func (c *echClientConfig) NextProtos() []string {
+	return c.config.NextProtos
 }
 
-func (e *ECHClientConfig) SetNextProtos(nextProto []string) {
-	e.config.NextProtos = nextProto
+func (c *echClientConfig) SetNextProtos(nextProto []string) {
+	c.config.NextProtos = nextProto
 }
 
-func (e *ECHClientConfig) Config() (*STDConfig, error) {
+func (c *echClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for ECH")
 }
 
-func (e *ECHClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Client(conn, e.config)}, nil
+func (c *echClientConfig) Client(conn net.Conn) (Conn, error) {
+	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
 }
 
-func (e *ECHClientConfig) Clone() Config {
-	return &ECHClientConfig{
-		config: e.config.Clone(),
+func (c *echClientConfig) Clone() Config {
+	return &echClientConfig{
+		config: c.config.Clone(),
 	}
 }
 
@@ -80,7 +83,7 @@ func (c *echConnWrapper) Upstream() any {
 	return c.Conn
 }
 
-func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -94,7 +97,7 @@ func NewECHClient(router adapter.Router, serverAddress string, options option.Ou
 	}
 
 	var tlsConfig cftls.Config
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -146,8 +149,8 @@ func NewECHClient(router adapter.Router, serverAddress string, options option.Ou
 		}
 	}
 	var certificate []byte
-	if options.Certificate != "" {
-		certificate = []byte(options.Certificate)
+	if len(options.Certificate) > 0 {
+		certificate = []byte(strings.Join(options.Certificate, "\n"))
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {
@@ -168,24 +171,36 @@ func NewECHClient(router adapter.Router, serverAddress string, options option.Ou
 	tlsConfig.ECHEnabled = true
 	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
 	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
-	if options.ECH.Config != "" {
-		clientConfigContent, err := base64.StdEncoding.DecodeString(options.ECH.Config)
+
+	var echConfig []byte
+	if len(options.ECH.Config) > 0 {
+		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
+	} else if options.ECH.ConfigPath != "" {
+		content, err := os.ReadFile(options.ECH.ConfigPath)
 		if err != nil {
-			return nil, err
+			return nil, E.Cause(err, "read ECH config")
 		}
-		clientConfig, err := cftls.UnmarshalECHConfigs(clientConfigContent)
-		if err != nil {
-			return nil, err
-		}
-		tlsConfig.ClientECHConfigs = clientConfig
-	} else {
-		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(router)
+		echConfig = content
 	}
-	return &ECHClientConfig{&tlsConfig}, nil
+
+	if len(echConfig) > 0 {
+		block, rest := pem.Decode(echConfig)
+		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
+			return nil, E.New("invalid ECH configs pem")
+		}
+		echConfigs, err := cftls.UnmarshalECHConfigs(block.Bytes)
+		if err != nil {
+			return nil, E.Cause(err, "parse ECH configs")
+		}
+		tlsConfig.ClientECHConfigs = echConfigs
+	} else {
+		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(ctx)
+	}
+	return &echClientConfig{&tlsConfig}, nil
 }
 
-func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
-	return func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
+func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
+	return func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
@@ -198,7 +213,7 @@ func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serve
 				},
 			},
 		}
-		response, err := router.Exchange(ctx, message)
+		response, err := adapter.RouterFromContext(ctx).Exchange(ctx, message)
 		if err != nil {
 			return nil, err
 		}

common/tls/ech_keygen.go

@@ -0,0 +1,169 @@
+//go:build with_ech
+
+package tls
+
+import (
+	"bytes"
+	"encoding/binary"
+	"encoding/pem"
+
+	cftls "github.com/sagernet/cloudflare-tls"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"github.com/cloudflare/circl/hpke"
+	"github.com/cloudflare/circl/kem"
+)
+
+func ECHKeygenDefault(serverName string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
+	cipherSuites := []echCipherSuite{
+		{
+			kdf:  hpke.KDF_HKDF_SHA256,
+			aead: hpke.AEAD_AES128GCM,
+		}, {
+			kdf:  hpke.KDF_HKDF_SHA256,
+			aead: hpke.AEAD_ChaCha20Poly1305,
+		},
+	}
+
+	keyConfig := []myECHKeyConfig{
+		{id: 0, kem: hpke.KEM_X25519_HKDF_SHA256},
+	}
+	if pqSignatureSchemesEnabled {
+		keyConfig = append(keyConfig, myECHKeyConfig{id: 1, kem: hpke.KEM_X25519_KYBER768_DRAFT00})
+	}
+
+	keyPairs, err := echKeygen(0xfe0d, serverName, keyConfig, cipherSuites)
+	if err != nil {
+		return
+	}
+
+	var configBuffer bytes.Buffer
+	var totalLen uint16
+	for _, keyPair := range keyPairs {
+		totalLen += uint16(len(keyPair.rawConf))
+	}
+	binary.Write(&configBuffer, binary.BigEndian, totalLen)
+	for _, keyPair := range keyPairs {
+		configBuffer.Write(keyPair.rawConf)
+	}
+
+	var keyBuffer bytes.Buffer
+	for _, keyPair := range keyPairs {
+		keyBuffer.Write(keyPair.rawKey)
+	}
+
+	configPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH CONFIGS", Bytes: configBuffer.Bytes()}))
+	keyPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH KEYS", Bytes: keyBuffer.Bytes()}))
+	return
+}
+
+type echKeyConfigPair struct {
+	id      uint8
+	key     cftls.EXP_ECHKey
+	rawKey  []byte
+	conf    myECHKeyConfig
+	rawConf []byte
+}
+
+type echCipherSuite struct {
+	kdf  hpke.KDF
+	aead hpke.AEAD
+}
+
+type myECHKeyConfig struct {
+	id   uint8
+	kem  hpke.KEM
+	seed []byte
+}
+
+func echKeygen(version uint16, serverName string, conf []myECHKeyConfig, suite []echCipherSuite) ([]echKeyConfigPair, error) {
+	be := binary.BigEndian
+	// prepare for future update
+	if version != 0xfe0d {
+		return nil, E.New("unsupported ECH version", version)
+	}
+
+	suiteBuf := make([]byte, 0, len(suite)*4+2)
+	suiteBuf = be.AppendUint16(suiteBuf, uint16(len(suite))*4)
+	for _, s := range suite {
+		if !s.kdf.IsValid() || !s.aead.IsValid() {
+			return nil, E.New("invalid HPKE cipher suite")
+		}
+		suiteBuf = be.AppendUint16(suiteBuf, uint16(s.kdf))
+		suiteBuf = be.AppendUint16(suiteBuf, uint16(s.aead))
+	}
+
+	pairs := []echKeyConfigPair{}
+	for _, c := range conf {
+		pair := echKeyConfigPair{}
+		pair.id = c.id
+		pair.conf = c
+
+		if !c.kem.IsValid() {
+			return nil, E.New("invalid HPKE KEM")
+		}
+
+		kpGenerator := c.kem.Scheme().GenerateKeyPair
+		if len(c.seed) > 0 {
+			kpGenerator = func() (kem.PublicKey, kem.PrivateKey, error) {
+				pub, sec := c.kem.Scheme().DeriveKeyPair(c.seed)
+				return pub, sec, nil
+			}
+			if len(c.seed) < c.kem.Scheme().PrivateKeySize() {
+				return nil, E.New("HPKE KEM seed too short")
+			}
+		}
+
+		pub, sec, err := kpGenerator()
+		if err != nil {
+			return nil, E.Cause(err, "generate ECH config key pair")
+		}
+		b := []byte{}
+		b = be.AppendUint16(b, version)
+		b = be.AppendUint16(b, 0) // length field
+		// contents
+		// key config
+		b = append(b, c.id)
+		b = be.AppendUint16(b, uint16(c.kem))
+		pubBuf, err := pub.MarshalBinary()
+		if err != nil {
+			return nil, E.Cause(err, "serialize ECH public key")
+		}
+		b = be.AppendUint16(b, uint16(len(pubBuf)))
+		b = append(b, pubBuf...)
+
+		b = append(b, suiteBuf...)
+		// end key config
+		// max name len, not supported
+		b = append(b, 0)
+		// server name
+		b = append(b, byte(len(serverName)))
+		b = append(b, []byte(serverName)...)
+		// extensions, not supported
+		b = be.AppendUint16(b, 0)
+
+		be.PutUint16(b[2:], uint16(len(b)-4))
+
+		pair.rawConf = b
+
+		secBuf, err := sec.MarshalBinary()
+		sk := []byte{}
+		sk = be.AppendUint16(sk, uint16(len(secBuf)))
+		sk = append(sk, secBuf...)
+		sk = be.AppendUint16(sk, uint16(len(b)))
+		sk = append(sk, b...)
+
+		cfECHKeys, err := cftls.EXP_UnmarshalECHKeys(sk)
+		if err != nil {
+			return nil, E.Cause(err, "bug: can't parse generated ECH server key")
+		}
+		if len(cfECHKeys) != 1 {
+			return nil, E.New("bug: unexpected server key count")
+		}
+		pair.key = cfECHKeys[0]
+		pair.rawKey = sk
+
+		pairs = append(pairs, pair)
+	}
+	return pairs, nil
+}

common/tls/ech_quic.go

@@ -0,0 +1,56 @@
+//go:build with_quic && with_ech
+
+package tls
+
+import (
+	"context"
+	"net"
+	"net/http"
+
+	"github.com/sagernet/cloudflare-tls"
+	"github.com/sagernet/quic-go/ech"
+	"github.com/sagernet/quic-go/http3_ech"
+	"github.com/sagernet/sing-quic"
+	M "github.com/sagernet/sing/common/metadata"
+)
+
+var (
+	_ qtls.Config       = (*echClientConfig)(nil)
+	_ qtls.ServerConfig = (*echServerConfig)(nil)
+)
+
+func (c *echClientConfig) Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.Connection, error) {
+	return quic.Dial(ctx, conn, addr, c.config, config)
+}
+
+func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.EarlyConnection, error) {
+	return quic.DialEarly(ctx, conn, addr, c.config, config)
+}
+
+func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config, enableDatagrams bool) http.RoundTripper {
+	return &http3.RoundTripper{
+		TLSClientConfig: c.config,
+		QuicConfig:      quicConfig,
+		EnableDatagrams: enableDatagrams,
+		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
+			if err != nil {
+				return nil, err
+			}
+			*quicConnPtr = quicConn
+			return quicConn, nil
+		},
+	}
+}
+
+func (c *echServerConfig) Listen(conn net.PacketConn, config *quic.Config) (qtls.Listener, error) {
+	return quic.Listen(conn, c.config, config)
+}
+
+func (c *echServerConfig) ListenEarly(conn net.PacketConn, config *quic.Config) (qtls.EarlyListener, error) {
+	return quic.ListenEarly(conn, c.config, config)
+}
+
+func (c *echServerConfig) ConfigureHTTP3() {
+	http3.ConfigureTLSConfig(c.config)
+}

common/tls/ech_server.go

@@ -0,0 +1,343 @@
+//go:build with_ech
+
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/pem"
+	"net"
+	"os"
+	"strings"
+
+	cftls "github.com/sagernet/cloudflare-tls"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
+
+	"github.com/fsnotify/fsnotify"
+)
+
+type echServerConfig struct {
+	config          *cftls.Config
+	logger          log.Logger
+	certificate     []byte
+	key             []byte
+	certificatePath string
+	keyPath         string
+	watcher         *fsnotify.Watcher
+	echKeyPath      string
+	echWatcher      *fsnotify.Watcher
+}
+
+func (c *echServerConfig) ServerName() string {
+	return c.config.ServerName
+}
+
+func (c *echServerConfig) SetServerName(serverName string) {
+	c.config.ServerName = serverName
+}
+
+func (c *echServerConfig) NextProtos() []string {
+	return c.config.NextProtos
+}
+
+func (c *echServerConfig) SetNextProtos(nextProto []string) {
+	c.config.NextProtos = nextProto
+}
+
+func (c *echServerConfig) Config() (*STDConfig, error) {
+	return nil, E.New("unsupported usage for ECH")
+}
+
+func (c *echServerConfig) Client(conn net.Conn) (Conn, error) {
+	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
+}
+
+func (c *echServerConfig) Server(conn net.Conn) (Conn, error) {
+	return &echConnWrapper{cftls.Server(conn, c.config)}, nil
+}
+
+func (c *echServerConfig) Clone() Config {
+	return &echServerConfig{
+		config: c.config.Clone(),
+	}
+}
+
+func (c *echServerConfig) Start() error {
+	if c.certificatePath != "" && c.keyPath != "" {
+		err := c.startWatcher()
+		if err != nil {
+			c.logger.Warn("create fsnotify watcher: ", err)
+		}
+	}
+	if c.echKeyPath != "" {
+		err := c.startECHWatcher()
+		if err != nil {
+			c.logger.Warn("create fsnotify watcher: ", err)
+		}
+	}
+	return nil
+}
+
+func (c *echServerConfig) startWatcher() error {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return err
+	}
+	if c.certificatePath != "" {
+		err = watcher.Add(c.certificatePath)
+		if err != nil {
+			return err
+		}
+	}
+	if c.keyPath != "" {
+		err = watcher.Add(c.keyPath)
+		if err != nil {
+			return err
+		}
+	}
+	c.watcher = watcher
+	go c.loopUpdate()
+	return nil
+}
+
+func (c *echServerConfig) loopUpdate() {
+	for {
+		select {
+		case event, ok := <-c.watcher.Events:
+			if !ok {
+				return
+			}
+			if event.Op&fsnotify.Write != fsnotify.Write {
+				continue
+			}
+			err := c.reloadKeyPair()
+			if err != nil {
+				c.logger.Error(E.Cause(err, "reload TLS key pair"))
+			}
+		case err, ok := <-c.watcher.Errors:
+			if !ok {
+				return
+			}
+			c.logger.Error(E.Cause(err, "fsnotify error"))
+		}
+	}
+}
+
+func (c *echServerConfig) reloadKeyPair() error {
+	if c.certificatePath != "" {
+		certificate, err := os.ReadFile(c.certificatePath)
+		if err != nil {
+			return E.Cause(err, "reload certificate from ", c.certificatePath)
+		}
+		c.certificate = certificate
+	}
+	if c.keyPath != "" {
+		key, err := os.ReadFile(c.keyPath)
+		if err != nil {
+			return E.Cause(err, "reload key from ", c.keyPath)
+		}
+		c.key = key
+	}
+	keyPair, err := cftls.X509KeyPair(c.certificate, c.key)
+	if err != nil {
+		return E.Cause(err, "reload key pair")
+	}
+	c.config.Certificates = []cftls.Certificate{keyPair}
+	c.logger.Info("reloaded TLS certificate")
+	return nil
+}
+
+func (c *echServerConfig) startECHWatcher() error {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return err
+	}
+	err = watcher.Add(c.echKeyPath)
+	if err != nil {
+		return err
+	}
+	c.echWatcher = watcher
+	go c.loopECHUpdate()
+	return nil
+}
+
+func (c *echServerConfig) loopECHUpdate() {
+	for {
+		select {
+		case event, ok := <-c.echWatcher.Events:
+			if !ok {
+				return
+			}
+			if event.Op&fsnotify.Write != fsnotify.Write {
+				continue
+			}
+			err := c.reloadECHKey()
+			if err != nil {
+				c.logger.Error(E.Cause(err, "reload ECH key"))
+			}
+		case err, ok := <-c.echWatcher.Errors:
+			if !ok {
+				return
+			}
+			c.logger.Error(E.Cause(err, "fsnotify error"))
+		}
+	}
+}
+
+func (c *echServerConfig) reloadECHKey() error {
+	echKeyContent, err := os.ReadFile(c.echKeyPath)
+	if err != nil {
+		return err
+	}
+	block, rest := pem.Decode(echKeyContent)
+	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
+		return E.New("invalid ECH keys pem")
+	}
+	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
+	if err != nil {
+		return E.Cause(err, "parse ECH keys")
+	}
+	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
+	if err != nil {
+		return E.Cause(err, "create ECH key set")
+	}
+	c.config.ServerECHProvider = echKeySet
+	c.logger.Info("reloaded ECH keys")
+	return nil
+}
+
+func (c *echServerConfig) Close() error {
+	var err error
+	if c.watcher != nil {
+		err = E.Append(err, c.watcher.Close(), func(err error) error {
+			return E.Cause(err, "close certificate watcher")
+		})
+	}
+	if c.echWatcher != nil {
+		err = E.Append(err, c.echWatcher.Close(), func(err error) error {
+			return E.Cause(err, "close ECH key watcher")
+		})
+	}
+	return err
+}
+
+func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+	if !options.Enabled {
+		return nil, nil
+	}
+	var tlsConfig cftls.Config
+	if options.ACME != nil && len(options.ACME.Domain) > 0 {
+		return nil, E.New("acme is unavailable in ech")
+	}
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	if options.ServerName != "" {
+		tlsConfig.ServerName = options.ServerName
+	}
+	if len(options.ALPN) > 0 {
+		tlsConfig.NextProtos = append(options.ALPN, tlsConfig.NextProtos...)
+	}
+	if options.MinVersion != "" {
+		minVersion, err := ParseTLSVersion(options.MinVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse min_version")
+		}
+		tlsConfig.MinVersion = minVersion
+	}
+	if options.MaxVersion != "" {
+		maxVersion, err := ParseTLSVersion(options.MaxVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse max_version")
+		}
+		tlsConfig.MaxVersion = maxVersion
+	}
+	if options.CipherSuites != nil {
+	find:
+		for _, cipherSuite := range options.CipherSuites {
+			for _, tlsCipherSuite := range tls.CipherSuites() {
+				if cipherSuite == tlsCipherSuite.Name {
+					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
+					continue find
+				}
+			}
+			return nil, E.New("unknown cipher_suite: ", cipherSuite)
+		}
+	}
+	var certificate []byte
+	var key []byte
+	if len(options.Certificate) > 0 {
+		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	} else if options.CertificatePath != "" {
+		content, err := os.ReadFile(options.CertificatePath)
+		if err != nil {
+			return nil, E.Cause(err, "read certificate")
+		}
+		certificate = content
+	}
+	if len(options.Key) > 0 {
+		key = []byte(strings.Join(options.Key, "\n"))
+	} else if options.KeyPath != "" {
+		content, err := os.ReadFile(options.KeyPath)
+		if err != nil {
+			return nil, E.Cause(err, "read key")
+		}
+		key = content
+	}
+
+	if certificate == nil {
+		return nil, E.New("missing certificate")
+	} else if key == nil {
+		return nil, E.New("missing key")
+	}
+
+	keyPair, err := cftls.X509KeyPair(certificate, key)
+	if err != nil {
+		return nil, E.Cause(err, "parse x509 key pair")
+	}
+	tlsConfig.Certificates = []cftls.Certificate{keyPair}
+
+	var echKey []byte
+	if len(options.ECH.Key) > 0 {
+		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
+	} else if options.KeyPath != "" {
+		content, err := os.ReadFile(options.ECH.KeyPath)
+		if err != nil {
+			return nil, E.Cause(err, "read ECH key")
+		}
+		echKey = content
+	} else {
+		return nil, E.New("missing ECH key")
+	}
+
+	block, rest := pem.Decode(echKey)
+	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
+		return nil, E.New("invalid ECH keys pem")
+	}
+
+	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
+	if err != nil {
+		return nil, E.Cause(err, "parse ECH keys")
+	}
+
+	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
+	if err != nil {
+		return nil, E.Cause(err, "create ECH key set")
+	}
+
+	tlsConfig.ECHEnabled = true
+	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
+	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
+	tlsConfig.ServerECHProvider = echKeySet
+
+	return &echServerConfig{
+		config:          &tlsConfig,
+		logger:          logger,
+		certificate:     certificate,
+		key:             key,
+		certificatePath: options.CertificatePath,
+		keyPath:         options.KeyPath,
+		echKeyPath:      options.ECH.KeyPath,
+	}, nil
+}

common/tls/ech_stub.go

@@ -3,11 +3,23 @@
 package tls
 
 import (
-	"github.com/sagernet/sing-box/adapter"
+	"context"
+
+	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return nil, E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
+var errECHNotIncluded = E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
+
+func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+	return nil, errECHNotIncluded
+}
+
+func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	return nil, errECHNotIncluded
+}
+
+func ECHKeygenDefault(host string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
+	return "", "", errECHNotIncluded
 }

common/tls/mkcert.go

@@ -11,22 +11,34 @@ import (
 	"time"
 )
 
-func GenerateKeyPair(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
+func GenerateCertificate(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
+	privateKeyPem, publicKeyPem, err := GenerateKeyPair(timeFunc, serverName, timeFunc().Add(time.Hour))
+	if err != nil {
+		return nil, err
+	}
+	certificate, err := tls.X509KeyPair(publicKeyPem, privateKeyPem)
+	if err != nil {
+		return nil, err
+	}
+	return &certificate, err
+}
+
+func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.Time) (privateKeyPem []byte, publicKeyPem []byte, err error) {
 	if timeFunc == nil {
 		timeFunc = time.Now
 	}
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
-		return nil, err
+		return
 	}
 	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
 	if err != nil {
-		return nil, err
+		return
 	}
 	template := &x509.Certificate{
 		SerialNumber:          serialNumber,
 		NotBefore:             timeFunc().Add(time.Hour * -1),
-		NotAfter:              timeFunc().Add(time.Hour),
+		NotAfter:              expire,
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
@@ -37,17 +49,13 @@ func GenerateKeyPair(timeFunc func() time.Time, serverName string) (*tls.Certifi
 	}
 	publicDer, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
 	if err != nil {
-		return nil, err
+		return
 	}
 	privateDer, err := x509.MarshalPKCS8PrivateKey(key)
 	if err != nil {
-		return nil, err
+		return
 	}
-	publicPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: publicDer})
-	privPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateDer})
-	keyPair, err := tls.X509KeyPair(publicPem, privPem)
-	if err != nil {
-		return nil, err
-	}
-	return &keyPair, err
+	publicKeyPem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: publicDer})
+	privateKeyPem = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateDer})
+	return
 }

common/tls/reality_client.go

@@ -26,7 +26,6 @@ import (
 	"time"
 	"unsafe"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -45,12 +44,12 @@ type RealityClientConfig struct {
 	shortID   [8]byte
 }
 
-func NewRealityClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
+func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
 	if options.UTLS == nil || !options.UTLS.Enabled {
 		return nil, E.New("uTLS is required by reality client")
 	}
 
-	uClient, err := NewUTLSClient(router, serverAddress, options)
+	uClient, err := NewUTLSClient(ctx, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}

common/tls/reality_server.go

@@ -19,6 +19,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
 )
 
 var _ ServerConfigCompat = (*RealityServerConfig)(nil)
@@ -27,13 +28,13 @@ type RealityServerConfig struct {
 	config *reality.Config
 }
 
-func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
+func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
 	var tlsConfig reality.Config
 
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		return nil, E.New("acme is unavailable in reality")
 	}
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.ServerName != "" {
 		tlsConfig.ServerName = options.ServerName
 	}
@@ -66,10 +67,10 @@ func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Log
 			return nil, E.New("unknown cipher_suite: ", cipherSuite)
 		}
 	}
-	if options.Certificate != "" || options.CertificatePath != "" {
+	if len(options.Certificate) > 0 || options.CertificatePath != "" {
 		return nil, E.New("certificate is unavailable in reality")
 	}
-	if options.Key != "" || options.KeyPath != "" {
+	if len(options.Key) > 0 || options.KeyPath != "" {
 		return nil, E.New("key is unavailable in reality")
 	}
 
@@ -101,7 +102,7 @@ func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Log
 		tlsConfig.ShortIds[shortID] = true
 	}
 
-	handshakeDialer, err := dialer.New(router, options.Reality.Handshake.DialerOptions)
+	handshakeDialer, err := dialer.New(adapter.RouterFromContext(ctx), options.Reality.Handshake.DialerOptions)
 	if err != nil {
 		return nil, err
 	}

common/tls/reality_stub.go

@@ -5,12 +5,11 @@ package tls
 import (
 	"context"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	return nil, E.New(`reality server is not included in this build, rebuild with -tags with_reality_server`)
 }

common/tls/server.go

@@ -4,21 +4,22 @@ import (
 	"context"
 	"net"
 
-	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func NewServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
-	if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityServer(ctx, router, logger, options)
+	if options.ECH != nil && options.ECH.Enabled {
+		return NewECHServer(ctx, logger, options)
+	} else if options.Reality != nil && options.Reality.Enabled {
+		return NewRealityServer(ctx, logger, options)
 	} else {
-		return NewSTDServer(ctx, router, logger, options)
+		return NewSTDServer(ctx, logger, options)
 	}
 }
 

common/tls/std_client.go

@@ -1,15 +1,17 @@
 package tls
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"net"
 	"net/netip"
 	"os"
+	"strings"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
 )
 
 type STDClientConfig struct {
@@ -44,7 +46,7 @@ func (s *STDClientConfig) Clone() Config {
 	return &STDClientConfig{s.config.Clone()}
 }
 
-func NewSTDClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewSTDClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -58,7 +60,7 @@ func NewSTDClient(router adapter.Router, serverAddress string, options option.Ou
 	}
 
 	var tlsConfig tls.Config
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -110,8 +112,8 @@ func NewSTDClient(router adapter.Router, serverAddress string, options option.Ou
 		}
 	}
 	var certificate []byte
-	if options.Certificate != "" {
-		certificate = []byte(options.Certificate)
+	if len(options.Certificate) > 0 {
+		certificate = []byte(strings.Join(options.Certificate, "\n"))
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {

common/tls/std_server.go

@@ -5,12 +5,14 @@ import (
 	"crypto/tls"
 	"net"
 	"os"
+	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
 
 	"github.com/fsnotify/fsnotify"
 )
@@ -37,11 +39,19 @@ func (c *STDServerConfig) SetServerName(serverName string) {
 }
 
 func (c *STDServerConfig) NextProtos() []string {
-	return c.config.NextProtos
+	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
+		return c.config.NextProtos[1:]
+	} else {
+		return c.config.NextProtos
+	}
 }
 
 func (c *STDServerConfig) SetNextProtos(nextProto []string) {
-	c.config.NextProtos = nextProto
+	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
+		c.config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
+	} else {
+		c.config.NextProtos = nextProto
+	}
 }
 
 func (c *STDServerConfig) Config() (*STDConfig, error) {
@@ -156,7 +166,7 @@ func (c *STDServerConfig) Close() error {
 	return nil
 }
 
-func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewSTDServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
@@ -175,7 +185,7 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 	} else {
 		tlsConfig = &tls.Config{}
 	}
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.ServerName != "" {
 		tlsConfig.ServerName = options.ServerName
 	}
@@ -211,8 +221,8 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 	var certificate []byte
 	var key []byte
 	if acmeService == nil {
-		if options.Certificate != "" {
-			certificate = []byte(options.Certificate)
+		if len(options.Certificate) > 0 {
+			certificate = []byte(strings.Join(options.Certificate, "\n"))
 		} else if options.CertificatePath != "" {
 			content, err := os.ReadFile(options.CertificatePath)
 			if err != nil {
@@ -220,8 +230,8 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 			}
 			certificate = content
 		}
-		if options.Key != "" {
-			key = []byte(options.Key)
+		if len(options.Key) > 0 {
+			key = []byte(strings.Join(options.Key, "\n"))
 		} else if options.KeyPath != "" {
 			content, err := os.ReadFile(options.KeyPath)
 			if err != nil {
@@ -231,7 +241,7 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 		}
 		if certificate == nil && key == nil && options.Insecure {
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateKeyPair(router.TimeFunc(), info.ServerName)
+				return GenerateCertificate(ntp.TimeFuncFromContext(ctx), info.ServerName)
 			}
 		} else {
 			if certificate == nil {

common/tls/utls_client.go

@@ -10,10 +10,11 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"strings"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
 	utls "github.com/sagernet/utls"
 
 	"golang.org/x/net/http2"
@@ -113,7 +114,7 @@ func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
 	return c.UConn.HandshakeContext(ctx)
 }
 
-func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
+func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -127,7 +128,7 @@ func NewUTLSClient(router adapter.Router, serverAddress string, options option.O
 	}
 
 	var tlsConfig utls.Config
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -168,8 +169,8 @@ func NewUTLSClient(router adapter.Router, serverAddress string, options option.O
 		}
 	}
 	var certificate []byte
-	if options.Certificate != "" {
-		certificate = []byte(options.Certificate)
+	if len(options.Certificate) > 0 {
+		certificate = []byte(strings.Join(options.Certificate, "\n"))
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {

common/tls/utls_stub.go

@@ -3,15 +3,16 @@
 package tls
 
 import (
-	"github.com/sagernet/sing-box/adapter"
+	"context"
+
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS is not included in this build, rebuild with -tags with_utls`)
 }
 
-func NewRealityClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS, which is required by reality client is not included in this build, rebuild with -tags with_utls`)
 }

common/uot/router.go

@@ -0,0 +1,53 @@
+package uot
+
+import (
+	"context"
+	"net"
+	"net/netip"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/uot"
+)
+
+var _ adapter.ConnectionRouter = (*Router)(nil)
+
+type Router struct {
+	router adapter.ConnectionRouter
+	logger logger.ContextLogger
+}
+
+func NewRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) *Router {
+	return &Router{router, logger}
+}
+
+func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	switch metadata.Destination.Fqdn {
+	case uot.MagicAddress:
+		request, err := uot.ReadRequest(conn)
+		if err != nil {
+			return E.Cause(err, "read UoT request")
+		}
+		if request.IsConnect {
+			r.logger.InfoContext(ctx, "inbound UoT connect connection to ", request.Destination)
+		} else {
+			r.logger.InfoContext(ctx, "inbound UoT connection to ", request.Destination)
+		}
+		metadata.Domain = metadata.Destination.Fqdn
+		metadata.Destination = request.Destination
+		return r.router.RoutePacketConnection(ctx, uot.NewConn(conn, *request), metadata)
+	case uot.LegacyMagicAddress:
+		r.logger.InfoContext(ctx, "inbound legacy UoT connection")
+		metadata.Domain = metadata.Destination.Fqdn
+		metadata.Destination = M.Socksaddr{Addr: netip.IPv4Unspecified()}
+		return r.RoutePacketConnection(ctx, uot.NewConn(conn, uot.Request{}), metadata)
+	}
+	return r.router.RouteConnection(ctx, conn, metadata)
+}
+
+func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	return r.router.RoutePacketConnection(ctx, conn, metadata)
+}

common/urltest/urltest.go

@@ -8,6 +8,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -96,33 +97,25 @@ func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err e
 		return
 	}
 	defer instance.Close()
-
+	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](instance); isEarlyConn && earlyConn.NeedHandshake() {
+		start = time.Now()
+	}
 	req, err := http.NewRequest(http.MethodHead, link, nil)
 	if err != nil {
 		return
 	}
-	req = req.WithContext(ctx)
-
-	transport := &http.Transport{
-		Dial: func(string, string) (net.Conn, error) {
-			return instance, nil
-		},
-		// from http.DefaultTransport
-		MaxIdleConns:          100,
-		IdleConnTimeout:       90 * time.Second,
-		TLSHandshakeTimeout:   10 * time.Second,
-		ExpectContinueTimeout: 1 * time.Second,
-	}
-
 	client := http.Client{
-		Transport: transport,
+		Transport: &http.Transport{
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return instance, nil
+			},
+		},
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
 	}
 	defer client.CloseIdleConnections()
-
-	resp, err := client.Do(req)
+	resp, err := client.Do(req.WithContext(ctx))
 	if err != nil {
 		return
 	}

constant/dns.go

@@ -0,0 +1,6 @@
+package constant
+
+const (
+	DNSProviderAliDNS     = "alidns"
+	DNSProviderCloudflare = "cloudflare"
+)

constant/proxy.go

@@ -22,6 +22,7 @@ const (
 	TypeShadowsocksR = "shadowsocksr"
 	TypeVLESS        = "vless"
 	TypeTUIC         = "tuic"
+	TypeHysteria2    = "hysteria2"
 )
 
 const (
@@ -65,6 +66,8 @@ func ProxyDisplayName(proxyType string) string {
 		return "VLESS"
 	case TypeTUIC:
 		return "TUIC"
+	case TypeHysteria2:
+		return "Hysteria2"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:

constant/speed.go

@@ -0,0 +1,3 @@
+package constant
+
+const MbpsToBps = 125000

constant/v2ray.go

@@ -1,8 +1,9 @@
 package constant
 
 const (
-	V2RayTransportTypeHTTP      = "http"
-	V2RayTransportTypeWebsocket = "ws"
-	V2RayTransportTypeQUIC      = "quic"
-	V2RayTransportTypeGRPC      = "grpc"
+	V2RayTransportTypeHTTP        = "http"
+	V2RayTransportTypeWebsocket   = "ws"
+	V2RayTransportTypeQUIC        = "quic"
+	V2RayTransportTypeGRPC        = "grpc"
+	V2RayTransportTypeHTTPUpgrade = "httpupgrade"
 )

debug_go118.go

@@ -5,7 +5,7 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -28,7 +28,7 @@ func applyDebugOptions(options option.DebugOptions) {
 	}
 	if options.MemoryLimit != 0 {
 		// debug.SetMemoryLimit(int64(options.MemoryLimit))
-		conntrack.MemoryLimit = int64(options.MemoryLimit)
+		conntrack.MemoryLimit = uint64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller

debug_go119.go

@@ -5,7 +5,7 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -27,8 +27,8 @@ func applyDebugOptions(options option.DebugOptions) {
 		debug.SetTraceback(options.TraceBack)
 	}
 	if options.MemoryLimit != 0 {
-		debug.SetMemoryLimit(int64(options.MemoryLimit))
-		conntrack.MemoryLimit = int64(options.MemoryLimit)
+		debug.SetMemoryLimit(int64(float64(options.MemoryLimit) / 1.5))
+		conntrack.MemoryLimit = uint64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller

debug_http.go

@@ -5,14 +5,15 @@ import (
 	"net/http/pprof"
 	"runtime"
 	"runtime/debug"
+	"strings"
 
 	"github.com/sagernet/sing-box/common/badjson"
+	"github.com/sagernet/sing-box/common/humanize"
 	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 
-	"github.com/dustin/go-humanize"
 	"github.com/go-chi/chi/v5"
 )
 
@@ -37,9 +38,9 @@ func applyDebugListenOption(options option.DebugOptions) {
 			runtime.ReadMemStats(&memStats)
 
 			var memObject badjson.JSONObject
-			memObject.Put("heap", humanize.IBytes(memStats.HeapInuse))
-			memObject.Put("stack", humanize.IBytes(memStats.StackInuse))
-			memObject.Put("idle", humanize.IBytes(memStats.HeapIdle-memStats.HeapReleased))
+			memObject.Put("heap", humanize.MemoryBytes(memStats.HeapInuse))
+			memObject.Put("stack", humanize.MemoryBytes(memStats.StackInuse))
+			memObject.Put("idle", humanize.MemoryBytes(memStats.HeapIdle-memStats.HeapReleased))
 			memObject.Put("goroutines", runtime.NumGoroutine())
 			memObject.Put("rss", rusageMaxRSS())
 
@@ -47,12 +48,20 @@ func applyDebugListenOption(options option.DebugOptions) {
 			encoder.SetIndent("", "  ")
 			encoder.Encode(memObject)
 		})
-		r.HandleFunc("/pprof", pprof.Index)
-		r.HandleFunc("/pprof/*", pprof.Index)
-		r.HandleFunc("/pprof/cmdline", pprof.Cmdline)
-		r.HandleFunc("/pprof/profile", pprof.Profile)
-		r.HandleFunc("/pprof/symbol", pprof.Symbol)
-		r.HandleFunc("/pprof/trace", pprof.Trace)
+		r.Route("/pprof", func(r chi.Router) {
+			r.HandleFunc("/", func(writer http.ResponseWriter, request *http.Request) {
+				if !strings.HasSuffix(request.URL.Path, "/") {
+					http.Redirect(writer, request, request.URL.Path+"/", http.StatusMovedPermanently)
+				} else {
+					pprof.Index(writer, request)
+				}
+			})
+			r.HandleFunc("/*", pprof.Index)
+			r.HandleFunc("/cmdline", pprof.Cmdline)
+			r.HandleFunc("/profile", pprof.Profile)
+			r.HandleFunc("/symbol", pprof.Symbol)
+			r.HandleFunc("/trace", pprof.Trace)
+		})
 	})
 	debugHTTPServer = &http.Server{
 		Addr:    options.Listen,

debug_stub.go

@@ -1,4 +1,4 @@
-//go:build !linux
+//go:build !(linux || darwin)
 
 package box
 

debug_unix.go

@@ -1,3 +1,5 @@
+//go:build linux || darwin
+
 package box
 
 import (

docs/changelog.md

@@ -1,3 +1,571 @@
+---
+icon: material/alert-decagram
+---
+
+# ChangeLog
+
+#### 1.7.8
+
+* Fixes and improvements
+
+#### 1.7.7
+
+* Fix V2Ray transport `path` validation behavior **1**
+* Fixes and improvements
+
+**1**:
+
+See [V2Ray transport](/configuration/shared/v2ray-transport/).
+
+#### 1.7.6
+
+* Fixes and improvements
+
+#### 1.7.5
+
+* Fixes and improvements
+
+#### 1.7.4
+
+* Fixes and improvements
+
+_Due to the long waiting time, this version is no longer waiting for approval 
+by the Apple App Store, so updates to Apple Platforms will be delayed._
+
+#### 1.7.2
+
+* Fixes and improvements
+
+#### 1.7.1
+
+* Fixes and improvements
+
+#### 1.7.0
+
+* Fixes and improvements
+
+Important changes since 1.6:
+
+* Add [exclude route support](/configuration/inbound/tun/) for TUN inbound
+* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen/) **1**
+* Add [HTTPUpgrade V2Ray transport](/configuration/shared/v2ray-transport#HTTPUpgrade) support **2**
+* Migrate multiplex and UoT server to inbound **3**
+* Add TCP Brutal support for multiplex **4**
+* Add `wifi_ssid` and `wifi_bssid` route and DNS rules **5**
+* Update quic-go to v0.40.0
+* Update gVisor to 20231113.0
+
+**1**:
+
+If enabled, for UDP proxy requests addressed to a domain,
+the original packet address will be sent in the response instead of the mapped domain.
+
+This option is used for compatibility with clients that
+do not support receiving UDP packets with domain addresses, such as Surge.
+
+**2**:
+
+Introduced in V2Ray 5.10.0.
+
+The new HTTPUpgrade transport has better performance than WebSocket and is better suited for CDN abuse.
+
+**3**:
+
+Starting in 1.7.0, multiplexing support is no longer enabled by default
+and needs to be turned on explicitly in inbound options.
+
+**4**
+
+Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server,
+see [TCP Brutal](/configuration/shared/tcp-brutal/) for details.
+
+**5**:
+
+Only supported in graphical clients on Android and iOS.
+
+#### 1.7.0-rc.3
+
+* Fixes and improvements
+
+#### 1.6.7
+
+* macOS: Add button for uninstall SystemExtension in the standalone graphical client
+* Fix missing UDP user context on TUIC/Hysteria2 inbounds
+* Fixes and improvements
+
+#### 1.7.0-rc.2
+
+* Fix missing UDP user context on TUIC/Hysteria2 inbounds
+* macOS: Add button for uninstall SystemExtension in the standalone graphical client
+
+#### 1.6.6
+
+* Fixes and improvements
+
+#### 1.7.0-rc.1
+
+* Fixes and improvements
+
+#### 1.7.0-beta.5
+
+* Update gVisor to 20231113.0
+* Fixes and improvements
+
+#### 1.7.0-beta.4
+
+* Add `wifi_ssid` and `wifi_bssid` route and DNS rules **1**
+* Fixes and improvements
+
+**1**:
+
+Only supported in graphical clients on Android and iOS.
+
+#### 1.7.0-beta.3
+
+* Fix zero TTL was incorrectly reset
+* Fixes and improvements
+
+#### 1.6.5
+
+* Fix crash if TUIC inbound authentication failed
+* Fixes and improvements
+
+#### 1.7.0-beta.2
+
+* Fix crash if TUIC inbound authentication failed
+* Update quic-go to v0.40.0
+* Fixes and improvements
+
+#### 1.6.4
+
+* Fixes and improvements
+
+#### 1.7.0-beta.1
+
+* Fixes and improvements
+
+#### 1.6.3
+
+* iOS/Android: Fix profile auto update
+* Fixes and improvements
+
+#### 1.7.0-alpha.11
+
+* iOS/Android: Fix profile auto update
+* Fixes and improvements
+
+#### 1.7.0-alpha.10
+
+* Fix tcp-brutal not working with TLS
+* Fix Android client not closing in some cases
+* Fixes and improvements
+
+#### 1.6.2
+
+* Fixes and improvements
+
+#### 1.6.1
+
+* Our [Android client](/installation/clients/sfa/) is now available in the Google Play Store ▶️
+* Fixes and improvements
+
+#### 1.7.0-alpha.6
+
+* Fixes and improvements
+
+#### 1.7.0-alpha.4
+
+* Migrate multiplex and UoT server to inbound **1**
+* Add TCP Brutal support for multiplex **2**
+
+**1**:
+
+Starting in 1.7.0, multiplexing support is no longer enabled by default and needs to be turned on explicitly in inbound
+options.
+
+**2**
+
+Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server,
+see [TCP Brutal](/configuration/shared/tcp-brutal/) for details.
+
+#### 1.7.0-alpha.3
+
+* Add [HTTPUpgrade V2Ray transport](/configuration/shared/v2ray-transport#HTTPUpgrade) support **1**
+* Fixes and improvements
+
+**1**:
+
+Introduced in V2Ray 5.10.0.
+
+The new HTTPUpgrade transport has better performance than WebSocket and is better suited for CDN abuse.
+
+#### 1.6.0
+
+* Fixes and improvements
+
+Important changes since 1.5:
+
+* Our [Apple tvOS client](/installation/clients/sft/) is now available in the App Store 🍎
+* Update BBR congestion control for TUIC and Hysteria2 **1**
+* Update brutal congestion control for Hysteria2
+* Add `brutal_debug` option for Hysteria2
+* Update legacy Hysteria protocol **2**
+* Add TLS self sign key pair generate command
+* Remove [Deprecated Features](/deprecated/) by agreement
+
+**1**:
+
+None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
+This update is intended to address the multi-send defects of the old implementation and may introduce new issues.
+
+**2**
+
+Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
+the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
+
+#### 1.7.0-alpha.2
+
+* Fix bugs introduced in 1.7.0-alpha.1
+
+#### 1.7.0-alpha.1
+
+* Add [exclude route support](/configuration/inbound/tun/) for TUN inbound
+* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen/) **1**
+* Fixes and improvements
+
+**1**:
+
+If enabled, for UDP proxy requests addressed to a domain,
+the original packet address will be sent in the response instead of the mapped domain.
+
+This option is used for compatibility with clients that
+do not support receiving UDP packets with domain addresses, such as Surge.
+
+#### 1.5.5
+
+* Fix IPv6 `auto_route` for Linux **1**
+* Add legacy builds for old Windows and macOS systems **2**
+* Fixes and improvements
+
+**1**:
+
+When `auto_route` is enabled and `strict_route` is disabled, the device can now be reached from external IPv6 addresses.
+
+**2**:
+
+Built using Go 1.20, the last version that will run on
+Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High Sierra, 10.14 Mojave.
+
+#### 1.6.0-rc.4
+
+* Fixes and improvements
+
+#### 1.6.0-rc.1
+
+* Add legacy builds for old Windows and macOS systems **1**
+* Fixes and improvements
+
+**1**:
+
+Built using Go 1.20, the last version that will run on
+Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High Sierra, 10.14 Mojave.
+
+#### 1.6.0-beta.4
+
+* Fix IPv6 `auto_route` for Linux **1**
+* Fixes and improvements
+
+**1**:
+
+When `auto_route` is enabled and `strict_route` is disabled, the device can now be reached from external IPv6 addresses.
+
+#### 1.5.4
+
+* Fix Clash cache crash on arm32 devices
+* Fixes and improvements
+
+#### 1.6.0-beta.3
+
+* Update the legacy Hysteria protocol **1**
+* Fixes and improvements
+
+**1**
+
+Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
+the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
+
+#### 1.6.0-beta.2
+
+* Add TLS self sign key pair generate command
+* Update brutal congestion control for Hysteria2
+* Fix Clash cache crash on arm32 devices
+* Update golang.org/x/net to v0.17.0
+* Fixes and improvements
+
+#### 1.6.0-beta.3
+
+* Update the legacy Hysteria protocol **1**
+* Fixes and improvements
+
+**1**
+
+Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
+the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
+
+#### 1.6.0-beta.2
+
+* Add TLS self sign key pair generate command
+* Update brutal congestion control for Hysteria2
+* Fix Clash cache crash on arm32 devices
+* Update golang.org/x/net to v0.17.0
+* Fixes and improvements
+
+#### 1.5.3
+
+* Fix compatibility with Android 14
+* Fixes and improvements
+
+#### 1.6.0-beta.1
+
+* Fixes and improvements
+
+#### 1.6.0-alpha.5
+
+* Fix compatibility with Android 14
+* Update BBR congestion control for TUIC and Hysteria2 **1**
+* Fixes and improvements
+
+**1**:
+
+None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
+This update is intended to fix a memory leak flaw in the new implementation introduced in 1.6.0-alpha.1 and may
+introduce new issues.
+
+#### 1.6.0-alpha.4
+
+* Add `brutal_debug` option for Hysteria2
+* Fixes and improvements
+
+#### 1.5.2
+
+* Our [Apple tvOS client](/installation/clients/sft/) is now available in the App Store 🍎
+* Fixes and improvements
+
+#### 1.6.0-alpha.3
+
+* Fixes and improvements
+
+#### 1.6.0-alpha.2
+
+* Fixes and improvements
+
+#### 1.5.1
+
+* Fixes and improvements
+
+#### 1.6.0-alpha.1
+
+* Update BBR congestion control for TUIC and Hysteria2 **1**
+* Update quic-go to v0.39.0
+* Update gVisor to 20230814.0
+* Remove [Deprecated Features](/deprecated/) by agreement
+* Fixes and improvements
+
+**1**:
+
+None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
+This update is intended to address the multi-send defects of the old implementation and may introduce new issues.
+
+#### 1.5.0
+
+* Fixes and improvements
+
+Important changes since 1.4:
+
+* Add TLS [ECH server](/configuration/shared/tls/) support
+* Improve TLS TCH client configuration
+* Add TLS ECH key pair generator **1**
+* Add TLS ECH support for QUIC based protocols **2**
+* Add KDE support for the `set_system_proxy` option in HTTP inbound
+* Add Hysteria2 protocol support **3**
+* Add `interrupt_exist_connections` option for `Selector` and `URLTest` outbounds **4**
+* Add DNS01 challenge support for ACME TLS certificate issuer **5**
+* Add `merge` command **6**
+* Mark [Deprecated Features](/deprecated/)
+
+**1**:
+
+Command: `sing-box generate ech-keypair <plain_server_name> [--pq-signature-schemes-enabled]`
+
+**2**:
+
+All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria[/2]`, `TUIC` and `V2ray QUIC transport`.
+
+**3**:
+
+See [Hysteria2 inbound](/configuration/inbound/hysteria2/) and [Hysteria2 outbound](/configuration/outbound/hysteria2/)
+
+For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)
+
+**4**:
+
+Interrupt existing connections when the selected outbound has changed.
+
+Only inbound connections are affected by this setting, internal connections will always be interrupted.
+
+**5**:
+
+Only `Alibaba Cloud DNS` and `Cloudflare` are supported, see [ACME Fields](/configuration/shared/tls#acme-fields)
+and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/).
+
+**6**:
+
+This command also parses path resources that appear in the configuration file and replaces them with embedded
+configuration, such as TLS certificates or SSH private keys.
+
+#### 1.5.0-rc.6
+
+* Fixes and improvements
+
+#### 1.4.6
+
+* Fixes and improvements
+
+#### 1.5.0-rc.5
+
+* Fixed an improper authentication vulnerability in the SOCKS5 inbound
+* Fixes and improvements
+
+**Security Advisory**
+
+This update fixes an improper authentication vulnerability in the sing-box SOCKS inbound. This vulnerability allows an
+attacker to craft special requests to bypass user authentication. All users exposing SOCKS servers with user
+authentication in an insecure environment are advised to update immediately.
+
+此更新修复了 sing-box SOCKS 入站中的一个不正确身份验证漏洞。 该漏洞允许攻击者制作特殊请求来绕过用户身份验证。建议所有将使用用户认证的
+SOCKS 服务器暴露在不安全环境下的用户立更新。
+
+#### 1.4.5
+
+* Fixed an improper authentication vulnerability in the SOCKS5 inbound
+* Fixes and improvements
+
+**Security Advisory**
+
+This update fixes an improper authentication vulnerability in the sing-box SOCKS inbound. This vulnerability allows an
+attacker to craft special requests to bypass user authentication. All users exposing SOCKS servers with user
+authentication in an insecure environment are advised to update immediately.
+
+此更新修复了 sing-box SOCKS 入站中的一个不正确身份验证漏洞。 该漏洞允许攻击者制作特殊请求来绕过用户身份验证。建议所有将使用用户认证的
+SOCKS 服务器暴露在不安全环境下的用户立更新。
+
+#### 1.5.0-rc.3
+
+* Fixes and improvements
+
+#### 1.5.0-beta.12
+
+* Add `merge` command **1**
+* Fixes and improvements
+
+**1**:
+
+This command also parses path resources that appear in the configuration file and replaces them with embedded
+configuration, such as TLS certificates or SSH private keys.
+
+```
+Merge configurations
+
+Usage:
+  sing-box merge [output] [flags]
+
+Flags:
+  -h, --help   help for merge
+
+Global Flags:
+  -c, --config stringArray             set configuration file path
+  -C, --config-directory stringArray   set configuration directory path
+  -D, --directory string               set working directory
+      --disable-color                  disable color output
+```
+
+#### 1.5.0-beta.11
+
+* Add DNS01 challenge support for ACME TLS certificate issuer **1**
+* Fixes and improvements
+
+**1**:
+
+Only `Alibaba Cloud DNS` and `Cloudflare` are supported,
+see [ACME Fields](/configuration/shared/tls#acme-fields)
+and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/).
+
+#### 1.5.0-beta.10
+
+* Add `interrupt_exist_connections` option for `Selector` and `URLTest` outbounds **1**
+* Fixes and improvements
+
+**1**:
+
+Interrupt existing connections when the selected outbound has changed.
+
+Only inbound connections are affected by this setting, internal connections will always be interrupted.
+
+#### 1.4.3
+
+* Fixes and improvements
+
+#### 1.5.0-beta.8
+
+* Fixes and improvements
+
+#### 1.4.2
+
+* Fixes and improvements
+
+#### 1.5.0-beta.6
+
+* Fix compatibility issues with official Hysteria2 server and client
+* Fixes and improvements
+* Mark [deprecated features](/deprecated/)
+
+#### 1.5.0-beta.3
+
+* Fixes and improvements
+* Updated Hysteria2 documentation **1**
+
+**1**:
+
+Added notes indicating compatibility issues with the official
+Hysteria2 server and client when using `fastOpen=false` or UDP MTU >= 1200.
+
+#### 1.5.0-beta.2
+
+* Add hysteria2 protocol support **1**
+* Fixes and improvements
+
+**1**:
+
+See [Hysteria2 inbound](/configuration/inbound/hysteria2/) and [Hysteria2 outbound](/configuration/outbound/hysteria2/)
+
+For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)
+
+#### 1.5.0-beta.1
+
+* Add TLS [ECH server](/configuration/shared/tls/) support
+* Improve TLS TCH client configuration
+* Add TLS ECH key pair generator **1**
+* Add TLS ECH support for QUIC based protocols **2**
+* Add KDE support for the `set_system_proxy` option in HTTP inbound
+
+**1**:
+
+Command: `sing-box generate ech-keypair <plain_server_name> [--pq-signature-schemes-enabled]`
+
+**2**:
+
+All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria`, `TUIC` and `V2ray QUIC transport`.
+
 #### 1.4.1
 
 * Fixes and improvements
@@ -17,12 +585,12 @@ Important changes since 1.3:
 
 *1*:
 
-See [TUIC inbound](/configuration/inbound/tuic)
-and [TUIC outbound](/configuration/outbound/tuic)
+See [TUIC inbound](/configuration/inbound/tuic/)
+and [TUIC outbound](/configuration/outbound/tuic/)
 
 **2**:
 
-This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp/), designed to provide a QUIC
 stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
 another program compatible with the protocol as a server.
 
@@ -53,7 +621,7 @@ Requires sing-box to be compiled with Go 1.21.
 
 **1**:
 
-This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp/), designed to provide a QUIC
 stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
 another program compatible with the protocol as a server.
 
@@ -91,8 +659,8 @@ Requires sing-box to be compiled with Go 1.21.
 
 *1*:
 
-See [TUIC inbound](/configuration/inbound/tuic)
-and [TUIC outbound](/configuration/outbound/tuic)
+See [TUIC inbound](/configuration/inbound/tuic/)
+and [TUIC outbound](/configuration/outbound/tuic/)
 
 #### 1.3.6
 
@@ -101,7 +669,7 @@ and [TUIC outbound](/configuration/outbound/tuic)
 #### 1.3.5
 
 * Fixes and improvements
-* Introducing our [Apple tvOS](/installation/clients/sft) client applications **1**
+* Introducing our [Apple tvOS](/installation/clients/sft/) client applications **1**
 * Add per app proxy and app installed/updated trigger support for Android client
 * Add profile sharing support for Android/iOS/macOS clients
 
@@ -128,7 +696,7 @@ downloaded through TestFlight.
 
 #### 1.3.1-beta.3
 
-* Introducing our [new iOS](/installation/clients/sfi) and [macOS](/installation/clients/sfm) client applications **1**
+* Introducing our [new iOS](/installation/clients/sfi/) and [macOS](/installation/clients/sfm/) client applications **1**
 * Fixes and improvements
 
 **1**:
@@ -149,7 +717,7 @@ The old testflight link and app are no longer valid.
 
 Important changes since 1.2:
 
-* Add [FakeIP](/configuration/dns/fakeip) support **1**
+* Add [FakeIP](/configuration/dns/fakeip/) support **1**
 * Improve multiplex **2**
 * Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
 * Add `rewrite_ttl` DNS rule action
@@ -176,11 +744,11 @@ Important changes since 1.2:
 
 *1*:
 
-See [FAQ](/faq/fakeip) for more information.
+See [FAQ](/faq/fakeip/) for more information.
 
 *2*:
 
-Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex).
+Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex/).
 
 #### 1.3-rc2
 
@@ -242,7 +810,7 @@ Improved performance and reduced memory usage.
 
 *1*:
 
-Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex).
+Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex/).
 
 #### 1.2.6
 
@@ -294,25 +862,25 @@ This is an incompatible update for XUDP in VLESS if vision flow is enabled.
 #### 1.3-beta1
 
 * Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
-* Add [L3 routing](/configuration/route/ip-rule) support **1**
+* Add [L3 routing](/configuration/route/ip-rule/) support **1**
 * Add `rewrite_ttl` DNS rule action
-* Add [FakeIP](/configuration/dns/fakeip) support **2**
+* Add [FakeIP](/configuration/dns/fakeip/) support **2**
 * Add `store_fakeip` Clash API option
 * Add multi-peer support for [WireGuard](/configuration/outbound/wireguard#peers) outbound
 * Add loopback detect
 
 *1*:
 
-It can currently be used to [route connections directly to WireGuard](/examples/wireguard-direct) or block connections
+It can currently be used to [route connections directly to WireGuard](/examples/wireguard-direct/) or block connections
 at the IP layer.
 
 *2*:
 
-See [FAQ](/faq/fakeip) for more information.
+See [FAQ](/faq/fakeip/) for more information.
 
 #### 1.2.3
 
-* Introducing our [new Android client application](/installation/clients/sfa)
+* Introducing our [new Android client application](/installation/clients/sfa/)
 * Improve UDP domain destination NAT
 * Update reality protocol
 * Fix TTL calculation for DNS response
@@ -341,16 +909,16 @@ to `domain` rule.
 
 Important changes since 1.1:
 
-* Introducing our [new iOS client application](/installation/clients/sfi)
-* Introducing [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
+* Introducing our [new iOS client application](/installation/clients/sfi/)
+* Introducing [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp/)
 * Add [platform options](/configuration/inbound/tun#platform) for tun inbound
 * Add [ShadowTLS protocol v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md)
-* Add [VLESS server](/configuration/inbound/vless) and [vision](/configuration/outbound/vless#flow) support
-* Add [reality TLS](/configuration/shared/tls) support
-* Add [NTP service](/configuration/ntp)
-* Add [DHCP DNS server](/configuration/dns/server) support
-* Add SSH [host key validation](/configuration/outbound/ssh) support
-* Add [query_type](/configuration/dns/rule) DNS rule item
+* Add [VLESS server](/configuration/inbound/vless/) and [vision](/configuration/outbound/vless#flow) support
+* Add [reality TLS](/configuration/shared/tls/) support
+* Add [NTP service](/configuration/ntp/)
+* Add [DHCP DNS server](/configuration/dns/server/) support
+* Add SSH [host key validation](/configuration/outbound/ssh/) support
+* Add [query_type](/configuration/dns/rule/) DNS rule item
 * Add fallback support for v2ray transport
 * Add custom TLS server support for http based v2ray transports
 * Add health check support for http-based v2ray transports
@@ -381,7 +949,7 @@ name.
 
 #### 1.2-beta9
 
-* Introducing the [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
+* Introducing the [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp/)
 * Add health check support for http-based v2ray transports
 * Remove length limit on short_id for reality TLS config
 * Fix bugs and update dependencies
@@ -398,7 +966,7 @@ name.
 
 #### 1.2-beta6
 
-* Introducing our [new iOS client application](/installation/clients/sfi)
+* Introducing our [new iOS client application](/installation/clients/sfi/)
 * Add [platform options](/configuration/inbound/tun#platform) for tun inbound
 * Add custom TLS server support for http based v2ray transports
 * Add generate commands
@@ -411,8 +979,8 @@ name.
 
 #### 1.2-beta5
 
-* Add [VLESS server](/configuration/inbound/vless) and [vision](/configuration/outbound/vless#flow) support
-* Add [reality TLS](/configuration/shared/tls) support
+* Add [VLESS server](/configuration/inbound/vless/) and [vision](/configuration/outbound/vless#flow) support
+* Add [reality TLS](/configuration/shared/tls/) support
 * Fix match private address
 
 #### 1.1.6
@@ -427,7 +995,7 @@ name.
 
 #### 1.2-beta4
 
-* Add [NTP service](/configuration/ntp)
+* Add [NTP service](/configuration/ntp/)
 * Add Add multiple server names and multi-user support for shadowtls
 * Add strict mode support for shadowtls v3
 * Add uTLS support for shadowtls v3
@@ -447,9 +1015,9 @@ name.
 
 #### 1.2-beta1
 
-* Add [DHCP DNS server](/configuration/dns/server) support
-* Add SSH [host key validation](/configuration/outbound/ssh) support
-* Add [query_type](/configuration/dns/rule) DNS rule item
+* Add [DHCP DNS server](/configuration/dns/server/) support
+* Add SSH [host key validation](/configuration/outbound/ssh/) support
+* Add [query_type](/configuration/dns/rule/) DNS rule item
 * Add v2ray [user stats](/configuration/experimental#statsusers) api
 * Add new clash DNS query api
 * Improve vmess request
@@ -678,7 +1246,7 @@ and [ShadowTLS outbound](/configuration/outbound/shadowtls#version)
 
 #### 1.1-beta6
 
-* Add [URLTest outbound](/configuration/outbound/urltest)
+* Add [URLTest outbound](/configuration/outbound/urltest/)
 * Fix bugs in 1.1-beta5
 
 #### 1.1-beta5
@@ -710,8 +1278,8 @@ The default tun stack is changed to system.
 #### 1.1-beta4
 
 * Add internal simple-obfs and v2ray-plugin [Shadowsocks plugins](/configuration/outbound/shadowsocks#plugin)
-* Add [ShadowsocksR outbound](/configuration/outbound/shadowsocksr)
-* Add [VLESS outbound and XUDP](/configuration/outbound/vless)
+* Add [ShadowsocksR outbound](/configuration/outbound/shadowsocksr/)
+* Add [VLESS outbound and XUDP](/configuration/outbound/vless/)
 * Skip wait for hysteria tcp handshake response
 * Fix socks4 client
 * Fix hysteria inbound
@@ -738,7 +1306,7 @@ The default tun stack is changed to system.
 *1*:
 
 Switching modes using the Clash API, and `store-selected` are now supported,
-see [Experimental](/configuration/experimental).
+see [Experimental](/configuration/experimental/).
 
 *2*:
 
@@ -819,15 +1387,15 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 * Fix write trojan udp
 * Fix DNS routing
 * Add attribute support for geosite
-* Update documentation for [Dial Fields](/configuration/shared/dial)
+* Update documentation for [Dial Fields](/configuration/shared/dial/)
 
 #### 1.0-beta3
 
 * Add [chained inbound](/configuration/shared/listen#detour) support
 * Add process_path rule item
 * Add macOS redirect support
-* Add ShadowTLS [Inbound](/configuration/inbound/shadowtls), [Outbound](/configuration/outbound/shadowtls)
-  and [Examples](/examples/shadowtls)
+* Add ShadowTLS [Inbound](/configuration/inbound/shadowtls/), [Outbound](/configuration/outbound/shadowtls/)
+  and [Examples](/examples/shadowtls/)
 * Fix search android package in non-owner users
 * Fix socksaddr type condition
 * Fix smux session status
@@ -871,7 +1439,7 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 
 ##### 2022/08/23
 
-* Add [V2Ray Transport](/configuration/shared/v2ray-transport) support for VMess and Trojan
+* Add [V2Ray Transport](/configuration/shared/v2ray-transport/) support for VMess and Trojan
 * Allow plain http request in Naive inbound (It can now be used with nginx)
 * Add proxy protocol support
 * Free memory after start
@@ -880,13 +1448,13 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 
 ##### 2022/08/22
 
-* Add strategy setting for each [DNS server](/configuration/dns/server)
+* Add strategy setting for each [DNS server](/configuration/dns/server/)
 * Add bind address to outbound options
 
 ##### 2022/08/21
 
-* Add [Tor outbound](/configuration/outbound/tor)
-* Add [SSH outbound](/configuration/outbound/ssh)
+* Add [Tor outbound](/configuration/outbound/tor/)
+* Add [SSH outbound](/configuration/outbound/ssh/)
 
 ##### 2022/08/20
 
@@ -900,8 +1468,8 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 
 ##### 2022/08/19
 
-* Add Hysteria [Inbound](/configuration/inbound/hysteria) and [Outbund](/configuration/outbound/hysteria)
-* Add [ACME TLS certificate issuer](/configuration/shared/tls)
+* Add Hysteria [Inbound](/configuration/inbound/hysteria/) and [Outbund](/configuration/outbound/hysteria/)
+* Add [ACME TLS certificate issuer](/configuration/shared/tls/)
 * Allow read config from stdin (-c stdin)
 * Update gVisor to 20220815.0
 
@@ -919,11 +1487,11 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 ##### 2022/08/16
 
 * Add ip_version (route/dns) rule item
-* Add [WireGuard](/configuration/outbound/wireguard) outbound
+* Add [WireGuard](/configuration/outbound/wireguard/) outbound
 
 ##### 2022/08/15
 
-* Add uid, android user and package rules support in [Tun](/configuration/inbound/tun) routing.
+* Add uid, android user and package rules support in [Tun](/configuration/inbound/tun/) routing.
 
 ##### 2022/08/13
 
@@ -932,15 +1500,15 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 ##### 2022/08/12
 
 * Performance improvements
-* Add UoT option for [SOCKS](/configuration/outbound/socks) outbound
+* Add UoT option for [SOCKS](/configuration/outbound/socks/) outbound
 
 ##### 2022/08/11
 
-* Add UoT option for [Shadowsocks](/configuration/outbound/shadowsocks) outbound, UoT support for all inbounds
+* Add UoT option for [Shadowsocks](/configuration/outbound/shadowsocks/) outbound, UoT support for all inbounds
 
 ##### 2022/08/10
 
-* Add full-featured [Naive](/configuration/inbound/naive) inbound
+* Add full-featured [Naive](/configuration/inbound/naive/) inbound
 * Fix default dns server option [#9] by iKirby
 
 ##### 2022/08/09

docs/clients/android/features.md

@@ -0,0 +1,64 @@
+# :material-decagram: Features
+
+#### UI options
+
+* Display realtime network speed in the notification
+
+#### Service
+
+SFA allows you to run sing-box through ForegroundService or VpnService (when TUN is required).
+
+#### TUN
+
+SFA provides an unprivileged TUN implementation through Android VpnService.
+
+| TUN inbound option            | Available        | Note               |
+|-------------------------------|------------------|--------------------|
+| `interface_name`              | :material-close: | Managed by Android |
+| `inet4_address`               | :material-check: | /                  |
+| `inet6_address`               | :material-check: | /                  |
+| `mtu`                         | :material-check: | /                  |
+| `auto_route`                  | :material-check: | /                  |
+| `strict_route`                | :material-close: | Not implemented    |
+| `inet4_route_address`         | :material-check: | /                  |
+| `inet6_route_address`         | :material-check: | /                  |
+| `inet4_route_exclude_address` | :material-check: | /                  |
+| `inet6_route_exclude_address` | :material-check: | /                  |
+| `endpoint_independent_nat`    | :material-check: | /                  |
+| `stack`                       | :material-check: | /                  |
+| `include_interface`           | :material-close: | No permission      |
+| `exclude_interface`           | :material-close: | No permission      |
+| `include_uid`                 | :material-close: | No permission      |
+| `exclude_uid`                 | :material-close: | No permission      |
+| `include_android_user`        | :material-close: | No permission      |
+| `include_package`             | :material-check: | /                  |
+| `exclude_package`             | :material-check: | /                  |
+| `platform`                    | :material-check: | /                  |
+
+| Route/DNS rule option | Available        | Note                              |
+|-----------------------|------------------|-----------------------------------|
+| `process_name`        | :material-close: | No permission                     |
+| `process_path`        | :material-close: | No permission                     |
+| `package_name`        | :material-check: | /                                 |
+| `user`                | :material-close: | Use `package_name` instead        |
+| `user_id`             | :material-close: | Use `package_name` instead        |
+| `wifi_ssid`           | :material-check: | Fine location permission required |
+| `wifi_bssid`          | :material-check: | Fine location permission required |
+
+### Override
+
+Overrides profile configuration items with platform-specific values.
+
+#### Per-app proxy
+
+SFA allows you to select a list of Android apps that require proxying or bypassing in the graphical interface to
+override the `include_package` and `exclude_package` configuration items.
+
+In particular, the selector also provides the “China apps” scanning feature, providing Chinese users with an excellent
+experience to bypass apps that do not require a proxy. Specifically, by scanning China application or SDK
+characteristics through dex class path and other means, there will be almost no missed reports.
+
+### Chore
+
+* The working directory is located at `/sdcard/Android/data/io.nekohasekai.sfa/files` (External files directory)
+* Crash logs is located in `$working_directory/stderr.log`

docs/clients/android/index.md

@@ -0,0 +1,22 @@
+---
+icon: material/android
+---
+
+# sing-box for Android
+
+SFA allows users to manage and run local or remote sing-box configuration files, and provides
+platform-specific function implementation, such as TUN transparent proxy implementation.
+
+## :material-graph: Requirements
+
+* Android 5.0+
+
+## :material-download: Download
+
+* [Play Store](https://play.google.com/store/apps/details?id=io.nekohasekai.sfa)
+* [Play Store (Beta)](https://play.google.com/apps/testing/io.nekohasekai.sfa)
+* [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
+
+## :material-source-repository: Source code
+
+* [GitHub](https://github.com/SagerNet/sing-box-for-android)

docs/clients/apple/features.md

@@ -0,0 +1,52 @@
+# :material-decagram: Features
+
+#### UI options
+
+* Always On
+* Include All Networks (Proxy traffic for LAN and cellular services)
+* (Apple tvOS) Import profile from iPhone/iPad
+
+#### Service
+
+SFI/SFM/SFT allows you to run sing-box through NetworkExtension with Application Extension or System Extension.
+
+#### TUN
+
+SFI/SFM/SFT provides an unprivileged TUN implementation through NetworkExtension.
+
+| TUN inbound option            | Available | Note              |
+|-------------------------------|-----------|-------------------|
+| `interface_name`              | ✖️        | Managed by Darwin |
+| `inet4_address`               | ✔️        | /                 |
+| `inet6_address`               | ✔️        | /                 |
+| `mtu`                         | ✔️        | /                 |
+| `auto_route`                  | ✔️        | /                 |
+| `strict_route`                | ✖️        | Not implemented   |
+| `inet4_route_address`         | ✔️        | /                 |
+| `inet6_route_address`         | ✔️        | /                 |
+| `inet4_route_exclude_address` | ✔️        | /                 |
+| `inet6_route_exclude_address` | ✔️        | /                 |
+| `endpoint_independent_nat`    | ✔️        | /                 |
+| `stack`                       | ✔️        | /                 |
+| `include_interface`           | ✖️        | Not implemented   |
+| `exclude_interface`           | ✖️        | Not implemented   |
+| `include_uid`                 | ✖️        | Not implemented   |
+| `exclude_uid`                 | ✖️        | Not implemented   |
+| `include_android_user`        | ✖️        | Not implemented   |
+| `include_package`             | ✖️        | Not implemented   |
+| `exclude_package`             | ✖️        | Not implemented   |
+| `platform`                    | ✔️        | /                 |
+
+| Route/DNS rule option | Available        | Note                  |
+|-----------------------|------------------|-----------------------|
+| `process_name`        | :material-close: | No permission         |
+| `process_path`        | :material-close: | No permission         |
+| `package_name`        | :material-close: | /                     |
+| `user`                | :material-close: | No permission         |
+| `user_id`             | :material-close: | No permission         |
+| `wifi_ssid`           | :material-alert: | Only supported on iOS |
+| `wifi_bssid`          | :material-alert: | Only supported on iOS |
+
+### Chore
+
+* Crash logs is located in `Settings` -> `View Service Log`

docs/clients/apple/index.md

@@ -0,0 +1,32 @@
+---
+icon: material/apple
+---
+
+# sing-box for Apple platforms
+
+SFI/SFM/SFT allows users to manage and run local or remote sing-box configuration files, and provides
+platform-specific function implementation, such as TUN transparent proxy implementation.
+
+## :material-graph: Requirements
+
+* iOS 15.0+ / macOS 13.0+ / Apple tvOS 17.0+
+* An Apple account outside of mainland China
+
+## :material-download: Download
+
+* [App Store](https://apps.apple.com/us/app/sing-box/id6451272673)
+* [TestFlight (Beta)](https://testflight.apple.com/join/AcqO44FH)
+
+## :material-file-download: Download (macOS standalone version)
+
+* [Homebrew Cask](https://formulae.brew.sh/cask/sfm)
+
+```bash
+brew install sfm
+```
+
+* [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
+
+## :material-source-repository: Source code
+
+* [GitHub](https://github.com/SagerNet/sing-box-for-apple)

docs/clients/general.md

@@ -0,0 +1,63 @@
+---
+icon: material/pencil-ruler
+---
+
+# General
+
+Describes and explains the functions implemented uniformly by sing-box graphical clients.
+
+### Profile
+
+Profile describes a sing-box configuration file and its state.
+
+#### Local
+
+* Local Profile represents a local sing-box configuration with minimal state
+* The graphical client must provide an editor to modify configuration content
+
+#### iCloud (on iOS and macOS)
+
+* iCloud Profile represents a remote sing-box configuration with iCloud as the update source
+* The configuration file is stored in the sing-box folder under iCloud
+* The graphical client must provide an editor to modify configuration content
+
+#### Remote
+
+* Remote Profile represents a remote sing-box configuration with a URL as the update source.
+* The graphical client should provide a configuration content viewer
+* The graphical client must implement automatic profile update (default interval is 60 minutes) and HTTP Basic
+  authorization.
+
+At the same time, the graphical client must provide support for importing remote profiles
+through a specific URL Scheme. The URL is defined as follows:
+
+```
+sing-box://import-remote-profile?url=urlEncodedURL#urlEncodedName
+```
+
+### Dashboard
+
+While the sing-box service is running, the graphical client should provide a Dashboard interface to manage the service.
+
+#### Status
+
+Dashboard should display status information such as memory, connection, and traffic.
+
+#### Mode
+
+Dashboard should provide a Mode selector for switching when the configuration uses at least two `clash_mode` values.
+
+#### Groups
+
+When the configuration includes group outbounds (specifically, Selector or URLTest),
+the dashboard should provide a Group selector for status display or switching.
+
+### Chore
+
+#### Core
+
+Graphical clients should provide a Core region:
+
+* Display the current sing-box version
+* Provides a button to clean the working directory
+* Provides a memory limiter switch

docs/clients/index.md

@@ -0,0 +1,13 @@
+# :material-cellphone-link: Graphical Clients
+
+Maintained by Project S to provide a unified experience and platform-specific functionality.
+
+| Platform                              | Client                                   |
+|---------------------------------------|------------------------------------------|
+| :material-android: Android            | [sing-box for Android](./android/)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
+| :material-laptop: Desktop             | Working in progress                      |
+
+Some third-party projects that claim to use sing-box or use sing-box as a selling point are not listed here. The core
+motivation of the maintainers of such projects is to acquire more users, and even though they provide friendly VPN
+client features, the code is usually of poor quality and contains ads.

docs/clients/index.zh.md

@@ -0,0 +1,12 @@
+# :material-cellphone-link: 图形界面客户端
+
+由 Project S 维护，提供统一的体验与平台特定的功能。
+
+| 平台                                    | 客户端                                     |
+|---------------------------------------|-----------------------------------------|
+| :material-android: Android            | [sing-box for Android](./android/)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
+| :material-laptop: Desktop             | 施工中                                     |
+
+此处没有列出一些声称使用或以 sing-box 为卖点的第三方项目。此类项目维护者的动机是获得更多用户，即使它们提供友好的商业
+VPN 客户端功能， 但代码质量很差且包含广告。

docs/clients/privacy.md

@@ -0,0 +1,8 @@
+---
+icon: material/security
+---
+
+# Privacy policy
+
+sing-box and official graphics clients do not collect or share personal data,
+and the data generated by the software is always on your device.

docs/configuration/dns/index.md

@@ -23,9 +23,9 @@
 
 | Key      | Format                         |
 |----------|--------------------------------|
-| `server` | List of [DNS Server](./server) |
-| `rules`  | List of [DNS Rule](./rule)     |
-| `fakeip` | [FakeIP](./fakeip)             |
+| `server` | List of [DNS Server](./server/) |
+| `rules`  | List of [DNS Rule](./rule/)     |
+| `fakeip` | [FakeIP](./fakeip/)             |
 
 #### final
 
@@ -62,4 +62,4 @@ problematic in environments such as macOS, where DNS is proxied and cached by th
 
 #### fakeip
 
-[FakeIP](./fakeip) settings.
+[FakeIP](./fakeip/) settings.

docs/configuration/dns/index.zh.md

@@ -21,10 +21,10 @@
 
 ### 字段
 
-| 键        | 格式                     |
-|----------|------------------------|
-| `server` | 一组 [DNS 服务器](./server) |
-| `rules`  | 一组 [DNS 规则](./rule)    |
+| 键        | 格式                      |
+|----------|-------------------------|
+| `server` | 一组 [DNS 服务器](./server/) |
+| `rules`  | 一组 [DNS 规则](./rule/)    |
 
 #### final
 
@@ -60,4 +60,4 @@
 
 #### fakeip
 
-[FakeIP](./fakeip) 设置。
+[FakeIP](./fakeip/) 设置。

docs/configuration/dns/rule.md

@@ -79,6 +79,12 @@
           1000
         ],
         "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
         "invert": false,
         "outbound": [
           "direct"
@@ -118,7 +124,7 @@
 
 #### inbound
 
-Tags of [Inbound](/configuration/inbound).
+Tags of [Inbound](/configuration/inbound/).
 
 #### ip_version
 
@@ -188,7 +194,7 @@ Match port range.
 
 #### process_name
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows, and macOS.
 
@@ -196,7 +202,7 @@ Match process name.
 
 #### process_path
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows, and macOS.
 
@@ -208,7 +214,7 @@ Match android package name.
 
 #### user
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 
@@ -216,7 +222,7 @@ Match user name.
 
 #### user_id
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 
@@ -226,6 +232,24 @@ Match user id.
 
 Match Clash mode.
 
+#### wifi_ssid
+
+<!-- md:version 1.7.0-beta.4 -->
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi SSID.
+
+#### wifi_bssid
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi BSSID.
+
 #### invert
 
 Invert match result.

docs/configuration/dns/rule.zh.md

@@ -78,6 +78,12 @@
           1000
         ],
         "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
         "invert": false,
         "outbound": [
           "direct"
@@ -115,7 +121,7 @@
 
 #### inbound
 
-[入站](/zh/configuration/inbound) 标签.
+[入站](/zh/configuration/inbound/) 标签.
 
 #### ip_version
 
@@ -185,7 +191,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### process_name
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS.
 
@@ -193,7 +199,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### process_path
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS.
 
@@ -205,7 +211,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### user
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux。
 
@@ -213,7 +219,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### user_id
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux。
 
@@ -223,6 +229,22 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 匹配 Clash 模式。
 
+#### wifi_ssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi SSID。
+
+#### wifi_bssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi BSSID。
+
 #### invert
 
 反选匹配结果。

docs/configuration/dns/server.md

@@ -30,18 +30,18 @@ The tag of the dns server.
 
 The address of the dns server.
 
-| Protocol                            | Format                        |
-|-------------------------------------|-------------------------------|
-| `System`                            | `local`                       |
-| `TCP`                               | `tcp://1.0.0.1`               |
-| `UDP`                               | `8.8.8.8` `udp://8.8.4.4`     |
-| `TLS`                               | `tls://dns.google`            |
-| `HTTPS`                             | `https://1.1.1.1/dns-query`   |
-| `QUIC`                              | `quic://dns.adguard.com`      |
-| `HTTP3`                             | `h3://8.8.8.8/dns-query`      |
-| `RCode`                             | `rcode://refused`             |
-| `DHCP`                              | `dhcp://auto` or `dhcp://en0` |
-| [FakeIP](/configuration/dns/fakeip) | `fakeip`                      |
+| Protocol                             | Format                        |
+|--------------------------------------|-------------------------------|
+| `System`                             | `local`                       |
+| `TCP`                                | `tcp://1.0.0.1`               |
+| `UDP`                                | `8.8.8.8` `udp://8.8.4.4`     |
+| `TLS`                                | `tls://dns.google`            |
+| `HTTPS`                              | `https://1.1.1.1/dns-query`   |
+| `QUIC`                               | `quic://dns.adguard.com`      |
+| `HTTP3`                              | `h3://8.8.8.8/dns-query`      |
+| `RCode`                              | `rcode://refused`             |
+| `DHCP`                               | `dhcp://auto` or `dhcp://en0` |
+| [FakeIP](/configuration/dns/fakeip/) | `fakeip`                      |
 
 !!! warning ""
 
@@ -49,7 +49,7 @@ The address of the dns server.
 
 !!! warning ""
 
-    QUIC and HTTP3 transport is not included by default, see [Installation](/#installation).
+    QUIC and HTTP3 transport is not included by default, see [Installation](./#installation).
 
 !!! info ""
 
@@ -57,7 +57,7 @@ The address of the dns server.
 
 !!! warning ""
 
-    DHCP transport is not included by default, see [Installation](/#installation).
+    DHCP transport is not included by default, see [Installation](./#installation).
 
 | RCode             | Description           | 
 |-------------------|-----------------------|

docs/configuration/dns/server.zh.md

@@ -30,18 +30,18 @@ DNS 服务器的标签。
 
 DNS 服务器的地址。
 
-| 协议                                  | 格式                           |
-|-------------------------------------|------------------------------|
-| `System`                            | `local`                      |
-| `TCP`                               | `tcp://1.0.0.1`              |
-| `UDP`                               | `8.8.8.8` `udp://8.8.4.4`    |
-| `TLS`                               | `tls://dns.google`           |
-| `HTTPS`                             | `https://1.1.1.1/dns-query`  |
-| `QUIC`                              | `quic://dns.adguard.com`     |
-| `HTTP3`                             | `h3://8.8.8.8/dns-query`     |
-| `RCode`                             | `rcode://refused`            |
-| `DHCP`                              | `dhcp://auto` 或 `dhcp://en0` |
-| [FakeIP](/configuration/dns/fakeip) | `fakeip`                     |
+| 协议                                   | 格式                           |
+|--------------------------------------|------------------------------|
+| `System`                             | `local`                      |
+| `TCP`                                | `tcp://1.0.0.1`              |
+| `UDP`                                | `8.8.8.8` `udp://8.8.4.4`    |
+| `TLS`                                | `tls://dns.google`           |
+| `HTTPS`                              | `https://1.1.1.1/dns-query`  |
+| `QUIC`                               | `quic://dns.adguard.com`     |
+| `HTTP3`                              | `h3://8.8.8.8/dns-query`     |
+| `RCode`                              | `rcode://refused`            |
+| `DHCP`                               | `dhcp://auto` 或 `dhcp://en0` |
+| [FakeIP](/configuration/dns/fakeip/) | `fakeip`                     |
 
 !!! warning ""
 

docs/configuration/experimental/index.md

@@ -44,9 +44,9 @@
 
 ### Clash API Fields
 
-!!! error ""
+!!! quote ""
 
-    Clash API is not included by default, see [Installation](/#installation).
+    Clash API is not included by default, see [Installation](./#installation).
 
 #### external_controller
 
@@ -78,7 +78,7 @@ ALWAYS set a secret if RESTful API is listening on 0.0.0.0
 
 #### default_mode
 
-Default mode in clash, `rule` will be used if empty.
+Default mode in clash, `Rule` will be used if empty.
 
 This setting has no direct effect, but can be used in routing and DNS rules via the `clash_mode` rule item.
 
@@ -110,9 +110,9 @@ If not empty, `store_selected` will use a separate store keyed by it.
 
 ### V2Ray API Fields
 
-!!! error ""
+!!! quote ""
 
-    V2Ray API is not included by default, see [Installation](/#installation).
+    V2Ray API is not included by default, see [Installation](./#installation).
 
 #### listen
 

docs/configuration/experimental/index.zh.md

@@ -44,7 +44,7 @@
 
 ### Clash API 字段
 
-!!! error ""
+!!! quote ""
 
     默认安装不包含 Clash API，参阅 [安装](/zh/#_2)。
 
@@ -76,7 +76,7 @@ RESTful API 的密钥（可选）
 
 #### default_mode
 
-Clash 中的默认模式，默认使用 `rule`。
+Clash 中的默认模式，默认使用 `Rule`。
 
 此设置没有直接影响，但可以通过 `clash_mode` 规则项在路由和 DNS 规则中使用。
 
@@ -108,7 +108,7 @@ Clash 中的默认模式，默认使用 `rule`。
 
 ### V2Ray API 字段
 
-!!! error ""
+!!! quote ""
 
     默认安装不包含 V2Ray API，参阅 [安装](/zh/#_2)。
 

docs/configuration/inbound/direct.md

@@ -17,7 +17,7 @@
 
 ### Listen Fields
 
-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.
 
 ### Fields