documentation: Bump version

Update gVisor to 20231113.0

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -46,6 +46,7 @@ body:
       description: If you are using the original command line program, please provide the output of the `sing-box version` command.
       value: |-
         <details>
+
         ```console
         # Replace this line with the output
         ```
@@ -71,6 +72,7 @@ body:
         For the Android client, please check the `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` file for crash logs.
       value: |-
         <details>
+        
         ```console
         # Replace this line with logs
         ```

.github/ISSUE_TEMPLATE/bug_report_zh.yml

@@ -46,6 +46,7 @@ body:
       description: 如果您使用原始命令行程序，请提供 `sing-box version` 命令的输出。
       value: |-
         <details>
+
         ```console
         # 使用输出内容覆盖此行
         ```
@@ -71,6 +72,7 @@ body:
         对于 Android 图形客户端程序，请检查 `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` 文件以导出崩溃日志。
       value: |-
         <details>
+        
         ```console
         # 使用日志内容覆盖此行
         ```

.github/workflows/debug.yml

@@ -3,6 +3,7 @@ name: Debug build
 on:
   push:
     branches:
+      - stable-next
       - main-next
       - dev-next
     paths-ignore:
@@ -11,6 +12,7 @@ on:
       - '!.github/workflows/debug.yml'
   pull_request:
     branches:
+      - stable-next
       - main-next
       - dev-next
 
@@ -20,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -48,7 +50,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -68,7 +70,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -199,7 +201,7 @@ jobs:
       TAGS: with_clash_api,with_quic
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
       - name: Get latest go version

.github/workflows/docker.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Setup QEMU for Docker Buildx
@@ -39,6 +39,8 @@ jobs:
         with:
           platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
           target: dist
+          build-args: |
+            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
           tags: |
             ${{ steps.tag.outputs.latest }}
             ${{ steps.tag.outputs.versioned }}

.github/workflows/lint.yml

@@ -3,6 +3,7 @@ name: Lint
 on:
   push:
     branches:
+      - stable-next
       - main-next
       - dev-next
     paths-ignore:
@@ -11,6 +12,7 @@ on:
       - '!.github/workflows/lint.yml'
   pull_request:
     branches:
+      - stable-next
       - main-next
       - dev-next
 
@@ -20,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -34,4 +36,6 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: latest
+          version: latest
+          args: --timeout=30m
+          install-mode: binary

.goreleaser.yaml

@@ -19,10 +19,12 @@ builds:
       - with_ech
       - with_utls
       - with_reality_server
+      - with_acme
       - with_clash_api
     env:
       - CGO_ENABLED=0
     targets:
+      - linux_386
       - linux_amd64_v1
       - linux_amd64_v3
       - linux_arm64
@@ -36,6 +38,36 @@ builds:
       - darwin_amd64_v3
       - darwin_arm64
     mod_timestamp: '{{ .CommitTimestamp }}'
+  - id: legacy
+    main: ./cmd/sing-box
+    flags:
+      - -v
+      - -trimpath
+    asmflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    gcflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    ldflags:
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
+    tags:
+      - with_gvisor
+      - with_quic
+      - with_dhcp
+      - with_wireguard
+      - with_ech
+      - with_utls
+      - with_reality_server
+      - with_acme
+      - with_clash_api
+    env:
+      - CGO_ENABLED=0
+      - GOROOT=/nix/store/kg6i737jjqs923jcijnm003h68c1dghj-go-1.20.11/share/go
+    gobinary: /nix/store/kg6i737jjqs923jcijnm003h68c1dghj-go-1.20.11/bin/go
+    targets:
+      - windows_amd64_v1
+      - windows_386
+      - darwin_amd64_v1
+    mod_timestamp: '{{ .CommitTimestamp }}'
   - id: android
     main: ./cmd/sing-box
     flags:
@@ -54,6 +86,8 @@ builds:
       - with_wireguard
       - with_ech
       - with_utls
+      - with_reality_server
+      - with_acme
       - with_clash_api
     env:
       - CGO_ENABLED=1
@@ -90,6 +124,9 @@ snapshot:
   name_template: "{{ .Version }}.{{ .ShortCommit }}"
 archives:
   - id: archive
+    builds:
+      - main
+      - android
     format: tar.gz
     format_overrides:
       - goos: windows
@@ -98,6 +135,17 @@ archives:
     files:
       - LICENSE
     name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+  - id: archive-legacy
+    builds:
+      - legacy
+    format: tar.gz
+    format_overrides:
+      - goos: windows
+        format: zip
+    wrap_in_directory: true
+    files:
+      - LICENSE
+    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}-legacy'
 nfpms:
   - id: package
     package_name: sing-box
@@ -110,6 +158,7 @@ nfpms:
     formats:
       - deb
       - rpm
+      - archlinux
     priority: extra
     contents:
       - src: release/config/config.json

Dockerfile

@@ -1,23 +1,27 @@
-FROM golang:1.21-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.21-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
+ARG TARGETOS TARGETARCH
 ARG GOPROXY=""
 ENV GOPROXY ${GOPROXY}
 ENV CGO_ENABLED=0
+ENV GOOS=$TARGETOS
+ENV GOARCH=$TARGETARCH
 RUN set -ex \
     && apk add git build-base \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_clash_api,with_acme \
+    && go build -v -trimpath -tags \
+        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api" \
         -o /go/bin/sing-box \
         -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
         ./cmd/sing-box
-FROM alpine AS dist
+FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
     && apk upgrade \
     && apk add bash tzdata ca-certificates \
     && rm -rf /var/cache/apk/*
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
-ENTRYPOINT ["sing-box"]
+ENTRYPOINT ["sing-box"]

Makefile

@@ -3,7 +3,7 @@ COMMIT = $(shell git rev-parse --short HEAD)
 TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
 TAGS_GO120 = with_quic,with_ech
 TAGS ?= $(TAGS_GO118),$(TAGS_GO120)
-TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr
+TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
@@ -14,7 +14,7 @@ MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
 
-.PHONY: test release
+.PHONY: test release docs
 
 build:
 	go build $(MAIN_PARAMS) $(MAIN)
@@ -61,9 +61,9 @@ proto_install:
 release:
 	go run ./cmd/internal/build goreleaser release --clean --skip-publish || exit 1
 	mkdir dist/release
-	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
+	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/*.pkg.tar.zst dist/release
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
-	rm -r dist
+	rm -r dist/release
 
 release_install:
 	go install -v github.com/goreleaser/goreleaser@latest
@@ -73,18 +73,21 @@ update_android_version:
 	go run ./cmd/internal/update_android_version
 
 build_android:
-	cd ../sing-box-for-android && ./gradlew :app:assembleRelease && ./gradlew --stop
+	cd ../sing-box-for-android && ./gradlew :app:assemblePlayRelease && ./gradlew --stop
 
 upload_android:
 	mkdir -p dist/release_android
-	cp ../sing-box-for-android/app/build/outputs/apk/release/*.apk dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/play/release/*.apk dist/release_android
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
 	rm -rf dist/release_android
 
 release_android: lib_android update_android_version build_android upload_android
 
 publish_android:
-	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadRelease
+	cd ../sing-box-for-android && ./gradlew :app:publishPlayReleaseBundle
+
+publish_android_appcenter:
+	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadPlayRelease
 
 build_ios:
 	cd ../sing-box-for-apple && \
@@ -149,10 +152,8 @@ update_apple_version:
 	go run ./cmd/internal/update_apple_version
 
 release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
-	rm -rf dist
 
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
-	rm -rf dist
 
 test:
 	@go test -v ./... && \
@@ -181,6 +182,14 @@ lib_install:
 	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230915142329-c6740b6d2950
 	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230915142329-c6740b6d2950
 
+docs:
+	mkdocs serve
+
+publish_docs:
+	mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
+
+docs_install:
+	pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
 clean:
 	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box

adapter/conn_router.go

@@ -0,0 +1,104 @@
+package adapter
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type ConnectionRouter interface {
+	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+}
+
+func NewRouteHandler(
+	metadata InboundContext,
+	router ConnectionRouter,
+	logger logger.ContextLogger,
+) UpstreamHandlerAdapter {
+	return &routeHandlerWrapper{
+		metadata: metadata,
+		router:   router,
+		logger:   logger,
+	}
+}
+
+func NewRouteContextHandler(
+	router ConnectionRouter,
+	logger logger.ContextLogger,
+) UpstreamHandlerAdapter {
+	return &routeContextHandlerWrapper{
+		router: router,
+		logger: logger,
+	}
+}
+
+var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
+
+type routeHandlerWrapper struct {
+	metadata InboundContext
+	router   ConnectionRouter
+	logger   logger.ContextLogger
+}
+
+func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RouteConnection(ctx, conn, myMetadata)
+}
+
+func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
+}
+
+func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.logger.ErrorContext(ctx, err)
+}
+
+var _ UpstreamHandlerAdapter = (*routeContextHandlerWrapper)(nil)
+
+type routeContextHandlerWrapper struct {
+	router ConnectionRouter
+	logger logger.ContextLogger
+}
+
+func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RouteConnection(ctx, conn, *myMetadata)
+}
+
+func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
+}
+
+func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.logger.ErrorContext(ctx, err)
+}

adapter/inbound.go

@@ -75,3 +75,11 @@ func AppendContext(ctx context.Context) (context.Context, *InboundContext) {
 	metadata = new(InboundContext)
 	return WithContext(ctx, metadata), metadata
 }
+
+func ExtendContext(ctx context.Context) (context.Context, *InboundContext) {
+	var newMetadata InboundContext
+	if metadata := ContextFrom(ctx); metadata != nil {
+		newMetadata = *metadata
+	}
+	return WithContext(ctx, &newMetadata), &newMetadata
+}

adapter/router.go

@@ -2,14 +2,12 @@ package adapter
 
 import (
 	"context"
-	"net"
 	"net/netip"
 
 	"github.com/sagernet/sing-box/common/geoip"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
-	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 
 	mdns "github.com/miekg/dns"
@@ -24,8 +22,7 @@ type Router interface {
 
 	FakeIPStore() FakeIPStore
 
-	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
-	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+	ConnectionRouter
 
 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
@@ -44,6 +41,7 @@ type Router interface {
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
+	WIFIState() WIFIState
 	Rules() []Rule
 
 	ClashServer() ClashServer
@@ -81,3 +79,8 @@ type DNSRule interface {
 type InterfaceUpdateListener interface {
 	InterfaceUpdated()
 }
+
+type WIFIState struct {
+	SSID  string
+	BSSID string
+}

box.go

@@ -41,6 +41,7 @@ type Options struct {
 	option.Options
 	Context           context.Context
 	PlatformInterface platform.Interface
+	PlatformLogWriter log.PlatformWriter
 }
 
 func New(options Options) (*Box, error) {
@@ -55,7 +56,7 @@ func New(options Options) (*Box, error) {
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needClashAPI bool
 	var needV2RayAPI bool
-	if experimentalOptions.ClashAPI != nil || options.PlatformInterface != nil {
+	if experimentalOptions.ClashAPI != nil || options.PlatformLogWriter != nil {
 		needClashAPI = true
 	}
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
@@ -71,7 +72,7 @@ func New(options Options) (*Box, error) {
 		Observable:     needClashAPI,
 		DefaultWriter:  defaultLogWriter,
 		BaseTime:       createdAt,
-		PlatformWriter: options.PlatformInterface,
+		PlatformWriter: options.PlatformLogWriter,
 	})
 	if err != nil {
 		return nil, E.Cause(err, "create log factory")

box_outbound.go

@@ -69,7 +69,7 @@ func (s *Box) startOutbounds() error {
 			}
 			problemOutbound := outbounds[problemOutboundTag]
 			if problemOutbound == nil {
-				return E.New("dependency[", problemOutbound, "] not found for outbound[", outboundTags[oCurrent], "]")
+				return E.New("dependency[", problemOutboundTag, "] not found for outbound[", outboundTags[oCurrent], "]")
 			}
 			return lintOutbound(append(oTree, problemOutboundTag), problemOutbound)
 		}

cmd/internal/build/main.go

@@ -12,7 +12,7 @@ import (
 func main() {
 	build_shared.FindSDK()
 
-	if os.Getenv("build.Default.GOPATH") == "" {
+	if os.Getenv("GOPATH") == "" {
 		os.Setenv("GOPATH", build.Default.GOPATH)
 	}
 

cmd/internal/build_shared/tag.go

@@ -17,9 +17,6 @@ func ReadTag() (string, error) {
 	}
 	shortCommit, _ := shell.Exec("git", "rev-parse", "--short", "HEAD").ReadOutput()
 	version := badversion.Parse(currentTagRev[1:])
-	if version.PreReleaseIdentifier == "" {
-		version.Patch++
-	}
 	return version.String() + "-" + shortCommit, nil
 }
 

cmd/sing-box/cmd_generate.go

@@ -11,7 +11,6 @@ import (
 
 	"github.com/gofrs/uuid/v5"
 	"github.com/spf13/cobra"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
 var commandGenerate = &cobra.Command{
@@ -22,8 +21,7 @@ var commandGenerate = &cobra.Command{
 func init() {
 	commandGenerate.AddCommand(commandGenerateUUID)
 	commandGenerate.AddCommand(commandGenerateRandom)
-	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
-	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
+
 	mainCommand.AddCommand(commandGenerate)
 }
 
@@ -92,48 +90,3 @@ func generateUUID() error {
 	_, err = os.Stdout.WriteString(newUUID.String() + "\n")
 	return err
 }
-
-var commandGenerateWireGuardKeyPair = &cobra.Command{
-	Use:   "wg-keypair",
-	Short: "Generate WireGuard key pair",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateWireGuardKey()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func generateWireGuardKey() error {
-	privateKey, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		return err
-	}
-	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
-	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
-	return nil
-}
-
-var commandGenerateRealityKeyPair = &cobra.Command{
-	Use:   "reality-keypair",
-	Short: "Generate reality key pair",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateRealityKey()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func generateRealityKey() error {
-	privateKey, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		return err
-	}
-	publicKey := privateKey.PublicKey()
-	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
-	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
-	return nil
-}

cmd/sing-box/cmd_generate_tls.go

@@ -0,0 +1,40 @@
+package main
+
+import (
+	"os"
+	"time"
+
+	"github.com/sagernet/sing-box/common/tls"
+	"github.com/sagernet/sing-box/log"
+
+	"github.com/spf13/cobra"
+)
+
+var flagGenerateTLSKeyPairMonths int
+
+var commandGenerateTLSKeyPair = &cobra.Command{
+	Use:   "tls-keypair <server_name>",
+	Short: "Generate TLS self sign key pair",
+	Args:  cobra.ExactArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateTLSKeyPair(args[0])
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandGenerateTLSKeyPair.Flags().IntVarP(&flagGenerateTLSKeyPairMonths, "months", "m", 1, "Valid months")
+	commandGenerate.AddCommand(commandGenerateTLSKeyPair)
+}
+
+func generateTLSKeyPair(serverName string) error {
+	privateKeyPem, publicKeyPem, err := tls.GenerateKeyPair(time.Now, serverName, time.Now().AddDate(0, flagGenerateTLSKeyPairMonths, 0))
+	if err != nil {
+		return err
+	}
+	os.Stdout.WriteString(string(privateKeyPem) + "\n")
+	os.Stdout.WriteString(string(publicKeyPem) + "\n")
+	return nil
+}

cmd/sing-box/cmd_generate_vapid.go

@@ -0,0 +1,40 @@
+//go:build go1.20
+
+package main
+
+import (
+	"crypto/ecdh"
+	"crypto/rand"
+	"encoding/base64"
+	"os"
+
+	"github.com/sagernet/sing-box/log"
+
+	"github.com/spf13/cobra"
+)
+
+var commandGenerateVAPIDKeyPair = &cobra.Command{
+	Use:   "vapid-keypair",
+	Short: "Generate VAPID key pair",
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateVAPIDKeyPair()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandGenerate.AddCommand(commandGenerateVAPIDKeyPair)
+}
+
+func generateVAPIDKeyPair() error {
+	privateKey, err := ecdh.P256().GenerateKey(rand.Reader)
+	if err != nil {
+		return err
+	}
+	publicKey := privateKey.PublicKey()
+	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey.Bytes()) + "\n")
+	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey.Bytes()) + "\n")
+	return nil
+}

cmd/sing-box/cmd_generate_wireguard.go

@@ -0,0 +1,61 @@
+package main
+
+import (
+	"encoding/base64"
+	"os"
+
+	"github.com/sagernet/sing-box/log"
+
+	"github.com/spf13/cobra"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+func init() {
+	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
+	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
+}
+
+var commandGenerateWireGuardKeyPair = &cobra.Command{
+	Use:   "wg-keypair",
+	Short: "Generate WireGuard key pair",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateWireGuardKey()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func generateWireGuardKey() error {
+	privateKey, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return err
+	}
+	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
+	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
+	return nil
+}
+
+var commandGenerateRealityKeyPair = &cobra.Command{
+	Use:   "reality-keypair",
+	Short: "Generate reality key pair",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateRealityKey()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func generateRealityKey() error {
+	privateKey, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return err
+	}
+	publicKey := privateKey.PublicKey()
+	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
+	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
+	return nil
+}

common/dialer/resolve.go

@@ -36,7 +36,7 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
-	ctx, metadata := adapter.AppendContext(ctx)
+	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
 	metadata.Destination = destination
 	metadata.Domain = ""
@@ -61,7 +61,7 @@ func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
-	ctx, metadata := adapter.AppendContext(ctx)
+	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
 	metadata.Destination = destination
 	metadata.Domain = ""

common/mux/client.go

@@ -1,21 +1,42 @@
 package mux
 
 import (
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-mux"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 	N "github.com/sagernet/sing/common/network"
 )
 
-func NewClientWithOptions(dialer N.Dialer, options option.MultiplexOptions) (*Client, error) {
+type Client = mux.Client
+
+func NewClientWithOptions(dialer N.Dialer, logger logger.Logger, options option.OutboundMultiplexOptions) (*Client, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
+	var brutalOptions mux.BrutalOptions
+	if options.Brutal != nil && options.Brutal.Enabled {
+		brutalOptions = mux.BrutalOptions{
+			Enabled:    true,
+			SendBPS:    uint64(options.Brutal.UpMbps * C.MbpsToBps),
+			ReceiveBPS: uint64(options.Brutal.DownMbps * C.MbpsToBps),
+		}
+		if brutalOptions.SendBPS < mux.BrutalMinSpeedBPS {
+			return nil, E.New("brutal: invalid upload speed")
+		}
+		if brutalOptions.ReceiveBPS < mux.BrutalMinSpeedBPS {
+			return nil, E.New("brutal: invalid download speed")
+		}
+	}
 	return mux.NewClient(mux.Options{
 		Dialer:         dialer,
+		Logger:         logger,
 		Protocol:       options.Protocol,
 		MaxConnections: options.MaxConnections,
 		MinStreams:     options.MinStreams,
 		MaxStreams:     options.MaxStreams,
 		Padding:        options.Padding,
+		Brutal:         brutalOptions,
 	})
 }

common/mux/protocol.go

@@ -1,14 +0,0 @@
-package mux
-
-import (
-	"github.com/sagernet/sing-mux"
-)
-
-type (
-	Client = mux.Client
-)
-
-var (
-	Destination      = mux.Destination
-	HandleConnection = mux.HandleConnection
-)

common/mux/router.go

@@ -0,0 +1,65 @@
+package mux
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-mux"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type Router struct {
+	router  adapter.ConnectionRouter
+	service *mux.Service
+}
+
+func NewRouterWithOptions(router adapter.ConnectionRouter, logger logger.ContextLogger, options option.InboundMultiplexOptions) (adapter.ConnectionRouter, error) {
+	if !options.Enabled {
+		return router, nil
+	}
+	var brutalOptions mux.BrutalOptions
+	if options.Brutal != nil && options.Brutal.Enabled {
+		brutalOptions = mux.BrutalOptions{
+			Enabled:    true,
+			SendBPS:    uint64(options.Brutal.UpMbps * C.MbpsToBps),
+			ReceiveBPS: uint64(options.Brutal.DownMbps * C.MbpsToBps),
+		}
+		if brutalOptions.SendBPS < mux.BrutalMinSpeedBPS {
+			return nil, E.New("brutal: invalid upload speed")
+		}
+		if brutalOptions.ReceiveBPS < mux.BrutalMinSpeedBPS {
+			return nil, E.New("brutal: invalid download speed")
+		}
+	}
+	service, err := mux.NewService(mux.ServiceOptions{
+		NewStreamContext: func(ctx context.Context, conn net.Conn) context.Context {
+			return log.ContextWithNewID(ctx)
+		},
+		Logger:  logger,
+		Handler: adapter.NewRouteContextHandler(router, logger),
+		Padding: options.Padding,
+		Brutal:  brutalOptions,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &Router{router, service}, nil
+}
+
+func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	if metadata.Destination == mux.Destination {
+		return r.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, adapter.UpstreamMetadata(metadata))
+	} else {
+		return r.router.RouteConnection(ctx, conn, metadata)
+	}
+}
+
+func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	return r.router.RoutePacketConnection(ctx, conn, metadata)
+}

common/mux/v2ray_legacy.go

@@ -0,0 +1,32 @@
+package mux
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	vmess "github.com/sagernet/sing-vmess"
+	"github.com/sagernet/sing/common/logger"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type V2RayLegacyRouter struct {
+	router adapter.ConnectionRouter
+	logger logger.ContextLogger
+}
+
+func NewV2RayLegacyRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) adapter.ConnectionRouter {
+	return &V2RayLegacyRouter{router, logger}
+}
+
+func (r *V2RayLegacyRouter) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	if metadata.Destination.Fqdn == vmess.MuxDestination.Fqdn {
+		r.logger.InfoContext(ctx, "inbound legacy multiplex connection")
+		return vmess.HandleMuxConnection(ctx, conn, adapter.NewRouteHandler(metadata, r.router, r.logger))
+	}
+	return r.router.RouteConnection(ctx, conn, metadata)
+}
+
+func (r *V2RayLegacyRouter) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	return r.router.RoutePacketConnection(ctx, conn, metadata)
+}

common/proxyproto/dialer.go

@@ -1,50 +0,0 @@
-package proxyproto
-
-import (
-	"context"
-	"net"
-	"net/netip"
-
-	"github.com/sagernet/sing-box/adapter"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	"github.com/pires/go-proxyproto"
-)
-
-var _ N.Dialer = (*Dialer)(nil)
-
-type Dialer struct {
-	N.Dialer
-}
-
-func (d *Dialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	switch N.NetworkName(network) {
-	case N.NetworkTCP:
-		conn, err := d.Dialer.DialContext(ctx, network, destination)
-		if err != nil {
-			return nil, err
-		}
-		var source M.Socksaddr
-		metadata := adapter.ContextFrom(ctx)
-		if metadata != nil {
-			source = metadata.Source
-		}
-		if !source.IsValid() {
-			source = M.SocksaddrFromNet(conn.LocalAddr())
-		}
-		if destination.Addr.Is6() {
-			source = M.SocksaddrFrom(netip.AddrFrom16(source.Addr.As16()), source.Port)
-		}
-		h := proxyproto.HeaderProxyFromAddrs(1, source.TCPAddr(), destination.TCPAddr())
-		_, err = h.WriteTo(conn)
-		if err != nil {
-			conn.Close()
-			return nil, E.Cause(err, "write proxy protocol header")
-		}
-		return conn, nil
-	default:
-		return d.Dialer.DialContext(ctx, network, destination)
-	}
-}

common/proxyproto/listener.go

@@ -1,62 +0,0 @@
-package proxyproto
-
-import (
-	std_bufio "bufio"
-	"net"
-
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
-
-	"github.com/pires/go-proxyproto"
-)
-
-type Listener struct {
-	net.Listener
-	AcceptNoHeader bool
-}
-
-func (l *Listener) Accept() (net.Conn, error) {
-	conn, err := l.Listener.Accept()
-	if err != nil {
-		return nil, err
-	}
-	bufReader := std_bufio.NewReader(conn)
-	header, err := proxyproto.Read(bufReader)
-	if err != nil && !(l.AcceptNoHeader && err == proxyproto.ErrNoProxyProtocol) {
-		return nil, &Error{err}
-	}
-	if bufReader.Buffered() > 0 {
-		cache := buf.NewSize(bufReader.Buffered())
-		_, err = cache.ReadFullFrom(bufReader, cache.FreeLen())
-		if err != nil {
-			return nil, &Error{err}
-		}
-		conn = bufio.NewCachedConn(conn, cache)
-	}
-	if header != nil {
-		return &bufio.AddrConn{Conn: conn, Metadata: M.Metadata{
-			Source:      M.SocksaddrFromNet(header.SourceAddr).Unwrap(),
-			Destination: M.SocksaddrFromNet(header.DestinationAddr).Unwrap(),
-		}}, nil
-	}
-	return conn, nil
-}
-
-var _ net.Error = (*Error)(nil)
-
-type Error struct {
-	error
-}
-
-func (e *Error) Unwrap() error {
-	return e.error
-}
-
-func (e *Error) Timeout() bool {
-	return false
-}
-
-func (e *Error) Temporary() bool {
-	return true
-}

common/sniff/quic.go

@@ -182,11 +182,52 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
 			break
 		}
 		switch frameType {
-		case 0x0:
+		case 0x00: // PADDING
 			continue
-		case 0x1:
+		case 0x01: // PING
 			continue
-		case 0x6:
+		case 0x02, 0x03: // ACK
+			_, err = qtls.ReadUvarint(decryptedReader) // Largest Acknowledged
+			if err != nil {
+				return nil, err
+			}
+			_, err = qtls.ReadUvarint(decryptedReader) // ACK Delay
+			if err != nil {
+				return nil, err
+			}
+			ackRangeCount, err := qtls.ReadUvarint(decryptedReader) // ACK Range Count
+			if err != nil {
+				return nil, err
+			}
+			_, err = qtls.ReadUvarint(decryptedReader) // First ACK Range
+			if err != nil {
+				return nil, err
+			}
+			for i := 0; i < int(ackRangeCount); i++ {
+				_, err = qtls.ReadUvarint(decryptedReader) // Gap
+				if err != nil {
+					return nil, err
+				}
+				_, err = qtls.ReadUvarint(decryptedReader) // ACK Range Length
+				if err != nil {
+					return nil, err
+				}
+			}
+			if frameType == 0x03 {
+				_, err = qtls.ReadUvarint(decryptedReader) // ECT0 Count
+				if err != nil {
+					return nil, err
+				}
+				_, err = qtls.ReadUvarint(decryptedReader) // ECT1 Count
+				if err != nil {
+					return nil, err
+				}
+				_, err = qtls.ReadUvarint(decryptedReader) // ECN-CE Count
+				if err != nil {
+					return nil, err
+				}
+			}
+		case 0x06: // CRYPTO
 			var offset uint64
 			offset, err = qtls.ReadUvarint(decryptedReader)
 			if err != nil {
@@ -208,8 +249,26 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
 			if err != nil {
 				return nil, err
 			}
+		case 0x1c: // CONNECTION_CLOSE
+			_, err = qtls.ReadUvarint(decryptedReader) // Error Code
+			if err != nil {
+				return nil, err
+			}
+			_, err = qtls.ReadUvarint(decryptedReader) // Frame Type
+			if err != nil {
+				return nil, err
+			}
+			var length uint64
+			length, err = qtls.ReadUvarint(decryptedReader) // Reason Phrase Length
+			if err != nil {
+				return nil, err
+			}
+			_, err = decryptedReader.Seek(int64(length), io.SeekCurrent) // Reason Phrase
+			if err != nil {
+				return nil, err
+			}
 		default:
-			// ignore unknown frame type
+			return nil, os.ErrInvalid
 		}
 	}
 	tlsHdr := make([]byte, 5)

common/tls/mkcert.go

@@ -11,22 +11,34 @@ import (
 	"time"
 )
 
-func GenerateKeyPair(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
+func GenerateCertificate(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
+	privateKeyPem, publicKeyPem, err := GenerateKeyPair(timeFunc, serverName, timeFunc().Add(time.Hour))
+	if err != nil {
+		return nil, err
+	}
+	certificate, err := tls.X509KeyPair(publicKeyPem, privateKeyPem)
+	if err != nil {
+		return nil, err
+	}
+	return &certificate, err
+}
+
+func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.Time) (privateKeyPem []byte, publicKeyPem []byte, err error) {
 	if timeFunc == nil {
 		timeFunc = time.Now
 	}
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
-		return nil, err
+		return
 	}
 	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
 	if err != nil {
-		return nil, err
+		return
 	}
 	template := &x509.Certificate{
 		SerialNumber:          serialNumber,
 		NotBefore:             timeFunc().Add(time.Hour * -1),
-		NotAfter:              timeFunc().Add(time.Hour),
+		NotAfter:              expire,
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
@@ -37,17 +49,13 @@ func GenerateKeyPair(timeFunc func() time.Time, serverName string) (*tls.Certifi
 	}
 	publicDer, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
 	if err != nil {
-		return nil, err
+		return
 	}
 	privateDer, err := x509.MarshalPKCS8PrivateKey(key)
 	if err != nil {
-		return nil, err
+		return
 	}
-	publicPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: publicDer})
-	privPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateDer})
-	keyPair, err := tls.X509KeyPair(publicPem, privPem)
-	if err != nil {
-		return nil, err
-	}
-	return &keyPair, err
+	publicKeyPem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: publicDer})
+	privateKeyPem = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateDer})
+	return
 }

common/tls/std_server.go

@@ -233,7 +233,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		}
 		if certificate == nil && key == nil && options.Insecure {
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateKeyPair(ntp.TimeFuncFromContext(ctx), info.ServerName)
+				return GenerateCertificate(ntp.TimeFuncFromContext(ctx), info.ServerName)
 			}
 		} else {
 			if certificate == nil {

common/uot/router.go

@@ -0,0 +1,53 @@
+package uot
+
+import (
+	"context"
+	"net"
+	"net/netip"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/uot"
+)
+
+var _ adapter.ConnectionRouter = (*Router)(nil)
+
+type Router struct {
+	router adapter.ConnectionRouter
+	logger logger.ContextLogger
+}
+
+func NewRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) *Router {
+	return &Router{router, logger}
+}
+
+func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	switch metadata.Destination.Fqdn {
+	case uot.MagicAddress:
+		request, err := uot.ReadRequest(conn)
+		if err != nil {
+			return E.Cause(err, "read UoT request")
+		}
+		if request.IsConnect {
+			r.logger.InfoContext(ctx, "inbound UoT connect connection to ", request.Destination)
+		} else {
+			r.logger.InfoContext(ctx, "inbound UoT connection to ", request.Destination)
+		}
+		metadata.Domain = metadata.Destination.Fqdn
+		metadata.Destination = request.Destination
+		return r.router.RoutePacketConnection(ctx, uot.NewConn(conn, *request), metadata)
+	case uot.LegacyMagicAddress:
+		r.logger.InfoContext(ctx, "inbound legacy UoT connection")
+		metadata.Domain = metadata.Destination.Fqdn
+		metadata.Destination = M.Socksaddr{Addr: netip.IPv4Unspecified()}
+		return r.RoutePacketConnection(ctx, uot.NewConn(conn, uot.Request{}), metadata)
+	}
+	return r.router.RouteConnection(ctx, conn, metadata)
+}
+
+func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	return r.router.RoutePacketConnection(ctx, conn, metadata)
+}

constant/speed.go

@@ -0,0 +1,3 @@
+package constant
+
+const MbpsToBps = 125000

constant/v2ray.go

@@ -1,8 +1,9 @@
 package constant
 
 const (
-	V2RayTransportTypeHTTP      = "http"
-	V2RayTransportTypeWebsocket = "ws"
-	V2RayTransportTypeQUIC      = "quic"
-	V2RayTransportTypeGRPC      = "grpc"
+	V2RayTransportTypeHTTP        = "http"
+	V2RayTransportTypeWebsocket   = "ws"
+	V2RayTransportTypeQUIC        = "quic"
+	V2RayTransportTypeGRPC        = "grpc"
+	V2RayTransportTypeHTTPUpgrade = "httpupgrade"
 )

docs/changelog.md

@@ -1,17 +1,344 @@
+---
+icon: material/alert-decagram
+---
+
+# ChangeLog
+
+#### 1.7.1
+
+* Fixes and improvements
+
+#### 1.7.0
+
+* Fixes and improvements
+
+Important changes since 1.6:
+
+* Add [exclude route support](/configuration/inbound/tun) for TUN inbound
+* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen) **1**
+* Add [HTTPUpgrade V2Ray transport](/configuration/shared/v2ray-transport#HTTPUpgrade) support **2**
+* Migrate multiplex and UoT server to inbound **3**
+* Add TCP Brutal support for multiplex **4**
+* Add `wifi_ssid` and `wifi_bssid` route and DNS rules **5**
+* Update quic-go to v0.40.0
+* Update gVisor to 20231113.0
+
+**1**:
+
+If enabled, for UDP proxy requests addressed to a domain,
+the original packet address will be sent in the response instead of the mapped domain.
+
+This option is used for compatibility with clients that
+do not support receiving UDP packets with domain addresses, such as Surge.
+
+**2**:
+
+Introduced in V2Ray 5.10.0.
+
+The new HTTPUpgrade transport has better performance than WebSocket and is better suited for CDN abuse.
+
+**3**:
+
+Starting in 1.7.0, multiplexing support is no longer enabled by default and needs to be turned on explicitly in inbound options.
+
+**4**
+
+Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server, see [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+
+**5**:
+
+Only supported in graphical clients on Android and iOS.
+
+#### 1.7.0-rc.3
+
+* Fixes and improvements
+
+#### 1.6.7
+
+* macOS: Add button for uninstall SystemExtension in the standalone graphical client
+* Fix missing UDP user context on TUIC/Hysteria2 inbounds
+* Fixes and improvements
+
+#### 1.7.0-rc.2
+
+* Fix missing UDP user context on TUIC/Hysteria2 inbounds
+* macOS: Add button for uninstall SystemExtension in the standalone graphical client
+
+#### 1.6.6
+
+* Fixes and improvements
+
+#### 1.7.0-rc.1
+
+* Fixes and improvements
+
+#### 1.7.0-beta.5
+
+* Update gVisor to 20231113.0
+* Fixes and improvements
+
+#### 1.7.0-beta.4
+
+* Add `wifi_ssid` and `wifi_bssid` route and DNS rules **1**
+* Fixes and improvements
+
+**1**:
+
+Only supported in graphical clients on Android and iOS.
+
+#### 1.7.0-beta.3
+
+* Fix zero TTL was incorrectly reset
+* Fixes and improvements
+
+#### 1.6.5
+
+* Fix crash if TUIC inbound authentication failed
+* Fixes and improvements
+
+#### 1.7.0-beta.2
+
+* Fix crash if TUIC inbound authentication failed
+* Update quic-go to v0.40.0
+* Fixes and improvements
+
+#### 1.6.4
+
+* Fixes and improvements
+
+#### 1.7.0-beta.1
+
+* Fixes and improvements
+
+#### 1.6.3
+
+* iOS/Android: Fix profile auto update
+* Fixes and improvements
+
+#### 1.7.0-alpha.11
+
+* iOS/Android: Fix profile auto update
+* Fixes and improvements
+
+#### 1.7.0-alpha.10
+
+* Fix tcp-brutal not working with TLS
+* Fix Android client not closing in some cases
+* Fixes and improvements
+
+#### 1.6.2
+
+* Fixes and improvements
+
+#### 1.6.1
+
+* Our [Android client](/installation/clients/sfa) is now available in the Google Play Store ▶️
+* Fixes and improvements
+
+#### 1.7.0-alpha.6
+
+* Fixes and improvements
+
+#### 1.7.0-alpha.4
+
+* Migrate multiplex and UoT server to inbound **1**
+* Add TCP Brutal support for multiplex **2**
+
+**1**:
+
+Starting in 1.7.0, multiplexing support is no longer enabled by default and needs to be turned on explicitly in inbound options.
+
+**2**
+
+Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server, see [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+
+#### 1.7.0-alpha.3
+
+* Add [HTTPUpgrade V2Ray transport](/configuration/shared/v2ray-transport#HTTPUpgrade) support **1**
+* Fixes and improvements
+
+**1**:
+
+Introduced in V2Ray 5.10.0.
+
+The new HTTPUpgrade transport has better performance than WebSocket and is better suited for CDN abuse.
+
+#### 1.6.0
+
+* Fixes and improvements
+
+Important changes since 1.5:
+
+* Our [Apple tvOS client](/installation/clients/sft) is now available in the App Store 🍎
+* Update BBR congestion control for TUIC and Hysteria2 **1**
+* Update brutal congestion control for Hysteria2
+* Add `brutal_debug` option for Hysteria2
+* Update legacy Hysteria protocol **2**
+* Add TLS self sign key pair generate command
+* Remove [Deprecated Features](/deprecated) by agreement
+
+**1**:
+
+None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
+This update is intended to address the multi-send defects of the old implementation and may introduce new issues.
+
+**2**
+
+Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
+the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
+
+#### 1.7.0-alpha.2
+
+* Fix bugs introduced in 1.7.0-alpha.1
+
+#### 1.7.0-alpha.1
+
+* Add [exclude route support](/configuration/inbound/tun) for TUN inbound
+* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen) **1**
+* Fixes and improvements
+
+**1**:
+
+If enabled, for UDP proxy requests addressed to a domain,
+the original packet address will be sent in the response instead of the mapped domain.
+
+This option is used for compatibility with clients that
+do not support receiving UDP packets with domain addresses, such as Surge.
+
+#### 1.5.5
+
+* Fix IPv6 `auto_route` for Linux **1**
+* Add legacy builds for old Windows and macOS systems **2**
+* Fixes and improvements
+
+**1**:
+
+When `auto_route` is enabled and `strict_route` is disabled, the device can now be reached from external IPv6 addresses.
+
+**2**:
+
+Built using Go 1.20, the last version that will run on Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High Sierra, 10.14 Mojave.
+
+
+#### 1.6.0-rc.4
+
+* Fixes and improvements
+
+#### 1.6.0-rc.1
+
+* Add legacy builds for old Windows and macOS systems **1**
+* Fixes and improvements
+
+**1**:
+
+Built using Go 1.20, the last version that will run on Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High Sierra, 10.14 Mojave.
+
+#### 1.6.0-beta.4
+
+* Fix IPv6 `auto_route` for Linux **1**
+* Fixes and improvements
+
+**1**:
+
+When `auto_route` is enabled and `strict_route` is disabled, the device can now be reached from external IPv6 addresses.
+
+#### 1.5.4
+
+* Fix Clash cache crash on arm32 devices
+* Fixes and improvements
+
+#### 1.6.0-beta.3
+
+* Update the legacy Hysteria protocol **1**
+* Fixes and improvements
+
+**1**
+
+Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
+the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
+
+#### 1.6.0-beta.2
+
+* Add TLS self sign key pair generate command
+* Update brutal congestion control for Hysteria2
+* Fix Clash cache crash on arm32 devices
+* Update golang.org/x/net to v0.17.0
+* Fixes and improvements
+
+#### 1.6.0-beta.3
+
+* Update the legacy Hysteria protocol **1**
+* Fixes and improvements
+
+**1**
+
+Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
+the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
+
+#### 1.6.0-beta.2
+
+* Add TLS self sign key pair generate command
+* Update brutal congestion control for Hysteria2
+* Fix Clash cache crash on arm32 devices
+* Update golang.org/x/net to v0.17.0
+* Fixes and improvements
+
 #### 1.5.3
 
 * Fix compatibility with Android 14
 * Fixes and improvements
 
+#### 1.6.0-beta.1
+
+* Fixes and improvements
+
+#### 1.6.0-alpha.5
+
+* Fix compatibility with Android 14
+* Update BBR congestion control for TUIC and Hysteria2 **1**
+* Fixes and improvements
+
+**1**:
+
+None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
+This update is intended to fix a memory leak flaw in the new implementation introduced in 1.6.0-alpha.1 and may
+introduce new issues.
+
+#### 1.6.0-alpha.4
+
+* Add `brutal_debug` option for Hysteria2
+* Fixes and improvements
+
 #### 1.5.2
 
 * Our [Apple tvOS client](/installation/clients/sft) is now available in the App Store 🍎
 * Fixes and improvements
 
+#### 1.6.0-alpha.3
+
+* Fixes and improvements
+
+#### 1.6.0-alpha.2
+
+* Fixes and improvements
+
 #### 1.5.1
 
 * Fixes and improvements
 
+#### 1.6.0-alpha.1
+
+* Update BBR congestion control for TUIC and Hysteria2 **1**
+* Update quic-go to v0.39.0
+* Update gVisor to 20230814.0
+* Remove [Deprecated Features](/deprecated) by agreement
+* Fixes and improvements
+
+**1**:
+
+None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
+This update is intended to address the multi-send defects of the old implementation and may introduce new issues.
+
 #### 1.5.0
 
 * Fixes and improvements

docs/clients/android/features.md

@@ -0,0 +1,64 @@
+# :material-decagram: Features
+
+#### UI options
+
+* Display realtime network speed in the notification
+
+#### Service
+
+SFA allows you to run sing-box through ForegroundService or VpnService (when TUN is required).
+
+#### TUN
+
+SFA provides an unprivileged TUN implementation through Android VpnService.
+
+| TUN inbound option            | Available        | Note               |
+|-------------------------------|------------------|--------------------|
+| `interface_name`              | :material-close: | Managed by Android |
+| `inet4_address`               | :material-check: | /                  |
+| `inet6_address`               | :material-check: | /                  |
+| `mtu`                         | :material-check: | /                  |
+| `auto_route`                  | :material-check: | /                  |
+| `strict_route`                | :material-close: | Not implemented    |
+| `inet4_route_address`         | :material-check: | /                  |
+| `inet6_route_address`         | :material-check: | /                  |
+| `inet4_route_exclude_address` | :material-check: | /                  |
+| `inet6_route_exclude_address` | :material-check: | /                  |
+| `endpoint_independent_nat`    | :material-check: | /                  |
+| `stack`                       | :material-check: | /                  |
+| `include_interface`           | :material-close: | No permission      |
+| `exclude_interface`           | :material-close: | No permission      |
+| `include_uid`                 | :material-close: | No permission      |
+| `exclude_uid`                 | :material-close: | No permission      |
+| `include_android_user`        | :material-close: | No permission      |
+| `include_package`             | :material-check: | /                  |
+| `exclude_package`             | :material-check: | /                  |
+| `platform`                    | :material-check: | /                  |
+
+| Route/DNS rule option | Available        | Note                              |
+|-----------------------|------------------|-----------------------------------|
+| `process_name`        | :material-close: | No permission                     |
+| `process_path`        | :material-close: | No permission                     |
+| `package_name`        | :material-check: | /                                 |
+| `user`                | :material-close: | Use `package_name` instead        |
+| `user_id`             | :material-close: | Use `package_name` instead        |
+| `wifi_ssid`           | :material-check: | Fine location permission required |
+| `wifi_bssid`          | :material-check: | Fine location permission required |
+
+### Override
+
+Overrides profile configuration items with platform-specific values.
+
+#### Per-app proxy
+
+SFA allows you to select a list of Android apps that require proxying or bypassing in the graphical interface to
+override the `include_package` and `exclude_package` configuration items.
+
+In particular, the selector also provides the “China apps” scanning feature, providing Chinese users with an excellent
+experience to bypass apps that do not require a proxy. Specifically, by scanning China application or SDK
+characteristics through dex class path and other means, there will be almost no missed reports.
+
+### Chore
+
+* The working directory is located at `/sdcard/Android/data/io.nekohasekai.sfa/files` (External files directory)
+* Crash logs is located in `$working_directory/stderr.log`

docs/clients/android/index.md

@@ -0,0 +1,22 @@
+---
+icon: material/android
+---
+
+# sing-box for Android
+
+SFA allows users to manage and run local or remote sing-box configuration files, and provides
+platform-specific function implementation, such as TUN transparent proxy implementation.
+
+## :material-graph: Requirements
+
+* Android 5.0+
+
+## :material-download: Download
+
+* [Play Store](https://play.google.com/store/apps/details?id=io.nekohasekai.sfa)
+* [Play Store (Beta)](https://play.google.com/apps/testing/io.nekohasekai.sfa)
+* [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
+
+## :material-source-repository: Source code
+
+* [GitHub](https://github.com/SagerNet/sing-box-for-android)

docs/clients/apple/features.md

@@ -0,0 +1,52 @@
+# :material-decagram: Features
+
+#### UI options
+
+* Always On
+* Include All Networks (Proxy traffic for LAN and cellular services)
+* (Apple tvOS) Import profile from iPhone/iPad
+
+#### Service
+
+SFI/SFM/SFT allows you to run sing-box through NetworkExtension with Application Extension or System Extension.
+
+#### TUN
+
+SFI/SFM/SFT provides an unprivileged TUN implementation through NetworkExtension.
+
+| TUN inbound option            | Available | Note              |
+|-------------------------------|-----------|-------------------|
+| `interface_name`              | ✖️        | Managed by Darwin |
+| `inet4_address`               | ✔️        | /                 |
+| `inet6_address`               | ✔️        | /                 |
+| `mtu`                         | ✔️        | /                 |
+| `auto_route`                  | ✔️        | /                 |
+| `strict_route`                | ✖️        | Not implemented   |
+| `inet4_route_address`         | ✔️        | /                 |
+| `inet6_route_address`         | ✔️        | /                 |
+| `inet4_route_exclude_address` | ✔️        | /                 |
+| `inet6_route_exclude_address` | ✔️        | /                 |
+| `endpoint_independent_nat`    | ✔️        | /                 |
+| `stack`                       | ✔️        | /                 |
+| `include_interface`           | ✖️        | Not implemented   |
+| `exclude_interface`           | ✖️        | Not implemented   |
+| `include_uid`                 | ✖️        | Not implemented   |
+| `exclude_uid`                 | ✖️        | Not implemented   |
+| `include_android_user`        | ✖️        | Not implemented   |
+| `include_package`             | ✖️        | Not implemented   |
+| `exclude_package`             | ✖️        | Not implemented   |
+| `platform`                    | ✔️        | /                 |
+
+| Route/DNS rule option | Available        | Note                  |
+|-----------------------|------------------|-----------------------|
+| `process_name`        | :material-close: | No permission         |
+| `process_path`        | :material-close: | No permission         |
+| `package_name`        | :material-close: | /                     |
+| `user`                | :material-close: | No permission         |
+| `user_id`             | :material-close: | No permission         |
+| `wifi_ssid`           | :material-alert: | Only supported on iOS |
+| `wifi_bssid`          | :material-alert: | Only supported on iOS |
+
+### Chore
+
+* Crash logs is located in `Settings` -> `View Service Log`

docs/clients/apple/index.md

@@ -0,0 +1,32 @@
+---
+icon: material/apple
+---
+
+# sing-box for Apple platforms
+
+SFI/SFM/SFT allows users to manage and run local or remote sing-box configuration files, and provides
+platform-specific function implementation, such as TUN transparent proxy implementation.
+
+## :material-graph: Requirements
+
+* iOS 15.0+ / macOS 13.0+ / Apple tvOS 17.0+
+* An Apple account outside of mainland China
+
+## :material-download: Download
+
+* [App Store](https://apps.apple.com/us/app/sing-box/id6451272673)
+* [TestFlight (Beta)](https://testflight.apple.com/join/AcqO44FH)
+
+## :material-file-download: Download (macOS standalone version)
+
+* [Homebrew Cask](https://formulae.brew.sh/cask/sfm)
+
+```bash
+brew install sfm
+```
+
+* [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
+
+## :material-source-repository: Source code
+
+* [GitHub](https://github.com/SagerNet/sing-box-for-apple)

docs/clients/general.md

@@ -0,0 +1,63 @@
+---
+icon: material/pencil-ruler
+---
+
+# General
+
+Describes and explains the functions implemented uniformly by sing-box graphical clients.
+
+### Profile
+
+Profile describes a sing-box configuration file and its state.
+
+#### Local
+
+* Local Profile represents a local sing-box configuration with minimal state
+* The graphical client must provide an editor to modify configuration content
+
+#### iCloud (on iOS and macOS)
+
+* iCloud Profile represents a remote sing-box configuration with iCloud as the update source
+* The configuration file is stored in the sing-box folder under iCloud
+* The graphical client must provide an editor to modify configuration content
+
+#### Remote
+
+* Remote Profile represents a remote sing-box configuration with a URL as the update source.
+* The graphical client should provide a configuration content viewer
+* The graphical client must implement automatic profile update (default interval is 60 minutes) and HTTP Basic
+  authorization.
+
+At the same time, the graphical client must provide support for importing remote profiles
+through a specific URL Scheme. The URL is defined as follows:
+
+```
+sing-box://import-remote-profile?url=urlEncodedURL#urlEncodedName
+```
+
+### Dashboard
+
+While the sing-box service is running, the graphical client should provide a Dashboard interface to manage the service.
+
+#### Status
+
+Dashboard should display status information such as memory, connection, and traffic.
+
+#### Mode
+
+Dashboard should provide a Mode selector for switching when the configuration uses at least two `clash_mode` values.
+
+#### Groups
+
+When the configuration includes group outbounds (specifically, Selector or URLTest),
+the dashboard should provide a Group selector for status display or switching.
+
+### Chore
+
+#### Core
+
+Graphical clients should provide a Core region:
+
+* Display the current sing-box version
+* Provides a button to clean the working directory
+* Provides a memory limiter switch

docs/clients/index.md

@@ -0,0 +1,13 @@
+# :material-cellphone-link: Graphical Clients
+
+Maintained by Project S to provide a unified experience and platform-specific functionality.
+
+| Platform                              | Client                                  |
+|---------------------------------------|-----------------------------------------|
+| :material-android: Android            | [sing-box for Android](./android)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple) |
+| :material-laptop: Desktop             | Working in progress                     |
+
+Some third-party projects that claim to use sing-box or use sing-box as a selling point are not listed here. The core
+motivation of the maintainers of such projects is to acquire more users, and even though they provide friendly VPN
+client features, the code is usually of poor quality and contains ads.

docs/clients/index.zh.md

@@ -0,0 +1,12 @@
+# :material-cellphone-link: 图形界面客户端
+
+由 Project S 维护，提供统一的体验与平台特定的功能。
+
+| 平台                                    | 客户端                                     |
+|---------------------------------------|-----------------------------------------|
+| :material-android: Android            | [sing-box for Android](./android)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple) |
+| :material-laptop: Desktop             | 施工中                                     |
+
+此处没有列出一些声称使用或以 sing-box 为卖点的第三方项目。此类项目维护者的动机是获得更多用户，即使它们提供友好的商业
+VPN 客户端功能， 但代码质量很差且包含广告。

docs/clients/privacy.md

@@ -0,0 +1,8 @@
+---
+icon: material/security
+---
+
+# Privacy policy
+
+sing-box and official graphics clients do not collect or share personal data,
+and the data generated by the software is always on your device.

docs/configuration/dns/rule.md

@@ -79,6 +79,12 @@
           1000
         ],
         "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
         "invert": false,
         "outbound": [
           "direct"
@@ -188,7 +194,7 @@ Match port range.
 
 #### process_name
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows, and macOS.
 
@@ -196,7 +202,7 @@ Match process name.
 
 #### process_path
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows, and macOS.
 
@@ -208,7 +214,7 @@ Match android package name.
 
 #### user
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 
@@ -216,7 +222,7 @@ Match user name.
 
 #### user_id
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 
@@ -226,6 +232,24 @@ Match user id.
 
 Match Clash mode.
 
+#### wifi_ssid
+
+<!-- md:version 1.7.0-beta.4 -->
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi SSID.
+
+#### wifi_bssid
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi BSSID.
+
 #### invert
 
 Invert match result.

docs/configuration/dns/rule.zh.md

@@ -78,6 +78,12 @@
           1000
         ],
         "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
         "invert": false,
         "outbound": [
           "direct"
@@ -185,7 +191,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### process_name
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS.
 
@@ -193,7 +199,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### process_path
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS.
 
@@ -205,7 +211,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### user
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux。
 
@@ -213,7 +219,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### user_id
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux。
 
@@ -223,6 +229,22 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 匹配 Clash 模式。
 
+#### wifi_ssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi SSID。
+
+#### wifi_bssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi BSSID。
+
 #### invert
 
 反选匹配结果。

docs/configuration/dns/server.md

@@ -49,7 +49,7 @@ The address of the dns server.
 
 !!! warning ""
 
-    QUIC and HTTP3 transport is not included by default, see [Installation](/#installation).
+    QUIC and HTTP3 transport is not included by default, see [Installation](./#installation).
 
 !!! info ""
 
@@ -57,7 +57,7 @@ The address of the dns server.
 
 !!! warning ""
 
-    DHCP transport is not included by default, see [Installation](/#installation).
+    DHCP transport is not included by default, see [Installation](./#installation).
 
 | RCode             | Description           | 
 |-------------------|-----------------------|

docs/configuration/experimental/index.md

@@ -44,9 +44,9 @@
 
 ### Clash API Fields
 
-!!! error ""
+!!! quote ""
 
-    Clash API is not included by default, see [Installation](/#installation).
+    Clash API is not included by default, see [Installation](./#installation).
 
 #### external_controller
 
@@ -110,9 +110,9 @@ If not empty, `store_selected` will use a separate store keyed by it.
 
 ### V2Ray API Fields
 
-!!! error ""
+!!! quote ""
 
-    V2Ray API is not included by default, see [Installation](/#installation).
+    V2Ray API is not included by default, see [Installation](./#installation).
 
 #### listen
 

docs/configuration/experimental/index.zh.md

@@ -44,7 +44,7 @@
 
 ### Clash API 字段
 
-!!! error ""
+!!! quote ""
 
     默认安装不包含 Clash API，参阅 [安装](/zh/#_2)。
 
@@ -108,7 +108,7 @@ Clash 中的默认模式，默认使用 `Rule`。
 
 ### V2Ray API 字段
 
-!!! error ""
+!!! quote ""
 
     默认安装不包含 V2Ray API，参阅 [安装](/zh/#_2)。
 

docs/configuration/inbound/http.md

@@ -36,7 +36,7 @@ No authentication required if empty.
 
 #### set_system_proxy
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Android, Windows, and macOS.
 

docs/configuration/inbound/http.zh.md

@@ -36,7 +36,7 @@ HTTP 用户
 
 #### set_system_proxy
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Android、Windows 和 macOS。
 

docs/configuration/inbound/hysteria.md

@@ -31,7 +31,7 @@
 
 !!! warning ""
 
-    QUIC, which is required by hysteria is not included by default, see [Installation](/#installation).
+    QUIC, which is required by hysteria is not included by default, see [Installation](./#installation).
 
 ### Listen Fields
 

docs/configuration/inbound/hysteria2.md

@@ -4,8 +4,8 @@
 {
   "type": "hysteria2",
   "tag": "hy2-in",
-  
-  ... // Listen Fields
+  ...
+  // Listen Fields
 
   "up_mbps": 100,
   "down_mbps": 100,
@@ -20,14 +20,22 @@
     }
   ],
   "ignore_client_bandwidth": false,
+  "tls": {},
   "masquerade": "",
-  "tls": {}
+  "brutal_debug": false
 }
 ```
 
 !!! warning ""
 
-    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
+    QUIC, which is required by Hysteria2 is not included by default, see [Installation](./#installation).
+
+!!! warning "Difference from official Hysteria2"
+
+    The official program supports an authentication method called **userpass**,
+    which essentially uses a combination of `<username>:<password>` as the actual password,
+    while sing-box does not provide this alias.
+    To use sing-box with the official program, you need to fill in that combination as the actual password.
 
 ### Listen Fields
 
@@ -67,6 +75,12 @@ Commands the client to use the BBR flow control algorithm instead of Hysteria CC
 
 Conflict with `up_mbps` and `down_mbps`.
 
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
+
 #### masquerade
 
 HTTP3 server behavior when authentication fails.
@@ -78,8 +92,6 @@ HTTP3 server behavior when authentication fails.
 
 A 404 page will be returned if empty.
 
-#### tls
+#### brutal_debug
 
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
+Enable debug information logging for Hysteria Brutal CC.

docs/configuration/inbound/hysteria2.zh.md

@@ -4,8 +4,8 @@
 {
   "type": "hysteria2",
   "tag": "hy2-in",
-  
-  ... // 监听字段
+  ...
+  // 监听字段
 
   "up_mbps": 100,
   "down_mbps": 100,
@@ -20,8 +20,9 @@
     }
   ],
   "ignore_client_bandwidth": false,
+  "tls": {},
   "masquerade": "",
-  "tls": {}
+  "brutal_debug": false
 }
 ```
 
@@ -29,6 +30,12 @@
 
     默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
 
+!!! warning "与官方 Hysteria2 的区别"
+
+    官方程序支持一种名为 **userpass** 的验证方式，
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。
+
 ### 监听字段
 
 参阅 [监听字段](/zh/configuration/shared/listen/)。
@@ -61,10 +68,16 @@ Hysteria 用户
 
 #### ignore_client_bandwidth
 
-命令客户端使用 BBR 流量控制算法而不是 Hysteria CC。
+命令客户端使用 BBR 拥塞控制算法而不是 Hysteria CC。
 
 与 `up_mbps` 和 `down_mbps` 冲突。
 
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+
 #### masquerade
 
 HTTP3 服务器认证失败时的行为。
@@ -76,8 +89,6 @@ HTTP3 服务器认证失败时的行为。
 
 如果为空，则返回 404 页。
 
-#### tls
+#### brutal_debug
 
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+启用 Hysteria Brutal CC 的调试信息日志记录。

docs/configuration/inbound/mixed.md

@@ -33,7 +33,7 @@ No authentication required if empty.
 
 #### set_system_proxy
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Android, Windows, and macOS.
 

docs/configuration/inbound/mixed.zh.md

@@ -33,7 +33,7 @@ SOCKS 和 HTTP 用户
 
 #### set_system_proxy
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Android、Windows 和 macOS。
 

docs/configuration/inbound/naive.md

@@ -20,7 +20,7 @@
 
 !!! warning ""
 
-    HTTP3 transport is not included by default, see [Installation](/#installation).
+    HTTP3 transport is not included by default, see [Installation](./#installation).
 
 ### Listen Fields
 

docs/configuration/inbound/redirect.md

@@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""
 
     Only supported on Linux and macOS.
 

docs/configuration/inbound/redirect.zh.md

@@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""
 
     仅支持 Linux 和 macOS。
 

docs/configuration/inbound/shadowsocks.md

@@ -8,7 +8,8 @@
   ... // Listen Fields
 
   "method": "2022-blake3-aes-128-gcm",
-  "password": "8JCsPssfgS8tiRwiMlhARg=="
+  "password": "8JCsPssfgS8tiRwiMlhARg==",
+  "multiplex": {}
 }
 ```
 
@@ -23,7 +24,8 @@
       "name": "sekai",
       "password": "PCD2Z4o12bKUoFa3cC97Hw=="
     }
-  ]
+  ],
+  "multiplex": {}
 }
 ```
 
@@ -41,7 +43,8 @@
       "server_port": 8080,
       "password": "PCD2Z4o12bKUoFa3cC97Hw=="
     }
-  ]
+  ],
+  "multiplex": {}
 }
 ```
 
@@ -83,48 +86,6 @@ Both if empty.
 | 2022 methods  | `sing-box generate rand --base64 <Key Length>` |
 | other methods | any string                                     |
 
-### Listen Fields
+#### multiplex
 
-#### listen
-
-==Required==
-
-Listen address.
-
-#### listen_port
-
-==Required==
-
-Listen port.
-
-#### tcp_fast_open
-
-Enable tcp fast open for listener.
-
-#### sniff
-
-Enable sniffing.
-
-See [Protocol Sniff](/configuration/route/sniff/) for details.
-
-#### sniff_override_destination
-
-Override the connection destination address with the sniffed domain.
-
-If the domain name is invalid (like tor), this will not work.
-
-#### domain_strategy
-
-One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
-
-If set, the requested domain name will be resolved to IP before routing.
-
-If `sniff_override_destination` is in effect, its value will be taken as a fallback.
-
-#### udp_timeout
-
-UDP NAT expiration time in seconds, default is 300 (5 minutes).
-
-#### proxy_protocol
-
-Parse [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) in the connection header.
+See [Multiplex](/configuration/shared/multiplex#inbound) for details.

docs/configuration/inbound/shadowsocks.zh.md

@@ -8,7 +8,8 @@
   ... // 监听字段
 
   "method": "2022-blake3-aes-128-gcm",
-  "password": "8JCsPssfgS8tiRwiMlhARg=="
+  "password": "8JCsPssfgS8tiRwiMlhARg==",
+  "multiplex": {}
 }
 ```
 
@@ -23,7 +24,8 @@
       "name": "sekai",
       "password": "PCD2Z4o12bKUoFa3cC97Hw=="
     }
-  ]
+  ],
+  "multiplex": {}
 }
 ```
 
@@ -41,7 +43,8 @@
       "server_port": 8080,
       "password": "PCD2Z4o12bKUoFa3cC97Hw=="
     }
-  ]
+  ],
+  "multiplex": {}
 }
 ```
 
@@ -81,4 +84,8 @@ See [Listen Fields](/configuration/shared/listen) for details.
 |---------------|------------------------------------------|
 | none          | /                                        |
 | 2022 methods  | `sing-box generate rand --base64 <密钥长度>` |
-| other methods | 任意字符串                                    |
+| other methods | 任意字符串                                    |
+
+#### multiplex
+
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。

docs/configuration/inbound/tproxy.md

@@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 

docs/configuration/inbound/tproxy.zh.md

@@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""
 
     仅支持 Linux。
 

docs/configuration/inbound/trojan.md

@@ -24,6 +24,7 @@
       "server_port": 8081
     }
   },
+  "multiplex": {},
   "transport": {}
 }
 ```
@@ -46,7 +47,7 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
 
 #### fallback
 
-!!! error ""
+!!! quote ""
 
     There is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature.
 
@@ -58,6 +59,10 @@ Fallback server configuration for specified ALPN.
 
 If not empty, TLS fallback requests with ALPN not in this table will be rejected.
 
+#### multiplex
+
+See [Multiplex](/configuration/shared/multiplex#inbound) for details.
+
 #### transport
 
 V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).

docs/configuration/inbound/trojan.zh.md

@@ -24,6 +24,7 @@
       "server_port": 8081
     }
   },
+  "multiplex": {},
   "transport": {}
 }
 ```
@@ -48,7 +49,7 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### fallback
 
-!!! error ""
+!!! quote ""
 
     没有证据表明 GFW 基于 HTTP 响应检测并阻止 Trojan 服务器，并且在服务器上打开标准 http/s 端口是一个更大的特征。
 
@@ -60,6 +61,10 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 如果不为空，ALPN 不在此列表中的 TLS 回退请求将被拒绝。
 
+#### multiplex
+
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+
 #### transport
 
 V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。

docs/configuration/inbound/tuic.md

@@ -24,7 +24,7 @@
 
 !!! warning ""
 
-    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
+    QUIC, which is required by TUIC is not included by default, see [Installation](./#installation).
 
 ### Listen Fields
 

docs/configuration/inbound/tuic.zh.md

@@ -48,7 +48,7 @@ TUIC 用户密码
 
 #### congestion_control
 
-QUIC 流量控制算法
+QUIC 拥塞控制算法
 
 可选值: `cubic`, `new_reno`, `bbr`
 

docs/configuration/inbound/tun.md

@@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows and macOS.
 
@@ -22,6 +22,12 @@
     "::/1",
     "8000::/1"
   ],
+  "inet4_route_exclude_address": [
+    "192.168.0.0/16"
+  ],
+  "inet6_route_exclude_address": [
+    "fc00::/7"
+  ],
   "endpoint_independent_nat": false,
   "stack": "system",
   "include_interface": [
@@ -96,7 +102,7 @@ The maximum transmission unit.
 
 Set the default route to the Tun.
 
-!!! error ""
+!!! quote ""
 
     To avoid traffic loopback, set `route.auto_detect_interface` or `route.default_interface` or `outbound.bind_interface`
 
@@ -130,6 +136,14 @@ Use custom routes instead of default when `auto_route` is enabled.
 
 Use custom routes instead of default when `auto_route` is enabled.
 
+#### inet4_route_exclude_address
+
+Exclude custom routes when `auto_route` is enabled.
+
+#### inet6_route_exclude_address
+
+Exclude custom routes when `auto_route` is enabled.
+
 #### endpoint_independent_nat
 
 !!! info ""
@@ -157,11 +171,11 @@ TCP/IP stack.
 
 !!! warning ""
 
-    gVisor and LWIP stacks is not included by default, see [Installation](/#installation).
+    gVisor and LWIP stacks is not included by default, see [Installation](./#installation).
 
 #### include_interface
 
-!!! error ""
+!!! quote ""
 
     Interface rules are only supported on Linux and require auto_route.
 
@@ -177,7 +191,7 @@ Conflict with `include_interface`.
 
 #### include_uid
 
-!!! error ""
+!!! quote ""
 
     UID rules are only supported on Linux and require auto_route.
 
@@ -197,7 +211,7 @@ Exclude users in route, but in range.
 
 #### include_android_user
 
-!!! error ""
+!!! quote ""
 
     Android user and package rules are only supported on Android and require auto_route.
 

docs/configuration/inbound/tun.zh.md

@@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS。
 
@@ -22,6 +22,12 @@
     "::/1",
     "8000::/1"
   ],
+  "inet4_route_exclude_address": [
+    "192.168.0.0/16"
+  ],
+  "inet6_route_exclude_address": [
+    "fc00::/7"
+  ],
   "endpoint_independent_nat": false,
   "stack": "system",
   "include_interface": [
@@ -96,7 +102,7 @@ tun 接口的 IPv6 前缀。
 
 设置到 Tun 的默认路由。
 
-!!! error ""
+!!! quote ""
 
     为避免流量环回，请设置 `route.auto_detect_interface` 或 `route.default_interface` 或 `outbound.bind_interface`。
 
@@ -131,6 +137,14 @@ tun 接口的 IPv6 前缀。
 
 启用 `auto_route` 时使用自定义路由而不是默认路由。
 
+#### inet4_route_exclude_address
+
+启用 `auto_route` 时排除自定义路由。
+
+#### inet6_route_exclude_address
+
+启用 `auto_route` 时排除自定义路由。
+
 #### endpoint_independent_nat
 
 启用独立于端点的 NAT。
@@ -157,7 +171,7 @@ TCP/IP 栈。
 
 #### include_interface
 
-!!! error ""
+!!! quote ""
 
     接口规则仅在 Linux 下被支持，并且需要 `auto_route`。
 
@@ -173,7 +187,7 @@ TCP/IP 栈。
 
 #### include_uid
 
-!!! error ""
+!!! quote ""
 
     UID 规则仅在 Linux 下被支持，并且需要 `auto_route`。
 
@@ -193,7 +207,7 @@ TCP/IP 栈。
 
 #### include_android_user
 
-!!! error ""
+!!! quote ""
 
     Android 用户和应用规则仅在 Android 下被支持，并且需要 `auto_route`。
 

docs/configuration/inbound/vless.md

@@ -15,6 +15,7 @@
     }
   ],
   "tls": {},
+  "multiplex": {},
   "transport": {}
 }
 ```
@@ -49,6 +50,10 @@ Available values:
 
 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
 
+#### multiplex
+
+See [Multiplex](/configuration/shared/multiplex#inbound) for details.
+
 #### transport
 
 V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).

docs/configuration/inbound/vless.zh.md

@@ -15,6 +15,7 @@
     }
   ],
   "tls": {},
+  "multiplex": {},
   "transport": {}
 }
 ```
@@ -49,6 +50,10 @@ VLESS 子协议。
 
 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
+#### multiplex
+
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+
 #### transport
 
 V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。

docs/configuration/inbound/vmess.md

@@ -15,6 +15,7 @@
     }
   ],
   "tls": {},
+  "multiplex": {},
   "transport": {}
 }
 ```
@@ -44,6 +45,10 @@ VMess users.
 
 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
 
+#### multiplex
+
+See [Multiplex](/configuration/shared/multiplex#inbound) for details.
+
 #### transport
 
 V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).

docs/configuration/inbound/vmess.zh.md

@@ -15,6 +15,7 @@
     }
   ],
   "tls": {},
+  "multiplex": {},
   "transport": {}
 }
 ```
@@ -44,6 +45,10 @@ VMess 用户。
 
 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
+#### multiplex
+
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+
 #### transport
 
 V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。

docs/configuration/outbound/hysteria.md

@@ -26,7 +26,7 @@
 
 !!! warning ""
 
-    QUIC, which is required by hysteria is not included by default, see [Installation](/#installation).
+    QUIC, which is required by hysteria is not included by default, see [Installation](./#installation).
 
 ### Fields
 

docs/configuration/outbound/hysteria2.md

@@ -16,6 +16,7 @@
   "password": "goofy_ahh_password",
   "network": "tcp",
   "tls": {},
+  "brutal_debug": false,
   
   ... // Dial Fields
 }
@@ -23,7 +24,15 @@
 
 !!! warning ""
 
-    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
+    QUIC, which is required by Hysteria2 is not included by default, see [Installation](./#installation).
+
+!!! warning "Difference from official Hysteria2"
+
+    The official Hysteria2 supports an authentication method called **userpass**,
+    which essentially uses a combination of `<username>:<password>` as the actual password,
+    while sing-box does not provide this alias.
+    If you are planning to use sing-box with the official program,
+    please note that you will need to fill the combination as the password.
 
 ### Fields
 
@@ -73,6 +82,10 @@ Both is enabled by default.
 
 TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
 
+#### brutal_debug
+
+Enable debug information logging for Hysteria Brutal CC.
+
 ### Dial Fields
 
 See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/hysteria2.zh.md

@@ -16,6 +16,7 @@
   "password": "goofy_ahh_password",
   "network": "tcp",
   "tls": {},
+  "brutal_debug": false,
   
   ... // 拨号字段
 }
@@ -25,6 +26,12 @@
 
     默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
 
+!!! warning "与官方 Hysteria2 的区别"
+
+    官方程序支持一种名为 **userpass** 的验证方式，
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。
+
 ### 字段
 
 #### server
@@ -43,7 +50,7 @@
 
 最大带宽。
 
-如果为空，将使用 BBR 流量控制算法而不是 Hysteria CC。
+如果为空，将使用 BBR 拥塞控制算法而不是 Hysteria CC。
 
 #### obfs.type
 
@@ -73,6 +80,9 @@ QUIC 流量混淆器密码.
 
 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
+#### brutal_debug
+
+启用 Hysteria Brutal CC 的调试信息日志记录。
 
 ### 拨号字段
 

docs/configuration/outbound/selector.md

@@ -15,7 +15,7 @@
 }
 ```
 
-!!! error ""
+!!! quote ""
 
     The selector can only be controlled through the [Clash API](/configuration/experimental#clash-api-fields) currently.
 

docs/configuration/outbound/selector.zh.md

@@ -15,7 +15,7 @@
 }
 ```
 
-!!! error ""
+!!! quote ""
 
     选择器目前只能通过 [Clash API](/zh/configuration/experimental#clash-api) 来控制。
 

docs/configuration/outbound/shadowsocks.md

@@ -95,7 +95,7 @@ Conflict with `multiplex`.
 
 #### multiplex
 
-Multiplex configuration, see [Multiplex](/configuration/shared/multiplex).
+See [Multiplex](/configuration/shared/multiplex#outbound) for details.
 
 ### Dial Fields
 

docs/configuration/outbound/shadowsocks.zh.md

@@ -95,7 +95,7 @@ UDP over TCP 配置。
 
 #### multiplex
 
-多路复用配置, 参阅 [多路复用](/zh/configuration/shared/multiplex)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
 
 ### 拨号字段
 

docs/configuration/outbound/shadowsocksr.md

@@ -25,7 +25,7 @@
 
 !!! warning ""
 
-    ShadowsocksR is not included by default, see [Installation](/#installation).
+    ShadowsocksR is not included by default, see [Installation](./#installation).
 
 ### Fields
 

docs/configuration/outbound/tor.md

@@ -18,7 +18,7 @@
 
 !!! info ""
 
-    Embedded tor is not included by default, see [Installation](/#installation).
+    Embedded tor is not included by default, see [Installation](./#installation).
 
 ### Fields
 

docs/configuration/outbound/trojan.md

@@ -51,7 +51,7 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
 
 #### multiplex
 
-Multiplex configuration, see [Multiplex](/configuration/shared/multiplex).
+See [Multiplex](/configuration/shared/multiplex#outbound) for details.
 
 #### transport
 

docs/configuration/outbound/trojan.zh.md

@@ -51,7 +51,7 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 #### multiplex
 
-多路复用配置, 参阅 [多路复用](/zh/configuration/shared/multiplex)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
 
 #### transport
 

docs/configuration/outbound/tuic.md

@@ -23,7 +23,7 @@
 
 !!! warning ""
 
-    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
+    QUIC, which is required by TUIC is not included by default, see [Installation](./#installation).
 
 ### Fields
 

docs/configuration/outbound/tuic.zh.md

@@ -51,7 +51,7 @@ TUIC 用户密码
 
 #### congestion_control
 
-QUIC 流量控制算法
+QUIC 拥塞控制算法
 
 可选值: `cubic`, `new_reno`, `bbr`
 

docs/configuration/outbound/vless.md

@@ -12,6 +12,7 @@
   "network": "tcp",
   "tls": {},
   "packet_encoding": "",
+  "multiplex": {},
   "transport": {},
 
   ... // Dial Fields
@@ -68,6 +69,10 @@ UDP packet encoding, xudp is used by default.
 | packetaddr | Supported by v2ray 5+ |
 | xudp       | Supported by xray     |
 
+#### multiplex
+
+See [Multiplex](/configuration/shared/multiplex#outbound) for details.
+
 #### transport
 
 V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).

docs/configuration/outbound/vless.zh.md

@@ -12,6 +12,7 @@
   "network": "tcp",
   "tls": {},
   "packet_encoding": "",
+  "multiplex": {},
   "transport": {},
   
   ... // 拨号字段
@@ -68,6 +69,10 @@ UDP 包编码，默认使用 xudp。
 | packetaddr | 由 v2ray 5+ 支持 |
 | xudp       | 由 xray 支持     |
 
+#### multiplex
+
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
+
 #### transport
 
 V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。

docs/configuration/outbound/vmess.md

@@ -15,8 +15,8 @@
   "network": "tcp",
   "tls": {},
   "packet_encoding": "",
-  "multiplex": {},
   "transport": {},
+  "multiplex": {},
 
   ... // Dial Fields
 }
@@ -96,7 +96,7 @@ UDP packet encoding.
 
 #### multiplex
 
-Multiplex configuration, see [Multiplex](/configuration/shared/multiplex).
+See [Multiplex](/configuration/shared/multiplex#outbound) for details.
 
 #### transport
 

docs/configuration/outbound/vmess.zh.md

@@ -96,7 +96,7 @@ UDP 包编码。
 
 #### multiplex
 
-多路复用配置, 参阅 [多路复用](/zh/configuration/shared/multiplex)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
 
 #### transport
 

docs/configuration/outbound/wireguard.md

@@ -38,11 +38,11 @@
 
 !!! warning ""
 
-    WireGuard is not included by default, see [Installation](/#installation).
+    WireGuard is not included by default, see [Installation](./#installation).
 
 !!! warning ""
 
-    gVisor, which is required by the unprivileged WireGuard is not included by default, see [Installation](/#installation).
+    gVisor, which is required by the unprivileged WireGuard is not included by default, see [Installation](./#installation).
 
 ### Fields
 

docs/configuration/route/index.md

@@ -31,7 +31,7 @@ Default outbound tag. the first outbound will be used if empty.
 
 #### auto_detect_interface
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows and macOS.
 
@@ -41,7 +41,7 @@ Takes no effect if `outbound.bind_interface` is set.
 
 #### override_android_vpn
 
-!!! error ""
+!!! quote ""
 
     Only supported on Android.
 
@@ -49,7 +49,7 @@ Accept Android VPN as upstream NIC when `auto_detect_interface` enabled.
 
 #### default_interface
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows and macOS.
 
@@ -59,7 +59,7 @@ Takes no effect if `auto_detect_interface` is set.
 
 #### default_mark
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 

docs/configuration/route/index.zh.md

@@ -28,11 +28,11 @@
 
 #### final
 
-默认出站标签。如果未空，将使用第一个可用于对应协议的出站。
+默认出站标签。如果为空，将使用第一个可用于对应协议的出站。
 
 #### auto_detect_interface
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS。
 
@@ -42,7 +42,7 @@
 
 #### override_android_vpn
 
-!!! error ""
+!!! quote ""
 
     仅支持 Android。
 
@@ -50,7 +50,7 @@
 
 #### default_interface
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS。
 
@@ -60,10 +60,10 @@
 
 #### default_mark
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux。
 
 默认为出站连接设置路由标记。
 
-如果设置了 `outbound.routing_mark` 设置，则不生效。
+如果设置了 `outbound.routing_mark` 设置，则不生效。

docs/configuration/route/rule.md

@@ -83,6 +83,12 @@
           1000
         ],
         "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
         "invert": false,
         "outbound": "direct"
       },
@@ -190,7 +196,7 @@ Match port range.
 
 #### process_name
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows, and macOS.
 
@@ -198,7 +204,7 @@ Match process name.
 
 #### process_path
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows, and macOS.
 
@@ -210,7 +216,7 @@ Match android package name.
 
 #### user
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 
@@ -218,7 +224,7 @@ Match user name.
 
 #### user_id
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 
@@ -228,6 +234,22 @@ Match user id.
 
 Match Clash mode.
 
+#### wifi_ssid
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi SSID.
+
+#### wifi_bssid
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi BSSID.
+
 #### invert
 
 Invert match result.

docs/configuration/route/rule.zh.md

@@ -81,6 +81,12 @@
           1000
         ],
         "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
         "invert": false,
         "outbound": "direct"
       },
@@ -188,7 +194,7 @@
 
 #### process_name
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS。
 
@@ -196,7 +202,7 @@
 
 #### process_path
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS.
 
@@ -208,7 +214,7 @@
 
 #### user
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux.
 
@@ -216,7 +222,7 @@
 
 #### user_id
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux.
 
@@ -226,6 +232,22 @@
 
 匹配 Clash 模式。
 
+#### wifi_ssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi SSID。
+
+#### wifi_bssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi BSSID。
+
 #### invert
 
 反选匹配结果。

docs/configuration/shared/dial.md

@@ -41,7 +41,7 @@ The IPv6 address to bind to.
 
 #### routing_mark
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 

docs/configuration/shared/dial.zh.md

@@ -44,7 +44,7 @@
 
 #### routing_mark
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux。
 

docs/configuration/shared/listen.md

@@ -7,28 +7,26 @@
   "tcp_fast_open": false,
   "tcp_multi_path": false,
   "udp_fragment": false,
+  "udp_timeout": 300,
+  "detour": "another-in",
   "sniff": false,
   "sniff_override_destination": false,
   "sniff_timeout": "300ms",
   "domain_strategy": "prefer_ipv6",
-  "udp_timeout": 300,
-  "proxy_protocol": false,
-  "proxy_protocol_accept_no_header": false,
-  "detour": "another-in"
+  "udp_disable_domain_unmapping": false
 }
 ```
 
 ### Fields
 
-| Field                             | Available Context                                                 |
-|-----------------------------------|-------------------------------------------------------------------|
-| `listen`                          | Needs to listen on TCP or UDP.                                    |
-| `listen_port`                     | Needs to listen on TCP or UDP.                                    |
-| `tcp_fast_open`                   | Needs to listen on TCP.                                           |
-| `tcp_multi_path`                  | Needs to listen on TCP.                                           |
-| `udp_timeout`                     | Needs to assemble UDP connections, currently Tun and Shadowsocks. |
-| `proxy_protocol`                  | Needs to listen on TCP.                                           |
-| `proxy_protocol_accept_no_header` | When `proxy_protocol` enabled                                     |
+| Field                          | Available Context                                                 |
+|--------------------------------|-------------------------------------------------------------------|
+| `listen`                       | Needs to listen on TCP or UDP.                                    |
+| `listen_port`                  | Needs to listen on TCP or UDP.                                    |
+| `tcp_fast_open`                | Needs to listen on TCP.                                           |
+| `tcp_multi_path`               | Needs to listen on TCP.                                           |
+| `udp_timeout`                  | Needs to assemble UDP connections, currently Tun and Shadowsocks. |
+| `udp_disable_domain_unmapping` | Needs to listen on UDP and accept domain UDP addresses.           |
 
 #### listen
 
@@ -56,6 +54,16 @@ Enable TCP Multi Path.
 
 Enable UDP fragmentation.
 
+#### udp_timeout
+
+UDP NAT expiration time in seconds, default is 300 (5 minutes).
+
+#### detour
+
+If set, connections will be forwarded to the specified inbound.
+
+Requires target inbound support, see [Injectable](/configuration/inbound/#fields).
+
 #### sniff
 
 Enable sniffing.
@@ -82,20 +90,10 @@ If set, the requested domain name will be resolved to IP before routing.
 
 If `sniff_override_destination` is in effect, its value will be taken as a fallback.
 
-#### udp_timeout
+#### udp_disable_domain_unmapping
 
-UDP NAT expiration time in seconds, default is 300 (5 minutes).
+If enabled, for UDP proxy requests addressed to a domain, 
+the original packet address will be sent in the response instead of the mapped domain.
 
-#### proxy_protocol
-
-Parse [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) in the connection header.
-
-#### proxy_protocol_accept_no_header
-
-Accept connections without Proxy Protocol header.
-
-#### detour
-
-If set, connections will be forwarded to the specified inbound.
-
-Requires target inbound support, see [Injectable](/configuration/inbound/#fields).
+This option is used for compatibility with clients that 
+do not support receiving UDP packets with domain addresses, such as Surge.

docs/configuration/shared/listen.zh.md

@@ -7,14 +7,13 @@
   "tcp_fast_open": false,
   "tcp_multi_path": false,
   "udp_fragment": false,
+  "udp_timeout": 300,
+  "detour": "another-in",
   "sniff": false,
   "sniff_override_destination": false,
   "sniff_timeout": "300ms",
   "domain_strategy": "prefer_ipv6",
-  "udp_timeout": 300,
-  "proxy_protocol": false,
-  "proxy_protocol_accept_no_header": false,
-  "detour": "another-in"
+  "udp_disable_domain_unmapping": false
 }
 ```
 
@@ -26,8 +25,7 @@
 | `tcp_fast_open`                   | 需要监听 TCP。                           |
 | `tcp_multi_path`                  | 需要监听 TCP。                           |
 | `udp_timeout`                     | 需要组装 UDP 连接, 当前为 Tun 和 Shadowsocks。 |
-| `proxy_protocol`                  | 需要监听 TCP。                           |
-| `proxy_protocol_accept_no_header` | `proxy_protocol` 启用时                |
+| 
 
 ### 字段
 
@@ -57,6 +55,16 @@
 
 启用 UDP 分段。
 
+#### udp_timeout
+
+UDP NAT 过期时间，以秒为单位，默认为 300（5 分钟）。
+
+#### detour
+
+如果设置，连接将被转发到指定的入站。
+
+需要目标入站支持，参阅 [注入支持](/zh/configuration/inbound/#_3)。
+
 #### sniff
 
 启用协议探测。
@@ -83,20 +91,8 @@
 
 如果 `sniff_override_destination` 生效，它的值将作为后备。
 
-#### udp_timeout
+#### udp_disable_domain_unmapping
 
-UDP NAT 过期时间，以秒为单位，默认为 300（5 分钟）。
+如果启用，对于地址为域的 UDP 代理请求，将在响应中发送原始包地址而不是映射的域。
 
-#### proxy_protocol
-
-解析连接头中的 [代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。
-
-#### proxy_protocol_accept_no_header
-
-接受没有代理协议标头的连接。
-
-#### detour
-
-如果设置，连接将被转发到指定的入站。
-
-需要目标入站支持，参阅 [注入支持](/zh/configuration/inbound/#_3)。
+此选项用于兼容不支持接收带有域地址的 UDP 包的客户端，如 Surge。

docs/configuration/shared/multiplex.md

@@ -1,8 +1,14 @@
-### Server Requirements
+### Inbound
 
-`sing-box` :)
+```json
+{
+  "enabled": true,
+  "padding": false,
+  "brutal": {}
+}
+```
 
-### Structure
+### Outbound
 
 ```json
 {
@@ -11,11 +17,27 @@
   "max_connections": 4,
   "min_streams": 4,
   "max_streams": 0,
-  "padding": false
+  "padding": false,
+  "brutal": {}
 }
 ```
 
-### Fields
+
+### Inbound Fields
+
+#### enabled
+
+Enable multiplex support.
+
+#### padding
+
+If enabled, non-padded connections will be rejected.
+
+#### brutal
+
+See [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+
+### Outbound Fields
 
 #### enabled
 
@@ -59,3 +81,6 @@ Conflict with `max_connections` and `min_streams`.
 
 Enable padding.
 
+#### brutal
+
+See [TCP Brutal](/configuration/shared/tcp-brutal) for details.

docs/configuration/shared/multiplex.zh.md

@@ -1,8 +1,14 @@
-### 服务器要求
+### 入站
 
-`sing-box` :)
+```json
+{
+  "enabled": true,
+  "padding": false,
+  "brutal": {}
+}
+```
 
-### 结构
+### 出站
 
 ```json
 {
@@ -10,11 +16,27 @@
   "protocol": "smux",
   "max_connections": 4,
   "min_streams": 4,
-  "max_streams": 0
+  "max_streams": 0,
+  "padding": false,
+  "brutal": {}
 }
 ```
 
-### 字段
+### 入站字段
+
+#### enabled
+
+启用多路复用支持。
+
+#### padding
+
+如果启用，将拒绝非填充连接。
+
+#### brutal
+
+参阅 [TCP Brutal](/zh/configuration/shared/tcp-brutal)。
+
+### 出站字段
 
 #### enabled
 
@@ -58,3 +80,6 @@
 
 启用填充。
 
+#### brutal
+
+参阅 [TCP Brutal](/zh/configuration/shared/tcp-brutal)。

docs/configuration/shared/tcp-brutal.md

@@ -0,0 +1,28 @@
+### Server Requirements
+
+* Linux
+* `brutal` congestion control algorithm kernel module installed
+
+See [tcp-brutal](https://github.com/apernet/tcp-brutal) for details.
+
+### Structure
+
+```json
+{
+  "enabled": true,
+  "up_mbps": 100,
+  "down_mbps": 100
+}
+```
+
+### Fields
+
+#### enabled
+
+Enable TCP Brutal congestion control algorithm。
+
+#### up_mbps, down_mbps
+
+==Required==
+
+Upload and download bandwidth, in Mbps.

docs/configuration/shared/tcp-brutal.zh.md

@@ -0,0 +1,28 @@
+### 服务器要求
+
+* Linux
+* `brutal` 拥塞控制算法内核模块已安装
+
+参阅 [tcp-brutal](https://github.com/apernet/tcp-brutal)。
+
+### 结构
+
+```json
+{
+  "enabled": true,
+  "up_mbps": 100,
+  "down_mbps": 100
+}
+```
+
+### 字段
+
+#### enabled
+
+启用 TCP Brutal 拥塞控制算法。
+
+#### up_mbps, down_mbps
+
+==必填==
+
+上传和下载带宽，以 Mbps 为单位。