documentation: Update changelog

Co-authored-by: Hiddify <114227601+hiddify1@users.noreply.github.com>

.github/workflows/debug.yml

@@ -3,7 +3,6 @@ name: Debug build
 on:
   push:
     branches:
-      - stable-next
       - main-next
       - dev-next
     paths-ignore:
@@ -12,7 +11,6 @@ on:
       - '!.github/workflows/debug.yml'
   pull_request:
     branches:
-      - stable-next
       - main-next
       - dev-next
 
@@ -22,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -50,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -70,7 +68,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -201,7 +199,7 @@ jobs:
       TAGS: with_clash_api,with_quic
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Get latest go version

.github/workflows/docker.yml

@@ -9,20 +9,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@v3
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v2
       - name: Setup QEMU for Docker Buildx
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v2
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Docker metadata
         id: metadata
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v4
         with:
           images: ghcr.io/sagernet/sing-box
       - name: Get tag to build
@@ -35,7 +35,7 @@ jobs:
             echo "versioned=ghcr.io/sagernet/sing-box:${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
           fi
       - name: Build and release Docker images
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v4
         with:
           platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
           target: dist

.github/workflows/lint.yml

@@ -3,7 +3,6 @@ name: Lint
 on:
   push:
     branches:
-      - stable-next
       - main-next
       - dev-next
     paths-ignore:
@@ -12,7 +11,6 @@ on:
       - '!.github/workflows/lint.yml'
   pull_request:
     branches:
-      - stable-next
       - main-next
       - dev-next
 
@@ -22,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -36,6 +34,4 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: latest
-          args: --timeout=30m
-          install-mode: binary
+          version: latest

.goreleaser.yaml

@@ -16,7 +16,6 @@ builds:
       - with_quic
       - with_dhcp
       - with_wireguard
-      - with_ech
       - with_utls
       - with_reality_server
       - with_clash_api
@@ -36,35 +35,6 @@ builds:
       - darwin_amd64_v3
       - darwin_arm64
     mod_timestamp: '{{ .CommitTimestamp }}'
-  - id: legacy
-    main: ./cmd/sing-box
-    flags:
-      - -v
-      - -trimpath
-    asmflags:
-      - all=-trimpath={{.Env.GOPATH}}
-    gcflags:
-      - all=-trimpath={{.Env.GOPATH}}
-    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
-    tags:
-      - with_gvisor
-      - with_quic
-      - with_dhcp
-      - with_wireguard
-      - with_ech
-      - with_utls
-      - with_reality_server
-      - with_clash_api
-    env:
-      - CGO_ENABLED=0
-      - GOROOT=/nix/store/5h8gjl89zx8qxgc572wa3k81zplv8v4z-go-1.20.10/share/go
-    gobinary: /nix/store/5h8gjl89zx8qxgc572wa3k81zplv8v4z-go-1.20.10/bin/go
-    targets:
-      - windows_amd64_v1
-      - windows_386
-      - darwin_amd64_v1
-    mod_timestamp: '{{ .CommitTimestamp }}'
   - id: android
     main: ./cmd/sing-box
     flags:
@@ -81,7 +51,6 @@ builds:
       - with_quic
       - with_dhcp
       - with_wireguard
-      - with_ech
       - with_utls
       - with_clash_api
     env:
@@ -119,9 +88,6 @@ snapshot:
   name_template: "{{ .Version }}.{{ .ShortCommit }}"
 archives:
   - id: archive
-    builds:
-      - main
-      - android
     format: tar.gz
     format_overrides:
       - goos: windows
@@ -130,17 +96,6 @@ archives:
     files:
       - LICENSE
     name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-  - id: archive-legacy
-    builds:
-      - legacy
-    format: tar.gz
-    format_overrides:
-      - goos: windows
-        format: zip
-    wrap_in_directory: true
-    files:
-      - LICENSE
-    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}-legacy'
 nfpms:
   - id: package
     package_name: sing-box

Makefile

@@ -28,7 +28,7 @@ ci_build:
 	go build $(MAIN_PARAMS) $(MAIN)
 
 install:
-	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
+	go build -o $(PREFIX)/bin/$(NAME) $(PARAMS) $(MAIN)
 
 fmt:
 	@gofumpt -l -w .
@@ -63,7 +63,7 @@ release:
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
-	rm -r dist/release
+	rm -r dist
 
 release_install:
 	go install -v github.com/goreleaser/goreleaser@latest
@@ -73,21 +73,18 @@ update_android_version:
 	go run ./cmd/internal/update_android_version
 
 build_android:
-	cd ../sing-box-for-android && ./gradlew :app:assemblePlayRelease && ./gradlew --stop
+	cd ../sing-box-for-android && ./gradlew :app:assembleRelease
 
 upload_android:
 	mkdir -p dist/release_android
-	cp ../sing-box-for-android/app/build/outputs/apk/play/release/*.apk dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/release/*.apk dist/release_android
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
 	rm -rf dist/release_android
 
 release_android: lib_android update_android_version build_android upload_android
 
 publish_android:
-	cd ../sing-box-for-android && ./gradlew :app:publishPlayReleaseBundle
-
-publish_android_appcenter:
-	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadPlayRelease
+	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadRelease
 
 build_ios:
 	cd ../sing-box-for-apple && \
@@ -96,7 +93,7 @@ build_ios:
 
 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist
 
 release_ios: build_ios upload_ios_app_store
 
@@ -107,7 +104,7 @@ build_macos:
 
 upload_macos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist
 
 release_macos: build_macos upload_macos_app_store
 
@@ -118,7 +115,7 @@ build_macos_independent:
 
 notarize_macos_independent:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist
 
 wait_notarize_macos_independent:
 	sleep 60
@@ -140,11 +137,12 @@ release_macos_independent: build_macos_independent notarize_macos_independent wa
 build_tvos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.xcarchive && \
+	export DEVELOPER_DIR=/Applications/Xcode-beta.app/Contents/Developer && \
 	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive
 
 upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist
 
 release_tvos: build_tvos upload_tvos_app_store
 
@@ -152,8 +150,10 @@ update_apple_version:
 	go run ./cmd/internal/update_apple_version
 
 release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
+	rm -rf dist
 
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
+	rm -rf dist
 
 test:
 	@go test -v ./... && \
@@ -179,8 +179,8 @@ lib:
 
 lib_install:
 	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230915142329-c6740b6d2950
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230915142329-c6740b6d2950
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230728014906-3de089147f59
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230728014906-3de089147f59
 
 clean:
 	rm -rf bin dist sing-box

adapter/inbound.go

@@ -75,11 +75,3 @@ func AppendContext(ctx context.Context) (context.Context, *InboundContext) {
 	metadata = new(InboundContext)
 	return WithContext(ctx, metadata), metadata
 }
-
-func ExtendContext(ctx context.Context) (context.Context, *InboundContext) {
-	var newMetadata InboundContext
-	if metadata := ContextFrom(ctx); metadata != nil {
-		newMetadata = *metadata
-	}
-	return WithContext(ctx, &newMetadata), &newMetadata
-}

adapter/v2ray.go

@@ -5,6 +5,7 @@ import (
 	"net"
 
 	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -18,6 +19,7 @@ type V2RayServerTransport interface {
 type V2RayServerTransportHandler interface {
 	N.TCPConnectionHandler
 	E.Handler
+	FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error
 }
 
 type V2RayClientTransport interface {

box_outbound.go

@@ -69,7 +69,7 @@ func (s *Box) startOutbounds() error {
 			}
 			problemOutbound := outbounds[problemOutboundTag]
 			if problemOutbound == nil {
-				return E.New("dependency[", problemOutboundTag, "] not found for outbound[", outboundTags[oCurrent], "]")
+				return E.New("dependency[", problemOutbound, "] not found for outbound[", outboundTags[oCurrent], "]")
 			}
 			return lintOutbound(append(oTree, problemOutboundTag), problemOutbound)
 		}

cmd/internal/build_libbox/main.go

@@ -54,7 +54,7 @@ func init() {
 	sharedFlags = append(sharedFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
 	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
 
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api")
 	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	debugTags = append(debugTags, "debug")
 }

cmd/internal/build_shared/tag.go

@@ -17,6 +17,9 @@ func ReadTag() (string, error) {
 	}
 	shortCommit, _ := shell.Exec("git", "rev-parse", "--short", "HEAD").ReadOutput()
 	version := badversion.Parse(currentTagRev[1:])
+	if version.PreReleaseIdentifier == "" {
+		version.Patch++
+	}
 	return version.String() + "-" + shortCommit, nil
 }
 

cmd/internal/update_apple_version/main.go

@@ -29,17 +29,11 @@ func main() {
 	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
 	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
 	if updated0 || updated1 {
-		log.Info("updated version to ", newVersion.VersionString(), " (", newVersion.String(), ")")
-	}
-	var updated2 bool
-	if macProjectVersion := os.Getenv("MACOS_PROJECT_VERSION"); macProjectVersion != "" {
-		newContent, updated2 = findAndReplaceProjectVersion(objectsMap, newContent, []string{"SFM"}, macProjectVersion)
-		if updated2 {
-			log.Info("updated macos project version to ", macProjectVersion)
-		}
-	}
-	if updated0 || updated1 || updated2 {
+		log.Info("updated version to ", newVersion.VersionString())
+		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj.bak", []byte(projectContent), 0o644))
 		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj", []byte(newContent), 0o644))
+	} else {
+		log.Info("version not changed")
 	}
 }
 
@@ -67,30 +61,6 @@ func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDLi
 	return projectContent, updated
 }
 
-func findAndReplaceProjectVersion(objectsMap map[string]any, projectContent string, directoryList []string, newVersion string) (string, bool) {
-	objectKeyList := findObjectKeyByDirectory(objectsMap, directoryList)
-	var updated bool
-	for _, objectKey := range objectKeyList {
-		matchRegexp := common.Must1(regexp.Compile(objectKey + ".*= \\{"))
-		indexes := matchRegexp.FindStringIndex(projectContent)
-		if len(indexes) < 2 {
-			println(projectContent)
-			log.Fatal("failed to find object key ", objectKey, ": ", strings.Index(projectContent, objectKey))
-		}
-		indexStart := indexes[1]
-		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
-		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "CURRENT_PROJECT_VERSION = ") + 26
-		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
-		version := projectContent[versionStart:versionEnd]
-		if version == newVersion {
-			continue
-		}
-		updated = true
-		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
-	}
-	return projectContent, updated
-}
-
 func findObjectKey(objectsMap map[string]any, bundleIDList []string) []string {
 	var objectKeyList []string
 	for objectKey, object := range objectsMap {
@@ -108,24 +78,3 @@ func findObjectKey(objectsMap map[string]any, bundleIDList []string) []string {
 	}
 	return objectKeyList
 }
-
-func findObjectKeyByDirectory(objectsMap map[string]any, directoryList []string) []string {
-	var objectKeyList []string
-	for objectKey, object := range objectsMap {
-		buildSettings := object.(map[string]any)["buildSettings"]
-		if buildSettings == nil {
-			continue
-		}
-		infoPListFile := buildSettings.(map[string]any)["INFOPLIST_FILE"]
-		if infoPListFile == nil {
-			continue
-		}
-		for _, searchDirectory := range directoryList {
-			if strings.HasPrefix(infoPListFile.(string), searchDirectory+"/") {
-				objectKeyList = append(objectKeyList, objectKey)
-			}
-		}
-
-	}
-	return objectKeyList
-}

cmd/sing-box/cmd_generate.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/gofrs/uuid/v5"
 	"github.com/spf13/cobra"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
 var commandGenerate = &cobra.Command{
@@ -21,7 +22,8 @@ var commandGenerate = &cobra.Command{
 func init() {
 	commandGenerate.AddCommand(commandGenerateUUID)
 	commandGenerate.AddCommand(commandGenerateRandom)
-
+	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
+	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
 	mainCommand.AddCommand(commandGenerate)
 }
 
@@ -90,3 +92,48 @@ func generateUUID() error {
 	_, err = os.Stdout.WriteString(newUUID.String() + "\n")
 	return err
 }
+
+var commandGenerateWireGuardKeyPair = &cobra.Command{
+	Use:   "wg-keypair",
+	Short: "Generate WireGuard key pair",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateWireGuardKey()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func generateWireGuardKey() error {
+	privateKey, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return err
+	}
+	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
+	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
+	return nil
+}
+
+var commandGenerateRealityKeyPair = &cobra.Command{
+	Use:   "reality-keypair",
+	Short: "Generate reality key pair",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateRealityKey()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func generateRealityKey() error {
+	privateKey, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return err
+	}
+	publicKey := privateKey.PublicKey()
+	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
+	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
+	return nil
+}

cmd/sing-box/cmd_generate_tls.go

@@ -1,40 +0,0 @@
-package main
-
-import (
-	"os"
-	"time"
-
-	"github.com/sagernet/sing-box/common/tls"
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-)
-
-var flagGenerateTLSKeyPairMonths int
-
-var commandGenerateTLSKeyPair = &cobra.Command{
-	Use:   "tls-keypair <server_name>",
-	Short: "Generate TLS self sign key pair",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateTLSKeyPair(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGenerateTLSKeyPair.Flags().IntVarP(&flagGenerateTLSKeyPairMonths, "months", "m", 1, "Valid months")
-	commandGenerate.AddCommand(commandGenerateTLSKeyPair)
-}
-
-func generateTLSKeyPair(serverName string) error {
-	privateKeyPem, publicKeyPem, err := tls.GenerateKeyPair(time.Now, serverName, time.Now().AddDate(0, flagGenerateTLSKeyPairMonths, 0))
-	if err != nil {
-		return err
-	}
-	os.Stdout.WriteString(string(privateKeyPem) + "\n")
-	os.Stdout.WriteString(string(publicKeyPem) + "\n")
-	return nil
-}

cmd/sing-box/cmd_generate_vapid.go

@@ -1,40 +0,0 @@
-//go:build go1.20
-
-package main
-
-import (
-	"crypto/ecdh"
-	"crypto/rand"
-	"encoding/base64"
-	"os"
-
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-)
-
-var commandGenerateVAPIDKeyPair = &cobra.Command{
-	Use:   "vapid-keypair",
-	Short: "Generate VAPID key pair",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateVAPIDKeyPair()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGenerate.AddCommand(commandGenerateVAPIDKeyPair)
-}
-
-func generateVAPIDKeyPair() error {
-	privateKey, err := ecdh.P256().GenerateKey(rand.Reader)
-	if err != nil {
-		return err
-	}
-	publicKey := privateKey.PublicKey()
-	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey.Bytes()) + "\n")
-	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey.Bytes()) + "\n")
-	return nil
-}

cmd/sing-box/cmd_generate_wireguard.go

@@ -1,61 +0,0 @@
-package main
-
-import (
-	"encoding/base64"
-	"os"
-
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-)
-
-func init() {
-	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
-	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
-}
-
-var commandGenerateWireGuardKeyPair = &cobra.Command{
-	Use:   "wg-keypair",
-	Short: "Generate WireGuard key pair",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateWireGuardKey()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func generateWireGuardKey() error {
-	privateKey, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		return err
-	}
-	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
-	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
-	return nil
-}
-
-var commandGenerateRealityKeyPair = &cobra.Command{
-	Use:   "reality-keypair",
-	Short: "Generate reality key pair",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateRealityKey()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func generateRealityKey() error {
-	privateKey, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		return err
-	}
-	publicKey := privateKey.PublicKey()
-	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
-	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
-	return nil
-}

cmd/sing-box/cmd_merge.go

@@ -1,174 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/sagernet/sing-box/common/json"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/rw"
-
-	"github.com/spf13/cobra"
-)
-
-var commandMerge = &cobra.Command{
-	Use:   "merge [output]",
-	Short: "Merge configurations",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := merge(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.ExactArgs(1),
-}
-
-func init() {
-	mainCommand.AddCommand(commandMerge)
-}
-
-func merge(outputPath string) error {
-	mergedOptions, err := readConfigAndMerge()
-	if err != nil {
-		return err
-	}
-	err = mergePathResources(&mergedOptions)
-	if err != nil {
-		return err
-	}
-	buffer := new(bytes.Buffer)
-	encoder := json.NewEncoder(buffer)
-	encoder.SetIndent("", "  ")
-	err = encoder.Encode(mergedOptions)
-	if err != nil {
-		return E.Cause(err, "encode config")
-	}
-	if existsContent, err := os.ReadFile(outputPath); err != nil {
-		if string(existsContent) == buffer.String() {
-			return nil
-		}
-	}
-	err = rw.WriteFile(outputPath, buffer.Bytes())
-	if err != nil {
-		return err
-	}
-	outputPath, _ = filepath.Abs(outputPath)
-	os.Stderr.WriteString(outputPath + "\n")
-	return nil
-}
-
-func mergePathResources(options *option.Options) error {
-	for index, inbound := range options.Inbounds {
-		switch inbound.Type {
-		case C.TypeHTTP:
-			inbound.HTTPOptions.TLS = mergeTLSInboundOptions(inbound.HTTPOptions.TLS)
-		case C.TypeMixed:
-			inbound.MixedOptions.TLS = mergeTLSInboundOptions(inbound.MixedOptions.TLS)
-		case C.TypeVMess:
-			inbound.VMessOptions.TLS = mergeTLSInboundOptions(inbound.VMessOptions.TLS)
-		case C.TypeTrojan:
-			inbound.TrojanOptions.TLS = mergeTLSInboundOptions(inbound.TrojanOptions.TLS)
-		case C.TypeNaive:
-			inbound.NaiveOptions.TLS = mergeTLSInboundOptions(inbound.NaiveOptions.TLS)
-		case C.TypeHysteria:
-			inbound.HysteriaOptions.TLS = mergeTLSInboundOptions(inbound.HysteriaOptions.TLS)
-		case C.TypeVLESS:
-			inbound.VLESSOptions.TLS = mergeTLSInboundOptions(inbound.VLESSOptions.TLS)
-		case C.TypeTUIC:
-			inbound.TUICOptions.TLS = mergeTLSInboundOptions(inbound.TUICOptions.TLS)
-		case C.TypeHysteria2:
-			inbound.Hysteria2Options.TLS = mergeTLSInboundOptions(inbound.Hysteria2Options.TLS)
-		default:
-			continue
-		}
-		options.Inbounds[index] = inbound
-	}
-	for index, outbound := range options.Outbounds {
-		switch outbound.Type {
-		case C.TypeHTTP:
-			outbound.HTTPOptions.TLS = mergeTLSOutboundOptions(outbound.HTTPOptions.TLS)
-		case C.TypeVMess:
-			outbound.VMessOptions.TLS = mergeTLSOutboundOptions(outbound.VMessOptions.TLS)
-		case C.TypeTrojan:
-			outbound.TrojanOptions.TLS = mergeTLSOutboundOptions(outbound.TrojanOptions.TLS)
-		case C.TypeHysteria:
-			outbound.HysteriaOptions.TLS = mergeTLSOutboundOptions(outbound.HysteriaOptions.TLS)
-		case C.TypeSSH:
-			outbound.SSHOptions = mergeSSHOutboundOptions(outbound.SSHOptions)
-		case C.TypeVLESS:
-			outbound.VLESSOptions.TLS = mergeTLSOutboundOptions(outbound.VLESSOptions.TLS)
-		case C.TypeTUIC:
-			outbound.TUICOptions.TLS = mergeTLSOutboundOptions(outbound.TUICOptions.TLS)
-		case C.TypeHysteria2:
-			outbound.Hysteria2Options.TLS = mergeTLSOutboundOptions(outbound.Hysteria2Options.TLS)
-		default:
-			continue
-		}
-		options.Outbounds[index] = outbound
-	}
-	return nil
-}
-
-func mergeTLSInboundOptions(options *option.InboundTLSOptions) *option.InboundTLSOptions {
-	if options == nil {
-		return nil
-	}
-	if options.CertificatePath != "" {
-		if content, err := os.ReadFile(options.CertificatePath); err == nil {
-			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	if options.KeyPath != "" {
-		if content, err := os.ReadFile(options.KeyPath); err == nil {
-			options.Key = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	if options.ECH != nil {
-		if options.ECH.KeyPath != "" {
-			if content, err := os.ReadFile(options.ECH.KeyPath); err == nil {
-				options.ECH.Key = trimStringArray(strings.Split(string(content), "\n"))
-			}
-		}
-	}
-	return options
-}
-
-func mergeTLSOutboundOptions(options *option.OutboundTLSOptions) *option.OutboundTLSOptions {
-	if options == nil {
-		return nil
-	}
-	if options.CertificatePath != "" {
-		if content, err := os.ReadFile(options.CertificatePath); err == nil {
-			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	if options.ECH != nil {
-		if options.ECH.ConfigPath != "" {
-			if content, err := os.ReadFile(options.ECH.ConfigPath); err == nil {
-				options.ECH.Config = trimStringArray(strings.Split(string(content), "\n"))
-			}
-		}
-	}
-	return options
-}
-
-func mergeSSHOutboundOptions(options option.SSHOutboundOptions) option.SSHOutboundOptions {
-	if options.PrivateKeyPath != "" {
-		if content, err := os.ReadFile(os.ExpandEnv(options.PrivateKeyPath)); err == nil {
-			options.PrivateKey = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	return options
-}
-
-func trimStringArray(array []string) []string {
-	return common.Filter(array, func(it string) bool {
-		return strings.TrimSpace(it) != ""
-	})
-}

cmd/sing-box/cmd_run.go

@@ -143,16 +143,14 @@ func create() (*box.Box, context.CancelFunc, error) {
 		signal.Stop(osSignals)
 		close(osSignals)
 	}()
-	startCtx, finishStart := context.WithCancel(context.Background())
+
 	go func() {
 		_, loaded := <-osSignals
 		if loaded {
 			cancel()
-			closeMonitor(startCtx)
 		}
 	}()
 	err = instance.Start()
-	finishStart()
 	if err != nil {
 		cancel()
 		return nil, nil, E.Cause(err, "start service")

common/baderror/baderror.go

@@ -0,0 +1,62 @@
+package baderror
+
+import (
+	"context"
+	"io"
+	"net"
+	"strings"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func Contains(err error, msgList ...string) bool {
+	for _, msg := range msgList {
+		if strings.Contains(err.Error(), msg) {
+			return true
+		}
+	}
+	return false
+}
+
+func WrapH2(err error) error {
+	if err == nil {
+		return nil
+	}
+	err = E.Unwrap(err)
+	if err == io.ErrUnexpectedEOF {
+		return io.EOF
+	}
+	if Contains(err, "client disconnected", "body closed by handler", "response body closed", "; CANCEL") {
+		return net.ErrClosed
+	}
+	return err
+}
+
+func WrapGRPC(err error) error {
+	// grpc uses stupid internal error types
+	if err == nil {
+		return nil
+	}
+	if Contains(err, "EOF") {
+		return io.EOF
+	}
+	if Contains(err, "Canceled") {
+		return context.Canceled
+	}
+	if Contains(err,
+		"the client connection is closing",
+		"server closed the stream without sending trailers") {
+		return net.ErrClosed
+	}
+	return err
+}
+
+func WrapQUIC(err error) error {
+	if err == nil {
+		return nil
+	}
+	if Contains(err, "canceled by local with error code 0") {
+		return net.ErrClosed
+	}
+	return err
+}

common/dialer/conntrack/conn.go

@@ -17,7 +17,7 @@ func NewConn(conn net.Conn) (net.Conn, error) {
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := KillerCheck()
+		err := killerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err

common/dialer/conntrack/killer.go

@@ -1,20 +1,20 @@
 package conntrack
 
 import (
+	"runtime"
 	runtimeDebug "runtime/debug"
 	"time"
 
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/memory"
 )
 
 var (
 	KillerEnabled   bool
-	MemoryLimit     uint64
+	MemoryLimit     int64
 	killerLastCheck time.Time
 )
 
-func KillerCheck() error {
+func killerCheck() error {
 	if !KillerEnabled {
 		return nil
 	}
@@ -23,7 +23,10 @@ func KillerCheck() error {
 		return nil
 	}
 	killerLastCheck = nowTime
-	if memory.Total() > MemoryLimit {
+	var memStats runtime.MemStats
+	runtime.ReadMemStats(&memStats)
+	inuseMemory := int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
+	if inuseMemory > MemoryLimit {
 		Close()
 		go func() {
 			time.Sleep(time.Second)

common/dialer/conntrack/packet_conn.go

@@ -18,7 +18,7 @@ func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := KillerCheck()
+		err := killerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err

common/dialer/default.go

@@ -6,7 +6,7 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/control"
@@ -137,12 +137,10 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 }
 
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if destination.IsIPv6() {
-		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
-	} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
-		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP+"4", d.udpAddr4))
-	} else {
+	if !destination.IsIPv6() {
 		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
+	} else {
+		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
 	}
 }
 

common/dialer/dialer.go

@@ -29,12 +29,7 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	}
 	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
-		dialer = NewResolveDialer(
-			router,
-			dialer,
-			options.Detour == "" && !options.TCPFastOpen,
-			domainStrategy,
-			time.Duration(options.FallbackDelay))
+		dialer = NewResolveDialer(router, dialer, domainStrategy, time.Duration(options.FallbackDelay))
 	}
 	return dialer, nil
 }

common/dialer/resolve.go

@@ -16,16 +16,14 @@ import (
 
 type ResolveDialer struct {
 	dialer        N.Dialer
-	parallel      bool
 	router        adapter.Router
 	strategy      dns.DomainStrategy
 	fallbackDelay time.Duration
 }
 
-func NewResolveDialer(router adapter.Router, dialer N.Dialer, parallel bool, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
+func NewResolveDialer(router adapter.Router, dialer N.Dialer, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
 	return &ResolveDialer{
 		dialer,
-		parallel,
 		router,
 		strategy,
 		fallbackDelay,
@@ -36,7 +34,7 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
 	metadata.Destination = destination
 	metadata.Domain = ""
@@ -50,18 +48,14 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 	if err != nil {
 		return nil, err
 	}
-	if d.parallel {
-		return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
-	} else {
-		return N.DialSerial(ctx, d.dialer, network, destination, addresses)
-	}
+	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
 }
 
 func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
 	metadata.Destination = destination
 	metadata.Domain = ""

common/dialer/tfo.go

@@ -7,7 +7,6 @@ import (
 	"io"
 	"net"
 	"os"
-	"sync"
 	"time"
 
 	"github.com/sagernet/sing/common"
@@ -25,7 +24,6 @@ type slowOpenConn struct {
 	destination M.Socksaddr
 	conn        net.Conn
 	create      chan struct{}
-	access      sync.Mutex
 	err         error
 }
 
@@ -62,26 +60,16 @@ func (c *slowOpenConn) Read(b []byte) (n int, err error) {
 }
 
 func (c *slowOpenConn) Write(b []byte) (n int, err error) {
-	if c.conn != nil {
-		return c.conn.Write(b)
-	}
-	c.access.Lock()
-	defer c.access.Unlock()
-	select {
-	case <-c.create:
-		if c.err != nil {
-			return 0, c.err
+	if c.conn == nil {
+		c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
+		if err != nil {
+			c.conn = nil
+			c.err = E.Cause(err, "dial tcp fast open")
 		}
-		return c.conn.Write(b)
-	default:
+		close(c.create)
+		return
 	}
-	c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
-	if err != nil {
-		c.conn = nil
-		c.err = E.Cause(err, "dial tcp fast open")
-	}
-	close(c.create)
-	return
+	return c.conn.Write(b)
 }
 
 func (c *slowOpenConn) Close() error {

common/humanize/bytes.go

@@ -1,158 +0,0 @@
-package humanize
-
-import (
-	"fmt"
-	"math"
-	"strconv"
-	"strings"
-	"unicode"
-)
-
-// IEC Sizes.
-// kibis of bits
-const (
-	Byte = 1 << (iota * 10)
-	KiByte
-	MiByte
-	GiByte
-	TiByte
-	PiByte
-	EiByte
-)
-
-// SI Sizes.
-const (
-	IByte = 1
-	KByte = IByte * 1000
-	MByte = KByte * 1000
-	GByte = MByte * 1000
-	TByte = GByte * 1000
-	PByte = TByte * 1000
-	EByte = PByte * 1000
-)
-
-var defaultSizeTable = map[string]uint64{
-	"b":   Byte,
-	"kib": KiByte,
-	"kb":  KByte,
-	"mib": MiByte,
-	"mb":  MByte,
-	"gib": GiByte,
-	"gb":  GByte,
-	"tib": TiByte,
-	"tb":  TByte,
-	"pib": PiByte,
-	"pb":  PByte,
-	"eib": EiByte,
-	"eb":  EByte,
-	// Without suffix
-	"":   Byte,
-	"ki": KiByte,
-	"k":  KByte,
-	"mi": MiByte,
-	"m":  MByte,
-	"gi": GiByte,
-	"g":  GByte,
-	"ti": TiByte,
-	"t":  TByte,
-	"pi": PiByte,
-	"p":  PByte,
-	"ei": EiByte,
-	"e":  EByte,
-}
-
-var memorysSizeTable = map[string]uint64{
-	"b":  Byte,
-	"kb": KiByte,
-	"mb": MiByte,
-	"gb": GiByte,
-	"tb": TiByte,
-	"pb": PiByte,
-	"eb": EiByte,
-	"":   Byte,
-	"k":  KiByte,
-	"m":  MiByte,
-	"g":  GiByte,
-	"t":  TiByte,
-	"p":  PiByte,
-	"e":  EiByte,
-}
-
-var (
-	defaultSizes = []string{"B", "kB", "MB", "GB", "TB", "PB", "EB"}
-	iSizes       = []string{"B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"}
-)
-
-func Bytes(s uint64) string {
-	return humanateBytes(s, 1000, defaultSizes)
-}
-
-func MemoryBytes(s uint64) string {
-	return humanateBytes(s, 1024, defaultSizes)
-}
-
-func IBytes(s uint64) string {
-	return humanateBytes(s, 1024, iSizes)
-}
-
-func logn(n, b float64) float64 {
-	return math.Log(n) / math.Log(b)
-}
-
-func humanateBytes(s uint64, base float64, sizes []string) string {
-	if s < 10 {
-		return fmt.Sprintf("%d B", s)
-	}
-	e := math.Floor(logn(float64(s), base))
-	suffix := sizes[int(e)]
-	val := math.Floor(float64(s)/math.Pow(base, e)*10+0.5) / 10
-	f := "%.0f %s"
-	if val < 10 {
-		f = "%.1f %s"
-	}
-
-	return fmt.Sprintf(f, val, suffix)
-}
-
-func ParseBytes(s string) (uint64, error) {
-	return parseBytes0(s, defaultSizeTable)
-}
-
-func ParseMemoryBytes(s string) (uint64, error) {
-	return parseBytes0(s, memorysSizeTable)
-}
-
-func parseBytes0(s string, sizeTable map[string]uint64) (uint64, error) {
-	lastDigit := 0
-	hasComma := false
-	for _, r := range s {
-		if !(unicode.IsDigit(r) || r == '.' || r == ',') {
-			break
-		}
-		if r == ',' {
-			hasComma = true
-		}
-		lastDigit++
-	}
-
-	num := s[:lastDigit]
-	if hasComma {
-		num = strings.Replace(num, ",", "", -1)
-	}
-
-	f, err := strconv.ParseFloat(num, 64)
-	if err != nil {
-		return 0, err
-	}
-
-	extra := strings.ToLower(strings.TrimSpace(s[lastDigit:]))
-	if m, ok := sizeTable[extra]; ok {
-		f *= float64(m)
-		if f >= math.MaxUint64 {
-			return 0, fmt.Errorf("too large: %v", s)
-		}
-		return uint64(f), nil
-	}
-
-	return 0, fmt.Errorf("unhandled size name: %v", extra)
-}

common/interrupt/conn.go

@@ -1,75 +0,0 @@
-package interrupt
-
-import (
-	"net"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-/*type GroupedConn interface {
-	MarkAsInternal()
-}
-
-func MarkAsInternal(conn any) {
-	if groupedConn, isGroupConn := common.Cast[GroupedConn](conn); isGroupConn {
-		groupedConn.MarkAsInternal()
-	}
-}*/
-
-type Conn struct {
-	net.Conn
-	group   *Group
-	element *list.Element[*groupConnItem]
-}
-
-/*func (c *Conn) MarkAsInternal() {
-	c.element.Value.internal = true
-}*/
-
-func (c *Conn) Close() error {
-	c.group.access.Lock()
-	defer c.group.access.Unlock()
-	c.group.connections.Remove(c.element)
-	return c.Conn.Close()
-}
-
-func (c *Conn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *Conn) WriterReplaceable() bool {
-	return true
-}
-
-func (c *Conn) Upstream() any {
-	return c.Conn
-}
-
-type PacketConn struct {
-	net.PacketConn
-	group   *Group
-	element *list.Element[*groupConnItem]
-}
-
-/*func (c *PacketConn) MarkAsInternal() {
-	c.element.Value.internal = true
-}*/
-
-func (c *PacketConn) Close() error {
-	c.group.access.Lock()
-	defer c.group.access.Unlock()
-	c.group.connections.Remove(c.element)
-	return c.PacketConn.Close()
-}
-
-func (c *PacketConn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) WriterReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) Upstream() any {
-	return c.PacketConn
-}

common/interrupt/context.go

@@ -1,13 +0,0 @@
-package interrupt
-
-import "context"
-
-type contextKeyIsExternalConnection struct{}
-
-func ContextWithIsExternalConnection(ctx context.Context) context.Context {
-	return context.WithValue(ctx, contextKeyIsExternalConnection{}, true)
-}
-
-func IsExternalConnectionFromContext(ctx context.Context) bool {
-	return ctx.Value(contextKeyIsExternalConnection{}) != nil
-}

common/interrupt/group.go

@@ -1,52 +0,0 @@
-package interrupt
-
-import (
-	"io"
-	"net"
-	"sync"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type Group struct {
-	access      sync.Mutex
-	connections list.List[*groupConnItem]
-}
-
-type groupConnItem struct {
-	conn       io.Closer
-	isExternal bool
-}
-
-func NewGroup() *Group {
-	return &Group{}
-}
-
-func (g *Group) NewConn(conn net.Conn, isExternal bool) net.Conn {
-	g.access.Lock()
-	defer g.access.Unlock()
-	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
-	return &Conn{Conn: conn, group: g, element: item}
-}
-
-func (g *Group) NewPacketConn(conn net.PacketConn, isExternal bool) net.PacketConn {
-	g.access.Lock()
-	defer g.access.Unlock()
-	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
-	return &PacketConn{PacketConn: conn, group: g, element: item}
-}
-
-func (g *Group) Interrupt(interruptExternalConnections bool) {
-	g.access.Lock()
-	defer g.access.Unlock()
-	var toDelete []*list.Element[*groupConnItem]
-	for element := g.connections.Front(); element != nil; element = element.Next() {
-		if !element.Value.isExternal || interruptExternalConnections {
-			element.Value.conn.Close()
-			toDelete = append(toDelete, element)
-		}
-	}
-	for _, element := range toDelete {
-		g.connections.Remove(element)
-	}
-}

common/proxyproto/dialer.go

@@ -0,0 +1,50 @@
+package proxyproto
+
+import (
+	"context"
+	"net"
+	"net/netip"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+
+	"github.com/pires/go-proxyproto"
+)
+
+var _ N.Dialer = (*Dialer)(nil)
+
+type Dialer struct {
+	N.Dialer
+}
+
+func (d *Dialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	switch N.NetworkName(network) {
+	case N.NetworkTCP:
+		conn, err := d.Dialer.DialContext(ctx, network, destination)
+		if err != nil {
+			return nil, err
+		}
+		var source M.Socksaddr
+		metadata := adapter.ContextFrom(ctx)
+		if metadata != nil {
+			source = metadata.Source
+		}
+		if !source.IsValid() {
+			source = M.SocksaddrFromNet(conn.LocalAddr())
+		}
+		if destination.Addr.Is6() {
+			source = M.SocksaddrFrom(netip.AddrFrom16(source.Addr.As16()), source.Port)
+		}
+		h := proxyproto.HeaderProxyFromAddrs(1, source.TCPAddr(), destination.TCPAddr())
+		_, err = h.WriteTo(conn)
+		if err != nil {
+			conn.Close()
+			return nil, E.Cause(err, "write proxy protocol header")
+		}
+		return conn, nil
+	default:
+		return d.Dialer.DialContext(ctx, network, destination)
+	}
+}

common/proxyproto/listener.go

@@ -0,0 +1,62 @@
+package proxyproto
+
+import (
+	std_bufio "bufio"
+	"net"
+
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	M "github.com/sagernet/sing/common/metadata"
+
+	"github.com/pires/go-proxyproto"
+)
+
+type Listener struct {
+	net.Listener
+	AcceptNoHeader bool
+}
+
+func (l *Listener) Accept() (net.Conn, error) {
+	conn, err := l.Listener.Accept()
+	if err != nil {
+		return nil, err
+	}
+	bufReader := std_bufio.NewReader(conn)
+	header, err := proxyproto.Read(bufReader)
+	if err != nil && !(l.AcceptNoHeader && err == proxyproto.ErrNoProxyProtocol) {
+		return nil, &Error{err}
+	}
+	if bufReader.Buffered() > 0 {
+		cache := buf.NewSize(bufReader.Buffered())
+		_, err = cache.ReadFullFrom(bufReader, cache.FreeLen())
+		if err != nil {
+			return nil, &Error{err}
+		}
+		conn = bufio.NewCachedConn(conn, cache)
+	}
+	if header != nil {
+		return &bufio.AddrConn{Conn: conn, Metadata: M.Metadata{
+			Source:      M.SocksaddrFromNet(header.SourceAddr).Unwrap(),
+			Destination: M.SocksaddrFromNet(header.DestinationAddr).Unwrap(),
+		}}, nil
+	}
+	return conn, nil
+}
+
+var _ net.Error = (*Error)(nil)
+
+type Error struct {
+	error
+}
+
+func (e *Error) Unwrap() error {
+	return e.error
+}
+
+func (e *Error) Timeout() bool {
+	return false
+}
+
+func (e *Error) Temporary() bool {
+	return true
+}

common/qtls/wrapper.go

@@ -0,0 +1,120 @@
+package qtls
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+	"net/http"
+
+	"github.com/sagernet/quic-go"
+	"github.com/sagernet/quic-go/http3"
+	M "github.com/sagernet/sing/common/metadata"
+	aTLS "github.com/sagernet/sing/common/tls"
+)
+
+type QUICConfig interface {
+	Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.Connection, error)
+	DialEarly(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.EarlyConnection, error)
+	CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config, enableDatagrams bool) http.RoundTripper
+}
+
+type QUICServerConfig interface {
+	Listen(conn net.PacketConn, config *quic.Config) (QUICListener, error)
+	ListenEarly(conn net.PacketConn, config *quic.Config) (QUICEarlyListener, error)
+	ConfigureHTTP3()
+}
+
+type QUICListener interface {
+	Accept(ctx context.Context) (quic.Connection, error)
+	Close() error
+	Addr() net.Addr
+}
+
+type QUICEarlyListener interface {
+	Accept(ctx context.Context) (quic.EarlyConnection, error)
+	Close() error
+	Addr() net.Addr
+}
+
+func Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config aTLS.Config, quicConfig *quic.Config) (quic.Connection, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICConfig); isQUICConfig {
+		return quicTLSConfig.Dial(ctx, conn, addr, quicConfig)
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return quic.Dial(ctx, conn, addr, tlsConfig, quicConfig)
+}
+
+func DialEarly(ctx context.Context, conn net.PacketConn, addr net.Addr, config aTLS.Config, quicConfig *quic.Config) (quic.EarlyConnection, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICConfig); isQUICConfig {
+		return quicTLSConfig.DialEarly(ctx, conn, addr, quicConfig)
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return quic.DialEarly(ctx, conn, addr, tlsConfig, quicConfig)
+}
+
+func CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, config aTLS.Config, quicConfig *quic.Config, enableDatagrams bool) (http.RoundTripper, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICConfig); isQUICConfig {
+		return quicTLSConfig.CreateTransport(conn, quicConnPtr, serverAddr, quicConfig, enableDatagrams), nil
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return &http3.RoundTripper{
+		TLSClientConfig: tlsConfig,
+		QuicConfig:      quicConfig,
+		EnableDatagrams: enableDatagrams,
+		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
+			if err != nil {
+				return nil, err
+			}
+			*quicConnPtr = quicConn
+			return quicConn, nil
+		},
+	}, nil
+}
+
+func Listen(conn net.PacketConn, config aTLS.ServerConfig, quicConfig *quic.Config) (QUICListener, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICServerConfig); isQUICConfig {
+		return quicTLSConfig.Listen(conn, quicConfig)
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return quic.Listen(conn, tlsConfig, quicConfig)
+}
+
+func ListenEarly(conn net.PacketConn, config aTLS.ServerConfig, quicConfig *quic.Config) (QUICEarlyListener, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICServerConfig); isQUICConfig {
+		return quicTLSConfig.ListenEarly(conn, quicConfig)
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return quic.ListenEarly(conn, tlsConfig, quicConfig)
+}
+
+func ConfigureHTTP3(config aTLS.ServerConfig) error {
+	if len(config.NextProtos()) == 0 {
+		config.SetNextProtos([]string{http3.NextProtoH3})
+	}
+	if quicTLSConfig, isQUICConfig := config.(QUICServerConfig); isQUICConfig {
+		quicTLSConfig.ConfigureHTTP3()
+		return nil
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return err
+	}
+	http3.ConfigureTLSConfig(tlsConfig)
+	return nil
+}

common/settings/proxy_android.go

@@ -1,73 +1,43 @@
 package settings
 
 import (
-	"context"
 	"os"
 	"strings"
 
+	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )
 
-type AndroidSystemProxy struct {
-	useRish      bool
-	rishPath     string
-	serverAddr   M.Socksaddr
-	supportSOCKS bool
-	isEnabled    bool
-}
+var (
+	useRish  bool
+	rishPath string
+)
 
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*AndroidSystemProxy, error) {
+func init() {
 	userId := os.Getuid()
-	var (
-		useRish  bool
-		rishPath string
-	)
 	if userId == 0 || userId == 1000 || userId == 2000 {
 		useRish = false
 	} else {
 		rishPath, useRish = C.FindPath("rish")
-		if !useRish {
-			return nil, E.Cause(os.ErrPermission, "root or system (adb) permission is required for set system proxy")
-		}
 	}
-	return &AndroidSystemProxy{
-		useRish:      useRish,
-		rishPath:     rishPath,
-		serverAddr:   serverAddr,
-		supportSOCKS: supportSOCKS,
-	}, nil
 }
 
-func (p *AndroidSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *AndroidSystemProxy) Enable() error {
-	err := p.runAndroidShell("settings", "put", "global", "http_proxy", p.serverAddr.String())
-	if err != nil {
-		return err
-	}
-	p.isEnabled = true
-	return nil
-}
-
-func (p *AndroidSystemProxy) Disable() error {
-	err := p.runAndroidShell("settings", "put", "global", "http_proxy", ":0")
-	if err != nil {
-		return err
-	}
-	p.isEnabled = false
-	return nil
-}
-
-func (p *AndroidSystemProxy) runAndroidShell(name string, args ...string) error {
-	if !p.useRish {
+func runAndroidShell(name string, args ...string) error {
+	if !useRish {
 		return shell.Exec(name, args...).Attach().Run()
 	} else {
-		return shell.Exec("sh", p.rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return shell.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	}
 }
+
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	err := runAndroidShell("settings", "put", "global", "http_proxy", F.ToString("127.0.0.1:", port))
+	if err != nil {
+		return nil, err
+	}
+	return func() error {
+		return runAndroidShell("settings", "put", "global", "http_proxy", ":0")
+	}, nil
+}

common/settings/proxy_darwin.go

@@ -1,56 +1,56 @@
 package settings
 
 import (
-	"context"
 	"net/netip"
-	"strconv"
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
 )
 
-type DarwinSystemProxy struct {
+type systemProxy struct {
 	monitor       tun.DefaultInterfaceMonitor
 	interfaceName string
 	element       *list.Element[tun.DefaultInterfaceUpdateCallback]
-	serverAddr    M.Socksaddr
-	supportSOCKS  bool
-	isEnabled     bool
+	port          uint16
+	isMixed       bool
 }
 
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*DarwinSystemProxy, error) {
-	interfaceMonitor := adapter.RouterFromContext(ctx).InterfaceMonitor()
-	if interfaceMonitor == nil {
-		return nil, E.New("missing interface monitor")
+func (p *systemProxy) update(event int) {
+	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
+	if p.interfaceName == newInterfaceName {
+		return
 	}
-	proxy := &DarwinSystemProxy{
-		monitor:      interfaceMonitor,
-		serverAddr:   serverAddr,
-		supportSOCKS: supportSOCKS,
+	if p.interfaceName != "" {
+		_ = p.unset()
 	}
-	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
-	return proxy, nil
+	p.interfaceName = newInterfaceName
+	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
+	if err != nil {
+		return
+	}
+	if p.isMixed {
+		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+	}
+	if err == nil {
+		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+	}
+	if err == nil {
+		_ = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+	}
+	return
 }
 
-func (p *DarwinSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *DarwinSystemProxy) Enable() error {
-	return p.update0()
-}
-
-func (p *DarwinSystemProxy) Disable() error {
+func (p *systemProxy) unset() error {
 	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
 	if err != nil {
 		return err
 	}
-	if p.supportSOCKS {
+	if p.isMixed {
 		err = shell.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
@@ -59,53 +59,9 @@ func (p *DarwinSystemProxy) Disable() error {
 	if err == nil {
 		err = shell.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
-	if err == nil {
-		p.isEnabled = false
-	}
 	return err
 }
 
-func (p *DarwinSystemProxy) update(event int) {
-	if event&tun.EventInterfaceUpdate == 0 {
-		return
-	}
-	if !p.isEnabled {
-		return
-	}
-	_ = p.update0()
-}
-
-func (p *DarwinSystemProxy) update0() error {
-	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
-	if p.interfaceName == newInterfaceName {
-		return nil
-	}
-	if p.interfaceName != "" {
-		_ = p.Disable()
-	}
-	p.interfaceName = newInterfaceName
-	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
-	if err != nil {
-		return err
-	}
-	if p.supportSOCKS {
-		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
-	}
-	if err != nil {
-		return err
-	}
-	err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
-	if err != nil {
-		return err
-	}
-	err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
-	if err != nil {
-		return err
-	}
-	p.isEnabled = true
-	return nil
-}
-
 func getInterfaceDisplayName(name string) (string, error) {
 	content, err := shell.Exec("networksetup", "-listallhardwareports").ReadOutput()
 	if err != nil {
@@ -121,3 +77,21 @@ func getInterfaceDisplayName(name string) (string, error) {
 	}
 	return "", E.New(name, " not found in networksetup -listallhardwareports")
 }
+
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	interfaceMonitor := router.InterfaceMonitor()
+	if interfaceMonitor == nil {
+		return nil, E.New("missing interface monitor")
+	}
+	proxy := &systemProxy{
+		monitor: interfaceMonitor,
+		port:    port,
+		isMixed: isMixed,
+	}
+	proxy.update(tun.EventInterfaceUpdate)
+	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
+	return func() error {
+		interfaceMonitor.UnregisterCallback(proxy.element)
+		return proxy.unset()
+	}, nil
+}

common/settings/proxy_linux.go

@@ -3,137 +3,106 @@
 package settings
 
 import (
-	"context"
 	"os"
 	"os/exec"
 	"strings"
 
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )
 
-type LinuxSystemProxy struct {
-	hasGSettings     bool
-	hasKWriteConfig5 bool
-	sudoUser         string
-	serverAddr       M.Socksaddr
-	supportSOCKS     bool
-	isEnabled        bool
-}
+var (
+	hasGSettings bool
+	isKDE5       bool
+	sudoUser     string
+)
 
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*LinuxSystemProxy, error) {
-	hasGSettings := common.Error(exec.LookPath("gsettings")) == nil
-	hasKWriteConfig5 := common.Error(exec.LookPath("kwriteconfig5")) == nil
-	var sudoUser string
+func init() {
+	isKDE5 = common.Error(exec.LookPath("kwriteconfig5")) == nil
+	hasGSettings = common.Error(exec.LookPath("gsettings")) == nil
 	if os.Getuid() == 0 {
 		sudoUser = os.Getenv("SUDO_USER")
 	}
-	if !hasGSettings && !hasKWriteConfig5 {
-		return nil, E.New("unsupported desktop environment")
-	}
-	return &LinuxSystemProxy{
-		hasGSettings:     hasGSettings,
-		hasKWriteConfig5: hasKWriteConfig5,
-		sudoUser:         sudoUser,
-		serverAddr:       serverAddr,
-		supportSOCKS:     supportSOCKS,
-	}, nil
 }
 
-func (p *LinuxSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *LinuxSystemProxy) Enable() error {
-	if p.hasGSettings {
-		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
-		if err != nil {
-			return err
-		}
-		if p.supportSOCKS {
-			err = p.setGnomeProxy("ftp", "http", "https", "socks")
-		} else {
-			err = p.setGnomeProxy("http", "https")
-		}
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(p.supportSOCKS))
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
-		if err != nil {
-			return err
-		}
-	}
-	if p.hasKWriteConfig5 {
-		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "1")
-		if err != nil {
-			return err
-		}
-		if p.supportSOCKS {
-			err = p.setKDEProxy("ftp", "http", "https", "socks")
-		} else {
-			err = p.setKDEProxy("http", "https")
-		}
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "Authmode", "0")
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
-		if err != nil {
-			return err
-		}
-	}
-	p.isEnabled = true
-	return nil
-}
-
-func (p *LinuxSystemProxy) Disable() error {
-	if p.hasGSettings {
-		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
-		if err != nil {
-			return err
-		}
-	}
-	if p.hasKWriteConfig5 {
-		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "0")
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
-		if err != nil {
-			return err
-		}
-	}
-	p.isEnabled = false
-	return nil
-}
-
-func (p *LinuxSystemProxy) runAsUser(name string, args ...string) error {
+func runAsUser(name string, args ...string) error {
 	if os.Getuid() != 0 {
 		return shell.Exec(name, args...).Attach().Run()
-	} else if p.sudoUser != "" {
-		return shell.Exec("su", "-", p.sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+	} else if sudoUser != "" {
+		return shell.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	} else {
 		return E.New("set system proxy: unable to set as root")
 	}
 }
 
-func (p *LinuxSystemProxy) setGnomeProxy(proxyTypes ...string) error {
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	if hasGSettings {
+		err := runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
+		if err != nil {
+			return nil, err
+		}
+		if isMixed {
+			err = setGnomeProxy(port, "ftp", "http", "https", "socks")
+		} else {
+			err = setGnomeProxy(port, "http", "https")
+		}
+		if err != nil {
+			return nil, err
+		}
+		err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(isMixed))
+		if err != nil {
+			return nil, err
+		}
+		err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
+		if err != nil {
+			return nil, err
+		}
+		return func() error {
+			return runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
+		}, nil
+	}
+	if isKDE5 {
+		err := runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "ProxyType", "1")
+		if err != nil {
+			return nil, err
+		}
+		if isMixed {
+			err = setKDEProxy(port, "ftp", "http", "https", "socks")
+		} else {
+			err = setKDEProxy(port, "http", "https")
+		}
+		if err != nil {
+			return nil, err
+		}
+		err = runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "Authmode", "0")
+		if err != nil {
+			return nil, err
+		}
+		err = runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
+		if err != nil {
+			return nil, err
+		}
+		return func() error {
+			err = runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "ProxyType", "0")
+			if err != nil {
+				return err
+			}
+			return runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
+		}, nil
+	}
+	return nil, E.New("unsupported desktop environment")
+}
+
+func setGnomeProxy(port uint16, proxyTypes ...string) error {
 	for _, proxyType := range proxyTypes {
-		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", p.serverAddr.AddrString())
+		err := runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", "127.0.0.1")
 		if err != nil {
 			return err
 		}
-		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(p.serverAddr.Port))
+		err = runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(port))
 		if err != nil {
 			return err
 		}
@@ -141,20 +110,20 @@ func (p *LinuxSystemProxy) setGnomeProxy(proxyTypes ...string) error {
 	return nil
 }
 
-func (p *LinuxSystemProxy) setKDEProxy(proxyTypes ...string) error {
+func setKDEProxy(port uint16, proxyTypes ...string) error {
 	for _, proxyType := range proxyTypes {
 		var proxyUrl string
 		if proxyType == "socks" {
-			proxyUrl = "socks://" + p.serverAddr.String()
+			proxyUrl = "socks://127.0.0.1:" + F.ToString(port)
 		} else {
-			proxyUrl = "http://" + p.serverAddr.String()
+			proxyUrl = "http://127.0.0.1:" + F.ToString(port)
 		}
-		err := p.runAsUser(
+		err := runAsUser(
 			"kwriteconfig5",
 			"--file",
 			"kioslaverc",
 			"--group",
-			"Proxy Settings",
+			"'Proxy Settings'",
 			"--key", proxyType+"Proxy",
 			proxyUrl,
 		)

common/settings/proxy_stub.go

@@ -3,12 +3,11 @@
 package settings
 
 import (
-	"context"
 	"os"
 
-	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing-box/adapter"
 )
 
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (SystemProxy, error) {
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
 	return nil, os.ErrInvalid
 }

common/settings/proxy_windows.go

@@ -1,43 +1,17 @@
 package settings
 
 import (
-	"context"
-
-	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/wininet"
 )
 
-type WindowsSystemProxy struct {
-	serverAddr   M.Socksaddr
-	supportSOCKS bool
-	isEnabled    bool
-}
-
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*WindowsSystemProxy, error) {
-	return &WindowsSystemProxy{
-		serverAddr:   serverAddr,
-		supportSOCKS: supportSOCKS,
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	err := wininet.SetSystemProxy(F.ToString("http://127.0.0.1:", port), "")
+	if err != nil {
+		return nil, err
+	}
+	return func() error {
+		return wininet.ClearSystemProxy()
 	}, nil
 }
-
-func (p *WindowsSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *WindowsSystemProxy) Enable() error {
-	err := wininet.SetSystemProxy("http://"+p.serverAddr.String(), "")
-	if err != nil {
-		return err
-	}
-	p.isEnabled = true
-	return nil
-}
-
-func (p *WindowsSystemProxy) Disable() error {
-	err := wininet.ClearSystemProxy()
-	if err != nil {
-		return err
-	}
-	p.isEnabled = false
-	return nil
-}

common/settings/system_proxy.go

@@ -1,7 +0,0 @@
-package settings
-
-type SystemProxy interface {
-	IsEnabled() bool
-	Enable() error
-	Disable() error
-}

common/tls/acme.go

@@ -9,13 +9,10 @@ import (
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 
 	"github.com/caddyserver/certmagic"
-	"github.com/libdns/alidns"
-	"github.com/libdns/cloudflare"
 	"github.com/mholt/acmez/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -77,24 +74,6 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		AltTLSALPNPort:          int(options.AlternativeTLSPort),
 		Logger:                  config.Logger,
 	}
-	if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {
-		var solver certmagic.DNS01Solver
-		switch dnsOptions.Provider {
-		case C.DNSProviderAliDNS:
-			solver.DNSProvider = &alidns.Provider{
-				AccKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
-				AccKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
-				RegionID:     dnsOptions.AliDNSOptions.RegionID,
-			}
-		case C.DNSProviderCloudflare:
-			solver.DNSProvider = &cloudflare.Provider{
-				APIToken: dnsOptions.CloudflareOptions.APIToken,
-			}
-		default:
-			return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)
-		}
-		acmeConfig.DNS01Solver = &solver
-	}
 	if options.ExternalAccount != nil && options.ExternalAccount.KeyID != "" {
 		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
 	}

common/tls/ech_client.go

@@ -149,8 +149,8 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 	}
 	var certificate []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {
@@ -178,7 +178,7 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 	} else if options.ECH.ConfigPath != "" {
 		content, err := os.ReadFile(options.ECH.ConfigPath)
 		if err != nil {
-			return nil, E.Cause(err, "read ECH config")
+			return nil, E.Cause(err, "read key")
 		}
 		echConfig = content
 	}

common/tls/ech_quic.go

@@ -10,13 +10,13 @@ import (
 	"github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/quic-go/ech"
 	"github.com/sagernet/quic-go/http3_ech"
-	"github.com/sagernet/sing-quic"
+	"github.com/sagernet/sing-box/common/qtls"
 	M "github.com/sagernet/sing/common/metadata"
 )
 
 var (
-	_ qtls.Config       = (*echClientConfig)(nil)
-	_ qtls.ServerConfig = (*echServerConfig)(nil)
+	_ qtls.QUICConfig       = (*echClientConfig)(nil)
+	_ qtls.QUICServerConfig = (*echServerConfig)(nil)
 )
 
 func (c *echClientConfig) Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.Connection, error) {
@@ -43,11 +43,11 @@ func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic
 	}
 }
 
-func (c *echServerConfig) Listen(conn net.PacketConn, config *quic.Config) (qtls.Listener, error) {
+func (c *echServerConfig) Listen(conn net.PacketConn, config *quic.Config) (qtls.QUICListener, error) {
 	return quic.Listen(conn, c.config, config)
 }
 
-func (c *echServerConfig) ListenEarly(conn net.PacketConn, config *quic.Config) (qtls.EarlyListener, error) {
+func (c *echServerConfig) ListenEarly(conn net.PacketConn, config *quic.Config) (qtls.QUICEarlyListener, error) {
 	return quic.ListenEarly(conn, c.config, config)
 }
 

common/tls/ech_server.go

@@ -159,7 +159,7 @@ func (c *echServerConfig) startECHWatcher() error {
 	if err != nil {
 		return err
 	}
-	c.echWatcher = watcher
+	c.watcher = watcher
 	go c.loopECHUpdate()
 	return nil
 }
@@ -178,7 +178,7 @@ func (c *echServerConfig) loopECHUpdate() {
 			if err != nil {
 				c.logger.Error(E.Cause(err, "reload ECH key"))
 			}
-		case err, ok := <-c.echWatcher.Errors:
+		case err, ok := <-c.watcher.Errors:
 			if !ok {
 				return
 			}
@@ -304,7 +304,7 @@ func NewECHServer(ctx context.Context, logger log.Logger, options option.Inbound
 	} else if options.KeyPath != "" {
 		content, err := os.ReadFile(options.ECH.KeyPath)
 		if err != nil {
-			return nil, E.Cause(err, "read ECH key")
+			return nil, E.Cause(err, "read key")
 		}
 		echKey = content
 	} else {

common/tls/mkcert.go

@@ -11,34 +11,22 @@ import (
 	"time"
 )
 
-func GenerateCertificate(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
-	privateKeyPem, publicKeyPem, err := GenerateKeyPair(timeFunc, serverName, timeFunc().Add(time.Hour))
-	if err != nil {
-		return nil, err
-	}
-	certificate, err := tls.X509KeyPair(publicKeyPem, privateKeyPem)
-	if err != nil {
-		return nil, err
-	}
-	return &certificate, err
-}
-
-func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.Time) (privateKeyPem []byte, publicKeyPem []byte, err error) {
+func GenerateKeyPair(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
 	if timeFunc == nil {
 		timeFunc = time.Now
 	}
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
-		return
+		return nil, err
 	}
 	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
 	if err != nil {
-		return
+		return nil, err
 	}
 	template := &x509.Certificate{
 		SerialNumber:          serialNumber,
 		NotBefore:             timeFunc().Add(time.Hour * -1),
-		NotAfter:              expire,
+		NotAfter:              timeFunc().Add(time.Hour),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
@@ -49,13 +37,17 @@ func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.T
 	}
 	publicDer, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
 	if err != nil {
-		return
+		return nil, err
 	}
 	privateDer, err := x509.MarshalPKCS8PrivateKey(key)
 	if err != nil {
-		return
+		return nil, err
 	}
-	publicKeyPem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: publicDer})
-	privateKeyPem = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateDer})
-	return
+	publicPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: publicDer})
+	privPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateDer})
+	keyPair, err := tls.X509KeyPair(publicPem, privPem)
+	if err != nil {
+		return nil, err
+	}
+	return &keyPair, err
 }

common/tls/std_client.go

@@ -7,7 +7,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strings"
 
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -112,8 +111,8 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 	}
 	var certificate []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {

common/tls/std_server.go

@@ -233,7 +233,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		}
 		if certificate == nil && key == nil && options.Insecure {
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateCertificate(ntp.TimeFuncFromContext(ctx), info.ServerName)
+				return GenerateKeyPair(ntp.TimeFuncFromContext(ctx), info.ServerName)
 			}
 		} else {
 			if certificate == nil {

common/tls/utls_client.go

@@ -10,7 +10,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strings"
 
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -169,8 +168,8 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 		}
 	}
 	var certificate []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {

common/urltest/urltest.go

@@ -8,7 +8,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -97,25 +96,33 @@ func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err e
 		return
 	}
 	defer instance.Close()
-	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](instance); isEarlyConn && earlyConn.NeedHandshake() {
-		start = time.Now()
-	}
+
 	req, err := http.NewRequest(http.MethodHead, link, nil)
 	if err != nil {
 		return
 	}
-	client := http.Client{
-		Transport: &http.Transport{
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return instance, nil
-			},
+	req = req.WithContext(ctx)
+
+	transport := &http.Transport{
+		Dial: func(string, string) (net.Conn, error) {
+			return instance, nil
 		},
+		// from http.DefaultTransport
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+
+	client := http.Client{
+		Transport: transport,
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
 	}
 	defer client.CloseIdleConnections()
-	resp, err := client.Do(req.WithContext(ctx))
+
+	resp, err := client.Do(req)
 	if err != nil {
 		return
 	}

constant/dns.go

@@ -1,6 +0,0 @@
-package constant
-
-const (
-	DNSProviderAliDNS     = "alidns"
-	DNSProviderCloudflare = "cloudflare"
-)

debug_go118.go

@@ -5,7 +5,7 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -28,7 +28,7 @@ func applyDebugOptions(options option.DebugOptions) {
 	}
 	if options.MemoryLimit != 0 {
 		// debug.SetMemoryLimit(int64(options.MemoryLimit))
-		conntrack.MemoryLimit = uint64(options.MemoryLimit)
+		conntrack.MemoryLimit = int64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller

debug_go119.go

@@ -5,7 +5,7 @@ package box
 import (
 	"runtime/debug"
 
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
 
@@ -27,8 +27,8 @@ func applyDebugOptions(options option.DebugOptions) {
 		debug.SetTraceback(options.TraceBack)
 	}
 	if options.MemoryLimit != 0 {
-		debug.SetMemoryLimit(int64(float64(options.MemoryLimit) / 1.5))
-		conntrack.MemoryLimit = uint64(options.MemoryLimit)
+		debug.SetMemoryLimit(int64(options.MemoryLimit))
+		conntrack.MemoryLimit = int64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller

debug_http.go

@@ -7,12 +7,12 @@ import (
 	"runtime/debug"
 
 	"github.com/sagernet/sing-box/common/badjson"
-	"github.com/sagernet/sing-box/common/humanize"
 	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 
+	"github.com/dustin/go-humanize"
 	"github.com/go-chi/chi/v5"
 )
 
@@ -37,9 +37,9 @@ func applyDebugListenOption(options option.DebugOptions) {
 			runtime.ReadMemStats(&memStats)
 
 			var memObject badjson.JSONObject
-			memObject.Put("heap", humanize.MemoryBytes(memStats.HeapInuse))
-			memObject.Put("stack", humanize.MemoryBytes(memStats.StackInuse))
-			memObject.Put("idle", humanize.MemoryBytes(memStats.HeapIdle-memStats.HeapReleased))
+			memObject.Put("heap", humanize.IBytes(memStats.HeapInuse))
+			memObject.Put("stack", humanize.IBytes(memStats.StackInuse))
+			memObject.Put("idle", humanize.IBytes(memStats.HeapIdle-memStats.HeapReleased))
 			memObject.Put("goroutines", runtime.NumGoroutine())
 			memObject.Put("rss", rusageMaxRSS())
 

docs/changelog.md

@@ -1,321 +1,3 @@
-#### 1.6.3
-
-* iOS/Android: Fix profile auto update
-* Fixes and improvements
-
-#### 1.6.2
-
-* Fixes and improvements
-
-#### 1.6.1
-
-* Our [Android client](/installation/clients/sfa) is now available in the Google Play Store ▶️
-* Fixes and improvements
-
-#### 1.6.0
-
-* Fixes and improvements
-
-Important changes since 1.5:
-
-* Our [Apple tvOS client](/installation/clients/sft) is now available in the App Store 🍎
-* Update BBR congestion control for TUIC and Hysteria2 **1**
-* Update brutal congestion control for Hysteria2
-* Add `brutal_debug` option for Hysteria2
-* Update legacy Hysteria protocol **2**
-* Add TLS self sign key pair generate command
-* Remove [Deprecated Features](/deprecated) by agreement
-
-**1**:
-
-None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
-This update is intended to address the multi-send defects of the old implementation and may introduce new issues.
-
-**2**
-
-Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
-the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
-
-
-#### 1.5.5
-
-* Fix IPv6 `auto_route` for Linux **1**
-* Add legacy builds for old Windows and macOS systems **2**
-* Fixes and improvements
-
-**1**:
-
-When `auto_route` is enabled and `strict_route` is disabled, the device can now be reached from external IPv6 addresses.
-
-**2**:
-
-Built using Go 1.20, the last version that will run on Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High Sierra, 10.14 Mojave.
-
-
-#### 1.6.0-rc.4
-
-* Fixes and improvements
-
-#### 1.6.0-rc.1
-
-* Add legacy builds for old Windows and macOS systems **1**
-* Fixes and improvements
-
-**1**:
-
-Built using Go 1.20, the last version that will run on Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High Sierra, 10.14 Mojave.
-
-#### 1.6.0-beta.4
-
-* Fix IPv6 `auto_route` for Linux **1**
-* Fixes and improvements
-
-**1**:
-
-When `auto_route` is enabled and `strict_route` is disabled, the device can now be reached from external IPv6 addresses.
-
-#### 1.5.4
-
-* Fix Clash cache crash on arm32 devices
-* Fixes and improvements
-
-#### 1.6.0-beta.3
-
-* Update the legacy Hysteria protocol **1**
-* Fixes and improvements
-
-**1**
-
-Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
-the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
-
-#### 1.6.0-beta.2
-
-* Add TLS self sign key pair generate command
-* Update brutal congestion control for Hysteria2
-* Fix Clash cache crash on arm32 devices
-* Update golang.org/x/net to v0.17.0
-* Fixes and improvements
-
-#### 1.5.3
-
-* Fix compatibility with Android 14
-* Fixes and improvements
-
-#### 1.6.0-beta.1
-
-* Fixes and improvements
-
-#### 1.6.0-alpha.5
-
-* Fix compatibility with Android 14
-* Update BBR congestion control for TUIC and Hysteria2 **1**
-* Fixes and improvements
-
-**1**:
-
-None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
-This update is intended to fix a memory leak flaw in the new implementation introduced in 1.6.0-alpha.1 and may
-introduce new issues.
-
-#### 1.6.0-alpha.4
-
-* Add `brutal_debug` option for Hysteria2
-* Fixes and improvements
-
-#### 1.5.2
-
-* Our [Apple tvOS client](/installation/clients/sft) is now available in the App Store 🍎
-* Fixes and improvements
-
-#### 1.6.0-alpha.3
-
-* Fixes and improvements
-
-#### 1.6.0-alpha.2
-
-* Fixes and improvements
-
-#### 1.5.1
-
-* Fixes and improvements
-
-#### 1.6.0-alpha.1
-
-* Update BBR congestion control for TUIC and Hysteria2 **1**
-* Update quic-go to v0.39.0
-* Update gVisor to 20230814.0
-* Remove [Deprecated Features](/deprecated) by agreement
-* Fixes and improvements
-
-**1**:
-
-None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
-This update is intended to address the multi-send defects of the old implementation and may introduce new issues.
-
-#### 1.5.0
-
-* Fixes and improvements
-
-Important changes since 1.4:
-
-* Add TLS [ECH server](/configuration/shared/tls) support
-* Improve TLS TCH client configuration
-* Add TLS ECH key pair generator **1**
-* Add TLS ECH support for QUIC based protocols **2**
-* Add KDE support for the `set_system_proxy` option in HTTP inbound
-* Add Hysteria2 protocol support **3**
-* Add `interrupt_exist_connections` option for `Selector` and `URLTest` outbounds **4**
-* Add DNS01 challenge support for ACME TLS certificate issuer **5**
-* Add `merge` command **6**
-* Mark [Deprecated Features](/deprecated)
-
-**1**:
-
-Command: `sing-box generate ech-keypair <plain_server_name> [--pq-signature-schemes-enabled]`
-
-**2**:
-
-All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria[/2]`, `TUIC` and `V2ray QUIC transport`.
-
-**3**:
-
-See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
-
-For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)
-
-**4**:
-
-Interrupt existing connections when the selected outbound has changed.
-
-Only inbound connections are affected by this setting, internal connections will always be interrupted.
-
-**5**:
-
-Only `Alibaba Cloud DNS` and `Cloudflare` are supported, see [ACME Fields](/configuration/shared/tls#acme-fields)
-and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
-
-**6**:
-
-This command also parses path resources that appear in the configuration file and replaces them with embedded
-configuration, such as TLS certificates or SSH private keys.
-
-#### 1.5.0-rc.6
-
-* Fixes and improvements
-
-#### 1.4.6
-
-* Fixes and improvements
-
-#### 1.5.0-rc.5
-
-* Fixed an improper authentication vulnerability in the SOCKS5 inbound
-* Fixes and improvements
-
-**Security Advisory**
-
-This update fixes an improper authentication vulnerability in the sing-box SOCKS inbound. This vulnerability allows an
-attacker to craft special requests to bypass user authentication. All users exposing SOCKS servers with user
-authentication in an insecure environment are advised to update immediately.
-
-此更新修复了 sing-box SOCKS 入站中的一个不正确身份验证漏洞。 该漏洞允许攻击者制作特殊请求来绕过用户身份验证。建议所有将使用用户认证的
-SOCKS 服务器暴露在不安全环境下的用户立更新。
-
-#### 1.4.5
-
-* Fixed an improper authentication vulnerability in the SOCKS5 inbound
-* Fixes and improvements
-
-**Security Advisory**
-
-This update fixes an improper authentication vulnerability in the sing-box SOCKS inbound. This vulnerability allows an
-attacker to craft special requests to bypass user authentication. All users exposing SOCKS servers with user
-authentication in an insecure environment are advised to update immediately.
-
-此更新修复了 sing-box SOCKS 入站中的一个不正确身份验证漏洞。 该漏洞允许攻击者制作特殊请求来绕过用户身份验证。建议所有将使用用户认证的
-SOCKS 服务器暴露在不安全环境下的用户立更新。
-
-#### 1.5.0-rc.3
-
-* Fixes and improvements
-
-#### 1.5.0-beta.12
-
-* Add `merge` command **1**
-* Fixes and improvements
-
-**1**:
-
-This command also parses path resources that appear in the configuration file and replaces them with embedded
-configuration, such as TLS certificates or SSH private keys.
-
-```
-Merge configurations
-
-Usage:
-  sing-box merge [output] [flags]
-
-Flags:
-  -h, --help   help for merge
-
-Global Flags:
-  -c, --config stringArray             set configuration file path
-  -C, --config-directory stringArray   set configuration directory path
-  -D, --directory string               set working directory
-      --disable-color                  disable color output
-```
-
-#### 1.5.0-beta.11
-
-* Add DNS01 challenge support for ACME TLS certificate issuer **1**
-* Fixes and improvements
-
-**1**:
-
-Only `Alibaba Cloud DNS` and `Cloudflare` are supported,
-see [ACME Fields](/configuration/shared/tls#acme-fields)
-and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
-
-#### 1.5.0-beta.10
-
-* Add `interrupt_exist_connections` option for `Selector` and `URLTest` outbounds **1**
-* Fixes and improvements
-
-**1**:
-
-Interrupt existing connections when the selected outbound has changed.
-
-Only inbound connections are affected by this setting, internal connections will always be interrupted.
-
-#### 1.4.3
-
-* Fixes and improvements
-
-#### 1.5.0-beta.8
-
-* Fixes and improvements
-
-#### 1.4.2
-
-* Fixes and improvements
-
-#### 1.5.0-beta.6
-
-* Fix compatibility issues with official Hysteria2 server and client
-* Fixes and improvements
-* Mark [deprecated features](/deprecated)
-
-#### 1.5.0-beta.3
-
-* Fixes and improvements
-* Updated Hysteria2 documentation **1**
-
-**1**:
-
-Added notes indicating compatibility issues with the official
-Hysteria2 server and client when using `fastOpen=false` or UDP MTU >= 1200.
-
 #### 1.5.0-beta.2
 
 * Add hysteria2 protocol support **1**
@@ -337,7 +19,7 @@ For protocol description, please refer to [https://v2.hysteria.network](https://
 
 **1**:
 
-Command: `sing-box generate ech-keypair <plain_server_name> [--pq-signature-schemes-enabled]`
+Command: `sing-box generate ech-keypair <plain_server_name> [-pq-signature-schemes-enabled]`
 
 **2**:
 

docs/configuration/experimental/index.md

@@ -78,7 +78,7 @@ ALWAYS set a secret if RESTful API is listening on 0.0.0.0
 
 #### default_mode
 
-Default mode in clash, `Rule` will be used if empty.
+Default mode in clash, `rule` will be used if empty.
 
 This setting has no direct effect, but can be used in routing and DNS rules via the `clash_mode` rule item.
 

docs/configuration/experimental/index.zh.md

@@ -76,7 +76,7 @@ RESTful API 的密钥（可选）
 
 #### default_mode
 
-Clash 中的默认模式，默认使用 `Rule`。
+Clash 中的默认模式，默认使用 `rule`。
 
 此设置没有直接影响，但可以通过 `clash_mode` 规则项在路由和 DNS 规则中使用。
 

docs/configuration/inbound/hysteria2.md

@@ -20,9 +20,8 @@
     }
   ],
   "ignore_client_bandwidth": false,
-  "tls": {},
   "masquerade": "",
-  "brutal_debug": false
+  "tls": {}
 }
 ```
 
@@ -68,12 +67,6 @@ Commands the client to use the BBR flow control algorithm instead of Hysteria CC
 
 Conflict with `up_mbps` and `down_mbps`.
 
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
-
 #### masquerade
 
 HTTP3 server behavior when authentication fails.
@@ -85,6 +78,8 @@ HTTP3 server behavior when authentication fails.
 
 A 404 page will be returned if empty.
 
-#### brutal_debug
+#### tls
 
-Enable debug information logging for Hysteria Brutal CC.
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

docs/configuration/inbound/hysteria2.zh.md

@@ -20,9 +20,8 @@
     }
   ],
   "ignore_client_bandwidth": false,
-  "tls": {},
   "masquerade": "",
-  "brutal_debug": false
+  "tls": {}
 }
 ```
 
@@ -66,12 +65,6 @@ Hysteria 用户
 
 与 `up_mbps` 和 `down_mbps` 冲突。
 
-#### tls
-
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
-
 #### masquerade
 
 HTTP3 服务器认证失败时的行为。
@@ -83,6 +76,8 @@ HTTP3 服务器认证失败时的行为。
 
 如果为空，则返回 404 页。
 
-#### brutal_debug
+#### tls
 
-启用 Hysteria Brutal CC 的调试信息日志记录。
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/shadowsocks.md

@@ -82,3 +82,49 @@ Both if empty.
 | none          | /                                              |
 | 2022 methods  | `sing-box generate rand --base64 <Key Length>` |
 | other methods | any string                                     |
+
+### Listen Fields
+
+#### listen
+
+==Required==
+
+Listen address.
+
+#### listen_port
+
+==Required==
+
+Listen port.
+
+#### tcp_fast_open
+
+Enable tcp fast open for listener.
+
+#### sniff
+
+Enable sniffing.
+
+See [Protocol Sniff](/configuration/route/sniff/) for details.
+
+#### sniff_override_destination
+
+Override the connection destination address with the sniffed domain.
+
+If the domain name is invalid (like tor), this will not work.
+
+#### domain_strategy
+
+One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
+
+If set, the requested domain name will be resolved to IP before routing.
+
+If `sniff_override_destination` is in effect, its value will be taken as a fallback.
+
+#### udp_timeout
+
+UDP NAT expiration time in seconds, default is 300 (5 minutes).
+
+#### proxy_protocol
+
+Parse [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) in the connection header.

docs/configuration/index.md

@@ -31,17 +31,11 @@ sing-box uses JSON for configuration files.
 ### Check
 
 ```bash
-sing-box check
+$ sing-box check
 ```
 
 ### Format
 
 ```bash
-sing-box format -w -c config.json -D config_directory
-```
-
-### Merge
-
-```bash
-sing-box merge output.json -c config.json -D config_directory
+$ sing-box format -w
 ```

docs/configuration/index.zh.md

@@ -29,17 +29,11 @@ sing-box 使用 JSON 作为配置文件格式。
 ### 检查
 
 ```bash
-sing-box check
+$ sing-box check
 ```
 
 ### 格式化
 
 ```bash
-sing-box format -w -c config.json -D config_directory
-```
-
-### 合并
-
-```bash
-sing-box merge output.json -c config.json -D config_directory
+$ sing-box format -w
 ```

docs/configuration/outbound/hysteria2.md

@@ -16,7 +16,6 @@
   "password": "goofy_ahh_password",
   "network": "tcp",
   "tls": {},
-  "brutal_debug": false,
   
   ... // Dial Fields
 }
@@ -74,10 +73,6 @@ Both is enabled by default.
 
 TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
 
-#### brutal_debug
-
-Enable debug information logging for Hysteria Brutal CC.
-
 ### Dial Fields
 
 See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/hysteria2.zh.md

@@ -16,7 +16,6 @@
   "password": "goofy_ahh_password",
   "network": "tcp",
   "tls": {},
-  "brutal_debug": false,
   
   ... // 拨号字段
 }
@@ -74,9 +73,6 @@ QUIC 流量混淆器密码.
 
 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
-#### brutal_debug
-
-启用 Hysteria Brutal CC 的调试信息日志记录。
 
 ### 拨号字段
 

docs/configuration/outbound/selector.md

@@ -10,8 +10,7 @@
     "proxy-b",
     "proxy-c"
   ],
-  "default": "proxy-c",
-  "interrupt_exist_connections": false
+  "default": "proxy-c"
 }
 ```
 
@@ -29,10 +28,4 @@ List of outbound tags to select.
 
 #### default
 
-The default outbound tag. The first outbound will be used if empty.
-
-#### interrupt_exist_connections
-
-Interrupt existing connections when the selected outbound has changed.
-
-Only inbound connections are affected by this setting, internal connections will always be interrupted.
+The default outbound tag. The first outbound will be used if empty.

docs/configuration/outbound/selector.zh.md

@@ -10,8 +10,7 @@
     "proxy-b",
     "proxy-c"
   ],
-  "default": "proxy-c",
-  "interrupt_exist_connections": false
+  "default": "proxy-c"
 }
 ```
 
@@ -30,9 +29,3 @@
 #### default
 
 默认的出站标签。默认使用第一个出站。
-
-#### interrupt_exist_connections
-
-当选定的出站发生更改时，中断现有连接。
-
-仅入站连接受此设置影响，内部连接将始终被中断。

docs/configuration/outbound/urltest.md

@@ -12,8 +12,7 @@
   ],
   "url": "https://www.gstatic.com/generate_204",
   "interval": "1m",
-  "tolerance": 50,
-  "interrupt_exist_connections": false
+  "tolerance": 50
 }
 ```
 
@@ -36,9 +35,3 @@ The test interval. `1m` will be used if empty.
 #### tolerance
 
 The test tolerance in milliseconds. `50` will be used if empty.
-
-#### interrupt_exist_connections
-
-Interrupt existing connections when the selected outbound has changed.
-
-Only inbound connections are affected by this setting, internal connections will always be interrupted.

docs/configuration/outbound/urltest.zh.md

@@ -12,8 +12,7 @@
   ],
   "url": "https://www.gstatic.com/generate_204",
   "interval": "1m",
-  "tolerance": 50,
-  "interrupt_exist_connections": false
+  "tolerance": 50
 }
 ```
 
@@ -36,9 +35,3 @@
 #### tolerance
 
 以毫秒为单位的测试容差。 默认使用 `50`。
-
-#### interrupt_exist_connections
-
-当选定的出站发生更改时，中断现有连接。
-
-仅入站连接受此设置影响，内部连接将始终被中断。

docs/configuration/shared/dns01_challenge.md

@@ -1,31 +0,0 @@
-### Structure
-
-```json
-{
-  "provider": "",
-  
-  ... // Provider Fields
-}
-```
-
-### Provider Fields
-
-#### Alibaba Cloud DNS
-
-```json
-{
-  "provider": "alidns",
-  "access_key_id": "",
-  "access_key_secret": "",
-  "region_id": ""
-}
-```
-
-#### Cloudflare
-
-```json
-{
-  "provider": "cloudflare",
-  "api_token": ""
-}
-```

docs/configuration/shared/dns01_challenge.zh.md

@@ -1,31 +0,0 @@
-### 结构
-
-```json
-{
-  "provider": "",
-  
-  ... // 提供商字段
-}
-```
-
-### 提供商字段
-
-#### Alibaba Cloud DNS
-
-```json
-{
-  "provider": "alidns",
-  "access_key_id": "",
-  "access_key_secret": "",
-  "region_id": ""
-}
-```
-
-#### Cloudflare
-
-```json
-{
-  "provider": "cloudflare",
-  "api_token": ""
-}
-```

docs/configuration/shared/tls.md

@@ -25,8 +25,7 @@
     "external_account": {
       "key_id": "",
       "mac_key": ""
-    },
-    "dns01_challenge": {}
+    }
   },
   "ech": {
     "enabled": false,
@@ -233,7 +232,7 @@ Chrome fingerprint will be used if empty.
 ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
 message.
 
-The ECH key and configuration can be generated by `sing-box generate ech-keypair [--pq-signature-schemes-enabled]`.
+The ECH key and configuration can be generated by `sing-box generate ech-keypair [-pq-signature-schemes-enabled]`.
 
 #### pq_signature_schemes_enabled
 
@@ -349,12 +348,6 @@ The key identifier.
 
 The MAC key.
 
-#### dns01_challenge
-
-ACME DNS01 challenge field. If configured, other challenge methods will be disabled.
-
-See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge) for details.
-
 ### Reality Fields
 
 !!! warning ""

docs/configuration/shared/tls.zh.md

@@ -25,8 +25,7 @@
     "external_account": {
       "key_id": "",
       "mac_key": ""
-    },
-    "dns01_challenge": {}
+    }
   },
   "ech": {
     "enabled": false,
@@ -228,13 +227,13 @@ ECH (Encrypted Client Hello) 是一个 TLS 扩展，它允许客户端加密其
 信息。
 
 
-ECH 配置和密钥可以通过 `sing-box generate ech-keypair [--pq-signature-schemes-enabled]` 生成。
+ECH 配置和密钥可以通过 `sing-box generated ech-keypair [-pq-signature-schemes-enabled]` 生成。
 
 #### pq_signature_schemes_enabled
 
 启用对后量子对等证书签名方案的支持。
 
-建议匹配 `sing-box generate ech-keypair` 的参数。
+建议匹配 `sing-box generated ech-keypair` 的参数。
 
 #### dynamic_record_sizing_disabled
 
@@ -340,12 +339,6 @@ EAB（外部帐户绑定）包含将 ACME 帐户绑定或映射到其他已知
 
 MAC 密钥。
 
-#### dns01_challenge
-
-ACME DNS01 验证字段。如果配置，将禁用其他验证方法。
-
-参阅 [DNS01 验证字段](/configuration/shared/dns01_challenge)。
-
 ### Reality 字段
 
 !!! warning ""

docs/deprecated.md

@@ -1,13 +0,0 @@
-# Deprecated Feature List
-
-The following features will be marked deprecated in 1.5.0 and removed entirely in 1.6.0.
-
-#### ShadowsocksR
-
-ShadowsocksR support has never been enabled by default, since the most commonly used proxy sales panel in the
-illegal industry stopped using this protocol, it does not make sense to continue to maintain it.
-
-#### Proxy Protocol
-
-Proxy Protocol is added by Pull Request, has problems, is only used by the backend of HTTP multiplexers such as nginx,
-is intrusive, and is meaningless for proxy purposes.

docs/installation/clients/sfa.md

@@ -8,7 +8,7 @@ Experimental Android client for sing-box.
 
 #### Download
 
-* [Play Store](https://play.google.com/store/apps/details?id=io.nekohasekai.sfa)
+* [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
 * [Github Releases](https://github.com/SagerNet/sing-box/releases)
 
 #### Note
@@ -16,8 +16,3 @@ Experimental Android client for sing-box.
 * User Agent in remote profile request is `SFA/$version ($version_code; sing-box $sing_box_version)`
 * The working directory is located at `/sdcard/Android/data/io.nekohasekai.sfa/files` (External files directory)
 * Crash logs is located in `$working_directory/stderr.log`
-
-#### Privacy policy
-
-* SFA did not collect or share personal data.
-* The data generated by the software is always on your device.

docs/installation/clients/sfa.zh.md

@@ -16,8 +16,3 @@
 * 远程配置文件请求中的 User Agent 为 `SFA/$version ($version_code; sing-box $sing_box_version)`
 * 工作目录位于 `/sdcard/Android/data/io.nekohasekai.sfa/files` (外部文件目录)
 * 崩溃日志位于 `$working_directory/stderr.log`
-
-#### 隐私政策
-
-* SFA 不收集或共享个人数据。
-* 软件生成的数据始终在您的设备上。

docs/installation/clients/sfi.zh.md

@@ -15,7 +15,7 @@
 #### 注意事项
 
 * 远程配置文件请求中的 User Agent 为 `SFI/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `Settings` -> `View Service Log`
+* 崩溃日志位于 `设置` -> `查看服务日志`
 
 #### 隐私政策
 

docs/installation/clients/sfm.zh.md

@@ -21,7 +21,7 @@
 #### 注意事项
 
 * 远程配置文件请求中的 User Agent 为 `SFM/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `Settings` -> `View Service Log`
+* 崩溃日志位于 `设置` -> `查看服务日志`
 
 #### 隐私政策
 

docs/installation/clients/sft.md

@@ -8,7 +8,6 @@ Experimental Apple tvOS client for sing-box.
 
 #### Download
 
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
 * [TestFlight](https://testflight.apple.com/join/AcqO44FH)
 
 #### Features
@@ -16,7 +15,7 @@ Experimental Apple tvOS client for sing-box.
 Full functionality, except for:
 
 * Only remote configuration files can be created manually
-* You need to update SFI to the latest version to import profiles from iPhone/iPad
+* You need to update SFI to the latest beta version to import profiles from iPhone/iPad
 * No iCloud profile support
 
 #### Note

docs/installation/clients/sft.zh.md

@@ -1,31 +0,0 @@
-# SFI
-
-实验性的 Apple tvOS sing-box 客户端。
-
-#### 要求
-
-* tvOS 17.0+
-* 一个非中国大陆地区的 Apple 账号
-
-#### 下载
-
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
-
-#### 特性
-
-完整的功能，除了：
-
-* 只能手动创建远程配置文件
-* 您需要将 SFI 更新到最新版本才能从 iPhone/iPad 导入配置文件
-* 没有 iCloud 配置文件支持
-
-#### 注意事项
-
-* 远程配置文件请求中的 User Agent 为 `SFT/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `Settings` -> `View Service Log`
-
-#### 隐私政策
-
-* SFT 不收集或共享个人数据。
-* 软件生成的数据始终在您的设备上。

experimental/clashapi/cachefile/cache.go

@@ -1,18 +1,16 @@
 package cachefile
 
 import (
-	"errors"
 	"net/netip"
 	"os"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/sagernet/bbolt"
-	bboltErrors "github.com/sagernet/bbolt/errors"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
+
+	"go.etcd.io/bbolt"
 )
 
 var (
@@ -44,25 +42,13 @@ type CacheFile struct {
 func Open(path string, cacheID string) (*CacheFile, error) {
 	const fileMode = 0o666
 	options := bbolt.Options{Timeout: time.Second}
-	var (
-		db  *bbolt.DB
-		err error
-	)
-	for i := 0; i < 10; i++ {
-		db, err = bbolt.Open(path, fileMode, &options)
-		if err == nil {
+	db, err := bbolt.Open(path, fileMode, &options)
+	switch err {
+	case bbolt.ErrInvalid, bbolt.ErrChecksum, bbolt.ErrVersionMismatch:
+		if err = os.Remove(path); err != nil {
 			break
 		}
-		if errors.Is(err, bboltErrors.ErrTimeout) {
-			continue
-		}
-		if E.IsMulti(err, bboltErrors.ErrInvalid, bboltErrors.ErrChecksum, bboltErrors.ErrVersionMismatch) {
-			rmErr := os.Remove(path)
-			if rmErr != nil {
-				return nil, err
-			}
-		}
-		time.Sleep(100 * time.Millisecond)
+		db, err = bbolt.Open(path, 0o666, &options)
 	}
 	if err != nil {
 		return nil, err

experimental/clashapi/cachefile/fakeip.go

@@ -5,10 +5,11 @@ import (
 	"os"
 	"time"
 
-	"github.com/sagernet/bbolt"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
+
+	"go.etcd.io/bbolt"
 )
 
 const fakeipBucketPrefix = "fakeip_"

experimental/clashapi/server.go

@@ -90,7 +90,7 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 		defaultMode = options.DefaultMode
 	}
 	if !common.Contains(server.modeList, defaultMode) {
-		server.modeList = append([]string{defaultMode}, server.modeList...)
+		server.modeList = append(server.modeList, defaultMode)
 	}
 	server.mode = defaultMode
 	if options.StoreMode || options.StoreSelected || options.StoreFakeIP || options.ExternalController == "" {

experimental/libbox/build_info.go

@@ -1,234 +0,0 @@
-//go:build android
-
-package libbox
-
-import (
-	"archive/zip"
-	"bytes"
-	"debug/buildinfo"
-	"io"
-	"runtime/debug"
-	"strings"
-
-	"github.com/sagernet/sing/common"
-)
-
-const (
-	androidVPNCoreTypeOpenVPN     = "OpenVPN"
-	androidVPNCoreTypeShadowsocks = "Shadowsocks"
-	androidVPNCoreTypeClash       = "Clash"
-	androidVPNCoreTypeV2Ray       = "V2Ray"
-	androidVPNCoreTypeWireGuard   = "WireGuard"
-	androidVPNCoreTypeSingBox     = "sing-box"
-	androidVPNCoreTypeUnknown     = "Unknown"
-)
-
-type AndroidVPNType struct {
-	CoreType  string
-	CorePath  string
-	GoVersion string
-}
-
-func ReadAndroidVPNType(publicSourceDirList StringIterator) (*AndroidVPNType, error) {
-	apkPathList := iteratorToArray[string](publicSourceDirList)
-	var lastError error
-	for _, apkPath := range apkPathList {
-		androidVPNType, err := readAndroidVPNType(apkPath)
-		if androidVPNType == nil {
-			if err != nil {
-				lastError = err
-			}
-			continue
-		}
-		return androidVPNType, nil
-	}
-	return nil, lastError
-}
-
-func readAndroidVPNType(publicSourceDir string) (*AndroidVPNType, error) {
-	reader, err := zip.OpenReader(publicSourceDir)
-	if err != nil {
-		return nil, err
-	}
-	defer reader.Close()
-	var lastError error
-	for _, file := range reader.File {
-		if !strings.HasPrefix(file.Name, "lib/") {
-			continue
-		}
-		vpnType, err := readAndroidVPNTypeEntry(file)
-		if err != nil {
-			lastError = err
-			continue
-		}
-		return vpnType, nil
-	}
-	for _, file := range reader.File {
-		if !strings.HasPrefix(file.Name, "lib/") {
-			continue
-		}
-		if strings.Contains(file.Name, androidVPNCoreTypeOpenVPN) || strings.Contains(file.Name, "ovpn") {
-			return &AndroidVPNType{CoreType: androidVPNCoreTypeOpenVPN}, nil
-		}
-		if strings.Contains(file.Name, androidVPNCoreTypeShadowsocks) {
-			return &AndroidVPNType{CoreType: androidVPNCoreTypeShadowsocks}, nil
-		}
-	}
-	return nil, lastError
-}
-
-func readAndroidVPNTypeEntry(zipFile *zip.File) (*AndroidVPNType, error) {
-	readCloser, err := zipFile.Open()
-	if err != nil {
-		return nil, err
-	}
-	libContent := make([]byte, zipFile.UncompressedSize64)
-	_, err = io.ReadFull(readCloser, libContent)
-	readCloser.Close()
-	if err != nil {
-		return nil, err
-	}
-	buildInfo, err := buildinfo.Read(bytes.NewReader(libContent))
-	if err != nil {
-		return nil, err
-	}
-	var vpnType AndroidVPNType
-	vpnType.GoVersion = buildInfo.GoVersion
-	if !strings.HasPrefix(vpnType.GoVersion, "go") {
-		vpnType.GoVersion = "obfuscated"
-	} else {
-		vpnType.GoVersion = vpnType.GoVersion[2:]
-	}
-	vpnType.CoreType = androidVPNCoreTypeUnknown
-	if len(buildInfo.Deps) == 0 {
-		vpnType.CoreType = "obfuscated"
-		return &vpnType, nil
-	}
-
-	dependencies := make(map[string]bool)
-	dependencies[buildInfo.Path] = true
-	for _, module := range buildInfo.Deps {
-		dependencies[module.Path] = true
-		if module.Replace != nil {
-			dependencies[module.Replace.Path] = true
-		}
-	}
-	for dependency := range dependencies {
-		pkgType, loaded := determinePkgType(dependency)
-		if loaded {
-			vpnType.CoreType = pkgType
-		}
-	}
-	if vpnType.CoreType == androidVPNCoreTypeUnknown {
-		for dependency := range dependencies {
-			pkgType, loaded := determinePkgTypeSecondary(dependency)
-			if loaded {
-				vpnType.CoreType = pkgType
-				return &vpnType, nil
-			}
-		}
-	}
-	if vpnType.CoreType != androidVPNCoreTypeUnknown {
-		vpnType.CorePath, _ = determineCorePath(buildInfo, vpnType.CoreType)
-		return &vpnType, nil
-	}
-	if dependencies["github.com/golang/protobuf"] && dependencies["github.com/v2fly/ss-bloomring"] {
-		vpnType.CoreType = androidVPNCoreTypeV2Ray
-		return &vpnType, nil
-	}
-	return &vpnType, nil
-}
-
-func determinePkgType(pkgName string) (string, bool) {
-	pkgNameLower := strings.ToLower(pkgName)
-	if strings.Contains(pkgNameLower, "clash") {
-		return androidVPNCoreTypeClash, true
-	}
-	if strings.Contains(pkgNameLower, "v2ray") || strings.Contains(pkgNameLower, "xray") {
-		return androidVPNCoreTypeV2Ray, true
-	}
-
-	if strings.Contains(pkgNameLower, "sing-box") {
-		return androidVPNCoreTypeSingBox, true
-	}
-	return "", false
-}
-
-func determinePkgTypeSecondary(pkgName string) (string, bool) {
-	pkgNameLower := strings.ToLower(pkgName)
-	if strings.Contains(pkgNameLower, "wireguard") {
-		return androidVPNCoreTypeWireGuard, true
-	}
-	return "", false
-}
-
-func determineCorePath(pkgInfo *buildinfo.BuildInfo, pkgType string) (string, bool) {
-	switch pkgType {
-	case androidVPNCoreTypeClash:
-		return determineCorePathForPkgs(pkgInfo, []string{"github.com/Dreamacro/clash"}, []string{"clash"})
-	case androidVPNCoreTypeV2Ray:
-		if v2rayVersion, loaded := determineCorePathForPkgs(pkgInfo, []string{
-			"github.com/v2fly/v2ray-core",
-			"github.com/v2fly/v2ray-core/v4",
-			"github.com/v2fly/v2ray-core/v5",
-		}, []string{
-			"v2ray",
-		}); loaded {
-			return v2rayVersion, true
-		}
-		if xrayVersion, loaded := determineCorePathForPkgs(pkgInfo, []string{
-			"github.com/xtls/xray-core",
-		}, []string{
-			"xray",
-		}); loaded {
-			return xrayVersion, true
-		}
-		return "", false
-	case androidVPNCoreTypeSingBox:
-		return determineCorePathForPkgs(pkgInfo, []string{"github.com/sagernet/sing-box"}, []string{"sing-box"})
-	case androidVPNCoreTypeWireGuard:
-		return determineCorePathForPkgs(pkgInfo, []string{"golang.zx2c4.com/wireguard"}, []string{"wireguard"})
-	default:
-		return "", false
-	}
-}
-
-func determineCorePathForPkgs(pkgInfo *buildinfo.BuildInfo, pkgs []string, names []string) (string, bool) {
-	for _, pkg := range pkgs {
-		if pkgInfo.Path == pkg {
-			return pkg, true
-		}
-		strictDependency := common.Find(pkgInfo.Deps, func(module *debug.Module) bool {
-			return module.Path == pkg
-		})
-		if strictDependency != nil {
-			if isValidVersion(strictDependency.Version) {
-				return strictDependency.Path + " " + strictDependency.Version, true
-			} else {
-				return strictDependency.Path, true
-			}
-		}
-	}
-	for _, name := range names {
-		if strings.Contains(pkgInfo.Path, name) {
-			return pkgInfo.Path, true
-		}
-		looseDependency := common.Find(pkgInfo.Deps, func(module *debug.Module) bool {
-			return strings.Contains(module.Path, name) || (module.Replace != nil && strings.Contains(module.Replace.Path, name))
-		})
-		if looseDependency != nil {
-			return looseDependency.Path, true
-		}
-	}
-	return "", false
-}
-
-func isValidVersion(version string) bool {
-	if version == "(devel)" {
-		return false
-	}
-	if strings.Contains(version, "v0.0.0") {
-		return false
-	}
-	return true
-}

experimental/libbox/command.go

@@ -11,6 +11,4 @@ const (
 	CommandGroupExpand
 	CommandClashMode
 	CommandSetClashMode
-	CommandGetSystemProxyStatus
-	CommandSetSystemProxyEnabled
 )

experimental/libbox/command_client.go

@@ -5,7 +5,6 @@ import (
 	"net"
 	"os"
 	"path/filepath"
-	"time"
 
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -25,7 +24,6 @@ type CommandClientOptions struct {
 type CommandClientHandler interface {
 	Connected()
 	Disconnected(message string)
-	ClearLog()
 	WriteLog(message string)
 	WriteStatus(message *StatusMessage)
 	WriteGroups(message OutboundGroupIterator)
@@ -55,24 +53,9 @@ func (c *CommandClient) directConnect() (net.Conn, error) {
 	}
 }
 
-func (c *CommandClient) directConnectWithRetry() (net.Conn, error) {
-	var (
-		conn net.Conn
-		err  error
-	)
-	for i := 0; i < 10; i++ {
-		conn, err = c.directConnect()
-		if err == nil {
-			return conn, nil
-		}
-		time.Sleep(time.Duration(100+i*50) * time.Millisecond)
-	}
-	return nil, err
-}
-
 func (c *CommandClient) Connect() error {
 	common.Close(c.conn)
-	conn, err := c.directConnectWithRetry()
+	conn, err := c.directConnect()
 	if err != nil {
 		return err
 	}

experimental/libbox/command_conntrack.go

@@ -6,7 +6,7 @@ import (
 	runtimeDebug "runtime/debug"
 	"time"
 
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 )
 
 func (c *CommandClient) CloseConnections() error {

experimental/libbox/command_log.go

@@ -23,9 +23,6 @@ func readLog(reader io.Reader) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	if messageLength == 0 {
-		return nil, nil
-	}
 	data := make([]byte, messageLength)
 	_, err = io.ReadFull(reader, data)
 	if err != nil {
@@ -35,24 +32,14 @@ func readLog(reader io.Reader) ([]byte, error) {
 }
 
 func writeLog(writer io.Writer, message []byte) error {
-	err := binary.Write(writer, binary.BigEndian, uint8(0))
+	err := binary.Write(writer, binary.BigEndian, uint16(len(message)))
 	if err != nil {
 		return err
 	}
-	err = binary.Write(writer, binary.BigEndian, uint16(len(message)))
-	if err != nil {
-		return err
-	}
-	if len(message) > 0 {
-		_, err = writer.Write(message)
-	}
+	_, err = writer.Write(message)
 	return err
 }
 
-func writeClearLog(writer io.Writer) error {
-	return binary.Write(writer, binary.BigEndian, uint8(1))
-}
-
 func (s *CommandServer) handleLogConn(conn net.Conn) error {
 	var savedLines []string
 	s.access.Lock()
@@ -82,11 +69,6 @@ func (s *CommandServer) handleLogConn(conn net.Conn) error {
 			if err != nil {
 				return err
 			}
-		case <-s.logReset:
-			err = writeClearLog(conn)
-			if err != nil {
-				return err
-			}
 		case <-done:
 			return nil
 		}
@@ -95,24 +77,12 @@ func (s *CommandServer) handleLogConn(conn net.Conn) error {
 
 func (c *CommandClient) handleLogConn(conn net.Conn) {
 	for {
-		var messageType uint8
-		err := binary.Read(conn, binary.BigEndian, &messageType)
+		message, err := readLog(conn)
 		if err != nil {
 			c.handler.Disconnected(err.Error())
 			return
 		}
-		var message []byte
-		switch messageType {
-		case 0:
-			message, err = readLog(conn)
-			if err != nil {
-				c.handler.Disconnected(err.Error())
-				return
-			}
-			c.handler.WriteLog(string(message))
-		case 1:
-			c.handler.ClearLog()
-		}
+		c.handler.WriteLog(string(message))
 	}
 }
 

experimental/libbox/command_server.go

@@ -23,32 +23,28 @@ type CommandServer struct {
 	handler  CommandServerHandler
 
 	access     sync.Mutex
-	savedLines list.List[string]
+	savedLines *list.List[string]
 	maxLines   int
 	subscriber *observable.Subscriber[string]
 	observer   *observable.Observer[string]
 	service    *BoxService
 
-	// These channels only work with a single client. if multi-client support is needed, replace with Subscriber/Observer
 	urlTestUpdate chan struct{}
 	modeUpdate    chan struct{}
-	logReset      chan struct{}
 }
 
 type CommandServerHandler interface {
 	ServiceReload() error
-	GetSystemProxyStatus() *SystemProxyStatus
-	SetSystemProxyEnabled(isEnabled bool) error
 }
 
 func NewCommandServer(handler CommandServerHandler, maxLines int32) *CommandServer {
 	server := &CommandServer{
 		handler:       handler,
+		savedLines:    new(list.List[string]),
 		maxLines:      int(maxLines),
 		subscriber:    observable.NewSubscriber[string](128),
 		urlTestUpdate: make(chan struct{}, 1),
 		modeUpdate:    make(chan struct{}, 1),
-		logReset:      make(chan struct{}, 1),
 	}
 	server.observer = observable.NewObserver[string](server.subscriber, 64)
 	return server
@@ -58,11 +54,6 @@ func (s *CommandServer) SetService(newService *BoxService) {
 	if newService != nil {
 		service.PtrFromContext[urltest.HistoryStorage](newService.ctx).SetHook(s.urlTestUpdate)
 		newService.instance.Router().ClashServer().(*clashapi.Server).SetModeUpdateHook(s.modeUpdate)
-		s.savedLines.Init()
-		select {
-		case s.logReset <- struct{}{}:
-		default:
-		}
 	}
 	s.service = newService
 	s.notifyURLTestUpdate()
@@ -168,10 +159,6 @@ func (s *CommandServer) handleConnection(conn net.Conn) error {
 		return s.handleModeConn(conn)
 	case CommandSetClashMode:
 		return s.handleSetClashMode(conn)
-	case CommandGetSystemProxyStatus:
-		return s.handleGetSystemProxyStatus(conn)
-	case CommandSetSystemProxyEnabled:
-		return s.handleSetSystemProxyEnabled(conn)
 	default:
 		return E.New("unknown command: ", command)
 	}

experimental/libbox/command_status.go

@@ -6,15 +6,13 @@ import (
 	"runtime"
 	"time"
 
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/memory"
 )
 
 type StatusMessage struct {
 	Memory           int64
-	MemoryInuse      int64
 	Goroutines       int32
 	ConnectionsIn    int32
 	ConnectionsOut   int32
@@ -26,8 +24,10 @@ type StatusMessage struct {
 }
 
 func (s *CommandServer) readStatus() StatusMessage {
+	var memStats runtime.MemStats
+	runtime.ReadMemStats(&memStats)
 	var message StatusMessage
-	message.Memory = int64(memory.Inuse())
+	message.Memory = int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
 	message.Goroutines = int32(runtime.NumGoroutine())
 	message.ConnectionsOut = int32(conntrack.Count())
 

experimental/libbox/command_system_proxy.go

@@ -1,82 +0,0 @@
-package libbox
-
-import (
-	"encoding/binary"
-	"net"
-)
-
-type SystemProxyStatus struct {
-	Available bool
-	Enabled   bool
-}
-
-func (c *CommandClient) GetSystemProxyStatus() (*SystemProxyStatus, error) {
-	conn, err := c.directConnectWithRetry()
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	err = binary.Write(conn, binary.BigEndian, uint8(CommandGetSystemProxyStatus))
-	if err != nil {
-		return nil, err
-	}
-	var status SystemProxyStatus
-	err = binary.Read(conn, binary.BigEndian, &status.Available)
-	if err != nil {
-		return nil, err
-	}
-	if status.Available {
-		err = binary.Read(conn, binary.BigEndian, &status.Enabled)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return &status, nil
-}
-
-func (s *CommandServer) handleGetSystemProxyStatus(conn net.Conn) error {
-	defer conn.Close()
-	status := s.handler.GetSystemProxyStatus()
-	err := binary.Write(conn, binary.BigEndian, status.Available)
-	if err != nil {
-		return err
-	}
-	if status.Available {
-		err = binary.Write(conn, binary.BigEndian, status.Enabled)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (c *CommandClient) SetSystemProxyEnabled(isEnabled bool) error {
-	conn, err := c.directConnect()
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-	err = binary.Write(conn, binary.BigEndian, uint8(CommandSetSystemProxyEnabled))
-	if err != nil {
-		return err
-	}
-	err = binary.Write(conn, binary.BigEndian, isEnabled)
-	if err != nil {
-		return err
-	}
-	return readError(conn)
-}
-
-func (s *CommandServer) handleSetSystemProxyEnabled(conn net.Conn) error {
-	defer conn.Close()
-	var isEnabled bool
-	err := binary.Read(conn, binary.BigEndian, &isEnabled)
-	if err != nil {
-		return err
-	}
-	err = s.handler.SetSystemProxyEnabled(isEnabled)
-	if err != nil {
-		return writeError(conn, err)
-	}
-	return writeError(conn, nil)
-}

experimental/libbox/http.go

@@ -17,8 +17,8 @@ import (
 	"os"
 	"strconv"
 	"sync"
-	"time"
 
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -69,7 +69,7 @@ type httpClient struct {
 
 func NewHTTPClient() HTTPClient {
 	client := new(httpClient)
-	client.client.Timeout = 15 * time.Second
+	client.client.Timeout = C.TCPTimeout
 	client.client.Transport = &client.transport
 	client.transport.TLSClientConfig = &client.tls
 	client.transport.DisableKeepAlives = true
@@ -151,9 +151,6 @@ type httpRequest struct {
 
 func (r *httpRequest) SetURL(link string) (err error) {
 	r.request.URL, err = url.Parse(link)
-	if err != nil {
-		return
-	}
 	if r.request.URL.User != nil {
 		user := r.request.URL.User.Username()
 		password, _ := r.request.URL.User.Password()

experimental/libbox/log.go

@@ -4,7 +4,6 @@ package libbox
 
 import (
 	"os"
-	"runtime"
 
 	"golang.org/x/sys/unix"
 )
@@ -19,14 +18,12 @@ func RedirectStderr(path string) error {
 	if err != nil {
 		return err
 	}
-	if runtime.GOOS != "android" {
-		if sUserID > 0 {
-			err = outputFile.Chown(sUserID, sGroupID)
-			if err != nil {
-				outputFile.Close()
-				os.Remove(outputFile.Name())
-				return err
-			}
+	if sUserID > 0 {
+		err = outputFile.Chown(sUserID, sGroupID)
+		if err != nil {
+			outputFile.Close()
+			os.Remove(outputFile.Name())
+			return err
 		}
 	}
 	err = unix.Dup2(int(outputFile.Fd()), int(os.Stderr.Fd()))

experimental/libbox/memory.go

@@ -4,15 +4,14 @@ import (
 	"math"
 	runtimeDebug "runtime/debug"
 
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 )
 
 func SetMemoryLimit(enabled bool) {
-	const memoryLimit = 45 * 1024 * 1024
-	const memoryLimitGo = memoryLimit / 1.5
+	const memoryLimit = 30 * 1024 * 1024
 	if enabled {
 		runtimeDebug.SetGCPercent(10)
-		runtimeDebug.SetMemoryLimit(memoryLimitGo)
+		runtimeDebug.SetMemoryLimit(memoryLimit)
 		conntrack.KillerEnabled = true
 		conntrack.MemoryLimit = memoryLimit
 	} else {

experimental/libbox/monitor.go

@@ -65,17 +65,6 @@ func (m *platformDefaultInterfaceMonitor) DefaultInterfaceIndex(destination neti
 	return m.defaultInterfaceIndex
 }
 
-func (m *platformDefaultInterfaceMonitor) DefaultInterface(destination netip.Addr) (string, int) {
-	for _, address := range m.networkAddresses {
-		for _, prefix := range address.addresses {
-			if prefix.Contains(destination) {
-				return address.interfaceName, address.interfaceIndex
-			}
-		}
-	}
-	return m.defaultInterfaceName, m.defaultInterfaceIndex
-}
-
 func (m *platformDefaultInterfaceMonitor) OverrideAndroidVPN() bool {
 	return false
 }

experimental/libbox/profile_import.go

@@ -163,29 +163,25 @@ func DecodeProfileContentRequest(data []byte) (*ProfileContentRequest, error) {
 }
 
 type ProfileContent struct {
-	Name               string
-	Type               int32
-	Config             string
-	RemotePath         string
-	AutoUpdate         bool
-	AutoUpdateInterval int32
-	LastUpdated        int64
+	Name        string
+	Type        int32
+	Config      string
+	RemotePath  string
+	AutoUpdate  bool
+	LastUpdated int64
 }
 
 func (c *ProfileContent) Encode() []byte {
 	buffer := new(bytes.Buffer)
 	buffer.WriteByte(MessageTypeProfileContent)
-	buffer.WriteByte(1)
+	buffer.WriteByte(0)
 	writer := gzip.NewWriter(buffer)
 	rw.WriteVString(writer, c.Name)
 	binary.Write(writer, binary.BigEndian, c.Type)
 	rw.WriteVString(writer, c.Config)
 	if c.Type != ProfileTypeLocal {
 		rw.WriteVString(writer, c.RemotePath)
-	}
-	if c.Type == ProfileTypeRemote {
 		binary.Write(writer, binary.BigEndian, c.AutoUpdate)
-		binary.Write(writer, binary.BigEndian, c.AutoUpdateInterval)
 		binary.Write(writer, binary.BigEndian, c.LastUpdated)
 	}
 	writer.Flush()
@@ -206,8 +202,12 @@ func DecodeProfileContent(data []byte) (*ProfileContent, error) {
 	if err != nil {
 		return nil, err
 	}
-	reader, err = gzip.NewReader(reader)
-	if err != nil {
+	if version == 0 {
+		reader, err = gzip.NewReader(reader)
+		if err != nil {
+			return nil, E.Cause(err, "unsupported profile")
+		}
+	} else {
 		return nil, E.Cause(err, "unsupported profile")
 	}
 	var content ProfileContent
@@ -228,18 +228,10 @@ func DecodeProfileContent(data []byte) (*ProfileContent, error) {
 		if err != nil {
 			return nil, err
 		}
-	}
-	if content.Type == ProfileTypeRemote || (version == 0 && content.Type != ProfileTypeLocal) {
 		err = binary.Read(reader, binary.BigEndian, &content.AutoUpdate)
 		if err != nil {
 			return nil, err
 		}
-		if version >= 1 {
-			err = binary.Read(reader, binary.BigEndian, &content.AutoUpdateInterval)
-			if err != nil {
-				return nil, err
-			}
-		}
 		err = binary.Read(reader, binary.BigEndian, &content.LastUpdated)
 		if err != nil {
 			return nil, err

experimental/libbox/service.go

@@ -80,7 +80,6 @@ func (s *BoxService) Sleep() {
 
 func (s *BoxService) Wake() {
 	s.pauseManager.DeviceWake()
-	_ = s.instance.Router().ResetNetwork()
 }
 
 var _ platform.Interface = (*platformInterfaceWrapper)(nil)

experimental/libbox/setup.go

@@ -5,8 +5,9 @@ import (
 	"os/user"
 	"strconv"
 
-	"github.com/sagernet/sing-box/common/humanize"
 	C "github.com/sagernet/sing-box/constant"
+
+	"github.com/dustin/go-humanize"
 )
 
 var (
@@ -45,11 +46,7 @@ func Version() string {
 }
 
 func FormatBytes(length int64) string {
-	return humanize.Bytes(uint64(length))
-}
-
-func FormatMemoryBytes(length int64) string {
-	return humanize.MemoryBytes(uint64(length))
+	return humanize.IBytes(uint64(length))
 }
 
 func ProxyDisplayType(proxyType string) string {

go.mod

@@ -4,51 +4,52 @@ go 1.20
 
 require (
 	berty.tech/go-libtor v1.0.385
+	github.com/Dreamacro/clash v1.17.0
 	github.com/caddyserver/certmagic v0.19.2
-	github.com/cloudflare/circl v1.3.6
+	github.com/cloudflare/circl v1.3.3
 	github.com/cretz/bine v0.2.0
-	github.com/fsnotify/fsnotify v1.7.0
+	github.com/dustin/go-humanize v1.0.1
+	github.com/fsnotify/fsnotify v1.6.0
 	github.com/go-chi/chi/v5 v5.0.10
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
 	github.com/gofrs/uuid/v5 v5.0.0
-	github.com/insomniacslk/dhcp v0.0.0-20231016090811-6a2c8fbdcc1c
-	github.com/libdns/alidns v1.0.3
-	github.com/libdns/cloudflare v0.1.0
+	github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/mholt/acmez v1.2.0
-	github.com/miekg/dns v1.1.56
+	github.com/miekg/dns v1.1.55
 	github.com/ooni/go-libtor v1.1.8
 	github.com/oschwald/maxminddb-golang v1.12.0
-	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
+	github.com/pires/go-proxyproto v0.7.0
 	github.com/sagernet/cloudflare-tls v0.0.0-20230829051644-4a68352d0c4a
-	github.com/sagernet/gomobile v0.0.0-20230915142329-c6740b6d2950
-	github.com/sagernet/gvisor v0.0.0-20230930141345-5fef6f2e17ab
-	github.com/sagernet/quic-go v0.0.0-20231008035953-32727fef9460
+	github.com/sagernet/gomobile v0.0.0-20230728014906-3de089147f59
+	github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2
+	github.com/sagernet/quic-go v0.0.0-20230831052420-45809eee2e86
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.2.17
-	github.com/sagernet/sing-dns v0.1.10
-	github.com/sagernet/sing-mux v0.1.4
-	github.com/sagernet/sing-quic v0.1.3
-	github.com/sagernet/sing-shadowsocks v0.2.5
-	github.com/sagernet/sing-shadowsocks2 v0.1.4
+	github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c
+	github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1
+	github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8
+	github.com/sagernet/sing-shadowsocks v0.2.4
+	github.com/sagernet/sing-shadowsocks2 v0.1.3
 	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/sing-tun v0.1.19
-	github.com/sagernet/sing-vmess v0.1.8
+	github.com/sagernet/sing-tun v0.1.12-0.20230821065522-7545dc2d5641
+	github.com/sagernet/sing-vmess v0.1.7
 	github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37
 	github.com/sagernet/tfo-go v0.0.0-20230816093905-5a5c285d44a6
 	github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2
 	github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e
 	github.com/sagernet/wireguard-go v0.0.0-20230807125731-5d4a7ef2dc5f
-	github.com/spf13/cobra v1.8.0
+	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
-	go.uber.org/zap v1.26.0
+	go.etcd.io/bbolt v1.3.7
+	go.uber.org/zap v1.25.0
 	go4.org/netipx v0.0.0-20230824141953-6213f710f925
-	golang.org/x/crypto v0.15.0
-	golang.org/x/net v0.18.0
-	golang.org/x/sys v0.14.0
+	golang.org/x/crypto v0.12.0
+	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
+	golang.org/x/net v0.14.0
+	golang.org/x/sys v0.11.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
-	google.golang.org/grpc v1.59.0
+	google.golang.org/grpc v1.57.0
 	google.golang.org/protobuf v1.31.0
 	howett.net/plist v1.0.0
 )
@@ -56,6 +57,7 @@ require (
 //replace github.com/sagernet/sing => ../sing
 
 require (
+	github.com/Dreamacro/protobytes v0.0.0-20230617041236-6500a9f4f158 // indirect
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -75,7 +77,7 @@ require (
 	github.com/pierrec/lz4/v4 v4.1.14 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.3.4 // indirect
+	github.com/quic-go/qtls-go1-20 v0.3.3 // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
 	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 // indirect
@@ -84,12 +86,11 @@ require (
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
-	golang.org/x/mod v0.13.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/mod v0.12.0 // indirect
+	golang.org/x/text v0.12.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.14.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
+	golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.2.1 // indirect

go.sum

@@ -1,25 +1,32 @@
 berty.tech/go-libtor v1.0.385 h1:RWK94C3hZj6Z2GdvePpHJLnWYobFr3bY/OdUJ5aoEXw=
 berty.tech/go-libtor v1.0.385/go.mod h1:9swOOQVb+kmvuAlsgWUK/4c52pm69AdbJsxLzk+fJEw=
+github.com/Dreamacro/clash v1.17.0 h1:LWtp6KcnrCiujY58ufI8pylI+hbCBgSCsLI90EWhpi4=
+github.com/Dreamacro/clash v1.17.0/go.mod h1:PtcAft7sdsK325BD6uwm8wvhOkMV3TCeED6dfZ/lnfE=
+github.com/Dreamacro/protobytes v0.0.0-20230617041236-6500a9f4f158 h1:JFnwKplz9hj8ubqYjm8HkgZS1Rvz9yW+u/XCNNTxr0k=
+github.com/Dreamacro/protobytes v0.0.0-20230617041236-6500a9f4f158/go.mod h1:QvmEZ/h6KXszPOr2wUFl7Zn3hfFNYdfbXwPVDTyZs6k=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
 github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
 github.com/caddyserver/certmagic v0.19.2 h1:HZd1AKLx4592MalEGQS39DKs2ZOAJCEM/xYPMQ2/ui0=
 github.com/caddyserver/certmagic v0.19.2/go.mod h1:fsL01NomQ6N+kE2j37ZCnig2MFosG+MIO4ztnmG/zz8=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cloudflare/circl v1.3.6 h1:/xbKIqSHbZXHwkhbrhrt2YOHIwYJlXH94E3tI/gDlUg=
-github.com/cloudflare/circl v1.3.6/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
-github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cretz/bine v0.1.0/go.mod h1:6PF6fWAvYtwjRGkAuDEJeWNOv3a2hUouSP/yRYXmvHw=
 github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
 github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
@@ -47,8 +54,8 @@ github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbg
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20231016090811-6a2c8fbdcc1c h1:PgxFEySCI41sH0mB7/2XswdXbUykQsRUGod8Rn+NubM=
-github.com/insomniacslk/dhcp v0.0.0-20231016090811-6a2c8fbdcc1c/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
+github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d h1:Ka64cclWedOkGzm9M2/XYuwJUdmWRUozmsxW0PyKA3A=
+github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d/go.mod h1:7474bZ1YNCvarT6WFKie4kEET6J0KYRDC4XJqqXzQW4=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
@@ -61,19 +68,14 @@ github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZY
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/libdns/alidns v1.0.3 h1:LFHuGnbseq5+HCeGa1aW8awyX/4M2psB9962fdD2+yQ=
-github.com/libdns/alidns v1.0.3/go.mod h1:e18uAG6GanfRhcJj6/tps2rCMzQJaYVcGKT+ELjdjGE=
-github.com/libdns/cloudflare v0.1.0 h1:93WkJaGaiXCe353LHEP36kAWCUw0YjFqwhkBkU2/iic=
-github.com/libdns/cloudflare v0.1.0/go.mod h1:a44IP6J1YH6nvcNl1PverfJviADgXUnsozR3a7vBKN8=
-github.com/libdns/libdns v0.2.0/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
 github.com/libdns/libdns v0.2.1 h1:Wu59T7wSHRgtA0cfxC+n1c/e+O3upJGWytknkmFEDis=
 github.com/libdns/libdns v0.2.1/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
 github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
-github.com/miekg/dns v1.1.56 h1:5imZaSeoRNvpM9SzWNhEcP9QliKiz20/dA2QabIGVnE=
-github.com/miekg/dns v1.1.56/go.mod h1:cRm6Oo2C8TY9ZS/TqsSrseAcncm74lfK5G+ikN2SWWY=
+github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
+github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
@@ -85,49 +87,47 @@ github.com/oschwald/maxminddb-golang v1.12.0 h1:9FnTOD0YOhP7DGxGsq4glzpGy5+w7pq5
 github.com/oschwald/maxminddb-golang v1.12.0/go.mod h1:q0Nob5lTCqyQ8WT6FYgS1L7PXKVVbgiymefNwIjPzgY=
 github.com/pierrec/lz4/v4 v4.1.14 h1:+fL8AQEZtz/ijeNnpduH0bROTu0O3NZAlPjQxGn8LwE=
 github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs=
+github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/qtls-go1-20 v0.3.4 h1:MfFAPULvst4yoMgY9QmtpYmfij/em7O8UUi+bNVm7Cg=
-github.com/quic-go/qtls-go1-20 v0.3.4/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
+github.com/quic-go/qtls-go1-20 v0.3.3 h1:17/glZSLI9P9fDAeyCHBFSWSqJcwx1byhLwP5eUIDCM=
+github.com/quic-go/qtls-go1-20 v0.3.3/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkkD2QgdTuzQG263YZ+2emfpeyGqW0=
-github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cloudflare-tls v0.0.0-20230829051644-4a68352d0c4a h1:wZHruBxZCsQLXHAozWpnJBL3wJ/XufDpz0qKtgpSnA4=
 github.com/sagernet/cloudflare-tls v0.0.0-20230829051644-4a68352d0c4a/go.mod h1:dNV1ZP9y3qx5ltULeKaQZTZWTLHflgW5DES+Ses7cMI=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
-github.com/sagernet/gomobile v0.0.0-20230915142329-c6740b6d2950 h1:hUz/2mJLgi7l2H36JGpDY+jou9FmI6kAm0ZkU+xPpgE=
-github.com/sagernet/gomobile v0.0.0-20230915142329-c6740b6d2950/go.mod h1:5YE39YkJkCcMsfq1jMKkjsrM2GfBoF9JVWnvU89hmvU=
-github.com/sagernet/gvisor v0.0.0-20230930141345-5fef6f2e17ab h1:u+xQoi/Yc6bNUvTfrDD6HhGRybn2lzrhf5vmS+wb4Ho=
-github.com/sagernet/gvisor v0.0.0-20230930141345-5fef6f2e17ab/go.mod h1:3akUhSHSVtLuJaYcW5JPepUraBOW06Ibz2HKwaK5rOk=
+github.com/sagernet/gomobile v0.0.0-20230728014906-3de089147f59 h1:vN4divY6LYHcYmiTsCHNPmGZtEsEKJzh81LyvgAQfEQ=
+github.com/sagernet/gomobile v0.0.0-20230728014906-3de089147f59/go.mod h1:5YE39YkJkCcMsfq1jMKkjsrM2GfBoF9JVWnvU89hmvU=
+github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2 h1:dnkKrzapqtAwjTSWt6hdPrARORfoYvuUczynvRLrueo=
+github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2/go.mod h1:1JUiV7nGuf++YFm9eWZ8q2lrwHmhcUGzptMl/vL1+LA=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.0.0-20231008035953-32727fef9460 h1:dAe4OIJAtE0nHOzTHhAReQteh3+sa63rvXbuIpbeOTY=
-github.com/sagernet/quic-go v0.0.0-20231008035953-32727fef9460/go.mod h1:uJGpmJCOcMQqMlHKc3P1Vz6uygmpz4bPeVIoOhdVQnM=
+github.com/sagernet/quic-go v0.0.0-20230831052420-45809eee2e86 h1:g4TEg9inAtA1FDTXpNrvmx72nN5mTOLQrJce6fVxF9g=
+github.com/sagernet/quic-go v0.0.0-20230831052420-45809eee2e86/go.mod h1:O4Cj7TmMOvqD6S0XMqJRZfcYzA3m0H0ARbbaJFB0p7A=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
-github.com/sagernet/sing v0.2.17 h1:vMPKb3MV0Aa5ws4dCJkRI8XEjrsUcDn810czd0FwmzI=
-github.com/sagernet/sing v0.2.17/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing-dns v0.1.10 h1:iIU7nRBlUYj+fF2TaktGIvRiTFFrHwSMedLQsvlTZCI=
-github.com/sagernet/sing-dns v0.1.10/go.mod h1:vtUimtf7Nq9EdvD5WTpfCr69KL1M7bcgOVKiYBiAY/c=
-github.com/sagernet/sing-mux v0.1.4 h1:BPNPOQr6HkXG3iY/BrfvUKUl+A7gYsGKVSxvoR3PO50=
-github.com/sagernet/sing-mux v0.1.4/go.mod h1:dKvcu/sb3fZ88uGv9vzAqUej6J4W+pHu5GqjRuFwAWs=
-github.com/sagernet/sing-quic v0.1.3 h1:YfSPGQdlE6YspjPSlQJaVH333leFiYQM8JX7TumsWQs=
-github.com/sagernet/sing-quic v0.1.3/go.mod h1:wvGU7MYih+cpJV2VrrpSGyjZIFSmUyqzawzmDyqeWJA=
-github.com/sagernet/sing-shadowsocks v0.2.5 h1:qxIttos4xu6ii7MTVJYA8EFQR7Q3KG6xMqmLJIFtBaY=
-github.com/sagernet/sing-shadowsocks v0.2.5/go.mod h1:MGWGkcU2xW2G2mfArT9/QqpVLOGU+dBaahZCtPHdt7A=
-github.com/sagernet/sing-shadowsocks2 v0.1.4 h1:vht2M8t3m5DTgXR2j24KbYOygG5aOp+MUhpQnAux728=
-github.com/sagernet/sing-shadowsocks2 v0.1.4/go.mod h1:Mgdee99NxxNd5Zld3ixIs18yVs4x2dI2VTDDE1N14Wc=
+github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c h1:J2ptRncTNy+ZHfcFYSBfTmpvmgNlSEUZz6sDjh1np/Y=
+github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
+github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1 h1:5w+jXz8y/8UQAxO74TjftN5okYkpg5mGvVxXunlKdqI=
+github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1/go.mod h1:Kg98PBJEg/08jsNFtmZWmPomhskn9Ausn50ecNm4M+8=
+github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8 h1:UyUkEUEGqfIGqzOJ7OuJry4slgcT/qb0etDJ+89LTAs=
+github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8/go.mod h1:TKxqIvfQQgd36jp2tzsPavGjYTVZilV+atip1cssjIY=
+github.com/sagernet/sing-shadowsocks v0.2.4 h1:s/CqXlvFAZhlIoHWUwPw5CoNnQ9Ibki9pckjuugtVfY=
+github.com/sagernet/sing-shadowsocks v0.2.4/go.mod h1:80fNKP0wnqlu85GZXV1H1vDPC/2t+dQbFggOw4XuFUM=
+github.com/sagernet/sing-shadowsocks2 v0.1.3 h1:WXoLvCFi5JTFBRYorf1YePGYIQyJ/zbsBM6Fwbl5kGA=
+github.com/sagernet/sing-shadowsocks2 v0.1.3/go.mod h1:DOhJc/cLeqRv0wuePrQso+iUmDxOnWF4eT/oMcRzYFw=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
-github.com/sagernet/sing-tun v0.1.19 h1:Xp69PWltr0Ga8GFhVusQEV4rx7XUMlqSV/FZnJcWF/k=
-github.com/sagernet/sing-tun v0.1.19/go.mod h1:YA4MqRgYbO+igD07xt5WyRLjmwcXD5oRFy2itQbUVK0=
-github.com/sagernet/sing-vmess v0.1.8 h1:XVWad1RpTy9b5tPxdm5MCU8cGfrTGdR8qCq6HV2aCNc=
-github.com/sagernet/sing-vmess v0.1.8/go.mod h1:vhx32UNzTDUkNwOyIjcZQohre1CaytquC5mPplId8uA=
+github.com/sagernet/sing-tun v0.1.12-0.20230821065522-7545dc2d5641 h1:a8lktNrCWZJisB+nPraW+qB73ZofgPtGmlfqNYcO79g=
+github.com/sagernet/sing-tun v0.1.12-0.20230821065522-7545dc2d5641/go.mod h1:+YImslQMLgMQcVgZZ9IK4ue1o/605VSU90amHUcp4hA=
+github.com/sagernet/sing-vmess v0.1.7 h1:TM8FFLsXmlXH9XT8/oDgc6PC5BOzrg6OzyEe01is2r4=
+github.com/sagernet/sing-vmess v0.1.7/go.mod h1:1qkC1L1T2sxnS/NuO6HU72S8TkltV+EXoKGR29m/Yss=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 h1:HuE6xSwco/Xed8ajZ+coeYLmioq0Qp1/Z2zczFaV8as=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37/go.mod h1:3skNSftZDJWTGVtVaM2jfbce8qHnmH/AGDRe62iNOg0=
 github.com/sagernet/tfo-go v0.0.0-20230816093905-5a5c285d44a6 h1:Px+hN4Vzgx+iCGVnWH5A8eR7JhNnIV3rGQmBxA7cw6Q=
@@ -140,8 +140,8 @@ github.com/sagernet/wireguard-go v0.0.0-20230807125731-5d4a7ef2dc5f h1:Kvo8w8Y9l
 github.com/sagernet/wireguard-go v0.0.0-20230807125731-5d4a7ef2dc5f/go.mod h1:mySs0abhpc/gLlvhoq7HP1RzOaRmIXVeZGCh++zoApk=
 github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 h1:rc/CcqLH3lh8n+csdOuDfP+NuykE0U6AeYSJJHKDgSg=
 github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9/go.mod h1:a/83NAfUXvEuLpmxDssAXxgUgrEy12MId3Wd7OTs76s=
-github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
-github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
+github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -160,26 +160,28 @@ github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
 github.com/zeebo/blake3 v0.2.3/go.mod h1:mjJjZpnsyIVtVgTOSpJ9vmRE4wgDeyt2HU3qXvvKCaQ=
 github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
+go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
+go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
 go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
-go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
+go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c=
+go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk=
 go4.org/netipx v0.0.0-20230824141953-6213f710f925 h1:eeQDDVKFkx0g4Hyy8pHgmZaK0EqB4SD6rvKbUdN3ziQ=
 go4.org/netipx v0.0.0-20230824141953-6213f710f925/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
-golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
-golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
-golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ=
+golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
-golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
-golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
+golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
+golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -187,28 +189,29 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8=
+golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
+golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
-golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
+golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 h1:Vve/L0v7CXXuxUmaMGIEK/dEeq7uiqb5qBgQrZzIE7E=
+golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M=
-google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
-google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
+google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw=
+google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=

inbound/default.go

@@ -33,8 +33,8 @@ type myInboundAdapter struct {
 
 	// http mixed
 
-	setSystemProxy bool
-	systemProxy    settings.SystemProxy
+	setSystemProxy   bool
+	clearSystemProxy func() error
 
 	// internal
 
@@ -91,24 +91,10 @@ func (a *myInboundAdapter) Start() error {
 		}
 	}
 	if a.setSystemProxy {
-		listenPort := M.SocksaddrFromNet(a.tcpListener.Addr()).Port
-		var listenAddrString string
-		listenAddr := a.listenOptions.Listen.Build()
-		if listenAddr.IsUnspecified() {
-			listenAddrString = "127.0.0.1"
-		} else {
-			listenAddrString = listenAddr.String()
-		}
-		var systemProxy settings.SystemProxy
-		systemProxy, err = settings.NewSystemProxy(a.ctx, M.ParseSocksaddrHostPort(listenAddrString, listenPort), a.protocol == C.TypeMixed)
-		if err != nil {
-			return E.Cause(err, "initialize system proxy")
-		}
-		err = systemProxy.Enable()
+		a.clearSystemProxy, err = settings.SetSystemProxy(a.router, M.SocksaddrFromNet(a.tcpListener.Addr()).Port, a.protocol == C.TypeMixed)
 		if err != nil {
 			return E.Cause(err, "set system proxy")
 		}
-		a.systemProxy = systemProxy
 	}
 	return nil
 }
@@ -116,8 +102,8 @@ func (a *myInboundAdapter) Start() error {
 func (a *myInboundAdapter) Close() error {
 	a.inShutdown.Store(true)
 	var err error
-	if a.systemProxy != nil && a.systemProxy.IsEnabled() {
-		err = a.systemProxy.Disable()
+	if a.clearSystemProxy != nil {
+		err = a.clearSystemProxy()
 	}
 	return E.Errors(err, common.Close(
 		a.tcpListener,