documentation: Bump version

Update gVisor to 20231113.0

adapter/experimental.go

@@ -43,7 +43,7 @@ type OutboundGroup interface {
 
 type URLTestGroup interface {
 	OutboundGroup
-	URLTest(ctx context.Context, url string) (map[string]uint16, error)
+	URLTest(ctx context.Context) (map[string]uint16, error)
 }
 
 func OutboundTag(detour Outbound) string {

adapter/router.go

@@ -15,6 +15,7 @@ import (
 
 type Router interface {
 	Service
+	PostStarter
 
 	Outbounds() []Outbound
 	Outbound(tag string) (Outbound, bool)

box.go

@@ -258,7 +258,7 @@ func (s *Box) start() error {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
-	return nil
+	return s.postStart()
 }
 
 func (s *Box) postStart() error {
@@ -269,16 +269,17 @@ func (s *Box) postStart() error {
 			return E.Cause(err, "start ", serviceName)
 		}
 	}
-	for serviceName, service := range s.outbounds {
-		if lateService, isLateService := service.(adapter.PostStarter); isLateService {
-			s.logger.Trace("post-starting ", service)
-			err := lateService.PostStart()
+	for _, outbound := range s.outbounds {
+		if lateOutbound, isLateOutbound := outbound.(adapter.PostStarter); isLateOutbound {
+			s.logger.Trace("post-starting outbound/", outbound.Tag())
+			err := lateOutbound.PostStart()
 			if err != nil {
-				return E.Cause(err, "post-start ", serviceName)
+				return E.Cause(err, "post-start outbound/", outbound.Tag())
 			}
 		}
 	}
-	return nil
+	s.logger.Trace("post-starting router")
+	return s.router.PostStart()
 }
 
 func (s *Box) Close() error {

common/dialer/detour.go

@@ -6,7 +6,6 @@ import (
 	"sync"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing/common/bufio/deadline"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -45,14 +44,7 @@ func (d *DetourDialer) DialContext(ctx context.Context, network string, destinat
 	if err != nil {
 		return nil, err
 	}
-	conn, err := dialer.DialContext(ctx, network, destination)
-	if err != nil {
-		return nil, err
-	}
-	if deadline.NeedAdditionalReadDeadline(conn) {
-		conn = deadline.NewConn(conn)
-	}
-	return conn, nil
+	return dialer.DialContext(ctx, network, destination)
 }
 
 func (d *DetourDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {

docs/changelog.md

@@ -4,6 +4,65 @@ icon: material/alert-decagram
 
 # ChangeLog
 
+#### 1.7.2
+
+* Fixes and improvements
+
+#### 1.7.1
+
+* Fixes and improvements
+
+#### 1.7.0
+
+* Fixes and improvements
+
+Important changes since 1.6:
+
+* Add [exclude route support](/configuration/inbound/tun) for TUN inbound
+* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen) **1**
+* Add [HTTPUpgrade V2Ray transport](/configuration/shared/v2ray-transport#HTTPUpgrade) support **2**
+* Migrate multiplex and UoT server to inbound **3**
+* Add TCP Brutal support for multiplex **4**
+* Add `wifi_ssid` and `wifi_bssid` route and DNS rules **5**
+* Update quic-go to v0.40.0
+* Update gVisor to 20231113.0
+
+**1**:
+
+If enabled, for UDP proxy requests addressed to a domain,
+the original packet address will be sent in the response instead of the mapped domain.
+
+This option is used for compatibility with clients that
+do not support receiving UDP packets with domain addresses, such as Surge.
+
+**2**:
+
+Introduced in V2Ray 5.10.0.
+
+The new HTTPUpgrade transport has better performance than WebSocket and is better suited for CDN abuse.
+
+**3**:
+
+Starting in 1.7.0, multiplexing support is no longer enabled by default and needs to be turned on explicitly in inbound options.
+
+**4**
+
+Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server, see [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+
+**5**:
+
+Only supported in graphical clients on Android and iOS.
+
+#### 1.7.0-rc.3
+
+* Fixes and improvements
+
+#### 1.6.7
+
+* macOS: Add button for uninstall SystemExtension in the standalone graphical client
+* Fix missing UDP user context on TUIC/Hysteria2 inbounds
+* Fixes and improvements
+
 #### 1.7.0-rc.2
 
 * Fix missing UDP user context on TUIC/Hysteria2 inbounds

docs/manual/proxy/client.md

@@ -70,7 +70,7 @@ flowchart TB
     assemble --> conn[TCP and UDP connections]
     conn --> router[sing-box Router]
     router --> direct[Direct outbound]
-    router -->  proxy[Proxy outbounds]
+    router --> proxy[Proxy outbounds]
     router -- DNS hijack --> dns_out[DNS outbound]
     dns_out --> dns_router[DNS router]
     dns_router --> router
@@ -284,4 +284,142 @@ flowchart TB
         "auto_detect_interface": true
       }
     }
+    ```
+
+### Traffic bypass usage for Chinese users
+
+=== ":material-dns: DNS rules"
+
+    !!! info
+    
+        DNS rules are optional if FakeIP is used.
+
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            "tag": "google",
+            "address": "tls://8.8.8.8"
+          },
+          {
+            "tag": "local",
+            "address": "223.5.5.5",
+            "detour": "direct"
+          }
+        ],
+        "rules": [
+          {
+            "outbound": "any",
+            "server": "local"
+          },
+          {
+            "clash_mode": "Direct",
+            "server": "local"
+          },
+          {
+            "clash_mode": "Global",
+            "server": "google"
+          },
+          {
+            "type": "logical",
+            "mode": "and",
+            "rules": [
+              {
+                "geosite": "geolocation-!cn",
+                "invert": true
+              },
+              {
+                "geosite": [
+                  "cn",
+                  "category-companies@cn"
+                ],
+              }
+            ],
+            "server": "local"
+          }
+        ]
+      }
+    }
+    ```
+
+=== ":material-router-network: Route rules"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "direct",
+          "tag": "direct"
+        },
+        {
+          "type": "block",
+          "tag": "block"
+        }
+      ],
+      "route": {
+        "rules": [
+          {
+            "type": "logical",
+            "mode": "or",
+            "rules": [
+              {
+                "protocol": "dns"
+              },
+              {
+                "port": 53
+              }
+            ],
+            "outbound": "dns"
+          },
+          {
+            "geoip": "private",
+            "outbound": "direct"
+          },
+          {
+            "clash_mode": "Direct",
+            "outbound": "direct"
+          },
+          {
+            "clash_mode": "Global",
+            "outbound": "default"
+          },
+          {
+            "type": "logical",
+            "mode": "or",
+            "rules": [
+              {
+                "port": 853
+              },
+              {
+                "network": "udp",
+                "port": 443
+              },
+              {
+                "protocol": "stun"
+              }
+            ],
+            "outbound": "block"
+          },
+          {
+            "type": "logical",
+            "mode": "and",
+            "rules": [
+              {
+                "geosite": "geolocation-!cn",
+                "invert": true
+              },
+              {
+                "geosite": [
+                  "cn",
+                  "category-companies@cn"
+                ],
+                "geoip": "cn"
+              }
+            ],
+            "outbound": "direct"
+          }
+        ]
+      }
+    }
     ```

docs/manual/proxy/tun.md

@@ -1,66 +0,0 @@
-# :material-expansion-card: TUN
-
-## :material-text-box: Definition
-
-Refers to TUNnel, a virtual network device supported by the kernel.
-It’s also used in sing-box to denote the extensive functionality surrounding TUN inbound:
-including traffic assembly, automatic routing, and network and default interface monitoring.
-
-The following flow chart describes the minimal TUN-based transparent proxy process in sing-box:
-
-``` mermaid
-flowchart LR
-    subgraph inbound [Inbound]
-        direction TB
-        packet[IP Packet]
-        packet --> windows[Windows / macOS]
-        packet --> linux[Linux]
-        tun[TUN interface]
-        windows -. route .-> tun
-        linux -. iproute2 route/rule .-> tun
-        tun --> gvisor[gVisor TUN stack]
-        tun --> system[system TUN stack]
-        assemble([L3 to L4 assemble])
-        gvisor --> assemble
-        system --> assemble
-        assemble --> conn[TCP and UDP connections]
-        conn --> router[sing-box Router]
-    end
-
-    subgraph outbound [Outbound]
-        direction TB
-        direct[Direct outbound]
-        proxy[Proxy outbounds]
-        direct --> adi([auto detect interface])
-        proxy --> adi
-        adi --> default[Default network interface in the system]
-        default --> destination[Destination server]
-        default --> proxy_server[Proxy server]
-        proxy_server --> destination
-    end
-
-    inbound --> outbound
-```
-
-## :material-help-box: How to
-
-A basic TUN-based transparent proxy configuration file includes: an TUN inbound, `route.auto_detect_interface`, like:
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "inet6_address": "fdfe:dcba:9876::1/126",
-      "auto_route": true,
-      "strict_route": true
-    }
-  ],
-  "route": {
-    "auto_detect_interface": true
-  }
-}
-```
-
-TODO: finish this wiki

experimental/clashapi/api_meta_group.go

@@ -83,7 +83,7 @@ func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request)
 
 		var result map[string]uint16
 		if urlTestGroup, isURLTestGroup := group.(adapter.URLTestGroup); isURLTestGroup {
-			result, err = urlTestGroup.URLTest(ctx, url)
+			result, err = urlTestGroup.URLTest(ctx)
 		} else {
 			outbounds := common.FilterNotNil(common.Map(group.All(), func(it string) adapter.Outbound {
 				itOutbound, _ := server.router.Outbound(it)

experimental/libbox/command_log.go

@@ -60,11 +60,11 @@ func (s *CommandServer) handleLogConn(conn net.Conn) error {
 	for element := s.savedLines.Front(); element != nil; element = element.Next() {
 		savedLines = append(savedLines, element.Value)
 	}
+	s.access.Unlock()
 	subscription, done, err := s.observer.Subscribe()
 	if err != nil {
 		return err
 	}
-	s.access.Unlock()
 	defer s.observer.UnSubscribe(subscription)
 	for _, line := range savedLines {
 		err = writeLog(conn, []byte(line))

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
 	github.com/gofrs/uuid/v5 v5.0.0
-	github.com/insomniacslk/dhcp v0.0.0-20231016090811-6a2c8fbdcc1c
+	github.com/insomniacslk/dhcp v0.0.0-20231126010706-b0416c0f187a
 	github.com/libdns/alidns v1.0.3
 	github.com/libdns/cloudflare v0.1.0
 	github.com/logrusorgru/aurora v2.0.3+incompatible
@@ -26,7 +26,7 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20231119034329-07cfb6aaf930
 	github.com/sagernet/quic-go v0.40.0
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.2.18-0.20231119032432-6a556bfa50cc
+	github.com/sagernet/sing v0.2.18-0.20231203085253-0ba5576c7be8
 	github.com/sagernet/sing-dns v0.1.11
 	github.com/sagernet/sing-mux v0.1.5-0.20231109075101-6b086ed6bb07
 	github.com/sagernet/sing-quic v0.1.5-0.20231123150216-00957d136203
@@ -44,9 +44,9 @@ require (
 	github.com/stretchr/testify v1.8.4
 	go.uber.org/zap v1.26.0
 	go4.org/netipx v0.0.0-20230824141953-6213f710f925
-	golang.org/x/crypto v0.15.0
-	golang.org/x/net v0.18.0
-	golang.org/x/sys v0.14.0
+	golang.org/x/crypto v0.16.0
+	golang.org/x/net v0.19.0
+	golang.org/x/sys v0.15.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	google.golang.org/grpc v1.59.0
 	google.golang.org/protobuf v1.31.0

go.sum

@@ -47,8 +47,8 @@ github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20231016090811-6a2c8fbdcc1c h1:PgxFEySCI41sH0mB7/2XswdXbUykQsRUGod8Rn+NubM=
-github.com/insomniacslk/dhcp v0.0.0-20231016090811-6a2c8fbdcc1c/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
+github.com/insomniacslk/dhcp v0.0.0-20231126010706-b0416c0f187a h1:biHpNhTkyeXNEzLqTOM6DkIkMedNh/j+ft+POj0Xcko=
+github.com/insomniacslk/dhcp v0.0.0-20231126010706-b0416c0f187a/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
@@ -110,8 +110,8 @@ github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byL
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
-github.com/sagernet/sing v0.2.18-0.20231119032432-6a556bfa50cc h1:dmU0chO0QrBpARo8sqyOc+mvPLW+qux4ca16kb2WIc8=
-github.com/sagernet/sing v0.2.18-0.20231119032432-6a556bfa50cc/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
+github.com/sagernet/sing v0.2.18-0.20231203085253-0ba5576c7be8 h1:wQuG3Kfob9jppmkamoRmvUE4nwTltxLhDGeeGUD66Dk=
+github.com/sagernet/sing v0.2.18-0.20231203085253-0ba5576c7be8/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
 github.com/sagernet/sing-dns v0.1.11 h1:PPrMCVVrAeR3f5X23I+cmvacXJ+kzuyAsBiWyUKhGSE=
 github.com/sagernet/sing-dns v0.1.11/go.mod h1:zJ/YjnYB61SYE+ubMcMqVdpaSvsyQ2iShQGO3vuLvvE=
 github.com/sagernet/sing-mux v0.1.5-0.20231109075101-6b086ed6bb07 h1:ncKb5tVOsCQgCsv6UpsA0jinbNb5OQ5GMPJlyQP3EHM=
@@ -169,16 +169,16 @@ go4.org/netipx v0.0.0-20230824141953-6213f710f925 h1:eeQDDVKFkx0g4Hyy8pHgmZaK0Eq
 go4.org/netipx v0.0.0-20230824141953-6213f710f925/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
-golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ=
 golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE=
 golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
 golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
-golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -189,10 +189,10 @@ golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=

outbound/urltest.go

@@ -3,7 +3,6 @@ package outbound
 import (
 	"context"
 	"net"
-	"sort"
 	"sync"
 	"time"
 
@@ -83,7 +82,7 @@ func (s *URLTest) Start() error {
 }
 
 func (s *URLTest) PostStart() error {
-	go s.CheckOutbounds()
+	s.group.PostStart()
 	return nil
 }
 
@@ -101,8 +100,8 @@ func (s *URLTest) All() []string {
 	return s.tags
 }
 
-func (s *URLTest) URLTest(ctx context.Context, link string) (map[string]uint16, error) {
-	return s.group.URLTest(ctx, link)
+func (s *URLTest) URLTest(ctx context.Context) (map[string]uint16, error) {
+	return s.group.URLTest(ctx)
 }
 
 func (s *URLTest) CheckOutbounds() {
@@ -110,7 +109,7 @@ func (s *URLTest) CheckOutbounds() {
 }
 
 func (s *URLTest) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	s.group.Start()
+	s.group.Touch()
 	outbound := s.group.Select(network)
 	conn, err := outbound.DialContext(ctx, network, destination)
 	if err == nil {
@@ -122,7 +121,7 @@ func (s *URLTest) DialContext(ctx context.Context, network string, destination M
 }
 
 func (s *URLTest) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	s.group.Start()
+	s.group.Touch()
 	outbound := s.group.Select(N.NetworkUDP)
 	conn, err := outbound.ListenPacket(ctx, destination)
 	if err == nil {
@@ -164,9 +163,11 @@ type URLTestGroup struct {
 	interruptGroup               *interrupt.Group
 	interruptExternalConnections bool
 
-	access sync.Mutex
-	ticker *time.Ticker
-	close  chan struct{}
+	access     sync.Mutex
+	ticker     *time.Ticker
+	close      chan struct{}
+	started    bool
+	lastActive atomic.TypedValue[time.Time]
 }
 
 func NewURLTestGroup(
@@ -208,8 +209,18 @@ func NewURLTestGroup(
 	}
 }
 
-func (g *URLTestGroup) Start() {
+func (g *URLTestGroup) PostStart() {
+	g.started = true
+	g.lastActive.Store(time.Now())
+	go g.CheckOutbounds(false)
+}
+
+func (g *URLTestGroup) Touch() {
+	if !g.started {
+		return
+	}
 	if g.ticker != nil {
+		g.lastActive.Store(time.Now())
 		return
 	}
 	g.access.Lock()
@@ -260,51 +271,30 @@ func (g *URLTestGroup) Select(network string) adapter.Outbound {
 	return minOutbound
 }
 
-func (g *URLTestGroup) Fallback(used adapter.Outbound) []adapter.Outbound {
-	outbounds := make([]adapter.Outbound, 0, len(g.outbounds)-1)
-	for _, detour := range g.outbounds {
-		if detour != used {
-			outbounds = append(outbounds, detour)
-		}
-	}
-	sort.SliceStable(outbounds, func(i, j int) bool {
-		oi := outbounds[i]
-		oj := outbounds[j]
-		hi := g.history.LoadURLTestHistory(RealTag(oi))
-		if hi == nil {
-			return false
-		}
-		hj := g.history.LoadURLTestHistory(RealTag(oj))
-		if hj == nil {
-			return false
-		}
-		return hi.Delay < hj.Delay
-	})
-	return outbounds
-}
-
 func (g *URLTestGroup) loopCheck() {
-	go g.CheckOutbounds(true)
+	if time.Now().Sub(g.lastActive.Load()) > g.interval {
+		g.CheckOutbounds(false)
+	}
 	for {
-		g.pauseManager.WaitActive()
 		select {
 		case <-g.close:
 			return
 		case <-g.ticker.C:
-			g.CheckOutbounds(false)
 		}
+		g.pauseManager.WaitActive()
+		g.CheckOutbounds(false)
 	}
 }
 
 func (g *URLTestGroup) CheckOutbounds(force bool) {
-	_, _ = g.urlTest(g.ctx, g.link, force)
+	_, _ = g.urlTest(g.ctx, force)
 }
 
-func (g *URLTestGroup) URLTest(ctx context.Context, link string) (map[string]uint16, error) {
-	return g.urlTest(ctx, link, false)
+func (g *URLTestGroup) URLTest(ctx context.Context) (map[string]uint16, error) {
+	return g.urlTest(ctx, false)
 }
 
-func (g *URLTestGroup) urlTest(ctx context.Context, link string, force bool) (map[string]uint16, error) {
+func (g *URLTestGroup) urlTest(ctx context.Context, force bool) (map[string]uint16, error) {
 	result := make(map[string]uint16)
 	if g.checking.Swap(true) {
 		return result, nil
@@ -331,7 +321,7 @@ func (g *URLTestGroup) urlTest(ctx context.Context, link string, force bool) (ma
 		b.Go(realTag, func() (any, error) {
 			ctx, cancel := context.WithTimeout(context.Background(), C.TCPTimeout)
 			defer cancel()
-			t, err := urltest.URLTest(ctx, link, p)
+			t, err := urltest.URLTest(ctx, g.link, p)
 			if err != nil {
 				g.logger.Debug("outbound ", tag, " unavailable: ", err)
 				g.history.DeleteURLTestHistory(realTag)

route/router.go

@@ -88,6 +88,7 @@ type Router struct {
 	platformInterface                  platform.Interface
 	needWIFIState                      bool
 	wifiState                          adapter.WIFIState
+	started                            bool
 }
 
 func NewRouter(
@@ -571,6 +572,11 @@ func (r *Router) Close() error {
 	return err
 }
 
+func (r *Router) PostStart() error {
+	r.started = true
+	return nil
+}
+
 func (r *Router) Outbound(tag string) (adapter.Outbound, bool) {
 	outbound, loaded := r.outboundByTag[tag]
 	return outbound, loaded
@@ -1015,8 +1021,11 @@ func (r *Router) notifyNetworkUpdate(event int) {
 		}
 	}
 
-	r.ResetNetwork()
-	return
+	if !r.started {
+		return
+	}
+
+	_ = r.ResetNetwork()
 }
 
 func (r *Router) ResetNetwork() error {

transport/dhcp/server.go

@@ -87,9 +87,15 @@ func (t *Transport) Start() error {
 }
 
 func (t *Transport) Reset() {
+	for _, transport := range t.transports {
+		transport.Reset()
+	}
 }
 
 func (t *Transport) Close() error {
+	for _, transport := range t.transports {
+		transport.Close()
+	}
 	if t.interfaceCallback != nil {
 		t.router.InterfaceMonitor().UnregisterCallback(t.interfaceCallback)
 	}
@@ -266,6 +272,9 @@ func (t *Transport) recreateServers(iface *net.Interface, serverAddrs []netip.Ad
 		}
 		transports = append(transports, serverTransport)
 	}
+	for _, transport := range t.transports {
+		transport.Close()
+	}
 	t.transports = transports
 	return nil
 }

transport/v2raywebsocket/client.go

@@ -12,6 +12,9 @@ import (
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	"github.com/sagernet/sing/common/bufio/deadline"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -87,18 +90,35 @@ func (c *Client) dialContext(ctx context.Context, requestURL *url.URL, headers h
 			return nil, err
 		}
 	}
-	conn.SetDeadline(time.Now().Add(C.TCPTimeout))
+	var deadlineConn net.Conn
+	if deadline.NeedAdditionalReadDeadline(conn) {
+		deadlineConn = deadline.NewConn(conn)
+	} else {
+		deadlineConn = conn
+	}
+	err = deadlineConn.SetDeadline(time.Now().Add(C.TCPTimeout))
+	if err != nil {
+		return nil, E.Cause(err, "set read deadline")
+	}
 	var protocols []string
 	if protocolHeader := headers.Get("Sec-WebSocket-Protocol"); protocolHeader != "" {
 		protocols = []string{protocolHeader}
 		headers.Del("Sec-WebSocket-Protocol")
 	}
-	reader, _, err := ws.Dialer{Header: ws.HandshakeHeaderHTTP(headers), Protocols: protocols}.Upgrade(conn, requestURL)
-	conn.SetDeadline(time.Time{})
+	reader, _, err := ws.Dialer{Header: ws.HandshakeHeaderHTTP(headers), Protocols: protocols}.Upgrade(deadlineConn, requestURL)
+	deadlineConn.SetDeadline(time.Time{})
 	if err != nil {
 		return nil, err
 	}
-	return NewConn(conn, reader, nil, ws.StateClientSide), nil
+	if reader != nil {
+		buffer := buf.NewSize(reader.Buffered())
+		_, err = buffer.ReadFullFrom(reader, buffer.Len())
+		if err != nil {
+			return nil, err
+		}
+		conn = bufio.NewCachedConn(conn, buffer)
+	}
+	return NewConn(conn, nil, ws.StateClientSide), nil
 }
 
 func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {

transport/v2raywebsocket/conn.go

@@ -1,7 +1,6 @@
 package v2raywebsocket
 
 import (
-	"bufio"
 	"context"
 	"encoding/base64"
 	"io"
@@ -28,19 +27,13 @@ type WebsocketConn struct {
 	remoteAddr     net.Addr
 }
 
-func NewConn(conn net.Conn, br *bufio.Reader, remoteAddr net.Addr, state ws.State) *WebsocketConn {
+func NewConn(conn net.Conn, remoteAddr net.Addr, state ws.State) *WebsocketConn {
 	controlHandler := wsutil.ControlFrameHandler(conn, state)
-	var reader io.Reader
-	if br != nil && br.Buffered() > 0 {
-		reader = br
-	} else {
-		reader = conn
-	}
 	return &WebsocketConn{
 		Conn:  conn,
 		state: state,
 		reader: &wsutil.Reader{
-			Source:          reader,
+			Source:          conn,
 			State:           state,
 			SkipHeaderCheck: !debug.Enabled,
 			OnIntermediate:  controlHandler,

transport/v2raywebsocket/server.go

@@ -88,14 +88,14 @@ func (s *Server) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 		s.invalidRequest(writer, request, http.StatusBadRequest, E.Cause(err, "decode early data"))
 		return
 	}
-	wsConn, reader, _, err := ws.UpgradeHTTP(request, writer)
+	wsConn, _, _, err := ws.UpgradeHTTP(request, writer)
 	if err != nil {
 		s.invalidRequest(writer, request, 0, E.Cause(err, "upgrade websocket connection"))
 		return
 	}
 	var metadata M.Metadata
 	metadata.Source = sHttp.SourceAddress(request)
-	conn = NewConn(wsConn, reader.Reader, metadata.Source.TCPAddr(), ws.StateServerSide)
+	conn = NewConn(wsConn, metadata.Source.TCPAddr(), ws.StateServerSide)
 	if len(earlyData) > 0 {
 		conn = bufio.NewCachedConn(conn, buf.As(earlyData))
 	}