documentation: Bump version

documentation: Update package managers
documentation: Fix link format
2026-04-13 20:28:32 +10:00 · 2023-12-21 10:51:57 +08:00 · 2023-12-21 10:50:32 +08:00 · 2023-12-21 10:50:32 +08:00 · 2023-12-21 10:50:27 +08:00 · 2023-12-21 10:50:27 +08:00
227 changed files with 2881 additions and 6693 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -44,13 +44,7 @@ body:
    attributes:
      label: Version
      description: If you are using the original command line program, please provide the output of the `sing-box version` command.
-      value: |-
-        <details>
-
-        ```console
-        # Replace this line with the output
-        ```
-        </details>
+      render: shell
  - type: textarea
    attributes:
      label: Description
@@ -70,10 +64,4 @@ body:
        If you encounter a crash with the graphical client, please provide crash logs.
        For Apple platform clients, please check `Settings - View Service Log` for crash logs.
        For the Android client, please check the `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` file for crash logs.
-      value: |-
-        <details>
-        
-        ```console
-        # Replace this line with logs
-        ```
-        </details>
+      render: shell
--- a/.github/ISSUE_TEMPLATE/bug_report_zh.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report_zh.yml
@@ -44,13 +44,7 @@ body:
    attributes:
      label: 版本
      description: 如果您使用原始命令行程序，请提供 `sing-box version` 命令的输出。
-      value: |-
-        <details>
-
-        ```console
-        # 使用输出内容覆盖此行
-        ```
-        </details>
+      render: shell
  - type: textarea
    attributes:
      label: 描述
@@ -70,10 +64,18 @@ body:
        如果您遭遇图形界面应用程序崩溃，请提供崩溃日志。
        对于 Apple 平台图形客户端程序，请检查 `Settings - View Service Log` 以导出崩溃日志。
        对于 Android 图形客户端程序，请检查 `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` 文件以导出崩溃日志。
-      value: |-
-        <details>
-        
-        ```console
-        # 使用日志内容覆盖此行
-        ```
-        </details>
+      render: shell
+  - type: checkboxes
+    attributes:
+      label: 完整性要求
+      description: 我保证我提供了完整的可以在本地重现该问题的服务器、客户端配置文件与流程，而不是一个脱敏的复杂客户端配置文件，否则该 issue 将被关闭。
+      options:
+        - label: 我保证
+          required: true
+  - type: checkboxes
+    attributes:
+      label: 负责性要求
+      description: 我保证我阅读了文档，了解所有我编写的配置文件项的含义，而不是大量堆砌看似有用的选项或默认值，否则该 issue 将被关闭。
+      options:
+        - label: 我保证
+          required: true
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -30,7 +30,7 @@ jobs:
        run: |
          echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
      - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Add cache to Go proxy
@@ -54,7 +54,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: 1.18.10
      - name: Cache go module
@@ -74,7 +74,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: 1.20.7
      - name: Cache go module
@@ -209,7 +209,7 @@ jobs:
        run: |
          echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
      - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Build
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -30,7 +30,7 @@ jobs:
        run: |
          echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
      - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: golangci-lint
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,7 +8,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v8
+      - uses: actions/stale@v9
        with:
          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
          days-before-stale: 60
--- a/9
+++ b/9
@@ -1,7 +1,7 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
-TAGS_GO120 = with_quic,with_ech
+TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api
+TAGS_GO120 = with_quic,with_ech,with_utls
 TAGS ?= $(TAGS_GO118),$(TAGS_GO120)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server

@@ -178,9 +178,8 @@ lib:
 	go run ./cmd/internal/build_libbox -target ios

 lib_install:
-	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230915142329-c6740b6d2950
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230915142329-c6740b6d2950
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.1
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.1

 docs:
 	mkdocs serve
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -17,6 +17,7 @@ import (

 type Router interface {
 	Service
+	PreStarter
 	PostStarter

 	Outbounds() []Outbound
--- a/box.go
+++ b/box.go
@@ -55,7 +55,7 @@ func New(options Options) (*Box, error) {
 		ctx = context.Background()
 	}
 	ctx = service.ContextWithDefaultRegistry(ctx)
-	ctx = pause.ContextWithDefaultManager(ctx)
+	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needCacheFile bool
@@ -157,9 +157,12 @@ func New(options Options) (*Box, error) {
 	preServices2 := make(map[string]adapter.Service)
 	postServices := make(map[string]adapter.Service)
 	if needCacheFile {
-		cacheFile := cachefile.NewCacheFile(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
+		cacheFile := service.FromContext[adapter.CacheFile](ctx)
+		if cacheFile == nil {
+			cacheFile = cachefile.New(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
+			service.MustRegister[adapter.CacheFile](ctx, cacheFile)
+		}
 		preServices1["cache file"] = cacheFile
-		service.MustRegister[adapter.CacheFile](ctx, cacheFile)
 	}
 	if needClashAPI {
 		clashAPIOptions := common.PtrValueOrDefault(experimentalOptions.ClashAPI)
@@ -259,6 +262,10 @@ func (s *Box) preStart() error {
 			}
 		}
 	}
+	err = s.router.PreStart()
+	if err != nil {
+		return E.Cause(err, "pre-start router")
+	}
 	err = s.startOutbounds()
 	if err != nil {
 		return err
@@ -313,10 +320,7 @@ func (s *Box) postStart() error {
 			}
 		}
 	}
-	err := s.router.PostStart()
-	if err != nil {
-		return E.Cause(err, "post-start router")
-	}
+
 	return s.router.PostStart()
 }

--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -7,7 +7,7 @@ import (
 	"path/filepath"
 	"strings"

-	_ "github.com/sagernet/gomobile/event/key"
+	_ "github.com/sagernet/gomobile"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common/rw"
--- a/cmd/sing-box/cmd_format.go
+++ b/cmd/sing-box/cmd_format.go
@@ -5,9 +5,10 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/json/badjson"

 	"github.com/spf13/cobra"
 )
@@ -37,6 +38,10 @@ func format() error {
 		return err
 	}
 	for _, optionsEntry := range optionsList {
+		optionsEntry.options, err = badjson.Omitempty(optionsEntry.options)
+		if err != nil {
+			return err
+		}
 		buffer := new(bytes.Buffer)
 		encoder := json.NewEncoder(buffer)
 		encoder.SetIndent("", "  ")
--- a/cmd/sing-box/cmd_geoip_export.go
+++ b/cmd/sing-box/cmd_geoip_export.go
@@ -6,11 +6,11 @@ import (
 	"os"
 	"strings"

-	"github.com/sagernet/sing-box/common/json"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"

 	"github.com/oschwald/maxminddb-golang"
 	"github.com/spf13/cobra"
--- a/cmd/sing-box/cmd_geosite_export.go
+++ b/cmd/sing-box/cmd_geosite_export.go
@@ -1,11 +1,11 @@
 package main

 import (
+	"encoding/json"
 	"io"
 	"os"

 	"github.com/sagernet/sing-box/common/geosite"
-	"github.com/sagernet/sing-box/common/json"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
--- a/cmd/sing-box/cmd_merge.go
+++ b/cmd/sing-box/cmd_merge.go
@@ -6,12 +6,12 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/sagernet/sing-box/common/json"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/rw"

 	"github.com/spf13/cobra"
@@ -65,50 +65,26 @@ func merge(outputPath string) error {

 func mergePathResources(options *option.Options) error {
 	for index, inbound := range options.Inbounds {
-		switch inbound.Type {
-		case C.TypeHTTP:
-			inbound.HTTPOptions.TLS = mergeTLSInboundOptions(inbound.HTTPOptions.TLS)
-		case C.TypeMixed:
-			inbound.MixedOptions.TLS = mergeTLSInboundOptions(inbound.MixedOptions.TLS)
-		case C.TypeVMess:
-			inbound.VMessOptions.TLS = mergeTLSInboundOptions(inbound.VMessOptions.TLS)
-		case C.TypeTrojan:
-			inbound.TrojanOptions.TLS = mergeTLSInboundOptions(inbound.TrojanOptions.TLS)
-		case C.TypeNaive:
-			inbound.NaiveOptions.TLS = mergeTLSInboundOptions(inbound.NaiveOptions.TLS)
-		case C.TypeHysteria:
-			inbound.HysteriaOptions.TLS = mergeTLSInboundOptions(inbound.HysteriaOptions.TLS)
-		case C.TypeVLESS:
-			inbound.VLESSOptions.TLS = mergeTLSInboundOptions(inbound.VLESSOptions.TLS)
-		case C.TypeTUIC:
-			inbound.TUICOptions.TLS = mergeTLSInboundOptions(inbound.TUICOptions.TLS)
-		case C.TypeHysteria2:
-			inbound.Hysteria2Options.TLS = mergeTLSInboundOptions(inbound.Hysteria2Options.TLS)
-		default:
-			continue
+		rawOptions, err := inbound.RawOptions()
+		if err != nil {
+			return err
+		}
+		if tlsOptions, containsTLSOptions := rawOptions.(option.InboundTLSOptionsWrapper); containsTLSOptions {
+			tlsOptions.ReplaceInboundTLSOptions(mergeTLSInboundOptions(tlsOptions.TakeInboundTLSOptions()))
 		}
 		options.Inbounds[index] = inbound
 	}
 	for index, outbound := range options.Outbounds {
+		rawOptions, err := outbound.RawOptions()
+		if err != nil {
+			return err
+		}
 		switch outbound.Type {
-		case C.TypeHTTP:
-			outbound.HTTPOptions.TLS = mergeTLSOutboundOptions(outbound.HTTPOptions.TLS)
-		case C.TypeVMess:
-			outbound.VMessOptions.TLS = mergeTLSOutboundOptions(outbound.VMessOptions.TLS)
-		case C.TypeTrojan:
-			outbound.TrojanOptions.TLS = mergeTLSOutboundOptions(outbound.TrojanOptions.TLS)
-		case C.TypeHysteria:
-			outbound.HysteriaOptions.TLS = mergeTLSOutboundOptions(outbound.HysteriaOptions.TLS)
 		case C.TypeSSH:
 			outbound.SSHOptions = mergeSSHOutboundOptions(outbound.SSHOptions)
-		case C.TypeVLESS:
-			outbound.VLESSOptions.TLS = mergeTLSOutboundOptions(outbound.VLESSOptions.TLS)
-		case C.TypeTUIC:
-			outbound.TUICOptions.TLS = mergeTLSOutboundOptions(outbound.TUICOptions.TLS)
-		case C.TypeHysteria2:
-			outbound.Hysteria2Options.TLS = mergeTLSOutboundOptions(outbound.Hysteria2Options.TLS)
-		default:
-			continue
+		}
+		if tlsOptions, containsTLSOptions := rawOptions.(option.OutboundTLSOptionsWrapper); containsTLSOptions {
+			tlsOptions.ReplaceOutboundTLSOptions(mergeTLSOutboundOptions(tlsOptions.TakeOutboundTLSOptions()))
 		}
 		options.Outbounds[index] = outbound
 	}
--- a/cmd/sing-box/cmd_rule_set_compile.go
+++ b/cmd/sing-box/cmd_rule_set_compile.go
@@ -5,10 +5,10 @@ import (
 	"os"
 	"strings"

-	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/common/srs"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/json"

 	"github.com/spf13/cobra"
 )
--- a/cmd/sing-box/cmd_rule_set_format.go
+++ b/cmd/sing-box/cmd_rule_set_format.go
@@ -6,10 +6,10 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"

 	"github.com/spf13/cobra"
 )
--- a/cmd/sing-box/cmd_run.go
+++ b/cmd/sing-box/cmd_run.go
@@ -13,11 +13,12 @@ import (
 	"time"

 	"github.com/sagernet/sing-box"
-	"github.com/sagernet/sing-box/common/badjsonmerge"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/json/badjson"

 	"github.com/spf13/cobra"
 )
@@ -56,8 +57,7 @@ func readConfigAt(path string) (*OptionsEntry, error) {
 	if err != nil {
 		return nil, E.Cause(err, "read config at ", path)
 	}
-	var options option.Options
-	err = options.UnmarshalJSON(configContent)
+	options, err := json.UnmarshalExtended[option.Options](configContent)
 	if err != nil {
 		return nil, E.Cause(err, "decode config at ", path)
 	}
@@ -107,13 +107,18 @@ func readConfigAndMerge() (option.Options, error) {
 	if len(optionsList) == 1 {
 		return optionsList[0].options, nil
 	}
-	var mergedOptions option.Options
+	var mergedMessage json.RawMessage
 	for _, options := range optionsList {
-		mergedOptions, err = badjsonmerge.MergeOptions(options.options, mergedOptions)
+		mergedMessage, err = badjson.MergeJSON(options.options.RawMessage, mergedMessage)
 		if err != nil {
 			return option.Options{}, E.Cause(err, "merge config at ", options.path)
 		}
 	}
+	var mergedOptions option.Options
+	err = mergedOptions.UnmarshalJSON(mergedMessage)
+	if err != nil {
+		return option.Options{}, E.Cause(err, "unmarshal merged config")
+	}
 	return mergedOptions, nil
 }

@@ -128,7 +133,7 @@ func create() (*box.Box, context.CancelFunc, error) {
 		}
 		options.Log.DisableColor = true
 	}
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(globalCtx)
 	instance, err := box.New(box.Options{
 		Context: ctx,
 		Options: options,
--- a/cmd/sing-box/main.go
+++ b/cmd/sing-box/main.go
@@ -3,15 +3,19 @@ package main
 import (
 	"context"
 	"os"
+	"os/user"
+	"strconv"
 	"time"

 	_ "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/service/filemanager"

 	"github.com/spf13/cobra"
 )

 var (
+	globalCtx         context.Context
 	configPaths       []string
 	configDirectories []string
 	workingDir        string
@@ -37,15 +41,30 @@ func main() {
 }

 func preRun(cmd *cobra.Command, args []string) {
+	globalCtx = context.Background()
+	sudoUser := os.Getenv("SUDO_USER")
+	sudoUID, _ := strconv.Atoi(os.Getenv("SUDO_UID"))
+	sudoGID, _ := strconv.Atoi(os.Getenv("SUDO_GID"))
+	if sudoUID == 0 && sudoGID == 0 && sudoUser != "" {
+		sudoUserObject, _ := user.Lookup(sudoUser)
+		if sudoUserObject != nil {
+			sudoUID, _ = strconv.Atoi(sudoUserObject.Uid)
+			sudoGID, _ = strconv.Atoi(sudoUserObject.Gid)
+		}
+	}
+	if sudoUID > 0 && sudoGID > 0 {
+		globalCtx = filemanager.WithDefault(globalCtx, "", "", sudoUID, sudoGID)
+	}
 	if disableColor {
 		log.SetStdLogger(log.NewDefaultFactory(context.Background(), log.Formatter{BaseTime: time.Now(), DisableColors: true}, os.Stderr, "", nil, false).Logger())
 	}
 	if workingDir != "" {
 		_, err := os.Stat(workingDir)
 		if err != nil {
-			os.MkdirAll(workingDir, 0o777)
+			filemanager.MkdirAll(globalCtx, workingDir, 0o777)
 		}
-		if err := os.Chdir(workingDir); err != nil {
+		err = os.Chdir(workingDir)
+		if err != nil {
 			log.Fatal(err)
 		}
 	}
--- a/common/badjson/array.go
+++ b/common/badjson/array.go
@@ -1,46 +0,0 @@
-package badjson
-
-import (
-	"bytes"
-
-	"github.com/sagernet/sing-box/common/json"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type JSONArray []any
-
-func (a JSONArray) MarshalJSON() ([]byte, error) {
-	return json.Marshal([]any(a))
-}
-
-func (a *JSONArray) UnmarshalJSON(content []byte) error {
-	decoder := json.NewDecoder(bytes.NewReader(content))
-	arrayStart, err := decoder.Token()
-	if err != nil {
-		return err
-	} else if arrayStart != json.Delim('[') {
-		return E.New("excepted array start, but got ", arrayStart)
-	}
-	err = a.decodeJSON(decoder)
-	if err != nil {
-		return err
-	}
-	arrayEnd, err := decoder.Token()
-	if err != nil {
-		return err
-	} else if arrayEnd != json.Delim(']') {
-		return E.New("excepted array end, but got ", arrayEnd)
-	}
-	return nil
-}
-
-func (a *JSONArray) decodeJSON(decoder *json.Decoder) error {
-	for decoder.More() {
-		item, err := decodeJSON(decoder)
-		if err != nil {
-			return err
-		}
-		*a = append(*a, item)
-	}
-	return nil
-}
--- a/common/badjson/json.go
+++ b/common/badjson/json.go
@@ -1,54 +0,0 @@
-package badjson
-
-import (
-	"bytes"
-
-	"github.com/sagernet/sing-box/common/json"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-func Decode(content []byte) (any, error) {
-	decoder := json.NewDecoder(bytes.NewReader(content))
-	return decodeJSON(decoder)
-}
-
-func decodeJSON(decoder *json.Decoder) (any, error) {
-	rawToken, err := decoder.Token()
-	if err != nil {
-		return nil, err
-	}
-	switch token := rawToken.(type) {
-	case json.Delim:
-		switch token {
-		case '{':
-			var object JSONObject
-			err = object.decodeJSON(decoder)
-			if err != nil {
-				return nil, err
-			}
-			rawToken, err = decoder.Token()
-			if err != nil {
-				return nil, err
-			} else if rawToken != json.Delim('}') {
-				return nil, E.New("excepted object end, but got ", rawToken)
-			}
-			return &object, nil
-		case '[':
-			var array JSONArray
-			err = array.decodeJSON(decoder)
-			if err != nil {
-				return nil, err
-			}
-			rawToken, err = decoder.Token()
-			if err != nil {
-				return nil, err
-			} else if rawToken != json.Delim(']') {
-				return nil, E.New("excepted array end, but got ", rawToken)
-			}
-			return array, nil
-		default:
-			return nil, E.New("excepted object or array end: ", token)
-		}
-	}
-	return rawToken, nil
-}
--- a/common/badjson/object.go
+++ b/common/badjson/object.go
@@ -1,79 +0,0 @@
-package badjson
-
-import (
-	"bytes"
-	"strings"
-
-	"github.com/sagernet/sing-box/common/json"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/x/linkedhashmap"
-)
-
-type JSONObject struct {
-	linkedhashmap.Map[string, any]
-}
-
-func (m JSONObject) MarshalJSON() ([]byte, error) {
-	buffer := new(bytes.Buffer)
-	buffer.WriteString("{")
-	items := m.Entries()
-	iLen := len(items)
-	for i, entry := range items {
-		keyContent, err := json.Marshal(entry.Key)
-		if err != nil {
-			return nil, err
-		}
-		buffer.WriteString(strings.TrimSpace(string(keyContent)))
-		buffer.WriteString(": ")
-		valueContent, err := json.Marshal(entry.Value)
-		if err != nil {
-			return nil, err
-		}
-		buffer.WriteString(strings.TrimSpace(string(valueContent)))
-		if i < iLen-1 {
-			buffer.WriteString(", ")
-		}
-	}
-	buffer.WriteString("}")
-	return buffer.Bytes(), nil
-}
-
-func (m *JSONObject) UnmarshalJSON(content []byte) error {
-	decoder := json.NewDecoder(bytes.NewReader(content))
-	m.Clear()
-	objectStart, err := decoder.Token()
-	if err != nil {
-		return err
-	} else if objectStart != json.Delim('{') {
-		return E.New("expected json object start, but starts with ", objectStart)
-	}
-	err = m.decodeJSON(decoder)
-	if err != nil {
-		return E.Cause(err, "decode json object content")
-	}
-	objectEnd, err := decoder.Token()
-	if err != nil {
-		return err
-	} else if objectEnd != json.Delim('}') {
-		return E.New("expected json object end, but ends with ", objectEnd)
-	}
-	return nil
-}
-
-func (m *JSONObject) decodeJSON(decoder *json.Decoder) error {
-	for decoder.More() {
-		var entryKey string
-		keyToken, err := decoder.Token()
-		if err != nil {
-			return err
-		}
-		entryKey = keyToken.(string)
-		var entryValue any
-		entryValue, err = decodeJSON(decoder)
-		if err != nil {
-			return E.Cause(err, "decode value for ", entryKey)
-		}
-		m.Put(entryKey, entryValue)
-	}
-	return nil
-}
--- a/common/badjsonmerge/merge.go
+++ b/common/badjsonmerge/merge.go
@@ -1,80 +0,0 @@
-package badjsonmerge
-
-import (
-	"reflect"
-
-	"github.com/sagernet/sing-box/common/badjson"
-	"github.com/sagernet/sing-box/common/json"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-func MergeOptions(source option.Options, destination option.Options) (option.Options, error) {
-	rawSource, err := json.Marshal(source)
-	if err != nil {
-		return option.Options{}, E.Cause(err, "marshal source")
-	}
-	rawDestination, err := json.Marshal(destination)
-	if err != nil {
-		return option.Options{}, E.Cause(err, "marshal destination")
-	}
-	rawMerged, err := MergeJSON(rawSource, rawDestination)
-	if err != nil {
-		return option.Options{}, E.Cause(err, "merge options")
-	}
-	var merged option.Options
-	err = json.Unmarshal(rawMerged, &merged)
-	if err != nil {
-		return option.Options{}, E.Cause(err, "unmarshal merged options")
-	}
-	return merged, nil
-}
-
-func MergeJSON(rawSource json.RawMessage, rawDestination json.RawMessage) (json.RawMessage, error) {
-	source, err := badjson.Decode(rawSource)
-	if err != nil {
-		return nil, E.Cause(err, "decode source")
-	}
-	destination, err := badjson.Decode(rawDestination)
-	if err != nil {
-		return nil, E.Cause(err, "decode destination")
-	}
-	merged, err := mergeJSON(source, destination)
-	if err != nil {
-		return nil, err
-	}
-	return json.Marshal(merged)
-}
-
-func mergeJSON(anySource any, anyDestination any) (any, error) {
-	switch destination := anyDestination.(type) {
-	case badjson.JSONArray:
-		switch source := anySource.(type) {
-		case badjson.JSONArray:
-			destination = append(destination, source...)
-		default:
-			destination = append(destination, source)
-		}
-		return destination, nil
-	case *badjson.JSONObject:
-		switch source := anySource.(type) {
-		case *badjson.JSONObject:
-			for _, entry := range source.Entries() {
-				oldValue, loaded := destination.Get(entry.Key)
-				if loaded {
-					var err error
-					entry.Value, err = mergeJSON(entry.Value, oldValue)
-					if err != nil {
-						return nil, E.Cause(err, "merge object item ", entry.Key)
-					}
-				}
-				destination.Put(entry.Key, entry.Value)
-			}
-		default:
-			return nil, E.New("cannot merge json object into ", reflect.TypeOf(destination))
-		}
-		return destination, nil
-	default:
-		return destination, nil
-	}
-}
--- a/common/badjsonmerge/merge_test.go
+++ b/common/badjsonmerge/merge_test.go
@@ -1,59 +0,0 @@
-package badjsonmerge
-
-import (
-	"testing"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	N "github.com/sagernet/sing/common/network"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestMergeJSON(t *testing.T) {
-	t.Parallel()
-	options := option.Options{
-		Log: &option.LogOptions{
-			Level: "info",
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					Type: C.RuleTypeDefault,
-					DefaultOptions: option.DefaultRule{
-						Network:  []string{N.NetworkTCP},
-						Outbound: "direct",
-					},
-				},
-			},
-		},
-	}
-	anotherOptions := option.Options{
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeDirect,
-				Tag:  "direct",
-			},
-		},
-	}
-	thirdOptions := option.Options{
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					Type: C.RuleTypeDefault,
-					DefaultOptions: option.DefaultRule{
-						Network:  []string{N.NetworkUDP},
-						Outbound: "direct",
-					},
-				},
-			},
-		},
-	}
-	mergeOptions, err := MergeOptions(options, anotherOptions)
-	require.NoError(t, err)
-	mergeOptions, err = MergeOptions(thirdOptions, mergeOptions)
-	require.NoError(t, err)
-	require.Equal(t, "info", mergeOptions.Log.Level)
-	require.Equal(t, 2, len(mergeOptions.Route.Rules))
-	require.Equal(t, C.TypeDirect, mergeOptions.Outbounds[0].Type)
-}
--- a/common/badtls/badtls.go
+++ b/common/badtls/badtls.go
@@ -1,233 +0,0 @@
-//go:build go1.20 && !go1.21
-
-package badtls
-
-import (
-	"crypto/cipher"
-	"crypto/rand"
-	"crypto/tls"
-	"encoding/binary"
-	"io"
-	"net"
-	"reflect"
-	"sync"
-	"sync/atomic"
-	"unsafe"
-
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	N "github.com/sagernet/sing/common/network"
-	aTLS "github.com/sagernet/sing/common/tls"
-)
-
-type Conn struct {
-	*tls.Conn
-	writer              N.ExtendedWriter
-	isHandshakeComplete *atomic.Bool
-	activeCall          *atomic.Int32
-	closeNotifySent     *bool
-	version             *uint16
-	rand                io.Reader
-	halfAccess          *sync.Mutex
-	halfError           *error
-	cipher              cipher.AEAD
-	explicitNonceLen    int
-	halfPtr             uintptr
-	halfSeq             []byte
-	halfScratchBuf      []byte
-}
-
-func TryCreate(conn aTLS.Conn) aTLS.Conn {
-	tlsConn, ok := conn.(*tls.Conn)
-	if !ok {
-		return conn
-	}
-	badConn, err := Create(tlsConn)
-	if err != nil {
-		log.Warn("initialize badtls: ", err)
-		return conn
-	}
-	return badConn
-}
-
-func Create(conn *tls.Conn) (aTLS.Conn, error) {
-	rawConn := reflect.Indirect(reflect.ValueOf(conn))
-	rawIsHandshakeComplete := rawConn.FieldByName("isHandshakeComplete")
-	if !rawIsHandshakeComplete.IsValid() || rawIsHandshakeComplete.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid isHandshakeComplete")
-	}
-	isHandshakeComplete := (*atomic.Bool)(unsafe.Pointer(rawIsHandshakeComplete.UnsafeAddr()))
-	if !isHandshakeComplete.Load() {
-		return nil, E.New("handshake not finished")
-	}
-	rawActiveCall := rawConn.FieldByName("activeCall")
-	if !rawActiveCall.IsValid() || rawActiveCall.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid active call")
-	}
-	activeCall := (*atomic.Int32)(unsafe.Pointer(rawActiveCall.UnsafeAddr()))
-	rawHalfConn := rawConn.FieldByName("out")
-	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid half conn")
-	}
-	rawVersion := rawConn.FieldByName("vers")
-	if !rawVersion.IsValid() || rawVersion.Kind() != reflect.Uint16 {
-		return nil, E.New("badtls: invalid version")
-	}
-	version := (*uint16)(unsafe.Pointer(rawVersion.UnsafeAddr()))
-	rawCloseNotifySent := rawConn.FieldByName("closeNotifySent")
-	if !rawCloseNotifySent.IsValid() || rawCloseNotifySent.Kind() != reflect.Bool {
-		return nil, E.New("badtls: invalid notify")
-	}
-	closeNotifySent := (*bool)(unsafe.Pointer(rawCloseNotifySent.UnsafeAddr()))
-	rawConfig := reflect.Indirect(rawConn.FieldByName("config"))
-	if !rawConfig.IsValid() || rawConfig.Kind() != reflect.Struct {
-		return nil, E.New("badtls: bad config")
-	}
-	config := (*tls.Config)(unsafe.Pointer(rawConfig.UnsafeAddr()))
-	randReader := config.Rand
-	if randReader == nil {
-		randReader = rand.Reader
-	}
-	rawHalfMutex := rawHalfConn.FieldByName("Mutex")
-	if !rawHalfMutex.IsValid() || rawHalfMutex.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid half mutex")
-	}
-	halfAccess := (*sync.Mutex)(unsafe.Pointer(rawHalfMutex.UnsafeAddr()))
-	rawHalfError := rawHalfConn.FieldByName("err")
-	if !rawHalfError.IsValid() || rawHalfError.Kind() != reflect.Interface {
-		return nil, E.New("badtls: invalid half error")
-	}
-	halfError := (*error)(unsafe.Pointer(rawHalfError.UnsafeAddr()))
-	rawHalfCipherInterface := rawHalfConn.FieldByName("cipher")
-	if !rawHalfCipherInterface.IsValid() || rawHalfCipherInterface.Kind() != reflect.Interface {
-		return nil, E.New("badtls: invalid cipher interface")
-	}
-	rawHalfCipher := rawHalfCipherInterface.Elem()
-	aeadCipher, loaded := valueInterface(rawHalfCipher, false).(cipher.AEAD)
-	if !loaded {
-		return nil, E.New("badtls: invalid AEAD cipher")
-	}
-	var explicitNonceLen int
-	switch cipherName := reflect.Indirect(rawHalfCipher).Type().String(); cipherName {
-	case "tls.prefixNonceAEAD":
-		explicitNonceLen = aeadCipher.NonceSize()
-	case "tls.xorNonceAEAD":
-	default:
-		return nil, E.New("badtls: unknown cipher type: ", cipherName)
-	}
-	rawHalfSeq := rawHalfConn.FieldByName("seq")
-	if !rawHalfSeq.IsValid() || rawHalfSeq.Kind() != reflect.Array {
-		return nil, E.New("badtls: invalid seq")
-	}
-	halfSeq := rawHalfSeq.Bytes()
-	rawHalfScratchBuf := rawHalfConn.FieldByName("scratchBuf")
-	if !rawHalfScratchBuf.IsValid() || rawHalfScratchBuf.Kind() != reflect.Array {
-		return nil, E.New("badtls: invalid scratchBuf")
-	}
-	halfScratchBuf := rawHalfScratchBuf.Bytes()
-	return &Conn{
-		Conn:                conn,
-		writer:              bufio.NewExtendedWriter(conn.NetConn()),
-		isHandshakeComplete: isHandshakeComplete,
-		activeCall:          activeCall,
-		closeNotifySent:     closeNotifySent,
-		version:             version,
-		halfAccess:          halfAccess,
-		halfError:           halfError,
-		cipher:              aeadCipher,
-		explicitNonceLen:    explicitNonceLen,
-		rand:                randReader,
-		halfPtr:             rawHalfConn.UnsafeAddr(),
-		halfSeq:             halfSeq,
-		halfScratchBuf:      halfScratchBuf,
-	}, nil
-}
-
-func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
-	if buffer.Len() > maxPlaintext {
-		defer buffer.Release()
-		return common.Error(c.Write(buffer.Bytes()))
-	}
-	for {
-		x := c.activeCall.Load()
-		if x&1 != 0 {
-			return net.ErrClosed
-		}
-		if c.activeCall.CompareAndSwap(x, x+2) {
-			break
-		}
-	}
-	defer c.activeCall.Add(-2)
-	c.halfAccess.Lock()
-	defer c.halfAccess.Unlock()
-	if err := *c.halfError; err != nil {
-		return err
-	}
-	if *c.closeNotifySent {
-		return errShutdown
-	}
-	dataLen := buffer.Len()
-	dataBytes := buffer.Bytes()
-	outBuf := buffer.ExtendHeader(recordHeaderLen + c.explicitNonceLen)
-	outBuf[0] = 23
-	version := *c.version
-	if version == 0 {
-		version = tls.VersionTLS10
-	} else if version == tls.VersionTLS13 {
-		version = tls.VersionTLS12
-	}
-	binary.BigEndian.PutUint16(outBuf[1:], version)
-	var nonce []byte
-	if c.explicitNonceLen > 0 {
-		nonce = outBuf[5 : 5+c.explicitNonceLen]
-		if c.explicitNonceLen < 16 {
-			copy(nonce, c.halfSeq)
-		} else {
-			if _, err := io.ReadFull(c.rand, nonce); err != nil {
-				return err
-			}
-		}
-	}
-	if len(nonce) == 0 {
-		nonce = c.halfSeq
-	}
-	if *c.version == tls.VersionTLS13 {
-		buffer.FreeBytes()[0] = 23
-		binary.BigEndian.PutUint16(outBuf[3:], uint16(dataLen+1+c.cipher.Overhead()))
-		c.cipher.Seal(outBuf, nonce, outBuf[recordHeaderLen:recordHeaderLen+c.explicitNonceLen+dataLen+1], outBuf[:recordHeaderLen])
-		buffer.Extend(1 + c.cipher.Overhead())
-	} else {
-		binary.BigEndian.PutUint16(outBuf[3:], uint16(dataLen))
-		additionalData := append(c.halfScratchBuf[:0], c.halfSeq...)
-		additionalData = append(additionalData, outBuf[:recordHeaderLen]...)
-		c.cipher.Seal(outBuf, nonce, dataBytes, additionalData)
-		buffer.Extend(c.cipher.Overhead())
-		binary.BigEndian.PutUint16(outBuf[3:], uint16(dataLen+c.explicitNonceLen+c.cipher.Overhead()))
-	}
-	incSeq(c.halfPtr)
-	log.Trace("badtls write ", buffer.Len())
-	return c.writer.WriteBuffer(buffer)
-}
-
-func (c *Conn) FrontHeadroom() int {
-	return recordHeaderLen + c.explicitNonceLen
-}
-
-func (c *Conn) RearHeadroom() int {
-	return 1 + c.cipher.Overhead()
-}
-
-func (c *Conn) WriterMTU() int {
-	return maxPlaintext
-}
-
-func (c *Conn) Upstream() any {
-	return c.Conn
-}
-
-func (c *Conn) UpstreamWriter() any {
-	return c.NetConn()
-}
--- a/common/badtls/badtls_stub.go
+++ b/common/badtls/badtls_stub.go
@@ -1,14 +0,0 @@
-//go:build !go1.19 || go1.21
-
-package badtls
-
-import (
-	"crypto/tls"
-	"os"
-
-	aTLS "github.com/sagernet/sing/common/tls"
-)
-
-func Create(conn *tls.Conn) (aTLS.Conn, error) {
-	return nil, os.ErrInvalid
-}
--- a/common/badtls/link.go
+++ b/common/badtls/link.go
@@ -1,22 +0,0 @@
-//go:build go1.20 && !go.1.21
-
-package badtls
-
-import (
-	"reflect"
-	_ "unsafe"
-)
-
-const (
-	maxPlaintext    = 16384 // maximum plaintext payload length
-	recordHeaderLen = 5     // record header length
-)
-
-//go:linkname errShutdown crypto/tls.errShutdown
-var errShutdown error
-
-//go:linkname incSeq crypto/tls.(*halfConn).incSeq
-func incSeq(conn uintptr)
-
-//go:linkname valueInterface reflect.valueInterface
-func valueInterface(v reflect.Value, safe bool) any
--- a/common/badtls/read_wait.go
+++ b/common/badtls/read_wait.go
@@ -0,0 +1,115 @@
+//go:build go1.21 && !without_badtls
+
+package badtls
+
+import (
+	"bytes"
+	"os"
+	"reflect"
+	"sync"
+	"unsafe"
+
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/tls"
+)
+
+var _ N.ReadWaiter = (*ReadWaitConn)(nil)
+
+type ReadWaitConn struct {
+	*tls.STDConn
+	halfAccess      *sync.Mutex
+	rawInput        *bytes.Buffer
+	input           *bytes.Reader
+	hand            *bytes.Buffer
+	readWaitOptions N.ReadWaitOptions
+}
+
+func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
+	stdConn, isSTDConn := conn.(*tls.STDConn)
+	if !isSTDConn {
+		return nil, os.ErrInvalid
+	}
+	rawConn := reflect.Indirect(reflect.ValueOf(stdConn))
+	rawHalfConn := rawConn.FieldByName("in")
+	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid half conn")
+	}
+	rawHalfMutex := rawHalfConn.FieldByName("Mutex")
+	if !rawHalfMutex.IsValid() || rawHalfMutex.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid half mutex")
+	}
+	halfAccess := (*sync.Mutex)(unsafe.Pointer(rawHalfMutex.UnsafeAddr()))
+	rawRawInput := rawConn.FieldByName("rawInput")
+	if !rawRawInput.IsValid() || rawRawInput.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid raw input")
+	}
+	rawInput := (*bytes.Buffer)(unsafe.Pointer(rawRawInput.UnsafeAddr()))
+	rawInput0 := rawConn.FieldByName("input")
+	if !rawInput0.IsValid() || rawInput0.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid input")
+	}
+	input := (*bytes.Reader)(unsafe.Pointer(rawInput0.UnsafeAddr()))
+	rawHand := rawConn.FieldByName("hand")
+	if !rawHand.IsValid() || rawHand.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid hand")
+	}
+	hand := (*bytes.Buffer)(unsafe.Pointer(rawHand.UnsafeAddr()))
+	return &ReadWaitConn{
+		STDConn:    stdConn,
+		halfAccess: halfAccess,
+		rawInput:   rawInput,
+		input:      input,
+		hand:       hand,
+	}, nil
+}
+
+func (c *ReadWaitConn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy bool) {
+	c.readWaitOptions = options
+	return false
+}
+
+func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
+	err = c.Handshake()
+	if err != nil {
+		return
+	}
+	c.halfAccess.Lock()
+	defer c.halfAccess.Unlock()
+	for c.input.Len() == 0 {
+		err = tlsReadRecord(c.STDConn)
+		if err != nil {
+			return
+		}
+		for c.hand.Len() > 0 {
+			err = tlsHandlePostHandshakeMessage(c.STDConn)
+			if err != nil {
+				return
+			}
+		}
+	}
+	buffer = c.readWaitOptions.NewBuffer()
+	n, err := c.input.Read(buffer.FreeBytes())
+	if err != nil {
+		buffer.Release()
+		return
+	}
+	buffer.Truncate(n)
+
+	if n != 0 && c.input.Len() == 0 && c.rawInput.Len() > 0 &&
+		// recordType(c.rawInput.Bytes()[0]) == recordTypeAlert {
+		c.rawInput.Bytes()[0] == 21 {
+		_ = tlsReadRecord(c.STDConn)
+		// return n, err // will be io.EOF on closeNotify
+	}
+
+	c.readWaitOptions.PostReturn(buffer)
+	return
+}
+
+//go:linkname tlsReadRecord crypto/tls.(*Conn).readRecord
+func tlsReadRecord(c *tls.STDConn) error
+
+//go:linkname tlsHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
+func tlsHandlePostHandshakeMessage(c *tls.STDConn) error
--- a/common/badtls/read_wait_stub.go
+++ b/common/badtls/read_wait_stub.go
@@ -0,0 +1,13 @@
+//go:build !go1.21 || without_badtls
+
+package badtls
+
+import (
+	"os"
+
+	"github.com/sagernet/sing/common/tls"
+)
+
+func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
+	return nil, os.ErrInvalid
+}
--- a/common/badversion/version_json.go
+++ b/common/badversion/version_json.go
@@ -1,6 +1,6 @@
 package badversion

-import "github.com/sagernet/sing-box/common/json"
+import "github.com/sagernet/sing/common/json"

 func (v Version) MarshalJSON() ([]byte, error) {
 	return json.Marshal(v.String())
--- a/common/contextjson/README.md
+++ b/common/contextjson/README.md
@@ -1,3 +0,0 @@
-# contextjson
-
-mod from go1.21.4
--- a/common/contextjson/decode.go
+++ b/common/contextjson/decode.go
--- a/common/contextjson/decode_context.go
+++ b/common/contextjson/decode_context.go
@@ -1,49 +0,0 @@
-package json
-
-import "strconv"
-
-type decodeContext struct {
-	parent *decodeContext
-	index  int
-	key    string
-}
-
-func (d *decodeState) formatContext() string {
-	var description string
-	context := d.context
-	var appendDot bool
-	for context != nil {
-		if appendDot {
-			description = "." + description
-		}
-		if context.key != "" {
-			description = context.key + description
-			appendDot = true
-		} else {
-			description = "[" + strconv.Itoa(context.index) + "]" + description
-			appendDot = false
-		}
-		context = context.parent
-	}
-	return description
-}
-
-type contextError struct {
-	parent  error
-	context string
-	index   bool
-}
-
-func (c *contextError) Unwrap() error {
-	return c.parent
-}
-
-func (c *contextError) Error() string {
-	//goland:noinspection GoTypeAssertionOnErrors
-	switch c.parent.(type) {
-	case *contextError:
-		return c.context + "." + c.parent.Error()
-	default:
-		return c.context + ": " + c.parent.Error()
-	}
-}
--- a/common/contextjson/encode.go
+++ b/common/contextjson/encode.go
--- a/common/contextjson/fold.go
+++ b/common/contextjson/fold.go
@@ -1,48 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"unicode"
-	"unicode/utf8"
-)
-
-// foldName returns a folded string such that foldName(x) == foldName(y)
-// is identical to bytes.EqualFold(x, y).
-func foldName(in []byte) []byte {
-	// This is inlinable to take advantage of "function outlining".
-	var arr [32]byte // large enough for most JSON names
-	return appendFoldedName(arr[:0], in)
-}
-
-func appendFoldedName(out, in []byte) []byte {
-	for i := 0; i < len(in); {
-		// Handle single-byte ASCII.
-		if c := in[i]; c < utf8.RuneSelf {
-			if 'a' <= c && c <= 'z' {
-				c -= 'a' - 'A'
-			}
-			out = append(out, c)
-			i++
-			continue
-		}
-		// Handle multi-byte Unicode.
-		r, n := utf8.DecodeRune(in[i:])
-		out = utf8.AppendRune(out, foldRune(r))
-		i += n
-	}
-	return out
-}
-
-// foldRune is returns the smallest rune for all runes in the same fold set.
-func foldRune(r rune) rune {
-	for {
-		r2 := unicode.SimpleFold(r)
-		if r2 <= r {
-			return r2
-		}
-		r = r2
-	}
-}
--- a/common/contextjson/indent.go
+++ b/common/contextjson/indent.go
@@ -1,174 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import "bytes"
-
-// HTMLEscape appends to dst the JSON-encoded src with <, >, &, U+2028 and U+2029
-// characters inside string literals changed to \u003c, \u003e, \u0026, \u2028, \u2029
-// so that the JSON will be safe to embed inside HTML <script> tags.
-// For historical reasons, web browsers don't honor standard HTML
-// escaping within <script> tags, so an alternative JSON encoding must be used.
-func HTMLEscape(dst *bytes.Buffer, src []byte) {
-	dst.Grow(len(src))
-	dst.Write(appendHTMLEscape(dst.AvailableBuffer(), src))
-}
-
-func appendHTMLEscape(dst, src []byte) []byte {
-	// The characters can only appear in string literals,
-	// so just scan the string one byte at a time.
-	start := 0
-	for i, c := range src {
-		if c == '<' || c == '>' || c == '&' {
-			dst = append(dst, src[start:i]...)
-			dst = append(dst, '\\', 'u', '0', '0', hex[c>>4], hex[c&0xF])
-			start = i + 1
-		}
-		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
-		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
-			dst = append(dst, src[start:i]...)
-			dst = append(dst, '\\', 'u', '2', '0', '2', hex[src[i+2]&0xF])
-			start = i + len("\u2029")
-		}
-	}
-	return append(dst, src[start:]...)
-}
-
-// Compact appends to dst the JSON-encoded src with
-// insignificant space characters elided.
-func Compact(dst *bytes.Buffer, src []byte) error {
-	dst.Grow(len(src))
-	b := dst.AvailableBuffer()
-	b, err := appendCompact(b, src, false)
-	dst.Write(b)
-	return err
-}
-
-func appendCompact(dst, src []byte, escape bool) ([]byte, error) {
-	origLen := len(dst)
-	scan := newScanner()
-	defer freeScanner(scan)
-	start := 0
-	for i, c := range src {
-		if escape && (c == '<' || c == '>' || c == '&') {
-			dst = append(dst, src[start:i]...)
-			dst = append(dst, '\\', 'u', '0', '0', hex[c>>4], hex[c&0xF])
-			start = i + 1
-		}
-		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
-		if escape && c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
-			dst = append(dst, src[start:i]...)
-			dst = append(dst, '\\', 'u', '2', '0', '2', hex[src[i+2]&0xF])
-			start = i + len("\u2029")
-		}
-		v := scan.step(scan, c)
-		if v >= scanSkipSpace {
-			if v == scanError {
-				break
-			}
-			dst = append(dst, src[start:i]...)
-			start = i + 1
-		}
-	}
-	if scan.eof() == scanError {
-		return dst[:origLen], scan.err
-	}
-	dst = append(dst, src[start:]...)
-	return dst, nil
-}
-
-func appendNewline(dst []byte, prefix, indent string, depth int) []byte {
-	dst = append(dst, '\n')
-	dst = append(dst, prefix...)
-	for i := 0; i < depth; i++ {
-		dst = append(dst, indent...)
-	}
-	return dst
-}
-
-// indentGrowthFactor specifies the growth factor of indenting JSON input.
-// Empirically, the growth factor was measured to be between 1.4x to 1.8x
-// for some set of compacted JSON with the indent being a single tab.
-// Specify a growth factor slightly larger than what is observed
-// to reduce probability of allocation in appendIndent.
-// A factor no higher than 2 ensures that wasted space never exceeds 50%.
-const indentGrowthFactor = 2
-
-// Indent appends to dst an indented form of the JSON-encoded src.
-// Each element in a JSON object or array begins on a new,
-// indented line beginning with prefix followed by one or more
-// copies of indent according to the indentation nesting.
-// The data appended to dst does not begin with the prefix nor
-// any indentation, to make it easier to embed inside other formatted JSON data.
-// Although leading space characters (space, tab, carriage return, newline)
-// at the beginning of src are dropped, trailing space characters
-// at the end of src are preserved and copied to dst.
-// For example, if src has no trailing spaces, neither will dst;
-// if src ends in a trailing newline, so will dst.
-func Indent(dst *bytes.Buffer, src []byte, prefix, indent string) error {
-	dst.Grow(indentGrowthFactor * len(src))
-	b := dst.AvailableBuffer()
-	b, err := appendIndent(b, src, prefix, indent)
-	dst.Write(b)
-	return err
-}
-
-func appendIndent(dst, src []byte, prefix, indent string) ([]byte, error) {
-	origLen := len(dst)
-	scan := newScanner()
-	defer freeScanner(scan)
-	needIndent := false
-	depth := 0
-	for _, c := range src {
-		scan.bytes++
-		v := scan.step(scan, c)
-		if v == scanSkipSpace {
-			continue
-		}
-		if v == scanError {
-			break
-		}
-		if needIndent && v != scanEndObject && v != scanEndArray {
-			needIndent = false
-			depth++
-			dst = appendNewline(dst, prefix, indent, depth)
-		}
-
-		// Emit semantically uninteresting bytes
-		// (in particular, punctuation in strings) unmodified.
-		if v == scanContinue {
-			dst = append(dst, c)
-			continue
-		}
-
-		// Add spacing around real punctuation.
-		switch c {
-		case '{', '[':
-			// delay indent so that empty object and array are formatted as {} and [].
-			needIndent = true
-			dst = append(dst, c)
-		case ',':
-			dst = append(dst, c)
-			dst = appendNewline(dst, prefix, indent, depth)
-		case ':':
-			dst = append(dst, c, ' ')
-		case '}', ']':
-			if needIndent {
-				// suppress indent in empty object/array
-				needIndent = false
-			} else {
-				depth--
-				dst = appendNewline(dst, prefix, indent, depth)
-			}
-			dst = append(dst, c)
-		default:
-			dst = append(dst, c)
-		}
-	}
-	if scan.eof() == scanError {
-		return dst[:origLen], scan.err
-	}
-	return dst, nil
-}
--- a/common/contextjson/scanner.go
+++ b/common/contextjson/scanner.go
@@ -1,610 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-// JSON value parser state machine.
-// Just about at the limit of what is reasonable to write by hand.
-// Some parts are a bit tedious, but overall it nicely factors out the
-// otherwise common code from the multiple scanning functions
-// in this package (Compact, Indent, checkValid, etc).
-//
-// This file starts with two simple examples using the scanner
-// before diving into the scanner itself.
-
-import (
-	"strconv"
-	"sync"
-)
-
-// Valid reports whether data is a valid JSON encoding.
-func Valid(data []byte) bool {
-	scan := newScanner()
-	defer freeScanner(scan)
-	return checkValid(data, scan) == nil
-}
-
-// checkValid verifies that data is valid JSON-encoded data.
-// scan is passed in for use by checkValid to avoid an allocation.
-// checkValid returns nil or a SyntaxError.
-func checkValid(data []byte, scan *scanner) error {
-	scan.reset()
-	for _, c := range data {
-		scan.bytes++
-		if scan.step(scan, c) == scanError {
-			return scan.err
-		}
-	}
-	if scan.eof() == scanError {
-		return scan.err
-	}
-	return nil
-}
-
-// A SyntaxError is a description of a JSON syntax error.
-// Unmarshal will return a SyntaxError if the JSON can't be parsed.
-type SyntaxError struct {
-	msg    string // description of error
-	Offset int64  // error occurred after reading Offset bytes
-}
-
-func (e *SyntaxError) Error() string { return e.msg }
-
-// A scanner is a JSON scanning state machine.
-// Callers call scan.reset and then pass bytes in one at a time
-// by calling scan.step(&scan, c) for each byte.
-// The return value, referred to as an opcode, tells the
-// caller about significant parsing events like beginning
-// and ending literals, objects, and arrays, so that the
-// caller can follow along if it wishes.
-// The return value scanEnd indicates that a single top-level
-// JSON value has been completed, *before* the byte that
-// just got passed in.  (The indication must be delayed in order
-// to recognize the end of numbers: is 123 a whole value or
-// the beginning of 12345e+6?).
-type scanner struct {
-	// The step is a func to be called to execute the next transition.
-	// Also tried using an integer constant and a single func
-	// with a switch, but using the func directly was 10% faster
-	// on a 64-bit Mac Mini, and it's nicer to read.
-	step func(*scanner, byte) int
-
-	// Reached end of top-level value.
-	endTop bool
-
-	// Stack of what we're in the middle of - array values, object keys, object values.
-	parseState []int
-
-	// Error that happened, if any.
-	err error
-
-	// total bytes consumed, updated by decoder.Decode (and deliberately
-	// not set to zero by scan.reset)
-	bytes int64
-}
-
-var scannerPool = sync.Pool{
-	New: func() any {
-		return &scanner{}
-	},
-}
-
-func newScanner() *scanner {
-	scan := scannerPool.Get().(*scanner)
-	// scan.reset by design doesn't set bytes to zero
-	scan.bytes = 0
-	scan.reset()
-	return scan
-}
-
-func freeScanner(scan *scanner) {
-	// Avoid hanging on to too much memory in extreme cases.
-	if len(scan.parseState) > 1024 {
-		scan.parseState = nil
-	}
-	scannerPool.Put(scan)
-}
-
-// These values are returned by the state transition functions
-// assigned to scanner.state and the method scanner.eof.
-// They give details about the current state of the scan that
-// callers might be interested to know about.
-// It is okay to ignore the return value of any particular
-// call to scanner.state: if one call returns scanError,
-// every subsequent call will return scanError too.
-const (
-	// Continue.
-	scanContinue     = iota // uninteresting byte
-	scanBeginLiteral        // end implied by next result != scanContinue
-	scanBeginObject         // begin object
-	scanObjectKey           // just finished object key (string)
-	scanObjectValue         // just finished non-last object value
-	scanEndObject           // end object (implies scanObjectValue if possible)
-	scanBeginArray          // begin array
-	scanArrayValue          // just finished array value
-	scanEndArray            // end array (implies scanArrayValue if possible)
-	scanSkipSpace           // space byte; can skip; known to be last "continue" result
-
-	// Stop.
-	scanEnd   // top-level value ended *before* this byte; known to be first "stop" result
-	scanError // hit an error, scanner.err.
-)
-
-// These values are stored in the parseState stack.
-// They give the current state of a composite value
-// being scanned. If the parser is inside a nested value
-// the parseState describes the nested state, outermost at entry 0.
-const (
-	parseObjectKey   = iota // parsing object key (before colon)
-	parseObjectValue        // parsing object value (after colon)
-	parseArrayValue         // parsing array value
-)
-
-// This limits the max nesting depth to prevent stack overflow.
-// This is permitted by https://tools.ietf.org/html/rfc7159#section-9
-const maxNestingDepth = 10000
-
-// reset prepares the scanner for use.
-// It must be called before calling s.step.
-func (s *scanner) reset() {
-	s.step = stateBeginValue
-	s.parseState = s.parseState[0:0]
-	s.err = nil
-	s.endTop = false
-}
-
-// eof tells the scanner that the end of input has been reached.
-// It returns a scan status just as s.step does.
-func (s *scanner) eof() int {
-	if s.err != nil {
-		return scanError
-	}
-	if s.endTop {
-		return scanEnd
-	}
-	s.step(s, ' ')
-	if s.endTop {
-		return scanEnd
-	}
-	if s.err == nil {
-		s.err = &SyntaxError{"unexpected end of JSON input", s.bytes}
-	}
-	return scanError
-}
-
-// pushParseState pushes a new parse state p onto the parse stack.
-// an error state is returned if maxNestingDepth was exceeded, otherwise successState is returned.
-func (s *scanner) pushParseState(c byte, newParseState int, successState int) int {
-	s.parseState = append(s.parseState, newParseState)
-	if len(s.parseState) <= maxNestingDepth {
-		return successState
-	}
-	return s.error(c, "exceeded max depth")
-}
-
-// popParseState pops a parse state (already obtained) off the stack
-// and updates s.step accordingly.
-func (s *scanner) popParseState() {
-	n := len(s.parseState) - 1
-	s.parseState = s.parseState[0:n]
-	if n == 0 {
-		s.step = stateEndTop
-		s.endTop = true
-	} else {
-		s.step = stateEndValue
-	}
-}
-
-func isSpace(c byte) bool {
-	return c <= ' ' && (c == ' ' || c == '\t' || c == '\r' || c == '\n')
-}
-
-// stateBeginValueOrEmpty is the state after reading `[`.
-func stateBeginValueOrEmpty(s *scanner, c byte) int {
-	if isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == ']' {
-		return stateEndValue(s, c)
-	}
-	return stateBeginValue(s, c)
-}
-
-// stateBeginValue is the state at the beginning of the input.
-func stateBeginValue(s *scanner, c byte) int {
-	if isSpace(c) {
-		return scanSkipSpace
-	}
-	switch c {
-	case '{':
-		s.step = stateBeginStringOrEmpty
-		return s.pushParseState(c, parseObjectKey, scanBeginObject)
-	case '[':
-		s.step = stateBeginValueOrEmpty
-		return s.pushParseState(c, parseArrayValue, scanBeginArray)
-	case '"':
-		s.step = stateInString
-		return scanBeginLiteral
-	case '-':
-		s.step = stateNeg
-		return scanBeginLiteral
-	case '0': // beginning of 0.123
-		s.step = state0
-		return scanBeginLiteral
-	case 't': // beginning of true
-		s.step = stateT
-		return scanBeginLiteral
-	case 'f': // beginning of false
-		s.step = stateF
-		return scanBeginLiteral
-	case 'n': // beginning of null
-		s.step = stateN
-		return scanBeginLiteral
-	}
-	if '1' <= c && c <= '9' { // beginning of 1234.5
-		s.step = state1
-		return scanBeginLiteral
-	}
-	return s.error(c, "looking for beginning of value")
-}
-
-// stateBeginStringOrEmpty is the state after reading `{`.
-func stateBeginStringOrEmpty(s *scanner, c byte) int {
-	if isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == '}' {
-		n := len(s.parseState)
-		s.parseState[n-1] = parseObjectValue
-		return stateEndValue(s, c)
-	}
-	return stateBeginString(s, c)
-}
-
-// stateBeginString is the state after reading `{"key": value,`.
-func stateBeginString(s *scanner, c byte) int {
-	if isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == '"' {
-		s.step = stateInString
-		return scanBeginLiteral
-	}
-	return s.error(c, "looking for beginning of object key string")
-}
-
-// stateEndValue is the state after completing a value,
-// such as after reading `{}` or `true` or `["x"`.
-func stateEndValue(s *scanner, c byte) int {
-	n := len(s.parseState)
-	if n == 0 {
-		// Completed top-level before the current byte.
-		s.step = stateEndTop
-		s.endTop = true
-		return stateEndTop(s, c)
-	}
-	if isSpace(c) {
-		s.step = stateEndValue
-		return scanSkipSpace
-	}
-	ps := s.parseState[n-1]
-	switch ps {
-	case parseObjectKey:
-		if c == ':' {
-			s.parseState[n-1] = parseObjectValue
-			s.step = stateBeginValue
-			return scanObjectKey
-		}
-		return s.error(c, "after object key")
-	case parseObjectValue:
-		if c == ',' {
-			s.parseState[n-1] = parseObjectKey
-			s.step = stateBeginString
-			return scanObjectValue
-		}
-		if c == '}' {
-			s.popParseState()
-			return scanEndObject
-		}
-		return s.error(c, "after object key:value pair")
-	case parseArrayValue:
-		if c == ',' {
-			s.step = stateBeginValue
-			return scanArrayValue
-		}
-		if c == ']' {
-			s.popParseState()
-			return scanEndArray
-		}
-		return s.error(c, "after array element")
-	}
-	return s.error(c, "")
-}
-
-// stateEndTop is the state after finishing the top-level value,
-// such as after reading `{}` or `[1,2,3]`.
-// Only space characters should be seen now.
-func stateEndTop(s *scanner, c byte) int {
-	if !isSpace(c) {
-		// Complain about non-space byte on next call.
-		s.error(c, "after top-level value")
-	}
-	return scanEnd
-}
-
-// stateInString is the state after reading `"`.
-func stateInString(s *scanner, c byte) int {
-	if c == '"' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	if c == '\\' {
-		s.step = stateInStringEsc
-		return scanContinue
-	}
-	if c < 0x20 {
-		return s.error(c, "in string literal")
-	}
-	return scanContinue
-}
-
-// stateInStringEsc is the state after reading `"\` during a quoted string.
-func stateInStringEsc(s *scanner, c byte) int {
-	switch c {
-	case 'b', 'f', 'n', 'r', 't', '\\', '/', '"':
-		s.step = stateInString
-		return scanContinue
-	case 'u':
-		s.step = stateInStringEscU
-		return scanContinue
-	}
-	return s.error(c, "in string escape code")
-}
-
-// stateInStringEscU is the state after reading `"\u` during a quoted string.
-func stateInStringEscU(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU1
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU1 is the state after reading `"\u1` during a quoted string.
-func stateInStringEscU1(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU12
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU12 is the state after reading `"\u12` during a quoted string.
-func stateInStringEscU12(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU123
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU123 is the state after reading `"\u123` during a quoted string.
-func stateInStringEscU123(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInString
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateNeg is the state after reading `-` during a number.
-func stateNeg(s *scanner, c byte) int {
-	if c == '0' {
-		s.step = state0
-		return scanContinue
-	}
-	if '1' <= c && c <= '9' {
-		s.step = state1
-		return scanContinue
-	}
-	return s.error(c, "in numeric literal")
-}
-
-// state1 is the state after reading a non-zero integer during a number,
-// such as after reading `1` or `100` but not `0`.
-func state1(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = state1
-		return scanContinue
-	}
-	return state0(s, c)
-}
-
-// state0 is the state after reading `0` during a number.
-func state0(s *scanner, c byte) int {
-	if c == '.' {
-		s.step = stateDot
-		return scanContinue
-	}
-	if c == 'e' || c == 'E' {
-		s.step = stateE
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateDot is the state after reading the integer and decimal point in a number,
-// such as after reading `1.`.
-func stateDot(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateDot0
-		return scanContinue
-	}
-	return s.error(c, "after decimal point in numeric literal")
-}
-
-// stateDot0 is the state after reading the integer, decimal point, and subsequent
-// digits of a number, such as after reading `3.14`.
-func stateDot0(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		return scanContinue
-	}
-	if c == 'e' || c == 'E' {
-		s.step = stateE
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateE is the state after reading the mantissa and e in a number,
-// such as after reading `314e` or `0.314e`.
-func stateE(s *scanner, c byte) int {
-	if c == '+' || c == '-' {
-		s.step = stateESign
-		return scanContinue
-	}
-	return stateESign(s, c)
-}
-
-// stateESign is the state after reading the mantissa, e, and sign in a number,
-// such as after reading `314e-` or `0.314e+`.
-func stateESign(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateE0
-		return scanContinue
-	}
-	return s.error(c, "in exponent of numeric literal")
-}
-
-// stateE0 is the state after reading the mantissa, e, optional sign,
-// and at least one digit of the exponent in a number,
-// such as after reading `314e-2` or `0.314e+1` or `3.14e0`.
-func stateE0(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateT is the state after reading `t`.
-func stateT(s *scanner, c byte) int {
-	if c == 'r' {
-		s.step = stateTr
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'r')")
-}
-
-// stateTr is the state after reading `tr`.
-func stateTr(s *scanner, c byte) int {
-	if c == 'u' {
-		s.step = stateTru
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'u')")
-}
-
-// stateTru is the state after reading `tru`.
-func stateTru(s *scanner, c byte) int {
-	if c == 'e' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'e')")
-}
-
-// stateF is the state after reading `f`.
-func stateF(s *scanner, c byte) int {
-	if c == 'a' {
-		s.step = stateFa
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'a')")
-}
-
-// stateFa is the state after reading `fa`.
-func stateFa(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateFal
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'l')")
-}
-
-// stateFal is the state after reading `fal`.
-func stateFal(s *scanner, c byte) int {
-	if c == 's' {
-		s.step = stateFals
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 's')")
-}
-
-// stateFals is the state after reading `fals`.
-func stateFals(s *scanner, c byte) int {
-	if c == 'e' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'e')")
-}
-
-// stateN is the state after reading `n`.
-func stateN(s *scanner, c byte) int {
-	if c == 'u' {
-		s.step = stateNu
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'u')")
-}
-
-// stateNu is the state after reading `nu`.
-func stateNu(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateNul
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateNul is the state after reading `nul`.
-func stateNul(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateError is the state after reaching a syntax error,
-// such as after reading `[1}` or `5.1.2`.
-func stateError(s *scanner, c byte) int {
-	return scanError
-}
-
-// error records an error and switches to the error state.
-func (s *scanner) error(c byte, context string) int {
-	s.step = stateError
-	s.err = &SyntaxError{"invalid character " + quoteChar(c) + " " + context, s.bytes}
-	return scanError
-}
-
-// quoteChar formats c as a quoted character literal.
-func quoteChar(c byte) string {
-	// special cases - different from quoted strings
-	if c == '\'' {
-		return `'\''`
-	}
-	if c == '"' {
-		return `'"'`
-	}
-
-	// use quoted string with different quotation marks
-	s := strconv.Quote(string(c))
-	return "'" + s[1:len(s)-1] + "'"
-}
--- a/common/contextjson/stream.go
+++ b/common/contextjson/stream.go
@@ -1,513 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"bytes"
-	"errors"
-	"io"
-)
-
-// A Decoder reads and decodes JSON values from an input stream.
-type Decoder struct {
-	r       io.Reader
-	buf     []byte
-	d       decodeState
-	scanp   int   // start of unread data in buf
-	scanned int64 // amount of data already scanned
-	scan    scanner
-	err     error
-
-	tokenState int
-	tokenStack []int
-}
-
-// NewDecoder returns a new decoder that reads from r.
-//
-// The decoder introduces its own buffering and may
-// read data from r beyond the JSON values requested.
-func NewDecoder(r io.Reader) *Decoder {
-	return &Decoder{r: r}
-}
-
-// UseNumber causes the Decoder to unmarshal a number into an interface{} as a
-// Number instead of as a float64.
-func (dec *Decoder) UseNumber() { dec.d.useNumber = true }
-
-// DisallowUnknownFields causes the Decoder to return an error when the destination
-// is a struct and the input contains object keys which do not match any
-// non-ignored, exported fields in the destination.
-func (dec *Decoder) DisallowUnknownFields() { dec.d.disallowUnknownFields = true }
-
-// Decode reads the next JSON-encoded value from its
-// input and stores it in the value pointed to by v.
-//
-// See the documentation for Unmarshal for details about
-// the conversion of JSON into a Go value.
-func (dec *Decoder) Decode(v any) error {
-	if dec.err != nil {
-		return dec.err
-	}
-
-	if err := dec.tokenPrepareForDecode(); err != nil {
-		return err
-	}
-
-	if !dec.tokenValueAllowed() {
-		return &SyntaxError{msg: "not at beginning of value", Offset: dec.InputOffset()}
-	}
-
-	// Read whole value into buffer.
-	n, err := dec.readValue()
-	if err != nil {
-		return err
-	}
-	dec.d.init(dec.buf[dec.scanp : dec.scanp+n])
-	dec.scanp += n
-
-	// Don't save err from unmarshal into dec.err:
-	// the connection is still usable since we read a complete JSON
-	// object from it before the error happened.
-	err = dec.d.unmarshal(v)
-
-	// fixup token streaming state
-	dec.tokenValueEnd()
-
-	return err
-}
-
-// Buffered returns a reader of the data remaining in the Decoder's
-// buffer. The reader is valid until the next call to Decode.
-func (dec *Decoder) Buffered() io.Reader {
-	return bytes.NewReader(dec.buf[dec.scanp:])
-}
-
-// readValue reads a JSON value into dec.buf.
-// It returns the length of the encoding.
-func (dec *Decoder) readValue() (int, error) {
-	dec.scan.reset()
-
-	scanp := dec.scanp
-	var err error
-Input:
-	// help the compiler see that scanp is never negative, so it can remove
-	// some bounds checks below.
-	for scanp >= 0 {
-
-		// Look in the buffer for a new value.
-		for ; scanp < len(dec.buf); scanp++ {
-			c := dec.buf[scanp]
-			dec.scan.bytes++
-			switch dec.scan.step(&dec.scan, c) {
-			case scanEnd:
-				// scanEnd is delayed one byte so we decrement
-				// the scanner bytes count by 1 to ensure that
-				// this value is correct in the next call of Decode.
-				dec.scan.bytes--
-				break Input
-			case scanEndObject, scanEndArray:
-				// scanEnd is delayed one byte.
-				// We might block trying to get that byte from src,
-				// so instead invent a space byte.
-				if stateEndValue(&dec.scan, ' ') == scanEnd {
-					scanp++
-					break Input
-				}
-			case scanError:
-				dec.err = dec.scan.err
-				return 0, dec.scan.err
-			}
-		}
-
-		// Did the last read have an error?
-		// Delayed until now to allow buffer scan.
-		if err != nil {
-			if err == io.EOF {
-				if dec.scan.step(&dec.scan, ' ') == scanEnd {
-					break Input
-				}
-				if nonSpace(dec.buf) {
-					err = io.ErrUnexpectedEOF
-				}
-			}
-			dec.err = err
-			return 0, err
-		}
-
-		n := scanp - dec.scanp
-		err = dec.refill()
-		scanp = dec.scanp + n
-	}
-	return scanp - dec.scanp, nil
-}
-
-func (dec *Decoder) refill() error {
-	// Make room to read more into the buffer.
-	// First slide down data already consumed.
-	if dec.scanp > 0 {
-		dec.scanned += int64(dec.scanp)
-		n := copy(dec.buf, dec.buf[dec.scanp:])
-		dec.buf = dec.buf[:n]
-		dec.scanp = 0
-	}
-
-	// Grow buffer if not large enough.
-	const minRead = 512
-	if cap(dec.buf)-len(dec.buf) < minRead {
-		newBuf := make([]byte, len(dec.buf), 2*cap(dec.buf)+minRead)
-		copy(newBuf, dec.buf)
-		dec.buf = newBuf
-	}
-
-	// Read. Delay error for next iteration (after scan).
-	n, err := dec.r.Read(dec.buf[len(dec.buf):cap(dec.buf)])
-	dec.buf = dec.buf[0 : len(dec.buf)+n]
-
-	return err
-}
-
-func nonSpace(b []byte) bool {
-	for _, c := range b {
-		if !isSpace(c) {
-			return true
-		}
-	}
-	return false
-}
-
-// An Encoder writes JSON values to an output stream.
-type Encoder struct {
-	w          io.Writer
-	err        error
-	escapeHTML bool
-
-	indentBuf    []byte
-	indentPrefix string
-	indentValue  string
-}
-
-// NewEncoder returns a new encoder that writes to w.
-func NewEncoder(w io.Writer) *Encoder {
-	return &Encoder{w: w, escapeHTML: true}
-}
-
-// Encode writes the JSON encoding of v to the stream,
-// followed by a newline character.
-//
-// See the documentation for Marshal for details about the
-// conversion of Go values to JSON.
-func (enc *Encoder) Encode(v any) error {
-	if enc.err != nil {
-		return enc.err
-	}
-
-	e := newEncodeState()
-	defer encodeStatePool.Put(e)
-
-	err := e.marshal(v, encOpts{escapeHTML: enc.escapeHTML})
-	if err != nil {
-		return err
-	}
-
-	// Terminate each value with a newline.
-	// This makes the output look a little nicer
-	// when debugging, and some kind of space
-	// is required if the encoded value was a number,
-	// so that the reader knows there aren't more
-	// digits coming.
-	e.WriteByte('\n')
-
-	b := e.Bytes()
-	if enc.indentPrefix != "" || enc.indentValue != "" {
-		enc.indentBuf, err = appendIndent(enc.indentBuf[:0], b, enc.indentPrefix, enc.indentValue)
-		if err != nil {
-			return err
-		}
-		b = enc.indentBuf
-	}
-	if _, err = enc.w.Write(b); err != nil {
-		enc.err = err
-	}
-	return err
-}
-
-// SetIndent instructs the encoder to format each subsequent encoded
-// value as if indented by the package-level function Indent(dst, src, prefix, indent).
-// Calling SetIndent("", "") disables indentation.
-func (enc *Encoder) SetIndent(prefix, indent string) {
-	enc.indentPrefix = prefix
-	enc.indentValue = indent
-}
-
-// SetEscapeHTML specifies whether problematic HTML characters
-// should be escaped inside JSON quoted strings.
-// The default behavior is to escape &, <, and > to \u0026, \u003c, and \u003e
-// to avoid certain safety problems that can arise when embedding JSON in HTML.
-//
-// In non-HTML settings where the escaping interferes with the readability
-// of the output, SetEscapeHTML(false) disables this behavior.
-func (enc *Encoder) SetEscapeHTML(on bool) {
-	enc.escapeHTML = on
-}
-
-// RawMessage is a raw encoded JSON value.
-// It implements Marshaler and Unmarshaler and can
-// be used to delay JSON decoding or precompute a JSON encoding.
-type RawMessage []byte
-
-// MarshalJSON returns m as the JSON encoding of m.
-func (m RawMessage) MarshalJSON() ([]byte, error) {
-	if m == nil {
-		return []byte("null"), nil
-	}
-	return m, nil
-}
-
-// UnmarshalJSON sets *m to a copy of data.
-func (m *RawMessage) UnmarshalJSON(data []byte) error {
-	if m == nil {
-		return errors.New("json.RawMessage: UnmarshalJSON on nil pointer")
-	}
-	*m = append((*m)[0:0], data...)
-	return nil
-}
-
-var (
-	_ Marshaler   = (*RawMessage)(nil)
-	_ Unmarshaler = (*RawMessage)(nil)
-)
-
-// A Token holds a value of one of these types:
-//
-//	Delim, for the four JSON delimiters [ ] { }
-//	bool, for JSON booleans
-//	float64, for JSON numbers
-//	Number, for JSON numbers
-//	string, for JSON string literals
-//	nil, for JSON null
-type Token any
-
-const (
-	tokenTopValue = iota
-	tokenArrayStart
-	tokenArrayValue
-	tokenArrayComma
-	tokenObjectStart
-	tokenObjectKey
-	tokenObjectColon
-	tokenObjectValue
-	tokenObjectComma
-)
-
-// advance tokenstate from a separator state to a value state
-func (dec *Decoder) tokenPrepareForDecode() error {
-	// Note: Not calling peek before switch, to avoid
-	// putting peek into the standard Decode path.
-	// peek is only called when using the Token API.
-	switch dec.tokenState {
-	case tokenArrayComma:
-		c, err := dec.peek()
-		if err != nil {
-			return err
-		}
-		if c != ',' {
-			return &SyntaxError{"expected comma after array element", dec.InputOffset()}
-		}
-		dec.scanp++
-		dec.tokenState = tokenArrayValue
-	case tokenObjectColon:
-		c, err := dec.peek()
-		if err != nil {
-			return err
-		}
-		if c != ':' {
-			return &SyntaxError{"expected colon after object key", dec.InputOffset()}
-		}
-		dec.scanp++
-		dec.tokenState = tokenObjectValue
-	}
-	return nil
-}
-
-func (dec *Decoder) tokenValueAllowed() bool {
-	switch dec.tokenState {
-	case tokenTopValue, tokenArrayStart, tokenArrayValue, tokenObjectValue:
-		return true
-	}
-	return false
-}
-
-func (dec *Decoder) tokenValueEnd() {
-	switch dec.tokenState {
-	case tokenArrayStart, tokenArrayValue:
-		dec.tokenState = tokenArrayComma
-	case tokenObjectValue:
-		dec.tokenState = tokenObjectComma
-	}
-}
-
-// A Delim is a JSON array or object delimiter, one of [ ] { or }.
-type Delim rune
-
-func (d Delim) String() string {
-	return string(d)
-}
-
-// Token returns the next JSON token in the input stream.
-// At the end of the input stream, Token returns nil, io.EOF.
-//
-// Token guarantees that the delimiters [ ] { } it returns are
-// properly nested and matched: if Token encounters an unexpected
-// delimiter in the input, it will return an error.
-//
-// The input stream consists of basic JSON values—bool, string,
-// number, and null—along with delimiters [ ] { } of type Delim
-// to mark the start and end of arrays and objects.
-// Commas and colons are elided.
-func (dec *Decoder) Token() (Token, error) {
-	for {
-		c, err := dec.peek()
-		if err != nil {
-			return nil, err
-		}
-		switch c {
-		case '[':
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
-			dec.tokenState = tokenArrayStart
-			return Delim('['), nil
-
-		case ']':
-			if dec.tokenState != tokenArrayStart && dec.tokenState != tokenArrayComma {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
-			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
-			dec.tokenValueEnd()
-			return Delim(']'), nil
-
-		case '{':
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
-			dec.tokenState = tokenObjectStart
-			return Delim('{'), nil
-
-		case '}':
-			if dec.tokenState != tokenObjectStart && dec.tokenState != tokenObjectComma {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
-			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
-			dec.tokenValueEnd()
-			return Delim('}'), nil
-
-		case ':':
-			if dec.tokenState != tokenObjectColon {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = tokenObjectValue
-			continue
-
-		case ',':
-			if dec.tokenState == tokenArrayComma {
-				dec.scanp++
-				dec.tokenState = tokenArrayValue
-				continue
-			}
-			if dec.tokenState == tokenObjectComma {
-				dec.scanp++
-				dec.tokenState = tokenObjectKey
-				continue
-			}
-			return dec.tokenError(c)
-
-		case '"':
-			if dec.tokenState == tokenObjectStart || dec.tokenState == tokenObjectKey {
-				var x string
-				old := dec.tokenState
-				dec.tokenState = tokenTopValue
-				err := dec.Decode(&x)
-				dec.tokenState = old
-				if err != nil {
-					return nil, err
-				}
-				dec.tokenState = tokenObjectColon
-				return x, nil
-			}
-			fallthrough
-
-		default:
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			var x any
-			if err := dec.Decode(&x); err != nil {
-				return nil, err
-			}
-			return x, nil
-		}
-	}
-}
-
-func (dec *Decoder) tokenError(c byte) (Token, error) {
-	var context string
-	switch dec.tokenState {
-	case tokenTopValue:
-		context = " looking for beginning of value"
-	case tokenArrayStart, tokenArrayValue, tokenObjectValue:
-		context = " looking for beginning of value"
-	case tokenArrayComma:
-		context = " after array element"
-	case tokenObjectKey:
-		context = " looking for beginning of object key string"
-	case tokenObjectColon:
-		context = " after object key"
-	case tokenObjectComma:
-		context = " after object key:value pair"
-	}
-	return nil, &SyntaxError{"invalid character " + quoteChar(c) + context, dec.InputOffset()}
-}
-
-// More reports whether there is another element in the
-// current array or object being parsed.
-func (dec *Decoder) More() bool {
-	c, err := dec.peek()
-	return err == nil && c != ']' && c != '}'
-}
-
-func (dec *Decoder) peek() (byte, error) {
-	var err error
-	for {
-		for i := dec.scanp; i < len(dec.buf); i++ {
-			c := dec.buf[i]
-			if isSpace(c) {
-				continue
-			}
-			dec.scanp = i
-			return c, nil
-		}
-		// buffer has been scanned, now report any error
-		if err != nil {
-			return 0, err
-		}
-		err = dec.refill()
-	}
-}
-
-// InputOffset returns the input stream byte offset of the current decoder position.
-// The offset gives the location of the end of the most recently returned token
-// and the beginning of the next token.
-func (dec *Decoder) InputOffset() int64 {
-	return dec.scanned + int64(dec.scanp)
-}
--- a/common/contextjson/tables.go
+++ b/common/contextjson/tables.go
@@ -1,218 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import "unicode/utf8"
-
-// safeSet holds the value true if the ASCII character with the given array
-// position can be represented inside a JSON string without any further
-// escaping.
-//
-// All values are true except for the ASCII control characters (0-31), the
-// double quote ("), and the backslash character ("\").
-var safeSet = [utf8.RuneSelf]bool{
-	' ':      true,
-	'!':      true,
-	'"':      false,
-	'#':      true,
-	'$':      true,
-	'%':      true,
-	'&':      true,
-	'\'':     true,
-	'(':      true,
-	')':      true,
-	'*':      true,
-	'+':      true,
-	',':      true,
-	'-':      true,
-	'.':      true,
-	'/':      true,
-	'0':      true,
-	'1':      true,
-	'2':      true,
-	'3':      true,
-	'4':      true,
-	'5':      true,
-	'6':      true,
-	'7':      true,
-	'8':      true,
-	'9':      true,
-	':':      true,
-	';':      true,
-	'<':      true,
-	'=':      true,
-	'>':      true,
-	'?':      true,
-	'@':      true,
-	'A':      true,
-	'B':      true,
-	'C':      true,
-	'D':      true,
-	'E':      true,
-	'F':      true,
-	'G':      true,
-	'H':      true,
-	'I':      true,
-	'J':      true,
-	'K':      true,
-	'L':      true,
-	'M':      true,
-	'N':      true,
-	'O':      true,
-	'P':      true,
-	'Q':      true,
-	'R':      true,
-	'S':      true,
-	'T':      true,
-	'U':      true,
-	'V':      true,
-	'W':      true,
-	'X':      true,
-	'Y':      true,
-	'Z':      true,
-	'[':      true,
-	'\\':     false,
-	']':      true,
-	'^':      true,
-	'_':      true,
-	'`':      true,
-	'a':      true,
-	'b':      true,
-	'c':      true,
-	'd':      true,
-	'e':      true,
-	'f':      true,
-	'g':      true,
-	'h':      true,
-	'i':      true,
-	'j':      true,
-	'k':      true,
-	'l':      true,
-	'm':      true,
-	'n':      true,
-	'o':      true,
-	'p':      true,
-	'q':      true,
-	'r':      true,
-	's':      true,
-	't':      true,
-	'u':      true,
-	'v':      true,
-	'w':      true,
-	'x':      true,
-	'y':      true,
-	'z':      true,
-	'{':      true,
-	'|':      true,
-	'}':      true,
-	'~':      true,
-	'\u007f': true,
-}
-
-// htmlSafeSet holds the value true if the ASCII character with the given
-// array position can be safely represented inside a JSON string, embedded
-// inside of HTML <script> tags, without any additional escaping.
-//
-// All values are true except for the ASCII control characters (0-31), the
-// double quote ("), the backslash character ("\"), HTML opening and closing
-// tags ("<" and ">"), and the ampersand ("&").
-var htmlSafeSet = [utf8.RuneSelf]bool{
-	' ':      true,
-	'!':      true,
-	'"':      false,
-	'#':      true,
-	'$':      true,
-	'%':      true,
-	'&':      false,
-	'\'':     true,
-	'(':      true,
-	')':      true,
-	'*':      true,
-	'+':      true,
-	',':      true,
-	'-':      true,
-	'.':      true,
-	'/':      true,
-	'0':      true,
-	'1':      true,
-	'2':      true,
-	'3':      true,
-	'4':      true,
-	'5':      true,
-	'6':      true,
-	'7':      true,
-	'8':      true,
-	'9':      true,
-	':':      true,
-	';':      true,
-	'<':      false,
-	'=':      true,
-	'>':      false,
-	'?':      true,
-	'@':      true,
-	'A':      true,
-	'B':      true,
-	'C':      true,
-	'D':      true,
-	'E':      true,
-	'F':      true,
-	'G':      true,
-	'H':      true,
-	'I':      true,
-	'J':      true,
-	'K':      true,
-	'L':      true,
-	'M':      true,
-	'N':      true,
-	'O':      true,
-	'P':      true,
-	'Q':      true,
-	'R':      true,
-	'S':      true,
-	'T':      true,
-	'U':      true,
-	'V':      true,
-	'W':      true,
-	'X':      true,
-	'Y':      true,
-	'Z':      true,
-	'[':      true,
-	'\\':     false,
-	']':      true,
-	'^':      true,
-	'_':      true,
-	'`':      true,
-	'a':      true,
-	'b':      true,
-	'c':      true,
-	'd':      true,
-	'e':      true,
-	'f':      true,
-	'g':      true,
-	'h':      true,
-	'i':      true,
-	'j':      true,
-	'k':      true,
-	'l':      true,
-	'm':      true,
-	'n':      true,
-	'o':      true,
-	'p':      true,
-	'q':      true,
-	'r':      true,
-	's':      true,
-	't':      true,
-	'u':      true,
-	'v':      true,
-	'w':      true,
-	'x':      true,
-	'y':      true,
-	'z':      true,
-	'{':      true,
-	'|':      true,
-	'}':      true,
-	'~':      true,
-	'\u007f': true,
-}
--- a/common/contextjson/tags.go
+++ b/common/contextjson/tags.go
@@ -1,38 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"strings"
-)
-
-// tagOptions is the string following a comma in a struct field's "json"
-// tag, or the empty string. It does not include the leading comma.
-type tagOptions string
-
-// parseTag splits a struct field's json tag into its name and
-// comma-separated options.
-func parseTag(tag string) (string, tagOptions) {
-	tag, opt, _ := strings.Cut(tag, ",")
-	return tag, tagOptions(opt)
-}
-
-// Contains reports whether a comma-separated list of options
-// contains a particular substr flag. substr must be surrounded by a
-// string boundary or commas.
-func (o tagOptions) Contains(optionName string) bool {
-	if len(o) == 0 {
-		return false
-	}
-	s := string(o)
-	for s != "" {
-		var name string
-		name, s, _ = strings.Cut(s, ",")
-		if name == optionName {
-			return true
-		}
-	}
-	return false
-}
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -15,14 +15,17 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )

+var _ WireGuardListener = (*DefaultDialer)(nil)
+
 type DefaultDialer struct {
-	dialer4     tcpDialer
-	dialer6     tcpDialer
-	udpDialer4  net.Dialer
-	udpDialer6  net.Dialer
-	udpListener net.ListenConfig
-	udpAddr4    string
-	udpAddr6    string
+	dialer4             tcpDialer
+	dialer6             tcpDialer
+	udpDialer4          net.Dialer
+	udpDialer6          net.Dialer
+	udpListener         net.ListenConfig
+	udpAddr4            string
+	udpAddr6            string
+	isWireGuardListener bool
 }

 func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDialer, error) {
@@ -98,6 +101,11 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		}
 		setMultiPathTCP(&dialer4)
 	}
+	if options.IsWireGuardListener {
+		for _, controlFn := range wgControlFns {
+			listener.Control = control.Append(listener.Control, controlFn)
+		}
+	}
 	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
 	if err != nil {
 		return nil, err
@@ -114,6 +122,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		listener,
 		udpAddr4,
 		udpAddr6,
+		options.IsWireGuardListener,
 	}, nil
 }

@@ -146,6 +155,10 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	}
 }

+func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
+	return trackPacketConn(d.udpListener.ListenPacket(context.Background(), network, address))
+}
+
 func trackConn(conn net.Conn, err error) (net.Conn, error) {
 	if !conntrack.Enabled || err != nil {
 		return conn, err
--- a/common/dialer/detour.go
+++ b/common/dialer/detour.go
@@ -6,21 +6,27 @@ import (
 	"sync"

 	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )

 type DetourDialer struct {
-	router   adapter.Router
-	detour   string
-	dialer   N.Dialer
-	initOnce sync.Once
-	initErr  error
+	router            adapter.Router
+	detour            string
+	allowNestedDirect bool
+	dialer            N.Dialer
+	initOnce          sync.Once
+	initErr           error
 }

-func NewDetour(router adapter.Router, detour string) N.Dialer {
-	return &DetourDialer{router: router, detour: detour}
+func NewDetour(router adapter.Router, detour string, allowNestedDirect bool) N.Dialer {
+	return &DetourDialer{
+		router:            router,
+		detour:            detour,
+		allowNestedDirect: allowNestedDirect,
+	}
 }

 func (d *DetourDialer) Start() error {
@@ -30,10 +36,17 @@ func (d *DetourDialer) Start() error {

 func (d *DetourDialer) Dialer() (N.Dialer, error) {
 	d.initOnce.Do(func() {
-		var loaded bool
-		d.dialer, loaded = d.router.Outbound(d.detour)
+		var (
+			dialer adapter.Outbound
+			loaded bool
+		)
+		dialer, loaded = d.router.Outbound(d.detour)
 		if !loaded {
 			d.initErr = E.New("outbound detour not found: ", d.detour)
+		} else if !d.allowNestedDirect && dialer.Type() == C.TypeDirect {
+			d.initErr = E.New("using a direct outbound as a detour is illegal")
+		} else {
+			d.dialer = dialer
 		}
 	})
 	return d.dialer, d.initErr
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -6,15 +6,13 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing/common"
 	N "github.com/sagernet/sing/common/network"
 )

-func MustNew(router adapter.Router, options option.DialerOptions) N.Dialer {
-	return common.Must1(New(router, options))
-}
-
 func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error) {
+	if options.IsWireGuardListener {
+		return NewDefault(router, options)
+	}
 	var (
 		dialer N.Dialer
 		err    error
@@ -25,7 +23,7 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 			return nil, err
 		}
 	} else {
-		dialer = NewDetour(router, options.Detour)
+		dialer = NewDetour(router, options.Detour, false)
 	}
 	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
--- a/common/dialer/wireguard.go
+++ b/common/dialer/wireguard.go
@@ -0,0 +1,9 @@
+package dialer
+
+import (
+	"net"
+)
+
+type WireGuardListener interface {
+	ListenPacketCompat(network, address string) (net.PacketConn, error)
+}
--- a/common/dialer/wireguard_control.go
+++ b/common/dialer/wireguard_control.go
@@ -0,0 +1,11 @@
+//go:build with_wireguard
+
+package dialer
+
+import (
+	"github.com/sagernet/wireguard-go/conn"
+)
+
+var _ WireGuardListener = (conn.Listener)(nil)
+
+var wgControlFns = conn.ControlFns
--- a/common/dialer/wiregurad_stub.go
+++ b/common/dialer/wiregurad_stub.go
@@ -0,0 +1,9 @@
+//go:build !with_wireguard
+
+package dialer
+
+import (
+	"github.com/sagernet/sing/common/control"
+)
+
+var wgControlFns []control.Func
--- a/common/json/comment.go
+++ b/common/json/comment.go
@@ -1,128 +0,0 @@
-package json
-
-import (
-	"bufio"
-	"io"
-)
-
-// kanged from v2ray
-
-type commentFilterState = byte
-
-const (
-	commentFilterStateContent commentFilterState = iota
-	commentFilterStateEscape
-	commentFilterStateDoubleQuote
-	commentFilterStateDoubleQuoteEscape
-	commentFilterStateSingleQuote
-	commentFilterStateSingleQuoteEscape
-	commentFilterStateComment
-	commentFilterStateSlash
-	commentFilterStateMultilineComment
-	commentFilterStateMultilineCommentStar
-)
-
-type CommentFilter struct {
-	br    *bufio.Reader
-	state commentFilterState
-}
-
-func NewCommentFilter(reader io.Reader) io.Reader {
-	return &CommentFilter{br: bufio.NewReader(reader)}
-}
-
-func (v *CommentFilter) Read(b []byte) (int, error) {
-	p := b[:0]
-	for len(p) < len(b)-2 {
-		x, err := v.br.ReadByte()
-		if err != nil {
-			if len(p) == 0 {
-				return 0, err
-			}
-			return len(p), nil
-		}
-		switch v.state {
-		case commentFilterStateContent:
-			switch x {
-			case '"':
-				v.state = commentFilterStateDoubleQuote
-				p = append(p, x)
-			case '\'':
-				v.state = commentFilterStateSingleQuote
-				p = append(p, x)
-			case '\\':
-				v.state = commentFilterStateEscape
-			case '#':
-				v.state = commentFilterStateComment
-			case '/':
-				v.state = commentFilterStateSlash
-			default:
-				p = append(p, x)
-			}
-		case commentFilterStateEscape:
-			p = append(p, '\\', x)
-			v.state = commentFilterStateContent
-		case commentFilterStateDoubleQuote:
-			switch x {
-			case '"':
-				v.state = commentFilterStateContent
-				p = append(p, x)
-			case '\\':
-				v.state = commentFilterStateDoubleQuoteEscape
-			default:
-				p = append(p, x)
-			}
-		case commentFilterStateDoubleQuoteEscape:
-			p = append(p, '\\', x)
-			v.state = commentFilterStateDoubleQuote
-		case commentFilterStateSingleQuote:
-			switch x {
-			case '\'':
-				v.state = commentFilterStateContent
-				p = append(p, x)
-			case '\\':
-				v.state = commentFilterStateSingleQuoteEscape
-			default:
-				p = append(p, x)
-			}
-		case commentFilterStateSingleQuoteEscape:
-			p = append(p, '\\', x)
-			v.state = commentFilterStateSingleQuote
-		case commentFilterStateComment:
-			if x == '\n' {
-				v.state = commentFilterStateContent
-				p = append(p, '\n')
-			}
-		case commentFilterStateSlash:
-			switch x {
-			case '/':
-				v.state = commentFilterStateComment
-			case '*':
-				v.state = commentFilterStateMultilineComment
-			default:
-				p = append(p, '/', x)
-			}
-		case commentFilterStateMultilineComment:
-			switch x {
-			case '*':
-				v.state = commentFilterStateMultilineCommentStar
-			case '\n':
-				p = append(p, '\n')
-			}
-		case commentFilterStateMultilineCommentStar:
-			switch x {
-			case '/':
-				v.state = commentFilterStateContent
-			case '*':
-				// Stay
-			case '\n':
-				p = append(p, '\n')
-			default:
-				v.state = commentFilterStateMultilineComment
-			}
-		default:
-			panic("Unknown state.")
-		}
-	}
-	return len(p), nil
-}
--- a/common/json/context.go
+++ b/common/json/context.go
@@ -1,21 +0,0 @@
-//go:build go1.21 && !without_contextjson
-
-package json
-
-import "github.com/sagernet/sing-box/common/contextjson"
-
-var (
-	Marshal    = json.Marshal
-	Unmarshal  = json.Unmarshal
-	NewEncoder = json.NewEncoder
-	NewDecoder = json.NewDecoder
-)
-
-type (
-	Encoder     = json.Encoder
-	Decoder     = json.Decoder
-	Token       = json.Token
-	Delim       = json.Delim
-	SyntaxError = json.SyntaxError
-	RawMessage  = json.RawMessage
-)
--- a/common/json/std.go
+++ b/common/json/std.go
@@ -1,21 +0,0 @@
-//go:build !go1.21 || without_contextjson
-
-package json
-
-import "encoding/json"
-
-var (
-	Marshal    = json.Marshal
-	Unmarshal  = json.Unmarshal
-	NewEncoder = json.NewEncoder
-	NewDecoder = json.NewDecoder
-)
-
-type (
-	Encoder     = json.Encoder
-	Decoder     = json.Decoder
-	Token       = json.Token
-	Delim       = json.Delim
-	SyntaxError = json.SyntaxError
-	RawMessage  = json.RawMessage
-)
--- a/common/srs/binary.go
+++ b/common/srs/binary.go
@@ -109,8 +109,10 @@ func readRule(reader io.Reader, recovery bool) (rule option.HeadlessRule, err er
 	}
 	switch ruleType {
 	case 0:
+		rule.Type = C.RuleTypeDefault
 		rule.DefaultOptions, err = readDefaultRule(reader, recovery)
 	case 1:
+		rule.Type = C.RuleTypeLogical
 		rule.LogicalOptions, err = readLogicalRule(reader, recovery)
 	default:
 		err = E.New("unknown rule type: ", ruleType)
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -6,6 +6,7 @@ import (
 	"os"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/badtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
@@ -42,7 +43,17 @@ func NewClient(ctx context.Context, serverAddress string, options option.Outboun
 func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
 	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
 	defer cancel()
-	return aTLS.ClientHandshake(ctx, conn, config)
+	tlsConn, err := aTLS.ClientHandshake(ctx, conn, config)
+	if err != nil {
+		return nil, err
+	}
+	readWaitConn, err := badtls.NewReadWaitConn(tlsConn)
+	if err == nil {
+		return readWaitConn, nil
+	} else if err != os.ErrInvalid {
+		return nil, err
+	}
+	return tlsConn, nil
 }

 type Dialer struct {
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"crypto/aes"
 	"crypto/cipher"
+	"crypto/ecdh"
 	"crypto/ed25519"
 	"crypto/hmac"
 	"crypto/sha256"
@@ -137,12 +138,21 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	hello.SessionId[2] = 1
 	binary.BigEndian.PutUint32(hello.SessionId[4:], uint32(time.Now().Unix()))
 	copy(hello.SessionId[8:], e.shortID[:])
-
 	if debug.Enabled {
 		fmt.Printf("REALITY hello.sessionId[:16]: %v\n", hello.SessionId[:16])
 	}
-
-	authKey := uConn.HandshakeState.State13.EcdheParams.SharedKey(e.publicKey)
+	publicKey, err := ecdh.X25519().NewPublicKey(e.publicKey)
+	if err != nil {
+		return nil, err
+	}
+	ecdheKey := uConn.HandshakeState.State13.EcdheKey
+	if ecdheKey == nil {
+		return nil, E.New("nil ecdhe_key")
+	}
+	authKey, err := ecdheKey.ECDH(publicKey)
+	if err != nil {
+		return nil, err
+	}
 	if authKey == nil {
 		return nil, E.New("nil auth_key")
 	}
--- a/common/tls/server.go
+++ b/common/tls/server.go
@@ -3,7 +3,9 @@ package tls
 import (
 	"context"
 	"net"
+	"os"

+	"github.com/sagernet/sing-box/common/badtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
@@ -26,5 +28,15 @@ func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLS
 func ServerHandshake(ctx context.Context, conn net.Conn, config ServerConfig) (Conn, error) {
 	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
 	defer cancel()
-	return aTLS.ServerHandshake(ctx, conn, config)
+	tlsConn, err := aTLS.ServerHandshake(ctx, conn, config)
+	if err != nil {
+		return nil, err
+	}
+	readWaitConn, err := badtls.NewReadWaitConn(tlsConn)
+	if err == nil {
+		return readWaitConn, nil
+	} else if err != os.ErrInvalid {
+		return nil, err
+	}
+	return tlsConn, nil
 }
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -219,6 +219,16 @@ func uTLSClientHelloID(name string) (utls.ClientHelloID, error) {
 	switch name {
 	case "chrome", "":
 		return utls.HelloChrome_Auto, nil
+	case "chrome_psk":
+		return utls.HelloChrome_100_PSK, nil
+	case "chrome_psk_shuffle":
+		return utls.HelloChrome_112_PSK_Shuf, nil
+	case "chrome_padding_psk_shuffle":
+		return utls.HelloChrome_114_Padding_PSK_Shuf, nil
+	case "chrome_pq":
+		return utls.HelloChrome_115_PQ, nil
+	case "chrome_pq_psk":
+		return utls.HelloChrome_115_PQ_PSK, nil
 	case "firefox":
 		return utls.HelloFirefox_Auto, nil
 	case "edge":
--- a/debug_http.go
+++ b/debug_http.go
@@ -6,12 +6,12 @@ import (
 	"runtime"
 	"runtime/debug"

-	"github.com/sagernet/sing-box/common/badjson"
 	"github.com/sagernet/sing-box/common/humanize"
-	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/json/badjson"

 	"github.com/go-chi/chi/v5"
 )
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,7 +2,75 @@
 icon: material/alert-decagram
 ---

-#### 1.8.0-alpha.11
+#### 1.8.0-rc.1
+
+* Fixes and improvements
+
+#### 1.8.0-beta.9
+
+* Add simple loopback detect
+* Fixes and improvements
+
+#### 1.7.5
+
+* Fixes and improvements
+
+#### 1.8.0-alpha.17
+
+* Add GSO support for TUN and WireGuard system interface **1**
+* Update uTLS to 1.5.4 **2**
+* Update dependencies **3**
+* Fixes and improvements
+
+**1**:
+
+See [TUN](/configuration/inbound/tun/) inbound and [WireGuard](/configuration/outbound/wireguard/) outbound.
+
+**2**:
+
+Added some new [fingerprints](/configuration/shared/tls#utls).
+Also, starting with this release, uTLS requires at least Go 1.20.
+
+**3**:
+
+Updated `cloudflare-tls`, `gomobile`, `smux`, `tfo-go` and `wireguard-go` to latest, and `gvisor` to `20231204.0`
+
+This may break something, good luck!
+
+#### 1.7.4
+
+* Fixes and improvements
+
+_Due to the long waiting time, this version is no longer waiting for approval
+by the Apple App Store, so updates to Apple Platforms will be delayed._
+
+#### 1.8.0-alpha.16
+
+* Fixes and improvements
+
+#### 1.8.0-alpha.15
+
+* Some chaotic changes **1**
+* Fixes and improvements
+
+**1**:
+
+Designed to optimize memory usage of idle connections, may take effect on the following protocols:
+
+| Protocol                                             | TCP              | UDP              |
+|------------------------------------------------------|------------------|------------------|
+| HTTP proxy server                                    | :material-check: | /                |
+| SOCKS5                                               | :material-close: | :material-check: |
+| Shadowsocks none/AEAD/AEAD2022                       | :material-check: | :material-check: |
+| Trojan                                               | /                | :material-check: |
+| TUIC/Hysteria/Hysteria2                              | :material-close: | :material-check: |
+| Multiplex                                            | :material-close: | :material-check: |
+| Plain TLS (Trojan/VLESS without extra sub-protocols) | :material-check: | /                |
+| Other protocols                                      | :material-close: | :material-close: |
+
+At the same time, everything existing may be broken, please actively report problems with this version.
+
+#### 1.8.0-alpha.13

 * Fixes and improvements

@@ -68,13 +136,13 @@ Since GeoIP was deprecated, we made this rule independent, see [Migration](/migr
 #### 1.8.0-alpha.1

 * Migrate cache file from Clash API to independent options **1**
-* Introducing [Rule Set](/configuration/rule-set) **2**
+* Introducing [Rule Set](/configuration/rule-set/) **2**
 * Add `sing-box geoip`, `sing-box geosite` and `sing-box rule-set` commands **3**
 * Allow nested logical rules **4**

 **1**:

-See [Cache File](/configuration/experimental/cache-file) and
+See [Cache File](/configuration/experimental/cache-file/) and
 [Migration](/migration/#migrate-cache-file-from-clash-api-to-independent-options).

 **2**:
@@ -85,11 +153,11 @@ it can include more types of rules, load faster,
 use less memory, and update automatically.

 See [Route#rule_set](/configuration/route/#rule_set),
-[Route Rule](/configuration/route/rule),
-[DNS Rule](/configuration/dns/rule),
-[Rule Set](/configuration/rule-set),
-[Source Format](/configuration/rule-set/source-format) and
-[Headless Rule](/configuration/rule-set/headless-rule).
+[Route Rule](/configuration/route/rule/),
+[DNS Rule](/configuration/dns/rule/),
+[Rule Set](/configuration/rule-set/),
+[Source Format](/configuration/rule-set/source-format/) and
+[Headless Rule](/configuration/rule-set/headless-rule/).

 For GEO resources migration, see [Migrate GeoIP to rule sets](/migration/#migrate-geoip-to-rule-sets) and
 [Migrate Geosite to rule sets](/migration/#migrate-geosite-to-rule-sets).
@@ -108,8 +176,8 @@ Logical rules in route rules, DNS rules, and the new headless rule now allow nes

 Important changes since 1.6:

-* Add [exclude route support](/configuration/inbound/tun) for TUN inbound
-* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen) **1**
+* Add [exclude route support](/configuration/inbound/tun/) for TUN inbound
+* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen/) **1**
 * Add [HTTPUpgrade V2Ray transport](/configuration/shared/v2ray-transport#HTTPUpgrade) support **2**
 * Migrate multiplex and UoT server to inbound **3**
 * Add TCP Brutal support for multiplex **4**
@@ -133,11 +201,14 @@ The new HTTPUpgrade transport has better performance than WebSocket and is bette

 **3**:

-Starting in 1.7.0, multiplexing support is no longer enabled by default and needs to be turned on explicitly in inbound options.
+Starting in 1.7.0, multiplexing support is no longer enabled by default
+and needs to be turned on explicitly in inbound
+options.

 **4**

-Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server, see [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server,
+see [TCP Brutal](/configuration/shared/tcp-brutal/) for details.

 **5**:

@@ -226,7 +297,7 @@ Only supported in graphical clients on Android and iOS.

 #### 1.6.1

-* Our [Android client](/installation/clients/sfa) is now available in the Google Play Store ▶️
+* Our [Android client](/installation/clients/sfa/) is now available in the Google Play Store ▶️
 * Fixes and improvements

 #### 1.7.0-alpha.6
@@ -246,7 +317,7 @@ options.
 **2**

 Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server,
-see [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+see [TCP Brutal](/configuration/shared/tcp-brutal/) for details.

 #### 1.7.0-alpha.3

@@ -265,13 +336,13 @@ The new HTTPUpgrade transport has better performance than WebSocket and is bette

 Important changes since 1.5:

-* Our [Apple tvOS client](/installation/clients/sft) is now available in the App Store 🍎
+* Our [Apple tvOS client](/installation/clients/sft/) is now available in the App Store 🍎
 * Update BBR congestion control for TUIC and Hysteria2 **1**
 * Update brutal congestion control for Hysteria2
 * Add `brutal_debug` option for Hysteria2
 * Update legacy Hysteria protocol **2**
 * Add TLS self sign key pair generate command
-* Remove [Deprecated Features](/deprecated) by agreement
+* Remove [Deprecated Features](/deprecated/) by agreement

 **1**:

@@ -289,8 +360,8 @@ the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2

 #### 1.7.0-alpha.1

-* Add [exclude route support](/configuration/inbound/tun) for TUN inbound
-* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen) **1**
+* Add [exclude route support](/configuration/inbound/tun/) for TUN inbound
+* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen/) **1**
 * Fixes and improvements

 **1**:
@@ -313,7 +384,8 @@ When `auto_route` is enabled and `strict_route` is disabled, the device can now

 **2**:

-Built using Go 1.20, the last version that will run on Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High
+Built using Go 1.20, the last version that will run on
+Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High
 Sierra, 10.14 Mojave.

 #### 1.6.0-rc.4
@@ -327,7 +399,8 @@ Sierra, 10.14 Mojave.

 **1**:

-Built using Go 1.20, the last version that will run on Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High
+Built using Go 1.20, the last version that will run on
+Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High
 Sierra, 10.14 Mojave.

 #### 1.6.0-beta.4
@@ -408,7 +481,7 @@ introduce new issues.

 #### 1.5.2

-* Our [Apple tvOS client](/installation/clients/sft) is now available in the App Store 🍎
+* Our [Apple tvOS client](/installation/clients/sft/) is now available in the App Store 🍎
 * Fixes and improvements

 #### 1.6.0-alpha.3
@@ -428,7 +501,7 @@ introduce new issues.
 * Update BBR congestion control for TUIC and Hysteria2 **1**
 * Update quic-go to v0.39.0
 * Update gVisor to 20230814.0
-* Remove [Deprecated Features](/deprecated) by agreement
+* Remove [Deprecated Features](/deprecated/) by agreement
 * Fixes and improvements

 **1**:
@@ -442,7 +515,7 @@ This update is intended to address the multi-send defects of the old implementat

 Important changes since 1.4:

-* Add TLS [ECH server](/configuration/shared/tls) support
+* Add TLS [ECH server](/configuration/shared/tls/) support
 * Improve TLS TCH client configuration
 * Add TLS ECH key pair generator **1**
 * Add TLS ECH support for QUIC based protocols **2**
@@ -451,7 +524,7 @@ Important changes since 1.4:
 * Add `interrupt_exist_connections` option for `Selector` and `URLTest` outbounds **4**
 * Add DNS01 challenge support for ACME TLS certificate issuer **5**
 * Add `merge` command **6**
-* Mark [Deprecated Features](/deprecated)
+* Mark [Deprecated Features](/deprecated/)

 **1**:

@@ -463,7 +536,7 @@ All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria[/2]`

 **3**:

-See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
+See [Hysteria2 inbound](/configuration/inbound/hysteria2/) and [Hysteria2 outbound](/configuration/outbound/hysteria2/)

 For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)

@@ -476,7 +549,7 @@ Only inbound connections are affected by this setting, internal connections will
 **5**:

 Only `Alibaba Cloud DNS` and `Cloudflare` are supported, see [ACME Fields](/configuration/shared/tls#acme-fields)
-and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
+and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/).

 **6**:

@@ -558,7 +631,7 @@ Global Flags:

 Only `Alibaba Cloud DNS` and `Cloudflare` are supported,
 see [ACME Fields](/configuration/shared/tls#acme-fields)
-and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
+and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/).

 #### 1.5.0-beta.10

@@ -587,7 +660,7 @@ Only inbound connections are affected by this setting, internal connections will

 * Fix compatibility issues with official Hysteria2 server and client
 * Fixes and improvements
-* Mark [deprecated features](/deprecated)
+* Mark [deprecated features](/deprecated/)

 #### 1.5.0-beta.3

@@ -606,13 +679,13 @@ Hysteria2 server and client when using `fastOpen=false` or UDP MTU >= 1200.

 **1**:

-See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
+See [Hysteria2 inbound](/configuration/inbound/hysteria2/) and [Hysteria2 outbound](/configuration/outbound/hysteria2/)

 For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)

 #### 1.5.0-beta.1

-* Add TLS [ECH server](/configuration/shared/tls) support
+* Add TLS [ECH server](/configuration/shared/tls/) support
 * Improve TLS TCH client configuration
 * Add TLS ECH key pair generator **1**
 * Add TLS ECH support for QUIC based protocols **2**
@@ -645,12 +718,12 @@ Important changes since 1.3:

 *1*:

-See [TUIC inbound](/configuration/inbound/tuic)
-and [TUIC outbound](/configuration/outbound/tuic)
+See [TUIC inbound](/configuration/inbound/tuic/)
+and [TUIC outbound](/configuration/outbound/tuic/)

 **2**:

-This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp/), designed to provide a QUIC
 stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
 another program compatible with the protocol as a server.

@@ -681,7 +754,7 @@ Requires sing-box to be compiled with Go 1.21.

 **1**:

-This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp/), designed to provide a QUIC
 stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
 another program compatible with the protocol as a server.

@@ -719,8 +792,8 @@ Requires sing-box to be compiled with Go 1.21.

 *1*:

-See [TUIC inbound](/configuration/inbound/tuic)
-and [TUIC outbound](/configuration/outbound/tuic)
+See [TUIC inbound](/configuration/inbound/tuic/)
+and [TUIC outbound](/configuration/outbound/tuic/)

 #### 1.3.6

@@ -729,7 +802,7 @@ and [TUIC outbound](/configuration/outbound/tuic)
 #### 1.3.5

 * Fixes and improvements
-* Introducing our [Apple tvOS](/installation/clients/sft) client applications **1**
+* Introducing our [Apple tvOS](/installation/clients/sft/) client applications **1**
 * Add per app proxy and app installed/updated trigger support for Android client
 * Add profile sharing support for Android/iOS/macOS clients

@@ -756,7 +829,8 @@ downloaded through TestFlight.

 #### 1.3.1-beta.3

-* Introducing our [new iOS](/installation/clients/sfi) and [macOS](/installation/clients/sfm) client applications **1**
+* Introducing our [new iOS](/installation/clients/sfi/) and [macOS](/installation/clients/sfm/) client applications **1
+  **
 * Fixes and improvements

 **1**:
@@ -777,7 +851,7 @@ The old testflight link and app are no longer valid.

 Important changes since 1.2:

-* Add [FakeIP](/configuration/dns/fakeip) support **1**
+* Add [FakeIP](/configuration/dns/fakeip/) support **1**
 * Improve multiplex **2**
 * Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
 * Add `rewrite_ttl` DNS rule action
@@ -804,11 +878,11 @@ Important changes since 1.2:

 *1*:

-See [FAQ](/faq/fakeip) for more information.
+See [FAQ](/faq/fakeip/) for more information.

 *2*:

-Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex).
+Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex/).

 #### 1.3-rc2

@@ -870,7 +944,7 @@ Improved performance and reduced memory usage.

 *1*:

-Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex).
+Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex/).

 #### 1.2.6

@@ -922,25 +996,25 @@ This is an incompatible update for XUDP in VLESS if vision flow is enabled.
 #### 1.3-beta1

 * Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
-* Add [L3 routing](/configuration/route/ip-rule) support **1**
+* Add [L3 routing](/configuration/route/ip-rule/) support **1**
 * Add `rewrite_ttl` DNS rule action
-* Add [FakeIP](/configuration/dns/fakeip) support **2**
+* Add [FakeIP](/configuration/dns/fakeip/) support **2**
 * Add `store_fakeip` Clash API option
 * Add multi-peer support for [WireGuard](/configuration/outbound/wireguard#peers) outbound
 * Add loopback detect

 *1*:

-It can currently be used to [route connections directly to WireGuard](/examples/wireguard-direct) or block connections
+It can currently be used to [route connections directly to WireGuard](/examples/wireguard-direct/) or block connections
 at the IP layer.

 *2*:

-See [FAQ](/faq/fakeip) for more information.
+See [FAQ](/faq/fakeip/) for more information.

 #### 1.2.3

-* Introducing our [new Android client application](/installation/clients/sfa)
+* Introducing our [new Android client application](/installation/clients/sfa/)
 * Improve UDP domain destination NAT
 * Update reality protocol
 * Fix TTL calculation for DNS response
@@ -969,16 +1043,16 @@ to `domain` rule.

 Important changes since 1.1:

-* Introducing our [new iOS client application](/installation/clients/sfi)
-* Introducing [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
+* Introducing our [new iOS client application](/installation/clients/sfi/)
+* Introducing [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp/)
 * Add [platform options](/configuration/inbound/tun#platform) for tun inbound
 * Add [ShadowTLS protocol v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md)
-* Add [VLESS server](/configuration/inbound/vless) and [vision](/configuration/outbound/vless#flow) support
-* Add [reality TLS](/configuration/shared/tls) support
-* Add [NTP service](/configuration/ntp)
-* Add [DHCP DNS server](/configuration/dns/server) support
-* Add SSH [host key validation](/configuration/outbound/ssh) support
-* Add [query_type](/configuration/dns/rule) DNS rule item
+* Add [VLESS server](/configuration/inbound/vless/) and [vision](/configuration/outbound/vless#flow) support
+* Add [reality TLS](/configuration/shared/tls/) support
+* Add [NTP service](/configuration/ntp/)
+* Add [DHCP DNS server](/configuration/dns/server/) support
+* Add SSH [host key validation](/configuration/outbound/ssh/) support
+* Add [query_type](/configuration/dns/rule/) DNS rule item
 * Add fallback support for v2ray transport
 * Add custom TLS server support for http based v2ray transports
 * Add health check support for http-based v2ray transports
@@ -1009,7 +1083,7 @@ name.

 #### 1.2-beta9

-* Introducing the [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
+* Introducing the [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp/)
 * Add health check support for http-based v2ray transports
 * Remove length limit on short_id for reality TLS config
 * Fix bugs and update dependencies
@@ -1026,7 +1100,7 @@ name.

 #### 1.2-beta6

-* Introducing our [new iOS client application](/installation/clients/sfi)
+* Introducing our [new iOS client application](/installation/clients/sfi/)
 * Add [platform options](/configuration/inbound/tun#platform) for tun inbound
 * Add custom TLS server support for http based v2ray transports
 * Add generate commands
@@ -1039,8 +1113,8 @@ name.

 #### 1.2-beta5

-* Add [VLESS server](/configuration/inbound/vless) and [vision](/configuration/outbound/vless#flow) support
-* Add [reality TLS](/configuration/shared/tls) support
+* Add [VLESS server](/configuration/inbound/vless/) and [vision](/configuration/outbound/vless#flow) support
+* Add [reality TLS](/configuration/shared/tls/) support
 * Fix match private address

 #### 1.1.6
@@ -1055,7 +1129,7 @@ name.

 #### 1.2-beta4

-* Add [NTP service](/configuration/ntp)
+* Add [NTP service](/configuration/ntp/)
 * Add Add multiple server names and multi-user support for shadowtls
 * Add strict mode support for shadowtls v3
 * Add uTLS support for shadowtls v3
@@ -1075,9 +1149,9 @@ name.

 #### 1.2-beta1

-* Add [DHCP DNS server](/configuration/dns/server) support
-* Add SSH [host key validation](/configuration/outbound/ssh) support
-* Add [query_type](/configuration/dns/rule) DNS rule item
+* Add [DHCP DNS server](/configuration/dns/server/) support
+* Add SSH [host key validation](/configuration/outbound/ssh/) support
+* Add [query_type](/configuration/dns/rule/) DNS rule item
 * Add v2ray [user stats](/configuration/experimental#statsusers) api
 * Add new clash DNS query api
 * Improve vmess request
@@ -1306,7 +1380,7 @@ and [ShadowTLS outbound](/configuration/outbound/shadowtls#version)

 #### 1.1-beta6

-* Add [URLTest outbound](/configuration/outbound/urltest)
+* Add [URLTest outbound](/configuration/outbound/urltest/)
 * Fix bugs in 1.1-beta5

 #### 1.1-beta5
@@ -1338,8 +1412,8 @@ The default tun stack is changed to system.
 #### 1.1-beta4

 * Add internal simple-obfs and v2ray-plugin [Shadowsocks plugins](/configuration/outbound/shadowsocks#plugin)
-* Add [ShadowsocksR outbound](/configuration/outbound/shadowsocksr)
-* Add [VLESS outbound and XUDP](/configuration/outbound/vless)
+* Add [ShadowsocksR outbound](/configuration/outbound/shadowsocksr/)
+* Add [VLESS outbound and XUDP](/configuration/outbound/vless/)
 * Skip wait for hysteria tcp handshake response
 * Fix socks4 client
 * Fix hysteria inbound
@@ -1366,7 +1440,7 @@ The default tun stack is changed to system.
 *1*:

 Switching modes using the Clash API, and `store-selected` are now supported,
-see [Experimental](/configuration/experimental).
+see [Experimental](/configuration/experimental/).

 *2*:

@@ -1447,15 +1521,15 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 * Fix write trojan udp
 * Fix DNS routing
 * Add attribute support for geosite
-* Update documentation for [Dial Fields](/configuration/shared/dial)
+* Update documentation for [Dial Fields](/configuration/shared/dial/)

 #### 1.0-beta3

 * Add [chained inbound](/configuration/shared/listen#detour) support
 * Add process_path rule item
 * Add macOS redirect support
-* Add ShadowTLS [Inbound](/configuration/inbound/shadowtls), [Outbound](/configuration/outbound/shadowtls)
-  and [Examples](/examples/shadowtls)
+* Add ShadowTLS [Inbound](/configuration/inbound/shadowtls/), [Outbound](/configuration/outbound/shadowtls/)
+  and [Examples](/examples/shadowtls/)
 * Fix search android package in non-owner users
 * Fix socksaddr type condition
 * Fix smux session status
@@ -1499,7 +1573,7 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).

 ##### 2022/08/23

-* Add [V2Ray Transport](/configuration/shared/v2ray-transport) support for VMess and Trojan
+* Add [V2Ray Transport](/configuration/shared/v2ray-transport/) support for VMess and Trojan
 * Allow plain http request in Naive inbound (It can now be used with nginx)
 * Add proxy protocol support
 * Free memory after start
@@ -1508,13 +1582,13 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).

 ##### 2022/08/22

-* Add strategy setting for each [DNS server](/configuration/dns/server)
+* Add strategy setting for each [DNS server](/configuration/dns/server/)
 * Add bind address to outbound options

 ##### 2022/08/21

-* Add [Tor outbound](/configuration/outbound/tor)
-* Add [SSH outbound](/configuration/outbound/ssh)
+* Add [Tor outbound](/configuration/outbound/tor/)
+* Add [SSH outbound](/configuration/outbound/ssh/)

 ##### 2022/08/20

@@ -1528,8 +1602,8 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).

 ##### 2022/08/19

-* Add Hysteria [Inbound](/configuration/inbound/hysteria) and [Outbund](/configuration/outbound/hysteria)
-* Add [ACME TLS certificate issuer](/configuration/shared/tls)
+* Add Hysteria [Inbound](/configuration/inbound/hysteria/) and [Outbund](/configuration/outbound/hysteria/)
+* Add [ACME TLS certificate issuer](/configuration/shared/tls/)
 * Allow read config from stdin (-c stdin)
 * Update gVisor to 20220815.0

@@ -1547,11 +1621,11 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 ##### 2022/08/16

 * Add ip_version (route/dns) rule item
-* Add [WireGuard](/configuration/outbound/wireguard) outbound
+* Add [WireGuard](/configuration/outbound/wireguard/) outbound

 ##### 2022/08/15

-* Add uid, android user and package rules support in [Tun](/configuration/inbound/tun) routing.
+* Add uid, android user and package rules support in [Tun](/configuration/inbound/tun/) routing.

 ##### 2022/08/13

@@ -1560,15 +1634,15 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 ##### 2022/08/12

 * Performance improvements
-* Add UoT option for [SOCKS](/configuration/outbound/socks) outbound
+* Add UoT option for [SOCKS](/configuration/outbound/socks/) outbound

 ##### 2022/08/11

-* Add UoT option for [Shadowsocks](/configuration/outbound/shadowsocks) outbound, UoT support for all inbounds
+* Add UoT option for [Shadowsocks](/configuration/outbound/shadowsocks/) outbound, UoT support for all inbounds

 ##### 2022/08/10

-* Add full-featured [Naive](/configuration/inbound/naive) inbound
+* Add full-featured [Naive](/configuration/inbound/naive/) inbound
 * Fix default dns server option [#9] by iKirby

 ##### 2022/08/09
--- a/docs/clients/android/features.md
+++ b/docs/clients/android/features.md
@@ -18,6 +18,7 @@ SFA provides an unprivileged TUN implementation through Android VpnService.
 | `inet4_address`               | :material-check: | /                  |
 | `inet6_address`               | :material-check: | /                  |
 | `mtu`                         | :material-check: | /                  |
+| `gso`                         | :material-close: | No permission      |
 | `auto_route`                  | :material-check: | /                  |
 | `strict_route`                | :material-close: | Not implemented    |
 | `inet4_route_address`         | :material-check: | /                  |
--- a/docs/clients/apple/features.md
+++ b/docs/clients/apple/features.md
@@ -14,28 +14,29 @@ SFI/SFM/SFT allows you to run sing-box through NetworkExtension with Application

 SFI/SFM/SFT provides an unprivileged TUN implementation through NetworkExtension.

-| TUN inbound option            | Available | Note              |
-|-------------------------------|-----------|-------------------|
-| `interface_name`              | ✖️        | Managed by Darwin |
-| `inet4_address`               | ✔️        | /                 |
-| `inet6_address`               | ✔️        | /                 |
-| `mtu`                         | ✔️        | /                 |
-| `auto_route`                  | ✔️        | /                 |
-| `strict_route`                | ✖️        | Not implemented   |
-| `inet4_route_address`         | ✔️        | /                 |
-| `inet6_route_address`         | ✔️        | /                 |
-| `inet4_route_exclude_address` | ✔️        | /                 |
-| `inet6_route_exclude_address` | ✔️        | /                 |
-| `endpoint_independent_nat`    | ✔️        | /                 |
-| `stack`                       | ✔️        | /                 |
-| `include_interface`           | ✖️        | Not implemented   |
-| `exclude_interface`           | ✖️        | Not implemented   |
-| `include_uid`                 | ✖️        | Not implemented   |
-| `exclude_uid`                 | ✖️        | Not implemented   |
-| `include_android_user`        | ✖️        | Not implemented   |
-| `include_package`             | ✖️        | Not implemented   |
-| `exclude_package`             | ✖️        | Not implemented   |
-| `platform`                    | ✔️        | /                 |
+| TUN inbound option            | Available         | Note              |
+|-------------------------------|-------------------|-------------------|
+| `interface_name`              | :material-close:️ | Managed by Darwin |
+| `inet4_address`               | :material-check:  | /                 |
+| `inet6_address`               | :material-check:  | /                 |
+| `mtu`                         | :material-check:  | /                 |
+| `gso`                         | :material-close:  | Not implemented   |
+| `auto_route`                  | :material-check:  | /                 |
+| `strict_route`                | :material-close:️ | Not implemented   |
+| `inet4_route_address`         | :material-check:  | /                 |
+| `inet6_route_address`         | :material-check:  | /                 |
+| `inet4_route_exclude_address` | :material-check:  | /                 |
+| `inet6_route_exclude_address` | :material-check:  | /                 |
+| `endpoint_independent_nat`    | :material-check:  | /                 |
+| `stack`                       | :material-check:  | /                 |
+| `include_interface`           | :material-close:️ | Not implemented   |
+| `exclude_interface`           | :material-close:️ | Not implemented   |
+| `include_uid`                 | :material-close:️ | Not implemented   |
+| `exclude_uid`                 | :material-close:️ | Not implemented   |
+| `include_android_user`        | :material-close:️ | Not implemented   |
+| `include_package`             | :material-close:️ | Not implemented   |
+| `exclude_package`             | :material-close:️ | Not implemented   |
+| `platform`                    | :material-check:  | /                 |

 | Route/DNS rule option | Available        | Note                  |
 |-----------------------|------------------|-----------------------|
--- a/docs/clients/index.md
+++ b/docs/clients/index.md
@@ -4,8 +4,8 @@ Maintained by Project S to provide a unified experience and platform-specific fu

 | Platform                              | Client                                  |
 |---------------------------------------|-----------------------------------------|
-| :material-android: Android            | [sing-box for Android](./android)       |
-| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple) |
+| :material-android: Android            | [sing-box for Android](./android/)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
 | :material-laptop: Desktop             | Working in progress                     |

 Some third-party projects that claim to use sing-box or use sing-box as a selling point are not listed here. The core
--- a/docs/clients/index.zh.md
+++ b/docs/clients/index.zh.md
@@ -4,8 +4,8 @@

 | 平台                                    | 客户端                                     |
 |---------------------------------------|-----------------------------------------|
-| :material-android: Android            | [sing-box for Android](./android)       |
-| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple) |
+| :material-android: Android            | [sing-box for Android](./android/)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
 | :material-laptop: Desktop             | 施工中                                     |

 此处没有列出一些声称使用或以 sing-box 为卖点的第三方项目。此类项目维护者的动机是获得更多用户，即使它们提供友好的商业
--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@@ -23,9 +23,9 @@

 | Key      | Format                         |
 |----------|--------------------------------|
-| `server` | List of [DNS Server](./server) |
-| `rules`  | List of [DNS Rule](./rule)     |
-| `fakeip` | [FakeIP](./fakeip)             |
+| `server` | List of [DNS Server](./server/) |
+| `rules`  | List of [DNS Rule](./rule/)     |
+| `fakeip` | [FakeIP](./fakeip/)             |

 #### final

@@ -62,4 +62,4 @@ problematic in environments such as macOS, where DNS is proxied and cached by th

 #### fakeip

-[FakeIP](./fakeip) settings.
+[FakeIP](./fakeip/) settings.
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@@ -23,8 +23,8 @@

 | 键        | 格式                     |
 |----------|------------------------|
-| `server` | 一组 [DNS 服务器](./server) |
-| `rules`  | 一组 [DNS 规则](./rule)    |
+| `server` | 一组 [DNS 服务器](./server/) |
+| `rules`  | 一组 [DNS 规则](./rule/)    |

 #### final

@@ -60,4 +60,4 @@

 #### fakeip

-[FakeIP](./fakeip) 设置。
+[FakeIP](./fakeip/) 设置。
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -134,13 +134,15 @@ icon: material/alert-decagram
    The default rule uses the following matching logic:  
    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite`) &&  
    (`port` || `port_range`) &&  
-    (`source_geoip` || `source_ip_cidr`) &&  
+    (`source_geoip` || `source_ip_cidr` ｜｜ `source_ip_is_private`) &&  
    (`source_port` || `source_port_range`) &&  
    `other fields`

+    Additionally, included rule sets can be considered merged rather than as a single rule sub-item.
+
 #### inbound

-Tags of [Inbound](/configuration/inbound).
+Tags of [Inbound](/configuration/inbound/).

 #### ip_version

--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -131,13 +131,15 @@ icon: material/alert-decagram
    默认规则使用以下匹配逻辑:  
    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite`) &&  
    (`port` || `port_range`) &&  
-    (`source_geoip` || `source_ip_cidr`) &&  
+    (`source_geoip` || `source_ip_cidr` || `source_ip_is_private`) &&  
    (`source_port` || `source_port_range`) &&  
    `other fields`

+    另外，引用的规则集可视为被合并，而不是作为一个单独的规则子项。
+
 #### inbound

-[入站](/zh/configuration/inbound) 标签.
+[入站](/zh/configuration/inbound/) 标签.

 #### ip_version

--- a/docs/configuration/dns/server.md
+++ b/docs/configuration/dns/server.md
@@ -41,7 +41,7 @@ The address of the dns server.
 | `HTTP3`                             | `h3://8.8.8.8/dns-query`      |
 | `RCode`                             | `rcode://refused`             |
 | `DHCP`                              | `dhcp://auto` or `dhcp://en0` |
-| [FakeIP](/configuration/dns/fakeip) | `fakeip`                      |
+| [FakeIP](/configuration/dns/fakeip/) | `fakeip`                      |

 !!! warning ""

--- a/docs/configuration/dns/server.zh.md
+++ b/docs/configuration/dns/server.zh.md
@@ -41,7 +41,7 @@ DNS 服务器的地址。
 | `HTTP3`                             | `h3://8.8.8.8/dns-query`     |
 | `RCode`                             | `rcode://refused`            |
 | `DHCP`                              | `dhcp://auto` 或 `dhcp://en0` |
-| [FakeIP](/configuration/dns/fakeip) | `fakeip`                     |
+| [FakeIP](/configuration/dns/fakeip/) | `fakeip`                     |

 !!! warning ""

--- a/docs/configuration/experimental/index.md
+++ b/docs/configuration/experimental/index.md
@@ -25,6 +25,6 @@ icon: material/alert-decagram

 | Key          | Format                     |
 |--------------|----------------------------|
-| `cache_file` | [Cache File](./cache-file) |
-| `clash_api`  | [Clash API](./clash-api)   |
-| `v2ray_api`  | [V2Ray API](./v2ray-api)   |
+| `cache_file` | [Cache File](./cache-file/) |
+| `clash_api`  | [Clash API](./clash-api/)   |
+| `v2ray_api`  | [V2Ray API](./v2ray-api/)   |
--- a/docs/configuration/experimental/index.zh.md
+++ b/docs/configuration/experimental/index.zh.md
@@ -25,6 +25,6 @@ icon: material/alert-decagram

 | 键            | 格式                       |
 |--------------|--------------------------|
-| `cache_file` | [缓存文件](./cache-file)     |
-| `clash_api`  | [Clash API](./clash-api) |
-| `v2ray_api`  | [V2Ray API](./v2ray-api) |
+| `cache_file` | [缓存文件](./cache-file/)     |
+| `clash_api`  | [Clash API](./clash-api/) |
+| `v2ray_api`  | [V2Ray API](./v2ray-api/) |
--- a/docs/configuration/inbound/direct.md
+++ b/docs/configuration/inbound/direct.md
@@ -17,7 +17,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/http.md
+++ b/docs/configuration/inbound/http.md
@@ -20,7 +20,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/hysteria.md
+++ b/docs/configuration/inbound/hysteria.md
@@ -31,7 +31,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/hysteria2.md
+++ b/docs/configuration/inbound/hysteria2.md
@@ -35,7 +35,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/index.md
+++ b/docs/configuration/inbound/index.md
@@ -17,22 +17,22 @@

 | Type          | Format                       | Injectable |
 |---------------|------------------------------|------------|
-| `direct`      | [Direct](./direct)           | X          |
-| `mixed`       | [Mixed](./mixed)             | TCP        |
-| `socks`       | [SOCKS](./socks)             | TCP        |
-| `http`        | [HTTP](./http)               | TCP        |
-| `shadowsocks` | [Shadowsocks](./shadowsocks) | TCP        |
-| `vmess`       | [VMess](./vmess)             | TCP        |
-| `trojan`      | [Trojan](./trojan)           | TCP        |
-| `naive`       | [Naive](./naive)             | X          |
-| `hysteria`    | [Hysteria](./hysteria)       | X          |
-| `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP        |
-| `tuic`        | [TUIC](./tuic)               | X          |
-| `hysteria2`   | [Hysteria2](./hysteria2)     | X          |
-| `vless`       | [VLESS](./vless)             | TCP        |
-| `tun`         | [Tun](./tun)                 | X          |
-| `redirect`    | [Redirect](./redirect)       | X          |
-| `tproxy`      | [TProxy](./tproxy)           | X          |
+| `direct`      | [Direct](./direct/)           | X          |
+| `mixed`       | [Mixed](./mixed/)             | TCP        |
+| `socks`       | [SOCKS](./socks/)             | TCP        |
+| `http`        | [HTTP](./http/)               | TCP        |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP        |
+| `vmess`       | [VMess](./vmess/)             | TCP        |
+| `trojan`      | [Trojan](./trojan/)           | TCP        |
+| `naive`       | [Naive](./naive/)             | X          |
+| `hysteria`    | [Hysteria](./hysteria/)       | X          |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP        |
+| `tuic`        | [TUIC](./tuic/)               | X          |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | X          |
+| `vless`       | [VLESS](./vless/)             | TCP        |
+| `tun`         | [Tun](./tun/)                 | X          |
+| `redirect`    | [Redirect](./redirect/)       | X          |
+| `tproxy`      | [TProxy](./tproxy/)           | X          |

 #### tag

--- a/docs/configuration/inbound/index.zh.md
+++ b/docs/configuration/inbound/index.zh.md
@@ -17,22 +17,22 @@

 | 类型            | 格式                           | 注入支持 |
 |---------------|------------------------------|------|
-| `direct`      | [Direct](./direct)           | X    |
-| `mixed`       | [Mixed](./mixed)             | TCP  |
-| `socks`       | [SOCKS](./socks)             | TCP  |
-| `http`        | [HTTP](./http)               | TCP  |
-| `shadowsocks` | [Shadowsocks](./shadowsocks) | TCP  |
-| `vmess`       | [VMess](./vmess)             | TCP  |
-| `trojan`      | [Trojan](./trojan)           | TCP  |
-| `naive`       | [Naive](./naive)             | X    |
-| `hysteria`    | [Hysteria](./hysteria)       | X    |
-| `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP  |
-| `tuic`        | [TUIC](./tuic)               | X    |
-| `hysteria2`   | [Hysteria2](./hysteria2)     | X    |
-| `vless`       | [VLESS](./vless)             | TCP  |
-| `tun`         | [Tun](./tun)                 | X    |
-| `redirect`    | [Redirect](./redirect)       | X    |
-| `tproxy`      | [TProxy](./tproxy)           | X    |
+| `direct`      | [Direct](./direct/)           | X    |
+| `mixed`       | [Mixed](./mixed/)             | TCP  |
+| `socks`       | [SOCKS](./socks/)             | TCP  |
+| `http`        | [HTTP](./http/)               | TCP  |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP  |
+| `vmess`       | [VMess](./vmess/)             | TCP  |
+| `trojan`      | [Trojan](./trojan/)           | TCP  |
+| `naive`       | [Naive](./naive/)             | X    |
+| `hysteria`    | [Hysteria](./hysteria/)       | X    |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP  |
+| `tuic`        | [TUIC](./tuic/)               | X    |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | X    |
+| `vless`       | [VLESS](./vless/)             | TCP  |
+| `tun`         | [Tun](./tun/)                 | X    |
+| `redirect`    | [Redirect](./redirect/)       | X    |
+| `tproxy`      | [TProxy](./tproxy/)           | X    |

 #### tag

--- a/docs/configuration/inbound/mixed.md
+++ b/docs/configuration/inbound/mixed.md
@@ -21,7 +21,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/naive.md
+++ b/docs/configuration/inbound/naive.md
@@ -20,7 +20,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/redirect.md
+++ b/docs/configuration/inbound/redirect.md
@@ -15,4 +15,4 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.
--- a/docs/configuration/inbound/shadowsocks.md
+++ b/docs/configuration/inbound/shadowsocks.md
@@ -50,7 +50,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/shadowsocks.zh.md
+++ b/docs/configuration/inbound/shadowsocks.zh.md
@@ -50,7 +50,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### 字段

--- a/docs/configuration/inbound/shadowtls.md
+++ b/docs/configuration/inbound/shadowtls.md
@@ -35,7 +35,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

@@ -66,11 +66,11 @@ Only available in the ShadowTLS protocol 3.

 ==Required==

-Handshake server address and [Dial options](/configuration/shared/dial).
+Handshake server address and [Dial options](/configuration/shared/dial/).

 #### handshake_for_server_name

-Handshake server address and [Dial options](/configuration/shared/dial) for specific server name.
+Handshake server address and [Dial options](/configuration/shared/dial/) for specific server name.

 Only available in the ShadowTLS protocol 2/3.

--- a/docs/configuration/inbound/socks.md
+++ b/docs/configuration/inbound/socks.md
@@ -20,7 +20,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/tproxy.md
+++ b/docs/configuration/inbound/tproxy.md
@@ -17,7 +17,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/trojan.md
+++ b/docs/configuration/inbound/trojan.md
@@ -31,7 +31,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

@@ -65,4 +65,4 @@ See [Multiplex](/configuration/shared/multiplex#inbound) for details.

 #### transport

-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
+V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).
--- a/docs/configuration/inbound/trojan.zh.md
+++ b/docs/configuration/inbound/trojan.zh.md
@@ -67,4 +67,4 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### transport

-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
+V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。
--- a/docs/configuration/inbound/tuic.md
+++ b/docs/configuration/inbound/tuic.md
@@ -24,7 +24,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -1,3 +1,12 @@
+---
+icon: material/alert-decagram
+---
+
+!!! quote "Changes in sing-box 1.8.0"
+
+    :material-plus: [gso](#gso)  
+    :material-alert-decagram: [stack](#stack)
+
 !!! quote ""

    Only supported on Linux, Windows and macOS.
@@ -12,6 +21,7 @@
  "inet4_address": "172.19.0.1/30",
  "inet6_address": "fdfe:dcba:9876::1/126",
  "mtu": 9000,
+  "gso": false,
  "auto_route": true,
  "strict_route": true,
  "inet4_route_address": [
@@ -29,6 +39,7 @@
    "fc00::/7"
  ],
  "endpoint_independent_nat": false,
+  "udp_timeout": "5m",
  "stack": "system",
  "include_interface": [
    "lan0"
@@ -98,6 +109,16 @@ IPv6 prefix for the tun interface.

 The maximum transmission unit.

+#### gso
+
+!!! question "Since sing-box 1.8.0"
+
+!!! quote ""
+
+    Only supported on Linux.
+
+Enable generic segmentation offload.
+
 #### auto_route

 Set the default route to the Tun.
@@ -160,18 +181,19 @@ UDP NAT expiration time in seconds, default is 300 (5 minutes).

 #### stack

+!!! quote "Changes in sing-box 1.8.0"
+
+    :material-delete-alert: The legacy LWIP stack has been deprecated and removed.
+
 TCP/IP stack.

-| Stack  | Description                                                                      | Status            |
-|--------|----------------------------------------------------------------------------------|-------------------|
-| system | Sometimes better performance                                                     | recommended       |
-| gVisor | Better compatibility, based on [google/gvisor](https://github.com/google/gvisor) | recommended       |
-| mixed  | Mixed `system` TCP stack and `gVisor` UDP stack                                  | recommended       |
-| LWIP   | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks)   | upstream archived |
+| Stack    | Description                                                                                           | 
+|----------|-------------------------------------------------------------------------------------------------------|
+| `system` | Perform L3 to L4 translation using the system network stack                                           |
+| `gvisor` | Perform L3 to L4 translation using [gVisor](https://github.com/google/gvisor)'s virtual network stack |
+| `mixed`  | Mixed `system` TCP stack and `gvisor` UDP stack                                                       |

-!!! warning ""
-
-    LWIP stacks is not included by default, see [Installation](/installation/build-from-source/#build-tags).
+Defaults to the `mixed` stack if the gVisor build tag is enabled, otherwise defaults to the `system` stack.

 #### include_interface

@@ -217,10 +239,10 @@ Exclude users in route, but in range.

 Limit android users in route.

-| Common user  | ID  |
-|--------------|-----|
-| Main         | 0   |
-| Work Profile | 10  |
+| Common user  | ID |
+|--------------|----|
+| Main         | 0  |
+| Work Profile | 10 |

 #### include_package

@@ -240,4 +262,4 @@ System HTTP proxy settings.

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -1,3 +1,12 @@
+---
+icon: material/alert-decagram
+---
+
+!!! quote "sing-box 1.8.0 中的更改"
+
+    :material-plus: [gso](#gso)  
+    :material-alert-decagram: [stack](#stack)
+
 !!! quote ""

    仅支持 Linux、Windows 和 macOS。
@@ -12,6 +21,7 @@
  "inet4_address": "172.19.0.1/30",
  "inet6_address": "fdfe:dcba:9876::1/126",
  "mtu": 9000,
+  "gso": false,
  "auto_route": true,
  "strict_route": true,
  "inet4_route_address": [
@@ -29,6 +39,7 @@
    "fc00::/7"
  ],
  "endpoint_independent_nat": false,
+  "udp_timeout": "5m",
  "stack": "system",
  "include_interface": [
    "lan0"
@@ -98,6 +109,16 @@ tun 接口的 IPv6 前缀。

 最大传输单元。

+#### gso
+
+!!! question "自 sing-box 1.8.0 起"
+
+!!! quote ""
+
+    仅支持 Linux。
+
+启用通用分段卸载。
+
 #### auto_route

 设置到 Tun 的默认路由。
@@ -157,17 +178,19 @@ UDP NAT 过期时间，以秒为单位，默认为 300（5 分钟）。

 #### stack

+!!! quote "sing-box 1.8.0 中的更改"
+
+    :material-delete-alert: 旧的 LWIP 栈已被弃用并移除。
+
 TCP/IP 栈。

-| 栈           | 描述                                                                       | 状态    |
-|-------------|--------------------------------------------------------------------------|-------|
-| system （默认） | 有时性能更好                                                                   | 推荐    |
-| gVisor      | 兼容性较好，基于 [google/gvisor](https://github.com/google/gvisor)               | 推荐    |
-| LWIP        | 基于 [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks) | 上游已存档 |
+| 栈      | 描述                                                               |
+|--------|------------------------------------------------------------------|
+| system | 基于系统网络栈执行 L3 到 L4 转换                                             |
+| gVisor | 基于 [gVisor](https://github.com/google/gvisor) 虚拟网络栈执行 L3 到 L4 转换 |
+| mixed  | 混合 `system` TCP 栈与 `gvisor` UDP 栈                                |

-!!! warning ""
-
-    默认安装不包含 LWIP 栈，参阅 [安装](/zh/installation/build-from-source/#_5)。
+默认使用 `mixed` 栈如果 gVisor 构建标记已启用，否则默认使用 `system` 栈。

 #### include_interface

@@ -214,8 +237,8 @@ TCP/IP 栈。
 限制被路由的 Android 用户。

 | 常用用户 | ID |
-|--|-----|
-| 您 | 0 |
+|------|----|
+| 您    | 0  |
 | 工作资料 | 10 |

 #### include_package
--- a/docs/configuration/inbound/vless.md
+++ b/docs/configuration/inbound/vless.md
@@ -22,7 +22,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

@@ -56,4 +56,4 @@ See [Multiplex](/configuration/shared/multiplex#inbound) for details.

 #### transport

-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
+V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).
--- a/docs/configuration/inbound/vless.zh.md
+++ b/docs/configuration/inbound/vless.zh.md
@@ -56,4 +56,4 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### transport

-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
+V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。
--- a/docs/configuration/inbound/vmess.md
+++ b/docs/configuration/inbound/vmess.md
@@ -22,7 +22,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

@@ -51,4 +51,4 @@ See [Multiplex](/configuration/shared/multiplex#inbound) for details.

 #### transport

-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
+V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).
--- a/docs/configuration/inbound/vmess.zh.md
+++ b/docs/configuration/inbound/vmess.zh.md
@@ -51,4 +51,4 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### transport

-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
+V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。
--- a/docs/configuration/index.md
+++ b/docs/configuration/index.md
@@ -20,13 +20,13 @@ sing-box uses JSON for configuration files.

 | Key            | Format                         |
 |----------------|--------------------------------|
-| `log`          | [Log](./log)                   |
-| `dns`          | [DNS](./dns)                   |
-| `ntp`          | [NTP](./ntp)                   |
-| `inbounds`     | [Inbound](./inbound)           |
-| `outbounds`    | [Outbound](./outbound)         |
-| `route`        | [Route](./route)               |
-| `experimental` | [Experimental](./experimental) |
+| `log`          | [Log](./log/)                   |
+| `dns`          | [DNS](./dns/)                   |
+| `ntp`          | [NTP](./ntp/)                   |
+| `inbounds`     | [Inbound](./inbound/)           |
+| `outbounds`    | [Outbound](./outbound/)         |
+| `route`        | [Route](./route/)               |
+| `experimental` | [Experimental](./experimental/) |

 ### Check

--- a/docs/configuration/index.zh.md
+++ b/docs/configuration/index.zh.md
@@ -19,12 +19,12 @@ sing-box 使用 JSON 作为配置文件格式。

 | Key            | Format                |
 |----------------|-----------------------|
-| `log`          | [日志](./log)           |
-| `dns`          | [DNS](./dns)          |
-| `inbounds`     | [入站](./inbound)       |
-| `outbounds`    | [出站](./outbound)      |
-| `route`        | [路由](./route)         |
-| `experimental` | [实验性](./experimental) |
+| `log`          | [日志](./log/)           |
+| `dns`          | [DNS](./dns/)          |
+| `inbounds`     | [入站](./inbound/)       |
+| `outbounds`    | [出站](./outbound/)      |
+| `route`        | [路由](./route/)         |
+| `experimental` | [实验性](./experimental/) |

 ### 检查

--- a/docs/configuration/ntp/index.md
+++ b/docs/configuration/ntp/index.md
@@ -47,4 +47,4 @@ Time synchronization interval.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/direct.md
+++ b/docs/configuration/outbound/direct.md
@@ -33,4 +33,4 @@ Protocol value can be `1` or `2`.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/http.md
+++ b/docs/configuration/outbound/http.md
@@ -55,4 +55,4 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/hysteria.md
+++ b/docs/configuration/outbound/hysteria.md
@@ -109,4 +109,4 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/hysteria2.md
+++ b/docs/configuration/outbound/hysteria2.md
@@ -84,4 +84,4 @@ Enable debug information logging for Hysteria Brutal CC.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/index.md
+++ b/docs/configuration/outbound/index.md
@@ -17,24 +17,24 @@

 | Type           | Format                         |
 |----------------|--------------------------------|
-| `direct`       | [Direct](./direct)             |
-| `block`        | [Block](./block)               |
-| `socks`        | [SOCKS](./socks)               |
-| `http`         | [HTTP](./http)                 |
-| `shadowsocks`  | [Shadowsocks](./shadowsocks)   |
-| `vmess`        | [VMess](./vmess)               |
-| `trojan`       | [Trojan](./trojan)             |
-| `wireguard`    | [Wireguard](./wireguard)       |
-| `hysteria`     | [Hysteria](./hysteria)         |
-| `vless`        | [VLESS](./vless)               |
-| `shadowtls`    | [ShadowTLS](./shadowtls)       |
-| `tuic`         | [TUIC](./tuic)                 |
-| `hysteria2`    | [Hysteria2](./hysteria2)       |
-| `tor`          | [Tor](./tor)                   |
-| `ssh`          | [SSH](./ssh)                   |
-| `dns`          | [DNS](./dns)                   |
-| `selector`     | [Selector](./selector)         |
-| `urltest`      | [URLTest](./urltest)           |
+| `direct`       | [Direct](./direct/)             |
+| `block`        | [Block](./block/)               |
+| `socks`        | [SOCKS](./socks/)               |
+| `http`         | [HTTP](./http/)                 |
+| `shadowsocks`  | [Shadowsocks](./shadowsocks/)   |
+| `vmess`        | [VMess](./vmess/)               |
+| `trojan`       | [Trojan](./trojan/)             |
+| `wireguard`    | [Wireguard](./wireguard/)       |
+| `hysteria`     | [Hysteria](./hysteria/)         |
+| `vless`        | [VLESS](./vless/)               |
+| `shadowtls`    | [ShadowTLS](./shadowtls/)       |
+| `tuic`         | [TUIC](./tuic/)                 |
+| `hysteria2`    | [Hysteria2](./hysteria2/)       |
+| `tor`          | [Tor](./tor/)                   |
+| `ssh`          | [SSH](./ssh/)                   |
+| `dns`          | [DNS](./dns/)                   |
+| `selector`     | [Selector](./selector/)         |
+| `urltest`      | [URLTest](./urltest/)           |

 #### tag

--- a/docs/configuration/outbound/index.zh.md
+++ b/docs/configuration/outbound/index.zh.md
@@ -17,24 +17,24 @@

 | 类型             | 格式                             |
 |----------------|--------------------------------|
-| `direct`       | [Direct](./direct)             |
-| `block`        | [Block](./block)               |
-| `socks`        | [SOCKS](./socks)               |
-| `http`         | [HTTP](./http)                 |
-| `shadowsocks`  | [Shadowsocks](./shadowsocks)   |
-| `vmess`        | [VMess](./vmess)               |
-| `trojan`       | [Trojan](./trojan)             |
-| `wireguard`    | [Wireguard](./wireguard)       |
-| `hysteria`     | [Hysteria](./hysteria)         |
-| `vless`        | [VLESS](./vless)               |
-| `shadowtls`    | [ShadowTLS](./shadowtls)       |
-| `tuic`         | [TUIC](./tuic)                 |
-| `hysteria2`    | [Hysteria2](./hysteria2)       |
-| `tor`          | [Tor](./tor)                   |
-| `ssh`          | [SSH](./ssh)                   |
-| `dns`          | [DNS](./dns)                   |
-| `selector`     | [Selector](./selector)         |
-| `urltest`      | [URLTest](./urltest)           |
+| `direct`       | [Direct](./direct/)             |
+| `block`        | [Block](./block/)               |
+| `socks`        | [SOCKS](./socks/)               |
+| `http`         | [HTTP](./http/)                 |
+| `shadowsocks`  | [Shadowsocks](./shadowsocks/)   |
+| `vmess`        | [VMess](./vmess/)               |
+| `trojan`       | [Trojan](./trojan/)             |
+| `wireguard`    | [Wireguard](./wireguard/)       |
+| `hysteria`     | [Hysteria](./hysteria/)         |
+| `vless`        | [VLESS](./vless/)               |
+| `shadowtls`    | [ShadowTLS](./shadowtls/)       |
+| `tuic`         | [TUIC](./tuic/)                 |
+| `hysteria2`    | [Hysteria2](./hysteria2/)       |
+| `tor`          | [Tor](./tor/)                   |
+| `ssh`          | [SSH](./ssh/)                   |
+| `dns`          | [DNS](./dns/)                   |
+| `selector`     | [Selector](./selector/)         |
+| `urltest`      | [URLTest](./urltest/)           |

 #### tag

--- a/docs/configuration/outbound/shadowsocks.md
+++ b/docs/configuration/outbound/shadowsocks.md
@@ -89,7 +89,7 @@ Both is enabled by default.

 UDP over TCP configuration.

-See [UDP Over TCP](/configuration/shared/udp-over-tcp) for details.
+See [UDP Over TCP](/configuration/shared/udp-over-tcp/) for details.

 Conflict with `multiplex`.

@@ -99,4 +99,4 @@ See [Multiplex](/configuration/shared/multiplex#outbound) for details.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/shadowsocks.zh.md
+++ b/docs/configuration/outbound/shadowsocks.zh.md
@@ -89,7 +89,7 @@ Shadowsocks SIP003 插件参数。

 UDP over TCP 配置。

-参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp)。
+参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp/)。

 与 `multiplex` 冲突。

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	e458398bb2	documentation: Bump version	2023-12-21 10:51:57 +08:00
世界	a5d324177b	documentation: Update package managers	2023-12-21 10:50:32 +08:00
世界	34d5441d56	documentation: Fix link format	2023-12-21 10:50:32 +08:00
世界	9713dfb29c	Fix missing UDP timeout for QUIC protocols	2023-12-21 10:50:27 +08:00
世界	c0483a2b37	Migrate `udp_timeout` from seconds to duration format	2023-12-21 10:50:27 +08:00
世界	6fe582fcd7	Avoid nested direct outbound usage	2023-12-21 10:50:27 +08:00
世界	081c45b9d7	Add loopback detect for direct outbound	2023-12-21 10:50:27 +08:00
世界	4e02b9ea94	Fix missing handshake timeout for multiplex	2023-12-21 10:50:21 +08:00
世界	0b2023660b	Fix DNS dial context	2023-12-21 10:50:18 +08:00
世界	dee6fffa23	Make generated files have `SUDO_USER`'s permissions if possible.	2023-12-21 10:49:02 +08:00
世界	26d29761df	Refactor inbound/outbound options struct	2023-12-21 10:49:02 +08:00
世界	4e4d220bbe	Improve configuration merge	2023-12-21 10:49:02 +08:00
世界	d38336bec4	Update uTLS to 1.5.4	2023-12-21 10:49:02 +08:00
世界	de4f167402	Update tfo-go	2023-12-21 10:49:02 +08:00
世界	b9439b8fbd	Update gomobile and add tag	2023-12-21 10:49:02 +08:00
世界	817be7af6e	Update cloudflare-tls to go1.21.5	2023-12-21 10:49:02 +08:00
世界	f57e98dbb0	Remove unnecessary context wrappers	2023-12-21 10:49:02 +08:00
世界	47213f0616	Improve read wait interface & Refactor Authenticator interface to struct & Update smux & Update gVisor to 20231204.0 & Update wireguard-go & Add GSO support for TUN/WireGuard & Fix router pre-start & Fix bind forwarder to interface for systems stack	2023-12-21 10:48:41 +08:00
世界	2f4f4e18ee	Make type check strict	2023-12-18 22:26:02 +08:00
世界	bc2d73b2d6	Remove comparable limit for Listable	2023-12-18 22:26:01 +08:00
世界	abd4d8b367	Avoid opening log output before start & Replace tracing logs with task monitor	2023-12-18 22:26:01 +08:00
世界	f998ccecde	Update documentation	2023-12-18 22:26:01 +08:00
世界	fc9804b20f	Add `idle_timeout` for URLTest outbound	2023-12-18 22:26:01 +08:00
世界	d1ad342cb0	Skip internal fake-ip queries	2023-12-18 22:26:01 +08:00
世界	80cc0cd5db	Migrate contentjson and badjson to library & Add omitempty in format	2023-12-18 22:25:54 +08:00
世界	3041f34dfa	Update documentation	2023-12-18 22:25:54 +08:00
世界	3a9b787a6e	Independent `source_ip_is_private` and `ip_is_private` rules	2023-12-18 22:25:53 +08:00
世界	bb70e8267e	Add rule-set	2023-12-18 22:25:53 +08:00
世界	411f02ee4f	Update buffer usage	2023-12-18 22:25:53 +08:00
世界	340e74eed4	Allow nested logical rules	2023-12-18 22:25:53 +08:00
世界	ad93b45021	Migrate to independent cache file	2023-12-18 22:25:53 +08:00
世界	d0aaf71770	Fix direct UDP override	2023-12-18 21:48:59 +08:00
世界	2f31202c6b	documentation: Update shadowsocks example Remove the information on password generation for `2022-blake3-aes-128-gcm` cipher from the Server Example section in the shadowsocks.md file as it is no longer needed.	2023-12-14 21:05:41 +08:00
renovate[bot]	e4cc510712	[dependencies] Update github-actions	2023-12-14 15:14:22 +08:00
世界	e329bf6865	Update dependencies	2023-12-14 15:09:03 +08:00
世界	2badcec765	platform: Fix check config	2023-12-12 20:26:41 +08:00
世界	e71c13b1a2	documentation: Bump version	2023-12-12 13:54:23 +08:00
世界	a959a67ed3	FIx error handling for netlink banned in Android	2023-12-12 13:54:23 +08:00
世界	a1044af579	platform: Fix VPN route	2023-12-11 21:59:59 +08:00
世界	a64b57451a	Update dependencies	2023-12-11 21:40:11 +08:00
世界	f0e2318cbd	Fix auto-route IPv6 on darwin	2023-12-11 21:39:29 +08:00
世界	ebec308fd8	documentation: Bump version	2023-12-09 00:22:27 +08:00
世界	ca094587be	Fix incorrect dependency	2023-12-09 00:22:27 +08:00
世界	ca3b86c781	Update bug report template	2023-12-08 21:56:30 +08:00
世界	5a1d0047b9	documentation: Bump version	2023-12-08 21:38:34 +08:00
世界	4669854039	Fix method check for v2ray HTTP transport	2023-12-08 21:12:52 +08:00
世界	2eecdc38a4	Fix gun conn setup	2023-12-08 21:10:36 +08:00
世界	83581b7c1a	Update dependencies	2023-12-08 11:18:52 +08:00
世界	d346f0023d	Fix HTTP connect client again	2023-12-08 11:18:52 +08:00
世界	47b7a29cbd	Fix fallback packet conn	2023-12-06 18:47:50 +08:00
世界	cffc07579d	Fix missing omitempty for NTP server fields	2023-12-05 18:32:21 +08:00
世界	0ef268637e	Prevent nil LocalAddr or RemoteAddr	2023-12-05 15:11:09 +08:00
世界	50f5a76380	Update dependencies	2023-12-04 21:06:15 +08:00
世界	20ca05dd36	Fix crash on websocket concurrent request	2023-12-04 20:42:01 +08:00