documentation: Bump version

documentation: Update package managers
Remove unnecessary context wrappers
2026-04-13 20:28:32 +10:00 · 2024-01-01 16:21:56 +08:00 · 2024-01-01 16:21:44 +08:00 · 2024-01-01 16:21:44 +08:00 · 2024-01-01 16:21:39 +08:00 · 2024-01-01 16:20:23 +08:00
238 changed files with 2980 additions and 6857 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -44,13 +44,7 @@ body:
    attributes:
      label: Version
      description: If you are using the original command line program, please provide the output of the `sing-box version` command.
-      value: |-
-        <details>
-
-        ```console
-        # Replace this line with the output
-        ```
-        </details>
+      render: shell
  - type: textarea
    attributes:
      label: Description
@@ -67,13 +61,22 @@ body:
    attributes:
      label: Logs
      description: |-
-        If you encounter a crash with the graphical client, please provide crash logs.
+        In addition, if you encounter a crash with the graphical client, please also provide crash logs.
        For Apple platform clients, please check `Settings - View Service Log` for crash logs.
        For the Android client, please check the `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` file for crash logs.
-      value: |-
-        <details>
-        
-        ```console
-        # Replace this line with logs
-        ```
-        </details>
+      render: shell
+  - type: checkboxes
+    attributes:
+      label: Integrity requirements
+      description: |-
+        Please check all of the following options to prove that you have read and understood the requirements, otherwise this issue will be closed.
+        Sing-box is not a project aimed to please users who can't make any meaningful contributions and gain unethical influence. If you deceive here to deliberately waste the time of the developers, you will be permanently blocked.
+      options:
+        - label: I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
+          required: true
+        - label: I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
+          required: true
+        - label: I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
+          required: true
+        - label: I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
+          required: true
--- a/.github/ISSUE_TEMPLATE/bug_report_zh.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report_zh.yml
@@ -44,13 +44,7 @@ body:
    attributes:
      label: 版本
      description: 如果您使用原始命令行程序，请提供 `sing-box version` 命令的输出。
-      value: |-
-        <details>
-
-        ```console
-        # 使用输出内容覆盖此行
-        ```
-        </details>
+      render: shell
  - type: textarea
    attributes:
      label: 描述
@@ -67,13 +61,22 @@ body:
    attributes:
      label: 日志
      description: |-
-        如果您遭遇图形界面应用程序崩溃，请提供崩溃日志。
+        此外，如果您遭遇图形界面应用程序崩溃，请附加提供崩溃日志。
        对于 Apple 平台图形客户端程序，请检查 `Settings - View Service Log` 以导出崩溃日志。
        对于 Android 图形客户端程序，请检查 `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` 文件以导出崩溃日志。
-      value: |-
-        <details>
-        
-        ```console
-        # 使用日志内容覆盖此行
-        ```
-        </details>
+      render: shell
+  - type: checkboxes
+    attributes:
+      label: 完整性要求
+      description: |-
+        请勾选以下所有选项以证明您已经阅读并理解了以下要求，否则该 issue 将被关闭。
+        sing-box 不是讨好无法作出任何意义上的贡献的最终用户并获取非道德影响力的项目，如果您在此处欺骗以故意浪费开发者的时间，您将被永久封锁。
+      options:
+        - label: 我保证阅读了文档，了解所有我编写的配置文件项的含义，而不是大量堆砌看似有用的选项或默认值。
+          required: true
+        - label: 我保证提供了可以在本地重现该问题的服务器、客户端配置文件与流程，而不是一个脱敏的复杂客户端配置文件。
+          required: true
+        - label: 我保证提供了可用于重现我报告的错误的最简配置，而不是依赖远程服务器、TUN、图形界面客户端或者其他闭源软件。
+          required: true
+        - label: 我保证提供了完整的配置文件与日志，而不是出于对自身智力的自信而仅提供了部分认为有用的部分。
+          required: true
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -30,7 +30,7 @@ jobs:
        run: |
          echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
      - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Add cache to Go proxy
@@ -54,7 +54,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: 1.18.10
      - name: Cache go module
@@ -74,7 +74,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: 1.20.7
      - name: Cache go module
@@ -209,14 +209,14 @@ jobs:
        run: |
          echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
      - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Build
        id: build
        run: make
      - name: Upload artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: sing-box-${{ matrix.name }}
          path: sing-box*
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -30,7 +30,7 @@ jobs:
        run: |
          echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
      - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: golangci-lint
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,7 +8,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v8
+      - uses: actions/stale@v9
        with:
          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
          days-before-stale: 60
--- a/9
+++ b/9
@@ -1,7 +1,7 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
-TAGS_GO120 = with_quic,with_ech
+TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api
+TAGS_GO120 = with_quic,with_ech,with_utls
 TAGS ?= $(TAGS_GO118),$(TAGS_GO120)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server

@@ -178,9 +178,8 @@ lib:
 	go run ./cmd/internal/build_libbox -target ios

 lib_install:
-	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230915142329-c6740b6d2950
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230915142329-c6740b6d2950
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.1
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.1

 docs:
 	mkdocs serve
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -17,6 +17,7 @@ import (

 type Router interface {
 	Service
+	PreStarter
 	PostStarter

 	Outbounds() []Outbound
--- a/box.go
+++ b/box.go
@@ -55,7 +55,7 @@ func New(options Options) (*Box, error) {
 		ctx = context.Background()
 	}
 	ctx = service.ContextWithDefaultRegistry(ctx)
-	ctx = pause.ContextWithDefaultManager(ctx)
+	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needCacheFile bool
@@ -157,9 +157,12 @@ func New(options Options) (*Box, error) {
 	preServices2 := make(map[string]adapter.Service)
 	postServices := make(map[string]adapter.Service)
 	if needCacheFile {
-		cacheFile := cachefile.NewCacheFile(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
+		cacheFile := service.FromContext[adapter.CacheFile](ctx)
+		if cacheFile == nil {
+			cacheFile = cachefile.New(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
+			service.MustRegister[adapter.CacheFile](ctx, cacheFile)
+		}
 		preServices1["cache file"] = cacheFile
-		service.MustRegister[adapter.CacheFile](ctx, cacheFile)
 	}
 	if needClashAPI {
 		clashAPIOptions := common.PtrValueOrDefault(experimentalOptions.ClashAPI)
@@ -259,6 +262,10 @@ func (s *Box) preStart() error {
 			}
 		}
 	}
+	err = s.router.PreStart()
+	if err != nil {
+		return E.Cause(err, "pre-start router")
+	}
 	err = s.startOutbounds()
 	if err != nil {
 		return err
@@ -313,10 +320,7 @@ func (s *Box) postStart() error {
 			}
 		}
 	}
-	err := s.router.PostStart()
-	if err != nil {
-		return E.Cause(err, "post-start router")
-	}
+
 	return s.router.PostStart()
 }

--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -7,7 +7,7 @@ import (
 	"path/filepath"
 	"strings"

-	_ "github.com/sagernet/gomobile/event/key"
+	_ "github.com/sagernet/gomobile"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common/rw"
--- a/cmd/sing-box/cmd_format.go
+++ b/cmd/sing-box/cmd_format.go
@@ -5,9 +5,10 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/json/badjson"

 	"github.com/spf13/cobra"
 )
@@ -37,6 +38,10 @@ func format() error {
 		return err
 	}
 	for _, optionsEntry := range optionsList {
+		optionsEntry.options, err = badjson.Omitempty(optionsEntry.options)
+		if err != nil {
+			return err
+		}
 		buffer := new(bytes.Buffer)
 		encoder := json.NewEncoder(buffer)
 		encoder.SetIndent("", "  ")
--- a/cmd/sing-box/cmd_geoip_export.go
+++ b/cmd/sing-box/cmd_geoip_export.go
@@ -6,11 +6,11 @@ import (
 	"os"
 	"strings"

-	"github.com/sagernet/sing-box/common/json"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"

 	"github.com/oschwald/maxminddb-golang"
 	"github.com/spf13/cobra"
--- a/cmd/sing-box/cmd_geosite_export.go
+++ b/cmd/sing-box/cmd_geosite_export.go
@@ -5,10 +5,10 @@ import (
 	"os"

 	"github.com/sagernet/sing-box/common/geosite"
-	"github.com/sagernet/sing-box/common/json"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/json"

 	"github.com/spf13/cobra"
 )
--- a/cmd/sing-box/cmd_merge.go
+++ b/cmd/sing-box/cmd_merge.go
@@ -6,12 +6,12 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/sagernet/sing-box/common/json"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/rw"

 	"github.com/spf13/cobra"
@@ -65,50 +65,26 @@ func merge(outputPath string) error {

 func mergePathResources(options *option.Options) error {
 	for index, inbound := range options.Inbounds {
-		switch inbound.Type {
-		case C.TypeHTTP:
-			inbound.HTTPOptions.TLS = mergeTLSInboundOptions(inbound.HTTPOptions.TLS)
-		case C.TypeMixed:
-			inbound.MixedOptions.TLS = mergeTLSInboundOptions(inbound.MixedOptions.TLS)
-		case C.TypeVMess:
-			inbound.VMessOptions.TLS = mergeTLSInboundOptions(inbound.VMessOptions.TLS)
-		case C.TypeTrojan:
-			inbound.TrojanOptions.TLS = mergeTLSInboundOptions(inbound.TrojanOptions.TLS)
-		case C.TypeNaive:
-			inbound.NaiveOptions.TLS = mergeTLSInboundOptions(inbound.NaiveOptions.TLS)
-		case C.TypeHysteria:
-			inbound.HysteriaOptions.TLS = mergeTLSInboundOptions(inbound.HysteriaOptions.TLS)
-		case C.TypeVLESS:
-			inbound.VLESSOptions.TLS = mergeTLSInboundOptions(inbound.VLESSOptions.TLS)
-		case C.TypeTUIC:
-			inbound.TUICOptions.TLS = mergeTLSInboundOptions(inbound.TUICOptions.TLS)
-		case C.TypeHysteria2:
-			inbound.Hysteria2Options.TLS = mergeTLSInboundOptions(inbound.Hysteria2Options.TLS)
-		default:
-			continue
+		rawOptions, err := inbound.RawOptions()
+		if err != nil {
+			return err
+		}
+		if tlsOptions, containsTLSOptions := rawOptions.(option.InboundTLSOptionsWrapper); containsTLSOptions {
+			tlsOptions.ReplaceInboundTLSOptions(mergeTLSInboundOptions(tlsOptions.TakeInboundTLSOptions()))
 		}
 		options.Inbounds[index] = inbound
 	}
 	for index, outbound := range options.Outbounds {
+		rawOptions, err := outbound.RawOptions()
+		if err != nil {
+			return err
+		}
 		switch outbound.Type {
-		case C.TypeHTTP:
-			outbound.HTTPOptions.TLS = mergeTLSOutboundOptions(outbound.HTTPOptions.TLS)
-		case C.TypeVMess:
-			outbound.VMessOptions.TLS = mergeTLSOutboundOptions(outbound.VMessOptions.TLS)
-		case C.TypeTrojan:
-			outbound.TrojanOptions.TLS = mergeTLSOutboundOptions(outbound.TrojanOptions.TLS)
-		case C.TypeHysteria:
-			outbound.HysteriaOptions.TLS = mergeTLSOutboundOptions(outbound.HysteriaOptions.TLS)
 		case C.TypeSSH:
 			outbound.SSHOptions = mergeSSHOutboundOptions(outbound.SSHOptions)
-		case C.TypeVLESS:
-			outbound.VLESSOptions.TLS = mergeTLSOutboundOptions(outbound.VLESSOptions.TLS)
-		case C.TypeTUIC:
-			outbound.TUICOptions.TLS = mergeTLSOutboundOptions(outbound.TUICOptions.TLS)
-		case C.TypeHysteria2:
-			outbound.Hysteria2Options.TLS = mergeTLSOutboundOptions(outbound.Hysteria2Options.TLS)
-		default:
-			continue
+		}
+		if tlsOptions, containsTLSOptions := rawOptions.(option.OutboundTLSOptionsWrapper); containsTLSOptions {
+			tlsOptions.ReplaceOutboundTLSOptions(mergeTLSOutboundOptions(tlsOptions.TakeOutboundTLSOptions()))
 		}
 		options.Outbounds[index] = outbound
 	}
--- a/cmd/sing-box/cmd_rule_set_compile.go
+++ b/cmd/sing-box/cmd_rule_set_compile.go
@@ -5,10 +5,10 @@ import (
 	"os"
 	"strings"

-	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/common/srs"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/json"

 	"github.com/spf13/cobra"
 )
@@ -47,10 +47,14 @@ func compileRuleSet(sourcePath string) error {
 			return err
 		}
 	}
-	decoder := json.NewDecoder(json.NewCommentFilter(reader))
-	decoder.DisallowUnknownFields()
-	var plainRuleSet option.PlainRuleSetCompat
-	err = decoder.Decode(&plainRuleSet)
+	content, err := io.ReadAll(reader)
+	if err != nil {
+		return err
+	}
+	plainRuleSet, err := json.UnmarshalExtended[option.PlainRuleSetCompat](content)
+	if err != nil {
+		return err
+	}
 	if err != nil {
 		return err
 	}
--- a/cmd/sing-box/cmd_rule_set_format.go
+++ b/cmd/sing-box/cmd_rule_set_format.go
@@ -6,10 +6,10 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"

 	"github.com/spf13/cobra"
 )
@@ -50,18 +50,14 @@ func formatRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
-	decoder := json.NewDecoder(json.NewCommentFilter(bytes.NewReader(content)))
-	decoder.DisallowUnknownFields()
-	var plainRuleSet option.PlainRuleSetCompat
-	err = decoder.Decode(&plainRuleSet)
+	plainRuleSet, err := json.UnmarshalExtended[option.PlainRuleSetCompat](content)
 	if err != nil {
 		return err
 	}
-	ruleSet := plainRuleSet.Upgrade()
 	buffer := new(bytes.Buffer)
 	encoder := json.NewEncoder(buffer)
 	encoder.SetIndent("", "  ")
-	err = encoder.Encode(ruleSet)
+	err = encoder.Encode(plainRuleSet)
 	if err != nil {
 		return E.Cause(err, "encode config")
 	}
--- a/cmd/sing-box/cmd_run.go
+++ b/cmd/sing-box/cmd_run.go
@@ -13,11 +13,12 @@ import (
 	"time"

 	"github.com/sagernet/sing-box"
-	"github.com/sagernet/sing-box/common/badjsonmerge"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/json/badjson"

 	"github.com/spf13/cobra"
 )
@@ -56,8 +57,7 @@ func readConfigAt(path string) (*OptionsEntry, error) {
 	if err != nil {
 		return nil, E.Cause(err, "read config at ", path)
 	}
-	var options option.Options
-	err = options.UnmarshalJSON(configContent)
+	options, err := json.UnmarshalExtended[option.Options](configContent)
 	if err != nil {
 		return nil, E.Cause(err, "decode config at ", path)
 	}
@@ -107,13 +107,18 @@ func readConfigAndMerge() (option.Options, error) {
 	if len(optionsList) == 1 {
 		return optionsList[0].options, nil
 	}
-	var mergedOptions option.Options
+	var mergedMessage json.RawMessage
 	for _, options := range optionsList {
-		mergedOptions, err = badjsonmerge.MergeOptions(options.options, mergedOptions)
+		mergedMessage, err = badjson.MergeJSON(options.options.RawMessage, mergedMessage)
 		if err != nil {
 			return option.Options{}, E.Cause(err, "merge config at ", options.path)
 		}
 	}
+	var mergedOptions option.Options
+	err = mergedOptions.UnmarshalJSON(mergedMessage)
+	if err != nil {
+		return option.Options{}, E.Cause(err, "unmarshal merged config")
+	}
 	return mergedOptions, nil
 }

@@ -128,7 +133,7 @@ func create() (*box.Box, context.CancelFunc, error) {
 		}
 		options.Log.DisableColor = true
 	}
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(globalCtx)
 	instance, err := box.New(box.Options{
 		Context: ctx,
 		Options: options,
--- a/cmd/sing-box/main.go
+++ b/cmd/sing-box/main.go
@@ -3,15 +3,19 @@ package main
 import (
 	"context"
 	"os"
+	"os/user"
+	"strconv"
 	"time"

 	_ "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/service/filemanager"

 	"github.com/spf13/cobra"
 )

 var (
+	globalCtx         context.Context
 	configPaths       []string
 	configDirectories []string
 	workingDir        string
@@ -37,15 +41,30 @@ func main() {
 }

 func preRun(cmd *cobra.Command, args []string) {
+	globalCtx = context.Background()
+	sudoUser := os.Getenv("SUDO_USER")
+	sudoUID, _ := strconv.Atoi(os.Getenv("SUDO_UID"))
+	sudoGID, _ := strconv.Atoi(os.Getenv("SUDO_GID"))
+	if sudoUID == 0 && sudoGID == 0 && sudoUser != "" {
+		sudoUserObject, _ := user.Lookup(sudoUser)
+		if sudoUserObject != nil {
+			sudoUID, _ = strconv.Atoi(sudoUserObject.Uid)
+			sudoGID, _ = strconv.Atoi(sudoUserObject.Gid)
+		}
+	}
+	if sudoUID > 0 && sudoGID > 0 {
+		globalCtx = filemanager.WithDefault(globalCtx, "", "", sudoUID, sudoGID)
+	}
 	if disableColor {
 		log.SetStdLogger(log.NewDefaultFactory(context.Background(), log.Formatter{BaseTime: time.Now(), DisableColors: true}, os.Stderr, "", nil, false).Logger())
 	}
 	if workingDir != "" {
 		_, err := os.Stat(workingDir)
 		if err != nil {
-			os.MkdirAll(workingDir, 0o777)
+			filemanager.MkdirAll(globalCtx, workingDir, 0o777)
 		}
-		if err := os.Chdir(workingDir); err != nil {
+		err = os.Chdir(workingDir)
+		if err != nil {
 			log.Fatal(err)
 		}
 	}
--- a/common/badjson/array.go
+++ b/common/badjson/array.go
@@ -1,46 +0,0 @@
-package badjson
-
-import (
-	"bytes"
-
-	"github.com/sagernet/sing-box/common/json"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type JSONArray []any
-
-func (a JSONArray) MarshalJSON() ([]byte, error) {
-	return json.Marshal([]any(a))
-}
-
-func (a *JSONArray) UnmarshalJSON(content []byte) error {
-	decoder := json.NewDecoder(bytes.NewReader(content))
-	arrayStart, err := decoder.Token()
-	if err != nil {
-		return err
-	} else if arrayStart != json.Delim('[') {
-		return E.New("excepted array start, but got ", arrayStart)
-	}
-	err = a.decodeJSON(decoder)
-	if err != nil {
-		return err
-	}
-	arrayEnd, err := decoder.Token()
-	if err != nil {
-		return err
-	} else if arrayEnd != json.Delim(']') {
-		return E.New("excepted array end, but got ", arrayEnd)
-	}
-	return nil
-}
-
-func (a *JSONArray) decodeJSON(decoder *json.Decoder) error {
-	for decoder.More() {
-		item, err := decodeJSON(decoder)
-		if err != nil {
-			return err
-		}
-		*a = append(*a, item)
-	}
-	return nil
-}
--- a/common/badjson/json.go
+++ b/common/badjson/json.go
@@ -1,54 +0,0 @@
-package badjson
-
-import (
-	"bytes"
-
-	"github.com/sagernet/sing-box/common/json"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-func Decode(content []byte) (any, error) {
-	decoder := json.NewDecoder(bytes.NewReader(content))
-	return decodeJSON(decoder)
-}
-
-func decodeJSON(decoder *json.Decoder) (any, error) {
-	rawToken, err := decoder.Token()
-	if err != nil {
-		return nil, err
-	}
-	switch token := rawToken.(type) {
-	case json.Delim:
-		switch token {
-		case '{':
-			var object JSONObject
-			err = object.decodeJSON(decoder)
-			if err != nil {
-				return nil, err
-			}
-			rawToken, err = decoder.Token()
-			if err != nil {
-				return nil, err
-			} else if rawToken != json.Delim('}') {
-				return nil, E.New("excepted object end, but got ", rawToken)
-			}
-			return &object, nil
-		case '[':
-			var array JSONArray
-			err = array.decodeJSON(decoder)
-			if err != nil {
-				return nil, err
-			}
-			rawToken, err = decoder.Token()
-			if err != nil {
-				return nil, err
-			} else if rawToken != json.Delim(']') {
-				return nil, E.New("excepted array end, but got ", rawToken)
-			}
-			return array, nil
-		default:
-			return nil, E.New("excepted object or array end: ", token)
-		}
-	}
-	return rawToken, nil
-}
--- a/common/badjson/object.go
+++ b/common/badjson/object.go
@@ -1,79 +0,0 @@
-package badjson
-
-import (
-	"bytes"
-	"strings"
-
-	"github.com/sagernet/sing-box/common/json"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/x/linkedhashmap"
-)
-
-type JSONObject struct {
-	linkedhashmap.Map[string, any]
-}
-
-func (m JSONObject) MarshalJSON() ([]byte, error) {
-	buffer := new(bytes.Buffer)
-	buffer.WriteString("{")
-	items := m.Entries()
-	iLen := len(items)
-	for i, entry := range items {
-		keyContent, err := json.Marshal(entry.Key)
-		if err != nil {
-			return nil, err
-		}
-		buffer.WriteString(strings.TrimSpace(string(keyContent)))
-		buffer.WriteString(": ")
-		valueContent, err := json.Marshal(entry.Value)
-		if err != nil {
-			return nil, err
-		}
-		buffer.WriteString(strings.TrimSpace(string(valueContent)))
-		if i < iLen-1 {
-			buffer.WriteString(", ")
-		}
-	}
-	buffer.WriteString("}")
-	return buffer.Bytes(), nil
-}
-
-func (m *JSONObject) UnmarshalJSON(content []byte) error {
-	decoder := json.NewDecoder(bytes.NewReader(content))
-	m.Clear()
-	objectStart, err := decoder.Token()
-	if err != nil {
-		return err
-	} else if objectStart != json.Delim('{') {
-		return E.New("expected json object start, but starts with ", objectStart)
-	}
-	err = m.decodeJSON(decoder)
-	if err != nil {
-		return E.Cause(err, "decode json object content")
-	}
-	objectEnd, err := decoder.Token()
-	if err != nil {
-		return err
-	} else if objectEnd != json.Delim('}') {
-		return E.New("expected json object end, but ends with ", objectEnd)
-	}
-	return nil
-}
-
-func (m *JSONObject) decodeJSON(decoder *json.Decoder) error {
-	for decoder.More() {
-		var entryKey string
-		keyToken, err := decoder.Token()
-		if err != nil {
-			return err
-		}
-		entryKey = keyToken.(string)
-		var entryValue any
-		entryValue, err = decodeJSON(decoder)
-		if err != nil {
-			return E.Cause(err, "decode value for ", entryKey)
-		}
-		m.Put(entryKey, entryValue)
-	}
-	return nil
-}
--- a/common/badjsonmerge/merge.go
+++ b/common/badjsonmerge/merge.go
@@ -1,80 +0,0 @@
-package badjsonmerge
-
-import (
-	"reflect"
-
-	"github.com/sagernet/sing-box/common/badjson"
-	"github.com/sagernet/sing-box/common/json"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-func MergeOptions(source option.Options, destination option.Options) (option.Options, error) {
-	rawSource, err := json.Marshal(source)
-	if err != nil {
-		return option.Options{}, E.Cause(err, "marshal source")
-	}
-	rawDestination, err := json.Marshal(destination)
-	if err != nil {
-		return option.Options{}, E.Cause(err, "marshal destination")
-	}
-	rawMerged, err := MergeJSON(rawSource, rawDestination)
-	if err != nil {
-		return option.Options{}, E.Cause(err, "merge options")
-	}
-	var merged option.Options
-	err = json.Unmarshal(rawMerged, &merged)
-	if err != nil {
-		return option.Options{}, E.Cause(err, "unmarshal merged options")
-	}
-	return merged, nil
-}
-
-func MergeJSON(rawSource json.RawMessage, rawDestination json.RawMessage) (json.RawMessage, error) {
-	source, err := badjson.Decode(rawSource)
-	if err != nil {
-		return nil, E.Cause(err, "decode source")
-	}
-	destination, err := badjson.Decode(rawDestination)
-	if err != nil {
-		return nil, E.Cause(err, "decode destination")
-	}
-	merged, err := mergeJSON(source, destination)
-	if err != nil {
-		return nil, err
-	}
-	return json.Marshal(merged)
-}
-
-func mergeJSON(anySource any, anyDestination any) (any, error) {
-	switch destination := anyDestination.(type) {
-	case badjson.JSONArray:
-		switch source := anySource.(type) {
-		case badjson.JSONArray:
-			destination = append(destination, source...)
-		default:
-			destination = append(destination, source)
-		}
-		return destination, nil
-	case *badjson.JSONObject:
-		switch source := anySource.(type) {
-		case *badjson.JSONObject:
-			for _, entry := range source.Entries() {
-				oldValue, loaded := destination.Get(entry.Key)
-				if loaded {
-					var err error
-					entry.Value, err = mergeJSON(entry.Value, oldValue)
-					if err != nil {
-						return nil, E.Cause(err, "merge object item ", entry.Key)
-					}
-				}
-				destination.Put(entry.Key, entry.Value)
-			}
-		default:
-			return nil, E.New("cannot merge json object into ", reflect.TypeOf(destination))
-		}
-		return destination, nil
-	default:
-		return destination, nil
-	}
-}
--- a/common/badjsonmerge/merge_test.go
+++ b/common/badjsonmerge/merge_test.go
@@ -1,59 +0,0 @@
-package badjsonmerge
-
-import (
-	"testing"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	N "github.com/sagernet/sing/common/network"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestMergeJSON(t *testing.T) {
-	t.Parallel()
-	options := option.Options{
-		Log: &option.LogOptions{
-			Level: "info",
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					Type: C.RuleTypeDefault,
-					DefaultOptions: option.DefaultRule{
-						Network:  []string{N.NetworkTCP},
-						Outbound: "direct",
-					},
-				},
-			},
-		},
-	}
-	anotherOptions := option.Options{
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeDirect,
-				Tag:  "direct",
-			},
-		},
-	}
-	thirdOptions := option.Options{
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					Type: C.RuleTypeDefault,
-					DefaultOptions: option.DefaultRule{
-						Network:  []string{N.NetworkUDP},
-						Outbound: "direct",
-					},
-				},
-			},
-		},
-	}
-	mergeOptions, err := MergeOptions(options, anotherOptions)
-	require.NoError(t, err)
-	mergeOptions, err = MergeOptions(thirdOptions, mergeOptions)
-	require.NoError(t, err)
-	require.Equal(t, "info", mergeOptions.Log.Level)
-	require.Equal(t, 2, len(mergeOptions.Route.Rules))
-	require.Equal(t, C.TypeDirect, mergeOptions.Outbounds[0].Type)
-}
--- a/common/badtls/badtls.go
+++ b/common/badtls/badtls.go
@@ -1,233 +0,0 @@
-//go:build go1.20 && !go1.21
-
-package badtls
-
-import (
-	"crypto/cipher"
-	"crypto/rand"
-	"crypto/tls"
-	"encoding/binary"
-	"io"
-	"net"
-	"reflect"
-	"sync"
-	"sync/atomic"
-	"unsafe"
-
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	N "github.com/sagernet/sing/common/network"
-	aTLS "github.com/sagernet/sing/common/tls"
-)
-
-type Conn struct {
-	*tls.Conn
-	writer              N.ExtendedWriter
-	isHandshakeComplete *atomic.Bool
-	activeCall          *atomic.Int32
-	closeNotifySent     *bool
-	version             *uint16
-	rand                io.Reader
-	halfAccess          *sync.Mutex
-	halfError           *error
-	cipher              cipher.AEAD
-	explicitNonceLen    int
-	halfPtr             uintptr
-	halfSeq             []byte
-	halfScratchBuf      []byte
-}
-
-func TryCreate(conn aTLS.Conn) aTLS.Conn {
-	tlsConn, ok := conn.(*tls.Conn)
-	if !ok {
-		return conn
-	}
-	badConn, err := Create(tlsConn)
-	if err != nil {
-		log.Warn("initialize badtls: ", err)
-		return conn
-	}
-	return badConn
-}
-
-func Create(conn *tls.Conn) (aTLS.Conn, error) {
-	rawConn := reflect.Indirect(reflect.ValueOf(conn))
-	rawIsHandshakeComplete := rawConn.FieldByName("isHandshakeComplete")
-	if !rawIsHandshakeComplete.IsValid() || rawIsHandshakeComplete.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid isHandshakeComplete")
-	}
-	isHandshakeComplete := (*atomic.Bool)(unsafe.Pointer(rawIsHandshakeComplete.UnsafeAddr()))
-	if !isHandshakeComplete.Load() {
-		return nil, E.New("handshake not finished")
-	}
-	rawActiveCall := rawConn.FieldByName("activeCall")
-	if !rawActiveCall.IsValid() || rawActiveCall.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid active call")
-	}
-	activeCall := (*atomic.Int32)(unsafe.Pointer(rawActiveCall.UnsafeAddr()))
-	rawHalfConn := rawConn.FieldByName("out")
-	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid half conn")
-	}
-	rawVersion := rawConn.FieldByName("vers")
-	if !rawVersion.IsValid() || rawVersion.Kind() != reflect.Uint16 {
-		return nil, E.New("badtls: invalid version")
-	}
-	version := (*uint16)(unsafe.Pointer(rawVersion.UnsafeAddr()))
-	rawCloseNotifySent := rawConn.FieldByName("closeNotifySent")
-	if !rawCloseNotifySent.IsValid() || rawCloseNotifySent.Kind() != reflect.Bool {
-		return nil, E.New("badtls: invalid notify")
-	}
-	closeNotifySent := (*bool)(unsafe.Pointer(rawCloseNotifySent.UnsafeAddr()))
-	rawConfig := reflect.Indirect(rawConn.FieldByName("config"))
-	if !rawConfig.IsValid() || rawConfig.Kind() != reflect.Struct {
-		return nil, E.New("badtls: bad config")
-	}
-	config := (*tls.Config)(unsafe.Pointer(rawConfig.UnsafeAddr()))
-	randReader := config.Rand
-	if randReader == nil {
-		randReader = rand.Reader
-	}
-	rawHalfMutex := rawHalfConn.FieldByName("Mutex")
-	if !rawHalfMutex.IsValid() || rawHalfMutex.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid half mutex")
-	}
-	halfAccess := (*sync.Mutex)(unsafe.Pointer(rawHalfMutex.UnsafeAddr()))
-	rawHalfError := rawHalfConn.FieldByName("err")
-	if !rawHalfError.IsValid() || rawHalfError.Kind() != reflect.Interface {
-		return nil, E.New("badtls: invalid half error")
-	}
-	halfError := (*error)(unsafe.Pointer(rawHalfError.UnsafeAddr()))
-	rawHalfCipherInterface := rawHalfConn.FieldByName("cipher")
-	if !rawHalfCipherInterface.IsValid() || rawHalfCipherInterface.Kind() != reflect.Interface {
-		return nil, E.New("badtls: invalid cipher interface")
-	}
-	rawHalfCipher := rawHalfCipherInterface.Elem()
-	aeadCipher, loaded := valueInterface(rawHalfCipher, false).(cipher.AEAD)
-	if !loaded {
-		return nil, E.New("badtls: invalid AEAD cipher")
-	}
-	var explicitNonceLen int
-	switch cipherName := reflect.Indirect(rawHalfCipher).Type().String(); cipherName {
-	case "tls.prefixNonceAEAD":
-		explicitNonceLen = aeadCipher.NonceSize()
-	case "tls.xorNonceAEAD":
-	default:
-		return nil, E.New("badtls: unknown cipher type: ", cipherName)
-	}
-	rawHalfSeq := rawHalfConn.FieldByName("seq")
-	if !rawHalfSeq.IsValid() || rawHalfSeq.Kind() != reflect.Array {
-		return nil, E.New("badtls: invalid seq")
-	}
-	halfSeq := rawHalfSeq.Bytes()
-	rawHalfScratchBuf := rawHalfConn.FieldByName("scratchBuf")
-	if !rawHalfScratchBuf.IsValid() || rawHalfScratchBuf.Kind() != reflect.Array {
-		return nil, E.New("badtls: invalid scratchBuf")
-	}
-	halfScratchBuf := rawHalfScratchBuf.Bytes()
-	return &Conn{
-		Conn:                conn,
-		writer:              bufio.NewExtendedWriter(conn.NetConn()),
-		isHandshakeComplete: isHandshakeComplete,
-		activeCall:          activeCall,
-		closeNotifySent:     closeNotifySent,
-		version:             version,
-		halfAccess:          halfAccess,
-		halfError:           halfError,
-		cipher:              aeadCipher,
-		explicitNonceLen:    explicitNonceLen,
-		rand:                randReader,
-		halfPtr:             rawHalfConn.UnsafeAddr(),
-		halfSeq:             halfSeq,
-		halfScratchBuf:      halfScratchBuf,
-	}, nil
-}
-
-func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
-	if buffer.Len() > maxPlaintext {
-		defer buffer.Release()
-		return common.Error(c.Write(buffer.Bytes()))
-	}
-	for {
-		x := c.activeCall.Load()
-		if x&1 != 0 {
-			return net.ErrClosed
-		}
-		if c.activeCall.CompareAndSwap(x, x+2) {
-			break
-		}
-	}
-	defer c.activeCall.Add(-2)
-	c.halfAccess.Lock()
-	defer c.halfAccess.Unlock()
-	if err := *c.halfError; err != nil {
-		return err
-	}
-	if *c.closeNotifySent {
-		return errShutdown
-	}
-	dataLen := buffer.Len()
-	dataBytes := buffer.Bytes()
-	outBuf := buffer.ExtendHeader(recordHeaderLen + c.explicitNonceLen)
-	outBuf[0] = 23
-	version := *c.version
-	if version == 0 {
-		version = tls.VersionTLS10
-	} else if version == tls.VersionTLS13 {
-		version = tls.VersionTLS12
-	}
-	binary.BigEndian.PutUint16(outBuf[1:], version)
-	var nonce []byte
-	if c.explicitNonceLen > 0 {
-		nonce = outBuf[5 : 5+c.explicitNonceLen]
-		if c.explicitNonceLen < 16 {
-			copy(nonce, c.halfSeq)
-		} else {
-			if _, err := io.ReadFull(c.rand, nonce); err != nil {
-				return err
-			}
-		}
-	}
-	if len(nonce) == 0 {
-		nonce = c.halfSeq
-	}
-	if *c.version == tls.VersionTLS13 {
-		buffer.FreeBytes()[0] = 23
-		binary.BigEndian.PutUint16(outBuf[3:], uint16(dataLen+1+c.cipher.Overhead()))
-		c.cipher.Seal(outBuf, nonce, outBuf[recordHeaderLen:recordHeaderLen+c.explicitNonceLen+dataLen+1], outBuf[:recordHeaderLen])
-		buffer.Extend(1 + c.cipher.Overhead())
-	} else {
-		binary.BigEndian.PutUint16(outBuf[3:], uint16(dataLen))
-		additionalData := append(c.halfScratchBuf[:0], c.halfSeq...)
-		additionalData = append(additionalData, outBuf[:recordHeaderLen]...)
-		c.cipher.Seal(outBuf, nonce, dataBytes, additionalData)
-		buffer.Extend(c.cipher.Overhead())
-		binary.BigEndian.PutUint16(outBuf[3:], uint16(dataLen+c.explicitNonceLen+c.cipher.Overhead()))
-	}
-	incSeq(c.halfPtr)
-	log.Trace("badtls write ", buffer.Len())
-	return c.writer.WriteBuffer(buffer)
-}
-
-func (c *Conn) FrontHeadroom() int {
-	return recordHeaderLen + c.explicitNonceLen
-}
-
-func (c *Conn) RearHeadroom() int {
-	return 1 + c.cipher.Overhead()
-}
-
-func (c *Conn) WriterMTU() int {
-	return maxPlaintext
-}
-
-func (c *Conn) Upstream() any {
-	return c.Conn
-}
-
-func (c *Conn) UpstreamWriter() any {
-	return c.NetConn()
-}
--- a/common/badtls/badtls_stub.go
+++ b/common/badtls/badtls_stub.go
@@ -1,14 +0,0 @@
-//go:build !go1.19 || go1.21
-
-package badtls
-
-import (
-	"crypto/tls"
-	"os"
-
-	aTLS "github.com/sagernet/sing/common/tls"
-)
-
-func Create(conn *tls.Conn) (aTLS.Conn, error) {
-	return nil, os.ErrInvalid
-}
--- a/common/badtls/link.go
+++ b/common/badtls/link.go
@@ -1,22 +0,0 @@
-//go:build go1.20 && !go.1.21
-
-package badtls
-
-import (
-	"reflect"
-	_ "unsafe"
-)
-
-const (
-	maxPlaintext    = 16384 // maximum plaintext payload length
-	recordHeaderLen = 5     // record header length
-)
-
-//go:linkname errShutdown crypto/tls.errShutdown
-var errShutdown error
-
-//go:linkname incSeq crypto/tls.(*halfConn).incSeq
-func incSeq(conn uintptr)
-
-//go:linkname valueInterface reflect.valueInterface
-func valueInterface(v reflect.Value, safe bool) any
--- a/common/badtls/read_wait.go
+++ b/common/badtls/read_wait.go
@@ -0,0 +1,115 @@
+//go:build go1.21 && !without_badtls
+
+package badtls
+
+import (
+	"bytes"
+	"os"
+	"reflect"
+	"sync"
+	"unsafe"
+
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/tls"
+)
+
+var _ N.ReadWaiter = (*ReadWaitConn)(nil)
+
+type ReadWaitConn struct {
+	*tls.STDConn
+	halfAccess      *sync.Mutex
+	rawInput        *bytes.Buffer
+	input           *bytes.Reader
+	hand            *bytes.Buffer
+	readWaitOptions N.ReadWaitOptions
+}
+
+func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
+	stdConn, isSTDConn := conn.(*tls.STDConn)
+	if !isSTDConn {
+		return nil, os.ErrInvalid
+	}
+	rawConn := reflect.Indirect(reflect.ValueOf(stdConn))
+	rawHalfConn := rawConn.FieldByName("in")
+	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid half conn")
+	}
+	rawHalfMutex := rawHalfConn.FieldByName("Mutex")
+	if !rawHalfMutex.IsValid() || rawHalfMutex.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid half mutex")
+	}
+	halfAccess := (*sync.Mutex)(unsafe.Pointer(rawHalfMutex.UnsafeAddr()))
+	rawRawInput := rawConn.FieldByName("rawInput")
+	if !rawRawInput.IsValid() || rawRawInput.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid raw input")
+	}
+	rawInput := (*bytes.Buffer)(unsafe.Pointer(rawRawInput.UnsafeAddr()))
+	rawInput0 := rawConn.FieldByName("input")
+	if !rawInput0.IsValid() || rawInput0.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid input")
+	}
+	input := (*bytes.Reader)(unsafe.Pointer(rawInput0.UnsafeAddr()))
+	rawHand := rawConn.FieldByName("hand")
+	if !rawHand.IsValid() || rawHand.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid hand")
+	}
+	hand := (*bytes.Buffer)(unsafe.Pointer(rawHand.UnsafeAddr()))
+	return &ReadWaitConn{
+		STDConn:    stdConn,
+		halfAccess: halfAccess,
+		rawInput:   rawInput,
+		input:      input,
+		hand:       hand,
+	}, nil
+}
+
+func (c *ReadWaitConn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy bool) {
+	c.readWaitOptions = options
+	return false
+}
+
+func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
+	err = c.Handshake()
+	if err != nil {
+		return
+	}
+	c.halfAccess.Lock()
+	defer c.halfAccess.Unlock()
+	for c.input.Len() == 0 {
+		err = tlsReadRecord(c.STDConn)
+		if err != nil {
+			return
+		}
+		for c.hand.Len() > 0 {
+			err = tlsHandlePostHandshakeMessage(c.STDConn)
+			if err != nil {
+				return
+			}
+		}
+	}
+	buffer = c.readWaitOptions.NewBuffer()
+	n, err := c.input.Read(buffer.FreeBytes())
+	if err != nil {
+		buffer.Release()
+		return
+	}
+	buffer.Truncate(n)
+
+	if n != 0 && c.input.Len() == 0 && c.rawInput.Len() > 0 &&
+		// recordType(c.rawInput.Bytes()[0]) == recordTypeAlert {
+		c.rawInput.Bytes()[0] == 21 {
+		_ = tlsReadRecord(c.STDConn)
+		// return n, err // will be io.EOF on closeNotify
+	}
+
+	c.readWaitOptions.PostReturn(buffer)
+	return
+}
+
+//go:linkname tlsReadRecord crypto/tls.(*Conn).readRecord
+func tlsReadRecord(c *tls.STDConn) error
+
+//go:linkname tlsHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
+func tlsHandlePostHandshakeMessage(c *tls.STDConn) error
--- a/common/badtls/read_wait_stub.go
+++ b/common/badtls/read_wait_stub.go
@@ -0,0 +1,13 @@
+//go:build !go1.21 || without_badtls
+
+package badtls
+
+import (
+	"os"
+
+	"github.com/sagernet/sing/common/tls"
+)
+
+func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
+	return nil, os.ErrInvalid
+}
--- a/common/badversion/version_json.go
+++ b/common/badversion/version_json.go
@@ -1,6 +1,6 @@
 package badversion

-import "github.com/sagernet/sing-box/common/json"
+import "github.com/sagernet/sing/common/json"

 func (v Version) MarshalJSON() ([]byte, error) {
 	return json.Marshal(v.String())
--- a/common/contextjson/README.md
+++ b/common/contextjson/README.md
@@ -1,3 +0,0 @@
-# contextjson
-
-mod from go1.21.4
--- a/common/contextjson/decode.go
+++ b/common/contextjson/decode.go
--- a/common/contextjson/decode_context.go
+++ b/common/contextjson/decode_context.go
@@ -1,49 +0,0 @@
-package json
-
-import "strconv"
-
-type decodeContext struct {
-	parent *decodeContext
-	index  int
-	key    string
-}
-
-func (d *decodeState) formatContext() string {
-	var description string
-	context := d.context
-	var appendDot bool
-	for context != nil {
-		if appendDot {
-			description = "." + description
-		}
-		if context.key != "" {
-			description = context.key + description
-			appendDot = true
-		} else {
-			description = "[" + strconv.Itoa(context.index) + "]" + description
-			appendDot = false
-		}
-		context = context.parent
-	}
-	return description
-}
-
-type contextError struct {
-	parent  error
-	context string
-	index   bool
-}
-
-func (c *contextError) Unwrap() error {
-	return c.parent
-}
-
-func (c *contextError) Error() string {
-	//goland:noinspection GoTypeAssertionOnErrors
-	switch c.parent.(type) {
-	case *contextError:
-		return c.context + "." + c.parent.Error()
-	default:
-		return c.context + ": " + c.parent.Error()
-	}
-}
--- a/common/contextjson/encode.go
+++ b/common/contextjson/encode.go
--- a/common/contextjson/fold.go
+++ b/common/contextjson/fold.go
@@ -1,48 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"unicode"
-	"unicode/utf8"
-)
-
-// foldName returns a folded string such that foldName(x) == foldName(y)
-// is identical to bytes.EqualFold(x, y).
-func foldName(in []byte) []byte {
-	// This is inlinable to take advantage of "function outlining".
-	var arr [32]byte // large enough for most JSON names
-	return appendFoldedName(arr[:0], in)
-}
-
-func appendFoldedName(out, in []byte) []byte {
-	for i := 0; i < len(in); {
-		// Handle single-byte ASCII.
-		if c := in[i]; c < utf8.RuneSelf {
-			if 'a' <= c && c <= 'z' {
-				c -= 'a' - 'A'
-			}
-			out = append(out, c)
-			i++
-			continue
-		}
-		// Handle multi-byte Unicode.
-		r, n := utf8.DecodeRune(in[i:])
-		out = utf8.AppendRune(out, foldRune(r))
-		i += n
-	}
-	return out
-}
-
-// foldRune is returns the smallest rune for all runes in the same fold set.
-func foldRune(r rune) rune {
-	for {
-		r2 := unicode.SimpleFold(r)
-		if r2 <= r {
-			return r2
-		}
-		r = r2
-	}
-}
--- a/common/contextjson/indent.go
+++ b/common/contextjson/indent.go
@@ -1,174 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import "bytes"
-
-// HTMLEscape appends to dst the JSON-encoded src with <, >, &, U+2028 and U+2029
-// characters inside string literals changed to \u003c, \u003e, \u0026, \u2028, \u2029
-// so that the JSON will be safe to embed inside HTML <script> tags.
-// For historical reasons, web browsers don't honor standard HTML
-// escaping within <script> tags, so an alternative JSON encoding must be used.
-func HTMLEscape(dst *bytes.Buffer, src []byte) {
-	dst.Grow(len(src))
-	dst.Write(appendHTMLEscape(dst.AvailableBuffer(), src))
-}
-
-func appendHTMLEscape(dst, src []byte) []byte {
-	// The characters can only appear in string literals,
-	// so just scan the string one byte at a time.
-	start := 0
-	for i, c := range src {
-		if c == '<' || c == '>' || c == '&' {
-			dst = append(dst, src[start:i]...)
-			dst = append(dst, '\\', 'u', '0', '0', hex[c>>4], hex[c&0xF])
-			start = i + 1
-		}
-		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
-		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
-			dst = append(dst, src[start:i]...)
-			dst = append(dst, '\\', 'u', '2', '0', '2', hex[src[i+2]&0xF])
-			start = i + len("\u2029")
-		}
-	}
-	return append(dst, src[start:]...)
-}
-
-// Compact appends to dst the JSON-encoded src with
-// insignificant space characters elided.
-func Compact(dst *bytes.Buffer, src []byte) error {
-	dst.Grow(len(src))
-	b := dst.AvailableBuffer()
-	b, err := appendCompact(b, src, false)
-	dst.Write(b)
-	return err
-}
-
-func appendCompact(dst, src []byte, escape bool) ([]byte, error) {
-	origLen := len(dst)
-	scan := newScanner()
-	defer freeScanner(scan)
-	start := 0
-	for i, c := range src {
-		if escape && (c == '<' || c == '>' || c == '&') {
-			dst = append(dst, src[start:i]...)
-			dst = append(dst, '\\', 'u', '0', '0', hex[c>>4], hex[c&0xF])
-			start = i + 1
-		}
-		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
-		if escape && c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
-			dst = append(dst, src[start:i]...)
-			dst = append(dst, '\\', 'u', '2', '0', '2', hex[src[i+2]&0xF])
-			start = i + len("\u2029")
-		}
-		v := scan.step(scan, c)
-		if v >= scanSkipSpace {
-			if v == scanError {
-				break
-			}
-			dst = append(dst, src[start:i]...)
-			start = i + 1
-		}
-	}
-	if scan.eof() == scanError {
-		return dst[:origLen], scan.err
-	}
-	dst = append(dst, src[start:]...)
-	return dst, nil
-}
-
-func appendNewline(dst []byte, prefix, indent string, depth int) []byte {
-	dst = append(dst, '\n')
-	dst = append(dst, prefix...)
-	for i := 0; i < depth; i++ {
-		dst = append(dst, indent...)
-	}
-	return dst
-}
-
-// indentGrowthFactor specifies the growth factor of indenting JSON input.
-// Empirically, the growth factor was measured to be between 1.4x to 1.8x
-// for some set of compacted JSON with the indent being a single tab.
-// Specify a growth factor slightly larger than what is observed
-// to reduce probability of allocation in appendIndent.
-// A factor no higher than 2 ensures that wasted space never exceeds 50%.
-const indentGrowthFactor = 2
-
-// Indent appends to dst an indented form of the JSON-encoded src.
-// Each element in a JSON object or array begins on a new,
-// indented line beginning with prefix followed by one or more
-// copies of indent according to the indentation nesting.
-// The data appended to dst does not begin with the prefix nor
-// any indentation, to make it easier to embed inside other formatted JSON data.
-// Although leading space characters (space, tab, carriage return, newline)
-// at the beginning of src are dropped, trailing space characters
-// at the end of src are preserved and copied to dst.
-// For example, if src has no trailing spaces, neither will dst;
-// if src ends in a trailing newline, so will dst.
-func Indent(dst *bytes.Buffer, src []byte, prefix, indent string) error {
-	dst.Grow(indentGrowthFactor * len(src))
-	b := dst.AvailableBuffer()
-	b, err := appendIndent(b, src, prefix, indent)
-	dst.Write(b)
-	return err
-}
-
-func appendIndent(dst, src []byte, prefix, indent string) ([]byte, error) {
-	origLen := len(dst)
-	scan := newScanner()
-	defer freeScanner(scan)
-	needIndent := false
-	depth := 0
-	for _, c := range src {
-		scan.bytes++
-		v := scan.step(scan, c)
-		if v == scanSkipSpace {
-			continue
-		}
-		if v == scanError {
-			break
-		}
-		if needIndent && v != scanEndObject && v != scanEndArray {
-			needIndent = false
-			depth++
-			dst = appendNewline(dst, prefix, indent, depth)
-		}
-
-		// Emit semantically uninteresting bytes
-		// (in particular, punctuation in strings) unmodified.
-		if v == scanContinue {
-			dst = append(dst, c)
-			continue
-		}
-
-		// Add spacing around real punctuation.
-		switch c {
-		case '{', '[':
-			// delay indent so that empty object and array are formatted as {} and [].
-			needIndent = true
-			dst = append(dst, c)
-		case ',':
-			dst = append(dst, c)
-			dst = appendNewline(dst, prefix, indent, depth)
-		case ':':
-			dst = append(dst, c, ' ')
-		case '}', ']':
-			if needIndent {
-				// suppress indent in empty object/array
-				needIndent = false
-			} else {
-				depth--
-				dst = appendNewline(dst, prefix, indent, depth)
-			}
-			dst = append(dst, c)
-		default:
-			dst = append(dst, c)
-		}
-	}
-	if scan.eof() == scanError {
-		return dst[:origLen], scan.err
-	}
-	return dst, nil
-}
--- a/common/contextjson/scanner.go
+++ b/common/contextjson/scanner.go
@@ -1,610 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-// JSON value parser state machine.
-// Just about at the limit of what is reasonable to write by hand.
-// Some parts are a bit tedious, but overall it nicely factors out the
-// otherwise common code from the multiple scanning functions
-// in this package (Compact, Indent, checkValid, etc).
-//
-// This file starts with two simple examples using the scanner
-// before diving into the scanner itself.
-
-import (
-	"strconv"
-	"sync"
-)
-
-// Valid reports whether data is a valid JSON encoding.
-func Valid(data []byte) bool {
-	scan := newScanner()
-	defer freeScanner(scan)
-	return checkValid(data, scan) == nil
-}
-
-// checkValid verifies that data is valid JSON-encoded data.
-// scan is passed in for use by checkValid to avoid an allocation.
-// checkValid returns nil or a SyntaxError.
-func checkValid(data []byte, scan *scanner) error {
-	scan.reset()
-	for _, c := range data {
-		scan.bytes++
-		if scan.step(scan, c) == scanError {
-			return scan.err
-		}
-	}
-	if scan.eof() == scanError {
-		return scan.err
-	}
-	return nil
-}
-
-// A SyntaxError is a description of a JSON syntax error.
-// Unmarshal will return a SyntaxError if the JSON can't be parsed.
-type SyntaxError struct {
-	msg    string // description of error
-	Offset int64  // error occurred after reading Offset bytes
-}
-
-func (e *SyntaxError) Error() string { return e.msg }
-
-// A scanner is a JSON scanning state machine.
-// Callers call scan.reset and then pass bytes in one at a time
-// by calling scan.step(&scan, c) for each byte.
-// The return value, referred to as an opcode, tells the
-// caller about significant parsing events like beginning
-// and ending literals, objects, and arrays, so that the
-// caller can follow along if it wishes.
-// The return value scanEnd indicates that a single top-level
-// JSON value has been completed, *before* the byte that
-// just got passed in.  (The indication must be delayed in order
-// to recognize the end of numbers: is 123 a whole value or
-// the beginning of 12345e+6?).
-type scanner struct {
-	// The step is a func to be called to execute the next transition.
-	// Also tried using an integer constant and a single func
-	// with a switch, but using the func directly was 10% faster
-	// on a 64-bit Mac Mini, and it's nicer to read.
-	step func(*scanner, byte) int
-
-	// Reached end of top-level value.
-	endTop bool
-
-	// Stack of what we're in the middle of - array values, object keys, object values.
-	parseState []int
-
-	// Error that happened, if any.
-	err error
-
-	// total bytes consumed, updated by decoder.Decode (and deliberately
-	// not set to zero by scan.reset)
-	bytes int64
-}
-
-var scannerPool = sync.Pool{
-	New: func() any {
-		return &scanner{}
-	},
-}
-
-func newScanner() *scanner {
-	scan := scannerPool.Get().(*scanner)
-	// scan.reset by design doesn't set bytes to zero
-	scan.bytes = 0
-	scan.reset()
-	return scan
-}
-
-func freeScanner(scan *scanner) {
-	// Avoid hanging on to too much memory in extreme cases.
-	if len(scan.parseState) > 1024 {
-		scan.parseState = nil
-	}
-	scannerPool.Put(scan)
-}
-
-// These values are returned by the state transition functions
-// assigned to scanner.state and the method scanner.eof.
-// They give details about the current state of the scan that
-// callers might be interested to know about.
-// It is okay to ignore the return value of any particular
-// call to scanner.state: if one call returns scanError,
-// every subsequent call will return scanError too.
-const (
-	// Continue.
-	scanContinue     = iota // uninteresting byte
-	scanBeginLiteral        // end implied by next result != scanContinue
-	scanBeginObject         // begin object
-	scanObjectKey           // just finished object key (string)
-	scanObjectValue         // just finished non-last object value
-	scanEndObject           // end object (implies scanObjectValue if possible)
-	scanBeginArray          // begin array
-	scanArrayValue          // just finished array value
-	scanEndArray            // end array (implies scanArrayValue if possible)
-	scanSkipSpace           // space byte; can skip; known to be last "continue" result
-
-	// Stop.
-	scanEnd   // top-level value ended *before* this byte; known to be first "stop" result
-	scanError // hit an error, scanner.err.
-)
-
-// These values are stored in the parseState stack.
-// They give the current state of a composite value
-// being scanned. If the parser is inside a nested value
-// the parseState describes the nested state, outermost at entry 0.
-const (
-	parseObjectKey   = iota // parsing object key (before colon)
-	parseObjectValue        // parsing object value (after colon)
-	parseArrayValue         // parsing array value
-)
-
-// This limits the max nesting depth to prevent stack overflow.
-// This is permitted by https://tools.ietf.org/html/rfc7159#section-9
-const maxNestingDepth = 10000
-
-// reset prepares the scanner for use.
-// It must be called before calling s.step.
-func (s *scanner) reset() {
-	s.step = stateBeginValue
-	s.parseState = s.parseState[0:0]
-	s.err = nil
-	s.endTop = false
-}
-
-// eof tells the scanner that the end of input has been reached.
-// It returns a scan status just as s.step does.
-func (s *scanner) eof() int {
-	if s.err != nil {
-		return scanError
-	}
-	if s.endTop {
-		return scanEnd
-	}
-	s.step(s, ' ')
-	if s.endTop {
-		return scanEnd
-	}
-	if s.err == nil {
-		s.err = &SyntaxError{"unexpected end of JSON input", s.bytes}
-	}
-	return scanError
-}
-
-// pushParseState pushes a new parse state p onto the parse stack.
-// an error state is returned if maxNestingDepth was exceeded, otherwise successState is returned.
-func (s *scanner) pushParseState(c byte, newParseState int, successState int) int {
-	s.parseState = append(s.parseState, newParseState)
-	if len(s.parseState) <= maxNestingDepth {
-		return successState
-	}
-	return s.error(c, "exceeded max depth")
-}
-
-// popParseState pops a parse state (already obtained) off the stack
-// and updates s.step accordingly.
-func (s *scanner) popParseState() {
-	n := len(s.parseState) - 1
-	s.parseState = s.parseState[0:n]
-	if n == 0 {
-		s.step = stateEndTop
-		s.endTop = true
-	} else {
-		s.step = stateEndValue
-	}
-}
-
-func isSpace(c byte) bool {
-	return c <= ' ' && (c == ' ' || c == '\t' || c == '\r' || c == '\n')
-}
-
-// stateBeginValueOrEmpty is the state after reading `[`.
-func stateBeginValueOrEmpty(s *scanner, c byte) int {
-	if isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == ']' {
-		return stateEndValue(s, c)
-	}
-	return stateBeginValue(s, c)
-}
-
-// stateBeginValue is the state at the beginning of the input.
-func stateBeginValue(s *scanner, c byte) int {
-	if isSpace(c) {
-		return scanSkipSpace
-	}
-	switch c {
-	case '{':
-		s.step = stateBeginStringOrEmpty
-		return s.pushParseState(c, parseObjectKey, scanBeginObject)
-	case '[':
-		s.step = stateBeginValueOrEmpty
-		return s.pushParseState(c, parseArrayValue, scanBeginArray)
-	case '"':
-		s.step = stateInString
-		return scanBeginLiteral
-	case '-':
-		s.step = stateNeg
-		return scanBeginLiteral
-	case '0': // beginning of 0.123
-		s.step = state0
-		return scanBeginLiteral
-	case 't': // beginning of true
-		s.step = stateT
-		return scanBeginLiteral
-	case 'f': // beginning of false
-		s.step = stateF
-		return scanBeginLiteral
-	case 'n': // beginning of null
-		s.step = stateN
-		return scanBeginLiteral
-	}
-	if '1' <= c && c <= '9' { // beginning of 1234.5
-		s.step = state1
-		return scanBeginLiteral
-	}
-	return s.error(c, "looking for beginning of value")
-}
-
-// stateBeginStringOrEmpty is the state after reading `{`.
-func stateBeginStringOrEmpty(s *scanner, c byte) int {
-	if isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == '}' {
-		n := len(s.parseState)
-		s.parseState[n-1] = parseObjectValue
-		return stateEndValue(s, c)
-	}
-	return stateBeginString(s, c)
-}
-
-// stateBeginString is the state after reading `{"key": value,`.
-func stateBeginString(s *scanner, c byte) int {
-	if isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == '"' {
-		s.step = stateInString
-		return scanBeginLiteral
-	}
-	return s.error(c, "looking for beginning of object key string")
-}
-
-// stateEndValue is the state after completing a value,
-// such as after reading `{}` or `true` or `["x"`.
-func stateEndValue(s *scanner, c byte) int {
-	n := len(s.parseState)
-	if n == 0 {
-		// Completed top-level before the current byte.
-		s.step = stateEndTop
-		s.endTop = true
-		return stateEndTop(s, c)
-	}
-	if isSpace(c) {
-		s.step = stateEndValue
-		return scanSkipSpace
-	}
-	ps := s.parseState[n-1]
-	switch ps {
-	case parseObjectKey:
-		if c == ':' {
-			s.parseState[n-1] = parseObjectValue
-			s.step = stateBeginValue
-			return scanObjectKey
-		}
-		return s.error(c, "after object key")
-	case parseObjectValue:
-		if c == ',' {
-			s.parseState[n-1] = parseObjectKey
-			s.step = stateBeginString
-			return scanObjectValue
-		}
-		if c == '}' {
-			s.popParseState()
-			return scanEndObject
-		}
-		return s.error(c, "after object key:value pair")
-	case parseArrayValue:
-		if c == ',' {
-			s.step = stateBeginValue
-			return scanArrayValue
-		}
-		if c == ']' {
-			s.popParseState()
-			return scanEndArray
-		}
-		return s.error(c, "after array element")
-	}
-	return s.error(c, "")
-}
-
-// stateEndTop is the state after finishing the top-level value,
-// such as after reading `{}` or `[1,2,3]`.
-// Only space characters should be seen now.
-func stateEndTop(s *scanner, c byte) int {
-	if !isSpace(c) {
-		// Complain about non-space byte on next call.
-		s.error(c, "after top-level value")
-	}
-	return scanEnd
-}
-
-// stateInString is the state after reading `"`.
-func stateInString(s *scanner, c byte) int {
-	if c == '"' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	if c == '\\' {
-		s.step = stateInStringEsc
-		return scanContinue
-	}
-	if c < 0x20 {
-		return s.error(c, "in string literal")
-	}
-	return scanContinue
-}
-
-// stateInStringEsc is the state after reading `"\` during a quoted string.
-func stateInStringEsc(s *scanner, c byte) int {
-	switch c {
-	case 'b', 'f', 'n', 'r', 't', '\\', '/', '"':
-		s.step = stateInString
-		return scanContinue
-	case 'u':
-		s.step = stateInStringEscU
-		return scanContinue
-	}
-	return s.error(c, "in string escape code")
-}
-
-// stateInStringEscU is the state after reading `"\u` during a quoted string.
-func stateInStringEscU(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU1
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU1 is the state after reading `"\u1` during a quoted string.
-func stateInStringEscU1(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU12
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU12 is the state after reading `"\u12` during a quoted string.
-func stateInStringEscU12(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU123
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU123 is the state after reading `"\u123` during a quoted string.
-func stateInStringEscU123(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInString
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateNeg is the state after reading `-` during a number.
-func stateNeg(s *scanner, c byte) int {
-	if c == '0' {
-		s.step = state0
-		return scanContinue
-	}
-	if '1' <= c && c <= '9' {
-		s.step = state1
-		return scanContinue
-	}
-	return s.error(c, "in numeric literal")
-}
-
-// state1 is the state after reading a non-zero integer during a number,
-// such as after reading `1` or `100` but not `0`.
-func state1(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = state1
-		return scanContinue
-	}
-	return state0(s, c)
-}
-
-// state0 is the state after reading `0` during a number.
-func state0(s *scanner, c byte) int {
-	if c == '.' {
-		s.step = stateDot
-		return scanContinue
-	}
-	if c == 'e' || c == 'E' {
-		s.step = stateE
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateDot is the state after reading the integer and decimal point in a number,
-// such as after reading `1.`.
-func stateDot(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateDot0
-		return scanContinue
-	}
-	return s.error(c, "after decimal point in numeric literal")
-}
-
-// stateDot0 is the state after reading the integer, decimal point, and subsequent
-// digits of a number, such as after reading `3.14`.
-func stateDot0(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		return scanContinue
-	}
-	if c == 'e' || c == 'E' {
-		s.step = stateE
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateE is the state after reading the mantissa and e in a number,
-// such as after reading `314e` or `0.314e`.
-func stateE(s *scanner, c byte) int {
-	if c == '+' || c == '-' {
-		s.step = stateESign
-		return scanContinue
-	}
-	return stateESign(s, c)
-}
-
-// stateESign is the state after reading the mantissa, e, and sign in a number,
-// such as after reading `314e-` or `0.314e+`.
-func stateESign(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateE0
-		return scanContinue
-	}
-	return s.error(c, "in exponent of numeric literal")
-}
-
-// stateE0 is the state after reading the mantissa, e, optional sign,
-// and at least one digit of the exponent in a number,
-// such as after reading `314e-2` or `0.314e+1` or `3.14e0`.
-func stateE0(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateT is the state after reading `t`.
-func stateT(s *scanner, c byte) int {
-	if c == 'r' {
-		s.step = stateTr
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'r')")
-}
-
-// stateTr is the state after reading `tr`.
-func stateTr(s *scanner, c byte) int {
-	if c == 'u' {
-		s.step = stateTru
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'u')")
-}
-
-// stateTru is the state after reading `tru`.
-func stateTru(s *scanner, c byte) int {
-	if c == 'e' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'e')")
-}
-
-// stateF is the state after reading `f`.
-func stateF(s *scanner, c byte) int {
-	if c == 'a' {
-		s.step = stateFa
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'a')")
-}
-
-// stateFa is the state after reading `fa`.
-func stateFa(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateFal
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'l')")
-}
-
-// stateFal is the state after reading `fal`.
-func stateFal(s *scanner, c byte) int {
-	if c == 's' {
-		s.step = stateFals
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 's')")
-}
-
-// stateFals is the state after reading `fals`.
-func stateFals(s *scanner, c byte) int {
-	if c == 'e' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'e')")
-}
-
-// stateN is the state after reading `n`.
-func stateN(s *scanner, c byte) int {
-	if c == 'u' {
-		s.step = stateNu
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'u')")
-}
-
-// stateNu is the state after reading `nu`.
-func stateNu(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateNul
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateNul is the state after reading `nul`.
-func stateNul(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateError is the state after reaching a syntax error,
-// such as after reading `[1}` or `5.1.2`.
-func stateError(s *scanner, c byte) int {
-	return scanError
-}
-
-// error records an error and switches to the error state.
-func (s *scanner) error(c byte, context string) int {
-	s.step = stateError
-	s.err = &SyntaxError{"invalid character " + quoteChar(c) + " " + context, s.bytes}
-	return scanError
-}
-
-// quoteChar formats c as a quoted character literal.
-func quoteChar(c byte) string {
-	// special cases - different from quoted strings
-	if c == '\'' {
-		return `'\''`
-	}
-	if c == '"' {
-		return `'"'`
-	}
-
-	// use quoted string with different quotation marks
-	s := strconv.Quote(string(c))
-	return "'" + s[1:len(s)-1] + "'"
-}
--- a/common/contextjson/stream.go
+++ b/common/contextjson/stream.go
@@ -1,513 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"bytes"
-	"errors"
-	"io"
-)
-
-// A Decoder reads and decodes JSON values from an input stream.
-type Decoder struct {
-	r       io.Reader
-	buf     []byte
-	d       decodeState
-	scanp   int   // start of unread data in buf
-	scanned int64 // amount of data already scanned
-	scan    scanner
-	err     error
-
-	tokenState int
-	tokenStack []int
-}
-
-// NewDecoder returns a new decoder that reads from r.
-//
-// The decoder introduces its own buffering and may
-// read data from r beyond the JSON values requested.
-func NewDecoder(r io.Reader) *Decoder {
-	return &Decoder{r: r}
-}
-
-// UseNumber causes the Decoder to unmarshal a number into an interface{} as a
-// Number instead of as a float64.
-func (dec *Decoder) UseNumber() { dec.d.useNumber = true }
-
-// DisallowUnknownFields causes the Decoder to return an error when the destination
-// is a struct and the input contains object keys which do not match any
-// non-ignored, exported fields in the destination.
-func (dec *Decoder) DisallowUnknownFields() { dec.d.disallowUnknownFields = true }
-
-// Decode reads the next JSON-encoded value from its
-// input and stores it in the value pointed to by v.
-//
-// See the documentation for Unmarshal for details about
-// the conversion of JSON into a Go value.
-func (dec *Decoder) Decode(v any) error {
-	if dec.err != nil {
-		return dec.err
-	}
-
-	if err := dec.tokenPrepareForDecode(); err != nil {
-		return err
-	}
-
-	if !dec.tokenValueAllowed() {
-		return &SyntaxError{msg: "not at beginning of value", Offset: dec.InputOffset()}
-	}
-
-	// Read whole value into buffer.
-	n, err := dec.readValue()
-	if err != nil {
-		return err
-	}
-	dec.d.init(dec.buf[dec.scanp : dec.scanp+n])
-	dec.scanp += n
-
-	// Don't save err from unmarshal into dec.err:
-	// the connection is still usable since we read a complete JSON
-	// object from it before the error happened.
-	err = dec.d.unmarshal(v)
-
-	// fixup token streaming state
-	dec.tokenValueEnd()
-
-	return err
-}
-
-// Buffered returns a reader of the data remaining in the Decoder's
-// buffer. The reader is valid until the next call to Decode.
-func (dec *Decoder) Buffered() io.Reader {
-	return bytes.NewReader(dec.buf[dec.scanp:])
-}
-
-// readValue reads a JSON value into dec.buf.
-// It returns the length of the encoding.
-func (dec *Decoder) readValue() (int, error) {
-	dec.scan.reset()
-
-	scanp := dec.scanp
-	var err error
-Input:
-	// help the compiler see that scanp is never negative, so it can remove
-	// some bounds checks below.
-	for scanp >= 0 {
-
-		// Look in the buffer for a new value.
-		for ; scanp < len(dec.buf); scanp++ {
-			c := dec.buf[scanp]
-			dec.scan.bytes++
-			switch dec.scan.step(&dec.scan, c) {
-			case scanEnd:
-				// scanEnd is delayed one byte so we decrement
-				// the scanner bytes count by 1 to ensure that
-				// this value is correct in the next call of Decode.
-				dec.scan.bytes--
-				break Input
-			case scanEndObject, scanEndArray:
-				// scanEnd is delayed one byte.
-				// We might block trying to get that byte from src,
-				// so instead invent a space byte.
-				if stateEndValue(&dec.scan, ' ') == scanEnd {
-					scanp++
-					break Input
-				}
-			case scanError:
-				dec.err = dec.scan.err
-				return 0, dec.scan.err
-			}
-		}
-
-		// Did the last read have an error?
-		// Delayed until now to allow buffer scan.
-		if err != nil {
-			if err == io.EOF {
-				if dec.scan.step(&dec.scan, ' ') == scanEnd {
-					break Input
-				}
-				if nonSpace(dec.buf) {
-					err = io.ErrUnexpectedEOF
-				}
-			}
-			dec.err = err
-			return 0, err
-		}
-
-		n := scanp - dec.scanp
-		err = dec.refill()
-		scanp = dec.scanp + n
-	}
-	return scanp - dec.scanp, nil
-}
-
-func (dec *Decoder) refill() error {
-	// Make room to read more into the buffer.
-	// First slide down data already consumed.
-	if dec.scanp > 0 {
-		dec.scanned += int64(dec.scanp)
-		n := copy(dec.buf, dec.buf[dec.scanp:])
-		dec.buf = dec.buf[:n]
-		dec.scanp = 0
-	}
-
-	// Grow buffer if not large enough.
-	const minRead = 512
-	if cap(dec.buf)-len(dec.buf) < minRead {
-		newBuf := make([]byte, len(dec.buf), 2*cap(dec.buf)+minRead)
-		copy(newBuf, dec.buf)
-		dec.buf = newBuf
-	}
-
-	// Read. Delay error for next iteration (after scan).
-	n, err := dec.r.Read(dec.buf[len(dec.buf):cap(dec.buf)])
-	dec.buf = dec.buf[0 : len(dec.buf)+n]
-
-	return err
-}
-
-func nonSpace(b []byte) bool {
-	for _, c := range b {
-		if !isSpace(c) {
-			return true
-		}
-	}
-	return false
-}
-
-// An Encoder writes JSON values to an output stream.
-type Encoder struct {
-	w          io.Writer
-	err        error
-	escapeHTML bool
-
-	indentBuf    []byte
-	indentPrefix string
-	indentValue  string
-}
-
-// NewEncoder returns a new encoder that writes to w.
-func NewEncoder(w io.Writer) *Encoder {
-	return &Encoder{w: w, escapeHTML: true}
-}
-
-// Encode writes the JSON encoding of v to the stream,
-// followed by a newline character.
-//
-// See the documentation for Marshal for details about the
-// conversion of Go values to JSON.
-func (enc *Encoder) Encode(v any) error {
-	if enc.err != nil {
-		return enc.err
-	}
-
-	e := newEncodeState()
-	defer encodeStatePool.Put(e)
-
-	err := e.marshal(v, encOpts{escapeHTML: enc.escapeHTML})
-	if err != nil {
-		return err
-	}
-
-	// Terminate each value with a newline.
-	// This makes the output look a little nicer
-	// when debugging, and some kind of space
-	// is required if the encoded value was a number,
-	// so that the reader knows there aren't more
-	// digits coming.
-	e.WriteByte('\n')
-
-	b := e.Bytes()
-	if enc.indentPrefix != "" || enc.indentValue != "" {
-		enc.indentBuf, err = appendIndent(enc.indentBuf[:0], b, enc.indentPrefix, enc.indentValue)
-		if err != nil {
-			return err
-		}
-		b = enc.indentBuf
-	}
-	if _, err = enc.w.Write(b); err != nil {
-		enc.err = err
-	}
-	return err
-}
-
-// SetIndent instructs the encoder to format each subsequent encoded
-// value as if indented by the package-level function Indent(dst, src, prefix, indent).
-// Calling SetIndent("", "") disables indentation.
-func (enc *Encoder) SetIndent(prefix, indent string) {
-	enc.indentPrefix = prefix
-	enc.indentValue = indent
-}
-
-// SetEscapeHTML specifies whether problematic HTML characters
-// should be escaped inside JSON quoted strings.
-// The default behavior is to escape &, <, and > to \u0026, \u003c, and \u003e
-// to avoid certain safety problems that can arise when embedding JSON in HTML.
-//
-// In non-HTML settings where the escaping interferes with the readability
-// of the output, SetEscapeHTML(false) disables this behavior.
-func (enc *Encoder) SetEscapeHTML(on bool) {
-	enc.escapeHTML = on
-}
-
-// RawMessage is a raw encoded JSON value.
-// It implements Marshaler and Unmarshaler and can
-// be used to delay JSON decoding or precompute a JSON encoding.
-type RawMessage []byte
-
-// MarshalJSON returns m as the JSON encoding of m.
-func (m RawMessage) MarshalJSON() ([]byte, error) {
-	if m == nil {
-		return []byte("null"), nil
-	}
-	return m, nil
-}
-
-// UnmarshalJSON sets *m to a copy of data.
-func (m *RawMessage) UnmarshalJSON(data []byte) error {
-	if m == nil {
-		return errors.New("json.RawMessage: UnmarshalJSON on nil pointer")
-	}
-	*m = append((*m)[0:0], data...)
-	return nil
-}
-
-var (
-	_ Marshaler   = (*RawMessage)(nil)
-	_ Unmarshaler = (*RawMessage)(nil)
-)
-
-// A Token holds a value of one of these types:
-//
-//	Delim, for the four JSON delimiters [ ] { }
-//	bool, for JSON booleans
-//	float64, for JSON numbers
-//	Number, for JSON numbers
-//	string, for JSON string literals
-//	nil, for JSON null
-type Token any
-
-const (
-	tokenTopValue = iota
-	tokenArrayStart
-	tokenArrayValue
-	tokenArrayComma
-	tokenObjectStart
-	tokenObjectKey
-	tokenObjectColon
-	tokenObjectValue
-	tokenObjectComma
-)
-
-// advance tokenstate from a separator state to a value state
-func (dec *Decoder) tokenPrepareForDecode() error {
-	// Note: Not calling peek before switch, to avoid
-	// putting peek into the standard Decode path.
-	// peek is only called when using the Token API.
-	switch dec.tokenState {
-	case tokenArrayComma:
-		c, err := dec.peek()
-		if err != nil {
-			return err
-		}
-		if c != ',' {
-			return &SyntaxError{"expected comma after array element", dec.InputOffset()}
-		}
-		dec.scanp++
-		dec.tokenState = tokenArrayValue
-	case tokenObjectColon:
-		c, err := dec.peek()
-		if err != nil {
-			return err
-		}
-		if c != ':' {
-			return &SyntaxError{"expected colon after object key", dec.InputOffset()}
-		}
-		dec.scanp++
-		dec.tokenState = tokenObjectValue
-	}
-	return nil
-}
-
-func (dec *Decoder) tokenValueAllowed() bool {
-	switch dec.tokenState {
-	case tokenTopValue, tokenArrayStart, tokenArrayValue, tokenObjectValue:
-		return true
-	}
-	return false
-}
-
-func (dec *Decoder) tokenValueEnd() {
-	switch dec.tokenState {
-	case tokenArrayStart, tokenArrayValue:
-		dec.tokenState = tokenArrayComma
-	case tokenObjectValue:
-		dec.tokenState = tokenObjectComma
-	}
-}
-
-// A Delim is a JSON array or object delimiter, one of [ ] { or }.
-type Delim rune
-
-func (d Delim) String() string {
-	return string(d)
-}
-
-// Token returns the next JSON token in the input stream.
-// At the end of the input stream, Token returns nil, io.EOF.
-//
-// Token guarantees that the delimiters [ ] { } it returns are
-// properly nested and matched: if Token encounters an unexpected
-// delimiter in the input, it will return an error.
-//
-// The input stream consists of basic JSON values—bool, string,
-// number, and null—along with delimiters [ ] { } of type Delim
-// to mark the start and end of arrays and objects.
-// Commas and colons are elided.
-func (dec *Decoder) Token() (Token, error) {
-	for {
-		c, err := dec.peek()
-		if err != nil {
-			return nil, err
-		}
-		switch c {
-		case '[':
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
-			dec.tokenState = tokenArrayStart
-			return Delim('['), nil
-
-		case ']':
-			if dec.tokenState != tokenArrayStart && dec.tokenState != tokenArrayComma {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
-			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
-			dec.tokenValueEnd()
-			return Delim(']'), nil
-
-		case '{':
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
-			dec.tokenState = tokenObjectStart
-			return Delim('{'), nil
-
-		case '}':
-			if dec.tokenState != tokenObjectStart && dec.tokenState != tokenObjectComma {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
-			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
-			dec.tokenValueEnd()
-			return Delim('}'), nil
-
-		case ':':
-			if dec.tokenState != tokenObjectColon {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = tokenObjectValue
-			continue
-
-		case ',':
-			if dec.tokenState == tokenArrayComma {
-				dec.scanp++
-				dec.tokenState = tokenArrayValue
-				continue
-			}
-			if dec.tokenState == tokenObjectComma {
-				dec.scanp++
-				dec.tokenState = tokenObjectKey
-				continue
-			}
-			return dec.tokenError(c)
-
-		case '"':
-			if dec.tokenState == tokenObjectStart || dec.tokenState == tokenObjectKey {
-				var x string
-				old := dec.tokenState
-				dec.tokenState = tokenTopValue
-				err := dec.Decode(&x)
-				dec.tokenState = old
-				if err != nil {
-					return nil, err
-				}
-				dec.tokenState = tokenObjectColon
-				return x, nil
-			}
-			fallthrough
-
-		default:
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			var x any
-			if err := dec.Decode(&x); err != nil {
-				return nil, err
-			}
-			return x, nil
-		}
-	}
-}
-
-func (dec *Decoder) tokenError(c byte) (Token, error) {
-	var context string
-	switch dec.tokenState {
-	case tokenTopValue:
-		context = " looking for beginning of value"
-	case tokenArrayStart, tokenArrayValue, tokenObjectValue:
-		context = " looking for beginning of value"
-	case tokenArrayComma:
-		context = " after array element"
-	case tokenObjectKey:
-		context = " looking for beginning of object key string"
-	case tokenObjectColon:
-		context = " after object key"
-	case tokenObjectComma:
-		context = " after object key:value pair"
-	}
-	return nil, &SyntaxError{"invalid character " + quoteChar(c) + context, dec.InputOffset()}
-}
-
-// More reports whether there is another element in the
-// current array or object being parsed.
-func (dec *Decoder) More() bool {
-	c, err := dec.peek()
-	return err == nil && c != ']' && c != '}'
-}
-
-func (dec *Decoder) peek() (byte, error) {
-	var err error
-	for {
-		for i := dec.scanp; i < len(dec.buf); i++ {
-			c := dec.buf[i]
-			if isSpace(c) {
-				continue
-			}
-			dec.scanp = i
-			return c, nil
-		}
-		// buffer has been scanned, now report any error
-		if err != nil {
-			return 0, err
-		}
-		err = dec.refill()
-	}
-}
-
-// InputOffset returns the input stream byte offset of the current decoder position.
-// The offset gives the location of the end of the most recently returned token
-// and the beginning of the next token.
-func (dec *Decoder) InputOffset() int64 {
-	return dec.scanned + int64(dec.scanp)
-}
--- a/common/contextjson/tables.go
+++ b/common/contextjson/tables.go
@@ -1,218 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import "unicode/utf8"
-
-// safeSet holds the value true if the ASCII character with the given array
-// position can be represented inside a JSON string without any further
-// escaping.
-//
-// All values are true except for the ASCII control characters (0-31), the
-// double quote ("), and the backslash character ("\").
-var safeSet = [utf8.RuneSelf]bool{
-	' ':      true,
-	'!':      true,
-	'"':      false,
-	'#':      true,
-	'$':      true,
-	'%':      true,
-	'&':      true,
-	'\'':     true,
-	'(':      true,
-	')':      true,
-	'*':      true,
-	'+':      true,
-	',':      true,
-	'-':      true,
-	'.':      true,
-	'/':      true,
-	'0':      true,
-	'1':      true,
-	'2':      true,
-	'3':      true,
-	'4':      true,
-	'5':      true,
-	'6':      true,
-	'7':      true,
-	'8':      true,
-	'9':      true,
-	':':      true,
-	';':      true,
-	'<':      true,
-	'=':      true,
-	'>':      true,
-	'?':      true,
-	'@':      true,
-	'A':      true,
-	'B':      true,
-	'C':      true,
-	'D':      true,
-	'E':      true,
-	'F':      true,
-	'G':      true,
-	'H':      true,
-	'I':      true,
-	'J':      true,
-	'K':      true,
-	'L':      true,
-	'M':      true,
-	'N':      true,
-	'O':      true,
-	'P':      true,
-	'Q':      true,
-	'R':      true,
-	'S':      true,
-	'T':      true,
-	'U':      true,
-	'V':      true,
-	'W':      true,
-	'X':      true,
-	'Y':      true,
-	'Z':      true,
-	'[':      true,
-	'\\':     false,
-	']':      true,
-	'^':      true,
-	'_':      true,
-	'`':      true,
-	'a':      true,
-	'b':      true,
-	'c':      true,
-	'd':      true,
-	'e':      true,
-	'f':      true,
-	'g':      true,
-	'h':      true,
-	'i':      true,
-	'j':      true,
-	'k':      true,
-	'l':      true,
-	'm':      true,
-	'n':      true,
-	'o':      true,
-	'p':      true,
-	'q':      true,
-	'r':      true,
-	's':      true,
-	't':      true,
-	'u':      true,
-	'v':      true,
-	'w':      true,
-	'x':      true,
-	'y':      true,
-	'z':      true,
-	'{':      true,
-	'|':      true,
-	'}':      true,
-	'~':      true,
-	'\u007f': true,
-}
-
-// htmlSafeSet holds the value true if the ASCII character with the given
-// array position can be safely represented inside a JSON string, embedded
-// inside of HTML <script> tags, without any additional escaping.
-//
-// All values are true except for the ASCII control characters (0-31), the
-// double quote ("), the backslash character ("\"), HTML opening and closing
-// tags ("<" and ">"), and the ampersand ("&").
-var htmlSafeSet = [utf8.RuneSelf]bool{
-	' ':      true,
-	'!':      true,
-	'"':      false,
-	'#':      true,
-	'$':      true,
-	'%':      true,
-	'&':      false,
-	'\'':     true,
-	'(':      true,
-	')':      true,
-	'*':      true,
-	'+':      true,
-	',':      true,
-	'-':      true,
-	'.':      true,
-	'/':      true,
-	'0':      true,
-	'1':      true,
-	'2':      true,
-	'3':      true,
-	'4':      true,
-	'5':      true,
-	'6':      true,
-	'7':      true,
-	'8':      true,
-	'9':      true,
-	':':      true,
-	';':      true,
-	'<':      false,
-	'=':      true,
-	'>':      false,
-	'?':      true,
-	'@':      true,
-	'A':      true,
-	'B':      true,
-	'C':      true,
-	'D':      true,
-	'E':      true,
-	'F':      true,
-	'G':      true,
-	'H':      true,
-	'I':      true,
-	'J':      true,
-	'K':      true,
-	'L':      true,
-	'M':      true,
-	'N':      true,
-	'O':      true,
-	'P':      true,
-	'Q':      true,
-	'R':      true,
-	'S':      true,
-	'T':      true,
-	'U':      true,
-	'V':      true,
-	'W':      true,
-	'X':      true,
-	'Y':      true,
-	'Z':      true,
-	'[':      true,
-	'\\':     false,
-	']':      true,
-	'^':      true,
-	'_':      true,
-	'`':      true,
-	'a':      true,
-	'b':      true,
-	'c':      true,
-	'd':      true,
-	'e':      true,
-	'f':      true,
-	'g':      true,
-	'h':      true,
-	'i':      true,
-	'j':      true,
-	'k':      true,
-	'l':      true,
-	'm':      true,
-	'n':      true,
-	'o':      true,
-	'p':      true,
-	'q':      true,
-	'r':      true,
-	's':      true,
-	't':      true,
-	'u':      true,
-	'v':      true,
-	'w':      true,
-	'x':      true,
-	'y':      true,
-	'z':      true,
-	'{':      true,
-	'|':      true,
-	'}':      true,
-	'~':      true,
-	'\u007f': true,
-}
--- a/common/contextjson/tags.go
+++ b/common/contextjson/tags.go
@@ -1,38 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"strings"
-)
-
-// tagOptions is the string following a comma in a struct field's "json"
-// tag, or the empty string. It does not include the leading comma.
-type tagOptions string
-
-// parseTag splits a struct field's json tag into its name and
-// comma-separated options.
-func parseTag(tag string) (string, tagOptions) {
-	tag, opt, _ := strings.Cut(tag, ",")
-	return tag, tagOptions(opt)
-}
-
-// Contains reports whether a comma-separated list of options
-// contains a particular substr flag. substr must be surrounded by a
-// string boundary or commas.
-func (o tagOptions) Contains(optionName string) bool {
-	if len(o) == 0 {
-		return false
-	}
-	s := string(o)
-	for s != "" {
-		var name string
-		name, s, _ = strings.Cut(s, ",")
-		if name == optionName {
-			return true
-		}
-	}
-	return false
-}
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -15,14 +15,17 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )

+var _ WireGuardListener = (*DefaultDialer)(nil)
+
 type DefaultDialer struct {
-	dialer4     tcpDialer
-	dialer6     tcpDialer
-	udpDialer4  net.Dialer
-	udpDialer6  net.Dialer
-	udpListener net.ListenConfig
-	udpAddr4    string
-	udpAddr6    string
+	dialer4             tcpDialer
+	dialer6             tcpDialer
+	udpDialer4          net.Dialer
+	udpDialer6          net.Dialer
+	udpListener         net.ListenConfig
+	udpAddr4            string
+	udpAddr6            string
+	isWireGuardListener bool
 }

 func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDialer, error) {
@@ -98,6 +101,11 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		}
 		setMultiPathTCP(&dialer4)
 	}
+	if options.IsWireGuardListener {
+		for _, controlFn := range wgControlFns {
+			listener.Control = control.Append(listener.Control, controlFn)
+		}
+	}
 	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
 	if err != nil {
 		return nil, err
@@ -114,6 +122,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		listener,
 		udpAddr4,
 		udpAddr6,
+		options.IsWireGuardListener,
 	}, nil
 }

@@ -146,6 +155,10 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	}
 }

+func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
+	return trackPacketConn(d.udpListener.ListenPacket(context.Background(), network, address))
+}
+
 func trackConn(conn net.Conn, err error) (net.Conn, error) {
 	if !conntrack.Enabled || err != nil {
 		return conn, err
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -6,15 +6,13 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing/common"
 	N "github.com/sagernet/sing/common/network"
 )

-func MustNew(router adapter.Router, options option.DialerOptions) N.Dialer {
-	return common.Must1(New(router, options))
-}
-
 func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error) {
+	if options.IsWireGuardListener {
+		return NewDefault(router, options)
+	}
 	var (
 		dialer N.Dialer
 		err    error
--- a/common/dialer/wireguard.go
+++ b/common/dialer/wireguard.go
@@ -0,0 +1,9 @@
+package dialer
+
+import (
+	"net"
+)
+
+type WireGuardListener interface {
+	ListenPacketCompat(network, address string) (net.PacketConn, error)
+}
--- a/common/dialer/wireguard_control.go
+++ b/common/dialer/wireguard_control.go
@@ -0,0 +1,11 @@
+//go:build with_wireguard
+
+package dialer
+
+import (
+	"github.com/sagernet/wireguard-go/conn"
+)
+
+var _ WireGuardListener = (conn.Listener)(nil)
+
+var wgControlFns = conn.ControlFns
--- a/common/dialer/wiregurad_stub.go
+++ b/common/dialer/wiregurad_stub.go
@@ -0,0 +1,9 @@
+//go:build !with_wireguard
+
+package dialer
+
+import (
+	"github.com/sagernet/sing/common/control"
+)
+
+var wgControlFns []control.Func
--- a/common/json/comment.go
+++ b/common/json/comment.go
@@ -1,128 +0,0 @@
-package json
-
-import (
-	"bufio"
-	"io"
-)
-
-// kanged from v2ray
-
-type commentFilterState = byte
-
-const (
-	commentFilterStateContent commentFilterState = iota
-	commentFilterStateEscape
-	commentFilterStateDoubleQuote
-	commentFilterStateDoubleQuoteEscape
-	commentFilterStateSingleQuote
-	commentFilterStateSingleQuoteEscape
-	commentFilterStateComment
-	commentFilterStateSlash
-	commentFilterStateMultilineComment
-	commentFilterStateMultilineCommentStar
-)
-
-type CommentFilter struct {
-	br    *bufio.Reader
-	state commentFilterState
-}
-
-func NewCommentFilter(reader io.Reader) io.Reader {
-	return &CommentFilter{br: bufio.NewReader(reader)}
-}
-
-func (v *CommentFilter) Read(b []byte) (int, error) {
-	p := b[:0]
-	for len(p) < len(b)-2 {
-		x, err := v.br.ReadByte()
-		if err != nil {
-			if len(p) == 0 {
-				return 0, err
-			}
-			return len(p), nil
-		}
-		switch v.state {
-		case commentFilterStateContent:
-			switch x {
-			case '"':
-				v.state = commentFilterStateDoubleQuote
-				p = append(p, x)
-			case '\'':
-				v.state = commentFilterStateSingleQuote
-				p = append(p, x)
-			case '\\':
-				v.state = commentFilterStateEscape
-			case '#':
-				v.state = commentFilterStateComment
-			case '/':
-				v.state = commentFilterStateSlash
-			default:
-				p = append(p, x)
-			}
-		case commentFilterStateEscape:
-			p = append(p, '\\', x)
-			v.state = commentFilterStateContent
-		case commentFilterStateDoubleQuote:
-			switch x {
-			case '"':
-				v.state = commentFilterStateContent
-				p = append(p, x)
-			case '\\':
-				v.state = commentFilterStateDoubleQuoteEscape
-			default:
-				p = append(p, x)
-			}
-		case commentFilterStateDoubleQuoteEscape:
-			p = append(p, '\\', x)
-			v.state = commentFilterStateDoubleQuote
-		case commentFilterStateSingleQuote:
-			switch x {
-			case '\'':
-				v.state = commentFilterStateContent
-				p = append(p, x)
-			case '\\':
-				v.state = commentFilterStateSingleQuoteEscape
-			default:
-				p = append(p, x)
-			}
-		case commentFilterStateSingleQuoteEscape:
-			p = append(p, '\\', x)
-			v.state = commentFilterStateSingleQuote
-		case commentFilterStateComment:
-			if x == '\n' {
-				v.state = commentFilterStateContent
-				p = append(p, '\n')
-			}
-		case commentFilterStateSlash:
-			switch x {
-			case '/':
-				v.state = commentFilterStateComment
-			case '*':
-				v.state = commentFilterStateMultilineComment
-			default:
-				p = append(p, '/', x)
-			}
-		case commentFilterStateMultilineComment:
-			switch x {
-			case '*':
-				v.state = commentFilterStateMultilineCommentStar
-			case '\n':
-				p = append(p, '\n')
-			}
-		case commentFilterStateMultilineCommentStar:
-			switch x {
-			case '/':
-				v.state = commentFilterStateContent
-			case '*':
-				// Stay
-			case '\n':
-				p = append(p, '\n')
-			default:
-				v.state = commentFilterStateMultilineComment
-			}
-		default:
-			panic("Unknown state.")
-		}
-	}
-	return len(p), nil
-}
--- a/common/json/context.go
+++ b/common/json/context.go
@@ -1,21 +0,0 @@
-//go:build go1.21 && !without_contextjson
-
-package json
-
-import "github.com/sagernet/sing-box/common/contextjson"
-
-var (
-	Marshal    = json.Marshal
-	Unmarshal  = json.Unmarshal
-	NewEncoder = json.NewEncoder
-	NewDecoder = json.NewDecoder
-)
-
-type (
-	Encoder     = json.Encoder
-	Decoder     = json.Decoder
-	Token       = json.Token
-	Delim       = json.Delim
-	SyntaxError = json.SyntaxError
-	RawMessage  = json.RawMessage
-)
--- a/common/json/std.go
+++ b/common/json/std.go
@@ -1,21 +0,0 @@
-//go:build !go1.21 || without_contextjson
-
-package json
-
-import "encoding/json"
-
-var (
-	Marshal    = json.Marshal
-	Unmarshal  = json.Unmarshal
-	NewEncoder = json.NewEncoder
-	NewDecoder = json.NewDecoder
-)
-
-type (
-	Encoder     = json.Encoder
-	Decoder     = json.Decoder
-	Token       = json.Token
-	Delim       = json.Delim
-	SyntaxError = json.SyntaxError
-	RawMessage  = json.RawMessage
-)
--- a/common/srs/binary.go
+++ b/common/srs/binary.go
@@ -109,8 +109,10 @@ func readRule(reader io.Reader, recovery bool) (rule option.HeadlessRule, err er
 	}
 	switch ruleType {
 	case 0:
+		rule.Type = C.RuleTypeDefault
 		rule.DefaultOptions, err = readDefaultRule(reader, recovery)
 	case 1:
+		rule.Type = C.RuleTypeLogical
 		rule.LogicalOptions, err = readLogicalRule(reader, recovery)
 	default:
 		err = E.New("unknown rule type: ", ruleType)
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -105,5 +105,16 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		},
 	})
 	config = certmagic.New(cache, *config)
-	return config.TLSConfig(), &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
+	var tlsConfig *tls.Config
+	if acmeConfig.DisableTLSALPNChallenge || acmeConfig.DNS01Solver != nil {
+		tlsConfig = &tls.Config{
+			GetCertificate: config.GetCertificate,
+		}
+	} else {
+		tlsConfig = &tls.Config{
+			GetCertificate: config.GetCertificate,
+			NextProtos:     []string{ACMETLS1Protocol},
+		}
+	}
+	return tlsConfig, &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
 }
--- a/common/tls/acme_contstant.go
+++ b/common/tls/acme_contstant.go
@@ -0,0 +1,3 @@
+package tls
+
+const ACMETLS1Protocol = "acme-tls/1"
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -6,6 +6,7 @@ import (
 	"os"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/badtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
@@ -42,7 +43,17 @@ func NewClient(ctx context.Context, serverAddress string, options option.Outboun
 func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
 	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
 	defer cancel()
-	return aTLS.ClientHandshake(ctx, conn, config)
+	tlsConn, err := aTLS.ClientHandshake(ctx, conn, config)
+	if err != nil {
+		return nil, err
+	}
+	readWaitConn, err := badtls.NewReadWaitConn(tlsConn)
+	if err == nil {
+		return readWaitConn, nil
+	} else if err != os.ErrInvalid {
+		return nil, err
+	}
+	return tlsConn, nil
 }

 type Dialer struct {
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"crypto/aes"
 	"crypto/cipher"
+	"crypto/ecdh"
 	"crypto/ed25519"
 	"crypto/hmac"
 	"crypto/sha256"
@@ -137,12 +138,21 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	hello.SessionId[2] = 1
 	binary.BigEndian.PutUint32(hello.SessionId[4:], uint32(time.Now().Unix()))
 	copy(hello.SessionId[8:], e.shortID[:])
-
 	if debug.Enabled {
 		fmt.Printf("REALITY hello.sessionId[:16]: %v\n", hello.SessionId[:16])
 	}
-
-	authKey := uConn.HandshakeState.State13.EcdheParams.SharedKey(e.publicKey)
+	publicKey, err := ecdh.X25519().NewPublicKey(e.publicKey)
+	if err != nil {
+		return nil, err
+	}
+	ecdheKey := uConn.HandshakeState.State13.EcdheKey
+	if ecdheKey == nil {
+		return nil, E.New("nil ecdhe_key")
+	}
+	authKey, err := ecdheKey.ECDH(publicKey)
+	if err != nil {
+		return nil, err
+	}
 	if authKey == nil {
 		return nil, E.New("nil auth_key")
 	}
--- a/common/tls/server.go
+++ b/common/tls/server.go
@@ -3,7 +3,9 @@ package tls
 import (
 	"context"
 	"net"
+	"os"

+	"github.com/sagernet/sing-box/common/badtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
@@ -26,5 +28,15 @@ func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLS
 func ServerHandshake(ctx context.Context, conn net.Conn, config ServerConfig) (Conn, error) {
 	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
 	defer cancel()
-	return aTLS.ServerHandshake(ctx, conn, config)
+	tlsConn, err := aTLS.ServerHandshake(ctx, conn, config)
+	if err != nil {
+		return nil, err
+	}
+	readWaitConn, err := badtls.NewReadWaitConn(tlsConn)
+	if err == nil {
+		return readWaitConn, nil
+	} else if err != os.ErrInvalid {
+		return nil, err
+	}
+	return tlsConn, nil
 }
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -39,11 +39,19 @@ func (c *STDServerConfig) SetServerName(serverName string) {
 }

 func (c *STDServerConfig) NextProtos() []string {
-	return c.config.NextProtos
+	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
+		return c.config.NextProtos[1:]
+	} else {
+		return c.config.NextProtos
+	}
 }

 func (c *STDServerConfig) SetNextProtos(nextProto []string) {
-	c.config.NextProtos = nextProto
+	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
+		c.config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
+	} else {
+		c.config.NextProtos = nextProto
+	}
 }

 func (c *STDServerConfig) Config() (*STDConfig, error) {
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -219,6 +219,16 @@ func uTLSClientHelloID(name string) (utls.ClientHelloID, error) {
 	switch name {
 	case "chrome", "":
 		return utls.HelloChrome_Auto, nil
+	case "chrome_psk":
+		return utls.HelloChrome_100_PSK, nil
+	case "chrome_psk_shuffle":
+		return utls.HelloChrome_112_PSK_Shuf, nil
+	case "chrome_padding_psk_shuffle":
+		return utls.HelloChrome_114_Padding_PSK_Shuf, nil
+	case "chrome_pq":
+		return utls.HelloChrome_115_PQ, nil
+	case "chrome_pq_psk":
+		return utls.HelloChrome_115_PQ_PSK, nil
 	case "firefox":
 		return utls.HelloFirefox_Auto, nil
 	case "edge":
--- a/debug_http.go
+++ b/debug_http.go
@@ -5,13 +5,14 @@ import (
 	"net/http/pprof"
 	"runtime"
 	"runtime/debug"
+	"strings"

-	"github.com/sagernet/sing-box/common/badjson"
 	"github.com/sagernet/sing-box/common/humanize"
-	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/json/badjson"

 	"github.com/go-chi/chi/v5"
 )
@@ -47,12 +48,20 @@ func applyDebugListenOption(options option.DebugOptions) {
 			encoder.SetIndent("", "  ")
 			encoder.Encode(memObject)
 		})
-		r.HandleFunc("/pprof", pprof.Index)
-		r.HandleFunc("/pprof/*", pprof.Index)
-		r.HandleFunc("/pprof/cmdline", pprof.Cmdline)
-		r.HandleFunc("/pprof/profile", pprof.Profile)
-		r.HandleFunc("/pprof/symbol", pprof.Symbol)
-		r.HandleFunc("/pprof/trace", pprof.Trace)
+		r.Route("/pprof", func(r chi.Router) {
+			r.HandleFunc("/", func(writer http.ResponseWriter, request *http.Request) {
+				if !strings.HasSuffix(request.URL.Path, "/") {
+					http.Redirect(writer, request, request.URL.Path+"/", http.StatusMovedPermanently)
+				} else {
+					pprof.Index(writer, request)
+				}
+			})
+			r.HandleFunc("/*", pprof.Index)
+			r.HandleFunc("/cmdline", pprof.Cmdline)
+			r.HandleFunc("/profile", pprof.Profile)
+			r.HandleFunc("/symbol", pprof.Symbol)
+			r.HandleFunc("/trace", pprof.Trace)
+		})
 	})
 	debugHTTPServer = &http.Server{
 		Addr:    options.Listen,
--- a/debug_stub.go
+++ b/debug_stub.go
@@ -1,4 +1,4 @@
-//go:build !linux
+//go:build !(linux || darwin)

 package box

--- a/debug_linux.go
+++ b/debug_linux.go
@@ -1,3 +1,5 @@
+//go:build linux || darwin
+
 package box

 import (
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,7 +2,105 @@
 icon: material/alert-decagram
 ---

-#### 1.8.0-alpha.11
+#### 1.8.0-rc.10
+
+* Fixes and improvements
+
+#### 1.7.7
+
+* Fix V2Ray transport `path` validation behavior **1**
+* Fixes and improvements
+
+**1**:
+
+See [V2Ray transport](/configuration/shared/v2ray-transport/).
+
+#### 1.8.0-rc.7
+
+* Fixes and improvements
+
+#### 1.8.0-rc.3
+
+* Fix V2Ray transport `path` validation behavior **1**
+* Fixes and improvements
+
+**1**:
+
+See [V2Ray transport](/configuration/shared/v2ray-transport/).
+
+#### 1.7.6
+
+* Fixes and improvements
+
+#### 1.8.0-rc.1
+
+* Fixes and improvements
+
+#### 1.8.0-beta.9
+
+* Add simple loopback detect
+* Fixes and improvements
+
+#### 1.7.5
+
+* Fixes and improvements
+
+#### 1.8.0-alpha.17
+
+* Add GSO support for TUN and WireGuard system interface **1**
+* Update uTLS to 1.5.4 **2**
+* Update dependencies **3**
+* Fixes and improvements
+
+**1**:
+
+See [TUN](/configuration/inbound/tun/) inbound and [WireGuard](/configuration/outbound/wireguard/) outbound.
+
+**2**:
+
+Added some new [fingerprints](/configuration/shared/tls#utls).
+Also, starting with this release, uTLS requires at least Go 1.20.
+
+**3**:
+
+Updated `cloudflare-tls`, `gomobile`, `smux`, `tfo-go` and `wireguard-go` to latest, and `gvisor` to `20231204.0`
+
+This may break something, good luck!
+
+#### 1.7.4
+
+* Fixes and improvements
+
+_Due to the long waiting time, this version is no longer waiting for approval
+by the Apple App Store, so updates to Apple Platforms will be delayed._
+
+#### 1.8.0-alpha.16
+
+* Fixes and improvements
+
+#### 1.8.0-alpha.15
+
+* Some chaotic changes **1**
+* Fixes and improvements
+
+**1**:
+
+Designed to optimize memory usage of idle connections, may take effect on the following protocols:
+
+| Protocol                                             | TCP              | UDP              |
+|------------------------------------------------------|------------------|------------------|
+| HTTP proxy server                                    | :material-check: | /                |
+| SOCKS5                                               | :material-close: | :material-check: |
+| Shadowsocks none/AEAD/AEAD2022                       | :material-check: | :material-check: |
+| Trojan                                               | /                | :material-check: |
+| TUIC/Hysteria/Hysteria2                              | :material-close: | :material-check: |
+| Multiplex                                            | :material-close: | :material-check: |
+| Plain TLS (Trojan/VLESS without extra sub-protocols) | :material-check: | /                |
+| Other protocols                                      | :material-close: | :material-close: |
+
+At the same time, everything existing may be broken, please actively report problems with this version.
+
+#### 1.8.0-alpha.13

 * Fixes and improvements

@@ -68,13 +166,13 @@ Since GeoIP was deprecated, we made this rule independent, see [Migration](/migr
 #### 1.8.0-alpha.1

 * Migrate cache file from Clash API to independent options **1**
-* Introducing [Rule Set](/configuration/rule-set) **2**
+* Introducing [Rule Set](/configuration/rule-set/) **2**
 * Add `sing-box geoip`, `sing-box geosite` and `sing-box rule-set` commands **3**
 * Allow nested logical rules **4**

 **1**:

-See [Cache File](/configuration/experimental/cache-file) and
+See [Cache File](/configuration/experimental/cache-file/) and
 [Migration](/migration/#migrate-cache-file-from-clash-api-to-independent-options).

 **2**:
@@ -85,11 +183,11 @@ it can include more types of rules, load faster,
 use less memory, and update automatically.

 See [Route#rule_set](/configuration/route/#rule_set),
-[Route Rule](/configuration/route/rule),
-[DNS Rule](/configuration/dns/rule),
-[Rule Set](/configuration/rule-set),
-[Source Format](/configuration/rule-set/source-format) and
-[Headless Rule](/configuration/rule-set/headless-rule).
+[Route Rule](/configuration/route/rule/),
+[DNS Rule](/configuration/dns/rule/),
+[Rule Set](/configuration/rule-set/),
+[Source Format](/configuration/rule-set/source-format/) and
+[Headless Rule](/configuration/rule-set/headless-rule/).

 For GEO resources migration, see [Migrate GeoIP to rule sets](/migration/#migrate-geoip-to-rule-sets) and
 [Migrate Geosite to rule sets](/migration/#migrate-geosite-to-rule-sets).
@@ -108,8 +206,8 @@ Logical rules in route rules, DNS rules, and the new headless rule now allow nes

 Important changes since 1.6:

-* Add [exclude route support](/configuration/inbound/tun) for TUN inbound
-* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen) **1**
+* Add [exclude route support](/configuration/inbound/tun/) for TUN inbound
+* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen/) **1**
 * Add [HTTPUpgrade V2Ray transport](/configuration/shared/v2ray-transport#HTTPUpgrade) support **2**
 * Migrate multiplex and UoT server to inbound **3**
 * Add TCP Brutal support for multiplex **4**
@@ -133,11 +231,14 @@ The new HTTPUpgrade transport has better performance than WebSocket and is bette

 **3**:

-Starting in 1.7.0, multiplexing support is no longer enabled by default and needs to be turned on explicitly in inbound options.
+Starting in 1.7.0, multiplexing support is no longer enabled by default
+and needs to be turned on explicitly in inbound
+options.

 **4**

-Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server, see [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server,
+see [TCP Brutal](/configuration/shared/tcp-brutal/) for details.

 **5**:

@@ -226,7 +327,7 @@ Only supported in graphical clients on Android and iOS.

 #### 1.6.1

-* Our [Android client](/installation/clients/sfa) is now available in the Google Play Store ▶️
+* Our [Android client](/installation/clients/sfa/) is now available in the Google Play Store ▶️
 * Fixes and improvements

 #### 1.7.0-alpha.6
@@ -246,7 +347,7 @@ options.
 **2**

 Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server,
-see [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+see [TCP Brutal](/configuration/shared/tcp-brutal/) for details.

 #### 1.7.0-alpha.3

@@ -265,13 +366,13 @@ The new HTTPUpgrade transport has better performance than WebSocket and is bette

 Important changes since 1.5:

-* Our [Apple tvOS client](/installation/clients/sft) is now available in the App Store 🍎
+* Our [Apple tvOS client](/installation/clients/sft/) is now available in the App Store 🍎
 * Update BBR congestion control for TUIC and Hysteria2 **1**
 * Update brutal congestion control for Hysteria2
 * Add `brutal_debug` option for Hysteria2
 * Update legacy Hysteria protocol **2**
 * Add TLS self sign key pair generate command
-* Remove [Deprecated Features](/deprecated) by agreement
+* Remove [Deprecated Features](/deprecated/) by agreement

 **1**:

@@ -289,8 +390,8 @@ the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2

 #### 1.7.0-alpha.1

-* Add [exclude route support](/configuration/inbound/tun) for TUN inbound
-* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen) **1**
+* Add [exclude route support](/configuration/inbound/tun/) for TUN inbound
+* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen/) **1**
 * Fixes and improvements

 **1**:
@@ -313,7 +414,8 @@ When `auto_route` is enabled and `strict_route` is disabled, the device can now

 **2**:

-Built using Go 1.20, the last version that will run on Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High
+Built using Go 1.20, the last version that will run on
+Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High
 Sierra, 10.14 Mojave.

 #### 1.6.0-rc.4
@@ -327,7 +429,8 @@ Sierra, 10.14 Mojave.

 **1**:

-Built using Go 1.20, the last version that will run on Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High
+Built using Go 1.20, the last version that will run on
+Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High
 Sierra, 10.14 Mojave.

 #### 1.6.0-beta.4
@@ -408,7 +511,7 @@ introduce new issues.

 #### 1.5.2

-* Our [Apple tvOS client](/installation/clients/sft) is now available in the App Store 🍎
+* Our [Apple tvOS client](/installation/clients/sft/) is now available in the App Store 🍎
 * Fixes and improvements

 #### 1.6.0-alpha.3
@@ -428,7 +531,7 @@ introduce new issues.
 * Update BBR congestion control for TUIC and Hysteria2 **1**
 * Update quic-go to v0.39.0
 * Update gVisor to 20230814.0
-* Remove [Deprecated Features](/deprecated) by agreement
+* Remove [Deprecated Features](/deprecated/) by agreement
 * Fixes and improvements

 **1**:
@@ -442,7 +545,7 @@ This update is intended to address the multi-send defects of the old implementat

 Important changes since 1.4:

-* Add TLS [ECH server](/configuration/shared/tls) support
+* Add TLS [ECH server](/configuration/shared/tls/) support
 * Improve TLS TCH client configuration
 * Add TLS ECH key pair generator **1**
 * Add TLS ECH support for QUIC based protocols **2**
@@ -451,7 +554,7 @@ Important changes since 1.4:
 * Add `interrupt_exist_connections` option for `Selector` and `URLTest` outbounds **4**
 * Add DNS01 challenge support for ACME TLS certificate issuer **5**
 * Add `merge` command **6**
-* Mark [Deprecated Features](/deprecated)
+* Mark [Deprecated Features](/deprecated/)

 **1**:

@@ -463,7 +566,7 @@ All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria[/2]`

 **3**:

-See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
+See [Hysteria2 inbound](/configuration/inbound/hysteria2/) and [Hysteria2 outbound](/configuration/outbound/hysteria2/)

 For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)

@@ -476,7 +579,7 @@ Only inbound connections are affected by this setting, internal connections will
 **5**:

 Only `Alibaba Cloud DNS` and `Cloudflare` are supported, see [ACME Fields](/configuration/shared/tls#acme-fields)
-and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
+and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/).

 **6**:

@@ -558,7 +661,7 @@ Global Flags:

 Only `Alibaba Cloud DNS` and `Cloudflare` are supported,
 see [ACME Fields](/configuration/shared/tls#acme-fields)
-and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
+and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/).

 #### 1.5.0-beta.10

@@ -587,7 +690,7 @@ Only inbound connections are affected by this setting, internal connections will

 * Fix compatibility issues with official Hysteria2 server and client
 * Fixes and improvements
-* Mark [deprecated features](/deprecated)
+* Mark [deprecated features](/deprecated/)

 #### 1.5.0-beta.3

@@ -606,13 +709,13 @@ Hysteria2 server and client when using `fastOpen=false` or UDP MTU >= 1200.

 **1**:

-See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
+See [Hysteria2 inbound](/configuration/inbound/hysteria2/) and [Hysteria2 outbound](/configuration/outbound/hysteria2/)

 For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)

 #### 1.5.0-beta.1

-* Add TLS [ECH server](/configuration/shared/tls) support
+* Add TLS [ECH server](/configuration/shared/tls/) support
 * Improve TLS TCH client configuration
 * Add TLS ECH key pair generator **1**
 * Add TLS ECH support for QUIC based protocols **2**
@@ -645,12 +748,12 @@ Important changes since 1.3:

 *1*:

-See [TUIC inbound](/configuration/inbound/tuic)
-and [TUIC outbound](/configuration/outbound/tuic)
+See [TUIC inbound](/configuration/inbound/tuic/)
+and [TUIC outbound](/configuration/outbound/tuic/)

 **2**:

-This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp/), designed to provide a QUIC
 stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
 another program compatible with the protocol as a server.

@@ -681,7 +784,7 @@ Requires sing-box to be compiled with Go 1.21.

 **1**:

-This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp/), designed to provide a QUIC
 stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
 another program compatible with the protocol as a server.

@@ -719,8 +822,8 @@ Requires sing-box to be compiled with Go 1.21.

 *1*:

-See [TUIC inbound](/configuration/inbound/tuic)
-and [TUIC outbound](/configuration/outbound/tuic)
+See [TUIC inbound](/configuration/inbound/tuic/)
+and [TUIC outbound](/configuration/outbound/tuic/)

 #### 1.3.6

@@ -729,7 +832,7 @@ and [TUIC outbound](/configuration/outbound/tuic)
 #### 1.3.5

 * Fixes and improvements
-* Introducing our [Apple tvOS](/installation/clients/sft) client applications **1**
+* Introducing our [Apple tvOS](/installation/clients/sft/) client applications **1**
 * Add per app proxy and app installed/updated trigger support for Android client
 * Add profile sharing support for Android/iOS/macOS clients

@@ -756,7 +859,8 @@ downloaded through TestFlight.

 #### 1.3.1-beta.3

-* Introducing our [new iOS](/installation/clients/sfi) and [macOS](/installation/clients/sfm) client applications **1**
+* Introducing our [new iOS](/installation/clients/sfi/) and [macOS](/installation/clients/sfm/) client applications **1
+  **
 * Fixes and improvements

 **1**:
@@ -777,7 +881,7 @@ The old testflight link and app are no longer valid.

 Important changes since 1.2:

-* Add [FakeIP](/configuration/dns/fakeip) support **1**
+* Add [FakeIP](/configuration/dns/fakeip/) support **1**
 * Improve multiplex **2**
 * Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
 * Add `rewrite_ttl` DNS rule action
@@ -804,11 +908,11 @@ Important changes since 1.2:

 *1*:

-See [FAQ](/faq/fakeip) for more information.
+See [FAQ](/faq/fakeip/) for more information.

 *2*:

-Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex).
+Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex/).

 #### 1.3-rc2

@@ -870,7 +974,7 @@ Improved performance and reduced memory usage.

 *1*:

-Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex).
+Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex/).

 #### 1.2.6

@@ -922,25 +1026,25 @@ This is an incompatible update for XUDP in VLESS if vision flow is enabled.
 #### 1.3-beta1

 * Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
-* Add [L3 routing](/configuration/route/ip-rule) support **1**
+* Add [L3 routing](/configuration/route/ip-rule/) support **1**
 * Add `rewrite_ttl` DNS rule action
-* Add [FakeIP](/configuration/dns/fakeip) support **2**
+* Add [FakeIP](/configuration/dns/fakeip/) support **2**
 * Add `store_fakeip` Clash API option
 * Add multi-peer support for [WireGuard](/configuration/outbound/wireguard#peers) outbound
 * Add loopback detect

 *1*:

-It can currently be used to [route connections directly to WireGuard](/examples/wireguard-direct) or block connections
+It can currently be used to [route connections directly to WireGuard](/examples/wireguard-direct/) or block connections
 at the IP layer.

 *2*:

-See [FAQ](/faq/fakeip) for more information.
+See [FAQ](/faq/fakeip/) for more information.

 #### 1.2.3

-* Introducing our [new Android client application](/installation/clients/sfa)
+* Introducing our [new Android client application](/installation/clients/sfa/)
 * Improve UDP domain destination NAT
 * Update reality protocol
 * Fix TTL calculation for DNS response
@@ -969,16 +1073,16 @@ to `domain` rule.

 Important changes since 1.1:

-* Introducing our [new iOS client application](/installation/clients/sfi)
-* Introducing [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
+* Introducing our [new iOS client application](/installation/clients/sfi/)
+* Introducing [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp/)
 * Add [platform options](/configuration/inbound/tun#platform) for tun inbound
 * Add [ShadowTLS protocol v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md)
-* Add [VLESS server](/configuration/inbound/vless) and [vision](/configuration/outbound/vless#flow) support
-* Add [reality TLS](/configuration/shared/tls) support
-* Add [NTP service](/configuration/ntp)
-* Add [DHCP DNS server](/configuration/dns/server) support
-* Add SSH [host key validation](/configuration/outbound/ssh) support
-* Add [query_type](/configuration/dns/rule) DNS rule item
+* Add [VLESS server](/configuration/inbound/vless/) and [vision](/configuration/outbound/vless#flow) support
+* Add [reality TLS](/configuration/shared/tls/) support
+* Add [NTP service](/configuration/ntp/)
+* Add [DHCP DNS server](/configuration/dns/server/) support
+* Add SSH [host key validation](/configuration/outbound/ssh/) support
+* Add [query_type](/configuration/dns/rule/) DNS rule item
 * Add fallback support for v2ray transport
 * Add custom TLS server support for http based v2ray transports
 * Add health check support for http-based v2ray transports
@@ -1009,7 +1113,7 @@ name.

 #### 1.2-beta9

-* Introducing the [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
+* Introducing the [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp/)
 * Add health check support for http-based v2ray transports
 * Remove length limit on short_id for reality TLS config
 * Fix bugs and update dependencies
@@ -1026,7 +1130,7 @@ name.

 #### 1.2-beta6

-* Introducing our [new iOS client application](/installation/clients/sfi)
+* Introducing our [new iOS client application](/installation/clients/sfi/)
 * Add [platform options](/configuration/inbound/tun#platform) for tun inbound
 * Add custom TLS server support for http based v2ray transports
 * Add generate commands
@@ -1039,8 +1143,8 @@ name.

 #### 1.2-beta5

-* Add [VLESS server](/configuration/inbound/vless) and [vision](/configuration/outbound/vless#flow) support
-* Add [reality TLS](/configuration/shared/tls) support
+* Add [VLESS server](/configuration/inbound/vless/) and [vision](/configuration/outbound/vless#flow) support
+* Add [reality TLS](/configuration/shared/tls/) support
 * Fix match private address

 #### 1.1.6
@@ -1055,7 +1159,7 @@ name.

 #### 1.2-beta4

-* Add [NTP service](/configuration/ntp)
+* Add [NTP service](/configuration/ntp/)
 * Add Add multiple server names and multi-user support for shadowtls
 * Add strict mode support for shadowtls v3
 * Add uTLS support for shadowtls v3
@@ -1075,9 +1179,9 @@ name.

 #### 1.2-beta1

-* Add [DHCP DNS server](/configuration/dns/server) support
-* Add SSH [host key validation](/configuration/outbound/ssh) support
-* Add [query_type](/configuration/dns/rule) DNS rule item
+* Add [DHCP DNS server](/configuration/dns/server/) support
+* Add SSH [host key validation](/configuration/outbound/ssh/) support
+* Add [query_type](/configuration/dns/rule/) DNS rule item
 * Add v2ray [user stats](/configuration/experimental#statsusers) api
 * Add new clash DNS query api
 * Improve vmess request
@@ -1306,7 +1410,7 @@ and [ShadowTLS outbound](/configuration/outbound/shadowtls#version)

 #### 1.1-beta6

-* Add [URLTest outbound](/configuration/outbound/urltest)
+* Add [URLTest outbound](/configuration/outbound/urltest/)
 * Fix bugs in 1.1-beta5

 #### 1.1-beta5
@@ -1338,8 +1442,8 @@ The default tun stack is changed to system.
 #### 1.1-beta4

 * Add internal simple-obfs and v2ray-plugin [Shadowsocks plugins](/configuration/outbound/shadowsocks#plugin)
-* Add [ShadowsocksR outbound](/configuration/outbound/shadowsocksr)
-* Add [VLESS outbound and XUDP](/configuration/outbound/vless)
+* Add [ShadowsocksR outbound](/configuration/outbound/shadowsocksr/)
+* Add [VLESS outbound and XUDP](/configuration/outbound/vless/)
 * Skip wait for hysteria tcp handshake response
 * Fix socks4 client
 * Fix hysteria inbound
@@ -1366,7 +1470,7 @@ The default tun stack is changed to system.
 *1*:

 Switching modes using the Clash API, and `store-selected` are now supported,
-see [Experimental](/configuration/experimental).
+see [Experimental](/configuration/experimental/).

 *2*:

@@ -1447,15 +1551,15 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 * Fix write trojan udp
 * Fix DNS routing
 * Add attribute support for geosite
-* Update documentation for [Dial Fields](/configuration/shared/dial)
+* Update documentation for [Dial Fields](/configuration/shared/dial/)

 #### 1.0-beta3

 * Add [chained inbound](/configuration/shared/listen#detour) support
 * Add process_path rule item
 * Add macOS redirect support
-* Add ShadowTLS [Inbound](/configuration/inbound/shadowtls), [Outbound](/configuration/outbound/shadowtls)
-  and [Examples](/examples/shadowtls)
+* Add ShadowTLS [Inbound](/configuration/inbound/shadowtls/), [Outbound](/configuration/outbound/shadowtls/)
+  and [Examples](/examples/shadowtls/)
 * Fix search android package in non-owner users
 * Fix socksaddr type condition
 * Fix smux session status
@@ -1499,7 +1603,7 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).

 ##### 2022/08/23

-* Add [V2Ray Transport](/configuration/shared/v2ray-transport) support for VMess and Trojan
+* Add [V2Ray Transport](/configuration/shared/v2ray-transport/) support for VMess and Trojan
 * Allow plain http request in Naive inbound (It can now be used with nginx)
 * Add proxy protocol support
 * Free memory after start
@@ -1508,13 +1612,13 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).

 ##### 2022/08/22

-* Add strategy setting for each [DNS server](/configuration/dns/server)
+* Add strategy setting for each [DNS server](/configuration/dns/server/)
 * Add bind address to outbound options

 ##### 2022/08/21

-* Add [Tor outbound](/configuration/outbound/tor)
-* Add [SSH outbound](/configuration/outbound/ssh)
+* Add [Tor outbound](/configuration/outbound/tor/)
+* Add [SSH outbound](/configuration/outbound/ssh/)

 ##### 2022/08/20

@@ -1528,8 +1632,8 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).

 ##### 2022/08/19

-* Add Hysteria [Inbound](/configuration/inbound/hysteria) and [Outbund](/configuration/outbound/hysteria)
-* Add [ACME TLS certificate issuer](/configuration/shared/tls)
+* Add Hysteria [Inbound](/configuration/inbound/hysteria/) and [Outbund](/configuration/outbound/hysteria/)
+* Add [ACME TLS certificate issuer](/configuration/shared/tls/)
 * Allow read config from stdin (-c stdin)
 * Update gVisor to 20220815.0

@@ -1547,11 +1651,11 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 ##### 2022/08/16

 * Add ip_version (route/dns) rule item
-* Add [WireGuard](/configuration/outbound/wireguard) outbound
+* Add [WireGuard](/configuration/outbound/wireguard/) outbound

 ##### 2022/08/15

-* Add uid, android user and package rules support in [Tun](/configuration/inbound/tun) routing.
+* Add uid, android user and package rules support in [Tun](/configuration/inbound/tun/) routing.

 ##### 2022/08/13

@@ -1560,15 +1664,15 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 ##### 2022/08/12

 * Performance improvements
-* Add UoT option for [SOCKS](/configuration/outbound/socks) outbound
+* Add UoT option for [SOCKS](/configuration/outbound/socks/) outbound

 ##### 2022/08/11

-* Add UoT option for [Shadowsocks](/configuration/outbound/shadowsocks) outbound, UoT support for all inbounds
+* Add UoT option for [Shadowsocks](/configuration/outbound/shadowsocks/) outbound, UoT support for all inbounds

 ##### 2022/08/10

-* Add full-featured [Naive](/configuration/inbound/naive) inbound
+* Add full-featured [Naive](/configuration/inbound/naive/) inbound
 * Fix default dns server option [#9] by iKirby

 ##### 2022/08/09
--- a/docs/clients/android/features.md
+++ b/docs/clients/android/features.md
@@ -18,6 +18,7 @@ SFA provides an unprivileged TUN implementation through Android VpnService.
 | `inet4_address`               | :material-check: | /                  |
 | `inet6_address`               | :material-check: | /                  |
 | `mtu`                         | :material-check: | /                  |
+| `gso`                         | :material-close: | No permission      |
 | `auto_route`                  | :material-check: | /                  |
 | `strict_route`                | :material-close: | Not implemented    |
 | `inet4_route_address`         | :material-check: | /                  |
--- a/docs/clients/apple/features.md
+++ b/docs/clients/apple/features.md
@@ -14,28 +14,29 @@ SFI/SFM/SFT allows you to run sing-box through NetworkExtension with Application

 SFI/SFM/SFT provides an unprivileged TUN implementation through NetworkExtension.

-| TUN inbound option            | Available | Note              |
-|-------------------------------|-----------|-------------------|
-| `interface_name`              | ✖️        | Managed by Darwin |
-| `inet4_address`               | ✔️        | /                 |
-| `inet6_address`               | ✔️        | /                 |
-| `mtu`                         | ✔️        | /                 |
-| `auto_route`                  | ✔️        | /                 |
-| `strict_route`                | ✖️        | Not implemented   |
-| `inet4_route_address`         | ✔️        | /                 |
-| `inet6_route_address`         | ✔️        | /                 |
-| `inet4_route_exclude_address` | ✔️        | /                 |
-| `inet6_route_exclude_address` | ✔️        | /                 |
-| `endpoint_independent_nat`    | ✔️        | /                 |
-| `stack`                       | ✔️        | /                 |
-| `include_interface`           | ✖️        | Not implemented   |
-| `exclude_interface`           | ✖️        | Not implemented   |
-| `include_uid`                 | ✖️        | Not implemented   |
-| `exclude_uid`                 | ✖️        | Not implemented   |
-| `include_android_user`        | ✖️        | Not implemented   |
-| `include_package`             | ✖️        | Not implemented   |
-| `exclude_package`             | ✖️        | Not implemented   |
-| `platform`                    | ✔️        | /                 |
+| TUN inbound option            | Available         | Note              |
+|-------------------------------|-------------------|-------------------|
+| `interface_name`              | :material-close:️ | Managed by Darwin |
+| `inet4_address`               | :material-check:  | /                 |
+| `inet6_address`               | :material-check:  | /                 |
+| `mtu`                         | :material-check:  | /                 |
+| `gso`                         | :material-close:  | Not implemented   |
+| `auto_route`                  | :material-check:  | /                 |
+| `strict_route`                | :material-close:️ | Not implemented   |
+| `inet4_route_address`         | :material-check:  | /                 |
+| `inet6_route_address`         | :material-check:  | /                 |
+| `inet4_route_exclude_address` | :material-check:  | /                 |
+| `inet6_route_exclude_address` | :material-check:  | /                 |
+| `endpoint_independent_nat`    | :material-check:  | /                 |
+| `stack`                       | :material-check:  | /                 |
+| `include_interface`           | :material-close:️ | Not implemented   |
+| `exclude_interface`           | :material-close:️ | Not implemented   |
+| `include_uid`                 | :material-close:️ | Not implemented   |
+| `exclude_uid`                 | :material-close:️ | Not implemented   |
+| `include_android_user`        | :material-close:️ | Not implemented   |
+| `include_package`             | :material-close:️ | Not implemented   |
+| `exclude_package`             | :material-close:️ | Not implemented   |
+| `platform`                    | :material-check:  | /                 |

 | Route/DNS rule option | Available        | Note                  |
 |-----------------------|------------------|-----------------------|
--- a/docs/clients/index.md
+++ b/docs/clients/index.md
@@ -2,11 +2,11 @@

 Maintained by Project S to provide a unified experience and platform-specific functionality.

-| Platform                              | Client                                  |
-|---------------------------------------|-----------------------------------------|
-| :material-android: Android            | [sing-box for Android](./android)       |
-| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple) |
-| :material-laptop: Desktop             | Working in progress                     |
+| Platform                              | Client                                   |
+|---------------------------------------|------------------------------------------|
+| :material-android: Android            | [sing-box for Android](./android/)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
+| :material-laptop: Desktop             | Working in progress                      |

 Some third-party projects that claim to use sing-box or use sing-box as a selling point are not listed here. The core
 motivation of the maintainers of such projects is to acquire more users, and even though they provide friendly VPN
--- a/docs/clients/index.zh.md
+++ b/docs/clients/index.zh.md
@@ -4,8 +4,8 @@

 | 平台                                    | 客户端                                     |
 |---------------------------------------|-----------------------------------------|
-| :material-android: Android            | [sing-box for Android](./android)       |
-| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple) |
+| :material-android: Android            | [sing-box for Android](./android/)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
 | :material-laptop: Desktop             | 施工中                                     |

 此处没有列出一些声称使用或以 sing-box 为卖点的第三方项目。此类项目维护者的动机是获得更多用户，即使它们提供友好的商业
--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@@ -23,9 +23,9 @@

 | Key      | Format                         |
 |----------|--------------------------------|
-| `server` | List of [DNS Server](./server) |
-| `rules`  | List of [DNS Rule](./rule)     |
-| `fakeip` | [FakeIP](./fakeip)             |
+| `server` | List of [DNS Server](./server/) |
+| `rules`  | List of [DNS Rule](./rule/)     |
+| `fakeip` | [FakeIP](./fakeip/)             |

 #### final

@@ -62,4 +62,4 @@ problematic in environments such as macOS, where DNS is proxied and cached by th

 #### fakeip

-[FakeIP](./fakeip) settings.
+[FakeIP](./fakeip/) settings.
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@@ -21,10 +21,10 @@

 ### 字段

-| 键        | 格式                     |
-|----------|------------------------|
-| `server` | 一组 [DNS 服务器](./server) |
-| `rules`  | 一组 [DNS 规则](./rule)    |
+| 键        | 格式                      |
+|----------|-------------------------|
+| `server` | 一组 [DNS 服务器](./server/) |
+| `rules`  | 一组 [DNS 规则](./rule/)    |

 #### final

@@ -60,4 +60,4 @@

 #### fakeip

-[FakeIP](./fakeip) 设置。
+[FakeIP](./fakeip/) 设置。
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -134,13 +134,15 @@ icon: material/alert-decagram
    The default rule uses the following matching logic:  
    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite`) &&  
    (`port` || `port_range`) &&  
-    (`source_geoip` || `source_ip_cidr`) &&  
+    (`source_geoip` || `source_ip_cidr` ｜｜ `source_ip_is_private`) &&  
    (`source_port` || `source_port_range`) &&  
    `other fields`

+    Additionally, included rule sets can be considered merged rather than as a single rule sub-item.
+
 #### inbound

-Tags of [Inbound](/configuration/inbound).
+Tags of [Inbound](/configuration/inbound/).

 #### ip_version

--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -131,13 +131,15 @@ icon: material/alert-decagram
    默认规则使用以下匹配逻辑:  
    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite`) &&  
    (`port` || `port_range`) &&  
-    (`source_geoip` || `source_ip_cidr`) &&  
+    (`source_geoip` || `source_ip_cidr` || `source_ip_is_private`) &&  
    (`source_port` || `source_port_range`) &&  
    `other fields`

+    另外，引用的规则集可视为被合并，而不是作为一个单独的规则子项。
+
 #### inbound

-[入站](/zh/configuration/inbound) 标签.
+[入站](/zh/configuration/inbound/) 标签.

 #### ip_version

--- a/docs/configuration/dns/server.md
+++ b/docs/configuration/dns/server.md
@@ -30,18 +30,18 @@ The tag of the dns server.

 The address of the dns server.

-| Protocol                            | Format                        |
-|-------------------------------------|-------------------------------|
-| `System`                            | `local`                       |
-| `TCP`                               | `tcp://1.0.0.1`               |
-| `UDP`                               | `8.8.8.8` `udp://8.8.4.4`     |
-| `TLS`                               | `tls://dns.google`            |
-| `HTTPS`                             | `https://1.1.1.1/dns-query`   |
-| `QUIC`                              | `quic://dns.adguard.com`      |
-| `HTTP3`                             | `h3://8.8.8.8/dns-query`      |
-| `RCode`                             | `rcode://refused`             |
-| `DHCP`                              | `dhcp://auto` or `dhcp://en0` |
-| [FakeIP](/configuration/dns/fakeip) | `fakeip`                      |
+| Protocol                             | Format                        |
+|--------------------------------------|-------------------------------|
+| `System`                             | `local`                       |
+| `TCP`                                | `tcp://1.0.0.1`               |
+| `UDP`                                | `8.8.8.8` `udp://8.8.4.4`     |
+| `TLS`                                | `tls://dns.google`            |
+| `HTTPS`                              | `https://1.1.1.1/dns-query`   |
+| `QUIC`                               | `quic://dns.adguard.com`      |
+| `HTTP3`                              | `h3://8.8.8.8/dns-query`      |
+| `RCode`                              | `rcode://refused`             |
+| `DHCP`                               | `dhcp://auto` or `dhcp://en0` |
+| [FakeIP](/configuration/dns/fakeip/) | `fakeip`                      |

 !!! warning ""

--- a/docs/configuration/dns/server.zh.md
+++ b/docs/configuration/dns/server.zh.md
@@ -30,18 +30,18 @@ DNS 服务器的标签。

 DNS 服务器的地址。

-| 协议                                  | 格式                           |
-|-------------------------------------|------------------------------|
-| `System`                            | `local`                      |
-| `TCP`                               | `tcp://1.0.0.1`              |
-| `UDP`                               | `8.8.8.8` `udp://8.8.4.4`    |
-| `TLS`                               | `tls://dns.google`           |
-| `HTTPS`                             | `https://1.1.1.1/dns-query`  |
-| `QUIC`                              | `quic://dns.adguard.com`     |
-| `HTTP3`                             | `h3://8.8.8.8/dns-query`     |
-| `RCode`                             | `rcode://refused`            |
-| `DHCP`                              | `dhcp://auto` 或 `dhcp://en0` |
-| [FakeIP](/configuration/dns/fakeip) | `fakeip`                     |
+| 协议                                   | 格式                           |
+|--------------------------------------|------------------------------|
+| `System`                             | `local`                      |
+| `TCP`                                | `tcp://1.0.0.1`              |
+| `UDP`                                | `8.8.8.8` `udp://8.8.4.4`    |
+| `TLS`                                | `tls://dns.google`           |
+| `HTTPS`                              | `https://1.1.1.1/dns-query`  |
+| `QUIC`                               | `quic://dns.adguard.com`     |
+| `HTTP3`                              | `h3://8.8.8.8/dns-query`     |
+| `RCode`                              | `rcode://refused`            |
+| `DHCP`                               | `dhcp://auto` 或 `dhcp://en0` |
+| [FakeIP](/configuration/dns/fakeip/) | `fakeip`                     |

 !!! warning ""

--- a/docs/configuration/experimental/index.md
+++ b/docs/configuration/experimental/index.md
@@ -25,6 +25,6 @@ icon: material/alert-decagram

 | Key          | Format                     |
 |--------------|----------------------------|
-| `cache_file` | [Cache File](./cache-file) |
-| `clash_api`  | [Clash API](./clash-api)   |
-| `v2ray_api`  | [V2Ray API](./v2ray-api)   |
+| `cache_file` | [Cache File](./cache-file/) |
+| `clash_api`  | [Clash API](./clash-api/)   |
+| `v2ray_api`  | [V2Ray API](./v2ray-api/)   |
--- a/docs/configuration/experimental/index.zh.md
+++ b/docs/configuration/experimental/index.zh.md
@@ -25,6 +25,6 @@ icon: material/alert-decagram

 | 键            | 格式                       |
 |--------------|--------------------------|
-| `cache_file` | [缓存文件](./cache-file)     |
-| `clash_api`  | [Clash API](./clash-api) |
-| `v2ray_api`  | [V2Ray API](./v2ray-api) |
+| `cache_file` | [缓存文件](./cache-file/)     |
+| `clash_api`  | [Clash API](./clash-api/) |
+| `v2ray_api`  | [V2Ray API](./v2ray-api/) |
--- a/docs/configuration/inbound/direct.md
+++ b/docs/configuration/inbound/direct.md
@@ -17,7 +17,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/http.md
+++ b/docs/configuration/inbound/http.md
@@ -20,7 +20,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/hysteria.md
+++ b/docs/configuration/inbound/hysteria.md
@@ -31,7 +31,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/hysteria2.md
+++ b/docs/configuration/inbound/hysteria2.md
@@ -35,7 +35,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/index.md
+++ b/docs/configuration/inbound/index.md
@@ -15,24 +15,24 @@

 ### Fields

-| Type          | Format                       | Injectable |
-|---------------|------------------------------|------------|
-| `direct`      | [Direct](./direct)           | X          |
-| `mixed`       | [Mixed](./mixed)             | TCP        |
-| `socks`       | [SOCKS](./socks)             | TCP        |
-| `http`        | [HTTP](./http)               | TCP        |
-| `shadowsocks` | [Shadowsocks](./shadowsocks) | TCP        |
-| `vmess`       | [VMess](./vmess)             | TCP        |
-| `trojan`      | [Trojan](./trojan)           | TCP        |
-| `naive`       | [Naive](./naive)             | X          |
-| `hysteria`    | [Hysteria](./hysteria)       | X          |
-| `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP        |
-| `tuic`        | [TUIC](./tuic)               | X          |
-| `hysteria2`   | [Hysteria2](./hysteria2)     | X          |
-| `vless`       | [VLESS](./vless)             | TCP        |
-| `tun`         | [Tun](./tun)                 | X          |
-| `redirect`    | [Redirect](./redirect)       | X          |
-| `tproxy`      | [TProxy](./tproxy)           | X          |
+| Type          | Format                        | Injectable |
+|---------------|-------------------------------|------------|
+| `direct`      | [Direct](./direct/)           | X          |
+| `mixed`       | [Mixed](./mixed/)             | TCP        |
+| `socks`       | [SOCKS](./socks/)             | TCP        |
+| `http`        | [HTTP](./http/)               | TCP        |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP        |
+| `vmess`       | [VMess](./vmess/)             | TCP        |
+| `trojan`      | [Trojan](./trojan/)           | TCP        |
+| `naive`       | [Naive](./naive/)             | X          |
+| `hysteria`    | [Hysteria](./hysteria/)       | X          |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP        |
+| `tuic`        | [TUIC](./tuic/)               | X          |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | X          |
+| `vless`       | [VLESS](./vless/)             | TCP        |
+| `tun`         | [Tun](./tun/)                 | X          |
+| `redirect`    | [Redirect](./redirect/)       | X          |
+| `tproxy`      | [TProxy](./tproxy/)           | X          |

 #### tag

--- a/docs/configuration/inbound/index.zh.md
+++ b/docs/configuration/inbound/index.zh.md
@@ -17,22 +17,22 @@

 | 类型            | 格式                           | 注入支持 |
 |---------------|------------------------------|------|
-| `direct`      | [Direct](./direct)           | X    |
-| `mixed`       | [Mixed](./mixed)             | TCP  |
-| `socks`       | [SOCKS](./socks)             | TCP  |
-| `http`        | [HTTP](./http)               | TCP  |
-| `shadowsocks` | [Shadowsocks](./shadowsocks) | TCP  |
-| `vmess`       | [VMess](./vmess)             | TCP  |
-| `trojan`      | [Trojan](./trojan)           | TCP  |
-| `naive`       | [Naive](./naive)             | X    |
-| `hysteria`    | [Hysteria](./hysteria)       | X    |
-| `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP  |
-| `tuic`        | [TUIC](./tuic)               | X    |
-| `hysteria2`   | [Hysteria2](./hysteria2)     | X    |
-| `vless`       | [VLESS](./vless)             | TCP  |
-| `tun`         | [Tun](./tun)                 | X    |
-| `redirect`    | [Redirect](./redirect)       | X    |
-| `tproxy`      | [TProxy](./tproxy)           | X    |
+| `direct`      | [Direct](./direct/)           | X    |
+| `mixed`       | [Mixed](./mixed/)             | TCP  |
+| `socks`       | [SOCKS](./socks/)             | TCP  |
+| `http`        | [HTTP](./http/)               | TCP  |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP  |
+| `vmess`       | [VMess](./vmess/)             | TCP  |
+| `trojan`      | [Trojan](./trojan/)           | TCP  |
+| `naive`       | [Naive](./naive/)             | X    |
+| `hysteria`    | [Hysteria](./hysteria/)       | X    |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP  |
+| `tuic`        | [TUIC](./tuic/)               | X    |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | X    |
+| `vless`       | [VLESS](./vless/)             | TCP  |
+| `tun`         | [Tun](./tun/)                 | X    |
+| `redirect`    | [Redirect](./redirect/)       | X    |
+| `tproxy`      | [TProxy](./tproxy/)           | X    |

 #### tag

--- a/docs/configuration/inbound/mixed.md
+++ b/docs/configuration/inbound/mixed.md
@@ -21,7 +21,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/naive.md
+++ b/docs/configuration/inbound/naive.md
@@ -20,7 +20,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/redirect.md
+++ b/docs/configuration/inbound/redirect.md
@@ -15,4 +15,4 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.
--- a/docs/configuration/inbound/shadowsocks.md
+++ b/docs/configuration/inbound/shadowsocks.md
@@ -50,7 +50,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/shadowsocks.zh.md
+++ b/docs/configuration/inbound/shadowsocks.zh.md
@@ -50,7 +50,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### 字段

--- a/docs/configuration/inbound/shadowtls.md
+++ b/docs/configuration/inbound/shadowtls.md
@@ -35,7 +35,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

@@ -66,11 +66,11 @@ Only available in the ShadowTLS protocol 3.

 ==Required==

-Handshake server address and [Dial options](/configuration/shared/dial).
+Handshake server address and [Dial options](/configuration/shared/dial/).

 #### handshake_for_server_name

-Handshake server address and [Dial options](/configuration/shared/dial) for specific server name.
+Handshake server address and [Dial options](/configuration/shared/dial/) for specific server name.

 Only available in the ShadowTLS protocol 2/3.

--- a/docs/configuration/inbound/socks.md
+++ b/docs/configuration/inbound/socks.md
@@ -20,7 +20,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/tproxy.md
+++ b/docs/configuration/inbound/tproxy.md
@@ -17,7 +17,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/trojan.md
+++ b/docs/configuration/inbound/trojan.md
@@ -31,7 +31,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

@@ -65,4 +65,4 @@ See [Multiplex](/configuration/shared/multiplex#inbound) for details.

 #### transport

-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
+V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).
--- a/docs/configuration/inbound/trojan.zh.md
+++ b/docs/configuration/inbound/trojan.zh.md
@@ -67,4 +67,4 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### transport

-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
+V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。
--- a/docs/configuration/inbound/tuic.md
+++ b/docs/configuration/inbound/tuic.md
@@ -24,7 +24,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -1,3 +1,12 @@
+---
+icon: material/alert-decagram
+---
+
+!!! quote "Changes in sing-box 1.8.0"
+
+    :material-plus: [gso](#gso)  
+    :material-alert-decagram: [stack](#stack)
+
 !!! quote ""

    Only supported on Linux, Windows and macOS.
@@ -12,6 +21,7 @@
  "inet4_address": "172.19.0.1/30",
  "inet6_address": "fdfe:dcba:9876::1/126",
  "mtu": 9000,
+  "gso": false,
  "auto_route": true,
  "strict_route": true,
  "inet4_route_address": [
@@ -29,6 +39,7 @@
    "fc00::/7"
  ],
  "endpoint_independent_nat": false,
+  "udp_timeout": "5m",
  "stack": "system",
  "include_interface": [
    "lan0"
@@ -98,6 +109,16 @@ IPv6 prefix for the tun interface.

 The maximum transmission unit.

+#### gso
+
+!!! question "Since sing-box 1.8.0"
+
+!!! quote ""
+
+    Only supported on Linux.
+
+Enable generic segmentation offload.
+
 #### auto_route

 Set the default route to the Tun.
@@ -160,18 +181,19 @@ UDP NAT expiration time in seconds, default is 300 (5 minutes).

 #### stack

+!!! quote "Changes in sing-box 1.8.0"
+
+    :material-delete-alert: The legacy LWIP stack has been deprecated and removed.
+
 TCP/IP stack.

-| Stack  | Description                                                                      | Status            |
-|--------|----------------------------------------------------------------------------------|-------------------|
-| system | Sometimes better performance                                                     | recommended       |
-| gVisor | Better compatibility, based on [google/gvisor](https://github.com/google/gvisor) | recommended       |
-| mixed  | Mixed `system` TCP stack and `gVisor` UDP stack                                  | recommended       |
-| LWIP   | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks)   | upstream archived |
+| Stack    | Description                                                                                           | 
+|----------|-------------------------------------------------------------------------------------------------------|
+| `system` | Perform L3 to L4 translation using the system network stack                                           |
+| `gvisor` | Perform L3 to L4 translation using [gVisor](https://github.com/google/gvisor)'s virtual network stack |
+| `mixed`  | Mixed `system` TCP stack and `gvisor` UDP stack                                                       |

-!!! warning ""
-
-    LWIP stacks is not included by default, see [Installation](/installation/build-from-source/#build-tags).
+Defaults to the `mixed` stack if the gVisor build tag is enabled, otherwise defaults to the `system` stack.

 #### include_interface

@@ -217,10 +239,10 @@ Exclude users in route, but in range.

 Limit android users in route.

-| Common user  | ID  |
-|--------------|-----|
-| Main         | 0   |
-| Work Profile | 10  |
+| Common user  | ID |
+|--------------|----|
+| Main         | 0  |
+| Work Profile | 10 |

 #### include_package

@@ -240,4 +262,4 @@ System HTTP proxy settings.

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -1,3 +1,12 @@
+---
+icon: material/alert-decagram
+---
+
+!!! quote "sing-box 1.8.0 中的更改"
+
+    :material-plus: [gso](#gso)  
+    :material-alert-decagram: [stack](#stack)
+
 !!! quote ""

    仅支持 Linux、Windows 和 macOS。
@@ -12,6 +21,7 @@
  "inet4_address": "172.19.0.1/30",
  "inet6_address": "fdfe:dcba:9876::1/126",
  "mtu": 9000,
+  "gso": false,
  "auto_route": true,
  "strict_route": true,
  "inet4_route_address": [
@@ -29,6 +39,7 @@
    "fc00::/7"
  ],
  "endpoint_independent_nat": false,
+  "udp_timeout": "5m",
  "stack": "system",
  "include_interface": [
    "lan0"
@@ -98,6 +109,16 @@ tun 接口的 IPv6 前缀。

 最大传输单元。

+#### gso
+
+!!! question "自 sing-box 1.8.0 起"
+
+!!! quote ""
+
+    仅支持 Linux。
+
+启用通用分段卸载。
+
 #### auto_route

 设置到 Tun 的默认路由。
@@ -157,17 +178,19 @@ UDP NAT 过期时间，以秒为单位，默认为 300（5 分钟）。

 #### stack

+!!! quote "sing-box 1.8.0 中的更改"
+
+    :material-delete-alert: 旧的 LWIP 栈已被弃用并移除。
+
 TCP/IP 栈。

-| 栈           | 描述                                                                       | 状态    |
-|-------------|--------------------------------------------------------------------------|-------|
-| system （默认） | 有时性能更好                                                                   | 推荐    |
-| gVisor      | 兼容性较好，基于 [google/gvisor](https://github.com/google/gvisor)               | 推荐    |
-| LWIP        | 基于 [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks) | 上游已存档 |
+| 栈      | 描述                                                               |
+|--------|------------------------------------------------------------------|
+| system | 基于系统网络栈执行 L3 到 L4 转换                                             |
+| gVisor | 基于 [gVisor](https://github.com/google/gvisor) 虚拟网络栈执行 L3 到 L4 转换 |
+| mixed  | 混合 `system` TCP 栈与 `gvisor` UDP 栈                                |

-!!! warning ""
-
-    默认安装不包含 LWIP 栈，参阅 [安装](/zh/installation/build-from-source/#_5)。
+默认使用 `mixed` 栈如果 gVisor 构建标记已启用，否则默认使用 `system` 栈。

 #### include_interface

@@ -214,8 +237,8 @@ TCP/IP 栈。
 限制被路由的 Android 用户。

 | 常用用户 | ID |
-|--|-----|
-| 您 | 0 |
+|------|----|
+| 您    | 0  |
 | 工作资料 | 10 |

 #### include_package
--- a/docs/configuration/inbound/vless.md
+++ b/docs/configuration/inbound/vless.md
@@ -22,7 +22,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

@@ -56,4 +56,4 @@ See [Multiplex](/configuration/shared/multiplex#inbound) for details.

 #### transport

-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
+V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).
--- a/docs/configuration/inbound/vless.zh.md
+++ b/docs/configuration/inbound/vless.zh.md
@@ -56,4 +56,4 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### transport

-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
+V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。
--- a/docs/configuration/inbound/vmess.md
+++ b/docs/configuration/inbound/vmess.md
@@ -22,7 +22,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

@@ -51,4 +51,4 @@ See [Multiplex](/configuration/shared/multiplex#inbound) for details.

 #### transport

-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
+V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).
--- a/docs/configuration/inbound/vmess.zh.md
+++ b/docs/configuration/inbound/vmess.zh.md
@@ -51,4 +51,4 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### transport

-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
+V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。
--- a/docs/configuration/index.md
+++ b/docs/configuration/index.md
@@ -18,15 +18,15 @@ sing-box uses JSON for configuration files.

 ### Fields

-| Key            | Format                         |
-|----------------|--------------------------------|
-| `log`          | [Log](./log)                   |
-| `dns`          | [DNS](./dns)                   |
-| `ntp`          | [NTP](./ntp)                   |
-| `inbounds`     | [Inbound](./inbound)           |
-| `outbounds`    | [Outbound](./outbound)         |
-| `route`        | [Route](./route)               |
-| `experimental` | [Experimental](./experimental) |
+| Key            | Format                          |
+|----------------|---------------------------------|
+| `log`          | [Log](./log/)                   |
+| `dns`          | [DNS](./dns/)                   |
+| `ntp`          | [NTP](./ntp/)                   |
+| `inbounds`     | [Inbound](./inbound/)           |
+| `outbounds`    | [Outbound](./outbound/)         |
+| `route`        | [Route](./route/)               |
+| `experimental` | [Experimental](./experimental/) |

 ### Check

--- a/docs/configuration/index.zh.md
+++ b/docs/configuration/index.zh.md
@@ -17,14 +17,14 @@ sing-box 使用 JSON 作为配置文件格式。

 ### 字段

-| Key            | Format                |
-|----------------|-----------------------|
-| `log`          | [日志](./log)           |
-| `dns`          | [DNS](./dns)          |
-| `inbounds`     | [入站](./inbound)       |
-| `outbounds`    | [出站](./outbound)      |
-| `route`        | [路由](./route)         |
-| `experimental` | [实验性](./experimental) |
+| Key            | Format                 |
+|----------------|------------------------|
+| `log`          | [日志](./log/)           |
+| `dns`          | [DNS](./dns/)          |
+| `inbounds`     | [入站](./inbound/)       |
+| `outbounds`    | [出站](./outbound/)      |
+| `route`        | [路由](./route/)         |
+| `experimental` | [实验性](./experimental/) |

 ### 检查

--- a/docs/configuration/ntp/index.md
+++ b/docs/configuration/ntp/index.md
@@ -47,4 +47,4 @@ Time synchronization interval.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/direct.md
+++ b/docs/configuration/outbound/direct.md
@@ -33,4 +33,4 @@ Protocol value can be `1` or `2`.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/http.md
+++ b/docs/configuration/outbound/http.md
@@ -55,4 +55,4 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/hysteria.md
+++ b/docs/configuration/outbound/hysteria.md
@@ -109,4 +109,4 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/hysteria2.md
+++ b/docs/configuration/outbound/hysteria2.md
@@ -84,4 +84,4 @@ Enable debug information logging for Hysteria Brutal CC.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	88fad9fdad	documentation: Bump version	2024-01-01 16:21:56 +08:00
世界	d7ba184657	documentation: Update package managers	2024-01-01 16:21:44 +08:00
世界	7a6028f0e3	Remove unnecessary context wrappers	2024-01-01 16:21:44 +08:00
世界	ce52ce0ca1	Improve read wait interface & Refactor Authenticator interface to struct & Update smux & Update gVisor to 20231204.0 & Update quic-go to v0.40.1 & Update wireguard-go & Add GSO support for TUN/WireGuard & Fix router pre-start & Fix bind forwarder to interface for systems stack	2024-01-01 16:21:39 +08:00
世界	68f9ef47a6	Make generated files have `SUDO_USER`'s permissions if possible.	2024-01-01 16:20:23 +08:00
世界	27e68df931	Refactor inbound/outbound options struct	2024-01-01 16:20:22 +08:00
世界	6c7c7a14e9	Improve configuration merge	2024-01-01 16:20:22 +08:00
世界	0aec78b2c4	Update uTLS to 1.5.4	2024-01-01 16:20:22 +08:00
世界	baa80a918c	Update tfo-go	2024-01-01 16:20:22 +08:00
世界	8f3c59f340	Update gomobile and add tag	2024-01-01 16:20:21 +08:00
世界	57713be425	Update cloudflare-tls to go1.21.5	2024-01-01 16:20:21 +08:00
世界	778f0d35d5	Make type check strict	2024-01-01 16:20:21 +08:00
世界	41874babf7	Remove comparable limit for Listable	2024-01-01 16:20:21 +08:00
世界	ff6d867e11	Avoid opening log output before start & Replace tracing logs with task monitor	2024-01-01 16:20:20 +08:00
世界	c6729cd8b3	Update documentation	2024-01-01 16:20:19 +08:00
世界	26b7568145	Add `idle_timeout` for URLTest outbound	2024-01-01 16:20:19 +08:00
世界	d8feebfcba	Skip internal fake-ip queries	2024-01-01 16:20:18 +08:00
世界	dfc32d4591	Migrate contentjson and badjson to library & Add omitempty in format	2024-01-01 16:20:18 +08:00
世界	c2602e437f	Update documentation	2024-01-01 16:20:17 +08:00
世界	6deb50ce1f	Independent `source_ip_is_private` and `ip_is_private` rules	2024-01-01 16:20:17 +08:00
世界	9d2808b2d1	Add rule-set	2024-01-01 16:20:17 +08:00
世界	2ef67c5f95	Update buffer usage	2024-01-01 16:20:16 +08:00
世界	d2423dc5fb	Allow nested logical rules	2024-01-01 16:20:16 +08:00
世界	a70d0177fa	Migrate to independent cache file	2024-01-01 16:20:16 +08:00
世界	c506255e0f	Fix grpc lite transport encoding	2024-01-01 16:16:58 +08:00
世界	87c6fd4c0f	Fix h2mux request context	2024-01-01 16:15:49 +08:00
世界	19c445d28e	documentation: Bump version	2023-12-29 18:00:40 +08:00
世界	9119a5209b	dcoumentation: Fix description of `cipher_suites`	2023-12-29 18:00:40 +08:00
世界	46c8d6e61f	Fix pprof URL path	2023-12-29 18:00:40 +08:00
世界	ea17c2786d	Update dependencies	2023-12-27 10:37:18 +08:00
世界	12ababd911	Fix mux test	2023-12-27 10:30:19 +08:00
世界	0523845833	Update issue reporting templates Enhanced the issue reporting templates for both English and Chinese versions by adding more structured and comprehensive guideline checkboxes. This aims to ensure contributors provide sufficient and beneficial information for reproducing and resolving issues, thereby improving the quality of reports and making issue tracking more efficient.	2023-12-26 19:05:19 +08:00
renovate[bot]	57794919fa	[dependencies] Update actions/upload-artifact action to v4	2023-12-26 19:04:51 +08:00
世界	f5bb5cf343	Fix missing marshal for `udp_timeout`	2023-12-26 10:52:46 +08:00
世界	3eed614dea	Fix ACME ALPN conflict	2023-12-26 09:02:58 +08:00
世界	76a295a660	Fix missing nil check for URLTest	2023-12-26 09:02:58 +08:00
世界	082e3fb8df	Fix V2Ray transport `path` validation behavior	2023-12-26 09:02:58 +08:00
世界	a0cab4f563	Fix websocket client initialize	2023-12-22 20:38:06 +08:00
世界	aeb7308e81	documentation: Bump version	2023-12-21 15:25:19 +08:00
世界	bb1ebfda83	documentation: Fix link format	2023-12-21 15:24:05 +08:00
世界	c05c798221	Fix missing UDP timeout for QUIC protocols	2023-12-21 15:16:36 +08:00
世界	55b1bcc6a5	Migrate `udp_timeout` from seconds to duration format	2023-12-21 14:50:33 +08:00
世界	d6eddce420	Fix missing handshake timeout for multiplex	2023-12-21 14:21:59 +08:00
世界	4bf057139b	Fix DNS dial context	2023-12-21 14:19:27 +08:00
世界	a1b28b8282	Try to fix HTTP server leak again	2023-12-21 14:16:16 +08:00
世界	d0aaf71770	Fix direct UDP override	2023-12-18 21:48:59 +08:00
世界	2f31202c6b	documentation: Update shadowsocks example Remove the information on password generation for `2022-blake3-aes-128-gcm` cipher from the Server Example section in the shadowsocks.md file as it is no longer needed.	2023-12-14 21:05:41 +08:00
renovate[bot]	e4cc510712	[dependencies] Update github-actions	2023-12-14 15:14:22 +08:00
世界	e329bf6865	Update dependencies	2023-12-14 15:09:03 +08:00
世界	2badcec765	platform: Fix check config	2023-12-12 20:26:41 +08:00
世界	e71c13b1a2	documentation: Bump version	2023-12-12 13:54:23 +08:00
世界	a959a67ed3	FIx error handling for netlink banned in Android	2023-12-12 13:54:23 +08:00
世界	a1044af579	platform: Fix VPN route	2023-12-11 21:59:59 +08:00
世界	a64b57451a	Update dependencies	2023-12-11 21:40:11 +08:00
世界	f0e2318cbd	Fix auto-route IPv6 on darwin	2023-12-11 21:39:29 +08:00
世界	ebec308fd8	documentation: Bump version	2023-12-09 00:22:27 +08:00
世界	ca094587be	Fix incorrect dependency	2023-12-09 00:22:27 +08:00
世界	ca3b86c781	Update bug report template	2023-12-08 21:56:30 +08:00
世界	5a1d0047b9	documentation: Bump version	2023-12-08 21:38:34 +08:00
世界	4669854039	Fix method check for v2ray HTTP transport	2023-12-08 21:12:52 +08:00
世界	2eecdc38a4	Fix gun conn setup	2023-12-08 21:10:36 +08:00
世界	83581b7c1a	Update dependencies	2023-12-08 11:18:52 +08:00
世界	d346f0023d	Fix HTTP connect client again	2023-12-08 11:18:52 +08:00
世界	47b7a29cbd	Fix fallback packet conn	2023-12-06 18:47:50 +08:00
世界	cffc07579d	Fix missing omitempty for NTP server fields	2023-12-05 18:32:21 +08:00
世界	0ef268637e	Prevent nil LocalAddr or RemoteAddr	2023-12-05 15:11:09 +08:00
世界	50f5a76380	Update dependencies	2023-12-04 21:06:15 +08:00
世界	20ca05dd36	Fix crash on websocket concurrent request	2023-12-04 20:42:01 +08:00