Fix payload not return to pool

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -44,7 +44,12 @@ body:
     attributes:
       label: Version
       description: If you are using the original command line program, please provide the output of the `sing-box version` command.
-      render: shell
+      value: |-
+        <details>
+        ```console
+        # Replace this line with the output
+        ```
+        </details>
   - type: textarea
     attributes:
       label: Description
@@ -61,22 +66,12 @@ body:
     attributes:
       label: Logs
       description: |-
-        In addition, if you encounter a crash with the graphical client, please also provide crash logs.
+        If you encounter a crash with the graphical client, please provide crash logs.
         For Apple platform clients, please check `Settings - View Service Log` for crash logs.
         For the Android client, please check the `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` file for crash logs.
-      render: shell
-  - type: checkboxes
-    attributes:
-      label: Integrity requirements
-      description: |-
-        Please check all of the following options to prove that you have read and understood the requirements, otherwise this issue will be closed.
-        Sing-box is not a project aimed to please users who can't make any meaningful contributions and gain unethical influence. If you deceive here to deliberately waste the time of the developers, you will be permanently blocked.
-      options:
-        - label: I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
-          required: true
-        - label: I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
-          required: true
-        - label: I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
-          required: true
-        - label: I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
-          required: true
+      value: |-
+        <details>
+        ```console
+        # Replace this line with logs
+        ```
+        </details>

.github/ISSUE_TEMPLATE/bug_report_zh.yml

@@ -44,7 +44,12 @@ body:
     attributes:
       label: 版本
       description: 如果您使用原始命令行程序，请提供 `sing-box version` 命令的输出。
-      render: shell
+      value: |-
+        <details>
+        ```console
+        # 使用输出内容覆盖此行
+        ```
+        </details>
   - type: textarea
     attributes:
       label: 描述
@@ -61,22 +66,12 @@ body:
     attributes:
       label: 日志
       description: |-
-        此外，如果您遭遇图形界面应用程序崩溃，请附加提供崩溃日志。
+        如果您遭遇图形界面应用程序崩溃，请提供崩溃日志。
         对于 Apple 平台图形客户端程序，请检查 `Settings - View Service Log` 以导出崩溃日志。
         对于 Android 图形客户端程序，请检查 `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` 文件以导出崩溃日志。
-      render: shell
-  - type: checkboxes
-    attributes:
-      label: 完整性要求
-      description: |-
-        请勾选以下所有选项以证明您已经阅读并理解了以下要求，否则该 issue 将被关闭。
-        sing-box 不是讨好无法作出任何意义上的贡献的最终用户并获取非道德影响力的项目，如果您在此处欺骗以故意浪费开发者的时间，您将被永久封锁。
-      options:
-        - label: 我保证阅读了文档，了解所有我编写的配置文件项的含义，而不是大量堆砌看似有用的选项或默认值。
-          required: true
-        - label: 我保证提供了可以在本地重现该问题的服务器、客户端配置文件与流程，而不是一个脱敏的复杂客户端配置文件。
-          required: true
-        - label: 我保证提供了可用于重现我报告的错误的最简配置，而不是依赖远程服务器、TUN、图形界面客户端或者其他闭源软件。
-          required: true
-        - label: 我保证提供了完整的配置文件与日志，而不是出于对自身智力的自信而仅提供了部分认为有用的部分。
-          required: true
+      value: |-
+        <details>
+        ```console
+        # 使用日志内容覆盖此行
+        ```
+        </details>

.github/workflows/debug.yml

@@ -3,7 +3,6 @@ name: Debug build
 on:
   push:
     branches:
-      - stable-next
       - main-next
       - dev-next
     paths-ignore:
@@ -12,7 +11,6 @@ on:
       - '!.github/workflows/debug.yml'
   pull_request:
     branches:
-      - stable-next
       - main-next
       - dev-next
 
@@ -22,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -30,7 +28,7 @@ jobs:
         run: |
           echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ steps.version.outputs.go_version }}
       - name: Add cache to Go proxy
@@ -50,11 +48,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
         with:
           go-version: 1.18.10
       - name: Cache go module
@@ -70,11 +68,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
         with:
           go-version: 1.20.7
       - name: Cache go module
@@ -201,7 +199,7 @@ jobs:
       TAGS: with_clash_api,with_quic
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -209,14 +207,14 @@ jobs:
         run: |
           echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ steps.version.outputs.go_version }}
       - name: Build
         id: build
         run: make
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           name: sing-box-${{ matrix.name }}
           path: sing-box*

.github/workflows/docker.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
       - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Setup QEMU for Docker Buildx
@@ -39,8 +39,6 @@ jobs:
         with:
           platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
           target: dist
-          build-args: |
-            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
           tags: |
             ${{ steps.tag.outputs.latest }}
             ${{ steps.tag.outputs.versioned }}

.github/workflows/lint.yml

@@ -3,7 +3,6 @@ name: Lint
 on:
   push:
     branches:
-      - stable-next
       - main-next
       - dev-next
     paths-ignore:
@@ -12,7 +11,6 @@ on:
       - '!.github/workflows/lint.yml'
   pull_request:
     branches:
-      - stable-next
       - main-next
       - dev-next
 
@@ -22,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
         with:
           fetch-depth: 0
       - name: Get latest go version
@@ -30,12 +28,10 @@ jobs:
         run: |
           echo go_version=$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g') >> $GITHUB_OUTPUT
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ steps.version.outputs.go_version }}
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: latest
-          args: --timeout=30m
-          install-mode: binary
+          version: latest

.github/workflows/stale.yml

@@ -8,7 +8,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v8
         with:
           stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
           days-before-stale: 60

.gitignore

@@ -1,7 +1,6 @@
 /.idea/
 /vendor/
 /*.json
-/*.srs
 /*.db
 /site/
 /bin/

.goreleaser.yaml

@@ -16,15 +16,12 @@ builds:
       - with_quic
       - with_dhcp
       - with_wireguard
-      - with_ech
       - with_utls
       - with_reality_server
-      - with_acme
       - with_clash_api
     env:
       - CGO_ENABLED=0
     targets:
-      - linux_386
       - linux_amd64_v1
       - linux_amd64_v3
       - linux_arm64
@@ -38,36 +35,6 @@ builds:
       - darwin_amd64_v3
       - darwin_arm64
     mod_timestamp: '{{ .CommitTimestamp }}'
-  - id: legacy
-    main: ./cmd/sing-box
-    flags:
-      - -v
-      - -trimpath
-    asmflags:
-      - all=-trimpath={{.Env.GOPATH}}
-    gcflags:
-      - all=-trimpath={{.Env.GOPATH}}
-    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
-    tags:
-      - with_gvisor
-      - with_quic
-      - with_dhcp
-      - with_wireguard
-      - with_ech
-      - with_utls
-      - with_reality_server
-      - with_acme
-      - with_clash_api
-    env:
-      - CGO_ENABLED=0
-      - GOROOT=/nix/store/kg6i737jjqs923jcijnm003h68c1dghj-go-1.20.11/share/go
-    gobinary: /nix/store/kg6i737jjqs923jcijnm003h68c1dghj-go-1.20.11/bin/go
-    targets:
-      - windows_amd64_v1
-      - windows_386
-      - darwin_amd64_v1
-    mod_timestamp: '{{ .CommitTimestamp }}'
   - id: android
     main: ./cmd/sing-box
     flags:
@@ -84,10 +51,7 @@ builds:
       - with_quic
       - with_dhcp
       - with_wireguard
-      - with_ech
       - with_utls
-      - with_reality_server
-      - with_acme
       - with_clash_api
     env:
       - CGO_ENABLED=1
@@ -124,9 +88,6 @@ snapshot:
   name_template: "{{ .Version }}.{{ .ShortCommit }}"
 archives:
   - id: archive
-    builds:
-      - main
-      - android
     format: tar.gz
     format_overrides:
       - goos: windows
@@ -135,17 +96,6 @@ archives:
     files:
       - LICENSE
     name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-  - id: archive-legacy
-    builds:
-      - legacy
-    format: tar.gz
-    format_overrides:
-      - goos: windows
-        format: zip
-    wrap_in_directory: true
-    files:
-      - LICENSE
-    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}-legacy'
 nfpms:
   - id: package
     package_name: sing-box
@@ -158,7 +108,6 @@ nfpms:
     formats:
       - deb
       - rpm
-      - archlinux
     priority: extra
     contents:
       - src: release/config/config.json

Dockerfile

@@ -1,27 +1,23 @@
-FROM --platform=$BUILDPLATFORM golang:1.21-alpine AS builder
+FROM golang:1.21-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
-ARG TARGETOS TARGETARCH
 ARG GOPROXY=""
 ENV GOPROXY ${GOPROXY}
 ENV CGO_ENABLED=0
-ENV GOOS=$TARGETOS
-ENV GOARCH=$TARGETARCH
 RUN set -ex \
     && apk add git build-base \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags \
-        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api" \
+    && go build -v -trimpath -tags with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
         -o /go/bin/sing-box \
         -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
         ./cmd/sing-box
-FROM --platform=$TARGETPLATFORM alpine AS dist
+FROM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
     && apk upgrade \
     && apk add bash tzdata ca-certificates \
     && rm -rf /var/cache/apk/*
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
-ENTRYPOINT ["sing-box"]
+ENTRYPOINT ["sing-box"]

Makefile

@@ -1,9 +1,9 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api
-TAGS_GO120 = with_quic,with_ech,with_utls
+TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
+TAGS_GO120 = with_quic
 TAGS ?= $(TAGS_GO118),$(TAGS_GO120)
-TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server
+TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
@@ -14,7 +14,7 @@ MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
 
-.PHONY: test release docs
+.PHONY: test release
 
 build:
 	go build $(MAIN_PARAMS) $(MAIN)
@@ -28,7 +28,7 @@ ci_build:
 	go build $(MAIN_PARAMS) $(MAIN)
 
 install:
-	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
+	go build -o $(PREFIX)/bin/$(NAME) $(PARAMS) $(MAIN)
 
 fmt:
 	@gofumpt -l -w .
@@ -61,9 +61,9 @@ proto_install:
 release:
 	go run ./cmd/internal/build goreleaser release --clean --skip-publish || exit 1
 	mkdir dist/release
-	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/*.pkg.tar.zst dist/release
+	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
-	rm -r dist/release
+	rm -r dist
 
 release_install:
 	go install -v github.com/goreleaser/goreleaser@latest
@@ -73,21 +73,18 @@ update_android_version:
 	go run ./cmd/internal/update_android_version
 
 build_android:
-	cd ../sing-box-for-android && ./gradlew :app:assemblePlayRelease && ./gradlew --stop
+	cd ../sing-box-for-android && ./gradlew :app:assembleRelease && ./gradlew --stop
 
 upload_android:
 	mkdir -p dist/release_android
-	cp ../sing-box-for-android/app/build/outputs/apk/play/release/*.apk dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/release/*.apk dist/release_android
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
 	rm -rf dist/release_android
 
 release_android: lib_android update_android_version build_android upload_android
 
 publish_android:
-	cd ../sing-box-for-android && ./gradlew :app:publishPlayReleaseBundle
-
-publish_android_appcenter:
-	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadPlayRelease
+	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadRelease && ./gradlew --stop
 
 build_ios:
 	cd ../sing-box-for-apple && \
@@ -96,7 +93,7 @@ build_ios:
 
 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist
 
 release_ios: build_ios upload_ios_app_store
 
@@ -107,7 +104,7 @@ build_macos:
 
 upload_macos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist
 
 release_macos: build_macos upload_macos_app_store
 
@@ -118,7 +115,7 @@ build_macos_independent:
 
 notarize_macos_independent:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist
 
 wait_notarize_macos_independent:
 	sleep 60
@@ -144,7 +141,7 @@ build_tvos:
 
 upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist
 
 release_tvos: build_tvos upload_tvos_app_store
 
@@ -152,8 +149,10 @@ update_apple_version:
 	go run ./cmd/internal/update_apple_version
 
 release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
+	rm -rf dist
 
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
+	rm -rf dist
 
 test:
 	@go test -v ./... && \
@@ -178,17 +177,10 @@ lib:
 	go run ./cmd/internal/build_libbox -target ios
 
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.1
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.1
+	go get -v -d
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230915142329-c6740b6d2950
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230915142329-c6740b6d2950
 
-docs:
-	mkdocs serve
-
-publish_docs:
-	mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
-
-docs_install:
-	pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
 clean:
 	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box

adapter/conn_router.go

@@ -1,104 +0,0 @@
-package adapter
-
-import (
-	"context"
-	"net"
-
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type ConnectionRouter interface {
-	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
-	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
-}
-
-func NewRouteHandler(
-	metadata InboundContext,
-	router ConnectionRouter,
-	logger logger.ContextLogger,
-) UpstreamHandlerAdapter {
-	return &routeHandlerWrapper{
-		metadata: metadata,
-		router:   router,
-		logger:   logger,
-	}
-}
-
-func NewRouteContextHandler(
-	router ConnectionRouter,
-	logger logger.ContextLogger,
-) UpstreamHandlerAdapter {
-	return &routeContextHandlerWrapper{
-		router: router,
-		logger: logger,
-	}
-}
-
-var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
-
-type routeHandlerWrapper struct {
-	metadata InboundContext
-	router   ConnectionRouter
-	logger   logger.ContextLogger
-}
-
-func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RouteConnection(ctx, conn, myMetadata)
-}
-
-func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
-	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
-}
-
-func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
-	w.logger.ErrorContext(ctx, err)
-}
-
-var _ UpstreamHandlerAdapter = (*routeContextHandlerWrapper)(nil)
-
-type routeContextHandlerWrapper struct {
-	router ConnectionRouter
-	logger logger.ContextLogger
-}
-
-func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RouteConnection(ctx, conn, *myMetadata)
-}
-
-func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
-	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
-}
-
-func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
-	w.logger.ErrorContext(ctx, err)
-}

adapter/experimental.go

@@ -1,16 +1,11 @@
 package adapter
 
 import (
-	"bytes"
 	"context"
-	"encoding/binary"
-	"io"
 	"net"
-	"time"
 
 	"github.com/sagernet/sing-box/common/urltest"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/rw"
 )
 
 type ClashServer interface {
@@ -18,83 +13,22 @@ type ClashServer interface {
 	PreStarter
 	Mode() string
 	ModeList() []string
+	StoreSelected() bool
+	StoreFakeIP() bool
+	CacheFile() ClashCacheFile
 	HistoryStorage() *urltest.HistoryStorage
 	RoutedConnection(ctx context.Context, conn net.Conn, metadata InboundContext, matchedRule Rule) (net.Conn, Tracker)
 	RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext, matchedRule Rule) (N.PacketConn, Tracker)
 }
 
-type CacheFile interface {
-	Service
-	PreStarter
-
-	StoreFakeIP() bool
-	FakeIPStorage
-
+type ClashCacheFile interface {
 	LoadMode() string
 	StoreMode(mode string) error
 	LoadSelected(group string) string
 	StoreSelected(group string, selected string) error
 	LoadGroupExpand(group string) (isExpand bool, loaded bool)
 	StoreGroupExpand(group string, expand bool) error
-	LoadRuleSet(tag string) *SavedRuleSet
-	SaveRuleSet(tag string, set *SavedRuleSet) error
-}
-
-type SavedRuleSet struct {
-	Content     []byte
-	LastUpdated time.Time
-	LastEtag    string
-}
-
-func (s *SavedRuleSet) MarshalBinary() ([]byte, error) {
-	var buffer bytes.Buffer
-	err := binary.Write(&buffer, binary.BigEndian, uint8(1))
-	if err != nil {
-		return nil, err
-	}
-	err = rw.WriteUVariant(&buffer, uint64(len(s.Content)))
-	if err != nil {
-		return nil, err
-	}
-	buffer.Write(s.Content)
-	err = binary.Write(&buffer, binary.BigEndian, s.LastUpdated.Unix())
-	if err != nil {
-		return nil, err
-	}
-	err = rw.WriteVString(&buffer, s.LastEtag)
-	if err != nil {
-		return nil, err
-	}
-	return buffer.Bytes(), nil
-}
-
-func (s *SavedRuleSet) UnmarshalBinary(data []byte) error {
-	reader := bytes.NewReader(data)
-	var version uint8
-	err := binary.Read(reader, binary.BigEndian, &version)
-	if err != nil {
-		return err
-	}
-	contentLen, err := rw.ReadUVariant(reader)
-	if err != nil {
-		return err
-	}
-	s.Content = make([]byte, contentLen)
-	_, err = io.ReadFull(reader, s.Content)
-	if err != nil {
-		return err
-	}
-	var lastUpdated int64
-	err = binary.Read(reader, binary.BigEndian, &lastUpdated)
-	if err != nil {
-		return err
-	}
-	s.LastUpdated = time.Unix(lastUpdated, 0)
-	s.LastEtag, err = rw.ReadVString(reader)
-	if err != nil {
-		return err
-	}
-	return nil
+	FakeIPStorage
 }
 
 type Tracker interface {
@@ -109,7 +43,7 @@ type OutboundGroup interface {
 
 type URLTestGroup interface {
 	OutboundGroup
-	URLTest(ctx context.Context) (map[string]uint16, error)
+	URLTest(ctx context.Context, url string) (map[string]uint16, error)
 }
 
 func OutboundTag(detour Outbound) string {

adapter/inbound.go

@@ -46,24 +46,11 @@ type InboundContext struct {
 	SourceGeoIPCode      string
 	GeoIPCode            string
 	ProcessInfo          *process.Info
-	QueryType            uint16
 	FakeIP               bool
 
-	// rule cache
+	// dns cache
 
-	IPCIDRMatchSource       bool
-	SourceAddressMatch      bool
-	SourcePortMatch         bool
-	DestinationAddressMatch bool
-	DestinationPortMatch    bool
-}
-
-func (c *InboundContext) ResetRuleCache() {
-	c.IPCIDRMatchSource = false
-	c.SourceAddressMatch = false
-	c.SourcePortMatch = false
-	c.DestinationAddressMatch = false
-	c.DestinationPortMatch = false
+	QueryType uint16
 }
 
 type inboundContextKey struct{}
@@ -88,11 +75,3 @@ func AppendContext(ctx context.Context) (context.Context, *InboundContext) {
 	metadata = new(InboundContext)
 	return WithContext(ctx, metadata), metadata
 }
-
-func ExtendContext(ctx context.Context) (context.Context, *InboundContext) {
-	var newMetadata InboundContext
-	if metadata := ContextFrom(ctx); metadata != nil {
-		newMetadata = *metadata
-	}
-	return WithContext(ctx, &newMetadata), &newMetadata
-}

adapter/router.go

@@ -2,7 +2,7 @@ package adapter
 
 import (
 	"context"
-	"net/http"
+	"net"
 	"net/netip"
 
 	"github.com/sagernet/sing-box/common/geoip"
@@ -10,29 +10,25 @@ import (
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
 
 	mdns "github.com/miekg/dns"
 )
 
 type Router interface {
 	Service
-	PreStarter
-	PostStarter
 
 	Outbounds() []Outbound
 	Outbound(tag string) (Outbound, bool)
-	DefaultOutbound(network string) (Outbound, error)
+	DefaultOutbound(network string) Outbound
 
 	FakeIPStore() FakeIPStore
 
-	ConnectionRouter
+	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 
 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
 
-	RuleSet(tag string) (RuleSet, bool)
-
 	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
 	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
@@ -47,9 +43,10 @@ type Router interface {
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
-	WIFIState() WIFIState
 	Rules() []Rule
 
+	TimeService
+
 	ClashServer() ClashServer
 	SetClashServer(server ClashServer)
 
@@ -59,23 +56,25 @@ type Router interface {
 	ResetNetwork() error
 }
 
+type routerContextKey struct{}
+
 func ContextWithRouter(ctx context.Context, router Router) context.Context {
-	return service.ContextWith(ctx, router)
+	return context.WithValue(ctx, (*routerContextKey)(nil), router)
 }
 
 func RouterFromContext(ctx context.Context) Router {
-	return service.FromContext[Router](ctx)
-}
-
-type HeadlessRule interface {
-	Match(metadata *InboundContext) bool
+	metadata := ctx.Value((*routerContextKey)(nil))
+	if metadata == nil {
+		return nil
+	}
+	return metadata.(Router)
 }
 
 type Rule interface {
-	HeadlessRule
 	Service
 	Type() string
 	UpdateGeosite() error
+	Match(metadata *InboundContext) bool
 	Outbound() string
 	String() string
 }
@@ -86,29 +85,6 @@ type DNSRule interface {
 	RewriteTTL() *uint32
 }
 
-type RuleSet interface {
-	StartContext(ctx context.Context, startContext RuleSetStartContext) error
-	PostStart() error
-	Metadata() RuleSetMetadata
-	Close() error
-	HeadlessRule
-}
-
-type RuleSetMetadata struct {
-	ContainsProcessRule bool
-	ContainsWIFIRule    bool
-}
-
-type RuleSetStartContext interface {
-	HTTPClient(detour string, dialer N.Dialer) *http.Client
-	Close()
-}
-
 type InterfaceUpdateListener interface {
 	InterfaceUpdated()
 }
-
-type WIFIState struct {
-	SSID  string
-	BSSID string
-}

adapter/v2ray.go

@@ -5,6 +5,7 @@ import (
 	"net"
 
 	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -18,6 +19,7 @@ type V2RayServerTransport interface {
 type V2RayServerTransportHandler interface {
 	N.TCPConnectionHandler
 	E.Handler
+	FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error
 }
 
 type V2RayClientTransport interface {

box.go

@@ -9,10 +9,7 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/taskmonitor"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental"
-	"github.com/sagernet/sing-box/experimental/cachefile"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/inbound"
 	"github.com/sagernet/sing-box/log"
@@ -22,7 +19,6 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/pause"
 )
 
@@ -35,8 +31,7 @@ type Box struct {
 	outbounds    []adapter.Outbound
 	logFactory   log.Factory
 	logger       log.ContextLogger
-	preServices1 map[string]adapter.Service
-	preServices2 map[string]adapter.Service
+	preServices  map[string]adapter.Service
 	postServices map[string]adapter.Service
 	done         chan struct{}
 }
@@ -45,26 +40,20 @@ type Options struct {
 	option.Options
 	Context           context.Context
 	PlatformInterface platform.Interface
-	PlatformLogWriter log.PlatformWriter
 }
 
 func New(options Options) (*Box, error) {
-	createdAt := time.Now()
 	ctx := options.Context
 	if ctx == nil {
 		ctx = context.Background()
 	}
-	ctx = service.ContextWithDefaultRegistry(ctx)
-	ctx = pause.WithDefaultManager(ctx)
+	ctx = pause.ContextWithDefaultManager(ctx)
+	createdAt := time.Now()
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
-	var needCacheFile bool
 	var needClashAPI bool
 	var needV2RayAPI bool
-	if experimentalOptions.CacheFile != nil && experimentalOptions.CacheFile.Enabled || options.PlatformLogWriter != nil {
-		needCacheFile = true
-	}
-	if experimentalOptions.ClashAPI != nil || options.PlatformLogWriter != nil {
+	if experimentalOptions.ClashAPI != nil || options.PlatformInterface != nil {
 		needClashAPI = true
 	}
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
@@ -80,7 +69,7 @@ func New(options Options) (*Box, error) {
 		Observable:     needClashAPI,
 		DefaultWriter:  defaultLogWriter,
 		BaseTime:       createdAt,
-		PlatformWriter: options.PlatformLogWriter,
+		PlatformWriter: options.PlatformInterface,
 	})
 	if err != nil {
 		return nil, E.Cause(err, "create log factory")
@@ -153,17 +142,8 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize platform interface")
 		}
 	}
-	preServices1 := make(map[string]adapter.Service)
-	preServices2 := make(map[string]adapter.Service)
+	preServices := make(map[string]adapter.Service)
 	postServices := make(map[string]adapter.Service)
-	if needCacheFile {
-		cacheFile := service.FromContext[adapter.CacheFile](ctx)
-		if cacheFile == nil {
-			cacheFile = cachefile.New(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
-			service.MustRegister[adapter.CacheFile](ctx, cacheFile)
-		}
-		preServices1["cache file"] = cacheFile
-	}
 	if needClashAPI {
 		clashAPIOptions := common.PtrValueOrDefault(experimentalOptions.ClashAPI)
 		clashAPIOptions.ModeList = experimental.CalculateClashModeList(options.Options)
@@ -172,7 +152,7 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "create clash api server")
 		}
 		router.SetClashServer(clashServer)
-		preServices2["clash api"] = clashServer
+		preServices["clash api"] = clashServer
 	}
 	if needV2RayAPI {
 		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(experimentalOptions.V2RayAPI))
@@ -180,7 +160,7 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "create v2ray api server")
 		}
 		router.SetV2RayServer(v2rayServer)
-		preServices2["v2ray api"] = v2rayServer
+		preServices["v2ray api"] = v2rayServer
 	}
 	return &Box{
 		router:       router,
@@ -189,8 +169,7 @@ func New(options Options) (*Box, error) {
 		createdAt:    createdAt,
 		logFactory:   logFactory,
 		logger:       logFactory.Logger(),
-		preServices1: preServices1,
-		preServices2: preServices2,
+		preServices:  preServices,
 		postServices: postServices,
 		done:         make(chan struct{}),
 	}, nil
@@ -235,38 +214,16 @@ func (s *Box) Start() error {
 }
 
 func (s *Box) preStart() error {
-	monitor := taskmonitor.New(s.logger, C.DefaultStartTimeout)
-	monitor.Start("start logger")
-	err := s.logFactory.Start()
-	monitor.Finish()
-	if err != nil {
-		return E.Cause(err, "start logger")
-	}
-	for serviceName, service := range s.preServices1 {
+	for serviceName, service := range s.preServices {
 		if preService, isPreService := service.(adapter.PreStarter); isPreService {
-			monitor.Start("pre-start ", serviceName)
+			s.logger.Trace("pre-start ", serviceName)
 			err := preService.PreStart()
-			monitor.Finish()
 			if err != nil {
-				return E.Cause(err, "pre-start ", serviceName)
+				return E.Cause(err, "pre-starting ", serviceName)
 			}
 		}
 	}
-	for serviceName, service := range s.preServices2 {
-		if preService, isPreService := service.(adapter.PreStarter); isPreService {
-			monitor.Start("pre-start ", serviceName)
-			err := preService.PreStart()
-			monitor.Finish()
-			if err != nil {
-				return E.Cause(err, "pre-start ", serviceName)
-			}
-		}
-	}
-	err = s.router.PreStart()
-	if err != nil {
-		return E.Cause(err, "pre-start router")
-	}
-	err = s.startOutbounds()
+	err := s.startOutbounds()
 	if err != nil {
 		return err
 	}
@@ -278,13 +235,8 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	for serviceName, service := range s.preServices1 {
-		err = service.Start()
-		if err != nil {
-			return E.Cause(err, "start ", serviceName)
-		}
-	}
-	for serviceName, service := range s.preServices2 {
+	for serviceName, service := range s.preServices {
+		s.logger.Trace("starting ", serviceName)
 		err = service.Start()
 		if err != nil {
 			return E.Cause(err, "start ", serviceName)
@@ -297,31 +249,33 @@ func (s *Box) start() error {
 		} else {
 			tag = in.Tag()
 		}
+		s.logger.Trace("initializing inbound/", in.Type(), "[", tag, "]")
 		err = in.Start()
 		if err != nil {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
-	return s.postStart()
+	return nil
 }
 
 func (s *Box) postStart() error {
 	for serviceName, service := range s.postServices {
+		s.logger.Trace("starting ", service)
 		err := service.Start()
 		if err != nil {
 			return E.Cause(err, "start ", serviceName)
 		}
 	}
-	for _, outbound := range s.outbounds {
-		if lateOutbound, isLateOutbound := outbound.(adapter.PostStarter); isLateOutbound {
-			err := lateOutbound.PostStart()
+	for serviceName, service := range s.outbounds {
+		if lateService, isLateService := service.(adapter.PostStarter); isLateService {
+			s.logger.Trace("post-starting ", service)
+			err := lateService.PostStart()
 			if err != nil {
-				return E.Cause(err, "post-start outbound/", outbound.Tag())
+				return E.Cause(err, "post-start ", serviceName)
 			}
 		}
 	}
-
-	return s.router.PostStart()
+	return nil
 }
 
 func (s *Box) Close() error {
@@ -331,53 +285,41 @@ func (s *Box) Close() error {
 	default:
 		close(s.done)
 	}
-	monitor := taskmonitor.New(s.logger, C.DefaultStopTimeout)
 	var errors error
 	for serviceName, service := range s.postServices {
-		monitor.Start("close ", serviceName)
+		s.logger.Trace("closing ", serviceName)
 		errors = E.Append(errors, service.Close(), func(err error) error {
 			return E.Cause(err, "close ", serviceName)
 		})
-		monitor.Finish()
 	}
 	for i, in := range s.inbounds {
-		monitor.Start("close inbound/", in.Type(), "[", i, "]")
+		s.logger.Trace("closing inbound/", in.Type(), "[", i, "]")
 		errors = E.Append(errors, in.Close(), func(err error) error {
 			return E.Cause(err, "close inbound/", in.Type(), "[", i, "]")
 		})
-		monitor.Finish()
 	}
 	for i, out := range s.outbounds {
-		monitor.Start("close outbound/", out.Type(), "[", i, "]")
+		s.logger.Trace("closing outbound/", out.Type(), "[", i, "]")
 		errors = E.Append(errors, common.Close(out), func(err error) error {
 			return E.Cause(err, "close outbound/", out.Type(), "[", i, "]")
 		})
-		monitor.Finish()
 	}
-	monitor.Start("close router")
+	s.logger.Trace("closing router")
 	if err := common.Close(s.router); err != nil {
 		errors = E.Append(errors, err, func(err error) error {
 			return E.Cause(err, "close router")
 		})
 	}
-	monitor.Finish()
-	for serviceName, service := range s.preServices1 {
-		monitor.Start("close ", serviceName)
+	for serviceName, service := range s.preServices {
+		s.logger.Trace("closing ", serviceName)
 		errors = E.Append(errors, service.Close(), func(err error) error {
 			return E.Cause(err, "close ", serviceName)
 		})
-		monitor.Finish()
-	}
-	for serviceName, service := range s.preServices2 {
-		monitor.Start("close ", serviceName)
-		errors = E.Append(errors, service.Close(), func(err error) error {
-			return E.Cause(err, "close ", serviceName)
-		})
-		monitor.Finish()
 	}
+	s.logger.Trace("closing log factory")
 	if err := common.Close(s.logFactory); err != nil {
 		errors = E.Append(errors, err, func(err error) error {
-			return E.Cause(err, "close logger")
+			return E.Cause(err, "close log factory")
 		})
 	}
 	return errors

box_outbound.go

@@ -4,15 +4,12 @@ import (
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/taskmonitor"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 )
 
 func (s *Box) startOutbounds() error {
-	monitor := taskmonitor.New(s.logger, C.DefaultStartTimeout)
 	outboundTags := make(map[adapter.Outbound]string)
 	outbounds := make(map[string]adapter.Outbound)
 	for i, outboundToStart := range s.outbounds {
@@ -46,9 +43,8 @@ func (s *Box) startOutbounds() error {
 			started[outboundTag] = true
 			canContinue = true
 			if starter, isStarter := outboundToStart.(common.Starter); isStarter {
-				monitor.Start("initialize outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+				s.logger.Trace("initializing outbound/", outboundToStart.Type(), "[", outboundTag, "]")
 				err := starter.Start()
-				monitor.Finish()
 				if err != nil {
 					return E.Cause(err, "initialize outbound/", outboundToStart.Type(), "[", outboundTag, "]")
 				}
@@ -73,7 +69,7 @@ func (s *Box) startOutbounds() error {
 			}
 			problemOutbound := outbounds[problemOutboundTag]
 			if problemOutbound == nil {
-				return E.New("dependency[", problemOutboundTag, "] not found for outbound[", outboundTags[oCurrent], "]")
+				return E.New("dependency[", problemOutbound, "] not found for outbound[", outboundTags[oCurrent], "]")
 			}
 			return lintOutbound(append(oTree, problemOutboundTag), problemOutbound)
 		}

cmd/internal/build/main.go

@@ -12,7 +12,7 @@ import (
 func main() {
 	build_shared.FindSDK()
 
-	if os.Getenv("GOPATH") == "" {
+	if os.Getenv("build.Default.GOPATH") == "" {
 		os.Setenv("GOPATH", build.Default.GOPATH)
 	}
 

cmd/internal/build_libbox/main.go

@@ -7,7 +7,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	_ "github.com/sagernet/gomobile"
+	_ "github.com/sagernet/gomobile/event/key"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common/rw"
@@ -54,7 +54,7 @@ func init() {
 	sharedFlags = append(sharedFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
 	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
 
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api")
 	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	debugTags = append(debugTags, "debug")
 }

cmd/internal/build_shared/tag.go

@@ -17,6 +17,9 @@ func ReadTag() (string, error) {
 	}
 	shortCommit, _ := shell.Exec("git", "rev-parse", "--short", "HEAD").ReadOutput()
 	version := badversion.Parse(currentTagRev[1:])
+	if version.PreReleaseIdentifier == "" {
+		version.Patch++
+	}
 	return version.String() + "-" + shortCommit, nil
 }
 

cmd/internal/update_apple_version/main.go

@@ -29,17 +29,11 @@ func main() {
 	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
 	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
 	if updated0 || updated1 {
-		log.Info("updated version to ", newVersion.VersionString(), " (", newVersion.String(), ")")
-	}
-	var updated2 bool
-	if macProjectVersion := os.Getenv("MACOS_PROJECT_VERSION"); macProjectVersion != "" {
-		newContent, updated2 = findAndReplaceProjectVersion(objectsMap, newContent, []string{"SFM"}, macProjectVersion)
-		if updated2 {
-			log.Info("updated macos project version to ", macProjectVersion)
-		}
-	}
-	if updated0 || updated1 || updated2 {
+		log.Info("updated version to ", newVersion.VersionString())
+		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj.bak", []byte(projectContent), 0o644))
 		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj", []byte(newContent), 0o644))
+	} else {
+		log.Info("version not changed")
 	}
 }
 
@@ -67,30 +61,6 @@ func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDLi
 	return projectContent, updated
 }
 
-func findAndReplaceProjectVersion(objectsMap map[string]any, projectContent string, directoryList []string, newVersion string) (string, bool) {
-	objectKeyList := findObjectKeyByDirectory(objectsMap, directoryList)
-	var updated bool
-	for _, objectKey := range objectKeyList {
-		matchRegexp := common.Must1(regexp.Compile(objectKey + ".*= \\{"))
-		indexes := matchRegexp.FindStringIndex(projectContent)
-		if len(indexes) < 2 {
-			println(projectContent)
-			log.Fatal("failed to find object key ", objectKey, ": ", strings.Index(projectContent, objectKey))
-		}
-		indexStart := indexes[1]
-		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
-		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "CURRENT_PROJECT_VERSION = ") + 26
-		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
-		version := projectContent[versionStart:versionEnd]
-		if version == newVersion {
-			continue
-		}
-		updated = true
-		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
-	}
-	return projectContent, updated
-}
-
 func findObjectKey(objectsMap map[string]any, bundleIDList []string) []string {
 	var objectKeyList []string
 	for objectKey, object := range objectsMap {
@@ -108,24 +78,3 @@ func findObjectKey(objectsMap map[string]any, bundleIDList []string) []string {
 	}
 	return objectKeyList
 }
-
-func findObjectKeyByDirectory(objectsMap map[string]any, directoryList []string) []string {
-	var objectKeyList []string
-	for objectKey, object := range objectsMap {
-		buildSettings := object.(map[string]any)["buildSettings"]
-		if buildSettings == nil {
-			continue
-		}
-		infoPListFile := buildSettings.(map[string]any)["INFOPLIST_FILE"]
-		if infoPListFile == nil {
-			continue
-		}
-		for _, searchDirectory := range directoryList {
-			if strings.HasPrefix(infoPListFile.(string), searchDirectory+"/") {
-				objectKeyList = append(objectKeyList, objectKey)
-			}
-		}
-
-	}
-	return objectKeyList
-}

cmd/sing-box/cmd_format.go

@@ -5,10 +5,10 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json"
-	"github.com/sagernet/sing/common/json/badjson"
 
 	"github.com/spf13/cobra"
 )
@@ -38,10 +38,6 @@ func format() error {
 		return err
 	}
 	for _, optionsEntry := range optionsList {
-		optionsEntry.options, err = badjson.Omitempty(optionsEntry.options)
-		if err != nil {
-			return err
-		}
 		buffer := new(bytes.Buffer)
 		encoder := json.NewEncoder(buffer)
 		encoder.SetIndent("", "  ")
@@ -73,3 +69,41 @@ func format() error {
 	}
 	return nil
 }
+
+func formatOne(configPath string) error {
+	configContent, err := os.ReadFile(configPath)
+	if err != nil {
+		return E.Cause(err, "read config")
+	}
+	var options option.Options
+	err = options.UnmarshalJSON(configContent)
+	if err != nil {
+		return E.Cause(err, "decode config")
+	}
+	buffer := new(bytes.Buffer)
+	encoder := json.NewEncoder(buffer)
+	encoder.SetIndent("", "  ")
+	err = encoder.Encode(options)
+	if err != nil {
+		return E.Cause(err, "encode config")
+	}
+	if !commandFormatFlagWrite {
+		os.Stdout.WriteString(buffer.String() + "\n")
+		return nil
+	}
+	if bytes.Equal(configContent, buffer.Bytes()) {
+		return nil
+	}
+	output, err := os.Create(configPath)
+	if err != nil {
+		return E.Cause(err, "open output")
+	}
+	_, err = output.Write(buffer.Bytes())
+	output.Close()
+	if err != nil {
+		return E.Cause(err, "write output")
+	}
+	outputPath, _ := filepath.Abs(configPath)
+	os.Stderr.WriteString(outputPath + "\n")
+	return nil
+}

cmd/sing-box/cmd_generate.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/gofrs/uuid/v5"
 	"github.com/spf13/cobra"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
 var commandGenerate = &cobra.Command{
@@ -21,7 +22,8 @@ var commandGenerate = &cobra.Command{
 func init() {
 	commandGenerate.AddCommand(commandGenerateUUID)
 	commandGenerate.AddCommand(commandGenerateRandom)
-
+	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
+	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
 	mainCommand.AddCommand(commandGenerate)
 }
 
@@ -90,3 +92,48 @@ func generateUUID() error {
 	_, err = os.Stdout.WriteString(newUUID.String() + "\n")
 	return err
 }
+
+var commandGenerateWireGuardKeyPair = &cobra.Command{
+	Use:   "wg-keypair",
+	Short: "Generate WireGuard key pair",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateWireGuardKey()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func generateWireGuardKey() error {
+	privateKey, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return err
+	}
+	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
+	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
+	return nil
+}
+
+var commandGenerateRealityKeyPair = &cobra.Command{
+	Use:   "reality-keypair",
+	Short: "Generate reality key pair",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateRealityKey()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func generateRealityKey() error {
+	privateKey, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return err
+	}
+	publicKey := privateKey.PublicKey()
+	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
+	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
+	return nil
+}

cmd/sing-box/cmd_generate_ech.go

@@ -1,39 +0,0 @@
-package main
-
-import (
-	"os"
-
-	"github.com/sagernet/sing-box/common/tls"
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-)
-
-var pqSignatureSchemesEnabled bool
-
-var commandGenerateECHKeyPair = &cobra.Command{
-	Use:   "ech-keypair <plain_server_name>",
-	Short: "Generate TLS ECH key pair",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateECHKeyPair(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGenerateECHKeyPair.Flags().BoolVar(&pqSignatureSchemesEnabled, "pq-signature-schemes-enabled", false, "Enable PQ signature schemes")
-	commandGenerate.AddCommand(commandGenerateECHKeyPair)
-}
-
-func generateECHKeyPair(serverName string) error {
-	configPem, keyPem, err := tls.ECHKeygenDefault(serverName, pqSignatureSchemesEnabled)
-	if err != nil {
-		return err
-	}
-	os.Stdout.WriteString(configPem)
-	os.Stdout.WriteString(keyPem)
-	return nil
-}

cmd/sing-box/cmd_generate_tls.go

@@ -1,40 +0,0 @@
-package main
-
-import (
-	"os"
-	"time"
-
-	"github.com/sagernet/sing-box/common/tls"
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-)
-
-var flagGenerateTLSKeyPairMonths int
-
-var commandGenerateTLSKeyPair = &cobra.Command{
-	Use:   "tls-keypair <server_name>",
-	Short: "Generate TLS self sign key pair",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateTLSKeyPair(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGenerateTLSKeyPair.Flags().IntVarP(&flagGenerateTLSKeyPairMonths, "months", "m", 1, "Valid months")
-	commandGenerate.AddCommand(commandGenerateTLSKeyPair)
-}
-
-func generateTLSKeyPair(serverName string) error {
-	privateKeyPem, publicKeyPem, err := tls.GenerateKeyPair(time.Now, serverName, time.Now().AddDate(0, flagGenerateTLSKeyPairMonths, 0))
-	if err != nil {
-		return err
-	}
-	os.Stdout.WriteString(string(privateKeyPem) + "\n")
-	os.Stdout.WriteString(string(publicKeyPem) + "\n")
-	return nil
-}

cmd/sing-box/cmd_generate_vapid.go

@@ -1,40 +0,0 @@
-//go:build go1.20
-
-package main
-
-import (
-	"crypto/ecdh"
-	"crypto/rand"
-	"encoding/base64"
-	"os"
-
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-)
-
-var commandGenerateVAPIDKeyPair = &cobra.Command{
-	Use:   "vapid-keypair",
-	Short: "Generate VAPID key pair",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateVAPIDKeyPair()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGenerate.AddCommand(commandGenerateVAPIDKeyPair)
-}
-
-func generateVAPIDKeyPair() error {
-	privateKey, err := ecdh.P256().GenerateKey(rand.Reader)
-	if err != nil {
-		return err
-	}
-	publicKey := privateKey.PublicKey()
-	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey.Bytes()) + "\n")
-	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey.Bytes()) + "\n")
-	return nil
-}

cmd/sing-box/cmd_generate_wireguard.go

@@ -1,61 +0,0 @@
-package main
-
-import (
-	"encoding/base64"
-	"os"
-
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-)
-
-func init() {
-	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
-	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
-}
-
-var commandGenerateWireGuardKeyPair = &cobra.Command{
-	Use:   "wg-keypair",
-	Short: "Generate WireGuard key pair",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateWireGuardKey()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func generateWireGuardKey() error {
-	privateKey, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		return err
-	}
-	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
-	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
-	return nil
-}
-
-var commandGenerateRealityKeyPair = &cobra.Command{
-	Use:   "reality-keypair",
-	Short: "Generate reality key pair",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateRealityKey()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func generateRealityKey() error {
-	privateKey, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		return err
-	}
-	publicKey := privateKey.PublicKey()
-	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
-	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
-	return nil
-}

cmd/sing-box/cmd_geoip.go

@@ -1,43 +0,0 @@
-package main
-
-import (
-	"github.com/sagernet/sing-box/log"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	"github.com/oschwald/maxminddb-golang"
-	"github.com/spf13/cobra"
-)
-
-var (
-	geoipReader          *maxminddb.Reader
-	commandGeoIPFlagFile string
-)
-
-var commandGeoip = &cobra.Command{
-	Use:   "geoip",
-	Short: "GeoIP tools",
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		err := geoipPreRun()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGeoip.PersistentFlags().StringVarP(&commandGeoIPFlagFile, "file", "f", "geoip.db", "geoip file")
-	mainCommand.AddCommand(commandGeoip)
-}
-
-func geoipPreRun() error {
-	reader, err := maxminddb.Open(commandGeoIPFlagFile)
-	if err != nil {
-		return err
-	}
-	if reader.Metadata.DatabaseType != "sing-geoip" {
-		reader.Close()
-		return E.New("incorrect database type, expected sing-geoip, got ", reader.Metadata.DatabaseType)
-	}
-	geoipReader = reader
-	return nil
-}

cmd/sing-box/cmd_geoip_export.go

@@ -1,98 +0,0 @@
-package main
-
-import (
-	"io"
-	"net"
-	"os"
-	"strings"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json"
-
-	"github.com/oschwald/maxminddb-golang"
-	"github.com/spf13/cobra"
-)
-
-var flagGeoipExportOutput string
-
-const flagGeoipExportDefaultOutput = "geoip-<country>.srs"
-
-var commandGeoipExport = &cobra.Command{
-	Use:   "export <country>",
-	Short: "Export geoip country as rule-set",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := geoipExport(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGeoipExport.Flags().StringVarP(&flagGeoipExportOutput, "output", "o", flagGeoipExportDefaultOutput, "Output path")
-	commandGeoip.AddCommand(commandGeoipExport)
-}
-
-func geoipExport(countryCode string) error {
-	networks := geoipReader.Networks(maxminddb.SkipAliasedNetworks)
-	countryMap := make(map[string][]*net.IPNet)
-	var (
-		ipNet           *net.IPNet
-		nextCountryCode string
-		err             error
-	)
-	for networks.Next() {
-		ipNet, err = networks.Network(&nextCountryCode)
-		if err != nil {
-			return err
-		}
-		countryMap[nextCountryCode] = append(countryMap[nextCountryCode], ipNet)
-	}
-	ipNets := countryMap[strings.ToLower(countryCode)]
-	if len(ipNets) == 0 {
-		return E.New("country code not found: ", countryCode)
-	}
-
-	var (
-		outputFile   *os.File
-		outputWriter io.Writer
-	)
-	if flagGeoipExportOutput == "stdout" {
-		outputWriter = os.Stdout
-	} else if flagGeoipExportOutput == flagGeoipExportDefaultOutput {
-		outputFile, err = os.Create("geoip-" + countryCode + ".json")
-		if err != nil {
-			return err
-		}
-		defer outputFile.Close()
-		outputWriter = outputFile
-	} else {
-		outputFile, err = os.Create(flagGeoipExportOutput)
-		if err != nil {
-			return err
-		}
-		defer outputFile.Close()
-		outputWriter = outputFile
-	}
-
-	encoder := json.NewEncoder(outputWriter)
-	encoder.SetIndent("", "  ")
-	var headlessRule option.DefaultHeadlessRule
-	headlessRule.IPCIDR = make([]string, 0, len(ipNets))
-	for _, cidr := range ipNets {
-		headlessRule.IPCIDR = append(headlessRule.IPCIDR, cidr.String())
-	}
-	var plainRuleSet option.PlainRuleSetCompat
-	plainRuleSet.Version = C.RuleSetVersion1
-	plainRuleSet.Options.Rules = []option.HeadlessRule{
-		{
-			Type:           C.RuleTypeDefault,
-			DefaultOptions: headlessRule,
-		},
-	}
-	return encoder.Encode(plainRuleSet)
-}

cmd/sing-box/cmd_geoip_list.go

@@ -1,31 +0,0 @@
-package main
-
-import (
-	"os"
-
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-)
-
-var commandGeoipList = &cobra.Command{
-	Use:   "list",
-	Short: "List geoip country codes",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := listGeoip()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGeoip.AddCommand(commandGeoipList)
-}
-
-func listGeoip() error {
-	for _, code := range geoipReader.Metadata.Languages {
-		os.Stdout.WriteString(code + "\n")
-	}
-	return nil
-}

cmd/sing-box/cmd_geoip_lookup.go

@@ -1,47 +0,0 @@
-package main
-
-import (
-	"net/netip"
-	"os"
-
-	"github.com/sagernet/sing-box/log"
-	E "github.com/sagernet/sing/common/exceptions"
-	N "github.com/sagernet/sing/common/network"
-
-	"github.com/spf13/cobra"
-)
-
-var commandGeoipLookup = &cobra.Command{
-	Use:   "lookup <address>",
-	Short: "Lookup if an IP address is contained in the GeoIP database",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := geoipLookup(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGeoip.AddCommand(commandGeoipLookup)
-}
-
-func geoipLookup(address string) error {
-	addr, err := netip.ParseAddr(address)
-	if err != nil {
-		return E.Cause(err, "parse address")
-	}
-	if !N.IsPublicAddr(addr) {
-		os.Stdout.WriteString("private\n")
-		return nil
-	}
-	var code string
-	_ = geoipReader.Lookup(addr.AsSlice(), &code)
-	if code != "" {
-		os.Stdout.WriteString(code + "\n")
-		return nil
-	}
-	os.Stdout.WriteString("unknown\n")
-	return nil
-}

cmd/sing-box/cmd_geosite.go

@@ -1,41 +0,0 @@
-package main
-
-import (
-	"github.com/sagernet/sing-box/common/geosite"
-	"github.com/sagernet/sing-box/log"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	"github.com/spf13/cobra"
-)
-
-var (
-	commandGeoSiteFlagFile string
-	geositeReader          *geosite.Reader
-	geositeCodeList        []string
-)
-
-var commandGeoSite = &cobra.Command{
-	Use:   "geosite",
-	Short: "Geosite tools",
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		err := geositePreRun()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGeoSite.PersistentFlags().StringVarP(&commandGeoSiteFlagFile, "file", "f", "geosite.db", "geosite file")
-	mainCommand.AddCommand(commandGeoSite)
-}
-
-func geositePreRun() error {
-	reader, codeList, err := geosite.Open(commandGeoSiteFlagFile)
-	if err != nil {
-		return E.Cause(err, "open geosite file")
-	}
-	geositeReader = reader
-	geositeCodeList = codeList
-	return nil
-}

cmd/sing-box/cmd_geosite_export.go

@@ -1,81 +0,0 @@
-package main
-
-import (
-	"io"
-	"os"
-
-	"github.com/sagernet/sing-box/common/geosite"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/json"
-
-	"github.com/spf13/cobra"
-)
-
-var commandGeositeExportOutput string
-
-const commandGeositeExportDefaultOutput = "geosite-<category>.json"
-
-var commandGeositeExport = &cobra.Command{
-	Use:   "export <category>",
-	Short: "Export geosite category as rule-set",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := geositeExport(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGeositeExport.Flags().StringVarP(&commandGeositeExportOutput, "output", "o", commandGeositeExportDefaultOutput, "Output path")
-	commandGeoSite.AddCommand(commandGeositeExport)
-}
-
-func geositeExport(category string) error {
-	sourceSet, err := geositeReader.Read(category)
-	if err != nil {
-		return err
-	}
-	var (
-		outputFile   *os.File
-		outputWriter io.Writer
-	)
-	if commandGeositeExportOutput == "stdout" {
-		outputWriter = os.Stdout
-	} else if commandGeositeExportOutput == commandGeositeExportDefaultOutput {
-		outputFile, err = os.Create("geosite-" + category + ".json")
-		if err != nil {
-			return err
-		}
-		defer outputFile.Close()
-		outputWriter = outputFile
-	} else {
-		outputFile, err = os.Create(commandGeositeExportOutput)
-		if err != nil {
-			return err
-		}
-		defer outputFile.Close()
-		outputWriter = outputFile
-	}
-
-	encoder := json.NewEncoder(outputWriter)
-	encoder.SetIndent("", "  ")
-	var headlessRule option.DefaultHeadlessRule
-	defaultRule := geosite.Compile(sourceSet)
-	headlessRule.Domain = defaultRule.Domain
-	headlessRule.DomainSuffix = defaultRule.DomainSuffix
-	headlessRule.DomainKeyword = defaultRule.DomainKeyword
-	headlessRule.DomainRegex = defaultRule.DomainRegex
-	var plainRuleSet option.PlainRuleSetCompat
-	plainRuleSet.Version = C.RuleSetVersion1
-	plainRuleSet.Options.Rules = []option.HeadlessRule{
-		{
-			Type:           C.RuleTypeDefault,
-			DefaultOptions: headlessRule,
-		},
-	}
-	return encoder.Encode(plainRuleSet)
-}

cmd/sing-box/cmd_geosite_list.go

@@ -1,50 +0,0 @@
-package main
-
-import (
-	"os"
-	"sort"
-
-	"github.com/sagernet/sing-box/log"
-	F "github.com/sagernet/sing/common/format"
-
-	"github.com/spf13/cobra"
-)
-
-var commandGeositeList = &cobra.Command{
-	Use:   "list <category>",
-	Short: "List geosite categories",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := geositeList()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGeoSite.AddCommand(commandGeositeList)
-}
-
-func geositeList() error {
-	var geositeEntry []struct {
-		category string
-		items    int
-	}
-	for _, category := range geositeCodeList {
-		sourceSet, err := geositeReader.Read(category)
-		if err != nil {
-			return err
-		}
-		geositeEntry = append(geositeEntry, struct {
-			category string
-			items    int
-		}{category, len(sourceSet)})
-	}
-	sort.SliceStable(geositeEntry, func(i, j int) bool {
-		return geositeEntry[i].items < geositeEntry[j].items
-	})
-	for _, entry := range geositeEntry {
-		os.Stdout.WriteString(F.ToString(entry.category, " (", entry.items, ")\n"))
-	}
-	return nil
-}

cmd/sing-box/cmd_geosite_lookup.go

@@ -1,97 +0,0 @@
-package main
-
-import (
-	"os"
-	"sort"
-
-	"github.com/sagernet/sing-box/log"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	"github.com/spf13/cobra"
-)
-
-var commandGeositeLookup = &cobra.Command{
-	Use:   "lookup [category] <domain>",
-	Short: "Check if a domain is in the geosite",
-	Args:  cobra.RangeArgs(1, 2),
-	Run: func(cmd *cobra.Command, args []string) {
-		var (
-			source string
-			target string
-		)
-		switch len(args) {
-		case 1:
-			target = args[0]
-		case 2:
-			source = args[0]
-			target = args[1]
-		}
-		err := geositeLookup(source, target)
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGeoSite.AddCommand(commandGeositeLookup)
-}
-
-func geositeLookup(source string, target string) error {
-	var sourceMatcherList []struct {
-		code    string
-		matcher *searchGeositeMatcher
-	}
-	if source != "" {
-		sourceSet, err := geositeReader.Read(source)
-		if err != nil {
-			return err
-		}
-		sourceMatcher, err := newSearchGeositeMatcher(sourceSet)
-		if err != nil {
-			return E.Cause(err, "compile code: "+source)
-		}
-		sourceMatcherList = []struct {
-			code    string
-			matcher *searchGeositeMatcher
-		}{
-			{
-				code:    source,
-				matcher: sourceMatcher,
-			},
-		}
-
-	} else {
-		for _, code := range geositeCodeList {
-			sourceSet, err := geositeReader.Read(code)
-			if err != nil {
-				return err
-			}
-			sourceMatcher, err := newSearchGeositeMatcher(sourceSet)
-			if err != nil {
-				return E.Cause(err, "compile code: "+code)
-			}
-			sourceMatcherList = append(sourceMatcherList, struct {
-				code    string
-				matcher *searchGeositeMatcher
-			}{
-				code:    code,
-				matcher: sourceMatcher,
-			})
-		}
-	}
-	sort.SliceStable(sourceMatcherList, func(i, j int) bool {
-		return sourceMatcherList[i].code < sourceMatcherList[j].code
-	})
-
-	for _, matcherItem := range sourceMatcherList {
-		if matchRule := matcherItem.matcher.Match(target); matchRule != "" {
-			os.Stdout.WriteString("Match code (")
-			os.Stdout.WriteString(matcherItem.code)
-			os.Stdout.WriteString(") ")
-			os.Stdout.WriteString(matchRule)
-			os.Stdout.WriteString("\n")
-		}
-	}
-	return nil
-}

cmd/sing-box/cmd_geosite_matcher.go

@@ -1,56 +0,0 @@
-package main
-
-import (
-	"regexp"
-	"strings"
-
-	"github.com/sagernet/sing-box/common/geosite"
-)
-
-type searchGeositeMatcher struct {
-	domainMap   map[string]bool
-	suffixList  []string
-	keywordList []string
-	regexList   []string
-}
-
-func newSearchGeositeMatcher(items []geosite.Item) (*searchGeositeMatcher, error) {
-	options := geosite.Compile(items)
-	domainMap := make(map[string]bool)
-	for _, domain := range options.Domain {
-		domainMap[domain] = true
-	}
-	rule := &searchGeositeMatcher{
-		domainMap:   domainMap,
-		suffixList:  options.DomainSuffix,
-		keywordList: options.DomainKeyword,
-		regexList:   options.DomainRegex,
-	}
-	return rule, nil
-}
-
-func (r *searchGeositeMatcher) Match(domain string) string {
-	if r.domainMap[domain] {
-		return "domain=" + domain
-	}
-	for _, suffix := range r.suffixList {
-		if strings.HasSuffix(domain, suffix) {
-			return "domain_suffix=" + suffix
-		}
-	}
-	for _, keyword := range r.keywordList {
-		if strings.Contains(domain, keyword) {
-			return "domain_keyword=" + keyword
-		}
-	}
-	for _, regexStr := range r.regexList {
-		regex, err := regexp.Compile(regexStr)
-		if err != nil {
-			continue
-		}
-		if regex.MatchString(domain) {
-			return "domain_regex=" + regexStr
-		}
-	}
-	return ""
-}

cmd/sing-box/cmd_merge.go

@@ -1,150 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"os"
-	"path/filepath"
-	"strings"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json"
-	"github.com/sagernet/sing/common/rw"
-
-	"github.com/spf13/cobra"
-)
-
-var commandMerge = &cobra.Command{
-	Use:   "merge <output>",
-	Short: "Merge configurations",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := merge(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.ExactArgs(1),
-}
-
-func init() {
-	mainCommand.AddCommand(commandMerge)
-}
-
-func merge(outputPath string) error {
-	mergedOptions, err := readConfigAndMerge()
-	if err != nil {
-		return err
-	}
-	err = mergePathResources(&mergedOptions)
-	if err != nil {
-		return err
-	}
-	buffer := new(bytes.Buffer)
-	encoder := json.NewEncoder(buffer)
-	encoder.SetIndent("", "  ")
-	err = encoder.Encode(mergedOptions)
-	if err != nil {
-		return E.Cause(err, "encode config")
-	}
-	if existsContent, err := os.ReadFile(outputPath); err != nil {
-		if string(existsContent) == buffer.String() {
-			return nil
-		}
-	}
-	err = rw.WriteFile(outputPath, buffer.Bytes())
-	if err != nil {
-		return err
-	}
-	outputPath, _ = filepath.Abs(outputPath)
-	os.Stderr.WriteString(outputPath + "\n")
-	return nil
-}
-
-func mergePathResources(options *option.Options) error {
-	for index, inbound := range options.Inbounds {
-		rawOptions, err := inbound.RawOptions()
-		if err != nil {
-			return err
-		}
-		if tlsOptions, containsTLSOptions := rawOptions.(option.InboundTLSOptionsWrapper); containsTLSOptions {
-			tlsOptions.ReplaceInboundTLSOptions(mergeTLSInboundOptions(tlsOptions.TakeInboundTLSOptions()))
-		}
-		options.Inbounds[index] = inbound
-	}
-	for index, outbound := range options.Outbounds {
-		rawOptions, err := outbound.RawOptions()
-		if err != nil {
-			return err
-		}
-		switch outbound.Type {
-		case C.TypeSSH:
-			outbound.SSHOptions = mergeSSHOutboundOptions(outbound.SSHOptions)
-		}
-		if tlsOptions, containsTLSOptions := rawOptions.(option.OutboundTLSOptionsWrapper); containsTLSOptions {
-			tlsOptions.ReplaceOutboundTLSOptions(mergeTLSOutboundOptions(tlsOptions.TakeOutboundTLSOptions()))
-		}
-		options.Outbounds[index] = outbound
-	}
-	return nil
-}
-
-func mergeTLSInboundOptions(options *option.InboundTLSOptions) *option.InboundTLSOptions {
-	if options == nil {
-		return nil
-	}
-	if options.CertificatePath != "" {
-		if content, err := os.ReadFile(options.CertificatePath); err == nil {
-			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	if options.KeyPath != "" {
-		if content, err := os.ReadFile(options.KeyPath); err == nil {
-			options.Key = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	if options.ECH != nil {
-		if options.ECH.KeyPath != "" {
-			if content, err := os.ReadFile(options.ECH.KeyPath); err == nil {
-				options.ECH.Key = trimStringArray(strings.Split(string(content), "\n"))
-			}
-		}
-	}
-	return options
-}
-
-func mergeTLSOutboundOptions(options *option.OutboundTLSOptions) *option.OutboundTLSOptions {
-	if options == nil {
-		return nil
-	}
-	if options.CertificatePath != "" {
-		if content, err := os.ReadFile(options.CertificatePath); err == nil {
-			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	if options.ECH != nil {
-		if options.ECH.ConfigPath != "" {
-			if content, err := os.ReadFile(options.ECH.ConfigPath); err == nil {
-				options.ECH.Config = trimStringArray(strings.Split(string(content), "\n"))
-			}
-		}
-	}
-	return options
-}
-
-func mergeSSHOutboundOptions(options option.SSHOutboundOptions) option.SSHOutboundOptions {
-	if options.PrivateKeyPath != "" {
-		if content, err := os.ReadFile(os.ExpandEnv(options.PrivateKeyPath)); err == nil {
-			options.PrivateKey = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	return options
-}
-
-func trimStringArray(array []string) []string {
-	return common.Filter(array, func(it string) bool {
-		return strings.TrimSpace(it) != ""
-	})
-}

cmd/sing-box/cmd_rule_set.go

@@ -1,14 +0,0 @@
-package main
-
-import (
-	"github.com/spf13/cobra"
-)
-
-var commandRuleSet = &cobra.Command{
-	Use:   "rule-set",
-	Short: "Manage rule sets",
-}
-
-func init() {
-	mainCommand.AddCommand(commandRuleSet)
-}

cmd/sing-box/cmd_rule_set_compile.go

@@ -1,84 +0,0 @@
-package main
-
-import (
-	"io"
-	"os"
-	"strings"
-
-	"github.com/sagernet/sing-box/common/srs"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/json"
-
-	"github.com/spf13/cobra"
-)
-
-var flagRuleSetCompileOutput string
-
-const flagRuleSetCompileDefaultOutput = "<file_name>.srs"
-
-var commandRuleSetCompile = &cobra.Command{
-	Use:   "compile [source-path]",
-	Short: "Compile rule-set json to binary",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := compileRuleSet(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandRuleSet.AddCommand(commandRuleSetCompile)
-	commandRuleSetCompile.Flags().StringVarP(&flagRuleSetCompileOutput, "output", "o", flagRuleSetCompileDefaultOutput, "Output file")
-}
-
-func compileRuleSet(sourcePath string) error {
-	var (
-		reader io.Reader
-		err    error
-	)
-	if sourcePath == "stdin" {
-		reader = os.Stdin
-	} else {
-		reader, err = os.Open(sourcePath)
-		if err != nil {
-			return err
-		}
-	}
-	content, err := io.ReadAll(reader)
-	if err != nil {
-		return err
-	}
-	plainRuleSet, err := json.UnmarshalExtended[option.PlainRuleSetCompat](content)
-	if err != nil {
-		return err
-	}
-	if err != nil {
-		return err
-	}
-	ruleSet := plainRuleSet.Upgrade()
-	var outputPath string
-	if flagRuleSetCompileOutput == flagRuleSetCompileDefaultOutput {
-		if strings.HasSuffix(sourcePath, ".json") {
-			outputPath = sourcePath[:len(sourcePath)-5] + ".srs"
-		} else {
-			outputPath = sourcePath + ".srs"
-		}
-	} else {
-		outputPath = flagRuleSetCompileOutput
-	}
-	outputFile, err := os.Create(outputPath)
-	if err != nil {
-		return err
-	}
-	err = srs.Write(outputFile, ruleSet)
-	if err != nil {
-		outputFile.Close()
-		os.Remove(outputPath)
-		return err
-	}
-	outputFile.Close()
-	return nil
-}

cmd/sing-box/cmd_rule_set_format.go

@@ -1,83 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"io"
-	"os"
-	"path/filepath"
-
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json"
-
-	"github.com/spf13/cobra"
-)
-
-var commandRuleSetFormatFlagWrite bool
-
-var commandRuleSetFormat = &cobra.Command{
-	Use:   "format <source-path>",
-	Short: "Format rule-set json",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := formatRuleSet(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandRuleSetFormat.Flags().BoolVarP(&commandRuleSetFormatFlagWrite, "write", "w", false, "write result to (source) file instead of stdout")
-	commandRuleSet.AddCommand(commandRuleSetFormat)
-}
-
-func formatRuleSet(sourcePath string) error {
-	var (
-		reader io.Reader
-		err    error
-	)
-	if sourcePath == "stdin" {
-		reader = os.Stdin
-	} else {
-		reader, err = os.Open(sourcePath)
-		if err != nil {
-			return err
-		}
-	}
-	content, err := io.ReadAll(reader)
-	if err != nil {
-		return err
-	}
-	plainRuleSet, err := json.UnmarshalExtended[option.PlainRuleSetCompat](content)
-	if err != nil {
-		return err
-	}
-	buffer := new(bytes.Buffer)
-	encoder := json.NewEncoder(buffer)
-	encoder.SetIndent("", "  ")
-	err = encoder.Encode(plainRuleSet)
-	if err != nil {
-		return E.Cause(err, "encode config")
-	}
-	outputPath, _ := filepath.Abs(sourcePath)
-	if !commandRuleSetFormatFlagWrite || sourcePath == "stdin" {
-		os.Stdout.WriteString(buffer.String() + "\n")
-		return nil
-	}
-	if bytes.Equal(content, buffer.Bytes()) {
-		return nil
-	}
-	output, err := os.Create(sourcePath)
-	if err != nil {
-		return E.Cause(err, "open output")
-	}
-	_, err = output.Write(buffer.Bytes())
-	output.Close()
-	if err != nil {
-		return E.Cause(err, "write output")
-	}
-	os.Stderr.WriteString(outputPath + "\n")
-	return nil
-}

cmd/sing-box/cmd_run.go

@@ -13,12 +13,10 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box"
-	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/common/badjsonmerge"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json"
-	"github.com/sagernet/sing/common/json/badjson"
 
 	"github.com/spf13/cobra"
 )
@@ -57,7 +55,8 @@ func readConfigAt(path string) (*OptionsEntry, error) {
 	if err != nil {
 		return nil, E.Cause(err, "read config at ", path)
 	}
-	options, err := json.UnmarshalExtended[option.Options](configContent)
+	var options option.Options
+	err = options.UnmarshalJSON(configContent)
 	if err != nil {
 		return nil, E.Cause(err, "decode config at ", path)
 	}
@@ -107,18 +106,13 @@ func readConfigAndMerge() (option.Options, error) {
 	if len(optionsList) == 1 {
 		return optionsList[0].options, nil
 	}
-	var mergedMessage json.RawMessage
+	var mergedOptions option.Options
 	for _, options := range optionsList {
-		mergedMessage, err = badjson.MergeJSON(options.options.RawMessage, mergedMessage)
+		mergedOptions, err = badjsonmerge.MergeOptions(options.options, mergedOptions)
 		if err != nil {
 			return option.Options{}, E.Cause(err, "merge config at ", options.path)
 		}
 	}
-	var mergedOptions option.Options
-	err = mergedOptions.UnmarshalJSON(mergedMessage)
-	if err != nil {
-		return option.Options{}, E.Cause(err, "unmarshal merged config")
-	}
 	return mergedOptions, nil
 }
 
@@ -133,7 +127,7 @@ func create() (*box.Box, context.CancelFunc, error) {
 		}
 		options.Log.DisableColor = true
 	}
-	ctx, cancel := context.WithCancel(globalCtx)
+	ctx, cancel := context.WithCancel(context.Background())
 	instance, err := box.New(box.Options{
 		Context: ctx,
 		Options: options,
@@ -199,7 +193,7 @@ func run() error {
 }
 
 func closeMonitor(ctx context.Context) {
-	time.Sleep(C.DefaultStopFatalTimeout)
+	time.Sleep(3 * time.Second)
 	select {
 	case <-ctx.Done():
 		return

cmd/sing-box/cmd_tools.go

@@ -38,7 +38,11 @@ func createPreStartedClient() (*box.Box, error) {
 
 func createDialer(instance *box.Box, network string, outboundTag string) (N.Dialer, error) {
 	if outboundTag == "" {
-		return instance.Router().DefaultOutbound(N.NetworkName(network))
+		outbound := instance.Router().DefaultOutbound(N.NetworkName(network))
+		if outbound == nil {
+			return nil, E.New("missing default outbound")
+		}
+		return outbound, nil
 	} else {
 		outbound, loaded := instance.Router().Outbound(outboundTag)
 		if !loaded {

cmd/sing-box/cmd_tools_connect.go

@@ -18,7 +18,7 @@ import (
 var commandConnectFlagNetwork string
 
 var commandConnect = &cobra.Command{
-	Use:   "connect <address>",
+	Use:   "connect [address]",
 	Short: "Connect to an address",
 	Args:  cobra.ExactArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {

cmd/sing-box/main.go

@@ -1,21 +1,16 @@
 package main
 
 import (
-	"context"
 	"os"
-	"os/user"
-	"strconv"
 	"time"
 
 	_ "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/service/filemanager"
 
 	"github.com/spf13/cobra"
 )
 
 var (
-	globalCtx         context.Context
 	configPaths       []string
 	configDirectories []string
 	workingDir        string
@@ -41,30 +36,15 @@ func main() {
 }
 
 func preRun(cmd *cobra.Command, args []string) {
-	globalCtx = context.Background()
-	sudoUser := os.Getenv("SUDO_USER")
-	sudoUID, _ := strconv.Atoi(os.Getenv("SUDO_UID"))
-	sudoGID, _ := strconv.Atoi(os.Getenv("SUDO_GID"))
-	if sudoUID == 0 && sudoGID == 0 && sudoUser != "" {
-		sudoUserObject, _ := user.Lookup(sudoUser)
-		if sudoUserObject != nil {
-			sudoUID, _ = strconv.Atoi(sudoUserObject.Uid)
-			sudoGID, _ = strconv.Atoi(sudoUserObject.Gid)
-		}
-	}
-	if sudoUID > 0 && sudoGID > 0 {
-		globalCtx = filemanager.WithDefault(globalCtx, "", "", sudoUID, sudoGID)
-	}
 	if disableColor {
-		log.SetStdLogger(log.NewDefaultFactory(context.Background(), log.Formatter{BaseTime: time.Now(), DisableColors: true}, os.Stderr, "", nil, false).Logger())
+		log.SetStdLogger(log.NewFactory(log.Formatter{BaseTime: time.Now(), DisableColors: true}, os.Stderr, nil).Logger())
 	}
 	if workingDir != "" {
 		_, err := os.Stat(workingDir)
 		if err != nil {
-			filemanager.MkdirAll(globalCtx, workingDir, 0o777)
+			os.MkdirAll(workingDir, 0o777)
 		}
-		err = os.Chdir(workingDir)
-		if err != nil {
+		if err := os.Chdir(workingDir); err != nil {
 			log.Fatal(err)
 		}
 	}

common/badjson/array.go

@@ -0,0 +1,46 @@
+package badjson
+
+import (
+	"bytes"
+
+	"github.com/sagernet/sing-box/common/json"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type JSONArray []any
+
+func (a JSONArray) MarshalJSON() ([]byte, error) {
+	return json.Marshal([]any(a))
+}
+
+func (a *JSONArray) UnmarshalJSON(content []byte) error {
+	decoder := json.NewDecoder(bytes.NewReader(content))
+	arrayStart, err := decoder.Token()
+	if err != nil {
+		return err
+	} else if arrayStart != json.Delim('[') {
+		return E.New("excepted array start, but got ", arrayStart)
+	}
+	err = a.decodeJSON(decoder)
+	if err != nil {
+		return err
+	}
+	arrayEnd, err := decoder.Token()
+	if err != nil {
+		return err
+	} else if arrayEnd != json.Delim(']') {
+		return E.New("excepted array end, but got ", arrayEnd)
+	}
+	return nil
+}
+
+func (a *JSONArray) decodeJSON(decoder *json.Decoder) error {
+	for decoder.More() {
+		item, err := decodeJSON(decoder)
+		if err != nil {
+			return err
+		}
+		*a = append(*a, item)
+	}
+	return nil
+}

common/badjson/json.go

@@ -0,0 +1,54 @@
+package badjson
+
+import (
+	"bytes"
+
+	"github.com/sagernet/sing-box/common/json"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func Decode(content []byte) (any, error) {
+	decoder := json.NewDecoder(bytes.NewReader(content))
+	return decodeJSON(decoder)
+}
+
+func decodeJSON(decoder *json.Decoder) (any, error) {
+	rawToken, err := decoder.Token()
+	if err != nil {
+		return nil, err
+	}
+	switch token := rawToken.(type) {
+	case json.Delim:
+		switch token {
+		case '{':
+			var object JSONObject
+			err = object.decodeJSON(decoder)
+			if err != nil {
+				return nil, err
+			}
+			rawToken, err = decoder.Token()
+			if err != nil {
+				return nil, err
+			} else if rawToken != json.Delim('}') {
+				return nil, E.New("excepted object end, but got ", rawToken)
+			}
+			return &object, nil
+		case '[':
+			var array JSONArray
+			err = array.decodeJSON(decoder)
+			if err != nil {
+				return nil, err
+			}
+			rawToken, err = decoder.Token()
+			if err != nil {
+				return nil, err
+			} else if rawToken != json.Delim(']') {
+				return nil, E.New("excepted array end, but got ", rawToken)
+			}
+			return array, nil
+		default:
+			return nil, E.New("excepted object or array end: ", token)
+		}
+	}
+	return rawToken, nil
+}

common/badjson/object.go

@@ -0,0 +1,79 @@
+package badjson
+
+import (
+	"bytes"
+	"strings"
+
+	"github.com/sagernet/sing-box/common/json"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/x/linkedhashmap"
+)
+
+type JSONObject struct {
+	linkedhashmap.Map[string, any]
+}
+
+func (m JSONObject) MarshalJSON() ([]byte, error) {
+	buffer := new(bytes.Buffer)
+	buffer.WriteString("{")
+	items := m.Entries()
+	iLen := len(items)
+	for i, entry := range items {
+		keyContent, err := json.Marshal(entry.Key)
+		if err != nil {
+			return nil, err
+		}
+		buffer.WriteString(strings.TrimSpace(string(keyContent)))
+		buffer.WriteString(": ")
+		valueContent, err := json.Marshal(entry.Value)
+		if err != nil {
+			return nil, err
+		}
+		buffer.WriteString(strings.TrimSpace(string(valueContent)))
+		if i < iLen-1 {
+			buffer.WriteString(", ")
+		}
+	}
+	buffer.WriteString("}")
+	return buffer.Bytes(), nil
+}
+
+func (m *JSONObject) UnmarshalJSON(content []byte) error {
+	decoder := json.NewDecoder(bytes.NewReader(content))
+	m.Clear()
+	objectStart, err := decoder.Token()
+	if err != nil {
+		return err
+	} else if objectStart != json.Delim('{') {
+		return E.New("expected json object start, but starts with ", objectStart)
+	}
+	err = m.decodeJSON(decoder)
+	if err != nil {
+		return E.Cause(err, "decode json object content")
+	}
+	objectEnd, err := decoder.Token()
+	if err != nil {
+		return err
+	} else if objectEnd != json.Delim('}') {
+		return E.New("expected json object end, but ends with ", objectEnd)
+	}
+	return nil
+}
+
+func (m *JSONObject) decodeJSON(decoder *json.Decoder) error {
+	for decoder.More() {
+		var entryKey string
+		keyToken, err := decoder.Token()
+		if err != nil {
+			return err
+		}
+		entryKey = keyToken.(string)
+		var entryValue any
+		entryValue, err = decodeJSON(decoder)
+		if err != nil {
+			return E.Cause(err, "decode value for ", entryKey)
+		}
+		m.Put(entryKey, entryValue)
+	}
+	return nil
+}

common/badjsonmerge/merge.go

@@ -0,0 +1,80 @@
+package badjsonmerge
+
+import (
+	"encoding/json"
+	"reflect"
+
+	"github.com/sagernet/sing-box/common/badjson"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func MergeOptions(source option.Options, destination option.Options) (option.Options, error) {
+	rawSource, err := json.Marshal(source)
+	if err != nil {
+		return option.Options{}, E.Cause(err, "marshal source")
+	}
+	rawDestination, err := json.Marshal(destination)
+	if err != nil {
+		return option.Options{}, E.Cause(err, "marshal destination")
+	}
+	rawMerged, err := MergeJSON(rawSource, rawDestination)
+	if err != nil {
+		return option.Options{}, E.Cause(err, "merge options")
+	}
+	var merged option.Options
+	err = json.Unmarshal(rawMerged, &merged)
+	if err != nil {
+		return option.Options{}, E.Cause(err, "unmarshal merged options")
+	}
+	return merged, nil
+}
+
+func MergeJSON(rawSource json.RawMessage, rawDestination json.RawMessage) (json.RawMessage, error) {
+	source, err := badjson.Decode(rawSource)
+	if err != nil {
+		return nil, E.Cause(err, "decode source")
+	}
+	destination, err := badjson.Decode(rawDestination)
+	if err != nil {
+		return nil, E.Cause(err, "decode destination")
+	}
+	merged, err := mergeJSON(source, destination)
+	if err != nil {
+		return nil, err
+	}
+	return json.Marshal(merged)
+}
+
+func mergeJSON(anySource any, anyDestination any) (any, error) {
+	switch destination := anyDestination.(type) {
+	case badjson.JSONArray:
+		switch source := anySource.(type) {
+		case badjson.JSONArray:
+			destination = append(destination, source...)
+		default:
+			destination = append(destination, source)
+		}
+		return destination, nil
+	case *badjson.JSONObject:
+		switch source := anySource.(type) {
+		case *badjson.JSONObject:
+			for _, entry := range source.Entries() {
+				oldValue, loaded := destination.Get(entry.Key)
+				if loaded {
+					var err error
+					entry.Value, err = mergeJSON(entry.Value, oldValue)
+					if err != nil {
+						return nil, E.Cause(err, "merge object item ", entry.Key)
+					}
+				}
+				destination.Put(entry.Key, entry.Value)
+			}
+		default:
+			return nil, E.New("cannot merge json object into ", reflect.TypeOf(destination))
+		}
+		return destination, nil
+	default:
+		return destination, nil
+	}
+}

common/badjsonmerge/merge_test.go

@@ -0,0 +1,59 @@
+package badjsonmerge
+
+import (
+	"testing"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	N "github.com/sagernet/sing/common/network"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestMergeJSON(t *testing.T) {
+	t.Parallel()
+	options := option.Options{
+		Log: &option.LogOptions{
+			Level: "info",
+		},
+		Route: &option.RouteOptions{
+			Rules: []option.Rule{
+				{
+					Type: C.RuleTypeDefault,
+					DefaultOptions: option.DefaultRule{
+						Network:  []string{N.NetworkTCP},
+						Outbound: "direct",
+					},
+				},
+			},
+		},
+	}
+	anotherOptions := option.Options{
+		Outbounds: []option.Outbound{
+			{
+				Type: C.TypeDirect,
+				Tag:  "direct",
+			},
+		},
+	}
+	thirdOptions := option.Options{
+		Route: &option.RouteOptions{
+			Rules: []option.Rule{
+				{
+					Type: C.RuleTypeDefault,
+					DefaultOptions: option.DefaultRule{
+						Network:  []string{N.NetworkUDP},
+						Outbound: "direct",
+					},
+				},
+			},
+		},
+	}
+	mergeOptions, err := MergeOptions(options, anotherOptions)
+	require.NoError(t, err)
+	mergeOptions, err = MergeOptions(thirdOptions, mergeOptions)
+	require.NoError(t, err)
+	require.Equal(t, "info", mergeOptions.Log.Level)
+	require.Equal(t, 2, len(mergeOptions.Route.Rules))
+	require.Equal(t, C.TypeDirect, mergeOptions.Outbounds[0].Type)
+}

common/badtls/badtls.go

@@ -0,0 +1,233 @@
+//go:build go1.20 && !go1.21
+
+package badtls
+
+import (
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/tls"
+	"encoding/binary"
+	"io"
+	"net"
+	"reflect"
+	"sync"
+	"sync/atomic"
+	"unsafe"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	N "github.com/sagernet/sing/common/network"
+	aTLS "github.com/sagernet/sing/common/tls"
+)
+
+type Conn struct {
+	*tls.Conn
+	writer              N.ExtendedWriter
+	isHandshakeComplete *atomic.Bool
+	activeCall          *atomic.Int32
+	closeNotifySent     *bool
+	version             *uint16
+	rand                io.Reader
+	halfAccess          *sync.Mutex
+	halfError           *error
+	cipher              cipher.AEAD
+	explicitNonceLen    int
+	halfPtr             uintptr
+	halfSeq             []byte
+	halfScratchBuf      []byte
+}
+
+func TryCreate(conn aTLS.Conn) aTLS.Conn {
+	tlsConn, ok := conn.(*tls.Conn)
+	if !ok {
+		return conn
+	}
+	badConn, err := Create(tlsConn)
+	if err != nil {
+		log.Warn("initialize badtls: ", err)
+		return conn
+	}
+	return badConn
+}
+
+func Create(conn *tls.Conn) (aTLS.Conn, error) {
+	rawConn := reflect.Indirect(reflect.ValueOf(conn))
+	rawIsHandshakeComplete := rawConn.FieldByName("isHandshakeComplete")
+	if !rawIsHandshakeComplete.IsValid() || rawIsHandshakeComplete.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid isHandshakeComplete")
+	}
+	isHandshakeComplete := (*atomic.Bool)(unsafe.Pointer(rawIsHandshakeComplete.UnsafeAddr()))
+	if !isHandshakeComplete.Load() {
+		return nil, E.New("handshake not finished")
+	}
+	rawActiveCall := rawConn.FieldByName("activeCall")
+	if !rawActiveCall.IsValid() || rawActiveCall.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid active call")
+	}
+	activeCall := (*atomic.Int32)(unsafe.Pointer(rawActiveCall.UnsafeAddr()))
+	rawHalfConn := rawConn.FieldByName("out")
+	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid half conn")
+	}
+	rawVersion := rawConn.FieldByName("vers")
+	if !rawVersion.IsValid() || rawVersion.Kind() != reflect.Uint16 {
+		return nil, E.New("badtls: invalid version")
+	}
+	version := (*uint16)(unsafe.Pointer(rawVersion.UnsafeAddr()))
+	rawCloseNotifySent := rawConn.FieldByName("closeNotifySent")
+	if !rawCloseNotifySent.IsValid() || rawCloseNotifySent.Kind() != reflect.Bool {
+		return nil, E.New("badtls: invalid notify")
+	}
+	closeNotifySent := (*bool)(unsafe.Pointer(rawCloseNotifySent.UnsafeAddr()))
+	rawConfig := reflect.Indirect(rawConn.FieldByName("config"))
+	if !rawConfig.IsValid() || rawConfig.Kind() != reflect.Struct {
+		return nil, E.New("badtls: bad config")
+	}
+	config := (*tls.Config)(unsafe.Pointer(rawConfig.UnsafeAddr()))
+	randReader := config.Rand
+	if randReader == nil {
+		randReader = rand.Reader
+	}
+	rawHalfMutex := rawHalfConn.FieldByName("Mutex")
+	if !rawHalfMutex.IsValid() || rawHalfMutex.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid half mutex")
+	}
+	halfAccess := (*sync.Mutex)(unsafe.Pointer(rawHalfMutex.UnsafeAddr()))
+	rawHalfError := rawHalfConn.FieldByName("err")
+	if !rawHalfError.IsValid() || rawHalfError.Kind() != reflect.Interface {
+		return nil, E.New("badtls: invalid half error")
+	}
+	halfError := (*error)(unsafe.Pointer(rawHalfError.UnsafeAddr()))
+	rawHalfCipherInterface := rawHalfConn.FieldByName("cipher")
+	if !rawHalfCipherInterface.IsValid() || rawHalfCipherInterface.Kind() != reflect.Interface {
+		return nil, E.New("badtls: invalid cipher interface")
+	}
+	rawHalfCipher := rawHalfCipherInterface.Elem()
+	aeadCipher, loaded := valueInterface(rawHalfCipher, false).(cipher.AEAD)
+	if !loaded {
+		return nil, E.New("badtls: invalid AEAD cipher")
+	}
+	var explicitNonceLen int
+	switch cipherName := reflect.Indirect(rawHalfCipher).Type().String(); cipherName {
+	case "tls.prefixNonceAEAD":
+		explicitNonceLen = aeadCipher.NonceSize()
+	case "tls.xorNonceAEAD":
+	default:
+		return nil, E.New("badtls: unknown cipher type: ", cipherName)
+	}
+	rawHalfSeq := rawHalfConn.FieldByName("seq")
+	if !rawHalfSeq.IsValid() || rawHalfSeq.Kind() != reflect.Array {
+		return nil, E.New("badtls: invalid seq")
+	}
+	halfSeq := rawHalfSeq.Bytes()
+	rawHalfScratchBuf := rawHalfConn.FieldByName("scratchBuf")
+	if !rawHalfScratchBuf.IsValid() || rawHalfScratchBuf.Kind() != reflect.Array {
+		return nil, E.New("badtls: invalid scratchBuf")
+	}
+	halfScratchBuf := rawHalfScratchBuf.Bytes()
+	return &Conn{
+		Conn:                conn,
+		writer:              bufio.NewExtendedWriter(conn.NetConn()),
+		isHandshakeComplete: isHandshakeComplete,
+		activeCall:          activeCall,
+		closeNotifySent:     closeNotifySent,
+		version:             version,
+		halfAccess:          halfAccess,
+		halfError:           halfError,
+		cipher:              aeadCipher,
+		explicitNonceLen:    explicitNonceLen,
+		rand:                randReader,
+		halfPtr:             rawHalfConn.UnsafeAddr(),
+		halfSeq:             halfSeq,
+		halfScratchBuf:      halfScratchBuf,
+	}, nil
+}
+
+func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
+	if buffer.Len() > maxPlaintext {
+		defer buffer.Release()
+		return common.Error(c.Write(buffer.Bytes()))
+	}
+	for {
+		x := c.activeCall.Load()
+		if x&1 != 0 {
+			return net.ErrClosed
+		}
+		if c.activeCall.CompareAndSwap(x, x+2) {
+			break
+		}
+	}
+	defer c.activeCall.Add(-2)
+	c.halfAccess.Lock()
+	defer c.halfAccess.Unlock()
+	if err := *c.halfError; err != nil {
+		return err
+	}
+	if *c.closeNotifySent {
+		return errShutdown
+	}
+	dataLen := buffer.Len()
+	dataBytes := buffer.Bytes()
+	outBuf := buffer.ExtendHeader(recordHeaderLen + c.explicitNonceLen)
+	outBuf[0] = 23
+	version := *c.version
+	if version == 0 {
+		version = tls.VersionTLS10
+	} else if version == tls.VersionTLS13 {
+		version = tls.VersionTLS12
+	}
+	binary.BigEndian.PutUint16(outBuf[1:], version)
+	var nonce []byte
+	if c.explicitNonceLen > 0 {
+		nonce = outBuf[5 : 5+c.explicitNonceLen]
+		if c.explicitNonceLen < 16 {
+			copy(nonce, c.halfSeq)
+		} else {
+			if _, err := io.ReadFull(c.rand, nonce); err != nil {
+				return err
+			}
+		}
+	}
+	if len(nonce) == 0 {
+		nonce = c.halfSeq
+	}
+	if *c.version == tls.VersionTLS13 {
+		buffer.FreeBytes()[0] = 23
+		binary.BigEndian.PutUint16(outBuf[3:], uint16(dataLen+1+c.cipher.Overhead()))
+		c.cipher.Seal(outBuf, nonce, outBuf[recordHeaderLen:recordHeaderLen+c.explicitNonceLen+dataLen+1], outBuf[:recordHeaderLen])
+		buffer.Extend(1 + c.cipher.Overhead())
+	} else {
+		binary.BigEndian.PutUint16(outBuf[3:], uint16(dataLen))
+		additionalData := append(c.halfScratchBuf[:0], c.halfSeq...)
+		additionalData = append(additionalData, outBuf[:recordHeaderLen]...)
+		c.cipher.Seal(outBuf, nonce, dataBytes, additionalData)
+		buffer.Extend(c.cipher.Overhead())
+		binary.BigEndian.PutUint16(outBuf[3:], uint16(dataLen+c.explicitNonceLen+c.cipher.Overhead()))
+	}
+	incSeq(c.halfPtr)
+	log.Trace("badtls write ", buffer.Len())
+	return c.writer.WriteBuffer(buffer)
+}
+
+func (c *Conn) FrontHeadroom() int {
+	return recordHeaderLen + c.explicitNonceLen
+}
+
+func (c *Conn) RearHeadroom() int {
+	return 1 + c.cipher.Overhead()
+}
+
+func (c *Conn) WriterMTU() int {
+	return maxPlaintext
+}
+
+func (c *Conn) Upstream() any {
+	return c.Conn
+}
+
+func (c *Conn) UpstreamWriter() any {
+	return c.NetConn()
+}

common/badtls/badtls_stub.go

@@ -0,0 +1,14 @@
+//go:build !go1.19 || go1.21
+
+package badtls
+
+import (
+	"crypto/tls"
+	"os"
+
+	aTLS "github.com/sagernet/sing/common/tls"
+)
+
+func Create(conn *tls.Conn) (aTLS.Conn, error) {
+	return nil, os.ErrInvalid
+}

common/badtls/link.go

@@ -0,0 +1,22 @@
+//go:build go1.20 && !go.1.21
+
+package badtls
+
+import (
+	"reflect"
+	_ "unsafe"
+)
+
+const (
+	maxPlaintext    = 16384 // maximum plaintext payload length
+	recordHeaderLen = 5     // record header length
+)
+
+//go:linkname errShutdown crypto/tls.errShutdown
+var errShutdown error
+
+//go:linkname incSeq crypto/tls.(*halfConn).incSeq
+func incSeq(conn uintptr)
+
+//go:linkname valueInterface reflect.valueInterface
+func valueInterface(v reflect.Value, safe bool) any

common/badtls/read_wait.go

@@ -1,119 +0,0 @@
-//go:build go1.21 && !without_badtls
-
-package badtls
-
-import (
-	"bytes"
-	"os"
-	"reflect"
-	"sync"
-	"unsafe"
-
-	"github.com/sagernet/sing/common/buf"
-	E "github.com/sagernet/sing/common/exceptions"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/tls"
-)
-
-var _ N.ReadWaiter = (*ReadWaitConn)(nil)
-
-type ReadWaitConn struct {
-	*tls.STDConn
-	halfAccess      *sync.Mutex
-	rawInput        *bytes.Buffer
-	input           *bytes.Reader
-	hand            *bytes.Buffer
-	readWaitOptions N.ReadWaitOptions
-}
-
-func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
-	stdConn, isSTDConn := conn.(*tls.STDConn)
-	if !isSTDConn {
-		return nil, os.ErrInvalid
-	}
-	rawConn := reflect.Indirect(reflect.ValueOf(stdConn))
-	rawHalfConn := rawConn.FieldByName("in")
-	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid half conn")
-	}
-	rawHalfMutex := rawHalfConn.FieldByName("Mutex")
-	if !rawHalfMutex.IsValid() || rawHalfMutex.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid half mutex")
-	}
-	halfAccess := (*sync.Mutex)(unsafe.Pointer(rawHalfMutex.UnsafeAddr()))
-	rawRawInput := rawConn.FieldByName("rawInput")
-	if !rawRawInput.IsValid() || rawRawInput.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid raw input")
-	}
-	rawInput := (*bytes.Buffer)(unsafe.Pointer(rawRawInput.UnsafeAddr()))
-	rawInput0 := rawConn.FieldByName("input")
-	if !rawInput0.IsValid() || rawInput0.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid input")
-	}
-	input := (*bytes.Reader)(unsafe.Pointer(rawInput0.UnsafeAddr()))
-	rawHand := rawConn.FieldByName("hand")
-	if !rawHand.IsValid() || rawHand.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid hand")
-	}
-	hand := (*bytes.Buffer)(unsafe.Pointer(rawHand.UnsafeAddr()))
-	return &ReadWaitConn{
-		STDConn:    stdConn,
-		halfAccess: halfAccess,
-		rawInput:   rawInput,
-		input:      input,
-		hand:       hand,
-	}, nil
-}
-
-func (c *ReadWaitConn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy bool) {
-	c.readWaitOptions = options
-	return false
-}
-
-func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
-	err = c.Handshake()
-	if err != nil {
-		return
-	}
-	c.halfAccess.Lock()
-	defer c.halfAccess.Unlock()
-	for c.input.Len() == 0 {
-		err = tlsReadRecord(c.STDConn)
-		if err != nil {
-			return
-		}
-		for c.hand.Len() > 0 {
-			err = tlsHandlePostHandshakeMessage(c.STDConn)
-			if err != nil {
-				return
-			}
-		}
-	}
-	buffer = c.readWaitOptions.NewBuffer()
-	n, err := c.input.Read(buffer.FreeBytes())
-	if err != nil {
-		buffer.Release()
-		return
-	}
-	buffer.Truncate(n)
-
-	if n != 0 && c.input.Len() == 0 && c.rawInput.Len() > 0 &&
-		// recordType(c.rawInput.Bytes()[0]) == recordTypeAlert {
-		c.rawInput.Bytes()[0] == 21 {
-		_ = tlsReadRecord(c.STDConn)
-		// return n, err // will be io.EOF on closeNotify
-	}
-
-	c.readWaitOptions.PostReturn(buffer)
-	return
-}
-
-func (c *ReadWaitConn) Upstream() any {
-	return c.STDConn
-}
-
-//go:linkname tlsReadRecord crypto/tls.(*Conn).readRecord
-func tlsReadRecord(c *tls.STDConn) error
-
-//go:linkname tlsHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
-func tlsHandlePostHandshakeMessage(c *tls.STDConn) error

common/badtls/read_wait_stub.go

@@ -1,13 +0,0 @@
-//go:build !go1.21 || without_badtls
-
-package badtls
-
-import (
-	"os"
-
-	"github.com/sagernet/sing/common/tls"
-)
-
-func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
-	return nil, os.ErrInvalid
-}

common/badversion/version_json.go

@@ -1,6 +1,6 @@
 package badversion
 
-import "github.com/sagernet/sing/common/json"
+import "github.com/sagernet/sing-box/common/json"
 
 func (v Version) MarshalJSON() ([]byte, error) {
 	return json.Marshal(v.String())

common/dialer/default.go

@@ -15,17 +15,14 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )
 
-var _ WireGuardListener = (*DefaultDialer)(nil)
-
 type DefaultDialer struct {
-	dialer4             tcpDialer
-	dialer6             tcpDialer
-	udpDialer4          net.Dialer
-	udpDialer6          net.Dialer
-	udpListener         net.ListenConfig
-	udpAddr4            string
-	udpAddr6            string
-	isWireGuardListener bool
+	dialer4     tcpDialer
+	dialer6     tcpDialer
+	udpDialer4  net.Dialer
+	udpDialer6  net.Dialer
+	udpListener net.ListenConfig
+	udpAddr4    string
+	udpAddr6    string
 }
 
 func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDialer, error) {
@@ -101,11 +98,6 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		}
 		setMultiPathTCP(&dialer4)
 	}
-	if options.IsWireGuardListener {
-		for _, controlFn := range wgControlFns {
-			listener.Control = control.Append(listener.Control, controlFn)
-		}
-	}
 	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
 	if err != nil {
 		return nil, err
@@ -122,7 +114,6 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		listener,
 		udpAddr4,
 		udpAddr6,
-		options.IsWireGuardListener,
 	}, nil
 }
 
@@ -146,19 +137,13 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 }
 
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if destination.IsIPv6() {
-		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
-	} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
-		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP+"4", d.udpAddr4))
-	} else {
+	if !destination.IsIPv6() {
 		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
+	} else {
+		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
 	}
 }
 
-func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
-	return trackPacketConn(d.udpListener.ListenPacket(context.Background(), network, address))
-}
-
 func trackConn(conn net.Conn, err error) (net.Conn, error) {
 	if !conntrack.Enabled || err != nil {
 		return conn, err

common/dialer/dialer.go

@@ -6,13 +6,15 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
+	"github.com/sagernet/sing/common"
 	N "github.com/sagernet/sing/common/network"
 )
 
+func MustNew(router adapter.Router, options option.DialerOptions) N.Dialer {
+	return common.Must1(New(router, options))
+}
+
 func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error) {
-	if options.IsWireGuardListener {
-		return NewDefault(router, options)
-	}
 	var (
 		dialer N.Dialer
 		err    error
@@ -27,12 +29,7 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	}
 	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
-		dialer = NewResolveDialer(
-			router,
-			dialer,
-			options.Detour == "" && !options.TCPFastOpen,
-			domainStrategy,
-			time.Duration(options.FallbackDelay))
+		dialer = NewResolveDialer(router, dialer, domainStrategy, time.Duration(options.FallbackDelay))
 	}
 	return dialer, nil
 }

common/dialer/resolve.go

@@ -16,16 +16,14 @@ import (
 
 type ResolveDialer struct {
 	dialer        N.Dialer
-	parallel      bool
 	router        adapter.Router
 	strategy      dns.DomainStrategy
 	fallbackDelay time.Duration
 }
 
-func NewResolveDialer(router adapter.Router, dialer N.Dialer, parallel bool, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
+func NewResolveDialer(router adapter.Router, dialer N.Dialer, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
 	return &ResolveDialer{
 		dialer,
-		parallel,
 		router,
 		strategy,
 		fallbackDelay,
@@ -36,7 +34,7 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
 	metadata.Destination = destination
 	metadata.Domain = ""
@@ -50,18 +48,14 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 	if err != nil {
 		return nil, err
 	}
-	if d.parallel {
-		return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
-	} else {
-		return N.DialSerial(ctx, d.dialer, network, destination, addresses)
-	}
+	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
 }
 
 func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
 	metadata.Destination = destination
 	metadata.Domain = ""

common/dialer/router.go

@@ -18,19 +18,11 @@ func NewRouter(router adapter.Router) N.Dialer {
 }
 
 func (d *RouterDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	dialer, err := d.router.DefaultOutbound(network)
-	if err != nil {
-		return nil, err
-	}
-	return dialer.DialContext(ctx, network, destination)
+	return d.router.DefaultOutbound(network).DialContext(ctx, network, destination)
 }
 
 func (d *RouterDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	dialer, err := d.router.DefaultOutbound(N.NetworkUDP)
-	if err != nil {
-		return nil, err
-	}
-	return dialer.ListenPacket(ctx, destination)
+	return d.router.DefaultOutbound(N.NetworkUDP).ListenPacket(ctx, destination)
 }
 
 func (d *RouterDialer) Upstream() any {

common/dialer/wireguard.go

@@ -1,9 +0,0 @@
-package dialer
-
-import (
-	"net"
-)
-
-type WireGuardListener interface {
-	ListenPacketCompat(network, address string) (net.PacketConn, error)
-}

common/dialer/wireguard_control.go

@@ -1,11 +0,0 @@
-//go:build with_wireguard
-
-package dialer
-
-import (
-	"github.com/sagernet/wireguard-go/conn"
-)
-
-var _ WireGuardListener = (conn.Listener)(nil)
-
-var wgControlFns = conn.ControlFns

common/dialer/wiregurad_stub.go

@@ -1,9 +0,0 @@
-//go:build !with_wireguard
-
-package dialer
-
-import (
-	"github.com/sagernet/sing/common/control"
-)
-
-var wgControlFns []control.Func

common/geoip/reader.go

@@ -32,7 +32,3 @@ func (r *Reader) Lookup(addr netip.Addr) string {
 	}
 	return "unknown"
 }
-
-func (r *Reader) Close() error {
-	return r.reader.Close()
-}

common/interrupt/conn.go

@@ -1,75 +0,0 @@
-package interrupt
-
-import (
-	"net"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-/*type GroupedConn interface {
-	MarkAsInternal()
-}
-
-func MarkAsInternal(conn any) {
-	if groupedConn, isGroupConn := common.Cast[GroupedConn](conn); isGroupConn {
-		groupedConn.MarkAsInternal()
-	}
-}*/
-
-type Conn struct {
-	net.Conn
-	group   *Group
-	element *list.Element[*groupConnItem]
-}
-
-/*func (c *Conn) MarkAsInternal() {
-	c.element.Value.internal = true
-}*/
-
-func (c *Conn) Close() error {
-	c.group.access.Lock()
-	defer c.group.access.Unlock()
-	c.group.connections.Remove(c.element)
-	return c.Conn.Close()
-}
-
-func (c *Conn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *Conn) WriterReplaceable() bool {
-	return true
-}
-
-func (c *Conn) Upstream() any {
-	return c.Conn
-}
-
-type PacketConn struct {
-	net.PacketConn
-	group   *Group
-	element *list.Element[*groupConnItem]
-}
-
-/*func (c *PacketConn) MarkAsInternal() {
-	c.element.Value.internal = true
-}*/
-
-func (c *PacketConn) Close() error {
-	c.group.access.Lock()
-	defer c.group.access.Unlock()
-	c.group.connections.Remove(c.element)
-	return c.PacketConn.Close()
-}
-
-func (c *PacketConn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) WriterReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) Upstream() any {
-	return c.PacketConn
-}

common/interrupt/context.go

@@ -1,13 +0,0 @@
-package interrupt
-
-import "context"
-
-type contextKeyIsExternalConnection struct{}
-
-func ContextWithIsExternalConnection(ctx context.Context) context.Context {
-	return context.WithValue(ctx, contextKeyIsExternalConnection{}, true)
-}
-
-func IsExternalConnectionFromContext(ctx context.Context) bool {
-	return ctx.Value(contextKeyIsExternalConnection{}) != nil
-}

common/interrupt/group.go

@@ -1,52 +0,0 @@
-package interrupt
-
-import (
-	"io"
-	"net"
-	"sync"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type Group struct {
-	access      sync.Mutex
-	connections list.List[*groupConnItem]
-}
-
-type groupConnItem struct {
-	conn       io.Closer
-	isExternal bool
-}
-
-func NewGroup() *Group {
-	return &Group{}
-}
-
-func (g *Group) NewConn(conn net.Conn, isExternal bool) net.Conn {
-	g.access.Lock()
-	defer g.access.Unlock()
-	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
-	return &Conn{Conn: conn, group: g, element: item}
-}
-
-func (g *Group) NewPacketConn(conn net.PacketConn, isExternal bool) net.PacketConn {
-	g.access.Lock()
-	defer g.access.Unlock()
-	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
-	return &PacketConn{PacketConn: conn, group: g, element: item}
-}
-
-func (g *Group) Interrupt(interruptExternalConnections bool) {
-	g.access.Lock()
-	defer g.access.Unlock()
-	var toDelete []*list.Element[*groupConnItem]
-	for element := g.connections.Front(); element != nil; element = element.Next() {
-		if !element.Value.isExternal || interruptExternalConnections {
-			element.Value.conn.Close()
-			toDelete = append(toDelete, element)
-		}
-	}
-	for _, element := range toDelete {
-		g.connections.Remove(element)
-	}
-}

common/json/comment.go

@@ -0,0 +1,128 @@
+package json
+
+import (
+	"bufio"
+	"io"
+)
+
+// kanged from v2ray
+
+type commentFilterState = byte
+
+const (
+	commentFilterStateContent commentFilterState = iota
+	commentFilterStateEscape
+	commentFilterStateDoubleQuote
+	commentFilterStateDoubleQuoteEscape
+	commentFilterStateSingleQuote
+	commentFilterStateSingleQuoteEscape
+	commentFilterStateComment
+	commentFilterStateSlash
+	commentFilterStateMultilineComment
+	commentFilterStateMultilineCommentStar
+)
+
+type CommentFilter struct {
+	br    *bufio.Reader
+	state commentFilterState
+}
+
+func NewCommentFilter(reader io.Reader) io.Reader {
+	return &CommentFilter{br: bufio.NewReader(reader)}
+}
+
+func (v *CommentFilter) Read(b []byte) (int, error) {
+	p := b[:0]
+	for len(p) < len(b)-2 {
+		x, err := v.br.ReadByte()
+		if err != nil {
+			if len(p) == 0 {
+				return 0, err
+			}
+			return len(p), nil
+		}
+		switch v.state {
+		case commentFilterStateContent:
+			switch x {
+			case '"':
+				v.state = commentFilterStateDoubleQuote
+				p = append(p, x)
+			case '\'':
+				v.state = commentFilterStateSingleQuote
+				p = append(p, x)
+			case '\\':
+				v.state = commentFilterStateEscape
+			case '#':
+				v.state = commentFilterStateComment
+			case '/':
+				v.state = commentFilterStateSlash
+			default:
+				p = append(p, x)
+			}
+		case commentFilterStateEscape:
+			p = append(p, '\\', x)
+			v.state = commentFilterStateContent
+		case commentFilterStateDoubleQuote:
+			switch x {
+			case '"':
+				v.state = commentFilterStateContent
+				p = append(p, x)
+			case '\\':
+				v.state = commentFilterStateDoubleQuoteEscape
+			default:
+				p = append(p, x)
+			}
+		case commentFilterStateDoubleQuoteEscape:
+			p = append(p, '\\', x)
+			v.state = commentFilterStateDoubleQuote
+		case commentFilterStateSingleQuote:
+			switch x {
+			case '\'':
+				v.state = commentFilterStateContent
+				p = append(p, x)
+			case '\\':
+				v.state = commentFilterStateSingleQuoteEscape
+			default:
+				p = append(p, x)
+			}
+		case commentFilterStateSingleQuoteEscape:
+			p = append(p, '\\', x)
+			v.state = commentFilterStateSingleQuote
+		case commentFilterStateComment:
+			if x == '\n' {
+				v.state = commentFilterStateContent
+				p = append(p, '\n')
+			}
+		case commentFilterStateSlash:
+			switch x {
+			case '/':
+				v.state = commentFilterStateComment
+			case '*':
+				v.state = commentFilterStateMultilineComment
+			default:
+				p = append(p, '/', x)
+			}
+		case commentFilterStateMultilineComment:
+			switch x {
+			case '*':
+				v.state = commentFilterStateMultilineCommentStar
+			case '\n':
+				p = append(p, '\n')
+			}
+		case commentFilterStateMultilineCommentStar:
+			switch x {
+			case '/':
+				v.state = commentFilterStateContent
+			case '*':
+				// Stay
+			case '\n':
+				p = append(p, '\n')
+			default:
+				v.state = commentFilterStateMultilineComment
+			}
+		default:
+			panic("Unknown state.")
+		}
+	}
+	return len(p), nil
+}

common/json/std.go

@@ -0,0 +1,18 @@
+package json
+
+import "encoding/json"
+
+var (
+	Marshal    = json.Marshal
+	Unmarshal  = json.Unmarshal
+	NewEncoder = json.NewEncoder
+	NewDecoder = json.NewDecoder
+)
+
+type (
+	Encoder     = json.Encoder
+	Decoder     = json.Decoder
+	Token       = json.Token
+	Delim       = json.Delim
+	SyntaxError = json.SyntaxError
+)

common/mux/client.go

@@ -1,42 +1,21 @@
 package mux
 
 import (
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-mux"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 	N "github.com/sagernet/sing/common/network"
 )
 
-type Client = mux.Client
-
-func NewClientWithOptions(dialer N.Dialer, logger logger.Logger, options option.OutboundMultiplexOptions) (*Client, error) {
+func NewClientWithOptions(dialer N.Dialer, options option.MultiplexOptions) (*Client, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
-	var brutalOptions mux.BrutalOptions
-	if options.Brutal != nil && options.Brutal.Enabled {
-		brutalOptions = mux.BrutalOptions{
-			Enabled:    true,
-			SendBPS:    uint64(options.Brutal.UpMbps * C.MbpsToBps),
-			ReceiveBPS: uint64(options.Brutal.DownMbps * C.MbpsToBps),
-		}
-		if brutalOptions.SendBPS < mux.BrutalMinSpeedBPS {
-			return nil, E.New("brutal: invalid upload speed")
-		}
-		if brutalOptions.ReceiveBPS < mux.BrutalMinSpeedBPS {
-			return nil, E.New("brutal: invalid download speed")
-		}
-	}
 	return mux.NewClient(mux.Options{
 		Dialer:         dialer,
-		Logger:         logger,
 		Protocol:       options.Protocol,
 		MaxConnections: options.MaxConnections,
 		MinStreams:     options.MinStreams,
 		MaxStreams:     options.MaxStreams,
 		Padding:        options.Padding,
-		Brutal:         brutalOptions,
 	})
 }

common/mux/protocol.go

@@ -0,0 +1,14 @@
+package mux
+
+import (
+	"github.com/sagernet/sing-mux"
+)
+
+type (
+	Client = mux.Client
+)
+
+var (
+	Destination      = mux.Destination
+	HandleConnection = mux.HandleConnection
+)

common/mux/router.go

@@ -1,65 +0,0 @@
-package mux
-
-import (
-	"context"
-	"net"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-mux"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type Router struct {
-	router  adapter.ConnectionRouter
-	service *mux.Service
-}
-
-func NewRouterWithOptions(router adapter.ConnectionRouter, logger logger.ContextLogger, options option.InboundMultiplexOptions) (adapter.ConnectionRouter, error) {
-	if !options.Enabled {
-		return router, nil
-	}
-	var brutalOptions mux.BrutalOptions
-	if options.Brutal != nil && options.Brutal.Enabled {
-		brutalOptions = mux.BrutalOptions{
-			Enabled:    true,
-			SendBPS:    uint64(options.Brutal.UpMbps * C.MbpsToBps),
-			ReceiveBPS: uint64(options.Brutal.DownMbps * C.MbpsToBps),
-		}
-		if brutalOptions.SendBPS < mux.BrutalMinSpeedBPS {
-			return nil, E.New("brutal: invalid upload speed")
-		}
-		if brutalOptions.ReceiveBPS < mux.BrutalMinSpeedBPS {
-			return nil, E.New("brutal: invalid download speed")
-		}
-	}
-	service, err := mux.NewService(mux.ServiceOptions{
-		NewStreamContext: func(ctx context.Context, conn net.Conn) context.Context {
-			return log.ContextWithNewID(ctx)
-		},
-		Logger:  logger,
-		Handler: adapter.NewRouteContextHandler(router, logger),
-		Padding: options.Padding,
-		Brutal:  brutalOptions,
-	})
-	if err != nil {
-		return nil, err
-	}
-	return &Router{router, service}, nil
-}
-
-func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	if metadata.Destination == mux.Destination {
-		return r.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, adapter.UpstreamMetadata(metadata))
-	} else {
-		return r.router.RouteConnection(ctx, conn, metadata)
-	}
-}
-
-func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	return r.router.RoutePacketConnection(ctx, conn, metadata)
-}

common/mux/v2ray_legacy.go

@@ -1,32 +0,0 @@
-package mux
-
-import (
-	"context"
-	"net"
-
-	"github.com/sagernet/sing-box/adapter"
-	vmess "github.com/sagernet/sing-vmess"
-	"github.com/sagernet/sing/common/logger"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type V2RayLegacyRouter struct {
-	router adapter.ConnectionRouter
-	logger logger.ContextLogger
-}
-
-func NewV2RayLegacyRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) adapter.ConnectionRouter {
-	return &V2RayLegacyRouter{router, logger}
-}
-
-func (r *V2RayLegacyRouter) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	if metadata.Destination.Fqdn == vmess.MuxDestination.Fqdn {
-		r.logger.InfoContext(ctx, "inbound legacy multiplex connection")
-		return vmess.HandleMuxConnection(ctx, conn, adapter.NewRouteHandler(metadata, r.router, r.logger))
-	}
-	return r.router.RouteConnection(ctx, conn, metadata)
-}
-
-func (r *V2RayLegacyRouter) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	return r.router.RoutePacketConnection(ctx, conn, metadata)
-}

common/proxyproto/dialer.go

@@ -0,0 +1,50 @@
+package proxyproto
+
+import (
+	"context"
+	"net"
+	"net/netip"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+
+	"github.com/pires/go-proxyproto"
+)
+
+var _ N.Dialer = (*Dialer)(nil)
+
+type Dialer struct {
+	N.Dialer
+}
+
+func (d *Dialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	switch N.NetworkName(network) {
+	case N.NetworkTCP:
+		conn, err := d.Dialer.DialContext(ctx, network, destination)
+		if err != nil {
+			return nil, err
+		}
+		var source M.Socksaddr
+		metadata := adapter.ContextFrom(ctx)
+		if metadata != nil {
+			source = metadata.Source
+		}
+		if !source.IsValid() {
+			source = M.SocksaddrFromNet(conn.LocalAddr())
+		}
+		if destination.Addr.Is6() {
+			source = M.SocksaddrFrom(netip.AddrFrom16(source.Addr.As16()), source.Port)
+		}
+		h := proxyproto.HeaderProxyFromAddrs(1, source.TCPAddr(), destination.TCPAddr())
+		_, err = h.WriteTo(conn)
+		if err != nil {
+			conn.Close()
+			return nil, E.Cause(err, "write proxy protocol header")
+		}
+		return conn, nil
+	default:
+		return d.Dialer.DialContext(ctx, network, destination)
+	}
+}

common/proxyproto/listener.go

@@ -0,0 +1,62 @@
+package proxyproto
+
+import (
+	std_bufio "bufio"
+	"net"
+
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	M "github.com/sagernet/sing/common/metadata"
+
+	"github.com/pires/go-proxyproto"
+)
+
+type Listener struct {
+	net.Listener
+	AcceptNoHeader bool
+}
+
+func (l *Listener) Accept() (net.Conn, error) {
+	conn, err := l.Listener.Accept()
+	if err != nil {
+		return nil, err
+	}
+	bufReader := std_bufio.NewReader(conn)
+	header, err := proxyproto.Read(bufReader)
+	if err != nil && !(l.AcceptNoHeader && err == proxyproto.ErrNoProxyProtocol) {
+		return nil, &Error{err}
+	}
+	if bufReader.Buffered() > 0 {
+		cache := buf.NewSize(bufReader.Buffered())
+		_, err = cache.ReadFullFrom(bufReader, cache.FreeLen())
+		if err != nil {
+			return nil, &Error{err}
+		}
+		conn = bufio.NewCachedConn(conn, cache)
+	}
+	if header != nil {
+		return &bufio.AddrConn{Conn: conn, Metadata: M.Metadata{
+			Source:      M.SocksaddrFromNet(header.SourceAddr).Unwrap(),
+			Destination: M.SocksaddrFromNet(header.DestinationAddr).Unwrap(),
+		}}, nil
+	}
+	return conn, nil
+}
+
+var _ net.Error = (*Error)(nil)
+
+type Error struct {
+	error
+}
+
+func (e *Error) Unwrap() error {
+	return e.error
+}
+
+func (e *Error) Timeout() bool {
+	return false
+}
+
+func (e *Error) Temporary() bool {
+	return true
+}

common/settings/proxy_android.go

@@ -1,73 +1,43 @@
 package settings
 
 import (
-	"context"
 	"os"
 	"strings"
 
+	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )
 
-type AndroidSystemProxy struct {
-	useRish      bool
-	rishPath     string
-	serverAddr   M.Socksaddr
-	supportSOCKS bool
-	isEnabled    bool
-}
+var (
+	useRish  bool
+	rishPath string
+)
 
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*AndroidSystemProxy, error) {
+func init() {
 	userId := os.Getuid()
-	var (
-		useRish  bool
-		rishPath string
-	)
 	if userId == 0 || userId == 1000 || userId == 2000 {
 		useRish = false
 	} else {
 		rishPath, useRish = C.FindPath("rish")
-		if !useRish {
-			return nil, E.Cause(os.ErrPermission, "root or system (adb) permission is required for set system proxy")
-		}
 	}
-	return &AndroidSystemProxy{
-		useRish:      useRish,
-		rishPath:     rishPath,
-		serverAddr:   serverAddr,
-		supportSOCKS: supportSOCKS,
-	}, nil
 }
 
-func (p *AndroidSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *AndroidSystemProxy) Enable() error {
-	err := p.runAndroidShell("settings", "put", "global", "http_proxy", p.serverAddr.String())
-	if err != nil {
-		return err
-	}
-	p.isEnabled = true
-	return nil
-}
-
-func (p *AndroidSystemProxy) Disable() error {
-	err := p.runAndroidShell("settings", "put", "global", "http_proxy", ":0")
-	if err != nil {
-		return err
-	}
-	p.isEnabled = false
-	return nil
-}
-
-func (p *AndroidSystemProxy) runAndroidShell(name string, args ...string) error {
-	if !p.useRish {
+func runAndroidShell(name string, args ...string) error {
+	if !useRish {
 		return shell.Exec(name, args...).Attach().Run()
 	} else {
-		return shell.Exec("sh", p.rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return shell.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	}
 }
+
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	err := runAndroidShell("settings", "put", "global", "http_proxy", F.ToString("127.0.0.1:", port))
+	if err != nil {
+		return nil, err
+	}
+	return func() error {
+		return runAndroidShell("settings", "put", "global", "http_proxy", ":0")
+	}, nil
+}

common/settings/proxy_darwin.go

@@ -1,56 +1,56 @@
 package settings
 
 import (
-	"context"
 	"net/netip"
-	"strconv"
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
 )
 
-type DarwinSystemProxy struct {
+type systemProxy struct {
 	monitor       tun.DefaultInterfaceMonitor
 	interfaceName string
 	element       *list.Element[tun.DefaultInterfaceUpdateCallback]
-	serverAddr    M.Socksaddr
-	supportSOCKS  bool
-	isEnabled     bool
+	port          uint16
+	isMixed       bool
 }
 
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*DarwinSystemProxy, error) {
-	interfaceMonitor := adapter.RouterFromContext(ctx).InterfaceMonitor()
-	if interfaceMonitor == nil {
-		return nil, E.New("missing interface monitor")
+func (p *systemProxy) update(event int) {
+	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
+	if p.interfaceName == newInterfaceName {
+		return
 	}
-	proxy := &DarwinSystemProxy{
-		monitor:      interfaceMonitor,
-		serverAddr:   serverAddr,
-		supportSOCKS: supportSOCKS,
+	if p.interfaceName != "" {
+		_ = p.unset()
 	}
-	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
-	return proxy, nil
+	p.interfaceName = newInterfaceName
+	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
+	if err != nil {
+		return
+	}
+	if p.isMixed {
+		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+	}
+	if err == nil {
+		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+	}
+	if err == nil {
+		_ = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+	}
+	return
 }
 
-func (p *DarwinSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *DarwinSystemProxy) Enable() error {
-	return p.update0()
-}
-
-func (p *DarwinSystemProxy) Disable() error {
+func (p *systemProxy) unset() error {
 	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
 	if err != nil {
 		return err
 	}
-	if p.supportSOCKS {
+	if p.isMixed {
 		err = shell.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
@@ -59,53 +59,9 @@ func (p *DarwinSystemProxy) Disable() error {
 	if err == nil {
 		err = shell.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
-	if err == nil {
-		p.isEnabled = false
-	}
 	return err
 }
 
-func (p *DarwinSystemProxy) update(event int) {
-	if event&tun.EventInterfaceUpdate == 0 {
-		return
-	}
-	if !p.isEnabled {
-		return
-	}
-	_ = p.update0()
-}
-
-func (p *DarwinSystemProxy) update0() error {
-	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
-	if p.interfaceName == newInterfaceName {
-		return nil
-	}
-	if p.interfaceName != "" {
-		_ = p.Disable()
-	}
-	p.interfaceName = newInterfaceName
-	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
-	if err != nil {
-		return err
-	}
-	if p.supportSOCKS {
-		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
-	}
-	if err != nil {
-		return err
-	}
-	err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
-	if err != nil {
-		return err
-	}
-	err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
-	if err != nil {
-		return err
-	}
-	p.isEnabled = true
-	return nil
-}
-
 func getInterfaceDisplayName(name string) (string, error) {
 	content, err := shell.Exec("networksetup", "-listallhardwareports").ReadOutput()
 	if err != nil {
@@ -121,3 +77,21 @@ func getInterfaceDisplayName(name string) (string, error) {
 	}
 	return "", E.New(name, " not found in networksetup -listallhardwareports")
 }
+
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	interfaceMonitor := router.InterfaceMonitor()
+	if interfaceMonitor == nil {
+		return nil, E.New("missing interface monitor")
+	}
+	proxy := &systemProxy{
+		monitor: interfaceMonitor,
+		port:    port,
+		isMixed: isMixed,
+	}
+	proxy.update(tun.EventInterfaceUpdate)
+	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
+	return func() error {
+		interfaceMonitor.UnregisterCallback(proxy.element)
+		return proxy.unset()
+	}, nil
+}

common/settings/proxy_linux.go

@@ -3,161 +3,75 @@
 package settings
 
 import (
-	"context"
 	"os"
 	"os/exec"
 	"strings"
 
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )
 
-type LinuxSystemProxy struct {
-	hasGSettings     bool
-	hasKWriteConfig5 bool
-	sudoUser         string
-	serverAddr       M.Socksaddr
-	supportSOCKS     bool
-	isEnabled        bool
-}
+var (
+	hasGSettings bool
+	sudoUser     string
+)
 
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*LinuxSystemProxy, error) {
-	hasGSettings := common.Error(exec.LookPath("gsettings")) == nil
-	hasKWriteConfig5 := common.Error(exec.LookPath("kwriteconfig5")) == nil
-	var sudoUser string
+func init() {
+	hasGSettings = common.Error(exec.LookPath("gsettings")) == nil
 	if os.Getuid() == 0 {
 		sudoUser = os.Getenv("SUDO_USER")
 	}
-	if !hasGSettings && !hasKWriteConfig5 {
-		return nil, E.New("unsupported desktop environment")
-	}
-	return &LinuxSystemProxy{
-		hasGSettings:     hasGSettings,
-		hasKWriteConfig5: hasKWriteConfig5,
-		sudoUser:         sudoUser,
-		serverAddr:       serverAddr,
-		supportSOCKS:     supportSOCKS,
-	}, nil
 }
 
-func (p *LinuxSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *LinuxSystemProxy) Enable() error {
-	if p.hasGSettings {
-		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
-		if err != nil {
-			return err
-		}
-		if p.supportSOCKS {
-			err = p.setGnomeProxy("ftp", "http", "https", "socks")
-		} else {
-			err = p.setGnomeProxy("http", "https")
-		}
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(p.supportSOCKS))
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
-		if err != nil {
-			return err
-		}
-	}
-	if p.hasKWriteConfig5 {
-		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "1")
-		if err != nil {
-			return err
-		}
-		if p.supportSOCKS {
-			err = p.setKDEProxy("ftp", "http", "https", "socks")
-		} else {
-			err = p.setKDEProxy("http", "https")
-		}
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "Authmode", "0")
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
-		if err != nil {
-			return err
-		}
-	}
-	p.isEnabled = true
-	return nil
-}
-
-func (p *LinuxSystemProxy) Disable() error {
-	if p.hasGSettings {
-		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
-		if err != nil {
-			return err
-		}
-	}
-	if p.hasKWriteConfig5 {
-		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "0")
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
-		if err != nil {
-			return err
-		}
-	}
-	p.isEnabled = false
-	return nil
-}
-
-func (p *LinuxSystemProxy) runAsUser(name string, args ...string) error {
+func runAsUser(name string, args ...string) error {
 	if os.Getuid() != 0 {
 		return shell.Exec(name, args...).Attach().Run()
-	} else if p.sudoUser != "" {
-		return shell.Exec("su", "-", p.sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+	} else if sudoUser != "" {
+		return shell.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	} else {
 		return E.New("set system proxy: unable to set as root")
 	}
 }
 
-func (p *LinuxSystemProxy) setGnomeProxy(proxyTypes ...string) error {
-	for _, proxyType := range proxyTypes {
-		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", p.serverAddr.AddrString())
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(p.serverAddr.Port))
-		if err != nil {
-			return err
-		}
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	if !hasGSettings {
+		return nil, E.New("unsupported desktop environment")
 	}
-	return nil
+	err := runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
+	if err != nil {
+		return nil, err
+	}
+	if isMixed {
+		err = setGnomeProxy(port, "ftp", "http", "https", "socks")
+	} else {
+		err = setGnomeProxy(port, "http", "https")
+	}
+	if err != nil {
+		return nil, err
+	}
+	err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(isMixed))
+	if err != nil {
+		return nil, err
+	}
+	err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
+	if err != nil {
+		return nil, err
+	}
+	return func() error {
+		return runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
+	}, nil
 }
 
-func (p *LinuxSystemProxy) setKDEProxy(proxyTypes ...string) error {
+func setGnomeProxy(port uint16, proxyTypes ...string) error {
 	for _, proxyType := range proxyTypes {
-		var proxyUrl string
-		if proxyType == "socks" {
-			proxyUrl = "socks://" + p.serverAddr.String()
-		} else {
-			proxyUrl = "http://" + p.serverAddr.String()
+		err := runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", "127.0.0.1")
+		if err != nil {
+			return err
 		}
-		err := p.runAsUser(
-			"kwriteconfig5",
-			"--file",
-			"kioslaverc",
-			"--group",
-			"Proxy Settings",
-			"--key", proxyType+"Proxy",
-			proxyUrl,
-		)
+		err = runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(port))
 		if err != nil {
 			return err
 		}

common/settings/proxy_stub.go

@@ -3,12 +3,11 @@
 package settings
 
 import (
-	"context"
 	"os"
 
-	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing-box/adapter"
 )
 
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (SystemProxy, error) {
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
 	return nil, os.ErrInvalid
 }

common/settings/proxy_windows.go

@@ -1,43 +1,17 @@
 package settings
 
 import (
-	"context"
-
-	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/wininet"
 )
 
-type WindowsSystemProxy struct {
-	serverAddr   M.Socksaddr
-	supportSOCKS bool
-	isEnabled    bool
-}
-
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*WindowsSystemProxy, error) {
-	return &WindowsSystemProxy{
-		serverAddr:   serverAddr,
-		supportSOCKS: supportSOCKS,
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	err := wininet.SetSystemProxy(F.ToString("http://127.0.0.1:", port), "")
+	if err != nil {
+		return nil, err
+	}
+	return func() error {
+		return wininet.ClearSystemProxy()
 	}, nil
 }
-
-func (p *WindowsSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *WindowsSystemProxy) Enable() error {
-	err := wininet.SetSystemProxy("http://"+p.serverAddr.String(), "")
-	if err != nil {
-		return err
-	}
-	p.isEnabled = true
-	return nil
-}
-
-func (p *WindowsSystemProxy) Disable() error {
-	err := wininet.ClearSystemProxy()
-	if err != nil {
-		return err
-	}
-	p.isEnabled = false
-	return nil
-}

common/settings/system_proxy.go

@@ -1,7 +0,0 @@
-package settings
-
-type SystemProxy interface {
-	IsEnabled() bool
-	Enable() error
-	Disable() error
-}

common/sniff/quic.go

@@ -182,52 +182,11 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
 			break
 		}
 		switch frameType {
-		case 0x00: // PADDING
+		case 0x0:
 			continue
-		case 0x01: // PING
+		case 0x1:
 			continue
-		case 0x02, 0x03: // ACK
-			_, err = qtls.ReadUvarint(decryptedReader) // Largest Acknowledged
-			if err != nil {
-				return nil, err
-			}
-			_, err = qtls.ReadUvarint(decryptedReader) // ACK Delay
-			if err != nil {
-				return nil, err
-			}
-			ackRangeCount, err := qtls.ReadUvarint(decryptedReader) // ACK Range Count
-			if err != nil {
-				return nil, err
-			}
-			_, err = qtls.ReadUvarint(decryptedReader) // First ACK Range
-			if err != nil {
-				return nil, err
-			}
-			for i := 0; i < int(ackRangeCount); i++ {
-				_, err = qtls.ReadUvarint(decryptedReader) // Gap
-				if err != nil {
-					return nil, err
-				}
-				_, err = qtls.ReadUvarint(decryptedReader) // ACK Range Length
-				if err != nil {
-					return nil, err
-				}
-			}
-			if frameType == 0x03 {
-				_, err = qtls.ReadUvarint(decryptedReader) // ECT0 Count
-				if err != nil {
-					return nil, err
-				}
-				_, err = qtls.ReadUvarint(decryptedReader) // ECT1 Count
-				if err != nil {
-					return nil, err
-				}
-				_, err = qtls.ReadUvarint(decryptedReader) // ECN-CE Count
-				if err != nil {
-					return nil, err
-				}
-			}
-		case 0x06: // CRYPTO
+		case 0x6:
 			var offset uint64
 			offset, err = qtls.ReadUvarint(decryptedReader)
 			if err != nil {
@@ -249,26 +208,8 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
 			if err != nil {
 				return nil, err
 			}
-		case 0x1c: // CONNECTION_CLOSE
-			_, err = qtls.ReadUvarint(decryptedReader) // Error Code
-			if err != nil {
-				return nil, err
-			}
-			_, err = qtls.ReadUvarint(decryptedReader) // Frame Type
-			if err != nil {
-				return nil, err
-			}
-			var length uint64
-			length, err = qtls.ReadUvarint(decryptedReader) // Reason Phrase Length
-			if err != nil {
-				return nil, err
-			}
-			_, err = decryptedReader.Seek(int64(length), io.SeekCurrent) // Reason Phrase
-			if err != nil {
-				return nil, err
-			}
 		default:
-			return nil, os.ErrInvalid
+			// ignore unknown frame type
 		}
 	}
 	tlsHdr := make([]byte, 5)

common/srs/binary.go

@@ -1,487 +0,0 @@
-package srs
-
-import (
-	"compress/zlib"
-	"encoding/binary"
-	"io"
-	"net/netip"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/domain"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/rw"
-
-	"go4.org/netipx"
-)
-
-var MagicBytes = [3]byte{0x53, 0x52, 0x53} // SRS
-
-const (
-	ruleItemQueryType uint8 = iota
-	ruleItemNetwork
-	ruleItemDomain
-	ruleItemDomainKeyword
-	ruleItemDomainRegex
-	ruleItemSourceIPCIDR
-	ruleItemIPCIDR
-	ruleItemSourcePort
-	ruleItemSourcePortRange
-	ruleItemPort
-	ruleItemPortRange
-	ruleItemProcessName
-	ruleItemProcessPath
-	ruleItemPackageName
-	ruleItemWIFISSID
-	ruleItemWIFIBSSID
-	ruleItemFinal uint8 = 0xFF
-)
-
-func Read(reader io.Reader, recovery bool) (ruleSet option.PlainRuleSet, err error) {
-	var magicBytes [3]byte
-	_, err = io.ReadFull(reader, magicBytes[:])
-	if err != nil {
-		return
-	}
-	if magicBytes != MagicBytes {
-		err = E.New("invalid sing-box rule set file")
-		return
-	}
-	var version uint8
-	err = binary.Read(reader, binary.BigEndian, &version)
-	if err != nil {
-		return ruleSet, err
-	}
-	if version != 1 {
-		return ruleSet, E.New("unsupported version: ", version)
-	}
-	zReader, err := zlib.NewReader(reader)
-	if err != nil {
-		return
-	}
-	length, err := rw.ReadUVariant(zReader)
-	if err != nil {
-		return
-	}
-	ruleSet.Rules = make([]option.HeadlessRule, length)
-	for i := uint64(0); i < length; i++ {
-		ruleSet.Rules[i], err = readRule(zReader, recovery)
-		if err != nil {
-			err = E.Cause(err, "read rule[", i, "]")
-			return
-		}
-	}
-	return
-}
-
-func Write(writer io.Writer, ruleSet option.PlainRuleSet) error {
-	_, err := writer.Write(MagicBytes[:])
-	if err != nil {
-		return err
-	}
-	err = binary.Write(writer, binary.BigEndian, uint8(1))
-	if err != nil {
-		return err
-	}
-	zWriter, err := zlib.NewWriterLevel(writer, zlib.BestCompression)
-	if err != nil {
-		return err
-	}
-	err = rw.WriteUVariant(zWriter, uint64(len(ruleSet.Rules)))
-	if err != nil {
-		return err
-	}
-	for _, rule := range ruleSet.Rules {
-		err = writeRule(zWriter, rule)
-		if err != nil {
-			return err
-		}
-	}
-	return zWriter.Close()
-}
-
-func readRule(reader io.Reader, recovery bool) (rule option.HeadlessRule, err error) {
-	var ruleType uint8
-	err = binary.Read(reader, binary.BigEndian, &ruleType)
-	if err != nil {
-		return
-	}
-	switch ruleType {
-	case 0:
-		rule.Type = C.RuleTypeDefault
-		rule.DefaultOptions, err = readDefaultRule(reader, recovery)
-	case 1:
-		rule.Type = C.RuleTypeLogical
-		rule.LogicalOptions, err = readLogicalRule(reader, recovery)
-	default:
-		err = E.New("unknown rule type: ", ruleType)
-	}
-	return
-}
-
-func writeRule(writer io.Writer, rule option.HeadlessRule) error {
-	switch rule.Type {
-	case C.RuleTypeDefault:
-		return writeDefaultRule(writer, rule.DefaultOptions)
-	case C.RuleTypeLogical:
-		return writeLogicalRule(writer, rule.LogicalOptions)
-	default:
-		panic("unknown rule type: " + rule.Type)
-	}
-}
-
-func readDefaultRule(reader io.Reader, recovery bool) (rule option.DefaultHeadlessRule, err error) {
-	var lastItemType uint8
-	for {
-		var itemType uint8
-		err = binary.Read(reader, binary.BigEndian, &itemType)
-		if err != nil {
-			return
-		}
-		switch itemType {
-		case ruleItemQueryType:
-			var rawQueryType []uint16
-			rawQueryType, err = readRuleItemUint16(reader)
-			if err != nil {
-				return
-			}
-			rule.QueryType = common.Map(rawQueryType, func(it uint16) option.DNSQueryType {
-				return option.DNSQueryType(it)
-			})
-		case ruleItemNetwork:
-			rule.Network, err = readRuleItemString(reader)
-		case ruleItemDomain:
-			var matcher *domain.Matcher
-			matcher, err = domain.ReadMatcher(reader)
-			if err != nil {
-				return
-			}
-			rule.DomainMatcher = matcher
-		case ruleItemDomainKeyword:
-			rule.DomainKeyword, err = readRuleItemString(reader)
-		case ruleItemDomainRegex:
-			rule.DomainRegex, err = readRuleItemString(reader)
-		case ruleItemSourceIPCIDR:
-			rule.SourceIPSet, err = readIPSet(reader)
-			if err != nil {
-				return
-			}
-			if recovery {
-				rule.SourceIPCIDR = common.Map(rule.SourceIPSet.Prefixes(), netip.Prefix.String)
-			}
-		case ruleItemIPCIDR:
-			rule.IPSet, err = readIPSet(reader)
-			if err != nil {
-				return
-			}
-			if recovery {
-				rule.IPCIDR = common.Map(rule.IPSet.Prefixes(), netip.Prefix.String)
-			}
-		case ruleItemSourcePort:
-			rule.SourcePort, err = readRuleItemUint16(reader)
-		case ruleItemSourcePortRange:
-			rule.SourcePortRange, err = readRuleItemString(reader)
-		case ruleItemPort:
-			rule.Port, err = readRuleItemUint16(reader)
-		case ruleItemPortRange:
-			rule.PortRange, err = readRuleItemString(reader)
-		case ruleItemProcessName:
-			rule.ProcessName, err = readRuleItemString(reader)
-		case ruleItemProcessPath:
-			rule.ProcessPath, err = readRuleItemString(reader)
-		case ruleItemPackageName:
-			rule.PackageName, err = readRuleItemString(reader)
-		case ruleItemWIFISSID:
-			rule.WIFISSID, err = readRuleItemString(reader)
-		case ruleItemWIFIBSSID:
-			rule.WIFIBSSID, err = readRuleItemString(reader)
-		case ruleItemFinal:
-			err = binary.Read(reader, binary.BigEndian, &rule.Invert)
-			return
-		default:
-			err = E.New("unknown rule item type: ", itemType, ", last type: ", lastItemType)
-		}
-		if err != nil {
-			return
-		}
-		lastItemType = itemType
-	}
-}
-
-func writeDefaultRule(writer io.Writer, rule option.DefaultHeadlessRule) error {
-	err := binary.Write(writer, binary.BigEndian, uint8(0))
-	if err != nil {
-		return err
-	}
-	if len(rule.QueryType) > 0 {
-		err = writeRuleItemUint16(writer, ruleItemQueryType, common.Map(rule.QueryType, func(it option.DNSQueryType) uint16 {
-			return uint16(it)
-		}))
-		if err != nil {
-			return err
-		}
-	}
-	if len(rule.Network) > 0 {
-		err = writeRuleItemString(writer, ruleItemNetwork, rule.Network)
-		if err != nil {
-			return err
-		}
-	}
-	if len(rule.Domain) > 0 || len(rule.DomainSuffix) > 0 {
-		err = binary.Write(writer, binary.BigEndian, ruleItemDomain)
-		if err != nil {
-			return err
-		}
-		err = domain.NewMatcher(rule.Domain, rule.DomainSuffix).Write(writer)
-		if err != nil {
-			return err
-		}
-	}
-	if len(rule.DomainKeyword) > 0 {
-		err = writeRuleItemString(writer, ruleItemDomainKeyword, rule.DomainKeyword)
-		if err != nil {
-			return err
-		}
-	}
-	if len(rule.DomainRegex) > 0 {
-		err = writeRuleItemString(writer, ruleItemDomainRegex, rule.DomainRegex)
-		if err != nil {
-			return err
-		}
-	}
-	if len(rule.SourceIPCIDR) > 0 {
-		err = writeRuleItemCIDR(writer, ruleItemSourceIPCIDR, rule.SourceIPCIDR)
-		if err != nil {
-			return E.Cause(err, "source_ip_cidr")
-		}
-	}
-	if len(rule.IPCIDR) > 0 {
-		err = writeRuleItemCIDR(writer, ruleItemIPCIDR, rule.IPCIDR)
-		if err != nil {
-			return E.Cause(err, "ipcidr")
-		}
-	}
-	if len(rule.SourcePort) > 0 {
-		err = writeRuleItemUint16(writer, ruleItemSourcePort, rule.SourcePort)
-		if err != nil {
-			return err
-		}
-	}
-	if len(rule.SourcePortRange) > 0 {
-		err = writeRuleItemString(writer, ruleItemSourcePortRange, rule.SourcePortRange)
-		if err != nil {
-			return err
-		}
-	}
-	if len(rule.Port) > 0 {
-		err = writeRuleItemUint16(writer, ruleItemPort, rule.Port)
-		if err != nil {
-			return err
-		}
-	}
-	if len(rule.PortRange) > 0 {
-		err = writeRuleItemString(writer, ruleItemPortRange, rule.PortRange)
-		if err != nil {
-			return err
-		}
-	}
-	if len(rule.ProcessName) > 0 {
-		err = writeRuleItemString(writer, ruleItemProcessName, rule.ProcessName)
-		if err != nil {
-			return err
-		}
-	}
-	if len(rule.ProcessPath) > 0 {
-		err = writeRuleItemString(writer, ruleItemProcessPath, rule.ProcessPath)
-		if err != nil {
-			return err
-		}
-	}
-	if len(rule.PackageName) > 0 {
-		err = writeRuleItemString(writer, ruleItemPackageName, rule.PackageName)
-		if err != nil {
-			return err
-		}
-	}
-	if len(rule.WIFISSID) > 0 {
-		err = writeRuleItemString(writer, ruleItemWIFISSID, rule.WIFISSID)
-		if err != nil {
-			return err
-		}
-	}
-	if len(rule.WIFIBSSID) > 0 {
-		err = writeRuleItemString(writer, ruleItemWIFIBSSID, rule.WIFIBSSID)
-		if err != nil {
-			return err
-		}
-	}
-	err = binary.Write(writer, binary.BigEndian, ruleItemFinal)
-	if err != nil {
-		return err
-	}
-	err = binary.Write(writer, binary.BigEndian, rule.Invert)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func readRuleItemString(reader io.Reader) ([]string, error) {
-	length, err := rw.ReadUVariant(reader)
-	if err != nil {
-		return nil, err
-	}
-	value := make([]string, length)
-	for i := uint64(0); i < length; i++ {
-		value[i], err = rw.ReadVString(reader)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return value, nil
-}
-
-func writeRuleItemString(writer io.Writer, itemType uint8, value []string) error {
-	err := binary.Write(writer, binary.BigEndian, itemType)
-	if err != nil {
-		return err
-	}
-	err = rw.WriteUVariant(writer, uint64(len(value)))
-	if err != nil {
-		return err
-	}
-	for _, item := range value {
-		err = rw.WriteVString(writer, item)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func readRuleItemUint16(reader io.Reader) ([]uint16, error) {
-	length, err := rw.ReadUVariant(reader)
-	if err != nil {
-		return nil, err
-	}
-	value := make([]uint16, length)
-	for i := uint64(0); i < length; i++ {
-		err = binary.Read(reader, binary.BigEndian, &value[i])
-		if err != nil {
-			return nil, err
-		}
-	}
-	return value, nil
-}
-
-func writeRuleItemUint16(writer io.Writer, itemType uint8, value []uint16) error {
-	err := binary.Write(writer, binary.BigEndian, itemType)
-	if err != nil {
-		return err
-	}
-	err = rw.WriteUVariant(writer, uint64(len(value)))
-	if err != nil {
-		return err
-	}
-	for _, item := range value {
-		err = binary.Write(writer, binary.BigEndian, item)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func writeRuleItemCIDR(writer io.Writer, itemType uint8, value []string) error {
-	var builder netipx.IPSetBuilder
-	for i, prefixString := range value {
-		prefix, err := netip.ParsePrefix(prefixString)
-		if err == nil {
-			builder.AddPrefix(prefix)
-			continue
-		}
-		addr, addrErr := netip.ParseAddr(prefixString)
-		if addrErr == nil {
-			builder.Add(addr)
-			continue
-		}
-		return E.Cause(err, "parse [", i, "]")
-	}
-	ipSet, err := builder.IPSet()
-	if err != nil {
-		return err
-	}
-	err = binary.Write(writer, binary.BigEndian, itemType)
-	if err != nil {
-		return err
-	}
-	return writeIPSet(writer, ipSet)
-}
-
-func readLogicalRule(reader io.Reader, recovery bool) (logicalRule option.LogicalHeadlessRule, err error) {
-	var mode uint8
-	err = binary.Read(reader, binary.BigEndian, &mode)
-	if err != nil {
-		return
-	}
-	switch mode {
-	case 0:
-		logicalRule.Mode = C.LogicalTypeAnd
-	case 1:
-		logicalRule.Mode = C.LogicalTypeOr
-	default:
-		err = E.New("unknown logical mode: ", mode)
-		return
-	}
-	length, err := rw.ReadUVariant(reader)
-	if err != nil {
-		return
-	}
-	logicalRule.Rules = make([]option.HeadlessRule, length)
-	for i := uint64(0); i < length; i++ {
-		logicalRule.Rules[i], err = readRule(reader, recovery)
-		if err != nil {
-			err = E.Cause(err, "read logical rule [", i, "]")
-			return
-		}
-	}
-	err = binary.Read(reader, binary.BigEndian, &logicalRule.Invert)
-	if err != nil {
-		return
-	}
-	return
-}
-
-func writeLogicalRule(writer io.Writer, logicalRule option.LogicalHeadlessRule) error {
-	err := binary.Write(writer, binary.BigEndian, uint8(1))
-	if err != nil {
-		return err
-	}
-	switch logicalRule.Mode {
-	case C.LogicalTypeAnd:
-		err = binary.Write(writer, binary.BigEndian, uint8(0))
-	case C.LogicalTypeOr:
-		err = binary.Write(writer, binary.BigEndian, uint8(1))
-	default:
-		panic("unknown logical mode: " + logicalRule.Mode)
-	}
-	if err != nil {
-		return err
-	}
-	err = rw.WriteUVariant(writer, uint64(len(logicalRule.Rules)))
-	if err != nil {
-		return err
-	}
-	for _, rule := range logicalRule.Rules {
-		err = writeRule(writer, rule)
-		if err != nil {
-			return err
-		}
-	}
-	err = binary.Write(writer, binary.BigEndian, logicalRule.Invert)
-	if err != nil {
-		return err
-	}
-	return nil
-}

common/srs/ip_set.go

@@ -1,116 +0,0 @@
-package srs
-
-import (
-	"encoding/binary"
-	"io"
-	"net/netip"
-	"unsafe"
-
-	"github.com/sagernet/sing/common/rw"
-
-	"go4.org/netipx"
-)
-
-type myIPSet struct {
-	rr []myIPRange
-}
-
-type myIPRange struct {
-	from netip.Addr
-	to   netip.Addr
-}
-
-func readIPSet(reader io.Reader) (*netipx.IPSet, error) {
-	var version uint8
-	err := binary.Read(reader, binary.BigEndian, &version)
-	if err != nil {
-		return nil, err
-	}
-	var length uint64
-	err = binary.Read(reader, binary.BigEndian, &length)
-	if err != nil {
-		return nil, err
-	}
-	mySet := &myIPSet{
-		rr: make([]myIPRange, length),
-	}
-	for i := uint64(0); i < length; i++ {
-		var (
-			fromLen  uint64
-			toLen    uint64
-			fromAddr netip.Addr
-			toAddr   netip.Addr
-		)
-		fromLen, err = rw.ReadUVariant(reader)
-		if err != nil {
-			return nil, err
-		}
-		fromBytes := make([]byte, fromLen)
-		_, err = io.ReadFull(reader, fromBytes)
-		if err != nil {
-			return nil, err
-		}
-		err = fromAddr.UnmarshalBinary(fromBytes)
-		if err != nil {
-			return nil, err
-		}
-		toLen, err = rw.ReadUVariant(reader)
-		if err != nil {
-			return nil, err
-		}
-		toBytes := make([]byte, toLen)
-		_, err = io.ReadFull(reader, toBytes)
-		if err != nil {
-			return nil, err
-		}
-		err = toAddr.UnmarshalBinary(toBytes)
-		if err != nil {
-			return nil, err
-		}
-		mySet.rr[i] = myIPRange{fromAddr, toAddr}
-	}
-	return (*netipx.IPSet)(unsafe.Pointer(mySet)), nil
-}
-
-func writeIPSet(writer io.Writer, set *netipx.IPSet) error {
-	err := binary.Write(writer, binary.BigEndian, uint8(1))
-	if err != nil {
-		return err
-	}
-	mySet := (*myIPSet)(unsafe.Pointer(set))
-	err = binary.Write(writer, binary.BigEndian, uint64(len(mySet.rr)))
-	if err != nil {
-		return err
-	}
-	for _, rr := range mySet.rr {
-		var (
-			fromBinary []byte
-			toBinary   []byte
-		)
-		fromBinary, err = rr.from.MarshalBinary()
-		if err != nil {
-			return err
-		}
-		err = rw.WriteUVariant(writer, uint64(len(fromBinary)))
-		if err != nil {
-			return err
-		}
-		_, err = writer.Write(fromBinary)
-		if err != nil {
-			return err
-		}
-		toBinary, err = rr.to.MarshalBinary()
-		if err != nil {
-			return err
-		}
-		err = rw.WriteUVariant(writer, uint64(len(toBinary)))
-		if err != nil {
-			return err
-		}
-		_, err = writer.Write(toBinary)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}

common/taskmonitor/monitor.go

@@ -1,31 +0,0 @@
-package taskmonitor
-
-import (
-	"time"
-
-	F "github.com/sagernet/sing/common/format"
-	"github.com/sagernet/sing/common/logger"
-)
-
-type Monitor struct {
-	logger  logger.Logger
-	timeout time.Duration
-	timer   *time.Timer
-}
-
-func New(logger logger.Logger, timeout time.Duration) *Monitor {
-	return &Monitor{
-		logger:  logger,
-		timeout: timeout,
-	}
-}
-
-func (m *Monitor) Start(taskName ...any) {
-	m.timer = time.AfterFunc(m.timeout, func() {
-		m.logger.Warn(F.ToString(taskName...), " take too much time to finish!")
-	})
-}
-
-func (m *Monitor) Finish() {
-	m.timer.Stop()
-}

common/tls/acme.go

@@ -9,13 +9,10 @@ import (
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 
 	"github.com/caddyserver/certmagic"
-	"github.com/libdns/alidns"
-	"github.com/libdns/cloudflare"
 	"github.com/mholt/acmez/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -77,24 +74,6 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		AltTLSALPNPort:          int(options.AlternativeTLSPort),
 		Logger:                  config.Logger,
 	}
-	if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {
-		var solver certmagic.DNS01Solver
-		switch dnsOptions.Provider {
-		case C.DNSProviderAliDNS:
-			solver.DNSProvider = &alidns.Provider{
-				AccKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
-				AccKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
-				RegionID:     dnsOptions.AliDNSOptions.RegionID,
-			}
-		case C.DNSProviderCloudflare:
-			solver.DNSProvider = &cloudflare.Provider{
-				APIToken: dnsOptions.CloudflareOptions.APIToken,
-			}
-		default:
-			return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)
-		}
-		acmeConfig.DNS01Solver = &solver
-	}
 	if options.ExternalAccount != nil && options.ExternalAccount.KeyID != "" {
 		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
 	}
@@ -105,16 +84,5 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		},
 	})
 	config = certmagic.New(cache, *config)
-	var tlsConfig *tls.Config
-	if acmeConfig.DisableTLSALPNChallenge || acmeConfig.DNS01Solver != nil {
-		tlsConfig = &tls.Config{
-			GetCertificate: config.GetCertificate,
-		}
-	} else {
-		tlsConfig = &tls.Config{
-			GetCertificate: config.GetCertificate,
-			NextProtos:     []string{ACMETLS1Protocol},
-		}
-	}
-	return tlsConfig, &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
+	return config.TLSConfig(), &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
 }

common/tls/acme_contstant.go

@@ -1,3 +0,0 @@
-package tls
-
-const ACMETLS1Protocol = "acme-tls/1"

common/tls/client.go

@@ -6,7 +6,6 @@ import (
 	"os"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/badtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
@@ -14,46 +13,36 @@ import (
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func NewDialerFromOptions(ctx context.Context, router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
+func NewDialerFromOptions(router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
 	if !options.Enabled {
 		return dialer, nil
 	}
-	config, err := NewClient(ctx, serverAddress, options)
+	config, err := NewClient(router, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}
 	return NewDialer(dialer, config), nil
 }
 
-func NewClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
 	if options.ECH != nil && options.ECH.Enabled {
-		return NewECHClient(ctx, serverAddress, options)
+		return NewECHClient(router, serverAddress, options)
 	} else if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityClient(ctx, serverAddress, options)
+		return NewRealityClient(router, serverAddress, options)
 	} else if options.UTLS != nil && options.UTLS.Enabled {
-		return NewUTLSClient(ctx, serverAddress, options)
+		return NewUTLSClient(router, serverAddress, options)
 	} else {
-		return NewSTDClient(ctx, serverAddress, options)
+		return NewSTDClient(router, serverAddress, options)
 	}
 }
 
 func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
 	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
 	defer cancel()
-	tlsConn, err := aTLS.ClientHandshake(ctx, conn, config)
-	if err != nil {
-		return nil, err
-	}
-	readWaitConn, err := badtls.NewReadWaitConn(tlsConn)
-	if err == nil {
-		return readWaitConn, nil
-	} else if err != os.ErrInvalid {
-		return nil, err
-	}
-	return tlsConn, nil
+	return aTLS.ClientHandshake(ctx, conn, config)
 }
 
 type Dialer struct {

common/tls/ech_client.go

@@ -7,53 +7,50 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
-	"encoding/pem"
 	"net"
 	"net/netip"
 	"os"
-	"strings"
 
 	cftls "github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/ntp"
 
 	mDNS "github.com/miekg/dns"
 )
 
-type echClientConfig struct {
+type ECHClientConfig struct {
 	config *cftls.Config
 }
 
-func (c *echClientConfig) ServerName() string {
-	return c.config.ServerName
+func (e *ECHClientConfig) ServerName() string {
+	return e.config.ServerName
 }
 
-func (c *echClientConfig) SetServerName(serverName string) {
-	c.config.ServerName = serverName
+func (e *ECHClientConfig) SetServerName(serverName string) {
+	e.config.ServerName = serverName
 }
 
-func (c *echClientConfig) NextProtos() []string {
-	return c.config.NextProtos
+func (e *ECHClientConfig) NextProtos() []string {
+	return e.config.NextProtos
 }
 
-func (c *echClientConfig) SetNextProtos(nextProto []string) {
-	c.config.NextProtos = nextProto
+func (e *ECHClientConfig) SetNextProtos(nextProto []string) {
+	e.config.NextProtos = nextProto
 }
 
-func (c *echClientConfig) Config() (*STDConfig, error) {
+func (e *ECHClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for ECH")
 }
 
-func (c *echClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
+func (e *ECHClientConfig) Client(conn net.Conn) (Conn, error) {
+	return &echConnWrapper{cftls.Client(conn, e.config)}, nil
 }
 
-func (c *echClientConfig) Clone() Config {
-	return &echClientConfig{
-		config: c.config.Clone(),
+func (e *ECHClientConfig) Clone() Config {
+	return &ECHClientConfig{
+		config: e.config.Clone(),
 	}
 }
 
@@ -83,7 +80,7 @@ func (c *echConnWrapper) Upstream() any {
 	return c.Conn
 }
 
-func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -97,7 +94,7 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 	}
 
 	var tlsConfig cftls.Config
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	tlsConfig.Time = router.TimeFunc()
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -149,8 +146,8 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 	}
 	var certificate []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {
@@ -171,36 +168,24 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 	tlsConfig.ECHEnabled = true
 	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
 	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
-
-	var echConfig []byte
-	if len(options.ECH.Config) > 0 {
-		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
-	} else if options.ECH.ConfigPath != "" {
-		content, err := os.ReadFile(options.ECH.ConfigPath)
+	if options.ECH.Config != "" {
+		clientConfigContent, err := base64.StdEncoding.DecodeString(options.ECH.Config)
 		if err != nil {
-			return nil, E.Cause(err, "read ECH config")
+			return nil, err
 		}
-		echConfig = content
-	}
-
-	if len(echConfig) > 0 {
-		block, rest := pem.Decode(echConfig)
-		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
-			return nil, E.New("invalid ECH configs pem")
-		}
-		echConfigs, err := cftls.UnmarshalECHConfigs(block.Bytes)
+		clientConfig, err := cftls.UnmarshalECHConfigs(clientConfigContent)
 		if err != nil {
-			return nil, E.Cause(err, "parse ECH configs")
+			return nil, err
 		}
-		tlsConfig.ClientECHConfigs = echConfigs
+		tlsConfig.ClientECHConfigs = clientConfig
 	} else {
-		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(ctx)
+		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(router)
 	}
-	return &echClientConfig{&tlsConfig}, nil
+	return &ECHClientConfig{&tlsConfig}, nil
 }
 
-func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
-	return func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
+func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
+	return func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
@@ -213,7 +198,7 @@ func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverNam
 				},
 			},
 		}
-		response, err := adapter.RouterFromContext(ctx).Exchange(ctx, message)
+		response, err := router.Exchange(ctx, message)
 		if err != nil {
 			return nil, err
 		}

common/tls/ech_keygen.go

@@ -1,169 +0,0 @@
-//go:build with_ech
-
-package tls
-
-import (
-	"bytes"
-	"encoding/binary"
-	"encoding/pem"
-
-	cftls "github.com/sagernet/cloudflare-tls"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	"github.com/cloudflare/circl/hpke"
-	"github.com/cloudflare/circl/kem"
-)
-
-func ECHKeygenDefault(serverName string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
-	cipherSuites := []echCipherSuite{
-		{
-			kdf:  hpke.KDF_HKDF_SHA256,
-			aead: hpke.AEAD_AES128GCM,
-		}, {
-			kdf:  hpke.KDF_HKDF_SHA256,
-			aead: hpke.AEAD_ChaCha20Poly1305,
-		},
-	}
-
-	keyConfig := []myECHKeyConfig{
-		{id: 0, kem: hpke.KEM_X25519_HKDF_SHA256},
-	}
-	if pqSignatureSchemesEnabled {
-		keyConfig = append(keyConfig, myECHKeyConfig{id: 1, kem: hpke.KEM_X25519_KYBER768_DRAFT00})
-	}
-
-	keyPairs, err := echKeygen(0xfe0d, serverName, keyConfig, cipherSuites)
-	if err != nil {
-		return
-	}
-
-	var configBuffer bytes.Buffer
-	var totalLen uint16
-	for _, keyPair := range keyPairs {
-		totalLen += uint16(len(keyPair.rawConf))
-	}
-	binary.Write(&configBuffer, binary.BigEndian, totalLen)
-	for _, keyPair := range keyPairs {
-		configBuffer.Write(keyPair.rawConf)
-	}
-
-	var keyBuffer bytes.Buffer
-	for _, keyPair := range keyPairs {
-		keyBuffer.Write(keyPair.rawKey)
-	}
-
-	configPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH CONFIGS", Bytes: configBuffer.Bytes()}))
-	keyPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH KEYS", Bytes: keyBuffer.Bytes()}))
-	return
-}
-
-type echKeyConfigPair struct {
-	id      uint8
-	key     cftls.EXP_ECHKey
-	rawKey  []byte
-	conf    myECHKeyConfig
-	rawConf []byte
-}
-
-type echCipherSuite struct {
-	kdf  hpke.KDF
-	aead hpke.AEAD
-}
-
-type myECHKeyConfig struct {
-	id   uint8
-	kem  hpke.KEM
-	seed []byte
-}
-
-func echKeygen(version uint16, serverName string, conf []myECHKeyConfig, suite []echCipherSuite) ([]echKeyConfigPair, error) {
-	be := binary.BigEndian
-	// prepare for future update
-	if version != 0xfe0d {
-		return nil, E.New("unsupported ECH version", version)
-	}
-
-	suiteBuf := make([]byte, 0, len(suite)*4+2)
-	suiteBuf = be.AppendUint16(suiteBuf, uint16(len(suite))*4)
-	for _, s := range suite {
-		if !s.kdf.IsValid() || !s.aead.IsValid() {
-			return nil, E.New("invalid HPKE cipher suite")
-		}
-		suiteBuf = be.AppendUint16(suiteBuf, uint16(s.kdf))
-		suiteBuf = be.AppendUint16(suiteBuf, uint16(s.aead))
-	}
-
-	pairs := []echKeyConfigPair{}
-	for _, c := range conf {
-		pair := echKeyConfigPair{}
-		pair.id = c.id
-		pair.conf = c
-
-		if !c.kem.IsValid() {
-			return nil, E.New("invalid HPKE KEM")
-		}
-
-		kpGenerator := c.kem.Scheme().GenerateKeyPair
-		if len(c.seed) > 0 {
-			kpGenerator = func() (kem.PublicKey, kem.PrivateKey, error) {
-				pub, sec := c.kem.Scheme().DeriveKeyPair(c.seed)
-				return pub, sec, nil
-			}
-			if len(c.seed) < c.kem.Scheme().PrivateKeySize() {
-				return nil, E.New("HPKE KEM seed too short")
-			}
-		}
-
-		pub, sec, err := kpGenerator()
-		if err != nil {
-			return nil, E.Cause(err, "generate ECH config key pair")
-		}
-		b := []byte{}
-		b = be.AppendUint16(b, version)
-		b = be.AppendUint16(b, 0) // length field
-		// contents
-		// key config
-		b = append(b, c.id)
-		b = be.AppendUint16(b, uint16(c.kem))
-		pubBuf, err := pub.MarshalBinary()
-		if err != nil {
-			return nil, E.Cause(err, "serialize ECH public key")
-		}
-		b = be.AppendUint16(b, uint16(len(pubBuf)))
-		b = append(b, pubBuf...)
-
-		b = append(b, suiteBuf...)
-		// end key config
-		// max name len, not supported
-		b = append(b, 0)
-		// server name
-		b = append(b, byte(len(serverName)))
-		b = append(b, []byte(serverName)...)
-		// extensions, not supported
-		b = be.AppendUint16(b, 0)
-
-		be.PutUint16(b[2:], uint16(len(b)-4))
-
-		pair.rawConf = b
-
-		secBuf, err := sec.MarshalBinary()
-		sk := []byte{}
-		sk = be.AppendUint16(sk, uint16(len(secBuf)))
-		sk = append(sk, secBuf...)
-		sk = be.AppendUint16(sk, uint16(len(b)))
-		sk = append(sk, b...)
-
-		cfECHKeys, err := cftls.EXP_UnmarshalECHKeys(sk)
-		if err != nil {
-			return nil, E.Cause(err, "bug: can't parse generated ECH server key")
-		}
-		if len(cfECHKeys) != 1 {
-			return nil, E.New("bug: unexpected server key count")
-		}
-		pair.key = cfECHKeys[0]
-		pair.rawKey = sk
-
-		pairs = append(pairs, pair)
-	}
-	return pairs, nil
-}

common/tls/ech_quic.go

@@ -1,56 +0,0 @@
-//go:build with_quic && with_ech
-
-package tls
-
-import (
-	"context"
-	"net"
-	"net/http"
-
-	"github.com/sagernet/cloudflare-tls"
-	"github.com/sagernet/quic-go/ech"
-	"github.com/sagernet/quic-go/http3_ech"
-	"github.com/sagernet/sing-quic"
-	M "github.com/sagernet/sing/common/metadata"
-)
-
-var (
-	_ qtls.Config       = (*echClientConfig)(nil)
-	_ qtls.ServerConfig = (*echServerConfig)(nil)
-)
-
-func (c *echClientConfig) Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.Connection, error) {
-	return quic.Dial(ctx, conn, addr, c.config, config)
-}
-
-func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.EarlyConnection, error) {
-	return quic.DialEarly(ctx, conn, addr, c.config, config)
-}
-
-func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config, enableDatagrams bool) http.RoundTripper {
-	return &http3.RoundTripper{
-		TLSClientConfig: c.config,
-		QuicConfig:      quicConfig,
-		EnableDatagrams: enableDatagrams,
-		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
-			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
-			if err != nil {
-				return nil, err
-			}
-			*quicConnPtr = quicConn
-			return quicConn, nil
-		},
-	}
-}
-
-func (c *echServerConfig) Listen(conn net.PacketConn, config *quic.Config) (qtls.Listener, error) {
-	return quic.Listen(conn, c.config, config)
-}
-
-func (c *echServerConfig) ListenEarly(conn net.PacketConn, config *quic.Config) (qtls.EarlyListener, error) {
-	return quic.ListenEarly(conn, c.config, config)
-}
-
-func (c *echServerConfig) ConfigureHTTP3() {
-	http3.ConfigureTLSConfig(c.config)
-}

common/tls/ech_server.go

@@ -1,343 +0,0 @@
-//go:build with_ech
-
-package tls
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/pem"
-	"net"
-	"os"
-	"strings"
-
-	cftls "github.com/sagernet/cloudflare-tls"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/ntp"
-
-	"github.com/fsnotify/fsnotify"
-)
-
-type echServerConfig struct {
-	config          *cftls.Config
-	logger          log.Logger
-	certificate     []byte
-	key             []byte
-	certificatePath string
-	keyPath         string
-	watcher         *fsnotify.Watcher
-	echKeyPath      string
-	echWatcher      *fsnotify.Watcher
-}
-
-func (c *echServerConfig) ServerName() string {
-	return c.config.ServerName
-}
-
-func (c *echServerConfig) SetServerName(serverName string) {
-	c.config.ServerName = serverName
-}
-
-func (c *echServerConfig) NextProtos() []string {
-	return c.config.NextProtos
-}
-
-func (c *echServerConfig) SetNextProtos(nextProto []string) {
-	c.config.NextProtos = nextProto
-}
-
-func (c *echServerConfig) Config() (*STDConfig, error) {
-	return nil, E.New("unsupported usage for ECH")
-}
-
-func (c *echServerConfig) Client(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
-}
-
-func (c *echServerConfig) Server(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Server(conn, c.config)}, nil
-}
-
-func (c *echServerConfig) Clone() Config {
-	return &echServerConfig{
-		config: c.config.Clone(),
-	}
-}
-
-func (c *echServerConfig) Start() error {
-	if c.certificatePath != "" && c.keyPath != "" {
-		err := c.startWatcher()
-		if err != nil {
-			c.logger.Warn("create fsnotify watcher: ", err)
-		}
-	}
-	if c.echKeyPath != "" {
-		err := c.startECHWatcher()
-		if err != nil {
-			c.logger.Warn("create fsnotify watcher: ", err)
-		}
-	}
-	return nil
-}
-
-func (c *echServerConfig) startWatcher() error {
-	watcher, err := fsnotify.NewWatcher()
-	if err != nil {
-		return err
-	}
-	if c.certificatePath != "" {
-		err = watcher.Add(c.certificatePath)
-		if err != nil {
-			return err
-		}
-	}
-	if c.keyPath != "" {
-		err = watcher.Add(c.keyPath)
-		if err != nil {
-			return err
-		}
-	}
-	c.watcher = watcher
-	go c.loopUpdate()
-	return nil
-}
-
-func (c *echServerConfig) loopUpdate() {
-	for {
-		select {
-		case event, ok := <-c.watcher.Events:
-			if !ok {
-				return
-			}
-			if event.Op&fsnotify.Write != fsnotify.Write {
-				continue
-			}
-			err := c.reloadKeyPair()
-			if err != nil {
-				c.logger.Error(E.Cause(err, "reload TLS key pair"))
-			}
-		case err, ok := <-c.watcher.Errors:
-			if !ok {
-				return
-			}
-			c.logger.Error(E.Cause(err, "fsnotify error"))
-		}
-	}
-}
-
-func (c *echServerConfig) reloadKeyPair() error {
-	if c.certificatePath != "" {
-		certificate, err := os.ReadFile(c.certificatePath)
-		if err != nil {
-			return E.Cause(err, "reload certificate from ", c.certificatePath)
-		}
-		c.certificate = certificate
-	}
-	if c.keyPath != "" {
-		key, err := os.ReadFile(c.keyPath)
-		if err != nil {
-			return E.Cause(err, "reload key from ", c.keyPath)
-		}
-		c.key = key
-	}
-	keyPair, err := cftls.X509KeyPair(c.certificate, c.key)
-	if err != nil {
-		return E.Cause(err, "reload key pair")
-	}
-	c.config.Certificates = []cftls.Certificate{keyPair}
-	c.logger.Info("reloaded TLS certificate")
-	return nil
-}
-
-func (c *echServerConfig) startECHWatcher() error {
-	watcher, err := fsnotify.NewWatcher()
-	if err != nil {
-		return err
-	}
-	err = watcher.Add(c.echKeyPath)
-	if err != nil {
-		return err
-	}
-	c.echWatcher = watcher
-	go c.loopECHUpdate()
-	return nil
-}
-
-func (c *echServerConfig) loopECHUpdate() {
-	for {
-		select {
-		case event, ok := <-c.echWatcher.Events:
-			if !ok {
-				return
-			}
-			if event.Op&fsnotify.Write != fsnotify.Write {
-				continue
-			}
-			err := c.reloadECHKey()
-			if err != nil {
-				c.logger.Error(E.Cause(err, "reload ECH key"))
-			}
-		case err, ok := <-c.echWatcher.Errors:
-			if !ok {
-				return
-			}
-			c.logger.Error(E.Cause(err, "fsnotify error"))
-		}
-	}
-}
-
-func (c *echServerConfig) reloadECHKey() error {
-	echKeyContent, err := os.ReadFile(c.echKeyPath)
-	if err != nil {
-		return err
-	}
-	block, rest := pem.Decode(echKeyContent)
-	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
-		return E.New("invalid ECH keys pem")
-	}
-	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
-	if err != nil {
-		return E.Cause(err, "parse ECH keys")
-	}
-	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
-	if err != nil {
-		return E.Cause(err, "create ECH key set")
-	}
-	c.config.ServerECHProvider = echKeySet
-	c.logger.Info("reloaded ECH keys")
-	return nil
-}
-
-func (c *echServerConfig) Close() error {
-	var err error
-	if c.watcher != nil {
-		err = E.Append(err, c.watcher.Close(), func(err error) error {
-			return E.Cause(err, "close certificate watcher")
-		})
-	}
-	if c.echWatcher != nil {
-		err = E.Append(err, c.echWatcher.Close(), func(err error) error {
-			return E.Cause(err, "close ECH key watcher")
-		})
-	}
-	return err
-}
-
-func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
-	if !options.Enabled {
-		return nil, nil
-	}
-	var tlsConfig cftls.Config
-	if options.ACME != nil && len(options.ACME.Domain) > 0 {
-		return nil, E.New("acme is unavailable in ech")
-	}
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
-	if options.ServerName != "" {
-		tlsConfig.ServerName = options.ServerName
-	}
-	if len(options.ALPN) > 0 {
-		tlsConfig.NextProtos = append(options.ALPN, tlsConfig.NextProtos...)
-	}
-	if options.MinVersion != "" {
-		minVersion, err := ParseTLSVersion(options.MinVersion)
-		if err != nil {
-			return nil, E.Cause(err, "parse min_version")
-		}
-		tlsConfig.MinVersion = minVersion
-	}
-	if options.MaxVersion != "" {
-		maxVersion, err := ParseTLSVersion(options.MaxVersion)
-		if err != nil {
-			return nil, E.Cause(err, "parse max_version")
-		}
-		tlsConfig.MaxVersion = maxVersion
-	}
-	if options.CipherSuites != nil {
-	find:
-		for _, cipherSuite := range options.CipherSuites {
-			for _, tlsCipherSuite := range tls.CipherSuites() {
-				if cipherSuite == tlsCipherSuite.Name {
-					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
-					continue find
-				}
-			}
-			return nil, E.New("unknown cipher_suite: ", cipherSuite)
-		}
-	}
-	var certificate []byte
-	var key []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
-	} else if options.CertificatePath != "" {
-		content, err := os.ReadFile(options.CertificatePath)
-		if err != nil {
-			return nil, E.Cause(err, "read certificate")
-		}
-		certificate = content
-	}
-	if len(options.Key) > 0 {
-		key = []byte(strings.Join(options.Key, "\n"))
-	} else if options.KeyPath != "" {
-		content, err := os.ReadFile(options.KeyPath)
-		if err != nil {
-			return nil, E.Cause(err, "read key")
-		}
-		key = content
-	}
-
-	if certificate == nil {
-		return nil, E.New("missing certificate")
-	} else if key == nil {
-		return nil, E.New("missing key")
-	}
-
-	keyPair, err := cftls.X509KeyPair(certificate, key)
-	if err != nil {
-		return nil, E.Cause(err, "parse x509 key pair")
-	}
-	tlsConfig.Certificates = []cftls.Certificate{keyPair}
-
-	var echKey []byte
-	if len(options.ECH.Key) > 0 {
-		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
-	} else if options.KeyPath != "" {
-		content, err := os.ReadFile(options.ECH.KeyPath)
-		if err != nil {
-			return nil, E.Cause(err, "read ECH key")
-		}
-		echKey = content
-	} else {
-		return nil, E.New("missing ECH key")
-	}
-
-	block, rest := pem.Decode(echKey)
-	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
-		return nil, E.New("invalid ECH keys pem")
-	}
-
-	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
-	if err != nil {
-		return nil, E.Cause(err, "parse ECH keys")
-	}
-
-	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
-	if err != nil {
-		return nil, E.Cause(err, "create ECH key set")
-	}
-
-	tlsConfig.ECHEnabled = true
-	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
-	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
-	tlsConfig.ServerECHProvider = echKeySet
-
-	return &echServerConfig{
-		config:          &tlsConfig,
-		logger:          logger,
-		certificate:     certificate,
-		key:             key,
-		certificatePath: options.CertificatePath,
-		keyPath:         options.KeyPath,
-		echKeyPath:      options.ECH.KeyPath,
-	}, nil
-}

common/tls/ech_stub.go

@@ -3,23 +3,11 @@
 package tls
 
 import (
-	"context"
-
-	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-var errECHNotIncluded = E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
-
-func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
-	return nil, errECHNotIncluded
-}
-
-func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return nil, errECHNotIncluded
-}
-
-func ECHKeygenDefault(host string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
-	return "", "", errECHNotIncluded
+func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	return nil, E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
 }

common/tls/mkcert.go

@@ -11,34 +11,22 @@ import (
 	"time"
 )
 
-func GenerateCertificate(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
-	privateKeyPem, publicKeyPem, err := GenerateKeyPair(timeFunc, serverName, timeFunc().Add(time.Hour))
-	if err != nil {
-		return nil, err
-	}
-	certificate, err := tls.X509KeyPair(publicKeyPem, privateKeyPem)
-	if err != nil {
-		return nil, err
-	}
-	return &certificate, err
-}
-
-func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.Time) (privateKeyPem []byte, publicKeyPem []byte, err error) {
+func GenerateKeyPair(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
 	if timeFunc == nil {
 		timeFunc = time.Now
 	}
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
-		return
+		return nil, err
 	}
 	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
 	if err != nil {
-		return
+		return nil, err
 	}
 	template := &x509.Certificate{
 		SerialNumber:          serialNumber,
 		NotBefore:             timeFunc().Add(time.Hour * -1),
-		NotAfter:              expire,
+		NotAfter:              timeFunc().Add(time.Hour),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
@@ -49,13 +37,17 @@ func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.T
 	}
 	publicDer, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
 	if err != nil {
-		return
+		return nil, err
 	}
 	privateDer, err := x509.MarshalPKCS8PrivateKey(key)
 	if err != nil {
-		return
+		return nil, err
 	}
-	publicKeyPem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: publicDer})
-	privateKeyPem = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateDer})
-	return
+	publicPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: publicDer})
+	privPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateDer})
+	keyPair, err := tls.X509KeyPair(publicPem, privPem)
+	if err != nil {
+		return nil, err
+	}
+	return &keyPair, err
 }

common/tls/reality_client.go

@@ -7,7 +7,6 @@ import (
 	"context"
 	"crypto/aes"
 	"crypto/cipher"
-	"crypto/ecdh"
 	"crypto/ed25519"
 	"crypto/hmac"
 	"crypto/sha256"
@@ -27,6 +26,7 @@ import (
 	"time"
 	"unsafe"
 
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -45,12 +45,12 @@ type RealityClientConfig struct {
 	shortID   [8]byte
 }
 
-func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
+func NewRealityClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
 	if options.UTLS == nil || !options.UTLS.Enabled {
 		return nil, E.New("uTLS is required by reality client")
 	}
 
-	uClient, err := NewUTLSClient(ctx, serverAddress, options)
+	uClient, err := NewUTLSClient(router, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}
@@ -138,21 +138,12 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	hello.SessionId[2] = 1
 	binary.BigEndian.PutUint32(hello.SessionId[4:], uint32(time.Now().Unix()))
 	copy(hello.SessionId[8:], e.shortID[:])
+
 	if debug.Enabled {
 		fmt.Printf("REALITY hello.sessionId[:16]: %v\n", hello.SessionId[:16])
 	}
-	publicKey, err := ecdh.X25519().NewPublicKey(e.publicKey)
-	if err != nil {
-		return nil, err
-	}
-	ecdheKey := uConn.HandshakeState.State13.EcdheKey
-	if ecdheKey == nil {
-		return nil, E.New("nil ecdhe_key")
-	}
-	authKey, err := ecdheKey.ECDH(publicKey)
-	if err != nil {
-		return nil, err
-	}
+
+	authKey := uConn.HandshakeState.State13.EcdheParams.SharedKey(e.publicKey)
 	if authKey == nil {
 		return nil, E.New("nil auth_key")
 	}

common/tls/reality_server.go

@@ -19,7 +19,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/ntp"
 )
 
 var _ ServerConfigCompat = (*RealityServerConfig)(nil)
@@ -28,13 +27,13 @@ type RealityServerConfig struct {
 	config *reality.Config
 }
 
-func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
+func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
 	var tlsConfig reality.Config
 
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		return nil, E.New("acme is unavailable in reality")
 	}
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	tlsConfig.Time = router.TimeFunc()
 	if options.ServerName != "" {
 		tlsConfig.ServerName = options.ServerName
 	}
@@ -67,10 +66,10 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 			return nil, E.New("unknown cipher_suite: ", cipherSuite)
 		}
 	}
-	if len(options.Certificate) > 0 || options.CertificatePath != "" {
+	if options.Certificate != "" || options.CertificatePath != "" {
 		return nil, E.New("certificate is unavailable in reality")
 	}
-	if len(options.Key) > 0 || options.KeyPath != "" {
+	if options.Key != "" || options.KeyPath != "" {
 		return nil, E.New("key is unavailable in reality")
 	}
 
@@ -102,7 +101,7 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 		tlsConfig.ShortIds[shortID] = true
 	}
 
-	handshakeDialer, err := dialer.New(adapter.RouterFromContext(ctx), options.Reality.Handshake.DialerOptions)
+	handshakeDialer, err := dialer.New(router, options.Reality.Handshake.DialerOptions)
 	if err != nil {
 		return nil, err
 	}

common/tls/reality_stub.go

@@ -5,11 +5,12 @@ package tls
 import (
 	"context"
 
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	return nil, E.New(`reality server is not included in this build, rebuild with -tags with_reality_server`)
 }

common/tls/server.go

@@ -3,40 +3,27 @@ package tls
 import (
 	"context"
 	"net"
-	"os"
 
-	"github.com/sagernet/sing-box/common/badtls"
+	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
-	if options.ECH != nil && options.ECH.Enabled {
-		return NewECHServer(ctx, logger, options)
-	} else if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityServer(ctx, logger, options)
+	if options.Reality != nil && options.Reality.Enabled {
+		return NewRealityServer(ctx, router, logger, options)
 	} else {
-		return NewSTDServer(ctx, logger, options)
+		return NewSTDServer(ctx, router, logger, options)
 	}
 }
 
 func ServerHandshake(ctx context.Context, conn net.Conn, config ServerConfig) (Conn, error) {
 	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
 	defer cancel()
-	tlsConn, err := aTLS.ServerHandshake(ctx, conn, config)
-	if err != nil {
-		return nil, err
-	}
-	readWaitConn, err := badtls.NewReadWaitConn(tlsConn)
-	if err == nil {
-		return readWaitConn, nil
-	} else if err != os.ErrInvalid {
-		return nil, err
-	}
-	return tlsConn, nil
+	return aTLS.ServerHandshake(ctx, conn, config)
 }

common/tls/std_client.go

@@ -1,17 +1,15 @@
 package tls
 
 import (
-	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"net"
 	"net/netip"
 	"os"
-	"strings"
 
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/ntp"
 )
 
 type STDClientConfig struct {
@@ -46,7 +44,7 @@ func (s *STDClientConfig) Clone() Config {
 	return &STDClientConfig{s.config.Clone()}
 }
 
-func NewSTDClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewSTDClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -60,7 +58,7 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 	}
 
 	var tlsConfig tls.Config
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	tlsConfig.Time = router.TimeFunc()
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -112,8 +110,8 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 	}
 	var certificate []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {

common/tls/std_server.go

@@ -5,14 +5,12 @@ import (
 	"crypto/tls"
 	"net"
 	"os"
-	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/ntp"
 
 	"github.com/fsnotify/fsnotify"
 )
@@ -39,19 +37,11 @@ func (c *STDServerConfig) SetServerName(serverName string) {
 }
 
 func (c *STDServerConfig) NextProtos() []string {
-	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
-		return c.config.NextProtos[1:]
-	} else {
-		return c.config.NextProtos
-	}
+	return c.config.NextProtos
 }
 
 func (c *STDServerConfig) SetNextProtos(nextProto []string) {
-	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
-		c.config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
-	} else {
-		c.config.NextProtos = nextProto
-	}
+	c.config.NextProtos = nextProto
 }
 
 func (c *STDServerConfig) Config() (*STDConfig, error) {
@@ -166,7 +156,7 @@ func (c *STDServerConfig) Close() error {
 	return nil
 }
 
-func NewSTDServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
@@ -185,7 +175,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 	} else {
 		tlsConfig = &tls.Config{}
 	}
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	tlsConfig.Time = router.TimeFunc()
 	if options.ServerName != "" {
 		tlsConfig.ServerName = options.ServerName
 	}
@@ -221,8 +211,8 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 	var certificate []byte
 	var key []byte
 	if acmeService == nil {
-		if len(options.Certificate) > 0 {
-			certificate = []byte(strings.Join(options.Certificate, "\n"))
+		if options.Certificate != "" {
+			certificate = []byte(options.Certificate)
 		} else if options.CertificatePath != "" {
 			content, err := os.ReadFile(options.CertificatePath)
 			if err != nil {
@@ -230,8 +220,8 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 			}
 			certificate = content
 		}
-		if len(options.Key) > 0 {
-			key = []byte(strings.Join(options.Key, "\n"))
+		if options.Key != "" {
+			key = []byte(options.Key)
 		} else if options.KeyPath != "" {
 			content, err := os.ReadFile(options.KeyPath)
 			if err != nil {
@@ -241,7 +231,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		}
 		if certificate == nil && key == nil && options.Insecure {
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateCertificate(ntp.TimeFuncFromContext(ctx), info.ServerName)
+				return GenerateKeyPair(router.TimeFunc(), info.ServerName)
 			}
 		} else {
 			if certificate == nil {

common/tls/utls_client.go

@@ -10,11 +10,10 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strings"
 
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/ntp"
 	utls "github.com/sagernet/utls"
 
 	"golang.org/x/net/http2"
@@ -114,7 +113,7 @@ func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
 	return c.UConn.HandshakeContext(ctx)
 }
 
-func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
+func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -128,7 +127,7 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 	}
 
 	var tlsConfig utls.Config
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	tlsConfig.Time = router.TimeFunc()
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -169,8 +168,8 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 		}
 	}
 	var certificate []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {
@@ -219,16 +218,6 @@ func uTLSClientHelloID(name string) (utls.ClientHelloID, error) {
 	switch name {
 	case "chrome", "":
 		return utls.HelloChrome_Auto, nil
-	case "chrome_psk":
-		return utls.HelloChrome_100_PSK, nil
-	case "chrome_psk_shuffle":
-		return utls.HelloChrome_112_PSK_Shuf, nil
-	case "chrome_padding_psk_shuffle":
-		return utls.HelloChrome_114_Padding_PSK_Shuf, nil
-	case "chrome_pq":
-		return utls.HelloChrome_115_PQ, nil
-	case "chrome_pq_psk":
-		return utls.HelloChrome_115_PQ_PSK, nil
 	case "firefox":
 		return utls.HelloFirefox_Auto, nil
 	case "edge":