documentation: Bump version

Signed-off-by: 气息 <qdshizh@gmail.com>

.github/workflows/debug.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -38,7 +38,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -58,7 +58,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -78,7 +78,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -208,7 +208,7 @@ jobs:
       TAGS: with_clash_api,with_quic
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           fetch-depth: 0
       - name: Setup Go

.github/workflows/docker.yml

@@ -4,13 +4,35 @@ on:
   release:
     types:
       - released
-
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "The tag version you want to build"
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+      - name: Get commit to build
+        id: ref
+        run: |-
+          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
+            ref="${{ github.ref_name }}"
+          else
+            ref="${{ github.event.inputs.tag }}"
+          fi
+          echo "ref=$ref"
+          echo "ref=$ref" >> $GITHUB_OUTPUT
+          if [[ $ref == *"-"* ]]; then
+            latest=latest-beta
+          else
+            latest=latest
+          fi
+          echo "latest=$latest"
+          echo "latest=$latest" >> $GITHUB_OUTPUT
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        with:
+          ref: ${{ steps.ref.outputs.ref }}
       - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Setup QEMU for Docker Buildx
@@ -30,10 +52,11 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
+          context: .
           target: dist
           build-args: |
             BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
           tags: |
-            ghcr.io/sagernet/sing-box:latest
-            ghcr.io/sagernet/sing-box:${{ github.ref_name }}
+            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.latest }}
+            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.ref }}
           push: true

.github/workflows/lint.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -30,7 +30,7 @@ jobs:
         with:
           go-version: ^1.22
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v6
         with:
           version: latest
           args: --timeout=30m

.github/workflows/linux.yml

@@ -10,13 +10,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
           go-version: ^1.22
+      - name: Extract signing key
+        run: |-
+          mkdir -p $HOME/.gnupg
+          cat > $HOME/.gnupg/sagernet.key <<EOF
+          ${{ secrets.GPG_KEY }}
+          echo "HOME=$HOME" >> "$GITHUB_ENV"
+          EOF
+          echo "HOME=$HOME" >> "$GITHUB_ENV"
       - name: Publish release
         uses: goreleaser/goreleaser-action@v5
         with:
@@ -27,3 +35,5 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
           FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
+          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
+          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

.goreleaser.fury.yaml

@@ -55,11 +55,20 @@ nfpms:
         dst: /usr/lib/systemd/system/sing-box@.service
       - src: LICENSE
         dst: /usr/share/licenses/sing-box/LICENSE
+    deb:
+      signature:
+        key_file: "{{ .Env.NFPM_KEY_PATH }}"
+      fields:
+        Bugs: https://github.com/SagerNet/sing-box/issues
+    rpm:
+      signature:
+        key_file: "{{ .Env.NFPM_KEY_PATH }}"
     conflicts:
       - sing-box-beta
   - id: package_beta
     <<: *template
     package_name: sing-box-beta
+    file_name_template: '{{ .ProjectName }}-beta_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
     formats:
       - deb
       - rpm
@@ -71,10 +80,8 @@ furies:
   - account: sagernet
     ids:
       - package
-    skip: |-
-      {{ eq .Prerelease "" }}
+    disable: "{{ not (not .Prerelease) }}"
   - account: sagernet
     ids:
       - package_beta
-    skip: |-
-      {{ ne .Prerelease "" }}
+    disable: "{{ not .Prerelease }}"

.goreleaser.yaml

@@ -136,6 +136,8 @@ nfpms:
     deb:
       signature:
         key_file: "{{ .Env.NFPM_KEY_PATH }}"
+      fields:
+        Bugs: https://github.com/SagerNet/sing-box/issues
     rpm:
       signature:
         key_file: "{{ .Env.NFPM_KEY_PATH }}"

Makefile

@@ -81,7 +81,6 @@ release_repo:
 	go run ./cmd/internal/build goreleaser release -f .goreleaser.fury.yaml --clean
 
 release_install:
-	go install -v github.com/goreleaser/goreleaser@latest
 	go install -v github.com/tcnksm/ghr@latest
 
 update_android_version:

adapter/inbound.go

@@ -61,16 +61,12 @@ type InboundContext struct {
 }
 
 func (c *InboundContext) ResetRuleCache() {
-	c.ResetRuleCacheContext()
-	c.DidMatch = false
-}
-
-func (c *InboundContext) ResetRuleCacheContext() {
 	c.IPCIDRMatchSource = false
 	c.SourceAddressMatch = false
 	c.SourcePortMatch = false
 	c.DestinationAddressMatch = false
 	c.DestinationPortMatch = false
+	c.DidMatch = false
 }
 
 type inboundContextKey struct{}
@@ -103,3 +99,12 @@ func ExtendContext(ctx context.Context) (context.Context, *InboundContext) {
 	}
 	return WithContext(ctx, &newMetadata), &newMetadata
 }
+
+func OverrideContext(ctx context.Context) context.Context {
+	if metadata := ContextFrom(ctx); metadata != nil {
+		var newMetadata InboundContext
+		newMetadata = *metadata
+		return WithContext(ctx, &newMetadata)
+	}
+	return ctx
+}

adapter/router.go

@@ -71,6 +71,7 @@ func RouterFromContext(ctx context.Context) Router {
 
 type HeadlessRule interface {
 	Match(metadata *InboundContext) bool
+	String() string
 }
 
 type Rule interface {
@@ -79,14 +80,13 @@ type Rule interface {
 	Type() string
 	UpdateGeosite() error
 	Outbound() string
-	String() string
 }
 
 type DNSRule interface {
 	Rule
 	DisableCache() bool
 	RewriteTTL() *uint32
-	ClientSubnet() *netip.Addr
+	ClientSubnet() *netip.Prefix
 	WithAddressLimit() bool
 	MatchAddressLimit(metadata *InboundContext) bool
 }

box.go

@@ -235,7 +235,7 @@ func (s *Box) Start() error {
 }
 
 func (s *Box) preStart() error {
-	monitor := taskmonitor.New(s.logger, C.DefaultStartTimeout)
+	monitor := taskmonitor.New(s.logger, C.StartTimeout)
 	monitor.Start("start logger")
 	err := s.logFactory.Start()
 	monitor.Finish()
@@ -331,7 +331,7 @@ func (s *Box) Close() error {
 	default:
 		close(s.done)
 	}
-	monitor := taskmonitor.New(s.logger, C.DefaultStopTimeout)
+	monitor := taskmonitor.New(s.logger, C.StopTimeout)
 	var errors error
 	for serviceName, service := range s.postServices {
 		monitor.Start("close ", serviceName)

box_outbound.go

@@ -12,7 +12,7 @@ import (
 )
 
 func (s *Box) startOutbounds() error {
-	monitor := taskmonitor.New(s.logger, C.DefaultStartTimeout)
+	monitor := taskmonitor.New(s.logger, C.StartTimeout)
 	outboundTags := make(map[adapter.Outbound]string)
 	outbounds := make(map[string]adapter.Outbound)
 	for i, outboundToStart := range s.outbounds {

cmd/sing-box/cmd_rule_set_match.go

@@ -0,0 +1,86 @@
+package main
+
+import (
+	"bytes"
+	"io"
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/srs"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/route"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+
+	"github.com/spf13/cobra"
+)
+
+var flagRuleSetMatchFormat string
+
+var commandRuleSetMatch = &cobra.Command{
+	Use:   "match <rule-set path> <domain>",
+	Short: "Check if a domain matches the rule set",
+	Args:  cobra.ExactArgs(2),
+	Run: func(cmd *cobra.Command, args []string) {
+		err := ruleSetMatch(args[0], args[1])
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandRuleSetMatch.Flags().StringVarP(&flagRuleSetMatchFormat, "format", "f", "source", "rule-set format")
+	commandRuleSet.AddCommand(commandRuleSetMatch)
+}
+
+func ruleSetMatch(sourcePath string, domain string) error {
+	var (
+		reader io.Reader
+		err    error
+	)
+	if sourcePath == "stdin" {
+		reader = os.Stdin
+	} else {
+		reader, err = os.Open(sourcePath)
+		if err != nil {
+			return E.Cause(err, "read rule-set")
+		}
+	}
+	content, err := io.ReadAll(reader)
+	if err != nil {
+		return E.Cause(err, "read rule-set")
+	}
+	var plainRuleSet option.PlainRuleSet
+	switch flagRuleSetMatchFormat {
+	case C.RuleSetFormatSource:
+		var compat option.PlainRuleSetCompat
+		compat, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
+		if err != nil {
+			return err
+		}
+		plainRuleSet = compat.Upgrade()
+	case C.RuleSetFormatBinary:
+		plainRuleSet, err = srs.Read(bytes.NewReader(content), false)
+		if err != nil {
+			return err
+		}
+	default:
+		return E.New("unknown rule set format: ", flagRuleSetMatchFormat)
+	}
+	for i, ruleOptions := range plainRuleSet.Rules {
+		var currentRule adapter.HeadlessRule
+		currentRule, err = route.NewHeadlessRule(nil, ruleOptions)
+		if err != nil {
+			return E.Cause(err, "parse rule_set.rules.[", i, "]")
+		}
+		if currentRule.Match(&adapter.InboundContext{
+			Domain: domain,
+		}) {
+			println("match rules.[", i, "]: "+currentRule.String())
+		}
+	}
+	return nil
+}

cmd/sing-box/cmd_run.go

@@ -199,7 +199,7 @@ func run() error {
 }
 
 func closeMonitor(ctx context.Context) {
-	time.Sleep(C.DefaultStopFatalTimeout)
+	time.Sleep(C.FatalStopTimeout)
 	select {
 	case <-ctx.Done():
 		return

common/dialer/default.go

@@ -32,14 +32,20 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
-		bindFunc := control.BindToInterface(router.InterfaceFinder(), options.BindInterface, -1)
+		var interfaceFinder control.InterfaceFinder
+		if router != nil {
+			interfaceFinder = router.InterfaceFinder()
+		} else {
+			interfaceFinder = control.NewDefaultInterfaceFinder()
+		}
+		bindFunc := control.BindToInterface(interfaceFinder, options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
-	} else if router.AutoDetectInterface() {
+	} else if router != nil && router.AutoDetectInterface() {
 		bindFunc := router.AutoDetectInterfaceFunc()
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
-	} else if router.DefaultInterface() != "" {
+	} else if router != nil && router.DefaultInterface() != "" {
 		bindFunc := control.BindToInterface(router.InterfaceFinder(), router.DefaultInterface(), -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
@@ -47,7 +53,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	if options.RoutingMark != 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(options.RoutingMark))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(options.RoutingMark))
-	} else if router.DefaultMark() != 0 {
+	} else if router != nil && router.DefaultMark() != 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(router.DefaultMark()))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(router.DefaultMark()))
 	}
@@ -63,6 +69,9 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	} else {
 		dialer.Timeout = C.TCPTimeout
 	}
+	// TODO: Add an option to customize the keep alive period
+	dialer.KeepAlive = C.TCPKeepAliveInitial
+	dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(C.TCPKeepAliveInitial, C.TCPKeepAliveInterval))
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment

common/dialer/dialer.go

@@ -13,6 +13,9 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	if options.IsWireGuardListener {
 		return NewDefault(router, options)
 	}
+	if router == nil {
+		return NewDefault(nil, options)
+	}
 	var (
 		dialer N.Dialer
 		err    error

common/mux/client.go

@@ -1,11 +1,16 @@
 package mux
 
 import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-mux"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -30,7 +35,7 @@ func NewClientWithOptions(dialer N.Dialer, logger logger.Logger, options option.
 		}
 	}
 	return mux.NewClient(mux.Options{
-		Dialer:         dialer,
+		Dialer:         &clientDialer{dialer},
 		Logger:         logger,
 		Protocol:       options.Protocol,
 		MaxConnections: options.MaxConnections,
@@ -40,3 +45,15 @@ func NewClientWithOptions(dialer N.Dialer, logger logger.Logger, options option.
 		Brutal:         brutalOptions,
 	})
 }
+
+type clientDialer struct {
+	N.Dialer
+}
+
+func (d *clientDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	return d.Dialer.DialContext(adapter.OverrideContext(ctx), network, destination)
+}
+
+func (d *clientDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	return d.Dialer.ListenPacket(adapter.OverrideContext(ctx), destination)
+}

common/tls/ech_quic.go

@@ -27,11 +27,10 @@ func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, ad
 	return quic.DialEarly(ctx, conn, addr, c.config, config)
 }
 
-func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config, enableDatagrams bool) http.RoundTripper {
+func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config) http.RoundTripper {
 	return &http3.RoundTripper{
 		TLSClientConfig: c.config,
-		QuicConfig:      quicConfig,
-		EnableDatagrams: enableDatagrams,
+		QUICConfig:      quicConfig,
 		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
 			if err != nil {

constant/timeout.go

@@ -3,15 +3,18 @@ package constant
 import "time"
 
 const (
-	TCPTimeout                = 5 * time.Second
-	ReadPayloadTimeout        = 300 * time.Millisecond
-	DNSTimeout                = 10 * time.Second
-	QUICTimeout               = 30 * time.Second
-	STUNTimeout               = 15 * time.Second
-	UDPTimeout                = 5 * time.Minute
-	DefaultURLTestInterval    = 3 * time.Minute
-	DefaultURLTestIdleTimeout = 30 * time.Minute
-	DefaultStartTimeout       = 10 * time.Second
-	DefaultStopTimeout        = 5 * time.Second
-	DefaultStopFatalTimeout   = 10 * time.Second
+	TCPKeepAliveInitial        = 10 * time.Minute
+	TCPKeepAliveInterval       = 75 * time.Second
+	TCPTimeout                 = 5 * time.Second
+	ReadPayloadTimeout         = 300 * time.Millisecond
+	DNSTimeout                 = 10 * time.Second
+	QUICTimeout                = 30 * time.Second
+	STUNTimeout                = 15 * time.Second
+	UDPTimeout                 = 5 * time.Minute
+	DefaultURLTestInterval     = 3 * time.Minute
+	DefaultURLTestIdleTimeout  = 30 * time.Minute
+	StartTimeout               = 10 * time.Second
+	StopTimeout                = 5 * time.Second
+	FatalStopTimeout           = 10 * time.Second
+	FakeIPMetadataSaveInterval = 10 * time.Second
 )

docs/changelog.md

@@ -2,7 +2,58 @@
 icon: material/alert-decagram
 ---
 
-#### 1.9.0-rc.1
+#### 1.9.0-rc.18
+
+* Add custom prefix support in EDNS0 client subnet options
+* Fix hysteria2 crash
+* Fix `store_rdrc` corrupted
+* Update quic-go to v0.43.1
+* Fixes and improvements
+
+#### 1.9.0-rc.16
+
+* Mitigating TunnelVision attacks **1**
+* Fixes and improvements
+
+**1**:
+
+See [TunnelVision](/manual/misc/tunnelvision).
+
+#### 1.9.0-rc.15
+
+* Fixes and improvements
+
+#### 1.8.13
+
+* Fix fake-ip mapping
+* Fixes and improvements
+
+#### 1.9.0-rc.14
+
+* Fixes and improvements
+
+#### 1.9.0-rc.13
+
+* Update Hysteria protocol
+* Update quic-go to v0.43.0
+* Update gVisor to 20240422.0
+* Fixes and improvements
+
+#### 1.8.12
+
+* Now we have official APT and DNF repositories **1**
+* Fix packet MTU for QUIC protocols
+* Fixes and improvements
+
+**1**:
+
+Including stable and beta versions, see https://sing-box.sagernet.org/installation/package-manager/
+
+#### 1.9.0-rc.11
+
+* Fixes and improvements
+
+#### 1.8.11
 
 * Fixes and improvements
 

docs/clients/apple/index.md

@@ -15,11 +15,12 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 ## :material-download: Download
 
 * [App Store](https://apps.apple.com/us/app/sing-box/id6451272673)
-* ~~[TestFlight (Beta)](https://testflight.apple.com/join/AcqO44FH)~~
+* ~~TestFlight (Beta)~~
 
-_Our Testflight distribution has been temporarily blocked by Apple (possibly due to too many beta versions)
-and you cannot join the test, install or update the sing-box beta app right now.
-Please wait patiently for processing._
+TestFlight quota is only available to [sponsors](https://github.com/sponsors/nekohasekai)
+(one-time sponsorships are accepted).
+Once you donate, you can get an invitation by sending us your Apple ID [via email](mailto:contact@sagernet.org),
+or join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot).
 
 ## :material-file-download: Download (macOS standalone version)
 

docs/configuration/dns/index.md

@@ -73,6 +73,8 @@ problematic in environments such as macOS, where DNS is proxied and cached by th
 
 !!! question "Since sing-box 1.9.0"
 
-Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 
 Can be overrides by `servers.[].client_subnet` or `rules.[].client_subnet`.

docs/configuration/dns/index.zh.md

@@ -71,8 +71,10 @@ icon: material/new-box
 
 !!! question "自 sing-box 1.9.0 起"
 
-默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。
- 
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+
 可以被 `servers.[].client_subnet` 或 `rules.[].client_subnet` 覆盖。
 
 #### fakeip

docs/configuration/dns/rule.md

@@ -125,7 +125,7 @@ icon: material/new-box
         "server": "local",
         "disable_cache": false,
         "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1"
+        "client_subnet": "127.0.0.1/24"
       },
       {
         "type": "logical",
@@ -134,7 +134,7 @@ icon: material/new-box
         "server": "local",
         "disable_cache": false,
         "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1"
+        "client_subnet": "127.0.0.1/24"
       }
     ]
   }
@@ -339,7 +339,9 @@ Rewrite TTL in DNS responses.
 
 !!! question "Since sing-box 1.9.0"
 
-Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 
 Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
 

docs/configuration/dns/rule.zh.md

@@ -124,7 +124,7 @@ icon: material/new-box
         ],
         "server": "local",
         "disable_cache": false,
-        "client_subnet": "127.0.0.1"
+        "client_subnet": "127.0.0.1/24"
       },
       {
         "type": "logical",
@@ -132,7 +132,7 @@ icon: material/new-box
         "rules": [],
         "server": "local",
         "disable_cache": false,
-        "client_subnet": "127.0.0.1"
+        "client_subnet": "127.0.0.1/24"
       }
     ]
   }
@@ -337,7 +337,9 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 !!! question "自 sing-box 1.9.0 起"
 
-默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
 
 将覆盖 `dns.client_subnet` 与 `servers.[].client_subnet`。
 

docs/configuration/dns/server.md

@@ -100,7 +100,9 @@ Default outbound will be used if empty.
 
 !!! question "Since sing-box 1.9.0"
 
-Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 
 Can be overrides by `rules.[].client_subnet`.
 

docs/configuration/dns/server.zh.md

@@ -100,7 +100,9 @@ DNS 服务器的地址。
 
 !!! question "自 sing-box 1.9.0 起"
 
-默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
 
 可以被 `rules.[].client_subnet` 覆盖。
 

docs/configuration/inbound/tun.md

@@ -147,7 +147,7 @@ Enforce strict routing rules when `auto_route` is enabled:
 * Let unsupported network unreachable
 * Route all connections to tun
 
-It prevents address leaks and makes DNS hijacking work on Android, but your device will not be accessible by others.
+It prevents address leaks and makes DNS hijacking work on Android.
 
 *In Windows*:
 

docs/configuration/inbound/tun.zh.md

@@ -147,7 +147,7 @@ tun 接口的 IPv6 前缀。
 * 让不支持的网络无法到达
 * 将所有连接路由到 tun
 
-它可以防止地址泄漏，并使 DNS 劫持在 Android 上工作，但你的设备将无法其他设备被访问。
+它可以防止地址泄漏，并使 DNS 劫持在 Android 上工作。
 
 *在 Windows 中*:
 

docs/installation/build-from-source.md

@@ -57,16 +57,16 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | Build Tag                          | Enabled by default | Description                                                                                                                                                                                                                                                                                                                    |
 |------------------------------------|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `with_quic`                        | :material-check:   | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server/), [Naive inbound](/configuration/inbound/naive/), [Hysteria Inbound](/configuration/inbound/hysteria/), [Hysteria Outbound](/configuration/outbound/hysteria/) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
-| `with_grpc`                        | :material-close:️                 | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
+| `with_grpc`                        | :material-close:️  | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
 | `with_dhcp`                        | :material-check:   | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/).                                                                                                                                                                                                                                                 |
 | `with_wireguard`                   | :material-check:   | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/).                                                                                                                                                                                                                                    |
-| `with_ech`                         | :material-check:                  | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                               |
-| `with_utls`                        | :material-check:                  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                          |
+| `with_ech`                         | :material-check:   | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                               |
+| `with_utls`                        | :material-check:   | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                          |
 | `with_reality_server`              | :material-check:   | Build with reality TLS server support,  see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                                 |
 | `with_acme`                        | :material-check:   | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                         |
-| `with_clash_api`                   | :material-check:                  | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
-| `with_v2ray_api`                   | :material-close:️                 | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
-| `with_gvisor`                      | :material-check:                  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
+| `with_clash_api`                   | :material-check:   | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
+| `with_v2ray_api`                   | :material-close:️  | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
+| `with_gvisor`                      | :material-check:   | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️  | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
 
 It is not recommended to change the default build tag list unless you really know what you are adding.

docs/installation/build-from-source.zh.md

@@ -54,19 +54,19 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 
 ## :material-folder-settings: 构建标记
 
-| 构建标记                               | 默认启动              | 说明                                                                                                                                                                                                                                                                                                                         |
-|------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 构建标记                               | 默认启动              | 说明                                                                                                                                                                                                                                                                                                                             |
+|------------------------------------|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `with_quic`                        | :material-check:  | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server/), [Naive inbound](/configuration/inbound/naive/), [Hysteria Inbound](/configuration/inbound/hysteria/), [Hysteria Outbound](/configuration/outbound/hysteria/) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
-| `with_grpc`                        | :material-close:️ | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                  |
-| `with_dhcp`                        | :material-check:  | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/).                                                                                                                                                                                                                                              |
-| `with_wireguard`                   | :material-check:  | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/).                                                                                                                                                                                                                                 |
-| `with_ech`                         | :material-check:  | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                           |
-| `with_utls`                        | :material-check:  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                      |
-| `with_reality_server`              | :material-check:  | Build with reality TLS server support,  see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                              |
-| `with_acme`                        | :material-check:  | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                      |
-| `with_clash_api`                   | :material-check:  | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                            |
-| `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                            |
-| `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                               |
-| `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                          |
+| `with_grpc`                        | :material-close:️ | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
+| `with_dhcp`                        | :material-check:  | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/).                                                                                                                                                                                                                                                 |
+| `with_wireguard`                   | :material-check:  | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/).                                                                                                                                                                                                                                    |
+| `with_ech`                         | :material-check:  | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                               |
+| `with_utls`                        | :material-check:  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                          |
+| `with_reality_server`              | :material-check:  | Build with reality TLS server support,  see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                                 |
+| `with_acme`                        | :material-check:  | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                         |
+| `with_clash_api`                   | :material-check:  | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
+| `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
+| `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
+| `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
 
 除非您确实知道您正在启用什么，否则不建议更改默认构建标签列表。

docs/installation/package-manager.md

@@ -9,7 +9,7 @@ icon: material/package
 === ":material-debian: Debian / APT"
 
     ```bash
-    sudo curl -fsSL https://deb.sagernet.org/gpg.key -o /etc/apt/keyrings/sagernet.asc
+    sudo curl -fsSL https://sing-box.app/gpg.key -o /etc/apt/keyrings/sagernet.asc
     sudo chmod a+r /etc/apt/keyrings/sagernet.asc
     echo "deb [arch=`dpkg --print-architecture` signed-by=/etc/apt/keyrings/sagernet.asc] https://deb.sagernet.org/ * *" | \
       sudo tee /etc/apt/sources.list.d/sagernet.list > /dev/null
@@ -21,7 +21,7 @@ icon: material/package
 
     ```bash
     sudo dnf -y install dnf-plugins-core
-    sudo dnf config-manager --add-repo https://sing-box.app/rpm.repo
+    sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo
     sudo dnf install sing-box # or sing-box-beta
     ```
 
@@ -29,7 +29,7 @@ icon: material/package
 
     ```bash
     sudo yum install -y yum-utils
-    sudo yum-config-manager --add-repo https://sing-box.app/rpm.repo
+    sudo yum-config-manager --add-repo https://sing-box.app/sing-box.repo
     sudo yum install sing-box # or sing-box-beta
     ```
 
@@ -57,38 +57,38 @@ icon: material/package
 
 === ":material-linux: Linux"
 
-    | Type     | Platform      | Link                    | Command                      | Actively maintained |
-    |----------|---------------|-------------------------|------------------------------|---------------------|
-    | APK      | Alpine        | [sing-box][alpine]      | `apk add sing-box`           | :material-check:    |
-    | AUR      | Arch Linux    | [sing-box][aur] ᴬᵁᴿ     | `? -S sing-box`              | :material-check:    |
-    | nixpkgs  | NixOS         | [sing-box][nixpkgs]     | `nix-env -iA nixos.sing-box` | :material-check:    |
-    | Homebrew | macOS / Linux | [sing-box][brew]        | `brew install sing-box`      | :material-check:    |
+    | Type     | Platform      | Command                      | Link                                                                                                          |
+    |----------|---------------|------------------------------|---------------------------------------------------------------------------------------------------------------|
+    | AUR      | Arch Linux    | `? -S sing-box`              | [![AUR package](https://repology.org/badge/version-for-repo/aur/sing-box.svg)][aur]                           |
+    | nixpkgs  | NixOS         | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
+    | Homebrew | macOS / Linux | `brew install sing-box`      | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew]                |
+    | APK      | Alpine        | `apk add sing-box`           | [![Alpine Linux Edge package](https://repology.org/badge/version-for-repo/alpine_edge/sing-box.svg)][alpine]  |
 
 === ":material-apple: macOS"
 
-    | Type     | Platform | Link             | Command                 | Actively maintained |
-    |----------|----------|------------------|-------------------------|---------------------|
-    | Homebrew | macOS    | [sing-box][brew] | `brew install sing-box` | :material-check:    |
+    | Type     | Platform | Command                 | Link                                                                                           |
+    |----------|----------|-------------------------|------------------------------------------------------------------------------------------------|
+    | Homebrew | macOS    | `brew install sing-box` | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew] |
 
 === ":material-microsoft-windows: Windows"
 
-    | Type       | Platform           | Link                | Command                      | Actively maintained |
-    |------------|--------------------|---------------------|------------------------------|---------------------|
-    | Scoop      | Windows            | [sing-box][scoop]   | `scoop install sing-box`     | :material-check:    |
-    | Chocolatey | Windows            | [sing-box][choco]   | `choco install sing-box`     | :material-check:    |
-    | winget     | Windows            | [sing-box][winget]  | `winget install sing-box`    | :material-alert:    |
+    | Type       | Platform | Command                   | Link                                                                                                |
+    |------------|----------|---------------------------|-----------------------------------------------------------------------------------------------------|
+    | Scoop      | Windows  | `scoop install sing-box`  | [![Scoop package](https://repology.org/badge/version-for-repo/scoop/sing-box.svg)][scoop]           |
+    | Chocolatey | Windows  | `choco install sing-box`  | [![Chocolatey package](https://repology.org/badge/version-for-repo/chocolatey/sing-box.svg)][choco] |
+    | winget     | Windows  | `winget install sing-box` | [![winget package](https://repology.org/badge/version-for-repo/winget/sing-box.svg)][winget]        |
 
 === ":material-android: Android"
 
-    | Type       | Platform           | Link                | Command                      | Actively maintained |
-    |------------|--------------------|---------------------|------------------------------|---------------------|
-    | Termux     | Android            | [sing-box][termux]  | `pkg add sing-box`           | :material-check:    |
+    | Type   | Platform | Command            | Link                                                                                         |
+    |--------|----------|--------------------|----------------------------------------------------------------------------------------------|
+    | Termux | Android  | `pkg add sing-box` | [![Termux package](https://repology.org/badge/version-for-repo/termux/sing-box.svg)][termux] |
 
 === ":material-freebsd: FreeBSD"
 
-    | Type       | Platform | Link              | Command                | Actively maintained |
-    |------------|----------|-------------------|------------------------|---------------------|
-    | FreshPorts | FreeBSD  | [sing-box][ports] | `pkg install sing-box` | :material-alert:    |
+    | Type       | Platform | Command                | Link                                                                                       |
+    |------------|----------|------------------------|--------------------------------------------------------------------------------------------|
+    | FreshPorts | FreeBSD  | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |
 
 ## :material-book-multiple: Service Management
 

docs/installation/package-manager.zh.md

@@ -9,7 +9,7 @@ icon: material/package
 === ":material-debian: Debian / APT"
 
     ```bash
-    sudo curl -fsSL https://deb.sagernet.org/gpg.key -o /etc/apt/keyrings/sagernet.asc
+    sudo curl -fsSL https://sing-box.app/gpg.key -o /etc/apt/keyrings/sagernet.asc
     sudo chmod a+r /etc/apt/keyrings/sagernet.asc
     echo "deb [arch=`dpkg --print-architecture` signed-by=/etc/apt/keyrings/sagernet.asc] https://deb.sagernet.org/ * *" | \
       sudo tee /etc/apt/sources.list.d/sagernet.list > /dev/null
@@ -21,7 +21,7 @@ icon: material/package
 
     ```bash
     sudo dnf -y install dnf-plugins-core
-    sudo dnf config-manager --add-repo https://sing-box.app/rpm.repo
+    sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo
     sudo dnf install sing-box # or sing-box-beta
     ```
 
@@ -29,7 +29,7 @@ icon: material/package
 
     ```bash
     sudo yum install -y yum-utils
-    sudo yum-config-manager --add-repo https://sing-box.app/rpm.repo
+    sudo yum-config-manager --add-repo https://sing-box.app/sing-box.repo
     sudo yum install sing-box # or sing-box-beta
     ```
 
@@ -57,38 +57,38 @@ icon: material/package
 
 === ":material-linux: Linux"
 
-    | 类型       | 平台         | 链接                  | 命令                           | 活跃维护             |
-    |----------|------------|---------------------|------------------------------|------------------|
-    | Alpine   | Alpine     | [sing-box][alpine]  | `apk add sing-box`           | :material-check: |
-    | AUR      | Arch Linux | [sing-box][aur] ᴬᵁᴿ | `? -S sing-box`              | :material-check: |
-    | nixpkgs  | NixOS      | [sing-box][nixpkgs] | `nix-env -iA nixos.sing-box` | :material-check: |
-    | Homebrew | Linux      | [sing-box][brew]    | `brew install sing-box`      | :material-check: |
+    | 类型       | 平台            | 链接                           | 命令                                                                                                            |
+    |----------|---------------|------------------------------|---------------------------------------------------------------------------------------------------------------|
+    | AUR      | Arch Linux    | `? -S sing-box`              | [![AUR package](https://repology.org/badge/version-for-repo/aur/sing-box.svg)][aur]                           |
+    | nixpkgs  | NixOS         | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
+    | Homebrew | macOS / Linux | `brew install sing-box`      | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew]                |
+    | APK      | Alpine        | `apk add sing-box`           | [![Alpine Linux Edge package](https://repology.org/badge/version-for-repo/alpine_edge/sing-box.svg)][alpine]  |
 
 === ":material-apple: macOS"
 
-    | 类型       | 平台    | 链接               | 命令                      | 活跃维护             |
-    |----------|-------|------------------|-------------------------|------------------|
-    | Homebrew | macOS | [sing-box][brew] | `brew install sing-box` | :material-check: |
+    | 类型       | 平台    | 链接                      | 命令                                                                                             |
+    |----------|-------|-------------------------|------------------------------------------------------------------------------------------------|
+    | Homebrew | macOS | `brew install sing-box` | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew] |
 
 === ":material-microsoft-windows: Windows"
 
-    | 类型         | 平台      | 链接                 | 命令                        | 活跃维护             |
-    |------------|---------|--------------------|---------------------------|------------------|
-    | Scoop      | Windows | [sing-box][scoop]  | `scoop install sing-box`  | :material-check: |
-    | Chocolatey | Windows | [sing-box][choco]  | `choco install sing-box`  | :material-check: |
-    | winget     | Windows | [sing-box][winget] | `winget install sing-box` | :material-alert: |
+    | 类型         | 平台      | 链接                        | 命令                                                                                                  |
+    |------------|---------|---------------------------|-----------------------------------------------------------------------------------------------------|
+    | Scoop      | Windows | `scoop install sing-box`  | [![Scoop package](https://repology.org/badge/version-for-repo/scoop/sing-box.svg)][scoop]           |
+    | Chocolatey | Windows | `choco install sing-box`  | [![Chocolatey package](https://repology.org/badge/version-for-repo/chocolatey/sing-box.svg)][choco] |
+    | winget     | Windows | `winget install sing-box` | [![winget package](https://repology.org/badge/version-for-repo/winget/sing-box.svg)][winget]        |
 
 === ":material-android: Android"
 
-    | 类型     | 平台      | 链接                 | 命令                 | 活跃维护             |
-    |--------|---------|--------------------|--------------------|------------------|
-    | Termux | Android | [sing-box][termux] | `pkg add sing-box` | :material-check: |
+    | 类型     | 平台      | 链接                 | 命令                                                                                           |
+    |--------|---------|--------------------|----------------------------------------------------------------------------------------------|
+    | Termux | Android | `pkg add sing-box` | [![Termux package](https://repology.org/badge/version-for-repo/termux/sing-box.svg)][termux] |
 
 === ":material-freebsd: FreeBSD"
 
-    | 类型         | 平台      | 链接                | 命令                     | 活跃维护             |
-    |------------|---------|-------------------|------------------------|------------------|
-    | FreshPorts | FreeBSD | [sing-box][ports] | `pkg install sing-box` | :material-alert: |
+    | 类型         | 平台      | 链接                     | 命令                                                                                         |
+    |------------|---------|------------------------|--------------------------------------------------------------------------------------------|
+    | FreshPorts | FreeBSD | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |
 
 ## :material-book-multiple: 服务管理
 

docs/installation/tools/sing-box.repo

@@ -2,5 +2,6 @@
 name=sing-box
 baseurl=https://rpm.sagernet.org/
 enabled=1
+repo_gpgcheck=1
 gpgcheck=1
-gpgkey=https://deb.sagernet.org/gpg.key
+gpgkey=https://sing-box.app/gpg.key

docs/manual/misc/tunnelvision.md

@@ -0,0 +1,38 @@
+---
+icon: material/book-lock-open
+---
+
+# TunnelVision
+
+TunnelVision is an attack that uses DHCP option 121 to set higher priority routes
+so that traffic does not go through the VPN.
+
+Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3661
+
+## Status
+
+### Android
+
+Android does not handle DHCP option 121 and is not affected.
+
+### Apple platforms
+
+Update [sing-box graphical client](/clients/apple/#download) to `1.9.0-rc.16` or newer,
+then enable `includeAllNetworks` in `Settings` — `Packet Tunnel` and you will be unaffected.
+
+Note: when `includeAllNetworks` is enabled, the default TUN stack is changed to `gvisor`,
+and the `system` and `mixed` stacks are not available.
+
+### Linux
+
+Update sing-box to `1.9.0-rc.16` or newer, rules generated by `auto-route` are unaffected.
+
+### Windows
+
+No solution yet.
+
+## Workarounds
+
+* Don't connect to untrusted networks
+* Relay untrusted network through another device
+* Just ignore it

docs/manual/proxy-protocol/tuic.md

@@ -1,208 +0,0 @@
----
-icon: material/alpha-t-box
----
-
-# TUIC
-
-A recently popular Chinese-made simple protocol based on QUIC, the selling point is the BBR congestion control algorithm.
-
-!!! warning
-
-    Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more characteristics than TCP based proxies.
-
-| Specification                                             | Binary Characteristics | Active Detect Hiddenness |
-|-----------------------------------------------------------|------------------------|--------------------------|
-| [GitHub](https://github.com/EAimTY/tuic/blob/dev/SPEC.md) | :material-alert:       | :material-check:         | 
-
-## Password Generator
-
-| Generated UUID         | Generated  Password        | Action                                                          |
-|------------------------|----------------------------|-----------------------------------------------------------------|
-| <code id="uuid"><code> | <code id="password"><code> | <button class="md-button" onclick="generate()">Refresh</button> |
-
-<script>
-    function generateUUID() {
-        const uuid = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
-            let r = Math.random() * 16 | 0,
-            v = c === 'x' ? r : (r & 0x3 | 0x8);
-            return v.toString(16);
-        });
-        document.getElementById("uuid").textContent = uuid;
-    }
-    function generatePassword() {
-        const array = new Uint8Array(16);
-        window.crypto.getRandomValues(array);
-        document.getElementById("password").textContent = btoa(String.fromCharCode.apply(null, array));
-    }
-    function generate() {
-        generateUUID();
-        generatePassword();
-    }
-    generate();
-</script>
-
-## :material-server: Server Example
-
-=== ":material-harddisk: With local certificate"
-
-    ```json
-     {
-      "inbounds": [
-        {
-          "type": "tuic",
-          "listen": "::",
-          "listen_port": 8080,
-          "users": [
-            {
-              "name": "sekai",
-              "uuid": "<uuid>",
-              "password": "<password>"
-            }
-          ],
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "key_path": "/path/to/key.pem",
-            "certificate_path": "/path/to/certificate.pem"
-          }
-        }
-      ]
-    }
-    ```
-
-=== ":material-auto-fix: With ACME"
-
-    ```json
-    {
-      "inbounds": [
-        {
-          "type": "tuic",
-          "listen": "::",
-          "listen_port": 8080,
-          "users": [
-            {
-              "name": "sekai",
-              "uuid": "<uuid>",
-              "password": "<password>"
-            }
-          ],
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "acme": {
-              "domain": "example.org",
-              "email": "admin@example.org"
-            }
-          }
-        }
-      ]
-    }
-    ```
-
-=== ":material-cloud: With ACME and Cloudflare API"
-
-    ```json
-    {
-      "inbounds": [
-        {
-          "type": "tuic",
-          "listen": "::",
-          "listen_port": 8080,
-          "users": [
-            {
-              "name": "sekai",
-              "uuid": "<uuid>",
-              "password": "<password>"
-            }
-          ],
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "acme": {
-              "domain": "example.org",
-              "email": "admin@example.org",
-              "dns01_challenge": {
-                "provider": "cloudflare",
-                "api_token": "my_token"
-              }
-            }
-          }
-        }
-      ]
-    }
-    ```
-
-## :material-cellphone-link: Client Example
-
-=== ":material-web-check: With valid certificate"
-
-    ```json
-    {
-      "outbounds": [
-        {
-          "type": "tuic",
-          "server": "127.0.0.1",
-          "server_port": 8080,
-          "uuid": "<uuid>",
-          "password": "<password>",
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org"
-          }
-        }
-      ]
-    }
-    ```
-
-=== ":material-check: With self-sign certificate"
-
-    !!! info "Tip"
-        
-        Use `sing-box merge` command to merge configuration and certificate into one file.
-
-    ```json
-    {
-      "outbounds": [
-        {
-          "type": "tuic",
-          "server": "127.0.0.1",
-          "server_port": 8080,
-          "uuid": "<uuid>",
-          "password": "<password>",
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "certificate_path": "/path/to/certificate.pem"
-          }
-        }
-      ]
-    }
-    ```
-
-=== ":material-alert: Ignore certificate verification"
-
-    ```json
-    {
-      "outbounds": [
-        {
-          "type": "tuic",
-          "server": "127.0.0.1",
-          "server_port": 8080,
-          "uuid": "<uuid>",
-          "password": "<password>",
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "insecure": true
-          }
-        }
-      ]
-    }
-    ```
-

docs/manual/proxy/client.md

@@ -380,7 +380,8 @@ flowchart TB
                 "mode": "and",
                 "rules": [
                   {
-                    "rule_set": "geosite-geolocation-!cn"
+                    "rule_set": "geosite-geolocation-!cn",
+                    "invert": true
                   },
                   {
                     "rule_set": "geoip-cn"
@@ -462,14 +463,15 @@ flowchart TB
                 "mode": "and",
                 "rules": [
                   {
-                    "rule_set": "geosite-geolocation-!cn"
+                    "rule_set": "geosite-geolocation-!cn",
+                    "invert": true
                   },
                   {
                     "rule_set": "geoip-cn"
                   }
                 ],
                 "server": "google",
-                "client_subnet": "114.114.114.114" // Any China client IP address
+                "client_subnet": "114.114.114.114/24" // Any China client IP address
               }
             ]
           },

experimental/cachefile/cache.go

@@ -57,6 +57,7 @@ type CacheFile struct {
 type saveRDRCCacheKey struct {
 	TransportName string
 	QuestionName  string
+	QType         uint16
 }
 
 func New(ctx context.Context, options option.CacheFileOptions) *CacheFile {

experimental/cachefile/fakeip.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/sagernet/bbolt"
 	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 )
@@ -58,12 +59,13 @@ func (c *CacheFile) FakeIPSaveMetadata(metadata *adapter.FakeIPMetadata) error {
 }
 
 func (c *CacheFile) FakeIPSaveMetadataAsync(metadata *adapter.FakeIPMetadata) {
-	if timer := c.saveMetadataTimer; timer != nil {
-		timer.Stop()
+	if c.saveMetadataTimer == nil {
+		c.saveMetadataTimer = time.AfterFunc(C.FakeIPMetadataSaveInterval, func() {
+			_ = c.FakeIPSaveMetadata(metadata)
+		})
+	} else {
+		c.saveMetadataTimer.Reset(C.FakeIPMetadataSaveInterval)
 	}
-	c.saveMetadataTimer = time.AfterFunc(10*time.Second, func() {
-		_ = c.FakeIPSaveMetadata(metadata)
-	})
 }
 
 func (c *CacheFile) FakeIPStore(address netip.Addr, domain string) error {
@@ -72,6 +74,7 @@ func (c *CacheFile) FakeIPStore(address netip.Addr, domain string) error {
 		if err != nil {
 			return err
 		}
+		oldDomain := bucket.Get(address.AsSlice())
 		err = bucket.Put(address.AsSlice(), []byte(domain))
 		if err != nil {
 			return err
@@ -84,12 +87,24 @@ func (c *CacheFile) FakeIPStore(address netip.Addr, domain string) error {
 		if err != nil {
 			return err
 		}
+		if oldDomain != nil {
+			if err := bucket.Delete(oldDomain); err != nil {
+				return err
+			}
+		}
 		return bucket.Put([]byte(domain), address.AsSlice())
 	})
 }
 
 func (c *CacheFile) FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger) {
 	c.saveFakeIPAccess.Lock()
+	if oldDomain, loaded := c.saveDomain[address]; loaded {
+		if address.Is4() {
+			delete(c.saveAddress4, oldDomain)
+		} else {
+			delete(c.saveAddress6, oldDomain)
+		}
+	}
 	c.saveDomain[address] = domain
 	if address.Is4() {
 		c.saveAddress4[domain] = address

experimental/cachefile/rdrc.go

@@ -9,7 +9,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 )
 
-var bucketRDRC = []byte("rdrc")
+var bucketRDRC = []byte("rdrc2")
 
 func (c *CacheFile) StoreRDRC() bool {
 	return c.storeRDRC
@@ -19,13 +19,17 @@ func (c *CacheFile) RDRCTimeout() time.Duration {
 	return c.rdrcTimeout
 }
 
-func (c *CacheFile) LoadRDRC(transportName string, qName string) (rejected bool) {
+func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (rejected bool) {
 	c.saveRDRCAccess.RLock()
-	rejected, cached := c.saveRDRC[saveRDRCCacheKey{transportName, qName}]
+	rejected, cached := c.saveRDRC[saveRDRCCacheKey{transportName, qName, qType}]
 	c.saveRDRCAccess.RUnlock()
 	if cached {
 		return
 	}
+	key := buf.Get(2 + len(qName))
+	binary.BigEndian.PutUint16(key, qType)
+	copy(key[2:], qName)
+	defer buf.Put(key)
 	var deleteCache bool
 	err := c.DB.View(func(tx *bbolt.Tx) error {
 		bucket := c.bucket(tx, bucketRDRC)
@@ -36,7 +40,7 @@ func (c *CacheFile) LoadRDRC(transportName string, qName string) (rejected bool)
 		if bucket == nil {
 			return nil
 		}
-		content := bucket.Get([]byte(qName))
+		content := bucket.Get(key)
 		if content == nil {
 			return nil
 		}
@@ -61,13 +65,13 @@ func (c *CacheFile) LoadRDRC(transportName string, qName string) (rejected bool)
 			if bucket == nil {
 				return nil
 			}
-			return bucket.Delete([]byte(qName))
+			return bucket.Delete(key)
 		})
 	}
 	return
 }
 
-func (c *CacheFile) SaveRDRC(transportName string, qName string) error {
+func (c *CacheFile) SaveRDRC(transportName string, qName string, qType uint16) error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket, err := c.createBucket(tx, bucketRDRC)
 		if err != nil {
@@ -77,20 +81,24 @@ func (c *CacheFile) SaveRDRC(transportName string, qName string) error {
 		if err != nil {
 			return err
 		}
+		key := buf.Get(2 + len(qName))
+		binary.BigEndian.PutUint16(key, qType)
+		copy(key[2:], qName)
+		defer buf.Put(key)
 		expiresAt := buf.Get(8)
 		defer buf.Put(expiresAt)
 		binary.BigEndian.PutUint64(expiresAt, uint64(time.Now().Add(c.rdrcTimeout).Unix()))
-		return bucket.Put([]byte(qName), expiresAt)
+		return bucket.Put(key, expiresAt)
 	})
 }
 
-func (c *CacheFile) SaveRDRCAsync(transportName string, qName string, logger logger.Logger) {
-	saveKey := saveRDRCCacheKey{transportName, qName}
+func (c *CacheFile) SaveRDRCAsync(transportName string, qName string, qType uint16, logger logger.Logger) {
+	saveKey := saveRDRCCacheKey{transportName, qName, qType}
 	c.saveRDRCAccess.Lock()
 	c.saveRDRC[saveKey] = true
 	c.saveRDRCAccess.Unlock()
 	go func() {
-		err := c.SaveRDRC(transportName, qName)
+		err := c.SaveRDRC(transportName, qName, qType)
 		if err != nil {
 			logger.Warn("save RDRC: ", err)
 		}

experimental/libbox/config.go

@@ -9,7 +9,6 @@ import (
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/process"
-	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
@@ -75,7 +74,7 @@ func (s *platformInterfaceStub) UsePlatformInterfaceGetter() bool {
 	return true
 }
 
-func (s *platformInterfaceStub) Interfaces() ([]platform.NetworkInterface, error) {
+func (s *platformInterfaceStub) Interfaces() ([]control.Interface, error) {
 	return nil, os.ErrInvalid
 }
 
@@ -83,6 +82,10 @@ func (s *platformInterfaceStub) UnderNetworkExtension() bool {
 	return false
 }
 
+func (s *platformInterfaceStub) IncludeAllNetworks() bool {
+	return false
+}
+
 func (s *platformInterfaceStub) ClearDNSCache() {
 }
 
@@ -137,7 +140,6 @@ func FormatConfig(configContent string) (string, error) {
 		return "", err
 	}
 	var buffer bytes.Buffer
-	json.NewEncoder(&buffer)
 	encoder := json.NewEncoder(&buffer)
 	encoder.SetIndent("", "  ")
 	err = encoder.Encode(options)

experimental/libbox/platform.go

@@ -19,6 +19,7 @@ type PlatformInterface interface {
 	UsePlatformInterfaceGetter() bool
 	GetInterfaces() (NetworkInterfaceIterator, error)
 	UnderNetworkExtension() bool
+	IncludeAllNetworks() bool
 	ReadWIFIState() *WIFIState
 	ClearDNSCache()
 }

experimental/libbox/platform/interface.go

@@ -2,7 +2,6 @@ package platform
 
 import (
 	"context"
-	"net/netip"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/process"
@@ -20,16 +19,10 @@ type Interface interface {
 	UsePlatformDefaultInterfaceMonitor() bool
 	CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor
 	UsePlatformInterfaceGetter() bool
-	Interfaces() ([]NetworkInterface, error)
+	Interfaces() ([]control.Interface, error)
 	UnderNetworkExtension() bool
+	IncludeAllNetworks() bool
 	ClearDNSCache()
 	ReadWIFIState() adapter.WIFIState
 	process.Searcher
 }
-
-type NetworkInterface struct {
-	Index     int
-	MTU       int
-	Name      string
-	Addresses []netip.Prefix
-}

experimental/libbox/service.go

@@ -81,7 +81,7 @@ func (s *BoxService) Close() error {
 		select {
 		case <-done:
 			return
-		case <-time.After(C.DefaultStopFatalTimeout):
+		case <-time.After(C.FatalStopTimeout):
 			os.Exit(1)
 		}
 	}()
@@ -192,14 +192,14 @@ func (w *platformInterfaceWrapper) UsePlatformInterfaceGetter() bool {
 	return w.iif.UsePlatformInterfaceGetter()
 }
 
-func (w *platformInterfaceWrapper) Interfaces() ([]platform.NetworkInterface, error) {
+func (w *platformInterfaceWrapper) Interfaces() ([]control.Interface, error) {
 	interfaceIterator, err := w.iif.GetInterfaces()
 	if err != nil {
 		return nil, err
 	}
-	var interfaces []platform.NetworkInterface
+	var interfaces []control.Interface
 	for _, netInterface := range iteratorToArray[*NetworkInterface](interfaceIterator) {
-		interfaces = append(interfaces, platform.NetworkInterface{
+		interfaces = append(interfaces, control.Interface{
 			Index:     int(netInterface.Index),
 			MTU:       int(netInterface.MTU),
 			Name:      netInterface.Name,
@@ -213,6 +213,10 @@ func (w *platformInterfaceWrapper) UnderNetworkExtension() bool {
 	return w.iif.UnderNetworkExtension()
 }
 
+func (w *platformInterfaceWrapper) IncludeAllNetworks() bool {
+	return w.iif.IncludeAllNetworks()
+}
+
 func (w *platformInterfaceWrapper) ClearDNSCache() {
 	w.iif.ClearDNSCache()
 }

go.mod

@@ -11,29 +11,29 @@ require (
 	github.com/go-chi/chi/v5 v5.0.12
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
-	github.com/gofrs/uuid/v5 v5.0.0
+	github.com/gofrs/uuid/v5 v5.2.0
 	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
 	github.com/libdns/alidns v1.0.3
-	github.com/libdns/cloudflare v0.1.0
+	github.com/libdns/cloudflare v0.1.1
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/mholt/acmez v1.2.0
-	github.com/miekg/dns v1.1.58
+	github.com/miekg/dns v1.1.59
 	github.com/ooni/go-libtor v1.1.8
 	github.com/oschwald/maxminddb-golang v1.12.0
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1
 	github.com/sagernet/gomobile v0.1.3
-	github.com/sagernet/gvisor v0.0.0-20240315080113-799fb6b6d311
-	github.com/sagernet/quic-go v0.42.0-beta.2
+	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f
+	github.com/sagernet/quic-go v0.43.1-beta.1
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.4.0-beta.3
-	github.com/sagernet/sing-dns v0.2.0-beta.16
+	github.com/sagernet/sing v0.4.0-beta.18
+	github.com/sagernet/sing-dns v0.2.0-beta.18
 	github.com/sagernet/sing-mux v0.2.0
-	github.com/sagernet/sing-quic v0.1.9-beta.3
+	github.com/sagernet/sing-quic v0.2.0-beta.4
 	github.com/sagernet/sing-shadowsocks v0.2.6
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/sing-tun v0.2.6-beta.1
+	github.com/sagernet/sing-tun v0.3.0-beta.2
 	github.com/sagernet/sing-vmess v0.1.8
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
 	github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6
@@ -44,11 +44,11 @@ require (
 	github.com/stretchr/testify v1.9.0
 	go.uber.org/zap v1.27.0
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.21.0
-	golang.org/x/net v0.22.0
-	golang.org/x/sys v0.18.0
+	golang.org/x/crypto v0.23.0
+	golang.org/x/net v0.25.0
+	golang.org/x/sys v0.20.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
-	google.golang.org/grpc v1.62.1
+	google.golang.org/grpc v1.63.2
 	google.golang.org/protobuf v1.33.0
 	howett.net/plist v1.0.1
 )
@@ -64,7 +64,6 @@ require (
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
@@ -72,7 +71,7 @@ require (
 	github.com/josharian/native v1.1.0 // indirect
 	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
-	github.com/libdns/libdns v0.2.1 // indirect
+	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/onsi/ginkgo/v2 v2.9.7 // indirect
 	github.com/pierrec/lz4/v4 v4.1.14 // indirect
@@ -85,12 +84,13 @@ require (
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 // indirect
-	golang.org/x/mod v0.16.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.19.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect
+	golang.org/x/tools v0.21.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.2.1 // indirect

go.sum

@@ -34,14 +34,11 @@ github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/gofrs/uuid/v5 v5.0.0 h1:p544++a97kEL+svbcFbCQVM9KFu0Yo25UoISXGNNH9M=
-github.com/gofrs/uuid/v5 v5.0.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/gofrs/uuid/v5 v5.2.0 h1:qw1GMx6/y8vhVsx626ImfKMuS5CvJmhIKKtuyvfajMM=
+github.com/gofrs/uuid/v5 v5.2.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a h1:fEBsGL/sjAuJrgah5XqmmYsTLzJp/TO9Lhy39gkverk=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
@@ -65,17 +62,17 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/libdns/alidns v1.0.3 h1:LFHuGnbseq5+HCeGa1aW8awyX/4M2psB9962fdD2+yQ=
 github.com/libdns/alidns v1.0.3/go.mod h1:e18uAG6GanfRhcJj6/tps2rCMzQJaYVcGKT+ELjdjGE=
-github.com/libdns/cloudflare v0.1.0 h1:93WkJaGaiXCe353LHEP36kAWCUw0YjFqwhkBkU2/iic=
-github.com/libdns/cloudflare v0.1.0/go.mod h1:a44IP6J1YH6nvcNl1PverfJviADgXUnsozR3a7vBKN8=
+github.com/libdns/cloudflare v0.1.1 h1:FVPfWwP8zZCqj268LZjmkDleXlHPlFU9KC4OJ3yn054=
+github.com/libdns/cloudflare v0.1.1/go.mod h1:9VK91idpOjg6v7/WbjkEW49bSCxj00ALesIFDhJ8PBU=
 github.com/libdns/libdns v0.2.0/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
-github.com/libdns/libdns v0.2.1 h1:Wu59T7wSHRgtA0cfxC+n1c/e+O3upJGWytknkmFEDis=
-github.com/libdns/libdns v0.2.1/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
+github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
+github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
 github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
-github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
-github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
+github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
+github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/onsi/ginkgo/v2 v2.9.7 h1:06xGQy5www2oN160RtEZoTvnP2sPhEfePYmCDc2szss=
@@ -100,31 +97,31 @@ github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1 h1:YbmpqPQ
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1/go.mod h1:J2yAxTFPDjrDPhuAi9aWFz2L3ox9it4qAluBBbN0H5k=
 github.com/sagernet/gomobile v0.1.3 h1:ohjIb1Ou2+1558PnZour3od69suSuvkdSVOlO1tC4B8=
 github.com/sagernet/gomobile v0.1.3/go.mod h1:Pqq2+ZVvs10U7xK+UwJgwYWUykewi8H6vlslAO73n9E=
-github.com/sagernet/gvisor v0.0.0-20240315080113-799fb6b6d311 h1:eUQ6kJZXK77xYZeeNrBb/7JMv0S0Wkk7EpmKUb3fsfc=
-github.com/sagernet/gvisor v0.0.0-20240315080113-799fb6b6d311/go.mod h1:mDrXZSv401qiaFiiIUC59Zp4VG5f4nqXFqDmp5o3hYI=
+github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y/6ZHJWrnNLoiNnSJaow6DPb8VW2I=
+github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.42.0-beta.2 h1:E6vTGhveFE9Tnhu5rrt3M5fnENuqBJOv8gPcFPz0cSM=
-github.com/sagernet/quic-go v0.42.0-beta.2/go.mod h1:lf8OYop+fMxIlrfM/ZHpENt/7ZD4JaVNqMhOlq2QMwg=
+github.com/sagernet/quic-go v0.43.1-beta.1 h1:alizUjpvWYcz08dBCQsULOd+1xu0o7UtlyYf6SLbRNg=
+github.com/sagernet/quic-go v0.43.1-beta.1/go.mod h1:BkrQYeop7Jx3hN3TW8/76CXcdhYiNPyYEBL/BVJ1ifc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.4.0-beta.3 h1:TYA4DJtxs0dWDG6ahjU/Fh+eg6vintiqGjXN4h9BbiA=
-github.com/sagernet/sing v0.4.0-beta.3/go.mod h1:+60H3Cm91RnL9dpVGWDPHt0zTQImO9Vfqt9a4rSambI=
-github.com/sagernet/sing-dns v0.2.0-beta.16 h1:bzd4B8eHD7/WO3HrYknvgE8A56/R3n5oXBjNF97iPzQ=
-github.com/sagernet/sing-dns v0.2.0-beta.16/go.mod h1:XU6Vqr6aHcMz/34Fcv8jmXpRCEuShzW+B7Qg1Xe1nxY=
+github.com/sagernet/sing v0.4.0-beta.18 h1:oK+pvyXnFwxwvQkeUqgxIeATiMHcrH5doLKKDGNmQkU=
+github.com/sagernet/sing v0.4.0-beta.18/go.mod h1:PFQKbElc2Pke7faBLv8oEba5ehtKO21Ho+TkYemTI3Y=
+github.com/sagernet/sing-dns v0.2.0-beta.18 h1:6vzXZThRdA7YUzBOpSbUT48XRumtl/KIpIHFSOP0za8=
+github.com/sagernet/sing-dns v0.2.0-beta.18/go.mod h1:k/dmFcQpg6+m08gC1yQBy+13+QkuLqpKr4bIreq4U24=
 github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
 github.com/sagernet/sing-mux v0.2.0/go.mod h1:khzr9AOPocLa+g53dBplwNDz4gdsyx/YM3swtAhlkHQ=
-github.com/sagernet/sing-quic v0.1.9-beta.3 h1:turuRtN6xfAxWMseZEzwNOA6EO2ZAW82BrfPJUrtN3Q=
-github.com/sagernet/sing-quic v0.1.9-beta.3/go.mod h1:oXe0g8T7edh2Xxl0QcpTO4Tret8M478LpMcr3CPuqWE=
+github.com/sagernet/sing-quic v0.2.0-beta.4 h1:d3wwt73CywsjQc40buw0pMoLxQwBlJM+U1WQ9GJOjuI=
+github.com/sagernet/sing-quic v0.2.0-beta.4/go.mod h1:/mqrmlTsoHPiXLuTeH4+uGOwLXxgYrJQqywXdU8SB/U=
 github.com/sagernet/sing-shadowsocks v0.2.6 h1:xr7ylAS/q1cQYS8oxKKajhuQcchd5VJJ4K4UZrrpp0s=
 github.com/sagernet/sing-shadowsocks v0.2.6/go.mod h1:j2YZBIpWIuElPFL/5sJAj470bcn/3QQ5lxZUNKLDNAM=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
-github.com/sagernet/sing-tun v0.2.6-beta.1 h1:6yfOJQaa706/VAKb7SVa8ziXppTxVOg/p9p63qk2N/o=
-github.com/sagernet/sing-tun v0.2.6-beta.1/go.mod h1:E+KwQKzYkdGEhfIxjmoaB1ZkADaxeXUNzx6GRDRKOfE=
+github.com/sagernet/sing-tun v0.3.0-beta.2 h1:sfeHWnBTKGpFUjXpT+O/JEwFP8oVAo3M0Xx94ghesjU=
+github.com/sagernet/sing-tun v0.3.0-beta.2/go.mod h1:xPaOkQhngPMILx+/9DMLCFl4vSxUU2tMnCPSlf05HLo=
 github.com/sagernet/sing-vmess v0.1.8 h1:XVWad1RpTy9b5tPxdm5MCU8cGfrTGdR8qCq6HV2aCNc=
 github.com/sagernet/sing-vmess v0.1.8/go.mod h1:vhx32UNzTDUkNwOyIjcZQohre1CaytquC5mPplId8uA=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
@@ -166,17 +163,18 @@ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBs
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 h1:6R2FC06FonbXQ8pK11/PDFY6N6LWlf9KlzibaCapmqc=
-golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81/go.mod h1:CQ1k9gNrJ50XIzaKCRR2hssIjF07kZFEiieALBM/ARQ=
-golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic=
-golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
-golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -186,28 +184,25 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw=
-golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
+golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 h1:AjyfHzEPEFp/NpvfN5g+KDla3EMojjhRVZc1i7cj+oM=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s=
-google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk=
-google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:H4O17MA/PE9BsGx3w+a+W2VOLLD1Qf7oJneAoU6WktY=
+google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
+google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

inbound/default_tcp.go

@@ -5,7 +5,9 @@ import (
 	"net"
 
 	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -16,6 +18,9 @@ func (a *myInboundAdapter) ListenTCP() (net.Listener, error) {
 	bindAddr := M.SocksaddrFrom(a.listenOptions.Listen.Build(), a.listenOptions.ListenPort)
 	var tcpListener net.Listener
 	var listenConfig net.ListenConfig
+	// TODO: Add an option to customize the keep alive period
+	listenConfig.KeepAlive = C.TCPKeepAliveInitial
+	listenConfig.Control = control.Append(listenConfig.Control, control.SetKeepAlivePeriod(C.TCPKeepAliveInitial, C.TCPKeepAliveInterval))
 	if a.listenOptions.TCPMultiPath {
 		if !go121Available {
 			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")

inbound/tun.go

@@ -153,7 +153,7 @@ func (t *Tun) Start() error {
 		tunInterface tun.Tun
 		err          error
 	)
-	monitor := taskmonitor.New(t.logger, C.DefaultStartTimeout)
+	monitor := taskmonitor.New(t.logger, C.StartTimeout)
 	monitor.Start("open tun interface")
 	if t.platformInterface != nil {
 		tunInterface, err = t.platformInterface.OpenTun(&t.tunOptions, t.platformOptions)
@@ -166,6 +166,14 @@ func (t *Tun) Start() error {
 	}
 	t.logger.Trace("creating stack")
 	t.tunIf = tunInterface
+	var (
+		forwarderBindInterface bool
+		includeAllNetworks     bool
+	)
+	if t.platformInterface != nil {
+		forwarderBindInterface = true
+		includeAllNetworks = t.platformInterface.IncludeAllNetworks()
+	}
 	t.tunStack, err = tun.NewStack(t.stack, tun.StackOptions{
 		Context:                t.ctx,
 		Tun:                    tunInterface,
@@ -174,8 +182,9 @@ func (t *Tun) Start() error {
 		UDPTimeout:             t.udpTimeout,
 		Handler:                t,
 		Logger:                 t.logger,
-		ForwarderBindInterface: t.platformInterface != nil,
+		ForwarderBindInterface: forwarderBindInterface,
 		InterfaceFinder:        t.router.InterfaceFinder(),
+		IncludeAllNetworks:     includeAllNetworks,
 	})
 	if err != nil {
 		return err

log/observable.go

@@ -53,7 +53,9 @@ func NewDefaultFactory(
 	if platformWriter != nil {
 		factory.platformFormatter.DisableColors = platformWriter.DisableColors()
 	}
-	factory.observer = observable.NewObserver[Entry](factory.subscriber, 64)
+	if needObservable {
+		factory.observer = observable.NewObserver[Entry](factory.subscriber, 64)
+	}
 	return factory
 }
 
@@ -72,7 +74,7 @@ func (f *defaultFactory) Start() error {
 func (f *defaultFactory) Close() error {
 	return common.Close(
 		common.PtrOrNil(f.file),
-		f.observer,
+		f.subscriber,
 	)
 }
 

mkdocs.yml

@@ -66,8 +66,9 @@ nav:
       - Proxy Protocol:
           - Shadowsocks: manual/proxy-protocol/shadowsocks.md
           - Trojan: manual/proxy-protocol/trojan.md
-          - TUIC: manual/proxy-protocol/tuic.md
           - Hysteria 2: manual/proxy-protocol/hysteria2.md
+      - Misc:
+          - TunnelVision: manual/misc/tunnelvision.md
   - Configuration:
       - configuration/index.md
       - Log:

ntp/service.go

@@ -1,112 +0,0 @@
-package ntp
-
-import (
-	"context"
-	"os"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer"
-	"github.com/sagernet/sing-box/common/settings"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/ntp"
-)
-
-var _ ntp.TimeService = (*Service)(nil)
-
-type Service struct {
-	ctx           context.Context
-	cancel        common.ContextCancelCauseFunc
-	server        M.Socksaddr
-	writeToSystem bool
-	dialer        N.Dialer
-	logger        logger.Logger
-	ticker        *time.Ticker
-	clockOffset   time.Duration
-}
-
-func NewService(ctx context.Context, router adapter.Router, logger logger.Logger, options option.NTPOptions) (*Service, error) {
-	ctx, cancel := common.ContextWithCancelCause(ctx)
-	server := M.ParseSocksaddrHostPort(options.Server, options.ServerPort)
-	if server.Port == 0 {
-		server.Port = 123
-	}
-	var interval time.Duration
-	if options.Interval > 0 {
-		interval = time.Duration(options.Interval)
-	} else {
-		interval = 30 * time.Minute
-	}
-	outboundDialer, err := dialer.New(router, options.DialerOptions)
-	if err != nil {
-		return nil, err
-	}
-	return &Service{
-		ctx:           ctx,
-		cancel:        cancel,
-		server:        server,
-		writeToSystem: options.WriteToSystem,
-		dialer:        outboundDialer,
-		logger:        logger,
-		ticker:        time.NewTicker(interval),
-	}, nil
-}
-
-func (s *Service) Start() error {
-	err := s.update()
-	if err != nil {
-		return E.Cause(err, "initialize time")
-	}
-	s.logger.Info("updated time: ", s.TimeFunc()().Local().Format(C.TimeLayout))
-	go s.loopUpdate()
-	return nil
-}
-
-func (s *Service) Close() error {
-	s.ticker.Stop()
-	s.cancel(os.ErrClosed)
-	return nil
-}
-
-func (s *Service) TimeFunc() func() time.Time {
-	return func() time.Time {
-		return time.Now().Add(s.clockOffset)
-	}
-}
-
-func (s *Service) loopUpdate() {
-	for {
-		select {
-		case <-s.ctx.Done():
-			return
-		case <-s.ticker.C:
-		}
-		err := s.update()
-		if err == nil {
-			s.logger.Debug("updated time: ", s.TimeFunc()().Local().Format(C.TimeLayout))
-		} else {
-			s.logger.Warn("update time: ", err)
-		}
-	}
-}
-
-func (s *Service) update() error {
-	response, err := ntp.Exchange(s.ctx, s.dialer, s.server)
-	if err != nil {
-		return err
-	}
-	s.clockOffset = response.ClockOffset
-	if s.writeToSystem {
-		writeErr := settings.SetSystemTime(s.TimeFunc()())
-		if writeErr != nil {
-			s.logger.Warn("write time to system: ", writeErr)
-		}
-	}
-	return nil
-}

option/dns.go

@@ -19,7 +19,7 @@ type DNSServerOptions struct {
 	AddressFallbackDelay Duration       `json:"address_fallback_delay,omitempty"`
 	Strategy             DomainStrategy `json:"strategy,omitempty"`
 	Detour               string         `json:"detour,omitempty"`
-	ClientSubnet         *ListenAddress `json:"client_subnet,omitempty"`
+	ClientSubnet         *AddrPrefix    `json:"client_subnet,omitempty"`
 }
 
 type DNSClientOptions struct {
@@ -27,7 +27,7 @@ type DNSClientOptions struct {
 	DisableCache     bool           `json:"disable_cache,omitempty"`
 	DisableExpire    bool           `json:"disable_expire,omitempty"`
 	IndependentCache bool           `json:"independent_cache,omitempty"`
-	ClientSubnet     *ListenAddress `json:"client_subnet,omitempty"`
+	ClientSubnet     *AddrPrefix    `json:"client_subnet,omitempty"`
 }
 
 type DNSFakeIPOptions struct {

option/ntp.go

@@ -2,9 +2,8 @@ package option
 
 type NTPOptions struct {
 	Enabled       bool     `json:"enabled,omitempty"`
-	Server        string   `json:"server,omitempty"`
-	ServerPort    uint16   `json:"server_port,omitempty"`
 	Interval      Duration `json:"interval,omitempty"`
 	WriteToSystem bool     `json:"write_to_system,omitempty"`
+	ServerOptions
 	DialerOptions
 }

option/rule_dns.go

@@ -101,7 +101,7 @@ type DefaultDNSRule struct {
 	Server                   string                 `json:"server,omitempty"`
 	DisableCache             bool                   `json:"disable_cache,omitempty"`
 	RewriteTTL               *uint32                `json:"rewrite_ttl,omitempty"`
-	ClientSubnet             *ListenAddress         `json:"client_subnet,omitempty"`
+	ClientSubnet             *AddrPrefix            `json:"client_subnet,omitempty"`
 }
 
 func (r DefaultDNSRule) IsValid() bool {
@@ -115,13 +115,13 @@ func (r DefaultDNSRule) IsValid() bool {
 }
 
 type LogicalDNSRule struct {
-	Mode         string         `json:"mode"`
-	Rules        []DNSRule      `json:"rules,omitempty"`
-	Invert       bool           `json:"invert,omitempty"`
-	Server       string         `json:"server,omitempty"`
-	DisableCache bool           `json:"disable_cache,omitempty"`
-	RewriteTTL   *uint32        `json:"rewrite_ttl,omitempty"`
-	ClientSubnet *ListenAddress `json:"client_subnet,omitempty"`
+	Mode         string      `json:"mode"`
+	Rules        []DNSRule   `json:"rules,omitempty"`
+	Invert       bool        `json:"invert,omitempty"`
+	Server       string      `json:"server,omitempty"`
+	DisableCache bool        `json:"disable_cache,omitempty"`
+	RewriteTTL   *uint32     `json:"rewrite_ttl,omitempty"`
+	ClientSubnet *AddrPrefix `json:"client_subnet,omitempty"`
 }
 
 func (r LogicalDNSRule) IsValid() bool {

option/types.go

@@ -51,6 +51,40 @@ func (a *ListenAddress) Build() netip.Addr {
 	return (netip.Addr)(*a)
 }
 
+type AddrPrefix netip.Prefix
+
+func (a AddrPrefix) MarshalJSON() ([]byte, error) {
+	prefix := netip.Prefix(a)
+	if prefix.Bits() == prefix.Addr().BitLen() {
+		return json.Marshal(prefix.Addr().String())
+	} else {
+		return json.Marshal(prefix.String())
+	}
+}
+
+func (a *AddrPrefix) UnmarshalJSON(content []byte) error {
+	var value string
+	err := json.Unmarshal(content, &value)
+	if err != nil {
+		return err
+	}
+	prefix, prefixErr := netip.ParsePrefix(value)
+	if prefixErr == nil {
+		*a = AddrPrefix(prefix)
+		return nil
+	}
+	addr, addrErr := netip.ParseAddr(value)
+	if addrErr == nil {
+		*a = AddrPrefix(netip.PrefixFrom(addr, addr.BitLen()))
+		return nil
+	}
+	return prefixErr
+}
+
+func (a AddrPrefix) Build() netip.Prefix {
+	return netip.Prefix(a)
+}
+
 type NetworkList string
 
 func (v *NetworkList) UnmarshalJSON(content []byte) error {

outbound/direct.go

@@ -51,7 +51,7 @@ func NewDirect(router adapter.Router, logger log.ContextLogger, tag string, opti
 		domainStrategy: dns.DomainStrategy(options.DomainStrategy),
 		fallbackDelay:  time.Duration(options.FallbackDelay),
 		dialer:         outboundDialer,
-		loopBack:       newLoopBackDetector(),
+		loopBack:       newLoopBackDetector(router),
 	}
 	if options.ProxyProtocol != 0 {
 		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")
@@ -148,7 +148,7 @@ func (h *Direct) ListenPacket(ctx context.Context, destination M.Socksaddr) (net
 	if err != nil {
 		return nil, err
 	}
-	conn = h.loopBack.NewPacketConn(bufio.NewPacketConn(conn))
+	conn = h.loopBack.NewPacketConn(bufio.NewPacketConn(conn), destination)
 	if originDestination != destination {
 		conn = bufio.NewNATPacketConn(bufio.NewPacketConn(conn), destination, originDestination)
 	}
@@ -156,14 +156,14 @@ func (h *Direct) ListenPacket(ctx context.Context, destination M.Socksaddr) (net
 }
 
 func (h *Direct) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	if h.loopBack.CheckConn(metadata.Source.AddrPort()) {
+	if h.loopBack.CheckConn(metadata.Source.AddrPort(), M.AddrPortFromNet(conn.LocalAddr())) {
 		return E.New("reject loopback connection to ", metadata.Destination)
 	}
 	return NewConnection(ctx, h, conn, metadata)
 }
 
 func (h *Direct) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	if h.loopBack.CheckPacketConn(metadata.Source.AddrPort()) {
+	if h.loopBack.CheckPacketConn(metadata.Source.AddrPort(), M.AddrPortFromNet(conn.LocalAddr())) {
 		return E.New("reject loopback packet connection to ", metadata.Destination)
 	}
 	return NewPacketConnection(ctx, h, conn, metadata)

outbound/direct_loopback_detect.go

@@ -5,63 +5,95 @@ import (
 	"net/netip"
 	"sync"
 
+	"github.com/sagernet/sing-box/adapter"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
 type loopBackDetector struct {
+	router           adapter.Router
 	connAccess       sync.RWMutex
 	packetConnAccess sync.RWMutex
-	connMap          map[netip.AddrPort]bool
-	packetConnMap    map[netip.AddrPort]bool
+	connMap          map[netip.AddrPort]netip.AddrPort
+	packetConnMap    map[uint16]uint16
 }
 
-func newLoopBackDetector() *loopBackDetector {
+func newLoopBackDetector(router adapter.Router) *loopBackDetector {
 	return &loopBackDetector{
-		connMap:       make(map[netip.AddrPort]bool),
-		packetConnMap: make(map[netip.AddrPort]bool),
+		router:        router,
+		connMap:       make(map[netip.AddrPort]netip.AddrPort),
+		packetConnMap: make(map[uint16]uint16),
 	}
 }
 
 func (l *loopBackDetector) NewConn(conn net.Conn) net.Conn {
-	connAddr := M.AddrPortFromNet(conn.LocalAddr())
-	if !connAddr.IsValid() {
+	source := M.AddrPortFromNet(conn.LocalAddr())
+	if !source.IsValid() {
 		return conn
 	}
 	if udpConn, isUDPConn := conn.(abstractUDPConn); isUDPConn {
+		if !source.Addr().IsLoopback() {
+			_, err := l.router.InterfaceFinder().InterfaceByAddr(source.Addr())
+			if err != nil {
+				return conn
+			}
+		}
+		if !N.IsPublicAddr(source.Addr()) {
+			return conn
+		}
 		l.packetConnAccess.Lock()
-		l.packetConnMap[connAddr] = true
+		l.packetConnMap[source.Port()] = M.AddrPortFromNet(conn.RemoteAddr()).Port()
 		l.packetConnAccess.Unlock()
-		return &loopBackDetectUDPWrapper{abstractUDPConn: udpConn, detector: l, connAddr: connAddr}
+		return &loopBackDetectUDPWrapper{abstractUDPConn: udpConn, detector: l, connPort: source.Port()}
 	} else {
 		l.connAccess.Lock()
-		l.connMap[connAddr] = true
+		l.connMap[source] = M.AddrPortFromNet(conn.RemoteAddr())
 		l.connAccess.Unlock()
-		return &loopBackDetectWrapper{Conn: conn, detector: l, connAddr: connAddr}
+		return &loopBackDetectWrapper{Conn: conn, detector: l, connAddr: source}
 	}
 }
 
-func (l *loopBackDetector) NewPacketConn(conn N.NetPacketConn) N.NetPacketConn {
-	connAddr := M.AddrPortFromNet(conn.LocalAddr())
-	if !connAddr.IsValid() {
+func (l *loopBackDetector) NewPacketConn(conn N.NetPacketConn, destination M.Socksaddr) N.NetPacketConn {
+	source := M.AddrPortFromNet(conn.LocalAddr())
+	if !source.IsValid() {
 		return conn
 	}
+	if !source.Addr().IsLoopback() {
+		_, err := l.router.InterfaceFinder().InterfaceByAddr(source.Addr())
+		if err != nil {
+			return conn
+		}
+	}
 	l.packetConnAccess.Lock()
-	l.packetConnMap[connAddr] = true
+	l.packetConnMap[source.Port()] = destination.AddrPort().Port()
 	l.packetConnAccess.Unlock()
-	return &loopBackDetectPacketWrapper{NetPacketConn: conn, detector: l, connAddr: connAddr}
+	return &loopBackDetectPacketWrapper{NetPacketConn: conn, detector: l, connPort: source.Port()}
 }
 
-func (l *loopBackDetector) CheckConn(connAddr netip.AddrPort) bool {
+func (l *loopBackDetector) CheckConn(source netip.AddrPort, local netip.AddrPort) bool {
 	l.connAccess.RLock()
 	defer l.connAccess.RUnlock()
-	return l.connMap[connAddr]
+	destination, loaded := l.connMap[source]
+	return loaded && destination != local
 }
 
-func (l *loopBackDetector) CheckPacketConn(connAddr netip.AddrPort) bool {
+func (l *loopBackDetector) CheckPacketConn(source netip.AddrPort, local netip.AddrPort) bool {
+	if !source.IsValid() {
+		return false
+	}
+	if !source.Addr().IsLoopback() {
+		_, err := l.router.InterfaceFinder().InterfaceByAddr(source.Addr())
+		if err != nil {
+			return false
+		}
+	}
+	if N.IsPublicAddr(source.Addr()) {
+		return false
+	}
 	l.packetConnAccess.RLock()
 	defer l.packetConnAccess.RUnlock()
-	return l.packetConnMap[connAddr]
+	destinationPort, loaded := l.packetConnMap[source.Port()]
+	return loaded && destinationPort != local.Port()
 }
 
 type loopBackDetectWrapper struct {
@@ -95,14 +127,14 @@ func (w *loopBackDetectWrapper) Upstream() any {
 type loopBackDetectPacketWrapper struct {
 	N.NetPacketConn
 	detector  *loopBackDetector
-	connAddr  netip.AddrPort
+	connPort  uint16
 	closeOnce sync.Once
 }
 
 func (w *loopBackDetectPacketWrapper) Close() error {
 	w.closeOnce.Do(func() {
 		w.detector.packetConnAccess.Lock()
-		delete(w.detector.packetConnMap, w.connAddr)
+		delete(w.detector.packetConnMap, w.connPort)
 		w.detector.packetConnAccess.Unlock()
 	})
 	return w.NetPacketConn.Close()
@@ -128,14 +160,14 @@ type abstractUDPConn interface {
 type loopBackDetectUDPWrapper struct {
 	abstractUDPConn
 	detector  *loopBackDetector
-	connAddr  netip.AddrPort
+	connPort  uint16
 	closeOnce sync.Once
 }
 
 func (w *loopBackDetectUDPWrapper) Close() error {
 	w.closeOnce.Do(func() {
 		w.detector.packetConnAccess.Lock()
-		delete(w.detector.packetConnMap, w.connAddr)
+		delete(w.detector.packetConnMap, w.connPort)
 		w.detector.packetConnAccess.Unlock()
 	})
 	return w.abstractUDPConn.Close()

outbound/urltest.go

@@ -287,8 +287,23 @@ func (g *URLTestGroup) Close() error {
 
 func (g *URLTestGroup) Select(network string) (adapter.Outbound, bool) {
 	var minDelay uint16
-	var minTime time.Time
 	var minOutbound adapter.Outbound
+	switch network {
+	case N.NetworkTCP:
+		if g.selectedOutboundTCP != nil {
+			if history := g.history.LoadURLTestHistory(RealTag(g.selectedOutboundTCP)); history != nil {
+				minOutbound = g.selectedOutboundTCP
+				minDelay = history.Delay
+			}
+		}
+	case N.NetworkUDP:
+		if g.selectedOutboundUDP != nil {
+			if history := g.history.LoadURLTestHistory(RealTag(g.selectedOutboundUDP)); history != nil {
+				minOutbound = g.selectedOutboundUDP
+				minDelay = history.Delay
+			}
+		}
+	}
 	for _, detour := range g.outbounds {
 		if !common.Contains(detour.Network(), network) {
 			continue
@@ -297,9 +312,8 @@ func (g *URLTestGroup) Select(network string) (adapter.Outbound, bool) {
 		if history == nil {
 			continue
 		}
-		if minDelay == 0 || minDelay > history.Delay+g.tolerance || minDelay > history.Delay-g.tolerance && minTime.Before(history.Time) {
+		if minDelay == 0 || minDelay > history.Delay+g.tolerance {
 			minDelay = history.Delay
-			minTime = history.Time
 			minOutbound = detour
 		}
 	}

route/interface_finder.go

@@ -1,54 +0,0 @@
-package route
-
-import (
-	"net"
-
-	"github.com/sagernet/sing/common/control"
-)
-
-var _ control.InterfaceFinder = (*myInterfaceFinder)(nil)
-
-type myInterfaceFinder struct {
-	interfaces []net.Interface
-}
-
-func (f *myInterfaceFinder) update() error {
-	ifs, err := net.Interfaces()
-	if err != nil {
-		return err
-	}
-	f.interfaces = ifs
-	return nil
-}
-
-func (f *myInterfaceFinder) updateInterfaces(interfaces []net.Interface) {
-	f.interfaces = interfaces
-}
-
-func (f *myInterfaceFinder) InterfaceIndexByName(name string) (interfaceIndex int, err error) {
-	for _, netInterface := range f.interfaces {
-		if netInterface.Name == name {
-			return netInterface.Index, nil
-		}
-	}
-	netInterface, err := net.InterfaceByName(name)
-	if err != nil {
-		return
-	}
-	f.update()
-	return netInterface.Index, nil
-}
-
-func (f *myInterfaceFinder) InterfaceNameByIndex(index int) (interfaceName string, err error) {
-	for _, netInterface := range f.interfaces {
-		if netInterface.Index == index {
-			return netInterface.Name, nil
-		}
-	}
-	netInterface, err := net.InterfaceByIndex(index)
-	if err != nil {
-		return
-	}
-	f.update()
-	return netInterface.Name, nil
-}

route/router.go

@@ -23,12 +23,11 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/ntp"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/outbound"
 	"github.com/sagernet/sing-box/transport/fakeip"
 	"github.com/sagernet/sing-dns"
-	mux "github.com/sagernet/sing-mux"
+	"github.com/sagernet/sing-mux"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing/common"
@@ -40,7 +39,7 @@ import (
 	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	serviceNTP "github.com/sagernet/sing/common/ntp"
+	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/common/uot"
 	"github.com/sagernet/sing/common/winpowrprof"
@@ -70,7 +69,6 @@ type Router struct {
 	geositeCache                       map[string]adapter.Rule
 	needFindProcess                    bool
 	dnsClient                          *dns.Client
-	dnsIndependentCache                bool
 	defaultDomainStrategy              dns.DomainStrategy
 	dnsRules                           []adapter.DNSRule
 	ruleSets                           []adapter.RuleSet
@@ -81,7 +79,7 @@ type Router struct {
 	transportDomainStrategy            map[dns.Transport]dns.DomainStrategy
 	dnsReverseMapping                  *DNSReverseMapping
 	fakeIPStore                        adapter.FakeIPStore
-	interfaceFinder                    myInterfaceFinder
+	interfaceFinder                    *control.DefaultInterfaceFinder
 	autoDetectInterface                bool
 	defaultInterface                   string
 	defaultMark                        int
@@ -124,9 +122,9 @@ func NewRouter(
 		geositeOptions:        common.PtrValueOrDefault(options.Geosite),
 		geositeCache:          make(map[string]adapter.Rule),
 		needFindProcess:       hasRule(options.Rules, isProcessRule) || hasDNSRule(dnsOptions.Rules, isProcessDNSRule) || options.FindProcess,
-		dnsIndependentCache:   dnsOptions.IndependentCache,
 		defaultDetour:         options.Final,
 		defaultDomainStrategy: dns.DomainStrategy(dnsOptions.Strategy),
+		interfaceFinder:       control.NewDefaultInterfaceFinder(),
 		autoDetectInterface:   options.AutoDetectInterface,
 		defaultInterface:      options.DefaultInterface,
 		defaultMark:           options.DefaultMark,
@@ -237,7 +235,7 @@ func NewRouter(
 					return nil, E.New("parse dns server[", tag, "]: missing address_resolver")
 				}
 			}
-			var clientSubnet netip.Addr
+			var clientSubnet netip.Prefix
 			if server.ClientSubnet != nil {
 				clientSubnet = server.ClientSubnet.Build()
 			} else if dnsOptions.ClientSubnet != nil {
@@ -336,7 +334,7 @@ func NewRouter(
 			}
 			router.networkMonitor = networkMonitor
 			networkMonitor.RegisterCallback(func() {
-				_ = router.interfaceFinder.update()
+				_ = router.interfaceFinder.Update()
 			})
 			interfaceMonitor, err := tun.NewDefaultInterfaceMonitor(router.networkMonitor, router.logger, tun.DefaultInterfaceMonitorOptions{
 				OverrideAndroidVPN:    options.OverrideAndroidVPN,
@@ -363,11 +361,19 @@ func NewRouter(
 	}
 
 	if ntpOptions.Enabled {
-		timeService, err := ntp.NewService(ctx, router, logFactory.NewLogger("ntp"), ntpOptions)
+		ntpDialer, err := dialer.New(router, ntpOptions.DialerOptions)
 		if err != nil {
-			return nil, err
+			return nil, E.Cause(err, "create NTP service")
 		}
-		service.ContextWith[serviceNTP.TimeService](ctx, timeService)
+		timeService := ntp.NewService(ntp.Options{
+			Context:       ctx,
+			Dialer:        ntpDialer,
+			Logger:        logFactory.NewLogger("ntp"),
+			Server:        ntpOptions.ServerOptions.Build(),
+			Interval:      time.Duration(ntpOptions.Interval),
+			WriteToSystem: ntpOptions.WriteToSystem,
+		})
+		service.MustRegister[ntp.TimeService](ctx, timeService)
 		router.timeService = timeService
 	}
 	return router, nil
@@ -463,7 +469,7 @@ func (r *Router) Outbounds() []adapter.Outbound {
 }
 
 func (r *Router) PreStart() error {
-	monitor := taskmonitor.New(r.logger, C.DefaultStartTimeout)
+	monitor := taskmonitor.New(r.logger, C.StartTimeout)
 	if r.interfaceMonitor != nil {
 		monitor.Start("initialize interface monitor")
 		err := r.interfaceMonitor.Start()
@@ -492,7 +498,7 @@ func (r *Router) PreStart() error {
 }
 
 func (r *Router) Start() error {
-	monitor := taskmonitor.New(r.logger, C.DefaultStartTimeout)
+	monitor := taskmonitor.New(r.logger, C.StartTimeout)
 	if r.needGeoIPDatabase {
 		monitor.Start("initialize geoip database")
 		err := r.prepareGeoIPDatabase()
@@ -662,7 +668,7 @@ func (r *Router) Start() error {
 }
 
 func (r *Router) Close() error {
-	monitor := taskmonitor.New(r.logger, C.DefaultStopTimeout)
+	monitor := taskmonitor.New(r.logger, C.StopTimeout)
 	var err error
 	for i, rule := range r.rules {
 		monitor.Start("close rule[", i, "]")
@@ -1091,24 +1097,18 @@ func (r *Router) match0(ctx context.Context, metadata *adapter.InboundContext, d
 }
 
 func (r *Router) InterfaceFinder() control.InterfaceFinder {
-	return &r.interfaceFinder
+	return r.interfaceFinder
 }
 
 func (r *Router) UpdateInterfaces() error {
 	if r.platformInterface == nil || !r.platformInterface.UsePlatformInterfaceGetter() {
-		return r.interfaceFinder.update()
+		return r.interfaceFinder.Update()
 	} else {
 		interfaces, err := r.platformInterface.Interfaces()
 		if err != nil {
 			return err
 		}
-		r.interfaceFinder.updateInterfaces(common.Map(interfaces, func(it platform.NetworkInterface) net.Interface {
-			return net.Interface{
-				Name:  it.Name,
-				Index: it.Index,
-				MTU:   it.MTU,
-			}
-		}))
+		r.interfaceFinder.UpdateInterfaces(interfaces)
 		return nil
 	}
 }

route/router_dns.go

@@ -65,7 +65,7 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, index int) (con
 					ruleIndex += index + 1
 				}
 				r.dnsLogger.DebugContext(ctx, "match[", ruleIndex, "] ", rule.String(), " => ", detour)
-				if (isFakeIP && !r.dnsIndependentCache) || rule.DisableCache() {
+				if isFakeIP || rule.DisableCache() {
 					ctx = dns.ContextWithDisableCache(ctx, true)
 				}
 				if rewriteTTL := rule.RewriteTTL(); rewriteTTL != nil {

route/rule_abstract.go

@@ -211,12 +211,12 @@ func (r *abstractLogicalRule) Close() error {
 func (r *abstractLogicalRule) Match(metadata *adapter.InboundContext) bool {
 	if r.mode == C.LogicalTypeAnd {
 		return common.All(r.rules, func(it adapter.HeadlessRule) bool {
-			metadata.ResetRuleCacheContext()
+			metadata.ResetRuleCache()
 			return it.Match(metadata)
 		}) != r.invert
 	} else {
 		return common.Any(r.rules, func(it adapter.HeadlessRule) bool {
-			metadata.ResetRuleCacheContext()
+			metadata.ResetRuleCache()
 			return it.Match(metadata)
 		}) != r.invert
 	}

route/rule_dns.go

@@ -40,7 +40,7 @@ type DefaultDNSRule struct {
 	abstractDefaultRule
 	disableCache bool
 	rewriteTTL   *uint32
-	clientSubnet *netip.Addr
+	clientSubnet *netip.Prefix
 }
 
 func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options option.DefaultDNSRule) (*DefaultDNSRule, error) {
@@ -51,7 +51,7 @@ func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options
 		},
 		disableCache: options.DisableCache,
 		rewriteTTL:   options.RewriteTTL,
-		clientSubnet: (*netip.Addr)(options.ClientSubnet),
+		clientSubnet: (*netip.Prefix)(options.ClientSubnet),
 	}
 	if len(options.Inbound) > 0 {
 		item := NewInboundRule(options.Inbound)
@@ -234,7 +234,7 @@ func (r *DefaultDNSRule) RewriteTTL() *uint32 {
 	return r.rewriteTTL
 }
 
-func (r *DefaultDNSRule) ClientSubnet() *netip.Addr {
+func (r *DefaultDNSRule) ClientSubnet() *netip.Prefix {
 	return r.clientSubnet
 }
 
@@ -272,7 +272,7 @@ type LogicalDNSRule struct {
 	abstractLogicalRule
 	disableCache bool
 	rewriteTTL   *uint32
-	clientSubnet *netip.Addr
+	clientSubnet *netip.Prefix
 }
 
 func NewLogicalDNSRule(router adapter.Router, logger log.ContextLogger, options option.LogicalDNSRule) (*LogicalDNSRule, error) {
@@ -284,6 +284,7 @@ func NewLogicalDNSRule(router adapter.Router, logger log.ContextLogger, options
 		},
 		disableCache: options.DisableCache,
 		rewriteTTL:   options.RewriteTTL,
+		clientSubnet: (*netip.Prefix)(options.ClientSubnet),
 	}
 	switch options.Mode {
 	case C.LogicalTypeAnd:
@@ -311,7 +312,7 @@ func (r *LogicalDNSRule) RewriteTTL() *uint32 {
 	return r.rewriteTTL
 }
 
-func (r *LogicalDNSRule) ClientSubnet() *netip.Addr {
+func (r *LogicalDNSRule) ClientSubnet() *netip.Prefix {
 	return r.clientSubnet
 }
 
@@ -334,12 +335,12 @@ func (r *LogicalDNSRule) WithAddressLimit() bool {
 func (r *LogicalDNSRule) Match(metadata *adapter.InboundContext) bool {
 	if r.mode == C.LogicalTypeAnd {
 		return common.All(r.rules, func(it adapter.HeadlessRule) bool {
-			metadata.ResetRuleCacheContext()
+			metadata.ResetRuleCache()
 			return it.(adapter.DNSRule).Match(metadata)
 		}) != r.invert
 	} else {
 		return common.Any(r.rules, func(it adapter.HeadlessRule) bool {
-			metadata.ResetRuleCacheContext()
+			metadata.ResetRuleCache()
 			return it.(adapter.DNSRule).Match(metadata)
 		}) != r.invert
 	}
@@ -348,12 +349,12 @@ func (r *LogicalDNSRule) Match(metadata *adapter.InboundContext) bool {
 func (r *LogicalDNSRule) MatchAddressLimit(metadata *adapter.InboundContext) bool {
 	if r.mode == C.LogicalTypeAnd {
 		return common.All(r.rules, func(it adapter.HeadlessRule) bool {
-			metadata.ResetRuleCacheContext()
+			metadata.ResetRuleCache()
 			return it.(adapter.DNSRule).MatchAddressLimit(metadata)
 		}) != r.invert
 	} else {
 		return common.Any(r.rules, func(it adapter.HeadlessRule) bool {
-			metadata.ResetRuleCacheContext()
+			metadata.ResetRuleCache()
 			return it.(adapter.DNSRule).MatchAddressLimit(metadata)
 		}) != r.invert
 	}

route/rule_headless.go

@@ -129,14 +129,18 @@ func NewDefaultHeadlessRule(router adapter.Router, options option.DefaultHeadles
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.WIFISSID) > 0 {
-		item := NewWIFISSIDItem(router, options.WIFISSID)
-		rule.items = append(rule.items, item)
-		rule.allItems = append(rule.allItems, item)
+		if router != nil {
+			item := NewWIFISSIDItem(router, options.WIFISSID)
+			rule.items = append(rule.items, item)
+			rule.allItems = append(rule.allItems, item)
+		}
 	}
 	if len(options.WIFIBSSID) > 0 {
-		item := NewWIFIBSSIDItem(router, options.WIFIBSSID)
-		rule.items = append(rule.items, item)
-		rule.allItems = append(rule.allItems, item)
+		if router != nil {
+			item := NewWIFIBSSIDItem(router, options.WIFIBSSID)
+			rule.items = append(rule.items, item)
+			rule.allItems = append(rule.allItems, item)
+		}
 	}
 	return rule, nil
 }

route/rule_item_ip_is_private.go

@@ -24,12 +24,14 @@ func (r *IPIsPrivateItem) Match(metadata *adapter.InboundContext) bool {
 	} else {
 		destination = metadata.Destination.Addr
 	}
-	if destination.IsValid() && !N.IsPublicAddr(destination) {
-		return true
+	if destination.IsValid() {
+		return !N.IsPublicAddr(destination)
 	}
-	for _, destinationAddress := range metadata.DestinationAddresses {
-		if !N.IsPublicAddr(destinationAddress) {
-			return true
+	if !r.isSource {
+		for _, destinationAddress := range metadata.DestinationAddresses {
+			if !N.IsPublicAddr(destinationAddress) {
+				return true
+			}
 		}
 	}
 	return false

route/rule_set_local.go

@@ -3,12 +3,14 @@ package route
 import (
 	"context"
 	"os"
+	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/srs"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
 )
 
@@ -68,6 +70,10 @@ func (s *LocalRuleSet) Match(metadata *adapter.InboundContext) bool {
 	return false
 }
 
+func (s *LocalRuleSet) String() string {
+	return strings.Join(F.MapToString(s.rules), " ")
+}
+
 func (s *LocalRuleSet) StartContext(ctx context.Context, startContext adapter.RuleSetStartContext) error {
 	return nil
 }

route/rule_set_remote.go

@@ -7,6 +7,7 @@ import (
 	"net"
 	"net/http"
 	"runtime"
+	"strings"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -14,6 +15,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
@@ -68,6 +70,10 @@ func (s *RemoteRuleSet) Match(metadata *adapter.InboundContext) bool {
 	return false
 }
 
+func (s *RemoteRuleSet) String() string {
+	return strings.Join(F.MapToString(s.rules), " ")
+}
+
 func (s *RemoteRuleSet) StartContext(ctx context.Context, startContext adapter.RuleSetStartContext) error {
 	var dialer N.Dialer
 	if s.options.RemoteOptions.DownloadDetour != "" {

transport/fakeip/memory.go

@@ -40,6 +40,13 @@ func (s *MemoryStorage) FakeIPSaveMetadataAsync(metadata *adapter.FakeIPMetadata
 func (s *MemoryStorage) FakeIPStore(address netip.Addr, domain string) error {
 	s.addressAccess.Lock()
 	s.domainAccess.Lock()
+	if oldDomain, loaded := s.addressCache[address]; loaded {
+		if address.Is4() {
+			delete(s.domainCache4, oldDomain)
+		} else {
+			delete(s.domainCache6, oldDomain)
+		}
+	}
 	s.addressCache[address] = domain
 	if address.Is4() {
 		s.domainCache4[domain] = address

transport/fakeip/packet.go

@@ -1,55 +0,0 @@
-package fakeip
-
-import (
-	"github.com/sagernet/sing/common/buf"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-var _ N.PacketConn = (*NATPacketConn)(nil)
-
-type NATPacketConn struct {
-	N.PacketConn
-	origin      M.Socksaddr
-	destination M.Socksaddr
-}
-
-func NewNATPacketConn(conn N.PacketConn, origin M.Socksaddr, destination M.Socksaddr) *NATPacketConn {
-	return &NATPacketConn{
-		PacketConn:  conn,
-		origin:      socksaddrWithoutPort(origin),
-		destination: socksaddrWithoutPort(destination),
-	}
-}
-
-func (c *NATPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
-	destination, err = c.PacketConn.ReadPacket(buffer)
-	if socksaddrWithoutPort(destination) == c.origin {
-		destination = M.Socksaddr{
-			Addr: c.destination.Addr,
-			Fqdn: c.destination.Fqdn,
-			Port: destination.Port,
-		}
-	}
-	return
-}
-
-func (c *NATPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	if socksaddrWithoutPort(destination) == c.destination {
-		destination = M.Socksaddr{
-			Addr: c.origin.Addr,
-			Fqdn: c.origin.Fqdn,
-			Port: destination.Port,
-		}
-	}
-	return c.PacketConn.WritePacket(buffer, destination)
-}
-
-func (c *NATPacketConn) Upstream() any {
-	return c.PacketConn
-}
-
-func socksaddrWithoutPort(destination M.Socksaddr) M.Socksaddr {
-	destination.Port = 0
-	return destination
-}

transport/fakeip/packet_wait.go

@@ -1,37 +0,0 @@
-package fakeip
-
-import (
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func (c *NATPacketConn) CreatePacketReadWaiter() (N.PacketReadWaiter, bool) {
-	waiter, created := bufio.CreatePacketReadWaiter(c.PacketConn)
-	if !created {
-		return nil, false
-	}
-	return &waitNATPacketConn{c, waiter}, true
-}
-
-type waitNATPacketConn struct {
-	*NATPacketConn
-	readWaiter N.PacketReadWaiter
-}
-
-func (c *waitNATPacketConn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy bool) {
-	return c.readWaiter.InitializeReadWaiter(options)
-}
-
-func (c *waitNATPacketConn) WaitReadPacket() (buffer *buf.Buffer, destination M.Socksaddr, err error) {
-	buffer, destination, err = c.readWaiter.WaitReadPacket()
-	if err == nil && socksaddrWithoutPort(destination) == c.origin {
-		destination = M.Socksaddr{
-			Addr: c.destination.Addr,
-			Fqdn: c.destination.Fqdn,
-			Port: destination.Port,
-		}
-	}
-	return
-}

transport/v2raygrpc/client.go

@@ -89,6 +89,8 @@ func (c *Client) connect() (*grpc.ClientConn, error) {
 	if conn != nil && conn.GetState() != connectivity.Shutdown {
 		return conn, nil
 	}
+	//nolint:staticcheck
+	//goland:noinspection GoDeprecation
 	conn, err := grpc.DialContext(c.ctx, c.serverAddr, c.dialOptions...)
 	if err != nil {
 		return nil, err