documentation: Bump version

* Introduce bittorrent related protocol sniffers

including, sniffers of
1. BitTorrent Protocol (TCP)
2. uTorrent Transport Protocol (UDP)

Signed-off-by: iosmanthus <myosmanthustree@gmail.com>
Co-authored-by: 世界 <i@sekai.icu>

.github/workflows/docker.yml

@@ -4,13 +4,35 @@ on:
   release:
     types:
       - released
-
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "The tag version you want to build"
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+      - name: Get commit to build
+        id: ref
+        run: |-
+          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
+            ref="${{ github.ref_name }}"
+          else
+            ref="${{ github.event.inputs.tag }}"
+          fi
+          echo "ref=$ref"
+          echo "ref=$ref" >> $GITHUB_OUTPUT
+          if [[ $ref == *"-"* ]]; then
+            latest=latest-beta
+          else
+            latest=latest
+          fi
+          echo "latest=$latest"
+          echo "latest=$latest" >> $GITHUB_OUTPUT
       - name: Checkout
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        with:
+          ref: ${{ steps.ref.outputs.ref }}
       - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Setup QEMU for Docker Buildx
@@ -30,10 +52,11 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
+          context: .
           target: dist
           build-args: |
             BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
           tags: |
-            ghcr.io/sagernet/sing-box:latest
-            ghcr.io/sagernet/sing-box:${{ github.ref_name }}
+            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.latest }}
+            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.ref }}
           push: true

.github/workflows/lint.yml

@@ -30,7 +30,7 @@ jobs:
         with:
           go-version: ^1.22
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v5
+        uses: golangci/golangci-lint-action@v6
         with:
           version: latest
           args: --timeout=30m

.goreleaser.fury.yaml

@@ -36,7 +36,6 @@ nfpms:
     file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
     builds:
       - main
-    vendor: sagernet
     homepage: https://sing-box.sagernet.org/
     maintainer: nekohasekai <contact-git@sekai.icu>
     description: The universal proxy platform.

.goreleaser.yaml

@@ -113,7 +113,6 @@ nfpms:
     file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
     builds:
       - main
-    vendor: sagernet
     homepage: https://sing-box.sagernet.org/
     maintainer: nekohasekai <contact-git@sekai.icu>
     description: The universal proxy platform.

adapter/experimental.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/common/urltest"
+	"github.com/sagernet/sing-dns"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/rw"
 )
@@ -30,6 +31,9 @@ type CacheFile interface {
 	StoreFakeIP() bool
 	FakeIPStorage
 
+	StoreRDRC() bool
+	dns.RDRCStore
+
 	LoadMode() string
 	StoreMode(mode string) error
 	LoadSelected(group string) string

adapter/inbound.go

@@ -51,11 +51,13 @@ type InboundContext struct {
 
 	// rule cache
 
-	IPCIDRMatchSource       bool
-	SourceAddressMatch      bool
-	SourcePortMatch         bool
-	DestinationAddressMatch bool
-	DestinationPortMatch    bool
+	IPCIDRMatchSource            bool
+	SourceAddressMatch           bool
+	SourcePortMatch              bool
+	DestinationAddressMatch      bool
+	DestinationPortMatch         bool
+	DidMatch                     bool
+	IgnoreDestinationIPCIDRMatch bool
 }
 
 func (c *InboundContext) ResetRuleCache() {
@@ -64,6 +66,7 @@ func (c *InboundContext) ResetRuleCache() {
 	c.SourcePortMatch = false
 	c.DestinationAddressMatch = false
 	c.DestinationPortMatch = false
+	c.DidMatch = false
 }
 
 type inboundContextKey struct{}

adapter/router.go

@@ -71,6 +71,7 @@ func RouterFromContext(ctx context.Context) Router {
 
 type HeadlessRule interface {
 	Match(metadata *InboundContext) bool
+	String() string
 }
 
 type Rule interface {
@@ -79,13 +80,15 @@ type Rule interface {
 	Type() string
 	UpdateGeosite() error
 	Outbound() string
-	String() string
 }
 
 type DNSRule interface {
 	Rule
 	DisableCache() bool
 	RewriteTTL() *uint32
+	ClientSubnet() *netip.Prefix
+	WithAddressLimit() bool
+	MatchAddressLimit(metadata *InboundContext) bool
 }
 
 type RuleSet interface {
@@ -99,6 +102,7 @@ type RuleSet interface {
 type RuleSetMetadata struct {
 	ContainsProcessRule bool
 	ContainsWIFIRule    bool
+	ContainsIPCIDRRule  bool
 }
 
 type RuleSetStartContext interface {

cmd/sing-box/cmd_rule_set_match.go

@@ -0,0 +1,86 @@
+package main
+
+import (
+	"bytes"
+	"io"
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/srs"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/route"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+
+	"github.com/spf13/cobra"
+)
+
+var flagRuleSetMatchFormat string
+
+var commandRuleSetMatch = &cobra.Command{
+	Use:   "match <rule-set path> <domain>",
+	Short: "Check if a domain matches the rule set",
+	Args:  cobra.ExactArgs(2),
+	Run: func(cmd *cobra.Command, args []string) {
+		err := ruleSetMatch(args[0], args[1])
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandRuleSetMatch.Flags().StringVarP(&flagRuleSetMatchFormat, "format", "f", "source", "rule-set format")
+	commandRuleSet.AddCommand(commandRuleSetMatch)
+}
+
+func ruleSetMatch(sourcePath string, domain string) error {
+	var (
+		reader io.Reader
+		err    error
+	)
+	if sourcePath == "stdin" {
+		reader = os.Stdin
+	} else {
+		reader, err = os.Open(sourcePath)
+		if err != nil {
+			return E.Cause(err, "read rule-set")
+		}
+	}
+	content, err := io.ReadAll(reader)
+	if err != nil {
+		return E.Cause(err, "read rule-set")
+	}
+	var plainRuleSet option.PlainRuleSet
+	switch flagRuleSetMatchFormat {
+	case C.RuleSetFormatSource:
+		var compat option.PlainRuleSetCompat
+		compat, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
+		if err != nil {
+			return err
+		}
+		plainRuleSet = compat.Upgrade()
+	case C.RuleSetFormatBinary:
+		plainRuleSet, err = srs.Read(bytes.NewReader(content), false)
+		if err != nil {
+			return err
+		}
+	default:
+		return E.New("unknown rule set format: ", flagRuleSetMatchFormat)
+	}
+	for i, ruleOptions := range plainRuleSet.Rules {
+		var currentRule adapter.HeadlessRule
+		currentRule, err = route.NewHeadlessRule(nil, ruleOptions)
+		if err != nil {
+			return E.Cause(err, "parse rule_set.rules.[", i, "]")
+		}
+		if currentRule.Match(&adapter.InboundContext{
+			Domain: domain,
+		}) {
+			println("match rules.[", i, "]: "+currentRule.String())
+		}
+	}
+	return nil
+}

common/badtls/read_wait.go

@@ -4,6 +4,8 @@ package badtls
 
 import (
 	"bytes"
+	"context"
+	"net"
 	"os"
 	"reflect"
 	"sync"
@@ -18,20 +20,32 @@ import (
 var _ N.ReadWaiter = (*ReadWaitConn)(nil)
 
 type ReadWaitConn struct {
-	*tls.STDConn
-	halfAccess      *sync.Mutex
-	rawInput        *bytes.Buffer
-	input           *bytes.Reader
-	hand            *bytes.Buffer
-	readWaitOptions N.ReadWaitOptions
+	tls.Conn
+	halfAccess                    *sync.Mutex
+	rawInput                      *bytes.Buffer
+	input                         *bytes.Reader
+	hand                          *bytes.Buffer
+	readWaitOptions               N.ReadWaitOptions
+	tlsReadRecord                 func() error
+	tlsHandlePostHandshakeMessage func() error
 }
 
 func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
-	stdConn, isSTDConn := conn.(*tls.STDConn)
-	if !isSTDConn {
+	var (
+		loaded                        bool
+		tlsReadRecord                 func() error
+		tlsHandlePostHandshakeMessage func() error
+	)
+	for _, tlsCreator := range tlsRegistry {
+		loaded, tlsReadRecord, tlsHandlePostHandshakeMessage = tlsCreator(conn)
+		if loaded {
+			break
+		}
+	}
+	if !loaded {
 		return nil, os.ErrInvalid
 	}
-	rawConn := reflect.Indirect(reflect.ValueOf(stdConn))
+	rawConn := reflect.Indirect(reflect.ValueOf(conn))
 	rawHalfConn := rawConn.FieldByName("in")
 	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
 		return nil, E.New("badtls: invalid half conn")
@@ -57,11 +71,13 @@ func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
 	}
 	hand := (*bytes.Buffer)(unsafe.Pointer(rawHand.UnsafeAddr()))
 	return &ReadWaitConn{
-		STDConn:    stdConn,
-		halfAccess: halfAccess,
-		rawInput:   rawInput,
-		input:      input,
-		hand:       hand,
+		Conn:                          conn,
+		halfAccess:                    halfAccess,
+		rawInput:                      rawInput,
+		input:                         input,
+		hand:                          hand,
+		tlsReadRecord:                 tlsReadRecord,
+		tlsHandlePostHandshakeMessage: tlsHandlePostHandshakeMessage,
 	}, nil
 }
 
@@ -71,19 +87,19 @@ func (c *ReadWaitConn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy
 }
 
 func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
-	err = c.Handshake()
+	err = c.HandshakeContext(context.Background())
 	if err != nil {
 		return
 	}
 	c.halfAccess.Lock()
 	defer c.halfAccess.Unlock()
 	for c.input.Len() == 0 {
-		err = tlsReadRecord(c.STDConn)
+		err = c.tlsReadRecord()
 		if err != nil {
 			return
 		}
 		for c.hand.Len() > 0 {
-			err = tlsHandlePostHandshakeMessage(c.STDConn)
+			err = c.tlsHandlePostHandshakeMessage()
 			if err != nil {
 				return
 			}
@@ -100,7 +116,7 @@ func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
 	if n != 0 && c.input.Len() == 0 && c.rawInput.Len() > 0 &&
 		// recordType(c.rawInput.Bytes()[0]) == recordTypeAlert {
 		c.rawInput.Bytes()[0] == 21 {
-		_ = tlsReadRecord(c.STDConn)
+		_ = c.tlsReadRecord()
 		// return n, err // will be io.EOF on closeNotify
 	}
 
@@ -109,11 +125,27 @@ func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
 }
 
 func (c *ReadWaitConn) Upstream() any {
-	return c.STDConn
+	return c.Conn
 }
 
-//go:linkname tlsReadRecord crypto/tls.(*Conn).readRecord
-func tlsReadRecord(c *tls.STDConn) error
+var tlsRegistry []func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error)
 
-//go:linkname tlsHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
-func tlsHandlePostHandshakeMessage(c *tls.STDConn) error
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
+		tlsConn, loaded := conn.(*tls.STDConn)
+		if !loaded {
+			return
+		}
+		return true, func() error {
+				return stdTLSReadRecord(tlsConn)
+			}, func() error {
+				return stdTLSHandlePostHandshakeMessage(tlsConn)
+			}
+	})
+}
+
+//go:linkname stdTLSReadRecord crypto/tls.(*Conn).readRecord
+func stdTLSReadRecord(c *tls.STDConn) error
+
+//go:linkname stdTLSHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
+func stdTLSHandlePostHandshakeMessage(c *tls.STDConn) error

common/badtls/read_wait_ech.go

@@ -0,0 +1,31 @@
+//go:build go1.21 && !without_badtls && with_ech
+
+package badtls
+
+import (
+	"net"
+	_ "unsafe"
+
+	"github.com/sagernet/cloudflare-tls"
+	"github.com/sagernet/sing/common"
+)
+
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
+		tlsConn, loaded := common.Cast[*tls.Conn](conn)
+		if !loaded {
+			return
+		}
+		return true, func() error {
+				return echReadRecord(tlsConn)
+			}, func() error {
+				return echHandlePostHandshakeMessage(tlsConn)
+			}
+	})
+}
+
+//go:linkname echReadRecord github.com/sagernet/cloudflare-tls.(*Conn).readRecord
+func echReadRecord(c *tls.Conn) error
+
+//go:linkname echHandlePostHandshakeMessage github.com/sagernet/cloudflare-tls.(*Conn).handlePostHandshakeMessage
+func echHandlePostHandshakeMessage(c *tls.Conn) error

common/badtls/read_wait_utls.go

@@ -0,0 +1,31 @@
+//go:build go1.21 && !without_badtls && with_utls
+
+package badtls
+
+import (
+	"net"
+	_ "unsafe"
+
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/utls"
+)
+
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
+		tlsConn, loaded := common.Cast[*tls.UConn](conn)
+		if !loaded {
+			return
+		}
+		return true, func() error {
+				return utlsReadRecord(tlsConn.Conn)
+			}, func() error {
+				return utlsHandlePostHandshakeMessage(tlsConn.Conn)
+			}
+	})
+}
+
+//go:linkname utlsReadRecord github.com/sagernet/utls.(*Conn).readRecord
+func utlsReadRecord(c *tls.Conn) error
+
+//go:linkname utlsHandlePostHandshakeMessage github.com/sagernet/utls.(*Conn).handlePostHandshakeMessage
+func utlsHandlePostHandshakeMessage(c *tls.Conn) error

common/dialer/default.go

@@ -32,14 +32,20 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
-		bindFunc := control.BindToInterface(router.InterfaceFinder(), options.BindInterface, -1)
+		var interfaceFinder control.InterfaceFinder
+		if router != nil {
+			interfaceFinder = router.InterfaceFinder()
+		} else {
+			interfaceFinder = control.NewDefaultInterfaceFinder()
+		}
+		bindFunc := control.BindToInterface(interfaceFinder, options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
-	} else if router.AutoDetectInterface() {
+	} else if router != nil && router.AutoDetectInterface() {
 		bindFunc := router.AutoDetectInterfaceFunc()
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
-	} else if router.DefaultInterface() != "" {
+	} else if router != nil && router.DefaultInterface() != "" {
 		bindFunc := control.BindToInterface(router.InterfaceFinder(), router.DefaultInterface(), -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
@@ -47,7 +53,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	if options.RoutingMark != 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(options.RoutingMark))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(options.RoutingMark))
-	} else if router.DefaultMark() != 0 {
+	} else if router != nil && router.DefaultMark() != 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(router.DefaultMark()))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(router.DefaultMark()))
 	}
@@ -63,6 +69,9 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	} else {
 		dialer.Timeout = C.TCPTimeout
 	}
+	// TODO: Add an option to customize the keep alive period
+	dialer.KeepAlive = C.TCPKeepAliveInitial
+	dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(C.TCPKeepAliveInitial, C.TCPKeepAliveInterval))
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment

common/dialer/dialer.go

@@ -13,6 +13,9 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	if options.IsWireGuardListener {
 		return NewDefault(router, options)
 	}
+	if router == nil {
+		return NewDefault(nil, options)
+	}
 	var (
 		dialer N.Dialer
 		err    error

common/process/searcher_windows.go

@@ -223,7 +223,7 @@ func getExecPathFromPID(pid uint32) (string, error) {
 	r1, _, err := syscall.SyscallN(
 		procQueryFullProcessImageNameW.Addr(),
 		uintptr(h),
-		uintptr(1),
+		uintptr(0),
 		uintptr(unsafe.Pointer(&buf[0])),
 		uintptr(unsafe.Pointer(&size)),
 	)

common/sniff/bittorrent.go

@@ -0,0 +1,113 @@
+package sniff
+
+import (
+	"bytes"
+	"context"
+	"encoding/binary"
+	"io"
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+)
+
+const (
+	trackerConnectFlag = iota
+	trackerAnnounceFlag
+	trackerScrapeFlag
+
+	trackerProtocolID = 0x41727101980
+
+	trackerConnectMinSize  = 16
+	trackerAnnounceMinSize = 20
+	trackerScrapeMinSize   = 8
+)
+
+// BitTorrent detects if the stream is a BitTorrent connection.
+// For the BitTorrent protocol specification, see https://www.bittorrent.org/beps/bep_0003.html
+func BitTorrent(_ context.Context, reader io.Reader) (*adapter.InboundContext, error) {
+	var first byte
+	err := binary.Read(reader, binary.BigEndian, &first)
+	if err != nil {
+		return nil, err
+	}
+
+	if first != 19 {
+		return nil, os.ErrInvalid
+	}
+
+	var protocol [19]byte
+	_, err = reader.Read(protocol[:])
+	if err != nil {
+		return nil, err
+	}
+	if string(protocol[:]) != "BitTorrent protocol" {
+		return nil, os.ErrInvalid
+	}
+
+	return &adapter.InboundContext{
+		Protocol: C.ProtocolBitTorrent,
+	}, nil
+}
+
+// UTP detects if the packet is a uTP connection packet.
+// For the uTP protocol specification, see
+//  1. https://www.bittorrent.org/beps/bep_0029.html
+//  2. https://github.com/bittorrent/libutp/blob/2b364cbb0650bdab64a5de2abb4518f9f228ec44/utp_internal.cpp#L112
+func UTP(_ context.Context, packet []byte) (*adapter.InboundContext, error) {
+	// A valid uTP packet must be at least 20 bytes long.
+	if len(packet) < 20 {
+		return nil, os.ErrInvalid
+	}
+
+	version := packet[0] & 0x0F
+	ty := packet[0] >> 4
+	if version != 1 || ty > 4 {
+		return nil, os.ErrInvalid
+	}
+
+	// Validate the extensions
+	extension := packet[1]
+	reader := bytes.NewReader(packet[20:])
+	for extension != 0 {
+		err := binary.Read(reader, binary.BigEndian, &extension)
+		if err != nil {
+			return nil, err
+		}
+
+		var length byte
+		err = binary.Read(reader, binary.BigEndian, &length)
+		if err != nil {
+			return nil, err
+		}
+		_, err = reader.Seek(int64(length), io.SeekCurrent)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return &adapter.InboundContext{
+		Protocol: C.ProtocolBitTorrent,
+	}, nil
+}
+
+// UDPTracker detects if the packet is a UDP Tracker Protocol packet.
+// For the UDP Tracker Protocol specification, see https://www.bittorrent.org/beps/bep_0015.html
+func UDPTracker(_ context.Context, packet []byte) (*adapter.InboundContext, error) {
+	switch {
+	case len(packet) >= trackerConnectMinSize &&
+		binary.BigEndian.Uint64(packet[:8]) == trackerProtocolID &&
+		binary.BigEndian.Uint32(packet[8:12]) == trackerConnectFlag:
+		fallthrough
+	case len(packet) >= trackerAnnounceMinSize &&
+		binary.BigEndian.Uint32(packet[8:12]) == trackerAnnounceFlag:
+		fallthrough
+	case len(packet) >= trackerScrapeMinSize &&
+		binary.BigEndian.Uint32(packet[8:12]) == trackerScrapeFlag:
+		return &adapter.InboundContext{
+			Protocol: C.ProtocolBitTorrent,
+		}, nil
+	default:
+		return nil, os.ErrInvalid
+	}
+}

common/sniff/bittorrent_test.go

@@ -0,0 +1,81 @@
+package sniff_test
+
+import (
+	"bytes"
+	"context"
+	"encoding/hex"
+	"testing"
+
+	"github.com/sagernet/sing-box/common/sniff"
+	C "github.com/sagernet/sing-box/constant"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSniffBittorrent(t *testing.T) {
+	t.Parallel()
+
+	packets := []string{
+		"13426974546f7272656e742070726f746f636f6c0000000000100000e21ea9569b69bab33c97851d0298bdfa89bc90922d5554313631302dea812fcd6a3563e3be40c1d1",
+		"13426974546f7272656e742070726f746f636f6c00000000001000052aa4f5a7e209e54b32803d43670971c4c8caaa052d5452333030302d653369733079647675763638",
+		"13426974546f7272656e742070726f746f636f6c00000000001000052aa4f5a7e209e54b32803d43670971c4c8caaa052d5452343035302d6f7a316c6e79377931716130",
+	}
+
+	for _, pkt := range packets {
+		pkt, err := hex.DecodeString(pkt)
+		require.NoError(t, err)
+		metadata, err := sniff.BitTorrent(context.TODO(), bytes.NewReader(pkt))
+		require.NoError(t, err)
+		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
+	}
+}
+
+func TestSniffUTP(t *testing.T) {
+	t.Parallel()
+
+	packets := []string{
+		"010041a282d7ee7b583afb160004000006d8318da776968f92d666f7963f32dae23ba0d2c810d8b8209cc4939f54fde9eeaa521c2c20c9ba7f43f4fb0375f28de06643b5e3ca4685ab7ac76adca99783be72ef05ed59ef4234f5712b75b4c7c0d7bee8fe2ca20ad626ba5bb0ffcc16bf06790896f888048cf72716419a07db1a3dca4550fbcea75b53e97235168a221cf3e553dfbb723961bd719fab038d86e0ecb74747f5a2cd669de1c4b9ad375f3a492d09d98cdfad745435625401315bbba98d35d32086299801377b93495a63a9efddb8d05f5b37a5c5b1c0a25e917f12007bb5e05013ada8aff544fab8cadf61d80ddb0b60f12741e44515a109d144fd53ef845acb4b5ccf0d6fc302d7003d76df3fc3423bb0237301c9e88f900c2d392a8e0fdb36d143cf7527a93fd0a2638b746e72f6699fffcd4fd15348fce780d4caa04382fd9faf1ca0ae377ca805da7536662b84f5ee18dd3ae38fcb095a7543e55f9069ae92c8cf54ae44e97b558d35e2545c66601ed2149cbc32bd6df199a2be7cf0da8b2ff137e0d23e776bc87248425013876d3a3cc31a83b424b752bd0346437f24b532978005d8f5b1b0be1a37a2489c32a18a9ad3118e3f9d30eb299bffae18e1f0677c2a5c185e62519093fe6bc2b7339299ea50a587989f726ca6443a75dd5bb936f6367c6355d80fae53ff529d740b2e5576e3eefdf1fdbfc69c3c8d8ac750512635de63e054bee1d3b689bc1b2bc3d2601e42a00b5c89066d173d4ae7ffedfd2274e5cf6d868fbe640aedb69b8246142f00b32d459974287537ddd5373460dcbc92f5cfdd7a3ed6020822ae922d947893752ca1983d0d32977374c384ac8f5ab566859019b7351526b9f13e932037a55bb052d9deb3b3c23317e0784fdc51a64f2159bfea3b069cf5caf02ee2c3c1a6b6b427bb16165713e8802d95b5c8ed77953690e994bd38c9ae113fedaf6ee7fc2b96c032ceafc2a530ad0422e84546b9c6ad8ef6ea02fa508abddd1805c38a7b42e9b7c971b1b636865ebec06ed754bb404cd6b4e6cc8cb77bd4a0c43410d5cd5ef8fe853a66d49b3b9e06cb141236cdbfdd5761601dc54d1250b86c660e0f898fe62526fdd9acf0eab60a3bbbb2151970461f28f10b31689594bea646c4b03ee197d63bdef4e5a7c22716b3bb9494a83b78ecd81b338b80ac6c09c43485b1b09ba41c74343832c78f0520c1d659ac9eb1502094141e82fb9e5e620970ebc0655514c43c294a7714cbf9a499d277daf089f556398a01589a77494bec8bfb60a108f3813b55368672b88c1af40f6b3c8b513f7c70c3e0efce85228b8b9ec67ba0393f9f7305024d8e2da6a26cf85613d14f249170ce1000089df4c9c260df7f8292aa2ecb5d5bac97656d59aa248caedea2d198e51ce87baece338716d114b458de02d65c9ff808ca5b5b73723b4d1e962d9ac2d98176544dc9984cf8554d07820ef3dd0861cfe57b478328046380de589adad94ee44743ffac73bb7361feca5d56f07cf8ce75080e261282ae30350d7882679b15cab9e7e53ddf93310b33f7390ae5d318bb53f387e6af5d0ef4f947fc9cb8e7e38b52c7f8d772ece6156b38d88796ea19df02c53723b44df7c76315a0de9462f27287e682d2b4cda1a68fe00d7e48c51ee981be44e1ca940fb5190c12655edb4a83c3a4f33e48a015692df4f0b3d61656e362aca657b5ae8c12db5a0db3db1e45135ee918b66918f40e53c4f83e9da0cddfe63f736ae751ab3837a30ae3220d8e8e311487093a7b90c7e7e40dd54ca750e19452f9193aa892aa6a6229ab493dadae988b1724f7898ee69c36d3eb7364c4adbeca811cfe2065873e78c2b6dfdf1595f7a7831c07e03cda82e4f86f76438dfb2b07c13638ce7b509cfa71b88b5102b39a203b423202088e1c2103319cb32c13c1e546ff8612fa194c95a7808ab767c265a1bd5fa0efed5c8ec1701876a00ec8",
+		"01001ecb68176f215d04326300100000dbcf30292d14b54e9ee2d115ee5b8ebc7fad3e882d4fcdd0c14c6b917c11cb4c6a9f410b52a33ae97c2ac77c7a2b122b8955e09af3c5c595f1b2e79ca57cfe44c44e069610773b9bc9ba223d7f6b383e3adddd03fb88a8476028e30979c2ef321ffc97c5c132bcf9ac5b410bbb5ec6cefca3c7209202a14c5ae922b6b157b0a80249d13ffe5b996af0bc8e54ba576d148372494303e7ead0602b05b9c8fc97d48508a028a04d63a1fd28b0edfcd5c51715f63188b53eefede98a76912dca98518551a8856567307a56a702cbfcc115ea0c755b418bc2c7b57721239b82f09fb24328a4b0ce0f109bcb2a64e04b8aadb1f8487585425acdf8fc4ec8ea93cfcec5ac098bb29d42ddef6e46b03f34a5de28316726699b7cb5195c33e5c48abe87d591d63f9991c84c30819d186d6e0e95fd83c8dff07aa669c4430989bcaccfeacb9bcadbdb4d8f1964dbeb9687745656edd30b21c66cc0a1d742a78717d134a19a7f02d285a4973b1a198c00cfdff4676608dc4f3e817e3463c3b4e2c80d3e8d4fbac541a58a2fb7ad6939f607f8144eff6c8b0adc28ee5609ea158987519892fb",
+		"21001ecb6817f2805d044fd700100000dbd03029",
+		"410277ef0b1fb1f60000000000040000c233000000080000000000000000",
+	}
+
+	for _, pkt := range packets {
+		pkt, err := hex.DecodeString(pkt)
+		require.NoError(t, err)
+
+		metadata, err := sniff.UTP(context.TODO(), pkt)
+		require.NoError(t, err)
+		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
+	}
+}
+
+func TestSniffUDPTracker(t *testing.T) {
+	t.Parallel()
+
+	connectPackets := []string{
+		// connect packets
+		"00000417271019800000000078e90560",
+		"00000417271019800000000022c5d64d",
+		"000004172710198000000000b3863541",
+
+		// announce packets
+		"3d7592ead4b8c9e300000001b871a3820000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
+		"3d7592ead4b8c9e30000000188deed1c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
+		"3d7592ead4b8c9e300000001ceb948ad0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a3362cdb7020ff920e5aa642c3d4066950dd1f01f4d00000000000000000000000000000000000000000000000000000000000000000000000000000000000002092f616e6e6f756e6365",
+
+		// scrape packets
+		"3d7592ead4b8c9e300000002d2f4bba5a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
+		"3d7592ead4b8c9e300000002441243292aae6c35c94fcfb415dbe95f408b9ce91ee846ed",
+		"3d7592ead4b8c9e300000002b2aa461b1ad1fa9661cf3fe45fb2504ad52ec6c67758e294",
+	}
+
+	for _, pkt := range connectPackets {
+		pkt, err := hex.DecodeString(pkt)
+		require.NoError(t, err)
+
+		metadata, err := sniff.UDPTracker(context.TODO(), pkt)
+		require.NoError(t, err)
+		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
+	}
+}

common/tls/ech_quic.go

@@ -27,11 +27,10 @@ func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, ad
 	return quic.DialEarly(ctx, conn, addr, c.config, config)
 }
 
-func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config, enableDatagrams bool) http.RoundTripper {
+func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config) http.RoundTripper {
 	return &http3.RoundTripper{
 		TLSClientConfig: c.config,
-		QuicConfig:      quicConfig,
-		EnableDatagrams: enableDatagrams,
+		QUICConfig:      quicConfig,
 		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
 			if err != nil {

constant/protocol.go

@@ -1,9 +1,10 @@
 package constant
 
 const (
-	ProtocolTLS  = "tls"
-	ProtocolHTTP = "http"
-	ProtocolQUIC = "quic"
-	ProtocolDNS  = "dns"
-	ProtocolSTUN = "stun"
+	ProtocolTLS        = "tls"
+	ProtocolHTTP       = "http"
+	ProtocolQUIC       = "quic"
+	ProtocolDNS        = "dns"
+	ProtocolSTUN       = "stun"
+	ProtocolBitTorrent = "bittorrent"
 )

constant/quic.go

@@ -0,0 +1,5 @@
+//go:build with_quic
+
+package constant
+
+const WithQUIC = true

constant/quic_stub.go

@@ -0,0 +1,5 @@
+//go:build !with_quic
+
+package constant
+
+const WithQUIC = false

constant/timeout.go

@@ -3,6 +3,8 @@ package constant
 import "time"
 
 const (
+	TCPKeepAliveInitial        = 10 * time.Minute
+	TCPKeepAliveInterval       = 75 * time.Second
 	TCPTimeout                 = 5 * time.Second
 	ReadPayloadTimeout         = 300 * time.Millisecond
 	DNSTimeout                 = 10 * time.Second

docs/changelog.md

@@ -2,11 +2,139 @@
 icon: material/alert-decagram
 ---
 
+#### 1.10.0-alpha.1
+
+* Add tailing comma support in JSON configuration
+* Add simple auto redirect for Android **1**
+* Add BitTorrent sniffer **2**
+
+**1**:
+
+It allows you to use redirect inbound in the sing-box Android client
+and automatically configures IPv4 TCP redirection via su.
+
+This may alleviate the symptoms of some OCD patients who think that
+redirect can effectively save power compared to the system HTTP Proxy.
+
+See [Redirect](/configuration/inbound/redirect/).
+
+**2**:
+
+See [Protocol Sniff](/configuration/route/sniff/).
+
+### 1.9.0
+
+* Fixes and improvements
+
+Important changes since 1.8:
+
+* `domain_suffix` behavior update **1**
+* `process_path` format update on Windows **2**
+* Add address filter DNS rule items **3**
+* Add support for `client-subnet` DNS options **4**
+* Add rejected DNS response cache support **5**
+* Add `bypass_domain` and `search_domain` platform HTTP proxy options **6**
+* Fix missing `rule_set_ipcidr_match_source` item in DNS rules **7**
+* Handle Windows power events
+* Always disable cache for fake-ip DNS transport if `dns.independent_cache` disabled
+* Improve DNS truncate behavior
+* Update Hysteria protocol
+* Update quic-go to v0.43.1
+* Update gVisor to 20240422.0
+* Mitigating TunnelVision attacks **8**
+
+**1**:
+
+See [Migration](/migration/#domain_suffix-behavior-update).
+
+**2**:
+
+See [Migration](/migration/#process_path-format-update-on-windows).
+
+**3**:
+
+The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
+if using this method.
+
+See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
+
+[Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.
+
+**4**:
+
+See [DNS](/configuration/dns), [DNS Server](/configuration/dns/server) and [DNS Rules](/configuration/dns/rule).
+
+Since this feature makes the scenario mentioned in `alpha.1` no longer leak DNS requests,
+the [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) has been updated.
+
+**5**:
+
+The new feature allows you to cache the check results of
+[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.
+
+**6**:
+
+See [TUN](/configuration/inbound/tun) inbound.
+
+**7**:
+
+See [DNS Rule](/configuration/dns/rule/).
+
+**8**:
+
+See [TunnelVision](/manual/misc/tunnelvision).
+
+#### 1.9.0-rc.22
+
+* Fixes and improvements
+
+#### 1.9.0-rc.20
+
+* Prioritize `*_route_address` in linux auto-route
+* Fix `*_route_address` in darwin auto-route
+
+#### 1.8.14
+
+* Fix hysteria2 panic
+* Fixes and improvements
+
+#### 1.9.0-rc.18
+
+* Add custom prefix support in EDNS0 client subnet options
+* Fix hysteria2 crash
+* Fix `store_rdrc` corrupted
+* Update quic-go to v0.43.1
+* Fixes and improvements
+
+#### 1.9.0-rc.16
+
+* Mitigating TunnelVision attacks **1**
+* Fixes and improvements
+
+**1**:
+
+See [TunnelVision](/manual/misc/tunnelvision).
+
+#### 1.9.0-rc.15
+
+* Fixes and improvements
+
 #### 1.8.13
 
 * Fix fake-ip mapping
 * Fixes and improvements
 
+#### 1.9.0-rc.14
+
+* Fixes and improvements
+
+#### 1.9.0-rc.13
+
+* Update Hysteria protocol
+* Update quic-go to v0.43.0
+* Update gVisor to 20240422.0
+* Fixes and improvements
+
 #### 1.8.12
 
 * Now we have official APT and DNF repositories **1**
@@ -17,6 +145,10 @@ icon: material/alert-decagram
 
 Including stable and beta versions, see https://sing-box.sagernet.org/installation/package-manager/
 
+#### 1.9.0-rc.11
+
+* Fixes and improvements
+
 #### 1.8.11
 
 * Fixes and improvements
@@ -25,6 +157,24 @@ Including stable and beta versions, see https://sing-box.sagernet.org/installati
 
 * Fixes and improvements
 
+#### 1.9.0-beta.17
+
+* Update `quic-go` to v0.42.0
+* Fixes and improvements
+
+#### 1.9.0-beta.16
+
+* Fixes and improvements
+
+_Our Testflight distribution has been temporarily blocked by Apple (possibly due to too many beta versions)
+and you cannot join the test, install or update the sing-box beta app right now.
+Please wait patiently for processing._
+
+#### 1.9.0-beta.14
+
+* Update gVisor to 20240212.0-65-g71212d503
+* Fixes and improvements
+
 #### 1.8.9
 
 * Fixes and improvements
@@ -33,14 +183,125 @@ Including stable and beta versions, see https://sing-box.sagernet.org/installati
 
 * Fixes and improvements
 
+#### 1.9.0-beta.7
+
+* Fixes and improvements
+
+#### 1.9.0-beta.6
+
+* Fix address filter DNS rule items **1**
+* Fix DNS outbound responding with wrong data
+* Fixes and improvements
+
+**1**:
+
+Fixed an issue where address filter DNS rule was incorrectly rejected under certain circumstances.
+If you have enabled `store_rdrc` to save results, consider clearing the cache file.
+
 #### 1.8.7
 
 * Fixes and improvements
 
+#### 1.9.0-alpha.15
+
+* Fixes and improvements
+
+#### 1.9.0-alpha.14
+
+* Improve DNS truncate behavior
+* Fixes and improvements
+
+#### 1.9.0-alpha.13
+
+* Fixes and improvements
+
 #### 1.8.6
 
 * Fixes and improvements
 
+#### 1.9.0-alpha.12
+
+* Handle Windows power events
+* Always disable cache for fake-ip DNS transport if `dns.independent_cache` disabled
+* Fixes and improvements
+
+#### 1.9.0-alpha.11
+
+* Fix missing `rule_set_ipcidr_match_source` item in DNS rules **1**
+* Fixes and improvements
+
+**1**:
+
+See [DNS Rule](/configuration/dns/rule/).
+
+#### 1.9.0-alpha.10
+
+* Add `bypass_domain` and `search_domain` platform HTTP proxy options **1**
+* Fixes and improvements
+
+**1**:
+
+See [TUN](/configuration/inbound/tun) inbound.
+
+#### 1.9.0-alpha.8
+
+* Add rejected DNS response cache support **1**
+* Fixes and improvements
+
+**1**:
+
+The new feature allows you to cache the check results of
+[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.
+
+#### 1.9.0-alpha.7
+
+* Update gVisor to 20240206.0
+* Fixes and improvements
+
+#### 1.9.0-alpha.6
+
+* Fixes and improvements
+
+#### 1.9.0-alpha.3
+
+* Update `quic-go` to v0.41.0
+* Fixes and improvements
+
+#### 1.9.0-alpha.2
+
+* Add support for `client-subnet` DNS options **1**
+* Fixes and improvements
+
+**1**:
+
+See [DNS](/configuration/dns), [DNS Server](/configuration/dns/server) and [DNS Rules](/configuration/dns/rule).
+
+Since this feature makes the scenario mentioned in `alpha.1` no longer leak DNS requests,
+the [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) has been updated.
+
+#### 1.9.0-alpha.1
+
+* `domain_suffix` behavior update **1**
+* `process_path` format update on Windows **2**
+* Add address filter DNS rule items **3**
+
+**1**:
+
+See [Migration](/migration/#domain_suffix-behavior-update).
+
+**2**:
+
+See [Migration](/migration/#process_path-format-update-on-windows).
+
+**3**:
+
+The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
+if using this method.
+
+See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
+
+[Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.
+
 #### 1.8.5
 
 * Fixes and improvements
@@ -57,7 +318,7 @@ Including stable and beta versions, see https://sing-box.sagernet.org/installati
 
 * Fixes and improvements
 
-#### 1.8.0
+### 1.8.0
 
 * Fixes and improvements
 
@@ -348,7 +609,7 @@ New commands manage GeoIP, Geosite and rule set resources, and help you migrate
 
 Logical rules in route rules, DNS rules, and the new headless rule now allow nesting of logical rules.
 
-#### 1.7.0
+### 1.7.0
 
 * Fixes and improvements
 
@@ -390,7 +651,7 @@ see [TCP Brutal](/configuration/shared/tcp-brutal/) for details.
 
 **5**:
 
-Only supported in graphical clients on Android and iOS.
+Only supported in graphical clients on Android and Apple platforms.
 
 #### 1.7.0-rc.3
 
@@ -427,7 +688,7 @@ Only supported in graphical clients on Android and iOS.
 
 **1**:
 
-Only supported in graphical clients on Android and iOS.
+Only supported in graphical clients on Android and Apple platforms.
 
 #### 1.7.0-beta.3
 
@@ -508,7 +769,7 @@ Introduced in V2Ray 5.10.0.
 
 The new HTTPUpgrade transport has better performance than WebSocket and is better suited for CDN abuse.
 
-#### 1.6.0
+### 1.6.0
 
 * Fixes and improvements
 
@@ -687,7 +948,7 @@ introduce new issues.
 None of the existing Golang BBR congestion control implementations have been reviewed or unit tested.
 This update is intended to address the multi-send defects of the old implementation and may introduce new issues.
 
-#### 1.5.0
+### 1.5.0
 
 * Fixes and improvements
 
@@ -881,7 +1142,7 @@ All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria`, `T
 
 * Fixes and improvements
 
-#### 1.4.0
+### 1.4.0
 
 * Fix bugs and update dependencies
 
@@ -1023,7 +1284,7 @@ The old testflight link and app are no longer valid.
 
 * Fixes and improvements
 
-#### 1.3.0
+### 1.3.0
 
 * Fix bugs and update dependencies
 
@@ -1215,7 +1476,7 @@ to `domain` rule.
 * Flush DNS cache for macOS when tun start/close
 * Fix tun's DNS hijacking compatibility with systemd-resolved
 
-#### 1.2.0
+### 1.2.0
 
 * Fix bugs and update dependencies
 

docs/configuration/dns/index.md

@@ -1,3 +1,11 @@
+---
+icon: material/new-box
+---
+
+!!! quote "Changes in sing-box 1.9.0"
+
+    :material-plus: [client_subnet](#client_subnet)
+
 # DNS
 
 ### Structure
@@ -13,6 +21,7 @@
     "disable_expire": false,
     "independent_cache": false,
     "reverse_mapping": false,
+    "client_subnet": "",
     "fakeip": {}
   }
 }
@@ -21,8 +30,8 @@
 
 ### Fields
 
-| Key      | Format                         |
-|----------|--------------------------------|
+| Key      | Format                          |
+|----------|---------------------------------|
 | `server` | List of [DNS Server](./server/) |
 | `rules`  | List of [DNS Rule](./rule/)     |
 | `fakeip` | [FakeIP](./fakeip/)             |
@@ -60,6 +69,12 @@ Stores a reverse mapping of IP addresses after responding to a DNS query in orde
 Since this process relies on the act of resolving domain names by an application before making a request, it can be
 problematic in environments such as macOS, where DNS is proxied and cached by the system.
 
-#### fakeip
+#### client_subnet
 
-[FakeIP](./fakeip/) settings.
+!!! question "Since sing-box 1.9.0"
+
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+
+Can be overrides by `servers.[].client_subnet` or `rules.[].client_subnet`.

docs/configuration/dns/index.zh.md

@@ -1,3 +1,11 @@
+---
+icon: material/new-box
+---
+
+!!! quote "sing-box 1.9.0 中的更改"
+
+    :material-plus: [client_subnet](#client_subnet)
+
 # DNS
 
 ### 结构
@@ -13,6 +21,7 @@
     "disable_expire": false,
     "independent_cache": false,
     "reverse_mapping": false,
+    "client_subnet": "",
     "fakeip": {}
   }
 }
@@ -58,6 +67,16 @@
 
 由于此过程依赖于应用程序在发出请求之前解析域名的行为，因此在 macOS 等 DNS 由系统代理和缓存的环境中可能会出现问题。
 
+#### client_subnet
+
+!!! question "自 sing-box 1.9.0 起"
+
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+
+可以被 `servers.[].client_subnet` 或 `rules.[].client_subnet` 覆盖。
+
 #### fakeip
 
 [FakeIP](./fakeip/) 设置。

docs/configuration/dns/rule.md

@@ -1,7 +1,15 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 
+!!! quote "Changes in sing-box 1.9.0"
+
+    :material-plus: [geoip](#geoip)  
+    :material-plus: [ip_cidr](#ip_cidr)  
+    :material-plus: [ip_is_private](#ip_is_private)  
+    :material-plus: [client_subnet](#client_subnet)
+    :material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
+
 !!! quote "Changes in sing-box 1.8.0"
 
     :material-plus: [rule_set](#rule_set)  
@@ -53,11 +61,19 @@ icon: material/alert-decagram
         "source_geoip": [
           "private"
         ],
+        "geoip": [
+          "cn"
+        ],
         "source_ip_cidr": [
           "10.0.0.0/24",
           "192.168.0.1"
         ],
         "source_ip_is_private": false,
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_is_private": false,
         "source_port": [
           12345
         ],
@@ -101,13 +117,15 @@ icon: material/alert-decagram
           "geoip-cn",
           "geosite-cn"
         ],
+        "rule_set_ipcidr_match_source": false,
         "invert": false,
         "outbound": [
           "direct"
         ],
         "server": "local",
         "disable_cache": false,
-        "rewrite_ttl": 100
+        "rewrite_ttl": 100,
+        "client_subnet": "127.0.0.1/24"
       },
       {
         "type": "logical",
@@ -115,7 +133,8 @@ icon: material/alert-decagram
         "rules": [],
         "server": "local",
         "disable_cache": false,
-        "rewrite_ttl": 100
+        "rewrite_ttl": 100,
+        "client_subnet": "127.0.0.1/24"
       }
     ]
   }
@@ -266,11 +285,9 @@ Match Clash mode.
 
 #### wifi_ssid
 
-<!-- md:version 1.7.0-beta.4 -->
-
 !!! quote ""
 
-    Only supported in graphical clients on Android and iOS.
+    Only supported in graphical clients on Android and Apple platforms.
 
 Match WiFi SSID.
 
@@ -278,7 +295,7 @@ Match WiFi SSID.
 
 !!! quote ""
 
-    Only supported in graphical clients on Android and iOS.
+    Only supported in graphical clients on Android and Apple platforms.
 
 Match WiFi BSSID.
 
@@ -288,6 +305,12 @@ Match WiFi BSSID.
 
 Match [Rule Set](/configuration/route/#rule_set).
 
+#### rule_set_ipcidr_match_source
+
+!!! question "Since sing-box 1.9.0"
+
+Make `ipcidr` in rule sets match the source IP.
+
 #### invert
 
 Invert match result.
@@ -312,6 +335,46 @@ Disable cache and save cache in this query.
 
 Rewrite TTL in DNS responses.
 
+#### client_subnet
+
+!!! question "Since sing-box 1.9.0"
+
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+
+Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
+
+### Address Filter Fields
+
+Only takes effect for IP address requests. When the query results do not match the address filtering rule items, the current rule will be skipped.
+
+!!! info ""
+
+    `ip_cidr` items in included rule sets also takes effect as an address filtering field.
+
+!!! note ""
+
+    Enable `experimental.cache_file.store_rdrc` to cache results.
+
+#### geoip
+
+!!! question "Since sing-box 1.9.0"
+
+Match GeoIP with query response.
+
+#### ip_cidr
+
+!!! question "Since sing-box 1.9.0"
+
+Match IP CIDR with query response.
+
+#### ip_is_private
+
+!!! question "Since sing-box 1.9.0"
+
+Match private IP with query response.
+
 ### Logical Fields
 
 #### type

docs/configuration/dns/rule.zh.md

@@ -1,7 +1,15 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 
+!!! quote "sing-box 1.9.0 中的更改"
+
+    :material-plus: [geoip](#geoip)  
+    :material-plus: [ip_cidr](#ip_cidr)  
+    :material-plus: [ip_is_private](#ip_is_private)  
+    :material-plus: [client_subnet](#client_subnet)
+    :material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
+
 !!! quote "sing-box 1.8.0 中的更改"
 
     :material-plus: [rule_set](#rule_set)  
@@ -53,10 +61,19 @@ icon: material/alert-decagram
         "source_geoip": [
           "private"
         ],
+        "geoip": [
+          "cn"
+        ],
         "source_ip_cidr": [
-          "10.0.0.0/24"
+          "10.0.0.0/24",
+          "192.168.0.1"
         ],
         "source_ip_is_private": false,
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_is_private": false,
         "source_port": [
           12345
         ],
@@ -100,19 +117,22 @@ icon: material/alert-decagram
           "geoip-cn",
           "geosite-cn"
         ],
+        "rule_set_ipcidr_match_source": false,
         "invert": false,
         "outbound": [
           "direct"
         ],
         "server": "local",
-        "disable_cache": false
+        "disable_cache": false,
+        "client_subnet": "127.0.0.1/24"
       },
       {
         "type": "logical",
         "mode": "and",
         "rules": [],
         "server": "local",
-        "disable_cache": false
+        "disable_cache": false,
+        "client_subnet": "127.0.0.1/24"
       }
     ]
   }
@@ -265,7 +285,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 !!! quote ""
 
-    仅在 Android 与 iOS 的图形客户端中支持。
+    仅在 Android 与 Apple 平台图形客户端中支持。
 
 匹配 WiFi SSID。
 
@@ -273,7 +293,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 !!! quote ""
 
-    仅在 Android 与 iOS 的图形客户端中支持。
+    仅在 Android 与 Apple 平台图形客户端中支持。
 
 匹配 WiFi BSSID。
 
@@ -283,6 +303,12 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 匹配[规则集](/zh/configuration/route/#rule_set)。
 
+#### rule_set_ipcidr_match_source
+
+!!! question "自 sing-box 1.9.0 起"
+
+使规则集中的 `ipcidr` 规则匹配源 IP。
+
 #### invert
 
 反选匹配结果。
@@ -307,6 +333,46 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 重写 DNS 回应中的 TTL。
 
+#### client_subnet
+
+!!! question "自 sing-box 1.9.0 起"
+
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+
+将覆盖 `dns.client_subnet` 与 `servers.[].client_subnet`。
+
+### 地址筛选字段
+
+仅对IP地址请求生效。 当查询结果与地址筛选规则项不匹配时，将跳过当前规则。
+
+!!! info ""
+
+    引用的规则集中的 `ip_cidr` 项也作为地址筛选字段生效。
+
+!!! note ""
+
+    启用 `experimental.cache_file.store_rdrc` 以缓存结果。
+
+#### geoip
+
+!!! question "自 sing-box 1.9.0 起"
+
+与查询响应匹配 GeoIP。
+
+#### ip_cidr
+
+!!! question "自 sing-box 1.9.0 起"
+
+与查询相应匹配 IP CIDR。
+
+#### ip_is_private
+
+!!! question "自 sing-box 1.9.0 起"
+
+与查询响应匹配非公开 IP。
+
 ### 逻辑字段
 
 #### type
@@ -319,4 +385,4 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### rules
 
-包括的规则。
+包括的规则。

docs/configuration/dns/server.md

@@ -1,3 +1,11 @@
+---
+icon: material/new-box
+---
+
+!!! quote "Changes in sing-box 1.9.0"
+
+    :material-plus: [client_subnet](#client_subnet)
+
 ### Structure
 
 ```json
@@ -5,17 +13,17 @@
   "dns": {
     "servers": [
       {
-        "tag": "google",
-        "address": "tls://dns.google",
-        "address_resolver": "local",
-        "address_strategy": "prefer_ipv4",
-        "strategy": "ipv4_only",
-        "detour": "direct"
+        "tag": "",
+        "address": "",
+        "address_resolver": "",
+        "address_strategy": "",
+        "strategy": "",
+        "detour": "",
+        "client_subnet": ""
       }
     ]
   }
 }
-
 ```
 
 ### Fields
@@ -80,10 +88,22 @@ Default domain strategy for resolving the domain names.
 
 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
 
-Take no effect if override by other settings.
+Take no effect if overridden by other settings.
 
 #### detour
 
 Tag of an outbound for connecting to the dns server.
 
 Default outbound will be used if empty.
+
+#### client_subnet
+
+!!! question "Since sing-box 1.9.0"
+
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+
+Can be overrides by `rules.[].client_subnet`.
+
+Will overrides `dns.client_subnet`.

docs/configuration/dns/server.zh.md

@@ -1,3 +1,11 @@
+---
+icon: material/new-box
+---
+
+!!! quote "sing-box 1.9.0 中的更改"
+
+    :material-plus: [client_subnet](#client_subnet)
+
 ### 结构
 
 ```json
@@ -5,17 +13,17 @@
   "dns": {
     "servers": [
       {
-        "tag": "google",
-        "address": "tls://dns.google",
-        "address_resolver": "local",
-        "address_strategy": "prefer_ipv4",
-        "strategy": "ipv4_only",
-        "detour": "direct"
+        "tag": "",
+        "address": "",
+        "address_resolver": "",
+        "address_strategy": "",
+        "strategy": "",
+        "detour": "",
+        "client_subnet": ""
       }
     ]
   }
 }
-
 ```
 
 ### 字段
@@ -87,3 +95,15 @@ DNS 服务器的地址。
 用于连接到 DNS 服务器的出站的标签。
 
 如果为空，将使用默认出站。
+
+#### client_subnet
+
+!!! question "自 sing-box 1.9.0 起"
+
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+
+可以被 `rules.[].client_subnet` 覆盖。
+
+将覆盖 `dns.client_subnet`。

docs/configuration/experimental/cache-file.md

@@ -4,6 +4,11 @@ icon: material/new-box
 
 !!! question "Since sing-box 1.8.0"
 
+!!! quote "Changes in sing-box 1.9.0"
+
+    :material-plus: [store_rdrc](#store_rdrc)  
+    :material-plus: [rdrc_timeout](#rdrc_timeout)  
+
 ### Structure
 
 ```json
@@ -11,7 +16,9 @@ icon: material/new-box
   "enabled": true,
   "path": "",
   "cache_id": "",
-  "store_fakeip": false
+  "store_fakeip": false,
+  "store_rdrc": false,
+  "rdrc_timeout": ""
 }
 ```
 
@@ -29,6 +36,23 @@ Path to the cache file.
 
 #### cache_id
 
-Identifier in cache file.
+Identifier in the cache file
 
 If not empty, configuration specified data will use a separate store keyed by it.
+
+#### store_fakeip
+
+Store fakeip in the cache file
+
+#### store_rdrc
+
+Store rejected DNS response cache in the cache file
+
+The check results of [Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields)
+will be cached until expiration.
+
+#### rdrc_timeout
+
+Timeout of rejected DNS response cache.
+
+`7d` is used by default.

docs/configuration/experimental/cache-file.zh.md

@@ -4,6 +4,11 @@ icon: material/new-box
 
 !!! question "自 sing-box 1.8.0 起"
 
+!!! quote "sing-box 1.9.0 中的更改"
+
+    :material-plus: [store_rdrc](#store_rdrc)  
+    :material-plus: [rdrc_timeout](#rdrc_timeout)  
+
 ### 结构
 
 ```json
@@ -11,7 +16,9 @@ icon: material/new-box
   "enabled": true,
   "path": "",
   "cache_id": "",
-  "store_fakeip": false
+  "store_fakeip": false,
+  "store_rdrc": false,
+  "rdrc_timeout": ""
 }
 ```
 
@@ -30,3 +37,19 @@ icon: material/new-box
 缓存文件中的标识符。
 
 如果不为空，配置特定的数据将使用由其键控的单独存储。
+
+#### store_fakeip
+
+将 fakeip 存储在缓存文件中。
+
+#### store_rdrc
+
+将拒绝的 DNS 响应缓存存储在缓存文件中。
+
+[地址筛选 DNS 规则项](/zh/configuration/dns/rule/#_3) 的检查结果将被缓存至过期。
+
+#### rdrc_timeout
+
+拒绝的 DNS 响应缓存超时。
+
+默认使用 `7d`。

docs/configuration/experimental/clash-api.md

@@ -1,7 +1,3 @@
----
-icon: material/alert-decagram
----
-
 !!! quote "Changes in sing-box 1.8.0"
 
     :material-delete-alert: [store_mode](#store_mode)  

docs/configuration/experimental/clash-api.zh.md

@@ -1,7 +1,3 @@
----
-icon: material/alert-decagram
----
-
 !!! quote "sing-box 1.8.0 中的更改"
 
     :material-delete-alert: [store_mode](#store_mode)  

docs/configuration/experimental/index.md

@@ -1,7 +1,3 @@
----
-icon: material/alert-decagram
----
-
 # Experimental
 
 !!! quote "Changes in sing-box 1.8.0"

docs/configuration/experimental/index.zh.md

@@ -1,7 +1,3 @@
----
-icon: material/alert-decagram
----
-
 # 实验性
 
 !!! quote "sing-box 1.8.0 中的更改"

docs/configuration/inbound/http.md

@@ -42,6 +42,6 @@ No authentication required if empty.
 
 !!! warning ""
 
-    To work on Android and iOS without privileges, use tun.platform.http_proxy instead.
+    To work on Android and Apple platforms without privileges, use tun.platform.http_proxy instead.
 
 Automatically set system proxy configuration when start and clean up when stop.

docs/configuration/inbound/mixed.md

@@ -39,6 +39,6 @@ No authentication required if empty.
 
 !!! warning ""
 
-    To work on Android and iOS without privileges, use tun.platform.http_proxy instead.
+    To work on Android and Apple platforms without privileges, use tun.platform.http_proxy instead.
 
 Automatically set system proxy configuration when start and clean up when stop.

docs/configuration/inbound/redirect.md

@@ -1,3 +1,11 @@
+---
+icon: material/new-box
+---
+
+!!! quote "Changes in sing-box 1.9.0"
+
+    :material-plus: [auto_redirect](#auto_redirect)
+
 !!! quote ""
 
     Only supported on Linux and macOS.
@@ -9,6 +17,11 @@
   "type": "redirect",
   "tag": "redirect-in",
 
+  "auto_redirect": {
+    "enabled": false,
+    "continue_on_no_permission": false
+  },
+
   ... // Listen Fields
 }
 ```
@@ -16,3 +29,23 @@
 ### Listen Fields
 
 See [Listen Fields](/configuration/shared/listen/) for details.
+
+### Fields
+
+#### `auto_redirect`
+
+!!! question "Since sing-box 1.10.0"
+
+!!! quote ""
+
+    Only supported on Android.
+
+Automatically add iptables nat rules to hijack **IPv4 TCP** connections.
+
+It is expected to run with the Android graphical client (it will attempt to su at runtime).
+
+#### `auto_redirect.continue_on_no_permission`
+
+!!! question "Since sing-box 1.10.0"
+
+Ignore errors when the Android device is not rooted or is denied root access.

docs/configuration/inbound/redirect.zh.md

@@ -1,3 +1,11 @@
+---
+icon: material/new-box
+---
+
+!!! quote "sing-box 1.10.0 中的更改"
+
+    :material-plus: [auto_redirect](#auto_redirect)
+
 !!! quote ""
 
     仅支持 Linux 和 macOS。
@@ -9,9 +17,35 @@
   "type": "redirect",
   "tag": "redirect-in",
 
+  "auto_redirect": {
+    "enabled": false,
+    "continue_on_no_permission": false
+  },
+  
   ... // 监听字段
 }
 ```
+
 ### 监听字段
 
 参阅 [监听字段](/zh/configuration/shared/listen/)。
+
+### 字段
+
+#### `auto_redirect`
+
+!!! question "自 sing-box 1.10.0 起"
+
+!!! quote ""
+
+    仅支持 Android。
+
+自动添加 iptables nat 规则以劫持 **IPv4 TCP** 连接。
+
+它预计与 Android 图形客户端一起运行（将在运行时尝试 su）。
+
+#### `auto_redirect.continue_on_no_permission`
+
+!!! question "自 sing-box 1.10.0 起"
+
+当 Android 设备未获得 root 权限或 root 访问权限被拒绝时，忽略错误。

docs/configuration/inbound/tun.md

@@ -1,7 +1,12 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 
+!!! quote "Changes in sing-box 1.9.0"
+
+    :material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)  
+    :material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)  
+
 !!! quote "Changes in sing-box 1.8.0"
 
     :material-plus: [gso](#gso)  
@@ -73,7 +78,9 @@ icon: material/alert-decagram
     "http_proxy": {
       "enabled": false,
       "server": "127.0.0.1",
-      "server_port": 8080
+      "server_port": 8080,
+      "bypass_domain": [],
+      "match_domain": []
     }
   },
   
@@ -260,6 +267,38 @@ Platform-specific settings, provided by client applications.
 
 System HTTP proxy settings.
 
+#### platform.http_proxy.enabled
+
+Enable system HTTP proxy.
+
+#### platform.http_proxy.server
+
+==Required==
+
+HTTP proxy server address.
+
+#### platform.http_proxy.server_port
+
+==Required==
+
+HTTP proxy server port.
+
+#### platform.http_proxy.bypass_domain
+
+!!! note ""
+
+    On Apple platforms, `bypass_domain` items matches hostname **suffixes**.
+
+Hostnames that bypass the HTTP proxy.
+
+#### platform.http_proxy.match_domain
+
+!!! quote ""
+
+    Only supported in graphical clients on Apple platforms.
+
+Hostnames that use the HTTP proxy.
+
 ### Listen Fields
 
 See [Listen Fields](/configuration/shared/listen/) for details.

docs/configuration/inbound/tun.zh.md

@@ -1,7 +1,12 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 
+!!! quote "sing-box 1.9.0 中的更改"
+
+    :material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)  
+    :material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)  
+
 !!! quote "sing-box 1.8.0 中的更改"
 
     :material-plus: [gso](#gso)  
@@ -73,7 +78,9 @@ icon: material/alert-decagram
     "http_proxy": {
       "enabled": false,
       "server": "127.0.0.1",
-      "server_port": 8080
+      "server_port": 8080,
+      "bypass_domain": [],
+      "match_domain": []
     }
   },
   
@@ -257,6 +264,38 @@ TCP/IP 栈。
 
 系统 HTTP 代理设置。
 
+##### platform.http_proxy.enabled
+
+启用系统 HTTP 代理。
+
+##### platform.http_proxy.server
+
+==必填==
+
+系统 HTTP 代理服务器地址。
+
+##### platform.http_proxy.server_port
+
+==必填==
+
+系统 HTTP 代理服务器端口。
+
+##### platform.http_proxy.bypass_domain
+
+!!! note ""
+
+  在 Apple 平台，`bypass_domain` 项匹配主机名 **后缀**.
+
+绕过代理的主机名列表。
+
+##### platform.http_proxy.match_domain
+
+!!! quote ""
+
+    仅在 Apple 平台图形客户端中支持。
+
+代理的主机名列表。
+
 ### 监听字段
 
 参阅 [监听字段](/zh/configuration/shared/listen/)。

docs/configuration/outbound/wireguard.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! quote "Changes in sing-box 1.8.0"
     
     :material-plus: [gso](#gso)  

docs/configuration/outbound/wireguard.zh.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! quote "sing-box 1.8.0 中的更改"
 
     :material-plus: [gso](#gso)  

docs/configuration/route/index.md

@@ -1,7 +1,3 @@
----
-icon: material/alert-decagram
----
-
 # Route
 
 !!! quote "Changes in sing-box 1.8.0"

docs/configuration/route/index.zh.md

@@ -1,7 +1,3 @@
----
-icon: material/alert-decagram
----
-
 # 路由
 
 !!! quote "sing-box 1.8.0 中的更改"

docs/configuration/route/rule.md

@@ -1,7 +1,3 @@
----
-icon: material/alert-decagram
----
-
 !!! quote "Changes in sing-box 1.8.0"
 
     :material-plus: [rule_set](#rule_set)  
@@ -109,6 +105,7 @@ icon: material/alert-decagram
           "geoip-cn",
           "geosite-cn"
         ],
+        "rule_set_ipcidr_match_source": false,
         "invert": false,
         "outbound": "direct"
       },
@@ -284,7 +281,7 @@ Match Clash mode.
 
 !!! quote ""
 
-    Only supported in graphical clients on Android and iOS.
+    Only supported in graphical clients on Android and Apple platforms.
 
 Match WiFi SSID.
 
@@ -292,7 +289,7 @@ Match WiFi SSID.
 
 !!! quote ""
 
-    Only supported in graphical clients on Android and iOS.
+    Only supported in graphical clients on Android and Apple platforms.
 
 Match WiFi BSSID.
 

docs/configuration/route/rule.zh.md

@@ -1,7 +1,3 @@
----
-icon: material/alert-decagram
----
-
 !!! quote "sing-box 1.8.0 中的更改"
 
     :material-plus: [rule_set](#rule_set)  
@@ -107,6 +103,7 @@ icon: material/alert-decagram
           "geoip-cn",
           "geosite-cn"
         ],
+        "rule_set_ipcidr_match_source": false,
         "invert": false,
         "outbound": "direct"
       },
@@ -282,7 +279,7 @@ icon: material/alert-decagram
 
 !!! quote ""
 
-    仅在 Android 与 iOS 的图形客户端中支持。
+    仅在 Android 与 Apple 平台图形客户端中支持。
 
 匹配 WiFi SSID。
 
@@ -290,7 +287,7 @@ icon: material/alert-decagram
 
 !!! quote ""
 
-    仅在 Android 与 iOS 的图形客户端中支持。
+    仅在 Android 与 Apple 平台图形客户端中支持。
 
 匹配 WiFi BSSID。
 

docs/configuration/route/sniff.md

@@ -2,10 +2,11 @@ If enabled in the inbound, the protocol and domain name (if present) of by the c
 
 #### Supported Protocols
 
-| Network | Protocol | Domain Name |
-|:-------:|:--------:|:-----------:|
-|   TCP   |   HTTP   |    Host     |
-|   TCP   |   TLS    | Server Name |
-|   UDP   |   QUIC   | Server Name |
-|   UDP   |   STUN   |      /      |
-| TCP/UDP |   DNS    |      /      |
+| Network |  Protocol   | Domain Name |
+|:-------:|:-----------:|:-----------:|
+|   TCP   |    HTTP     |    Host     |
+|   TCP   |     TLS     | Server Name |
+|   UDP   |    QUIC     | Server Name |
+|   UDP   |    STUN     |      /      |
+| TCP/UDP |     DNS     |      /      |
+| TCP/UDP | BitTorrent  |      /      |

docs/configuration/route/sniff.zh.md

@@ -2,10 +2,11 @@
 
 #### 支持的协议
 
-|   网络    |  协议  |     域名      |
-|:-------:|:----:|:-----------:|
-|   TCP   | HTTP |    Host     |
-|   TCP   | TLS  | Server Name |
-|   UDP   | QUIC | Server Name |
-|   UDP   | STUN |      /      |
-| TCP/UDP | DNS  |      /      |
+|   网络    |     协议      |     域名      |
+|:-------:|:-----------:|:-----------:|
+|   TCP   |    HTTP     |    Host     |
+|   TCP   |     TLS     | Server Name |
+|   UDP   |    QUIC     | Server Name |
+|   UDP   |    STUN     |      /      |
+| TCP/UDP |     DNS     |      /      |
+| TCP/UDP | BitTorrent  |      /      |

docs/configuration/rule-set/headless-rule.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 ### Structure
 
 !!! question "Since sing-box 1.8.0"
@@ -128,7 +124,7 @@ Match source IP CIDR.
 
 !!! info ""
 
-    `ip_cidr` is an alias for `source_ip_cidr` when the Rule Set is used in DNS rules or `rule_set_ipcidr_match_source` enabled in route rules.
+    `ip_cidr` is an alias for `source_ip_cidr` when `rule_set_ipcidr_match_source` enabled in route/DNS rules.
 
 Match IP CIDR.
 
@@ -172,7 +168,7 @@ Match android package name.
 
 !!! quote ""
 
-    Only supported in graphical clients on Android and iOS.
+    Only supported in graphical clients on Android and Apple platforms.
 
 Match WiFi SSID.
 
@@ -180,7 +176,7 @@ Match WiFi SSID.
 
 !!! quote ""
 
-    Only supported in graphical clients on Android and iOS.
+    Only supported in graphical clients on Android and Apple platforms.
 
 Match WiFi BSSID.
 

docs/configuration/rule-set/index.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 # Rule Set
 
 !!! question "Since sing-box 1.8.0"

docs/configuration/rule-set/source-format.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 # Source Format
 
 !!! question "Since sing-box 1.8.0"

docs/configuration/shared/tls.md

@@ -1,8 +1,3 @@
----
-icon: material/alert-decagram
----
-
-
 !!! quote "Changes in sing-box 1.8.0"
 
     :material-alert-decagram: [utls](#utls)  

docs/configuration/shared/tls.zh.md

@@ -1,7 +1,3 @@
----
-icon: material/alert-decagram
----
-
 !!! quote "sing-box 1.8.0 中的更改"
 
     :material-alert-decagram: [utls](#utls)  

docs/manual/misc/tunnelvision.md

@@ -0,0 +1,38 @@
+---
+icon: material/book-lock-open
+---
+
+# TunnelVision
+
+TunnelVision is an attack that uses DHCP option 121 to set higher priority routes
+so that traffic does not go through the VPN.
+
+Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3661
+
+## Status
+
+### Android
+
+Android does not handle DHCP option 121 and is not affected.
+
+### Apple platforms
+
+Update [sing-box graphical client](/clients/apple/#download) to `1.9.0-rc.16` or newer,
+then enable `includeAllNetworks` in `Settings` — `Packet Tunnel` and you will be unaffected.
+
+Note: when `includeAllNetworks` is enabled, the default TUN stack is changed to `gvisor`,
+and the `system` and `mixed` stacks are not available.
+
+### Linux
+
+Update sing-box to `1.9.0-rc.16` or newer, rules generated by `auto-route` are unaffected.
+
+### Windows
+
+No solution yet.
+
+## Workarounds
+
+* Don't connect to untrusted networks
+* Relay untrusted network through another device
+* Just ignore it

docs/manual/proxy-protocol/tuic.md

@@ -1,208 +0,0 @@
----
-icon: material/alpha-t-box
----
-
-# TUIC
-
-A recently popular Chinese-made simple protocol based on QUIC, the selling point is the BBR congestion control algorithm.
-
-!!! warning
-
-    Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more characteristics than TCP based proxies.
-
-| Specification                                             | Binary Characteristics | Active Detect Hiddenness |
-|-----------------------------------------------------------|------------------------|--------------------------|
-| [GitHub](https://github.com/EAimTY/tuic/blob/dev/SPEC.md) | :material-alert:       | :material-check:         | 
-
-## Password Generator
-
-| Generated UUID         | Generated  Password        | Action                                                          |
-|------------------------|----------------------------|-----------------------------------------------------------------|
-| <code id="uuid"><code> | <code id="password"><code> | <button class="md-button" onclick="generate()">Refresh</button> |
-
-<script>
-    function generateUUID() {
-        const uuid = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
-            let r = Math.random() * 16 | 0,
-            v = c === 'x' ? r : (r & 0x3 | 0x8);
-            return v.toString(16);
-        });
-        document.getElementById("uuid").textContent = uuid;
-    }
-    function generatePassword() {
-        const array = new Uint8Array(16);
-        window.crypto.getRandomValues(array);
-        document.getElementById("password").textContent = btoa(String.fromCharCode.apply(null, array));
-    }
-    function generate() {
-        generateUUID();
-        generatePassword();
-    }
-    generate();
-</script>
-
-## :material-server: Server Example
-
-=== ":material-harddisk: With local certificate"
-
-    ```json
-     {
-      "inbounds": [
-        {
-          "type": "tuic",
-          "listen": "::",
-          "listen_port": 8080,
-          "users": [
-            {
-              "name": "sekai",
-              "uuid": "<uuid>",
-              "password": "<password>"
-            }
-          ],
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "key_path": "/path/to/key.pem",
-            "certificate_path": "/path/to/certificate.pem"
-          }
-        }
-      ]
-    }
-    ```
-
-=== ":material-auto-fix: With ACME"
-
-    ```json
-    {
-      "inbounds": [
-        {
-          "type": "tuic",
-          "listen": "::",
-          "listen_port": 8080,
-          "users": [
-            {
-              "name": "sekai",
-              "uuid": "<uuid>",
-              "password": "<password>"
-            }
-          ],
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "acme": {
-              "domain": "example.org",
-              "email": "admin@example.org"
-            }
-          }
-        }
-      ]
-    }
-    ```
-
-=== ":material-cloud: With ACME and Cloudflare API"
-
-    ```json
-    {
-      "inbounds": [
-        {
-          "type": "tuic",
-          "listen": "::",
-          "listen_port": 8080,
-          "users": [
-            {
-              "name": "sekai",
-              "uuid": "<uuid>",
-              "password": "<password>"
-            }
-          ],
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "acme": {
-              "domain": "example.org",
-              "email": "admin@example.org",
-              "dns01_challenge": {
-                "provider": "cloudflare",
-                "api_token": "my_token"
-              }
-            }
-          }
-        }
-      ]
-    }
-    ```
-
-## :material-cellphone-link: Client Example
-
-=== ":material-web-check: With valid certificate"
-
-    ```json
-    {
-      "outbounds": [
-        {
-          "type": "tuic",
-          "server": "127.0.0.1",
-          "server_port": 8080,
-          "uuid": "<uuid>",
-          "password": "<password>",
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org"
-          }
-        }
-      ]
-    }
-    ```
-
-=== ":material-check: With self-sign certificate"
-
-    !!! info "Tip"
-        
-        Use `sing-box merge` command to merge configuration and certificate into one file.
-
-    ```json
-    {
-      "outbounds": [
-        {
-          "type": "tuic",
-          "server": "127.0.0.1",
-          "server_port": 8080,
-          "uuid": "<uuid>",
-          "password": "<password>",
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "certificate_path": "/path/to/certificate.pem"
-          }
-        }
-      ]
-    }
-    ```
-
-=== ":material-alert: Ignore certificate verification"
-
-    ```json
-    {
-      "outbounds": [
-        {
-          "type": "tuic",
-          "server": "127.0.0.1",
-          "server_port": 8080,
-          "uuid": "<uuid>",
-          "password": "<password>",
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "insecure": true
-          }
-        }
-      ]
-    }
-    ```
-

docs/manual/proxy/client.md

@@ -290,52 +290,6 @@ flowchart TB
 
 === ":material-dns: DNS rules"
 
-    !!! info
-    
-        DNS rules are optional if FakeIP is used.
-
-    ```json
-    {
-      "dns": {
-        "servers": [
-          {
-            "tag": "google",
-            "address": "tls://8.8.8.8"
-          },
-          {
-            "tag": "local",
-            "address": "223.5.5.5",
-            "detour": "direct"
-          }
-        ],
-        "rules": [
-          {
-            "outbound": "any",
-            "server": "local"
-          },
-          {
-            "clash_mode": "Direct",
-            "server": "local"
-          },
-          {
-            "clash_mode": "Global",
-            "server": "google"
-          },
-          {
-            "geosite": "geolocation-cn",
-            "server": "local"
-          }
-        ]
-      }
-    }
-    ```
-
-=== ":material-dns: DNS rules (1.8.0+)"
-
-    !!! info
-    
-        DNS rules are optional if FakeIP is used.
-
     ```json
     {
       "dns": {
@@ -382,74 +336,180 @@ flowchart TB
     }
     ```
 
-=== ":material-router-network: Route rules"
+=== ":material-dns: DNS rules (Enhanced, but slower) (1.9.0+)"
 
-    ```json
-    {
-      "outbounds": [
+    === ":material-shield-off: With DNS leaks"
+
+        ```json
         {
-          "type": "direct",
-          "tag": "direct"
-        },
-        {
-          "type": "block",
-          "tag": "block"
-        }
-      ],
-      "route": {
-        "rules": [
-          {
-            "type": "logical",
-            "mode": "or",
-            "rules": [
+          "dns": {
+            "servers": [
               {
-                "protocol": "dns"
+                "tag": "google",
+                "address": "tls://8.8.8.8"
               },
               {
-                "port": 53
+                "tag": "local",
+                "address": "https://223.5.5.5/dns-query",
+                "detour": "direct"
               }
             ],
-            "outbound": "dns"
-          },
-          {
-            "geoip": "private",
-            "outbound": "direct"
-          },
-          {
-            "clash_mode": "Direct",
-            "outbound": "direct"
-          },
-          {
-            "clash_mode": "Global",
-            "outbound": "default"
-          },
-          {
-            "type": "logical",
-            "mode": "or",
             "rules": [
               {
-                "port": 853
+                "outbound": "any",
+                "server": "local"
               },
               {
-                "network": "udp",
-                "port": 443
+                "clash_mode": "Direct",
+                "server": "local"
               },
               {
-                "protocol": "stun"
+                "clash_mode": "Global",
+                "server": "google"
+              },
+              {
+                "rule_set": "geosite-geolocation-cn",
+                "server": "local"
+              },
+              {
+                "clash_mode": "Default",
+                "server": "google"
+              },
+              {
+                "type": "logical",
+                "mode": "and",
+                "rules": [
+                  {
+                    "rule_set": "geosite-geolocation-!cn",
+                    "invert": true
+                  },
+                  {
+                    "rule_set": "geoip-cn"
+                  }
+                ],
+                "server": "local"
               }
-            ],
-            "outbound": "block"
+            ]
           },
-          {
-            "geosite": "geolocation-cn",
-            "outbound": "direct"
+          "route": {
+            "rule_set": [
+              {
+                "type": "remote",
+                "tag": "geosite-geolocation-cn",
+                "format": "binary",
+                "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs"
+              },
+              {
+                "type": "remote",
+                "tag": "geosite-geolocation-!cn",
+                "format": "binary",
+                "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-!cn.srs"
+              },
+              {
+                "type": "remote",
+                "tag": "geoip-cn",
+                "format": "binary",
+                "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs"
+              }
+            ]
+          },
+          "experimental": {
+            "cache_file": {
+              "enabled": true,
+              "store_rdrc": true
+            },
+            "clash_api": {
+              "default_mode": "Enhanced"
+            }
           }
-        ]
-      }
-    }
-    ```
+        }
+        ```
 
-=== ":material-router-network: Route rules (1.8.0+)"
+    === ":material-security: Without DNS leaks, but slower (1.9.0-alpha.2+)"
+
+        ```json
+        {
+          "dns": {
+            "servers": [
+              {
+                "tag": "google",
+                "address": "tls://8.8.8.8"
+              },
+              {
+                "tag": "local",
+                "address": "https://223.5.5.5/dns-query",
+                "detour": "direct"
+              }
+            ],
+            "rules": [
+              {
+                "outbound": "any",
+                "server": "local"
+              },
+              {
+                "clash_mode": "Direct",
+                "server": "local"
+              },
+              {
+                "clash_mode": "Global",
+                "server": "google"
+              },
+              {
+                "rule_set": "geosite-geolocation-cn",
+                "server": "local"
+              },
+              {
+                "type": "logical",
+                "mode": "and",
+                "rules": [
+                  {
+                    "rule_set": "geosite-geolocation-!cn",
+                    "invert": true
+                  },
+                  {
+                    "rule_set": "geoip-cn"
+                  }
+                ],
+                "server": "google",
+                "client_subnet": "114.114.114.114/24" // Any China client IP address
+              }
+            ]
+          },
+          "route": {
+            "rule_set": [
+              {
+                "type": "remote",
+                "tag": "geosite-geolocation-cn",
+                "format": "binary",
+                "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs"
+              },
+              {
+                "type": "remote",
+                "tag": "geosite-geolocation-!cn",
+                "format": "binary",
+                "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-!cn.srs"
+              },
+              {
+                "type": "remote",
+                "tag": "geoip-cn",
+                "format": "binary",
+                "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs"
+              }
+            ]
+          },
+          "experimental": {
+            "cache_file": {
+              "enabled": true,
+              "store_rdrc": true
+            },
+            "clash_api": {
+              "default_mode": "Enhanced"
+            }
+          }
+        }
+        ```
+
+=== ":material-router-network: Route rules"
 
     ```json
     {

docs/migration.md

@@ -2,6 +2,28 @@
 icon: material/arrange-bring-forward
 ---
 
+## 1.9.0
+
+!!! warning "Unstable"
+
+    This version is still under development, and the following migration guide may be changed in the future.
+
+### `domain_suffix` behavior update
+
+For historical reasons, sing-box's `domain_suffix` rule matches literal prefixes instead of the same as other projects.
+
+sing-box 1.9.0 modifies the behavior of `domain_suffix`: If the rule value is prefixed with `.`,
+the behavior is unchanged, otherwise it matches `(domain|.+\.domain)` instead.
+
+### `process_path` format update on Windows
+
+The `process_path` rule of sing-box is inherited from Clash,
+the original code uses the local system's path format (e.g. `\Device\HarddiskVolume1\folder\program.exe`),
+but when the device has multiple disks, the HarddiskVolume serial number is not stable.
+
+sing-box 1.9.0 make QueryFullProcessImageNameW output a Win32 path (such as `C:\folder\program.exe`),
+which will disrupt the existing `process_path` use cases in Windows.
+
 ## 1.8.0
 
 ### :material-close-box: Migrate cache file from Clash API to independent options

docs/migration.zh.md

@@ -2,6 +2,27 @@
 icon: material/arrange-bring-forward
 ---
 
+## 1.9.0
+
+!!! warning "不稳定的"
+
+    该版本仍在开发中，迁移指南可能将在未来更改。
+
+### `domain_suffix` 行为更新
+
+由于历史原因，sing-box 的 `domain_suffix` 规则匹配字面前缀，而不与其他项目相同。
+
+sing-box 1.9.0 修改了 `domain_suffix` 的行为：如果规则值以 `.` 为前缀则行为不变，否则改为匹配 `(domain|.+\.domain)`。
+
+### 对 Windows 上 `process_path` 格式的更新
+
+sing-box 的 `process_path` 规则继承自Clash，
+原始代码使用本地系统的路径格式（例如 `\Device\HarddiskVolume1\folder\program.exe`），
+但是当设备有多个硬盘时，该 HarddiskVolume 系列号并不稳定。
+
+sing-box 1.9.0 使 QueryFullProcessImageNameW 输出 Win32 路径（如 `C:\folder\program.exe`），
+这将会破坏现有的 Windows `process_path` 用例。
+
 ## 1.8.0
 
 ### :material-close-box: 将缓存文件从 Clash API 迁移到独立选项

experimental/cachefile/cache.go

@@ -29,6 +29,7 @@ var (
 		string(bucketExpand),
 		string(bucketMode),
 		string(bucketRuleSet),
+		string(bucketRDRC),
 	}
 
 	cacheIDDefault = []byte("default")
@@ -37,17 +38,26 @@ var (
 var _ adapter.CacheFile = (*CacheFile)(nil)
 
 type CacheFile struct {
-	ctx         context.Context
-	path        string
-	cacheID     []byte
-	storeFakeIP bool
-
+	ctx               context.Context
+	path              string
+	cacheID           []byte
+	storeFakeIP       bool
+	storeRDRC         bool
+	rdrcTimeout       time.Duration
 	DB                *bbolt.DB
-	saveAccess        sync.RWMutex
+	saveMetadataTimer *time.Timer
+	saveFakeIPAccess  sync.RWMutex
 	saveDomain        map[netip.Addr]string
 	saveAddress4      map[string]netip.Addr
 	saveAddress6      map[string]netip.Addr
-	saveMetadataTimer *time.Timer
+	saveRDRCAccess    sync.RWMutex
+	saveRDRC          map[saveRDRCCacheKey]bool
+}
+
+type saveRDRCCacheKey struct {
+	TransportName string
+	QuestionName  string
+	QType         uint16
 }
 
 func New(ctx context.Context, options option.CacheFileOptions) *CacheFile {
@@ -61,14 +71,25 @@ func New(ctx context.Context, options option.CacheFileOptions) *CacheFile {
 	if options.CacheID != "" {
 		cacheIDBytes = append([]byte{0}, []byte(options.CacheID)...)
 	}
+	var rdrcTimeout time.Duration
+	if options.StoreRDRC {
+		if options.RDRCTimeout > 0 {
+			rdrcTimeout = time.Duration(options.RDRCTimeout)
+		} else {
+			rdrcTimeout = 7 * 24 * time.Hour
+		}
+	}
 	return &CacheFile{
 		ctx:          ctx,
 		path:         filemanager.BasePath(ctx, path),
 		cacheID:      cacheIDBytes,
 		storeFakeIP:  options.StoreFakeIP,
+		storeRDRC:    options.StoreRDRC,
+		rdrcTimeout:  rdrcTimeout,
 		saveDomain:   make(map[netip.Addr]string),
 		saveAddress4: make(map[string]netip.Addr),
 		saveAddress6: make(map[string]netip.Addr),
+		saveRDRC:     make(map[saveRDRCCacheKey]bool),
 	}
 }
 

experimental/cachefile/fakeip.go

@@ -97,7 +97,7 @@ func (c *CacheFile) FakeIPStore(address netip.Addr, domain string) error {
 }
 
 func (c *CacheFile) FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger) {
-	c.saveAccess.Lock()
+	c.saveFakeIPAccess.Lock()
 	if oldDomain, loaded := c.saveDomain[address]; loaded {
 		if address.Is4() {
 			delete(c.saveAddress4, oldDomain)
@@ -111,27 +111,27 @@ func (c *CacheFile) FakeIPStoreAsync(address netip.Addr, domain string, logger l
 	} else {
 		c.saveAddress6[domain] = address
 	}
-	c.saveAccess.Unlock()
+	c.saveFakeIPAccess.Unlock()
 	go func() {
 		err := c.FakeIPStore(address, domain)
 		if err != nil {
-			logger.Warn("save FakeIP address pair: ", err)
+			logger.Warn("save FakeIP cache: ", err)
 		}
-		c.saveAccess.Lock()
+		c.saveFakeIPAccess.Lock()
 		delete(c.saveDomain, address)
 		if address.Is4() {
 			delete(c.saveAddress4, domain)
 		} else {
 			delete(c.saveAddress6, domain)
 		}
-		c.saveAccess.Unlock()
+		c.saveFakeIPAccess.Unlock()
 	}()
 }
 
 func (c *CacheFile) FakeIPLoad(address netip.Addr) (string, bool) {
-	c.saveAccess.RLock()
+	c.saveFakeIPAccess.RLock()
 	cachedDomain, cached := c.saveDomain[address]
-	c.saveAccess.RUnlock()
+	c.saveFakeIPAccess.RUnlock()
 	if cached {
 		return cachedDomain, true
 	}
@@ -152,13 +152,13 @@ func (c *CacheFile) FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bo
 		cachedAddress netip.Addr
 		cached        bool
 	)
-	c.saveAccess.RLock()
+	c.saveFakeIPAccess.RLock()
 	if !isIPv6 {
 		cachedAddress, cached = c.saveAddress4[domain]
 	} else {
 		cachedAddress, cached = c.saveAddress6[domain]
 	}
-	c.saveAccess.RUnlock()
+	c.saveFakeIPAccess.RUnlock()
 	if cached {
 		return cachedAddress, true
 	}

experimental/cachefile/rdrc.go

@@ -0,0 +1,109 @@
+package cachefile
+
+import (
+	"encoding/binary"
+	"time"
+
+	"github.com/sagernet/bbolt"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/logger"
+)
+
+var bucketRDRC = []byte("rdrc2")
+
+func (c *CacheFile) StoreRDRC() bool {
+	return c.storeRDRC
+}
+
+func (c *CacheFile) RDRCTimeout() time.Duration {
+	return c.rdrcTimeout
+}
+
+func (c *CacheFile) LoadRDRC(transportName string, qName string, qType uint16) (rejected bool) {
+	c.saveRDRCAccess.RLock()
+	rejected, cached := c.saveRDRC[saveRDRCCacheKey{transportName, qName, qType}]
+	c.saveRDRCAccess.RUnlock()
+	if cached {
+		return
+	}
+	key := buf.Get(2 + len(qName))
+	binary.BigEndian.PutUint16(key, qType)
+	copy(key[2:], qName)
+	defer buf.Put(key)
+	var deleteCache bool
+	err := c.DB.View(func(tx *bbolt.Tx) error {
+		bucket := c.bucket(tx, bucketRDRC)
+		if bucket == nil {
+			return nil
+		}
+		bucket = bucket.Bucket([]byte(transportName))
+		if bucket == nil {
+			return nil
+		}
+		content := bucket.Get(key)
+		if content == nil {
+			return nil
+		}
+		expiresAt := time.Unix(int64(binary.BigEndian.Uint64(content)), 0)
+		if time.Now().After(expiresAt) {
+			deleteCache = true
+			return nil
+		}
+		rejected = true
+		return nil
+	})
+	if err != nil {
+		return
+	}
+	if deleteCache {
+		c.DB.Update(func(tx *bbolt.Tx) error {
+			bucket := c.bucket(tx, bucketRDRC)
+			if bucket == nil {
+				return nil
+			}
+			bucket = bucket.Bucket([]byte(transportName))
+			if bucket == nil {
+				return nil
+			}
+			return bucket.Delete(key)
+		})
+	}
+	return
+}
+
+func (c *CacheFile) SaveRDRC(transportName string, qName string, qType uint16) error {
+	return c.DB.Batch(func(tx *bbolt.Tx) error {
+		bucket, err := c.createBucket(tx, bucketRDRC)
+		if err != nil {
+			return err
+		}
+		bucket, err = bucket.CreateBucketIfNotExists([]byte(transportName))
+		if err != nil {
+			return err
+		}
+		key := buf.Get(2 + len(qName))
+		binary.BigEndian.PutUint16(key, qType)
+		copy(key[2:], qName)
+		defer buf.Put(key)
+		expiresAt := buf.Get(8)
+		defer buf.Put(expiresAt)
+		binary.BigEndian.PutUint64(expiresAt, uint64(time.Now().Add(c.rdrcTimeout).Unix()))
+		return bucket.Put(key, expiresAt)
+	})
+}
+
+func (c *CacheFile) SaveRDRCAsync(transportName string, qName string, qType uint16, logger logger.Logger) {
+	saveKey := saveRDRCCacheKey{transportName, qName, qType}
+	c.saveRDRCAccess.Lock()
+	c.saveRDRC[saveKey] = true
+	c.saveRDRCAccess.Unlock()
+	go func() {
+		err := c.SaveRDRC(transportName, qName, qType)
+		if err != nil {
+			logger.Warn("save RDRC: ", err)
+		}
+		c.saveRDRCAccess.Lock()
+		delete(c.saveRDRC, saveKey)
+		c.saveRDRCAccess.Unlock()
+	}()
+}

experimental/clashapi.go

@@ -3,6 +3,7 @@ package experimental
 import (
 	"context"
 	"os"
+	"sort"
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
@@ -27,11 +28,26 @@ func NewClashServer(ctx context.Context, router adapter.Router, logFactory log.O
 }
 
 func CalculateClashModeList(options option.Options) []string {
-	var clashMode []string
-	clashMode = append(clashMode, extraClashModeFromRule(common.PtrValueOrDefault(options.Route).Rules)...)
-	clashMode = append(clashMode, extraClashModeFromDNSRule(common.PtrValueOrDefault(options.DNS).Rules)...)
-	clashMode = common.FilterNotDefault(common.Uniq(clashMode))
-	return clashMode
+	var clashModes []string
+	clashModes = append(clashModes, extraClashModeFromRule(common.PtrValueOrDefault(options.Route).Rules)...)
+	clashModes = append(clashModes, extraClashModeFromDNSRule(common.PtrValueOrDefault(options.DNS).Rules)...)
+	clashModes = common.FilterNotDefault(common.Uniq(clashModes))
+	predefinedOrder := []string{
+		"Rule", "Global", "Direct",
+	}
+	var newClashModes []string
+	for _, mode := range clashModes {
+		if !common.Contains(predefinedOrder, mode) {
+			newClashModes = append(newClashModes, mode)
+		}
+	}
+	sort.Strings(newClashModes)
+	for _, mode := range predefinedOrder {
+		if common.Contains(clashModes, mode) {
+			newClashModes = append(newClashModes, mode)
+		}
+	}
+	return newClashModes
 }
 
 func extraClashModeFromRule(rules []option.Rule) []string {

experimental/libbox/config.go

@@ -75,7 +75,7 @@ func (s *platformInterfaceStub) UsePlatformInterfaceGetter() bool {
 	return true
 }
 
-func (s *platformInterfaceStub) Interfaces() ([]platform.NetworkInterface, error) {
+func (s *platformInterfaceStub) Interfaces() ([]control.Interface, error) {
 	return nil, os.ErrInvalid
 }
 
@@ -83,6 +83,10 @@ func (s *platformInterfaceStub) UnderNetworkExtension() bool {
 	return false
 }
 
+func (s *platformInterfaceStub) IncludeAllNetworks() bool {
+	return false
+}
+
 func (s *platformInterfaceStub) ClearDNSCache() {
 }
 
@@ -94,6 +98,14 @@ func (s *platformInterfaceStub) FindProcessInfo(ctx context.Context, network str
 	return nil, os.ErrInvalid
 }
 
+func (s *platformInterfaceStub) PerAppProxyList() ([]uint32, error) {
+	return nil, os.ErrInvalid
+}
+
+func (s *platformInterfaceStub) PerAppProxyMode() int32 {
+	return platform.PerAppProxyModeDisabled
+}
+
 type interfaceMonitorStub struct{}
 
 func (s *interfaceMonitorStub) Start() error {

experimental/libbox/dns.go

@@ -9,9 +9,7 @@ import (
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/task"
 
 	mDNS "github.com/miekg/dns"
@@ -25,9 +23,11 @@ type LocalDNSTransport interface {
 
 func RegisterLocalDNSTransport(transport LocalDNSTransport) {
 	if transport == nil {
-		dns.RegisterTransport([]string{"local"}, dns.CreateLocalTransport)
+		dns.RegisterTransport([]string{"local"}, func(options dns.TransportOptions) (dns.Transport, error) {
+			return dns.NewLocalTransport(options), nil
+		})
 	} else {
-		dns.RegisterTransport([]string{"local"}, func(name string, ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, link string) (dns.Transport, error) {
+		dns.RegisterTransport([]string{"local"}, func(options dns.TransportOptions) (dns.Transport, error) {
 			return &platformLocalDNSTransport{
 				iif: transport,
 			}, nil

experimental/libbox/platform.go

@@ -19,8 +19,11 @@ type PlatformInterface interface {
 	UsePlatformInterfaceGetter() bool
 	GetInterfaces() (NetworkInterfaceIterator, error)
 	UnderNetworkExtension() bool
+	IncludeAllNetworks() bool
 	ReadWIFIState() *WIFIState
 	ClearDNSCache()
+	PerAppProxyList() (IntegerIterator, error)
+	PerAppProxyMode() int32
 }
 
 type TunInterface interface {
@@ -53,6 +56,11 @@ type NetworkInterfaceIterator interface {
 	HasNext() bool
 }
 
+type IntegerIterator interface {
+	Next() int32
+	HasNext() bool
+}
+
 type OnDemandRule interface {
 	Target() int32
 	DNSSearchDomainMatch() StringIterator

experimental/libbox/platform/interface.go

@@ -2,7 +2,6 @@ package platform
 
 import (
 	"context"
-	"net/netip"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/process"
@@ -12,6 +11,12 @@ import (
 	"github.com/sagernet/sing/common/logger"
 )
 
+const (
+	PerAppProxyModeDisabled int32 = iota
+	PerAppProxyModeExclude
+	PerAppProxyModeInclude
+)
+
 type Interface interface {
 	Initialize(ctx context.Context, router adapter.Router) error
 	UsePlatformAutoDetectInterfaceControl() bool
@@ -20,16 +25,12 @@ type Interface interface {
 	UsePlatformDefaultInterfaceMonitor() bool
 	CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor
 	UsePlatformInterfaceGetter() bool
-	Interfaces() ([]NetworkInterface, error)
+	Interfaces() ([]control.Interface, error)
 	UnderNetworkExtension() bool
+	IncludeAllNetworks() bool
 	ClearDNSCache()
 	ReadWIFIState() adapter.WIFIState
+	PerAppProxyList() ([]uint32, error)
+	PerAppProxyMode() int32
 	process.Searcher
 }
-
-type NetworkInterface struct {
-	Index     int
-	MTU       int
-	Name      string
-	Addresses []netip.Prefix
-}

experimental/libbox/service.go

@@ -192,14 +192,14 @@ func (w *platformInterfaceWrapper) UsePlatformInterfaceGetter() bool {
 	return w.iif.UsePlatformInterfaceGetter()
 }
 
-func (w *platformInterfaceWrapper) Interfaces() ([]platform.NetworkInterface, error) {
+func (w *platformInterfaceWrapper) Interfaces() ([]control.Interface, error) {
 	interfaceIterator, err := w.iif.GetInterfaces()
 	if err != nil {
 		return nil, err
 	}
-	var interfaces []platform.NetworkInterface
+	var interfaces []control.Interface
 	for _, netInterface := range iteratorToArray[*NetworkInterface](interfaceIterator) {
-		interfaces = append(interfaces, platform.NetworkInterface{
+		interfaces = append(interfaces, control.Interface{
 			Index:     int(netInterface.Index),
 			MTU:       int(netInterface.MTU),
 			Name:      netInterface.Name,
@@ -213,6 +213,10 @@ func (w *platformInterfaceWrapper) UnderNetworkExtension() bool {
 	return w.iif.UnderNetworkExtension()
 }
 
+func (w *platformInterfaceWrapper) IncludeAllNetworks() bool {
+	return w.iif.IncludeAllNetworks()
+}
+
 func (w *platformInterfaceWrapper) ClearDNSCache() {
 	w.iif.ClearDNSCache()
 }
@@ -225,6 +229,18 @@ func (w *platformInterfaceWrapper) ReadWIFIState() adapter.WIFIState {
 	return (adapter.WIFIState)(*wifiState)
 }
 
+func (w *platformInterfaceWrapper) PerAppProxyList() ([]uint32, error) {
+	uidIterator, err := w.iif.PerAppProxyList()
+	if err != nil {
+		return nil, err
+	}
+	return common.Map(iteratorToArray[int32](uidIterator), func(it int32) uint32 { return uint32(it) }), nil
+}
+
+func (w *platformInterfaceWrapper) PerAppProxyMode() int32 {
+	return w.iif.PerAppProxyMode()
+}
+
 func (w *platformInterfaceWrapper) DisableColors() bool {
 	return runtime.GOOS != "android"
 }

experimental/libbox/setup.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/sagernet/sing-box/common/humanize"
 	C "github.com/sagernet/sing-box/constant"
+	_ "github.com/sagernet/sing-box/include"
 )
 
 var (

experimental/libbox/tun.go

@@ -28,6 +28,8 @@ type TunOptions interface {
 	IsHTTPProxyEnabled() bool
 	GetHTTPProxyServer() string
 	GetHTTPProxyServerPort() int32
+	GetHTTPProxyBypassDomain() StringIterator
+	GetHTTPProxyMatchDomain() StringIterator
 }
 
 type RoutePrefix struct {
@@ -156,3 +158,11 @@ func (o *tunOptions) GetHTTPProxyServer() string {
 func (o *tunOptions) GetHTTPProxyServerPort() int32 {
 	return int32(o.TunPlatformOptions.HTTPProxy.ServerPort)
 }
+
+func (o *tunOptions) GetHTTPProxyBypassDomain() StringIterator {
+	return newIterator(o.TunPlatformOptions.HTTPProxy.BypassDomain)
+}
+
+func (o *tunOptions) GetHTTPProxyMatchDomain() StringIterator {
+	return newIterator(o.TunPlatformOptions.HTTPProxy.MatchDomain)
+}

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/go-chi/chi/v5 v5.0.12
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
-	github.com/gofrs/uuid/v5 v5.1.0
+	github.com/gofrs/uuid/v5 v5.2.0
 	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
 	github.com/libdns/alidns v1.0.3
 	github.com/libdns/cloudflare v0.1.1
@@ -23,17 +23,17 @@ require (
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1
 	github.com/sagernet/gomobile v0.1.3
-	github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e
-	github.com/sagernet/quic-go v0.40.1
+	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f
+	github.com/sagernet/quic-go v0.43.1-beta.1
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.3.8
-	github.com/sagernet/sing-dns v0.1.14
+	github.com/sagernet/sing v0.5.0-alpha.4
+	github.com/sagernet/sing-dns v0.2.0-beta.18
 	github.com/sagernet/sing-mux v0.2.0
-	github.com/sagernet/sing-quic v0.1.12
+	github.com/sagernet/sing-quic v0.2.0-beta.5
 	github.com/sagernet/sing-shadowsocks v0.2.6
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/sing-tun v0.2.7
+	github.com/sagernet/sing-tun v0.3.0-beta.6
 	github.com/sagernet/sing-vmess v0.1.8
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
 	github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6
@@ -44,9 +44,9 @@ require (
 	github.com/stretchr/testify v1.9.0
 	go.uber.org/zap v1.27.0
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.22.0
-	golang.org/x/net v0.24.0
-	golang.org/x/sys v0.19.0
+	golang.org/x/crypto v0.23.0
+	golang.org/x/net v0.25.0
+	golang.org/x/sys v0.20.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	google.golang.org/grpc v1.63.2
 	google.golang.org/protobuf v1.33.0
@@ -78,18 +78,18 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
-	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
+	github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
 	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.20.0 // indirect
+	golang.org/x/tools v0.21.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -34,8 +34,8 @@ github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/gofrs/uuid/v5 v5.1.0 h1:S5rqVKIigghZTCBKPCw0Y+bXkn26K3TB5mvQq2Ix8dk=
-github.com/gofrs/uuid/v5 v5.1.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/gofrs/uuid/v5 v5.2.0 h1:qw1GMx6/y8vhVsx626ImfKMuS5CvJmhIKKtuyvfajMM=
+github.com/gofrs/uuid/v5 v5.2.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
@@ -97,31 +97,31 @@ github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1 h1:YbmpqPQ
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1/go.mod h1:J2yAxTFPDjrDPhuAi9aWFz2L3ox9it4qAluBBbN0H5k=
 github.com/sagernet/gomobile v0.1.3 h1:ohjIb1Ou2+1558PnZour3od69suSuvkdSVOlO1tC4B8=
 github.com/sagernet/gomobile v0.1.3/go.mod h1:Pqq2+ZVvs10U7xK+UwJgwYWUykewi8H6vlslAO73n9E=
-github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e h1:DOkjByVeAR56dkszjnMZke4wr7yM/1xHaJF3G9olkEE=
-github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e/go.mod h1:fLxq/gtp0qzkaEwywlRRiGmjOK5ES/xUzyIKIFP2Asw=
-github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
-github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.40.1 h1:qLeTIJR0d0JWRmDWo346nLsVN6EWihd1kalJYPEd0TM=
-github.com/sagernet/quic-go v0.40.1/go.mod h1:CcKTpzTAISxrM4PA5M20/wYuz9Tj6Tx4DwGbNl9UQrU=
+github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y/6ZHJWrnNLoiNnSJaow6DPb8VW2I=
+github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
+github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba h1:EY5AS7CCtfmARNv2zXUOrsEMPFDGYxaw65JzA2p51Vk=
+github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
+github.com/sagernet/quic-go v0.43.1-beta.1 h1:alizUjpvWYcz08dBCQsULOd+1xu0o7UtlyYf6SLbRNg=
+github.com/sagernet/quic-go v0.43.1-beta.1/go.mod h1:BkrQYeop7Jx3hN3TW8/76CXcdhYiNPyYEBL/BVJ1ifc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.3.8 h1:gm4JKalPhydMYX2zFOTnnd4TXtM/16WFRqSjMepYQQk=
-github.com/sagernet/sing v0.3.8/go.mod h1:+60H3Cm91RnL9dpVGWDPHt0zTQImO9Vfqt9a4rSambI=
-github.com/sagernet/sing-dns v0.1.14 h1:kxE/Ik3jMXmD3sXsdt9MgrNzLFWt64mghV+MQqzyf40=
-github.com/sagernet/sing-dns v0.1.14/go.mod h1:AA+vZMNovuPN5i/sPnfF6756Nq94nzb5nXodMWbta5w=
+github.com/sagernet/sing v0.5.0-alpha.4 h1:8ljxrEq1BMcDuGe8FxoeUGasPUXQsIywpUusGrlGkQ0=
+github.com/sagernet/sing v0.5.0-alpha.4/go.mod h1:Xh4KO9nGdvm4K/LVg9Xn9jSxJdqe9KcXbAzNC1S2qfw=
+github.com/sagernet/sing-dns v0.2.0-beta.18 h1:6vzXZThRdA7YUzBOpSbUT48XRumtl/KIpIHFSOP0za8=
+github.com/sagernet/sing-dns v0.2.0-beta.18/go.mod h1:k/dmFcQpg6+m08gC1yQBy+13+QkuLqpKr4bIreq4U24=
 github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
 github.com/sagernet/sing-mux v0.2.0/go.mod h1:khzr9AOPocLa+g53dBplwNDz4gdsyx/YM3swtAhlkHQ=
-github.com/sagernet/sing-quic v0.1.12 h1:4KjG7LASZck0svGDfzf3aVNidRRQRC/w2HUMk/PHiNE=
-github.com/sagernet/sing-quic v0.1.12/go.mod h1:L+VtzvuPbf8VW8F4R7KiygqpXY4lO7t2wwcQuHjh8Ew=
+github.com/sagernet/sing-quic v0.2.0-beta.5 h1:ceKFLd1iS5AtM+pScKmcDp5k7R6WgYIe8vl6nB0aVsE=
+github.com/sagernet/sing-quic v0.2.0-beta.5/go.mod h1:lfad61lScAZhAxZ0DHZWvEIcAaT38O6zPTR4vLsHeP0=
 github.com/sagernet/sing-shadowsocks v0.2.6 h1:xr7ylAS/q1cQYS8oxKKajhuQcchd5VJJ4K4UZrrpp0s=
 github.com/sagernet/sing-shadowsocks v0.2.6/go.mod h1:j2YZBIpWIuElPFL/5sJAj470bcn/3QQ5lxZUNKLDNAM=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
-github.com/sagernet/sing-tun v0.2.7 h1:6QtJkeSj6BTTQPGxbbiuV8eh7GdV46w2G0N8CmISwdc=
-github.com/sagernet/sing-tun v0.2.7/go.mod h1:MKAAHUzVfj7d9zos4lsz6wjXu86/mJyd/gejiAnWj/w=
+github.com/sagernet/sing-tun v0.3.0-beta.6 h1:L11kMrM7UfUW0pzQiU66Fffh4o86KZc1SFGbkYi8Ma8=
+github.com/sagernet/sing-tun v0.3.0-beta.6/go.mod h1:DxLIyhjWU/HwGYoX0vNGg2c5QgTQIakphU1MuERR5tQ=
 github.com/sagernet/sing-vmess v0.1.8 h1:XVWad1RpTy9b5tPxdm5MCU8cGfrTGdR8qCq6HV2aCNc=
 github.com/sagernet/sing-vmess v0.1.8/go.mod h1:vhx32UNzTDUkNwOyIjcZQohre1CaytquC5mPplId8uA=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
@@ -163,16 +163,16 @@ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBs
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
-golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY=
-golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
-golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -184,19 +184,19 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY=
-golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg=
+golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
+golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY=

inbound/builder.go

@@ -19,7 +19,7 @@ func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, o
 	case C.TypeTun:
 		return NewTun(ctx, router, logger, options.Tag, options.TunOptions, platformInterface)
 	case C.TypeRedirect:
-		return NewRedirect(ctx, router, logger, options.Tag, options.RedirectOptions), nil
+		return NewRedirect(ctx, router, logger, options.Tag, options.RedirectOptions, platformInterface)
 	case C.TypeTProxy:
 		return NewTProxy(ctx, router, logger, options.Tag, options.TProxyOptions), nil
 	case C.TypeDirect:

inbound/default_tcp.go

@@ -5,7 +5,9 @@ import (
 	"net"
 
 	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -16,6 +18,9 @@ func (a *myInboundAdapter) ListenTCP() (net.Listener, error) {
 	bindAddr := M.SocksaddrFrom(a.listenOptions.Listen.Build(), a.listenOptions.ListenPort)
 	var tcpListener net.Listener
 	var listenConfig net.ListenConfig
+	// TODO: Add an option to customize the keep alive period
+	listenConfig.KeepAlive = C.TCPKeepAliveInitial
+	listenConfig.Control = control.Append(listenConfig.Control, control.SetKeepAlivePeriod(C.TCPKeepAliveInitial, C.TCPKeepAliveInterval))
 	if a.listenOptions.TCPMultiPath {
 		if !go121Available {
 			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")

inbound/naive.go

@@ -15,7 +15,6 @@ import (
 	"github.com/sagernet/sing-box/common/tls"
 	"github.com/sagernet/sing-box/common/uot"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
@@ -109,8 +108,8 @@ func (n *Naive) Start() error {
 
 	if common.Contains(n.network, N.NetworkUDP) {
 		err := n.configureHTTP3Listener()
-		if !include.WithQUIC && len(n.network) > 1 {
-			log.Warn(E.Cause(err, "naive http3 disabled"))
+		if !C.WithQUIC && len(n.network) > 1 {
+			n.logger.Warn(E.Cause(err, "naive http3 disabled"))
 		} else if err != nil {
 			return err
 		}

inbound/redirect.go

@@ -2,25 +2,39 @@ package inbound
 
 import (
 	"context"
+	"errors"
 	"net"
+	"net/netip"
+	"os"
+	"os/exec"
+	"sort"
+	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/redir"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
 type Redirect struct {
 	myInboundAdapter
+	platformInterface platform.Interface
+	autoRedirect      option.AutoRedirectOptions
+	needSu            bool
+	suPath            string
 }
 
-func NewRedirect(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.RedirectInboundOptions) *Redirect {
+func NewRedirect(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.RedirectInboundOptions, platformInterface platform.Interface) (*Redirect, error) {
 	redirect := &Redirect{
-		myInboundAdapter{
+		myInboundAdapter: myInboundAdapter{
 			protocol:      C.TypeRedirect,
 			network:       []string{N.NetworkTCP},
 			ctx:           ctx,
@@ -29,9 +43,28 @@ func NewRedirect(ctx context.Context, router adapter.Router, logger log.ContextL
 			tag:           tag,
 			listenOptions: options.ListenOptions,
 		},
+		platformInterface: platformInterface,
+		autoRedirect:      common.PtrValueOrDefault(options.AutoRedirect),
+	}
+	if redirect.autoRedirect.Enabled {
+		if !C.IsAndroid {
+			return nil, E.New("auto redirect is only supported on Android")
+		}
+		userId := os.Getuid()
+		if userId != 0 {
+			suPath, err := exec.LookPath("/bin/su")
+			if err == nil {
+				redirect.needSu = true
+				redirect.suPath = suPath
+			} else if redirect.autoRedirect.ContinueOnNoPermission {
+				redirect.autoRedirect.Enabled = false
+			} else {
+				return nil, E.Extend(E.Cause(err, "root permission is required for auto redirect"), os.Getenv("PATH"))
+			}
+		}
 	}
 	redirect.connHandler = redirect
-	return redirect
+	return redirect, nil
 }
 
 func (r *Redirect) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
@@ -42,3 +75,124 @@ func (r *Redirect) NewConnection(ctx context.Context, conn net.Conn, metadata ad
 	metadata.Destination = M.SocksaddrFromNetIP(destination)
 	return r.newConnection(ctx, conn, metadata)
 }
+
+func (r *Redirect) Start() error {
+	err := r.myInboundAdapter.Start()
+	if err != nil {
+		return err
+	}
+	if r.autoRedirect.Enabled {
+		r.cleanupRedirect()
+		err = r.setupRedirect()
+		if err != nil {
+			var exitError *exec.ExitError
+			if errors.As(err, &exitError) && exitError.ExitCode() == 13 && r.autoRedirect.ContinueOnNoPermission {
+				r.logger.Error(E.Cause(err, "setup auto redirect"))
+				return nil
+			}
+			r.cleanupRedirect()
+			return E.Cause(err, "setup auto redirect")
+		}
+	}
+	return nil
+}
+
+func (r *Redirect) Close() error {
+	if r.autoRedirect.Enabled {
+		r.cleanupRedirect()
+	}
+	return r.myInboundAdapter.Close()
+}
+
+func (r *Redirect) setupRedirect() error {
+	tableName := "sing-box"
+	rules := `
+set -e -o pipefail
+iptables -t nat -N sing-box
+`
+	rules += strings.Join(common.FlatMap(r.router.(adapter.Router).InterfaceFinder().Interfaces(), func(it control.Interface) []string {
+		return common.Map(common.Filter(it.Addresses, func(it netip.Prefix) bool { return it.Addr().Is4() }), func(it netip.Prefix) string {
+			return "iptables -t nat -A " + tableName + " -p tcp -j RETURN -d " + it.String()
+		})
+	}), "\n")
+	var (
+		myUid           = uint32(os.Getuid())
+		perAppProxyList []uint32
+		perAppProxyMap  = make(map[uint32]bool)
+		perAppProxyMode int32
+		err             error
+	)
+	if r.platformInterface != nil {
+		perAppProxyMode = r.platformInterface.PerAppProxyMode()
+		if perAppProxyMode != platform.PerAppProxyModeDisabled {
+			perAppProxyList, err = r.platformInterface.PerAppProxyList()
+			if err != nil {
+				return E.Cause(err, "read per app proxy configuration")
+			}
+		}
+		for _, proxyUID := range perAppProxyList {
+			perAppProxyMap[proxyUID] = true
+		}
+	}
+	excludeUser := func(userID uint32) {
+		if perAppProxyMode != platform.PerAppProxyModeInclude {
+			perAppProxyMap[userID] = false
+		} else {
+			delete(perAppProxyMap, userID)
+		}
+	}
+	excludeUser(myUid)
+	if myUid != 0 && myUid != 2000 {
+		excludeUser(0)
+	}
+	perAppProxyList = perAppProxyList[:0]
+	for uid := range perAppProxyMap {
+		perAppProxyList = append(perAppProxyList, uid)
+	}
+	sort.SliceStable(perAppProxyList, func(i, j int) bool {
+		return perAppProxyList[i] < perAppProxyList[j]
+	})
+	redirectPortStr := F.ToString(M.AddrPortFromNet(r.tcpListener.Addr()).Port())
+	if perAppProxyMode != platform.PerAppProxyModeInclude {
+		rules += "\n" + strings.Join(common.Map(perAppProxyList, func(it uint32) string {
+			return "iptables -t nat -A " + tableName + " -j RETURN -m owner --uid-owner " + F.ToString(it)
+		}), "\n")
+		rules += "\niptables -t nat -A " + tableName + " -p tcp -j REDIRECT --to-ports " + redirectPortStr
+	} else {
+		rules += "\n" + strings.Join(common.Map(perAppProxyList, func(it uint32) string {
+			return "iptables -t nat -A " + tableName + " -p tcp -j REDIRECT --to-ports " + redirectPortStr + " -m owner --uid-owner " + F.ToString(it)
+		}), "\n")
+	}
+	rules += "\niptables -t nat -A OUTPUT -p tcp -j " + tableName
+	for _, ruleLine := range strings.Split(rules, "\n") {
+		ruleLine = strings.TrimSpace(ruleLine)
+		if ruleLine == "" {
+			continue
+		}
+		r.logger.Debug("# ", ruleLine)
+	}
+	return r.runAndroidShell(rules)
+}
+
+func (r *Redirect) cleanupRedirect() {
+	_ = r.runAndroidShell(`
+iptables -t nat -D OUTPUT -p tcp -j sing-box
+iptables -t nat -F sing-box
+iptables -t nat -X sing-box
+`)
+}
+
+func (r *Redirect) runAndroidShell(content string) error {
+	var command *exec.Cmd
+	if r.needSu {
+		command = exec.Command(r.suPath, "-c", "sh")
+	} else {
+		command = exec.Command("sh")
+	}
+	command.Stdin = strings.NewReader(content)
+	combinedOutput, err := command.CombinedOutput()
+	if err != nil {
+		return E.Extend(err, string(combinedOutput))
+	}
+	return nil
+}

inbound/tun.go

@@ -166,6 +166,14 @@ func (t *Tun) Start() error {
 	}
 	t.logger.Trace("creating stack")
 	t.tunIf = tunInterface
+	var (
+		forwarderBindInterface bool
+		includeAllNetworks     bool
+	)
+	if t.platformInterface != nil {
+		forwarderBindInterface = true
+		includeAllNetworks = t.platformInterface.IncludeAllNetworks()
+	}
 	t.tunStack, err = tun.NewStack(t.stack, tun.StackOptions{
 		Context:                t.ctx,
 		Tun:                    tunInterface,
@@ -174,8 +182,9 @@ func (t *Tun) Start() error {
 		UDPTimeout:             t.udpTimeout,
 		Handler:                t,
 		Logger:                 t.logger,
-		ForwarderBindInterface: t.platformInterface != nil,
+		ForwarderBindInterface: forwarderBindInterface,
 		InterfaceFinder:        t.router.InterfaceFinder(),
+		IncludeAllNetworks:     includeAllNetworks,
 	})
 	if err != nil {
 		return err

include/dhcp_stub.go

@@ -3,16 +3,12 @@
 package include
 
 import (
-	"context"
-
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	N "github.com/sagernet/sing/common/network"
 )
 
 func init() {
-	dns.RegisterTransport([]string{"dhcp"}, func(name string, ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, link string) (dns.Transport, error) {
+	dns.RegisterTransport([]string{"dhcp"}, func(options dns.TransportOptions) (dns.Transport, error) {
 		return nil, E.New(`DHCP is not included in this build, rebuild with -tags with_dhcp`)
 	})
 }

include/quic.go

@@ -6,5 +6,3 @@ import (
 	_ "github.com/sagernet/sing-box/transport/v2rayquic"
 	_ "github.com/sagernet/sing-dns/quic"
 )
-
-const WithQUIC = true

include/quic_stub.go

@@ -11,15 +11,12 @@ import (
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/v2ray"
 	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
-const WithQUIC = false
-
 func init() {
-	dns.RegisterTransport([]string{"quic", "h3"}, func(name string, ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, link string) (dns.Transport, error) {
+	dns.RegisterTransport([]string{"quic", "h3"}, func(options dns.TransportOptions) (dns.Transport, error) {
 		return nil, C.ErrQUICNotIncluded
 	})
 	v2ray.RegisterQUICConstructor(

include/tz_android.go

@@ -0,0 +1,21 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// kanged from https://github.com/golang/mobile/blob/c713f31d574bb632a93f169b2cc99c9e753fef0e/app/android.go#L89
+
+package include
+
+// #include <time.h>
+import "C"
+import "time"
+
+func init() {
+	var currentT C.time_t
+	var currentTM C.struct_tm
+	C.time(&currentT)
+	C.localtime_r(&currentT, &currentTM)
+	tzOffset := int(currentTM.tm_gmtoff)
+	tz := C.GoString(currentTM.tm_zone)
+	time.Local = time.FixedZone(tz, tzOffset)
+}

include/tz_ios.go

@@ -0,0 +1,30 @@
+package include
+
+/*
+#cgo CFLAGS: -x objective-c
+#cgo LDFLAGS: -framework Foundation
+#import <Foundation/Foundation.h>
+const char* getSystemTimeZone() {
+    NSTimeZone *timeZone = [NSTimeZone systemTimeZone];
+    NSString *timeZoneName = [timeZone description];
+    return [timeZoneName UTF8String];
+}
+*/
+import "C"
+
+import (
+	"strings"
+	"time"
+)
+
+func init() {
+	tzDescription := C.GoString(C.getSystemTimeZone())
+	if len(tzDescription) == 0 {
+		return
+	}
+	location, err := time.LoadLocation(strings.Split(tzDescription, " ")[0])
+	if err != nil {
+		return
+	}
+	time.Local = location
+}

mkdocs.yml

@@ -66,8 +66,9 @@ nav:
       - Proxy Protocol:
           - Shadowsocks: manual/proxy-protocol/shadowsocks.md
           - Trojan: manual/proxy-protocol/trojan.md
-          - TUIC: manual/proxy-protocol/tuic.md
           - Hysteria 2: manual/proxy-protocol/hysteria2.md
+      - Misc:
+          - TunnelVision: manual/misc/tunnelvision.md
   - Configuration:
       - configuration/index.md
       - Log:

ntp/service.go

@@ -1,112 +0,0 @@
-package ntp
-
-import (
-	"context"
-	"os"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer"
-	"github.com/sagernet/sing-box/common/settings"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/ntp"
-)
-
-var _ ntp.TimeService = (*Service)(nil)
-
-type Service struct {
-	ctx           context.Context
-	cancel        common.ContextCancelCauseFunc
-	server        M.Socksaddr
-	writeToSystem bool
-	dialer        N.Dialer
-	logger        logger.Logger
-	ticker        *time.Ticker
-	clockOffset   time.Duration
-}
-
-func NewService(ctx context.Context, router adapter.Router, logger logger.Logger, options option.NTPOptions) (*Service, error) {
-	ctx, cancel := common.ContextWithCancelCause(ctx)
-	server := M.ParseSocksaddrHostPort(options.Server, options.ServerPort)
-	if server.Port == 0 {
-		server.Port = 123
-	}
-	var interval time.Duration
-	if options.Interval > 0 {
-		interval = time.Duration(options.Interval)
-	} else {
-		interval = 30 * time.Minute
-	}
-	outboundDialer, err := dialer.New(router, options.DialerOptions)
-	if err != nil {
-		return nil, err
-	}
-	return &Service{
-		ctx:           ctx,
-		cancel:        cancel,
-		server:        server,
-		writeToSystem: options.WriteToSystem,
-		dialer:        outboundDialer,
-		logger:        logger,
-		ticker:        time.NewTicker(interval),
-	}, nil
-}
-
-func (s *Service) Start() error {
-	err := s.update()
-	if err != nil {
-		return E.Cause(err, "initialize time")
-	}
-	s.logger.Info("updated time: ", s.TimeFunc()().Local().Format(C.TimeLayout))
-	go s.loopUpdate()
-	return nil
-}
-
-func (s *Service) Close() error {
-	s.ticker.Stop()
-	s.cancel(os.ErrClosed)
-	return nil
-}
-
-func (s *Service) TimeFunc() func() time.Time {
-	return func() time.Time {
-		return time.Now().Add(s.clockOffset)
-	}
-}
-
-func (s *Service) loopUpdate() {
-	for {
-		select {
-		case <-s.ctx.Done():
-			return
-		case <-s.ticker.C:
-		}
-		err := s.update()
-		if err == nil {
-			s.logger.Debug("updated time: ", s.TimeFunc()().Local().Format(C.TimeLayout))
-		} else {
-			s.logger.Warn("update time: ", err)
-		}
-	}
-}
-
-func (s *Service) update() error {
-	response, err := ntp.Exchange(s.ctx, s.dialer, s.server)
-	if err != nil {
-		return err
-	}
-	s.clockOffset = response.ClockOffset
-	if s.writeToSystem {
-		writeErr := settings.SetSystemTime(s.TimeFunc()())
-		if writeErr != nil {
-			s.logger.Warn("write time to system: ", writeErr)
-		}
-	}
-	return nil
-}

option/dns.go

@@ -19,6 +19,7 @@ type DNSServerOptions struct {
 	AddressFallbackDelay Duration       `json:"address_fallback_delay,omitempty"`
 	Strategy             DomainStrategy `json:"strategy,omitempty"`
 	Detour               string         `json:"detour,omitempty"`
+	ClientSubnet         *AddrPrefix    `json:"client_subnet,omitempty"`
 }
 
 type DNSClientOptions struct {
@@ -26,6 +27,7 @@ type DNSClientOptions struct {
 	DisableCache     bool           `json:"disable_cache,omitempty"`
 	DisableExpire    bool           `json:"disable_expire,omitempty"`
 	IndependentCache bool           `json:"independent_cache,omitempty"`
+	ClientSubnet     *AddrPrefix    `json:"client_subnet,omitempty"`
 }
 
 type DNSFakeIPOptions struct {

option/experimental.go

@@ -8,10 +8,12 @@ type ExperimentalOptions struct {
 }
 
 type CacheFileOptions struct {
-	Enabled     bool   `json:"enabled,omitempty"`
-	Path        string `json:"path,omitempty"`
-	CacheID     string `json:"cache_id,omitempty"`
-	StoreFakeIP bool   `json:"store_fakeip,omitempty"`
+	Enabled     bool     `json:"enabled,omitempty"`
+	Path        string   `json:"path,omitempty"`
+	CacheID     string   `json:"cache_id,omitempty"`
+	StoreFakeIP bool     `json:"store_fakeip,omitempty"`
+	StoreRDRC   bool     `json:"store_rdrc,omitempty"`
+	RDRCTimeout Duration `json:"rdrc_timeout,omitempty"`
 }
 
 type ClashAPIOptions struct {

option/ntp.go

@@ -2,9 +2,8 @@ package option
 
 type NTPOptions struct {
 	Enabled       bool     `json:"enabled,omitempty"`
-	Server        string   `json:"server,omitempty"`
-	ServerPort    uint16   `json:"server_port,omitempty"`
 	Interval      Duration `json:"interval,omitempty"`
 	WriteToSystem bool     `json:"write_to_system,omitempty"`
+	ServerOptions
 	DialerOptions
 }

option/redir.go

@@ -2,6 +2,12 @@ package option
 
 type RedirectInboundOptions struct {
 	ListenOptions
+	AutoRedirect *AutoRedirectOptions `json:"auto_redirect,omitempty"`
+}
+
+type AutoRedirectOptions struct {
+	Enabled                bool `json:"enabled,omitempty"`
+	ContinueOnNoPermission bool `json:"continue_on_no_permission,omitempty"`
 }
 
 type TProxyInboundOptions struct {

option/rule_dns.go

@@ -65,38 +65,43 @@ func (r DNSRule) IsValid() bool {
 }
 
 type DefaultDNSRule struct {
-	Inbound           Listable[string]       `json:"inbound,omitempty"`
-	IPVersion         int                    `json:"ip_version,omitempty"`
-	QueryType         Listable[DNSQueryType] `json:"query_type,omitempty"`
-	Network           Listable[string]       `json:"network,omitempty"`
-	AuthUser          Listable[string]       `json:"auth_user,omitempty"`
-	Protocol          Listable[string]       `json:"protocol,omitempty"`
-	Domain            Listable[string]       `json:"domain,omitempty"`
-	DomainSuffix      Listable[string]       `json:"domain_suffix,omitempty"`
-	DomainKeyword     Listable[string]       `json:"domain_keyword,omitempty"`
-	DomainRegex       Listable[string]       `json:"domain_regex,omitempty"`
-	Geosite           Listable[string]       `json:"geosite,omitempty"`
-	SourceGeoIP       Listable[string]       `json:"source_geoip,omitempty"`
-	SourceIPCIDR      Listable[string]       `json:"source_ip_cidr,omitempty"`
-	SourceIPIsPrivate bool                   `json:"source_ip_is_private,omitempty"`
-	SourcePort        Listable[uint16]       `json:"source_port,omitempty"`
-	SourcePortRange   Listable[string]       `json:"source_port_range,omitempty"`
-	Port              Listable[uint16]       `json:"port,omitempty"`
-	PortRange         Listable[string]       `json:"port_range,omitempty"`
-	ProcessName       Listable[string]       `json:"process_name,omitempty"`
-	ProcessPath       Listable[string]       `json:"process_path,omitempty"`
-	PackageName       Listable[string]       `json:"package_name,omitempty"`
-	User              Listable[string]       `json:"user,omitempty"`
-	UserID            Listable[int32]        `json:"user_id,omitempty"`
-	Outbound          Listable[string]       `json:"outbound,omitempty"`
-	ClashMode         string                 `json:"clash_mode,omitempty"`
-	WIFISSID          Listable[string]       `json:"wifi_ssid,omitempty"`
-	WIFIBSSID         Listable[string]       `json:"wifi_bssid,omitempty"`
-	RuleSet           Listable[string]       `json:"rule_set,omitempty"`
-	Invert            bool                   `json:"invert,omitempty"`
-	Server            string                 `json:"server,omitempty"`
-	DisableCache      bool                   `json:"disable_cache,omitempty"`
-	RewriteTTL        *uint32                `json:"rewrite_ttl,omitempty"`
+	Inbound                  Listable[string]       `json:"inbound,omitempty"`
+	IPVersion                int                    `json:"ip_version,omitempty"`
+	QueryType                Listable[DNSQueryType] `json:"query_type,omitempty"`
+	Network                  Listable[string]       `json:"network,omitempty"`
+	AuthUser                 Listable[string]       `json:"auth_user,omitempty"`
+	Protocol                 Listable[string]       `json:"protocol,omitempty"`
+	Domain                   Listable[string]       `json:"domain,omitempty"`
+	DomainSuffix             Listable[string]       `json:"domain_suffix,omitempty"`
+	DomainKeyword            Listable[string]       `json:"domain_keyword,omitempty"`
+	DomainRegex              Listable[string]       `json:"domain_regex,omitempty"`
+	Geosite                  Listable[string]       `json:"geosite,omitempty"`
+	SourceGeoIP              Listable[string]       `json:"source_geoip,omitempty"`
+	GeoIP                    Listable[string]       `json:"geoip,omitempty"`
+	IPCIDR                   Listable[string]       `json:"ip_cidr,omitempty"`
+	IPIsPrivate              bool                   `json:"ip_is_private,omitempty"`
+	SourceIPCIDR             Listable[string]       `json:"source_ip_cidr,omitempty"`
+	SourceIPIsPrivate        bool                   `json:"source_ip_is_private,omitempty"`
+	SourcePort               Listable[uint16]       `json:"source_port,omitempty"`
+	SourcePortRange          Listable[string]       `json:"source_port_range,omitempty"`
+	Port                     Listable[uint16]       `json:"port,omitempty"`
+	PortRange                Listable[string]       `json:"port_range,omitempty"`
+	ProcessName              Listable[string]       `json:"process_name,omitempty"`
+	ProcessPath              Listable[string]       `json:"process_path,omitempty"`
+	PackageName              Listable[string]       `json:"package_name,omitempty"`
+	User                     Listable[string]       `json:"user,omitempty"`
+	UserID                   Listable[int32]        `json:"user_id,omitempty"`
+	Outbound                 Listable[string]       `json:"outbound,omitempty"`
+	ClashMode                string                 `json:"clash_mode,omitempty"`
+	WIFISSID                 Listable[string]       `json:"wifi_ssid,omitempty"`
+	WIFIBSSID                Listable[string]       `json:"wifi_bssid,omitempty"`
+	RuleSet                  Listable[string]       `json:"rule_set,omitempty"`
+	RuleSetIPCIDRMatchSource bool                   `json:"rule_set_ipcidr_match_source,omitempty"`
+	Invert                   bool                   `json:"invert,omitempty"`
+	Server                   string                 `json:"server,omitempty"`
+	DisableCache             bool                   `json:"disable_cache,omitempty"`
+	RewriteTTL               *uint32                `json:"rewrite_ttl,omitempty"`
+	ClientSubnet             *AddrPrefix            `json:"client_subnet,omitempty"`
 }
 
 func (r DefaultDNSRule) IsValid() bool {
@@ -105,16 +110,18 @@ func (r DefaultDNSRule) IsValid() bool {
 	defaultValue.Server = r.Server
 	defaultValue.DisableCache = r.DisableCache
 	defaultValue.RewriteTTL = r.RewriteTTL
+	defaultValue.ClientSubnet = r.ClientSubnet
 	return !reflect.DeepEqual(r, defaultValue)
 }
 
 type LogicalDNSRule struct {
-	Mode         string    `json:"mode"`
-	Rules        []DNSRule `json:"rules,omitempty"`
-	Invert       bool      `json:"invert,omitempty"`
-	Server       string    `json:"server,omitempty"`
-	DisableCache bool      `json:"disable_cache,omitempty"`
-	RewriteTTL   *uint32   `json:"rewrite_ttl,omitempty"`
+	Mode         string      `json:"mode"`
+	Rules        []DNSRule   `json:"rules,omitempty"`
+	Invert       bool        `json:"invert,omitempty"`
+	Server       string      `json:"server,omitempty"`
+	DisableCache bool        `json:"disable_cache,omitempty"`
+	RewriteTTL   *uint32     `json:"rewrite_ttl,omitempty"`
+	ClientSubnet *AddrPrefix `json:"client_subnet,omitempty"`
 }
 
 func (r LogicalDNSRule) IsValid() bool {

option/tun_platform.go

@@ -7,4 +7,6 @@ type TunPlatformOptions struct {
 type HTTPProxyOptions struct {
 	Enabled bool `json:"enabled,omitempty"`
 	ServerOptions
+	BypassDomain Listable[string] `json:"bypass_domain,omitempty"`
+	MatchDomain  Listable[string] `json:"match_domain,omitempty"`
 }

option/types.go

@@ -51,6 +51,40 @@ func (a *ListenAddress) Build() netip.Addr {
 	return (netip.Addr)(*a)
 }
 
+type AddrPrefix netip.Prefix
+
+func (a AddrPrefix) MarshalJSON() ([]byte, error) {
+	prefix := netip.Prefix(a)
+	if prefix.Bits() == prefix.Addr().BitLen() {
+		return json.Marshal(prefix.Addr().String())
+	} else {
+		return json.Marshal(prefix.String())
+	}
+}
+
+func (a *AddrPrefix) UnmarshalJSON(content []byte) error {
+	var value string
+	err := json.Unmarshal(content, &value)
+	if err != nil {
+		return err
+	}
+	prefix, prefixErr := netip.ParsePrefix(value)
+	if prefixErr == nil {
+		*a = AddrPrefix(prefix)
+		return nil
+	}
+	addr, addrErr := netip.ParseAddr(value)
+	if addrErr == nil {
+		*a = AddrPrefix(netip.PrefixFrom(addr, addr.BitLen()))
+		return nil
+	}
+	return prefixErr
+}
+
+func (a AddrPrefix) Build() netip.Prefix {
+	return netip.Prefix(a)
+}
+
 type NetworkList string
 
 func (v *NetworkList) UnmarshalJSON(content []byte) error {

outbound/direct.go

@@ -51,7 +51,7 @@ func NewDirect(router adapter.Router, logger log.ContextLogger, tag string, opti
 		domainStrategy: dns.DomainStrategy(options.DomainStrategy),
 		fallbackDelay:  time.Duration(options.FallbackDelay),
 		dialer:         outboundDialer,
-		loopBack:       newLoopBackDetector(),
+		loopBack:       newLoopBackDetector(router),
 	}
 	if options.ProxyProtocol != 0 {
 		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")

outbound/direct_loopback_detect.go

@@ -5,21 +5,22 @@ import (
 	"net/netip"
 	"sync"
 
+	"github.com/sagernet/sing-box/adapter"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
 type loopBackDetector struct {
-	// router           adapter.Router
+	router           adapter.Router
 	connAccess       sync.RWMutex
 	packetConnAccess sync.RWMutex
 	connMap          map[netip.AddrPort]netip.AddrPort
 	packetConnMap    map[uint16]uint16
 }
 
-func newLoopBackDetector( /*router adapter.Router*/ ) *loopBackDetector {
+func newLoopBackDetector(router adapter.Router) *loopBackDetector {
 	return &loopBackDetector{
-		// router:        router,
+		router:        router,
 		connMap:       make(map[netip.AddrPort]netip.AddrPort),
 		packetConnMap: make(map[uint16]uint16),
 	}
@@ -31,12 +32,12 @@ func (l *loopBackDetector) NewConn(conn net.Conn) net.Conn {
 		return conn
 	}
 	if udpConn, isUDPConn := conn.(abstractUDPConn); isUDPConn {
-		/*if !source.Addr().IsLoopback() {
+		if !source.Addr().IsLoopback() {
 			_, err := l.router.InterfaceFinder().InterfaceByAddr(source.Addr())
 			if err != nil {
 				return conn
 			}
-		}*/
+		}
 		if !N.IsPublicAddr(source.Addr()) {
 			return conn
 		}
@@ -57,6 +58,12 @@ func (l *loopBackDetector) NewPacketConn(conn N.NetPacketConn, destination M.Soc
 	if !source.IsValid() {
 		return conn
 	}
+	if !source.Addr().IsLoopback() {
+		_, err := l.router.InterfaceFinder().InterfaceByAddr(source.Addr())
+		if err != nil {
+			return conn
+		}
+	}
 	l.packetConnAccess.Lock()
 	l.packetConnMap[source.Port()] = destination.AddrPort().Port()
 	l.packetConnAccess.Unlock()
@@ -74,12 +81,12 @@ func (l *loopBackDetector) CheckPacketConn(source netip.AddrPort, local netip.Ad
 	if !source.IsValid() {
 		return false
 	}
-	/*if !source.Addr().IsLoopback() {
+	if !source.Addr().IsLoopback() {
 		_, err := l.router.InterfaceFinder().InterfaceByAddr(source.Addr())
 		if err != nil {
 			return false
 		}
-	}*/
+	}
 	if N.IsPublicAddr(source.Addr()) {
 		return false
 	}

outbound/dns.go

@@ -46,8 +46,8 @@ func (d *DNS) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.Pa
 }
 
 func (d *DNS) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	metadata.Destination = M.Socksaddr{}
 	defer conn.Close()
-	ctx = adapter.WithContext(ctx, &metadata)
 	for {
 		err := d.handleConnection(ctx, conn, metadata)
 		if err != nil {
@@ -98,6 +98,7 @@ func (d *DNS) handleConnection(ctx context.Context, conn net.Conn, metadata adap
 }
 
 func (d *DNS) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	metadata.Destination = M.Socksaddr{}
 	var reader N.PacketReader = conn
 	var counters []N.CountFunc
 	var cachedPackets []*N.PacketBuffer
@@ -111,14 +112,11 @@ func (d *DNS) NewPacketConnection(ctx context.Context, conn N.PacketConn, metada
 			}
 		}
 		if readWaiter, created := bufio.CreatePacketReadWaiter(reader); created {
-			readWaiter.InitializeReadWaiter(N.ReadWaitOptions{
-				MTU: dns.FixedPacketSize,
-			})
+			readWaiter.InitializeReadWaiter(N.ReadWaitOptions{})
 			return d.newPacketConnection(ctx, conn, readWaiter, counters, cachedPackets, metadata)
 		}
 		break
 	}
-	ctx = adapter.WithContext(ctx, &metadata)
 	fastClose, cancel := common.ContextWithCancelCause(ctx)
 	timeout := canceler.New(fastClose, cancel, C.DNSTimeout)
 	var group task.Group
@@ -167,15 +165,11 @@ func (d *DNS) NewPacketConnection(ctx context.Context, conn N.PacketConn, metada
 					return err
 				}
 				timeout.Update()
-				responseBuffer := buf.NewPacket()
-				responseBuffer.Resize(1024, 0)
-				n, err := response.PackBuffer(responseBuffer.FreeBytes())
+				responseBuffer, err := dns.TruncateDNSMessage(&message, response, 1024)
 				if err != nil {
 					cancel(err)
-					responseBuffer.Release()
 					return err
 				}
-				responseBuffer.Truncate(len(n))
 				err = conn.WritePacket(responseBuffer, destination)
 				if err != nil {
 					cancel(err)
@@ -241,16 +235,11 @@ func (d *DNS) newPacketConnection(ctx context.Context, conn N.PacketConn, readWa
 					return err
 				}
 				timeout.Update()
-				response = truncateDNSMessage(response, 512) // TODO: add an option to custom UDP buffer size
-				responseBuffer := buf.NewSize(dns.FixedPacketSize)
-				responseBuffer.Resize(1024, 0)
-				n, err := response.PackBuffer(responseBuffer.FreeBytes())
+				responseBuffer, err := dns.TruncateDNSMessage(&message, response, 1024)
 				if err != nil {
 					cancel(err)
-					responseBuffer.Release()
 					return err
 				}
-				responseBuffer.Truncate(len(n))
 				err = conn.WritePacket(responseBuffer, destination)
 				if err != nil {
 					cancel(err)
@@ -264,22 +253,3 @@ func (d *DNS) newPacketConnection(ctx context.Context, conn N.PacketConn, readWa
 	})
 	return group.Run(fastClose)
 }
-
-func truncateDNSMessage(response *mDNS.Msg, maxLen int) *mDNS.Msg {
-	responseLen := response.Len()
-	if responseLen <= maxLen {
-		return response
-	}
-	newResponse := *response
-	response = &newResponse
-	for len(response.Answer) > 0 && responseLen > maxLen {
-		response.Answer = response.Answer[:len(response.Answer)-1]
-		response.Truncated = true
-		responseLen = response.Len()
-	}
-	if responseLen > maxLen {
-		response.Ns = nil
-		response.Extra = nil
-	}
-	return response
-}

outbound/urltest.go

@@ -287,8 +287,23 @@ func (g *URLTestGroup) Close() error {
 
 func (g *URLTestGroup) Select(network string) (adapter.Outbound, bool) {
 	var minDelay uint16
-	var minTime time.Time
 	var minOutbound adapter.Outbound
+	switch network {
+	case N.NetworkTCP:
+		if g.selectedOutboundTCP != nil {
+			if history := g.history.LoadURLTestHistory(RealTag(g.selectedOutboundTCP)); history != nil {
+				minOutbound = g.selectedOutboundTCP
+				minDelay = history.Delay
+			}
+		}
+	case N.NetworkUDP:
+		if g.selectedOutboundUDP != nil {
+			if history := g.history.LoadURLTestHistory(RealTag(g.selectedOutboundUDP)); history != nil {
+				minOutbound = g.selectedOutboundUDP
+				minDelay = history.Delay
+			}
+		}
+	}
 	for _, detour := range g.outbounds {
 		if !common.Contains(detour.Network(), network) {
 			continue
@@ -297,9 +312,8 @@ func (g *URLTestGroup) Select(network string) (adapter.Outbound, bool) {
 		if history == nil {
 			continue
 		}
-		if minDelay == 0 || minDelay > history.Delay+g.tolerance || minDelay > history.Delay-g.tolerance && minTime.Before(history.Time) {
+		if minDelay == 0 || minDelay > history.Delay+g.tolerance {
 			minDelay = history.Delay
-			minTime = history.Time
 			minOutbound = detour
 		}
 	}

route/interface_finder.go

@@ -1,54 +0,0 @@
-package route
-
-import (
-	"net"
-
-	"github.com/sagernet/sing/common/control"
-)
-
-var _ control.InterfaceFinder = (*myInterfaceFinder)(nil)
-
-type myInterfaceFinder struct {
-	interfaces []net.Interface
-}
-
-func (f *myInterfaceFinder) update() error {
-	ifs, err := net.Interfaces()
-	if err != nil {
-		return err
-	}
-	f.interfaces = ifs
-	return nil
-}
-
-func (f *myInterfaceFinder) updateInterfaces(interfaces []net.Interface) {
-	f.interfaces = interfaces
-}
-
-func (f *myInterfaceFinder) InterfaceIndexByName(name string) (interfaceIndex int, err error) {
-	for _, netInterface := range f.interfaces {
-		if netInterface.Name == name {
-			return netInterface.Index, nil
-		}
-	}
-	netInterface, err := net.InterfaceByName(name)
-	if err != nil {
-		return
-	}
-	f.update()
-	return netInterface.Index, nil
-}
-
-func (f *myInterfaceFinder) InterfaceNameByIndex(index int) (interfaceName string, err error) {
-	for _, netInterface := range f.interfaces {
-		if netInterface.Index == index {
-			return netInterface.Name, nil
-		}
-	}
-	netInterface, err := net.InterfaceByIndex(index)
-	if err != nil {
-		return
-	}
-	f.update()
-	return netInterface.Name, nil
-}

route/router.go

@@ -8,6 +8,7 @@ import (
 	"net/url"
 	"os"
 	"os/user"
+	"runtime"
 	"strings"
 	"time"
 
@@ -22,12 +23,11 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/ntp"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/outbound"
 	"github.com/sagernet/sing-box/transport/fakeip"
 	"github.com/sagernet/sing-dns"
-	mux "github.com/sagernet/sing-mux"
+	"github.com/sagernet/sing-mux"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing/common"
@@ -39,9 +39,10 @@ import (
 	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	serviceNTP "github.com/sagernet/sing/common/ntp"
+	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/common/uot"
+	"github.com/sagernet/sing/common/winpowrprof"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/pause"
 )
@@ -78,13 +79,14 @@ type Router struct {
 	transportDomainStrategy            map[dns.Transport]dns.DomainStrategy
 	dnsReverseMapping                  *DNSReverseMapping
 	fakeIPStore                        adapter.FakeIPStore
-	interfaceFinder                    myInterfaceFinder
+	interfaceFinder                    *control.DefaultInterfaceFinder
 	autoDetectInterface                bool
 	defaultInterface                   string
 	defaultMark                        int
 	networkMonitor                     tun.NetworkUpdateMonitor
 	interfaceMonitor                   tun.DefaultInterfaceMonitor
 	packageManager                     tun.PackageManager
+	powerListener                      winpowrprof.EventListener
 	processSearcher                    process.Searcher
 	timeService                        *ntp.Service
 	pauseManager                       pause.Manager
@@ -122,6 +124,7 @@ func NewRouter(
 		needFindProcess:       hasRule(options.Rules, isProcessRule) || hasDNSRule(dnsOptions.Rules, isProcessDNSRule) || options.FindProcess,
 		defaultDetour:         options.Final,
 		defaultDomainStrategy: dns.DomainStrategy(dnsOptions.Strategy),
+		interfaceFinder:       control.NewDefaultInterfaceFinder(),
 		autoDetectInterface:   options.AutoDetectInterface,
 		defaultInterface:      options.DefaultInterface,
 		defaultMark:           options.DefaultMark,
@@ -136,7 +139,17 @@ func NewRouter(
 		DisableCache:     dnsOptions.DNSClientOptions.DisableCache,
 		DisableExpire:    dnsOptions.DNSClientOptions.DisableExpire,
 		IndependentCache: dnsOptions.DNSClientOptions.IndependentCache,
-		Logger:           router.dnsLogger,
+		RDRC: func() dns.RDRCStore {
+			cacheFile := service.FromContext[adapter.CacheFile](ctx)
+			if cacheFile == nil {
+				return nil
+			}
+			if !cacheFile.StoreRDRC() {
+				return nil
+			}
+			return cacheFile
+		},
+		Logger: router.dnsLogger,
 	})
 	for i, ruleOptions := range options.Rules {
 		routeRule, err := NewRule(router, router.logger, ruleOptions, true)
@@ -222,7 +235,20 @@ func NewRouter(
 					return nil, E.New("parse dns server[", tag, "]: missing address_resolver")
 				}
 			}
-			transport, err := dns.CreateTransport(tag, ctx, logFactory.NewLogger(F.ToString("dns/transport[", tag, "]")), detour, server.Address)
+			var clientSubnet netip.Prefix
+			if server.ClientSubnet != nil {
+				clientSubnet = server.ClientSubnet.Build()
+			} else if dnsOptions.ClientSubnet != nil {
+				clientSubnet = dnsOptions.ClientSubnet.Build()
+			}
+			transport, err := dns.CreateTransport(dns.TransportOptions{
+				Context:      ctx,
+				Logger:       logFactory.NewLogger(F.ToString("dns/transport[", tag, "]")),
+				Name:         tag,
+				Dialer:       detour,
+				Address:      server.Address,
+				ClientSubnet: clientSubnet,
+			})
 			if err != nil {
 				return nil, E.Cause(err, "parse dns server[", tag, "]")
 			}
@@ -262,7 +288,12 @@ func NewRouter(
 	}
 	if defaultTransport == nil {
 		if len(transports) == 0 {
-			transports = append(transports, dns.NewLocalTransport("local", N.SystemDialer))
+			transports = append(transports, common.Must1(dns.CreateTransport(dns.TransportOptions{
+				Context: ctx,
+				Name:    "local",
+				Address: "local",
+				Dialer:  common.Must1(dialer.NewDefault(router, option.DialerOptions{})),
+			})))
 		}
 		defaultTransport = transports[0]
 	}
@@ -303,7 +334,7 @@ func NewRouter(
 			}
 			router.networkMonitor = networkMonitor
 			networkMonitor.RegisterCallback(func() {
-				_ = router.interfaceFinder.update()
+				_ = router.interfaceFinder.Update()
 			})
 			interfaceMonitor, err := tun.NewDefaultInterfaceMonitor(router.networkMonitor, router.logger, tun.DefaultInterfaceMonitorOptions{
 				OverrideAndroidVPN:    options.OverrideAndroidVPN,
@@ -321,12 +352,28 @@ func NewRouter(
 		router.interfaceMonitor = interfaceMonitor
 	}
 
-	if ntpOptions.Enabled {
-		timeService, err := ntp.NewService(ctx, router, logFactory.NewLogger("ntp"), ntpOptions)
+	if runtime.GOOS == "windows" {
+		powerListener, err := winpowrprof.NewEventListener(router.notifyWindowsPowerEvent)
 		if err != nil {
-			return nil, err
+			return nil, E.Cause(err, "initialize power listener")
 		}
-		service.ContextWith[serviceNTP.TimeService](ctx, timeService)
+		router.powerListener = powerListener
+	}
+
+	if ntpOptions.Enabled {
+		ntpDialer, err := dialer.New(router, ntpOptions.DialerOptions)
+		if err != nil {
+			return nil, E.Cause(err, "create NTP service")
+		}
+		timeService := ntp.NewService(ntp.Options{
+			Context:       ctx,
+			Dialer:        ntpDialer,
+			Logger:        logFactory.NewLogger("ntp"),
+			Server:        ntpOptions.ServerOptions.Build(),
+			Interval:      time.Duration(ntpOptions.Interval),
+			WriteToSystem: ntpOptions.WriteToSystem,
+		})
+		service.MustRegister[ntp.TimeService](ctx, timeService)
 		router.timeService = timeService
 	}
 	return router, nil
@@ -560,6 +607,16 @@ func (r *Router) Start() error {
 			}
 		}
 	}
+
+	if r.powerListener != nil {
+		monitor.Start("start power listener")
+		err := r.powerListener.Start()
+		monitor.Finish()
+		if err != nil {
+			return E.Cause(err, "start power listener")
+		}
+	}
+
 	if (needWIFIStateFromRuleSet || r.needWIFIState) && r.platformInterface != nil {
 		monitor.Start("initialize WIFI state")
 		r.needWIFIState = true
@@ -578,6 +635,11 @@ func (r *Router) Start() error {
 			return E.Cause(err, "initialize rule[", i, "]")
 		}
 	}
+
+	monitor.Start("initialize DNS client")
+	r.dnsClient.Start()
+	monitor.Finish()
+
 	for i, rule := range r.dnsRules {
 		monitor.Start("initialize DNS rule[", i, "]")
 		err := rule.Start()
@@ -657,6 +719,13 @@ func (r *Router) Close() error {
 		})
 		monitor.Finish()
 	}
+	if r.powerListener != nil {
+		monitor.Start("close power listener")
+		err = E.Append(err, r.powerListener.Close(), func(err error) error {
+			return E.Cause(err, "close power listener")
+		})
+		monitor.Finish()
+	}
 	if r.timeService != nil {
 		monitor.Start("close time service")
 		err = E.Append(err, r.timeService.Close(), func(err error) error {
@@ -781,7 +850,16 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 
 	if metadata.InboundOptions.SniffEnabled {
 		buffer := buf.NewPacket()
-		sniffMetadata, err := sniff.PeekStream(ctx, conn, buffer, time.Duration(metadata.InboundOptions.SniffTimeout), sniff.StreamDomainNameQuery, sniff.TLSClientHello, sniff.HTTPHost)
+		sniffMetadata, err := sniff.PeekStream(
+			ctx,
+			conn,
+			buffer,
+			time.Duration(metadata.InboundOptions.SniffTimeout),
+			sniff.StreamDomainNameQuery,
+			sniff.TLSClientHello,
+			sniff.HTTPHost,
+			sniff.BitTorrent,
+		)
 		if sniffMetadata != nil {
 			metadata.Protocol = sniffMetadata.Protocol
 			metadata.Domain = sniffMetadata.Domain
@@ -908,7 +986,15 @@ func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, m
 			metadata.Destination = destination
 		}
 		if metadata.InboundOptions.SniffEnabled {
-			sniffMetadata, _ := sniff.PeekPacket(ctx, buffer.Bytes(), sniff.DomainNameQuery, sniff.QUICClientHello, sniff.STUNMessage)
+			sniffMetadata, _ := sniff.PeekPacket(
+				ctx,
+				buffer.Bytes(),
+				sniff.DomainNameQuery,
+				sniff.QUICClientHello,
+				sniff.STUNMessage,
+				sniff.UTP,
+				sniff.UDPTracker,
+			)
 			if sniffMetadata != nil {
 				metadata.Protocol = sniffMetadata.Protocol
 				metadata.Domain = sniffMetadata.Domain
@@ -1028,24 +1114,18 @@ func (r *Router) match0(ctx context.Context, metadata *adapter.InboundContext, d
 }
 
 func (r *Router) InterfaceFinder() control.InterfaceFinder {
-	return &r.interfaceFinder
+	return r.interfaceFinder
 }
 
 func (r *Router) UpdateInterfaces() error {
 	if r.platformInterface == nil || !r.platformInterface.UsePlatformInterfaceGetter() {
-		return r.interfaceFinder.update()
+		return r.interfaceFinder.Update()
 	} else {
 		interfaces, err := r.platformInterface.Interfaces()
 		if err != nil {
 			return err
 		}
-		r.interfaceFinder.updateInterfaces(common.Map(interfaces, func(it platform.NetworkInterface) net.Interface {
-			return net.Interface{
-				Name:  it.Name,
-				Index: it.Index,
-				MTU:   it.MTU,
-			}
-		}))
+		r.interfaceFinder.UpdateInterfaces(interfaces)
 		return nil
 	}
 }
@@ -1189,3 +1269,19 @@ func (r *Router) updateWIFIState() {
 		}
 	}
 }
+
+func (r *Router) notifyWindowsPowerEvent(event int) {
+	switch event {
+	case winpowrprof.EVENT_SUSPEND:
+		r.pauseManager.DevicePause()
+		_ = r.ResetNetwork()
+	case winpowrprof.EVENT_RESUME:
+		if !r.pauseManager.IsDevicePaused() {
+			return
+		}
+		fallthrough
+	case winpowrprof.EVENT_RESUME_AUTOMATIC:
+		r.pauseManager.DeviceWake()
+		_ = r.ResetNetwork()
+	}
+}

route/router_dns.go

@@ -2,13 +2,13 @@ package route
 
 import (
 	"context"
+	"errors"
 	"net/netip"
 	"strings"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/cache"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -37,41 +37,55 @@ func (m *DNSReverseMapping) Query(address netip.Addr) (string, bool) {
 	return domain, loaded
 }
 
-func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool) (context.Context, dns.Transport, dns.DomainStrategy) {
+func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, index int) (context.Context, dns.Transport, dns.DomainStrategy, adapter.DNSRule, int) {
 	metadata := adapter.ContextFrom(ctx)
 	if metadata == nil {
 		panic("no context")
 	}
-	for i, rule := range r.dnsRules {
-		metadata.ResetRuleCache()
-		if rule.Match(metadata) {
-			detour := rule.Outbound()
-			transport, loaded := r.transportMap[detour]
-			if !loaded {
-				r.dnsLogger.ErrorContext(ctx, "transport not found: ", detour)
-				continue
-			}
-			if _, isFakeIP := transport.(adapter.FakeIPTransport); isFakeIP && !allowFakeIP {
-				continue
-			}
-			r.dnsLogger.DebugContext(ctx, "match[", i, "] ", rule.String(), " => ", detour)
-			if rule.DisableCache() {
-				ctx = dns.ContextWithDisableCache(ctx, true)
-			}
-			if rewriteTTL := rule.RewriteTTL(); rewriteTTL != nil {
-				ctx = dns.ContextWithRewriteTTL(ctx, *rewriteTTL)
-			}
-			if domainStrategy, dsLoaded := r.transportDomainStrategy[transport]; dsLoaded {
-				return ctx, transport, domainStrategy
-			} else {
-				return ctx, transport, r.defaultDomainStrategy
+	if index < len(r.dnsRules) {
+		dnsRules := r.dnsRules
+		if index != -1 {
+			dnsRules = dnsRules[index+1:]
+		}
+		for currentRuleIndex, rule := range dnsRules {
+			metadata.ResetRuleCache()
+			if rule.Match(metadata) {
+				detour := rule.Outbound()
+				transport, loaded := r.transportMap[detour]
+				if !loaded {
+					r.dnsLogger.ErrorContext(ctx, "transport not found: ", detour)
+					continue
+				}
+				_, isFakeIP := transport.(adapter.FakeIPTransport)
+				if isFakeIP && !allowFakeIP {
+					continue
+				}
+				ruleIndex := currentRuleIndex
+				if index != -1 {
+					ruleIndex += index + 1
+				}
+				r.dnsLogger.DebugContext(ctx, "match[", ruleIndex, "] ", rule.String(), " => ", detour)
+				if isFakeIP || rule.DisableCache() {
+					ctx = dns.ContextWithDisableCache(ctx, true)
+				}
+				if rewriteTTL := rule.RewriteTTL(); rewriteTTL != nil {
+					ctx = dns.ContextWithRewriteTTL(ctx, *rewriteTTL)
+				}
+				if clientSubnet := rule.ClientSubnet(); clientSubnet != nil {
+					ctx = dns.ContextWithClientSubnet(ctx, *clientSubnet)
+				}
+				if domainStrategy, dsLoaded := r.transportDomainStrategy[transport]; dsLoaded {
+					return ctx, transport, domainStrategy, rule, ruleIndex
+				} else {
+					return ctx, transport, r.defaultDomainStrategy, rule, ruleIndex
+				}
 			}
 		}
 	}
 	if domainStrategy, dsLoaded := r.transportDomainStrategy[r.defaultTransport]; dsLoaded {
-		return ctx, r.defaultTransport, domainStrategy
+		return ctx, r.defaultTransport, domainStrategy, nil, -1
 	} else {
-		return ctx, r.defaultTransport, r.defaultDomainStrategy
+		return ctx, r.defaultTransport, r.defaultDomainStrategy, nil, -1
 	}
 }
 
@@ -80,13 +94,15 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, er
 		r.dnsLogger.DebugContext(ctx, "exchange ", formatQuestion(message.Question[0].String()))
 	}
 	var (
-		response *mDNS.Msg
-		cached   bool
-		err      error
+		response  *mDNS.Msg
+		cached    bool
+		transport dns.Transport
+		err       error
 	)
 	response, cached = r.dnsClient.ExchangeCache(ctx, message)
 	if !cached {
-		ctx, metadata := adapter.AppendContext(ctx)
+		var metadata *adapter.InboundContext
+		ctx, metadata = adapter.AppendContext(ctx)
 		if len(message.Question) > 0 {
 			metadata.QueryType = message.Question[0].Qtype
 			switch metadata.QueryType {
@@ -97,50 +113,134 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, er
 			}
 			metadata.Domain = fqdnToDomain(message.Question[0].Name)
 		}
-		ctx, transport, strategy := r.matchDNS(ctx, true)
-		ctx, cancel := context.WithTimeout(ctx, C.DNSTimeout)
-		defer cancel()
-		response, err = r.dnsClient.Exchange(ctx, transport, message, strategy)
-		if err != nil && len(message.Question) > 0 {
-			r.dnsLogger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", formatQuestion(message.Question[0].String())))
+		var (
+			strategy  dns.DomainStrategy
+			rule      adapter.DNSRule
+			ruleIndex int
+		)
+		ruleIndex = -1
+		for {
+			var (
+				dnsCtx       context.Context
+				cancel       context.CancelFunc
+				addressLimit bool
+			)
+
+			dnsCtx, transport, strategy, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex)
+			dnsCtx, cancel = context.WithTimeout(dnsCtx, C.DNSTimeout)
+			if rule != nil && rule.WithAddressLimit() && isAddressQuery(message) {
+				addressLimit = true
+				response, err = r.dnsClient.ExchangeWithResponseCheck(dnsCtx, transport, message, strategy, func(response *mDNS.Msg) bool {
+					metadata.DestinationAddresses, _ = dns.MessageToAddresses(response)
+					return rule.MatchAddressLimit(metadata)
+				})
+			} else {
+				addressLimit = false
+				response, err = r.dnsClient.Exchange(dnsCtx, transport, message, strategy)
+			}
+			cancel()
+			var rejected bool
+			if err != nil {
+				if errors.Is(err, dns.ErrResponseRejectedCached) {
+					rejected = true
+					r.dnsLogger.DebugContext(ctx, E.Cause(err, "response rejected for ", formatQuestion(message.Question[0].String())), " (cached)")
+				} else if errors.Is(err, dns.ErrResponseRejected) {
+					rejected = true
+					r.dnsLogger.DebugContext(ctx, E.Cause(err, "response rejected for ", formatQuestion(message.Question[0].String())))
+				} else if len(message.Question) > 0 {
+					r.dnsLogger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", formatQuestion(message.Question[0].String())))
+				} else {
+					r.dnsLogger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
+				}
+			}
+			if addressLimit && rejected {
+				continue
+			}
+			break
 		}
 	}
-	if len(message.Question) > 0 && response != nil {
-		LogDNSAnswers(r.dnsLogger, ctx, message.Question[0].Name, response.Answer)
+	if err != nil {
+		return nil, err
 	}
 	if r.dnsReverseMapping != nil && len(message.Question) > 0 && response != nil && len(response.Answer) > 0 {
-		for _, answer := range response.Answer {
-			switch record := answer.(type) {
-			case *mDNS.A:
-				r.dnsReverseMapping.Save(M.AddrFromIP(record.A), fqdnToDomain(record.Hdr.Name), int(record.Hdr.Ttl))
-			case *mDNS.AAAA:
-				r.dnsReverseMapping.Save(M.AddrFromIP(record.AAAA), fqdnToDomain(record.Hdr.Name), int(record.Hdr.Ttl))
+		if _, isFakeIP := transport.(adapter.FakeIPTransport); !isFakeIP {
+			for _, answer := range response.Answer {
+				switch record := answer.(type) {
+				case *mDNS.A:
+					r.dnsReverseMapping.Save(M.AddrFromIP(record.A), fqdnToDomain(record.Hdr.Name), int(record.Hdr.Ttl))
+				case *mDNS.AAAA:
+					r.dnsReverseMapping.Save(M.AddrFromIP(record.AAAA), fqdnToDomain(record.Hdr.Name), int(record.Hdr.Ttl))
+				}
 			}
 		}
 	}
-	return response, err
+	return response, nil
 }
 
 func (r *Router) Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error) {
+	var (
+		responseAddrs []netip.Addr
+		cached        bool
+		err           error
+	)
+	responseAddrs, cached = r.dnsClient.LookupCache(ctx, domain, strategy)
+	if cached {
+		return responseAddrs, nil
+	}
 	r.dnsLogger.DebugContext(ctx, "lookup domain ", domain)
 	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Domain = domain
-	ctx, transport, transportStrategy := r.matchDNS(ctx, false)
-	if strategy == dns.DomainStrategyAsIS {
-		strategy = transportStrategy
+	var (
+		transport         dns.Transport
+		transportStrategy dns.DomainStrategy
+		rule              adapter.DNSRule
+		ruleIndex         int
+	)
+	ruleIndex = -1
+	for {
+		var (
+			dnsCtx       context.Context
+			cancel       context.CancelFunc
+			addressLimit bool
+		)
+		metadata.ResetRuleCache()
+		metadata.DestinationAddresses = nil
+		dnsCtx, transport, transportStrategy, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex)
+		if strategy == dns.DomainStrategyAsIS {
+			strategy = transportStrategy
+		}
+		dnsCtx, cancel = context.WithTimeout(dnsCtx, C.DNSTimeout)
+		if rule != nil && rule.WithAddressLimit() {
+			addressLimit = true
+			responseAddrs, err = r.dnsClient.LookupWithResponseCheck(dnsCtx, transport, domain, strategy, func(responseAddrs []netip.Addr) bool {
+				metadata.DestinationAddresses = responseAddrs
+				return rule.MatchAddressLimit(metadata)
+			})
+		} else {
+			addressLimit = false
+			responseAddrs, err = r.dnsClient.Lookup(dnsCtx, transport, domain, strategy)
+		}
+		cancel()
+		if err != nil {
+			if errors.Is(err, dns.ErrResponseRejectedCached) {
+				r.dnsLogger.DebugContext(ctx, "response rejected for ", domain, " (cached)")
+			} else if errors.Is(err, dns.ErrResponseRejected) {
+				r.dnsLogger.DebugContext(ctx, "response rejected for ", domain)
+			} else {
+				r.dnsLogger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
+			}
+		} else if len(responseAddrs) == 0 {
+			r.dnsLogger.ErrorContext(ctx, "lookup failed for ", domain, ": empty result")
+			err = dns.RCodeNameError
+		}
+		if !addressLimit || err == nil {
+			break
+		}
 	}
-	ctx, cancel := context.WithTimeout(ctx, C.DNSTimeout)
-	defer cancel()
-	addrs, err := r.dnsClient.Lookup(ctx, transport, domain, strategy)
-	if len(addrs) > 0 {
-		r.dnsLogger.InfoContext(ctx, "lookup succeed for ", domain, ": ", strings.Join(F.MapToString(addrs), " "))
-	} else if err != nil {
-		r.dnsLogger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
-	} else {
-		r.dnsLogger.ErrorContext(ctx, "lookup failed for ", domain, ": empty result")
-		err = dns.RCodeNameError
+	if len(responseAddrs) > 0 {
+		r.dnsLogger.InfoContext(ctx, "lookup succeed for ", domain, ": ", strings.Join(F.MapToString(responseAddrs), " "))
 	}
-	return addrs, err
+	return responseAddrs, err
 }
 
 func (r *Router) LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error) {
@@ -154,10 +254,13 @@ func (r *Router) ClearDNSCache() {
 	}
 }
 
-func LogDNSAnswers(logger log.ContextLogger, ctx context.Context, domain string, answers []mDNS.RR) {
-	for _, answer := range answers {
-		logger.InfoContext(ctx, "exchanged ", domain, " ", mDNS.Type(answer.Header().Rrtype).String(), " ", formatQuestion(answer.String()))
+func isAddressQuery(message *mDNS.Msg) bool {
+	for _, question := range message.Question {
+		if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
+			return true
+		}
 	}
+	return false
 }
 
 func fqdnToDomain(fqdn string) string {

route/router_rule.go

@@ -59,7 +59,7 @@ func isGeoIPRule(rule option.DefaultRule) bool {
 }
 
 func isGeoIPDNSRule(rule option.DefaultDNSRule) bool {
-	return len(rule.SourceGeoIP) > 0 && common.Any(rule.SourceGeoIP, notPrivateNode)
+	return len(rule.SourceGeoIP) > 0 && common.Any(rule.SourceGeoIP, notPrivateNode) || len(rule.GeoIP) > 0 && common.Any(rule.GeoIP, notPrivateNode)
 }
 
 func isGeositeRule(rule option.DefaultRule) bool {
@@ -97,3 +97,7 @@ func isWIFIDNSRule(rule option.DefaultDNSRule) bool {
 func isWIFIHeadlessRule(rule option.DefaultHeadlessRule) bool {
 	return len(rule.WIFISSID) > 0 || len(rule.WIFIBSSID) > 0
 }
+
+func isIPCIDRHeadlessRule(rule option.DefaultHeadlessRule) bool {
+	return len(rule.IPCIDR) > 0 || rule.IPSet != nil
+}