refactor: Modular inbounds

refactor: Modular outbounds
Implement dns-hijack
2026-04-13 20:28:32 +10:00 · 2024-11-03 20:24:41 +08:00 · 2024-11-03 19:56:44 +08:00 · 2024-11-03 19:47:17 +08:00 · 2024-11-03 19:47:15 +08:00 · 2024-11-03 19:47:11 +08:00
404 changed files with 16033 additions and 9155 deletions
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -22,43 +22,22 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.22
+          go-version: ^1.23
        continue-on-error: true
      - name: Run Test
        run: |
          go test -v ./...
  build_go118:
    name: Debug build (Go 1.18)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ~1.18
      - name: Cache go module
        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
          key: go118-${{ hashFiles('**/go.sum') }}
      - name: Run Test
        run: make ci_build_go118
  build_go120:
    name: Debug build (Go 1.20)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -78,7 +57,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -93,6 +72,26 @@ jobs:
          key: go121-${{ hashFiles('**/go.sum') }}
      - name: Run Test
        run: make ci_build
  build_go122:
    name: Debug build (Go 1.22)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ~1.22
      - name: Cache go module
        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
          key: go122-${{ hashFiles('**/go.sum') }}
      - name: Run Test
        run: make ci_build
  cross:
    strategy:
      matrix:
@@ -208,7 +207,7 @@ jobs:
      TAGS: with_clash_api,with_quic
    steps:
      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,16 +1,93 @@
-name: Build Docker Images
+name: Publish Docker Images
 on:
  release:
    types:
-      - released
+      - published
  workflow_dispatch:
    inputs:
      tag:
        description: "The tag version you want to build"
 env:
  REGISTRY_IMAGE: ghcr.io/sagernet/sing-box
 jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
      matrix:
        platform:
          - linux/amd64
          - linux/arm/v6
          - linux/arm/v7
          - linux/arm64
          - linux/386
          - linux/ppc64le
          - linux/riscv64
          - linux/s390x
    steps:
      - name: Get commit to build
        id: ref
        run: |-
          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
            ref="${{ github.ref_name }}"
          else
            ref="${{ github.event.inputs.tag }}"
          fi
          echo "ref=$ref"
          echo "ref=$ref" >> $GITHUB_OUTPUT
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          ref: ${{ steps.ref.outputs.ref }}
          fetch-depth: 0
      - name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      - name: Setup QEMU
        uses: docker/setup-qemu-action@v3
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
      - name: Build and push by digest
        id: build
        uses: docker/build-push-action@v6
        with:
          platforms: ${{ matrix.platform }}
          context: .
          build-args: |
            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
      - name: Export digest
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1
  merge:
    runs-on: ubuntu-latest
    needs:
      - build
    steps:
      - name: Get commit to build
        id: ref
@@ -29,34 +106,28 @@ jobs:
          fi
          echo "latest=$latest"
          echo "latest=$latest" >> $GITHUB_OUTPUT
-      - name: Checkout
+      - name: Download digests
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/download-artifact@v4
        with:
-          ref: ${{ steps.ref.outputs.ref }}
+          path: /tmp/digests
-      - name: Setup Docker Buildx
+          pattern: digests-*
          merge-multiple: true
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Setup QEMU for Docker Buildx
        uses: docker/setup-qemu-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Docker metadata
+      - name: Create manifest list and push
-        id: metadata
+        working-directory: /tmp/digests
-        uses: docker/metadata-action@v5
+        run: |
-        with:
+          docker buildx imagetools create \
-          images: ghcr.io/sagernet/sing-box
+            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}" \
-      - name: Build and release Docker images
+            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
-        uses: docker/build-push-action@v5
+            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
-        with:
+      - name: Inspect image
-          platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
+        run: |
-          context: .
+          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}
-          target: dist
+          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}
          build-args: |
            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
          tags: |
            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.latest }}
            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.ref }}
          push: true
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -22,13 +22,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.22
+          go-version: ^1.23
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -10,13 +10,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.22
+          go-version: ^1.23
      - name: Extract signing key
        run: |-
          mkdir -p $HOME/.gnupg
@@ -26,7 +26,7 @@ jobs:
          EOF
          echo "HOME=$HOME" >> "$GITHUB_ENV"
      - name: Publish release
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro
          version: latest
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -13,3 +13,4 @@ jobs:
          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
          days-before-stale: 60
          days-before-close: 5
          exempt-issue-labels: 'bug,enhancement'
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,5 @@
 /*.xcframework/
 .DS_Store
 /config.d/
 /venv/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -6,14 +6,7 @@ linters:
    - gci
    - staticcheck
    - paralleltest
-
+    - ineffassign
 run:
  skip-dirs:
    - transport/simple-obfs
    - transport/clashssr
    - transport/cloudflaretls
    - transport/shadowtls/tls
    - transport/shadowtls/tls_go119
 linters-settings:
  gci:
@@ -23,4 +16,13 @@ linters-settings:
      - prefix(github.com/sagernet/)
      - default
  staticcheck:
-    go: '1.20'
+    checks:
      - all
      - -SA1003
 run:
  go: "1.23"
 issues:
  exclude-dirs:
    - transport/simple-obfs
--- a/.goreleaser.fury.yaml
+++ b/.goreleaser.fury.yaml
@@ -26,6 +26,7 @@ builds:
      - linux_arm_7
      - linux_s390x
      - linux_riscv64
      - linux_mips64le
    mod_timestamp: '{{ .CommitTimestamp }}'
 snapshot:
  name_template: "{{ .Version }}.{{ .ShortCommit }}"
@@ -36,7 +37,6 @@ nfpms:
    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
    builds:
      - main
    vendor: sagernet
    homepage: https://sing-box.sagernet.org/
    maintainer: nekohasekai <contact-git@sekai.icu>
    description: The universal proxy platform.
@@ -49,10 +49,19 @@ nfpms:
      - src: release/config/config.json
        dst: /etc/sing-box/config.json
        type: config
      - src: release/config/sing-box.service
        dst: /usr/lib/systemd/system/sing-box.service
      - src: release/config/sing-box@.service
        dst: /usr/lib/systemd/system/sing-box@.service
      - src: release/completions/sing-box.bash
        dst: /usr/share/bash-completion/completions/sing-box.bash
      - src: release/completions/sing-box.fish
        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
      - src: release/completions/sing-box.zsh
        dst: /usr/share/zsh/site-functions/_sing-box
      - src: LICENSE
        dst: /usr/share/licenses/sing-box/LICENSE
    deb:
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,3 +1,4 @@
 version: 2
 project_name: sing-box
 builds:
  - &template
@@ -7,7 +8,9 @@ builds:
      - -v
      - -trimpath
    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
      - -s
      - -buildid=
    tags:
      - with_gvisor
      - with_quic
@@ -23,13 +26,13 @@ builds:
    targets:
      - linux_386
      - linux_amd64_v1
      - linux_amd64_v3
      - linux_arm64
      - linux_arm_6
      - linux_arm_7
      - linux_s390x
      - linux_riscv64
      - linux_mips64le
      - windows_amd64_v1
      - windows_amd64_v3
      - windows_386
      - windows_arm64
      - darwin_amd64_v1
@@ -86,8 +89,6 @@ builds:
      - android_arm64
      - android_386
      - android_amd64
 snapshot:
  name_template: "{{ .Version }}.{{ .ShortCommit }}"
 archives:
  - &template
    id: archive
@@ -101,7 +102,7 @@ archives:
    wrap_in_directory: true
    files:
      - LICENSE
-    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
  - id: archive-legacy
    <<: *template
    builds:
@@ -110,10 +111,9 @@ archives:
 nfpms:
  - id: package
    package_name: sing-box
-    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
    builds:
      - main
    vendor: sagernet
    homepage: https://sing-box.sagernet.org/
    maintainer: nekohasekai <contact-git@sekai.icu>
    description: The universal proxy platform.
@@ -122,15 +122,26 @@ nfpms:
      - deb
      - rpm
      - archlinux
 #      - apk
 #      - ipk
    priority: extra
    contents:
      - src: release/config/config.json
        dst: /etc/sing-box/config.json
        type: config
      - src: release/config/sing-box.service
        dst: /usr/lib/systemd/system/sing-box.service
      - src: release/config/sing-box@.service
        dst: /usr/lib/systemd/system/sing-box@.service
      - src: release/completions/sing-box.bash
        dst: /usr/share/bash-completion/completions/sing-box.bash
      - src: release/completions/sing-box.fish
        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
      - src: release/completions/sing-box.zsh
        dst: /usr/share/zsh/site-functions/_sing-box
      - src: LICENSE
        dst: /usr/share/licenses/sing-box/LICENSE
    deb:
@@ -142,13 +153,34 @@ nfpms:
      signature:
        key_file: "{{ .Env.NFPM_KEY_PATH }}"
    overrides:
-      deb:
+      apk:
-        conflicts:
+        contents:
-          - sing-box-beta
+          - src: release/config/config.json
-      rpm:
+            dst: /etc/sing-box/config.json
-        conflicts:
+            type: config
          - sing-box-beta
          - src: release/config/sing-box.initd
            dst: /etc/init.d/sing-box
          - src: release/completions/sing-box.bash
            dst: /usr/share/bash-completion/completions/sing-box.bash
          - src: release/completions/sing-box.fish
            dst: /usr/share/fish/vendor_completions.d/sing-box.fish
          - src: release/completions/sing-box.zsh
            dst: /usr/share/zsh/site-functions/_sing-box
          - src: LICENSE
            dst: /usr/share/licenses/sing-box/LICENSE
      ipk:
        contents:
          - src: release/config/config.json
            dst: /etc/sing-box/config.json
            type: config
          - src: release/config/openwrt.init
            dst: /etc/init.d/sing-box
          - src: release/config/openwrt.conf
            dst: /etc/config/sing-box
 source:
  enabled: false
  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
--- a/4
+++ b/4
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.22-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.23-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
@@ -21,7 +21,7 @@ FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
    && apk upgrade \
-    && apk add bash tzdata ca-certificates \
+    && apk add bash tzdata ca-certificates nftables \
    && rm -rf /var/cache/apk/*
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]
--- a/88
+++ b/88
@@ -1,7 +1,6 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api
+TAGS_GO120 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls
 TAGS_GO120 = with_quic,with_utls
 TAGS_GO121 = with_ech
 TAGS ?= $(TAGS_GO118),$(TAGS_GO120),$(TAGS_GO121)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server
@@ -20,18 +19,17 @@ PREFIX ?= $(shell go env GOPATH)
 build:
 	go build $(MAIN_PARAMS) $(MAIN)
 ci_build_go118:
 	go build $(PARAMS) $(MAIN)
 	go build $(PARAMS) -tags "$(TAGS_GO118)" $(MAIN)
 ci_build_go120:
 	go build $(PARAMS) $(MAIN)
-	go build $(PARAMS) -tags "$(TAGS_GO118),$(TAGS_GO120)" $(MAIN)
+	go build $(PARAMS) -tags "$(TAGS_GO120)" $(MAIN)
 ci_build:
 	go build $(PARAMS) $(MAIN)
 	go build $(MAIN_PARAMS) $(MAIN)
 generate_completions:
 	go run -v --tags generate,generate_completions $(MAIN)
 install:
 	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
@@ -71,7 +69,6 @@ release:
 		dist/*.deb \
 		dist/*.rpm \
 		dist/*_amd64.pkg.tar.zst \
 		dist/*_amd64v3.pkg.tar.zst \
 		dist/*_arm64.pkg.tar.zst \
 		dist/release
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
@@ -104,10 +101,12 @@ publish_android:
 publish_android_appcenter:
 	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadPlayRelease
 # TODO: find why and remove `-destination 'generic/platform=iOS'`
 build_ios:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFI.xcarchive && \
-	xcodebuild archive -scheme SFI -configuration Release -archivePath build/SFI.xcarchive
+	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates
 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
@@ -118,55 +117,70 @@ release_ios: build_ios upload_ios_app_store
 build_macos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFM.xcarchive && \
-	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive
+	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive -allowProvisioningUpdates
 upload_macos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
 release_macos: build_macos upload_macos_app_store
-build_macos_independent:
+build_macos_standalone:
 	cd ../sing-box-for-apple && \
-	rm -rf build/SFT.System.xcarchive && \
+	rm -rf build/SFM.System.xcarchive && \
-	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive
+	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive -allowProvisioningUpdates
-notarize_macos_independent:
+build_macos_dmg:
 	cd ../sing-box-for-apple && \
 	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist  -allowProvisioningUpdates
 wait_notarize_macos_independent:
 	sleep 60
 export_macos_independent:
 	rm -rf dist/SFM
 	mkdir -p dist/SFM
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportNotarizedApp -archivePath build/SFM.System.xcarchive -exportPath "../sing-box/dist/SFM"
+	rm -rf build/SFM.System && \
 	rm -rf build/SFM.dmg && \
 	xcodebuild -exportArchive \
 		-archivePath "build/SFM.System.xcarchive" \
 		-exportOptionsPlist SFM.System/Export.plist -allowProvisioningUpdates \
 		-exportPath "build/SFM.System" && \
 	create-dmg \
 		--volname "sing-box" \
 		--volicon "build/SFM.System/SFM.app/Contents/Resources/AppIcon.icns" \
 		--icon "SFM.app" 0 0 \
 		--hide-extension "SFM.app" \
 		--app-drop-link 0 0 \
 		--skip-jenkins \
 		--notarize "notarytool-password" \
 		"../sing-box/dist/SFM/SFM.dmg" "build/SFM.System/SFM.app"
-upload_macos_independent:
+upload_macos_dmg:
 	cd dist/SFM && \
-	rm -f *.zip && \
+	cp SFM.dmg "SFM-${VERSION}-universal.dmg" && \
-	zip -ry "SFM-${VERSION}-universal.zip" SFM.app && \
+	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dmg"
 	ghr --replace --draft --prerelease "v${VERSION}" *.zip
-release_macos_independent: build_macos_independent notarize_macos_independent wait_notarize_macos_independent export_macos_independent upload_macos_independent
+upload_macos_dsyms:
 	pushd ../sing-box-for-apple/build/SFM.System.xcarchive && \
 	zip -r SFM.dSYMs.zip dSYMs && \
 	mv SFM.dSYMs.zip ../../../sing-box/dist/SFM && \
 	popd && \
 	cd dist/SFM && \
 	cp SFM.dSYMs.zip "SFM-${VERSION}-universal.dSYMs.zip" && \
 	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dSYMs.zip"
 release_macos_standalone: build_macos_standalone build_macos_dmg upload_macos_dmg upload_macos_dsyms
 build_tvos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.xcarchive && \
-	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive
+	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive -allowProvisioningUpdates
 upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
 release_tvos: build_tvos upload_tvos_app_store
 update_apple_version:
 	go run ./cmd/internal/update_apple_version
-release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
+release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_standalone
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
@@ -193,17 +207,19 @@ lib:
 	go run ./cmd/internal/build_libbox -target ios
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.3
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.4
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.3
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.4
 docs:
-	mkdocs serve
+	venv/bin/mkdocs serve
 publish_docs:
-	mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
+	venv/bin/mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
 docs_install:
-	pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
+	python -m venv venv
 	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
 clean:
 	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box
--- a/README.md
+++ b/README.md
@@ -8,10 +8,6 @@ The universal proxy platform.
 https://sing-box.sagernet.org
 ## Support
 https://community.sagernet.org/c/sing-box/
 ## License
 ```
--- a/adapter/conn_router.go
+++ b/adapter/conn_router.go
@@ -1,104 +0,0 @@
 package adapter
 import (
 	"context"
 	"net"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type ConnectionRouter interface {
 	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }
 func NewRouteHandler(
 	metadata InboundContext,
 	router ConnectionRouter,
 	logger logger.ContextLogger,
 ) UpstreamHandlerAdapter {
 	return &routeHandlerWrapper{
 		metadata: metadata,
 		router:   router,
 		logger:   logger,
 	}
 }
 func NewRouteContextHandler(
 	router ConnectionRouter,
 	logger logger.ContextLogger,
 ) UpstreamHandlerAdapter {
 	return &routeContextHandlerWrapper{
 		router: router,
 		logger: logger,
 	}
 }
 var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
 type routeHandlerWrapper struct {
 	metadata InboundContext
 	router   ConnectionRouter
 	logger   logger.ContextLogger
 }
 func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := w.metadata
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.router.RouteConnection(ctx, conn, myMetadata)
 }
 func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := w.metadata
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
 }
 func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
 	w.logger.ErrorContext(ctx, err)
 }
 var _ UpstreamHandlerAdapter = (*routeContextHandlerWrapper)(nil)
 type routeContextHandlerWrapper struct {
 	router ConnectionRouter
 	logger logger.ContextLogger
 }
 func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.router.RouteConnection(ctx, conn, *myMetadata)
 }
 func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
 }
 func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
 	w.logger.ErrorContext(ctx, err)
 }
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@@ -4,14 +4,13 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
 	"io"
 	"net"
 	"time"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-dns"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/rw"
+	"github.com/sagernet/sing/common/varbin"
 )
 type ClashServer interface {
@@ -56,16 +55,15 @@ func (s *SavedRuleSet) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	err = rw.WriteUVariant(&buffer, uint64(len(s.Content)))
+	err = varbin.Write(&buffer, binary.BigEndian, s.Content)
 	if err != nil {
 		return nil, err
 	}
 	buffer.Write(s.Content)
 	err = binary.Write(&buffer, binary.BigEndian, s.LastUpdated.Unix())
 	if err != nil {
 		return nil, err
 	}
-	err = rw.WriteVString(&buffer, s.LastEtag)
+	err = varbin.Write(&buffer, binary.BigEndian, s.LastEtag)
 	if err != nil {
 		return nil, err
 	}
@@ -79,12 +77,7 @@ func (s *SavedRuleSet) UnmarshalBinary(data []byte) error {
 	if err != nil {
 		return err
 	}
-	contentLen, err := rw.ReadUVariant(reader)
+	err = varbin.Read(reader, binary.BigEndian, &s.Content)
 	if err != nil {
 		return err
 	}
 	s.Content = make([]byte, contentLen)
 	_, err = io.ReadFull(reader, s.Content)
 	if err != nil {
 		return err
 	}
@@ -94,7 +87,7 @@ func (s *SavedRuleSet) UnmarshalBinary(data []byte) error {
 		return err
 	}
 	s.LastUpdated = time.Unix(lastUpdated, 0)
-	s.LastEtag, err = rw.ReadVString(reader)
+	err = varbin.Read(reader, binary.BigEndian, &s.LastEtag)
 	if err != nil {
 		return err
 	}
--- a/adapter/handler.go
+++ b/adapter/handler.go
@@ -6,27 +6,53 @@ import (
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 // Deprecated
 type ConnectionHandler interface {
 	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 }
 type ConnectionHandlerEx interface {
 	NewConnectionEx(ctx context.Context, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
 }
 // Deprecated: use PacketHandlerEx instead
 type PacketHandler interface {
 	NewPacket(ctx context.Context, conn N.PacketConn, buffer *buf.Buffer, metadata InboundContext) error
 }
 type PacketHandlerEx interface {
 	NewPacketEx(buffer *buf.Buffer, source M.Socksaddr)
 }
 // Deprecated: use OOBPacketHandlerEx instead
 type OOBPacketHandler interface {
 	NewPacket(ctx context.Context, conn N.PacketConn, buffer *buf.Buffer, oob []byte, metadata InboundContext) error
 }
 type OOBPacketHandlerEx interface {
 	NewPacketEx(buffer *buf.Buffer, oob []byte, source M.Socksaddr)
 }
 // Deprecated
 type PacketConnectionHandler interface {
 	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }
 type PacketConnectionHandlerEx interface {
 	NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 }
 type UpstreamHandlerAdapter interface {
 	N.TCPConnectionHandler
 	N.UDPConnectionHandler
 	E.Handler
 }
 type UpstreamHandlerAdapterEx interface {
 	N.TCPConnectionHandlerEx
 	N.UDPConnectionHandlerEx
 }
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -2,13 +2,12 @@ package adapter
 import (
 	"context"
 	"net"
 	"net/netip"
 	"github.com/sagernet/sing-box/common/process"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type Inbound interface {
@@ -17,11 +16,19 @@ type Inbound interface {
 	Tag() string
 }
-type InjectableInbound interface {
+type TCPInjectableInbound interface {
 	Inbound
-	Network() []string
+	ConnectionHandlerEx
-	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+}
-	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+
 type UDPInjectableInbound interface {
 	Inbound
 	PacketConnectionHandlerEx
 }
 type InboundRegistry interface {
 	option.InboundOptionsRegistry
 	CreateInbound(ctx context.Context, router Router, logger log.ContextLogger, tag string, outboundType string, options any) (Inbound, error)
 }
 type InboundContext struct {
@@ -31,17 +38,27 @@ type InboundContext struct {
 	Network     string
 	Source      M.Socksaddr
 	Destination M.Socksaddr
 	Domain      string
 	Protocol    string
 	User        string
 	Outbound    string
 	// sniffer
 	Protocol     string
 	Domain       string
 	Client       string
 	SniffContext any
 	// cache
-	InboundDetour        string
+	// Deprecated: implement in rule action
-	LastInbound          string
+	InboundDetour     string
-	OriginDestination    M.Socksaddr
+	LastInbound       string
-	InboundOptions       option.InboundOptions
+	OriginDestination M.Socksaddr
 	// Deprecated
 	InboundOptions            option.InboundOptions
 	UDPDisableDomainUnmapping bool
 	DNSServer                 string
 	DestinationAddresses []netip.Addr
 	SourceGeoIPCode      string
 	GeoIPCode            string
@@ -51,7 +68,9 @@ type InboundContext struct {
 	// rule cache
-	IPCIDRMatchSource            bool
+	IPCIDRMatchSource bool
 	IPCIDRAcceptEmpty bool
 	SourceAddressMatch           bool
 	SourcePortMatch              bool
 	DestinationAddressMatch      bool
@@ -62,6 +81,7 @@ type InboundContext struct {
 func (c *InboundContext) ResetRuleCache() {
 	c.IPCIDRMatchSource = false
 	c.IPCIDRAcceptEmpty = false
 	c.SourceAddressMatch = false
 	c.SourcePortMatch = false
 	c.DestinationAddressMatch = false
@@ -83,15 +103,6 @@ func ContextFrom(ctx context.Context) *InboundContext {
 	return metadata.(*InboundContext)
 }
 func AppendContext(ctx context.Context) (context.Context, *InboundContext) {
 	metadata := ContextFrom(ctx)
 	if metadata != nil {
 		return ctx, metadata
 	}
 	metadata = new(InboundContext)
 	return WithContext(ctx, metadata), metadata
 }
 func ExtendContext(ctx context.Context) (context.Context, *InboundContext) {
 	var newMetadata InboundContext
 	if metadata := ContextFrom(ctx); metadata != nil {
--- a/adapter/inbound/adapter.go
+++ b/adapter/inbound/adapter.go
@@ -0,0 +1,21 @@
 package inbound
 type Adapter struct {
 	inboundType string
 	inboundTag  string
 }
 func NewAdapter(inboundType string, inboundTag string) Adapter {
 	return Adapter{
 		inboundType: inboundType,
 		inboundTag:  inboundTag,
 	}
 }
 func (a *Adapter) Type() string {
 	return a.inboundType
 }
 func (a *Adapter) Tag() string {
 	return a.inboundTag
 }
--- a/adapter/inbound/registry.go
+++ b/adapter/inbound/registry.go
@@ -0,0 +1,68 @@
 package inbound
 import (
 	"context"
 	"sync"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 type ConstructorFunc[T any] func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options T) (adapter.Inbound, error)
 func Register[Options any](registry *Registry, outboundType string, constructor ConstructorFunc[Options]) {
 	registry.register(outboundType, func() any {
 		return new(Options)
 	}, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Inbound, error) {
 		return constructor(ctx, router, logger, tag, common.PtrValueOrDefault(options.(*Options)))
 	})
 }
 var _ adapter.InboundRegistry = (*Registry)(nil)
 type (
 	optionsConstructorFunc func() any
 	constructorFunc        func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Inbound, error)
 )
 type Registry struct {
 	access       sync.Mutex
 	optionsType  map[string]optionsConstructorFunc
 	constructors map[string]constructorFunc
 }
 func NewRegistry() *Registry {
 	return &Registry{
 		optionsType:  make(map[string]optionsConstructorFunc),
 		constructors: make(map[string]constructorFunc),
 	}
 }
 func (r *Registry) CreateOptions(outboundType string) (any, bool) {
 	r.access.Lock()
 	defer r.access.Unlock()
 	optionsConstructor, loaded := r.optionsType[outboundType]
 	if !loaded {
 		return nil, false
 	}
 	return optionsConstructor(), true
 }
 func (r *Registry) CreateInbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, outboundType string, options any) (adapter.Inbound, error) {
 	r.access.Lock()
 	defer r.access.Unlock()
 	constructor, loaded := r.constructors[outboundType]
 	if !loaded {
 		return nil, E.New("outbound type not found: " + outboundType)
 	}
 	return constructor(ctx, router, logger, tag, options)
 }
 func (r *Registry) register(outboundType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
 	r.access.Lock()
 	defer r.access.Unlock()
 	r.optionsType[outboundType] = optionsConstructor
 	r.constructors[outboundType] = constructor
 }
--- a/adapter/outbound.go
+++ b/adapter/outbound.go
@@ -2,8 +2,9 @@ package adapter
 import (
 	"context"
 	"net"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -15,6 +16,9 @@ type Outbound interface {
 	Network() []string
 	Dependencies() []string
 	N.Dialer
-	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+}
-	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+
 type OutboundRegistry interface {
 	option.OutboundOptionsRegistry
 	CreateOutbound(ctx context.Context, router Router, logger log.ContextLogger, tag string, outboundType string, options any) (Outbound, error)
 }
--- a/adapter/outbound/adapter.go
+++ b/adapter/outbound/adapter.go
@@ -0,0 +1,45 @@
 package outbound
 import (
 	"github.com/sagernet/sing-box/option"
 )
 type Adapter struct {
 	protocol     string
 	network      []string
 	tag          string
 	dependencies []string
 }
 func NewAdapter(protocol string, network []string, tag string, dependencies []string) Adapter {
 	return Adapter{
 		protocol:     protocol,
 		network:      network,
 		tag:          tag,
 		dependencies: dependencies,
 	}
 }
 func NewAdapterWithDialerOptions(protocol string, network []string, tag string, dialOptions option.DialerOptions) Adapter {
 	var dependencies []string
 	if dialOptions.Detour != "" {
 		dependencies = []string{dialOptions.Detour}
 	}
 	return NewAdapter(protocol, network, tag, dependencies)
 }
 func (a *Adapter) Type() string {
 	return a.protocol
 }
 func (a *Adapter) Tag() string {
 	return a.tag
 }
 func (a *Adapter) Network() []string {
 	return a.network
 }
 func (a *Adapter) Dependencies() []string {
 	return a.dependencies
 }
--- a/adapter/outbound/default.go
+++ b/adapter/outbound/default.go
@@ -9,8 +9,6 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
@@ -21,42 +19,6 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )
 type myOutboundAdapter struct {
 	protocol     string
 	network      []string
 	router       adapter.Router
 	logger       log.ContextLogger
 	tag          string
 	dependencies []string
 }
 func (a *myOutboundAdapter) Type() string {
 	return a.protocol
 }
 func (a *myOutboundAdapter) Tag() string {
 	return a.tag
 }
 func (a *myOutboundAdapter) Network() []string {
 	return a.network
 }
 func (a *myOutboundAdapter) Dependencies() []string {
 	return a.dependencies
 }
 func (a *myOutboundAdapter) NewError(ctx context.Context, err error) {
 	NewError(a.logger, ctx, err)
 }
 func withDialerDependency(options option.DialerOptions) []string {
 	if options.Detour != "" {
 		return []string{options.Detour}
 	}
 	return nil
 }
 func NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata adapter.InboundContext) error {
 	ctx = adapter.WithContext(ctx, &metadata)
 	var outConn net.Conn
@@ -69,7 +31,7 @@ func NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata a
 	if err != nil {
 		return N.ReportHandshakeFailure(conn, err)
 	}
-	err = N.ReportHandshakeSuccess(conn)
+	err = N.ReportConnHandshakeSuccess(conn, outConn)
 	if err != nil {
 		outConn.Close()
 		return err
@@ -96,7 +58,7 @@ func NewDirectConnection(ctx context.Context, router adapter.Router, this N.Dial
 	if err != nil {
 		return N.ReportHandshakeFailure(conn, err)
 	}
-	err = N.ReportHandshakeSuccess(conn)
+	err = N.ReportConnHandshakeSuccess(conn, outConn)
 	if err != nil {
 		outConn.Close()
 		return err
@@ -117,14 +79,14 @@ func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn,
 	if err != nil {
 		return N.ReportHandshakeFailure(conn, err)
 	}
-	err = N.ReportHandshakeSuccess(conn)
+	err = N.ReportPacketConnHandshakeSuccess(conn, outConn)
 	if err != nil {
 		outConn.Close()
 		return err
 	}
 	if destinationAddress.IsValid() {
 		if metadata.Destination.IsFqdn() {
-			if metadata.InboundOptions.UDPDisableDomainUnmapping {
+			if metadata.UDPDisableDomainUnmapping {
 				outConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(outConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
 			} else {
 				outConn = bufio.NewNATPacketConn(bufio.NewPacketConn(outConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
@@ -165,7 +127,7 @@ func NewDirectPacketConnection(ctx context.Context, router adapter.Router, this
 	if err != nil {
 		return N.ReportHandshakeFailure(conn, err)
 	}
-	err = N.ReportHandshakeSuccess(conn)
+	err = N.ReportPacketConnHandshakeSuccess(conn, outConn)
 	if err != nil {
 		outConn.Close()
 		return err
@@ -233,12 +195,3 @@ func CopyEarlyConn(ctx context.Context, conn net.Conn, serverConn net.Conn) erro
 	}
 	return bufio.CopyConn(ctx, conn, serverConn)
 }
 func NewError(logger log.ContextLogger, ctx context.Context, err error) {
 	common.Close(err)
 	if E.IsClosedOrCanceled(err) {
 		logger.DebugContext(ctx, "connection closed: ", err)
 		return
 	}
 	logger.ErrorContext(ctx, err)
 }
--- a/adapter/outbound/registry.go
+++ b/adapter/outbound/registry.go
@@ -0,0 +1,68 @@
 package outbound
 import (
 	"context"
 	"sync"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 type ConstructorFunc[T any] func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options T) (adapter.Outbound, error)
 func Register[Options any](registry *Registry, outboundType string, constructor ConstructorFunc[Options]) {
 	registry.register(outboundType, func() any {
 		return new(Options)
 	}, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Outbound, error) {
 		return constructor(ctx, router, logger, tag, common.PtrValueOrDefault(options.(*Options)))
 	})
 }
 var _ adapter.OutboundRegistry = (*Registry)(nil)
 type (
 	optionsConstructorFunc func() any
 	constructorFunc        func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Outbound, error)
 )
 type Registry struct {
 	access       sync.Mutex
 	optionsType  map[string]optionsConstructorFunc
 	constructors map[string]constructorFunc
 }
 func NewRegistry() *Registry {
 	return &Registry{
 		optionsType:  make(map[string]optionsConstructorFunc),
 		constructors: make(map[string]constructorFunc),
 	}
 }
 func (r *Registry) CreateOptions(outboundType string) (any, bool) {
 	r.access.Lock()
 	defer r.access.Unlock()
 	optionsConstructor, loaded := r.optionsType[outboundType]
 	if !loaded {
 		return nil, false
 	}
 	return optionsConstructor(), true
 }
 func (r *Registry) CreateOutbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, outboundType string, options any) (adapter.Outbound, error) {
 	r.access.Lock()
 	defer r.access.Unlock()
 	constructor, loaded := r.constructors[outboundType]
 	if !loaded {
 		return nil, E.New("outbound type not found: " + outboundType)
 	}
 	return constructor(ctx, router, logger, tag, options)
 }
 func (r *Registry) register(outboundType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
 	r.access.Lock()
 	defer r.access.Unlock()
 	r.optionsType[outboundType] = optionsConstructor
 	r.constructors[outboundType] = constructor
 }
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -2,23 +2,30 @@ package adapter
 import (
 	"context"
 	"net"
 	"net/http"
 	"net/netip"
 	"sync"
 	"github.com/sagernet/sing-box/common/geoip"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"
 	mdns "github.com/miekg/dns"
 	"go4.org/netipx"
 )
 type Router interface {
 	Service
 	PreStarter
 	PostStarter
 	Cleanup() error
 	Outbounds() []Outbound
 	Outbound(tag string) (Outbound, bool)
@@ -27,6 +34,8 @@ type Router interface {
 	FakeIPStore() FakeIPStore
 	ConnectionRouter
 	PreMatch(metadata InboundContext) error
 	ConnectionRouterEx
 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
@@ -45,7 +54,9 @@ type Router interface {
 	DefaultInterface() string
 	AutoDetectInterface() bool
 	AutoDetectInterfaceFunc() control.Func
-	DefaultMark() int
+	DefaultMark() uint32
 	RegisterAutoRedirectOutputMark(mark uint32) error
 	AutoRedirectOutputMark() uint32
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
@@ -61,6 +72,18 @@ type Router interface {
 	ResetNetwork() error
 }
 // Deprecated: Use ConnectionRouterEx instead.
 type ConnectionRouter interface {
 	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }
 type ConnectionRouterEx interface {
 	ConnectionRouter
 	RouteConnectionEx(ctx context.Context, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
 	RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 }
 func ContextWithRouter(ctx context.Context, router Router) context.Context {
 	return service.ContextWith(ctx, router)
 }
@@ -69,45 +92,64 @@ func RouterFromContext(ctx context.Context) Router {
 	return service.FromContext[Router](ctx)
 }
 type HeadlessRule interface {
 	Match(metadata *InboundContext) bool
 	String() string
 }
 type Rule interface {
 	HeadlessRule
 	Service
 	Type() string
 	UpdateGeosite() error
 	Outbound() string
 }
 type DNSRule interface {
 	Rule
 	DisableCache() bool
 	RewriteTTL() *uint32
 	ClientSubnet() *netip.Prefix
 	WithAddressLimit() bool
 	MatchAddressLimit(metadata *InboundContext) bool
 }
 type RuleSet interface {
-	StartContext(ctx context.Context, startContext RuleSetStartContext) error
+	Name() string
 	StartContext(ctx context.Context, startContext *HTTPStartContext) error
 	PostStart() error
 	Metadata() RuleSetMetadata
 	ExtractIPSet() []*netipx.IPSet
 	IncRef()
 	DecRef()
 	Cleanup()
 	RegisterCallback(callback RuleSetUpdateCallback) *list.Element[RuleSetUpdateCallback]
 	UnregisterCallback(element *list.Element[RuleSetUpdateCallback])
 	Close() error
 	HeadlessRule
 }
 type RuleSetUpdateCallback func(it RuleSet)
 type RuleSetMetadata struct {
 	ContainsProcessRule bool
 	ContainsWIFIRule    bool
 	ContainsIPCIDRRule  bool
 }
 type HTTPStartContext struct {
 	access          sync.Mutex
 	httpClientCache map[string]*http.Client
 }
-type RuleSetStartContext interface {
+func NewHTTPStartContext() *HTTPStartContext {
-	HTTPClient(detour string, dialer N.Dialer) *http.Client
+	return &HTTPStartContext{
-	Close()
+		httpClientCache: make(map[string]*http.Client),
 	}
 }
 func (c *HTTPStartContext) HTTPClient(detour string, dialer N.Dialer) *http.Client {
 	c.access.Lock()
 	defer c.access.Unlock()
 	if httpClient, loaded := c.httpClientCache[detour]; loaded {
 		return httpClient
 	}
 	httpClient := &http.Client{
 		Transport: &http.Transport{
 			ForceAttemptHTTP2:   true,
 			TLSHandshakeTimeout: C.TCPTimeout,
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				return dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 			},
 		},
 	}
 	c.httpClientCache[detour] = httpClient
 	return httpClient
 }
 func (c *HTTPStartContext) Close() {
 	c.access.Lock()
 	defer c.access.Unlock()
 	for _, client := range c.httpClientCache {
 		client.CloseIdleConnections()
 	}
 }
 type InterfaceUpdateListener interface {
--- a/adapter/rule.go
+++ b/adapter/rule.go
@@ -0,0 +1,38 @@
 package adapter
 import (
 	C "github.com/sagernet/sing-box/constant"
 )
 type HeadlessRule interface {
 	Match(metadata *InboundContext) bool
 	String() string
 }
 type Rule interface {
 	HeadlessRule
 	Service
 	Type() string
 	UpdateGeosite() error
 	Action() RuleAction
 }
 type DNSRule interface {
 	Rule
 	WithAddressLimit() bool
 	MatchAddressLimit(metadata *InboundContext) bool
 }
 type RuleAction interface {
 	Type() string
 	String() string
 }
 func IsFinalAction(action RuleAction) bool {
 	switch action.Type() {
 	case C.RuleActionTypeSniff, C.RuleActionTypeResolve:
 		return false
 	default:
 		return true
 	}
 }
--- a/adapter/upstream.go
+++ b/adapter/upstream.go
@@ -4,112 +4,165 @@ import (
 	"context"
 	"net"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type (
-	ConnectionHandlerFunc       = func(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	ConnectionHandlerFuncEx       = func(ctx context.Context, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
-	PacketConnectionHandlerFunc = func(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+	PacketConnectionHandlerFuncEx = func(ctx context.Context, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 )
-func NewUpstreamHandler(
+func NewUpstreamHandlerEx(
 	metadata InboundContext,
-	connectionHandler ConnectionHandlerFunc,
+	connectionHandler ConnectionHandlerFuncEx,
-	packetHandler PacketConnectionHandlerFunc,
+	packetHandler PacketConnectionHandlerFuncEx,
-	errorHandler E.Handler,
+) UpstreamHandlerAdapterEx {
-) UpstreamHandlerAdapter {
+	return &myUpstreamHandlerWrapperEx{
 	return &myUpstreamHandlerWrapper{
 		metadata:          metadata,
 		connectionHandler: connectionHandler,
 		packetHandler:     packetHandler,
 		errorHandler:      errorHandler,
 	}
 }
-var _ UpstreamHandlerAdapter = (*myUpstreamHandlerWrapper)(nil)
+var _ UpstreamHandlerAdapterEx = (*myUpstreamHandlerWrapperEx)(nil)
-type myUpstreamHandlerWrapper struct {
+type myUpstreamHandlerWrapperEx struct {
 	metadata          InboundContext
-	connectionHandler ConnectionHandlerFunc
+	connectionHandler ConnectionHandlerFuncEx
-	packetHandler     PacketConnectionHandlerFunc
+	packetHandler     PacketConnectionHandlerFuncEx
 	errorHandler      E.Handler
 }
-func (w *myUpstreamHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+func (w *myUpstreamHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
+	if source.IsValid() {
-		myMetadata.Source = metadata.Source
+		myMetadata.Source = source
 	}
-	if metadata.Destination.IsValid() {
+	if destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
+		myMetadata.Destination = destination
 	}
-	return w.connectionHandler(ctx, conn, myMetadata)
+	w.connectionHandler(ctx, conn, myMetadata, onClose)
 }
-func (w *myUpstreamHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+func (w *myUpstreamHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
+	if source.IsValid() {
-		myMetadata.Source = metadata.Source
+		myMetadata.Source = source
 	}
-	if metadata.Destination.IsValid() {
+	if destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
+		myMetadata.Destination = destination
 	}
-	return w.packetHandler(ctx, conn, myMetadata)
+	w.packetHandler(ctx, conn, myMetadata, onClose)
 }
-func (w *myUpstreamHandlerWrapper) NewError(ctx context.Context, err error) {
+var _ UpstreamHandlerAdapterEx = (*myUpstreamContextHandlerWrapperEx)(nil)
-	w.errorHandler.NewError(ctx, err)
+
 type myUpstreamContextHandlerWrapperEx struct {
 	connectionHandler ConnectionHandlerFuncEx
 	packetHandler     PacketConnectionHandlerFuncEx
 }
-func UpstreamMetadata(metadata InboundContext) M.Metadata {
+func NewUpstreamContextHandlerEx(
-	return M.Metadata{
+	connectionHandler ConnectionHandlerFuncEx,
-		Source:      metadata.Source,
+	packetHandler PacketConnectionHandlerFuncEx,
-		Destination: metadata.Destination,
+) UpstreamHandlerAdapterEx {
-	}
+	return &myUpstreamContextHandlerWrapperEx{
 }
 type myUpstreamContextHandlerWrapper struct {
 	connectionHandler ConnectionHandlerFunc
 	packetHandler     PacketConnectionHandlerFunc
 	errorHandler      E.Handler
 }
 func NewUpstreamContextHandler(
 	connectionHandler ConnectionHandlerFunc,
 	packetHandler PacketConnectionHandlerFunc,
 	errorHandler E.Handler,
 ) UpstreamHandlerAdapter {
 	return &myUpstreamContextHandlerWrapper{
 		connectionHandler: connectionHandler,
 		packetHandler:     packetHandler,
 		errorHandler:      errorHandler,
 	}
 }
-func (w *myUpstreamContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
+	if source.IsValid() {
-		myMetadata.Source = metadata.Source
+		myMetadata.Source = source
 	}
-	if metadata.Destination.IsValid() {
+	if destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
+		myMetadata.Destination = destination
 	}
-	return w.connectionHandler(ctx, conn, *myMetadata)
+	w.connectionHandler(ctx, conn, *myMetadata, onClose)
 }
-func (w *myUpstreamContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+func (w *myUpstreamContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
+	if source.IsValid() {
-		myMetadata.Source = metadata.Source
+		myMetadata.Source = source
 	}
-	if metadata.Destination.IsValid() {
+	if destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
+		myMetadata.Destination = destination
 	}
-	return w.packetHandler(ctx, conn, *myMetadata)
+	w.packetHandler(ctx, conn, *myMetadata, onClose)
 }
-func (w *myUpstreamContextHandlerWrapper) NewError(ctx context.Context, err error) {
+func NewRouteHandlerEx(
-	w.errorHandler.NewError(ctx, err)
+	metadata InboundContext,
 	router ConnectionRouterEx,
 ) UpstreamHandlerAdapterEx {
 	return &routeHandlerWrapperEx{
 		metadata: metadata,
 		router:   router,
 	}
 }
 var _ UpstreamHandlerAdapterEx = (*routeHandlerWrapperEx)(nil)
 type routeHandlerWrapperEx struct {
 	metadata InboundContext
 	router   ConnectionRouterEx
 }
 func (r *routeHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	if source.IsValid() {
 		r.metadata.Source = source
 	}
 	if destination.IsValid() {
 		r.metadata.Destination = destination
 	}
 	r.router.RouteConnectionEx(ctx, conn, r.metadata, onClose)
 }
 func (r *routeHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	if source.IsValid() {
 		r.metadata.Source = source
 	}
 	if destination.IsValid() {
 		r.metadata.Destination = destination
 	}
 	r.router.RoutePacketConnectionEx(ctx, conn, r.metadata, onClose)
 }
 func NewRouteContextHandlerEx(
 	router ConnectionRouterEx,
 ) UpstreamHandlerAdapterEx {
 	return &routeContextHandlerWrapperEx{
 		router: router,
 	}
 }
 var _ UpstreamHandlerAdapterEx = (*routeContextHandlerWrapperEx)(nil)
 type routeContextHandlerWrapperEx struct {
 	router ConnectionRouterEx
 }
 func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	metadata := ContextFrom(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}
 	if destination.IsValid() {
 		metadata.Destination = destination
 	}
 	r.router.RouteConnectionEx(ctx, conn, *metadata, onClose)
 }
 func (r *routeContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	metadata := ContextFrom(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}
 	if destination.IsValid() {
 		metadata.Destination = destination
 	}
 	r.router.RoutePacketConnectionEx(ctx, conn, *metadata, onClose)
 }
--- a/adapter/upstream_legacy.go
+++ b/adapter/upstream_legacy.go
@@ -0,0 +1,216 @@
 package adapter
 import (
 	"context"
 	"net"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type (
 	// Deprecated
 	ConnectionHandlerFunc = func(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	// Deprecated
 	PacketConnectionHandlerFunc = func(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 )
 // Deprecated
 func NewUpstreamHandler(
 	metadata InboundContext,
 	connectionHandler ConnectionHandlerFunc,
 	packetHandler PacketConnectionHandlerFunc,
 	errorHandler E.Handler,
 ) UpstreamHandlerAdapter {
 	return &myUpstreamHandlerWrapper{
 		metadata:          metadata,
 		connectionHandler: connectionHandler,
 		packetHandler:     packetHandler,
 		errorHandler:      errorHandler,
 	}
 }
 var _ UpstreamHandlerAdapter = (*myUpstreamHandlerWrapper)(nil)
 // Deprecated
 type myUpstreamHandlerWrapper struct {
 	metadata          InboundContext
 	connectionHandler ConnectionHandlerFunc
 	packetHandler     PacketConnectionHandlerFunc
 	errorHandler      E.Handler
 }
 func (w *myUpstreamHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := w.metadata
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.connectionHandler(ctx, conn, myMetadata)
 }
 func (w *myUpstreamHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := w.metadata
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.packetHandler(ctx, conn, myMetadata)
 }
 func (w *myUpstreamHandlerWrapper) NewError(ctx context.Context, err error) {
 	w.errorHandler.NewError(ctx, err)
 }
 // Deprecated
 func UpstreamMetadata(metadata InboundContext) M.Metadata {
 	return M.Metadata{
 		Source:      metadata.Source,
 		Destination: metadata.Destination,
 	}
 }
 // Deprecated
 type myUpstreamContextHandlerWrapper struct {
 	connectionHandler ConnectionHandlerFunc
 	packetHandler     PacketConnectionHandlerFunc
 	errorHandler      E.Handler
 }
 // Deprecated
 func NewUpstreamContextHandler(
 	connectionHandler ConnectionHandlerFunc,
 	packetHandler PacketConnectionHandlerFunc,
 	errorHandler E.Handler,
 ) UpstreamHandlerAdapter {
 	return &myUpstreamContextHandlerWrapper{
 		connectionHandler: connectionHandler,
 		packetHandler:     packetHandler,
 		errorHandler:      errorHandler,
 	}
 }
 func (w *myUpstreamContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.connectionHandler(ctx, conn, *myMetadata)
 }
 func (w *myUpstreamContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.packetHandler(ctx, conn, *myMetadata)
 }
 func (w *myUpstreamContextHandlerWrapper) NewError(ctx context.Context, err error) {
 	w.errorHandler.NewError(ctx, err)
 }
 // Deprecated: Use ConnectionRouterEx instead.
 func NewRouteHandler(
 	metadata InboundContext,
 	router ConnectionRouter,
 	logger logger.ContextLogger,
 ) UpstreamHandlerAdapter {
 	return &routeHandlerWrapper{
 		metadata: metadata,
 		router:   router,
 		logger:   logger,
 	}
 }
 // Deprecated: Use ConnectionRouterEx instead.
 func NewRouteContextHandler(
 	router ConnectionRouter,
 	logger logger.ContextLogger,
 ) UpstreamHandlerAdapter {
 	return &routeContextHandlerWrapper{
 		router: router,
 		logger: logger,
 	}
 }
 var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
 // Deprecated: Use ConnectionRouterEx instead.
 type routeHandlerWrapper struct {
 	metadata InboundContext
 	router   ConnectionRouter
 	logger   logger.ContextLogger
 }
 func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := w.metadata
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.router.RouteConnection(ctx, conn, myMetadata)
 }
 func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := w.metadata
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
 }
 func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
 	w.logger.ErrorContext(ctx, err)
 }
 var _ UpstreamHandlerAdapter = (*routeContextHandlerWrapper)(nil)
 // Deprecated: Use ConnectionRouterEx instead.
 type routeContextHandlerWrapper struct {
 	router ConnectionRouter
 	logger logger.ContextLogger
 }
 func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.router.RouteConnection(ctx, conn, *myMetadata)
 }
 func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
 }
 func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
 	w.logger.ErrorContext(ctx, err)
 }
--- a/adapter/v2ray.go
+++ b/adapter/v2ray.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"net"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -16,10 +15,10 @@ type V2RayServerTransport interface {
 }
 type V2RayServerTransportHandler interface {
-	N.TCPConnectionHandler
+	N.TCPConnectionHandlerEx
 	E.Handler
 }
 type V2RayClientTransport interface {
 	DialContext(ctx context.Context) (net.Conn, error)
 	Close() error
 }
--- a/box.go
+++ b/box.go
@@ -14,10 +14,9 @@ import (
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/cachefile"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/inbound"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/outbound"
+	"github.com/sagernet/sing-box/protocol/direct"
 	"github.com/sagernet/sing-box/route"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -44,16 +43,37 @@ type Box struct {
 type Options struct {
 	option.Options
 	Context           context.Context
 	PlatformInterface platform.Interface
 	PlatformLogWriter log.PlatformWriter
 }
 func Context(ctx context.Context, inboundRegistry adapter.InboundRegistry, outboundRegistry adapter.OutboundRegistry) context.Context {
 	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
 		service.FromContext[adapter.InboundRegistry](ctx) == nil {
 		ctx = service.ContextWith[option.InboundOptionsRegistry](ctx, inboundRegistry)
 		ctx = service.ContextWith[adapter.InboundRegistry](ctx, inboundRegistry)
 	}
 	if service.FromContext[option.OutboundOptionsRegistry](ctx) == nil ||
 		service.FromContext[adapter.OutboundRegistry](ctx) == nil {
 		ctx = service.ContextWith[option.OutboundOptionsRegistry](ctx, outboundRegistry)
 		ctx = service.ContextWith[adapter.OutboundRegistry](ctx, outboundRegistry)
 	}
 	return ctx
 }
 func New(options Options) (*Box, error) {
 	createdAt := time.Now()
 	ctx := options.Context
 	if ctx == nil {
 		ctx = context.Background()
 	}
 	inboundRegistry := service.FromContext[adapter.InboundRegistry](ctx)
 	if inboundRegistry == nil {
 		return nil, E.New("missing inbound registry in context")
 	}
 	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
 	if outboundRegistry == nil {
 		return nil, E.New("missing outbound registry in context")
 	}
 	ctx = service.ContextWithDefaultRegistry(ctx)
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
@@ -70,8 +90,9 @@ func New(options Options) (*Box, error) {
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
 		needV2RayAPI = true
 	}
 	platformInterface := service.FromContext[platform.Interface](ctx)
 	var defaultLogWriter io.Writer
-	if options.PlatformInterface != nil {
+	if platformInterface != nil {
 		defaultLogWriter = io.Discard
 	}
 	logFactory, err := log.New(log.Options{
@@ -92,63 +113,92 @@ func New(options Options) (*Box, error) {
 		common.PtrValueOrDefault(options.DNS),
 		common.PtrValueOrDefault(options.NTP),
 		options.Inbounds,
 		options.PlatformInterface,
 	)
 	if err != nil {
 		return nil, E.Cause(err, "parse route options")
 	}
 	//nolint:staticcheck
 	if len(options.LegacyInbounds) > 0 {
 		for _, legacyInbound := range options.LegacyInbounds {
 			options.Inbounds = append(options.Inbounds, option.Inbound{
 				Type:    legacyInbound.Type,
 				Tag:     legacyInbound.Tag,
 				Options: common.Must1(legacyInbound.RawOptions()),
 			})
 		}
 	}
 	inbounds := make([]adapter.Inbound, 0, len(options.Inbounds))
 	//nolint:staticcheck
 	if len(options.LegacyOutbounds) > 0 {
 		for _, legacyOutbound := range options.LegacyOutbounds {
 			options.Outbounds = append(options.Outbounds, option.Outbound{
 				Type:    legacyOutbound.Type,
 				Tag:     legacyOutbound.Tag,
 				Options: common.Must1(legacyOutbound.RawOptions()),
 			})
 		}
 	}
 	outbounds := make([]adapter.Outbound, 0, len(options.Outbounds))
 	for i, inboundOptions := range options.Inbounds {
-		var in adapter.Inbound
+		var currentInbound adapter.Inbound
 		var tag string
 		if inboundOptions.Tag != "" {
 			tag = inboundOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
-		in, err = inbound.New(
+		currentInbound, err = inboundRegistry.CreateInbound(
 			ctx,
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
-			inboundOptions,
+			tag,
-			options.PlatformInterface,
+			inboundOptions.Type,
 			inboundOptions.Options,
 		)
 		if err != nil {
 			return nil, E.Cause(err, "parse inbound[", i, "]")
 		}
-		inbounds = append(inbounds, in)
+		inbounds = append(inbounds, currentInbound)
 	}
 	for i, outboundOptions := range options.Outbounds {
-		var out adapter.Outbound
+		var currentOutbound adapter.Outbound
 		var tag string
 		if outboundOptions.Tag != "" {
 			tag = outboundOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
-		out, err = outbound.New(
+		outboundCtx := ctx
-			ctx,
+		if tag != "" {
 			// TODO: remove this
 			outboundCtx = adapter.WithContext(outboundCtx, &adapter.InboundContext{
 				Outbound: tag,
 			})
 		}
 		currentOutbound, err = outboundRegistry.CreateOutbound(
 			outboundCtx,
 			router,
 			logFactory.NewLogger(F.ToString("outbound/", outboundOptions.Type, "[", tag, "]")),
 			tag,
-			outboundOptions)
+			outboundOptions.Type,
 			outboundOptions.Options,
 		)
 		if err != nil {
 			return nil, E.Cause(err, "parse outbound[", i, "]")
 		}
-		outbounds = append(outbounds, out)
+		outbounds = append(outbounds, currentOutbound)
 	}
 	err = router.Initialize(inbounds, outbounds, func() adapter.Outbound {
-		out, oErr := outbound.New(ctx, router, logFactory.NewLogger("outbound/direct"), "direct", option.Outbound{Type: "direct", Tag: "default"})
+		defaultOutbound, cErr := direct.NewOutbound(ctx, router, logFactory.NewLogger("outbound/direct"), "direct", option.DirectOutboundOptions{})
-		common.Must(oErr)
+		common.Must(cErr)
-		outbounds = append(outbounds, out)
+		outbounds = append(outbounds, defaultOutbound)
-		return out
+		return defaultOutbound
 	})
 	if err != nil {
 		return nil, err
 	}
-	if options.PlatformInterface != nil {
+	if platformInterface != nil {
-		err = options.PlatformInterface.Initialize(ctx, router)
+		err = platformInterface.Initialize(ctx, router)
 		if err != nil {
 			return nil, E.Cause(err, "initialize platform interface")
 		}
@@ -203,7 +253,7 @@ func (s *Box) PreStart() error {
 		defer func() {
 			v := recover()
 			if v != nil {
-				log.Error(E.Cause(err, "origin error"))
+				println(err.Error())
 				debug.PrintStack()
 				panic("panic on early close: " + fmt.Sprint(v))
 			}
@@ -222,9 +272,9 @@ func (s *Box) Start() error {
 		defer func() {
 			v := recover()
 			if v != nil {
-				log.Error(E.Cause(err, "origin error"))
+				println(err.Error())
 				debug.PrintStack()
-				panic("panic on early close: " + fmt.Sprint(v))
+				println("panic on early start: " + fmt.Sprint(v))
 			}
 		}()
 		s.Close()
@@ -302,7 +352,11 @@ func (s *Box) start() error {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
-	return s.postStart()
+	err = s.postStart()
 	if err != nil {
 		return err
 	}
 	return s.router.Cleanup()
 }
 func (s *Box) postStart() error {
@@ -312,16 +366,28 @@ func (s *Box) postStart() error {
 			return E.Cause(err, "start ", serviceName)
 		}
 	}
-	for _, outbound := range s.outbounds {
+	// TODO: reorganize ALL start order
-		if lateOutbound, isLateOutbound := outbound.(adapter.PostStarter); isLateOutbound {
+	for _, out := range s.outbounds {
 		if lateOutbound, isLateOutbound := out.(adapter.PostStarter); isLateOutbound {
 			err := lateOutbound.PostStart()
 			if err != nil {
-				return E.Cause(err, "post-start outbound/", outbound.Tag())
+				return E.Cause(err, "post-start outbound/", out.Tag())
 			}
 		}
 	}
-
+	err := s.router.PostStart()
-	return s.router.PostStart()
+	if err != nil {
 		return err
 	}
 	for _, in := range s.inbounds {
 		if lateInbound, isLateInbound := in.(adapter.PostStarter); isLateInbound {
 			err = lateInbound.PostStart()
 			if err != nil {
 				return E.Cause(err, "post-start inbound/", in.Tag())
 			}
 		}
 	}
 	return nil
 }
 func (s *Box) Close() error {
--- a/box_outbound.go
+++ b/box_outbound.go
@@ -45,7 +45,9 @@ func (s *Box) startOutbounds() error {
 			}
 			started[outboundTag] = true
 			canContinue = true
-			if starter, isStarter := outboundToStart.(common.Starter); isStarter {
+			if starter, isStarter := outboundToStart.(interface {
 				Start() error
 			}); isStarter {
 				monitor.Start("initialize outbound/", outboundToStart.Type(), "[", outboundTag, "]")
 				err := starter.Start()
 				monitor.Finish()
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -93,7 +93,7 @@ func buildAndroid() {
 	const name = "libbox.aar"
 	copyPath := filepath.Join("..", "sing-box-for-android", "app", "libs")
-	if rw.FileExists(copyPath) {
+	if rw.IsDir(copyPath) {
 		copyPath, _ = filepath.Abs(copyPath)
 		err = rw.CopyFile(name, filepath.Join(copyPath, name))
 		if err != nil {
@@ -134,7 +134,7 @@ func buildiOS() {
 	}
 	copyPath := filepath.Join("..", "sing-box-for-apple")
-	if rw.FileExists(copyPath) {
+	if rw.IsDir(copyPath) {
 		targetDir := filepath.Join(copyPath, "Libbox.xcframework")
 		targetDir, _ = filepath.Abs(targetDir)
 		os.RemoveAll(targetDir)
--- a/cmd/internal/build_shared/sdk.go
+++ b/cmd/internal/build_shared/sdk.go
@@ -30,7 +30,7 @@ func FindSDK() {
 	}
 	for _, path := range searchPath {
 		path = os.ExpandEnv(path)
-		if rw.FileExists(filepath.Join(path, "licenses", "android-sdk-license")) {
+		if rw.IsFile(filepath.Join(path, "licenses", "android-sdk-license")) {
 			androidSDKPath = path
 			break
 		}
@@ -58,9 +58,9 @@ func FindSDK() {
 }
 func findNDK() bool {
-	const fixedVersion = "26.2.11394342"
+	const fixedVersion = "27.2.12479018"
 	const versionFile = "source.properties"
-	if fixedPath := filepath.Join(androidSDKPath, "ndk", fixedVersion); rw.FileExists(filepath.Join(fixedPath, versionFile)) {
+	if fixedPath := filepath.Join(androidSDKPath, "ndk", fixedVersion); rw.IsFile(filepath.Join(fixedPath, versionFile)) {
 		androidNDKPath = fixedPath
 		return true
 	}
@@ -86,7 +86,7 @@ func findNDK() bool {
 	})
 	for _, versionName := range versionNames {
 		currentNDKPath := filepath.Join(androidSDKPath, "ndk", versionName)
-		if rw.FileExists(filepath.Join(androidSDKPath, versionFile)) {
+		if rw.IsFile(filepath.Join(currentNDKPath, versionFile)) {
 			androidNDKPath = currentNDKPath
 			log.Warn("reproducibility warning: using NDK version " + versionName + " instead of " + fixedVersion)
 			return true
@@ -100,11 +100,11 @@ var GoBinPath string
 func FindMobile() {
 	goBin := filepath.Join(build.Default.GOPATH, "bin")
 	if runtime.GOOS == "windows" {
-		if !rw.FileExists(filepath.Join(goBin, "gobind.exe")) {
+		if !rw.IsFile(filepath.Join(goBin, "gobind.exe")) {
 			log.Fatal("missing gomobile installation")
 		}
 	} else {
-		if !rw.FileExists(filepath.Join(goBin, "gobind")) {
+		if !rw.IsFile(filepath.Join(goBin, "gobind")) {
 			log.Fatal("missing gomobile installation")
 		}
 	}
--- a/cmd/internal/update_apple_version/main.go
+++ b/cmd/internal/update_apple_version/main.go
@@ -26,8 +26,8 @@ func main() {
 	common.Must(decoder.Decode(&project))
 	objectsMap := project["objects"].(map[string]any)
 	projectContent := string(common.Must1(os.ReadFile("sing-box.xcodeproj/project.pbxproj")))
-	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
+	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfavt"}, newVersion.VersionString())
-	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
+	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfavt.standalone", "io.nekohasekai.sfavt.system"}, newVersion.String())
 	if updated0 || updated1 {
 		log.Info("updated version to ", newVersion.VersionString(), " (", newVersion.String(), ")")
 	}
--- a/cmd/sing-box/cmd.go
+++ b/cmd/sing-box/cmd.go
@@ -0,0 +1,73 @@
 package main
 import (
 	"context"
 	"os"
 	"os/user"
 	"strconv"
 	"time"
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"
 	"github.com/spf13/cobra"
 )
 var (
 	globalCtx         context.Context
 	configPaths       []string
 	configDirectories []string
 	workingDir        string
 	disableColor      bool
 )
 var mainCommand = &cobra.Command{
 	Use:              "sing-box",
 	PersistentPreRun: preRun,
 }
 func init() {
 	mainCommand.PersistentFlags().StringArrayVarP(&configPaths, "config", "c", nil, "set configuration file path")
 	mainCommand.PersistentFlags().StringArrayVarP(&configDirectories, "config-directory", "C", nil, "set configuration directory path")
 	mainCommand.PersistentFlags().StringVarP(&workingDir, "directory", "D", "", "set working directory")
 	mainCommand.PersistentFlags().BoolVarP(&disableColor, "disable-color", "", false, "disable color output")
 }
 func preRun(cmd *cobra.Command, args []string) {
 	globalCtx = context.Background()
 	sudoUser := os.Getenv("SUDO_USER")
 	sudoUID, _ := strconv.Atoi(os.Getenv("SUDO_UID"))
 	sudoGID, _ := strconv.Atoi(os.Getenv("SUDO_GID"))
 	if sudoUID == 0 && sudoGID == 0 && sudoUser != "" {
 		sudoUserObject, _ := user.Lookup(sudoUser)
 		if sudoUserObject != nil {
 			sudoUID, _ = strconv.Atoi(sudoUserObject.Uid)
 			sudoGID, _ = strconv.Atoi(sudoUserObject.Gid)
 		}
 	}
 	if sudoUID > 0 && sudoGID > 0 {
 		globalCtx = filemanager.WithDefault(globalCtx, "", "", sudoUID, sudoGID)
 	}
 	if disableColor {
 		log.SetStdLogger(log.NewDefaultFactory(context.Background(), log.Formatter{BaseTime: time.Now(), DisableColors: true}, os.Stderr, "", nil, false).Logger())
 	}
 	if workingDir != "" {
 		_, err := os.Stat(workingDir)
 		if err != nil {
 			filemanager.MkdirAll(globalCtx, workingDir, 0o777)
 		}
 		err = os.Chdir(workingDir)
 		if err != nil {
 			log.Fatal(err)
 		}
 	}
 	if len(configPaths) == 0 && len(configDirectories) == 0 {
 		configPaths = append(configPaths, "config.json")
 	}
 	globalCtx = service.ContextWith(globalCtx, deprecated.NewEnvManager(log.StdLogger()))
 	globalCtx = box.Context(globalCtx, include.InboundRegistry(), include.OutboundRegistry())
 }
--- a/cmd/sing-box/cmd_format.go
+++ b/cmd/sing-box/cmd_format.go
@@ -2,6 +2,7 @@ package main
 import (
 	"bytes"
 	"context"
 	"os"
 	"path/filepath"
@@ -38,7 +39,7 @@ func format() error {
 		return err
 	}
 	for _, optionsEntry := range optionsList {
-		optionsEntry.options, err = badjson.Omitempty(optionsEntry.options)
+		optionsEntry.options, err = badjson.Omitempty(context.TODO(), optionsEntry.options)
 		if err != nil {
 			return err
 		}
--- a/cmd/sing-box/cmd_geoip_export.go
+++ b/cmd/sing-box/cmd_geoip_export.go
@@ -87,7 +87,7 @@ func geoipExport(countryCode string) error {
 		headlessRule.IPCIDR = append(headlessRule.IPCIDR, cidr.String())
 	}
 	var plainRuleSet option.PlainRuleSetCompat
-	plainRuleSet.Version = C.RuleSetVersion1
+	plainRuleSet.Version = C.RuleSetVersion2
 	plainRuleSet.Options.Rules = []option.HeadlessRule{
 		{
 			Type:           C.RuleTypeDefault,
--- a/cmd/sing-box/cmd_geosite_export.go
+++ b/cmd/sing-box/cmd_geosite_export.go
@@ -70,7 +70,7 @@ func geositeExport(category string) error {
 	headlessRule.DomainKeyword = defaultRule.DomainKeyword
 	headlessRule.DomainRegex = defaultRule.DomainRegex
 	var plainRuleSet option.PlainRuleSetCompat
-	plainRuleSet.Version = C.RuleSetVersion1
+	plainRuleSet.Version = C.RuleSetVersion2
 	plainRuleSet.Options.Rules = []option.HeadlessRule{
 		{
 			Type:           C.RuleTypeDefault,
--- a/cmd/sing-box/cmd_merge.go
+++ b/cmd/sing-box/cmd_merge.go
@@ -54,7 +54,11 @@ func merge(outputPath string) error {
 			return nil
 		}
 	}
-	err = rw.WriteFile(outputPath, buffer.Bytes())
+	err = rw.MkdirParent(outputPath)
 	if err != nil {
 		return err
 	}
 	err = os.WriteFile(outputPath, buffer.Bytes(), 0o644)
 	if err != nil {
 		return err
 	}
@@ -64,29 +68,19 @@ func merge(outputPath string) error {
 }
 func mergePathResources(options *option.Options) error {
-	for index, inbound := range options.Inbounds {
+	for _, inbound := range options.Inbounds {
-		rawOptions, err := inbound.RawOptions()
+		if tlsOptions, containsTLSOptions := inbound.Options.(option.InboundTLSOptionsWrapper); containsTLSOptions {
 		if err != nil {
 			return err
 		}
 		if tlsOptions, containsTLSOptions := rawOptions.(option.InboundTLSOptionsWrapper); containsTLSOptions {
 			tlsOptions.ReplaceInboundTLSOptions(mergeTLSInboundOptions(tlsOptions.TakeInboundTLSOptions()))
 		}
 		options.Inbounds[index] = inbound
 	}
-	for index, outbound := range options.Outbounds {
+	for _, outbound := range options.Outbounds {
 		rawOptions, err := outbound.RawOptions()
 		if err != nil {
 			return err
 		}
 		switch outbound.Type {
 		case C.TypeSSH:
-			outbound.SSHOptions = mergeSSHOutboundOptions(outbound.SSHOptions)
+			mergeSSHOutboundOptions(outbound.Options.(*option.SSHOutboundOptions))
 		}
-		if tlsOptions, containsTLSOptions := rawOptions.(option.OutboundTLSOptionsWrapper); containsTLSOptions {
+		if tlsOptions, containsTLSOptions := outbound.Options.(option.OutboundTLSOptionsWrapper); containsTLSOptions {
 			tlsOptions.ReplaceOutboundTLSOptions(mergeTLSOutboundOptions(tlsOptions.TakeOutboundTLSOptions()))
 		}
 		options.Outbounds[index] = outbound
 	}
 	return nil
 }
@@ -134,13 +128,12 @@ func mergeTLSOutboundOptions(options *option.OutboundTLSOptions) *option.Outboun
 	return options
 }
-func mergeSSHOutboundOptions(options option.SSHOutboundOptions) option.SSHOutboundOptions {
+func mergeSSHOutboundOptions(options *option.SSHOutboundOptions) {
 	if options.PrivateKeyPath != "" {
 		if content, err := os.ReadFile(os.ExpandEnv(options.PrivateKeyPath)); err == nil {
 			options.PrivateKey = trimStringArray(strings.Split(string(content), "\n"))
 		}
 	}
 	return options
 }
 func trimStringArray(array []string) []string {
--- a/cmd/sing-box/cmd_rule_set.go
+++ b/cmd/sing-box/cmd_rule_set.go
@@ -6,7 +6,7 @@ import (
 var commandRuleSet = &cobra.Command{
 	Use:   "rule-set",
-	Short: "Manage rule sets",
+	Short: "Manage rule-sets",
 }
 func init() {
--- a/cmd/sing-box/cmd_rule_set_compile.go
+++ b/cmd/sing-box/cmd_rule_set_compile.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"github.com/sagernet/sing-box/common/srs"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/json"
@@ -55,10 +56,10 @@ func compileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
 	ruleSet, err := plainRuleSet.Upgrade()
 	if err != nil {
 		return err
 	}
 	ruleSet := plainRuleSet.Upgrade()
 	var outputPath string
 	if flagRuleSetCompileOutput == flagRuleSetCompileDefaultOutput {
 		if strings.HasSuffix(sourcePath, ".json") {
@@ -73,7 +74,7 @@ func compileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
-	err = srs.Write(outputFile, ruleSet)
+	err = srs.Write(outputFile, ruleSet, plainRuleSet.Version == C.RuleSetVersion2)
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputPath)
--- a/cmd/sing-box/cmd_rule_set_convert.go
+++ b/cmd/sing-box/cmd_rule_set_convert.go
@@ -0,0 +1,88 @@
 package main
 import (
 	"io"
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/cmd/sing-box/internal/convertor/adguard"
 	"github.com/sagernet/sing-box/common/srs"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/spf13/cobra"
 )
 var (
 	flagRuleSetConvertType   string
 	flagRuleSetConvertOutput string
 )
 var commandRuleSetConvert = &cobra.Command{
 	Use:   "convert [source-path]",
 	Short: "Convert adguard DNS filter to rule-set",
 	Args:  cobra.ExactArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {
 		err := convertRuleSet(args[0])
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func init() {
 	commandRuleSet.AddCommand(commandRuleSetConvert)
 	commandRuleSetConvert.Flags().StringVarP(&flagRuleSetConvertType, "type", "t", "", "Source type, available: adguard")
 	commandRuleSetConvert.Flags().StringVarP(&flagRuleSetConvertOutput, "output", "o", flagRuleSetCompileDefaultOutput, "Output file")
 }
 func convertRuleSet(sourcePath string) error {
 	var (
 		reader io.Reader
 		err    error
 	)
 	if sourcePath == "stdin" {
 		reader = os.Stdin
 	} else {
 		reader, err = os.Open(sourcePath)
 		if err != nil {
 			return err
 		}
 	}
 	var rules []option.HeadlessRule
 	switch flagRuleSetConvertType {
 	case "adguard":
 		rules, err = adguard.Convert(reader)
 	case "":
 		return E.New("source type is required")
 	default:
 		return E.New("unsupported source type: ", flagRuleSetConvertType)
 	}
 	if err != nil {
 		return err
 	}
 	var outputPath string
 	if flagRuleSetConvertOutput == flagRuleSetCompileDefaultOutput {
 		if strings.HasSuffix(sourcePath, ".txt") {
 			outputPath = sourcePath[:len(sourcePath)-4] + ".srs"
 		} else {
 			outputPath = sourcePath + ".srs"
 		}
 	} else {
 		outputPath = flagRuleSetConvertOutput
 	}
 	outputFile, err := os.Create(outputPath)
 	if err != nil {
 		return err
 	}
 	defer outputFile.Close()
 	err = srs.Write(outputFile, option.PlainRuleSet{Rules: rules}, true)
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputPath)
 		return err
 	}
 	outputFile.Close()
 	return nil
 }
--- a/cmd/sing-box/cmd_rule_set_decompile.go
+++ b/cmd/sing-box/cmd_rule_set_decompile.go
@@ -0,0 +1,83 @@
 package main
 import (
 	"io"
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/common/srs"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/json"
 	"github.com/spf13/cobra"
 )
 var flagRuleSetDecompileOutput string
 const flagRuleSetDecompileDefaultOutput = "<file_name>.json"
 var commandRuleSetDecompile = &cobra.Command{
 	Use:   "decompile [binary-path]",
 	Short: "Decompile rule-set binary to json",
 	Args:  cobra.ExactArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {
 		err := decompileRuleSet(args[0])
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func init() {
 	commandRuleSet.AddCommand(commandRuleSetDecompile)
 	commandRuleSetDecompile.Flags().StringVarP(&flagRuleSetDecompileOutput, "output", "o", flagRuleSetDecompileDefaultOutput, "Output file")
 }
 func decompileRuleSet(sourcePath string) error {
 	var (
 		reader io.Reader
 		err    error
 	)
 	if sourcePath == "stdin" {
 		reader = os.Stdin
 	} else {
 		reader, err = os.Open(sourcePath)
 		if err != nil {
 			return err
 		}
 	}
 	plainRuleSet, err := srs.Read(reader, true)
 	if err != nil {
 		return err
 	}
 	ruleSet := option.PlainRuleSetCompat{
 		Version: C.RuleSetVersion1,
 		Options: plainRuleSet,
 	}
 	var outputPath string
 	if flagRuleSetDecompileOutput == flagRuleSetDecompileDefaultOutput {
 		if strings.HasSuffix(sourcePath, ".srs") {
 			outputPath = sourcePath[:len(sourcePath)-4] + ".json"
 		} else {
 			outputPath = sourcePath + ".json"
 		}
 	} else {
 		outputPath = flagRuleSetDecompileOutput
 	}
 	outputFile, err := os.Create(outputPath)
 	if err != nil {
 		return err
 	}
 	encoder := json.NewEncoder(outputFile)
 	encoder.SetIndent("", "  ")
 	err = encoder.Encode(ruleSet)
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputPath)
 		return err
 	}
 	outputFile.Close()
 	return nil
 }
--- a/cmd/sing-box/cmd_rule_set_match.go
+++ b/cmd/sing-box/cmd_rule_set_match.go
@@ -10,9 +10,11 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/route"
+	"github.com/sagernet/sing-box/route/rule"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/spf13/cobra"
 )
@@ -20,8 +22,8 @@ import (
 var flagRuleSetMatchFormat string
 var commandRuleSetMatch = &cobra.Command{
-	Use:   "match <rule-set path> <domain>",
+	Use:   "match <rule-set path> <IP address/domain>",
-	Short: "Check if a domain matches the rule set",
+	Short: "Check if an IP address or a domain matches the rule-set",
 	Args:  cobra.ExactArgs(2),
 	Run: func(cmd *cobra.Command, args []string) {
 		err := ruleSetMatch(args[0], args[1])
@@ -61,25 +63,33 @@ func ruleSetMatch(sourcePath string, domain string) error {
 		if err != nil {
 			return err
 		}
-		plainRuleSet = compat.Upgrade()
+		plainRuleSet, err = compat.Upgrade()
 		if err != nil {
 			return err
 		}
 	case C.RuleSetFormatBinary:
 		plainRuleSet, err = srs.Read(bytes.NewReader(content), false)
 		if err != nil {
 			return err
 		}
 	default:
-		return E.New("unknown rule set format: ", flagRuleSetMatchFormat)
+		return E.New("unknown rule-set format: ", flagRuleSetMatchFormat)
 	}
 	ipAddress := M.ParseAddr(domain)
 	var metadata adapter.InboundContext
 	if ipAddress.IsValid() {
 		metadata.Destination = M.SocksaddrFrom(ipAddress, 0)
 	} else {
 		metadata.Domain = domain
 	}
 	for i, ruleOptions := range plainRuleSet.Rules {
 		var currentRule adapter.HeadlessRule
-		currentRule, err = route.NewHeadlessRule(nil, ruleOptions)
+		currentRule, err = rule.NewHeadlessRule(nil, ruleOptions)
 		if err != nil {
 			return E.Cause(err, "parse rule_set.rules.[", i, "]")
 		}
-		if currentRule.Match(&adapter.InboundContext{
+		if currentRule.Match(&metadata) {
-			Domain: domain,
+			println(F.ToString("match rules.[", i, "]: ", currentRule))
 		}) {
 			println("match rules.[", i, "]: "+currentRule.String())
 		}
 	}
 	return nil
--- a/cmd/sing-box/cmd_rule_set_upgrade.go
+++ b/cmd/sing-box/cmd_rule_set_upgrade.go
@@ -0,0 +1,94 @@
 package main
 import (
 	"bytes"
 	"io"
 	"os"
 	"path/filepath"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/spf13/cobra"
 )
 var commandRuleSetUpgradeFlagWrite bool
 var commandRuleSetUpgrade = &cobra.Command{
 	Use:   "upgrade <source-path>",
 	Short: "Upgrade rule-set json",
 	Args:  cobra.ExactArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {
 		err := upgradeRuleSet(args[0])
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func init() {
 	commandRuleSetUpgrade.Flags().BoolVarP(&commandRuleSetUpgradeFlagWrite, "write", "w", false, "write result to (source) file instead of stdout")
 	commandRuleSet.AddCommand(commandRuleSetUpgrade)
 }
 func upgradeRuleSet(sourcePath string) error {
 	var (
 		reader io.Reader
 		err    error
 	)
 	if sourcePath == "stdin" {
 		reader = os.Stdin
 	} else {
 		reader, err = os.Open(sourcePath)
 		if err != nil {
 			return err
 		}
 	}
 	content, err := io.ReadAll(reader)
 	if err != nil {
 		return err
 	}
 	plainRuleSetCompat, err := json.UnmarshalExtended[option.PlainRuleSetCompat](content)
 	if err != nil {
 		return err
 	}
 	switch plainRuleSetCompat.Version {
 	case C.RuleSetVersion1:
 	default:
 		log.Info("already up-to-date")
 		return nil
 	}
 	plainRuleSet, err := plainRuleSetCompat.Upgrade()
 	if err != nil {
 		return err
 	}
 	buffer := new(bytes.Buffer)
 	encoder := json.NewEncoder(buffer)
 	encoder.SetIndent("", "  ")
 	err = encoder.Encode(plainRuleSet)
 	if err != nil {
 		return E.Cause(err, "encode config")
 	}
 	outputPath, _ := filepath.Abs(sourcePath)
 	if !commandRuleSetUpgradeFlagWrite || sourcePath == "stdin" {
 		os.Stdout.WriteString(buffer.String() + "\n")
 		return nil
 	}
 	if bytes.Equal(content, buffer.Bytes()) {
 		return nil
 	}
 	output, err := os.Create(sourcePath)
 	if err != nil {
 		return E.Cause(err, "open output")
 	}
 	_, err = output.Write(buffer.Bytes())
 	output.Close()
 	if err != nil {
 		return E.Cause(err, "write output")
 	}
 	os.Stderr.WriteString(outputPath + "\n")
 	return nil
 }
--- a/cmd/sing-box/cmd_run.go
+++ b/cmd/sing-box/cmd_run.go
@@ -57,7 +57,7 @@ func readConfigAt(path string) (*OptionsEntry, error) {
 	if err != nil {
 		return nil, E.Cause(err, "read config at ", path)
 	}
-	options, err := json.UnmarshalExtended[option.Options](configContent)
+	options, err := json.UnmarshalExtendedContext[option.Options](globalCtx, configContent)
 	if err != nil {
 		return nil, E.Cause(err, "decode config at ", path)
 	}
@@ -109,13 +109,13 @@ func readConfigAndMerge() (option.Options, error) {
 	}
 	var mergedMessage json.RawMessage
 	for _, options := range optionsList {
-		mergedMessage, err = badjson.MergeJSON(options.options.RawMessage, mergedMessage)
+		mergedMessage, err = badjson.MergeJSON(globalCtx, options.options.RawMessage, mergedMessage, false)
 		if err != nil {
 			return option.Options{}, E.Cause(err, "merge config at ", options.path)
 		}
 	}
 	var mergedOptions option.Options
-	err = mergedOptions.UnmarshalJSON(mergedMessage)
+	err = mergedOptions.UnmarshalJSONContext(globalCtx, mergedMessage)
 	if err != nil {
 		return option.Options{}, E.Cause(err, "unmarshal merged config")
 	}
@@ -188,9 +188,12 @@ func run() error {
 			cancel()
 			closeCtx, closed := context.WithCancel(context.Background())
 			go closeMonitor(closeCtx)
-			instance.Close()
+			err = instance.Close()
 			closed()
 			if osSignal != syscall.SIGHUP {
 				if err != nil {
 					log.Error(E.Cause(err, "sing-box did not closed properly"))
 				}
 				return nil
 			}
 			break
--- a/cmd/sing-box/cmd_tools.go
+++ b/cmd/sing-box/cmd_tools.go
@@ -1,6 +1,9 @@
 package main
 import (
 	"errors"
 	"os"
 	"github.com/sagernet/sing-box"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
@@ -23,7 +26,9 @@ func init() {
 func createPreStartedClient() (*box.Box, error) {
 	options, err := readConfigAndMerge()
 	if err != nil {
-		return nil, err
+		if !(errors.Is(err, os.ErrNotExist) && len(configDirectories) == 0 && len(configPaths) == 1) || configPaths[0] != "config.json" {
 			return nil, err
 		}
 	}
 	instance, err := box.New(box.Options{Options: options})
 	if err != nil {
--- a/cmd/sing-box/cmd_tools_fetch.go
+++ b/cmd/sing-box/cmd_tools_fetch.go
@@ -9,8 +9,10 @@ import (
 	"net/url"
 	"os"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/spf13/cobra"
@@ -32,7 +34,10 @@ func init() {
 	commandTools.AddCommand(commandFetch)
 }
-var httpClient *http.Client
+var (
 	httpClient  *http.Client
 	http3Client *http.Client
 )
 func fetch(args []string) error {
 	instance, err := createPreStartedClient()
@@ -53,8 +58,16 @@ func fetch(args []string) error {
 		},
 	}
 	defer httpClient.CloseIdleConnections()
 	if C.WithQUIC {
 		err = initializeHTTP3Client(instance)
 		if err != nil {
 			return err
 		}
 		defer http3Client.CloseIdleConnections()
 	}
 	for _, urlString := range args {
-		parsedURL, err := url.Parse(urlString)
+		var parsedURL *url.URL
 		parsedURL, err = url.Parse(urlString)
 		if err != nil {
 			return err
 		}
@@ -63,16 +76,27 @@ func fetch(args []string) error {
 			parsedURL.Scheme = "http"
 			fallthrough
 		case "http", "https":
-			err = fetchHTTP(parsedURL)
+			err = fetchHTTP(httpClient, parsedURL)
 			if err != nil {
 				return err
 			}
 		case "http3":
 			if !C.WithQUIC {
 				return C.ErrQUICNotIncluded
 			}
 			parsedURL.Scheme = "https"
 			err = fetchHTTP(http3Client, parsedURL)
 			if err != nil {
 				return err
 			}
 		default:
 			return E.New("unsupported scheme: ", parsedURL.Scheme)
 		}
 	}
 	return nil
 }
-func fetchHTTP(parsedURL *url.URL) error {
+func fetchHTTP(httpClient *http.Client, parsedURL *url.URL) error {
 	request, err := http.NewRequest("GET", parsedURL.String(), nil)
 	if err != nil {
 		return err
--- a/cmd/sing-box/cmd_tools_fetch_http3.go
+++ b/cmd/sing-box/cmd_tools_fetch_http3.go
@@ -0,0 +1,36 @@
 //go:build with_quic
 package main
 import (
 	"context"
 	"crypto/tls"
 	"net/http"
 	"github.com/sagernet/quic-go"
 	"github.com/sagernet/quic-go/http3"
 	box "github.com/sagernet/sing-box"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 func initializeHTTP3Client(instance *box.Box) error {
 	dialer, err := createDialer(instance, N.NetworkUDP, commandToolsFlagOutbound)
 	if err != nil {
 		return err
 	}
 	http3Client = &http.Client{
 		Transport: &http3.RoundTripper{
 			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 				destination := M.ParseSocksaddr(addr)
 				udpConn, dErr := dialer.DialContext(ctx, N.NetworkUDP, destination)
 				if dErr != nil {
 					return nil, dErr
 				}
 				return quic.DialEarly(ctx, bufio.NewUnbindPacketConn(udpConn), udpConn.RemoteAddr(), tlsCfg, cfg)
 			},
 		},
 	}
 	return nil
 }
--- a/cmd/sing-box/cmd_tools_fetch_http3_stub.go
+++ b/cmd/sing-box/cmd_tools_fetch_http3_stub.go
@@ -0,0 +1,18 @@
 //go:build !with_quic
 package main
 import (
 	"net/url"
 	"os"
 	box "github.com/sagernet/sing-box"
 )
 func initializeHTTP3Client(instance *box.Box) error {
 	return os.ErrInvalid
 }
 func fetchHTTP3(parsedURL *url.URL) error {
 	return os.ErrInvalid
 }
--- a/cmd/sing-box/generate_completions.go
+++ b/cmd/sing-box/generate_completions.go
@@ -0,0 +1,28 @@
 //go:build generate && generate_completions
 package main
 import "github.com/sagernet/sing-box/log"
 func main() {
 	err := generateCompletions()
 	if err != nil {
 		log.Fatal(err)
 	}
 }
 func generateCompletions() error {
 	err := mainCommand.GenBashCompletionFile("release/completions/sing-box.bash")
 	if err != nil {
 		return err
 	}
 	err = mainCommand.GenFishCompletionFile("release/completions/sing-box.fish", true)
 	if err != nil {
 		return err
 	}
 	err = mainCommand.GenZshCompletionFile("release/completions/sing-box.zsh")
 	if err != nil {
 		return err
 	}
 	return nil
 }
--- a/cmd/sing-box/internal/convertor/adguard/convertor.go
+++ b/cmd/sing-box/internal/convertor/adguard/convertor.go
@@ -0,0 +1,346 @@
 package adguard
 import (
 	"bufio"
 	"io"
 	"net/netip"
 	"os"
 	"strconv"
 	"strings"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 )
 type agdguardRuleLine struct {
 	ruleLine    string
 	isRawDomain bool
 	isExclude   bool
 	isSuffix    bool
 	hasStart    bool
 	hasEnd      bool
 	isRegexp    bool
 	isImportant bool
 }
 func Convert(reader io.Reader) ([]option.HeadlessRule, error) {
 	scanner := bufio.NewScanner(reader)
 	var (
 		ruleLines    []agdguardRuleLine
 		ignoredLines int
 	)
 parseLine:
 	for scanner.Scan() {
 		ruleLine := scanner.Text()
 		if ruleLine == "" || ruleLine[0] == '!' || ruleLine[0] == '#' {
 			continue
 		}
 		originRuleLine := ruleLine
 		if M.IsDomainName(ruleLine) {
 			ruleLines = append(ruleLines, agdguardRuleLine{
 				ruleLine:    ruleLine,
 				isRawDomain: true,
 			})
 			continue
 		}
 		hostLine, err := parseAdGuardHostLine(ruleLine)
 		if err == nil {
 			if hostLine != "" {
 				ruleLines = append(ruleLines, agdguardRuleLine{
 					ruleLine:    hostLine,
 					isRawDomain: true,
 					hasStart:    true,
 					hasEnd:      true,
 				})
 			}
 			continue
 		}
 		if strings.HasSuffix(ruleLine, "|") {
 			ruleLine = ruleLine[:len(ruleLine)-1]
 		}
 		var (
 			isExclude   bool
 			isSuffix    bool
 			hasStart    bool
 			hasEnd      bool
 			isRegexp    bool
 			isImportant bool
 		)
 		if !strings.HasPrefix(ruleLine, "/") && strings.Contains(ruleLine, "$") {
 			params := common.SubstringAfter(ruleLine, "$")
 			for _, param := range strings.Split(params, ",") {
 				paramParts := strings.Split(param, "=")
 				var ignored bool
 				if len(paramParts) > 0 && len(paramParts) <= 2 {
 					switch paramParts[0] {
 					case "app", "network":
 						// maybe support by package_name/process_name
 					case "dnstype":
 						// maybe support by query_type
 					case "important":
 						ignored = true
 						isImportant = true
 					case "dnsrewrite":
 						if len(paramParts) == 2 && M.ParseAddr(paramParts[1]).IsUnspecified() {
 							ignored = true
 						}
 					}
 				}
 				if !ignored {
 					ignoredLines++
 					log.Debug("ignored unsupported rule with modifier: ", paramParts[0], ": ", ruleLine)
 					continue parseLine
 				}
 			}
 			ruleLine = common.SubstringBefore(ruleLine, "$")
 		}
 		if strings.HasPrefix(ruleLine, "@@") {
 			ruleLine = ruleLine[2:]
 			isExclude = true
 		}
 		if strings.HasSuffix(ruleLine, "|") {
 			ruleLine = ruleLine[:len(ruleLine)-1]
 		}
 		if strings.HasPrefix(ruleLine, "||") {
 			ruleLine = ruleLine[2:]
 			isSuffix = true
 		} else if strings.HasPrefix(ruleLine, "|") {
 			ruleLine = ruleLine[1:]
 			hasStart = true
 		}
 		if strings.HasSuffix(ruleLine, "^") {
 			ruleLine = ruleLine[:len(ruleLine)-1]
 			hasEnd = true
 		}
 		if strings.HasPrefix(ruleLine, "/") && strings.HasSuffix(ruleLine, "/") {
 			ruleLine = ruleLine[1 : len(ruleLine)-1]
 			if ignoreIPCIDRRegexp(ruleLine) {
 				ignoredLines++
 				log.Debug("ignored unsupported rule with IPCIDR regexp: ", ruleLine)
 				continue
 			}
 			isRegexp = true
 		} else {
 			if strings.Contains(ruleLine, "://") {
 				ruleLine = common.SubstringAfter(ruleLine, "://")
 			}
 			if strings.Contains(ruleLine, "/") {
 				ignoredLines++
 				log.Debug("ignored unsupported rule with path: ", ruleLine)
 				continue
 			}
 			if strings.Contains(ruleLine, "##") {
 				ignoredLines++
 				log.Debug("ignored unsupported rule with element hiding: ", ruleLine)
 				continue
 			}
 			if strings.Contains(ruleLine, "#$#") {
 				ignoredLines++
 				log.Debug("ignored unsupported rule with element hiding: ", ruleLine)
 				continue
 			}
 			var domainCheck string
 			if strings.HasPrefix(ruleLine, ".") || strings.HasPrefix(ruleLine, "-") {
 				domainCheck = "r" + ruleLine
 			} else {
 				domainCheck = ruleLine
 			}
 			if ruleLine == "" {
 				ignoredLines++
 				log.Debug("ignored unsupported rule with empty domain", originRuleLine)
 				continue
 			} else {
 				domainCheck = strings.ReplaceAll(domainCheck, "*", "x")
 				if !M.IsDomainName(domainCheck) {
 					_, ipErr := parseADGuardIPCIDRLine(ruleLine)
 					if ipErr == nil {
 						ignoredLines++
 						log.Debug("ignored unsupported rule with IPCIDR: ", ruleLine)
 						continue
 					}
 					if M.ParseSocksaddr(domainCheck).Port != 0 {
 						log.Debug("ignored unsupported rule with port: ", ruleLine)
 					} else {
 						log.Debug("ignored unsupported rule with invalid domain: ", ruleLine)
 					}
 					ignoredLines++
 					continue
 				}
 			}
 		}
 		ruleLines = append(ruleLines, agdguardRuleLine{
 			ruleLine:    ruleLine,
 			isExclude:   isExclude,
 			isSuffix:    isSuffix,
 			hasStart:    hasStart,
 			hasEnd:      hasEnd,
 			isRegexp:    isRegexp,
 			isImportant: isImportant,
 		})
 	}
 	if len(ruleLines) == 0 {
 		return nil, E.New("AdGuard rule-set is empty or all rules are unsupported")
 	}
 	if common.All(ruleLines, func(it agdguardRuleLine) bool {
 		return it.isRawDomain
 	}) {
 		return []option.HeadlessRule{
 			{
 				Type: C.RuleTypeDefault,
 				DefaultOptions: option.DefaultHeadlessRule{
 					Domain: common.Map(ruleLines, func(it agdguardRuleLine) string {
 						return it.ruleLine
 					}),
 				},
 			},
 		}, nil
 	}
 	mapDomain := func(it agdguardRuleLine) string {
 		ruleLine := it.ruleLine
 		if it.isSuffix {
 			ruleLine = "||" + ruleLine
 		} else if it.hasStart {
 			ruleLine = "|" + ruleLine
 		}
 		if it.hasEnd {
 			ruleLine += "^"
 		}
 		return ruleLine
 	}
 	importantDomain := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return it.isImportant && !it.isRegexp && !it.isExclude }), mapDomain)
 	importantDomainRegex := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return it.isImportant && it.isRegexp && !it.isExclude }), mapDomain)
 	importantExcludeDomain := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return it.isImportant && !it.isRegexp && it.isExclude }), mapDomain)
 	importantExcludeDomainRegex := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return it.isImportant && it.isRegexp && it.isExclude }), mapDomain)
 	domain := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return !it.isImportant && !it.isRegexp && !it.isExclude }), mapDomain)
 	domainRegex := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return !it.isImportant && it.isRegexp && !it.isExclude }), mapDomain)
 	excludeDomain := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return !it.isImportant && !it.isRegexp && it.isExclude }), mapDomain)
 	excludeDomainRegex := common.Map(common.Filter(ruleLines, func(it agdguardRuleLine) bool { return !it.isImportant && it.isRegexp && it.isExclude }), mapDomain)
 	currentRule := option.HeadlessRule{
 		Type: C.RuleTypeDefault,
 		DefaultOptions: option.DefaultHeadlessRule{
 			AdGuardDomain: domain,
 			DomainRegex:   domainRegex,
 		},
 	}
 	if len(excludeDomain) > 0 || len(excludeDomainRegex) > 0 {
 		currentRule = option.HeadlessRule{
 			Type: C.RuleTypeLogical,
 			LogicalOptions: option.LogicalHeadlessRule{
 				Mode: C.LogicalTypeAnd,
 				Rules: []option.HeadlessRule{
 					{
 						Type: C.RuleTypeDefault,
 						DefaultOptions: option.DefaultHeadlessRule{
 							AdGuardDomain: excludeDomain,
 							DomainRegex:   excludeDomainRegex,
 							Invert:        true,
 						},
 					},
 					currentRule,
 				},
 			},
 		}
 	}
 	if len(importantDomain) > 0 || len(importantDomainRegex) > 0 {
 		currentRule = option.HeadlessRule{
 			Type: C.RuleTypeLogical,
 			LogicalOptions: option.LogicalHeadlessRule{
 				Mode: C.LogicalTypeOr,
 				Rules: []option.HeadlessRule{
 					{
 						Type: C.RuleTypeDefault,
 						DefaultOptions: option.DefaultHeadlessRule{
 							AdGuardDomain: importantDomain,
 							DomainRegex:   importantDomainRegex,
 						},
 					},
 					currentRule,
 				},
 			},
 		}
 	}
 	if len(importantExcludeDomain) > 0 || len(importantExcludeDomainRegex) > 0 {
 		currentRule = option.HeadlessRule{
 			Type: C.RuleTypeLogical,
 			LogicalOptions: option.LogicalHeadlessRule{
 				Mode: C.LogicalTypeAnd,
 				Rules: []option.HeadlessRule{
 					{
 						Type: C.RuleTypeDefault,
 						DefaultOptions: option.DefaultHeadlessRule{
 							AdGuardDomain: importantExcludeDomain,
 							DomainRegex:   importantExcludeDomainRegex,
 							Invert:        true,
 						},
 					},
 					currentRule,
 				},
 			},
 		}
 	}
 	log.Info("parsed rules: ", len(ruleLines), "/", len(ruleLines)+ignoredLines)
 	return []option.HeadlessRule{currentRule}, nil
 }
 func ignoreIPCIDRRegexp(ruleLine string) bool {
 	if strings.HasPrefix(ruleLine, "(http?:\\/\\/)") {
 		ruleLine = ruleLine[12:]
 	} else if strings.HasPrefix(ruleLine, "(https?:\\/\\/)") {
 		ruleLine = ruleLine[13:]
 	} else if strings.HasPrefix(ruleLine, "^") {
 		ruleLine = ruleLine[1:]
 	} else {
 		return false
 	}
 	_, parseErr := strconv.ParseUint(common.SubstringBefore(ruleLine, "\\."), 10, 8)
 	return parseErr == nil
 }
 func parseAdGuardHostLine(ruleLine string) (string, error) {
 	idx := strings.Index(ruleLine, " ")
 	if idx == -1 {
 		return "", os.ErrInvalid
 	}
 	address, err := netip.ParseAddr(ruleLine[:idx])
 	if err != nil {
 		return "", err
 	}
 	if !address.IsUnspecified() {
 		return "", nil
 	}
 	domain := ruleLine[idx+1:]
 	if !M.IsDomainName(domain) {
 		return "", E.New("invalid domain name: ", domain)
 	}
 	return domain, nil
 }
 func parseADGuardIPCIDRLine(ruleLine string) (netip.Prefix, error) {
 	var isPrefix bool
 	if strings.HasSuffix(ruleLine, ".") {
 		isPrefix = true
 		ruleLine = ruleLine[:len(ruleLine)-1]
 	}
 	ruleStringParts := strings.Split(ruleLine, ".")
 	if len(ruleStringParts) > 4 || len(ruleStringParts) < 4 && !isPrefix {
 		return netip.Prefix{}, os.ErrInvalid
 	}
 	ruleParts := make([]uint8, 0, len(ruleStringParts))
 	for _, part := range ruleStringParts {
 		rulePart, err := strconv.ParseUint(part, 10, 8)
 		if err != nil {
 			return netip.Prefix{}, err
 		}
 		ruleParts = append(ruleParts, uint8(rulePart))
 	}
 	bitLen := len(ruleParts) * 8
 	for len(ruleParts) < 4 {
 		ruleParts = append(ruleParts, 0)
 	}
 	return netip.PrefixFrom(netip.AddrFrom4(*(*[4]byte)(ruleParts)), bitLen), nil
 }
--- a/cmd/sing-box/internal/convertor/adguard/convertor_test.go
+++ b/cmd/sing-box/internal/convertor/adguard/convertor_test.go
@@ -0,0 +1,140 @@
 package adguard
 import (
 	"strings"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/route/rule"
 	"github.com/stretchr/testify/require"
 )
 func TestConverter(t *testing.T) {
 	t.Parallel()
 	rules, err := Convert(strings.NewReader(`
 ||example.org^
 |example.com^
 example.net^
 ||example.edu
 ||example.edu.tw^
 |example.gov
 example.arpa
@@|sagernet.example.org|
 ||sagernet.org^$important
@@|sing-box.sagernet.org^$important
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
 	rule, err := rule.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"example.org",
 		"www.example.org",
 		"example.com",
 		"example.net",
 		"isexample.net",
 		"www.example.net",
 		"example.edu",
 		"example.edu.cn",
 		"example.edu.tw",
 		"www.example.edu",
 		"www.example.edu.cn",
 		"example.gov",
 		"example.gov.cn",
 		"example.arpa",
 		"www.example.arpa",
 		"isexample.arpa",
 		"example.arpa.cn",
 		"www.example.arpa.cn",
 		"isexample.arpa.cn",
 		"sagernet.org",
 		"www.sagernet.org",
 	}
 	notMatchDomain := []string{
 		"example.org.cn",
 		"notexample.org",
 		"example.com.cn",
 		"www.example.com.cn",
 		"example.net.cn",
 		"notexample.edu",
 		"notexample.edu.cn",
 		"www.example.gov",
 		"notexample.gov",
 		"sagernet.example.org",
 		"sing-box.sagernet.org",
 	}
 	for _, domain := range matchDomain {
 		require.True(t, rule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}), domain)
 	}
 	for _, domain := range notMatchDomain {
 		require.False(t, rule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}), domain)
 	}
 }
 func TestHosts(t *testing.T) {
 	t.Parallel()
 	rules, err := Convert(strings.NewReader(`
 127.0.0.1 localhost
 ::1 localhost #[IPv6]
 0.0.0.0 google.com
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
 	rule, err := rule.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"google.com",
 	}
 	notMatchDomain := []string{
 		"www.google.com",
 		"notgoogle.com",
 		"localhost",
 	}
 	for _, domain := range matchDomain {
 		require.True(t, rule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}), domain)
 	}
 	for _, domain := range notMatchDomain {
 		require.False(t, rule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}), domain)
 	}
 }
 func TestSimpleHosts(t *testing.T) {
 	t.Parallel()
 	rules, err := Convert(strings.NewReader(`
 example.com
 www.example.org
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
 	rule, err := rule.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"example.com",
 		"www.example.org",
 	}
 	notMatchDomain := []string{
 		"example.com.cn",
 		"www.example.com",
 		"notexample.com",
 		"example.org",
 	}
 	for _, domain := range matchDomain {
 		require.True(t, rule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}), domain)
 	}
 	for _, domain := range notMatchDomain {
 		require.False(t, rule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}), domain)
 	}
 }
--- a/cmd/sing-box/main.go
+++ b/cmd/sing-box/main.go
@@ -1,74 +1,11 @@
 //go:build !generate
 package main
-import (
+import "github.com/sagernet/sing-box/log"
 	"context"
 	"os"
 	"os/user"
 	"strconv"
 	"time"
 	_ "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/service/filemanager"
 	"github.com/spf13/cobra"
 )
 var (
 	globalCtx         context.Context
 	configPaths       []string
 	configDirectories []string
 	workingDir        string
 	disableColor      bool
 )
 var mainCommand = &cobra.Command{
 	Use:              "sing-box",
 	PersistentPreRun: preRun,
 }
 func init() {
 	mainCommand.PersistentFlags().StringArrayVarP(&configPaths, "config", "c", nil, "set configuration file path")
 	mainCommand.PersistentFlags().StringArrayVarP(&configDirectories, "config-directory", "C", nil, "set configuration directory path")
 	mainCommand.PersistentFlags().StringVarP(&workingDir, "directory", "D", "", "set working directory")
 	mainCommand.PersistentFlags().BoolVarP(&disableColor, "disable-color", "", false, "disable color output")
 }
 func main() {
 	if err := mainCommand.Execute(); err != nil {
 		log.Fatal(err)
 	}
 }
 func preRun(cmd *cobra.Command, args []string) {
 	globalCtx = context.Background()
 	sudoUser := os.Getenv("SUDO_USER")
 	sudoUID, _ := strconv.Atoi(os.Getenv("SUDO_UID"))
 	sudoGID, _ := strconv.Atoi(os.Getenv("SUDO_GID"))
 	if sudoUID == 0 && sudoGID == 0 && sudoUser != "" {
 		sudoUserObject, _ := user.Lookup(sudoUser)
 		if sudoUserObject != nil {
 			sudoUID, _ = strconv.Atoi(sudoUserObject.Uid)
 			sudoGID, _ = strconv.Atoi(sudoUserObject.Gid)
 		}
 	}
 	if sudoUID > 0 && sudoGID > 0 {
 		globalCtx = filemanager.WithDefault(globalCtx, "", "", sudoUID, sudoGID)
 	}
 	if disableColor {
 		log.SetStdLogger(log.NewDefaultFactory(context.Background(), log.Formatter{BaseTime: time.Now(), DisableColors: true}, os.Stderr, "", nil, false).Logger())
 	}
 	if workingDir != "" {
 		_, err := os.Stat(workingDir)
 		if err != nil {
 			filemanager.MkdirAll(globalCtx, workingDir, 0o777)
 		}
 		err = os.Chdir(workingDir)
 		if err != nil {
 			log.Fatal(err)
 		}
 	}
 	if len(configPaths) == 0 && len(configDirectories) == 0 {
 		configPaths = append(configPaths, "config.json")
 	}
 }
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -50,12 +50,26 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
-	if options.RoutingMark != 0 {
+	var autoRedirectOutputMark uint32
 	if router != nil {
 		autoRedirectOutputMark = router.AutoRedirectOutputMark()
 	}
 	if autoRedirectOutputMark > 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(autoRedirectOutputMark))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(autoRedirectOutputMark))
 	}
 	if options.RoutingMark > 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(options.RoutingMark))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(options.RoutingMark))
-	} else if router != nil && router.DefaultMark() != 0 {
+		if autoRedirectOutputMark > 0 {
 			return nil, E.New("`auto_redirect` with `route_[_exclude]_address_set is conflict with `routing_mark`")
 		}
 	} else if router != nil && router.DefaultMark() > 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(router.DefaultMark()))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(router.DefaultMark()))
 		if autoRedirectOutputMark > 0 {
 			return nil, E.New("`auto_redirect` with `route_[_exclude]_address_set is conflict with `default_mark`")
 		}
 	}
 	if options.ReuseAddr {
 		listener.Control = control.Append(listener.Control, control.ReuseAddr())
@@ -67,7 +81,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	if options.ConnectTimeout != 0 {
 		dialer.Timeout = time.Duration(options.ConnectTimeout)
 	} else {
-		dialer.Timeout = C.TCPTimeout
+		dialer.Timeout = C.TCPConnectTimeout
 	}
 	// TODO: Add an option to customize the keep alive period
 	dialer.KeepAlive = C.TCPKeepAliveInitial
@@ -111,7 +125,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		setMultiPathTCP(&dialer4)
 	}
 	if options.IsWireGuardListener {
-		for _, controlFn := range wgControlFns {
+		for _, controlFn := range WgControlFns {
 			listener.Control = control.Append(listener.Control, controlFn)
 		}
 	}
--- a/common/dialer/default_go1.20.go
+++ b/common/dialer/default_go1.20.go
@@ -5,7 +5,7 @@ package dialer
 import (
 	"net"
-	"github.com/sagernet/tfo-go"
+	"github.com/metacubex/tfo-go"
 )
 type tcpDialer = tfo.Dialer
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -28,13 +28,12 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	} else {
 		dialer = NewDetour(router, options.Detour)
 	}
-	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
+	if options.Detour == "" {
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
 		dialer = NewResolveDialer(
 			router,
 			dialer,
 			options.Detour == "" && !options.TCPFastOpen,
-			domainStrategy,
+			dns.DomainStrategy(options.DomainStrategy),
 			time.Duration(options.FallbackDelay))
 	}
 	return dialer, nil
--- a/common/dialer/tfo.go
+++ b/common/dialer/tfo.go
@@ -15,7 +15,8 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/tfo-go"
+
 	"github.com/metacubex/tfo-go"
 )
 type slowOpenConn struct {
--- a/common/dialer/wireguard.go
+++ b/common/dialer/wireguard.go
@@ -2,8 +2,12 @@ package dialer
 import (
 	"net"
 	"github.com/sagernet/sing/common/control"
 )
 type WireGuardListener interface {
 	ListenPacketCompat(network, address string) (net.PacketConn, error)
 }
 var WgControlFns []control.Func
--- a/common/dialer/wireguard_control.go
+++ b/common/dialer/wireguard_control.go
@@ -1,11 +0,0 @@
 //go:build with_wireguard
 package dialer
 import (
 	"github.com/sagernet/wireguard-go/conn"
 )
 var _ WireGuardListener = (conn.Listener)(nil)
 var wgControlFns = conn.ControlFns
--- a/common/dialer/wiregurad_stub.go
+++ b/common/dialer/wiregurad_stub.go
@@ -1,9 +0,0 @@
 //go:build !with_wireguard
 package dialer
 import (
 	"github.com/sagernet/sing/common/control"
 )
 var wgControlFns []control.Func
--- a/common/geosite/geosite_test.go
+++ b/common/geosite/geosite_test.go
@@ -0,0 +1,34 @@
 package geosite_test
 import (
 	"bytes"
 	"testing"
 	"github.com/sagernet/sing-box/common/geosite"
 	"github.com/stretchr/testify/require"
 )
 func TestGeosite(t *testing.T) {
 	t.Parallel()
 	var buffer bytes.Buffer
 	err := geosite.Write(&buffer, map[string][]geosite.Item{
 		"test": {
 			{
 				Type:  geosite.RuleTypeDomain,
 				Value: "example.org",
 			},
 		},
 	})
 	require.NoError(t, err)
 	reader, codes, err := geosite.NewReader(bytes.NewReader(buffer.Bytes()))
 	require.NoError(t, err)
 	require.Equal(t, []string{"test"}, codes)
 	items, err := reader.Read("test")
 	require.NoError(t, err)
 	require.Equal(t, []geosite.Item{{
 		Type:  geosite.RuleTypeDomain,
 		Value: "example.org",
 	}}, items)
 }
--- a/common/geosite/reader.go
+++ b/common/geosite/reader.go
@@ -1,17 +1,24 @@
 package geosite
 import (
 	"bufio"
 	"encoding/binary"
 	"io"
 	"os"
 	"sync"
 	"sync/atomic"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/rw"
+	"github.com/sagernet/sing/common/varbin"
 )
 type Reader struct {
-	reader       io.ReadSeeker
+	access         sync.Mutex
-	domainIndex  map[string]int
+	reader         io.ReadSeeker
-	domainLength map[string]int
+	bufferedReader *bufio.Reader
 	metadataIndex  int64
 	domainIndex    map[string]int
 	domainLength   map[string]int
 }
 func Open(path string) (*Reader, []string, error) {
@@ -19,14 +26,22 @@ func Open(path string) (*Reader, []string, error) {
 	if err != nil {
 		return nil, nil, err
 	}
-	reader := &Reader{
+	reader, codes, err := NewReader(content)
 		reader: content,
 	}
 	err = reader.readMetadata()
 	if err != nil {
 		content.Close()
 		return nil, nil, err
 	}
 	return reader, codes, nil
 }
 func NewReader(readSeeker io.ReadSeeker) (*Reader, []string, error) {
 	reader := &Reader{
 		reader: readSeeker,
 	}
 	err := reader.readMetadata()
 	if err != nil {
 		return nil, nil, err
 	}
 	codes := make([]string, 0, len(reader.domainIndex))
 	for code := range reader.domainIndex {
 		codes = append(codes, code)
@@ -34,15 +49,23 @@ func Open(path string) (*Reader, []string, error) {
 	return reader, codes, nil
 }
 type geositeMetadata struct {
 	Code   string
 	Index  uint64
 	Length uint64
 }
 func (r *Reader) readMetadata() error {
-	version, err := rw.ReadByte(r.reader)
+	counter := &readCounter{Reader: r.reader}
 	reader := bufio.NewReader(counter)
 	version, err := reader.ReadByte()
 	if err != nil {
 		return err
 	}
 	if version != 0 {
 		return E.New("unknown version")
 	}
-	entryLength, err := rw.ReadUVariant(r.reader)
+	entryLength, err := binary.ReadUvarint(reader)
 	if err != nil {
 		return err
 	}
@@ -55,16 +78,16 @@ func (r *Reader) readMetadata() error {
 			codeIndex  uint64
 			codeLength uint64
 		)
-		code, err = rw.ReadVString(r.reader)
+		code, err = varbin.ReadValue[string](reader, binary.BigEndian)
 		if err != nil {
 			return err
 		}
 		keys[i] = code
-		codeIndex, err = rw.ReadUVariant(r.reader)
+		codeIndex, err = binary.ReadUvarint(reader)
 		if err != nil {
 			return err
 		}
-		codeLength, err = rw.ReadUVariant(r.reader)
+		codeLength, err = binary.ReadUvarint(reader)
 		if err != nil {
 			return err
 		}
@@ -73,6 +96,8 @@ func (r *Reader) readMetadata() error {
 	}
 	r.domainIndex = domainIndex
 	r.domainLength = domainLength
 	r.metadataIndex = counter.count - int64(reader.Buffered())
 	r.bufferedReader = reader
 	return nil
 }
@@ -81,31 +106,32 @@ func (r *Reader) Read(code string) ([]Item, error) {
 	if !exists {
 		return nil, E.New("code ", code, " not exists!")
 	}
-	_, err := r.reader.Seek(int64(index), io.SeekCurrent)
+	_, err := r.reader.Seek(r.metadataIndex+int64(index), io.SeekStart)
 	if err != nil {
 		return nil, err
 	}
-	counter := &rw.ReadCounter{Reader: r.reader}
+	r.bufferedReader.Reset(r.reader)
-	domain := make([]Item, r.domainLength[code])
+	itemList := make([]Item, r.domainLength[code])
-	for i := range domain {
+	err = varbin.Read(r.bufferedReader, binary.BigEndian, &itemList)
-		var (
+	if err != nil {
-			item Item
+		return nil, err
 			err  error
 		)
 		item.Type, err = rw.ReadByte(counter)
 		if err != nil {
 			return nil, err
 		}
 		item.Value, err = rw.ReadVString(counter)
 		if err != nil {
 			return nil, err
 		}
 		domain[i] = item
 	}
-	_, err = r.reader.Seek(int64(-index)-counter.Count(), io.SeekCurrent)
+	return itemList, nil
 	return domain, err
 }
 func (r *Reader) Upstream() any {
 	return r.reader
 }
 type readCounter struct {
 	io.Reader
 	count int64
 }
 func (r *readCounter) Read(p []byte) (n int, err error) {
 	n, err = r.Reader.Read(p)
 	if n > 0 {
 		atomic.AddInt64(&r.count, int64(n))
 	}
 	return
 }
--- a/common/geosite/writer.go
+++ b/common/geosite/writer.go
@@ -2,13 +2,13 @@ package geosite
 import (
 	"bytes"
-	"io"
+	"encoding/binary"
 	"sort"
-	"github.com/sagernet/sing/common/rw"
+	"github.com/sagernet/sing/common/varbin"
 )
-func Write(writer io.Writer, domains map[string][]Item) error {
+func Write(writer varbin.Writer, domains map[string][]Item) error {
 	keys := make([]string, 0, len(domains))
 	for code := range domains {
 		keys = append(keys, code)
@@ -19,35 +19,34 @@ func Write(writer io.Writer, domains map[string][]Item) error {
 	index := make(map[string]int)
 	for _, code := range keys {
 		index[code] = content.Len()
-		for _, domain := range domains[code] {
+		for _, item := range domains[code] {
-			content.WriteByte(domain.Type)
+			err := varbin.Write(content, binary.BigEndian, item)
 			err := rw.WriteVString(content, domain.Value)
 			if err != nil {
 				return err
 			}
 		}
 	}
-	err := rw.WriteByte(writer, 0)
+	err := writer.WriteByte(0)
 	if err != nil {
 		return err
 	}
-	err = rw.WriteUVariant(writer, uint64(len(keys)))
+	_, err = varbin.WriteUvarint(writer, uint64(len(keys)))
 	if err != nil {
 		return err
 	}
 	for _, code := range keys {
-		err = rw.WriteVString(writer, code)
+		err = varbin.Write(writer, binary.BigEndian, code)
 		if err != nil {
 			return err
 		}
-		err = rw.WriteUVariant(writer, uint64(index[code]))
+		_, err = varbin.WriteUvarint(writer, uint64(index[code]))
 		if err != nil {
 			return err
 		}
-		err = rw.WriteUVariant(writer, uint64(len(domains[code])))
+		_, err = varbin.WriteUvarint(writer, uint64(len(domains[code])))
 		if err != nil {
 			return err
 		}
--- a/common/ja3/LICENSE
+++ b/common/ja3/LICENSE
@@ -0,0 +1,29 @@
 BSD 3-Clause License
 Copyright (c) 2018, Open Systems AG
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
 * Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.
 * Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.
 * Neither the name of the copyright holder nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/common/ja3/README.md
+++ b/common/ja3/README.md
@@ -0,0 +1,3 @@
 # JA3
 mod from: https://github.com/open-ch/ja3
--- a/common/ja3/error.go
+++ b/common/ja3/error.go
@@ -0,0 +1,31 @@
 // Copyright (c) 2018, Open Systems AG. All rights reserved.
 //
 // Use of this source code is governed by a BSD-style license
 // that can be found in the LICENSE file in the root of the source
 // tree.
 package ja3
 import "fmt"
 // Error types
 const (
 	LengthErr        string = "length check %v failed"
 	ContentTypeErr   string = "content type not matching"
 	VersionErr       string = "version check %v failed"
 	HandshakeTypeErr string = "handshake type not matching"
 	SNITypeErr       string = "SNI type not supported"
 )
 // ParseError can be encountered while parsing a segment
 type ParseError struct {
 	errType string
 	check   int
 }
 func (e *ParseError) Error() string {
 	if e.errType == LengthErr || e.errType == VersionErr {
 		return fmt.Sprintf(e.errType, e.check)
 	}
 	return fmt.Sprint(e.errType)
 }
--- a/common/ja3/ja3.go
+++ b/common/ja3/ja3.go
@@ -0,0 +1,83 @@
 // Copyright (c) 2018, Open Systems AG. All rights reserved.
 //
 // Use of this source code is governed by a BSD-style license
 // that can be found in the LICENSE file in the root of the source
 // tree.
 package ja3
 import (
 	"crypto/md5"
 	"encoding/hex"
 	"golang.org/x/exp/slices"
 )
 type ClientHello struct {
 	Version             uint16
 	CipherSuites        []uint16
 	Extensions          []uint16
 	EllipticCurves      []uint16
 	EllipticCurvePF     []uint8
 	Versions            []uint16
 	SignatureAlgorithms []uint16
 	ServerName          string
 	ja3ByteString       []byte
 	ja3Hash             string
 }
 func (j *ClientHello) Equals(another *ClientHello, ignoreExtensionsSequence bool) bool {
 	if j.Version != another.Version {
 		return false
 	}
 	if !slices.Equal(j.CipherSuites, another.CipherSuites) {
 		return false
 	}
 	if !ignoreExtensionsSequence && !slices.Equal(j.Extensions, another.Extensions) {
 		return false
 	}
 	if ignoreExtensionsSequence && !slices.Equal(j.Extensions, another.sortedExtensions()) {
 		return false
 	}
 	if !slices.Equal(j.EllipticCurves, another.EllipticCurves) {
 		return false
 	}
 	if !slices.Equal(j.EllipticCurvePF, another.EllipticCurvePF) {
 		return false
 	}
 	if !slices.Equal(j.SignatureAlgorithms, another.SignatureAlgorithms) {
 		return false
 	}
 	return true
 }
 func (j *ClientHello) sortedExtensions() []uint16 {
 	extensions := make([]uint16, len(j.Extensions))
 	copy(extensions, j.Extensions)
 	slices.Sort(extensions)
 	return extensions
 }
 func Compute(payload []byte) (*ClientHello, error) {
 	ja3 := ClientHello{}
 	err := ja3.parseSegment(payload)
 	return &ja3, err
 }
 func (j *ClientHello) String() string {
 	if j.ja3ByteString == nil {
 		j.marshalJA3()
 	}
 	return string(j.ja3ByteString)
 }
 func (j *ClientHello) Hash() string {
 	if j.ja3ByteString == nil {
 		j.marshalJA3()
 	}
 	if j.ja3Hash == "" {
 		h := md5.Sum(j.ja3ByteString)
 		j.ja3Hash = hex.EncodeToString(h[:])
 	}
 	return j.ja3Hash
 }
--- a/common/ja3/parser.go
+++ b/common/ja3/parser.go
@@ -0,0 +1,357 @@
 // Copyright (c) 2018, Open Systems AG. All rights reserved.
 //
 // Use of this source code is governed by a BSD-style license
 // that can be found in the LICENSE file in the root of the source
 // tree.
 package ja3
 import (
 	"encoding/binary"
 	"strconv"
 )
 const (
 	// Constants used for parsing
 	recordLayerHeaderLen                  int    = 5
 	handshakeHeaderLen                    int    = 6
 	randomDataLen                         int    = 32
 	sessionIDHeaderLen                    int    = 1
 	cipherSuiteHeaderLen                  int    = 2
 	compressMethodHeaderLen               int    = 1
 	extensionsHeaderLen                   int    = 2
 	extensionHeaderLen                    int    = 4
 	sniExtensionHeaderLen                 int    = 5
 	ecExtensionHeaderLen                  int    = 2
 	ecpfExtensionHeaderLen                int    = 1
 	versionExtensionHeaderLen             int    = 1
 	signatureAlgorithmsExtensionHeaderLen int    = 2
 	contentType                           uint8  = 22
 	handshakeType                         uint8  = 1
 	sniExtensionType                      uint16 = 0
 	sniNameDNSHostnameType                uint8  = 0
 	ecExtensionType                       uint16 = 10
 	ecpfExtensionType                     uint16 = 11
 	versionExtensionType                  uint16 = 43
 	signatureAlgorithmsExtensionType      uint16 = 13
 	// Versions
 	// The bitmask covers the versions SSL3.0 to TLS1.2
 	tlsVersionBitmask uint16 = 0xFFFC
 	tls13             uint16 = 0x0304
 	// GREASE values
 	// The bitmask covers all GREASE values
 	GreaseBitmask uint16 = 0x0F0F
 	// Constants used for marshalling
 	dashByte  = byte(45)
 	commaByte = byte(44)
 )
 // parseSegment to populate the corresponding ClientHello object or return an error
 func (j *ClientHello) parseSegment(segment []byte) error {
 	// Check if we can decode the next fields
 	if len(segment) < recordLayerHeaderLen {
 		return &ParseError{LengthErr, 1}
 	}
 	// Check if we have "Content Type: Handshake (22)"
 	contType := uint8(segment[0])
 	if contType != contentType {
 		return &ParseError{errType: ContentTypeErr}
 	}
 	// Check if TLS record layer version is supported
 	tlsRecordVersion := uint16(segment[1])<<8 | uint16(segment[2])
 	if tlsRecordVersion&tlsVersionBitmask != 0x0300 && tlsRecordVersion != tls13 {
 		return &ParseError{VersionErr, 1}
 	}
 	// Check that the Handshake is as long as expected from the length field
 	segmentLen := uint16(segment[3])<<8 | uint16(segment[4])
 	if len(segment[recordLayerHeaderLen:]) < int(segmentLen) {
 		return &ParseError{LengthErr, 2}
 	}
 	// Keep the Handshake messege, ignore any additional following record types
 	hs := segment[recordLayerHeaderLen : recordLayerHeaderLen+int(segmentLen)]
 	err := j.parseHandshake(hs)
 	return err
 }
 // parseHandshake body
 func (j *ClientHello) parseHandshake(hs []byte) error {
 	// Check if we can decode the next fields
 	if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen {
 		return &ParseError{LengthErr, 3}
 	}
 	// Check if we have "Handshake Type: Client Hello (1)"
 	handshType := uint8(hs[0])
 	if handshType != handshakeType {
 		return &ParseError{errType: HandshakeTypeErr}
 	}
 	// Check if actual length of handshake matches (this is a great exclusion criterion for false positives,
 	// as these fields have to match the actual length of the rest of the segment)
 	handshakeLen := uint32(hs[1])<<16 | uint32(hs[2])<<8 | uint32(hs[3])
 	if len(hs[4:]) != int(handshakeLen) {
 		return &ParseError{LengthErr, 4}
 	}
 	// Check if Client Hello version is supported
 	tlsVersion := uint16(hs[4])<<8 | uint16(hs[5])
 	if tlsVersion&tlsVersionBitmask != 0x0300 && tlsVersion != tls13 {
 		return &ParseError{VersionErr, 2}
 	}
 	j.Version = tlsVersion
 	// Check if we can decode the next fields
 	sessionIDLen := uint8(hs[38])
 	if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen) {
 		return &ParseError{LengthErr, 5}
 	}
 	// Cipher Suites
 	cs := hs[handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen):]
 	// Check if we can decode the next fields
 	if len(cs) < cipherSuiteHeaderLen {
 		return &ParseError{LengthErr, 6}
 	}
 	csLen := uint16(cs[0])<<8 | uint16(cs[1])
 	numCiphers := int(csLen / 2)
 	cipherSuites := make([]uint16, 0, numCiphers)
 	// Check if we can decode the next fields
 	if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen {
 		return &ParseError{LengthErr, 7}
 	}
 	for i := 0; i < numCiphers; i++ {
 		cipherSuite := uint16(cs[2+i<<1])<<8 | uint16(cs[3+i<<1])
 		cipherSuites = append(cipherSuites, cipherSuite)
 	}
 	j.CipherSuites = cipherSuites
 	// Check if we can decode the next fields
 	compressMethodLen := uint16(cs[cipherSuiteHeaderLen+int(csLen)])
 	if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen+int(compressMethodLen) {
 		return &ParseError{LengthErr, 8}
 	}
 	// Extensions
 	exs := cs[cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen+int(compressMethodLen):]
 	err := j.parseExtensions(exs)
 	return err
 }
 // parseExtensions of the handshake
 func (j *ClientHello) parseExtensions(exs []byte) error {
 	// Check for no extensions, this fields header is nonexistent if no body is used
 	if len(exs) == 0 {
 		return nil
 	}
 	// Check if we can decode the next fields
 	if len(exs) < extensionsHeaderLen {
 		return &ParseError{LengthErr, 9}
 	}
 	exsLen := uint16(exs[0])<<8 | uint16(exs[1])
 	exs = exs[extensionsHeaderLen:]
 	// Check if we can decode the next fields
 	if len(exs) < int(exsLen) {
 		return &ParseError{LengthErr, 10}
 	}
 	var sni []byte
 	var extensions, ellipticCurves []uint16
 	var ellipticCurvePF []uint8
 	var versions []uint16
 	var signatureAlgorithms []uint16
 	for len(exs) > 0 {
 		// Check if we can decode the next fields
 		if len(exs) < extensionHeaderLen {
 			return &ParseError{LengthErr, 11}
 		}
 		exType := uint16(exs[0])<<8 | uint16(exs[1])
 		exLen := uint16(exs[2])<<8 | uint16(exs[3])
 		// Ignore any GREASE extensions
 		extensions = append(extensions, exType)
 		// Check if we can decode the next fields
 		if len(exs) < extensionHeaderLen+int(exLen) {
 			return &ParseError{LengthErr, 12}
 		}
 		sex := exs[extensionHeaderLen : extensionHeaderLen+int(exLen)]
 		switch exType {
 		case sniExtensionType: // Extensions: server_name
 			// Check if we can decode the next fields
 			if len(sex) < sniExtensionHeaderLen {
 				return &ParseError{LengthErr, 13}
 			}
 			sniType := uint8(sex[2])
 			sniLen := uint16(sex[3])<<8 | uint16(sex[4])
 			sex = sex[sniExtensionHeaderLen:]
 			// Check if we can decode the next fields
 			if len(sex) != int(sniLen) {
 				return &ParseError{LengthErr, 14}
 			}
 			switch sniType {
 			case sniNameDNSHostnameType:
 				sni = sex
 			default:
 				return &ParseError{errType: SNITypeErr}
 			}
 		case ecExtensionType: // Extensions: supported_groups
 			// Check if we can decode the next fields
 			if len(sex) < ecExtensionHeaderLen {
 				return &ParseError{LengthErr, 15}
 			}
 			ecsLen := uint16(sex[0])<<8 | uint16(sex[1])
 			numCurves := int(ecsLen / 2)
 			ellipticCurves = make([]uint16, 0, numCurves)
 			sex = sex[ecExtensionHeaderLen:]
 			// Check if we can decode the next fields
 			if len(sex) != int(ecsLen) {
 				return &ParseError{LengthErr, 16}
 			}
 			for i := 0; i < numCurves; i++ {
 				ecType := uint16(sex[i*2])<<8 | uint16(sex[1+i*2])
 				ellipticCurves = append(ellipticCurves, ecType)
 			}
 		case ecpfExtensionType: // Extensions: ec_point_formats
 			// Check if we can decode the next fields
 			if len(sex) < ecpfExtensionHeaderLen {
 				return &ParseError{LengthErr, 17}
 			}
 			ecpfsLen := uint8(sex[0])
 			numPF := int(ecpfsLen)
 			ellipticCurvePF = make([]uint8, numPF)
 			sex = sex[ecpfExtensionHeaderLen:]
 			// Check if we can decode the next fields
 			if len(sex) != numPF {
 				return &ParseError{LengthErr, 18}
 			}
 			for i := 0; i < numPF; i++ {
 				ellipticCurvePF[i] = uint8(sex[i])
 			}
 		case versionExtensionType:
 			if len(sex) < versionExtensionHeaderLen {
 				return &ParseError{LengthErr, 19}
 			}
 			versionsLen := int(sex[0])
 			for i := 0; i < versionsLen; i += 2 {
 				versions = append(versions, binary.BigEndian.Uint16(sex[1:][i:]))
 			}
 		case signatureAlgorithmsExtensionType:
 			if len(sex) < signatureAlgorithmsExtensionHeaderLen {
 				return &ParseError{LengthErr, 20}
 			}
 			ssaLen := binary.BigEndian.Uint16(sex)
 			for i := 0; i < int(ssaLen); i += 2 {
 				signatureAlgorithms = append(signatureAlgorithms, binary.BigEndian.Uint16(sex[2:][i:]))
 			}
 		}
 		exs = exs[4+exLen:]
 	}
 	j.ServerName = string(sni)
 	j.Extensions = extensions
 	j.EllipticCurves = ellipticCurves
 	j.EllipticCurvePF = ellipticCurvePF
 	j.Versions = versions
 	j.SignatureAlgorithms = signatureAlgorithms
 	return nil
 }
 // marshalJA3 into a byte string
 func (j *ClientHello) marshalJA3() {
 	// An uint16 can contain numbers with up to 5 digits and an uint8 can contain numbers with up to 3 digits, but we
 	// also need a byte for each separating character, except at the end.
 	byteStringLen := 6*(1+len(j.CipherSuites)+len(j.Extensions)+len(j.EllipticCurves)) + 4*len(j.EllipticCurvePF) - 1
 	byteString := make([]byte, 0, byteStringLen)
 	// Version
 	byteString = strconv.AppendUint(byteString, uint64(j.Version), 10)
 	byteString = append(byteString, commaByte)
 	// Cipher Suites
 	if len(j.CipherSuites) != 0 {
 		for _, val := range j.CipherSuites {
 			if val&GreaseBitmask != 0x0A0A {
 				continue
 			}
 			byteString = strconv.AppendUint(byteString, uint64(val), 10)
 			byteString = append(byteString, dashByte)
 		}
 		// Replace last dash with a comma
 		byteString[len(byteString)-1] = commaByte
 	} else {
 		byteString = append(byteString, commaByte)
 	}
 	// Extensions
 	if len(j.Extensions) != 0 {
 		for _, val := range j.Extensions {
 			if val&GreaseBitmask != 0x0A0A {
 				continue
 			}
 			byteString = strconv.AppendUint(byteString, uint64(val), 10)
 			byteString = append(byteString, dashByte)
 		}
 		// Replace last dash with a comma
 		byteString[len(byteString)-1] = commaByte
 	} else {
 		byteString = append(byteString, commaByte)
 	}
 	// Elliptic curves
 	if len(j.EllipticCurves) != 0 {
 		for _, val := range j.EllipticCurves {
 			if val&GreaseBitmask != 0x0A0A {
 				continue
 			}
 			byteString = strconv.AppendUint(byteString, uint64(val), 10)
 			byteString = append(byteString, dashByte)
 		}
 		// Replace last dash with a comma
 		byteString[len(byteString)-1] = commaByte
 	} else {
 		byteString = append(byteString, commaByte)
 	}
 	// ECPF
 	if len(j.EllipticCurvePF) != 0 {
 		for _, val := range j.EllipticCurvePF {
 			byteString = strconv.AppendUint(byteString, uint64(val), 10)
 			byteString = append(byteString, dashByte)
 		}
 		// Remove last dash
 		byteString = byteString[:len(byteString)-1]
 	}
 	j.ja3ByteString = byteString
 }
--- a/common/listener/listener.go
+++ b/common/listener/listener.go
@@ -0,0 +1,136 @@
 package listener
 import (
 	"context"
 	"net"
 	"sync/atomic"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/settings"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type Listener struct {
 	ctx                      context.Context
 	logger                   logger.ContextLogger
 	network                  []string
 	listenOptions            option.ListenOptions
 	connHandler              adapter.ConnectionHandlerEx
 	packetHandler            adapter.PacketHandlerEx
 	oobPacketHandler         adapter.OOBPacketHandlerEx
 	threadUnsafePacketWriter bool
 	disablePacketOutput      bool
 	setSystemProxy           bool
 	systemProxySOCKS         bool
 	tcpListener          net.Listener
 	systemProxy          settings.SystemProxy
 	udpConn              *net.UDPConn
 	udpAddr              M.Socksaddr
 	packetOutbound       chan *N.PacketBuffer
 	packetOutboundClosed chan struct{}
 	shutdown             atomic.Bool
 }
 type Options struct {
 	Context                  context.Context
 	Logger                   logger.ContextLogger
 	Network                  []string
 	Listen                   option.ListenOptions
 	ConnectionHandler        adapter.ConnectionHandlerEx
 	PacketHandler            adapter.PacketHandlerEx
 	OOBPacketHandler         adapter.OOBPacketHandlerEx
 	ThreadUnsafePacketWriter bool
 	DisablePacketOutput      bool
 	SetSystemProxy           bool
 	SystemProxySOCKS         bool
 }
 func New(
 	options Options,
 ) *Listener {
 	return &Listener{
 		ctx:                      options.Context,
 		logger:                   options.Logger,
 		network:                  options.Network,
 		listenOptions:            options.Listen,
 		connHandler:              options.ConnectionHandler,
 		packetHandler:            options.PacketHandler,
 		oobPacketHandler:         options.OOBPacketHandler,
 		threadUnsafePacketWriter: options.ThreadUnsafePacketWriter,
 		disablePacketOutput:      options.DisablePacketOutput,
 		setSystemProxy:           options.SetSystemProxy,
 		systemProxySOCKS:         options.SystemProxySOCKS,
 	}
 }
 func (l *Listener) Start() error {
 	if common.Contains(l.network, N.NetworkTCP) {
 		_, err := l.ListenTCP()
 		if err != nil {
 			return err
 		}
 		go l.loopTCPIn()
 	}
 	if common.Contains(l.network, N.NetworkUDP) {
 		_, err := l.ListenUDP()
 		if err != nil {
 			return err
 		}
 		l.packetOutboundClosed = make(chan struct{})
 		l.packetOutbound = make(chan *N.PacketBuffer, 64)
 		go l.loopUDPIn()
 		if !l.disablePacketOutput {
 			go l.loopUDPOut()
 		}
 	}
 	if l.setSystemProxy {
 		listenPort := M.SocksaddrFromNet(l.tcpListener.Addr()).Port
 		var listenAddrString string
 		listenAddr := l.listenOptions.Listen.Build()
 		if listenAddr.IsUnspecified() {
 			listenAddrString = "127.0.0.1"
 		} else {
 			listenAddrString = listenAddr.String()
 		}
 		systemProxy, err := settings.NewSystemProxy(l.ctx, M.ParseSocksaddrHostPort(listenAddrString, listenPort), l.systemProxySOCKS)
 		if err != nil {
 			return E.Cause(err, "initialize system proxy")
 		}
 		err = systemProxy.Enable()
 		if err != nil {
 			return E.Cause(err, "set system proxy")
 		}
 		l.systemProxy = systemProxy
 	}
 	return nil
 }
 func (l *Listener) Close() error {
 	l.shutdown.Store(true)
 	var err error
 	if l.systemProxy != nil && l.systemProxy.IsEnabled() {
 		err = l.systemProxy.Disable()
 	}
 	return E.Errors(err, common.Close(
 		l.tcpListener,
 		common.PtrOrNil(l.udpConn),
 	))
 }
 func (l *Listener) TCPListener() net.Listener {
 	return l.tcpListener
 }
 func (l *Listener) UDPConn() *net.UDPConn {
 	return l.udpConn
 }
 func (l *Listener) ListenOptions() option.ListenOptions {
 	return l.listenOptions
 }
--- a/common/listener/listener_go121.go
+++ b/common/listener/listener_go121.go
@@ -1,6 +1,6 @@
 //go:build go1.21
-package inbound
+package listener
 import "net"
--- a/common/listener/listener_go123.go
+++ b/common/listener/listener_go123.go
@@ -0,0 +1,16 @@
 //go:build go1.23
 package listener
 import (
 	"net"
 	"time"
 )
 func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
 	listener.KeepAliveConfig = net.KeepAliveConfig{
 		Enable:   true,
 		Idle:     idle,
 		Interval: interval,
 	}
 }
--- a/common/listener/listener_nongo121.go
+++ b/common/listener/listener_nongo121.go
@@ -1,6 +1,6 @@
 //go:build !go1.21
-package inbound
+package listener
 import "net"
--- a/common/listener/listener_nongo123.go
+++ b/common/listener/listener_nongo123.go
@@ -0,0 +1,15 @@
 //go:build !go1.23
 package listener
 import (
 	"net"
 	"time"
 	"github.com/sagernet/sing/common/control"
 )
 func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
 	listener.KeepAlive = idle
 	listener.Control = control.Append(listener.Control, control.SetKeepAlivePeriod(idle, interval))
 }
--- a/common/listener/listener_tcp.go
+++ b/common/listener/listener_tcp.go
@@ -0,0 +1,85 @@
 package listener
 import (
 	"net"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/metacubex/tfo-go"
 )
 func (l *Listener) ListenTCP() (net.Listener, error) {
 	var err error
 	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(), l.listenOptions.ListenPort)
 	var tcpListener net.Listener
 	var listenConfig net.ListenConfig
 	if l.listenOptions.TCPKeepAlive >= 0 {
 		keepIdle := time.Duration(l.listenOptions.TCPKeepAlive)
 		if keepIdle == 0 {
 			keepIdle = C.TCPKeepAliveInitial
 		}
 		keepInterval := time.Duration(l.listenOptions.TCPKeepAliveInterval)
 		if keepInterval == 0 {
 			keepInterval = C.TCPKeepAliveInterval
 		}
 		setKeepAliveConfig(&listenConfig, keepIdle, keepInterval)
 	}
 	if l.listenOptions.TCPMultiPath {
 		if !go121Available {
 			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
 		}
 		setMultiPathTCP(&listenConfig)
 	}
 	if l.listenOptions.TCPFastOpen {
 		var tfoConfig tfo.ListenConfig
 		tfoConfig.ListenConfig = listenConfig
 		tcpListener, err = tfoConfig.Listen(l.ctx, M.NetworkFromNetAddr(N.NetworkTCP, bindAddr.Addr), bindAddr.String())
 	} else {
 		tcpListener, err = listenConfig.Listen(l.ctx, M.NetworkFromNetAddr(N.NetworkTCP, bindAddr.Addr), bindAddr.String())
 	}
 	if err == nil {
 		l.logger.Info("tcp server started at ", tcpListener.Addr())
 	}
 	//nolint:staticcheck
 	if l.listenOptions.ProxyProtocol || l.listenOptions.ProxyProtocolAcceptNoHeader {
 		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")
 	}
 	l.tcpListener = tcpListener
 	return tcpListener, err
 }
 func (l *Listener) loopTCPIn() {
 	tcpListener := l.tcpListener
 	var metadata adapter.InboundContext
 	for {
 		conn, err := tcpListener.Accept()
 		if err != nil {
 			//nolint:staticcheck
 			if netError, isNetError := err.(net.Error); isNetError && netError.Temporary() {
 				l.logger.Error(err)
 				continue
 			}
 			if l.shutdown.Load() && E.IsClosed(err) {
 				return
 			}
 			l.tcpListener.Close()
 			l.logger.Error("tcp listener closed: ", err)
 			continue
 		}
 		//nolint:staticcheck
 		metadata.InboundDetour = l.listenOptions.Detour
 		//nolint:staticcheck
 		metadata.InboundOptions = l.listenOptions.InboundOptions
 		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
 		metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
 		ctx := log.ContextWithNewID(l.ctx)
 		l.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 		go l.connHandler.NewConnectionEx(ctx, conn, metadata, nil)
 	}
 }
--- a/common/listener/listener_udp.go
+++ b/common/listener/listener_udp.go
@@ -0,0 +1,154 @@
 package listener
 import (
 	"net"
 	"os"
 	"time"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 func (l *Listener) ListenUDP() (net.PacketConn, error) {
 	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(), l.listenOptions.ListenPort)
 	var lc net.ListenConfig
 	var udpFragment bool
 	if l.listenOptions.UDPFragment != nil {
 		udpFragment = *l.listenOptions.UDPFragment
 	} else {
 		udpFragment = l.listenOptions.UDPFragmentDefault
 	}
 	if !udpFragment {
 		lc.Control = control.Append(lc.Control, control.DisableUDPFragment())
 	}
 	udpConn, err := lc.ListenPacket(l.ctx, M.NetworkFromNetAddr(N.NetworkUDP, bindAddr.Addr), bindAddr.String())
 	if err != nil {
 		return nil, err
 	}
 	l.udpConn = udpConn.(*net.UDPConn)
 	l.udpAddr = bindAddr
 	l.logger.Info("udp server started at ", udpConn.LocalAddr())
 	return udpConn, err
 }
 func (l *Listener) UDPAddr() M.Socksaddr {
 	return l.udpAddr
 }
 func (l *Listener) PacketWriter() N.PacketWriter {
 	return (*packetWriter)(l)
 }
 func (l *Listener) loopUDPIn() {
 	defer close(l.packetOutboundClosed)
 	var buffer *buf.Buffer
 	if !l.threadUnsafePacketWriter {
 		buffer = buf.NewPacket()
 		defer buffer.Release()
 	}
 	buffer.IncRef()
 	defer buffer.DecRef()
 	if l.oobPacketHandler != nil {
 		oob := make([]byte, 1024)
 		for {
 			if l.threadUnsafePacketWriter {
 				buffer = buf.NewPacket()
 			} else {
 				buffer.Reset()
 			}
 			n, oobN, _, addr, err := l.udpConn.ReadMsgUDPAddrPort(buffer.FreeBytes(), oob)
 			if err != nil {
 				if l.threadUnsafePacketWriter {
 					buffer.Release()
 				}
 				if l.shutdown.Load() && E.IsClosed(err) {
 					return
 				}
 				l.udpConn.Close()
 				l.logger.Error("udp listener closed: ", err)
 				return
 			}
 			buffer.Truncate(n)
 			l.oobPacketHandler.NewPacketEx(buffer, oob[:oobN], M.SocksaddrFromNetIP(addr).Unwrap())
 		}
 	} else {
 		for {
 			if l.threadUnsafePacketWriter {
 				buffer = buf.NewPacket()
 			} else {
 				buffer.Reset()
 			}
 			n, addr, err := l.udpConn.ReadFromUDPAddrPort(buffer.FreeBytes())
 			if err != nil {
 				if l.threadUnsafePacketWriter {
 					buffer.Release()
 				}
 				if l.shutdown.Load() && E.IsClosed(err) {
 					return
 				}
 				l.udpConn.Close()
 				l.logger.Error("udp listener closed: ", err)
 				return
 			}
 			buffer.Truncate(n)
 			l.packetHandler.NewPacketEx(buffer, M.SocksaddrFromNetIP(addr).Unwrap())
 		}
 	}
 }
 func (l *Listener) loopUDPOut() {
 	for {
 		select {
 		case packet := <-l.packetOutbound:
 			destination := packet.Destination.AddrPort()
 			_, err := l.udpConn.WriteToUDPAddrPort(packet.Buffer.Bytes(), destination)
 			packet.Buffer.Release()
 			N.PutPacketBuffer(packet)
 			if err != nil {
 				if l.shutdown.Load() && E.IsClosed(err) {
 					return
 				}
 				l.udpConn.Close()
 				l.logger.Error("udp listener write back: ", destination, ": ", err)
 				return
 			}
 			continue
 		case <-l.packetOutboundClosed:
 		}
 		for {
 			select {
 			case packet := <-l.packetOutbound:
 				packet.Buffer.Release()
 				N.PutPacketBuffer(packet)
 			case <-time.After(time.Second):
 				return
 			}
 		}
 	}
 }
 type packetWriter Listener
 func (w *packetWriter) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	packet := N.NewPacketBuffer()
 	packet.Buffer = buffer
 	packet.Destination = destination
 	select {
 	case w.packetOutbound <- packet:
 		return nil
 	default:
 		buffer.Release()
 		N.PutPacketBuffer(packet)
 		if w.shutdown.Load() {
 			return os.ErrClosed
 		}
 		w.logger.Trace("dropped packet to ", destination)
 		return nil
 	}
 }
 func (w *packetWriter) WriteIsThreadUnsafe() {
 }
--- a/common/mux/router.go
+++ b/common/mux/router.go
@@ -15,11 +15,11 @@ import (
 )
 type Router struct {
-	router  adapter.ConnectionRouter
+	router  adapter.ConnectionRouterEx
 	service *mux.Service
 }
-func NewRouterWithOptions(router adapter.ConnectionRouter, logger logger.ContextLogger, options option.InboundMultiplexOptions) (adapter.ConnectionRouter, error) {
+func NewRouterWithOptions(router adapter.ConnectionRouterEx, logger logger.ContextLogger, options option.InboundMultiplexOptions) (adapter.ConnectionRouterEx, error) {
 	if !options.Enabled {
 		return router, nil
 	}
@@ -54,6 +54,7 @@ func NewRouterWithOptions(router adapter.ConnectionRouter, logger logger.Context
 func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	if metadata.Destination == mux.Destination {
 		// TODO: check if WithContext is necessary
 		return r.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, adapter.UpstreamMetadata(metadata))
 	} else {
 		return r.router.RouteConnection(ctx, conn, metadata)
@@ -63,3 +64,15 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return r.router.RoutePacketConnection(ctx, conn, metadata)
 }
 func (r *Router) RouteConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
 	if metadata.Destination == mux.Destination {
 		r.service.NewConnectionEx(adapter.WithContext(ctx, &metadata), conn, metadata.Source, metadata.Destination, onClose)
 		return
 	}
 	r.router.RouteConnectionEx(ctx, conn, metadata, onClose)
 }
 func (r *Router) RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
 	r.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 }
--- a/common/mux/v2ray_legacy.go
+++ b/common/mux/v2ray_legacy.go
@@ -1,32 +0,0 @@
 package mux
 import (
 	"context"
 	"net"
 	"github.com/sagernet/sing-box/adapter"
 	vmess "github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing/common/logger"
 	N "github.com/sagernet/sing/common/network"
 )
 type V2RayLegacyRouter struct {
 	router adapter.ConnectionRouter
 	logger logger.ContextLogger
 }
 func NewV2RayLegacyRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) adapter.ConnectionRouter {
 	return &V2RayLegacyRouter{router, logger}
 }
 func (r *V2RayLegacyRouter) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	if metadata.Destination.Fqdn == vmess.MuxDestination.Fqdn {
 		r.logger.InfoContext(ctx, "inbound legacy multiplex connection")
 		return vmess.HandleMuxConnection(ctx, conn, adapter.NewRouteHandler(metadata, r.router, r.logger))
 	}
 	return r.router.RouteConnection(ctx, conn, metadata)
 }
 func (r *V2RayLegacyRouter) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return r.router.RoutePacketConnection(ctx, conn, metadata)
 }
--- a/common/process/searcher_darwin.go
+++ b/common/process/searcher_darwin.go
@@ -60,12 +60,12 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 	isIPv4 := ip.Is4()
-	value, err := syscall.Sysctl(spath)
+	value, err := unix.SysctlRaw(spath)
 	if err != nil {
 		return "", err
 	}
-	buf := []byte(value)
+	buf := value
 	// from darwin-xnu/bsd/netinet/in_pcblist.c:get_pcblist_n
 	// size/offset are round up (aligned) to 8 bytes in darwin
--- a/common/settings/proxy_linux.go
+++ b/common/settings/proxy_linux.go
@@ -16,30 +16,40 @@ import (
 )
 type LinuxSystemProxy struct {
-	hasGSettings     bool
+	hasGSettings    bool
-	hasKWriteConfig5 bool
+	kWriteConfigCmd string
-	sudoUser         string
+	sudoUser        string
-	serverAddr       M.Socksaddr
+	serverAddr      M.Socksaddr
-	supportSOCKS     bool
+	supportSOCKS    bool
-	isEnabled        bool
+	isEnabled       bool
 }
 func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*LinuxSystemProxy, error) {
 	hasGSettings := common.Error(exec.LookPath("gsettings")) == nil
-	hasKWriteConfig5 := common.Error(exec.LookPath("kwriteconfig5")) == nil
+	kWriteConfigCmds := []string{
 		"kwriteconfig5",
 		"kwriteconfig6",
 	}
 	var kWriteConfigCmd string
 	for _, cmd := range kWriteConfigCmds {
 		if common.Error(exec.LookPath(cmd)) == nil {
 			kWriteConfigCmd = cmd
 			break
 		}
 	}
 	var sudoUser string
 	if os.Getuid() == 0 {
 		sudoUser = os.Getenv("SUDO_USER")
 	}
-	if !hasGSettings && !hasKWriteConfig5 {
+	if !hasGSettings && kWriteConfigCmd == "" {
 		return nil, E.New("unsupported desktop environment")
 	}
 	return &LinuxSystemProxy{
-		hasGSettings:     hasGSettings,
+		hasGSettings:    hasGSettings,
-		hasKWriteConfig5: hasKWriteConfig5,
+		kWriteConfigCmd: kWriteConfigCmd,
-		sudoUser:         sudoUser,
+		sudoUser:        sudoUser,
-		serverAddr:       serverAddr,
+		serverAddr:      serverAddr,
-		supportSOCKS:     supportSOCKS,
+		supportSOCKS:    supportSOCKS,
 	}, nil
 }
@@ -70,8 +80,8 @@ func (p *LinuxSystemProxy) Enable() error {
 			return err
 		}
 	}
-	if p.hasKWriteConfig5 {
+	if p.kWriteConfigCmd != "" {
-		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "1")
+		err := p.runAsUser(p.kWriteConfigCmd, "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "1")
 		if err != nil {
 			return err
 		}
@@ -83,7 +93,7 @@ func (p *LinuxSystemProxy) Enable() error {
 		if err != nil {
 			return err
 		}
-		err = p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "Authmode", "0")
+		err = p.runAsUser(p.kWriteConfigCmd, "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "Authmode", "0")
 		if err != nil {
 			return err
 		}
@@ -103,8 +113,8 @@ func (p *LinuxSystemProxy) Disable() error {
 			return err
 		}
 	}
-	if p.hasKWriteConfig5 {
+	if p.kWriteConfigCmd != "" {
-		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "0")
+		err := p.runAsUser(p.kWriteConfigCmd, "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "0")
 		if err != nil {
 			return err
 		}
@@ -150,7 +160,7 @@ func (p *LinuxSystemProxy) setKDEProxy(proxyTypes ...string) error {
 			proxyUrl = "http://" + p.serverAddr.String()
 		}
 		err := p.runAsUser(
-			"kwriteconfig5",
+			p.kWriteConfigCmd,
 			"--file",
 			"kioslaverc",
 			"--group",
--- a/common/sniff/bittorrent.go
+++ b/common/sniff/bittorrent.go
@@ -0,0 +1,99 @@
 package sniff
 import (
 	"bytes"
 	"context"
 	"encoding/binary"
 	"io"
 	"os"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 )
 const (
 	trackerConnectFlag    = 0
 	trackerProtocolID     = 0x41727101980
 	trackerConnectMinSize = 16
 )
 // BitTorrent detects if the stream is a BitTorrent connection.
 // For the BitTorrent protocol specification, see https://www.bittorrent.org/beps/bep_0003.html
 func BitTorrent(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
 	var first byte
 	err := binary.Read(reader, binary.BigEndian, &first)
 	if err != nil {
 		return err
 	}
 	if first != 19 {
 		return os.ErrInvalid
 	}
 	var protocol [19]byte
 	_, err = reader.Read(protocol[:])
 	if err != nil {
 		return err
 	}
 	if string(protocol[:]) != "BitTorrent protocol" {
 		return os.ErrInvalid
 	}
 	metadata.Protocol = C.ProtocolBitTorrent
 	return nil
 }
 // UTP detects if the packet is a uTP connection packet.
 // For the uTP protocol specification, see
 //  1. https://www.bittorrent.org/beps/bep_0029.html
 //  2. https://github.com/bittorrent/libutp/blob/2b364cbb0650bdab64a5de2abb4518f9f228ec44/utp_internal.cpp#L112
 func UTP(_ context.Context, metadata *adapter.InboundContext, packet []byte) error {
 	// A valid uTP packet must be at least 20 bytes long.
 	if len(packet) < 20 {
 		return os.ErrInvalid
 	}
 	version := packet[0] & 0x0F
 	ty := packet[0] >> 4
 	if version != 1 || ty > 4 {
 		return os.ErrInvalid
 	}
 	// Validate the extensions
 	extension := packet[1]
 	reader := bytes.NewReader(packet[20:])
 	for extension != 0 {
 		err := binary.Read(reader, binary.BigEndian, &extension)
 		if err != nil {
 			return err
 		}
 		var length byte
 		err = binary.Read(reader, binary.BigEndian, &length)
 		if err != nil {
 			return err
 		}
 		_, err = reader.Seek(int64(length), io.SeekCurrent)
 		if err != nil {
 			return err
 		}
 	}
 	metadata.Protocol = C.ProtocolBitTorrent
 	return nil
 }
 // UDPTracker detects if the packet is a UDP Tracker Protocol packet.
 // For the UDP Tracker Protocol specification, see https://www.bittorrent.org/beps/bep_0015.html
 func UDPTracker(_ context.Context, metadata *adapter.InboundContext, packet []byte) error {
 	if len(packet) < trackerConnectMinSize {
 		return os.ErrInvalid
 	}
 	if binary.BigEndian.Uint64(packet[:8]) != trackerProtocolID {
 		return os.ErrInvalid
 	}
 	if binary.BigEndian.Uint32(packet[8:12]) != trackerConnectFlag {
 		return os.ErrInvalid
 	}
 	metadata.Protocol = C.ProtocolBitTorrent
 	return nil
 }
--- a/common/sniff/bittorrent_test.go
+++ b/common/sniff/bittorrent_test.go
@@ -0,0 +1,73 @@
 package sniff_test
 import (
 	"bytes"
 	"context"
 	"encoding/hex"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/stretchr/testify/require"
 )
 func TestSniffBittorrent(t *testing.T) {
 	t.Parallel()
 	packets := []string{
 		"13426974546f7272656e742070726f746f636f6c0000000000100000e21ea9569b69bab33c97851d0298bdfa89bc90922d5554313631302dea812fcd6a3563e3be40c1d1",
 		"13426974546f7272656e742070726f746f636f6c00000000001000052aa4f5a7e209e54b32803d43670971c4c8caaa052d5452333030302d653369733079647675763638",
 		"13426974546f7272656e742070726f746f636f6c00000000001000052aa4f5a7e209e54b32803d43670971c4c8caaa052d5452343035302d6f7a316c6e79377931716130",
 	}
 	for _, pkt := range packets {
 		pkt, err := hex.DecodeString(pkt)
 		require.NoError(t, err)
 		var metadata adapter.InboundContext
 		err = sniff.BitTorrent(context.TODO(), &metadata, bytes.NewReader(pkt))
 		require.NoError(t, err)
 		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
 	}
 }
 func TestSniffUTP(t *testing.T) {
 	t.Parallel()
 	packets := []string{
 		"010041a282d7ee7b583afb160004000006d8318da776968f92d666f7963f32dae23ba0d2c810d8b8209cc4939f54fde9eeaa521c2c20c9ba7f43f4fb0375f28de06643b5e3ca4685ab7ac76adca99783be72ef05ed59ef4234f5712b75b4c7c0d7bee8fe2ca20ad626ba5bb0ffcc16bf06790896f888048cf72716419a07db1a3dca4550fbcea75b53e97235168a221cf3e553dfbb723961bd719fab038d86e0ecb74747f5a2cd669de1c4b9ad375f3a492d09d98cdfad745435625401315bbba98d35d32086299801377b93495a63a9efddb8d05f5b37a5c5b1c0a25e917f12007bb5e05013ada8aff544fab8cadf61d80ddb0b60f12741e44515a109d144fd53ef845acb4b5ccf0d6fc302d7003d76df3fc3423bb0237301c9e88f900c2d392a8e0fdb36d143cf7527a93fd0a2638b746e72f6699fffcd4fd15348fce780d4caa04382fd9faf1ca0ae377ca805da7536662b84f5ee18dd3ae38fcb095a7543e55f9069ae92c8cf54ae44e97b558d35e2545c66601ed2149cbc32bd6df199a2be7cf0da8b2ff137e0d23e776bc87248425013876d3a3cc31a83b424b752bd0346437f24b532978005d8f5b1b0be1a37a2489c32a18a9ad3118e3f9d30eb299bffae18e1f0677c2a5c185e62519093fe6bc2b7339299ea50a587989f726ca6443a75dd5bb936f6367c6355d80fae53ff529d740b2e5576e3eefdf1fdbfc69c3c8d8ac750512635de63e054bee1d3b689bc1b2bc3d2601e42a00b5c89066d173d4ae7ffedfd2274e5cf6d868fbe640aedb69b8246142f00b32d459974287537ddd5373460dcbc92f5cfdd7a3ed6020822ae922d947893752ca1983d0d32977374c384ac8f5ab566859019b7351526b9f13e932037a55bb052d9deb3b3c23317e0784fdc51a64f2159bfea3b069cf5caf02ee2c3c1a6b6b427bb16165713e8802d95b5c8ed77953690e994bd38c9ae113fedaf6ee7fc2b96c032ceafc2a530ad0422e84546b9c6ad8ef6ea02fa508abddd1805c38a7b42e9b7c971b1b636865ebec06ed754bb404cd6b4e6cc8cb77bd4a0c43410d5cd5ef8fe853a66d49b3b9e06cb141236cdbfdd5761601dc54d1250b86c660e0f898fe62526fdd9acf0eab60a3bbbb2151970461f28f10b31689594bea646c4b03ee197d63bdef4e5a7c22716b3bb9494a83b78ecd81b338b80ac6c09c43485b1b09ba41c74343832c78f0520c1d659ac9eb1502094141e82fb9e5e620970ebc0655514c43c294a7714cbf9a499d277daf089f556398a01589a77494bec8bfb60a108f3813b55368672b88c1af40f6b3c8b513f7c70c3e0efce85228b8b9ec67ba0393f9f7305024d8e2da6a26cf85613d14f249170ce1000089df4c9c260df7f8292aa2ecb5d5bac97656d59aa248caedea2d198e51ce87baece338716d114b458de02d65c9ff808ca5b5b73723b4d1e962d9ac2d98176544dc9984cf8554d07820ef3dd0861cfe57b478328046380de589adad94ee44743ffac73bb7361feca5d56f07cf8ce75080e261282ae30350d7882679b15cab9e7e53ddf93310b33f7390ae5d318bb53f387e6af5d0ef4f947fc9cb8e7e38b52c7f8d772ece6156b38d88796ea19df02c53723b44df7c76315a0de9462f27287e682d2b4cda1a68fe00d7e48c51ee981be44e1ca940fb5190c12655edb4a83c3a4f33e48a015692df4f0b3d61656e362aca657b5ae8c12db5a0db3db1e45135ee918b66918f40e53c4f83e9da0cddfe63f736ae751ab3837a30ae3220d8e8e311487093a7b90c7e7e40dd54ca750e19452f9193aa892aa6a6229ab493dadae988b1724f7898ee69c36d3eb7364c4adbeca811cfe2065873e78c2b6dfdf1595f7a7831c07e03cda82e4f86f76438dfb2b07c13638ce7b509cfa71b88b5102b39a203b423202088e1c2103319cb32c13c1e546ff8612fa194c95a7808ab767c265a1bd5fa0efed5c8ec1701876a00ec8",
 		"01001ecb68176f215d04326300100000dbcf30292d14b54e9ee2d115ee5b8ebc7fad3e882d4fcdd0c14c6b917c11cb4c6a9f410b52a33ae97c2ac77c7a2b122b8955e09af3c5c595f1b2e79ca57cfe44c44e069610773b9bc9ba223d7f6b383e3adddd03fb88a8476028e30979c2ef321ffc97c5c132bcf9ac5b410bbb5ec6cefca3c7209202a14c5ae922b6b157b0a80249d13ffe5b996af0bc8e54ba576d148372494303e7ead0602b05b9c8fc97d48508a028a04d63a1fd28b0edfcd5c51715f63188b53eefede98a76912dca98518551a8856567307a56a702cbfcc115ea0c755b418bc2c7b57721239b82f09fb24328a4b0ce0f109bcb2a64e04b8aadb1f8487585425acdf8fc4ec8ea93cfcec5ac098bb29d42ddef6e46b03f34a5de28316726699b7cb5195c33e5c48abe87d591d63f9991c84c30819d186d6e0e95fd83c8dff07aa669c4430989bcaccfeacb9bcadbdb4d8f1964dbeb9687745656edd30b21c66cc0a1d742a78717d134a19a7f02d285a4973b1a198c00cfdff4676608dc4f3e817e3463c3b4e2c80d3e8d4fbac541a58a2fb7ad6939f607f8144eff6c8b0adc28ee5609ea158987519892fb",
 		"21001ecb6817f2805d044fd700100000dbd03029",
 		"410277ef0b1fb1f60000000000040000c233000000080000000000000000",
 	}
 	for _, pkt := range packets {
 		pkt, err := hex.DecodeString(pkt)
 		require.NoError(t, err)
 		var metadata adapter.InboundContext
 		err = sniff.UTP(context.TODO(), &metadata, pkt)
 		require.NoError(t, err)
 		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
 	}
 }
 func TestSniffUDPTracker(t *testing.T) {
 	t.Parallel()
 	connectPackets := []string{
 		"00000417271019800000000078e90560",
 		"00000417271019800000000022c5d64d",
 		"000004172710198000000000b3863541",
 	}
 	for _, pkt := range connectPackets {
 		pkt, err := hex.DecodeString(pkt)
 		require.NoError(t, err)
 		var metadata adapter.InboundContext
 		err = sniff.UDPTracker(context.TODO(), &metadata, pkt)
 		require.NoError(t, err)
 		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
 	}
 }
--- a/common/sniff/dns.go
+++ b/common/sniff/dns.go
@@ -17,18 +17,17 @@ import (
 	mDNS "github.com/miekg/dns"
 )
-func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
+func StreamDomainNameQuery(readCtx context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
 	var length uint16
 	err := binary.Read(reader, binary.BigEndian, &length)
 	if err != nil {
-		return nil, err
+		return os.ErrInvalid
 	}
 	if length == 0 {
-		return nil, os.ErrInvalid
+		return os.ErrInvalid
 	}
 	buffer := buf.NewSize(int(length))
 	defer buffer.Release()
 	readCtx, cancel := context.WithTimeout(readCtx, time.Millisecond*100)
 	var readTask task.Group
 	readTask.Append0(func(ctx context.Context) error {
@@ -37,19 +36,20 @@ func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.
 	err = readTask.Run(readCtx)
 	cancel()
 	if err != nil {
-		return nil, err
+		return err
 	}
-	return DomainNameQuery(readCtx, buffer.Bytes())
+	return DomainNameQuery(readCtx, metadata, buffer.Bytes())
 }
-func DomainNameQuery(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
+func DomainNameQuery(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
 	var msg mDNS.Msg
 	err := msg.Unpack(packet)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	if len(msg.Question) == 0 || msg.Question[0].Qclass != mDNS.ClassINET || !M.IsDomainName(msg.Question[0].Name) {
-		return nil, os.ErrInvalid
+		return os.ErrInvalid
 	}
-	return &adapter.InboundContext{Protocol: C.ProtocolDNS}, nil
+	metadata.Protocol = C.ProtocolDNS
 	return nil
 }
--- a/common/sniff/dtls.go
+++ b/common/sniff/dtls.go
@@ -0,0 +1,32 @@
 package sniff
 import (
 	"context"
 	"os"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 )
 func DTLSRecord(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
 	const fixedHeaderSize = 13
 	if len(packet) < fixedHeaderSize {
 		return os.ErrInvalid
 	}
 	contentType := packet[0]
 	switch contentType {
 	case 20, 21, 22, 23, 25:
 	default:
 		return os.ErrInvalid
 	}
 	versionMajor := packet[1]
 	if versionMajor != 0xfe {
 		return os.ErrInvalid
 	}
 	versionMinor := packet[2]
 	if versionMinor != 0xff && versionMinor != 0xfd {
 		return os.ErrInvalid
 	}
 	metadata.Protocol = C.ProtocolDTLS
 	return nil
 }
--- a/common/sniff/dtls_test.go
+++ b/common/sniff/dtls_test.go
@@ -0,0 +1,33 @@
 package sniff_test
 import (
 	"context"
 	"encoding/hex"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/stretchr/testify/require"
 )
 func TestSniffDTLSClientHello(t *testing.T) {
 	t.Parallel()
 	packet, err := hex.DecodeString("16fefd0000000000000000007e010000720000000000000072fefd668a43523798e064bd806d0c87660de9c611a59bbdfc3892c4e072d94f2cafc40000000cc02bc02fc00ac014c02cc0300100003c000d0010000e0403050306030401050106010807ff01000100000a00080006001d00170018000b00020100000e000900060008000700010000170000")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.DTLSRecord(context.Background(), &metadata, packet)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolDTLS)
 }
 func TestSniffDTLSClientApplicationData(t *testing.T) {
 	t.Parallel()
 	packet, err := hex.DecodeString("17fefd000100000000000100440001000000000001a4f682b77ecadd10f3f3a2f78d90566212366ff8209fd77314f5a49352f9bb9bd12f4daba0b4736ae29e46b9714d3b424b3e6d0234736619b5aa0d3f")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.DTLSRecord(context.Background(), &metadata, packet)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolDTLS)
 }
--- a/common/sniff/http.go
+++ b/common/sniff/http.go
@@ -11,10 +11,12 @@ import (
 	"github.com/sagernet/sing/protocol/http"
 )
-func HTTPHost(ctx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
+func HTTPHost(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
 	request, err := http.ReadRequest(std_bufio.NewReader(reader))
 	if err != nil {
-		return nil, err
+		return err
 	}
-	return &adapter.InboundContext{Protocol: C.ProtocolHTTP, Domain: M.ParseSocksaddr(request.Host).AddrString()}, nil
+	metadata.Protocol = C.ProtocolHTTP
 	metadata.Domain = M.ParseSocksaddr(request.Host).AddrString()
 	return nil
 }
--- a/common/sniff/http_test.go
+++ b/common/sniff/http_test.go
@@ -5,6 +5,7 @@ import (
 	"strings"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	"github.com/stretchr/testify/require"
@@ -13,7 +14,8 @@ import (
 func TestSniffHTTP1(t *testing.T) {
 	t.Parallel()
 	pkt := "GET / HTTP/1.1\r\nHost: www.google.com\r\nAccept: */*\r\n\r\n"
-	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
+	var metadata adapter.InboundContext
 	err := sniff.HTTPHost(context.Background(), &metadata, strings.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, metadata.Domain, "www.google.com")
 }
@@ -21,7 +23,8 @@ func TestSniffHTTP1(t *testing.T) {
 func TestSniffHTTP1WithPort(t *testing.T) {
 	t.Parallel()
 	pkt := "GET / HTTP/1.1\r\nHost: www.gov.cn:8080\r\nAccept: */*\r\n\r\n"
-	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
+	var metadata adapter.InboundContext
 	err := sniff.HTTPHost(context.Background(), &metadata, strings.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, metadata.Domain, "www.gov.cn")
 }
--- a/common/sniff/quic.go
+++ b/common/sniff/quic.go
@@ -5,95 +5,99 @@ import (
 	"context"
 	"crypto"
 	"crypto/aes"
 	"crypto/tls"
 	"encoding/binary"
 	"io"
 	"os"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/ja3"
 	"github.com/sagernet/sing-box/common/sniff/internal/qtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	"golang.org/x/crypto/hkdf"
 )
-func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
+var ErrClientHelloFragmented = E.New("need more packet for chromium QUIC connection")
 	reader := bytes.NewReader(packet)
 func QUICClientHello(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
 	reader := bytes.NewReader(packet)
 	typeByte, err := reader.ReadByte()
 	if err != nil {
-		return nil, err
+		return err
 	}
 	if typeByte&0x40 == 0 {
-		return nil, E.New("bad type byte")
+		return E.New("bad type byte")
 	}
 	var versionNumber uint32
 	err = binary.Read(reader, binary.BigEndian, &versionNumber)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	if versionNumber != qtls.VersionDraft29 && versionNumber != qtls.Version1 && versionNumber != qtls.Version2 {
-		return nil, E.New("bad version")
+		return E.New("bad version")
 	}
 	packetType := (typeByte & 0x30) >> 4
 	if packetType == 0 && versionNumber == qtls.Version2 || packetType == 2 && versionNumber != qtls.Version2 || packetType > 2 {
-		return nil, E.New("bad packet type")
+		return E.New("bad packet type")
 	}
 	destConnIDLen, err := reader.ReadByte()
 	if err != nil {
-		return nil, err
+		return err
 	}
 	if destConnIDLen == 0 || destConnIDLen > 20 {
-		return nil, E.New("bad destination connection id length")
+		return E.New("bad destination connection id length")
 	}
 	destConnID := make([]byte, destConnIDLen)
 	_, err = io.ReadFull(reader, destConnID)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	srcConnIDLen, err := reader.ReadByte()
 	if err != nil {
-		return nil, err
+		return err
 	}
 	_, err = io.CopyN(io.Discard, reader, int64(srcConnIDLen))
 	if err != nil {
-		return nil, err
+		return err
 	}
 	tokenLen, err := qtls.ReadUvarint(reader)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	_, err = io.CopyN(io.Discard, reader, int64(tokenLen))
 	if err != nil {
-		return nil, err
+		return err
 	}
 	packetLen, err := qtls.ReadUvarint(reader)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	hdrLen := int(reader.Size()) - reader.Len()
 	if hdrLen+int(packetLen) > len(packet) {
-		return nil, os.ErrInvalid
+		return os.ErrInvalid
 	}
 	_, err = io.CopyN(io.Discard, reader, 4)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	pnBytes := make([]byte, aes.BlockSize)
 	_, err = io.ReadFull(reader, pnBytes)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	var salt []byte
@@ -117,7 +121,7 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
 	hpKey := qtls.HKDFExpandLabel(crypto.SHA256, secret, []byte{}, hkdfHeaderProtectionLabel, 16)
 	block, err := aes.NewCipher(hpKey)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	mask := make([]byte, aes.BlockSize)
 	block.Encrypt(mask, pnBytes)
@@ -129,7 +133,7 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
 	}
 	packetNumberLength := newPacket[0]&0x3 + 1
 	if hdrLen+int(packetNumberLength) > int(packetLen)+hdrLen {
-		return nil, os.ErrInvalid
+		return os.ErrInvalid
 	}
 	var packetNumber uint32
 	switch packetNumberLength {
@@ -142,7 +146,7 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
 	case 4:
 		packetNumber = binary.BigEndian.Uint32(newPacket[hdrLen:])
 	default:
-		return nil, E.New("bad packet number length")
+		return E.New("bad packet number length")
 	}
 	extHdrLen := hdrLen + int(packetNumberLength)
 	copy(newPacket[extHdrLen:hdrLen+4], packet[extHdrLen:])
@@ -166,138 +170,208 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
 	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], uint64(packetNumber))
 	decrypted, err := cipher.Open(newPacket[extHdrLen:extHdrLen], nonce, data, newPacket[:extHdrLen])
 	if err != nil {
-		return nil, err
+		return err
 	}
 	var frameType byte
-	var frameLen uint64
+	var fragments []qCryptoFragment
 	var fragments []struct {
 		offset  uint64
 		length  uint64
 		payload []byte
 	}
 	decryptedReader := bytes.NewReader(decrypted)
 	const (
 		frameTypePadding         = 0x00
 		frameTypePing            = 0x01
 		frameTypeAck             = 0x02
 		frameTypeAck2            = 0x03
 		frameTypeCrypto          = 0x06
 		frameTypeConnectionClose = 0x1c
 	)
 	var frameTypeList []uint8
 	for {
 		frameType, err = decryptedReader.ReadByte()
 		if err == io.EOF {
 			break
 		}
 		frameTypeList = append(frameTypeList, frameType)
 		switch frameType {
-		case 0x00: // PADDING
+		case frameTypePadding:
 			continue
-		case 0x01: // PING
+		case frameTypePing:
 			continue
-		case 0x02, 0x03: // ACK
+		case frameTypeAck, frameTypeAck2:
 			_, err = qtls.ReadUvarint(decryptedReader) // Largest Acknowledged
 			if err != nil {
-				return nil, err
+				return err
 			}
 			_, err = qtls.ReadUvarint(decryptedReader) // ACK Delay
 			if err != nil {
-				return nil, err
+				return err
 			}
 			ackRangeCount, err := qtls.ReadUvarint(decryptedReader) // ACK Range Count
 			if err != nil {
-				return nil, err
+				return err
 			}
 			_, err = qtls.ReadUvarint(decryptedReader) // First ACK Range
 			if err != nil {
-				return nil, err
+				return err
 			}
 			for i := 0; i < int(ackRangeCount); i++ {
 				_, err = qtls.ReadUvarint(decryptedReader) // Gap
 				if err != nil {
-					return nil, err
+					return err
 				}
 				_, err = qtls.ReadUvarint(decryptedReader) // ACK Range Length
 				if err != nil {
-					return nil, err
+					return err
 				}
 			}
 			if frameType == 0x03 {
 				_, err = qtls.ReadUvarint(decryptedReader) // ECT0 Count
 				if err != nil {
-					return nil, err
+					return err
 				}
 				_, err = qtls.ReadUvarint(decryptedReader) // ECT1 Count
 				if err != nil {
-					return nil, err
+					return err
 				}
 				_, err = qtls.ReadUvarint(decryptedReader) // ECN-CE Count
 				if err != nil {
-					return nil, err
+					return err
 				}
 			}
-		case 0x06: // CRYPTO
+		case frameTypeCrypto:
 			var offset uint64
 			offset, err = qtls.ReadUvarint(decryptedReader)
 			if err != nil {
-				return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, err
+				return err
 			}
 			var length uint64
 			length, err = qtls.ReadUvarint(decryptedReader)
 			if err != nil {
-				return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, err
+				return err
 			}
 			index := len(decrypted) - decryptedReader.Len()
-			fragments = append(fragments, struct {
+			fragments = append(fragments, qCryptoFragment{offset, length, decrypted[index : index+int(length)]})
 				offset  uint64
 				length  uint64
 				payload []byte
 			}{offset, length, decrypted[index : index+int(length)]})
 			frameLen += length
 			_, err = decryptedReader.Seek(int64(length), io.SeekCurrent)
 			if err != nil {
-				return nil, err
+				return err
 			}
-		case 0x1c: // CONNECTION_CLOSE
+		case frameTypeConnectionClose:
 			_, err = qtls.ReadUvarint(decryptedReader) // Error Code
 			if err != nil {
-				return nil, err
+				return err
 			}
 			_, err = qtls.ReadUvarint(decryptedReader) // Frame Type
 			if err != nil {
-				return nil, err
+				return err
 			}
 			var length uint64
 			length, err = qtls.ReadUvarint(decryptedReader) // Reason Phrase Length
 			if err != nil {
-				return nil, err
+				return err
 			}
 			_, err = decryptedReader.Seek(int64(length), io.SeekCurrent) // Reason Phrase
 			if err != nil {
-				return nil, err
+				return err
 			}
 		default:
-			return nil, os.ErrInvalid
+			return os.ErrInvalid
 		}
 	}
-	tlsHdr := make([]byte, 5)
+	if metadata.SniffContext != nil {
-	tlsHdr[0] = 0x16
+		fragments = append(fragments, metadata.SniffContext.([]qCryptoFragment)...)
-	binary.BigEndian.PutUint16(tlsHdr[1:], uint16(0x0303))
+		metadata.SniffContext = nil
-	binary.BigEndian.PutUint16(tlsHdr[3:], uint16(frameLen))
+	}
 	var frameLen uint64
 	for _, fragment := range fragments {
 		frameLen += fragment.length
 	}
 	buffer := buf.NewSize(5 + int(frameLen))
 	defer buffer.Release()
 	buffer.WriteByte(0x16)
 	binary.Write(buffer, binary.BigEndian, uint16(0x0303))
 	binary.Write(buffer, binary.BigEndian, uint16(frameLen))
 	var index uint64
 	var length int
 	var readers []io.Reader
 	readers = append(readers, bytes.NewReader(tlsHdr))
 find:
 	for {
 		for _, fragment := range fragments {
 			if fragment.offset == index {
-				readers = append(readers, bytes.NewReader(fragment.payload))
+				buffer.Write(fragment.payload)
 				index = fragment.offset + fragment.length
 				length++
 				continue find
 			}
 		}
-		if length == len(fragments) {
+		break
 			break
 		}
 		return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, E.New("bad fragments")
 	}
 	metadata, err := TLSClientHello(ctx, io.MultiReader(readers...))
 	if err != nil {
 		return &adapter.InboundContext{Protocol: C.ProtocolQUIC}, err
 	}
 	metadata.Protocol = C.ProtocolQUIC
-	return metadata, nil
+	fingerprint, err := ja3.Compute(buffer.Bytes())
 	if err != nil {
 		metadata.Protocol = C.ProtocolQUIC
 		metadata.Client = C.ClientChromium
 		metadata.SniffContext = fragments
 		return ErrClientHelloFragmented
 	}
 	metadata.Domain = fingerprint.ServerName
 	for metadata.Client == "" {
 		if len(frameTypeList) == 1 {
 			metadata.Client = C.ClientFirefox
 			break
 		}
 		if frameTypeList[0] == frameTypeCrypto && isZero(frameTypeList[1:]) {
 			if len(fingerprint.Versions) == 2 && fingerprint.Versions[0]&ja3.GreaseBitmask == 0x0A0A &&
 				len(fingerprint.EllipticCurves) == 5 && fingerprint.EllipticCurves[0]&ja3.GreaseBitmask == 0x0A0A {
 				metadata.Client = C.ClientSafari
 				break
 			}
 			if len(fingerprint.CipherSuites) == 1 && fingerprint.CipherSuites[0] == tls.TLS_AES_256_GCM_SHA384 &&
 				len(fingerprint.EllipticCurves) == 1 && fingerprint.EllipticCurves[0] == uint16(tls.X25519) &&
 				len(fingerprint.SignatureAlgorithms) == 1 && fingerprint.SignatureAlgorithms[0] == uint16(tls.ECDSAWithP256AndSHA256) {
 				metadata.Client = C.ClientSafari
 				break
 			}
 		}
 		if frameTypeList[len(frameTypeList)-1] == frameTypeCrypto && isZero(frameTypeList[:len(frameTypeList)-1]) {
 			metadata.Client = C.ClientQUICGo
 			break
 		}
 		if count(frameTypeList, frameTypeCrypto) > 1 || count(frameTypeList, frameTypePing) > 0 {
 			if maybeUQUIC(fingerprint) {
 				metadata.Client = C.ClientQUICGo
 			} else {
 				metadata.Client = C.ClientChromium
 			}
 			break
 		}
 		metadata.Client = C.ClientUnknown
 		//nolint:staticcheck
 		break
 	}
 	return nil
 }
 func isZero(slices []uint8) bool {
 	for _, slice := range slices {
 		if slice != 0 {
 			return false
 		}
 	}
 	return true
 }
 func count(slices []uint8, value uint8) int {
 	var times int
 	for _, slice := range slices {
 		if slice == value {
 			times++
 		}
 	}
 	return times
 }
 type qCryptoFragment struct {
 	offset  uint64
 	length  uint64
 	payload []byte
 }
--- a/common/sniff/quic_blacklist.go
+++ b/common/sniff/quic_blacklist.go
@@ -0,0 +1,24 @@
 package sniff
 import (
 	"crypto/tls"
 	"github.com/sagernet/sing-box/common/ja3"
 )
 // Chromium sends separate client hello packets, but UQUIC has not yet implemented this behavior
 // The cronet without this behavior does not have version 115
 var uQUICChrome115 = &ja3.ClientHello{
 	Version:             tls.VersionTLS12,
 	CipherSuites:        []uint16{4865, 4866, 4867},
 	Extensions:          []uint16{0, 10, 13, 16, 27, 43, 45, 51, 57, 17513},
 	EllipticCurves:      []uint16{29, 23, 24},
 	SignatureAlgorithms: []uint16{1027, 2052, 1025, 1283, 2053, 1281, 2054, 1537, 513},
 }
 func maybeUQUIC(fingerprint *ja3.ClientHello) bool {
 	if uQUICChrome115.Equals(fingerprint, true) {
 		return true
 	}
 	return false
 }
--- a/common/sniff/quic_test.go
+++ b/common/sniff/quic_test.go
@@ -5,31 +5,69 @@ import (
 	"encoding/hex"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/stretchr/testify/require"
 )
-func TestSniffQUICv1(t *testing.T) {
+func TestSniffQUICChromium(t *testing.T) {
 	t.Parallel()
-	pkt, err := hex.DecodeString("cc0000000108d2dc7bad02241f5003796e71004215a71bfcb05159416c724be418537389acdd9a4047306283dcb4d7a9cad5cc06322042d204da67a8dbaa328ab476bb428b48fd001501863afd203f8d4ef085629d664f1a734a65969a47e4a63d4e01a21f18c1d90db0c027180906dc135f9ae421bb8617314c8d54c175fef3d3383d310d0916ebcbd6eed9329befbbb109d8fd4af1d2cf9d6adce8e6c1260a7f8256e273e326da0aa7cc148d76e7a08489dc9d52ade89c027cbc3491ada46417c2c04e2ca768e9a7dd6aa00c594e48b678927325da796817693499bb727050cb3baf3d3291a397c3a8d868e8ec7b8f7295e347455c9dadbe2252ae917ac793d958c7fb8a3d2cdb34e3891eb4286f18617556ff7216dd60256aa5b1d11ff4753459fc5f9dedf11d483a26a0835dc6cd50e1c1f54f86e8f1e502821183cd874f6447a74e818bf3445c7795acf4559d1c1fac474911d2ead5c8d23e4aa4f67afb66efe305a30a0b5d825679b31ddc186cbea936535795c7e8c378c87b8c5adc065154d15bae8f85ac8fec2da40c3aa623b682a065440831555011d7647cde44446a0fb4cf5892f2c088ae1920643094be72e3c499fe8d265caf939e8ab607a5b9317917d2a32a812e8a0e6a2f84721bbb5984ffd242838f705d13f4cfb249bc6a5c80d58ac2595edf56648ec3fe21d787573c253a79805252d6d81e26d367d4ff29ef66b5fe8992086af7bada8cad10b82a7c0dc406c5b6d0c5ec3c583e767f759ce08cad6c3c8f91e5a8")
+	pkt, err := hex.DecodeString("c30000000108f40d654cc09b27f5000044d08a94548e57e43cc5483f129986187c432d58d46674830442988f869566a6e31e2ae37c9f7acbf61cc81621594fab0b3dfdc1635460b32389563dc8e74006315661cd22694114612973c1c45910621713a48b375854f095e8a77ccf3afa64e972f0f7f7002f50e0b014b1b146ea47c07fb20b73ad5587872b51a0b3fafdf1c4cf4fe6f8b112142392efa25d993abe2f42582be145148bdfe12edcd96c3655b65a4781b093e5594ba8e3ae5320f12e8314fc3ca374128cc43381046c322b964681ed4395c813b28534505118201459665a44b8f0abead877de322e9040631d20b05f15b81fa7ff785d4041aecc37c7e2ccdc5d1532787ce566517e8985fd5c200dbfd1e67bc255efaba94cfc07bb52fea4a90887413b134f2715b5643542aa897c6116486f428d82da64d2a2c1e1bdd40bd592558901a554b003d6966ac5a7b8b9413eddbf6ef21f28386c74981e3ce1d724c341e95494907626659692720c81114ca4acea35a14c402cfa3dc2228446e78dc1b81fa4325cf7e314a9cad6a6bdff33b3351dcba74eb15fae67f1227283aa4cdd64bcadf8f19358333f8549b596f4350297b5c65274565869d497398339947b9d3d064e5b06d39d34b436d8a41c1a3880de10bd26c3b1c5b4e2a49b0d4d07b8d90cd9e92bc611564d19ea8ec33099e92033caf21f5307dbeaa4708b99eb313bff99e2081ac25fd12d6a72e8335e0724f6718fe023cd0ad0d6e6a6309f09c9c391eec2bc08e9c3210a043c08e1759f354c121f6517fff4d6e20711a871e41285d48d930352fddffb92c96ba57df045ce99f8bfdfa8edc0969ce68a51e9fbb4f54b956d9df74a9e4af27ed2b27839bce1cffeca8333c0aaee81a570217442f9029ba8fedb84a2cf4be4d910982d891ea00e816c7fb98e8020e896a9c6fdd9106611da0a99dde18df1b7a8f6327acb1eed9ad93314451e48cb0dfb9571728521ca3db2ac0968159d5622556a55d51a422d11995b650949aaefc5d24c16080446dfc4fbc10353f9f93ce161ab513367bb89ab83988e0630b689e174e27bcfcc31996ee7b0bca909e251b82d69a28fee5a5d662e127508cd19dbbe5097b7d5b62a49203d66764197a527e472e2627e44a93d44177dace9d60e7d0e03305ddf4cfe47cdf2362e14de79ef46a6763ce696cd7854a48d9419a0817507a4713ffd4977b906d4f2b5fb6dbe1bd15bc505d5fea582190bf531a45d5ee026da8918547fd5105f15e5d061c7b0cf80a34990366ed8e91e13c2f0d85e5dad537298808d193cf54b7eaac33f10051f74cb6b75e52f81618c36f03d86aef613ba237a1a793ba1539938a38f62ccaf7bd5f6c5e0ce53cde4012fcf2b758214a0422d2faaa798e86e19d7481b42df2b36a73d287ff28c20cce01ce598771fec16a8f1f00305c06010126013a6c1de9f589b4e79d693717cd88ad1c42a2d99fa96617ba0bc6365b68e21a70ebc447904aa27979e1514433cfd83bfec09f137c747d47582cb63eb28f873fb94cf7a59ff764ddfbb687d79a58bb10f85949269f7f72c611a5e0fbb52adfa298ff060ec2eb7216fd7302ea8fb07798cbb3be25cb53ac8161aac2b5bbcfbcfb01c113d28bd1cb0333fb89ac82a95930f7abded0a2f5a623cc6a1f62bf3f38ef1b81c1e50a634f657dbb6770e4af45879e2fb1e00c742e7b52205c8015b5c0f5b1e40186ff9aa7288ab3e01a51fb87761f9bc6837082af109b39cc9f620")
 	require.NoError(t, err)
-	metadata, err := sniff.QUICClientHello(context.Background(), pkt)
+	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
 	require.Equal(t, metadata.Client, C.ClientChromium)
 	require.ErrorIs(t, err, sniff.ErrClientHelloFragmented)
 	pkt, err = hex.DecodeString("c90000000108f40d654cc09b27f5000044d073eb38807026d4088455e650e7ccf750d01a72f15f9bfc8ff40d223499db1a485cff14dbd45b9be118172834dc35dca3cf62f61a1266f40b92faf3d28d67a466cfdca678ddced15cd606d31959cf441828467857b226d1a241847c82c57312cefe68ba5042d929919bcd4403b39e5699fe87dda05df1b3801e048edee792458e9b1a9b1d4039df05847bcee3be567494b5876e3bd4c3220fe9dfdb2c07d77410f907f744251ef15536cc03b267d3668d5b75bc1ad2fe735cd3bb73519dd9f1625a49e17ad27bdeccf706c83b5ea339a0a05dd0072f4a8f162bd29926b4997f05613c6e4b0270b0c02805ca0543f27c1ff8505a5750bdd33529ee73c491050a10c6903f53c1121dbe0380e84c007c8df74a1b02443ed80ba7766aef5549e618d4fd249844ee28565142005369869299e8c3035ecef3d799f6cada8549e75b4ce4cbf4c85ef071fd7ff067b1ca9b5968dc41d13d011f6d7843823bac97acb1eb8ee45883f0f254b5f9bd4c763b67e2d8c70a7618a0ef0de304cf597a485126e09f8b2fd795b394c0b4bc4cd2634c2057970da2c798c5e8af7aed4f76f5e25d04e3f8c9c5a5b150d17e0d4c74229898c69b8dc7b8bcc9d359eb441de75c68fbdebec62fb669dcccfb1aad03e3fa073adb2ccf7bb14cbaf99e307d2c903ee71a8f028102eb510caee7e7397512086a78d1f95635c7d06845b5a708652dc4e5cd61245aae5b3c05b84815d84d367bce9b9e3f6d6b90701ac3679233c14d5ce2a1eff26469c966266dc6284bdb95c9c6158934c413a872ce22101e4163e3293d236b301592ca4ccacc1fd4c37066e79c2d9857c8a2560dcf0b33b19163c4240c471b19907476e7e25c65f7eb37276594a0f6b4c33c340cc3284178f17ac5e34dbe7509db890e4ddfd0540fbf9deb32a0101d24fe58b26c5f81c627db9d6ae59d7a111a3d5d1f6109f4eec0d0234e6d73c73a44f50999462724b51ce0fd8283535d70d9e83872c79c59897407a0736741011ae5c64862eb0712f9e7b07aa1d5418ca3fde8626257c6fe418f3c5479055bb2b0ab4c25f649923fc2a41c79aaa7d0f3af6d8b8cf06f61f0230d09bbb60bb49b9e49cc5973748a6cf7ffdee7804d424f9423c63e7ff22f4bd24e4867636ef9fe8dd37f59941a8a47c27765caa8e875a30b62834f17c569227e5e6ed15d58e05d36e76332befad065a2cd4079e66d5af189b0337624c89b1560c3b1b0befd5c1f20e6de8e3d664b3ac06b3d154b488983e14aa93266f5f8b621d2a9bb7ccce509eb26e025c9c45f7cccc09ce85b3103af0c93ce9822f82ecb168ca3177829afb2ea0da2c380e7b1728add55a5d42632e2290363d4cbe432b67e13691648e1acfab22cf0d551eee857709b428bb78e27a45aff6eca301c02e4d13cf36cc2494fdd1aef8dede6e18febd79dca4c6964d09b91c25a08f0947c76ab5104de9404459c2edf5f4adb9dfd771be83656f77fbbafb1ad3281717066010be8778952495383c9f2cf0a38527228c662a35171c5981731f1af09bab842fe6c3162ad4152a4221f560eb6f9bea66b294ffbd3643da2fe34096da13c246505452540177a2a0a1a69106e5cfc279a4890fc3be2952f26be245f930e6c2d9e7e26ee960481e72b99594a1185b46b94b6436d00ba6c70ffe135d43907c92c6f1c09fb9453f103730714f5700fa4347f9715c774cb04a7218dacc66d9c2fade18b14e684aa7fc9ebda0a28")
 	require.NoError(t, err)
-	require.Equal(t, metadata.Domain, "cloudflare-quic.com")
+	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Domain, "google.com")
 }
-func TestSniffQUICFragment(t *testing.T) {
+func TestSniffUQUICChrome115(t *testing.T) {
 	t.Parallel()
-	pkt, err := hex.DecodeString("cc00000001082e3d5d1b64040c55000044d0ccea69e773f6631c1d18b04ae9ee75fcfc34ef74fa62533c93534338a86f101a05d70e0697fb483063fa85db1c59ccfbda5c35234931d8524d8aac37eaaad649470a67794cd754b23c98695238b8363452333bc8c4858376b4166e001da2006e35cf98a91e11a56419b2786775284942d0f7163982f7c248867d12dd374957481dbc564013ff785e1916195eef671f725908f761099d992d69231336ba81d9e25fe2fa3a6eff4318a6ccf10176fc841a1b315f7b35c5b292266fc869d76ca533e7d14e86d82db2e22eacd350977e47d2e012d8a5891c5aaf2a0f4c2b2dae897c161e5b68cbb4dee952472bdc1e21504b8f02534ec4366ce3f8bf86efc78e0232778fbd554457567112abdcafcf6d4d8fcf35083c25d9495679614aba21696e338c62b585046cc55ba8c09c844361d889a47c3ea703b4e23545a9ab2c0bb369693a9ddfb5daffa85cf80fdd6ad66738664e5b0a551729b4955cff7255afcb04dee88c2f072c9de7400947a1bd9327ac5d012a33000ada021d4c03d249fb017d6ac9200b2f9436beab8183ddfbe2d8aee31ffb7df9e1cc181c1af80c39a89965d18ed12da8e3ebe2ae1fbe4b348f83ba19e3e3d1c9b22bcf03ab6ad9b30fe180623faa291ebad83bcd71d7b57f2f5e2f3b8e81d24fb70b2f2159239e8f21ffafef2747aba47d97ab4081e603c018b10678cf99cab1fb42156a14486fa435153979d7279fd22cd40af7088bfc7eff41af2f4b3c0c8864d0040d74dff427f7bffdb8c278474ea00311326cf4925471a8cf596cb92119f19e0f789490ba9cb77b98015a987d93e0324cf1a38b55109f00c3e6ddc5180fb107bf468323afec9bb49fd6a86418569789d66cafe3b8253c2aebb3af3782c1c54dd560487d031d28e6a6e23e159581bb1d47efc4da3fe1d169f9ffb0ca9ba61af0a38a92fde5bc5e6ec026e8378a6315a7b95abf1d2da790a391306ce74d0baf8e2ce648ca74c487f2c0a76a28a80cdf5bd34316eb607684fe7e6d9e83824a00e07660d0b90e3cddd61ebf10748263474afa88c300549e64ce2e90560bb1a12dee7e9484f729a8a4ee7c5651adb5194b3b3ae38e501567c7dbf36e7bb37a2c20b74655f47f2d9af18e52e9d4c9c9eee8e63745779b8f0b06f3a09d846ba62eb978ad77c85de1ee2fee3fbb4c2d283c73e1ccba56a4658e48a2665d200f7f9342f8e84c2ba490094a4f94feec89e42d2f654f564c2beb2997bafa1fc2c68ad8e160b63587d49abc31b834878d52acfb05fb73d0e059b206162e3c90b40c4bc08407ffcb3c08431895b691a3fea923f1f3b48db75d3e6b91fd319ffe4d486e0e14bd5c6affc838dee63d9e0b80f169b5e6c02c7321dcb20deb2b8e707b60e345a308d505bbf26a93d8f18b39d62632e9a77cbe48b3b32eb8819d6311a49820d40f5acbf0273c91c36b2269a03e72ee64df3dfb10ddefe73c64ef60870b2b77bd99dea655f5fe791b538a929a14d99f6d69685d72431ea5f0f4b27a044f2f575ab474fcc3857895934de1ca2581798eaef2c17fe5aaf2e6add97fa32997c7026f15c1b1ad0e6043ae506027a7c0242546fdc851cca39a204e56879f2cef838be8ec66e0f2292f8c862e06f810eb9b80c7a467ce6e90155206352c7f82b1173ba3b98d35bb72c259a60db20dd1a43fe6d7aef0265e6eaa5caafd9b64b448ff745a2046acbdb65cf2a5007809808a4828dc99097feedc734c236260c584")
+	pkt, err := hex.DecodeString("cb0000000108181e17c387120abc000044d0705b6a3ef9ee37a8d3949a7d393ed078243c2ee2c3627fad1c3f107c117f4f071131ad61848068fcbbe5c65803c147f7f8ec5e2cd77b77beea23ba779d936dccac540f8396400e3190ea35cc2942af4171a04cb14272491920f90124959f44e80143678c0b52f5d31af319aaa589db2f940f004562724d0af40f737e1bb0002a071e6a1dbc9f52c64f070806a5010abed0298053634d9c9126bd7949ae5087998ade762c0ad06691d99c0875a38c601fc1ee77bfc3b8c11381829f2c9bdd022f4499c43ff1d6aee1a0d296861461dda217d22c568b276016ef3929e59d2f7d7ddf7809920fb7dc805641608949f3f8466ab3d37149aac501f0b107d808f3add4acfc657e4a82e2b88e97a6c74a00c419548760ab3414ba13915c78a1ca79dceee8d59fbe299f20b671ac44823218368b2a026baa55170cf549519ac21dbb6d31d248bd339438a4e663bcdca1fe3ae3f045a5dc19b122e9db9d7af9757076666dda4e9ace1c67def77fa14786f0cab3ebf7a270ea6e2b37838318c95779f80c3b8471948d0046c3614b3a13477c939a39a7855d85d13522a45ae0765739cd5eedef87237e824a929983ace27640c6495dbf5a72fa0b96893dc5d28f3988249a57bdb458d460b4a57043de3da750a76b6e5d2259247ca27cd864ea18f0d09aa62ab6eb7c014fb43179b2a1963d170b756cce83eeaebff78a828d025c811848e16ff862a8080d093478cd2208c8ab0803178325bc0d9d6bb25e62fa50c4ad15cf80916da6578796932036c72e43eb480d1e423ed812ac75a97722f8416529b82ba8ee2219c535012282bb17066bd53e78b87a71abdb7ebdb2a7c2766ff8397962e87d0f85485b64b4ee81cc84f99c47f33f2b0872716441992773f59186e38d32dbf5609a6fda94cb928cd25f5a7a3ab736b5a4236b6d5409ab18892c6a4d3480fc2350abfdf0bab1cedb55bdf0760fdb703e6688f4de596254eed4ed3e67eb03d0717b8e15b31e735214e588c87ae36bc6c310e1894b4c15143e4ccf287b2dbc707a946bf9671ae3c574f9486b2c82eec784bba4cbc76113cbe0f97ac8c13cfa38f2925ab9d06887a612ce48280a91d7e074e6caf898d88e2bbf71360899abf48a03f9a70cf2891199f2d63b116f4871af0ebb4f4906792f66cc21d1609f189138532875c129a68c73e7bcd3b5d8100beac1d8ac4b20d94a59ac8df5a5af58a9acb20413eadf97189f5f19ff889155f0c4d37514ec184eb6903967ff38a41fc087abb0f2cad3761d6e3f95f92a09a72f5c065b16e188088b87460241f27ecdb1bc6ece92c8d36b2d68b58d0fb4d4b3c928c579ade8ae5a995833aadd297c30a37f7bc35440fc97070e1b198e0fac00157452177d16d2803b4239997452b4ad3a951173bdec47a033fd7f8a7942accaa9aaa905b3c5a2175e7c3e07c48bf25331727fd69cd1e64d74d8c9d4a6f8f4491adb7bc911505cb19877083d8f21a12475e313fccf57877ff3556318e81ed9145dd9427f2b65275440893035f417481f721c69215af8ae103530cd0a1d35bf2cb5a27628f8d44d7c6f5ec12ce79d0a8333e0eb48771115d0a191304e46b8db19bbe5c40f1c346dde98e76ff5e21ff38d2c34e60cb07766ed529dd6d2cbacd7fbf1ed8a0e6e40decad0ca5021e91552be87c156d3ae2fffef41c65b14ba6d488f2c3227a1ab11ffce0e2dc47723a69da27a67a7f26e1cb13a7103af9b87a8db8e18ea")
 	require.NoError(t, err)
-	metadata, err := sniff.QUICClientHello(context.Background(), pkt)
+	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.NoError(t, err)
-	require.Equal(t, metadata.Domain, "cloudflare-quic.com")
+	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
 	require.Equal(t, metadata.Client, C.ClientQUICGo)
 	require.Equal(t, metadata.Domain, "www.google.com")
 }
 func TestSniffQUICFirefox(t *testing.T) {
 	t.Parallel()
 	pkt, err := hex.DecodeString("c8000000010867f174d7ebfe1b0803cd9c20004286de068f7963cf1736349ee6ebe0ddcd3e4cd0041a51ced3f7ce9eea1fb595458e74bdb4b792b16449bd8cae71419862c4fcbe766eaec7d1af65cd298e1dd46f8bd94a77ab4ca28c54b8e9773de3f02d7cb2463c9f7dcacfb311f024b0266ec6ab7bfb615b4148333fb4d4ece7c4cd90029ca30c2cbae2216b428499ec873fa125797e71c5a5da85087760ad37ca610020f71b76e82651c47576e20bf33cf676cb2d400b8c09d3c8cb4e21c47d2b21f6b68732bef30c8cefd5c723fc23eb29e6f7f65a5e52aad9055c1fb3d8b1811f0380b38d7e2eee8eb37dd5bd5d4ca4b66540175d916289d88a9df7c161964d713999c5057d27edb298ef5164352568b0d4bac3c15d90456e8fd460e41b81d0ec1b1e94b87d3333cc6908b018e0914ae1f214d73e75398da3d55a0106161d3a75897b4eb66e98c59010fae75f0d367d38be48c3a5c58bc8a30773c3fff50690ac9d487822f85d4f5713d626baa92d36e858dd21259cf814bce0b90d18da88a1ade40113e5a088cdb304a2558879152a8cf15c1839e056378aa41acba6fcb9974dee54bd50b5d4eb2c475654e06c0ec06b7f18f4462c808684843a1071041b9bfb2688324e0120144944416e30e83eedbbbcbc275b1f53762d3db18f0998ce54f0e1c512946b4098f07781d49264fa148f4c8220a3b02e73d7f15554aa370aafeff73cb75c52c494edf90f0261abfdd32a4d670f729de50266162687aa8efe14b8506f313b058b02aaaab5825428f5f4510b8e49451fdcb7b5a4af4b59c831afcb89fb4f64dba78e3b38387e87e9e8cdaa1f3b700a87c7d442388863b8950296e5773b38f308d62f52548c0bbf308e40540747cca5bf99b1345bc0d70b8f0e69a83b85a8d69f795b87f93e2bfccf52b529afea4ff6fd456957000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
 	require.Equal(t, metadata.Client, C.ClientFirefox)
 	require.Equal(t, metadata.Domain, "www.google.com")
 }
 func TestSniffQUICSafari(t *testing.T) {
 	t.Parallel()
 	pkt, err := hex.DecodeString("c70000000108e4e75af2e223198a0000449ef2d83cb4473a62765eba67424cd4a5817315cbf55a9e8daaca360904b0bae60b1629cfeba11e2dfbbf5ea4c588cb134e31af36fd7a409fb0fcc0187e9b56037ac37964ed20a8c1ca19fd6cfd53398324b3d0c71537294f769db208fa998b6811234a4a7eb3b5eceb457ae92e3a2d98f7c110702db8064b5c29fa3298eb1d0529fd445a84a5fd6ff8709be90f8af4f94998d8a8f2953bb05ad08c80668eca784c6aec959114e68e5b827e7c41c79f2277c716a967e7fcc8d1b77442e6cb18329dbedb34b473516b468cba5fc20659e655fbe37f36408289b9a475fcee091bd82828d3be00367e9e5cec9423bb97854abdada1d7562a3777756eb3bddef826ddc1ef46137cb01bb504a54d410d9bcb74cd5f959050c84edf343fa6a49708c228a758ee7adbbadf260b2f1984911489712e2cb364a3d6520badba4b7e539b9c163eeddfd96c0abb0de151e47496bb9750be76ee17ccdb61d35d2c6795174037d6f9d282c3f36c4d9a90b64f3b6ddd0cf4d9ed8e6f7805e25928fa04b087e63ae02761df30720cc01dfc32b64c575c8a66ef82e9a17400ff80cd8609b93ba16d668f4aa734e71c4a5d145f14ee1151bec970214e0ff83fc3e1e85d8694f2975f9155c57c18b7b69bb6a36832a9435f1f4b346a7be188f3a75f9ad2cc6ad0a3d26d6fa7d4c1179bd49bd5989d15ba43ff602890107db96484695086627356750d7b2b3b714ba65d564654e8f60ac10f5b6d3bfb507e8eaa31bab1da2d676195046d165c7f8b32829c9f9b68d97b2af7ac04a1369357e4b65de2b2f24eaf27cc8d95e05db001adebe726f927a94e43e62ce671e6e306e16f05aafcbe6c49080e80286d7939f375023d110a5ad9069364ae928ca480454a9dcddd61bc48b7efeb716a5bd6c7cd39c486ceb20c738af6abf22ba1ddd8b4a3b781fc2f251173409e1aadccbd7514e97106d0ebfc3af6e59445f74cd733a1ba99b10fce3fb4e9f7c88f5e25b567f5ba2b8dabacd375e7faf7634bfa178cbe51aee63032c5126b196ea47b02385fc3062a000fb7e4b4d0d12e74579f8830ede20d10829496032b2cc56743287f9a9b4d5091877a82fea44deb2cffac8a379f78a151d99e28cbc74d732c083bf06d50584e3f18f254e71a48d6ababaf6fff6f425e9be001510dfbe6a32a27792c00ada036b62ddb90c706d7b882c76a7072f5dd11c69a1f49d4ba183cb0b57545419fa27b9b9706098848935ae9c9e8fbe9fac165d1339128b991a73d20e7795e8d6a8c6adfbf20bf13ada43f2aef3ba78c14697910507132623f721387dce60c4707225b84d9782d469a5d9eaa099f35d6a590ef142ddef766495cf3337815ceef5ff2b3ed352637e72b5c23a2a8ff7d7440236a19b981d47f8e519a0431ebfbc0b78d8a36798b4c060c0c6793499f1e2e818862560a5b501c8d02ba1517be1941da2af5b174e0189c62978d878eb0f9c9db3a9221c28fb94645cf6e85ff2eea8c65ba3083a7382b131b83102dd67aa5453ad7375a4eb8c69fc479fbd29dab8924f801d253f2c997120b705c6e5217fb74702e2f1038917dd5fb0eeb7ae1bf7a668fc7d50c034b4cd5a057a8482e6bc9c921297f44e76967265623a167cd9883eb6e64bc77856dc333bd605d7df3bed0e5cecb5a99fe8b62873d58530f")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
 	require.Equal(t, metadata.Client, C.ClientSafari)
 	require.Equal(t, metadata.Domain, "www.google.com")
 }
 func FuzzSniffQUIC(f *testing.F) {
 	f.Fuzz(func(t *testing.T, data []byte) {
-		sniff.QUICClientHello(context.Background(), data)
+		var metadata adapter.InboundContext
 		err := sniff.QUICClientHello(context.Background(), &metadata, data)
 		require.Error(t, err)
 	})
 }
--- a/common/sniff/rdp.go
+++ b/common/sniff/rdp.go
@@ -0,0 +1,90 @@
 package sniff
 import (
 	"context"
 	"encoding/binary"
 	"io"
 	"os"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common/rw"
 )
 func RDP(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
 	var tpktVersion uint8
 	err := binary.Read(reader, binary.BigEndian, &tpktVersion)
 	if err != nil {
 		return err
 	}
 	if tpktVersion != 0x03 {
 		return os.ErrInvalid
 	}
 	var tpktReserved uint8
 	err = binary.Read(reader, binary.BigEndian, &tpktReserved)
 	if err != nil {
 		return err
 	}
 	if tpktReserved != 0x00 {
 		return os.ErrInvalid
 	}
 	var tpktLength uint16
 	err = binary.Read(reader, binary.BigEndian, &tpktLength)
 	if err != nil {
 		return err
 	}
 	if tpktLength != 19 {
 		return os.ErrInvalid
 	}
 	var cotpLength uint8
 	err = binary.Read(reader, binary.BigEndian, &cotpLength)
 	if err != nil {
 		return err
 	}
 	if cotpLength != 14 {
 		return os.ErrInvalid
 	}
 	var cotpTpduType uint8
 	err = binary.Read(reader, binary.BigEndian, &cotpTpduType)
 	if err != nil {
 		return err
 	}
 	if cotpTpduType != 0xE0 {
 		return os.ErrInvalid
 	}
 	err = rw.SkipN(reader, 5)
 	if err != nil {
 		return err
 	}
 	var rdpType uint8
 	err = binary.Read(reader, binary.BigEndian, &rdpType)
 	if err != nil {
 		return err
 	}
 	if rdpType != 0x01 {
 		return os.ErrInvalid
 	}
 	var rdpFlags uint8
 	err = binary.Read(reader, binary.BigEndian, &rdpFlags)
 	if err != nil {
 		return err
 	}
 	var rdpLength uint8
 	err = binary.Read(reader, binary.BigEndian, &rdpLength)
 	if err != nil {
 		return err
 	}
 	if rdpLength != 8 {
 		return os.ErrInvalid
 	}
 	metadata.Protocol = C.ProtocolRDP
 	return nil
 }
--- a/common/sniff/rdp_test.go
+++ b/common/sniff/rdp_test.go
@@ -0,0 +1,25 @@
 package sniff_test
 import (
 	"bytes"
 	"context"
 	"encoding/hex"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/stretchr/testify/require"
 )
 func TestSniffRDP(t *testing.T) {
 	t.Parallel()
 	pkt, err := hex.DecodeString("030000130ee00000000000010008000b000000010008000b000000")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.RDP(context.TODO(), &metadata, bytes.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, C.ProtocolRDP, metadata.Protocol)
 }
--- a/common/sniff/sniff.go
+++ b/common/sniff/sniff.go
@@ -14,49 +14,65 @@ import (
 )
 type (
-	StreamSniffer = func(ctx context.Context, reader io.Reader) (*adapter.InboundContext, error)
+	StreamSniffer = func(ctx context.Context, metadata *adapter.InboundContext, reader io.Reader) error
-	PacketSniffer = func(ctx context.Context, packet []byte) (*adapter.InboundContext, error)
+	PacketSniffer = func(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error
 )
-func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) (*adapter.InboundContext, error) {
+func Skip(metadata *adapter.InboundContext) bool {
 	// skip server first protocols
 	switch metadata.Destination.Port {
 	case 25, 465, 587:
 		// SMTP
 		return true
 	case 143, 993:
 		// IMAP
 		return true
 	case 110, 995:
 		// POP3
 		return true
 	}
 	return false
 }
 func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.Conn, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) error {
 	if timeout == 0 {
 		timeout = C.ReadPayloadTimeout
 	}
 	deadline := time.Now().Add(timeout)
 	var errors []error
-
+	for i := 0; ; i++ {
 	for i := 0; i < 3; i++ {
 		err := conn.SetReadDeadline(deadline)
 		if err != nil {
-			return nil, E.Cause(err, "set read deadline")
+			return E.Cause(err, "set read deadline")
 		}
 		_, err = buffer.ReadOnceFrom(conn)
-		err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
+		_ = conn.SetReadDeadline(time.Time{})
 		if err != nil {
 			if i > 0 {
 				break
 			}
-			return nil, E.Cause(err, "read payload")
+			return E.Cause(err, "read payload")
 		}
 		errors = nil
 		for _, sniffer := range sniffers {
-			metadata, err := sniffer(ctx, bytes.NewReader(buffer.Bytes()))
+			err = sniffer(ctx, metadata, bytes.NewReader(buffer.Bytes()))
-			if metadata != nil {
+			if err == nil {
-				return metadata, nil
+				return nil
 			}
 			errors = append(errors, err)
 		}
 	}
-	return nil, E.Errors(errors...)
+	return E.Errors(errors...)
 }
-func PeekPacket(ctx context.Context, packet []byte, sniffers ...PacketSniffer) (*adapter.InboundContext, error) {
+func PeekPacket(ctx context.Context, metadata *adapter.InboundContext, packet []byte, sniffers ...PacketSniffer) error {
 	var errors []error
 	for _, sniffer := range sniffers {
-		metadata, err := sniffer(ctx, packet)
+		err := sniffer(ctx, metadata, packet)
-		if metadata != nil {
+		if err == nil {
-			return metadata, nil
+			return nil
 		}
 		errors = append(errors, err)
 	}
-	return nil, E.Errors(errors...)
+	return E.Errors(errors...)
 }
--- a/common/sniff/ssh.go
+++ b/common/sniff/ssh.go
@@ -0,0 +1,26 @@
 package sniff
 import (
 	"bufio"
 	"context"
 	"io"
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 )
 func SSH(_ context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
 	scanner := bufio.NewScanner(reader)
 	if !scanner.Scan() {
 		return os.ErrInvalid
 	}
 	fistLine := scanner.Text()
 	if !strings.HasPrefix(fistLine, "SSH-2.0-") {
 		return os.ErrInvalid
 	}
 	metadata.Protocol = C.ProtocolSSH
 	metadata.Client = fistLine[8:]
 	return nil
 }
--- a/common/sniff/ssh_test.go
+++ b/common/sniff/ssh_test.go
@@ -0,0 +1,26 @@
 package sniff_test
 import (
 	"bytes"
 	"context"
 	"encoding/hex"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/stretchr/testify/require"
 )
 func TestSniffSSH(t *testing.T) {
 	t.Parallel()
 	pkt, err := hex.DecodeString("5353482d322e302d64726f70626561720d0a000001a40a1492892570d1223aef61b0d647972c8bd30000009f637572766532353531392d7368613235362c637572766532353531392d736861323536406c69627373682e6f72672c6469666669652d68656c6c6d616e2d67726f757031342d7368613235362c6469666669652d68656c6c6d616e2d67726f757031342d736861312c6b6578677565737332406d6174742e7563632e61736e2e61752c6b65782d7374726963742d732d763030406f70656e7373682e636f6d000000207373682d656432353531392c7273612d736861322d3235362c7373682d7273610000003363686163686132302d706f6c7931333035406f70656e7373682e636f6d2c6165733132382d6374722c6165733235362d6374720000003363686163686132302d706f6c7931333035406f70656e7373682e636f6d2c6165733132382d6374722c6165733235362d63747200000017686d61632d736861312c686d61632d736861322d32353600000017686d61632d736861312c686d61632d736861322d323536000000046e6f6e65000000046e6f6e65000000000000000000000000002aa6ed090585b7d635b6")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.SSH(context.TODO(), &metadata, bytes.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, C.ProtocolSSH, metadata.Protocol)
 	require.Equal(t, "dropbear", metadata.Client)
 }
--- a/common/sniff/stun.go
+++ b/common/sniff/stun.go
@@ -9,16 +9,17 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 )
-func STUNMessage(ctx context.Context, packet []byte) (*adapter.InboundContext, error) {
+func STUNMessage(_ context.Context, metadata *adapter.InboundContext, packet []byte) error {
 	pLen := len(packet)
 	if pLen < 20 {
-		return nil, os.ErrInvalid
+		return os.ErrInvalid
 	}
 	if binary.BigEndian.Uint32(packet[4:8]) != 0x2112A442 {
-		return nil, os.ErrInvalid
+		return os.ErrInvalid
 	}
 	if len(packet) < 20+int(binary.BigEndian.Uint16(packet[2:4])) {
-		return nil, os.ErrInvalid
+		return os.ErrInvalid
 	}
-	return &adapter.InboundContext{Protocol: C.ProtocolSTUN}, nil
+	metadata.Protocol = C.ProtocolSTUN
 	return nil
 }
--- a/common/sniff/stun_test.go
+++ b/common/sniff/stun_test.go
@@ -5,6 +5,7 @@ import (
 	"encoding/hex"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
@@ -15,14 +16,16 @@ func TestSniffSTUN(t *testing.T) {
 	t.Parallel()
 	packet, err := hex.DecodeString("000100002112a44224b1a025d0c180c484341306")
 	require.NoError(t, err)
-	metadata, err := sniff.STUNMessage(context.Background(), packet)
+	var metadata adapter.InboundContext
 	err = sniff.STUNMessage(context.Background(), &metadata, packet)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolSTUN)
 }
 func FuzzSniffSTUN(f *testing.F) {
 	f.Fuzz(func(t *testing.T, data []byte) {
-		if _, err := sniff.STUNMessage(context.Background(), data); err == nil {
+		var metadata adapter.InboundContext
 		if err := sniff.STUNMessage(context.Background(), &metadata, data); err == nil {
 			t.Fail()
 		}
 	})
--- a/common/sniff/tls.go
+++ b/common/sniff/tls.go
@@ -10,7 +10,7 @@ import (
 	"github.com/sagernet/sing/common/bufio"
 )
-func TLSClientHello(ctx context.Context, reader io.Reader) (*adapter.InboundContext, error) {
+func TLSClientHello(ctx context.Context, metadata *adapter.InboundContext, reader io.Reader) error {
 	var clientHello *tls.ClientHelloInfo
 	err := tls.Server(bufio.NewReadOnlyConn(reader), &tls.Config{
 		GetConfigForClient: func(argHello *tls.ClientHelloInfo) (*tls.Config, error) {
@@ -19,7 +19,9 @@ func TLSClientHello(ctx context.Context, reader io.Reader) (*adapter.InboundCont
 		},
 	}).HandshakeContext(ctx)
 	if clientHello != nil {
-		return &adapter.InboundContext{Protocol: C.ProtocolTLS, Domain: clientHello.ServerName}, nil
+		metadata.Protocol = C.ProtocolTLS
 		metadata.Domain = clientHello.ServerName
 		return nil
 	}
-	return nil, err
+	return err
 }
--- a/common/srs/binary.go
+++ b/common/srs/binary.go
@@ -1,6 +1,7 @@
 package srs
 import (
 	"bufio"
 	"compress/zlib"
 	"encoding/binary"
 	"io"
@@ -11,7 +12,7 @@ import (
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/domain"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/rw"
+	"github.com/sagernet/sing/common/varbin"
 	"go4.org/netipx"
 )
@@ -35,17 +36,19 @@ const (
 	ruleItemPackageName
 	ruleItemWIFISSID
 	ruleItemWIFIBSSID
 	ruleItemAdGuardDomain
 	ruleItemProcessPathRegex
 	ruleItemFinal uint8 = 0xFF
 )
-func Read(reader io.Reader, recovery bool) (ruleSet option.PlainRuleSet, err error) {
+func Read(reader io.Reader, recover bool) (ruleSet option.PlainRuleSet, err error) {
 	var magicBytes [3]byte
 	_, err = io.ReadFull(reader, magicBytes[:])
 	if err != nil {
 		return
 	}
 	if magicBytes != MagicBytes {
-		err = E.New("invalid sing-box rule set file")
+		err = E.New("invalid sing-box rule-set file")
 		return
 	}
 	var version uint8
@@ -53,20 +56,21 @@ func Read(reader io.Reader, recovery bool) (ruleSet option.PlainRuleSet, err err
 	if err != nil {
 		return ruleSet, err
 	}
-	if version != 1 {
+	if version > C.RuleSetVersion2 {
 		return ruleSet, E.New("unsupported version: ", version)
 	}
-	zReader, err := zlib.NewReader(reader)
+	compressReader, err := zlib.NewReader(reader)
 	if err != nil {
 		return
 	}
-	length, err := rw.ReadUVariant(zReader)
+	bReader := bufio.NewReader(compressReader)
 	length, err := binary.ReadUvarint(bReader)
 	if err != nil {
 		return
 	}
 	ruleSet.Rules = make([]option.HeadlessRule, length)
 	for i := uint64(0); i < length; i++ {
-		ruleSet.Rules[i], err = readRule(zReader, recovery)
+		ruleSet.Rules[i], err = readRule(bReader, recover)
 		if err != nil {
 			err = E.Cause(err, "read rule[", i, "]")
 			return
@@ -75,33 +79,44 @@ func Read(reader io.Reader, recovery bool) (ruleSet option.PlainRuleSet, err err
 	return
 }
-func Write(writer io.Writer, ruleSet option.PlainRuleSet) error {
+func Write(writer io.Writer, ruleSet option.PlainRuleSet, generateUnstable bool) error {
 	_, err := writer.Write(MagicBytes[:])
 	if err != nil {
 		return err
 	}
-	err = binary.Write(writer, binary.BigEndian, uint8(1))
+	var version uint8
 	if generateUnstable {
 		version = C.RuleSetVersion2
 	} else {
 		version = C.RuleSetVersion1
 	}
 	err = binary.Write(writer, binary.BigEndian, version)
 	if err != nil {
 		return err
 	}
-	zWriter, err := zlib.NewWriterLevel(writer, zlib.BestCompression)
+	compressWriter, err := zlib.NewWriterLevel(writer, zlib.BestCompression)
 	if err != nil {
 		return err
 	}
-	err = rw.WriteUVariant(zWriter, uint64(len(ruleSet.Rules)))
+	bWriter := bufio.NewWriter(compressWriter)
 	_, err = varbin.WriteUvarint(bWriter, uint64(len(ruleSet.Rules)))
 	if err != nil {
 		return err
 	}
 	for _, rule := range ruleSet.Rules {
-		err = writeRule(zWriter, rule)
+		err = writeRule(bWriter, rule, generateUnstable)
 		if err != nil {
 			return err
 		}
 	}
-	return zWriter.Close()
+	err = bWriter.Flush()
 	if err != nil {
 		return err
 	}
 	return compressWriter.Close()
 }
-func readRule(reader io.Reader, recovery bool) (rule option.HeadlessRule, err error) {
+func readRule(reader varbin.Reader, recover bool) (rule option.HeadlessRule, err error) {
 	var ruleType uint8
 	err = binary.Read(reader, binary.BigEndian, &ruleType)
 	if err != nil {
@@ -110,28 +125,28 @@ func readRule(reader io.Reader, recovery bool) (rule option.HeadlessRule, err er
 	switch ruleType {
 	case 0:
 		rule.Type = C.RuleTypeDefault
-		rule.DefaultOptions, err = readDefaultRule(reader, recovery)
+		rule.DefaultOptions, err = readDefaultRule(reader, recover)
 	case 1:
 		rule.Type = C.RuleTypeLogical
-		rule.LogicalOptions, err = readLogicalRule(reader, recovery)
+		rule.LogicalOptions, err = readLogicalRule(reader, recover)
 	default:
 		err = E.New("unknown rule type: ", ruleType)
 	}
 	return
 }
-func writeRule(writer io.Writer, rule option.HeadlessRule) error {
+func writeRule(writer varbin.Writer, rule option.HeadlessRule, generateUnstable bool) error {
 	switch rule.Type {
 	case C.RuleTypeDefault:
-		return writeDefaultRule(writer, rule.DefaultOptions)
+		return writeDefaultRule(writer, rule.DefaultOptions, generateUnstable)
 	case C.RuleTypeLogical:
-		return writeLogicalRule(writer, rule.LogicalOptions)
+		return writeLogicalRule(writer, rule.LogicalOptions, generateUnstable)
 	default:
 		panic("unknown rule type: " + rule.Type)
 	}
 }
-func readDefaultRule(reader io.Reader, recovery bool) (rule option.DefaultHeadlessRule, err error) {
+func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHeadlessRule, err error) {
 	var lastItemType uint8
 	for {
 		var itemType uint8
@@ -158,6 +173,9 @@ func readDefaultRule(reader io.Reader, recovery bool) (rule option.DefaultHeadle
 				return
 			}
 			rule.DomainMatcher = matcher
 			if recover {
 				rule.Domain, rule.DomainSuffix = matcher.Dump()
 			}
 		case ruleItemDomainKeyword:
 			rule.DomainKeyword, err = readRuleItemString(reader)
 		case ruleItemDomainRegex:
@@ -167,7 +185,7 @@ func readDefaultRule(reader io.Reader, recovery bool) (rule option.DefaultHeadle
 			if err != nil {
 				return
 			}
-			if recovery {
+			if recover {
 				rule.SourceIPCIDR = common.Map(rule.SourceIPSet.Prefixes(), netip.Prefix.String)
 			}
 		case ruleItemIPCIDR:
@@ -175,7 +193,7 @@ func readDefaultRule(reader io.Reader, recovery bool) (rule option.DefaultHeadle
 			if err != nil {
 				return
 			}
-			if recovery {
+			if recover {
 				rule.IPCIDR = common.Map(rule.IPSet.Prefixes(), netip.Prefix.String)
 			}
 		case ruleItemSourcePort:
@@ -190,12 +208,25 @@ func readDefaultRule(reader io.Reader, recovery bool) (rule option.DefaultHeadle
 			rule.ProcessName, err = readRuleItemString(reader)
 		case ruleItemProcessPath:
 			rule.ProcessPath, err = readRuleItemString(reader)
 		case ruleItemProcessPathRegex:
 			rule.ProcessPathRegex, err = readRuleItemString(reader)
 		case ruleItemPackageName:
 			rule.PackageName, err = readRuleItemString(reader)
 		case ruleItemWIFISSID:
 			rule.WIFISSID, err = readRuleItemString(reader)
 		case ruleItemWIFIBSSID:
 			rule.WIFIBSSID, err = readRuleItemString(reader)
 		case ruleItemAdGuardDomain:
 			if recover {
 				err = E.New("unable to decompile binary AdGuard rules to rule-set")
 				return
 			}
 			var matcher *domain.AdGuardMatcher
 			matcher, err = domain.ReadAdGuardMatcher(reader)
 			if err != nil {
 				return
 			}
 			rule.AdGuardDomainMatcher = matcher
 		case ruleItemFinal:
 			err = binary.Read(reader, binary.BigEndian, &rule.Invert)
 			return
@@ -209,7 +240,7 @@ func readDefaultRule(reader io.Reader, recovery bool) (rule option.DefaultHeadle
 	}
 }
-func writeDefaultRule(writer io.Writer, rule option.DefaultHeadlessRule) error {
+func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, generateUnstable bool) error {
 	err := binary.Write(writer, binary.BigEndian, uint8(0))
 	if err != nil {
 		return err
@@ -233,7 +264,7 @@ func writeDefaultRule(writer io.Writer, rule option.DefaultHeadlessRule) error {
 		if err != nil {
 			return err
 		}
-		err = domain.NewMatcher(rule.Domain, rule.DomainSuffix).Write(writer)
+		err = domain.NewMatcher(rule.Domain, rule.DomainSuffix, !generateUnstable).Write(writer)
 		if err != nil {
 			return err
 		}
@@ -298,6 +329,12 @@ func writeDefaultRule(writer io.Writer, rule option.DefaultHeadlessRule) error {
 			return err
 		}
 	}
 	if len(rule.ProcessPathRegex) > 0 {
 		err = writeRuleItemString(writer, ruleItemProcessPathRegex, rule.ProcessPathRegex)
 		if err != nil {
 			return err
 		}
 	}
 	if len(rule.PackageName) > 0 {
 		err = writeRuleItemString(writer, ruleItemPackageName, rule.PackageName)
 		if err != nil {
@@ -316,6 +353,16 @@ func writeDefaultRule(writer io.Writer, rule option.DefaultHeadlessRule) error {
 			return err
 		}
 	}
 	if len(rule.AdGuardDomain) > 0 {
 		err = binary.Write(writer, binary.BigEndian, ruleItemAdGuardDomain)
 		if err != nil {
 			return err
 		}
 		err = domain.NewAdGuardMatcher(rule.AdGuardDomain).Write(writer)
 		if err != nil {
 			return err
 		}
 	}
 	err = binary.Write(writer, binary.BigEndian, ruleItemFinal)
 	if err != nil {
 		return err
@@ -327,73 +374,31 @@ func writeDefaultRule(writer io.Writer, rule option.DefaultHeadlessRule) error {
 	return nil
 }
-func readRuleItemString(reader io.Reader) ([]string, error) {
+func readRuleItemString(reader varbin.Reader) ([]string, error) {
-	length, err := rw.ReadUVariant(reader)
+	return varbin.ReadValue[[]string](reader, binary.BigEndian)
 	if err != nil {
 		return nil, err
 	}
 	value := make([]string, length)
 	for i := uint64(0); i < length; i++ {
 		value[i], err = rw.ReadVString(reader)
 		if err != nil {
 			return nil, err
 		}
 	}
 	return value, nil
 }
-func writeRuleItemString(writer io.Writer, itemType uint8, value []string) error {
+func writeRuleItemString(writer varbin.Writer, itemType uint8, value []string) error {
-	err := binary.Write(writer, binary.BigEndian, itemType)
+	err := writer.WriteByte(itemType)
 	if err != nil {
 		return err
 	}
-	err = rw.WriteUVariant(writer, uint64(len(value)))
+	return varbin.Write(writer, binary.BigEndian, value)
 }
 func readRuleItemUint16(reader varbin.Reader) ([]uint16, error) {
 	return varbin.ReadValue[[]uint16](reader, binary.BigEndian)
 }
 func writeRuleItemUint16(writer varbin.Writer, itemType uint8, value []uint16) error {
 	err := writer.WriteByte(itemType)
 	if err != nil {
 		return err
 	}
-	for _, item := range value {
+	return varbin.Write(writer, binary.BigEndian, value)
 		err = rw.WriteVString(writer, item)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
-func readRuleItemUint16(reader io.Reader) ([]uint16, error) {
+func writeRuleItemCIDR(writer varbin.Writer, itemType uint8, value []string) error {
 	length, err := rw.ReadUVariant(reader)
 	if err != nil {
 		return nil, err
 	}
 	value := make([]uint16, length)
 	for i := uint64(0); i < length; i++ {
 		err = binary.Read(reader, binary.BigEndian, &value[i])
 		if err != nil {
 			return nil, err
 		}
 	}
 	return value, nil
 }
 func writeRuleItemUint16(writer io.Writer, itemType uint8, value []uint16) error {
 	err := binary.Write(writer, binary.BigEndian, itemType)
 	if err != nil {
 		return err
 	}
 	err = rw.WriteUVariant(writer, uint64(len(value)))
 	if err != nil {
 		return err
 	}
 	for _, item := range value {
 		err = binary.Write(writer, binary.BigEndian, item)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func writeRuleItemCIDR(writer io.Writer, itemType uint8, value []string) error {
 	var builder netipx.IPSetBuilder
 	for i, prefixString := range value {
 		prefix, err := netip.ParsePrefix(prefixString)
@@ -419,9 +424,8 @@ func writeRuleItemCIDR(writer io.Writer, itemType uint8, value []string) error {
 	return writeIPSet(writer, ipSet)
 }
-func readLogicalRule(reader io.Reader, recovery bool) (logicalRule option.LogicalHeadlessRule, err error) {
+func readLogicalRule(reader varbin.Reader, recovery bool) (logicalRule option.LogicalHeadlessRule, err error) {
-	var mode uint8
+	mode, err := reader.ReadByte()
 	err = binary.Read(reader, binary.BigEndian, &mode)
 	if err != nil {
 		return
 	}
@@ -434,7 +438,7 @@ func readLogicalRule(reader io.Reader, recovery bool) (logicalRule option.Logica
 		err = E.New("unknown logical mode: ", mode)
 		return
 	}
-	length, err := rw.ReadUVariant(reader)
+	length, err := binary.ReadUvarint(reader)
 	if err != nil {
 		return
 	}
@@ -453,7 +457,7 @@ func readLogicalRule(reader io.Reader, recovery bool) (logicalRule option.Logica
 	return
 }
-func writeLogicalRule(writer io.Writer, logicalRule option.LogicalHeadlessRule) error {
+func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRule, generateUnstable bool) error {
 	err := binary.Write(writer, binary.BigEndian, uint8(1))
 	if err != nil {
 		return err
@@ -469,12 +473,12 @@ func writeLogicalRule(writer io.Writer, logicalRule option.LogicalHeadlessRule)
 	if err != nil {
 		return err
 	}
-	err = rw.WriteUVariant(writer, uint64(len(logicalRule.Rules)))
+	_, err = varbin.WriteUvarint(writer, uint64(len(logicalRule.Rules)))
 	if err != nil {
 		return err
 	}
 	for _, rule := range logicalRule.Rules {
-		err = writeRule(writer, rule)
+		err = writeRule(writer, rule, generateUnstable)
 		if err != nil {
 			return err
 		}
--- a/common/srs/ip_set.go
+++ b/common/srs/ip_set.go
@@ -2,11 +2,13 @@ package srs
 import (
 	"encoding/binary"
 	"io"
 	"net/netip"
 	"os"
 	"unsafe"
-	"github.com/sagernet/sing/common/rw"
+	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/varbin"
 	"go4.org/netipx"
 )
@@ -20,94 +22,57 @@ type myIPRange struct {
 	to   netip.Addr
 }
-func readIPSet(reader io.Reader) (*netipx.IPSet, error) {
+type myIPRangeData struct {
-	var version uint8
+	From []byte
-	err := binary.Read(reader, binary.BigEndian, &version)
+	To   []byte
 }
 func readIPSet(reader varbin.Reader) (*netipx.IPSet, error) {
 	version, err := reader.ReadByte()
 	if err != nil {
 		return nil, err
 	}
 	if version != 1 {
 		return nil, os.ErrInvalid
 	}
 	// WTF why using uint64 here
 	var length uint64
 	err = binary.Read(reader, binary.BigEndian, &length)
 	if err != nil {
 		return nil, err
 	}
-	mySet := &myIPSet{
+	ranges := make([]myIPRangeData, length)
-		rr: make([]myIPRange, length),
+	err = varbin.Read(reader, binary.BigEndian, &ranges)
 	if err != nil {
 		return nil, err
 	}
-	for i := uint64(0); i < length; i++ {
+	mySet := &myIPSet{
-		var (
+		rr: make([]myIPRange, len(ranges)),
-			fromLen  uint64
+	}
-			toLen    uint64
+	for i, rangeData := range ranges {
-			fromAddr netip.Addr
+		mySet.rr[i].from = M.AddrFromIP(rangeData.From)
-			toAddr   netip.Addr
+		mySet.rr[i].to = M.AddrFromIP(rangeData.To)
 		)
 		fromLen, err = rw.ReadUVariant(reader)
 		if err != nil {
 			return nil, err
 		}
 		fromBytes := make([]byte, fromLen)
 		_, err = io.ReadFull(reader, fromBytes)
 		if err != nil {
 			return nil, err
 		}
 		err = fromAddr.UnmarshalBinary(fromBytes)
 		if err != nil {
 			return nil, err
 		}
 		toLen, err = rw.ReadUVariant(reader)
 		if err != nil {
 			return nil, err
 		}
 		toBytes := make([]byte, toLen)
 		_, err = io.ReadFull(reader, toBytes)
 		if err != nil {
 			return nil, err
 		}
 		err = toAddr.UnmarshalBinary(toBytes)
 		if err != nil {
 			return nil, err
 		}
 		mySet.rr[i] = myIPRange{fromAddr, toAddr}
 	}
 	return (*netipx.IPSet)(unsafe.Pointer(mySet)), nil
 }
-func writeIPSet(writer io.Writer, set *netipx.IPSet) error {
+func writeIPSet(writer varbin.Writer, set *netipx.IPSet) error {
-	err := binary.Write(writer, binary.BigEndian, uint8(1))
+	err := writer.WriteByte(1)
 	if err != nil {
 		return err
 	}
-	mySet := (*myIPSet)(unsafe.Pointer(set))
+	dataList := common.Map((*myIPSet)(unsafe.Pointer(set)).rr, func(rr myIPRange) myIPRangeData {
-	err = binary.Write(writer, binary.BigEndian, uint64(len(mySet.rr)))
+		return myIPRangeData{
 			From: rr.from.AsSlice(),
 			To:   rr.to.AsSlice(),
 		}
 	})
 	err = binary.Write(writer, binary.BigEndian, uint64(len(dataList)))
 	if err != nil {
 		return err
 	}
-	for _, rr := range mySet.rr {
+	for _, data := range dataList {
-		var (
+		err = varbin.Write(writer, binary.BigEndian, data)
 			fromBinary []byte
 			toBinary   []byte
 		)
 		fromBinary, err = rr.from.MarshalBinary()
 		if err != nil {
 			return err
 		}
 		err = rw.WriteUVariant(writer, uint64(len(fromBinary)))
 		if err != nil {
 			return err
 		}
 		_, err = writer.Write(fromBinary)
 		if err != nil {
 			return err
 		}
 		toBinary, err = rr.to.MarshalBinary()
 		if err != nil {
 			return err
 		}
 		err = rw.WriteUVariant(writer, uint64(len(toBinary)))
 		if err != nil {
 			return err
 		}
 		_, err = writer.Write(toBinary)
 		if err != nil {
 			return err
 		}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	47736b27ba	refactor: Modular inbounds	2024-11-03 20:24:41 +08:00
世界	0b2c7ec35c	refactor: Modular outbounds	2024-11-03 19:56:44 +08:00
世界	e537c56b6b	Implement dns-hijack	2024-11-03 19:47:17 +08:00
世界	b456aff4ac	Implement resolve(server)	2024-11-03 19:47:15 +08:00
世界	4da652ff02	Implement TCP and ICMP rejects	2024-11-03 19:47:11 +08:00
世界	262727ec6c	Crazy sekai overturns the small pond	2024-11-03 19:47:09 +08:00
世界	81dc9e7698	documentation: Bump version	2024-11-02 21:40:38 +08:00
世界	d876077281	Update dependencies	2024-11-02 21:40:28 +08:00
世界	0df81c297b	Update quic-go to v0.48.0	2024-11-02 21:40:28 +08:00
世界	b460484e43	Fix "Fix metadata context"	2024-11-02 21:37:04 +08:00
世界	0e511791e8	platform: Add openURL event	2024-11-02 17:13:13 +08:00
世界	9585c53e9f	release: Add upload dSYMs	2024-10-30 15:35:20 +08:00
世界	d66d5cd457	Add deprecated warnings	2024-10-30 14:01:28 +08:00
世界	8c143feec8	Increase timeouts	2024-10-30 14:01:28 +08:00
世界	419058f466	Update NDK version	2024-10-30 14:01:13 +08:00
世界	1a6047a61b	Fix metadata context	2024-10-30 14:01:13 +08:00
世界	327bb35ddd	Rename HTTP start context	2024-10-30 14:01:13 +08:00
世界	6ed9a06394	Fix rule-set format	2024-10-25 22:12:47 +08:00
世界	b80ec55ba0	Bump version	2024-10-16 21:11:31 +08:00
世界	08718112ae	Retry system forwarder listen	2024-10-16 20:47:26 +08:00
TsingShui	956ee361df	Fix corrected improper use of `reader` and `bReader` Co-authored-by: x_123 <x@a>	2024-10-16 20:45:18 +08:00
世界	e93d0408be	documentation: Fix release notes	2024-10-16 20:45:13 +08:00
世界	137832ff3e	Bump version	2024-10-13 21:17:59 +08:00
世界	3ede29fb6d	documentation: Improve theme	2024-10-13 13:07:18 +08:00
世界	82ab68b542	build: Fix find NDK	2024-10-13 13:07:18 +08:00
renovate[bot]	e55723d84d	[dependencies] Update actions/checkout digest to eef6144	2024-10-13 13:07:18 +08:00
世界	2f4d2d97f9	auto-redirect: Let fw4 take precedence over prerouting	2024-10-13 13:07:18 +08:00
世界	926d6f769e	Update utls to v1.6.7	2024-10-13 13:07:02 +08:00
srk24	846777cd0c	Add `process_path_regex` rule type	2024-10-13 13:07:02 +08:00
世界	06533b7a3b	clash-api: Add PNA support	2024-10-13 13:07:02 +08:00
世界	4a95558c53	Add RDP sniffer	2024-10-13 13:07:02 +08:00
世界	e39a28ed5a	Add SSH sniffer	2024-10-13 13:07:02 +08:00
世界	b2c708a3e6	Write close error to log	2024-10-13 13:07:02 +08:00
世界	a9209bb3e5	Add AdGuard DNS filter support	2024-10-13 13:07:02 +08:00
世界	9dc3bb975a	Improve QUIC sniffer	2024-10-13 13:07:02 +08:00
世界	3a7acaa92a	Add inline rule-set & Add reload for local rule-set	2024-10-13 13:07:02 +08:00
世界	6bebe2483b	Unique rule-set names	2024-10-13 13:07:02 +08:00
世界	93cf134995	Add accept empty DNS rule option	2024-10-13 13:07:02 +08:00
世界	ff7d8c9ba8	Add custom options for TUN `auto-route` and `auto-redirect`	2024-10-13 13:07:02 +08:00
世界	50f07b42f6	Improve base DNS transports & Minor fixes	2024-10-13 13:07:02 +08:00
世界	db3a0c636d	Add auto-redirect & Improve auto-route	2024-10-13 13:07:02 +08:00
世界	fec38f85cd	Add `rule-set decompile` command	2024-10-13 13:07:02 +08:00
世界	dcb0141646	Add IP address support for `rule-set match` match	2024-10-13 13:07:02 +08:00
世界	f4f5a3c925	Improve usages of `json.Unmarshal`	2024-10-13 13:07:02 +08:00
世界	9b8d6c1b73	Bump rule-set version	2024-10-13 13:07:02 +08:00
世界	2f776168de	Implement read deadline for QUIC based UDP inbounds	2024-10-13 13:07:02 +08:00
世界	923d3222b0	WTF is this	2024-10-13 13:07:01 +08:00
世界	bda93d516b	platform: Fix clash server reload on android	2024-10-13 13:06:57 +08:00
世界	7eec3fb57a	platform: Add log update interval	2024-10-13 13:06:57 +08:00
世界	b1d75812c5	platform: Prepare connections list	2024-10-13 13:06:55 +08:00
世界	d44e7d9834	Drop support for go1.18 and go1.19	2024-10-07 04:58:48 +08:00
世界	369bc7cea3	Add DTLS sniffer	2024-10-07 04:58:48 +08:00
iosmanthus	4b7a83da16	Introduce bittorrent related protocol sniffers * Introduce bittorrent related protocol sniffers including, sniffers of 1. BitTorrent Protocol (TCP) 2. uTorrent Transport Protocol (UDP) Signed-off-by: iosmanthus <myosmanthustree@gmail.com> Co-authored-by: 世界 <i@sekai.icu>	2024-10-07 04:58:48 +08:00
世界	0f7154afbd	Update workflow to go1.23	2024-10-07 04:58:47 +08:00
世界	a06d10c3bc	Bump version	2024-10-07 04:34:48 +08:00
世界	63cc6cc76c	Fix Makefile	2024-10-07 04:34:48 +08:00
世界	d55c5b5cab	documentation: Update package status	2024-10-07 04:34:48 +08:00
世界	b624c2dcc7	Fix context used by DNS outbounds	2024-10-07 04:34:48 +08:00
世界	9415444ebd	Fix base path not applied to local rule-sets	2024-10-07 04:34:48 +08:00
世界	95606191d8	Add completions for linux packages	2024-10-07 04:34:48 +08:00
世界	e586d9e9bc	Bump version	2024-09-20 23:37:06 +08:00
世界	8c7eaa4477	Fix docker build	2024-09-20 23:37:06 +08:00
世界	8464c8cb7c	Fix version script	2024-09-20 21:10:15 +08:00
世界	39d7127651	Revert "Fix stream sniffer"	2024-09-20 20:40:02 +08:00
世界	e2077009c4	documentation: Update client status	2024-09-20 20:13:55 +08:00
世界	700a8eb425	Minor fixes	2024-09-20 20:13:14 +08:00
世界	3b0cba0852	Fix wireguard start	2024-09-20 20:12:52 +08:00
世界	f5554dd8b8	Bump version	2024-09-18 07:04:29 +08:00
世界	4d0362d530	Update macOS build workflow	2024-09-17 22:01:05 +08:00
世界	97ccd2ca04	documentation: Add sponsors page	2024-09-17 18:47:33 +08:00
世界	1ed6654ad4	Add mips64 build	2024-09-15 12:12:25 +08:00
世界	5385f75f53	documentation: Update build requirements	2024-09-15 12:10:00 +08:00
世界	ad97d4e11f	Fix disconnected interface selected as default in windows	2024-09-15 11:59:32 +08:00
世界	09d4e91b77	Fix cached conn eats up read deadlines	2024-09-15 11:56:04 +08:00
Monica	3dbdda9555	documentation: Fix dial.zh.md The Chinese documentation incorrectly stated that the default value for the domain_strategy field in the direct outbound module is dns.strategy. The correct value should be inbound.domain_strategy, as specified in the English documentation. This commit corrects the Chinese documentation to align with the accurate behavior described in the English version. Signed-off-by: Monica <1379531829@qq.com>	2024-09-15 11:53:03 +08:00
世界	1f4ed6ff8f	documentation: Update client status	2024-09-13 10:09:08 +08:00
世界	6ddbe19bc0	platform: Update bundle id	2024-09-12 17:55:53 +08:00
世界	d7205ecc60	Fix Makefile	2024-09-12 17:55:53 +08:00
世界	9e243e0ff9	gomobile: Fix go mod version	2024-09-10 23:05:13 +08:00
世界	02bc3e0a0a	Update quic-go to v0.47.0	2024-09-09 14:45:46 +08:00
世界	87be6dc235	Update README	2024-09-09 08:48:35 +08:00
世界	c1c30976dc	Improve docker workflow	2024-09-08 11:11:47 +08:00
世界	9bac18bcd1	wireguard: Fix events chan leak	2024-09-08 10:07:12 +08:00
世界	ceda5cc95d	clash-api: Fix bad redirect	2024-09-08 10:07:07 +08:00
世界	27d6b63e71	Fix stream sniffer	2024-09-08 10:07:07 +08:00
世界	b57abcc73c	tfo: Fix build with go1.23	2024-08-27 11:24:51 +08:00
世界	f1147965dd	documentation: Fix missing zh headline	2024-08-21 18:52:38 +08:00
世界	45f3234c73	documentation: Update package status	2024-08-21 11:39:07 +08:00
Mingye Wang	aae3fded32	documentation: Two updates * Copyedit documentation Close #1378 * remove yum, go full on dnf fixes #2049	2024-08-21 11:32:43 +08:00
世界	090494faf5	Do not close bug and enhancement issues	2024-08-21 08:09:15 +08:00
世界	db5719e22f	Fix no error return when empty DNS cache retrieved	2024-08-20 23:23:48 +08:00
世界	064fb9b873	Fix direct dialer not resolving domain	2024-08-20 21:02:52 +08:00
世界	f6a1e123fc	Make linter happy	2024-08-19 18:42:02 +08:00
世界	3066dfe3b3	Bump version	2024-08-19 10:43:09 +08:00
Liu Bingyan	1128fdd8c7	documentation: Update injectable description	2024-08-19 07:40:31 +08:00
世界	cfd9879b17	documentation: Remove unused	2024-08-19 06:39:33 +08:00
世界	9ceb660c57	documentation: Announce that our apps on Apple platforms are no longer available	2024-08-19 06:39:33 +08:00
世界	7d00d7df28	Update quic-go to v0.46.0	2024-08-19 06:25:15 +08:00
世界	21b1ac26b9	Fix UDP conn stuck on sniff This change only avoids permanent hangs. We need to implement read deadlines for UDP conns in 1.10 for server inbounds.	2024-08-18 11:27:12 +08:00
世界	7fec8d842e	Update golangci-lint configuration	2024-08-18 11:17:01 +08:00
世界	07c678fb85	Fix crash on Android when using process rules	2024-08-18 10:23:28 +08:00
世界	baecfc7778	Update quic-go to v0.45.2	2024-08-18 10:23:17 +08:00
世界	07de36ecdb	Fix tests	2024-08-03 12:46:38 +08:00
世界	2c8a8303cd	dns: Minor fixes	2024-07-27 11:04:57 +08:00
ruokeqx	e5991cae0b	Use `unix.SysctlRaw` for macOS	2024-07-22 12:42:22 +08:00
世界	1349acfd5a	Fix panic caused by possible generation of duplicate keys for `domain_suffix`	2024-07-17 16:02:17 +08:00
世界	98ff897f35	Fix reset outbounds	2024-07-13 17:46:22 +08:00
ayooh	6144c8e340	Fix default end value of the `rangeItem`	2024-07-13 17:45:32 +08:00
HystericalDragon	c8caac9f67	Fix v2rayquic default NextProtos (#1934 )	2024-07-11 23:34:09 +08:00
printfer	81e9eda357	documentation: Fix typo	2024-07-07 16:09:41 +08:00
世界	7cba3da108	shadowsocks: Fix packet process for AEAD multi-user server	2024-07-05 17:09:09 +08:00
世界	82d06b43e7	vless: Fix missing deadline interfaces	2024-07-05 17:08:10 +08:00
世界	a7ac91f573	Move legacy vless implemetation to library	2024-07-03 20:17:32 +08:00
世界	0540a95a43	Fix v2ray-plugin	2024-07-02 14:08:17 +08:00
世界	94707dfcdd	Add name to errors from v2ray HTTP transports	2024-07-02 14:08:17 +08:00
世界	8a17043502	Fix command output for `rule-set match`	2024-06-26 12:26:35 +08:00
世界	b0aaa86806	Minor fixes	2024-06-25 13:14:45 +08:00
世界	8a2d3fbb28	Update quic-go to v0.45.1 & Filter HTTPS ipv4/6hint	2024-06-24 11:07:32 +08:00
renovate[bot]	4652019608	[dependencies] Update docker/build-push-action action to v6	2024-06-24 10:24:13 +08:00
世界	06fa5abf63	Fix non-IP queries accepted by address filter rules	2024-06-24 10:13:16 +08:00
世界	996fbbf0c3	docs: Switch to venv	2024-06-24 10:10:49 +08:00
renovate[bot]	142ff1b455	[dependencies] Update actions/checkout digest to 692973e	2024-06-17 13:05:54 +08:00
世界	74d662f7a3	Fix always create package manager	2024-06-11 21:16:57 +08:00
世界	085f603377	Bump version	2024-06-09 13:20:56 +08:00
世界	460fae83dc	Fix quic-go is caching dialErr since v0.43.0	2024-06-09 13:15:40 +08:00
世界	bb9bd9bff6	Fix package manager start order	2024-06-09 07:21:50 +08:00
世界	c2354ebf25	Bump version	2024-06-08 22:00:46 +08:00
世界	c1f4755c4e	Fix parse UDP DNS server with addr:port address	2024-06-08 22:00:46 +08:00
世界	0ca5909b06	Stop passing device sleep events on Android and Apple platforms	2024-06-08 22:00:46 +08:00
世界	e77a8114c5	Fix rule-set start order	2024-06-08 22:00:46 +08:00
renovate[bot]	f1393235ff	[dependencies] Update actions/checkout digest to a5ac7e5	2024-06-08 22:00:46 +08:00
renovate[bot]	bdba2365de	[dependencies] Update goreleaser/goreleaser-action action to v6	2024-06-08 18:58:22 +08:00
世界	ce0da5b557	Fix typo	2024-06-08 18:58:14 +08:00
世界	3853201412	Bump version	2024-06-07 19:07:46 +08:00
世界	7003ef40a3	Fix wireguard start	2024-06-07 19:07:46 +08:00
世界	59ec92228c	Fix repeatedly no route logs	2024-06-07 15:03:48 +08:00
世界	0eeb2da323	Fix reset HTTP3 DNS transport	2024-06-06 22:28:43 +08:00
世界	977b0fac02	Fix get source address from `X-Forwarded-For`	2024-06-06 22:21:37 +08:00
世界	51964801ff	Fix enforced power listener on windows	2024-06-06 22:20:23 +08:00
世界	e08c052fc9	Fix wireguard client bind	2024-06-06 22:20:21 +08:00
世界	53927d8bbd	Remove logs in router initialize	2024-06-06 22:20:19 +08:00
世界	968b9bc217	Fix crash on *bsd	2024-06-06 22:20:17 +08:00
lgjint	69dc87aa6d	Fix set KDE6 system proxy	2024-06-06 22:20:14 +08:00
Fei1Yang	4193df375f	build: Remove vendor in RPM packages	2024-05-27 19:28:15 +08:00
		`@@ -0,0 +1,3 @@`
							`# JA3`

							`mod from: https://github.com/open-ch/ja3`