Bump version

documentation: Update injectable description
documentation: Remove unused
2026-04-11 17:47:20 +10:00 · 2024-08-19 10:43:09 +08:00 · 2024-08-19 07:40:31 +08:00 · 2024-08-19 06:39:33 +08:00 · 2024-08-19 06:39:33 +08:00 · 2024-08-19 06:25:15 +08:00
64 changed files with 526 additions and 2663 deletions
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -58,7 +58,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -78,7 +78,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -208,7 +208,7 @@ jobs:
      TAGS: with_clash_api,with_quic
    steps:
      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -30,7 +30,7 @@ jobs:
          echo "latest=$latest"
          echo "latest=$latest" >> $GITHUB_OUTPUT
      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          ref: ${{ steps.ref.outputs.ref }}
      - name: Setup Docker Buildx
@@ -49,7 +49,7 @@ jobs:
        with:
          images: ghcr.io/sagernet/sing-box
      - name: Build and release Docker images
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
        with:
          platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
          context: .
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,5 @@
 /*.xcframework/
 .DS_Store
 /config.d/
+/venv/
+
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -6,14 +6,7 @@ linters:
    - gci
    - staticcheck
    - paralleltest
-
-run:
-  skip-dirs:
-    - transport/simple-obfs
-    - transport/clashssr
-    - transport/cloudflaretls
-    - transport/shadowtls/tls
-    - transport/shadowtls/tls_go119
+    - ineffassign

 linters-settings:
  gci:
@@ -23,4 +16,13 @@ linters-settings:
      - prefix(github.com/sagernet/)
      - default
  staticcheck:
-    go: '1.20'
+    checks:
+      - all
+      - -SA1003
+
+run:
+  go: "1.23"
+
+issues:
+  exclude-dirs:
+    - transport/simple-obfs
--- a/8
+++ b/8
@@ -197,13 +197,15 @@ lib_install:
 	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.3

 docs:
-	mkdocs serve
+	venv/bin/mkdocs serve

 publish_docs:
-	mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
+	venv/bin/mkdocs gh-deploy -m "Update" --force --ignore-version --no-history

 docs_install:
-	pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
+	python -m venv venv
+	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
+
 clean:
 	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box
--- a/README.md
+++ b/README.md
@@ -4,10 +4,6 @@ The universal proxy platform.

 [![Packaging status](https://repology.org/badge/vertical-allrepos/sing-box.svg)](https://repology.org/project/sing-box/versions)

-## Documentation
-
-https://sing-box.sagernet.org
-
 ## Support

 https://community.sagernet.org/c/sing-box/
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -93,7 +93,6 @@ type DNSRule interface {

 type RuleSet interface {
 	StartContext(ctx context.Context, startContext RuleSetStartContext) error
-	PostStart() error
 	Metadata() RuleSetMetadata
 	Close() error
 	HeadlessRule
--- a/adapter/v2ray.go
+++ b/adapter/v2ray.go
@@ -22,4 +22,5 @@ type V2RayServerTransportHandler interface {

 type V2RayClientTransport interface {
 	DialContext(ctx context.Context) (net.Conn, error)
+	Close() error
 }
--- a/box.go
+++ b/box.go
@@ -203,7 +203,7 @@ func (s *Box) PreStart() error {
 		defer func() {
 			v := recover()
 			if v != nil {
-				log.Error(E.Cause(err, "origin error"))
+				println(err.Error())
 				debug.PrintStack()
 				panic("panic on early close: " + fmt.Sprint(v))
 			}
@@ -222,9 +222,9 @@ func (s *Box) Start() error {
 		defer func() {
 			v := recover()
 			if v != nil {
-				log.Error(E.Cause(err, "origin error"))
+				println(err.Error())
 				debug.PrintStack()
-				panic("panic on early close: " + fmt.Sprint(v))
+				println("panic on early start: " + fmt.Sprint(v))
 			}
 		}()
 		s.Close()
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/sing-box/cmd_rule_set_match.go
+++ b/cmd/sing-box/cmd_rule_set_match.go
@@ -12,6 +12,7 @@ import (
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/route"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"

 	"github.com/spf13/cobra"
@@ -79,7 +80,7 @@ func ruleSetMatch(sourcePath string, domain string) error {
 		if currentRule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}) {
-			println("match rules.[", i, "]: "+currentRule.String())
+			println(F.ToString("match rules.[", i, "]: ", currentRule))
 		}
 	}
 	return nil
--- a/common/process/searcher_darwin.go
+++ b/common/process/searcher_darwin.go
@@ -60,12 +60,12 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {

 	isIPv4 := ip.Is4()

-	value, err := syscall.Sysctl(spath)
+	value, err := unix.SysctlRaw(spath)
 	if err != nil {
 		return "", err
 	}

-	buf := []byte(value)
+	buf := value

 	// from darwin-xnu/bsd/netinet/in_pcblist.c:get_pcblist_n
 	// size/offset are round up (aligned) to 8 bytes in darwin
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,6 +2,35 @@
 icon: material/alert-decagram
 ---

+!!! failure "Help needed"
+
+    Due to problems with our Apple developer account, sing-box apps on Apple platforms are temporarily unavailable for download or update.
+
+    If your company or organization is willing to help us return to the App Store, please [contact us](mailto:contact@sagernet.org).
+
+### 1.9.4
+
+* Update quic-go to v0.46.0
+* Update Hysteria2 BBR congestion control
+* Filter HTTPS ipv4hint/ipv6hint with domain strategy
+* Fix crash on Android when using process rules
+* Fix non-IP queries accepted by address filter rules
+* Fix UDP server for shadowsocks AEAD multi-user inbounds
+* Fix default next protos for v2ray QUIC transport
+* Fix default end value of port range configuration options
+* Fix reset v2ray transports
+* Fix panic caused by rule-set generation of duplicate keys for `domain_suffix`
+* Fix UDP connnection leak when sniffing
+* Fixes and improvements
+
+### 1.9.3
+
+* Fixes and improvements
+
+### 1.9.2
+
+* Fixes and improvements
+
 ### 1.9.1

 * Fixes and improvements
--- a/docs/clients/apple/index.md
+++ b/docs/clients/apple/index.md
@@ -7,6 +7,13 @@ icon: material/apple
 SFI/SFM/SFT allows users to manage and run local or remote sing-box configuration files, and provides
 platform-specific function implementation, such as TUN transparent proxy implementation.

+!!! failure "Unavailable"
+
+    Due to problems with our Apple developer account, sing-box apps on Apple platforms are temporarily unavailable for download or update.
+
+    If your company or organization is willing to help us return to the App Store, please [contact us](mailto:contact@sagernet.org).
+
+
 ## :material-graph: Requirements

 * iOS 15.0+ / macOS 13.0+ / Apple tvOS 17.0+
--- a/docs/clients/index.md
+++ b/docs/clients/index.md
@@ -3,9 +3,9 @@
 Maintained by Project S to provide a unified experience and platform-specific functionality.

 | Platform                              | Client                                   |
-|---------------------------------------|------------------------------------------|
+| ------------------------------------- | ---------------------------------------- |
 | :material-android: Android            | [sing-box for Android](./android/)       |
-| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
+| :material-apple: iOS/macOS/Apple tvOS | :material-alert: [Unavailable](./apple/) |
 | :material-laptop: Desktop             | Working in progress                      |

 Some third-party projects that claim to use sing-box or use sing-box as a selling point are not listed here. The core
--- a/docs/clients/index.zh.md
+++ b/docs/clients/index.zh.md
@@ -2,11 +2,11 @@

 由 Project S 维护，提供统一的体验与平台特定的功能。

-| 平台                                    | 客户端                                     |
-|---------------------------------------|-----------------------------------------|
-| :material-android: Android            | [sing-box for Android](./android/)       |
-| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
-| :material-laptop: Desktop             | 施工中                                     |
+| 平台                                  | 客户端                              |
+| ------------------------------------- | ----------------------------------- |
+| :material-android: Android            | [sing-box for Android](./android/)  |
+| :material-apple: iOS/macOS/Apple tvOS | :material-alert: [不可用](./apple/) |
+| :material-laptop: Desktop             | 施工中                              |

 此处没有列出一些声称使用或以 sing-box 为卖点的第三方项目。此类项目维护者的动机是获得更多用户，即使它们提供友好的商业
 VPN 客户端功能， 但代码质量很差且包含广告。
--- a/docs/configuration/inbound/index.md
+++ b/docs/configuration/inbound/index.md
@@ -15,24 +15,24 @@

 ### Fields

-| Type          | Format                        | Injectable |
-|---------------|-------------------------------|------------|
-| `direct`      | [Direct](./direct/)           | X          |
-| `mixed`       | [Mixed](./mixed/)             | TCP        |
-| `socks`       | [SOCKS](./socks/)             | TCP        |
-| `http`        | [HTTP](./http/)               | TCP        |
-| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP        |
-| `vmess`       | [VMess](./vmess/)             | TCP        |
-| `trojan`      | [Trojan](./trojan/)           | TCP        |
-| `naive`       | [Naive](./naive/)             | X          |
-| `hysteria`    | [Hysteria](./hysteria/)       | X          |
-| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP        |
-| `tuic`        | [TUIC](./tuic/)               | X          |
-| `hysteria2`   | [Hysteria2](./hysteria2/)     | X          |
-| `vless`       | [VLESS](./vless/)             | TCP        |
-| `tun`         | [Tun](./tun/)                 | X          |
-| `redirect`    | [Redirect](./redirect/)       | X          |
-| `tproxy`      | [TProxy](./tproxy/)           | X          |
+| Type          | Format                        | Injectable       |
+|---------------|-------------------------------|------------------|
+| `direct`      | [Direct](./direct/)           | :material-close: |
+| `mixed`       | [Mixed](./mixed/)             | TCP              |
+| `socks`       | [SOCKS](./socks/)             | TCP              |
+| `http`        | [HTTP](./http/)               | TCP              |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP              |
+| `vmess`       | [VMess](./vmess/)             | TCP              |
+| `trojan`      | [Trojan](./trojan/)           | TCP              |
+| `naive`       | [Naive](./naive/)             | :material-close: |
+| `hysteria`    | [Hysteria](./hysteria/)       | :material-close: |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP              |
+| `tuic`        | [TUIC](./tuic/)               | :material-close: |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | :material-close: |
+| `vless`       | [VLESS](./vless/)             | TCP              |
+| `tun`         | [Tun](./tun/)                 | :material-close: |
+| `redirect`    | [Redirect](./redirect/)       | :material-close: |
+| `tproxy`      | [TProxy](./tproxy/)           | :material-close: |

 #### tag

--- a/docs/configuration/inbound/index.zh.md
+++ b/docs/configuration/inbound/index.zh.md
@@ -15,24 +15,24 @@

 ### 字段

-| 类型            | 格式                           | 注入支持 |
-|---------------|------------------------------|------|
-| `direct`      | [Direct](./direct/)           | X    |
-| `mixed`       | [Mixed](./mixed/)             | TCP  |
-| `socks`       | [SOCKS](./socks/)             | TCP  |
-| `http`        | [HTTP](./http/)               | TCP  |
-| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP  |
-| `vmess`       | [VMess](./vmess/)             | TCP  |
-| `trojan`      | [Trojan](./trojan/)           | TCP  |
-| `naive`       | [Naive](./naive/)             | X    |
-| `hysteria`    | [Hysteria](./hysteria/)       | X    |
-| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP  |
-| `tuic`        | [TUIC](./tuic/)               | X    |
-| `hysteria2`   | [Hysteria2](./hysteria2/)     | X    |
-| `vless`       | [VLESS](./vless/)             | TCP  |
-| `tun`         | [Tun](./tun/)                 | X    |
-| `redirect`    | [Redirect](./redirect/)       | X    |
-| `tproxy`      | [TProxy](./tproxy/)           | X    |
+| 类型            | 格式                            | 注入支持             |
+|---------------|-------------------------------|------------------|
+| `direct`      | [Direct](./direct/)           | :material-close: |
+| `mixed`       | [Mixed](./mixed/)             | TCP              |
+| `socks`       | [SOCKS](./socks/)             | TCP              |
+| `http`        | [HTTP](./http/)               | TCP              |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP              |
+| `vmess`       | [VMess](./vmess/)             | TCP              |
+| `trojan`      | [Trojan](./trojan/)           | TCP              |
+| `naive`       | [Naive](./naive/)             | :material-close: |
+| `hysteria`    | [Hysteria](./hysteria/)       | :material-close: |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP              |
+| `tuic`        | [TUIC](./tuic/)               | :material-close: |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | :material-close: |
+| `vless`       | [VLESS](./vless/)             | TCP              |
+| `tun`         | [Tun](./tun/)                 | :material-close: |
+| `redirect`    | [Redirect](./redirect/)       | :material-close: |
+| `tproxy`      | [TProxy](./tproxy/)           | :material-close: |

 #### tag

--- a/docs/configuration/outbound/block.md
+++ b/docs/configuration/outbound/block.md
@@ -9,6 +9,6 @@
 }
 ```

-### 字段
+### Fields

-No fields.
+No fields.
--- a/docs/index.md
+++ b/docs/index.md
@@ -4,6 +4,12 @@ description: Welcome to the wiki page for the sing-box project.

 # :material-home: Home

+!!! failure "Help needed"
+
+    Due to problems with our Apple developer account, sing-box apps on Apple platforms are temporarily unavailable for download or update.
+
+    If your company or organization is willing to help us return to the App Store, please [contact us](mailto:contact@sagernet.org).
+
 Welcome to the wiki page for the sing-box project.

 The universal proxy platform.
--- a/docs/migration.md
+++ b/docs/migration.md
@@ -4,10 +4,6 @@ icon: material/arrange-bring-forward

 ## 1.9.0

-!!! warning "Unstable"
-
-    This version is still under development, and the following migration guide may be changed in the future.
-
 ### `domain_suffix` behavior update

 For historical reasons, sing-box's `domain_suffix` rule matches literal prefixes instead of the same as other projects.
--- a/docs/migration.zh.md
+++ b/docs/migration.zh.md
@@ -4,10 +4,6 @@ icon: material/arrange-bring-forward

 ## 1.9.0

-!!! warning "不稳定的"
-
-    该版本仍在开发中，迁移指南可能将在未来更改。
-
 ### `domain_suffix` 行为更新

 由于历史原因，sing-box 的 `domain_suffix` 规则匹配字面前缀，而不与其他项目相同。
--- a/docs/support.md
+++ b/docs/support.md
@@ -5,8 +5,7 @@ icon: material/forum
 # Support

 | Channel                       | Link                                        |
-|:------------------------------|:--------------------------------------------|
-| Community                     | https://community.sagernet.org              |
+| :---------------------------- | :------------------------------------------ |
 | GitHub Issues                 | https://github.com/SagerNet/sing-box/issues |
 | Telegram notification channel | https://t.me/yapnc                          |
 | Telegram user group           | https://t.me/yapug                          |
--- a/docs/support.zh.md
+++ b/docs/support.zh.md
@@ -4,11 +4,10 @@ icon: material/forum

 # 支持

-| 通道            | 链接                                          |
-|:--------------|:--------------------------------------------|
-| 社区            | https://community.sagernet.org              |
-| GitHub Issues | https://github.com/SagerNet/sing-box/issues |
+| 通道              | 链接                                        |
+| :---------------- | :------------------------------------------ |
+| GitHub Issues     | https://github.com/SagerNet/sing-box/issues |
 | Telegram 通知频道 | https://t.me/yapnc                          |
-| Telegram 用户组  | https://t.me/yapug                          |
-| 邮件            | contact@sagernet.org                        |
+| Telegram 用户组   | https://t.me/yapug                          |
+| 邮件              | contact@sagernet.org                        |

--- a/experimental/libbox/service_pause.go
+++ b/experimental/libbox/service_pause.go
@@ -16,25 +16,18 @@ func (s *BoxService) Pause() {
 	if s.pauseTimer != nil {
 		s.pauseTimer.Stop()
 	}
-	s.pauseTimer = time.AfterFunc(time.Minute, s.pause)
-}
-
-func (s *BoxService) pause() {
-	s.pauseAccess.Lock()
-	defer s.pauseAccess.Unlock()
-	s.pauseManager.DevicePause()
-	_ = s.instance.Router().ResetNetwork()
-	s.pauseTimer = nil
+	s.pauseTimer = time.AfterFunc(3*time.Second, s.ResetNetwork)
 }

 func (s *BoxService) Wake() {
-	_ = s.instance.Router().ResetNetwork()
 	s.pauseAccess.Lock()
 	defer s.pauseAccess.Unlock()
 	if s.pauseTimer != nil {
 		s.pauseTimer.Stop()
-		s.pauseTimer = nil
-		return
 	}
-	s.pauseManager.DeviceWake()
+	s.pauseTimer = time.AfterFunc(3*time.Minute, s.ResetNetwork)
+}
+
+func (s *BoxService) ResetNetwork() {
+	_ = s.instance.Router().ResetNetwork()
 }
--- a/go.mod
+++ b/go.mod
@@ -24,17 +24,17 @@ require (
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1
 	github.com/sagernet/gomobile v0.1.3
 	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f
-	github.com/sagernet/quic-go v0.43.1-beta.1
+	github.com/sagernet/quic-go v0.46.0-beta.4
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.4.1
-	github.com/sagernet/sing-dns v0.2.0
+	github.com/sagernet/sing v0.4.2
+	github.com/sagernet/sing-dns v0.2.3
 	github.com/sagernet/sing-mux v0.2.0
-	github.com/sagernet/sing-quic v0.2.0-beta.5
-	github.com/sagernet/sing-shadowsocks v0.2.6
+	github.com/sagernet/sing-quic v0.2.2
+	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.1.4
 	github.com/sagernet/sing-tun v0.3.2
-	github.com/sagernet/sing-vmess v0.1.8
+	github.com/sagernet/sing-vmess v0.1.12
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
 	github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6
 	github.com/sagernet/utls v1.5.4
@@ -84,14 +84,14 @@ require (
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
-	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
+	golang.org/x/mod v0.18.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.21.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	lukechampine.com/blake3 v1.2.1 // indirect
+	lukechampine.com/blake3 v1.3.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -101,29 +101,29 @@ github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
 github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba h1:EY5AS7CCtfmARNv2zXUOrsEMPFDGYxaw65JzA2p51Vk=
 github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.43.1-beta.1 h1:alizUjpvWYcz08dBCQsULOd+1xu0o7UtlyYf6SLbRNg=
-github.com/sagernet/quic-go v0.43.1-beta.1/go.mod h1:BkrQYeop7Jx3hN3TW8/76CXcdhYiNPyYEBL/BVJ1ifc=
+github.com/sagernet/quic-go v0.46.0-beta.4 h1:k9f7VSKaM47AY6MPND0Qf1KRN7HwimPg9zdOFTXTiCk=
+github.com/sagernet/quic-go v0.46.0-beta.4/go.mod h1:zJmVdJUNqEDXfubf4KtIOUHHerggjBduiGRLNzJspcM=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.4.1 h1:zVlpE+7k7AFoC2pv6ReqLf0PIHjihL/jsBl5k05PQFk=
-github.com/sagernet/sing v0.4.1/go.mod h1:ieZHA/+Y9YZfXs2I3WtuwgyCZ6GPsIR7HdKb1SdEnls=
-github.com/sagernet/sing-dns v0.2.0 h1:dka3weRX6+CrYO3v+hrTy2z68rCOCZXNBiNXpLZ6JNs=
-github.com/sagernet/sing-dns v0.2.0/go.mod h1:BJpJv6XLnrUbSyIntOT6DG9FW0f4fETmPAHvNjOprLg=
+github.com/sagernet/sing v0.4.2 h1:jzGNJdZVRI0xlAfFugsIQUPvyB9SuWvbJK7zQCXc4QM=
+github.com/sagernet/sing v0.4.2/go.mod h1:ieZHA/+Y9YZfXs2I3WtuwgyCZ6GPsIR7HdKb1SdEnls=
+github.com/sagernet/sing-dns v0.2.3 h1:YzeBUn2tR38F7HtvGEQ0kLRLmZWMEgi/+7wqa4Twb1k=
+github.com/sagernet/sing-dns v0.2.3/go.mod h1:BJpJv6XLnrUbSyIntOT6DG9FW0f4fETmPAHvNjOprLg=
 github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
 github.com/sagernet/sing-mux v0.2.0/go.mod h1:khzr9AOPocLa+g53dBplwNDz4gdsyx/YM3swtAhlkHQ=
-github.com/sagernet/sing-quic v0.2.0-beta.5 h1:ceKFLd1iS5AtM+pScKmcDp5k7R6WgYIe8vl6nB0aVsE=
-github.com/sagernet/sing-quic v0.2.0-beta.5/go.mod h1:lfad61lScAZhAxZ0DHZWvEIcAaT38O6zPTR4vLsHeP0=
-github.com/sagernet/sing-shadowsocks v0.2.6 h1:xr7ylAS/q1cQYS8oxKKajhuQcchd5VJJ4K4UZrrpp0s=
-github.com/sagernet/sing-shadowsocks v0.2.6/go.mod h1:j2YZBIpWIuElPFL/5sJAj470bcn/3QQ5lxZUNKLDNAM=
+github.com/sagernet/sing-quic v0.2.2 h1:Ryp02zMhHh/ZDrG7MdLsmhuBU8+BEpOdJonFQiqIopo=
+github.com/sagernet/sing-quic v0.2.2/go.mod h1:YLV1dUDv8Eyp/8e55O/EvfsrwxOgEDVgDCIoPqmDREE=
+github.com/sagernet/sing-shadowsocks v0.2.7 h1:zaopR1tbHEw5Nk6FAkM05wCslV6ahVegEZaKMv9ipx8=
+github.com/sagernet/sing-shadowsocks v0.2.7/go.mod h1:0rIKJZBR65Qi0zwdKezt4s57y/Tl1ofkaq6NlkzVuyE=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
 github.com/sagernet/sing-tun v0.3.2 h1:z0bLUT/YXH9RrJS9DsIpB0Bb9afl2hVJOmHd0zA3HJY=
 github.com/sagernet/sing-tun v0.3.2/go.mod h1:DxLIyhjWU/HwGYoX0vNGg2c5QgTQIakphU1MuERR5tQ=
-github.com/sagernet/sing-vmess v0.1.8 h1:XVWad1RpTy9b5tPxdm5MCU8cGfrTGdR8qCq6HV2aCNc=
-github.com/sagernet/sing-vmess v0.1.8/go.mod h1:vhx32UNzTDUkNwOyIjcZQohre1CaytquC5mPplId8uA=
+github.com/sagernet/sing-vmess v0.1.12 h1:2gFD8JJb+eTFMoa8FIVMnknEi+vCSfaiTXTfEYAYAPg=
+github.com/sagernet/sing-vmess v0.1.12/go.mod h1:luTSsfyBGAc9VhtCqwjR+dt1QgqBhuYBCONB/POhF8I=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo=
 github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6 h1:z3SJQhVyU63FT26Wn/UByW6b7q8QKB0ZkPqsyqcz2PI=
@@ -165,10 +165,10 @@ golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaE
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
@@ -190,13 +190,13 @@ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9sn
 golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
-golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY=
@@ -214,5 +214,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 howett.net/plist v1.0.1 h1:37GdZ8tP09Q35o9ych3ehygcsL+HqKSwzctveSlarvM=
 howett.net/plist v1.0.1/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
-lukechampine.com/blake3 v1.2.1 h1:YuqqRuaqsGV71BV/nm9xlI0MKUv4QC54jQnBChWbGnI=
-lukechampine.com/blake3 v1.2.1/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
+lukechampine.com/blake3 v1.3.0 h1:sJ3XhFINmHSrYCgl958hscfIa3bw8x4DqMP3u1YvoYE=
+lukechampine.com/blake3 v1.3.0/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
--- a/inbound/tun.go
+++ b/inbound/tun.go
@@ -174,7 +174,7 @@ func (t *Tun) Start() error {
 		forwarderBindInterface = true
 		includeAllNetworks = t.platformInterface.IncludeAllNetworks()
 	}
-	t.tunStack, err = tun.NewStack(t.stack, tun.StackOptions{
+	tunStack, err := tun.NewStack(t.stack, tun.StackOptions{
 		Context:                t.ctx,
 		Tun:                    tunInterface,
 		TunOptions:             t.tunOptions,
@@ -190,8 +190,9 @@ func (t *Tun) Start() error {
 		return err
 	}
 	monitor.Start("initiating tun stack")
-	err = t.tunStack.Start()
+	err = tunStack.Start()
 	monitor.Finish()
+	t.tunStack = tunStack
 	if err != nil {
 		return err
 	}
--- a/inbound/vless.go
+++ b/inbound/vless.go
@@ -13,9 +13,9 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/v2ray"
-	"github.com/sagernet/sing-box/transport/vless"
 	"github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing-vmess/packetaddr"
+	"github.com/sagernet/sing-vmess/vless"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/auth"
 	E "github.com/sagernet/sing/common/exceptions"
--- a/outbound/hysteria.go
+++ b/outbound/hysteria.go
@@ -130,8 +130,8 @@ func (h *Hysteria) NewPacketConnection(ctx context.Context, conn N.PacketConn, m
 	return NewPacketConnection(ctx, h, conn, metadata)
 }

-func (h *Hysteria) InterfaceUpdated() error {
-	return h.client.CloseWithError(E.New("network changed"))
+func (h *Hysteria) InterfaceUpdated() {
+	h.client.CloseWithError(E.New("network changed"))
 }

 func (h *Hysteria) Close() error {
--- a/outbound/hysteria2.go
+++ b/outbound/hysteria2.go
@@ -116,8 +116,8 @@ func (h *Hysteria2) NewPacketConnection(ctx context.Context, conn N.PacketConn,
 	return NewPacketConnection(ctx, h, conn, metadata)
 }

-func (h *Hysteria2) InterfaceUpdated() error {
-	return h.client.CloseWithError(E.New("network changed"))
+func (h *Hysteria2) InterfaceUpdated() {
+	h.client.CloseWithError(E.New("network changed"))
 }

 func (h *Hysteria2) Close() error {
--- a/outbound/trojan.go
+++ b/outbound/trojan.go
@@ -108,6 +108,9 @@ func (h *Trojan) NewPacketConnection(ctx context.Context, conn N.PacketConn, met
 }

 func (h *Trojan) InterfaceUpdated() {
+	if h.transport != nil {
+		h.transport.Close()
+	}
 	if h.multiplexDialer != nil {
 		h.multiplexDialer.Reset()
 	}
--- a/outbound/urltest.go
+++ b/outbound/urltest.go
@@ -385,9 +385,9 @@ func (g *URLTestGroup) urlTest(ctx context.Context, force bool) (map[string]uint
 			continue
 		}
 		b.Go(realTag, func() (any, error) {
-			ctx, cancel := context.WithTimeout(context.Background(), C.TCPTimeout)
+			testCtx, cancel := context.WithTimeout(g.ctx, C.TCPTimeout)
 			defer cancel()
-			t, err := urltest.URLTest(ctx, g.link, p)
+			t, err := urltest.URLTest(testCtx, g.link, p)
 			if err != nil {
 				g.logger.Debug("outbound ", tag, " unavailable: ", err)
 				g.history.DeleteURLTestHistory(realTag)
--- a/outbound/vless.go
+++ b/outbound/vless.go
@@ -12,8 +12,8 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/v2ray"
-	"github.com/sagernet/sing-box/transport/vless"
 	"github.com/sagernet/sing-vmess/packetaddr"
+	"github.com/sagernet/sing-vmess/vless"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -127,6 +127,9 @@ func (h *VLESS) NewPacketConnection(ctx context.Context, conn N.PacketConn, meta
 }

 func (h *VLESS) InterfaceUpdated() {
+	if h.transport != nil {
+		h.transport.Close()
+	}
 	if h.multiplexDialer != nil {
 		h.multiplexDialer.Reset()
 	}
--- a/outbound/vmess.go
+++ b/outbound/vmess.go
@@ -103,6 +103,9 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
 }

 func (h *VMess) InterfaceUpdated() {
+	if h.transport != nil {
+		h.transport.Close()
+	}
 	if h.multiplexDialer != nil {
 		h.multiplexDialer.Reset()
 	}
--- a/route/router.go
+++ b/route/router.go
@@ -131,7 +131,7 @@ func NewRouter(
 		pauseManager:          service.FromContext[pause.Manager](ctx),
 		platformInterface:     platformInterface,
 		needWIFIState:         hasRule(options.Rules, isWIFIRule) || hasDNSRule(dnsOptions.Rules, isWIFIDNSRule),
-		needPackageManager: C.IsAndroid && platformInterface == nil && common.Any(inbounds, func(inbound option.Inbound) bool {
+		needPackageManager: common.Any(inbounds, func(inbound option.Inbound) bool {
 			return len(inbound.TunOptions.IncludePackage) > 0 || len(inbound.TunOptions.ExcludePackage) > 0
 		}),
 	}
@@ -221,7 +221,7 @@ func NewRouter(
 				if serverAddress == "" {
 					serverAddress = server.Address
 				}
-				_, notIpAddress := netip.ParseAddr(serverAddress)
+				notIpAddress := !M.ParseSocksaddr(serverAddress).Addr.IsValid()
 				if server.AddressResolver != "" {
 					if !transportTagMap[server.AddressResolver] {
 						return nil, E.New("parse dns server[", tag, "]: address resolver not found: ", server.AddressResolver)
@@ -231,7 +231,7 @@ func NewRouter(
 					} else {
 						continue
 					}
-				} else if notIpAddress != nil && strings.Contains(server.Address, ".") {
+				} else if notIpAddress && strings.Contains(server.Address, ".") {
 					return nil, E.New("parse dns server[", tag, "]: missing address_resolver")
 				}
 			}
@@ -509,78 +509,6 @@ func (r *Router) Start() error {
 		r.geositeReader = nil
 	}

-	if len(r.ruleSets) > 0 {
-		monitor.Start("initialize rule-set")
-		ruleSetStartContext := NewRuleSetStartContext()
-		var ruleSetStartGroup task.Group
-		for i, ruleSet := range r.ruleSets {
-			ruleSetInPlace := ruleSet
-			ruleSetStartGroup.Append0(func(ctx context.Context) error {
-				err := ruleSetInPlace.StartContext(ctx, ruleSetStartContext)
-				if err != nil {
-					return E.Cause(err, "initialize rule-set[", i, "]")
-				}
-				return nil
-			})
-		}
-		ruleSetStartGroup.Concurrency(5)
-		ruleSetStartGroup.FastFail()
-		err := ruleSetStartGroup.Run(r.ctx)
-		monitor.Finish()
-		if err != nil {
-			return err
-		}
-		ruleSetStartContext.Close()
-	}
-	var (
-		needProcessFromRuleSet   bool
-		needWIFIStateFromRuleSet bool
-	)
-	for _, ruleSet := range r.ruleSets {
-		metadata := ruleSet.Metadata()
-		if metadata.ContainsProcessRule {
-			needProcessFromRuleSet = true
-		}
-		if metadata.ContainsWIFIRule {
-			needWIFIStateFromRuleSet = true
-		}
-	}
-	if needProcessFromRuleSet || r.needFindProcess || r.needPackageManager {
-		if C.IsAndroid && r.platformInterface == nil {
-			monitor.Start("initialize package manager")
-			packageManager, err := tun.NewPackageManager(r)
-			monitor.Finish()
-			if err != nil {
-				return E.Cause(err, "create package manager")
-			}
-			monitor.Start("start package manager")
-			err = packageManager.Start()
-			monitor.Finish()
-			if err != nil {
-				return E.Cause(err, "start package manager")
-			}
-			r.packageManager = packageManager
-		}
-
-		if r.platformInterface != nil {
-			r.processSearcher = r.platformInterface
-		} else {
-			monitor.Start("initialize process searcher")
-			searcher, err := process.NewSearcher(process.Config{
-				Logger:         r.logger,
-				PackageManager: r.packageManager,
-			})
-			monitor.Finish()
-			if err != nil {
-				if err != os.ErrInvalid {
-					r.logger.Warn(E.Cause(err, "create process searcher"))
-				}
-			} else {
-				r.processSearcher = searcher
-			}
-		}
-	}
-
 	if runtime.GOOS == "windows" {
 		powerListener, err := winpowrprof.NewEventListener(r.notifyWindowsPowerEvent)
 		if err == nil {
@@ -599,29 +527,28 @@ func (r *Router) Start() error {
 		}
 	}

-	if (needWIFIStateFromRuleSet || r.needWIFIState) && r.platformInterface != nil {
-		monitor.Start("initialize WIFI state")
-		r.needWIFIState = true
-		r.interfaceMonitor.RegisterCallback(func(_ int) {
-			r.updateWIFIState()
-		})
-		r.updateWIFIState()
-		monitor.Finish()
-	}
-
-	for i, rule := range r.rules {
-		monitor.Start("initialize rule[", i, "]")
-		err := rule.Start()
-		monitor.Finish()
-		if err != nil {
-			return E.Cause(err, "initialize rule[", i, "]")
-		}
-	}
-
 	monitor.Start("initialize DNS client")
 	r.dnsClient.Start()
 	monitor.Finish()

+	if C.IsAndroid && r.platformInterface == nil {
+		monitor.Start("initialize package manager")
+		packageManager, err := tun.NewPackageManager(r)
+		monitor.Finish()
+		if err != nil {
+			return E.Cause(err, "create package manager")
+		}
+		if r.needPackageManager {
+			monitor.Start("start package manager")
+			err = packageManager.Start()
+			monitor.Finish()
+			if err != nil {
+				return E.Cause(err, "start package manager")
+			}
+		}
+		r.packageManager = packageManager
+	}
+
 	for i, rule := range r.dnsRules {
 		monitor.Start("initialize DNS rule[", i, "]")
 		err := rule.Start()
@@ -726,12 +653,87 @@ func (r *Router) Close() error {
 }

 func (r *Router) PostStart() error {
+	monitor := taskmonitor.New(r.logger, C.StopTimeout)
 	if len(r.ruleSets) > 0 {
+		monitor.Start("initialize rule-set")
+		ruleSetStartContext := NewRuleSetStartContext()
+		var ruleSetStartGroup task.Group
 		for i, ruleSet := range r.ruleSets {
-			err := ruleSet.PostStart()
+			ruleSetInPlace := ruleSet
+			ruleSetStartGroup.Append0(func(ctx context.Context) error {
+				err := ruleSetInPlace.StartContext(ctx, ruleSetStartContext)
+				if err != nil {
+					return E.Cause(err, "initialize rule-set[", i, "]")
+				}
+				return nil
+			})
+		}
+		ruleSetStartGroup.Concurrency(5)
+		ruleSetStartGroup.FastFail()
+		err := ruleSetStartGroup.Run(r.ctx)
+		monitor.Finish()
+		if err != nil {
+			return err
+		}
+		ruleSetStartContext.Close()
+	}
+	needFindProcess := r.needFindProcess
+	needWIFIState := r.needWIFIState
+	for _, ruleSet := range r.ruleSets {
+		metadata := ruleSet.Metadata()
+		if metadata.ContainsProcessRule {
+			needFindProcess = true
+		}
+		if metadata.ContainsWIFIRule {
+			needWIFIState = true
+		}
+	}
+	if C.IsAndroid && r.platformInterface == nil && !r.needPackageManager {
+		if needFindProcess {
+			monitor.Start("start package manager")
+			err := r.packageManager.Start()
+			monitor.Finish()
 			if err != nil {
-				return E.Cause(err, "post start rule-set[", i, "]")
+				return E.Cause(err, "start package manager")
 			}
+		} else {
+			r.packageManager = nil
+		}
+	}
+	if needFindProcess {
+		if r.platformInterface != nil {
+			r.processSearcher = r.platformInterface
+		} else {
+			monitor.Start("initialize process searcher")
+			searcher, err := process.NewSearcher(process.Config{
+				Logger:         r.logger,
+				PackageManager: r.packageManager,
+			})
+			monitor.Finish()
+			if err != nil {
+				if err != os.ErrInvalid {
+					r.logger.Warn(E.Cause(err, "create process searcher"))
+				}
+			} else {
+				r.processSearcher = searcher
+			}
+		}
+	}
+	if needWIFIState && r.platformInterface != nil {
+		monitor.Start("initialize WIFI state")
+		r.needWIFIState = true
+		r.interfaceMonitor.RegisterCallback(func(_ int) {
+			r.updateWIFIState()
+		})
+		r.updateWIFIState()
+		monitor.Finish()
+	}
+	for i, rule := range r.rules {
+		monitor.Start("initialize rule[", i, "]")
+		err := rule.Start()
+		monitor.Finish()
+		if err != nil {
+			return E.Cause(err, "initialize rule[", i, "]")
 		}
 	}
 	r.started = true
@@ -949,34 +951,57 @@ func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, m
 	}*/

 	if metadata.InboundOptions.SniffEnabled || metadata.Destination.Addr.IsUnspecified() {
-		buffer := buf.NewPacket()
-		destination, err := conn.ReadPacket(buffer)
+		var (
+			buffer      = buf.NewPacket()
+			destination M.Socksaddr
+			done        = make(chan struct{})
+			err         error
+		)
+		go func() {
+			sniffTimeout := C.ReadPayloadTimeout
+			if metadata.InboundOptions.SniffTimeout > 0 {
+				sniffTimeout = time.Duration(metadata.InboundOptions.SniffTimeout)
+			}
+			conn.SetReadDeadline(time.Now().Add(sniffTimeout))
+			destination, err = conn.ReadPacket(buffer)
+			conn.SetReadDeadline(time.Time{})
+			close(done)
+		}()
+		select {
+		case <-done:
+		case <-ctx.Done():
+			conn.Close()
+			return ctx.Err()
+		}
 		if err != nil {
 			buffer.Release()
-			return err
-		}
-		if metadata.Destination.Addr.IsUnspecified() {
-			metadata.Destination = destination
-		}
-		if metadata.InboundOptions.SniffEnabled {
-			sniffMetadata, _ := sniff.PeekPacket(ctx, buffer.Bytes(), sniff.DomainNameQuery, sniff.QUICClientHello, sniff.STUNMessage)
-			if sniffMetadata != nil {
-				metadata.Protocol = sniffMetadata.Protocol
-				metadata.Domain = sniffMetadata.Domain
-				if metadata.InboundOptions.SniffOverrideDestination && M.IsDomainName(metadata.Domain) {
-					metadata.Destination = M.Socksaddr{
-						Fqdn: metadata.Domain,
-						Port: metadata.Destination.Port,
+			if !errors.Is(err, os.ErrDeadlineExceeded) {
+				return err
+			}
+		} else {
+			if metadata.Destination.Addr.IsUnspecified() {
+				metadata.Destination = destination
+			}
+			if metadata.InboundOptions.SniffEnabled {
+				sniffMetadata, _ := sniff.PeekPacket(ctx, buffer.Bytes(), sniff.DomainNameQuery, sniff.QUICClientHello, sniff.STUNMessage)
+				if sniffMetadata != nil {
+					metadata.Protocol = sniffMetadata.Protocol
+					metadata.Domain = sniffMetadata.Domain
+					if metadata.InboundOptions.SniffOverrideDestination && M.IsDomainName(metadata.Domain) {
+						metadata.Destination = M.Socksaddr{
+							Fqdn: metadata.Domain,
+							Port: metadata.Destination.Port,
+						}
+					}
+					if metadata.Domain != "" {
+						r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol, ", domain: ", metadata.Domain)
+					} else {
+						r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol)
 					}
 				}
-				if metadata.Domain != "" {
-					r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol, ", domain: ", metadata.Domain)
-				} else {
-					r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol)
-				}
 			}
+			conn = bufio.NewCachedPacketConn(conn, buffer, destination)
 		}
-		conn = bufio.NewCachedPacketConn(conn, buffer, destination)
 	}
 	if r.dnsReverseMapping != nil && metadata.Domain == "" {
 		domain, loaded := r.dnsReverseMapping.Query(metadata.Destination.Addr)
--- a/route/router_dns.go
+++ b/route/router_dns.go
@@ -37,7 +37,7 @@ func (m *DNSReverseMapping) Query(address netip.Addr) (string, bool) {
 	return domain, loaded
 }

-func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, index int) (context.Context, dns.Transport, dns.DomainStrategy, adapter.DNSRule, int) {
+func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, index int, isAddressQuery bool) (context.Context, dns.Transport, dns.DomainStrategy, adapter.DNSRule, int) {
 	metadata := adapter.ContextFrom(ctx)
 	if metadata == nil {
 		panic("no context")
@@ -48,6 +48,9 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, index int) (con
 			dnsRules = dnsRules[index+1:]
 		}
 		for currentRuleIndex, rule := range dnsRules {
+			if rule.WithAddressLimit() && !isAddressQuery {
+				continue
+			}
 			metadata.ResetRuleCache()
 			if rule.Match(metadata) {
 				detour := rule.Outbound()
@@ -126,9 +129,9 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, er
 				addressLimit bool
 			)

-			dnsCtx, transport, strategy, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex)
+			dnsCtx, transport, strategy, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message))
 			dnsCtx, cancel = context.WithTimeout(dnsCtx, C.DNSTimeout)
-			if rule != nil && rule.WithAddressLimit() && isAddressQuery(message) {
+			if rule != nil && rule.WithAddressLimit() {
 				addressLimit = true
 				response, err = r.dnsClient.ExchangeWithResponseCheck(dnsCtx, transport, message, strategy, func(response *mDNS.Msg) bool {
 					metadata.DestinationAddresses, _ = dns.MessageToAddresses(response)
@@ -205,7 +208,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, strategy dns.DomainS
 		)
 		metadata.ResetRuleCache()
 		metadata.DestinationAddresses = nil
-		dnsCtx, transport, transportStrategy, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex)
+		dnsCtx, transport, transportStrategy, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex, true)
 		if strategy == dns.DomainStrategyAsIS {
 			strategy = transportStrategy
 		}
@@ -256,7 +259,7 @@ func (r *Router) ClearDNSCache() {

 func isAddressQuery(message *mDNS.Msg) bool {
 	for _, question := range message.Question {
-		if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
+		if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA || question.Qtype == mDNS.TypeHTTPS {
 			return true
 		}
 	}
--- a/route/rule_item_port_range.go
+++ b/route/rule_item_port_range.go
@@ -39,7 +39,7 @@ func NewPortRangeItem(isSource bool, rangeList []string) (*PortRangeItem, error)
 			}
 		}
 		if subIndex == len(portRange)-1 {
-			end = 0xFF
+			end = 0xFFFF
 		} else {
 			end, err = strconv.ParseUint(portRange[subIndex+1:], 10, 16)
 			if err != nil {
--- a/route/rule_set_local.go
+++ b/route/rule_set_local.go
@@ -78,10 +78,6 @@ func (s *LocalRuleSet) StartContext(ctx context.Context, startContext adapter.Ru
 	return nil
 }

-func (s *LocalRuleSet) PostStart() error {
-	return nil
-}
-
 func (s *LocalRuleSet) Metadata() adapter.RuleSetMetadata {
 	return s.metadata
 }
--- a/route/rule_set_remote.go
+++ b/route/rule_set_remote.go
@@ -112,16 +112,6 @@ func (s *RemoteRuleSet) StartContext(ctx context.Context, startContext adapter.R
 	return nil
 }

-func (s *RemoteRuleSet) PostStart() error {
-	if s.lastUpdated.IsZero() {
-		err := s.fetchOnce(s.ctx, nil)
-		if err != nil {
-			s.logger.Error("fetch rule-set ", s.options.Tag, ": ", err)
-		}
-	}
-	return nil
-}
-
 func (s *RemoteRuleSet) Metadata() adapter.RuleSetMetadata {
 	return s.metadata
 }
--- a/test/box_test.go
+++ b/test/box_test.go
@@ -113,7 +113,7 @@ func testSuitLargeUDP(t *testing.T, clientPort uint16, testPort uint16) {
 	require.NoError(t, testPingPongWithPacketConn(t, testPort, dialUDP))
 	require.NoError(t, testLargeDataWithConn(t, testPort, dialTCP))
 	require.NoError(t, testLargeDataWithPacketConn(t, testPort, dialUDP))
-	require.NoError(t, testLargeDataWithPacketConnSize(t, testPort, 5000, dialUDP))
+	require.NoError(t, testLargeDataWithPacketConnSize(t, testPort, 4096, dialUDP))
 }

 func testTCP(t *testing.T, clientPort uint16, testPort uint16) {
--- a/test/go.mod
+++ b/test/go.mod
@@ -9,26 +9,25 @@ replace github.com/sagernet/sing-box => ../
 require (
 	github.com/docker/docker v24.0.7+incompatible
 	github.com/docker/go-connections v0.4.0
-	github.com/gofrs/uuid/v5 v5.0.0
-	github.com/sagernet/quic-go v0.40.0
-	github.com/sagernet/sing v0.2.20-0.20231212123824-8836b6754226
-	github.com/sagernet/sing-dns v0.1.11
-	github.com/sagernet/sing-quic v0.1.6-0.20231207143711-eb3cbf9ed054
-	github.com/sagernet/sing-shadowsocks v0.2.6
-	github.com/sagernet/sing-shadowsocks2 v0.1.6-0.20231207143709-50439739601a
+	github.com/gofrs/uuid/v5 v5.2.0
+	github.com/sagernet/quic-go v0.45.1-beta.2
+	github.com/sagernet/sing v0.4.2
+	github.com/sagernet/sing-dns v0.2.3
+	github.com/sagernet/sing-quic v0.2.0-beta.12
+	github.com/sagernet/sing-shadowsocks v0.2.7
+	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/spyzhov/ajson v0.9.0
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.9.0
 	go.uber.org/goleak v1.3.0
-	golang.org/x/net v0.19.0
+	golang.org/x/net v0.25.0
 )

 require (
 	berty.tech/go-libtor v1.0.385 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.6 // indirect
 	github.com/caddyserver/certmagic v0.20.0 // indirect
-	github.com/cloudflare/circl v1.3.6 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/cretz/bine v0.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/distribution/reference v0.5.0 // indirect
@@ -36,28 +35,23 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/gaukas/godicttls v0.0.4 // indirect
-	github.com/go-chi/chi/v5 v5.0.10 // indirect
-	github.com/go-chi/cors v1.2.1 // indirect
-	github.com/go-chi/render v1.0.3 // indirect
+	github.com/go-chi/chi/v5 v5.0.12 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
-	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 // indirect
-	github.com/josharian/native v1.1.0 // indirect
 	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/libdns/alidns v1.0.3 // indirect
-	github.com/libdns/cloudflare v0.1.0 // indirect
-	github.com/libdns/libdns v0.2.1 // indirect
+	github.com/libdns/cloudflare v0.1.1 // indirect
+	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/logrusorgru/aurora v2.0.3+incompatible // indirect
 	github.com/mholt/acmez v1.2.0 // indirect
-	github.com/miekg/dns v1.1.57 // indirect
+	github.com/miekg/dns v1.1.59 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.7 // indirect
@@ -65,43 +59,41 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/oschwald/maxminddb-golang v1.12.0 // indirect
-	github.com/pierrec/lz4/v4 v4.1.14 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a // indirect
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1 // indirect
-	github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e // indirect
-	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
+	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f // indirect
+	github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba // indirect
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 // indirect
-	github.com/sagernet/sing-mux v0.1.6-0.20231208180947-9053c29513a2 // indirect
+	github.com/sagernet/sing-mux v0.2.0 // indirect
 	github.com/sagernet/sing-shadowtls v0.1.4 // indirect
-	github.com/sagernet/sing-tun v0.1.24-0.20231212060935-6a1419aeae11 // indirect
-	github.com/sagernet/sing-vmess v0.1.8 // indirect
+	github.com/sagernet/sing-tun v0.3.2 // indirect
+	github.com/sagernet/sing-vmess v0.1.12 // indirect
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 // indirect
 	github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6 // indirect
 	github.com/sagernet/utls v1.5.4 // indirect
-	github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e // indirect
+	github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8 // indirect
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 // indirect
-	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 // indirect
-	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.26.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
-	golang.org/x/crypto v0.16.0 // indirect
-	golang.org/x/exp v0.0.0-20231127185646-65229373498e // indirect
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/crypto v0.23.0 // indirect
+	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.16.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
-	google.golang.org/grpc v1.59.0 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
+	google.golang.org/grpc v1.63.2 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.1 // indirect
-	lukechampine.com/blake3 v1.2.1 // indirect
+	lukechampine.com/blake3 v1.3.0 // indirect
 )
--- a/test/go.sum
+++ b/test/go.sum
@@ -3,14 +3,12 @@ berty.tech/go-libtor v1.0.385/go.mod h1:9swOOQVb+kmvuAlsgWUK/4c52pm69AdbJsxLzk+f
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
-github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI=
 github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/caddyserver/certmagic v0.20.0 h1:bTw7LcEZAh9ucYCRXyCpIrSAGplplI0vGYJ4BpCQ/Fc=
 github.com/caddyserver/certmagic v0.20.0/go.mod h1:N4sXgpICQUskEWpj7zVzvWD41p3NYacrNoZYiRM2jTg=
-github.com/cloudflare/circl v1.3.6 h1:/xbKIqSHbZXHwkhbrhrt2YOHIwYJlXH94E3tI/gDlUg=
-github.com/cloudflare/circl v1.3.6/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
+github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cretz/bine v0.1.0/go.mod h1:6PF6fWAvYtwjRGkAuDEJeWNOv3a2hUouSP/yRYXmvHw=
 github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
@@ -31,12 +29,8 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/gaukas/godicttls v0.0.4 h1:NlRaXb3J6hAnTmWdsEKb9bcSBD6BvcIjdGdeb0zfXbk=
 github.com/gaukas/godicttls v0.0.4/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI=
-github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
-github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
-github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
-github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
-github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
-github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
+github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s=
+github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
@@ -46,26 +40,18 @@ github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/gofrs/uuid/v5 v5.0.0 h1:p544++a97kEL+svbcFbCQVM9KFu0Yo25UoISXGNNH9M=
-github.com/gofrs/uuid/v5 v5.0.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/gofrs/uuid/v5 v5.2.0 h1:qw1GMx6/y8vhVsx626ImfKMuS5CvJmhIKKtuyvfajMM=
+github.com/gofrs/uuid/v5 v5.2.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a h1:fEBsGL/sjAuJrgah5XqmmYsTLzJp/TO9Lhy39gkverk=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
-github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
-github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
-github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
@@ -76,17 +62,17 @@ github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZY
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/libdns/alidns v1.0.3 h1:LFHuGnbseq5+HCeGa1aW8awyX/4M2psB9962fdD2+yQ=
 github.com/libdns/alidns v1.0.3/go.mod h1:e18uAG6GanfRhcJj6/tps2rCMzQJaYVcGKT+ELjdjGE=
-github.com/libdns/cloudflare v0.1.0 h1:93WkJaGaiXCe353LHEP36kAWCUw0YjFqwhkBkU2/iic=
-github.com/libdns/cloudflare v0.1.0/go.mod h1:a44IP6J1YH6nvcNl1PverfJviADgXUnsozR3a7vBKN8=
+github.com/libdns/cloudflare v0.1.1 h1:FVPfWwP8zZCqj268LZjmkDleXlHPlFU9KC4OJ3yn054=
+github.com/libdns/cloudflare v0.1.1/go.mod h1:9VK91idpOjg6v7/WbjkEW49bSCxj00ALesIFDhJ8PBU=
 github.com/libdns/libdns v0.2.0/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
-github.com/libdns/libdns v0.2.1 h1:Wu59T7wSHRgtA0cfxC+n1c/e+O3upJGWytknkmFEDis=
-github.com/libdns/libdns v0.2.1/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
+github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
+github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
 github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
-github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
-github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
+github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
+github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
@@ -103,8 +89,6 @@ github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrB
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/oschwald/maxminddb-golang v1.12.0 h1:9FnTOD0YOhP7DGxGsq4glzpGy5+w7pq50AS6wALUMYs=
 github.com/oschwald/maxminddb-golang v1.12.0/go.mod h1:q0Nob5lTCqyQ8WT6FYgS1L7PXKVVbgiymefNwIjPzgY=
-github.com/pierrec/lz4/v4 v4.1.14 h1:+fL8AQEZtz/ijeNnpduH0bROTu0O3NZAlPjQxGn8LwE=
-github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -117,55 +101,51 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1 h1:YbmpqPQEMdlk9oFSKYWRqVuu9qzNiOayIonKmv1gCXY=
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1/go.mod h1:J2yAxTFPDjrDPhuAi9aWFz2L3ox9it4qAluBBbN0H5k=
-github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e h1:DOkjByVeAR56dkszjnMZke4wr7yM/1xHaJF3G9olkEE=
-github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e/go.mod h1:fLxq/gtp0qzkaEwywlRRiGmjOK5ES/xUzyIKIFP2Asw=
-github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
-github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.40.0 h1:DvQNPb72lzvNQDe9tcUyHTw8eRv6PLtM2mNYmdlzUMo=
-github.com/sagernet/quic-go v0.40.0/go.mod h1:VqtdhlbkeeG5Okhb3eDMb/9o0EoglReHunNT9ukrJAI=
+github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y/6ZHJWrnNLoiNnSJaow6DPb8VW2I=
+github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
+github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba h1:EY5AS7CCtfmARNv2zXUOrsEMPFDGYxaw65JzA2p51Vk=
+github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
+github.com/sagernet/quic-go v0.45.1-beta.2 h1:zkEeCbhdFFkrxKcuIRBtXNKci/1t2J/39QSG/sPvlmc=
+github.com/sagernet/quic-go v0.45.1-beta.2/go.mod h1:+N3FqM9DAzOWfe64uxXuBejVJwX7DeW7BslzLO6N/xI=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.2.20-0.20231212123824-8836b6754226 h1:rcII71ho6F/7Nyx7n2kESLcnvNMdcU4i8ZUGF2Fi7yA=
-github.com/sagernet/sing v0.2.20-0.20231212123824-8836b6754226/go.mod h1:Ce5LNojQOgOiWhiD8pPD6E9H7e2KgtOe3Zxx4Ou5u80=
-github.com/sagernet/sing-dns v0.1.11 h1:PPrMCVVrAeR3f5X23I+cmvacXJ+kzuyAsBiWyUKhGSE=
-github.com/sagernet/sing-dns v0.1.11/go.mod h1:zJ/YjnYB61SYE+ubMcMqVdpaSvsyQ2iShQGO3vuLvvE=
-github.com/sagernet/sing-mux v0.1.6-0.20231208180947-9053c29513a2 h1:rRlYQPbMKmzKX+43XC04gEQvxc45/AxfteRWfcl2/rw=
-github.com/sagernet/sing-mux v0.1.6-0.20231208180947-9053c29513a2/go.mod h1:IdSrwwqBeJTrjLZJRFXE+F8mYXNI/rPAjzlgTFuEVmo=
-github.com/sagernet/sing-quic v0.1.6-0.20231207143711-eb3cbf9ed054 h1:Ed7FskwQcep5oQ+QahgVK0F6jPPSV8Nqwjr9MwGatMU=
-github.com/sagernet/sing-quic v0.1.6-0.20231207143711-eb3cbf9ed054/go.mod h1:u758WWv3G1OITG365CYblL0NfAruFL1PpLD9DUVTv1o=
-github.com/sagernet/sing-shadowsocks v0.2.6 h1:xr7ylAS/q1cQYS8oxKKajhuQcchd5VJJ4K4UZrrpp0s=
-github.com/sagernet/sing-shadowsocks v0.2.6/go.mod h1:j2YZBIpWIuElPFL/5sJAj470bcn/3QQ5lxZUNKLDNAM=
-github.com/sagernet/sing-shadowsocks2 v0.1.6-0.20231207143709-50439739601a h1:uYIKfpE1/EJpa+1Bja7b006VixeRuVduOpeuesMk2lU=
-github.com/sagernet/sing-shadowsocks2 v0.1.6-0.20231207143709-50439739601a/go.mod h1:pjeylQ4ApvpEH7B4PUBrdyJf4xmQkg8BaIzT5fI2fR0=
+github.com/sagernet/sing v0.4.2 h1:jzGNJdZVRI0xlAfFugsIQUPvyB9SuWvbJK7zQCXc4QM=
+github.com/sagernet/sing v0.4.2/go.mod h1:ieZHA/+Y9YZfXs2I3WtuwgyCZ6GPsIR7HdKb1SdEnls=
+github.com/sagernet/sing-dns v0.2.3 h1:YzeBUn2tR38F7HtvGEQ0kLRLmZWMEgi/+7wqa4Twb1k=
+github.com/sagernet/sing-dns v0.2.3/go.mod h1:BJpJv6XLnrUbSyIntOT6DG9FW0f4fETmPAHvNjOprLg=
+github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
+github.com/sagernet/sing-mux v0.2.0/go.mod h1:khzr9AOPocLa+g53dBplwNDz4gdsyx/YM3swtAhlkHQ=
+github.com/sagernet/sing-quic v0.2.0-beta.12 h1:BhvA5mmrDFEyDUQB5eeu+9UhF+ieyuNJ5Rsb0dAG3QY=
+github.com/sagernet/sing-quic v0.2.0-beta.12/go.mod h1:YVpLfVi8BvYM7NMrjmnvcRm3E8iMETf1gFQmTQDN9jI=
+github.com/sagernet/sing-shadowsocks v0.2.7 h1:zaopR1tbHEw5Nk6FAkM05wCslV6ahVegEZaKMv9ipx8=
+github.com/sagernet/sing-shadowsocks v0.2.7/go.mod h1:0rIKJZBR65Qi0zwdKezt4s57y/Tl1ofkaq6NlkzVuyE=
+github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
+github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
-github.com/sagernet/sing-tun v0.1.24-0.20231212060935-6a1419aeae11 h1:crTOVPJGOGWOW+Q2a0FQiiS/G2+W6uCLKtOofFMisQc=
-github.com/sagernet/sing-tun v0.1.24-0.20231212060935-6a1419aeae11/go.mod h1:DgXPnBqtqWrZj37Mun/W61dW0Q56eLqTZYhcuNLaCtY=
-github.com/sagernet/sing-vmess v0.1.8 h1:XVWad1RpTy9b5tPxdm5MCU8cGfrTGdR8qCq6HV2aCNc=
-github.com/sagernet/sing-vmess v0.1.8/go.mod h1:vhx32UNzTDUkNwOyIjcZQohre1CaytquC5mPplId8uA=
+github.com/sagernet/sing-tun v0.3.2 h1:z0bLUT/YXH9RrJS9DsIpB0Bb9afl2hVJOmHd0zA3HJY=
+github.com/sagernet/sing-tun v0.3.2/go.mod h1:DxLIyhjWU/HwGYoX0vNGg2c5QgTQIakphU1MuERR5tQ=
+github.com/sagernet/sing-vmess v0.1.12 h1:2gFD8JJb+eTFMoa8FIVMnknEi+vCSfaiTXTfEYAYAPg=
+github.com/sagernet/sing-vmess v0.1.12/go.mod h1:luTSsfyBGAc9VhtCqwjR+dt1QgqBhuYBCONB/POhF8I=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo=
 github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6 h1:z3SJQhVyU63FT26Wn/UByW6b7q8QKB0ZkPqsyqcz2PI=
 github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6/go.mod h1:73xRZuxwkFk4aiLw28hG8W6o9cr2UPrGL9pdY2UTbvY=
 github.com/sagernet/utls v1.5.4 h1:KmsEGbB2dKUtCNC+44NwAdNAqnqQ6GA4pTO0Yik56co=
 github.com/sagernet/utls v1.5.4/go.mod h1:CTGxPWExIloRipK3XFpYv0OVyhO8kk3XCGW/ieyTh1s=
-github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e h1:iGH0RMv2FzELOFNFQtvsxH7NPmlo7X5JizEK51UCojo=
-github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e/go.mod h1:YbL4TKHRR6APYQv3U2RGfwLDpPYSyWz6oUlpISBEzBE=
+github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8 h1:R0OMYAScomNAVpTfbHFpxqJpvwuhxSRi+g6z7gZhABs=
+github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8/go.mod h1:K4J7/npM+VAMUeUmTa2JaA02JmyheP0GpRBOUvn3ecc=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854/go.mod h1:LtfoSK3+NG57tvnVEHgcuBW9ujgE8enPSgzgwStwCAA=
-github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 h1:rc/CcqLH3lh8n+csdOuDfP+NuykE0U6AeYSJJHKDgSg=
-github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9/go.mod h1:a/83NAfUXvEuLpmxDssAXxgUgrEy12MId3Wd7OTs76s=
 github.com/spyzhov/ajson v0.9.0 h1:tF46gJGOenYVj+k9K1U1XpCxVWhmiyY5PsVCAs1+OJ0=
 github.com/spyzhov/ajson v0.9.0/go.mod h1:a6oSw0MMb7Z5aD2tPoPO+jq11ETKgXUr2XktHdT8Wt8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 h1:tHNk7XK9GkmKUR6Gh8gVBKXc2MVSZ4G/NnWLtzw4gNA=
-github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -180,8 +160,8 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
-go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -189,26 +169,27 @@ golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaE
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
-golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
-golang.org/x/exp v0.0.0-20231127185646-65229373498e h1:Gvh4YaCaXNs6dKTlfgismwWZKyjVZXwOPfIyUaqU3No=
-golang.org/x/exp v0.0.0-20231127185646-65229373498e/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -216,40 +197,37 @@ golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
-golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M=
-google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
-google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:H4O17MA/PE9BsGx3w+a+W2VOLLD1Qf7oJneAoU6WktY=
+google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
+google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -257,5 +235,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-lukechampine.com/blake3 v1.2.1 h1:YuqqRuaqsGV71BV/nm9xlI0MKUv4QC54jQnBChWbGnI=
-lukechampine.com/blake3 v1.2.1/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
+lukechampine.com/blake3 v1.3.0 h1:sJ3XhFINmHSrYCgl958hscfIa3bw8x4DqMP3u1YvoYE=
+lukechampine.com/blake3 v1.3.0/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
--- a/test/reality_test.go
+++ b/test/reality_test.go
@@ -1,354 +0,0 @@
-package main
-
-import (
-	"net/netip"
-	"testing"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/transport/vless"
-)
-
-func TestVLESSVisionReality(t *testing.T) {
-	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
-
-	userUUID := newUUID()
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				Tag:  "mixed-in",
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: serverPort,
-					},
-					Users: []option.VLESSUser{
-						{
-							Name: "sekai",
-							UUID: userUUID.String(),
-							Flow: vless.FlowVision,
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:    true,
-							ServerName: "google.com",
-							Reality: &option.InboundRealityOptions{
-								Enabled: true,
-								Handshake: option.InboundRealityHandshakeOptions{
-									ServerOptions: option.ServerOptions{
-										Server:     "google.com",
-										ServerPort: 443,
-									},
-								},
-								ShortID:    []string{"0123456789abcdef"},
-								PrivateKey: "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",
-							},
-						},
-					},
-				},
-			},
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan",
-				TrojanOptions: option.TrojanInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: otherPort,
-					},
-					Users: []option.TrojanUser{
-						{
-							Name:     "sekai",
-							Password: userUUID.String(),
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeDirect,
-			},
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan-out",
-				TrojanOptions: option.TrojanOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: otherPort,
-					},
-					Password: userUUID.String(),
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-					DialerOptions: option.DialerOptions{
-						Detour: "vless-out",
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				Tag:  "vless-out",
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID: userUUID.String(),
-					Flow: vless.FlowVision,
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:    true,
-							ServerName: "google.com",
-							Reality: &option.OutboundRealityOptions{
-								Enabled:   true,
-								ShortID:   "0123456789abcdef",
-								PublicKey: "jNXHt1yRo0vDuchQlIP6Z0ZvjT3KtzVI-T4E7RoLJS0",
-							},
-							UTLS: &option.OutboundUTLSOptions{
-								Enabled: true,
-							},
-						},
-					},
-				},
-			},
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					DefaultOptions: option.DefaultRule{
-						Inbound:  []string{"mixed-in"},
-						Outbound: "trojan-out",
-					},
-				},
-			},
-		},
-	})
-	testSuit(t, clientPort, testPort)
-}
-
-func TestVLESSVisionRealityPlain(t *testing.T) {
-	userUUID := newUUID()
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				Tag:  "mixed-in",
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: serverPort,
-					},
-					Users: []option.VLESSUser{
-						{
-							Name: "sekai",
-							UUID: userUUID.String(),
-							Flow: vless.FlowVision,
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:    true,
-							ServerName: "google.com",
-							Reality: &option.InboundRealityOptions{
-								Enabled: true,
-								Handshake: option.InboundRealityHandshakeOptions{
-									ServerOptions: option.ServerOptions{
-										Server:     "google.com",
-										ServerPort: 443,
-									},
-								},
-								ShortID:    []string{"0123456789abcdef"},
-								PrivateKey: "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",
-							},
-						},
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeDirect,
-			},
-			{
-				Type: C.TypeVLESS,
-				Tag:  "vless-out",
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID: userUUID.String(),
-					Flow: vless.FlowVision,
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:    true,
-							ServerName: "google.com",
-							Reality: &option.OutboundRealityOptions{
-								Enabled:   true,
-								ShortID:   "0123456789abcdef",
-								PublicKey: "jNXHt1yRo0vDuchQlIP6Z0ZvjT3KtzVI-T4E7RoLJS0",
-							},
-							UTLS: &option.OutboundUTLSOptions{
-								Enabled: true,
-							},
-						},
-					},
-				},
-			},
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					DefaultOptions: option.DefaultRule{
-						Inbound:  []string{"mixed-in"},
-						Outbound: "vless-out",
-					},
-				},
-			},
-		},
-	})
-	testSuit(t, clientPort, testPort)
-}
-
-func TestVLESSRealityTransport(t *testing.T) {
-	t.Run("grpc", func(t *testing.T) {
-		testVLESSRealityTransport(t, &option.V2RayTransportOptions{
-			Type: C.V2RayTransportTypeGRPC,
-		})
-	})
-	t.Run("websocket", func(t *testing.T) {
-		testVLESSRealityTransport(t, &option.V2RayTransportOptions{
-			Type: C.V2RayTransportTypeWebsocket,
-		})
-	})
-	t.Run("h2", func(t *testing.T) {
-		testVLESSRealityTransport(t, &option.V2RayTransportOptions{
-			Type: C.V2RayTransportTypeHTTP,
-		})
-	})
-}
-
-func testVLESSRealityTransport(t *testing.T, transport *option.V2RayTransportOptions) {
-	userUUID := newUUID()
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				Tag:  "mixed-in",
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: serverPort,
-					},
-					Users: []option.VLESSUser{
-						{
-							Name: "sekai",
-							UUID: userUUID.String(),
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:    true,
-							ServerName: "google.com",
-							Reality: &option.InboundRealityOptions{
-								Enabled: true,
-								Handshake: option.InboundRealityHandshakeOptions{
-									ServerOptions: option.ServerOptions{
-										Server:     "google.com",
-										ServerPort: 443,
-									},
-								},
-								ShortID:    []string{"0123456789abcdef"},
-								PrivateKey: "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",
-							},
-						},
-					},
-					Transport: transport,
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeDirect,
-			},
-			{
-				Type: C.TypeVLESS,
-				Tag:  "vless-out",
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID: userUUID.String(),
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:    true,
-							ServerName: "google.com",
-							Reality: &option.OutboundRealityOptions{
-								Enabled:   true,
-								ShortID:   "0123456789abcdef",
-								PublicKey: "jNXHt1yRo0vDuchQlIP6Z0ZvjT3KtzVI-T4E7RoLJS0",
-							},
-							UTLS: &option.OutboundUTLSOptions{
-								Enabled: true,
-							},
-						},
-					},
-					Transport: transport,
-				},
-			},
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					DefaultOptions: option.DefaultRule{
-						Inbound:  []string{"mixed-in"},
-						Outbound: "vless-out",
-					},
-				},
-			},
-		},
-	})
-	testSuit(t, clientPort, testPort)
-}
--- a/test/vless_test.go
+++ b/test/vless_test.go
@@ -1,559 +0,0 @@
-package main
-
-import (
-	"net/netip"
-	"os"
-	"testing"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/transport/vless"
-
-	"github.com/gofrs/uuid/v5"
-	"github.com/spyzhov/ajson"
-	"github.com/stretchr/testify/require"
-)
-
-func TestVLESS(t *testing.T) {
-	content, err := os.ReadFile("config/vless-server.json")
-	require.NoError(t, err)
-	config, err := ajson.Unmarshal(content)
-	require.NoError(t, err)
-
-	user := newUUID()
-	inbound := config.MustKey("inbounds").MustIndex(0)
-	inbound.MustKey("port").SetNumeric(float64(serverPort))
-	inbound.MustKey("settings").MustKey("clients").MustIndex(0).MustKey("id").SetString(user.String())
-
-	content, err = ajson.Marshal(config)
-	require.NoError(t, err)
-
-	startDockerContainer(t, DockerOptions{
-		Image:      ImageV2RayCore,
-		Ports:      []uint16{serverPort},
-		EntryPoint: "v2ray",
-		Cmd:        []string{"run"},
-		Stdin:      content,
-	})
-
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID: user.String(),
-				},
-			},
-		},
-	})
-	testTCP(t, clientPort, testPort)
-}
-
-func TestVLESSXRay(t *testing.T) {
-	t.Run("origin", func(t *testing.T) {
-		testVLESSXrayOutbound(t, "", "")
-	})
-	t.Run("xudp", func(t *testing.T) {
-		testVLESSXrayOutbound(t, "xudp", "")
-	})
-	t.Run("vision", func(t *testing.T) {
-		testVLESSXrayOutbound(t, "xudp", vless.FlowVision)
-	})
-}
-
-func testVLESSXrayOutbound(t *testing.T, packetEncoding string, flow string) {
-	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
-
-	content, err := os.ReadFile("config/vless-tls-server.json")
-	require.NoError(t, err)
-	config, err := ajson.Unmarshal(content)
-	require.NoError(t, err)
-
-	userID := newUUID()
-	inbound := config.MustKey("inbounds").MustIndex(0)
-	inbound.MustKey("port").SetNumeric(float64(serverPort))
-	user := inbound.MustKey("settings").MustKey("clients").MustIndex(0)
-	user.MustKey("id").SetString(userID.String())
-	user.MustKey("flow").SetString(flow)
-
-	content, err = ajson.Marshal(config)
-	require.NoError(t, err)
-
-	startDockerContainer(t, DockerOptions{
-		Image:      ImageXRayCore,
-		Ports:      []uint16{serverPort},
-		EntryPoint: "xray",
-		Stdin:      content,
-		Bind: map[string]string{
-			certPem: "/path/to/certificate.crt",
-			keyPem:  "/path/to/private.key",
-		},
-	})
-
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan",
-				TrojanOptions: option.TrojanInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: otherPort,
-					},
-					Users: []option.TrojanUser{
-						{
-							Name:     "sekai",
-							Password: userID.String(),
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeTrojan,
-				TrojanOptions: option.TrojanOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "host.docker.internal",
-						ServerPort: otherPort,
-					},
-					Password: userID.String(),
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-					DialerOptions: option.DialerOptions{
-						Detour: "vless",
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				Tag:  "vless",
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID:           userID.String(),
-					Flow:           flow,
-					PacketEncoding: &packetEncoding,
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-				},
-			},
-			{
-				Type: C.TypeDirect,
-				Tag:  "direct",
-			},
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					DefaultOptions: option.DefaultRule{
-						Inbound:  []string{"trojan"},
-						Outbound: "direct",
-					},
-				},
-			},
-		},
-	})
-
-	testSuit(t, clientPort, testPort)
-}
-
-func TestVLESSSelf(t *testing.T) {
-	t.Run("origin", func(t *testing.T) {
-		testVLESSSelf(t, "")
-	})
-	t.Run("vision", func(t *testing.T) {
-		testVLESSSelf(t, vless.FlowVision)
-	})
-	t.Run("vision-tls", func(t *testing.T) {
-		testVLESSSelfTLS(t, vless.FlowVision)
-	})
-}
-
-func testVLESSSelf(t *testing.T, flow string) {
-	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
-
-	userUUID := newUUID()
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				Tag:  "mixed-in",
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: serverPort,
-					},
-					Users: []option.VLESSUser{
-						{
-							Name: "sekai",
-							UUID: userUUID.String(),
-							Flow: flow,
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeDirect,
-			},
-			{
-				Type: C.TypeVLESS,
-				Tag:  "vless-out",
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID: userUUID.String(),
-					Flow: flow,
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-				},
-			},
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					DefaultOptions: option.DefaultRule{
-						Inbound:  []string{"mixed-in"},
-						Outbound: "vless-out",
-					},
-				},
-			},
-		},
-	})
-	testSuit(t, clientPort, testPort)
-}
-
-func testVLESSSelfTLS(t *testing.T, flow string) {
-	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
-
-	userUUID := newUUID()
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				Tag:  "mixed-in",
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: serverPort,
-					},
-					Users: []option.VLESSUser{
-						{
-							Name: "sekai",
-							UUID: userUUID.String(),
-							Flow: flow,
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan",
-				TrojanOptions: option.TrojanInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: otherPort,
-					},
-					Users: []option.TrojanUser{
-						{
-							Name:     "sekai",
-							Password: userUUID.String(),
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeDirect,
-			},
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan-out",
-				TrojanOptions: option.TrojanOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: otherPort,
-					},
-					Password: userUUID.String(),
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-					DialerOptions: option.DialerOptions{
-						Detour: "vless-out",
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				Tag:  "vless-out",
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID: userUUID.String(),
-					Flow: flow,
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-				},
-			},
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					DefaultOptions: option.DefaultRule{
-						Inbound:  []string{"mixed-in"},
-						Outbound: "trojan-out",
-					},
-				},
-			},
-		},
-	})
-	testSuit(t, clientPort, testPort)
-}
-
-func TestVLESSXrayInbound(t *testing.T) {
-	testVLESSXrayInbound(t, vless.FlowVision)
-}
-
-func testVLESSXrayInbound(t *testing.T, flow string) {
-	userId, err := uuid.DefaultGenerator.NewV4()
-	require.NoError(t, err)
-	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
-
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: serverPort,
-					},
-					Users: []option.VLESSUser{
-						{
-							Name: "sekai",
-							UUID: userId.String(),
-							Flow: flow,
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan",
-				TrojanOptions: option.TrojanInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: otherPort,
-					},
-					Users: []option.TrojanUser{
-						{
-							Name:     "sekai",
-							Password: userId.String(),
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-		},
-	})
-
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				Tag:  "mixed-in",
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: otherClientPort,
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan-out",
-				TrojanOptions: option.TrojanOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: otherPort,
-					},
-					Password: userId.String(),
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-					DialerOptions: option.DialerOptions{
-						Detour: "vless-out",
-					},
-				},
-			},
-			{
-				Type: C.TypeSOCKS,
-				Tag:  "vless-out",
-				SocksOptions: option.SocksOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: clientPort,
-					},
-				},
-			},
-		},
-	})
-
-	content, err := os.ReadFile("config/vless-tls-client.json")
-	require.NoError(t, err)
-	config, err := ajson.Unmarshal(content)
-	require.NoError(t, err)
-
-	config.MustKey("inbounds").MustIndex(0).MustKey("port").SetNumeric(float64(clientPort))
-	outbound := config.MustKey("outbounds").MustIndex(0)
-	settings := outbound.MustKey("settings").MustKey("vnext").MustIndex(0)
-	settings.MustKey("port").SetNumeric(float64(serverPort))
-	user := settings.MustKey("users").MustIndex(0)
-	user.MustKey("id").SetString(userId.String())
-	user.MustKey("flow").SetString(flow)
-	content, err = ajson.Marshal(config)
-	require.NoError(t, err)
-
-	content, err = ajson.Marshal(config)
-	require.NoError(t, err)
-
-	startDockerContainer(t, DockerOptions{
-		Image:      ImageXRayCore,
-		Ports:      []uint16{clientPort},
-		EntryPoint: "xray",
-		Stdin:      content,
-		Bind: map[string]string{
-			certPem: "/path/to/certificate.crt",
-			keyPem:  "/path/to/private.key",
-		},
-	})
-	testTCP(t, otherClientPort, testPort)
-}
--- a/transport/v2raygrpc/client.go
+++ b/transport/v2raygrpc/client.go
@@ -72,12 +72,6 @@ func NewClient(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, opt
 	}, nil
 }

-func (c *Client) Close() error {
-	return common.Close(
-		common.PtrOrNil(c.conn),
-	)
-}
-
 func (c *Client) connect() (*grpc.ClientConn, error) {
 	conn := c.conn
 	if conn != nil && conn.GetState() != connectivity.Shutdown {
@@ -113,3 +107,13 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 	}
 	return NewGRPCConn(stream, cancel), nil
 }
+
+func (c *Client) Close() error {
+	c.connAccess.Lock()
+	defer c.connAccess.Unlock()
+	if c.conn != nil {
+		c.conn.Close()
+		c.conn = nil
+	}
+	return nil
+}
--- a/transport/v2raygrpclite/client.go
+++ b/transport/v2raygrpclite/client.go
@@ -100,7 +100,7 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 			conn.setup(nil, err)
 		} else if response.StatusCode != 200 {
 			response.Body.Close()
-			conn.setup(nil, E.New("unexpected status: ", response.Status))
+			conn.setup(nil, E.New("v2ray-grpc: unexpected status: ", response.Status))
 		} else {
 			conn.setup(response.Body, nil)
 		}
@@ -109,8 +109,6 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 }

 func (c *Client) Close() error {
-	if c.transport != nil {
-		v2rayhttp.CloseIdleConnections(c.transport)
-	}
+	v2rayhttp.ResetTransport(c.transport)
 	return nil
 }
--- a/transport/v2rayhttp/client.go
+++ b/transport/v2rayhttp/client.go
@@ -146,7 +146,7 @@ func (c *Client) dialHTTP2(ctx context.Context) (net.Conn, error) {
 			conn.Setup(nil, err)
 		} else if response.StatusCode != 200 {
 			response.Body.Close()
-			conn.Setup(nil, E.New("unexpected status: ", response.Status))
+			conn.Setup(nil, E.New("v2ray-http: unexpected status: ", response.Status))
 		} else {
 			conn.Setup(response.Body, nil)
 		}
@@ -155,6 +155,6 @@ func (c *Client) dialHTTP2(ctx context.Context) (net.Conn, error) {
 }

 func (c *Client) Close() error {
-	CloseIdleConnections(c.transport)
+	c.transport = ResetTransport(c.transport)
 	return nil
 }
--- a/transport/v2rayhttp/conn.go
+++ b/transport/v2rayhttp/conn.go
@@ -43,7 +43,7 @@ func (c *HTTPConn) Read(b []byte) (n int, err error) {
 			return 0, E.Cause(err, "read response")
 		}
 		if response.StatusCode != 200 {
-			return 0, E.New("unexpected status: ", response.Status)
+			return 0, E.New("v2ray-http: unexpected status: ", response.Status)
 		}
 		if cacheLen := reader.Buffered(); cacheLen > 0 {
 			c.responseCache = buf.NewSize(cacheLen)
--- a/transport/v2rayhttp/force_close.go
+++ b/transport/v2rayhttp/force_close.go
@@ -0,0 +1,47 @@
+package v2rayhttp
+
+import (
+	"net/http"
+	"reflect"
+	"sync"
+	"unsafe"
+
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"golang.org/x/net/http2"
+)
+
+type clientConnPool struct {
+	t     *http2.Transport
+	mu    sync.Mutex
+	conns map[string][]*http2.ClientConn // key is host:port
+}
+
+type efaceWords struct {
+	typ  unsafe.Pointer
+	data unsafe.Pointer
+}
+
+func ResetTransport(rawTransport http.RoundTripper) http.RoundTripper {
+	switch transport := rawTransport.(type) {
+	case *http.Transport:
+		transport.CloseIdleConnections()
+		return transport.Clone()
+	case *http2.Transport:
+		connPool := transportConnPool(transport)
+		p := (*clientConnPool)((*efaceWords)(unsafe.Pointer(&connPool)).data)
+		p.mu.Lock()
+		defer p.mu.Unlock()
+		for _, vv := range p.conns {
+			for _, cc := range vv {
+				cc.Close()
+			}
+		}
+		return transport
+	default:
+		panic(E.New("unknown transport type: ", reflect.TypeOf(transport)))
+	}
+}
+
+//go:linkname transportConnPool golang.org/x/net/http2.(*Transport).connPool
+func transportConnPool(t *http2.Transport) http2.ClientConnPool
--- a/transport/v2rayhttpupgrade/client.go
+++ b/transport/v2rayhttpupgrade/client.go
@@ -104,7 +104,7 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 	if response.StatusCode != 101 ||
 		!strings.EqualFold(response.Header.Get("Connection"), "upgrade") ||
 		!strings.EqualFold(response.Header.Get("Upgrade"), "websocket") {
-		return nil, E.New("unexpected status: ", response.Status)
+		return nil, E.New("v2ray-http-upgrade: unexpected status: ", response.Status)
 	}
 	if bufReader.Buffered() > 0 {
 		buffer := buf.NewSize(bufReader.Buffered())
@@ -116,3 +116,7 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 	}
 	return conn, nil
 }
+
+func (c *Client) Close() error {
+	return nil
+}
--- a/transport/v2rayquic/client.go
+++ b/transport/v2rayquic/client.go
@@ -8,6 +8,7 @@ import (
 	"sync"

 	"github.com/sagernet/quic-go"
+	"github.com/sagernet/quic-go/http3"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
@@ -37,7 +38,7 @@ func NewClient(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, opt
 		DisablePathMTUDiscovery: !C.IsLinux && !C.IsWindows,
 	}
 	if len(tlsConfig.NextProtos()) == 0 {
-		tlsConfig.SetNextProtos([]string{"h2", "http/1.1"})
+		tlsConfig.SetNextProtos([]string{http3.NextProtoH3})
 	}
 	return &Client{
 		ctx:        ctx,
@@ -96,5 +97,15 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 }

 func (c *Client) Close() error {
-	return common.Close(c.conn, c.rawConn)
+	c.connAccess.Lock()
+	defer c.connAccess.Unlock()
+	if c.conn != nil {
+		c.conn.CloseWithError(0, "")
+	}
+	if c.rawConn != nil {
+		c.rawConn.Close()
+	}
+	c.conn = nil
+	c.rawConn = nil
+	return nil
 }
--- a/transport/v2rayquic/server.go
+++ b/transport/v2rayquic/server.go
@@ -8,6 +8,7 @@ import (
 	"os"

 	"github.com/sagernet/quic-go"
+	"github.com/sagernet/quic-go/http3"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
@@ -34,7 +35,7 @@ func NewServer(ctx context.Context, options option.V2RayQUICOptions, tlsConfig t
 		DisablePathMTUDiscovery: !C.IsLinux && !C.IsWindows,
 	}
 	if len(tlsConfig.NextProtos()) == 0 {
-		tlsConfig.SetNextProtos([]string{"h2", "http/1.1"})
+		tlsConfig.SetNextProtos([]string{http3.NextProtoH3})
 	}
 	server := &Server{
 		ctx:        ctx,
--- a/transport/v2raywebsocket/client.go
+++ b/transport/v2raywebsocket/client.go
@@ -127,3 +127,7 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 		return &EarlyWebsocketConn{Client: c, ctx: ctx, create: make(chan struct{})}, nil
 	}
 }
+
+func (c *Client) Close() error {
+	return nil
+}
--- a/transport/vless/client.go
+++ b/transport/vless/client.go
@@ -1,294 +0,0 @@
-package vless
-
-import (
-	"encoding/binary"
-	"io"
-	"net"
-	"sync"
-
-	"github.com/sagernet/sing-vmess"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	"github.com/gofrs/uuid/v5"
-)
-
-type Client struct {
-	key    [16]byte
-	flow   string
-	logger logger.Logger
-}
-
-func NewClient(userId string, flow string, logger logger.Logger) (*Client, error) {
-	user := uuid.FromStringOrNil(userId)
-	if user == uuid.Nil {
-		user = uuid.NewV5(user, userId)
-	}
-	switch flow {
-	case "", "xtls-rprx-vision":
-	default:
-		return nil, E.New("unsupported flow: " + flow)
-	}
-	return &Client{user, flow, logger}, nil
-}
-
-func (c *Client) prepareConn(conn net.Conn, tlsConn net.Conn) (net.Conn, error) {
-	if c.flow == FlowVision {
-		protocolConn, err := NewVisionConn(conn, tlsConn, c.key, c.logger)
-		if err != nil {
-			return nil, E.Cause(err, "initialize vision")
-		}
-		conn = protocolConn
-	}
-	return conn, nil
-}
-
-func (c *Client) DialConn(conn net.Conn, destination M.Socksaddr) (net.Conn, error) {
-	remoteConn := NewConn(conn, c.key, vmess.CommandTCP, destination, c.flow)
-	protocolConn, err := c.prepareConn(remoteConn, conn)
-	if err != nil {
-		return nil, err
-	}
-	return protocolConn, common.Error(remoteConn.Write(nil))
-}
-
-func (c *Client) DialEarlyConn(conn net.Conn, destination M.Socksaddr) (net.Conn, error) {
-	return c.prepareConn(NewConn(conn, c.key, vmess.CommandTCP, destination, c.flow), conn)
-}
-
-func (c *Client) DialPacketConn(conn net.Conn, destination M.Socksaddr) (*PacketConn, error) {
-	serverConn := &PacketConn{Conn: conn, key: c.key, destination: destination, flow: c.flow}
-	return serverConn, common.Error(serverConn.Write(nil))
-}
-
-func (c *Client) DialEarlyPacketConn(conn net.Conn, destination M.Socksaddr) (*PacketConn, error) {
-	return &PacketConn{Conn: conn, key: c.key, destination: destination, flow: c.flow}, nil
-}
-
-func (c *Client) DialXUDPPacketConn(conn net.Conn, destination M.Socksaddr) (vmess.PacketConn, error) {
-	remoteConn := NewConn(conn, c.key, vmess.CommandTCP, destination, c.flow)
-	protocolConn, err := c.prepareConn(remoteConn, conn)
-	if err != nil {
-		return nil, err
-	}
-	return vmess.NewXUDPConn(protocolConn, destination), common.Error(remoteConn.Write(nil))
-}
-
-func (c *Client) DialEarlyXUDPPacketConn(conn net.Conn, destination M.Socksaddr) (vmess.PacketConn, error) {
-	remoteConn := NewConn(conn, c.key, vmess.CommandMux, destination, c.flow)
-	protocolConn, err := c.prepareConn(remoteConn, conn)
-	if err != nil {
-		return nil, err
-	}
-	return vmess.NewXUDPConn(protocolConn, destination), common.Error(remoteConn.Write(nil))
-}
-
-var (
-	_ N.EarlyConn        = (*Conn)(nil)
-	_ N.VectorisedWriter = (*Conn)(nil)
-)
-
-type Conn struct {
-	N.ExtendedConn
-	writer         N.VectorisedWriter
-	request        Request
-	requestWritten bool
-	responseRead   bool
-}
-
-func NewConn(conn net.Conn, uuid [16]byte, command byte, destination M.Socksaddr, flow string) *Conn {
-	return &Conn{
-		ExtendedConn: bufio.NewExtendedConn(conn),
-		writer:       bufio.NewVectorisedWriter(conn),
-		request: Request{
-			UUID:        uuid,
-			Command:     command,
-			Destination: destination,
-			Flow:        flow,
-		},
-	}
-}
-
-func (c *Conn) Read(b []byte) (n int, err error) {
-	if !c.responseRead {
-		err = ReadResponse(c.ExtendedConn)
-		if err != nil {
-			return
-		}
-		c.responseRead = true
-	}
-	return c.ExtendedConn.Read(b)
-}
-
-func (c *Conn) ReadBuffer(buffer *buf.Buffer) error {
-	if !c.responseRead {
-		err := ReadResponse(c.ExtendedConn)
-		if err != nil {
-			return err
-		}
-		c.responseRead = true
-	}
-	return c.ExtendedConn.ReadBuffer(buffer)
-}
-
-func (c *Conn) Write(b []byte) (n int, err error) {
-	if !c.requestWritten {
-		err = WriteRequest(c.ExtendedConn, c.request, b)
-		if err == nil {
-			n = len(b)
-		}
-		c.requestWritten = true
-		return
-	}
-	return c.ExtendedConn.Write(b)
-}
-
-func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
-	if !c.requestWritten {
-		err := EncodeRequest(c.request, buf.With(buffer.ExtendHeader(RequestLen(c.request))))
-		if err != nil {
-			return err
-		}
-		c.requestWritten = true
-	}
-	return c.ExtendedConn.WriteBuffer(buffer)
-}
-
-func (c *Conn) WriteVectorised(buffers []*buf.Buffer) error {
-	if !c.requestWritten {
-		buffer := buf.NewSize(RequestLen(c.request))
-		err := EncodeRequest(c.request, buffer)
-		if err != nil {
-			buffer.Release()
-			return err
-		}
-		c.requestWritten = true
-		return c.writer.WriteVectorised(append([]*buf.Buffer{buffer}, buffers...))
-	}
-	return c.writer.WriteVectorised(buffers)
-}
-
-func (c *Conn) ReaderReplaceable() bool {
-	return c.responseRead
-}
-
-func (c *Conn) WriterReplaceable() bool {
-	return c.requestWritten
-}
-
-func (c *Conn) NeedHandshake() bool {
-	return !c.requestWritten
-}
-
-func (c *Conn) FrontHeadroom() int {
-	if c.requestWritten {
-		return 0
-	}
-	return RequestLen(c.request)
-}
-
-func (c *Conn) Upstream() any {
-	return c.ExtendedConn
-}
-
-type PacketConn struct {
-	net.Conn
-	access         sync.Mutex
-	key            [16]byte
-	destination    M.Socksaddr
-	flow           string
-	requestWritten bool
-	responseRead   bool
-}
-
-func (c *PacketConn) Read(b []byte) (n int, err error) {
-	if !c.responseRead {
-		err = ReadResponse(c.Conn)
-		if err != nil {
-			return
-		}
-		c.responseRead = true
-	}
-	var length uint16
-	err = binary.Read(c.Conn, binary.BigEndian, &length)
-	if err != nil {
-		return
-	}
-	if cap(b) < int(length) {
-		return 0, io.ErrShortBuffer
-	}
-	return io.ReadFull(c.Conn, b[:length])
-}
-
-func (c *PacketConn) Write(b []byte) (n int, err error) {
-	if !c.requestWritten {
-		c.access.Lock()
-		if c.requestWritten {
-			c.access.Unlock()
-		} else {
-			err = WritePacketRequest(c.Conn, Request{c.key, vmess.CommandUDP, c.destination, c.flow}, nil)
-			if err == nil {
-				n = len(b)
-			}
-			c.requestWritten = true
-			c.access.Unlock()
-		}
-	}
-	err = binary.Write(c.Conn, binary.BigEndian, uint16(len(b)))
-	if err != nil {
-		return
-	}
-	return c.Conn.Write(b)
-}
-
-func (c *PacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	defer buffer.Release()
-	dataLen := buffer.Len()
-	binary.BigEndian.PutUint16(buffer.ExtendHeader(2), uint16(dataLen))
-	if !c.requestWritten {
-		c.access.Lock()
-		if c.requestWritten {
-			c.access.Unlock()
-		} else {
-			err := WritePacketRequest(c.Conn, Request{c.key, vmess.CommandUDP, c.destination, c.flow}, buffer.Bytes())
-			c.requestWritten = true
-			c.access.Unlock()
-			return err
-		}
-	}
-	return common.Error(c.Conn.Write(buffer.Bytes()))
-}
-
-func (c *PacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
-	n, err = c.Read(p)
-	if err != nil {
-		return
-	}
-	if c.destination.IsFqdn() {
-		addr = c.destination
-	} else {
-		addr = c.destination.UDPAddr()
-	}
-	return
-}
-
-func (c *PacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
-	return c.Write(p)
-}
-
-func (c *PacketConn) FrontHeadroom() int {
-	return 2
-}
-
-func (c *PacketConn) NeedAdditionalReadDeadline() bool {
-	return true
-}
-
-func (c *PacketConn) Upstream() any {
-	return c.Conn
-}
--- a/transport/vless/constant.go
+++ b/transport/vless/constant.go
@@ -1,40 +0,0 @@
-package vless
-
-import (
-	"bytes"
-
-	"github.com/sagernet/sing/common/buf"
-)
-
-var (
-	tls13SupportedVersions  = []byte{0x00, 0x2b, 0x00, 0x02, 0x03, 0x04}
-	tlsClientHandShakeStart = []byte{0x16, 0x03}
-	tlsServerHandShakeStart = []byte{0x16, 0x03, 0x03}
-	tlsApplicationDataStart = []byte{0x17, 0x03, 0x03}
-)
-
-const (
-	commandPaddingContinue byte = iota
-	commandPaddingEnd
-	commandPaddingDirect
-)
-
-var tls13CipherSuiteDic = map[uint16]string{
-	0x1301: "TLS_AES_128_GCM_SHA256",
-	0x1302: "TLS_AES_256_GCM_SHA384",
-	0x1303: "TLS_CHACHA20_POLY1305_SHA256",
-	0x1304: "TLS_AES_128_CCM_SHA256",
-	0x1305: "TLS_AES_128_CCM_8_SHA256",
-}
-
-func reshapeBuffer(b []byte) []*buf.Buffer {
-	const bufferLimit = 8192 - 21
-	if len(b) < bufferLimit {
-		return []*buf.Buffer{buf.As(b)}
-	}
-	index := int32(bytes.LastIndex(b, tlsApplicationDataStart))
-	if index <= 0 {
-		index = 8192 / 2
-	}
-	return []*buf.Buffer{buf.As(b[:index]), buf.As(b[index:])}
-}
--- a/transport/vless/protocol.go
+++ b/transport/vless/protocol.go
@@ -1,297 +0,0 @@
-package vless
-
-import (
-	"bytes"
-	"encoding/binary"
-	"io"
-
-	"github.com/sagernet/sing-vmess"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/common/rw"
-)
-
-const (
-	Version    = 0
-	FlowVision = "xtls-rprx-vision"
-)
-
-type Request struct {
-	UUID        [16]byte
-	Command     byte
-	Destination M.Socksaddr
-	Flow        string
-}
-
-func ReadRequest(reader io.Reader) (*Request, error) {
-	var request Request
-
-	var version uint8
-	err := binary.Read(reader, binary.BigEndian, &version)
-	if err != nil {
-		return nil, err
-	}
-	if version != Version {
-		return nil, E.New("unknown version: ", version)
-	}
-
-	_, err = io.ReadFull(reader, request.UUID[:])
-	if err != nil {
-		return nil, err
-	}
-
-	var addonsLen uint8
-	err = binary.Read(reader, binary.BigEndian, &addonsLen)
-	if err != nil {
-		return nil, err
-	}
-
-	if addonsLen > 0 {
-		addonsBytes, err := rw.ReadBytes(reader, int(addonsLen))
-		if err != nil {
-			return nil, err
-		}
-
-		addons, err := readAddons(bytes.NewReader(addonsBytes))
-		if err != nil {
-			return nil, err
-		}
-		request.Flow = addons.Flow
-	}
-
-	err = binary.Read(reader, binary.BigEndian, &request.Command)
-	if err != nil {
-		return nil, err
-	}
-
-	if request.Command != vmess.CommandMux {
-		request.Destination, err = vmess.AddressSerializer.ReadAddrPort(reader)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return &request, nil
-}
-
-type Addons struct {
-	Flow string
-	Seed string
-}
-
-func readAddons(reader io.Reader) (*Addons, error) {
-	protoHeader, err := rw.ReadByte(reader)
-	if err != nil {
-		return nil, err
-	}
-	if protoHeader != 10 {
-		return nil, E.New("unknown protobuf message header: ", protoHeader)
-	}
-
-	var addons Addons
-
-	flowLen, err := rw.ReadUVariant(reader)
-	if err != nil {
-		if err == io.EOF {
-			return &addons, nil
-		}
-		return nil, err
-	}
-	flowBytes, err := rw.ReadBytes(reader, int(flowLen))
-	if err != nil {
-		return nil, err
-	}
-	addons.Flow = string(flowBytes)
-
-	seedLen, err := rw.ReadUVariant(reader)
-	if err != nil {
-		if err == io.EOF {
-			return &addons, nil
-		}
-		return nil, err
-	}
-	seedBytes, err := rw.ReadBytes(reader, int(seedLen))
-	if err != nil {
-		return nil, err
-	}
-	addons.Seed = string(seedBytes)
-
-	return &addons, nil
-}
-
-func WriteRequest(writer io.Writer, request Request, payload []byte) error {
-	var requestLen int
-	requestLen += 1  // version
-	requestLen += 16 // uuid
-	requestLen += 1  // protobuf length
-
-	var addonsLen int
-	if request.Flow != "" {
-		addonsLen += 1 // protobuf header
-		addonsLen += rw.UVariantLen(uint64(len(request.Flow)))
-		addonsLen += len(request.Flow)
-		requestLen += addonsLen
-	}
-	requestLen += 1 // command
-	if request.Command != vmess.CommandMux {
-		requestLen += vmess.AddressSerializer.AddrPortLen(request.Destination)
-	}
-	requestLen += len(payload)
-	buffer := buf.NewSize(requestLen)
-	defer buffer.Release()
-	common.Must(
-		buffer.WriteByte(Version),
-		common.Error(buffer.Write(request.UUID[:])),
-		buffer.WriteByte(byte(addonsLen)),
-	)
-	if addonsLen > 0 {
-		common.Must(buffer.WriteByte(10))
-		binary.PutUvarint(buffer.Extend(rw.UVariantLen(uint64(len(request.Flow)))), uint64(len(request.Flow)))
-		common.Must(common.Error(buffer.WriteString(request.Flow)))
-	}
-	common.Must(
-		buffer.WriteByte(request.Command),
-	)
-
-	if request.Command != vmess.CommandMux {
-		err := vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination)
-		if err != nil {
-			return err
-		}
-	}
-
-	common.Must1(buffer.Write(payload))
-	return common.Error(writer.Write(buffer.Bytes()))
-}
-
-func EncodeRequest(request Request, buffer *buf.Buffer) error {
-	var requestLen int
-	requestLen += 1  // version
-	requestLen += 16 // uuid
-	requestLen += 1  // protobuf length
-
-	var addonsLen int
-	if request.Flow != "" {
-		addonsLen += 1 // protobuf header
-		addonsLen += rw.UVariantLen(uint64(len(request.Flow)))
-		addonsLen += len(request.Flow)
-		requestLen += addonsLen
-	}
-	requestLen += 1 // command
-	if request.Command != vmess.CommandMux {
-		requestLen += vmess.AddressSerializer.AddrPortLen(request.Destination)
-	}
-	common.Must(
-		buffer.WriteByte(Version),
-		common.Error(buffer.Write(request.UUID[:])),
-		buffer.WriteByte(byte(addonsLen)),
-	)
-	if addonsLen > 0 {
-		common.Must(buffer.WriteByte(10))
-		binary.PutUvarint(buffer.Extend(rw.UVariantLen(uint64(len(request.Flow)))), uint64(len(request.Flow)))
-		common.Must(common.Error(buffer.WriteString(request.Flow)))
-	}
-	common.Must(
-		buffer.WriteByte(request.Command),
-	)
-
-	if request.Command != vmess.CommandMux {
-		err := vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func RequestLen(request Request) int {
-	var requestLen int
-	requestLen += 1  // version
-	requestLen += 16 // uuid
-	requestLen += 1  // protobuf length
-
-	var addonsLen int
-	if request.Flow != "" {
-		addonsLen += 1 // protobuf header
-		addonsLen += rw.UVariantLen(uint64(len(request.Flow)))
-		addonsLen += len(request.Flow)
-		requestLen += addonsLen
-	}
-	requestLen += 1 // command
-	if request.Command != vmess.CommandMux {
-		requestLen += vmess.AddressSerializer.AddrPortLen(request.Destination)
-	}
-	return requestLen
-}
-
-func WritePacketRequest(writer io.Writer, request Request, payload []byte) error {
-	var requestLen int
-	requestLen += 1  // version
-	requestLen += 16 // uuid
-	requestLen += 1  // protobuf length
-	var addonsLen int
-	/*if request.Flow != "" {
-		addonsLen += 1 // protobuf header
-		addonsLen += rw.UVariantLen(uint64(len(request.Flow)))
-		addonsLen += len(request.Flow)
-		requestLen += addonsLen
-	}*/
-	requestLen += 1 // command
-	requestLen += vmess.AddressSerializer.AddrPortLen(request.Destination)
-	if len(payload) > 0 {
-		requestLen += 2
-		requestLen += len(payload)
-	}
-	buffer := buf.NewSize(requestLen)
-	defer buffer.Release()
-	common.Must(
-		buffer.WriteByte(Version),
-		common.Error(buffer.Write(request.UUID[:])),
-		buffer.WriteByte(byte(addonsLen)),
-	)
-
-	if addonsLen > 0 {
-		common.Must(buffer.WriteByte(10))
-		binary.PutUvarint(buffer.Extend(rw.UVariantLen(uint64(len(request.Flow)))), uint64(len(request.Flow)))
-		common.Must(common.Error(buffer.WriteString(request.Flow)))
-	}
-
-	common.Must(buffer.WriteByte(vmess.CommandUDP))
-
-	err := vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination)
-	if err != nil {
-		return err
-	}
-
-	if len(payload) > 0 {
-		common.Must(
-			binary.Write(buffer, binary.BigEndian, uint16(len(payload))),
-			common.Error(buffer.Write(payload)),
-		)
-	}
-
-	return common.Error(writer.Write(buffer.Bytes()))
-}
-
-func ReadResponse(reader io.Reader) error {
-	version, err := rw.ReadByte(reader)
-	if err != nil {
-		return err
-	}
-	if version != Version {
-		return E.New("unknown version: ", version)
-	}
-	protobufLength, err := rw.ReadByte(reader)
-	if err != nil {
-		return err
-	}
-	if protobufLength > 0 {
-		err = rw.SkipN(reader, int(protobufLength))
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
--- a/transport/vless/service.go
+++ b/transport/vless/service.go
@@ -1,260 +0,0 @@
-package vless
-
-import (
-	"context"
-	"encoding/binary"
-	"io"
-	"net"
-
-	"github.com/sagernet/sing-vmess"
-	"github.com/sagernet/sing/common/auth"
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	"github.com/gofrs/uuid/v5"
-)
-
-type Service[T comparable] struct {
-	userMap  map[[16]byte]T
-	userFlow map[T]string
-	logger   logger.Logger
-	handler  Handler
-}
-
-type Handler interface {
-	N.TCPConnectionHandler
-	N.UDPConnectionHandler
-	E.Handler
-}
-
-func NewService[T comparable](logger logger.Logger, handler Handler) *Service[T] {
-	return &Service[T]{
-		logger:  logger,
-		handler: handler,
-	}
-}
-
-func (s *Service[T]) UpdateUsers(userList []T, userUUIDList []string, userFlowList []string) {
-	userMap := make(map[[16]byte]T)
-	userFlowMap := make(map[T]string)
-	for i, userName := range userList {
-		userID := uuid.FromStringOrNil(userUUIDList[i])
-		if userID == uuid.Nil {
-			userID = uuid.NewV5(uuid.Nil, userUUIDList[i])
-		}
-		userMap[userID] = userName
-		userFlowMap[userName] = userFlowList[i]
-	}
-	s.userMap = userMap
-	s.userFlow = userFlowMap
-}
-
-var _ N.TCPConnectionHandler = (*Service[int])(nil)
-
-func (s *Service[T]) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	request, err := ReadRequest(conn)
-	if err != nil {
-		return err
-	}
-	user, loaded := s.userMap[request.UUID]
-	if !loaded {
-		return E.New("unknown UUID: ", uuid.FromBytesOrNil(request.UUID[:]))
-	}
-	ctx = auth.ContextWithUser(ctx, user)
-	metadata.Destination = request.Destination
-
-	userFlow := s.userFlow[user]
-	if request.Flow == FlowVision && request.Command == vmess.NetworkUDP {
-		return E.New(FlowVision, " flow does not support UDP")
-	} else if request.Flow != userFlow {
-		return E.New("flow mismatch: expected ", flowName(userFlow), ", but got ", flowName(request.Flow))
-	}
-
-	if request.Command == vmess.CommandUDP {
-		return s.handler.NewPacketConnection(ctx, &serverPacketConn{ExtendedConn: bufio.NewExtendedConn(conn), destination: request.Destination}, metadata)
-	}
-	responseConn := &serverConn{ExtendedConn: bufio.NewExtendedConn(conn), writer: bufio.NewVectorisedWriter(conn)}
-	switch userFlow {
-	case FlowVision:
-		conn, err = NewVisionConn(responseConn, conn, request.UUID, s.logger)
-		if err != nil {
-			return E.Cause(err, "initialize vision")
-		}
-	case "":
-		conn = responseConn
-	default:
-		return E.New("unknown flow: ", userFlow)
-	}
-	switch request.Command {
-	case vmess.CommandTCP:
-		return s.handler.NewConnection(ctx, conn, metadata)
-	case vmess.CommandMux:
-		return vmess.HandleMuxConnection(ctx, conn, s.handler)
-	default:
-		return E.New("unknown command: ", request.Command)
-	}
-}
-
-func flowName(value string) string {
-	if value == "" {
-		return "none"
-	}
-	return value
-}
-
-var _ N.VectorisedWriter = (*serverConn)(nil)
-
-type serverConn struct {
-	N.ExtendedConn
-	writer          N.VectorisedWriter
-	responseWritten bool
-}
-
-func (c *serverConn) Read(b []byte) (n int, err error) {
-	return c.ExtendedConn.Read(b)
-}
-
-func (c *serverConn) Write(b []byte) (n int, err error) {
-	if !c.responseWritten {
-		_, err = bufio.WriteVectorised(c.writer, [][]byte{{Version, 0}, b})
-		if err == nil {
-			n = len(b)
-		}
-		c.responseWritten = true
-		return
-	}
-	return c.ExtendedConn.Write(b)
-}
-
-func (c *serverConn) WriteBuffer(buffer *buf.Buffer) error {
-	if !c.responseWritten {
-		header := buffer.ExtendHeader(2)
-		header[0] = Version
-		header[1] = 0
-		c.responseWritten = true
-	}
-	return c.ExtendedConn.WriteBuffer(buffer)
-}
-
-func (c *serverConn) WriteVectorised(buffers []*buf.Buffer) error {
-	if !c.responseWritten {
-		err := c.writer.WriteVectorised(append([]*buf.Buffer{buf.As([]byte{Version, 0})}, buffers...))
-		c.responseWritten = true
-		return err
-	}
-	return c.writer.WriteVectorised(buffers)
-}
-
-func (c *serverConn) NeedAdditionalReadDeadline() bool {
-	return true
-}
-
-func (c *serverConn) FrontHeadroom() int {
-	if c.responseWritten {
-		return 0
-	}
-	return 2
-}
-
-func (c *serverConn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *serverConn) WriterReplaceable() bool {
-	return c.responseWritten
-}
-
-func (c *serverConn) Upstream() any {
-	return c.ExtendedConn
-}
-
-type serverPacketConn struct {
-	N.ExtendedConn
-	responseWriter  io.Writer
-	responseWritten bool
-	destination     M.Socksaddr
-}
-
-func (c *serverPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
-	n, err = c.ExtendedConn.Read(p)
-	if err != nil {
-		return
-	}
-	if c.destination.IsFqdn() {
-		addr = c.destination
-	} else {
-		addr = c.destination.UDPAddr()
-	}
-	return
-}
-
-func (c *serverPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
-	if !c.responseWritten {
-		if c.responseWriter == nil {
-			var packetLen [2]byte
-			binary.BigEndian.PutUint16(packetLen[:], uint16(len(p)))
-			_, err = bufio.WriteVectorised(bufio.NewVectorisedWriter(c.ExtendedConn), [][]byte{{Version, 0}, packetLen[:], p})
-			if err == nil {
-				n = len(p)
-			}
-			c.responseWritten = true
-			return
-		} else {
-			_, err = c.responseWriter.Write([]byte{Version, 0})
-			if err != nil {
-				return
-			}
-			c.responseWritten = true
-		}
-	}
-	return c.ExtendedConn.Write(p)
-}
-
-func (c *serverPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
-	var packetLen uint16
-	err = binary.Read(c.ExtendedConn, binary.BigEndian, &packetLen)
-	if err != nil {
-		return
-	}
-
-	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(packetLen))
-	if err != nil {
-		return
-	}
-
-	destination = c.destination
-	return
-}
-
-func (c *serverPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	if !c.responseWritten {
-		if c.responseWriter == nil {
-			var packetLen [2]byte
-			binary.BigEndian.PutUint16(packetLen[:], uint16(buffer.Len()))
-			err := bufio.NewVectorisedWriter(c.ExtendedConn).WriteVectorised([]*buf.Buffer{buf.As([]byte{Version, 0}), buf.As(packetLen[:]), buffer})
-			c.responseWritten = true
-			return err
-		} else {
-			_, err := c.responseWriter.Write([]byte{Version, 0})
-			if err != nil {
-				return err
-			}
-			c.responseWritten = true
-		}
-	}
-	packetLen := buffer.Len()
-	binary.BigEndian.PutUint16(buffer.ExtendHeader(2), uint16(packetLen))
-	return c.ExtendedConn.WriteBuffer(buffer)
-}
-
-func (c *serverPacketConn) FrontHeadroom() int {
-	return 2
-}
-
-func (c *serverPacketConn) Upstream() any {
-	return c.ExtendedConn
-}
--- a/transport/vless/vision.go
+++ b/transport/vless/vision.go
@@ -1,380 +0,0 @@
-package vless
-
-import (
-	"bytes"
-	"crypto/rand"
-	"crypto/tls"
-	"io"
-	"math/big"
-	"net"
-	"reflect"
-	"time"
-	"unsafe"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	N "github.com/sagernet/sing/common/network"
-)
-
-var tlsRegistry []func(conn net.Conn) (loaded bool, netConn net.Conn, reflectType reflect.Type, reflectPointer uintptr)
-
-func init() {
-	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, netConn net.Conn, reflectType reflect.Type, reflectPointer uintptr) {
-		tlsConn, loaded := common.Cast[*tls.Conn](conn)
-		if !loaded {
-			return
-		}
-		return true, tlsConn.NetConn(), reflect.TypeOf(tlsConn).Elem(), uintptr(unsafe.Pointer(tlsConn))
-	})
-}
-
-const xrayChunkSize = 8192
-
-type VisionConn struct {
-	net.Conn
-	reader   *bufio.ChunkReader
-	writer   N.VectorisedWriter
-	input    *bytes.Reader
-	rawInput *bytes.Buffer
-	netConn  net.Conn
-	logger   logger.Logger
-
-	userUUID               [16]byte
-	isTLS                  bool
-	numberOfPacketToFilter int
-	isTLS12orAbove         bool
-	remainingServerHello   int32
-	cipher                 uint16
-	enableXTLS             bool
-	isPadding              bool
-	directWrite            bool
-	writeUUID              bool
-	withinPaddingBuffers   bool
-	remainingContent       int
-	remainingPadding       int
-	currentCommand         byte
-	directRead             bool
-	remainingReader        io.Reader
-}
-
-func NewVisionConn(conn net.Conn, tlsConn net.Conn, userUUID [16]byte, logger logger.Logger) (*VisionConn, error) {
-	var (
-		loaded         bool
-		reflectType    reflect.Type
-		reflectPointer uintptr
-		netConn        net.Conn
-	)
-	for _, tlsCreator := range tlsRegistry {
-		loaded, netConn, reflectType, reflectPointer = tlsCreator(tlsConn)
-		if loaded {
-			break
-		}
-	}
-	if !loaded {
-		return nil, C.ErrTLSRequired
-	}
-	input, _ := reflectType.FieldByName("input")
-	rawInput, _ := reflectType.FieldByName("rawInput")
-	return &VisionConn{
-		Conn:     conn,
-		reader:   bufio.NewChunkReader(conn, xrayChunkSize),
-		writer:   bufio.NewVectorisedWriter(conn),
-		input:    (*bytes.Reader)(unsafe.Pointer(reflectPointer + input.Offset)),
-		rawInput: (*bytes.Buffer)(unsafe.Pointer(reflectPointer + rawInput.Offset)),
-		netConn:  netConn,
-		logger:   logger,
-
-		userUUID:               userUUID,
-		numberOfPacketToFilter: 8,
-		remainingServerHello:   -1,
-		isPadding:              true,
-		writeUUID:              true,
-		withinPaddingBuffers:   true,
-		remainingContent:       -1,
-		remainingPadding:       -1,
-	}, nil
-}
-
-func (c *VisionConn) Read(p []byte) (n int, err error) {
-	if c.remainingReader != nil {
-		n, err = c.remainingReader.Read(p)
-		if err == io.EOF {
-			err = nil
-			c.remainingReader = nil
-		}
-		if n > 0 {
-			return
-		}
-	}
-	if c.directRead {
-		return c.netConn.Read(p)
-	}
-	var bufferBytes []byte
-	var chunkBuffer *buf.Buffer
-	if len(p) > xrayChunkSize {
-		n, err = c.Conn.Read(p)
-		if err != nil {
-			return
-		}
-		bufferBytes = p[:n]
-	} else {
-		chunkBuffer, err = c.reader.ReadChunk()
-		if err != nil {
-			return 0, err
-		}
-		bufferBytes = chunkBuffer.Bytes()
-	}
-	if c.withinPaddingBuffers || c.numberOfPacketToFilter > 0 {
-		buffers := c.unPadding(bufferBytes)
-		if chunkBuffer != nil {
-			buffers = common.Map(buffers, func(it *buf.Buffer) *buf.Buffer {
-				return it.ToOwned()
-			})
-			chunkBuffer.Reset()
-		}
-		if c.remainingContent == 0 && c.remainingPadding == 0 {
-			if c.currentCommand == commandPaddingEnd {
-				c.withinPaddingBuffers = false
-				c.remainingContent = -1
-				c.remainingPadding = -1
-			} else if c.currentCommand == commandPaddingDirect {
-				c.withinPaddingBuffers = false
-				c.directRead = true
-
-				inputBuffer, err := io.ReadAll(c.input)
-				if err != nil {
-					return 0, err
-				}
-				buffers = append(buffers, buf.As(inputBuffer))
-
-				rawInputBuffer, err := io.ReadAll(c.rawInput)
-				if err != nil {
-					return 0, err
-				}
-
-				buffers = append(buffers, buf.As(rawInputBuffer))
-
-				c.logger.Trace("XtlsRead readV")
-			} else if c.currentCommand == commandPaddingContinue {
-				c.withinPaddingBuffers = true
-			} else {
-				return 0, E.New("unknown command ", c.currentCommand)
-			}
-		} else if c.remainingContent > 0 || c.remainingPadding > 0 {
-			c.withinPaddingBuffers = true
-		} else {
-			c.withinPaddingBuffers = false
-		}
-		if c.numberOfPacketToFilter > 0 {
-			c.filterTLS(buf.ToSliceMulti(buffers))
-		}
-		c.remainingReader = io.MultiReader(common.Map(buffers, func(it *buf.Buffer) io.Reader { return it })...)
-		return c.Read(p)
-	} else {
-		if c.numberOfPacketToFilter > 0 {
-			c.filterTLS([][]byte{bufferBytes})
-		}
-		if chunkBuffer != nil {
-			n = copy(p, bufferBytes)
-			chunkBuffer.Advance(n)
-		}
-		return
-	}
-}
-
-func (c *VisionConn) Write(p []byte) (n int, err error) {
-	if c.numberOfPacketToFilter > 0 {
-		c.filterTLS([][]byte{p})
-	}
-	if c.isPadding {
-		inputLen := len(p)
-		buffers := reshapeBuffer(p)
-		var specIndex int
-		for i, buffer := range buffers {
-			if c.isTLS && buffer.Len() > 6 && bytes.Equal(tlsApplicationDataStart, buffer.To(3)) {
-				var command byte = commandPaddingEnd
-				if c.enableXTLS {
-					c.directWrite = true
-					specIndex = i
-					command = commandPaddingDirect
-				}
-				c.isPadding = false
-				buffers[i] = c.padding(buffer, command)
-				break
-			} else if !c.isTLS12orAbove && c.numberOfPacketToFilter <= 1 {
-				c.isPadding = false
-				buffers[i] = c.padding(buffer, commandPaddingEnd)
-				break
-			}
-			buffers[i] = c.padding(buffer, commandPaddingContinue)
-		}
-		if c.directWrite {
-			encryptedBuffer := buffers[:specIndex+1]
-			err = c.writer.WriteVectorised(encryptedBuffer)
-			if err != nil {
-				return
-			}
-			buffers = buffers[specIndex+1:]
-			c.writer = bufio.NewVectorisedWriter(c.netConn)
-			c.logger.Trace("XtlsWrite writeV ", specIndex, " ", buf.LenMulti(encryptedBuffer), " ", len(buffers))
-			time.Sleep(5 * time.Millisecond) // wtf
-		}
-		err = c.writer.WriteVectorised(buffers)
-		if err == nil {
-			n = inputLen
-		}
-		return
-	}
-	if c.directWrite {
-		return c.netConn.Write(p)
-	} else {
-		return c.Conn.Write(p)
-	}
-}
-
-func (c *VisionConn) filterTLS(buffers [][]byte) {
-	for _, buffer := range buffers {
-		c.numberOfPacketToFilter--
-		if len(buffer) > 6 {
-			if buffer[0] == 22 && buffer[1] == 3 && buffer[2] == 3 {
-				c.isTLS = true
-				if buffer[5] == 2 {
-					c.isTLS12orAbove = true
-					c.remainingServerHello = (int32(buffer[3])<<8 | int32(buffer[4])) + 5
-					if len(buffer) >= 79 && c.remainingServerHello >= 79 {
-						sessionIdLen := int32(buffer[43])
-						cipherSuite := buffer[43+sessionIdLen+1 : 43+sessionIdLen+3]
-						c.cipher = uint16(cipherSuite[0])<<8 | uint16(cipherSuite[1])
-					} else {
-						c.logger.Trace("XtlsFilterTls short server hello, tls 1.2 or older? ", len(buffer), " ", c.remainingServerHello)
-					}
-				}
-			} else if bytes.Equal(tlsClientHandShakeStart, buffer[:2]) && buffer[5] == 1 {
-				c.isTLS = true
-				c.logger.Trace("XtlsFilterTls found tls client hello! ", len(buffer))
-			}
-		}
-		if c.remainingServerHello > 0 {
-			end := int(c.remainingServerHello)
-			if end > len(buffer) {
-				end = len(buffer)
-			}
-			c.remainingServerHello -= int32(end)
-			if bytes.Contains(buffer[:end], tls13SupportedVersions) {
-				cipher, ok := tls13CipherSuiteDic[c.cipher]
-				if ok && cipher != "TLS_AES_128_CCM_8_SHA256" {
-					c.enableXTLS = true
-				}
-				c.logger.Trace("XtlsFilterTls found tls 1.3! ", len(buffer), " ", c.cipher, " ", c.enableXTLS)
-				c.numberOfPacketToFilter = 0
-				return
-			} else if c.remainingServerHello == 0 {
-				c.logger.Trace("XtlsFilterTls found tls 1.2! ", len(buffer))
-				c.numberOfPacketToFilter = 0
-				return
-			}
-		}
-		if c.numberOfPacketToFilter == 0 {
-			c.logger.Trace("XtlsFilterTls stop filtering ", len(buffer))
-		}
-	}
-}
-
-func (c *VisionConn) padding(buffer *buf.Buffer, command byte) *buf.Buffer {
-	contentLen := 0
-	paddingLen := 0
-	if buffer != nil {
-		contentLen = buffer.Len()
-	}
-	if contentLen < 900 && c.isTLS {
-		l, _ := rand.Int(rand.Reader, big.NewInt(500))
-		paddingLen = int(l.Int64()) + 900 - contentLen
-	} else {
-		l, _ := rand.Int(rand.Reader, big.NewInt(256))
-		paddingLen = int(l.Int64())
-	}
-	var bufferLen int
-	if c.writeUUID {
-		bufferLen += 16
-	}
-	bufferLen += 5
-	if buffer != nil {
-		bufferLen += buffer.Len()
-	}
-	bufferLen += paddingLen
-	newBuffer := buf.NewSize(bufferLen)
-	if c.writeUUID {
-		common.Must1(newBuffer.Write(c.userUUID[:]))
-		c.writeUUID = false
-	}
-	common.Must1(newBuffer.Write([]byte{command, byte(contentLen >> 8), byte(contentLen), byte(paddingLen >> 8), byte(paddingLen)}))
-	if buffer != nil {
-		common.Must1(newBuffer.Write(buffer.Bytes()))
-		buffer.Release()
-	}
-	newBuffer.Extend(paddingLen)
-	c.logger.Trace("XtlsPadding ", contentLen, " ", paddingLen, " ", command)
-	return newBuffer
-}
-
-func (c *VisionConn) unPadding(buffer []byte) []*buf.Buffer {
-	var bufferIndex int
-	if c.remainingContent == -1 && c.remainingPadding == -1 {
-		if len(buffer) >= 21 && bytes.Equal(c.userUUID[:], buffer[:16]) {
-			bufferIndex = 16
-			c.remainingContent = 0
-			c.remainingPadding = 0
-			c.currentCommand = 0
-		}
-	}
-	if c.remainingContent == -1 && c.remainingPadding == -1 {
-		return []*buf.Buffer{buf.As(buffer)}
-	}
-	var buffers []*buf.Buffer
-	for bufferIndex < len(buffer) {
-		if c.remainingContent <= 0 && c.remainingPadding <= 0 {
-			if c.currentCommand == 1 {
-				buffers = append(buffers, buf.As(buffer[bufferIndex:]))
-				break
-			} else {
-				paddingInfo := buffer[bufferIndex : bufferIndex+5]
-				c.currentCommand = paddingInfo[0]
-				c.remainingContent = int(paddingInfo[1])<<8 | int(paddingInfo[2])
-				c.remainingPadding = int(paddingInfo[3])<<8 | int(paddingInfo[4])
-				bufferIndex += 5
-				c.logger.Trace("Xtls Unpadding new block ", bufferIndex, " ", c.remainingContent, " padding ", c.remainingPadding, " ", c.currentCommand)
-			}
-		} else if c.remainingContent > 0 {
-			end := c.remainingContent
-			if end > len(buffer)-bufferIndex {
-				end = len(buffer) - bufferIndex
-			}
-			buffers = append(buffers, buf.As(buffer[bufferIndex:bufferIndex+end]))
-			c.remainingContent -= end
-			bufferIndex += end
-		} else {
-			end := c.remainingPadding
-			if end > len(buffer)-bufferIndex {
-				end = len(buffer) - bufferIndex
-			}
-			c.remainingPadding -= end
-			bufferIndex += end
-		}
-		if bufferIndex == len(buffer) {
-			break
-		}
-	}
-	return buffers
-}
-
-func (c *VisionConn) NeedAdditionalReadDeadline() bool {
-	return true
-}
-
-func (c *VisionConn) Upstream() any {
-	return c.Conn
-}
--- a/transport/vless/vision_reality.go
+++ b/transport/vless/vision_reality.go
@@ -1,22 +0,0 @@
-//go:build with_reality_server
-
-package vless
-
-import (
-	"net"
-	"reflect"
-	"unsafe"
-
-	"github.com/sagernet/reality"
-	"github.com/sagernet/sing/common"
-)
-
-func init() {
-	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, netConn net.Conn, reflectType reflect.Type, reflectPointer uintptr) {
-		tlsConn, loaded := common.Cast[*reality.Conn](conn)
-		if !loaded {
-			return
-		}
-		return true, tlsConn.NetConn(), reflect.TypeOf(tlsConn).Elem(), uintptr(unsafe.Pointer(tlsConn))
-	})
-}
--- a/transport/vless/vision_utls.go
+++ b/transport/vless/vision_utls.go
@@ -1,22 +0,0 @@
-//go:build with_utls
-
-package vless
-
-import (
-	"net"
-	"reflect"
-	"unsafe"
-
-	"github.com/sagernet/sing/common"
-	utls "github.com/sagernet/utls"
-)
-
-func init() {
-	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, netConn net.Conn, reflectType reflect.Type, reflectPointer uintptr) {
-		tlsConn, loaded := common.Cast[*utls.UConn](conn)
-		if !loaded {
-			return
-		}
-		return true, tlsConn.NetConn(), reflect.TypeOf(tlsConn.Conn).Elem(), uintptr(unsafe.Pointer(tlsConn.Conn))
-	})
-}
Author	SHA1	Message	Date
世界	3066dfe3b3	Bump version	2024-08-19 10:43:09 +08:00
Liu Bingyan	1128fdd8c7	documentation: Update injectable description	2024-08-19 07:40:31 +08:00
世界	cfd9879b17	documentation: Remove unused	2024-08-19 06:39:33 +08:00
世界	9ceb660c57	documentation: Announce that our apps on Apple platforms are no longer available	2024-08-19 06:39:33 +08:00
世界	7d00d7df28	Update quic-go to v0.46.0	2024-08-19 06:25:15 +08:00
世界	21b1ac26b9	Fix UDP conn stuck on sniff This change only avoids permanent hangs. We need to implement read deadlines for UDP conns in 1.10 for server inbounds.	2024-08-18 11:27:12 +08:00
世界	7fec8d842e	Update golangci-lint configuration	2024-08-18 11:17:01 +08:00
世界	07c678fb85	Fix crash on Android when using process rules	2024-08-18 10:23:28 +08:00
世界	baecfc7778	Update quic-go to v0.45.2	2024-08-18 10:23:17 +08:00
世界	07de36ecdb	Fix tests	2024-08-03 12:46:38 +08:00
世界	2c8a8303cd	dns: Minor fixes	2024-07-27 11:04:57 +08:00
ruokeqx	e5991cae0b	Use `unix.SysctlRaw` for macOS	2024-07-22 12:42:22 +08:00
世界	1349acfd5a	Fix panic caused by possible generation of duplicate keys for `domain_suffix`	2024-07-17 16:02:17 +08:00
世界	98ff897f35	Fix reset outbounds	2024-07-13 17:46:22 +08:00
ayooh	6144c8e340	Fix default end value of the `rangeItem`	2024-07-13 17:45:32 +08:00
HystericalDragon	c8caac9f67	Fix v2rayquic default NextProtos (#1934 )	2024-07-11 23:34:09 +08:00
printfer	81e9eda357	documentation: Fix typo	2024-07-07 16:09:41 +08:00
世界	7cba3da108	shadowsocks: Fix packet process for AEAD multi-user server	2024-07-05 17:09:09 +08:00
世界	82d06b43e7	vless: Fix missing deadline interfaces	2024-07-05 17:08:10 +08:00
世界	a7ac91f573	Move legacy vless implemetation to library	2024-07-03 20:17:32 +08:00
世界	0540a95a43	Fix v2ray-plugin	2024-07-02 14:08:17 +08:00
世界	94707dfcdd	Add name to errors from v2ray HTTP transports	2024-07-02 14:08:17 +08:00
世界	8a17043502	Fix command output for `rule-set match`	2024-06-26 12:26:35 +08:00
世界	b0aaa86806	Minor fixes	2024-06-25 13:14:45 +08:00
世界	8a2d3fbb28	Update quic-go to v0.45.1 & Filter HTTPS ipv4/6hint	2024-06-24 11:07:32 +08:00
renovate[bot]	4652019608	[dependencies] Update docker/build-push-action action to v6	2024-06-24 10:24:13 +08:00
世界	06fa5abf63	Fix non-IP queries accepted by address filter rules	2024-06-24 10:13:16 +08:00
世界	996fbbf0c3	docs: Switch to venv	2024-06-24 10:10:49 +08:00
renovate[bot]	142ff1b455	[dependencies] Update actions/checkout digest to 692973e	2024-06-17 13:05:54 +08:00
世界	74d662f7a3	Fix always create package manager	2024-06-11 21:16:57 +08:00
世界	085f603377	Bump version	2024-06-09 13:20:56 +08:00
世界	460fae83dc	Fix quic-go is caching dialErr since v0.43.0	2024-06-09 13:15:40 +08:00
世界	bb9bd9bff6	Fix package manager start order	2024-06-09 07:21:50 +08:00
世界	c2354ebf25	Bump version	2024-06-08 22:00:46 +08:00
世界	c1f4755c4e	Fix parse UDP DNS server with addr:port address	2024-06-08 22:00:46 +08:00
世界	0ca5909b06	Stop passing device sleep events on Android and Apple platforms	2024-06-08 22:00:46 +08:00
世界	e77a8114c5	Fix rule-set start order	2024-06-08 22:00:46 +08:00
renovate[bot]	f1393235ff	[dependencies] Update actions/checkout digest to a5ac7e5	2024-06-08 22:00:46 +08:00