Bump version

The Chinese documentation incorrectly stated that the default value for the domain_strategy field in the direct outbound module is dns.strategy. The correct value should be inbound.domain_strategy, as specified in the English documentation. This commit corrects the Chinese documentation to align with the accurate behavior described in the English version.

Signed-off-by: Monica <1379531829@qq.com>

.github/workflows/debug.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -58,7 +58,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -78,7 +78,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           fetch-depth: 0
       - name: Setup Go
@@ -208,7 +208,7 @@ jobs:
       TAGS: with_clash_api,with_quic
     steps:
       - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           fetch-depth: 0
       - name: Setup Go

.github/workflows/docker.yml

@@ -1,16 +1,93 @@
-name: Build Docker Images
+name: Publish Docker Images
 
 on:
   release:
     types:
-      - released
+      - published
   workflow_dispatch:
     inputs:
       tag:
         description: "The tag version you want to build"
+
+env:
+  REGISTRY_IMAGE: ghcr.io/sagernet/sing-box
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm/v6
+          - linux/arm/v7
+          - linux/arm64
+          - linux/386
+          - linux/ppc64le
+          - linux/riscv64
+          - linux/s390x
+    steps:
+      - name: Get commit to build
+        id: ref
+        run: |-
+          if [[ -z "${{ github.event.inputs.tag }}" ]]; then
+            ref="${{ github.ref_name }}"
+          else
+            ref="${{ github.event.inputs.tag }}"
+          fi
+          echo "ref=$ref"
+          echo "ref=$ref" >> $GITHUB_OUTPUT
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        with:
+          ref: ${{ steps.ref.outputs.ref }}
+          fetch-depth: 0
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY_IMAGE }}
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          platforms: ${{ matrix.platform }}
+          context: .
+          build-args: |
+            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
+          labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+  merge:
+    runs-on: ubuntu-latest
+    needs:
+      - build
     steps:
       - name: Get commit to build
         id: ref
@@ -29,34 +106,28 @@ jobs:
           fi
           echo "latest=$latest"
           echo "latest=$latest" >> $GITHUB_OUTPUT
-      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+      - name: Download digests
+        uses: actions/download-artifact@v4
         with:
-          ref: ${{ steps.ref.outputs.ref }}
-      - name: Setup Docker Buildx
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+      - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: Setup QEMU for Docker Buildx
-        uses: docker/setup-qemu-action@v3
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Docker metadata
-        id: metadata
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/sagernet/sing-box
-      - name: Build and release Docker images
-        uses: docker/build-push-action@v5
-        with:
-          platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
-          context: .
-          target: dist
-          build-args: |
-            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
-          tags: |
-            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.latest }}
-            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.ref }}
-          push: true
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create \
+            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}" \
+            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
+            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}
+          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}

.github/workflows/lint.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           fetch-depth: 0
       - name: Setup Go

.github/workflows/linux.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           fetch-depth: 0
       - name: Setup Go

.github/workflows/stale.yml

@@ -12,4 +12,5 @@ jobs:
         with:
           stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
           days-before-stale: 60
-          days-before-close: 5
+          days-before-close: 5
+          exempt-issue-labels: 'bug,enhancement'

.gitignore

@@ -14,3 +14,5 @@
 /*.xcframework/
 .DS_Store
 /config.d/
+/venv/
+

.golangci.yml

@@ -6,14 +6,7 @@ linters:
     - gci
     - staticcheck
     - paralleltest
-
-run:
-  skip-dirs:
-    - transport/simple-obfs
-    - transport/clashssr
-    - transport/cloudflaretls
-    - transport/shadowtls/tls
-    - transport/shadowtls/tls_go119
+    - ineffassign
 
 linters-settings:
   gci:
@@ -23,4 +16,13 @@ linters-settings:
       - prefix(github.com/sagernet/)
       - default
   staticcheck:
-    go: '1.20'
+    checks:
+      - all
+      - -SA1003
+
+run:
+  go: "1.23"
+
+issues:
+  exclude-dirs:
+    - transport/simple-obfs

.goreleaser.fury.yaml

@@ -26,6 +26,7 @@ builds:
       - linux_arm_7
       - linux_s390x
       - linux_riscv64
+      - linux_mips64le
     mod_timestamp: '{{ .CommitTimestamp }}'
 snapshot:
   name_template: "{{ .Version }}.{{ .ShortCommit }}"

.goreleaser.yaml

@@ -7,7 +7,9 @@ builds:
       - -v
       - -trimpath
     ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
+      - -s
+      - -buildid=
     tags:
       - with_gvisor
       - with_quic
@@ -25,9 +27,11 @@ builds:
       - linux_amd64_v1
       - linux_amd64_v3
       - linux_arm64
+      - linux_arm_6
       - linux_arm_7
       - linux_s390x
       - linux_riscv64
+      - linux_mips64le
       - windows_amd64_v1
       - windows_amd64_v3
       - windows_386

Makefile

@@ -104,10 +104,12 @@ publish_android:
 publish_android_appcenter:
 	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadPlayRelease
 
+
+# TODO: find why and remove `-destination 'generic/platform=iOS'`
 build_ios:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFI.xcarchive && \
-	xcodebuild archive -scheme SFI -configuration Release -archivePath build/SFI.xcarchive
+	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates
 
 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
@@ -118,55 +120,61 @@ release_ios: build_ios upload_ios_app_store
 build_macos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFM.xcarchive && \
-	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive
+	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive -allowProvisioningUpdates
 
 upload_macos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
 
 release_macos: build_macos upload_macos_app_store
 
-build_macos_independent:
+build_macos_standalone:
 	cd ../sing-box-for-apple && \
-	rm -rf build/SFT.System.xcarchive && \
-	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive
+	rm -rf build/SFM.System.xcarchive && \
+	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive -allowProvisioningUpdates
 
-notarize_macos_independent:
-	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist  -allowProvisioningUpdates
-
-wait_notarize_macos_independent:
-	sleep 60
-
-export_macos_independent:
+build_macos_dmg:
 	rm -rf dist/SFM
 	mkdir -p dist/SFM
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportNotarizedApp -archivePath build/SFM.System.xcarchive -exportPath "../sing-box/dist/SFM"
+	rm -rf build/SFM.System && \
+	rm -rf build/SFM.dmg && \
+	xcodebuild -exportArchive \
+		-archivePath "build/SFM.System.xcarchive" \
+		-exportOptionsPlist SFM.System/Export.plist -allowProvisioningUpdates \
+		-exportPath "build/SFM.System" && \
+	create-dmg \
+		--volname "sing-box" \
+		--volicon "build/SFM.System/SFM.app/Contents/Resources/AppIcon.icns" \
+		--icon "SFM.app" 0 0 \
+ 		--hide-extension "SFM.app" \
+ 		--app-drop-link 0 0 \
+ 		--skip-jenkins \
+		--notarize "notarytool-password" \
+		"../sing-box/dist/SFM/SFM.dmg" "build/SFM.System/SFM.app"
 
-upload_macos_independent:
+upload_macos_dmg:
 	cd dist/SFM && \
-	rm -f *.zip && \
-	zip -ry "SFM-${VERSION}-universal.zip" SFM.app && \
-	ghr --replace --draft --prerelease "v${VERSION}" *.zip
+	cp SFM.dmg "SFM-${VERSION}-universal.dmg" && \
+	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dmg"
 
-release_macos_independent: build_macos_independent notarize_macos_independent wait_notarize_macos_independent export_macos_independent upload_macos_independent
+release_macos_standalone: build_macos_standalone build_macos_dmg upload_macos_dmg
 
 build_tvos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.xcarchive && \
-	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive
+	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive -allowProvisioningUpdates
 
 upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
 
 release_tvos: build_tvos upload_tvos_app_store
 
 update_apple_version:
 	go run ./cmd/internal/update_apple_version
 
-release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
+release_apple: lib_ios update_apple_version release_ios release_macos release_tvos
 
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
 
@@ -193,17 +201,19 @@ lib:
 	go run ./cmd/internal/build_libbox -target ios
 
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.3
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.3
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.4
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.4
 
 docs:
-	mkdocs serve
+	venv/bin/mkdocs serve
 
 publish_docs:
-	mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
+	venv/bin/mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
 
 docs_install:
-	pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
+	python -m venv venv
+	source ./venv/bin/activate && pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
+
 clean:
 	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box

README.md

@@ -8,10 +8,6 @@ The universal proxy platform.
 
 https://sing-box.sagernet.org
 
-## Support
-
-https://community.sagernet.org/c/sing-box/
-
 ## License
 
 ```

adapter/v2ray.go

@@ -22,4 +22,5 @@ type V2RayServerTransportHandler interface {
 
 type V2RayClientTransport interface {
 	DialContext(ctx context.Context) (net.Conn, error)
+	Close() error
 }

box.go

@@ -203,7 +203,7 @@ func (s *Box) PreStart() error {
 		defer func() {
 			v := recover()
 			if v != nil {
-				log.Error(E.Cause(err, "origin error"))
+				println(err.Error())
 				debug.PrintStack()
 				panic("panic on early close: " + fmt.Sprint(v))
 			}
@@ -222,9 +222,9 @@ func (s *Box) Start() error {
 		defer func() {
 			v := recover()
 			if v != nil {
-				log.Error(E.Cause(err, "origin error"))
+				println(err.Error())
 				debug.PrintStack()
-				panic("panic on early close: " + fmt.Sprint(v))
+				println("panic on early start: " + fmt.Sprint(v))
 			}
 		}()
 		s.Close()

cmd/internal/update_apple_version/main.go

@@ -26,8 +26,8 @@ func main() {
 	common.Must(decoder.Decode(&project))
 	objectsMap := project["objects"].(map[string]any)
 	projectContent := string(common.Must1(os.ReadFile("sing-box.xcodeproj/project.pbxproj")))
-	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
-	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
+	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfavt"}, newVersion.VersionString())
+	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfavt.standalone", "io.nekohasekai.sfavt.system"}, newVersion.String())
 	if updated0 || updated1 {
 		log.Info("updated version to ", newVersion.VersionString(), " (", newVersion.String(), ")")
 	}

cmd/sing-box/cmd_rule_set_match.go

@@ -12,6 +12,7 @@ import (
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/route"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
 
 	"github.com/spf13/cobra"
@@ -79,7 +80,7 @@ func ruleSetMatch(sourcePath string, domain string) error {
 		if currentRule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}) {
-			println("match rules.[", i, "]: "+currentRule.String())
+			println(F.ToString("match rules.[", i, "]: ", currentRule))
 		}
 	}
 	return nil

common/dialer/default_go1.20.go

@@ -5,7 +5,7 @@ package dialer
 import (
 	"net"
 
-	"github.com/sagernet/tfo-go"
+	"github.com/metacubex/tfo-go"
 )
 
 type tcpDialer = tfo.Dialer

common/dialer/dialer.go

@@ -28,13 +28,12 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	} else {
 		dialer = NewDetour(router, options.Detour)
 	}
-	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
-	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
+	if options.Detour == "" {
 		dialer = NewResolveDialer(
 			router,
 			dialer,
 			options.Detour == "" && !options.TCPFastOpen,
-			domainStrategy,
+			dns.DomainStrategy(options.DomainStrategy),
 			time.Duration(options.FallbackDelay))
 	}
 	return dialer, nil

common/dialer/tfo.go

@@ -15,7 +15,8 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/tfo-go"
+
+	"github.com/metacubex/tfo-go"
 )
 
 type slowOpenConn struct {

common/process/searcher_darwin.go

@@ -60,12 +60,12 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 
 	isIPv4 := ip.Is4()
 
-	value, err := syscall.Sysctl(spath)
+	value, err := unix.SysctlRaw(spath)
 	if err != nil {
 		return "", err
 	}
 
-	buf := []byte(value)
+	buf := value
 
 	// from darwin-xnu/bsd/netinet/in_pcblist.c:get_pcblist_n
 	// size/offset are round up (aligned) to 8 bytes in darwin

common/sniff/sniff.go

@@ -18,28 +18,45 @@ type (
 	PacketSniffer = func(ctx context.Context, packet []byte) (*adapter.InboundContext, error)
 )
 
+func Skip(metadata adapter.InboundContext) bool {
+	// skip server first protocols
+	switch metadata.Destination.Port {
+	case 25, 465, 587:
+		// SMTP
+		return true
+	case 143, 993:
+		// IMAP
+		return true
+	case 110, 995:
+		// POP3
+		return true
+	}
+	return false
+}
+
 func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) (*adapter.InboundContext, error) {
 	if timeout == 0 {
 		timeout = C.ReadPayloadTimeout
 	}
 	deadline := time.Now().Add(timeout)
 	var errors []error
-
-	for i := 0; i < 3; i++ {
+	for i := 0; ; i++ {
 		err := conn.SetReadDeadline(deadline)
 		if err != nil {
 			return nil, E.Cause(err, "set read deadline")
 		}
 		_, err = buffer.ReadOnceFrom(conn)
-		err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
+		_ = conn.SetReadDeadline(time.Time{})
 		if err != nil {
 			if i > 0 {
 				break
 			}
 			return nil, E.Cause(err, "read payload")
 		}
+		errors = nil
+		var metadata *adapter.InboundContext
 		for _, sniffer := range sniffers {
-			metadata, err := sniffer(ctx, bytes.NewReader(buffer.Bytes()))
+			metadata, err = sniffer(ctx, bytes.NewReader(buffer.Bytes()))
 			if metadata != nil {
 				return metadata, nil
 			}

docs/changelog.md

@@ -2,6 +2,56 @@
 icon: material/alert-decagram
 ---
 
+### 1.9.6
+
+* Fixes and improvements
+
+### 1.9.5
+
+* Update quic-go to v0.47.0
+* Fix direct dialer not resolving domain
+* Fix no error return when empty DNS cache retrieved
+* Fix build with go1.23
+* Fix stream sniffer
+* Fix bad redirect in clash-api
+* Fix wireguard events chan leak
+* Fix cached conn eats up read deadlines
+* Fix disconnected interface selected as default in windows
+* Update Bundle Identifiers for Apple platform clients **1**
+
+**1**:
+
+See [Migration](/migration/#bundle-identifier-updates-in-apple-platform-clients).
+
+We are still working on getting all sing-box apps back on the App Store.
+
+This work is expected to be completed within a week
+(SFI on the App Store and others on TestFlight are already available).
+
+### 1.9.4
+
+* Update quic-go to v0.46.0
+* Update Hysteria2 BBR congestion control
+* Filter HTTPS ipv4hint/ipv6hint with domain strategy
+* Fix crash on Android when using process rules
+* Fix non-IP queries accepted by address filter rules
+* Fix UDP server for shadowsocks AEAD multi-user inbounds
+* Fix default next protos for v2ray QUIC transport
+* Fix default end value of port range configuration options
+* Fix reset v2ray transports
+* Fix panic caused by rule-set generation of duplicate keys for `domain_suffix`
+* Fix UDP connnection leak when sniffing
+* Fixes and improvements
+
+_Due to problems with our Apple developer account,
+sing-box apps on Apple platforms are temporarily unavailable for download or update.
+If your company or organization is willing to help us return to the App Store,
+please [contact us](mailto:contact@sagernet.org)._
+
+### 1.9.3
+
+* Fixes and improvements
+
 ### 1.9.2
 
 * Fixes and improvements

docs/clients/apple/index.md

@@ -14,13 +14,13 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 
 ## :material-download: Download
 
-* [App Store](https://apps.apple.com/us/app/sing-box/id6451272673)
-* ~~TestFlight (Beta)~~
+* [App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)
+* TestFlight (Beta)
 
 TestFlight quota is only available to [sponsors](https://github.com/sponsors/nekohasekai)
 (one-time sponsorships are accepted).
-Once you donate, you can get an invitation by sending us your Apple ID [via email](mailto:contact@sagernet.org),
-or join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot).
+Once you donate, you can get an invitation by join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot)
+or sending us your Apple ID [via email](mailto:contact@sagernet.org).
 
 ## :material-file-download: Download (macOS standalone version)
 

docs/clients/index.zh.md

@@ -2,11 +2,11 @@
 
 由 Project S 维护，提供统一的体验与平台特定的功能。
 
-| 平台                                    | 客户端                                     |
-|---------------------------------------|-----------------------------------------|
+| 平台                                    | 客户端                                      |
+|---------------------------------------|------------------------------------------|
 | :material-android: Android            | [sing-box for Android](./android/)       |
 | :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
-| :material-laptop: Desktop             | 施工中                                     |
+| :material-laptop: Desktop             | 施工中                                      |
 
 此处没有列出一些声称使用或以 sing-box 为卖点的第三方项目。此类项目维护者的动机是获得更多用户，即使它们提供友好的商业
 VPN 客户端功能， 但代码质量很差且包含广告。

docs/configuration/inbound/index.md

@@ -15,24 +15,24 @@
 
 ### Fields
 
-| Type          | Format                        | Injectable |
-|---------------|-------------------------------|------------|
-| `direct`      | [Direct](./direct/)           | X          |
-| `mixed`       | [Mixed](./mixed/)             | TCP        |
-| `socks`       | [SOCKS](./socks/)             | TCP        |
-| `http`        | [HTTP](./http/)               | TCP        |
-| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP        |
-| `vmess`       | [VMess](./vmess/)             | TCP        |
-| `trojan`      | [Trojan](./trojan/)           | TCP        |
-| `naive`       | [Naive](./naive/)             | X          |
-| `hysteria`    | [Hysteria](./hysteria/)       | X          |
-| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP        |
-| `tuic`        | [TUIC](./tuic/)               | X          |
-| `hysteria2`   | [Hysteria2](./hysteria2/)     | X          |
-| `vless`       | [VLESS](./vless/)             | TCP        |
-| `tun`         | [Tun](./tun/)                 | X          |
-| `redirect`    | [Redirect](./redirect/)       | X          |
-| `tproxy`      | [TProxy](./tproxy/)           | X          |
+| Type          | Format                        | Injectable       |
+|---------------|-------------------------------|------------------|
+| `direct`      | [Direct](./direct/)           | :material-close: |
+| `mixed`       | [Mixed](./mixed/)             | TCP              |
+| `socks`       | [SOCKS](./socks/)             | TCP              |
+| `http`        | [HTTP](./http/)               | TCP              |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP              |
+| `vmess`       | [VMess](./vmess/)             | TCP              |
+| `trojan`      | [Trojan](./trojan/)           | TCP              |
+| `naive`       | [Naive](./naive/)             | :material-close: |
+| `hysteria`    | [Hysteria](./hysteria/)       | :material-close: |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP              |
+| `tuic`        | [TUIC](./tuic/)               | :material-close: |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | :material-close: |
+| `vless`       | [VLESS](./vless/)             | TCP              |
+| `tun`         | [Tun](./tun/)                 | :material-close: |
+| `redirect`    | [Redirect](./redirect/)       | :material-close: |
+| `tproxy`      | [TProxy](./tproxy/)           | :material-close: |
 
 #### tag
 

docs/configuration/inbound/index.zh.md

@@ -15,24 +15,24 @@
 
 ### 字段
 
-| 类型            | 格式                           | 注入支持 |
-|---------------|------------------------------|------|
-| `direct`      | [Direct](./direct/)           | X    |
-| `mixed`       | [Mixed](./mixed/)             | TCP  |
-| `socks`       | [SOCKS](./socks/)             | TCP  |
-| `http`        | [HTTP](./http/)               | TCP  |
-| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP  |
-| `vmess`       | [VMess](./vmess/)             | TCP  |
-| `trojan`      | [Trojan](./trojan/)           | TCP  |
-| `naive`       | [Naive](./naive/)             | X    |
-| `hysteria`    | [Hysteria](./hysteria/)       | X    |
-| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP  |
-| `tuic`        | [TUIC](./tuic/)               | X    |
-| `hysteria2`   | [Hysteria2](./hysteria2/)     | X    |
-| `vless`       | [VLESS](./vless/)             | TCP  |
-| `tun`         | [Tun](./tun/)                 | X    |
-| `redirect`    | [Redirect](./redirect/)       | X    |
-| `tproxy`      | [TProxy](./tproxy/)           | X    |
+| 类型            | 格式                            | 注入支持             |
+|---------------|-------------------------------|------------------|
+| `direct`      | [Direct](./direct/)           | :material-close: |
+| `mixed`       | [Mixed](./mixed/)             | TCP              |
+| `socks`       | [SOCKS](./socks/)             | TCP              |
+| `http`        | [HTTP](./http/)               | TCP              |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP              |
+| `vmess`       | [VMess](./vmess/)             | TCP              |
+| `trojan`      | [Trojan](./trojan/)           | TCP              |
+| `naive`       | [Naive](./naive/)             | :material-close: |
+| `hysteria`    | [Hysteria](./hysteria/)       | :material-close: |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP              |
+| `tuic`        | [TUIC](./tuic/)               | :material-close: |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | :material-close: |
+| `vless`       | [VLESS](./vless/)             | TCP              |
+| `tun`         | [Tun](./tun/)                 | :material-close: |
+| `redirect`    | [Redirect](./redirect/)       | :material-close: |
+| `tproxy`      | [TProxy](./tproxy/)           | :material-close: |
 
 #### tag
 

docs/configuration/outbound/block.md

@@ -9,6 +9,6 @@
 }
 ```
 
-### 字段
+### Fields
 
-No fields.
+No fields.

docs/configuration/shared/dial.zh.md

@@ -83,7 +83,10 @@
 
 如果设置，域名将在请求发出之前解析为 IP。
 
-默认使用 `dns.strategy`。
+| 出站     | 受影响的域名             | 默认回退值                                |
+|----------|--------------------------|-------------------------------------------|
+| `direct` | 请求中的域名              | `inbound.domain_strategy`                 | 
+|  others  | 服务器地址中的域名        | /                                         |
 
 #### fallback_delay
 

docs/installation/build-from-source.md

@@ -6,26 +6,18 @@ icon: material/file-code
 
 ## :material-graph: Requirements
 
-Before sing-box 1.4.0:
+### sing-box 1.10
 
-* Go 1.18.5 - 1.20.x
-
-Since sing-box 1.4.0:
-
-* Go 1.18.5 - ~
-* Go 1.20.0 - ~ with tag `with_quic` enabled
-
-Since sing-box 1.5.0:
-
-* Go 1.18.5 - ~
-* Go 1.20.0 - ~ with tag `with_quic` or `with_ech` enabled
-
-Since sing-box 1.8.0:
-
-* Go 1.18.5 - ~
+* Go 1.20.0 - ~
 * Go 1.20.0 - ~ with tag `with_quic`, or `with_utls` enabled
 * Go 1.21.0 - ~ with tag `with_ech` enabled
 
+### sing-box 1.9
+
+* Go 1.18.5 - 1.22.x
+* Go 1.20.0 - 1.22.x with tag `with_quic`, or `with_utls` enabled
+* Go 1.21.0 - 1.22.x with tag `with_ech` enabled
+
 You can download and install Go from: https://go.dev/doc/install, latest version is recommended.
 
 ## :material-fast-forward: Simple Build

docs/installation/build-from-source.zh.md

@@ -6,25 +6,17 @@ icon: material/file-code
 
 ## :material-graph: 要求
 
-sing-box 1.4.0 前:
+### sing-box 1.10
 
-* Go 1.18.5 - 1.20.x
+* Go 1.20.0 - ~
+* Go 1.20.0 - ~ with tag `with_quic`, or `with_utls` enabled
+* Go 1.21.0 - ~ with tag `with_ech` enabled
 
-从 sing-box 1.4.0:
+### sing-box 1.9
 
-* Go 1.18.5 - ~
-* Go 1.20.0 - ~ 如果启用构建标记 `with_quic`
-
-从 sing-box 1.5.0:
-
-* Go 1.18.5 - ~
-* Go 1.20.0 - ~ 如果启用构建标记 `with_quic` 或 `with_ech`
-
-从 sing-box 1.8.0:
-
-* Go 1.18.5 - ~
-* Go 1.20.0 - ~ 如果启用构建标记 `with_quic` 或 `with_utls`
-* Go 1.20.1 - ~ 如果启用构建标记 `with_ech`
+* Go 1.18.5 - 1.22.x
+* Go 1.20.0 - 1.22.x with tag `with_quic`, or `with_utls` enabled
+* Go 1.21.0 - 1.22.x with tag `with_ech` enabled
 
 您可以从 https://go.dev/doc/install 下载并安装 Go，推荐使用最新版本。
 

docs/installation/package-manager.md

@@ -24,14 +24,7 @@ icon: material/package
     sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo
     sudo dnf install sing-box # or sing-box-beta
     ```
-
-=== ":material-redhat: CentOS / YUM"
-
-    ```bash
-    sudo yum install -y yum-utils
-    sudo yum-config-manager --add-repo https://sing-box.app/sing-box.repo
-    sudo yum install sing-box # or sing-box-beta
-    ```
+    (This applies to any distribution that uses `dnf` as the package manager: Fedora, CentOS, even OpenSUSE with DNF installed.)
 
 ## :material-download-box: Manual Installation
 
@@ -46,6 +39,7 @@ icon: material/package
     ```bash
     bash <(curl -fsSL https://sing-box.app/rpm-install.sh)
     ```
+    (This applies to any distribution that uses `rpm` and `systemd`.  Because of how `rpm` defines dependencies, if it installs, it probably works.)
 
 === ":simple-archlinux: Archlinux / PKG"
 
@@ -63,6 +57,7 @@ icon: material/package
     | nixpkgs  | NixOS         | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
     | Homebrew | macOS / Linux | `brew install sing-box`      | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew]                |
     | APK      | Alpine        | `apk add sing-box`           | [![Alpine Linux Edge package](https://repology.org/badge/version-for-repo/alpine_edge/sing-box.svg)][alpine]  |
+    | DEB      | AOSC          | `apt install sing-box`       | [![AOSC package](https://repology.org/badge/version-for-repo/aosc/sing-box.svg)][aosc]                        |
 
 === ":material-apple: macOS"
 
@@ -90,6 +85,22 @@ icon: material/package
     |------------|----------|------------------------|--------------------------------------------------------------------------------------------|
     | FreshPorts | FreeBSD  | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |
 
+## :material-alert: Problematic Sources
+
+| Type       | Platform | Link                                                                                      | Promblem(s)                                                      |
+|------------|----------|-------------------------------------------------------------------------------------------|------------------------------------------------------------------|
+| DEB        | AOSC     | [aosc-os-abbs](https://github.com/AOSC-Dev/aosc-os-abbs/tree/stable/app-network/sing-box) | Problematic build tag list modification; Not actively maintained |
+| Homebrew   | /        | [homebrew-core][brew]                                                                     | Problematic build tag list modification                          |
+| Termux     | Android  | [termux-packages][termux]                                                                 | Problematic build tag list modification                          |
+| FreshPorts | FreeBSD  | [FreeBSD ports][ports]                                                                    | Old Go  (go1.20)                                                 |
+
+If you are a user of them, please report issues to them:
+
+1. Please do not modify release build tags without full understanding of the related functionality: enabling non-default
+   labels may result in decreased performance; the lack of default labels may cause user confusion.
+2. sing-box supports compiling with some older Go versions, but it is not recommended (especially versions that are no
+   longer supported by Go).
+
 ## :material-book-multiple: Service Management
 
 For Linux systems with [systemd][systemd], usually the installation already includes a sing-box service,
@@ -128,4 +139,6 @@ you can manage the service using the following command:
 
 [ports]: https://www.freshports.org/net/sing-box
 
+[aosc]: https://packages.aosc.io/packages/sing-box
+
 [systemd]: https://systemd.io/

docs/installation/package-manager.zh.md

@@ -24,14 +24,7 @@ icon: material/package
     sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo
     sudo dnf install sing-box # or sing-box-beta
     ```
-
-=== ":material-redhat: CentOS / YUM"
-
-    ```bash
-    sudo yum install -y yum-utils
-    sudo yum-config-manager --add-repo https://sing-box.app/sing-box.repo
-    sudo yum install sing-box # or sing-box-beta
-    ```
+    （这适用于任何使用 `dnf` 作为包管理器的发行版：Fedora、CentOS，甚至安装了 DNF 的 OpenSUSE。）
 
 ## :material-download-box: 手动安装
 
@@ -46,6 +39,7 @@ icon: material/package
     ```bash
     bash <(curl -fsSL https://sing-box.app/rpm-install.sh)
     ```
+    （这适用于任何使用 `rpm` 和 `systemd` 的发行版。由于 `rpm` 定义依赖关系的方式，如果安装成功，就多半能用。）
 
 === ":simple-archlinux: Archlinux / PKG"
 
@@ -63,6 +57,7 @@ icon: material/package
     | nixpkgs  | NixOS         | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
     | Homebrew | macOS / Linux | `brew install sing-box`      | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew]                |
     | APK      | Alpine        | `apk add sing-box`           | [![Alpine Linux Edge package](https://repology.org/badge/version-for-repo/alpine_edge/sing-box.svg)][alpine]  |
+    | DEB      | AOSC          | `apt install sing-box`       | [![AOSC package](https://repology.org/badge/version-for-repo/aosc/sing-box.svg)][aosc]                        |
 
 === ":material-apple: macOS"
 
@@ -90,6 +85,21 @@ icon: material/package
     |------------|---------|------------------------|--------------------------------------------------------------------------------------------|
     | FreshPorts | FreeBSD | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |
 
+
+## :material-alert: 存在问题的源
+
+| 类型         | 平台      | 链接                                                                                        | 原因                    |
+|------------|---------|-------------------------------------------------------------------------------------------|-----------------------|
+| DEB        | AOSC    | [aosc-os-abbs](https://github.com/AOSC-Dev/aosc-os-abbs/tree/stable/app-network/sing-box) | 存在问题的构建标志列表修改; 没有活跃维护 |
+| Homebrew   | /       | [homebrew-core][brew]                                                                     | 存在问题的构建标志列表修改         |
+| Termux     | Android | [termux-packages][termux]                                                                 | 存在问题的构建标志列表修改         |
+| FreshPorts | FreeBSD | [FreeBSD ports][ports]                                                                    | 太旧的 Go (go1.20)       |
+
+如果您是其用户，请向他们报告问题：
+
+1. 在未完全了解相关功能的情况下，请勿修改发布版本标签：启用非默认标签可能会导致性能下降；缺少默认标签可能会引起用户混淆。
+2. sing-box 支持使用一些较旧的 Go 版本进行编译，但不推荐使用（特别是已不再受 Go 支持的版本）。
+
 ## :material-book-multiple: 服务管理
 
 对于带有 [systemd][systemd] 的 Linux 系统，通常安装已经包含 sing-box 服务，
@@ -124,4 +134,6 @@ icon: material/package
 
 [ports]: https://www.freshports.org/net/sing-box
 
+[aosc]: https://packages.aosc.io/packages/sing-box
+
 [systemd]: https://systemd.io/

docs/manual/proxy-protocol/hysteria2.md

@@ -4,16 +4,17 @@ icon: material/lightning-bolt
 
 # Hysteria 2
 
-The most popular Chinese-made simple protocol based on QUIC, the selling point is Brutal,
-a congestion control algorithm that can resist packet loss by manually specifying the required rate by the user.
+Hysteria 2 is a simple, Chinese-made protocol based on QUIC.
+The selling point is Brutal, a congestion control algorithm that
+tries to achieve a user-defined bandwidth despite packet loss.
 
 !!! warning
 
-    Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more characteristics than TCP based proxies.
+    Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more obvious characteristics than TCP based proxies.
 
-| Specification                                                             | Binary Characteristics | Active Detect Hiddenness |
-|---------------------------------------------------------------------------|------------------------|--------------------------|
-| [hysteria.network](https://v2.hysteria.network/docs/developers/Protocol/) | :material-alert:       | :material-check:         |
+| Specification                                                             | Resists passive detection | Resists active probes |
+|---------------------------------------------------------------------------|---------------------------|-----------------------|
+| [hysteria.network](https://v2.hysteria.network/docs/developers/Protocol/) | :material-alert:          | :material-check:      |
 
 ## :material-text-box-check: Password Generator
 
@@ -44,7 +45,7 @@ To use sing-box with the official program, you need to fill in that combination
     Replace `up_mbps` and `down_mbps` values with the actual bandwidth of your server.
 
 === ":material-harddisk: With local certificate"
-    
+
     ```json
      {
       "inbounds": [

docs/manual/proxy-protocol/shadowsocks.md

@@ -4,15 +4,18 @@ icon: material/send
 
 # Shadowsocks
 
-As the most well-known Chinese-made proxy protocol,
-Shadowsocks exists in multiple versions,
-but only AEAD 2022 ciphers TCP with multiplexing is recommended.
+Shadowsocks is the most well-known Chinese-made proxy protocol.
+It exists in multiple versions, but only AEAD 2022 ciphers 
+over TCP with multiplexing is recommended.
 
-| Ciphers        | Specification                                              | Cryptographic Security | Binary Characteristics | Active Detect Hiddenness |
-|----------------|------------------------------------------------------------|------------------------|------------------------|--------------------------|
-| Stream Ciphers | [shadowsocks.org](https://shadowsocks.org/doc/stream.html) | :material-alert:       | :material-alert:       | :material-alert:         |
-| AEAD           | [shadowsocks.org](https://shadowsocks.org/doc/aead.html)   | :material-check:       | :material-alert:       | :material-alert:         |
-| AEAD 2022      | [shadowsocks.org](https://shadowsocks.org/doc/sip022.html) | :material-check:       | :material-check:       | :material-help:          |
+| Ciphers        | Specification                                              | Cryptographically sound | Resists passive detection | Resists active probes |
+|----------------|------------------------------------------------------------|-------------------------|---------------------------|-----------------------|
+| Stream Ciphers | [shadowsocks.org](https://shadowsocks.org/doc/stream.html) | :material-alert:        | :material-alert:          | :material-alert:      |
+| AEAD           | [shadowsocks.org](https://shadowsocks.org/doc/aead.html)   | :material-check:        | :material-alert:          | :material-alert:      |
+| AEAD 2022      | [shadowsocks.org](https://shadowsocks.org/doc/sip022.html) | :material-check:        | :material-check:          | :material-help:       |
+
+(We strongly recommend using multiplexing to send UDP traffic over TCP, because
+doing otherwise is vulnerable to passive detection.)
 
 ## :material-text-box-check: Password Generator
 

docs/manual/proxy-protocol/trojan.md

@@ -4,15 +4,15 @@ icon: material/horse
 
 # Trojan
 
-As the most commonly used TLS proxy made in China, Trojan can be used in various combinations,
+Torjan is the most commonly used TLS proxy made in China. It can be used in various combinations,
 but only the combination of uTLS and multiplexing is recommended.
 
-| Protocol and implementation combination | Specification                                                        | Binary Characteristics | Active Detect Hiddenness |
-|-----------------------------------------|----------------------------------------------------------------------|------------------------|--------------------------|
-| Origin / trojan-gfw                     | [trojan-gfw.github.io](https://trojan-gfw.github.io/trojan/protocol) | :material-check:       | :material-check:         |
-| Basic Go implementation                 | /                                                                    | :material-alert:       | :material-check:         |
-| with privates transport by V2Ray        | No formal definition                                                 | :material-alert:       | :material-alert:         |
-| with uTLS enabled                       | No formal definition                                                 | :material-help:        | :material-check:         |                             
+| Protocol and implementation combination | Specification                                                        | Resists passive detection | Resists active probes |
+|-----------------------------------------|----------------------------------------------------------------------|---------------------------|-----------------------|
+| Origin / trojan-gfw                     | [trojan-gfw.github.io](https://trojan-gfw.github.io/trojan/protocol) | :material-check:          | :material-check:      |
+| Basic Go implementation                 | /                                                                    | :material-alert:          | :material-check:      |
+| with privates transport by V2Ray        | No formal definition                                                 | :material-alert:          | :material-alert:      |
+| with uTLS enabled                       | No formal definition                                                 | :material-help:           | :material-check:      |
 
 ## :material-text-box-check: Password Generator
 
@@ -211,4 +211,3 @@ but only the combination of uTLS and multiplexing is recommended.
       ]
     }
     ```
-

docs/migration.md

@@ -2,12 +2,25 @@
 icon: material/arrange-bring-forward
 ---
 
+## 1.9.5
+
+### Bundle Identifier updates in Apple platform clients
+
+Due to problems with our old Apple developer account,
+we can only change Bundle Identifiers to re-list sing-box apps,
+which means the data will not be automatically inherited.
+
+For iOS, you need to back up your old data yourself (if you still have access to it);  
+for tvOS, you need to re-import profiles from your iPhone or iPad or create it manually;  
+for macOS, you can migrate the data folder using the following command:
+
+```bash
+cd ~/Library/Group\ Containers && \ 
+  mv group.io.nekohasekai.sfa group.io.nekohasekai.sfavt
+```
+
 ## 1.9.0
 
-!!! warning "Unstable"
-
-    This version is still under development, and the following migration guide may be changed in the future.
-
 ### `domain_suffix` behavior update
 
 For historical reasons, sing-box's `domain_suffix` rule matches literal prefixes instead of the same as other projects.

docs/migration.zh.md

@@ -2,12 +2,24 @@
 icon: material/arrange-bring-forward
 ---
 
+## 1.9.5
+
+### Apple 平台客户端的 Bundle Identifier 更新
+
+由于我们旧的苹果开发者账户存在问题，我们只能通过更新 Bundle Identifiers
+来重新上架 sing-box 应用， 这意味着数据不会自动继承。
+
+对于 iOS，您需要自行备份旧的数据（如果您仍然可以访问）；  
+对于 Apple tvOS，您需要从 iPhone 或 iPad 重新导入配置或者手动创建；  
+对于 macOS，您可以使用以下命令迁移数据文件夹：
+
+```bash
+cd ~/Library/Group\ Containers && \ 
+  mv group.io.nekohasekai.sfa group.io.nekohasekai.sfavt
+```
+
 ## 1.9.0
 
-!!! warning "不稳定的"
-
-    该版本仍在开发中，迁移指南可能将在未来更改。
-
 ### `domain_suffix` 行为更新
 
 由于历史原因，sing-box 的 `domain_suffix` 规则匹配字面前缀，而不与其他项目相同。

docs/sponsors.md

@@ -0,0 +1,26 @@
+---
+icon: material/hand-coin
+---
+
+# Sponsors
+
+Do you or your friends use sing-box?
+
+You can help keep the project bug-free and feature rich by sponsoring
+the project maintainer via [GitHub Sponsors](https://github.com/sponsors/nekohasekai).
+
+![](https://nekohasekai.github.io/sponsor-images/sponsors.svg)
+
+### Special Sponsors
+
+**Viral Tech, Inc.**
+
+Helping us re-list sing-box apps on the Apple Store.
+
+---
+
+[![JetBrains logo](https://resources.jetbrains.com/storage/products/company/brand/logos/jetbrains.svg)](https://www.jetbrains.com)
+
+Free license for the amazing IDEs.
+
+---

docs/support.md

@@ -5,8 +5,7 @@ icon: material/forum
 # Support
 
 | Channel                       | Link                                        |
-|:------------------------------|:--------------------------------------------|
-| Community                     | https://community.sagernet.org              |
+| :---------------------------- | :------------------------------------------ |
 | GitHub Issues                 | https://github.com/SagerNet/sing-box/issues |
 | Telegram notification channel | https://t.me/yapnc                          |
 | Telegram user group           | https://t.me/yapug                          |

docs/support.zh.md

@@ -4,11 +4,10 @@ icon: material/forum
 
 # 支持
 
-| 通道            | 链接                                          |
-|:--------------|:--------------------------------------------|
-| 社区            | https://community.sagernet.org              |
-| GitHub Issues | https://github.com/SagerNet/sing-box/issues |
+| 通道              | 链接                                        |
+| :---------------- | :------------------------------------------ |
+| GitHub Issues     | https://github.com/SagerNet/sing-box/issues |
 | Telegram 通知频道 | https://t.me/yapnc                          |
-| Telegram 用户组  | https://t.me/yapug                          |
-| 邮件            | contact@sagernet.org                        |
+| Telegram 用户组   | https://t.me/yapug                          |
+| 邮件              | contact@sagernet.org                        |
 

experimental/clashapi/server.go

@@ -308,10 +308,11 @@ func authentication(serverSecret string) func(next http.Handler) http.Handler {
 
 func hello(redirect bool) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		if redirect {
-			http.Redirect(w, r, "/ui/", http.StatusTemporaryRedirect)
-		} else {
+		contentType := r.Header.Get("Content-Type")
+		if !redirect || contentType == "application/json" {
 			render.JSON(w, r, render.M{"hello": "clash"})
+		} else {
+			http.Redirect(w, r, "/ui/", http.StatusTemporaryRedirect)
 		}
 	}
 }

experimental/libbox/dns.go

@@ -69,7 +69,8 @@ func (p *platformLocalDNSTransport) Exchange(ctx context.Context, message *mDNS.
 		context: ctx,
 	}
 	var responseMessage *mDNS.Msg
-	return responseMessage, task.Run(ctx, func() error {
+	var group task.Group
+	group.Append0(func(ctx context.Context) error {
 		err = p.iif.Exchange(response, messageBytes)
 		if err != nil {
 			return err
@@ -80,6 +81,11 @@ func (p *platformLocalDNSTransport) Exchange(ctx context.Context, message *mDNS.
 		responseMessage = &response.message
 		return nil
 	})
+	err = group.Run(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return responseMessage, nil
 }
 
 func (p *platformLocalDNSTransport) Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error) {
@@ -96,7 +102,8 @@ func (p *platformLocalDNSTransport) Lookup(ctx context.Context, domain string, s
 		context: ctx,
 	}
 	var responseAddr []netip.Addr
-	return responseAddr, task.Run(ctx, func() error {
+	var group task.Group
+	group.Append0(func(ctx context.Context) error {
 		err := p.iif.Lookup(response, network, domain)
 		if err != nil {
 			return err
@@ -121,6 +128,11 @@ func (p *platformLocalDNSTransport) Lookup(ctx context.Context, domain string, s
 		}*/
 		return nil
 	})
+	err := group.Run(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return responseAddr, nil
 }
 
 type Func interface {

go.mod

@@ -16,27 +16,27 @@ require (
 	github.com/libdns/alidns v1.0.3
 	github.com/libdns/cloudflare v0.1.1
 	github.com/logrusorgru/aurora v2.0.3+incompatible
+	github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d
 	github.com/mholt/acmez v1.2.0
 	github.com/miekg/dns v1.1.59
 	github.com/ooni/go-libtor v1.1.8
 	github.com/oschwald/maxminddb-golang v1.12.0
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1
-	github.com/sagernet/gomobile v0.1.3
+	github.com/sagernet/gomobile v0.1.4
 	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f
-	github.com/sagernet/quic-go v0.43.1-beta.1
+	github.com/sagernet/quic-go v0.47.0-beta.2
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.4.1
-	github.com/sagernet/sing-dns v0.2.0
+	github.com/sagernet/sing v0.4.3
+	github.com/sagernet/sing-dns v0.2.3
 	github.com/sagernet/sing-mux v0.2.0
-	github.com/sagernet/sing-quic v0.2.0-beta.5
-	github.com/sagernet/sing-shadowsocks v0.2.6
+	github.com/sagernet/sing-quic v0.2.2
+	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/sing-tun v0.3.2
-	github.com/sagernet/sing-vmess v0.1.8
+	github.com/sagernet/sing-tun v0.3.3
+	github.com/sagernet/sing-vmess v0.1.12
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
-	github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6
 	github.com/sagernet/utls v1.5.4
 	github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
@@ -46,7 +46,7 @@ require (
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
 	golang.org/x/crypto v0.23.0
 	golang.org/x/net v0.25.0
-	golang.org/x/sys v0.21.0
+	golang.org/x/sys v0.25.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	google.golang.org/grpc v1.63.2
 	google.golang.org/protobuf v1.33.0
@@ -84,14 +84,14 @@ require (
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
-	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.21.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	lukechampine.com/blake3 v1.2.1 // indirect
+	lukechampine.com/blake3 v1.3.0 // indirect
 )

go.sum

@@ -69,6 +69,8 @@ github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
 github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
+github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d h1:j9LtzkYstLFoNvXW824QQeN7Y26uPL5249kzWKbzO9U=
+github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts=
 github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
 github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
 github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
@@ -95,39 +97,37 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1 h1:YbmpqPQEMdlk9oFSKYWRqVuu9qzNiOayIonKmv1gCXY=
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1/go.mod h1:J2yAxTFPDjrDPhuAi9aWFz2L3ox9it4qAluBBbN0H5k=
-github.com/sagernet/gomobile v0.1.3 h1:ohjIb1Ou2+1558PnZour3od69suSuvkdSVOlO1tC4B8=
-github.com/sagernet/gomobile v0.1.3/go.mod h1:Pqq2+ZVvs10U7xK+UwJgwYWUykewi8H6vlslAO73n9E=
+github.com/sagernet/gomobile v0.1.4 h1:WzX9ka+iHdupMgy2Vdich+OAt7TM8C2cZbIbzNjBrJY=
+github.com/sagernet/gomobile v0.1.4/go.mod h1:Pqq2+ZVvs10U7xK+UwJgwYWUykewi8H6vlslAO73n9E=
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y/6ZHJWrnNLoiNnSJaow6DPb8VW2I=
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
 github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba h1:EY5AS7CCtfmARNv2zXUOrsEMPFDGYxaw65JzA2p51Vk=
 github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.43.1-beta.1 h1:alizUjpvWYcz08dBCQsULOd+1xu0o7UtlyYf6SLbRNg=
-github.com/sagernet/quic-go v0.43.1-beta.1/go.mod h1:BkrQYeop7Jx3hN3TW8/76CXcdhYiNPyYEBL/BVJ1ifc=
+github.com/sagernet/quic-go v0.47.0-beta.2 h1:1tCGWFOSaXIeuQaHrwOMJIYvlupjTcaVInGQw5ArULU=
+github.com/sagernet/quic-go v0.47.0-beta.2/go.mod h1:bLVKvElSEMNv7pu7SZHscW02TYigzQ5lQu3Nh4wNh8Q=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.4.1 h1:zVlpE+7k7AFoC2pv6ReqLf0PIHjihL/jsBl5k05PQFk=
-github.com/sagernet/sing v0.4.1/go.mod h1:ieZHA/+Y9YZfXs2I3WtuwgyCZ6GPsIR7HdKb1SdEnls=
-github.com/sagernet/sing-dns v0.2.0 h1:dka3weRX6+CrYO3v+hrTy2z68rCOCZXNBiNXpLZ6JNs=
-github.com/sagernet/sing-dns v0.2.0/go.mod h1:BJpJv6XLnrUbSyIntOT6DG9FW0f4fETmPAHvNjOprLg=
+github.com/sagernet/sing v0.4.3 h1:Ty/NAiNnVd6844k7ujlL5lkzydhcTH5Psc432jXA4Y8=
+github.com/sagernet/sing v0.4.3/go.mod h1:ieZHA/+Y9YZfXs2I3WtuwgyCZ6GPsIR7HdKb1SdEnls=
+github.com/sagernet/sing-dns v0.2.3 h1:YzeBUn2tR38F7HtvGEQ0kLRLmZWMEgi/+7wqa4Twb1k=
+github.com/sagernet/sing-dns v0.2.3/go.mod h1:BJpJv6XLnrUbSyIntOT6DG9FW0f4fETmPAHvNjOprLg=
 github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
 github.com/sagernet/sing-mux v0.2.0/go.mod h1:khzr9AOPocLa+g53dBplwNDz4gdsyx/YM3swtAhlkHQ=
-github.com/sagernet/sing-quic v0.2.0-beta.5 h1:ceKFLd1iS5AtM+pScKmcDp5k7R6WgYIe8vl6nB0aVsE=
-github.com/sagernet/sing-quic v0.2.0-beta.5/go.mod h1:lfad61lScAZhAxZ0DHZWvEIcAaT38O6zPTR4vLsHeP0=
-github.com/sagernet/sing-shadowsocks v0.2.6 h1:xr7ylAS/q1cQYS8oxKKajhuQcchd5VJJ4K4UZrrpp0s=
-github.com/sagernet/sing-shadowsocks v0.2.6/go.mod h1:j2YZBIpWIuElPFL/5sJAj470bcn/3QQ5lxZUNKLDNAM=
+github.com/sagernet/sing-quic v0.2.2 h1:Ryp02zMhHh/ZDrG7MdLsmhuBU8+BEpOdJonFQiqIopo=
+github.com/sagernet/sing-quic v0.2.2/go.mod h1:YLV1dUDv8Eyp/8e55O/EvfsrwxOgEDVgDCIoPqmDREE=
+github.com/sagernet/sing-shadowsocks v0.2.7 h1:zaopR1tbHEw5Nk6FAkM05wCslV6ahVegEZaKMv9ipx8=
+github.com/sagernet/sing-shadowsocks v0.2.7/go.mod h1:0rIKJZBR65Qi0zwdKezt4s57y/Tl1ofkaq6NlkzVuyE=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
-github.com/sagernet/sing-tun v0.3.2 h1:z0bLUT/YXH9RrJS9DsIpB0Bb9afl2hVJOmHd0zA3HJY=
-github.com/sagernet/sing-tun v0.3.2/go.mod h1:DxLIyhjWU/HwGYoX0vNGg2c5QgTQIakphU1MuERR5tQ=
-github.com/sagernet/sing-vmess v0.1.8 h1:XVWad1RpTy9b5tPxdm5MCU8cGfrTGdR8qCq6HV2aCNc=
-github.com/sagernet/sing-vmess v0.1.8/go.mod h1:vhx32UNzTDUkNwOyIjcZQohre1CaytquC5mPplId8uA=
+github.com/sagernet/sing-tun v0.3.3 h1:LZnQNmfGcNG2KPTPkLgc+Lo7k606QJVkPp2DnjriwUk=
+github.com/sagernet/sing-tun v0.3.3/go.mod h1:DxLIyhjWU/HwGYoX0vNGg2c5QgTQIakphU1MuERR5tQ=
+github.com/sagernet/sing-vmess v0.1.12 h1:2gFD8JJb+eTFMoa8FIVMnknEi+vCSfaiTXTfEYAYAPg=
+github.com/sagernet/sing-vmess v0.1.12/go.mod h1:luTSsfyBGAc9VhtCqwjR+dt1QgqBhuYBCONB/POhF8I=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo=
-github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6 h1:z3SJQhVyU63FT26Wn/UByW6b7q8QKB0ZkPqsyqcz2PI=
-github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6/go.mod h1:73xRZuxwkFk4aiLw28hG8W6o9cr2UPrGL9pdY2UTbvY=
 github.com/sagernet/utls v1.5.4 h1:KmsEGbB2dKUtCNC+44NwAdNAqnqQ6GA4pTO0Yik56co=
 github.com/sagernet/utls v1.5.4/go.mod h1:CTGxPWExIloRipK3XFpYv0OVyhO8kk3XCGW/ieyTh1s=
 github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8 h1:R0OMYAScomNAVpTfbHFpxqJpvwuhxSRi+g6z7gZhABs=
@@ -165,16 +165,16 @@ golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaE
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -184,19 +184,19 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
+golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
-golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY=
@@ -214,5 +214,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 howett.net/plist v1.0.1 h1:37GdZ8tP09Q35o9ych3ehygcsL+HqKSwzctveSlarvM=
 howett.net/plist v1.0.1/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
-lukechampine.com/blake3 v1.2.1 h1:YuqqRuaqsGV71BV/nm9xlI0MKUv4QC54jQnBChWbGnI=
-lukechampine.com/blake3 v1.2.1/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
+lukechampine.com/blake3 v1.3.0 h1:sJ3XhFINmHSrYCgl958hscfIa3bw8x4DqMP3u1YvoYE=
+lukechampine.com/blake3 v1.3.0/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=

inbound/default_tcp_go1.20.go

@@ -6,7 +6,7 @@ import (
 	"context"
 	"net"
 
-	"github.com/sagernet/tfo-go"
+	"github.com/metacubex/tfo-go"
 )
 
 const go120Available = true

inbound/tun.go

@@ -174,7 +174,7 @@ func (t *Tun) Start() error {
 		forwarderBindInterface = true
 		includeAllNetworks = t.platformInterface.IncludeAllNetworks()
 	}
-	t.tunStack, err = tun.NewStack(t.stack, tun.StackOptions{
+	tunStack, err := tun.NewStack(t.stack, tun.StackOptions{
 		Context:                t.ctx,
 		Tun:                    tunInterface,
 		TunOptions:             t.tunOptions,
@@ -190,8 +190,9 @@ func (t *Tun) Start() error {
 		return err
 	}
 	monitor.Start("initiating tun stack")
-	err = t.tunStack.Start()
+	err = tunStack.Start()
 	monitor.Finish()
+	t.tunStack = tunStack
 	if err != nil {
 		return err
 	}

inbound/vless.go

@@ -13,9 +13,9 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/v2ray"
-	"github.com/sagernet/sing-box/transport/vless"
 	"github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing-vmess/packetaddr"
+	"github.com/sagernet/sing-vmess/vless"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/auth"
 	E "github.com/sagernet/sing/common/exceptions"

mkdocs.yml

@@ -44,6 +44,7 @@ nav:
       - Migration: migration.md
       - Deprecated: deprecated.md
       - Support: support.md
+      - Sponsors: sponsors.md
   - Installation:
       - Package Manager: installation/package-manager.md
       - Docker: installation/docker.md

outbound/hysteria.go

@@ -130,8 +130,8 @@ func (h *Hysteria) NewPacketConnection(ctx context.Context, conn N.PacketConn, m
 	return NewPacketConnection(ctx, h, conn, metadata)
 }
 
-func (h *Hysteria) InterfaceUpdated() error {
-	return h.client.CloseWithError(E.New("network changed"))
+func (h *Hysteria) InterfaceUpdated() {
+	h.client.CloseWithError(E.New("network changed"))
 }
 
 func (h *Hysteria) Close() error {

outbound/hysteria2.go

@@ -116,8 +116,8 @@ func (h *Hysteria2) NewPacketConnection(ctx context.Context, conn N.PacketConn,
 	return NewPacketConnection(ctx, h, conn, metadata)
 }
 
-func (h *Hysteria2) InterfaceUpdated() error {
-	return h.client.CloseWithError(E.New("network changed"))
+func (h *Hysteria2) InterfaceUpdated() {
+	h.client.CloseWithError(E.New("network changed"))
 }
 
 func (h *Hysteria2) Close() error {

outbound/trojan.go

@@ -108,6 +108,9 @@ func (h *Trojan) NewPacketConnection(ctx context.Context, conn N.PacketConn, met
 }
 
 func (h *Trojan) InterfaceUpdated() {
+	if h.transport != nil {
+		h.transport.Close()
+	}
 	if h.multiplexDialer != nil {
 		h.multiplexDialer.Reset()
 	}

outbound/urltest.go

@@ -385,9 +385,9 @@ func (g *URLTestGroup) urlTest(ctx context.Context, force bool) (map[string]uint
 			continue
 		}
 		b.Go(realTag, func() (any, error) {
-			ctx, cancel := context.WithTimeout(context.Background(), C.TCPTimeout)
+			testCtx, cancel := context.WithTimeout(g.ctx, C.TCPTimeout)
 			defer cancel()
-			t, err := urltest.URLTest(ctx, g.link, p)
+			t, err := urltest.URLTest(testCtx, g.link, p)
 			if err != nil {
 				g.logger.Debug("outbound ", tag, " unavailable: ", err)
 				g.history.DeleteURLTestHistory(realTag)

outbound/vless.go

@@ -12,8 +12,8 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/v2ray"
-	"github.com/sagernet/sing-box/transport/vless"
 	"github.com/sagernet/sing-vmess/packetaddr"
+	"github.com/sagernet/sing-vmess/vless"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -127,6 +127,9 @@ func (h *VLESS) NewPacketConnection(ctx context.Context, conn N.PacketConn, meta
 }
 
 func (h *VLESS) InterfaceUpdated() {
+	if h.transport != nil {
+		h.transport.Close()
+	}
 	if h.multiplexDialer != nil {
 		h.multiplexDialer.Reset()
 	}

outbound/vmess.go

@@ -103,6 +103,9 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
 }
 
 func (h *VMess) InterfaceUpdated() {
+	if h.transport != nil {
+		h.transport.Close()
+	}
 	if h.multiplexDialer != nil {
 		h.multiplexDialer.Reset()
 	}

outbound/wireguard.go

@@ -152,6 +152,10 @@ func (w *WireGuard) start() error {
 		}
 		bind = wireguard.NewClientBind(w.ctx, w, w.listener, isConnect, connectAddr, reserved)
 	}
+	err = w.tunDevice.Start()
+	if err != nil {
+		return err
+	}
 	wgDevice := device.NewDevice(w.tunDevice, bind, &device.Logger{
 		Verbosef: func(format string, args ...interface{}) {
 			w.logger.Debug(fmt.Sprintf(strings.ToLower(format), args...))
@@ -170,7 +174,7 @@ func (w *WireGuard) start() error {
 	}
 	w.device = wgDevice
 	w.pauseCallback = w.pauseManager.RegisterCallback(w.onPauseUpdated)
-	return w.tunDevice.Start()
+	return nil
 }
 
 func (w *WireGuard) Close() error {
@@ -180,7 +184,6 @@ func (w *WireGuard) Close() error {
 	if w.pauseCallback != nil {
 		w.pauseManager.UnregisterCallback(w.pauseCallback)
 	}
-	w.tunDevice.Close()
 	return nil
 }
 

route/router.go

@@ -131,7 +131,7 @@ func NewRouter(
 		pauseManager:          service.FromContext[pause.Manager](ctx),
 		platformInterface:     platformInterface,
 		needWIFIState:         hasRule(options.Rules, isWIFIRule) || hasDNSRule(dnsOptions.Rules, isWIFIDNSRule),
-		needPackageManager: C.IsAndroid && platformInterface == nil && common.Any(inbounds, func(inbound option.Inbound) bool {
+		needPackageManager: common.Any(inbounds, func(inbound option.Inbound) bool {
 			return len(inbound.TunOptions.IncludePackage) > 0 || len(inbound.TunOptions.ExcludePackage) > 0
 		}),
 	}
@@ -531,6 +531,24 @@ func (r *Router) Start() error {
 	r.dnsClient.Start()
 	monitor.Finish()
 
+	if C.IsAndroid && r.platformInterface == nil {
+		monitor.Start("initialize package manager")
+		packageManager, err := tun.NewPackageManager(r)
+		monitor.Finish()
+		if err != nil {
+			return E.Cause(err, "create package manager")
+		}
+		if r.needPackageManager {
+			monitor.Start("start package manager")
+			err = packageManager.Start()
+			monitor.Finish()
+			if err != nil {
+				return E.Cause(err, "start package manager")
+			}
+		}
+		r.packageManager = packageManager
+	}
+
 	for i, rule := range r.dnsRules {
 		monitor.Start("initialize DNS rule[", i, "]")
 		err := rule.Start()
@@ -659,36 +677,30 @@ func (r *Router) PostStart() error {
 		}
 		ruleSetStartContext.Close()
 	}
-	var (
-		needProcessFromRuleSet   bool
-		needWIFIStateFromRuleSet bool
-	)
+	needFindProcess := r.needFindProcess
+	needWIFIState := r.needWIFIState
 	for _, ruleSet := range r.ruleSets {
 		metadata := ruleSet.Metadata()
 		if metadata.ContainsProcessRule {
-			needProcessFromRuleSet = true
+			needFindProcess = true
 		}
 		if metadata.ContainsWIFIRule {
-			needWIFIStateFromRuleSet = true
+			needWIFIState = true
 		}
 	}
-	if needProcessFromRuleSet || r.needFindProcess || r.needPackageManager {
-		if C.IsAndroid && r.platformInterface == nil {
-			monitor.Start("initialize package manager")
-			packageManager, err := tun.NewPackageManager(r)
-			monitor.Finish()
-			if err != nil {
-				return E.Cause(err, "create package manager")
-			}
+	if C.IsAndroid && r.platformInterface == nil && !r.needPackageManager {
+		if needFindProcess {
 			monitor.Start("start package manager")
-			err = packageManager.Start()
+			err := r.packageManager.Start()
 			monitor.Finish()
 			if err != nil {
 				return E.Cause(err, "start package manager")
 			}
-			r.packageManager = packageManager
+		} else {
+			r.packageManager = nil
 		}
-
+	}
+	if needFindProcess {
 		if r.platformInterface != nil {
 			r.processSearcher = r.platformInterface
 		} else {
@@ -707,7 +719,7 @@ func (r *Router) PostStart() error {
 			}
 		}
 	}
-	if (needWIFIStateFromRuleSet || r.needWIFIState) && r.platformInterface != nil {
+	if needWIFIState && r.platformInterface != nil {
 		monitor.Start("initialize WIFI state")
 		r.needWIFIState = true
 		r.interfaceMonitor.RegisterCallback(func(_ int) {
@@ -820,7 +832,7 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 		conn = deadline.NewConn(conn)
 	}
 
-	if metadata.InboundOptions.SniffEnabled {
+	if metadata.InboundOptions.SniffEnabled && !sniff.Skip(metadata) {
 		buffer := buf.NewPacket()
 		sniffMetadata, err := sniff.PeekStream(ctx, conn, buffer, time.Duration(metadata.InboundOptions.SniffTimeout), sniff.StreamDomainNameQuery, sniff.TLSClientHello, sniff.HTTPHost)
 		if sniffMetadata != nil {
@@ -939,34 +951,57 @@ func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, m
 	}*/
 
 	if metadata.InboundOptions.SniffEnabled || metadata.Destination.Addr.IsUnspecified() {
-		buffer := buf.NewPacket()
-		destination, err := conn.ReadPacket(buffer)
+		var (
+			buffer      = buf.NewPacket()
+			destination M.Socksaddr
+			done        = make(chan struct{})
+			err         error
+		)
+		go func() {
+			sniffTimeout := C.ReadPayloadTimeout
+			if metadata.InboundOptions.SniffTimeout > 0 {
+				sniffTimeout = time.Duration(metadata.InboundOptions.SniffTimeout)
+			}
+			conn.SetReadDeadline(time.Now().Add(sniffTimeout))
+			destination, err = conn.ReadPacket(buffer)
+			conn.SetReadDeadline(time.Time{})
+			close(done)
+		}()
+		select {
+		case <-done:
+		case <-ctx.Done():
+			conn.Close()
+			return ctx.Err()
+		}
 		if err != nil {
 			buffer.Release()
-			return err
-		}
-		if metadata.Destination.Addr.IsUnspecified() {
-			metadata.Destination = destination
-		}
-		if metadata.InboundOptions.SniffEnabled {
-			sniffMetadata, _ := sniff.PeekPacket(ctx, buffer.Bytes(), sniff.DomainNameQuery, sniff.QUICClientHello, sniff.STUNMessage)
-			if sniffMetadata != nil {
-				metadata.Protocol = sniffMetadata.Protocol
-				metadata.Domain = sniffMetadata.Domain
-				if metadata.InboundOptions.SniffOverrideDestination && M.IsDomainName(metadata.Domain) {
-					metadata.Destination = M.Socksaddr{
-						Fqdn: metadata.Domain,
-						Port: metadata.Destination.Port,
+			if !errors.Is(err, os.ErrDeadlineExceeded) {
+				return err
+			}
+		} else {
+			if metadata.Destination.Addr.IsUnspecified() {
+				metadata.Destination = destination
+			}
+			if metadata.InboundOptions.SniffEnabled {
+				sniffMetadata, _ := sniff.PeekPacket(ctx, buffer.Bytes(), sniff.DomainNameQuery, sniff.QUICClientHello, sniff.STUNMessage)
+				if sniffMetadata != nil {
+					metadata.Protocol = sniffMetadata.Protocol
+					metadata.Domain = sniffMetadata.Domain
+					if metadata.InboundOptions.SniffOverrideDestination && M.IsDomainName(metadata.Domain) {
+						metadata.Destination = M.Socksaddr{
+							Fqdn: metadata.Domain,
+							Port: metadata.Destination.Port,
+						}
+					}
+					if metadata.Domain != "" {
+						r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol, ", domain: ", metadata.Domain)
+					} else {
+						r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol)
 					}
 				}
-				if metadata.Domain != "" {
-					r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol, ", domain: ", metadata.Domain)
-				} else {
-					r.logger.DebugContext(ctx, "sniffed packet protocol: ", metadata.Protocol)
-				}
 			}
+			conn = bufio.NewCachedPacketConn(conn, buffer, destination)
 		}
-		conn = bufio.NewCachedPacketConn(conn, buffer, destination)
 	}
 	if r.dnsReverseMapping != nil && metadata.Domain == "" {
 		domain, loaded := r.dnsReverseMapping.Query(metadata.Destination.Addr)

route/router_dns.go

@@ -37,7 +37,7 @@ func (m *DNSReverseMapping) Query(address netip.Addr) (string, bool) {
 	return domain, loaded
 }
 
-func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, index int) (context.Context, dns.Transport, dns.DomainStrategy, adapter.DNSRule, int) {
+func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, index int, isAddressQuery bool) (context.Context, dns.Transport, dns.DomainStrategy, adapter.DNSRule, int) {
 	metadata := adapter.ContextFrom(ctx)
 	if metadata == nil {
 		panic("no context")
@@ -48,6 +48,9 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, index int) (con
 			dnsRules = dnsRules[index+1:]
 		}
 		for currentRuleIndex, rule := range dnsRules {
+			if rule.WithAddressLimit() && !isAddressQuery {
+				continue
+			}
 			metadata.ResetRuleCache()
 			if rule.Match(metadata) {
 				detour := rule.Outbound()
@@ -126,9 +129,9 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, er
 				addressLimit bool
 			)
 
-			dnsCtx, transport, strategy, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex)
+			dnsCtx, transport, strategy, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message))
 			dnsCtx, cancel = context.WithTimeout(dnsCtx, C.DNSTimeout)
-			if rule != nil && rule.WithAddressLimit() && isAddressQuery(message) {
+			if rule != nil && rule.WithAddressLimit() {
 				addressLimit = true
 				response, err = r.dnsClient.ExchangeWithResponseCheck(dnsCtx, transport, message, strategy, func(response *mDNS.Msg) bool {
 					metadata.DestinationAddresses, _ = dns.MessageToAddresses(response)
@@ -185,6 +188,9 @@ func (r *Router) Lookup(ctx context.Context, domain string, strategy dns.DomainS
 	)
 	responseAddrs, cached = r.dnsClient.LookupCache(ctx, domain, strategy)
 	if cached {
+		if len(responseAddrs) == 0 {
+			return nil, dns.RCodeNameError
+		}
 		return responseAddrs, nil
 	}
 	r.dnsLogger.DebugContext(ctx, "lookup domain ", domain)
@@ -205,7 +211,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, strategy dns.DomainS
 		)
 		metadata.ResetRuleCache()
 		metadata.DestinationAddresses = nil
-		dnsCtx, transport, transportStrategy, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex)
+		dnsCtx, transport, transportStrategy, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex, true)
 		if strategy == dns.DomainStrategyAsIS {
 			strategy = transportStrategy
 		}
@@ -256,7 +262,7 @@ func (r *Router) ClearDNSCache() {
 
 func isAddressQuery(message *mDNS.Msg) bool {
 	for _, question := range message.Question {
-		if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
+		if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA || question.Qtype == mDNS.TypeHTTPS {
 			return true
 		}
 	}

route/rule_item_port_range.go

@@ -39,7 +39,7 @@ func NewPortRangeItem(isSource bool, rangeList []string) (*PortRangeItem, error)
 			}
 		}
 		if subIndex == len(portRange)-1 {
-			end = 0xFF
+			end = 0xFFFF
 		} else {
 			end, err = strconv.ParseUint(portRange[subIndex+1:], 10, 16)
 			if err != nil {

test/box_test.go

@@ -113,7 +113,7 @@ func testSuitLargeUDP(t *testing.T, clientPort uint16, testPort uint16) {
 	require.NoError(t, testPingPongWithPacketConn(t, testPort, dialUDP))
 	require.NoError(t, testLargeDataWithConn(t, testPort, dialTCP))
 	require.NoError(t, testLargeDataWithPacketConn(t, testPort, dialUDP))
-	require.NoError(t, testLargeDataWithPacketConnSize(t, testPort, 5000, dialUDP))
+	require.NoError(t, testLargeDataWithPacketConnSize(t, testPort, 4096, dialUDP))
 }
 
 func testTCP(t *testing.T, clientPort uint16, testPort uint16) {

test/go.mod

@@ -9,26 +9,25 @@ replace github.com/sagernet/sing-box => ../
 require (
 	github.com/docker/docker v24.0.7+incompatible
 	github.com/docker/go-connections v0.4.0
-	github.com/gofrs/uuid/v5 v5.0.0
-	github.com/sagernet/quic-go v0.40.0
-	github.com/sagernet/sing v0.2.20-0.20231212123824-8836b6754226
-	github.com/sagernet/sing-dns v0.1.11
-	github.com/sagernet/sing-quic v0.1.6-0.20231207143711-eb3cbf9ed054
-	github.com/sagernet/sing-shadowsocks v0.2.6
-	github.com/sagernet/sing-shadowsocks2 v0.1.6-0.20231207143709-50439739601a
+	github.com/gofrs/uuid/v5 v5.2.0
+	github.com/sagernet/quic-go v0.45.1-beta.2
+	github.com/sagernet/sing v0.4.2
+	github.com/sagernet/sing-dns v0.2.3
+	github.com/sagernet/sing-quic v0.2.0-beta.12
+	github.com/sagernet/sing-shadowsocks v0.2.7
+	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/spyzhov/ajson v0.9.0
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.9.0
 	go.uber.org/goleak v1.3.0
-	golang.org/x/net v0.19.0
+	golang.org/x/net v0.25.0
 )
 
 require (
 	berty.tech/go-libtor v1.0.385 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.6 // indirect
 	github.com/caddyserver/certmagic v0.20.0 // indirect
-	github.com/cloudflare/circl v1.3.6 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/cretz/bine v0.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/distribution/reference v0.5.0 // indirect
@@ -36,28 +35,23 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/gaukas/godicttls v0.0.4 // indirect
-	github.com/go-chi/chi/v5 v5.0.10 // indirect
-	github.com/go-chi/cors v1.2.1 // indirect
-	github.com/go-chi/render v1.0.3 // indirect
+	github.com/go-chi/chi/v5 v5.0.12 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
-	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 // indirect
-	github.com/josharian/native v1.1.0 // indirect
 	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/libdns/alidns v1.0.3 // indirect
-	github.com/libdns/cloudflare v0.1.0 // indirect
-	github.com/libdns/libdns v0.2.1 // indirect
+	github.com/libdns/cloudflare v0.1.1 // indirect
+	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/logrusorgru/aurora v2.0.3+incompatible // indirect
 	github.com/mholt/acmez v1.2.0 // indirect
-	github.com/miekg/dns v1.1.57 // indirect
+	github.com/miekg/dns v1.1.59 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.7 // indirect
@@ -65,43 +59,41 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/oschwald/maxminddb-golang v1.12.0 // indirect
-	github.com/pierrec/lz4/v4 v4.1.14 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a // indirect
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1 // indirect
-	github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e // indirect
-	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
+	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f // indirect
+	github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba // indirect
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 // indirect
-	github.com/sagernet/sing-mux v0.1.6-0.20231208180947-9053c29513a2 // indirect
+	github.com/sagernet/sing-mux v0.2.0 // indirect
 	github.com/sagernet/sing-shadowtls v0.1.4 // indirect
-	github.com/sagernet/sing-tun v0.1.24-0.20231212060935-6a1419aeae11 // indirect
-	github.com/sagernet/sing-vmess v0.1.8 // indirect
+	github.com/sagernet/sing-tun v0.3.2 // indirect
+	github.com/sagernet/sing-vmess v0.1.12 // indirect
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 // indirect
 	github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6 // indirect
 	github.com/sagernet/utls v1.5.4 // indirect
-	github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e // indirect
+	github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8 // indirect
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 // indirect
-	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 // indirect
-	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.26.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
-	golang.org/x/crypto v0.16.0 // indirect
-	golang.org/x/exp v0.0.0-20231127185646-65229373498e // indirect
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/crypto v0.23.0 // indirect
+	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.16.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
-	google.golang.org/grpc v1.59.0 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
+	google.golang.org/grpc v1.63.2 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.1 // indirect
-	lukechampine.com/blake3 v1.2.1 // indirect
+	lukechampine.com/blake3 v1.3.0 // indirect
 )

test/go.sum

@@ -3,14 +3,12 @@ berty.tech/go-libtor v1.0.385/go.mod h1:9swOOQVb+kmvuAlsgWUK/4c52pm69AdbJsxLzk+f
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
-github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI=
 github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/caddyserver/certmagic v0.20.0 h1:bTw7LcEZAh9ucYCRXyCpIrSAGplplI0vGYJ4BpCQ/Fc=
 github.com/caddyserver/certmagic v0.20.0/go.mod h1:N4sXgpICQUskEWpj7zVzvWD41p3NYacrNoZYiRM2jTg=
-github.com/cloudflare/circl v1.3.6 h1:/xbKIqSHbZXHwkhbrhrt2YOHIwYJlXH94E3tI/gDlUg=
-github.com/cloudflare/circl v1.3.6/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
+github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cretz/bine v0.1.0/go.mod h1:6PF6fWAvYtwjRGkAuDEJeWNOv3a2hUouSP/yRYXmvHw=
 github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
@@ -31,12 +29,8 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/gaukas/godicttls v0.0.4 h1:NlRaXb3J6hAnTmWdsEKb9bcSBD6BvcIjdGdeb0zfXbk=
 github.com/gaukas/godicttls v0.0.4/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI=
-github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
-github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
-github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
-github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
-github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
-github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
+github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s=
+github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
@@ -46,26 +40,18 @@ github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/gofrs/uuid/v5 v5.0.0 h1:p544++a97kEL+svbcFbCQVM9KFu0Yo25UoISXGNNH9M=
-github.com/gofrs/uuid/v5 v5.0.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/gofrs/uuid/v5 v5.2.0 h1:qw1GMx6/y8vhVsx626ImfKMuS5CvJmhIKKtuyvfajMM=
+github.com/gofrs/uuid/v5 v5.2.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a h1:fEBsGL/sjAuJrgah5XqmmYsTLzJp/TO9Lhy39gkverk=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
-github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
-github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
-github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
@@ -76,17 +62,17 @@ github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZY
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/libdns/alidns v1.0.3 h1:LFHuGnbseq5+HCeGa1aW8awyX/4M2psB9962fdD2+yQ=
 github.com/libdns/alidns v1.0.3/go.mod h1:e18uAG6GanfRhcJj6/tps2rCMzQJaYVcGKT+ELjdjGE=
-github.com/libdns/cloudflare v0.1.0 h1:93WkJaGaiXCe353LHEP36kAWCUw0YjFqwhkBkU2/iic=
-github.com/libdns/cloudflare v0.1.0/go.mod h1:a44IP6J1YH6nvcNl1PverfJviADgXUnsozR3a7vBKN8=
+github.com/libdns/cloudflare v0.1.1 h1:FVPfWwP8zZCqj268LZjmkDleXlHPlFU9KC4OJ3yn054=
+github.com/libdns/cloudflare v0.1.1/go.mod h1:9VK91idpOjg6v7/WbjkEW49bSCxj00ALesIFDhJ8PBU=
 github.com/libdns/libdns v0.2.0/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
-github.com/libdns/libdns v0.2.1 h1:Wu59T7wSHRgtA0cfxC+n1c/e+O3upJGWytknkmFEDis=
-github.com/libdns/libdns v0.2.1/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
+github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
+github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
 github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
-github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
-github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
+github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
+github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
@@ -103,8 +89,6 @@ github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrB
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/oschwald/maxminddb-golang v1.12.0 h1:9FnTOD0YOhP7DGxGsq4glzpGy5+w7pq50AS6wALUMYs=
 github.com/oschwald/maxminddb-golang v1.12.0/go.mod h1:q0Nob5lTCqyQ8WT6FYgS1L7PXKVVbgiymefNwIjPzgY=
-github.com/pierrec/lz4/v4 v4.1.14 h1:+fL8AQEZtz/ijeNnpduH0bROTu0O3NZAlPjQxGn8LwE=
-github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -117,55 +101,51 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1 h1:YbmpqPQEMdlk9oFSKYWRqVuu9qzNiOayIonKmv1gCXY=
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1/go.mod h1:J2yAxTFPDjrDPhuAi9aWFz2L3ox9it4qAluBBbN0H5k=
-github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e h1:DOkjByVeAR56dkszjnMZke4wr7yM/1xHaJF3G9olkEE=
-github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e/go.mod h1:fLxq/gtp0qzkaEwywlRRiGmjOK5ES/xUzyIKIFP2Asw=
-github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
-github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.40.0 h1:DvQNPb72lzvNQDe9tcUyHTw8eRv6PLtM2mNYmdlzUMo=
-github.com/sagernet/quic-go v0.40.0/go.mod h1:VqtdhlbkeeG5Okhb3eDMb/9o0EoglReHunNT9ukrJAI=
+github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y/6ZHJWrnNLoiNnSJaow6DPb8VW2I=
+github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
+github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba h1:EY5AS7CCtfmARNv2zXUOrsEMPFDGYxaw65JzA2p51Vk=
+github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
+github.com/sagernet/quic-go v0.45.1-beta.2 h1:zkEeCbhdFFkrxKcuIRBtXNKci/1t2J/39QSG/sPvlmc=
+github.com/sagernet/quic-go v0.45.1-beta.2/go.mod h1:+N3FqM9DAzOWfe64uxXuBejVJwX7DeW7BslzLO6N/xI=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.2.20-0.20231212123824-8836b6754226 h1:rcII71ho6F/7Nyx7n2kESLcnvNMdcU4i8ZUGF2Fi7yA=
-github.com/sagernet/sing v0.2.20-0.20231212123824-8836b6754226/go.mod h1:Ce5LNojQOgOiWhiD8pPD6E9H7e2KgtOe3Zxx4Ou5u80=
-github.com/sagernet/sing-dns v0.1.11 h1:PPrMCVVrAeR3f5X23I+cmvacXJ+kzuyAsBiWyUKhGSE=
-github.com/sagernet/sing-dns v0.1.11/go.mod h1:zJ/YjnYB61SYE+ubMcMqVdpaSvsyQ2iShQGO3vuLvvE=
-github.com/sagernet/sing-mux v0.1.6-0.20231208180947-9053c29513a2 h1:rRlYQPbMKmzKX+43XC04gEQvxc45/AxfteRWfcl2/rw=
-github.com/sagernet/sing-mux v0.1.6-0.20231208180947-9053c29513a2/go.mod h1:IdSrwwqBeJTrjLZJRFXE+F8mYXNI/rPAjzlgTFuEVmo=
-github.com/sagernet/sing-quic v0.1.6-0.20231207143711-eb3cbf9ed054 h1:Ed7FskwQcep5oQ+QahgVK0F6jPPSV8Nqwjr9MwGatMU=
-github.com/sagernet/sing-quic v0.1.6-0.20231207143711-eb3cbf9ed054/go.mod h1:u758WWv3G1OITG365CYblL0NfAruFL1PpLD9DUVTv1o=
-github.com/sagernet/sing-shadowsocks v0.2.6 h1:xr7ylAS/q1cQYS8oxKKajhuQcchd5VJJ4K4UZrrpp0s=
-github.com/sagernet/sing-shadowsocks v0.2.6/go.mod h1:j2YZBIpWIuElPFL/5sJAj470bcn/3QQ5lxZUNKLDNAM=
-github.com/sagernet/sing-shadowsocks2 v0.1.6-0.20231207143709-50439739601a h1:uYIKfpE1/EJpa+1Bja7b006VixeRuVduOpeuesMk2lU=
-github.com/sagernet/sing-shadowsocks2 v0.1.6-0.20231207143709-50439739601a/go.mod h1:pjeylQ4ApvpEH7B4PUBrdyJf4xmQkg8BaIzT5fI2fR0=
+github.com/sagernet/sing v0.4.2 h1:jzGNJdZVRI0xlAfFugsIQUPvyB9SuWvbJK7zQCXc4QM=
+github.com/sagernet/sing v0.4.2/go.mod h1:ieZHA/+Y9YZfXs2I3WtuwgyCZ6GPsIR7HdKb1SdEnls=
+github.com/sagernet/sing-dns v0.2.3 h1:YzeBUn2tR38F7HtvGEQ0kLRLmZWMEgi/+7wqa4Twb1k=
+github.com/sagernet/sing-dns v0.2.3/go.mod h1:BJpJv6XLnrUbSyIntOT6DG9FW0f4fETmPAHvNjOprLg=
+github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
+github.com/sagernet/sing-mux v0.2.0/go.mod h1:khzr9AOPocLa+g53dBplwNDz4gdsyx/YM3swtAhlkHQ=
+github.com/sagernet/sing-quic v0.2.0-beta.12 h1:BhvA5mmrDFEyDUQB5eeu+9UhF+ieyuNJ5Rsb0dAG3QY=
+github.com/sagernet/sing-quic v0.2.0-beta.12/go.mod h1:YVpLfVi8BvYM7NMrjmnvcRm3E8iMETf1gFQmTQDN9jI=
+github.com/sagernet/sing-shadowsocks v0.2.7 h1:zaopR1tbHEw5Nk6FAkM05wCslV6ahVegEZaKMv9ipx8=
+github.com/sagernet/sing-shadowsocks v0.2.7/go.mod h1:0rIKJZBR65Qi0zwdKezt4s57y/Tl1ofkaq6NlkzVuyE=
+github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
+github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
-github.com/sagernet/sing-tun v0.1.24-0.20231212060935-6a1419aeae11 h1:crTOVPJGOGWOW+Q2a0FQiiS/G2+W6uCLKtOofFMisQc=
-github.com/sagernet/sing-tun v0.1.24-0.20231212060935-6a1419aeae11/go.mod h1:DgXPnBqtqWrZj37Mun/W61dW0Q56eLqTZYhcuNLaCtY=
-github.com/sagernet/sing-vmess v0.1.8 h1:XVWad1RpTy9b5tPxdm5MCU8cGfrTGdR8qCq6HV2aCNc=
-github.com/sagernet/sing-vmess v0.1.8/go.mod h1:vhx32UNzTDUkNwOyIjcZQohre1CaytquC5mPplId8uA=
+github.com/sagernet/sing-tun v0.3.2 h1:z0bLUT/YXH9RrJS9DsIpB0Bb9afl2hVJOmHd0zA3HJY=
+github.com/sagernet/sing-tun v0.3.2/go.mod h1:DxLIyhjWU/HwGYoX0vNGg2c5QgTQIakphU1MuERR5tQ=
+github.com/sagernet/sing-vmess v0.1.12 h1:2gFD8JJb+eTFMoa8FIVMnknEi+vCSfaiTXTfEYAYAPg=
+github.com/sagernet/sing-vmess v0.1.12/go.mod h1:luTSsfyBGAc9VhtCqwjR+dt1QgqBhuYBCONB/POhF8I=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo=
 github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6 h1:z3SJQhVyU63FT26Wn/UByW6b7q8QKB0ZkPqsyqcz2PI=
 github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6/go.mod h1:73xRZuxwkFk4aiLw28hG8W6o9cr2UPrGL9pdY2UTbvY=
 github.com/sagernet/utls v1.5.4 h1:KmsEGbB2dKUtCNC+44NwAdNAqnqQ6GA4pTO0Yik56co=
 github.com/sagernet/utls v1.5.4/go.mod h1:CTGxPWExIloRipK3XFpYv0OVyhO8kk3XCGW/ieyTh1s=
-github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e h1:iGH0RMv2FzELOFNFQtvsxH7NPmlo7X5JizEK51UCojo=
-github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e/go.mod h1:YbL4TKHRR6APYQv3U2RGfwLDpPYSyWz6oUlpISBEzBE=
+github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8 h1:R0OMYAScomNAVpTfbHFpxqJpvwuhxSRi+g6z7gZhABs=
+github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8/go.mod h1:K4J7/npM+VAMUeUmTa2JaA02JmyheP0GpRBOUvn3ecc=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854/go.mod h1:LtfoSK3+NG57tvnVEHgcuBW9ujgE8enPSgzgwStwCAA=
-github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 h1:rc/CcqLH3lh8n+csdOuDfP+NuykE0U6AeYSJJHKDgSg=
-github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9/go.mod h1:a/83NAfUXvEuLpmxDssAXxgUgrEy12MId3Wd7OTs76s=
 github.com/spyzhov/ajson v0.9.0 h1:tF46gJGOenYVj+k9K1U1XpCxVWhmiyY5PsVCAs1+OJ0=
 github.com/spyzhov/ajson v0.9.0/go.mod h1:a6oSw0MMb7Z5aD2tPoPO+jq11ETKgXUr2XktHdT8Wt8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 h1:tHNk7XK9GkmKUR6Gh8gVBKXc2MVSZ4G/NnWLtzw4gNA=
-github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -180,8 +160,8 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
-go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -189,26 +169,27 @@ golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaE
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
-golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
-golang.org/x/exp v0.0.0-20231127185646-65229373498e h1:Gvh4YaCaXNs6dKTlfgismwWZKyjVZXwOPfIyUaqU3No=
-golang.org/x/exp v0.0.0-20231127185646-65229373498e/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -216,40 +197,37 @@ golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
-golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M=
-google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
-google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:H4O17MA/PE9BsGx3w+a+W2VOLLD1Qf7oJneAoU6WktY=
+google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
+google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -257,5 +235,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-lukechampine.com/blake3 v1.2.1 h1:YuqqRuaqsGV71BV/nm9xlI0MKUv4QC54jQnBChWbGnI=
-lukechampine.com/blake3 v1.2.1/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
+lukechampine.com/blake3 v1.3.0 h1:sJ3XhFINmHSrYCgl958hscfIa3bw8x4DqMP3u1YvoYE=
+lukechampine.com/blake3 v1.3.0/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=

test/reality_test.go

@@ -1,354 +0,0 @@
-package main
-
-import (
-	"net/netip"
-	"testing"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/transport/vless"
-)
-
-func TestVLESSVisionReality(t *testing.T) {
-	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
-
-	userUUID := newUUID()
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				Tag:  "mixed-in",
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: serverPort,
-					},
-					Users: []option.VLESSUser{
-						{
-							Name: "sekai",
-							UUID: userUUID.String(),
-							Flow: vless.FlowVision,
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:    true,
-							ServerName: "google.com",
-							Reality: &option.InboundRealityOptions{
-								Enabled: true,
-								Handshake: option.InboundRealityHandshakeOptions{
-									ServerOptions: option.ServerOptions{
-										Server:     "google.com",
-										ServerPort: 443,
-									},
-								},
-								ShortID:    []string{"0123456789abcdef"},
-								PrivateKey: "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",
-							},
-						},
-					},
-				},
-			},
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan",
-				TrojanOptions: option.TrojanInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: otherPort,
-					},
-					Users: []option.TrojanUser{
-						{
-							Name:     "sekai",
-							Password: userUUID.String(),
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeDirect,
-			},
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan-out",
-				TrojanOptions: option.TrojanOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: otherPort,
-					},
-					Password: userUUID.String(),
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-					DialerOptions: option.DialerOptions{
-						Detour: "vless-out",
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				Tag:  "vless-out",
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID: userUUID.String(),
-					Flow: vless.FlowVision,
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:    true,
-							ServerName: "google.com",
-							Reality: &option.OutboundRealityOptions{
-								Enabled:   true,
-								ShortID:   "0123456789abcdef",
-								PublicKey: "jNXHt1yRo0vDuchQlIP6Z0ZvjT3KtzVI-T4E7RoLJS0",
-							},
-							UTLS: &option.OutboundUTLSOptions{
-								Enabled: true,
-							},
-						},
-					},
-				},
-			},
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					DefaultOptions: option.DefaultRule{
-						Inbound:  []string{"mixed-in"},
-						Outbound: "trojan-out",
-					},
-				},
-			},
-		},
-	})
-	testSuit(t, clientPort, testPort)
-}
-
-func TestVLESSVisionRealityPlain(t *testing.T) {
-	userUUID := newUUID()
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				Tag:  "mixed-in",
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: serverPort,
-					},
-					Users: []option.VLESSUser{
-						{
-							Name: "sekai",
-							UUID: userUUID.String(),
-							Flow: vless.FlowVision,
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:    true,
-							ServerName: "google.com",
-							Reality: &option.InboundRealityOptions{
-								Enabled: true,
-								Handshake: option.InboundRealityHandshakeOptions{
-									ServerOptions: option.ServerOptions{
-										Server:     "google.com",
-										ServerPort: 443,
-									},
-								},
-								ShortID:    []string{"0123456789abcdef"},
-								PrivateKey: "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",
-							},
-						},
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeDirect,
-			},
-			{
-				Type: C.TypeVLESS,
-				Tag:  "vless-out",
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID: userUUID.String(),
-					Flow: vless.FlowVision,
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:    true,
-							ServerName: "google.com",
-							Reality: &option.OutboundRealityOptions{
-								Enabled:   true,
-								ShortID:   "0123456789abcdef",
-								PublicKey: "jNXHt1yRo0vDuchQlIP6Z0ZvjT3KtzVI-T4E7RoLJS0",
-							},
-							UTLS: &option.OutboundUTLSOptions{
-								Enabled: true,
-							},
-						},
-					},
-				},
-			},
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					DefaultOptions: option.DefaultRule{
-						Inbound:  []string{"mixed-in"},
-						Outbound: "vless-out",
-					},
-				},
-			},
-		},
-	})
-	testSuit(t, clientPort, testPort)
-}
-
-func TestVLESSRealityTransport(t *testing.T) {
-	t.Run("grpc", func(t *testing.T) {
-		testVLESSRealityTransport(t, &option.V2RayTransportOptions{
-			Type: C.V2RayTransportTypeGRPC,
-		})
-	})
-	t.Run("websocket", func(t *testing.T) {
-		testVLESSRealityTransport(t, &option.V2RayTransportOptions{
-			Type: C.V2RayTransportTypeWebsocket,
-		})
-	})
-	t.Run("h2", func(t *testing.T) {
-		testVLESSRealityTransport(t, &option.V2RayTransportOptions{
-			Type: C.V2RayTransportTypeHTTP,
-		})
-	})
-}
-
-func testVLESSRealityTransport(t *testing.T, transport *option.V2RayTransportOptions) {
-	userUUID := newUUID()
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				Tag:  "mixed-in",
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: serverPort,
-					},
-					Users: []option.VLESSUser{
-						{
-							Name: "sekai",
-							UUID: userUUID.String(),
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:    true,
-							ServerName: "google.com",
-							Reality: &option.InboundRealityOptions{
-								Enabled: true,
-								Handshake: option.InboundRealityHandshakeOptions{
-									ServerOptions: option.ServerOptions{
-										Server:     "google.com",
-										ServerPort: 443,
-									},
-								},
-								ShortID:    []string{"0123456789abcdef"},
-								PrivateKey: "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",
-							},
-						},
-					},
-					Transport: transport,
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeDirect,
-			},
-			{
-				Type: C.TypeVLESS,
-				Tag:  "vless-out",
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID: userUUID.String(),
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:    true,
-							ServerName: "google.com",
-							Reality: &option.OutboundRealityOptions{
-								Enabled:   true,
-								ShortID:   "0123456789abcdef",
-								PublicKey: "jNXHt1yRo0vDuchQlIP6Z0ZvjT3KtzVI-T4E7RoLJS0",
-							},
-							UTLS: &option.OutboundUTLSOptions{
-								Enabled: true,
-							},
-						},
-					},
-					Transport: transport,
-				},
-			},
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					DefaultOptions: option.DefaultRule{
-						Inbound:  []string{"mixed-in"},
-						Outbound: "vless-out",
-					},
-				},
-			},
-		},
-	})
-	testSuit(t, clientPort, testPort)
-}

test/vless_test.go

@@ -1,559 +0,0 @@
-package main
-
-import (
-	"net/netip"
-	"os"
-	"testing"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/transport/vless"
-
-	"github.com/gofrs/uuid/v5"
-	"github.com/spyzhov/ajson"
-	"github.com/stretchr/testify/require"
-)
-
-func TestVLESS(t *testing.T) {
-	content, err := os.ReadFile("config/vless-server.json")
-	require.NoError(t, err)
-	config, err := ajson.Unmarshal(content)
-	require.NoError(t, err)
-
-	user := newUUID()
-	inbound := config.MustKey("inbounds").MustIndex(0)
-	inbound.MustKey("port").SetNumeric(float64(serverPort))
-	inbound.MustKey("settings").MustKey("clients").MustIndex(0).MustKey("id").SetString(user.String())
-
-	content, err = ajson.Marshal(config)
-	require.NoError(t, err)
-
-	startDockerContainer(t, DockerOptions{
-		Image:      ImageV2RayCore,
-		Ports:      []uint16{serverPort},
-		EntryPoint: "v2ray",
-		Cmd:        []string{"run"},
-		Stdin:      content,
-	})
-
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID: user.String(),
-				},
-			},
-		},
-	})
-	testTCP(t, clientPort, testPort)
-}
-
-func TestVLESSXRay(t *testing.T) {
-	t.Run("origin", func(t *testing.T) {
-		testVLESSXrayOutbound(t, "", "")
-	})
-	t.Run("xudp", func(t *testing.T) {
-		testVLESSXrayOutbound(t, "xudp", "")
-	})
-	t.Run("vision", func(t *testing.T) {
-		testVLESSXrayOutbound(t, "xudp", vless.FlowVision)
-	})
-}
-
-func testVLESSXrayOutbound(t *testing.T, packetEncoding string, flow string) {
-	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
-
-	content, err := os.ReadFile("config/vless-tls-server.json")
-	require.NoError(t, err)
-	config, err := ajson.Unmarshal(content)
-	require.NoError(t, err)
-
-	userID := newUUID()
-	inbound := config.MustKey("inbounds").MustIndex(0)
-	inbound.MustKey("port").SetNumeric(float64(serverPort))
-	user := inbound.MustKey("settings").MustKey("clients").MustIndex(0)
-	user.MustKey("id").SetString(userID.String())
-	user.MustKey("flow").SetString(flow)
-
-	content, err = ajson.Marshal(config)
-	require.NoError(t, err)
-
-	startDockerContainer(t, DockerOptions{
-		Image:      ImageXRayCore,
-		Ports:      []uint16{serverPort},
-		EntryPoint: "xray",
-		Stdin:      content,
-		Bind: map[string]string{
-			certPem: "/path/to/certificate.crt",
-			keyPem:  "/path/to/private.key",
-		},
-	})
-
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan",
-				TrojanOptions: option.TrojanInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: otherPort,
-					},
-					Users: []option.TrojanUser{
-						{
-							Name:     "sekai",
-							Password: userID.String(),
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeTrojan,
-				TrojanOptions: option.TrojanOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "host.docker.internal",
-						ServerPort: otherPort,
-					},
-					Password: userID.String(),
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-					DialerOptions: option.DialerOptions{
-						Detour: "vless",
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				Tag:  "vless",
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID:           userID.String(),
-					Flow:           flow,
-					PacketEncoding: &packetEncoding,
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-				},
-			},
-			{
-				Type: C.TypeDirect,
-				Tag:  "direct",
-			},
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					DefaultOptions: option.DefaultRule{
-						Inbound:  []string{"trojan"},
-						Outbound: "direct",
-					},
-				},
-			},
-		},
-	})
-
-	testSuit(t, clientPort, testPort)
-}
-
-func TestVLESSSelf(t *testing.T) {
-	t.Run("origin", func(t *testing.T) {
-		testVLESSSelf(t, "")
-	})
-	t.Run("vision", func(t *testing.T) {
-		testVLESSSelf(t, vless.FlowVision)
-	})
-	t.Run("vision-tls", func(t *testing.T) {
-		testVLESSSelfTLS(t, vless.FlowVision)
-	})
-}
-
-func testVLESSSelf(t *testing.T, flow string) {
-	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
-
-	userUUID := newUUID()
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				Tag:  "mixed-in",
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: serverPort,
-					},
-					Users: []option.VLESSUser{
-						{
-							Name: "sekai",
-							UUID: userUUID.String(),
-							Flow: flow,
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeDirect,
-			},
-			{
-				Type: C.TypeVLESS,
-				Tag:  "vless-out",
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID: userUUID.String(),
-					Flow: flow,
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-				},
-			},
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					DefaultOptions: option.DefaultRule{
-						Inbound:  []string{"mixed-in"},
-						Outbound: "vless-out",
-					},
-				},
-			},
-		},
-	})
-	testSuit(t, clientPort, testPort)
-}
-
-func testVLESSSelfTLS(t *testing.T, flow string) {
-	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
-
-	userUUID := newUUID()
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				Tag:  "mixed-in",
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: clientPort,
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: serverPort,
-					},
-					Users: []option.VLESSUser{
-						{
-							Name: "sekai",
-							UUID: userUUID.String(),
-							Flow: flow,
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan",
-				TrojanOptions: option.TrojanInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: otherPort,
-					},
-					Users: []option.TrojanUser{
-						{
-							Name:     "sekai",
-							Password: userUUID.String(),
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeDirect,
-			},
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan-out",
-				TrojanOptions: option.TrojanOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: otherPort,
-					},
-					Password: userUUID.String(),
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-					DialerOptions: option.DialerOptions{
-						Detour: "vless-out",
-					},
-				},
-			},
-			{
-				Type: C.TypeVLESS,
-				Tag:  "vless-out",
-				VLESSOptions: option.VLESSOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: serverPort,
-					},
-					UUID: userUUID.String(),
-					Flow: flow,
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-				},
-			},
-		},
-		Route: &option.RouteOptions{
-			Rules: []option.Rule{
-				{
-					DefaultOptions: option.DefaultRule{
-						Inbound:  []string{"mixed-in"},
-						Outbound: "trojan-out",
-					},
-				},
-			},
-		},
-	})
-	testSuit(t, clientPort, testPort)
-}
-
-func TestVLESSXrayInbound(t *testing.T) {
-	testVLESSXrayInbound(t, vless.FlowVision)
-}
-
-func testVLESSXrayInbound(t *testing.T, flow string) {
-	userId, err := uuid.DefaultGenerator.NewV4()
-	require.NoError(t, err)
-	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
-
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeVLESS,
-				VLESSOptions: option.VLESSInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: serverPort,
-					},
-					Users: []option.VLESSUser{
-						{
-							Name: "sekai",
-							UUID: userId.String(),
-							Flow: flow,
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan",
-				TrojanOptions: option.TrojanInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: otherPort,
-					},
-					Users: []option.TrojanUser{
-						{
-							Name:     "sekai",
-							Password: userId.String(),
-						},
-					},
-					InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
-						TLS: &option.InboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-							KeyPath:         keyPem,
-						},
-					},
-				},
-			},
-		},
-	})
-
-	startInstance(t, option.Options{
-		Inbounds: []option.Inbound{
-			{
-				Type: C.TypeMixed,
-				Tag:  "mixed-in",
-				MixedOptions: option.HTTPMixedInboundOptions{
-					ListenOptions: option.ListenOptions{
-						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
-						ListenPort: otherClientPort,
-					},
-				},
-			},
-		},
-		Outbounds: []option.Outbound{
-			{
-				Type: C.TypeTrojan,
-				Tag:  "trojan-out",
-				TrojanOptions: option.TrojanOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: otherPort,
-					},
-					Password: userId.String(),
-					OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-						TLS: &option.OutboundTLSOptions{
-							Enabled:         true,
-							ServerName:      "example.org",
-							CertificatePath: certPem,
-						},
-					},
-					DialerOptions: option.DialerOptions{
-						Detour: "vless-out",
-					},
-				},
-			},
-			{
-				Type: C.TypeSOCKS,
-				Tag:  "vless-out",
-				SocksOptions: option.SocksOutboundOptions{
-					ServerOptions: option.ServerOptions{
-						Server:     "127.0.0.1",
-						ServerPort: clientPort,
-					},
-				},
-			},
-		},
-	})
-
-	content, err := os.ReadFile("config/vless-tls-client.json")
-	require.NoError(t, err)
-	config, err := ajson.Unmarshal(content)
-	require.NoError(t, err)
-
-	config.MustKey("inbounds").MustIndex(0).MustKey("port").SetNumeric(float64(clientPort))
-	outbound := config.MustKey("outbounds").MustIndex(0)
-	settings := outbound.MustKey("settings").MustKey("vnext").MustIndex(0)
-	settings.MustKey("port").SetNumeric(float64(serverPort))
-	user := settings.MustKey("users").MustIndex(0)
-	user.MustKey("id").SetString(userId.String())
-	user.MustKey("flow").SetString(flow)
-	content, err = ajson.Marshal(config)
-	require.NoError(t, err)
-
-	content, err = ajson.Marshal(config)
-	require.NoError(t, err)
-
-	startDockerContainer(t, DockerOptions{
-		Image:      ImageXRayCore,
-		Ports:      []uint16{clientPort},
-		EntryPoint: "xray",
-		Stdin:      content,
-		Bind: map[string]string{
-			certPem: "/path/to/certificate.crt",
-			keyPem:  "/path/to/private.key",
-		},
-	})
-	testTCP(t, otherClientPort, testPort)
-}

transport/v2raygrpc/client.go

@@ -72,12 +72,6 @@ func NewClient(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, opt
 	}, nil
 }
 
-func (c *Client) Close() error {
-	return common.Close(
-		common.PtrOrNil(c.conn),
-	)
-}
-
 func (c *Client) connect() (*grpc.ClientConn, error) {
 	conn := c.conn
 	if conn != nil && conn.GetState() != connectivity.Shutdown {
@@ -113,3 +107,13 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 	}
 	return NewGRPCConn(stream, cancel), nil
 }
+
+func (c *Client) Close() error {
+	c.connAccess.Lock()
+	defer c.connAccess.Unlock()
+	if c.conn != nil {
+		c.conn.Close()
+		c.conn = nil
+	}
+	return nil
+}

transport/v2raygrpclite/client.go

@@ -100,7 +100,7 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 			conn.setup(nil, err)
 		} else if response.StatusCode != 200 {
 			response.Body.Close()
-			conn.setup(nil, E.New("unexpected status: ", response.Status))
+			conn.setup(nil, E.New("v2ray-grpc: unexpected status: ", response.Status))
 		} else {
 			conn.setup(response.Body, nil)
 		}
@@ -109,8 +109,6 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 }
 
 func (c *Client) Close() error {
-	if c.transport != nil {
-		v2rayhttp.CloseIdleConnections(c.transport)
-	}
+	v2rayhttp.ResetTransport(c.transport)
 	return nil
 }

transport/v2rayhttp/client.go

@@ -146,7 +146,7 @@ func (c *Client) dialHTTP2(ctx context.Context) (net.Conn, error) {
 			conn.Setup(nil, err)
 		} else if response.StatusCode != 200 {
 			response.Body.Close()
-			conn.Setup(nil, E.New("unexpected status: ", response.Status))
+			conn.Setup(nil, E.New("v2ray-http: unexpected status: ", response.Status))
 		} else {
 			conn.Setup(response.Body, nil)
 		}
@@ -155,6 +155,6 @@ func (c *Client) dialHTTP2(ctx context.Context) (net.Conn, error) {
 }
 
 func (c *Client) Close() error {
-	CloseIdleConnections(c.transport)
+	c.transport = ResetTransport(c.transport)
 	return nil
 }

transport/v2rayhttp/conn.go

@@ -43,7 +43,7 @@ func (c *HTTPConn) Read(b []byte) (n int, err error) {
 			return 0, E.Cause(err, "read response")
 		}
 		if response.StatusCode != 200 {
-			return 0, E.New("unexpected status: ", response.Status)
+			return 0, E.New("v2ray-http: unexpected status: ", response.Status)
 		}
 		if cacheLen := reader.Buffered(); cacheLen > 0 {
 			c.responseCache = buf.NewSize(cacheLen)

transport/v2rayhttp/force_close.go

@@ -0,0 +1,47 @@
+package v2rayhttp
+
+import (
+	"net/http"
+	"reflect"
+	"sync"
+	"unsafe"
+
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"golang.org/x/net/http2"
+)
+
+type clientConnPool struct {
+	t     *http2.Transport
+	mu    sync.Mutex
+	conns map[string][]*http2.ClientConn // key is host:port
+}
+
+type efaceWords struct {
+	typ  unsafe.Pointer
+	data unsafe.Pointer
+}
+
+func ResetTransport(rawTransport http.RoundTripper) http.RoundTripper {
+	switch transport := rawTransport.(type) {
+	case *http.Transport:
+		transport.CloseIdleConnections()
+		return transport.Clone()
+	case *http2.Transport:
+		connPool := transportConnPool(transport)
+		p := (*clientConnPool)((*efaceWords)(unsafe.Pointer(&connPool)).data)
+		p.mu.Lock()
+		defer p.mu.Unlock()
+		for _, vv := range p.conns {
+			for _, cc := range vv {
+				cc.Close()
+			}
+		}
+		return transport
+	default:
+		panic(E.New("unknown transport type: ", reflect.TypeOf(transport)))
+	}
+}
+
+//go:linkname transportConnPool golang.org/x/net/http2.(*Transport).connPool
+func transportConnPool(t *http2.Transport) http2.ClientConnPool

transport/v2rayhttpupgrade/client.go

@@ -104,7 +104,7 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 	if response.StatusCode != 101 ||
 		!strings.EqualFold(response.Header.Get("Connection"), "upgrade") ||
 		!strings.EqualFold(response.Header.Get("Upgrade"), "websocket") {
-		return nil, E.New("unexpected status: ", response.Status)
+		return nil, E.New("v2ray-http-upgrade: unexpected status: ", response.Status)
 	}
 	if bufReader.Buffered() > 0 {
 		buffer := buf.NewSize(bufReader.Buffered())
@@ -116,3 +116,7 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 	}
 	return conn, nil
 }
+
+func (c *Client) Close() error {
+	return nil
+}

transport/v2rayquic/client.go

@@ -8,6 +8,7 @@ import (
 	"sync"
 
 	"github.com/sagernet/quic-go"
+	"github.com/sagernet/quic-go/http3"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
@@ -37,7 +38,7 @@ func NewClient(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, opt
 		DisablePathMTUDiscovery: !C.IsLinux && !C.IsWindows,
 	}
 	if len(tlsConfig.NextProtos()) == 0 {
-		tlsConfig.SetNextProtos([]string{"h2", "http/1.1"})
+		tlsConfig.SetNextProtos([]string{http3.NextProtoH3})
 	}
 	return &Client{
 		ctx:        ctx,
@@ -96,5 +97,15 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 }
 
 func (c *Client) Close() error {
-	return common.Close(c.conn, c.rawConn)
+	c.connAccess.Lock()
+	defer c.connAccess.Unlock()
+	if c.conn != nil {
+		c.conn.CloseWithError(0, "")
+	}
+	if c.rawConn != nil {
+		c.rawConn.Close()
+	}
+	c.conn = nil
+	c.rawConn = nil
+	return nil
 }

transport/v2rayquic/server.go

@@ -8,6 +8,7 @@ import (
 	"os"
 
 	"github.com/sagernet/quic-go"
+	"github.com/sagernet/quic-go/http3"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
@@ -34,7 +35,7 @@ func NewServer(ctx context.Context, options option.V2RayQUICOptions, tlsConfig t
 		DisablePathMTUDiscovery: !C.IsLinux && !C.IsWindows,
 	}
 	if len(tlsConfig.NextProtos()) == 0 {
-		tlsConfig.SetNextProtos([]string{"h2", "http/1.1"})
+		tlsConfig.SetNextProtos([]string{http3.NextProtoH3})
 	}
 	server := &Server{
 		ctx:        ctx,

transport/v2raywebsocket/client.go

@@ -127,3 +127,7 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 		return &EarlyWebsocketConn{Client: c, ctx: ctx, create: make(chan struct{})}, nil
 	}
 }
+
+func (c *Client) Close() error {
+	return nil
+}

transport/vless/client.go

@@ -1,294 +0,0 @@
-package vless
-
-import (
-	"encoding/binary"
-	"io"
-	"net"
-	"sync"
-
-	"github.com/sagernet/sing-vmess"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	"github.com/gofrs/uuid/v5"
-)
-
-type Client struct {
-	key    [16]byte
-	flow   string
-	logger logger.Logger
-}
-
-func NewClient(userId string, flow string, logger logger.Logger) (*Client, error) {
-	user := uuid.FromStringOrNil(userId)
-	if user == uuid.Nil {
-		user = uuid.NewV5(user, userId)
-	}
-	switch flow {
-	case "", "xtls-rprx-vision":
-	default:
-		return nil, E.New("unsupported flow: " + flow)
-	}
-	return &Client{user, flow, logger}, nil
-}
-
-func (c *Client) prepareConn(conn net.Conn, tlsConn net.Conn) (net.Conn, error) {
-	if c.flow == FlowVision {
-		protocolConn, err := NewVisionConn(conn, tlsConn, c.key, c.logger)
-		if err != nil {
-			return nil, E.Cause(err, "initialize vision")
-		}
-		conn = protocolConn
-	}
-	return conn, nil
-}
-
-func (c *Client) DialConn(conn net.Conn, destination M.Socksaddr) (net.Conn, error) {
-	remoteConn := NewConn(conn, c.key, vmess.CommandTCP, destination, c.flow)
-	protocolConn, err := c.prepareConn(remoteConn, conn)
-	if err != nil {
-		return nil, err
-	}
-	return protocolConn, common.Error(remoteConn.Write(nil))
-}
-
-func (c *Client) DialEarlyConn(conn net.Conn, destination M.Socksaddr) (net.Conn, error) {
-	return c.prepareConn(NewConn(conn, c.key, vmess.CommandTCP, destination, c.flow), conn)
-}
-
-func (c *Client) DialPacketConn(conn net.Conn, destination M.Socksaddr) (*PacketConn, error) {
-	serverConn := &PacketConn{Conn: conn, key: c.key, destination: destination, flow: c.flow}
-	return serverConn, common.Error(serverConn.Write(nil))
-}
-
-func (c *Client) DialEarlyPacketConn(conn net.Conn, destination M.Socksaddr) (*PacketConn, error) {
-	return &PacketConn{Conn: conn, key: c.key, destination: destination, flow: c.flow}, nil
-}
-
-func (c *Client) DialXUDPPacketConn(conn net.Conn, destination M.Socksaddr) (vmess.PacketConn, error) {
-	remoteConn := NewConn(conn, c.key, vmess.CommandTCP, destination, c.flow)
-	protocolConn, err := c.prepareConn(remoteConn, conn)
-	if err != nil {
-		return nil, err
-	}
-	return vmess.NewXUDPConn(protocolConn, destination), common.Error(remoteConn.Write(nil))
-}
-
-func (c *Client) DialEarlyXUDPPacketConn(conn net.Conn, destination M.Socksaddr) (vmess.PacketConn, error) {
-	remoteConn := NewConn(conn, c.key, vmess.CommandMux, destination, c.flow)
-	protocolConn, err := c.prepareConn(remoteConn, conn)
-	if err != nil {
-		return nil, err
-	}
-	return vmess.NewXUDPConn(protocolConn, destination), common.Error(remoteConn.Write(nil))
-}
-
-var (
-	_ N.EarlyConn        = (*Conn)(nil)
-	_ N.VectorisedWriter = (*Conn)(nil)
-)
-
-type Conn struct {
-	N.ExtendedConn
-	writer         N.VectorisedWriter
-	request        Request
-	requestWritten bool
-	responseRead   bool
-}
-
-func NewConn(conn net.Conn, uuid [16]byte, command byte, destination M.Socksaddr, flow string) *Conn {
-	return &Conn{
-		ExtendedConn: bufio.NewExtendedConn(conn),
-		writer:       bufio.NewVectorisedWriter(conn),
-		request: Request{
-			UUID:        uuid,
-			Command:     command,
-			Destination: destination,
-			Flow:        flow,
-		},
-	}
-}
-
-func (c *Conn) Read(b []byte) (n int, err error) {
-	if !c.responseRead {
-		err = ReadResponse(c.ExtendedConn)
-		if err != nil {
-			return
-		}
-		c.responseRead = true
-	}
-	return c.ExtendedConn.Read(b)
-}
-
-func (c *Conn) ReadBuffer(buffer *buf.Buffer) error {
-	if !c.responseRead {
-		err := ReadResponse(c.ExtendedConn)
-		if err != nil {
-			return err
-		}
-		c.responseRead = true
-	}
-	return c.ExtendedConn.ReadBuffer(buffer)
-}
-
-func (c *Conn) Write(b []byte) (n int, err error) {
-	if !c.requestWritten {
-		err = WriteRequest(c.ExtendedConn, c.request, b)
-		if err == nil {
-			n = len(b)
-		}
-		c.requestWritten = true
-		return
-	}
-	return c.ExtendedConn.Write(b)
-}
-
-func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
-	if !c.requestWritten {
-		err := EncodeRequest(c.request, buf.With(buffer.ExtendHeader(RequestLen(c.request))))
-		if err != nil {
-			return err
-		}
-		c.requestWritten = true
-	}
-	return c.ExtendedConn.WriteBuffer(buffer)
-}
-
-func (c *Conn) WriteVectorised(buffers []*buf.Buffer) error {
-	if !c.requestWritten {
-		buffer := buf.NewSize(RequestLen(c.request))
-		err := EncodeRequest(c.request, buffer)
-		if err != nil {
-			buffer.Release()
-			return err
-		}
-		c.requestWritten = true
-		return c.writer.WriteVectorised(append([]*buf.Buffer{buffer}, buffers...))
-	}
-	return c.writer.WriteVectorised(buffers)
-}
-
-func (c *Conn) ReaderReplaceable() bool {
-	return c.responseRead
-}
-
-func (c *Conn) WriterReplaceable() bool {
-	return c.requestWritten
-}
-
-func (c *Conn) NeedHandshake() bool {
-	return !c.requestWritten
-}
-
-func (c *Conn) FrontHeadroom() int {
-	if c.requestWritten {
-		return 0
-	}
-	return RequestLen(c.request)
-}
-
-func (c *Conn) Upstream() any {
-	return c.ExtendedConn
-}
-
-type PacketConn struct {
-	net.Conn
-	access         sync.Mutex
-	key            [16]byte
-	destination    M.Socksaddr
-	flow           string
-	requestWritten bool
-	responseRead   bool
-}
-
-func (c *PacketConn) Read(b []byte) (n int, err error) {
-	if !c.responseRead {
-		err = ReadResponse(c.Conn)
-		if err != nil {
-			return
-		}
-		c.responseRead = true
-	}
-	var length uint16
-	err = binary.Read(c.Conn, binary.BigEndian, &length)
-	if err != nil {
-		return
-	}
-	if cap(b) < int(length) {
-		return 0, io.ErrShortBuffer
-	}
-	return io.ReadFull(c.Conn, b[:length])
-}
-
-func (c *PacketConn) Write(b []byte) (n int, err error) {
-	if !c.requestWritten {
-		c.access.Lock()
-		if c.requestWritten {
-			c.access.Unlock()
-		} else {
-			err = WritePacketRequest(c.Conn, Request{c.key, vmess.CommandUDP, c.destination, c.flow}, nil)
-			if err == nil {
-				n = len(b)
-			}
-			c.requestWritten = true
-			c.access.Unlock()
-		}
-	}
-	err = binary.Write(c.Conn, binary.BigEndian, uint16(len(b)))
-	if err != nil {
-		return
-	}
-	return c.Conn.Write(b)
-}
-
-func (c *PacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	defer buffer.Release()
-	dataLen := buffer.Len()
-	binary.BigEndian.PutUint16(buffer.ExtendHeader(2), uint16(dataLen))
-	if !c.requestWritten {
-		c.access.Lock()
-		if c.requestWritten {
-			c.access.Unlock()
-		} else {
-			err := WritePacketRequest(c.Conn, Request{c.key, vmess.CommandUDP, c.destination, c.flow}, buffer.Bytes())
-			c.requestWritten = true
-			c.access.Unlock()
-			return err
-		}
-	}
-	return common.Error(c.Conn.Write(buffer.Bytes()))
-}
-
-func (c *PacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
-	n, err = c.Read(p)
-	if err != nil {
-		return
-	}
-	if c.destination.IsFqdn() {
-		addr = c.destination
-	} else {
-		addr = c.destination.UDPAddr()
-	}
-	return
-}
-
-func (c *PacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
-	return c.Write(p)
-}
-
-func (c *PacketConn) FrontHeadroom() int {
-	return 2
-}
-
-func (c *PacketConn) NeedAdditionalReadDeadline() bool {
-	return true
-}
-
-func (c *PacketConn) Upstream() any {
-	return c.Conn
-}

transport/vless/constant.go

@@ -1,40 +0,0 @@
-package vless
-
-import (
-	"bytes"
-
-	"github.com/sagernet/sing/common/buf"
-)
-
-var (
-	tls13SupportedVersions  = []byte{0x00, 0x2b, 0x00, 0x02, 0x03, 0x04}
-	tlsClientHandShakeStart = []byte{0x16, 0x03}
-	tlsServerHandShakeStart = []byte{0x16, 0x03, 0x03}
-	tlsApplicationDataStart = []byte{0x17, 0x03, 0x03}
-)
-
-const (
-	commandPaddingContinue byte = iota
-	commandPaddingEnd
-	commandPaddingDirect
-)
-
-var tls13CipherSuiteDic = map[uint16]string{
-	0x1301: "TLS_AES_128_GCM_SHA256",
-	0x1302: "TLS_AES_256_GCM_SHA384",
-	0x1303: "TLS_CHACHA20_POLY1305_SHA256",
-	0x1304: "TLS_AES_128_CCM_SHA256",
-	0x1305: "TLS_AES_128_CCM_8_SHA256",
-}
-
-func reshapeBuffer(b []byte) []*buf.Buffer {
-	const bufferLimit = 8192 - 21
-	if len(b) < bufferLimit {
-		return []*buf.Buffer{buf.As(b)}
-	}
-	index := int32(bytes.LastIndex(b, tlsApplicationDataStart))
-	if index <= 0 {
-		index = 8192 / 2
-	}
-	return []*buf.Buffer{buf.As(b[:index]), buf.As(b[index:])}
-}

transport/vless/protocol.go

@@ -1,297 +0,0 @@
-package vless
-
-import (
-	"bytes"
-	"encoding/binary"
-	"io"
-
-	"github.com/sagernet/sing-vmess"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/common/rw"
-)
-
-const (
-	Version    = 0
-	FlowVision = "xtls-rprx-vision"
-)
-
-type Request struct {
-	UUID        [16]byte
-	Command     byte
-	Destination M.Socksaddr
-	Flow        string
-}
-
-func ReadRequest(reader io.Reader) (*Request, error) {
-	var request Request
-
-	var version uint8
-	err := binary.Read(reader, binary.BigEndian, &version)
-	if err != nil {
-		return nil, err
-	}
-	if version != Version {
-		return nil, E.New("unknown version: ", version)
-	}
-
-	_, err = io.ReadFull(reader, request.UUID[:])
-	if err != nil {
-		return nil, err
-	}
-
-	var addonsLen uint8
-	err = binary.Read(reader, binary.BigEndian, &addonsLen)
-	if err != nil {
-		return nil, err
-	}
-
-	if addonsLen > 0 {
-		addonsBytes, err := rw.ReadBytes(reader, int(addonsLen))
-		if err != nil {
-			return nil, err
-		}
-
-		addons, err := readAddons(bytes.NewReader(addonsBytes))
-		if err != nil {
-			return nil, err
-		}
-		request.Flow = addons.Flow
-	}
-
-	err = binary.Read(reader, binary.BigEndian, &request.Command)
-	if err != nil {
-		return nil, err
-	}
-
-	if request.Command != vmess.CommandMux {
-		request.Destination, err = vmess.AddressSerializer.ReadAddrPort(reader)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return &request, nil
-}
-
-type Addons struct {
-	Flow string
-	Seed string
-}
-
-func readAddons(reader io.Reader) (*Addons, error) {
-	protoHeader, err := rw.ReadByte(reader)
-	if err != nil {
-		return nil, err
-	}
-	if protoHeader != 10 {
-		return nil, E.New("unknown protobuf message header: ", protoHeader)
-	}
-
-	var addons Addons
-
-	flowLen, err := rw.ReadUVariant(reader)
-	if err != nil {
-		if err == io.EOF {
-			return &addons, nil
-		}
-		return nil, err
-	}
-	flowBytes, err := rw.ReadBytes(reader, int(flowLen))
-	if err != nil {
-		return nil, err
-	}
-	addons.Flow = string(flowBytes)
-
-	seedLen, err := rw.ReadUVariant(reader)
-	if err != nil {
-		if err == io.EOF {
-			return &addons, nil
-		}
-		return nil, err
-	}
-	seedBytes, err := rw.ReadBytes(reader, int(seedLen))
-	if err != nil {
-		return nil, err
-	}
-	addons.Seed = string(seedBytes)
-
-	return &addons, nil
-}
-
-func WriteRequest(writer io.Writer, request Request, payload []byte) error {
-	var requestLen int
-	requestLen += 1  // version
-	requestLen += 16 // uuid
-	requestLen += 1  // protobuf length
-
-	var addonsLen int
-	if request.Flow != "" {
-		addonsLen += 1 // protobuf header
-		addonsLen += rw.UVariantLen(uint64(len(request.Flow)))
-		addonsLen += len(request.Flow)
-		requestLen += addonsLen
-	}
-	requestLen += 1 // command
-	if request.Command != vmess.CommandMux {
-		requestLen += vmess.AddressSerializer.AddrPortLen(request.Destination)
-	}
-	requestLen += len(payload)
-	buffer := buf.NewSize(requestLen)
-	defer buffer.Release()
-	common.Must(
-		buffer.WriteByte(Version),
-		common.Error(buffer.Write(request.UUID[:])),
-		buffer.WriteByte(byte(addonsLen)),
-	)
-	if addonsLen > 0 {
-		common.Must(buffer.WriteByte(10))
-		binary.PutUvarint(buffer.Extend(rw.UVariantLen(uint64(len(request.Flow)))), uint64(len(request.Flow)))
-		common.Must(common.Error(buffer.WriteString(request.Flow)))
-	}
-	common.Must(
-		buffer.WriteByte(request.Command),
-	)
-
-	if request.Command != vmess.CommandMux {
-		err := vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination)
-		if err != nil {
-			return err
-		}
-	}
-
-	common.Must1(buffer.Write(payload))
-	return common.Error(writer.Write(buffer.Bytes()))
-}
-
-func EncodeRequest(request Request, buffer *buf.Buffer) error {
-	var requestLen int
-	requestLen += 1  // version
-	requestLen += 16 // uuid
-	requestLen += 1  // protobuf length
-
-	var addonsLen int
-	if request.Flow != "" {
-		addonsLen += 1 // protobuf header
-		addonsLen += rw.UVariantLen(uint64(len(request.Flow)))
-		addonsLen += len(request.Flow)
-		requestLen += addonsLen
-	}
-	requestLen += 1 // command
-	if request.Command != vmess.CommandMux {
-		requestLen += vmess.AddressSerializer.AddrPortLen(request.Destination)
-	}
-	common.Must(
-		buffer.WriteByte(Version),
-		common.Error(buffer.Write(request.UUID[:])),
-		buffer.WriteByte(byte(addonsLen)),
-	)
-	if addonsLen > 0 {
-		common.Must(buffer.WriteByte(10))
-		binary.PutUvarint(buffer.Extend(rw.UVariantLen(uint64(len(request.Flow)))), uint64(len(request.Flow)))
-		common.Must(common.Error(buffer.WriteString(request.Flow)))
-	}
-	common.Must(
-		buffer.WriteByte(request.Command),
-	)
-
-	if request.Command != vmess.CommandMux {
-		err := vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func RequestLen(request Request) int {
-	var requestLen int
-	requestLen += 1  // version
-	requestLen += 16 // uuid
-	requestLen += 1  // protobuf length
-
-	var addonsLen int
-	if request.Flow != "" {
-		addonsLen += 1 // protobuf header
-		addonsLen += rw.UVariantLen(uint64(len(request.Flow)))
-		addonsLen += len(request.Flow)
-		requestLen += addonsLen
-	}
-	requestLen += 1 // command
-	if request.Command != vmess.CommandMux {
-		requestLen += vmess.AddressSerializer.AddrPortLen(request.Destination)
-	}
-	return requestLen
-}
-
-func WritePacketRequest(writer io.Writer, request Request, payload []byte) error {
-	var requestLen int
-	requestLen += 1  // version
-	requestLen += 16 // uuid
-	requestLen += 1  // protobuf length
-	var addonsLen int
-	/*if request.Flow != "" {
-		addonsLen += 1 // protobuf header
-		addonsLen += rw.UVariantLen(uint64(len(request.Flow)))
-		addonsLen += len(request.Flow)
-		requestLen += addonsLen
-	}*/
-	requestLen += 1 // command
-	requestLen += vmess.AddressSerializer.AddrPortLen(request.Destination)
-	if len(payload) > 0 {
-		requestLen += 2
-		requestLen += len(payload)
-	}
-	buffer := buf.NewSize(requestLen)
-	defer buffer.Release()
-	common.Must(
-		buffer.WriteByte(Version),
-		common.Error(buffer.Write(request.UUID[:])),
-		buffer.WriteByte(byte(addonsLen)),
-	)
-
-	if addonsLen > 0 {
-		common.Must(buffer.WriteByte(10))
-		binary.PutUvarint(buffer.Extend(rw.UVariantLen(uint64(len(request.Flow)))), uint64(len(request.Flow)))
-		common.Must(common.Error(buffer.WriteString(request.Flow)))
-	}
-
-	common.Must(buffer.WriteByte(vmess.CommandUDP))
-
-	err := vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination)
-	if err != nil {
-		return err
-	}
-
-	if len(payload) > 0 {
-		common.Must(
-			binary.Write(buffer, binary.BigEndian, uint16(len(payload))),
-			common.Error(buffer.Write(payload)),
-		)
-	}
-
-	return common.Error(writer.Write(buffer.Bytes()))
-}
-
-func ReadResponse(reader io.Reader) error {
-	version, err := rw.ReadByte(reader)
-	if err != nil {
-		return err
-	}
-	if version != Version {
-		return E.New("unknown version: ", version)
-	}
-	protobufLength, err := rw.ReadByte(reader)
-	if err != nil {
-		return err
-	}
-	if protobufLength > 0 {
-		err = rw.SkipN(reader, int(protobufLength))
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}

transport/vless/service.go

@@ -1,260 +0,0 @@
-package vless
-
-import (
-	"context"
-	"encoding/binary"
-	"io"
-	"net"
-
-	"github.com/sagernet/sing-vmess"
-	"github.com/sagernet/sing/common/auth"
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	"github.com/gofrs/uuid/v5"
-)
-
-type Service[T comparable] struct {
-	userMap  map[[16]byte]T
-	userFlow map[T]string
-	logger   logger.Logger
-	handler  Handler
-}
-
-type Handler interface {
-	N.TCPConnectionHandler
-	N.UDPConnectionHandler
-	E.Handler
-}
-
-func NewService[T comparable](logger logger.Logger, handler Handler) *Service[T] {
-	return &Service[T]{
-		logger:  logger,
-		handler: handler,
-	}
-}
-
-func (s *Service[T]) UpdateUsers(userList []T, userUUIDList []string, userFlowList []string) {
-	userMap := make(map[[16]byte]T)
-	userFlowMap := make(map[T]string)
-	for i, userName := range userList {
-		userID := uuid.FromStringOrNil(userUUIDList[i])
-		if userID == uuid.Nil {
-			userID = uuid.NewV5(uuid.Nil, userUUIDList[i])
-		}
-		userMap[userID] = userName
-		userFlowMap[userName] = userFlowList[i]
-	}
-	s.userMap = userMap
-	s.userFlow = userFlowMap
-}
-
-var _ N.TCPConnectionHandler = (*Service[int])(nil)
-
-func (s *Service[T]) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	request, err := ReadRequest(conn)
-	if err != nil {
-		return err
-	}
-	user, loaded := s.userMap[request.UUID]
-	if !loaded {
-		return E.New("unknown UUID: ", uuid.FromBytesOrNil(request.UUID[:]))
-	}
-	ctx = auth.ContextWithUser(ctx, user)
-	metadata.Destination = request.Destination
-
-	userFlow := s.userFlow[user]
-	if request.Flow == FlowVision && request.Command == vmess.NetworkUDP {
-		return E.New(FlowVision, " flow does not support UDP")
-	} else if request.Flow != userFlow {
-		return E.New("flow mismatch: expected ", flowName(userFlow), ", but got ", flowName(request.Flow))
-	}
-
-	if request.Command == vmess.CommandUDP {
-		return s.handler.NewPacketConnection(ctx, &serverPacketConn{ExtendedConn: bufio.NewExtendedConn(conn), destination: request.Destination}, metadata)
-	}
-	responseConn := &serverConn{ExtendedConn: bufio.NewExtendedConn(conn), writer: bufio.NewVectorisedWriter(conn)}
-	switch userFlow {
-	case FlowVision:
-		conn, err = NewVisionConn(responseConn, conn, request.UUID, s.logger)
-		if err != nil {
-			return E.Cause(err, "initialize vision")
-		}
-	case "":
-		conn = responseConn
-	default:
-		return E.New("unknown flow: ", userFlow)
-	}
-	switch request.Command {
-	case vmess.CommandTCP:
-		return s.handler.NewConnection(ctx, conn, metadata)
-	case vmess.CommandMux:
-		return vmess.HandleMuxConnection(ctx, conn, s.handler)
-	default:
-		return E.New("unknown command: ", request.Command)
-	}
-}
-
-func flowName(value string) string {
-	if value == "" {
-		return "none"
-	}
-	return value
-}
-
-var _ N.VectorisedWriter = (*serverConn)(nil)
-
-type serverConn struct {
-	N.ExtendedConn
-	writer          N.VectorisedWriter
-	responseWritten bool
-}
-
-func (c *serverConn) Read(b []byte) (n int, err error) {
-	return c.ExtendedConn.Read(b)
-}
-
-func (c *serverConn) Write(b []byte) (n int, err error) {
-	if !c.responseWritten {
-		_, err = bufio.WriteVectorised(c.writer, [][]byte{{Version, 0}, b})
-		if err == nil {
-			n = len(b)
-		}
-		c.responseWritten = true
-		return
-	}
-	return c.ExtendedConn.Write(b)
-}
-
-func (c *serverConn) WriteBuffer(buffer *buf.Buffer) error {
-	if !c.responseWritten {
-		header := buffer.ExtendHeader(2)
-		header[0] = Version
-		header[1] = 0
-		c.responseWritten = true
-	}
-	return c.ExtendedConn.WriteBuffer(buffer)
-}
-
-func (c *serverConn) WriteVectorised(buffers []*buf.Buffer) error {
-	if !c.responseWritten {
-		err := c.writer.WriteVectorised(append([]*buf.Buffer{buf.As([]byte{Version, 0})}, buffers...))
-		c.responseWritten = true
-		return err
-	}
-	return c.writer.WriteVectorised(buffers)
-}
-
-func (c *serverConn) NeedAdditionalReadDeadline() bool {
-	return true
-}
-
-func (c *serverConn) FrontHeadroom() int {
-	if c.responseWritten {
-		return 0
-	}
-	return 2
-}
-
-func (c *serverConn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *serverConn) WriterReplaceable() bool {
-	return c.responseWritten
-}
-
-func (c *serverConn) Upstream() any {
-	return c.ExtendedConn
-}
-
-type serverPacketConn struct {
-	N.ExtendedConn
-	responseWriter  io.Writer
-	responseWritten bool
-	destination     M.Socksaddr
-}
-
-func (c *serverPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
-	n, err = c.ExtendedConn.Read(p)
-	if err != nil {
-		return
-	}
-	if c.destination.IsFqdn() {
-		addr = c.destination
-	} else {
-		addr = c.destination.UDPAddr()
-	}
-	return
-}
-
-func (c *serverPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
-	if !c.responseWritten {
-		if c.responseWriter == nil {
-			var packetLen [2]byte
-			binary.BigEndian.PutUint16(packetLen[:], uint16(len(p)))
-			_, err = bufio.WriteVectorised(bufio.NewVectorisedWriter(c.ExtendedConn), [][]byte{{Version, 0}, packetLen[:], p})
-			if err == nil {
-				n = len(p)
-			}
-			c.responseWritten = true
-			return
-		} else {
-			_, err = c.responseWriter.Write([]byte{Version, 0})
-			if err != nil {
-				return
-			}
-			c.responseWritten = true
-		}
-	}
-	return c.ExtendedConn.Write(p)
-}
-
-func (c *serverPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
-	var packetLen uint16
-	err = binary.Read(c.ExtendedConn, binary.BigEndian, &packetLen)
-	if err != nil {
-		return
-	}
-
-	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(packetLen))
-	if err != nil {
-		return
-	}
-
-	destination = c.destination
-	return
-}
-
-func (c *serverPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	if !c.responseWritten {
-		if c.responseWriter == nil {
-			var packetLen [2]byte
-			binary.BigEndian.PutUint16(packetLen[:], uint16(buffer.Len()))
-			err := bufio.NewVectorisedWriter(c.ExtendedConn).WriteVectorised([]*buf.Buffer{buf.As([]byte{Version, 0}), buf.As(packetLen[:]), buffer})
-			c.responseWritten = true
-			return err
-		} else {
-			_, err := c.responseWriter.Write([]byte{Version, 0})
-			if err != nil {
-				return err
-			}
-			c.responseWritten = true
-		}
-	}
-	packetLen := buffer.Len()
-	binary.BigEndian.PutUint16(buffer.ExtendHeader(2), uint16(packetLen))
-	return c.ExtendedConn.WriteBuffer(buffer)
-}
-
-func (c *serverPacketConn) FrontHeadroom() int {
-	return 2
-}
-
-func (c *serverPacketConn) Upstream() any {
-	return c.ExtendedConn
-}

transport/vless/vision.go

@@ -1,380 +0,0 @@
-package vless
-
-import (
-	"bytes"
-	"crypto/rand"
-	"crypto/tls"
-	"io"
-	"math/big"
-	"net"
-	"reflect"
-	"time"
-	"unsafe"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	N "github.com/sagernet/sing/common/network"
-)
-
-var tlsRegistry []func(conn net.Conn) (loaded bool, netConn net.Conn, reflectType reflect.Type, reflectPointer uintptr)
-
-func init() {
-	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, netConn net.Conn, reflectType reflect.Type, reflectPointer uintptr) {
-		tlsConn, loaded := common.Cast[*tls.Conn](conn)
-		if !loaded {
-			return
-		}
-		return true, tlsConn.NetConn(), reflect.TypeOf(tlsConn).Elem(), uintptr(unsafe.Pointer(tlsConn))
-	})
-}
-
-const xrayChunkSize = 8192
-
-type VisionConn struct {
-	net.Conn
-	reader   *bufio.ChunkReader
-	writer   N.VectorisedWriter
-	input    *bytes.Reader
-	rawInput *bytes.Buffer
-	netConn  net.Conn
-	logger   logger.Logger
-
-	userUUID               [16]byte
-	isTLS                  bool
-	numberOfPacketToFilter int
-	isTLS12orAbove         bool
-	remainingServerHello   int32
-	cipher                 uint16
-	enableXTLS             bool
-	isPadding              bool
-	directWrite            bool
-	writeUUID              bool
-	withinPaddingBuffers   bool
-	remainingContent       int
-	remainingPadding       int
-	currentCommand         byte
-	directRead             bool
-	remainingReader        io.Reader
-}
-
-func NewVisionConn(conn net.Conn, tlsConn net.Conn, userUUID [16]byte, logger logger.Logger) (*VisionConn, error) {
-	var (
-		loaded         bool
-		reflectType    reflect.Type
-		reflectPointer uintptr
-		netConn        net.Conn
-	)
-	for _, tlsCreator := range tlsRegistry {
-		loaded, netConn, reflectType, reflectPointer = tlsCreator(tlsConn)
-		if loaded {
-			break
-		}
-	}
-	if !loaded {
-		return nil, C.ErrTLSRequired
-	}
-	input, _ := reflectType.FieldByName("input")
-	rawInput, _ := reflectType.FieldByName("rawInput")
-	return &VisionConn{
-		Conn:     conn,
-		reader:   bufio.NewChunkReader(conn, xrayChunkSize),
-		writer:   bufio.NewVectorisedWriter(conn),
-		input:    (*bytes.Reader)(unsafe.Pointer(reflectPointer + input.Offset)),
-		rawInput: (*bytes.Buffer)(unsafe.Pointer(reflectPointer + rawInput.Offset)),
-		netConn:  netConn,
-		logger:   logger,
-
-		userUUID:               userUUID,
-		numberOfPacketToFilter: 8,
-		remainingServerHello:   -1,
-		isPadding:              true,
-		writeUUID:              true,
-		withinPaddingBuffers:   true,
-		remainingContent:       -1,
-		remainingPadding:       -1,
-	}, nil
-}
-
-func (c *VisionConn) Read(p []byte) (n int, err error) {
-	if c.remainingReader != nil {
-		n, err = c.remainingReader.Read(p)
-		if err == io.EOF {
-			err = nil
-			c.remainingReader = nil
-		}
-		if n > 0 {
-			return
-		}
-	}
-	if c.directRead {
-		return c.netConn.Read(p)
-	}
-	var bufferBytes []byte
-	var chunkBuffer *buf.Buffer
-	if len(p) > xrayChunkSize {
-		n, err = c.Conn.Read(p)
-		if err != nil {
-			return
-		}
-		bufferBytes = p[:n]
-	} else {
-		chunkBuffer, err = c.reader.ReadChunk()
-		if err != nil {
-			return 0, err
-		}
-		bufferBytes = chunkBuffer.Bytes()
-	}
-	if c.withinPaddingBuffers || c.numberOfPacketToFilter > 0 {
-		buffers := c.unPadding(bufferBytes)
-		if chunkBuffer != nil {
-			buffers = common.Map(buffers, func(it *buf.Buffer) *buf.Buffer {
-				return it.ToOwned()
-			})
-			chunkBuffer.Reset()
-		}
-		if c.remainingContent == 0 && c.remainingPadding == 0 {
-			if c.currentCommand == commandPaddingEnd {
-				c.withinPaddingBuffers = false
-				c.remainingContent = -1
-				c.remainingPadding = -1
-			} else if c.currentCommand == commandPaddingDirect {
-				c.withinPaddingBuffers = false
-				c.directRead = true
-
-				inputBuffer, err := io.ReadAll(c.input)
-				if err != nil {
-					return 0, err
-				}
-				buffers = append(buffers, buf.As(inputBuffer))
-
-				rawInputBuffer, err := io.ReadAll(c.rawInput)
-				if err != nil {
-					return 0, err
-				}
-
-				buffers = append(buffers, buf.As(rawInputBuffer))
-
-				c.logger.Trace("XtlsRead readV")
-			} else if c.currentCommand == commandPaddingContinue {
-				c.withinPaddingBuffers = true
-			} else {
-				return 0, E.New("unknown command ", c.currentCommand)
-			}
-		} else if c.remainingContent > 0 || c.remainingPadding > 0 {
-			c.withinPaddingBuffers = true
-		} else {
-			c.withinPaddingBuffers = false
-		}
-		if c.numberOfPacketToFilter > 0 {
-			c.filterTLS(buf.ToSliceMulti(buffers))
-		}
-		c.remainingReader = io.MultiReader(common.Map(buffers, func(it *buf.Buffer) io.Reader { return it })...)
-		return c.Read(p)
-	} else {
-		if c.numberOfPacketToFilter > 0 {
-			c.filterTLS([][]byte{bufferBytes})
-		}
-		if chunkBuffer != nil {
-			n = copy(p, bufferBytes)
-			chunkBuffer.Advance(n)
-		}
-		return
-	}
-}
-
-func (c *VisionConn) Write(p []byte) (n int, err error) {
-	if c.numberOfPacketToFilter > 0 {
-		c.filterTLS([][]byte{p})
-	}
-	if c.isPadding {
-		inputLen := len(p)
-		buffers := reshapeBuffer(p)
-		var specIndex int
-		for i, buffer := range buffers {
-			if c.isTLS && buffer.Len() > 6 && bytes.Equal(tlsApplicationDataStart, buffer.To(3)) {
-				var command byte = commandPaddingEnd
-				if c.enableXTLS {
-					c.directWrite = true
-					specIndex = i
-					command = commandPaddingDirect
-				}
-				c.isPadding = false
-				buffers[i] = c.padding(buffer, command)
-				break
-			} else if !c.isTLS12orAbove && c.numberOfPacketToFilter <= 1 {
-				c.isPadding = false
-				buffers[i] = c.padding(buffer, commandPaddingEnd)
-				break
-			}
-			buffers[i] = c.padding(buffer, commandPaddingContinue)
-		}
-		if c.directWrite {
-			encryptedBuffer := buffers[:specIndex+1]
-			err = c.writer.WriteVectorised(encryptedBuffer)
-			if err != nil {
-				return
-			}
-			buffers = buffers[specIndex+1:]
-			c.writer = bufio.NewVectorisedWriter(c.netConn)
-			c.logger.Trace("XtlsWrite writeV ", specIndex, " ", buf.LenMulti(encryptedBuffer), " ", len(buffers))
-			time.Sleep(5 * time.Millisecond) // wtf
-		}
-		err = c.writer.WriteVectorised(buffers)
-		if err == nil {
-			n = inputLen
-		}
-		return
-	}
-	if c.directWrite {
-		return c.netConn.Write(p)
-	} else {
-		return c.Conn.Write(p)
-	}
-}
-
-func (c *VisionConn) filterTLS(buffers [][]byte) {
-	for _, buffer := range buffers {
-		c.numberOfPacketToFilter--
-		if len(buffer) > 6 {
-			if buffer[0] == 22 && buffer[1] == 3 && buffer[2] == 3 {
-				c.isTLS = true
-				if buffer[5] == 2 {
-					c.isTLS12orAbove = true
-					c.remainingServerHello = (int32(buffer[3])<<8 | int32(buffer[4])) + 5
-					if len(buffer) >= 79 && c.remainingServerHello >= 79 {
-						sessionIdLen := int32(buffer[43])
-						cipherSuite := buffer[43+sessionIdLen+1 : 43+sessionIdLen+3]
-						c.cipher = uint16(cipherSuite[0])<<8 | uint16(cipherSuite[1])
-					} else {
-						c.logger.Trace("XtlsFilterTls short server hello, tls 1.2 or older? ", len(buffer), " ", c.remainingServerHello)
-					}
-				}
-			} else if bytes.Equal(tlsClientHandShakeStart, buffer[:2]) && buffer[5] == 1 {
-				c.isTLS = true
-				c.logger.Trace("XtlsFilterTls found tls client hello! ", len(buffer))
-			}
-		}
-		if c.remainingServerHello > 0 {
-			end := int(c.remainingServerHello)
-			if end > len(buffer) {
-				end = len(buffer)
-			}
-			c.remainingServerHello -= int32(end)
-			if bytes.Contains(buffer[:end], tls13SupportedVersions) {
-				cipher, ok := tls13CipherSuiteDic[c.cipher]
-				if ok && cipher != "TLS_AES_128_CCM_8_SHA256" {
-					c.enableXTLS = true
-				}
-				c.logger.Trace("XtlsFilterTls found tls 1.3! ", len(buffer), " ", c.cipher, " ", c.enableXTLS)
-				c.numberOfPacketToFilter = 0
-				return
-			} else if c.remainingServerHello == 0 {
-				c.logger.Trace("XtlsFilterTls found tls 1.2! ", len(buffer))
-				c.numberOfPacketToFilter = 0
-				return
-			}
-		}
-		if c.numberOfPacketToFilter == 0 {
-			c.logger.Trace("XtlsFilterTls stop filtering ", len(buffer))
-		}
-	}
-}
-
-func (c *VisionConn) padding(buffer *buf.Buffer, command byte) *buf.Buffer {
-	contentLen := 0
-	paddingLen := 0
-	if buffer != nil {
-		contentLen = buffer.Len()
-	}
-	if contentLen < 900 && c.isTLS {
-		l, _ := rand.Int(rand.Reader, big.NewInt(500))
-		paddingLen = int(l.Int64()) + 900 - contentLen
-	} else {
-		l, _ := rand.Int(rand.Reader, big.NewInt(256))
-		paddingLen = int(l.Int64())
-	}
-	var bufferLen int
-	if c.writeUUID {
-		bufferLen += 16
-	}
-	bufferLen += 5
-	if buffer != nil {
-		bufferLen += buffer.Len()
-	}
-	bufferLen += paddingLen
-	newBuffer := buf.NewSize(bufferLen)
-	if c.writeUUID {
-		common.Must1(newBuffer.Write(c.userUUID[:]))
-		c.writeUUID = false
-	}
-	common.Must1(newBuffer.Write([]byte{command, byte(contentLen >> 8), byte(contentLen), byte(paddingLen >> 8), byte(paddingLen)}))
-	if buffer != nil {
-		common.Must1(newBuffer.Write(buffer.Bytes()))
-		buffer.Release()
-	}
-	newBuffer.Extend(paddingLen)
-	c.logger.Trace("XtlsPadding ", contentLen, " ", paddingLen, " ", command)
-	return newBuffer
-}
-
-func (c *VisionConn) unPadding(buffer []byte) []*buf.Buffer {
-	var bufferIndex int
-	if c.remainingContent == -1 && c.remainingPadding == -1 {
-		if len(buffer) >= 21 && bytes.Equal(c.userUUID[:], buffer[:16]) {
-			bufferIndex = 16
-			c.remainingContent = 0
-			c.remainingPadding = 0
-			c.currentCommand = 0
-		}
-	}
-	if c.remainingContent == -1 && c.remainingPadding == -1 {
-		return []*buf.Buffer{buf.As(buffer)}
-	}
-	var buffers []*buf.Buffer
-	for bufferIndex < len(buffer) {
-		if c.remainingContent <= 0 && c.remainingPadding <= 0 {
-			if c.currentCommand == 1 {
-				buffers = append(buffers, buf.As(buffer[bufferIndex:]))
-				break
-			} else {
-				paddingInfo := buffer[bufferIndex : bufferIndex+5]
-				c.currentCommand = paddingInfo[0]
-				c.remainingContent = int(paddingInfo[1])<<8 | int(paddingInfo[2])
-				c.remainingPadding = int(paddingInfo[3])<<8 | int(paddingInfo[4])
-				bufferIndex += 5
-				c.logger.Trace("Xtls Unpadding new block ", bufferIndex, " ", c.remainingContent, " padding ", c.remainingPadding, " ", c.currentCommand)
-			}
-		} else if c.remainingContent > 0 {
-			end := c.remainingContent
-			if end > len(buffer)-bufferIndex {
-				end = len(buffer) - bufferIndex
-			}
-			buffers = append(buffers, buf.As(buffer[bufferIndex:bufferIndex+end]))
-			c.remainingContent -= end
-			bufferIndex += end
-		} else {
-			end := c.remainingPadding
-			if end > len(buffer)-bufferIndex {
-				end = len(buffer) - bufferIndex
-			}
-			c.remainingPadding -= end
-			bufferIndex += end
-		}
-		if bufferIndex == len(buffer) {
-			break
-		}
-	}
-	return buffers
-}
-
-func (c *VisionConn) NeedAdditionalReadDeadline() bool {
-	return true
-}
-
-func (c *VisionConn) Upstream() any {
-	return c.Conn
-}

transport/vless/vision_reality.go

@@ -1,22 +0,0 @@
-//go:build with_reality_server
-
-package vless
-
-import (
-	"net"
-	"reflect"
-	"unsafe"
-
-	"github.com/sagernet/reality"
-	"github.com/sagernet/sing/common"
-)
-
-func init() {
-	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, netConn net.Conn, reflectType reflect.Type, reflectPointer uintptr) {
-		tlsConn, loaded := common.Cast[*reality.Conn](conn)
-		if !loaded {
-			return
-		}
-		return true, tlsConn.NetConn(), reflect.TypeOf(tlsConn).Elem(), uintptr(unsafe.Pointer(tlsConn))
-	})
-}

transport/vless/vision_utls.go

@@ -1,22 +0,0 @@
-//go:build with_utls
-
-package vless
-
-import (
-	"net"
-	"reflect"
-	"unsafe"
-
-	"github.com/sagernet/sing/common"
-	utls "github.com/sagernet/utls"
-)
-
-func init() {
-	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, netConn net.Conn, reflectType reflect.Type, reflectPointer uintptr) {
-		tlsConn, loaded := common.Cast[*utls.UConn](conn)
-		if !loaded {
-			return
-		}
-		return true, tlsConn.NetConn(), reflect.TypeOf(tlsConn.Conn).Elem(), uintptr(unsafe.Pointer(tlsConn.Conn))
-	})
-}

transport/wireguard/device_stack.go

@@ -230,17 +230,13 @@ func (w *StackDevice) Events() <-chan wgTun.Event {
 }
 
 func (w *StackDevice) Close() error {
-	select {
-	case <-w.done:
-		return os.ErrClosed
-	default:
-	}
+	close(w.done)
+	close(w.events)
 	w.stack.Close()
 	for _, endpoint := range w.stack.CleanupEndpoints() {
 		endpoint.Abort()
 	}
 	w.stack.Wait()
-	close(w.done)
 	return nil
 }
 

transport/wireguard/device_system.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"sync"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
@@ -21,14 +22,16 @@ import (
 var _ Device = (*SystemDevice)(nil)
 
 type SystemDevice struct {
-	dialer      N.Dialer
-	device      tun.Tun
-	batchDevice tun.LinuxTUN
-	name        string
-	mtu         int
-	events      chan wgTun.Event
-	addr4       netip.Addr
-	addr6       netip.Addr
+	dialer         N.Dialer
+	device         tun.Tun
+	batchDevice    tun.LinuxTUN
+	name           string
+	mtu            uint32
+	inet4Addresses []netip.Prefix
+	inet6Addresses []netip.Prefix
+	gso            bool
+	events         chan wgTun.Event
+	closeOnce      sync.Once
 }
 
 func NewSystemDevice(router adapter.Router, interfaceName string, localPrefixes []netip.Prefix, mtu uint32, gso bool) (*SystemDevice, error) {
@@ -44,43 +47,17 @@ func NewSystemDevice(router adapter.Router, interfaceName string, localPrefixes
 	if interfaceName == "" {
 		interfaceName = tun.CalculateInterfaceName("wg")
 	}
-	tunInterface, err := tun.New(tun.Options{
-		Name:         interfaceName,
-		Inet4Address: inet4Addresses,
-		Inet6Address: inet6Addresses,
-		MTU:          mtu,
-		GSO:          gso,
-	})
-	if err != nil {
-		return nil, err
-	}
-	var inet4Address netip.Addr
-	var inet6Address netip.Addr
-	if len(inet4Addresses) > 0 {
-		inet4Address = inet4Addresses[0].Addr()
-	}
-	if len(inet6Addresses) > 0 {
-		inet6Address = inet6Addresses[0].Addr()
-	}
-	var batchDevice tun.LinuxTUN
-	if gso {
-		batchTUN, isBatchTUN := tunInterface.(tun.LinuxTUN)
-		if !isBatchTUN {
-			return nil, E.New("GSO is not supported on current platform")
-		}
-		batchDevice = batchTUN
-	}
+
 	return &SystemDevice{
 		dialer: common.Must1(dialer.NewDefault(router, option.DialerOptions{
 			BindInterface: interfaceName,
 		})),
-		device:      tunInterface,
-		batchDevice: batchDevice,
-		name:        interfaceName,
-		mtu:         int(mtu),
-		events:      make(chan wgTun.Event),
-		addr4:       inet4Address,
-		addr6:       inet6Address,
+		name:           interfaceName,
+		mtu:            mtu,
+		inet4Addresses: inet4Addresses,
+		inet6Addresses: inet6Addresses,
+		gso:            gso,
+		events:         make(chan wgTun.Event, 1),
 	}, nil
 }
 
@@ -93,14 +70,39 @@ func (w *SystemDevice) ListenPacket(ctx context.Context, destination M.Socksaddr
 }
 
 func (w *SystemDevice) Inet4Address() netip.Addr {
-	return w.addr4
+	if len(w.inet4Addresses) == 0 {
+		return netip.Addr{}
+	}
+	return w.inet4Addresses[0].Addr()
 }
 
 func (w *SystemDevice) Inet6Address() netip.Addr {
-	return w.addr6
+	if len(w.inet6Addresses) == 0 {
+		return netip.Addr{}
+	}
+	return w.inet6Addresses[0].Addr()
 }
 
 func (w *SystemDevice) Start() error {
+	tunInterface, err := tun.New(tun.Options{
+		Name:         w.name,
+		Inet4Address: w.inet4Addresses,
+		Inet6Address: w.inet6Addresses,
+		MTU:          w.mtu,
+		GSO:          w.gso,
+	})
+	if err != nil {
+		return err
+	}
+	w.device = tunInterface
+	if w.gso {
+		batchTUN, isBatchTUN := tunInterface.(tun.LinuxTUN)
+		if !isBatchTUN {
+			tunInterface.Close()
+			return E.New("GSO is not supported on current platform")
+		}
+		w.batchDevice = batchTUN
+	}
 	w.events <- wgTun.EventUp
 	return nil
 }
@@ -143,7 +145,7 @@ func (w *SystemDevice) Flush() error {
 }
 
 func (w *SystemDevice) MTU() (int, error) {
-	return w.mtu, nil
+	return int(w.mtu), nil
 }
 
 func (w *SystemDevice) Name() (string, error) {
@@ -155,6 +157,7 @@ func (w *SystemDevice) Events() <-chan wgTun.Event {
 }
 
 func (w *SystemDevice) Close() error {
+	close(w.events)
 	return w.device.Close()
 }