Bump version

The Chinese documentation incorrectly stated that the default value for the domain_strategy field in the direct outbound module is dns.strategy. The correct value should be inbound.domain_strategy, as specified in the English documentation. This commit corrects the Chinese documentation to align with the accurate behavior described in the English version.

Signed-off-by: Monica <1379531829@qq.com>

.github/workflows/docker.yml

@@ -1,16 +1,83 @@
-name: Build Docker Images
+name: Publish Docker Images
 
 on:
   release:
     types:
-      - released
+      - published
   workflow_dispatch:
     inputs:
       tag:
         description: "The tag version you want to build"
+
+env:
+  REGISTRY_IMAGE: ghcr.io/sagernet/sing-box
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm/v6
+          - linux/arm/v7
+          - linux/arm64
+          - linux/386
+          - linux/ppc64le
+          - linux/riscv64
+          - linux/s390x
+          - linux/mips64le
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        with:
+          ref: ${{ steps.ref.outputs.ref }}
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY_IMAGE }}
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          platforms: ${{ matrix.platform }}
+          context: .
+          build-args: |
+            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
+          labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+  merge:
+    runs-on: ubuntu-latest
+    needs:
+      - build
     steps:
       - name: Get commit to build
         id: ref
@@ -29,34 +96,28 @@ jobs:
           fi
           echo "latest=$latest"
           echo "latest=$latest" >> $GITHUB_OUTPUT
-      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - name: Download digests
+        uses: actions/download-artifact@v4
         with:
-          ref: ${{ steps.ref.outputs.ref }}
-      - name: Setup Docker Buildx
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+      - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: Setup QEMU for Docker Buildx
-        uses: docker/setup-qemu-action@v3
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Docker metadata
-        id: metadata
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/sagernet/sing-box
-      - name: Build and release Docker images
-        uses: docker/build-push-action@v6
-        with:
-          platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
-          context: .
-          target: dist
-          build-args: |
-            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
-          tags: |
-            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.latest }}
-            ghcr.io/sagernet/sing-box:${{ steps.ref.outputs.ref }}
-          push: true
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create \
+            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}" \
+            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
+            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}
+          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}

.github/workflows/stale.yml

@@ -12,4 +12,5 @@ jobs:
         with:
           stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
           days-before-stale: 60
-          days-before-close: 5
+          days-before-close: 5
+          exempt-issue-labels: 'bug,enhancement'

.goreleaser.fury.yaml

@@ -26,6 +26,7 @@ builds:
       - linux_arm_7
       - linux_s390x
       - linux_riscv64
+      - linux_mips64le
     mod_timestamp: '{{ .CommitTimestamp }}'
 snapshot:
   name_template: "{{ .Version }}.{{ .ShortCommit }}"

.goreleaser.yaml

@@ -7,7 +7,9 @@ builds:
       - -v
       - -trimpath
     ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
+      - -s
+      - -buildid=
     tags:
       - with_gvisor
       - with_quic
@@ -25,9 +27,11 @@ builds:
       - linux_amd64_v1
       - linux_amd64_v3
       - linux_arm64
+      - linux_arm_6
       - linux_arm_7
       - linux_s390x
       - linux_riscv64
+      - linux_mips64le
       - windows_amd64_v1
       - windows_amd64_v3
       - windows_386

Makefile

@@ -104,10 +104,12 @@ publish_android:
 publish_android_appcenter:
 	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadPlayRelease
 
+
+# TODO: find why and remove `-destination 'generic/platform=iOS'`
 build_ios:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFI.xcarchive && \
-	xcodebuild archive -scheme SFI -configuration Release -archivePath build/SFI.xcarchive
+	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates
 
 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
@@ -118,55 +120,62 @@ release_ios: build_ios upload_ios_app_store
 build_macos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFM.xcarchive && \
-	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive
+	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive -allowProvisioningUpdates
 
 upload_macos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
 
 release_macos: build_macos upload_macos_app_store
 
-build_macos_independent:
+build_macos_standalone:
 	cd ../sing-box-for-apple && \
-	rm -rf build/SFT.System.xcarchive && \
-	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive
+	rm -rf build/SFM.System.xcarchive && \
+	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive -allowProvisioningUpdates
 
-notarize_macos_independent:
-	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist  -allowProvisioningUpdates
-
-wait_notarize_macos_independent:
-	sleep 60
-
-export_macos_independent:
+build_macos_dmg:
 	rm -rf dist/SFM
 	mkdir -p dist/SFM
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportNotarizedApp -archivePath build/SFM.System.xcarchive -exportPath "../sing-box/dist/SFM"
+	rm -rf build/SFM.System && \
+	rm -rf build/SFM.dmg && \
+	xcodebuild -exportArchive \
+		-archivePath "build/SFM.System.xcarchive" \
+		-exportOptionsPlist SFM.System/Export.plist -allowProvisioningUpdates \
+		-exportPath "build/SFM.System" && \
+	create-dmg \
+		--volname "sing-box" \
+		--volicon "build/SFM.System/SFM.app/Contents/Resources/AppIcon.icns" \
+		--icon "SFM.app" 0 0 \
+ 		--hide-extension "SFM.app" \
+ 		--app-drop-link 0 0 \
+ 		--skip-jenkins \
+		--codesign "B2324162A090F01F96111CF802A83F0F36674F80" \
+		--notarize "notarytool-password" \
+		"../sing-box/dist/SFM/SFM.dmg" "build/SFM.System/SFM.app"
 
-upload_macos_independent:
+upload_macos_dmg:
 	cd dist/SFM && \
-	rm -f *.zip && \
-	zip -ry "SFM-${VERSION}-universal.zip" SFM.app && \
-	ghr --replace --draft --prerelease "v${VERSION}" *.zip
+	cp SFM.dmg "SFM-${VERSION}-universal.dmg" && \
+	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dmg"
 
-release_macos_independent: build_macos_independent notarize_macos_independent wait_notarize_macos_independent export_macos_independent upload_macos_independent
+release_macos_standalone: build_macos_standalone build_macos_dmg upload_macos_dmg
 
 build_tvos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.xcarchive && \
-	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive
+	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive -allowProvisioningUpdates
 
 upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
-	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
+	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
 
 release_tvos: build_tvos upload_tvos_app_store
 
 update_apple_version:
 	go run ./cmd/internal/update_apple_version
 
-release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
+release_apple: lib_ios update_apple_version release_ios release_macos release_tvos
 
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
 
@@ -193,8 +202,8 @@ lib:
 	go run ./cmd/internal/build_libbox -target ios
 
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.3
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.3
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.4
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.4
 
 docs:
 	venv/bin/mkdocs serve

README.md

@@ -4,9 +4,9 @@ The universal proxy platform.
 
 [![Packaging status](https://repology.org/badge/vertical-allrepos/sing-box.svg)](https://repology.org/project/sing-box/versions)
 
-## Support
+## Documentation
 
-https://community.sagernet.org/c/sing-box/
+https://sing-box.sagernet.org
 
 ## License
 

cmd/internal/update_apple_version/main.go

@@ -26,8 +26,8 @@ func main() {
 	common.Must(decoder.Decode(&project))
 	objectsMap := project["objects"].(map[string]any)
 	projectContent := string(common.Must1(os.ReadFile("sing-box.xcodeproj/project.pbxproj")))
-	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
-	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
+	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfavt"}, newVersion.VersionString())
+	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.standalone", "io.nekohasekai.sfa.system"}, newVersion.String())
 	if updated0 || updated1 {
 		log.Info("updated version to ", newVersion.VersionString(), " (", newVersion.String(), ")")
 	}

common/dialer/default_go1.20.go

@@ -5,7 +5,7 @@ package dialer
 import (
 	"net"
 
-	"github.com/sagernet/tfo-go"
+	"github.com/metacubex/tfo-go"
 )
 
 type tcpDialer = tfo.Dialer

common/dialer/dialer.go

@@ -28,13 +28,12 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	} else {
 		dialer = NewDetour(router, options.Detour)
 	}
-	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
-	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
+	if options.Detour == "" {
 		dialer = NewResolveDialer(
 			router,
 			dialer,
 			options.Detour == "" && !options.TCPFastOpen,
-			domainStrategy,
+			dns.DomainStrategy(options.DomainStrategy),
 			time.Duration(options.FallbackDelay))
 	}
 	return dialer, nil

common/dialer/tfo.go

@@ -15,7 +15,8 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/tfo-go"
+
+	"github.com/metacubex/tfo-go"
 )
 
 type slowOpenConn struct {

common/sniff/sniff.go

@@ -18,33 +18,44 @@ type (
 	PacketSniffer = func(ctx context.Context, packet []byte) (*adapter.InboundContext, error)
 )
 
+func Skip(metadata adapter.InboundContext) bool {
+	// skip server first protocols
+	switch metadata.Destination.Port {
+	case 25, 465, 587:
+		// SMTP
+		return true
+	case 143, 993:
+		// IMAP
+		return true
+	case 110, 995:
+		// POP3
+		return true
+	}
+	return false
+}
+
 func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) (*adapter.InboundContext, error) {
 	if timeout == 0 {
 		timeout = C.ReadPayloadTimeout
 	}
 	deadline := time.Now().Add(timeout)
 	var errors []error
-
-	for i := 0; i < 3; i++ {
-		err := conn.SetReadDeadline(deadline)
-		if err != nil {
-			return nil, E.Cause(err, "set read deadline")
+	err := conn.SetReadDeadline(deadline)
+	if err != nil {
+		return nil, E.Cause(err, "set read deadline")
+	}
+	defer conn.SetReadDeadline(time.Time{})
+	var metadata *adapter.InboundContext
+	for _, sniffer := range sniffers {
+		if buffer.IsEmpty() {
+			metadata, err = sniffer(ctx, io.TeeReader(conn, buffer))
+		} else {
+			metadata, err = sniffer(ctx, io.MultiReader(bytes.NewReader(buffer.Bytes()), io.TeeReader(conn, buffer)))
 		}
-		_, err = buffer.ReadOnceFrom(conn)
-		err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
-		if err != nil {
-			if i > 0 {
-				break
-			}
-			return nil, E.Cause(err, "read payload")
-		}
-		for _, sniffer := range sniffers {
-			metadata, err := sniffer(ctx, bytes.NewReader(buffer.Bytes()))
-			if metadata != nil {
-				return metadata, nil
-			}
-			errors = append(errors, err)
+		if metadata != nil {
+			return metadata, nil
 		}
+		errors = append(errors, err)
 	}
 	return nil, E.Errors(errors...)
 }

docs/changelog.md

@@ -2,11 +2,27 @@
 icon: material/alert-decagram
 ---
 
-!!! failure "Help needed"
+### 1.9.5
 
-    Due to problems with our Apple developer account, sing-box apps on Apple platforms are temporarily unavailable for download or update.
+* Update quic-go to v0.47.0
+* Fix direct dialer not resolving domain
+* Fix no error return when empty DNS cache retrieved
+* Fix build with go1.23
+* Fix stream sniffer
+* Fix bad redirect in clash-api
+* Fix wireguard events chan leak
+* Fix cached conn eats up read deadlines
+* Fix disconnected interface selected as default in windows
+* Update Bundle Identifiers for Apple platform clients **1**
 
-    If your company or organization is willing to help us return to the App Store, please [contact us](mailto:contact@sagernet.org).
+**1**:
+
+See [Migration](/migration/#bundle-identifier-updates-in-apple-platform-clients).
+
+We are still working on getting all sing-box apps back on the App Store.
+
+This work is expected to be completed within a week
+(SFI on the App Store and others on TestFlight are already available).
 
 ### 1.9.4
 
@@ -23,6 +39,11 @@ icon: material/alert-decagram
 * Fix UDP connnection leak when sniffing
 * Fixes and improvements
 
+_Due to problems with our Apple developer account,
+sing-box apps on Apple platforms are temporarily unavailable for download or update.
+If your company or organization is willing to help us return to the App Store,
+please [contact us](mailto:contact@sagernet.org)._
+
 ### 1.9.3
 
 * Fixes and improvements

docs/clients/apple/index.md

@@ -11,8 +11,7 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 
     Due to problems with our Apple developer account, sing-box apps on Apple platforms are temporarily unavailable for download or update.
 
-    If your company or organization is willing to help us return to the App Store, please [contact us](mailto:contact@sagernet.org).
-
+    We are working on getting sing-box apps back on the App Store, which should be completed within a week (SFI on the App Store and others on TestFlight are already available).
 
 ## :material-graph: Requirements
 
@@ -21,13 +20,13 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 
 ## :material-download: Download
 
-* [App Store](https://apps.apple.com/us/app/sing-box/id6451272673)
-* ~~TestFlight (Beta)~~
+* [App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)
+* TestFlight (Beta)
 
 TestFlight quota is only available to [sponsors](https://github.com/sponsors/nekohasekai)
 (one-time sponsorships are accepted).
-Once you donate, you can get an invitation by sending us your Apple ID [via email](mailto:contact@sagernet.org),
-or join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot).
+Once you donate, you can get an invitation by join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot)
+or sending us your Apple ID [via email](mailto:contact@sagernet.org).
 
 ## :material-file-download: Download (macOS standalone version)
 

docs/clients/index.md

@@ -3,9 +3,9 @@
 Maintained by Project S to provide a unified experience and platform-specific functionality.
 
 | Platform                              | Client                                   |
-| ------------------------------------- | ---------------------------------------- |
+|---------------------------------------|------------------------------------------|
 | :material-android: Android            | [sing-box for Android](./android/)       |
-| :material-apple: iOS/macOS/Apple tvOS | :material-alert: [Unavailable](./apple/) |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
 | :material-laptop: Desktop             | Working in progress                      |
 
 Some third-party projects that claim to use sing-box or use sing-box as a selling point are not listed here. The core

docs/clients/index.zh.md

@@ -2,11 +2,11 @@
 
 由 Project S 维护，提供统一的体验与平台特定的功能。
 
-| 平台                                  | 客户端                              |
-| ------------------------------------- | ----------------------------------- |
-| :material-android: Android            | [sing-box for Android](./android/)  |
-| :material-apple: iOS/macOS/Apple tvOS | :material-alert: [不可用](./apple/) |
-| :material-laptop: Desktop             | 施工中                              |
+| 平台                                    | 客户端                                      |
+|---------------------------------------|------------------------------------------|
+| :material-android: Android            | [sing-box for Android](./android/)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
+| :material-laptop: Desktop             | 施工中                                      |
 
 此处没有列出一些声称使用或以 sing-box 为卖点的第三方项目。此类项目维护者的动机是获得更多用户，即使它们提供友好的商业
 VPN 客户端功能， 但代码质量很差且包含广告。

docs/configuration/shared/dial.zh.md

@@ -83,7 +83,10 @@
 
 如果设置，域名将在请求发出之前解析为 IP。
 
-默认使用 `dns.strategy`。
+| 出站     | 受影响的域名             | 默认回退值                                |
+|----------|--------------------------|-------------------------------------------|
+| `direct` | 请求中的域名              | `inbound.domain_strategy`                 | 
+|  others  | 服务器地址中的域名        | /                                         |
 
 #### fallback_delay
 

docs/index.md

@@ -4,12 +4,6 @@ description: Welcome to the wiki page for the sing-box project.
 
 # :material-home: Home
 
-!!! failure "Help needed"
-
-    Due to problems with our Apple developer account, sing-box apps on Apple platforms are temporarily unavailable for download or update.
-
-    If your company or organization is willing to help us return to the App Store, please [contact us](mailto:contact@sagernet.org).
-
 Welcome to the wiki page for the sing-box project.
 
 The universal proxy platform.

docs/installation/build-from-source.md

@@ -6,26 +6,18 @@ icon: material/file-code
 
 ## :material-graph: Requirements
 
-Before sing-box 1.4.0:
+### sing-box 1.10
 
-* Go 1.18.5 - 1.20.x
-
-Since sing-box 1.4.0:
-
-* Go 1.18.5 - ~
-* Go 1.20.0 - ~ with tag `with_quic` enabled
-
-Since sing-box 1.5.0:
-
-* Go 1.18.5 - ~
-* Go 1.20.0 - ~ with tag `with_quic` or `with_ech` enabled
-
-Since sing-box 1.8.0:
-
-* Go 1.18.5 - ~
+* Go 1.20.0 - ~
 * Go 1.20.0 - ~ with tag `with_quic`, or `with_utls` enabled
 * Go 1.21.0 - ~ with tag `with_ech` enabled
 
+### sing-box 1.9
+
+* Go 1.18.5 - 1.22.x
+* Go 1.20.0 - 1.22.x with tag `with_quic`, or `with_utls` enabled
+* Go 1.21.0 - 1.22.x with tag `with_ech` enabled
+
 You can download and install Go from: https://go.dev/doc/install, latest version is recommended.
 
 ## :material-fast-forward: Simple Build

docs/installation/build-from-source.zh.md

@@ -6,25 +6,17 @@ icon: material/file-code
 
 ## :material-graph: 要求
 
-sing-box 1.4.0 前:
+### sing-box 1.10
 
-* Go 1.18.5 - 1.20.x
+* Go 1.20.0 - ~
+* Go 1.20.0 - ~ with tag `with_quic`, or `with_utls` enabled
+* Go 1.21.0 - ~ with tag `with_ech` enabled
 
-从 sing-box 1.4.0:
+### sing-box 1.9
 
-* Go 1.18.5 - ~
-* Go 1.20.0 - ~ 如果启用构建标记 `with_quic`
-
-从 sing-box 1.5.0:
-
-* Go 1.18.5 - ~
-* Go 1.20.0 - ~ 如果启用构建标记 `with_quic` 或 `with_ech`
-
-从 sing-box 1.8.0:
-
-* Go 1.18.5 - ~
-* Go 1.20.0 - ~ 如果启用构建标记 `with_quic` 或 `with_utls`
-* Go 1.20.1 - ~ 如果启用构建标记 `with_ech`
+* Go 1.18.5 - 1.22.x
+* Go 1.20.0 - 1.22.x with tag `with_quic`, or `with_utls` enabled
+* Go 1.21.0 - 1.22.x with tag `with_ech` enabled
 
 您可以从 https://go.dev/doc/install 下载并安装 Go，推荐使用最新版本。
 

docs/installation/package-manager.md

@@ -24,14 +24,7 @@ icon: material/package
     sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo
     sudo dnf install sing-box # or sing-box-beta
     ```
-
-=== ":material-redhat: CentOS / YUM"
-
-    ```bash
-    sudo yum install -y yum-utils
-    sudo yum-config-manager --add-repo https://sing-box.app/sing-box.repo
-    sudo yum install sing-box # or sing-box-beta
-    ```
+    (This applies to any distribution that uses `dnf` as the package manager: Fedora, CentOS, even OpenSUSE with DNF installed.)
 
 ## :material-download-box: Manual Installation
 
@@ -46,6 +39,7 @@ icon: material/package
     ```bash
     bash <(curl -fsSL https://sing-box.app/rpm-install.sh)
     ```
+    (This applies to any distribution that uses `rpm` and `systemd`.  Because of how `rpm` defines dependencies, if it installs, it probably works.)
 
 === ":simple-archlinux: Archlinux / PKG"
 
@@ -63,6 +57,7 @@ icon: material/package
     | nixpkgs  | NixOS         | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
     | Homebrew | macOS / Linux | `brew install sing-box`      | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew]                |
     | APK      | Alpine        | `apk add sing-box`           | [![Alpine Linux Edge package](https://repology.org/badge/version-for-repo/alpine_edge/sing-box.svg)][alpine]  |
+    | DEB      | AOSC          | `apt install sing-box`       | [![AOSC package](https://repology.org/badge/version-for-repo/aosc/sing-box.svg)][aosc]                        |
 
 === ":material-apple: macOS"
 
@@ -90,6 +85,22 @@ icon: material/package
     |------------|----------|------------------------|--------------------------------------------------------------------------------------------|
     | FreshPorts | FreeBSD  | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |
 
+## :material-alert: Problematic Sources
+
+| Type       | Platform | Link                                                                                      | Promblem(s)                                                      |
+|------------|----------|-------------------------------------------------------------------------------------------|------------------------------------------------------------------|
+| DEB        | AOSC     | [aosc-os-abbs](https://github.com/AOSC-Dev/aosc-os-abbs/tree/stable/app-network/sing-box) | Problematic build tag list modification; Not actively maintained |
+| Homebrew   | /        | [homebrew-core][brew]                                                                     | Problematic build tag list modification                          |
+| Termux     | Android  | [termux-packages][termux]                                                                 | Problematic build tag list modification                          |
+| FreshPorts | FreeBSD  | [FreeBSD ports][ports]                                                                    | Old Go  (go1.20)                                                 |
+
+If you are a user of them, please report issues to them:
+
+1. Please do not modify release build tags without full understanding of the related functionality: enabling non-default
+   labels may result in decreased performance; the lack of default labels may cause user confusion.
+2. sing-box supports compiling with some older Go versions, but it is not recommended (especially versions that are no
+   longer supported by Go).
+
 ## :material-book-multiple: Service Management
 
 For Linux systems with [systemd][systemd], usually the installation already includes a sing-box service,
@@ -128,4 +139,6 @@ you can manage the service using the following command:
 
 [ports]: https://www.freshports.org/net/sing-box
 
+[aosc]: https://packages.aosc.io/packages/sing-box
+
 [systemd]: https://systemd.io/

docs/installation/package-manager.zh.md

@@ -24,14 +24,7 @@ icon: material/package
     sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo
     sudo dnf install sing-box # or sing-box-beta
     ```
-
-=== ":material-redhat: CentOS / YUM"
-
-    ```bash
-    sudo yum install -y yum-utils
-    sudo yum-config-manager --add-repo https://sing-box.app/sing-box.repo
-    sudo yum install sing-box # or sing-box-beta
-    ```
+    （这适用于任何使用 `dnf` 作为包管理器的发行版：Fedora、CentOS，甚至安装了 DNF 的 OpenSUSE。）
 
 ## :material-download-box: 手动安装
 
@@ -46,6 +39,7 @@ icon: material/package
     ```bash
     bash <(curl -fsSL https://sing-box.app/rpm-install.sh)
     ```
+    （这适用于任何使用 `rpm` 和 `systemd` 的发行版。由于 `rpm` 定义依赖关系的方式，如果安装成功，就多半能用。）
 
 === ":simple-archlinux: Archlinux / PKG"
 
@@ -63,6 +57,7 @@ icon: material/package
     | nixpkgs  | NixOS         | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
     | Homebrew | macOS / Linux | `brew install sing-box`      | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew]                |
     | APK      | Alpine        | `apk add sing-box`           | [![Alpine Linux Edge package](https://repology.org/badge/version-for-repo/alpine_edge/sing-box.svg)][alpine]  |
+    | DEB      | AOSC          | `apt install sing-box`       | [![AOSC package](https://repology.org/badge/version-for-repo/aosc/sing-box.svg)][aosc]                        |
 
 === ":material-apple: macOS"
 
@@ -90,6 +85,21 @@ icon: material/package
     |------------|---------|------------------------|--------------------------------------------------------------------------------------------|
     | FreshPorts | FreeBSD | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |
 
+
+## :material-alert: 存在问题的源
+
+| 类型         | 平台      | 链接                                                                                        | 原因                    |
+|------------|---------|-------------------------------------------------------------------------------------------|-----------------------|
+| DEB        | AOSC    | [aosc-os-abbs](https://github.com/AOSC-Dev/aosc-os-abbs/tree/stable/app-network/sing-box) | 存在问题的构建标志列表修改; 没有活跃维护 |
+| Homebrew   | /       | [homebrew-core][brew]                                                                     | 存在问题的构建标志列表修改         |
+| Termux     | Android | [termux-packages][termux]                                                                 | 存在问题的构建标志列表修改         |
+| FreshPorts | FreeBSD | [FreeBSD ports][ports]                                                                    | 太旧的 Go (go1.20)       |
+
+如果您是其用户，请向他们报告问题：
+
+1. 在未完全了解相关功能的情况下，请勿修改发布版本标签：启用非默认标签可能会导致性能下降；缺少默认标签可能会引起用户混淆。
+2. sing-box 支持使用一些较旧的 Go 版本进行编译，但不推荐使用（特别是已不再受 Go 支持的版本）。
+
 ## :material-book-multiple: 服务管理
 
 对于带有 [systemd][systemd] 的 Linux 系统，通常安装已经包含 sing-box 服务，
@@ -124,4 +134,6 @@ icon: material/package
 
 [ports]: https://www.freshports.org/net/sing-box
 
+[aosc]: https://packages.aosc.io/packages/sing-box
+
 [systemd]: https://systemd.io/

docs/manual/proxy-protocol/hysteria2.md

@@ -4,16 +4,17 @@ icon: material/lightning-bolt
 
 # Hysteria 2
 
-The most popular Chinese-made simple protocol based on QUIC, the selling point is Brutal,
-a congestion control algorithm that can resist packet loss by manually specifying the required rate by the user.
+Hysteria 2 is a simple, Chinese-made protocol based on QUIC.
+The selling point is Brutal, a congestion control algorithm that
+tries to achieve a user-defined bandwidth despite packet loss.
 
 !!! warning
 
-    Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more characteristics than TCP based proxies.
+    Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more obvious characteristics than TCP based proxies.
 
-| Specification                                                             | Binary Characteristics | Active Detect Hiddenness |
-|---------------------------------------------------------------------------|------------------------|--------------------------|
-| [hysteria.network](https://v2.hysteria.network/docs/developers/Protocol/) | :material-alert:       | :material-check:         |
+| Specification                                                             | Resists passive detection | Resists active probes |
+|---------------------------------------------------------------------------|---------------------------|-----------------------|
+| [hysteria.network](https://v2.hysteria.network/docs/developers/Protocol/) | :material-alert:          | :material-check:      |
 
 ## :material-text-box-check: Password Generator
 
@@ -44,7 +45,7 @@ To use sing-box with the official program, you need to fill in that combination
     Replace `up_mbps` and `down_mbps` values with the actual bandwidth of your server.
 
 === ":material-harddisk: With local certificate"
-    
+
     ```json
      {
       "inbounds": [

docs/manual/proxy-protocol/shadowsocks.md

@@ -4,15 +4,18 @@ icon: material/send
 
 # Shadowsocks
 
-As the most well-known Chinese-made proxy protocol,
-Shadowsocks exists in multiple versions,
-but only AEAD 2022 ciphers TCP with multiplexing is recommended.
+Shadowsocks is the most well-known Chinese-made proxy protocol.
+It exists in multiple versions, but only AEAD 2022 ciphers 
+over TCP with multiplexing is recommended.
 
-| Ciphers        | Specification                                              | Cryptographic Security | Binary Characteristics | Active Detect Hiddenness |
-|----------------|------------------------------------------------------------|------------------------|------------------------|--------------------------|
-| Stream Ciphers | [shadowsocks.org](https://shadowsocks.org/doc/stream.html) | :material-alert:       | :material-alert:       | :material-alert:         |
-| AEAD           | [shadowsocks.org](https://shadowsocks.org/doc/aead.html)   | :material-check:       | :material-alert:       | :material-alert:         |
-| AEAD 2022      | [shadowsocks.org](https://shadowsocks.org/doc/sip022.html) | :material-check:       | :material-check:       | :material-help:          |
+| Ciphers        | Specification                                              | Cryptographically sound | Resists passive detection | Resists active probes |
+|----------------|------------------------------------------------------------|-------------------------|---------------------------|-----------------------|
+| Stream Ciphers | [shadowsocks.org](https://shadowsocks.org/doc/stream.html) | :material-alert:        | :material-alert:          | :material-alert:      |
+| AEAD           | [shadowsocks.org](https://shadowsocks.org/doc/aead.html)   | :material-check:        | :material-alert:          | :material-alert:      |
+| AEAD 2022      | [shadowsocks.org](https://shadowsocks.org/doc/sip022.html) | :material-check:        | :material-check:          | :material-help:       |
+
+(We strongly recommend using multiplexing to send UDP traffic over TCP, because
+doing otherwise is vulnerable to passive detection.)
 
 ## :material-text-box-check: Password Generator
 

docs/manual/proxy-protocol/trojan.md

@@ -4,15 +4,15 @@ icon: material/horse
 
 # Trojan
 
-As the most commonly used TLS proxy made in China, Trojan can be used in various combinations,
+Torjan is the most commonly used TLS proxy made in China. It can be used in various combinations,
 but only the combination of uTLS and multiplexing is recommended.
 
-| Protocol and implementation combination | Specification                                                        | Binary Characteristics | Active Detect Hiddenness |
-|-----------------------------------------|----------------------------------------------------------------------|------------------------|--------------------------|
-| Origin / trojan-gfw                     | [trojan-gfw.github.io](https://trojan-gfw.github.io/trojan/protocol) | :material-check:       | :material-check:         |
-| Basic Go implementation                 | /                                                                    | :material-alert:       | :material-check:         |
-| with privates transport by V2Ray        | No formal definition                                                 | :material-alert:       | :material-alert:         |
-| with uTLS enabled                       | No formal definition                                                 | :material-help:        | :material-check:         |                             
+| Protocol and implementation combination | Specification                                                        | Resists passive detection | Resists active probes |
+|-----------------------------------------|----------------------------------------------------------------------|---------------------------|-----------------------|
+| Origin / trojan-gfw                     | [trojan-gfw.github.io](https://trojan-gfw.github.io/trojan/protocol) | :material-check:          | :material-check:      |
+| Basic Go implementation                 | /                                                                    | :material-alert:          | :material-check:      |
+| with privates transport by V2Ray        | No formal definition                                                 | :material-alert:          | :material-alert:      |
+| with uTLS enabled                       | No formal definition                                                 | :material-help:           | :material-check:      |
 
 ## :material-text-box-check: Password Generator
 
@@ -211,4 +211,3 @@ but only the combination of uTLS and multiplexing is recommended.
       ]
     }
     ```
-

docs/migration.md

@@ -2,6 +2,23 @@
 icon: material/arrange-bring-forward
 ---
 
+## 1.9.5
+
+### Bundle Identifier updates in Apple platform clients
+
+Due to problems with our old Apple developer account,
+we can only change Bundle Identifiers to re-list sing-box apps,
+which means the data will not be automatically inherited.
+
+For iOS, you need to back up your old data yourself (if you still have access to it);  
+for tvOS, you need to re-import profiles from your iPhone or iPad or create it manually;  
+for macOS, you can migrate the data folder using the following command:
+
+```bash
+cd ~/Library/Group\ Containers && \ 
+  mv group.io.nekohasekai.sfa group.io.nekohasekai.sfavt
+```
+
 ## 1.9.0
 
 ### `domain_suffix` behavior update

docs/migration.zh.md

@@ -2,6 +2,22 @@
 icon: material/arrange-bring-forward
 ---
 
+## 1.9.5
+
+### Apple 平台客户端的 Bundle Identifier 更新
+
+由于我们旧的苹果开发者账户存在问题，我们只能通过更新 Bundle Identifiers
+来重新上架 sing-box 应用， 这意味着数据不会自动继承。
+
+对于 iOS，您需要自行备份旧的数据（如果您仍然可以访问）；  
+对于 Apple tvOS，您需要从 iPhone 或 iPad 重新导入配置或者手动创建；  
+对于 macOS，您可以使用以下命令迁移数据文件夹：
+
+```bash
+cd ~/Library/Group\ Containers && \ 
+  mv group.io.nekohasekai.sfa group.io.nekohasekai.sfavt
+```
+
 ## 1.9.0
 
 ### `domain_suffix` 行为更新

docs/sponsors.md

@@ -0,0 +1,26 @@
+---
+icon: material/hand-coin
+---
+
+# Sponsors
+
+Do you or your friends use sing-box?
+
+You can help keep the project bug-free and feature rich by sponsoring
+the project maintainer via [GitHub Sponsors](https://github.com/sponsors/nekohasekai).
+
+![](https://nekohasekai.github.io/sponsor-images/sponsors.svg)
+
+### Special Sponsors
+
+**Viral Tech, Inc.**
+
+Helping us re-list sing-box apps on the Apple Store.
+
+---
+
+[![JetBrains logo](https://resources.jetbrains.com/storage/products/company/brand/logos/jetbrains.svg)](https://www.jetbrains.com)
+
+Free license for the amazing IDEs.
+
+---

experimental/clashapi/server.go

@@ -308,10 +308,11 @@ func authentication(serverSecret string) func(next http.Handler) http.Handler {
 
 func hello(redirect bool) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		if redirect {
-			http.Redirect(w, r, "/ui/", http.StatusTemporaryRedirect)
-		} else {
+		contentType := r.Header.Get("Content-Type")
+		if !redirect || contentType == "application/json" {
 			render.JSON(w, r, render.M{"hello": "clash"})
+		} else {
+			http.Redirect(w, r, "/ui/", http.StatusTemporaryRedirect)
 		}
 	}
 }

experimental/libbox/dns.go

@@ -69,7 +69,8 @@ func (p *platformLocalDNSTransport) Exchange(ctx context.Context, message *mDNS.
 		context: ctx,
 	}
 	var responseMessage *mDNS.Msg
-	return responseMessage, task.Run(ctx, func() error {
+	var group task.Group
+	group.Append0(func(ctx context.Context) error {
 		err = p.iif.Exchange(response, messageBytes)
 		if err != nil {
 			return err
@@ -80,6 +81,11 @@ func (p *platformLocalDNSTransport) Exchange(ctx context.Context, message *mDNS.
 		responseMessage = &response.message
 		return nil
 	})
+	err = group.Run(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return responseMessage, nil
 }
 
 func (p *platformLocalDNSTransport) Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error) {
@@ -96,7 +102,8 @@ func (p *platformLocalDNSTransport) Lookup(ctx context.Context, domain string, s
 		context: ctx,
 	}
 	var responseAddr []netip.Addr
-	return responseAddr, task.Run(ctx, func() error {
+	var group task.Group
+	group.Append0(func(ctx context.Context) error {
 		err := p.iif.Lookup(response, network, domain)
 		if err != nil {
 			return err
@@ -121,6 +128,11 @@ func (p *platformLocalDNSTransport) Lookup(ctx context.Context, domain string, s
 		}*/
 		return nil
 	})
+	err := group.Run(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return responseAddr, nil
 }
 
 type Func interface {

go.mod

@@ -16,27 +16,27 @@ require (
 	github.com/libdns/alidns v1.0.3
 	github.com/libdns/cloudflare v0.1.1
 	github.com/logrusorgru/aurora v2.0.3+incompatible
+	github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d
 	github.com/mholt/acmez v1.2.0
 	github.com/miekg/dns v1.1.59
 	github.com/ooni/go-libtor v1.1.8
 	github.com/oschwald/maxminddb-golang v1.12.0
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1
-	github.com/sagernet/gomobile v0.1.3
+	github.com/sagernet/gomobile v0.1.4
 	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f
-	github.com/sagernet/quic-go v0.46.0-beta.4
+	github.com/sagernet/quic-go v0.47.0-beta.2
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.4.2
+	github.com/sagernet/sing v0.4.3
 	github.com/sagernet/sing-dns v0.2.3
 	github.com/sagernet/sing-mux v0.2.0
 	github.com/sagernet/sing-quic v0.2.2
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/sing-tun v0.3.2
+	github.com/sagernet/sing-tun v0.3.3
 	github.com/sagernet/sing-vmess v0.1.12
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
-	github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6
 	github.com/sagernet/utls v1.5.4
 	github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
@@ -46,7 +46,7 @@ require (
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
 	golang.org/x/crypto v0.23.0
 	golang.org/x/net v0.25.0
-	golang.org/x/sys v0.21.0
+	golang.org/x/sys v0.25.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	google.golang.org/grpc v1.63.2
 	google.golang.org/protobuf v1.33.0
@@ -86,8 +86,8 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
 	golang.org/x/mod v0.18.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect

go.sum

@@ -69,6 +69,8 @@ github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
 github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
+github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d h1:j9LtzkYstLFoNvXW824QQeN7Y26uPL5249kzWKbzO9U=
+github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts=
 github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
 github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
 github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
@@ -95,19 +97,19 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1 h1:YbmpqPQEMdlk9oFSKYWRqVuu9qzNiOayIonKmv1gCXY=
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1/go.mod h1:J2yAxTFPDjrDPhuAi9aWFz2L3ox9it4qAluBBbN0H5k=
-github.com/sagernet/gomobile v0.1.3 h1:ohjIb1Ou2+1558PnZour3od69suSuvkdSVOlO1tC4B8=
-github.com/sagernet/gomobile v0.1.3/go.mod h1:Pqq2+ZVvs10U7xK+UwJgwYWUykewi8H6vlslAO73n9E=
+github.com/sagernet/gomobile v0.1.4 h1:WzX9ka+iHdupMgy2Vdich+OAt7TM8C2cZbIbzNjBrJY=
+github.com/sagernet/gomobile v0.1.4/go.mod h1:Pqq2+ZVvs10U7xK+UwJgwYWUykewi8H6vlslAO73n9E=
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y/6ZHJWrnNLoiNnSJaow6DPb8VW2I=
 github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
 github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba h1:EY5AS7CCtfmARNv2zXUOrsEMPFDGYxaw65JzA2p51Vk=
 github.com/sagernet/netlink v0.0.0-20240523065131-45e60152f9ba/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.46.0-beta.4 h1:k9f7VSKaM47AY6MPND0Qf1KRN7HwimPg9zdOFTXTiCk=
-github.com/sagernet/quic-go v0.46.0-beta.4/go.mod h1:zJmVdJUNqEDXfubf4KtIOUHHerggjBduiGRLNzJspcM=
+github.com/sagernet/quic-go v0.47.0-beta.2 h1:1tCGWFOSaXIeuQaHrwOMJIYvlupjTcaVInGQw5ArULU=
+github.com/sagernet/quic-go v0.47.0-beta.2/go.mod h1:bLVKvElSEMNv7pu7SZHscW02TYigzQ5lQu3Nh4wNh8Q=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.4.2 h1:jzGNJdZVRI0xlAfFugsIQUPvyB9SuWvbJK7zQCXc4QM=
-github.com/sagernet/sing v0.4.2/go.mod h1:ieZHA/+Y9YZfXs2I3WtuwgyCZ6GPsIR7HdKb1SdEnls=
+github.com/sagernet/sing v0.4.3 h1:Ty/NAiNnVd6844k7ujlL5lkzydhcTH5Psc432jXA4Y8=
+github.com/sagernet/sing v0.4.3/go.mod h1:ieZHA/+Y9YZfXs2I3WtuwgyCZ6GPsIR7HdKb1SdEnls=
 github.com/sagernet/sing-dns v0.2.3 h1:YzeBUn2tR38F7HtvGEQ0kLRLmZWMEgi/+7wqa4Twb1k=
 github.com/sagernet/sing-dns v0.2.3/go.mod h1:BJpJv6XLnrUbSyIntOT6DG9FW0f4fETmPAHvNjOprLg=
 github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
@@ -120,14 +122,12 @@ github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wK
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
-github.com/sagernet/sing-tun v0.3.2 h1:z0bLUT/YXH9RrJS9DsIpB0Bb9afl2hVJOmHd0zA3HJY=
-github.com/sagernet/sing-tun v0.3.2/go.mod h1:DxLIyhjWU/HwGYoX0vNGg2c5QgTQIakphU1MuERR5tQ=
+github.com/sagernet/sing-tun v0.3.3 h1:LZnQNmfGcNG2KPTPkLgc+Lo7k606QJVkPp2DnjriwUk=
+github.com/sagernet/sing-tun v0.3.3/go.mod h1:DxLIyhjWU/HwGYoX0vNGg2c5QgTQIakphU1MuERR5tQ=
 github.com/sagernet/sing-vmess v0.1.12 h1:2gFD8JJb+eTFMoa8FIVMnknEi+vCSfaiTXTfEYAYAPg=
 github.com/sagernet/sing-vmess v0.1.12/go.mod h1:luTSsfyBGAc9VhtCqwjR+dt1QgqBhuYBCONB/POhF8I=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo=
-github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6 h1:z3SJQhVyU63FT26Wn/UByW6b7q8QKB0ZkPqsyqcz2PI=
-github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6/go.mod h1:73xRZuxwkFk4aiLw28hG8W6o9cr2UPrGL9pdY2UTbvY=
 github.com/sagernet/utls v1.5.4 h1:KmsEGbB2dKUtCNC+44NwAdNAqnqQ6GA4pTO0Yik56co=
 github.com/sagernet/utls v1.5.4/go.mod h1:CTGxPWExIloRipK3XFpYv0OVyhO8kk3XCGW/ieyTh1s=
 github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8 h1:R0OMYAScomNAVpTfbHFpxqJpvwuhxSRi+g6z7gZhABs=
@@ -173,8 +173,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -184,14 +184,14 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
+golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

inbound/default_tcp_go1.20.go

@@ -6,7 +6,7 @@ import (
 	"context"
 	"net"
 
-	"github.com/sagernet/tfo-go"
+	"github.com/metacubex/tfo-go"
 )
 
 const go120Available = true

mkdocs.yml

@@ -44,6 +44,7 @@ nav:
       - Migration: migration.md
       - Deprecated: deprecated.md
       - Support: support.md
+      - Sponsors: sponsors.md
   - Installation:
       - Package Manager: installation/package-manager.md
       - Docker: installation/docker.md

outbound/wireguard.go

@@ -152,6 +152,10 @@ func (w *WireGuard) start() error {
 		}
 		bind = wireguard.NewClientBind(w.ctx, w, w.listener, isConnect, connectAddr, reserved)
 	}
+	err = w.tunDevice.Start()
+	if err != nil {
+		return err
+	}
 	wgDevice := device.NewDevice(w.tunDevice, bind, &device.Logger{
 		Verbosef: func(format string, args ...interface{}) {
 			w.logger.Debug(fmt.Sprintf(strings.ToLower(format), args...))
@@ -170,7 +174,7 @@ func (w *WireGuard) start() error {
 	}
 	w.device = wgDevice
 	w.pauseCallback = w.pauseManager.RegisterCallback(w.onPauseUpdated)
-	return w.tunDevice.Start()
+	return nil
 }
 
 func (w *WireGuard) Close() error {
@@ -180,7 +184,6 @@ func (w *WireGuard) Close() error {
 	if w.pauseCallback != nil {
 		w.pauseManager.UnregisterCallback(w.pauseCallback)
 	}
-	w.tunDevice.Close()
 	return nil
 }
 

route/router.go

@@ -832,7 +832,7 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 		conn = deadline.NewConn(conn)
 	}
 
-	if metadata.InboundOptions.SniffEnabled {
+	if metadata.InboundOptions.SniffEnabled && !sniff.Skip(metadata) {
 		buffer := buf.NewPacket()
 		sniffMetadata, err := sniff.PeekStream(ctx, conn, buffer, time.Duration(metadata.InboundOptions.SniffTimeout), sniff.StreamDomainNameQuery, sniff.TLSClientHello, sniff.HTTPHost)
 		if sniffMetadata != nil {

route/router_dns.go

@@ -188,6 +188,9 @@ func (r *Router) Lookup(ctx context.Context, domain string, strategy dns.DomainS
 	)
 	responseAddrs, cached = r.dnsClient.LookupCache(ctx, domain, strategy)
 	if cached {
+		if len(responseAddrs) == 0 {
+			return nil, dns.RCodeNameError
+		}
 		return responseAddrs, nil
 	}
 	r.dnsLogger.DebugContext(ctx, "lookup domain ", domain)

transport/wireguard/device_stack.go

@@ -230,17 +230,13 @@ func (w *StackDevice) Events() <-chan wgTun.Event {
 }
 
 func (w *StackDevice) Close() error {
-	select {
-	case <-w.done:
-		return os.ErrClosed
-	default:
-	}
+	close(w.done)
+	close(w.events)
 	w.stack.Close()
 	for _, endpoint := range w.stack.CleanupEndpoints() {
 		endpoint.Abort()
 	}
 	w.stack.Wait()
-	close(w.done)
 	return nil
 }
 

transport/wireguard/device_system.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"sync"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
@@ -21,14 +22,16 @@ import (
 var _ Device = (*SystemDevice)(nil)
 
 type SystemDevice struct {
-	dialer      N.Dialer
-	device      tun.Tun
-	batchDevice tun.LinuxTUN
-	name        string
-	mtu         int
-	events      chan wgTun.Event
-	addr4       netip.Addr
-	addr6       netip.Addr
+	dialer         N.Dialer
+	device         tun.Tun
+	batchDevice    tun.LinuxTUN
+	name           string
+	mtu            uint32
+	inet4Addresses []netip.Prefix
+	inet6Addresses []netip.Prefix
+	gso            bool
+	events         chan wgTun.Event
+	closeOnce      sync.Once
 }
 
 func NewSystemDevice(router adapter.Router, interfaceName string, localPrefixes []netip.Prefix, mtu uint32, gso bool) (*SystemDevice, error) {
@@ -44,43 +47,17 @@ func NewSystemDevice(router adapter.Router, interfaceName string, localPrefixes
 	if interfaceName == "" {
 		interfaceName = tun.CalculateInterfaceName("wg")
 	}
-	tunInterface, err := tun.New(tun.Options{
-		Name:         interfaceName,
-		Inet4Address: inet4Addresses,
-		Inet6Address: inet6Addresses,
-		MTU:          mtu,
-		GSO:          gso,
-	})
-	if err != nil {
-		return nil, err
-	}
-	var inet4Address netip.Addr
-	var inet6Address netip.Addr
-	if len(inet4Addresses) > 0 {
-		inet4Address = inet4Addresses[0].Addr()
-	}
-	if len(inet6Addresses) > 0 {
-		inet6Address = inet6Addresses[0].Addr()
-	}
-	var batchDevice tun.LinuxTUN
-	if gso {
-		batchTUN, isBatchTUN := tunInterface.(tun.LinuxTUN)
-		if !isBatchTUN {
-			return nil, E.New("GSO is not supported on current platform")
-		}
-		batchDevice = batchTUN
-	}
+
 	return &SystemDevice{
 		dialer: common.Must1(dialer.NewDefault(router, option.DialerOptions{
 			BindInterface: interfaceName,
 		})),
-		device:      tunInterface,
-		batchDevice: batchDevice,
-		name:        interfaceName,
-		mtu:         int(mtu),
-		events:      make(chan wgTun.Event),
-		addr4:       inet4Address,
-		addr6:       inet6Address,
+		name:           interfaceName,
+		mtu:            mtu,
+		inet4Addresses: inet4Addresses,
+		inet6Addresses: inet6Addresses,
+		gso:            gso,
+		events:         make(chan wgTun.Event),
 	}, nil
 }
 
@@ -93,14 +70,39 @@ func (w *SystemDevice) ListenPacket(ctx context.Context, destination M.Socksaddr
 }
 
 func (w *SystemDevice) Inet4Address() netip.Addr {
-	return w.addr4
+	if len(w.inet4Addresses) == 0 {
+		return netip.Addr{}
+	}
+	return w.inet4Addresses[0].Addr()
 }
 
 func (w *SystemDevice) Inet6Address() netip.Addr {
-	return w.addr6
+	if len(w.inet6Addresses) == 0 {
+		return netip.Addr{}
+	}
+	return w.inet6Addresses[0].Addr()
 }
 
 func (w *SystemDevice) Start() error {
+	tunInterface, err := tun.New(tun.Options{
+		Name:         w.name,
+		Inet4Address: w.inet4Addresses,
+		Inet6Address: w.inet6Addresses,
+		MTU:          w.mtu,
+		GSO:          w.gso,
+	})
+	if err != nil {
+		return err
+	}
+	w.device = tunInterface
+	if w.gso {
+		batchTUN, isBatchTUN := tunInterface.(tun.LinuxTUN)
+		if !isBatchTUN {
+			tunInterface.Close()
+			return E.New("GSO is not supported on current platform")
+		}
+		w.batchDevice = batchTUN
+	}
 	w.events <- wgTun.EventUp
 	return nil
 }
@@ -143,7 +145,7 @@ func (w *SystemDevice) Flush() error {
 }
 
 func (w *SystemDevice) MTU() (int, error) {
-	return w.mtu, nil
+	return int(w.mtu), nil
 }
 
 func (w *SystemDevice) Name() (string, error) {
@@ -155,6 +157,7 @@ func (w *SystemDevice) Events() <-chan wgTun.Event {
 }
 
 func (w *SystemDevice) Close() error {
+	close(w.events)
 	return w.device.Close()
 }