fix: correct typo in ProxyGroup health check log message (#2575 )

feat: support mieru traffic pattern configuration (#2585 )
action: Upgrade loongarch golang version
2026-02-27 17:27:09 +00:00 · 2026-02-27 11:00:47 +08:00 · 2026-02-27 10:31:35 +08:00 · 2026-02-25 13:08:18 +08:00 · 2026-02-25 12:26:08 +08:00 · 2026-02-23 21:03:22 +08:00
158 changed files with 10059 additions and 2244 deletions
--- a/.github/patch/go1.25.patch
+++ b/.github/patch/go1.25.patch
@@ -1,4 +1,5 @@
-Subject: [PATCH] Fix os.RemoveAll not working on Windows7
+Subject: [PATCH] Revert "os: remove 5ms sleep on Windows in (*Process).Wait"
 Fix os.RemoveAll not working on Windows7
 Revert "runtime: always use LoadLibraryEx to load system libraries"
 Revert "syscall: remove Windows 7 console handle workaround"
 Revert "net: remove sysSocket fallback for Windows 7"
@@ -841,3 +842,43 @@ diff --git a/src/os/root_windows.go b/src/os/root_windows.go
 +func checkPathEscapesLstat(r *Root, name string) error {
 +	return checkPathEscapes(r, name)
 +}
 Index: src/os/exec_windows.go
 IDEA additional info:
 Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
 <+>UTF-8
 ===================================================================
 diff --git a/src/os/exec_windows.go b/src/os/exec_windows.go
 --- a/src/os/exec_windows.go	(revision 0a52622d2331ff975fb0442617ec19bc352bb2ed)
 +++ b/src/os/exec_windows.go	(revision fb3d09a67fe97008ad76fea97ae88170072cbdbb)
@@ -10,6 +10,7 @@
 	"runtime"
 	"syscall"
 	"time"
 +	_ "unsafe"
 )
 // Note that Process.handle is never nil because Windows always requires
@@ -49,9 +50,23 @@
 	// than statusDone.
 	p.doRelease(statusReleased)
 +	var maj, min, build uint32
 +	rtlGetNtVersionNumbers(&maj, &min, &build)
 +	if maj < 10 {
 +		// NOTE(brainman): It seems that sometimes process is not dead
 +		// when WaitForSingleObject returns. But we do not know any
 +		// other way to wait for it. Sleeping for a while seems to do
 +		// the trick sometimes.
 +		// See https://golang.org/issue/25965 for details.
 +		time.Sleep(5 * time.Millisecond)
 +	}
 +
 	return &ProcessState{p.Pid, syscall.WaitStatus{ExitCode: ec}, &u}, nil
 }
 +//go:linkname rtlGetNtVersionNumbers syscall.rtlGetNtVersionNumbers
 +func rtlGetNtVersionNumbers(majorVersion *uint32, minorVersion *uint32, buildNumber *uint32)
 +
 func (p *Process) signal(sig Signal) error {
 	handle, status := p.handleTransientAcquire()
 	switch status {
--- a/.github/patch/go1.26.patch
+++ b/.github/patch/go1.26.patch
@@ -1,4 +1,5 @@
-Subject: [PATCH] Fix os.RemoveAll not working on Windows7
+Subject: [PATCH] Revert "os: remove 5ms sleep on Windows in (*Process).Wait"
 Fix os.RemoveAll not working on Windows7
 Revert "runtime: always use LoadLibraryEx to load system libraries"
 Revert "syscall: remove Windows 7 console handle workaround"
 Revert "net: remove sysSocket fallback for Windows 7"
@@ -840,3 +841,43 @@ diff --git a/src/os/root_windows.go b/src/os/root_windows.go
 +func checkPathEscapesLstat(r *Root, name string) error {
 +	return checkPathEscapes(r, name)
 +}
 Index: src/os/exec_windows.go
 IDEA additional info:
 Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
 <+>UTF-8
 ===================================================================
 diff --git a/src/os/exec_windows.go b/src/os/exec_windows.go
 --- a/src/os/exec_windows.go	(revision d47e0d22130d597dcf9daa6b41fd9501274f0cb2)
 +++ b/src/os/exec_windows.go	(revision 00e8daec9a4d88f44a8dc55d3bdb71878e525b41)
@@ -10,6 +10,7 @@
 	"runtime"
 	"syscall"
 	"time"
 +	_ "unsafe"
 )
 // Note that Process.handle is never nil because Windows always requires
@@ -49,9 +50,23 @@
 	// than statusDone.
 	p.doRelease(statusReleased)
 +	var maj, min, build uint32
 +	rtlGetNtVersionNumbers(&maj, &min, &build)
 +	if maj < 10 {
 +		// NOTE(brainman): It seems that sometimes process is not dead
 +		// when WaitForSingleObject returns. But we do not know any
 +		// other way to wait for it. Sleeping for a while seems to do
 +		// the trick sometimes.
 +		// See https://golang.org/issue/25965 for details.
 +		time.Sleep(5 * time.Millisecond)
 +	}
 +
 	return &ProcessState{p.Pid, syscall.WaitStatus{ExitCode: ec}, &u}, nil
 }
 +//go:linkname rtlGetNtVersionNumbers syscall.rtlGetNtVersionNumbers
 +func rtlGetNtVersionNumbers(majorVersion *uint32, minorVersion *uint32, buildNumber *uint32)
 +
 func (p *Process) signal(sig Signal) error {
 	handle, status := p.handleTransientAcquire()
 	switch status {
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -59,8 +59,8 @@ jobs:
          - { goos: linux, goarch: s390x, output: s390x, debian: s390x, rpm: s390x }
          - { goos: linux, goarch: ppc64le, output: ppc64le, debian: ppc64el, rpm: ppc64le }
-          # Go 1.25 with special patch can work on Windows 7
+          # Go 1.26 with special patch can work on Windows 7
-          # https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
+          # https://github.com/MetaCubeX/go/commits/release-branch.go1.26/
          - { goos: windows, goarch: '386', output: '386' }
          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible } # old style file name will be removed in next released
          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64 }
@@ -82,6 +82,13 @@ jobs:
          - { goos: android, goarch: arm, ndk: armv7a-linux-androideabi34, output: armv7 }
          - { goos: android, goarch: arm64, ndk: aarch64-linux-android34, output: arm64-v8 }
          # Go 1.25 with special patch can work on Windows 7
          # https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
          - { goos: windows, goarch: '386', output: '386-go125', goversion: '1.25' }
          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-v1-go125, goversion: '1.25' }
          - { goos: windows, goarch: amd64, goamd64: v2, output: amd64-v2-go125, goversion: '1.25' }
          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-v3-go125, goversion: '1.25' }
          # Go 1.24 with special patch can work on Windows 7
          # https://github.com/MetaCubeX/go/commits/release-branch.go1.24/
          - { goos: windows, goarch: '386', output: '386-go124', goversion: '1.24' }
@@ -154,22 +161,40 @@ jobs:
      if: ${{ matrix.jobs.goversion == '' && matrix.jobs.abi != '1' }}
      uses: actions/setup-go@v6
      with:
-        go-version: '1.25'
+        go-version: '1.26'
        check-latest: true # Always check for the latest patch release
    - name: Set up Go
      if: ${{ matrix.jobs.goversion != '' && matrix.jobs.abi != '1' }}
      uses: actions/setup-go@v6
      with:
        go-version: ${{ matrix.jobs.goversion }}
        check-latest: true # Always check for the latest patch release
-    - name: Set up Go1.24 loongarch abi1
+    - name: Set up Go1.25 loongarch abi1
      if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '1' }}
      run: |
-        wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.24.0/go1.24.0.linux-amd64-abi1.tar.gz
+        wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.25.5/go1.25.5.linux-amd64-abi1.tar.gz
-        sudo tar zxf go1.24.0.linux-amd64-abi1.tar.gz -C /usr/local
+        sudo tar zxf go1.25.5.linux-amd64-abi1.tar.gz -C /usr/local
        echo "/usr/local/go/bin" >> $GITHUB_PATH
-      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
+      # this patch file only works on golang1.26.x
      # that means after golang1.27 release it must be changed
      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.26/
      # revert:
      # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
      # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
      # f0894a00f4b756d4b9b4078af2e686b359493583: "os: remove 5ms sleep on Windows in (*Process).Wait"
      # sepical fix:
      # - os.RemoveAll not working on Windows7
    - name: Revert Golang1.26 commit for Windows7/8
      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }}
      run: |
        cd $(go env GOROOT)
        patch --verbose -p 1 < $GITHUB_WORKSPACE/.github/patch/go1.26.patch
      # this patch file only works on golang1.25.x
      # that means after golang1.26 release it must be changed
      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
@@ -178,15 +203,15 @@ jobs:
      # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
      # f0894a00f4b756d4b9b4078af2e686b359493583: "os: remove 5ms sleep on Windows in (*Process).Wait"
      # sepical fix:
      # - os.RemoveAll not working on Windows7
    - name: Revert Golang1.25 commit for Windows7/8
-      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }}
+      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.25' }}
      run: |
        cd $(go env GOROOT)
        patch --verbose -p 1 < $GITHUB_WORKSPACE/.github/patch/go1.25.patch
      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      # this patch file only works on golang1.24.x
      # that means after golang1.25 release it must be changed
      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.24/
@@ -201,7 +226,6 @@ jobs:
        cd $(go env GOROOT)
        patch --verbose -p 1 < $GITHUB_WORKSPACE/.github/patch/go1.24.patch
      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      # this patch file only works on golang1.23.x
      # that means after golang1.24 release it must be changed
      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
@@ -216,7 +240,6 @@ jobs:
        cd $(go env GOROOT)
        patch --verbose -p 1 < $GITHUB_WORKSPACE/.github/patch/go1.23.patch
      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      # this patch file only works on golang1.22.x
      # that means after golang1.23 release it must be changed
      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.22/
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,7 +24,7 @@ jobs:
          - 'ubuntu-24.04-arm' # arm64 linux
          - 'macos-15-intel' # amd64 macos
        go-version:
-          - '1.26.0-rc.1'
+          - '1.26'
          - '1.25'
          - '1.24'
          - '1.23'
@@ -48,19 +48,14 @@ jobs:
        uses: actions/setup-go@v6
        with:
          go-version: ${{ matrix.go-version }}
          check-latest: true # Always check for the latest patch release
      - name: Revert Golang commit for Windows7/8
-        if: ${{ runner.os == 'Windows' && matrix.go-version != '1.20' && matrix.go-version != '1.26.0-rc.1' }}
+        if: ${{ runner.os == 'Windows' && matrix.go-version != '1.20' }}
        run: |
          cd $(go env GOROOT)
          patch --verbose -p 1 < $GITHUB_WORKSPACE/.github/patch/go${{matrix.go-version}}.patch
      - name: Revert Golang commit for Windows7/8
        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.26.0-rc.1' }}
        run: |
          cd $(go env GOROOT)
          patch --verbose -p 1 < $GITHUB_WORKSPACE/.github/patch/go1.26.patch
      - name: Remove inbound test for macOS
        if: ${{ runner.os == 'macOS' }}
        run: |
--- a/adapter/outbound/ech.go
+++ b/adapter/outbound/ech.go
@@ -12,6 +12,8 @@ import (
 type ECHOptions struct {
 	Enable bool   `proxy:"enable,omitempty" obfs:"enable,omitempty"`
 	Config string `proxy:"config,omitempty" obfs:"config,omitempty"`
 	QueryServerName string `proxy:"query-server-name,omitempty" obfs:"query-server-name,omitempty"`
 }
 func (o ECHOptions) Parse() (*ech.Config, error) {
@@ -29,6 +31,9 @@ func (o ECHOptions) Parse() (*ech.Config, error) {
 		}
 	} else {
 		echConfig.GetEncryptedClientHelloConfigList = func(ctx context.Context, serverName string) ([]byte, error) {
 			if o.QueryServerName != "" { // overrides the domain name used for ECH HTTPS record queries
 				serverName = o.QueryServerName
 			}
 			return resolver.ResolveECHWithResolver(ctx, serverName, resolver.ProxyServerHostResolver)
 		}
 	}
--- a/adapter/outbound/masque.go
+++ b/adapter/outbound/masque.go
@@ -0,0 +1,397 @@
 package outbound
 import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/x509"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"net"
 	"net/netip"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 	"github.com/metacubex/mihomo/common/atomic"
 	"github.com/metacubex/mihomo/common/contextutils"
 	"github.com/metacubex/mihomo/common/pool"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/dns"
 	"github.com/metacubex/mihomo/log"
 	"github.com/metacubex/mihomo/transport/masque"
 	"github.com/metacubex/mihomo/transport/tuic/common"
 	connectip "github.com/metacubex/connect-ip-go"
 	"github.com/metacubex/quic-go"
 	wireguard "github.com/metacubex/sing-wireguard"
 	M "github.com/metacubex/sing/common/metadata"
 	"github.com/metacubex/tls"
 )
 type Masque struct {
 	*Base
 	tlsConfig  *tls.Config
 	quicConfig *quic.Config
 	tunDevice  wireguard.Device
 	resolver   resolver.Resolver
 	uri        string
 	runCtx    context.Context
 	runCancel context.CancelFunc
 	runMutex  sync.Mutex
 	running   atomic.Bool
 	runDevice atomic.Bool
 	option MasqueOption
 }
 type MasqueOption struct {
 	BasicOption
 	Name       string `proxy:"name"`
 	Server     string `proxy:"server"`
 	Port       int    `proxy:"port"`
 	PrivateKey string `proxy:"private-key"`
 	PublicKey  string `proxy:"public-key"`
 	Ip         string `proxy:"ip,omitempty"`
 	Ipv6       string `proxy:"ipv6,omitempty"`
 	URI        string `proxy:"uri,omitempty"`
 	SNI        string `proxy:"sni,omitempty"`
 	MTU        int    `proxy:"mtu,omitempty"`
 	UDP        bool   `proxy:"udp,omitempty"`
 	CongestionController string `proxy:"congestion-controller,omitempty"`
 	CWND                 int    `proxy:"cwnd,omitempty"`
 	RemoteDnsResolve bool     `proxy:"remote-dns-resolve,omitempty"`
 	Dns              []string `proxy:"dns,omitempty"`
 }
 func (option MasqueOption) Prefixes() ([]netip.Prefix, error) {
 	localPrefixes := make([]netip.Prefix, 0, 2)
 	if len(option.Ip) > 0 {
 		if !strings.Contains(option.Ip, "/") {
 			option.Ip = option.Ip + "/32"
 		}
 		if prefix, err := netip.ParsePrefix(option.Ip); err == nil {
 			localPrefixes = append(localPrefixes, prefix)
 		} else {
 			return nil, fmt.Errorf("ip address parse error: %w", err)
 		}
 	}
 	if len(option.Ipv6) > 0 {
 		if !strings.Contains(option.Ipv6, "/") {
 			option.Ipv6 = option.Ipv6 + "/128"
 		}
 		if prefix, err := netip.ParsePrefix(option.Ipv6); err == nil {
 			localPrefixes = append(localPrefixes, prefix)
 		} else {
 			return nil, fmt.Errorf("ipv6 address parse error: %w", err)
 		}
 	}
 	if len(localPrefixes) == 0 {
 		return nil, errors.New("missing local address")
 	}
 	return localPrefixes, nil
 }
 func NewMasque(option MasqueOption) (*Masque, error) {
 	outbound := &Masque{
 		Base: &Base{
 			name:   option.Name,
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Masque,
 			pdName: option.ProviderName,
 			udp:    option.UDP,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: option.IPVersion,
 		},
 	}
 	outbound.dialer = option.NewDialer(outbound.DialOptions())
 	ctx, cancel := context.WithCancel(context.Background())
 	outbound.runCtx = ctx
 	outbound.runCancel = cancel
 	privKeyB64, err := base64.StdEncoding.DecodeString(option.PrivateKey)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decode private key: %v", err)
 	}
 	privKey, err := x509.ParseECPrivateKey(privKeyB64)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse private key: %v", err)
 	}
 	endpointPubKeyB64, err := base64.StdEncoding.DecodeString(option.PublicKey)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decode public key: %v", err)
 	}
 	pubKey, err := x509.ParsePKIXPublicKey(endpointPubKeyB64)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse public key: %v", err)
 	}
 	ecPubKey, ok := pubKey.(*ecdsa.PublicKey)
 	if !ok {
 		return nil, fmt.Errorf("failed to assert public key as ECDSA")
 	}
 	uri := option.URI
 	if uri == "" {
 		uri = masque.ConnectURI
 	}
 	outbound.uri = uri
 	sni := option.SNI
 	if sni == "" {
 		sni = masque.ConnectSNI
 	}
 	tlsConfig, err := masque.PrepareTlsConfig(privKey, ecPubKey, sni)
 	if err != nil {
 		return nil, fmt.Errorf("failed to prepare TLS config: %v\n", err)
 	}
 	outbound.tlsConfig = tlsConfig
 	outbound.quicConfig = &quic.Config{
 		EnableDatagrams:   true,
 		InitialPacketSize: 1242,
 		KeepAlivePeriod:   30 * time.Second,
 	}
 	prefixes, err := option.Prefixes()
 	if err != nil {
 		return nil, err
 	}
 	outbound.option = option
 	mtu := option.MTU
 	if mtu == 0 {
 		mtu = 1280
 	}
 	if len(prefixes) == 0 {
 		return nil, errors.New("missing local address")
 	}
 	outbound.tunDevice, err = wireguard.NewStackDevice(prefixes, uint32(mtu))
 	if err != nil {
 		return nil, fmt.Errorf("create device: %w", err)
 	}
 	var has6 bool
 	for _, address := range prefixes {
 		if !address.Addr().Unmap().Is4() {
 			has6 = true
 			break
 		}
 	}
 	if option.RemoteDnsResolve && len(option.Dns) > 0 {
 		nss, err := dns.ParseNameServer(option.Dns)
 		if err != nil {
 			return nil, err
 		}
 		for i := range nss {
 			nss[i].ProxyAdapter = outbound
 		}
 		outbound.resolver = dns.NewResolver(dns.Config{
 			Main: nss,
 			IPv6: has6,
 		})
 	}
 	return outbound, nil
 }
 func (w *Masque) run(ctx context.Context) error {
 	if w.running.Load() {
 		return nil
 	}
 	w.runMutex.Lock()
 	defer w.runMutex.Unlock()
 	// double-check like sync.Once
 	if w.running.Load() {
 		return nil
 	}
 	if w.runCtx.Err() != nil {
 		return w.runCtx.Err()
 	}
 	if !w.runDevice.Load() {
 		err := w.tunDevice.Start()
 		if err != nil {
 			return err
 		}
 		w.runDevice.Store(true)
 	}
 	udpAddr, err := resolveUDPAddr(ctx, "udp", w.addr, w.prefer)
 	if err != nil {
 		return err
 	}
 	pc, err := w.dialer.ListenPacket(ctx, "udp", "", udpAddr.AddrPort())
 	if err != nil {
 		return err
 	}
 	quicConn, err := quic.Dial(ctx, pc, udpAddr, w.tlsConfig, w.quicConfig)
 	if err != nil {
 		return err
 	}
 	common.SetCongestionController(quicConn, w.option.CongestionController, w.option.CWND)
 	tr, ipConn, err := masque.ConnectTunnel(ctx, quicConn, w.uri)
 	if err != nil {
 		_ = pc.Close()
 		return err
 	}
 	w.running.Store(true)
 	runCtx, runCancel := context.WithCancel(w.runCtx)
 	contextutils.AfterFunc(runCtx, func() {
 		w.running.Store(false)
 		_ = ipConn.Close()
 		_ = tr.Close()
 		_ = pc.Close()
 	})
 	go func() {
 		defer runCancel()
 		buf := pool.Get(pool.UDPBufferSize)
 		defer pool.Put(buf)
 		bufs := [][]byte{buf}
 		sizes := []int{0}
 		for runCtx.Err() == nil {
 			_, err := w.tunDevice.Read(bufs, sizes, 0)
 			if err != nil {
 				log.Errorln("[Masque](%s) error reading from TUN device: %v", w.name, err)
 				return
 			}
 			icmp, err := ipConn.WritePacket(buf[:sizes[0]])
 			if err != nil {
 				if errors.As(err, new(*connectip.CloseError)) {
 					log.Errorln("[Masque](%s) connection closed while writing to IP connection: %v", w.name, err)
 					return
 				}
 				log.Warnln("[Masque](%s) error writing to IP connection: %v, continuing...", w.name, err)
 				continue
 			}
 			if len(icmp) > 0 {
 				if _, err := w.tunDevice.Write([][]byte{icmp}, 0); err != nil {
 					log.Warnln("[Masque](%s) error writing ICMP to TUN device: %v, continuing...", w.name, err)
 				}
 			}
 		}
 	}()
 	go func() {
 		defer runCancel()
 		buf := pool.Get(pool.UDPBufferSize)
 		defer pool.Put(buf)
 		for runCtx.Err() == nil {
 			n, err := ipConn.ReadPacket(buf)
 			if err != nil {
 				if errors.As(err, new(*connectip.CloseError)) {
 					log.Errorln("[Masque](%s) connection closed while writing to IP connection: %v", w.name, err)
 					return
 				}
 				log.Warnln("[Masque](%s) error reading from IP connection: %v, continuing...", w.name, err)
 				continue
 			}
 			if _, err := w.tunDevice.Write([][]byte{buf[:n]}, 0); err != nil {
 				log.Errorln("[Masque](%s) error writing to TUN device: %v", w.name, err)
 				return
 			}
 		}
 	}()
 	return nil
 }
 // Close implements C.ProxyAdapter
 func (w *Masque) Close() error {
 	w.runCancel()
 	if w.tunDevice != nil {
 		w.tunDevice.Close()
 	}
 	return nil
 }
 func (w *Masque) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	var conn net.Conn
 	if err = w.run(ctx); err != nil {
 		return nil, err
 	}
 	if !metadata.Resolved() || w.resolver != nil {
 		r := resolver.DefaultResolver
 		if w.resolver != nil {
 			r = w.resolver
 		}
 		options := w.DialOptions()
 		options = append(options, dialer.WithResolver(r))
 		options = append(options, dialer.WithNetDialer(wgNetDialer{tunDevice: w.tunDevice}))
 		conn, err = dialer.NewDialer(options...).DialContext(ctx, "tcp", metadata.RemoteAddress())
 	} else {
 		conn, err = w.tunDevice.DialContext(ctx, "tcp", M.SocksaddrFrom(metadata.DstIP, metadata.DstPort).Unwrap())
 	}
 	if err != nil {
 		return nil, err
 	}
 	if conn == nil {
 		return nil, errors.New("conn is nil")
 	}
 	return NewConn(conn, w), nil
 }
 func (w *Masque) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	var pc net.PacketConn
 	if err = w.run(ctx); err != nil {
 		return nil, err
 	}
 	if err = w.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	pc, err = w.tunDevice.ListenPacket(ctx, M.SocksaddrFrom(metadata.DstIP, metadata.DstPort).Unwrap())
 	if err != nil {
 		return nil, err
 	}
 	if pc == nil {
 		return nil, errors.New("packetConn is nil")
 	}
 	return newPacketConn(pc, w), nil
 }
 func (w *Masque) ResolveUDP(ctx context.Context, metadata *C.Metadata) error {
 	if (!metadata.Resolved() || w.resolver != nil) && metadata.Host != "" {
 		r := resolver.DefaultResolver
 		if w.resolver != nil {
 			r = w.resolver
 		}
 		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, r)
 		if err != nil {
 			return fmt.Errorf("can't resolve ip: %w", err)
 		}
 		metadata.DstIP = ip
 	}
 	return nil
 }
 // ProxyInfo implements C.ProxyAdapter
 func (w *Masque) ProxyInfo() C.ProxyInfo {
 	info := w.Base.ProxyInfo()
 	info.DialerProxy = w.option.DialerProxy
 	return info
 }
 // IsL3Protocol implements C.ProxyAdapter
 func (w *Masque) IsL3Protocol(metadata *C.Metadata) bool {
 	return true
 }
--- a/adapter/outbound/mieru.go
+++ b/adapter/outbound/mieru.go
@@ -15,6 +15,7 @@ import (
 	mieruclient "github.com/enfein/mieru/v3/apis/client"
 	mierucommon "github.com/enfein/mieru/v3/apis/common"
 	mierumodel "github.com/enfein/mieru/v3/apis/model"
 	mierutp "github.com/enfein/mieru/v3/apis/trafficpattern"
 	mierupb "github.com/enfein/mieru/v3/pkg/appctl/appctlpb"
 	"google.golang.org/protobuf/proto"
 )
@@ -28,16 +29,17 @@ type Mieru struct {
 type MieruOption struct {
 	BasicOption
-	Name          string `proxy:"name"`
+	Name           string `proxy:"name"`
-	Server        string `proxy:"server"`
+	Server         string `proxy:"server"`
-	Port          int    `proxy:"port,omitempty"`
+	Port           int    `proxy:"port,omitempty"`
-	PortRange     string `proxy:"port-range,omitempty"`
+	PortRange      string `proxy:"port-range,omitempty"`
-	Transport     string `proxy:"transport"`
+	Transport      string `proxy:"transport"`
-	UDP           bool   `proxy:"udp,omitempty"`
+	UDP            bool   `proxy:"udp,omitempty"`
-	UserName      string `proxy:"username"`
+	UserName       string `proxy:"username"`
-	Password      string `proxy:"password"`
+	Password       string `proxy:"password"`
-	Multiplexing  string `proxy:"multiplexing,omitempty"`
+	Multiplexing   string `proxy:"multiplexing,omitempty"`
-	HandshakeMode string `proxy:"handshake-mode,omitempty"`
+	HandshakeMode  string `proxy:"handshake-mode,omitempty"`
 	TrafficPattern string `proxy:"traffic-pattern,omitempty"`
 }
 type mieruPacketDialer struct {
@@ -291,6 +293,10 @@ func buildMieruClientConfig(option MieruOption) (*mieruclient.ClientConfig, erro
 	if handshakeMode, ok := mierupb.HandshakeMode_value[option.HandshakeMode]; ok {
 		config.Profile.HandshakeMode = (*mierupb.HandshakeMode)(&handshakeMode)
 	}
 	if option.TrafficPattern != "" {
 		trafficPattern, _ := mierutp.Decode(option.TrafficPattern)
 		config.Profile.TrafficPattern = trafficPattern
 	}
 	return config, nil
 }
@@ -345,6 +351,15 @@ func validateMieruOption(option MieruOption) error {
 			return fmt.Errorf("invalid handshake mode: %s", option.HandshakeMode)
 		}
 	}
 	if option.TrafficPattern != "" {
 		trafficPattern, err := mierutp.Decode(option.TrafficPattern)
 		if err != nil {
 			return fmt.Errorf("failed to decode traffic pattern %q: %w", option.TrafficPattern, err)
 		}
 		if err := mierutp.Validate(trafficPattern); err != nil {
 			return fmt.Errorf("invalid traffic pattern %q: %w", option.TrafficPattern, err)
 		}
 	}
 	return nil
 }
--- a/adapter/outbound/mieru_test.go
+++ b/adapter/outbound/mieru_test.go
@@ -31,12 +31,13 @@ func TestNewMieru(t *testing.T) {
 		},
 		{
 			option: MieruOption{
-				Name:      "test",
+				Name:           "test",
-				Server:    "example.com",
+				Server:         "example.com",
-				Port:      10003,
+				Port:           10003,
-				Transport: "UDP",
+				Transport:      "UDP",
-				UserName:  "test",
+				UserName:       "test",
-				Password:  "test",
+				Password:       "test",
 				TrafficPattern: "GgQIARAK",
 			},
 			wantBaseAddr: "example.com:10003",
 		},
--- a/adapter/outbound/reality.go
+++ b/adapter/outbound/reality.go
@@ -12,9 +12,9 @@ import (
 type RealityOptions struct {
 	PublicKey string `proxy:"public-key"`
-	ShortID   string `proxy:"short-id"`
+	ShortID   string `proxy:"short-id,omitempty"`
-	SupportX25519MLKEM768 bool `proxy:"support-x25519mlkem768"`
+	SupportX25519MLKEM768 bool `proxy:"support-x25519mlkem768,omitempty"`
 }
 func (o RealityOptions) Parse() (*tlsC.RealityConfig, error) {
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@@ -114,6 +114,7 @@ type kcpTunOption struct {
 	AutoExpire   int    `obfs:"autoexpire,omitempty"`
 	ScavengeTTL  int    `obfs:"scavengettl,omitempty"`
 	MTU          int    `obfs:"mtu,omitempty"`
 	RateLimit    int    `obfs:"ratelimit,omitempty"`
 	SndWnd       int    `obfs:"sndwnd,omitempty"`
 	RcvWnd       int    `obfs:"rcvwnd,omitempty"`
 	DataShard    int    `obfs:"datashard,omitempty"`
@@ -128,6 +129,7 @@ type kcpTunOption struct {
 	SockBuf      int    `obfs:"sockbuf,omitempty"`
 	SmuxVer      int    `obfs:"smuxver,omitempty"`
 	SmuxBuf      int    `obfs:"smuxbuf,omitempty"`
 	FrameSize    int    `obfs:"framesize,omitempty"`
 	StreamBuf    int    `obfs:"streambuf,omitempty"`
 	KeepAlive    int    `obfs:"keepalive,omitempty"`
 }
@@ -426,6 +428,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			AutoExpire:   kcptunOpt.AutoExpire,
 			ScavengeTTL:  kcptunOpt.ScavengeTTL,
 			MTU:          kcptunOpt.MTU,
 			RateLimit:    kcptunOpt.RateLimit,
 			SndWnd:       kcptunOpt.SndWnd,
 			RcvWnd:       kcptunOpt.RcvWnd,
 			DataShard:    kcptunOpt.DataShard,
@@ -440,6 +443,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			SockBuf:      kcptunOpt.SockBuf,
 			SmuxVer:      kcptunOpt.SmuxVer,
 			SmuxBuf:      kcptunOpt.SmuxBuf,
 			FrameSize:    kcptunOpt.FrameSize,
 			StreamBuf:    kcptunOpt.StreamBuf,
 			KeepAlive:    kcptunOpt.KeepAlive,
 		})
--- a/adapter/outbound/sudoku.go
+++ b/adapter/outbound/sudoku.go
@@ -6,6 +6,7 @@ import (
 	"net"
 	"strconv"
 	"strings"
 	"sync"
 	N "github.com/metacubex/mihomo/common/net"
 	C "github.com/metacubex/mihomo/constant"
@@ -16,6 +17,12 @@ type Sudoku struct {
 	*Base
 	option   *SudokuOption
 	baseConf sudoku.ProtocolConfig
 	httpMaskMu     sync.Mutex
 	httpMaskClient *sudoku.HTTPMaskTunnelClient
 	muxMu     sync.Mutex
 	muxClient *sudoku.MultiplexClient
 }
 type SudokuOption struct {
@@ -30,12 +37,13 @@ type SudokuOption struct {
 	TableType          string   `proxy:"table-type,omitempty"` // "prefer_ascii" or "prefer_entropy"
 	EnablePureDownlink *bool    `proxy:"enable-pure-downlink,omitempty"`
 	HTTPMask           bool     `proxy:"http-mask,omitempty"`
-	HTTPMaskMode       string   `proxy:"http-mask-mode,omitempty"`     // "legacy" (default), "stream", "poll", "auto"
+	HTTPMaskMode       string   `proxy:"http-mask-mode,omitempty"`      // "legacy" (default), "stream", "poll", "auto"
-	HTTPMaskTLS        bool     `proxy:"http-mask-tls,omitempty"`      // only for http-mask-mode stream/poll/auto
+	HTTPMaskTLS        bool     `proxy:"http-mask-tls,omitempty"`       // only for http-mask-mode stream/poll/auto
-	HTTPMaskHost       string   `proxy:"http-mask-host,omitempty"`     // optional Host/SNI override (domain or domain:port)
+	HTTPMaskHost       string   `proxy:"http-mask-host,omitempty"`      // optional Host/SNI override (domain or domain:port)
-	HTTPMaskStrategy   string   `proxy:"http-mask-strategy,omitempty"` // "random" (default), "post", "websocket"
+	PathRoot           string   `proxy:"path-root,omitempty"`           // optional first-level path prefix for HTTP tunnel endpoints
-	CustomTable        string   `proxy:"custom-table,omitempty"`       // optional custom byte layout, e.g. xpxvvpvv
+	HTTPMaskMultiplex  string   `proxy:"http-mask-multiplex,omitempty"` // "off" (default), "auto" (reuse h1/h2), "on" (single tunnel, multi-target)
-	CustomTables       []string `proxy:"custom-tables,omitempty"`      // optional table rotation patterns, overrides custom-table when non-empty
+	CustomTable        string   `proxy:"custom-table,omitempty"`        // optional custom byte layout, e.g. xpxvvpvv
 	CustomTables       []string `proxy:"custom-tables,omitempty"`       // optional table rotation patterns, overrides custom-table when non-empty
 }
 // DialContext implements C.ProxyAdapter
@@ -45,40 +53,20 @@ func (s *Sudoku) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Con
 		return nil, err
 	}
-	var c net.Conn
+	muxMode := normalizeHTTPMaskMultiplex(cfg.HTTPMaskMultiplex)
-	if !cfg.DisableHTTPMask {
+	if muxMode == "on" && !cfg.DisableHTTPMask && httpTunnelModeEnabled(cfg.HTTPMaskMode) {
-		switch strings.ToLower(strings.TrimSpace(cfg.HTTPMaskMode)) {
+		stream, muxErr := s.dialMultiplex(ctx, cfg.TargetAddress)
-		case "stream", "poll", "auto":
+		if muxErr == nil {
-			c, err = sudoku.DialHTTPMaskTunnel(ctx, cfg.ServerAddress, cfg, s.dialer.DialContext)
+			return NewConn(stream, s), nil
 		}
-	}
+		return nil, muxErr
 	if c == nil && err == nil {
 		c, err = s.dialer.DialContext(ctx, "tcp", s.addr)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", s.addr, err)
 	}
-	defer func() {
+	c, err := s.dialAndHandshake(ctx, cfg)
 		safeConnClose(c, err)
 	}()
 	if ctx.Done() != nil {
 		done := N.SetupContextForConn(ctx, c)
 		defer done(&err)
 	}
 	handshakeCfg := *cfg
 	if !handshakeCfg.DisableHTTPMask {
 		switch strings.ToLower(strings.TrimSpace(handshakeCfg.HTTPMaskMode)) {
 		case "stream", "poll", "auto":
 			handshakeCfg.DisableHTTPMask = true
 		}
 	}
 	c, err = sudoku.ClientHandshakeWithOptions(c, &handshakeCfg, sudoku.ClientHandshakeOptions{HTTPMaskStrategy: s.option.HTTPMaskStrategy})
 	if err != nil {
 		return nil, err
 	}
 	defer func() { safeConnClose(c, err) }()
 	addrBuf, err := sudoku.EncodeAddress(cfg.TargetAddress)
 	if err != nil {
@@ -86,7 +74,6 @@ func (s *Sudoku) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Con
 	}
 	if _, err = c.Write(addrBuf); err != nil {
 		_ = c.Close()
 		return nil, fmt.Errorf("send target address failed: %w", err)
 	}
@@ -104,37 +91,7 @@ func (s *Sudoku) ListenPacketContext(ctx context.Context, metadata *C.Metadata)
 		return nil, err
 	}
-	var c net.Conn
+	c, err := s.dialAndHandshake(ctx, cfg)
 	if !cfg.DisableHTTPMask {
 		switch strings.ToLower(strings.TrimSpace(cfg.HTTPMaskMode)) {
 		case "stream", "poll", "auto":
 			c, err = sudoku.DialHTTPMaskTunnel(ctx, cfg.ServerAddress, cfg, s.dialer.DialContext)
 		}
 	}
 	if c == nil && err == nil {
 		c, err = s.dialer.DialContext(ctx, "tcp", s.addr)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", s.addr, err)
 	}
 	defer func() {
 		safeConnClose(c, err)
 	}()
 	if ctx.Done() != nil {
 		done := N.SetupContextForConn(ctx, c)
 		defer done(&err)
 	}
 	handshakeCfg := *cfg
 	if !handshakeCfg.DisableHTTPMask {
 		switch strings.ToLower(strings.TrimSpace(handshakeCfg.HTTPMaskMode)) {
 		case "stream", "poll", "auto":
 			handshakeCfg.DisableHTTPMask = true
 		}
 	}
 	c, err = sudoku.ClientHandshakeWithOptions(c, &handshakeCfg, sudoku.ClientHandshakeOptions{HTTPMaskStrategy: s.option.HTTPMaskStrategy})
 	if err != nil {
 		return nil, err
 	}
@@ -224,10 +181,15 @@ func NewSudoku(option SudokuOption) (*Sudoku, error) {
 		HTTPMaskMode:            defaultConf.HTTPMaskMode,
 		HTTPMaskTLSEnabled:      option.HTTPMaskTLS,
 		HTTPMaskHost:            option.HTTPMaskHost,
 		HTTPMaskPathRoot:        strings.TrimSpace(option.PathRoot),
 		HTTPMaskMultiplex:       defaultConf.HTTPMaskMultiplex,
 	}
 	if option.HTTPMaskMode != "" {
 		baseConf.HTTPMaskMode = option.HTTPMaskMode
 	}
 	if option.HTTPMaskMultiplex != "" {
 		baseConf.HTTPMaskMultiplex = option.HTTPMaskMultiplex
 	}
 	tables, err := sudoku.NewTablesWithCustomPatterns(sudoku.ClientAEADSeed(option.Key), tableType, option.CustomTable, option.CustomTables)
 	if err != nil {
 		return nil, fmt.Errorf("build table(s) failed: %w", err)
@@ -260,3 +222,184 @@ func NewSudoku(option SudokuOption) (*Sudoku, error) {
 	outbound.dialer = option.NewDialer(outbound.DialOptions())
 	return outbound, nil
 }
 func (s *Sudoku) Close() error {
 	s.resetMuxClient()
 	s.resetHTTPMaskClient()
 	return s.Base.Close()
 }
 func normalizeHTTPMaskMultiplex(mode string) string {
 	switch strings.ToLower(strings.TrimSpace(mode)) {
 	case "", "off":
 		return "off"
 	case "auto":
 		return "auto"
 	case "on":
 		return "on"
 	default:
 		return "off"
 	}
 }
 func httpTunnelModeEnabled(mode string) bool {
 	switch strings.ToLower(strings.TrimSpace(mode)) {
 	case "stream", "poll", "auto":
 		return true
 	default:
 		return false
 	}
 }
 func (s *Sudoku) dialAndHandshake(ctx context.Context, cfg *sudoku.ProtocolConfig) (_ net.Conn, err error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("config is required")
 	}
 	handshakeCfg := *cfg
 	if !handshakeCfg.DisableHTTPMask && httpTunnelModeEnabled(handshakeCfg.HTTPMaskMode) {
 		handshakeCfg.DisableHTTPMask = true
 	}
 	upgrade := func(raw net.Conn) (net.Conn, error) {
 		return sudoku.ClientHandshake(raw, &handshakeCfg)
 	}
 	var (
 		c             net.Conn
 		handshakeDone bool
 	)
 	if !cfg.DisableHTTPMask && httpTunnelModeEnabled(cfg.HTTPMaskMode) {
 		muxMode := normalizeHTTPMaskMultiplex(cfg.HTTPMaskMultiplex)
 		switch muxMode {
 		case "auto", "on":
 			client, errX := s.getOrCreateHTTPMaskClient(cfg)
 			if errX != nil {
 				return nil, errX
 			}
 			c, err = client.Dial(ctx, upgrade)
 		default:
 			c, err = sudoku.DialHTTPMaskTunnel(ctx, cfg.ServerAddress, cfg, s.dialer.DialContext, upgrade)
 		}
 		if err == nil && c != nil {
 			handshakeDone = true
 		}
 	}
 	if c == nil && err == nil {
 		c, err = s.dialer.DialContext(ctx, "tcp", s.addr)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", s.addr, err)
 	}
 	defer func() { safeConnClose(c, err) }()
 	if ctx.Done() != nil {
 		done := N.SetupContextForConn(ctx, c)
 		defer done(&err)
 	}
 	if !handshakeDone {
 		c, err = sudoku.ClientHandshake(c, &handshakeCfg)
 		if err != nil {
 			return nil, err
 		}
 	}
 	return c, nil
 }
 func (s *Sudoku) dialMultiplex(ctx context.Context, targetAddress string) (net.Conn, error) {
 	for attempt := 0; attempt < 2; attempt++ {
 		client, err := s.getOrCreateMuxClient(ctx)
 		if err != nil {
 			return nil, err
 		}
 		stream, err := client.Dial(ctx, targetAddress)
 		if err != nil {
 			s.resetMuxClient()
 			continue
 		}
 		return stream, nil
 	}
 	return nil, fmt.Errorf("multiplex open stream failed")
 }
 func (s *Sudoku) getOrCreateMuxClient(ctx context.Context) (*sudoku.MultiplexClient, error) {
 	if s == nil {
 		return nil, fmt.Errorf("nil adapter")
 	}
 	s.muxMu.Lock()
 	if s.muxClient != nil && !s.muxClient.IsClosed() {
 		client := s.muxClient
 		s.muxMu.Unlock()
 		return client, nil
 	}
 	s.muxMu.Unlock()
 	s.muxMu.Lock()
 	defer s.muxMu.Unlock()
 	if s.muxClient != nil && !s.muxClient.IsClosed() {
 		return s.muxClient, nil
 	}
 	baseCfg := s.baseConf
 	baseConn, err := s.dialAndHandshake(ctx, &baseCfg)
 	if err != nil {
 		return nil, err
 	}
 	client, err := sudoku.StartMultiplexClient(baseConn)
 	if err != nil {
 		_ = baseConn.Close()
 		return nil, err
 	}
 	s.muxClient = client
 	return client, nil
 }
 func (s *Sudoku) resetMuxClient() {
 	s.muxMu.Lock()
 	defer s.muxMu.Unlock()
 	if s.muxClient != nil {
 		_ = s.muxClient.Close()
 		s.muxClient = nil
 	}
 }
 func (s *Sudoku) getOrCreateHTTPMaskClient(cfg *sudoku.ProtocolConfig) (*sudoku.HTTPMaskTunnelClient, error) {
 	if s == nil {
 		return nil, fmt.Errorf("nil adapter")
 	}
 	if cfg == nil {
 		return nil, fmt.Errorf("config is required")
 	}
 	s.httpMaskMu.Lock()
 	defer s.httpMaskMu.Unlock()
 	if s.httpMaskClient != nil {
 		return s.httpMaskClient, nil
 	}
 	c, err := sudoku.NewHTTPMaskTunnelClient(cfg.ServerAddress, cfg, s.dialer.DialContext)
 	if err != nil {
 		return nil, err
 	}
 	s.httpMaskClient = c
 	return c, nil
 }
 func (s *Sudoku) resetHTTPMaskClient() {
 	s.httpMaskMu.Lock()
 	defer s.httpMaskMu.Unlock()
 	if s.httpMaskClient != nil {
 		s.httpMaskClient.CloseIdleConnections()
 		s.httpMaskClient = nil
 	}
 }
--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@@ -27,9 +27,8 @@ type Trojan struct {
 	hexPassword [trojan.KeyLength]byte
 	// for gun mux
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
-	transport    *gun.TransportWrap
+	gunTransport *gun.TransportWrap
 	realityConfig *tlsC.RealityConfig
 	echConfig     *ech.Config
@@ -66,7 +65,6 @@ type TrojanSSOption struct {
 	Password string `proxy:"password,omitempty"`
 }
 // StreamConnContext implements C.ProxyAdapter
 func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
 	switch t.option.Network {
 	case "ws":
@@ -118,7 +116,7 @@ func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.
 		c, err = vmess.StreamWebsocketConn(ctx, c, wsOpts)
 	case "grpc":
-		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig, t.echConfig, t.realityConfig)
+		break // already handle in gun transport
 	default:
 		// default tcp network
 		// handle TLS
@@ -179,27 +177,14 @@ func (t *Trojan) writeHeaderContext(ctx context.Context, c net.Conn, metadata *C
 func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	var c net.Conn
 	// gun transport
-	if t.transport != nil {
+	if t.gunTransport != nil {
-		c, err = gun.StreamGunWithTransport(t.transport, t.gunConfig)
+		c, err = gun.StreamGunWithTransport(t.gunTransport, t.gunConfig)
-		if err != nil {
+	} else {
-			return nil, err
+		c, err = t.dialer.DialContext(ctx, "tcp", t.addr)
 		}
 		defer func(c net.Conn) {
 			safeConnClose(c, err)
 		}(c)
 		c, err = t.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, err
 		}
 		return NewConn(c, t), nil
 	}
 	c, err = t.dialer.DialContext(ctx, "tcp", t.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
@@ -219,35 +204,19 @@ func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata)
 	}
 	var c net.Conn
 	// grpc transport
-	if t.transport != nil {
+	if t.gunTransport != nil {
-		c, err = gun.StreamGunWithTransport(t.transport, t.gunConfig)
+		c, err = gun.StreamGunWithTransport(t.gunTransport, t.gunConfig)
-		if err != nil {
+	} else {
-			return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
+		c, err = t.dialer.DialContext(ctx, "tcp", t.addr)
 		}
 		defer func(c net.Conn) {
 			safeConnClose(c, err)
 		}(c)
 		c, err = t.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, err
 		}
 		pc := trojan.NewPacketConn(c)
 		return newPacketConn(pc, t), err
 	}
 	if err = t.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	c, err = t.dialer.DialContext(ctx, "tcp", t.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
 	c, err = t.StreamConnContext(ctx, c, metadata)
 	if err != nil {
 		return nil, err
@@ -271,8 +240,8 @@ func (t *Trojan) ProxyInfo() C.ProxyInfo {
 // Close implements C.ProxyAdapter
 func (t *Trojan) Close() error {
-	if t.transport != nil {
+	if t.gunTransport != nil {
-		return t.transport.Close()
+		return t.gunTransport.Close()
 	}
 	return nil
 }
@@ -336,28 +305,24 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			return c, nil
 		}
-		tlsConfig, err := ca.GetTLSConfig(ca.Option{
+		tlsConfig := &vmess.TLSConfig{
-			TLSConfig: &tls.Config{
+			Host:              option.SNI,
-				NextProtos:         option.ALPN,
+			SkipCertVerify:    option.SkipCertVerify,
-				MinVersion:         tls.VersionTLS12,
+			FingerPrint:       option.Fingerprint,
-				InsecureSkipVerify: option.SkipCertVerify,
+			Certificate:       option.Certificate,
-				ServerName:         option.SNI,
+			PrivateKey:        option.PrivateKey,
-			},
+			ClientFingerprint: option.ClientFingerprint,
-			Fingerprint: option.Fingerprint,
+			NextProtos:        []string{"h2"},
-			Certificate: option.Certificate,
+			ECH:               t.echConfig,
-			PrivateKey:  option.PrivateKey,
+			Reality:           t.realityConfig,
 		})
 		if err != nil {
 			return nil, err
 		}
-		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, option.ClientFingerprint, t.echConfig, t.realityConfig)
+		t.gunTransport = gun.NewHTTP2Client(dialFn, tlsConfig)
 		t.gunTLSConfig = tlsConfig
 		t.gunConfig = &gun.Config{
-			ServiceName:       option.GrpcOpts.GrpcServiceName,
+			ServiceName: option.GrpcOpts.GrpcServiceName,
-			Host:              option.SNI,
+			UserAgent:   option.GrpcOpts.GrpcUserAgent,
-			ClientFingerprint: option.ClientFingerprint,
+			Host:        option.SNI,
 		}
 	}
--- a/adapter/outbound/trusttunnel.go
+++ b/adapter/outbound/trusttunnel.go
@@ -0,0 +1,144 @@
 package outbound
 import (
 	"context"
 	"net"
 	"net/netip"
 	"strconv"
 	N "github.com/metacubex/mihomo/common/net"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/trusttunnel"
 	"github.com/metacubex/mihomo/transport/vmess"
 )
 type TrustTunnel struct {
 	*Base
 	client *trusttunnel.Client
 	option *TrustTunnelOption
 }
 type TrustTunnelOption struct {
 	BasicOption
 	Name              string     `proxy:"name"`
 	Server            string     `proxy:"server"`
 	Port              int        `proxy:"port"`
 	UserName          string     `proxy:"username,omitempty"`
 	Password          string     `proxy:"password,omitempty"`
 	ALPN              []string   `proxy:"alpn,omitempty"`
 	SNI               string     `proxy:"sni,omitempty"`
 	ECHOpts           ECHOptions `proxy:"ech-opts,omitempty"`
 	ClientFingerprint string     `proxy:"client-fingerprint,omitempty"`
 	SkipCertVerify    bool       `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint       string     `proxy:"fingerprint,omitempty"`
 	Certificate       string     `proxy:"certificate,omitempty"`
 	PrivateKey        string     `proxy:"private-key,omitempty"`
 	UDP               bool       `proxy:"udp,omitempty"`
 	HealthCheck       bool       `proxy:"health-check,omitempty"`
 	Quic                 bool   `proxy:"quic,omitempty"`
 	CongestionController string `proxy:"congestion-controller,omitempty"`
 	CWND                 int    `proxy:"cwnd,omitempty"`
 }
 func (t *TrustTunnel) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	c, err := t.client.Dial(ctx, metadata.RemoteAddress())
 	if err != nil {
 		return nil, err
 	}
 	return NewConn(c, t), nil
 }
 func (t *TrustTunnel) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if err = t.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	pc, err := t.client.ListenPacket(ctx)
 	if err != nil {
 		return nil, err
 	}
 	return newPacketConn(N.NewThreadSafePacketConn(pc), t), nil
 }
 // SupportUOT implements C.ProxyAdapter
 func (t *TrustTunnel) SupportUOT() bool {
 	return true
 }
 // ProxyInfo implements C.ProxyAdapter
 func (t *TrustTunnel) ProxyInfo() C.ProxyInfo {
 	info := t.Base.ProxyInfo()
 	info.DialerProxy = t.option.DialerProxy
 	return info
 }
 // Close implements C.ProxyAdapter
 func (t *TrustTunnel) Close() error {
 	return t.client.Close()
 }
 func NewTrustTunnel(option TrustTunnelOption) (*TrustTunnel, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	outbound := &TrustTunnel{
 		Base: &Base{
 			name:   option.Name,
 			addr:   addr,
 			tp:     C.TrustTunnel,
 			pdName: option.ProviderName,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			mpTcp:  option.MPTCP,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: option.IPVersion,
 		},
 		option: &option,
 	}
 	outbound.dialer = option.NewDialer(outbound.DialOptions())
 	tOption := trusttunnel.ClientOptions{
 		Dialer: outbound.dialer,
 		ResolvUDP: func(ctx context.Context, server string) (netip.AddrPort, error) {
 			udpAddr, err := resolveUDPAddr(ctx, "udp", server, option.IPVersion)
 			if err != nil {
 				return netip.AddrPort{}, err
 			}
 			return udpAddr.AddrPort(), nil
 		},
 		Server:                addr,
 		Username:              option.UserName,
 		Password:              option.Password,
 		QUIC:                  option.Quic,
 		QUICCongestionControl: option.CongestionController,
 		QUICCwnd:              option.CWND,
 		HealthCheck:           option.HealthCheck,
 	}
 	echConfig, err := option.ECHOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 	tlsConfig := &vmess.TLSConfig{
 		Host:              option.SNI,
 		SkipCertVerify:    option.SkipCertVerify,
 		NextProtos:        option.ALPN,
 		FingerPrint:       option.Fingerprint,
 		Certificate:       option.Certificate,
 		PrivateKey:        option.PrivateKey,
 		ClientFingerprint: option.ClientFingerprint,
 		ECH:               echConfig,
 	}
 	if tlsConfig.Host == "" {
 		tlsConfig.Host = option.Server
 	}
 	tOption.TLSConfig = tlsConfig
 	client, err := trusttunnel.NewClient(context.TODO(), tOption)
 	if err != nil {
 		return nil, err
 	}
 	outbound.client = client
 	return outbound, nil
 }
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@@ -33,9 +33,8 @@ type Vless struct {
 	encryption *encryption.ClientInstance
 	// for gun mux
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
-	transport    *gun.TransportWrap
+	gunTransport *gun.TransportWrap
 	realityConfig *tlsC.RealityConfig
 	echConfig     *ech.Config
@@ -151,7 +150,7 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		c, err = vmess.StreamH2Conn(ctx, c, h2Opts)
 	case "grpc":
-		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.echConfig, v.realityConfig)
+		break // already handle in gun transport
 	default:
 		// default tcp network
 		// handle TLS
@@ -234,23 +233,11 @@ func (v *Vless) streamTLSConn(ctx context.Context, conn net.Conn, isH2 bool) (ne
 func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	var c net.Conn
 	// gun transport
-	if v.transport != nil {
+	if v.gunTransport != nil {
-		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
+		c, err = gun.StreamGunWithTransport(v.gunTransport, v.gunConfig)
-		if err != nil {
+	} else {
-			return nil, err
+		c, err = v.dialer.DialContext(ctx, "tcp", v.addr)
 		}
 		defer func(c net.Conn) {
 			safeConnClose(c, err)
 		}(c)
 		c, err = v.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, err
 		}
 		return NewConn(c, v), nil
 	}
 	c, err = v.dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
@@ -272,28 +259,11 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (
 	}
 	var c net.Conn
 	// gun transport
-	if v.transport != nil {
+	if v.gunTransport != nil {
-		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
+		c, err = gun.StreamGunWithTransport(v.gunTransport, v.gunConfig)
-		if err != nil {
+	} else {
-			return nil, err
+		c, err = v.dialer.DialContext(ctx, "tcp", v.addr)
 		}
 		defer func(c net.Conn) {
 			safeConnClose(c, err)
 		}(c)
 		c, err = v.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, fmt.Errorf("new vless client error: %v", err)
 		}
 		return v.ListenPacketOnStreamConn(ctx, c, metadata)
 	}
 	if err = v.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	c, err = v.dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
@@ -348,8 +318,8 @@ func (v *Vless) ProxyInfo() C.ProxyInfo {
 // Close implements C.ProxyAdapter
 func (v *Vless) Close() error {
-	if v.transport != nil {
+	if v.gunTransport != nil {
-		return v.transport.Close()
+		return v.gunTransport.Close()
 	}
 	return nil
 }
@@ -461,37 +431,35 @@ func NewVless(option VlessOption) (*Vless, error) {
 		}
 		gunConfig := &gun.Config{
-			ServiceName:       v.option.GrpcOpts.GrpcServiceName,
+			ServiceName: option.GrpcOpts.GrpcServiceName,
-			Host:              v.option.ServerName,
+			UserAgent:   option.GrpcOpts.GrpcUserAgent,
-			ClientFingerprint: v.option.ClientFingerprint,
+			Host:        option.ServerName,
 		}
 		if option.ServerName == "" {
 			gunConfig.Host = v.addr
 		}
-		var tlsConfig *tls.Config
+		var tlsConfig *vmess.TLSConfig
 		if option.TLS {
-			tlsConfig, err = ca.GetTLSConfig(ca.Option{
+			tlsConfig = &vmess.TLSConfig{
-				TLSConfig: &tls.Config{
+				Host:              option.ServerName,
-					InsecureSkipVerify: v.option.SkipCertVerify,
+				SkipCertVerify:    option.SkipCertVerify,
-					ServerName:         v.option.ServerName,
+				FingerPrint:       option.Fingerprint,
-				},
+				Certificate:       option.Certificate,
-				Fingerprint: v.option.Fingerprint,
+				PrivateKey:        option.PrivateKey,
-				Certificate: v.option.Certificate,
+				ClientFingerprint: option.ClientFingerprint,
-				PrivateKey:  v.option.PrivateKey,
+				NextProtos:        []string{"h2"},
-			})
+				ECH:               v.echConfig,
-			if err != nil {
+				Reality:           v.realityConfig,
 				return nil, err
 			}
 			if option.ServerName == "" {
 				host, _, _ := net.SplitHostPort(v.addr)
-				tlsConfig.ServerName = host
+				tlsConfig.Host = host
 			}
 		}
 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig
-		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.echConfig, v.realityConfig)
+		v.gunTransport = gun.NewHTTP2Client(dialFn, tlsConfig)
 	}
 	return v, nil
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@@ -34,9 +34,8 @@ type Vmess struct {
 	option *VmessOption
 	// for gun mux
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
-	transport    *gun.TransportWrap
+	gunTransport *gun.TransportWrap
 	realityConfig *tlsC.RealityConfig
 	echConfig     *ech.Config
@@ -86,6 +85,7 @@ type HTTP2Options struct {
 type GrpcOptions struct {
 	GrpcServiceName string `proxy:"grpc-service-name,omitempty"`
 	GrpcUserAgent   string `proxy:"grpc-user-agent,omitempty"`
 }
 type WSOptions struct {
@@ -97,7 +97,6 @@ type WSOptions struct {
 	V2rayHttpUpgradeFastOpen bool              `proxy:"v2ray-http-upgrade-fast-open,omitempty"`
 }
 // StreamConnContext implements C.ProxyAdapter
 func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
 	switch v.option.Network {
 	case "ws":
@@ -204,7 +203,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		c, err = mihomoVMess.StreamH2Conn(ctx, c, h2Opts)
 	case "grpc":
-		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.echConfig, v.realityConfig)
+		break // already handle in gun transport
 	default:
 		// handle TLS
 		if v.option.TLS {
@@ -295,23 +294,11 @@ func (v *Vmess) streamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	var c net.Conn
 	// gun transport
-	if v.transport != nil {
+	if v.gunTransport != nil {
-		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
+		c, err = gun.StreamGunWithTransport(v.gunTransport, v.gunConfig)
-		if err != nil {
+	} else {
-			return nil, err
+		c, err = v.dialer.DialContext(ctx, "tcp", v.addr)
 		}
 		defer func(c net.Conn) {
 			safeConnClose(c, err)
 		}(c)
 		c, err = v.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, err
 		}
 		return NewConn(c, v), nil
 	}
 	c, err = v.dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
@@ -330,27 +317,11 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (
 	}
 	var c net.Conn
 	// gun transport
-	if v.transport != nil {
+	if v.gunTransport != nil {
-		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
+		c, err = gun.StreamGunWithTransport(v.gunTransport, v.gunConfig)
-		if err != nil {
+	} else {
-			return nil, err
+		c, err = v.dialer.DialContext(ctx, "tcp", v.addr)
 		}
 		defer func(c net.Conn) {
 			safeConnClose(c, err)
 		}(c)
 		c, err = v.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, fmt.Errorf("new vmess client error: %v", err)
 		}
 		return v.ListenPacketOnStreamConn(ctx, c, metadata)
 	}
 	if err = v.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	c, err = v.dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
@@ -374,8 +345,8 @@ func (v *Vmess) ProxyInfo() C.ProxyInfo {
 // Close implements C.ProxyAdapter
 func (v *Vmess) Close() error {
-	if v.transport != nil {
+	if v.gunTransport != nil {
-		return v.transport.Close()
+		return v.gunTransport.Close()
 	}
 	return nil
 }
@@ -466,37 +437,35 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		}
 		gunConfig := &gun.Config{
-			ServiceName:       v.option.GrpcOpts.GrpcServiceName,
+			ServiceName: option.GrpcOpts.GrpcServiceName,
-			Host:              v.option.ServerName,
+			UserAgent:   option.GrpcOpts.GrpcUserAgent,
-			ClientFingerprint: v.option.ClientFingerprint,
+			Host:        option.ServerName,
 		}
 		if option.ServerName == "" {
 			gunConfig.Host = v.addr
 		}
-		var tlsConfig *tls.Config
+		var tlsConfig *mihomoVMess.TLSConfig
 		if option.TLS {
-			tlsConfig, err = ca.GetTLSConfig(ca.Option{
+			tlsConfig = &mihomoVMess.TLSConfig{
-				TLSConfig: &tls.Config{
+				Host:              option.ServerName,
-					InsecureSkipVerify: v.option.SkipCertVerify,
+				SkipCertVerify:    option.SkipCertVerify,
-					ServerName:         v.option.ServerName,
+				FingerPrint:       option.Fingerprint,
-				},
+				Certificate:       option.Certificate,
-				Fingerprint: v.option.Fingerprint,
+				PrivateKey:        option.PrivateKey,
-				Certificate: v.option.Certificate,
+				ClientFingerprint: option.ClientFingerprint,
-				PrivateKey:  v.option.PrivateKey,
+				NextProtos:        []string{"h2"},
-			})
+				ECH:               v.echConfig,
-			if err != nil {
+				Reality:           v.realityConfig,
 				return nil, err
 			}
 			if option.ServerName == "" {
 				host, _, _ := net.SplitHostPort(v.addr)
-				tlsConfig.ServerName = host
+				tlsConfig.Host = host
 			}
 		}
 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig
-		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.echConfig, v.realityConfig)
+		v.gunTransport = gun.NewHTTP2Client(dialFn, tlsConfig)
 	}
 	return v, nil
--- a/adapter/outbound/wireguard.go
+++ b/adapter/outbound/wireguard.go
@@ -77,8 +77,8 @@ type WireGuardOption struct {
 }
 type WireGuardPeerOption struct {
-	Server       string   `proxy:"server"`
+	Server       string   `proxy:"server,omitempty"`
-	Port         int      `proxy:"port"`
+	Port         int      `proxy:"port,omitempty"`
 	PublicKey    string   `proxy:"public-key,omitempty"`
 	PreSharedKey string   `proxy:"pre-shared-key,omitempty"`
 	Reserved     []uint8  `proxy:"reserved,omitempty"`
@@ -178,7 +178,7 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 		},
 	}
 	outbound.dialer = option.NewDialer(outbound.DialOptions())
-	singDialer := proxydialer.NewSlowDownSingDialer(proxydialer.NewSingDialer(outbound.dialer), slowdown.New())
+	singDialer := proxydialer.NewSingDialer(proxydialer.NewSlowDownDialer(outbound.dialer, slowdown.New()))
 	var reserved [3]uint8
 	if len(option.Reserved) > 0 {
--- a/adapter/outboundgroup/groupbase.go
+++ b/adapter/outboundgroup/groupbase.go
@@ -272,7 +272,7 @@ func (gb *GroupBase) onDialFailed(adapterType C.AdapterType, err error, fn func(
 			log.Debugln("ProxyGroup: %s failed count: %d", gb.Name(), gb.failedTimes)
 			if gb.failedTimes >= gb.maxFailedTimes {
-				log.Warnln("because %s failed multiple times, active health check", gb.Name())
+				log.Warnln("because %s failed multiple times, activate health check", gb.Name())
 				fn()
 			}
 		}
--- a/adapter/outboundgroup/parser.go
+++ b/adapter/outboundgroup/parser.go
@@ -42,10 +42,6 @@ type GroupCommonOption struct {
 	IncludeAllProviders bool     `group:"include-all-providers,omitempty"`
 	Hidden              bool     `group:"hidden,omitempty"`
 	Icon                string   `group:"icon,omitempty"`
 	// removed configs, only for error logging
 	Interface   string `group:"interface-name,omitempty"`
 	RoutingMark int    `group:"routing-mark,omitempty"`
 }
 func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, providersMap map[string]P.ProxyProvider, AllProxies []string, AllProviders []string) (C.ProxyAdapter, error) {
@@ -62,12 +58,15 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 		return nil, errFormat
 	}
-	if groupOption.RoutingMark != 0 {
+	if _, ok := config["routing-mark"]; ok {
 		log.Errorln("The group [%s] with routing-mark configuration was removed, please set it directly on the proxy instead", groupOption.Name)
 	}
-	if groupOption.Interface != "" {
+	if _, ok := config["interface-name"]; ok {
 		log.Errorln("The group [%s] with interface-name configuration was removed, please set it directly on the proxy instead", groupOption.Name)
 	}
 	if _, ok := config["dialer-proxy"]; ok {
 		log.Errorln("The group [%s] with dialer-proxy configuration is not allowed, please set it directly on the proxy instead", groupOption.Name)
 	}
 	groupName := groupOption.Name
--- a/adapter/parser.go
+++ b/adapter/parser.go
@@ -159,6 +159,20 @@ func ParseProxy(mapping map[string]any, options ...ProxyOption) (C.Proxy, error)
 			break
 		}
 		proxy, err = outbound.NewSudoku(*sudokuOption)
 	case "masque":
 		masqueOption := &outbound.MasqueOption{BasicOption: basicOption}
 		err = decoder.Decode(mapping, masqueOption)
 		if err != nil {
 			break
 		}
 		proxy, err = outbound.NewMasque(*masqueOption)
 	case "trusttunnel":
 		trustTunnelOption := &outbound.TrustTunnelOption{BasicOption: basicOption}
 		err = decoder.Decode(mapping, trustTunnelOption)
 		if err != nil {
 			break
 		}
 		proxy, err = outbound.NewTrustTunnel(*trustTunnelOption)
 	default:
 		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)
 	}
--- a/adapter/provider/override.go
+++ b/adapter/provider/override.go
@@ -0,0 +1,88 @@
 package provider
 import (
 	"encoding"
 	"fmt"
 	"github.com/dlclark/regexp2"
 )
 type overrideSchema struct {
 	TFO            *bool   `provider:"tfo,omitempty"`
 	MPTcp          *bool   `provider:"mptcp,omitempty"`
 	UDP            *bool   `provider:"udp,omitempty"`
 	UDPOverTCP     *bool   `provider:"udp-over-tcp,omitempty"`
 	Up             *string `provider:"up,omitempty"`
 	Down           *string `provider:"down,omitempty"`
 	DialerProxy    *string `provider:"dialer-proxy,omitempty"`
 	SkipCertVerify *bool   `provider:"skip-cert-verify,omitempty"`
 	Interface      *string `provider:"interface-name,omitempty"`
 	RoutingMark    *int    `provider:"routing-mark,omitempty"`
 	IPVersion      *string `provider:"ip-version,omitempty"`
 	AdditionalPrefix *string                   `provider:"additional-prefix,omitempty"`
 	AdditionalSuffix *string                   `provider:"additional-suffix,omitempty"`
 	ProxyName        []overrideProxyNameSchema `provider:"proxy-name,omitempty"`
 }
 type overrideProxyNameSchema struct {
 	// matching expression for regex replacement
 	Pattern *regexp2.Regexp `provider:"pattern"`
 	// the new content after regex matching
 	Target string `provider:"target"`
 }
 var _ encoding.TextUnmarshaler = (*regexp2.Regexp)(nil) // ensure *regexp2.Regexp can decode direct by structure package
 func (o *overrideSchema) Apply(mapping map[string]any) error {
 	if o.TFO != nil {
 		mapping["tfo"] = *o.TFO
 	}
 	if o.MPTcp != nil {
 		mapping["mptcp"] = *o.MPTcp
 	}
 	if o.UDP != nil {
 		mapping["udp"] = *o.UDP
 	}
 	if o.UDPOverTCP != nil {
 		mapping["udp-over-tcp"] = *o.UDPOverTCP
 	}
 	if o.Up != nil {
 		mapping["up"] = *o.Up
 	}
 	if o.Down != nil {
 		mapping["down"] = *o.Down
 	}
 	if o.DialerProxy != nil {
 		mapping["dialer-proxy"] = *o.DialerProxy
 	}
 	if o.SkipCertVerify != nil {
 		mapping["skip-cert-verify"] = *o.SkipCertVerify
 	}
 	if o.Interface != nil {
 		mapping["interface-name"] = *o.Interface
 	}
 	if o.RoutingMark != nil {
 		mapping["routing-mark"] = *o.RoutingMark
 	}
 	if o.IPVersion != nil {
 		mapping["ip-version"] = *o.IPVersion
 	}
 	for _, expr := range o.ProxyName {
 		name := mapping["name"].(string)
 		newName, err := expr.Pattern.Replace(name, expr.Target, 0, -1)
 		if err != nil {
 			return fmt.Errorf("proxy name replace error: %w", err)
 		}
 		mapping["name"] = newName
 	}
 	if o.AdditionalPrefix != nil {
 		mapping["name"] = fmt.Sprintf("%s%s", *o.AdditionalPrefix, mapping["name"])
 	}
 	if o.AdditionalSuffix != nil {
 		mapping["name"] = fmt.Sprintf("%s%s", mapping["name"], *o.AdditionalSuffix)
 	}
 	return nil
 }
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@@ -1,7 +1,6 @@
 package provider
 import (
 	"encoding"
 	"errors"
 	"fmt"
 	"time"
@@ -11,8 +10,6 @@ import (
 	"github.com/metacubex/mihomo/component/resource"
 	C "github.com/metacubex/mihomo/constant"
 	P "github.com/metacubex/mihomo/constant/provider"
 	"github.com/dlclark/regexp2"
 )
 var (
@@ -28,33 +25,6 @@ type healthCheckSchema struct {
 	ExpectedStatus string `provider:"expected-status,omitempty"`
 }
 type OverrideProxyNameSchema struct {
 	// matching expression for regex replacement
 	Pattern *regexp2.Regexp `provider:"pattern"`
 	// the new content after regex matching
 	Target string `provider:"target"`
 }
 var _ encoding.TextUnmarshaler = (*regexp2.Regexp)(nil) // ensure *regexp2.Regexp can decode direct by structure package
 type OverrideSchema struct {
 	TFO              *bool   `provider:"tfo,omitempty"`
 	MPTcp            *bool   `provider:"mptcp,omitempty"`
 	UDP              *bool   `provider:"udp,omitempty"`
 	UDPOverTCP       *bool   `provider:"udp-over-tcp,omitempty"`
 	Up               *string `provider:"up,omitempty"`
 	Down             *string `provider:"down,omitempty"`
 	DialerProxy      *string `provider:"dialer-proxy,omitempty"`
 	SkipCertVerify   *bool   `provider:"skip-cert-verify,omitempty"`
 	Interface        *string `provider:"interface-name,omitempty"`
 	RoutingMark      *int    `provider:"routing-mark,omitempty"`
 	IPVersion        *string `provider:"ip-version,omitempty"`
 	AdditionalPrefix *string `provider:"additional-prefix,omitempty"`
 	AdditionalSuffix *string `provider:"additional-suffix,omitempty"`
 	ProxyName []OverrideProxyNameSchema `provider:"proxy-name,omitempty"`
 }
 type proxyProviderSchema struct {
 	Type          string           `provider:"type"`
 	Path          string           `provider:"path,omitempty"`
@@ -69,7 +39,7 @@ type proxyProviderSchema struct {
 	Payload       []map[string]any `provider:"payload,omitempty"`
 	HealthCheck healthCheckSchema   `provider:"health-check,omitempty"`
-	Override    OverrideSchema      `provider:"override,omitempty"`
+	Override    overrideSchema      `provider:"override,omitempty"`
 	Header      map[string][]string `provider:"header,omitempty"`
 }
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"reflect"
 	"runtime"
 	"strings"
 	"sync"
@@ -13,6 +12,7 @@ import (
 	"github.com/metacubex/mihomo/adapter"
 	"github.com/metacubex/mihomo/common/convert"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/common/yaml"
 	"github.com/metacubex/mihomo/component/profile/cachefile"
 	"github.com/metacubex/mihomo/component/resource"
 	C "github.com/metacubex/mihomo/constant"
@@ -21,7 +21,6 @@ import (
 	"github.com/dlclark/regexp2"
 	"github.com/metacubex/http"
 	"gopkg.in/yaml.v3"
 )
 const (
@@ -340,7 +339,7 @@ func (cp *CompatibleProvider) Close() error {
 	return cp.compatibleProvider.Close()
 }
-func NewProxiesParser(pdName string, filter string, excludeFilter string, excludeType string, dialerProxy string, override OverrideSchema) (resource.Parser[[]C.Proxy], error) {
+func NewProxiesParser(pdName string, filter string, excludeFilter string, excludeType string, dialerProxy string, override overrideSchema) (resource.Parser[[]C.Proxy], error) {
 	var excludeTypeArray []string
 	if excludeType != "" {
 		excludeTypeArray = strings.Split(excludeType, "|")
@@ -429,33 +428,9 @@ func NewProxiesParser(pdName string, filter string, excludeFilter string, exclud
 					mapping["dialer-proxy"] = dialerProxy
 				}
-				val := reflect.ValueOf(override)
+				err := override.Apply(mapping)
-				for i := 0; i < val.NumField(); i++ {
+				if err != nil {
-					field := val.Field(i)
+					return nil, fmt.Errorf("proxy %d override error: %w", idx, err)
 					if field.IsNil() {
 						continue
 					}
 					fieldName := strings.Split(val.Type().Field(i).Tag.Get("provider"), ",")[0]
 					switch fieldName {
 					case "additional-prefix":
 						name := mapping["name"].(string)
 						mapping["name"] = *field.Interface().(*string) + name
 					case "additional-suffix":
 						name := mapping["name"].(string)
 						mapping["name"] = name + *field.Interface().(*string)
 					case "proxy-name":
 						// Iterate through all naming replacement rules and perform the replacements.
 						for _, expr := range override.ProxyName {
 							name := mapping["name"].(string)
 							newName, err := expr.Pattern.Replace(name, expr.Target, 0, -1)
 							if err != nil {
 								return nil, fmt.Errorf("proxy name replace error: %w", err)
 							}
 							mapping["name"] = newName
 						}
 					default:
 						mapping[fieldName] = field.Elem().Interface()
 					}
 				}
 				proxy, err := adapter.ParseProxy(mapping, adapter.WithProviderName(pdName))
--- a/android_tz.go
+++ b/android_tz.go
@@ -1,6 +1,8 @@
 // Copyright 2014 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build android && cgo
 // +build android,cgo
 // kanged from https://github.com/golang/mobile/blob/c713f31d574bb632a93f169b2cc99c9e753fef0e/app/android.go#L89
--- a/common/buf/sing.go
+++ b/common/buf/sing.go
@@ -1,7 +1,6 @@
 package buf
 import (
 	"github.com/metacubex/sing/common"
 	"github.com/metacubex/sing/common/buf"
 )
@@ -9,14 +8,52 @@ const BufferSize = buf.BufferSize
 type Buffer = buf.Buffer
-var New = buf.New
+func New() *Buffer {
-var NewPacket = buf.NewPacket
+	return buf.New()
-var NewSize = buf.NewSize
+}
 var With = buf.With
 var As = buf.As
 var ReleaseMulti = buf.ReleaseMulti
-var (
+func NewPacket() *Buffer {
-	Must  = common.Must
+	return buf.NewPacket()
-	Error = common.Error
+}
-)
+
 func NewSize(size int) *Buffer {
 	return buf.NewSize(size)
 }
 func With(data []byte) *Buffer {
 	return buf.With(data)
 }
 func As(data []byte) *Buffer {
 	return buf.As(data)
 }
 func ReleaseMulti(buffers []*Buffer) {
 	buf.ReleaseMulti(buffers)
 }
 func Error(_ any, err error) error {
 	return err
 }
 func Must(errs ...error) {
 	for _, err := range errs {
 		if err != nil {
 			panic(err)
 		}
 	}
 }
 func Must1[T any](result T, err error) T {
 	if err != nil {
 		panic(err)
 	}
 	return result
 }
 func Must2[T any, T2 any](result T, result2 T2, err error) (T, T2) {
 	if err != nil {
 		panic(err)
 	}
 	return result, result2
 }
--- a/common/convert/converter.go
+++ b/common/convert/converter.go
@@ -201,6 +201,10 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				trojan["client-fingerprint"] = fingerprint
 			}
 			if pcs := query.Get("pcs"); pcs != "" {
 				trojan["fingerprint"] = pcs
 			}
 			proxies = append(proxies, trojan)
 		case "vless":
--- a/common/convert/v.go
+++ b/common/convert/v.go
@@ -35,6 +35,9 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 		if alpn := query.Get("alpn"); alpn != "" {
 			proxy["alpn"] = strings.Split(alpn, ",")
 		}
 		if pcs := query.Get("pcs"); pcs != "" {
 			proxy["fingerprint"] = pcs
 		}
 	}
 	if sni := query.Get("sni"); sni != "" {
 		proxy["servername"] = sni
--- a/common/deque/deque.go
+++ b/common/deque/deque.go
@@ -0,0 +1,674 @@
 package deque
 // copy and modified from https://github.com/gammazero/deque/blob/v1.2.0/deque.go
 // which is licensed under MIT.
 import (
 	"fmt"
 )
 // minCapacity is the smallest capacity that deque may have. Must be power of 2
 // for bitwise modulus: x % n == x & (n - 1).
 const minCapacity = 8
 // Deque represents a single instance of the deque data structure. A Deque
 // instance contains items of the type specified by the type argument.
 //
 // For example, to create a Deque that contains strings do one of the
 // following:
 //
 //	var stringDeque deque.Deque[string]
 //	stringDeque := new(deque.Deque[string])
 //	stringDeque := &deque.Deque[string]{}
 //
 // To create a Deque that will never resize to have space for less than 64
 // items, specify a base capacity:
 //
 //	var d deque.Deque[int]
 //	d.SetBaseCap(64)
 //
 // To ensure the Deque can store 1000 items without needing to resize while
 // items are added:
 //
 //	d.Grow(1000)
 //
 // Any values supplied to [SetBaseCap] and [Grow] are rounded up to the nearest
 // power of 2, since the Deque grows by powers of 2.
 type Deque[T any] struct {
 	buf    []T
 	head   int
 	tail   int
 	count  int
 	minCap int
 }
 // Cap returns the current capacity of the Deque. If q is nil, q.Cap() is zero.
 func (q *Deque[T]) Cap() int {
 	if q == nil {
 		return 0
 	}
 	return len(q.buf)
 }
 // Len returns the number of elements currently stored in the queue. If q is
 // nil, q.Len() returns zero.
 func (q *Deque[T]) Len() int {
 	if q == nil {
 		return 0
 	}
 	return q.count
 }
 // PushBack appends an element to the back of the queue. Implements FIFO when
 // elements are removed with [PopFront], and LIFO when elements are removed with
 // [PopBack].
 func (q *Deque[T]) PushBack(elem T) {
 	q.growIfFull()
 	q.buf[q.tail] = elem
 	// Calculate new tail position.
 	q.tail = q.next(q.tail)
 	q.count++
 }
 // PushFront prepends an element to the front of the queue.
 func (q *Deque[T]) PushFront(elem T) {
 	q.growIfFull()
 	// Calculate new head position.
 	q.head = q.prev(q.head)
 	q.buf[q.head] = elem
 	q.count++
 }
 // PopFront removes and returns the element from the front of the queue.
 // Implements FIFO when used with [PushBack]. If the queue is empty, the call
 // panics.
 func (q *Deque[T]) PopFront() T {
 	if q.count <= 0 {
 		panic("deque: PopFront() called on empty queue")
 	}
 	ret := q.buf[q.head]
 	var zero T
 	q.buf[q.head] = zero
 	// Calculate new head position.
 	q.head = q.next(q.head)
 	q.count--
 	q.shrinkIfExcess()
 	return ret
 }
 // IterPopFront returns an iterator that iteratively removes items from the
 // front of the deque. This is more efficient than removing items one at a time
 // because it avoids intermediate resizing. If a resize is necessary, only one
 // is done when iteration ends.
 func (q *Deque[T]) IterPopFront() func(yield func(T) bool) {
 	return func(yield func(T) bool) {
 		if q.Len() == 0 {
 			return
 		}
 		var zero T
 		for q.count != 0 {
 			ret := q.buf[q.head]
 			q.buf[q.head] = zero
 			q.head = q.next(q.head)
 			q.count--
 			if !yield(ret) {
 				break
 			}
 		}
 		q.shrinkToFit()
 	}
 }
 // PopBack removes and returns the element from the back of the queue.
 // Implements LIFO when used with [PushBack]. If the queue is empty, the call
 // panics.
 func (q *Deque[T]) PopBack() T {
 	if q.count <= 0 {
 		panic("deque: PopBack() called on empty queue")
 	}
 	// Calculate new tail position
 	q.tail = q.prev(q.tail)
 	// Remove value at tail.
 	ret := q.buf[q.tail]
 	var zero T
 	q.buf[q.tail] = zero
 	q.count--
 	q.shrinkIfExcess()
 	return ret
 }
 // IterPopBack returns an iterator that iteratively removes items from the back
 // of the deque. This is more efficient than removing items one at a time
 // because it avoids intermediate resizing. If a resize is necessary, only one
 // is done when iteration ends.
 func (q *Deque[T]) IterPopBack() func(yield func(T) bool) {
 	return func(yield func(T) bool) {
 		if q.Len() == 0 {
 			return
 		}
 		var zero T
 		for q.count != 0 {
 			q.tail = q.prev(q.tail)
 			ret := q.buf[q.tail]
 			q.buf[q.tail] = zero
 			q.count--
 			if !yield(ret) {
 				break
 			}
 		}
 		q.shrinkToFit()
 	}
 }
 // Front returns the element at the front of the queue. This is the element
 // that would be returned by [PopFront]. This call panics if the queue is
 // empty.
 func (q *Deque[T]) Front() T {
 	if q.count <= 0 {
 		panic("deque: Front() called when empty")
 	}
 	return q.buf[q.head]
 }
 // Back returns the element at the back of the queue. This is the element that
 // would be returned by [PopBack]. This call panics if the queue is empty.
 func (q *Deque[T]) Back() T {
 	if q.count <= 0 {
 		panic("deque: Back() called when empty")
 	}
 	return q.buf[q.prev(q.tail)]
 }
 // At returns the element at index i in the queue without removing the element
 // from the queue. This method accepts only non-negative index values. At(0)
 // refers to the first element and is the same as [Front]. At(Len()-1) refers
 // to the last element and is the same as [Back]. If the index is invalid, the
 // call panics.
 //
 // The purpose of At is to allow Deque to serve as a more general purpose
 // circular buffer, where items are only added to and removed from the ends of
 // the deque, but may be read from any place within the deque. Consider the
 // case of a fixed-size circular log buffer: A new entry is pushed onto one end
 // and when full the oldest is popped from the other end. All the log entries
 // in the buffer must be readable without altering the buffer contents.
 func (q *Deque[T]) At(i int) T {
 	q.checkRange(i)
 	// bitwise modulus
 	return q.buf[(q.head+i)&(len(q.buf)-1)]
 }
 // Set assigns the item to index i in the queue. Set indexes the deque the same
 // as [At] but perform the opposite operation. If the index is invalid, the call
 // panics.
 func (q *Deque[T]) Set(i int, item T) {
 	q.checkRange(i)
 	// bitwise modulus
 	q.buf[(q.head+i)&(len(q.buf)-1)] = item
 }
 // Iter returns a go iterator to range over all items in the Deque, yielding
 // each item from front (index 0) to back (index Len()-1). Modification of
 // Deque during iteration panics.
 func (q *Deque[T]) Iter() func(yield func(T) bool) {
 	return func(yield func(T) bool) {
 		origHead := q.head
 		origTail := q.tail
 		head := origHead
 		for i := -0; i < q.Len(); i++ {
 			if q.head != origHead || q.tail != origTail {
 				panic("deque: modified during iteration")
 			}
 			if !yield(q.buf[head]) {
 				return
 			}
 			head = q.next(head)
 		}
 	}
 }
 // RIter returns a reverse go iterator to range over all items in the Deque,
 // yielding each item from back (index Len()-1) to front (index 0).
 // Modification of Deque during iteration panics.
 func (q *Deque[T]) RIter() func(yield func(T) bool) {
 	return func(yield func(T) bool) {
 		origHead := q.head
 		origTail := q.tail
 		tail := origTail
 		for i := -0; i < q.Len(); i++ {
 			if q.head != origHead || q.tail != origTail {
 				panic("deque: modified during iteration")
 			}
 			tail = q.prev(tail)
 			if !yield(q.buf[tail]) {
 				return
 			}
 		}
 	}
 }
 // Clear removes all elements from the queue, but retains the current capacity.
 // This is useful when repeatedly reusing the queue at high frequency to avoid
 // GC during reuse. The queue will not be resized smaller as long as items are
 // only added. Only when items are removed is the queue subject to getting
 // resized smaller.
 func (q *Deque[T]) Clear() {
 	if q.Len() == 0 {
 		return
 	}
 	head, tail := q.head, q.tail
 	q.count = 0
 	q.head = 0
 	q.tail = 0
 	if head >= tail {
 		// [DEF....ABC]
 		clearSlice(q.buf[head:])
 		head = 0
 	}
 	clearSlice(q.buf[head:tail])
 }
 func clearSlice[S ~[]E, E any](s S) {
 	var zero E
 	for i := range s {
 		s[i] = zero
 	}
 }
 // Grow grows deque's capacity, if necessary, to guarantee space for another n
 // items. After Grow(n), at least n items can be written to the deque without
 // another allocation. If n is negative, Grow panics.
 func (q *Deque[T]) Grow(n int) {
 	if n < 0 {
 		panic("deque.Grow: negative count")
 	}
 	c := q.Cap()
 	l := q.Len()
 	// If already big enough.
 	if n <= c-l {
 		return
 	}
 	if c == 0 {
 		c = minCapacity
 	}
 	newLen := l + n
 	for c < newLen {
 		c <<= 1
 	}
 	if l == 0 {
 		q.buf = make([]T, c)
 		q.head = 0
 		q.tail = 0
 	} else {
 		q.resize(c)
 	}
 }
 // Copy copies the contents of the given src Deque into this Deque.
 //
 //	n := b.Copy(a)
 //
 // is an efficient shortcut for
 //
 //	b.Clear()
 //	n := a.Len()
 //	b.Grow(n)
 //	for i := 0; i < n; i++ {
 //		b.PushBack(a.At(i))
 //	}
 func (q *Deque[T]) Copy(src Deque[T]) int {
 	q.Clear()
 	q.Grow(src.Len())
 	n := src.CopyOutSlice(q.buf)
 	q.count = n
 	q.tail = n
 	q.head = 0
 	return n
 }
 // AppendToSlice appends from the Deque to the given slice. If the slice has
 // insufficient capacity to store all elements in Deque, then allocate a new
 // slice. Returns the resulting slice.
 //
 //	out = q.AppendToSlice(out)
 //
 // is an efficient shortcut for
 //
 //	for i := 0; i < q.Len(); i++ {
 //		x = append(out, q.At(i))
 //	}
 func (q *Deque[T]) AppendToSlice(out []T) []T {
 	if q.count == 0 {
 		return out
 	}
 	head, tail := q.head, q.tail
 	if head >= tail {
 		// [DEF....ABC]
 		out = append(out, q.buf[head:]...)
 		head = 0
 	}
 	return append(out, q.buf[head:tail]...)
 }
 // CopyInSlice replaces the contents of Deque with all the elements from the
 // given slice, in. If len(in) is zero, then this is equivalent to calling
 // [Clear].
 //
 //	q.CopyInSlice(in)
 //
 // is an efficient shortcut for
 //
 //	q.Clear()
 //	for i := range in {
 //		q.PushBack(in[i])
 //	}
 func (q *Deque[T]) CopyInSlice(in []T) {
 	// Allocate new buffer if more space needed.
 	if len(q.buf) < len(in) {
 		newCap := len(q.buf)
 		if newCap == 0 {
 			newCap = minCapacity
 			q.minCap = minCapacity
 		}
 		for newCap < len(in) {
 			newCap <<= 1
 		}
 		q.buf = make([]T, newCap)
 	} else if len(q.buf) > len(in) {
 		q.Clear()
 	}
 	n := copy(q.buf, in)
 	q.count = n
 	q.tail = n
 	q.head = 0
 }
 // CopyOutSlice copies elements from the Deque into the given slice, up to the
 // size of the buffer. Returns the number of elements copied, which will be the
 // minimum of q.Len() and len(out).
 //
 //	n := q.CopyOutSlice(out)
 //
 // is an efficient shortcut for
 //
 //	n := min(len(out), q.Len())
 //	for i := 0; i < n; i++ {
 //	 	out[i] = q.At(i)
 //	}
 //
 // This function is preferable to one that returns a copy of the internal
 // buffer because this allows reuse of memory receiving data, for repeated copy
 // operations.
 func (q *Deque[T]) CopyOutSlice(out []T) int {
 	if q.count == 0 || len(out) == 0 {
 		return 0
 	}
 	head, tail := q.head, q.tail
 	var n int
 	if head >= tail {
 		// [DEF....ABC]
 		n = copy(out, q.buf[head:])
 		out = out[n:]
 		if len(out) == 0 {
 			return n
 		}
 		head = 0
 	}
 	n += copy(out, q.buf[head:tail])
 	return n
 }
 // Rotate rotates the deque n steps front-to-back. If n is negative, rotates
 // back-to-front. Having Deque provide Rotate avoids resizing that could happen
 // if implementing rotation using only Pop and Push methods. If q.Len() is one
 // or less, or q is nil, then Rotate does nothing.
 func (q *Deque[T]) Rotate(n int) {
 	if q.Len() <= 1 {
 		return
 	}
 	// Rotating a multiple of q.count is same as no rotation.
 	n %= q.count
 	if n == 0 {
 		return
 	}
 	modBits := len(q.buf) - 1
 	// If no empty space in buffer, only move head and tail indexes.
 	if q.head == q.tail {
 		// Calculate new head and tail using bitwise modulus.
 		q.head = (q.head + n) & modBits
 		q.tail = q.head
 		return
 	}
 	var zero T
 	if n < 0 {
 		// Rotate back to front.
 		for ; n < 0; n++ {
 			// Calculate new head and tail using bitwise modulus.
 			q.head = (q.head - 1) & modBits
 			q.tail = (q.tail - 1) & modBits
 			// Put tail value at head and remove value at tail.
 			q.buf[q.head] = q.buf[q.tail]
 			q.buf[q.tail] = zero
 		}
 		return
 	}
 	// Rotate front to back.
 	for ; n > 0; n-- {
 		// Put head value at tail and remove value at head.
 		q.buf[q.tail] = q.buf[q.head]
 		q.buf[q.head] = zero
 		// Calculate new head and tail using bitwise modulus.
 		q.head = (q.head + 1) & modBits
 		q.tail = (q.tail + 1) & modBits
 	}
 }
 // Index returns the index into the Deque of the first item satisfying f(item),
 // or -1 if none do. If q is nil, then -1 is always returned. Search is linear
 // starting with index 0.
 func (q *Deque[T]) Index(f func(T) bool) int {
 	if q.Len() > 0 {
 		modBits := len(q.buf) - 1
 		for i := 0; i < q.count; i++ {
 			if f(q.buf[(q.head+i)&modBits]) {
 				return i
 			}
 		}
 	}
 	return -1
 }
 // RIndex is the same as Index, but searches from Back to Front. The index
 // returned is from Front to Back, where index 0 is the index of the item
 // returned by [Front].
 func (q *Deque[T]) RIndex(f func(T) bool) int {
 	if q.Len() > 0 {
 		modBits := len(q.buf) - 1
 		for i := q.count - 1; i >= 0; i-- {
 			if f(q.buf[(q.head+i)&modBits]) {
 				return i
 			}
 		}
 	}
 	return -1
 }
 // Insert is used to insert an element into the middle of the queue, before the
 // element at the specified index. Insert(0,e) is the same as PushFront(e) and
 // Insert(Len(),e) is the same as PushBack(e). Out of range indexes result in
 // pushing the item onto the front of back of the deque.
 //
 // Important: Deque is optimized for O(1) operations at the ends of the queue,
 // not for operations in the the middle. Complexity of this function is
 // constant plus linear in the lesser of the distances between the index and
 // either of the ends of the queue.
 func (q *Deque[T]) Insert(at int, item T) {
 	if at <= 0 {
 		q.PushFront(item)
 		return
 	}
 	if at >= q.Len() {
 		q.PushBack(item)
 		return
 	}
 	if at*2 < q.count {
 		q.PushFront(item)
 		front := q.head
 		for i := 0; i < at; i++ {
 			next := q.next(front)
 			q.buf[front], q.buf[next] = q.buf[next], q.buf[front]
 			front = next
 		}
 		return
 	}
 	swaps := q.count - at
 	q.PushBack(item)
 	back := q.prev(q.tail)
 	for i := 0; i < swaps; i++ {
 		prev := q.prev(back)
 		q.buf[back], q.buf[prev] = q.buf[prev], q.buf[back]
 		back = prev
 	}
 }
 // Remove removes and returns an element from the middle of the queue, at the
 // specified index. Remove(0) is the same as [PopFront] and Remove(Len()-1) is
 // the same as [PopBack]. Accepts only non-negative index values, and panics if
 // index is out of range.
 //
 // Important: Deque is optimized for O(1) operations at the ends of the queue,
 // not for operations in the the middle. Complexity of this function is
 // constant plus linear in the lesser of the distances between the index and
 // either of the ends of the queue.
 func (q *Deque[T]) Remove(at int) T {
 	q.checkRange(at)
 	rm := (q.head + at) & (len(q.buf) - 1)
 	if at*2 < q.count {
 		for i := 0; i < at; i++ {
 			prev := q.prev(rm)
 			q.buf[prev], q.buf[rm] = q.buf[rm], q.buf[prev]
 			rm = prev
 		}
 		return q.PopFront()
 	}
 	swaps := q.count - at - 1
 	for i := 0; i < swaps; i++ {
 		next := q.next(rm)
 		q.buf[rm], q.buf[next] = q.buf[next], q.buf[rm]
 		rm = next
 	}
 	return q.PopBack()
 }
 // SetBaseCap sets a base capacity so that at least the specified number of
 // items can always be stored without resizing.
 func (q *Deque[T]) SetBaseCap(baseCap int) {
 	minCap := minCapacity
 	for minCap < baseCap {
 		minCap <<= 1
 	}
 	q.minCap = minCap
 }
 // Swap exchanges the two values at idxA and idxB. It panics if either index is
 // out of range.
 func (q *Deque[T]) Swap(idxA, idxB int) {
 	q.checkRange(idxA)
 	q.checkRange(idxB)
 	if idxA == idxB {
 		return
 	}
 	realA := (q.head + idxA) & (len(q.buf) - 1)
 	realB := (q.head + idxB) & (len(q.buf) - 1)
 	q.buf[realA], q.buf[realB] = q.buf[realB], q.buf[realA]
 }
 func (q *Deque[T]) checkRange(i int) {
 	if i < 0 || i >= q.count {
 		panic(fmt.Sprintf("deque: index out of range %d with length %d", i, q.Len()))
 	}
 }
 // prev returns the previous buffer position wrapping around buffer.
 func (q *Deque[T]) prev(i int) int {
 	return (i - 1) & (len(q.buf) - 1) // bitwise modulus
 }
 // next returns the next buffer position wrapping around buffer.
 func (q *Deque[T]) next(i int) int {
 	return (i + 1) & (len(q.buf) - 1) // bitwise modulus
 }
 // growIfFull resizes up if the buffer is full.
 func (q *Deque[T]) growIfFull() {
 	if q.count != len(q.buf) {
 		return
 	}
 	if len(q.buf) == 0 {
 		if q.minCap == 0 {
 			q.minCap = minCapacity
 		}
 		q.buf = make([]T, q.minCap)
 		return
 	}
 	q.resize(q.count << 1)
 }
 // shrinkIfExcess resize down if the buffer 1/4 full.
 func (q *Deque[T]) shrinkIfExcess() {
 	if len(q.buf) > q.minCap && (q.count<<2) == len(q.buf) {
 		q.resize(q.count << 1)
 	}
 }
 func (q *Deque[T]) shrinkToFit() {
 	if len(q.buf) > q.minCap && (q.count<<2) <= len(q.buf) {
 		if q.count == 0 {
 			q.head = 0
 			q.tail = 0
 			q.buf = make([]T, q.minCap)
 			return
 		}
 		c := q.minCap
 		for c < q.count {
 			c <<= 1
 		}
 		q.resize(c)
 	}
 }
 // resize resizes the deque to fit exactly twice its current contents. This is
 // used to grow the queue when it is full, and also to shrink it when it is
 // only a quarter full.
 func (q *Deque[T]) resize(newSize int) {
 	newBuf := make([]T, newSize)
 	if q.tail > q.head {
 		copy(newBuf, q.buf[q.head:q.tail])
 	} else {
 		n := copy(newBuf, q.buf[q.head:])
 		copy(newBuf[n:], q.buf[:q.tail])
 	}
 	q.head = 0
 	q.tail = q.count
 	q.buf = newBuf
 }
--- a/common/orderedmap/doc.go
+++ b/common/orderedmap/doc.go
@@ -0,0 +1,8 @@
 package orderedmap
 // copy and modified from https://github.com/wk8/go-ordered-map/tree/v2.1.8
 // which is licensed under Apache v2.
 //
 // mihomo modified:
 // 1. remove dependence of mailru/easyjson for MarshalJSON
 // 2. remove dependence of buger/jsonparser for UnmarshalJSON
--- a/common/orderedmap/json.go
+++ b/common/orderedmap/json.go
@@ -0,0 +1,139 @@
 package orderedmap
 import (
 	"bytes"
 	"encoding"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"reflect"
 )
 var (
 	_ json.Marshaler   = &OrderedMap[int, any]{}
 	_ json.Unmarshaler = &OrderedMap[int, any]{}
 )
 // MarshalJSON implements the json.Marshaler interface.
 func (om *OrderedMap[K, V]) MarshalJSON() ([]byte, error) { //nolint:funlen
 	if om == nil || om.list == nil {
 		return []byte("null"), nil
 	}
 	var buf bytes.Buffer
 	buf.WriteByte('{')
 	enc := json.NewEncoder(&buf)
 	for pair, firstIteration := om.Oldest(), true; pair != nil; pair = pair.Next() {
 		if firstIteration {
 			firstIteration = false
 		} else {
 			buf.WriteByte(',')
 		}
 		switch key := any(pair.Key).(type) {
 		case string, encoding.TextMarshaler:
 			if err := enc.Encode(pair.Key); err != nil {
 				return nil, err
 			}
 		case int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64:
 			buf.WriteByte('"')
 			buf.WriteString(fmt.Sprint(key))
 			buf.WriteByte('"')
 		default:
 			// this switch takes care of wrapper types around primitive types, such as
 			// type myType string
 			switch keyValue := reflect.ValueOf(key); keyValue.Type().Kind() {
 			case reflect.String:
 				if err := enc.Encode(pair.Key); err != nil {
 					return nil, err
 				}
 			case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
 				reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
 				buf.WriteByte('"')
 				buf.WriteString(fmt.Sprint(key))
 				buf.WriteByte('"')
 			default:
 				return nil, fmt.Errorf("unsupported key type: %T", key)
 			}
 		}
 		buf.WriteByte(':')
 		if err := enc.Encode(pair.Value); err != nil {
 			return nil, err
 		}
 	}
 	buf.WriteByte('}')
 	return buf.Bytes(), nil
 }
 // UnmarshalJSON implements the json.Unmarshaler interface.
 func (om *OrderedMap[K, V]) UnmarshalJSON(data []byte) error {
 	if om.list == nil {
 		om.initialize(0)
 	}
 	d := json.NewDecoder(bytes.NewReader(data))
 	tok, err := d.Token()
 	if err != nil {
 		return err
 	}
 	if tok != json.Delim('{') {
 		return errors.New("expect JSON object open with '{'")
 	}
 	for d.More() {
 		// key
 		tok, err = d.Token()
 		if err != nil {
 			return err
 		}
 		keyStr, ok := tok.(string)
 		if !ok {
 			return fmt.Errorf("key must be a string, got %T\n", tok)
 		}
 		var key K
 		switch typedKey := any(&key).(type) {
 		case *string:
 			*typedKey = keyStr
 		case encoding.TextUnmarshaler:
 			err = typedKey.UnmarshalText([]byte(keyStr))
 		case *int, *int8, *int16, *int32, *int64, *uint, *uint8, *uint16, *uint32, *uint64:
 			err = json.Unmarshal([]byte(keyStr), typedKey)
 		default:
 			// this switch takes care of wrapper types around primitive types, such as
 			// type myType string
 			switch reflect.TypeOf(key).Kind() {
 			case reflect.String:
 				convertedKeyData := reflect.ValueOf(keyStr).Convert(reflect.TypeOf(key))
 				reflect.ValueOf(&key).Elem().Set(convertedKeyData)
 			case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
 				reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
 				err = json.Unmarshal([]byte(keyStr), &key)
 			default:
 				err = fmt.Errorf("unsupported key type: %T", key)
 			}
 		}
 		if err != nil {
 			return err
 		}
 		// value
 		value, _ := om.Get(key)
 		err = d.Decode(&value)
 		if err != nil {
 			return err
 		}
 		om.Set(key, value)
 	}
 	tok, err = d.Token()
 	if err != nil {
 		return err
 	}
 	if tok != json.Delim('}') {
 		return errors.New("expect JSON object close with '}'")
 	}
 	return nil
 }
--- a/common/orderedmap/json_fuzz_test.go
+++ b/common/orderedmap/json_fuzz_test.go
@@ -0,0 +1,117 @@
 package orderedmap
 // Adapted from https://github.com/dvyukov/go-fuzz-corpus/blob/c42c1b2/json/json.go
 import (
 	"encoding/json"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func FuzzRoundTripJSON(f *testing.F) {
 	f.Fuzz(func(t *testing.T, data []byte) {
 		for _, testCase := range []struct {
 			name        string
 			constructor func() any
 			// should be a function that asserts that 2 objects of the type returned by constructor are equal
 			equalityAssertion func(*testing.T, any, any) bool
 		}{
 			{
 				name:              "with a string -> string map",
 				constructor:       func() any { return &OrderedMap[string, string]{} },
 				equalityAssertion: assertOrderedMapsEqual[string, string],
 			},
 			{
 				name:              "with a string -> int map",
 				constructor:       func() any { return &OrderedMap[string, int]{} },
 				equalityAssertion: assertOrderedMapsEqual[string, int],
 			},
 			{
 				name:              "with a string -> any map",
 				constructor:       func() any { return &OrderedMap[string, any]{} },
 				equalityAssertion: assertOrderedMapsEqual[string, any],
 			},
 			{
 				name:              "with a struct with map fields",
 				constructor:       func() any { return new(testFuzzStruct) },
 				equalityAssertion: assertTestFuzzStructEqual,
 			},
 		} {
 			t.Run(testCase.name, func(t *testing.T) {
 				v1 := testCase.constructor()
 				if json.Unmarshal(data, v1) != nil {
 					return
 				}
 				jsonData, err := json.Marshal(v1)
 				require.NoError(t, err)
 				v2 := testCase.constructor()
 				require.NoError(t, json.Unmarshal(jsonData, v2))
 				if !assert.True(t, testCase.equalityAssertion(t, v1, v2), "failed with input data %q", string(data)) {
 					// look at that what the standard lib does with regular map, to help with debugging
 					var m1 map[string]any
 					require.NoError(t, json.Unmarshal(data, &m1))
 					mapJsonData, err := json.Marshal(m1)
 					require.NoError(t, err)
 					var m2 map[string]any
 					require.NoError(t, json.Unmarshal(mapJsonData, &m2))
 					t.Logf("initial data = %s", string(data))
 					t.Logf("unmarshalled map = %v", m1)
 					t.Logf("re-marshalled from map = %s", string(mapJsonData))
 					t.Logf("re-marshalled from test obj = %s", string(jsonData))
 					t.Logf("re-unmarshalled map = %s", m2)
 				}
 			})
 		}
 	})
 }
 // only works for fairly basic maps, that's why it's just in this file
 func assertOrderedMapsEqual[K comparable, V any](t *testing.T, v1, v2 any) bool {
 	om1, ok1 := v1.(*OrderedMap[K, V])
 	om2, ok2 := v2.(*OrderedMap[K, V])
 	if !assert.True(t, ok1, "v1 not an orderedmap") ||
 		!assert.True(t, ok2, "v2 not an orderedmap") {
 		return false
 	}
 	success := assert.Equal(t, om1.Len(), om2.Len(), "om1 and om2 have different lengths: %d vs %d", om1.Len(), om2.Len())
 	for i, pair1, pair2 := 0, om1.Oldest(), om2.Oldest(); pair1 != nil && pair2 != nil; i, pair1, pair2 = i+1, pair1.Next(), pair2.Next() {
 		success = assert.Equal(t, pair1.Key, pair2.Key, "different keys at position %d: %v vs %v", i, pair1.Key, pair2.Key) && success
 		success = assert.Equal(t, pair1.Value, pair2.Value, "different values at position %d: %v vs %v", i, pair1.Value, pair2.Value) && success
 	}
 	return success
 }
 type testFuzzStruct struct {
 	M1 *OrderedMap[int, any]
 	M2 *OrderedMap[int, string]
 	M3 *OrderedMap[string, string]
 }
 func assertTestFuzzStructEqual(t *testing.T, v1, v2 any) bool {
 	s1, ok := v1.(*testFuzzStruct)
 	s2, ok := v2.(*testFuzzStruct)
 	if !assert.True(t, ok, "v1 not an testFuzzStruct") ||
 		!assert.True(t, ok, "v2 not an testFuzzStruct") {
 		return false
 	}
 	success := assertOrderedMapsEqual[int, any](t, s1.M1, s2.M1)
 	success = assertOrderedMapsEqual[int, string](t, s1.M2, s2.M2) && success
 	success = assertOrderedMapsEqual[string, string](t, s1.M3, s2.M3) && success
 	return success
 }
--- a/common/orderedmap/json_test.go
+++ b/common/orderedmap/json_test.go
@@ -0,0 +1,338 @@
 package orderedmap
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"strconv"
 	"strings"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // to test marshalling TextMarshalers and unmarshalling TextUnmarshalers
 type marshallable int
 func (m marshallable) MarshalText() ([]byte, error) {
 	return []byte(fmt.Sprintf("#%d#", m)), nil
 }
 func (m *marshallable) UnmarshalText(text []byte) error {
 	if len(text) < 3 {
 		return errors.New("too short")
 	}
 	if text[0] != '#' || text[len(text)-1] != '#' {
 		return errors.New("missing prefix or suffix")
 	}
 	value, err := strconv.Atoi(string(text[1 : len(text)-1]))
 	if err != nil {
 		return err
 	}
 	*m = marshallable(value)
 	return nil
 }
 func TestMarshalJSON(t *testing.T) {
 	t.Run("int key", func(t *testing.T) {
 		om := New[int, any]()
 		om.Set(1, "bar")
 		om.Set(7, "baz")
 		om.Set(2, 28)
 		om.Set(3, 100)
 		om.Set(4, "baz")
 		om.Set(5, "28")
 		om.Set(6, "100")
 		om.Set(8, "baz")
 		om.Set(8, "baz")
 		om.Set(9, "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque auctor augue accumsan mi maximus, quis viverra massa pretium. Phasellus imperdiet sapien a interdum sollicitudin. Duis at commodo lectus, a lacinia sem.")
 		b, err := json.Marshal(om)
 		assert.NoError(t, err)
 		assert.Equal(t, `{"1":"bar","7":"baz","2":28,"3":100,"4":"baz","5":"28","6":"100","8":"baz","9":"Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque auctor augue accumsan mi maximus, quis viverra massa pretium. Phasellus imperdiet sapien a interdum sollicitudin. Duis at commodo lectus, a lacinia sem."}`, string(b))
 	})
 	t.Run("string key", func(t *testing.T) {
 		om := New[string, any]()
 		om.Set("test", "bar")
 		om.Set("abc", true)
 		b, err := json.Marshal(om)
 		assert.NoError(t, err)
 		assert.Equal(t, `{"test":"bar","abc":true}`, string(b))
 	})
 	t.Run("typed string key", func(t *testing.T) {
 		type myString string
 		om := New[myString, any]()
 		om.Set("test", "bar")
 		om.Set("abc", true)
 		b, err := json.Marshal(om)
 		assert.NoError(t, err)
 		assert.Equal(t, `{"test":"bar","abc":true}`, string(b))
 	})
 	t.Run("typed int key", func(t *testing.T) {
 		type myInt uint32
 		om := New[myInt, any]()
 		om.Set(1, "bar")
 		om.Set(7, "baz")
 		om.Set(2, 28)
 		om.Set(3, 100)
 		om.Set(4, "baz")
 		b, err := json.Marshal(om)
 		assert.NoError(t, err)
 		assert.Equal(t, `{"1":"bar","7":"baz","2":28,"3":100,"4":"baz"}`, string(b))
 	})
 	t.Run("TextMarshaller key", func(t *testing.T) {
 		om := New[marshallable, any]()
 		om.Set(marshallable(1), "bar")
 		om.Set(marshallable(28), true)
 		b, err := json.Marshal(om)
 		assert.NoError(t, err)
 		assert.Equal(t, `{"#1#":"bar","#28#":true}`, string(b))
 	})
 	t.Run("empty map", func(t *testing.T) {
 		om := New[string, any]()
 		b, err := json.Marshal(om)
 		assert.NoError(t, err)
 		assert.Equal(t, `{}`, string(b))
 	})
 }
 func TestUnmarshallJSON(t *testing.T) {
 	t.Run("int key", func(t *testing.T) {
 		data := `{"1":"bar","7":"baz","2":28,"3":100,"4":"baz","5":"28","6":"100","8":"baz"}`
 		om := New[int, any]()
 		require.NoError(t, json.Unmarshal([]byte(data), &om))
 		assertOrderedPairsEqual(t, om,
 			[]int{1, 7, 2, 3, 4, 5, 6, 8},
 			[]any{"bar", "baz", float64(28), float64(100), "baz", "28", "100", "baz"})
 	})
 	t.Run("string key", func(t *testing.T) {
 		data := `{"test":"bar","abc":true}`
 		om := New[string, any]()
 		require.NoError(t, json.Unmarshal([]byte(data), &om))
 		assertOrderedPairsEqual(t, om,
 			[]string{"test", "abc"},
 			[]any{"bar", true})
 	})
 	t.Run("typed string key", func(t *testing.T) {
 		data := `{"test":"bar","abc":true}`
 		type myString string
 		om := New[myString, any]()
 		require.NoError(t, json.Unmarshal([]byte(data), &om))
 		assertOrderedPairsEqual(t, om,
 			[]myString{"test", "abc"},
 			[]any{"bar", true})
 	})
 	t.Run("typed int key", func(t *testing.T) {
 		data := `{"1":"bar","7":"baz","2":28,"3":100,"4":"baz","5":"28","6":"100","8":"baz"}`
 		type myInt uint32
 		om := New[myInt, any]()
 		require.NoError(t, json.Unmarshal([]byte(data), &om))
 		assertOrderedPairsEqual(t, om,
 			[]myInt{1, 7, 2, 3, 4, 5, 6, 8},
 			[]any{"bar", "baz", float64(28), float64(100), "baz", "28", "100", "baz"})
 	})
 	t.Run("TextUnmarshaler key", func(t *testing.T) {
 		data := `{"#1#":"bar","#28#":true}`
 		om := New[marshallable, any]()
 		require.NoError(t, json.Unmarshal([]byte(data), &om))
 		assertOrderedPairsEqual(t, om,
 			[]marshallable{1, 28},
 			[]any{"bar", true})
 	})
 	t.Run("when fed with an input that's not an object", func(t *testing.T) {
 		for _, data := range []string{"true", `["foo"]`, "42", `"foo"`} {
 			om := New[int, any]()
 			require.Error(t, json.Unmarshal([]byte(data), &om))
 		}
 	})
 	t.Run("empty map", func(t *testing.T) {
 		data := `{}`
 		om := New[int, any]()
 		require.NoError(t, json.Unmarshal([]byte(data), &om))
 		assertLenEqual(t, om, 0)
 	})
 }
 // const specialCharacters = "\\\\/\"\b\f\n\r\t\x00\uffff\ufffd世界\u007f\u00ff\U0010FFFF"
 const specialCharacters = "\uffff\ufffd世界\u007f\u00ff\U0010FFFF"
 func TestJSONSpecialCharacters(t *testing.T) {
 	baselineMap := map[string]any{specialCharacters: specialCharacters}
 	baselineData, err := json.Marshal(baselineMap)
 	require.NoError(t, err) // baseline proves this key is supported by official json library
 	t.Logf("specialCharacters: %#v as []rune:%v", specialCharacters, []rune(specialCharacters))
 	t.Logf("baseline json data: %s", baselineData)
 	t.Run("marshal special characters", func(t *testing.T) {
 		om := New[string, any]()
 		om.Set(specialCharacters, specialCharacters)
 		b, err := json.Marshal(om)
 		require.NoError(t, err)
 		require.Equal(t, baselineData, b)
 		type myString string
 		om2 := New[myString, myString]()
 		om2.Set(specialCharacters, specialCharacters)
 		b, err = json.Marshal(om2)
 		require.NoError(t, err)
 		require.Equal(t, baselineData, b)
 	})
 	t.Run("unmarshall special characters", func(t *testing.T) {
 		om := New[string, any]()
 		require.NoError(t, json.Unmarshal(baselineData, &om))
 		assertOrderedPairsEqual(t, om,
 			[]string{specialCharacters},
 			[]any{specialCharacters})
 		type myString string
 		om2 := New[myString, myString]()
 		require.NoError(t, json.Unmarshal(baselineData, &om2))
 		assertOrderedPairsEqual(t, om2,
 			[]myString{specialCharacters},
 			[]myString{specialCharacters})
 	})
 }
 // to test structs that have nested map fields
 type nestedMaps struct {
 	X int                                                               `json:"x" yaml:"x"`
 	M *OrderedMap[string, []*OrderedMap[int, *OrderedMap[string, any]]] `json:"m" yaml:"m"`
 }
 func TestJSONRoundTrip(t *testing.T) {
 	for _, testCase := range []struct {
 		name            string
 		input           string
 		targetFactory   func() any
 		isPrettyPrinted bool
 	}{
 		{
 			name: "",
 			input: `{
    "x": 28,
    "m": {
        "foo": [
            {
                "12": {
                    "i": 12,
                    "b": true,
                    "n": null,
                    "m": {
                        "a": "b",
                        "c": 28
                    }
                },
                "28": {
                    "a": false,
                    "b": [
                        1,
                        2,
                        3
                    ]
                }
            },
            {
                "3": {
                    "c": null,
                    "d": 87
                },
                "4": {
                    "e": true
                },
                "5": {
                    "f": 4,
                    "g": 5,
                    "h": 6
                }
            }
        ],
        "bar": [
            {
                "5": {
                    "foo": "bar"
                }
            }
        ]
    }
 }`,
 			targetFactory:   func() any { return &nestedMaps{} },
 			isPrettyPrinted: true,
 		},
 		{
 			name:          "with UTF-8 special chars in key",
 			input:         `{"<22>":0}`,
 			targetFactory: func() any { return &OrderedMap[string, int]{} },
 		},
 	} {
 		t.Run(testCase.name, func(t *testing.T) {
 			target := testCase.targetFactory()
 			require.NoError(t, json.Unmarshal([]byte(testCase.input), target))
 			var (
 				out []byte
 				err error
 			)
 			if testCase.isPrettyPrinted {
 				out, err = json.MarshalIndent(target, "", "    ")
 			} else {
 				out, err = json.Marshal(target)
 			}
 			if assert.NoError(t, err) {
 				assert.Equal(t, strings.TrimSpace(testCase.input), string(out))
 			}
 		})
 	}
 }
 func BenchmarkMarshalJSON(b *testing.B) {
 	om := New[int, any]()
 	om.Set(1, "bar")
 	om.Set(7, "baz")
 	om.Set(2, 28)
 	om.Set(3, 100)
 	om.Set(4, "baz")
 	om.Set(5, "28")
 	om.Set(6, "100")
 	om.Set(8, "baz")
 	om.Set(8, "baz")
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		_, _ = json.Marshal(om)
 	}
 }
--- a/common/orderedmap/orderedmap.go
+++ b/common/orderedmap/orderedmap.go
@@ -0,0 +1,295 @@
 // Package orderedmap implements an ordered map, i.e. a map that also keeps track of
 // the order in which keys were inserted.
 //
 // All operations are constant-time.
 //
 // Github repo: https://github.com/wk8/go-ordered-map
 package orderedmap
 import (
 	"fmt"
 	list "github.com/bahlo/generic-list-go"
 )
 type Pair[K comparable, V any] struct {
 	Key   K
 	Value V
 	element *list.Element[*Pair[K, V]]
 }
 type OrderedMap[K comparable, V any] struct {
 	pairs map[K]*Pair[K, V]
 	list  *list.List[*Pair[K, V]]
 }
 type initConfig[K comparable, V any] struct {
 	capacity    int
 	initialData []Pair[K, V]
 }
 type InitOption[K comparable, V any] func(config *initConfig[K, V])
 // WithCapacity allows giving a capacity hint for the map, akin to the standard make(map[K]V, capacity).
 func WithCapacity[K comparable, V any](capacity int) InitOption[K, V] {
 	return func(c *initConfig[K, V]) {
 		c.capacity = capacity
 	}
 }
 // WithInitialData allows passing in initial data for the map.
 func WithInitialData[K comparable, V any](initialData ...Pair[K, V]) InitOption[K, V] {
 	return func(c *initConfig[K, V]) {
 		c.initialData = initialData
 		if c.capacity < len(initialData) {
 			c.capacity = len(initialData)
 		}
 	}
 }
 // New creates a new OrderedMap.
 // options can either be one or several InitOption[K, V], or a single integer,
 // which is then interpreted as a capacity hint, à la make(map[K]V, capacity).
 func New[K comparable, V any](options ...any) *OrderedMap[K, V] { //nolint:varnamelen
 	orderedMap := &OrderedMap[K, V]{}
 	var config initConfig[K, V]
 	for _, untypedOption := range options {
 		switch option := untypedOption.(type) {
 		case int:
 			if len(options) != 1 {
 				invalidOption()
 			}
 			config.capacity = option
 		case InitOption[K, V]:
 			option(&config)
 		default:
 			invalidOption()
 		}
 	}
 	orderedMap.initialize(config.capacity)
 	orderedMap.AddPairs(config.initialData...)
 	return orderedMap
 }
 const invalidOptionMessage = `when using orderedmap.New[K,V]() with options, either provide one or several InitOption[K, V]; or a single integer which is then interpreted as a capacity hint, à la make(map[K]V, capacity).` //nolint:lll
 func invalidOption() { panic(invalidOptionMessage) }
 func (om *OrderedMap[K, V]) initialize(capacity int) {
 	om.pairs = make(map[K]*Pair[K, V], capacity)
 	om.list = list.New[*Pair[K, V]]()
 }
 // Get looks for the given key, and returns the value associated with it,
 // or V's nil value if not found. The boolean it returns says whether the key is present in the map.
 func (om *OrderedMap[K, V]) Get(key K) (val V, present bool) {
 	if pair, present := om.pairs[key]; present {
 		return pair.Value, true
 	}
 	return
 }
 // Load is an alias for Get, mostly to present an API similar to `sync.Map`'s.
 func (om *OrderedMap[K, V]) Load(key K) (V, bool) {
 	return om.Get(key)
 }
 // Value returns the value associated with the given key or the zero value.
 func (om *OrderedMap[K, V]) Value(key K) (val V) {
 	if pair, present := om.pairs[key]; present {
 		val = pair.Value
 	}
 	return
 }
 // GetPair looks for the given key, and returns the pair associated with it,
 // or nil if not found. The Pair struct can then be used to iterate over the ordered map
 // from that point, either forward or backward.
 func (om *OrderedMap[K, V]) GetPair(key K) *Pair[K, V] {
 	return om.pairs[key]
 }
 // Set sets the key-value pair, and returns what `Get` would have returned
 // on that key prior to the call to `Set`.
 func (om *OrderedMap[K, V]) Set(key K, value V) (val V, present bool) {
 	if pair, present := om.pairs[key]; present {
 		oldValue := pair.Value
 		pair.Value = value
 		return oldValue, true
 	}
 	pair := &Pair[K, V]{
 		Key:   key,
 		Value: value,
 	}
 	pair.element = om.list.PushBack(pair)
 	om.pairs[key] = pair
 	return
 }
 // AddPairs allows setting multiple pairs at a time. It's equivalent to calling
 // Set on each pair sequentially.
 func (om *OrderedMap[K, V]) AddPairs(pairs ...Pair[K, V]) {
 	for _, pair := range pairs {
 		om.Set(pair.Key, pair.Value)
 	}
 }
 // Store is an alias for Set, mostly to present an API similar to `sync.Map`'s.
 func (om *OrderedMap[K, V]) Store(key K, value V) (V, bool) {
 	return om.Set(key, value)
 }
 // Delete removes the key-value pair, and returns what `Get` would have returned
 // on that key prior to the call to `Delete`.
 func (om *OrderedMap[K, V]) Delete(key K) (val V, present bool) {
 	if pair, present := om.pairs[key]; present {
 		om.list.Remove(pair.element)
 		delete(om.pairs, key)
 		return pair.Value, true
 	}
 	return
 }
 // Len returns the length of the ordered map.
 func (om *OrderedMap[K, V]) Len() int {
 	if om == nil || om.pairs == nil {
 		return 0
 	}
 	return len(om.pairs)
 }
 // Oldest returns a pointer to the oldest pair. It's meant to be used to iterate on the ordered map's
 // pairs from the oldest to the newest, e.g.:
 // for pair := orderedMap.Oldest(); pair != nil; pair = pair.Next() { fmt.Printf("%v => %v\n", pair.Key, pair.Value) }
 func (om *OrderedMap[K, V]) Oldest() *Pair[K, V] {
 	if om == nil || om.list == nil {
 		return nil
 	}
 	return listElementToPair(om.list.Front())
 }
 // Newest returns a pointer to the newest pair. It's meant to be used to iterate on the ordered map's
 // pairs from the newest to the oldest, e.g.:
 // for pair := orderedMap.Oldest(); pair != nil; pair = pair.Next() { fmt.Printf("%v => %v\n", pair.Key, pair.Value) }
 func (om *OrderedMap[K, V]) Newest() *Pair[K, V] {
 	if om == nil || om.list == nil {
 		return nil
 	}
 	return listElementToPair(om.list.Back())
 }
 // Next returns a pointer to the next pair.
 func (p *Pair[K, V]) Next() *Pair[K, V] {
 	return listElementToPair(p.element.Next())
 }
 // Prev returns a pointer to the previous pair.
 func (p *Pair[K, V]) Prev() *Pair[K, V] {
 	return listElementToPair(p.element.Prev())
 }
 func listElementToPair[K comparable, V any](element *list.Element[*Pair[K, V]]) *Pair[K, V] {
 	if element == nil {
 		return nil
 	}
 	return element.Value
 }
 // KeyNotFoundError may be returned by functions in this package when they're called with keys that are not present
 // in the map.
 type KeyNotFoundError[K comparable] struct {
 	MissingKey K
 }
 func (e *KeyNotFoundError[K]) Error() string {
 	return fmt.Sprintf("missing key: %v", e.MissingKey)
 }
 // MoveAfter moves the value associated with key to its new position after the one associated with markKey.
 // Returns an error iff key or markKey are not present in the map. If an error is returned,
 // it will be a KeyNotFoundError.
 func (om *OrderedMap[K, V]) MoveAfter(key, markKey K) error {
 	elements, err := om.getElements(key, markKey)
 	if err != nil {
 		return err
 	}
 	om.list.MoveAfter(elements[0], elements[1])
 	return nil
 }
 // MoveBefore moves the value associated with key to its new position before the one associated with markKey.
 // Returns an error iff key or markKey are not present in the map. If an error is returned,
 // it will be a KeyNotFoundError.
 func (om *OrderedMap[K, V]) MoveBefore(key, markKey K) error {
 	elements, err := om.getElements(key, markKey)
 	if err != nil {
 		return err
 	}
 	om.list.MoveBefore(elements[0], elements[1])
 	return nil
 }
 func (om *OrderedMap[K, V]) getElements(keys ...K) ([]*list.Element[*Pair[K, V]], error) {
 	elements := make([]*list.Element[*Pair[K, V]], len(keys))
 	for i, k := range keys {
 		pair, present := om.pairs[k]
 		if !present {
 			return nil, &KeyNotFoundError[K]{k}
 		}
 		elements[i] = pair.element
 	}
 	return elements, nil
 }
 // MoveToBack moves the value associated with key to the back of the ordered map,
 // i.e. makes it the newest pair in the map.
 // Returns an error iff key is not present in the map. If an error is returned,
 // it will be a KeyNotFoundError.
 func (om *OrderedMap[K, V]) MoveToBack(key K) error {
 	_, err := om.GetAndMoveToBack(key)
 	return err
 }
 // MoveToFront moves the value associated with key to the front of the ordered map,
 // i.e. makes it the oldest pair in the map.
 // Returns an error iff key is not present in the map. If an error is returned,
 // it will be a KeyNotFoundError.
 func (om *OrderedMap[K, V]) MoveToFront(key K) error {
 	_, err := om.GetAndMoveToFront(key)
 	return err
 }
 // GetAndMoveToBack combines Get and MoveToBack in the same call. If an error is returned,
 // it will be a KeyNotFoundError.
 func (om *OrderedMap[K, V]) GetAndMoveToBack(key K) (val V, err error) {
 	if pair, present := om.pairs[key]; present {
 		val = pair.Value
 		om.list.MoveToBack(pair.element)
 	} else {
 		err = &KeyNotFoundError[K]{key}
 	}
 	return
 }
 // GetAndMoveToFront combines Get and MoveToFront in the same call. If an error is returned,
 // it will be a KeyNotFoundError.
 func (om *OrderedMap[K, V]) GetAndMoveToFront(key K) (val V, err error) {
 	if pair, present := om.pairs[key]; present {
 		val = pair.Value
 		om.list.MoveToFront(pair.element)
 	} else {
 		err = &KeyNotFoundError[K]{key}
 	}
 	return
 }
--- a/common/orderedmap/orderedmap_test.go
+++ b/common/orderedmap/orderedmap_test.go
@@ -0,0 +1,384 @@
 package orderedmap
 import (
 	"fmt"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestBasicFeatures(t *testing.T) {
 	n := 100
 	om := New[int, int]()
 	// set(i, 2 * i)
 	for i := 0; i < n; i++ {
 		assertLenEqual(t, om, i)
 		oldValue, present := om.Set(i, 2*i)
 		assertLenEqual(t, om, i+1)
 		assert.Equal(t, 0, oldValue)
 		assert.False(t, present)
 	}
 	// get what we just set
 	for i := 0; i < n; i++ {
 		value, present := om.Get(i)
 		assert.Equal(t, 2*i, value)
 		assert.Equal(t, value, om.Value(i))
 		assert.True(t, present)
 	}
 	// get pairs of what we just set
 	for i := 0; i < n; i++ {
 		pair := om.GetPair(i)
 		assert.NotNil(t, pair)
 		assert.Equal(t, 2*i, pair.Value)
 	}
 	// forward iteration
 	i := 0
 	for pair := om.Oldest(); pair != nil; pair = pair.Next() {
 		assert.Equal(t, i, pair.Key)
 		assert.Equal(t, 2*i, pair.Value)
 		i++
 	}
 	// backward iteration
 	i = n - 1
 	for pair := om.Newest(); pair != nil; pair = pair.Prev() {
 		assert.Equal(t, i, pair.Key)
 		assert.Equal(t, 2*i, pair.Value)
 		i--
 	}
 	// forward iteration starting from known key
 	i = 42
 	for pair := om.GetPair(i); pair != nil; pair = pair.Next() {
 		assert.Equal(t, i, pair.Key)
 		assert.Equal(t, 2*i, pair.Value)
 		i++
 	}
 	// double values for pairs with even keys
 	for j := 0; j < n/2; j++ {
 		i = 2 * j
 		oldValue, present := om.Set(i, 4*i)
 		assert.Equal(t, 2*i, oldValue)
 		assert.True(t, present)
 	}
 	// and delete pairs with odd keys
 	for j := 0; j < n/2; j++ {
 		i = 2*j + 1
 		assertLenEqual(t, om, n-j)
 		value, present := om.Delete(i)
 		assertLenEqual(t, om, n-j-1)
 		assert.Equal(t, 2*i, value)
 		assert.True(t, present)
 		// deleting again shouldn't change anything
 		value, present = om.Delete(i)
 		assertLenEqual(t, om, n-j-1)
 		assert.Equal(t, 0, value)
 		assert.False(t, present)
 	}
 	// get the whole range
 	for j := 0; j < n/2; j++ {
 		i = 2 * j
 		value, present := om.Get(i)
 		assert.Equal(t, 4*i, value)
 		assert.Equal(t, value, om.Value(i))
 		assert.True(t, present)
 		i = 2*j + 1
 		value, present = om.Get(i)
 		assert.Equal(t, 0, value)
 		assert.Equal(t, value, om.Value(i))
 		assert.False(t, present)
 	}
 	// check iterations again
 	i = 0
 	for pair := om.Oldest(); pair != nil; pair = pair.Next() {
 		assert.Equal(t, i, pair.Key)
 		assert.Equal(t, 4*i, pair.Value)
 		i += 2
 	}
 	i = 2 * ((n - 1) / 2)
 	for pair := om.Newest(); pair != nil; pair = pair.Prev() {
 		assert.Equal(t, i, pair.Key)
 		assert.Equal(t, 4*i, pair.Value)
 		i -= 2
 	}
 }
 func TestUpdatingDoesntChangePairsOrder(t *testing.T) {
 	om := New[string, any]()
 	om.Set("foo", "bar")
 	om.Set("wk", 28)
 	om.Set("po", 100)
 	om.Set("bar", "baz")
 	oldValue, present := om.Set("po", 102)
 	assert.Equal(t, 100, oldValue)
 	assert.True(t, present)
 	assertOrderedPairsEqual(t, om,
 		[]string{"foo", "wk", "po", "bar"},
 		[]any{"bar", 28, 102, "baz"})
 }
 func TestDeletingAndReinsertingChangesPairsOrder(t *testing.T) {
 	om := New[string, any]()
 	om.Set("foo", "bar")
 	om.Set("wk", 28)
 	om.Set("po", 100)
 	om.Set("bar", "baz")
 	// delete a pair
 	oldValue, present := om.Delete("po")
 	assert.Equal(t, 100, oldValue)
 	assert.True(t, present)
 	// re-insert the same pair
 	oldValue, present = om.Set("po", 100)
 	assert.Nil(t, oldValue)
 	assert.False(t, present)
 	assertOrderedPairsEqual(t, om,
 		[]string{"foo", "wk", "bar", "po"},
 		[]any{"bar", 28, "baz", 100})
 }
 func TestEmptyMapOperations(t *testing.T) {
 	om := New[string, any]()
 	oldValue, present := om.Get("foo")
 	assert.Nil(t, oldValue)
 	assert.Nil(t, om.Value("foo"))
 	assert.False(t, present)
 	oldValue, present = om.Delete("bar")
 	assert.Nil(t, oldValue)
 	assert.False(t, present)
 	assertLenEqual(t, om, 0)
 	assert.Nil(t, om.Oldest())
 	assert.Nil(t, om.Newest())
 }
 type dummyTestStruct struct {
 	value string
 }
 func TestPackUnpackStructs(t *testing.T) {
 	om := New[string, dummyTestStruct]()
 	om.Set("foo", dummyTestStruct{"foo!"})
 	om.Set("bar", dummyTestStruct{"bar!"})
 	value, present := om.Get("foo")
 	assert.True(t, present)
 	assert.Equal(t, value, om.Value("foo"))
 	if assert.NotNil(t, value) {
 		assert.Equal(t, "foo!", value.value)
 	}
 	value, present = om.Set("bar", dummyTestStruct{"baz!"})
 	assert.True(t, present)
 	if assert.NotNil(t, value) {
 		assert.Equal(t, "bar!", value.value)
 	}
 	value, present = om.Get("bar")
 	assert.Equal(t, value, om.Value("bar"))
 	assert.True(t, present)
 	if assert.NotNil(t, value) {
 		assert.Equal(t, "baz!", value.value)
 	}
 }
 // shamelessly stolen from https://github.com/python/cpython/blob/e19a91e45fd54a56e39c2d12e6aaf4757030507f/Lib/test/test_ordered_dict.py#L55-L61
 func TestShuffle(t *testing.T) {
 	ranLen := 100
 	for _, n := range []int{0, 10, 20, 100, 1000, 10000} {
 		t.Run(fmt.Sprintf("shuffle test with %d items", n), func(t *testing.T) {
 			om := New[string, string]()
 			keys := make([]string, n)
 			values := make([]string, n)
 			for i := 0; i < n; i++ {
 				// we prefix with the number to ensure that we don't get any duplicates
 				keys[i] = fmt.Sprintf("%d_%s", i, randomHexString(t, ranLen))
 				values[i] = randomHexString(t, ranLen)
 				value, present := om.Set(keys[i], values[i])
 				assert.Equal(t, "", value)
 				assert.False(t, present)
 			}
 			assertOrderedPairsEqual(t, om, keys, values)
 		})
 	}
 }
 func TestMove(t *testing.T) {
 	om := New[int, any]()
 	om.Set(1, "bar")
 	om.Set(2, 28)
 	om.Set(3, 100)
 	om.Set(4, "baz")
 	om.Set(5, "28")
 	om.Set(6, "100")
 	om.Set(7, "baz")
 	om.Set(8, "baz")
 	err := om.MoveAfter(2, 3)
 	assert.Nil(t, err)
 	assertOrderedPairsEqual(t, om,
 		[]int{1, 3, 2, 4, 5, 6, 7, 8},
 		[]any{"bar", 100, 28, "baz", "28", "100", "baz", "baz"})
 	err = om.MoveBefore(6, 4)
 	assert.Nil(t, err)
 	assertOrderedPairsEqual(t, om,
 		[]int{1, 3, 2, 6, 4, 5, 7, 8},
 		[]any{"bar", 100, 28, "100", "baz", "28", "baz", "baz"})
 	err = om.MoveToBack(3)
 	assert.Nil(t, err)
 	assertOrderedPairsEqual(t, om,
 		[]int{1, 2, 6, 4, 5, 7, 8, 3},
 		[]any{"bar", 28, "100", "baz", "28", "baz", "baz", 100})
 	err = om.MoveToFront(5)
 	assert.Nil(t, err)
 	assertOrderedPairsEqual(t, om,
 		[]int{5, 1, 2, 6, 4, 7, 8, 3},
 		[]any{"28", "bar", 28, "100", "baz", "baz", "baz", 100})
 	err = om.MoveToFront(100)
 	assert.Equal(t, &KeyNotFoundError[int]{100}, err)
 }
 func TestGetAndMove(t *testing.T) {
 	om := New[int, any]()
 	om.Set(1, "bar")
 	om.Set(2, 28)
 	om.Set(3, 100)
 	om.Set(4, "baz")
 	om.Set(5, "28")
 	om.Set(6, "100")
 	om.Set(7, "baz")
 	om.Set(8, "baz")
 	value, err := om.GetAndMoveToBack(3)
 	assert.Nil(t, err)
 	assert.Equal(t, 100, value)
 	assertOrderedPairsEqual(t, om,
 		[]int{1, 2, 4, 5, 6, 7, 8, 3},
 		[]any{"bar", 28, "baz", "28", "100", "baz", "baz", 100})
 	value, err = om.GetAndMoveToFront(5)
 	assert.Nil(t, err)
 	assert.Equal(t, "28", value)
 	assertOrderedPairsEqual(t, om,
 		[]int{5, 1, 2, 4, 6, 7, 8, 3},
 		[]any{"28", "bar", 28, "baz", "100", "baz", "baz", 100})
 	value, err = om.GetAndMoveToBack(100)
 	assert.Equal(t, &KeyNotFoundError[int]{100}, err)
 }
 func TestAddPairs(t *testing.T) {
 	om := New[int, any]()
 	om.AddPairs(
 		Pair[int, any]{
 			Key:   28,
 			Value: "foo",
 		},
 		Pair[int, any]{
 			Key:   12,
 			Value: "bar",
 		},
 		Pair[int, any]{
 			Key:   28,
 			Value: "baz",
 		},
 	)
 	assertOrderedPairsEqual(t, om,
 		[]int{28, 12},
 		[]any{"baz", "bar"})
 }
 // sadly, we can't test the "actual" capacity here, see https://github.com/golang/go/issues/52157
 func TestNewWithCapacity(t *testing.T) {
 	zero := New[int, string](0)
 	assert.Empty(t, zero.Len())
 	assert.PanicsWithValue(t, invalidOptionMessage, func() {
 		_ = New[int, string](1, 2)
 	})
 	assert.PanicsWithValue(t, invalidOptionMessage, func() {
 		_ = New[int, string](1, 2, 3)
 	})
 	om := New[int, string](-1)
 	om.Set(1337, "quarante-deux")
 	assert.Equal(t, 1, om.Len())
 }
 func TestNewWithOptions(t *testing.T) {
 	t.Run("wih capacity", func(t *testing.T) {
 		om := New[string, any](WithCapacity[string, any](98))
 		assert.Equal(t, 0, om.Len())
 	})
 	t.Run("with initial data", func(t *testing.T) {
 		om := New[string, int](WithInitialData(
 			Pair[string, int]{
 				Key:   "a",
 				Value: 1,
 			},
 			Pair[string, int]{
 				Key:   "b",
 				Value: 2,
 			},
 			Pair[string, int]{
 				Key:   "c",
 				Value: 3,
 			},
 		))
 		assertOrderedPairsEqual(t, om,
 			[]string{"a", "b", "c"},
 			[]int{1, 2, 3})
 	})
 	t.Run("with an invalid option type", func(t *testing.T) {
 		assert.PanicsWithValue(t, invalidOptionMessage, func() {
 			_ = New[int, string]("foo")
 		})
 	})
 }
 func TestNilMap(t *testing.T) {
 	// we want certain behaviors of a nil ordered map to be the same as they are for standard nil maps
 	var om *OrderedMap[int, any]
 	t.Run("len", func(t *testing.T) {
 		assert.Equal(t, 0, om.Len())
 	})
 	t.Run("iterating - akin to range", func(t *testing.T) {
 		assert.Nil(t, om.Oldest())
 		assert.Nil(t, om.Newest())
 	})
 }
--- a/common/orderedmap/utils_test.go
+++ b/common/orderedmap/utils_test.go
@@ -0,0 +1,76 @@
 package orderedmap
 import (
 	"crypto/rand"
 	"encoding/hex"
 	"fmt"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 // assertOrderedPairsEqual asserts that the map contains the given keys and values
 // from oldest to newest.
 func assertOrderedPairsEqual[K comparable, V any](
 	t *testing.T, orderedMap *OrderedMap[K, V], expectedKeys []K, expectedValues []V,
 ) {
 	t.Helper()
 	assertOrderedPairsEqualFromNewest(t, orderedMap, expectedKeys, expectedValues)
 	assertOrderedPairsEqualFromOldest(t, orderedMap, expectedKeys, expectedValues)
 }
 func assertOrderedPairsEqualFromNewest[K comparable, V any](
 	t *testing.T, orderedMap *OrderedMap[K, V], expectedKeys []K, expectedValues []V,
 ) {
 	t.Helper()
 	if assert.Equal(t, len(expectedKeys), len(expectedValues)) && assert.Equal(t, len(expectedKeys), orderedMap.Len()) {
 		i := orderedMap.Len() - 1
 		for pair := orderedMap.Newest(); pair != nil; pair = pair.Prev() {
 			assert.Equal(t, expectedKeys[i], pair.Key, "from newest index=%d on key", i)
 			assert.Equal(t, expectedValues[i], pair.Value, "from newest index=%d on value", i)
 			i--
 		}
 	}
 }
 func assertOrderedPairsEqualFromOldest[K comparable, V any](
 	t *testing.T, orderedMap *OrderedMap[K, V], expectedKeys []K, expectedValues []V,
 ) {
 	t.Helper()
 	if assert.Equal(t, len(expectedKeys), len(expectedValues)) && assert.Equal(t, len(expectedKeys), orderedMap.Len()) {
 		i := 0
 		for pair := orderedMap.Oldest(); pair != nil; pair = pair.Next() {
 			assert.Equal(t, expectedKeys[i], pair.Key, "from oldest index=%d on key", i)
 			assert.Equal(t, expectedValues[i], pair.Value, "from oldest index=%d on value", i)
 			i++
 		}
 	}
 }
 func assertLenEqual[K comparable, V any](t *testing.T, orderedMap *OrderedMap[K, V], expectedLen int) {
 	t.Helper()
 	assert.Equal(t, expectedLen, orderedMap.Len())
 	// also check the list length, for good measure
 	assert.Equal(t, expectedLen, orderedMap.list.Len())
 }
 func randomHexString(t *testing.T, length int) string {
 	t.Helper()
 	b := length / 2 //nolint:gomnd
 	randBytes := make([]byte, b)
 	if n, err := rand.Read(randBytes); err != nil || n != b {
 		if err == nil {
 			err = fmt.Errorf("only got %v random bytes, expected %v", n, b)
 		}
 		t.Fatal(err)
 	}
 	return hex.EncodeToString(randBytes)
 }
--- a/common/orderedmap/yaml.go
+++ b/common/orderedmap/yaml.go
@@ -0,0 +1,71 @@
 package orderedmap
 import (
 	"fmt"
 	"gopkg.in/yaml.v3"
 )
 var (
 	_ yaml.Marshaler   = &OrderedMap[int, any]{}
 	_ yaml.Unmarshaler = &OrderedMap[int, any]{}
 )
 // MarshalYAML implements the yaml.Marshaler interface.
 func (om *OrderedMap[K, V]) MarshalYAML() (interface{}, error) {
 	if om == nil {
 		return []byte("null"), nil
 	}
 	node := yaml.Node{
 		Kind: yaml.MappingNode,
 	}
 	for pair := om.Oldest(); pair != nil; pair = pair.Next() {
 		key, value := pair.Key, pair.Value
 		keyNode := &yaml.Node{}
 		// serialize key to yaml, then deserialize it back into the node
 		// this is a hack to get the correct tag for the key
 		if err := keyNode.Encode(key); err != nil {
 			return nil, err
 		}
 		valueNode := &yaml.Node{}
 		if err := valueNode.Encode(value); err != nil {
 			return nil, err
 		}
 		node.Content = append(node.Content, keyNode, valueNode)
 	}
 	return &node, nil
 }
 // UnmarshalYAML implements the yaml.Unmarshaler interface.
 func (om *OrderedMap[K, V]) UnmarshalYAML(value *yaml.Node) error {
 	if value.Kind != yaml.MappingNode {
 		return fmt.Errorf("pipeline must contain YAML mapping, has %v", value.Kind)
 	}
 	if om.list == nil {
 		om.initialize(0)
 	}
 	for index := 0; index < len(value.Content); index += 2 {
 		var key K
 		var val V
 		if err := value.Content[index].Decode(&key); err != nil {
 			return err
 		}
 		if err := value.Content[index+1].Decode(&val); err != nil {
 			return err
 		}
 		om.Set(key, val)
 	}
 	return nil
 }
--- a/common/orderedmap/yaml_fuzz_test.go
+++ b/common/orderedmap/yaml_fuzz_test.go
@@ -0,0 +1,82 @@
 package orderedmap
 // Adapted from https://github.com/dvyukov/go-fuzz-corpus/blob/c42c1b2/json/json.go
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"gopkg.in/yaml.v3"
 )
 func FuzzRoundTripYAML(f *testing.F) {
 	f.Fuzz(func(t *testing.T, data []byte) {
 		for _, testCase := range []struct {
 			name        string
 			constructor func() any
 			// should be a function that asserts that 2 objects of the type returned by constructor are equal
 			equalityAssertion func(*testing.T, any, any) bool
 		}{
 			{
 				name:              "with a string -> string map",
 				constructor:       func() any { return &OrderedMap[string, string]{} },
 				equalityAssertion: assertOrderedMapsEqual[string, string],
 			},
 			{
 				name:              "with a string -> int map",
 				constructor:       func() any { return &OrderedMap[string, int]{} },
 				equalityAssertion: assertOrderedMapsEqual[string, int],
 			},
 			{
 				name:              "with a string -> any map",
 				constructor:       func() any { return &OrderedMap[string, any]{} },
 				equalityAssertion: assertOrderedMapsEqual[string, any],
 			},
 			{
 				name:              "with a struct with map fields",
 				constructor:       func() any { return new(testFuzzStruct) },
 				equalityAssertion: assertTestFuzzStructEqual,
 			},
 		} {
 			t.Run(testCase.name, func(t *testing.T) {
 				v1 := testCase.constructor()
 				if yaml.Unmarshal(data, v1) != nil {
 					return
 				}
 				t.Log(data)
 				t.Log(v1)
 				yamlData, err := yaml.Marshal(v1)
 				require.NoError(t, err)
 				t.Log(string(yamlData))
 				v2 := testCase.constructor()
 				err = yaml.Unmarshal(yamlData, v2)
 				if err != nil {
 					t.Log(string(yamlData))
 					t.Fatal(err)
 				}
 				if !assert.True(t, testCase.equalityAssertion(t, v1, v2), "failed with input data %q", string(data)) {
 					// look at that what the standard lib does with regular map, to help with debugging
 					var m1 map[string]any
 					require.NoError(t, yaml.Unmarshal(data, &m1))
 					mapJsonData, err := yaml.Marshal(m1)
 					require.NoError(t, err)
 					var m2 map[string]any
 					require.NoError(t, yaml.Unmarshal(mapJsonData, &m2))
 					t.Logf("initial data = %s", string(data))
 					t.Logf("unmarshalled map = %v", m1)
 					t.Logf("re-marshalled from map = %s", string(mapJsonData))
 					t.Logf("re-marshalled from test obj = %s", string(yamlData))
 					t.Logf("re-unmarshalled map = %s", m2)
 				}
 			})
 		}
 	})
 }
--- a/common/orderedmap/yaml_test.go
+++ b/common/orderedmap/yaml_test.go
@@ -0,0 +1,334 @@
 package orderedmap
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"gopkg.in/yaml.v3"
 )
 func TestMarshalYAML(t *testing.T) {
 	t.Run("int key", func(t *testing.T) {
 		om := New[int, any]()
 		om.Set(1, "bar")
 		om.Set(7, "baz")
 		om.Set(2, 28)
 		om.Set(3, 100)
 		om.Set(4, "baz")
 		om.Set(5, "28")
 		om.Set(6, "100")
 		om.Set(8, "baz")
 		om.Set(8, "baz")
 		om.Set(9, "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque auctor augue accumsan mi maximus, quis viverra massa pretium. Phasellus imperdiet sapien a interdum sollicitudin. Duis at commodo lectus, a lacinia sem.")
 		b, err := yaml.Marshal(om)
 		expected := `1: bar
 7: baz
 2: 28
 3: 100
 4: baz
 5: "28"
 6: "100"
 8: baz
 9: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque auctor augue accumsan mi maximus, quis viverra massa pretium. Phasellus imperdiet sapien a interdum sollicitudin. Duis at commodo lectus, a lacinia sem.
 `
 		assert.NoError(t, err)
 		assert.Equal(t, expected, string(b))
 	})
 	t.Run("string key", func(t *testing.T) {
 		om := New[string, any]()
 		om.Set("test", "bar")
 		om.Set("abc", true)
 		b, err := yaml.Marshal(om)
 		assert.NoError(t, err)
 		expected := `test: bar
 abc: true
 `
 		assert.Equal(t, expected, string(b))
 	})
 	t.Run("typed string key", func(t *testing.T) {
 		type myString string
 		om := New[myString, any]()
 		om.Set("test", "bar")
 		om.Set("abc", true)
 		b, err := yaml.Marshal(om)
 		assert.NoError(t, err)
 		assert.Equal(t, `test: bar
 abc: true
 `, string(b))
 	})
 	t.Run("typed int key", func(t *testing.T) {
 		type myInt uint32
 		om := New[myInt, any]()
 		om.Set(1, "bar")
 		om.Set(7, "baz")
 		om.Set(2, 28)
 		om.Set(3, 100)
 		om.Set(4, "baz")
 		b, err := yaml.Marshal(om)
 		assert.NoError(t, err)
 		assert.Equal(t, `1: bar
 7: baz
 2: 28
 3: 100
 4: baz
 `, string(b))
 	})
 	t.Run("TextMarshaller key", func(t *testing.T) {
 		om := New[marshallable, any]()
 		om.Set(marshallable(1), "bar")
 		om.Set(marshallable(28), true)
 		b, err := yaml.Marshal(om)
 		assert.NoError(t, err)
 		assert.Equal(t, `'#1#': bar
 '#28#': true
 `, string(b))
 	})
 	t.Run("empty map with 0 elements", func(t *testing.T) {
 		om := New[string, any]()
 		b, err := yaml.Marshal(om)
 		assert.NoError(t, err)
 		assert.Equal(t, "{}\n", string(b))
 	})
 	t.Run("empty map with no elements (null)", func(t *testing.T) {
 		om := &OrderedMap[string, string]{}
 		b, err := yaml.Marshal(om)
 		assert.NoError(t, err)
 		assert.Equal(t, "{}\n", string(b))
 	})
 }
 func TestUnmarshallYAML(t *testing.T) {
 	t.Run("int key", func(t *testing.T) {
 		data := `
 1: bar
 7: baz
 2: 28
 3: 100
 4: baz
 5: "28"
 6: "100"
 8: baz
 `
 		om := New[int, any]()
 		require.NoError(t, yaml.Unmarshal([]byte(data), &om))
 		assertOrderedPairsEqual(t, om,
 			[]int{1, 7, 2, 3, 4, 5, 6, 8},
 			[]any{"bar", "baz", 28, 100, "baz", "28", "100", "baz"})
 		// serialize back to yaml to make sure things are equal
 	})
 	t.Run("string key", func(t *testing.T) {
 		data := `{"test":"bar","abc":true}`
 		om := New[string, any]()
 		require.NoError(t, yaml.Unmarshal([]byte(data), &om))
 		assertOrderedPairsEqual(t, om,
 			[]string{"test", "abc"},
 			[]any{"bar", true})
 	})
 	t.Run("typed string key", func(t *testing.T) {
 		data := `{"test":"bar","abc":true}`
 		type myString string
 		om := New[myString, any]()
 		require.NoError(t, yaml.Unmarshal([]byte(data), &om))
 		assertOrderedPairsEqual(t, om,
 			[]myString{"test", "abc"},
 			[]any{"bar", true})
 	})
 	t.Run("typed int key", func(t *testing.T) {
 		data := `
 1: bar
 7: baz
 2: 28
 3: 100
 4: baz
 5: "28"
 6: "100"
 8: baz
 `
 		type myInt uint32
 		om := New[myInt, any]()
 		require.NoError(t, yaml.Unmarshal([]byte(data), &om))
 		assertOrderedPairsEqual(t, om,
 			[]myInt{1, 7, 2, 3, 4, 5, 6, 8},
 			[]any{"bar", "baz", 28, 100, "baz", "28", "100", "baz"})
 	})
 	t.Run("TextUnmarshaler key", func(t *testing.T) {
 		data := `{"#1#":"bar","#28#":true}`
 		om := New[marshallable, any]()
 		require.NoError(t, yaml.Unmarshal([]byte(data), &om))
 		assertOrderedPairsEqual(t, om,
 			[]marshallable{1, 28},
 			[]any{"bar", true})
 	})
 	t.Run("when fed with an input that's not an object", func(t *testing.T) {
 		for _, data := range []string{"true", `["foo"]`, "42", `"foo"`} {
 			om := New[int, any]()
 			require.Error(t, yaml.Unmarshal([]byte(data), &om))
 		}
 	})
 	t.Run("empty map", func(t *testing.T) {
 		data := `{}`
 		om := New[int, any]()
 		require.NoError(t, yaml.Unmarshal([]byte(data), &om))
 		assertLenEqual(t, om, 0)
 	})
 }
 func TestYAMLSpecialCharacters(t *testing.T) {
 	baselineMap := map[string]any{specialCharacters: specialCharacters}
 	baselineData, err := yaml.Marshal(baselineMap)
 	require.NoError(t, err) // baseline proves this key is supported by official yaml library
 	t.Logf("specialCharacters: %#v as []rune:%v", specialCharacters, []rune(specialCharacters))
 	t.Logf("baseline yaml data: %s", baselineData)
 	t.Run("marshal special characters", func(t *testing.T) {
 		om := New[string, any]()
 		om.Set(specialCharacters, specialCharacters)
 		b, err := yaml.Marshal(om)
 		require.NoError(t, err)
 		require.Equal(t, baselineData, b)
 		type myString string
 		om2 := New[myString, myString]()
 		om2.Set(specialCharacters, specialCharacters)
 		b, err = yaml.Marshal(om2)
 		require.NoError(t, err)
 		require.Equal(t, baselineData, b)
 	})
 	t.Run("unmarshall special characters", func(t *testing.T) {
 		om := New[string, any]()
 		require.NoError(t, yaml.Unmarshal(baselineData, &om))
 		assertOrderedPairsEqual(t, om,
 			[]string{specialCharacters},
 			[]any{specialCharacters})
 		type myString string
 		om2 := New[myString, myString]()
 		require.NoError(t, yaml.Unmarshal(baselineData, &om2))
 		assertOrderedPairsEqual(t, om2,
 			[]myString{specialCharacters},
 			[]myString{specialCharacters})
 	})
 }
 func TestYAMLRoundTrip(t *testing.T) {
 	for _, testCase := range []struct {
 		name          string
 		input         string
 		targetFactory func() any
 	}{
 		{
 			name:  "empty map",
 			input: "{}\n",
 			targetFactory: func() any {
 				return &OrderedMap[string, any]{}
 			},
 		},
 		{
 			name: "",
 			input: `x: 28
 m:
    bar:
        - 5:
            foo: bar
    foo:
        - 12:
            b: true
            i: 12
            m:
                a: b
                c: 28
            "n": null
          28:
            a: false
            b:
                - 1
                - 2
                - 3
        - 3:
            c: null
            d: 87
          4:
            e: true
          5:
            f: 4
            g: 5
            h: 6
 `,
 			targetFactory: func() any { return &nestedMaps{} },
 		},
 		{
 			name:          "with UTF-8 special chars in key",
 			input:         "<22>: 0\n",
 			targetFactory: func() any { return &OrderedMap[string, int]{} },
 		},
 	} {
 		t.Run(testCase.name, func(t *testing.T) {
 			target := testCase.targetFactory()
 			require.NoError(t, yaml.Unmarshal([]byte(testCase.input), target))
 			var (
 				out []byte
 				err error
 			)
 			out, err = yaml.Marshal(target)
 			if assert.NoError(t, err) {
 				assert.Equal(t, testCase.input, string(out))
 			}
 		})
 	}
 }
 func BenchmarkMarshalYAML(b *testing.B) {
 	om := New[int, any]()
 	om.Set(1, "bar")
 	om.Set(7, "baz")
 	om.Set(2, 28)
 	om.Set(3, 100)
 	om.Set(4, "baz")
 	om.Set(5, "28")
 	om.Set(6, "100")
 	om.Set(8, "baz")
 	om.Set(8, "baz")
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		_, _ = yaml.Marshal(om)
 	}
 }
--- a/common/structure/structure.go
+++ b/common/structure/structure.go
@@ -7,6 +7,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"reflect"
 	"sort"
 	"strconv"
 	"strings"
 )
@@ -38,58 +39,7 @@ func (d *Decoder) Decode(src map[string]any, dst any) error {
 	if reflect.TypeOf(dst).Kind() != reflect.Ptr {
 		return fmt.Errorf("decode must recive a ptr struct")
 	}
-	t := reflect.TypeOf(dst).Elem()
+	return d.decode("", src, reflect.ValueOf(dst).Elem())
 	v := reflect.ValueOf(dst).Elem()
 	for idx := 0; idx < v.NumField(); idx++ {
 		field := t.Field(idx)
 		if field.Anonymous {
 			if err := d.decodeStruct(field.Name, src, v.Field(idx)); err != nil {
 				return err
 			}
 			continue
 		}
 		tag := field.Tag.Get(d.option.TagName)
 		key, omitKey, found := strings.Cut(tag, ",")
 		omitempty := found && omitKey == "omitempty"
 		// As a special case, if the field tag is "-", the field is always omitted.
 		// Note that a field with name "-" can still be generated using the tag "-,".
 		if key == "-" {
 			continue
 		}
 		value, ok := src[key]
 		if !ok {
 			if d.option.KeyReplacer != nil {
 				key = d.option.KeyReplacer.Replace(key)
 			}
 			for _strKey := range src {
 				strKey := _strKey
 				if d.option.KeyReplacer != nil {
 					strKey = d.option.KeyReplacer.Replace(strKey)
 				}
 				if strings.EqualFold(key, strKey) {
 					value = src[_strKey]
 					ok = true
 					break
 				}
 			}
 		}
 		if !ok || value == nil {
 			if omitempty {
 				continue
 			}
 			return fmt.Errorf("key '%s' missing", key)
 		}
 		err := d.decode(key, value, v.Field(idx))
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 // isNil returns true if the input is nil or a typed nil pointer.
@@ -456,6 +406,7 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 		dataValKeysUnused[dataValKey.Interface()] = struct{}{}
 	}
 	targetValKeysUnused := make(map[any]struct{})
 	errors := make([]string, 0)
 	// This slice will keep track of all the structs we'll be decoding.
@@ -470,6 +421,11 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 		field reflect.StructField
 		val   reflect.Value
 	}
 	// remainField is set to a valid field set with the "remain" tag if
 	// we are keeping track of remaining values.
 	var remainField *field
 	var fields []field
 	for len(structs) > 0 {
 		structVal := structs[0]
@@ -479,30 +435,47 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 		for i := 0; i < structType.NumField(); i++ {
 			fieldType := structType.Field(i)
-			fieldKind := fieldType.Type.Kind()
+			fieldVal := structVal.Field(i)
 			if fieldVal.Kind() == reflect.Ptr && fieldVal.Elem().Kind() == reflect.Struct {
 				// Handle embedded struct pointers as embedded structs.
 				fieldVal = fieldVal.Elem()
 			}
 			// If "squash" is specified in the tag, we squash the field down.
-			squash := false
+			squash := fieldVal.Kind() == reflect.Struct && fieldType.Anonymous
 			remain := false
 			// We always parse the tags cause we're looking for other tags too
 			tagParts := strings.Split(fieldType.Tag.Get(d.option.TagName), ",")
 			for _, tag := range tagParts[1:] {
 				if tag == "squash" {
 					squash = true
 					break
 				}
 				if tag == "remain" {
 					remain = true
 					break
 				}
 			}
 			if squash {
-				if fieldKind != reflect.Struct {
+				if fieldVal.Kind() != reflect.Struct {
 					errors = append(errors,
-						fmt.Errorf("%s: unsupported type for squash: %s", fieldType.Name, fieldKind).Error())
+						fmt.Errorf("%s: unsupported type for squash: %s", fieldType.Name, fieldVal.Kind()).Error())
 				} else {
-					structs = append(structs, structVal.FieldByName(fieldType.Name))
+					structs = append(structs, fieldVal)
 				}
 				continue
 			}
-			// Normal struct field, store it away
+			// Build our field
-			fields = append(fields, field{fieldType, structVal.Field(i)})
+			if remain {
 				remainField = &field{fieldType, fieldVal}
 			} else {
 				// Normal struct field, store it away
 				fields = append(fields, field{fieldType, fieldVal})
 			}
 		}
 	}
@@ -511,8 +484,8 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 		field, fieldValue := f.field, f.val
 		fieldName := field.Name
-		tagValue := field.Tag.Get(d.option.TagName)
+		tagParts := strings.Split(field.Tag.Get(d.option.TagName), ",")
-		tagValue = strings.SplitN(tagValue, ",", 2)[0]
+		tagValue := tagParts[0]
 		if tagValue != "" {
 			fieldName = tagValue
 		}
@@ -521,6 +494,13 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 			continue
 		}
 		omitempty := false
 		for _, tag := range tagParts[1:] {
 			if tag == "omitempty" {
 				omitempty = true
 			}
 		}
 		rawMapKey := reflect.ValueOf(fieldName)
 		rawMapVal := dataVal.MapIndex(rawMapKey)
 		if !rawMapVal.IsValid() {
@@ -548,7 +528,10 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 			if !rawMapVal.IsValid() {
 				// There was no matching key in the map for the value in
-				// the struct. Just ignore.
+				// the struct. Remember it for potential errors and metadata.
 				if !omitempty {
 					targetValKeysUnused[fieldName] = struct{}{}
 				}
 				continue
 			}
 		}
@@ -570,7 +553,7 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 		// If the name is empty string, then we're at the root, and we
 		// don't dot-join the fields.
 		if name != "" {
-			fieldName = fmt.Sprintf("%s.%s", name, fieldName)
+			fieldName = name + "." + fieldName
 		}
 		if err := d.decode(fieldName, rawMapVal.Interface(), fieldValue); err != nil {
@@ -578,6 +561,36 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 		}
 	}
 	// If we have a "remain"-tagged field and we have unused keys then
 	// we put the unused keys directly into the remain field.
 	if remainField != nil && len(dataValKeysUnused) > 0 {
 		// Build a map of only the unused values
 		remain := map[interface{}]interface{}{}
 		for key := range dataValKeysUnused {
 			remain[key] = dataVal.MapIndex(reflect.ValueOf(key)).Interface()
 		}
 		// Decode it as-if we were just decoding this map onto our map.
 		if err := d.decodeMap(name, remain, remainField.val); err != nil {
 			errors = append(errors, err.Error())
 		}
 		// Set the map to nil so we have none so that the next check will
 		// not error (ErrorUnused)
 		dataValKeysUnused = nil
 	}
 	if len(targetValKeysUnused) > 0 {
 		keys := make([]string, 0, len(targetValKeysUnused))
 		for rawKey := range targetValKeysUnused {
 			keys = append(keys, rawKey.(string))
 		}
 		sort.Strings(keys)
 		err := fmt.Errorf("'%s' has unset fields: %s", name, strings.Join(keys, ", "))
 		errors = append(errors, err.Error())
 	}
 	if len(errors) > 0 {
 		return fmt.Errorf(strings.Join(errors, ","))
 	}
--- a/common/structure/structure_test.go
+++ b/common/structure/structure_test.go
@@ -139,6 +139,49 @@ func TestStructure_Nest(t *testing.T) {
 	assert.Equal(t, s.BazOptional, goal)
 }
 func TestStructure_DoubleNest(t *testing.T) {
 	rawMap := map[string]any{
 		"bar": map[string]any{
 			"foo": 1,
 		},
 	}
 	goal := BazOptional{
 		Foo: 1,
 	}
 	s := &struct {
 		Bar struct {
 			BazOptional
 		} `test:"bar"`
 	}{}
 	err := decoder.Decode(rawMap, s)
 	assert.Nil(t, err)
 	assert.Equal(t, s.Bar.BazOptional, goal)
 }
 func TestStructure_Remain(t *testing.T) {
 	rawMap := map[string]any{
 		"foo":   1,
 		"bar":   "test",
 		"extra": false,
 	}
 	goal := &Baz{
 		Foo: 1,
 		Bar: "test",
 	}
 	s := &struct {
 		Baz
 		Remain map[string]any `test:",remain"`
 	}{}
 	err := decoder.Decode(rawMap, s)
 	assert.Nil(t, err)
 	assert.Equal(t, *goal, s.Baz)
 	assert.Equal(t, map[string]any{"extra": false}, s.Remain)
 }
 func TestStructure_SliceNilValue(t *testing.T) {
 	rawMap := map[string]any{
 		"foo": 1,
@@ -228,6 +271,23 @@ func TestStructure_Pointer(t *testing.T) {
 	assert.Nil(t, s.Bar)
 }
 func TestStructure_PointerStruct(t *testing.T) {
 	rawMap := map[string]any{
 		"foo": "foo",
 	}
 	s := &struct {
 		Foo *string `test:"foo,omitempty"`
 		Bar *Baz    `test:"bar,omitempty"`
 	}{}
 	err := decoder.Decode(rawMap, s)
 	assert.Nil(t, err)
 	assert.NotNil(t, s.Foo)
 	assert.Equal(t, "foo", *s.Foo)
 	assert.Nil(t, s.Bar)
 }
 type num struct {
 	a int
 }
--- a/common/yaml/yaml.go
+++ b/common/yaml/yaml.go
@@ -0,0 +1,14 @@
 // Package yaml provides a common entrance for YAML marshaling and unmarshalling.
 package yaml
 import (
 	"gopkg.in/yaml.v3"
 )
 func Unmarshal(in []byte, out any) (err error) {
 	return yaml.Unmarshal(in, out)
 }
 func Marshal(in any) (out []byte, err error) {
 	return yaml.Marshal(in)
 }
--- a/component/ca/config.go
+++ b/component/ca/config.go
@@ -98,10 +98,16 @@ func GetTLSConfig(opt Option) (tlsConfig *tls.Config, err error) {
 	}
 	if len(opt.Fingerprint) > 0 {
-		tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(opt.Fingerprint, tlsConfig.Time)
+		verifier, err := NewFingerprintVerifier(opt.Fingerprint, tlsConfig.Time)
 		if err != nil {
 			return nil, err
 		}
 		tlsConfig.VerifyConnection = func(state tls.ConnectionState) error {
 			// [ConnectionState.ServerName] can return the actual ServerName needed for verification,
 			// avoiding inconsistencies caused by [tlsConfig.ServerName] being modified after the [NewFingerprintVerifier] call.
 			// https://github.com/golang/go/issues/36736#issuecomment-587925536
 			return verifier(state.PeerCertificates, state.ServerName)
 		}
 		tlsConfig.InsecureSkipVerify = true
 	}
--- a/component/ca/fingerprint.go
+++ b/component/ca/fingerprint.go
@@ -11,7 +11,7 @@ import (
 )
 // NewFingerprintVerifier returns a function that verifies whether a certificate's SHA-256 fingerprint matches the given one.
-func NewFingerprintVerifier(fingerprint string, time func() time.Time) (func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error, error) {
+func NewFingerprintVerifier(fingerprint string, time func() time.Time) (func(certs []*x509.Certificate, serverName string) error, error) {
 	switch fingerprint {
 	case "chrome", "firefox", "safari", "ios", "android", "edge", "360", "qq", "random", "randomized": // WTF???
 		return nil, fmt.Errorf("`fingerprint` is used for TLS certificate pinning. If you need to specify the browser fingerprint, use `client-fingerprint`")
@@ -26,37 +26,24 @@ func NewFingerprintVerifier(fingerprint string, time func() time.Time) (func(raw
 		return nil, fmt.Errorf("fingerprint string length error,need sha256 fingerprint")
 	}
-	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+	return func(certs []*x509.Certificate, serverName string) error {
 		// ssl pining
-		for i, rawCert := range rawCerts {
+		for i, cert := range certs {
-			hash := sha256.Sum256(rawCert)
+			hash := sha256.Sum256(cert.Raw)
 			if bytes.Equal(fpByte, hash[:]) {
 				if i > 0 {
 					// When the fingerprint matches a non-leaf certificate,
 					// the certificate chain validity is verified using the certificate as the trusted root certificate.
 					//
 					// Currently, we do not verify that the SNI matches the certificate's DNS name,
 					// but we do verify the validity of the child certificate,
 					// including the issuance time and whether the child certificate was issued by the parent certificate.
 					certs := make([]*x509.Certificate, i+1) // stop at i
 					for j := range certs {
 						cert, err := x509.ParseCertificate(rawCerts[j])
 						if err != nil {
 							return err
 						}
 						certs[j] = cert
 					}
 					opts := x509.VerifyOptions{
 						Roots:         x509.NewCertPool(),
 						Intermediates: x509.NewCertPool(),
 						DNSName:       serverName,
 					}
 					if time != nil {
 						opts.CurrentTime = time()
 					}
 					opts.Roots.AddCert(certs[i])
-					for _, cert := range certs[1:] {
+					for _, cert := range certs[1 : i+1] { // stop at i
 						opts.Intermediates.AddCert(cert)
 					}
 					_, err := certs[0].Verify(opts)
--- a/component/ca/fingerprint_test.go
+++ b/component/ca/fingerprint_test.go
@@ -1,6 +1,7 @@
 package ca
 import (
 	"crypto/x509"
 	"encoding/pem"
 	"testing"
 	"time"
@@ -10,90 +11,203 @@ import (
 )
 func TestFingerprintVerifierLeaf(t *testing.T) {
-	leafFingerprint := CalculateFingerprint(leafPEM.Bytes)
+	leafFingerprint := CalculateFingerprint(leafCert.Raw)
-	verifier, err := NewFingerprintVerifier(leafFingerprint, func() time.Time {
+	verifier, err := NewFingerprintVerifier(leafFingerprint, certTime)
 		return time.Unix(1677615892, 0)
 	})
 	require.NoError(t, err)
-	err = verifier([][]byte{leafPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, intermediateCert, rootCert}, "")
 	assert.NoError(t, err)
-	err = verifier([][]byte{leafPEM.Bytes, smimeIntermediatePEM.Bytes, rootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, intermediateCert, rootCert}, leafServerName)
 	assert.NoError(t, err)
-	err = verifier([][]byte{leafPEM.Bytes, intermediatePEM.Bytes, smimeRootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, intermediateCert, rootCert}, wrongLeafServerName)
 	assert.NoError(t, err)
-	err = verifier([][]byte{leafWithInvalidHashPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, smimeIntermediateCert, rootCert}, "")
 	assert.NoError(t, err)
 	err = verifier([]*x509.Certificate{leafCert, smimeIntermediateCert, rootCert}, leafServerName)
 	assert.NoError(t, err)
 	err = verifier([]*x509.Certificate{leafCert, smimeIntermediateCert, rootCert}, wrongLeafServerName)
 	assert.NoError(t, err)
 	err = verifier([]*x509.Certificate{leafCert, intermediateCert, smimeRootCert}, "")
 	assert.NoError(t, err)
 	err = verifier([]*x509.Certificate{leafCert, intermediateCert, smimeRootCert}, leafServerName)
 	assert.NoError(t, err)
 	err = verifier([]*x509.Certificate{leafCert, intermediateCert, smimeRootCert}, wrongLeafServerName)
 	assert.NoError(t, err)
 	err = verifier([]*x509.Certificate{leafWithInvalidHashCert, intermediateCert, rootCert}, "")
 	assert.Error(t, err)
-	err = verifier([][]byte{smimeLeafPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafWithInvalidHashCert, intermediateCert, rootCert}, leafServerName)
 	assert.Error(t, err)
-	err = verifier([][]byte{smimeLeafPEM.Bytes, intermediatePEM.Bytes, smimeRootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafWithInvalidHashCert, intermediateCert, rootCert}, wrongLeafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, rootCert}, "")
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, rootCert}, leafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, rootCert}, wrongLeafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, smimeRootCert}, "")
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, smimeRootCert}, leafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, smimeRootCert}, wrongLeafServerName)
 	assert.Error(t, err)
 }
 func TestFingerprintVerifierIntermediate(t *testing.T) {
-	intermediateFingerprint := CalculateFingerprint(intermediatePEM.Bytes)
+	intermediateFingerprint := CalculateFingerprint(intermediateCert.Raw)
-	verifier, err := NewFingerprintVerifier(intermediateFingerprint, func() time.Time {
+	verifier, err := NewFingerprintVerifier(intermediateFingerprint, certTime)
 		return time.Unix(1677615892, 0)
 	})
 	require.NoError(t, err)
-	err = verifier([][]byte{leafPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, intermediateCert, rootCert}, "")
 	assert.NoError(t, err)
-	err = verifier([][]byte{leafPEM.Bytes, smimeIntermediatePEM.Bytes, rootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, intermediateCert, rootCert}, leafServerName)
 	assert.Error(t, err)
 	err = verifier([][]byte{leafPEM.Bytes, intermediatePEM.Bytes, smimeRootPEM.Bytes}, nil)
 	assert.NoError(t, err)
-	err = verifier([][]byte{leafWithInvalidHashPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, intermediateCert, rootCert}, wrongLeafServerName)
 	assert.Error(t, err)
-	err = verifier([][]byte{smimeLeafPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, smimeIntermediateCert, rootCert}, "")
 	assert.Error(t, err)
-	err = verifier([][]byte{smimeLeafPEM.Bytes, intermediatePEM.Bytes, smimeRootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, smimeIntermediateCert, rootCert}, leafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{leafCert, smimeIntermediateCert, rootCert}, wrongLeafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{leafCert, intermediateCert, smimeRootCert}, "")
 	assert.NoError(t, err)
 	err = verifier([]*x509.Certificate{leafCert, intermediateCert, smimeRootCert}, leafServerName)
 	assert.NoError(t, err)
 	err = verifier([]*x509.Certificate{leafCert, intermediateCert, smimeRootCert}, wrongLeafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{leafWithInvalidHashCert, intermediateCert, rootCert}, "")
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{leafWithInvalidHashCert, intermediateCert, rootCert}, leafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{leafWithInvalidHashCert, intermediateCert, rootCert}, wrongLeafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, rootCert}, "")
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, rootCert}, leafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, rootCert}, wrongLeafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, smimeRootCert}, "")
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, smimeRootCert}, leafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, smimeRootCert}, wrongLeafServerName)
 	assert.Error(t, err)
 }
 func TestFingerprintVerifierRoot(t *testing.T) {
-	rootFingerprint := CalculateFingerprint(rootPEM.Bytes)
+	rootFingerprint := CalculateFingerprint(rootCert.Raw)
-	verifier, err := NewFingerprintVerifier(rootFingerprint, func() time.Time {
+	verifier, err := NewFingerprintVerifier(rootFingerprint, certTime)
 		return time.Unix(1677615892, 0)
 	})
 	require.NoError(t, err)
-	err = verifier([][]byte{leafPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, intermediateCert, rootCert}, "")
 	assert.NoError(t, err)
-	err = verifier([][]byte{leafPEM.Bytes, smimeIntermediatePEM.Bytes, rootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, intermediateCert, rootCert}, leafServerName)
 	assert.NoError(t, err)
 	err = verifier([]*x509.Certificate{leafCert, intermediateCert, rootCert}, wrongLeafServerName)
 	assert.Error(t, err)
-	err = verifier([][]byte{leafPEM.Bytes, intermediatePEM.Bytes, smimeRootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, smimeIntermediateCert, rootCert}, "")
 	assert.Error(t, err)
-	err = verifier([][]byte{leafWithInvalidHashPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, smimeIntermediateCert, rootCert}, leafServerName)
 	assert.Error(t, err)
-	err = verifier([][]byte{smimeLeafPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, smimeIntermediateCert, rootCert}, wrongLeafServerName)
 	assert.Error(t, err)
-	err = verifier([][]byte{smimeLeafPEM.Bytes, intermediatePEM.Bytes, smimeRootPEM.Bytes}, nil)
+	err = verifier([]*x509.Certificate{leafCert, intermediateCert, smimeRootCert}, "")
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{leafCert, intermediateCert, smimeRootCert}, leafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{leafCert, intermediateCert, smimeRootCert}, wrongLeafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{leafWithInvalidHashCert, intermediateCert, rootCert}, "")
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{leafWithInvalidHashCert, intermediateCert, rootCert}, leafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{leafWithInvalidHashCert, intermediateCert, rootCert}, wrongLeafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, rootCert}, "")
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, rootCert}, leafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, rootCert}, wrongLeafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, smimeRootCert}, "")
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, smimeRootCert}, leafServerName)
 	assert.Error(t, err)
 	err = verifier([]*x509.Certificate{smimeLeafCert, intermediateCert, smimeRootCert}, wrongLeafServerName)
 	assert.Error(t, err)
 }
 var rootPEM, _ = pem.Decode([]byte(gtsRoot))
 var rootCert, _ = x509.ParseCertificate(rootPEM.Bytes)
 var intermediatePEM, _ = pem.Decode([]byte(gtsIntermediate))
 var intermediateCert, _ = x509.ParseCertificate(intermediatePEM.Bytes)
 var leafPEM, _ = pem.Decode([]byte(googleLeaf))
 var leafCert, _ = x509.ParseCertificate(leafPEM.Bytes)
 var leafWithInvalidHashPEM, _ = pem.Decode([]byte(googleLeafWithInvalidHash))
 var leafWithInvalidHashCert, _ = x509.ParseCertificate(leafWithInvalidHashPEM.Bytes)
 var smimeRootPEM, _ = pem.Decode([]byte(smimeRoot))
 var smimeRootCert, _ = x509.ParseCertificate(smimeRootPEM.Bytes)
 var smimeIntermediatePEM, _ = pem.Decode([]byte(smimeIntermediate))
 var smimeIntermediateCert, _ = x509.ParseCertificate(smimeIntermediatePEM.Bytes)
 var smimeLeafPEM, _ = pem.Decode([]byte(smimeLeaf))
 var smimeLeafCert, _ = x509.ParseCertificate(smimeLeafPEM.Bytes)
 var certTime = func() time.Time { return time.Unix(1677615892, 0) }
 const leafServerName = "www.google.com"
 const wrongLeafServerName = "www.google.com.cn"
 const gtsIntermediate = `-----BEGIN CERTIFICATE-----
 MIIFljCCA36gAwIBAgINAgO8U1lrNMcY9QFQZjANBgkqhkiG9w0BAQsFADBHMQsw
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@@ -12,6 +12,7 @@ import (
 	"syscall"
 	"time"
 	"github.com/metacubex/mihomo/common/atomic"
 	"github.com/metacubex/mihomo/component/keepalive"
 	"github.com/metacubex/mihomo/component/mptcp"
 	"github.com/metacubex/mihomo/component/resolver"
@@ -20,18 +21,22 @@ import (
 const (
 	DefaultTCPTimeout = 5 * time.Second
 	DefaultUDPTimeout = DefaultTCPTimeout
 )
-type dialFunc func(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error)
+	dualStackFallbackTimeout = 300 * time.Millisecond
 )
 var (
-	dialMux                      sync.Mutex
+	tcpConcurrent = atomic.NewBool(false)
 	actualSingleStackDialContext = serialSingleStackDialContext
 	actualDualStackDialContext   = serialDualStackDialContext
 	tcpConcurrent                = false
 	fallbackTimeout              = 300 * time.Millisecond
 )
 func SetTcpConcurrent(concurrent bool) {
 	tcpConcurrent.Store(concurrent)
 }
 func GetTcpConcurrent() bool {
 	return tcpConcurrent.Load()
 }
 func DialContext(ctx context.Context, network, address string, options ...Option) (net.Conn, error) {
 	opt := applyOptions(options...)
@@ -50,11 +55,22 @@ func DialContext(ctx context.Context, network, address string, options ...Option
 		return nil, err
 	}
 	tcpConcurrent := GetTcpConcurrent()
 	switch network {
 	case "tcp4", "tcp6", "udp4", "udp6":
-		return actualSingleStackDialContext(ctx, network, ips, port, opt)
+		if tcpConcurrent {
 			return parallelDialContext(ctx, network, ips, port, opt)
 		}
 		return serialDialContext(ctx, network, ips, port, opt)
 	case "tcp", "udp":
-		return actualDualStackDialContext(ctx, network, ips, port, opt)
+		if tcpConcurrent {
 			if opt.prefer != 4 && opt.prefer != 6 {
 				return parallelDialContext(ctx, network, ips, port, opt)
 			}
 			return dualStackDialContext(ctx, parallelDialContext, network, ips, port, opt)
 		}
 		return dualStackDialContext(ctx, serialDialContext, network, ips, port, opt)
 	default:
 		return nil, ErrorInvalidedNetworkStack
 	}
@@ -104,25 +120,6 @@ func ListenPacket(ctx context.Context, network, address string, rAddrPort netip.
 	return lc.ListenPacket(ctx, network, address)
 }
 func SetTcpConcurrent(concurrent bool) {
 	dialMux.Lock()
 	defer dialMux.Unlock()
 	tcpConcurrent = concurrent
 	if concurrent {
 		actualSingleStackDialContext = concurrentSingleStackDialContext
 		actualDualStackDialContext = concurrentDualStackDialContext
 	} else {
 		actualSingleStackDialContext = serialSingleStackDialContext
 		actualDualStackDialContext = serialDualStackDialContext
 	}
 }
 func GetTcpConcurrent() bool {
 	dialMux.Lock()
 	defer dialMux.Unlock()
 	return tcpConcurrent
 }
 func dialContext(ctx context.Context, network string, destination netip.Addr, port string, opt option) (net.Conn, error) {
 	var address string
 	destination, port = resolver.LookupIP4P(destination, port)
@@ -205,24 +202,7 @@ func ICMPControl(destination netip.Addr) func(network, address string, conn sysc
 	}
 }
-func serialSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
+type dialFunc func(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error)
 	return serialDialContext(ctx, network, ips, port, opt)
 }
 func serialDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	return dualStackDialContext(ctx, serialDialContext, network, ips, port, opt)
 }
 func concurrentSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	return parallelDialContext(ctx, network, ips, port, opt)
 }
 func concurrentDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	if opt.prefer != 4 && opt.prefer != 6 {
 		return parallelDialContext(ctx, network, ips, port, opt)
 	}
 	return dualStackDialContext(ctx, parallelDialContext, network, ips, port, opt)
 }
 func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	ipv4s, ipv6s := resolver.SortationAddr(ips)
@@ -231,7 +211,7 @@ func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string,
 	}
 	preferIPVersion := opt.prefer
-	fallbackTicker := time.NewTicker(fallbackTimeout)
+	fallbackTicker := time.NewTicker(dualStackFallbackTimeout)
 	defer fallbackTicker.Stop()
 	results := make(chan dialResult)
--- a/component/generator/cmd.go
+++ b/component/generator/cmd.go
@@ -58,6 +58,11 @@ func Main(args []string) {
 		fmt.Println("Seed: " + seedBase64)
 		fmt.Println("Client: " + clientBase64)
 		fmt.Println("Hash32: " + hash32Base64)
 		fmt.Println("-----------------------")
 		fmt.Println("      Lazy-Config      ")
 		fmt.Println("-----------------------")
 		fmt.Printf("[Server] decryption: \"mlkem768x25519plus.native.600s.%s\"\n", seedBase64)
 		fmt.Printf("[Client] encryption: \"mlkem768x25519plus.native.0rtt.%s\"\n", clientBase64)
 	case "vless-x25519":
 		var privateKey string
 		if len(args) > 1 {
@@ -70,6 +75,11 @@ func Main(args []string) {
 		fmt.Println("PrivateKey: " + privateKeyBase64)
 		fmt.Println("Password: " + passwordBase64)
 		fmt.Println("Hash32: " + hash32Base64)
 		fmt.Println("-----------------------")
 		fmt.Println("      Lazy-Config      ")
 		fmt.Println("-----------------------")
 		fmt.Printf("[Server] decryption: \"mlkem768x25519plus.native.600s.%s\"\n", privateKeyBase64)
 		fmt.Printf("[Client] encryption: \"mlkem768x25519plus.native.0rtt.%s\"\n", passwordBase64)
 	case "sudoku-keypair":
 		privateKey, publicKey, err := sudoku.GenKeyPair()
 		if err != nil {
--- a/component/http/http.go
+++ b/component/http/http.go
@@ -50,7 +50,7 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st
 		}
 	}
-	if _, ok := header["User-Agent"]; !ok {
+	if req.Header.Get("User-Agent") == "" {
 		req.Header.Set("User-Agent", UA())
 	}
--- a/component/resolver/host.go
+++ b/component/resolver/host.go
@@ -8,7 +8,6 @@ import (
 	"strings"
 	_ "unsafe"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/resolver/hosts"
 	"github.com/metacubex/mihomo/component/trie"
 	"github.com/metacubex/randv2"
@@ -66,37 +65,35 @@ type HostValue struct {
 	Domain   string
 }
-func NewHostValue(value any) (HostValue, error) {
+func NewHostValue(value []string) (HostValue, error) {
 	isDomain := true
-	ips := make([]netip.Addr, 0)
+	ips := make([]netip.Addr, 0, len(value))
 	domain := ""
-	if valueArr, err := utils.ToStringSlice(value); err != nil {
+	switch len(value) {
-		return HostValue{}, err
+	case 0:
-	} else {
+		return HostValue{}, errors.New("value is empty")
-		if len(valueArr) > 1 {
+	case 1:
 		host := value[0]
 		if ip, err := netip.ParseAddr(host); err == nil {
 			ips = append(ips, ip.Unmap())
 			isDomain = false
-			for _, str := range valueArr {
+		} else {
-				if ip, err := netip.ParseAddr(str); err == nil {
+			domain = host
-					ips = append(ips, ip.Unmap())
+		}
-				} else {
+	default: // > 1
-					return HostValue{}, err
+		isDomain = false
-				}
+		for _, str := range value {
-			}
+			if ip, err := netip.ParseAddr(str); err == nil {
 		} else if len(valueArr) == 1 {
 			host := valueArr[0]
 			if ip, err := netip.ParseAddr(host); err == nil {
 				ips = append(ips, ip.Unmap())
 				isDomain = false
 			} else {
-				domain = host
+				return HostValue{}, err
 			}
 		}
 	}
 	if isDomain {
 		return NewHostValueByDomain(domain)
 	} else {
 		return NewHostValueByIPs(ips)
 	}
 	return NewHostValueByIPs(ips)
 }
 func NewHostValueByIPs(ips []netip.Addr) (HostValue, error) {
--- a/component/tls/utls.go
+++ b/component/tls/utls.go
@@ -127,10 +127,47 @@ func UCertificate(it tls.Certificate) utls.Certificate {
 type EncryptedClientHelloKey = utls.EncryptedClientHelloKey
 func UEncryptedClientHelloKey(it tls.EncryptedClientHelloKey) utls.EncryptedClientHelloKey {
 	return utls.EncryptedClientHelloKey{
 		Config:      it.Config,
 		PrivateKey:  it.PrivateKey,
 		SendAsRetry: it.SendAsRetry,
 	}
 }
 type ConnectionState = utls.ConnectionState
 type Config = utls.Config
 var tlsCertificateRequestInfoCtxOffset = utils.MustOK(reflect.TypeOf((*tls.CertificateRequestInfo)(nil)).Elem().FieldByName("ctx")).Offset
 var tlsClientHelloInfoCtxOffset = utils.MustOK(reflect.TypeOf((*tls.ClientHelloInfo)(nil)).Elem().FieldByName("ctx")).Offset
 var tlsConnectionStateEkmOffset = utils.MustOK(reflect.TypeOf((*tls.ConnectionState)(nil)).Elem().FieldByName("ekm")).Offset
 var utlsConnectionStateEkmOffset = utils.MustOK(reflect.TypeOf((*utls.ConnectionState)(nil)).Elem().FieldByName("ekm")).Offset
 func tlsConnectionState(state utls.ConnectionState) (tlsState tls.ConnectionState) {
 	tlsState = tls.ConnectionState{
 		Version:           state.Version,
 		HandshakeComplete: state.HandshakeComplete,
 		DidResume:         state.DidResume,
 		CipherSuite:       state.CipherSuite,
 		//CurveID:                     state.CurveID,
 		NegotiatedProtocol:          state.NegotiatedProtocol,
 		NegotiatedProtocolIsMutual:  state.NegotiatedProtocolIsMutual,
 		ServerName:                  state.ServerName,
 		PeerCertificates:            state.PeerCertificates,
 		VerifiedChains:              state.VerifiedChains,
 		SignedCertificateTimestamps: state.SignedCertificateTimestamps,
 		OCSPResponse:                state.OCSPResponse,
 		TLSUnique:                   state.TLSUnique,
 		ECHAccepted:                 state.ECHAccepted,
 		//HelloRetryRequest:           state.HelloRetryRequest,
 	}
 	// The layout of map, chan, and func types is equivalent to *T.
 	// state.ekm is a func(label string, context []byte, length int) ([]byte, error)
 	*(*unsafe.Pointer)(unsafe.Add(unsafe.Pointer(&tlsState), tlsConnectionStateEkmOffset)) =
 		*(*unsafe.Pointer)(unsafe.Add(unsafe.Pointer(&state), utlsConnectionStateEkmOffset))
 	return
 }
 func UConfig(config *tls.Config) *utls.Config {
 	cfg := &utls.Config{
@@ -152,6 +189,7 @@ func UConfig(config *tls.Config) *utls.Config {
 		}),
 		SessionTicketsDisabled: config.SessionTicketsDisabled,
 		Renegotiation:          utls.RenegotiationSupport(config.Renegotiation),
 		KeyLogWriter:           config.KeyLogWriter,
 	}
 	if config.GetClientCertificate != nil {
 		cfg.GetClientCertificate = func(info *utls.CertificateRequestInfo) (*utls.Certificate, error) {
@@ -198,6 +236,19 @@ func UConfig(config *tls.Config) *utls.Config {
 			return &uCert, err
 		}
 	}
 	if config.VerifyConnection != nil {
 		cfg.VerifyConnection = func(state utls.ConnectionState) error {
 			return config.VerifyConnection(tlsConnectionState(state))
 		}
 	}
 	config.EncryptedClientHelloConfigList = cfg.EncryptedClientHelloConfigList
 	if config.EncryptedClientHelloRejectionVerify != nil {
 		cfg.EncryptedClientHelloRejectionVerify = func(state utls.ConnectionState) error {
 			return config.EncryptedClientHelloRejectionVerify(tlsConnectionState(state))
 		}
 	}
 	//cfg.GetEncryptedClientHelloKeys =
 	cfg.EncryptedClientHelloKeys = utils.Map(config.EncryptedClientHelloKeys, UEncryptedClientHelloKey)
 	return cfg
 }
--- a/config/config.go
+++ b/config/config.go
@@ -15,7 +15,9 @@ import (
 	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/adapter/outboundgroup"
 	"github.com/metacubex/mihomo/adapter/provider"
 	"github.com/metacubex/mihomo/common/orderedmap"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/common/yaml"
 	"github.com/metacubex/mihomo/component/auth"
 	"github.com/metacubex/mihomo/component/cidr"
 	"github.com/metacubex/mihomo/component/fakeip"
@@ -34,11 +36,10 @@ import (
 	R "github.com/metacubex/mihomo/rules"
 	RC "github.com/metacubex/mihomo/rules/common"
 	RP "github.com/metacubex/mihomo/rules/provider"
 	RW "github.com/metacubex/mihomo/rules/wrapper"
 	T "github.com/metacubex/mihomo/tunnel"
 	orderedmap "github.com/wk8/go-ordered-map/v2"
 	"golang.org/x/exp/slices"
 	"gopkg.in/yaml.v3"
 )
 // General config
@@ -165,6 +166,7 @@ type DNS struct {
 	FakeIPTTL             int
 	NameServerPolicy      []dns.Policy
 	ProxyServerNameserver []dns.NameServer
 	ProxyServerPolicy     []dns.Policy
 	DirectNameServer      []dns.NameServer
 	DirectFollowPolicy    bool
 }
@@ -235,6 +237,7 @@ type RawDNS struct {
 	CacheMaxSize                 int                                 `yaml:"cache-max-size" json:"cache-max-size"`
 	NameServerPolicy             *orderedmap.OrderedMap[string, any] `yaml:"nameserver-policy" json:"nameserver-policy"`
 	ProxyServerNameserver        []string                            `yaml:"proxy-server-nameserver" json:"proxy-server-nameserver"`
 	ProxyServerNameserverPolicy  *orderedmap.OrderedMap[string, any] `yaml:"proxy-server-nameserver-policy" json:"proxy-server-nameserver-policy"`
 	DirectNameServer             []string                            `yaml:"direct-nameserver" json:"direct-nameserver"`
 	DirectNameServerFollowPolicy bool                                `yaml:"direct-nameserver-follow-policy" json:"direct-nameserver-follow-policy"`
 }
@@ -273,35 +276,36 @@ type RawTun struct {
 	GSO        bool   `yaml:"gso" json:"gso,omitempty"`
 	GSOMaxSize uint32 `yaml:"gso-max-size" json:"gso-max-size,omitempty"`
 	//Inet4Address           []netip.Prefix `yaml:"inet4-address" json:"inet4-address,omitempty"`
-	Inet6Address           []netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"`
+	Inet6Address                          []netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"`
-	IPRoute2TableIndex     int            `yaml:"iproute2-table-index" json:"iproute2-table-index,omitempty"`
+	IPRoute2TableIndex                    int            `yaml:"iproute2-table-index" json:"iproute2-table-index,omitempty"`
-	IPRoute2RuleIndex      int            `yaml:"iproute2-rule-index" json:"iproute2-rule-index,omitempty"`
+	IPRoute2RuleIndex                     int            `yaml:"iproute2-rule-index" json:"iproute2-rule-index,omitempty"`
-	AutoRedirect           bool           `yaml:"auto-redirect" json:"auto-redirect,omitempty"`
+	AutoRedirect                          bool           `yaml:"auto-redirect" json:"auto-redirect,omitempty"`
-	AutoRedirectInputMark  uint32         `yaml:"auto-redirect-input-mark" json:"auto-redirect-input-mark,omitempty"`
+	AutoRedirectInputMark                 uint32         `yaml:"auto-redirect-input-mark" json:"auto-redirect-input-mark,omitempty"`
-	AutoRedirectOutputMark uint32         `yaml:"auto-redirect-output-mark" json:"auto-redirect-output-mark,omitempty"`
+	AutoRedirectOutputMark                uint32         `yaml:"auto-redirect-output-mark" json:"auto-redirect-output-mark,omitempty"`
-	LoopbackAddress        []netip.Addr   `yaml:"loopback-address" json:"loopback-address,omitempty"`
+	AutoRedirectIPRoute2FallbackRuleIndex int            `yaml:"auto-redirect-iproute2-fallback-rule-index" json:"auto-redirect-iproute2-fallback-rule-index,omitempty"`
-	StrictRoute            bool           `yaml:"strict-route" json:"strict-route,omitempty"`
+	LoopbackAddress                       []netip.Addr   `yaml:"loopback-address" json:"loopback-address,omitempty"`
-	RouteAddress           []netip.Prefix `yaml:"route-address" json:"route-address,omitempty"`
+	StrictRoute                           bool           `yaml:"strict-route" json:"strict-route,omitempty"`
-	RouteAddressSet        []string       `yaml:"route-address-set" json:"route-address-set,omitempty"`
+	RouteAddress                          []netip.Prefix `yaml:"route-address" json:"route-address,omitempty"`
-	RouteExcludeAddress    []netip.Prefix `yaml:"route-exclude-address" json:"route-exclude-address,omitempty"`
+	RouteAddressSet                       []string       `yaml:"route-address-set" json:"route-address-set,omitempty"`
-	RouteExcludeAddressSet []string       `yaml:"route-exclude-address-set" json:"route-exclude-address-set,omitempty"`
+	RouteExcludeAddress                   []netip.Prefix `yaml:"route-exclude-address" json:"route-exclude-address,omitempty"`
-	IncludeInterface       []string       `yaml:"include-interface" json:"include-interface,omitempty"`
+	RouteExcludeAddressSet                []string       `yaml:"route-exclude-address-set" json:"route-exclude-address-set,omitempty"`
-	ExcludeInterface       []string       `yaml:"exclude-interface" json:"exclude-interface,omitempty"`
+	IncludeInterface                      []string       `yaml:"include-interface" json:"include-interface,omitempty"`
-	IncludeUID             []uint32       `yaml:"include-uid" json:"include-uid,omitempty"`
+	ExcludeInterface                      []string       `yaml:"exclude-interface" json:"exclude-interface,omitempty"`
-	IncludeUIDRange        []string       `yaml:"include-uid-range" json:"include-uid-range,omitempty"`
+	IncludeUID                            []uint32       `yaml:"include-uid" json:"include-uid,omitempty"`
-	ExcludeUID             []uint32       `yaml:"exclude-uid" json:"exclude-uid,omitempty"`
+	IncludeUIDRange                       []string       `yaml:"include-uid-range" json:"include-uid-range,omitempty"`
-	ExcludeUIDRange        []string       `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"`
+	ExcludeUID                            []uint32       `yaml:"exclude-uid" json:"exclude-uid,omitempty"`
-	ExcludeSrcPort         []uint16       `yaml:"exclude-src-port" json:"exclude-src-port,omitempty"`
+	ExcludeUIDRange                       []string       `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"`
-	ExcludeSrcPortRange    []string       `yaml:"exclude-src-port-range" json:"exclude-src-port-range,omitempty"`
+	ExcludeSrcPort                        []uint16       `yaml:"exclude-src-port" json:"exclude-src-port,omitempty"`
-	ExcludeDstPort         []uint16       `yaml:"exclude-dst-port" json:"exclude-dst-port,omitempty"`
+	ExcludeSrcPortRange                   []string       `yaml:"exclude-src-port-range" json:"exclude-src-port-range,omitempty"`
-	ExcludeDstPortRange    []string       `yaml:"exclude-dst-port-range" json:"exclude-dst-port-range,omitempty"`
+	ExcludeDstPort                        []uint16       `yaml:"exclude-dst-port" json:"exclude-dst-port,omitempty"`
-	IncludeAndroidUser     []int          `yaml:"include-android-user" json:"include-android-user,omitempty"`
+	ExcludeDstPortRange                   []string       `yaml:"exclude-dst-port-range" json:"exclude-dst-port-range,omitempty"`
-	IncludePackage         []string       `yaml:"include-package" json:"include-package,omitempty"`
+	IncludeAndroidUser                    []int          `yaml:"include-android-user" json:"include-android-user,omitempty"`
-	ExcludePackage         []string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
+	IncludePackage                        []string       `yaml:"include-package" json:"include-package,omitempty"`
-	EndpointIndependentNat bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
+	ExcludePackage                        []string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
-	UDPTimeout             int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
+	EndpointIndependentNat                bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
-	DisableICMPForwarding  bool           `yaml:"disable-icmp-forwarding" json:"disable-icmp-forwarding,omitempty"`
+	UDPTimeout                            int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
-	FileDescriptor         int            `yaml:"file-descriptor" json:"file-descriptor"`
+	DisableICMPForwarding                 bool           `yaml:"disable-icmp-forwarding" json:"disable-icmp-forwarding,omitempty"`
 	FileDescriptor                        int            `yaml:"file-descriptor" json:"file-descriptor"`
 	Inet4RouteAddress        []netip.Prefix `yaml:"inet4-route-address" json:"inet4-route-address,omitempty"`
 	Inet6RouteAddress        []netip.Prefix `yaml:"inet6-route-address" json:"inet6-route-address,omitempty"`
@@ -954,6 +958,12 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 		)
 		proxies["GLOBAL"] = adapter.NewProxy(global)
 	}
 	// validate dialer-proxy references
 	if err := validateDialerProxies(proxies); err != nil {
 		return nil, nil, err
 	}
 	return proxies, providersMap, nil
 }
@@ -1083,6 +1093,10 @@ func parseRules(rulesConfig []string, proxies map[string]C.Proxy, ruleProviders
 			}
 		}
 		if format == "rules" { // only wrap top level rules
 			parsed = RW.NewRuleWrapper(parsed)
 		}
 		rules = append(rules, parsed)
 	}
@@ -1101,22 +1115,23 @@ func parseHosts(cfg *RawConfig) (*trie.DomainTrie[resolver.HostValue], error) {
 	if len(cfg.Hosts) != 0 {
 		for domain, anyValue := range cfg.Hosts {
-			if str, ok := anyValue.(string); ok && str == "lan" {
+			hosts, err := utils.ToStringSlice(anyValue)
 			if err != nil {
 				return nil, err
 			}
 			if len(hosts) == 1 && hosts[0] == "lan" {
 				if addrs, err := net.InterfaceAddrs(); err != nil {
 					log.Errorln("insert lan to host error: %s", err)
 				} else {
-					ips := make([]netip.Addr, 0)
+					hosts = make([]string, 0, len(addrs))
 					for _, addr := range addrs {
 						if ipnet, ok := addr.(*net.IPNet); ok && !ipnet.IP.IsLoopback() && !ipnet.IP.IsLinkLocalUnicast() {
-							if ip, err := netip.ParseAddr(ipnet.IP.String()); err == nil {
+							hosts = append(hosts, ipnet.IP.String())
 								ips = append(ips, ip)
 							}
 						}
 					}
 					anyValue = ips
 				}
 			}
-			value, err := resolver.NewHostValue(anyValue)
+			value, err := resolver.NewHostValue(hosts)
 			if err != nil {
 				return nil, fmt.Errorf("%s is not a valid value", anyValue)
 			}
@@ -1184,7 +1199,7 @@ func parseNameServer(servers []string, respectRules bool, preferH3 bool) ([]dns.
 			dnsNetType = "tcp" // TCP
 		case "tls":
 			addr, err = hostWithDefaultPort(u.Host, "853")
-			dnsNetType = "tcp-tls" // DNS over TLS
+			dnsNetType = "tls" // DNS over TLS
 		case "http", "https":
 			addr, err = hostWithDefaultPort(u.Host, "443")
 			dnsNetType = "https" // DNS over HTTPS
@@ -1391,6 +1406,13 @@ func parseDNS(rawCfg *RawConfig, ruleProviders map[string]P.RuleProvider) (*DNS,
 		return nil, err
 	}
 	if dnsCfg.ProxyServerPolicy, err = parseNameServerPolicy(cfg.ProxyServerNameserverPolicy, ruleProviders, false, cfg.PreferH3); err != nil {
 		return nil, err
 	}
 	if len(dnsCfg.ProxyServerPolicy) != 0 && len(dnsCfg.ProxyServerNameserver) == 0 {
 		return nil, errors.New("disallow empty `proxy-server-nameserver` when `proxy-server-nameserver-policy` is set")
 	}
 	if dnsCfg.DirectNameServer, err = parseNameServer(cfg.DirectNameServer, false, cfg.PreferH3); err != nil {
 		return nil, err
 	}
@@ -1628,39 +1650,40 @@ func parseTun(rawTun RawTun, dns *DNS, general *General) error {
 		AutoRoute:           rawTun.AutoRoute,
 		AutoDetectInterface: rawTun.AutoDetectInterface,
-		MTU:                    rawTun.MTU,
+		MTU:                                   rawTun.MTU,
-		GSO:                    rawTun.GSO,
+		GSO:                                   rawTun.GSO,
-		GSOMaxSize:             rawTun.GSOMaxSize,
+		GSOMaxSize:                            rawTun.GSOMaxSize,
-		Inet4Address:           []netip.Prefix{tunAddressPrefix},
+		Inet4Address:                          []netip.Prefix{tunAddressPrefix},
-		Inet6Address:           rawTun.Inet6Address,
+		Inet6Address:                          rawTun.Inet6Address,
-		IPRoute2TableIndex:     rawTun.IPRoute2TableIndex,
+		IPRoute2TableIndex:                    rawTun.IPRoute2TableIndex,
-		IPRoute2RuleIndex:      rawTun.IPRoute2RuleIndex,
+		IPRoute2RuleIndex:                     rawTun.IPRoute2RuleIndex,
-		AutoRedirect:           rawTun.AutoRedirect,
+		AutoRedirect:                          rawTun.AutoRedirect,
-		AutoRedirectInputMark:  rawTun.AutoRedirectInputMark,
+		AutoRedirectInputMark:                 rawTun.AutoRedirectInputMark,
-		AutoRedirectOutputMark: rawTun.AutoRedirectOutputMark,
+		AutoRedirectOutputMark:                rawTun.AutoRedirectOutputMark,
-		LoopbackAddress:        rawTun.LoopbackAddress,
+		AutoRedirectIPRoute2FallbackRuleIndex: rawTun.AutoRedirectIPRoute2FallbackRuleIndex,
-		StrictRoute:            rawTun.StrictRoute,
+		LoopbackAddress:                       rawTun.LoopbackAddress,
-		RouteAddress:           rawTun.RouteAddress,
+		StrictRoute:                           rawTun.StrictRoute,
-		RouteAddressSet:        rawTun.RouteAddressSet,
+		RouteAddress:                          rawTun.RouteAddress,
-		RouteExcludeAddress:    rawTun.RouteExcludeAddress,
+		RouteAddressSet:                       rawTun.RouteAddressSet,
-		RouteExcludeAddressSet: rawTun.RouteExcludeAddressSet,
+		RouteExcludeAddress:                   rawTun.RouteExcludeAddress,
-		IncludeInterface:       rawTun.IncludeInterface,
+		RouteExcludeAddressSet:                rawTun.RouteExcludeAddressSet,
-		ExcludeInterface:       rawTun.ExcludeInterface,
+		IncludeInterface:                      rawTun.IncludeInterface,
-		IncludeUID:             rawTun.IncludeUID,
+		ExcludeInterface:                      rawTun.ExcludeInterface,
-		IncludeUIDRange:        rawTun.IncludeUIDRange,
+		IncludeUID:                            rawTun.IncludeUID,
-		ExcludeUID:             rawTun.ExcludeUID,
+		IncludeUIDRange:                       rawTun.IncludeUIDRange,
-		ExcludeUIDRange:        rawTun.ExcludeUIDRange,
+		ExcludeUID:                            rawTun.ExcludeUID,
-		ExcludeSrcPort:         rawTun.ExcludeSrcPort,
+		ExcludeUIDRange:                       rawTun.ExcludeUIDRange,
-		ExcludeSrcPortRange:    rawTun.ExcludeSrcPortRange,
+		ExcludeSrcPort:                        rawTun.ExcludeSrcPort,
-		ExcludeDstPort:         rawTun.ExcludeDstPort,
+		ExcludeSrcPortRange:                   rawTun.ExcludeSrcPortRange,
-		ExcludeDstPortRange:    rawTun.ExcludeDstPortRange,
+		ExcludeDstPort:                        rawTun.ExcludeDstPort,
-		IncludeAndroidUser:     rawTun.IncludeAndroidUser,
+		ExcludeDstPortRange:                   rawTun.ExcludeDstPortRange,
-		IncludePackage:         rawTun.IncludePackage,
+		IncludeAndroidUser:                    rawTun.IncludeAndroidUser,
-		ExcludePackage:         rawTun.ExcludePackage,
+		IncludePackage:                        rawTun.IncludePackage,
-		EndpointIndependentNat: rawTun.EndpointIndependentNat,
+		ExcludePackage:                        rawTun.ExcludePackage,
-		UDPTimeout:             rawTun.UDPTimeout,
+		EndpointIndependentNat:                rawTun.EndpointIndependentNat,
-		DisableICMPForwarding:  rawTun.DisableICMPForwarding,
+		UDPTimeout:                            rawTun.UDPTimeout,
-		FileDescriptor:         rawTun.FileDescriptor,
+		DisableICMPForwarding:                 rawTun.DisableICMPForwarding,
 		FileDescriptor:                        rawTun.FileDescriptor,
 		Inet4RouteAddress:        rawTun.Inet4RouteAddress,
 		Inet6RouteAddress:        rawTun.Inet6RouteAddress,
--- a/config/utils.go
+++ b/config/utils.go
@@ -9,6 +9,7 @@ import (
 	"github.com/metacubex/mihomo/adapter/outboundgroup"
 	"github.com/metacubex/mihomo/common/structure"
 	C "github.com/metacubex/mihomo/constant"
 )
 // Check if ProxyGroups form DAG(Directed Acyclic Graph), and sort all ProxyGroups by dependency order.
@@ -143,6 +144,64 @@ func proxyGroupsDagSort(groupsConfig []map[string]any) error {
 	return fmt.Errorf("loop is detected in ProxyGroup, please check following ProxyGroups: %v", loopElements)
 }
 // validateDialerProxies checks if all dialer-proxy references are valid
 func validateDialerProxies(proxies map[string]C.Proxy) error {
 	graph := make(map[string]string) // proxy name -> dialer-proxy name
 	// collect all proxies with dialer-proxy configured
 	for name, proxy := range proxies {
 		dialerProxy := proxy.ProxyInfo().DialerProxy
 		if dialerProxy != "" {
 			// validate each dialer-proxy reference
 			_, exist := proxies[dialerProxy]
 			if !exist {
 				return fmt.Errorf("proxy [%s] dialer-proxy [%s] not found", name, dialerProxy)
 			}
 			// build dependency graph
 			graph[name] = dialerProxy
 		}
 	}
 	// perform depth-first search to detect cycles for each proxy
 	for name := range graph {
 		visited := make(map[string]bool, len(graph))
 		path := make([]string, 0, len(graph))
 		if validateDialerProxiesHasCycle(name, graph, visited, path) {
 			return fmt.Errorf("proxy [%s] has circular dialer-proxy dependency", name)
 		}
 	}
 	return nil
 }
 // validateDialerProxiesHasCycle performs DFS to detect if there's a cycle starting from current proxy
 func validateDialerProxiesHasCycle(current string, graph map[string]string, visited map[string]bool, path []string) bool {
 	// check if current is already in path (cycle detected)
 	for _, p := range path {
 		if p == current {
 			return true
 		}
 	}
 	// already visited and no cycle
 	if visited[current] {
 		return false
 	}
 	visited[current] = true
 	path = append(path, current)
 	// check dialer-proxy of current proxy
 	if dialerProxy, exists := graph[current]; exists {
 		if validateDialerProxiesHasCycle(dialerProxy, graph, visited, path) {
 			return true
 		}
 	}
 	return false
 }
 func verifyIP6() bool {
 	if skip, _ := strconv.ParseBool(os.Getenv("SKIP_SYSTEM_IPV6_CHECK")); skip {
 		return true
--- a/config/utils_test.go
+++ b/config/utils_test.go
@@ -0,0 +1,79 @@
 package config
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestValidateDialerProxies(t *testing.T) {
 	testCases := []struct {
 		testName    string
 		proxy       []map[string]any
 		errContains string
 	}{
 		{
 			testName: "ValidReference",
 			proxy: []map[string]any{ // create proxy with valid dialer-proxy reference
 				{"name": "base-proxy", "type": "socks5", "server": "127.0.0.1", "port": 1080},
 				{"name": "proxy-with-dialer", "type": "socks5", "server": "127.0.0.1", "port": 1081, "dialer-proxy": "base-proxy"},
 			},
 			errContains: "",
 		},
 		{
 			testName: "NotFoundReference",
 			proxy: []map[string]any{ // create proxy with non-existent dialer-proxy reference
 				{"name": "proxy-with-dialer", "type": "socks5", "server": "127.0.0.1", "port": 1081, "dialer-proxy": "non-existent-proxy"},
 			},
 			errContains: "not found",
 		},
 		{
 			testName: "CircularDependency",
 			proxy: []map[string]any{
 				// create proxy A that references B
 				{"name": "proxy-a", "type": "socks5", "server": "127.0.0.1", "port": 1080, "dialer-proxy": "proxy-c"},
 				// create proxy B that references C
 				{"name": "proxy-b", "type": "socks5", "server": "127.0.0.1", "port": 1081, "dialer-proxy": "proxy-a"},
 				// create proxy C that references A (creates cycle)
 				{"name": "proxy-c", "type": "socks5", "server": "127.0.0.1", "port": 1082, "dialer-proxy": "proxy-a"},
 			},
 			errContains: "circular",
 		},
 		{
 			testName: "ComplexChain",
 			proxy: []map[string]any{ // create a valid chain: proxy-d -> proxy-c -> proxy-b -> proxy-a
 				{"name": "proxy-a", "type": "socks5", "server": "127.0.0.1", "port": 1080},
 				{"name": "proxy-b", "type": "socks5", "server": "127.0.0.1", "port": 1081, "dialer-proxy": "proxy-a"},
 				{"name": "proxy-c", "type": "socks5", "server": "127.0.0.1", "port": 1082, "dialer-proxy": "proxy-b"},
 				{"name": "proxy-d", "type": "socks5", "server": "127.0.0.1", "port": 1083, "dialer-proxy": "proxy-c"},
 			},
 			errContains: "",
 		},
 		{
 			testName: "EmptyDialerProxy",
 			proxy: []map[string]any{ // create proxy without dialer-proxy
 				{"name": "simple-proxy", "type": "socks5", "server": "127.0.0.1", "port": 1080},
 			},
 			errContains: "",
 		},
 		{
 			testName: "SelfReference",
 			proxy: []map[string]any{ // create proxy that references itself
 				{"name": "self-proxy", "type": "socks5", "server": "127.0.0.1", "port": 1080, "dialer-proxy": "self-proxy"},
 			},
 			errContains: "circular",
 		},
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.testName, func(t *testing.T) {
 			config := RawConfig{Proxy: testCase.proxy}
 			_, _, err := parseProxies(&config)
 			if testCase.errContains == "" {
 				assert.NoError(t, err, testCase.testName)
 			} else {
 				assert.ErrorContains(t, err, testCase.errContains, testCase.testName)
 			}
 		})
 	}
 }
--- a/constant/adapters.go
+++ b/constant/adapters.go
@@ -45,6 +45,8 @@ const (
 	Mieru
 	AnyTLS
 	Sudoku
 	Masque
 	TrustTunnel
 )
 const (
@@ -212,6 +214,10 @@ func (at AdapterType) String() string {
 		return "AnyTLS"
 	case Sudoku:
 		return "Sudoku"
 	case Masque:
 		return "Masque"
 	case TrustTunnel:
 		return "TrustTunnel"
 	case Relay:
 		return "Relay"
 	case Selector:
--- a/constant/metadata.go
+++ b/constant/metadata.go
@@ -40,6 +40,7 @@ const (
 	ANYTLS
 	MIERU
 	SUDOKU
 	TRUSTTUNNEL
 	INNER
 )
@@ -115,6 +116,8 @@ func (t Type) String() string {
 		return "Mieru"
 	case SUDOKU:
 		return "Sudoku"
 	case TRUSTTUNNEL:
 		return "TrustTunnel"
 	case INNER:
 		return "Inner"
 	default:
@@ -159,6 +162,8 @@ func ParseType(t string) (*Type, error) {
 		res = MIERU
 	case "SUDOKU":
 		res = SUDOKU
 	case "TRUSTTUNNEL":
 		res = TRUSTTUNNEL
 	case "INNER":
 		res = INNER
 	default:
--- a/constant/rule.go
+++ b/constant/rule.go
@@ -1,5 +1,7 @@
 package constant
 import "time"
 // Rule Type
 const (
 	Domain RuleType = iota
@@ -27,6 +29,8 @@ const (
 	ProcessPath
 	ProcessNameRegex
 	ProcessPathRegex
 	ProcessNameWildcard
 	ProcessPathWildcard
 	RuleSet
 	Network
 	Uid
@@ -89,6 +93,10 @@ func (rt RuleType) String() string {
 		return "ProcessNameRegex"
 	case ProcessPathRegex:
 		return "ProcessPathRegex"
 	case ProcessNameWildcard:
 		return "ProcessNameWildcard"
 	case ProcessPathWildcard:
 		return "ProcessPathWildcard"
 	case MATCH:
 		return "Match"
 	case RuleSet:
@@ -120,6 +128,27 @@ type Rule interface {
 	ProviderNames() []string
 }
 type RuleWrapper interface {
 	Rule
 	// SetDisabled to set enable/disable rule
 	SetDisabled(v bool)
 	// IsDisabled return rule is disabled or not
 	IsDisabled() bool
 	// HitCount for statistics
 	HitCount() uint64
 	// HitAt for statistics
 	HitAt() time.Time
 	// MissCount for statistics
 	MissCount() uint64
 	// MissAt for statistics
 	MissAt() time.Time
 	// Unwrap return Rule
 	Unwrap() Rule
 }
 type RuleMatchHelper struct {
 	ResolveIP   func()
 	FindProcess func()
--- a/dns/client.go
+++ b/dns/client.go
@@ -7,20 +7,17 @@ import (
 	"strings"
 	"time"
 	"github.com/metacubex/mihomo/component/ca"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 	"github.com/metacubex/tls"
 	D "github.com/miekg/dns"
 )
 type client struct {
-	port           string
+	port   string
-	host           string
+	host   string
-	dialer         *dnsDialer
+	dialer *dnsDialer
-	schema         string
+	schema string
 	skipCertVerify bool
 }
 var _ dnsClient = (*client)(nil)
@@ -43,23 +40,6 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 	}
 	defer conn.Close()
 	if c.schema == "tls" {
 		tlsConfig, err := ca.GetTLSConfig(ca.Option{
 			TLSConfig: &tls.Config{
 				ServerName:         c.host,
 				InsecureSkipVerify: c.skipCertVerify,
 			},
 		})
 		if err != nil {
 			return nil, err
 		}
 		tlsConn := tls.Client(conn, tlsConfig)
 		if err := tlsConn.HandshakeContext(ctx); err != nil {
 			return nil, err
 		}
 		conn = tlsConn
 	}
 	// miekg/dns ExchangeContext doesn't respond to context cancel.
 	// this is a workaround
 	type result struct {
@@ -117,12 +97,6 @@ func newClient(addr string, resolver *Resolver, netType string, params map[strin
 	}
 	if strings.HasPrefix(netType, "tcp") {
 		c.schema = "tcp"
 		if strings.HasSuffix(netType, "tls") {
 			c.schema = "tls"
 		}
 	}
 	if params["skip-cert-verify"] == "true" {
 		c.skipCertVerify = true
 	}
 	return c
 }
--- a/dns/doh.go
+++ b/dns/doh.go
@@ -725,14 +725,10 @@ func (doh *dnsOverHTTPS) tlsDial(ctx context.Context, network string, config *tl
 	// TLS handshake dialTimeout will be used as connection deadLine.
 	conn := tls.Client(rawConn, config)
-	err = conn.SetDeadline(time.Now().Add(dialTimeout))
+	ctx, cancel := context.WithTimeout(ctx, dialTimeout)
-	if err != nil {
+	defer cancel()
 		// Must not happen in normal circumstances.
 		log.Errorln("cannot set deadline: %v", err)
 		return nil, err
 	}
-	err = conn.Handshake()
+	err = conn.HandshakeContext(ctx)
 	if err != nil {
 		defer conn.Close()
 		return nil, err
--- a/dns/doq.go
+++ b/dns/doq.go
@@ -11,6 +11,7 @@ import (
 	"sync"
 	"time"
 	"github.com/metacubex/mihomo/common/pool"
 	"github.com/metacubex/mihomo/component/ca"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
@@ -55,11 +56,6 @@ type dnsOverQUIC struct {
 	conn   *quic.Conn
 	connMu sync.RWMutex
 	// bytesPool is a *sync.Pool we use to store byte buffers in.  These byte
 	// buffers are used to read responses from the upstream.
 	bytesPool      *sync.Pool
 	bytesPoolGuard sync.Mutex
 	addr           string
 	dialer         *dnsDialer
 	skipCertVerify bool
@@ -203,24 +199,6 @@ func (doq *dnsOverQUIC) shouldRetry(err error) (ok bool) {
 	return isQUICRetryError(err)
 }
 // getBytesPool returns (creates if needed) a pool we store byte buffers in.
 func (doq *dnsOverQUIC) getBytesPool() (pool *sync.Pool) {
 	doq.bytesPoolGuard.Lock()
 	defer doq.bytesPoolGuard.Unlock()
 	if doq.bytesPool == nil {
 		doq.bytesPool = &sync.Pool{
 			New: func() interface{} {
 				b := make([]byte, MaxMsgSize)
 				return &b
 			},
 		}
 	}
 	return doq.bytesPool
 }
 // getConnection opens or returns an existing *quic.Conn. useCached
 // argument controls whether we should try to use the existing cached
 // connection.  If it is false, we will forcibly create a new connection and
@@ -386,12 +364,9 @@ func (doq *dnsOverQUIC) closeConnWithError(err error) {
 // readMsg reads the incoming DNS message from the QUIC stream.
 func (doq *dnsOverQUIC) readMsg(stream *quic.Stream) (m *D.Msg, err error) {
-	pool := doq.getBytesPool()
+	respBuf := pool.Get(MaxMsgSize)
-	bufPtr := pool.Get().(*[]byte)
+	defer pool.Put(respBuf)
 	defer pool.Put(bufPtr)
 	respBuf := *bufPtr
 	n, err := stream.Read(respBuf)
 	if err != nil && n == 0 {
 		return nil, fmt.Errorf("reading response from %s: %w", doq.Address(), err)
--- a/dns/dot.go
+++ b/dns/dot.go
@@ -0,0 +1,176 @@
 package dns
 import (
 	"context"
 	"fmt"
 	"net"
 	"runtime"
 	"sync"
 	"time"
 	"github.com/metacubex/mihomo/common/deque"
 	"github.com/metacubex/mihomo/component/ca"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/tls"
 	D "github.com/miekg/dns"
 )
 const maxOldDotConns = 8
 type dnsOverTLS struct {
 	port           string
 	host           string
 	dialer         *dnsDialer
 	skipCertVerify bool
 	disableReuse   bool
 	access      sync.Mutex
 	connections deque.Deque[net.Conn] // LIFO
 }
 var _ dnsClient = (*dnsOverTLS)(nil)
 // Address implements dnsClient
 func (t *dnsOverTLS) Address() string {
 	return fmt.Sprintf("tls://%s", net.JoinHostPort(t.host, t.port))
 }
 func (t *dnsOverTLS) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error) {
 	// miekg/dns ExchangeContext doesn't respond to context cancel.
 	// this is a workaround
 	type result struct {
 		msg *D.Msg
 		err error
 	}
 	ch := make(chan result, 1)
 	go func() {
 		var msg *D.Msg
 		var err error
 		defer func() { ch <- result{msg, err} }()
 		for { // retry loop; only retry when reusing old conn
 			err = ctx.Err() // check context first
 			if err != nil {
 				return
 			}
 			var conn net.Conn
 			isOldConn := true
 			if !t.disableReuse {
 				t.access.Lock()
 				if t.connections.Len() > 0 {
 					conn = t.connections.PopBack()
 				}
 				t.access.Unlock()
 			}
 			if conn == nil {
 				conn, err = t.dialContext(ctx)
 				if err != nil {
 					return
 				}
 				isOldConn = false
 			}
 			dClient := &D.Client{
 				UDPSize: 4096,
 				Timeout: 5 * time.Second,
 			}
 			dConn := &D.Conn{
 				Conn:    conn,
 				UDPSize: dClient.UDPSize,
 			}
 			msg, _, err = dClient.ExchangeWithConn(m, dConn)
 			if err != nil {
 				_ = conn.Close()
 				conn = nil
 				if isOldConn { // retry
 					continue
 				}
 				return
 			}
 			if !t.disableReuse {
 				t.access.Lock()
 				if t.connections.Len() >= maxOldDotConns {
 					oldConn := t.connections.PopFront()
 					go oldConn.Close() // close in a new goroutine, not blocking the current task
 				}
 				t.connections.PushBack(conn)
 				t.access.Unlock()
 			} else {
 				_ = conn.Close()
 			}
 			return
 		}
 	}()
 	select {
 	case <-ctx.Done():
 		return nil, ctx.Err()
 	case ret := <-ch:
 		return ret.msg, ret.err
 	}
 }
 func (t *dnsOverTLS) dialContext(ctx context.Context) (net.Conn, error) {
 	conn, err := t.dialer.DialContext(ctx, "tcp", net.JoinHostPort(t.host, t.port))
 	if err != nil {
 		return nil, err
 	}
 	tlsConfig, err := ca.GetTLSConfig(ca.Option{
 		TLSConfig: &tls.Config{
 			ServerName:         t.host,
 			InsecureSkipVerify: t.skipCertVerify,
 		},
 	})
 	if err != nil {
 		return nil, err
 	}
 	tlsConn := tls.Client(conn, tlsConfig)
 	if err = tlsConn.HandshakeContext(ctx); err != nil {
 		return nil, err
 	}
 	conn = tlsConn
 	return conn, nil
 }
 func (t *dnsOverTLS) ResetConnection() {
 	if !t.disableReuse {
 		t.access.Lock()
 		for t.connections.Len() > 0 {
 			oldConn := t.connections.PopFront()
 			go oldConn.Close() // close in a new goroutine, not blocking the current task
 		}
 		t.access.Unlock()
 	}
 }
 func (t *dnsOverTLS) Close() error {
 	runtime.SetFinalizer(t, nil)
 	t.ResetConnection()
 	return nil
 }
 func newDoTClient(addr string, resolver *Resolver, params map[string]string, proxyAdapter C.ProxyAdapter, proxyName string) *dnsOverTLS {
 	host, port, _ := net.SplitHostPort(addr)
 	c := &dnsOverTLS{
 		port:   port,
 		host:   host,
 		dialer: newDNSDialer(resolver, proxyAdapter, proxyName),
 	}
 	c.connections.SetBaseCap(maxOldDotConns)
 	if params["skip-cert-verify"] == "true" {
 		c.skipCertVerify = true
 	}
 	if params["disable-reuse"] == "true" {
 		c.disableReuse = true
 	}
 	runtime.SetFinalizer(c, (*dnsOverTLS).Close)
 	return c
 }
--- a/dns/resolver.go
+++ b/dns/resolver.go
@@ -451,6 +451,7 @@ type Config struct {
 	FallbackIPFilter     []C.IpMatcher
 	FallbackDomainFilter []C.DomainMatcher
 	Policy               []Policy
 	ProxyServerPolicy    []Policy
 	CacheAlgorithm       string
 	CacheMaxSize         int
 }
@@ -519,55 +520,20 @@ func NewResolver(config Config) (rs Resolvers) {
 		return
 	}
-	r := &Resolver{
+	makePolicy := func(policies []Policy) (dnsPolicies []dnsPolicy) {
 		ipv6:        config.IPv6,
 		main:        cacheTransform(config.Main),
 		cache:       config.newCache(),
 		ipv6Timeout: time.Duration(config.IPv6Timeout) * time.Millisecond,
 	}
 	r.defaultResolver = defaultResolver
 	rs.Resolver = r
 	if len(config.ProxyServer) != 0 {
 		rs.ProxyResolver = &Resolver{
 			ipv6:        config.IPv6,
 			main:        cacheTransform(config.ProxyServer),
 			cache:       config.newCache(),
 			ipv6Timeout: time.Duration(config.IPv6Timeout) * time.Millisecond,
 		}
 	}
 	if len(config.DirectServer) != 0 {
 		rs.DirectResolver = &Resolver{
 			ipv6:        config.IPv6,
 			main:        cacheTransform(config.DirectServer),
 			cache:       config.newCache(),
 			ipv6Timeout: time.Duration(config.IPv6Timeout) * time.Millisecond,
 		}
 	}
 	if len(config.Fallback) != 0 {
 		r.fallback = cacheTransform(config.Fallback)
 		r.fallbackIPFilters = config.FallbackIPFilter
 		r.fallbackDomainFilters = config.FallbackDomainFilter
 	}
 	if len(config.Policy) != 0 {
 		r.policy = make([]dnsPolicy, 0)
 		var triePolicy *trie.DomainTrie[[]dnsClient]
 		insertPolicy := func(policy dnsPolicy) {
 			if triePolicy != nil {
 				triePolicy.Optimize()
-				r.policy = append(r.policy, domainTriePolicy{triePolicy})
+				dnsPolicies = append(dnsPolicies, domainTriePolicy{triePolicy})
 				triePolicy = nil
 			}
 			if policy != nil {
-				r.policy = append(r.policy, policy)
+				dnsPolicies = append(dnsPolicies, policy)
 			}
 		}
-		for _, policy := range config.Policy {
+		for _, policy := range policies {
 			if policy.Matcher != nil {
 				insertPolicy(domainMatcherPolicy{matcher: policy.Matcher, dnsClients: cacheTransform(policy.NameServers)})
 			} else {
@@ -578,12 +544,47 @@ func NewResolver(config Config) (rs Resolvers) {
 			}
 		}
 		insertPolicy(nil)
 		return
 	}
-		if rs.DirectResolver != nil && config.DirectFollowPolicy {
+	r := &Resolver{
 		ipv6:        config.IPv6,
 		main:        cacheTransform(config.Main),
 		cache:       config.newCache(),
 		ipv6Timeout: time.Duration(config.IPv6Timeout) * time.Millisecond,
 		policy:      makePolicy(config.Policy),
 	}
 	r.defaultResolver = defaultResolver
 	rs.Resolver = r
 	if len(config.ProxyServer) != 0 {
 		rs.ProxyResolver = &Resolver{
 			ipv6:        config.IPv6,
 			main:        cacheTransform(config.ProxyServer),
 			cache:       config.newCache(),
 			ipv6Timeout: time.Duration(config.IPv6Timeout) * time.Millisecond,
 			policy:      makePolicy(config.ProxyServerPolicy),
 		}
 	}
 	if len(config.DirectServer) != 0 {
 		rs.DirectResolver = &Resolver{
 			ipv6:        config.IPv6,
 			main:        cacheTransform(config.DirectServer),
 			cache:       config.newCache(),
 			ipv6Timeout: time.Duration(config.IPv6Timeout) * time.Millisecond,
 		}
 		if config.DirectFollowPolicy {
 			rs.DirectResolver.policy = r.policy
 		}
 	}
 	if len(config.Fallback) != 0 {
 		r.fallback = cacheTransform(config.Fallback)
 		r.fallbackIPFilters = config.FallbackIPFilter
 		r.fallbackDomainFilters = config.FallbackDomainFilter
 	}
 	return
 }
--- a/dns/util.go
+++ b/dns/util.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
 	"strconv"
 	"strings"
 	"time"
@@ -15,6 +16,7 @@ import (
 	D "github.com/miekg/dns"
 	"github.com/samber/lo"
 	"golang.org/x/exp/slices"
 )
 const (
@@ -93,6 +95,8 @@ func transform(servers []NameServer, resolver *Resolver) []dnsClient {
 	for _, s := range servers {
 		var c dnsClient
 		switch s.Net {
 		case "tls":
 			c = newDoTClient(s.Addr, resolver, s.Params, s.ProxyAdapter, s.ProxyName)
 		case "https":
 			c = newDoHClient(s.Addr, resolver, s.PreferH3, s.Params, s.ProxyAdapter, s.ProxyName)
 		case "dhcp":
@@ -108,37 +112,75 @@ func transform(servers []NameServer, resolver *Resolver) []dnsClient {
 		}
 		c = warpClientWithEdns0Subnet(c, s.Params)
-
+		c = warpClientWithDisableTypes(c, s.Params)
 		if s.Params["disable-ipv4"] == "true" {
 			c = warpClientWithDisableType(c, D.TypeA)
 		}
 		if s.Params["disable-ipv6"] == "true" {
 			c = warpClientWithDisableType(c, D.TypeAAAA)
 		}
 		ret = append(ret, c)
 	}
 	return ret
 }
-type clientWithDisableType struct {
+type clientWithDisableTypes struct {
 	dnsClient
-	qType uint16
+	disableTypes map[uint16]struct{}
 }
-func (c clientWithDisableType) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) {
+func (c clientWithDisableTypes) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) {
-	if len(m.Question) > 0 {
+	// filter dns request
-		q := m.Question[0]
+	if slices.ContainsFunc(m.Question, c.inQuestion) {
-		if q.Qtype == c.qType {
+		// In fact, DNS requests are not allowed to contain multiple questions:
-			return handleMsgWithEmptyAnswer(m), nil
+		// https://stackoverflow.com/questions/4082081/requesting-a-and-aaaa-records-in-single-dns-query/4083071
 		// so, when we find a question containing the type, we can simply discard the entire dns request.
 		return handleMsgWithEmptyAnswer(m), nil
 	}
 	// do real exchange
 	msg, err = c.dnsClient.ExchangeContext(ctx, m)
 	if err != nil {
 		return
 	}
 	// filter dns response
 	msg.Answer = slices.DeleteFunc(msg.Answer, c.inRR)
 	msg.Ns = slices.DeleteFunc(msg.Ns, c.inRR)
 	msg.Extra = slices.DeleteFunc(msg.Extra, c.inRR)
 	return
 }
 func (c clientWithDisableTypes) inQuestion(q D.Question) bool {
 	_, ok := c.disableTypes[q.Qtype]
 	return ok
 }
 func (c clientWithDisableTypes) inRR(rr D.RR) bool {
 	_, ok := c.disableTypes[rr.Header().Rrtype]
 	return ok
 }
 func warpClientWithDisableTypes(c dnsClient, params map[string]string) dnsClient {
 	disableTypes := make(map[uint16]struct{})
 	if params["disable-ipv4"] == "true" {
 		disableTypes[D.TypeA] = struct{}{}
 	}
 	if params["disable-ipv6"] == "true" {
 		disableTypes[D.TypeAAAA] = struct{}{}
 	}
 	for key, value := range params {
 		const prefix = "disable-qtype-"
 		if strings.HasPrefix(key, prefix) && value == "true" { // eg: disable-qtype-65=true
 			qType, err := strconv.ParseUint(key[len(prefix):], 10, 16)
 			if err != nil {
 				continue
 			}
 			if _, ok := D.TypeToRR[uint16(qType)]; !ok { // check valid RR_Header.Rrtype and Question.qtype
 				continue
 			}
 			disableTypes[uint16(qType)] = struct{}{}
 		}
 	}
-	return c.dnsClient.ExchangeContext(ctx, m)
+	if len(disableTypes) > 0 {
-}
+		return clientWithDisableTypes{c, disableTypes}
-
+	}
-func warpClientWithDisableType(c dnsClient, qType uint16) dnsClient {
+	return c
 	return clientWithDisableType{c, qType}
 }
 type clientWithEdns0Subnet struct {
--- a/docs/config.yaml
+++ b/docs/config.yaml
@@ -97,11 +97,6 @@ external-doh-server: /dns-query
 # interface-name: en0 # 设置出口网卡
 # 全局 TLS 指纹，优先低于 proxy 内的 client-fingerprint
 # 可选： "chrome","firefox","safari","ios","random","none" options.
 # Utls is currently support TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan.
 global-client-fingerprint: chrome
 #  TCP keep alive interval
 # disable-keep-alive: false #目前在android端强制为true
 # keep-alive-idle: 15
@@ -323,8 +318,10 @@ dns:
  # 专用于节点域名解析的 DNS 服务器，非必要配置项，如果不填则遵循nameserver-policy、nameserver和fallback的配置
  # proxy-server-nameserver:
-  #   - https://dns.google/dns-query
+  #   - https://doh.pub/dns-query
-  #   - tls://one.one.one.one
+  #   - tls://223.5.5.5:853
  # proxy-server-nameserver-policy: # 格式同nameserver-policy，仅用于节点域名解析，当且仅当proxy-server-nameserver不为空时生效
  #   'www.yournode.com': '114.114.114.114'
  # 专用于direct出口域名解析的 DNS 服务器，非必要配置项，如果不填则遵循nameserver-policy、nameserver和fallback的配置
  # direct-nameserver:
@@ -464,6 +461,7 @@ proxies: # socks5
      #   enable: true # 必须手动开启
      #   # 如果config为空则通过dns解析，不为空则通过该值指定，格式为经过base64编码的ech参数（dig +short TYPE65 tls-ech.dev）
      #   config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
      #   # query-server-name: xxx.com # 可选项，不为空时用于指定通过dns解析时的域名
      # skip-cert-verify: true
      # host: bing.com
      # path: "/"
@@ -558,12 +556,13 @@ proxies: # socks5
    plugin: kcptun
    plugin-opts:
      key: it's a secrect # pre-shared secret between client and server
-      crypt: aes # aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, none, null
+      crypt: aes # aes, aes-128, aes-128-gcm, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, none, null
      mode: fast # profiles: fast3, fast2, fast, normal, manual
      conn: 1 # set num of UDP connections to server
      autoexpire: 0 # set auto expiration time(in seconds) for a single UDP connection, 0 to disable
      scavengettl: 600 # set how long an expired connection can live (in seconds)
      mtu: 1350 # set maximum transmission unit for UDP packets
      ratelimit: 0 # set maximum outgoing speed (in bytes per second) for a single KCP connection, 0 to disable. Also known as packet pacing
      sndwnd: 128 # set send window size(num of packets)
      rcvwnd: 512 # set receive window size(num of packets)
      datashard: 10 # set reed-solomon erasure coding - datashard
@@ -577,6 +576,7 @@ proxies: # socks5
      sockbuf: 4194304 # per-socket buffer in bytes
      smuxver: 1 # specify smux version, available 1,2
      smuxbuf: 4194304 # the overall de-mux buffer in bytes
      framesize: 8192 # smux max frame size
      streambuf: 2097152 # per stream receive buffer in bytes, smux v2+
      keepalive: 10 # seconds between heartbeats
@@ -603,6 +603,7 @@ proxies: # socks5
    #   enable: true # 必须手动开启
    #   # 如果config为空则通过dns解析，不为空则通过该值指定，格式为经过base64编码的ech参数（dig +short TYPE65 tls-ech.dev）
    #   config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
    #   # query-server-name: xxx.com # 可选项，不为空时用于指定通过dns解析时的域名
    # ws-opts:
      # path: /path
      # headers:
@@ -667,6 +668,7 @@ proxies: # socks5
    # skip-cert-verify: true
    grpc-opts:
      grpc-service-name: "example"
      # grpc-user-agent: "grpc-go/1.36.0"
    # ip-version: ipv4
  # vless
@@ -687,6 +689,7 @@ proxies: # socks5
    #   enable: true # 必须手动开启
    #   # 如果config为空则通过dns解析，不为空则通过该值指定，格式为经过base64编码的ech参数（dig +short TYPE65 tls-ech.dev）
    #   config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
    #   # query-server-name: xxx.com # 可选项，不为空时用于指定通过dns解析时的域名
  - name: "vless-vision"
    type: vless
@@ -755,6 +758,8 @@ proxies: # socks5
    servername: testingcf.jsdelivr.net
    grpc-opts:
      grpc-service-name: "grpc"
      # grpc-user-agent: "grpc-go/1.36.0"
    reality-opts:
      public-key: CrrQSjAG_YkHLwvM2M-7XkKJilgL5upBKCp0od0tLhE
      short-id: 10f897e26c4b9478
@@ -807,6 +812,7 @@ proxies: # socks5
    #   enable: true # 必须手动开启
    #   # 如果config为空则通过dns解析，不为空则通过该值指定，格式为经过base64编码的ech参数（dig +short TYPE65 tls-ech.dev）
    #   config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
    #   # query-server-name: xxx.com # 可选项，不为空时用于指定通过dns解析时的域名
  - name: trojan-grpc
    server: server
@@ -823,6 +829,7 @@ proxies: # socks5
    udp: true
    grpc-opts:
      grpc-service-name: "example"
      # grpc-user-agent: "grpc-go/1.36.0"
  - name: trojan-ws
    server: server
@@ -877,6 +884,7 @@ proxies: # socks5
    #   enable: true # 必须手动开启
    #   # 如果config为空则通过dns解析，不为空则通过该值指定，格式为经过base64编码的ech参数（dig +short TYPE65 tls-ech.dev）
    #   config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
    #   # query-server-name: xxx.com # 可选项，不为空时用于指定通过dns解析时的域名
    # skip-cert-verify: false
    # recv-window-conn: 12582912
    # recv-window: 52428800
@@ -905,6 +913,7 @@ proxies: # socks5
    #   enable: true # 必须手动开启
    #   # 如果config为空则通过dns解析，不为空则通过该值指定，格式为经过base64编码的ech参数（dig +short TYPE65 tls-ech.dev）
    #   config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
    #   # query-server-name: xxx.com # 可选项，不为空时用于指定通过dns解析时的域名
    # skip-cert-verify: false
    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # 下面两项如果填写则开启 mTLS（需要同时填写）
@@ -932,6 +941,7 @@ proxies: # socks5
    reserved: "U4An"
    # 数组格式也是合法的
    # reserved: [209,98,59]
    # persistent-keepalive: 0
    # 一个出站代理的标识。当值不为空时，将使用指定的 proxy 发出连接
    # dialer-proxy: "ss1"
    # remote-dns-resolve: true # 强制 dns 远程解析，默认值为 false
@@ -972,6 +982,23 @@ proxies: # socks5
    #   j3: <t><b 0xf6ab><c><r 10>                        # AmneziaWG v1.5 only (removed in v2)
    #   itime: 60                                         # AmneziaWG v1.5 only (removed in v2)
  # masque
  - name: "masque"
    type: masque
    server: 162.159.198.1
    port: 443
    private-key: MHcCAQEEILI1eOtnbEIh89Fj4yNDuFR6UjayCKI3NdLl3DhetimWoAoGCCqGSM49AwEHoUQDQgAEgyXrE8v+hHsHy3ewSb3WcRjYgCrM9T9hiE0Uv6k2DZ1+4kefrDT9v1Q/8wdRigTf6t6gGNUV8W+IUMdrfUt+9g==
    public-key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIaU7MToJm9NKp8YfGxR6r+/h4mcG7SxI8tsW8OR1A5tv/zCzVbCRRh2t87/kxnP6lAy0lkr7qYwu+ox+k3dr6w==
    ip: 172.16.0.2
    ipv6: 2606:4700:110:84c0:163a:4914:a0ad:3342
    mtu: 1280
    udp: true
    # 一个出站代理的标识。当值不为空时，将使用指定的 proxy 发出连接
    # dialer-proxy: "ss1"
    # remote-dns-resolve: true # 强制 dns 远程解析，默认值为 false
    # dns: [ 1.1.1.1, 8.8.8.8 ] # 仅在 remote-dns-resolve 为 true 时生效
    # congestion-controller: bbr # 默认不开启
  # tuic
  - name: tuic
    server: www.example.com
@@ -1000,6 +1027,7 @@ proxies: # socks5
    #   enable: true # 必须手动开启
    #   # 如果config为空则通过dns解析，不为空则通过该值指定，格式为经过base64编码的ech参数（dig +short TYPE65 tls-ech.dev）
    #   config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
    #   # query-server-name: xxx.com # 可选项，不为空时用于指定通过dns解析时的域名
    #
    # meta 和 sing-box 私有扩展，将 ss-uot 用于 udp 中继，开启此选项后 udp-relay-mode 将失效
    # 警告，与原版 tuic 不兼容！！！
@@ -1049,6 +1077,8 @@ proxies: # socks5
    # multiplexing: MULTIPLEXING_LOW
    # 如果想开启 0-RTT 握手，请设置为 HANDSHAKE_NO_WAIT，否则请设置为 HANDSHAKE_STANDARD。默认值为 HANDSHAKE_STANDARD
    # handshake-mode: HANDSHAKE_STANDARD
    # 一个 base64 字符串用于微调网络行为
    # traffic-pattern: ""
  # sudoku
  - name: sudoku
@@ -1056,18 +1086,19 @@ proxies: # socks5
    server: server_ip/domain # 1.2.3.4 or domain
    port: 443 
    key: "<client_key>" # 如果你使用sudoku生成的ED25519密钥对，请填写密钥对中的私钥，否则填入和服务端相同的uuid
-    aead-method: chacha20-poly1305 # 可选值：chacha20-poly1305、aes-128-gcm、none 我们保证在none的情况下sudoku混淆层仍然确保安全
+    aead-method: chacha20-poly1305 # 可选：chacha20-poly1305、aes-128-gcm、none（不建议；且 enable-pure-downlink=false 时不可用）
-    padding-min: 2 # 最小填充字节数
+    padding-min: 2 # 最小填充率（0-100）
-    padding-max: 7 # 最大填充字节数
+    padding-max: 7 # 最大填充率（0-100，必须 >= padding-min）
    table-type: prefer_ascii    # 可选值：prefer_ascii、prefer_entropy 前者全ascii映射，后者保证熵值（汉明1）低于3
    # custom-table: xpxvvpvv    # 可选，自定义字节布局，必须包含2个x、2个p、4个v，可随意组合。启用此处则需配置`table-type`为`prefer_entropy`
    # custom-tables: ["xpxvvpvv", "vxpvxvvp"] # 可选，自定义字节布局列表（x/v/p），用于 xvp 模式轮换；非空时覆盖 custom-table
    http-mask: true # 是否启用http掩码
-    # http-mask-mode: legacy # 可选：legacy（默认）、stream、poll、auto；stream/poll/auto 支持走 CDN/反代
+    # http-mask-mode: legacy # 可选：legacy（默认）、stream（split-stream）、poll、auto（先 stream 再 poll）；stream/poll/auto 支持走 CDN/反代
    # http-mask-tls: true # 可选：仅在 http-mask-mode 为 stream/poll/auto 时生效；true 强制 https；false 强制 http（不会根据端口自动推断）
    # http-mask-host: "" # 可选：覆盖 Host/SNI（支持 example.com 或 example.com:443）；仅在 http-mask-mode 为 stream/poll/auto 时生效
-    # http-mask-strategy: random # 可选：random（默认）、post、websocket；仅 legacy 下生效
+    # path-root: "" # 可选：HTTP 隧道端点一级路径前缀（双方需一致），例如 "aabbcc" 或 "/aabbcc/" => /aabbcc/session、/aabbcc/stream、/aabbcc/api/v1/upload
-    enable-pure-downlink: false # 是否启用混淆下行，false的情况下能在保证数据安全的前提下极大提升下行速度，与服务端端保持相同(如果此处为false，则要求aead不可为none)
+    # http-mask-multiplex: off # 可选：off（默认）、auto（复用底层 HTTP 连接，减少建链 RTT）、on（Sudoku mux 单隧道多目标；仅在 http-mask-mode=stream/poll/auto 生效）
    enable-pure-downlink: false # 可选：false=带宽优化下行（更快，要求 aead-method != none）；true=纯 Sudoku 下行
  # anytls
  - name: anytls
@@ -1086,6 +1117,23 @@ proxies: # socks5
    #   - http/1.1
    # skip-cert-verify: true
  # trusttunnel
  - name: trusttunnel
    type: trusttunnel
    server: 1.2.3.4
    port: 443
    username: username
    password: password
    # client-fingerprint: chrome
    health-check: true
    udp: true
    # sni: "example.com"
    # alpn:
    #   - h2
    # skip-cert-verify: true
    # quic: true # 默认为false
    # congestion-controller: bbr
 # dns 出站会将请求劫持到内部 dns 模块，所有请求均在内部处理
  - name: "dns-out"
    type: dns
@@ -1369,7 +1417,7 @@ listeners:
    #   dC5jb20AAA==
    #   -----END ECH KEYS-----
-  - name: reidr-in-1
+  - name: redir-in-1
    type: redir
    port: 10811 # 支持使用ports格式，例如200,302 or 200,204,401-429,501-503
    listen: 0.0.0.0
@@ -1404,11 +1452,12 @@ listeners:
    # kcp-tun:
    #   enable: false
    #   key: it's a secrect # pre-shared secret between client and server
-    #   crypt: aes # aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, none, null
+    #   crypt: aes # aes, aes-128, aes-128-gcm, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, none, null
    #   mode: fast # profiles: fast3, fast2, fast, normal, manual
    #   conn: 1 # set num of UDP connections to server
    #   autoexpire: 0 # set auto expiration time(in seconds) for a single UDP connection, 0 to disable
    #   scavengettl: 600 # set how long an expired connection can live (in seconds)
    #   ratelimit: 0 # set maximum outgoing speed (in bytes per second) for a single KCP connection, 0 to disable. Also known as packet pacing
    #   mtu: 1350 # set maximum transmission unit for UDP packets
    #   sndwnd: 128 # set send window size(num of packets)
    #   rcvwnd: 512 # set receive window size(num of packets)
@@ -1423,6 +1472,7 @@ listeners:
    #   sockbuf: 4194304 # per-socket buffer in bytes
    #   smuxver: 1 # specify smux version, available 1,2
    #   smuxbuf: 4194304 # the overall de-mux buffer in bytes
    #   framesize: 8192 # smux max frame size
    #   streambuf: 2097152 # per stream receive buffer in bytes, smux v2+
    #   keepalive: 10 # seconds between heartbeats
@@ -1597,22 +1647,25 @@ listeners:
    users:
      username1: password1
      username2: password2
    # 一个 base64 字符串用于微调网络行为
    # traffic-pattern: ""
  - name: sudoku-in-1
    type: sudoku
    port: 8443 # 仅支持单端口
    listen: 0.0.0.0
    key: "<server_key>" # 如果你使用sudoku生成的ED25519密钥对，此处是密钥对中的公钥，当然，你也可以仅仅使用任意uuid充当key
-    aead-method: chacha20-poly1305 # 支持chacha20-poly1305或者aes-128-gcm以及none，sudoku的混淆层可以确保none情况下数据安全
+    aead-method: chacha20-poly1305 # 可选：chacha20-poly1305、aes-128-gcm、none（不建议；且 enable-pure-downlink=false 时不可用）
-    padding-min: 1 # 填充最小长度
+    padding-min: 1 # 最小填充率（0-100）
-    padding-max: 15 # 填充最大长度，均不建议过大
+    padding-max: 15 # 最大填充率（0-100，必须 >= padding-min）
    table-type: prefer_ascii # 可选值：prefer_ascii、prefer_entropy 前者全ascii映射，后者保证熵值（汉明1）低于3
    # custom-table: xpxvvpvv # 可选，自定义字节布局，必须包含2个x、2个p、4个v，可随意组合。启用此处则需配置`table-type`为`prefer_entropy`
    # custom-tables: ["xpxvvpvv", "vxpvxvvp"] # 可选，自定义字节布局列表（x/v/p），用于 xvp 模式轮换；非空时覆盖 custom-table
-    handshake-timeout: 5   # optional
+    handshake-timeout: 5   # 可选（秒）
-    enable-pure-downlink: false # 是否启用混淆下行，false的情况下能在保证数据安全的前提下极大提升下行速度，与客户端保持相同(如果此处为false，则要求aead不可为none)
+    enable-pure-downlink: false # 可选：false=带宽优化下行（更快，要求 aead-method != none）；true=纯 Sudoku 下行
    disable-http-mask: false # 可选：禁用 http 掩码/隧道（默认为 false）
-    # http-mask-mode: legacy # 可选：legacy（默认）、stream、poll、auto；stream/poll/auto 支持走 CDN/反代
+    # http-mask-mode: legacy # 可选：legacy（默认）、stream（split-stream）、poll、auto（先 stream 再 poll）；stream/poll/auto 支持走 CDN/反代
    # path-root: "" # 可选：HTTP 隧道端点一级路径前缀（双方需一致），例如 "aabbcc" 或 "/aabbcc/" => /aabbcc/session、/aabbcc/stream、/aabbcc/api/v1/upload
@@ -1699,6 +1752,30 @@ listeners:
    #  masquerade: http://127.0.0.1:8080	#作为反向代理
    #  masquerade: https://127.0.0.1:8080	#作为反向代理
  - name: trusttunnel-in-1
    type: trusttunnel
    port: 10821 # 支持使用ports格式，例如200,302 or 200,204,401-429,501-503
    listen: 0.0.0.0
    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
    # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时，这里的 proxy 名称必须合法，否则会出错)
    users:
      - username: 1
        password: 9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68
    certificate: ./server.crt # 证书 PEM 格式，或者 证书的路径
    private-key: ./server.key # 证书对应的私钥 PEM 格式，或者私钥路径
    network: ["tcp", "udp"] # http2+http3
    congestion-controller: bbr
    # 下面两项为mTLS配置项，如果client-auth-type设置为 "verify-if-given" 或 "require-and-verify" 则client-auth-cert必须不为空
    # client-auth-type: "" # 可选值：""、"request"、"require-any"、"verify-if-given"、"require-and-verify"
    # client-auth-cert: string # 证书 PEM 格式，或者 证书的路径
    # 如果填写则开启ech（可由 mihomo generate ech-keypair <明文域名> 生成）
    # ech-key: |
    #   -----BEGIN ECH KEYS-----
    #   ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK
    #   madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
    #   dC5jb20AAA==
    #   -----END ECH KEYS-----
  # 注意，listeners中的tun仅提供给高级用户使用，普通用户应使用顶层配置中的tun
  - name: tun-in-1
    type: tun
--- a/go.mod
+++ b/go.mod
@@ -3,75 +3,80 @@ module github.com/metacubex/mihomo
 go 1.20
 require (
 	filippo.io/edwards25519 v1.1.0
 	github.com/bahlo/generic-list-go v0.2.0
 	github.com/coreos/go-iptables v0.8.0
 	github.com/dlclark/regexp2 v1.11.5
-	github.com/enfein/mieru/v3 v3.26.0
+	github.com/enfein/mieru/v3 v3.28.0
 	github.com/gobwas/ws v1.4.0
 	github.com/gofrs/uuid/v5 v5.4.0
 	github.com/golang/snappy v1.0.0
 	github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905
 	github.com/klauspost/compress v1.17.9 // lastest version compatible with golang1.20
 	github.com/mdlayher/netlink v1.7.2
 	github.com/metacubex/amneziawg-go v0.0.0-20251104174305-5a0e9f7e361d
 	github.com/metacubex/bart v0.26.0
 	github.com/metacubex/bbolt v0.0.0-20250725135710-010dbbbb7a5b
 	github.com/metacubex/blake3 v0.1.0
 	github.com/metacubex/chacha v0.1.5
 	github.com/metacubex/chi v0.1.0
 	github.com/metacubex/connect-ip-go v0.0.0-20260128031117-1cad62060727
 	github.com/metacubex/cpu v0.1.0
 	github.com/metacubex/edwards25519 v1.2.0
 	github.com/metacubex/fswatch v0.1.1
 	github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759
 	github.com/metacubex/http v0.1.0
-	github.com/metacubex/kcp-go v0.0.0-20251111012849-7455698490e9
+	github.com/metacubex/kcp-go v0.0.0-20260105040817-550693377604
 	github.com/metacubex/mlkem v0.1.0
-	github.com/metacubex/quic-go v0.58.1-0.20251222092318-72a81ab195ec
+	github.com/metacubex/quic-go v0.59.1-0.20260213014310-4df8f0de5b56
 	github.com/metacubex/randv2 v0.2.0
 	github.com/metacubex/restls-client-go v0.1.7
-	github.com/metacubex/sing v0.5.6
+	github.com/metacubex/sing v0.5.7
-	github.com/metacubex/sing-mux v0.3.4
+	github.com/metacubex/sing-mux v0.3.5
-	github.com/metacubex/sing-quic v0.0.0-20251217080445-b15217cb57f3
+	github.com/metacubex/sing-quic v0.0.0-20260112044712-65d17608159e
 	github.com/metacubex/sing-shadowsocks v0.2.12
 	github.com/metacubex/sing-shadowsocks2 v0.2.7
 	github.com/metacubex/sing-shadowtls v0.0.0-20250503063515-5d9f966d17a2
-	github.com/metacubex/sing-tun v0.4.11
+	github.com/metacubex/sing-tun v0.4.16-0.20260213034958-b09e3f5bbae6
-	github.com/metacubex/sing-vmess v0.2.4
+	github.com/metacubex/sing-vmess v0.2.5
 	github.com/metacubex/sing-wireguard v0.0.0-20250503063753-2dc62acc626f
-	github.com/metacubex/smux v0.0.0-20251111013112-03f8d12dafc1
+	github.com/metacubex/smux v0.0.0-20260105030934-d0c8756d3141
 	github.com/metacubex/tfo-go v0.0.0-20251130171125-413e892ac443
-	github.com/metacubex/tls v0.1.0
+	github.com/metacubex/tls v0.1.4
-	github.com/metacubex/utls v1.8.3
+	github.com/metacubex/utls v1.8.4
 	github.com/metacubex/wireguard-go v0.0.0-20250820062549-a6cecdd7f57f
 	github.com/miekg/dns v1.1.63 // lastest version compatible with golang1.20
 	github.com/mroth/weightedrand/v2 v2.1.0
 	github.com/openacid/low v0.1.21
 	github.com/oschwald/maxminddb-golang v1.12.0 // lastest version compatible with golang1.20
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a
 	github.com/samber/lo v1.52.0
-	github.com/sirupsen/logrus v1.9.3
+	github.com/sirupsen/logrus v1.9.4
 	github.com/stretchr/testify v1.11.1
 	github.com/vmihailenco/msgpack/v5 v5.4.1
-	github.com/wk8/go-ordered-map/v2 v2.1.8
+	github.com/yosida95/uritemplate/v3 v3.0.2
 	gitlab.com/go-extension/aes-ccm v0.0.0-20230221065045-e58665ef23c7
 	go.uber.org/automaxprocs v1.6.0
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
 	golang.org/x/crypto v0.33.0 // lastest version compatible with golang1.20
 	golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e // lastest version compatible with golang1.20
 	golang.org/x/net v0.35.0 // lastest version compatible with golang1.20
 	golang.org/x/sync v0.11.0 // lastest version compatible with golang1.20
 	golang.org/x/sys v0.30.0 // lastest version compatible with golang1.20
 	google.golang.org/protobuf v1.34.2 // lastest version compatible with golang1.20
 	gopkg.in/yaml.v3 v3.0.1
 )
 // lastest version compatible with golang1.20
 require (
 	github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905
 	github.com/klauspost/compress v1.17.9
 	github.com/mdlayher/netlink v1.7.2
 	github.com/miekg/dns v1.1.63
 	github.com/oschwald/maxminddb-golang v1.12.0
 	golang.org/x/crypto v0.33.0
 	golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e
 	golang.org/x/net v0.35.0
 	golang.org/x/sync v0.11.0
 	golang.org/x/sys v0.30.0
 	google.golang.org/protobuf v1.34.2
 )
 require (
 	github.com/RyuaNerin/go-krypto v1.3.0 // indirect
 	github.com/Yawning/aez v0.0.0-20211027044916-e49e68abd344 // indirect
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.6 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dunglas/httpsfv v1.0.2 // indirect
 	github.com/ericlagergren/aegis v0.0.0-20250325060835-cd0defd64358 // indirect
 	github.com/ericlagergren/polyval v0.0.0-20220411101811-e25bc10ba391 // indirect
 	github.com/ericlagergren/siv v0.0.0-20220507050439-0b757b3aa5f1 // indirect
@@ -88,7 +93,6 @@ require (
 	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
 	github.com/klauspost/reedsolomon v1.12.3 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mdlayher/socket v0.4.1 // indirect
 	github.com/metacubex/ascon v0.1.0 // indirect
 	github.com/metacubex/gvisor v0.0.0-20251227095601-261ec1326fe8 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,3 @@
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/RyuaNerin/go-krypto v1.3.0 h1:smavTzSMAx8iuVlGb4pEwl9MD2qicqMzuXR2QWp2/Pg=
 github.com/RyuaNerin/go-krypto v1.3.0/go.mod h1:9R9TU936laAIqAmjcHo/LsaXYOZlymudOAxjaBf62UM=
 github.com/RyuaNerin/testingutil v0.1.0 h1:IYT6JL57RV3U2ml3dLHZsVtPOP6yNK7WUVdzzlpNrss=
@@ -12,8 +10,6 @@ github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHG
 github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk=
 github.com/bahlo/generic-list-go v0.2.0/go.mod h1:2KvAjgMlE5NNynlg/5iLrrCCZ2+5xWbdbCW3pNTGyYg=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
 github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
 github.com/coreos/go-iptables v0.8.0 h1:MPc2P89IhuVpLI7ETL/2tx3XZ61VeICZjYqDEgNsPRc=
 github.com/coreos/go-iptables v0.8.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -22,8 +18,10 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
 github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/enfein/mieru/v3 v3.26.0 h1:ZsxCFkh3UfGSu9LL6EQ9+b97uxTJ7/AnJmLMyrbjSDI=
+github.com/dunglas/httpsfv v1.0.2 h1:iERDp/YAfnojSDJ7PW3dj1AReJz4MrwbECSSE59JWL0=
-github.com/enfein/mieru/v3 v3.26.0/go.mod h1:zJBUCsi5rxyvHM8fjFf+GLaEl4OEjjBXr1s5F6Qd3hM=
+github.com/dunglas/httpsfv v1.0.2/go.mod h1:zID2mqw9mFsnt7YC3vYQ9/cjq30q41W+1AnDwH8TiMg=
 github.com/enfein/mieru/v3 v3.28.0 h1:4OsFPUIjKfQ6ymfyX1Laqz7h+zB8TxuK1m0isnYJ8ww=
 github.com/enfein/mieru/v3 v3.28.0/go.mod h1:zJBUCsi5rxyvHM8fjFf+GLaEl4OEjjBXr1s5F6Qd3hM=
 github.com/ericlagergren/aegis v0.0.0-20250325060835-cd0defd64358 h1:kXYqH/sL8dS/FdoFjr12ePjnLPorPo2FsnrHNuXSDyo=
 github.com/ericlagergren/aegis v0.0.0-20250325060835-cd0defd64358/go.mod h1:hkIFzoiIPZYxdFOOLyDho59b7SrDfo+w3h+yWdlg45I=
 github.com/ericlagergren/polyval v0.0.0-20220411101811-e25bc10ba391 h1:8j2RH289RJplhA6WfdaPqzg1MjH2K8wX5e0uhAxrw2g=
@@ -59,7 +57,6 @@ github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73
 github.com/google/tink/go v1.6.1 h1:t7JHqO8Ath2w2ig5vjwQYJzhGEZymedQc90lQXUBa4I=
 github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905 h1:q3OEI9RaN/wwcx+qgGo6ZaoJkCiDYe/gjDLfq7lQQF4=
 github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905/go.mod h1:VvGYjkZoJyKqlmT1yzakUs4mfKMNB0XdODP0+rdml6k=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
@@ -72,8 +69,6 @@ github.com/klauspost/reedsolomon v1.12.3/go.mod h1:3K5rXwABAvzGeR01r6pWZieUALXO/
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
 github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
@@ -92,8 +87,12 @@ github.com/metacubex/chacha v0.1.5 h1:fKWMb/5c7ZrY8Uoqi79PPFxl+qwR7X/q0OrsAubyX2
 github.com/metacubex/chacha v0.1.5/go.mod h1:Djn9bPZxLTXbJFSeyo0/qzEzQI+gUSSzttuzZM75GH8=
 github.com/metacubex/chi v0.1.0 h1:rjNDyDj50nRpicG43CNkIw4ssiCbmDL8d7wJXKlUCsg=
 github.com/metacubex/chi v0.1.0/go.mod h1:zM5u5oMQt8b2DjvDHvzadKrP6B2ztmasL1YHRMbVV+g=
 github.com/metacubex/connect-ip-go v0.0.0-20260128031117-1cad62060727 h1:qbZQ0sO0bDBKPvTd/qNQK6513300WJ5GRsHnw3PO4Ho=
 github.com/metacubex/connect-ip-go v0.0.0-20260128031117-1cad62060727/go.mod h1:xYC8Ik7/rN6no+vTRuWMEziGwm3brA0wNM/zZP9qhOQ=
 github.com/metacubex/cpu v0.1.0 h1:8PeTdV9j6UKbN1K5Jvtbi/Jock7dknvzyYuLb8Conmk=
 github.com/metacubex/cpu v0.1.0/go.mod h1:09VEt4dSRLR+bOA8l4w4NDuzGZ8n5dkMv7e8axgEeTU=
 github.com/metacubex/edwards25519 v1.2.0 h1:pIQZLBsjQgg3Nl/c86YYFEUAbL5qQRnPq4LrgIw0KK4=
 github.com/metacubex/edwards25519 v1.2.0/go.mod h1:NCQF3J/Ki7382FJuokwsywEIIEI/gro/3smyXgQJsx0=
 github.com/metacubex/fswatch v0.1.1 h1:jqU7C/v+g0qc2RUFgmAOPoVvfl2BXXUXEumn6oQuxhU=
 github.com/metacubex/fswatch v0.1.1/go.mod h1:czrTT7Zlbz7vWft8RQu9Qqh+JoX+Nnb+UabuyN1YsgI=
 github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 h1:cjd4biTvOzK9ubNCCkQ+ldc4YSH/rILn53l/xGBFHHI=
@@ -106,47 +105,46 @@ github.com/metacubex/hpke v0.1.0 h1:gu2jUNhraehWi0P/z5HX2md3d7L1FhPQE6/Q0E9r9xQ=
 github.com/metacubex/hpke v0.1.0/go.mod h1:vfDm6gfgrwlXUxKDkWbcE44hXtmc1uxLDm2BcR11b3U=
 github.com/metacubex/http v0.1.0 h1:Jcy0I9zKjYijSUaksZU34XEe2xNdoFkgUTB7z7K5q0o=
 github.com/metacubex/http v0.1.0/go.mod h1:Nxx0zZAo2AhRfanyL+fmmK6ACMtVsfpwIl1aFAik2Eg=
-github.com/metacubex/kcp-go v0.0.0-20251111012849-7455698490e9 h1:7m3tRPrLpKOLOvZ/Lp4XCxz0t7rg9t9K35x6TahjR8o=
+github.com/metacubex/kcp-go v0.0.0-20260105040817-550693377604 h1:hJwCVlE3ojViC35MGHB+FBr8TuIf3BUFn2EQ1VIamsI=
-github.com/metacubex/kcp-go v0.0.0-20251111012849-7455698490e9/go.mod h1:HIJZW4QMhbBqXuqC1ly6Hn0TEYT2SzRw58ns1yGhXTs=
+github.com/metacubex/kcp-go v0.0.0-20260105040817-550693377604/go.mod h1:lpmN3m269b3V5jFCWtffqBLS4U3QQoIid9ugtO+OhVc=
 github.com/metacubex/mlkem v0.1.0 h1:wFClitonSFcmipzzQvax75beLQU+D7JuC+VK1RzSL8I=
 github.com/metacubex/mlkem v0.1.0/go.mod h1:amhaXZVeYNShuy9BILcR7P0gbeo/QLZsnqCdL8U2PDQ=
 github.com/metacubex/nftables v0.0.0-20250503052935-30a69ab87793 h1:1Qpuy+sU3DmyX9HwI+CrBT/oLNJngvBorR2RbajJcqo=
 github.com/metacubex/nftables v0.0.0-20250503052935-30a69ab87793/go.mod h1:RjRNb4G52yAgfR+Oe/kp9G4PJJ97Fnj89eY1BFO3YyA=
 github.com/metacubex/qpack v0.6.0 h1:YqClGIMOpiRYLjV1qOs483Od08MdPgRnHjt90FuaAKw=
 github.com/metacubex/qpack v0.6.0/go.mod h1:lKGSi7Xk94IMvHGOmxS9eIei3bvIqpOAImEBsaOwTkA=
-github.com/metacubex/quic-go v0.58.1-0.20251222092318-72a81ab195ec h1:5ePGO2Xht06fpwjNIzfY5XS+82xwDHHx4xGbqgLbxjA=
+github.com/metacubex/quic-go v0.59.1-0.20260213014310-4df8f0de5b56 h1:7yfF31COW2hiCovb5+3uSxRl3UKWOXjpS0j4N5U0qZ8=
-github.com/metacubex/quic-go v0.58.1-0.20251222092318-72a81ab195ec/go.mod h1:oNzMrmylS897M3zSMuapIdwSwfq6F2qW01Z3NhVRJhk=
+github.com/metacubex/quic-go v0.59.1-0.20260213014310-4df8f0de5b56/go.mod h1:oNzMrmylS897M3zSMuapIdwSwfq6F2qW01Z3NhVRJhk=
 github.com/metacubex/randv2 v0.2.0 h1:uP38uBvV2SxYfLj53kuvAjbND4RUDfFJjwr4UigMiLs=
 github.com/metacubex/randv2 v0.2.0/go.mod h1:kFi2SzrQ5WuneuoLLCMkABtiBu6VRrMrWFqSPyj2cxY=
 github.com/metacubex/restls-client-go v0.1.7 h1:eCwiXCTQb5WJu9IlgYvDBA1OgrINv58dEe7hcN5H15k=
 github.com/metacubex/restls-client-go v0.1.7/go.mod h1:BN/U52vPw7j8VTSh2vleD/MnmVKCov84mS5VcjVHH4g=
-github.com/metacubex/sing v0.5.2/go.mod h1:ypf0mjwlZm0sKdQSY+yQvmsbWa0hNPtkeqyRMGgoN+w=
+github.com/metacubex/sing v0.5.7 h1:8OC+fhKFSv/l9ehEhJRaZZAOuthfZo68SteBVLe8QqM=
-github.com/metacubex/sing v0.5.6 h1:mEPDCadsCj3DB8gn+t/EtposlYuALEkExa/LUguw6/c=
+github.com/metacubex/sing v0.5.7/go.mod h1:ypf0mjwlZm0sKdQSY+yQvmsbWa0hNPtkeqyRMGgoN+w=
-github.com/metacubex/sing v0.5.6/go.mod h1:ypf0mjwlZm0sKdQSY+yQvmsbWa0hNPtkeqyRMGgoN+w=
+github.com/metacubex/sing-mux v0.3.5 h1:UqVN+o62SR8kJaC9/3VfOc5UiVqgVY/ef9WwfGYYkk0=
-github.com/metacubex/sing-mux v0.3.4 h1:tf4r27CIkzaxq9kBlAXQkgMXq2HPp5Mta60Kb4RCZF0=
+github.com/metacubex/sing-mux v0.3.5/go.mod h1:8bT7ZKT3clRrJjYc/x5CRYibC1TX/bK73a3r3+2E+Fc=
-github.com/metacubex/sing-mux v0.3.4/go.mod h1:SEJfAuykNj/ozbPqngEYqyggwSr81+L7Nu09NRD5mh4=
+github.com/metacubex/sing-quic v0.0.0-20260112044712-65d17608159e h1:MLxp42z9Jd6LtY2suyawnl24oNzIsFxWc15bNeDIGxA=
-github.com/metacubex/sing-quic v0.0.0-20251217080445-b15217cb57f3 h1:3LlkguIRAzyBWLxP5xrETi1AMIt3McZcDlXNgiyXMsE=
+github.com/metacubex/sing-quic v0.0.0-20260112044712-65d17608159e/go.mod h1:+lgKTd52xAarGtqugALISShyw4KxnoEpYe2u0zJh26w=
 github.com/metacubex/sing-quic v0.0.0-20251217080445-b15217cb57f3/go.mod h1:fAyoc/8IFK1yJp8meJvPNyGk7ZnKG1vmNaTwYx6NHA4=
 github.com/metacubex/sing-shadowsocks v0.2.12 h1:Wqzo8bYXrK5aWqxu/TjlTnYZzAKtKsaFQBdr6IHFaBE=
 github.com/metacubex/sing-shadowsocks v0.2.12/go.mod h1:2e5EIaw0rxKrm1YTRmiMnDulwbGxH9hAFlrwQLQMQkU=
 github.com/metacubex/sing-shadowsocks2 v0.2.7 h1:hSuuc0YpsfiqYqt1o+fP4m34BQz4e6wVj3PPBVhor3A=
 github.com/metacubex/sing-shadowsocks2 v0.2.7/go.mod h1:vOEbfKC60txi0ca+yUlqEwOGc3Obl6cnSgx9Gf45KjE=
 github.com/metacubex/sing-shadowtls v0.0.0-20250503063515-5d9f966d17a2 h1:gXU+MYPm7Wme3/OAY2FFzVq9d9GxPHOqu5AQfg/ddhI=
 github.com/metacubex/sing-shadowtls v0.0.0-20250503063515-5d9f966d17a2/go.mod h1:mbfboaXauKJNIHJYxQRa+NJs4JU9NZfkA+I33dS2+9E=
-github.com/metacubex/sing-tun v0.4.11 h1:NG5zpvYPbBXf+9GSUmDaGCDwl3hZXV677tbRAw0QtCM=
+github.com/metacubex/sing-tun v0.4.16-0.20260213034958-b09e3f5bbae6 h1:3yeZyDHGBmI/1XLsWBhr1sLhifWHkJa5J5Kf8djIbqs=
-github.com/metacubex/sing-tun v0.4.11/go.mod h1:L/TjQY5JEGy8nvsuYmy/XgMFMCPiF0+AWSFCYfS6r9w=
+github.com/metacubex/sing-tun v0.4.16-0.20260213034958-b09e3f5bbae6/go.mod h1:L/TjQY5JEGy8nvsuYmy/XgMFMCPiF0+AWSFCYfS6r9w=
-github.com/metacubex/sing-vmess v0.2.4 h1:Tx6AGgCiEf400E/xyDuYyafsel6sGbR8oF7RkAaus6I=
+github.com/metacubex/sing-vmess v0.2.5 h1:m9Zt5I27lB9fmLMZfism9sH2LcnAfShZfwSkf6/KJoE=
-github.com/metacubex/sing-vmess v0.2.4/go.mod h1:21R5R1u90uUvBQF0owoooEu96/SAYYD56nDrwm6nFaM=
+github.com/metacubex/sing-vmess v0.2.5/go.mod h1:AwtlzUgf8COe9tRYAKqWZ+leDH7p5U98a0ZUpYehl8Q=
 github.com/metacubex/sing-wireguard v0.0.0-20250503063753-2dc62acc626f h1:Sr/DYKYofKHKc4GF3qkRGNuj6XA6c0eqPgEDN+VAsYU=
 github.com/metacubex/sing-wireguard v0.0.0-20250503063753-2dc62acc626f/go.mod h1:jpAkVLPnCpGSfNyVmj6Cq4YbuZsFepm/Dc+9BAOcR80=
-github.com/metacubex/smux v0.0.0-20251111013112-03f8d12dafc1 h1:a6DF0ze9miXes+rdwl8a4Wkvfpe0lXYU82sPJfDzz6s=
+github.com/metacubex/smux v0.0.0-20260105030934-d0c8756d3141 h1:DK2l6m2Fc85H2BhiAPgbJygiWhesPlfGmF+9Vw6ARdk=
-github.com/metacubex/smux v0.0.0-20251111013112-03f8d12dafc1/go.mod h1:4bPD8HWx9jPJ9aE4uadgyN7D1/Wz3KmPy+vale8sKLE=
+github.com/metacubex/smux v0.0.0-20260105030934-d0c8756d3141/go.mod h1:/yI4OiGOSn0SURhZdJF3CbtPg3nwK700bG8TZLMBvAg=
 github.com/metacubex/tfo-go v0.0.0-20251130171125-413e892ac443 h1:H6TnfM12tOoTizYE/qBHH3nEuibIelmHI+BVSxVJr8o=
 github.com/metacubex/tfo-go v0.0.0-20251130171125-413e892ac443/go.mod h1:l9oLnLoEXyGZ5RVLsh7QCC5XsouTUyKk4F2nLm2DHLw=
-github.com/metacubex/tls v0.1.0 h1:1kjR/1q2uU1cZIwiHYEnWzS4L+0Cu1/X3yfIQ76BzNY=
+github.com/metacubex/tls v0.1.4 h1:Gm5GrkyMUh52gYOMIAQ1kHIym4v4M3Qb87Wsmd8Kpdc=
-github.com/metacubex/tls v0.1.0/go.mod h1:0XeVdL0cBw+8i5Hqy3lVeP9IyD/LFTq02ExvHM6rzEM=
+github.com/metacubex/tls v0.1.4/go.mod h1:0XeVdL0cBw+8i5Hqy3lVeP9IyD/LFTq02ExvHM6rzEM=
-github.com/metacubex/utls v1.8.3 h1:0m/yCxm3SK6kWve2lKiFb1pue1wHitJ8sQQD4Ikqde4=
+github.com/metacubex/utls v1.8.4 h1:HmL9nUApDdWSkgUyodfwF6hSjtiwCGGdyhaSpEejKpg=
-github.com/metacubex/utls v1.8.3/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
+github.com/metacubex/utls v1.8.4/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
 github.com/metacubex/wireguard-go v0.0.0-20250820062549-a6cecdd7f57f h1:FGBPRb1zUabhPhDrlKEjQ9lgIwQ6cHL4x8M9lrERhbk=
 github.com/metacubex/wireguard-go v0.0.0-20250820062549-a6cecdd7f57f/go.mod h1:oPGcV994OGJedmmxrcK9+ni7jUEMGhR+uVQAdaduIP4=
 github.com/metacubex/yamux v0.0.0-20250918083631-dd5f17c0be49 h1:lhlqpYHopuTLx9xQt22kSA9HtnyTDmk5XjjQVCGHe2E=
@@ -180,19 +178,12 @@ github.com/sina-ghaderi/rabaead v0.0.0-20220730151906-ab6e06b96e8c h1:DjKMC30y6y
 github.com/sina-ghaderi/rabaead v0.0.0-20220730151906-ab6e06b96e8c/go.mod h1:NV/a66PhhWYVmUMaotlXJ8fIEFB98u+c8l/CQIEFLrU=
 github.com/sina-ghaderi/rabbitio v0.0.0-20220730151941-9ce26f4f872e h1:ur8uMsPIFG3i4Gi093BQITvwH9znsz2VUZmnmwHvpIo=
 github.com/sina-ghaderi/rabbitio v0.0.0-20220730151941-9ce26f4f872e/go.mod h1:+e5fBW3bpPyo+3uLo513gIUblc03egGjMM0+5GKbzK8=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 h1:tHNk7XK9GkmKUR6Gh8gVBKXc2MVSZ4G/NnWLtzw4gNA=
@@ -206,9 +197,9 @@ github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IU
 github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
 github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
 github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
 github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
 github.com/xtaci/lossyconn v0.0.0-20190602105132-8df528c0c9ae h1:J0GxkO96kL4WF+AIT3M4mfUVinOCPgf2uUWYFUzN0sM=
 github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4=
 github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4=
 gitlab.com/go-extension/aes-ccm v0.0.0-20230221065045-e58665ef23c7 h1:UNrDfkQqiEYzdMlNsVvBYOAJWZjdktqFE9tQh5BT2+4=
 gitlab.com/go-extension/aes-ccm v0.0.0-20230221065045-e58665ef23c7/go.mod h1:E+rxHvJG9H6PUdzq9NRG6csuLN3XUx98BfGOVWNYnXs=
 gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec h1:FpfFs4EhNehiVfzQttTuxanPIT43FtkkCFypIod8LHo=
@@ -241,11 +232,9 @@ golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190804053845-51ab0e2deafa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@@ -258,6 +258,7 @@ func updateDNS(c *config.DNS, generalIPv6 bool) {
 		Default:              c.DefaultNameserver,
 		Policy:               c.NameServerPolicy,
 		ProxyServer:          c.ProxyServerNameserver,
 		ProxyServerPolicy:    c.ProxyServerPolicy,
 		DirectServer:         c.DirectNameServer,
 		DirectFollowPolicy:   c.DirectFollowPolicy,
 		CacheAlgorithm:       c.CacheAlgorithm,
@@ -424,6 +425,9 @@ func updateGeneral(general *config.General, logging bool) {
 	mihomoHttp.SetUA(general.GlobalUA)
 	resource.SetETag(general.ETagSupport)
 	if general.GlobalClientFingerprint != "" {
 		log.Warnln("The `global-client-fingerprint` configuration is deprecated, please set `client-fingerprint` directly on the proxy instead")
 	}
 	tlsC.SetGlobalFingerprint(general.GlobalClientFingerprint)
 }
--- a/hub/route/configs.go
+++ b/hub/route/configs.go
@@ -71,30 +71,31 @@ type tunSchema struct {
 	GSO        *bool   `yaml:"gso" json:"gso,omitempty"`
 	GSOMaxSize *uint32 `yaml:"gso-max-size" json:"gso-max-size,omitempty"`
 	//Inet4Address           *[]netip.Prefix `yaml:"inet4-address" json:"inet4-address,omitempty"`
-	Inet6Address           *[]netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"`
+	Inet6Address                          *[]netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"`
-	IPRoute2TableIndex     *int            `yaml:"iproute2-table-index" json:"iproute2-table-index,omitempty"`
+	IPRoute2TableIndex                    *int            `yaml:"iproute2-table-index" json:"iproute2-table-index,omitempty"`
-	IPRoute2RuleIndex      *int            `yaml:"iproute2-rule-index" json:"iproute2-rule-index,omitempty"`
+	IPRoute2RuleIndex                     *int            `yaml:"iproute2-rule-index" json:"iproute2-rule-index,omitempty"`
-	AutoRedirect           *bool           `yaml:"auto-redirect" json:"auto-redirect,omitempty"`
+	AutoRedirect                          *bool           `yaml:"auto-redirect" json:"auto-redirect,omitempty"`
-	AutoRedirectInputMark  *uint32         `yaml:"auto-redirect-input-mark" json:"auto-redirect-input-mark,omitempty"`
+	AutoRedirectInputMark                 *uint32         `yaml:"auto-redirect-input-mark" json:"auto-redirect-input-mark,omitempty"`
-	AutoRedirectOutputMark *uint32         `yaml:"auto-redirect-output-mark" json:"auto-redirect-output-mark,omitempty"`
+	AutoRedirectOutputMark                *uint32         `yaml:"auto-redirect-output-mark" json:"auto-redirect-output-mark,omitempty"`
-	LoopbackAddress        *[]netip.Addr   `yaml:"loopback-address" json:"loopback-address,omitempty"`
+	AutoRedirectIPRoute2FallbackRuleIndex *int            `yaml:"auto-redirect-iproute2-fallback-rule-index" json:"auto-redirect-iproute2-fallback-rule-index,omitempty"`
-	StrictRoute            *bool           `yaml:"strict-route" json:"strict-route,omitempty"`
+	LoopbackAddress                       *[]netip.Addr   `yaml:"loopback-address" json:"loopback-address,omitempty"`
-	RouteAddress           *[]netip.Prefix `yaml:"route-address" json:"route-address,omitempty"`
+	StrictRoute                           *bool           `yaml:"strict-route" json:"strict-route,omitempty"`
-	RouteAddressSet        *[]string       `yaml:"route-address-set" json:"route-address-set,omitempty"`
+	RouteAddress                          *[]netip.Prefix `yaml:"route-address" json:"route-address,omitempty"`
-	RouteExcludeAddress    *[]netip.Prefix `yaml:"route-exclude-address" json:"route-exclude-address,omitempty"`
+	RouteAddressSet                       *[]string       `yaml:"route-address-set" json:"route-address-set,omitempty"`
-	RouteExcludeAddressSet *[]string       `yaml:"route-exclude-address-set" json:"route-exclude-address-set,omitempty"`
+	RouteExcludeAddress                   *[]netip.Prefix `yaml:"route-exclude-address" json:"route-exclude-address,omitempty"`
-	IncludeInterface       *[]string       `yaml:"include-interface" json:"include-interface,omitempty"`
+	RouteExcludeAddressSet                *[]string       `yaml:"route-exclude-address-set" json:"route-exclude-address-set,omitempty"`
-	ExcludeInterface       *[]string       `yaml:"exclude-interface" json:"exclude-interface,omitempty"`
+	IncludeInterface                      *[]string       `yaml:"include-interface" json:"include-interface,omitempty"`
-	IncludeUID             *[]uint32       `yaml:"include-uid" json:"include-uid,omitempty"`
+	ExcludeInterface                      *[]string       `yaml:"exclude-interface" json:"exclude-interface,omitempty"`
-	IncludeUIDRange        *[]string       `yaml:"include-uid-range" json:"include-uid-range,omitempty"`
+	IncludeUID                            *[]uint32       `yaml:"include-uid" json:"include-uid,omitempty"`
-	ExcludeUID             *[]uint32       `yaml:"exclude-uid" json:"exclude-uid,omitempty"`
+	IncludeUIDRange                       *[]string       `yaml:"include-uid-range" json:"include-uid-range,omitempty"`
-	ExcludeUIDRange        *[]string       `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"`
+	ExcludeUID                            *[]uint32       `yaml:"exclude-uid" json:"exclude-uid,omitempty"`
-	IncludeAndroidUser     *[]int          `yaml:"include-android-user" json:"include-android-user,omitempty"`
+	ExcludeUIDRange                       *[]string       `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"`
-	IncludePackage         *[]string       `yaml:"include-package" json:"include-package,omitempty"`
+	IncludeAndroidUser                    *[]int          `yaml:"include-android-user" json:"include-android-user,omitempty"`
-	ExcludePackage         *[]string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
+	IncludePackage                        *[]string       `yaml:"include-package" json:"include-package,omitempty"`
-	EndpointIndependentNat *bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
+	ExcludePackage                        *[]string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
-	UDPTimeout             *int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
+	EndpointIndependentNat                *bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
-	FileDescriptor         *int            `yaml:"file-descriptor" json:"file-descriptor"`
+	UDPTimeout                            *int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
 	FileDescriptor                        *int            `yaml:"file-descriptor" json:"file-descriptor"`
 	Inet4RouteAddress        *[]netip.Prefix `yaml:"inet4-route-address" json:"inet4-route-address,omitempty"`
 	Inet6RouteAddress        *[]netip.Prefix `yaml:"inet6-route-address" json:"inet6-route-address,omitempty"`
@@ -181,6 +182,9 @@ func pointerOrDefaultTun(p *tunSchema, def LC.Tun) LC.Tun {
 		if p.AutoRedirectOutputMark != nil {
 			def.AutoRedirectOutputMark = *p.AutoRedirectOutputMark
 		}
 		if p.AutoRedirectIPRoute2FallbackRuleIndex != nil {
 			def.AutoRedirectIPRoute2FallbackRuleIndex = *p.AutoRedirectIPRoute2FallbackRuleIndex
 		}
 		if p.LoopbackAddress != nil {
 			def.LoopbackAddress = *p.LoopbackAddress
 		}
--- a/hub/route/proxies.go
+++ b/hub/route/proxies.go
@@ -46,7 +46,7 @@ func parseProxyName(next http.Handler) http.Handler {
 func findProxyByName(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		name := r.Context().Value(CtxKeyProxyName).(string)
-		proxies := tunnel.ProxiesWithProviders()
+		proxies := proxiesWithProviders()
 		proxy, exist := proxies[name]
 		if !exist {
 			render.Status(r, http.StatusNotFound)
@@ -60,7 +60,7 @@ func findProxyByName(next http.Handler) http.Handler {
 }
 func getProxies(w http.ResponseWriter, r *http.Request) {
-	proxies := tunnel.ProxiesWithProviders()
+	proxies := proxiesWithProviders()
 	render.JSON(w, r, render.M{
 		"proxies": proxies,
 	})
@@ -158,3 +158,21 @@ func unfixedProxy(w http.ResponseWriter, r *http.Request) {
 	render.Status(r, http.StatusBadRequest)
 	render.JSON(w, r, ErrBadRequest)
 }
 // proxiesWithProviders merges all proxies from tunnel
 //
 // Deprecated: This function is poorly implemented and should not be called by any new code.
 // It is left here only to ensure the compatibility of the output of the existing RESTful API.
 func proxiesWithProviders() map[string]C.Proxy {
 	allProxies := make(map[string]C.Proxy)
 	for name, proxy := range tunnel.Proxies() {
 		allProxies[name] = proxy
 	}
 	for _, p := range tunnel.Providers() {
 		for _, proxy := range p.Proxies() {
 			name := proxy.Name()
 			allProxies[name] = proxy
 		}
 	}
 	return allProxies
 }
--- a/hub/route/rules.go
+++ b/hub/route/rules.go
@@ -1,6 +1,8 @@
 package route
 import (
 	"time"
 	"github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/tunnel"
@@ -12,26 +14,52 @@ import (
 func ruleRouter() http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", getRules)
 	if !embedMode { // disallow update/patch rules in embed mode
 		r.Patch("/disable", disableRules)
 	}
 	return r
 }
 type Rule struct {
 	Index   int    `json:"index"`
 	Type    string `json:"type"`
 	Payload string `json:"payload"`
 	Proxy   string `json:"proxy"`
 	Size    int    `json:"size"`
 	// Extra contains information from RuleWrapper
 	Extra *RuleExtra `json:"extra,omitempty"`
 }
 type RuleExtra struct {
 	Disabled  bool      `json:"disabled"`
 	HitCount  uint64    `json:"hitCount"`
 	HitAt     time.Time `json:"hitAt"`
 	MissCount uint64    `json:"missCount"`
 	MissAt    time.Time `json:"missAt"`
 }
 func getRules(w http.ResponseWriter, r *http.Request) {
 	rawRules := tunnel.Rules()
-	rules := []Rule{}
+	rules := make([]Rule, 0, len(rawRules))
-	for _, rule := range rawRules {
+	for index, rule := range rawRules {
 		r := Rule{
 			Index:   index,
 			Type:    rule.RuleType().String(),
 			Payload: rule.Payload(),
 			Proxy:   rule.Adapter(),
 			Size:    -1,
 		}
 		if ruleWrapper, ok := rule.(constant.RuleWrapper); ok {
 			r.Extra = &RuleExtra{
 				Disabled:  ruleWrapper.IsDisabled(),
 				HitCount:  ruleWrapper.HitCount(),
 				HitAt:     ruleWrapper.HitAt(),
 				MissCount: ruleWrapper.MissCount(),
 				MissAt:    ruleWrapper.MissAt(),
 			}
 			rule = ruleWrapper.Unwrap() // unwrap RuleWrapper
 		}
 		if rule.RuleType() == constant.GEOIP || rule.RuleType() == constant.GEOSITE {
 			r.Size = rule.(constant.RuleGroup).GetRecodeSize()
 		}
@@ -43,3 +71,29 @@ func getRules(w http.ResponseWriter, r *http.Request) {
 		"rules": rules,
 	})
 }
 // disableRules disable or enable rules by their indexes.
 func disableRules(w http.ResponseWriter, r *http.Request) {
 	// key: rule index, value: disabled
 	var payload map[int]bool
 	if err := render.DecodeJSON(r.Body, &payload); err != nil {
 		render.Status(r, http.StatusBadRequest)
 		render.JSON(w, r, ErrBadRequest)
 		return
 	}
 	if len(payload) != 0 {
 		rules := tunnel.Rules()
 		for index, disabled := range payload {
 			if index < 0 || index >= len(rules) {
 				continue
 			}
 			rule := rules[index]
 			if ruleWrapper, ok := rule.(constant.RuleWrapper); ok {
 				ruleWrapper.SetDisabled(disabled)
 			}
 		}
 	}
 	render.NoContent(w, r)
 }
--- a/listener/config/sudoku.go
+++ b/listener/config/sudoku.go
@@ -22,6 +22,7 @@ type SudokuServer struct {
 	CustomTables           []string `json:"custom-tables,omitempty"`
 	DisableHTTPMask        bool     `json:"disable-http-mask,omitempty"`
 	HTTPMaskMode           string   `json:"http-mask-mode,omitempty"`
 	PathRoot               string   `json:"path-root,omitempty"`
 	// mihomo private extension (not the part of standard Sudoku protocol)
 	MuxOption sing.MuxOption `json:"mux-option,omitempty"`
--- a/listener/config/trusttunnel.go
+++ b/listener/config/trusttunnel.go
@@ -0,0 +1,24 @@
 package config
 import (
 	"encoding/json"
 )
 type TrustTunnelServer struct {
 	Enable               bool              `yaml:"enable" json:"enable"`
 	Listen               string            `yaml:"listen" json:"listen"`
 	Users                map[string]string `yaml:"users" json:"users,omitempty"`
 	Certificate          string            `yaml:"certificate" json:"certificate"`
 	PrivateKey           string            `yaml:"private-key" json:"private-key"`
 	ClientAuthType       string            `yaml:"client-auth-type" json:"client-auth-type,omitempty"`
 	ClientAuthCert       string            `yaml:"client-auth-cert" json:"client-auth-cert,omitempty"`
 	EchKey               string            `yaml:"ech-key" json:"ech-key"`
 	Network              []string          `yaml:"network" json:"network,omitempty"`
 	CongestionController string            `yaml:"congestion-controller" json:"congestion-controller,omitempty"`
 	CWND                 int               `yaml:"cwnd" json:"cwnd,omitempty"`
 }
 func (t TrustTunnelServer) String() string {
 	b, _ := json.Marshal(t)
 	return string(b)
 }
--- a/listener/config/tun.go
+++ b/listener/config/tun.go
@@ -17,39 +17,40 @@ type Tun struct {
 	AutoRoute           bool       `yaml:"auto-route" json:"auto-route"`
 	AutoDetectInterface bool       `yaml:"auto-detect-interface" json:"auto-detect-interface"`
-	MTU                    uint32         `yaml:"mtu" json:"mtu,omitempty"`
+	MTU                                   uint32         `yaml:"mtu" json:"mtu,omitempty"`
-	GSO                    bool           `yaml:"gso" json:"gso,omitempty"`
+	GSO                                   bool           `yaml:"gso" json:"gso,omitempty"`
-	GSOMaxSize             uint32         `yaml:"gso-max-size" json:"gso-max-size,omitempty"`
+	GSOMaxSize                            uint32         `yaml:"gso-max-size" json:"gso-max-size,omitempty"`
-	Inet4Address           []netip.Prefix `yaml:"inet4-address" json:"inet4-address,omitempty"`
+	Inet4Address                          []netip.Prefix `yaml:"inet4-address" json:"inet4-address,omitempty"`
-	Inet6Address           []netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"`
+	Inet6Address                          []netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"`
-	IPRoute2TableIndex     int            `yaml:"iproute2-table-index" json:"iproute2-table-index,omitempty"`
+	IPRoute2TableIndex                    int            `yaml:"iproute2-table-index" json:"iproute2-table-index,omitempty"`
-	IPRoute2RuleIndex      int            `yaml:"iproute2-rule-index" json:"iproute2-rule-index,omitempty"`
+	IPRoute2RuleIndex                     int            `yaml:"iproute2-rule-index" json:"iproute2-rule-index,omitempty"`
-	AutoRedirect           bool           `yaml:"auto-redirect" json:"auto-redirect,omitempty"`
+	AutoRedirect                          bool           `yaml:"auto-redirect" json:"auto-redirect,omitempty"`
-	AutoRedirectInputMark  uint32         `yaml:"auto-redirect-input-mark" json:"auto-redirect-input-mark,omitempty"`
+	AutoRedirectInputMark                 uint32         `yaml:"auto-redirect-input-mark" json:"auto-redirect-input-mark,omitempty"`
-	AutoRedirectOutputMark uint32         `yaml:"auto-redirect-output-mark" json:"auto-redirect-output-mark,omitempty"`
+	AutoRedirectOutputMark                uint32         `yaml:"auto-redirect-output-mark" json:"auto-redirect-output-mark,omitempty"`
-	LoopbackAddress        []netip.Addr   `yaml:"loopback-address" json:"loopback-address,omitempty"`
+	AutoRedirectIPRoute2FallbackRuleIndex int            `yaml:"auto-redirect-iproute2-fallback-rule-index" json:"auto-redirect-iproute2-fallback-rule-index,omitempty"`
-	StrictRoute            bool           `yaml:"strict-route" json:"strict-route,omitempty"`
+	LoopbackAddress                       []netip.Addr   `yaml:"loopback-address" json:"loopback-address,omitempty"`
-	RouteAddress           []netip.Prefix `yaml:"route-address" json:"route-address,omitempty"`
+	StrictRoute                           bool           `yaml:"strict-route" json:"strict-route,omitempty"`
-	RouteAddressSet        []string       `yaml:"route-address-set" json:"route-address-set,omitempty"`
+	RouteAddress                          []netip.Prefix `yaml:"route-address" json:"route-address,omitempty"`
-	RouteExcludeAddress    []netip.Prefix `yaml:"route-exclude-address" json:"route-exclude-address,omitempty"`
+	RouteAddressSet                       []string       `yaml:"route-address-set" json:"route-address-set,omitempty"`
-	RouteExcludeAddressSet []string       `yaml:"route-exclude-address-set" json:"route-exclude-address-set,omitempty"`
+	RouteExcludeAddress                   []netip.Prefix `yaml:"route-exclude-address" json:"route-exclude-address,omitempty"`
-	IncludeInterface       []string       `yaml:"include-interface" json:"include-interface,omitempty"`
+	RouteExcludeAddressSet                []string       `yaml:"route-exclude-address-set" json:"route-exclude-address-set,omitempty"`
-	ExcludeInterface       []string       `yaml:"exclude-interface" json:"exclude-interface,omitempty"`
+	IncludeInterface                      []string       `yaml:"include-interface" json:"include-interface,omitempty"`
-	IncludeUID             []uint32       `yaml:"include-uid" json:"include-uid,omitempty"`
+	ExcludeInterface                      []string       `yaml:"exclude-interface" json:"exclude-interface,omitempty"`
-	IncludeUIDRange        []string       `yaml:"include-uid-range" json:"include-uid-range,omitempty"`
+	IncludeUID                            []uint32       `yaml:"include-uid" json:"include-uid,omitempty"`
-	ExcludeUID             []uint32       `yaml:"exclude-uid" json:"exclude-uid,omitempty"`
+	IncludeUIDRange                       []string       `yaml:"include-uid-range" json:"include-uid-range,omitempty"`
-	ExcludeUIDRange        []string       `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"`
+	ExcludeUID                            []uint32       `yaml:"exclude-uid" json:"exclude-uid,omitempty"`
-	ExcludeSrcPort         []uint16       `yaml:"exclude-src-port" json:"exclude-src-port,omitempty"`
+	ExcludeUIDRange                       []string       `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"`
-	ExcludeSrcPortRange    []string       `yaml:"exclude-src-port-range" json:"exclude-src-port-range,omitempty"`
+	ExcludeSrcPort                        []uint16       `yaml:"exclude-src-port" json:"exclude-src-port,omitempty"`
-	ExcludeDstPort         []uint16       `yaml:"exclude-dst-port" json:"exclude-dst-port,omitempty"`
+	ExcludeSrcPortRange                   []string       `yaml:"exclude-src-port-range" json:"exclude-src-port-range,omitempty"`
-	ExcludeDstPortRange    []string       `yaml:"exclude-dst-port-range" json:"exclude-dst-port-range,omitempty"`
+	ExcludeDstPort                        []uint16       `yaml:"exclude-dst-port" json:"exclude-dst-port,omitempty"`
-	IncludeAndroidUser     []int          `yaml:"include-android-user" json:"include-android-user,omitempty"`
+	ExcludeDstPortRange                   []string       `yaml:"exclude-dst-port-range" json:"exclude-dst-port-range,omitempty"`
-	IncludePackage         []string       `yaml:"include-package" json:"include-package,omitempty"`
+	IncludeAndroidUser                    []int          `yaml:"include-android-user" json:"include-android-user,omitempty"`
-	ExcludePackage         []string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
+	IncludePackage                        []string       `yaml:"include-package" json:"include-package,omitempty"`
-	EndpointIndependentNat bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
+	ExcludePackage                        []string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
-	UDPTimeout             int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
+	EndpointIndependentNat                bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
-	DisableICMPForwarding  bool           `yaml:"disable-icmp-forwarding" json:"disable-icmp-forwarding,omitempty"`
+	UDPTimeout                            int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
-	FileDescriptor         int            `yaml:"file-descriptor" json:"file-descriptor"`
+	DisableICMPForwarding                 bool           `yaml:"disable-icmp-forwarding" json:"disable-icmp-forwarding,omitempty"`
 	FileDescriptor                        int            `yaml:"file-descriptor" json:"file-descriptor"`
 	Inet4RouteAddress        []netip.Prefix `yaml:"inet4-route-address" json:"inet4-route-address,omitempty"`
 	Inet6RouteAddress        []netip.Prefix `yaml:"inet6-route-address" json:"inet6-route-address,omitempty"`
@@ -136,6 +137,9 @@ func (t *Tun) Equal(other Tun) bool {
 	if t.AutoRedirectOutputMark != other.AutoRedirectOutputMark {
 		return false
 	}
 	if t.AutoRedirectIPRoute2FallbackRuleIndex != other.AutoRedirectIPRoute2FallbackRuleIndex {
 		return false
 	}
 	if !slices.Equal(t.RouteAddress, other.RouteAddress) {
 		return false
 	}
--- a/listener/inbound/kcptun.go
+++ b/listener/inbound/kcptun.go
@@ -14,6 +14,7 @@ type KcpTun struct {
 	AutoExpire   int    `inbound:"autoexpire,omitempty"`
 	ScavengeTTL  int    `inbound:"scavengettl,omitempty"`
 	MTU          int    `inbound:"mtu,omitempty"`
 	RateLimit    int    `inbound:"ratelimit,omitempty"`
 	SndWnd       int    `inbound:"sndwnd,omitempty"`
 	RcvWnd       int    `inbound:"rcvwnd,omitempty"`
 	DataShard    int    `inbound:"datashard,omitempty"`
@@ -28,6 +29,7 @@ type KcpTun struct {
 	SockBuf      int    `inbound:"sockbuf,omitempty"`
 	SmuxVer      int    `inbound:"smuxver,omitempty"`
 	SmuxBuf      int    `inbound:"smuxbuf,omitempty"`
 	FrameSize    int    `inbound:"framesize,omitempty"`
 	StreamBuf    int    `inbound:"streambuf,omitempty"`
 	KeepAlive    int    `inbound:"keepalive,omitempty"`
 }
@@ -43,6 +45,7 @@ func (c KcpTun) Build() LC.KcpTun {
 			AutoExpire:   c.AutoExpire,
 			ScavengeTTL:  c.ScavengeTTL,
 			MTU:          c.MTU,
 			RateLimit:    c.RateLimit,
 			SndWnd:       c.SndWnd,
 			RcvWnd:       c.RcvWnd,
 			DataShard:    c.DataShard,
@@ -57,6 +60,7 @@ func (c KcpTun) Build() LC.KcpTun {
 			SockBuf:      c.SockBuf,
 			SmuxVer:      c.SmuxVer,
 			SmuxBuf:      c.SmuxBuf,
 			FrameSize:    c.FrameSize,
 			StreamBuf:    c.StreamBuf,
 			KeepAlive:    c.KeepAlive,
 		},
--- a/listener/inbound/mieru.go
+++ b/listener/inbound/mieru.go
@@ -14,6 +14,7 @@ import (
 	"google.golang.org/protobuf/proto"
 	mieruserver "github.com/enfein/mieru/v3/apis/server"
 	mierutp "github.com/enfein/mieru/v3/apis/trafficpattern"
 	mierupb "github.com/enfein/mieru/v3/pkg/appctl/appctlpb"
 )
@@ -26,8 +27,9 @@ type Mieru struct {
 type MieruOption struct {
 	BaseOption
-	Transport string            `inbound:"transport"`
+	Transport      string            `inbound:"transport"`
-	Users     map[string]string `inbound:"users"`
+	Users          map[string]string `inbound:"users"`
 	TrafficPattern string            `inbound:"traffic-pattern"`
 }
 type mieruListenerFactory struct{}
@@ -154,10 +156,13 @@ func buildMieruServerConfig(option *MieruOption, ports utils.IntRanges[uint16])
 			Password: proto.String(password),
 		})
 	}
 	var trafficPattern *mierupb.TrafficPattern
 	trafficPattern, _ = mierutp.Decode(option.TrafficPattern)
 	return &mieruserver.ServerConfig{
 		Config: &mierupb.ServerConfig{
-			PortBindings: portBindings,
+			PortBindings:   portBindings,
-			Users:        users,
+			Users:          users,
 			TrafficPattern: trafficPattern,
 		},
 		StreamListenerFactory: mieruListenerFactory{},
 		PacketListenerFactory: mieruListenerFactory{},
@@ -179,5 +184,14 @@ func validateMieruOption(option *MieruOption) error {
 			return fmt.Errorf("password is empty")
 		}
 	}
 	if option.TrafficPattern != "" {
 		trafficPattern, err := mierutp.Decode(option.TrafficPattern)
 		if err != nil {
 			return fmt.Errorf("failed to decode traffic pattern %q: %w", option.TrafficPattern, err)
 		}
 		if err := mierutp.Validate(trafficPattern); err != nil {
 			return fmt.Errorf("invalid traffic pattern %q: %w", option.TrafficPattern, err)
 		}
 	}
 	return nil
 }
--- a/listener/inbound/mieru_test.go
+++ b/listener/inbound/mieru_test.go
@@ -61,6 +61,20 @@ func TestNewMieru(t *testing.T) {
 			},
 			wantErr: false,
 		},
 		{
 			name: "valid traffic pattern",
 			args: args{
 				option: &inbound.MieruOption{
 					BaseOption: inbound.BaseOption{
 						Port: "8080",
 					},
 					Transport:      "TCP",
 					Users:          map[string]string{"user": "pass"},
 					TrafficPattern: "GgQIARAK",
 				},
 			},
 			wantErr: false,
 		},
 		{
 			name: "invalid - no port",
 			args: args{
@@ -135,6 +149,20 @@ func TestNewMieru(t *testing.T) {
 			},
 			wantErr: true,
 		},
 		{
 			name: "invalid traffic pattern",
 			args: args{
 				option: &inbound.MieruOption{
 					BaseOption: inbound.BaseOption{
 						Port: "8080",
 					},
 					Transport:      "TCP",
 					Users:          map[string]string{"user": "pass"},
 					TrafficPattern: "1212ababXYYX",
 				},
 			},
 			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/listener/inbound/sudoku.go
+++ b/listener/inbound/sudoku.go
@@ -24,6 +24,7 @@ type SudokuOption struct {
 	CustomTables           []string `inbound:"custom-tables,omitempty"`
 	DisableHTTPMask        bool     `inbound:"disable-http-mask,omitempty"`
 	HTTPMaskMode           string   `inbound:"http-mask-mode,omitempty"` // "legacy" (default), "stream", "poll", "auto"
 	PathRoot               string   `inbound:"path-root,omitempty"`      // optional first-level path prefix for HTTP tunnel endpoints
 	// mihomo private extension (not the part of standard Sudoku protocol)
 	MuxOption MuxOption `inbound:"mux-option,omitempty"`
@@ -63,6 +64,7 @@ func NewSudoku(options *SudokuOption) (*Sudoku, error) {
 		CustomTables:           options.CustomTables,
 		DisableHTTPMask:        options.DisableHTTPMask,
 		HTTPMaskMode:           options.HTTPMaskMode,
 		PathRoot:               strings.TrimSpace(options.PathRoot),
 	}
 	serverConf.MuxOption = options.MuxOption.Build()
--- a/listener/inbound/sudoku_test.go
+++ b/listener/inbound/sudoku_test.go
@@ -2,7 +2,6 @@ package inbound_test
 import (
 	"net/netip"
 	"runtime"
 	"testing"
 	"github.com/metacubex/mihomo/adapter/outbound"
@@ -167,10 +166,6 @@ func TestInboundSudoku_CustomTable(t *testing.T) {
 }
 func TestInboundSudoku_HTTPMaskMode(t *testing.T) {
 	if runtime.GOOS == "windows" {
 		t.Skip("temporarily skipped on windows due to intermittent failures; tracked in PR")
 	}
 	key := "test_key_http_mask_mode"
 	for _, mode := range []string{"legacy", "stream", "poll", "auto"} {
--- a/listener/inbound/trusttunnel.go
+++ b/listener/inbound/trusttunnel.go
@@ -0,0 +1,96 @@
 package inbound
 import (
 	"strings"
 	C "github.com/metacubex/mihomo/constant"
 	LC "github.com/metacubex/mihomo/listener/config"
 	"github.com/metacubex/mihomo/listener/trusttunnel"
 	"github.com/metacubex/mihomo/log"
 )
 type TrustTunnelOption struct {
 	BaseOption
 	Users                AuthUsers `inbound:"users,omitempty"`
 	Certificate          string    `inbound:"certificate"`
 	PrivateKey           string    `inbound:"private-key"`
 	ClientAuthType       string    `inbound:"client-auth-type,omitempty"`
 	ClientAuthCert       string    `inbound:"client-auth-cert,omitempty"`
 	EchKey               string    `inbound:"ech-key,omitempty"`
 	Network              []string  `inbound:"network,omitempty"`
 	CongestionController string    `inbound:"congestion-controller,omitempty"`
 	CWND                 int       `inbound:"cwnd,omitempty"`
 }
 func (o TrustTunnelOption) Equal(config C.InboundConfig) bool {
 	return optionToString(o) == optionToString(config)
 }
 type TrustTunnel struct {
 	*Base
 	config *TrustTunnelOption
 	l      C.MultiAddrListener
 	vs     LC.TrustTunnelServer
 }
 func NewTrustTunnel(options *TrustTunnelOption) (*TrustTunnel, error) {
 	base, err := NewBase(&options.BaseOption)
 	if err != nil {
 		return nil, err
 	}
 	users := make(map[string]string)
 	for _, user := range options.Users {
 		users[user.Username] = user.Password
 	}
 	return &TrustTunnel{
 		Base:   base,
 		config: options,
 		vs: LC.TrustTunnelServer{
 			Enable:               true,
 			Listen:               base.RawAddress(),
 			Users:                users,
 			Certificate:          options.Certificate,
 			PrivateKey:           options.PrivateKey,
 			ClientAuthType:       options.ClientAuthType,
 			ClientAuthCert:       options.ClientAuthCert,
 			EchKey:               options.EchKey,
 			Network:              options.Network,
 			CongestionController: options.CongestionController,
 			CWND:                 options.CWND,
 		},
 	}, nil
 }
 // Config implements constant.InboundListener
 func (v *TrustTunnel) Config() C.InboundConfig {
 	return v.config
 }
 // Address implements constant.InboundListener
 func (v *TrustTunnel) Address() string {
 	var addrList []string
 	if v.l != nil {
 		for _, addr := range v.l.AddrList() {
 			addrList = append(addrList, addr.String())
 		}
 	}
 	return strings.Join(addrList, ",")
 }
 // Listen implements constant.InboundListener
 func (v *TrustTunnel) Listen(tunnel C.Tunnel) error {
 	var err error
 	v.l, err = trusttunnel.New(v.vs, tunnel, v.Additions()...)
 	if err != nil {
 		return err
 	}
 	log.Infoln("TrustTunnel[%s] proxy listening at: %s", v.Name(), v.Address())
 	return nil
 }
 // Close implements constant.InboundListener
 func (v *TrustTunnel) Close() error {
 	return v.l.Close()
 }
 var _ C.InboundListener = (*TrustTunnel)(nil)
--- a/listener/inbound/trusttunnel_test.go
+++ b/listener/inbound/trusttunnel_test.go
@@ -0,0 +1,109 @@
 package inbound_test
 import (
 	"net/netip"
 	"testing"
 	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/listener/inbound"
 	"github.com/stretchr/testify/assert"
 )
 func testInboundTrustTunnel(t *testing.T, inboundOptions inbound.TrustTunnelOption, outboundOptions outbound.TrustTunnelOption) {
 	t.Parallel()
 	inboundOptions.BaseOption = inbound.BaseOption{
 		NameStr: "trusttunnel_inbound",
 		Listen:  "127.0.0.1",
 		Port:    "0",
 	}
 	inboundOptions.Users = []inbound.AuthUser{{Username: "test", Password: userUUID}}
 	in, err := inbound.NewTrustTunnel(&inboundOptions)
 	if !assert.NoError(t, err) {
 		return
 	}
 	tunnel := NewHttpTestTunnel()
 	defer tunnel.Close()
 	err = in.Listen(tunnel)
 	if !assert.NoError(t, err) {
 		return
 	}
 	defer in.Close()
 	addrPort, err := netip.ParseAddrPort(in.Address())
 	if !assert.NoError(t, err) {
 		return
 	}
 	outboundOptions.Name = "trusttunnel_outbound"
 	outboundOptions.Server = addrPort.Addr().String()
 	outboundOptions.Port = int(addrPort.Port())
 	outboundOptions.UserName = "test"
 	outboundOptions.Password = userUUID
 	out, err := outbound.NewTrustTunnel(outboundOptions)
 	if !assert.NoError(t, err) {
 		return
 	}
 	defer out.Close()
 	tunnel.DoTest(t, out)
 }
 func testInboundTrustTunnelTLS(t *testing.T, quic bool) {
 	inboundOptions := inbound.TrustTunnelOption{
 		Certificate: tlsCertificate,
 		PrivateKey:  tlsPrivateKey,
 	}
 	outboundOptions := outbound.TrustTunnelOption{
 		Fingerprint: tlsFingerprint,
 		HealthCheck: true,
 	}
 	if quic {
 		inboundOptions.Network = []string{"udp"}
 		inboundOptions.CongestionController = "bbr"
 		outboundOptions.Quic = true
 	}
 	testInboundTrustTunnel(t, inboundOptions, outboundOptions)
 	t.Run("ECH", func(t *testing.T) {
 		inboundOptions := inboundOptions
 		outboundOptions := outboundOptions
 		inboundOptions.EchKey = echKeyPem
 		outboundOptions.ECHOpts = outbound.ECHOptions{
 			Enable: true,
 			Config: echConfigBase64,
 		}
 		testInboundTrustTunnel(t, inboundOptions, outboundOptions)
 	})
 	t.Run("mTLS", func(t *testing.T) {
 		inboundOptions := inboundOptions
 		outboundOptions := outboundOptions
 		inboundOptions.ClientAuthCert = tlsAuthCertificate
 		outboundOptions.Certificate = tlsAuthCertificate
 		outboundOptions.PrivateKey = tlsAuthPrivateKey
 		testInboundTrustTunnel(t, inboundOptions, outboundOptions)
 	})
 	t.Run("mTLS+ECH", func(t *testing.T) {
 		inboundOptions := inboundOptions
 		outboundOptions := outboundOptions
 		inboundOptions.ClientAuthCert = tlsAuthCertificate
 		outboundOptions.Certificate = tlsAuthCertificate
 		outboundOptions.PrivateKey = tlsAuthPrivateKey
 		inboundOptions.EchKey = echKeyPem
 		outboundOptions.ECHOpts = outbound.ECHOptions{
 			Enable: true,
 			Config: echConfigBase64,
 		}
 		testInboundTrustTunnel(t, inboundOptions, outboundOptions)
 	})
 }
 func TestInboundTrustTunnel_H2(t *testing.T) {
 	testInboundTrustTunnelTLS(t, true)
 }
 func TestInboundTrustTunnel_QUIC(t *testing.T) {
 	testInboundTrustTunnelTLS(t, true)
 }
--- a/listener/inbound/tun.go
+++ b/listener/inbound/tun.go
@@ -18,39 +18,40 @@ type TunOption struct {
 	AutoRoute           bool       `inbound:"auto-route,omitempty"`
 	AutoDetectInterface bool       `inbound:"auto-detect-interface,omitempty"`
-	MTU                    uint32         `inbound:"mtu,omitempty"`
+	MTU                                   uint32         `inbound:"mtu,omitempty"`
-	GSO                    bool           `inbound:"gso,omitempty"`
+	GSO                                   bool           `inbound:"gso,omitempty"`
-	GSOMaxSize             uint32         `inbound:"gso-max-size,omitempty"`
+	GSOMaxSize                            uint32         `inbound:"gso-max-size,omitempty"`
-	Inet4Address           []netip.Prefix `inbound:"inet4-address,omitempty"`
+	Inet4Address                          []netip.Prefix `inbound:"inet4-address,omitempty"`
-	Inet6Address           []netip.Prefix `inbound:"inet6-address,omitempty"`
+	Inet6Address                          []netip.Prefix `inbound:"inet6-address,omitempty"`
-	IPRoute2TableIndex     int            `inbound:"iproute2-table-index,omitempty"`
+	IPRoute2TableIndex                    int            `inbound:"iproute2-table-index,omitempty"`
-	IPRoute2RuleIndex      int            `inbound:"iproute2-rule-index,omitempty"`
+	IPRoute2RuleIndex                     int            `inbound:"iproute2-rule-index,omitempty"`
-	AutoRedirect           bool           `inbound:"auto-redirect,omitempty"`
+	AutoRedirect                          bool           `inbound:"auto-redirect,omitempty"`
-	AutoRedirectInputMark  uint32         `inbound:"auto-redirect-input-mark,omitempty"`
+	AutoRedirectInputMark                 uint32         `inbound:"auto-redirect-input-mark,omitempty"`
-	AutoRedirectOutputMark uint32         `inbound:"auto-redirect-output-mark,omitempty"`
+	AutoRedirectOutputMark                uint32         `inbound:"auto-redirect-output-mark,omitempty"`
-	LoopbackAddress        []netip.Addr   `inbound:"loopback-address,omitempty"`
+	AutoRedirectIPRoute2FallbackRuleIndex int            `inbound:"auto-redirect-iproute2-fallback-rule-index,omitempty"`
-	StrictRoute            bool           `inbound:"strict-route,omitempty"`
+	LoopbackAddress                       []netip.Addr   `inbound:"loopback-address,omitempty"`
-	RouteAddress           []netip.Prefix `inbound:"route-address,omitempty"`
+	StrictRoute                           bool           `inbound:"strict-route,omitempty"`
-	RouteAddressSet        []string       `inbound:"route-address-set,omitempty"`
+	RouteAddress                          []netip.Prefix `inbound:"route-address,omitempty"`
-	RouteExcludeAddress    []netip.Prefix `inbound:"route-exclude-address,omitempty"`
+	RouteAddressSet                       []string       `inbound:"route-address-set,omitempty"`
-	RouteExcludeAddressSet []string       `inbound:"route-exclude-address-set,omitempty"`
+	RouteExcludeAddress                   []netip.Prefix `inbound:"route-exclude-address,omitempty"`
-	IncludeInterface       []string       `inbound:"include-interface,omitempty"`
+	RouteExcludeAddressSet                []string       `inbound:"route-exclude-address-set,omitempty"`
-	ExcludeInterface       []string       `inbound:"exclude-interface,omitempty"`
+	IncludeInterface                      []string       `inbound:"include-interface,omitempty"`
-	IncludeUID             []uint32       `inbound:"include-uid,omitempty"`
+	ExcludeInterface                      []string       `inbound:"exclude-interface,omitempty"`
-	IncludeUIDRange        []string       `inbound:"include-uid-range,omitempty"`
+	IncludeUID                            []uint32       `inbound:"include-uid,omitempty"`
-	ExcludeUID             []uint32       `inbound:"exclude-uid,omitempty"`
+	IncludeUIDRange                       []string       `inbound:"include-uid-range,omitempty"`
-	ExcludeUIDRange        []string       `inbound:"exclude-uid-range,omitempty"`
+	ExcludeUID                            []uint32       `inbound:"exclude-uid,omitempty"`
-	ExcludeSrcPort         []uint16       `inbound:"exclude-src-port,omitempty"`
+	ExcludeUIDRange                       []string       `inbound:"exclude-uid-range,omitempty"`
-	ExcludeSrcPortRange    []string       `inbound:"exclude-src-port-range,omitempty"`
+	ExcludeSrcPort                        []uint16       `inbound:"exclude-src-port,omitempty"`
-	ExcludeDstPort         []uint16       `inbound:"exclude-dst-port,omitempty"`
+	ExcludeSrcPortRange                   []string       `inbound:"exclude-src-port-range,omitempty"`
-	ExcludeDstPortRange    []string       `inbound:"exclude-dst-port-range,omitempty"`
+	ExcludeDstPort                        []uint16       `inbound:"exclude-dst-port,omitempty"`
-	IncludeAndroidUser     []int          `inbound:"include-android-user,omitempty"`
+	ExcludeDstPortRange                   []string       `inbound:"exclude-dst-port-range,omitempty"`
-	IncludePackage         []string       `inbound:"include-package,omitempty"`
+	IncludeAndroidUser                    []int          `inbound:"include-android-user,omitempty"`
-	ExcludePackage         []string       `inbound:"exclude-package,omitempty"`
+	IncludePackage                        []string       `inbound:"include-package,omitempty"`
-	EndpointIndependentNat bool           `inbound:"endpoint-independent-nat,omitempty"`
+	ExcludePackage                        []string       `inbound:"exclude-package,omitempty"`
-	UDPTimeout             int64          `inbound:"udp-timeout,omitempty"`
+	EndpointIndependentNat                bool           `inbound:"endpoint-independent-nat,omitempty"`
-	DisableICMPForwarding  bool           `inbound:"disable-icmp-forwarding,omitempty"`
+	UDPTimeout                            int64          `inbound:"udp-timeout,omitempty"`
-	FileDescriptor         int            `inbound:"file-descriptor,omitempty"`
+	DisableICMPForwarding                 bool           `inbound:"disable-icmp-forwarding,omitempty"`
 	FileDescriptor                        int            `inbound:"file-descriptor,omitempty"`
 	Inet4RouteAddress        []netip.Prefix `inbound:"inet4-route-address,omitempty"`
 	Inet6RouteAddress        []netip.Prefix `inbound:"inet6-route-address,omitempty"`
@@ -86,45 +87,46 @@ func NewTun(options *TunOption) (*Tun, error) {
 		Base:   base,
 		config: options,
 		tun: LC.Tun{
-			Enable:                 true,
+			Enable:                                true,
-			Device:                 options.Device,
+			Device:                                options.Device,
-			Stack:                  options.Stack,
+			Stack:                                 options.Stack,
-			DNSHijack:              options.DNSHijack,
+			DNSHijack:                             options.DNSHijack,
-			AutoRoute:              options.AutoRoute,
+			AutoRoute:                             options.AutoRoute,
-			AutoDetectInterface:    options.AutoDetectInterface,
+			AutoDetectInterface:                   options.AutoDetectInterface,
-			MTU:                    options.MTU,
+			MTU:                                   options.MTU,
-			GSO:                    options.GSO,
+			GSO:                                   options.GSO,
-			GSOMaxSize:             options.GSOMaxSize,
+			GSOMaxSize:                            options.GSOMaxSize,
-			Inet4Address:           options.Inet4Address,
+			Inet4Address:                          options.Inet4Address,
-			Inet6Address:           options.Inet6Address,
+			Inet6Address:                          options.Inet6Address,
-			IPRoute2TableIndex:     options.IPRoute2TableIndex,
+			IPRoute2TableIndex:                    options.IPRoute2TableIndex,
-			IPRoute2RuleIndex:      options.IPRoute2RuleIndex,
+			IPRoute2RuleIndex:                     options.IPRoute2RuleIndex,
-			AutoRedirect:           options.AutoRedirect,
+			AutoRedirect:                          options.AutoRedirect,
-			AutoRedirectInputMark:  options.AutoRedirectInputMark,
+			AutoRedirectInputMark:                 options.AutoRedirectInputMark,
-			AutoRedirectOutputMark: options.AutoRedirectOutputMark,
+			AutoRedirectOutputMark:                options.AutoRedirectOutputMark,
-			LoopbackAddress:        options.LoopbackAddress,
+			AutoRedirectIPRoute2FallbackRuleIndex: options.AutoRedirectIPRoute2FallbackRuleIndex,
-			StrictRoute:            options.StrictRoute,
+			LoopbackAddress:                       options.LoopbackAddress,
-			RouteAddress:           options.RouteAddress,
+			StrictRoute:                           options.StrictRoute,
-			RouteAddressSet:        options.RouteAddressSet,
+			RouteAddress:                          options.RouteAddress,
-			RouteExcludeAddress:    options.RouteExcludeAddress,
+			RouteAddressSet:                       options.RouteAddressSet,
-			RouteExcludeAddressSet: options.RouteExcludeAddressSet,
+			RouteExcludeAddress:                   options.RouteExcludeAddress,
-			IncludeInterface:       options.IncludeInterface,
+			RouteExcludeAddressSet:                options.RouteExcludeAddressSet,
-			ExcludeInterface:       options.ExcludeInterface,
+			IncludeInterface:                      options.IncludeInterface,
-			IncludeUID:             options.IncludeUID,
+			ExcludeInterface:                      options.ExcludeInterface,
-			IncludeUIDRange:        options.IncludeUIDRange,
+			IncludeUID:                            options.IncludeUID,
-			ExcludeUID:             options.ExcludeUID,
+			IncludeUIDRange:                       options.IncludeUIDRange,
-			ExcludeUIDRange:        options.ExcludeUIDRange,
+			ExcludeUID:                            options.ExcludeUID,
-			ExcludeSrcPort:         options.ExcludeSrcPort,
+			ExcludeUIDRange:                       options.ExcludeUIDRange,
-			ExcludeSrcPortRange:    options.ExcludeSrcPortRange,
+			ExcludeSrcPort:                        options.ExcludeSrcPort,
-			ExcludeDstPort:         options.ExcludeDstPort,
+			ExcludeSrcPortRange:                   options.ExcludeSrcPortRange,
-			ExcludeDstPortRange:    options.ExcludeDstPortRange,
+			ExcludeDstPort:                        options.ExcludeDstPort,
-			IncludeAndroidUser:     options.IncludeAndroidUser,
+			ExcludeDstPortRange:                   options.ExcludeDstPortRange,
-			IncludePackage:         options.IncludePackage,
+			IncludeAndroidUser:                    options.IncludeAndroidUser,
-			ExcludePackage:         options.ExcludePackage,
+			IncludePackage:                        options.IncludePackage,
-			EndpointIndependentNat: options.EndpointIndependentNat,
+			ExcludePackage:                        options.ExcludePackage,
-			UDPTimeout:             options.UDPTimeout,
+			EndpointIndependentNat:                options.EndpointIndependentNat,
-			DisableICMPForwarding:  options.DisableICMPForwarding,
+			UDPTimeout:                            options.UDPTimeout,
-			FileDescriptor:         options.FileDescriptor,
+			DisableICMPForwarding:                 options.DisableICMPForwarding,
 			FileDescriptor:                        options.FileDescriptor,
 			Inet4RouteAddress:        options.Inet4RouteAddress,
 			Inet6RouteAddress:        options.Inet6RouteAddress,
--- a/listener/inbound/vmess.go
+++ b/listener/inbound/vmess.go
@@ -26,7 +26,7 @@ type VmessOption struct {
 type VmessUser struct {
 	Username string `inbound:"username,omitempty"`
 	UUID     string `inbound:"uuid"`
-	AlterID  int    `inbound:"alterId"`
+	AlterID  int    `inbound:"alterId,omitempty"`
 }
 func (o VmessOption) Equal(config C.InboundConfig) bool {
--- a/listener/parse.go
+++ b/listener/parse.go
@@ -141,6 +141,13 @@ func ParseListener(mapping map[string]any) (C.InboundListener, error) {
 			return nil, err
 		}
 		listener, err = IN.NewSudoku(sudokuOption)
 	case "trusttunnel":
 		trusttunnelOption := &IN.TrustTunnelOption{}
 		err = decoder.Decode(mapping, trusttunnelOption)
 		if err != nil {
 			return nil, err
 		}
 		listener, err = IN.NewTrustTunnel(trusttunnelOption)
 	default:
 		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)
 	}
--- a/listener/sing_hysteria2/server.go
+++ b/listener/sing_hysteria2/server.go
@@ -7,6 +7,7 @@ import (
 	"net"
 	"net/url"
 	"strings"
 	"time"
 	"github.com/metacubex/mihomo/adapter/inbound"
 	"github.com/metacubex/mihomo/adapter/outbound"
@@ -15,6 +16,7 @@ import (
 	"github.com/metacubex/mihomo/component/ech"
 	C "github.com/metacubex/mihomo/constant"
 	LC "github.com/metacubex/mihomo/listener/config"
 	"github.com/metacubex/mihomo/listener/inner"
 	"github.com/metacubex/mihomo/listener/sing"
 	"github.com/metacubex/mihomo/log"
 	"github.com/metacubex/mihomo/ntp"
@@ -123,6 +125,21 @@ func New(config LC.Hysteria2Server, tunnel C.Tunnel, additions ...inbound.Additi
 				ErrorHandler: func(w http.ResponseWriter, r *http.Request, err error) {
 					w.WriteHeader(http.StatusBadGateway)
 				},
 				Transport: &http.Transport{
 					// fellow hysteria2's code skip verify
 					TLSClientConfig: &tls.Config{
 						InsecureSkipVerify: true,
 					},
 					// from http.DefaultTransport
 					ForceAttemptHTTP2:     true,
 					MaxIdleConns:          100,
 					IdleConnTimeout:       90 * time.Second,
 					TLSHandshakeTimeout:   10 * time.Second,
 					ExpectContinueTimeout: 1 * time.Second,
 					DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
 						return inner.HandleTcp(tunnel, address, "")
 					},
 				},
 			}
 		default:
 			return nil, E.New("unknown masquerade URL scheme: ", masqueradeURL.Scheme)
--- a/listener/sing_tun/server.go
+++ b/listener/sing_tun/server.go
@@ -153,6 +153,13 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 		tunName = CalculateInterfaceName(InterfaceName)
 		options.Device = tunName
 	}
 	forwarderBindInterface := false
 	if options.FileDescriptor > 0 {
 		if tunnelName, err := getTunnelName(int32(options.FileDescriptor)); err != nil {
 			tunName = tunnelName // sing-tun must have the truth tun interface name even it from a fd
 			forwarderBindInterface = true
 		}
 	}
 	routeAddress := options.RouteAddress
 	if len(options.Inet4RouteAddress) > 0 {
 		routeAddress = append(routeAddress, options.Inet4RouteAddress...)
@@ -197,6 +204,10 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 	if ruleIndex == 0 {
 		ruleIndex = tun.DefaultIPRoute2RuleIndex
 	}
 	autoRedirectFallbackRuleIndex := options.AutoRedirectIPRoute2FallbackRuleIndex
 	if autoRedirectFallbackRuleIndex == 0 {
 		autoRedirectFallbackRuleIndex = tun.DefaultIPRoute2AutoRedirectFallbackRuleIndex
 	}
 	inputMark := options.AutoRedirectInputMark
 	if inputMark == 0 {
 		inputMark = tun.DefaultAutoRedirectInputMark
@@ -349,36 +360,37 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 	}
 	tunOptions := tun.Options{
-		Name:                     tunName,
+		Name:                                  tunName,
-		MTU:                      tunMTU,
+		MTU:                                   tunMTU,
-		GSO:                      options.GSO,
+		GSO:                                   options.GSO,
-		Inet4Address:             options.Inet4Address,
+		Inet4Address:                          options.Inet4Address,
-		Inet6Address:             options.Inet6Address,
+		Inet6Address:                          options.Inet6Address,
-		AutoRoute:                options.AutoRoute,
+		AutoRoute:                             options.AutoRoute,
-		IPRoute2TableIndex:       tableIndex,
+		IPRoute2TableIndex:                    tableIndex,
-		IPRoute2RuleIndex:        ruleIndex,
+		IPRoute2RuleIndex:                     ruleIndex,
-		AutoRedirectInputMark:    inputMark,
+		IPRoute2AutoRedirectFallbackRuleIndex: autoRedirectFallbackRuleIndex,
-		AutoRedirectOutputMark:   outputMark,
+		AutoRedirectInputMark:                 inputMark,
-		Inet4LoopbackAddress:     common.Filter(options.LoopbackAddress, netip.Addr.Is4),
+		AutoRedirectOutputMark:                outputMark,
-		Inet6LoopbackAddress:     common.Filter(options.LoopbackAddress, netip.Addr.Is6),
+		Inet4LoopbackAddress:                  common.Filter(options.LoopbackAddress, netip.Addr.Is4),
-		StrictRoute:              options.StrictRoute,
+		Inet6LoopbackAddress:                  common.Filter(options.LoopbackAddress, netip.Addr.Is6),
-		Inet4RouteAddress:        inet4RouteAddress,
+		StrictRoute:                           options.StrictRoute,
-		Inet6RouteAddress:        inet6RouteAddress,
+		Inet4RouteAddress:                     inet4RouteAddress,
-		Inet4RouteExcludeAddress: inet4RouteExcludeAddress,
+		Inet6RouteAddress:                     inet6RouteAddress,
-		Inet6RouteExcludeAddress: inet6RouteExcludeAddress,
+		Inet4RouteExcludeAddress:              inet4RouteExcludeAddress,
-		IncludeInterface:         options.IncludeInterface,
+		Inet6RouteExcludeAddress:              inet6RouteExcludeAddress,
-		ExcludeInterface:         options.ExcludeInterface,
+		IncludeInterface:                      options.IncludeInterface,
-		IncludeUID:               includeUID,
+		ExcludeInterface:                      options.ExcludeInterface,
-		ExcludeUID:               excludeUID,
+		IncludeUID:                            includeUID,
-		ExcludeSrcPort:           excludeSrcPort,
+		ExcludeUID:                            excludeUID,
-		ExcludeDstPort:           excludeDstPort,
+		ExcludeSrcPort:                        excludeSrcPort,
-		IncludeAndroidUser:       options.IncludeAndroidUser,
+		ExcludeDstPort:                        excludeDstPort,
-		IncludePackage:           options.IncludePackage,
+		IncludeAndroidUser:                    options.IncludeAndroidUser,
-		ExcludePackage:           options.ExcludePackage,
+		IncludePackage:                        options.IncludePackage,
-		FileDescriptor:           options.FileDescriptor,
+		ExcludePackage:                        options.ExcludePackage,
-		InterfaceMonitor:         defaultInterfaceMonitor,
+		FileDescriptor:                        options.FileDescriptor,
-		EXP_RecvMsgX:             options.RecvMsgX,
+		InterfaceMonitor:                      defaultInterfaceMonitor,
-		EXP_SendMsgX:             options.SendMsgX,
+		EXP_RecvMsgX:                          options.RecvMsgX,
 		EXP_SendMsgX:                          options.SendMsgX,
 	}
 	if options.AutoRedirect {
@@ -454,16 +466,10 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 		UDPTimeout:             udpTimeout,
 		Handler:                handler,
 		Logger:                 log.SingLogger,
 		ForwarderBindInterface: forwarderBindInterface,
 		InterfaceFinder:        interfaceFinder,
 		EnforceBindInterface:   EnforceBindInterface,
 	}
 	if options.FileDescriptor > 0 {
 		if tunName, err := getTunnelName(int32(options.FileDescriptor)); err != nil {
 			stackOptions.TunOptions.Name = tunName
 			stackOptions.ForwarderBindInterface = true
 		}
 	}
 	l.tunIf = tunIf
 	tunStack, err := tun.NewStack(strings.ToLower(options.Stack.String()), stackOptions)
--- a/listener/sudoku/server.go
+++ b/listener/sudoku/server.go
@@ -7,6 +7,8 @@ import (
 	"strings"
 	"github.com/metacubex/mihomo/adapter/inbound"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/utils"
 	C "github.com/metacubex/mihomo/constant"
 	LC "github.com/metacubex/mihomo/listener/config"
 	"github.com/metacubex/mihomo/listener/sing"
@@ -78,6 +80,26 @@ func (l *Listener) handleConn(conn net.Conn, tunnel C.Tunnel, additions ...inbou
 	switch session.Type {
 	case sudoku.SessionTypeUoT:
 		l.handleUoTSession(session.Conn, tunnel, additions...)
 	case sudoku.SessionTypeMultiplex:
 		mux, err := sudoku.AcceptMultiplexServer(session.Conn)
 		if err != nil {
 			_ = session.Conn.Close()
 			return
 		}
 		defer mux.Close()
 		for {
 			stream, target, err := mux.AcceptTCP()
 			if err != nil {
 				return
 			}
 			targetAddr := socks5.ParseAddr(target)
 			if targetAddr == nil {
 				_ = stream.Close()
 				continue
 			}
 			go l.handler.HandleSocket(targetAddr, stream, additions...)
 		}
 	default:
 		targetAddr := socks5.ParseAddr(session.Target)
 		if targetAddr == nil {
@@ -92,6 +114,7 @@ func (l *Listener) handleConn(conn net.Conn, tunnel C.Tunnel, additions ...inbou
 func (l *Listener) handleUoTSession(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) {
 	writer := sudoku.NewUoTPacketConn(conn)
 	remoteAddr := conn.RemoteAddr()
 	connID := utils.NewUUIDV4().String() // make a new SNAT key
 	for {
 		addrStr, payload, err := sudoku.ReadDatagram(conn)
@@ -109,12 +132,13 @@ func (l *Listener) handleUoTSession(conn net.Conn, tunnel C.Tunnel, additions ..
 			continue
 		}
-		packet := &uotPacket{
+		cPacket := &uotPacket{
 			payload: payload,
 			writer:  writer,
 			rAddr:   remoteAddr,
 		}
-		tunnel.HandleUDPPacket(inbound.NewPacket(target, packet, C.SUDOKU, additions...))
+		cPacket.rAddr = N.NewCustomAddr(C.SUDOKU.String(), connID, cPacket.rAddr) // for tunnel's handleUDPConn
 		tunnel.HandleUDPPacket(inbound.NewPacket(target, cPacket, C.SUDOKU, additions...))
 	}
 }
@@ -209,6 +233,7 @@ func New(config LC.SudokuServer, tunnel C.Tunnel, additions ...inbound.Addition)
 		HandshakeTimeoutSeconds: handshakeTimeout,
 		DisableHTTPMask:         config.DisableHTTPMask,
 		HTTPMaskMode:            config.HTTPMaskMode,
 		HTTPMaskPathRoot:        strings.TrimSpace(config.PathRoot),
 	}
 	if len(tables) == 1 {
 		protoConf.Table = tables[0]
--- a/listener/trojan/server.go
+++ b/listener/trojan/server.go
@@ -7,6 +7,8 @@ import (
 	"strings"
 	"github.com/metacubex/mihomo/adapter/inbound"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/ech"
 	C "github.com/metacubex/mihomo/constant"
@@ -269,20 +271,25 @@ func (l *Listener) handleConn(inMux bool, conn net.Conn, tunnel C.Tunnel, additi
 		l.handler.HandleSocket(target, conn, additions...)
 	case trojan.CommandUDP:
 		pc := trojan.NewPacketConn(conn)
 		remoteAddr := conn.RemoteAddr()
 		connID := utils.NewUUIDV4().String() // make a new SNAT key
 		for {
-			data, put, remoteAddr, err := pc.WaitReadFrom()
+			data, put, addr, err := pc.WaitReadFrom()
 			if err != nil {
 				if put != nil {
 					put()
 				}
 				break
 			}
 			target := socks5.ParseAddrToSocksAddr(addr)
 			cPacket := &packet{
 				pc:      pc,
 				rAddr:   remoteAddr,
 				payload: data,
 				put:     put,
 			}
 			cPacket.rAddr = N.NewCustomAddr(C.TROJAN.String(), connID, cPacket.rAddr) // for tunnel's handleUDPConn
 			tunnel.HandleUDPPacket(inbound.NewPacket(target, cPacket, C.TROJAN, additions...))
 		}
--- a/listener/trusttunnel/server.go
+++ b/listener/trusttunnel/server.go
@@ -0,0 +1,188 @@
 package trusttunnel
 import (
 	"context"
 	"errors"
 	"net"
 	"strings"
 	"github.com/metacubex/mihomo/adapter/inbound"
 	"github.com/metacubex/mihomo/common/sockopt"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/ech"
 	C "github.com/metacubex/mihomo/constant"
 	LC "github.com/metacubex/mihomo/listener/config"
 	"github.com/metacubex/mihomo/listener/sing"
 	"github.com/metacubex/mihomo/log"
 	"github.com/metacubex/mihomo/ntp"
 	"github.com/metacubex/mihomo/transport/trusttunnel"
 	"github.com/metacubex/tls"
 )
 type Listener struct {
 	closed       bool
 	config       LC.TrustTunnelServer
 	listeners    []net.Listener
 	udpListeners []net.PacketConn
 	tlsConfig    *tls.Config
 	services     []*trusttunnel.Service
 }
 func New(config LC.TrustTunnelServer, tunnel C.Tunnel, additions ...inbound.Addition) (sl *Listener, err error) {
 	if len(additions) == 0 {
 		additions = []inbound.Addition{
 			inbound.WithInName("DEFAULT-TRUSTTUNNEL"),
 			inbound.WithSpecialRules(""),
 		}
 	}
 	tlsConfig := &tls.Config{Time: ntp.Now}
 	if config.Certificate != "" && config.PrivateKey != "" {
 		certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey)
 		if err != nil {
 			return nil, err
 		}
 		tlsConfig.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
 			return certLoader()
 		}
 		if config.EchKey != "" {
 			err = ech.LoadECHKey(config.EchKey, tlsConfig)
 			if err != nil {
 				return nil, err
 			}
 		}
 	}
 	tlsConfig.ClientAuth = ca.ClientAuthTypeFromString(config.ClientAuthType)
 	if len(config.ClientAuthCert) > 0 {
 		if tlsConfig.ClientAuth == tls.NoClientCert {
 			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 		}
 	}
 	if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven || tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert {
 		pool, err := ca.LoadCertificates(config.ClientAuthCert)
 		if err != nil {
 			return nil, err
 		}
 		tlsConfig.ClientCAs = pool
 	}
 	sl = &Listener{
 		config:    config,
 		tlsConfig: tlsConfig,
 	}
 	h, err := sing.NewListenerHandler(sing.ListenerConfig{
 		Tunnel:    tunnel,
 		Type:      C.TRUSTTUNNEL,
 		Additions: additions,
 	})
 	if err != nil {
 		return nil, err
 	}
 	if tlsConfig.GetCertificate == nil {
 		return nil, errors.New("disallow using TrustTunnel without certificates config")
 	}
 	if len(config.Network) == 0 {
 		config.Network = []string{"tcp"}
 	}
 	listenTCP, listenUDP := false, false
 	for _, network := range config.Network {
 		network = strings.ToLower(network)
 		switch {
 		case strings.HasPrefix(network, "tcp"):
 			listenTCP = true
 		case strings.HasPrefix(network, "udp"):
 			listenUDP = true
 		}
 	}
 	for _, addr := range strings.Split(config.Listen, ",") {
 		addr := addr
 		var (
 			tcpListener net.Listener
 			udpConn     net.PacketConn
 		)
 		if listenTCP {
 			tcpListener, err = inbound.Listen("tcp", addr)
 			if err != nil {
 				_ = sl.Close()
 				return nil, err
 			}
 			sl.listeners = append(sl.listeners, tcpListener)
 		}
 		if listenUDP {
 			udpConn, err = inbound.ListenPacket("udp", addr)
 			if err != nil {
 				_ = sl.Close()
 				return nil, err
 			}
 			if err := sockopt.UDPReuseaddr(udpConn); err != nil {
 				log.Warnln("Failed to Reuse UDP Address: %s", err)
 			}
 			sl.udpListeners = append(sl.udpListeners, udpConn)
 		}
 		service := trusttunnel.NewService(trusttunnel.ServiceOptions{
 			Ctx:                   context.Background(),
 			Logger:                log.SingLogger,
 			Handler:               h,
 			ICMPHandler:           nil,
 			QUICCongestionControl: config.CongestionController,
 			QUICCwnd:              config.CWND,
 		})
 		service.UpdateUsers(config.Users)
 		err = service.Start(tcpListener, udpConn, tlsConfig)
 		if err != nil {
 			_ = sl.Close()
 			return nil, err
 		}
 		sl.services = append(sl.services, service)
 	}
 	return sl, nil
 }
 func (l *Listener) Close() error {
 	l.closed = true
 	var retErr error
 	for _, lis := range l.services {
 		err := lis.Close()
 		if err != nil {
 			retErr = err
 		}
 	}
 	for _, lis := range l.listeners {
 		err := lis.Close()
 		if err != nil {
 			retErr = err
 		}
 	}
 	for _, lis := range l.udpListeners {
 		err := lis.Close()
 		if err != nil {
 			retErr = err
 		}
 	}
 	return retErr
 }
 func (l *Listener) Config() string {
 	return l.config.String()
 }
 func (l *Listener) AddrList() (addrList []net.Addr) {
 	for _, lis := range l.listeners {
 		addrList = append(addrList, lis.Addr())
 	}
 	for _, lis := range l.udpListeners {
 		addrList = append(addrList, lis.LocalAddr())
 	}
 	return
 }
--- a/rules/common/domain.go
+++ b/rules/common/domain.go
@@ -4,11 +4,10 @@ import (
 	"strings"
 	C "github.com/metacubex/mihomo/constant"
 	"golang.org/x/net/idna"
 )
 type Domain struct {
-	*Base
+	Base
 	domain  string
 	adapter string
 }
@@ -30,12 +29,11 @@ func (d *Domain) Payload() string {
 }
 func NewDomain(domain string, adapter string) *Domain {
 	punycode, _ := idna.ToASCII(strings.ToLower(domain))
 	return &Domain{
-		Base:    &Base{},
+		Base:    Base{},
-		domain:  punycode,
+		domain:  strings.ToLower(domain),
 		adapter: adapter,
 	}
 }
-//var _ C.Rule = (*Domain)(nil)
+var _ C.Rule = (*Domain)(nil)
--- a/rules/common/domain_keyword.go
+++ b/rules/common/domain_keyword.go
@@ -4,11 +4,10 @@ import (
 	"strings"
 	C "github.com/metacubex/mihomo/constant"
 	"golang.org/x/net/idna"
 )
 type DomainKeyword struct {
-	*Base
+	Base
 	keyword string
 	adapter string
 }
@@ -31,12 +30,11 @@ func (dk *DomainKeyword) Payload() string {
 }
 func NewDomainKeyword(keyword string, adapter string) *DomainKeyword {
 	punycode, _ := idna.ToASCII(strings.ToLower(keyword))
 	return &DomainKeyword{
-		Base:    &Base{},
+		Base:    Base{},
-		keyword: punycode,
+		keyword: strings.ToLower(keyword),
 		adapter: adapter,
 	}
 }
-//var _ C.Rule = (*DomainKeyword)(nil)
+var _ C.Rule = (*DomainKeyword)(nil)
--- a/rules/common/domain_regex.go
+++ b/rules/common/domain_regex.go
@@ -7,7 +7,7 @@ import (
 )
 type DomainRegex struct {
-	*Base
+	Base
 	regex   *regexp2.Regexp
 	adapter string
 }
@@ -36,10 +36,10 @@ func NewDomainRegex(regex string, adapter string) (*DomainRegex, error) {
 		return nil, err
 	}
 	return &DomainRegex{
-		Base:    &Base{},
+		Base:    Base{},
 		regex:   r,
 		adapter: adapter,
 	}, nil
 }
-//var _ C.Rule = (*DomainRegex)(nil)
+var _ C.Rule = (*DomainRegex)(nil)
--- a/rules/common/domain_suffix.go
+++ b/rules/common/domain_suffix.go
@@ -4,11 +4,10 @@ import (
 	"strings"
 	C "github.com/metacubex/mihomo/constant"
 	"golang.org/x/net/idna"
 )
 type DomainSuffix struct {
-	*Base
+	Base
 	suffix  string
 	adapter string
 }
@@ -31,12 +30,11 @@ func (ds *DomainSuffix) Payload() string {
 }
 func NewDomainSuffix(suffix string, adapter string) *DomainSuffix {
 	punycode, _ := idna.ToASCII(strings.ToLower(suffix))
 	return &DomainSuffix{
-		Base:    &Base{},
+		Base:    Base{},
-		suffix:  punycode,
+		suffix:  strings.ToLower(suffix),
 		adapter: adapter,
 	}
 }
-//var _ C.Rule = (*DomainSuffix)(nil)
+var _ C.Rule = (*DomainSuffix)(nil)
--- a/rules/common/domain_wildcard.go
+++ b/rules/common/domain_wildcard.go
@@ -8,7 +8,7 @@ import (
 )
 type DomainWildcard struct {
-	*Base
+	Base
 	pattern string
 	adapter string
 }
@@ -34,8 +34,10 @@ var _ C.Rule = (*DomainWildcard)(nil)
 func NewDomainWildcard(pattern string, adapter string) (*DomainWildcard, error) {
 	pattern = strings.ToLower(pattern)
 	return &DomainWildcard{
-		Base:    &Base{},
+		Base:    Base{},
 		pattern: pattern,
 		adapter: adapter,
 	}, nil
 }
 var _ C.Rule = (*DomainWildcard)(nil)
--- a/rules/common/dscp.go
+++ b/rules/common/dscp.go
@@ -8,7 +8,7 @@ import (
 )
 type DSCP struct {
-	*Base
+	Base
 	ranges  utils.IntRanges[uint8]
 	payload string
 	adapter string
@@ -41,9 +41,11 @@ func NewDSCP(dscp string, adapter string) (*DSCP, error) {
 		}
 	}
 	return &DSCP{
-		Base:    &Base{},
+		Base:    Base{},
 		payload: dscp,
 		ranges:  ranges,
 		adapter: adapter,
 	}, nil
 }
 var _ C.Rule = (*DSCP)(nil)
--- a/rules/common/final.go
+++ b/rules/common/final.go
@@ -5,7 +5,7 @@ import (
 )
 type Match struct {
-	*Base
+	Base
 	adapter string
 }
@@ -27,9 +27,9 @@ func (f *Match) Payload() string {
 func NewMatch(adapter string) *Match {
 	return &Match{
-		Base:    &Base{},
+		Base:    Base{},
 		adapter: adapter,
 	}
 }
-//var _ C.Rule = (*Match)(nil)
+var _ C.Rule = (*Match)(nil)
--- a/rules/common/geoip.go
+++ b/rules/common/geoip.go
@@ -17,7 +17,7 @@ import (
 )
 type GEOIP struct {
-	*Base
+	Base
 	country     string
 	adapter     string
 	noResolveIP bool
@@ -205,7 +205,7 @@ func NewGEOIP(country string, adapter string, isSrc, noResolveIP bool) (*GEOIP,
 	country = strings.ToLower(country)
 	geoip := &GEOIP{
-		Base:        &Base{},
+		Base:        Base{},
 		country:     country,
 		adapter:     adapter,
 		noResolveIP: noResolveIP,
@@ -231,3 +231,5 @@ func NewGEOIP(country string, adapter string, isSrc, noResolveIP bool) (*GEOIP,
 	return geoip, nil
 }
 var _ C.Rule = (*GEOIP)(nil)
--- a/rules/common/geosite.go
+++ b/rules/common/geosite.go
@@ -12,7 +12,7 @@ import (
 )
 type GEOSITE struct {
-	*Base
+	Base
 	country    string
 	adapter    string
 	recodeSize int
@@ -68,7 +68,7 @@ func NewGEOSITE(country string, adapter string) (*GEOSITE, error) {
 	}
 	geoSite := &GEOSITE{
-		Base:    &Base{},
+		Base:    Base{},
 		country: country,
 		adapter: adapter,
 	}
--- a/rules/common/in_name.go
+++ b/rules/common/in_name.go
@@ -8,7 +8,7 @@ import (
 )
 type InName struct {
-	*Base
+	Base
 	names   []string
 	adapter string
 	payload string
@@ -46,9 +46,11 @@ func NewInName(iNames, adapter string) (*InName, error) {
 	}
 	return &InName{
-		Base:    &Base{},
+		Base:    Base{},
 		names:   names,
 		adapter: adapter,
 		payload: iNames,
 	}, nil
 }
 var _ C.Rule = (*InName)(nil)
--- a/rules/common/in_type.go
+++ b/rules/common/in_type.go
@@ -8,7 +8,7 @@ import (
 )
 type InType struct {
-	*Base
+	Base
 	types   []C.Type
 	adapter string
 	payload string
@@ -51,7 +51,7 @@ func NewInType(iTypes, adapter string) (*InType, error) {
 	}
 	return &InType{
-		Base:    &Base{},
+		Base:    Base{},
 		types:   tps,
 		adapter: adapter,
 		payload: strings.ToUpper(iTypes),
@@ -77,3 +77,5 @@ func parseInTypes(tps []string) (res []C.Type, err error) {
 	}
 	return
 }
 var _ C.Rule = (*InType)(nil)
--- a/rules/common/in_user.go
+++ b/rules/common/in_user.go
@@ -8,7 +8,7 @@ import (
 )
 type InUser struct {
-	*Base
+	Base
 	users   []string
 	adapter string
 	payload string
@@ -46,9 +46,11 @@ func NewInUser(iUsers, adapter string) (*InUser, error) {
 	}
 	return &InUser{
-		Base:    &Base{},
+		Base:    Base{},
 		users:   users,
 		adapter: adapter,
 		payload: iUsers,
 	}, nil
 }
 var _ C.Rule = (*InUser)(nil)
--- a/rules/common/ipasn.go
+++ b/rules/common/ipasn.go
@@ -8,7 +8,7 @@ import (
 )
 type ASN struct {
-	*Base
+	Base
 	asn         string
 	adapter     string
 	noResolveIP bool
@@ -64,10 +64,12 @@ func NewIPASN(asn string, adapter string, isSrc, noResolveIP bool) (*ASN, error)
 	}
 	return &ASN{
-		Base:        &Base{},
+		Base:        Base{},
 		asn:         asn,
 		adapter:     adapter,
 		noResolveIP: noResolveIP,
 		isSourceIP:  isSrc,
 	}, nil
 }
 var _ C.Rule = (*ASN)(nil)
--- a/rules/common/ipcidr.go
+++ b/rules/common/ipcidr.go
@@ -21,7 +21,7 @@ func WithIPCIDRNoResolve(noResolve bool) IPCIDROption {
 }
 type IPCIDR struct {
-	*Base
+	Base
 	ipnet       netip.Prefix
 	adapter     string
 	isSourceIP  bool
@@ -62,7 +62,7 @@ func NewIPCIDR(s string, adapter string, opts ...IPCIDROption) (*IPCIDR, error)
 	}
 	ipcidr := &IPCIDR{
-		Base:    &Base{},
+		Base:    Base{},
 		ipnet:   ipnet,
 		adapter: adapter,
 	}
@@ -74,4 +74,4 @@ func NewIPCIDR(s string, adapter string, opts ...IPCIDROption) (*IPCIDR, error)
 	return ipcidr, nil
 }
-//var _ C.Rule = (*IPCIDR)(nil)
+var _ C.Rule = (*IPCIDR)(nil)
--- a/rules/common/ipsuffix.go
+++ b/rules/common/ipsuffix.go
@@ -1,12 +1,13 @@
 package common
 import (
 	C "github.com/metacubex/mihomo/constant"
 	"net/netip"
 	C "github.com/metacubex/mihomo/constant"
 )
 type IPSuffix struct {
-	*Base
+	Base
 	ipBytes     []byte
 	bits        int
 	payload     string
@@ -68,7 +69,7 @@ func NewIPSuffix(payload, adapter string, isSrc, noResolveIP bool) (*IPSuffix, e
 	}
 	return &IPSuffix{
-		Base:        &Base{},
+		Base:        Base{},
 		payload:     payload,
 		ipBytes:     ipnet.Addr().AsSlice(),
 		bits:        ipnet.Bits(),
@@ -77,3 +78,5 @@ func NewIPSuffix(payload, adapter string, isSrc, noResolveIP bool) (*IPSuffix, e
 		noResolveIP: noResolveIP,
 	}, nil
 }
 var _ C.Rule = (*IPSuffix)(nil)
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Hung-I Wang	3035ae89e3	fix: correct typo in ProxyGroup health check log message (#2575 )	2026-02-27 11:00:47 +08:00
enfein	c251e411e5	feat: support mieru traffic pattern configuration (#2585 )	2026-02-27 10:31:35 +08:00
wwqgtxx	f6722ab79b	action: Upgrade loongarch golang version	2026-02-25 13:08:18 +08:00
wwqgtxx	4ca515896b	feat: support trusttunnel inbound and outbound	2026-02-25 12:26:08 +08:00
wwqgtxx	836c972c54	chore: cleanup unreachable code	2026-02-23 21:03:22 +08:00
wwqgtxx	43509da1a9	chore: simplify gun code	2026-02-23 21:03:22 +08:00
wwqgtxx	3752cb044f	fix: CVE-2026-26958 of filippo.io/edwards25519	2026-02-21 17:18:15 +08:00
wwqgtxx	30391b40c4	chore: unified UA settings method	2026-02-13 18:11:46 +08:00
Panda	05fbf552ec	fix: make User-Agent check case-insensitive (#2566 )	2026-02-13 17:34:06 +08:00
wwqgtxx	e4143cf1ad	fix: tun doesn't clean up the DNS setting in systemd-resolved when closed	2026-02-13 11:51:11 +08:00
wwqgtxx	5eaf5d16ce	fix: quic gso maybe not working with pppoe	2026-02-13 11:43:20 +08:00
wwqgtxx	9dee264f13	fix: udp/icmp not work on gso with system stack	2026-02-13 00:07:39 +08:00
wwqgtxx	50480406cf	fix: rollback sing-tun commit	2026-02-12 17:42:01 +08:00
wwqgtxx	6eb27ac3dc	chore: align with legacy behavior	2026-02-12 16:43:45 +08:00
wwqgtxx	a949ad883c	chore: update golang to 1.26	2026-02-11 17:13:19 +08:00
wwqgtxx	20bf57c117	feat: add `disable-reuse` params for DoT	2026-02-10 15:03:15 +08:00
wwqgtxx	60a9312057	chore: structure support remain-tagged field	2026-02-10 15:03:15 +08:00
wwqgtxx	9fda032a28	chore: structure unifies the way to handle top-level and sub structs	2026-02-10 15:03:15 +08:00
wwqgtxx	c3399fd346	chore: better logging for removed configurations	2026-02-10 01:16:24 +08:00
wwqgtxx	445083b624	fix: override interface-name broken https://github.com/MetaCubeX/mihomo/issues/2558	2026-02-09 19:55:18 +08:00
wwqgtxx	97f25250a6	chore: code cleanup	2026-02-08 00:10:07 +08:00
wwqgtxx	8b0bcb6740	chore: better generator	2026-02-08 00:09:46 +08:00
wwqgtxx	022f677385	chore: cleanup hostValue code	2026-02-07 12:07:01 +08:00
wwqgtxx	32799662ad	fix: quic data race for crypto/tls	2026-02-07 09:41:08 +08:00
wwqgtxx	86257fc83c	chore: remove reflect-based provider override code	2026-02-05 17:20:47 +08:00
wwqgtxx	f2222b5e02	chore: code cleanup	2026-02-05 16:47:24 +08:00
Chenx Dust	3ac62152cb	fix: race condition of tcpConcurrent in dialer (#2556 )	2026-02-05 15:57:01 +08:00
wwqgtxx	5516ca18fd	chore: code cleanup	2026-02-05 10:46:09 +08:00
wwqgtxx	3bca69c745	chore: add some comments for the fingerprint verifier	2026-02-05 10:34:36 +08:00
wwqgtxx	558b3840ea	action: update Go 1.26rc3 to test	2026-02-04 23:57:47 +08:00
wwqgtxx	f94da9f2b3	chore: fingerprint verifier handle non-leaf certificate will check the SNI matches the certificate's DNS name	2026-02-04 22:41:33 +08:00
wwqgtxx	2cfc4ba044	fix: CVE-2025-68121 for crypto/tls again and again	2026-02-04 15:19:27 +08:00
wwqgtxx	034f1d1e9b	chore: disallow empty `proxy-server-nameserver` when `proxy-server-nameserver-policy` is set	2026-02-04 12:06:45 +08:00
wwqgtxx	dede56fe4b	feat: add `proxy-server-nameserver-policy` to `dns` section	2026-02-03 01:41:00 +08:00
wwqgtxx	5fda87d50e	chore: update sing-tun	2026-02-02 14:39:32 +08:00
wwqgtxx	5e1b133e4e	chore: more callback support for utls	2026-02-01 01:36:30 +08:00
wwqgtxx	27a3ca6afc	chore: converter support fingerprint for vmess/vless/trojan	2026-01-31 21:27:14 +08:00
wwqgtxx	7573affdd4	chore: better logging in masque outbound	2026-01-31 20:25:02 +08:00
wwqgtxx	17fbaf9100	doc: fix typo	2026-01-30 23:16:08 +08:00
sleshep	710772f993	chore: add simple validation for static dialer-proxy config (#2551 ) Currently, it can only validate whether a cycle exists in proxies, and cannot determine if it is caused by groups.	2026-01-30 20:39:06 +08:00
saba-futai	d36b024b10	chore: align sudoku with upstream v0.2.0 (#2549 )	2026-01-30 10:33:22 +08:00
wwqgtxx	f52c9356c2	fix: CVE-2025-68121 for crypto/tls again	2026-01-29 08:53:48 +08:00
wwqgtxx	e45c896185	feat: support masque outbound	2026-01-28 19:01:18 +08:00
wwqgtxx	d18a14afeb	fix: snat key in trojan packet listener	2026-01-28 00:49:27 +08:00
wwqgtxx	6aaabc97ca	chore: decrease unneeded string convert in socks5 addr parsing	2026-01-28 00:41:13 +08:00
wwqgtxx	85c024a4a6	fix: snat key in sudoku packet listener	2026-01-28 00:32:44 +08:00
wwqgtxx	c33c90d7af	chore: clean up duplicate code in sudoku	2026-01-26 09:28:18 +08:00
wwqgtxx	65c3d3e4e2	chore: remove unreachable code in sudoku	2026-01-26 09:28:18 +08:00
wwqgtxx	98b3060558	chore: optimize timeout control in DoH TLS probe	2026-01-25 22:49:04 +08:00
wwqgtxx	b90100645e	chore: using mihomo's global pool in DoQ	2026-01-25 22:48:48 +08:00
wwqgtxx	46ee1649c0	chore: hy2 listener fellow hysteria2's code skip verify in https masquerade	2026-01-25 21:49:02 +08:00
wwqgtxx	e3b8fc2b77	fix: hy2 listener panic with http/https masquerade	2026-01-25 18:12:51 +08:00
wwqgtxx	707fe8b207	chore: remove auto IDNA conversion in domain rules The original upstream does not support it, and there are many places in the current code that do not support it either. Removing it will help maintain consistency in behavior across different parts.	2026-01-23 09:36:13 +08:00
wwqgtxx	1e1434d1de	chore: remove an unnecessary variable	2026-01-20 14:48:59 +08:00
wwqgtxx	26052ba5e5	chore: remove confused varbin using in sing	2026-01-19 23:16:55 +08:00
wwqgtxx	75a0cd5aff	fix: file exists when tun start	2026-01-18 16:37:51 +08:00
wwqgtxx	e03ba23f65	chore: update logrus	2026-01-18 11:00:49 +08:00
wwqgtxx	0c995a2479	chore: move proxiesWithProviders to hub/route internal to disallow external usage of this poorly implemented function	2026-01-17 22:26:14 +08:00
wwqgtxx	3c526ae06e	feat: add `query-server-name` for `ech-opts`	2026-01-17 19:11:57 +08:00
wwqgtxx	0b009b514c	doc: add missing params	2026-01-17 18:52:44 +08:00
wwqgtxx	18d139a15d	chore: rollback tls to restore the session resumption functionality in quic-go	2026-01-17 18:27:19 +08:00
wwqgtxx	5f250413fe	doc: remove deprecated item	2026-01-17 18:27:19 +08:00
wwqgtxx	993595df73	chore: switch to our own common/orderedmap package, remove two unneeded json dependence	2026-01-17 18:27:19 +08:00
H1JK	828fd30dc3	chore: support connection reuse for DoT	2026-01-16 14:20:20 +08:00
wwqgtxx	11000dccd7	chore: add common/deque package	2026-01-16 11:05:15 +08:00
wwqgtxx	0818aa54aa	chore: provider a common entrance for YAML package	2026-01-16 11:05:13 +08:00
wwqgtxx	edbfebeacd	fix: CVE-2025-68121 for crypto/tls	2026-01-16 08:27:29 +08:00
saba-futai	06f5fbac06	feat: add `path-root` for sudoku (#2511 )	2026-01-14 21:25:05 +08:00
Shaw	f38fc2020f	feat: add `grpc-user-agent` to `grpc-opts` (#2512 )	2026-01-14 21:02:09 +08:00
wwqgtxx	97bce45eba	chore: deprecated `global-client-fingerprint`, please set `client-fingerprint` directly on the proxy instead	2026-01-14 10:40:26 +08:00
Davoyan	bc28cd486a	doc: fix typo in config.yaml (#2459 )	2026-01-14 09:01:18 +08:00
wwqgtxx	cdabd1e8b1	chore: update utls	2026-01-14 08:02:37 +08:00
Toby	c5b0f00bb2	fix: logic issues with BBR impl `98872a4f38`	2026-01-12 13:34:59 +08:00
wwqgtxx	c128d23dec	chore: update quic-go to 0.59.0	2026-01-12 12:48:18 +08:00
wwqgtxx	ee37a353d0	fix: incorrect timestamp conversion in brutal	2026-01-12 12:45:52 +08:00
wwqgtxx	0cf37de1a8	chore: better time storage in rule wrapper	2026-01-12 00:50:55 +08:00
potoo0	ae6069c178	chore: moving rules disabled and hit/miss counts data to `extra` for restful api (#2503 )	2026-01-11 21:11:38 +08:00
wwqgtxx	c8e33a4347	chore: decrease rule wrapper memory usage	2026-01-11 20:57:28 +08:00
potoo0	19a6b5d6f7	feat: support rule disabling and hit/miss count/at tracking in restful api (#2502 )	2026-01-11 19:37:08 +08:00
wwqgtxx	efb800866e	chore: update quic-go to 0.58.1	2026-01-11 17:19:53 +08:00
wwqgtxx	94c8d60f72	chore: simplified logic rule parsing	2026-01-08 23:42:01 +08:00
saba-futai	0f2baca2de	chore: refactored the implementation of suduko mux (#2486 )	2026-01-07 00:25:33 +08:00
wwqgtxx	b18a33552c	chore: remove unused pointer in rules implements	2026-01-06 09:29:09 +08:00
wwqgtxx	487de9b548	feat: add `PROCESS-NAME-WILDCARD` and `PROCESS-PATH-WILDCARD`	2026-01-06 08:52:06 +08:00
enfein	1a6230ec03	chore: update mieru version (#2484 ) Fix https://github.com/enfein/mieru/issues/247	2026-01-06 07:48:46 +08:00
wwqgtxx	e6bf56b9af	fix: os.(*Process).Wait not working on Windows7	2026-01-05 20:26:19 +08:00
wwqgtxx	0ad9ac325a	feat: support aes-128-gcm, `ratelimit` and `framesize` for kcptun	2026-01-05 12:25:30 +08:00
saba-futai	d6b1263236	feat: support `http-mask-multiplex` for suduko (#2482 )	2026-01-04 22:24:42 +08:00
wwqgtxx	4d7670339b	feat: all dns client support `disable-qtype-<int>` params	2026-01-02 22:43:58 +08:00
wwqgtxx	0cffc8d76d	chore: revert "chore: update quic-go to 0.58.0" This reverts commit `64015b7634`.	2026-01-02 17:09:40 +08:00