Merge branch 'refs/heads/Alpha' into Meta

https://github.com/MetaCubeX/mihomo/issues/1168

.github/genReleaseNote.sh

@@ -18,15 +18,15 @@ if [ -z "$version_range" ]; then
 fi
 
 echo "## What's Changed" > release.md
-git log --pretty=format:"* %s by @%an" --grep="^feat" -i $version_range | sort -f | uniq >> release.md
+git log --pretty=format:"* %h %s by @%an" --grep="^feat" -i $version_range | sort -f | uniq >> release.md
 echo "" >> release.md
 
 echo "## BUG & Fix" >> release.md
-git log --pretty=format:"* %s by @%an" --grep="^fix" -i $version_range | sort -f | uniq >> release.md
+git log --pretty=format:"* %h %s by @%an" --grep="^fix" -i $version_range | sort -f | uniq >> release.md
 echo "" >> release.md
 
 echo "## Maintenance" >> release.md
-git log --pretty=format:"* %s by @%an" --grep="^chore\|^docs\|^refactor" -i $version_range | sort -f | uniq >> release.md
+git log --pretty=format:"* %h %s by @%an" --grep="^chore\|^docs\|^refactor" -i $version_range | sort -f | uniq >> release.md
 echo "" >> release.md
 
-echo "**Full Changelog**: https://github.com/MetaCubeX/Clash.Meta/compare/$version_range" >> release.md
+echo "**Full Changelog**: https://github.com/MetaCubeX/mihomo/compare/$version_range" >> release.md

.github/mihomo.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=mihomo Daemon, Another Clash Kernel.
+After=network.target NetworkManager.service systemd-networkd.service iwd.service
+
+[Service]
+Type=simple
+LimitNPROC=500
+LimitNOFILE=1000000
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
+Restart=always
+ExecStartPre=/usr/bin/sleep 2s
+ExecStart=/usr/bin/mihomo -d /etc/mihomo
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target

.github/workflows/build.yml

@@ -21,227 +21,242 @@ concurrency:
 env:
   REGISTRY: docker.io
 jobs:
-  Build:
+  build:
-    permissions: write-all
     runs-on: ubuntu-latest
     strategy:
-      fail-fast: false
       matrix:
-        job:
+        jobs:
-          - {
+          - { goos: darwin, goarch: arm64, output: arm64 }
-              type: "WithoutCGO",
+          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible }
-              target: "linux-amd64 linux-amd64-compatible",
+          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64 }
-              id: "1",
+
-            }
+          - { goos: linux, goarch: '386', output: '386' }
-          - {
+          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible, test: test }
-              type: "WithoutCGO",
+          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64 }
-              target: "linux-armv5 linux-armv6 linux-armv7",
+          - { goos: linux, goarch: arm64, output: arm64 }
-              id: "2",
+          - { goos: linux, goarch: arm, goarm: '5', output: armv5 }
-            }
+          - { goos: linux, goarch: arm, goarm: '6', output: armv6 }
-          - {
+          - { goos: linux, goarch: arm, goarm: '7', output: armv7 }
-              type: "WithoutCGO",
+          - { goos: linux, goarch: mips, mips: hardfloat, output: mips-hardfloat }
-              target: "linux-arm64 linux-mips64 linux-mips64le",
+          - { goos: linux, goarch: mips, mips: softfloat, output: mips-softfloat }
-              id: "3",
+          - { goos: linux, goarch: mipsle, mips: hardfloat, output: mipsle-hardfloat }
-            }
+          - { goos: linux, goarch: mipsle, mips: softfloat, output: mipsle-softfloat }
-          - {
+          - { goos: linux, goarch: mips64, output: mips64 }
-              type: "WithoutCGO",
+          - { goos: linux, goarch: mips64le, output: mips64le }
-              target: "linux-mips-softfloat linux-mips-hardfloat linux-mipsle-softfloat linux-mipsle-hardfloat",
+          - { goos: linux, goarch: loong64, output: loong64-abi1, abi: '1' }
-              id: "4",
+          - { goos: linux, goarch: loong64, output: loong64-abi2, abi: '2' }
-            }
+          - { goos: linux, goarch: riscv64, output: riscv64 }
-          - { type: "WithoutCGO", target: "linux-386 linux-riscv64 linux-loong64", id: "5" }
+          - { goos: linux, goarch: s390x, output: s390x }
-          - {
+
-              type: "WithoutCGO",
+          - { goos: windows, goarch: '386', output: '386' }
-              target: "freebsd-386 freebsd-amd64 freebsd-arm64",
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible }
-              id: "6",
+          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64 }
-            }
+          - { goos: windows, goarch: arm, goarm: '7', output: armv7 }
-          - {
+          - { goos: windows, goarch: arm64, output: arm64 }
-              type: "WithoutCGO",
+
-              target: "windows-amd64-compatible windows-amd64 windows-386",
+          - { goos: freebsd, goarch: '386', output: '386' }
-              id: "7",
+          - { goos: freebsd, goarch: amd64, goamd64: v1, output: amd64-compatible }
-            }
+          - { goos: freebsd, goarch: amd64, goamd64: v3, output: amd64 }
-          - {
+          - { goos: freebsd, goarch: arm64, output: arm64 }
-              type: "WithoutCGO",
+
-              target: "windows-arm64 windows-arm32v7",
+          - { goos: android, goarch: '386', ndk: i686-linux-android34, output: '386' }
-              id: "8",
+          - { goos: android, goarch: amd64, ndk: x86_64-linux-android34, output: amd64 }
-            }
+          - { goos: android, goarch: arm, ndk: armv7a-linux-androideabi34, output: armv7 }
-          - {
+          - { goos: android, goarch: arm64, ndk: aarch64-linux-android34, output: arm64-v8 }
-              type: "WithoutCGO",
+
-              target: "darwin-amd64 darwin-arm64 android-arm64",
-              id: "9",
-            }
-          # only for test
-          - { type: "WithoutCGO-GO120", target: "linux-amd64 linux-amd64-compatible",id: "1" }
           # Go 1.20 is the last release that will run on any release of Windows 7, 8, Server 2008 and Server 2012. Go 1.21 will require at least Windows 10 or Server 2016.
-          - { type: "WithoutCGO-GO120", target: "windows-amd64-compatible windows-amd64 windows-386",id: "2" }
+          - { goos: windows, goarch: '386', output: '386-go120', goversion: '1.20' }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20' }
+          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go120, goversion: '1.20' }
+
           # Go 1.20 is the last release that will run on macOS 10.13 High Sierra or 10.14 Mojave. Go 1.21 will require macOS 10.15 Catalina or later.
-          - { type: "WithoutCGO-GO120", target: "darwin-amd64 darwin-arm64 android-arm64",id: "3" }
+          - { goos: darwin, goarch: arm64, output: arm64-go120, goversion: '1.20' }
-#          - { type: "WithCGO", target: "windows/*", id: "1" }
+          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20' }
-#          - { type: "WithCGO", target: "linux/386", id: "2" }
+          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-go120, goversion: '1.20' }
-#          - { type: "WithCGO", target: "linux/amd64", id: "3" }
+
-#          - { type: "WithCGO", target: "linux/arm64,linux/riscv64", id: "4" }
+          # only for test
-#          - { type: "WithCGO", target: "linux/arm,", id: "5" }
+          - { goos: linux, goarch: '386', output: '386-go120', goversion: '1.20' }
-#          - { type: "WithCGO", target: "linux/arm-6,linux/arm-7", id: "6" }
+          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20', test: test }
-#          - { type: "WithCGO", target: "linux/mips,linux/mipsle", id: "7" }
+          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-go120, goversion: '1.20' }
-#          - { type: "WithCGO", target: "linux/mips64", id: "8" }
-#          - { type: "WithCGO", target: "linux/mips64le", id: "9" }
-#          - { type: "WithCGO", target: "darwin-10.16/*", id: "10" }
-#          - { type: "WithCGO", target: "android", id: "11" }
 
     steps:
-      - name: Check out code into the Go module directory
+    - uses: actions/checkout@v4
-        uses: actions/checkout@v3
 
-      - name: Set variables
+    - name: Set up Go
-        run: echo "VERSION=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+      if: ${{ matrix.jobs.goversion == '' && matrix.jobs.goarch != 'loong64' }}
-        shell: bash
+      uses: actions/setup-go@v5
+      with:
+        go-version: '1.22'
+
+    - name: Set up Go
+      if: ${{ matrix.jobs.goversion != '' && matrix.jobs.goarch != 'loong64' }}
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ matrix.jobs.goversion }}
+
+    - name: Set up Go1.21 loongarch abi1
+      if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '1' }}
+      run: |
+        wget -q https://github.com/xishang0128/loongarch64-golang/releases/download/1.21.5/go1.21.5.linux-amd64-abi1.tar.gz
+        sudo tar zxf go1.21.5.linux-amd64-abi1.tar.gz -C /usr/local
+        echo "/usr/local/go/bin" >> $GITHUB_PATH
+
+    - name: Set up Go1.21 loongarch abi2
+      if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '2' }}
+      run: |
+        wget -q https://github.com/xishang0128/loongarch64-golang/releases/download/1.21.5/go1.21.5.linux-amd64-abi2.tar.gz
+        sudo tar zxf go1.21.5.linux-amd64-abi2.tar.gz -C /usr/local
+        echo "/usr/local/go/bin" >> $GITHUB_PATH
 
     - name: Set variables
       if: ${{github.ref_name=='Alpha'}}
       run: echo "VERSION=alpha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
       shell: bash
 
-      - name: Set variables
-        if: ${{github.ref_name=='Beta'}}
-        run: echo "VERSION=beta-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
-        shell: bash
-
-      - name: Set variables
-        if: ${{github.ref_name=='Meta'}}
-        run: echo "VERSION=meta-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
-        shell: bash
-
     - name: Set variables
       if: ${{github.ref_name=='' || github.ref_type=='tag'}}
       run: echo "VERSION=$(git describe --tags)" >> $GITHUB_ENV
       shell: bash
 
-      - name: Set ENV
+    - name: Set Time Variable
       run: |
-          sudo timedatectl set-timezone "Asia/Shanghai"
         echo "BUILDTIME=$(date)" >> $GITHUB_ENV
-        shell: bash
+        echo "CGO_ENABLED=0" >> $GITHUB_ENV
+        echo "BUILDTAG=-extldflags --static" >> $GITHUB_ENV
 
-      - name: Set ENV
+    - name: Setup NDK
+      if: ${{ matrix.jobs.goos == 'android' }}
+      uses: nttld/setup-ndk@v1
+      id: setup-ndk
+      with:
+        ndk-version: r26c
+
+    - name: Set NDK path
+      if: ${{ matrix.jobs.goos == 'android' }}
       run: |
-          echo "TAGS=with_gvisor,with_lwip" >> $GITHUB_ENV
+        echo "CC=${{steps.setup-ndk.outputs.ndk-path}}/toolchains/llvm/prebuilt/linux-x86_64/bin/${{matrix.jobs.ndk}}-clang" >> $GITHUB_ENV
-          echo "LDFLAGS=-X 'github.com/metacubex/mihomo/constant.Version=${VERSION}' -X 'github.com/metacubex/mihomo/constant.BuildTime=${BUILDTIME}' -w -s -buildid=" >> $GITHUB_ENV
+        echo "CGO_ENABLED=1" >> $GITHUB_ENV
-          echo "GOTOOLCHAIN=local" >> $GITHUB_ENV
+        echo "BUILDTAG=" >> $GITHUB_ENV
-        shell: bash
-
-      - name: Setup Go
-        if: ${{ matrix.job.type!='WithoutCGO-GO120' }}
-        uses: actions/setup-go@v4
-        with:
-          go-version: "1.21"
-          check-latest: true
-
-      - name: Setup Go
-        if: ${{ matrix.job.type=='WithoutCGO-GO120' }}
-        uses: actions/setup-go@v4
-        with:
-          go-version: "1.20"
-          check-latest: true
 
     - name: Test
-        if: ${{ matrix.job.id=='1' && matrix.job.type!='WithCGO' }}
+      if: ${{ matrix.jobs.test == 'test' }}
       run: |
         go test ./...
 
-      - name: Build WithoutCGO
+    - name: Update CA
-        if: ${{ matrix.job.type!='WithCGO' }}
+      run: |
+        sudo apt-get install ca-certificates
+        sudo update-ca-certificates
+        cp -f /etc/ssl/certs/ca-certificates.crt component/ca/ca-certificates.crt
+
+    - name: Build core
       env:
-          NAME: mihomo
+        GOOS: ${{matrix.jobs.goos}}
-          BINDIR: bin
+        GOARCH: ${{matrix.jobs.goarch}}
-        run: make -j$(($(nproc) + 1)) ${{ matrix.job.target }}
+        GOAMD64: ${{matrix.jobs.goamd64}}
-
+        GOARM: ${{matrix.jobs.arm}}
-      - uses: nttld/setup-ndk@v1
+        GOMIPS: ${{matrix.jobs.mips}}
-        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target=='android' }}
-        id: setup-ndk
-        with:
-          ndk-version: r26b
-          add-to-path: true
-
-      - name: Build Android
-        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target=='android' }}
-        env:
-          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
       run: |
-          mkdir bin
+        echo $CGO_ENABLED
-          CC=${ANDROID_NDK_HOME}/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android33-clang
+        go build -v -tags "with_gvisor" -trimpath -ldflags "${BUILDTAG} -X 'github.com/metacubex/mihomo/constant.Version=${VERSION}' -X 'github.com/metacubex/mihomo/constant.BuildTime=${BUILDTIME}' -w -s -buildid="
-          CGO_ENABLED=1 CC=${CC} GOARCH=arm64 GOOS=android go build -tags ${TAGS} -trimpath -ldflags "${LDFLAGS}" -o bin/${NAME}-android-arm64
+        if [ "${{matrix.jobs.goos}}" = "windows" ]; then
+          cp mihomo.exe mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}.exe
+          zip -r mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.zip mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}.exe
+        else
+          cp mihomo mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}
+          gzip -c mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}} > mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.gz
+          rm mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}
+        fi
 
-      - name: Set up xgo
+    - name: Create DEB package
-        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target!='android' }}
+      if: ${{ matrix.jobs.goos == 'linux' && !contains(matrix.jobs.goarch, 'mips') }}
       run: |
-          docker pull techknowlogick/xgo:latest
+        sudo apt-get install dpkg
-          go install src.techknowlogick.com/xgo@latest
+        if [ "${{matrix.jobs.abi}}" = "1" ]; then
+          ARCH=loongarch64
+        else
+          ARCH=${{matrix.jobs.goarch}}
+        fi
+        PackageVersion=$(curl -s "https://api.github.com/repos/MetaCubeX/mihomo/releases/latest" | grep -o '"tag_name": "[^"]*' | grep -o '[^"]*$' | sed 's/v//g' )
+        if [ $(git branch | awk -F ' ' '{print $2}') = "Alpha" ]; then
+          PackageVersion="$(echo "${PackageVersion}" | awk -F '.' '{$NF = $NF + 1; print}' OFS='.')-${VERSION}"
+        fi
 
-      - name: Build by xgo
+        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/DEBIAN
-        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target!='android' }}
+        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/bin
-        env:
+        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/mihomo
-          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
+        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/systemd/system/
-        run: |
+        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/share/licenses/mihomo
-          mkdir bin
-          xgo --targets="${{ matrix.job.target }}" --tags="${TAGS}" -ldflags="${LDFLAGS}" --out bin/${NAME} ./
 
-      - name: Rename
+        cp mihomo mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/bin/mihomo
-        if: ${{ matrix.job.type=='WithCGO' }}
+        cp LICENSE mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/share/licenses/mihomo/
-        run: |
+        cp .github/mihomo.service mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/systemd/system/
-          cd bin
-          ls -la
-          cp ../.github/rename-cgo.sh ./
-          bash ./rename-cgo.sh
-          rm ./rename-cgo.sh
-          ls -la
-          cd ..
 
-      - name: Rename
+        cat > mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/mihomo/config.yaml <<EOF
-        if: ${{ matrix.job.type=='WithoutCGO-GO120' }}
+        mixed-port: 7890
-        run: |
+        external-controller: 127.0.0.1:9090
-          cd bin
+        EOF
-          ls -la
-          cp ../.github/rename-go120.sh ./
-          bash ./rename-go120.sh
-          rm ./rename-go120.sh
-          ls -la
-          cd ..
 
-      - name: Zip
+        cat > mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/DEBIAN/control <<EOF
-        if: ${{  success() }}
+        Package: mihomo
+        Version: ${PackageVersion}
+        Section:
+        Priority: extra
+        Architecture: ${ARCH}
+        Maintainer: MetaCubeX <none@example.com>
+        Homepage: https://wiki.metacubex.one/
+        Description: The universal proxy platform.
+        EOF
+
+        dpkg-deb -Z gzip --build mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}
+
+    - name: Convert DEB to RPM
+      if: ${{ matrix.jobs.goos == 'linux' && !contains(matrix.jobs.goarch, 'mips') }}
       run: |
-          cd bin
+        sudo apt-get install -y alien
-          ls -la
+        alien --to-rpm --scripts mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.deb
-          chmod +x *
+        mv mihomo*.rpm mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.rpm
-          cp ../.github/release.sh ./
+
-          bash ./release.sh
+    # - name: Convert DEB to PKG
-          rm ./release.sh
+    #   if: ${{ matrix.jobs.goos == 'linux' && !contains(matrix.jobs.goarch, 'mips') && !contains(matrix.jobs.goarch, 'loong64') }}
-          ls -la
+    #   run: |
-          cd ..
+    #     docker pull archlinux
+    #     docker run --rm -v ./:/mnt archlinux bash -c "
+    #       pacman -Syu pkgfile base-devel --noconfirm
+    #       curl -L https://github.com/helixarch/debtap/raw/master/debtap > /usr/bin/debtap
+    #       chmod 755 /usr/bin/debtap
+    #       debtap -u 
+    #       debtap -Q /mnt/mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.deb
+    #     "
+    #     mv mihomo*.pkg.tar.zst mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.pkg.tar.zst
 
     - name: Save version
-        run: echo ${VERSION} > bin/version.txt
+      run: |
+        echo ${VERSION} > version.txt
       shell: bash
 
-      - uses: actions/upload-artifact@v3
+    - name: Archive production artifacts
-        if: ${{  success() }}
+      uses: actions/upload-artifact@v4
       with:
-          name: artifact
+        name: ${{ matrix.jobs.goos }}-${{ matrix.jobs.output }}
-          path: bin/
+        path: |
+          mihomo*.gz
+          mihomo*.deb
+          mihomo*.rpm
+          mihomo*.zip
+          version.txt
 
   Upload-Prerelease:
     permissions: write-all
     if: ${{ github.ref_type == 'branch' && !startsWith(github.event_name, 'pull_request') }}
-    needs: [Build]
+    needs: [build]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/download-artifact@v3
+    - name: Download all workflow run artifacts
+      uses: actions/download-artifact@v4
       with:
-          name: artifact
         path: bin/
-
+        merge-multiple: true
-      - name: Display structure of downloaded files
-        run: ls -R
-        working-directory: bin
 
     - name: Delete current release assets
       uses: 8Mi-Tech/delete-release-assets-action@main
@@ -249,14 +264,13 @@ jobs:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         tag: Prerelease-${{ github.ref_name }}
         deleteOnlyFromDrafts: false
-
     - name: Set Env
       run: |
         echo "BUILDTIME=$(TZ=Asia/Shanghai date)" >> $GITHUB_ENV
       shell: bash
 
     - name: Tag Repo
-        uses: richardsimko/update-tag@v1.0.6
+      uses: richardsimko/update-tag@v1
       with:
         tag_name: Prerelease-${{ github.ref_name }}
       env:
@@ -268,7 +282,7 @@ jobs:
         Synchronize ${{ github.ref_name }} branch code updates, keeping only the latest version
         <br>
         [我应该下载哪个文件? / Which file should I download?](https://github.com/MetaCubeX/mihomo/wiki/FAQ)
-          [二进制文件筛选 / Binary file selector] (https://metacubex.github.io/Meta-Docs/startup/#_1)
+        [二进制文件筛选 / Binary file selector](https://metacubex.github.io/Meta-Docs/startup/#_1)
         [查看文档 / Docs](https://metacubex.github.io/Meta-Docs/)
         EOF
 
@@ -286,11 +300,11 @@ jobs:
   Upload-Release:
     permissions: write-all
     if: ${{ github.ref_type=='tag' }}
-    needs: [Build]
+    needs: [build]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-        uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
@@ -306,10 +320,10 @@ jobs:
           bash ./genReleaseNote.sh -v ${PREVERSION}...${CURRENTVERSION}
           rm ./genReleaseNote.sh
 
-      - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@v4
       with:
-          name: artifact
         path: bin/
+        merge-multiple: true
 
     - name: Display structure of downloaded files
       run: ls -R
@@ -327,28 +341,28 @@ jobs:
   Docker:
     if: ${{ !startsWith(github.event_name, 'pull_request') }}
     permissions: write-all
-    needs: [Build]
+    needs: [build]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
-          name: artifact
           path: bin/
+          merge-multiple: true
 
       - name: Display structure of downloaded files
         run: ls -R
         working-directory: bin
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           version: latest
 
@@ -356,7 +370,7 @@ jobs:
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}
 

Dockerfile

@@ -12,7 +12,7 @@ COPY docker/file-name.sh /mihomo/file-name.sh
 WORKDIR /mihomo
 COPY bin/ bin/
 RUN FILE_NAME=`sh file-name.sh` && echo $FILE_NAME && \
-    FILE_NAME=`ls bin/ | egrep "$FILE_NAME.*"|awk NR==1` && echo $FILE_NAME && \
+    FILE_NAME=`ls bin/ | egrep "$FILE_NAME.gz"|awk NR==1` && echo $FILE_NAME && \
     mv bin/$FILE_NAME mihomo.gz && gzip -d mihomo.gz && echo "$FILE_NAME" > /mihomo-config/test
 FROM alpine:latest
 LABEL org.opencontainers.image.source="https://github.com/MetaCubeX/mihomo"

Makefile

@@ -17,6 +17,7 @@ GOBUILD=CGO_ENABLED=0 go build -tags with_gvisor -trimpath -ldflags '-X "github.
 		-w -s -buildid='
 
 PLATFORM_LIST = \
+	darwin-amd64-compatible \
 	darwin-amd64 \
 	darwin-arm64 \
 	linux-amd64-compatible \

adapter/inbound/addition.go

@@ -47,7 +47,7 @@ func WithDstAddr(addr net.Addr) Addition {
 func WithSrcAddr(addr net.Addr) Addition {
 	return func(metadata *C.Metadata) {
 		m := C.Metadata{}
-		if err := m.SetRemoteAddr(addr);err ==nil{
+		if err := m.SetRemoteAddr(addr); err == nil {
 			metadata.SrcIP = m.DstIP
 			metadata.SrcPort = m.DstPort
 		}
@@ -57,7 +57,7 @@ func WithSrcAddr(addr net.Addr) Addition {
 func WithInAddr(addr net.Addr) Addition {
 	return func(metadata *C.Metadata) {
 		m := C.Metadata{}
-		if err := m.SetRemoteAddr(addr);err ==nil{
+		if err := m.SetRemoteAddr(addr); err == nil {
 			metadata.InIP = m.DstIP
 			metadata.InPort = m.DstPort
 		}

adapter/inbound/http.go

@@ -14,7 +14,7 @@ func NewHTTP(target socks5.Addr, srcConn net.Conn, conn net.Conn, additions ...A
 	metadata.Type = C.HTTP
 	metadata.RawSrcAddr = srcConn.RemoteAddr()
 	metadata.RawDstAddr = srcConn.LocalAddr()
-	ApplyAdditions(metadata, WithSrcAddr(srcConn.RemoteAddr()), WithInAddr(conn.LocalAddr()))
+	ApplyAdditions(metadata, WithSrcAddr(srcConn.RemoteAddr()), WithInAddr(srcConn.LocalAddr()))
 	ApplyAdditions(metadata, additions...)
 	return conn, metadata
 }

adapter/inbound/listen.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"net"
 
-	"github.com/sagernet/tfo-go"
+	"github.com/metacubex/tfo-go"
 )
 
 var (

adapter/outbound/direct.go

@@ -3,18 +3,18 @@ package outbound
 import (
 	"context"
 	"errors"
-	"fmt"
 	"net/netip"
 
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
+	"github.com/metacubex/mihomo/component/loopback"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 )
 
 type Direct struct {
 	*Base
-	loopBack *loopBackDetector
+	loopBack *loopback.Detector
 }
 
 type DirectOption struct {
@@ -24,8 +24,8 @@ type DirectOption struct {
 
 // DialContext implements C.ProxyAdapter
 func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	if d.loopBack.CheckConn(metadata.SourceAddrPort()) {
+	if err := d.loopBack.CheckConn(metadata); err != nil {
-		return nil, fmt.Errorf("reject loopback connection to: %s", metadata.RemoteAddress())
+		return nil, err
 	}
 	opts = append(opts, dialer.WithResolver(resolver.DefaultResolver))
 	c, err := dialer.DialContext(ctx, "tcp", metadata.RemoteAddress(), d.Base.DialOptions(opts...)...)
@@ -38,8 +38,8 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 
 // ListenPacketContext implements C.ProxyAdapter
 func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	if d.loopBack.CheckPacketConn(metadata.SourceAddrPort()) {
+	if err := d.loopBack.CheckPacketConn(metadata); err != nil {
-		return nil, fmt.Errorf("reject loopback connection to: %s", metadata.RemoteAddress())
+		return nil, err
 	}
 	// net.UDPConn.WriteTo only working with *net.UDPAddr, so we need a net.UDPAddr
 	if !metadata.Resolved() {
@@ -68,7 +68,7 @@ func NewDirectWithOption(option DirectOption) *Direct {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		loopBack: newLoopBackDetector(),
+		loopBack: loopback.NewDetector(),
 	}
 }
 
@@ -80,7 +80,7 @@ func NewDirect() *Direct {
 			udp:    true,
 			prefer: C.DualStack,
 		},
-		loopBack: newLoopBackDetector(),
+		loopBack: loopback.NewDetector(),
 	}
 }
 
@@ -92,6 +92,6 @@ func NewCompatible() *Direct {
 			udp:    true,
 			prefer: C.DualStack,
 		},
-		loopBack: newLoopBackDetector(),
+		loopBack: loopback.NewDetector(),
 	}
 }

adapter/outbound/direct_loopback_detect.go

@@ -1,68 +0,0 @@
-package outbound
-
-import (
-	"net/netip"
-
-	"github.com/metacubex/mihomo/common/callback"
-	C "github.com/metacubex/mihomo/constant"
-
-	"github.com/puzpuzpuz/xsync/v3"
-)
-
-type loopBackDetector struct {
-	connMap       *xsync.MapOf[netip.AddrPort, struct{}]
-	packetConnMap *xsync.MapOf[netip.AddrPort, struct{}]
-}
-
-func newLoopBackDetector() *loopBackDetector {
-	return &loopBackDetector{
-		connMap:       xsync.NewMapOf[netip.AddrPort, struct{}](),
-		packetConnMap: xsync.NewMapOf[netip.AddrPort, struct{}](),
-	}
-}
-
-func (l *loopBackDetector) NewConn(conn C.Conn) C.Conn {
-	metadata := C.Metadata{}
-	if metadata.SetRemoteAddr(conn.LocalAddr()) != nil {
-		return conn
-	}
-	connAddr := metadata.AddrPort()
-	if !connAddr.IsValid() {
-		return conn
-	}
-	l.connMap.Store(connAddr, struct{}{})
-	return callback.NewCloseCallbackConn(conn, func() {
-		l.connMap.Delete(connAddr)
-	})
-}
-
-func (l *loopBackDetector) NewPacketConn(conn C.PacketConn) C.PacketConn {
-	metadata := C.Metadata{}
-	if metadata.SetRemoteAddr(conn.LocalAddr()) != nil {
-		return conn
-	}
-	connAddr := metadata.AddrPort()
-	if !connAddr.IsValid() {
-		return conn
-	}
-	l.packetConnMap.Store(connAddr, struct{}{})
-	return callback.NewCloseCallbackPacketConn(conn, func() {
-		l.packetConnMap.Delete(connAddr)
-	})
-}
-
-func (l *loopBackDetector) CheckConn(connAddr netip.AddrPort) bool {
-	if !connAddr.IsValid() {
-		return false
-	}
-	_, ok := l.connMap.Load(connAddr)
-	return ok
-}
-
-func (l *loopBackDetector) CheckPacketConn(connAddr netip.AddrPort) bool {
-	if !connAddr.IsValid() {
-		return false
-	}
-	_, ok := l.packetConnMap.Load(connAddr)
-	return ok
-}

adapter/outbound/dns.go

@@ -0,0 +1,159 @@
+package outbound
+
+import (
+	"context"
+	"net"
+	"time"
+
+	N "github.com/metacubex/mihomo/common/net"
+	"github.com/metacubex/mihomo/common/pool"
+	"github.com/metacubex/mihomo/component/dialer"
+	"github.com/metacubex/mihomo/component/resolver"
+	C "github.com/metacubex/mihomo/constant"
+	"github.com/metacubex/mihomo/log"
+)
+
+type Dns struct {
+	*Base
+}
+
+type DnsOption struct {
+	BasicOption
+	Name string `proxy:"name"`
+}
+
+// DialContext implements C.ProxyAdapter
+func (d *Dns) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+	left, right := N.Pipe()
+	go resolver.RelayDnsConn(context.Background(), right, 0)
+	return NewConn(left, d), nil
+}
+
+// ListenPacketContext implements C.ProxyAdapter
+func (d *Dns) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+	log.Debugln("[DNS] hijack udp:%s from %s", metadata.RemoteAddress(), metadata.SourceAddrPort())
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	return newPacketConn(&dnsPacketConn{
+		response: make(chan dnsPacket, 1),
+		ctx:      ctx,
+		cancel:   cancel,
+	}, d), nil
+}
+
+type dnsPacket struct {
+	data []byte
+	put  func()
+	addr net.Addr
+}
+
+// dnsPacketConn implements net.PacketConn
+type dnsPacketConn struct {
+	response chan dnsPacket
+	ctx      context.Context
+	cancel   context.CancelFunc
+}
+
+func (d *dnsPacketConn) WaitReadFrom() (data []byte, put func(), addr net.Addr, err error) {
+	select {
+	case packet := <-d.response:
+		return packet.data, packet.put, packet.addr, nil
+	case <-d.ctx.Done():
+		return nil, nil, nil, net.ErrClosed
+	}
+}
+
+func (d *dnsPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
+	select {
+	case packet := <-d.response:
+		n = copy(p, packet.data)
+		if packet.put != nil {
+			packet.put()
+		}
+		return n, packet.addr, nil
+	case <-d.ctx.Done():
+		return 0, nil, net.ErrClosed
+	}
+}
+
+func (d *dnsPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	select {
+	case <-d.ctx.Done():
+		return 0, net.ErrClosed
+	default:
+	}
+
+	if len(p) > resolver.SafeDnsPacketSize {
+		// wtf???
+		return len(p), nil
+	}
+
+	buf := pool.Get(resolver.SafeDnsPacketSize)
+	put := func() { _ = pool.Put(buf) }
+	copy(buf, p) // avoid p be changed after WriteTo returned
+
+	go func() { // don't block the WriteTo function
+		ctx, cancel := context.WithTimeout(d.ctx, resolver.DefaultDnsRelayTimeout)
+		defer cancel()
+
+		buf, err = resolver.RelayDnsPacket(ctx, buf[:len(p)], buf)
+		if err != nil {
+			put()
+			return
+		}
+
+		packet := dnsPacket{
+			data: buf,
+			put:  put,
+			addr: addr,
+		}
+		select {
+		case d.response <- packet:
+			break
+		case <-d.ctx.Done():
+			put()
+		}
+	}()
+	return len(p), nil
+}
+
+func (d *dnsPacketConn) Close() error {
+	d.cancel()
+	return nil
+}
+
+func (*dnsPacketConn) LocalAddr() net.Addr {
+	return &net.UDPAddr{
+		IP:   net.IPv4(127, 0, 0, 1),
+		Port: 53,
+		Zone: "",
+	}
+}
+
+func (*dnsPacketConn) SetDeadline(t time.Time) error {
+	return nil
+}
+
+func (*dnsPacketConn) SetReadDeadline(t time.Time) error {
+	return nil
+}
+
+func (*dnsPacketConn) SetWriteDeadline(t time.Time) error {
+	return nil
+}
+
+func NewDnsWithOption(option DnsOption) *Dns {
+	return &Dns{
+		Base: &Base{
+			name:   option.Name,
+			tp:     C.Dns,
+			udp:    true,
+			tfo:    option.TFO,
+			mpTcp:  option.MPTCP,
+			iface:  option.Interface,
+			rmark:  option.RoutingMark,
+			prefer: C.NewDNSPrefer(option.IPVersion),
+		},
+	}
+}

adapter/outbound/hysteria2.go

@@ -8,23 +8,30 @@ import (
 	"net"
 	"runtime"
 	"strconv"
+	"time"
 
 	CN "github.com/metacubex/mihomo/common/net"
+	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	C "github.com/metacubex/mihomo/constant"
+	"github.com/metacubex/mihomo/log"
 	tuicCommon "github.com/metacubex/mihomo/transport/tuic/common"
 
 	"github.com/metacubex/sing-quic/hysteria2"
 
 	M "github.com/sagernet/sing/common/metadata"
+	"github.com/zhangyunhao116/fastrand"
 )
 
 func init() {
 	hysteria2.SetCongestionController = tuicCommon.SetCongestionController
 }
 
+const minHopInterval = 5
+const defaultHopInterval = 30
+
 type Hysteria2 struct {
 	*Base
 
@@ -37,7 +44,9 @@ type Hysteria2Option struct {
 	BasicOption
 	Name           string   `proxy:"name"`
 	Server         string   `proxy:"server"`
-	Port           int      `proxy:"port"`
+	Port           int      `proxy:"port,omitempty"`
+	Ports          string   `proxy:"ports,omitempty"`
+	HopInterval    int      `proxy:"hop-interval,omitempty"`
 	Up             string   `proxy:"up,omitempty"`
 	Down           string   `proxy:"down,omitempty"`
 	Password       string   `proxy:"password,omitempty"`
@@ -129,7 +138,7 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 	clientOptions := hysteria2.ClientOptions{
 		Context:            context.TODO(),
 		Dialer:             singDialer,
-		ServerAddress:      M.ParseSocksaddrHostPort(option.Server, uint16(option.Port)),
+		Logger:             log.SingLogger,
 		SendBPS:            StringToBps(option.Up),
 		ReceiveBPS:         StringToBps(option.Down),
 		SalamanderPassword: salamanderPassword,
@@ -138,6 +147,37 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 		UDPDisabled:        false,
 		CWND:               option.CWND,
 		UdpMTU:             option.UdpMTU,
+		ServerAddress: func(ctx context.Context) (*net.UDPAddr, error) {
+			return resolveUDPAddrWithPrefer(ctx, "udp", addr, C.NewDNSPrefer(option.IPVersion))
+		},
+	}
+
+	var ranges utils.IntRanges[uint16]
+	var serverAddress []string
+	if option.Ports != "" {
+		ranges, err = utils.NewUnsignedRanges[uint16](option.Ports)
+		if err != nil {
+			return nil, err
+		}
+		ranges.Range(func(port uint16) bool {
+			serverAddress = append(serverAddress, net.JoinHostPort(option.Server, strconv.Itoa(int(port))))
+			return true
+		})
+		if len(serverAddress) > 0 {
+			clientOptions.ServerAddress = func(ctx context.Context) (*net.UDPAddr, error) {
+				return resolveUDPAddrWithPrefer(ctx, "udp", serverAddress[fastrand.Intn(len(serverAddress))], C.NewDNSPrefer(option.IPVersion))
+			}
+
+			if option.HopInterval == 0 {
+				option.HopInterval = defaultHopInterval
+			} else if option.HopInterval < minHopInterval {
+				option.HopInterval = minHopInterval
+			}
+			clientOptions.HopInterval = time.Duration(option.HopInterval) * time.Second
+		}
+	}
+	if option.Port == 0 && len(serverAddress) == 0 {
+		return nil, errors.New("invalid port")
 	}
 
 	client, err := hysteria2.NewClient(clientOptions)

adapter/outbound/ssh.go

@@ -0,0 +1,208 @@
+package outbound
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"fmt"
+	"net"
+	"os"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+
+	N "github.com/metacubex/mihomo/common/net"
+	"github.com/metacubex/mihomo/component/dialer"
+	"github.com/metacubex/mihomo/component/proxydialer"
+	C "github.com/metacubex/mihomo/constant"
+
+	"github.com/zhangyunhao116/fastrand"
+	"golang.org/x/crypto/ssh"
+)
+
+type Ssh struct {
+	*Base
+
+	option *SshOption
+	client *sshClient // using a standalone struct to avoid its inner loop invalidate the Finalizer
+}
+
+type SshOption struct {
+	BasicOption
+	Name                 string   `proxy:"name"`
+	Server               string   `proxy:"server"`
+	Port                 int      `proxy:"port"`
+	UserName             string   `proxy:"username"`
+	Password             string   `proxy:"password,omitempty"`
+	PrivateKey           string   `proxy:"private-key,omitempty"`
+	PrivateKeyPassphrase string   `proxy:"private-key-passphrase,omitempty"`
+	HostKey              []string `proxy:"host-key,omitempty"`
+	HostKeyAlgorithms    []string `proxy:"host-key-algorithms,omitempty"`
+}
+
+func (s *Ssh) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+	var cDialer C.Dialer = dialer.NewDialer(s.Base.DialOptions(opts...)...)
+	if len(s.option.DialerProxy) > 0 {
+		cDialer, err = proxydialer.NewByName(s.option.DialerProxy, cDialer)
+		if err != nil {
+			return nil, err
+		}
+	}
+	client, err := s.client.connect(ctx, cDialer, s.addr)
+	if err != nil {
+		return nil, err
+	}
+	c, err := client.DialContext(ctx, "tcp", metadata.RemoteAddress())
+	if err != nil {
+		return nil, err
+	}
+
+	return NewConn(N.NewRefConn(c, s), s), nil
+}
+
+type sshClient struct {
+	config *ssh.ClientConfig
+	client *ssh.Client
+	cMutex sync.Mutex
+}
+
+func (s *sshClient) connect(ctx context.Context, cDialer C.Dialer, addr string) (client *ssh.Client, err error) {
+	s.cMutex.Lock()
+	defer s.cMutex.Unlock()
+	if s.client != nil {
+		return s.client, nil
+	}
+	c, err := cDialer.DialContext(ctx, "tcp", addr)
+	if err != nil {
+		return nil, err
+	}
+	N.TCPKeepAlive(c)
+
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)
+
+	if ctx.Done() != nil {
+		done := N.SetupContextForConn(ctx, c)
+		defer done(&err)
+	}
+
+	clientConn, chans, reqs, err := ssh.NewClientConn(c, addr, s.config)
+	if err != nil {
+		return nil, err
+	}
+	client = ssh.NewClient(clientConn, chans, reqs)
+
+	s.client = client
+
+	go func() {
+		_ = client.Wait() // wait shutdown
+		_ = client.Close()
+		s.cMutex.Lock()
+		defer s.cMutex.Unlock()
+		if s.client == client {
+			s.client = nil
+		}
+	}()
+
+	return client, nil
+}
+
+func (s *sshClient) Close() error {
+	s.cMutex.Lock()
+	defer s.cMutex.Unlock()
+	if s.client != nil {
+		return s.client.Close()
+	}
+	return nil
+}
+
+func closeSsh(s *Ssh) {
+	_ = s.client.Close()
+}
+
+func NewSsh(option SshOption) (*Ssh, error) {
+	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+
+	config := ssh.ClientConfig{
+		User:              option.UserName,
+		HostKeyCallback:   ssh.InsecureIgnoreHostKey(),
+		HostKeyAlgorithms: option.HostKeyAlgorithms,
+	}
+
+	if option.PrivateKey != "" {
+		var b []byte
+		var err error
+		if strings.Contains(option.PrivateKey, "PRIVATE KEY") {
+			b = []byte(option.PrivateKey)
+		} else {
+			b, err = os.ReadFile(C.Path.Resolve(option.PrivateKey))
+			if err != nil {
+				return nil, err
+			}
+		}
+		var pKey ssh.Signer
+		if option.PrivateKeyPassphrase != "" {
+			pKey, err = ssh.ParsePrivateKeyWithPassphrase(b, []byte(option.PrivateKeyPassphrase))
+		} else {
+			pKey, err = ssh.ParsePrivateKey(b)
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		config.Auth = append(config.Auth, ssh.PublicKeys(pKey))
+	}
+
+	if option.Password != "" {
+		config.Auth = append(config.Auth, ssh.Password(option.Password))
+	}
+
+	if len(option.HostKey) != 0 {
+		keys := make([]ssh.PublicKey, len(option.HostKey))
+		for i, hostKey := range option.HostKey {
+			key, _, _, _, err := ssh.ParseAuthorizedKey([]byte(hostKey))
+			if err != nil {
+				return nil, fmt.Errorf("parse host key :%s", key)
+			}
+			keys[i] = key
+		}
+		config.HostKeyCallback = func(hostname string, remote net.Addr, key ssh.PublicKey) error {
+			serverKey := key.Marshal()
+			for _, hostKey := range keys {
+				if bytes.Equal(serverKey, hostKey.Marshal()) {
+					return nil
+				}
+			}
+			return fmt.Errorf("host key mismatch, server send :%s %s", key.Type(), base64.StdEncoding.EncodeToString(serverKey))
+		}
+	}
+
+	version := "SSH-2.0-OpenSSH_"
+	if fastrand.Intn(2) == 0 {
+		version += "7." + strconv.Itoa(fastrand.Intn(10))
+	} else {
+		version += "8." + strconv.Itoa(fastrand.Intn(9))
+	}
+	config.ClientVersion = version
+
+	outbound := &Ssh{
+		Base: &Base{
+			name:   option.Name,
+			addr:   addr,
+			tp:     C.Ssh,
+			udp:    false,
+			iface:  option.Interface,
+			rmark:  option.RoutingMark,
+			prefer: C.NewDNSPrefer(option.IPVersion),
+		},
+		option: &option,
+		client: &sshClient{
+			config: &config,
+		},
+	}
+	runtime.SetFinalizer(outbound, closeSsh)
+
+	return outbound, nil
+}

adapter/outbound/vless.go

@@ -373,7 +373,7 @@ func (v *Vless) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metada
 			}, M.SocksaddrFromNet(metadata.UDPAddr())),
 		), v), nil
 	}
-	return newPacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
+	return newPacketConn(N.NewThreadSafePacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}), v), nil
 }
 
 // SupportUOT implements C.ProxyAdapter

adapter/outbound/wireguard.go

@@ -13,6 +13,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/metacubex/mihomo/common/atomic"
 	CN "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
@@ -37,16 +38,25 @@ type WireGuard struct {
 	device    *device.Device
 	tunDevice wireguard.Device
 	dialer    proxydialer.SingDialer
-	startOnce sync.Once
-	startErr  error
 	resolver  *dns.Resolver
 	refP      *refProxyAdapter
+
+	initOk        atomic.Bool
+	initMutex     sync.Mutex
+	initErr       error
+	option        WireGuardOption
+	connectAddr   M.Socksaddr
+	localPrefixes []netip.Prefix
+
+	closeCh chan struct{} // for test
 }
 
 type WireGuardOption struct {
 	BasicOption
 	WireGuardPeerOption
 	Name                string `proxy:"name"`
+	Ip                  string `proxy:"ip,omitempty"`
+	Ipv6                string `proxy:"ipv6,omitempty"`
 	PrivateKey          string `proxy:"private-key"`
 	Workers             int    `proxy:"workers,omitempty"`
 	MTU                 int    `proxy:"mtu,omitempty"`
@@ -62,8 +72,6 @@ type WireGuardOption struct {
 type WireGuardPeerOption struct {
 	Server       string   `proxy:"server"`
 	Port         int      `proxy:"port"`
-	Ip           string   `proxy:"ip,omitempty"`
-	Ipv6         string   `proxy:"ipv6,omitempty"`
 	PublicKey    string   `proxy:"public-key,omitempty"`
 	PreSharedKey string   `proxy:"pre-shared-key,omitempty"`
 	Reserved     []uint8  `proxy:"reserved,omitempty"`
@@ -98,7 +106,7 @@ func (option WireGuardPeerOption) Addr() M.Socksaddr {
 	return M.ParseSocksaddrHostPort(option.Server, uint16(option.Port))
 }
 
-func (option WireGuardPeerOption) Prefixes() ([]netip.Prefix, error) {
+func (option WireGuardOption) Prefixes() ([]netip.Prefix, error) {
 	localPrefixes := make([]netip.Prefix, 0, 2)
 	if len(option.Ip) > 0 {
 		if !strings.Contains(option.Ip, "/") {
@@ -149,125 +157,83 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 		copy(reserved[:], option.Reserved)
 	}
 	var isConnect bool
-	var connectAddr M.Socksaddr
 	if len(option.Peers) < 2 {
 		isConnect = true
 		if len(option.Peers) == 1 {
-			connectAddr = option.Peers[0].Addr()
+			outbound.connectAddr = option.Peers[0].Addr()
 		} else {
-			connectAddr = option.Addr()
+			outbound.connectAddr = option.Addr()
 		}
 	}
-	outbound.bind = wireguard.NewClientBind(context.Background(), wgSingErrorHandler{outbound.Name()}, outbound.dialer, isConnect, connectAddr, reserved)
+	outbound.bind = wireguard.NewClientBind(context.Background(), wgSingErrorHandler{outbound.Name()}, outbound.dialer, isConnect, outbound.connectAddr.AddrPort(), reserved)
 
-	var localPrefixes []netip.Prefix
+	var err error
+	outbound.localPrefixes, err = option.Prefixes()
+	if err != nil {
+		return nil, err
+	}
 
-	var privateKey string
 	{
 		bytes, err := base64.StdEncoding.DecodeString(option.PrivateKey)
 		if err != nil {
 			return nil, E.Cause(err, "decode private key")
 		}
-		privateKey = hex.EncodeToString(bytes)
+		option.PrivateKey = hex.EncodeToString(bytes)
 	}
-	ipcConf := "private_key=" + privateKey
+
-	if peersLen := len(option.Peers); peersLen > 0 {
+	if len(option.Peers) > 0 {
-		localPrefixes = make([]netip.Prefix, 0, peersLen*2)
+		for i := range option.Peers {
-		for i, peer := range option.Peers {
+			peer := &option.Peers[i] // we need modify option here
-			var peerPublicKey, preSharedKey string
-			{
 			bytes, err := base64.StdEncoding.DecodeString(peer.PublicKey)
 			if err != nil {
 				return nil, E.Cause(err, "decode public key for peer ", i)
 			}
-				peerPublicKey = hex.EncodeToString(bytes)
+			peer.PublicKey = hex.EncodeToString(bytes)
-			}
+
 			if peer.PreSharedKey != "" {
 				bytes, err := base64.StdEncoding.DecodeString(peer.PreSharedKey)
 				if err != nil {
 					return nil, E.Cause(err, "decode pre shared key for peer ", i)
 				}
-				preSharedKey = hex.EncodeToString(bytes)
+				peer.PreSharedKey = hex.EncodeToString(bytes)
-			}
-			destination := peer.Addr()
-			ipcConf += "\npublic_key=" + peerPublicKey
-			ipcConf += "\nendpoint=" + destination.String()
-			if preSharedKey != "" {
-				ipcConf += "\npreshared_key=" + preSharedKey
 			}
+
 			if len(peer.AllowedIPs) == 0 {
 				return nil, E.New("missing allowed_ips for peer ", i)
 			}
-			for _, allowedIP := range peer.AllowedIPs {
+
-				ipcConf += "\nallowed_ip=" + allowedIP
-			}
 			if len(peer.Reserved) > 0 {
 				if len(peer.Reserved) != 3 {
 					return nil, E.New("invalid reserved value for peer ", i, ", required 3 bytes, got ", len(peer.Reserved))
 				}
-				copy(reserved[:], option.Reserved)
-				outbound.bind.SetReservedForEndpoint(destination, reserved)
 			}
-			prefixes, err := peer.Prefixes()
-			if err != nil {
-				return nil, err
-			}
-			localPrefixes = append(localPrefixes, prefixes...)
 		}
 	} else {
-		var peerPublicKey, preSharedKey string
 		{
 			bytes, err := base64.StdEncoding.DecodeString(option.PublicKey)
 			if err != nil {
 				return nil, E.Cause(err, "decode peer public key")
 			}
-			peerPublicKey = hex.EncodeToString(bytes)
+			option.PublicKey = hex.EncodeToString(bytes)
 		}
 		if option.PreSharedKey != "" {
 			bytes, err := base64.StdEncoding.DecodeString(option.PreSharedKey)
 			if err != nil {
 				return nil, E.Cause(err, "decode pre shared key")
 			}
-			preSharedKey = hex.EncodeToString(bytes)
+			option.PreSharedKey = hex.EncodeToString(bytes)
-		}
-		ipcConf += "\npublic_key=" + peerPublicKey
-		ipcConf += "\nendpoint=" + connectAddr.String()
-		if preSharedKey != "" {
-			ipcConf += "\npreshared_key=" + preSharedKey
-		}
-		var err error
-		localPrefixes, err = option.Prefixes()
-		if err != nil {
-			return nil, err
-		}
-		var has4, has6 bool
-		for _, address := range localPrefixes {
-			if address.Addr().Is4() {
-				has4 = true
-			} else {
-				has6 = true
-			}
-		}
-		if has4 {
-			ipcConf += "\nallowed_ip=0.0.0.0/0"
-		}
-		if has6 {
-			ipcConf += "\nallowed_ip=::/0"
 		}
 	}
+	outbound.option = option
 
-	if option.PersistentKeepalive != 0 {
-		ipcConf += fmt.Sprintf("\npersistent_keepalive_interval=%d", option.PersistentKeepalive)
-	}
 	mtu := option.MTU
 	if mtu == 0 {
 		mtu = 1408
 	}
-	if len(localPrefixes) == 0 {
+	if len(outbound.localPrefixes) == 0 {
 		return nil, E.New("missing local address")
 	}
-	var err error
+	outbound.tunDevice, err = wireguard.NewStackDevice(outbound.localPrefixes, uint32(mtu))
-	outbound.tunDevice, err = wireguard.NewStackDevice(localPrefixes, uint32(mtu))
 	if err != nil {
 		return nil, E.Cause(err, "create WireGuard device")
 	}
@@ -279,17 +245,9 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 			log.SingLogger.Error(fmt.Sprintf("[WG](%s) %s", option.Name, fmt.Sprintf(format, args...)))
 		},
 	}, option.Workers)
-	if debug.Enabled {
-		log.SingLogger.Trace(fmt.Sprintf("[WG](%s) created wireguard ipc conf: \n %s", option.Name, ipcConf))
-	}
-	err = outbound.device.IpcSet(ipcConf)
-	if err != nil {
-		return nil, E.Cause(err, "setup wireguard")
-	}
-	//err = outbound.tunDevice.Start()
 
 	var has6 bool
-	for _, address := range localPrefixes {
+	for _, address := range outbound.localPrefixes {
 		if !address.Addr().Unmap().Is4() {
 			has6 = true
 			break
@@ -315,22 +273,125 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 	return outbound, nil
 }
 
+func (w *WireGuard) resolve(ctx context.Context, address M.Socksaddr) (netip.AddrPort, error) {
+	if address.Addr.IsValid() {
+		return address.AddrPort(), nil
+	}
+	udpAddr, err := resolveUDPAddrWithPrefer(ctx, "udp", address.String(), w.prefer)
+	if err != nil {
+		return netip.AddrPort{}, err
+	}
+	// net.ResolveUDPAddr maybe return 4in6 address, so unmap at here
+	addrPort := udpAddr.AddrPort()
+	return netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port()), nil
+}
+
+func (w *WireGuard) init(ctx context.Context) error {
+	if w.initOk.Load() {
+		return nil
+	}
+	w.initMutex.Lock()
+	defer w.initMutex.Unlock()
+	// double check like sync.Once
+	if w.initOk.Load() {
+		return nil
+	}
+	if w.initErr != nil {
+		return w.initErr
+	}
+
+	w.bind.ResetReservedForEndpoint()
+	ipcConf := "private_key=" + w.option.PrivateKey
+	if len(w.option.Peers) > 0 {
+		for i, peer := range w.option.Peers {
+			destination, err := w.resolve(ctx, peer.Addr())
+			if err != nil {
+				// !!! do not set initErr here !!!
+				// let us can retry domain resolve in next time
+				return E.Cause(err, "resolve endpoint domain for peer ", i)
+			}
+			ipcConf += "\npublic_key=" + peer.PublicKey
+			ipcConf += "\nendpoint=" + destination.String()
+			if peer.PreSharedKey != "" {
+				ipcConf += "\npreshared_key=" + peer.PreSharedKey
+			}
+			for _, allowedIP := range peer.AllowedIPs {
+				ipcConf += "\nallowed_ip=" + allowedIP
+			}
+			if len(peer.Reserved) > 0 {
+				var reserved [3]uint8
+				copy(reserved[:], w.option.Reserved)
+				w.bind.SetReservedForEndpoint(destination, reserved)
+			}
+		}
+	} else {
+		ipcConf += "\npublic_key=" + w.option.PublicKey
+		destination, err := w.resolve(ctx, w.connectAddr)
+		if err != nil {
+			// !!! do not set initErr here !!!
+			// let us can retry domain resolve in next time
+			return E.Cause(err, "resolve endpoint domain")
+		}
+		w.bind.SetConnectAddr(destination)
+		ipcConf += "\nendpoint=" + destination.String()
+		if w.option.PreSharedKey != "" {
+			ipcConf += "\npreshared_key=" + w.option.PreSharedKey
+		}
+		var has4, has6 bool
+		for _, address := range w.localPrefixes {
+			if address.Addr().Is4() {
+				has4 = true
+			} else {
+				has6 = true
+			}
+		}
+		if has4 {
+			ipcConf += "\nallowed_ip=0.0.0.0/0"
+		}
+		if has6 {
+			ipcConf += "\nallowed_ip=::/0"
+		}
+	}
+
+	if w.option.PersistentKeepalive != 0 {
+		ipcConf += fmt.Sprintf("\npersistent_keepalive_interval=%d", w.option.PersistentKeepalive)
+	}
+
+	if debug.Enabled {
+		log.SingLogger.Trace(fmt.Sprintf("[WG](%s) created wireguard ipc conf: \n %s", w.option.Name, ipcConf))
+	}
+	err := w.device.IpcSet(ipcConf)
+	if err != nil {
+		w.initErr = E.Cause(err, "setup wireguard")
+		return w.initErr
+	}
+
+	err = w.tunDevice.Start()
+	if err != nil {
+		w.initErr = err
+		return w.initErr
+	}
+
+	w.initOk.Store(true)
+	return nil
+}
+
 func closeWireGuard(w *WireGuard) {
 	if w.device != nil {
 		w.device.Close()
 	}
 	_ = common.Close(w.tunDevice)
+	if w.closeCh != nil {
+		close(w.closeCh)
+	}
 }
 
 func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	options := w.Base.DialOptions(opts...)
 	w.dialer.SetDialer(dialer.NewDialer(options...))
 	var conn net.Conn
-	w.startOnce.Do(func() {
+	if err = w.init(ctx); err != nil {
-		w.startErr = w.tunDevice.Start()
+		return nil, err
-	})
-	if w.startErr != nil {
-		return nil, w.startErr
 	}
 	if !metadata.Resolved() || w.resolver != nil {
 		r := resolver.DefaultResolver
@@ -358,13 +419,7 @@ func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadat
 	options := w.Base.DialOptions(opts...)
 	w.dialer.SetDialer(dialer.NewDialer(options...))
 	var pc net.PacketConn
-	w.startOnce.Do(func() {
+	if err = w.init(ctx); err != nil {
-		w.startErr = w.tunDevice.Start()
-	})
-	if w.startErr != nil {
-		return nil, w.startErr
-	}
-	if err != nil {
 		return nil, err
 	}
 	if (!metadata.Resolved() || w.resolver != nil) && metadata.Host != "" {

adapter/outbound/wireguard_test.go

@@ -0,0 +1,44 @@
+//go:build with_gvisor
+
+package outbound
+
+import (
+	"context"
+	"runtime"
+	"testing"
+	"time"
+)
+
+func TestWireGuardGC(t *testing.T) {
+	option := WireGuardOption{}
+	option.Server = "162.159.192.1"
+	option.Port = 2408
+	option.PrivateKey = "iOx7749AdqH3IqluG7+0YbGKd0m1mcEXAfGRzpy9rG8="
+	option.PublicKey = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
+	option.Ip = "172.16.0.2"
+	option.Ipv6 = "2606:4700:110:8d29:be92:3a6a:f4:c437"
+	option.Reserved = []uint8{51, 69, 125}
+	wg, err := NewWireGuard(option)
+	if err != nil {
+		t.Error(err)
+	}
+	closeCh := make(chan struct{})
+	wg.closeCh = closeCh
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer cancel()
+	err = wg.init(ctx)
+	if err != nil {
+		t.Error(err)
+	}
+	// must do a small sleep before test GC
+	// because it maybe deadlocks if w.device.Close call too fast after w.device.Start
+	time.Sleep(10 * time.Millisecond)
+	wg = nil
+	runtime.GC()
+	select {
+	case <-closeCh:
+		return
+	case <-ctx.Done():
+		t.Error("timeout not GC")
+	}
+}

adapter/outboundgroup/fallback.go

@@ -164,6 +164,8 @@ func NewFallback(option *GroupCommonOption, providers []provider.ProxyProvider)
 			option.Filter,
 			option.ExcludeFilter,
 			option.ExcludeType,
+			option.TestTimeout,
+			option.MaxFailedTimes,
 			providers,
 		}),
 		disableUDP:     option.DisableUDP,

adapter/outboundgroup/groupbase.go

@@ -31,6 +31,8 @@ type GroupBase struct {
 	failedTesting    atomic.Bool
 	proxies          [][]C.Proxy
 	versions         []atomic.Uint32
+	TestTimeout      int
+	maxFailedTimes   int
 }
 
 type GroupBaseOption struct {
@@ -38,6 +40,8 @@ type GroupBaseOption struct {
 	filter         string
 	excludeFilter  string
 	excludeType    string
+	TestTimeout    int
+	maxFailedTimes int
 	providers      []provider.ProxyProvider
 }
 
@@ -66,6 +70,15 @@ func NewGroupBase(opt GroupBaseOption) *GroupBase {
 		excludeTypeArray: excludeTypeArray,
 		providers:        opt.providers,
 		failedTesting:    atomic.NewBool(false),
+		TestTimeout:      opt.TestTimeout,
+		maxFailedTimes:   opt.maxFailedTimes,
+	}
+
+	if gb.TestTimeout == 0 {
+		gb.TestTimeout = 5000
+	}
+	if gb.maxFailedTimes == 0 {
+		gb.maxFailedTimes = 5
 	}
 
 	gb.proxies = make([][]C.Proxy, len(opt.providers))
@@ -240,13 +253,13 @@ func (gb *GroupBase) onDialFailed(adapterType C.AdapterType, err error) {
 			log.Debugln("ProxyGroup: %s first failed", gb.Name())
 			gb.failedTime = time.Now()
 		} else {
-			if time.Since(gb.failedTime) > gb.failedTimeoutInterval() {
+			if time.Since(gb.failedTime) > time.Duration(gb.TestTimeout)*time.Millisecond {
 				gb.failedTimes = 0
 				return
 			}
 
 			log.Debugln("ProxyGroup: %s failed count: %d", gb.Name(), gb.failedTimes)
-			if gb.failedTimes >= gb.maxFailedTimes() {
+			if gb.failedTimes >= gb.maxFailedTimes {
 				log.Warnln("because %s failed multiple times, active health check", gb.Name())
 				gb.healthCheck()
 			}
@@ -275,20 +288,8 @@ func (gb *GroupBase) healthCheck() {
 	gb.failedTimes = 0
 }
 
-func (gb *GroupBase) failedIntervalTime() int64 {
-	return 5 * time.Second.Milliseconds()
-}
-
 func (gb *GroupBase) onDialSuccess() {
 	if !gb.failedTesting.Load() {
 		gb.failedTimes = 0
 	}
 }
-
-func (gb *GroupBase) maxFailedTimes() int {
-	return 5
-}
-
-func (gb *GroupBase) failedTimeoutInterval() time.Duration {
-	return 5 * time.Second
-}

adapter/outboundgroup/loadbalance.go

@@ -266,6 +266,8 @@ func NewLoadBalance(option *GroupCommonOption, providers []provider.ProxyProvide
 			option.Filter,
 			option.ExcludeFilter,
 			option.ExcludeType,
+			option.TestTimeout,
+			option.MaxFailedTimes,
 			providers,
 		}),
 		strategyFn:     strategyFn,

adapter/outboundgroup/parser.go

@@ -29,6 +29,7 @@ type GroupCommonOption struct {
 	URL                 string   `group:"url,omitempty"`
 	Interval            int      `group:"interval,omitempty"`
 	TestTimeout         int      `group:"timeout,omitempty"`
+	MaxFailedTimes      int      `group:"max-failed-times,omitempty"`
 	Lazy                bool     `group:"lazy,omitempty"`
 	DisableUDP          bool     `group:"disable-udp,omitempty"`
 	Filter              string   `group:"filter,omitempty"`
@@ -64,20 +65,15 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 		groupOption.IncludeAllProviders = true
 		groupOption.IncludeAllProxies = true
 	}
-	var GroupUse []string
+
-	var GroupProxies []string
 	if groupOption.IncludeAllProviders {
-		GroupUse = append(GroupUse, AllProviders...)
+		groupOption.Use = append(groupOption.Use, AllProviders...)
-	} else {
-		GroupUse = groupOption.Use
 	}
 	if groupOption.IncludeAllProxies {
-		GroupProxies = append(groupOption.Proxies, AllProxies...)
+		groupOption.Proxies = append(groupOption.Proxies, AllProxies...)
-	} else {
-		GroupProxies = groupOption.Proxies
 	}
 
-	if len(GroupProxies) == 0 && len(GroupUse) == 0 {
+	if len(groupOption.Proxies) == 0 && len(groupOption.Use) == 0 {
 		return nil, fmt.Errorf("%s: %w", groupName, errMissProxy)
 	}
 
@@ -91,17 +87,32 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 		status = "*"
 	}
 	groupOption.ExpectedStatus = status
-	testUrl := groupOption.URL
 
-	if groupOption.Type != "select" && groupOption.Type != "relay" {
+	if len(groupOption.Use) != 0 {
+		PDs, err := getProviders(providersMap, groupOption.Use)
+		if err != nil {
+			return nil, fmt.Errorf("%s: %w", groupName, err)
+		}
+
+		// if test URL is empty, use the first health check URL of providers
+		if groupOption.URL == "" {
+			for _, pd := range PDs {
+				if pd.HealthCheckURL() != "" {
+					groupOption.URL = pd.HealthCheckURL()
+					break
+				}
+			}
 			if groupOption.URL == "" {
 				groupOption.URL = C.DefaultTestURL
-			testUrl = groupOption.URL
 			}
+		} else {
+			addTestUrlToProviders(PDs, groupOption.URL, expectedStatus, groupOption.Filter, uint(groupOption.Interval))
+		}
+		providers = append(providers, PDs...)
 	}
 
-	if len(GroupProxies) != 0 {
+	if len(groupOption.Proxies) != 0 {
-		ps, err := getProxies(proxyMap, GroupProxies)
+		ps, err := getProxies(proxyMap, groupOption.Proxies)
 		if err != nil {
 			return nil, fmt.Errorf("%s: %w", groupName, err)
 		}
@@ -110,38 +121,28 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 			return nil, fmt.Errorf("%s: %w", groupName, errDuplicateProvider)
 		}
 
-		// select don't need health check
+		if groupOption.URL == "" {
+			groupOption.URL = C.DefaultTestURL
+		}
+
+		// select don't need auto health check
 		if groupOption.Type != "select" && groupOption.Type != "relay" {
 			if groupOption.Interval == 0 {
 				groupOption.Interval = 300
 			}
 		}
 
-		hc := provider.NewHealthCheck(ps, testUrl, uint(groupOption.TestTimeout), uint(groupOption.Interval), groupOption.Lazy, expectedStatus)
+		hc := provider.NewHealthCheck(ps, groupOption.URL, uint(groupOption.TestTimeout), uint(groupOption.Interval), groupOption.Lazy, expectedStatus)
 
 		pd, err := provider.NewCompatibleProvider(groupName, ps, hc)
 		if err != nil {
 			return nil, fmt.Errorf("%s: %w", groupName, err)
 		}
 
-		providers = append(providers, pd)
+		providers = append([]types.ProxyProvider{pd}, providers...)
 		providersMap[groupName] = pd
 	}
 
-	if len(GroupUse) != 0 {
-		list, err := getProviders(providersMap, GroupUse)
-		if err != nil {
-			return nil, fmt.Errorf("%s: %w", groupName, err)
-		}
-
-		// different proxy groups use different test URL
-		addTestUrlToProviders(list, testUrl, expectedStatus, groupOption.Filter, uint(groupOption.Interval))
-
-		providers = append(providers, list...)
-	} else {
-		groupOption.Filter = ""
-	}
-
 	var group C.ProxyAdapter
 	switch groupOption.Type {
 	case "url-test":

adapter/outboundgroup/relay.go

@@ -160,6 +160,8 @@ func NewRelay(option *GroupCommonOption, providers []provider.ProxyProvider) *Re
 			"",
 			"",
 			"",
+			5000,
+			5,
 			providers,
 		}),
 		Hidden: option.Hidden,

adapter/outboundgroup/selector.go

@@ -114,6 +114,8 @@ func NewSelector(option *GroupCommonOption, providers []provider.ProxyProvider)
 			option.Filter,
 			option.ExcludeFilter,
 			option.ExcludeType,
+			option.TestTimeout,
+			option.MaxFailedTimes,
 			providers,
 		}),
 		selected:   "COMPATIBLE",

adapter/outboundgroup/urltest.go

@@ -235,6 +235,8 @@ func NewURLTest(option *GroupCommonOption, providers []provider.ProxyProvider, o
 			option.Filter,
 			option.ExcludeFilter,
 			option.ExcludeType,
+			option.TestTimeout,
+			option.MaxFailedTimes,
 			providers,
 		}),
 		fastSingle:     singledo.NewSingle[C.Proxy](time.Second * 10),

adapter/parser.go

@@ -120,6 +120,13 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 			break
 		}
 		proxy = outbound.NewDirectWithOption(*directOption)
+	case "dns":
+		dnsOptions := &outbound.DnsOption{}
+		err = decoder.Decode(mapping, dnsOptions)
+		if err != nil {
+			break
+		}
+		proxy = outbound.NewDnsWithOption(*dnsOptions)
 	case "reject":
 		rejectOption := &outbound.RejectOption{}
 		err = decoder.Decode(mapping, rejectOption)
@@ -127,6 +134,13 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 			break
 		}
 		proxy = outbound.NewRejectWithOption(*rejectOption)
+	case "ssh":
+		sshOption := &outbound.SshOption{}
+		err = decoder.Decode(mapping, sshOption)
+		if err != nil {
+			break
+		}
+		proxy, err = outbound.NewSsh(*sshOption)
 	default:
 		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)
 	}

adapter/provider/healthcheck.go

@@ -211,8 +211,8 @@ func (hc *HealthCheck) close() {
 
 func NewHealthCheck(proxies []C.Proxy, url string, timeout uint, interval uint, lazy bool, expectedStatus utils.IntRanges[uint16]) *HealthCheck {
 	if url == "" {
-		// expectedStatus = nil
+		expectedStatus = nil
-		url = C.DefaultTestURL
+		interval = 0
 	}
 	if timeout == 0 {
 		timeout = 5000

adapter/provider/parser.go

@@ -36,12 +36,15 @@ type OverrideSchema struct {
 	Interface        *string `provider:"interface-name,omitempty"`
 	RoutingMark      *int    `provider:"routing-mark,omitempty"`
 	IPVersion        *string `provider:"ip-version,omitempty"`
+	AdditionalPrefix *string `provider:"additional-prefix,omitempty"`
+	AdditionalSuffix *string `provider:"additional-suffix,omitempty"`
 }
 
 type proxyProviderSchema struct {
 	Type          string `provider:"type"`
 	Path          string `provider:"path,omitempty"`
 	URL           string `provider:"url,omitempty"`
+	Proxy         string `provider:"proxy,omitempty"`
 	Interval      int    `provider:"interval,omitempty"`
 	Filter        string `provider:"filter,omitempty"`
 	ExcludeFilter string `provider:"exclude-filter,omitempty"`
@@ -50,6 +53,7 @@ type proxyProviderSchema struct {
 
 	HealthCheck healthCheckSchema   `provider:"health-check,omitempty"`
 	Override    OverrideSchema      `provider:"override,omitempty"`
+	Header      map[string][]string `provider:"header,omitempty"`
 }
 
 func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvider, error) {
@@ -84,16 +88,14 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 		path := C.Path.Resolve(schema.Path)
 		vehicle = resource.NewFileVehicle(path)
 	case "http":
+		path := C.Path.GetPathByHash("proxies", schema.URL)
 		if schema.Path != "" {
-			path := C.Path.Resolve(schema.Path)
+			path = C.Path.Resolve(schema.Path)
 			if !features.CMFA && !C.Path.IsSafePath(path) {
 				return nil, fmt.Errorf("%w: %s", errSubPath, path)
 			}
-			vehicle = resource.NewHTTPVehicle(schema.URL, path)
-		} else {
-			path := C.Path.GetPathByHash("proxies", schema.URL)
-			vehicle = resource.NewHTTPVehicle(schema.URL, path)
 		}
+		vehicle = resource.NewHTTPVehicle(schema.URL, path, schema.Proxy, schema.Header)
 	default:
 		return nil, fmt.Errorf("%w: %s", errVehicleType, schema.Type)
 	}

adapter/provider/provider.go

@@ -46,18 +46,13 @@ type proxySetProvider struct {
 }
 
 func (pp *proxySetProvider) MarshalJSON() ([]byte, error) {
-	expectedStatus := "*"
-	if pp.healthCheck.expectedStatus != nil {
-		expectedStatus = pp.healthCheck.expectedStatus.ToString()
-	}
-
 	return json.Marshal(map[string]any{
 		"name":             pp.Name(),
 		"type":             pp.Type().String(),
 		"vehicleType":      pp.VehicleType().String(),
 		"proxies":          pp.Proxies(),
 		"testUrl":          pp.healthCheck.url,
-		"expectedStatus":   expectedStatus,
+		"expectedStatus":   pp.healthCheck.expectedStatus.String(),
 		"updatedAt":        pp.UpdatedAt,
 		"subscriptionInfo": pp.subscriptionInfo,
 	})
@@ -106,6 +101,10 @@ func (pp *proxySetProvider) Touch() {
 	pp.healthCheck.touch()
 }
 
+func (pp *proxySetProvider) HealthCheckURL() string {
+	return pp.healthCheck.url
+}
+
 func (pp *proxySetProvider) RegisterHealthCheckTask(url string, expectedStatus utils.IntRanges[uint16], filter string, interval uint) {
 	pp.healthCheck.registerHealthCheckTask(url, expectedStatus, filter, interval)
 }
@@ -125,8 +124,8 @@ func (pp *proxySetProvider) getSubscriptionInfo() {
 	go func() {
 		ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
 		defer cancel()
-		resp, err := mihomoHttp.HttpRequest(ctx, pp.Vehicle().(*resource.HTTPVehicle).Url(),
+		resp, err := mihomoHttp.HttpRequestWithProxy(ctx, pp.Vehicle().(*resource.HTTPVehicle).Url(),
-			http.MethodGet, http.Header{"User-Agent": {C.UA}}, nil)
+			http.MethodGet, http.Header{"User-Agent": {C.UA}}, nil, pp.Vehicle().Proxy())
 		if err != nil {
 			return
 		}
@@ -134,8 +133,8 @@ func (pp *proxySetProvider) getSubscriptionInfo() {
 
 		userInfoStr := strings.TrimSpace(resp.Header.Get("subscription-userinfo"))
 		if userInfoStr == "" {
-			resp2, err := mihomoHttp.HttpRequest(ctx, pp.Vehicle().(*resource.HTTPVehicle).Url(),
+			resp2, err := mihomoHttp.HttpRequestWithProxy(ctx, pp.Vehicle().(*resource.HTTPVehicle).Url(),
-				http.MethodGet, http.Header{"User-Agent": {"Quantumultx"}}, nil)
+				http.MethodGet, http.Header{"User-Agent": {"Quantumultx"}}, nil, pp.Vehicle().Proxy())
 			if err != nil {
 				return
 			}
@@ -217,18 +216,13 @@ type compatibleProvider struct {
 }
 
 func (cp *compatibleProvider) MarshalJSON() ([]byte, error) {
-	expectedStatus := "*"
-	if cp.healthCheck.expectedStatus != nil {
-		expectedStatus = cp.healthCheck.expectedStatus.ToString()
-	}
-
 	return json.Marshal(map[string]any{
 		"name":           cp.Name(),
 		"type":           cp.Type().String(),
 		"vehicleType":    cp.VehicleType().String(),
 		"proxies":        cp.Proxies(),
 		"testUrl":        cp.healthCheck.url,
-		"expectedStatus": expectedStatus,
+		"expectedStatus": cp.healthCheck.expectedStatus.String(),
 	})
 }
 
@@ -271,6 +265,10 @@ func (cp *compatibleProvider) Touch() {
 	cp.healthCheck.touch()
 }
 
+func (cp *compatibleProvider) HealthCheckURL() string {
+	return cp.healthCheck.url
+}
+
 func (cp *compatibleProvider) RegisterHealthCheckTask(url string, expectedStatus utils.IntRanges[uint16], filter string, interval uint) {
 	cp.healthCheck.registerHealthCheckTask(url, expectedStatus, filter, interval)
 }
@@ -399,6 +397,14 @@ func proxiesParseAndFilter(filter string, excludeFilter string, excludeTypeArray
 				if override.IPVersion != nil {
 					mapping["ip-version"] = *override.IPVersion
 				}
+				if override.AdditionalPrefix != nil {
+					name := mapping["name"].(string)
+					mapping["name"] = *override.AdditionalPrefix + name
+				}
+				if override.AdditionalSuffix != nil {
+					name := mapping["name"].(string)
+					mapping["name"] = name + *override.AdditionalSuffix
+				}
 
 				proxy, err := adapter.ParseProxy(mapping)
 				if err != nil {

android_tz.go

@@ -0,0 +1,21 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// kanged from https://github.com/golang/mobile/blob/c713f31d574bb632a93f169b2cc99c9e753fef0e/app/android.go#L89
+
+package main
+
+// #include <time.h>
+import "C"
+import "time"
+
+func init() {
+	var currentT C.time_t
+	var currentTM C.struct_tm
+	C.time(&currentT)
+	C.localtime_r(&currentT, &currentTM)
+	tzOffset := int(currentTM.tm_gmtoff)
+	tz := C.GoString(currentTM.tm_zone)
+	time.Local = time.FixedZone(tz, tzOffset)
+}

common/atomic/value.go

@@ -15,28 +15,39 @@ type TypedValue[T any] struct {
 	value atomic.Value
 }
 
+// tValue is a struct with determined type to resolve atomic.Value usages with interface types
+// https://github.com/golang/go/issues/22550
+//
+// The intention to have an atomic value store for errors. However, running this code panics:
+// panic: sync/atomic: store of inconsistently typed value into Value
+// This is because atomic.Value requires that the underlying concrete type be the same (which is a reasonable expectation for its implementation).
+// When going through the atomic.Value.Store method call, the fact that both these are of the error interface is lost.
+type tValue[T any] struct {
+	value T
+}
+
 func (t *TypedValue[T]) Load() T {
 	value := t.value.Load()
 	if value == nil {
 		return DefaultValue[T]()
 	}
-	return value.(T)
+	return value.(tValue[T]).value
 }
 
 func (t *TypedValue[T]) Store(value T) {
-	t.value.Store(value)
+	t.value.Store(tValue[T]{value})
 }
 
 func (t *TypedValue[T]) Swap(new T) T {
-	old := t.value.Swap(new)
+	old := t.value.Swap(tValue[T]{new})
 	if old == nil {
 		return DefaultValue[T]()
 	}
-	return old.(T)
+	return old.(tValue[T]).value
 }
 
 func (t *TypedValue[T]) CompareAndSwap(old, new T) bool {
-	return t.value.CompareAndSwap(old, new)
+	return t.value.CompareAndSwap(tValue[T]{old}, tValue[T]{new})
 }
 
 func (t *TypedValue[T]) MarshalJSON() ([]byte, error) {

common/convert/converter.go

@@ -330,7 +330,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 
 				vmess["h2-opts"] = h2Opts
 
-			case "ws":
+			case "ws", "httpupgrade":
 				headers := make(map[string]any)
 				wsOpts := make(map[string]any)
 				wsOpts["path"] = []string{"/"}
@@ -338,7 +338,30 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 					headers["Host"] = host.(string)
 				}
 				if path, ok := values["path"]; ok && path != "" {
-					wsOpts["path"] = path.(string)
+					path := path.(string)
+					pathURL, err := url.Parse(path)
+					if err == nil {
+						query := pathURL.Query()
+						if earlyData := query.Get("ed"); earlyData != "" {
+							med, err := strconv.Atoi(earlyData)
+							if err == nil {
+								switch network {
+								case "ws":
+									wsOpts["max-early-data"] = med
+									wsOpts["early-data-header-name"] = "Sec-WebSocket-Protocol"
+								case "httpupgrade":
+									wsOpts["v2ray-http-upgrade-fast-open"] = true
+								}
+								query.Del("ed")
+								pathURL.RawQuery = query.Encode()
+								path = pathURL.String()
+							}
+						}
+						if earlyDataHeader := query.Get("eh"); earlyDataHeader != "" {
+							wsOpts["early-data-header-name"] = earlyDataHeader
+						}
+					}
+					wsOpts["path"] = path
 				}
 				wsOpts["headers"] = headers
 				vmess["ws-opts"] = wsOpts

common/convert/v.go

@@ -100,7 +100,7 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 		h2Opts["headers"] = headers
 		proxy["h2-opts"] = h2Opts
 
-	case "ws":
+	case "ws", "httpupgrade":
 		headers := make(map[string]any)
 		wsOpts := make(map[string]any)
 		headers["User-Agent"] = RandUserAgent()
@@ -113,7 +113,13 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 			if err != nil {
 				return fmt.Errorf("bad WebSocket max early data size: %v", err)
 			}
+			switch network {
+			case "ws":
 				wsOpts["max-early-data"] = med
+				wsOpts["early-data-header-name"] = "Sec-WebSocket-Protocol"
+			case "httpupgrade":
+				wsOpts["v2ray-http-upgrade-fast-open"] = true
+			}
 		}
 		if earlyDataHeader := query.Get("eh"); earlyDataHeader != "" {
 			wsOpts["early-data-header-name"] = earlyDataHeader

common/net/deadline/conn.go

@@ -26,6 +26,11 @@ type Conn struct {
 	resultCh     chan *connReadResult
 }
 
+func IsConn(conn any) bool {
+	_, ok := conn.(*Conn)
+	return ok
+}
+
 func NewConn(conn net.Conn) *Conn {
 	c := &Conn{
 		ExtendedConn: bufio.NewExtendedConn(conn),

common/net/deadline/pipe_sing.go

@@ -215,3 +215,8 @@ func (p *pipe) waitReadBuffer() (buffer *buf.Buffer, err error) {
 		return nil, os.ErrDeadlineExceeded
 	}
 }
+
+func IsPipe(conn any) bool {
+	_, ok := conn.(*pipe)
+	return ok
+}

common/net/earlyconn.go

@@ -3,10 +3,9 @@ package net
 import (
 	"net"
 	"sync"
-	"sync/atomic"
-	"unsafe"
 
 	"github.com/metacubex/mihomo/common/buf"
+	"github.com/metacubex/mihomo/common/once"
 )
 
 type earlyConn struct {
@@ -44,8 +43,7 @@ func (conn *earlyConn) Upstream() any {
 }
 
 func (conn *earlyConn) Success() bool {
-	// atomic visit sync.Once.done
+	return once.Done(&conn.resOnce) && conn.resErr == nil
-	return atomic.LoadUint32((*uint32)(unsafe.Pointer(&conn.resOnce))) == 1 && conn.resErr == nil
 }
 
 func (conn *earlyConn) ReaderReplaceable() bool {

common/net/sing.go

@@ -23,6 +23,12 @@ type ExtendedReader = network.ExtendedReader
 var WriteBuffer = bufio.WriteBuffer
 
 func NewDeadlineConn(conn net.Conn) ExtendedConn {
+	if deadline.IsPipe(conn) || deadline.IsPipe(network.UnwrapReader(conn)) {
+		return NewExtendedConn(conn) // pipe always have correctly deadline implement
+	}
+	if deadline.IsConn(conn) || deadline.IsConn(network.UnwrapReader(conn)) {
+		return NewExtendedConn(conn) // was a *deadline.Conn
+	}
 	return deadline.NewConn(conn)
 }
 

common/once/once_go120.go

@@ -0,0 +1,26 @@
+//go:build !go1.22
+
+package once
+
+import (
+	"sync"
+	"sync/atomic"
+	"unsafe"
+)
+
+type Once struct {
+	done uint32
+	m    sync.Mutex
+}
+
+func Done(once *sync.Once) bool {
+	// atomic visit sync.Once.done
+	return atomic.LoadUint32((*uint32)(unsafe.Pointer(once))) == 1
+}
+
+func Reset(once *sync.Once) {
+	o := (*Once)(unsafe.Pointer(once))
+	o.m.Lock()
+	defer o.m.Unlock()
+	atomic.StoreUint32(&o.done, 0)
+}

common/once/once_go122.go

@@ -0,0 +1,26 @@
+//go:build go1.22
+
+package once
+
+import (
+	"sync"
+	"sync/atomic"
+	"unsafe"
+)
+
+type Once struct {
+	done atomic.Uint32
+	m    sync.Mutex
+}
+
+func Done(once *sync.Once) bool {
+	// atomic visit sync.Once.done
+	return (*atomic.Uint32)(unsafe.Pointer(once)).Load() == 1
+}
+
+func Reset(once *sync.Once) {
+	o := (*Once)(unsafe.Pointer(once))
+	o.m.Lock()
+	defer o.m.Unlock()
+	o.done.Store(0)
+}

common/utils/ranges.go

@@ -20,6 +20,8 @@ func newIntRanges[T constraints.Integer](expected string, parseFn func(string) (
 		return nil, nil
 	}
 
+	// support: 200,302 or 200,204,401-429,501-503
+	expected = strings.ReplaceAll(expected, ",", "/")
 	list := strings.Split(expected, "/")
 	if len(list) > 28 {
 		return nil, fmt.Errorf("%w, too many ranges to use, maximum support 28 ranges", errIntRanges)
@@ -47,9 +49,9 @@ func newIntRangesFromList[T constraints.Integer](list []string, parseFn func(str
 		}
 
 		switch statusLen {
-		case 1:
+		case 1: // Port range
 			ranges = append(ranges, NewRange(T(start), T(start)))
-		case 2:
+		case 2: // Single port
 			end, err := parseFn(strings.Trim(status[1], "[ ]"))
 			if err != nil {
 				return nil, errIntRanges
@@ -108,7 +110,7 @@ func (ranges IntRanges[T]) Check(status T) bool {
 	return false
 }
 
-func (ranges IntRanges[T]) ToString() string {
+func (ranges IntRanges[T]) String() string {
 	if len(ranges) == 0 {
 		return "*"
 	}
@@ -130,3 +132,17 @@ func (ranges IntRanges[T]) ToString() string {
 
 	return strings.Join(terms, "/")
 }
+
+func (ranges IntRanges[T]) Range(f func(t T) bool) {
+	if len(ranges) == 0 {
+		return
+	}
+
+	for _, r := range ranges {
+		for i := r.Start(); i <= r.End(); i++ {
+			if !f(i) {
+				return
+			}
+		}
+	}
+}

component/ca/config.go

@@ -5,12 +5,16 @@ import (
 	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
+	_ "embed"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
 	"sync"
+
+	C "github.com/metacubex/mihomo/constant"
 )
 
 var trustCerts []*x509.Certificate
@@ -18,6 +22,11 @@ var globalCertPool *x509.CertPool
 var mutex sync.RWMutex
 var errNotMatch = errors.New("certificate fingerprints do not match")
 
+//go:embed ca-certificates.crt
+var _CaCertificates []byte
+var DisableEmbedCa, _ = strconv.ParseBool(os.Getenv("DISABLE_EMBED_CA"))
+var DisableSystemCa, _ = strconv.ParseBool(os.Getenv("DISABLE_SYSTEM_CA"))
+
 func AddCertificate(certificate string) error {
 	mutex.Lock()
 	defer mutex.Unlock()
@@ -34,13 +43,20 @@ func AddCertificate(certificate string) error {
 
 func initializeCertPool() {
 	var err error
+	if DisableSystemCa {
+		globalCertPool = x509.NewCertPool()
+	} else {
 		globalCertPool, err = x509.SystemCertPool()
 		if err != nil {
 			globalCertPool = x509.NewCertPool()
 		}
+	}
 	for _, cert := range trustCerts {
 		globalCertPool.AddCert(cert)
 	}
+	if !DisableEmbedCa {
+		globalCertPool.AppendCertsFromPEM(_CaCertificates)
+	}
 }
 
 func ResetCertificate() {
@@ -103,7 +119,7 @@ func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, cu
 	var certificate []byte
 	var err error
 	if len(customCA) > 0 {
-		certificate, err = os.ReadFile(customCA)
+		certificate, err = os.ReadFile(C.Path.Resolve(customCA))
 		if err != nil {
 			return nil, fmt.Errorf("load ca error: %w", err)
 		}

component/dhcp/conn.go

@@ -3,6 +3,7 @@ package dhcp
 import (
 	"context"
 	"net"
+	"net/netip"
 	"runtime"
 
 	"github.com/metacubex/mihomo/component/dialer"
@@ -24,5 +25,5 @@ func ListenDHCPClient(ctx context.Context, ifaceName string) (net.PacketConn, er
 		options = append(options, dialer.WithFallbackBind(true))
 	}
 
-	return dialer.ListenPacket(ctx, "udp4", listenAddr, options...)
+	return dialer.ListenPacket(ctx, "udp4", listenAddr, netip.AddrPortFrom(netip.AddrFrom4([4]byte{255, 255, 255, 255}), 67), options...)
 }

component/dialer/bind.go

@@ -14,6 +14,7 @@ func LookupLocalAddrFromIfaceName(ifaceName string, network string, destination
 	if err != nil {
 		return nil, err
 	}
+	destination = destination.Unmap()
 
 	var addr netip.Prefix
 	switch network {
@@ -23,7 +24,7 @@ func LookupLocalAddrFromIfaceName(ifaceName string, network string, destination
 		addr, err = ifaceObj.PickIPv6Addr(destination)
 	default:
 		if destination.IsValid() {
-			if destination.Is4() || destination.Is4In6() {
+			if destination.Is4() {
 				addr, err = ifaceObj.PickIPv4Addr(destination)
 			} else {
 				addr, err = ifaceObj.PickIPv6Addr(destination)
@@ -74,7 +75,7 @@ func fallbackBindIfaceToDialer(ifaceName string, dialer *net.Dialer, network str
 	return nil
 }
 
-func fallbackBindIfaceToListenConfig(ifaceName string, _ *net.ListenConfig, network, address string) (string, error) {
+func fallbackBindIfaceToListenConfig(ifaceName string, _ *net.ListenConfig, network, address string, rAddrPort netip.AddrPort) (string, error) {
 	_, port, err := net.SplitHostPort(address)
 	if err != nil {
 		port = "0"

component/dialer/bind_darwin.go

@@ -46,7 +46,7 @@ func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, _ string, _ netip.A
 	return nil
 }
 
-func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address string) (string, error) {
+func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address string, rAddrPort netip.AddrPort) (string, error) {
 	ifaceObj, err := iface.ResolveInterface(ifaceName)
 	if err != nil {
 		return "", err

component/dialer/bind_linux.go

@@ -35,7 +35,7 @@ func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, _ string, _ netip.A
 	return nil
 }
 
-func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address string) (string, error) {
+func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address string, rAddrPort netip.AddrPort) (string, error) {
 	addControlToListenConfig(lc, bindControl(ifaceName))
 
 	return address, nil

component/dialer/bind_others.go

@@ -11,8 +11,8 @@ func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, network string, des
 	return fallbackBindIfaceToDialer(ifaceName, dialer, network, destination)
 }
 
-func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, network, address string) (string, error) {
+func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, network, address string, rAddrPort netip.AddrPort) (string, error) {
-	return fallbackBindIfaceToListenConfig(ifaceName, lc, network, address)
+	return fallbackBindIfaceToListenConfig(ifaceName, lc, network, address, rAddrPort)
 }
 
 func ParseNetwork(network string, addr netip.Addr) string {

component/dialer/bind_windows.go

@@ -36,7 +36,7 @@ func bind6(handle syscall.Handle, ifaceIdx int) error {
 	return err
 }
 
-func bindControl(ifaceIdx int) controlFn {
+func bindControl(ifaceIdx int, rAddrPort netip.AddrPort) controlFn {
 	return func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 		addrPort, err := netip.ParseAddrPort(address)
 		if err == nil && !addrPort.Addr().IsGlobalUnicast() {
@@ -55,7 +55,7 @@ func bindControl(ifaceIdx int) controlFn {
 				innerErr = bind4err
 			case "udp6":
 				// golang will set network to udp6 when listenUDP on wildcard ip (eg: ":0", "")
-				if (!addrPort.Addr().IsValid() || addrPort.Addr().IsUnspecified()) && bind6err != nil {
+				if (!addrPort.Addr().IsValid() || addrPort.Addr().IsUnspecified()) && bind6err != nil && rAddrPort.Addr().Unmap().Is4() {
 					// try bind ipv6, if failed, ignore. it's a workaround for windows disable interface ipv6
 					if bind4err != nil {
 						innerErr = fmt.Errorf("%w (%s)", bind6err, bind4err)
@@ -76,23 +76,23 @@ func bindControl(ifaceIdx int) controlFn {
 	}
 }
 
-func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, _ string, _ netip.Addr) error {
+func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, _ string, destination netip.Addr) error {
 	ifaceObj, err := iface.ResolveInterface(ifaceName)
 	if err != nil {
 		return err
 	}
 
-	addControlToDialer(dialer, bindControl(ifaceObj.Index))
+	addControlToDialer(dialer, bindControl(ifaceObj.Index, netip.AddrPortFrom(destination, 0)))
 	return nil
 }
 
-func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address string) (string, error) {
+func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address string, rAddrPort netip.AddrPort) (string, error) {
 	ifaceObj, err := iface.ResolveInterface(ifaceName)
 	if err != nil {
 		return "", err
 	}
 
-	addControlToListenConfig(lc, bindControl(ifaceObj.Index))
+	addControlToListenConfig(lc, bindControl(ifaceObj.Index, rAddrPort))
 	return address, nil
 }
 

component/dialer/dialer.go

@@ -7,12 +7,14 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/metacubex/mihomo/component/resolver"
 	"github.com/metacubex/mihomo/constant/features"
+	"github.com/metacubex/mihomo/log"
 )
 
 const (
@@ -24,6 +26,7 @@ type dialFunc func(ctx context.Context, network string, ips []netip.Addr, port s
 
 var (
 	dialMux                      sync.Mutex
+	IP4PEnable                   bool
 	actualSingleStackDialContext = serialSingleStackDialContext
 	actualDualStackDialContext   = serialDualStackDialContext
 	tcpConcurrent                = false
@@ -75,7 +78,7 @@ func DialContext(ctx context.Context, network, address string, options ...Option
 	}
 }
 
-func ListenPacket(ctx context.Context, network, address string, options ...Option) (net.PacketConn, error) {
+func ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort, options ...Option) (net.PacketConn, error) {
 	if features.CMFA && DefaultSocketHook != nil {
 		return listenPacketHooked(ctx, network, address)
 	}
@@ -88,7 +91,7 @@ func ListenPacket(ctx context.Context, network, address string, options ...Optio
 		if cfg.fallbackBind {
 			bind = fallbackBindIfaceToListenConfig
 		}
-		addr, err := bind(cfg.interfaceName, lc, network, address)
+		addr, err := bind(cfg.interfaceName, lc, network, address, rAddrPort)
 		if err != nil {
 			return nil, err
 		}
@@ -128,7 +131,11 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 		return dialContextHooked(ctx, network, destination, port)
 	}
 
-	address := net.JoinHostPort(destination.String(), port)
+	var address string
+	if IP4PEnable {
+		destination, port = lookupIP4P(destination, port)
+	}
+	address = net.JoinHostPort(destination.String(), port)
 
 	netDialer := opt.netDialer
 	switch netDialer.(type) {
@@ -376,10 +383,28 @@ func (d Dialer) ListenPacket(ctx context.Context, network, address string, rAddr
 		// avoid "The requested address is not valid in its context."
 		opt = WithInterface("")
 	}
-	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, opt)
+	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, rAddrPort, opt)
 }
 
 func NewDialer(options ...Option) Dialer {
 	opt := applyOptions(options...)
 	return Dialer{Opt: *opt}
 }
+
+func GetIP4PEnable(enableIP4PConvert bool) {
+	IP4PEnable = enableIP4PConvert
+}
+
+// kanged from https://github.com/heiher/frp/blob/ip4p/client/ip4p.go
+
+func lookupIP4P(addr netip.Addr, port string) (netip.Addr, string) {
+	ip := addr.AsSlice()
+	if ip[0] == 0x20 && ip[1] == 0x01 &&
+		ip[2] == 0x00 && ip[3] == 0x00 {
+		addr = netip.AddrFrom4([4]byte{ip[12], ip[13], ip[14], ip[15]})
+		port = strconv.Itoa(int(ip[10])<<8 + int(ip[11]))
+		log.Debugln("Convert IP4P address %s to %s", ip, net.JoinHostPort(addr.String(), port))
+		return addr, port
+	}
+	return addr, port
+}

component/dialer/tfo.go

@@ -6,7 +6,7 @@ import (
 	"net"
 	"time"
 
-	"github.com/sagernet/tfo-go"
+	"github.com/metacubex/tfo-go"
 )
 
 type tfoConn struct {

component/geodata/init.go

@@ -14,8 +14,11 @@ import (
 	"github.com/metacubex/mihomo/log"
 )
 
-var initGeoSite bool
+var (
-var initGeoIP int
+	initGeoSite bool
+	initGeoIP   int
+	initASN     bool
+)
 
 func InitGeoSite() error {
 	if _, err := os.Stat(C.Path.GeoSite()); os.IsNotExist(err) {
@@ -113,7 +116,7 @@ func InitGeoIP() error {
 	}
 
 	if initGeoIP != 2 {
-		if !mmdb.Verify() {
+		if !mmdb.Verify(C.Path.MMDB()) {
 			log.Warnln("MMDB invalid, remove and download")
 			if err := os.Remove(C.Path.MMDB()); err != nil {
 				return fmt.Errorf("can't remove invalid MMDB: %s", err.Error())
@@ -126,3 +129,27 @@ func InitGeoIP() error {
 	}
 	return nil
 }
+
+func InitASN() error {
+	if _, err := os.Stat(C.Path.ASN()); os.IsNotExist(err) {
+		log.Infoln("Can't find ASN.mmdb, start download")
+		if err := mmdb.DownloadASN(C.Path.ASN()); err != nil {
+			return fmt.Errorf("can't download ASN.mmdb: %s", err.Error())
+		}
+		log.Infoln("Download ASN.mmdb finish")
+		initASN = false
+	}
+	if !initASN {
+		if !mmdb.Verify(C.Path.ASN()) {
+			log.Warnln("ASN invalid, remove and download")
+			if err := os.Remove(C.Path.ASN()); err != nil {
+				return fmt.Errorf("can't remove invalid ASN: %s", err.Error())
+			}
+			if err := mmdb.DownloadASN(C.Path.ASN()); err != nil {
+				return fmt.Errorf("can't download ASN: %s", err.Error())
+			}
+		}
+		initASN = true
+	}
+	return nil
+}

component/geodata/utils.go

@@ -3,19 +3,37 @@ package geodata
 import (
 	"errors"
 	"fmt"
-	"golang.org/x/sync/singleflight"
 	"strings"
 
+	"golang.org/x/sync/singleflight"
+
 	"github.com/metacubex/mihomo/component/geodata/router"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 )
 
-var geoLoaderName = "memconservative"
+var (
-var geoSiteMatcher = "succinct"
+	geoMode        bool
+	AutoUpdate     bool
+	UpdateInterval int
+	geoLoaderName  = "memconservative"
+	geoSiteMatcher = "succinct"
+)
 
 //  geoLoaderName = "standard"
 
+func GeodataMode() bool {
+	return geoMode
+}
+
+func GeoAutoUpdate() bool {
+	return AutoUpdate
+}
+
+func GeoUpdateInterval() int {
+	return UpdateInterval
+}
+
 func LoaderName() string {
 	return geoLoaderName
 }
@@ -24,6 +42,16 @@ func SiteMatcherName() string {
 	return geoSiteMatcher
 }
 
+func SetGeodataMode(newGeodataMode bool) {
+	geoMode = newGeodataMode
+}
+func SetGeoAutoUpdate(newAutoUpdate bool) {
+	AutoUpdate = newAutoUpdate
+}
+func SetGeoUpdateInterval(newGeoUpdateInterval int) {
+	UpdateInterval = newGeoUpdateInterval
+}
+
 func SetLoader(newLoader string) {
 	if newLoader == "memc" {
 		newLoader = "memconservative"

component/http/http.go

@@ -17,7 +17,10 @@ import (
 )
 
 func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader) (*http.Response, error) {
-	UA := C.UA
+	return HttpRequestWithProxy(ctx, url, method, header, body, "")
+}
+
+func HttpRequestWithProxy(ctx context.Context, url, method string, header map[string][]string, body io.Reader, specialProxy string) (*http.Response, error) {
 	method = strings.ToUpper(method)
 	urlRes, err := URL.Parse(url)
 	if err != nil {
@@ -32,7 +35,7 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st
 	}
 
 	if _, ok := header["User-Agent"]; !ok {
-		req.Header.Set("User-Agent", UA)
+		req.Header.Set("User-Agent", C.UA)
 	}
 
 	if err != nil {
@@ -54,7 +57,7 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
-			if conn, err := inner.HandleTcp(address); err == nil {
+			if conn, err := inner.HandleTcp(address, specialProxy); err == nil {
 				return conn, nil
 			} else {
 				d := net.Dialer{}
@@ -66,5 +69,4 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st
 
 	client := http.Client{Transport: transport}
 	return client.Do(req)
-
 }

component/iface/iface.go

@@ -4,7 +4,6 @@ import (
 	"errors"
 	"net"
 	"net/netip"
-	"strings"
 	"time"
 
 	"github.com/metacubex/mihomo/common/singledo"
@@ -24,7 +23,7 @@ var (
 
 var interfaces = singledo.NewSingle[map[string]*Interface](time.Second * 20)
 
-func ResolveInterface(name string) (*Interface, error) {
+func Interfaces() (map[string]*Interface, error) {
 	value, err, _ := interfaces.Do(func() (map[string]*Interface, error) {
 		ifaces, err := net.Interfaces()
 		if err != nil {
@@ -38,29 +37,27 @@ func ResolveInterface(name string) (*Interface, error) {
 			if err != nil {
 				continue
 			}
-			// if not available device like Meta, dummy0, docker0, etc.
-			if (iface.Flags&net.FlagMulticast == 0) || (iface.Flags&net.FlagPointToPoint != 0) || (iface.Flags&net.FlagRunning == 0) {
-				continue
-			}
 
 			ipNets := make([]netip.Prefix, 0, len(addrs))
 			for _, addr := range addrs {
-				ipNet := addr.(*net.IPNet)
+				var pf netip.Prefix
+				switch ipNet := addr.(type) {
+				case *net.IPNet:
 					ip, _ := netip.AddrFromSlice(ipNet.IP)
-
-				//unavailable IPv6 Address
-				if ip.Is6() && strings.HasPrefix(ip.String(), "fe80") {
-					continue
-				}
-
 					ones, bits := ipNet.Mask.Size()
 					if bits == 32 {
 						ip = ip.Unmap()
 					}
-
+					pf = netip.PrefixFrom(ip, ones)
-				pf := netip.PrefixFrom(ip, ones)
+				case *net.IPAddr:
+					ip, _ := netip.AddrFromSlice(ipNet.IP)
+					ip = ip.Unmap()
+					pf = netip.PrefixFrom(ip, ip.BitLen())
+				}
+				if pf.IsValid() {
 					ipNets = append(ipNets, pf)
 				}
+			}
 
 			r[iface.Name] = &Interface{
 				Index:        iface.Index,
@@ -72,11 +69,15 @@ func ResolveInterface(name string) (*Interface, error) {
 
 		return r, nil
 	})
+	return value, err
+}
+
+func ResolveInterface(name string) (*Interface, error) {
+	ifaces, err := Interfaces()
 	if err != nil {
 		return nil, err
 	}
 
-	ifaces := value
 	iface, ok := ifaces[name]
 	if !ok {
 		return nil, ErrIfaceNotFound
@@ -85,6 +86,21 @@ func ResolveInterface(name string) (*Interface, error) {
 	return iface, nil
 }
 
+func IsLocalIp(ip netip.Addr) (bool, error) {
+	ifaces, err := Interfaces()
+	if err != nil {
+		return false, err
+	}
+	for _, iface := range ifaces {
+		for _, addr := range iface.Addrs {
+			if addr.Contains(ip) {
+				return true, nil
+			}
+		}
+	}
+	return false, nil
+}
+
 func FlushCache() {
 	interfaces.Reset()
 }

component/loopback/detector.go

@@ -0,0 +1,89 @@
+package loopback
+
+import (
+	"errors"
+	"fmt"
+	"net/netip"
+
+	"github.com/metacubex/mihomo/common/callback"
+	"github.com/metacubex/mihomo/component/iface"
+	C "github.com/metacubex/mihomo/constant"
+
+	"github.com/puzpuzpuz/xsync/v3"
+)
+
+var ErrReject = errors.New("reject loopback connection")
+
+type Detector struct {
+	connMap       *xsync.MapOf[netip.AddrPort, struct{}]
+	packetConnMap *xsync.MapOf[uint16, struct{}]
+}
+
+func NewDetector() *Detector {
+	return &Detector{
+		connMap:       xsync.NewMapOf[netip.AddrPort, struct{}](),
+		packetConnMap: xsync.NewMapOf[uint16, struct{}](),
+	}
+}
+
+func (l *Detector) NewConn(conn C.Conn) C.Conn {
+	metadata := C.Metadata{}
+	if metadata.SetRemoteAddr(conn.LocalAddr()) != nil {
+		return conn
+	}
+	connAddr := metadata.AddrPort()
+	if !connAddr.IsValid() {
+		return conn
+	}
+	l.connMap.Store(connAddr, struct{}{})
+	return callback.NewCloseCallbackConn(conn, func() {
+		l.connMap.Delete(connAddr)
+	})
+}
+
+func (l *Detector) NewPacketConn(conn C.PacketConn) C.PacketConn {
+	metadata := C.Metadata{}
+	if metadata.SetRemoteAddr(conn.LocalAddr()) != nil {
+		return conn
+	}
+	connAddr := metadata.AddrPort()
+	if !connAddr.IsValid() {
+		return conn
+	}
+	port := connAddr.Port()
+	l.packetConnMap.Store(port, struct{}{})
+	return callback.NewCloseCallbackPacketConn(conn, func() {
+		l.packetConnMap.Delete(port)
+	})
+}
+
+func (l *Detector) CheckConn(metadata *C.Metadata) error {
+	connAddr := metadata.SourceAddrPort()
+	if !connAddr.IsValid() {
+		return nil
+	}
+	if _, ok := l.connMap.Load(connAddr); ok {
+		return fmt.Errorf("%w to: %s", ErrReject, metadata.RemoteAddress())
+	}
+	return nil
+}
+
+func (l *Detector) CheckPacketConn(metadata *C.Metadata) error {
+	connAddr := metadata.SourceAddrPort()
+	if !connAddr.IsValid() {
+		return nil
+	}
+
+	isLocalIp, err := iface.IsLocalIp(connAddr.Addr())
+	if err != nil {
+		return err
+	}
+	if !isLocalIp && !connAddr.Addr().IsLoopback() {
+		return nil
+	}
+
+	if _, ok := l.packetConnMap.Load(connAddr.Port()); ok {
+		return fmt.Errorf("%w to: %s", ErrReject, metadata.RemoteAddress())
+	}
+	return nil
+}

component/mmdb/mmdb.go

@@ -8,6 +8,7 @@ import (
 	"sync"
 	"time"
 
+	mihomoOnce "github.com/metacubex/mihomo/common/once"
 	mihomoHttp "github.com/metacubex/mihomo/component/http"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
@@ -24,56 +25,58 @@ const (
 )
 
 var (
-	reader Reader
+	IPreader  IPReader
-	once   sync.Once
+	ASNreader ASNReader
+	IPonce    sync.Once
+	ASNonce   sync.Once
 )
 
 func LoadFromBytes(buffer []byte) {
-	once.Do(func() {
+	IPonce.Do(func() {
 		mmdb, err := maxminddb.FromBytes(buffer)
 		if err != nil {
 			log.Fatalln("Can't load mmdb: %s", err.Error())
 		}
-		reader = Reader{Reader: mmdb}
+		IPreader = IPReader{Reader: mmdb}
 		switch mmdb.Metadata.DatabaseType {
 		case "sing-geoip":
-			reader.databaseType = typeSing
+			IPreader.databaseType = typeSing
 		case "Meta-geoip0":
-			reader.databaseType = typeMetaV0
+			IPreader.databaseType = typeMetaV0
 		default:
-			reader.databaseType = typeMaxmind
+			IPreader.databaseType = typeMaxmind
 		}
 	})
 }
 
-func Verify() bool {
+func Verify(path string) bool {
-	instance, err := maxminddb.Open(C.Path.MMDB())
+	instance, err := maxminddb.Open(path)
 	if err == nil {
 		instance.Close()
 	}
 	return err == nil
 }
 
-func Instance() Reader {
+func IPInstance() IPReader {
-	once.Do(func() {
+	IPonce.Do(func() {
 		mmdbPath := C.Path.MMDB()
-		log.Debugln("Load MMDB file: %s", mmdbPath)
+		log.Infoln("Load MMDB file: %s", mmdbPath)
 		mmdb, err := maxminddb.Open(mmdbPath)
 		if err != nil {
 			log.Fatalln("Can't load MMDB: %s", err.Error())
 		}
-		reader = Reader{Reader: mmdb}
+		IPreader = IPReader{Reader: mmdb}
 		switch mmdb.Metadata.DatabaseType {
 		case "sing-geoip":
-			reader.databaseType = typeSing
+			IPreader.databaseType = typeSing
 		case "Meta-geoip0":
-			reader.databaseType = typeMetaV0
+			IPreader.databaseType = typeMetaV0
 		default:
-			reader.databaseType = typeMaxmind
+			IPreader.databaseType = typeMaxmind
 		}
 	})
 
-	return reader
+	return IPreader
 }
 
 func DownloadMMDB(path string) (err error) {
@@ -94,3 +97,44 @@ func DownloadMMDB(path string) (err error) {
 
 	return err
 }
+
+func ASNInstance() ASNReader {
+	ASNonce.Do(func() {
+		ASNPath := C.Path.ASN()
+		log.Infoln("Load ASN file: %s", ASNPath)
+		asn, err := maxminddb.Open(ASNPath)
+		if err != nil {
+			log.Fatalln("Can't load ASN: %s", err.Error())
+		}
+		ASNreader = ASNReader{Reader: asn}
+	})
+
+	return ASNreader
+}
+
+func DownloadASN(path string) (err error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
+	defer cancel()
+	resp, err := mihomoHttp.HttpRequest(ctx, C.ASNUrl, http.MethodGet, http.Header{"User-Agent": {C.UA}}, nil)
+	if err != nil {
+		return
+	}
+	defer resp.Body.Close()
+
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	_, err = io.Copy(f, resp.Body)
+
+	return err
+}
+
+func ReloadIP() {
+	mihomoOnce.Reset(&IPonce)
+}
+
+func ReloadASN() {
+	mihomoOnce.Reset(&ASNonce)
+}

component/mmdb/patch_android.go

@@ -5,14 +5,14 @@ package mmdb
 import "github.com/oschwald/maxminddb-golang"
 
 func InstallOverride(override *maxminddb.Reader) {
-	newReader := Reader{Reader: override}
+	newReader := IPReader{Reader: override}
 	switch override.Metadata.DatabaseType {
 	case "sing-geoip":
-		reader.databaseType = typeSing
+		IPreader.databaseType = typeSing
 	case "Meta-geoip0":
-		reader.databaseType = typeMetaV0
+		IPreader.databaseType = typeMetaV0
 	default:
-		reader.databaseType = typeMaxmind
+		IPreader.databaseType = typeMaxmind
 	}
-	reader = newReader
+	IPreader = newReader
 }

component/mmdb/reader.go

@@ -3,9 +3,9 @@ package mmdb
 import (
 	"fmt"
 	"net"
+	"strings"
 
 	"github.com/oschwald/maxminddb-golang"
-	"github.com/sagernet/sing/common"
 )
 
 type geoip2Country struct {
@@ -14,12 +14,21 @@ type geoip2Country struct {
 	} `maxminddb:"country"`
 }
 
-type Reader struct {
+type IPReader struct {
 	*maxminddb.Reader
 	databaseType
 }
 
-func (r Reader) LookupCode(ipAddress net.IP) []string {
+type ASNReader struct {
+	*maxminddb.Reader
+}
+
+type ASNResult struct {
+	AutonomousSystemNumber       uint32 `maxminddb:"autonomous_system_number"`
+	AutonomousSystemOrganization string `maxminddb:"autonomous_system_organization"`
+}
+
+func (r IPReader) LookupCode(ipAddress net.IP) []string {
 	switch r.databaseType {
 	case typeMaxmind:
 		var country geoip2Country
@@ -27,7 +36,7 @@ func (r Reader) LookupCode(ipAddress net.IP) []string {
 		if country.Country.IsoCode == "" {
 			return []string{}
 		}
-		return []string{country.Country.IsoCode}
+		return []string{strings.ToLower(country.Country.IsoCode)}
 
 	case typeSing:
 		var code string
@@ -44,9 +53,11 @@ func (r Reader) LookupCode(ipAddress net.IP) []string {
 		case string:
 			return []string{record}
 		case []any: // lookup returned type of slice is []any
-			return common.Map(record, func(it any) string {
+			result := make([]string, 0, len(record))
-				return it.(string)
+			for _, item := range record {
-			})
+				result = append(result, item.(string))
+			}
+			return result
 		}
 		return []string{}
 
@@ -54,3 +65,9 @@ func (r Reader) LookupCode(ipAddress net.IP) []string {
 		panic(fmt.Sprint("unknown geoip database type:", r.databaseType))
 	}
 }
+
+func (r ASNReader) LookupASN(ip net.IP) ASNResult {
+	var result ASNResult
+	r.Lookup(ip, &result)
+	return result
+}

component/power/event.go

@@ -0,0 +1,22 @@
+package power
+
+type Type uint8
+
+const (
+	SUSPEND Type = iota
+	RESUME
+	RESUMEAUTOMATIC // Because the user is not present, most applications should do nothing.
+)
+
+func (t Type) String() string {
+	switch t {
+	case SUSPEND:
+		return "SUSPEND"
+	case RESUME:
+		return "RESUME"
+	case RESUMEAUTOMATIC:
+		return "RESUMEAUTOMATIC"
+	default:
+		return ""
+	}
+}

component/power/event_other.go

@@ -0,0 +1,9 @@
+//go:build !windows
+
+package power
+
+import "errors"
+
+func NewEventListener(cb func(Type)) (func(), error) {
+	return nil, errors.New("not support on this platform")
+}

component/power/event_windows.go

@@ -0,0 +1,74 @@
+package power
+
+// modify from https://github.com/golang/go/blob/b634f6fdcbebee23b7da709a243f3db217b64776/src/runtime/os_windows.go#L257
+
+import (
+	"runtime"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var (
+	libPowrProf                              = windows.NewLazySystemDLL("powrprof.dll")
+	powerRegisterSuspendResumeNotification   = libPowrProf.NewProc("PowerRegisterSuspendResumeNotification")
+	powerUnregisterSuspendResumeNotification = libPowrProf.NewProc("PowerUnregisterSuspendResumeNotification")
+)
+
+func NewEventListener(cb func(Type)) (func(), error) {
+	if err := powerRegisterSuspendResumeNotification.Find(); err != nil {
+		return nil, err // Running on Windows 7, where we don't need it anyway.
+	}
+	if err := powerUnregisterSuspendResumeNotification.Find(); err != nil {
+		return nil, err // Running on Windows 7, where we don't need it anyway.
+	}
+
+	// Defines the type of event
+	const (
+		PBT_APMSUSPEND         uint32 = 4
+		PBT_APMRESUMESUSPEND   uint32 = 7
+		PBT_APMRESUMEAUTOMATIC uint32 = 18
+	)
+
+	const (
+		_DEVICE_NOTIFY_CALLBACK = 2
+	)
+	type _DEVICE_NOTIFY_SUBSCRIBE_PARAMETERS struct {
+		callback uintptr
+		context  uintptr
+	}
+
+	var fn interface{} = func(context uintptr, changeType uint32, setting uintptr) uintptr {
+		switch changeType {
+		case PBT_APMSUSPEND:
+			cb(SUSPEND)
+		case PBT_APMRESUMESUSPEND:
+			cb(RESUME)
+		case PBT_APMRESUMEAUTOMATIC:
+			cb(RESUMEAUTOMATIC)
+		}
+		return 0
+	}
+
+	params := _DEVICE_NOTIFY_SUBSCRIBE_PARAMETERS{
+		callback: windows.NewCallback(fn),
+	}
+	handle := uintptr(0)
+
+	_, _, err := powerRegisterSuspendResumeNotification.Call(
+		_DEVICE_NOTIFY_CALLBACK,
+		uintptr(unsafe.Pointer(&params)),
+		uintptr(unsafe.Pointer(&handle)),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return func() {
+		_, _, _ = powerUnregisterSuspendResumeNotification.Call(
+			uintptr(unsafe.Pointer(&handle)),
+		)
+		runtime.KeepAlive(params)
+		runtime.KeepAlive(handle)
+	}, nil
+}

component/resolver/host.go

@@ -3,6 +3,8 @@ package resolver
 import (
 	"errors"
 	"net/netip"
+	"os"
+	"strconv"
 	"strings"
 	_ "unsafe"
 
@@ -11,6 +13,8 @@ import (
 	"github.com/zhangyunhao116/fastrand"
 )
 
+var DisableSystemHosts, _ = strconv.ParseBool(os.Getenv("DISABLE_SYSTEM_HOSTS"))
+
 type Hosts struct {
 	*trie.DomainTrie[HostValue]
 }
@@ -47,7 +51,7 @@ func (h *Hosts) Search(domain string, isDomain bool) (*HostValue, bool) {
 
 		return &hostValue, false
 	}
-	if !isDomain {
+	if !isDomain && !DisableSystemHosts {
 		addr, _ := lookupStaticHost(domain)
 		if hostValue, err := NewHostValue(addr); err == nil {
 			return &hostValue, true

component/resolver/relay.go

@@ -0,0 +1,96 @@
+package resolver
+
+import (
+	"context"
+	"encoding/binary"
+	"io"
+	"net"
+	"time"
+
+	"github.com/metacubex/mihomo/common/pool"
+
+	D "github.com/miekg/dns"
+)
+
+const DefaultDnsReadTimeout = time.Second * 10
+const DefaultDnsRelayTimeout = time.Second * 5
+
+const SafeDnsPacketSize = 2 * 1024 // safe size which is 1232 from https://dnsflagday.net/2020/, so 2048 is enough
+
+func RelayDnsConn(ctx context.Context, conn net.Conn, readTimeout time.Duration) error {
+	buff := pool.Get(pool.UDPBufferSize)
+	defer func() {
+		_ = pool.Put(buff)
+		_ = conn.Close()
+	}()
+	for {
+		if readTimeout > 0 {
+			_ = conn.SetReadDeadline(time.Now().Add(readTimeout))
+		}
+
+		length := uint16(0)
+		if err := binary.Read(conn, binary.BigEndian, &length); err != nil {
+			break
+		}
+
+		if int(length) > len(buff) {
+			break
+		}
+
+		n, err := io.ReadFull(conn, buff[:length])
+		if err != nil {
+			break
+		}
+
+		err = func() error {
+			ctx, cancel := context.WithTimeout(ctx, DefaultDnsRelayTimeout)
+			defer cancel()
+			inData := buff[:n]
+			msg, err := relayDnsPacket(ctx, inData, buff, 0)
+			if err != nil {
+				return err
+			}
+
+			err = binary.Write(conn, binary.BigEndian, uint16(len(msg)))
+			if err != nil {
+				return err
+			}
+
+			_, err = conn.Write(msg)
+			if err != nil {
+				return err
+			}
+			return nil
+		}()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func relayDnsPacket(ctx context.Context, payload []byte, target []byte, maxSize int) ([]byte, error) {
+	msg := &D.Msg{}
+	if err := msg.Unpack(payload); err != nil {
+		return nil, err
+	}
+
+	r, err := ServeMsg(ctx, msg)
+	if err != nil {
+		m := new(D.Msg)
+		m.SetRcode(msg, D.RcodeServerFailure)
+		return m.PackBuffer(target)
+	}
+
+	r.SetRcode(msg, r.Rcode)
+	if maxSize > 0 {
+		r.Truncate(maxSize)
+	}
+	r.Compress = true
+	return r.PackBuffer(target)
+}
+
+// RelayDnsPacket will truncate udp message up to SafeDnsPacketSize
+func RelayDnsPacket(ctx context.Context, payload []byte, target []byte) ([]byte, error) {
+	return relayDnsPacket(ctx, payload, target, SafeDnsPacketSize)
+}

component/resolver/resolver.go

@@ -213,11 +213,7 @@ func ResolveIP(ctx context.Context, host string) (netip.Addr, error) {
 // ResolveIPv4ProxyServerHost proxies server host only
 func ResolveIPv4ProxyServerHost(ctx context.Context, host string) (netip.Addr, error) {
 	if ProxyServerHostResolver != nil {
-		if ip, err := ResolveIPv4WithResolver(ctx, host, ProxyServerHostResolver); err != nil {
+		return ResolveIPv4WithResolver(ctx, host, ProxyServerHostResolver)
-			return ResolveIPv4(ctx, host)
-		} else {
-			return ip, nil
-		}
 	}
 	return ResolveIPv4(ctx, host)
 }
@@ -225,11 +221,7 @@ func ResolveIPv4ProxyServerHost(ctx context.Context, host string) (netip.Addr, e
 // ResolveIPv6ProxyServerHost proxies server host only
 func ResolveIPv6ProxyServerHost(ctx context.Context, host string) (netip.Addr, error) {
 	if ProxyServerHostResolver != nil {
-		if ip, err := ResolveIPv6WithResolver(ctx, host, ProxyServerHostResolver); err != nil {
+		return ResolveIPv6WithResolver(ctx, host, ProxyServerHostResolver)
-			return ResolveIPv6(ctx, host)
-		} else {
-			return ip, nil
-		}
 	}
 	return ResolveIPv6(ctx, host)
 }
@@ -237,11 +229,7 @@ func ResolveIPv6ProxyServerHost(ctx context.Context, host string) (netip.Addr, e
 // ResolveProxyServerHost proxies server host only
 func ResolveProxyServerHost(ctx context.Context, host string) (netip.Addr, error) {
 	if ProxyServerHostResolver != nil {
-		if ip, err := ResolveIPWithResolver(ctx, host, ProxyServerHostResolver); err != nil {
+		return ResolveIPWithResolver(ctx, host, ProxyServerHostResolver)
-			return ResolveIP(ctx, host)
-		} else {
-			return ip, err
-		}
 	}
 	return ResolveIP(ctx, host)
 }

component/resolver/system.go

@@ -0,0 +1,39 @@
+package resolver
+
+import "sync"
+
+var blacklist struct {
+	Map   map[string]struct{}
+	Mutex sync.Mutex
+}
+
+func init() {
+	blacklist.Map = make(map[string]struct{})
+}
+
+func AddSystemDnsBlacklist(names ...string) {
+	blacklist.Mutex.Lock()
+	defer blacklist.Mutex.Unlock()
+	for _, name := range names {
+		blacklist.Map[name] = struct{}{}
+	}
+}
+
+func RemoveSystemDnsBlacklist(names ...string) {
+	blacklist.Mutex.Lock()
+	defer blacklist.Mutex.Unlock()
+	for _, name := range names {
+		delete(blacklist.Map, name)
+	}
+}
+
+func IsSystemDnsBlacklisted(names ...string) bool {
+	blacklist.Mutex.Lock()
+	defer blacklist.Mutex.Unlock()
+	for _, name := range names {
+		if _, ok := blacklist.Map[name]; ok {
+			return true
+		}
+	}
+	return false
+}

component/resource/vehicle.go

@@ -28,6 +28,10 @@ func (f *FileVehicle) Read() ([]byte, error) {
 	return os.ReadFile(f.path)
 }
 
+func (f *FileVehicle) Proxy() string {
+	return ""
+}
+
 func NewFileVehicle(path string) *FileVehicle {
 	return &FileVehicle{path: path}
 }
@@ -35,6 +39,8 @@ func NewFileVehicle(path string) *FileVehicle {
 type HTTPVehicle struct {
 	url    string
 	path   string
+	proxy  string
+	header http.Header
 }
 
 func (h *HTTPVehicle) Url() string {
@@ -49,10 +55,14 @@ func (h *HTTPVehicle) Path() string {
 	return h.path
 }
 
+func (h *HTTPVehicle) Proxy() string {
+	return h.proxy
+}
+
 func (h *HTTPVehicle) Read() ([]byte, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancel()
-	resp, err := mihomoHttp.HttpRequest(ctx, h.url, http.MethodGet, nil, nil)
+	resp, err := mihomoHttp.HttpRequestWithProxy(ctx, h.url, http.MethodGet, h.header, nil, h.proxy)
 	if err != nil {
 		return nil, err
 	}
@@ -67,6 +77,6 @@ func (h *HTTPVehicle) Read() ([]byte, error) {
 	return buf, nil
 }
 
-func NewHTTPVehicle(url string, path string) *HTTPVehicle {
+func NewHTTPVehicle(url string, path string, proxy string, header http.Header) *HTTPVehicle {
-	return &HTTPVehicle{url, path}
+	return &HTTPVehicle{url, path, proxy, header}
 }

component/slowdown/slowdown.go

@@ -12,8 +12,10 @@ type SlowDown struct {
 }
 
 func (s *SlowDown) Wait(ctx context.Context) (err error) {
+	timer := time.NewTimer(s.backoff.Duration())
+	defer timer.Stop()
 	select {
-	case <-time.After(s.backoff.Duration()):
+	case <-timer.C:
 	case <-ctx.Done():
 		err = ctx.Err()
 	}

config/config.go

@@ -93,6 +93,7 @@ type Inbound struct {
 type Controller struct {
 	ExternalController     string `json:"-"`
 	ExternalControllerTLS  string `json:"-"`
+	ExternalControllerUnix string `json:"-"`
 	ExternalUI             string `json:"-"`
 	Secret                 string `json:"-"`
 }
@@ -152,6 +153,7 @@ type IPTables struct {
 	Enable           bool     `yaml:"enable" json:"enable"`
 	InboundInterface string   `yaml:"inbound-interface" json:"inbound-interface"`
 	Bypass           []string `yaml:"bypass" json:"bypass"`
+	DnsRedirect      bool     `yaml:"dns-redirect" json:"dns-redirect"`
 }
 
 type Sniffer struct {
@@ -168,6 +170,7 @@ type Experimental struct {
 	Fingerprints     []string `yaml:"fingerprints"`
 	QUICGoDisableGSO bool     `yaml:"quic-go-disable-gso"`
 	QUICGoDisableECN bool     `yaml:"quic-go-disable-ecn"`
+	IP4PEnable       bool     `yaml:"dialer-ip4p-convert"`
 }
 
 // Config is mihomo config manager
@@ -263,6 +266,7 @@ type RawTun struct {
 	EndpointIndependentNat   bool           `yaml:"endpoint-independent-nat" json:"endpoint_independent_nat,omitempty"`
 	UDPTimeout               int64          `yaml:"udp-timeout" json:"udp_timeout,omitempty"`
 	FileDescriptor           int            `yaml:"file-descriptor" json:"file-descriptor"`
+	TableIndex               int            `yaml:"table-index" json:"table-index"`
 }
 
 type RawTuicServer struct {
@@ -301,6 +305,7 @@ type RawConfig struct {
 	LogLevel                log.LogLevel      `yaml:"log-level" json:"log-level"`
 	IPv6                    bool              `yaml:"ipv6" json:"ipv6"`
 	ExternalController      string            `yaml:"external-controller"`
+	ExternalControllerUnix  string            `yaml:"external-controller-unix"`
 	ExternalControllerTLS   string            `yaml:"external-controller-tls"`
 	ExternalUI              string            `yaml:"external-ui"`
 	ExternalUIURL           string            `yaml:"external-ui-url" json:"external-ui-url"`
@@ -346,6 +351,7 @@ type RawConfig struct {
 type GeoXUrl struct {
 	GeoIp   string `yaml:"geoip" json:"geoip"`
 	Mmdb    string `yaml:"mmdb" json:"mmdb"`
+	ASN     string `yaml:"asn" json:"asn"`
 	GeoSite string `yaml:"geosite" json:"geosite"`
 }
 
@@ -409,7 +415,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 		ProxyGroup:        []map[string]any{},
 		TCPConcurrent:     false,
 		FindProcessMode:   P.FindProcessStrict,
-		GlobalUA:          "clash.meta",
+		GlobalUA:          "clash.meta/" + C.Version,
 		Tun: RawTun{
 			Enable:              false,
 			Device:              "",
@@ -440,6 +446,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			Enable:           false,
 			InboundInterface: "lo",
 			Bypass:           []string{},
+			DnsRedirect:      true,
 		},
 		NTP: RawNTP{
 			Enable:        false,
@@ -477,6 +484,11 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 				"www.msftconnecttest.com",
 			},
 		},
+		Experimental: Experimental{
+			// https://github.com/quic-go/quic-go/issues/4178
+			// Quic-go currently cannot automatically fall back on platforms that do not support ecn, so this feature is turned off by default.
+			QUICGoDisableECN: true,
+		},
 		Sniffer: RawSniffer{
 			Enable:          false,
 			Sniffing:        []string{},
@@ -492,6 +504,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 		},
 		GeoXUrl: GeoXUrl{
 			Mmdb:    "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.metadb",
+			ASN:     "https://github.com/xishang0128/geoip/releases/download/latest/GeoLite2-ASN.mmdb",
 			GeoIp:   "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.dat",
 			GeoSite: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat",
 		},
@@ -607,6 +620,9 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 }
 
 func parseGeneral(cfg *RawConfig) (*General, error) {
+	geodata.SetGeodataMode(cfg.GeodataMode)
+	geodata.SetGeoAutoUpdate(cfg.GeoAutoUpdate)
+	geodata.SetGeoUpdateInterval(cfg.GeoUpdateInterval)
 	geodata.SetLoader(cfg.GeodataLoader)
 	geodata.SetSiteMatcher(cfg.GeositeMatcher)
 	C.GeoAutoUpdate = cfg.GeoAutoUpdate
@@ -614,6 +630,7 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 	C.GeoIpUrl = cfg.GeoXUrl.GeoIp
 	C.GeoSiteUrl = cfg.GeoXUrl.GeoSite
 	C.MmdbUrl = cfg.GeoXUrl.Mmdb
+	C.ASNUrl = cfg.GeoXUrl.ASN
 	C.GeodataMode = cfg.GeodataMode
 	C.UA = cfg.GlobalUA
 	if cfg.KeepAliveInterval != 0 {
@@ -666,6 +683,7 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 			ExternalController:     cfg.ExternalController,
 			ExternalUI:             cfg.ExternalUI,
 			Secret:                 cfg.Secret,
+			ExternalControllerUnix: cfg.ExternalControllerUnix,
 			ExternalControllerTLS:  cfg.ExternalControllerTLS,
 		},
 		UnifiedDelay:            cfg.UnifiedDelay,
@@ -906,7 +924,7 @@ func parseRules(rulesConfig []string, proxies map[string]C.Proxy, subRules map[s
 
 		l := len(rule)
 
-		if ruleName == "NOT" || ruleName == "OR" || ruleName == "AND" || ruleName == "SUB-RULE" {
+		if ruleName == "NOT" || ruleName == "OR" || ruleName == "AND" || ruleName == "SUB-RULE" || ruleName == "DOMAIN-REGEX" {
 			target = rule[l-1]
 			payload = strings.Join(rule[1:l-1], ",")
 		} else {
@@ -1439,6 +1457,7 @@ func parseTun(rawTun RawTun, general *General) error {
 		EndpointIndependentNat:   rawTun.EndpointIndependentNat,
 		UDPTimeout:               rawTun.UDPTimeout,
 		FileDescriptor:           rawTun.FileDescriptor,
+		TableIndex:               rawTun.TableIndex,
 	}
 
 	return nil

config/update_geo.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/metacubex/mihomo/component/geodata"
 	_ "github.com/metacubex/mihomo/component/geodata/standard"
+	"github.com/metacubex/mihomo/component/mmdb"
 	C "github.com/metacubex/mihomo/constant"
 
 	"github.com/oschwald/maxminddb-golang"
@@ -33,6 +34,7 @@ func UpdateGeoDatabases() error {
 		}
 
 	} else {
+		defer mmdb.ReloadIP()
 		data, err := downloadForBytes(C.MmdbUrl)
 		if err != nil {
 			return fmt.Errorf("can't download MMDB database file: %w", err)
@@ -43,11 +45,32 @@ func UpdateGeoDatabases() error {
 			return fmt.Errorf("invalid MMDB database file: %s", err)
 		}
 		_ = instance.Close()
+
+		mmdb.IPInstance().Reader.Close() //  mmdb is loaded with mmap, so it needs to be closed before overwriting the file
 		if err = saveFile(data, C.Path.MMDB()); err != nil {
 			return fmt.Errorf("can't save MMDB database file: %w", err)
 		}
 	}
 
+	if C.ASNEnable {
+		defer mmdb.ReloadASN()
+		data, err := downloadForBytes(C.ASNUrl)
+		if err != nil {
+			return fmt.Errorf("can't download ASN database file: %w", err)
+		}
+
+		instance, err := maxminddb.FromBytes(data)
+		if err != nil {
+			return fmt.Errorf("invalid ASN database file: %s", err)
+		}
+		_ = instance.Close()
+
+		mmdb.ASNInstance().Reader.Close()
+		if err = saveFile(data, C.Path.ASN()); err != nil {
+			return fmt.Errorf("can't save ASN database file: %w", err)
+		}
+	}
+
 	data, err := downloadForBytes(C.GeoSiteUrl)
 	if err != nil {
 		return fmt.Errorf("can't download GeoSite database file: %w", err)

constant/adapters.go

@@ -21,6 +21,7 @@ const (
 	RejectDrop
 	Compatible
 	Pass
+	Dns
 
 	Relay
 	Selector
@@ -40,6 +41,7 @@ const (
 	Hysteria2
 	WireGuard
 	Tuic
+	Ssh
 )
 
 const (
@@ -184,6 +186,8 @@ func (at AdapterType) String() string {
 		return "Compatible"
 	case Pass:
 		return "Pass"
+	case Dns:
+		return "Dns"
 	case Shadowsocks:
 		return "Shadowsocks"
 	case ShadowsocksR:
@@ -219,7 +223,8 @@ func (at AdapterType) String() string {
 		return "URLTest"
 	case LoadBalance:
 		return "LoadBalance"
-
+	case Ssh:
+		return "Ssh"
 	default:
 		return "Unknown"
 	}

constant/geodata.go

@@ -1,10 +1,12 @@
 package constant
 
 var (
+	ASNEnable         bool
 	GeodataMode       bool
 	GeoAutoUpdate     bool
 	GeoUpdateInterval int
 	GeoIpUrl          string
 	MmdbUrl           string
 	GeoSiteUrl        string
+	ASNUrl            string
 )

constant/metadata.go

@@ -133,6 +133,8 @@ type Metadata struct {
 	Type         Type       `json:"type"`
 	SrcIP        netip.Addr `json:"sourceIP"`
 	DstIP        netip.Addr `json:"destinationIP"`
+	DstGeoIP     []string   `json:"destinationGeoIP"` // can be nil if never queried, empty slice if got no result
+	DstIPASN     string     `json:"destinationIPASN"`
 	SrcPort      uint16     `json:"sourcePort,string"`      // `,string` is used to compatible with old version json output
 	DstPort      uint16     `json:"destinationPort,string"` // `,string` is used to compatible with old version json output
 	InIP         netip.Addr `json:"inboundIP"`

constant/path.go

@@ -15,6 +15,7 @@ const Name = "mihomo"
 var (
 	GeositeName = "GeoSite.dat"
 	GeoipName   = "GeoIP.dat"
+	ASNName     = "ASN.mmdb"
 )
 
 // Path is used to get the configuration path
@@ -112,6 +113,25 @@ func (p *path) MMDB() string {
 	return P.Join(p.homeDir, "geoip.metadb")
 }
 
+func (p *path) ASN() string {
+	files, err := os.ReadDir(p.homeDir)
+	if err != nil {
+		return ""
+	}
+	for _, fi := range files {
+		if fi.IsDir() {
+			// 目录则直接跳过
+			continue
+		} else {
+			if strings.EqualFold(fi.Name(), "ASN.mmdb") {
+				ASNName = fi.Name()
+				return P.Join(p.homeDir, fi.Name())
+			}
+		}
+	}
+	return P.Join(p.homeDir, ASNName)
+}
+
 func (p *path) OldCache() string {
 	return P.Join(p.homeDir, ".cache")
 }

constant/provider/interface.go

@@ -31,6 +31,7 @@ func (v VehicleType) String() string {
 type Vehicle interface {
 	Read() ([]byte, error)
 	Path() string
+	Proxy() string
 	Type() VehicleType
 }
 
@@ -73,6 +74,7 @@ type ProxyProvider interface {
 	HealthCheck()
 	Version() uint32
 	RegisterHealthCheckTask(url string, expectedStatus utils.IntRanges[uint16], filter string, interval uint)
+	HealthCheckURL() string
 }
 
 // RuleProvider interface

constant/rule.go

@@ -5,8 +5,12 @@ const (
 	Domain RuleType = iota
 	DomainSuffix
 	DomainKeyword
+	DomainRegex
 	GEOSITE
 	GEOIP
+	SrcGEOIP
+	IPASN
+	SrcIPASN
 	IPCIDR
 	SrcIPCIDR
 	IPSuffix
@@ -40,10 +44,18 @@ func (rt RuleType) String() string {
 		return "DomainSuffix"
 	case DomainKeyword:
 		return "DomainKeyword"
+	case DomainRegex:
+		return "DomainRegex"
 	case GEOSITE:
 		return "GeoSite"
 	case GEOIP:
 		return "GeoIP"
+	case SrcGEOIP:
+		return "SrcGeoIP"
+	case IPASN:
+		return "IPASN"
+	case SrcIPASN:
+		return "SrcIPASN"
 	case IPCIDR:
 		return "IPCIDR"
 	case SrcIPCIDR:

dns/client.go

@@ -12,6 +12,7 @@ import (
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
+	"github.com/metacubex/mihomo/log"
 
 	D "github.com/miekg/dns"
 	"github.com/zhangyunhao116/fastrand"
@@ -77,7 +78,9 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 		options = append(options, dialer.WithInterface(c.iface))
 	}
 
-	conn, err := getDialHandler(c.r, c.proxyAdapter, c.proxyName, options...)(ctx, network, net.JoinHostPort(ip.String(), c.port))
+	dialHandler := getDialHandler(c.r, c.proxyAdapter, c.proxyName, options...)
+	addr := net.JoinHostPort(ip.String(), c.port)
+	conn, err := dialHandler(ctx, network, addr)
 	if err != nil {
 		return nil, err
 	}
@@ -97,12 +100,31 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 			conn = tls.Client(conn, ca.GetGlobalTLSConfig(c.Client.TLSConfig))
 		}
 
-		msg, _, err := c.Client.ExchangeWithConn(m, &D.Conn{
+		dConn := &D.Conn{
 			Conn:         conn,
 			UDPSize:      c.Client.UDPSize,
 			TsigSecret:   c.Client.TsigSecret,
 			TsigProvider: c.Client.TsigProvider,
-		})
+		}
+
+		msg, _, err := c.Client.ExchangeWithConn(m, dConn)
+
+		// Resolvers MUST resend queries over TCP if they receive a truncated UDP response (with TC=1 set)!
+		if msg != nil && msg.Truncated && c.Client.Net == "" {
+			tcpClient := *c.Client // copy a client
+			tcpClient.Net = "tcp"
+			network = "tcp"
+			log.Debugln("[DNS] Truncated reply from %s:%s for %s over UDP, retrying over TCP", c.host, c.port, m.Question[0].String())
+			dConn.Conn, err = dialHandler(ctx, network, addr)
+			if err != nil {
+				ch <- result{msg, err}
+				return
+			}
+			defer func() {
+				_ = conn.Close()
+			}()
+			msg, _, err = tcpClient.ExchangeWithConn(m, dConn)
+		}
 
 		ch <- result{msg, err}
 	}()

dns/doh.go

@@ -709,7 +709,8 @@ func (doh *dnsOverHTTPS) tlsDial(ctx context.Context, dialContext dialHandler, n
 	err = conn.SetDeadline(time.Now().Add(dialTimeout))
 	if err != nil {
 		// Must not happen in normal circumstances.
-		panic(fmt.Errorf("cannot set deadline: %w", err))
+		log.Errorln("cannot set deadline: %v", err)
+		return nil, err
 	}
 
 	err = conn.Handshake()

dns/filters.go

@@ -24,7 +24,7 @@ var geoIPMatcher *router.GeoIPMatcher
 
 func (gf *geoipFilter) Match(ip netip.Addr) bool {
 	if !C.GeodataMode {
-		codes := mmdb.Instance().LookupCode(ip.AsSlice())
+		codes := mmdb.IPInstance().LookupCode(ip.AsSlice())
 		for _, code := range codes {
 			if !strings.EqualFold(code, gf.code) && !ip.IsPrivate() {
 				return true

dns/resolver.go

@@ -324,7 +324,7 @@ func (r *Resolver) ipExchange(ctx context.Context, m *D.Msg) (msg *D.Msg, err er
 func (r *Resolver) lookupIP(ctx context.Context, host string, dnsType uint16) (ips []netip.Addr, err error) {
 	ip, err := netip.ParseAddr(host)
 	if err == nil {
-		isIPv4 := ip.Is4()
+		isIPv4 := ip.Is4() || ip.Is4In6()
 		if dnsType == D.TypeAAAA && !isIPv4 {
 			return []netip.Addr{ip}, nil
 		} else if dnsType == D.TypeA && isIPv4 {

dns/system.go

@@ -8,6 +8,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/metacubex/mihomo/component/resolver"
 	"github.com/metacubex/mihomo/log"
 
 	D "github.com/miekg/dns"
@@ -39,6 +40,9 @@ func (c *systemClient) getDnsClients() ([]dnsClient, error) {
 		if nameservers, err = dnsReadConfig(); err == nil {
 			log.Debugln("[DNS] system dns update to %s", nameservers)
 			for _, addr := range nameservers {
+				if resolver.IsSystemDnsBlacklisted(addr) {
+					continue
+				}
 				if _, ok := c.dnsClients[addr]; !ok {
 					clients := transform(
 						[]NameServer{{

docs/config.yaml

@@ -8,15 +8,15 @@ mixed-port: 10801 # HTTP(S) 和 SOCKS 代理混合端口
 
 allow-lan: true # 允许局域网连接
 bind-address: "*" # 绑定 IP 地址，仅作用于 allow-lan 为 true，'*'表示所有地址
-authentication: # http,socks入口的验证用户名，密码
+authentication: # http,socks 入口的验证用户名，密码
   - "username:password"
-skip-auth-prefixes: # 设置跳过验证的IP段
+skip-auth-prefixes: # 设置跳过验证的 IP 段
   - 127.0.0.1/8
   - ::1/128
-lan-allowed-ips: # 允许连接的 IP 地址段，仅作用于 allow-lan 为 true, 默认值为0.0.0.0/0和::/0
+lan-allowed-ips: # 允许连接的 IP 地址段，仅作用于 allow-lan 为 true, 默认值为 0.0.0.0/0 和::/0
   - 0.0.0.0/0
   - ::/0
-lan-disallowed-ips: # 禁止连接的 IP 地址段, 黑名单优先级高于白名单, 默认值为空
+lan-disallowed-ips: # 禁止连接的 IP 地址段，黑名单优先级高于白名单，默认值为空
   - 192.168.0.3/32
 
 #  find-process-mode has 3 values:always, strict, off
@@ -58,6 +58,11 @@ external-controller: 0.0.0.0:9093 # RESTful API 监听地址
 external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址，需要配置 tls 部分配置文件
 # secret: "123456" # `Authorization:Bearer ${secret}`
 
+# RESTful API Unix socket 监听地址（ windows版本大于17063也可以使用，即大于等于1803/RS4版本即可使用 ）
+# ！！！注意： 从Unix socket访问api接口不会验证secret， 如果开启请自行保证安全问题 ！！！
+# 测试方法： curl -v --unix-socket "mihomo.sock" http://localhost/
+external-controller-unix: mihomo.sock
+
 # tcp-concurrent: true # TCP 并发连接所有 IP, 将使用最快握手的 TCP
 
 # 配置 WEB UI 目录，使用 http://{{external-controller}}/ui 访问
@@ -109,9 +114,9 @@ tun:
   # auto-detect-interface: true # 自动识别出口网卡
   # auto-route: true # 配置路由表
   # mtu: 9000 # 最大传输单元
-  # gso: false # 启用通用分段卸载, 仅支持 Linux
+  # gso: false # 启用通用分段卸载，仅支持 Linux
   # gso-max-size: 65536 # 通用分段卸载包的最大大小
-  # strict-route: true # 将所有连接路由到tun来防止泄漏，但你的设备将无法其他设备被访问
+  # strict-route: true # 将所有连接路由到 tun 来防止泄漏，但你的设备将无法其他设备被访问
   inet4-route-address: # 启用 auto-route 时使用自定义路由而不是默认路由
     - 0.0.0.0/1
     - 128.0.0.0/1
@@ -119,9 +124,9 @@ tun:
     - "::/1"
     - "8000::/1"
   # endpoint-independent-nat: false # 启用独立于端点的 NAT
-  # include-interface: # 限制被路由的接口。默认不限制, 与 `exclude-interface` 冲突
+  # include-interface: # 限制被路由的接口。默认不限制，与 `exclude-interface` 冲突
   #   - "lan0"
-  # exclude-interface: # 排除路由的接口, 与 `include-interface` 冲突
+  # exclude-interface: # 排除路由的接口，与 `include-interface` 冲突
   #   - "lan1"
   # include-uid: # UID 规则仅在 Linux 下被支持，并且需要 auto-route
   # - 0
@@ -143,7 +148,7 @@ tun:
   # exclude-package: # 排除被路由的 Android 应用包名
   # - com.android.captiveportallogin
 
-#ebpf配置
+#ebpf 配置
 ebpf:
   auto-redir: # redirect 模式，仅支持 TCP
     - eth0
@@ -200,7 +205,7 @@ tunnels: # one line config
     target: target.com
     proxy: proxy
 
-# DNS配置
+# DNS 配置
 dns:
   cache-algorithm: arc
   enable: false # 关闭将使用系统 DNS
@@ -208,7 +213,7 @@ dns:
   listen: 0.0.0.0:53 # 开启 DNS 服务器监听
   # ipv6: false # false 将返回 AAAA 的空结果
   # ipv6-timeout: 300 # 单位：ms，内部双栈并发时，向上游查询 AAAA 时，等待 AAAA 的时间，默认 100ms
-  # 用于解析 nameserver，fallback 以及其他DNS服务器配置的，DNS 服务域名
+  # 用于解析 nameserver，fallback 以及其他 DNS 服务器配置的，DNS 服务域名
   # 只能使用纯 IP 地址，可使用加密 DNS
   default-nameserver:
     - 114.114.114.114
@@ -222,12 +227,12 @@ dns:
 
   # use-hosts: true # 查询 hosts
 
-  # 配置不使用fake-ip的域名
+  # 配置不使用 fake-ip 的域名
   # fake-ip-filter:
   #   - '*.lan'
   #   - localhost.ptlogin2.qq.com
 
-  # DNS主要域名配置
+  # DNS 主要域名配置
   # 支持 UDP，TCP，DoT，DoH，DoQ
   # 这部分为主要 DNS 配置，影响所有直连，确保使用对大陆解析精准的 DNS
   nameserver:
@@ -239,7 +244,7 @@ dns:
     - https://mozilla.cloudflare-dns.com/dns-query#DNS&h3=true # 指定策略组和使用 HTTP/3
     - dhcp://en0 # dns from dhcp
     - quic://dns.adguard.com:784 # DNS over QUIC
-    # - '8.8.8.8#en0' # 兼容指定DNS出口网卡
+    # - '8.8.8.8#en0' # 兼容指定 DNS 出口网卡
 
   # 当配置 fallback 时，会查询 nameserver 中返回的 IP 是否为 CN，非必要配置
   # 当不是 CN，则使用 fallback 中的 DNS 查询结果
@@ -249,7 +254,6 @@ dns:
   #   - 'tcp://1.1.1.1#ProxyGroupName' # 指定 DNS 过代理查询，ProxyGroupName 为策略组名或节点名，过代理配置优先于配置出口网卡，当找不到策略组或节点名则设置为出口网卡
 
   # 专用于节点域名解析的 DNS 服务器，非必要配置项
-  # 配置服务器若查询失败将使用 nameserver，非并发查询
   # proxy-server-nameserver:
   # - https://dns.google/dns-query
   # - tls://one.one.one.one
@@ -338,7 +342,7 @@ proxies: # socks5
     # udp-over-tcp: false
     # ip-version: ipv4 # 设置节点使用 IP 版本，可选：dual，ipv4，ipv6，ipv4-prefer，ipv6-prefer。默认使用 dual
     # ipv4：仅使用 IPv4  ipv6：仅使用 IPv6
-    # ipv4-prefer：优先使用 IPv4 对于 TCP 会进行双栈解析，并发链接但是优先使用 IPv4 链接,
+    # ipv4-prefer：优先使用 IPv4 对于 TCP 会进行双栈解析，并发链接但是优先使用 IPv4 链接，
     # UDP 则为双栈解析，获取结果中的第一个 IPv4
     # ipv6-prefer 同 ipv4-prefer
     # 现有协议都支持此参数，TCP 效果仅在开启 tcp-concurrent 生效
@@ -350,7 +354,7 @@ proxies: # socks5
       # max-streams: 0 # Maximum multiplexed streams in a connection before opening a new connection. Conflict with max-connections and min-streams.
       # padding: false # Enable padding. Requires sing-box server version 1.3-beta9 or later.
       # statistic: false # 控制是否将底层连接显示在面板中，方便打断底层连接
-      # only-tcp: false # 如果设置为true, smux的设置将不会对udp生效，udp连接会直接走底层协议
+      # only-tcp: false # 如果设置为 true, smux 的设置将不会对 udp 生效，udp 连接会直接走底层协议
 
   - name: "ss2"
     type: ss
@@ -383,6 +387,7 @@ proxies: # socks5
       # headers:
       #   custom: value
       # v2ray-http-upgrade: false
+      # v2ray-http-upgrade-fast-open: false
 
   - name: "ss4-shadow-tls"
     type: ss
@@ -405,18 +410,18 @@ proxies: # socks5
     password: [YOUR_SS_PASSWORD]
     client-fingerprint:
       chrome # One of: chrome, ios, firefox or safari
-      # 可以是chrome, ios, firefox, safari中的一个
+      # 可以是 chrome, ios, firefox, safari 中的一个
     plugin: restls
     plugin-opts:
       host:
         "www.microsoft.com" # Must be a TLS 1.3 server
-        # 应当是一个TLS 1.3 服务器
+        # 应当是一个 TLS 1.3 服务器
       password: [YOUR_RESTLS_PASSWORD]
       version-hint: "tls13"
       # Control your post-handshake traffic through restls-script
       # Hide proxy behaviors like "tls in tls".
       # see https://github.com/3andne/restls/blob/main/Restls-Script:%20Hide%20Your%20Proxy%20Traffic%20Behavior.md
-      # 用restls剧本来控制握手后的行为，隐藏"tls in tls"等特征
+      # 用 restls 剧本来控制握手后的行为，隐藏"tls in tls"等特征
       # 详情：https://github.com/3andne/restls/blob/main/Restls-Script:%20%E9%9A%90%E8%97%8F%E4%BD%A0%E7%9A%84%E4%BB%A3%E7%90%86%E8%A1%8C%E4%B8%BA.md
       restls-script: "300?100<1,400~100,350~100,600~100,300~200,300~100"
 
@@ -428,18 +433,18 @@ proxies: # socks5
     password: [YOUR_SS_PASSWORD]
     client-fingerprint:
       chrome # One of: chrome, ios, firefox or safari
-      # 可以是chrome, ios, firefox, safari中的一个
+      # 可以是 chrome, ios, firefox, safari 中的一个
     plugin: restls
     plugin-opts:
       host:
         "vscode.dev" # Must be a TLS 1.2 server
-        # 应当是一个TLS 1.2 服务器
+        # 应当是一个 TLS 1.2 服务器
       password: [YOUR_RESTLS_PASSWORD]
       version-hint: "tls12"
       restls-script: "1000?100<1,500~100,350~100,600~100,400~200"
 
   # vmess
-  # cipher支持 auto/aes-128-gcm/chacha20-poly1305/none
+  # cipher 支持 auto/aes-128-gcm/chacha20-poly1305/none
   - name: "vmess"
     type: vmess
     server: server
@@ -461,6 +466,7 @@ proxies: # socks5
       # max-early-data: 2048
       # early-data-header-name: Sec-WebSocket-Protocol
       # v2ray-http-upgrade: false
+      # v2ray-http-upgrade-fast-open: false
 
   - name: "vmess-h2"
     type: vmess
@@ -589,6 +595,7 @@ proxies: # socks5
       headers:
         Host: example.com
       # v2ray-http-upgrade: false
+      # v2ray-http-upgrade-fast-open: false
 
   # Trojan
   - name: "trojan"
@@ -633,6 +640,7 @@ proxies: # socks5
     #   headers:
     #     Host: example.com
     #   v2ray-http-upgrade: false
+    #   v2ray-http-upgrade-fast-open: false
 
   - name: "trojan-xtls"
     type: trojan
@@ -674,11 +682,13 @@ proxies: # socks5
     type: hysteria2
     server: server.com
     port: 443
-    #  up和down均不写或为0则使用BBR流控
+    # ports: 1000,2000-3000,5000 # port 不可省略
+    # hop-interval: 15
+    #  up 和 down 均不写或为 0 则使用 BBR 流控
     # up: "30 Mbps" # 若不写单位，默认为 Mbps
     # down: "200 Mbps" # 若不写单位，默认为 Mbps
     password: yourpassword
-    # obfs: salamander # 默认为空，如果填写则开启obfs，目前仅支持salamander
+    # obfs: salamander # 默认为空，如果填写则开启 obfs，目前仅支持 salamander
     # obfs-password: yourpassword
     # sni: server.com
     # skip-cert-verify: false
@@ -704,14 +714,12 @@ proxies: # socks5
     # reserved: [209,98,59]
     # 一个出站代理的标识。当值不为空时，将使用指定的 proxy 发出连接
     # dialer-proxy: "ss1"
-    # remote-dns-resolve: true # 强制dns远程解析，默认值为false
+    # remote-dns-resolve: true # 强制 dns 远程解析，默认值为 false
-    # dns: [ 1.1.1.1, 8.8.8.8 ] # 仅在remote-dns-resolve为true时生效
+    # dns: [ 1.1.1.1, 8.8.8.8 ] # 仅在 remote-dns-resolve 为 true 时生效
-    # 如果peers不为空，该段落中的allowed-ips不可为空；前面段落的server,port,ip,ipv6,public-key,pre-shared-key均会被忽略，但private-key会被保留且只能在顶层指定
+    # 如果 peers 不为空，该段落中的 allowed-ips 不可为空；前面段落的 server,port,public-key,pre-shared-key 均会被忽略，但 private-key 会被保留且只能在顶层指定
     # peers:
     #   - server: 162.159.192.1
     #     port: 2480
-    #     ip: 172.16.0.2
-    #     ipv6: fd01:5ca1:ab1e:80fa:ab85:6eea:213f:f4a5
     #     public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
     #     # pre-shared-key: 31aIhAPwktDGpH4JDhA8GNvjFXEf/a6+UaQRyOAiyfM=
     #     allowed-ips: ['0.0.0.0/0']
@@ -722,9 +730,9 @@ proxies: # socks5
     server: www.example.com
     port: 10443
     type: tuic
-    # tuicV4必须填写token （不可同时填写uuid和password）
+    # tuicV4 必须填写 token（不可同时填写 uuid 和 password）
     token: TOKEN
-    # tuicV5必须填写uuid和password（不可同时填写token）
+    # tuicV5 必须填写 uuid 和 password（不可同时填写 token）
     uuid: 00000000-0000-0000-0000-000000000001
     password: PASSWORD_1
     # ip: 127.0.0.1 # for overwriting the DNS lookup result of the server address set in option 'server'
@@ -742,8 +750,8 @@ proxies: # socks5
     # max-open-streams: 20 # default 100, too many open streams may hurt performance
     # sni: example.com
     #
-    # meta和sing-box私有扩展，将ss-uot用于udp中继，开启此选项后udp-relay-mode将失效
+    # meta 和 sing-box 私有扩展，将 ss-uot 用于 udp 中继，开启此选项后 udp-relay-mode 将失效
-    # 警告，与原版tuic不兼容！！！
+    # 警告，与原版 tuic 不兼容！！！
     # udp-over-stream: false
     # udp-over-stream-version: 1
 
@@ -767,9 +775,21 @@ proxies: # socks5
     # protocol-param: "#"
     # udp: true
 
+  - name: "ssh-out"
+    type: ssh
+
+    server: 127.0.0.1
+    port: 22
+    username: root
+    password: password
+    privateKey: path
+
+# dns 出站会将请求劫持到内部 dns 模块，所有请求均在内部处理
+  - name: "dns-out"
+    type: dns
 proxy-groups:
-  # 代理链，目前relay可以支持udp的只有vmess/vless/trojan/ss/ssr/tuic
+  # 代理链，目前 relay 可以支持 udp 的只有 vmess/vless/trojan/ss/ssr/tuic
-  # wireguard目前不支持在relay中使用，请使用proxy中的dialer-proxy配置项
+  # wireguard 目前不支持在 relay 中使用，请使用 proxy 中的 dialer-proxy 配置项
   # Traffic: mihomo <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet
   - name: "relay"
     type: relay
@@ -843,10 +863,19 @@ proxy-groups:
 # Mihomo 格式的节点或支持 *ray 的分享格式
 proxy-providers:
   provider1:
-    type: http # http 的 path 可空置,默认储存路径为 homedir的proxies文件夹,文件名为url的md5
+    type: http # http 的 path 可空置，默认储存路径为 homedir 的 proxies 文件夹，文件名为 url 的 md5
     url: "url"
     interval: 3600
     path: ./provider1.yaml # 默认只允许存储在 mihomo 的 Home Dir，如果想存储到任意位置，添加环境变量 SKIP_SAFE_PATH_CHECK=1
+    proxy: DIRECT
+    header:
+      User-Agent:
+      - "Clash/v1.18.0"
+      - "mihomo/1.18.3"
+      # Accept:
+      # - 'application/vnd.github.v3.raw'
+      # Authorization:
+      # - 'token 1231231'
     health-check:
       enable: true
       interval: 600
@@ -862,6 +891,8 @@ proxy-providers:
       # interface-name: tailscale0
       # routing-mark: 233
       # ip-version: ipv4-prefer
+      # additional-prefix: "[provider1]"
+      # additional-suffix: "test"
   test:
     type: file
     path: /test.yaml
@@ -874,8 +905,9 @@ rule-providers:
     behavior: classical # domain ipcidr
     interval: 259200
     path: /path/to/save/file.yaml # 默认只允许存储在 mihomo 的 Home Dir，如果想存储到任意位置，添加环境变量 SKIP_SAFE_PATH_CHECK=1
-    type: http # http 的 path 可空置,默认储存路径为 homedir的rules文件夹,文件名为url的md5
+    type: http # http 的 path 可空置，默认储存路径为 homedir 的 rules 文件夹，文件名为 url 的 md5
     url: "url"
+    proxy: DIRECT
   rule2:
     behavior: classical
     interval: 259200
@@ -883,6 +915,8 @@ rule-providers:
     type: file
 rules:
   - RULE-SET,rule1,REJECT
+  - IP-ASN,1,PROXY
+  - DOMAIN-REGEX,^abc,DIRECT
   - DOMAIN-SUFFIX,baidu.com,DIRECT
   - DOMAIN-KEYWORD,google,ss1
   - IP-CIDR,1.1.1.1/32,ss1
@@ -922,7 +956,7 @@ listeners:
     port: 10808
     #listen: 0.0.0.0 # 默认监听 0.0.0.0
     # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
-    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理
     # udp: false # 默认 true
 
   - name: http-in-1
@@ -930,14 +964,14 @@ listeners:
     port: 10809
     listen: 0.0.0.0
     # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
-    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时，这里的 proxy 名称必须合法，否则会出错)
 
   - name: mixed-in-1
     type: mixed #  HTTP(S) 和 SOCKS 代理混合
     port: 10810
     listen: 0.0.0.0
     # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
-    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时，这里的 proxy 名称必须合法，否则会出错)
     # udp: false # 默认 true
 
   - name: reidr-in-1
@@ -945,14 +979,14 @@ listeners:
     port: 10811
     listen: 0.0.0.0
     # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
-    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时，这里的 proxy 名称必须合法，否则会出错)
 
   - name: tproxy-in-1
     type: tproxy
     port: 10812
     listen: 0.0.0.0
     # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
-    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时，这里的 proxy 名称必须合法，否则会出错)
     # udp: false # 默认 true
 
   - name: shadowsocks-in-1
@@ -960,7 +994,7 @@ listeners:
     port: 10813
     listen: 0.0.0.0
     # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
-    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时，这里的 proxy 名称必须合法，否则会出错)
     password: vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=
     cipher: 2022-blake3-aes-256-gcm
 
@@ -969,13 +1003,13 @@ listeners:
     port: 10814
     listen: 0.0.0.0
     # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
-    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时，这里的 proxy 名称必须合法，否则会出错)
     users:
       - username: 1
         uuid: 9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68
         alterId: 1
-    # ws-path: "/" # 如果不为空则开启websocket传输层
+    # ws-path: "/" # 如果不为空则开启 websocket 传输层
-    # 下面两项如果填写则开启tls（需要同时填写）
+    # 下面两项如果填写则开启 tls（需要同时填写）
     # certificate: ./server.crt
     # private-key: ./server.key
 
@@ -984,10 +1018,10 @@ listeners:
     port: 10815
     listen: 0.0.0.0
     # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
-    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时，这里的 proxy 名称必须合法，否则会出错)
-    # token:    # tuicV4填写（可以同时填写users）
+    # token:    # tuicV4 填写（可以同时填写 users）
     #   - TOKEN
-    # users:    # tuicV5填写（可以同时填写token）
+    # users:    # tuicV5 填写（可以同时填写 token）
     #   00000000-0000-0000-0000-000000000000: PASSWORD_0
     #   00000000-0000-0000-0000-000000000001: PASSWORD_1
     #  certificate: ./server.crt
@@ -1004,25 +1038,25 @@ listeners:
     port: 10816
     listen: 0.0.0.0
     # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
-    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时，这里的 proxy 名称必须合法，否则会出错)
     network: [tcp, udp]
     target: target.com
 
   - name: tun-in-1
     type: tun
     # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
-    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理 (当 proxy 不为空时，这里的 proxy 名称必须合法，否则会出错)
     stack: system # gvisor / mixed
     dns-hijack:
     - 0.0.0.0:53 # 需要劫持的 DNS
     # auto-detect-interface: false # 自动识别出口网卡
     # auto-route: false # 配置路由表
     # mtu: 9000 # 最大传输单元
-    inet4-address: # 必须手动设置ipv4地址段
+    inet4-address: # 必须手动设置 ipv4 地址段
     - 198.19.0.1/30
-    inet6-address: # 必须手动设置ipv6地址段
+    inet6-address: # 必须手动设置 ipv6 地址段
     - "fdfe:dcba:9877::1/126"
-    # strict-route: true # 将所有连接路由到tun来防止泄漏，但你的设备将无法其他设备被访问
+    # strict-route: true # 将所有连接路由到 tun 来防止泄漏，但你的设备将无法其他设备被访问
     # inet4-route-address: # 启用 auto-route 时使用自定义路由而不是默认路由
     # - 0.0.0.0/1
     # - 128.0.0.0/1
@@ -1050,17 +1084,17 @@ listeners:
     # exclude-package: # 排除被路由的 Android 应用包名
     # - com.android.captiveportallogin
 # 入口配置与 Listener 等价，传入流量将和 socks,mixed 等入口一样按照 mode 所指定的方式进行匹配处理
-# shadowsocks,vmess 入口配置（传入流量将和socks,mixed等入口一样按照mode所指定的方式进行匹配处理）
+# shadowsocks,vmess 入口配置（传入流量将和 socks,mixed 等入口一样按照 mode 所指定的方式进行匹配处理）
 # ss-config: ss://2022-blake3-aes-256-gcm:vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=@:23456
 # vmess-config: vmess://1:9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68@:12345
 
-# tuic服务器入口（传入流量将和socks,mixed等入口一样按照mode所指定的方式进行匹配处理）
+# tuic 服务器入口（传入流量将和 socks,mixed 等入口一样按照 mode 所指定的方式进行匹配处理）
 # tuic-server:
 #  enable: true
 #  listen: 127.0.0.1:10443
-#  token:    # tuicV4填写（可以同时填写users）
+#  token:    # tuicV4 填写（可以同时填写 users）
 #    - TOKEN
-#  users:    # tuicV5填写（可以同时填写token）
+#  users:    # tuicV5 填写（可以同时填写 token）
 #    00000000-0000-0000-0000-000000000000: PASSWORD_0
 #    00000000-0000-0000-0000-000000000001: PASSWORD_1
 #  certificate: ./server.crt

go.mod

@@ -8,53 +8,53 @@ require (
 	github.com/bahlo/generic-list-go v0.2.0
 	github.com/cilium/ebpf v0.12.3
 	github.com/coreos/go-iptables v0.7.0
-	github.com/dlclark/regexp2 v1.10.0
+	github.com/dlclark/regexp2 v1.11.0
-	github.com/go-chi/chi/v5 v5.0.11
+	github.com/go-chi/chi/v5 v5.0.12
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
 	github.com/gobwas/ws v1.3.2
-	github.com/gofrs/uuid/v5 v5.0.0
+	github.com/gofrs/uuid/v5 v5.1.0
-	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
+	github.com/insomniacslk/dhcp v0.0.0-20240419123447-f1cffa2c0c49
-	github.com/klauspost/cpuid/v2 v2.2.6
+	github.com/klauspost/cpuid/v2 v2.2.7
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
 	github.com/mdlayher/netlink v1.7.2
 	github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759
-	github.com/metacubex/quic-go v0.41.1-0.20240120014142-a02f4a533d4a
+	github.com/metacubex/quic-go v0.42.1-0.20240418003344-f006b5735d98
-	github.com/metacubex/sing-quic v0.0.0-20240130040922-cbe613c88f20
+	github.com/metacubex/sing-quic v0.0.0-20240418004036-814c531c378d
 	github.com/metacubex/sing-shadowsocks v0.2.6
 	github.com/metacubex/sing-shadowsocks2 v0.2.0
-	github.com/metacubex/sing-tun v0.2.1-0.20240130042529-1f983547e9d4
+	github.com/metacubex/sing-tun v0.2.6
 	github.com/metacubex/sing-vmess v0.1.9-0.20231207122118-72303677451f
-	github.com/metacubex/sing-wireguard v0.0.0-20231209125515-0594297f7232
+	github.com/metacubex/sing-wireguard v0.0.0-20240321042214-224f96122a63
-	github.com/miekg/dns v1.1.57
+	github.com/metacubex/tfo-go v0.0.0-20240228025757-be1269474a66
+	github.com/miekg/dns v1.1.59
 	github.com/mroth/weightedrand/v2 v2.1.0
 	github.com/openacid/low v0.1.21
 	github.com/oschwald/maxminddb-golang v1.12.0
-	github.com/puzpuzpuz/xsync/v3 v3.0.2
+	github.com/puzpuzpuz/xsync/v3 v3.1.0
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97
-	github.com/sagernet/sing v0.3.0
+	github.com/sagernet/sing v0.3.8
 	github.com/sagernet/sing-mux v0.2.1-0.20240124034317-9bfb33698bb6
 	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6
 	github.com/sagernet/utls v1.5.4
 	github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e
 	github.com/samber/lo v1.39.0
-	github.com/shirou/gopsutil/v3 v3.23.12
+	github.com/shirou/gopsutil/v3 v3.24.3
 	github.com/sirupsen/logrus v1.9.3
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.9.0
 	github.com/wk8/go-ordered-map/v2 v2.1.8
-	github.com/zhangyunhao116/fastrand v0.3.0
+	github.com/zhangyunhao116/fastrand v0.4.0
 	go.uber.org/automaxprocs v1.5.3
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.18.0
+	golang.org/x/crypto v0.22.0
-	golang.org/x/exp v0.0.0-20240110193028-0dcbfd608b1e
+	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f
-	golang.org/x/net v0.20.0
+	golang.org/x/net v0.24.0
-	golang.org/x/sync v0.6.0
+	golang.org/x/sync v0.7.0
-	golang.org/x/sys v0.16.0
+	golang.org/x/sys v0.19.0
-	google.golang.org/protobuf v1.32.0
+	google.golang.org/protobuf v1.33.0
 	gopkg.in/yaml.v3 v3.0.1
-	lukechampine.com/blake3 v1.2.1
+	lukechampine.com/blake3 v1.2.2
 )
 
 require (
@@ -84,7 +84,7 @@ require (
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mdlayher/socket v0.4.1 // indirect
-	github.com/metacubex/gvisor v0.0.0-20231209122014-3e43224c7bbc // indirect
+	github.com/metacubex/gvisor v0.0.0-20240320004321-933faba989ec // indirect
 	github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
 	github.com/pierrec/lz4/v4 v4.1.14 // indirect
@@ -93,7 +93,6 @@ require (
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 // indirect
-	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/sina-ghaderi/poly1305 v0.0.0-20220724002748-c5926b03988b // indirect
 	github.com/sina-ghaderi/rabaead v0.0.0-20220730151906-ab6e06b96e8c // indirect
@@ -102,13 +101,13 @@ require (
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
-	github.com/yusufpapurcu/wmi v1.2.3 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec // indirect
-	go.uber.org/mock v0.3.0 // indirect
+	go.uber.org/mock v0.4.0 // indirect
-	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.16.0 // indirect
+	golang.org/x/tools v0.20.0 // indirect
 )
 
-replace github.com/sagernet/sing => github.com/metacubex/sing v0.0.0-20240111014253-f1818b6a82b2
+replace github.com/sagernet/sing => github.com/metacubex/sing v0.0.0-20240408015159-aa61c96df764

go.sum

@@ -28,8 +28,8 @@ github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFE
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dlclark/regexp2 v1.10.0 h1:+/GIL799phkJqYW+3YbOd8LCcbHzT0Pbo8zl70MHsq0=
+github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
-github.com/dlclark/regexp2 v1.10.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/ericlagergren/aegis v0.0.0-20230312195928-b4ce538b56f9 h1:/5RkVc9Rc81XmMyVqawCiDyrBHZbLAZgTTCqou4mwj8=
 github.com/ericlagergren/aegis v0.0.0-20230312195928-b4ce538b56f9/go.mod h1:hkIFzoiIPZYxdFOOLyDho59b7SrDfo+w3h+yWdlg45I=
 github.com/ericlagergren/polyval v0.0.0-20220411101811-e25bc10ba391 h1:8j2RH289RJplhA6WfdaPqzg1MjH2K8wX5e0uhAxrw2g=
@@ -44,8 +44,8 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/gaukas/godicttls v0.0.4 h1:NlRaXb3J6hAnTmWdsEKb9bcSBD6BvcIjdGdeb0zfXbk=
 github.com/gaukas/godicttls v0.0.4/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI=
-github.com/go-chi/chi/v5 v5.0.11 h1:BnpYbFZ3T3S1WMpD79r7R5ThWX40TaFB7L31Y8xqSwA=
+github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s=
-github.com/go-chi/chi/v5 v5.0.11/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
@@ -62,8 +62,8 @@ github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/gobwas/ws v1.3.2 h1:zlnbNHxumkRvfPWgfXu8RBwyNR1x8wh9cf5PTOCqs9Q=
 github.com/gobwas/ws v1.3.2/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
-github.com/gofrs/uuid/v5 v5.0.0 h1:p544++a97kEL+svbcFbCQVM9KFu0Yo25UoISXGNNH9M=
+github.com/gofrs/uuid/v5 v5.1.0 h1:S5rqVKIigghZTCBKPCw0Y+bXkn26K3TB5mvQq2Ix8dk=
-github.com/gofrs/uuid/v5 v5.0.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/gofrs/uuid/v5 v5.1.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
@@ -78,16 +78,18 @@ github.com/google/tink/go v1.6.1 h1:t7JHqO8Ath2w2ig5vjwQYJzhGEZymedQc90lQXUBa4I=
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
+github.com/insomniacslk/dhcp v0.0.0-20240227161007-c728f5dd21c8 h1:V3plQrMHRWOB5zMm3yNqvBxDQVW1+/wHBSok5uPdmVs=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
+github.com/insomniacslk/dhcp v0.0.0-20240227161007-c728f5dd21c8/go.mod h1:izxuNQZeFrbx2nK2fAyN5iNUB34Fe9j0nK4PwLzAkKw=
+github.com/insomniacslk/dhcp v0.0.0-20240419123447-f1cffa2c0c49 h1:/OuvSMGT9+xnyZ+7MZQ1zdngaCCAdPoSw8B/uurZ7pg=
+github.com/insomniacslk/dhcp v0.0.0-20240419123447-f1cffa2c0c49/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
 github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
-github.com/klauspost/cpuid/v2 v2.2.6 h1:ndNyv040zDGIDh8thGkXYjnFtiN02M1PVVF+JE/48xc=
+github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
-github.com/klauspost/cpuid/v2 v2.2.6/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4=
@@ -102,26 +104,28 @@ github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U
 github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
 github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 h1:cjd4biTvOzK9ubNCCkQ+ldc4YSH/rILn53l/xGBFHHI=
 github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759/go.mod h1:UHOv2xu+RIgLwpXca7TLrXleEd4oR3sPatW6IF8wU88=
-github.com/metacubex/gvisor v0.0.0-20231209122014-3e43224c7bbc h1:+yTZ6q2EeQCAJNpKNEu5j32Pm23ShD38ElIa635wTrk=
+github.com/metacubex/gvisor v0.0.0-20240320004321-933faba989ec h1:HxreOiFTUrJXJautEo8rnE1uKTVGY8wtZepY1Tii/Nc=
-github.com/metacubex/gvisor v0.0.0-20231209122014-3e43224c7bbc/go.mod h1:rhBU9tD5ktoGPBtXUquhWuGJ4u+8ZZzBMi2cAdv9q8Y=
+github.com/metacubex/gvisor v0.0.0-20240320004321-933faba989ec/go.mod h1:8BVmQ+3cxjqzWElafm24rb2Ae4jRI6vAXNXWqWjfrXw=
-github.com/metacubex/quic-go v0.41.1-0.20240120014142-a02f4a533d4a h1:IMr75VdMnDUhkANZemUWqmOPLfwnemiIaCHRnGCdAsY=
+github.com/metacubex/quic-go v0.42.1-0.20240418003344-f006b5735d98 h1:oMLlJV4a9AylNo8ZLBNUiqZ02Vme6GLLHjuWJz8amSk=
-github.com/metacubex/quic-go v0.41.1-0.20240120014142-a02f4a533d4a/go.mod h1:F/t8VnA47xoia8ABlNA4InkZjssvFJ5p6E6jKdbkgAs=
+github.com/metacubex/quic-go v0.42.1-0.20240418003344-f006b5735d98/go.mod h1:iGx3Y1zynls/FjFgykLSqDcM81U0IKePRTXEz5g3iiQ=
-github.com/metacubex/sing v0.0.0-20240111014253-f1818b6a82b2 h1:upEO8dt9WDBavhgcgkXB3hRcwVNbkTbnd+xyzy6ZQZo=
+github.com/metacubex/sing v0.0.0-20240408015159-aa61c96df764 h1:+czGKoynxYA90YaL3NlCAIJHnlqwoUlLWgmOhdm5ZU8=
-github.com/metacubex/sing v0.0.0-20240111014253-f1818b6a82b2/go.mod h1:9pfuAH6mZfgnz/YjP6xu5sxx882rfyjpcrTdUpd6w3g=
+github.com/metacubex/sing v0.0.0-20240408015159-aa61c96df764/go.mod h1:+60H3Cm91RnL9dpVGWDPHt0zTQImO9Vfqt9a4rSambI=
-github.com/metacubex/sing-quic v0.0.0-20240130040922-cbe613c88f20 h1:wt7ydRxm9Pvw+un6KD97tjLJHMrkzp83HyiGkoz6e7k=
+github.com/metacubex/sing-quic v0.0.0-20240418004036-814c531c378d h1:RAe0ND8J5SOPGI623oEXfaHKaaUrrzHx+U1DN9Awcco=
-github.com/metacubex/sing-quic v0.0.0-20240130040922-cbe613c88f20/go.mod h1:bdHqEysJclB9BzIa5jcKKSZ1qua+YEPjR8fOzzE3vZU=
+github.com/metacubex/sing-quic v0.0.0-20240418004036-814c531c378d/go.mod h1:WyY0zYxv+o+18R/Ece+QFontlgXoobKbNqbtYn2zjz8=
 github.com/metacubex/sing-shadowsocks v0.2.6 h1:6oEB3QcsFYnNiFeoevcXrCwJ3sAablwVSgtE9R3QeFQ=
 github.com/metacubex/sing-shadowsocks v0.2.6/go.mod h1:zIkMeSnb8Mbf4hdqhw0pjzkn1d99YJ3JQm/VBg5WMTg=
 github.com/metacubex/sing-shadowsocks2 v0.2.0 h1:hqwT/AfI5d5UdPefIzR6onGHJfDXs5zgOM5QSgaM/9A=
 github.com/metacubex/sing-shadowsocks2 v0.2.0/go.mod h1:LCKF6j1P94zN8ZS+LXRK1gmYTVGB3squivBSXAFnOg8=
-github.com/metacubex/sing-tun v0.2.1-0.20240130042529-1f983547e9d4 h1:qz256cI4oGBtLT0H3wQYgazLGYLQUEZqMkf0i8sGH5A=
+github.com/metacubex/sing-tun v0.2.6 h1:frc58BqnIClqcC9KcYBfVAn5bgO6WW1ANKvZW3/HYAQ=
-github.com/metacubex/sing-tun v0.2.1-0.20240130042529-1f983547e9d4/go.mod h1:P+TjrGTG5AdQRaskP6NiI9gZmgnwR3o5ze9CkIQE+/s=
+github.com/metacubex/sing-tun v0.2.6/go.mod h1:4VsMwZH1IlgPGFK1ZbBomZ/B2MYkTgs2+gnBAr5GOIo=
 github.com/metacubex/sing-vmess v0.1.9-0.20231207122118-72303677451f h1:QjXrHKbTMBip/C+R79bvbfr42xH1gZl3uFb0RELdZiQ=
 github.com/metacubex/sing-vmess v0.1.9-0.20231207122118-72303677451f/go.mod h1:olVkD4FChQ5gKMHG4ZzuD7+fMkJY1G8vwOKpRehjrmY=
-github.com/metacubex/sing-wireguard v0.0.0-20231209125515-0594297f7232 h1:loWjR+k9dxqBSgruGyT5hE8UCRMmCEjxqZbryfY9no4=
+github.com/metacubex/sing-wireguard v0.0.0-20240321042214-224f96122a63 h1:AGyIB55UfQm/0ZH0HtQO9u3l//yjtHUpjeRjjPGfGRI=
-github.com/metacubex/sing-wireguard v0.0.0-20231209125515-0594297f7232/go.mod h1:NGCrBZ+fUmp81yaA1kVskcNWBnwl5z4UHxz47A01zm8=
+github.com/metacubex/sing-wireguard v0.0.0-20240321042214-224f96122a63/go.mod h1:uY+BYb0UEknLrqvbGcwi9i++KgrKxsurysgI6G1Pveo=
-github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
+github.com/metacubex/tfo-go v0.0.0-20240228025757-be1269474a66 h1:as/aO/fM8nv4W4pOr9EETP6kV/Oaujk3fUNyQSJK61c=
-github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
+github.com/metacubex/tfo-go v0.0.0-20240228025757-be1269474a66/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts=
+github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
+github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk=
 github.com/mroth/weightedrand/v2 v2.1.0 h1:o1ascnB1CIVzsqlfArQQjeMy1U0NcIbBO5rfd5E/OeU=
 github.com/mroth/weightedrand/v2 v2.1.0/go.mod h1:f2faGsfOGOwc1p94wzHKKZyTpcJUW7OJ/9U4yfiNAOU=
 github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7 h1:1102pQc2SEPp5+xrS26wEaeb26sZy6k9/ZXlZN+eXE4=
@@ -144,8 +148,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
-github.com/puzpuzpuz/xsync/v3 v3.0.2 h1:3yESHrRFYr6xzkz61LLkvNiPFXxJEAABanTQpKbAaew=
+github.com/puzpuzpuz/xsync/v3 v3.1.0 h1:EewKT7/LNac5SLiEblJeUu8z5eERHrmRLnMQL2d7qX4=
-github.com/puzpuzpuz/xsync/v3 v3.0.2/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
+github.com/puzpuzpuz/xsync/v3 v3.1.0/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
 github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs=
@@ -161,18 +165,14 @@ github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnV
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo=
-github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6 h1:z3SJQhVyU63FT26Wn/UByW6b7q8QKB0ZkPqsyqcz2PI=
-github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6/go.mod h1:73xRZuxwkFk4aiLw28hG8W6o9cr2UPrGL9pdY2UTbvY=
 github.com/sagernet/utls v1.5.4 h1:KmsEGbB2dKUtCNC+44NwAdNAqnqQ6GA4pTO0Yik56co=
 github.com/sagernet/utls v1.5.4/go.mod h1:CTGxPWExIloRipK3XFpYv0OVyhO8kk3XCGW/ieyTh1s=
 github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e h1:iGH0RMv2FzELOFNFQtvsxH7NPmlo7X5JizEK51UCojo=
 github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e/go.mod h1:YbL4TKHRR6APYQv3U2RGfwLDpPYSyWz6oUlpISBEzBE=
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
-github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 h1:rc/CcqLH3lh8n+csdOuDfP+NuykE0U6AeYSJJHKDgSg=
+github.com/shirou/gopsutil/v3 v3.24.3 h1:eoUGJSmdfLzJ3mxIhmOAhgKEKgQkeOwKpz1NbhVnuPE=
-github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9/go.mod h1:a/83NAfUXvEuLpmxDssAXxgUgrEy12MId3Wd7OTs76s=
+github.com/shirou/gopsutil/v3 v3.24.3/go.mod h1:JpND7O217xa72ewWz9zN2eIIkPWsDN/3pl0H8Qt0uwg=
-github.com/shirou/gopsutil/v3 v3.23.12 h1:z90NtUkp3bMtmICZKpC4+WaknU1eXtp5vtbQ11DgpE4=
-github.com/shirou/gopsutil/v3 v3.23.12/go.mod h1:1FrWgea594Jp7qmjHUUPlJDTPgcsb9mGnXDxavtikzM=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
@@ -188,13 +188,15 @@ github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVs
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU=
 github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
 github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk=
@@ -208,35 +210,35 @@ github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695AP
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
 github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
-github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
+github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
-github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-github.com/zhangyunhao116/fastrand v0.3.0 h1:7bwe124xcckPulX6fxtr2lFdO2KQqaefdtbk+mqO/Ig=
+github.com/zhangyunhao116/fastrand v0.4.0 h1:86QB6Y+GGgLZRFRDCjMmAS28QULwspK9sgL5d1Bx3H4=
-github.com/zhangyunhao116/fastrand v0.3.0/go.mod h1:0v5KgHho0VE6HU192HnY15de/oDS8UrbBChIFjIhBtc=
+github.com/zhangyunhao116/fastrand v0.4.0/go.mod h1:vIyo6EyBhjGKpZv6qVlkPl4JVAklpMM4DSKzbAkMguA=
 gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec h1:FpfFs4EhNehiVfzQttTuxanPIT43FtkkCFypIod8LHo=
 gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec/go.mod h1:BZ1RAoRPbCxum9Grlv5aeksu2H8BiKehBYooU2LFiOQ=
 go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
 go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
-go.uber.org/mock v0.3.0 h1:3mUxI1No2/60yUYax92Pt8eNOEecx2D3lcXZh2NEZJo=
+go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
-go.uber.org/mock v0.3.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
+go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
+golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
-golang.org/x/exp v0.0.0-20240110193028-0dcbfd608b1e h1:723BNChdd0c2Wk6WOE320qGBiPtYx0F0Bbm1kriShfE=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY=
-golang.org/x/exp v0.0.0-20240110193028-0dcbfd608b1e/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
+golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -252,25 +254,26 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
+golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
+golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY=
-golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
-google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-lukechampine.com/blake3 v1.2.1 h1:YuqqRuaqsGV71BV/nm9xlI0MKUv4QC54jQnBChWbGnI=
+lukechampine.com/blake3 v1.2.2 h1:wEAbSg0IVU4ih44CVlpMqMZMpzr5hf/6aqodLlevd/w=
-lukechampine.com/blake3 v1.2.1/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
+lukechampine.com/blake3 v1.2.2/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=

hub/executor/executor.go

@@ -150,6 +150,9 @@ func GetGeneral() *config.General {
 		Mode:              tunnel.Mode(),
 		LogLevel:          log.Level(),
 		IPv6:              !resolver.DisableIPv6,
+		GeodataMode:       G.GeodataMode(),
+		GeoAutoUpdate:     G.GeoAutoUpdate(),
+		GeoUpdateInterval: G.GeoUpdateInterval(),
 		GeodataLoader:     G.LoaderName(),
 		GeositeMatcher:    G.SiteMatcherName(),
 		Interface:         dialer.DefaultInterface.Load(),
@@ -194,6 +197,7 @@ func updateExperimental(c *config.Config) {
 	if c.Experimental.QUICGoDisableECN {
 		_ = os.Setenv("QUIC_GO_DISABLE_ECN", strconv.FormatBool(true))
 	}
+	dialer.GetIP4PEnable(c.Experimental.IP4PEnable)
 }
 
 func updateNTP(c *config.NTP) {
@@ -475,6 +479,9 @@ func updateIPTables(cfg *config.Config) {
 		bypass           = iptables.Bypass
 		tProxyPort       = cfg.General.TProxyPort
 		dnsCfg           = cfg.DNS
+		DnsRedirect      = iptables.DnsRedirect
+
+		dnsPort netip.AddrPort
 	)
 
 	if tProxyPort == 0 {
@@ -482,16 +489,18 @@ func updateIPTables(cfg *config.Config) {
 		return
 	}
 
+	if DnsRedirect {
 		if !dnsCfg.Enable {
 			err = fmt.Errorf("DNS server must be enable")
 			return
 		}
 
-	dnsPort, err := netip.ParseAddrPort(dnsCfg.Listen)
+		dnsPort, err = netip.ParseAddrPort(dnsCfg.Listen)
 		if err != nil {
 			err = fmt.Errorf("DNS server must be correct")
 			return
 		}
+	}
 
 	if iptables.InboundInterface != "" {
 		inboundInterface = iptables.InboundInterface
@@ -501,7 +510,7 @@ func updateIPTables(cfg *config.Config) {
 		dialer.DefaultRoutingMark.Store(2158)
 	}
 
-	err = tproxy.SetTProxyIPTables(inboundInterface, bypass, uint16(tProxyPort), dnsPort.Port())
+	err = tproxy.SetTProxyIPTables(inboundInterface, bypass, uint16(tProxyPort), DnsRedirect, dnsPort.Port())
 	if err != nil {
 		return
 	}

hub/hub.go

@@ -21,6 +21,12 @@ func WithExternalController(externalController string) Option {
 	}
 }
 
+func WithExternalControllerUnix(externalControllerUnix string) Option {
+	return func(cfg *config.Config) {
+		cfg.General.ExternalControllerUnix = externalControllerUnix
+	}
+}
+
 func WithSecret(secret string) Option {
 	return func(cfg *config.Config) {
 		cfg.General.Secret = secret
@@ -47,6 +53,10 @@ func Parse(options ...Option) error {
 			cfg.General.Secret, cfg.TLS.Certificate, cfg.TLS.PrivateKey, cfg.General.LogLevel == log.DEBUG)
 	}
 
+	if cfg.General.ExternalControllerUnix != "" {
+		go route.StartUnix(cfg.General.ExternalControllerUnix, cfg.General.LogLevel == log.DEBUG)
+	}
+
 	executor.ApplyConfig(cfg, true)
 	return nil
 }

hub/route/configs.go

@@ -91,6 +91,7 @@ type tunSchema struct {
 	EndpointIndependentNat   *bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
 	UDPTimeout               *int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
 	FileDescriptor           *int            `yaml:"file-descriptor" json:"file-descriptor"`
+	TableIndex               *int            `yaml:"table-index" json:"table-index"`
 }
 
 type tuicServerSchema struct {
@@ -209,6 +210,9 @@ func pointerOrDefaultTun(p *tunSchema, def LC.Tun) LC.Tun {
 		if p.FileDescriptor != nil {
 			def.FileDescriptor = *p.FileDescriptor
 		}
+		if p.TableIndex != nil {
+			def.TableIndex = *p.TableIndex
+		}
 	}
 	return def
 }

hub/route/server.go

@@ -7,8 +7,11 @@ import (
 	"encoding/json"
 	"net"
 	"net/http"
+	"os"
+	"path/filepath"
 	"runtime/debug"
 	"strings"
+	"syscall"
 	"time"
 
 	"github.com/metacubex/mihomo/adapter/inbound"
@@ -47,15 +50,7 @@ func SetUIPath(path string) {
 	uiPath = C.Path.Resolve(path)
 }
 
-func Start(addr string, tlsAddr string, secret string,
+func router(isDebug bool, withAuth bool) *chi.Mux {
-	certificat, privateKey string, isDebug bool) {
-	if serverAddr != "" {
-		return
-	}
-
-	serverAddr = addr
-	serverSecret = secret
-
 	r := chi.NewRouter()
 	corsM := cors.New(cors.Options{
 		AllowedOrigins: []string{"*"},
@@ -77,7 +72,9 @@ func Start(addr string, tlsAddr string, secret string,
 		}())
 	}
 	r.Group(func(r chi.Router) {
+		if withAuth {
 			r.Use(authentication)
+		}
 		r.Get("/", hello)
 		r.Get("/logs", getLogs)
 		r.Get("/traffic", traffic)
@@ -107,10 +104,21 @@ func Start(addr string, tlsAddr string, secret string,
 			})
 		})
 	}
+	return r
+}
+
+func Start(addr string, tlsAddr string, secret string,
+	certificate, privateKey string, isDebug bool) {
+	if serverAddr != "" {
+		return
+	}
+
+	serverAddr = addr
+	serverSecret = secret
 
 	if len(tlsAddr) > 0 {
 		go func() {
-			c, err := CN.ParseCert(certificat, privateKey, C.Path)
+			c, err := CN.ParseCert(certificate, privateKey, C.Path)
 			if err != nil {
 				log.Errorln("External controller tls listen error: %s", err)
 				return
@@ -125,7 +133,7 @@ func Start(addr string, tlsAddr string, secret string,
 			serverAddr = l.Addr().String()
 			log.Infoln("RESTful API tls listening at: %s", serverAddr)
 			tlsServe := &http.Server{
-				Handler: r,
+				Handler: router(isDebug, true),
 				TLSConfig: &tls.Config{
 					Certificates: []tls.Certificate{c},
 				},
@@ -144,12 +152,45 @@ func Start(addr string, tlsAddr string, secret string,
 	serverAddr = l.Addr().String()
 	log.Infoln("RESTful API listening at: %s", serverAddr)
 
-	if err = http.Serve(l, r); err != nil {
+	if err = http.Serve(l, router(isDebug, true)); err != nil {
 		log.Errorln("External controller serve error: %s", err)
 	}
 
 }
 
+func StartUnix(addr string, isDebug bool) {
+	addr = C.Path.Resolve(addr)
+
+	dir := filepath.Dir(addr)
+	if _, err := os.Stat(dir); os.IsNotExist(err) {
+		if err := os.MkdirAll(dir, 0o755); err != nil {
+			log.Errorln("External controller unix listen error: %s", err)
+			return
+		}
+	}
+
+	// https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/
+	//
+	// Note: As mentioned above in the ‘security’ section, when a socket binds a socket to a valid pathname address,
+	// a socket file is created within the filesystem. On Linux, the application is expected to unlink
+	// (see the notes section in the man page for AF_UNIX) before any other socket can be bound to the same address.
+	// The same applies to Windows unix sockets, except that, DeleteFile (or any other file delete API)
+	// should be used to delete the socket file prior to calling bind with the same path.
+	_ = syscall.Unlink(addr)
+
+	l, err := inbound.Listen("unix", addr)
+	if err != nil {
+		log.Errorln("External controller unix listen error: %s", err)
+		return
+	}
+	serverAddr = l.Addr().String()
+	log.Infoln("RESTful API unix listening at: %s", serverAddr)
+
+	if err = http.Serve(l, router(isDebug, false)); err != nil {
+		log.Errorln("External controller unix serve error: %s", err)
+	}
+}
+
 func setPrivateNetworkAccess(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {

hub/updater/updater.go

@@ -137,6 +137,8 @@ func prepare(exePath string) (err error) {
 
 	if runtime.GOOS == "windows" {
 		updateExeName = "mihomo" + "-" + runtime.GOOS + "-" + runtime.GOARCH + amd64Compatible + ".exe"
+	} else if runtime.GOOS == "android" && runtime.GOARCH == "arm64" {
+		updateExeName = "mihomo-android-arm64-v8"
 	} else {
 		updateExeName = "mihomo" + "-" + runtime.GOOS + "-" + runtime.GOARCH + amd64Compatible
 	}
@@ -440,7 +442,11 @@ func updateDownloadURL() {
 		middle = fmt.Sprintf("-%s-%s%s-%s", runtime.GOOS, runtime.GOARCH, goarm, latestVersion)
 	} else if runtime.GOARCH == "arm64" {
 		//-linux-arm64-alpha-e552b54.gz
+		if runtime.GOOS == "android" {
+			middle = fmt.Sprintf("-%s-%s-v8-%s", runtime.GOOS, runtime.GOARCH, latestVersion)
+		} else {
 			middle = fmt.Sprintf("-%s-%s-%s", runtime.GOOS, runtime.GOARCH, latestVersion)
+		}
 	} else if isMIPS(runtime.GOARCH) && gomips != "" {
 		middle = fmt.Sprintf("-%s-%s-%s-%s", runtime.GOOS, runtime.GOARCH, gomips, latestVersion)
 	} else {

listener/config/tun.go

@@ -49,4 +49,5 @@ type Tun struct {
 	EndpointIndependentNat   bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
 	UDPTimeout               int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
 	FileDescriptor           int            `yaml:"file-descriptor" json:"file-descriptor"`
+	TableIndex               int            `yaml:"table-index" json:"table-index"`
 }

listener/http/proxy.go

@@ -51,8 +51,9 @@ func HandleConn(c net.Conn, tunnel C.Tunnel, cache *lru.LruCache[string, bool],
 		var resp *http.Response
 
 		if !trusted {
-			resp = authenticate(request, cache)
+			var user string
-
+			resp, user = authenticate(request, cache)
+			additions = append(additions, inbound.WithInUser(user))
 			trusted = resp == nil
 		}
 
@@ -130,7 +131,7 @@ func HandleConn(c net.Conn, tunnel C.Tunnel, cache *lru.LruCache[string, bool],
 	_ = conn.Close()
 }
 
-func authenticate(request *http.Request, cache *lru.LruCache[string, bool]) *http.Response {
+func authenticate(request *http.Request, cache *lru.LruCache[string, bool]) (resp *http.Response, u string) {
 	authenticator := authStore.Authenticator()
 	if inbound.SkipAuthRemoteAddress(request.RemoteAddr) {
 		authenticator = nil
@@ -140,23 +141,24 @@ func authenticate(request *http.Request, cache *lru.LruCache[string, bool]) *htt
 		if credential == "" {
 			resp := responseWith(request, http.StatusProxyAuthRequired)
 			resp.Header.Set("Proxy-Authenticate", "Basic")
-			return resp
+			return resp, ""
 		}
 
 		authed, exist := cache.Get(credential)
 		if !exist {
 			user, pass, err := decodeBasicProxyAuthorization(credential)
 			authed = err == nil && authenticator.Verify(user, pass)
+			u = user
 			cache.Set(credential, authed)
 		}
 		if !authed {
 			log.Infoln("Auth failed from %s", request.RemoteAddr)
 
-			return responseWith(request, http.StatusForbidden)
+			return responseWith(request, http.StatusForbidden), u
 		}
 	}
 
-	return nil
+	return nil, u
 }
 
 func responseWith(request *http.Request, statusCode int) *http.Response {

listener/http/server.go

@@ -36,7 +36,9 @@ func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener
 }
 
 func NewWithAuthenticate(addr string, tunnel C.Tunnel, authenticate bool, additions ...inbound.Addition) (*Listener, error) {
+	isDefault := false
 	if len(additions) == 0 {
+		isDefault = true
 		additions = []inbound.Addition{
 			inbound.WithInName("DEFAULT-HTTP"),
 			inbound.WithSpecialRules(""),
@@ -71,8 +73,8 @@ func NewWithAuthenticate(addr string, tunnel C.Tunnel, authenticate bool, additi
 					t.SetKeepAlive(false)
 				}
 			}
-			if len(additions) == 0 { // only apply on default listener
+			if isDefault { // only apply on default listener
-				if inbound.IsRemoteAddrDisAllowed(conn.RemoteAddr()) {
+				if !inbound.IsRemoteAddrDisAllowed(conn.RemoteAddr()) {
 					_ = conn.Close()
 					continue
 				}

listener/http/utils.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"net"
 	"net/http"
+	"net/netip"
 	"strings"
 )
 
@@ -48,6 +49,11 @@ func removeExtraHTTPHostPort(req *http.Request) {
 
 	if pHost, port, err := net.SplitHostPort(host); err == nil && (port == "80" || port == "443") {
 		host = pHost
+		if ip, err := netip.ParseAddr(pHost); err == nil && ip.Is6() {
+			// RFC 2617 Sec 3.2.2, for IPv6 literal
+			// addresses the Host header needs to follow the RFC 2732 grammar for "host"
+			host = "[" + host + "]"
+		}
 	}
 
 	req.Host = host

listener/inbound/tun.go

@@ -40,6 +40,7 @@ type TunOption struct {
 	EndpointIndependentNat   bool     `inbound:"endpoint_independent_nat,omitempty"`
 	UDPTimeout               int64    `inbound:"udp_timeout,omitempty"`
 	FileDescriptor           int      `inbound:"file-descriptor,omitempty"`
+	TableIndex               int      `inbound:"table-index,omitempty"`
 }
 
 func (o TunOption) Equal(config C.InboundConfig) bool {
@@ -118,6 +119,7 @@ func NewTun(options *TunOption) (*Tun, error) {
 			EndpointIndependentNat:   options.EndpointIndependentNat,
 			UDPTimeout:               options.UDPTimeout,
 			FileDescriptor:           options.FileDescriptor,
+			TableIndex:               options.TableIndex,
 		},
 	}, nil
 }

listener/inner/tcp.go

@@ -16,7 +16,7 @@ func New(t C.Tunnel) {
 	tunnel = t
 }
 
-func HandleTcp(address string) (conn net.Conn, err error) {
+func HandleTcp(address string, proxy string) (conn net.Conn, err error) {
 	if tunnel == nil {
 		return nil, errors.New("tcp uninitialized")
 	}
@@ -28,6 +28,9 @@ func HandleTcp(address string) (conn net.Conn, err error) {
 	metadata.Type = C.INNER
 	metadata.DNSMode = C.DNSNormal
 	metadata.Process = C.MihomoName
+	if proxy != "" {
+		metadata.SpecialProxy = proxy
+	}
 	if h, port, err := net.SplitHostPort(address); err == nil {
 		if port, err := strconv.ParseUint(port, 10, 16); err == nil {
 			metadata.DstPort = uint16(port)

listener/listener.go

@@ -823,7 +823,8 @@ func hasTunConfigChange(tunConf *LC.Tun) bool {
 		LastTunConf.StrictRoute != tunConf.StrictRoute ||
 		LastTunConf.EndpointIndependentNat != tunConf.EndpointIndependentNat ||
 		LastTunConf.UDPTimeout != tunConf.UDPTimeout ||
-		LastTunConf.FileDescriptor != tunConf.FileDescriptor {
+		LastTunConf.FileDescriptor != tunConf.FileDescriptor ||
+		LastTunConf.TableIndex != tunConf.TableIndex {
 		return true
 	}
 

listener/mixed/mixed.go

@@ -37,7 +37,9 @@ func (l *Listener) Close() error {
 }
 
 func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) {
+	isDefault := false
 	if len(additions) == 0 {
+		isDefault = true
 		additions = []inbound.Addition{
 			inbound.WithInName("DEFAULT-MIXED"),
 			inbound.WithSpecialRules(""),
@@ -62,8 +64,8 @@ func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener
 				}
 				continue
 			}
-			if len(additions) == 0 { // only apply on default listener
+			if isDefault { // only apply on default listener
-				if inbound.IsRemoteAddrDisAllowed(c.RemoteAddr()) {
+				if !inbound.IsRemoteAddrDisAllowed(c.RemoteAddr()) {
 					_ = c.Close()
 					continue
 				}

listener/sing_tun/dns.go

@@ -2,29 +2,21 @@ package sing_tun
 
 import (
 	"context"
-	"encoding/binary"
-	"io"
 	"net"
 	"net/netip"
 	"sync"
 	"time"
 
-	"github.com/metacubex/mihomo/common/pool"
 	"github.com/metacubex/mihomo/component/resolver"
 	"github.com/metacubex/mihomo/listener/sing"
 	"github.com/metacubex/mihomo/log"
 
-	D "github.com/miekg/dns"
-
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/network"
 )
 
-const DefaultDnsReadTimeout = time.Second * 10
-const DefaultDnsRelayTimeout = time.Second * 5
-
 type ListenerHandler struct {
 	*sing.ListenerHandler
 	DnsAdds []netip.AddrPort
@@ -45,61 +37,11 @@ func (h *ListenerHandler) ShouldHijackDns(targetAddr netip.AddrPort) bool {
 func (h *ListenerHandler) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	if h.ShouldHijackDns(metadata.Destination.AddrPort()) {
 		log.Debugln("[DNS] hijack tcp:%s", metadata.Destination.String())
-		buff := pool.Get(pool.UDPBufferSize)
+		return resolver.RelayDnsConn(ctx, conn, resolver.DefaultDnsReadTimeout)
-		defer func() {
-			_ = pool.Put(buff)
-			_ = conn.Close()
-		}()
-		for {
-			if conn.SetReadDeadline(time.Now().Add(DefaultDnsReadTimeout)) != nil {
-				break
-			}
-
-			length := uint16(0)
-			if err := binary.Read(conn, binary.BigEndian, &length); err != nil {
-				break
-			}
-
-			if int(length) > len(buff) {
-				break
-			}
-
-			n, err := io.ReadFull(conn, buff[:length])
-			if err != nil {
-				break
-			}
-
-			err = func() error {
-				ctx, cancel := context.WithTimeout(ctx, DefaultDnsRelayTimeout)
-				defer cancel()
-				inData := buff[:n]
-				msg, err := RelayDnsPacket(ctx, inData, buff)
-				if err != nil {
-					return err
-				}
-
-				err = binary.Write(conn, binary.BigEndian, uint16(len(msg)))
-				if err != nil {
-					return err
-				}
-
-				_, err = conn.Write(msg)
-				if err != nil {
-					return err
-				}
-				return nil
-			}()
-			if err != nil {
-				return err
-			}
-		}
-		return nil
 	}
 	return h.ListenerHandler.NewConnection(ctx, conn, metadata)
 }
 
-const SafeDnsPacketSize = 2 * 1024 // safe size which is 1232 from https://dnsflagday.net/2020/, so 2048 is enough
-
 func (h *ListenerHandler) NewPacketConnection(ctx context.Context, conn network.PacketConn, metadata M.Metadata) error {
 	if h.ShouldHijackDns(metadata.Destination.AddrPort()) {
 		log.Debugln("[DNS] hijack udp:%s from %s", metadata.Destination.String(), metadata.Source.String())
@@ -114,7 +56,7 @@ func (h *ListenerHandler) NewPacketConnection(ctx context.Context, conn network.
 		rwOptions := network.ReadWaitOptions{
 			FrontHeadroom: network.CalculateFrontHeadroom(conn),
 			RearHeadroom:  network.CalculateRearHeadroom(conn),
-			MTU:           SafeDnsPacketSize,
+			MTU:           resolver.SafeDnsPacketSize,
 		}
 		readWaiter, isReadWaiter := bufio.CreatePacketReadWaiter(conn)
 		if isReadWaiter {
@@ -126,7 +68,7 @@ func (h *ListenerHandler) NewPacketConnection(ctx context.Context, conn network.
 				dest     M.Socksaddr
 				err      error
 			)
-			_ = conn.SetReadDeadline(time.Now().Add(DefaultDnsReadTimeout))
+			_ = conn.SetReadDeadline(time.Now().Add(resolver.DefaultDnsReadTimeout))
 			readBuff = nil // clear last loop status, avoid repeat release
 			if isReadWaiter {
 				readBuff, dest, err = readWaiter.WaitReadPacket()
@@ -147,15 +89,15 @@ func (h *ListenerHandler) NewPacketConnection(ctx context.Context, conn network.
 				return err
 			}
 			go func() {
-				ctx, cancel := context.WithTimeout(ctx, DefaultDnsRelayTimeout)
+				ctx, cancel := context.WithTimeout(ctx, resolver.DefaultDnsRelayTimeout)
 				defer cancel()
 				inData := readBuff.Bytes()
 				writeBuff := readBuff
 				writeBuff.Resize(writeBuff.Start(), 0)
-				if len(writeBuff.FreeBytes()) < SafeDnsPacketSize { // only create a new buffer when space don't enough
+				if len(writeBuff.FreeBytes()) < resolver.SafeDnsPacketSize { // only create a new buffer when space don't enough
 					writeBuff = rwOptions.NewPacketBuffer()
 				}
-				msg, err := RelayDnsPacket(ctx, inData, writeBuff.FreeBytes())
+				msg, err := resolver.RelayDnsPacket(ctx, inData, writeBuff.FreeBytes())
 				if writeBuff != readBuff {
 					readBuff.Release()
 				}
@@ -182,21 +124,3 @@ func (h *ListenerHandler) NewPacketConnection(ctx context.Context, conn network.
 	}
 	return h.ListenerHandler.NewPacketConnection(ctx, conn, metadata)
 }
-
-func RelayDnsPacket(ctx context.Context, payload []byte, target []byte) ([]byte, error) {
-	msg := &D.Msg{}
-	if err := msg.Unpack(payload); err != nil {
-		return nil, err
-	}
-
-	r, err := resolver.ServeMsg(ctx, msg)
-	if err != nil {
-		m := new(D.Msg)
-		m.SetRcode(msg, D.RcodeServerFailure)
-		return m.PackBuffer(target)
-	}
-
-	r.SetRcode(msg, r.Rcode)
-	r.Compress = true
-	return r.PackBuffer(target)
-}

listener/sing_tun/server.go

@@ -12,6 +12,7 @@ import (
 	"github.com/metacubex/mihomo/adapter/inbound"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/iface"
+	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	LC "github.com/metacubex/mihomo/listener/config"
 	"github.com/metacubex/mihomo/listener/sing"
@@ -39,6 +40,8 @@ type Listener struct {
 	networkUpdateMonitor    tun.NetworkUpdateMonitor
 	defaultInterfaceMonitor tun.DefaultInterfaceMonitor
 	packageManager          tun.PackageManager
+
+	dnsServerIp []string
 }
 
 func CalculateInterfaceName(name string) (tunName string) {
@@ -112,6 +115,10 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 	} else {
 		udpTimeout = int64(sing.UDPTimeout.Seconds())
 	}
+	tableIndex := options.TableIndex
+	if tableIndex == 0 {
+		tableIndex = 2022
+	}
 	includeUID := uidToRange(options.IncludeUID)
 	if len(options.IncludeUIDRange) > 0 {
 		var err error
@@ -143,12 +150,16 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 
 		dnsAdds = append(dnsAdds, addrPort)
 	}
+
+	var dnsServerIp []string
 	for _, a := range options.Inet4Address {
 		addrPort := netip.AddrPortFrom(a.Addr().Next(), 53)
+		dnsServerIp = append(dnsServerIp, a.Addr().Next().String())
 		dnsAdds = append(dnsAdds, addrPort)
 	}
 	for _, a := range options.Inet6Address {
 		addrPort := netip.AddrPortFrom(a.Addr().Next(), 53)
+		dnsServerIp = append(dnsServerIp, a.Addr().Next().String())
 		dnsAdds = append(dnsAdds, addrPort)
 	}
 
@@ -169,6 +180,7 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 		closed:  false,
 		options: options,
 		handler: handler,
+		tunName: tunName,
 	}
 	defer func() {
 		if err != nil {
@@ -225,7 +237,7 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 		ExcludePackage:           options.ExcludePackage,
 		FileDescriptor:           options.FileDescriptor,
 		InterfaceMonitor:         defaultInterfaceMonitor,
-		TableIndex:               2022,
+		TableIndex:               tableIndex,
 	}
 
 	err = l.buildAndroidRules(&tunOptions)
@@ -239,6 +251,10 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 		return
 	}
 
+	l.dnsServerIp = dnsServerIp
+	// after tun.New sing-tun has set DNS to TUN interface
+	resolver.AddSystemDnsBlacklist(dnsServerIp...)
+
 	stackOptions := tun.StackOptions{
 		Context:                context.TODO(),
 		Tun:                    tunIf,
@@ -256,15 +272,17 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 		}
 	}
 	l.tunIf = tunIf
-	l.tunStack, err = tun.NewStack(strings.ToLower(options.Stack.String()), stackOptions)
+
+	tunStack, err := tun.NewStack(strings.ToLower(options.Stack.String()), stackOptions)
 	if err != nil {
 		return
 	}
 
-	err = l.tunStack.Start()
+	err = tunStack.Start()
 	if err != nil {
 		return
 	}
+	l.tunStack = tunStack
 
 	//l.openAndroidHotspot(tunOptions)
 
@@ -275,7 +293,6 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 
 func (l *Listener) FlushDefaultInterface() {
 	if l.options.AutoDetectInterface {
-		targetInterface := dialer.DefaultInterface.Load()
 		for _, destination := range []netip.Addr{netip.IPv4Unspecified(), netip.IPv6Unspecified(), netip.MustParseAddr("1.1.1.1")} {
 			autoDetectInterfaceName := l.defaultInterfaceMonitor.DefaultInterfaceName(destination)
 			if autoDetectInterfaceName == l.tunName {
@@ -283,17 +300,16 @@ func (l *Listener) FlushDefaultInterface() {
 			} else if autoDetectInterfaceName == "" || autoDetectInterfaceName == "<nil>" {
 				log.Warnln("[TUN] Auto detect interface by %s get empty name.", destination.String())
 			} else {
-				targetInterface = autoDetectInterfaceName
+				if old := dialer.DefaultInterface.Swap(autoDetectInterfaceName); old != autoDetectInterfaceName {
-				if old := dialer.DefaultInterface.Load(); old != targetInterface {
+					log.Warnln("[TUN] default interface changed by monitor, %s => %s", old, autoDetectInterfaceName)
-					log.Warnln("[TUN] default interface changed by monitor, %s => %s", old, targetInterface)
-
-					dialer.DefaultInterface.Store(targetInterface)
-
 					iface.FlushCache()
 				}
 				return
 			}
 		}
+		if dialer.DefaultInterface.CompareAndSwap("", "<invalid>") {
+			log.Warnln("[TUN] Auto detect interface failed, set '<invalid>' to DefaultInterface to avoid lookback")
+		}
 	}
 }
 
@@ -331,6 +347,7 @@ func parseRange(uidRanges []ranges.Range[uint32], rangeList []string) ([]ranges.
 
 func (l *Listener) Close() error {
 	l.closed = true
+	resolver.RemoveSystemDnsBlacklist(l.dnsServerIp...)
 	return common.Close(
 		l.tunStack,
 		l.tunIf,

listener/socks/tcp.go

@@ -35,7 +35,9 @@ func (l *Listener) Close() error {
 }
 
 func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener, error) {
+	isDefault := false
 	if len(additions) == 0 {
+		isDefault = true
 		additions = []inbound.Addition{
 			inbound.WithInName("DEFAULT-SOCKS"),
 			inbound.WithSpecialRules(""),
@@ -59,8 +61,8 @@ func New(addr string, tunnel C.Tunnel, additions ...inbound.Addition) (*Listener
 				}
 				continue
 			}
-			if len(additions) == 0 { // only apply on default listener
+			if isDefault { // only apply on default listener
-				if inbound.IsRemoteAddrDisAllowed(c.RemoteAddr()) {
+				if !inbound.IsRemoteAddrDisAllowed(c.RemoteAddr()) {
 					_ = c.Close()
 					continue
 				}
@@ -96,11 +98,12 @@ func HandleSocks4(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition)
 	if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) {
 		authenticator = nil
 	}
-	addr, _, err := socks4.ServerHandshake(conn, authenticator)
+	addr, _, user, err := socks4.ServerHandshake(conn, authenticator)
 	if err != nil {
 		conn.Close()
 		return
 	}
+	additions = append(additions, inbound.WithInUser(user))
 	tunnel.HandleTCPConn(inbound.NewSocket(socks5.ParseAddr(addr), conn, C.SOCKS4, additions...))
 }
 
@@ -109,7 +112,7 @@ func HandleSocks5(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition)
 	if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) {
 		authenticator = nil
 	}
-	target, command, err := socks5.ServerHandshake(conn, authenticator)
+	target, command, user, err := socks5.ServerHandshake(conn, authenticator)
 	if err != nil {
 		conn.Close()
 		return
@@ -119,5 +122,6 @@ func HandleSocks5(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition)
 		io.Copy(io.Discard, conn)
 		return
 	}
+	additions = append(additions, inbound.WithInUser(user))
 	tunnel.HandleTCPConn(inbound.NewSocket(target, conn, C.SOCKS5, additions...))
 }

listener/tproxy/setsockopt_linux.go

@@ -36,13 +36,21 @@ func setsockopt(rc syscall.RawConn, addr string) error {
 		}
 
 		if err == nil {
-			err = syscall.SetsockoptInt(int(fd), syscall.SOL_IP, syscall.IP_RECVTOS, 1)
+			_ = setDSCPsockopt(fd, isIPv6)
-		}
-
-		if err == nil {
-			err = syscall.SetsockoptInt(int(fd), syscall.SOL_IPV6, syscall.IPV6_RECVTCLASS, 1)
 		}
 	})
 
 	return err
 }
+
+func setDSCPsockopt(fd uintptr, isIPv6 bool) (err error) {
+	if err == nil {
+		err = syscall.SetsockoptInt(int(fd), syscall.SOL_IP, syscall.IP_RECVTOS, 1)
+	}
+
+	if err == nil && isIPv6 {
+		err = syscall.SetsockoptInt(int(fd), syscall.SOL_IPV6, syscall.IPV6_RECVTCLASS, 1)
+	}
+
+	return
+}

listener/tproxy/tproxy.go

@@ -34,6 +34,8 @@ func (l *Listener) Close() error {
 func (l *Listener) handleTProxy(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) {
 	target := socks5.ParseAddrToSocksAddr(conn.LocalAddr())
 	N.TCPKeepAlive(conn)
+	// TProxy's conn.LocalAddr() is target address, so we set from l.listener
+	additions = append([]inbound.Addition{inbound.WithInAddr(l.listener.Addr())}, additions...)
 	tunnel.HandleTCPConn(inbound.NewSocket(target, conn, C.TPROXY, additions...))
 }
 

listener/tproxy/tproxy_iptables.go

@@ -15,6 +15,7 @@ var (
 	dnsPort       uint16
 	tProxyPort    uint16
 	interfaceName string
+	DnsRedirect   bool
 )
 
 const (
@@ -22,7 +23,7 @@ const (
 	PROXY_ROUTE_TABLE = "0x2d0"
 )
 
-func SetTProxyIPTables(ifname string, bypass []string, tport uint16, dport uint16) error {
+func SetTProxyIPTables(ifname string, bypass []string, tport uint16, dnsredir bool, dport uint16) error {
 	if _, err := cmd.ExecCmd("iptables -V"); err != nil {
 		return fmt.Errorf("current operations system [%s] are not support iptables or command iptables does not exist", runtime.GOOS)
 	}
@@ -33,6 +34,7 @@ func SetTProxyIPTables(ifname string, bypass []string, tport uint16, dport uint1
 
 	interfaceName = ifname
 	tProxyPort = tport
+	DnsRedirect = dnsredir
 	dnsPort = dport
 
 	// add route
@@ -58,8 +60,10 @@ func SetTProxyIPTables(ifname string, bypass []string, tport uint16, dport uint1
 	execCmd("iptables -t mangle -N mihomo_prerouting")
 	execCmd("iptables -t mangle -F mihomo_prerouting")
 	execCmd("iptables -t mangle -A mihomo_prerouting -s 172.17.0.0/16 -j RETURN")
+	if DnsRedirect {
 		execCmd("iptables -t mangle -A mihomo_prerouting -p udp --dport 53 -j ACCEPT")
 		execCmd("iptables -t mangle -A mihomo_prerouting -p tcp --dport 53 -j ACCEPT")
+	}
 	execCmd("iptables -t mangle -A mihomo_prerouting -m addrtype --dst-type LOCAL -j RETURN")
 	addLocalnetworkToChain("mihomo_prerouting", bypass)
 	execCmd("iptables -t mangle -A mihomo_prerouting -p tcp -m socket -j mihomo_divert")
@@ -68,8 +72,10 @@ func SetTProxyIPTables(ifname string, bypass []string, tport uint16, dport uint1
 	execCmd(fmt.Sprintf("iptables -t mangle -A mihomo_prerouting -p udp -j TPROXY --on-port %d --tproxy-mark %s/%s", tProxyPort, PROXY_FWMARK, PROXY_FWMARK))
 	execCmd("iptables -t mangle -A PREROUTING -j mihomo_prerouting")
 
+	if DnsRedirect {
 		execCmd(fmt.Sprintf("iptables -t nat -I PREROUTING ! -s 172.17.0.0/16 ! -d 127.0.0.0/8 -p tcp --dport 53 -j REDIRECT --to %d", dnsPort))
 		execCmd(fmt.Sprintf("iptables -t nat -I PREROUTING ! -s 172.17.0.0/16 ! -d 127.0.0.0/8 -p udp --dport 53 -j REDIRECT --to %d", dnsPort))
+	}
 
 	// set post routing
 	if interfaceName != "lo" {
@@ -80,8 +86,10 @@ func SetTProxyIPTables(ifname string, bypass []string, tport uint16, dport uint1
 	execCmd("iptables -t mangle -N mihomo_output")
 	execCmd("iptables -t mangle -F mihomo_output")
 	execCmd(fmt.Sprintf("iptables -t mangle -A mihomo_output -m mark --mark %#x -j RETURN", dialer.DefaultRoutingMark.Load()))
+	if DnsRedirect {
 		execCmd("iptables -t mangle -A mihomo_output -p udp -m multiport --dports 53,123,137 -j ACCEPT")
 		execCmd("iptables -t mangle -A mihomo_output -p tcp --dport 53 -j ACCEPT")
+	}
 	execCmd("iptables -t mangle -A mihomo_output -m addrtype --dst-type LOCAL -j RETURN")
 	execCmd("iptables -t mangle -A mihomo_output -m addrtype --dst-type BROADCAST -j RETURN")
 	addLocalnetworkToChain("mihomo_output", bypass)
@@ -90,6 +98,7 @@ func SetTProxyIPTables(ifname string, bypass []string, tport uint16, dport uint1
 	execCmd(fmt.Sprintf("iptables -t mangle -I OUTPUT -o %s -j mihomo_output", interfaceName))
 
 	// set dns output
+	if DnsRedirect {
 		execCmd("iptables -t nat -N mihomo_dns_output")
 		execCmd("iptables -t nat -F mihomo_dns_output")
 		execCmd(fmt.Sprintf("iptables -t nat -A mihomo_dns_output -m mark --mark %#x -j RETURN", dialer.DefaultRoutingMark.Load()))
@@ -98,12 +107,13 @@ func SetTProxyIPTables(ifname string, bypass []string, tport uint16, dport uint1
 		execCmd(fmt.Sprintf("iptables -t nat -A mihomo_dns_output -p tcp -j REDIRECT --to-ports %d", dnsPort))
 		execCmd("iptables -t nat -I OUTPUT -p tcp --dport 53 -j mihomo_dns_output")
 		execCmd("iptables -t nat -I OUTPUT -p udp --dport 53 -j mihomo_dns_output")
+	}
 
 	return nil
 }
 
 func CleanupTProxyIPTables() {
-	if runtime.GOOS != "linux" || interfaceName == "" || tProxyPort == 0 || dnsPort == 0 {
+	if runtime.GOOS != "linux" || interfaceName == "" || tProxyPort == 0 {
 		return
 	}
 
@@ -130,8 +140,10 @@ func CleanupTProxyIPTables() {
 	}
 
 	// clean PREROUTING
+	if DnsRedirect {
 		execCmd(fmt.Sprintf("iptables -t nat -D PREROUTING ! -s 172.17.0.0/16 ! -d 127.0.0.0/8 -p tcp --dport 53 -j REDIRECT --to %d", dnsPort))
 		execCmd(fmt.Sprintf("iptables -t nat -D PREROUTING ! -s 172.17.0.0/16 ! -d 127.0.0.0/8 -p udp --dport 53 -j REDIRECT --to %d", dnsPort))
+	}
 	execCmd("iptables -t mangle -D PREROUTING -j mihomo_prerouting")
 
 	// clean POSTROUTING
@@ -141,8 +153,10 @@ func CleanupTProxyIPTables() {
 
 	// clean OUTPUT
 	execCmd(fmt.Sprintf("iptables -t mangle -D OUTPUT -o %s -j mihomo_output", interfaceName))
+	if DnsRedirect {
 		execCmd("iptables -t nat -D OUTPUT -p tcp --dport 53 -j mihomo_dns_output")
 		execCmd("iptables -t nat -D OUTPUT -p udp --dport 53 -j mihomo_dns_output")
+	}
 
 	// clean chain
 	execCmd("iptables -t mangle -F mihomo_prerouting")
@@ -151,9 +165,10 @@ func CleanupTProxyIPTables() {
 	execCmd("iptables -t mangle -X mihomo_divert")
 	execCmd("iptables -t mangle -F mihomo_output")
 	execCmd("iptables -t mangle -X mihomo_output")
+	if DnsRedirect {
 		execCmd("iptables -t nat -F mihomo_dns_output")
 		execCmd("iptables -t nat -X mihomo_dns_output")
-
+	}
 	interfaceName = ""
 	tProxyPort = 0
 	dnsPort = 0