Merge branch 'Alpha' into Meta

e0e75c4630

.github/patch_go122/48042aa09c2f878c4faa576948b07fe625c4707a.diff

@@ -0,0 +1,54 @@
+diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go
+index 06e684c7116b4..b311a5c74684b 100644
+--- a/src/syscall/exec_windows.go
++++ b/src/syscall/exec_windows.go
+@@ -319,17 +319,6 @@ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle
+ 		}
+ 	}
+
+-	var maj, min, build uint32
+-	rtlGetNtVersionNumbers(&maj, &min, &build)
+-	isWin7 := maj < 6 || (maj == 6 && min <= 1)
+-	// NT kernel handles are divisible by 4, with the bottom 3 bits left as
+-	// a tag. The fully set tag correlates with the types of handles we're
+-	// concerned about here.  Except, the kernel will interpret some
+-	// special handle values, like -1, -2, and so forth, so kernelbase.dll
+-	// checks to see that those bottom three bits are checked, but that top
+-	// bit is not checked.
+-	isLegacyWin7ConsoleHandle := func(handle Handle) bool { return isWin7 && handle&0x10000003 == 3 }
+-
+ 	p, _ := GetCurrentProcess()
+ 	parentProcess := p
+ 	if sys.ParentProcess != 0 {
+@@ -338,15 +327,7 @@ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle
+ 	fd := make([]Handle, len(attr.Files))
+ 	for i := range attr.Files {
+ 		if attr.Files[i] > 0 {
+-			destinationProcessHandle := parentProcess
+-
+-			// On Windows 7, console handles aren't real handles, and can only be duplicated
+-			// into the current process, not a parent one, which amounts to the same thing.
+-			if parentProcess != p && isLegacyWin7ConsoleHandle(Handle(attr.Files[i])) {
+-				destinationProcessHandle = p
+-			}
+-
+-			err := DuplicateHandle(p, Handle(attr.Files[i]), destinationProcessHandle, &fd[i], 0, true, DUPLICATE_SAME_ACCESS)
++			err := DuplicateHandle(p, Handle(attr.Files[i]), parentProcess, &fd[i], 0, true, DUPLICATE_SAME_ACCESS)
+ 			if err != nil {
+ 				return 0, 0, err
+ 			}
+@@ -377,14 +358,6 @@ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle
+
+ 	fd = append(fd, sys.AdditionalInheritedHandles...)
+
+-	// On Windows 7, console handles aren't real handles, so don't pass them
+-	// through to PROC_THREAD_ATTRIBUTE_HANDLE_LIST.
+-	for i := range fd {
+-		if isLegacyWin7ConsoleHandle(fd[i]) {
+-			fd[i] = 0
+-		}
+-	}
+-
+ 	// The presence of a NULL handle in the list is enough to cause PROC_THREAD_ATTRIBUTE_HANDLE_LIST
+ 	// to treat the entire list as empty, so remove NULL handles.
+ 	j := 0

.github/patch_go122/693def151adff1af707d82d28f55dba81ceb08e1.diff

@@ -0,0 +1,158 @@
+diff --git a/src/crypto/rand/rand.go b/src/crypto/rand/rand.go
+index 62738e2cb1a7d..d0dcc7cc71fc0 100644
+--- a/src/crypto/rand/rand.go
++++ b/src/crypto/rand/rand.go
+@@ -15,7 +15,7 @@ import "io"
+ // available, /dev/urandom otherwise.
+ // On OpenBSD and macOS, Reader uses getentropy(2).
+ // On other Unix-like systems, Reader reads from /dev/urandom.
+-// On Windows systems, Reader uses the RtlGenRandom API.
++// On Windows systems, Reader uses the ProcessPrng API.
+ // On JS/Wasm, Reader uses the Web Crypto API.
+ // On WASIP1/Wasm, Reader uses random_get from wasi_snapshot_preview1.
+ var Reader io.Reader
+diff --git a/src/crypto/rand/rand_windows.go b/src/crypto/rand/rand_windows.go
+index 6c0655c72b692..7380f1f0f1e6e 100644
+--- a/src/crypto/rand/rand_windows.go
++++ b/src/crypto/rand/rand_windows.go
+@@ -15,11 +15,8 @@ func init() { Reader = &rngReader{} }
+ 
+ type rngReader struct{}
+ 
+-func (r *rngReader) Read(b []byte) (n int, err error) {
+-	// RtlGenRandom only returns 1<<32-1 bytes at a time. We only read at
+-	// most 1<<31-1 bytes at a time so that  this works the same on 32-bit
+-	// and 64-bit systems.
+-	if err := batched(windows.RtlGenRandom, 1<<31-1)(b); err != nil {
++func (r *rngReader) Read(b []byte) (int, error) {
++	if err := windows.ProcessPrng(b); err != nil {
+ 		return 0, err
+ 	}
+ 	return len(b), nil
+diff --git a/src/internal/syscall/windows/syscall_windows.go b/src/internal/syscall/windows/syscall_windows.go
+index ab4ad2ec64108..5854ca60b5cef 100644
+--- a/src/internal/syscall/windows/syscall_windows.go
++++ b/src/internal/syscall/windows/syscall_windows.go
+@@ -373,7 +373,7 @@ func ErrorLoadingGetTempPath2() error {
+ //sys	DestroyEnvironmentBlock(block *uint16) (err error) = userenv.DestroyEnvironmentBlock
+ //sys	CreateEvent(eventAttrs *SecurityAttributes, manualReset uint32, initialState uint32, name *uint16) (handle syscall.Handle, err error) = kernel32.CreateEventW
+ 
+-//sys	RtlGenRandom(buf []byte) (err error) = advapi32.SystemFunction036
++//sys	ProcessPrng(buf []byte) (err error) = bcryptprimitives.ProcessPrng
+ 
+ type FILE_ID_BOTH_DIR_INFO struct {
+ 	NextEntryOffset uint32
+diff --git a/src/internal/syscall/windows/zsyscall_windows.go b/src/internal/syscall/windows/zsyscall_windows.go
+index e3f6d8d2a2208..5a587ad4f146c 100644
+--- a/src/internal/syscall/windows/zsyscall_windows.go
++++ b/src/internal/syscall/windows/zsyscall_windows.go
+@@ -37,13 +37,14 @@ func errnoErr(e syscall.Errno) error {
+ }
+ 
+ var (
+-	modadvapi32 = syscall.NewLazyDLL(sysdll.Add("advapi32.dll"))
+-	modiphlpapi = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll"))
+-	modkernel32 = syscall.NewLazyDLL(sysdll.Add("kernel32.dll"))
+-	modnetapi32 = syscall.NewLazyDLL(sysdll.Add("netapi32.dll"))
+-	modpsapi    = syscall.NewLazyDLL(sysdll.Add("psapi.dll"))
+-	moduserenv  = syscall.NewLazyDLL(sysdll.Add("userenv.dll"))
+-	modws2_32   = syscall.NewLazyDLL(sysdll.Add("ws2_32.dll"))
++	modadvapi32         = syscall.NewLazyDLL(sysdll.Add("advapi32.dll"))
++	modbcryptprimitives = syscall.NewLazyDLL(sysdll.Add("bcryptprimitives.dll"))
++	modiphlpapi         = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll"))
++	modkernel32         = syscall.NewLazyDLL(sysdll.Add("kernel32.dll"))
++	modnetapi32         = syscall.NewLazyDLL(sysdll.Add("netapi32.dll"))
++	modpsapi            = syscall.NewLazyDLL(sysdll.Add("psapi.dll"))
++	moduserenv          = syscall.NewLazyDLL(sysdll.Add("userenv.dll"))
++	modws2_32           = syscall.NewLazyDLL(sysdll.Add("ws2_32.dll"))
+ 
+ 	procAdjustTokenPrivileges             = modadvapi32.NewProc("AdjustTokenPrivileges")
+ 	procDuplicateTokenEx                  = modadvapi32.NewProc("DuplicateTokenEx")
+@@ -55,7 +56,7 @@ var (
+ 	procQueryServiceStatus                = modadvapi32.NewProc("QueryServiceStatus")
+ 	procRevertToSelf                      = modadvapi32.NewProc("RevertToSelf")
+ 	procSetTokenInformation               = modadvapi32.NewProc("SetTokenInformation")
+-	procSystemFunction036                 = modadvapi32.NewProc("SystemFunction036")
++	procProcessPrng                       = modbcryptprimitives.NewProc("ProcessPrng")
+ 	procGetAdaptersAddresses              = modiphlpapi.NewProc("GetAdaptersAddresses")
+ 	procCreateEventW                      = modkernel32.NewProc("CreateEventW")
+ 	procGetACP                            = modkernel32.NewProc("GetACP")
+@@ -179,12 +180,12 @@ func SetTokenInformation(tokenHandle syscall.Token, tokenInformationClass uint32
+ 	return
+ }
+ 
+-func RtlGenRandom(buf []byte) (err error) {
++func ProcessPrng(buf []byte) (err error) {
+ 	var _p0 *byte
+ 	if len(buf) > 0 {
+ 		_p0 = &buf[0]
+ 	}
+-	r1, _, e1 := syscall.Syscall(procSystemFunction036.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0)
++	r1, _, e1 := syscall.Syscall(procProcessPrng.Addr(), 2, uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), 0)
+ 	if r1 == 0 {
+ 		err = errnoErr(e1)
+ 	}
+diff --git a/src/runtime/os_windows.go b/src/runtime/os_windows.go
+index 8ca8d7790909e..3772a864b2ff4 100644
+--- a/src/runtime/os_windows.go
++++ b/src/runtime/os_windows.go
+@@ -127,15 +127,8 @@ var (
+ 	_WriteFile,
+ 	_ stdFunction
+ 
+-	// Use RtlGenRandom to generate cryptographically random data.
+-	// This approach has been recommended by Microsoft (see issue
+-	// 15589 for details).
+-	// The RtlGenRandom is not listed in advapi32.dll, instead
+-	// RtlGenRandom function can be found by searching for SystemFunction036.
+-	// Also some versions of Mingw cannot link to SystemFunction036
+-	// when building executable as Cgo. So load SystemFunction036
+-	// manually during runtime startup.
+-	_RtlGenRandom stdFunction
++	// Use ProcessPrng to generate cryptographically random data.
++	_ProcessPrng stdFunction
+ 
+ 	// Load ntdll.dll manually during startup, otherwise Mingw
+ 	// links wrong printf function to cgo executable (see issue
+@@ -151,11 +144,11 @@ var (
+ )
+ 
+ var (
+-	advapi32dll = [...]uint16{'a', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l', 0}
+-	ntdlldll    = [...]uint16{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0}
+-	powrprofdll = [...]uint16{'p', 'o', 'w', 'r', 'p', 'r', 'o', 'f', '.', 'd', 'l', 'l', 0}
+-	winmmdll    = [...]uint16{'w', 'i', 'n', 'm', 'm', '.', 'd', 'l', 'l', 0}
+-	ws2_32dll   = [...]uint16{'w', 's', '2', '_', '3', '2', '.', 'd', 'l', 'l', 0}
++	bcryptprimitivesdll = [...]uint16{'b', 'c', 'r', 'y', 'p', 't', 'p', 'r', 'i', 'm', 'i', 't', 'i', 'v', 'e', 's', '.', 'd', 'l', 'l', 0}
++	ntdlldll            = [...]uint16{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0}
++	powrprofdll         = [...]uint16{'p', 'o', 'w', 'r', 'p', 'r', 'o', 'f', '.', 'd', 'l', 'l', 0}
++	winmmdll            = [...]uint16{'w', 'i', 'n', 'm', 'm', '.', 'd', 'l', 'l', 0}
++	ws2_32dll           = [...]uint16{'w', 's', '2', '_', '3', '2', '.', 'd', 'l', 'l', 0}
+ )
+ 
+ // Function to be called by windows CreateThread
+@@ -251,11 +244,11 @@ func windowsLoadSystemLib(name []uint16) uintptr {
+ }
+ 
+ func loadOptionalSyscalls() {
+-	a32 := windowsLoadSystemLib(advapi32dll[:])
+-	if a32 == 0 {
+-		throw("advapi32.dll not found")
++	bcryptPrimitives := windowsLoadSystemLib(bcryptprimitivesdll[:])
++	if bcryptPrimitives == 0 {
++		throw("bcryptprimitives.dll not found")
+ 	}
+-	_RtlGenRandom = windowsFindfunc(a32, []byte("SystemFunction036\000"))
++	_ProcessPrng = windowsFindfunc(bcryptPrimitives, []byte("ProcessPrng\000"))
+ 
+ 	n32 := windowsLoadSystemLib(ntdlldll[:])
+ 	if n32 == 0 {
+@@ -531,7 +524,7 @@ func osinit() {
+ //go:nosplit
+ func readRandom(r []byte) int {
+ 	n := 0
+-	if stdcall2(_RtlGenRandom, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 {
++	if stdcall2(_ProcessPrng, uintptr(unsafe.Pointer(&r[0])), uintptr(len(r)))&0xff != 0 {
+ 		n = len(r)
+ 	}
+ 	return n

.github/patch_go122/7c1157f9544922e96945196b47b95664b1e39108.diff

@@ -0,0 +1,162 @@
+diff --git a/src/net/hook_windows.go b/src/net/hook_windows.go
+index ab8656cbbf343..28c49cc6de7e7 100644
+--- a/src/net/hook_windows.go
++++ b/src/net/hook_windows.go
+@@ -14,7 +14,6 @@ var (
+ 	testHookDialChannel = func() { time.Sleep(time.Millisecond) } // see golang.org/issue/5349
+ 
+ 	// Placeholders for socket system calls.
+-	socketFunc    func(int, int, int) (syscall.Handle, error)                                                 = syscall.Socket
+ 	wsaSocketFunc func(int32, int32, int32, *syscall.WSAProtocolInfo, uint32, uint32) (syscall.Handle, error) = windows.WSASocket
+ 	connectFunc   func(syscall.Handle, syscall.Sockaddr) error                                                = syscall.Connect
+ 	listenFunc    func(syscall.Handle, int) error                                                             = syscall.Listen
+diff --git a/src/net/internal/socktest/main_test.go b/src/net/internal/socktest/main_test.go
+index 0197feb3f199a..967ce6795aedb 100644
+--- a/src/net/internal/socktest/main_test.go
++++ b/src/net/internal/socktest/main_test.go
+@@ -2,7 +2,7 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build !js && !plan9 && !wasip1
++//go:build !js && !plan9 && !wasip1 && !windows
+ 
+ package socktest_test
+ 
+diff --git a/src/net/internal/socktest/main_windows_test.go b/src/net/internal/socktest/main_windows_test.go
+deleted file mode 100644
+index df1cb97784b51..0000000000000
+--- a/src/net/internal/socktest/main_windows_test.go
++++ /dev/null
+@@ -1,22 +0,0 @@
+-// Copyright 2015 The Go Authors. All rights reserved.
+-// Use of this source code is governed by a BSD-style
+-// license that can be found in the LICENSE file.
+-
+-package socktest_test
+-
+-import "syscall"
+-
+-var (
+-	socketFunc func(int, int, int) (syscall.Handle, error)
+-	closeFunc  func(syscall.Handle) error
+-)
+-
+-func installTestHooks() {
+-	socketFunc = sw.Socket
+-	closeFunc = sw.Closesocket
+-}
+-
+-func uninstallTestHooks() {
+-	socketFunc = syscall.Socket
+-	closeFunc = syscall.Closesocket
+-}
+diff --git a/src/net/internal/socktest/sys_windows.go b/src/net/internal/socktest/sys_windows.go
+index 8c1c862f33c9b..1c42e5c7f34b7 100644
+--- a/src/net/internal/socktest/sys_windows.go
++++ b/src/net/internal/socktest/sys_windows.go
+@@ -9,38 +9,6 @@ import (
+ 	"syscall"
+ )
+ 
+-// Socket wraps syscall.Socket.
+-func (sw *Switch) Socket(family, sotype, proto int) (s syscall.Handle, err error) {
+-	sw.once.Do(sw.init)
+-
+-	so := &Status{Cookie: cookie(family, sotype, proto)}
+-	sw.fmu.RLock()
+-	f, _ := sw.fltab[FilterSocket]
+-	sw.fmu.RUnlock()
+-
+-	af, err := f.apply(so)
+-	if err != nil {
+-		return syscall.InvalidHandle, err
+-	}
+-	s, so.Err = syscall.Socket(family, sotype, proto)
+-	if err = af.apply(so); err != nil {
+-		if so.Err == nil {
+-			syscall.Closesocket(s)
+-		}
+-		return syscall.InvalidHandle, err
+-	}
+-
+-	sw.smu.Lock()
+-	defer sw.smu.Unlock()
+-	if so.Err != nil {
+-		sw.stats.getLocked(so.Cookie).OpenFailed++
+-		return syscall.InvalidHandle, so.Err
+-	}
+-	nso := sw.addLocked(s, family, sotype, proto)
+-	sw.stats.getLocked(nso.Cookie).Opened++
+-	return s, nil
+-}
+-
+ // WSASocket wraps [syscall.WSASocket].
+ func (sw *Switch) WSASocket(family, sotype, proto int32, protinfo *syscall.WSAProtocolInfo, group uint32, flags uint32) (s syscall.Handle, err error) {
+ 	sw.once.Do(sw.init)
+diff --git a/src/net/main_windows_test.go b/src/net/main_windows_test.go
+index 07f21b72eb1fc..bc024c0bbd82d 100644
+--- a/src/net/main_windows_test.go
++++ b/src/net/main_windows_test.go
+@@ -8,7 +8,6 @@ import "internal/poll"
+ 
+ var (
+ 	// Placeholders for saving original socket system calls.
+-	origSocket      = socketFunc
+ 	origWSASocket   = wsaSocketFunc
+ 	origClosesocket = poll.CloseFunc
+ 	origConnect     = connectFunc
+@@ -18,7 +17,6 @@ var (
+ )
+ 
+ func installTestHooks() {
+-	socketFunc = sw.Socket
+ 	wsaSocketFunc = sw.WSASocket
+ 	poll.CloseFunc = sw.Closesocket
+ 	connectFunc = sw.Connect
+@@ -28,7 +26,6 @@ func installTestHooks() {
+ }
+ 
+ func uninstallTestHooks() {
+-	socketFunc = origSocket
+ 	wsaSocketFunc = origWSASocket
+ 	poll.CloseFunc = origClosesocket
+ 	connectFunc = origConnect
+diff --git a/src/net/sock_windows.go b/src/net/sock_windows.go
+index fa11c7af2e727..5540135a2c43e 100644
+--- a/src/net/sock_windows.go
++++ b/src/net/sock_windows.go
+@@ -19,21 +19,6 @@ func maxListenerBacklog() int {
+ func sysSocket(family, sotype, proto int) (syscall.Handle, error) {
+ 	s, err := wsaSocketFunc(int32(family), int32(sotype), int32(proto),
+ 		nil, 0, windows.WSA_FLAG_OVERLAPPED|windows.WSA_FLAG_NO_HANDLE_INHERIT)
+-	if err == nil {
+-		return s, nil
+-	}
+-	// WSA_FLAG_NO_HANDLE_INHERIT flag is not supported on some
+-	// old versions of Windows, see
+-	// https://msdn.microsoft.com/en-us/library/windows/desktop/ms742212(v=vs.85).aspx
+-	// for details. Just use syscall.Socket, if windows.WSASocket failed.
+-
+-	// See ../syscall/exec_unix.go for description of ForkLock.
+-	syscall.ForkLock.RLock()
+-	s, err = socketFunc(family, sotype, proto)
+-	if err == nil {
+-		syscall.CloseOnExec(s)
+-	}
+-	syscall.ForkLock.RUnlock()
+ 	if err != nil {
+ 		return syscall.InvalidHandle, os.NewSyscallError("socket", err)
+ 	}
+diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go
+index 0a93bc0a80d4e..06e684c7116b4 100644
+--- a/src/syscall/exec_windows.go
++++ b/src/syscall/exec_windows.go
+@@ -14,6 +14,7 @@ import (
+ 	"unsafe"
+ )
+ 
++// ForkLock is not used on Windows.
+ var ForkLock sync.RWMutex
+ 
+ // EscapeArg rewrites command line argument s as prescribed

.github/workflows/build.yml

@@ -1,6 +1,10 @@
 name: Build
 on:
   workflow_dispatch:
+    inputs:
+      version:
+        description: "Tag version to release"
+        required: true
   push:
     paths-ignore:
       - "docs/**"
@@ -13,9 +17,8 @@ on:
   pull_request_target:
     branches:
       - Alpha
-      
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: true
   
 env:
@@ -64,6 +67,13 @@ jobs:
           - { goos: android, goarch: arm, ndk: armv7a-linux-androideabi34, output: armv7 }
           - { goos: android, goarch: arm64, ndk: aarch64-linux-android34, output: arm64-v8 }
 
+          # Go 1.21 can revert commit `9e4385` to work on Windows 7
+          # https://github.com/golang/go/issues/64622#issuecomment-1847475161
+          # (OR we can just use golang1.21.4 which unneeded any patch)
+          - { goos: windows, goarch: '386', output: '386-go121', goversion: '1.21' }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go121, goversion: '1.21' }
+          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go121, goversion: '1.21' }
+
           # Go 1.20 is the last release that will run on any release of Windows 7, 8, Server 2008 and Server 2012. Go 1.21 will require at least Windows 10 or Server 2016.
           - { goos: windows, goarch: '386', output: '386-go120', goversion: '1.20' }
           - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20' }
@@ -94,28 +104,50 @@ jobs:
       with:
         go-version: ${{ matrix.jobs.goversion }}
 
-    - name: Set up Go1.21 loongarch abi1
+    - name: Set up Go1.22 loongarch abi1
       if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '1' }}
       run: |
-        wget -q https://github.com/xishang0128/loongarch64-golang/releases/download/1.21.5/go1.21.5.linux-amd64-abi1.tar.gz
-        sudo tar zxf go1.21.5.linux-amd64-abi1.tar.gz -C /usr/local
+        wget -q https://github.com/xishang0128/loongarch64-golang/releases/download/1.22.0/go1.22.0.linux-amd64-abi1.tar.gz
+        sudo tar zxf go1.22.0.linux-amd64-abi1.tar.gz -C /usr/local
         echo "/usr/local/go/bin" >> $GITHUB_PATH
 
-    - name: Set up Go1.21 loongarch abi2
+    - name: Set up Go1.22 loongarch abi2
       if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '2' }}
       run: |
-        wget -q https://github.com/xishang0128/loongarch64-golang/releases/download/1.21.5/go1.21.5.linux-amd64-abi2.tar.gz
-        sudo tar zxf go1.21.5.linux-amd64-abi2.tar.gz -C /usr/local
+        wget -q https://github.com/xishang0128/loongarch64-golang/releases/download/1.22.0/go1.22.0.linux-amd64-abi2.tar.gz
+        sudo tar zxf go1.22.0.linux-amd64-abi2.tar.gz -C /usr/local
         echo "/usr/local/go/bin" >> $GITHUB_PATH
 
+      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
+      # this patch file only works on golang1.22.x
+      # that means after golang1.23 release it must be changed
+      # revert:
+      # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
+      # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
+      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
+    - name: Revert Golang1.22 commit for Windows7/8
+      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }}
+      run: |
+        cd $(go env GOROOT)
+        patch --verbose -R -p 1 < $GITHUB_WORKSPACE/.github/patch_go122/693def151adff1af707d82d28f55dba81ceb08e1.diff
+        patch --verbose -R -p 1 < $GITHUB_WORKSPACE/.github/patch_go122/7c1157f9544922e96945196b47b95664b1e39108.diff
+        patch --verbose -R -p 1 < $GITHUB_WORKSPACE/.github/patch_go122/48042aa09c2f878c4faa576948b07fe625c4707a.diff
+
+      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
+    - name: Revert Golang1.21 commit for Windows7/8
+      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.21' }}
+      run: |
+        cd $(go env GOROOT)
+        curl https://github.com/golang/go/commit/9e43850a3298a9b8b1162ba0033d4c53f8637571.diff | patch --verbose -R -p 1
+
     - name: Set variables
-      if: ${{github.ref_name=='Alpha'}}
-      run: echo "VERSION=alpha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+      if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.version != '' }}
+      run: echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
       shell: bash
 
     - name: Set variables
-      if: ${{github.ref_name=='' || github.ref_type=='tag'}}
-      run: echo "VERSION=$(git describe --tags)" >> $GITHUB_ENV
+      if: ${{ github.event_name != 'workflow_dispatch' && github.ref_name == 'Alpha' }}
+      run: echo "VERSION=alpha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
       shell: bash
 
     - name: Set Time Variable
@@ -174,6 +206,10 @@ jobs:
         sudo apt-get install dpkg
         if [ "${{matrix.jobs.abi}}" = "1" ]; then
           ARCH=loongarch64
+        elif [ "${{matrix.jobs.goarm}}" = "7" ]; then
+          ARCH=armhf
+        elif [ "${{matrix.jobs.goarch}}" = "arm" ]; then
+          ARCH=armel
         else
           ARCH=${{matrix.jobs.goarch}}
         fi
@@ -238,7 +274,7 @@ jobs:
     - name: Archive production artifacts
       uses: actions/upload-artifact@v4
       with:
-        name: ${{ matrix.jobs.goos }}-${{ matrix.jobs.output }}
+        name: "${{ matrix.jobs.goos }}-${{ matrix.jobs.output }}"
         path: |
           mihomo*.gz
           mihomo*.deb
@@ -248,7 +284,7 @@ jobs:
 
   Upload-Prerelease:
     permissions: write-all
-    if: ${{ github.ref_type == 'branch' && !startsWith(github.event_name, 'pull_request') }}
+    if: ${{ github.event_name != 'workflow_dispatch' && github.ref_type == 'branch' && !startsWith(github.event_name, 'pull_request') }}
     needs: [build]
     runs-on: ubuntu-latest
     steps:
@@ -299,44 +335,62 @@ jobs:
 
   Upload-Release:
     permissions: write-all
-    if: ${{ github.ref_type=='tag' }}
+    if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.version != '' }}
     needs: [build]
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: Meta
+          fetch-depth: '0'
+          fetch-tags: 'true'
 
-    - name: Get tags
-      run: |
-        echo "CURRENTVERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-        git fetch --tags
-        echo "PREVERSION=$(git describe --tags --abbrev=0 HEAD^)" >> $GITHUB_ENV
+      - name: Get tags
+        run: |
+          echo "CURRENTVERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
+          git fetch --tags
+          echo "PREVERSION=$(git describe --tags --abbrev=0 HEAD)" >> $GITHUB_ENV
 
-    - name: Generate release notes
-      run: |
-          cp ./.github/genReleaseNote.sh ./
-          bash ./genReleaseNote.sh -v ${PREVERSION}...${CURRENTVERSION}
-          rm ./genReleaseNote.sh
+      - name: Merge Alpha branch into Meta
+        run: |
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
+          git fetch origin Alpha:Alpha
+          git merge Alpha
+          git push origin Meta
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-    - uses: actions/download-artifact@v4
-      with:
-        path: bin/
-        merge-multiple: true
+      - name: Tag the commit
+        run: |
+          git tag ${{ github.event.inputs.version }}
+          git push origin ${{ github.event.inputs.version }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Display structure of downloaded files
-      run: ls -R
-      working-directory: bin
-
-    - name: Upload Release
-      uses: softprops/action-gh-release@v1
-      if: ${{  success() }}
-      with:
-        tag_name: ${{ github.ref_name }}
-        files: bin/*
-        generate_release_notes: true
-        body_path: release.md
+      - name: Generate release notes
+        run: |
+            cp ./.github/genReleaseNote.sh ./
+            bash ./genReleaseNote.sh -v ${PREVERSION}...${CURRENTVERSION}
+            rm ./genReleaseNote.sh
+  
+      - uses: actions/download-artifact@v4
+        with:
+          path: bin/
+          merge-multiple: true
+  
+      - name: Display structure of downloaded files
+        run: ls -R
+        working-directory: bin
+  
+      - name: Upload Release
+        uses: softprops/action-gh-release@v2
+        if: ${{ success() }}
+        with:
+          tag_name: ${{ github.event.inputs.version }}
+          files: bin/*
+          body_path: release.md
 
   Docker:
     if: ${{ !startsWith(github.event_name, 'pull_request') }}
@@ -365,20 +419,35 @@ jobs:
         uses: docker/setup-buildx-action@v3
         with:
           version: latest
-
+      
       # Extract metadata (tags, labels) for Docker
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
-        id: meta
+        if: ${{ github.event_name != 'workflow_dispatch' }}
+        id: meta_alpha
         uses: docker/metadata-action@v5
         with:
-          images: ${{ env.REGISTRY }}/${{ github.repository }}
-
+          images: '${{ env.REGISTRY }}/${{ github.repository }}'
+      
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.version != '' }}
+        id: meta_release
+        uses: docker/metadata-action@v5
+        with:
+          images: '${{ env.REGISTRY }}/${{ github.repository }}'
+          tags: |
+            ${{ github.event.inputs.version }}
+          flavor: |
+            latest=true
+          labels: org.opencontainers.image.version=${{ github.event.inputs.version }}
+      
       - name: Show files
         run: |
           ls .
           ls bin/
-
+      
       - name: login to docker REGISTRY
         uses: docker/login-action@v3
         with:
@@ -389,7 +458,7 @@ jobs:
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
-        id: build-and-push
+        if: ${{ github.event_name != 'workflow_dispatch' }}
         uses: docker/build-push-action@v5
         with:
           context: .
@@ -400,5 +469,20 @@ jobs:
             linux/amd64
             linux/arm64
             linux/arm/v7
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta_alpha.outputs.tags }}
+          labels: ${{ steps.meta_alpha.outputs.labels }}
+      
+      - name: Build and push Docker image
+        if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.version != '' }}
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          platforms: |
+            linux/386
+            linux/amd64
+            linux/arm64
+            linux/arm/v7
+          tags: ${{ steps.meta_release.outputs.tags }}
+          labels: ${{ steps.meta_release.outputs.labels }}

README.md

@@ -98,4 +98,3 @@ API.
 
 This software is released under the GPL-3.0 license.
 
-[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2FMetaCubeX%2Fmihomo.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2FMetaCubeX%2Fmihomo?ref=badge_large)

adapter/adapter.go

@@ -2,6 +2,7 @@ package adapter
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net"
@@ -14,6 +15,7 @@ import (
 	"github.com/metacubex/mihomo/common/atomic"
 	"github.com/metacubex/mihomo/common/queue"
 	"github.com/metacubex/mihomo/common/utils"
+	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/puzpuzpuz/xsync/v3"
@@ -230,6 +232,7 @@ func (p *Proxy) URLTest(ctx context.Context, url string, expectedStatus utils.In
 		IdleConnTimeout:       90 * time.Second,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
+		TLSClientConfig:       ca.GetGlobalTLSConfig(&tls.Config{}),
 	}
 
 	client := http.Client{

adapter/inbound/listen.go

@@ -3,22 +3,10 @@ package inbound
 import (
 	"context"
 	"net"
-
-	"github.com/metacubex/tfo-go"
 )
 
-var (
-	lc = tfo.ListenConfig{
-		DisableTFO: true,
-	}
-)
-
-func SetTfo(open bool) {
-	lc.DisableTFO = !open
-}
-
 func SetMPTCP(open bool) {
-	setMultiPathTCP(&lc.ListenConfig, open)
+	setMultiPathTCP(getListenConfig(), open)
 }
 
 func ListenContext(ctx context.Context, network, address string) (net.Listener, error) {

adapter/inbound/listen_unix.go

@@ -0,0 +1,23 @@
+//go:build unix
+
+package inbound
+
+import (
+	"net"
+
+	"github.com/metacubex/tfo-go"
+)
+
+var (
+	lc = tfo.ListenConfig{
+		DisableTFO: true,
+	}
+)
+
+func SetTfo(open bool) {
+	lc.DisableTFO = !open
+}
+
+func getListenConfig() *net.ListenConfig {
+	return &lc.ListenConfig
+}

adapter/inbound/listen_windows.go

@@ -0,0 +1,15 @@
+package inbound
+
+import (
+	"net"
+)
+
+var (
+	lc = net.ListenConfig{}
+)
+
+func SetTfo(open bool) {}
+
+func getListenConfig() *net.ListenConfig {
+	return &lc
+}

adapter/outbound/direct.go

@@ -3,15 +3,19 @@ package outbound
 import (
 	"context"
 	"errors"
-	"net/netip"
+	"os"
+	"strconv"
 
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/loopback"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
+	"github.com/metacubex/mihomo/constant/features"
 )
 
+var DisableLoopBackDetector, _ = strconv.ParseBool(os.Getenv("DISABLE_LOOPBACK_DETECTOR"))
+
 type Direct struct {
 	*Base
 	loopBack *loopback.Detector
@@ -24,8 +28,10 @@ type DirectOption struct {
 
 // DialContext implements C.ProxyAdapter
 func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	if err := d.loopBack.CheckConn(metadata); err != nil {
-		return nil, err
+	if !features.CMFA && !DisableLoopBackDetector {
+		if err := d.loopBack.CheckConn(metadata); err != nil {
+			return nil, err
+		}
 	}
 	opts = append(opts, dialer.WithResolver(resolver.DefaultResolver))
 	c, err := dialer.DialContext(ctx, "tcp", metadata.RemoteAddress(), d.Base.DialOptions(opts...)...)
@@ -38,8 +44,10 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 
 // ListenPacketContext implements C.ProxyAdapter
 func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	if err := d.loopBack.CheckPacketConn(metadata); err != nil {
-		return nil, err
+	if !features.CMFA && !DisableLoopBackDetector {
+		if err := d.loopBack.CheckPacketConn(metadata); err != nil {
+			return nil, err
+		}
 	}
 	// net.UDPConn.WriteTo only working with *net.UDPAddr, so we need a net.UDPAddr
 	if !metadata.Resolved() {
@@ -49,13 +57,17 @@ func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		}
 		metadata.DstIP = ip
 	}
-	pc, err := dialer.NewDialer(d.Base.DialOptions(opts...)...).ListenPacket(ctx, "udp", "", netip.AddrPortFrom(metadata.DstIP, metadata.DstPort))
+	pc, err := dialer.NewDialer(d.Base.DialOptions(opts...)...).ListenPacket(ctx, "udp", "", metadata.AddrPort())
 	if err != nil {
 		return nil, err
 	}
 	return d.loopBack.NewPacketConn(newPacketConn(pc, d)), nil
 }
 
+func (d *Direct) IsL3Protocol(metadata *C.Metadata) bool {
+	return true // tell DNSDialer don't send domain to DialContext, avoid lookback to DefaultResolver
+}
+
 func NewDirectWithOption(option DirectOption) *Direct {
 	return &Direct{
 		Base: &Base{

adapter/outbound/hysteria2.go

@@ -21,8 +21,8 @@ import (
 
 	"github.com/metacubex/sing-quic/hysteria2"
 
+	"github.com/metacubex/randv2"
 	M "github.com/sagernet/sing/common/metadata"
-	"github.com/zhangyunhao116/fastrand"
 )
 
 func init() {
@@ -165,7 +165,7 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 		})
 		if len(serverAddress) > 0 {
 			clientOptions.ServerAddress = func(ctx context.Context) (*net.UDPAddr, error) {
-				return resolveUDPAddrWithPrefer(ctx, "udp", serverAddress[fastrand.Intn(len(serverAddress))], C.NewDNSPrefer(option.IPVersion))
+				return resolveUDPAddrWithPrefer(ctx, "udp", serverAddress[randv2.IntN(len(serverAddress))], C.NewDNSPrefer(option.IPVersion))
 			}
 
 			if option.HopInterval == 0 {

adapter/outbound/shadowsocks.go

@@ -166,12 +166,6 @@ func (ss *ShadowSocks) ListenPacketContext(ctx context.Context, metadata *C.Meta
 
 // ListenPacketWithDialer implements C.ProxyAdapter
 func (ss *ShadowSocks) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	if len(ss.option.DialerProxy) > 0 {
-		dialer, err = proxydialer.NewByName(ss.option.DialerProxy, dialer)
-		if err != nil {
-			return nil, err
-		}
-	}
 	if ss.option.UDPOverTCP {
 		tcpConn, err := ss.DialContextWithDialer(ctx, dialer, metadata)
 		if err != nil {
@@ -179,6 +173,12 @@ func (ss *ShadowSocks) ListenPacketWithDialer(ctx context.Context, dialer C.Dial
 		}
 		return ss.ListenPacketOnStreamConn(ctx, tcpConn, metadata)
 	}
+	if len(ss.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(ss.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	addr, err := resolveUDPAddrWithPrefer(ctx, "udp", ss.addr, ss.prefer)
 	if err != nil {
 		return nil, err
@@ -273,6 +273,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 		if opts.TLS {
 			v2rayOption.TLS = true
 			v2rayOption.SkipCertVerify = opts.SkipCertVerify
+			v2rayOption.Fingerprint = opts.Fingerprint
 		}
 	} else if option.Plugin == shadowtls.Mode {
 		obfsMode = shadowtls.Mode

adapter/outbound/ssh.go

@@ -17,7 +17,7 @@ import (
 	"github.com/metacubex/mihomo/component/proxydialer"
 	C "github.com/metacubex/mihomo/constant"
 
-	"github.com/zhangyunhao116/fastrand"
+	"github.com/metacubex/randv2"
 	"golang.org/x/crypto/ssh"
 )
 
@@ -180,10 +180,10 @@ func NewSsh(option SshOption) (*Ssh, error) {
 	}
 
 	version := "SSH-2.0-OpenSSH_"
-	if fastrand.Intn(2) == 0 {
-		version += "7." + strconv.Itoa(fastrand.Intn(10))
+	if randv2.IntN(2) == 0 {
+		version += "7." + strconv.Itoa(randv2.IntN(10))
 	} else {
-		version += "8." + strconv.Itoa(fastrand.Intn(9))
+		version += "8." + strconv.Itoa(randv2.IntN(9))
 	}
 	config.ClientVersion = version
 

adapter/outbound/trojan.go

@@ -3,6 +3,7 @@ package outbound
 import (
 	"context"
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"net"
 	"net/http"
@@ -15,6 +16,7 @@ import (
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/gun"
+	"github.com/metacubex/mihomo/transport/shadowsocks/core"
 	"github.com/metacubex/mihomo/transport/trojan"
 )
 
@@ -29,6 +31,8 @@ type Trojan struct {
 	transport    *gun.TransportWrap
 
 	realityConfig *tlsC.RealityConfig
+
+	ssCipher core.Cipher
 }
 
 type TrojanOption struct {
@@ -46,9 +50,17 @@ type TrojanOption struct {
 	RealityOpts       RealityOptions `proxy:"reality-opts,omitempty"`
 	GrpcOpts          GrpcOptions    `proxy:"grpc-opts,omitempty"`
 	WSOpts            WSOptions      `proxy:"ws-opts,omitempty"`
+	SSOpts            TrojanSSOption `proxy:"ss-opts,omitempty"`
 	ClientFingerprint string         `proxy:"client-fingerprint,omitempty"`
 }
 
+// TrojanSSOption from https://github.com/p4gefau1t/trojan-go/blob/v0.10.6/tunnel/shadowsocks/config.go#L5
+type TrojanSSOption struct {
+	Enabled  bool   `proxy:"enabled,omitempty"`
+	Method   string `proxy:"method,omitempty"`
+	Password string `proxy:"password,omitempty"`
+}
+
 func (t *Trojan) plainStream(ctx context.Context, c net.Conn) (net.Conn, error) {
 	if t.option.Network == "ws" {
 		host, port, _ := net.SplitHostPort(t.addr)
@@ -95,6 +107,10 @@ func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
 
+	if t.ssCipher != nil {
+		c = t.ssCipher.StreamConn(c)
+	}
+
 	if metadata.NetWork == C.UDP {
 		err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
 		return c, err
@@ -112,6 +128,10 @@ func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 			return nil, err
 		}
 
+		if t.ssCipher != nil {
+			c = t.ssCipher.StreamConn(c)
+		}
+
 		if err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata)); err != nil {
 			c.Close()
 			return nil, err
@@ -161,6 +181,11 @@ func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		defer func(c net.Conn) {
 			safeConnClose(c, err)
 		}(c)
+
+		if t.ssCipher != nil {
+			c = t.ssCipher.StreamConn(c)
+		}
+
 		err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
 		if err != nil {
 			return nil, err
@@ -193,6 +218,10 @@ func (t *Trojan) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, me
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
 
+	if t.ssCipher != nil {
+		c = t.ssCipher.StreamConn(c)
+	}
+
 	err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
 	if err != nil {
 		return nil, err
@@ -257,6 +286,20 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 	}
 	tOption.Reality = t.realityConfig
 
+	if option.SSOpts.Enabled {
+		if option.SSOpts.Password == "" {
+			return nil, errors.New("empty password")
+		}
+		if option.SSOpts.Method == "" {
+			option.SSOpts.Method = "AES-128-GCM"
+		}
+		ciph, err := core.PickCipher(option.SSOpts.Method, nil, option.SSOpts.Password)
+		if err != nil {
+			return nil, err
+		}
+		t.ssCipher = ciph
+	}
+
 	if option.Network == "grpc" {
 		dialFn := func(network, addr string) (net.Conn, error) {
 			var err error

adapter/outbound/vmess.go

@@ -179,6 +179,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		tlsOpts := mihomoVMess.TLSConfig{
 			Host:              host,
 			SkipCertVerify:    v.option.SkipCertVerify,
+			FingerPrint:       v.option.Fingerprint,
 			NextProtos:        []string{"h2"},
 			ClientFingerprint: v.option.ClientFingerprint,
 			Reality:           v.realityConfig,
@@ -208,6 +209,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			tlsOpts := &mihomoVMess.TLSConfig{
 				Host:              host,
 				SkipCertVerify:    v.option.SkipCertVerify,
+				FingerPrint:       v.option.Fingerprint,
 				ClientFingerprint: v.option.ClientFingerprint,
 				Reality:           v.realityConfig,
 				NextProtos:        v.option.ALPN,

adapter/outbound/wireguard.go

@@ -12,6 +12,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/metacubex/mihomo/common/atomic"
 	CN "github.com/metacubex/mihomo/common/net"
@@ -48,6 +49,10 @@ type WireGuard struct {
 	connectAddr   M.Socksaddr
 	localPrefixes []netip.Prefix
 
+	serverAddrMap   map[M.Socksaddr]netip.AddrPort
+	serverAddrTime  atomic.TypedValue[time.Time]
+	serverAddrMutex sync.Mutex
+
 	closeCh chan struct{} // for test
 }
 
@@ -67,6 +72,8 @@ type WireGuardOption struct {
 
 	RemoteDnsResolve bool     `proxy:"remote-dns-resolve,omitempty"`
 	Dns              []string `proxy:"dns,omitempty"`
+
+	RefreshServerIPInterval int `proxy:"refresh-server-ip-interval,omitempty"`
 }
 
 type WireGuardPeerOption struct {
@@ -287,6 +294,15 @@ func (w *WireGuard) resolve(ctx context.Context, address M.Socksaddr) (netip.Add
 }
 
 func (w *WireGuard) init(ctx context.Context) error {
+	err := w.init0(ctx)
+	if err != nil {
+		return err
+	}
+	w.updateServerAddr(ctx)
+	return nil
+}
+
+func (w *WireGuard) init0(ctx context.Context) error {
 	if w.initOk.Load() {
 		return nil
 	}
@@ -301,41 +317,118 @@ func (w *WireGuard) init(ctx context.Context) error {
 	}
 
 	w.bind.ResetReservedForEndpoint()
-	ipcConf := "private_key=" + w.option.PrivateKey
+	w.serverAddrMap = make(map[M.Socksaddr]netip.AddrPort)
+	ipcConf, err := w.genIpcConf(ctx, false)
+	if err != nil {
+		// !!! do not set initErr here !!!
+		// let us can retry domain resolve in next time
+		return err
+	}
+
+	if debug.Enabled {
+		log.SingLogger.Trace(fmt.Sprintf("[WG](%s) created wireguard ipc conf: \n %s", w.option.Name, ipcConf))
+	}
+	err = w.device.IpcSet(ipcConf)
+	if err != nil {
+		w.initErr = E.Cause(err, "setup wireguard")
+		return w.initErr
+	}
+	w.serverAddrTime.Store(time.Now())
+
+	err = w.tunDevice.Start()
+	if err != nil {
+		w.initErr = err
+		return w.initErr
+	}
+
+	w.initOk.Store(true)
+	return nil
+}
+
+func (w *WireGuard) updateServerAddr(ctx context.Context) {
+	if w.option.RefreshServerIPInterval != 0 && time.Since(w.serverAddrTime.Load()) > time.Second*time.Duration(w.option.RefreshServerIPInterval) {
+		if w.serverAddrMutex.TryLock() {
+			defer w.serverAddrMutex.Unlock()
+			ipcConf, err := w.genIpcConf(ctx, true)
+			if err != nil {
+				log.Warnln("[WG](%s)UpdateServerAddr failed to generate wireguard ipc conf: %s", w.option.Name, err)
+				return
+			}
+			err = w.device.IpcSet(ipcConf)
+			if err != nil {
+				log.Warnln("[WG](%s)UpdateServerAddr failed to update wireguard ipc conf: %s", w.option.Name, err)
+				return
+			}
+			w.serverAddrTime.Store(time.Now())
+		}
+	}
+}
+
+func (w *WireGuard) genIpcConf(ctx context.Context, updateOnly bool) (string, error) {
+	ipcConf := ""
+	if !updateOnly {
+		ipcConf += "private_key=" + w.option.PrivateKey + "\n"
+	}
 	if len(w.option.Peers) > 0 {
 		for i, peer := range w.option.Peers {
-			destination, err := w.resolve(ctx, peer.Addr())
+			peerAddr := peer.Addr()
+			destination, err := w.resolve(ctx, peerAddr)
 			if err != nil {
-				// !!! do not set initErr here !!!
-				// let us can retry domain resolve in next time
-				return E.Cause(err, "resolve endpoint domain for peer ", i)
+				return "", E.Cause(err, "resolve endpoint domain for peer ", i)
 			}
-			ipcConf += "\npublic_key=" + peer.PublicKey
-			ipcConf += "\nendpoint=" + destination.String()
-			if peer.PreSharedKey != "" {
-				ipcConf += "\npreshared_key=" + peer.PreSharedKey
+			if w.serverAddrMap[peerAddr] != destination {
+				w.serverAddrMap[peerAddr] = destination
+			} else if updateOnly {
+				continue
 			}
-			for _, allowedIP := range peer.AllowedIPs {
-				ipcConf += "\nallowed_ip=" + allowedIP
+
+			if len(w.option.Peers) == 1 { // must call SetConnectAddr if isConnect == true
+				w.bind.SetConnectAddr(destination)
 			}
+			ipcConf += "public_key=" + peer.PublicKey + "\n"
+			if updateOnly {
+				ipcConf += "update_only=true\n"
+			}
+			ipcConf += "endpoint=" + destination.String() + "\n"
 			if len(peer.Reserved) > 0 {
 				var reserved [3]uint8
 				copy(reserved[:], w.option.Reserved)
 				w.bind.SetReservedForEndpoint(destination, reserved)
 			}
+			if updateOnly {
+				continue
+			}
+			if peer.PreSharedKey != "" {
+				ipcConf += "preshared_key=" + peer.PreSharedKey + "\n"
+			}
+			for _, allowedIP := range peer.AllowedIPs {
+				ipcConf += "allowed_ip=" + allowedIP + "\n"
+			}
+			if w.option.PersistentKeepalive != 0 {
+				ipcConf += fmt.Sprintf("persistent_keepalive_interval=%d\n", w.option.PersistentKeepalive)
+			}
 		}
 	} else {
-		ipcConf += "\npublic_key=" + w.option.PublicKey
 		destination, err := w.resolve(ctx, w.connectAddr)
 		if err != nil {
-			// !!! do not set initErr here !!!
-			// let us can retry domain resolve in next time
-			return E.Cause(err, "resolve endpoint domain")
+			return "", E.Cause(err, "resolve endpoint domain")
+		}
+		if w.serverAddrMap[w.connectAddr] != destination {
+			w.serverAddrMap[w.connectAddr] = destination
+		} else if updateOnly {
+			return "", nil
+		}
+		w.bind.SetConnectAddr(destination) // must call SetConnectAddr if isConnect == true
+		ipcConf += "public_key=" + w.option.PublicKey + "\n"
+		if updateOnly {
+			ipcConf += "update_only=true\n"
+		}
+		ipcConf += "endpoint=" + destination.String() + "\n"
+		if updateOnly {
+			return ipcConf, nil
 		}
-		w.bind.SetConnectAddr(destination)
-		ipcConf += "\nendpoint=" + destination.String()
 		if w.option.PreSharedKey != "" {
-			ipcConf += "\npreshared_key=" + w.option.PreSharedKey
+			ipcConf += "preshared_key=" + w.option.PreSharedKey + "\n"
 		}
 		var has4, has6 bool
 		for _, address := range w.localPrefixes {
@@ -346,34 +439,17 @@ func (w *WireGuard) init(ctx context.Context) error {
 			}
 		}
 		if has4 {
-			ipcConf += "\nallowed_ip=0.0.0.0/0"
+			ipcConf += "allowed_ip=0.0.0.0/0\n"
 		}
 		if has6 {
-			ipcConf += "\nallowed_ip=::/0"
+			ipcConf += "allowed_ip=::/0\n"
+		}
+
+		if w.option.PersistentKeepalive != 0 {
+			ipcConf += fmt.Sprintf("persistent_keepalive_interval=%d\n", w.option.PersistentKeepalive)
 		}
 	}
-
-	if w.option.PersistentKeepalive != 0 {
-		ipcConf += fmt.Sprintf("\npersistent_keepalive_interval=%d", w.option.PersistentKeepalive)
-	}
-
-	if debug.Enabled {
-		log.SingLogger.Trace(fmt.Sprintf("[WG](%s) created wireguard ipc conf: \n %s", w.option.Name, ipcConf))
-	}
-	err := w.device.IpcSet(ipcConf)
-	if err != nil {
-		w.initErr = E.Cause(err, "setup wireguard")
-		return w.initErr
-	}
-
-	err = w.tunDevice.Start()
-	if err != nil {
-		w.initErr = err
-		return w.initErr
-	}
-
-	w.initOk.Store(true)
-	return nil
+	return ipcConf, nil
 }
 
 func closeWireGuard(w *WireGuard) {

adapter/outboundgroup/groupbase.go

@@ -48,7 +48,7 @@ type GroupBaseOption struct {
 func NewGroupBase(opt GroupBaseOption) *GroupBase {
 	var excludeFilterReg *regexp2.Regexp
 	if opt.excludeFilter != "" {
-		excludeFilterReg = regexp2.MustCompile(opt.excludeFilter, 0)
+		excludeFilterReg = regexp2.MustCompile(opt.excludeFilter, regexp2.None)
 	}
 	var excludeTypeArray []string
 	if opt.excludeType != "" {
@@ -58,7 +58,7 @@ func NewGroupBase(opt GroupBaseOption) *GroupBase {
 	var filterRegs []*regexp2.Regexp
 	if opt.filter != "" {
 		for _, filter := range strings.Split(opt.filter, "`") {
-			filterReg := regexp2.MustCompile(filter, 0)
+			filterReg := regexp2.MustCompile(filter, regexp2.None)
 			filterRegs = append(filterRegs, filterReg)
 		}
 	}
@@ -126,7 +126,7 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 				for _, filterReg := range gb.filterRegs {
 					for _, p := range proxies {
 						name := p.Name()
-						if mat, _ := filterReg.FindStringMatch(name); mat != nil {
+						if mat, _ := filterReg.MatchString(name); mat {
 							if _, ok := proxiesSet[name]; !ok {
 								proxiesSet[name] = struct{}{}
 								newProxies = append(newProxies, p)
@@ -150,7 +150,7 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 		for _, filterReg := range gb.filterRegs {
 			for _, p := range proxies {
 				name := p.Name()
-				if mat, _ := filterReg.FindStringMatch(name); mat != nil {
+				if mat, _ := filterReg.MatchString(name); mat {
 					if _, ok := proxiesSet[name]; !ok {
 						proxiesSet[name] = struct{}{}
 						newProxies = append(newProxies, p)
@@ -191,7 +191,7 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 		var newProxies []C.Proxy
 		for _, p := range proxies {
 			name := p.Name()
-			if mat, _ := gb.excludeFilterReg.FindStringMatch(name); mat != nil {
+			if mat, _ := gb.excludeFilterReg.MatchString(name); mat {
 				continue
 			}
 			newProxies = append(newProxies, p)

adapter/outboundgroup/parser.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/dlclark/regexp2"
+
 	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/adapter/provider"
 	"github.com/metacubex/mihomo/common/structure"
@@ -70,7 +72,22 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 		groupOption.Use = append(groupOption.Use, AllProviders...)
 	}
 	if groupOption.IncludeAllProxies {
-		groupOption.Proxies = append(groupOption.Proxies, AllProxies...)
+		if groupOption.Filter != "" {
+			var filterRegs []*regexp2.Regexp
+			for _, filter := range strings.Split(groupOption.Filter, "`") {
+				filterReg := regexp2.MustCompile(filter, regexp2.None)
+				filterRegs = append(filterRegs, filterReg)
+			}
+			for _, p := range AllProxies {
+				for _, filterReg := range filterRegs {
+					if mat, _ := filterReg.MatchString(p); mat {
+						groupOption.Proxies = append(groupOption.Proxies, p)
+					}
+				}
+			}
+		} else {
+			groupOption.Proxies = append(groupOption.Proxies, AllProxies...)
+		}
 	}
 
 	if len(groupOption.Proxies) == 0 && len(groupOption.Use) == 0 {

adapter/outboundgroup/relay.go

@@ -9,6 +9,7 @@ import (
 	"github.com/metacubex/mihomo/component/proxydialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/provider"
+	"github.com/metacubex/mihomo/log"
 )
 
 type Relay struct {
@@ -149,6 +150,7 @@ func (r *Relay) Addr() string {
 }
 
 func NewRelay(option *GroupCommonOption, providers []provider.ProxyProvider) *Relay {
+	log.Warnln("The group [%s] with relay type is deprecated, please using dialer-proxy instead", option.Name)
 	return &Relay{
 		GroupBase: NewGroupBase(GroupBaseOption{
 			outbound.BaseOption{

adapter/provider/healthcheck.go

@@ -181,14 +181,14 @@ func (hc *HealthCheck) execute(b *batch.Batch[bool], url, uid string, option *ex
 				filters = append(filters, filter)
 			}
 
-			filterReg = regexp2.MustCompile(strings.Join(filters, "|"), 0)
+			filterReg = regexp2.MustCompile(strings.Join(filters, "|"), regexp2.None)
 		}
 	}
 
 	for _, proxy := range hc.proxies {
 		// skip proxies that do not require health check
 		if filterReg != nil {
-			if match, _ := filterReg.FindStringMatch(proxy.Name()); match == nil {
+			if match, _ := filterReg.MatchString(proxy.Name()); !match {
 				continue
 			}
 		}

adapter/provider/parser.go

@@ -28,7 +28,10 @@ type healthCheckSchema struct {
 }
 
 type OverrideSchema struct {
+	TFO              *bool   `provider:"tfo,omitempty"`
+	MPTcp            *bool   `provider:"mptcp,omitempty"`
 	UDP              *bool   `provider:"udp,omitempty"`
+	UDPOverTCP       *bool   `provider:"udp-over-tcp,omitempty"`
 	Up               *string `provider:"up,omitempty"`
 	Down             *string `provider:"down,omitempty"`
 	DialerProxy      *string `provider:"dialer-proxy,omitempty"`

adapter/provider/provider.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"reflect"
 	"runtime"
 	"strings"
 	"time"
@@ -169,7 +170,7 @@ func stopProxyProvider(pd *ProxySetProvider) {
 }
 
 func NewProxySetProvider(name string, interval time.Duration, filter string, excludeFilter string, excludeType string, dialerProxy string, override OverrideSchema, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
-	excludeFilterReg, err := regexp2.Compile(excludeFilter, 0)
+	excludeFilterReg, err := regexp2.Compile(excludeFilter, regexp2.None)
 	if err != nil {
 		return nil, fmt.Errorf("invalid excludeFilter regex: %w", err)
 	}
@@ -180,7 +181,7 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, exc
 
 	var filterRegs []*regexp2.Regexp
 	for _, filter := range strings.Split(filter, "`") {
-		filterReg, err := regexp2.Compile(filter, 0)
+		filterReg, err := regexp2.Compile(filter, regexp2.None)
 		if err != nil {
 			return nil, fmt.Errorf("invalid filter regex: %w", err)
 		}
@@ -356,12 +357,12 @@ func proxiesParseAndFilter(filter string, excludeFilter string, excludeTypeArray
 					continue
 				}
 				if len(excludeFilter) > 0 {
-					if mat, _ := excludeFilterReg.FindStringMatch(name); mat != nil {
+					if mat, _ := excludeFilterReg.MatchString(name); mat {
 						continue
 					}
 				}
 				if len(filter) > 0 {
-					if mat, _ := filterReg.FindStringMatch(name); mat == nil {
+					if mat, _ := filterReg.MatchString(name); !mat {
 						continue
 					}
 				}
@@ -373,37 +374,23 @@ func proxiesParseAndFilter(filter string, excludeFilter string, excludeTypeArray
 					mapping["dialer-proxy"] = dialerProxy
 				}
 
-				if override.UDP != nil {
-					mapping["udp"] = *override.UDP
-				}
-				if override.Up != nil {
-					mapping["up"] = *override.Up
-				}
-				if override.Down != nil {
-					mapping["down"] = *override.Down
-				}
-				if override.DialerProxy != nil {
-					mapping["dialer-proxy"] = *override.DialerProxy
-				}
-				if override.SkipCertVerify != nil {
-					mapping["skip-cert-verify"] = *override.SkipCertVerify
-				}
-				if override.Interface != nil {
-					mapping["interface-name"] = *override.Interface
-				}
-				if override.RoutingMark != nil {
-					mapping["routing-mark"] = *override.RoutingMark
-				}
-				if override.IPVersion != nil {
-					mapping["ip-version"] = *override.IPVersion
-				}
-				if override.AdditionalPrefix != nil {
-					name := mapping["name"].(string)
-					mapping["name"] = *override.AdditionalPrefix + name
-				}
-				if override.AdditionalSuffix != nil {
-					name := mapping["name"].(string)
-					mapping["name"] = name + *override.AdditionalSuffix
+				val := reflect.ValueOf(override)
+				for i := 0; i < val.NumField(); i++ {
+					field := val.Field(i)
+					if field.IsNil() {
+						continue
+					}
+					fieldName := strings.Split(val.Type().Field(i).Tag.Get("provider"), ",")[0]
+					switch fieldName {
+					case "additional-prefix":
+						name := mapping["name"].(string)
+						mapping["name"] = *field.Interface().(*string) + name
+					case "additional-suffix":
+						name := mapping["name"].(string)
+						mapping["name"] = name + *field.Interface().(*string)
+					default:
+						mapping[fieldName] = field.Elem().Interface()
+					}
 				}
 
 				proxy, err := adapter.ParseProxy(mapping)

common/convert/converter.go

@@ -333,7 +333,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			case "ws", "httpupgrade":
 				headers := make(map[string]any)
 				wsOpts := make(map[string]any)
-				wsOpts["path"] = []string{"/"}
+				wsOpts["path"] = "/"
 				if host, ok := values["host"]; ok && host != "" {
 					headers["Host"] = host.(string)
 				}

common/convert/util.go

@@ -8,8 +8,8 @@ import (
 
 	"github.com/metacubex/mihomo/common/utils"
 
+	"github.com/metacubex/randv2"
 	"github.com/metacubex/sing-shadowsocks/shadowimpl"
-	"github.com/zhangyunhao116/fastrand"
 )
 
 var hostsSuffix = []string{
@@ -302,11 +302,11 @@ func RandHost() string {
 	prefix += string(buf[6:8]) + "-"
 	prefix += string(buf[len(buf)-8:])
 
-	return prefix + hostsSuffix[fastrand.Intn(hostsLen)]
+	return prefix + hostsSuffix[randv2.IntN(hostsLen)]
 }
 
 func RandUserAgent() string {
-	return userAgents[fastrand.Intn(uaLen)]
+	return userAgents[randv2.IntN(uaLen)]
 }
 
 func SetUserAgent(header http.Header) {

common/pool/alloc_test.go

@@ -3,8 +3,8 @@ package pool
 import (
 	"testing"
 
+	"github.com/metacubex/randv2"
 	"github.com/stretchr/testify/assert"
-	"github.com/zhangyunhao116/fastrand"
 )
 
 func TestAllocGet(t *testing.T) {
@@ -43,6 +43,6 @@ func TestAllocPutThenGet(t *testing.T) {
 
 func BenchmarkMSB(b *testing.B) {
 	for i := 0; i < b.N; i++ {
-		msb(fastrand.Int())
+		msb(randv2.Int())
 	}
 }

common/utils/callback.go

@@ -0,0 +1,50 @@
+package utils
+
+import (
+	"io"
+	"sync"
+
+	list "github.com/bahlo/generic-list-go"
+)
+
+type Callback[T any] struct {
+	list  list.List[func(T)]
+	mutex sync.RWMutex
+}
+
+func NewCallback[T any]() *Callback[T] {
+	return &Callback[T]{}
+}
+
+func (c *Callback[T]) Register(item func(T)) io.Closer {
+	c.mutex.RLock()
+	defer c.mutex.RUnlock()
+	element := c.list.PushBack(item)
+	return &callbackCloser[T]{
+		element:  element,
+		callback: c,
+	}
+}
+
+func (c *Callback[T]) Emit(item T) {
+	c.mutex.RLock()
+	defer c.mutex.RUnlock()
+	for element := c.list.Front(); element != nil; element = element.Next() {
+		go element.Value(item)
+	}
+}
+
+type callbackCloser[T any] struct {
+	element  *list.Element[func(T)]
+	callback *Callback[T]
+	once     sync.Once
+}
+
+func (c *callbackCloser[T]) Close() error {
+	c.once.Do(func() {
+		c.callback.mutex.Lock()
+		defer c.callback.mutex.Unlock()
+		c.callback.list.Remove(c.element)
+	})
+	return nil
+}

common/utils/uuid.go

@@ -2,19 +2,39 @@ package utils
 
 import (
 	"github.com/gofrs/uuid/v5"
-	"github.com/zhangyunhao116/fastrand"
+	"github.com/metacubex/randv2"
 )
 
-type fastRandReader struct{}
+type unsafeRandReader struct{}
 
-func (r fastRandReader) Read(p []byte) (int, error) {
-	return fastrand.Read(p)
+func (r unsafeRandReader) Read(p []byte) (n int, err error) {
+	// modify from https://github.com/golang/go/blob/587c3847da81aa7cfc3b3db2677c8586c94df13a/src/runtime/rand.go#L70-L89
+	// Inspired by wyrand.
+	n = len(p)
+	v := randv2.Uint64()
+	for len(p) > 0 {
+		v ^= 0xa0761d6478bd642f
+		v *= 0xe7037ed1a0b428db
+		size := 8
+		if len(p) < 8 {
+			size = len(p)
+		}
+		for i := 0; i < size; i++ {
+			p[i] ^= byte(v >> (8 * i))
+		}
+		p = p[size:]
+		v = v>>32 | v<<32
+	}
+
+	return
 }
 
-var UnsafeUUIDGenerator = uuid.NewGenWithOptions(uuid.WithRandomReader(fastRandReader{}))
+var UnsafeRandReader = unsafeRandReader{}
+
+var UnsafeUUIDGenerator = uuid.NewGenWithOptions(uuid.WithRandomReader(UnsafeRandReader))
 
 func NewUUIDV1() uuid.UUID {
-	u, _ := UnsafeUUIDGenerator.NewV1() // fastrand.Read wouldn't cause error, so ignore err is safe
+	u, _ := UnsafeUUIDGenerator.NewV1() // unsafeRandReader wouldn't cause error, so ignore err is safe
 	return u
 }
 
@@ -23,7 +43,7 @@ func NewUUIDV3(ns uuid.UUID, name string) uuid.UUID {
 }
 
 func NewUUIDV4() uuid.UUID {
-	u, _ := UnsafeUUIDGenerator.NewV4() // fastrand.Read wouldn't cause error, so ignore err is safe
+	u, _ := UnsafeUUIDGenerator.NewV4() // unsafeRandReader wouldn't cause error, so ignore err is safe
 	return u
 }
 
@@ -32,12 +52,12 @@ func NewUUIDV5(ns uuid.UUID, name string) uuid.UUID {
 }
 
 func NewUUIDV6() uuid.UUID {
-	u, _ := UnsafeUUIDGenerator.NewV6() // fastrand.Read wouldn't cause error, so ignore err is safe
+	u, _ := UnsafeUUIDGenerator.NewV6() // unsafeRandReader wouldn't cause error, so ignore err is safe
 	return u
 }
 
 func NewUUIDV7() uuid.UUID {
-	u, _ := UnsafeUUIDGenerator.NewV7() // fastrand.Read wouldn't cause error, so ignore err is safe
+	u, _ := UnsafeUUIDGenerator.NewV7() // unsafeRandReader wouldn't cause error, so ignore err is safe
 	return u
 }
 

component/ca/config.go

@@ -67,9 +67,6 @@ func ResetCertificate() {
 }
 
 func getCertPool() *x509.CertPool {
-	if len(trustCerts) == 0 {
-		return nil
-	}
 	if globalCertPool == nil {
 		mutex.Lock()
 		defer mutex.Unlock()

component/ca/fix_windows.go

@@ -0,0 +1,14 @@
+package ca
+
+import (
+	"github.com/metacubex/mihomo/constant/features"
+)
+
+func init() {
+	// crypto/x509: certificate validation in Windows fails to validate IP in SAN
+	// https://github.com/golang/go/issues/37176
+	// As far as I can tell this is still the case on most older versions of Windows (but seems to be fixed in 10)
+	if features.WindowsMajorVersion < 10 && len(_CaCertificates) > 0 {
+		DisableSystemCa = true
+	}
+}

component/cidr/ipcidr_set.go

@@ -43,12 +43,12 @@ func (set *IpCidrSet) IsContainForString(ipString string) bool {
 }
 
 func (set *IpCidrSet) IsContain(ip netip.Addr) bool {
-	return set.toIPSet().Contains(ip.WithZone(""))
+	return set.ToIPSet().Contains(ip.WithZone(""))
 }
 
 func (set *IpCidrSet) Merge() error {
 	var b netipx.IPSetBuilder
-	b.AddSet(set.toIPSet())
+	b.AddSet(set.ToIPSet())
 	i, err := b.IPSet()
 	if err != nil {
 		return err
@@ -57,7 +57,9 @@ func (set *IpCidrSet) Merge() error {
 	return nil
 }
 
-func (set *IpCidrSet) toIPSet() *netipx.IPSet {
+// ToIPSet not safe convert to *netipx.IPSet
+// be careful, must be used after Merge
+func (set *IpCidrSet) ToIPSet() *netipx.IPSet {
 	return (*netipx.IPSet)(unsafe.Pointer(set))
 }
 

component/dialer/dialer.go

@@ -164,7 +164,7 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 	if opt.mpTcp {
 		setMultiPathTCP(dialer)
 	}
-	if opt.tfo {
+	if opt.tfo && !DisableTFO {
 		return dialTFO(ctx, *dialer, network, address)
 	}
 	return dialer.DialContext(ctx, network, address)
@@ -378,12 +378,12 @@ func (d Dialer) DialContext(ctx context.Context, network, address string) (net.C
 }
 
 func (d Dialer) ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error) {
-	opt := WithOption(d.Opt)
+	opt := d.Opt // make a copy
 	if rAddrPort.Addr().Unmap().IsLoopback() {
 		// avoid "The requested address is not valid in its context."
-		opt = WithInterface("")
+		WithInterface("")(&opt)
 	}
-	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, rAddrPort, opt)
+	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, rAddrPort, WithOption(opt))
 }
 
 func NewDialer(options ...Option) Dialer {

component/dialer/tfo.go

@@ -5,8 +5,6 @@ import (
 	"io"
 	"net"
 	"time"
-
-	"github.com/metacubex/tfo-go"
 )
 
 type tfoConn struct {
@@ -122,16 +120,3 @@ func (c *tfoConn) ReaderReplaceable() bool {
 func (c *tfoConn) WriterReplaceable() bool {
 	return c.Conn != nil
 }
-
-func dialTFO(ctx context.Context, netDialer net.Dialer, network, address string) (net.Conn, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), DefaultTCPTimeout)
-	dialer := tfo.Dialer{Dialer: netDialer, DisableTFO: false}
-	return &tfoConn{
-		dialed: make(chan bool, 1),
-		cancel: cancel,
-		ctx:    ctx,
-		dialFn: func(ctx context.Context, earlyData []byte) (net.Conn, error) {
-			return dialer.DialContext(ctx, network, address, earlyData)
-		},
-	}, nil
-}

component/dialer/tfo_unix.go

@@ -0,0 +1,25 @@
+//go:build unix
+
+package dialer
+
+import (
+	"context"
+	"net"
+
+	"github.com/metacubex/tfo-go"
+)
+
+const DisableTFO = false
+
+func dialTFO(ctx context.Context, netDialer net.Dialer, network, address string) (net.Conn, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), DefaultTCPTimeout)
+	dialer := tfo.Dialer{Dialer: netDialer, DisableTFO: false}
+	return &tfoConn{
+		dialed: make(chan bool, 1),
+		cancel: cancel,
+		ctx:    ctx,
+		dialFn: func(ctx context.Context, earlyData []byte) (net.Conn, error) {
+			return dialer.DialContext(ctx, network, address, earlyData)
+		},
+	}, nil
+}

component/dialer/tfo_windows.go

@@ -0,0 +1,12 @@
+package dialer
+
+import (
+	"context"
+	"net"
+)
+
+const DisableTFO = true
+
+func dialTFO(ctx context.Context, netDialer net.Dialer, network, address string) (net.Conn, error) {
+	return netDialer.DialContext(ctx, network, address)
+}

component/iface/iface.go

@@ -11,8 +11,9 @@ import (
 
 type Interface struct {
 	Index        int
+	MTU          int
 	Name         string
-	Addrs        []netip.Prefix
+	Addresses    []netip.Prefix
 	HardwareAddr net.HardwareAddr
 }
 
@@ -61,8 +62,9 @@ func Interfaces() (map[string]*Interface, error) {
 
 			r[iface.Name] = &Interface{
 				Index:        iface.Index,
+				MTU:          iface.MTU,
 				Name:         iface.Name,
-				Addrs:        ipNets,
+				Addresses:    ipNets,
 				HardwareAddr: iface.HardwareAddr,
 			}
 		}
@@ -92,7 +94,7 @@ func IsLocalIp(ip netip.Addr) (bool, error) {
 		return false, err
 	}
 	for _, iface := range ifaces {
-		for _, addr := range iface.Addrs {
+		for _, addr := range iface.Addresses {
 			if addr.Contains(ip) {
 				return true, nil
 			}
@@ -120,7 +122,7 @@ func (iface *Interface) PickIPv6Addr(destination netip.Addr) (netip.Prefix, erro
 func (iface *Interface) pickIPAddr(destination netip.Addr, accept func(addr netip.Prefix) bool) (netip.Prefix, error) {
 	var fallback netip.Prefix
 
-	for _, addr := range iface.Addrs {
+	for _, addr := range iface.Addresses {
 		if !accept(addr) {
 			continue
 		}

component/process/process_linux.go

@@ -2,19 +2,23 @@ package process
 
 import (
 	"bytes"
+	"context"
 	"encoding/binary"
 	"fmt"
 	"net/netip"
 	"os"
-	"path"
 	"path/filepath"
 	"runtime"
 	"strings"
+	"sync"
 	"syscall"
 	"unicode"
 	"unsafe"
 
+	"github.com/metacubex/mihomo/log"
+
 	"github.com/mdlayher/netlink"
+	tun "github.com/metacubex/sing-tun"
 	"golang.org/x/sys/unix"
 )
 
@@ -59,6 +63,19 @@ type inetDiagResponse struct {
 	INode   uint32
 }
 
+type MyCallback struct{}
+
+var (
+	packageManager tun.PackageManager
+	once           sync.Once
+)
+
+func (cb *MyCallback) OnPackagesUpdated(packageCount int, sharedCount int) {}
+
+func (cb *MyCallback) NewError(ctx context.Context, err error) {
+	log.Warnln("%s", err)
+}
+
 func findProcessName(network string, ip netip.Addr, srcPort int) (uint32, string, error) {
 	uid, inode, err := resolveSocketByNetlink(network, ip, srcPort)
 	if err != nil {
@@ -162,12 +179,7 @@ func resolveProcessNameByProcSearch(inode, uid uint32) (string, error) {
 			}
 			if runtime.GOOS == "android" {
 				if bytes.Equal(buffer[:n], socket) {
-					cmdline, err := os.ReadFile(path.Join(processPath, "cmdline"))
-					if err != nil {
-						return "", err
-					}
-
-					return splitCmdline(cmdline), nil
+					return findPackageName(uid), nil
 				}
 			} else {
 				if bytes.Equal(buffer[:n], socket) {
@@ -181,17 +193,28 @@ func resolveProcessNameByProcSearch(inode, uid uint32) (string, error) {
 	return "", fmt.Errorf("process of uid(%d),inode(%d) not found", uid, inode)
 }
 
-func splitCmdline(cmdline []byte) string {
-	cmdline = bytes.Trim(cmdline, " ")
-
-	idx := bytes.IndexFunc(cmdline, func(r rune) bool {
-		return unicode.IsControl(r) || unicode.IsSpace(r) || r == ':'
+func findPackageName(uid uint32) string {
+	once.Do(func() {
+		callback := &MyCallback{}
+		var err error
+		packageManager, err = tun.NewPackageManager(callback)
+		if err != nil {
+			log.Warnln("%s", err)
+		}
+		err = packageManager.Start()
+		if err != nil {
+			log.Warnln("%s", err)
+			return
+		}
 	})
 
-	if idx == -1 {
-		return filepath.Base(string(cmdline))
+	if sharedPackage, loaded := packageManager.SharedPackageByID(uid % 100000); loaded {
+		return sharedPackage
 	}
-	return filepath.Base(string(cmdline[:idx]))
+	if packageName, loaded := packageManager.PackageByID(uid % 100000); loaded {
+		return packageName
+	}
+	return ""
 }
 
 func isPid(s string) bool {

component/resolver/host.go

@@ -9,11 +9,15 @@ import (
 	_ "unsafe"
 
 	"github.com/metacubex/mihomo/common/utils"
+	"github.com/metacubex/mihomo/component/resolver/hosts"
 	"github.com/metacubex/mihomo/component/trie"
-	"github.com/zhangyunhao116/fastrand"
+	"github.com/metacubex/randv2"
 )
 
-var DisableSystemHosts, _ = strconv.ParseBool(os.Getenv("DISABLE_SYSTEM_HOSTS"))
+var (
+	DisableSystemHosts, _ = strconv.ParseBool(os.Getenv("DISABLE_SYSTEM_HOSTS"))
+	UseSystemHosts        bool
+)
 
 type Hosts struct {
 	*trie.DomainTrie[HostValue]
@@ -25,11 +29,6 @@ func NewHosts(hosts *trie.DomainTrie[HostValue]) Hosts {
 	}
 }
 
-// lookupStaticHost looks up the addresses and the canonical name for the given host from /etc/hosts.
-//
-//go:linkname lookupStaticHost net.lookupStaticHost
-func lookupStaticHost(host string) ([]string, string)
-
 // Return the search result and whether to match the parameter `isDomain`
 func (h *Hosts) Search(domain string, isDomain bool) (*HostValue, bool) {
 	if value := h.DomainTrie.Search(domain); value != nil {
@@ -51,8 +50,9 @@ func (h *Hosts) Search(domain string, isDomain bool) (*HostValue, bool) {
 
 		return &hostValue, false
 	}
-	if !isDomain && !DisableSystemHosts {
-		addr, _ := lookupStaticHost(domain)
+
+	if !isDomain && !DisableSystemHosts && UseSystemHosts {
+		addr, _ := hosts.LookupStaticHost(domain)
 		if hostValue, err := NewHostValue(addr); err == nil {
 			return &hostValue, true
 		}
@@ -125,5 +125,5 @@ func (hv HostValue) RandIP() (netip.Addr, error) {
 	if hv.IsDomain {
 		return netip.Addr{}, errors.New("value type is error")
 	}
-	return hv.IPs[fastrand.Intn(len(hv.IPs))], nil
+	return hv.IPs[randv2.IntN(len(hv.IPs))], nil
 }

component/resolver/hosts/hosts.go

@@ -0,0 +1,309 @@
+package hosts
+
+// this file copy and modify from golang's std net/hosts.go
+
+import (
+	"errors"
+	"io"
+	"io/fs"
+	"net/netip"
+	"os"
+	"strings"
+	"sync"
+	"time"
+)
+
+var hostsFilePath = "/etc/hosts"
+
+const cacheMaxAge = 5 * time.Second
+
+func parseLiteralIP(addr string) string {
+	ip, err := netip.ParseAddr(addr)
+	if err != nil {
+		return ""
+	}
+	return ip.String()
+}
+
+type byName struct {
+	addrs         []string
+	canonicalName string
+}
+
+// hosts contains known host entries.
+var hosts struct {
+	sync.Mutex
+
+	// Key for the list of literal IP addresses must be a host
+	// name. It would be part of DNS labels, a FQDN or an absolute
+	// FQDN.
+	// For now the key is converted to lower case for convenience.
+	byName map[string]byName
+
+	// Key for the list of host names must be a literal IP address
+	// including IPv6 address with zone identifier.
+	// We don't support old-classful IP address notation.
+	byAddr map[string][]string
+
+	expire time.Time
+	path   string
+	mtime  time.Time
+	size   int64
+}
+
+func readHosts() {
+	now := time.Now()
+	hp := hostsFilePath
+
+	if now.Before(hosts.expire) && hosts.path == hp && len(hosts.byName) > 0 {
+		return
+	}
+	mtime, size, err := stat(hp)
+	if err == nil && hosts.path == hp && hosts.mtime.Equal(mtime) && hosts.size == size {
+		hosts.expire = now.Add(cacheMaxAge)
+		return
+	}
+
+	hs := make(map[string]byName)
+	is := make(map[string][]string)
+
+	file, err := open(hp)
+	if err != nil {
+		if !errors.Is(err, fs.ErrNotExist) && !errors.Is(err, fs.ErrPermission) {
+			return
+		}
+	}
+
+	if file != nil {
+		defer file.close()
+		for line, ok := file.readLine(); ok; line, ok = file.readLine() {
+			if i := strings.IndexByte(line, '#'); i >= 0 {
+				// Discard comments.
+				line = line[0:i]
+			}
+			f := getFields(line)
+			if len(f) < 2 {
+				continue
+			}
+			addr := parseLiteralIP(f[0])
+			if addr == "" {
+				continue
+			}
+
+			var canonical string
+			for i := 1; i < len(f); i++ {
+				name := absDomainName(f[i])
+				h := []byte(f[i])
+				lowerASCIIBytes(h)
+				key := absDomainName(string(h))
+
+				if i == 1 {
+					canonical = key
+				}
+
+				is[addr] = append(is[addr], name)
+
+				if v, ok := hs[key]; ok {
+					hs[key] = byName{
+						addrs:         append(v.addrs, addr),
+						canonicalName: v.canonicalName,
+					}
+					continue
+				}
+
+				hs[key] = byName{
+					addrs:         []string{addr},
+					canonicalName: canonical,
+				}
+			}
+		}
+	}
+	// Update the data cache.
+	hosts.expire = now.Add(cacheMaxAge)
+	hosts.path = hp
+	hosts.byName = hs
+	hosts.byAddr = is
+	hosts.mtime = mtime
+	hosts.size = size
+}
+
+// LookupStaticHost looks up the addresses and the canonical name for the given host from /etc/hosts.
+func LookupStaticHost(host string) ([]string, string) {
+	hosts.Lock()
+	defer hosts.Unlock()
+	readHosts()
+	if len(hosts.byName) != 0 {
+		if hasUpperCase(host) {
+			lowerHost := []byte(host)
+			lowerASCIIBytes(lowerHost)
+			host = string(lowerHost)
+		}
+		if byName, ok := hosts.byName[absDomainName(host)]; ok {
+			ipsCp := make([]string, len(byName.addrs))
+			copy(ipsCp, byName.addrs)
+			return ipsCp, byName.canonicalName
+		}
+	}
+	return nil, ""
+}
+
+// LookupStaticAddr looks up the hosts for the given address from /etc/hosts.
+func LookupStaticAddr(addr string) []string {
+	hosts.Lock()
+	defer hosts.Unlock()
+	readHosts()
+	addr = parseLiteralIP(addr)
+	if addr == "" {
+		return nil
+	}
+	if len(hosts.byAddr) != 0 {
+		if hosts, ok := hosts.byAddr[addr]; ok {
+			hostsCp := make([]string, len(hosts))
+			copy(hostsCp, hosts)
+			return hostsCp
+		}
+	}
+	return nil
+}
+
+func stat(name string) (mtime time.Time, size int64, err error) {
+	st, err := os.Stat(name)
+	if err != nil {
+		return time.Time{}, 0, err
+	}
+	return st.ModTime(), st.Size(), nil
+}
+
+type file struct {
+	file  *os.File
+	data  []byte
+	atEOF bool
+}
+
+func (f *file) close() { f.file.Close() }
+
+func (f *file) getLineFromData() (s string, ok bool) {
+	data := f.data
+	i := 0
+	for i = 0; i < len(data); i++ {
+		if data[i] == '\n' {
+			s = string(data[0:i])
+			ok = true
+			// move data
+			i++
+			n := len(data) - i
+			copy(data[0:], data[i:])
+			f.data = data[0:n]
+			return
+		}
+	}
+	if f.atEOF && len(f.data) > 0 {
+		// EOF, return all we have
+		s = string(data)
+		f.data = f.data[0:0]
+		ok = true
+	}
+	return
+}
+
+func (f *file) readLine() (s string, ok bool) {
+	if s, ok = f.getLineFromData(); ok {
+		return
+	}
+	if len(f.data) < cap(f.data) {
+		ln := len(f.data)
+		n, err := io.ReadFull(f.file, f.data[ln:cap(f.data)])
+		if n >= 0 {
+			f.data = f.data[0 : ln+n]
+		}
+		if err == io.EOF || err == io.ErrUnexpectedEOF {
+			f.atEOF = true
+		}
+	}
+	s, ok = f.getLineFromData()
+	return
+}
+
+func (f *file) stat() (mtime time.Time, size int64, err error) {
+	st, err := f.file.Stat()
+	if err != nil {
+		return time.Time{}, 0, err
+	}
+	return st.ModTime(), st.Size(), nil
+}
+
+func open(name string) (*file, error) {
+	fd, err := os.Open(name)
+	if err != nil {
+		return nil, err
+	}
+	return &file{fd, make([]byte, 0, 64*1024), false}, nil
+}
+
+func getFields(s string) []string { return splitAtBytes(s, " \r\t\n") }
+
+// Count occurrences in s of any bytes in t.
+func countAnyByte(s string, t string) int {
+	n := 0
+	for i := 0; i < len(s); i++ {
+		if strings.IndexByte(t, s[i]) >= 0 {
+			n++
+		}
+	}
+	return n
+}
+
+// Split s at any bytes in t.
+func splitAtBytes(s string, t string) []string {
+	a := make([]string, 1+countAnyByte(s, t))
+	n := 0
+	last := 0
+	for i := 0; i < len(s); i++ {
+		if strings.IndexByte(t, s[i]) >= 0 {
+			if last < i {
+				a[n] = s[last:i]
+				n++
+			}
+			last = i + 1
+		}
+	}
+	if last < len(s) {
+		a[n] = s[last:]
+		n++
+	}
+	return a[0:n]
+}
+
+// lowerASCIIBytes makes x ASCII lowercase in-place.
+func lowerASCIIBytes(x []byte) {
+	for i, b := range x {
+		if 'A' <= b && b <= 'Z' {
+			x[i] += 'a' - 'A'
+		}
+	}
+}
+
+// hasUpperCase tells whether the given string contains at least one upper-case.
+func hasUpperCase(s string) bool {
+	for i := range s {
+		if 'A' <= s[i] && s[i] <= 'Z' {
+			return true
+		}
+	}
+	return false
+}
+
+// absDomainName returns an absolute domain name which ends with a
+// trailing dot to match pure Go reverse resolver and all other lookup
+// routines.
+// See golang.org/issue/12189.
+// But we don't want to add dots for local names from /etc/hosts.
+// It's hard to tell so we settle on the heuristic that names without dots
+// (like "localhost" or "myhost") do not get trailing dots, but any other
+// names do.
+func absDomainName(s string) string {
+	if strings.IndexByte(s, '.') != -1 && s[len(s)-1] != '.' {
+		s += "."
+	}
+	return s
+}

component/resolver/hosts/hosts_windows.go

@@ -0,0 +1,13 @@
+package hosts
+
+// this file copy and modify from golang's std net/hook_windows.go
+
+import (
+	"golang.org/x/sys/windows"
+)
+
+func init() {
+	if dir, err := windows.GetSystemDirectory(); err == nil {
+		hostsFilePath = dir + "/Drivers/etc/hosts"
+	}
+}

component/resolver/resolver.go

@@ -12,8 +12,8 @@ import (
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/trie"
 
+	"github.com/metacubex/randv2"
 	"github.com/miekg/dns"
-	"github.com/zhangyunhao116/fastrand"
 )
 
 var (
@@ -93,7 +93,7 @@ func ResolveIPv4WithResolver(ctx context.Context, host string, r Resolver) (neti
 	} else if len(ips) == 0 {
 		return netip.Addr{}, fmt.Errorf("%w: %s", ErrIPNotFound, host)
 	}
-	return ips[fastrand.Intn(len(ips))], nil
+	return ips[randv2.IntN(len(ips))], nil
 }
 
 // ResolveIPv4 with a host, return ipv4
@@ -149,7 +149,7 @@ func ResolveIPv6WithResolver(ctx context.Context, host string, r Resolver) (neti
 	} else if len(ips) == 0 {
 		return netip.Addr{}, fmt.Errorf("%w: %s", ErrIPNotFound, host)
 	}
-	return ips[fastrand.Intn(len(ips))], nil
+	return ips[randv2.IntN(len(ips))], nil
 }
 
 func ResolveIPv6(ctx context.Context, host string) (netip.Addr, error) {
@@ -200,9 +200,9 @@ func ResolveIPWithResolver(ctx context.Context, host string, r Resolver) (netip.
 	}
 	ipv4s, ipv6s := SortationAddr(ips)
 	if len(ipv4s) > 0 {
-		return ipv4s[fastrand.Intn(len(ipv4s))], nil
+		return ipv4s[randv2.IntN(len(ipv4s))], nil
 	}
-	return ipv6s[fastrand.Intn(len(ipv6s))], nil
+	return ipv6s[randv2.IntN(len(ipv6s))], nil
 }
 
 // ResolveIP with a host, return ip and priority return TypeA

component/sniffer/dispatcher.go

@@ -116,14 +116,13 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata
 }
 
 func (sd *SnifferDispatcher) replaceDomain(metadata *C.Metadata, host string, overrideDest bool) {
-	// show log early, since the following code may mutate `metadata.Host`
-	log.Debugln("[Sniffer] Sniff %s [%s]-->[%s] success, replace domain [%s]-->[%s]",
-		metadata.NetWork,
-		metadata.SourceDetail(),
-		metadata.RemoteAddress(),
-		metadata.Host, host)
 	metadata.SniffHost = host
 	if overrideDest {
+		log.Debugln("[Sniffer] Sniff %s [%s]-->[%s] success, replace domain [%s]-->[%s]",
+			metadata.NetWork,
+			metadata.SourceDetail(),
+			metadata.RemoteAddress(),
+			metadata.Host, host)
 		metadata.Host = host
 	}
 	metadata.DNSMode = C.DNSNormal

component/tls/reality.go

@@ -16,17 +16,14 @@ import (
 	"errors"
 	"net"
 	"net/http"
-	"reflect"
 	"strings"
 	"time"
-	"unsafe"
 
-	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/log"
 	"github.com/metacubex/mihomo/ntp"
 
-	utls "github.com/sagernet/utls"
-	"github.com/zhangyunhao116/fastrand"
+	"github.com/metacubex/randv2"
+	utls "github.com/metacubex/utls"
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/hkdf"
 	"golang.org/x/net/http2"
@@ -39,9 +36,6 @@ type RealityConfig struct {
 	ShortID   [RealityMaxShortIDLen]byte
 }
 
-//go:linkname aesgcmPreferred crypto/tls.aesgcmPreferred
-func aesgcmPreferred(ciphers []uint16) bool
-
 func GetRealityConn(ctx context.Context, conn net.Conn, ClientFingerprint string, tlsConfig *tls.Config, realityConfig *RealityConfig) (net.Conn, error) {
 	retry := 0
 	for fingerprint, exists := GetFingerprint(ClientFingerprint); exists; retry++ {
@@ -102,7 +96,7 @@ func GetRealityConn(ctx context.Context, conn net.Conn, ClientFingerprint string
 			return nil, err
 		}
 		var aeadCipher cipher.AEAD
-		if aesgcmPreferred(hello.CipherSuites) {
+		if utls.AesgcmPreferred(hello.CipherSuites) {
 			aesBlock, _ := aes.NewCipher(authKey)
 			aeadCipher, _ = cipher.NewGCM(aesBlock)
 		} else {
@@ -139,15 +133,18 @@ func realityClientFallback(uConn net.Conn, serverName string, fingerprint utls.C
 			},
 		},
 	}
-	request, _ := http.NewRequest("GET", "https://"+serverName, nil)
+	request, err := http.NewRequest("GET", "https://"+serverName, nil)
+	if err != nil {
+		return
+	}
 	request.Header.Set("User-Agent", fingerprint.Client)
-	request.AddCookie(&http.Cookie{Name: "padding", Value: strings.Repeat("0", fastrand.Intn(32)+30)})
+	request.AddCookie(&http.Cookie{Name: "padding", Value: strings.Repeat("0", randv2.IntN(32)+30)})
 	response, err := client.Do(request)
 	if err != nil {
 		return
 	}
 	//_, _ = io.Copy(io.Discard, response.Body)
-	time.Sleep(time.Duration(5+fastrand.Int63n(10)) * time.Second)
+	time.Sleep(time.Duration(5+randv2.IntN(10)) * time.Second)
 	response.Body.Close()
 	client.CloseIdleConnections()
 }
@@ -159,11 +156,12 @@ type realityVerifier struct {
 	verified   bool
 }
 
-var pOffset = utils.MustOK(reflect.TypeOf((*utls.Conn)(nil)).Elem().FieldByName("peerCertificates")).Offset
+//var pOffset = utils.MustOK(reflect.TypeOf((*utls.Conn)(nil)).Elem().FieldByName("peerCertificates")).Offset
 
 func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 	//p, _ := reflect.TypeOf(c.Conn).Elem().FieldByName("peerCertificates")
-	certs := *(*[]*x509.Certificate)(unsafe.Add(unsafe.Pointer(c.Conn), pOffset))
+	//certs := *(*[]*x509.Certificate)(unsafe.Add(unsafe.Pointer(c.Conn), pOffset))
+	certs := c.Conn.PeerCertificates()
 	if pub, ok := certs[0].PublicKey.(ed25519.PublicKey); ok {
 		h := hmac.New(sha512.New, c.authKey)
 		h.Write(pub)

component/tls/utls.go

@@ -6,8 +6,8 @@ import (
 
 	"github.com/metacubex/mihomo/log"
 
+	utls "github.com/metacubex/utls"
 	"github.com/mroth/weightedrand/v2"
-	utls "github.com/sagernet/utls"
 )
 
 type UConn struct {

component/updater/update_core.go

@@ -16,7 +16,6 @@ import (
 	"time"
 
 	mihomoHttp "github.com/metacubex/mihomo/component/http"
-	"github.com/metacubex/mihomo/constant"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 
@@ -52,6 +51,10 @@ func init() {
 	if runtime.GOARCH == "amd64" && cpuid.CPU.X64Level() < 3 {
 		amd64Compatible = "-compatible"
 	}
+	if !strings.HasPrefix(C.Version, "alpha") {
+		baseURL = "https://github.com/MetaCubeX/mihomo/releases/latest/download/mihomo"
+		versionURL = "https://github.com/MetaCubeX/mihomo/releases/latest/download/version.txt"
+	}
 }
 
 type updateError struct {
@@ -64,7 +67,7 @@ func (e *updateError) Error() string {
 
 // Update performs the auto-updater.  It returns an error if the updater failed.
 // If firstRun is true, it assumes the configuration file doesn't exist.
-func Update(execPath string) (err error) {
+func UpdateCore(execPath string) (err error) {
 	mu.Lock()
 	defer mu.Unlock()
 
@@ -73,9 +76,9 @@ func Update(execPath string) (err error) {
 		return err
 	}
 
-	log.Infoln("current version %s, latest version %s", constant.Version, latestVersion)
+	log.Infoln("current version %s, latest version %s", C.Version, latestVersion)
 
-	if latestVersion == constant.Version {
+	if latestVersion == C.Version {
 		err := &updateError{Message: "already using latest version"}
 		return err
 	}

component/updater/update_geo.go

@@ -1,18 +1,27 @@
-package config
+package updater
 
 import (
+	"errors"
 	"fmt"
+	"os"
 	"runtime"
+	"time"
 
+	"github.com/metacubex/mihomo/common/atomic"
 	"github.com/metacubex/mihomo/component/geodata"
 	_ "github.com/metacubex/mihomo/component/geodata/standard"
 	"github.com/metacubex/mihomo/component/mmdb"
 	C "github.com/metacubex/mihomo/constant"
+	"github.com/metacubex/mihomo/log"
 
 	"github.com/oschwald/maxminddb-golang"
 )
 
-func UpdateGeoDatabases() error {
+var (
+	UpdatingGeo atomic.Bool
+)
+
+func updateGeoDatabases() error {
 	defer runtime.GC()
 	geoLoader, err := geodata.GetGeoDataLoader("standard")
 	if err != nil {
@@ -88,3 +97,80 @@ func UpdateGeoDatabases() error {
 
 	return nil
 }
+
+var ErrGetDatabaseUpdateSkip = errors.New("GEO database is updating, skip")
+
+func UpdateGeoDatabases() error {
+	log.Infoln("[GEO] Start updating GEO database")
+
+	if UpdatingGeo.Load() {
+		return ErrGetDatabaseUpdateSkip
+	}
+
+	UpdatingGeo.Store(true)
+	defer UpdatingGeo.Store(false)
+
+	log.Infoln("[GEO] Updating GEO database")
+
+	if err := updateGeoDatabases(); err != nil {
+		log.Errorln("[GEO] update GEO database error: %s", err.Error())
+		return err
+	}
+
+	return nil
+}
+
+func getUpdateTime() (err error, time time.Time) {
+	var fileInfo os.FileInfo
+	if C.GeodataMode {
+		fileInfo, err = os.Stat(C.Path.GeoIP())
+		if err != nil {
+			return err, time
+		}
+	} else {
+		fileInfo, err = os.Stat(C.Path.MMDB())
+		if err != nil {
+			return err, time
+		}
+	}
+
+	return nil, fileInfo.ModTime()
+}
+
+func RegisterGeoUpdater(onSuccess func()) {
+	if C.GeoUpdateInterval <= 0 {
+		log.Errorln("[GEO] Invalid update interval: %d", C.GeoUpdateInterval)
+		return
+	}
+
+	go func() {
+		ticker := time.NewTicker(time.Duration(C.GeoUpdateInterval) * time.Hour)
+		defer ticker.Stop()
+
+		err, lastUpdate := getUpdateTime()
+		if err != nil {
+			log.Errorln("[GEO] Get GEO database update time error: %s", err.Error())
+			return
+		}
+
+		log.Infoln("[GEO] last update time %s", lastUpdate)
+		if lastUpdate.Add(time.Duration(C.GeoUpdateInterval) * time.Hour).Before(time.Now()) {
+			log.Infoln("[GEO] Database has not been updated for %v, update now", time.Duration(C.GeoUpdateInterval)*time.Hour)
+			if err := UpdateGeoDatabases(); err != nil {
+				log.Errorln("[GEO] Failed to update GEO database: %s", err.Error())
+				return
+			} else {
+				onSuccess()
+			}
+		}
+
+		for range ticker.C {
+			log.Infoln("[GEO] updating database every %d hours", C.GeoUpdateInterval)
+			if err := UpdateGeoDatabases(); err != nil {
+				log.Errorln("[GEO] Failed to update GEO database: %s", err.Error())
+			} else {
+				onSuccess()
+			}
+		}
+	}()
+}

component/updater/update_ui.go

@@ -1,4 +1,4 @@
-package config
+package updater
 
 import (
 	"archive/zip"
@@ -29,7 +29,7 @@ func UpdateUI() error {
 	xdMutex.Lock()
 	defer xdMutex.Unlock()
 
-	err := prepare()
+	err := prepare_ui()
 	if err != nil {
 		return err
 	}
@@ -64,7 +64,7 @@ func UpdateUI() error {
 	return nil
 }
 
-func prepare() error {
+func prepare_ui() error {
 	if ExternalUIPath == "" || ExternalUIURL == "" {
 		return ErrIncompleteConf
 	}

component/updater/utils.go

@@ -1,12 +1,35 @@
 package updater
 
 import (
+	"context"
 	"fmt"
 	"io"
+	"net/http"
+	"os"
+	"time"
+
+	mihomoHttp "github.com/metacubex/mihomo/component/http"
+	C "github.com/metacubex/mihomo/constant"
 
 	"golang.org/x/exp/constraints"
 )
 
+func downloadForBytes(url string) ([]byte, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
+	defer cancel()
+	resp, err := mihomoHttp.HttpRequest(ctx, url, http.MethodGet, http.Header{"User-Agent": {C.UA}}, nil)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return io.ReadAll(resp.Body)
+}
+
+func saveFile(bytes []byte, path string) error {
+	return os.WriteFile(path, bytes, 0o644)
+}
+
 // LimitReachedError records the limit and the operation that caused it.
 type LimitReachedError struct {
 	Limit int64

config/config.go

@@ -28,6 +28,7 @@ import (
 	SNIFF "github.com/metacubex/mihomo/component/sniffer"
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	"github.com/metacubex/mihomo/component/trie"
+	"github.com/metacubex/mihomo/component/updater"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/features"
 	providerTypes "github.com/metacubex/mihomo/constant/provider"
@@ -114,6 +115,7 @@ type DNS struct {
 	PreferH3              bool             `yaml:"prefer-h3"`
 	IPv6                  bool             `yaml:"ipv6"`
 	IPv6Timeout           uint             `yaml:"ipv6-timeout"`
+	UseSystemHosts        bool             `yaml:"use-system-hosts"`
 	NameServer            []dns.NameServer `yaml:"nameserver"`
 	Fallback              []dns.NameServer `yaml:"fallback"`
 	FallbackFilter        FallbackFilter   `yaml:"fallback-filter"`
@@ -209,6 +211,8 @@ type RawDNS struct {
 	IPv6                  bool                                `yaml:"ipv6" json:"ipv6"`
 	IPv6Timeout           uint                                `yaml:"ipv6-timeout" json:"ipv6-timeout"`
 	UseHosts              bool                                `yaml:"use-hosts" json:"use-hosts"`
+	UseSystemHosts        bool                                `yaml:"use-system-hosts" json:"use-system-hosts"`
+	RespectRules          bool                                `yaml:"respect-rules" json:"respect-rules"`
 	NameServer            []string                            `yaml:"nameserver" json:"nameserver"`
 	Fallback              []string                            `yaml:"fallback" json:"fallback"`
 	FallbackFilter        RawFallbackFilter                   `yaml:"fallback-filter" json:"fallback-filter"`
@@ -242,31 +246,39 @@ type RawTun struct {
 	DNSHijack           []string   `yaml:"dns-hijack" json:"dns-hijack"`
 	AutoRoute           bool       `yaml:"auto-route" json:"auto-route"`
 	AutoDetectInterface bool       `yaml:"auto-detect-interface"`
-	RedirectToTun       []string   `yaml:"-" json:"-"`
 
 	MTU        uint32 `yaml:"mtu" json:"mtu,omitempty"`
 	GSO        bool   `yaml:"gso" json:"gso,omitempty"`
 	GSOMaxSize uint32 `yaml:"gso-max-size" json:"gso-max-size,omitempty"`
 	//Inet4Address           []netip.Prefix `yaml:"inet4-address" json:"inet4_address,omitempty"`
-	Inet6Address             []netip.Prefix `yaml:"inet6-address" json:"inet6_address,omitempty"`
-	StrictRoute              bool           `yaml:"strict-route" json:"strict_route,omitempty"`
+	Inet6Address           []netip.Prefix `yaml:"inet6-address" json:"inet6_address,omitempty"`
+	IPRoute2TableIndex     int            `yaml:"iproute2-table-index" json:"iproute2_table_index,omitempty"`
+	IPRoute2RuleIndex      int            `yaml:"iproute2-rule-index" json:"iproute2_rule_index,omitempty"`
+	AutoRedirect           bool           `yaml:"auto-redirect" json:"auto_redirect,omitempty"`
+	AutoRedirectInputMark  uint32         `yaml:"auto-redirect-input-mark" json:"auto_redirect_input_mark,omitempty"`
+	AutoRedirectOutputMark uint32         `yaml:"auto-redirect-output-mark" json:"auto_redirect_output_mark,omitempty"`
+	StrictRoute            bool           `yaml:"strict-route" json:"strict_route,omitempty"`
+	RouteAddress           []netip.Prefix `yaml:"route-address" json:"route_address,omitempty"`
+	RouteAddressSet        []string       `yaml:"route-address-set" json:"route_address_set,omitempty"`
+	RouteExcludeAddress    []netip.Prefix `yaml:"route-exclude-address" json:"route_exclude_address,omitempty"`
+	RouteExcludeAddressSet []string       `yaml:"route-exclude-address-set" json:"route_exclude_address_set,omitempty"`
+	IncludeInterface       []string       `yaml:"include-interface" json:"include-interface,omitempty"`
+	ExcludeInterface       []string       `yaml:"exclude-interface" json:"exclude-interface,omitempty"`
+	IncludeUID             []uint32       `yaml:"include-uid" json:"include_uid,omitempty"`
+	IncludeUIDRange        []string       `yaml:"include-uid-range" json:"include_uid_range,omitempty"`
+	ExcludeUID             []uint32       `yaml:"exclude-uid" json:"exclude_uid,omitempty"`
+	ExcludeUIDRange        []string       `yaml:"exclude-uid-range" json:"exclude_uid_range,omitempty"`
+	IncludeAndroidUser     []int          `yaml:"include-android-user" json:"include_android_user,omitempty"`
+	IncludePackage         []string       `yaml:"include-package" json:"include_package,omitempty"`
+	ExcludePackage         []string       `yaml:"exclude-package" json:"exclude_package,omitempty"`
+	EndpointIndependentNat bool           `yaml:"endpoint-independent-nat" json:"endpoint_independent_nat,omitempty"`
+	UDPTimeout             int64          `yaml:"udp-timeout" json:"udp_timeout,omitempty"`
+	FileDescriptor         int            `yaml:"file-descriptor" json:"file-descriptor"`
+
 	Inet4RouteAddress        []netip.Prefix `yaml:"inet4-route-address" json:"inet4_route_address,omitempty"`
 	Inet6RouteAddress        []netip.Prefix `yaml:"inet6-route-address" json:"inet6_route_address,omitempty"`
 	Inet4RouteExcludeAddress []netip.Prefix `yaml:"inet4-route-exclude-address" json:"inet4_route_exclude_address,omitempty"`
 	Inet6RouteExcludeAddress []netip.Prefix `yaml:"inet6-route-exclude-address" json:"inet6_route_exclude_address,omitempty"`
-	IncludeInterface         []string       `yaml:"include-interface" json:"include-interface,omitempty"`
-	ExcludeInterface         []string       `yaml:"exclude-interface" json:"exclude-interface,omitempty"`
-	IncludeUID               []uint32       `yaml:"include-uid" json:"include_uid,omitempty"`
-	IncludeUIDRange          []string       `yaml:"include-uid-range" json:"include_uid_range,omitempty"`
-	ExcludeUID               []uint32       `yaml:"exclude-uid" json:"exclude_uid,omitempty"`
-	ExcludeUIDRange          []string       `yaml:"exclude-uid-range" json:"exclude_uid_range,omitempty"`
-	IncludeAndroidUser       []int          `yaml:"include-android-user" json:"include_android_user,omitempty"`
-	IncludePackage           []string       `yaml:"include-package" json:"include_package,omitempty"`
-	ExcludePackage           []string       `yaml:"exclude-package" json:"exclude_package,omitempty"`
-	EndpointIndependentNat   bool           `yaml:"endpoint-independent-nat" json:"endpoint_independent_nat,omitempty"`
-	UDPTimeout               int64          `yaml:"udp-timeout" json:"udp_timeout,omitempty"`
-	FileDescriptor           int            `yaml:"file-descriptor" json:"file-descriptor"`
-	TableIndex               int            `yaml:"table-index" json:"table-index"`
 }
 
 type RawTuicServer struct {
@@ -456,12 +468,13 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			Interval:      30,
 		},
 		DNS: RawDNS{
-			Enable:       false,
-			IPv6:         false,
-			UseHosts:     true,
-			IPv6Timeout:  100,
-			EnhancedMode: C.DNSMapping,
-			FakeIPRange:  "198.18.0.1/16",
+			Enable:         false,
+			IPv6:           false,
+			UseHosts:       true,
+			UseSystemHosts: true,
+			IPv6Timeout:    100,
+			EnhancedMode:   C.DNSMapping,
+			FakeIPRange:    "198.18.0.1/16",
 			FallbackFilter: RawFallbackFilter{
 				GeoIP:     true,
 				GeoIPCode: "CN",
@@ -559,13 +572,13 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.RuleProviders = ruleProviders
 
-	subRules, err := parseSubRules(rawCfg, proxies)
+	subRules, err := parseSubRules(rawCfg, proxies, ruleProviders)
 	if err != nil {
 		return nil, err
 	}
 	config.SubRules = subRules
 
-	rules, err := parseRules(rawCfg.Rule, proxies, subRules, "rules")
+	rules, err := parseRules(rawCfg.Rule, proxies, ruleProviders, subRules, "rules")
 	if err != nil {
 		return nil, err
 	}
@@ -637,31 +650,30 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 		N.KeepAliveInterval = time.Duration(cfg.KeepAliveInterval) * time.Second
 	}
 
-	ExternalUIPath = cfg.ExternalUI
+	updater.ExternalUIPath = cfg.ExternalUI
 	// checkout externalUI exist
-	if ExternalUIPath != "" {
-		ExternalUIPath = C.Path.Resolve(ExternalUIPath)
-		if _, err := os.Stat(ExternalUIPath); os.IsNotExist(err) {
+	if updater.ExternalUIPath != "" {
+		updater.ExternalUIPath = C.Path.Resolve(updater.ExternalUIPath)
+		if _, err := os.Stat(updater.ExternalUIPath); os.IsNotExist(err) {
 			defaultUIpath := path.Join(C.Path.HomeDir(), "ui")
-			log.Warnln("external-ui: %s does not exist, creating folder in %s", ExternalUIPath, defaultUIpath)
+			log.Warnln("external-ui: %s does not exist, creating folder in %s", updater.ExternalUIPath, defaultUIpath)
 			if err := os.MkdirAll(defaultUIpath, os.ModePerm); err != nil {
 				return nil, err
 			}
-			ExternalUIPath = defaultUIpath
+			updater.ExternalUIPath = defaultUIpath
 			cfg.ExternalUI = defaultUIpath
 		}
 	}
 	// checkout UIpath/name exist
 	if cfg.ExternalUIName != "" {
-		ExternalUIName = cfg.ExternalUIName
+		updater.ExternalUIName = cfg.ExternalUIName
 	} else {
-		ExternalUIFolder = ExternalUIPath
+		updater.ExternalUIFolder = updater.ExternalUIPath
 	}
 	if cfg.ExternalUIURL != "" {
-		ExternalUIURL = cfg.ExternalUIURL
+		updater.ExternalUIURL = cfg.ExternalUIURL
 	}
 
-	cfg.Tun.RedirectToTun = cfg.EBpf.RedirectToTun
 	return &General{
 		Inbound: Inbound{
 			Port:              cfg.Port,
@@ -712,8 +724,11 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 	groupsConfig := cfg.ProxyGroup
 	providersConfig := cfg.ProxyProvider
 
-	var proxyList []string
-	var AllProxies []string
+	var (
+		proxyList  []string
+		AllProxies []string
+		hasGlobal  bool
+	)
 	proxiesList := list.New()
 	groupsList := list.New()
 
@@ -746,6 +761,9 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 		if !existName {
 			return nil, nil, fmt.Errorf("proxy group %d: missing name", idx)
 		}
+		if groupName == "GLOBAL" {
+			hasGlobal = true
+		}
 		proxyList = append(proxyList, groupName)
 		groupsList.PushBack(mapping)
 	}
@@ -797,13 +815,15 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 	pd, _ := provider.NewCompatibleProvider(provider.ReservedName, ps, hc)
 	providersMap[provider.ReservedName] = pd
 
-	global := outboundgroup.NewSelector(
-		&outboundgroup.GroupCommonOption{
-			Name: "GLOBAL",
-		},
-		[]providerTypes.ProxyProvider{pd},
-	)
-	proxies["GLOBAL"] = adapter.NewProxy(global)
+	if !hasGlobal {
+		global := outboundgroup.NewSelector(
+			&outboundgroup.GroupCommonOption{
+				Name: "GLOBAL",
+			},
+			[]providerTypes.ProxyProvider{pd},
+		)
+		proxies["GLOBAL"] = adapter.NewProxy(global)
+	}
 	ProxiesList = proxiesList
 	GroupsList = groupsList
 	if ParsingProxiesCallback != nil {
@@ -832,6 +852,7 @@ func parseListeners(cfg *RawConfig) (listeners map[string]C.InboundListener, err
 }
 
 func parseRuleProviders(cfg *RawConfig) (ruleProviders map[string]providerTypes.RuleProvider, err error) {
+	RP.SetTunnel(T.Tunnel)
 	ruleProviders = map[string]providerTypes.RuleProvider{}
 	// parse rule provider
 	for name, mapping := range cfg.RuleProvider {
@@ -841,12 +862,11 @@ func parseRuleProviders(cfg *RawConfig) (ruleProviders map[string]providerTypes.
 		}
 
 		ruleProviders[name] = rp
-		RP.SetRuleProvider(rp)
 	}
 	return
 }
 
-func parseSubRules(cfg *RawConfig, proxies map[string]C.Proxy) (subRules map[string][]C.Rule, err error) {
+func parseSubRules(cfg *RawConfig, proxies map[string]C.Proxy, ruleProviders map[string]providerTypes.RuleProvider) (subRules map[string][]C.Rule, err error) {
 	subRules = map[string][]C.Rule{}
 	for name := range cfg.SubRules {
 		subRules[name] = make([]C.Rule, 0)
@@ -856,7 +876,7 @@ func parseSubRules(cfg *RawConfig, proxies map[string]C.Proxy) (subRules map[str
 			return nil, fmt.Errorf("sub-rule name is empty")
 		}
 		var rules []C.Rule
-		rules, err = parseRules(rawRules, proxies, subRules, fmt.Sprintf("sub-rules[%s]", name))
+		rules, err = parseRules(rawRules, proxies, ruleProviders, subRules, fmt.Sprintf("sub-rules[%s]", name))
 		if err != nil {
 			return nil, err
 		}
@@ -909,7 +929,7 @@ func verifySubRuleCircularReferences(n string, subRules map[string][]C.Rule, arr
 	return nil
 }
 
-func parseRules(rulesConfig []string, proxies map[string]C.Proxy, subRules map[string][]C.Rule, format string) ([]C.Rule, error) {
+func parseRules(rulesConfig []string, proxies map[string]C.Proxy, ruleProviders map[string]providerTypes.RuleProvider, subRules map[string][]C.Rule, format string) ([]C.Rule, error) {
 	var rules []C.Rule
 
 	// parse rules
@@ -924,7 +944,7 @@ func parseRules(rulesConfig []string, proxies map[string]C.Proxy, subRules map[s
 
 		l := len(rule)
 
-		if ruleName == "NOT" || ruleName == "OR" || ruleName == "AND" || ruleName == "SUB-RULE" || ruleName == "DOMAIN-REGEX" {
+		if ruleName == "NOT" || ruleName == "OR" || ruleName == "AND" || ruleName == "SUB-RULE" || ruleName == "DOMAIN-REGEX" || ruleName == "PROCESS-NAME-REGEX" || ruleName == "PROCESS-PATH-REGEX" {
 			target = rule[l-1]
 			payload = strings.Join(rule[1:l-1], ",")
 		} else {
@@ -958,6 +978,12 @@ func parseRules(rulesConfig []string, proxies map[string]C.Proxy, subRules map[s
 			return nil, fmt.Errorf("%s[%d] [%s] error: %s", format, idx, line, parseErr.Error())
 		}
 
+		for _, name := range parsed.ProviderNames() {
+			if _, ok := ruleProviders[name]; !ok {
+				return nil, fmt.Errorf("%s[%d] [%s] error: rule set [%s] not found", format, idx, line, name)
+			}
+		}
+
 		rules = append(rules, parsed)
 	}
 
@@ -1027,10 +1053,20 @@ func hostWithDefaultPort(host string, defPort string) (string, error) {
 	return net.JoinHostPort(hostname, port), nil
 }
 
-func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error) {
+func parseNameServer(servers []string, respectRules bool, preferH3 bool) ([]dns.NameServer, error) {
 	var nameservers []dns.NameServer
 
 	for idx, server := range servers {
+		if strings.HasPrefix(server, "dhcp://") {
+			nameservers = append(
+				nameservers,
+				dns.NameServer{
+					Net:  "dhcp",
+					Addr: server[len("dhcp://"):],
+				},
+			)
+			continue
+		}
 		server = parsePureDNSServer(server)
 		u, err := url.Parse(server)
 		if err != nil {
@@ -1073,9 +1109,6 @@ func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error)
 					}
 				}
 			}
-		case "dhcp":
-			addr = u.Host
-			dnsNetType = "dhcp" // UDP from DHCP
 		case "quic":
 			addr, err = hostWithDefaultPort(u.Host, "853")
 			dnsNetType = "quic" // DNS over QUIC
@@ -1102,6 +1135,10 @@ func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error)
 			return nil, fmt.Errorf("DNS NameServer[%d] format error: %s", idx, err.Error())
 		}
 
+		if respectRules && len(proxyName) == 0 {
+			proxyName = dns.RespectRules
+		}
+
 		nameservers = append(
 			nameservers,
 			dns.NameServer{
@@ -1118,7 +1155,7 @@ func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error)
 
 func init() {
 	dns.ParseNameServer = func(servers []string) ([]dns.NameServer, error) { // using by wireguard
-		return parseNameServer(servers, false)
+		return parseNameServer(servers, false, false)
 	}
 }
 
@@ -1144,7 +1181,8 @@ func parsePureDNSServer(server string) string {
 		}
 	}
 }
-func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], ruleProviders map[string]providerTypes.RuleProvider, preferH3 bool) (*orderedmap.OrderedMap[string, []dns.NameServer], error) {
+
+func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], ruleProviders map[string]providerTypes.RuleProvider, respectRules bool, preferH3 bool) (*orderedmap.OrderedMap[string, []dns.NameServer], error) {
 	policy := orderedmap.New[string, []dns.NameServer]()
 	updatedPolicy := orderedmap.New[string, any]()
 	re := regexp.MustCompile(`[a-zA-Z0-9\-]+\.[a-zA-Z]{2,}(\.[a-zA-Z]{2,})?`)
@@ -1190,7 +1228,7 @@ func parseNameServerPolicy(nsPolicy *orderedmap.OrderedMap[string, any], rulePro
 		if err != nil {
 			return nil, err
 		}
-		nameservers, err := parseNameServer(servers, preferH3)
+		nameservers, err := parseNameServer(servers, respectRules, preferH3)
 		if err != nil {
 			return nil, err
 		}
@@ -1284,39 +1322,44 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul
 		return nil, fmt.Errorf("if DNS configuration is turned on, NameServer cannot be empty")
 	}
 
+	if cfg.RespectRules && len(cfg.ProxyServerNameserver) == 0 {
+		return nil, fmt.Errorf("if “respect-rules” is turned on, “proxy-server-nameserver” cannot be empty")
+	}
+
 	dnsCfg := &DNS{
-		Enable:       cfg.Enable,
-		Listen:       cfg.Listen,
-		PreferH3:     cfg.PreferH3,
-		IPv6Timeout:  cfg.IPv6Timeout,
-		IPv6:         cfg.IPv6,
-		EnhancedMode: cfg.EnhancedMode,
+		Enable:         cfg.Enable,
+		Listen:         cfg.Listen,
+		PreferH3:       cfg.PreferH3,
+		IPv6Timeout:    cfg.IPv6Timeout,
+		IPv6:           cfg.IPv6,
+		UseSystemHosts: cfg.UseSystemHosts,
+		EnhancedMode:   cfg.EnhancedMode,
 		FallbackFilter: FallbackFilter{
 			IPCIDR:  []netip.Prefix{},
 			GeoSite: []router.DomainMatcher{},
 		},
 	}
 	var err error
-	if dnsCfg.NameServer, err = parseNameServer(cfg.NameServer, cfg.PreferH3); err != nil {
+	if dnsCfg.NameServer, err = parseNameServer(cfg.NameServer, cfg.RespectRules, cfg.PreferH3); err != nil {
 		return nil, err
 	}
 
-	if dnsCfg.Fallback, err = parseNameServer(cfg.Fallback, cfg.PreferH3); err != nil {
+	if dnsCfg.Fallback, err = parseNameServer(cfg.Fallback, cfg.RespectRules, cfg.PreferH3); err != nil {
 		return nil, err
 	}
 
-	if dnsCfg.NameServerPolicy, err = parseNameServerPolicy(cfg.NameServerPolicy, ruleProviders, cfg.PreferH3); err != nil {
+	if dnsCfg.NameServerPolicy, err = parseNameServerPolicy(cfg.NameServerPolicy, ruleProviders, cfg.RespectRules, cfg.PreferH3); err != nil {
 		return nil, err
 	}
 
-	if dnsCfg.ProxyServerNameserver, err = parseNameServer(cfg.ProxyServerNameserver, cfg.PreferH3); err != nil {
+	if dnsCfg.ProxyServerNameserver, err = parseNameServer(cfg.ProxyServerNameserver, false, cfg.PreferH3); err != nil {
 		return nil, err
 	}
 
 	if len(cfg.DefaultNameserver) == 0 {
 		return nil, errors.New("default nameserver should have at least one nameserver")
 	}
-	if dnsCfg.DefaultNameserver, err = parseNameServer(cfg.DefaultNameserver, cfg.PreferH3); err != nil {
+	if dnsCfg.DefaultNameserver, err = parseNameServer(cfg.DefaultNameserver, false, cfg.PreferH3); err != nil {
 		return nil, err
 	}
 	// check default nameserver is pure ip addr
@@ -1433,31 +1476,39 @@ func parseTun(rawTun RawTun, general *General) error {
 		DNSHijack:           rawTun.DNSHijack,
 		AutoRoute:           rawTun.AutoRoute,
 		AutoDetectInterface: rawTun.AutoDetectInterface,
-		RedirectToTun:       rawTun.RedirectToTun,
 
-		MTU:                      rawTun.MTU,
-		GSO:                      rawTun.GSO,
-		GSOMaxSize:               rawTun.GSOMaxSize,
-		Inet4Address:             []netip.Prefix{tunAddressPrefix},
-		Inet6Address:             rawTun.Inet6Address,
-		StrictRoute:              rawTun.StrictRoute,
+		MTU:                    rawTun.MTU,
+		GSO:                    rawTun.GSO,
+		GSOMaxSize:             rawTun.GSOMaxSize,
+		Inet4Address:           []netip.Prefix{tunAddressPrefix},
+		Inet6Address:           rawTun.Inet6Address,
+		IPRoute2TableIndex:     rawTun.IPRoute2TableIndex,
+		IPRoute2RuleIndex:      rawTun.IPRoute2RuleIndex,
+		AutoRedirect:           rawTun.AutoRedirect,
+		AutoRedirectInputMark:  rawTun.AutoRedirectInputMark,
+		AutoRedirectOutputMark: rawTun.AutoRedirectOutputMark,
+		StrictRoute:            rawTun.StrictRoute,
+		RouteAddress:           rawTun.RouteAddress,
+		RouteAddressSet:        rawTun.RouteAddressSet,
+		RouteExcludeAddress:    rawTun.RouteExcludeAddress,
+		RouteExcludeAddressSet: rawTun.RouteExcludeAddressSet,
+		IncludeInterface:       rawTun.IncludeInterface,
+		ExcludeInterface:       rawTun.ExcludeInterface,
+		IncludeUID:             rawTun.IncludeUID,
+		IncludeUIDRange:        rawTun.IncludeUIDRange,
+		ExcludeUID:             rawTun.ExcludeUID,
+		ExcludeUIDRange:        rawTun.ExcludeUIDRange,
+		IncludeAndroidUser:     rawTun.IncludeAndroidUser,
+		IncludePackage:         rawTun.IncludePackage,
+		ExcludePackage:         rawTun.ExcludePackage,
+		EndpointIndependentNat: rawTun.EndpointIndependentNat,
+		UDPTimeout:             rawTun.UDPTimeout,
+		FileDescriptor:         rawTun.FileDescriptor,
+
 		Inet4RouteAddress:        rawTun.Inet4RouteAddress,
 		Inet6RouteAddress:        rawTun.Inet6RouteAddress,
 		Inet4RouteExcludeAddress: rawTun.Inet4RouteExcludeAddress,
 		Inet6RouteExcludeAddress: rawTun.Inet6RouteExcludeAddress,
-		IncludeInterface:         rawTun.IncludeInterface,
-		ExcludeInterface:         rawTun.ExcludeInterface,
-		IncludeUID:               rawTun.IncludeUID,
-		IncludeUIDRange:          rawTun.IncludeUIDRange,
-		ExcludeUID:               rawTun.ExcludeUID,
-		ExcludeUIDRange:          rawTun.ExcludeUIDRange,
-		IncludeAndroidUser:       rawTun.IncludeAndroidUser,
-		IncludePackage:           rawTun.IncludePackage,
-		ExcludePackage:           rawTun.ExcludePackage,
-		EndpointIndependentNat:   rawTun.EndpointIndependentNat,
-		UDPTimeout:               rawTun.UDPTimeout,
-		FileDescriptor:           rawTun.FileDescriptor,
-		TableIndex:               rawTun.TableIndex,
 	}
 
 	return nil

config/utils.go

@@ -1,38 +1,15 @@
 package config
 
 import (
-	"context"
 	"fmt"
-	"io"
 	"net"
-	"net/http"
 	"net/netip"
-	"os"
 	"strings"
-	"time"
 
 	"github.com/metacubex/mihomo/adapter/outboundgroup"
 	"github.com/metacubex/mihomo/common/structure"
-	mihomoHttp "github.com/metacubex/mihomo/component/http"
-	C "github.com/metacubex/mihomo/constant"
 )
 
-func downloadForBytes(url string) ([]byte, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
-	defer cancel()
-	resp, err := mihomoHttp.HttpRequest(ctx, url, http.MethodGet, http.Header{"User-Agent": {C.UA}}, nil)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	return io.ReadAll(resp.Body)
-}
-
-func saveFile(bytes []byte, path string) error {
-	return os.WriteFile(path, bytes, 0o644)
-}
-
 func trimArr(arr []string) (r []string) {
 	for _, e := range arr {
 		r = append(r, strings.Trim(e, " "))

constant/features/version.go

@@ -0,0 +1,5 @@
+package features
+
+var WindowsMajorVersion uint32
+var WindowsMinorVersion uint32
+var WindowsBuildNumber uint32

constant/features/version_windows.go

@@ -0,0 +1,10 @@
+package features
+
+import "golang.org/x/sys/windows"
+
+func init() {
+	version := windows.RtlGetVersion()
+	WindowsMajorVersion = version.MajorVersion
+	WindowsMinorVersion = version.MinorVersion
+	WindowsBuildNumber = version.BuildNumber
+}

constant/provider/interface.go

@@ -84,7 +84,7 @@ type RuleProvider interface {
 	Match(*constant.Metadata) bool
 	ShouldResolveIP() bool
 	ShouldFindProcess() bool
-	AsRule(adaptor string) constant.Rule
+	Strategy() any
 }
 
 // Rule Behavior
@@ -127,3 +127,9 @@ func (rf RuleFormat) String() string {
 		return "Unknown"
 	}
 }
+
+type Tunnel interface {
+	Providers() map[string]ProxyProvider
+	RuleProviders() map[string]RuleProvider
+	RuleUpdateCallback() *utils.Callback[RuleProvider]
+}

constant/rule.go

@@ -22,8 +22,10 @@ const (
 	InUser
 	InName
 	InType
-	Process
+	ProcessName
 	ProcessPath
+	ProcessNameRegex
+	ProcessPathRegex
 	RuleSet
 	Network
 	Uid
@@ -76,10 +78,14 @@ func (rt RuleType) String() string {
 		return "InName"
 	case InType:
 		return "InType"
-	case Process:
-		return "Process"
+	case ProcessName:
+		return "ProcessName"
 	case ProcessPath:
 		return "ProcessPath"
+	case ProcessNameRegex:
+		return "ProcessNameRegex"
+	case ProcessPathRegex:
+		return "ProcessPathRegex"
 	case MATCH:
 		return "Match"
 	case RuleSet:
@@ -110,4 +116,5 @@ type Rule interface {
 	Payload() string
 	ShouldResolveIP() bool
 	ShouldFindProcess() bool
+	ProviderNames() []string
 }

dns/client.go

@@ -5,28 +5,20 @@ import (
 	"crypto/tls"
 	"fmt"
 	"net"
-	"net/netip"
 	"strings"
 
 	"github.com/metacubex/mihomo/component/ca"
-	"github.com/metacubex/mihomo/component/dialer"
-	"github.com/metacubex/mihomo/component/resolver"
-	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 
 	D "github.com/miekg/dns"
-	"github.com/zhangyunhao116/fastrand"
 )
 
 type client struct {
 	*D.Client
-	r            *Resolver
-	port         string
-	host         string
-	iface        string
-	proxyAdapter C.ProxyAdapter
-	proxyName    string
-	addr         string
+	port   string
+	host   string
+	dialer *dnsDialer
+	addr   string
 }
 
 var _ dnsClient = (*client)(nil)
@@ -49,38 +41,13 @@ func (c *client) Address() string {
 }
 
 func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error) {
-	var (
-		ip  netip.Addr
-		err error
-	)
-	if c.r == nil {
-		// a default ip dns
-		if ip, err = netip.ParseAddr(c.host); err != nil {
-			return nil, fmt.Errorf("dns %s not a valid ip", c.host)
-		}
-	} else {
-		ips, err := resolver.LookupIPWithResolver(ctx, c.host, c.r)
-		if err != nil {
-			return nil, fmt.Errorf("use default dns resolve failed: %w", err)
-		} else if len(ips) == 0 {
-			return nil, fmt.Errorf("%w: %s", resolver.ErrIPNotFound, c.host)
-		}
-		ip = ips[fastrand.Intn(len(ips))]
-	}
-
 	network := "udp"
 	if strings.HasPrefix(c.Client.Net, "tcp") {
 		network = "tcp"
 	}
 
-	var options []dialer.Option
-	if c.iface != "" {
-		options = append(options, dialer.WithInterface(c.iface))
-	}
-
-	dialHandler := getDialHandler(c.r, c.proxyAdapter, c.proxyName, options...)
-	addr := net.JoinHostPort(ip.String(), c.port)
-	conn, err := dialHandler(ctx, network, addr)
+	addr := net.JoinHostPort(c.host, c.port)
+	conn, err := c.dialer.DialContext(ctx, network, addr)
 	if err != nil {
 		return nil, err
 	}
@@ -115,7 +82,7 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 			tcpClient.Net = "tcp"
 			network = "tcp"
 			log.Debugln("[DNS] Truncated reply from %s:%s for %s over UDP, retrying over TCP", c.host, c.port, m.Question[0].String())
-			dConn.Conn, err = dialHandler(ctx, network, addr)
+			dConn.Conn, err = c.dialer.DialContext(ctx, network, addr)
 			if err != nil {
 				ch <- result{msg, err}
 				return

dns/dialer.go

@@ -0,0 +1,11 @@
+package dns
+
+// export functions from tunnel module
+
+import "github.com/metacubex/mihomo/tunnel"
+
+const RespectRules = tunnel.DnsRespectRules
+
+type dnsDialer = tunnel.DNSDialer
+
+var newDNSDialer = tunnel.NewDNSDialer

dns/doh.go

@@ -62,10 +62,8 @@ type dnsOverHTTPS struct {
 	quicConfig      *quic.Config
 	quicConfigGuard sync.Mutex
 	url             *url.URL
-	r               *Resolver
 	httpVersions    []C.HTTPVersion
-	proxyAdapter    C.ProxyAdapter
-	proxyName       string
+	dialer          *dnsDialer
 	addr            string
 }
 
@@ -85,11 +83,9 @@ func newDoHClient(urlString string, r *Resolver, preferH3 bool, params map[strin
 	}
 
 	doh := &dnsOverHTTPS{
-		url:          u,
-		addr:         u.String(),
-		r:            r,
-		proxyAdapter: proxyAdapter,
-		proxyName:    proxyName,
+		url:    u,
+		addr:   u.String(),
+		dialer: newDNSDialer(r, proxyAdapter, proxyName),
 		quicConfig: &quic.Config{
 			KeepAlivePeriod: QUICKeepAlivePeriod,
 			TokenStore:      newQUICTokenStore(),
@@ -388,13 +384,12 @@ func (doh *dnsOverHTTPS) createTransport(ctx context.Context) (t http.RoundTripp
 		nextProtos = append(nextProtos, string(v))
 	}
 	tlsConfig.NextProtos = nextProtos
-	dialContext := getDialHandler(doh.r, doh.proxyAdapter, doh.proxyName)
 
 	if slices.Contains(doh.httpVersions, C.HTTPVersion3) {
 		// First, we attempt to create an HTTP3 transport.  If the probe QUIC
 		// connection is established successfully, we'll be using HTTP3 for this
 		// upstream.
-		transportH3, err := doh.createTransportH3(ctx, tlsConfig, dialContext)
+		transportH3, err := doh.createTransportH3(ctx, tlsConfig)
 		if err == nil {
 			log.Debugln("[%s] using HTTP/3 for this upstream: QUIC was faster", doh.url.String())
 			return transportH3, nil
@@ -410,7 +405,7 @@ func (doh *dnsOverHTTPS) createTransport(ctx context.Context) (t http.RoundTripp
 	transport := &http.Transport{
 		TLSClientConfig:    tlsConfig,
 		DisableCompression: true,
-		DialContext:        dialContext,
+		DialContext:        doh.dialer.DialContext,
 		IdleConnTimeout:    transportDefaultIdleConnTimeout,
 		MaxConnsPerHost:    dohMaxConnsPerHost,
 		MaxIdleConns:       dohMaxIdleConns,
@@ -490,13 +485,12 @@ func (h *http3Transport) Close() (err error) {
 func (doh *dnsOverHTTPS) createTransportH3(
 	ctx context.Context,
 	tlsConfig *tls.Config,
-	dialContext dialHandler,
 ) (roundTripper http.RoundTripper, err error) {
 	if !doh.supportsH3() {
 		return nil, errors.New("HTTP3 support is not enabled")
 	}
 
-	addr, err := doh.probeH3(ctx, tlsConfig, dialContext)
+	addr, err := doh.probeH3(ctx, tlsConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -515,7 +509,7 @@ func (doh *dnsOverHTTPS) createTransportH3(
 		},
 		DisableCompression: true,
 		TLSClientConfig:    tlsConfig,
-		QuicConfig:         doh.getQUICConfig(),
+		QUICConfig:         doh.getQUICConfig(),
 	}
 
 	return &http3Transport{baseTransport: rt}, nil
@@ -534,7 +528,7 @@ func (doh *dnsOverHTTPS) dialQuic(ctx context.Context, addr string, tlsCfg *tls.
 		IP:   net.ParseIP(ip),
 		Port: portInt,
 	}
-	conn, err := listenPacket(ctx, doh.proxyAdapter, doh.proxyName, "udp", addr, doh.r)
+	conn, err := doh.dialer.ListenPacket(ctx, "udp", addr)
 	if err != nil {
 		return nil, err
 	}
@@ -557,12 +551,11 @@ func (doh *dnsOverHTTPS) dialQuic(ctx context.Context, addr string, tlsCfg *tls.
 func (doh *dnsOverHTTPS) probeH3(
 	ctx context.Context,
 	tlsConfig *tls.Config,
-	dialContext dialHandler,
 ) (addr string, err error) {
 	// We're using bootstrapped address instead of what's passed to the function
 	// it does not create an actual connection, but it helps us determine
 	// what IP is actually reachable (when there are v4/v6 addresses).
-	rawConn, err := dialContext(ctx, "udp", doh.url.Host)
+	rawConn, err := doh.dialer.DialContext(ctx, "udp", doh.url.Host)
 	if err != nil {
 		return "", fmt.Errorf("failed to dial: %w", err)
 	}
@@ -592,7 +585,7 @@ func (doh *dnsOverHTTPS) probeH3(
 	chQuic := make(chan error, 1)
 	chTLS := make(chan error, 1)
 	go doh.probeQUIC(ctx, addr, probeTLSCfg, chQuic)
-	go doh.probeTLS(ctx, dialContext, probeTLSCfg, chTLS)
+	go doh.probeTLS(ctx, probeTLSCfg, chTLS)
 
 	select {
 	case quicErr := <-chQuic:
@@ -635,10 +628,10 @@ func (doh *dnsOverHTTPS) probeQUIC(ctx context.Context, addr string, tlsConfig *
 
 // probeTLS attempts to establish a TLS connection to the specified address. We
 // run probeQUIC and probeTLS in parallel and see which one is faster.
-func (doh *dnsOverHTTPS) probeTLS(ctx context.Context, dialContext dialHandler, tlsConfig *tls.Config, ch chan error) {
+func (doh *dnsOverHTTPS) probeTLS(ctx context.Context, tlsConfig *tls.Config, ch chan error) {
 	startTime := time.Now()
 
-	conn, err := doh.tlsDial(ctx, dialContext, "tcp", tlsConfig)
+	conn, err := doh.tlsDial(ctx, "tcp", tlsConfig)
 	if err != nil {
 		ch <- fmt.Errorf("opening TLS connection: %w", err)
 		return
@@ -694,10 +687,10 @@ func isHTTP3(client *http.Client) (ok bool) {
 
 // tlsDial is basically the same as tls.DialWithDialer, but we will call our own
 // dialContext function to get connection.
-func (doh *dnsOverHTTPS) tlsDial(ctx context.Context, dialContext dialHandler, network string, config *tls.Config) (*tls.Conn, error) {
+func (doh *dnsOverHTTPS) tlsDial(ctx context.Context, network string, config *tls.Config) (*tls.Conn, error) {
 	// We're using bootstrapped address instead of what's passed
 	// to the function.
-	rawConn, err := dialContext(ctx, network, doh.url.Host)
+	rawConn, err := doh.dialer.DialContext(ctx, network, doh.url.Host)
 	if err != nil {
 		return nil, err
 	}

dns/doq.go

@@ -60,10 +60,8 @@ type dnsOverQUIC struct {
 	bytesPool      *sync.Pool
 	bytesPoolGuard sync.Mutex
 
-	addr         string
-	proxyAdapter C.ProxyAdapter
-	proxyName    string
-	r            *Resolver
+	addr   string
+	dialer *dnsDialer
 }
 
 // type check
@@ -72,10 +70,8 @@ var _ dnsClient = (*dnsOverQUIC)(nil)
 // newDoQ returns the DNS-over-QUIC Upstream.
 func newDoQ(resolver *Resolver, addr string, proxyAdapter C.ProxyAdapter, proxyName string) (dnsClient, error) {
 	doq := &dnsOverQUIC{
-		addr:         addr,
-		proxyAdapter: proxyAdapter,
-		proxyName:    proxyName,
-		r:            resolver,
+		addr:   addr,
+		dialer: newDNSDialer(resolver, proxyAdapter, proxyName),
 		quicConfig: &quic.Config{
 			KeepAlivePeriod: QUICKeepAlivePeriod,
 			TokenStore:      newQUICTokenStore(),
@@ -300,7 +296,7 @@ func (doq *dnsOverQUIC) openConnection(ctx context.Context) (conn quic.Connectio
 	// we're using bootstrapped address instead of what's passed to the function
 	// it does not create an actual connection, but it helps us determine
 	// what IP is actually reachable (when there're v4/v6 addresses).
-	rawConn, err := getDialHandler(doq.r, doq.proxyAdapter, doq.proxyName)(ctx, "udp", doq.addr)
+	rawConn, err := doq.dialer.DialContext(ctx, "udp", doq.addr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to open a QUIC connection: %w", err)
 	}
@@ -315,7 +311,7 @@ func (doq *dnsOverQUIC) openConnection(ctx context.Context) (conn quic.Connectio
 
 	p, err := strconv.Atoi(port)
 	udpAddr := net.UDPAddr{IP: net.ParseIP(ip), Port: p}
-	udp, err := listenPacket(ctx, doq.proxyAdapter, doq.proxyName, "udp", addr, doq.r)
+	udp, err := doq.dialer.ListenPacket(ctx, "udp", addr)
 	if err != nil {
 		return nil, err
 	}

dns/policy.go

@@ -37,14 +37,17 @@ func (p geositePolicy) Match(domain string) []dnsClient {
 }
 
 type domainSetPolicy struct {
-	domainSetProvider provider.RuleProvider
-	dnsClients        []dnsClient
+	tunnel     provider.Tunnel
+	name       string
+	dnsClients []dnsClient
 }
 
 func (p domainSetPolicy) Match(domain string) []dnsClient {
-	metadata := &C.Metadata{Host: domain}
-	if ok := p.domainSetProvider.Match(metadata); ok {
-		return p.dnsClients
+	if ruleProvider, ok := p.tunnel.RuleProviders()[p.name]; ok {
+		metadata := &C.Metadata{Host: domain}
+		if ok := ruleProvider.Match(metadata); ok {
+			return p.dnsClients
+		}
 	}
 	return nil
 }

dns/resolver.go

@@ -414,7 +414,7 @@ type Config struct {
 	Pool           *fakeip.Pool
 	Hosts          *trie.DomainTrie[resolver.HostValue]
 	Policy         *orderedmap.OrderedMap[string, []NameServer]
-	RuleProviders  map[string]provider.RuleProvider
+	Tunnel         provider.Tunnel
 	CacheAlgorithm string
 }
 
@@ -502,11 +502,12 @@ func NewResolver(config Config) *Resolver {
 				key := temp[1]
 				switch prefix {
 				case "rule-set":
-					if p, ok := config.RuleProviders[key]; ok {
+					if _, ok := config.Tunnel.RuleProviders()[key]; ok {
 						log.Debugln("Adding rule-set policy: %s ", key)
 						insertPolicy(domainSetPolicy{
-							domainSetProvider: p,
-							dnsClients:        cacheTransform(nameserver),
+							tunnel:     config.Tunnel,
+							name:       key,
+							dnsClients: cacheTransform(nameserver),
 						})
 						continue
 					} else {

dns/util.go

@@ -7,18 +7,14 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"strconv"
 	"strings"
 	"time"
 
-	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/nnip"
 	"github.com/metacubex/mihomo/common/picker"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/resolver"
-	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
-	"github.com/metacubex/mihomo/tunnel"
 
 	D "github.com/miekg/dns"
 	"github.com/samber/lo"
@@ -120,6 +116,11 @@ func transform(servers []NameServer, resolver *Resolver) []dnsClient {
 			continue
 		}
 
+		var options []dialer.Option
+		if s.Interface != "" {
+			options = append(options, dialer.WithInterface(s.Interface))
+		}
+
 		host, port, _ := net.SplitHostPort(s.Addr)
 		ret = append(ret, &client{
 			Client: &D.Client{
@@ -130,12 +131,9 @@ func transform(servers []NameServer, resolver *Resolver) []dnsClient {
 				UDPSize: 4096,
 				Timeout: 5 * time.Second,
 			},
-			port:         port,
-			host:         host,
-			iface:        s.Interface,
-			r:            resolver,
-			proxyAdapter: s.ProxyAdapter,
-			proxyName:    s.ProxyName,
+			port:   port,
+			host:   host,
+			dialer: newDNSDialer(resolver, s.ProxyAdapter, s.ProxyName, options...),
 		})
 	}
 	return ret
@@ -175,120 +173,6 @@ func msgToDomain(msg *D.Msg) string {
 	return ""
 }
 
-type dialHandler func(ctx context.Context, network, addr string) (net.Conn, error)
-
-func getDialHandler(r *Resolver, proxyAdapter C.ProxyAdapter, proxyName string, opts ...dialer.Option) dialHandler {
-	return func(ctx context.Context, network, addr string) (net.Conn, error) {
-		if len(proxyName) == 0 && proxyAdapter == nil {
-			opts = append(opts, dialer.WithResolver(r))
-			return dialer.DialContext(ctx, network, addr, opts...)
-		} else {
-			host, port, err := net.SplitHostPort(addr)
-			if err != nil {
-				return nil, err
-			}
-			uintPort, err := strconv.ParseUint(port, 10, 16)
-			if err != nil {
-				return nil, err
-			}
-			if proxyAdapter == nil {
-				var ok bool
-				proxyAdapter, ok = tunnel.Proxies()[proxyName]
-				if !ok {
-					opts = append(opts, dialer.WithInterface(proxyName))
-				}
-			}
-
-			if strings.Contains(network, "tcp") {
-				// tcp can resolve host by remote
-				metadata := &C.Metadata{
-					NetWork: C.TCP,
-					Host:    host,
-					DstPort: uint16(uintPort),
-				}
-				if proxyAdapter != nil {
-					if proxyAdapter.IsL3Protocol(metadata) { // L3 proxy should resolve domain before to avoid loopback
-						dstIP, err := resolver.ResolveIPWithResolver(ctx, host, r)
-						if err != nil {
-							return nil, err
-						}
-						metadata.Host = ""
-						metadata.DstIP = dstIP
-					}
-					return proxyAdapter.DialContext(ctx, metadata, opts...)
-				}
-				opts = append(opts, dialer.WithResolver(r))
-				return dialer.DialContext(ctx, network, addr, opts...)
-			} else {
-				// udp must resolve host first
-				dstIP, err := resolver.ResolveIPWithResolver(ctx, host, r)
-				if err != nil {
-					return nil, err
-				}
-				metadata := &C.Metadata{
-					NetWork: C.UDP,
-					Host:    "",
-					DstIP:   dstIP,
-					DstPort: uint16(uintPort),
-				}
-				if proxyAdapter == nil {
-					return dialer.DialContext(ctx, network, addr, opts...)
-				}
-
-				if !proxyAdapter.SupportUDP() {
-					return nil, fmt.Errorf("proxy adapter [%s] UDP is not supported", proxyAdapter)
-				}
-
-				packetConn, err := proxyAdapter.ListenPacketContext(ctx, metadata, opts...)
-				if err != nil {
-					return nil, err
-				}
-
-				return N.NewBindPacketConn(packetConn, metadata.UDPAddr()), nil
-			}
-		}
-	}
-}
-
-func listenPacket(ctx context.Context, proxyAdapter C.ProxyAdapter, proxyName string, network string, addr string, r *Resolver, opts ...dialer.Option) (net.PacketConn, error) {
-	host, port, err := net.SplitHostPort(addr)
-	if err != nil {
-		return nil, err
-	}
-	uintPort, err := strconv.ParseUint(port, 10, 16)
-	if err != nil {
-		return nil, err
-	}
-	if proxyAdapter == nil {
-		var ok bool
-		proxyAdapter, ok = tunnel.Proxies()[proxyName]
-		if !ok {
-			opts = append(opts, dialer.WithInterface(proxyName))
-		}
-	}
-
-	// udp must resolve host first
-	dstIP, err := resolver.ResolveIPWithResolver(ctx, host, r)
-	if err != nil {
-		return nil, err
-	}
-	metadata := &C.Metadata{
-		NetWork: C.UDP,
-		Host:    "",
-		DstIP:   dstIP,
-		DstPort: uint16(uintPort),
-	}
-	if proxyAdapter == nil {
-		return dialer.NewDialer(opts...).ListenPacket(ctx, network, "", netip.AddrPortFrom(metadata.DstIP, metadata.DstPort))
-	}
-
-	if !proxyAdapter.SupportUDP() {
-		return nil, fmt.Errorf("proxy adapter [%s] UDP is not supported", proxyAdapter)
-	}
-
-	return proxyAdapter.ListenPacketContext(ctx, metadata, opts...)
-}
-
 func batchExchange(ctx context.Context, clients []dnsClient, m *D.Msg) (msg *D.Msg, cache bool, err error) {
 	cache = true
 	fast, ctx := picker.WithTimeout[*D.Msg](ctx, resolver.DefaultDNSTimeout)

docs/config.yaml

@@ -116,13 +116,25 @@ tun:
   # mtu: 9000 # 最大传输单元
   # gso: false # 启用通用分段卸载，仅支持 Linux
   # gso-max-size: 65536 # 通用分段卸载包的最大大小
+  auto-redirect: false # 自动配置 iptables 以重定向 TCP 连接。仅支持 Linux。带有 auto-redirect 的 auto-route 现在可以在路由器上按预期工作，无需干预。
   # strict-route: true # 将所有连接路由到 tun 来防止泄漏，但你的设备将无法其他设备被访问
-  inet4-route-address: # 启用 auto-route 时使用自定义路由而不是默认路由
+  route-address-set: # 将指定规则集中的目标 IP CIDR 规则添加到防火墙, 不匹配的流量将绕过路由, 仅支持 Linux，且需要 nftables，`auto-route` 和 `auto-redirect` 已启用。
+    - ruleset-1
+    - ruleset-2
+  route-exclude-address-set: # 将指定规则集中的目标 IP CIDR 规则添加到防火墙, 匹配的流量将绕过路由, 仅支持 Linux，且需要 nftables，`auto-route` 和 `auto-redirect` 已启用。
+    - ruleset-3
+    - ruleset-4
+  route-address: # 启用 auto-route 时使用自定义路由而不是默认路由
     - 0.0.0.0/1
     - 128.0.0.0/1
-  inet6-route-address: # 启用 auto-route 时使用自定义路由而不是默认路由
     - "::/1"
     - "8000::/1"
+  # inet4-route-address: # 启用 auto-route 时使用自定义路由而不是默认路由（旧写法）
+  #   - 0.0.0.0/1
+  #   - 128.0.0.0/1
+  # inet6-route-address: # 启用 auto-route 时使用自定义路由而不是默认路由（旧写法）
+  #   - "::/1"
+  #   - "8000::/1"
   # endpoint-independent-nat: false # 启用独立于端点的 NAT
   # include-interface: # 限制被路由的接口。默认不限制，与 `exclude-interface` 冲突
   #   - "lan0"
@@ -209,7 +221,7 @@ tunnels: # one line config
 dns:
   cache-algorithm: arc
   enable: false # 关闭将使用系统 DNS
-  prefer-h3: true # 开启 DoH 支持 HTTP/3，将并发尝试
+  prefer-h3: false # 是否开启 DoH 支持 HTTP/3，将并发尝试
   listen: 0.0.0.0:53 # 开启 DNS 服务器监听
   # ipv6: false # false 将返回 AAAA 的空结果
   # ipv6-timeout: 300 # 单位：ms，内部双栈并发时，向上游查询 AAAA 时，等待 AAAA 的时间，默认 100ms
@@ -227,6 +239,13 @@ dns:
 
   # use-hosts: true # 查询 hosts
 
+  # 配置后面的nameserver、fallback和nameserver-policy向dns服务器的连接过程是否遵守遵守rules规则
+  # 如果为false（默认值）则这三部分的dns服务器在未特别指定的情况下会直连
+  # 如果为true，将会按照rules的规则匹配链接方式（走代理或直连），如果有特别指定则任然以指定值为准
+  # 仅当proxy-server-nameserver非空时可以开启此选项, 强烈不建议和prefer-h3一起使用
+  # 此外，这三者配置中的dns服务器如果出现域名会采用default-nameserver配置项解析，也请确保正确配置default-nameserver
+  respect-rules: false
+
   # 配置不使用 fake-ip 的域名
   # fake-ip-filter:
   #   - '*.lan'
@@ -244,6 +263,7 @@ dns:
     - https://mozilla.cloudflare-dns.com/dns-query#DNS&h3=true # 指定策略组和使用 HTTP/3
     - dhcp://en0 # dns from dhcp
     - quic://dns.adguard.com:784 # DNS over QUIC
+    # - '8.8.8.8#RULES' # 效果同respect-rules，但仅对该服务器生效
     # - '8.8.8.8#en0' # 兼容指定 DNS 出口网卡
 
   # 当配置 fallback 时，会查询 nameserver 中返回的 IP 是否为 CN，非必要配置
@@ -611,6 +631,10 @@ proxies: # socks5
     #   - h2
     #   - http/1.1
     # skip-cert-verify: true
+    # ss-opts: # like trojan-go's `shadowsocks` config
+    #   enabled: false
+    #   method: aes-128-gcm # aes-128-gcm/aes-256-gcm/chacha20-ietf-poly1305
+    #   password: "example"
 
   - name: trojan-grpc
     server: server
@@ -716,6 +740,7 @@ proxies: # socks5
     # dialer-proxy: "ss1"
     # remote-dns-resolve: true # 强制 dns 远程解析，默认值为 false
     # dns: [ 1.1.1.1, 8.8.8.8 ] # 仅在 remote-dns-resolve 为 true 时生效
+    # refresh-server-ip-interval: 60 # 重新解析server ip的间隔，单位为秒，默认值为0即仅第一次链接时解析server域名，仅应在server域名对应的IP会发生变化时启用该选项（如家宽ddns）
     # 如果 peers 不为空，该段落中的 allowed-ips 不可为空；前面段落的 server,port,public-key,pre-shared-key 均会被忽略，但 private-key 会被保留且只能在顶层指定
     # peers:
     #   - server: 162.159.192.1

go.mod

@@ -9,52 +9,52 @@ require (
 	github.com/cilium/ebpf v0.12.3
 	github.com/coreos/go-iptables v0.7.0
 	github.com/dlclark/regexp2 v1.11.0
-	github.com/go-chi/chi/v5 v5.0.12
+	github.com/go-chi/chi/v5 v5.0.14
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
-	github.com/gobwas/ws v1.3.2
-	github.com/gofrs/uuid/v5 v5.1.0
-	github.com/insomniacslk/dhcp v0.0.0-20240419123447-f1cffa2c0c49
-	github.com/klauspost/cpuid/v2 v2.2.7
+	github.com/gobwas/ws v1.4.0
+	github.com/gofrs/uuid/v5 v5.2.0
+	github.com/insomniacslk/dhcp v0.0.0-20240529192340-51bc6136a0a6
+	github.com/klauspost/cpuid/v2 v2.2.8
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
 	github.com/mdlayher/netlink v1.7.2
 	github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759
-	github.com/metacubex/quic-go v0.42.1-0.20240418003344-f006b5735d98
-	github.com/metacubex/sing-quic v0.0.0-20240418004036-814c531c378d
+	github.com/metacubex/quic-go v0.45.1-0.20240610004319-163fee60637e
+	github.com/metacubex/randv2 v0.2.0
+	github.com/metacubex/sing-quic v0.0.0-20240518034124-7696d3f7da72
 	github.com/metacubex/sing-shadowsocks v0.2.6
 	github.com/metacubex/sing-shadowsocks2 v0.2.0
-	github.com/metacubex/sing-tun v0.2.6
+	github.com/metacubex/sing-tun v0.2.7-0.20240627012306-9d1f5fc0b45e
 	github.com/metacubex/sing-vmess v0.1.9-0.20231207122118-72303677451f
-	github.com/metacubex/sing-wireguard v0.0.0-20240321042214-224f96122a63
+	github.com/metacubex/sing-wireguard v0.0.0-20240618022557-a6efaa37127a
 	github.com/metacubex/tfo-go v0.0.0-20240228025757-be1269474a66
-	github.com/miekg/dns v1.1.59
+	github.com/metacubex/utls v1.6.6
+	github.com/miekg/dns v1.1.61
 	github.com/mroth/weightedrand/v2 v2.1.0
 	github.com/openacid/low v0.1.21
 	github.com/oschwald/maxminddb-golang v1.12.0
-	github.com/puzpuzpuz/xsync/v3 v3.1.0
+	github.com/puzpuzpuz/xsync/v3 v3.2.0
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
-	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97
-	github.com/sagernet/sing v0.3.8
+	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a
+	github.com/sagernet/sing v0.5.0-alpha.10
 	github.com/sagernet/sing-mux v0.2.1-0.20240124034317-9bfb33698bb6
 	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/utls v1.5.4
 	github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e
 	github.com/samber/lo v1.39.0
-	github.com/shirou/gopsutil/v3 v3.24.3
+	github.com/shirou/gopsutil/v3 v3.24.5
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.9.0
 	github.com/wk8/go-ordered-map/v2 v2.1.8
-	github.com/zhangyunhao116/fastrand v0.4.0
 	go.uber.org/automaxprocs v1.5.3
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.22.0
-	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f
-	golang.org/x/net v0.24.0
+	golang.org/x/crypto v0.24.0
+	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8
+	golang.org/x/net v0.26.0
 	golang.org/x/sync v0.7.0
-	golang.org/x/sys v0.19.0
-	google.golang.org/protobuf v1.33.0
+	golang.org/x/sys v0.21.0
+	google.golang.org/protobuf v1.34.2
 	gopkg.in/yaml.v3 v3.0.1
-	lukechampine.com/blake3 v1.2.2
+	lukechampine.com/blake3 v1.3.0
 )
 
 require (
@@ -63,7 +63,7 @@ require (
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.6 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
-	github.com/cloudflare/circl v1.3.6 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/ericlagergren/aegis v0.0.0-20230312195928-b4ce538b56f9 // indirect
 	github.com/ericlagergren/polyval v0.0.0-20220411101811-e25bc10ba391 // indirect
@@ -92,6 +92,7 @@ require (
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
+	github.com/sagernet/nftables v0.3.0-beta.4 // indirect
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/sina-ghaderi/poly1305 v0.0.0-20220724002748-c5926b03988b // indirect
@@ -100,14 +101,14 @@ require (
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
-	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
+	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec // indirect
 	go.uber.org/mock v0.4.0 // indirect
-	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.20.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
 )
 
-replace github.com/sagernet/sing => github.com/metacubex/sing v0.0.0-20240408015159-aa61c96df764
+replace github.com/sagernet/sing => github.com/metacubex/sing v0.0.0-20240617013425-3e3bd9dab6a2

go.sum

@@ -21,8 +21,8 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4=
 github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM=
-github.com/cloudflare/circl v1.3.6 h1:/xbKIqSHbZXHwkhbrhrt2YOHIwYJlXH94E3tI/gDlUg=
-github.com/cloudflare/circl v1.3.6/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
+github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
 github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -44,8 +44,8 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/gaukas/godicttls v0.0.4 h1:NlRaXb3J6hAnTmWdsEKb9bcSBD6BvcIjdGdeb0zfXbk=
 github.com/gaukas/godicttls v0.0.4/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI=
-github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s=
-github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.0.14 h1:PyEwo2Vudraa0x/Wl6eDRRW2NXBvekgfxyydcM0WGE0=
+github.com/go-chi/chi/v5 v5.0.14/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
@@ -60,16 +60,15 @@ github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/gobwas/ws v1.3.2 h1:zlnbNHxumkRvfPWgfXu8RBwyNR1x8wh9cf5PTOCqs9Q=
-github.com/gobwas/ws v1.3.2/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
-github.com/gofrs/uuid/v5 v5.1.0 h1:S5rqVKIigghZTCBKPCw0Y+bXkn26K3TB5mvQq2Ix8dk=
-github.com/gofrs/uuid/v5 v5.1.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/gobwas/ws v1.4.0 h1:CTaoG1tojrh4ucGPcoJFiAQUAsEWekEWvLy7GsVNqGs=
+github.com/gobwas/ws v1.4.0/go.mod h1:G3gNqMNtPppf5XUz7O4shetPpcZ1VJ7zt18dlUeakrc=
+github.com/gofrs/uuid/v5 v5.2.0 h1:qw1GMx6/y8vhVsx626ImfKMuS5CvJmhIKKtuyvfajMM=
+github.com/gofrs/uuid/v5 v5.2.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE=
@@ -78,18 +77,16 @@ github.com/google/tink/go v1.6.1 h1:t7JHqO8Ath2w2ig5vjwQYJzhGEZymedQc90lQXUBa4I=
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/insomniacslk/dhcp v0.0.0-20240227161007-c728f5dd21c8 h1:V3plQrMHRWOB5zMm3yNqvBxDQVW1+/wHBSok5uPdmVs=
-github.com/insomniacslk/dhcp v0.0.0-20240227161007-c728f5dd21c8/go.mod h1:izxuNQZeFrbx2nK2fAyN5iNUB34Fe9j0nK4PwLzAkKw=
-github.com/insomniacslk/dhcp v0.0.0-20240419123447-f1cffa2c0c49 h1:/OuvSMGT9+xnyZ+7MZQ1zdngaCCAdPoSw8B/uurZ7pg=
-github.com/insomniacslk/dhcp v0.0.0-20240419123447-f1cffa2c0c49/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic=
+github.com/insomniacslk/dhcp v0.0.0-20240529192340-51bc6136a0a6 h1:dh8D8FksyMhD64mRMbUhZHWYJfNoNMCxfVq6eexleMw=
+github.com/insomniacslk/dhcp v0.0.0-20240529192340-51bc6136a0a6/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
 github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
-github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
-github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM=
+github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4=
@@ -106,26 +103,30 @@ github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 h1:cjd4biTvO
 github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759/go.mod h1:UHOv2xu+RIgLwpXca7TLrXleEd4oR3sPatW6IF8wU88=
 github.com/metacubex/gvisor v0.0.0-20240320004321-933faba989ec h1:HxreOiFTUrJXJautEo8rnE1uKTVGY8wtZepY1Tii/Nc=
 github.com/metacubex/gvisor v0.0.0-20240320004321-933faba989ec/go.mod h1:8BVmQ+3cxjqzWElafm24rb2Ae4jRI6vAXNXWqWjfrXw=
-github.com/metacubex/quic-go v0.42.1-0.20240418003344-f006b5735d98 h1:oMLlJV4a9AylNo8ZLBNUiqZ02Vme6GLLHjuWJz8amSk=
-github.com/metacubex/quic-go v0.42.1-0.20240418003344-f006b5735d98/go.mod h1:iGx3Y1zynls/FjFgykLSqDcM81U0IKePRTXEz5g3iiQ=
-github.com/metacubex/sing v0.0.0-20240408015159-aa61c96df764 h1:+czGKoynxYA90YaL3NlCAIJHnlqwoUlLWgmOhdm5ZU8=
-github.com/metacubex/sing v0.0.0-20240408015159-aa61c96df764/go.mod h1:+60H3Cm91RnL9dpVGWDPHt0zTQImO9Vfqt9a4rSambI=
-github.com/metacubex/sing-quic v0.0.0-20240418004036-814c531c378d h1:RAe0ND8J5SOPGI623oEXfaHKaaUrrzHx+U1DN9Awcco=
-github.com/metacubex/sing-quic v0.0.0-20240418004036-814c531c378d/go.mod h1:WyY0zYxv+o+18R/Ece+QFontlgXoobKbNqbtYn2zjz8=
+github.com/metacubex/quic-go v0.45.1-0.20240610004319-163fee60637e h1:bLYn3GuRvWDcBDAkIv5kUYIhzHwafDVq635BuybnKqI=
+github.com/metacubex/quic-go v0.45.1-0.20240610004319-163fee60637e/go.mod h1:Yza2H7Ax1rxWPUcJx0vW+oAt9EsPuSiyQFhFabUPzwU=
+github.com/metacubex/randv2 v0.2.0 h1:uP38uBvV2SxYfLj53kuvAjbND4RUDfFJjwr4UigMiLs=
+github.com/metacubex/randv2 v0.2.0/go.mod h1:kFi2SzrQ5WuneuoLLCMkABtiBu6VRrMrWFqSPyj2cxY=
+github.com/metacubex/sing v0.0.0-20240617013425-3e3bd9dab6a2 h1:N5tidgg/FRmkgPw/AjRwhLUinKDx/ODCSbvv9xqRoLM=
+github.com/metacubex/sing v0.0.0-20240617013425-3e3bd9dab6a2/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/metacubex/sing-quic v0.0.0-20240518034124-7696d3f7da72 h1:Wr4g1HCb5Z/QIFwFiVNjO2qL+dRu25+Mdn9xtAZZ+ew=
+github.com/metacubex/sing-quic v0.0.0-20240518034124-7696d3f7da72/go.mod h1:g7Mxj7b7zm7YVqD975mk/hSmrb0A0G4bVvIMr2MMzn8=
 github.com/metacubex/sing-shadowsocks v0.2.6 h1:6oEB3QcsFYnNiFeoevcXrCwJ3sAablwVSgtE9R3QeFQ=
 github.com/metacubex/sing-shadowsocks v0.2.6/go.mod h1:zIkMeSnb8Mbf4hdqhw0pjzkn1d99YJ3JQm/VBg5WMTg=
 github.com/metacubex/sing-shadowsocks2 v0.2.0 h1:hqwT/AfI5d5UdPefIzR6onGHJfDXs5zgOM5QSgaM/9A=
 github.com/metacubex/sing-shadowsocks2 v0.2.0/go.mod h1:LCKF6j1P94zN8ZS+LXRK1gmYTVGB3squivBSXAFnOg8=
-github.com/metacubex/sing-tun v0.2.6 h1:frc58BqnIClqcC9KcYBfVAn5bgO6WW1ANKvZW3/HYAQ=
-github.com/metacubex/sing-tun v0.2.6/go.mod h1:4VsMwZH1IlgPGFK1ZbBomZ/B2MYkTgs2+gnBAr5GOIo=
+github.com/metacubex/sing-tun v0.2.7-0.20240627012306-9d1f5fc0b45e h1:o+zohxPRo45P35fS9u1zfdBgr+L/7S0ObGU6YjbVBIc=
+github.com/metacubex/sing-tun v0.2.7-0.20240627012306-9d1f5fc0b45e/go.mod h1:WwJGbCx7bQcBzuQXiDOJvZH27R0kIjKNNlISIWsL6kM=
 github.com/metacubex/sing-vmess v0.1.9-0.20231207122118-72303677451f h1:QjXrHKbTMBip/C+R79bvbfr42xH1gZl3uFb0RELdZiQ=
 github.com/metacubex/sing-vmess v0.1.9-0.20231207122118-72303677451f/go.mod h1:olVkD4FChQ5gKMHG4ZzuD7+fMkJY1G8vwOKpRehjrmY=
-github.com/metacubex/sing-wireguard v0.0.0-20240321042214-224f96122a63 h1:AGyIB55UfQm/0ZH0HtQO9u3l//yjtHUpjeRjjPGfGRI=
-github.com/metacubex/sing-wireguard v0.0.0-20240321042214-224f96122a63/go.mod h1:uY+BYb0UEknLrqvbGcwi9i++KgrKxsurysgI6G1Pveo=
+github.com/metacubex/sing-wireguard v0.0.0-20240618022557-a6efaa37127a h1:NpSGclHJUYndUwBmyIpFBSoBVg8PoVX7QQKhYg0DjM0=
+github.com/metacubex/sing-wireguard v0.0.0-20240618022557-a6efaa37127a/go.mod h1:uY+BYb0UEknLrqvbGcwi9i++KgrKxsurysgI6G1Pveo=
 github.com/metacubex/tfo-go v0.0.0-20240228025757-be1269474a66 h1:as/aO/fM8nv4W4pOr9EETP6kV/Oaujk3fUNyQSJK61c=
 github.com/metacubex/tfo-go v0.0.0-20240228025757-be1269474a66/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts=
-github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
-github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk=
+github.com/metacubex/utls v1.6.6 h1:3D12YKHTf2Z41UPhQU2dWerNWJ5TVQD9gKoQ+H+iLC8=
+github.com/metacubex/utls v1.6.6/go.mod h1:+WLFUnXjcpdxXCnyX25nggw8C6YonZ8zOK2Zm/oRvdo=
+github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs=
+github.com/miekg/dns v1.1.61/go.mod h1:mnAarhS3nWaW+NVP2wTkYVIZyHNJ098SJZUki3eykwQ=
 github.com/mroth/weightedrand/v2 v2.1.0 h1:o1ascnB1CIVzsqlfArQQjeMy1U0NcIbBO5rfd5E/OeU=
 github.com/mroth/weightedrand/v2 v2.1.0/go.mod h1:f2faGsfOGOwc1p94wzHKKZyTpcJUW7OJ/9U4yfiNAOU=
 github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7 h1:1102pQc2SEPp5+xrS26wEaeb26sZy6k9/ZXlZN+eXE4=
@@ -148,8 +149,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
-github.com/puzpuzpuz/xsync/v3 v3.1.0 h1:EewKT7/LNac5SLiEblJeUu8z5eERHrmRLnMQL2d7qX4=
-github.com/puzpuzpuz/xsync/v3 v3.1.0/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
+github.com/puzpuzpuz/xsync/v3 v3.2.0 h1:9AzuUeF88YC5bK8u2vEG1Fpvu4wgpM1wfPIExfaaDxQ=
+github.com/puzpuzpuz/xsync/v3 v3.2.0/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
 github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs=
@@ -157,26 +158,25 @@ github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkkD2QgdTuzQG263YZ+2emfpeyGqW0=
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
-github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
-github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
+github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZNjr6sGeT00J8uU7JF4cNUdb44/Duis=
+github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
+github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNenDW2zaXr8I=
+github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
 github.com/sagernet/sing-mux v0.2.1-0.20240124034317-9bfb33698bb6 h1:5bCAkvDDzSMITiHFjolBwpdqYsvycdTu71FsMEFXQ14=
 github.com/sagernet/sing-mux v0.2.1-0.20240124034317-9bfb33698bb6/go.mod h1:khzr9AOPocLa+g53dBplwNDz4gdsyx/YM3swtAhlkHQ=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo=
-github.com/sagernet/utls v1.5.4 h1:KmsEGbB2dKUtCNC+44NwAdNAqnqQ6GA4pTO0Yik56co=
-github.com/sagernet/utls v1.5.4/go.mod h1:CTGxPWExIloRipK3XFpYv0OVyhO8kk3XCGW/ieyTh1s=
 github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e h1:iGH0RMv2FzELOFNFQtvsxH7NPmlo7X5JizEK51UCojo=
 github.com/sagernet/wireguard-go v0.0.0-20231209092712-9a439356a62e/go.mod h1:YbL4TKHRR6APYQv3U2RGfwLDpPYSyWz6oUlpISBEzBE=
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
-github.com/shirou/gopsutil/v3 v3.24.3 h1:eoUGJSmdfLzJ3mxIhmOAhgKEKgQkeOwKpz1NbhVnuPE=
-github.com/shirou/gopsutil/v3 v3.24.3/go.mod h1:JpND7O217xa72ewWz9zN2eIIkPWsDN/3pl0H8Qt0uwg=
+github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=
+github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
-github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
 github.com/sina-ghaderi/poly1305 v0.0.0-20220724002748-c5926b03988b h1:rXHg9GrUEtWZhEkrykicdND3VPjlVbYiLdX9J7gimS8=
 github.com/sina-ghaderi/poly1305 v0.0.0-20220724002748-c5926b03988b/go.mod h1:X7qrxNQViEaAN9LNZOPl9PfvQtp3V3c7LTo0dvGi0fM=
 github.com/sina-ghaderi/rabaead v0.0.0-20220730151906-ab6e06b96e8c h1:DjKMC30y6yjG3IxDaeAj3PCoRr+IsO+bzyT+Se2m2Hk=
@@ -206,14 +206,12 @@ github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923/go.mod h1:eLL9Nub3yfAho
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
 github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
-github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
+github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
 github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-github.com/zhangyunhao116/fastrand v0.4.0 h1:86QB6Y+GGgLZRFRDCjMmAS28QULwspK9sgL5d1Bx3H4=
-github.com/zhangyunhao116/fastrand v0.4.0/go.mod h1:vIyo6EyBhjGKpZv6qVlkPl4JVAklpMM4DSKzbAkMguA=
 gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec h1:FpfFs4EhNehiVfzQttTuxanPIT43FtkkCFypIod8LHo=
 gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec/go.mod h1:BZ1RAoRPbCxum9Grlv5aeksu2H8BiKehBYooU2LFiOQ=
 go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
@@ -224,18 +222,18 @@ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBs
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
-golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY=
-golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0JsFHwrHdT3Yh6szTnfY=
+golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
-golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
@@ -254,26 +252,25 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY=
-golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
-google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-lukechampine.com/blake3 v1.2.2 h1:wEAbSg0IVU4ih44CVlpMqMZMpzr5hf/6aqodLlevd/w=
-lukechampine.com/blake3 v1.2.2/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
+lukechampine.com/blake3 v1.3.0 h1:sJ3XhFINmHSrYCgl958hscfIa3bw8x4DqMP3u1YvoYE=
+lukechampine.com/blake3 v1.3.0/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=

hub/executor/executor.go

@@ -97,7 +97,7 @@ func ApplyConfig(cfg *config.Config, force bool) {
 	updateHosts(cfg.Hosts)
 	updateGeneral(cfg.General)
 	updateNTP(cfg.NTP)
-	updateDNS(cfg.DNS, cfg.RuleProviders, cfg.General.IPv6)
+	updateDNS(cfg.DNS, cfg.General.IPv6)
 	updateListeners(cfg.General, cfg.Listeners, force)
 	updateIPTables(cfg)
 	updateTun(cfg.General)
@@ -211,7 +211,7 @@ func updateNTP(c *config.NTP) {
 	}
 }
 
-func updateDNS(c *config.DNS, ruleProvider map[string]provider.RuleProvider, generalIPv6 bool) {
+func updateDNS(c *config.DNS, generalIPv6 bool) {
 	if !c.Enable {
 		resolver.DefaultResolver = nil
 		resolver.DefaultHostMapper = nil
@@ -237,7 +237,7 @@ func updateDNS(c *config.DNS, ruleProvider map[string]provider.RuleProvider, gen
 		Default:        c.DefaultNameserver,
 		Policy:         c.NameServerPolicy,
 		ProxyServer:    c.ProxyServerNameserver,
-		RuleProviders:  ruleProvider,
+		Tunnel:         tunnel.Tunnel,
 		CacheAlgorithm: c.CacheAlgorithm,
 	}
 
@@ -253,6 +253,7 @@ func updateDNS(c *config.DNS, ruleProvider map[string]provider.RuleProvider, gen
 	resolver.DefaultResolver = r
 	resolver.DefaultHostMapper = m
 	resolver.DefaultLocalServer = dns.NewLocalServer(r, m)
+	resolver.UseSystemHosts = c.UseSystemHosts
 
 	if pr.Invalid() {
 		resolver.ProxyServerHostResolver = pr
@@ -354,7 +355,7 @@ func updateTun(general *config.General) {
 		return
 	}
 	listener.ReCreateTun(general.Tun, tunnel.Tunnel)
-	listener.ReCreateRedirToTun(general.Tun.RedirectToTun)
+	listener.ReCreateRedirToTun(general.EBpf.RedirectToTun)
 }
 
 func updateSniffer(sniffer *config.Sniffer) {
@@ -506,9 +507,7 @@ func updateIPTables(cfg *config.Config) {
 		inboundInterface = iptables.InboundInterface
 	}
 
-	if dialer.DefaultRoutingMark.Load() == 0 {
-		dialer.DefaultRoutingMark.Store(2158)
-	}
+	dialer.DefaultRoutingMark.CompareAndSwap(0, 2158)
 
 	err = tproxy.SetTProxyIPTables(inboundInterface, bypass, uint16(tProxyPort), DnsRedirect, dnsPort.Port())
 	if err != nil {

hub/route/configs.go

@@ -4,11 +4,11 @@ import (
 	"net/http"
 	"net/netip"
 	"path/filepath"
-	"sync"
 
 	"github.com/metacubex/mihomo/adapter/inbound"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/resolver"
+	"github.com/metacubex/mihomo/component/updater"
 	"github.com/metacubex/mihomo/config"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/hub/executor"
@@ -21,11 +21,6 @@ import (
 	"github.com/go-chi/render"
 )
 
-var (
-	updateGeoMux sync.Mutex
-	updatingGeo  = false
-)
-
 func configRouter() http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", getConfigs)
@@ -73,25 +68,34 @@ type tunSchema struct {
 	GSO        *bool   `yaml:"gso" json:"gso,omitempty"`
 	GSOMaxSize *uint32 `yaml:"gso-max-size" json:"gso-max-size,omitempty"`
 	//Inet4Address           *[]netip.Prefix `yaml:"inet4-address" json:"inet4-address,omitempty"`
-	Inet6Address             *[]netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"`
-	StrictRoute              *bool           `yaml:"strict-route" json:"strict-route,omitempty"`
+	Inet6Address           *[]netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"`
+	IPRoute2TableIndex     *int            `yaml:"iproute2-table-index" json:"iproute2_table_index,omitempty"`
+	IPRoute2RuleIndex      *int            `yaml:"iproute2-rule-index" json:"iproute2_rule_index,omitempty"`
+	AutoRedirect           *bool           `yaml:"auto-redirect" json:"auto_redirect,omitempty"`
+	AutoRedirectInputMark  *uint32         `yaml:"auto-redirect-input-mark" json:"auto_redirect_input_mark,omitempty"`
+	AutoRedirectOutputMark *uint32         `yaml:"auto-redirect-output-mark" json:"auto_redirect_output_mark,omitempty"`
+	StrictRoute            *bool           `yaml:"strict-route" json:"strict-route,omitempty"`
+	RouteAddress           *[]netip.Prefix `yaml:"route-address" json:"route_address,omitempty"`
+	RouteAddressSet        *[]string       `yaml:"route-address-set" json:"route_address_set,omitempty"`
+	RouteExcludeAddress    *[]netip.Prefix `yaml:"route-exclude-address" json:"route_exclude_address,omitempty"`
+	RouteExcludeAddressSet *[]string       `yaml:"route-exclude-address-set" json:"route_exclude_address_set,omitempty"`
+	IncludeInterface       *[]string       `yaml:"include-interface" json:"include-interface,omitempty"`
+	ExcludeInterface       *[]string       `yaml:"exclude-interface" json:"exclude-interface,omitempty"`
+	IncludeUID             *[]uint32       `yaml:"include-uid" json:"include-uid,omitempty"`
+	IncludeUIDRange        *[]string       `yaml:"include-uid-range" json:"include-uid-range,omitempty"`
+	ExcludeUID             *[]uint32       `yaml:"exclude-uid" json:"exclude-uid,omitempty"`
+	ExcludeUIDRange        *[]string       `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"`
+	IncludeAndroidUser     *[]int          `yaml:"include-android-user" json:"include-android-user,omitempty"`
+	IncludePackage         *[]string       `yaml:"include-package" json:"include-package,omitempty"`
+	ExcludePackage         *[]string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
+	EndpointIndependentNat *bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
+	UDPTimeout             *int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
+	FileDescriptor         *int            `yaml:"file-descriptor" json:"file-descriptor"`
+
 	Inet4RouteAddress        *[]netip.Prefix `yaml:"inet4-route-address" json:"inet4-route-address,omitempty"`
 	Inet6RouteAddress        *[]netip.Prefix `yaml:"inet6-route-address" json:"inet6-route-address,omitempty"`
 	Inet4RouteExcludeAddress *[]netip.Prefix `yaml:"inet4-route-exclude-address" json:"inet4-route-exclude-address,omitempty"`
 	Inet6RouteExcludeAddress *[]netip.Prefix `yaml:"inet6-route-exclude-address" json:"inet6-route-exclude-address,omitempty"`
-	IncludeInterface         *[]string       `yaml:"include-interface" json:"include-interface,omitempty"`
-	ExcludeInterface         *[]string       `yaml:"exclude-interface" json:"exclude-interface,omitempty"`
-	IncludeUID               *[]uint32       `yaml:"include-uid" json:"include-uid,omitempty"`
-	IncludeUIDRange          *[]string       `yaml:"include-uid-range" json:"include-uid-range,omitempty"`
-	ExcludeUID               *[]uint32       `yaml:"exclude-uid" json:"exclude-uid,omitempty"`
-	ExcludeUIDRange          *[]string       `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"`
-	IncludeAndroidUser       *[]int          `yaml:"include-android-user" json:"include-android-user,omitempty"`
-	IncludePackage           *[]string       `yaml:"include-package" json:"include-package,omitempty"`
-	ExcludePackage           *[]string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
-	EndpointIndependentNat   *bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
-	UDPTimeout               *int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
-	FileDescriptor           *int            `yaml:"file-descriptor" json:"file-descriptor"`
-	TableIndex               *int            `yaml:"table-index" json:"table-index"`
 }
 
 type tuicServerSchema struct {
@@ -162,6 +166,36 @@ func pointerOrDefaultTun(p *tunSchema, def LC.Tun) LC.Tun {
 		if p.Inet6Address != nil {
 			def.Inet6Address = *p.Inet6Address
 		}
+		if p.IPRoute2TableIndex != nil {
+			def.IPRoute2TableIndex = *p.IPRoute2TableIndex
+		}
+		if p.IPRoute2RuleIndex != nil {
+			def.IPRoute2RuleIndex = *p.IPRoute2RuleIndex
+		}
+		if p.AutoRedirect != nil {
+			def.AutoRedirect = *p.AutoRedirect
+		}
+		if p.AutoRedirectInputMark != nil {
+			def.AutoRedirectInputMark = *p.AutoRedirectInputMark
+		}
+		if p.AutoRedirectOutputMark != nil {
+			def.AutoRedirectOutputMark = *p.AutoRedirectOutputMark
+		}
+		if p.StrictRoute != nil {
+			def.StrictRoute = *p.StrictRoute
+		}
+		if p.RouteAddress != nil {
+			def.RouteAddress = *p.RouteAddress
+		}
+		if p.RouteAddressSet != nil {
+			def.RouteAddressSet = *p.RouteAddressSet
+		}
+		if p.RouteExcludeAddress != nil {
+			def.RouteExcludeAddress = *p.RouteExcludeAddress
+		}
+		if p.RouteExcludeAddressSet != nil {
+			def.RouteExcludeAddressSet = *p.RouteExcludeAddressSet
+		}
 		if p.Inet4RouteAddress != nil {
 			def.Inet4RouteAddress = *p.Inet4RouteAddress
 		}
@@ -210,9 +244,6 @@ func pointerOrDefaultTun(p *tunSchema, def LC.Tun) LC.Tun {
 		if p.FileDescriptor != nil {
 			def.FileDescriptor = *p.FileDescriptor
 		}
-		if p.TableIndex != nil {
-			def.TableIndex = *p.TableIndex
-		}
 	}
 	return def
 }
@@ -369,40 +400,25 @@ func updateConfigs(w http.ResponseWriter, r *http.Request) {
 }
 
 func updateGeoDatabases(w http.ResponseWriter, r *http.Request) {
-	updateGeoMux.Lock()
-
-	if updatingGeo {
-		updateGeoMux.Unlock()
-		render.Status(r, http.StatusBadRequest)
-		render.JSON(w, r, newError("updating..."))
+	err := updater.UpdateGeoDatabases()
+	if err != nil {
+		log.Errorln("[REST-API] update GEO databases failed: %v", err)
+		render.Status(r, http.StatusInternalServerError)
+		render.JSON(w, r, newError(err.Error()))
 		return
 	}
 
-	updatingGeo = true
-	updateGeoMux.Unlock()
+	cfg, err := executor.ParseWithPath(C.Path.Config())
+	if err != nil {
+		log.Errorln("[REST-API] update GEO databases failed: %v", err)
+		render.Status(r, http.StatusInternalServerError)
+		render.JSON(w, r, newError("Error parsing configuration"))
+		return
+	}
 
-	go func() {
-		defer func() {
-			updatingGeo = false
-		}()
+	log.Warnln("[GEO] update GEO databases success, applying config")
 
-		log.Warnln("[REST-API] updating GEO databases...")
-
-		if err := config.UpdateGeoDatabases(); err != nil {
-			log.Errorln("[REST-API] update GEO databases failed: %v", err)
-			return
-		}
-
-		cfg, err := executor.ParseWithPath(C.Path.Config())
-		if err != nil {
-			log.Errorln("[REST-API] update GEO databases failed: %v", err)
-			return
-		}
-
-		log.Warnln("[REST-API] update GEO databases successful, apply config...")
-
-		executor.ApplyConfig(cfg, false)
-	}()
+	executor.ApplyConfig(cfg, false)
 
 	render.NoContent(w, r)
 }

hub/route/upgrade.go

@@ -6,8 +6,7 @@ import (
 	"net/http"
 	"os"
 
-	"github.com/metacubex/mihomo/config"
-	"github.com/metacubex/mihomo/hub/updater"
+	"github.com/metacubex/mihomo/component/updater"
 	"github.com/metacubex/mihomo/log"
 
 	"github.com/go-chi/chi/v5"
@@ -18,6 +17,7 @@ func upgradeRouter() http.Handler {
 	r := chi.NewRouter()
 	r.Post("/", upgradeCore)
 	r.Post("/ui", updateUI)
+	r.Post("/geo", updateGeoDatabases)
 	return r
 }
 
@@ -31,7 +31,7 @@ func upgradeCore(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = updater.Update(execPath)
+	err = updater.UpdateCore(execPath)
 	if err != nil {
 		log.Warnln("%s", err)
 		render.Status(r, http.StatusInternalServerError)
@@ -48,9 +48,9 @@ func upgradeCore(w http.ResponseWriter, r *http.Request) {
 }
 
 func updateUI(w http.ResponseWriter, r *http.Request) {
-	err := config.UpdateUI()
+	err := updater.UpdateUI()
 	if err != nil {
-		if errors.Is(err, config.ErrIncompleteConf) {
+		if errors.Is(err, updater.ErrIncompleteConf) {
 			log.Warnln("%s", err)
 			render.Status(r, http.StatusNotImplemented)
 			render.JSON(w, r, newError(fmt.Sprintf("%s", err)))

listener/config/tun.go

@@ -27,27 +27,36 @@ type Tun struct {
 	AutoDetectInterface bool       `yaml:"auto-detect-interface" json:"auto-detect-interface"`
 	RedirectToTun       []string   `yaml:"-" json:"-"`
 
-	MTU                      uint32         `yaml:"mtu" json:"mtu,omitempty"`
-	GSO                      bool           `yaml:"gso" json:"gso,omitempty"`
-	GSOMaxSize               uint32         `yaml:"gso-max-size" json:"gso-max-size,omitempty"`
-	Inet4Address             []netip.Prefix `yaml:"inet4-address" json:"inet4-address,omitempty"`
-	Inet6Address             []netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"`
-	StrictRoute              bool           `yaml:"strict-route" json:"strict-route,omitempty"`
+	MTU                    uint32         `yaml:"mtu" json:"mtu,omitempty"`
+	GSO                    bool           `yaml:"gso" json:"gso,omitempty"`
+	GSOMaxSize             uint32         `yaml:"gso-max-size" json:"gso-max-size,omitempty"`
+	Inet4Address           []netip.Prefix `yaml:"inet4-address" json:"inet4-address,omitempty"`
+	Inet6Address           []netip.Prefix `yaml:"inet6-address" json:"inet6-address,omitempty"`
+	IPRoute2TableIndex     int            `yaml:"iproute2-table-index" json:"iproute2_table_index,omitempty"`
+	IPRoute2RuleIndex      int            `yaml:"iproute2-rule-index" json:"iproute2_rule_index,omitempty"`
+	AutoRedirect           bool           `yaml:"auto-redirect" json:"auto_redirect,omitempty"`
+	AutoRedirectInputMark  uint32         `yaml:"auto-redirect-input-mark" json:"auto_redirect_input_mark,omitempty"`
+	AutoRedirectOutputMark uint32         `yaml:"auto-redirect-output-mark" json:"auto_redirect_output_mark,omitempty"`
+	StrictRoute            bool           `yaml:"strict-route" json:"strict-route,omitempty"`
+	RouteAddress           []netip.Prefix `yaml:"route-address" json:"route_address,omitempty"`
+	RouteAddressSet        []string       `yaml:"route-address-set" json:"route_address_set,omitempty"`
+	RouteExcludeAddress    []netip.Prefix `yaml:"route-exclude-address" json:"route_exclude_address,omitempty"`
+	RouteExcludeAddressSet []string       `yaml:"route-exclude-address-set" json:"route_exclude_address_set,omitempty"`
+	IncludeInterface       []string       `yaml:"include-interface" json:"include-interface,omitempty"`
+	ExcludeInterface       []string       `yaml:"exclude-interface" json:"exclude-interface,omitempty"`
+	IncludeUID             []uint32       `yaml:"include-uid" json:"include-uid,omitempty"`
+	IncludeUIDRange        []string       `yaml:"include-uid-range" json:"include-uid-range,omitempty"`
+	ExcludeUID             []uint32       `yaml:"exclude-uid" json:"exclude-uid,omitempty"`
+	ExcludeUIDRange        []string       `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"`
+	IncludeAndroidUser     []int          `yaml:"include-android-user" json:"include-android-user,omitempty"`
+	IncludePackage         []string       `yaml:"include-package" json:"include-package,omitempty"`
+	ExcludePackage         []string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
+	EndpointIndependentNat bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
+	UDPTimeout             int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
+	FileDescriptor         int            `yaml:"file-descriptor" json:"file-descriptor"`
+
 	Inet4RouteAddress        []netip.Prefix `yaml:"inet4-route-address" json:"inet4-route-address,omitempty"`
 	Inet6RouteAddress        []netip.Prefix `yaml:"inet6-route-address" json:"inet6-route-address,omitempty"`
 	Inet4RouteExcludeAddress []netip.Prefix `yaml:"inet4-route-exclude-address" json:"inet4-route-exclude-address,omitempty"`
 	Inet6RouteExcludeAddress []netip.Prefix `yaml:"inet6-route-exclude-address" json:"inet6-route-exclude-address,omitempty"`
-	IncludeInterface         []string       `yaml:"include-interface" json:"include-interface,omitempty"`
-	ExcludeInterface         []string       `yaml:"exclude-interface" json:"exclude-interface,omitempty"`
-	IncludeUID               []uint32       `yaml:"include-uid" json:"include-uid,omitempty"`
-	IncludeUIDRange          []string       `yaml:"include-uid-range" json:"include-uid-range,omitempty"`
-	ExcludeUID               []uint32       `yaml:"exclude-uid" json:"exclude-uid,omitempty"`
-	ExcludeUIDRange          []string       `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"`
-	IncludeAndroidUser       []int          `yaml:"include-android-user" json:"include-android-user,omitempty"`
-	IncludePackage           []string       `yaml:"include-package" json:"include-package,omitempty"`
-	ExcludePackage           []string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
-	EndpointIndependentNat   bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
-	UDPTimeout               int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
-	FileDescriptor           int            `yaml:"file-descriptor" json:"file-descriptor"`
-	TableIndex               int            `yaml:"table-index" json:"table-index"`
 }

listener/http/proxy.go

@@ -8,7 +8,6 @@ import (
 	"net/http"
 	"strings"
 	"sync"
-	_ "unsafe"
 
 	"github.com/metacubex/mihomo/adapter/inbound"
 	"github.com/metacubex/mihomo/common/lru"
@@ -18,11 +17,19 @@ import (
 	"github.com/metacubex/mihomo/log"
 )
 
-//go:linkname registerOnHitEOF net/http.registerOnHitEOF
-func registerOnHitEOF(rc io.ReadCloser, fn func())
+type bodyWrapper struct {
+	io.ReadCloser
+	once     sync.Once
+	onHitEOF func()
+}
 
-//go:linkname requestBodyRemains net/http.requestBodyRemains
-func requestBodyRemains(rc io.ReadCloser) bool
+func (b *bodyWrapper) Read(p []byte) (n int, err error) {
+	n, err = b.ReadCloser.Read(p)
+	if err == io.EOF && b.onHitEOF != nil {
+		b.once.Do(b.onHitEOF)
+	}
+	return n, err
+}
 
 func HandleConn(c net.Conn, tunnel C.Tunnel, cache *lru.LruCache[string, bool], additions ...inbound.Addition) {
 	client := newClient(c, tunnel, additions...)
@@ -100,10 +107,10 @@ func HandleConn(c net.Conn, tunnel C.Tunnel, cache *lru.LruCache[string, bool],
 						}
 					}()
 				}
-				if requestBodyRemains(request.Body) {
-					registerOnHitEOF(request.Body, startBackgroundRead)
-				} else {
+				if request.Body == nil || request.Body == http.NoBody {
 					startBackgroundRead()
+				} else {
+					request.Body = &bodyWrapper{ReadCloser: request.Body, onHitEOF: startBackgroundRead}
 				}
 				resp, err = client.Do(request)
 				if err != nil {

listener/inbound/tun.go

@@ -18,29 +18,38 @@ type TunOption struct {
 	AutoRoute           bool     `inbound:"auto-route,omitempty"`
 	AutoDetectInterface bool     `inbound:"auto-detect-interface,omitempty"`
 
-	MTU                      uint32   `inbound:"mtu,omitempty"`
-	GSO                      bool     `inbound:"gso,omitempty"`
-	GSOMaxSize               uint32   `inbound:"gso-max-size,omitempty"`
-	Inet4Address             []string `inbound:"inet4_address,omitempty"`
-	Inet6Address             []string `inbound:"inet6_address,omitempty"`
-	StrictRoute              bool     `inbound:"strict_route,omitempty"`
+	MTU                    uint32   `inbound:"mtu,omitempty"`
+	GSO                    bool     `inbound:"gso,omitempty"`
+	GSOMaxSize             uint32   `inbound:"gso-max-size,omitempty"`
+	Inet4Address           []string `inbound:"inet4_address,omitempty"`
+	Inet6Address           []string `inbound:"inet6_address,omitempty"`
+	IPRoute2TableIndex     int      `inbound:"iproute2-table-index"`
+	IPRoute2RuleIndex      int      `inbound:"iproute2-rule-index"`
+	AutoRedirect           bool     `inbound:"auto-redirect"`
+	AutoRedirectInputMark  uint32   `inbound:"auto-redirect-input-mark"`
+	AutoRedirectOutputMark uint32   `inbound:"auto-redirect-output-mark"`
+	StrictRoute            bool     `inbound:"strict_route,omitempty"`
+	RouteAddress           []string `inbound:"route-address"`
+	RouteAddressSet        []string `inbound:"route-address-set"`
+	RouteExcludeAddress    []string `inbound:"route-exclude-address"`
+	RouteExcludeAddressSet []string `inbound:"route-exclude-address-set"`
+	IncludeInterface       []string `inbound:"include-interface,omitempty"`
+	ExcludeInterface       []string `inbound:"exclude-interface"`
+	IncludeUID             []uint32 `inbound:"include_uid,omitempty"`
+	IncludeUIDRange        []string `inbound:"include_uid_range,omitempty"`
+	ExcludeUID             []uint32 `inbound:"exclude_uid,omitempty"`
+	ExcludeUIDRange        []string `inbound:"exclude_uid_range,omitempty"`
+	IncludeAndroidUser     []int    `inbound:"include_android_user,omitempty"`
+	IncludePackage         []string `inbound:"include_package,omitempty"`
+	ExcludePackage         []string `inbound:"exclude_package,omitempty"`
+	EndpointIndependentNat bool     `inbound:"endpoint_independent_nat,omitempty"`
+	UDPTimeout             int64    `inbound:"udp_timeout,omitempty"`
+	FileDescriptor         int      `inbound:"file-descriptor,omitempty"`
+
 	Inet4RouteAddress        []string `inbound:"inet4_route_address,omitempty"`
 	Inet6RouteAddress        []string `inbound:"inet6_route_address,omitempty"`
 	Inet4RouteExcludeAddress []string `inbound:"inet4_route_exclude_address,omitempty"`
 	Inet6RouteExcludeAddress []string `inbound:"inet6_route_exclude_address,omitempty"`
-	IncludeInterface         []string `inbound:"include-interface,omitempty"`
-	ExcludeInterface         []string `inbound:"exclude-interface" json:"exclude-interface,omitempty"`
-	IncludeUID               []uint32 `inbound:"include_uid,omitempty"`
-	IncludeUIDRange          []string `inbound:"include_uid_range,omitempty"`
-	ExcludeUID               []uint32 `inbound:"exclude_uid,omitempty"`
-	ExcludeUIDRange          []string `inbound:"exclude_uid_range,omitempty"`
-	IncludeAndroidUser       []int    `inbound:"include_android_user,omitempty"`
-	IncludePackage           []string `inbound:"include_package,omitempty"`
-	ExcludePackage           []string `inbound:"exclude_package,omitempty"`
-	EndpointIndependentNat   bool     `inbound:"endpoint_independent_nat,omitempty"`
-	UDPTimeout               int64    `inbound:"udp_timeout,omitempty"`
-	FileDescriptor           int      `inbound:"file-descriptor,omitempty"`
-	TableIndex               int      `inbound:"table-index,omitempty"`
 }
 
 func (o TunOption) Equal(config C.InboundConfig) bool {
@@ -63,6 +72,16 @@ func NewTun(options *TunOption) (*Tun, error) {
 	if !exist {
 		return nil, errors.New("invalid tun stack")
 	}
+
+	routeAddress, err := LC.StringSliceToNetipPrefixSlice(options.RouteAddress)
+	if err != nil {
+		return nil, err
+	}
+	routeExcludeAddress, err := LC.StringSliceToNetipPrefixSlice(options.RouteExcludeAddress)
+	if err != nil {
+		return nil, err
+	}
+
 	inet4Address, err := LC.StringSliceToNetipPrefixSlice(options.Inet4Address)
 	if err != nil {
 		return nil, err
@@ -91,35 +110,44 @@ func NewTun(options *TunOption) (*Tun, error) {
 		Base:   base,
 		config: options,
 		tun: LC.Tun{
-			Enable:                   true,
-			Device:                   options.Device,
-			Stack:                    stack,
-			DNSHijack:                options.DNSHijack,
-			AutoRoute:                options.AutoRoute,
-			AutoDetectInterface:      options.AutoDetectInterface,
-			MTU:                      options.MTU,
-			GSO:                      options.GSO,
-			GSOMaxSize:               options.GSOMaxSize,
-			Inet4Address:             inet4Address,
-			Inet6Address:             inet6Address,
-			StrictRoute:              options.StrictRoute,
+			Enable:                 true,
+			Device:                 options.Device,
+			Stack:                  stack,
+			DNSHijack:              options.DNSHijack,
+			AutoRoute:              options.AutoRoute,
+			AutoDetectInterface:    options.AutoDetectInterface,
+			MTU:                    options.MTU,
+			GSO:                    options.GSO,
+			GSOMaxSize:             options.GSOMaxSize,
+			Inet4Address:           inet4Address,
+			Inet6Address:           inet6Address,
+			IPRoute2TableIndex:     options.IPRoute2TableIndex,
+			IPRoute2RuleIndex:      options.IPRoute2RuleIndex,
+			AutoRedirect:           options.AutoRedirect,
+			AutoRedirectInputMark:  options.AutoRedirectInputMark,
+			AutoRedirectOutputMark: options.AutoRedirectOutputMark,
+			StrictRoute:            options.StrictRoute,
+			RouteAddress:           routeAddress,
+			RouteAddressSet:        options.RouteAddressSet,
+			RouteExcludeAddress:    routeExcludeAddress,
+			RouteExcludeAddressSet: options.RouteExcludeAddressSet,
+			IncludeInterface:       options.IncludeInterface,
+			ExcludeInterface:       options.ExcludeInterface,
+			IncludeUID:             options.IncludeUID,
+			IncludeUIDRange:        options.IncludeUIDRange,
+			ExcludeUID:             options.ExcludeUID,
+			ExcludeUIDRange:        options.ExcludeUIDRange,
+			IncludeAndroidUser:     options.IncludeAndroidUser,
+			IncludePackage:         options.IncludePackage,
+			ExcludePackage:         options.ExcludePackage,
+			EndpointIndependentNat: options.EndpointIndependentNat,
+			UDPTimeout:             options.UDPTimeout,
+			FileDescriptor:         options.FileDescriptor,
+
 			Inet4RouteAddress:        inet4RouteAddress,
 			Inet6RouteAddress:        inet6RouteAddress,
 			Inet4RouteExcludeAddress: inet4RouteExcludeAddress,
 			Inet6RouteExcludeAddress: inet6RouteExcludeAddress,
-			IncludeInterface:         options.IncludeInterface,
-			ExcludeInterface:         options.ExcludeInterface,
-			IncludeUID:               options.IncludeUID,
-			IncludeUIDRange:          options.IncludeUIDRange,
-			ExcludeUID:               options.ExcludeUID,
-			ExcludeUIDRange:          options.ExcludeUIDRange,
-			IncludeAndroidUser:       options.IncludeAndroidUser,
-			IncludePackage:           options.IncludePackage,
-			ExcludePackage:           options.ExcludePackage,
-			EndpointIndependentNat:   options.EndpointIndependentNat,
-			UDPTimeout:               options.UDPTimeout,
-			FileDescriptor:           options.FileDescriptor,
-			TableIndex:               options.TableIndex,
 		},
 	}, nil
 }

listener/listener.go

@@ -820,11 +820,15 @@ func hasTunConfigChange(tunConf *LC.Tun) bool {
 		LastTunConf.MTU != tunConf.MTU ||
 		LastTunConf.GSO != tunConf.GSO ||
 		LastTunConf.GSOMaxSize != tunConf.GSOMaxSize ||
+		LastTunConf.IPRoute2TableIndex != tunConf.IPRoute2TableIndex ||
+		LastTunConf.IPRoute2RuleIndex != tunConf.IPRoute2RuleIndex ||
+		LastTunConf.AutoRedirect != tunConf.AutoRedirect ||
+		LastTunConf.AutoRedirectInputMark != tunConf.AutoRedirectInputMark ||
+		LastTunConf.AutoRedirectOutputMark != tunConf.AutoRedirectOutputMark ||
 		LastTunConf.StrictRoute != tunConf.StrictRoute ||
 		LastTunConf.EndpointIndependentNat != tunConf.EndpointIndependentNat ||
 		LastTunConf.UDPTimeout != tunConf.UDPTimeout ||
-		LastTunConf.FileDescriptor != tunConf.FileDescriptor ||
-		LastTunConf.TableIndex != tunConf.TableIndex {
+		LastTunConf.FileDescriptor != tunConf.FileDescriptor {
 		return true
 	}
 
@@ -836,6 +840,22 @@ func hasTunConfigChange(tunConf *LC.Tun) bool {
 		return tunConf.DNSHijack[i] < tunConf.DNSHijack[j]
 	})
 
+	sort.Slice(tunConf.RouteAddress, func(i, j int) bool {
+		return tunConf.RouteAddress[i].String() < tunConf.RouteAddress[j].String()
+	})
+
+	sort.Slice(tunConf.RouteAddressSet, func(i, j int) bool {
+		return tunConf.RouteAddressSet[i] < tunConf.RouteAddressSet[j]
+	})
+
+	sort.Slice(tunConf.RouteExcludeAddress, func(i, j int) bool {
+		return tunConf.RouteExcludeAddress[i].String() < tunConf.RouteExcludeAddress[j].String()
+	})
+
+	sort.Slice(tunConf.RouteExcludeAddressSet, func(i, j int) bool {
+		return tunConf.RouteExcludeAddressSet[i] < tunConf.RouteExcludeAddressSet[j]
+	})
+
 	sort.Slice(tunConf.Inet4Address, func(i, j int) bool {
 		return tunConf.Inet4Address[i].String() < tunConf.Inet4Address[j].String()
 	})
@@ -897,6 +917,10 @@ func hasTunConfigChange(tunConf *LC.Tun) bool {
 	})
 
 	if !slices.Equal(tunConf.DNSHijack, LastTunConf.DNSHijack) ||
+		!slices.Equal(tunConf.RouteAddress, LastTunConf.RouteAddress) ||
+		!slices.Equal(tunConf.RouteAddressSet, LastTunConf.RouteAddressSet) ||
+		!slices.Equal(tunConf.RouteExcludeAddress, LastTunConf.RouteExcludeAddress) ||
+		!slices.Equal(tunConf.RouteExcludeAddressSet, LastTunConf.RouteExcludeAddressSet) ||
 		!slices.Equal(tunConf.Inet4Address, LastTunConf.Inet4Address) ||
 		!slices.Equal(tunConf.Inet6Address, LastTunConf.Inet6Address) ||
 		!slices.Equal(tunConf.Inet4RouteAddress, LastTunConf.Inet4RouteAddress) ||

listener/sing/sing.go

@@ -198,6 +198,12 @@ func (h *ListenerHandler) NewError(ctx context.Context, err error) {
 	log.Warnln("%s listener get error: %+v", h.Type.String(), err)
 }
 
+func (h *ListenerHandler) TypeMutation(typ C.Type) *ListenerHandler {
+	handler := *h
+	handler.Type = typ
+	return &handler
+}
+
 func ShouldIgnorePacketError(err error) bool {
 	// ignore simple error
 	if E.IsTimeout(err) || E.IsClosed(err) || E.IsCanceled(err) {

listener/sing_tun/dns.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/metacubex/mihomo/component/resolver"
+	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/listener/sing"
 	"github.com/metacubex/mihomo/log"
 
@@ -124,3 +125,9 @@ func (h *ListenerHandler) NewPacketConnection(ctx context.Context, conn network.
 	}
 	return h.ListenerHandler.NewPacketConnection(ctx, conn, metadata)
 }
+
+func (h *ListenerHandler) TypeMutation(typ C.Type) *ListenerHandler {
+	handle := *h
+	handle.ListenerHandler = h.ListenerHandler.TypeMutation(typ)
+	return &handle
+}

listener/sing_tun/iface.go

@@ -0,0 +1,70 @@
+package sing_tun
+
+import (
+	"errors"
+	"net/netip"
+
+	"github.com/metacubex/mihomo/component/iface"
+
+	"github.com/sagernet/sing/common/control"
+)
+
+type defaultInterfaceFinder struct{}
+
+var DefaultInterfaceFinder control.InterfaceFinder = (*defaultInterfaceFinder)(nil)
+
+func (f *defaultInterfaceFinder) Interfaces() []control.Interface {
+	ifaces, err := iface.Interfaces()
+	if err != nil {
+		return nil
+	}
+	interfaces := make([]control.Interface, 0, len(ifaces))
+	for _, _interface := range ifaces {
+		interfaces = append(interfaces, control.Interface(*_interface))
+	}
+
+	return interfaces
+}
+
+var errNoSuchInterface = errors.New("no such network interface")
+
+func (f *defaultInterfaceFinder) InterfaceIndexByName(name string) (int, error) {
+	ifaces, err := iface.Interfaces()
+	if err != nil {
+		return 0, err
+	}
+	for _, netInterface := range ifaces {
+		if netInterface.Name == name {
+			return netInterface.Index, nil
+		}
+	}
+	return 0, errNoSuchInterface
+}
+
+func (f *defaultInterfaceFinder) InterfaceNameByIndex(index int) (string, error) {
+	ifaces, err := iface.Interfaces()
+	if err != nil {
+		return "", err
+	}
+	for _, netInterface := range ifaces {
+		if netInterface.Index == index {
+			return netInterface.Name, nil
+		}
+	}
+	return "", errNoSuchInterface
+}
+
+func (f *defaultInterfaceFinder) InterfaceByAddr(addr netip.Addr) (*control.Interface, error) {
+	ifaces, err := iface.Interfaces()
+	if err != nil {
+		return nil, err
+	}
+	for _, netInterface := range ifaces {
+		for _, prefix := range netInterface.Addresses {
+			if prefix.Contains(addr) {
+				return (*control.Interface)(netInterface), nil
+			}
+		}
+	}
+	return nil, errNoSuchInterface
+}

listener/sing_tun/redirect_linux.go

@@ -0,0 +1,3 @@
+package sing_tun
+
+const supportRedirect = true

listener/sing_tun/redirect_stub.go

@@ -0,0 +1,5 @@
+//go:build !linux
+
+package sing_tun
+
+const supportRedirect = false

listener/sing_tun/server.go

@@ -3,17 +3,21 @@ package sing_tun
 import (
 	"context"
 	"fmt"
+	"io"
 	"net"
 	"net/netip"
+	"os"
 	"runtime"
 	"strconv"
 	"strings"
+	"sync"
 
 	"github.com/metacubex/mihomo/adapter/inbound"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/iface"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
+	"github.com/metacubex/mihomo/constant/provider"
 	LC "github.com/metacubex/mihomo/listener/config"
 	"github.com/metacubex/mihomo/listener/sing"
 	"github.com/metacubex/mihomo/log"
@@ -23,9 +27,14 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/ranges"
+
+	"go4.org/netipx"
+	"golang.org/x/exp/maps"
+	"golang.org/x/exp/slices"
 )
 
 var InterfaceName = "Meta"
+var EnforceBindInterface = false
 
 type Listener struct {
 	closed  bool
@@ -40,10 +49,21 @@ type Listener struct {
 	networkUpdateMonitor    tun.NetworkUpdateMonitor
 	defaultInterfaceMonitor tun.DefaultInterfaceMonitor
 	packageManager          tun.PackageManager
+	autoRedirect            tun.AutoRedirect
+	autoRedirectOutputMark  int32
+
+	ruleUpdateCallbackCloser io.Closer
+	ruleUpdateMutex          sync.Mutex
+	routeAddressMap          map[string]*netipx.IPSet
+	routeExcludeAddressMap   map[string]*netipx.IPSet
+	routeAddressSet          []*netipx.IPSet
+	routeExcludeAddressSet   []*netipx.IPSet
 
 	dnsServerIp []string
 }
 
+var emptyAddressSet = []*netipx.IPSet{{}}
+
 func CalculateInterfaceName(name string) (tunName string) {
 	if runtime.GOOS == "darwin" {
 		tunName = "utun"
@@ -57,15 +77,25 @@ func CalculateInterfaceName(name string) (tunName string) {
 	if err != nil {
 		return
 	}
-	var tunIndex int
+	tunIndex := 0
+	indexArr := make([]int, 0, len(interfaces))
 	for _, netInterface := range interfaces {
 		if strings.HasPrefix(netInterface.Name, tunName) {
 			index, parseErr := strconv.ParseInt(netInterface.Name[len(tunName):], 10, 16)
 			if parseErr == nil {
-				tunIndex = int(index) + 1
+				indexArr = append(indexArr, int(index))
 			}
 		}
 	}
+	slices.Sort(indexArr)
+	indexArr = slices.Compact(indexArr)
+	for _, index := range indexArr {
+		if index == tunIndex {
+			tunIndex += 1
+		} else { // indexArr already sorted and distinct, so this tunIndex nobody used
+			break
+		}
+	}
 	tunName = F.ToString(tunName, tunIndex)
 	return
 }
@@ -97,14 +127,45 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 			inbound.WithSpecialRules(""),
 		}
 	}
+	ctx := context.TODO()
+	rpTunnel := tunnel.(provider.Tunnel)
 	if options.GSOMaxSize == 0 {
 		options.GSOMaxSize = 65536
 	}
+	if !supportRedirect {
+		options.AutoRedirect = false
+	}
 	tunName := options.Device
 	if tunName == "" || !checkTunName(tunName) {
 		tunName = CalculateInterfaceName(InterfaceName)
 		options.Device = tunName
 	}
+	routeAddress := options.RouteAddress
+	if len(options.Inet4RouteAddress) > 0 {
+		routeAddress = append(routeAddress, options.Inet4RouteAddress...)
+	}
+	if len(options.Inet6RouteAddress) > 0 {
+		routeAddress = append(routeAddress, options.Inet6RouteAddress...)
+	}
+	inet4RouteAddress := common.Filter(routeAddress, func(it netip.Prefix) bool {
+		return it.Addr().Is4()
+	})
+	inet6RouteAddress := common.Filter(routeAddress, func(it netip.Prefix) bool {
+		return it.Addr().Is6()
+	})
+	routeExcludeAddress := options.RouteExcludeAddress
+	if len(options.Inet4RouteExcludeAddress) > 0 {
+		routeExcludeAddress = append(routeExcludeAddress, options.Inet4RouteExcludeAddress...)
+	}
+	if len(options.Inet6RouteExcludeAddress) > 0 {
+		routeExcludeAddress = append(routeExcludeAddress, options.Inet6RouteExcludeAddress...)
+	}
+	inet4RouteExcludeAddress := common.Filter(routeExcludeAddress, func(it netip.Prefix) bool {
+		return it.Addr().Is4()
+	})
+	inet6RouteExcludeAddress := common.Filter(routeExcludeAddress, func(it netip.Prefix) bool {
+		return it.Addr().Is6()
+	})
 	tunMTU := options.MTU
 	if tunMTU == 0 {
 		tunMTU = 9000
@@ -115,9 +176,21 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 	} else {
 		udpTimeout = int64(sing.UDPTimeout.Seconds())
 	}
-	tableIndex := options.TableIndex
+	tableIndex := options.IPRoute2TableIndex
 	if tableIndex == 0 {
-		tableIndex = 2022
+		tableIndex = tun.DefaultIPRoute2TableIndex
+	}
+	ruleIndex := options.IPRoute2RuleIndex
+	if ruleIndex == 0 {
+		ruleIndex = tun.DefaultIPRoute2RuleIndex
+	}
+	inputMark := options.AutoRedirectInputMark
+	if inputMark == 0 {
+		inputMark = tun.DefaultAutoRedirectInputMark
+	}
+	outputMark := options.AutoRedirectOutputMark
+	if outputMark == 0 {
+		outputMark = tun.DefaultAutoRedirectOutputMark
 	}
 	includeUID := uidToRange(options.IncludeUID)
 	if len(options.IncludeUIDRange) > 0 {
@@ -189,6 +262,8 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 		}
 	}()
 
+	interfaceFinder := DefaultInterfaceFinder
+
 	networkUpdateMonitor, err := tun.NewNetworkUpdateMonitor(log.SingLogger)
 	if err != nil {
 		err = E.Cause(err, "create NetworkUpdateMonitor")
@@ -223,11 +298,15 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 		Inet4Address:             options.Inet4Address,
 		Inet6Address:             options.Inet6Address,
 		AutoRoute:                options.AutoRoute,
+		IPRoute2TableIndex:       tableIndex,
+		IPRoute2RuleIndex:        ruleIndex,
+		AutoRedirectInputMark:    inputMark,
+		AutoRedirectOutputMark:   outputMark,
 		StrictRoute:              options.StrictRoute,
-		Inet4RouteAddress:        options.Inet4RouteAddress,
-		Inet6RouteAddress:        options.Inet6RouteAddress,
-		Inet4RouteExcludeAddress: options.Inet4RouteExcludeAddress,
-		Inet6RouteExcludeAddress: options.Inet6RouteExcludeAddress,
+		Inet4RouteAddress:        inet4RouteAddress,
+		Inet6RouteAddress:        inet6RouteAddress,
+		Inet4RouteExcludeAddress: inet4RouteExcludeAddress,
+		Inet6RouteExcludeAddress: inet6RouteExcludeAddress,
 		IncludeInterface:         options.IncludeInterface,
 		ExcludeInterface:         options.ExcludeInterface,
 		IncludeUID:               includeUID,
@@ -237,7 +316,56 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 		ExcludePackage:           options.ExcludePackage,
 		FileDescriptor:           options.FileDescriptor,
 		InterfaceMonitor:         defaultInterfaceMonitor,
-		TableIndex:               tableIndex,
+	}
+
+	if options.AutoRedirect {
+		l.routeAddressMap = make(map[string]*netipx.IPSet)
+		l.routeExcludeAddressMap = make(map[string]*netipx.IPSet)
+
+		if !options.AutoRoute {
+			return nil, E.New("`auto-route` is required by `auto-redirect`")
+		}
+		disableNFTables, dErr := strconv.ParseBool(os.Getenv("DISABLE_NFTABLES"))
+		l.autoRedirect, err = tun.NewAutoRedirect(tun.AutoRedirectOptions{
+			TunOptions:             &tunOptions,
+			Context:                ctx,
+			Handler:                handler.TypeMutation(C.REDIR),
+			Logger:                 log.SingLogger,
+			NetworkMonitor:         networkUpdateMonitor,
+			InterfaceFinder:        interfaceFinder,
+			TableName:              "mihomo",
+			DisableNFTables:        dErr == nil && disableNFTables,
+			RouteAddressSet:        &l.routeAddressSet,
+			RouteExcludeAddressSet: &l.routeExcludeAddressSet,
+		})
+		if err != nil {
+			err = E.Cause(err, "initialize auto redirect")
+			return
+		}
+
+		var markMode bool
+		for _, routeAddressSet := range options.RouteAddressSet {
+			rp, loaded := rpTunnel.RuleProviders()[routeAddressSet]
+			if !loaded {
+				err = E.New("parse route-address-set: rule-set not found: ", routeAddressSet)
+				return
+			}
+			l.updateRule(rp, false, false)
+			markMode = true
+		}
+		for _, routeExcludeAddressSet := range options.RouteExcludeAddressSet {
+			rp, loaded := rpTunnel.RuleProviders()[routeExcludeAddressSet]
+			if !loaded {
+				err = E.New("parse route-exclude_address-set: rule-set not found: ", routeExcludeAddressSet)
+				return
+			}
+			l.updateRule(rp, true, false)
+			markMode = true
+		}
+		if markMode {
+			tunOptions.AutoRedirectMarkMode = true
+		}
+
 	}
 
 	err = l.buildAndroidRules(&tunOptions)
@@ -256,13 +384,15 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 	resolver.AddSystemDnsBlacklist(dnsServerIp...)
 
 	stackOptions := tun.StackOptions{
-		Context:                context.TODO(),
+		Context:                ctx,
 		Tun:                    tunIf,
 		TunOptions:             tunOptions,
 		EndpointIndependentNat: options.EndpointIndependentNat,
 		UDPTimeout:             udpTimeout,
 		Handler:                handler,
 		Logger:                 log.SingLogger,
+		InterfaceFinder:        interfaceFinder,
+		EnforceBindInterface:   EnforceBindInterface,
 	}
 
 	if options.FileDescriptor > 0 {
@@ -284,13 +414,80 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 	}
 	l.tunStack = tunStack
 
+	if l.autoRedirect != nil {
+		if len(l.options.RouteAddressSet) > 0 && len(l.routeAddressSet) == 0 {
+			l.routeAddressSet = emptyAddressSet // without this we can't call UpdateRouteAddressSet after Start
+		}
+		if len(l.options.RouteExcludeAddressSet) > 0 && len(l.routeExcludeAddressSet) == 0 {
+			l.routeExcludeAddressSet = emptyAddressSet // without this we can't call UpdateRouteAddressSet after Start
+		}
+		err = l.autoRedirect.Start()
+		if err != nil {
+			err = E.Cause(err, "auto redirect")
+			return
+		}
+		if tunOptions.AutoRedirectMarkMode {
+			l.autoRedirectOutputMark = int32(outputMark)
+			dialer.DefaultRoutingMark.Store(l.autoRedirectOutputMark)
+			l.autoRedirect.UpdateRouteAddressSet()
+			l.ruleUpdateCallbackCloser = rpTunnel.RuleUpdateCallback().Register(l.ruleUpdateCallback)
+		}
+	}
+
 	//l.openAndroidHotspot(tunOptions)
 
-	l.addrStr = fmt.Sprintf("%s(%s,%s), mtu: %d, auto route: %v, ip stack: %s",
-		tunName, tunOptions.Inet4Address, tunOptions.Inet6Address, tunMTU, options.AutoRoute, options.Stack)
+	l.addrStr = fmt.Sprintf("%s(%s,%s), mtu: %d, auto route: %v, auto redir: %v, ip stack: %s",
+		tunName, tunOptions.Inet4Address, tunOptions.Inet6Address, tunMTU, options.AutoRoute, options.AutoRedirect, options.Stack)
 	return
 }
 
+func (l *Listener) ruleUpdateCallback(ruleProvider provider.RuleProvider) {
+	name := ruleProvider.Name()
+	if slices.Contains(l.options.RouteAddressSet, name) {
+		l.updateRule(ruleProvider, false, true)
+		return
+	}
+	if slices.Contains(l.options.RouteExcludeAddressSet, name) {
+		l.updateRule(ruleProvider, true, true)
+		return
+	}
+}
+
+type toIpCidr interface {
+	ToIpCidr() *netipx.IPSet
+}
+
+func (l *Listener) updateRule(ruleProvider provider.RuleProvider, exclude bool, update bool) {
+	l.ruleUpdateMutex.Lock()
+	defer l.ruleUpdateMutex.Unlock()
+	name := ruleProvider.Name()
+	switch rp := ruleProvider.Strategy().(type) {
+	case toIpCidr:
+		if !exclude {
+			ipCidr := rp.ToIpCidr()
+			if ipCidr != nil {
+				l.routeAddressMap[name] = ipCidr
+			} else {
+				delete(l.routeAddressMap, name)
+			}
+			l.routeAddressSet = maps.Values(l.routeAddressMap)
+		} else {
+			ipCidr := rp.ToIpCidr()
+			if ipCidr != nil {
+				l.routeExcludeAddressMap[name] = ipCidr
+			} else {
+				delete(l.routeExcludeAddressMap, name)
+			}
+			l.routeExcludeAddressSet = maps.Values(l.routeExcludeAddressMap)
+		}
+	default:
+		return
+	}
+	if update && l.autoRedirect != nil {
+		l.autoRedirect.UpdateRouteAddressSet()
+	}
+}
+
 func (l *Listener) FlushDefaultInterface() {
 	if l.options.AutoDetectInterface {
 		for _, destination := range []netip.Addr{netip.IPv4Unspecified(), netip.IPv6Unspecified(), netip.MustParseAddr("1.1.1.1")} {
@@ -332,11 +529,11 @@ func parseRange(uidRanges []ranges.Range[uint32], rangeList []string) ([]ranges.
 		}
 		var start, end uint64
 		var err error
-		start, err = strconv.ParseUint(uidRange[:subIndex], 10, 32)
+		start, err = strconv.ParseUint(uidRange[:subIndex], 0, 32)
 		if err != nil {
 			return nil, E.Cause(err, "parse range start")
 		}
-		end, err = strconv.ParseUint(uidRange[subIndex+1:], 10, 32)
+		end, err = strconv.ParseUint(uidRange[subIndex+1:], 0, 32)
 		if err != nil {
 			return nil, E.Cause(err, "parse range end")
 		}
@@ -348,9 +545,14 @@ func parseRange(uidRanges []ranges.Range[uint32], rangeList []string) ([]ranges.
 func (l *Listener) Close() error {
 	l.closed = true
 	resolver.RemoveSystemDnsBlacklist(l.dnsServerIp...)
+	if l.autoRedirectOutputMark != 0 {
+		dialer.DefaultRoutingMark.CompareAndSwap(l.autoRedirectOutputMark, 0)
+	}
 	return common.Close(
+		l.ruleUpdateCallbackCloser,
 		l.tunStack,
 		l.tunIf,
+		l.autoRedirect,
 		l.defaultInterfaceMonitor,
 		l.networkUpdateMonitor,
 		l.packageManager,

listener/sing_tun/server_windows.go

@@ -3,6 +3,7 @@ package sing_tun
 import (
 	"time"
 
+	"github.com/metacubex/mihomo/constant/features"
 	"github.com/metacubex/mihomo/log"
 
 	tun "github.com/metacubex/sing-tun"
@@ -27,4 +28,9 @@ func tunNew(options tun.Options) (tunIf tun.Tun, err error) {
 
 func init() {
 	tun.TunnelType = InterfaceName
+
+	if features.WindowsMajorVersion < 10 {
+		// to resolve "bind: The requested address is not valid in its context"
+		EnforceBindInterface = true
+	}
 }

listener/tproxy/packet.go

@@ -105,9 +105,9 @@ func listenLocalConn(rAddr, lAddr net.Addr, tunnel C.Tunnel) (*net.UDPConn, erro
 			buf := pool.Get(pool.UDPBufferSize)
 			br, err := lc.Read(buf)
 			if err != nil {
-				pool.Put(buf)
 				if errors.Is(err, net.ErrClosed) {
 					log.Debugln("TProxy local conn listener exit.. rAddr=%s lAddr=%s", rAddr.String(), lAddr.String())
+					pool.Put(buf)
 					return
 				}
 			}

listener/tproxy/tproxy_iptables.go

@@ -119,9 +119,7 @@ func CleanupTProxyIPTables() {
 
 	log.Warnln("Cleanup tproxy linux iptables")
 
-	if int(dialer.DefaultRoutingMark.Load()) == 2158 {
-		dialer.DefaultRoutingMark.Store(0)
-	}
+	dialer.DefaultRoutingMark.CompareAndSwap(2158, 0)
 
 	if _, err := cmd.ExecCmd("iptables -t mangle -L mihomo_divert"); err != nil {
 		return

main.go

@@ -8,10 +8,9 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
-	"sync"
 	"syscall"
-	"time"
 
+	"github.com/metacubex/mihomo/component/updater"
 	"github.com/metacubex/mihomo/config"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/features"
@@ -32,8 +31,6 @@ var (
 	externalController     string
 	externalControllerUnix string
 	secret                 string
-	updateGeoMux           sync.Mutex
-	updatingGeo            = false
 )
 
 func init() {
@@ -116,14 +113,17 @@ func main() {
 	}
 
 	if C.GeoAutoUpdate {
-		ticker := time.NewTicker(time.Duration(C.GeoUpdateInterval) * time.Hour)
-
-		log.Infoln("[GEO] Start update GEO database every %d hours", C.GeoUpdateInterval)
-		go func() {
-			for range ticker.C {
-				updateGeoDatabases()
+		updater.RegisterGeoUpdater(func() {
+			cfg, err := executor.ParseWithPath(C.Path.Config())
+			if err != nil {
+				log.Errorln("[GEO] update GEO databases failed: %v", err)
+				return
 			}
-		}()
+
+			log.Warnln("[GEO] update GEO databases success, applying config")
+
+			executor.ApplyConfig(cfg, false)
+		})
 	}
 
 	defer executor.Shutdown()
@@ -145,39 +145,3 @@ func main() {
 		}
 	}
 }
-
-func updateGeoDatabases() {
-	log.Infoln("[GEO] Start updating GEO database")
-	updateGeoMux.Lock()
-
-	if updatingGeo {
-		updateGeoMux.Unlock()
-		log.Infoln("[GEO] GEO database is updating, skip")
-		return
-	}
-
-	updatingGeo = true
-	updateGeoMux.Unlock()
-
-	go func() {
-		defer func() {
-			updatingGeo = false
-		}()
-
-		log.Infoln("[GEO] Updating GEO database")
-
-		if err := config.UpdateGeoDatabases(); err != nil {
-			log.Errorln("[GEO] update GEO database error: %s", err.Error())
-			return
-		}
-
-		cfg, err := executor.ParseWithPath(C.Path.Config())
-		if err != nil {
-			log.Errorln("[GEO] update GEO database failed: %s", err.Error())
-			return
-		}
-
-		log.Infoln("[GEO] Update GEO database success, apply new config")
-		executor.ApplyConfig(cfg, false)
-	}()
-}

rules/common/base.go

@@ -20,6 +20,8 @@ func (b *Base) ShouldResolveIP() bool {
 	return false
 }
 
+func (b *Base) ProviderNames() []string { return nil }
+
 func HasNoResolve(params []string) bool {
 	for _, p := range params {
 		if p == noResolve {

rules/common/domain_regex.go

@@ -1,14 +1,14 @@
 package common
 
 import (
-	"regexp"
-
 	C "github.com/metacubex/mihomo/constant"
+
+	"github.com/dlclark/regexp2"
 )
 
 type DomainRegex struct {
 	*Base
-	regex   *regexp.Regexp
+	regex   *regexp2.Regexp
 	adapter string
 }
 
@@ -18,7 +18,8 @@ func (dr *DomainRegex) RuleType() C.RuleType {
 
 func (dr *DomainRegex) Match(metadata *C.Metadata) (bool, string) {
 	domain := metadata.RuleHost()
-	return dr.regex.MatchString(domain), dr.adapter
+	match, _ := dr.regex.MatchString(domain)
+	return match, dr.adapter
 }
 
 func (dr *DomainRegex) Adapter() string {
@@ -30,7 +31,7 @@ func (dr *DomainRegex) Payload() string {
 }
 
 func NewDomainRegex(regex string, adapter string) (*DomainRegex, error) {
-	r, err := regexp.Compile(regex)
+	r, err := regexp2.Compile(regex, regexp2.IgnoreCase)
 	if err != nil {
 		return nil, err
 	}

rules/common/process.go

@@ -4,6 +4,8 @@ import (
 	"strings"
 
 	C "github.com/metacubex/mihomo/constant"
+
+	"github.com/dlclark/regexp2"
 )
 
 type Process struct {
@@ -11,21 +13,36 @@ type Process struct {
 	adapter  string
 	process  string
 	nameOnly bool
+	regexp   *regexp2.Regexp
 }
 
 func (ps *Process) RuleType() C.RuleType {
 	if ps.nameOnly {
-		return C.Process
+		if ps.regexp != nil {
+			return C.ProcessNameRegex
+		}
+		return C.ProcessName
 	}
 
+	if ps.regexp != nil {
+		return C.ProcessPathRegex
+	}
 	return C.ProcessPath
 }
 
 func (ps *Process) Match(metadata *C.Metadata) (bool, string) {
 	if ps.nameOnly {
+		if ps.regexp != nil {
+			match, _ := ps.regexp.MatchString(metadata.Process)
+			return match, ps.adapter
+		}
 		return strings.EqualFold(metadata.Process, ps.process), ps.adapter
 	}
 
+	if ps.regexp != nil {
+		match, _ := ps.regexp.MatchString(metadata.ProcessPath)
+		return match, ps.adapter
+	}
 	return strings.EqualFold(metadata.ProcessPath, ps.process), ps.adapter
 }
 
@@ -41,11 +58,20 @@ func (ps *Process) ShouldFindProcess() bool {
 	return true
 }
 
-func NewProcess(process string, adapter string, nameOnly bool) (*Process, error) {
+func NewProcess(process string, adapter string, nameOnly bool, regex bool) (*Process, error) {
+	var r *regexp2.Regexp
+	var err error
+	if regex {
+		r, err = regexp2.Compile(process, regexp2.IgnoreCase)
+		if err != nil {
+			return nil, err
+		}
+	}
 	return &Process{
 		Base:     &Base{},
 		adapter:  adapter,
 		process:  process,
 		nameOnly: nameOnly,
+		regexp:   r,
 	}, nil
 }

rules/logic/logic.go

@@ -2,12 +2,13 @@ package logic
 
 import (
 	"fmt"
-	list "github.com/bahlo/generic-list-go"
 	"regexp"
 	"strings"
 
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/rules/common"
+
+	list "github.com/bahlo/generic-list-go"
 )
 
 type Logic struct {
@@ -243,7 +244,7 @@ func matchSubRules(metadata *C.Metadata, name string, subRules map[string][]C.Ru
 	for _, rule := range subRules[name] {
 		if m, a := rule.Match(metadata); m {
 			if rule.RuleType() == C.SubRules {
-				matchSubRules(metadata, rule.Adapter(), subRules)
+				return matchSubRules(metadata, rule.Adapter(), subRules)
 			} else {
 				return m, a
 			}
@@ -298,3 +299,10 @@ func (logic *Logic) ShouldResolveIP() bool {
 func (logic *Logic) ShouldFindProcess() bool {
 	return logic.needProcess
 }
+
+func (logic *Logic) ProviderNames() (names []string) {
+	for _, rule := range logic.rules {
+		names = append(names, rule.ProviderNames()...)
+	}
+	return
+}

rules/parser.go

@@ -50,9 +50,13 @@ func ParseRule(tp, payload, target string, params []string, subRules map[string]
 	case "DSCP":
 		parsed, parseErr = RC.NewDSCP(payload, target)
 	case "PROCESS-NAME":
-		parsed, parseErr = RC.NewProcess(payload, target, true)
+		parsed, parseErr = RC.NewProcess(payload, target, true, false)
 	case "PROCESS-PATH":
-		parsed, parseErr = RC.NewProcess(payload, target, false)
+		parsed, parseErr = RC.NewProcess(payload, target, false, false)
+	case "PROCESS-NAME-REGEX":
+		parsed, parseErr = RC.NewProcess(payload, target, true, true)
+	case "PROCESS-PATH-REGEX":
+		parsed, parseErr = RC.NewProcess(payload, target, false, true)
 	case "NETWORK":
 		parsed, parseErr = RC.NewNetworkType(payload, target)
 	case "UID":

rules/provider/classical_strategy.go

@@ -77,7 +77,7 @@ func ruleParse(ruleRaw string) (string, string, []string) {
 	} else if len(item) == 2 {
 		return item[0], item[1], nil
 	} else if len(item) > 2 {
-		if item[0] == "NOT" || item[0] == "OR" || item[0] == "AND" || item[0] == "SUB-RULE" || item[0] == "DOMAIN-REGEX" {
+		if item[0] == "NOT" || item[0] == "OR" || item[0] == "AND" || item[0] == "SUB-RULE" || item[0] == "DOMAIN-REGEX" || item[0] == "PROCESS-NAME-REGEX" || item[0] == "PROCESS-PATH-REGEX" {
 			return item[0], strings.Join(item[1:len(item)], ","), nil
 		} else {
 			return item[0], item[1], item[2:]

rules/provider/ipcidr_strategy.go

@@ -4,6 +4,8 @@ import (
 	"github.com/metacubex/mihomo/component/cidr"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
+
+	"go4.org/netipx"
 )
 
 type ipcidrStrategy struct {
@@ -52,6 +54,10 @@ func (i *ipcidrStrategy) FinishInsert() {
 	i.cidrSet.Merge()
 }
 
+func (i *ipcidrStrategy) ToIpCidr() *netipx.IPSet {
+	return i.cidrSet.ToIPSet()
+}
+
 func NewIPCidrStrategy() *ipcidrStrategy {
 	return &ipcidrStrategy{}
 }

rules/provider/patch_android.go

@@ -12,8 +12,8 @@ type UpdatableProvider interface {
 	UpdatedAt() time.Time
 }
 
-func (f *ruleSetProvider) UpdatedAt() time.Time {
-	return f.Fetcher.UpdatedAt
+func (rp *ruleSetProvider) UpdatedAt() time.Time {
+	return rp.Fetcher.UpdatedAt
 }
 
 func (rp *ruleSetProvider) Close() error {

rules/provider/provider.go

@@ -4,23 +4,26 @@ import (
 	"bytes"
 	"encoding/json"
 	"errors"
-	"gopkg.in/yaml.v3"
 	"runtime"
 	"strings"
 	"time"
 
+	"gopkg.in/yaml.v3"
+
 	"github.com/metacubex/mihomo/common/pool"
 	"github.com/metacubex/mihomo/component/resource"
 	C "github.com/metacubex/mihomo/constant"
 	P "github.com/metacubex/mihomo/constant/provider"
 )
 
-var (
-	ruleProviders = map[string]P.RuleProvider{}
-)
+var tunnel P.Tunnel
+
+func SetTunnel(t P.Tunnel) {
+	tunnel = t
+}
 
 type ruleSetProvider struct {
-	*resource.Fetcher[any]
+	*resource.Fetcher[ruleStrategy]
 	behavior P.RuleBehavior
 	format   P.RuleFormat
 	strategy ruleStrategy
@@ -49,16 +52,6 @@ type ruleStrategy interface {
 	FinishInsert()
 }
 
-func RuleProviders() map[string]P.RuleProvider {
-	return ruleProviders
-}
-
-func SetRuleProvider(ruleProvider P.RuleProvider) {
-	if ruleProvider != nil {
-		ruleProviders[(ruleProvider).Name()] = ruleProvider
-	}
-}
-
 func (rp *ruleSetProvider) Type() P.ProviderType {
 	return P.Rule
 }
@@ -99,8 +92,8 @@ func (rp *ruleSetProvider) ShouldFindProcess() bool {
 	return rp.strategy.ShouldFindProcess()
 }
 
-func (rp *ruleSetProvider) AsRule(adaptor string) C.Rule {
-	panic("implement me")
+func (rp *ruleSetProvider) Strategy() any {
+	return rp.strategy
 }
 
 func (rp *ruleSetProvider) MarshalJSON() ([]byte, error) {
@@ -123,13 +116,15 @@ func NewRuleSetProvider(name string, behavior P.RuleBehavior, format P.RuleForma
 		format:   format,
 	}
 
-	onUpdate := func(elm interface{}) {
-		strategy := elm.(ruleStrategy)
+	onUpdate := func(strategy ruleStrategy) {
 		rp.strategy = strategy
+		tunnel.RuleUpdateCallback().Emit(rp)
 	}
 
 	rp.strategy = newStrategy(behavior, parse)
-	rp.Fetcher = resource.NewFetcher(name, interval, vehicle, func(bytes []byte) (any, error) { return rulesParse(bytes, newStrategy(behavior, parse), format) }, onUpdate)
+	rp.Fetcher = resource.NewFetcher(name, interval, vehicle, func(bytes []byte) (ruleStrategy, error) {
+		return rulesParse(bytes, newStrategy(behavior, parse), format)
+	}, onUpdate)
 
 	wrapper := &RuleSetProvider{
 		rp,
@@ -158,7 +153,7 @@ func newStrategy(behavior P.RuleBehavior, parse func(tp, payload, target string,
 
 var ErrNoPayload = errors.New("file must have a `payload` field")
 
-func rulesParse(buf []byte, strategy ruleStrategy, format P.RuleFormat) (any, error) {
+func rulesParse(buf []byte, strategy ruleStrategy, format P.RuleFormat) (ruleStrategy, error) {
 	strategy.Reset()
 
 	schema := &RulePayload{}
@@ -176,15 +171,14 @@ func rulesParse(buf []byte, strategy ruleStrategy, format P.RuleFormat) (any, er
 			line = buf[s : i+1]
 			s = i + 1
 		} else {
-			s = len(buf)              // stop loop in next step
-			if firstLineLength == 0 { // no head or only one line body
+			s = len(buf)                                      // stop loop in next step
+			if firstLineLength == 0 && format == P.YamlRule { // no head or only one line body
 				return nil, ErrNoPayload
 			}
 		}
 		var str string
 		switch format {
 		case P.TextRule:
-			firstLineLength = -1 // don't return ErrNoPayload when read last line
 			str = string(line)
 			str = strings.TrimSpace(str)
 			if len(str) == 0 {

rules/provider/rule_set.go

@@ -1,7 +1,6 @@
 package provider
 
 import (
-	"fmt"
 	C "github.com/metacubex/mihomo/constant"
 	P "github.com/metacubex/mihomo/constant/provider"
 	"github.com/metacubex/mihomo/rules/common"
@@ -11,13 +10,18 @@ type RuleSet struct {
 	*common.Base
 	ruleProviderName  string
 	adapter           string
-	ruleProvider      P.RuleProvider
 	noResolveIP       bool
 	shouldFindProcess bool
 }
 
 func (rs *RuleSet) ShouldFindProcess() bool {
-	return rs.shouldFindProcess || rs.getProviders().ShouldFindProcess()
+	if rs.shouldFindProcess {
+		return true
+	}
+	if provider, ok := rs.getProvider(); ok {
+		return provider.ShouldFindProcess()
+	}
+	return false
 }
 
 func (rs *RuleSet) RuleType() C.RuleType {
@@ -25,7 +29,10 @@ func (rs *RuleSet) RuleType() C.RuleType {
 }
 
 func (rs *RuleSet) Match(metadata *C.Metadata) (bool, string) {
-	return rs.getProviders().Match(metadata), rs.adapter
+	if provider, ok := rs.getProvider(); ok {
+		return provider.Match(metadata), rs.adapter
+	}
+	return false, ""
 }
 
 func (rs *RuleSet) Adapter() string {
@@ -33,31 +40,37 @@ func (rs *RuleSet) Adapter() string {
 }
 
 func (rs *RuleSet) Payload() string {
-	return rs.getProviders().Name()
+	if provider, ok := rs.getProvider(); ok {
+		return provider.Name()
+	}
+	return ""
 }
 
 func (rs *RuleSet) ShouldResolveIP() bool {
-	return !rs.noResolveIP && rs.getProviders().ShouldResolveIP()
-}
-func (rs *RuleSet) getProviders() P.RuleProvider {
-	if rs.ruleProvider == nil {
-		rp := RuleProviders()[rs.ruleProviderName]
-		rs.ruleProvider = rp
+	if rs.noResolveIP {
+		return false
 	}
+	if provider, ok := rs.getProvider(); ok {
+		return provider.ShouldResolveIP()
+	}
+	return false
+}
 
-	return rs.ruleProvider
+func (rs *RuleSet) ProviderNames() []string {
+	return []string{rs.ruleProviderName}
+}
+
+func (rs *RuleSet) getProvider() (P.RuleProvider, bool) {
+	pp, ok := tunnel.RuleProviders()[rs.ruleProviderName]
+	return pp, ok
 }
 
 func NewRuleSet(ruleProviderName string, adapter string, noResolveIP bool) (*RuleSet, error) {
-	rp, ok := RuleProviders()[ruleProviderName]
-	if !ok {
-		return nil, fmt.Errorf("rule set %s not found", ruleProviderName)
-	}
-	return &RuleSet{
+	rs := &RuleSet{
 		Base:             &common.Base{},
 		ruleProviderName: ruleProviderName,
 		adapter:          adapter,
-		ruleProvider:     rp,
 		noResolveIP:      noResolveIP,
-	}, nil
+	}
+	return rs, nil
 }

transport/hysteria/conns/udp/hop.go

@@ -12,7 +12,7 @@ import (
 	"github.com/metacubex/mihomo/transport/hysteria/obfs"
 	"github.com/metacubex/mihomo/transport/hysteria/utils"
 
-	"github.com/zhangyunhao116/fastrand"
+	"github.com/metacubex/randv2"
 )
 
 const (
@@ -86,7 +86,7 @@ func NewObfsUDPHopClientPacketConn(server string, serverPorts string, hopInterva
 		serverAddrs: serverAddrs,
 		hopInterval: hopInterval,
 		obfs:        obfs,
-		addrIndex:   fastrand.Intn(len(serverAddrs)),
+		addrIndex:   randv2.IntN(len(serverAddrs)),
 		recvQueue:   make(chan *udpPacket, packetQueueSize),
 		closeChan:   make(chan struct{}),
 		bufPool: sync.Pool{
@@ -177,7 +177,7 @@ func (c *ObfsUDPHopClientPacketConn) hop(dialer utils.PacketDialer, rAddr net.Ad
 		_ = trySetPacketConnWriteBuffer(c.currentConn, c.writeBufferSize)
 	}
 	go c.recvRoutine(c.currentConn)
-	c.addrIndex = fastrand.Intn(len(c.serverAddrs))
+	c.addrIndex = randv2.IntN(len(c.serverAddrs))
 }
 
 func (c *ObfsUDPHopClientPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {

transport/hysteria/conns/wechat/obfs.go

@@ -9,7 +9,7 @@ import (
 	"github.com/metacubex/mihomo/log"
 	"github.com/metacubex/mihomo/transport/hysteria/obfs"
 
-	"github.com/zhangyunhao116/fastrand"
+	"github.com/metacubex/randv2"
 )
 
 const udpBufferSize = 65535
@@ -31,7 +31,7 @@ func NewObfsWeChatUDPConn(orig net.PacketConn, obfs obfs.Obfuscator) *ObfsWeChat
 		obfs:     obfs,
 		readBuf:  make([]byte, udpBufferSize),
 		writeBuf: make([]byte, udpBufferSize),
-		sn:       fastrand.Uint32() & 0xFFFF,
+		sn:       randv2.Uint32() & 0xFFFF,
 	}
 }
 

transport/hysteria/core/client.go

@@ -19,7 +19,7 @@ import (
 	"github.com/lunixbochs/struc"
 	"github.com/metacubex/quic-go"
 	"github.com/metacubex/quic-go/congestion"
-	"github.com/zhangyunhao116/fastrand"
+	"github.com/metacubex/randv2"
 )
 
 var (
@@ -405,8 +405,8 @@ func (c *quicPktConn) WriteTo(p []byte, addr string) error {
 		var errSize *quic.DatagramTooLargeError
 		if errors.As(err, &errSize) {
 			// need to frag
-			msg.MsgID = uint16(fastrand.Intn(0xFFFF)) + 1 // msgID must be > 0 when fragCount > 1
-			fragMsgs := fragUDPMessage(msg, int(errSize.PeerMaxDatagramFrameSize))
+			msg.MsgID = uint16(randv2.IntN(0xFFFF)) + 1 // msgID must be > 0 when fragCount > 1
+			fragMsgs := fragUDPMessage(msg, int(errSize.MaxDatagramPayloadSize))
 			for _, fragMsg := range fragMsgs {
 				msgBuf.Reset()
 				_ = struc.Pack(&msgBuf, &fragMsg)

transport/hysteria/obfs/xplus.go

@@ -1,9 +1,8 @@
 package obfs
 
 import (
+	"crypto/rand"
 	"crypto/sha256"
-
-	"github.com/zhangyunhao116/fastrand"
 )
 
 // [salt][obfuscated payload]
@@ -35,7 +34,7 @@ func (x *XPlusObfuscator) Deobfuscate(in []byte, out []byte) int {
 }
 
 func (x *XPlusObfuscator) Obfuscate(in []byte, out []byte) int {
-	_, _ = fastrand.Read(out[:saltLen]) // salt
+	_, _ = rand.Read(out[:saltLen]) // salt
 	// Obfuscate the payload
 	key := sha256.Sum256(append(x.Key, out[:saltLen]...))
 	for i, c := range in {

transport/simple-obfs/http.go

@@ -2,6 +2,7 @@ package obfs
 
 import (
 	"bytes"
+	"crypto/rand"
 	"encoding/base64"
 	"fmt"
 	"io"
@@ -10,7 +11,7 @@ import (
 
 	"github.com/metacubex/mihomo/common/pool"
 
-	"github.com/zhangyunhao116/fastrand"
+	"github.com/metacubex/randv2"
 )
 
 // HTTPObfs is shadowsocks http simple-obfs implementation
@@ -64,9 +65,12 @@ func (ho *HTTPObfs) Read(b []byte) (int, error) {
 func (ho *HTTPObfs) Write(b []byte) (int, error) {
 	if ho.firstRequest {
 		randBytes := make([]byte, 16)
-		fastrand.Read(randBytes)
-		req, _ := http.NewRequest("GET", fmt.Sprintf("http://%s/", ho.host), bytes.NewBuffer(b[:]))
-		req.Header.Set("User-Agent", fmt.Sprintf("curl/7.%d.%d", fastrand.Int()%54, fastrand.Int()%2))
+		rand.Read(randBytes)
+		req, err := http.NewRequest("GET", fmt.Sprintf("http://%s/", ho.host), bytes.NewBuffer(b[:]))
+		if err != nil {
+			return 0, err
+		}
+		req.Header.Set("User-Agent", fmt.Sprintf("curl/7.%d.%d", randv2.Int()%54, randv2.Int()%2))
 		req.Header.Set("Upgrade", "websocket")
 		req.Header.Set("Connection", "Upgrade")
 		req.Host = ho.host
@@ -75,7 +79,7 @@ func (ho *HTTPObfs) Write(b []byte) (int, error) {
 		}
 		req.Header.Set("Sec-WebSocket-Key", base64.URLEncoding.EncodeToString(randBytes))
 		req.ContentLength = int64(len(b))
-		err := req.Write(ho.Conn)
+		err = req.Write(ho.Conn)
 		ho.firstRequest = false
 		return len(b), err
 	}

transport/simple-obfs/tls.go

@@ -2,14 +2,13 @@ package obfs
 
 import (
 	"bytes"
+	"crypto/rand"
 	"encoding/binary"
 	"io"
 	"net"
 	"time"
 
 	"github.com/metacubex/mihomo/common/pool"
-
-	"github.com/zhangyunhao116/fastrand"
 )
 
 const (
@@ -127,8 +126,8 @@ func NewTLSObfs(conn net.Conn, server string) net.Conn {
 func makeClientHelloMsg(data []byte, server string) []byte {
 	random := make([]byte, 28)
 	sessionID := make([]byte, 32)
-	fastrand.Read(random)
-	fastrand.Read(sessionID)
+	rand.Read(random)
+	rand.Read(sessionID)
 
 	buf := &bytes.Buffer{}
 

transport/sing-shadowtls/shadowtls.go

@@ -9,9 +9,9 @@ import (
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	"github.com/metacubex/mihomo/log"
 
+	utls "github.com/metacubex/utls"
 	"github.com/sagernet/sing-shadowtls"
 	sing_common "github.com/sagernet/sing/common"
-	utls "github.com/sagernet/utls"
 )
 
 const (

transport/ssr/obfs/http_simple.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/metacubex/mihomo/common/pool"
 
-	"github.com/zhangyunhao116/fastrand"
+	"github.com/metacubex/randv2"
 )
 
 func init() {
@@ -82,7 +82,7 @@ func (c *httpConn) Write(b []byte) (int, error) {
 	bLength := len(b)
 	headDataLength := bLength
 	if bLength-headLength > 64 {
-		headDataLength = headLength + fastrand.Intn(65)
+		headDataLength = headLength + randv2.IntN(65)
 	}
 	headData := b[:headDataLength]
 	b = b[headDataLength:]
@@ -100,7 +100,7 @@ func (c *httpConn) Write(b []byte) (int, error) {
 		}
 	}
 	hosts := strings.Split(host, ",")
-	host = hosts[fastrand.Intn(len(hosts))]
+	host = hosts[randv2.IntN(len(hosts))]
 
 	buf := pool.GetBuffer()
 	defer pool.PutBuffer(buf)
@@ -119,7 +119,7 @@ func (c *httpConn) Write(b []byte) (int, error) {
 		buf.WriteString(body + "\r\n\r\n")
 	} else {
 		buf.WriteString("User-Agent: ")
-		buf.WriteString(userAgent[fastrand.Intn(len(userAgent))])
+		buf.WriteString(userAgent[randv2.IntN(len(userAgent))])
 		buf.WriteString("\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.8\r\nAccept-Encoding: gzip, deflate\r\n")
 		if c.post {
 			packBoundary(buf)
@@ -147,7 +147,7 @@ func packBoundary(buf *bytes.Buffer) {
 	buf.WriteString("Content-Type: multipart/form-data; boundary=")
 	set := "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
 	for i := 0; i < 32; i++ {
-		buf.WriteByte(set[fastrand.Intn(62)])
+		buf.WriteByte(set[randv2.IntN(62)])
 	}
 	buf.WriteString("\r\n")
 }

transport/ssr/obfs/random_head.go

@@ -1,13 +1,14 @@
 package obfs
 
 import (
+	"crypto/rand"
 	"encoding/binary"
 	"hash/crc32"
 	"net"
 
 	"github.com/metacubex/mihomo/common/pool"
 
-	"github.com/zhangyunhao116/fastrand"
+	"github.com/metacubex/randv2"
 )
 
 func init() {
@@ -54,10 +55,10 @@ func (c *randomHeadConn) Write(b []byte) (int, error) {
 	c.buf = append(c.buf, b...)
 	if !c.hasSentHeader {
 		c.hasSentHeader = true
-		dataLength := fastrand.Intn(96) + 4
+		dataLength := randv2.IntN(96) + 4
 		buf := pool.Get(dataLength + 4)
 		defer pool.Put(buf)
-		fastrand.Read(buf[:dataLength])
+		rand.Read(buf[:dataLength])
 		binary.LittleEndian.PutUint32(buf[dataLength:], 0xffffffff-crc32.ChecksumIEEE(buf[:dataLength]))
 		_, err := c.Conn.Write(buf)
 		return len(b), err

transport/ssr/obfs/tls1.2_ticket_auth.go

@@ -3,6 +3,7 @@ package obfs
 import (
 	"bytes"
 	"crypto/hmac"
+	"crypto/rand"
 	"encoding/binary"
 	"net"
 	"strings"
@@ -11,7 +12,7 @@ import (
 	"github.com/metacubex/mihomo/common/pool"
 	"github.com/metacubex/mihomo/transport/ssr/tools"
 
-	"github.com/zhangyunhao116/fastrand"
+	"github.com/metacubex/randv2"
 )
 
 func init() {
@@ -26,7 +27,7 @@ type tls12Ticket struct {
 
 func newTLS12Ticket(b *Base) Obfs {
 	r := &tls12Ticket{Base: b, authData: &authData{}}
-	fastrand.Read(r.clientID[:])
+	rand.Read(r.clientID[:])
 	return r
 }
 
@@ -91,7 +92,7 @@ func (c *tls12TicketConn) Write(b []byte) (int, error) {
 		buf := pool.GetBuffer()
 		defer pool.PutBuffer(buf)
 		for len(b) > 2048 {
-			size := fastrand.Intn(4096) + 100
+			size := randv2.IntN(4096) + 100
 			if len(b) < size {
 				size = len(b)
 			}
@@ -197,7 +198,7 @@ func packSNIData(buf *bytes.Buffer, u string) {
 }
 
 func (c *tls12TicketConn) packTicketBuf(buf *bytes.Buffer, u string) {
-	length := 16 * (fastrand.Intn(17) + 8)
+	length := 16 * (randv2.IntN(17) + 8)
 	buf.Write([]byte{0, 0x23})
 	binary.Write(buf, binary.BigEndian, uint16(length))
 	tools.AppendRandBytes(buf, length)
@@ -222,6 +223,6 @@ func (t *tls12Ticket) getHost() string {
 		host = ""
 	}
 	hosts := strings.Split(host, ",")
-	host = hosts[fastrand.Intn(len(hosts))]
+	host = hosts[randv2.IntN(len(hosts))]
 	return host
 }