feat: support mieru protocol (#1702 )

chore: allow upgrade ui in embed mode (#1692 )
fix: DisableKeepAlive default value of android (#1690 )
2026-02-28 17:49:55 +00:00 · 2024-12-09 12:05:11 +08:00 · 2024-12-04 08:54:01 +08:00 · 2024-12-02 22:49:16 +08:00 · 2024-11-27 11:03:38 +08:00 · 2024-11-27 09:28:38 +08:00
70 changed files with 1170 additions and 581 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -104,29 +104,22 @@ jobs:
    - uses: actions/checkout@v4

    - name: Set up Go
-      if: ${{ matrix.jobs.goversion == '' && matrix.jobs.goarch != 'loong64' }}
+      if: ${{ matrix.jobs.goversion == '' && matrix.jobs.abi != '1' }}
      uses: actions/setup-go@v5
      with:
        go-version: '1.23'

    - name: Set up Go
-      if: ${{ matrix.jobs.goversion != '' && matrix.jobs.goarch != 'loong64' }}
+      if: ${{ matrix.jobs.goversion != '' && matrix.jobs.abi != '1' }}
      uses: actions/setup-go@v5
      with:
        go-version: ${{ matrix.jobs.goversion }}

-    - name: Set up Go1.22 loongarch abi1
+    - name: Set up Go1.23 loongarch abi1
      if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '1' }}
      run: |
-        wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.22.4/go1.22.4.linux-amd64-abi1.tar.gz
-        sudo tar zxf go1.22.4.linux-amd64-abi1.tar.gz -C /usr/local
-        echo "/usr/local/go/bin" >> $GITHUB_PATH
-
-    - name: Set up Go1.22 loongarch abi2
-      if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '2' }}
-      run: |
-        wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.22.4/go1.22.4.linux-amd64-abi2.tar.gz
-        sudo tar zxf go1.22.4.linux-amd64-abi2.tar.gz -C /usr/local
+        wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.23.0/go1.23.0.linux-amd64-abi1.tar.gz
+        sudo tar zxf go1.23.0.linux-amd64-abi1.tar.gz -C /usr/local
        echo "/usr/local/go/bin" >> $GITHUB_PATH

      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
@@ -194,7 +187,7 @@ jobs:
      uses: nttld/setup-ndk@v1
      id: setup-ndk
      with:
-        ndk-version: r27
+        ndk-version: r28-beta1

    - name: Set NDK path
      if: ${{ matrix.jobs.goos == 'android' }}
--- a/adapter/adapter.go
+++ b/adapter/adapter.go
@@ -10,6 +10,7 @@ import (
 	"net/netip"
 	"net/url"
 	"strconv"
+	"strings"
 	"time"

 	"github.com/metacubex/mihomo/common/atomic"
@@ -18,6 +19,7 @@ import (
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
+	"github.com/metacubex/mihomo/log"
 	"github.com/puzpuzpuz/xsync/v3"
 )

@@ -161,8 +163,17 @@ func (p *Proxy) MarshalJSON() ([]byte, error) {
 	mapping["alive"] = p.alive.Load()
 	mapping["name"] = p.Name()
 	mapping["udp"] = p.SupportUDP()
-	mapping["xudp"] = p.SupportXUDP()
-	mapping["tfo"] = p.SupportTFO()
+	mapping["uot"] = p.SupportUOT()
+
+	proxyInfo := p.ProxyInfo()
+	mapping["xudp"] = proxyInfo.XUDP
+	mapping["tfo"] = proxyInfo.TFO
+	mapping["mptcp"] = proxyInfo.MPTCP
+	mapping["smux"] = proxyInfo.SMUX
+	mapping["interface"] = proxyInfo.Interface
+	mapping["dialer-proxy"] = proxyInfo.DialerProxy
+	mapping["routing-mark"] = proxyInfo.RoutingMark
+
 	return json.Marshal(mapping)
 }

@@ -260,10 +271,18 @@ func (p *Proxy) URLTest(ctx context.Context, url string, expectedStatus utils.In

 	if unifiedDelay {
 		second := time.Now()
-		resp, err = client.Do(req)
-		if err == nil {
+		var ignoredErr error
+		var secondResp *http.Response
+		secondResp, ignoredErr = client.Do(req)
+		if ignoredErr == nil {
+			resp = secondResp
 			_ = resp.Body.Close()
 			start = second
+		} else {
+			if strings.HasPrefix(url, "http://") {
+				log.Errorln("%s failed to get the second response from %s: %v", p.Name(), url, ignoredErr)
+				log.Warnln("It is recommended to use HTTPS for provider.health-check.url and group.url to ensure better reliability. Due to some proxy providers hijacking test addresses and not being compatible with repeated HEAD requests, using HTTP may result in failed tests.")
+			}
 		}
 	}

--- a/adapter/inbound/auth.go
+++ b/adapter/inbound/auth.go
@@ -34,12 +34,5 @@ func SkipAuthRemoteAddress(addr string) bool {
 }

 func skipAuth(addr netip.Addr) bool {
-	if addr.IsValid() {
-		for _, prefix := range skipAuthPrefixes {
-			if prefix.Contains(addr.Unmap()) {
-				return true
-			}
-		}
-	}
-	return false
+	return prefixesContains(skipAuthPrefixes, addr)
 }
--- a/adapter/inbound/ipfilter.go
+++ b/adapter/inbound/ipfilter.go
@@ -31,27 +31,17 @@ func IsRemoteAddrDisAllowed(addr net.Addr) bool {
 	if err := m.SetRemoteAddr(addr); err != nil {
 		return false
 	}
-	return isAllowed(m.AddrPort().Addr().Unmap()) && !isDisAllowed(m.AddrPort().Addr().Unmap())
+	ipAddr := m.AddrPort().Addr()
+	if ipAddr.IsValid() {
+		return isAllowed(ipAddr) && !isDisAllowed(ipAddr)
+	}
+	return false
 }

 func isAllowed(addr netip.Addr) bool {
-	if addr.IsValid() {
-		for _, prefix := range lanAllowedIPs {
-			if prefix.Contains(addr) {
-				return true
-			}
-		}
-	}
-	return false
+	return prefixesContains(lanAllowedIPs, addr)
 }

 func isDisAllowed(addr netip.Addr) bool {
-	if addr.IsValid() {
-		for _, prefix := range lanDisAllowedIPs {
-			if prefix.Contains(addr) {
-				return true
-			}
-		}
-	}
-	return false
+	return prefixesContains(lanDisAllowedIPs, addr)
 }
--- a/adapter/inbound/listen.go
+++ b/adapter/inbound/listen.go
@@ -2,7 +2,9 @@ package inbound

 import (
 	"context"
+	"fmt"
 	"net"
+	"net/netip"
 	"sync"

 	"github.com/metacubex/mihomo/component/keepalive"
@@ -42,6 +44,27 @@ func MPTCP() bool {
 }

 func ListenContext(ctx context.Context, network, address string) (net.Listener, error) {
+	switch network { // like net.Resolver.internetAddrList but filter domain to avoid call net.Resolver.lookupIPAddr
+	case "tcp", "tcp4", "tcp6", "udp", "udp4", "udp6", "ip", "ip4", "ip6":
+		if host, port, err := net.SplitHostPort(address); err == nil {
+			switch host {
+			case "localhost":
+				switch network {
+				case "tcp6", "udp6", "ip6":
+					address = net.JoinHostPort("::1", port)
+				default:
+					address = net.JoinHostPort("127.0.0.1", port)
+				}
+			case "": // internetAddrList can handle this special case
+				break
+			default:
+				if _, err := netip.ParseAddr(host); err != nil { // not ip
+					return nil, fmt.Errorf("invalid network address: %s", address)
+				}
+			}
+		}
+	}
+
 	mutex.RLock()
 	defer mutex.RUnlock()
 	return lc.Listen(ctx, network, address)
--- a/adapter/inbound/util.go
+++ b/adapter/inbound/util.go
@@ -61,3 +61,19 @@ func parseHTTPAddr(request *http.Request) *C.Metadata {

 	return metadata
 }
+
+func prefixesContains(prefixes []netip.Prefix, addr netip.Addr) bool {
+	if len(prefixes) == 0 {
+		return false
+	}
+	if !addr.IsValid() {
+		return false
+	}
+	addr = addr.Unmap().WithZone("") // netip.Prefix.Contains returns false if ip has an IPv6 zone
+	for _, prefix := range prefixes {
+		if prefix.Contains(addr) {
+			return true
+		}
+	}
+	return false
+}
--- a/adapter/outbound/base.go
+++ b/adapter/outbound/base.go
@@ -85,14 +85,15 @@ func (b *Base) SupportUDP() bool {
 	return b.udp
 }

-// SupportXUDP implements C.ProxyAdapter
-func (b *Base) SupportXUDP() bool {
-	return b.xudp
-}
-
-// SupportTFO implements C.ProxyAdapter
-func (b *Base) SupportTFO() bool {
-	return b.tfo
+// ProxyInfo implements C.ProxyAdapter
+func (b *Base) ProxyInfo() (info C.ProxyInfo) {
+	info.XUDP = b.xudp
+	info.TFO = b.tfo
+	info.MPTCP = b.mpTcp
+	info.SMUX = false
+	info.Interface = b.iface
+	info.RoutingMark = b.rmark
+	return
 }

 // IsL3Protocol implements C.ProxyAdapter
--- a/adapter/outbound/direct.go
+++ b/adapter/outbound/direct.go
@@ -3,18 +3,12 @@ package outbound
 import (
 	"context"
 	"errors"
-	"os"
-	"strconv"
-
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/loopback"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
-	"github.com/metacubex/mihomo/constant/features"
 )

-var DisableLoopBackDetector, _ = strconv.ParseBool(os.Getenv("DISABLE_LOOPBACK_DETECTOR"))
-
 type Direct struct {
 	*Base
 	loopBack *loopback.Detector
@@ -27,12 +21,10 @@ type DirectOption struct {

 // DialContext implements C.ProxyAdapter
 func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	if !features.CMFA && !DisableLoopBackDetector {
-		if err := d.loopBack.CheckConn(metadata); err != nil {
-			return nil, err
-		}
+	if err := d.loopBack.CheckConn(metadata); err != nil {
+		return nil, err
 	}
-	opts = append(opts, dialer.WithResolver(resolver.DefaultResolver))
+	opts = append(opts, dialer.WithResolver(resolver.DirectHostResolver))
 	c, err := dialer.DialContext(ctx, "tcp", metadata.RemoteAddress(), d.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, err
@@ -42,14 +34,12 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...

 // ListenPacketContext implements C.ProxyAdapter
 func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	if !features.CMFA && !DisableLoopBackDetector {
-		if err := d.loopBack.CheckPacketConn(metadata); err != nil {
-			return nil, err
-		}
+	if err := d.loopBack.CheckPacketConn(metadata); err != nil {
+		return nil, err
 	}
 	// net.UDPConn.WriteTo only working with *net.UDPAddr, so we need a net.UDPAddr
 	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, resolver.DefaultResolver)
+		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, resolver.DirectHostResolver)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
--- a/adapter/outbound/http.go
+++ b/adapter/outbound/http.go
@@ -92,6 +92,13 @@ func (h *Http) SupportWithDialer() C.NetWork {
 	return C.TCP
 }

+// ProxyInfo implements C.ProxyAdapter
+func (h *Http) ProxyInfo() C.ProxyInfo {
+	info := h.Base.ProxyInfo()
+	info.DialerProxy = h.option.DialerProxy
+	return info
+}
+
 func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
 	addr := metadata.RemoteAddress()
 	HeaderString := "CONNECT " + addr + " HTTP/1.1\r\n"
--- a/adapter/outbound/hysteria.go
+++ b/adapter/outbound/hysteria.go
@@ -69,7 +69,7 @@ func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata
 func (h *Hysteria) genHdc(ctx context.Context, opts ...dialer.Option) utils.PacketDialer {
 	return &hyDialerWithContext{
 		ctx: context.Background(),
-		hyDialer: func(network string) (net.PacketConn, error) {
+		hyDialer: func(network string, rAddr net.Addr) (net.PacketConn, error) {
 			var err error
 			var cDialer C.Dialer = dialer.NewDialer(h.Base.DialOptions(opts...)...)
 			if len(h.option.DialerProxy) > 0 {
@@ -78,7 +78,7 @@ func (h *Hysteria) genHdc(ctx context.Context, opts ...dialer.Option) utils.Pack
 					return nil, err
 				}
 			}
-			rAddrPort, _ := netip.ParseAddrPort(h.Addr())
+			rAddrPort, _ := netip.ParseAddrPort(rAddr.String())
 			return cDialer.ListenPacket(ctx, network, "", rAddrPort)
 		},
 		remoteAddr: func(addr string) (net.Addr, error) {
@@ -87,6 +87,13 @@ func (h *Hysteria) genHdc(ctx context.Context, opts ...dialer.Option) utils.Pack
 	}
 }

+// ProxyInfo implements C.ProxyAdapter
+func (h *Hysteria) ProxyInfo() C.ProxyInfo {
+	info := h.Base.ProxyInfo()
+	info.DialerProxy = h.option.DialerProxy
+	return info
+}
+
 type HysteriaOption struct {
 	BasicOption
 	Name                string   `proxy:"name"`
@@ -131,11 +138,7 @@ func (c *HysteriaOption) Speed() (uint64, uint64, error) {
 }

 func NewHysteria(option HysteriaOption) (*Hysteria, error) {
-	clientTransport := &transport.ClientTransport{
-		Dialer: &net.Dialer{
-			Timeout: 8 * time.Second,
-		},
-	}
+	clientTransport := &transport.ClientTransport{}
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	ports := option.Ports

@@ -284,7 +287,7 @@ func (c *hyPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
 }

 type hyDialerWithContext struct {
-	hyDialer   func(network string) (net.PacketConn, error)
+	hyDialer   func(network string, rAddr net.Addr) (net.PacketConn, error)
 	ctx        context.Context
 	remoteAddr func(host string) (net.Addr, error)
 }
@@ -294,7 +297,7 @@ func (h *hyDialerWithContext) ListenPacket(rAddr net.Addr) (net.PacketConn, erro
 	if addrPort, err := netip.ParseAddrPort(rAddr.String()); err == nil {
 		network = dialer.ParseNetwork(network, addrPort.Addr())
 	}
-	return h.hyDialer(network)
+	return h.hyDialer(network, rAddr)
 }

 func (h *hyDialerWithContext) Context() context.Context {
--- a/adapter/outbound/hysteria2.go
+++ b/adapter/outbound/hysteria2.go
@@ -96,6 +96,13 @@ func closeHysteria2(h *Hysteria2) {
 	}
 }

+// ProxyInfo implements C.ProxyAdapter
+func (h *Hysteria2) ProxyInfo() C.ProxyInfo {
+	info := h.Base.ProxyInfo()
+	info.DialerProxy = h.option.DialerProxy
+	return info
+}
+
 func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	var salamanderPassword string
--- a/adapter/outbound/mieru.go
+++ b/adapter/outbound/mieru.go
@@ -0,0 +1,268 @@
+package outbound
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"runtime"
+	"strconv"
+	"sync"
+
+	mieruclient "github.com/enfein/mieru/v3/apis/client"
+	mierumodel "github.com/enfein/mieru/v3/apis/model"
+	mierupb "github.com/enfein/mieru/v3/pkg/appctl/appctlpb"
+	"github.com/metacubex/mihomo/component/dialer"
+	"github.com/metacubex/mihomo/component/proxydialer"
+	C "github.com/metacubex/mihomo/constant"
+	"google.golang.org/protobuf/proto"
+)
+
+type Mieru struct {
+	*Base
+	option *MieruOption
+	client mieruclient.Client
+	mu     sync.Mutex
+}
+
+type MieruOption struct {
+	BasicOption
+	Name      string `proxy:"name"`
+	Server    string `proxy:"server"`
+	Port      int    `proxy:"port,omitempty"`
+	PortRange string `proxy:"port-range,omitempty"`
+	Transport string `proxy:"transport"`
+	UserName  string `proxy:"username"`
+	Password  string `proxy:"password"`
+}
+
+// DialContext implements C.ProxyAdapter
+func (m *Mieru) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+	if err := m.ensureClientIsRunning(opts...); err != nil {
+		return nil, err
+	}
+	addr := metadataToMieruNetAddrSpec(metadata)
+	c, err := m.client.DialContext(ctx, addr)
+	if err != nil {
+		return nil, fmt.Errorf("dial to %s failed: %w", addr, err)
+	}
+	return NewConn(c, m), nil
+}
+
+// ProxyInfo implements C.ProxyAdapter
+func (m *Mieru) ProxyInfo() C.ProxyInfo {
+	info := m.Base.ProxyInfo()
+	info.DialerProxy = m.option.DialerProxy
+	return info
+}
+
+func (m *Mieru) ensureClientIsRunning(opts ...dialer.Option) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if m.client.IsRunning() {
+		return nil
+	}
+
+	// Create a dialer and add it to the client config, before starting the client.
+	var dialer C.Dialer = dialer.NewDialer(m.Base.DialOptions(opts...)...)
+	var err error
+	if len(m.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(m.option.DialerProxy, dialer)
+		if err != nil {
+			return err
+		}
+	}
+	config, err := m.client.Load()
+	if err != nil {
+		return err
+	}
+	config.Dialer = dialer
+	if err := m.client.Store(config); err != nil {
+		return err
+	}
+
+	if err := m.client.Start(); err != nil {
+		return fmt.Errorf("failed to start mieru client: %w", err)
+	}
+	return nil
+}
+
+func NewMieru(option MieruOption) (*Mieru, error) {
+	config, err := buildMieruClientConfig(option)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build mieru client config: %w", err)
+	}
+	c := mieruclient.NewClient()
+	if err := c.Store(config); err != nil {
+		return nil, fmt.Errorf("failed to store mieru client config: %w", err)
+	}
+	// Client is started lazily on the first use.
+
+	var addr string
+	if option.Port != 0 {
+		addr = net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+	} else {
+		beginPort, _, _ := beginAndEndPortFromPortRange(option.PortRange)
+		addr = net.JoinHostPort(option.Server, strconv.Itoa(beginPort))
+	}
+	outbound := &Mieru{
+		Base: &Base{
+			name:   option.Name,
+			addr:   addr,
+			iface:  option.Interface,
+			tp:     C.Mieru,
+			udp:    false,
+			xudp:   false,
+			rmark:  option.RoutingMark,
+			prefer: C.NewDNSPrefer(option.IPVersion),
+		},
+		option: &option,
+		client: c,
+	}
+	runtime.SetFinalizer(outbound, closeMieru)
+	return outbound, nil
+}
+
+func closeMieru(m *Mieru) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.client != nil && m.client.IsRunning() {
+		m.client.Stop()
+	}
+}
+
+func metadataToMieruNetAddrSpec(metadata *C.Metadata) mierumodel.NetAddrSpec {
+	if metadata.Host != "" {
+		return mierumodel.NetAddrSpec{
+			AddrSpec: mierumodel.AddrSpec{
+				FQDN: metadata.Host,
+				Port: int(metadata.DstPort),
+			},
+			Net: "tcp",
+		}
+	} else {
+		return mierumodel.NetAddrSpec{
+			AddrSpec: mierumodel.AddrSpec{
+				IP:   metadata.DstIP.AsSlice(),
+				Port: int(metadata.DstPort),
+			},
+			Net: "tcp",
+		}
+	}
+}
+
+func buildMieruClientConfig(option MieruOption) (*mieruclient.ClientConfig, error) {
+	if err := validateMieruOption(option); err != nil {
+		return nil, fmt.Errorf("failed to validate mieru option: %w", err)
+	}
+
+	transportProtocol := mierupb.TransportProtocol_TCP.Enum()
+	var server *mierupb.ServerEndpoint
+	if net.ParseIP(option.Server) != nil {
+		// server is an IP address
+		if option.PortRange != "" {
+			server = &mierupb.ServerEndpoint{
+				IpAddress: proto.String(option.Server),
+				PortBindings: []*mierupb.PortBinding{
+					{
+						PortRange: proto.String(option.PortRange),
+						Protocol:  transportProtocol,
+					},
+				},
+			}
+		} else {
+			server = &mierupb.ServerEndpoint{
+				IpAddress: proto.String(option.Server),
+				PortBindings: []*mierupb.PortBinding{
+					{
+						Port:     proto.Int32(int32(option.Port)),
+						Protocol: transportProtocol,
+					},
+				},
+			}
+		}
+	} else {
+		// server is a domain name
+		if option.PortRange != "" {
+			server = &mierupb.ServerEndpoint{
+				DomainName: proto.String(option.Server),
+				PortBindings: []*mierupb.PortBinding{
+					{
+						PortRange: proto.String(option.PortRange),
+						Protocol:  transportProtocol,
+					},
+				},
+			}
+		} else {
+			server = &mierupb.ServerEndpoint{
+				DomainName: proto.String(option.Server),
+				PortBindings: []*mierupb.PortBinding{
+					{
+						Port:     proto.Int32(int32(option.Port)),
+						Protocol: transportProtocol,
+					},
+				},
+			}
+		}
+	}
+	return &mieruclient.ClientConfig{
+		Profile: &mierupb.ClientProfile{
+			ProfileName: proto.String(option.Name),
+			User: &mierupb.User{
+				Name:     proto.String(option.UserName),
+				Password: proto.String(option.Password),
+			},
+			Servers: []*mierupb.ServerEndpoint{server},
+		},
+	}, nil
+}
+
+func validateMieruOption(option MieruOption) error {
+	if option.Name == "" {
+		return fmt.Errorf("name is empty")
+	}
+	if option.Server == "" {
+		return fmt.Errorf("server is empty")
+	}
+	if option.Port == 0 && option.PortRange == "" {
+		return fmt.Errorf("either port or port-range must be set")
+	}
+	if option.Port != 0 && option.PortRange != "" {
+		return fmt.Errorf("port and port-range cannot be set at the same time")
+	}
+	if option.Port != 0 && (option.Port < 1 || option.Port > 65535) {
+		return fmt.Errorf("port must be between 1 and 65535")
+	}
+	if option.PortRange != "" {
+		begin, end, err := beginAndEndPortFromPortRange(option.PortRange)
+		if err != nil {
+			return fmt.Errorf("invalid port-range format")
+		}
+		if begin < 1 || begin > 65535 {
+			return fmt.Errorf("begin port must be between 1 and 65535")
+		}
+		if end < 1 || end > 65535 {
+			return fmt.Errorf("end port must be between 1 and 65535")
+		}
+		if begin > end {
+			return fmt.Errorf("begin port must be less than or equal to end port")
+		}
+	}
+
+	if option.Transport != "TCP" {
+		return fmt.Errorf("transport must be TCP")
+	}
+	if option.UserName == "" {
+		return fmt.Errorf("username is empty")
+	}
+	if option.Password == "" {
+		return fmt.Errorf("password is empty")
+	}
+	return nil
+}
+
+func beginAndEndPortFromPortRange(portRange string) (int, int, error) {
+	var begin, end int
+	_, err := fmt.Sscanf(portRange, "%d-%d", &begin, &end)
+	return begin, end, err
+}
--- a/adapter/outbound/mieru_test.go
+++ b/adapter/outbound/mieru_test.go
@@ -0,0 +1,92 @@
+package outbound
+
+import "testing"
+
+func TestNewMieru(t *testing.T) {
+	testCases := []struct {
+		option       MieruOption
+		wantBaseAddr string
+	}{
+		{
+			option: MieruOption{
+				Name:      "test",
+				Server:    "1.2.3.4",
+				Port:      10000,
+				Transport: "TCP",
+				UserName:  "test",
+				Password:  "test",
+			},
+			wantBaseAddr: "1.2.3.4:10000",
+		},
+		{
+			option: MieruOption{
+				Name:      "test",
+				Server:    "2001:db8::1",
+				PortRange: "10001-10002",
+				Transport: "TCP",
+				UserName:  "test",
+				Password:  "test",
+			},
+			wantBaseAddr: "[2001:db8::1]:10001",
+		},
+		{
+			option: MieruOption{
+				Name:      "test",
+				Server:    "example.com",
+				Port:      10003,
+				Transport: "TCP",
+				UserName:  "test",
+				Password:  "test",
+			},
+			wantBaseAddr: "example.com:10003",
+		},
+	}
+
+	for _, testCase := range testCases {
+		mieru, err := NewMieru(testCase.option)
+		if err != nil {
+			t.Error(err)
+		}
+		if mieru.addr != testCase.wantBaseAddr {
+			t.Errorf("got addr %q, want %q", mieru.addr, testCase.wantBaseAddr)
+		}
+	}
+}
+
+func TestBeginAndEndPortFromPortRange(t *testing.T) {
+	testCases := []struct {
+		input  string
+		begin  int
+		end    int
+		hasErr bool
+	}{
+		{"1-10", 1, 10, false},
+		{"1000-2000", 1000, 2000, false},
+		{"65535-65535", 65535, 65535, false},
+		{"1", 0, 0, true},
+		{"1-", 0, 0, true},
+		{"-10", 0, 0, true},
+		{"a-b", 0, 0, true},
+		{"1-b", 0, 0, true},
+		{"a-10", 0, 0, true},
+	}
+
+	for _, testCase := range testCases {
+		begin, end, err := beginAndEndPortFromPortRange(testCase.input)
+		if testCase.hasErr {
+			if err == nil {
+				t.Errorf("beginAndEndPortFromPortRange(%s) should return an error", testCase.input)
+			}
+		} else {
+			if err != nil {
+				t.Errorf("beginAndEndPortFromPortRange(%s) should not return an error, but got %v", testCase.input, err)
+			}
+			if begin != testCase.begin {
+				t.Errorf("beginAndEndPortFromPortRange(%s) begin port mismatch, got %d, want %d", testCase.input, begin, testCase.begin)
+			}
+			if end != testCase.end {
+				t.Errorf("beginAndEndPortFromPortRange(%s) end port mismatch, got %d, want %d", testCase.input, end, testCase.end)
+			}
+		}
+	}
+}
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@@ -196,6 +196,13 @@ func (ss *ShadowSocks) SupportWithDialer() C.NetWork {
 	return C.ALLNet
 }

+// ProxyInfo implements C.ProxyAdapter
+func (ss *ShadowSocks) ProxyInfo() C.ProxyInfo {
+	info := ss.Base.ProxyInfo()
+	info.DialerProxy = ss.option.DialerProxy
+	return info
+}
+
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (ss *ShadowSocks) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if ss.option.UDPOverTCP {
--- a/adapter/outbound/shadowsocksr.go
+++ b/adapter/outbound/shadowsocksr.go
@@ -122,6 +122,13 @@ func (ssr *ShadowSocksR) SupportWithDialer() C.NetWork {
 	return C.ALLNet
 }

+// ProxyInfo implements C.ProxyAdapter
+func (ssr *ShadowSocksR) ProxyInfo() C.ProxyInfo {
+	info := ssr.Base.ProxyInfo()
+	info.DialerProxy = ssr.option.DialerProxy
+	return info
+}
+
 func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {
 	// SSR protocol compatibility
 	// https://github.com/metacubex/mihomo/pull/2056
--- a/adapter/outbound/singmux.go
+++ b/adapter/outbound/singmux.go
@@ -97,6 +97,12 @@ func (s *SingMux) SupportUOT() bool {
 	return true
 }

+func (s *SingMux) ProxyInfo() C.ProxyInfo {
+	info := s.ProxyAdapter.ProxyInfo()
+	info.SMUX = true
+	return info
+}
+
 func closeSingMux(s *SingMux) {
 	_ = s.client.Close()
 }
--- a/adapter/outbound/snell.go
+++ b/adapter/outbound/snell.go
@@ -141,6 +141,13 @@ func (s *Snell) SupportUOT() bool {
 	return true
 }

+// ProxyInfo implements C.ProxyAdapter
+func (s *Snell) ProxyInfo() C.ProxyInfo {
+	info := s.Base.ProxyInfo()
+	info.DialerProxy = s.option.DialerProxy
+	return info
+}
+
 func NewSnell(option SnellOption) (*Snell, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	psk := []byte(option.Psk)
@@ -204,7 +211,7 @@ func NewSnell(option SnellOption) (*Snell, error) {
 			if err != nil {
 				return nil, err
 			}
-			
+
 			return streamConn(c, streamOption{psk, option.Version, addr, obfsOption}), nil
 		})
 	}
--- a/adapter/outbound/socks5.go
+++ b/adapter/outbound/socks5.go
@@ -171,6 +171,13 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 	return newPacketConn(&socksPacketConn{PacketConn: pc, rAddr: bindUDPAddr, tcpConn: c}, ss), nil
 }

+// ProxyInfo implements C.ProxyAdapter
+func (ss *Socks5) ProxyInfo() C.ProxyInfo {
+	info := ss.Base.ProxyInfo()
+	info.DialerProxy = ss.option.DialerProxy
+	return info
+}
+
 func NewSocks5(option Socks5Option) (*Socks5, error) {
 	var tlsConfig *tls.Config
 	if option.TLS {
--- a/adapter/outbound/ssh.go
+++ b/adapter/outbound/ssh.go
@@ -121,6 +121,13 @@ func closeSsh(s *Ssh) {
 	_ = s.client.Close()
 }

+// ProxyInfo implements C.ProxyAdapter
+func (s *Ssh) ProxyInfo() C.ProxyInfo {
+	info := s.Base.ProxyInfo()
+	info.DialerProxy = s.option.DialerProxy
+	return info
+}
+
 func NewSsh(option SshOption) (*Ssh, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))

--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@@ -244,6 +244,13 @@ func (t *Trojan) SupportUOT() bool {
 	return true
 }

+// ProxyInfo implements C.ProxyAdapter
+func (t *Trojan) ProxyInfo() C.ProxyInfo {
+	info := t.Base.ProxyInfo()
+	info.DialerProxy = t.option.DialerProxy
+	return info
+}
+
 func NewTrojan(option TrojanOption) (*Trojan, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))

--- a/adapter/outbound/tuic.go
+++ b/adapter/outbound/tuic.go
@@ -146,6 +146,13 @@ func (t *Tuic) dialWithDialer(ctx context.Context, dialer C.Dialer) (transport *
 	return
 }

+// ProxyInfo implements C.ProxyAdapter
+func (t *Tuic) ProxyInfo() C.ProxyInfo {
+	info := t.Base.ProxyInfo()
+	info.DialerProxy = t.option.DialerProxy
+	return info
+}
+
 func NewTuic(option TuicOption) (*Tuic, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	serverName := option.Server
--- a/adapter/outbound/util.go
+++ b/adapter/outbound/util.go
@@ -55,7 +55,7 @@ func resolveUDPAddr(ctx context.Context, network, address string) (*net.UDPAddr,
 		return nil, err
 	}

-	ip, err := resolver.ResolveProxyServerHost(ctx, host)
+	ip, err := resolver.ResolveIPWithResolver(ctx, host, resolver.ProxyServerHostResolver)
 	if err != nil {
 		return nil, err
 	}
@@ -71,12 +71,12 @@ func resolveUDPAddrWithPrefer(ctx context.Context, network, address string, pref
 	var fallback netip.Addr
 	switch prefer {
 	case C.IPv4Only:
-		ip, err = resolver.ResolveIPv4ProxyServerHost(ctx, host)
+		ip, err = resolver.ResolveIPv4WithResolver(ctx, host, resolver.ProxyServerHostResolver)
 	case C.IPv6Only:
-		ip, err = resolver.ResolveIPv6ProxyServerHost(ctx, host)
+		ip, err = resolver.ResolveIPv6WithResolver(ctx, host, resolver.ProxyServerHostResolver)
 	case C.IPv6Prefer:
 		var ips []netip.Addr
-		ips, err = resolver.LookupIPProxyServerHost(ctx, host)
+		ips, err = resolver.LookupIPWithResolver(ctx, host, resolver.ProxyServerHostResolver)
 		if err == nil {
 			for _, addr := range ips {
 				if addr.Is6() {
@@ -92,7 +92,7 @@ func resolveUDPAddrWithPrefer(ctx context.Context, network, address string, pref
 	default:
 		// C.IPv4Prefer, C.DualStack and other
 		var ips []netip.Addr
-		ips, err = resolver.LookupIPProxyServerHost(ctx, host)
+		ips, err = resolver.LookupIPWithResolver(ctx, host, resolver.ProxyServerHostResolver)
 		if err == nil {
 			for _, addr := range ips {
 				if addr.Is4() {
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@@ -379,6 +379,13 @@ func (v *Vless) SupportUOT() bool {
 	return true
 }

+// ProxyInfo implements C.ProxyAdapter
+func (v *Vless) ProxyInfo() C.ProxyInfo {
+	info := v.Base.ProxyInfo()
+	info.DialerProxy = v.option.DialerProxy
+	return info
+}
+
 func parseVlessAddr(metadata *C.Metadata, xudp bool) *vless.DstAddr {
 	var addrType byte
 	var addr []byte
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@@ -388,6 +388,13 @@ func (v *Vmess) SupportWithDialer() C.NetWork {
 	return C.ALLNet
 }

+// ProxyInfo implements C.ProxyAdapter
+func (v *Vmess) ProxyInfo() C.ProxyInfo {
+	info := v.Base.ProxyInfo()
+	info.DialerProxy = v.option.DialerProxy
+	return info
+}
+
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (v *Vmess) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
--- a/adapter/outbound/wireguard.go
+++ b/adapter/outbound/wireguard.go
@@ -44,7 +44,7 @@ type WireGuard struct {
 	device    wireguardGoDevice
 	tunDevice wireguard.Device
 	dialer    proxydialer.SingDialer
-	resolver  *dns.Resolver
+	resolver  resolver.Resolver
 	refP      *refProxyAdapter

 	initOk        atomic.Bool
@@ -296,7 +296,7 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 		for i := range nss {
 			nss[i].ProxyAdapter = refP
 		}
-		outbound.resolver, _ = dns.NewResolver(dns.Config{
+		outbound.resolver = dns.NewResolver(dns.Config{
 			Main: nss,
 			IPv6: has6,
 		})
@@ -611,18 +611,11 @@ func (r *refProxyAdapter) SupportUDP() bool {
 	return false
 }

-func (r *refProxyAdapter) SupportXUDP() bool {
+func (r *refProxyAdapter) ProxyInfo() C.ProxyInfo {
 	if r.proxyAdapter != nil {
-		return r.proxyAdapter.SupportXUDP()
+		return r.proxyAdapter.ProxyInfo()
 	}
-	return false
-}
-
-func (r *refProxyAdapter) SupportTFO() bool {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.SupportTFO()
-	}
-	return false
+	return C.ProxyInfo{}
 }

 func (r *refProxyAdapter) MarshalJSON() ([]byte, error) {
--- a/adapter/outboundgroup/loadbalance.go
+++ b/adapter/outboundgroup/loadbalance.go
@@ -204,7 +204,7 @@ func strategyStickySessions(url string) strategyFn {
 		for i := 1; i < maxRetry; i++ {
 			proxy := proxies[nowIdx]
 			if proxy.AliveForTestUrl(url) {
-				if nowIdx != idx {
+				if !has || nowIdx != idx {
 					lruCache.Set(key, nowIdx)
 				}

--- a/adapter/parser.go
+++ b/adapter/parser.go
@@ -141,6 +141,13 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 			break
 		}
 		proxy, err = outbound.NewSsh(*sshOption)
+	case "mieru":
+		mieruOption := &outbound.MieruOption{}
+		err = decoder.Decode(mapping, mieruOption)
+		if err != nil {
+			break
+		}
+		proxy, err = outbound.NewMieru(*mieruOption)
 	default:
 		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)
 	}
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@@ -66,6 +66,7 @@ type proxyProviderSchema struct {
 	ExcludeFilter string `provider:"exclude-filter,omitempty"`
 	ExcludeType   string `provider:"exclude-type,omitempty"`
 	DialerProxy   string `provider:"dialer-proxy,omitempty"`
+	SizeLimit     int64  `provider:"size-limit,omitempty"`

 	HealthCheck healthCheckSchema   `provider:"health-check,omitempty"`
 	Override    OverrideSchema      `provider:"override,omitempty"`
@@ -111,7 +112,7 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 				return nil, fmt.Errorf("%w: %s", errSubPath, path)
 			}
 		}
-		vehicle = resource.NewHTTPVehicle(schema.URL, path, schema.Proxy, schema.Header, resource.DefaultHttpTimeout)
+		vehicle = resource.NewHTTPVehicle(schema.URL, path, schema.Proxy, schema.Header, resource.DefaultHttpTimeout, schema.SizeLimit)
 	default:
 		return nil, fmt.Errorf("%w: %s", errVehicleType, schema.Type)
 	}
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@@ -1,11 +1,9 @@
 package provider

 import (
-	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"net/http"
 	"reflect"
 	"runtime"
 	"strings"
@@ -14,7 +12,7 @@ import (
 	"github.com/metacubex/mihomo/adapter"
 	"github.com/metacubex/mihomo/common/convert"
 	"github.com/metacubex/mihomo/common/utils"
-	mihomoHttp "github.com/metacubex/mihomo/component/http"
+	"github.com/metacubex/mihomo/component/profile/cachefile"
 	"github.com/metacubex/mihomo/component/resource"
 	C "github.com/metacubex/mihomo/constant"
 	types "github.com/metacubex/mihomo/constant/provider"
@@ -80,7 +78,9 @@ func (pp *proxySetProvider) Initial() error {
 	if err != nil {
 		return err
 	}
-	pp.getSubscriptionInfo()
+	if subscriptionInfo := cachefile.Cache().GetSubscriptionInfo(pp.Name()); subscriptionInfo != "" {
+		pp.SetSubscriptionInfo(subscriptionInfo)
+	}
 	pp.closeAllConnections()
 	return nil
 }
@@ -117,35 +117,14 @@ func (pp *proxySetProvider) setProxies(proxies []C.Proxy) {
 	}
 }

-func (pp *proxySetProvider) getSubscriptionInfo() {
-	if pp.VehicleType() != types.HTTP {
-		return
-	}
-	go func() {
-		ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
-		defer cancel()
-		resp, err := mihomoHttp.HttpRequestWithProxy(ctx, pp.Vehicle().Url(),
-			http.MethodGet, nil, nil, pp.Vehicle().Proxy())
-		if err != nil {
-			return
-		}
-		defer resp.Body.Close()
+func (pp *proxySetProvider) SetSubscriptionInfo(userInfo string) {
+	pp.subscriptionInfo = NewSubscriptionInfo(userInfo)
+}

-		userInfoStr := strings.TrimSpace(resp.Header.Get("subscription-userinfo"))
-		if userInfoStr == "" {
-			resp2, err := mihomoHttp.HttpRequestWithProxy(ctx, pp.Vehicle().Url(),
-				http.MethodGet, http.Header{"User-Agent": {"Quantumultx"}}, nil, pp.Vehicle().Proxy())
-			if err != nil {
-				return
-			}
-			defer resp2.Body.Close()
-			userInfoStr = strings.TrimSpace(resp2.Header.Get("subscription-userinfo"))
-			if userInfoStr == "" {
-				return
-			}
-		}
-		pp.subscriptionInfo = NewSubscriptionInfo(userInfoStr)
-	}()
+func (pp *proxySetProvider) SetProvider(provider types.ProxyProvider) {
+	if httpVehicle, ok := pp.Vehicle().(*resource.HTTPVehicle); ok {
+		httpVehicle.SetProvider(provider)
+	}
 }

 func (pp *proxySetProvider) closeAllConnections() {
@@ -196,6 +175,9 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, exc
 	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, excludeTypeArray, filterRegs, excludeFilterReg, dialerProxy, override), proxiesOnUpdate(pd))
 	pd.Fetcher = fetcher
 	wrapper := &ProxySetProvider{pd}
+	if httpVehicle, ok := vehicle.(*resource.HTTPVehicle); ok {
+		httpVehicle.SetProvider(wrapper)
+	}
 	runtime.SetFinalizer(wrapper, (*ProxySetProvider).Close)
 	return wrapper, nil
 }
@@ -205,16 +187,21 @@ func (pp *ProxySetProvider) Close() error {
 	return pp.proxySetProvider.Close()
 }

+func (pp *ProxySetProvider) SetProvider(provider types.ProxyProvider) {
+	pp.proxySetProvider.SetProvider(provider)
+}
+
 // CompatibleProvider for auto gc
 type CompatibleProvider struct {
 	*compatibleProvider
 }

 type compatibleProvider struct {
-	name        string
-	healthCheck *HealthCheck
-	proxies     []C.Proxy
-	version     uint32
+	name             string
+	healthCheck      *HealthCheck
+	subscriptionInfo *SubscriptionInfo
+	proxies          []C.Proxy
+	version          uint32
 }

 func (cp *compatibleProvider) MarshalJSON() ([]byte, error) {
@@ -284,6 +271,10 @@ func (cp *compatibleProvider) Close() error {
 	return nil
 }

+func (cp *compatibleProvider) SetSubscriptionInfo(userInfo string) {
+	cp.subscriptionInfo = NewSubscriptionInfo(userInfo)
+}
+
 func NewCompatibleProvider(name string, proxies []C.Proxy, hc *HealthCheck) (*CompatibleProvider, error) {
 	if len(proxies) == 0 {
 		return nil, errors.New("provider need one proxy at least")
@@ -313,7 +304,6 @@ func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) {
 	return func(elm []C.Proxy) {
 		pd.setProxies(elm)
 		pd.version += 1
-		pd.getSubscriptionInfo()
 	}
 }

--- a/adapter/provider/subscription_info.go
+++ b/adapter/provider/subscription_info.go
@@ -16,8 +16,7 @@ type SubscriptionInfo struct {
 }

 func NewSubscriptionInfo(userinfo string) (si *SubscriptionInfo) {
-	userinfo = strings.ToLower(userinfo)
-	userinfo = strings.ReplaceAll(userinfo, " ", "")
+	userinfo = strings.ReplaceAll(strings.ToLower(userinfo), " ", "")
 	si = new(SubscriptionInfo)

 	for _, field := range strings.Split(userinfo, ";") {
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@@ -340,26 +340,18 @@ func parseAddr(ctx context.Context, network, address string, preferResolver reso
 		return nil, "-1", err
 	}

+	if preferResolver == nil {
+		preferResolver = resolver.ProxyServerHostResolver
+	}
+
 	var ips []netip.Addr
 	switch network {
 	case "tcp4", "udp4":
-		if preferResolver == nil {
-			ips, err = resolver.LookupIPv4ProxyServerHost(ctx, host)
-		} else {
-			ips, err = resolver.LookupIPv4WithResolver(ctx, host, preferResolver)
-		}
+		ips, err = resolver.LookupIPv4WithResolver(ctx, host, preferResolver)
 	case "tcp6", "udp6":
-		if preferResolver == nil {
-			ips, err = resolver.LookupIPv6ProxyServerHost(ctx, host)
-		} else {
-			ips, err = resolver.LookupIPv6WithResolver(ctx, host, preferResolver)
-		}
+		ips, err = resolver.LookupIPv6WithResolver(ctx, host, preferResolver)
 	default:
-		if preferResolver == nil {
-			ips, err = resolver.LookupIPProxyServerHost(ctx, host)
-		} else {
-			ips, err = resolver.LookupIPWithResolver(ctx, host, preferResolver)
-		}
+		ips, err = resolver.LookupIPWithResolver(ctx, host, preferResolver)
 	}
 	if err != nil {
 		return nil, "-1", fmt.Errorf("dns resolve failed: %w", err)
--- a/component/dialer/resolver.go
+++ b/component/dialer/resolver.go
@@ -1,29 +0,0 @@
-package dialer
-
-import (
-	"context"
-	"net"
-	"net/netip"
-)
-
-func init() {
-	// We must use this DialContext to query DNS
-	// when using net default resolver.
-	net.DefaultResolver.PreferGo = true
-	net.DefaultResolver.Dial = resolverDialContext
-}
-
-func resolverDialContext(ctx context.Context, network, address string) (net.Conn, error) {
-	d := &net.Dialer{}
-
-	interfaceName := DefaultInterface.Load()
-
-	if interfaceName != "" {
-		dstIP, err := netip.ParseAddr(address)
-		if err == nil {
-			_ = bindIfaceToDialer(interfaceName, d, network, dstIP)
-		}
-	}
-
-	return d.DialContext(ctx, network, address)
-}
--- a/component/http/http.go
+++ b/component/http/http.go
@@ -12,6 +12,7 @@ import (
 	"time"

 	"github.com/metacubex/mihomo/component/ca"
+	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/listener/inner"
 )

@@ -71,8 +72,7 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st
 			if conn, err := inner.HandleTcp(address, specialProxy); err == nil {
 				return conn, nil
 			} else {
-				d := net.Dialer{}
-				return d.DialContext(ctx, network, address)
+				return dialer.DialContext(ctx, network, address)
 			}
 		},
 		TLSClientConfig: ca.GetGlobalTLSConfig(&tls.Config{}),
--- a/component/iface/iface.go
+++ b/component/iface/iface.go
@@ -15,6 +15,7 @@ type Interface struct {
 	Name         string
 	Addresses    []netip.Prefix
 	HardwareAddr net.HardwareAddr
+	Flags        net.Flags
 }

 var (
@@ -66,6 +67,7 @@ func Interfaces() (map[string]*Interface, error) {
 				Name:         iface.Name,
 				Addresses:    ipNets,
 				HardwareAddr: iface.HardwareAddr,
+				Flags:        iface.Flags,
 			}
 		}

--- a/component/keepalive/tcp_keepalive.go
+++ b/component/keepalive/tcp_keepalive.go
@@ -35,7 +35,7 @@ func KeepAliveInterval() time.Duration {

 func SetDisableKeepAlive(disable bool) {
 	if runtime.GOOS == "android" {
-		setDisableKeepAlive(false)
+		setDisableKeepAlive(true)
 	} else {
 		setDisableKeepAlive(disable)
 	}
--- a/component/loopback/detector.go
+++ b/component/loopback/detector.go
@@ -4,14 +4,25 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
+	"os"
+	"strconv"

 	"github.com/metacubex/mihomo/common/callback"
 	"github.com/metacubex/mihomo/component/iface"
 	C "github.com/metacubex/mihomo/constant"
+	"github.com/metacubex/mihomo/constant/features"

 	"github.com/puzpuzpuz/xsync/v3"
 )

+var disableLoopBackDetector, _ = strconv.ParseBool(os.Getenv("DISABLE_LOOPBACK_DETECTOR"))
+
+func init() {
+	if features.CMFA {
+		disableLoopBackDetector = true
+	}
+}
+
 var ErrReject = errors.New("reject loopback connection")

 type Detector struct {
@@ -20,6 +31,9 @@ type Detector struct {
 }

 func NewDetector() *Detector {
+	if disableLoopBackDetector {
+		return nil
+	}
 	return &Detector{
 		connMap:       xsync.NewMapOf[netip.AddrPort, struct{}](),
 		packetConnMap: xsync.NewMapOf[uint16, struct{}](),
@@ -27,6 +41,9 @@ func NewDetector() *Detector {
 }

 func (l *Detector) NewConn(conn C.Conn) C.Conn {
+	if l == nil || l.connMap == nil {
+		return conn
+	}
 	metadata := C.Metadata{}
 	if metadata.SetRemoteAddr(conn.LocalAddr()) != nil {
 		return conn
@@ -42,6 +59,9 @@ func (l *Detector) NewConn(conn C.Conn) C.Conn {
 }

 func (l *Detector) NewPacketConn(conn C.PacketConn) C.PacketConn {
+	if l == nil || l.packetConnMap == nil {
+		return conn
+	}
 	metadata := C.Metadata{}
 	if metadata.SetRemoteAddr(conn.LocalAddr()) != nil {
 		return conn
@@ -58,6 +78,9 @@ func (l *Detector) NewPacketConn(conn C.PacketConn) C.PacketConn {
 }

 func (l *Detector) CheckConn(metadata *C.Metadata) error {
+	if l == nil || l.connMap == nil {
+		return nil
+	}
 	connAddr := metadata.SourceAddrPort()
 	if !connAddr.IsValid() {
 		return nil
@@ -69,6 +92,9 @@ func (l *Detector) CheckConn(metadata *C.Metadata) error {
 }

 func (l *Detector) CheckPacketConn(metadata *C.Metadata) error {
+	if l == nil || l.packetConnMap == nil {
+		return nil
+	}
 	connAddr := metadata.SourceAddrPort()
 	if !connAddr.IsValid() {
 		return nil
--- a/component/mmdb/reader.go
+++ b/component/mmdb/reader.go
@@ -5,6 +5,7 @@ import (
 	"net"
 	"strings"

+	"github.com/metacubex/mihomo/log"
 	"github.com/oschwald/maxminddb-golang"
 )

@@ -23,11 +24,16 @@ type ASNReader struct {
 	*maxminddb.Reader
 }

-type ASNResult struct {
+type GeoLite2 struct {
 	AutonomousSystemNumber       uint32 `maxminddb:"autonomous_system_number"`
 	AutonomousSystemOrganization string `maxminddb:"autonomous_system_organization"`
 }

+type IPInfo struct {
+	ASN  string `maxminddb:"asn"`
+	Name string `maxminddb:"name"`
+}
+
 func (r IPReader) LookupCode(ipAddress net.IP) []string {
 	switch r.databaseType {
 	case typeMaxmind:
@@ -66,8 +72,18 @@ func (r IPReader) LookupCode(ipAddress net.IP) []string {
 	}
 }

-func (r ASNReader) LookupASN(ip net.IP) ASNResult {
-	var result ASNResult
-	r.Lookup(ip, &result)
-	return result
+func (r ASNReader) LookupASN(ip net.IP) (string, string) {
+	switch r.Metadata.DatabaseType {
+	case "GeoLite2-ASN", "DBIP-ASN-Lite (compat=GeoLite2-ASN)":
+		var result GeoLite2
+		_ = r.Lookup(ip, &result)
+		return fmt.Sprint(result.AutonomousSystemNumber), result.AutonomousSystemOrganization
+	case "ipinfo generic_asn_free.mmdb":
+		var result IPInfo
+		_ = r.Lookup(ip, &result)
+		return result.ASN[2:], result.Name
+	default:
+		log.Warnln("Unsupported ASN type: %s", r.Metadata.DatabaseType)
+	}
+	return "", ""
 }
--- a/component/process/process_windows.go
+++ b/component/process/process_windows.go
@@ -180,7 +180,7 @@ func newSearcher(isV4, isTCP bool) *searcher {
 func getTransportTable(fn uintptr, family int, class int) ([]byte, error) {
 	for size, buf := uint32(8), make([]byte, 8); ; {
 		ptr := unsafe.Pointer(&buf[0])
-		err, _, _ := syscall.SyscallN(fn, uintptr(ptr), uintptr(unsafe.Pointer(&size)), 0, uintptr(family), uintptr(class), 0)
+		err, _, _ := syscall.Syscall6(fn, 6, uintptr(ptr), uintptr(unsafe.Pointer(&size)), 0, uintptr(family), uintptr(class), 0)

 		switch err {
 		case 0:
@@ -215,13 +215,13 @@ func getExecPathFromPID(pid uint32) (string, error) {

 	buf := make([]uint16, syscall.MAX_LONG_PATH)
 	size := uint32(len(buf))
-	r1, _, err := syscall.SyscallN(
-		queryProcName,
+	r1, _, err := syscall.Syscall6(
+		queryProcName, 4,
 		uintptr(h),
 		uintptr(0),
 		uintptr(unsafe.Pointer(&buf[0])),
 		uintptr(unsafe.Pointer(&size)),
-	)
+		0, 0)
 	if r1 == 0 {
 		return "", err
 	}
--- a/component/profile/cachefile/cache.go
+++ b/component/profile/cachefile/cache.go
@@ -17,9 +17,10 @@ var (
 	fileMode     os.FileMode = 0o666
 	defaultCache *CacheFile

-	bucketSelected = []byte("selected")
-	bucketFakeip   = []byte("fakeip")
-	bucketETag     = []byte("etag")
+	bucketSelected         = []byte("selected")
+	bucketFakeip           = []byte("fakeip")
+	bucketETag             = []byte("etag")
+	bucketSubscriptionInfo = []byte("subscriptioninfo")
 )

 // CacheFile store and update the cache file
--- a/component/profile/cachefile/subscriptioninfo.go
+++ b/component/profile/cachefile/subscriptioninfo.go
@@ -0,0 +1,41 @@
+package cachefile
+
+import (
+	"github.com/metacubex/mihomo/log"
+
+	"github.com/metacubex/bbolt"
+)
+
+func (c *CacheFile) SetSubscriptionInfo(name string, userInfo string) {
+	if c.DB == nil {
+		return
+	}
+
+	err := c.DB.Batch(func(t *bbolt.Tx) error {
+		bucket, err := t.CreateBucketIfNotExists(bucketSubscriptionInfo)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put([]byte(name), []byte(userInfo))
+	})
+	if err != nil {
+		log.Warnln("[CacheFile] write cache to %s failed: %s", c.DB.Path(), err.Error())
+		return
+	}
+}
+func (c *CacheFile) GetSubscriptionInfo(name string) (userInfo string) {
+	if c.DB == nil {
+		return
+	}
+	c.DB.View(func(t *bbolt.Tx) error {
+		if bucket := t.Bucket(bucketSubscriptionInfo); bucket != nil {
+			if v := bucket.Get([]byte(name)); v != nil {
+				userInfo = string(v)
+			}
+		}
+		return nil
+	})
+
+	return
+}
--- a/component/resolver/defaults.go
+++ b/component/resolver/defaults.go
@@ -1,12 +0,0 @@
-//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
-
-package resolver
-
-import _ "unsafe"
-
-//go:linkname defaultNS net.defaultNS
-var defaultNS []string
-
-func init() {
-	defaultNS = []string{"114.114.114.114:53", "8.8.8.8:53"}
-}
--- a/component/resolver/host_windows.go
+++ b/component/resolver/host_windows.go
@@ -1,19 +0,0 @@
-//go:build !go1.22
-
-// a simple standard lib fix from: https://github.com/golang/go/commit/33d4a5105cf2b2d549922e909e9239a48b8cefcc
-
-package resolver
-
-import (
-	"golang.org/x/sys/windows"
-	_ "unsafe"
-)
-
-//go:linkname testHookHostsPath net.testHookHostsPath
-var testHookHostsPath string
-
-func init() {
-	if dir, err := windows.GetSystemDirectory(); err == nil {
-		testHookHostsPath = dir + "/Drivers/etc/hosts"
-	}
-}
--- a/component/resolver/resolver.go
+++ b/component/resolver/resolver.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net"
 	"net/netip"
 	"strings"
 	"time"
@@ -20,9 +19,15 @@ var (
 	// DefaultResolver aim to resolve ip
 	DefaultResolver Resolver

-	// ProxyServerHostResolver resolve ip to proxies server host
+	// ProxyServerHostResolver resolve ip for proxies server host, only nil when DefaultResolver is nil
 	ProxyServerHostResolver Resolver

+	// DirectHostResolver resolve ip for direct outbound host, only nil when DefaultResolver is nil
+	DirectHostResolver Resolver
+
+	// SystemResolver always using system dns, and was init in dns module
+	SystemResolver Resolver
+
 	// DisableIPv6 means don't resolve ipv6 host
 	// default value is true
 	DisableIPv6 = true
@@ -72,14 +77,7 @@ func LookupIPv4WithResolver(ctx context.Context, host string, r Resolver) ([]net
 		return r.LookupIPv4(ctx, host)
 	}

-	ipAddrs, err := net.DefaultResolver.LookupNetIP(ctx, "ip4", host)
-	if err != nil {
-		return nil, err
-	} else if len(ipAddrs) == 0 {
-		return nil, ErrIPNotFound
-	}
-
-	return ipAddrs, nil
+	return SystemResolver.LookupIPv4(ctx, host)
 }

 // LookupIPv4 with a host, return ipv4 list
@@ -128,14 +126,7 @@ func LookupIPv6WithResolver(ctx context.Context, host string, r Resolver) ([]net
 		return r.LookupIPv6(ctx, host)
 	}

-	ipAddrs, err := net.DefaultResolver.LookupNetIP(ctx, "ip6", host)
-	if err != nil {
-		return nil, err
-	} else if len(ipAddrs) == 0 {
-		return nil, ErrIPNotFound
-	}
-
-	return ipAddrs, nil
+	return SystemResolver.LookupIPv6(ctx, host)
 }

 // LookupIPv6 with a host, return ipv6 list
@@ -177,14 +168,7 @@ func LookupIPWithResolver(ctx context.Context, host string, r Resolver) ([]netip
 		return []netip.Addr{ip}, nil
 	}

-	ips, err := net.DefaultResolver.LookupNetIP(ctx, "ip", host)
-	if err != nil {
-		return nil, err
-	} else if len(ips) == 0 {
-		return nil, ErrIPNotFound
-	}
-
-	return ips, nil
+	return SystemResolver.LookupIP(ctx, host)
 }

 // LookupIP with a host, return ip
@@ -212,58 +196,10 @@ func ResolveIP(ctx context.Context, host string) (netip.Addr, error) {
 	return ResolveIPWithResolver(ctx, host, DefaultResolver)
 }

-// ResolveIPv4ProxyServerHost proxies server host only
-func ResolveIPv4ProxyServerHost(ctx context.Context, host string) (netip.Addr, error) {
-	if ProxyServerHostResolver != nil {
-		return ResolveIPv4WithResolver(ctx, host, ProxyServerHostResolver)
-	}
-	return ResolveIPv4(ctx, host)
-}
-
-// ResolveIPv6ProxyServerHost proxies server host only
-func ResolveIPv6ProxyServerHost(ctx context.Context, host string) (netip.Addr, error) {
-	if ProxyServerHostResolver != nil {
-		return ResolveIPv6WithResolver(ctx, host, ProxyServerHostResolver)
-	}
-	return ResolveIPv6(ctx, host)
-}
-
-// ResolveProxyServerHost proxies server host only
-func ResolveProxyServerHost(ctx context.Context, host string) (netip.Addr, error) {
-	if ProxyServerHostResolver != nil {
-		return ResolveIPWithResolver(ctx, host, ProxyServerHostResolver)
-	}
-	return ResolveIP(ctx, host)
-}
-
-func LookupIPv6ProxyServerHost(ctx context.Context, host string) ([]netip.Addr, error) {
-	if ProxyServerHostResolver != nil {
-		return LookupIPv6WithResolver(ctx, host, ProxyServerHostResolver)
-	}
-	return LookupIPv6(ctx, host)
-}
-
-func LookupIPv4ProxyServerHost(ctx context.Context, host string) ([]netip.Addr, error) {
-	if ProxyServerHostResolver != nil {
-		return LookupIPv4WithResolver(ctx, host, ProxyServerHostResolver)
-	}
-	return LookupIPv4(ctx, host)
-}
-
-func LookupIPProxyServerHost(ctx context.Context, host string) ([]netip.Addr, error) {
-	if ProxyServerHostResolver != nil {
-		return LookupIPWithResolver(ctx, host, ProxyServerHostResolver)
-	}
-	return LookupIP(ctx, host)
-}
-
 func ResetConnection() {
 	if DefaultResolver != nil {
 		go DefaultResolver.ResetConnection()
 	}
-	if ProxyServerHostResolver != nil {
-		go ProxyServerHostResolver.ResetConnection()
-	}
 }

 func SortationAddr(ips []netip.Addr) (ipv4s, ipv6s []netip.Addr) {
--- a/component/resource/vehicle.go
+++ b/component/resource/vehicle.go
@@ -84,11 +84,13 @@ func NewFileVehicle(path string) *FileVehicle {
 }

 type HTTPVehicle struct {
-	url     string
-	path    string
-	proxy   string
-	header  http.Header
-	timeout time.Duration
+	url       string
+	path      string
+	proxy     string
+	header    http.Header
+	timeout   time.Duration
+	sizeLimit int64
+	provider  types.ProxyProvider
 }

 func (h *HTTPVehicle) Url() string {
@@ -111,6 +113,10 @@ func (h *HTTPVehicle) Write(buf []byte) error {
 	return safeWrite(h.path, buf)
 }

+func (h *HTTPVehicle) SetProvider(provider types.ProxyProvider) {
+	h.provider = provider
+}
+
 func (h *HTTPVehicle) Read(ctx context.Context, oldHash utils.HashType) (buf []byte, hash utils.HashType, err error) {
 	ctx, cancel := context.WithTimeout(ctx, h.timeout)
 	defer cancel()
@@ -133,6 +139,12 @@ func (h *HTTPVehicle) Read(ctx context.Context, oldHash utils.HashType) (buf []b
 		return
 	}
 	defer resp.Body.Close()
+
+	if subscriptionInfo := resp.Header.Get("subscription-userinfo"); h.provider != nil && subscriptionInfo != "" {
+		cachefile.Cache().SetSubscriptionInfo(h.provider.Name(), subscriptionInfo)
+		h.provider.SetSubscriptionInfo(subscriptionInfo)
+	}
+
 	if resp.StatusCode < 200 || resp.StatusCode > 299 {
 		if setIfNoneMatch && resp.StatusCode == http.StatusNotModified {
 			return nil, oldHash, nil
@@ -140,7 +152,11 @@ func (h *HTTPVehicle) Read(ctx context.Context, oldHash utils.HashType) (buf []b
 		err = errors.New(resp.Status)
 		return
 	}
-	buf, err = io.ReadAll(resp.Body)
+	var reader io.Reader = resp.Body
+	if h.sizeLimit > 0 {
+		reader = io.LimitReader(reader, h.sizeLimit)
+	}
+	buf, err = io.ReadAll(reader)
 	if err != nil {
 		return
 	}
@@ -155,12 +171,13 @@ func (h *HTTPVehicle) Read(ctx context.Context, oldHash utils.HashType) (buf []b
 	return
 }

-func NewHTTPVehicle(url string, path string, proxy string, header http.Header, timeout time.Duration) *HTTPVehicle {
+func NewHTTPVehicle(url string, path string, proxy string, header http.Header, timeout time.Duration, sizeLimit int64) *HTTPVehicle {
 	return &HTTPVehicle{
-		url:     url,
-		path:    path,
-		proxy:   proxy,
-		header:  header,
-		timeout: timeout,
+		url:       url,
+		path:      path,
+		proxy:     proxy,
+		header:    header,
+		timeout:   timeout,
+		sizeLimit: sizeLimit,
 	}
 }
--- a/component/updater/update_geo.go
+++ b/component/updater/update_geo.go
@@ -45,7 +45,7 @@ func SetGeoUpdateInterval(newGeoUpdateInterval int) {
 }

 func UpdateMMDB() (err error) {
-	vehicle := resource.NewHTTPVehicle(geodata.MmdbUrl(), C.Path.MMDB(), "", nil, defaultHttpTimeout)
+	vehicle := resource.NewHTTPVehicle(geodata.MmdbUrl(), C.Path.MMDB(), "", nil, defaultHttpTimeout, 0)
 	var oldHash utils.HashType
 	if buf, err := os.ReadFile(vehicle.Path()); err == nil {
 		oldHash = utils.MakeHash(buf)
@@ -76,7 +76,7 @@ func UpdateMMDB() (err error) {
 }

 func UpdateASN() (err error) {
-	vehicle := resource.NewHTTPVehicle(geodata.ASNUrl(), C.Path.ASN(), "", nil, defaultHttpTimeout)
+	vehicle := resource.NewHTTPVehicle(geodata.ASNUrl(), C.Path.ASN(), "", nil, defaultHttpTimeout, 0)
 	var oldHash utils.HashType
 	if buf, err := os.ReadFile(vehicle.Path()); err == nil {
 		oldHash = utils.MakeHash(buf)
@@ -109,7 +109,7 @@ func UpdateASN() (err error) {
 func UpdateGeoIp() (err error) {
 	geoLoader, err := geodata.GetGeoDataLoader("standard")

-	vehicle := resource.NewHTTPVehicle(geodata.GeoIpUrl(), C.Path.GeoIP(), "", nil, defaultHttpTimeout)
+	vehicle := resource.NewHTTPVehicle(geodata.GeoIpUrl(), C.Path.GeoIP(), "", nil, defaultHttpTimeout, 0)
 	var oldHash utils.HashType
 	if buf, err := os.ReadFile(vehicle.Path()); err == nil {
 		oldHash = utils.MakeHash(buf)
@@ -139,7 +139,7 @@ func UpdateGeoIp() (err error) {
 func UpdateGeoSite() (err error) {
 	geoLoader, err := geodata.GetGeoDataLoader("standard")

-	vehicle := resource.NewHTTPVehicle(geodata.GeoSiteUrl(), C.Path.GeoSite(), "", nil, defaultHttpTimeout)
+	vehicle := resource.NewHTTPVehicle(geodata.GeoSiteUrl(), C.Path.GeoSite(), "", nil, defaultHttpTimeout, 0)
 	var oldHash utils.HashType
 	if buf, err := os.ReadFile(vehicle.Path()); err == nil {
 		oldHash = utils.MakeHash(buf)
@@ -229,20 +229,22 @@ func UpdateGeoDatabases() error {
 }

 func getUpdateTime() (err error, time time.Time) {
-	var fileInfo os.FileInfo
-	if geodata.GeodataMode() {
-		fileInfo, err = os.Stat(C.Path.GeoIP())
-		if err != nil {
-			return err, time
-		}
-	} else {
-		fileInfo, err = os.Stat(C.Path.MMDB())
-		if err != nil {
-			return err, time
+	filesToCheck := []string{
+		C.Path.GeoIP(),
+		C.Path.MMDB(),
+		C.Path.ASN(),
+		C.Path.GeoSite(),
+	}
+
+	for _, file := range filesToCheck {
+		var fileInfo os.FileInfo
+		fileInfo, err = os.Stat(file)
+		if err == nil {
+			return nil, fileInfo.ModTime()
 		}
 	}

-	return nil, fileInfo.ModTime()
+	return
 }

 func RegisterGeoUpdater() {
--- a/component/updater/update_ui.go
+++ b/component/updater/update_ui.go
@@ -14,24 +14,69 @@ import (
 	"github.com/metacubex/mihomo/log"
 )

-var (
-	ExternalUIURL  string
-	ExternalUIPath string
-	AutoDownloadUI bool
-)
+type UIUpdater struct {
+	externalUIURL  string
+	externalUIPath string
+	autoDownloadUI bool

-var xdMutex sync.Mutex
+	mutex sync.Mutex
+}

-func DownloadUI() error {
-	xdMutex.Lock()
-	defer xdMutex.Unlock()
+var DefaultUiUpdater = &UIUpdater{}

-	err := prepareUIPath()
+func NewUiUpdater(externalUI, externalUIURL, externalUIName string) *UIUpdater {
+	updater := &UIUpdater{}
+	// checkout externalUI exist
+	if externalUI != "" {
+		updater.autoDownloadUI = true
+		updater.externalUIPath = C.Path.Resolve(externalUI)
+	} else {
+		// default externalUI path
+		updater.externalUIPath = path.Join(C.Path.HomeDir(), "ui")
+	}
+
+	// checkout UIpath/name exist
+	if externalUIName != "" {
+		updater.autoDownloadUI = true
+		updater.externalUIPath = path.Join(updater.externalUIPath, externalUIName)
+	}
+
+	if externalUIURL != "" {
+		updater.externalUIURL = externalUIURL
+	}
+	return updater
+}
+
+func (u *UIUpdater) AutoDownloadUI() {
+	u.mutex.Lock()
+	defer u.mutex.Unlock()
+	if u.autoDownloadUI {
+		dirEntries, _ := os.ReadDir(u.externalUIPath)
+		if len(dirEntries) > 0 {
+			log.Infoln("UI already exists, skip downloading")
+		} else {
+			log.Infoln("External UI downloading ...")
+			err := u.downloadUI()
+			if err != nil {
+				log.Errorln("Error downloading UI: %s", err)
+			}
+		}
+	}
+}
+
+func (u *UIUpdater) DownloadUI() error {
+	u.mutex.Lock()
+	defer u.mutex.Unlock()
+	return u.downloadUI()
+}
+
+func (u *UIUpdater) downloadUI() error {
+	err := u.prepareUIPath()
 	if err != nil {
 		return fmt.Errorf("prepare UI path failed: %w", err)
 	}

-	data, err := downloadForBytes(ExternalUIURL)
+	data, err := downloadForBytes(u.externalUIURL)
 	if err != nil {
 		return fmt.Errorf("can't download  file: %w", err)
 	}
@@ -42,7 +87,7 @@ func DownloadUI() error {
 	}
 	defer os.Remove(saved)

-	err = cleanup(ExternalUIPath)
+	err = cleanup(u.externalUIPath)
 	if err != nil {
 		if !os.IsNotExist(err) {
 			return fmt.Errorf("cleanup exist file error: %w", err)
@@ -54,18 +99,18 @@ func DownloadUI() error {
 		return fmt.Errorf("can't extract zip file: %w", err)
 	}

-	err = os.Rename(unzipFolder, ExternalUIPath)
+	err = os.Rename(unzipFolder, u.externalUIPath)
 	if err != nil {
 		return fmt.Errorf("rename UI folder failed: %w", err)
 	}
 	return nil
 }

-func prepareUIPath() error {
-	if _, err := os.Stat(ExternalUIPath); os.IsNotExist(err) {
-		log.Infoln("dir %s does not exist, creating", ExternalUIPath)
-		if err := os.MkdirAll(ExternalUIPath, os.ModePerm); err != nil {
-			log.Warnln("create dir %s error: %s", ExternalUIPath, err)
+func (u *UIUpdater) prepareUIPath() error {
+	if _, err := os.Stat(u.externalUIPath); os.IsNotExist(err) {
+		log.Infoln("dir %s does not exist, creating", u.externalUIPath)
+		if err := os.MkdirAll(u.externalUIPath, os.ModePerm); err != nil {
+			log.Warnln("create dir %s error: %s", u.externalUIPath, err)
 		}
 	}
 	return nil
--- a/config/config.go
+++ b/config/config.go
@@ -7,9 +7,9 @@ import (
 	"net"
 	"net/netip"
 	"net/url"
-	"path"
 	"strings"
 	"time"
+	_ "unsafe"

 	"github.com/metacubex/mihomo/adapter"
 	"github.com/metacubex/mihomo/adapter/outbound"
@@ -20,15 +20,10 @@ import (
 	"github.com/metacubex/mihomo/component/cidr"
 	"github.com/metacubex/mihomo/component/fakeip"
 	"github.com/metacubex/mihomo/component/geodata"
-	mihomoHttp "github.com/metacubex/mihomo/component/http"
-	"github.com/metacubex/mihomo/component/keepalive"
 	P "github.com/metacubex/mihomo/component/process"
 	"github.com/metacubex/mihomo/component/resolver"
-	"github.com/metacubex/mihomo/component/resource"
 	"github.com/metacubex/mihomo/component/sniffer"
-	tlsC "github.com/metacubex/mihomo/component/tls"
 	"github.com/metacubex/mihomo/component/trie"
-	"github.com/metacubex/mihomo/component/updater"
 	C "github.com/metacubex/mihomo/constant"
 	providerTypes "github.com/metacubex/mihomo/constant/provider"
 	snifferTypes "github.com/metacubex/mihomo/constant/sniffer"
@@ -67,6 +62,9 @@ type General struct {
 	GlobalClientFingerprint string            `json:"global-client-fingerprint"`
 	GlobalUA                string            `json:"global-ua"`
 	ETagSupport             bool              `json:"etag-support"`
+	KeepAliveIdle           int               `json:"keep-alive-idle"`
+	KeepAliveInterval       int               `json:"keep-alive-interval"`
+	DisableKeepAlive        bool              `json:"disable-keep-alive"`
 }

 // Inbound config
@@ -105,6 +103,8 @@ type Controller struct {
 	ExternalControllerUnix string
 	ExternalControllerPipe string
 	ExternalUI             string
+	ExternalUIURL          string
+	ExternalUIName         string
 	ExternalDohServer      string
 	Secret                 string
 	Cors                   Cors
@@ -160,6 +160,8 @@ type DNS struct {
 	Hosts                 *trie.DomainTrie[resolver.HostValue]
 	NameServerPolicy      []dns.Policy
 	ProxyServerNameserver []dns.NameServer
+	DirectNameServer      []dns.NameServer
+	DirectFollowPolicy    bool
 }

 // Profile config
@@ -203,25 +205,27 @@ type RawCors struct {
 }

 type RawDNS struct {
-	Enable                bool                                `yaml:"enable" json:"enable"`
-	PreferH3              bool                                `yaml:"prefer-h3" json:"prefer-h3"`
-	IPv6                  bool                                `yaml:"ipv6" json:"ipv6"`
-	IPv6Timeout           uint                                `yaml:"ipv6-timeout" json:"ipv6-timeout"`
-	UseHosts              bool                                `yaml:"use-hosts" json:"use-hosts"`
-	UseSystemHosts        bool                                `yaml:"use-system-hosts" json:"use-system-hosts"`
-	RespectRules          bool                                `yaml:"respect-rules" json:"respect-rules"`
-	NameServer            []string                            `yaml:"nameserver" json:"nameserver"`
-	Fallback              []string                            `yaml:"fallback" json:"fallback"`
-	FallbackFilter        RawFallbackFilter                   `yaml:"fallback-filter" json:"fallback-filter"`
-	Listen                string                              `yaml:"listen" json:"listen"`
-	EnhancedMode          C.DNSMode                           `yaml:"enhanced-mode" json:"enhanced-mode"`
-	FakeIPRange           string                              `yaml:"fake-ip-range" json:"fake-ip-range"`
-	FakeIPFilter          []string                            `yaml:"fake-ip-filter" json:"fake-ip-filter"`
-	FakeIPFilterMode      C.FilterMode                        `yaml:"fake-ip-filter-mode" json:"fake-ip-filter-mode"`
-	DefaultNameserver     []string                            `yaml:"default-nameserver" json:"default-nameserver"`
-	CacheAlgorithm        string                              `yaml:"cache-algorithm" json:"cache-algorithm"`
-	NameServerPolicy      *orderedmap.OrderedMap[string, any] `yaml:"nameserver-policy" json:"nameserver-policy"`
-	ProxyServerNameserver []string                            `yaml:"proxy-server-nameserver" json:"proxy-server-nameserver"`
+	Enable                       bool                                `yaml:"enable" json:"enable"`
+	PreferH3                     bool                                `yaml:"prefer-h3" json:"prefer-h3"`
+	IPv6                         bool                                `yaml:"ipv6" json:"ipv6"`
+	IPv6Timeout                  uint                                `yaml:"ipv6-timeout" json:"ipv6-timeout"`
+	UseHosts                     bool                                `yaml:"use-hosts" json:"use-hosts"`
+	UseSystemHosts               bool                                `yaml:"use-system-hosts" json:"use-system-hosts"`
+	RespectRules                 bool                                `yaml:"respect-rules" json:"respect-rules"`
+	NameServer                   []string                            `yaml:"nameserver" json:"nameserver"`
+	Fallback                     []string                            `yaml:"fallback" json:"fallback"`
+	FallbackFilter               RawFallbackFilter                   `yaml:"fallback-filter" json:"fallback-filter"`
+	Listen                       string                              `yaml:"listen" json:"listen"`
+	EnhancedMode                 C.DNSMode                           `yaml:"enhanced-mode" json:"enhanced-mode"`
+	FakeIPRange                  string                              `yaml:"fake-ip-range" json:"fake-ip-range"`
+	FakeIPFilter                 []string                            `yaml:"fake-ip-filter" json:"fake-ip-filter"`
+	FakeIPFilterMode             C.FilterMode                        `yaml:"fake-ip-filter-mode" json:"fake-ip-filter-mode"`
+	DefaultNameserver            []string                            `yaml:"default-nameserver" json:"default-nameserver"`
+	CacheAlgorithm               string                              `yaml:"cache-algorithm" json:"cache-algorithm"`
+	NameServerPolicy             *orderedmap.OrderedMap[string, any] `yaml:"nameserver-policy" json:"nameserver-policy"`
+	ProxyServerNameserver        []string                            `yaml:"proxy-server-nameserver" json:"proxy-server-nameserver"`
+	DirectNameServer             []string                            `yaml:"direct-nameserver" json:"direct-nameserver"`
+	DirectNameServerFollowPolicy bool                                `yaml:"direct-nameserver-follow-policy" json:"direct-nameserver-follow-policy"`
 }

 type RawFallbackFilter struct {
@@ -582,10 +586,11 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.General = general

-	if len(config.General.GlobalClientFingerprint) != 0 {
-		log.Debugln("GlobalClientFingerprint: %s", config.General.GlobalClientFingerprint)
-		tlsC.SetGlobalUtlsClient(config.General.GlobalClientFingerprint)
-	}
+	// We need to temporarily apply some configuration in general and roll back after parsing the complete configuration.
+	// The loading and downloading of geodata in the parseRules and parseRuleProviders rely on these.
+	// This implementation is very disgusting, but there is currently no better solution
+	rollback := temporaryUpdateGeneral(config.General)
+	defer rollback()

 	controller, err := parseController(rawCfg)
 	if err != nil {
@@ -701,46 +706,10 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	return config, nil
 }

+//go:linkname temporaryUpdateGeneral
+func temporaryUpdateGeneral(general *General) func()
+
 func parseGeneral(cfg *RawConfig) (*General, error) {
-	updater.SetGeoAutoUpdate(cfg.GeoAutoUpdate)
-	updater.SetGeoUpdateInterval(cfg.GeoUpdateInterval)
-	geodata.SetGeodataMode(cfg.GeodataMode)
-	geodata.SetLoader(cfg.GeodataLoader)
-	geodata.SetSiteMatcher(cfg.GeositeMatcher)
-	geodata.SetGeoIpUrl(cfg.GeoXUrl.GeoIp)
-	geodata.SetGeoSiteUrl(cfg.GeoXUrl.GeoSite)
-	geodata.SetMmdbUrl(cfg.GeoXUrl.Mmdb)
-	geodata.SetASNUrl(cfg.GeoXUrl.ASN)
-	mihomoHttp.SetUA(cfg.GlobalUA)
-	resource.SetETag(cfg.ETagSupport)
-
-	if cfg.KeepAliveIdle != 0 {
-		keepalive.SetKeepAliveIdle(time.Duration(cfg.KeepAliveIdle) * time.Second)
-	}
-	if cfg.KeepAliveInterval != 0 {
-		keepalive.SetKeepAliveInterval(time.Duration(cfg.KeepAliveInterval) * time.Second)
-	}
-	keepalive.SetDisableKeepAlive(cfg.DisableKeepAlive)
-
-	// checkout externalUI exist
-	if cfg.ExternalUI != "" {
-		updater.AutoDownloadUI = true
-		updater.ExternalUIPath = C.Path.Resolve(cfg.ExternalUI)
-	} else {
-		// default externalUI path
-		updater.ExternalUIPath = path.Join(C.Path.HomeDir(), "ui")
-	}
-
-	// checkout UIpath/name exist
-	if cfg.ExternalUIName != "" {
-		updater.AutoDownloadUI = true
-		updater.ExternalUIPath = path.Join(updater.ExternalUIPath, cfg.ExternalUIName)
-	}
-
-	if cfg.ExternalUIURL != "" {
-		updater.ExternalUIURL = cfg.ExternalUIURL
-	}
-
 	return &General{
 		Inbound: Inbound{
 			Port:              cfg.Port,
@@ -774,11 +743,15 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 		GeoUpdateInterval:       cfg.GeoUpdateInterval,
 		GeodataMode:             cfg.GeodataMode,
 		GeodataLoader:           cfg.GeodataLoader,
+		GeositeMatcher:          cfg.GeositeMatcher,
 		TCPConcurrent:           cfg.TCPConcurrent,
 		FindProcessMode:         cfg.FindProcessMode,
 		GlobalClientFingerprint: cfg.GlobalClientFingerprint,
 		GlobalUA:                cfg.GlobalUA,
 		ETagSupport:             cfg.ETagSupport,
+		KeepAliveIdle:           cfg.KeepAliveIdle,
+		KeepAliveInterval:       cfg.KeepAliveInterval,
+		DisableKeepAlive:        cfg.DisableKeepAlive,
 	}, nil
 }

@@ -786,6 +759,8 @@ func parseController(cfg *RawConfig) (*Controller, error) {
 	return &Controller{
 		ExternalController:     cfg.ExternalController,
 		ExternalUI:             cfg.ExternalUI,
+		ExternalUIURL:          cfg.ExternalUIURL,
+		ExternalUIName:         cfg.ExternalUIName,
 		Secret:                 cfg.Secret,
 		ExternalControllerPipe: cfg.ExternalControllerPipe,
 		ExternalControllerUnix: cfg.ExternalControllerUnix,
@@ -1423,6 +1398,11 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul
 		return nil, err
 	}

+	if dnsCfg.DirectNameServer, err = parseNameServer(cfg.DirectNameServer, false, cfg.PreferH3); err != nil {
+		return nil, err
+	}
+	dnsCfg.DirectFollowPolicy = cfg.DirectNameServerFollowPolicy
+
 	if len(cfg.DefaultNameserver) == 0 {
 		return nil, errors.New("default nameserver should have at least one nameserver")
 	}
--- a/constant/adapters.go
+++ b/constant/adapters.go
@@ -42,6 +42,7 @@ const (
 	WireGuard
 	Tuic
 	Ssh
+	Mieru
 )

 const (
@@ -99,13 +100,24 @@ type Dialer interface {
 	ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error)
 }

+type ProxyInfo struct {
+	XUDP        bool
+	TFO         bool
+	MPTCP       bool
+	SMUX        bool
+	Interface   string
+	RoutingMark int
+	DialerProxy string
+}
+
 type ProxyAdapter interface {
 	Name() string
 	Type() AdapterType
 	Addr() string
 	SupportUDP() bool
-	SupportXUDP() bool
-	SupportTFO() bool
+
+	// ProxyInfo contains some extra information maybe useful for MarshalJSON
+	ProxyInfo() ProxyInfo
 	MarshalJSON() ([]byte, error)

 	// Deprecated: use DialContextWithDialer and ListenPacketWithDialer instead.
@@ -213,7 +225,10 @@ func (at AdapterType) String() string {
 		return "WireGuard"
 	case Tuic:
 		return "Tuic"
-
+	case Ssh:
+		return "Ssh"
+	case Mieru:
+		return "Mieru"
 	case Relay:
 		return "Relay"
 	case Selector:
@@ -224,8 +239,6 @@ func (at AdapterType) String() string {
 		return "URLTest"
 	case LoadBalance:
 		return "LoadBalance"
-	case Ssh:
-		return "Ssh"
 	default:
 		return "Unknown"
 	}
--- a/constant/provider/interface.go
+++ b/constant/provider/interface.go
@@ -81,6 +81,7 @@ type ProxyProvider interface {
 	Version() uint32
 	RegisterHealthCheckTask(url string, expectedStatus utils.IntRanges[uint16], filter string, interval uint)
 	HealthCheckURL() string
+	SetSubscriptionInfo(userInfo string)
 }

 // RuleProvider interface
--- a/dns/patch_android.go
+++ b/dns/patch_android.go
@@ -12,6 +12,9 @@ func FlushCacheWithDefaultResolver() {
 	if r := resolver.DefaultResolver; r != nil {
 		r.ClearCache()
 	}
+	if r := resolver.SystemResolver; r != nil {
+		r.ClearCache()
+	}
 	resolver.ResetConnection()
 }

--- a/dns/resolver.go
+++ b/dns/resolver.go
@@ -13,7 +13,6 @@ import (
 	"github.com/metacubex/mihomo/component/resolver"
 	"github.com/metacubex/mihomo/component/trie"
 	C "github.com/metacubex/mihomo/constant"
-	"github.com/metacubex/mihomo/constant/provider"
 	"github.com/metacubex/mihomo/log"

 	D "github.com/miekg/dns"
@@ -428,6 +427,8 @@ type Config struct {
 	Main, Fallback       []NameServer
 	Default              []NameServer
 	ProxyServer          []NameServer
+	DirectServer         []NameServer
+	DirectFollowPolicy   bool
 	IPv6                 bool
 	IPv6Timeout          uint
 	EnhancedMode         C.DNSMode
@@ -436,7 +437,6 @@ type Config struct {
 	Pool                 *fakeip.Pool
 	Hosts                *trie.DomainTrie[resolver.HostValue]
 	Policy               []Policy
-	Tunnel               provider.Tunnel
 	CacheAlgorithm       string
 }

@@ -448,7 +448,25 @@ func (config Config) newCache() dnsCache {
 	}
 }

-func NewResolver(config Config) (r *Resolver, pr *Resolver) {
+type Resolvers struct {
+	*Resolver
+	ProxyResolver  *Resolver
+	DirectResolver *Resolver
+}
+
+func (rs Resolvers) ClearCache() {
+	rs.Resolver.ClearCache()
+	rs.ProxyResolver.ClearCache()
+	rs.DirectResolver.ClearCache()
+}
+
+func (rs Resolvers) ResetConnection() {
+	rs.Resolver.ResetConnection()
+	rs.ProxyResolver.ResetConnection()
+	rs.DirectResolver.ResetConnection()
+}
+
+func NewResolver(config Config) (rs Resolvers) {
 	defaultResolver := &Resolver{
 		main:        transform(config.Default, nil),
 		cache:       config.newCache(),
@@ -482,7 +500,7 @@ func NewResolver(config Config) (r *Resolver, pr *Resolver) {
 		return
 	}

-	r = &Resolver{
+	r := &Resolver{
 		ipv6:        config.IPv6,
 		main:        cacheTransform(config.Main),
 		cache:       config.newCache(),
@@ -490,9 +508,10 @@ func NewResolver(config Config) (r *Resolver, pr *Resolver) {
 		ipv6Timeout: time.Duration(config.IPv6Timeout) * time.Millisecond,
 	}
 	r.defaultResolver = defaultResolver
+	rs.Resolver = r

 	if len(config.ProxyServer) != 0 {
-		pr = &Resolver{
+		rs.ProxyResolver = &Resolver{
 			ipv6:        config.IPv6,
 			main:        cacheTransform(config.ProxyServer),
 			cache:       config.newCache(),
@@ -501,8 +520,20 @@ func NewResolver(config Config) (r *Resolver, pr *Resolver) {
 		}
 	}

+	if len(config.DirectServer) != 0 {
+		rs.DirectResolver = &Resolver{
+			ipv6:        config.IPv6,
+			main:        cacheTransform(config.DirectServer),
+			cache:       config.newCache(),
+			hosts:       config.Hosts,
+			ipv6Timeout: time.Duration(config.IPv6Timeout) * time.Millisecond,
+		}
+	}
+
 	if len(config.Fallback) != 0 {
 		r.fallback = cacheTransform(config.Fallback)
+		r.fallbackIPFilters = config.FallbackIPFilter
+		r.fallbackDomainFilters = config.FallbackDomainFilter
 	}

 	if len(config.Policy) != 0 {
@@ -531,9 +562,11 @@ func NewResolver(config Config) (r *Resolver, pr *Resolver) {
 			}
 		}
 		insertPolicy(nil)
+
+		if rs.DirectResolver != nil && config.DirectFollowPolicy {
+			rs.DirectResolver.policy = r.policy
+		}
 	}
-	r.fallbackIPFilters = config.FallbackIPFilter
-	r.fallbackDomainFilters = config.FallbackDomainFilter

 	return
 }
--- a/dns/system.go
+++ b/dns/system.go
@@ -7,6 +7,8 @@ import (
 	"sync"
 	"time"

+	"github.com/metacubex/mihomo/component/resolver"
+
 	D "github.com/miekg/dns"
 )

@@ -24,10 +26,15 @@ type systemClient struct {
 	mu         sync.Mutex
 	dnsClients map[string]*systemDnsClient
 	lastFlush  time.Time
+	defaultNS  []dnsClient
 }

 func (c *systemClient) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) {
 	dnsClients, err := c.getDnsClients()
+	if len(dnsClients) == 0 && len(c.defaultNS) > 0 {
+		dnsClients = c.defaultNS
+		err = nil
+	}
 	if err != nil {
 		return
 	}
@@ -38,11 +45,16 @@ func (c *systemClient) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Ms
 // Address implements dnsClient
 func (c *systemClient) Address() string {
 	dnsClients, _ := c.getDnsClients()
+	isDefault := ""
+	if len(dnsClients) == 0 && len(c.defaultNS) > 0 {
+		dnsClients = c.defaultNS
+		isDefault = "[defaultNS]"
+	}
 	addrs := make([]string, 0, len(dnsClients))
 	for _, c := range dnsClients {
 		addrs = append(addrs, c.Address())
 	}
-	return fmt.Sprintf("system(%s)", strings.Join(addrs, ","))
+	return fmt.Sprintf("system%s(%s)", isDefault, strings.Join(addrs, ","))
 }

 var _ dnsClient = (*systemClient)(nil)
@@ -52,3 +64,11 @@ func newSystemClient() *systemClient {
 		dnsClients: map[string]*systemDnsClient{},
 	}
 }
+
+func init() {
+	r := NewResolver(Config{})
+	c := newSystemClient()
+	c.defaultNS = transform([]NameServer{{Addr: "114.114.114.114:53"}, {Addr: "8.8.8.8:53"}}, nil)
+	r.main = []dnsClient{c}
+	resolver.SystemResolver = r
+}
--- a/docs/config.yaml
+++ b/docs/config.yaml
@@ -294,10 +294,15 @@ dns:
  #   - tcp://1.1.1.1
  #   - 'tcp://1.1.1.1#ProxyGroupName' # 指定 DNS 过代理查询，ProxyGroupName 为策略组名或节点名，过代理配置优先于配置出口网卡，当找不到策略组或节点名则设置为出口网卡

-  # 专用于节点域名解析的 DNS 服务器，非必要配置项
+  # 专用于节点域名解析的 DNS 服务器，非必要配置项，如果不填则遵循nameserver-policy、nameserver和fallback的配置
  # proxy-server-nameserver:
-  # - https://dns.google/dns-query
-  # - tls://one.one.one.one
+  #   - https://dns.google/dns-query
+  #   - tls://one.one.one.one
+
+  # 专用于direct出口域名解析的 DNS 服务器，非必要配置项，如果不填则遵循nameserver-policy、nameserver和fallback的配置
+  # direct-nameserver:
+  #   - system://
+  # direct-nameserver-follow-policy: false # 是否遵循nameserver-policy，默认为不遵守，仅当direct-nameserver不为空时生效

  # 配置 fallback 使用条件
  # fallback-filter:
@@ -841,6 +846,16 @@ proxies: # socks5
    password: password
    privateKey: path

+  # mieru
+  - name: mieru
+    type: mieru
+    server: 1.2.3.4
+    port: 2999
+    # port-range: 2090-2099 #（不可同时填写 port 和 port-range）
+    transport: TCP # 只支持 TCP
+    username: user
+    password: password
+
 # dns 出站会将请求劫持到内部 dns 模块，所有请求均在内部处理
  - name: "dns-out"
    type: dns
@@ -925,6 +940,7 @@ proxy-providers:
    interval: 3600
    path: ./provider1.yaml # 默认只允许存储在 mihomo 的 Home Dir，如果想存储到任意位置，添加环境变量 SKIP_SAFE_PATH_CHECK=1
    proxy: DIRECT
+    # size-limit: 10240 # 限制下载文件最大为10kb，默认为0即不限制文件大小
    header:
      User-Agent:
      - "Clash/v1.18.0"
@@ -972,6 +988,7 @@ rule-providers:
    type: http # http 的 path 可空置，默认储存路径为 homedir 的 rules 文件夹，文件名为 url 的 md5
    url: "url"
    proxy: DIRECT
+    # size-limit: 10240 # 限制下载文件最大为10kb，默认为0即不限制文件大小
  rule2:
    behavior: classical
    interval: 259200
@@ -1195,4 +1212,4 @@ listeners:
 #  authentication-timeout: 1000
 #  alpn:
 #    - h3
-#  max-udp-relay-packet-size: 1500
+#  max-udp-relay-packet-size: 1500
--- a/go.mod
+++ b/go.mod
@@ -5,13 +5,14 @@ go 1.20
 require (
 	github.com/3andne/restls-client-go v0.1.6
 	github.com/bahlo/generic-list-go v0.2.0
-	github.com/coreos/go-iptables v0.7.0
+	github.com/coreos/go-iptables v0.8.0
 	github.com/dlclark/regexp2 v1.11.4
+	github.com/enfein/mieru/v3 v3.8.3
 	github.com/go-chi/chi/v5 v5.1.0
 	github.com/go-chi/render v1.0.3
 	github.com/gobwas/ws v1.4.0
 	github.com/gofrs/uuid/v5 v5.3.0
-	github.com/insomniacslk/dhcp v0.0.0-20240812123929-b105c29bd1b5
+	github.com/insomniacslk/dhcp v0.0.0-20240829085014-a3a4c1f04475
 	github.com/klauspost/compress v1.17.9
 	github.com/klauspost/cpuid/v2 v2.2.8
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
@@ -20,15 +21,15 @@ require (
 	github.com/metacubex/bbolt v0.0.0-20240822011022-aed6d4850399
 	github.com/metacubex/chacha v0.1.0
 	github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759
-	github.com/metacubex/quic-go v0.47.1-0.20240909010619-6b38f24bfcc4
+	github.com/metacubex/quic-go v0.48.3-0.20241126053724-b69fea3888da
 	github.com/metacubex/randv2 v0.2.0
 	github.com/metacubex/sing-quic v0.0.0-20240827003841-cd97758ed8b4
 	github.com/metacubex/sing-shadowsocks v0.2.8
 	github.com/metacubex/sing-shadowsocks2 v0.2.2
-	github.com/metacubex/sing-tun v0.2.7-0.20240729131039-ed03f557dee1
+	github.com/metacubex/sing-tun v0.4.2
 	github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9
-	github.com/metacubex/sing-wireguard v0.0.0-20240924052438-b0976fc59ea3
-	github.com/metacubex/tfo-go v0.0.0-20240830120620-c5e019b67785
+	github.com/metacubex/sing-wireguard v0.0.0-20241126021510-0827d417b589
+	github.com/metacubex/tfo-go v0.0.0-20241006021335-daedaf0ca7aa
 	github.com/metacubex/utls v1.6.6
 	github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181
 	github.com/miekg/dns v1.1.62
@@ -39,7 +40,7 @@ require (
 	github.com/sagernet/cors v1.2.1
 	github.com/sagernet/fswatch v0.1.1
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a
-	github.com/sagernet/sing v0.5.0-alpha.13
+	github.com/sagernet/sing v0.5.1
 	github.com/sagernet/sing-mux v0.2.1-0.20240124034317-9bfb33698bb6
 	github.com/sagernet/sing-shadowtls v0.1.4
 	github.com/samber/lo v1.47.0
@@ -51,10 +52,10 @@ require (
 	gitlab.com/go-extension/aes-ccm v0.0.0-20230221065045-e58665ef23c7
 	go.uber.org/automaxprocs v1.6.0
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.27.0
-	golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa
-	golang.org/x/net v0.29.0
-	golang.org/x/sys v0.25.0
+	golang.org/x/crypto v0.29.0
+	golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e // lastest version compatible with golang1.20
+	golang.org/x/net v0.31.0
+	golang.org/x/sys v0.27.0
 	google.golang.org/protobuf v1.34.2
 	gopkg.in/yaml.v3 v3.0.1
 	lukechampine.com/blake3 v1.3.0
@@ -78,7 +79,7 @@ require (
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
-	github.com/google/btree v1.1.2 // indirect
+	github.com/google/btree v1.1.3 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
@@ -87,7 +88,7 @@ require (
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mdlayher/socket v0.4.1 // indirect
-	github.com/metacubex/gvisor v0.0.0-20240320004321-933faba989ec // indirect
+	github.com/metacubex/gvisor v0.0.0-20241126021258-5b028898cc5a // indirect
 	github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
 	github.com/pierrec/lz4/v4 v4.1.14 // indirect
@@ -110,10 +111,12 @@ require (
 	gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec // indirect
 	go.uber.org/mock v0.4.0 // indirect
 	golang.org/x/mod v0.20.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/text v0.18.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/sync v0.9.0 // indirect
+	golang.org/x/text v0.20.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.24.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240610135401-a8a62080eff3 // indirect
+	google.golang.org/grpc v1.64.1 // indirect
 )

-replace github.com/sagernet/sing => github.com/metacubex/sing v0.0.0-20240724044459-6f3cf5896297
+replace github.com/sagernet/sing => github.com/metacubex/sing v0.0.0-20241121030428-33b6ebc52000
--- a/go.sum
+++ b/go.sum
@@ -19,14 +19,16 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
-github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
-github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
+github.com/coreos/go-iptables v0.8.0 h1:MPc2P89IhuVpLI7ETL/2tx3XZ61VeICZjYqDEgNsPRc=
+github.com/coreos/go-iptables v0.8.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dlclark/regexp2 v1.11.4 h1:rPYF9/LECdNymJufQKmri9gV604RvvABwgOA8un7yAo=
 github.com/dlclark/regexp2 v1.11.4/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/enfein/mieru/v3 v3.8.3 h1:s4K0hMFDg6LHltokR8/nBTVCq15XnnxPsvc1LrHwpoo=
+github.com/enfein/mieru/v3 v3.8.3/go.mod h1:YtU00qjAEt54mCBQu4WZPCey6cBdB1BUtXjvrHLEUNQ=
 github.com/ericlagergren/aegis v0.0.0-20230312195928-b4ce538b56f9 h1:/5RkVc9Rc81XmMyVqawCiDyrBHZbLAZgTTCqou4mwj8=
 github.com/ericlagergren/aegis v0.0.0-20230312195928-b4ce538b56f9/go.mod h1:hkIFzoiIPZYxdFOOLyDho59b7SrDfo+w3h+yWdlg45I=
 github.com/ericlagergren/polyval v0.0.0-20220411101811-e25bc10ba391 h1:8j2RH289RJplhA6WfdaPqzg1MjH2K8wX5e0uhAxrw2g=
@@ -59,9 +61,9 @@ github.com/gobwas/ws v1.4.0/go.mod h1:G3gNqMNtPppf5XUz7O4shetPpcZ1VJ7zt18dlUeakr
 github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk=
 github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
-github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
+github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -71,8 +73,8 @@ github.com/google/tink/go v1.6.1 h1:t7JHqO8Ath2w2ig5vjwQYJzhGEZymedQc90lQXUBa4I=
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/insomniacslk/dhcp v0.0.0-20240812123929-b105c29bd1b5 h1:GkMacU5ftc+IEg1449N3UEy2XLDz58W4fkrRu2fibb8=
-github.com/insomniacslk/dhcp v0.0.0-20240812123929-b105c29bd1b5/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic=
+github.com/insomniacslk/dhcp v0.0.0-20240829085014-a3a4c1f04475 h1:hxST5pwMBEOWmxpkX20w9oZG+hXdhKmAIPQ3NGGAxas=
+github.com/insomniacslk/dhcp v0.0.0-20240829085014-a3a4c1f04475/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
@@ -102,28 +104,28 @@ github.com/metacubex/chacha v0.1.0 h1:tg9RSJ18NvL38cCWNyYH1eiG6qDCyyXIaTLQthon0s
 github.com/metacubex/chacha v0.1.0/go.mod h1:Djn9bPZxLTXbJFSeyo0/qzEzQI+gUSSzttuzZM75GH8=
 github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 h1:cjd4biTvOzK9ubNCCkQ+ldc4YSH/rILn53l/xGBFHHI=
 github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759/go.mod h1:UHOv2xu+RIgLwpXca7TLrXleEd4oR3sPatW6IF8wU88=
-github.com/metacubex/gvisor v0.0.0-20240320004321-933faba989ec h1:HxreOiFTUrJXJautEo8rnE1uKTVGY8wtZepY1Tii/Nc=
-github.com/metacubex/gvisor v0.0.0-20240320004321-933faba989ec/go.mod h1:8BVmQ+3cxjqzWElafm24rb2Ae4jRI6vAXNXWqWjfrXw=
-github.com/metacubex/quic-go v0.47.1-0.20240909010619-6b38f24bfcc4 h1:CgdUBRxmNlxEGkp35HwvgQ10jwOOUJKWdOxpi8yWi8o=
-github.com/metacubex/quic-go v0.47.1-0.20240909010619-6b38f24bfcc4/go.mod h1:Y7yRGqFE6UQL/3aKPYmiYdjfVkeujJaStP4+jiZMcN8=
+github.com/metacubex/gvisor v0.0.0-20241126021258-5b028898cc5a h1:cZ6oNVrsmsi3SNlnSnRio4zOgtQq+/XidwsaNgKICcg=
+github.com/metacubex/gvisor v0.0.0-20241126021258-5b028898cc5a/go.mod h1:xBw/SYJPgUMPQ1tklV/brGn2nxhfr3BnvBzNlyi4Nic=
+github.com/metacubex/quic-go v0.48.3-0.20241126053724-b69fea3888da h1:Mq6cbHbPTLLTUfA9scrwBmOGkvl6y99E3WmtMIMqo30=
+github.com/metacubex/quic-go v0.48.3-0.20241126053724-b69fea3888da/go.mod h1:AiZ+UPgrkO1DTnmiAX4b+kRoV1Vfc65UkYD7RbFlIZA=
 github.com/metacubex/randv2 v0.2.0 h1:uP38uBvV2SxYfLj53kuvAjbND4RUDfFJjwr4UigMiLs=
 github.com/metacubex/randv2 v0.2.0/go.mod h1:kFi2SzrQ5WuneuoLLCMkABtiBu6VRrMrWFqSPyj2cxY=
-github.com/metacubex/sing v0.0.0-20240724044459-6f3cf5896297 h1:YG/JkwGPbca5rUtEMHIu8ZuqzR7BSVm1iqY8hNoMeMA=
-github.com/metacubex/sing v0.0.0-20240724044459-6f3cf5896297/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/metacubex/sing v0.0.0-20241121030428-33b6ebc52000 h1:gUbMXcQXhXGj0vCpCVFTUyIH7TMpD1dpTcNv/MCS+ok=
+github.com/metacubex/sing v0.0.0-20241121030428-33b6ebc52000/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/metacubex/sing-quic v0.0.0-20240827003841-cd97758ed8b4 h1:HobpULaPK6OoxrHMmgcwLkwwIduXVmwdcznwUfH1GQM=
 github.com/metacubex/sing-quic v0.0.0-20240827003841-cd97758ed8b4/go.mod h1:g7Mxj7b7zm7YVqD975mk/hSmrb0A0G4bVvIMr2MMzn8=
 github.com/metacubex/sing-shadowsocks v0.2.8 h1:wIhlaigswzjPw4hej75sEvWte3QR0+AJRafgwBHO5B4=
 github.com/metacubex/sing-shadowsocks v0.2.8/go.mod h1:X3x88XtJpBxG0W0/ECOJL6Ib0SJ3xdniAkU/6/RMWU0=
 github.com/metacubex/sing-shadowsocks2 v0.2.2 h1:eaf42uVx4Lr21S6MDYs0ZdTvGA0GEhDpb9no4+gdXPo=
 github.com/metacubex/sing-shadowsocks2 v0.2.2/go.mod h1:BhOug03a/RbI7y6hp6q+6ITM1dXjnLTmeWBHSTwvv2Q=
-github.com/metacubex/sing-tun v0.2.7-0.20240729131039-ed03f557dee1 h1:ypfofGDZbP8p3Y4P/m74JYu7sQViesi3c8nbmT6cS0Y=
-github.com/metacubex/sing-tun v0.2.7-0.20240729131039-ed03f557dee1/go.mod h1:olbEx9yVcaw5tHTNlRamRoxmMKcvDvcVS1YLnQGzvWE=
+github.com/metacubex/sing-tun v0.4.2 h1:fwrQp3P536Pswu6gR1FJ+8GH55e+t2+B8LHIjwRtWbc=
+github.com/metacubex/sing-tun v0.4.2/go.mod h1:V0N4rr0dWPBEE20ESkTXdbtx2riQYcb6YtwC5w/9wl0=
 github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9 h1:OAXiCosqY8xKDp3pqTW3qbrCprZ1l6WkrXSFSCwyY4I=
 github.com/metacubex/sing-vmess v0.1.9-0.20240719134745-1df6fb20bbf9/go.mod h1:olVkD4FChQ5gKMHG4ZzuD7+fMkJY1G8vwOKpRehjrmY=
-github.com/metacubex/sing-wireguard v0.0.0-20240924052438-b0976fc59ea3 h1:xg71VmzLS6ByAzi/57phwDvjE+dLLs+ozH00k4DnOns=
-github.com/metacubex/sing-wireguard v0.0.0-20240924052438-b0976fc59ea3/go.mod h1:6nitcmzPDL3MXnLdhu6Hm126Zk4S1fBbX3P7jxUxSFw=
-github.com/metacubex/tfo-go v0.0.0-20240830120620-c5e019b67785 h1:NNmI+ZV0DzNuqaAInRQuZFLHlWVuyHeow8jYpdKjHjo=
-github.com/metacubex/tfo-go v0.0.0-20240830120620-c5e019b67785/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts=
+github.com/metacubex/sing-wireguard v0.0.0-20241126021510-0827d417b589 h1:Z6bNy0HLTjx6BKIkV48sV/yia/GP8Bnyb5JQuGgSGzg=
+github.com/metacubex/sing-wireguard v0.0.0-20241126021510-0827d417b589/go.mod h1:4NclTLIZuk+QkHVCGrP87rHi/y8YjgPytxTgApJNMhc=
+github.com/metacubex/tfo-go v0.0.0-20241006021335-daedaf0ca7aa h1:9mcjV+RGZVC3reJBNDjjNPyS8PmFG97zq56X7WNaFO4=
+github.com/metacubex/tfo-go v0.0.0-20241006021335-daedaf0ca7aa/go.mod h1:4tLB5c8U0CxpkFM+AJJB77jEaVDbLH5XQvy42vAGsWw=
 github.com/metacubex/utls v1.6.6 h1:3D12YKHTf2Z41UPhQU2dWerNWJ5TVQD9gKoQ+H+iLC8=
 github.com/metacubex/utls v1.6.6/go.mod h1:+WLFUnXjcpdxXCnyX25nggw8C6YonZ8zOK2Zm/oRvdo=
 github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181 h1:hJLQviGySBuaynlCwf/oYgIxbVbGRUIKZCxdya9YrbQ=
@@ -230,21 +232,21 @@ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBs
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
-golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa h1:ELnwvuAXPNtPk1TJRuGkI9fDTwym6AYBu0qzT8AcHdI=
-golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e h1:I88y4caeGeuDQxgdoFPUq097j7kNfw6uvuiNxUBfcBk=
+golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
 golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -261,19 +263,23 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
+golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
 golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240610135401-a8a62080eff3 h1:9Xyg6I9IWQZhRVfCWjKK+l6kI0jHcPesVlMnT//aHNo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240610135401-a8a62080eff3/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=
+google.golang.org/grpc v1.64.1 h1:LKtvyfbX3UGVPFcGqJ9ItpVWW6oN/2XqTxfAnwRRXiA=
+google.golang.org/grpc v1.64.1/go.mod h1:hiQF4LFZelK2WKaP6W0L92zGHtiQdZxk8CrSdvyjeP0=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@@ -9,6 +9,7 @@ import (
 	"strconv"
 	"sync"
 	"time"
+	_ "unsafe"

 	"github.com/metacubex/mihomo/adapter"
 	"github.com/metacubex/mihomo/adapter/inbound"
@@ -16,9 +17,10 @@ import (
 	"github.com/metacubex/mihomo/component/auth"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
-	G "github.com/metacubex/mihomo/component/geodata"
+	"github.com/metacubex/mihomo/component/geodata"
 	mihomoHttp "github.com/metacubex/mihomo/component/http"
 	"github.com/metacubex/mihomo/component/iface"
+	"github.com/metacubex/mihomo/component/keepalive"
 	"github.com/metacubex/mihomo/component/profile"
 	"github.com/metacubex/mihomo/component/profile/cachefile"
 	"github.com/metacubex/mihomo/component/resolver"
@@ -100,7 +102,7 @@ func ApplyConfig(cfg *config.Config, force bool) {
 	updateRules(cfg.Rules, cfg.SubRules, cfg.RuleProviders)
 	updateSniffer(cfg.Sniffer)
 	updateHosts(cfg.Hosts)
-	updateGeneral(cfg.General)
+	updateGeneral(cfg.General, true)
 	updateNTP(cfg.NTP)
 	updateDNS(cfg.DNS, cfg.General.IPv6)
 	updateListeners(cfg.General, cfg.Listeners, force)
@@ -117,7 +119,7 @@ func ApplyConfig(cfg *config.Config, force bool) {
 	runtime.GC()
 	tunnel.OnRunning()
 	hcCompatibleProvider(cfg.Providers)
-	initExternalUI()
+	updateUpdater(cfg)

 	resolver.ResetConnection()
 }
@@ -160,22 +162,25 @@ func GetGeneral() *config.General {
 		Interface:    dialer.DefaultInterface.Load(),
 		RoutingMark:  int(dialer.DefaultRoutingMark.Load()),
 		GeoXUrl: config.GeoXUrl{
-			GeoIp:   G.GeoIpUrl(),
-			Mmdb:    G.MmdbUrl(),
-			ASN:     G.ASNUrl(),
-			GeoSite: G.GeoSiteUrl(),
+			GeoIp:   geodata.GeoIpUrl(),
+			Mmdb:    geodata.MmdbUrl(),
+			ASN:     geodata.ASNUrl(),
+			GeoSite: geodata.GeoSiteUrl(),
 		},
 		GeoAutoUpdate:           updater.GeoAutoUpdate(),
 		GeoUpdateInterval:       updater.GeoUpdateInterval(),
-		GeodataMode:             G.GeodataMode(),
-		GeodataLoader:           G.LoaderName(),
-		GeositeMatcher:          G.SiteMatcherName(),
+		GeodataMode:             geodata.GeodataMode(),
+		GeodataLoader:           geodata.LoaderName(),
+		GeositeMatcher:          geodata.SiteMatcherName(),
 		TCPConcurrent:           dialer.GetTcpConcurrent(),
 		FindProcessMode:         tunnel.FindProcessMode(),
 		Sniffing:                tunnel.IsSniffing(),
 		GlobalClientFingerprint: tlsC.GetGlobalFingerprint(),
 		GlobalUA:                mihomoHttp.UA(),
 		ETagSupport:             resource.ETag(),
+		KeepAliveInterval:       int(keepalive.KeepAliveInterval() / time.Second),
+		KeepAliveIdle:           int(keepalive.KeepAliveIdle() / time.Second),
+		DisableKeepAlive:        keepalive.DisableKeepAlive(),
 	}

 	return general
@@ -235,6 +240,8 @@ func updateDNS(c *config.DNS, generalIPv6 bool) {
 		resolver.DefaultResolver = nil
 		resolver.DefaultHostMapper = nil
 		resolver.DefaultLocalServer = nil
+		resolver.ProxyServerHostResolver = nil
+		resolver.DirectHostResolver = nil
 		dns.ReCreateServer("", nil, nil)
 		return
 	}
@@ -251,11 +258,12 @@ func updateDNS(c *config.DNS, generalIPv6 bool) {
 		Default:              c.DefaultNameserver,
 		Policy:               c.NameServerPolicy,
 		ProxyServer:          c.ProxyServerNameserver,
-		Tunnel:               tunnel.Tunnel,
+		DirectServer:         c.DirectNameServer,
+		DirectFollowPolicy:   c.DirectFollowPolicy,
 		CacheAlgorithm:       c.CacheAlgorithm,
 	}

-	r, pr := dns.NewResolver(cfg)
+	r := dns.NewResolver(cfg)
 	m := dns.NewEnhancer(cfg)

 	// reuse cache of old host mapper
@@ -265,14 +273,22 @@ func updateDNS(c *config.DNS, generalIPv6 bool) {

 	resolver.DefaultResolver = r
 	resolver.DefaultHostMapper = m
-	resolver.DefaultLocalServer = dns.NewLocalServer(r, m)
+	resolver.DefaultLocalServer = dns.NewLocalServer(r.Resolver, m)
 	resolver.UseSystemHosts = c.UseSystemHosts

-	if pr.Invalid() {
-		resolver.ProxyServerHostResolver = pr
+	if r.ProxyResolver.Invalid() {
+		resolver.ProxyServerHostResolver = r.ProxyResolver
+	} else {
+		resolver.ProxyServerHostResolver = r.Resolver
 	}

-	dns.ReCreateServer(c.Listen, r, m)
+	if r.DirectResolver.Invalid() {
+		resolver.DirectHostResolver = r.DirectResolver
+	} else {
+		resolver.DirectHostResolver = r.Resolver
+	}
+
+	dns.ReCreateServer(c.Listen, r.Resolver, m)
 }

 func updateHosts(tree *trie.DomainTrie[resolver.HostValue]) {
@@ -383,42 +399,63 @@ func updateTunnels(tunnels []LC.Tunnel) {
 	listener.PatchTunnel(tunnels, tunnel.Tunnel)
 }

-func initExternalUI() {
-	if updater.AutoDownloadUI {
-		dirEntries, _ := os.ReadDir(updater.ExternalUIPath)
-		if len(dirEntries) > 0 {
-			log.Infoln("UI already exists, skip downloading")
-		} else {
-			log.Infoln("External UI downloading ...")
-			updater.DownloadUI()
-		}
+func updateUpdater(cfg *config.Config) {
+	general := cfg.General
+	updater.SetGeoAutoUpdate(general.GeoAutoUpdate)
+	updater.SetGeoUpdateInterval(general.GeoUpdateInterval)
+
+	controller := cfg.Controller
+	updater.DefaultUiUpdater = updater.NewUiUpdater(controller.ExternalUI, controller.ExternalUIURL, controller.ExternalUIName)
+	updater.DefaultUiUpdater.AutoDownloadUI()
+}
+
+//go:linkname temporaryUpdateGeneral github.com/metacubex/mihomo/config.temporaryUpdateGeneral
+func temporaryUpdateGeneral(general *config.General) func() {
+	oldGeneral := GetGeneral()
+	updateGeneral(general, false)
+	return func() {
+		updateGeneral(oldGeneral, false)
 	}
 }

-func updateGeneral(general *config.General) {
+func updateGeneral(general *config.General, logging bool) {
 	tunnel.SetMode(general.Mode)
 	tunnel.SetFindProcessMode(general.FindProcessMode)
 	resolver.DisableIPv6 = !general.IPv6

-	if general.TCPConcurrent {
-		dialer.SetTcpConcurrent(general.TCPConcurrent)
+	dialer.SetTcpConcurrent(general.TCPConcurrent)
+	if logging && general.TCPConcurrent {
 		log.Infoln("Use tcp concurrent")
 	}

 	inbound.SetTfo(general.InboundTfo)
 	inbound.SetMPTCP(general.InboundMPTCP)

+	keepalive.SetKeepAliveIdle(time.Duration(general.KeepAliveIdle) * time.Second)
+	keepalive.SetKeepAliveInterval(time.Duration(general.KeepAliveInterval) * time.Second)
+	keepalive.SetDisableKeepAlive(general.DisableKeepAlive)
+
 	adapter.UnifiedDelay.Store(general.UnifiedDelay)

 	dialer.DefaultInterface.Store(general.Interface)
 	dialer.DefaultRoutingMark.Store(int32(general.RoutingMark))
-	if general.RoutingMark > 0 {
+	if logging && general.RoutingMark > 0 {
 		log.Infoln("Use routing mark: %#x", general.RoutingMark)
 	}

 	iface.FlushCache()
-	G.SetLoader(general.GeodataLoader)
-	G.SetSiteMatcher(general.GeositeMatcher)
+
+	geodata.SetGeodataMode(general.GeodataMode)
+	geodata.SetLoader(general.GeodataLoader)
+	geodata.SetSiteMatcher(general.GeositeMatcher)
+	geodata.SetGeoIpUrl(general.GeoXUrl.GeoIp)
+	geodata.SetGeoSiteUrl(general.GeoXUrl.GeoSite)
+	geodata.SetMmdbUrl(general.GeoXUrl.Mmdb)
+	geodata.SetASNUrl(general.GeoXUrl.ASN)
+	mihomoHttp.SetUA(general.GlobalUA)
+	resource.SetETag(general.ETagSupport)
+
+	tlsC.SetGlobalUtlsClient(general.GlobalClientFingerprint)
 }

 func updateUsers(users []auth.AuthUser) {
--- a/hub/route/configs.go
+++ b/hub/route/configs.go
@@ -24,9 +24,11 @@ import (
 func configRouter() http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", getConfigs)
-	r.Put("/", updateConfigs)
-	r.Post("/geo", updateGeoDatabases)
-	r.Patch("/", patchConfigs)
+	if !embedMode { // disallow update/patch configs in embed mode
+		r.Put("/", updateConfigs)
+		r.Post("/geo", updateGeoDatabases)
+		r.Patch("/", patchConfigs)
+	}
 	return r
 }

--- a/hub/route/groups.go
+++ b/hub/route/groups.go
@@ -16,7 +16,7 @@ import (
 	"github.com/metacubex/mihomo/tunnel"
 )

-func GroupRouter() http.Handler {
+func groupRouter() http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", getGroups)

--- a/hub/route/patch_android.go
+++ b/hub/route/patch_android.go
@@ -0,0 +1,7 @@
+//go:build android && cmfa
+
+package route
+
+func init() {
+	SetEmbedMode(true) // set embed mode default
+}
--- a/hub/route/server.go
+++ b/hub/route/server.go
@@ -36,8 +36,14 @@ var (
 	tlsServer  *http.Server
 	unixServer *http.Server
 	pipeServer *http.Server
+
+	embedMode = false
 )

+func SetEmbedMode(embed bool) {
+	embedMode = embed
+}
+
 type Traffic struct {
 	Up   int64 `json:"up"`
 	Down int64 `json:"down"`
@@ -114,14 +120,16 @@ func router(isDebug bool, secret string, dohServer string, cors Cors) *chi.Mux {
 		r.Get("/version", version)
 		r.Mount("/configs", configRouter())
 		r.Mount("/proxies", proxyRouter())
-		r.Mount("/group", GroupRouter())
+		r.Mount("/group", groupRouter())
 		r.Mount("/rules", ruleRouter())
 		r.Mount("/connections", connectionRouter())
 		r.Mount("/providers/proxies", proxyProviderRouter())
 		r.Mount("/providers/rules", ruleProviderRouter())
 		r.Mount("/cache", cacheRouter())
 		r.Mount("/dns", dnsRouter())
-		r.Mount("/restart", restartRouter())
+		if !embedMode { // disallow restart in embed mode
+			r.Mount("/restart", restartRouter())
+		}
 		r.Mount("/upgrade", upgradeRouter())
 		addExternalRouters(r)

--- a/hub/route/upgrade.go
+++ b/hub/route/upgrade.go
@@ -14,9 +14,11 @@ import (

 func upgradeRouter() http.Handler {
 	r := chi.NewRouter()
-	r.Post("/", upgradeCore)
 	r.Post("/ui", updateUI)
-	r.Post("/geo", updateGeoDatabases)
+	if !embedMode { // disallow upgrade core/geo in embed mode
+		r.Post("/", upgradeCore)
+		r.Post("/geo", updateGeoDatabases)
+	}
 	return r
 }

@@ -47,7 +49,7 @@ func upgradeCore(w http.ResponseWriter, r *http.Request) {
 }

 func updateUI(w http.ResponseWriter, r *http.Request) {
-	err := updater.DownloadUI()
+	err := updater.DefaultUiUpdater.DownloadUI()
 	if err != nil {
 		log.Warnln("%s", err)
 		render.Status(r, http.StatusInternalServerError)
--- a/listener/sing_tun/server.go
+++ b/listener/sing_tun/server.go
@@ -279,7 +279,11 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis
 			return
 		}

-		defaultInterfaceMonitor, err = tun.NewDefaultInterfaceMonitor(networkUpdateMonitor, log.SingLogger, tun.DefaultInterfaceMonitorOptions{OverrideAndroidVPN: true})
+		overrideAndroidVPN := true
+		if disable, _ := strconv.ParseBool(os.Getenv("DISABLE_OVERRIDE_ANDROID_VPN")); disable {
+			overrideAndroidVPN = false
+		}
+		defaultInterfaceMonitor, err = tun.NewDefaultInterfaceMonitor(networkUpdateMonitor, log.SingLogger, tun.DefaultInterfaceMonitorOptions{InterfaceFinder: interfaceFinder, OverrideAndroidVPN: overrideAndroidVPN})
 		if err != nil {
 			err = E.Cause(err, "create DefaultInterfaceMonitor")
 			return
--- a/main.go
+++ b/main.go
@@ -1,9 +1,11 @@
 package main

 import (
+	"context"
 	"encoding/base64"
 	"flag"
 	"fmt"
+	"net"
 	"os"
 	"os/signal"
 	"path/filepath"
@@ -55,6 +57,12 @@ func init() {
 }

 func main() {
+	// Defensive programming: panic when code mistakenly calls net.DefaultResolver
+	net.DefaultResolver.PreferGo = true
+	net.DefaultResolver.Dial = func(ctx context.Context, network, address string) (net.Conn, error) {
+		panic("should never be called")
+	}
+
 	_, _ = maxprocs.Set(maxprocs.Logger(func(string, ...any) {}))

 	if len(os.Args) > 1 && os.Args[1] == "convert-ruleset" {
--- a/rules/common/ipasn.go
+++ b/rules/common/ipasn.go
@@ -1,8 +1,6 @@
 package common

 import (
-	"strconv"
-
 	"github.com/metacubex/mihomo/component/geodata"
 	"github.com/metacubex/mihomo/component/mmdb"
 	C "github.com/metacubex/mihomo/constant"
@@ -26,17 +24,14 @@ func (a *ASN) Match(metadata *C.Metadata) (bool, string) {
 		return false, ""
 	}

-	result := mmdb.ASNInstance().LookupASN(ip.AsSlice())
-	asnNumber := strconv.FormatUint(uint64(result.AutonomousSystemNumber), 10)
-	ipASN := asnNumber + " " + result.AutonomousSystemOrganization
+	asn, aso := mmdb.ASNInstance().LookupASN(ip.AsSlice())
 	if a.isSourceIP {
-		metadata.SrcIPASN = ipASN
+		metadata.SrcIPASN = asn + " " + aso
 	} else {
-		metadata.DstIPASN = ipASN
+		metadata.DstIPASN = asn + " " + aso
 	}

-	match := a.asn == asnNumber
-	return match, a.adapter
+	return a.asn == asn, a.adapter
 }

 func (a *ASN) RuleType() C.RuleType {
--- a/rules/common/ipcidr.go
+++ b/rules/common/ipcidr.go
@@ -40,7 +40,7 @@ func (i *IPCIDR) Match(metadata *C.Metadata) (bool, string) {
 	if i.isSourceIP {
 		ip = metadata.SrcIP
 	}
-	return ip.IsValid() && i.ipnet.Contains(ip), i.adapter
+	return ip.IsValid() && i.ipnet.Contains(ip.WithZone("")), i.adapter
 }

 func (i *IPCIDR) Adapter() string {
--- a/rules/provider/parse.go
+++ b/rules/provider/parse.go
@@ -16,13 +16,14 @@ var (
 )

 type ruleProviderSchema struct {
-	Type     string `provider:"type"`
-	Behavior string `provider:"behavior"`
-	Path     string `provider:"path,omitempty"`
-	URL      string `provider:"url,omitempty"`
-	Proxy    string `provider:"proxy,omitempty"`
-	Format   string `provider:"format,omitempty"`
-	Interval int    `provider:"interval,omitempty"`
+	Type      string `provider:"type"`
+	Behavior  string `provider:"behavior"`
+	Path      string `provider:"path,omitempty"`
+	URL       string `provider:"url,omitempty"`
+	Proxy     string `provider:"proxy,omitempty"`
+	Format    string `provider:"format,omitempty"`
+	Interval  int    `provider:"interval,omitempty"`
+	SizeLimit int64  `provider:"size-limit,omitempty"`
 }

 func ParseRuleProvider(name string, mapping map[string]interface{}, parse func(tp, payload, target string, params []string, subRules map[string][]C.Rule) (parsed C.Rule, parseErr error)) (P.RuleProvider, error) {
@@ -53,7 +54,7 @@ func ParseRuleProvider(name string, mapping map[string]interface{}, parse func(t
 				return nil, fmt.Errorf("%w: %s", errSubPath, path)
 			}
 		}
-		vehicle = resource.NewHTTPVehicle(schema.URL, path, schema.Proxy, nil, resource.DefaultHttpTimeout)
+		vehicle = resource.NewHTTPVehicle(schema.URL, path, schema.Proxy, nil, resource.DefaultHttpTimeout, schema.SizeLimit)
 	default:
 		return nil, fmt.Errorf("unsupported vehicle type: %s", schema.Type)
 	}
--- a/transport/hysteria/transport/client.go
+++ b/transport/hysteria/transport/client.go
@@ -4,7 +4,6 @@ import (
 	"crypto/tls"
 	"fmt"
 	"net"
-	"strings"
 	"time"

 	"github.com/metacubex/quic-go"
@@ -16,9 +15,7 @@ import (
 	"github.com/metacubex/mihomo/transport/hysteria/utils"
 )

-type ClientTransport struct {
-	Dialer *net.Dialer
-}
+type ClientTransport struct{}

 func (ct *ClientTransport) quicPacketConn(proto string, rAddr net.Addr, serverPorts string, obfs obfsPkg.Obfuscator, hopInterval time.Duration, dialer utils.PacketDialer) (net.PacketConn, error) {
 	server := rAddr.String()
@@ -86,23 +83,3 @@ func (ct *ClientTransport) QUICDial(proto string, server string, serverPorts str
 	}
 	return qs, nil
 }
-
-func (ct *ClientTransport) DialTCP(raddr *net.TCPAddr) (*net.TCPConn, error) {
-	conn, err := ct.Dialer.Dial("tcp", raddr.String())
-	if err != nil {
-		return nil, err
-	}
-	return conn.(*net.TCPConn), nil
-}
-
-func (ct *ClientTransport) ListenUDP() (*net.UDPConn, error) {
-	return net.ListenUDP("udp", nil)
-}
-
-func isMultiPortAddr(addr string) bool {
-	_, portStr, err := net.SplitHostPort(addr)
-	if err == nil && (strings.Contains(portStr, ",") || strings.Contains(portStr, "-")) {
-		return true
-	}
-	return false
-}
--- a/tunnel/statistic/manager.go
+++ b/tunnel/statistic/manager.go
@@ -114,10 +114,8 @@ func (m *Manager) handle() {
 	ticker := time.NewTicker(time.Second)

 	for range ticker.C {
-		m.uploadBlip.Store(m.uploadTemp.Load())
-		m.uploadTemp.Store(0)
-		m.downloadBlip.Store(m.downloadTemp.Load())
-		m.downloadTemp.Store(0)
+		m.uploadBlip.Store(m.uploadTemp.Swap(0))
+		m.downloadBlip.Store(m.downloadTemp.Swap(0))
 	}
 }

--- a/tunnel/statistic/tracker.go
+++ b/tunnel/statistic/tracker.go
@@ -117,24 +117,19 @@ func (tt *tcpTracker) Upstream() any {
 }

 func parseRemoteDestination(addr net.Addr, conn C.Connection) string {
-	if addr == nil && conn != nil {
-		return conn.RemoteDestination()
-	}
-	if addrPort, err := netip.ParseAddrPort(addr.String()); err == nil && addrPort.Addr().IsValid() {
-		return addrPort.Addr().String()
-	} else {
-		if conn != nil {
-			return conn.RemoteDestination()
-		} else {
-			return ""
+	if addr != nil {
+		if addrPort, err := netip.ParseAddrPort(addr.String()); err == nil && addrPort.Addr().IsValid() {
+			return addrPort.Addr().String()
 		}
 	}
+	if conn != nil {
+		return conn.RemoteDestination()
+	}
+	return ""
 }

 func NewTCPTracker(conn C.Conn, manager *Manager, metadata *C.Metadata, rule C.Rule, uploadTotal int64, downloadTotal int64, pushToManager bool) *tcpTracker {
-	if conn != nil {
-		metadata.RemoteDst = parseRemoteDestination(conn.RemoteAddr(), conn)
-	}
+	metadata.RemoteDst = parseRemoteDestination(conn.RemoteAddr(), conn)

 	t := &tcpTracker{
 		Conn:    conn,
--- a/tunnel/tunnel.go
+++ b/tunnel/tunnel.go
@@ -625,7 +625,7 @@ func match(metadata *C.Metadata) (C.Proxy, C.Rule, error) {
 				// normal check for process
 				uid, path, err := P.FindProcessName(metadata.NetWork.String(), metadata.SrcIP, int(metadata.SrcPort))
 				if err != nil {
-					log.Debugln("[Process] find process %s error: %v", metadata.String(), err)
+					log.Debugln("[Process] find process error for %s: %v", metadata.String(), err)
 				} else {
 					metadata.Process = filepath.Base(path)
 					metadata.ProcessPath = path
@@ -639,7 +639,7 @@ func match(metadata *C.Metadata) (C.Proxy, C.Rule, error) {
 				// check package names
 				pkg, err := P.FindPackageName(metadata)
 				if err != nil {
-					log.Debugln("[Process] find process %s error: %v", metadata.String(), err)
+					log.Debugln("[Process] find process error for %s: %v", metadata.String(), err)
 				} else {
 					metadata.Process = pkg
 				}
Author	SHA1	Message	Date
enfein	613becd8ea	feat: support mieru protocol (#1702 )	2024-12-09 12:05:11 +08:00
hingbong	d6b496d3c0	chore: allow upgrade ui in embed mode (#1692 )	2024-12-04 08:54:01 +08:00
ForestL	5a24efdabf	fix: DisableKeepAlive default value of android (#1690 )	2024-12-02 22:49:16 +08:00
wwqgtxx	9de9f1ef51	fix: don't panic when listen on `localhost` https://github.com/MetaCubeX/mihomo/issues/1655	2024-11-27 11:03:38 +08:00
wwqgtxx	fbead56ec9	feat: add `size-limit` for provider https://github.com/MetaCubeX/mihomo/issues/1645	2024-11-27 09:28:38 +08:00
wwqgtxx	1fff34d30e	chore: update quic-go to 0.48.2	2024-11-26 13:39:54 +08:00
wwqgtxx	a35f712478	chore: update gvisor	2024-11-26 10:28:07 +08:00
wwqgtxx	f805a9f4c6	chore: cleaned up some weird code	2024-11-26 10:04:41 +08:00
xishang0128	eb985b002e	chore: restful api displays more information	2024-11-21 22:50:54 +08:00
wwqgtxx	462343531e	chore: update sing-tun to v0.4.1	2024-11-21 11:06:25 +08:00
wwqgtxx	671d901ee2	ci: align loongarch golang version when it is not abi1	2024-11-18 10:41:15 +08:00
wwqgtxx	80e4eaad14	fix: process IPv6 Link-Local address (#1657 )	2024-11-18 10:34:43 +08:00
xishang0128	25b3c86d31	ci: update loongarch golang and android ndk	2024-11-17 23:31:46 +08:00
Chenx Dust	de19f927e8	chore: restful api display smux and mptcp	2024-11-14 10:08:02 +08:00
Larvan2	792f16265e	fix: find process panic	2024-11-08 16:29:32 +08:00
wwqgtxx	215bf0995f	chore: switch syscall.SyscallN back to syscall.Syscall6 Until the current version, SyscallN always escapes the variadic argument	2024-11-08 09:40:38 +08:00
wwqgtxx	91d54bdac1	fix: android tun start error	2024-11-06 20:04:14 +08:00
wwqgtxx	ce52c3438b	chore: cleaned up some confusing code	2024-11-05 10:03:21 +08:00
wwqgtxx	d4478dbfa2	chore: reduce the performance overhead of not enabling LoopBackDetector	2024-11-05 09:29:56 +08:00
wwqgtxx	69454b030e	chore: allow disabled overrideAndroidVPN by environment variable `DISABLE_OVERRIDE_ANDROID_VPN`	2024-11-05 09:15:30 +08:00
wwqgtxx	e6d1c8cedf	chore: update sing-tun to v0.4.0-rc.5	2024-11-05 09:12:20 +08:00
wwqgtxx	fabd216c34	chore: update quic-go to 0.48.1	2024-11-05 08:58:41 +08:00
xishang0128	a86c562852	chore: Increase support for other format of ASN	2024-11-04 19:31:43 +08:00
wwqgtxx	3e966e82c7	chore: update quic-go to 0.48.0	2024-10-21 09:38:21 +08:00
wwqgtxx	b9171ade7f	chore: update sing-tun to v0.4.0-rc.4	2024-10-21 09:17:37 +08:00
xishang0128	95af5f7325	chore: change subscription-userinfo retrieval	2024-10-20 06:01:02 +08:00
xishang0128	ca3f1ebae6	fix: sticky-sessions may not be effective	2024-10-12 08:26:37 +08:00
ForestL	4437c8861c	chore: better getUpdateTime() for iterating all Geofiles (#1570 )	2024-10-11 08:46:31 +08:00
xishang0128	57725078e0	chore: Adjust the error log for the search process	2024-10-11 07:35:51 +08:00
wwqgtxx	08dcef80bf	fix: mistaken using net.Dialer https://github.com/MetaCubeX/mihomo/issues/1572	2024-10-09 12:04:56 +08:00
wwqgtxx	9fd63fe938	chore: update dependencies	2024-10-06 10:34:54 +08:00
wwqgtxx	8e6eb70e71	chore: temporary update general in ParseRawConfig and rollback before its retur	2024-10-06 00:21:00 +08:00
wwqgtxx	9937ae1002	fix: defaultNS not working in system dns	2024-10-05 14:20:54 +08:00
wwqgtxx	8f5a86410c	chore: cleanup unneeded setting in parseGeneral, move to executor	2024-10-05 13:58:49 +08:00
wwqgtxx	9286e21026	chore: rebuild external ui updater	2024-10-05 13:40:00 +08:00
wwqgtxx	c63a851bba	feat: add `direct-nameserver` and `direct-nameserver-follow-policy` in `dns` section	2024-10-04 14:20:10 +08:00
wwqgtxx	4a16d22398	chore: no longer used net.DefaultResolver when `dns` section is disabled, now is equally only "system://"	2024-10-02 14:45:06 +08:00
wwqgtxx	990de84391	chore: better atomic using	2024-10-02 14:45:06 +08:00
Skyxim	ecd8facd81	chore: add warning for unified delay test when second failed	2024-10-01 03:14:37 +00:00
wwqgtxx	a330fa1506	chore: disallow some restful api for CMFA	2024-09-30 13:08:50 +08:00