chore: update utls to tag version

chore: simplify GetMemoryInfo in darwin
chore: add test for memory module
2026-03-04 12:57:31 +00:00 · 2025-09-24 16:05:38 +08:00 · 2025-09-24 02:53:35 +08:00 · 2025-09-24 02:35:04 +08:00 · 2025-09-24 02:25:26 +08:00 · 2025-09-24 02:21:47 +08:00
213 changed files with 12008 additions and 2440 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -29,14 +29,20 @@ jobs:
    strategy:
      matrix:
        jobs:
-          - { goos: darwin, goarch: arm64, output: arm64 }
+          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible } # old style file name will be removed in next released
          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible }
          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64 }
          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-v1 }
          - { goos: darwin, goarch: amd64, goamd64: v2, output: amd64-v2 }
          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-v3 }
          - { goos: darwin, goarch: arm64, output: arm64 }
          - { goos: linux, goarch: '386', go386: sse2, output: '386', debian: i386, rpm: i386}
          - { goos: linux, goarch: '386', go386: softfloat, output: '386-softfloat' }
-          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible, test: test }
+          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible} # old style file name will be removed in next released
          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64, debian: amd64, rpm: x86_64, pacman: x86_64}
          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-v1, debian: amd64, rpm: x86_64, pacman: x86_64, test: test }
          - { goos: linux, goarch: amd64, goamd64: v2, output: amd64-v2, debian: amd64, rpm: x86_64, pacman: x86_64}
          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-v3, debian: amd64, rpm: x86_64, pacman: x86_64}
          - { goos: linux, goarch: arm64, output: arm64, debian: arm64, rpm: aarch64, pacman: aarch64}  
          - { goos: linux, goarch: arm, goarm: '5', output: armv5 }
          - { goos: linux, goarch: arm, goarm: '6', output: armv6, debian: armel, rpm: armv6hl} 
@@ -54,13 +60,19 @@ jobs:
          - { goos: linux, goarch: ppc64le, output: ppc64le, debian: ppc64el, rpm: ppc64le }
          - { goos: windows, goarch: '386', output: '386' }
-          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible } # old style file name will be removed in next released
          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64 }
          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-v1 }
          - { goos: windows, goarch: amd64, goamd64: v2, output: amd64-v2 }
          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-v3 }
          - { goos: windows, goarch: arm64, output: arm64 }
          - { goos: freebsd, goarch: '386', output: '386' }
-          - { goos: freebsd, goarch: amd64, goamd64: v1, output: amd64-compatible }
+          - { goos: freebsd, goarch: amd64, goamd64: v1, output: amd64-compatible } # old style file name will be removed in next released
          - { goos: freebsd, goarch: amd64, goamd64: v3, output: amd64 }
          - { goos: freebsd, goarch: amd64, goamd64: v1, output: amd64-v1 }
          - { goos: freebsd, goarch: amd64, goamd64: v2, output: amd64-v2 }
          - { goos: freebsd, goarch: amd64, goamd64: v3, output: amd64-v3 }
          - { goos: freebsd, goarch: arm64, output: arm64 }
          - { goos: android, goarch: '386', ndk: i686-linux-android34, output: '386' }
@@ -68,49 +80,70 @@ jobs:
          - { goos: android, goarch: arm, ndk: armv7a-linux-androideabi34, output: armv7 }
          - { goos: android, goarch: arm64, ndk: aarch64-linux-android34, output: arm64-v8 }
          # Go 1.24 with special patch can work on Windows 7
          # https://github.com/MetaCubeX/go/commits/release-branch.go1.24/
          - { goos: windows, goarch: '386', output: '386-go124', goversion: '1.24' }
          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-v1-go124, goversion: '1.24' }
          - { goos: windows, goarch: amd64, goamd64: v2, output: amd64-v2-go124, goversion: '1.24' }
          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-v3-go124, goversion: '1.24' }
          # Go 1.23 with special patch can work on Windows 7
          # https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
          - { goos: windows, goarch: '386', output: '386-go123', goversion: '1.23' }
-          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go123, goversion: '1.23' }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-v1-go123, goversion: '1.23' }
-          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go123, goversion: '1.23' }
+          - { goos: windows, goarch: amd64, goamd64: v2, output: amd64-v2-go123, goversion: '1.23' }
          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-v3-go123, goversion: '1.23' }
          # Go 1.22 with special patch can work on Windows 7
          # https://github.com/MetaCubeX/go/commits/release-branch.go1.22/
          - { goos: windows, goarch: '386', output: '386-go122', goversion: '1.22' }
-          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go122, goversion: '1.22' }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-v1-go122, goversion: '1.22' }
-          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go122, goversion: '1.22' }
+          - { goos: windows, goarch: amd64, goamd64: v2, output: amd64-v2-go122, goversion: '1.22' }
          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-v3-go122, goversion: '1.22' }
          # Go 1.21 can revert commit `9e4385` to work on Windows 7
          # https://github.com/golang/go/issues/64622#issuecomment-1847475161
          # (OR we can just use golang1.21.4 which unneeded any patch)
          - { goos: windows, goarch: '386', output: '386-go121', goversion: '1.21' }
-          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go121, goversion: '1.21' }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-v1-go121, goversion: '1.21' }
-          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go121, goversion: '1.21' }
+          - { goos: windows, goarch: amd64, goamd64: v2, output: amd64-v2-go121, goversion: '1.21' }
          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-v3-go121, goversion: '1.21' }
          # Go 1.20 is the last release that will run on any release of Windows 7, 8, Server 2008 and Server 2012. Go 1.21 will require at least Windows 10 or Server 2016.
          - { goos: windows, goarch: '386', output: '386-go120', goversion: '1.20' }
-          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20' }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-v1-go120, goversion: '1.20' }
-          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go120, goversion: '1.20' }
+          - { goos: windows, goarch: amd64, goamd64: v2, output: amd64-v2-go120, goversion: '1.20' }
          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-v3-go120, goversion: '1.20' }
          # Go 1.24 is the last release that will run on macOS 11 Big Sur. Go 1.25 will require macOS 12 Monterey or later.
          - { goos: darwin, goarch: arm64, output: arm64-go124, goversion: '1.24' }
          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-v1-go124, goversion: '1.24' }
          - { goos: darwin, goarch: amd64, goamd64: v2, output: amd64-v2-go124, goversion: '1.24' }
          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-v3-go124, goversion: '1.24' }
          # Go 1.22 is the last release that will run on macOS 10.15 Catalina. Go 1.23 will require macOS 11 Big Sur or later.
          - { goos: darwin, goarch: arm64, output: arm64-go122, goversion: '1.22' }
-          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible-go122, goversion: '1.22' }
+          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-v1-go122, goversion: '1.22' }
-          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-go122, goversion: '1.22' }
+          - { goos: darwin, goarch: amd64, goamd64: v2, output: amd64-v2-go122, goversion: '1.22' }
          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-v3-go122, goversion: '1.22' }
          # Go 1.20 is the last release that will run on macOS 10.13 High Sierra or 10.14 Mojave. Go 1.21 will require macOS 10.15 Catalina or later.
          - { goos: darwin, goarch: arm64, output: arm64-go120, goversion: '1.20' }
-          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20' }
+          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-v1-go120, goversion: '1.20' }
-          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-go120, goversion: '1.20' }
+          - { goos: darwin, goarch: amd64, goamd64: v2, output: amd64-v2-go120, goversion: '1.20' }
          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-v3-go120, goversion: '1.20' }
          # Go 1.23 is the last release that requires Linux kernel version 2.6.32 or later. Go 1.24 will require Linux kernel version 3.2 or later.
          - { goos: linux, goarch: '386', output: '386-go123', goversion: '1.23' }
-          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible-go123, goversion: '1.23', test: test }
+          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-v1-go123, goversion: '1.23', test: test }
-          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-go123, goversion: '1.23' }
+          - { goos: linux, goarch: amd64, goamd64: v2, output: amd64-v2-go123, goversion: '1.23' }
          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-v3-go123, goversion: '1.23' }
          # only for test
          - { goos: linux, goarch: '386', output: '386-go120', goversion: '1.20' }
-          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20', test: test }
+          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-v1-go120, goversion: '1.20', test: test }
-          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-go120, goversion: '1.20' }
+          - { goos: linux, goarch: amd64, goamd64: v2, output: amd64-v2-go120, goversion: '1.20' }
          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-v3-go120, goversion: '1.20' }
    steps:
    - uses: actions/checkout@v4
@@ -119,7 +152,7 @@ jobs:
      if: ${{ matrix.jobs.goversion == '' && matrix.jobs.abi != '1' }}
      uses: actions/setup-go@v5
      with:
-        go-version: '1.24'
+        go-version: '1.25'
    - name: Set up Go
      if: ${{ matrix.jobs.goversion != '' && matrix.jobs.abi != '1' }}
@@ -134,6 +167,25 @@ jobs:
        sudo tar zxf go1.24.0.linux-amd64-abi1.tar.gz -C /usr/local
        echo "/usr/local/go/bin" >> $GITHUB_PATH
      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      # this patch file only works on golang1.25.x
      # that means after golang1.26 release it must be changed
      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
      # revert:
      # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
      # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
    - name: Revert Golang1.25 commit for Windows7/8
      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }}
      run: |
        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
        cd $(go env GOROOT)
        curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
        curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
        curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
        curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      # this patch file only works on golang1.24.x
      # that means after golang1.25 release it must be changed
@@ -144,8 +196,9 @@ jobs:
      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
    - name: Revert Golang1.24 commit for Windows7/8
-      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }}
+      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.24' }}
      run: |
        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
        cd $(go env GOROOT)
        curl https://github.com/MetaCubeX/go/commit/2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8.diff | patch --verbose -p 1
        curl https://github.com/MetaCubeX/go/commit/7b1fd7d39c6be0185fbe1d929578ab372ac5c632.diff | patch --verbose -p 1
@@ -164,6 +217,7 @@ jobs:
    - name: Revert Golang1.23 commit for Windows7/8
      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.23' }}
      run: |
        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
        cd $(go env GOROOT)
        curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
        curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
@@ -182,6 +236,7 @@ jobs:
    - name: Revert Golang1.22 commit for Windows7/8
      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.22' }}
      run: |
        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
        cd $(go env GOROOT)
        curl https://github.com/MetaCubeX/go/commit/9779155f18b6556a034f7bb79fb7fb2aad1e26a9.diff | patch --verbose -p 1
        curl https://github.com/MetaCubeX/go/commit/ef0606261340e608017860b423ffae5c1ce78239.diff | patch --verbose -p 1
@@ -192,6 +247,7 @@ jobs:
    - name: Revert Golang1.21 commit for Windows7/8
      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.21' }}
      run: |
        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
        cd $(go env GOROOT)
        curl https://github.com/golang/go/commit/9e43850a3298a9b8b1162ba0033d4c53f8637571.diff | patch --verbose -R -p 1
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,6 +24,7 @@ jobs:
          - 'ubuntu-24.04-arm' # arm64 linux
          - 'macos-13' # amd64 macos
        go-version:
          - '1.25'
          - '1.24'
          - '1.23'
          - '1.22'
@@ -47,6 +48,25 @@ jobs:
        with:
          go-version: ${{ matrix.go-version }}
      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      # this patch file only works on golang1.25.x
      # that means after golang1.26 release it must be changed
      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
      # revert:
      # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
      # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
      - name: Revert Golang1.25 commit for Windows7/8
        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.25' }}
        run: |
          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
          cd $(go env GOROOT)
          curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      # this patch file only works on golang1.24.x
      # that means after golang1.25 release it must be changed
@@ -59,6 +79,7 @@ jobs:
      - name: Revert Golang1.24 commit for Windows7/8
        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.24' }}
        run: |
          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
          cd $(go env GOROOT)
          curl https://github.com/MetaCubeX/go/commit/2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/7b1fd7d39c6be0185fbe1d929578ab372ac5c632.diff | patch --verbose -p 1
@@ -77,6 +98,7 @@ jobs:
      - name: Revert Golang1.23 commit for Windows7/8
        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.23' }}
        run: |
          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
          cd $(go env GOROOT)
          curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
@@ -95,6 +117,7 @@ jobs:
      - name: Revert Golang1.22 commit for Windows7/8
        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.22' }}
        run: |
          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
          cd $(go env GOROOT)
          curl https://github.com/MetaCubeX/go/commit/9779155f18b6556a034f7bb79fb7fb2aad1e26a9.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/ef0606261340e608017860b423ffae5c1ce78239.diff | patch --verbose -p 1
@@ -105,6 +128,7 @@ jobs:
      - name: Revert Golang1.21 commit for Windows7/8
        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.21' }}
        run: |
          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
          cd $(go env GOROOT)
          curl https://github.com/golang/go/commit/9e43850a3298a9b8b1162ba0033d4c53f8637571.diff | patch --verbose -R -p 1
--- a/57
+++ b/57
@@ -17,11 +17,19 @@ GOBUILD=CGO_ENABLED=0 go build -tags with_gvisor -trimpath -ldflags '-X "github.
 		-w -s -buildid='
 PLATFORM_LIST = \
 	darwin-386 \
 	darwin-amd64-compatible \
 	darwin-amd64 \
 	darwin-amd64-v1 \
 	darwin-amd64-v2 \
 	darwin-amd64-v3 \
 	darwin-arm64 \
 	linux-386 \
 	linux-amd64-compatible \
 	linux-amd64 \
 	linux-amd64-v1 \
 	linux-amd64-v2 \
 	linux-amd64-v3 \
 	linux-armv5 \
 	linux-armv6 \
 	linux-armv7 \
@@ -43,37 +51,61 @@ WINDOWS_ARCH_LIST = \
 	windows-386 \
 	windows-amd64-compatible \
 	windows-amd64 \
 	windows-amd64-v1 \
 	windows-amd64-v2 \
 	windows-amd64-v3 \
 	windows-arm64 \
    windows-arm32v7
-all:linux-amd64 linux-arm64\
+all:linux-amd64-v3 linux-arm64\
-	darwin-amd64 darwin-arm64\
+	darwin-amd64-v3 darwin-arm64\
- 	windows-amd64 windows-arm64\
+ 	windows-amd64-v3 windows-arm64\
-darwin-all: darwin-amd64 darwin-arm64
+darwin-all: darwin-amd64-v3 darwin-arm64
 docker:
 	GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
-darwin-amd64:
+darwin-386:
-	GOARCH=amd64 GOOS=darwin GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+	GOARCH=386 GOOS=darwin $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 darwin-amd64-compatible:
 	GOARCH=amd64 GOOS=darwin GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 darwin-amd64:
 	GOARCH=amd64 GOOS=darwin GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 darwin-amd64-v1:
 	GOARCH=amd64 GOOS=darwin GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 darwin-amd64-v2:
 	GOARCH=amd64 GOOS=darwin GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 darwin-amd64-v3:
 	GOARCH=amd64 GOOS=darwin GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 darwin-arm64:
 	GOARCH=arm64 GOOS=darwin $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 linux-386:
 	GOARCH=386 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 linux-amd64-compatible:
 	GOARCH=amd64 GOOS=linux GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 linux-amd64:
 	GOARCH=amd64 GOOS=linux GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
-linux-amd64-compatible:
+linux-amd64-v1:
 	GOARCH=amd64 GOOS=linux GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 linux-amd64-v2:
 	GOARCH=amd64 GOOS=linux GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 linux-amd64-v3:
 	GOARCH=amd64 GOOS=linux GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 linux-arm64:
 	GOARCH=arm64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
@@ -125,12 +157,21 @@ freebsd-arm64:
 windows-386:
 	GOARCH=386 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 windows-amd64-compatible:
 	GOARCH=amd64 GOOS=windows GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 windows-amd64:
 	GOARCH=amd64 GOOS=windows GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
-windows-amd64-compatible:
+windows-amd64-v1:
 	GOARCH=amd64 GOOS=windows GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 windows-amd64-v2:
 	GOARCH=amd64 GOOS=windows GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 windows-amd64-v3:
 	GOARCH=amd64 GOOS=windows GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 windows-arm64:
 	GOARCH=arm64 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
--- a/adapter/adapter.go
+++ b/adapter/adapter.go
@@ -2,7 +2,6 @@ package adapter
 import (
 	"context"
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net"
@@ -14,10 +13,10 @@ import (
 	"github.com/metacubex/mihomo/common/atomic"
 	"github.com/metacubex/mihomo/common/queue"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/common/xsync"
 	"github.com/metacubex/mihomo/component/ca"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 	"github.com/puzpuzpuz/xsync/v3"
 )
 var UnifiedDelay = atomic.NewBool(false)
@@ -35,7 +34,7 @@ type Proxy struct {
 	C.ProxyAdapter
 	alive   atomic.Bool
 	history *queue.Queue[C.DelayHistory]
-	extra   *xsync.MapOf[string, *internalProxyState]
+	extra   xsync.Map[string, *internalProxyState]
 }
 // Adapter implements C.Proxy
@@ -236,6 +235,11 @@ func (p *Proxy) URLTest(ctx context.Context, url string, expectedStatus utils.In
 	}
 	req = req.WithContext(ctx)
 	tlsConfig, err := ca.GetTLSConfig(ca.Option{})
 	if err != nil {
 		return
 	}
 	transport := &http.Transport{
 		DialContext: func(context.Context, string, string) (net.Conn, error) {
 			return instance, nil
@@ -245,7 +249,7 @@ func (p *Proxy) URLTest(ctx context.Context, url string, expectedStatus utils.In
 		IdleConnTimeout:       90 * time.Second,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
-		TLSClientConfig:       ca.GetGlobalTLSConfig(&tls.Config{}),
+		TLSClientConfig:       tlsConfig,
 	}
 	client := http.Client{
@@ -293,7 +297,7 @@ func NewProxy(adapter C.ProxyAdapter) *Proxy {
 		ProxyAdapter: adapter,
 		history:      queue.New[C.DelayHistory](defaultHistoriesNum),
 		alive:        atomic.NewBool(true),
-		extra:        xsync.NewMapOf[string, *internalProxyState]()}
+	}
 }
 func urlToMetadata(rawURL string) (addr C.Metadata, err error) {
--- a/adapter/outbound/anytls.go
+++ b/adapter/outbound/anytls.go
@@ -36,6 +36,8 @@ type AnyTLSOption struct {
 	ClientFingerprint        string     `proxy:"client-fingerprint,omitempty"`
 	SkipCertVerify           bool       `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint              string     `proxy:"fingerprint,omitempty"`
 	Certificate              string     `proxy:"certificate,omitempty"`
 	PrivateKey               string     `proxy:"private-key,omitempty"`
 	UDP                      bool       `proxy:"udp,omitempty"`
 	IdleSessionCheckInterval int        `proxy:"idle-session-check-interval,omitempty"`
 	IdleSessionTimeout       int        `proxy:"idle-session-timeout,omitempty"`
@@ -120,6 +122,8 @@ func NewAnyTLS(option AnyTLSOption) (*AnyTLS, error) {
 		SkipCertVerify:    option.SkipCertVerify,
 		NextProtos:        option.ALPN,
 		FingerPrint:       option.Fingerprint,
 		Certificate:       option.Certificate,
 		PrivateKey:        option.PrivateKey,
 		ClientFingerprint: option.ClientFingerprint,
 		ECH:               echConfig,
 	}
--- a/adapter/outbound/http.go
+++ b/adapter/outbound/http.go
@@ -37,6 +37,8 @@ type HttpOption struct {
 	SNI            string            `proxy:"sni,omitempty"`
 	SkipCertVerify bool              `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint    string            `proxy:"fingerprint,omitempty"`
 	Certificate    string            `proxy:"certificate,omitempty"`
 	PrivateKey     string            `proxy:"private-key,omitempty"`
 	Headers        map[string]string `proxy:"headers,omitempty"`
 }
@@ -167,10 +169,15 @@ func NewHttp(option HttpOption) (*Http, error) {
 			sni = option.SNI
 		}
 		var err error
-		tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{
+		tlsConfig, err = ca.GetTLSConfig(ca.Option{
-			InsecureSkipVerify: option.SkipCertVerify,
+			TLSConfig: &tls.Config{
-			ServerName:         sni,
+				InsecureSkipVerify: option.SkipCertVerify,
-		}, option.Fingerprint)
+				ServerName:         sni,
 			},
 			Fingerprint: option.Fingerprint,
 			Certificate: option.Certificate,
 			PrivateKey:  option.PrivateKey,
 		})
 		if err != nil {
 			return nil, err
 		}
--- a/adapter/outbound/hysteria.go
+++ b/adapter/outbound/hysteria.go
@@ -125,9 +125,9 @@ type HysteriaOption struct {
 	ECHOpts             ECHOptions `proxy:"ech-opts,omitempty"`
 	SkipCertVerify      bool       `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint         string     `proxy:"fingerprint,omitempty"`
 	Certificate         string     `proxy:"certificate,omitempty"`
 	PrivateKey          string     `proxy:"private-key,omitempty"`
 	ALPN                []string   `proxy:"alpn,omitempty"`
 	CustomCA            string     `proxy:"ca,omitempty"`
 	CustomCAString      string     `proxy:"ca-str,omitempty"`
 	ReceiveWindowConn   int        `proxy:"recv-window-conn,omitempty"`
 	ReceiveWindow       int        `proxy:"recv-window,omitempty"`
 	DisableMTUDiscovery bool       `proxy:"disable-mtu-discovery,omitempty"`
@@ -160,19 +160,21 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 		serverName = option.SNI
 	}
-	tlsConfig := &tls.Config{
+	tlsConfig, err := ca.GetTLSConfig(ca.Option{
-		ServerName:         serverName,
+		TLSConfig: &tls.Config{
-		InsecureSkipVerify: option.SkipCertVerify,
+			ServerName:         serverName,
-		MinVersion:         tls.VersionTLS13,
+			InsecureSkipVerify: option.SkipCertVerify,
-	}
+			MinVersion:         tls.VersionTLS13,
-
+		},
-	var err error
+		Fingerprint: option.Fingerprint,
-	tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString)
+		Certificate: option.Certificate,
 		PrivateKey:  option.PrivateKey,
 	})
 	if err != nil {
 		return nil, err
 	}
-	if len(option.ALPN) > 0 {
+	if option.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
 		tlsConfig.NextProtos = option.ALPN
 	} else {
 		tlsConfig.NextProtos = []string{DefaultALPN}
--- a/adapter/outbound/hysteria2.go
+++ b/adapter/outbound/hysteria2.go
@@ -55,9 +55,9 @@ type Hysteria2Option struct {
 	ECHOpts        ECHOptions `proxy:"ech-opts,omitempty"`
 	SkipCertVerify bool       `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint    string     `proxy:"fingerprint,omitempty"`
 	Certificate    string     `proxy:"certificate,omitempty"`
 	PrivateKey     string     `proxy:"private-key,omitempty"`
 	ALPN           []string   `proxy:"alpn,omitempty"`
 	CustomCA       string     `proxy:"ca,omitempty"`
 	CustomCAString string     `proxy:"ca-str,omitempty"`
 	CWND           int        `proxy:"cwnd,omitempty"`
 	UdpMTU         int        `proxy:"udp-mtu,omitempty"`
@@ -141,19 +141,21 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 		serverName = option.SNI
 	}
-	tlsConfig := &tls.Config{
+	tlsConfig, err := ca.GetTLSConfig(ca.Option{
-		ServerName:         serverName,
+		TLSConfig: &tls.Config{
-		InsecureSkipVerify: option.SkipCertVerify,
+			ServerName:         serverName,
-		MinVersion:         tls.VersionTLS13,
+			InsecureSkipVerify: option.SkipCertVerify,
-	}
+			MinVersion:         tls.VersionTLS13,
-
+		},
-	var err error
+		Fingerprint: option.Fingerprint,
-	tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString)
+		Certificate: option.Certificate,
 		PrivateKey:  option.PrivateKey,
 	})
 	if err != nil {
 		return nil, err
 	}
-	if len(option.ALPN) > 0 {
+	if option.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
 		tlsConfig.NextProtos = option.ALPN
 	}
--- a/adapter/outbound/mieru.go
+++ b/adapter/outbound/mieru.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"strconv"
 	"strings"
 	"sync"
 	CN "github.com/metacubex/mihomo/common/net"
@@ -28,15 +29,16 @@ type Mieru struct {
 type MieruOption struct {
 	BasicOption
-	Name         string `proxy:"name"`
+	Name          string `proxy:"name"`
-	Server       string `proxy:"server"`
+	Server        string `proxy:"server"`
-	Port         int    `proxy:"port,omitempty"`
+	Port          string `proxy:"port,omitempty"`
-	PortRange    string `proxy:"port-range,omitempty"`
+	PortRange     string `proxy:"port-range,omitempty"` // deprecated
-	Transport    string `proxy:"transport"`
+	Transport     string `proxy:"transport"`
-	UDP          bool   `proxy:"udp,omitempty"`
+	UDP           bool   `proxy:"udp,omitempty"`
-	UserName     string `proxy:"username"`
+	UserName      string `proxy:"username"`
-	Password     string `proxy:"password"`
+	Password      string `proxy:"password"`
-	Multiplexing string `proxy:"multiplexing,omitempty"`
+	Multiplexing  string `proxy:"multiplexing,omitempty"`
 	HandshakeMode string `proxy:"handshake-mode,omitempty"`
 }
 // DialContext implements C.ProxyAdapter
@@ -122,13 +124,19 @@ func NewMieru(option MieruOption) (*Mieru, error) {
 	}
 	// Client is started lazily on the first use.
 	// Use the first port to construct the address.
 	var addr string
-	if option.Port != 0 {
+	var portStr string
-		addr = net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+	if option.Port != "" {
 		portStr = option.Port
 	} else {
-		beginPort, _, _ := beginAndEndPortFromPortRange(option.PortRange)
+		portStr = option.PortRange
 		addr = net.JoinHostPort(option.Server, strconv.Itoa(beginPort))
 	}
 	firstPort, err := getFirstPort(portStr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get first port from port string %q: %w", portStr, err)
 	}
 	addr = net.JoinHostPort(option.Server, strconv.Itoa(firstPort))
 	outbound := &Mieru{
 		Base: &Base{
 			name:   option.Name,
@@ -182,54 +190,62 @@ func buildMieruClientConfig(option MieruOption) (*mieruclient.ClientConfig, erro
 	}
 	transportProtocol := mierupb.TransportProtocol_TCP.Enum()
-	var server *mierupb.ServerEndpoint
+
-	if net.ParseIP(option.Server) != nil {
+	portBindings := make([]*mierupb.PortBinding, 0)
-		// server is an IP address
+	if option.Port != "" {
-		if option.PortRange != "" {
+		parts := strings.Split(option.Port, ",")
-			server = &mierupb.ServerEndpoint{
+		for _, part := range parts {
-				IpAddress: proto.String(option.Server),
+			part = strings.TrimSpace(part)
-				PortBindings: []*mierupb.PortBinding{
+			if strings.Contains(part, "-") {
-					{
+				_, _, err := beginAndEndPortFromPortRange(part)
-						PortRange: proto.String(option.PortRange),
+				if err == nil {
 					portBindings = append(portBindings, &mierupb.PortBinding{
 						PortRange: proto.String(part),
 						Protocol:  transportProtocol,
-					},
+					})
-				},
+				} else {
-			}
+					return nil, err
-		} else {
+				}
-			server = &mierupb.ServerEndpoint{
+			} else {
-				IpAddress: proto.String(option.Server),
+				p, err := strconv.Atoi(part)
-				PortBindings: []*mierupb.PortBinding{
+				if err != nil {
-					{
+					return nil, fmt.Errorf("invalid port value: %s", part)
-						Port:     proto.Int32(int32(option.Port)),
+				}
-						Protocol: transportProtocol,
+				portBindings = append(portBindings, &mierupb.PortBinding{
-					},
+					Port:     proto.Int32(int32(p)),
-				},
+					Protocol: transportProtocol,
-			}
+				})
 		}
 	} else {
 		// server is a domain name
 		if option.PortRange != "" {
 			server = &mierupb.ServerEndpoint{
 				DomainName: proto.String(option.Server),
 				PortBindings: []*mierupb.PortBinding{
 					{
 						PortRange: proto.String(option.PortRange),
 						Protocol:  transportProtocol,
 					},
 				},
 			}
 		} else {
 			server = &mierupb.ServerEndpoint{
 				DomainName: proto.String(option.Server),
 				PortBindings: []*mierupb.PortBinding{
 					{
 						Port:     proto.Int32(int32(option.Port)),
 						Protocol: transportProtocol,
 					},
 				},
 			}
 		}
 	}
 	if option.PortRange != "" {
 		parts := strings.Split(option.PortRange, ",")
 		for _, part := range parts {
 			part = strings.TrimSpace(part)
 			if _, _, err := beginAndEndPortFromPortRange(part); err == nil {
 				portBindings = append(portBindings, &mierupb.PortBinding{
 					PortRange: proto.String(part),
 					Protocol:  transportProtocol,
 				})
 			}
 		}
 	}
 	var server *mierupb.ServerEndpoint
 	if net.ParseIP(option.Server) != nil {
 		// server is an IP address
 		server = &mierupb.ServerEndpoint{
 			IpAddress:    proto.String(option.Server),
 			PortBindings: portBindings,
 		}
 	} else {
 		// server is a domain name
 		server = &mierupb.ServerEndpoint{
 			DomainName:   proto.String(option.Server),
 			PortBindings: portBindings,
 		}
 	}
 	config := &mieruclient.ClientConfig{
 		Profile: &mierupb.ClientProfile{
 			ProfileName: proto.String(option.Name),
@@ -245,6 +261,9 @@ func buildMieruClientConfig(option MieruOption) (*mieruclient.ClientConfig, erro
 			Level: mierupb.MultiplexingLevel(multiplexing).Enum(),
 		}
 	}
 	if handshakeMode, ok := mierupb.HandshakeMode_value[option.HandshakeMode]; ok {
 		config.Profile.HandshakeMode = (*mierupb.HandshakeMode)(&handshakeMode)
 	}
 	return config, nil
 }
@@ -255,31 +274,9 @@ func validateMieruOption(option MieruOption) error {
 	if option.Server == "" {
 		return fmt.Errorf("server is empty")
 	}
-	if option.Port == 0 && option.PortRange == "" {
+	if option.Port == "" && option.PortRange == "" {
-		return fmt.Errorf("either port or port-range must be set")
+		return fmt.Errorf("port must be set")
 	}
 	if option.Port != 0 && option.PortRange != "" {
 		return fmt.Errorf("port and port-range cannot be set at the same time")
 	}
 	if option.Port != 0 && (option.Port < 1 || option.Port > 65535) {
 		return fmt.Errorf("port must be between 1 and 65535")
 	}
 	if option.PortRange != "" {
 		begin, end, err := beginAndEndPortFromPortRange(option.PortRange)
 		if err != nil {
 			return fmt.Errorf("invalid port-range format")
 		}
 		if begin < 1 || begin > 65535 {
 			return fmt.Errorf("begin port must be between 1 and 65535")
 		}
 		if end < 1 || end > 65535 {
 			return fmt.Errorf("end port must be between 1 and 65535")
 		}
 		if begin > end {
 			return fmt.Errorf("begin port must be less than or equal to end port")
 		}
 	}
 	if option.Transport != "TCP" {
 		return fmt.Errorf("transport must be TCP")
 	}
@@ -294,11 +291,44 @@ func validateMieruOption(option MieruOption) error {
 			return fmt.Errorf("invalid multiplexing level: %s", option.Multiplexing)
 		}
 	}
 	if option.HandshakeMode != "" {
 		if _, ok := mierupb.HandshakeMode_value[option.HandshakeMode]; !ok {
 			return fmt.Errorf("invalid handshake mode: %s", option.HandshakeMode)
 		}
 	}
 	return nil
 }
 func getFirstPort(portStr string) (int, error) {
 	if portStr == "" {
 		return 0, fmt.Errorf("port string is empty")
 	}
 	parts := strings.Split(portStr, ",")
 	firstPart := parts[0]
 	if strings.Contains(firstPart, "-") {
 		begin, _, err := beginAndEndPortFromPortRange(firstPart)
 		if err != nil {
 			return 0, err
 		}
 		return begin, nil
 	}
 	port, err := strconv.Atoi(firstPart)
 	if err != nil {
 		return 0, fmt.Errorf("invalid port format: %s", firstPart)
 	}
 	return port, nil
 }
 func beginAndEndPortFromPortRange(portRange string) (int, int, error) {
 	var begin, end int
 	_, err := fmt.Sscanf(portRange, "%d-%d", &begin, &end)
 	if err != nil {
 		return 0, 0, fmt.Errorf("invalid port range format: %w", err)
 	}
 	if begin > end {
 		return 0, 0, fmt.Errorf("begin port is greater than end port: %s", portRange)
 	}
 	return begin, end, err
 }
--- a/adapter/outbound/mieru_test.go
+++ b/adapter/outbound/mieru_test.go
@@ -1,22 +1,51 @@
 package outbound
-import "testing"
+import (
 	"reflect"
 	"testing"
 	mieruclient "github.com/enfein/mieru/v3/apis/client"
 	mierupb "github.com/enfein/mieru/v3/pkg/appctl/appctlpb"
 	"google.golang.org/protobuf/proto"
 )
 func TestNewMieru(t *testing.T) {
 	transportProtocol := mierupb.TransportProtocol_TCP.Enum()
 	testCases := []struct {
 		option       MieruOption
 		wantBaseAddr string
 		wantConfig   *mieruclient.ClientConfig
 	}{
 		{
 			option: MieruOption{
 				Name:      "test",
 				Server:    "1.2.3.4",
-				Port:      10000,
+				Port:      "10000",
 				Transport: "TCP",
 				UserName:  "test",
 				Password:  "test",
 			},
 			wantBaseAddr: "1.2.3.4:10000",
 			wantConfig: &mieruclient.ClientConfig{
 				Profile: &mierupb.ClientProfile{
 					ProfileName: proto.String("test"),
 					User: &mierupb.User{
 						Name:     proto.String("test"),
 						Password: proto.String("test"),
 					},
 					Servers: []*mierupb.ServerEndpoint{
 						{
 							IpAddress: proto.String("1.2.3.4"),
 							PortBindings: []*mierupb.PortBinding{
 								{
 									Port:     proto.Int32(10000),
 									Protocol: transportProtocol,
 								},
 							},
 						},
 					},
 				},
 			},
 		},
 		{
 			option: MieruOption{
@@ -28,28 +57,212 @@ func TestNewMieru(t *testing.T) {
 				Password:  "test",
 			},
 			wantBaseAddr: "[2001:db8::1]:10001",
 			wantConfig: &mieruclient.ClientConfig{
 				Profile: &mierupb.ClientProfile{
 					ProfileName: proto.String("test"),
 					User: &mierupb.User{
 						Name:     proto.String("test"),
 						Password: proto.String("test"),
 					},
 					Servers: []*mierupb.ServerEndpoint{
 						{
 							IpAddress: proto.String("2001:db8::1"),
 							PortBindings: []*mierupb.PortBinding{
 								{
 									PortRange: proto.String("10001-10002"),
 									Protocol:  transportProtocol,
 								},
 							},
 						},
 					},
 				},
 			},
 		},
 		{
 			option: MieruOption{
 				Name:      "test",
 				Server:    "example.com",
-				Port:      10003,
+				Port:      "10003",
 				Transport: "TCP",
 				UserName:  "test",
 				Password:  "test",
 			},
 			wantBaseAddr: "example.com:10003",
 			wantConfig: &mieruclient.ClientConfig{
 				Profile: &mierupb.ClientProfile{
 					ProfileName: proto.String("test"),
 					User: &mierupb.User{
 						Name:     proto.String("test"),
 						Password: proto.String("test"),
 					},
 					Servers: []*mierupb.ServerEndpoint{
 						{
 							DomainName: proto.String("example.com"),
 							PortBindings: []*mierupb.PortBinding{
 								{
 									Port:     proto.Int32(10003),
 									Protocol: transportProtocol,
 								},
 							},
 						},
 					},
 				},
 			},
 		},
 		{
 			option: MieruOption{
 				Name:      "test",
 				Server:    "example.com",
 				Port:      "10004,10005",
 				Transport: "TCP",
 				UserName:  "test",
 				Password:  "test",
 			},
 			wantBaseAddr: "example.com:10004",
 			wantConfig: &mieruclient.ClientConfig{
 				Profile: &mierupb.ClientProfile{
 					ProfileName: proto.String("test"),
 					User: &mierupb.User{
 						Name:     proto.String("test"),
 						Password: proto.String("test"),
 					},
 					Servers: []*mierupb.ServerEndpoint{
 						{
 							DomainName: proto.String("example.com"),
 							PortBindings: []*mierupb.PortBinding{
 								{
 									Port:     proto.Int32(10004),
 									Protocol: transportProtocol,
 								},
 								{
 									Port:     proto.Int32(10005),
 									Protocol: transportProtocol,
 								},
 							},
 						},
 					},
 				},
 			},
 		},
 		{
 			option: MieruOption{
 				Name:      "test",
 				Server:    "example.com",
 				Port:      "10006-10007,11000",
 				Transport: "TCP",
 				UserName:  "test",
 				Password:  "test",
 			},
 			wantBaseAddr: "example.com:10006",
 			wantConfig: &mieruclient.ClientConfig{
 				Profile: &mierupb.ClientProfile{
 					ProfileName: proto.String("test"),
 					User: &mierupb.User{
 						Name:     proto.String("test"),
 						Password: proto.String("test"),
 					},
 					Servers: []*mierupb.ServerEndpoint{
 						{
 							DomainName: proto.String("example.com"),
 							PortBindings: []*mierupb.PortBinding{
 								{
 									PortRange: proto.String("10006-10007"),
 									Protocol:  transportProtocol,
 								},
 								{
 									Port:     proto.Int32(11000),
 									Protocol: transportProtocol,
 								},
 							},
 						},
 					},
 				},
 			},
 		},
 		{
 			option: MieruOption{
 				Name:      "test",
 				Server:    "example.com",
 				Port:      "10008",
 				PortRange: "10009-10010",
 				Transport: "TCP",
 				UserName:  "test",
 				Password:  "test",
 			},
 			wantBaseAddr: "example.com:10008",
 			wantConfig: &mieruclient.ClientConfig{
 				Profile: &mierupb.ClientProfile{
 					ProfileName: proto.String("test"),
 					User: &mierupb.User{
 						Name:     proto.String("test"),
 						Password: proto.String("test"),
 					},
 					Servers: []*mierupb.ServerEndpoint{
 						{
 							DomainName: proto.String("example.com"),
 							PortBindings: []*mierupb.PortBinding{
 								{
 									Port:     proto.Int32(10008),
 									Protocol: transportProtocol,
 								},
 								{
 									PortRange: proto.String("10009-10010"),
 									Protocol:  transportProtocol,
 								},
 							},
 						},
 					},
 				},
 			},
 		},
 	}
 	for _, testCase := range testCases {
 		mieru, err := NewMieru(testCase.option)
 		if err != nil {
-			t.Error(err)
+			t.Fatal(err)
 		}
 		config, err := mieru.client.Load()
 		if err != nil {
 			t.Fatal(err)
 		}
 		config.Dialer = nil
 		if mieru.addr != testCase.wantBaseAddr {
 			t.Errorf("got addr %q, want %q", mieru.addr, testCase.wantBaseAddr)
 		}
 		if !reflect.DeepEqual(config, testCase.wantConfig) {
 			t.Errorf("got config %+v, want %+v", config, testCase.wantConfig)
 		}
 	}
 }
 func TestNewMieruError(t *testing.T) {
 	testCases := []MieruOption{
 		{
 			Name:      "test",
 			Server:    "example.com",
 			Port:      "invalid",
 			PortRange: "invalid",
 			Transport: "TCP",
 			UserName:  "test",
 			Password:  "test",
 		},
 		{
 			Name:      "test",
 			Server:    "example.com",
 			Port:      "",
 			PortRange: "",
 			Transport: "TCP",
 			UserName:  "test",
 			Password:  "test",
 		},
 	}
 	for _, option := range testCases {
 		_, err := NewMieru(option)
 		if err == nil {
 			t.Errorf("expected error for option %+v, but got nil", option)
 		}
 	}
 }
@@ -63,6 +276,7 @@ func TestBeginAndEndPortFromPortRange(t *testing.T) {
 		{"1-10", 1, 10, false},
 		{"1000-2000", 1000, 2000, false},
 		{"65535-65535", 65535, 65535, false},
 		{"2000-1000", 0, 0, true},
 		{"1", 0, 0, true},
 		{"1-", 0, 0, true},
 		{"-10", 0, 0, true},
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@@ -11,7 +11,9 @@ import (
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/ntp"
 	gost "github.com/metacubex/mihomo/transport/gost-plugin"
 	"github.com/metacubex/mihomo/transport/kcptun"
 	"github.com/metacubex/mihomo/transport/restls"
 	obfs "github.com/metacubex/mihomo/transport/simple-obfs"
 	shadowtls "github.com/metacubex/mihomo/transport/sing-shadowtls"
@@ -35,6 +37,7 @@ type ShadowSocks struct {
 	gostOption      *gost.Option
 	shadowTLSOption *shadowtls.ShadowTLSOption
 	restlsConfig    *restls.Config
 	kcptunClient    *kcptun.Client
 }
 type ShadowSocksOption struct {
@@ -64,6 +67,8 @@ type v2rayObfsOption struct {
 	TLS                      bool              `obfs:"tls,omitempty"`
 	ECHOpts                  ECHOptions        `obfs:"ech-opts,omitempty"`
 	Fingerprint              string            `obfs:"fingerprint,omitempty"`
 	Certificate              string            `obfs:"certificate,omitempty"`
 	PrivateKey               string            `obfs:"private-key,omitempty"`
 	Headers                  map[string]string `obfs:"headers,omitempty"`
 	SkipCertVerify           bool              `obfs:"skip-cert-verify,omitempty"`
 	Mux                      bool              `obfs:"mux,omitempty"`
@@ -78,6 +83,8 @@ type gostObfsOption struct {
 	TLS            bool              `obfs:"tls,omitempty"`
 	ECHOpts        ECHOptions        `obfs:"ech-opts,omitempty"`
 	Fingerprint    string            `obfs:"fingerprint,omitempty"`
 	Certificate    string            `obfs:"certificate,omitempty"`
 	PrivateKey     string            `obfs:"private-key,omitempty"`
 	Headers        map[string]string `obfs:"headers,omitempty"`
 	SkipCertVerify bool              `obfs:"skip-cert-verify,omitempty"`
 	Mux            bool              `obfs:"mux,omitempty"`
@@ -87,6 +94,8 @@ type shadowTLSOption struct {
 	Password       string   `obfs:"password,omitempty"`
 	Host           string   `obfs:"host"`
 	Fingerprint    string   `obfs:"fingerprint,omitempty"`
 	Certificate    string   `obfs:"certificate,omitempty"`
 	PrivateKey     string   `obfs:"private-key,omitempty"`
 	SkipCertVerify bool     `obfs:"skip-cert-verify,omitempty"`
 	Version        int      `obfs:"version,omitempty"`
 	ALPN           []string `obfs:"alpn,omitempty"`
@@ -99,6 +108,32 @@ type restlsOption struct {
 	RestlsScript string `obfs:"restls-script,omitempty"`
 }
 type kcpTunOption struct {
 	Key          string `obfs:"key,omitempty"`
 	Crypt        string `obfs:"crypt,omitempty"`
 	Mode         string `obfs:"mode,omitempty"`
 	Conn         int    `obfs:"conn,omitempty"`
 	AutoExpire   int    `obfs:"autoexpire,omitempty"`
 	ScavengeTTL  int    `obfs:"scavengettl,omitempty"`
 	MTU          int    `obfs:"mtu,omitempty"`
 	SndWnd       int    `obfs:"sndwnd,omitempty"`
 	RcvWnd       int    `obfs:"rcvwnd,omitempty"`
 	DataShard    int    `obfs:"datashard,omitempty"`
 	ParityShard  int    `obfs:"parityshard,omitempty"`
 	DSCP         int    `obfs:"dscp,omitempty"`
 	NoComp       bool   `obfs:"nocomp,omitempty"`
 	AckNodelay   bool   `obfs:"acknodelay,omitempty"`
 	NoDelay      int    `obfs:"nodelay,omitempty"`
 	Interval     int    `obfs:"interval,omitempty"`
 	Resend       int    `obfs:"resend,omitempty"`
 	NoCongestion int    `obfs:"nc,omitempty"`
 	SockBuf      int    `obfs:"sockbuf,omitempty"`
 	SmuxVer      int    `obfs:"smuxver,omitempty"`
 	SmuxBuf      int    `obfs:"smuxbuf,omitempty"`
 	StreamBuf    int    `obfs:"streambuf,omitempty"`
 	KeepAlive    int    `obfs:"keepalive,omitempty"`
 }
 // StreamConnContext implements C.ProxyAdapter
 func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
 	useEarly := false
@@ -167,7 +202,27 @@ func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Diale
 			return nil, err
 		}
 	}
-	c, err := dialer.DialContext(ctx, "tcp", ss.addr)
+	var c net.Conn
 	if ss.kcptunClient != nil {
 		c, err = ss.kcptunClient.OpenStream(ctx, func(ctx context.Context) (net.PacketConn, net.Addr, error) {
 			if err = ss.ResolveUDP(ctx, metadata); err != nil {
 				return nil, nil, err
 			}
 			addr, err := resolveUDPAddr(ctx, "udp", ss.addr, ss.prefer)
 			if err != nil {
 				return nil, nil, err
 			}
 			pc, err := dialer.ListenPacket(ctx, "udp", "", addr.AddrPort())
 			if err != nil {
 				return nil, nil, err
 			}
 			return pc, addr, nil
 		})
 	} else {
 		c, err = dialer.DialContext(ctx, "tcp", ss.addr)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 	}
@@ -249,10 +304,18 @@ func (ss *ShadowSocks) SupportUOT() bool {
 	return ss.option.UDPOverTCP
 }
 func (ss *ShadowSocks) Close() error {
 	if ss.kcptunClient != nil {
 		return ss.kcptunClient.Close()
 	}
 	return nil
 }
 func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
-	method, err := shadowsocks.CreateMethod(context.Background(), option.Cipher, shadowsocks.MethodOptions{
+	method, err := shadowsocks.CreateMethod(option.Cipher, shadowsocks.MethodOptions{
 		Password: option.Password,
 		TimeFunc: ntp.Now,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("ss %s cipher: %s initialize error: %w", addr, option.Cipher, err)
@@ -263,6 +326,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	var obfsOption *simpleObfsOption
 	var shadowTLSOpt *shadowtls.ShadowTLSOption
 	var restlsConfig *restls.Config
 	var kcptunClient *kcptun.Client
 	obfsMode := ""
 	decoder := structure.NewDecoder(structure.Option{TagName: "obfs", WeaklyTypedInput: true})
@@ -300,6 +364,8 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			v2rayOption.TLS = true
 			v2rayOption.SkipCertVerify = opts.SkipCertVerify
 			v2rayOption.Fingerprint = opts.Fingerprint
 			v2rayOption.Certificate = opts.Certificate
 			v2rayOption.PrivateKey = opts.PrivateKey
 			echConfig, err := opts.ECHOpts.Parse()
 			if err != nil {
@@ -328,6 +394,8 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			gostOption.TLS = true
 			gostOption.SkipCertVerify = opts.SkipCertVerify
 			gostOption.Fingerprint = opts.Fingerprint
 			gostOption.Certificate = opts.Certificate
 			gostOption.PrivateKey = opts.PrivateKey
 			echConfig, err := opts.ECHOpts.Parse()
 			if err != nil {
@@ -348,6 +416,8 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			Password:          opt.Password,
 			Host:              opt.Host,
 			Fingerprint:       opt.Fingerprint,
 			Certificate:       opt.Certificate,
 			PrivateKey:        opt.PrivateKey,
 			ClientFingerprint: option.ClientFingerprint,
 			SkipCertVerify:    opt.SkipCertVerify,
 			Version:           opt.Version,
@@ -370,6 +440,39 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
 		}
 	} else if option.Plugin == kcptun.Mode {
 		obfsMode = kcptun.Mode
 		kcptunOpt := &kcpTunOption{}
 		if err := decoder.Decode(option.PluginOpts, kcptunOpt); err != nil {
 			return nil, fmt.Errorf("ss %s initialize kcptun-plugin error: %w", addr, err)
 		}
 		kcptunClient = kcptun.NewClient(kcptun.Config{
 			Key:          kcptunOpt.Key,
 			Crypt:        kcptunOpt.Crypt,
 			Mode:         kcptunOpt.Mode,
 			Conn:         kcptunOpt.Conn,
 			AutoExpire:   kcptunOpt.AutoExpire,
 			ScavengeTTL:  kcptunOpt.ScavengeTTL,
 			MTU:          kcptunOpt.MTU,
 			SndWnd:       kcptunOpt.SndWnd,
 			RcvWnd:       kcptunOpt.RcvWnd,
 			DataShard:    kcptunOpt.DataShard,
 			ParityShard:  kcptunOpt.ParityShard,
 			DSCP:         kcptunOpt.DSCP,
 			NoComp:       kcptunOpt.NoComp,
 			AckNodelay:   kcptunOpt.AckNodelay,
 			NoDelay:      kcptunOpt.NoDelay,
 			Interval:     kcptunOpt.Interval,
 			Resend:       kcptunOpt.Resend,
 			NoCongestion: kcptunOpt.NoCongestion,
 			SockBuf:      kcptunOpt.SockBuf,
 			SmuxVer:      kcptunOpt.SmuxVer,
 			SmuxBuf:      kcptunOpt.SmuxBuf,
 			StreamBuf:    kcptunOpt.StreamBuf,
 			KeepAlive:    kcptunOpt.KeepAlive,
 		})
 		option.UDPOverTCP = true // must open uot
 	}
 	switch option.UDPOverTCPVersion {
 	case uot.Version, uot.LegacyVersion:
@@ -400,5 +503,6 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 		obfsOption:      obfsOption,
 		shadowTLSOption: shadowTLSOpt,
 		restlsConfig:    restlsConfig,
 		kcptunClient:    kcptunClient,
 	}, nil
 }
--- a/adapter/outbound/socks5.go
+++ b/adapter/outbound/socks5.go
@@ -39,6 +39,8 @@ type Socks5Option struct {
 	UDP            bool   `proxy:"udp,omitempty"`
 	SkipCertVerify bool   `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint    string `proxy:"fingerprint,omitempty"`
 	Certificate    string `proxy:"certificate,omitempty"`
 	PrivateKey     string `proxy:"private-key,omitempty"`
 }
 // StreamConnContext implements C.ProxyAdapter
@@ -193,13 +195,16 @@ func (ss *Socks5) clientHandshakeContext(ctx context.Context, c net.Conn, addr s
 func NewSocks5(option Socks5Option) (*Socks5, error) {
 	var tlsConfig *tls.Config
 	if option.TLS {
 		tlsConfig = &tls.Config{
 			InsecureSkipVerify: option.SkipCertVerify,
 			ServerName:         option.Server,
 		}
 		var err error
-		tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
+		tlsConfig, err = ca.GetTLSConfig(ca.Option{
 			TLSConfig: &tls.Config{
 				InsecureSkipVerify: option.SkipCertVerify,
 				ServerName:         option.Server,
 			},
 			Fingerprint: option.Fingerprint,
 			Certificate: option.Certificate,
 			PrivateKey:  option.PrivateKey,
 		})
 		if err != nil {
 			return nil, err
 		}
--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@@ -48,6 +48,8 @@ type TrojanOption struct {
 	SNI               string         `proxy:"sni,omitempty"`
 	SkipCertVerify    bool           `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint       string         `proxy:"fingerprint,omitempty"`
 	Certificate       string         `proxy:"certificate,omitempty"`
 	PrivateKey        string         `proxy:"private-key,omitempty"`
 	UDP               bool           `proxy:"udp,omitempty"`
 	Network           string         `proxy:"network,omitempty"`
 	ECHOpts           ECHOptions     `proxy:"ech-opts,omitempty"`
@@ -95,19 +97,22 @@ func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.
 		}
 		alpn := trojan.DefaultWebsocketALPN
-		if len(t.option.ALPN) != 0 {
+		if t.option.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
 			alpn = t.option.ALPN
 		}
 		wsOpts.TLS = true
-		tlsConfig := &tls.Config{
+		wsOpts.TLSConfig, err = ca.GetTLSConfig(ca.Option{
-			NextProtos:         alpn,
+			TLSConfig: &tls.Config{
-			MinVersion:         tls.VersionTLS12,
+				NextProtos:         alpn,
-			InsecureSkipVerify: t.option.SkipCertVerify,
+				MinVersion:         tls.VersionTLS12,
-			ServerName:         t.option.SNI,
+				InsecureSkipVerify: t.option.SkipCertVerify,
-		}
+				ServerName:         t.option.SNI,
-
+			},
-		wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, t.option.Fingerprint)
+			Fingerprint: t.option.Fingerprint,
 			Certificate: t.option.Certificate,
 			PrivateKey:  t.option.PrivateKey,
 		})
 		if err != nil {
 			return nil, err
 		}
@@ -119,13 +124,15 @@ func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.
 		// default tcp network
 		// handle TLS
 		alpn := trojan.DefaultALPN
-		if len(t.option.ALPN) != 0 {
+		if t.option.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
 			alpn = t.option.ALPN
 		}
 		c, err = vmess.StreamTLSConn(ctx, c, &vmess.TLSConfig{
 			Host:              t.option.SNI,
 			SkipCertVerify:    t.option.SkipCertVerify,
 			FingerPrint:       t.option.Fingerprint,
 			Certificate:       t.option.Certificate,
 			PrivateKey:        t.option.PrivateKey,
 			ClientFingerprint: t.option.ClientFingerprint,
 			NextProtos:        alpn,
 			ECH:               t.echConfig,
@@ -363,15 +370,17 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			return c, nil
 		}
-		tlsConfig := &tls.Config{
+		tlsConfig, err := ca.GetTLSConfig(ca.Option{
-			NextProtos:         option.ALPN,
+			TLSConfig: &tls.Config{
-			MinVersion:         tls.VersionTLS12,
+				NextProtos:         option.ALPN,
-			InsecureSkipVerify: option.SkipCertVerify,
+				MinVersion:         tls.VersionTLS12,
-			ServerName:         option.SNI,
+				InsecureSkipVerify: option.SkipCertVerify,
-		}
+				ServerName:         option.SNI,
-
+			},
-		var err error
+			Fingerprint: option.Fingerprint,
-		tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
+			Certificate: option.Certificate,
 			PrivateKey:  option.PrivateKey,
 		})
 		if err != nil {
 			return nil, err
 		}
--- a/adapter/outbound/tuic.go
+++ b/adapter/outbound/tuic.go
@@ -55,8 +55,8 @@ type TuicOption struct {
 	CWND                 int        `proxy:"cwnd,omitempty"`
 	SkipCertVerify       bool       `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint          string     `proxy:"fingerprint,omitempty"`
-	CustomCA             string     `proxy:"ca,omitempty"`
+	Certificate          string     `proxy:"certificate,omitempty"`
-	CustomCAString       string     `proxy:"ca-str,omitempty"`
+	PrivateKey           string     `proxy:"private-key,omitempty"`
 	ReceiveWindowConn    int        `proxy:"recv-window-conn,omitempty"`
 	ReceiveWindow        int        `proxy:"recv-window,omitempty"`
 	DisableMTUDiscovery  bool       `proxy:"disable-mtu-discovery,omitempty"`
@@ -161,17 +161,20 @@ func (t *Tuic) ProxyInfo() C.ProxyInfo {
 func NewTuic(option TuicOption) (*Tuic, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	serverName := option.Server
 	tlsConfig := &tls.Config{
 		ServerName:         serverName,
 		InsecureSkipVerify: option.SkipCertVerify,
 		MinVersion:         tls.VersionTLS13,
 	}
 	if option.SNI != "" {
-		tlsConfig.ServerName = option.SNI
+		serverName = option.SNI
 	}
-	var err error
+	tlsConfig, err := ca.GetTLSConfig(ca.Option{
-	tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString)
+		TLSConfig: &tls.Config{
 			ServerName:         serverName,
 			InsecureSkipVerify: option.SkipCertVerify,
 			MinVersion:         tls.VersionTLS13,
 		},
 		Fingerprint: option.Fingerprint,
 		Certificate: option.Certificate,
 		PrivateKey:  option.PrivateKey,
 	})
 	if err != nil {
 		return nil, err
 	}
--- a/adapter/outbound/util.go
+++ b/adapter/outbound/util.go
@@ -39,6 +39,7 @@ func resolveUDPAddr(ctx context.Context, network, address string, prefer C.DNSPr
 	if err != nil {
 		return nil, err
 	}
 	var ip netip.Addr
 	switch prefer {
 	case C.IPv4Only:
@@ -56,7 +57,17 @@ func resolveUDPAddr(ctx context.Context, network, address string, prefer C.DNSPr
 	}
 	ip, port = resolver.LookupIP4P(ip, port)
-	return net.ResolveUDPAddr(network, net.JoinHostPort(ip.String(), port))
+
 	var uint16Port uint16
 	if port, err := strconv.ParseUint(port, 10, 16); err == nil {
 		uint16Port = uint16(port)
 	} else {
 		return nil, err
 	}
 	// our resolver always unmap before return, so unneeded unmap at here
 	// which is different with net.ResolveUDPAddr maybe return 4in6 address
 	// 4in6 addresses can cause some strange effects on sing-based code
 	return net.UDPAddrFromAddrPort(netip.AddrPortFrom(ip, uint16Port)), nil
 }
 func safeConnClose(c net.Conn, err error) {
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@@ -3,14 +3,10 @@ package outbound
 import (
 	"context"
 	"crypto/tls"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"strconv"
 	"sync"
 	"github.com/metacubex/mihomo/common/convert"
 	N "github.com/metacubex/mihomo/common/net"
@@ -23,6 +19,7 @@ import (
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/gun"
 	"github.com/metacubex/mihomo/transport/vless"
 	"github.com/metacubex/mihomo/transport/vless/encryption"
 	"github.com/metacubex/mihomo/transport/vmess"
 	vmessSing "github.com/metacubex/sing-vmess"
@@ -30,16 +27,13 @@ import (
 	M "github.com/metacubex/sing/common/metadata"
 )
 const (
 	// max packet length
 	maxLength = 1024 << 3
 )
 type Vless struct {
 	*Base
 	client *vless.Client
 	option *VlessOption
 	encryption *encryption.ClientInstance
 	// for gun mux
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
@@ -62,6 +56,7 @@ type VlessOption struct {
 	PacketAddr        bool              `proxy:"packet-addr,omitempty"`
 	XUDP              bool              `proxy:"xudp,omitempty"`
 	PacketEncoding    string            `proxy:"packet-encoding,omitempty"`
 	Encryption        string            `proxy:"encryption,omitempty"`
 	Network           string            `proxy:"network,omitempty"`
 	ECHOpts           ECHOptions        `proxy:"ech-opts,omitempty"`
 	RealityOpts       RealityOptions    `proxy:"reality-opts,omitempty"`
@@ -69,10 +64,11 @@ type VlessOption struct {
 	HTTP2Opts         HTTP2Options      `proxy:"h2-opts,omitempty"`
 	GrpcOpts          GrpcOptions       `proxy:"grpc-opts,omitempty"`
 	WSOpts            WSOptions         `proxy:"ws-opts,omitempty"`
 	WSPath            string            `proxy:"ws-path,omitempty"`
 	WSHeaders         map[string]string `proxy:"ws-headers,omitempty"`
 	SkipCertVerify    bool              `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint       string            `proxy:"fingerprint,omitempty"`
 	Certificate       string            `proxy:"certificate,omitempty"`
 	PrivateKey        string            `proxy:"private-key,omitempty"`
 	ServerName        string            `proxy:"servername,omitempty"`
 	ClientFingerprint string            `proxy:"client-fingerprint,omitempty"`
 }
@@ -101,14 +97,17 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		}
 		if v.option.TLS {
 			wsOpts.TLS = true
-			tlsConfig := &tls.Config{
+			wsOpts.TLSConfig, err = ca.GetTLSConfig(ca.Option{
-				MinVersion:         tls.VersionTLS12,
+				TLSConfig: &tls.Config{
-				ServerName:         host,
+					MinVersion:         tls.VersionTLS12,
-				InsecureSkipVerify: v.option.SkipCertVerify,
+					ServerName:         host,
-				NextProtos:         []string{"http/1.1"},
+					InsecureSkipVerify: v.option.SkipCertVerify,
-			}
+					NextProtos:         []string{"http/1.1"},
-
+				},
-			wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint)
+				Fingerprint: v.option.Fingerprint,
 				Certificate: v.option.Certificate,
 				PrivateKey:  v.option.PrivateKey,
 			})
 			if err != nil {
 				return nil, err
 			}
@@ -173,6 +172,12 @@ func (v *Vless) streamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		done := N.SetupContextForConn(ctx, c)
 		defer done(&err)
 	}
 	if v.encryption != nil {
 		c, err = v.encryption.Handshake(c)
 		if err != nil {
 			return
 		}
 	}
 	if metadata.NetWork == C.UDP {
 		if v.option.PacketAddr {
 			metadata = &C.Metadata{
@@ -188,9 +193,6 @@ func (v *Vless) streamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			}
 		}
 		conn, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
 		if v.option.PacketAddr {
 			conn = packetaddr.NewBindConn(conn)
 		}
 	} else {
 		conn, err = v.client.StreamConn(c, parseVlessAddr(metadata, false))
 	}
@@ -208,6 +210,8 @@ func (v *Vless) streamTLSConn(ctx context.Context, conn net.Conn, isH2 bool) (ne
 			Host:              host,
 			SkipCertVerify:    v.option.SkipCertVerify,
 			FingerPrint:       v.option.Fingerprint,
 			Certificate:       v.option.Certificate,
 			PrivateKey:        v.option.PrivateKey,
 			ClientFingerprint: v.option.ClientFingerprint,
 			ECH:               v.echConfig,
 			Reality:           v.realityConfig,
@@ -352,12 +356,11 @@ func (v *Vless) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metada
 		), v), nil
 	} else if v.option.PacketAddr {
 		return newPacketConn(N.NewThreadSafePacketConn(
-			packetaddr.NewConn(&vlessPacketConn{
+			packetaddr.NewConn(v.client.PacketConn(c, metadata.UDPAddr()),
-				Conn: c, rAddr: metadata.UDPAddr(),
+				M.SocksaddrFromNet(metadata.UDPAddr())),
 			}, M.SocksaddrFromNet(metadata.UDPAddr())),
 		), v), nil
 	}
-	return newPacketConn(N.NewThreadSafePacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}), v), nil
+	return newPacketConn(N.NewThreadSafePacketConn(v.client.PacketConn(c, metadata.UDPAddr())), v), nil
 }
 // SupportUOT implements C.ProxyAdapter
@@ -408,101 +411,9 @@ func parseVlessAddr(metadata *C.Metadata, xudp bool) *vless.DstAddr {
 	}
 }
 type vlessPacketConn struct {
 	net.Conn
 	rAddr  net.Addr
 	remain int
 	mux    sync.Mutex
 	cache  [2]byte
 }
 func (c *vlessPacketConn) writePacket(payload []byte) (int, error) {
 	binary.BigEndian.PutUint16(c.cache[:], uint16(len(payload)))
 	if _, err := c.Conn.Write(c.cache[:]); err != nil {
 		return 0, err
 	}
 	return c.Conn.Write(payload)
 }
 func (c *vlessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
 	total := len(b)
 	if total == 0 {
 		return 0, nil
 	}
 	if total <= maxLength {
 		return c.writePacket(b)
 	}
 	offset := 0
 	for offset < total {
 		cursor := offset + maxLength
 		if cursor > total {
 			cursor = total
 		}
 		n, err := c.writePacket(b[offset:cursor])
 		if err != nil {
 			return offset + n, err
 		}
 		offset = cursor
 		if offset == total {
 			break
 		}
 	}
 	return total, nil
 }
 func (c *vlessPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
 	c.mux.Lock()
 	defer c.mux.Unlock()
 	if c.remain > 0 {
 		length := len(b)
 		if c.remain < length {
 			length = c.remain
 		}
 		n, err := c.Conn.Read(b[:length])
 		if err != nil {
 			return 0, c.rAddr, err
 		}
 		c.remain -= n
 		return n, c.rAddr, nil
 	}
 	if _, err := c.Conn.Read(b[:2]); err != nil {
 		return 0, c.rAddr, err
 	}
 	total := int(binary.BigEndian.Uint16(b[:2]))
 	if total == 0 {
 		return 0, c.rAddr, nil
 	}
 	length := len(b)
 	if length > total {
 		length = total
 	}
 	if _, err := io.ReadFull(c.Conn, b[:length]); err != nil {
 		return 0, c.rAddr, errors.New("read packet error")
 	}
 	c.remain = total - length
 	return length, c.rAddr, nil
 }
 func NewVless(option VlessOption) (*Vless, error) {
 	var addons *vless.Addons
-	if option.Network != "ws" && len(option.Flow) >= 16 {
+	if len(option.Flow) >= 16 {
 		option.Flow = option.Flow[:16]
 		if option.Flow != vless.XRV {
 			return nil, fmt.Errorf("unsupported xtls flow type: %s", option.Flow)
@@ -547,6 +458,11 @@ func NewVless(option VlessOption) (*Vless, error) {
 		option: &option,
 	}
 	v.encryption, err = encryption.NewClient(option.Encryption)
 	if err != nil {
 		return nil, err
 	}
 	v.realityConfig, err = v.option.RealityOpts.Parse()
 	if err != nil {
 		return nil, err
@@ -589,10 +505,15 @@ func NewVless(option VlessOption) (*Vless, error) {
 		}
 		var tlsConfig *tls.Config
 		if option.TLS {
-			tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{
+			tlsConfig, err = ca.GetTLSConfig(ca.Option{
-				InsecureSkipVerify: v.option.SkipCertVerify,
+				TLSConfig: &tls.Config{
-				ServerName:         v.option.ServerName,
+					InsecureSkipVerify: v.option.SkipCertVerify,
-			}, v.option.Fingerprint)
+					ServerName:         v.option.ServerName,
 				},
 				Fingerprint: v.option.Fingerprint,
 				Certificate: v.option.Certificate,
 				PrivateKey:  v.option.PrivateKey,
 			})
 			if err != nil {
 				return nil, err
 			}
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@@ -58,6 +58,8 @@ type VmessOption struct {
 	ALPN                []string       `proxy:"alpn,omitempty"`
 	SkipCertVerify      bool           `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint         string         `proxy:"fingerprint,omitempty"`
 	Certificate         string         `proxy:"certificate,omitempty"`
 	PrivateKey          string         `proxy:"private-key,omitempty"`
 	ServerName          string         `proxy:"servername,omitempty"`
 	ECHOpts             ECHOptions     `proxy:"ech-opts,omitempty"`
 	RealityOpts         RealityOptions `proxy:"reality-opts,omitempty"`
@@ -123,13 +125,16 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		if v.option.TLS {
 			wsOpts.TLS = true
-			tlsConfig := &tls.Config{
+			wsOpts.TLSConfig, err = ca.GetTLSConfig(ca.Option{
-				ServerName:         host,
+				TLSConfig: &tls.Config{
-				InsecureSkipVerify: v.option.SkipCertVerify,
+					ServerName:         host,
-				NextProtos:         []string{"http/1.1"},
+					InsecureSkipVerify: v.option.SkipCertVerify,
-			}
+					NextProtos:         []string{"http/1.1"},
-
+				},
-			wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint)
+				Fingerprint: v.option.Fingerprint,
 				Certificate: v.option.Certificate,
 				PrivateKey:  v.option.PrivateKey,
 			})
 			if err != nil {
 				return nil, err
 			}
@@ -178,6 +183,8 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			Host:              host,
 			SkipCertVerify:    v.option.SkipCertVerify,
 			FingerPrint:       v.option.Fingerprint,
 			Certificate:       v.option.Certificate,
 			PrivateKey:        v.option.PrivateKey,
 			NextProtos:        []string{"h2"},
 			ClientFingerprint: v.option.ClientFingerprint,
 			Reality:           v.realityConfig,
@@ -208,6 +215,8 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 				Host:              host,
 				SkipCertVerify:    v.option.SkipCertVerify,
 				FingerPrint:       v.option.Fingerprint,
 				Certificate:       v.option.Certificate,
 				PrivateKey:        v.option.PrivateKey,
 				ClientFingerprint: v.option.ClientFingerprint,
 				ECH:               v.echConfig,
 				Reality:           v.realityConfig,
@@ -501,10 +510,15 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		}
 		var tlsConfig *tls.Config
 		if option.TLS {
-			tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{
+			tlsConfig, err = ca.GetTLSConfig(ca.Option{
-				InsecureSkipVerify: v.option.SkipCertVerify,
+				TLSConfig: &tls.Config{
-				ServerName:         v.option.ServerName,
+					InsecureSkipVerify: v.option.SkipCertVerify,
-			}, v.option.Fingerprint)
+					ServerName:         v.option.ServerName,
 				},
 				Fingerprint: v.option.Fingerprint,
 				Certificate: v.option.Certificate,
 				PrivateKey:  v.option.PrivateKey,
 			})
 			if err != nil {
 				return nil, err
 			}
--- a/adapter/outbound/wireguard.go
+++ b/adapter/outbound/wireguard.go
@@ -87,15 +87,26 @@ type WireGuardPeerOption struct {
 }
 type AmneziaWGOption struct {
-	JC   int    `proxy:"jc"`
+	JC    int    `proxy:"jc,omitempty"`
-	JMin int    `proxy:"jmin"`
+	JMin  int    `proxy:"jmin,omitempty"`
-	JMax int    `proxy:"jmax"`
+	JMax  int    `proxy:"jmax,omitempty"`
-	S1   int    `proxy:"s1"`
+	S1    int    `proxy:"s1,omitempty"`
-	S2   int    `proxy:"s2"`
+	S2    int    `proxy:"s2,omitempty"`
-	H1   uint32 `proxy:"h1"`
+	S3    int    `proxy:"s3,omitempty"`    // AmneziaWG v1.5 and v2
-	H2   uint32 `proxy:"h2"`
+	S4    int    `proxy:"s4,omitempty"`    // AmneziaWG v1.5 and v2
-	H3   uint32 `proxy:"h3"`
+	H1    string `proxy:"h1,omitempty"`    // In AmneziaWG v1.x, it was uint32, but our WeaklyTypedInput can handle this situation
-	H4   uint32 `proxy:"h4"`
+	H2    string `proxy:"h2,omitempty"`    // In AmneziaWG v1.x, it was uint32, but our WeaklyTypedInput can handle this situation
 	H3    string `proxy:"h3,omitempty"`    // In AmneziaWG v1.x, it was uint32, but our WeaklyTypedInput can handle this situation
 	H4    string `proxy:"h4,omitempty"`    // In AmneziaWG v1.x, it was uint32, but our WeaklyTypedInput can handle this situation
 	I1    string `proxy:"i1,omitempty"`    // AmneziaWG v1.5 and v2
 	I2    string `proxy:"i2,omitempty"`    // AmneziaWG v1.5 and v2
 	I3    string `proxy:"i3,omitempty"`    // AmneziaWG v1.5 and v2
 	I4    string `proxy:"i4,omitempty"`    // AmneziaWG v1.5 and v2
 	I5    string `proxy:"i5,omitempty"`    // AmneziaWG v1.5 and v2
 	J1    string `proxy:"j1,omitempty"`    // AmneziaWG v1.5 only (removed in v2)
 	J2    string `proxy:"j2,omitempty"`    // AmneziaWG v1.5 only (removed in v2)
 	J3    string `proxy:"j3,omitempty"`    // AmneziaWG v1.5 only (removed in v2)
 	Itime int64  `proxy:"itime,omitempty"` // AmneziaWG v1.5 only (removed in v2)
 }
 type wgSingErrorHandler struct {
@@ -386,15 +397,66 @@ func (w *WireGuard) genIpcConf(ctx context.Context, updateOnly bool) (string, er
 	if !updateOnly {
 		ipcConf += "private_key=" + w.option.PrivateKey + "\n"
 		if w.option.AmneziaWGOption != nil {
-			ipcConf += "jc=" + strconv.Itoa(w.option.AmneziaWGOption.JC) + "\n"
+			if w.option.AmneziaWGOption.JC != 0 {
-			ipcConf += "jmin=" + strconv.Itoa(w.option.AmneziaWGOption.JMin) + "\n"
+				ipcConf += "jc=" + strconv.Itoa(w.option.AmneziaWGOption.JC) + "\n"
-			ipcConf += "jmax=" + strconv.Itoa(w.option.AmneziaWGOption.JMax) + "\n"
+			}
-			ipcConf += "s1=" + strconv.Itoa(w.option.AmneziaWGOption.S1) + "\n"
+			if w.option.AmneziaWGOption.JMin != 0 {
-			ipcConf += "s2=" + strconv.Itoa(w.option.AmneziaWGOption.S2) + "\n"
+				ipcConf += "jmin=" + strconv.Itoa(w.option.AmneziaWGOption.JMin) + "\n"
-			ipcConf += "h1=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H1), 10) + "\n"
+			}
-			ipcConf += "h2=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H2), 10) + "\n"
+			if w.option.AmneziaWGOption.JMax != 0 {
-			ipcConf += "h3=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H3), 10) + "\n"
+				ipcConf += "jmax=" + strconv.Itoa(w.option.AmneziaWGOption.JMax) + "\n"
-			ipcConf += "h4=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H4), 10) + "\n"
+			}
 			if w.option.AmneziaWGOption.S1 != 0 {
 				ipcConf += "s1=" + strconv.Itoa(w.option.AmneziaWGOption.S1) + "\n"
 			}
 			if w.option.AmneziaWGOption.S2 != 0 {
 				ipcConf += "s2=" + strconv.Itoa(w.option.AmneziaWGOption.S2) + "\n"
 			}
 			if w.option.AmneziaWGOption.S3 != 0 {
 				ipcConf += "s3=" + strconv.Itoa(w.option.AmneziaWGOption.S3) + "\n"
 			}
 			if w.option.AmneziaWGOption.S4 != 0 {
 				ipcConf += "s4=" + strconv.Itoa(w.option.AmneziaWGOption.S4) + "\n"
 			}
 			if w.option.AmneziaWGOption.H1 != "" {
 				ipcConf += "h1=" + w.option.AmneziaWGOption.H1 + "\n"
 			}
 			if w.option.AmneziaWGOption.H2 != "" {
 				ipcConf += "h2=" + w.option.AmneziaWGOption.H2 + "\n"
 			}
 			if w.option.AmneziaWGOption.H3 != "" {
 				ipcConf += "h3=" + w.option.AmneziaWGOption.H3 + "\n"
 			}
 			if w.option.AmneziaWGOption.H4 != "" {
 				ipcConf += "h4=" + w.option.AmneziaWGOption.H4 + "\n"
 			}
 			if w.option.AmneziaWGOption.I1 != "" {
 				ipcConf += "i1=" + w.option.AmneziaWGOption.I1 + "\n"
 			}
 			if w.option.AmneziaWGOption.I2 != "" {
 				ipcConf += "i2=" + w.option.AmneziaWGOption.I2 + "\n"
 			}
 			if w.option.AmneziaWGOption.I3 != "" {
 				ipcConf += "i3=" + w.option.AmneziaWGOption.I3 + "\n"
 			}
 			if w.option.AmneziaWGOption.I4 != "" {
 				ipcConf += "i4=" + w.option.AmneziaWGOption.I4 + "\n"
 			}
 			if w.option.AmneziaWGOption.I5 != "" {
 				ipcConf += "i5=" + w.option.AmneziaWGOption.I5 + "\n"
 			}
 			if w.option.AmneziaWGOption.J1 != "" {
 				ipcConf += "j1=" + w.option.AmneziaWGOption.J1 + "\n"
 			}
 			if w.option.AmneziaWGOption.J2 != "" {
 				ipcConf += "j2=" + w.option.AmneziaWGOption.J2 + "\n"
 			}
 			if w.option.AmneziaWGOption.J3 != "" {
 				ipcConf += "j3=" + w.option.AmneziaWGOption.J3 + "\n"
 			}
 			if w.option.AmneziaWGOption.Itime != 0 {
 				ipcConf += "itime=" + strconv.FormatInt(int64(w.option.AmneziaWGOption.Itime), 10) + "\n"
 			}
 		}
 	}
 	if len(w.option.Peers) > 0 {
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@@ -108,6 +108,9 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	switch schema.Type {
 	case "file":
 		path := C.Path.Resolve(schema.Path)
 		if !C.Path.IsSafePath(path) {
 			return nil, C.Path.ErrNotSafePath(path)
 		}
 		vehicle = resource.NewFileVehicle(path)
 	case "http":
 		path := C.Path.GetPathByHash("proxies", schema.URL)
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@@ -331,15 +331,22 @@ func (cp *CompatibleProvider) Close() error {
 }
 func NewProxiesParser(filter string, excludeFilter string, excludeType string, dialerProxy string, override OverrideSchema) (resource.Parser[[]C.Proxy], error) {
 	excludeFilterReg, err := regexp2.Compile(excludeFilter, regexp2.None)
 	if err != nil {
 		return nil, fmt.Errorf("invalid excludeFilter regex: %w", err)
 	}
 	var excludeTypeArray []string
 	if excludeType != "" {
 		excludeTypeArray = strings.Split(excludeType, "|")
 	}
 	var excludeFilterRegs []*regexp2.Regexp
 	if excludeFilter != "" {
 		for _, excludeFilter := range strings.Split(excludeFilter, "`") {
 			excludeFilterReg, err := regexp2.Compile(excludeFilter, regexp2.None)
 			if err != nil {
 				return nil, fmt.Errorf("invalid excludeFilter regex: %w", err)
 			}
 			excludeFilterRegs = append(excludeFilterRegs, excludeFilterReg)
 		}
 	}
 	var filterRegs []*regexp2.Regexp
 	for _, filter := range strings.Split(filter, "`") {
 		filterReg, err := regexp2.Compile(filter, regexp2.None)
@@ -367,8 +374,9 @@ func NewProxiesParser(filter string, excludeFilter string, excludeType string, d
 		proxies := []C.Proxy{}
 		proxiesSet := map[string]struct{}{}
 		for _, filterReg := range filterRegs {
 		LOOP1:
 			for idx, mapping := range schema.Proxies {
-				if nil != excludeTypeArray && len(excludeTypeArray) > 0 {
+				if len(excludeTypeArray) > 0 {
 					mType, ok := mapping["type"]
 					if !ok {
 						continue
@@ -377,18 +385,11 @@ func NewProxiesParser(filter string, excludeFilter string, excludeType string, d
 					if !ok {
 						continue
 					}
-					flag := false
+					for _, excludeType := range excludeTypeArray {
-					for i := range excludeTypeArray {
+						if strings.EqualFold(pType, excludeType) {
-						if strings.EqualFold(pType, excludeTypeArray[i]) {
+							continue LOOP1
 							flag = true
 							break
 						}
 					}
 					if flag {
 						continue
 					}
 				}
 				mName, ok := mapping["name"]
 				if !ok {
@@ -398,9 +399,11 @@ func NewProxiesParser(filter string, excludeFilter string, excludeType string, d
 				if !ok {
 					continue
 				}
-				if len(excludeFilter) > 0 {
+				if len(excludeFilterRegs) > 0 {
-					if mat, _ := excludeFilterReg.MatchString(name); mat {
+					for _, excludeFilterReg := range excludeFilterRegs {
-						continue
+						if mat, _ := excludeFilterReg.MatchString(name); mat {
 							continue LOOP1
 						}
 					}
 				}
 				if len(filter) > 0 {
--- a/common/atomic/value.go
+++ b/common/atomic/value.go
@@ -5,58 +5,50 @@ import (
 	"sync/atomic"
 )
 func DefaultValue[T any]() T {
 	var defaultValue T
 	return defaultValue
 }
 type TypedValue[T any] struct {
-	_     noCopy
+	value atomic.Pointer[T]
 	value atomic.Value
 }
-// tValue is a struct with determined type to resolve atomic.Value usages with interface types
+func (t *TypedValue[T]) Load() (v T) {
-// https://github.com/golang/go/issues/22550
+	v, _ = t.LoadOk()
-//
+	return
 // The intention to have an atomic value store for errors. However, running this code panics:
 // panic: sync/atomic: store of inconsistently typed value into Value
 // This is because atomic.Value requires that the underlying concrete type be the same (which is a reasonable expectation for its implementation).
 // When going through the atomic.Value.Store method call, the fact that both these are of the error interface is lost.
 type tValue[T any] struct {
 	value T
 }
-func (t *TypedValue[T]) Load() T {
+func (t *TypedValue[T]) LoadOk() (v T, ok bool) {
 	value, _ := t.LoadOk()
 	return value
 }
 func (t *TypedValue[T]) LoadOk() (_ T, ok bool) {
 	value := t.value.Load()
 	if value == nil {
-		return DefaultValue[T](), false
+		return
 	}
-	return value.(tValue[T]).value, true
+	return *value, true
 }
 func (t *TypedValue[T]) Store(value T) {
-	t.value.Store(tValue[T]{value})
+	t.value.Store(&value)
 }
-func (t *TypedValue[T]) Swap(new T) T {
+func (t *TypedValue[T]) Swap(new T) (v T) {
-	old := t.value.Swap(tValue[T]{new})
+	old := t.value.Swap(&new)
 	if old == nil {
-		return DefaultValue[T]()
+		return
 	}
-	return old.(tValue[T]).value
+	return *old
 }
 func (t *TypedValue[T]) CompareAndSwap(old, new T) bool {
-	return t.value.CompareAndSwap(tValue[T]{old}, tValue[T]{new}) ||
+	for {
-		// In the edge-case where [atomic.Value.Store] is uninitialized
+		currentP := t.value.Load()
-		// and trying to compare with the zero value of T,
+		var currentValue T
-		// then compare-and-swap with the nil any value.
+		if currentP != nil {
-		(any(old) == any(DefaultValue[T]()) && t.value.CompareAndSwap(any(nil), tValue[T]{new}))
+			currentValue = *currentP
 		}
 		// Compare old and current via runtime equality check.
 		if any(currentValue) != any(old) {
 			return false
 		}
 		if t.value.CompareAndSwap(currentP, &new) {
 			return true
 		}
 	}
 }
 func (t *TypedValue[T]) MarshalJSON() ([]byte, error) {
@@ -89,9 +81,3 @@ func NewTypedValue[T any](t T) (v TypedValue[T]) {
 	v.Store(t)
 	return
 }
 type noCopy struct{}
 // Lock is a no-op used by -copylocks checker from `go vet`.
 func (*noCopy) Lock()   {}
 func (*noCopy) Unlock() {}
--- a/common/atomic/value_test.go
+++ b/common/atomic/value_test.go
@@ -7,20 +7,6 @@ import (
 )
 func TestTypedValue(t *testing.T) {
 	{
 		// Always wrapping should not allocate for simple values
 		// because tValue[T] has the same memory layout as T.
 		var v TypedValue[bool]
 		bools := []bool{true, false}
 		if n := int(testing.AllocsPerRun(1000, func() {
 			for _, b := range bools {
 				v.Store(b)
 			}
 		})); n != 0 {
 			t.Errorf("AllocsPerRun = %d, want 0", n)
 		}
 	}
 	{
 		var v TypedValue[int]
 		got, gotOk := v.LoadOk()
@@ -58,20 +44,126 @@ func TestTypedValue(t *testing.T) {
 		}
 	}
 	{
 		e1, e2, e3 := io.EOF, &os.PathError{}, &os.PathError{}
 		var v TypedValue[error]
 		if v.CompareAndSwap(e1, e2) != false {
 			t.Fatalf("CompareAndSwap = true, want false")
 		}
 		if value := v.Load(); value != nil {
 			t.Fatalf("Load = (%v), want (%v)", value, nil)
 		}
 		if v.CompareAndSwap(nil, e1) != true {
 			t.Fatalf("CompareAndSwap = false, want true")
 		}
 		if value := v.Load(); value != e1 {
 			t.Fatalf("Load = (%v), want (%v)", value, e1)
 		}
 		if v.CompareAndSwap(e2, e3) != false {
 			t.Fatalf("CompareAndSwap = true, want false")
 		}
 		if value := v.Load(); value != e1 {
 			t.Fatalf("Load = (%v), want (%v)", value, e1)
 		}
 		if v.CompareAndSwap(e1, e2) != true {
 			t.Fatalf("CompareAndSwap = false, want true")
 		}
 		if value := v.Load(); value != e2 {
 			t.Fatalf("Load = (%v), want (%v)", value, e2)
 		}
 		if v.CompareAndSwap(e3, e2) != false {
 			t.Fatalf("CompareAndSwap = true, want false")
 		}
 		if value := v.Load(); value != e2 {
 			t.Fatalf("Load = (%v), want (%v)", value, e2)
 		}
 		if v.CompareAndSwap(nil, e3) != false {
 			t.Fatalf("CompareAndSwap = true, want false")
 		}
 		if value := v.Load(); value != e2 {
 			t.Fatalf("Load = (%v), want (%v)", value, e2)
 		}
 	}
 	{
 		c1, c2, c3 := make(chan struct{}), make(chan struct{}), make(chan struct{})
 		var v TypedValue[chan struct{}]
 		if v.CompareAndSwap(c1, c2) != false {
 			t.Fatalf("CompareAndSwap = true, want false")
 		}
 		if value := v.Load(); value != nil {
 			t.Fatalf("Load = (%v), want (%v)", value, nil)
 		}
 		if v.CompareAndSwap(nil, c1) != true {
 			t.Fatalf("CompareAndSwap = false, want true")
 		}
 		if value := v.Load(); value != c1 {
 			t.Fatalf("Load = (%v), want (%v)", value, c1)
 		}
 		if v.CompareAndSwap(c2, c3) != false {
 			t.Fatalf("CompareAndSwap = true, want false")
 		}
 		if value := v.Load(); value != c1 {
 			t.Fatalf("Load = (%v), want (%v)", value, c1)
 		}
 		if v.CompareAndSwap(c1, c2) != true {
 			t.Fatalf("CompareAndSwap = false, want true")
 		}
 		if value := v.Load(); value != c2 {
 			t.Fatalf("Load = (%v), want (%v)", value, c2)
 		}
 		if v.CompareAndSwap(c3, c2) != false {
 			t.Fatalf("CompareAndSwap = true, want false")
 		}
 		if value := v.Load(); value != c2 {
 			t.Fatalf("Load = (%v), want (%v)", value, c2)
 		}
 		if v.CompareAndSwap(nil, c3) != false {
 			t.Fatalf("CompareAndSwap = true, want false")
 		}
 		if value := v.Load(); value != c2 {
 			t.Fatalf("Load = (%v), want (%v)", value, c2)
 		}
 	}
 	{
 		c1, c2, c3 := &io.LimitedReader{}, &io.SectionReader{}, &io.SectionReader{}
 		var v TypedValue[io.Reader]
 		if v.CompareAndSwap(c1, c2) != false {
 			t.Fatalf("CompareAndSwap = true, want false")
 		}
 		if value := v.Load(); value != nil {
 			t.Fatalf("Load = (%v), want (%v)", value, nil)
 		}
 		if v.CompareAndSwap(nil, c1) != true {
 			t.Fatalf("CompareAndSwap = false, want true")
 		}
 		if value := v.Load(); value != c1 {
 			t.Fatalf("Load = (%v), want (%v)", value, c1)
 		}
 		if v.CompareAndSwap(c2, c3) != false {
 			t.Fatalf("CompareAndSwap = true, want false")
 		}
 		if value := v.Load(); value != c1 {
 			t.Fatalf("Load = (%v), want (%v)", value, c1)
 		}
 		if v.CompareAndSwap(c1, c2) != true {
 			t.Fatalf("CompareAndSwap = false, want true")
 		}
 		if value := v.Load(); value != c2 {
 			t.Fatalf("Load = (%v), want (%v)", value, c2)
 		}
 		if v.CompareAndSwap(c3, c2) != false {
 			t.Fatalf("CompareAndSwap = true, want false")
 		}
 		if value := v.Load(); value != c2 {
 			t.Fatalf("Load = (%v), want (%v)", value, c2)
 		}
 		if v.CompareAndSwap(nil, c3) != false {
 			t.Fatalf("CompareAndSwap = true, want false")
 		}
 		if value := v.Load(); value != c2 {
 			t.Fatalf("Load = (%v), want (%v)", value, c2)
 		}
 	}
 }
--- a/common/buf/sing.go
+++ b/common/buf/sing.go
@@ -14,6 +14,7 @@ var NewPacket = buf.NewPacket
 var NewSize = buf.NewSize
 var With = buf.With
 var As = buf.As
 var ReleaseMulti = buf.ReleaseMulti
 var (
 	Must  = common.Must
--- a/common/convert/converter.go
+++ b/common/convert/converter.go
@@ -208,6 +208,9 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			if err != nil {
 				continue
 			}
 			if decodedHost, err := tryDecodeBase64([]byte(urlVLess.Host)); err == nil {
 				urlVLess.Host = string(decodedHost)
 			}
 			query := urlVLess.Query()
 			vless := make(map[string]any, 20)
 			err = handleVShareLink(names, urlVLess, scheme, vless)
@@ -218,6 +221,9 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			if flow := query.Get("flow"); flow != "" {
 				vless["flow"] = strings.ToLower(flow)
 			}
 			if encryption := query.Get("encryption"); encryption != "" {
 				vless["encryption"] = encryption
 			}
 			proxies = append(proxies, vless)
 		case "vmess":
--- a/common/maphash/common.go
+++ b/common/maphash/common.go
@@ -0,0 +1,19 @@
 package maphash
 import "hash/maphash"
 type Seed = maphash.Seed
 func MakeSeed() Seed {
 	return maphash.MakeSeed()
 }
 type Hash = maphash.Hash
 func Bytes(seed Seed, b []byte) uint64 {
 	return maphash.Bytes(seed, b)
 }
 func String(seed Seed, s string) uint64 {
 	return maphash.String(seed, s)
 }
--- a/common/maphash/comparable_go120.go
+++ b/common/maphash/comparable_go120.go
@@ -0,0 +1,140 @@
 //go:build !go1.24
 package maphash
 import "unsafe"
 func Comparable[T comparable](s Seed, v T) uint64 {
 	return comparableHash(*(*seedTyp)(unsafe.Pointer(&s)), v)
 }
 func comparableHash[T comparable](seed seedTyp, v T) uint64 {
 	s := seed.s
 	var m map[T]struct{}
 	mTyp := iTypeOf(m)
 	var hasher func(unsafe.Pointer, uintptr) uintptr
 	hasher = (*iMapType)(unsafe.Pointer(mTyp)).Hasher
 	p := escape(unsafe.Pointer(&v))
 	if ptrSize == 8 {
 		return uint64(hasher(p, uintptr(s)))
 	}
 	lo := hasher(p, uintptr(s))
 	hi := hasher(p, uintptr(s>>32))
 	return uint64(hi)<<32 | uint64(lo)
 }
 // WriteComparable adds x to the data hashed by h.
 func WriteComparable[T comparable](h *Hash, x T) {
 	// writeComparable (not in purego mode) directly operates on h.state
 	// without using h.buf. Mix in the buffer length so it won't
 	// commute with a buffered write, which either changes h.n or changes
 	// h.state.
 	hash := (*hashTyp)(unsafe.Pointer(h))
 	if hash.n != 0 {
 		hash.state.s = comparableHash(hash.state, hash.n)
 	}
 	hash.state.s = comparableHash(hash.state, x)
 }
 // go/src/hash/maphash/maphash.go
 type hashTyp struct {
 	_     [0]func() // not comparable
 	seed  seedTyp   // initial seed used for this hash
 	state seedTyp   // current hash of all flushed bytes
 	buf   [128]byte // unflushed byte buffer
 	n     int       // number of unflushed bytes
 }
 type seedTyp struct {
 	s uint64
 }
 type iTFlag uint8
 type iKind uint8
 type iNameOff int32
 // TypeOff is the offset to a type from moduledata.types.  See resolveTypeOff in runtime.
 type iTypeOff int32
 type iType struct {
 	Size_       uintptr
 	PtrBytes    uintptr // number of (prefix) bytes in the type that can contain pointers
 	Hash        uint32  // hash of type; avoids computation in hash tables
 	TFlag       iTFlag  // extra type information flags
 	Align_      uint8   // alignment of variable with this type
 	FieldAlign_ uint8   // alignment of struct field with this type
 	Kind_       iKind   // enumeration for C
 	// function for comparing objects of this type
 	// (ptr to object A, ptr to object B) -> ==?
 	Equal func(unsafe.Pointer, unsafe.Pointer) bool
 	// GCData stores the GC type data for the garbage collector.
 	// Normally, GCData points to a bitmask that describes the
 	// ptr/nonptr fields of the type. The bitmask will have at
 	// least PtrBytes/ptrSize bits.
 	// If the TFlagGCMaskOnDemand bit is set, GCData is instead a
 	// **byte and the pointer to the bitmask is one dereference away.
 	// The runtime will build the bitmask if needed.
 	// (See runtime/type.go:getGCMask.)
 	// Note: multiple types may have the same value of GCData,
 	// including when TFlagGCMaskOnDemand is set. The types will, of course,
 	// have the same pointer layout (but not necessarily the same size).
 	GCData    *byte
 	Str       iNameOff // string form
 	PtrToThis iTypeOff // type for pointer to this type, may be zero
 }
 type iMapType struct {
 	iType
 	Key   *iType
 	Elem  *iType
 	Group *iType // internal type representing a slot group
 	// function for hashing keys (ptr to key, seed) -> hash
 	Hasher func(unsafe.Pointer, uintptr) uintptr
 }
 func iTypeOf(a any) *iType {
 	eface := *(*iEmptyInterface)(unsafe.Pointer(&a))
 	// Types are either static (for compiler-created types) or
 	// heap-allocated but always reachable (for reflection-created
 	// types, held in the central map). So there is no need to
 	// escape types. noescape here help avoid unnecessary escape
 	// of v.
 	return (*iType)(noescape(unsafe.Pointer(eface.Type)))
 }
 type iEmptyInterface struct {
 	Type *iType
 	Data unsafe.Pointer
 }
 // noescape hides a pointer from escape analysis.  noescape is
 // the identity function but escape analysis doesn't think the
 // output depends on the input.  noescape is inlined and currently
 // compiles down to zero instructions.
 // USE CAREFULLY!
 //
 // nolint:all
 //
 //go:nosplit
 //goland:noinspection ALL
 func noescape(p unsafe.Pointer) unsafe.Pointer {
 	x := uintptr(p)
 	return unsafe.Pointer(x ^ 0)
 }
 var alwaysFalse bool
 var escapeSink any
 // escape forces any pointers in x to escape to the heap.
 func escape[T any](x T) T {
 	if alwaysFalse {
 		escapeSink = x
 	}
 	return x
 }
 // ptrSize is the size of a pointer in bytes - unsafe.Sizeof(uintptr(0)) but as an ideal constant.
 // It is also the size of the machine's native word size (that is, 4 on 32-bit systems, 8 on 64-bit).
 const ptrSize = 4 << (^uintptr(0) >> 63)
--- a/common/maphash/comparable_go124.go
+++ b/common/maphash/comparable_go124.go
@@ -0,0 +1,13 @@
 //go:build go1.24
 package maphash
 import "hash/maphash"
 func Comparable[T comparable](seed Seed, v T) uint64 {
 	return maphash.Comparable(seed, v)
 }
 func WriteComparable[T comparable](h *Hash, x T) {
 	maphash.WriteComparable(h, x)
 }
--- a/common/maphash/maphash_test.go
+++ b/common/maphash/maphash_test.go
@@ -0,0 +1,532 @@
 // Copyright 2019 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package maphash
 import (
 	"bytes"
 	"fmt"
 	"hash"
 	"math"
 	"reflect"
 	"strings"
 	"testing"
 	"unsafe"
 	rand "github.com/metacubex/randv2"
 )
 func TestUnseededHash(t *testing.T) {
 	m := map[uint64]struct{}{}
 	for i := 0; i < 1000; i++ {
 		h := new(Hash)
 		m[h.Sum64()] = struct{}{}
 	}
 	if len(m) < 900 {
 		t.Errorf("empty hash not sufficiently random: got %d, want 1000", len(m))
 	}
 }
 func TestSeededHash(t *testing.T) {
 	s := MakeSeed()
 	m := map[uint64]struct{}{}
 	for i := 0; i < 1000; i++ {
 		h := new(Hash)
 		h.SetSeed(s)
 		m[h.Sum64()] = struct{}{}
 	}
 	if len(m) != 1 {
 		t.Errorf("seeded hash is random: got %d, want 1", len(m))
 	}
 }
 func TestHashGrouping(t *testing.T) {
 	b := bytes.Repeat([]byte("foo"), 100)
 	hh := make([]*Hash, 7)
 	for i := range hh {
 		hh[i] = new(Hash)
 	}
 	for _, h := range hh[1:] {
 		h.SetSeed(hh[0].Seed())
 	}
 	hh[0].Write(b)
 	hh[1].WriteString(string(b))
 	writeByte := func(h *Hash, b byte) {
 		err := h.WriteByte(b)
 		if err != nil {
 			t.Fatalf("WriteByte: %v", err)
 		}
 	}
 	writeSingleByte := func(h *Hash, b byte) {
 		_, err := h.Write([]byte{b})
 		if err != nil {
 			t.Fatalf("Write single byte: %v", err)
 		}
 	}
 	writeStringSingleByte := func(h *Hash, b byte) {
 		_, err := h.WriteString(string([]byte{b}))
 		if err != nil {
 			t.Fatalf("WriteString single byte: %v", err)
 		}
 	}
 	for i, x := range b {
 		writeByte(hh[2], x)
 		writeSingleByte(hh[3], x)
 		if i == 0 {
 			writeByte(hh[4], x)
 		} else {
 			writeSingleByte(hh[4], x)
 		}
 		writeStringSingleByte(hh[5], x)
 		if i == 0 {
 			writeByte(hh[6], x)
 		} else {
 			writeStringSingleByte(hh[6], x)
 		}
 	}
 	sum := hh[0].Sum64()
 	for i, h := range hh {
 		if sum != h.Sum64() {
 			t.Errorf("hash %d not identical to a single Write", i)
 		}
 	}
 	if sum1 := Bytes(hh[0].Seed(), b); sum1 != hh[0].Sum64() {
 		t.Errorf("hash using Bytes not identical to a single Write")
 	}
 	if sum1 := String(hh[0].Seed(), string(b)); sum1 != hh[0].Sum64() {
 		t.Errorf("hash using String not identical to a single Write")
 	}
 }
 func TestHashBytesVsString(t *testing.T) {
 	s := "foo"
 	b := []byte(s)
 	h1 := new(Hash)
 	h2 := new(Hash)
 	h2.SetSeed(h1.Seed())
 	n1, err1 := h1.WriteString(s)
 	if n1 != len(s) || err1 != nil {
 		t.Fatalf("WriteString(s) = %d, %v, want %d, nil", n1, err1, len(s))
 	}
 	n2, err2 := h2.Write(b)
 	if n2 != len(b) || err2 != nil {
 		t.Fatalf("Write(b) = %d, %v, want %d, nil", n2, err2, len(b))
 	}
 	if h1.Sum64() != h2.Sum64() {
 		t.Errorf("hash of string and bytes not identical")
 	}
 }
 func TestHashHighBytes(t *testing.T) {
 	// See issue 34925.
 	const N = 10
 	m := map[uint64]struct{}{}
 	for i := 0; i < N; i++ {
 		h := new(Hash)
 		h.WriteString("foo")
 		m[h.Sum64()>>32] = struct{}{}
 	}
 	if len(m) < N/2 {
 		t.Errorf("from %d seeds, wanted at least %d different hashes; got %d", N, N/2, len(m))
 	}
 }
 func TestRepeat(t *testing.T) {
 	h1 := new(Hash)
 	h1.WriteString("testing")
 	sum1 := h1.Sum64()
 	h1.Reset()
 	h1.WriteString("testing")
 	sum2 := h1.Sum64()
 	if sum1 != sum2 {
 		t.Errorf("different sum after resetting: %#x != %#x", sum1, sum2)
 	}
 	h2 := new(Hash)
 	h2.SetSeed(h1.Seed())
 	h2.WriteString("testing")
 	sum3 := h2.Sum64()
 	if sum1 != sum3 {
 		t.Errorf("different sum on the same seed: %#x != %#x", sum1, sum3)
 	}
 }
 func TestSeedFromSum64(t *testing.T) {
 	h1 := new(Hash)
 	h1.WriteString("foo")
 	x := h1.Sum64() // seed generated here
 	h2 := new(Hash)
 	h2.SetSeed(h1.Seed())
 	h2.WriteString("foo")
 	y := h2.Sum64()
 	if x != y {
 		t.Errorf("hashes don't match: want %x, got %x", x, y)
 	}
 }
 func TestSeedFromSeed(t *testing.T) {
 	h1 := new(Hash)
 	h1.WriteString("foo")
 	_ = h1.Seed() // seed generated here
 	x := h1.Sum64()
 	h2 := new(Hash)
 	h2.SetSeed(h1.Seed())
 	h2.WriteString("foo")
 	y := h2.Sum64()
 	if x != y {
 		t.Errorf("hashes don't match: want %x, got %x", x, y)
 	}
 }
 func TestSeedFromFlush(t *testing.T) {
 	b := make([]byte, 65)
 	h1 := new(Hash)
 	h1.Write(b) // seed generated here
 	x := h1.Sum64()
 	h2 := new(Hash)
 	h2.SetSeed(h1.Seed())
 	h2.Write(b)
 	y := h2.Sum64()
 	if x != y {
 		t.Errorf("hashes don't match: want %x, got %x", x, y)
 	}
 }
 func TestSeedFromReset(t *testing.T) {
 	h1 := new(Hash)
 	h1.WriteString("foo")
 	h1.Reset() // seed generated here
 	h1.WriteString("foo")
 	x := h1.Sum64()
 	h2 := new(Hash)
 	h2.SetSeed(h1.Seed())
 	h2.WriteString("foo")
 	y := h2.Sum64()
 	if x != y {
 		t.Errorf("hashes don't match: want %x, got %x", x, y)
 	}
 }
 func negativeZero[T float32 | float64]() T {
 	var f T
 	f = -f
 	return f
 }
 func TestComparable(t *testing.T) {
 	testComparable(t, int64(2))
 	testComparable(t, uint64(8))
 	testComparable(t, uintptr(12))
 	testComparable(t, any("s"))
 	testComparable(t, "s")
 	testComparable(t, true)
 	testComparable(t, new(float64))
 	testComparable(t, float64(9))
 	testComparable(t, complex128(9i+1))
 	testComparable(t, struct{}{})
 	testComparable(t, struct {
 		i int
 		u uint
 		b bool
 		f float64
 		p *int
 		a any
 	}{i: 9, u: 1, b: true, f: 9.9, p: new(int), a: 1})
 	type S struct {
 		s string
 	}
 	s1 := S{s: heapStr(t)}
 	s2 := S{s: heapStr(t)}
 	if unsafe.StringData(s1.s) == unsafe.StringData(s2.s) {
 		t.Fatalf("unexpected two heapStr ptr equal")
 	}
 	if s1.s != s2.s {
 		t.Fatalf("unexpected two heapStr value not equal")
 	}
 	testComparable(t, s1, s2)
 	testComparable(t, s1.s, s2.s)
 	testComparable(t, float32(0), negativeZero[float32]())
 	testComparable(t, float64(0), negativeZero[float64]())
 	testComparableNoEqual(t, math.NaN(), math.NaN())
 	testComparableNoEqual(t, [2]string{"a", ""}, [2]string{"", "a"})
 	testComparableNoEqual(t, struct{ a, b string }{"foo", ""}, struct{ a, b string }{"", "foo"})
 	testComparableNoEqual(t, struct{ a, b any }{int(0), struct{}{}}, struct{ a, b any }{struct{}{}, int(0)})
 }
 func testComparableNoEqual[T comparable](t *testing.T, v1, v2 T) {
 	seed := MakeSeed()
 	if Comparable(seed, v1) == Comparable(seed, v2) {
 		t.Fatalf("Comparable(seed, %v) == Comparable(seed, %v)", v1, v2)
 	}
 }
 var heapStrValue = []byte("aTestString")
 func heapStr(t *testing.T) string {
 	return string(heapStrValue)
 }
 func testComparable[T comparable](t *testing.T, v T, v2 ...T) {
 	t.Run(TypeFor[T]().String(), func(t *testing.T) {
 		var a, b T = v, v
 		if len(v2) != 0 {
 			b = v2[0]
 		}
 		var pa *T = &a
 		seed := MakeSeed()
 		if Comparable(seed, a) != Comparable(seed, b) {
 			t.Fatalf("Comparable(seed, %v) != Comparable(seed, %v)", a, b)
 		}
 		old := Comparable(seed, pa)
 		stackGrow(8192)
 		new := Comparable(seed, pa)
 		if old != new {
 			t.Fatal("Comparable(seed, ptr) != Comparable(seed, ptr)")
 		}
 	})
 }
 var use byte
 //go:noinline
 func stackGrow(dep int) {
 	if dep == 0 {
 		return
 	}
 	var local [1024]byte
 	// make sure local is allocated on the stack.
 	local[rand.Uint64()%1024] = byte(rand.Uint64())
 	use = local[rand.Uint64()%1024]
 	stackGrow(dep - 1)
 }
 func TestWriteComparable(t *testing.T) {
 	testWriteComparable(t, int64(2))
 	testWriteComparable(t, uint64(8))
 	testWriteComparable(t, uintptr(12))
 	testWriteComparable(t, any("s"))
 	testWriteComparable(t, "s")
 	testComparable(t, true)
 	testWriteComparable(t, new(float64))
 	testWriteComparable(t, float64(9))
 	testWriteComparable(t, complex128(9i+1))
 	testWriteComparable(t, struct{}{})
 	testWriteComparable(t, struct {
 		i int
 		u uint
 		b bool
 		f float64
 		p *int
 		a any
 	}{i: 9, u: 1, b: true, f: 9.9, p: new(int), a: 1})
 	type S struct {
 		s string
 	}
 	s1 := S{s: heapStr(t)}
 	s2 := S{s: heapStr(t)}
 	if unsafe.StringData(s1.s) == unsafe.StringData(s2.s) {
 		t.Fatalf("unexpected two heapStr ptr equal")
 	}
 	if s1.s != s2.s {
 		t.Fatalf("unexpected two heapStr value not equal")
 	}
 	testWriteComparable(t, s1, s2)
 	testWriteComparable(t, s1.s, s2.s)
 	testWriteComparable(t, float32(0), negativeZero[float32]())
 	testWriteComparable(t, float64(0), negativeZero[float64]())
 	testWriteComparableNoEqual(t, math.NaN(), math.NaN())
 	testWriteComparableNoEqual(t, [2]string{"a", ""}, [2]string{"", "a"})
 	testWriteComparableNoEqual(t, struct{ a, b string }{"foo", ""}, struct{ a, b string }{"", "foo"})
 	testWriteComparableNoEqual(t, struct{ a, b any }{int(0), struct{}{}}, struct{ a, b any }{struct{}{}, int(0)})
 }
 func testWriteComparableNoEqual[T comparable](t *testing.T, v1, v2 T) {
 	seed := MakeSeed()
 	h1 := Hash{}
 	h2 := Hash{}
 	*(*Seed)(unsafe.Pointer(&h1)), *(*Seed)(unsafe.Pointer(&h2)) = seed, seed
 	WriteComparable(&h1, v1)
 	WriteComparable(&h2, v2)
 	if h1.Sum64() == h2.Sum64() {
 		t.Fatalf("WriteComparable(seed, %v) == WriteComparable(seed, %v)", v1, v2)
 	}
 }
 func testWriteComparable[T comparable](t *testing.T, v T, v2 ...T) {
 	t.Run(TypeFor[T]().String(), func(t *testing.T) {
 		var a, b T = v, v
 		if len(v2) != 0 {
 			b = v2[0]
 		}
 		var pa *T = &a
 		h1 := Hash{}
 		h2 := Hash{}
 		*(*Seed)(unsafe.Pointer(&h1)) = MakeSeed()
 		h2 = h1
 		WriteComparable(&h1, a)
 		WriteComparable(&h2, b)
 		if h1.Sum64() != h2.Sum64() {
 			t.Fatalf("WriteComparable(h, %v) != WriteComparable(h, %v)", a, b)
 		}
 		WriteComparable(&h1, pa)
 		old := h1.Sum64()
 		stackGrow(8192)
 		WriteComparable(&h2, pa)
 		new := h2.Sum64()
 		if old != new {
 			t.Fatal("WriteComparable(seed, ptr) != WriteComparable(seed, ptr)")
 		}
 	})
 }
 func TestComparableShouldPanic(t *testing.T) {
 	s := []byte("s")
 	a := any(s)
 	defer func() {
 		e := recover()
 		err, ok := e.(error)
 		if !ok {
 			t.Fatalf("Comaparable(any([]byte)) should panic")
 		}
 		want := "hash of unhashable type []uint8"
 		if s := err.Error(); !strings.Contains(s, want) {
 			t.Fatalf("want %s, got %s", want, s)
 		}
 	}()
 	Comparable(MakeSeed(), a)
 }
 func TestWriteComparableNoncommute(t *testing.T) {
 	seed := MakeSeed()
 	var h1, h2 Hash
 	h1.SetSeed(seed)
 	h2.SetSeed(seed)
 	h1.WriteString("abc")
 	WriteComparable(&h1, 123)
 	WriteComparable(&h2, 123)
 	h2.WriteString("abc")
 	if h1.Sum64() == h2.Sum64() {
 		t.Errorf("WriteComparable and WriteString unexpectedly commute")
 	}
 }
 func TestComparableAllocations(t *testing.T) {
 	t.Skip("test broken in old golang version")
 	seed := MakeSeed()
 	x := heapStr(t)
 	allocs := testing.AllocsPerRun(10, func() {
 		s := "s" + x
 		Comparable(seed, s)
 	})
 	if allocs > 0 {
 		t.Errorf("got %v allocs, want 0", allocs)
 	}
 	type S struct {
 		a int
 		b string
 	}
 	allocs = testing.AllocsPerRun(10, func() {
 		s := S{123, "s" + x}
 		Comparable(seed, s)
 	})
 	if allocs > 0 {
 		t.Errorf("got %v allocs, want 0", allocs)
 	}
 }
 // Make sure a Hash implements the hash.Hash and hash.Hash64 interfaces.
 var _ hash.Hash = &Hash{}
 var _ hash.Hash64 = &Hash{}
 func benchmarkSize(b *testing.B, size int) {
 	h := &Hash{}
 	buf := make([]byte, size)
 	s := string(buf)
 	b.Run("Write", func(b *testing.B) {
 		b.SetBytes(int64(size))
 		for i := 0; i < b.N; i++ {
 			h.Reset()
 			h.Write(buf)
 			h.Sum64()
 		}
 	})
 	b.Run("Bytes", func(b *testing.B) {
 		b.SetBytes(int64(size))
 		seed := h.Seed()
 		for i := 0; i < b.N; i++ {
 			Bytes(seed, buf)
 		}
 	})
 	b.Run("String", func(b *testing.B) {
 		b.SetBytes(int64(size))
 		seed := h.Seed()
 		for i := 0; i < b.N; i++ {
 			String(seed, s)
 		}
 	})
 }
 func BenchmarkHash(b *testing.B) {
 	sizes := []int{4, 8, 16, 32, 64, 256, 320, 1024, 4096, 16384}
 	for _, size := range sizes {
 		b.Run(fmt.Sprint("n=", size), func(b *testing.B) {
 			benchmarkSize(b, size)
 		})
 	}
 }
 func benchmarkComparable[T comparable](b *testing.B, v T) {
 	b.Run(TypeFor[T]().String(), func(b *testing.B) {
 		seed := MakeSeed()
 		for i := 0; i < b.N; i++ {
 			Comparable(seed, v)
 		}
 	})
 }
 func BenchmarkComparable(b *testing.B) {
 	type testStruct struct {
 		i int
 		u uint
 		b bool
 		f float64
 		p *int
 		a any
 	}
 	benchmarkComparable(b, int64(2))
 	benchmarkComparable(b, uint64(8))
 	benchmarkComparable(b, uintptr(12))
 	benchmarkComparable(b, any("s"))
 	benchmarkComparable(b, "s")
 	benchmarkComparable(b, true)
 	benchmarkComparable(b, new(float64))
 	benchmarkComparable(b, float64(9))
 	benchmarkComparable(b, complex128(9i+1))
 	benchmarkComparable(b, struct{}{})
 	benchmarkComparable(b, testStruct{i: 9, u: 1, b: true, f: 9.9, p: new(int), a: 1})
 }
 // TypeFor returns the [Type] that represents the type argument T.
 func TypeFor[T any]() reflect.Type {
 	var v T
 	if t := reflect.TypeOf(v); t != nil {
 		return t // optimize for T being a non-interface kind
 	}
 	return reflect.TypeOf((*T)(nil)).Elem() // only for an interface kind
 }
--- a/common/net/deadline/conn.go
+++ b/common/net/deadline/conn.go
@@ -149,6 +149,10 @@ func (c *Conn) ReaderReplaceable() bool {
 	return c.disablePipe.Load() || c.deadline.Load().IsZero()
 }
 func (c *Conn) WriterReplaceable() bool {
 	return true
 }
 func (c *Conn) Upstream() any {
 	return c.ExtendedConn
 }
--- a/common/net/sing.go
+++ b/common/net/sing.go
@@ -1,9 +1,8 @@
 package net
 import (
-	"context"
+	"io"
 	"net"
 	"runtime"
 	"github.com/metacubex/mihomo/common/net/deadline"
@@ -22,11 +21,24 @@ type ExtendedReader = network.ExtendedReader
 var WriteBuffer = bufio.WriteBuffer
 type ReadWaitOptions = network.ReadWaitOptions
 var NewReadWaitOptions = network.NewReadWaitOptions
 type ReaderWithUpstream = network.ReaderWithUpstream
 type WithUpstreamReader = network.WithUpstreamReader
 type WriterWithUpstream = network.WriterWithUpstream
 type WithUpstreamWriter = network.WithUpstreamWriter
 type WithUpstream = common.WithUpstream
 var UnwrapReader = network.UnwrapReader
 var UnwrapWriter = network.UnwrapWriter
 func NewDeadlineConn(conn net.Conn) ExtendedConn {
-	if deadline.IsPipe(conn) || deadline.IsPipe(network.UnwrapReader(conn)) {
+	if deadline.IsPipe(conn) || deadline.IsPipe(UnwrapReader(conn)) {
 		return NewExtendedConn(conn) // pipe always have correctly deadline implement
 	}
-	if deadline.IsConn(conn) || deadline.IsConn(network.UnwrapReader(conn)) {
+	if deadline.IsConn(conn) || deadline.IsConn(UnwrapReader(conn)) {
 		return NewExtendedConn(conn) // was a *deadline.Conn
 	}
 	return deadline.NewConn(conn)
@@ -43,9 +55,37 @@ type CountFunc = network.CountFunc
 var Pipe = deadline.Pipe
-// Relay copies between left and right bidirectionally.
+func closeWrite(writer io.Closer) error {
-func Relay(leftConn, rightConn net.Conn) {
+	if c, ok := common.Cast[network.WriteCloser](writer); ok {
-	defer runtime.KeepAlive(leftConn)
+		return c.CloseWrite()
-	defer runtime.KeepAlive(rightConn)
+	}
-	_ = bufio.CopyConn(context.TODO(), leftConn, rightConn)
+	return writer.Close()
 }
 // Relay copies between left and right bidirectionally.
 // like [bufio.CopyConn] but remove unneeded [context.Context] handle and the cost of [task.Group]
 func Relay(leftConn, rightConn net.Conn) {
 	defer func() {
 		_ = leftConn.Close()
 		_ = rightConn.Close()
 	}()
 	ch := make(chan struct{})
 	go func() {
 		_, err := bufio.Copy(leftConn, rightConn)
 		if err == nil {
 			_ = closeWrite(leftConn)
 		} else {
 			_ = leftConn.Close()
 		}
 		close(ch)
 	}()
 	_, err := bufio.Copy(rightConn, leftConn)
 	if err == nil {
 		_ = closeWrite(rightConn)
 	} else {
 		_ = rightConn.Close()
 	}
 	<-ch
 }
--- a/common/queue/queue.go
+++ b/common/queue/queue.go
@@ -2,8 +2,6 @@ package queue
 import (
 	"sync"
 	"github.com/samber/lo"
 )
 // Queue is a simple concurrent safe queue
@@ -24,33 +22,32 @@ func (q *Queue[T]) Put(items ...T) {
 }
 // Pop returns the head of items.
-func (q *Queue[T]) Pop() T {
+func (q *Queue[T]) Pop() (head T) {
 	if len(q.items) == 0 {
-		return lo.Empty[T]()
+		return
 	}
 	q.lock.Lock()
-	head := q.items[0]
+	head = q.items[0]
 	q.items = q.items[1:]
 	q.lock.Unlock()
 	return head
 }
 // Last returns the last of item.
-func (q *Queue[T]) Last() T {
+func (q *Queue[T]) Last() (last T) {
 	if len(q.items) == 0 {
-		return lo.Empty[T]()
+		return
 	}
 	q.lock.RLock()
-	last := q.items[len(q.items)-1]
+	last = q.items[len(q.items)-1]
 	q.lock.RUnlock()
 	return last
 }
 // Copy get the copy of queue.
-func (q *Queue[T]) Copy() []T {
+func (q *Queue[T]) Copy() (items []T) {
 	items := []T{}
 	q.lock.RLock()
 	items = append(items, q.items...)
 	q.lock.RUnlock()
--- a/common/queue/queue_test.go
+++ b/common/queue/queue_test.go
@@ -0,0 +1,215 @@
 package queue
 import (
 	"sync"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 )
 // TestQueuePut tests the Put method of Queue
 func TestQueuePut(t *testing.T) {
 	// Initialize a new queue
 	q := New[int](10)
 	// Test putting a single item
 	q.Put(1)
 	assert.Equal(t, int64(1), q.Len(), "Queue length should be 1 after putting one item")
 	// Test putting multiple items
 	q.Put(2, 3, 4)
 	assert.Equal(t, int64(4), q.Len(), "Queue length should be 4 after putting three more items")
 	// Test putting zero items (should not change queue)
 	q.Put()
 	assert.Equal(t, int64(4), q.Len(), "Queue length should remain unchanged when putting zero items")
 }
 // TestQueuePop tests the Pop method of Queue
 func TestQueuePop(t *testing.T) {
 	// Initialize a new queue with items
 	q := New[int](10)
 	q.Put(1, 2, 3)
 	// Test popping items in FIFO order
 	item := q.Pop()
 	assert.Equal(t, 1, item, "First item popped should be 1")
 	assert.Equal(t, int64(2), q.Len(), "Queue length should be 2 after popping one item")
 	item = q.Pop()
 	assert.Equal(t, 2, item, "Second item popped should be 2")
 	assert.Equal(t, int64(1), q.Len(), "Queue length should be 1 after popping two items")
 	item = q.Pop()
 	assert.Equal(t, 3, item, "Third item popped should be 3")
 	assert.Equal(t, int64(0), q.Len(), "Queue length should be 0 after popping all items")
 }
 // TestQueuePopEmpty tests the Pop method on an empty queue
 func TestQueuePopEmpty(t *testing.T) {
 	// Initialize a new empty queue
 	q := New[int](0)
 	// Test popping from an empty queue
 	item := q.Pop()
 	assert.Equal(t, 0, item, "Popping from an empty queue should return the zero value")
 	assert.Equal(t, int64(0), q.Len(), "Queue length should remain 0 after popping from an empty queue")
 }
 // TestQueueLast tests the Last method of Queue
 func TestQueueLast(t *testing.T) {
 	// Initialize a new queue with items
 	q := New[int](10)
 	q.Put(1, 2, 3)
 	// Test getting the last item
 	item := q.Last()
 	assert.Equal(t, 3, item, "Last item should be 3")
 	assert.Equal(t, int64(3), q.Len(), "Queue length should remain unchanged after calling Last")
 	// Test Last on an empty queue
 	emptyQ := New[int](0)
 	emptyItem := emptyQ.Last()
 	assert.Equal(t, 0, emptyItem, "Last on an empty queue should return the zero value")
 }
 // TestQueueCopy tests the Copy method of Queue
 func TestQueueCopy(t *testing.T) {
 	// Initialize a new queue with items
 	q := New[int](10)
 	q.Put(1, 2, 3)
 	// Test copying the queue
 	copy := q.Copy()
 	assert.Equal(t, 3, len(copy), "Copy should have the same number of items as the original queue")
 	assert.Equal(t, 1, copy[0], "First item in copy should be 1")
 	assert.Equal(t, 2, copy[1], "Second item in copy should be 2")
 	assert.Equal(t, 3, copy[2], "Third item in copy should be 3")
 	// Verify that modifying the copy doesn't affect the original queue
 	copy[0] = 99
 	assert.Equal(t, 1, q.Pop(), "Original queue should not be affected by modifying the copy")
 }
 // TestQueueLen tests the Len method of Queue
 func TestQueueLen(t *testing.T) {
 	// Initialize a new empty queue
 	q := New[int](10)
 	assert.Equal(t, int64(0), q.Len(), "New queue should have length 0")
 	// Add items and check length
 	q.Put(1, 2)
 	assert.Equal(t, int64(2), q.Len(), "Queue length should be 2 after putting two items")
 	// Remove an item and check length
 	q.Pop()
 	assert.Equal(t, int64(1), q.Len(), "Queue length should be 1 after popping one item")
 }
 // TestQueueNew tests the New constructor
 func TestQueueNew(t *testing.T) {
 	// Test creating a new queue with different hints
 	q1 := New[int](0)
 	assert.NotNil(t, q1, "New queue should not be nil")
 	assert.Equal(t, int64(0), q1.Len(), "New queue should have length 0")
 	q2 := New[int](10)
 	assert.NotNil(t, q2, "New queue should not be nil")
 	assert.Equal(t, int64(0), q2.Len(), "New queue should have length 0")
 	// Test with a different type
 	q3 := New[string](5)
 	assert.NotNil(t, q3, "New queue should not be nil")
 	assert.Equal(t, int64(0), q3.Len(), "New queue should have length 0")
 }
 // TestQueueConcurrency tests the concurrency safety of Queue
 func TestQueueConcurrency(t *testing.T) {
 	// Initialize a new queue
 	q := New[int](100)
 	// Number of goroutines and operations
 	goroutines := 10
 	operations := 100
 	// Wait group to synchronize goroutines
 	wg := sync.WaitGroup{}
 	wg.Add(goroutines * 2) // For both producers and consumers
 	// Start producer goroutines
 	for i := 0; i < goroutines; i++ {
 		go func(id int) {
 			defer wg.Done()
 			for j := 0; j < operations; j++ {
 				q.Put(id*operations + j)
 				// Small sleep to increase chance of race conditions
 				time.Sleep(time.Microsecond)
 			}
 		}(i)
 	}
 	// Start consumer goroutines
 	consumed := make(chan int, goroutines*operations)
 	for i := 0; i < goroutines; i++ {
 		go func() {
 			defer wg.Done()
 			for j := 0; j < operations; j++ {
 				// Try to pop an item, but don't block if queue is empty
 				// Use a mutex to avoid race condition between Len() check and Pop()
 				q.lock.Lock()
 				if len(q.items) > 0 {
 					item := q.items[0]
 					q.items = q.items[1:]
 					q.lock.Unlock()
 					consumed <- item
 				} else {
 					q.lock.Unlock()
 				}
 				// Small sleep to increase chance of race conditions
 				time.Sleep(time.Microsecond)
 			}
 		}()
 	}
 	// Wait for all goroutines to finish
 	wg.Wait()
 	// Close the consumed channel
 	close(consumed)
 	// Count the number of consumed items
 	consumedCount := 0
 	for range consumed {
 		consumedCount++
 	}
 	// Check that the queue is in a consistent state
 	totalItems := goroutines * operations
 	remaining := int(q.Len())
 	assert.Equal(t, totalItems, consumedCount+remaining, "Total items should equal consumed items plus remaining items")
 }
 // TestQueueWithDifferentTypes tests the Queue with different types
 func TestQueueWithDifferentTypes(t *testing.T) {
 	// Test with string type
 	qString := New[string](5)
 	qString.Put("hello", "world")
 	assert.Equal(t, int64(2), qString.Len(), "Queue length should be 2")
 	assert.Equal(t, "hello", qString.Pop(), "First item should be 'hello'")
 	assert.Equal(t, "world", qString.Pop(), "Second item should be 'world'")
 	// Test with struct type
 	type Person struct {
 		Name string
 		Age  int
 	}
 	qStruct := New[Person](5)
 	qStruct.Put(Person{Name: "Alice", Age: 30}, Person{Name: "Bob", Age: 25})
 	assert.Equal(t, int64(2), qStruct.Len(), "Queue length should be 2")
 	firstPerson := qStruct.Pop()
 	assert.Equal(t, "Alice", firstPerson.Name, "First person's name should be 'Alice'")
 	secondPerson := qStruct.Pop()
 	assert.Equal(t, "Bob", secondPerson.Name, "Second person's name should be 'Bob'")
 }
--- a/common/xsync/map.go
+++ b/common/xsync/map.go
@@ -0,0 +1,926 @@
 package xsync
 // copy and modified from https://github.com/puzpuzpuz/xsync/blob/v4.1.0/map.go
 // which is licensed under Apache v2.
 //
 // mihomo modified:
 // 1. parallel Map resize has been removed to decrease the memory using.
 // 2. the zero Map is ready for use.
 import (
 	"fmt"
 	"math"
 	"math/bits"
 	"strings"
 	"sync"
 	"sync/atomic"
 	"unsafe"
 	"github.com/metacubex/mihomo/common/maphash"
 )
 const (
 	// number of Map entries per bucket; 5 entries lead to size of 64B
 	// (one cache line) on 64-bit machines
 	entriesPerMapBucket = 5
 	// threshold fraction of table occupation to start a table shrinking
 	// when deleting the last entry in a bucket chain
 	mapShrinkFraction = 128
 	// map load factor to trigger a table resize during insertion;
 	// a map holds up to mapLoadFactor*entriesPerMapBucket*mapTableLen
 	// key-value pairs (this is a soft limit)
 	mapLoadFactor = 0.75
 	// minimal table size, i.e. number of buckets; thus, minimal map
 	// capacity can be calculated as entriesPerMapBucket*defaultMinMapTableLen
 	defaultMinMapTableLen = 32
 	// minimum counter stripes to use
 	minMapCounterLen = 8
 	// maximum counter stripes to use; stands for around 4KB of memory
 	maxMapCounterLen         = 32
 	defaultMeta       uint64 = 0x8080808080808080
 	metaMask          uint64 = 0xffffffffff
 	defaultMetaMasked uint64 = defaultMeta & metaMask
 	emptyMetaSlot     uint8  = 0x80
 )
 type mapResizeHint int
 const (
 	mapGrowHint   mapResizeHint = 0
 	mapShrinkHint mapResizeHint = 1
 	mapClearHint  mapResizeHint = 2
 )
 type ComputeOp int
 const (
 	// CancelOp signals to Compute to not do anything as a result
 	// of executing the lambda. If the entry was not present in
 	// the map, nothing happens, and if it was present, the
 	// returned value is ignored.
 	CancelOp ComputeOp = iota
 	// UpdateOp signals to Compute to update the entry to the
 	// value returned by the lambda, creating it if necessary.
 	UpdateOp
 	// DeleteOp signals to Compute to always delete the entry
 	// from the map.
 	DeleteOp
 )
 type loadOp int
 const (
 	noLoadOp loadOp = iota
 	loadOrComputeOp
 	loadAndDeleteOp
 )
 // Map is like a Go map[K]V but is safe for concurrent
 // use by multiple goroutines without additional locking or
 // coordination. It follows the interface of sync.Map with
 // a number of valuable extensions like Compute or Size.
 //
 // A Map must not be copied after first use.
 //
 // Map uses a modified version of Cache-Line Hash Table (CLHT)
 // data structure: https://github.com/LPD-EPFL/CLHT
 //
 // CLHT is built around idea to organize the hash table in
 // cache-line-sized buckets, so that on all modern CPUs update
 // operations complete with at most one cache-line transfer.
 // Also, Get operations involve no write to memory, as well as no
 // mutexes or any other sort of locks. Due to this design, in all
 // considered scenarios Map outperforms sync.Map.
 //
 // Map also borrows ideas from Java's j.u.c.ConcurrentHashMap
 // (immutable K/V pair structs instead of atomic snapshots)
 // and C++'s absl::flat_hash_map (meta memory and SWAR-based
 // lookups).
 type Map[K comparable, V any] struct {
 	initOnce     sync.Once
 	totalGrowths atomic.Int64
 	totalShrinks atomic.Int64
 	resizing     atomic.Bool // resize in progress flag
 	resizeMu     sync.Mutex  // only used along with resizeCond
 	resizeCond   sync.Cond   // used to wake up resize waiters (concurrent modifications)
 	table        atomic.Pointer[mapTable[K, V]]
 	minTableLen  int
 	growOnly     bool
 }
 type mapTable[K comparable, V any] struct {
 	buckets []bucketPadded[K, V]
 	// striped counter for number of table entries;
 	// used to determine if a table shrinking is needed
 	// occupies min(buckets_memory/1024, 64KB) of memory
 	size []counterStripe
 	seed maphash.Seed
 }
 type counterStripe struct {
 	c int64
 	// Padding to prevent false sharing.
 	_ [cacheLineSize - 8]byte
 }
 // bucketPadded is a CL-sized map bucket holding up to
 // entriesPerMapBucket entries.
 type bucketPadded[K comparable, V any] struct {
 	//lint:ignore U1000 ensure each bucket takes two cache lines on both 32 and 64-bit archs
 	pad [cacheLineSize - unsafe.Sizeof(bucket[K, V]{})]byte
 	bucket[K, V]
 }
 type bucket[K comparable, V any] struct {
 	meta    atomic.Uint64
 	entries [entriesPerMapBucket]atomic.Pointer[entry[K, V]] // *entry
 	next    atomic.Pointer[bucketPadded[K, V]]               // *bucketPadded
 	mu      sync.Mutex
 }
 // entry is an immutable map entry.
 type entry[K comparable, V any] struct {
 	key   K
 	value V
 }
 // MapConfig defines configurable Map options.
 type MapConfig struct {
 	sizeHint int
 	growOnly bool
 }
 // WithPresize configures new Map instance with capacity enough
 // to hold sizeHint entries. The capacity is treated as the minimal
 // capacity meaning that the underlying hash table will never shrink
 // to a smaller capacity. If sizeHint is zero or negative, the value
 // is ignored.
 func WithPresize(sizeHint int) func(*MapConfig) {
 	return func(c *MapConfig) {
 		c.sizeHint = sizeHint
 	}
 }
 // WithGrowOnly configures new Map instance to be grow-only.
 // This means that the underlying hash table grows in capacity when
 // new keys are added, but does not shrink when keys are deleted.
 // The only exception to this rule is the Clear method which
 // shrinks the hash table back to the initial capacity.
 func WithGrowOnly() func(*MapConfig) {
 	return func(c *MapConfig) {
 		c.growOnly = true
 	}
 }
 // NewMap creates a new Map instance configured with the given
 // options.
 func NewMap[K comparable, V any](options ...func(*MapConfig)) *Map[K, V] {
 	c := &MapConfig{}
 	for _, o := range options {
 		o(c)
 	}
 	m := &Map[K, V]{}
 	if c.sizeHint > defaultMinMapTableLen*entriesPerMapBucket {
 		tableLen := nextPowOf2(uint32((float64(c.sizeHint) / entriesPerMapBucket) / mapLoadFactor))
 		m.minTableLen = int(tableLen)
 	}
 	m.growOnly = c.growOnly
 	return m
 }
 func (m *Map[K, V]) init() {
 	if m.minTableLen == 0 {
 		m.minTableLen = defaultMinMapTableLen
 	}
 	m.resizeCond = *sync.NewCond(&m.resizeMu)
 	table := newMapTable[K, V](m.minTableLen)
 	m.minTableLen = len(table.buckets)
 	m.table.Store(table)
 }
 func newMapTable[K comparable, V any](minTableLen int) *mapTable[K, V] {
 	buckets := make([]bucketPadded[K, V], minTableLen)
 	for i := range buckets {
 		buckets[i].meta.Store(defaultMeta)
 	}
 	counterLen := minTableLen >> 10
 	if counterLen < minMapCounterLen {
 		counterLen = minMapCounterLen
 	} else if counterLen > maxMapCounterLen {
 		counterLen = maxMapCounterLen
 	}
 	counter := make([]counterStripe, counterLen)
 	t := &mapTable[K, V]{
 		buckets: buckets,
 		size:    counter,
 		seed:    maphash.MakeSeed(),
 	}
 	return t
 }
 // ToPlainMap returns a native map with a copy of xsync Map's
 // contents. The copied xsync Map should not be modified while
 // this call is made. If the copied Map is modified, the copying
 // behavior is the same as in the Range method.
 func ToPlainMap[K comparable, V any](m *Map[K, V]) map[K]V {
 	pm := make(map[K]V)
 	if m != nil {
 		m.Range(func(key K, value V) bool {
 			pm[key] = value
 			return true
 		})
 	}
 	return pm
 }
 // Load returns the value stored in the map for a key, or zero value
 // of type V if no value is present.
 // The ok result indicates whether value was found in the map.
 func (m *Map[K, V]) Load(key K) (value V, ok bool) {
 	m.initOnce.Do(m.init)
 	table := m.table.Load()
 	hash := maphash.Comparable(table.seed, key)
 	h1 := h1(hash)
 	h2w := broadcast(h2(hash))
 	bidx := uint64(len(table.buckets)-1) & h1
 	b := &table.buckets[bidx]
 	for {
 		metaw := b.meta.Load()
 		markedw := markZeroBytes(metaw^h2w) & metaMask
 		for markedw != 0 {
 			idx := firstMarkedByteIndex(markedw)
 			e := b.entries[idx].Load()
 			if e != nil {
 				if e.key == key {
 					return e.value, true
 				}
 			}
 			markedw &= markedw - 1
 		}
 		b = b.next.Load()
 		if b == nil {
 			return
 		}
 	}
 }
 // Store sets the value for a key.
 func (m *Map[K, V]) Store(key K, value V) {
 	m.doCompute(
 		key,
 		func(V, bool) (V, ComputeOp) {
 			return value, UpdateOp
 		},
 		noLoadOp,
 		false,
 	)
 }
 // LoadOrStore returns the existing value for the key if present.
 // Otherwise, it stores and returns the given value.
 // The loaded result is true if the value was loaded, false if stored.
 func (m *Map[K, V]) LoadOrStore(key K, value V) (actual V, loaded bool) {
 	return m.doCompute(
 		key,
 		func(oldValue V, loaded bool) (V, ComputeOp) {
 			if loaded {
 				return oldValue, CancelOp
 			}
 			return value, UpdateOp
 		},
 		loadOrComputeOp,
 		false,
 	)
 }
 // LoadAndStore returns the existing value for the key if present,
 // while setting the new value for the key.
 // It stores the new value and returns the existing one, if present.
 // The loaded result is true if the existing value was loaded,
 // false otherwise.
 func (m *Map[K, V]) LoadAndStore(key K, value V) (actual V, loaded bool) {
 	return m.doCompute(
 		key,
 		func(V, bool) (V, ComputeOp) {
 			return value, UpdateOp
 		},
 		noLoadOp,
 		false,
 	)
 }
 // LoadOrCompute returns the existing value for the key if
 // present. Otherwise, it tries to compute the value using the
 // provided function and, if successful, stores and returns
 // the computed value. The loaded result is true if the value was
 // loaded, or false if computed. If valueFn returns true as the
 // cancel value, the computation is cancelled and the zero value
 // for type V is returned.
 //
 // This call locks a hash table bucket while the compute function
 // is executed. It means that modifications on other entries in
 // the bucket will be blocked until the valueFn executes. Consider
 // this when the function includes long-running operations.
 func (m *Map[K, V]) LoadOrCompute(
 	key K,
 	valueFn func() (newValue V, cancel bool),
 ) (value V, loaded bool) {
 	return m.doCompute(
 		key,
 		func(oldValue V, loaded bool) (V, ComputeOp) {
 			if loaded {
 				return oldValue, CancelOp
 			}
 			newValue, c := valueFn()
 			if !c {
 				return newValue, UpdateOp
 			}
 			return oldValue, CancelOp
 		},
 		loadOrComputeOp,
 		false,
 	)
 }
 // Compute either sets the computed new value for the key,
 // deletes the value for the key, or does nothing, based on
 // the returned [ComputeOp]. When the op returned by valueFn
 // is [UpdateOp], the value is updated to the new value. If
 // it is [DeleteOp], the entry is removed from the map
 // altogether. And finally, if the op is [CancelOp] then the
 // entry is left as-is. In other words, if it did not already
 // exist, it is not created, and if it did exist, it is not
 // updated. This is useful to synchronously execute some
 // operation on the value without incurring the cost of
 // updating the map every time. The ok result indicates
 // whether the entry is present in the map after the compute
 // operation. The actual result contains the value of the map
 // if a corresponding entry is present, or the zero value
 // otherwise. See the example for a few use cases.
 //
 // This call locks a hash table bucket while the compute function
 // is executed. It means that modifications on other entries in
 // the bucket will be blocked until the valueFn executes. Consider
 // this when the function includes long-running operations.
 func (m *Map[K, V]) Compute(
 	key K,
 	valueFn func(oldValue V, loaded bool) (newValue V, op ComputeOp),
 ) (actual V, ok bool) {
 	return m.doCompute(key, valueFn, noLoadOp, true)
 }
 // LoadAndDelete deletes the value for a key, returning the previous
 // value if any. The loaded result reports whether the key was
 // present.
 func (m *Map[K, V]) LoadAndDelete(key K) (value V, loaded bool) {
 	return m.doCompute(
 		key,
 		func(value V, loaded bool) (V, ComputeOp) {
 			return value, DeleteOp
 		},
 		loadAndDeleteOp,
 		false,
 	)
 }
 // Delete deletes the value for a key.
 func (m *Map[K, V]) Delete(key K) {
 	m.LoadAndDelete(key)
 }
 func (m *Map[K, V]) doCompute(
 	key K,
 	valueFn func(oldValue V, loaded bool) (V, ComputeOp),
 	loadOp loadOp,
 	computeOnly bool,
 ) (V, bool) {
 	m.initOnce.Do(m.init)
 	for {
 	compute_attempt:
 		var (
 			emptyb   *bucketPadded[K, V]
 			emptyidx int
 		)
 		table := m.table.Load()
 		tableLen := len(table.buckets)
 		hash := maphash.Comparable(table.seed, key)
 		h1 := h1(hash)
 		h2 := h2(hash)
 		h2w := broadcast(h2)
 		bidx := uint64(len(table.buckets)-1) & h1
 		rootb := &table.buckets[bidx]
 		if loadOp != noLoadOp {
 			b := rootb
 		load:
 			for {
 				metaw := b.meta.Load()
 				markedw := markZeroBytes(metaw^h2w) & metaMask
 				for markedw != 0 {
 					idx := firstMarkedByteIndex(markedw)
 					e := b.entries[idx].Load()
 					if e != nil {
 						if e.key == key {
 							if loadOp == loadOrComputeOp {
 								return e.value, true
 							}
 							break load
 						}
 					}
 					markedw &= markedw - 1
 				}
 				b = b.next.Load()
 				if b == nil {
 					if loadOp == loadAndDeleteOp {
 						return *new(V), false
 					}
 					break load
 				}
 			}
 		}
 		rootb.mu.Lock()
 		// The following two checks must go in reverse to what's
 		// in the resize method.
 		if m.resizeInProgress() {
 			// Resize is in progress. Wait, then go for another attempt.
 			rootb.mu.Unlock()
 			m.waitForResize()
 			goto compute_attempt
 		}
 		if m.newerTableExists(table) {
 			// Someone resized the table. Go for another attempt.
 			rootb.mu.Unlock()
 			goto compute_attempt
 		}
 		b := rootb
 		for {
 			metaw := b.meta.Load()
 			markedw := markZeroBytes(metaw^h2w) & metaMask
 			for markedw != 0 {
 				idx := firstMarkedByteIndex(markedw)
 				e := b.entries[idx].Load()
 				if e != nil {
 					if e.key == key {
 						// In-place update/delete.
 						// We get a copy of the value via an interface{} on each call,
 						// thus the live value pointers are unique. Otherwise atomic
 						// snapshot won't be correct in case of multiple Store calls
 						// using the same value.
 						oldv := e.value
 						newv, op := valueFn(oldv, true)
 						switch op {
 						case DeleteOp:
 							// Deletion.
 							// First we update the hash, then the entry.
 							newmetaw := setByte(metaw, emptyMetaSlot, idx)
 							b.meta.Store(newmetaw)
 							b.entries[idx].Store(nil)
 							rootb.mu.Unlock()
 							table.addSize(bidx, -1)
 							// Might need to shrink the table if we left bucket empty.
 							if newmetaw == defaultMeta {
 								m.resize(table, mapShrinkHint)
 							}
 							return oldv, !computeOnly
 						case UpdateOp:
 							newe := new(entry[K, V])
 							newe.key = key
 							newe.value = newv
 							b.entries[idx].Store(newe)
 						case CancelOp:
 							newv = oldv
 						}
 						rootb.mu.Unlock()
 						if computeOnly {
 							// Compute expects the new value to be returned.
 							return newv, true
 						}
 						// LoadAndStore expects the old value to be returned.
 						return oldv, true
 					}
 				}
 				markedw &= markedw - 1
 			}
 			if emptyb == nil {
 				// Search for empty entries (up to 5 per bucket).
 				emptyw := metaw & defaultMetaMasked
 				if emptyw != 0 {
 					idx := firstMarkedByteIndex(emptyw)
 					emptyb = b
 					emptyidx = idx
 				}
 			}
 			if b.next.Load() == nil {
 				if emptyb != nil {
 					// Insertion into an existing bucket.
 					var zeroV V
 					newValue, op := valueFn(zeroV, false)
 					switch op {
 					case DeleteOp, CancelOp:
 						rootb.mu.Unlock()
 						return zeroV, false
 					default:
 						newe := new(entry[K, V])
 						newe.key = key
 						newe.value = newValue
 						// First we update meta, then the entry.
 						emptyb.meta.Store(setByte(emptyb.meta.Load(), h2, emptyidx))
 						emptyb.entries[emptyidx].Store(newe)
 						rootb.mu.Unlock()
 						table.addSize(bidx, 1)
 						return newValue, computeOnly
 					}
 				}
 				growThreshold := float64(tableLen) * entriesPerMapBucket * mapLoadFactor
 				if table.sumSize() > int64(growThreshold) {
 					// Need to grow the table. Then go for another attempt.
 					rootb.mu.Unlock()
 					m.resize(table, mapGrowHint)
 					goto compute_attempt
 				}
 				// Insertion into a new bucket.
 				var zeroV V
 				newValue, op := valueFn(zeroV, false)
 				switch op {
 				case DeleteOp, CancelOp:
 					rootb.mu.Unlock()
 					return newValue, false
 				default:
 					// Create and append a bucket.
 					newb := new(bucketPadded[K, V])
 					newb.meta.Store(setByte(defaultMeta, h2, 0))
 					newe := new(entry[K, V])
 					newe.key = key
 					newe.value = newValue
 					newb.entries[0].Store(newe)
 					b.next.Store(newb)
 					rootb.mu.Unlock()
 					table.addSize(bidx, 1)
 					return newValue, computeOnly
 				}
 			}
 			b = b.next.Load()
 		}
 	}
 }
 func (m *Map[K, V]) newerTableExists(table *mapTable[K, V]) bool {
 	return table != m.table.Load()
 }
 func (m *Map[K, V]) resizeInProgress() bool {
 	return m.resizing.Load()
 }
 func (m *Map[K, V]) waitForResize() {
 	m.resizeMu.Lock()
 	for m.resizeInProgress() {
 		m.resizeCond.Wait()
 	}
 	m.resizeMu.Unlock()
 }
 func (m *Map[K, V]) resize(knownTable *mapTable[K, V], hint mapResizeHint) {
 	knownTableLen := len(knownTable.buckets)
 	// Fast path for shrink attempts.
 	if hint == mapShrinkHint {
 		if m.growOnly ||
 			m.minTableLen == knownTableLen ||
 			knownTable.sumSize() > int64((knownTableLen*entriesPerMapBucket)/mapShrinkFraction) {
 			return
 		}
 	}
 	// Slow path.
 	if !m.resizing.CompareAndSwap(false, true) {
 		// Someone else started resize. Wait for it to finish.
 		m.waitForResize()
 		return
 	}
 	var newTable *mapTable[K, V]
 	table := m.table.Load()
 	tableLen := len(table.buckets)
 	switch hint {
 	case mapGrowHint:
 		// Grow the table with factor of 2.
 		m.totalGrowths.Add(1)
 		newTable = newMapTable[K, V](tableLen << 1)
 	case mapShrinkHint:
 		shrinkThreshold := int64((tableLen * entriesPerMapBucket) / mapShrinkFraction)
 		if tableLen > m.minTableLen && table.sumSize() <= shrinkThreshold {
 			// Shrink the table with factor of 2.
 			m.totalShrinks.Add(1)
 			newTable = newMapTable[K, V](tableLen >> 1)
 		} else {
 			// No need to shrink. Wake up all waiters and give up.
 			m.resizeMu.Lock()
 			m.resizing.Store(false)
 			m.resizeCond.Broadcast()
 			m.resizeMu.Unlock()
 			return
 		}
 	case mapClearHint:
 		newTable = newMapTable[K, V](m.minTableLen)
 	default:
 		panic(fmt.Sprintf("unexpected resize hint: %d", hint))
 	}
 	// Copy the data only if we're not clearing the map.
 	if hint != mapClearHint {
 		for i := 0; i < tableLen; i++ {
 			copied := copyBucket(&table.buckets[i], newTable)
 			newTable.addSizePlain(uint64(i), copied)
 		}
 	}
 	// Publish the new table and wake up all waiters.
 	m.table.Store(newTable)
 	m.resizeMu.Lock()
 	m.resizing.Store(false)
 	m.resizeCond.Broadcast()
 	m.resizeMu.Unlock()
 }
 func copyBucket[K comparable, V any](
 	b *bucketPadded[K, V],
 	destTable *mapTable[K, V],
 ) (copied int) {
 	rootb := b
 	rootb.mu.Lock()
 	for {
 		for i := 0; i < entriesPerMapBucket; i++ {
 			if e := b.entries[i].Load(); e != nil {
 				hash := maphash.Comparable(destTable.seed, e.key)
 				bidx := uint64(len(destTable.buckets)-1) & h1(hash)
 				destb := &destTable.buckets[bidx]
 				appendToBucket(h2(hash), b.entries[i].Load(), destb)
 				copied++
 			}
 		}
 		if next := b.next.Load(); next == nil {
 			rootb.mu.Unlock()
 			return
 		} else {
 			b = next
 		}
 	}
 }
 // Range calls f sequentially for each key and value present in the
 // map. If f returns false, range stops the iteration.
 //
 // Range does not necessarily correspond to any consistent snapshot
 // of the Map's contents: no key will be visited more than once, but
 // if the value for any key is stored or deleted concurrently, Range
 // may reflect any mapping for that key from any point during the
 // Range call.
 //
 // It is safe to modify the map while iterating it, including entry
 // creation, modification and deletion. However, the concurrent
 // modification rule apply, i.e. the changes may be not reflected
 // in the subsequently iterated entries.
 func (m *Map[K, V]) Range(f func(key K, value V) bool) {
 	m.initOnce.Do(m.init)
 	// Pre-allocate array big enough to fit entries for most hash tables.
 	bentries := make([]*entry[K, V], 0, 16*entriesPerMapBucket)
 	table := m.table.Load()
 	for i := range table.buckets {
 		rootb := &table.buckets[i]
 		b := rootb
 		// Prevent concurrent modifications and copy all entries into
 		// the intermediate slice.
 		rootb.mu.Lock()
 		for {
 			for i := 0; i < entriesPerMapBucket; i++ {
 				if entry := b.entries[i].Load(); entry != nil {
 					bentries = append(bentries, entry)
 				}
 			}
 			if next := b.next.Load(); next == nil {
 				rootb.mu.Unlock()
 				break
 			} else {
 				b = next
 			}
 		}
 		// Call the function for all copied entries.
 		for j, e := range bentries {
 			if !f(e.key, e.value) {
 				return
 			}
 			// Remove the reference to avoid preventing the copied
 			// entries from being GCed until this method finishes.
 			bentries[j] = nil
 		}
 		bentries = bentries[:0]
 	}
 }
 // Clear deletes all keys and values currently stored in the map.
 func (m *Map[K, V]) Clear() {
 	m.initOnce.Do(m.init)
 	m.resize(m.table.Load(), mapClearHint)
 }
 // Size returns current size of the map.
 func (m *Map[K, V]) Size() int {
 	m.initOnce.Do(m.init)
 	return int(m.table.Load().sumSize())
 }
 func appendToBucket[K comparable, V any](h2 uint8, e *entry[K, V], b *bucketPadded[K, V]) {
 	for {
 		for i := 0; i < entriesPerMapBucket; i++ {
 			if b.entries[i].Load() == nil {
 				b.meta.Store(setByte(b.meta.Load(), h2, i))
 				b.entries[i].Store(e)
 				return
 			}
 		}
 		if next := b.next.Load(); next == nil {
 			newb := new(bucketPadded[K, V])
 			newb.meta.Store(setByte(defaultMeta, h2, 0))
 			newb.entries[0].Store(e)
 			b.next.Store(newb)
 			return
 		} else {
 			b = next
 		}
 	}
 }
 func (table *mapTable[K, V]) addSize(bucketIdx uint64, delta int) {
 	cidx := uint64(len(table.size)-1) & bucketIdx
 	atomic.AddInt64(&table.size[cidx].c, int64(delta))
 }
 func (table *mapTable[K, V]) addSizePlain(bucketIdx uint64, delta int) {
 	cidx := uint64(len(table.size)-1) & bucketIdx
 	table.size[cidx].c += int64(delta)
 }
 func (table *mapTable[K, V]) sumSize() int64 {
 	sum := int64(0)
 	for i := range table.size {
 		sum += atomic.LoadInt64(&table.size[i].c)
 	}
 	return sum
 }
 func h1(h uint64) uint64 {
 	return h >> 7
 }
 func h2(h uint64) uint8 {
 	return uint8(h & 0x7f)
 }
 // MapStats is Map statistics.
 //
 // Warning: map statistics are intented to be used for diagnostic
 // purposes, not for production code. This means that breaking changes
 // may be introduced into this struct even between minor releases.
 type MapStats struct {
 	// RootBuckets is the number of root buckets in the hash table.
 	// Each bucket holds a few entries.
 	RootBuckets int
 	// TotalBuckets is the total number of buckets in the hash table,
 	// including root and their chained buckets. Each bucket holds
 	// a few entries.
 	TotalBuckets int
 	// EmptyBuckets is the number of buckets that hold no entries.
 	EmptyBuckets int
 	// Capacity is the Map capacity, i.e. the total number of
 	// entries that all buckets can physically hold. This number
 	// does not consider the load factor.
 	Capacity int
 	// Size is the exact number of entries stored in the map.
 	Size int
 	// Counter is the number of entries stored in the map according
 	// to the internal atomic counter. In case of concurrent map
 	// modifications this number may be different from Size.
 	Counter int
 	// CounterLen is the number of internal atomic counter stripes.
 	// This number may grow with the map capacity to improve
 	// multithreaded scalability.
 	CounterLen int
 	// MinEntries is the minimum number of entries per a chain of
 	// buckets, i.e. a root bucket and its chained buckets.
 	MinEntries int
 	// MinEntries is the maximum number of entries per a chain of
 	// buckets, i.e. a root bucket and its chained buckets.
 	MaxEntries int
 	// TotalGrowths is the number of times the hash table grew.
 	TotalGrowths int64
 	// TotalGrowths is the number of times the hash table shrinked.
 	TotalShrinks int64
 }
 // ToString returns string representation of map stats.
 func (s *MapStats) ToString() string {
 	var sb strings.Builder
 	sb.WriteString("MapStats{\n")
 	sb.WriteString(fmt.Sprintf("RootBuckets:  %d\n", s.RootBuckets))
 	sb.WriteString(fmt.Sprintf("TotalBuckets: %d\n", s.TotalBuckets))
 	sb.WriteString(fmt.Sprintf("EmptyBuckets: %d\n", s.EmptyBuckets))
 	sb.WriteString(fmt.Sprintf("Capacity:     %d\n", s.Capacity))
 	sb.WriteString(fmt.Sprintf("Size:         %d\n", s.Size))
 	sb.WriteString(fmt.Sprintf("Counter:      %d\n", s.Counter))
 	sb.WriteString(fmt.Sprintf("CounterLen:   %d\n", s.CounterLen))
 	sb.WriteString(fmt.Sprintf("MinEntries:   %d\n", s.MinEntries))
 	sb.WriteString(fmt.Sprintf("MaxEntries:   %d\n", s.MaxEntries))
 	sb.WriteString(fmt.Sprintf("TotalGrowths: %d\n", s.TotalGrowths))
 	sb.WriteString(fmt.Sprintf("TotalShrinks: %d\n", s.TotalShrinks))
 	sb.WriteString("}\n")
 	return sb.String()
 }
 // Stats returns statistics for the Map. Just like other map
 // methods, this one is thread-safe. Yet it's an O(N) operation,
 // so it should be used only for diagnostics or debugging purposes.
 func (m *Map[K, V]) Stats() MapStats {
 	m.initOnce.Do(m.init)
 	stats := MapStats{
 		TotalGrowths: m.totalGrowths.Load(),
 		TotalShrinks: m.totalShrinks.Load(),
 		MinEntries:   math.MaxInt32,
 	}
 	table := m.table.Load()
 	stats.RootBuckets = len(table.buckets)
 	stats.Counter = int(table.sumSize())
 	stats.CounterLen = len(table.size)
 	for i := range table.buckets {
 		nentries := 0
 		b := &table.buckets[i]
 		stats.TotalBuckets++
 		for {
 			nentriesLocal := 0
 			stats.Capacity += entriesPerMapBucket
 			for i := 0; i < entriesPerMapBucket; i++ {
 				if b.entries[i].Load() != nil {
 					stats.Size++
 					nentriesLocal++
 				}
 			}
 			nentries += nentriesLocal
 			if nentriesLocal == 0 {
 				stats.EmptyBuckets++
 			}
 			if next := b.next.Load(); next == nil {
 				break
 			} else {
 				b = next
 			}
 			stats.TotalBuckets++
 		}
 		if nentries < stats.MinEntries {
 			stats.MinEntries = nentries
 		}
 		if nentries > stats.MaxEntries {
 			stats.MaxEntries = nentries
 		}
 	}
 	return stats
 }
 const (
 	// cacheLineSize is used in paddings to prevent false sharing;
 	// 64B are used instead of 128B as a compromise between
 	// memory footprint and performance; 128B usage may give ~30%
 	// improvement on NUMA machines.
 	cacheLineSize = 64
 )
 // nextPowOf2 computes the next highest power of 2 of 32-bit v.
 // Source: https://graphics.stanford.edu/~seander/bithacks.html#RoundUpPowerOf2
 func nextPowOf2(v uint32) uint32 {
 	if v == 0 {
 		return 1
 	}
 	v--
 	v |= v >> 1
 	v |= v >> 2
 	v |= v >> 4
 	v |= v >> 8
 	v |= v >> 16
 	v++
 	return v
 }
 func broadcast(b uint8) uint64 {
 	return 0x101010101010101 * uint64(b)
 }
 func firstMarkedByteIndex(w uint64) int {
 	return bits.TrailingZeros64(w) >> 3
 }
 // SWAR byte search: may produce false positives, e.g. for 0x0100,
 // so make sure to double-check bytes found by this function.
 func markZeroBytes(w uint64) uint64 {
 	return ((w - 0x0101010101010101) & (^w) & 0x8080808080808080)
 }
 func setByte(w uint64, b uint8, idx int) uint64 {
 	shift := idx << 3
 	return (w &^ (0xff << shift)) | (uint64(b) << shift)
 }
--- a/common/xsync/map_extra.go
+++ b/common/xsync/map_extra.go
@@ -0,0 +1,28 @@
 package xsync
 // LoadOrStoreFn returns the existing value for the key if
 // present. Otherwise, it tries to compute the value using the
 // provided function and, if successful, stores and returns
 // the computed value. The loaded result is true if the value was
 // loaded, or false if computed.
 //
 // This call locks a hash table bucket while the compute function
 // is executed. It means that modifications on other entries in
 // the bucket will be blocked until the valueFn executes. Consider
 // this when the function includes long-running operations.
 //
 // Recovery this API and renamed from xsync/v3's LoadOrCompute.
 // We unneeded support no-op (cancel) compute operation, it will only add complexity to existing code.
 func (m *Map[K, V]) LoadOrStoreFn(key K, valueFn func() V) (actual V, loaded bool) {
 	return m.doCompute(
 		key,
 		func(oldValue V, loaded bool) (V, ComputeOp) {
 			if loaded {
 				return oldValue, CancelOp
 			}
 			return valueFn(), UpdateOp
 		},
 		loadOrComputeOp,
 		false,
 	)
 }
--- a/common/xsync/map_extra_test.go
+++ b/common/xsync/map_extra_test.go
@@ -0,0 +1,49 @@
 package xsync
 import (
 	"strconv"
 	"testing"
 )
 func TestMapOfLoadOrStoreFn(t *testing.T) {
 	const numEntries = 1000
 	m := NewMap[string, int]()
 	for i := 0; i < numEntries; i++ {
 		v, loaded := m.LoadOrStoreFn(strconv.Itoa(i), func() int {
 			return i
 		})
 		if loaded {
 			t.Fatalf("value not computed for %d", i)
 		}
 		if v != i {
 			t.Fatalf("values do not match for %d: %v", i, v)
 		}
 	}
 	for i := 0; i < numEntries; i++ {
 		v, loaded := m.LoadOrStoreFn(strconv.Itoa(i), func() int {
 			return i
 		})
 		if !loaded {
 			t.Fatalf("value not loaded for %d", i)
 		}
 		if v != i {
 			t.Fatalf("values do not match for %d: %v", i, v)
 		}
 	}
 }
 func TestMapOfLoadOrStoreFn_FunctionCalledOnce(t *testing.T) {
 	m := NewMap[int, int]()
 	for i := 0; i < 100; {
 		m.LoadOrStoreFn(i, func() (v int) {
 			v, i = i, i+1
 			return v
 		})
 	}
 	m.Range(func(k, v int) bool {
 		if k != v {
 			t.Fatalf("%dth key is not equal to value %d", k, v)
 		}
 		return true
 	})
 }
--- a/common/xsync/map_test.go
+++ b/common/xsync/map_test.go
--- a/component/ca/config.go
+++ b/component/ca/config.go
@@ -10,7 +10,9 @@ import (
 	"strconv"
 	"sync"
 	"github.com/metacubex/mihomo/common/once"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/ntp"
 )
 var globalCertPool *x509.CertPool
@@ -65,70 +67,61 @@ func ResetCertificate() {
 	initializeCertPool()
 }
-func getCertPool() *x509.CertPool {
+func GetCertPool() *x509.CertPool {
 	mutex.Lock()
 	defer mutex.Unlock()
 	if globalCertPool == nil {
 		mutex.Lock()
 		defer mutex.Unlock()
 		if globalCertPool != nil {
 			return globalCertPool
 		}
 		initializeCertPool()
 	}
 	return globalCertPool
 }
-func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) {
+type Option struct {
-	var certificate []byte
+	TLSConfig   *tls.Config
-	var err error
+	Fingerprint string
-	if len(customCA) > 0 {
+	ZeroTrust   bool
-		path := C.Path.Resolve(customCA)
+	Certificate string
-		if !C.Path.IsSafePath(path) {
+	PrivateKey  string
 			return nil, C.Path.ErrNotSafePath(path)
 		}
 		certificate, err = os.ReadFile(path)
 		if err != nil {
 			return nil, fmt.Errorf("load ca error: %w", err)
 		}
 	} else if customCAString != "" {
 		certificate = []byte(customCAString)
 	}
 	if len(certificate) > 0 {
 		certPool := x509.NewCertPool()
 		if !certPool.AppendCertsFromPEM(certificate) {
 			return nil, fmt.Errorf("failed to parse certificate:\n\n %s", certificate)
 		}
 		return certPool, nil
 	} else {
 		return getCertPool(), nil
 	}
 }
-// GetTLSConfig specified fingerprint, customCA and customCAString
+func GetTLSConfig(opt Option) (tlsConfig *tls.Config, err error) {
-func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (_ *tls.Config, err error) {
+	tlsConfig = opt.TLSConfig
 	if tlsConfig == nil {
 		tlsConfig = &tls.Config{}
 	}
-	tlsConfig.RootCAs, err = GetCertPool(customCA, customCAString)
+	tlsConfig.Time = ntp.Now
-	if err != nil {
+
-		return nil, err
+	if opt.ZeroTrust {
 		tlsConfig.RootCAs = zeroTrustCertPool()
 	} else {
 		tlsConfig.RootCAs = GetCertPool()
 	}
-	if len(fingerprint) > 0 {
+	if len(opt.Fingerprint) > 0 {
-		tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(fingerprint)
+		tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(opt.Fingerprint, tlsConfig.Time)
 		if err != nil {
 			return nil, err
 		}
 		tlsConfig.InsecureSkipVerify = true
 	}
 	if len(opt.Certificate) > 0 || len(opt.PrivateKey) > 0 {
 		var cert tls.Certificate
 		cert, err = LoadTLSKeyPair(opt.Certificate, opt.PrivateKey, C.Path)
 		if err != nil {
 			return nil, err
 		}
 		tlsConfig.Certificates = []tls.Certificate{cert}
 	}
 	return tlsConfig, nil
 }
-// GetSpecifiedFingerprintTLSConfig specified fingerprint
+var zeroTrustCertPool = once.OnceValue(func() *x509.CertPool {
-func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
+	if len(_CaCertificates) != 0 { // always using embed cert first
-	return GetTLSConfig(tlsConfig, fingerprint, "", "")
+		zeroTrustCertPool := x509.NewCertPool()
-}
+		if zeroTrustCertPool.AppendCertsFromPEM(_CaCertificates) {
-
+			return zeroTrustCertPool
-func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
+		}
-	tlsConfig, _ = GetTLSConfig(tlsConfig, "", "", "")
+	}
-	return tlsConfig
+	return nil // fallback to system pool
-}
+})
--- a/component/ca/fingerprint.go
+++ b/component/ca/fingerprint.go
@@ -7,10 +7,11 @@ import (
 	"encoding/hex"
 	"fmt"
 	"strings"
 	"time"
 )
 // NewFingerprintVerifier returns a function that verifies whether a certificate's SHA-256 fingerprint matches the given one.
-func NewFingerprintVerifier(fingerprint string) (func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error, error) {
+func NewFingerprintVerifier(fingerprint string, time func() time.Time) (func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error, error) {
 	switch fingerprint {
 	case "chrome", "firefox", "safari", "ios", "android", "edge", "360", "qq", "random", "randomized": // WTF???
 		return nil, fmt.Errorf("`fingerprint` is used for TLS certificate pinning. If you need to specify the browser fingerprint, use `client-fingerprint`")
@@ -27,9 +28,40 @@ func NewFingerprintVerifier(fingerprint string) (func(rawCerts [][]byte, verifie
 	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 		// ssl pining
-		for _, rawCert := range rawCerts {
+		for i, rawCert := range rawCerts {
 			hash := sha256.Sum256(rawCert)
 			if bytes.Equal(fpByte, hash[:]) {
 				if i > 0 {
 					// When the fingerprint matches a non-leaf certificate,
 					// the certificate chain validity is verified using the certificate as the trusted root certificate.
 					//
 					// Currently, we do not verify that the SNI matches the certificate's DNS name,
 					// but we do verify the validity of the child certificate,
 					// including the issuance time and whether the child certificate was issued by the parent certificate.
 					certs := make([]*x509.Certificate, i+1) // stop at i
 					for j := range certs {
 						cert, err := x509.ParseCertificate(rawCerts[j])
 						if err != nil {
 							return err
 						}
 						certs[j] = cert
 					}
 					opts := x509.VerifyOptions{
 						Roots:         x509.NewCertPool(),
 						Intermediates: x509.NewCertPool(),
 					}
 					if time != nil {
 						opts.CurrentTime = time()
 					}
 					opts.Roots.AddCert(certs[i])
 					for _, cert := range certs[1:] {
 						opts.Intermediates.AddCert(cert)
 					}
 					_, err := certs[0].Verify(opts)
 					return err
 				}
 				return nil
 			}
 		}
--- a/component/ca/fingerprint_test.go
+++ b/component/ca/fingerprint_test.go
@@ -0,0 +1,351 @@
 package ca
 import (
 	"encoding/pem"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestFingerprintVerifierLeaf(t *testing.T) {
 	leafFingerprint := CalculateFingerprint(leafPEM.Bytes)
 	verifier, err := NewFingerprintVerifier(leafFingerprint, func() time.Time {
 		return time.Unix(1677615892, 0)
 	})
 	require.NoError(t, err)
 	err = verifier([][]byte{leafPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
 	assert.NoError(t, err)
 	err = verifier([][]byte{leafPEM.Bytes, smimeIntermediatePEM.Bytes, rootPEM.Bytes}, nil)
 	assert.NoError(t, err)
 	err = verifier([][]byte{leafPEM.Bytes, intermediatePEM.Bytes, smimeRootPEM.Bytes}, nil)
 	assert.NoError(t, err)
 	err = verifier([][]byte{leafWithInvalidHashPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
 	assert.Error(t, err)
 	err = verifier([][]byte{smimeLeafPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
 	assert.Error(t, err)
 	err = verifier([][]byte{smimeLeafPEM.Bytes, intermediatePEM.Bytes, smimeRootPEM.Bytes}, nil)
 	assert.Error(t, err)
 }
 func TestFingerprintVerifierIntermediate(t *testing.T) {
 	intermediateFingerprint := CalculateFingerprint(intermediatePEM.Bytes)
 	verifier, err := NewFingerprintVerifier(intermediateFingerprint, func() time.Time {
 		return time.Unix(1677615892, 0)
 	})
 	require.NoError(t, err)
 	err = verifier([][]byte{leafPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
 	assert.NoError(t, err)
 	err = verifier([][]byte{leafPEM.Bytes, smimeIntermediatePEM.Bytes, rootPEM.Bytes}, nil)
 	assert.Error(t, err)
 	err = verifier([][]byte{leafPEM.Bytes, intermediatePEM.Bytes, smimeRootPEM.Bytes}, nil)
 	assert.NoError(t, err)
 	err = verifier([][]byte{leafWithInvalidHashPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
 	assert.Error(t, err)
 	err = verifier([][]byte{smimeLeafPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
 	assert.Error(t, err)
 	err = verifier([][]byte{smimeLeafPEM.Bytes, intermediatePEM.Bytes, smimeRootPEM.Bytes}, nil)
 	assert.Error(t, err)
 }
 func TestFingerprintVerifierRoot(t *testing.T) {
 	rootFingerprint := CalculateFingerprint(rootPEM.Bytes)
 	verifier, err := NewFingerprintVerifier(rootFingerprint, func() time.Time {
 		return time.Unix(1677615892, 0)
 	})
 	require.NoError(t, err)
 	err = verifier([][]byte{leafPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
 	assert.NoError(t, err)
 	err = verifier([][]byte{leafPEM.Bytes, smimeIntermediatePEM.Bytes, rootPEM.Bytes}, nil)
 	assert.Error(t, err)
 	err = verifier([][]byte{leafPEM.Bytes, intermediatePEM.Bytes, smimeRootPEM.Bytes}, nil)
 	assert.Error(t, err)
 	err = verifier([][]byte{leafWithInvalidHashPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
 	assert.Error(t, err)
 	err = verifier([][]byte{smimeLeafPEM.Bytes, intermediatePEM.Bytes, rootPEM.Bytes}, nil)
 	assert.Error(t, err)
 	err = verifier([][]byte{smimeLeafPEM.Bytes, intermediatePEM.Bytes, smimeRootPEM.Bytes}, nil)
 	assert.Error(t, err)
 }
 var rootPEM, _ = pem.Decode([]byte(gtsRoot))
 var intermediatePEM, _ = pem.Decode([]byte(gtsIntermediate))
 var leafPEM, _ = pem.Decode([]byte(googleLeaf))
 var leafWithInvalidHashPEM, _ = pem.Decode([]byte(googleLeafWithInvalidHash))
 var smimeRootPEM, _ = pem.Decode([]byte(smimeRoot))
 var smimeIntermediatePEM, _ = pem.Decode([]byte(smimeIntermediate))
 var smimeLeafPEM, _ = pem.Decode([]byte(smimeLeaf))
 const gtsIntermediate = `-----BEGIN CERTIFICATE-----
 MIIFljCCA36gAwIBAgINAgO8U1lrNMcY9QFQZjANBgkqhkiG9w0BAQsFADBHMQsw
 CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
 MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMjAwODEzMDAwMDQyWhcNMjcwOTMwMDAw
 MDQyWjBGMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
 Y2VzIExMQzETMBEGA1UEAxMKR1RTIENBIDFDMzCCASIwDQYJKoZIhvcNAQEBBQAD
 ggEPADCCAQoCggEBAPWI3+dijB43+DdCkH9sh9D7ZYIl/ejLa6T/belaI+KZ9hzp
 kgOZE3wJCor6QtZeViSqejOEH9Hpabu5dOxXTGZok3c3VVP+ORBNtzS7XyV3NzsX
 lOo85Z3VvMO0Q+sup0fvsEQRY9i0QYXdQTBIkxu/t/bgRQIh4JZCF8/ZK2VWNAcm
 BA2o/X3KLu/qSHw3TT8An4Pf73WELnlXXPxXbhqW//yMmqaZviXZf5YsBvcRKgKA
 gOtjGDxQSYflispfGStZloEAoPtR28p3CwvJlk/vcEnHXG0g/Zm0tOLKLnf9LdwL
 tmsTDIwZKxeWmLnwi/agJ7u2441Rj72ux5uxiZ0CAwEAAaOCAYAwggF8MA4GA1Ud
 DwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0T
 AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUinR/r4XN7pXNPZzQ4kYU83E1HScwHwYD
 VR0jBBgwFoAU5K8rJnEaK0gnhS9SZizv8IkTcT4waAYIKwYBBQUHAQEEXDBaMCYG
 CCsGAQUFBzABhhpodHRwOi8vb2NzcC5wa2kuZ29vZy9ndHNyMTAwBggrBgEFBQcw
 AoYkaHR0cDovL3BraS5nb29nL3JlcG8vY2VydHMvZ3RzcjEuZGVyMDQGA1UdHwQt
 MCswKaAnoCWGI2h0dHA6Ly9jcmwucGtpLmdvb2cvZ3RzcjEvZ3RzcjEuY3JsMFcG
 A1UdIARQME4wOAYKKwYBBAHWeQIFAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3Br
 aS5nb29nL3JlcG9zaXRvcnkvMAgGBmeBDAECATAIBgZngQwBAgIwDQYJKoZIhvcN
 AQELBQADggIBAIl9rCBcDDy+mqhXlRu0rvqrpXJxtDaV/d9AEQNMwkYUuxQkq/BQ
 cSLbrcRuf8/xam/IgxvYzolfh2yHuKkMo5uhYpSTld9brmYZCwKWnvy15xBpPnrL
 RklfRuFBsdeYTWU0AIAaP0+fbH9JAIFTQaSSIYKCGvGjRFsqUBITTcFTNvNCCK9U
 +o53UxtkOCcXCb1YyRt8OS1b887U7ZfbFAO/CVMkH8IMBHmYJvJh8VNS/UKMG2Yr
 PxWhu//2m+OBmgEGcYk1KCTd4b3rGS3hSMs9WYNRtHTGnXzGsYZbr8w0xNPM1IER
 lQCh9BIiAfq0g3GvjLeMcySsN1PCAJA/Ef5c7TaUEDu9Ka7ixzpiO2xj2YC/WXGs
 Yye5TBeg2vZzFb8q3o/zpWwygTMD0IZRcZk0upONXbVRWPeyk+gB9lm+cZv9TSjO
 z23HFtz30dZGm6fKa+l3D/2gthsjgx0QGtkJAITgRNOidSOzNIb2ILCkXhAd4FJG
 AJ2xDx8hcFH1mt0G/FX0Kw4zd8NLQsLxdxP8c4CU6x+7Nz/OAipmsHMdMqUybDKw
 juDEI/9bfU1lcKwrmz3O2+BtjjKAvpafkmO8l7tdufThcV4q5O8DIrGKZTqPwJNl
 1IXNDw9bg1kWRxYtnCQ6yICmJhSFm/Y3m6xv+cXDBlHz4n/FsRC6UfTd
 -----END CERTIFICATE-----`
 const gtsRoot = `-----BEGIN CERTIFICATE-----
 MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw
 CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
 MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
 MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
 Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA
 A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo
 27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w
 Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw
 TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl
 qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH
 szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8
 Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk
 MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92
 wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p
 aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN
 VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID
 AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
 FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb
 C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe
 QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy
 h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4
 7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J
 ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef
 MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/
 Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT
 6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ
 0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm
 2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb
 bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c
 -----END CERTIFICATE-----`
 const googleLeaf = `-----BEGIN CERTIFICATE-----
 MIIFUjCCBDqgAwIBAgIQERmRWTzVoz0SMeozw2RM3DANBgkqhkiG9w0BAQsFADBG
 MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
 QzETMBEGA1UEAxMKR1RTIENBIDFDMzAeFw0yMzAxMDIwODE5MTlaFw0yMzAzMjcw
 ODE5MThaMBkxFzAVBgNVBAMTDnd3dy5nb29nbGUuY29tMIIBIjANBgkqhkiG9w0B
 AQEFAAOCAQ8AMIIBCgKCAQEAq30odrKMT54TJikMKL8S+lwoCMT5geP0u9pWjk6a
 wdB6i3kO+UE4ijCAmhbcZKeKaLnGJ38weZNwB1ayabCYyX7hDiC/nRcZU49LX5+o
 55kDVaNn14YKkg2kCeX25HDxSwaOsNAIXKPTqiQL5LPvc4Twhl8HY51hhNWQrTEr
 N775eYbixEULvyVLq5BLbCOpPo8n0/MTjQ32ku1jQq3GIYMJC/Rf2VW5doF6t9zs
 KleflAN8OdKp0ME9OHg0T1P3yyb67T7n0SpisHbeG06AmQcKJF9g/9VPJtRf4l1Q
 WRPDC+6JUqzXCxAGmIRGZ7TNMxPMBW/7DRX6w8oLKVNb0wIDAQABo4ICZzCCAmMw
 DgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQC
 MAAwHQYDVR0OBBYEFBnboj3lf9+Xat4oEgo6ZtIMr8ZuMB8GA1UdIwQYMBaAFIp0
 f6+Fze6VzT2c0OJGFPNxNR0nMGoGCCsGAQUFBwEBBF4wXDAnBggrBgEFBQcwAYYb
 aHR0cDovL29jc3AucGtpLmdvb2cvZ3RzMWMzMDEGCCsGAQUFBzAChiVodHRwOi8v
 cGtpLmdvb2cvcmVwby9jZXJ0cy9ndHMxYzMuZGVyMBkGA1UdEQQSMBCCDnd3dy5n
 b29nbGUuY29tMCEGA1UdIAQaMBgwCAYGZ4EMAQIBMAwGCisGAQQB1nkCBQMwPAYD
 VR0fBDUwMzAxoC+gLYYraHR0cDovL2NybHMucGtpLmdvb2cvZ3RzMWMzL1FPdkow
 TjFzVDJBLmNybDCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AHoyjFTYty22IOo4
 4FIe6YQWcDIThU070ivBOlejUutSAAABhXHHOiUAAAQDAEcwRQIgBUkikUIXdo+S
 3T8PP0/cvokhUlumRE3GRWGL4WRMLpcCIQDY+bwK384mZxyXGZ5lwNRTAPNzT8Fx
 1+//nbaGK3BQMAB2AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1uAAAB
 hXHHOfQAAAQDAEcwRQIgLoVydNfMFKV9IoZR+M0UuJ2zOqbxIRum7Sn9RMPOBGMC
 IQD1/BgzCSDTvYvco6kpB6ifKSbg5gcb5KTnYxQYwRW14TANBgkqhkiG9w0BAQsF
 AAOCAQEA2bQQu30e3OFu0bmvQHmcqYvXBu6tF6e5b5b+hj4O+Rn7BXTTmaYX3M6p
 MsfRH4YVJJMB/dc3PROR2VtnKFC6gAZX+RKM6nXnZhIlOdmQnonS1ecOL19PliUd
 VXbwKjXqAO0Ljd9y9oXaXnyPyHmUJNI5YXAcxE+XXiOZhcZuMYyWmoEKJQ/XlSga
 zWfTn1IcKhA3IC7A1n/5bkkWD1Xi1mdWFQ6DQDMp//667zz7pKOgFMlB93aPDjvI
 c78zEqNswn6xGKXpWF5xVwdFcsx9HKhJ6UAi2bQ/KQ1yb7LPUOR6wXXWrG1cLnNP
 i8eNLnKL9PXQ+5SwJFCzfEhcIZuhzg==
 -----END CERTIFICATE-----`
 // googleLeafWithInvalidHash is the same as googleLeaf, but the signature
 // algorithm in the certificate contains a nonsense OID.
 const googleLeafWithInvalidHash = `-----BEGIN CERTIFICATE-----
 MIIFUjCCBDqgAwIBAgIQERmRWTzVoz0SMeozw2RM3DANBgkqhkiG9w0BAQ4FADBG
 MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
 QzETMBEGA1UEAxMKR1RTIENBIDFDMzAeFw0yMzAxMDIwODE5MTlaFw0yMzAzMjcw
 ODE5MThaMBkxFzAVBgNVBAMTDnd3dy5nb29nbGUuY29tMIIBIjANBgkqhkiG9w0B
 AQEFAAOCAQ8AMIIBCgKCAQEAq30odrKMT54TJikMKL8S+lwoCMT5geP0u9pWjk6a
 wdB6i3kO+UE4ijCAmhbcZKeKaLnGJ38weZNwB1ayabCYyX7hDiC/nRcZU49LX5+o
 55kDVaNn14YKkg2kCeX25HDxSwaOsNAIXKPTqiQL5LPvc4Twhl8HY51hhNWQrTEr
 N775eYbixEULvyVLq5BLbCOpPo8n0/MTjQ32ku1jQq3GIYMJC/Rf2VW5doF6t9zs
 KleflAN8OdKp0ME9OHg0T1P3yyb67T7n0SpisHbeG06AmQcKJF9g/9VPJtRf4l1Q
 WRPDC+6JUqzXCxAGmIRGZ7TNMxPMBW/7DRX6w8oLKVNb0wIDAQABo4ICZzCCAmMw
 DgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQC
 MAAwHQYDVR0OBBYEFBnboj3lf9+Xat4oEgo6ZtIMr8ZuMB8GA1UdIwQYMBaAFIp0
 f6+Fze6VzT2c0OJGFPNxNR0nMGoGCCsGAQUFBwEBBF4wXDAnBggrBgEFBQcwAYYb
 aHR0cDovL29jc3AucGtpLmdvb2cvZ3RzMWMzMDEGCCsGAQUFBzAChiVodHRwOi8v
 cGtpLmdvb2cvcmVwby9jZXJ0cy9ndHMxYzMuZGVyMBkGA1UdEQQSMBCCDnd3dy5n
 b29nbGUuY29tMCEGA1UdIAQaMBgwCAYGZ4EMAQIBMAwGCisGAQQB1nkCBQMwPAYD
 VR0fBDUwMzAxoC+gLYYraHR0cDovL2NybHMucGtpLmdvb2cvZ3RzMWMzL1FPdkow
 TjFzVDJBLmNybDCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AHoyjFTYty22IOo4
 4FIe6YQWcDIThU070ivBOlejUutSAAABhXHHOiUAAAQDAEcwRQIgBUkikUIXdo+S
 3T8PP0/cvokhUlumRE3GRWGL4WRMLpcCIQDY+bwK384mZxyXGZ5lwNRTAPNzT8Fx
 1+//nbaGK3BQMAB2AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1uAAAB
 hXHHOfQAAAQDAEcwRQIgLoVydNfMFKV9IoZR+M0UuJ2zOqbxIRum7Sn9RMPOBGMC
 IQD1/BgzCSDTvYvco6kpB6ifKSbg5gcb5KTnYxQYwRW14TANBgkqhkiG9w0BAQ4F
 AAOCAQEA2bQQu30e3OFu0bmvQHmcqYvXBu6tF6e5b5b+hj4O+Rn7BXTTmaYX3M6p
 MsfRH4YVJJMB/dc3PROR2VtnKFC6gAZX+RKM6nXnZhIlOdmQnonS1ecOL19PliUd
 VXbwKjXqAO0Ljd9y9oXaXnyPyHmUJNI5YXAcxE+XXiOZhcZuMYyWmoEKJQ/XlSga
 zWfTn1IcKhA3IC7A1n/5bkkWD1Xi1mdWFQ6DQDMp//667zz7pKOgFMlB93aPDjvI
 c78zEqNswn6xGKXpWF5xVwdFcsx9HKhJ6UAi2bQ/KQ1yb7LPUOR6wXXWrG1cLnNP
 i8eNLnKL9PXQ+5SwJFCzfEhcIZuhzg==
 -----END CERTIFICATE-----`
 const smimeLeaf = `-----BEGIN CERTIFICATE-----
 MIIIPDCCBiSgAwIBAgIQaMDxFS0pOMxZZeOBxoTJtjANBgkqhkiG9w0BAQsFADCB
 nTELMAkGA1UEBhMCRVMxFDASBgNVBAoMC0laRU5QRSBTLkEuMTowOAYDVQQLDDFB
 WlogWml1cnRhZ2lyaSBwdWJsaWtvYSAtIENlcnRpZmljYWRvIHB1YmxpY28gU0NB
 MTwwOgYDVQQDDDNFQUVrbyBIZXJyaSBBZG1pbmlzdHJhemlvZW4gQ0EgLSBDQSBB
 QVBQIFZhc2NhcyAoMikwHhcNMTcwNzEyMDg1MzIxWhcNMjEwNzEyMDg1MzIxWjCC
 AQwxDzANBgNVBAoMBklaRU5QRTE4MDYGA1UECwwvWml1cnRhZ2lyaSBrb3Jwb3Jh
 dGlib2EtQ2VydGlmaWNhZG8gY29ycG9yYXRpdm8xQzBBBgNVBAsMOkNvbmRpY2lv
 bmVzIGRlIHVzbyBlbiB3d3cuaXplbnBlLmNvbSBub2xhIGVyYWJpbGkgamFraXRl
 a28xFzAVBgNVBC4TDi1kbmkgOTk5OTk5ODlaMSQwIgYDVQQDDBtDT1JQT1JBVElW
 TyBGSUNUSUNJTyBBQ1RJVk8xFDASBgNVBCoMC0NPUlBPUkFUSVZPMREwDwYDVQQE
 DAhGSUNUSUNJTzESMBAGA1UEBRMJOTk5OTk5ODlaMIIBIjANBgkqhkiG9w0BAQEF
 AAOCAQ8AMIIBCgKCAQEAwVOMwUDfBtsH0XuxYnb+v/L774jMH8valX7RPH8cl2Lb
 SiqSo0RchW2RGA2d1yuYHlpChC9jGmt0X/g66/E/+q2hUJlfJtqVDJFwtFYV4u2S
 yzA3J36V4PRkPQrKxAsbzZriFXAF10XgiHQz9aVeMMJ9GBhmh9+DK8Tm4cMF6i8l
 +AuC35KdngPF1x0ealTYrYZplpEJFO7CiW42aLi6vQkDR2R7nmZA4AT69teqBWsK
 0DZ93/f0G/3+vnWwNTBF0lB6dIXoaz8OMSyHLqGnmmAtMrzbjAr/O/WWgbB/BqhR
 qjJQ7Ui16cuDldXaWQ/rkMzsxmsAox0UF+zdQNvXUQIDAQABo4IDBDCCAwAwgccG
 A1UdEgSBvzCBvIYVaHR0cDovL3d3dy5pemVucGUuY29tgQ9pbmZvQGl6ZW5wZS5j
 b22kgZEwgY4xRzBFBgNVBAoMPklaRU5QRSBTLkEuIC0gQ0lGIEEwMTMzNzI2MC1S
 TWVyYy5WaXRvcmlhLUdhc3RlaXogVDEwNTUgRjYyIFM4MUMwQQYDVQQJDDpBdmRh
 IGRlbCBNZWRpdGVycmFuZW8gRXRvcmJpZGVhIDE0IC0gMDEwMTAgVml0b3JpYS1H
 YXN0ZWl6MB4GA1UdEQQXMBWBE2ZpY3RpY2lvQGl6ZW5wZS5ldXMwDgYDVR0PAQH/
 BAQDAgXgMCkGA1UdJQQiMCAGCCsGAQUFBwMCBggrBgEFBQcDBAYKKwYBBAGCNxQC
 AjAdBgNVHQ4EFgQUyeoOD4cgcljKY0JvrNuX2waFQLAwHwYDVR0jBBgwFoAUwKlK
 90clh/+8taaJzoLSRqiJ66MwggEnBgNVHSAEggEeMIIBGjCCARYGCisGAQQB8zkB
 AQEwggEGMDMGCCsGAQUFBwIBFidodHRwOi8vd3d3Lml6ZW5wZS5jb20vcnBhc2Nh
 Y29ycG9yYXRpdm8wgc4GCCsGAQUFBwICMIHBGoG+Wml1cnRhZ2lyaWEgRXVza2Fs
 IEF1dG9ub21pYSBFcmtpZGVnb2tvIHNla3RvcmUgcHVibGlrb2tvIGVyYWt1bmRl
 ZW4gYmFybmUtc2FyZWV0YW4gYmFrYXJyaWsgZXJhYmlsIGRhaXRla2UuIFVzbyBy
 ZXN0cmluZ2lkbyBhbCBhbWJpdG8gZGUgcmVkZXMgaW50ZXJuYXMgZGUgRW50aWRh
 ZGVzIGRlbCBTZWN0b3IgUHVibGljbyBWYXNjbzAyBggrBgEFBQcBAQQmMCQwIgYI
 KwYBBQUHMAGGFmh0dHA6Ly9vY3NwLml6ZW5wZS5jb20wOgYDVR0fBDMwMTAvoC2g
 K4YpaHR0cDovL2NybC5pemVucGUuY29tL2NnaS1iaW4vY3JsaW50ZXJuYTIwDQYJ
 KoZIhvcNAQELBQADggIBAIy5PQ+UZlCRq6ig43vpHwlwuD9daAYeejV0Q+ZbgWAE
 GtO0kT/ytw95ZEJMNiMw3fYfPRlh27ThqiT0VDXZJDlzmn7JZd6QFcdXkCsiuv4+
 ZoXAg/QwnA3SGUUO9aVaXyuOIIuvOfb9MzoGp9xk23SMV3eiLAaLMLqwB5DTfBdt
 BGI7L1MnGJBv8RfP/TL67aJ5bgq2ri4S8vGHtXSjcZ0+rCEOLJtmDNMnTZxancg3
 /H5edeNd+n6Z48LO+JHRxQufbC4mVNxVLMIP9EkGUejlq4E4w6zb5NwCQczJbSWL
 i31rk2orsNsDlyaLGsWZp3JSNX6RmodU4KAUPor4jUJuUhrrm3Spb73gKlV/gcIw
 bCE7mML1Kss3x1ySaXsis6SZtLpGWKkW2iguPWPs0ydV6RPhmsCxieMwPPIJ87vS
 5IejfgyBae7RSuAIHyNFy4uI5xwvwUFf6OZ7az8qtW7ImFOgng3Ds+W9k1S2CNTx
 d0cnKTfA6IpjGo8EeHcxnIXT8NPImWaRj0qqonvYady7ci6U4m3lkNSdXNn1afgw
 mYust+gxVtOZs1gk2MUCgJ1V1X+g7r/Cg7viIn6TLkLrpS1kS1hvMqkl9M+7XqPo
 Qd95nJKOkusQpy99X4dF/lfbYAQnnjnqh3DLD2gvYObXFaAYFaiBKTiMTV2X72F+
 -----END CERTIFICATE-----`
 const smimeIntermediate = `-----BEGIN CERTIFICATE-----
 MIIHNzCCBSGgAwIBAgIQJMXIqlZvjuhMvqcFXOFkpDALBgkqhkiG9w0BAQswODEL
 MAkGA1UEBhMCRVMxFDASBgNVBAoMC0laRU5QRSBTLkEuMRMwEQYDVQQDDApJemVu
 cGUuY29tMB4XDTEwMTAyMDA4MjMzM1oXDTM3MTIxMjIzMDAwMFowgZ0xCzAJBgNV
 BAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjE6MDgGA1UECwwxQVpaIFppdXJ0
 YWdpcmkgcHVibGlrb2EgLSBDZXJ0aWZpY2FkbyBwdWJsaWNvIFNDQTE8MDoGA1UE
 AwwzRUFFa28gSGVycmkgQWRtaW5pc3RyYXppb2VuIENBIC0gQ0EgQUFQUCBWYXNj
 YXMgKDIpMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoIM7nEdI0N1h
 rR5T4xuV/usKDoMIasaiKvfLhbwxaNtTt+a7W/6wV5bv3svQFIy3sUXjjdzV1nG2
 To2wo/YSPQiOt8exWvOapvL21ogiof+kelWnXFjWaKJI/vThHYLgIYEMj/y4HdtU
 ojI646rZwqsb4YGAopwgmkDfUh5jOhV2IcYE3TgJAYWVkj6jku9PLaIsHiarAHjD
 PY8dig8a4SRv0gm5Yk7FXLmW1d14oxQBDeHZ7zOEXfpafxdEDO2SNaRJjpkh8XRr
 PGqkg2y1Q3gT6b4537jz+StyDIJ3omylmlJsGCwqT7p8mEqjGJ5kC5I2VnjXKuNn
 soShc72khWZVUJiJo5SGuAkNE2ZXqltBVm5Jv6QweQKsX6bkcMc4IZok4a+hx8FM
 8IBpGf/I94pU6HzGXqCyc1d46drJgDY9mXa+6YDAJFl3xeXOOW2iGCfwXqhiCrKL
 MYvyMZzqF3QH5q4nb3ZnehYvraeMFXJXDn+Utqp8vd2r7ShfQJz01KtM4hgKdgSg
 jtW+shkVVN5ng/fPN85ovfAH2BHXFfHmQn4zKsYnLitpwYM/7S1HxlT61cdQ7Nnk
 3LZTYEgAoOmEmdheklT40WAYakksXGM5VrzG7x9S7s1Tm+Vb5LSThdHC8bxxwyTb
 KsDRDNJ84N9fPDO6qHnzaL2upQ43PycCAwEAAaOCAdkwggHVMIHHBgNVHREEgb8w
 gbyGFWh0dHA6Ly93d3cuaXplbnBlLmNvbYEPaW5mb0BpemVucGUuY29tpIGRMIGO
 MUcwRQYDVQQKDD5JWkVOUEUgUy5BLiAtIENJRiBBMDEzMzcyNjAtUk1lcmMuVml0
 b3JpYS1HYXN0ZWl6IFQxMDU1IEY2MiBTODFDMEEGA1UECQw6QXZkYSBkZWwgTWVk
 aXRlcnJhbmVvIEV0b3JiaWRlYSAxNCAtIDAxMDEwIFZpdG9yaWEtR2FzdGVpejAP
 BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUwKlK90cl
 h/+8taaJzoLSRqiJ66MwHwYDVR0jBBgwFoAUHRxlDqjyJXu0kc/ksbHmvVV0bAUw
 OgYDVR0gBDMwMTAvBgRVHSAAMCcwJQYIKwYBBQUHAgEWGWh0dHA6Ly93d3cuaXpl
 bnBlLmNvbS9jcHMwNwYIKwYBBQUHAQEEKzApMCcGCCsGAQUFBzABhhtodHRwOi8v
 b2NzcC5pemVucGUuY29tOjgwOTQwMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2Ny
 bC5pemVucGUuY29tL2NnaS1iaW4vYXJsMjALBgkqhkiG9w0BAQsDggIBAMbjc3HM
 3DG9ubWPkzsF0QsktukpujbTTcGk4h20G7SPRy1DiiTxrRzdAMWGjZioOP3/fKCS
 M539qH0M+gsySNie+iKlbSZJUyE635T1tKw+G7bDUapjlH1xyv55NC5I6wCXGC6E
 3TEP5B/E7dZD0s9E4lS511ubVZivFgOzMYo1DO96diny/N/V1enaTCpRl1qH1OyL
 xUYTijV4ph2gL6exwuG7pxfRcVNHYlrRaXWfTz3F6NBKyULxrI3P/y6JAtN1GqT4
 VF/+vMygx22n0DufGepBwTQz6/rr1ulSZ+eMnuJiTXgh/BzQnkUsXTb8mHII25iR
 0oYF2qAsk6ecWbLiDpkHKIDHmML21MZE13MS8NSvTHoqJO4LyAmDe6SaeNHtrPlK
 b6mzE1BN2ug+ZaX8wLA5IMPFaf0jKhb/Cxu8INsxjt00brsErCc9ip1VNaH0M4bi
 1tGxfiew2436FaeyUxW7Pl6G5GgkNbuUc7QIoRy06DdU/U38BxW3uyJMY60zwHvS
 FlKAn0OvYp4niKhAJwaBVN3kowmJuOU5Rid+TUnfyxbJ9cttSgzaF3hP/N4zgMEM
 5tikXUskeckt8LUK96EH0QyssavAMECUEb/xrupyRdYWwjQGvNLq6T5+fViDGyOw
 k+lzD44wofy8paAy9uC9Owae0zMEzhcsyRm7
 -----END CERTIFICATE-----`
 const smimeRoot = `-----BEGIN CERTIFICATE-----
 MIIF8TCCA9mgAwIBAgIQALC3WhZIX7/hy/WL1xnmfTANBgkqhkiG9w0BAQsFADA4
 MQswCQYDVQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6
 ZW5wZS5jb20wHhcNMDcxMjEzMTMwODI4WhcNMzcxMjEzMDgyNzI1WjA4MQswCQYD
 VQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6ZW5wZS5j
 b20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ03rKDx6sp4boFmVq
 scIbRTJxldn+EFvMr+eleQGPicPK8lVx93e+d5TzcqQsRNiekpsUOqHnJJAKClaO
 xdgmlOHZSOEtPtoKct2jmRXagaKH9HtuJneJWK3W6wyyQXpzbm3benhB6QiIEn6H
 LmYRY2xU+zydcsC8Lv/Ct90NduM61/e0aL6i9eOBbsFGb12N4E3GVFWJGjMxCrFX
 uaOKmMPsOzTFlUFpfnXCPCDFYbpRR6AgkJOhkEvzTnyFRVSa0QUmQbC1TR0zvsQD
 yCV8wXDbO/QJLVQnSKwv4cSsPsjLkkxTOTcj7NMB+eAJRE1NZMDhDVqHIrytG6P+
 JrUV86f8hBnp7KGItERphIPzidF0BqnMC9bC3ieFUCbKF7jJeodWLBoBHmy+E60Q
 rLUk9TiRodZL2vG70t5HtfG8gfZZa88ZU+mNFctKy6lvROUbQc/hhqfK0GqfvEyN
 BjNaooXlkDWgYlwWTvDjovoDGrQscbNYLN57C9saD+veIR8GdwYDsMnvmfzAuU8L
 hij+0rnq49qlw0dpEuDb8PYZi+17cNcC1u2HGCgsBCRMd+RIihrGO5rUD8r6ddIB
 QFqNeb+Lz0vPqhbBleStTIo+F5HUsWLlguWABKQDfo2/2n+iD5dPDNMN+9fR5XJ+
 HMh3/1uaD7euBUbl8agW7EekFwIDAQABo4H2MIHzMIGwBgNVHREEgagwgaWBD2lu
 Zm9AaXplbnBlLmNvbaSBkTCBjjFHMEUGA1UECgw+SVpFTlBFIFMuQS4gLSBDSUYg
 QTAxMzM3MjYwLVJNZXJjLlZpdG9yaWEtR2FzdGVpeiBUMTA1NSBGNjIgUzgxQzBB
 BgNVBAkMOkF2ZGEgZGVsIE1lZGl0ZXJyYW5lbyBFdG9yYmlkZWEgMTQgLSAwMTAx
 MCBWaXRvcmlhLUdhc3RlaXowDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
 AQYwHQYDVR0OBBYEFB0cZQ6o8iV7tJHP5LGx5r1VdGwFMA0GCSqGSIb3DQEBCwUA
 A4ICAQB4pgwWSp9MiDrAyw6lFn2fuUhfGI8NYjb2zRlrrKvV9pF9rnHzP7MOeIWb
 laQnIUdCSnxIOvVFfLMMjlF4rJUT3sb9fbgakEyrkgPH7UIBzg/YsfqikuFgba56
 awmqxinuaElnMIAkejEWOVt+8Rwu3WwJrfIxwYJOubv5vr8qhT/AQKM6WfxZSzwo
 JNu0FXWuDYi6LnPAvViH5ULy617uHjAimcs30cQhbIHsvm0m5hzkQiCeR7Csg1lw
 LDXWrzY0tM07+DKo7+N4ifuNRSzanLh+QBxh5z6ikixL8s36mLYp//Pye6kfLqCT
 VyvehQP5aTfLnnhqBbTFMXiJ7HqnheG5ezzevh55hM6fcA5ZwjUukCox2eRFekGk
 LhObNA5me0mrZJfQRsN5nXJQY6aYWwa9SG3YOYNw6DXwBdGqvOPbyALqfP2C2sJb
 UjWumDqtujWTI6cfSN01RpiyEGjkpTHCClguGYEQyVB1/OpaFs4R1+7vUIgtYf8/
 QnMFlEPVjjxOAToZpR9GTnfQXeWBIiGH/pR9hNiTrdZoQ0iy2+tzJOeRf1SktoA+
 naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1ZWrOZyGls
 QyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxw==
 -----END CERTIFICATE-----`
--- a/component/ca/keypair.go
+++ b/component/ca/keypair.go
@@ -12,6 +12,8 @@ import (
 	"encoding/pem"
 	"fmt"
 	"math/big"
 	"os"
 	"time"
 )
 type Path interface {
@@ -56,6 +58,33 @@ func LoadTLSKeyPair(certificate, privateKey string, path Path) (tls.Certificate,
 	return cert, nil
 }
 func LoadCertificates(certificate string, path Path) (*x509.CertPool, error) {
 	pool := x509.NewCertPool()
 	if pool.AppendCertsFromPEM([]byte(certificate)) {
 		return pool, nil
 	}
 	painTextErr := fmt.Errorf("invalid certificate: %s", certificate)
 	if path == nil {
 		return nil, painTextErr
 	}
 	certificate = path.Resolve(certificate)
 	var loadErr error
 	if !path.IsSafePath(certificate) {
 		loadErr = path.ErrNotSafePath(certificate)
 	} else {
 		certPEMBlock, err := os.ReadFile(certificate)
 		if pool.AppendCertsFromPEM(certPEMBlock) {
 			return pool, nil
 		}
 		loadErr = err
 	}
 	if loadErr != nil {
 		return nil, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
 	}
 	return pool, nil
 }
 type KeyPairType string
 const (
@@ -85,7 +114,11 @@ func NewRandomTLSKeyPair(keyPairType KeyPairType) (certificate string, privateKe
 		return
 	}
-	template := x509.Certificate{SerialNumber: big.NewInt(1)}
+	template := x509.Certificate{
 		SerialNumber: big.NewInt(1),
 		NotBefore:    time.Now().Add(-time.Hour * 24 * 365),
 		NotAfter:     time.Now().Add(time.Hour * 24 * 365),
 	}
 	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key)
 	if err != nil {
 		return
--- a/component/dialer/bind_darwin.go
+++ b/component/dialer/bind_darwin.go
@@ -21,10 +21,10 @@ func bindControl(ifaceIdx int) controlFn {
 		var innerErr error
 		err = c.Control(func(fd uintptr) {
 			switch network {
-			case "tcp4", "udp4":
+			case "tcp6", "udp6", "ip6":
 				innerErr = unix.SetsockoptInt(int(fd), unix.IPPROTO_IP, unix.IP_BOUND_IF, ifaceIdx)
 			case "tcp6", "udp6":
 				innerErr = unix.SetsockoptInt(int(fd), unix.IPPROTO_IPV6, unix.IPV6_BOUND_IF, ifaceIdx)
 			default:
 				innerErr = unix.SetsockoptInt(int(fd), unix.IPPROTO_IP, unix.IP_BOUND_IF, ifaceIdx)
 			}
 		})
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@@ -9,6 +9,7 @@ import (
 	"os"
 	"strings"
 	"sync"
 	"syscall"
 	"time"
 	"github.com/metacubex/mihomo/component/keepalive"
@@ -177,6 +178,34 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 	return dialer.DialContext(ctx, network, address)
 }
 func ICMPControl(destination netip.Addr) func(network, address string, conn syscall.RawConn) error {
 	return func(network, address string, conn syscall.RawConn) error {
 		if DefaultSocketHook != nil {
 			return DefaultSocketHook(network, address, conn)
 		}
 		dialer := &net.Dialer{}
 		interfaceName := DefaultInterface.Load()
 		if interfaceName == "" {
 			if finder := DefaultInterfaceFinder.Load(); finder != nil {
 				interfaceName = finder.FindInterfaceName(destination)
 			}
 		}
 		if interfaceName != "" {
 			if err := bindIfaceToDialer(interfaceName, dialer, network, destination); err != nil {
 				return err
 			}
 		}
 		routingMark := int(DefaultRoutingMark.Load())
 		if routingMark != 0 {
 			bindMarkToDialer(routingMark, dialer, network, destination)
 		}
 		if dialer.ControlContext != nil {
 			return dialer.ControlContext(context.TODO(), network, address, conn)
 		}
 		return nil
 	}
 }
 func serialSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	return serialDialContext(ctx, network, ips, port, opt)
 }
--- a/component/generater/cmd.go
+++ b/component/generater/cmd.go
@@ -1,49 +0,0 @@
 package generater
 import (
 	"encoding/base64"
 	"fmt"
 	"github.com/metacubex/mihomo/component/ech"
 	"github.com/gofrs/uuid/v5"
 )
 func Main(args []string) {
 	if len(args) < 1 {
 		panic("Using: generate uuid/reality-keypair/wg-keypair/ech-keypair")
 	}
 	switch args[0] {
 	case "uuid":
 		newUUID, err := uuid.NewV4()
 		if err != nil {
 			panic(err)
 		}
 		fmt.Println(newUUID.String())
 	case "reality-keypair":
 		privateKey, err := GeneratePrivateKey()
 		if err != nil {
 			panic(err)
 		}
 		publicKey := privateKey.PublicKey()
 		fmt.Println("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]))
 		fmt.Println("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]))
 	case "wg-keypair":
 		privateKey, err := GeneratePrivateKey()
 		if err != nil {
 			panic(err)
 		}
 		fmt.Println("PrivateKey: " + privateKey.String())
 		fmt.Println("PublicKey: " + privateKey.PublicKey().String())
 	case "ech-keypair":
 		if len(args) < 2 {
 			panic("Using: generate ech-keypair <plain_server_name>")
 		}
 		configBase64, keyPem, err := ech.GenECHConfig(args[1])
 		if err != nil {
 			panic(err)
 		}
 		fmt.Println("Config:", configBase64)
 		fmt.Println("Key:", keyPem)
 	}
 }
--- a/component/generater/types.go
+++ b/component/generater/types.go
@@ -1,97 +0,0 @@
 // Copy from https://github.com/WireGuard/wgctrl-go/blob/a9ab2273dd1075ea74b88c76f8757f8b4003fcbf/wgtypes/types.go#L71-L155
 package generater
 import (
 	"crypto/rand"
 	"encoding/base64"
 	"fmt"
 	"golang.org/x/crypto/curve25519"
 )
 // KeyLen is the expected key length for a WireGuard key.
 const KeyLen = 32 // wgh.KeyLen
 // A Key is a public, private, or pre-shared secret key.  The Key constructor
 // functions in this package can be used to create Keys suitable for each of
 // these applications.
 type Key [KeyLen]byte
 // GenerateKey generates a Key suitable for use as a pre-shared secret key from
 // a cryptographically safe source.
 //
 // The output Key should not be used as a private key; use GeneratePrivateKey
 // instead.
 func GenerateKey() (Key, error) {
 	b := make([]byte, KeyLen)
 	if _, err := rand.Read(b); err != nil {
 		return Key{}, fmt.Errorf("wgtypes: failed to read random bytes: %v", err)
 	}
 	return NewKey(b)
 }
 // GeneratePrivateKey generates a Key suitable for use as a private key from a
 // cryptographically safe source.
 func GeneratePrivateKey() (Key, error) {
 	key, err := GenerateKey()
 	if err != nil {
 		return Key{}, err
 	}
 	// Modify random bytes using algorithm described at:
 	// https://cr.yp.to/ecdh.html.
 	key[0] &= 248
 	key[31] &= 127
 	key[31] |= 64
 	return key, nil
 }
 // NewKey creates a Key from an existing byte slice.  The byte slice must be
 // exactly 32 bytes in length.
 func NewKey(b []byte) (Key, error) {
 	if len(b) != KeyLen {
 		return Key{}, fmt.Errorf("wgtypes: incorrect key size: %d", len(b))
 	}
 	var k Key
 	copy(k[:], b)
 	return k, nil
 }
 // ParseKey parses a Key from a base64-encoded string, as produced by the
 // Key.String method.
 func ParseKey(s string) (Key, error) {
 	b, err := base64.StdEncoding.DecodeString(s)
 	if err != nil {
 		return Key{}, fmt.Errorf("wgtypes: failed to parse base64-encoded key: %v", err)
 	}
 	return NewKey(b)
 }
 // PublicKey computes a public key from the private key k.
 //
 // PublicKey should only be called when k is a private key.
 func (k Key) PublicKey() Key {
 	var (
 		pub  [KeyLen]byte
 		priv = [KeyLen]byte(k)
 	)
 	// ScalarBaseMult uses the correct base value per https://cr.yp.to/ecdh.html,
 	// so no need to specify it.
 	curve25519.ScalarBaseMult(&pub, &priv)
 	return Key(pub)
 }
 // String returns the base64-encoded string representation of a Key.
 //
 // ParseKey can be used to produce a new Key from this string.
 func (k Key) String() string {
 	return base64.StdEncoding.EncodeToString(k[:])
 }
--- a/component/generator/cmd.go
+++ b/component/generator/cmd.go
@@ -0,0 +1,73 @@
 package generator
 import (
 	"encoding/base64"
 	"fmt"
 	"github.com/metacubex/mihomo/component/ech"
 	"github.com/metacubex/mihomo/transport/vless/encryption"
 	"github.com/gofrs/uuid/v5"
 )
 func Main(args []string) {
 	if len(args) < 1 {
 		panic("Using: generate uuid/reality-keypair/wg-keypair/ech-keypair/vless-mlkem768/vless-x25519")
 	}
 	switch args[0] {
 	case "uuid":
 		newUUID, err := uuid.NewV4()
 		if err != nil {
 			panic(err)
 		}
 		fmt.Println(newUUID.String())
 	case "reality-keypair":
 		privateKey, err := GenX25519PrivateKey()
 		if err != nil {
 			panic(err)
 		}
 		fmt.Println("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey.Bytes()))
 		fmt.Println("PublicKey: " + base64.RawURLEncoding.EncodeToString(privateKey.PublicKey().Bytes()))
 	case "wg-keypair":
 		privateKey, err := GenX25519PrivateKey()
 		if err != nil {
 			panic(err)
 		}
 		fmt.Println("PrivateKey: " + base64.StdEncoding.EncodeToString(privateKey.Bytes()))
 		fmt.Println("PublicKey: " + base64.StdEncoding.EncodeToString(privateKey.PublicKey().Bytes()))
 	case "ech-keypair":
 		if len(args) < 2 {
 			panic("Using: generate ech-keypair <plain_server_name>")
 		}
 		configBase64, keyPem, err := ech.GenECHConfig(args[1])
 		if err != nil {
 			panic(err)
 		}
 		fmt.Println("Config:", configBase64)
 		fmt.Println("Key:", keyPem)
 	case "vless-mlkem768":
 		var seed string
 		if len(args) > 1 {
 			seed = args[1]
 		}
 		seedBase64, clientBase64, hash32Base64, err := encryption.GenMLKEM768(seed)
 		if err != nil {
 			panic(err)
 		}
 		fmt.Println("Seed: " + seedBase64)
 		fmt.Println("Client: " + clientBase64)
 		fmt.Println("Hash32: " + hash32Base64)
 	case "vless-x25519":
 		var privateKey string
 		if len(args) > 1 {
 			privateKey = args[1]
 		}
 		privateKeyBase64, passwordBase64, hash32Base64, err := encryption.GenX25519(privateKey)
 		if err != nil {
 			panic(err)
 		}
 		fmt.Println("PrivateKey: " + privateKeyBase64)
 		fmt.Println("Password: " + passwordBase64)
 		fmt.Println("Hash32: " + hash32Base64)
 	}
 }
--- a/component/generator/x25519.go
+++ b/component/generator/x25519.go
@@ -0,0 +1,27 @@
 package generator
 import (
 	"crypto/ecdh"
 	"crypto/rand"
 )
 const X25519KeySize = 32
 func GenX25519PrivateKey() (*ecdh.PrivateKey, error) {
 	var privateKey [X25519KeySize]byte
 	_, err := rand.Read(privateKey[:])
 	if err != nil {
 		return nil, err
 	}
 	// Avoid generating equivalent X25519 private keys
 	// https://github.com/XTLS/Xray-core/pull/1747
 	//
 	// Modify random bytes using algorithm described at:
 	// https://cr.yp.to/ecdh.html.
 	privateKey[0] &= 248
 	privateKey[31] &= 127
 	privateKey[31] |= 64
 	return ecdh.X25519().NewPrivateKey(privateKey[:])
 }
--- a/component/http/http.go
+++ b/component/http/http.go
@@ -2,7 +2,6 @@ package http
 import (
 	"context"
 	"crypto/tls"
 	"io"
 	"net"
 	"net/http"
@@ -28,11 +27,11 @@ func SetUA(UA string) {
 	ua = UA
 }
-func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader) (*http.Response, error) {
+func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader, options ...Option) (*http.Response, error) {
-	return HttpRequestWithProxy(ctx, url, method, header, body, "")
+	opt := option{}
-}
+	for _, o := range options {
-
+		o(&opt)
-func HttpRequestWithProxy(ctx context.Context, url, method string, header map[string][]string, body io.Reader, specialProxy string) (*http.Response, error) {
+	}
 	method = strings.ToUpper(method)
 	urlRes, err := URL.Parse(url)
 	if err != nil {
@@ -40,6 +39,10 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st
 	}
 	req, err := http.NewRequest(method, urlRes.String(), body)
 	if err != nil {
 		return nil, err
 	}
 	for k, v := range header {
 		for _, v := range v {
 			req.Header.Add(k, v)
@@ -50,10 +53,6 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st
 		req.Header.Set("User-Agent", UA())
 	}
 	if err != nil {
 		return nil, err
 	}
 	if user := urlRes.User; user != nil {
 		password, _ := user.Password()
 		req.SetBasicAuth(user.Username(), password)
@@ -61,6 +60,11 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st
 	req = req.WithContext(ctx)
 	tlsConfig, err := ca.GetTLSConfig(opt.caOption)
 	if err != nil {
 		return nil, err
 	}
 	transport := &http.Transport{
 		// from http.DefaultTransport
 		DisableKeepAlives:     runtime.GOOS == "android",
@@ -69,15 +73,34 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
-			if conn, err := inner.HandleTcp(inner.GetTunnel(), address, specialProxy); err == nil {
+			if conn, err := inner.HandleTcp(inner.GetTunnel(), address, opt.specialProxy); err == nil {
 				return conn, nil
 			} else {
 				return dialer.DialContext(ctx, network, address)
 			}
 		},
-		TLSClientConfig: ca.GetGlobalTLSConfig(&tls.Config{}),
+		TLSClientConfig: tlsConfig,
 	}
 	client := http.Client{Transport: transport}
 	return client.Do(req)
 }
 type Option func(opt *option)
 type option struct {
 	specialProxy string
 	caOption     ca.Option
 }
 func WithSpecialProxy(name string) Option {
 	return func(opt *option) {
 		opt.specialProxy = name
 	}
 }
 func WithCAOption(caOption ca.Option) Option {
 	return func(opt *option) {
 		opt.caOption = caOption
 	}
 }
--- a/component/keepalive/tcp_keepalive.go
+++ b/component/keepalive/tcp_keepalive.go
@@ -10,27 +10,27 @@ import (
 )
 var (
-	keepAliveIdle     = atomic.NewTypedValue[time.Duration](0 * time.Second)
+	keepAliveIdle     = atomic.NewInt64(0)
-	keepAliveInterval = atomic.NewTypedValue[time.Duration](0 * time.Second)
+	keepAliveInterval = atomic.NewInt64(0)
 	disableKeepAlive  = atomic.NewBool(false)
 	SetDisableKeepAliveCallback = utils.NewCallback[bool]()
 )
 func SetKeepAliveIdle(t time.Duration) {
-	keepAliveIdle.Store(t)
+	keepAliveIdle.Store(int64(t))
 }
 func SetKeepAliveInterval(t time.Duration) {
-	keepAliveInterval.Store(t)
+	keepAliveInterval.Store(int64(t))
 }
 func KeepAliveIdle() time.Duration {
-	return keepAliveIdle.Load()
+	return time.Duration(keepAliveIdle.Load())
 }
 func KeepAliveInterval() time.Duration {
-	return keepAliveInterval.Load()
+	return time.Duration(keepAliveInterval.Load())
 }
 func SetDisableKeepAlive(disable bool) {
--- a/component/loopback/detector.go
+++ b/component/loopback/detector.go
@@ -8,11 +8,10 @@ import (
 	"strconv"
 	"github.com/metacubex/mihomo/common/callback"
 	"github.com/metacubex/mihomo/common/xsync"
 	"github.com/metacubex/mihomo/component/iface"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/features"
 	"github.com/puzpuzpuz/xsync/v3"
 )
 var disableLoopBackDetector, _ = strconv.ParseBool(os.Getenv("DISABLE_LOOPBACK_DETECTOR"))
@@ -26,22 +25,19 @@ func init() {
 var ErrReject = errors.New("reject loopback connection")
 type Detector struct {
-	connMap       *xsync.MapOf[netip.AddrPort, struct{}]
+	connMap       xsync.Map[netip.AddrPort, struct{}]
-	packetConnMap *xsync.MapOf[uint16, struct{}]
+	packetConnMap xsync.Map[uint16, struct{}]
 }
 func NewDetector() *Detector {
 	if disableLoopBackDetector {
 		return nil
 	}
-	return &Detector{
+	return &Detector{}
 		connMap:       xsync.NewMapOf[netip.AddrPort, struct{}](),
 		packetConnMap: xsync.NewMapOf[uint16, struct{}](),
 	}
 }
 func (l *Detector) NewConn(conn C.Conn) C.Conn {
-	if l == nil || l.connMap == nil {
+	if l == nil {
 		return conn
 	}
 	metadata := C.Metadata{}
@@ -59,7 +55,7 @@ func (l *Detector) NewConn(conn C.Conn) C.Conn {
 }
 func (l *Detector) NewPacketConn(conn C.PacketConn) C.PacketConn {
-	if l == nil || l.packetConnMap == nil {
+	if l == nil {
 		return conn
 	}
 	metadata := C.Metadata{}
@@ -78,7 +74,7 @@ func (l *Detector) NewPacketConn(conn C.PacketConn) C.PacketConn {
 }
 func (l *Detector) CheckConn(metadata *C.Metadata) error {
-	if l == nil || l.connMap == nil {
+	if l == nil {
 		return nil
 	}
 	connAddr := metadata.SourceAddrPort()
@@ -92,7 +88,7 @@ func (l *Detector) CheckConn(metadata *C.Metadata) error {
 }
 func (l *Detector) CheckPacketConn(metadata *C.Metadata) error {
-	if l == nil || l.packetConnMap == nil {
+	if l == nil {
 		return nil
 	}
 	connAddr := metadata.SourceAddrPort()
--- a/component/memory/memory.go
+++ b/component/memory/memory.go
@@ -0,0 +1,29 @@
 // Package memory return MemoryInfoStat
 // modify from https://github.com/shirou/gopsutil/tree/v4.25.8/process
 package memory
 import (
 	"errors"
 	"fmt"
 	"math"
 )
 var ErrNotImplementedError = errors.New("not implemented yet")
 type MemoryInfoStat struct {
 	RSS uint64 `json:"rss"` // bytes
 	VMS uint64 `json:"vms"` // bytes
 }
 // PrettyByteSize convert size in bytes to Bytes, Kilobytes, Megabytes, GB and TB
 // https://gist.github.com/anikitenko/b41206a49727b83a530142c76b1cb82d?permalink_comment_id=4467913#gistcomment-4467913
 func PrettyByteSize(b uint64) string {
 	bf := float64(b)
 	for _, unit := range []string{"", "Ki", "Mi", "Gi", "Ti", "Pi", "Ei", "Zi"} {
 		if math.Abs(bf) < 1024.0 {
 			return fmt.Sprintf("%3.1f%sB", bf, unit)
 		}
 		bf /= 1024.0
 	}
 	return fmt.Sprintf("%.1fYiB", bf)
 }
--- a/component/memory/memory_darwin.go
+++ b/component/memory/memory_darwin.go
@@ -0,0 +1,56 @@
 package memory
 import (
 	"unsafe"
 	"github.com/ebitengine/purego"
 )
 const PROC_PIDTASKINFO = 4
 type ProcTaskInfo struct {
 	Virtual_size      uint64
 	Resident_size     uint64
 	Total_user        uint64
 	Total_system      uint64
 	Threads_user      uint64
 	Threads_system    uint64
 	Policy            int32
 	Faults            int32
 	Pageins           int32
 	Cow_faults        int32
 	Messages_sent     int32
 	Messages_received int32
 	Syscalls_mach     int32
 	Syscalls_unix     int32
 	Csw               int32
 	Threadnum         int32
 	Numrunning        int32
 	Priority          int32
 }
 const System = "/usr/lib/libSystem.B.dylib"
 type ProcPidInfoFunc func(pid, flavor int32, arg uint64, buffer uintptr, bufferSize int32) int32
 const ProcPidInfoSym = "proc_pidinfo"
 func GetMemoryInfo(pid int32) (*MemoryInfoStat, error) {
 	lib, err := purego.Dlopen(System, purego.RTLD_LAZY|purego.RTLD_GLOBAL)
 	if err != nil {
 		return nil, err
 	}
 	defer purego.Dlclose(lib)
 	var procPidInfo ProcPidInfoFunc
 	purego.RegisterLibFunc(&procPidInfo, lib, ProcPidInfoSym)
 	var ti ProcTaskInfo
 	procPidInfo(pid, PROC_PIDTASKINFO, 0, uintptr(unsafe.Pointer(&ti)), int32(unsafe.Sizeof(ti)))
 	ret := &MemoryInfoStat{
 		RSS: uint64(ti.Resident_size),
 		VMS: uint64(ti.Virtual_size),
 	}
 	return ret, nil
 }
--- a/component/memory/memory_falllback.go
+++ b/component/memory/memory_falllback.go
@@ -0,0 +1,7 @@
 //go:build !darwin && !linux && !freebsd && !openbsd && !windows
 package memory
 func GetMemoryInfo(pid int32) (*MemoryInfoStat, error) {
 	return nil, ErrNotImplementedError
 }
--- a/component/memory/memory_freebsd.go
+++ b/component/memory/memory_freebsd.go
@@ -0,0 +1,97 @@
 package memory
 import (
 	"bytes"
 	"encoding/binary"
 	"errors"
 	"unsafe"
 	"golang.org/x/sys/unix"
 )
 const (
 	CTLKern          = 1
 	KernProc         = 14
 	KernProcPID      = 1
 )
 func CallSyscall(mib []int32) ([]byte, uint64, error) {
 	mibptr := unsafe.Pointer(&mib[0])
 	miblen := uint64(len(mib))
 	// get required buffer size
 	length := uint64(0)
 	_, _, err := unix.Syscall6(
 		unix.SYS___SYSCTL,
 		uintptr(mibptr),
 		uintptr(miblen),
 		0,
 		uintptr(unsafe.Pointer(&length)),
 		0,
 		0)
 	if err != 0 {
 		var b []byte
 		return b, length, err
 	}
 	if length == 0 {
 		var b []byte
 		return b, length, err
 	}
 	// get proc info itself
 	buf := make([]byte, length)
 	_, _, err = unix.Syscall6(
 		unix.SYS___SYSCTL,
 		uintptr(mibptr),
 		uintptr(miblen),
 		uintptr(unsafe.Pointer(&buf[0])),
 		uintptr(unsafe.Pointer(&length)),
 		0,
 		0)
 	if err != 0 {
 		return buf, length, err
 	}
 	return buf, length, nil
 }
 func parseKinfoProc(buf []byte) (KinfoProc, error) {
 	var k KinfoProc
 	br := bytes.NewReader(buf)
 	err := binary.Read(br, binary.LittleEndian, &k)
 	return k, err
 }
 func getKProc(pid int32) (*KinfoProc, error) {
 	mib := []int32{CTLKern, KernProc, KernProcPID, pid}
 	buf, length, err := CallSyscall(mib)
 	if err != nil {
 		return nil, err
 	}
 	if length != sizeOfKinfoProc {
 		return nil, errors.New("unexpected size of KinfoProc")
 	}
 	k, err := parseKinfoProc(buf)
 	if err != nil {
 		return nil, err
 	}
 	return &k, nil
 }
 func GetMemoryInfo(pid int32) (*MemoryInfoStat, error) {
 	k, err := getKProc(pid)
 	if err != nil {
 		return nil, err
 	}
 	v, err := unix.Sysctl("vm.stats.vm.v_page_size")
 	if err != nil {
 		return nil, err
 	}
 	pageSize := binary.LittleEndian.Uint16([]byte(v))
 	return &MemoryInfoStat{
 		RSS: uint64(k.Rssize) * uint64(pageSize),
 		VMS: uint64(k.Size),
 	}, nil
 }
--- a/component/memory/memory_freebsd_386.go
+++ b/component/memory/memory_freebsd_386.go
@@ -0,0 +1,119 @@
 package memory
 const sizeOfKinfoProc    = 0x300
 type Timeval struct {
 	Sec  int32
 	Usec int32
 }
 type Rusage struct {
 	Utime    Timeval
 	Stime    Timeval
 	Maxrss   int32
 	Ixrss    int32
 	Idrss    int32
 	Isrss    int32
 	Minflt   int32
 	Majflt   int32
 	Nswap    int32
 	Inblock  int32
 	Oublock  int32
 	Msgsnd   int32
 	Msgrcv   int32
 	Nsignals int32
 	Nvcsw    int32
 	Nivcsw   int32
 }
 type KinfoProc struct {
 	Structsize   int32
 	Layout       int32
 	Args         int32 /* pargs */
 	Paddr        int32 /* proc */
 	Addr         int32 /* user */
 	Tracep       int32 /* vnode */
 	Textvp       int32 /* vnode */
 	Fd           int32 /* filedesc */
 	Vmspace      int32 /* vmspace */
 	Wchan        int32
 	Pid          int32
 	Ppid         int32
 	Pgid         int32
 	Tpgid        int32
 	Sid          int32
 	Tsid         int32
 	Jobc         int16
 	Spare_short1 int16
 	Tdev         uint32
 	Siglist      [16]byte /* sigset */
 	Sigmask      [16]byte /* sigset */
 	Sigignore    [16]byte /* sigset */
 	Sigcatch     [16]byte /* sigset */
 	Uid          uint32
 	Ruid         uint32
 	Svuid        uint32
 	Rgid         uint32
 	Svgid        uint32
 	Ngroups      int16
 	Spare_short2 int16
 	Groups       [16]uint32
 	Size         uint32
 	Rssize       int32
 	Swrss        int32
 	Tsize        int32
 	Dsize        int32
 	Ssize        int32
 	Xstat        uint16
 	Acflag       uint16
 	Pctcpu       uint32
 	Estcpu       uint32
 	Slptime      uint32
 	Swtime       uint32
 	Cow          uint32
 	Runtime      uint64
 	Start        Timeval
 	Childtime    Timeval
 	Flag         int32
 	Kiflag       int32
 	Traceflag    int32
 	Stat         int8
 	Nice         int8
 	Lock         int8
 	Rqindex      int8
 	Oncpu        uint8
 	Lastcpu      uint8
 	Tdname       [17]int8
 	Wmesg        [9]int8
 	Login        [18]int8
 	Lockname     [9]int8
 	Comm         [20]int8
 	Emul         [17]int8
 	Loginclass   [18]int8
 	Sparestrings [50]int8
 	Spareints    [7]int32
 	Flag2        int32
 	Fibnum       int32
 	Cr_flags     uint32
 	Jid          int32
 	Numthreads   int32
 	Tid          int32
 	Pri          Priority
 	Rusage       Rusage
 	Rusage_ch    Rusage
 	Pcb          int32 /* pcb */
 	Kstack       int32
 	Udata        int32
 	Tdaddr       int32 /* thread */
 	Spareptrs    [6]int32
 	Sparelongs   [12]int32
 	Sflag        int32
 	Tdflags      int32
 }
 type Priority struct {
 	Class  uint8
 	Level  uint8
 	Native uint8
 	User   uint8
 }
--- a/component/memory/memory_freebsd_amd64.go
+++ b/component/memory/memory_freebsd_amd64.go
@@ -0,0 +1,125 @@
 package memory
 const sizeOfKinfoProc = 0x440
 type Timeval struct {
 	Sec  int64
 	Usec int64
 }
 type Rusage struct {
 	Utime    Timeval
 	Stime    Timeval
 	Maxrss   int64
 	Ixrss    int64
 	Idrss    int64
 	Isrss    int64
 	Minflt   int64
 	Majflt   int64
 	Nswap    int64
 	Inblock  int64
 	Oublock  int64
 	Msgsnd   int64
 	Msgrcv   int64
 	Nsignals int64
 	Nvcsw    int64
 	Nivcsw   int64
 }
 type KinfoProc struct {
 	Structsize     int32
 	Layout         int32
 	Args           int64 /* pargs */
 	Paddr          int64 /* proc */
 	Addr           int64 /* user */
 	Tracep         int64 /* vnode */
 	Textvp         int64 /* vnode */
 	Fd             int64 /* filedesc */
 	Vmspace        int64 /* vmspace */
 	Wchan          int64
 	Pid            int32
 	Ppid           int32
 	Pgid           int32
 	Tpgid          int32
 	Sid            int32
 	Tsid           int32
 	Jobc           int16
 	Spare_short1   int16
 	Tdev_freebsd11 uint32
 	Siglist        [16]byte /* sigset */
 	Sigmask        [16]byte /* sigset */
 	Sigignore      [16]byte /* sigset */
 	Sigcatch       [16]byte /* sigset */
 	Uid            uint32
 	Ruid           uint32
 	Svuid          uint32
 	Rgid           uint32
 	Svgid          uint32
 	Ngroups        int16
 	Spare_short2   int16
 	Groups         [16]uint32
 	Size           uint64
 	Rssize         int64
 	Swrss          int64
 	Tsize          int64
 	Dsize          int64
 	Ssize          int64
 	Xstat          uint16
 	Acflag         uint16
 	Pctcpu         uint32
 	Estcpu         uint32
 	Slptime        uint32
 	Swtime         uint32
 	Cow            uint32
 	Runtime        uint64
 	Start          Timeval
 	Childtime      Timeval
 	Flag           int64
 	Kiflag         int64
 	Traceflag      int32
 	Stat           int8
 	Nice           int8
 	Lock           int8
 	Rqindex        int8
 	Oncpu_old      uint8
 	Lastcpu_old    uint8
 	Tdname         [17]int8
 	Wmesg          [9]int8
 	Login          [18]int8
 	Lockname       [9]int8
 	Comm           [20]int8
 	Emul           [17]int8
 	Loginclass     [18]int8
 	Moretdname     [4]int8
 	Sparestrings   [46]int8
 	Spareints      [2]int32
 	Tdev           uint64
 	Oncpu          int32
 	Lastcpu        int32
 	Tracer         int32
 	Flag2          int32
 	Fibnum         int32
 	Cr_flags       uint32
 	Jid            int32
 	Numthreads     int32
 	Tid            int32
 	Pri            Priority
 	Rusage         Rusage
 	Rusage_ch      Rusage
 	Pcb            int64 /* pcb */
 	Kstack         int64
 	Udata          int64
 	Tdaddr         int64 /* thread */
 	Pd             int64 /* pwddesc, not accurate */
 	Spareptrs      [5]int64
 	Sparelongs     [12]int64
 	Sflag          int64
 	Tdflags        int64
 }
 type Priority struct {
 	Class  uint8
 	Level  uint8
 	Native uint8
 	User   uint8
 }
--- a/component/memory/memory_freebsd_arm.go
+++ b/component/memory/memory_freebsd_arm.go
@@ -0,0 +1,119 @@
 package memory
 const sizeOfKinfoProc = 0x440
 type Timeval struct {
 	Sec  int64
 	Usec int64
 }
 type Rusage struct {
 	Utime    Timeval
 	Stime    Timeval
 	Maxrss   int32
 	Ixrss    int32
 	Idrss    int32
 	Isrss    int32
 	Minflt   int32
 	Majflt   int32
 	Nswap    int32
 	Inblock  int32
 	Oublock  int32
 	Msgsnd   int32
 	Msgrcv   int32
 	Nsignals int32
 	Nvcsw    int32
 	Nivcsw   int32
 }
 type KinfoProc struct {
 	Structsize   int32
 	Layout       int32
 	Args         int32 /* pargs */
 	Paddr        int32 /* proc */
 	Addr         int32 /* user */
 	Tracep       int32 /* vnode */
 	Textvp       int32 /* vnode */
 	Fd           int32 /* filedesc */
 	Vmspace      int32 /* vmspace */
 	Wchan        int32
 	Pid          int32
 	Ppid         int32
 	Pgid         int32
 	Tpgid        int32
 	Sid          int32
 	Tsid         int32
 	Jobc         int16
 	Spare_short1 int16
 	Tdev         uint32
 	Siglist      [16]byte /* sigset */
 	Sigmask      [16]byte /* sigset */
 	Sigignore    [16]byte /* sigset */
 	Sigcatch     [16]byte /* sigset */
 	Uid          uint32
 	Ruid         uint32
 	Svuid        uint32
 	Rgid         uint32
 	Svgid        uint32
 	Ngroups      int16
 	Spare_short2 int16
 	Groups       [16]uint32
 	Size         uint32
 	Rssize       int32
 	Swrss        int32
 	Tsize        int32
 	Dsize        int32
 	Ssize        int32
 	Xstat        uint16
 	Acflag       uint16
 	Pctcpu       uint32
 	Estcpu       uint32
 	Slptime      uint32
 	Swtime       uint32
 	Cow          uint32
 	Runtime      uint64
 	Start        Timeval
 	Childtime    Timeval
 	Flag         int32
 	Kiflag       int32
 	Traceflag    int32
 	Stat         int8
 	Nice         int8
 	Lock         int8
 	Rqindex      int8
 	Oncpu        uint8
 	Lastcpu      uint8
 	Tdname       [17]int8
 	Wmesg        [9]int8
 	Login        [18]int8
 	Lockname     [9]int8
 	Comm         [20]int8
 	Emul         [17]int8
 	Loginclass   [18]int8
 	Sparestrings [50]int8
 	Spareints    [4]int32
 	Flag2        int32
 	Fibnum       int32
 	Cr_flags     uint32
 	Jid          int32
 	Numthreads   int32
 	Tid          int32
 	Pri          Priority
 	Rusage       Rusage
 	Rusage_ch    Rusage
 	Pcb          int32 /* pcb */
 	Kstack       int32
 	Udata        int32
 	Tdaddr       int32 /* thread */
 	Spareptrs    [6]int64
 	Sparelongs   [12]int64
 	Sflag        int64
 	Tdflags      int64
 }
 type Priority struct {
 	Class  uint8
 	Level  uint8
 	Native uint8
 	User   uint8
 }
--- a/component/memory/memory_freebsd_arm64.go
+++ b/component/memory/memory_freebsd_arm64.go
@@ -0,0 +1,125 @@
 package memory
 const sizeOfKinfoProc = 0x440
 type Timeval struct {
 	Sec  int64
 	Usec int64
 }
 type Rusage struct {
 	Utime    Timeval
 	Stime    Timeval
 	Maxrss   int64
 	Ixrss    int64
 	Idrss    int64
 	Isrss    int64
 	Minflt   int64
 	Majflt   int64
 	Nswap    int64
 	Inblock  int64
 	Oublock  int64
 	Msgsnd   int64
 	Msgrcv   int64
 	Nsignals int64
 	Nvcsw    int64
 	Nivcsw   int64
 }
 type KinfoProc struct {
 	Structsize     int32
 	Layout         int32
 	Args           int64 /* pargs */
 	Paddr          int64 /* proc */
 	Addr           int64 /* user */
 	Tracep         int64 /* vnode */
 	Textvp         int64 /* vnode */
 	Fd             int64 /* filedesc */
 	Vmspace        int64 /* vmspace */
 	Wchan          int64
 	Pid            int32
 	Ppid           int32
 	Pgid           int32
 	Tpgid          int32
 	Sid            int32
 	Tsid           int32
 	Jobc           int16
 	Spare_short1   int16
 	Tdev_freebsd11 uint32
 	Siglist        [16]byte /* sigset */
 	Sigmask        [16]byte /* sigset */
 	Sigignore      [16]byte /* sigset */
 	Sigcatch       [16]byte /* sigset */
 	Uid            uint32
 	Ruid           uint32
 	Svuid          uint32
 	Rgid           uint32
 	Svgid          uint32
 	Ngroups        int16
 	Spare_short2   int16
 	Groups         [16]uint32
 	Size           uint64
 	Rssize         int64
 	Swrss          int64
 	Tsize          int64
 	Dsize          int64
 	Ssize          int64
 	Xstat          uint16
 	Acflag         uint16
 	Pctcpu         uint32
 	Estcpu         uint32
 	Slptime        uint32
 	Swtime         uint32
 	Cow            uint32
 	Runtime        uint64
 	Start          Timeval
 	Childtime      Timeval
 	Flag           int64
 	Kiflag         int64
 	Traceflag      int32
 	Stat           uint8
 	Nice           int8
 	Lock           uint8
 	Rqindex        uint8
 	Oncpu_old      uint8
 	Lastcpu_old    uint8
 	Tdname         [17]uint8
 	Wmesg          [9]uint8
 	Login          [18]uint8
 	Lockname       [9]uint8
 	Comm           [20]int8 // changed from uint8 by hand
 	Emul           [17]uint8
 	Loginclass     [18]uint8
 	Moretdname     [4]uint8
 	Sparestrings   [46]uint8
 	Spareints      [2]int32
 	Tdev           uint64
 	Oncpu          int32
 	Lastcpu        int32
 	Tracer         int32
 	Flag2          int32
 	Fibnum         int32
 	Cr_flags       uint32
 	Jid            int32
 	Numthreads     int32
 	Tid            int32
 	Pri            Priority
 	Rusage         Rusage
 	Rusage_ch      Rusage
 	Pcb            int64 /* pcb */
 	Kstack         int64
 	Udata          int64
 	Tdaddr         int64 /* thread */
 	Pd             int64 /* pwddesc, not accurate */
 	Spareptrs      [5]int64
 	Sparelongs     [12]int64
 	Sflag          int64
 	Tdflags        int64
 }
 type Priority struct {
 	Class  uint8
 	Level  uint8
 	Native uint8
 	User   uint8
 }
--- a/component/memory/memory_linux.go
+++ b/component/memory/memory_linux.go
@@ -0,0 +1,37 @@
 package memory
 import (
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 )
 var pageSize = uint64(os.Getpagesize())
 func GetMemoryInfo(pid int32) (*MemoryInfoStat, error) {
 	proc := os.Getenv("HOST_PROC")
 	if proc == "" {
 		proc = "/proc"
 	}
 	memPath := filepath.Join(proc, strconv.Itoa(int(pid)), "statm")
 	contents, err := os.ReadFile(memPath)
 	if err != nil {
 		return nil, err
 	}
 	fields := strings.Split(string(contents), " ")
 	vms, err := strconv.ParseUint(fields[0], 10, 64)
 	if err != nil {
 		return nil, err
 	}
 	rss, err := strconv.ParseUint(fields[1], 10, 64)
 	if err != nil {
 		return nil, err
 	}
 	memInfo := &MemoryInfoStat{
 		RSS: rss * pageSize,
 		VMS: vms * pageSize,
 	}
 	return memInfo, nil
 }
--- a/component/memory/memory_openbsd.go
+++ b/component/memory/memory_openbsd.go
@@ -0,0 +1,95 @@
 package memory
 import (
 	"bytes"
 	"encoding/binary"
 	"errors"
 	"unsafe"
 	"golang.org/x/sys/unix"
 )
 const (
 	CTLKern     = 1
 	KernProc    = 14
 	KernProcPID = 1
 )
 func callKernProcSyscall(op int32, arg int32) ([]byte, uint64, error) {
 	mib := []int32{CTLKern, KernProc, op, arg, sizeOfKinfoProc, 0}
 	mibptr := unsafe.Pointer(&mib[0])
 	miblen := uint64(len(mib))
 	length := uint64(0)
 	_, _, err := unix.Syscall6(
 		unix.SYS___SYSCTL,
 		uintptr(mibptr),
 		uintptr(miblen),
 		0,
 		uintptr(unsafe.Pointer(&length)),
 		0,
 		0)
 	if err != 0 {
 		return nil, length, err
 	}
 	count := int32(length / uint64(sizeOfKinfoProc))
 	mib = []int32{CTLKern, KernProc, op, arg, sizeOfKinfoProc, count}
 	mibptr = unsafe.Pointer(&mib[0])
 	miblen = uint64(len(mib))
 	// get proc info itself
 	buf := make([]byte, length)
 	_, _, err = unix.Syscall6(
 		unix.SYS___SYSCTL,
 		uintptr(mibptr),
 		uintptr(miblen),
 		uintptr(unsafe.Pointer(&buf[0])),
 		uintptr(unsafe.Pointer(&length)),
 		0,
 		0)
 	if err != 0 {
 		return buf, length, err
 	}
 	return buf, length, nil
 }
 func parseKinfoProc(buf []byte) (KinfoProc, error) {
 	var k KinfoProc
 	br := bytes.NewReader(buf)
 	err := binary.Read(br, binary.LittleEndian, &k)
 	return k, err
 }
 func getKProc(pid int32) (*KinfoProc, error) {
 	buf, length, err := callKernProcSyscall(KernProcPID, pid)
 	if err != nil {
 		return nil, err
 	}
 	if length != sizeOfKinfoProc {
 		return nil, errors.New("unexpected size of KinfoProc")
 	}
 	k, err := parseKinfoProc(buf)
 	if err != nil {
 		return nil, err
 	}
 	return &k, nil
 }
 func GetMemoryInfo(pid int32) (*MemoryInfoStat, error) {
 	k, err := getKProc(pid)
 	if err != nil {
 		return nil, err
 	}
 	uvmexp, err := unix.SysctlUvmexp("vm.uvmexp")
 	if err != nil {
 		return nil, err
 	}
 	pageSize := uint64(uvmexp.Pagesize)
 	return &MemoryInfoStat{
 		RSS: uint64(k.Vm_rssize) * pageSize,
 		VMS: uint64(k.Vm_tsize) + uint64(k.Vm_dsize) +
 			uint64(k.Vm_ssize),
 	}, nil
 }
--- a/component/memory/memory_openbsd_386.go
+++ b/component/memory/memory_openbsd_386.go
@@ -0,0 +1,99 @@
 package memory
 const sizeOfKinfoProc = 0x264
 type KinfoProc struct {
 	Forw         uint64
 	Back         uint64
 	Paddr        uint64
 	Addr         uint64
 	Fd           uint64
 	Stats        uint64
 	Limit        uint64
 	Vmspace      uint64
 	Sigacts      uint64
 	Sess         uint64
 	Tsess        uint64
 	Ru           uint64
 	Eflag        int32
 	Exitsig      int32
 	Flag         int32
 	Pid          int32
 	Ppid         int32
 	Sid          int32
 	X_pgid       int32
 	Tpgid        int32
 	Uid          uint32
 	Ruid         uint32
 	Gid          uint32
 	Rgid         uint32
 	Groups       [16]uint32
 	Ngroups      int16
 	Jobc         int16
 	Tdev         uint32
 	Estcpu       uint32
 	Rtime_sec    uint32
 	Rtime_usec   uint32
 	Cpticks      int32
 	Pctcpu       uint32
 	Swtime       uint32
 	Slptime      uint32
 	Schedflags   int32
 	Uticks       uint64
 	Sticks       uint64
 	Iticks       uint64
 	Tracep       uint64
 	Traceflag    int32
 	Holdcnt      int32
 	Siglist      int32
 	Sigmask      uint32
 	Sigignore    uint32
 	Sigcatch     uint32
 	Stat         int8
 	Priority     uint8
 	Usrpri       uint8
 	Nice         uint8
 	Xstat        uint16
 	Acflag       uint16
 	Comm         [24]int8
 	Wmesg        [8]int8
 	Wchan        uint64
 	Login        [32]int8
 	Vm_rssize    int32
 	Vm_tsize     int32
 	Vm_dsize     int32
 	Vm_ssize     int32
 	Uvalid       int64
 	Ustart_sec   uint64
 	Ustart_usec  uint32
 	Uutime_sec   uint32
 	Uutime_usec  uint32
 	Ustime_sec   uint32
 	Ustime_usec  uint32
 	Uru_maxrss   uint64
 	Uru_ixrss    uint64
 	Uru_idrss    uint64
 	Uru_isrss    uint64
 	Uru_minflt   uint64
 	Uru_majflt   uint64
 	Uru_nswap    uint64
 	Uru_inblock  uint64
 	Uru_oublock  uint64
 	Uru_msgsnd   uint64
 	Uru_msgrcv   uint64
 	Uru_nsignals uint64
 	Uru_nvcsw    uint64
 	Uru_nivcsw   uint64
 	Uctime_sec   uint32
 	Uctime_usec  uint32
 	Psflags      int32
 	Spare        int32
 	Svuid        uint32
 	Svgid        uint32
 	Emul         [8]int8
 	Rlim_rss_cur uint64
 	Cpuid        uint64
 	Vm_map_size  uint64
 	Tid          int32
 	Rtableid     uint32
 }
--- a/component/memory/memory_openbsd_amd64.go
+++ b/component/memory/memory_openbsd_amd64.go
@@ -0,0 +1,100 @@
 package memory
 const sizeOfKinfoProc = 0x268
 type KinfoProc struct {
 	Forw         uint64
 	Back         uint64
 	Paddr        uint64
 	Addr         uint64
 	Fd           uint64
 	Stats        uint64
 	Limit        uint64
 	Vmspace      uint64
 	Sigacts      uint64
 	Sess         uint64
 	Tsess        uint64
 	Ru           uint64
 	Eflag        int32
 	Exitsig      int32
 	Flag         int32
 	Pid          int32
 	Ppid         int32
 	Sid          int32
 	X_pgid       int32
 	Tpgid        int32
 	Uid          uint32
 	Ruid         uint32
 	Gid          uint32
 	Rgid         uint32
 	Groups       [16]uint32
 	Ngroups      int16
 	Jobc         int16
 	Tdev         uint32
 	Estcpu       uint32
 	Rtime_sec    uint32
 	Rtime_usec   uint32
 	Cpticks      int32
 	Pctcpu       uint32
 	Swtime       uint32
 	Slptime      uint32
 	Schedflags   int32
 	Uticks       uint64
 	Sticks       uint64
 	Iticks       uint64
 	Tracep       uint64
 	Traceflag    int32
 	Holdcnt      int32
 	Siglist      int32
 	Sigmask      uint32
 	Sigignore    uint32
 	Sigcatch     uint32
 	Stat         int8
 	Priority     uint8
 	Usrpri       uint8
 	Nice         uint8
 	Xstat        uint16
 	Acflag       uint16
 	Comm         [24]int8
 	Wmesg        [8]int8
 	Wchan        uint64
 	Login        [32]int8
 	Vm_rssize    int32
 	Vm_tsize     int32
 	Vm_dsize     int32
 	Vm_ssize     int32
 	Uvalid       int64
 	Ustart_sec   uint64
 	Ustart_usec  uint32
 	Uutime_sec   uint32
 	Uutime_usec  uint32
 	Ustime_sec   uint32
 	Ustime_usec  uint32
 	Pad_cgo_0    [4]byte
 	Uru_maxrss   uint64
 	Uru_ixrss    uint64
 	Uru_idrss    uint64
 	Uru_isrss    uint64
 	Uru_minflt   uint64
 	Uru_majflt   uint64
 	Uru_nswap    uint64
 	Uru_inblock  uint64
 	Uru_oublock  uint64
 	Uru_msgsnd   uint64
 	Uru_msgrcv   uint64
 	Uru_nsignals uint64
 	Uru_nvcsw    uint64
 	Uru_nivcsw   uint64
 	Uctime_sec   uint32
 	Uctime_usec  uint32
 	Psflags      int32
 	Spare        int32
 	Svuid        uint32
 	Svgid        uint32
 	Emul         [8]int8
 	Rlim_rss_cur uint64
 	Cpuid        uint64
 	Vm_map_size  uint64
 	Tid          int32
 	Rtableid     uint32
 }
--- a/component/memory/memory_openbsd_arm.go
+++ b/component/memory/memory_openbsd_arm.go
@@ -0,0 +1,99 @@
 package memory
 const sizeOfKinfoProc = 0x264
 type KinfoProc struct {
 	Forw         uint64
 	Back         uint64
 	Paddr        uint64
 	Addr         uint64
 	Fd           uint64
 	Stats        uint64
 	Limit        uint64
 	Vmspace      uint64
 	Sigacts      uint64
 	Sess         uint64
 	Tsess        uint64
 	Ru           uint64
 	Eflag        int32
 	Exitsig      int32
 	Flag         int32
 	Pid          int32
 	Ppid         int32
 	Sid          int32
 	X_pgid       int32
 	Tpgid        int32
 	Uid          uint32
 	Ruid         uint32
 	Gid          uint32
 	Rgid         uint32
 	Groups       [16]uint32
 	Ngroups      int16
 	Jobc         int16
 	Tdev         uint32
 	Estcpu       uint32
 	Rtime_sec    uint32
 	Rtime_usec   uint32
 	Cpticks      int32
 	Pctcpu       uint32
 	Swtime       uint32
 	Slptime      uint32
 	Schedflags   int32
 	Uticks       uint64
 	Sticks       uint64
 	Iticks       uint64
 	Tracep       uint64
 	Traceflag    int32
 	Holdcnt      int32
 	Siglist      int32
 	Sigmask      uint32
 	Sigignore    uint32
 	Sigcatch     uint32
 	Stat         int8
 	Priority     uint8
 	Usrpri       uint8
 	Nice         uint8
 	Xstat        uint16
 	Acflag       uint16
 	Comm         [24]int8
 	Wmesg        [8]int8
 	Wchan        uint64
 	Login        [32]int8
 	Vm_rssize    int32
 	Vm_tsize     int32
 	Vm_dsize     int32
 	Vm_ssize     int32
 	Uvalid       int64
 	Ustart_sec   uint64
 	Ustart_usec  uint32
 	Uutime_sec   uint32
 	Uutime_usec  uint32
 	Ustime_sec   uint32
 	Ustime_usec  uint32
 	Uru_maxrss   uint64
 	Uru_ixrss    uint64
 	Uru_idrss    uint64
 	Uru_isrss    uint64
 	Uru_minflt   uint64
 	Uru_majflt   uint64
 	Uru_nswap    uint64
 	Uru_inblock  uint64
 	Uru_oublock  uint64
 	Uru_msgsnd   uint64
 	Uru_msgrcv   uint64
 	Uru_nsignals uint64
 	Uru_nvcsw    uint64
 	Uru_nivcsw   uint64
 	Uctime_sec   uint32
 	Uctime_usec  uint32
 	Psflags      int32
 	Spare        int32
 	Svuid        uint32
 	Svgid        uint32
 	Emul         [8]int8
 	Rlim_rss_cur uint64
 	Cpuid        uint64
 	Vm_map_size  uint64
 	Tid          int32
 	Rtableid     uint32
 }
--- a/component/memory/memory_openbsd_arm64.go
+++ b/component/memory/memory_openbsd_arm64.go
@@ -0,0 +1,100 @@
 package memory
 const sizeOfKinfoProc = 0x270
 type KinfoProc struct {
 	Forw         uint64
 	Back         uint64
 	Paddr        uint64
 	Addr         uint64
 	Fd           uint64
 	Stats        uint64
 	Limit        uint64
 	Vmspace      uint64
 	Sigacts      uint64
 	Sess         uint64
 	Tsess        uint64
 	Ru           uint64
 	Eflag        int32
 	Exitsig      int32
 	Flag         int32
 	Pid          int32
 	Ppid         int32
 	Sid          int32
 	X_pgid       int32
 	Tpgid        int32
 	Uid          uint32
 	Ruid         uint32
 	Gid          uint32
 	Rgid         uint32
 	Groups       [16]uint32
 	Ngroups      int16
 	Jobc         int16
 	Tdev         uint32
 	Estcpu       uint32
 	Rtime_sec    uint32
 	Rtime_usec   uint32
 	Cpticks      int32
 	Pctcpu       uint32
 	Swtime       uint32
 	Slptime      uint32
 	Schedflags   int32
 	Uticks       uint64
 	Sticks       uint64
 	Iticks       uint64
 	Tracep       uint64
 	Traceflag    int32
 	Holdcnt      int32
 	Siglist      int32
 	Sigmask      uint32
 	Sigignore    uint32
 	Sigcatch     uint32
 	Stat         int8
 	Priority     uint8
 	Usrpri       uint8
 	Nice         uint8
 	Xstat        uint16
 	Acflag       uint16
 	Comm         [24]int8
 	Wmesg        [8]uint8
 	Wchan        uint64
 	Login        [32]uint8
 	Vm_rssize    int32
 	Vm_tsize     int32
 	Vm_dsize     int32
 	Vm_ssize     int32
 	Uvalid       int64
 	Ustart_sec   uint64
 	Ustart_usec  uint32
 	Uutime_sec   uint32
 	Uutime_usec  uint32
 	Ustime_sec   uint32
 	Ustime_usec  uint32
 	Uru_maxrss   uint64
 	Uru_ixrss    uint64
 	Uru_idrss    uint64
 	Uru_isrss    uint64
 	Uru_minflt   uint64
 	Uru_majflt   uint64
 	Uru_nswap    uint64
 	Uru_inblock  uint64
 	Uru_oublock  uint64
 	Uru_msgsnd   uint64
 	Uru_msgrcv   uint64
 	Uru_nsignals uint64
 	Uru_nvcsw    uint64
 	Uru_nivcsw   uint64
 	Uctime_sec   uint32
 	Uctime_usec  uint32
 	Psflags      uint32
 	Spare        int32
 	Svuid        uint32
 	Svgid        uint32
 	Emul         [8]uint8
 	Rlim_rss_cur uint64
 	Cpuid        uint64
 	Vm_map_size  uint64
 	Tid          int32
 	Rtableid     uint32
 	Pledge       uint64
 }
--- a/component/memory/memory_openbsd_riscv64.go
+++ b/component/memory/memory_openbsd_riscv64.go
@@ -0,0 +1,101 @@
 package memory
 const sizeOfKinfoProc = 0x288
 type KinfoProc struct {
 	Forw         uint64
 	Back         uint64
 	Paddr        uint64
 	Addr         uint64
 	Fd           uint64
 	Stats        uint64
 	Limit        uint64
 	Vmspace      uint64
 	Sigacts      uint64
 	Sess         uint64
 	Tsess        uint64
 	Ru           uint64
 	Eflag        int32
 	Exitsig      int32
 	Flag         int32
 	Pid          int32
 	Ppid         int32
 	Sid          int32
 	X_pgid       int32
 	Tpgid        int32
 	Uid          uint32
 	Ruid         uint32
 	Gid          uint32
 	Rgid         uint32
 	Groups       [16]uint32
 	Ngroups      int16
 	Jobc         int16
 	Tdev         uint32
 	Estcpu       uint32
 	Rtime_sec    uint32
 	Rtime_usec   uint32
 	Cpticks      int32
 	Pctcpu       uint32
 	Swtime       uint32
 	Slptime      uint32
 	Schedflags   int32
 	Uticks       uint64
 	Sticks       uint64
 	Iticks       uint64
 	Tracep       uint64
 	Traceflag    int32
 	Holdcnt      int32
 	Siglist      int32
 	Sigmask      uint32
 	Sigignore    uint32
 	Sigcatch     uint32
 	Stat         int8
 	Priority     uint8
 	Usrpri       uint8
 	Nice         uint8
 	Xstat        uint16
 	Spare        uint16
 	Comm         [24]int8
 	Wmesg        [8]uint8
 	Wchan        uint64
 	Login        [32]uint8
 	Vm_rssize    int32
 	Vm_tsize     int32
 	Vm_dsize     int32
 	Vm_ssize     int32
 	Uvalid       int64
 	Ustart_sec   uint64
 	Ustart_usec  uint32
 	Uutime_sec   uint32
 	Uutime_usec  uint32
 	Ustime_sec   uint32
 	Ustime_usec  uint32
 	Uru_maxrss   uint64
 	Uru_ixrss    uint64
 	Uru_idrss    uint64
 	Uru_isrss    uint64
 	Uru_minflt   uint64
 	Uru_majflt   uint64
 	Uru_nswap    uint64
 	Uru_inblock  uint64
 	Uru_oublock  uint64
 	Uru_msgsnd   uint64
 	Uru_msgrcv   uint64
 	Uru_nsignals uint64
 	Uru_nvcsw    uint64
 	Uru_nivcsw   uint64
 	Uctime_sec   uint32
 	Uctime_usec  uint32
 	Psflags      uint32
 	Acflag       uint32
 	Svuid        uint32
 	Svgid        uint32
 	Emul         [8]uint8
 	Rlim_rss_cur uint64
 	Cpuid        uint64
 	Vm_map_size  uint64
 	Tid          int32
 	Rtableid     uint32
 	Pledge       uint64
 	Name         [24]uint8
 }
--- a/component/memory/memory_test.go
+++ b/component/memory/memory_test.go
@@ -0,0 +1,23 @@
 package memory
 import (
 	"errors"
 	"os"
 	"testing"
 	"github.com/stretchr/testify/require"
 )
 func TestMemoryInfo(t *testing.T) {
 	v, err := GetMemoryInfo(int32(os.Getpid()))
 	if errors.Is(err, ErrNotImplementedError) {
 		t.Skip("not implemented")
 	}
 	require.NoErrorf(t, err, "getting memory info error %v", err)
 	empty := MemoryInfoStat{}
 	if v == nil || *v == empty {
 		t.Errorf("could not get memory info %v", v)
 	} else {
 		t.Logf("memory info {RSS:%s, VMS:%s}", PrettyByteSize(v.RSS), PrettyByteSize(v.VMS))
 	}
 }
--- a/component/memory/memory_windows.go
+++ b/component/memory/memory_windows.go
@@ -0,0 +1,66 @@
 package memory
 import (
 	"syscall"
 	"unsafe"
 	"golang.org/x/sys/windows"
 )
 var (
 	modpsapi                 = windows.NewLazySystemDLL("psapi.dll")
 	procGetProcessMemoryInfo = modpsapi.NewProc("GetProcessMemoryInfo")
 )
 const processQueryInformation = windows.PROCESS_QUERY_LIMITED_INFORMATION
 type PROCESS_MEMORY_COUNTERS struct {
 	CB                         uint32
 	PageFaultCount             uint32
 	PeakWorkingSetSize         uint64
 	WorkingSetSize             uint64
 	QuotaPeakPagedPoolUsage    uint64
 	QuotaPagedPoolUsage        uint64
 	QuotaPeakNonPagedPoolUsage uint64
 	QuotaNonPagedPoolUsage     uint64
 	PagefileUsage              uint64
 	PeakPagefileUsage          uint64
 }
 func getProcessMemoryInfo(h windows.Handle, mem *PROCESS_MEMORY_COUNTERS) (err error) {
 	r1, _, e1 := syscall.Syscall(procGetProcessMemoryInfo.Addr(), 3, uintptr(h), uintptr(unsafe.Pointer(mem)), uintptr(unsafe.Sizeof(*mem)))
 	if r1 == 0 {
 		if e1 != 0 {
 			err = error(e1)
 		} else {
 			err = syscall.EINVAL
 		}
 	}
 	return
 }
 func getMemoryInfo(pid int32) (PROCESS_MEMORY_COUNTERS, error) {
 	var mem PROCESS_MEMORY_COUNTERS
 	c, err := windows.OpenProcess(processQueryInformation, false, uint32(pid))
 	if err != nil {
 		return mem, err
 	}
 	defer windows.CloseHandle(c)
 	if err := getProcessMemoryInfo(c, &mem); err != nil {
 		return mem, err
 	}
 	return mem, err
 }
 func GetMemoryInfo(pid int32) (*MemoryInfoStat, error) {
 	mem, err := getMemoryInfo(pid)
 	if err != nil {
 		return nil, err
 	}
 	ret := &MemoryInfoStat{
 		RSS: uint64(mem.WorkingSetSize),
 		VMS: uint64(mem.PagefileUsage),
 	}
 	return ret, nil
 }
--- a/component/nat/table.go
+++ b/component/nat/table.go
@@ -4,27 +4,24 @@ import (
 	"net"
 	"sync"
 	"github.com/metacubex/mihomo/common/xsync"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/puzpuzpuz/xsync/v3"
 )
 type Table struct {
-	mapping *xsync.MapOf[string, *entry]
+	mapping xsync.Map[string, *entry]
 }
 type entry struct {
 	PacketSender    C.PacketSender
-	LocalUDPConnMap *xsync.MapOf[string, *net.UDPConn]
+	LocalUDPConnMap xsync.Map[string, *net.UDPConn]
-	LocalLockMap    *xsync.MapOf[string, *sync.Cond]
+	LocalLockMap    xsync.Map[string, *sync.Cond]
 }
 func (t *Table) GetOrCreate(key string, maker func() C.PacketSender) (C.PacketSender, bool) {
-	item, loaded := t.mapping.LoadOrCompute(key, func() *entry {
+	item, loaded := t.mapping.LoadOrStoreFn(key, func() *entry {
 		return &entry{
-			PacketSender:    maker(),
+			PacketSender: maker(),
 			LocalUDPConnMap: xsync.NewMapOf[string, *net.UDPConn](),
 			LocalLockMap:    xsync.NewMapOf[string, *sync.Cond](),
 		}
 	})
 	return item.PacketSender, loaded
@@ -68,7 +65,7 @@ func (t *Table) GetOrCreateLockForLocalConn(lAddr, key string) (*sync.Cond, bool
 	if !loaded {
 		return nil, false
 	}
-	item, loaded := entry.LocalLockMap.LoadOrCompute(key, makeLock)
+	item, loaded := entry.LocalLockMap.LoadOrStoreFn(key, makeLock)
 	return item, loaded
 }
@@ -98,7 +95,5 @@ func makeLock() *sync.Cond {
 // New return *Cache
 func New() *Table {
-	return &Table{
+	return &Table{}
 		mapping: xsync.NewMapOf[string, *entry](),
 	}
 }
--- a/component/resolver/host.go
+++ b/component/resolver/host.go
@@ -113,7 +113,7 @@ func NewHostValueByDomain(domain string) (HostValue, error) {
 	domain = strings.Trim(domain, ".")
 	item := strings.Split(domain, ".")
 	if len(item) < 2 {
-		return HostValue{}, errors.New("invaild domain")
+		return HostValue{}, errors.New("invalid domain")
 	}
 	return HostValue{
 		IsDomain: true,
--- a/component/resolver/resolver.go
+++ b/component/resolver/resolver.go
@@ -230,10 +230,18 @@ func ResolveECH(ctx context.Context, host string) ([]byte, error) {
 	return ResolveECHWithResolver(ctx, host, DefaultResolver)
 }
 func ClearCache() {
 	if DefaultResolver != nil {
 		go DefaultResolver.ClearCache()
 	}
 	go SystemResolver.ClearCache() // SystemResolver unneeded check nil
 }
 func ResetConnection() {
 	if DefaultResolver != nil {
 		go DefaultResolver.ResetConnection()
 	}
 	go SystemResolver.ResetConnection() // SystemResolver unneeded check nil
 }
 func SortationAddr(ips []netip.Addr) (ipv4s, ipv6s []netip.Addr) {
--- a/component/resource/fetcher.go
+++ b/component/resource/fetcher.go
@@ -183,7 +183,6 @@ func (f *Fetcher[V]) startPullLoop(forceUpdate bool) (err error) {
 	if f.vehicle.Type() == types.File {
 		f.watcher, err = fswatch.NewWatcher(fswatch.Options{
 			Path:     []string{f.vehicle.Path()},
 			Direct:   true,
 			Callback: f.updateCallback,
 		})
 		if err != nil {
--- a/component/resource/vehicle.go
+++ b/component/resource/vehicle.go
@@ -135,7 +135,7 @@ func (h *HTTPVehicle) Read(ctx context.Context, oldHash utils.HashType) (buf []b
 			setIfNoneMatch = true
 		}
 	}
-	resp, err := mihomoHttp.HttpRequestWithProxy(ctx, h.url, http.MethodGet, header, nil, h.proxy)
+	resp, err := mihomoHttp.HttpRequest(ctx, h.url, http.MethodGet, header, nil, mihomoHttp.WithSpecialProxy(h.proxy))
 	if err != nil {
 		return
 	}
--- a/component/tls/auth.go
+++ b/component/tls/auth.go
@@ -0,0 +1,45 @@
 package tls
 import (
 	utls "github.com/metacubex/utls"
 )
 type ClientAuthType = utls.ClientAuthType
 const (
 	NoClientCert               = utls.NoClientCert
 	RequestClientCert          = utls.RequestClientCert
 	RequireAnyClientCert       = utls.RequireAnyClientCert
 	VerifyClientCertIfGiven    = utls.VerifyClientCertIfGiven
 	RequireAndVerifyClientCert = utls.RequireAndVerifyClientCert
 )
 func ClientAuthTypeFromString(s string) ClientAuthType {
 	switch s {
 	case "request":
 		return RequestClientCert
 	case "require-any":
 		return RequireAnyClientCert
 	case "verify-if-given":
 		return VerifyClientCertIfGiven
 	case "require-and-verify":
 		return RequireAndVerifyClientCert
 	default:
 		return NoClientCert
 	}
 }
 func ClientAuthTypeToString(t ClientAuthType) string {
 	switch t {
 	case RequestClientCert:
 		return "request"
 	case RequireAnyClientCert:
 		return "require-any"
 	case VerifyClientCertIfGiven:
 		return "verify-if-given"
 	case RequireAndVerifyClientCert:
 		return "require-and-verify"
 	default:
 		return ""
 	}
 }
--- a/component/tls/reality.go
+++ b/component/tls/reality.go
@@ -24,7 +24,6 @@ import (
 	"github.com/metacubex/randv2"
 	utls "github.com/metacubex/utls"
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/hkdf"
 	"golang.org/x/net/http2"
 )
@@ -85,6 +84,9 @@ func GetRealityConn(ctx context.Context, conn net.Conn, fingerprint UClientHello
 			continue // retry
 		}
 		ecdheKey := keyShareKeys.Ecdhe
 		if ecdheKey == nil {
 			ecdheKey = keyShareKeys.MlkemEcdhe
 		}
 		if ecdheKey == nil {
 			// WTF???
 			if retry > 2 {
@@ -104,13 +106,8 @@ func GetRealityConn(ctx context.Context, conn net.Conn, fingerprint UClientHello
 		if err != nil {
 			return nil, err
 		}
-		var aeadCipher cipher.AEAD
+		aesBlock, _ := aes.NewCipher(authKey)
-		if utls.AesgcmPreferred(hello.CipherSuites) {
+		aeadCipher, _ := cipher.NewGCM(aesBlock)
 			aesBlock, _ := aes.NewCipher(authKey)
 			aeadCipher, _ = cipher.NewGCM(aesBlock)
 		} else {
 			aeadCipher, _ = chacha20poly1305.New(authKey)
 		}
 		aeadCipher.Seal(hello.SessionId[:0], hello.Random[20:], hello.SessionId[:16], hello.Raw)
 		copy(hello.Raw[39:], hello.SessionId)
 		//log.Debugln("REALITY hello.sessionId: %v", hello.SessionId)
@@ -167,6 +164,7 @@ type realityVerifier struct {
 //var pOffset = utils.MustOK(reflect.TypeOf((*utls.Conn)(nil)).Elem().FieldByName("peerCertificates")).Offset
 func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 	log.Debugln("REALITY localAddr: %v is using X25519MLKEM768 for TLS' communication: %v", c.RemoteAddr(), c.HandshakeState.ServerHello.ServerShare.Group == utls.X25519MLKEM768)
 	//p, _ := reflect.TypeOf(c.Conn).Elem().FieldByName("peerCertificates")
 	//certs := *(*[]*x509.Certificate)(unsafe.Add(unsafe.Pointer(c.Conn), pOffset))
 	certs := c.Conn.PeerCertificates()
@@ -181,6 +179,7 @@ func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChain
 	opts := x509.VerifyOptions{
 		DNSName:       c.serverName,
 		Intermediates: x509.NewCertPool(),
 		CurrentTime:   ntp.Now(),
 	}
 	for _, cert := range certs[1:] {
 		opts.Intermediates.AddCert(cert)
--- a/component/tls/utls.go
+++ b/component/tls/utls.go
@@ -135,6 +135,8 @@ func UConfig(config *tls.Config) *utls.Config {
 		RootCAs:               config.RootCAs,
 		NextProtos:            config.NextProtos,
 		ServerName:            config.ServerName,
 		ClientAuth:            utls.ClientAuthType(config.ClientAuth),
 		ClientCAs:             config.ClientCAs,
 		InsecureSkipVerify:    config.InsecureSkipVerify,
 		CipherSuites:          config.CipherSuites,
 		MinVersion:            config.MinVersion,
--- a/component/updater/update_core.go
+++ b/component/updater/update_core.go
@@ -15,76 +15,102 @@ import (
 	"sync"
 	"time"
 	"github.com/metacubex/mihomo/component/ca"
 	mihomoHttp "github.com/metacubex/mihomo/component/http"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/features"
 	"github.com/metacubex/mihomo/log"
 	"github.com/klauspost/cpuid/v2"
 )
 const (
 	baseReleaseURL    = "https://github.com/MetaCubeX/mihomo/releases/latest/download/"
 	versionReleaseURL = "https://github.com/MetaCubeX/mihomo/releases/latest/download/version.txt"
 	baseAlphaURL    = "https://github.com/MetaCubeX/mihomo/releases/download/Prerelease-Alpha/"
 	versionAlphaURL = "https://github.com/MetaCubeX/mihomo/releases/download/Prerelease-Alpha/version.txt"
 	// MaxPackageFileSize is a maximum package file length in bytes. The largest
 	// package whose size is limited by this constant currently has the size of
 	// approximately 32 MiB.
 	MaxPackageFileSize = 32 * 1024 * 1024
 )
 const (
 	ReleaseChannel = "release"
 	AlphaChannel   = "alpha"
 )
 // CoreUpdater is the mihomo updater.
 // modify from https://github.com/AdguardTeam/AdGuardHome/blob/595484e0b3fb4c457f9bb727a6b94faa78a66c5f/internal/updater/updater.go
-// Updater is the mihomo updater.
+type CoreUpdater struct {
 var (
 	goarm           string
 	gomips          string
 	amd64Compatible string
 	workDir string
 	// mu protects all fields below.
 	mu sync.Mutex
 }
-	currentExeName string // 当前可执行文件
+var DefaultCoreUpdater = CoreUpdater{}
 	updateDir      string // 更新目录
 	packageName    string // 更新压缩文件
 	backupDir      string // 备份目录
 	backupExeName  string // 备份文件名
 	updateExeName  string // 更新后的可执行文件
-	baseURL       string = "https://github.com/MetaCubeX/mihomo/releases/download/Prerelease-Alpha/mihomo"
+func (u *CoreUpdater) CoreBaseName() string {
-	versionURL    string = "https://github.com/MetaCubeX/mihomo/releases/download/Prerelease-Alpha/version.txt"
+	switch runtime.GOARCH {
-	packageURL    string
+	case "arm":
-	latestVersion string
+		// mihomo-linux-armv5
-)
+		return fmt.Sprintf("mihomo-%s-%sv%s", runtime.GOOS, runtime.GOARCH, features.GOARM)
-
+	case "arm64":
-func init() {
+		if runtime.GOOS == "android" {
-	if runtime.GOARCH == "amd64" && cpuid.CPU.X64Level() < 3 {
+			// mihomo-android-arm64-v8
-		amd64Compatible = "-compatible"
+			return fmt.Sprintf("mihomo-%s-%s-v8", runtime.GOOS, runtime.GOARCH)
-	}
+		} else {
-	if !strings.HasPrefix(C.Version, "alpha") {
+			// mihomo-linux-arm64
-		baseURL = "https://github.com/MetaCubeX/mihomo/releases/latest/download/mihomo"
+			return fmt.Sprintf("mihomo-%s-%s", runtime.GOOS, runtime.GOARCH)
-		versionURL = "https://github.com/MetaCubeX/mihomo/releases/latest/download/version.txt"
+		}
 	case "mips", "mipsle":
 		// mihomo-linux-mips-hardfloat
 		return fmt.Sprintf("mihomo-%s-%s-%s", runtime.GOOS, runtime.GOARCH, features.GOMIPS)
 	case "amd64":
 		// mihomo-linux-amd64-v1
 		return fmt.Sprintf("mihomo-%s-%s-%s", runtime.GOOS, runtime.GOARCH, features.GOAMD64)
 	default:
 		// mihomo-linux-386
 		// mihomo-linux-mips64
 		// mihomo-linux-riscv64
 		// mihomo-linux-s390x
 		return fmt.Sprintf("mihomo-%s-%s", runtime.GOOS, runtime.GOARCH)
 	}
 }
-type updateError struct {
+func (u *CoreUpdater) Update(currentExePath string, channel string, force bool) (err error) {
-	Message string
+	u.mu.Lock()
-}
+	defer u.mu.Unlock()
-func (e *updateError) Error() string {
+	info, err := os.Stat(currentExePath)
 	return fmt.Sprintf("update error: %s", e.Message)
 }
 // Update performs the auto-updater.  It returns an error if the updater failed.
 // If firstRun is true, it assumes the configuration file doesn't exist.
 func UpdateCore(execPath string) (err error) {
 	mu.Lock()
 	defer mu.Unlock()
 	latestVersion, err = getLatestVersion()
 	if err != nil {
-		return err
+		return fmt.Errorf("check currentExePath %q: %w", currentExePath, err)
 	}
 	baseURL := baseAlphaURL
 	versionURL := versionAlphaURL
 	switch strings.ToLower(channel) {
 	case ReleaseChannel:
 		baseURL = baseReleaseURL
 		versionURL = versionReleaseURL
 	case AlphaChannel:
 		break
 	default: // auto
 		if !strings.HasPrefix(C.Version, "alpha") {
 			baseURL = baseReleaseURL
 			versionURL = versionReleaseURL
 		}
 	}
 	latestVersion, err := u.getLatestVersion(versionURL)
 	if err != nil {
 		return fmt.Errorf("get latest version: %w", err)
 	}
 	log.Infoln("current version %s, latest version %s", C.Version, latestVersion)
-	if latestVersion == C.Version {
+	if latestVersion == C.Version && !force {
-		err := &updateError{Message: "already using latest version"}
+		// don't change this output, some downstream dependencies on the upgrader's output fields
-		return err
+		return fmt.Errorf("update error: already using latest version %s", C.Version)
 	}
 	updateDownloadURL()
 	defer func() {
 		if err != nil {
 			log.Errorln("updater: failed: %v", err)
@@ -93,31 +119,49 @@ func UpdateCore(execPath string) (err error) {
 		}
 	}()
-	workDir = filepath.Dir(execPath)
+	// ---- prepare ----
 	mihomoBaseName := u.CoreBaseName()
 	packageName := mihomoBaseName + "-" + latestVersion
 	if runtime.GOOS == "windows" {
 		packageName = packageName + ".zip"
 	} else {
 		packageName = packageName + ".gz"
 	}
 	packageURL := baseURL + packageName
 	log.Infoln("updater: updating using url: %s", packageURL)
-	err = prepare(execPath)
+	workDir := filepath.Dir(currentExePath)
 	backupDir := filepath.Join(workDir, "meta-backup")
 	updateDir := filepath.Join(workDir, "meta-update")
 	packagePath := filepath.Join(updateDir, packageName)
 	//log.Infoln(packagePath)
 	updateExeName := mihomoBaseName
 	if runtime.GOOS == "windows" {
 		updateExeName = updateExeName + ".exe"
 	}
 	log.Infoln("updateExeName: %s", updateExeName)
 	updateExePath := filepath.Join(updateDir, updateExeName)
 	backupExePath := filepath.Join(backupDir, filepath.Base(currentExePath))
 	defer u.clean(updateDir)
 	err = u.download(updateDir, packagePath, packageURL)
 	if err != nil {
-		return fmt.Errorf("preparing: %w", err)
+		return fmt.Errorf("downloading: %w", err)
 	}
-	defer clean()
+	err = u.unpack(updateDir, packagePath, info.Mode())
 	err = downloadPackageFile()
 	if err != nil {
 		return fmt.Errorf("downloading package file: %w", err)
 	}
 	err = unpack()
 	if err != nil {
 		return fmt.Errorf("unpacking: %w", err)
 	}
-	err = backup()
+	err = u.backup(currentExePath, backupExePath, backupDir)
 	if err != nil {
 		return fmt.Errorf("backuping: %w", err)
 	}
-	err = replace()
+	err = u.copyFile(updateExePath, currentExePath)
 	if err != nil {
 		return fmt.Errorf("replacing: %w", err)
 	}
@@ -125,119 +169,33 @@ func UpdateCore(execPath string) (err error) {
 	return nil
 }
-// prepare fills all necessary fields in Updater object.
+func (u *CoreUpdater) getLatestVersion(versionURL string) (version string, err error) {
-func prepare(exePath string) (err error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	updateDir = filepath.Join(workDir, "meta-update")
+	defer cancel()
-	currentExeName = exePath
+	resp, err := mihomoHttp.HttpRequest(ctx, versionURL, http.MethodGet, nil, nil, mihomoHttp.WithCAOption(ca.Option{ZeroTrust: true}))
 	_, pkgNameOnly := filepath.Split(packageURL)
 	if pkgNameOnly == "" {
 		return fmt.Errorf("invalid PackageURL: %q", packageURL)
 	}
 	packageName = filepath.Join(updateDir, pkgNameOnly)
 	//log.Infoln(packageName)
 	backupDir = filepath.Join(workDir, "meta-backup")
 	if runtime.GOOS == "windows" {
 		updateExeName = "mihomo" + "-" + runtime.GOOS + "-" + runtime.GOARCH + amd64Compatible + ".exe"
 	} else if runtime.GOOS == "android" && runtime.GOARCH == "arm64" {
 		updateExeName = "mihomo-android-arm64-v8"
 	} else {
 		updateExeName = "mihomo" + "-" + runtime.GOOS + "-" + runtime.GOARCH + amd64Compatible
 	}
 	log.Infoln("updateExeName: %s ", updateExeName)
 	backupExeName = filepath.Join(backupDir, filepath.Base(exePath))
 	updateExeName = filepath.Join(updateDir, updateExeName)
 	log.Infoln(
 		"updater: updating using url: %s",
 		packageURL,
 	)
 	currentExeName = exePath
 	_, err = os.Stat(currentExeName)
 	if err != nil {
-		return fmt.Errorf("checking %q: %w", currentExeName, err)
+		return "", err
 	}
-
+	defer func() {
-	return nil
+		closeErr := resp.Body.Close()
-}
+		if closeErr != nil && err == nil {
-
+			err = closeErr
 // unpack extracts the files from the downloaded archive.
 func unpack() error {
 	var err error
 	_, pkgNameOnly := filepath.Split(packageURL)
 	log.Infoln("updater: unpacking package")
 	if strings.HasSuffix(pkgNameOnly, ".zip") {
 		_, err = zipFileUnpack(packageName, updateDir)
 		if err != nil {
 			return fmt.Errorf(".zip unpack failed: %w", err)
 		}
 	}()
-	} else if strings.HasSuffix(pkgNameOnly, ".gz") {
+	body, err := io.ReadAll(resp.Body)
 		_, err = gzFileUnpack(packageName, updateDir)
 		if err != nil {
 			return fmt.Errorf(".gz unpack failed: %w", err)
 		}
 	} else {
 		return fmt.Errorf("unknown package extension")
 	}
 	return nil
 }
 // backup makes a backup of the current executable file
 func backup() (err error) {
 	log.Infoln("updater: backing up current ExecFile:%s to %s", currentExeName, backupExeName)
 	_ = os.Mkdir(backupDir, 0o755)
 	err = os.Rename(currentExeName, backupExeName)
 	if err != nil {
-		return err
+		return "", err
 	}
-
+	content := strings.TrimRight(string(body), "\n")
-	return nil
+	return content, nil
 }
-// replace moves the current executable with the updated one
+// download package file and save it to disk
-func replace() error {
+func (u *CoreUpdater) download(updateDir, packagePath, packageURL string) (err error) {
 	var err error
 	log.Infoln("replacing: %s to %s", updateExeName, currentExeName)
 	if runtime.GOOS == "windows" {
 		// rename fails with "File in use" error
 		err = copyFile(updateExeName, currentExeName)
 	} else {
 		err = os.Rename(updateExeName, currentExeName)
 	}
 	if err != nil {
 		return err
 	}
 	log.Infoln("updater: renamed: %s to %s", updateExeName, currentExeName)
 	return nil
 }
 // clean removes the temporary directory itself and all it's contents.
 func clean() {
 	_ = os.RemoveAll(updateDir)
 }
 // MaxPackageFileSize is a maximum package file length in bytes. The largest
 // package whose size is limited by this constant currently has the size of
 // approximately 32 MiB.
 const MaxPackageFileSize = 32 * 1024 * 1024
 // Download package file and save it to disk
 func downloadPackageFile() (err error) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
 	defer cancel()
-	resp, err := mihomoHttp.HttpRequest(ctx, packageURL, http.MethodGet, nil, nil)
+	resp, err := mihomoHttp.HttpRequest(ctx, packageURL, http.MethodGet, nil, nil, mihomoHttp.WithCAOption(ca.Option{ZeroTrust: true}))
 	if err != nil {
 		return fmt.Errorf("http request failed: %w", err)
 	}
@@ -249,38 +207,95 @@ func downloadPackageFile() (err error) {
 		}
 	}()
 	var r io.Reader
 	r, err = LimitReader(resp.Body, MaxPackageFileSize)
 	if err != nil {
 		return fmt.Errorf("http request failed: %w", err)
 	}
 	log.Debugln("updater: reading http body")
 	// This use of ReadAll is now safe, because we limited body's Reader.
 	body, err := io.ReadAll(r)
 	if err != nil {
 		return fmt.Errorf("io.ReadAll() failed: %w", err)
 	}
 	log.Debugln("updateDir %s", updateDir)
 	err = os.Mkdir(updateDir, 0o755)
 	if err != nil {
 		return fmt.Errorf("mkdir error: %w", err)
 	}
-	log.Debugln("updater: saving package to file %s", packageName)
+	log.Debugln("updater: saving package to file %s", packagePath)
-	err = os.WriteFile(packageName, body, 0o644)
+	// Create the output file
 	wc, err := os.OpenFile(packagePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o755)
 	if err != nil {
-		return fmt.Errorf("os.WriteFile() failed: %w", err)
+		return fmt.Errorf("os.OpenFile(%s): %w", packagePath, err)
 	}
 	defer func() {
 		closeErr := wc.Close()
 		if closeErr != nil && err == nil {
 			err = closeErr
 		}
 	}()
 	log.Debugln("updater: reading http body")
 	// This use of io.Copy is now safe, because we limited body's Reader.
 	n, err := io.Copy(wc, io.LimitReader(resp.Body, MaxPackageFileSize))
 	if err != nil {
 		return fmt.Errorf("io.Copy(): %w", err)
 	}
 	if n == MaxPackageFileSize {
 		// Use whether n is equal to MaxPackageFileSize to determine whether the limit has been reached.
 		// It is also possible that the size of the downloaded file is exactly the same as the maximum limit,
 		// but we should not consider this too rare situation.
 		return fmt.Errorf("attempted to read more than %d bytes", MaxPackageFileSize)
 	}
 	log.Debugln("updater: downloaded package to file %s", packagePath)
 	return nil
 }
 // unpack extracts the files from the downloaded archive.
 func (u *CoreUpdater) unpack(updateDir, packagePath string, fileMode os.FileMode) error {
 	log.Infoln("updater: unpacking package")
 	if strings.HasSuffix(packagePath, ".zip") {
 		_, err := u.zipFileUnpack(packagePath, updateDir, fileMode)
 		if err != nil {
 			return fmt.Errorf(".zip unpack failed: %w", err)
 		}
 	} else if strings.HasSuffix(packagePath, ".gz") {
 		_, err := u.gzFileUnpack(packagePath, updateDir, fileMode)
 		if err != nil {
 			return fmt.Errorf(".gz unpack failed: %w", err)
 		}
 	} else {
 		return fmt.Errorf("unknown package extension")
 	}
 	return nil
 }
 // backup creates a backup of the current executable file.
 func (u *CoreUpdater) backup(currentExePath, backupExePath, backupDir string) (err error) {
 	log.Infoln("updater: backing up current ExecFile:%s to %s", currentExePath, backupExePath)
 	_ = os.Mkdir(backupDir, 0o755)
 	// On Windows, since the running executable cannot be overwritten or deleted, it uses os.Rename to move the file to the backup path.
 	// On other platforms, it copies the file to the backup path, preserving the original file and its permissions.
 	// The backup directory is created if it does not exist.
 	if runtime.GOOS == "windows" {
 		err = os.Rename(currentExePath, backupExePath)
 	} else {
 		err = u.copyFile(currentExePath, backupExePath)
 	}
 	if err != nil {
 		return err
 	}
 	return nil
 }
 // clean removes the temporary directory itself and all it's contents.
 func (u *CoreUpdater) clean(updateDir string) {
 	_ = os.RemoveAll(updateDir)
 }
 // Unpack a single .gz file to the specified directory
 // Existing files are overwritten
 // All files are created inside outDir, subdirectories are not created
 // Return the output file name
-func gzFileUnpack(gzfile, outDir string) (string, error) {
+func (u *CoreUpdater) gzFileUnpack(gzfile, outDir string, fileMode os.FileMode) (outputName string, err error) {
 	f, err := os.Open(gzfile)
 	if err != nil {
 		return "", fmt.Errorf("os.Open(): %w", err)
@@ -312,14 +327,10 @@ func gzFileUnpack(gzfile, outDir string) (string, error) {
 		originalName = strings.TrimSuffix(originalName, ".gz")
 	}
-	outputName := filepath.Join(outDir, originalName)
+	outputName = filepath.Join(outDir, originalName)
 	// Create the output file
-	wc, err := os.OpenFile(
+	wc, err := os.OpenFile(outputName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fileMode)
 		outputName,
 		os.O_WRONLY|os.O_CREATE|os.O_TRUNC,
 		0o755,
 	)
 	if err != nil {
 		return "", fmt.Errorf("os.OpenFile(%s): %w", outputName, err)
 	}
@@ -344,7 +355,7 @@ func gzFileUnpack(gzfile, outDir string) (string, error) {
 // Existing files are overwritten
 // All files are created inside 'outDir', subdirectories are not created
 // Return the output file name
-func zipFileUnpack(zipfile, outDir string) (string, error) {
+func (u *CoreUpdater) zipFileUnpack(zipfile, outDir string, fileMode os.FileMode) (outputName string, err error) {
 	zrc, err := zip.OpenReader(zipfile)
 	if err != nil {
 		return "", fmt.Errorf("zip.OpenReader(): %w", err)
@@ -376,14 +387,14 @@ func zipFileUnpack(zipfile, outDir string) (string, error) {
 	}()
 	fi := zf.FileInfo()
 	name := fi.Name()
-	outputName := filepath.Join(outDir, name)
+	outputName = filepath.Join(outDir, name)
 	if fi.IsDir() {
 		return "", fmt.Errorf("the target file is a directory")
 	}
 	var wc io.WriteCloser
-	wc, err = os.OpenFile(outputName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fi.Mode())
+	wc, err = os.OpenFile(outputName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fileMode)
 	if err != nil {
 		return "", fmt.Errorf("os.OpenFile(): %w", err)
 	}
@@ -403,97 +414,60 @@ func zipFileUnpack(zipfile, outDir string) (string, error) {
 }
 // Copy file on disk
-func copyFile(src, dst string) error {
+func (u *CoreUpdater) copyFile(src, dst string) (err error) {
-	d, e := os.ReadFile(src)
+	rc, err := os.Open(src)
 	if e != nil {
 		return e
 	}
 	e = os.WriteFile(dst, d, 0o644)
 	if e != nil {
 		return e
 	}
 	return nil
 }
 func getLatestVersion() (version string, err error) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
 	defer cancel()
 	resp, err := mihomoHttp.HttpRequest(ctx, versionURL, http.MethodGet, nil, nil)
 	if err != nil {
-		return "", fmt.Errorf("get Latest Version fail: %w", err)
+		return fmt.Errorf("os.Open(%s): %w", src, err)
 	}
 	defer func() {
-		closeErr := resp.Body.Close()
+		closeErr := rc.Close()
 		if closeErr != nil && err == nil {
 			err = closeErr
 		}
 	}()
-	body, err := io.ReadAll(resp.Body)
+	info, err := rc.Stat()
 	if err != nil {
-		return "", fmt.Errorf("get Latest Version fail: %w", err)
+		return fmt.Errorf("rc.Stat(): %w", err)
 	}
 	content := strings.TrimRight(string(body), "\n")
 	return content, nil
 }
-func updateDownloadURL() {
+	// Create the output file
-	var middle string
+	// If the file does not exist, creates it with permissions perm (before umask);
-
+	// otherwise truncates it before writing, without changing permissions.
-	if runtime.GOARCH == "arm" && probeGoARM() {
+	wc, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, info.Mode())
-		//-linux-armv7-alpha-e552b54.gz
+	if err != nil {
-		middle = fmt.Sprintf("-%s-%s%s-%s", runtime.GOOS, runtime.GOARCH, goarm, latestVersion)
+		// On some file system (such as Android's /data) maybe return error: "text file busy"
-	} else if runtime.GOARCH == "arm64" {
+		// Let's delete the target file and recreate it
-		//-linux-arm64-alpha-e552b54.gz
+		err = os.Remove(dst)
-		if runtime.GOOS == "android" {
+		if err != nil {
-			middle = fmt.Sprintf("-%s-%s-v8-%s", runtime.GOOS, runtime.GOARCH, latestVersion)
+			return fmt.Errorf("os.Remove(%s): %w", dst, err)
-		} else {
+		}
-			middle = fmt.Sprintf("-%s-%s-%s", runtime.GOOS, runtime.GOARCH, latestVersion)
+		wc, err = os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, info.Mode())
 		if err != nil {
 			return fmt.Errorf("os.OpenFile(%s): %w", dst, err)
 		}
 	} else if isMIPS(runtime.GOARCH) && gomips != "" {
 		middle = fmt.Sprintf("-%s-%s-%s-%s", runtime.GOOS, runtime.GOARCH, gomips, latestVersion)
 	} else {
 		middle = fmt.Sprintf("-%s-%s%s-%s", runtime.GOOS, runtime.GOARCH, amd64Compatible, latestVersion)
 	}
-	if runtime.GOOS == "windows" {
+	defer func() {
-		middle += ".zip"
+		closeErr := wc.Close()
-	} else {
+		if closeErr != nil && err == nil {
-		middle += ".gz"
+			err = closeErr
-	}
+		}
-	packageURL = baseURL + middle
+	}()
 	//log.Infoln(packageURL)
 }
-// isMIPS returns true if arch is any MIPS architecture.
+	_, err = io.Copy(wc, rc)
 func isMIPS(arch string) (ok bool) {
 	switch arch {
 	case
 		"mips",
 		"mips64",
 		"mips64le",
 		"mipsle":
 		return true
 	default:
 		return false
 	}
 }
 // linux only
 func probeGoARM() (ok bool) {
 	cmd := exec.Command("cat", "/proc/cpuinfo")
 	output, err := cmd.Output()
 	if err != nil {
-		log.Errorln("probe goarm error:%s", err)
+		return fmt.Errorf("io.Copy(): %w", err)
 		return false
 	}
-	cpuInfo := string(output)
+
-	if strings.Contains(cpuInfo, "vfpv3") || strings.Contains(cpuInfo, "vfpv4") {
+	if runtime.GOOS == "darwin" {
-		goarm = "v7"
+		err = exec.Command("/usr/bin/codesign", "--sign", "-", dst).Run()
-	} else if strings.Contains(cpuInfo, "vfp") {
+		if err != nil {
-		goarm = "v6"
+			log.Warnln("codesign failed: %v", err)
-	} else {
+		}
 		goarm = "v5"
 	}
-	return true
+
 	log.Infoln("updater: copy: %s to %s", src, dst)
 	return nil
 }
--- a/component/updater/update_core_test.go
+++ b/component/updater/update_core_test.go
@@ -0,0 +1,10 @@
 package updater
 import (
 	"fmt"
 	"testing"
 )
 func TestCoreBaseName(t *testing.T) {
 	fmt.Println("Core base name =", DefaultCoreUpdater.CoreBaseName())
 }
--- a/component/updater/update_geo.go
+++ b/component/updater/update_geo.go
@@ -212,7 +212,7 @@ func UpdateGeoDatabases() error {
 	return nil
 }
-func getUpdateTime() (err error, time time.Time) {
+func getUpdateTime() (time time.Time, err error) {
 	filesToCheck := []string{
 		C.Path.GeoIP(),
 		C.Path.MMDB(),
@@ -224,7 +224,7 @@ func getUpdateTime() (err error, time time.Time) {
 		var fileInfo os.FileInfo
 		fileInfo, err = os.Stat(file)
 		if err == nil {
-			return nil, fileInfo.ModTime()
+			return fileInfo.ModTime(), nil
 		}
 	}
@@ -241,7 +241,7 @@ func RegisterGeoUpdater() {
 		ticker := time.NewTicker(time.Duration(updateInterval) * time.Hour)
 		defer ticker.Stop()
-		err, lastUpdate := getUpdateTime()
+		lastUpdate, err := getUpdateTime()
 		if err != nil {
 			log.Errorln("[GEO] Get GEO database update time error: %s", err.Error())
 			return
--- a/component/updater/update_ui.go
+++ b/component/updater/update_ui.go
@@ -5,6 +5,7 @@ import (
 	"archive/zip"
 	"bytes"
 	"compress/gzip"
 	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -12,6 +13,7 @@ import (
 	"path/filepath"
 	"strings"
 	"sync"
 	"syscall"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
@@ -182,7 +184,7 @@ func unzip(data []byte, dest string) error {
 		if err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm); err != nil {
 			return err
 		}
-		outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
+		outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode().Perm())
 		if err != nil {
 			return err
 		}
@@ -209,9 +211,6 @@ func untgz(data []byte, dest string) error {
 	tr := tar.NewReader(gzr)
 	_ = gzr.Reset(bytes.NewReader(data))
 	tr = tar.NewReader(gzr)
 	for {
 		header, err := tr.Next()
 		if err == io.EOF {
@@ -236,7 +235,7 @@ func untgz(data []byte, dest string) error {
 			if err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm); err != nil {
 				return err
 			}
-			outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, os.FileMode(header.Mode))
+			outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, os.FileMode(header.Mode).Perm())
 			if err != nil {
 				return err
 			}
@@ -311,7 +310,16 @@ func moveDir(src string, dst string) error {
 	}
 	for _, dirEntry := range dirEntryList {
-		err = os.Rename(filepath.Join(src, dirEntry.Name()), filepath.Join(dst, dirEntry.Name()))
+		srcPath := filepath.Join(src, dirEntry.Name())
 		dstPath := filepath.Join(dst, dirEntry.Name())
 		err = os.Rename(srcPath, dstPath)
 		if err != nil {
 			// Fallback for invalid cross-device link (errno:18).
 			if errors.Is(err, syscall.Errno(18)) {
 				err = copyAll(srcPath, dstPath)
 				_ = os.RemoveAll(srcPath)
 			}
 		}
 		if err != nil {
 			return err
 		}
@@ -319,6 +327,50 @@ func moveDir(src string, dst string) error {
 	return nil
 }
 // copyAll copy the src path and any children it contains to dst
 // modify from [os.CopyFS]
 func copyAll(src, dst string) error {
 	return filepath.Walk(src, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
 			return err
 		}
 		fpath, err := filepath.Rel(src, path)
 		if err != nil {
 			return err
 		}
 		newPath := filepath.Join(dst, fpath)
 		switch info.Mode().Type() {
 		case os.ModeDir:
 			return os.MkdirAll(newPath, info.Mode().Perm())
 		case os.ModeSymlink:
 			target, err := os.Readlink(path)
 			if err != nil {
 				return err
 			}
 			return os.Symlink(target, newPath)
 		case 0:
 			r, err := os.Open(path)
 			if err != nil {
 				return err
 			}
 			defer r.Close()
 			w, err := os.OpenFile(newPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, info.Mode().Perm())
 			if err != nil {
 				return err
 			}
 			if _, err := io.Copy(w, r); err != nil {
 				w.Close()
 				return &os.PathError{Op: "Copy", Path: newPath, Err: err}
 			}
 			return w.Close()
 		default:
 			return &os.PathError{Op: "CopyFS", Path: path, Err: os.ErrInvalid}
 		}
 	})
 }
 func inDest(fpath, dest string) bool {
 	if rel, err := filepath.Rel(dest, fpath); err == nil {
 		if filepath.IsLocal(rel) {
--- a/component/updater/utils.go
+++ b/component/updater/utils.go
@@ -2,15 +2,12 @@ package updater
 import (
 	"context"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"time"
 	mihomoHttp "github.com/metacubex/mihomo/component/http"
 	"golang.org/x/exp/constraints"
 )
 const defaultHttpTimeout = time.Second * 90
@@ -30,62 +27,3 @@ func downloadForBytes(url string) ([]byte, error) {
 func saveFile(bytes []byte, path string) error {
 	return os.WriteFile(path, bytes, 0o644)
 }
 // LimitReachedError records the limit and the operation that caused it.
 type LimitReachedError struct {
 	Limit int64
 }
 // Error implements the [error] interface for *LimitReachedError.
 //
 // TODO(a.garipov): Think about error string format.
 func (lre *LimitReachedError) Error() string {
 	return fmt.Sprintf("attempted to read more than %d bytes", lre.Limit)
 }
 // limitedReader is a wrapper for [io.Reader] limiting the input and dealing
 // with errors package.
 type limitedReader struct {
 	r     io.Reader
 	limit int64
 	n     int64
 }
 // Read implements the [io.Reader] interface.
 func (lr *limitedReader) Read(p []byte) (n int, err error) {
 	if lr.n == 0 {
 		return 0, &LimitReachedError{
 			Limit: lr.limit,
 		}
 	}
 	p = p[:Min(lr.n, int64(len(p)))]
 	n, err = lr.r.Read(p)
 	lr.n -= int64(n)
 	return n, err
 }
 // LimitReader wraps Reader to make it's Reader stop with ErrLimitReached after
 // n bytes read.
 func LimitReader(r io.Reader, n int64) (limited io.Reader, err error) {
 	if n < 0 {
 		return nil, &updateError{Message: "limit must be non-negative"}
 	}
 	return &limitedReader{
 		r:     r,
 		limit: n,
 		n:     n,
 	}, nil
 }
 // Min returns the smaller of x or y.
 func Min[T constraints.Integer | ~string](x, y T) (res T) {
 	if x < y {
 		return x
 	}
 	return y
 }
--- a/component/wildcard/wildcard.go
+++ b/component/wildcard/wildcard.go
@@ -0,0 +1,84 @@
 // Package wildcard modified IGLOU-EU/go-wildcard to support:
 //
 //	`*` matches zero or more characters
 //	`?` matches exactly one character
 //
 // The original go-wildcard library used `.` to match exactly one character, and `?` to match zero or one character.
 // `.` is a valid delimiter in domain name matching and should not be used as a wildcard.
 // The `?` matching logic strictly matches only one character in most scenarios.
 // So, the `?` matching logic in the original go-wildcard library has been removed and its wildcard `.` has been replaced with `?`.
 package wildcard
 // copy and modified from https://github.com/IGLOU-EU/go-wildcard/tree/ce22b7af48e487517a492d3727d9386492043e21
 // which is licensed under OpenBSD's ISC-style license.
 // Copyright (c) 2023 Iglou.eu contact@iglou.eu Copyright (c) 2023 Adrien Kara adrien@iglou.eu
 func Match(pattern, s string) bool {
 	if pattern == "" {
 		return s == pattern
 	}
 	if pattern == "*" || s == pattern {
 		return true
 	}
 	return matchByString(pattern, s)
 }
 func matchByString(pattern, s string) bool {
 	var patternIndex, sIndex, lastStar int
 	patternLen := len(pattern)
 	sLen := len(s)
 	star := -1
 Loop:
 	if sIndex >= sLen {
 		goto checkPattern
 	}
 	if patternIndex >= patternLen {
 		if star != -1 {
 			patternIndex = star + 1
 			lastStar++
 			sIndex = lastStar
 			goto Loop
 		}
 		return false
 	}
 	switch pattern[patternIndex] {
 	case '?':
 		// It matches any single character. So, we don't need to check anything.
 	case '*':
 		// '*' matches zero or more characters. Store its position and increment the pattern index.
 		star = patternIndex
 		lastStar = sIndex
 		patternIndex++
 		goto Loop
 	default:
 		// If the characters don't match, check if there was a previous '*' to backtrack.
 		if pattern[patternIndex] != s[sIndex] {
 			if star != -1 {
 				patternIndex = star + 1
 				lastStar++
 				sIndex = lastStar
 				goto Loop
 			}
 			return false
 		}
 	}
 	patternIndex++
 	sIndex++
 	goto Loop
 	// Check if the remaining pattern characters are '*', which can match the end of the string.
 checkPattern:
 	if patternIndex < patternLen {
 		if pattern[patternIndex] == '*' {
 			patternIndex++
 			goto checkPattern
 		}
 	}
 	return patternIndex == patternLen
 }
--- a/component/wildcard/wildcard_test.go
+++ b/component/wildcard/wildcard_test.go
@@ -0,0 +1,192 @@
 package wildcard
 /*
 * copy and modified from https://github.com/IGLOU-EU/go-wildcard/tree/ce22b7af48e487517a492d3727d9386492043e21
 *
 * Copyright (c) 2023 Iglou.eu <contact@iglou.eu>
 * Copyright (c) 2023 Adrien Kara <adrien@iglou.eu>
 *
 * Licensed under the BSD 3-Clause License,
 */
 import (
 	"testing"
 )
 // TestMatch validates the logic of wild card matching,
 // it need to support '*', '?' and only validate for byte comparison
 // over string, not rune or grapheme cluster
 func TestMatch(t *testing.T) {
 	cases := []struct {
 		s       string
 		pattern string
 		result  bool
 	}{
 		{"", "", true},
 		{"", "*", true},
 		{"", "**", true},
 		{"", "?", false},
 		{"", "?*", false},
 		{"", "*?", false},
 		{"a", "", false},
 		{"a", "a", true},
 		{"a", "*", true},
 		{"a", "**", true},
 		{"a", "?", true},
 		{"a", "?*", true},
 		{"a", "*?", true},
 		{"match the exact string", "match the exact string", true},
 		{"do not match a different string", "this is a different string", false},
 		{"Match The Exact String WITH DIFFERENT CASE", "Match The Exact String WITH DIFFERENT CASE", true},
 		{"do not match a different string WITH DIFFERENT CASE", "this is a different string WITH DIFFERENT CASE", false},
 		{"Do Not Match The Exact String With Different Case", "do not match the exact string with different case", false},
 		{"match an emoji 😃", "match an emoji 😃", true},
 		{"do not match because of different emoji 😃", "do not match because of different emoji 😄", false},
 		{"🌅☕️📰👨‍💼👩‍💼🏢🖥️💼💻📊📈📉👨‍👩‍👧‍👦🍝🕰️💪🏋️‍♂️🏋️‍♀️🏋️‍♂️💼🚴‍♂️🚴‍♀️🚴‍♂️🛀💤🌃", "🌅☕️📰👨‍💼👩‍💼🏢🖥️💼💻📊📈📉👨‍👩‍👧‍👦🍝🕰️💪🏋️‍♂️🏋️‍♀️🏋️‍♂️💼🚴‍♂️🚴‍♀️🚴‍♂️🛀💤🌃", true},
 		{"🌅☕️📰👨‍💼👩‍💼🏢🖥️💼💻📊📈📉👨‍👩‍👧‍👦🍝🕰️💪🏋️‍♂️🏋️‍♀️🏋️‍♂️💼🚴‍♂️🚴‍♀️🚴‍♂️🛀💤🌃", "🦌🐇🦡🐿️🌲🌳🏰🌳🌲🌞🌧️❄️🌬️⛈️🔥🎄🎅🎁🎉🎊🥳👨‍👩‍👧‍👦💏👪💖👩‍💼🛀", false},
 		{"match a string with a *", "match a string *", true},
 		{"match a string with a * at the beginning", "* at the beginning", true},
 		{"match a string with two *", "match * with *", true},
 		{"do not match a string with extra and a *", "do not match a string * with more", false},
 		{"match a string with a ?", "match ? string with a ?", true},
 		{"match a string with a ? at the beginning", "?atch a string with a ? at the beginning", true},
 		{"match a string with two ?", "match a ??ring with two ?", true},
 		{"do not match a string with extra ?", "do not match a string with extra ??", false},
 		{"abc.edf.hjg", "abc.edf.hjg", true},
 		{"abc.edf.hjg", "ab.cedf.hjg", false},
 		{"abc.edf.hjg", "abc.edfh.jg", false},
 		{"abc.edf.hjg", "abc.edf.hjq", false},
 		{"abc.edf.hjg", "abc.*.hjg", true},
 		{"abc.edf.hjg", "abc.*.hjq", false},
 		{"abc.edf.hjg", "abc*hjg", true},
 		{"abc.edf.hjg", "abc*hjq", false},
 		{"abc.edf.hjg", "a*g", true},
 		{"abc.edf.hjg", "a*q", false},
 		{"abc.edf.hjg", "ab?.edf.hjg", true},
 		{"abc.edf.hjg", "?b?.edf.hjg", true},
 		{"abc.edf.hjg", "??c.edf.hjg", true},
 		{"abc.edf.hjg", "a??.edf.hjg", true},
 		{"abc.edf.hjg", "ab??.edf.hjg", false},
 		{"abc.edf.hjg", "??.edf.hjg", false},
 	}
 	for i, c := range cases {
 		t.Run(c.s, func(t *testing.T) {
 			result := Match(c.pattern, c.s)
 			if c.result != result {
 				t.Errorf("Test %d: Expected `%v`, found `%v`; With Pattern: `%s` and String: `%s`", i+1, c.result, result, c.pattern, c.s)
 			}
 		})
 	}
 }
 func match(pattern, name string) bool { // https://research.swtch.com/glob
 	px := 0
 	nx := 0
 	nextPx := 0
 	nextNx := 0
 	for px < len(pattern) || nx < len(name) {
 		if px < len(pattern) {
 			c := pattern[px]
 			switch c {
 			default: // ordinary character
 				if nx < len(name) && name[nx] == c {
 					px++
 					nx++
 					continue
 				}
 			case '?': // single-character wildcard
 				if nx < len(name) {
 					px++
 					nx++
 					continue
 				}
 			case '*': // zero-or-more-character wildcard
 				// Try to match at nx.
 				// If that doesn't work out,
 				// restart at nx+1 next.
 				nextPx = px
 				nextNx = nx + 1
 				px++
 				continue
 			}
 		}
 		// Mismatch. Maybe restart.
 		if 0 < nextNx && nextNx <= len(name) {
 			px = nextPx
 			nx = nextNx
 			continue
 		}
 		return false
 	}
 	// Matched all of pattern to all of name. Success.
 	return true
 }
 func FuzzMatch(f *testing.F) {
 	f.Fuzz(func(t *testing.T, pattern, name string) {
 		result1 := Match(pattern, name)
 		result2 := match(pattern, name)
 		if result1 != result2 {
 			t.Fatalf("Match failed for pattern `%s` and name `%s`", pattern, name)
 		}
 	})
 }
 func BenchmarkMatch(b *testing.B) {
 	cases := []struct {
 		s       string
 		pattern string
 		result  bool
 	}{
 		{"abc.edf.hjg", "abc.edf.hjg", true},
 		{"abc.edf.hjg", "ab.cedf.hjg", false},
 		{"abc.edf.hjg", "abc.edfh.jg", false},
 		{"abc.edf.hjg", "abc.edf.hjq", false},
 		{"abc.edf.hjg", "abc.*.hjg", true},
 		{"abc.edf.hjg", "abc.*.hjq", false},
 		{"abc.edf.hjg", "abc*hjg", true},
 		{"abc.edf.hjg", "abc*hjq", false},
 		{"abc.edf.hjg", "a*g", true},
 		{"abc.edf.hjg", "a*q", false},
 		{"abc.edf.hjg", "ab?.edf.hjg", true},
 		{"abc.edf.hjg", "?b?.edf.hjg", true},
 		{"abc.edf.hjg", "??c.edf.hjg", true},
 		{"abc.edf.hjg", "a??.edf.hjg", true},
 		{"abc.edf.hjg", "ab??.edf.hjg", false},
 		{"abc.edf.hjg", "??.edf.hjg", false},
 		{"r4.cdn-aa-wow-this-is-long-a1.video-yajusenpai1145141919810-oh-hell-yeah-this-is-also-very-long-and-sukka-the-fox-has-a-very-big-fluffy-fox-tail-ao-wu-ao-wu-regex-and-wildcard-both-might-have-deadly-back-tracing-issue-be-careful-or-use-linear-matching.com", "*.cdn-*-*.video**.com", true},
 	}
 	b.Run("Match", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
 			for _, c := range cases {
 				result := Match(c.pattern, c.s)
 				if c.result != result {
 					b.Errorf("Test %d: Expected `%v`, found `%v`; With Pattern: `%s` and String: `%s`", i+1, c.result, result, c.pattern, c.s)
 				}
 			}
 		}
 	})
 	b.Run("match", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
 			for _, c := range cases {
 				result := match(c.pattern, c.s)
 				if c.result != result {
 					b.Errorf("Test %d: Expected `%v`, found `%v`; With Pattern: `%s` and String: `%s`", i+1, c.result, result, c.pattern, c.s)
 				}
 			}
 		}
 	})
 }
--- a/config/config.go
+++ b/config/config.go
@@ -1,7 +1,6 @@
 package config
 import (
 	"container/list"
 	"errors"
 	"fmt"
 	"net"
@@ -118,7 +117,6 @@ type Cors struct {
 // Experimental config
 type Experimental struct {
 	Fingerprints     []string
 	QUICGoDisableGSO bool
 	QUICGoDisableECN bool
 	IP4PEnable       bool
@@ -157,6 +155,7 @@ type DNS struct {
 	EnhancedMode          C.DNSMode
 	DefaultNameserver     []dns.NameServer
 	CacheAlgorithm        string
 	CacheMaxSize          int
 	FakeIPRange           *fakeip.Pool
 	Hosts                 *trie.DomainTrie[resolver.HostValue]
 	NameServerPolicy      []dns.Policy
@@ -175,6 +174,8 @@ type Profile struct {
 type TLS struct {
 	Certificate     string
 	PrivateKey      string
 	ClientAuthType  string
 	ClientAuthCert  string
 	EchKey          string
 	CustomTrustCert []string
 }
@@ -224,6 +225,7 @@ type RawDNS struct {
 	FakeIPFilterMode             C.FilterMode                        `yaml:"fake-ip-filter-mode" json:"fake-ip-filter-mode"`
 	DefaultNameserver            []string                            `yaml:"default-nameserver" json:"default-nameserver"`
 	CacheAlgorithm               string                              `yaml:"cache-algorithm" json:"cache-algorithm"`
 	CacheMaxSize                 int                                 `yaml:"cache-max-size" json:"cache-max-size"`
 	NameServerPolicy             *orderedmap.OrderedMap[string, any] `yaml:"nameserver-policy" json:"nameserver-policy"`
 	ProxyServerNameserver        []string                            `yaml:"proxy-server-nameserver" json:"proxy-server-nameserver"`
 	DirectNameServer             []string                            `yaml:"direct-nameserver" json:"direct-nameserver"`
@@ -291,12 +293,17 @@ type RawTun struct {
 	ExcludePackage         []string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
 	EndpointIndependentNat bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
 	UDPTimeout             int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
 	DisableICMPForwarding  bool           `yaml:"disable-icmp-forwarding" json:"disable-icmp-forwarding,omitempty"`
 	FileDescriptor         int            `yaml:"file-descriptor" json:"file-descriptor"`
 	Inet4RouteAddress        []netip.Prefix `yaml:"inet4-route-address" json:"inet4-route-address,omitempty"`
 	Inet6RouteAddress        []netip.Prefix `yaml:"inet6-route-address" json:"inet6-route-address,omitempty"`
 	Inet4RouteExcludeAddress []netip.Prefix `yaml:"inet4-route-exclude-address" json:"inet4-route-exclude-address,omitempty"`
 	Inet6RouteExcludeAddress []netip.Prefix `yaml:"inet6-route-exclude-address" json:"inet6-route-exclude-address,omitempty"`
 	// darwin special config
 	RecvMsgX bool `yaml:"recvmsgx" json:"recvmsgx,omitempty"`
 	SendMsgX bool `yaml:"sendmsgx" json:"sendmsgx,omitempty"`
 }
 type RawTuicServer struct {
@@ -363,6 +370,8 @@ type RawSniffingConfig struct {
 type RawTLS struct {
 	Certificate     string   `yaml:"certificate" json:"certificate"`
 	PrivateKey      string   `yaml:"private-key" json:"private-key"`
 	ClientAuthType  string   `yaml:"client-auth-type" json:"client-auth-type"`
 	ClientAuthCert  string   `yaml:"client-auth-cert" json:"client-auth-cert"`
 	EchKey          string   `yaml:"ech-key" json:"ech-key"`
 	CustomTrustCert []string `yaml:"custom-certifactes" json:"custom-certifactes"`
 }
@@ -514,6 +523,8 @@ func DefaultRawConfig() *RawConfig {
 			AutoRoute:           true,
 			AutoDetectInterface: true,
 			Inet6Address:        []netip.Prefix{netip.MustParsePrefix("fdfe:dcba:9876::1/126")},
 			RecvMsgX:            true,
 			SendMsgX:            false, // In the current implementation, if enabled, the kernel may freeze during multi-thread downloads, so it is disabled by default.
 		},
 		TuicServer: RawTuicServer{
 			Enable:                false,
@@ -783,7 +794,6 @@ func parseController(cfg *RawConfig) (*Controller, error) {
 func parseExperimental(cfg *RawConfig) (*Experimental, error) {
 	return &Experimental{
 		Fingerprints:     cfg.Experimental.Fingerprints,
 		QUICGoDisableGSO: cfg.Experimental.QUICGoDisableGSO,
 		QUICGoDisableECN: cfg.Experimental.QUICGoDisableECN,
 		IP4PEnable:       cfg.Experimental.IP4PEnable,
@@ -821,6 +831,8 @@ func parseTLS(cfg *RawConfig) (*TLS, error) {
 	return &TLS{
 		Certificate:     cfg.TLS.Certificate,
 		PrivateKey:      cfg.TLS.PrivateKey,
 		ClientAuthType:  cfg.TLS.ClientAuthType,
 		ClientAuthCert:  cfg.TLS.ClientAuthCert,
 		EchKey:          cfg.TLS.EchKey,
 		CustomTrustCert: cfg.TLS.CustomTrustCert,
 	}, nil
@@ -838,8 +850,6 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 		AllProxies []string
 		hasGlobal  bool
 	)
 	proxiesList := list.New()
 	groupsList := list.New()
 	proxies["DIRECT"] = adapter.NewProxy(outbound.NewDirect())
 	proxies["REJECT"] = adapter.NewProxy(outbound.NewReject())
@@ -861,7 +871,6 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 		proxies[proxy.Name()] = proxy
 		proxyList = append(proxyList, proxy.Name())
 		AllProxies = append(AllProxies, proxy.Name())
 		proxiesList.PushBack(mapping)
 	}
 	// keep the original order of ProxyGroups in config file
@@ -874,7 +883,6 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 			hasGlobal = true
 		}
 		proxyList = append(proxyList, groupName)
 		groupsList.PushBack(mapping)
 	}
 	// check if any loop exists and sort the ProxyGroups
@@ -1040,46 +1048,20 @@ func parseRules(rulesConfig []string, proxies map[string]C.Proxy, ruleProviders
 	// parse rules
 	for idx, line := range rulesConfig {
-		rule := trimArr(strings.Split(line, ","))
+		tp, payload, target, params := RC.ParseRulePayload(line, true)
-		var (
+		if target == "" {
-			payload  string
+			return nil, fmt.Errorf("%s[%d] [%s] error: format invalid", format, idx, line)
 			target   string
 			params   []string
 			ruleName = strings.ToUpper(rule[0])
 		)
 		l := len(rule)
 		if ruleName == "NOT" || ruleName == "OR" || ruleName == "AND" || ruleName == "SUB-RULE" || ruleName == "DOMAIN-REGEX" || ruleName == "PROCESS-NAME-REGEX" || ruleName == "PROCESS-PATH-REGEX" {
 			target = rule[l-1]
 			payload = strings.Join(rule[1:l-1], ",")
 		} else {
 			if l < 2 {
 				return nil, fmt.Errorf("%s[%d] [%s] error: format invalid", format, idx, line)
 			}
 			if l < 4 {
 				rule = append(rule, make([]string, 4-l)...)
 			}
 			if ruleName == "MATCH" {
 				l = 2
 			}
 			if l >= 3 {
 				l = 3
 				payload = rule[1]
 			}
 			target = rule[l-1]
 			params = rule[l:]
 		}
 		if _, ok := proxies[target]; !ok {
-			if ruleName != "SUB-RULE" {
+			if tp != "SUB-RULE" {
 				return nil, fmt.Errorf("%s[%d] [%s] error: proxy [%s] not found", format, idx, line, target)
 			} else if _, ok = subRules[target]; !ok {
 				return nil, fmt.Errorf("%s[%d] [%s] error: sub-rule [%s] not found", format, idx, line, target)
 			}
 		}
-		params = trimArr(params)
+		parsed, parseErr := R.ParseRule(tp, payload, target, params, subRules)
 		parsed, parseErr := R.ParseRule(ruleName, payload, target, params, subRules)
 		if parseErr != nil {
 			return nil, fmt.Errorf("%s[%d] [%s] error: %s", format, idx, line, parseErr.Error())
 		}
@@ -1377,6 +1359,8 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul
 		IPv6:           cfg.IPv6,
 		UseSystemHosts: cfg.UseSystemHosts,
 		EnhancedMode:   cfg.EnhancedMode,
 		CacheAlgorithm: cfg.CacheAlgorithm,
 		CacheMaxSize:   cfg.CacheMaxSize,
 	}
 	var err error
 	if dnsCfg.NameServer, err = parseNameServer(cfg.NameServer, cfg.RespectRules, cfg.PreferH3); err != nil {
@@ -1510,12 +1494,6 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul
 		dnsCfg.Hosts = hosts
 	}
 	if cfg.CacheAlgorithm == "" || cfg.CacheAlgorithm == "lru" {
 		dnsCfg.CacheAlgorithm = "lru"
 	} else {
 		dnsCfg.CacheAlgorithm = "arc"
 	}
 	return dnsCfg, nil
 }
@@ -1579,12 +1557,16 @@ func parseTun(rawTun RawTun, general *General) error {
 		ExcludePackage:         rawTun.ExcludePackage,
 		EndpointIndependentNat: rawTun.EndpointIndependentNat,
 		UDPTimeout:             rawTun.UDPTimeout,
 		DisableICMPForwarding:  rawTun.DisableICMPForwarding,
 		FileDescriptor:         rawTun.FileDescriptor,
 		Inet4RouteAddress:        rawTun.Inet4RouteAddress,
 		Inet6RouteAddress:        rawTun.Inet6RouteAddress,
 		Inet4RouteExcludeAddress: rawTun.Inet4RouteExcludeAddress,
 		Inet6RouteExcludeAddress: rawTun.Inet6RouteExcludeAddress,
 		RecvMsgX: rawTun.RecvMsgX,
 		SendMsgX: rawTun.SendMsgX,
 	}
 	return nil
--- a/config/utils.go
+++ b/config/utils.go
@@ -6,19 +6,11 @@ import (
 	"net/netip"
 	"os"
 	"strconv"
 	"strings"
 	"github.com/metacubex/mihomo/adapter/outboundgroup"
 	"github.com/metacubex/mihomo/common/structure"
 )
 func trimArr(arr []string) (r []string) {
 	for _, e := range arr {
 		r = append(r, strings.Trim(e, " "))
 	}
 	return
 }
 // Check if ProxyGroups form DAG(Directed Acyclic Graph), and sort all ProxyGroups by dependency order.
 // Meanwhile, record the original index in the config file.
 // If loop is detected, return an error with location of loop.
--- a/constant/features/goflags.go
+++ b/constant/features/goflags.go
@@ -0,0 +1,24 @@
 package features
 import "runtime/debug"
 var (
 	GOARM   string
 	GOMIPS  string
 	GOAMD64 string
 )
 func init() {
 	if info, ok := debug.ReadBuildInfo(); ok {
 		for _, bs := range info.Settings {
 			switch bs.Key {
 			case "GOARM":
 				GOARM = bs.Value
 			case "GOMIPS":
 				GOMIPS = bs.Value
 			case "GOAMD64":
 				GOAMD64 = bs.Value
 			}
 		}
 	}
 }
--- a/constant/rule.go
+++ b/constant/rule.go
@@ -6,6 +6,7 @@ const (
 	DomainSuffix
 	DomainKeyword
 	DomainRegex
 	DomainWildcard
 	GEOSITE
 	GEOIP
 	SrcGEOIP
@@ -48,6 +49,8 @@ func (rt RuleType) String() string {
 		return "DomainKeyword"
 	case DomainRegex:
 		return "DomainRegex"
 	case DomainWildcard:
 		return "DomainWildcard"
 	case GEOSITE:
 		return "GeoSite"
 	case GEOIP:
--- a/dns/client.go
+++ b/dns/client.go
@@ -16,35 +16,23 @@ import (
 )
 type client struct {
-	*D.Client
+	port           string
-	port   string
+	host           string
-	host   string
+	dialer         *dnsDialer
-	dialer *dnsDialer
+	schema         string
-	addr   string
+	skipCertVerify bool
 }
 var _ dnsClient = (*client)(nil)
 // Address implements dnsClient
 func (c *client) Address() string {
-	if len(c.addr) != 0 {
+	return fmt.Sprintf("%s://%s", c.schema, net.JoinHostPort(c.host, c.port))
 		return c.addr
 	}
 	schema := "udp"
 	if strings.HasPrefix(c.Client.Net, "tcp") {
 		schema = "tcp"
 		if strings.HasSuffix(c.Client.Net, "tls") {
 			schema = "tls"
 		}
 	}
 	c.addr = fmt.Sprintf("%s://%s", schema, net.JoinHostPort(c.host, c.port))
 	return c.addr
 }
 func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error) {
 	network := "udp"
-	if strings.HasPrefix(c.Client.Net, "tcp") {
+	if c.schema != "udp" {
 		network = "tcp"
 	}
@@ -53,9 +41,24 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 	if err != nil {
 		return nil, err
 	}
-	defer func() {
+	defer conn.Close()
-		_ = conn.Close()
+
-	}()
+	if c.schema == "tls" {
 		tlsConfig, err := ca.GetTLSConfig(ca.Option{
 			TLSConfig: &tls.Config{
 				ServerName:         c.host,
 				InsecureSkipVerify: c.skipCertVerify,
 			},
 		})
 		if err != nil {
 			return nil, err
 		}
 		tlsConn := tls.Client(conn, tlsConfig)
 		if err := tlsConn.HandshakeContext(ctx); err != nil {
 			return nil, err
 		}
 		conn = tlsConn
 	}
 	// miekg/dns ExchangeContext doesn't respond to context cancel.
 	// this is a workaround
@@ -65,34 +68,30 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 	}
 	ch := make(chan result, 1)
 	go func() {
-		if strings.HasSuffix(c.Client.Net, "tls") {
+		dClient := &D.Client{
-			conn = tls.Client(conn, ca.GetGlobalTLSConfig(c.Client.TLSConfig))
+			UDPSize: 4096,
 			Timeout: 5 * time.Second,
 		}
 		dConn := &D.Conn{
-			Conn:         conn,
+			Conn:    conn,
-			UDPSize:      c.Client.UDPSize,
+			UDPSize: dClient.UDPSize,
 			TsigSecret:   c.Client.TsigSecret,
 			TsigProvider: c.Client.TsigProvider,
 		}
-		msg, _, err := c.Client.ExchangeWithConn(m, dConn)
+		msg, _, err := dClient.ExchangeWithConn(m, dConn)
 		// Resolvers MUST resend queries over TCP if they receive a truncated UDP response (with TC=1 set)!
 		if msg != nil && msg.Truncated && network == "udp" {
 			tcpClient := *c.Client // copy a client
 			tcpClient.Net = "tcp"
 			network = "tcp"
 			log.Debugln("[DNS] Truncated reply from %s:%s for %s over UDP, retrying over TCP", c.host, c.port, m.Question[0].String())
-			dConn.Conn, err = c.dialer.DialContext(ctx, network, addr)
+			var tcpConn net.Conn
 			tcpConn, err = c.dialer.DialContext(ctx, network, addr)
 			if err != nil {
 				ch <- result{msg, err}
 				return
 			}
-			defer func() {
+			defer tcpConn.Close()
-				_ = conn.Close()
+			dConn.Conn = tcpConn
-			}()
+			msg, _, err = dClient.ExchangeWithConn(m, dConn)
 			msg, _, err = tcpClient.ExchangeWithConn(m, dConn)
 		}
 		ch <- result{msg, err}
@@ -111,20 +110,19 @@ func (c *client) ResetConnection() {}
 func newClient(addr string, resolver *Resolver, netType string, params map[string]string, proxyAdapter C.ProxyAdapter, proxyName string) *client {
 	host, port, _ := net.SplitHostPort(addr)
 	c := &client{
 		Client: &D.Client{
 			Net: netType,
 			TLSConfig: &tls.Config{
 				ServerName: host,
 			},
 			UDPSize: 4096,
 			Timeout: 5 * time.Second,
 		},
 		port:   port,
 		host:   host,
 		dialer: newDNSDialer(resolver, proxyAdapter, proxyName),
 		schema: "udp",
 	}
 	if strings.HasPrefix(netType, "tcp") {
 		c.schema = "tcp"
 		if strings.HasSuffix(netType, "tls") {
 			c.schema = "tls"
 		}
 	}
 	if params["skip-cert-verify"] == "true" {
-		c.TLSConfig.InsecureSkipVerify = true
+		c.skipCertVerify = true
 	}
 	return c
 }
--- a/dns/doh.go
+++ b/dns/doh.go
@@ -397,12 +397,16 @@ func (doh *dnsOverHTTPS) createTransport(ctx context.Context) (t http.RoundTripp
 		return transport, nil
 	}
-	tlsConfig := ca.GetGlobalTLSConfig(
+	tlsConfig, err := ca.GetTLSConfig(ca.Option{
-		&tls.Config{
+		TLSConfig: &tls.Config{
 			InsecureSkipVerify:     doh.skipCertVerify,
 			MinVersion:             tls.VersionTLS12,
 			SessionTicketsDisabled: false,
-		})
+		},
 	})
 	if err != nil {
 		return nil, err
 	}
 	var nextProtos []string
 	for _, v := range doh.httpVersions {
 		nextProtos = append(nextProtos, string(v))
@@ -447,12 +451,12 @@ func (doh *dnsOverHTTPS) createTransport(ctx context.Context) (t http.RoundTripp
 	return transport, nil
 }
-// http3Transport is a wrapper over *http3.RoundTripper that tries to optimize
+// http3Transport is a wrapper over *http3.Transport that tries to optimize
 // its behavior.  The main thing that it does is trying to force use a single
 // connection to a host instead of creating a new one all the time.  It also
 // helps mitigate race issues with quic-go.
 type http3Transport struct {
-	baseTransport *http3.RoundTripper
+	baseTransport *http3.Transport
 	closed bool
 	mu     sync.RWMutex
@@ -505,7 +509,7 @@ func (h *http3Transport) CloseIdleConnections() {
 // We should be able to fall back to H1/H2 in case if HTTP/3 is unavailable or
 // if it is too slow.  In order to do that, this method will run two probes
 // in parallel (one for TLS, the other one for QUIC) and if QUIC is faster it
-// will create the *http3.RoundTripper instance.
+// will create the *http3.Transport instance.
 func (doh *dnsOverHTTPS) createTransportH3(
 	ctx context.Context,
 	tlsConfig *tls.Config,
@@ -519,7 +523,7 @@ func (doh *dnsOverHTTPS) createTransportH3(
 		return nil, err
 	}
-	rt := &http3.RoundTripper{
+	rt := &http3.Transport{
 		Dial: func(
 			ctx context.Context,
@@ -528,7 +532,7 @@ func (doh *dnsOverHTTPS) createTransportH3(
 			_ string,
 			tlsCfg *tlsC.Config,
 			cfg *quic.Config,
-		) (c quic.EarlyConnection, err error) {
+		) (c *quic.Conn, err error) {
 			return doh.dialQuic(ctx, addr, tlsCfg, cfg)
 		},
 		DisableCompression: true,
@@ -539,7 +543,7 @@ func (doh *dnsOverHTTPS) createTransportH3(
 	return &http3Transport{baseTransport: rt}, nil
 }
-func (doh *dnsOverHTTPS) dialQuic(ctx context.Context, addr string, tlsCfg *tlsC.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+func (doh *dnsOverHTTPS) dialQuic(ctx context.Context, addr string, tlsCfg *tlsC.Config, cfg *quic.Config) (*quic.Conn, error) {
 	ip, port, err := net.SplitHostPort(addr)
 	if err != nil {
 		return nil, err
--- a/dns/doq.go
+++ b/dns/doq.go
@@ -53,7 +53,7 @@ type dnsOverQUIC struct {
 	// conn is the current active QUIC connection.  It can be closed and
 	// re-opened when needed.
-	conn   quic.Connection
+	conn   *quic.Conn
 	connMu sync.RWMutex
 	// bytesPool is a *sync.Pool we use to store byte buffers in.  These byte
@@ -157,7 +157,7 @@ func (doq *dnsOverQUIC) ResetConnection() {
 // exchangeQUIC attempts to open a QUIC connection, send the DNS message
 // through it and return the response it got from the server.
 func (doq *dnsOverQUIC) exchangeQUIC(ctx context.Context, msg *D.Msg) (resp *D.Msg, err error) {
-	var conn quic.Connection
+	var conn *quic.Conn
 	conn, err = doq.getConnection(ctx, true)
 	if err != nil {
 		return nil, err
@@ -169,7 +169,7 @@ func (doq *dnsOverQUIC) exchangeQUIC(ctx context.Context, msg *D.Msg) (resp *D.M
 		return nil, fmt.Errorf("failed to pack DNS message for DoQ: %w", err)
 	}
-	var stream quic.Stream
+	var stream *quic.Stream
 	stream, err = doq.openStream(ctx, conn)
 	if err != nil {
 		return nil, err
@@ -222,12 +222,12 @@ func (doq *dnsOverQUIC) getBytesPool() (pool *sync.Pool) {
 	return doq.bytesPool
 }
-// getConnection opens or returns an existing quic.Connection. useCached
+// getConnection opens or returns an existing *quic.Conn. useCached
 // argument controls whether we should try to use the existing cached
 // connection.  If it is false, we will forcibly create a new connection and
 // close the existing one if needed.
-func (doq *dnsOverQUIC) getConnection(ctx context.Context, useCached bool) (quic.Connection, error) {
+func (doq *dnsOverQUIC) getConnection(ctx context.Context, useCached bool) (*quic.Conn, error) {
-	var conn quic.Connection
+	var conn *quic.Conn
 	doq.connMu.RLock()
 	conn = doq.conn
 	if conn != nil && useCached {
@@ -282,7 +282,7 @@ func (doq *dnsOverQUIC) resetQUICConfig() {
 }
 // openStream opens a new QUIC stream for the specified connection.
-func (doq *dnsOverQUIC) openStream(ctx context.Context, conn quic.Connection) (quic.Stream, error) {
+func (doq *dnsOverQUIC) openStream(ctx context.Context, conn *quic.Conn) (*quic.Stream, error) {
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
@@ -302,7 +302,7 @@ func (doq *dnsOverQUIC) openStream(ctx context.Context, conn quic.Connection) (q
 }
 // openConnection opens a new QUIC connection.
-func (doq *dnsOverQUIC) openConnection(ctx context.Context) (conn quic.Connection, err error) {
+func (doq *dnsOverQUIC) openConnection(ctx context.Context) (conn *quic.Conn, err error) {
 	// we're using bootstrapped address instead of what's passed to the function
 	// it does not create an actual connection, but it helps us determine
 	// what IP is actually reachable (when there're v4/v6 addresses).
@@ -331,15 +331,19 @@ func (doq *dnsOverQUIC) openConnection(ctx context.Context) (conn quic.Connectio
 		return nil, err
 	}
-	tlsConfig := ca.GetGlobalTLSConfig(
+	tlsConfig, err := ca.GetTLSConfig(ca.Option{
-		&tls.Config{
+		TLSConfig: &tls.Config{
 			ServerName:         host,
 			InsecureSkipVerify: doq.skipCertVerify,
 			NextProtos: []string{
 				NextProtoDQ,
 			},
 			SessionTicketsDisabled: false,
-		})
+		},
 	})
 	if err != nil {
 		return nil, err
 	}
 	transport := quic.Transport{Conn: udp}
 	transport.SetCreatedConn(true) // auto close conn
@@ -382,7 +386,7 @@ func (doq *dnsOverQUIC) closeConnWithError(err error) {
 }
 // readMsg reads the incoming DNS message from the QUIC stream.
-func (doq *dnsOverQUIC) readMsg(stream quic.Stream) (m *D.Msg, err error) {
+func (doq *dnsOverQUIC) readMsg(stream *quic.Stream) (m *D.Msg, err error) {
 	pool := doq.getBytesPool()
 	bufPtr := pool.Get().(*[]byte)
--- a/dns/enhancer.go
+++ b/dns/enhancer.go
@@ -81,8 +81,8 @@ func (h *ResolverEnhancer) InsertHostByIP(ip netip.Addr, host string) {
 }
 func (h *ResolverEnhancer) FlushFakeIP() error {
-	if h.fakePool != nil {
+	if pool := h.fakePool; pool != nil {
-		return h.fakePool.FlushFakeIP()
+		return pool.FlushFakeIP()
 	}
 	return nil
 }
--- a/dns/patch_android.go
+++ b/dns/patch_android.go
@@ -9,12 +9,7 @@ import (
 var systemResolver []dnsClient
 func FlushCacheWithDefaultResolver() {
-	if r := resolver.DefaultResolver; r != nil {
+	resolver.ClearCache()
 		r.ClearCache()
 	}
 	if r := resolver.SystemResolver; r != nil {
 		r.ClearCache()
 	}
 	resolver.ResetConnection()
 }
--- a/dns/resolver.go
+++ b/dns/resolver.go
@@ -459,13 +459,18 @@ type Config struct {
 	Hosts                *trie.DomainTrie[resolver.HostValue]
 	Policy               []Policy
 	CacheAlgorithm       string
 	CacheMaxSize         int
 }
 func (config Config) newCache() dnsCache {
-	if config.CacheAlgorithm == "" || config.CacheAlgorithm == "lru" {
+	if config.CacheMaxSize == 0 {
-		return lru.New(lru.WithSize[string, *D.Msg](4096), lru.WithStale[string, *D.Msg](true))
+		config.CacheMaxSize = 4096
-	} else {
+	}
-		return arc.New(arc.WithSize[string, *D.Msg](4096))
+	switch config.CacheAlgorithm {
 	case "arc":
 		return arc.New(arc.WithSize[string, *D.Msg](config.CacheMaxSize))
 	default:
 		return lru.New(lru.WithSize[string, *D.Msg](config.CacheMaxSize), lru.WithStale[string, *D.Msg](true))
 	}
 }
--- a/dns/util.go
+++ b/dns/util.go
@@ -231,8 +231,7 @@ func batchExchange(ctx context.Context, clients []dnsClient, m *D.Msg) (msg *D.M
 	fast, ctx := picker.WithTimeout[*D.Msg](ctx, resolver.DefaultDNSTimeout)
 	defer fast.Close()
 	domain := msgToDomain(m)
-	qType, qTypeStr := msgToQtype(m)
+	_, qTypeStr := msgToQtype(m)
 	var noIpMsg *D.Msg
 	for _, client := range clients {
 		if _, isRCodeClient := client.(rcodeClient); isRCodeClient {
 			msg, err = client.ExchangeContext(ctx, m)
@@ -251,27 +250,12 @@ func batchExchange(ctx context.Context, clients []dnsClient, m *D.Msg) (msg *D.M
 			}
 			ips := msgToIP(m)
 			log.Debugln("[DNS] %s --> %s %s from %s", domain, ips, qTypeStr, client.Address())
 			switch qType {
 			case D.TypeAAAA:
 				if len(ips) == 0 {
 					noIpMsg = m
 					return nil, resolver.ErrIPNotFound
 				}
 			case D.TypeA:
 				if len(ips) == 0 {
 					noIpMsg = m
 					return nil, resolver.ErrIPNotFound
 				}
 			}
 			return m, nil
 		})
 	}
 	msg = fast.Wait()
 	if msg == nil {
 		if noIpMsg != nil {
 			return noIpMsg, false, nil
 		}
 		err = errors.New("all DNS requests failed")
 		if fErr := fast.Error(); fErr != nil {
 			err = fmt.Errorf("%w, first error: %w", err, fErr)
--- a/docker/file-name.sh
+++ b/docker/file-name.sh
@@ -2,7 +2,7 @@
 os="mihomo-linux-"
 case $TARGETPLATFORM in
    "linux/amd64")
-        arch="amd64-compatible"
+        arch="amd64-v1"
        ;;
    "linux/386")
        arch="386"
--- a/docs/config.yaml
+++ b/docs/config.yaml
@@ -48,6 +48,9 @@ ipv6: true # 开启 IPv6 总开关，关闭阻断所有 IPv6 链接和屏蔽 DNS
 tls:
  certificate: string # 证书 PEM 格式，或者 证书的路径
  private-key: string # 证书对应的私钥 PEM 格式，或者私钥路径
  # 下面两项为mTLS配置项，如果client-auth-type设置为 "verify-if-given" 或 "require-and-verify" 则client-auth-cert必须不为空
  # client-auth-type: "" # 可选值：""、"request"、"require-any"、"verify-if-given"、"require-and-verify"
  # client-auth-cert: string # 证书 PEM 格式，或者 证书的路径
  # 如果填写则开启ech（可由 mihomo generate ech-keypair <明文域名> 生成）
  # ech-key: |
  #   -----BEGIN ECH KEYS-----
@@ -142,6 +145,7 @@ tun:
  # gso-max-size: 65536 # 通用分段卸载包的最大大小
  auto-redirect: false # 自动配置 iptables 以重定向 TCP 连接。仅支持 Linux。带有 auto-redirect 的 auto-route 现在可以在路由器上按预期工作，无需干预。
  # strict-route: true # 将所有连接路由到 tun 来防止泄漏，但你的设备将无法其他设备被访问
  # disable-icmp-forwarding: true # 禁用 ICMP 转发，防止某些情况下的 ICMP 环回问题，ping 将不会显示真实的延迟
  route-address-set: # 将指定规则集中的目标 IP CIDR 规则添加到防火墙, 不匹配的流量将绕过路由, 仅支持 Linux，且需要 nftables，`auto-route` 和 `auto-redirect` 已启用。
    - ruleset-1
    - ruleset-2
@@ -348,7 +352,10 @@ proxies: # socks5
    # username: username
    # password: password
    # tls: true
-    # fingerprint: xxxx
+    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # skip-cert-verify: true
    # udp: true
    # ip-version: ipv6
@@ -363,7 +370,10 @@ proxies: # socks5
    # tls: true # https
    # skip-cert-verify: true
    # sni: custom.com
-    # fingerprint: xxxx # 同 experimental.fingerprints 使用 sha256 指纹，配置协议独立的指纹，将忽略 experimental.fingerprints
+    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # ip-version: dual
  # Snell
@@ -431,9 +441,10 @@ proxies: # socks5
    plugin-opts:
      mode: websocket # no QUIC now
      # tls: true # wss
-      # 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
+      # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
-      # 配置指纹将实现 SSL Pining 效果
+      # 下面两项如果填写则开启 mTLS（需要同时填写）
-      # fingerprint: xxxx
+      # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
      # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
      # ech-opts:
      #   enable: true # 必须手动开启
      #   # 如果config为空则通过dns解析，不为空则通过该值指定，格式为经过base64编码的ech参数（dig +short TYPE65 tls-ech.dev）
@@ -471,9 +482,10 @@ proxies: # socks5
    plugin-opts:
      mode: websocket
      # tls: true # wss
-      # 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
+      # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
-      # 配置指纹将实现 SSL Pining 效果
+      # 下面两项如果填写则开启 mTLS（需要同时填写）
-      # fingerprint: xxxx
+      # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
      # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
      # skip-cert-verify: true
      # host: bing.com
      # path: "/"
@@ -522,6 +534,37 @@ proxies: # socks5
      version-hint: "tls12"
      restls-script: "1000?100<1,500~100,350~100,600~100,400~200"
  - name: "ss-kcptun"
    type: ss
    server: [YOUR_SERVER_IP]
    port: 443
    cipher: chacha20-ietf-poly1305
    password: [YOUR_SS_PASSWORD]
    plugin: kcptun
    plugin-opts:
      key: it's a secrect # pre-shared secret between client and server
      crypt: aes # aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, sm4, none, null
      mode: fast # profiles: fast3, fast2, fast, normal, manual
      conn: 1 # set num of UDP connections to server
      autoexpire: 0 # set auto expiration time(in seconds) for a single UDP connection, 0 to disable
      scavengettl: 600 # set how long an expired connection can live (in seconds)
      mtu: 1350 # set maximum transmission unit for UDP packets
      sndwnd: 128 # set send window size(num of packets)
      rcvwnd: 512 # set receive window size(num of packets)
      datashard: 10 # set reed-solomon erasure coding - datashard
      parityshard: 3 # set reed-solomon erasure coding - parityshard
      dscp: 0 # set DSCP(6bit)
      nocomp: false # disable compression
      acknodelay: false # flush ack immediately when a packet is received
      nodelay: 0
      interval: 50
      resend: false
      sockbuf: 4194304 # per-socket buffer in bytes
      smuxver: 1 # specify smux version, available 1,2
      smuxbuf: 4194304 # the overall de-mux buffer in bytes
      streambuf: 2097152 # per stream receive buffer in bytes, smux v2+
      keepalive: 10 # seconds between heartbeats
  # vmess
  # cipher 支持 auto/aes-128-gcm/chacha20-poly1305/none
  - name: "vmess"
@@ -533,7 +576,10 @@ proxies: # socks5
    cipher: auto
    # udp: true
    # tls: true
-    # fingerprint: xxxx
+    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # client-fingerprint: chrome    # Available: "chrome","firefox","safari","ios","random", currently only support TLS transport in TCP/GRPC/WS/HTTP for VLESS/Vmess and trojan.
    # skip-cert-verify: true
    # servername: example.com # priority over wss host
@@ -560,7 +606,10 @@ proxies: # socks5
    cipher: auto
    network: h2
    tls: true
-    # fingerprint: xxxx
+    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
    h2-opts:
      host:
        - http.example.com
@@ -595,7 +644,10 @@ proxies: # socks5
    cipher: auto
    network: grpc
    tls: true
-    # fingerprint: xxxx
+    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
    servername: example.com
    # skip-cert-verify: true
    grpc-opts:
@@ -610,9 +662,11 @@ proxies: # socks5
    uuid: uuid
    network: tcp
    servername: example.com # AKA SNI
    # flow: xtls-rprx-direct # xtls-rprx-origin  # enable XTLS
    # skip-cert-verify: true
-    # fingerprint: xxxx
+    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
    # ech-opts:
    #   enable: true # 必须手动开启
@@ -629,9 +683,33 @@ proxies: # socks5
    udp: true
    flow: xtls-rprx-vision
    client-fingerprint: chrome
-    # fingerprint: xxxx
+    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # skip-cert-verify: true
  - name: "vless-encryption"
    type: vless
    server: server
    port: 443
    uuid: uuid
    network: tcp
    # -------------------------
    # vless encryption客户端配置：
    # （native/xorpub 的 XTLS Vision 可以 Splice。只使用 1-RTT 模式 / 若服务端发的 ticket 中秒数不为零则 0-RTT 复用）
    # / 是只能选一个，后面 base64 至少一个，无限串联，使用  mihomo generate vless-x25519 和 mihomo generate vless-mlkem768 生成，替换值时需去掉括号
    #
    # Padding 是可选的参数，仅作用于 1-RTT 以消除握手的长度特征，双端默认值均为 "100-111-1111.75-0-111.50-0-3333"：
    # 在 1-RTT client/server hello 后以 100% 的概率粘上随机 111 到 1111 字节的 padding
    # 以 75% 的概率等待随机 0 到 111 毫秒（"probability-from-to"）
    # 再次以 50% 的概率发送随机 0 到 3333 字节的 padding（若为 0 则不 Write()）
    # 服务端、客户端可以设置不同的 padding 参数，按 len、gap 的顺序无限串联，第一个 padding 需概率 100%、至少 35 字节
    # -------------------------
    encryption: "mlkem768x25519plus.native/xorpub/random.1rtt/0rtt.(padding len).(padding gap).(X25519 Password).(ML-KEM-768 Client)..."
    tls: false #可以不开启tls
    udp: true
  - name: "vless-reality-vision"
    type: vless
    server: server
@@ -678,7 +756,10 @@ proxies: # socks5
    # client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
    servername: example.com # priority over wss host
    # skip-cert-verify: true
-    # fingerprint: xxxx
+    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
    ws-opts:
      path: "/"
      headers:
@@ -693,7 +774,10 @@ proxies: # socks5
    port: 443
    password: yourpsk
    # client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
-    # fingerprint: xxxx
+    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # udp: true
    # sni: example.com # aka server name
    # alpn:
@@ -717,7 +801,10 @@ proxies: # socks5
    network: grpc
    sni: example.com
    # skip-cert-verify: true
-    # fingerprint: xxxx
+    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
    udp: true
    grpc-opts:
      grpc-service-name: "example"
@@ -730,7 +817,10 @@ proxies: # socks5
    network: ws
    sni: example.com
    # skip-cert-verify: true
-    # fingerprint: xxxx
+    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
    udp: true
    # ws-opts:
    #   path: /path
@@ -749,7 +839,10 @@ proxies: # socks5
    # udp: true
    # sni: example.com # aka server name
    # skip-cert-verify: true
-    # fingerprint: xxxx
+    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
  #hysteria
  - name: "hysteria"
@@ -772,10 +865,11 @@ proxies: # socks5
    # skip-cert-verify: false
    # recv-window-conn: 12582912
    # recv-window: 52428800
    # ca: "./my.ca"
    # ca-str: "xyz"
    # disable-mtu-discovery: false
-    # fingerprint: xxxx
+    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # fast-open: true # 支持 TCP 快速打开，默认为 false
  #hysteria2
@@ -797,11 +891,12 @@ proxies: # socks5
    #   # 如果config为空则通过dns解析，不为空则通过该值指定，格式为经过base64编码的ech参数（dig +short TYPE65 tls-ech.dev）
    #   config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
    # skip-cert-verify: false
-    # fingerprint: xxxx
+    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # 下面两项如果填写则开启 mTLS（需要同时填写）
    # certificate: ./client.crt # 证书 PEM 格式，或者 证书的路径
    # private-key: ./client.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # alpn:
    #   - h3
    # ca: "./my.ca"
    # ca-str: "xyz"
    ###quic-go特殊配置项，不要随意修改除非你知道你在干什么###
    # initial-stream-receive-window： 8388608
    # max-stream-receive-window： 8388608
@@ -842,10 +937,25 @@ proxies: # socks5
    #   jmax: 501
    #   s1: 30
    #   s2: 40
-    #   h1: 123456
+    #   s3: 50                                            # AmneziaWG v1.5 and v2
-    #   h2: 67543
+    #   s4: 5                                             # AmneziaWG v1.5 and v2
-    #   h4: 32345
+    #   h1: 123456                                        # AmneziaWG v1.0 and v1.5
-    #   h3: 123123
+    #   h2: 67543                                         # AmneziaWG v1.0 and v1.5
    #   h3: 123123                                        # AmneziaWG v1.0 and v1.5
    #   h4: 32345                                         # AmneziaWG v1.0 and v1.5
    #   h1: 123456-123500                                 # AmneziaWG v2.0 only
    #   h2: 67543-67550                                   # AmneziaWG v2.0 only
    #   h3: 123123-123200                                 # AmneziaWG v2.0 only
    #   h4: 32345-32350                                   # AmneziaWG v2.0 only
    #   i1: <b 0xf6ab3267fa><c><b 0xf6ab><t><r 10><wt 10> # AmneziaWG v1.5 and v2
    #   i2: <b 0xf6ab3267fa><r 100>                       # AmneziaWG v1.5 and v2
    #   i3: ""                                            # AmneziaWG v1.5 and v2
    #   i4: ""                                            # AmneziaWG v1.5 and v2
    #   i5: ""                                            # AmneziaWG v1.5 and v2
    #   j1: <b 0xffffffff><c><b 0xf6ab><t><r 10>          # AmneziaWG v1.5 only (removed in v2)
    #   j2: <c><b 0xf6ab><t><wt 1000>                     # AmneziaWG v1.5 only (removed in v2)
    #   j3: <t><b 0xf6ab><c><r 10>                        # AmneziaWG v1.5 only (removed in v2)
    #   itime: 60                                         # AmneziaWG v1.5 only (removed in v2)
  # tuic
  - name: tuic
@@ -914,14 +1024,16 @@ proxies: # socks5
  - name: mieru
    type: mieru
    server: 1.2.3.4
-    port: 2999
+    port: 2999 # 支持使用 ports 格式，例如 2999,3999 或 2999-3010,3950,3995-3999
-    # port-range: 2090-2099 #（不可同时填写 port 和 port-range）
+    # port-range: 2090-2099 # 已废弃，请使用 port
    transport: TCP # 只支持 TCP
    udp: true # 支持 UDP over TCP
    username: user
    password: password
    # 可以使用的值包括 MULTIPLEXING_OFF, MULTIPLEXING_LOW, MULTIPLEXING_MIDDLE, MULTIPLEXING_HIGH。其中 MULTIPLEXING_OFF 会关闭多路复用功能。默认值为 MULTIPLEXING_LOW。
    # multiplexing: MULTIPLEXING_LOW
    # 如果想开启 0-RTT 握手，请设置为 HANDSHAKE_NO_WAIT，否则请设置为 HANDSHAKE_STANDARD。默认值为 HANDSHAKE_STANDARD
    # handshake-mode: HANDSHAKE_STANDARD
  # anytls
  - name: anytls
@@ -1119,6 +1231,7 @@ rules:
  - DOMAIN-REGEX,^abc,DIRECT
  - DOMAIN-SUFFIX,baidu.com,DIRECT
  - DOMAIN-KEYWORD,google,ss1
  - DOMAIN-WILDCARD,test.*.mihomo.com,ss1
  - IP-CIDR,1.1.1.1/32,ss1
  - IP-CIDR6,2409::/64,DIRECT
  # 当满足条件是 TCP 或 UDP 流量时，使用名为 sub-rule-name1 的规则集
@@ -1162,8 +1275,11 @@ listeners:
    #   - username: aaa
    #     password: aaa
    # 下面两项如果填写则开启 tls（需要同时填写）
-    # certificate: ./server.crt
+    # certificate: ./server.crt # 证书 PEM 格式，或者 证书的路径
-    # private-key: ./server.key
+    # private-key: ./server.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # 下面两项为mTLS配置项，如果client-auth-type设置为 "verify-if-given" 或 "require-and-verify" 则client-auth-cert必须不为空
    # client-auth-type: "" # 可选值：""、"request"、"require-any"、"verify-if-given"、"require-and-verify"
    # client-auth-cert: string # 证书 PEM 格式，或者 证书的路径
    # 如果填写则开启ech（可由 mihomo generate ech-keypair <明文域名> 生成）
    # ech-key: |
    #   -----BEGIN ECH KEYS-----
@@ -1182,8 +1298,11 @@ listeners:
    #   - username: aaa
    #     password: aaa
    # 下面两项如果填写则开启 tls（需要同时填写）
-    # certificate: ./server.crt
+    # certificate: ./server.crt # 证书 PEM 格式，或者 证书的路径
-    # private-key: ./server.key
+    # private-key: ./server.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # 下面两项为mTLS配置项，如果client-auth-type设置为 "verify-if-given" 或 "require-and-verify" 则client-auth-cert必须不为空
    # client-auth-type: "" # 可选值：""、"request"、"require-any"、"verify-if-given"、"require-and-verify"
    # client-auth-cert: string # 证书 PEM 格式，或者 证书的路径
    # 如果填写则开启ech（可由 mihomo generate ech-keypair <明文域名> 生成）
    # ech-key: |
    #   -----BEGIN ECH KEYS-----
@@ -1203,8 +1322,11 @@ listeners:
    #   - username: aaa
    #     password: aaa
    # 下面两项如果填写则开启 tls（需要同时填写）
-    # certificate: ./server.crt
+    # certificate: ./server.crt # 证书 PEM 格式，或者 证书的路径
-    # private-key: ./server.key
+    # private-key: ./server.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # 下面两项为mTLS配置项，如果client-auth-type设置为 "verify-if-given" 或 "require-and-verify" 则client-auth-cert必须不为空
    # client-auth-type: "" # 可选值：""、"request"、"require-any"、"verify-if-given"、"require-and-verify"
    # client-auth-cert: string # 证书 PEM 格式，或者 证书的路径
    # 如果填写则开启ech（可由 mihomo generate ech-keypair <明文域名> 生成）
    # ech-key: |
    #   -----BEGIN ECH KEYS-----
@@ -1245,6 +1367,30 @@ listeners:
    #       password: password
    #   handshake:
    #     dest: test.com:443
    # kcp-tun:
    #   enable: false
    #   key: it's a secrect # pre-shared secret between client and server
    #   crypt: aes # aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, sm4, none, null
    #   mode: fast # profiles: fast3, fast2, fast, normal, manual
    #   conn: 1 # set num of UDP connections to server
    #   autoexpire: 0 # set auto expiration time(in seconds) for a single UDP connection, 0 to disable
    #   scavengettl: 600 # set how long an expired connection can live (in seconds)
    #   mtu: 1350 # set maximum transmission unit for UDP packets
    #   sndwnd: 128 # set send window size(num of packets)
    #   rcvwnd: 512 # set receive window size(num of packets)
    #   datashard: 10 # set reed-solomon erasure coding - datashard
    #   parityshard: 3 # set reed-solomon erasure coding - parityshard
    #   dscp: 0 # set DSCP(6bit)
    #   nocomp: false # disable compression
    #   acknodelay: false # flush ack immediately when a packet is received
    #   nodelay: 0
    #   interval: 50
    #   resend: false
    #   sockbuf: 4194304 # per-socket buffer in bytes
    #   smuxver: 1 # specify smux version, available 1,2
    #   smuxbuf: 4194304 # the overall de-mux buffer in bytes
    #   streambuf: 2097152 # per stream receive buffer in bytes, smux v2+
    #   keepalive: 10 # seconds between heartbeats
  - name: vmess-in-1
    type: vmess
@@ -1259,8 +1405,11 @@ listeners:
    # ws-path: "/" # 如果不为空则开启 websocket 传输层
    # grpc-service-name: "GunService" # 如果不为空则开启 grpc 传输层
    # 下面两项如果填写则开启 tls（需要同时填写）
-    # certificate: ./server.crt
+    # certificate: ./server.crt # 证书 PEM 格式，或者 证书的路径
-    # private-key: ./server.key
+    # private-key: ./server.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # 下面两项为mTLS配置项，如果client-auth-type设置为 "verify-if-given" 或 "require-and-verify" 则client-auth-cert必须不为空
    # client-auth-type: "" # 可选值：""、"request"、"require-any"、"verify-if-given"、"require-and-verify"
    # client-auth-cert: string # 证书 PEM 格式，或者 证书的路径
    # 如果填写则开启ech（可由 mihomo generate ech-keypair <明文域名> 生成）
    # ech-key: |
    #   -----BEGIN ECH KEYS-----
@@ -1298,8 +1447,11 @@ listeners:
    # users:    # tuicV5 填写（可以同时填写 token）
    #   00000000-0000-0000-0000-000000000000: PASSWORD_0
    #   00000000-0000-0000-0000-000000000001: PASSWORD_1
-    #  certificate: ./server.crt
+    #  certificate: ./server.crt # 证书 PEM 格式，或者 证书的路径
-    #  private-key: ./server.key
+    #  private-key: ./server.key # 证书对应的私钥 PEM 格式，或者私钥路径
    #  下面两项为mTLS配置项，如果client-auth-type设置为 "verify-if-given" 或 "require-and-verify" 则client-auth-cert必须不为空
    #  client-auth-type: "" # 可选值：""、"request"、"require-any"、"verify-if-given"、"require-and-verify"
    #  client-auth-cert: string # 证书 PEM 格式，或者 证书的路径
    #  如果填写则开启ech（可由 mihomo generate ech-keypair <明文域名> 生成）
    #  ech-key: |
    #    -----BEGIN ECH KEYS-----
@@ -1335,9 +1487,25 @@ listeners:
        flow: xtls-rprx-vision
    # ws-path: "/" # 如果不为空则开启 websocket 传输层
    # grpc-service-name: "GunService" # 如果不为空则开启 grpc 传输层
    # -------------------------
    # vless encryption服务端配置：
    # （原生外观 / 只 XOR 公钥 / 全随机数。1-RTT 每次下发随机 300 到 600 秒的 ticket 以便 0-RTT 复用 / 只允许 1-RTT）
    # 填写 "600s" 会每次随机取 50% 到 100%，即相当于填写 "300-600s"
    # / 是只能选一个，后面 base64 至少一个，无限串联，使用 mihomo generate vless-x25519 和 mihomo generate vless-mlkem768 生成，替换值时需去掉括号
    #
    # Padding 是可选的参数，仅作用于 1-RTT 以消除握手的长度特征，双端默认值均为 "100-111-1111.75-0-111.50-0-3333"：
    # 在 1-RTT client/server hello 后以 100% 的概率粘上随机 111 到 1111 字节的 padding
    # 以 75% 的概率等待随机 0 到 111 毫秒（"probability-from-to"）
    # 再次以 50% 的概率发送随机 0 到 3333 字节的 padding（若为 0 则不 Write()）
    # 服务端、客户端可以设置不同的 padding 参数，按 len、gap 的顺序无限串联，第一个 padding 需概率 100%、至少 35 字节
    # -------------------------
    # decryption: "mlkem768x25519plus.native/xorpub/random.600s(300-600s)/0s.(padding len).(padding gap).(X25519 PrivateKey).(ML-KEM-768 Seed)..."
    # 下面两项如果填写则开启 tls（需要同时填写）
-    # certificate: ./server.crt
+    # certificate: ./server.crt # 证书 PEM 格式，或者 证书的路径
-    # private-key: ./server.key
+    # private-key: ./server.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # 下面两项为mTLS配置项，如果client-auth-type设置为 "verify-if-given" 或 "require-and-verify" 则client-auth-cert必须不为空
    # client-auth-type: "" # 可选值：""、"request"、"require-any"、"verify-if-given"、"require-and-verify"
    # client-auth-cert: string # 证书 PEM 格式，或者 证书的路径
    # 如果填写则开启ech（可由 mihomo generate ech-keypair <明文域名> 生成）
    # ech-key: |
    #   -----BEGIN ECH KEYS-----
@@ -1363,7 +1531,7 @@ listeners:
        after-bytes: 0 # 传输指定字节后开始限速
        bytes-per-sec: 0 # 基准速率（字节/秒）
        burst-bytes-per-sec: 0 # 突发速率（字节/秒），大于 bytesPerSec 时生效
-    ### 注意，对于vless listener, 至少需要填写 “certificate和private-key” 或 “reality-config” 的其中一项 ###
+    ### 注意，对于vless listener, 至少需要填写 “certificate和private-key” 或 “reality-config” 或 “decryption” 的其中一项 ###
  - name: anytls-in-1
    type: anytls
@@ -1373,8 +1541,11 @@ listeners:
      username1: password1
      username2: password2
    # "certificate" and "private-key" are required
-    certificate: ./server.crt
+    certificate: ./server.crt # 证书 PEM 格式，或者 证书的路径
    private-key: ./server.key
    # 下面两项为mTLS配置项，如果client-auth-type设置为 "verify-if-given" 或 "require-and-verify" 则client-auth-cert必须不为空
    # client-auth-type: "" # 可选值：""、"request"、"require-any"、"verify-if-given"、"require-and-verify"
    # client-auth-cert: string # 证书 PEM 格式，或者 证书的路径
    # 如果填写则开启ech（可由 mihomo generate ech-keypair <明文域名> 生成）
    # ech-key: |
    #   -----BEGIN ECH KEYS-----
@@ -1396,8 +1567,11 @@ listeners:
    # ws-path: "/" # 如果不为空则开启 websocket 传输层
    # grpc-service-name: "GunService" # 如果不为空则开启 grpc 传输层
    # 下面两项如果填写则开启 tls（需要同时填写）
-    certificate: ./server.crt
+    certificate: ./server.crt # 证书 PEM 格式，或者 证书的路径
-    private-key: ./server.key
+    private-key: ./server.key # 证书对应的私钥 PEM 格式，或者私钥路径
    # 下面两项为mTLS配置项，如果client-auth-type设置为 "verify-if-given" 或 "require-and-verify" 则client-auth-cert必须不为空
    # client-auth-type: "" # 可选值：""、"request"、"require-any"、"verify-if-given"、"require-and-verify"
    # client-auth-cert: string # 证书 PEM 格式，或者 证书的路径
    # 如果填写则开启ech（可由 mihomo generate ech-keypair <明文域名> 生成）
    # ech-key: |
    #   -----BEGIN ECH KEYS-----
@@ -1438,8 +1612,11 @@ listeners:
    users:
      00000000-0000-0000-0000-000000000000: PASSWORD_0
      00000000-0000-0000-0000-000000000001: PASSWORD_1
-    #  certificate: ./server.crt
+    #  certificate: ./server.crt # 证书 PEM 格式，或者 证书的路径
-    #  private-key: ./server.key
+    #  private-key: ./server.key # 证书对应的私钥 PEM 格式，或者私钥路径
    #  下面两项为mTLS配置项，如果client-auth-type设置为 "verify-if-given" 或 "require-and-verify" 则client-auth-cert必须不为空
    #  client-auth-type: "" # 可选值：""、"request"、"require-any"、"verify-if-given"、"require-and-verify"
    #  client-auth-cert: string # 证书 PEM 格式，或者 证书的路径
    #  如果填写则开启ech（可由 mihomo generate ech-keypair <明文域名> 生成）
    #  ech-key: |
    #    -----BEGIN ECH KEYS-----
@@ -1461,6 +1638,7 @@ listeners:
    #  masquerade: http://127.0.0.1:8080	#作为反向代理
    #  masquerade: https://127.0.0.1:8080	#作为反向代理
  # 注意，listeners中的tun仅提供给高级用户使用，普通用户应使用顶层配置中的tun
  - name: tun-in-1
    type: tun
    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
@@ -1502,6 +1680,7 @@ listeners:
    # - com.android.chrome
    # exclude-package: # 排除被路由的 Android 应用包名
    # - com.android.captiveportallogin
    # disable-icmp-forwarding: true # 禁用 ICMP 转发，防止某些情况下的 ICMP 环回问题，ping 将不会显示真实的延迟
 # 入口配置与 Listener 等价，传入流量将和 socks,mixed 等入口一样按照 mode 所指定的方式进行匹配处理
 # shadowsocks,vmess 入口配置（传入流量将和 socks,mixed 等入口一样按照 mode 所指定的方式进行匹配处理）
 # ss-config: ss://2022-blake3-aes-256-gcm:vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=@:23456
--- a/go.mod
+++ b/go.mod
@@ -3,52 +3,52 @@ module github.com/metacubex/mihomo
 go 1.20
 require (
 	github.com/3andne/restls-client-go v0.1.6
 	github.com/bahlo/generic-list-go v0.2.0
 	github.com/coreos/go-iptables v0.8.0
 	github.com/dlclark/regexp2 v1.11.5
-	github.com/enfein/mieru/v3 v3.13.0
+	github.com/ebitengine/purego v0.9.0
-	github.com/go-chi/chi/v5 v5.2.1
+	github.com/enfein/mieru/v3 v3.20.0
 	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/render v1.0.3
 	github.com/gobwas/ws v1.4.0
 	github.com/gofrs/uuid/v5 v5.3.2
 	github.com/golang/snappy v1.0.0
 	github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905
 	github.com/klauspost/compress v1.17.9 // lastest version compatible with golang1.20
 	github.com/klauspost/cpuid/v2 v2.2.9 // lastest version compatible with golang1.20
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
 	github.com/mdlayher/netlink v1.7.2
-	github.com/metacubex/amneziawg-go v0.0.0-20240922133038-fdf3a4d5a4ab
+	github.com/metacubex/amneziawg-go v0.0.0-20250902133113-a7f637c14281
-	github.com/metacubex/bart v0.20.5
+	github.com/metacubex/bart v0.24.0
-	github.com/metacubex/bbolt v0.0.0-20240822011022-aed6d4850399
+	github.com/metacubex/bbolt v0.0.0-20250725135710-010dbbbb7a5b
 	github.com/metacubex/blake3 v0.1.0
 	github.com/metacubex/chacha v0.1.5
 	github.com/metacubex/fswatch v0.1.1
 	github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759
-	github.com/metacubex/quic-go v0.52.1-0.20250522021943-aef454b9e639
+	github.com/metacubex/kcp-go v0.0.0-20250923001605-1ba6f691c45b
 	github.com/metacubex/quic-go v0.54.1-0.20250730114134-a1ae705fe295
 	github.com/metacubex/randv2 v0.2.0
-	github.com/metacubex/sing v0.5.4-0.20250605054047-54dc6097da29
+	github.com/metacubex/restls-client-go v0.1.7
-	github.com/metacubex/sing-mux v0.3.2
+	github.com/metacubex/sing v0.5.6
-	github.com/metacubex/sing-quic v0.0.0-20250523120938-f1a248e5ec7f
+	github.com/metacubex/sing-mux v0.3.4
-	github.com/metacubex/sing-shadowsocks v0.2.11-0.20250621023810-0e9ef9dd0c92
+	github.com/metacubex/sing-quic v0.0.0-20250909002258-06122df8f231
-	github.com/metacubex/sing-shadowsocks2 v0.2.5-0.20250621023950-93d605a2143d
+	github.com/metacubex/sing-shadowsocks v0.2.12
 	github.com/metacubex/sing-shadowsocks2 v0.2.7
 	github.com/metacubex/sing-shadowtls v0.0.0-20250503063515-5d9f966d17a2
-	github.com/metacubex/sing-tun v0.4.7-0.20250611091011-60774779fdd8
+	github.com/metacubex/sing-tun v0.4.8
-	github.com/metacubex/sing-vmess v0.2.2
+	github.com/metacubex/sing-vmess v0.2.4
 	github.com/metacubex/sing-wireguard v0.0.0-20250503063753-2dc62acc626f
-	github.com/metacubex/smux v0.0.0-20250503055512-501391591dee
+	github.com/metacubex/smux v0.0.0-20250922175018-15c9a6a78719
-	github.com/metacubex/tfo-go v0.0.0-20250516165257-e29c16ae41d4
+	github.com/metacubex/tfo-go v0.0.0-20250921095601-b102db4216c0
-	github.com/metacubex/utls v1.7.4-0.20250610022031-808d767c8c73
+	github.com/metacubex/utls v1.8.1
-	github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181
+	github.com/metacubex/wireguard-go v0.0.0-20250820062549-a6cecdd7f57f
 	github.com/miekg/dns v1.1.63 // lastest version compatible with golang1.20
 	github.com/mroth/weightedrand/v2 v2.1.0
 	github.com/openacid/low v0.1.21
 	github.com/oschwald/maxminddb-golang v1.12.0 // lastest version compatible with golang1.20
 	github.com/puzpuzpuz/xsync/v3 v3.5.1
 	github.com/sagernet/cors v1.2.1
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a
-	github.com/samber/lo v1.50.0
+	github.com/samber/lo v1.51.0
 	github.com/shirou/gopsutil/v4 v4.25.1 // lastest version compatible with golang1.20
 	github.com/sirupsen/logrus v1.9.3
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	github.com/vmihailenco/msgpack/v5 v5.4.1
 	github.com/wk8/go-ordered-map/v2 v2.1.8
 	gitlab.com/go-extension/aes-ccm v0.0.0-20230221065045-e58665ef23c7
@@ -61,7 +61,6 @@ require (
 	golang.org/x/sys v0.30.0 // lastest version compatible with golang1.20
 	google.golang.org/protobuf v1.34.2 // lastest version compatible with golang1.20
 	gopkg.in/yaml.v3 v3.0.1
 	lukechampine.com/blake3 v1.3.0 // lastest version compatible with golang1.20
 )
 require (
@@ -70,9 +69,7 @@ require (
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.6 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/ebitengine/purego v0.8.3 // indirect
 	github.com/ericlagergren/aegis v0.0.0-20250325060835-cd0defd64358 // indirect
 	github.com/ericlagergren/polyval v0.0.0-20220411101811-e25bc10ba391 // indirect
 	github.com/ericlagergren/siv v0.0.0-20220507050439-0b757b3aa5f1 // indirect
@@ -86,28 +83,27 @@ require (
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/josharian/native v1.1.0 // indirect
-	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
 	github.com/klauspost/reedsolomon v1.12.3 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mdlayher/socket v0.4.1 // indirect
-	github.com/metacubex/gvisor v0.0.0-20250324165734-5857f47bd43b // indirect
+	github.com/metacubex/ascon v0.1.0 // indirect
 	github.com/metacubex/gvisor v0.0.0-20250919004547-6122b699a301 // indirect
 	github.com/metacubex/nftables v0.0.0-20250503052935-30a69ab87793 // indirect
 	github.com/metacubex/yamux v0.0.0-20250918083631-dd5f17c0be49 // indirect
 	github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
 	github.com/pierrec/lz4/v4 v4.1.14 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/sina-ghaderi/poly1305 v0.0.0-20220724002748-c5926b03988b // indirect
 	github.com/sina-ghaderi/rabaead v0.0.0-20220730151906-ab6e06b96e8c // indirect
 	github.com/sina-ghaderi/rabbitio v0.0.0-20220730151941-9ce26f4f872e // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec // indirect
 	go.uber.org/mock v0.4.0 // indirect
 	golang.org/x/mod v0.20.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,3 @@
 github.com/3andne/restls-client-go v0.1.6 h1:tRx/YilqW7iHpgmEL4E1D8dAsuB0tFF3uvncS+B6I08=
 github.com/3andne/restls-client-go v0.1.6/go.mod h1:iEdTZNt9kzPIxjIGSMScUFSBrUH6bFRNg0BWlP4orEY=
 github.com/RyuaNerin/go-krypto v1.3.0 h1:smavTzSMAx8iuVlGb4pEwl9MD2qicqMzuXR2QWp2/Pg=
 github.com/RyuaNerin/go-krypto v1.3.0/go.mod h1:9R9TU936laAIqAmjcHo/LsaXYOZlymudOAxjaBf62UM=
 github.com/RyuaNerin/testingutil v0.1.0 h1:IYT6JL57RV3U2ml3dLHZsVtPOP6yNK7WUVdzzlpNrss=
@@ -17,19 +15,18 @@ github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx2
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/coreos/go-iptables v0.8.0 h1:MPc2P89IhuVpLI7ETL/2tx3XZ61VeICZjYqDEgNsPRc=
 github.com/coreos/go-iptables v0.8.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
 github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/ebitengine/purego v0.8.3 h1:K+0AjQp63JEZTEMZiwsI9g0+hAMNohwUOtY0RPGexmc=
+github.com/ebitengine/purego v0.9.0 h1:mh0zpKBIXDceC63hpvPuGLiJ8ZAa3DfrFTudmfi8A4k=
-github.com/ebitengine/purego v0.8.3/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/ebitengine/purego v0.9.0/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
-github.com/enfein/mieru/v3 v3.13.0 h1:eGyxLGkb+lut9ebmx+BGwLJ5UMbEc/wGIYO0AXEKy98=
+github.com/enfein/mieru/v3 v3.20.0 h1:1ob7pCIVSH5FYFAfYvim8isLW1vBOS4cFOUF9exJS38=
-github.com/enfein/mieru/v3 v3.13.0/go.mod h1:zJBUCsi5rxyvHM8fjFf+GLaEl4OEjjBXr1s5F6Qd3hM=
+github.com/enfein/mieru/v3 v3.20.0/go.mod h1:zJBUCsi5rxyvHM8fjFf+GLaEl4OEjjBXr1s5F6Qd3hM=
 github.com/ericlagergren/aegis v0.0.0-20250325060835-cd0defd64358 h1:kXYqH/sL8dS/FdoFjr12ePjnLPorPo2FsnrHNuXSDyo=
 github.com/ericlagergren/aegis v0.0.0-20250325060835-cd0defd64358/go.mod h1:hkIFzoiIPZYxdFOOLyDho59b7SrDfo+w3h+yWdlg45I=
 github.com/ericlagergren/polyval v0.0.0-20220411101811-e25bc10ba391 h1:8j2RH289RJplhA6WfdaPqzg1MjH2K8wX5e0uhAxrw2g=
@@ -43,12 +40,11 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gaukas/godicttls v0.0.4 h1:NlRaXb3J6hAnTmWdsEKb9bcSBD6BvcIjdGdeb0zfXbk=
 github.com/gaukas/godicttls v0.0.4/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI=
-github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
+github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
-github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
@@ -63,16 +59,15 @@ github.com/gofrs/uuid/v5 v5.3.2 h1:2jfO8j3XgSwlz/wHqemAEugfnTlikAYHhnqQ8Xh4fE0=
 github.com/gofrs/uuid/v5 v5.3.2/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs=
 github.com/golang/snappy v1.0.0/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/tink/go v1.6.1 h1:t7JHqO8Ath2w2ig5vjwQYJzhGEZymedQc90lQXUBa4I=
 github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
 github.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6FT1wIns=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905 h1:q3OEI9RaN/wwcx+qgGo6ZaoJkCiDYe/gjDLfq7lQQF4=
 github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905/go.mod h1:VvGYjkZoJyKqlmT1yzakUs4mfKMNB0XdODP0+rdml6k=
@@ -82,75 +77,80 @@ github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtL
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
 github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
-github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
+github.com/klauspost/cpuid/v2 v2.2.6 h1:ndNyv040zDGIDh8thGkXYjnFtiN02M1PVVF+JE/48xc=
-github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
+github.com/klauspost/cpuid/v2 v2.2.6/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/klauspost/reedsolomon v1.12.3 h1:tzUznbfc3OFwJaTebv/QdhnFf2Xvb7gZ24XaHLBPmdc=
 github.com/klauspost/reedsolomon v1.12.3/go.mod h1:3K5rXwABAvzGeR01r6pWZieUALXO/Tq7bFKGIb4m4WI=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
 github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 h1:EnfXoSqDfSNJv0VBNqY/88RNnhSGYkrHaO0mmFGbVsc=
 github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40/go.mod h1:vy1vK6wD6j7xX6O6hXe621WabdtNkou2h7uRtTfRMyg=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
 github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
 github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
-github.com/metacubex/amneziawg-go v0.0.0-20240922133038-fdf3a4d5a4ab h1:Chbw+/31UC14YFNr78pESt5Vowlc62zziw05JCUqoL4=
+github.com/metacubex/amneziawg-go v0.0.0-20250902133113-a7f637c14281 h1:09EM0sOLb2kfL0KETGhHujsBLB5iy5U/2yHRHsxf/pI=
-github.com/metacubex/amneziawg-go v0.0.0-20240922133038-fdf3a4d5a4ab/go.mod h1:xVKK8jC5Sd3hfh7WjmCq+HorehIbrBijaUWmcuKjPcI=
+github.com/metacubex/amneziawg-go v0.0.0-20250902133113-a7f637c14281/go.mod h1:MsM/5czONyXMJ3PRr5DbQ4O/BxzAnJWOIcJdLzW6qHY=
-github.com/metacubex/bart v0.20.5 h1:XkgLZ17QxfxkqKdGsojoM2Zu01mmHyyQSFzt2/calTM=
+github.com/metacubex/ascon v0.1.0 h1:6ZWxmXYszT1XXtwkf6nxfFhc/OTtQ9R3Vyj1jN32lGM=
-github.com/metacubex/bart v0.20.5/go.mod h1:DCcyfP4MC+Zy7sLK7XeGuMw+P5K9mIRsYOBgiE8icsI=
+github.com/metacubex/ascon v0.1.0/go.mod h1:eV5oim4cVPPdEL8/EYaTZ0iIKARH9pnhAK/fcT5Kacc=
-github.com/metacubex/bbolt v0.0.0-20240822011022-aed6d4850399 h1:oBowHVKZycNtAFbZ6avaCSZJYeme2Nrj+4RpV2cNJig=
+github.com/metacubex/bart v0.24.0 h1:EyNiPeVOlg0joSHTzi5oentI0j5M89utUq/5dd76pWM=
-github.com/metacubex/bbolt v0.0.0-20240822011022-aed6d4850399/go.mod h1:4xcieuIK+M4bGQmQYZVqEaIYqjS1ahO4kXG7EmDgEro=
+github.com/metacubex/bart v0.24.0/go.mod h1:DCcyfP4MC+Zy7sLK7XeGuMw+P5K9mIRsYOBgiE8icsI=
 github.com/metacubex/bbolt v0.0.0-20250725135710-010dbbbb7a5b h1:j7dadXD8I2KTmMt8jg1JcaP1ANL3JEObJPdANKcSYPY=
 github.com/metacubex/bbolt v0.0.0-20250725135710-010dbbbb7a5b/go.mod h1:+WmP0VJZDkDszvpa83HzfUp6QzARl/IKkMorH4+nODw=
 github.com/metacubex/blake3 v0.1.0 h1:KGnjh/56REO7U+cgZA8dnBhxdP7jByrG7hTP+bu6cqY=
 github.com/metacubex/blake3 v0.1.0/go.mod h1:CCkLdzFrqf7xmxCdhQFvJsRRV2mwOLDoSPg6vUTB9Uk=
 github.com/metacubex/chacha v0.1.5 h1:fKWMb/5c7ZrY8Uoqi79PPFxl+qwR7X/q0OrsAubyX2M=
 github.com/metacubex/chacha v0.1.5/go.mod h1:Djn9bPZxLTXbJFSeyo0/qzEzQI+gUSSzttuzZM75GH8=
 github.com/metacubex/fswatch v0.1.1 h1:jqU7C/v+g0qc2RUFgmAOPoVvfl2BXXUXEumn6oQuxhU=
 github.com/metacubex/fswatch v0.1.1/go.mod h1:czrTT7Zlbz7vWft8RQu9Qqh+JoX+Nnb+UabuyN1YsgI=
 github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 h1:cjd4biTvOzK9ubNCCkQ+ldc4YSH/rILn53l/xGBFHHI=
 github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759/go.mod h1:UHOv2xu+RIgLwpXca7TLrXleEd4oR3sPatW6IF8wU88=
-github.com/metacubex/gvisor v0.0.0-20250324165734-5857f47bd43b h1:RUh4OdVPz/jDrM9MQ2ySuqu2aeBqcA8rtfWUYLZ8RtI=
+github.com/metacubex/gvisor v0.0.0-20250919004547-6122b699a301 h1:N5GExQJqYAH3gOCshpp2u/J3CtNYzMctmlb0xK9wtbQ=
-github.com/metacubex/gvisor v0.0.0-20250324165734-5857f47bd43b/go.mod h1:8LpS0IJW1VmWzUm3ylb0e2SK5QDm5lO/2qwWLZgRpBU=
+github.com/metacubex/gvisor v0.0.0-20250919004547-6122b699a301/go.mod h1:8LpS0IJW1VmWzUm3ylb0e2SK5QDm5lO/2qwWLZgRpBU=
 github.com/metacubex/kcp-go v0.0.0-20250923001605-1ba6f691c45b h1:z7JLKjugnQ1qvDOAD8yMA5C8AlJY3bG+VrrgRntRlUY=
 github.com/metacubex/kcp-go v0.0.0-20250923001605-1ba6f691c45b/go.mod h1:HIJZW4QMhbBqXuqC1ly6Hn0TEYT2SzRw58ns1yGhXTs=
 github.com/metacubex/nftables v0.0.0-20250503052935-30a69ab87793 h1:1Qpuy+sU3DmyX9HwI+CrBT/oLNJngvBorR2RbajJcqo=
 github.com/metacubex/nftables v0.0.0-20250503052935-30a69ab87793/go.mod h1:RjRNb4G52yAgfR+Oe/kp9G4PJJ97Fnj89eY1BFO3YyA=
-github.com/metacubex/quic-go v0.52.1-0.20250522021943-aef454b9e639 h1:L+1brQNzBhCCxWlicwfK1TlceemCRmrDE4HmcVHc29w=
+github.com/metacubex/quic-go v0.54.1-0.20250730114134-a1ae705fe295 h1:8JVlYuE8uSJAvmyCd4TjvDxs57xjb0WxEoaWafK5+qs=
-github.com/metacubex/quic-go v0.52.1-0.20250522021943-aef454b9e639/go.mod h1:Kc6h++Q/zf3AxcUCevJhJwgrskJumv+pZdR8g/E/10k=
+github.com/metacubex/quic-go v0.54.1-0.20250730114134-a1ae705fe295/go.mod h1:1lktQFtCD17FZliVypbrDHwbsFSsmz2xz2TRXydvB5c=
 github.com/metacubex/randv2 v0.2.0 h1:uP38uBvV2SxYfLj53kuvAjbND4RUDfFJjwr4UigMiLs=
 github.com/metacubex/randv2 v0.2.0/go.mod h1:kFi2SzrQ5WuneuoLLCMkABtiBu6VRrMrWFqSPyj2cxY=
 github.com/metacubex/restls-client-go v0.1.7 h1:eCwiXCTQb5WJu9IlgYvDBA1OgrINv58dEe7hcN5H15k=
 github.com/metacubex/restls-client-go v0.1.7/go.mod h1:BN/U52vPw7j8VTSh2vleD/MnmVKCov84mS5VcjVHH4g=
 github.com/metacubex/sing v0.5.2/go.mod h1:ypf0mjwlZm0sKdQSY+yQvmsbWa0hNPtkeqyRMGgoN+w=
-github.com/metacubex/sing v0.5.4-0.20250605054047-54dc6097da29 h1:SD9q025FNTaepuFXFOKDhnGLVu6PQYChBvw2ZYPXeLo=
+github.com/metacubex/sing v0.5.6 h1:mEPDCadsCj3DB8gn+t/EtposlYuALEkExa/LUguw6/c=
-github.com/metacubex/sing v0.5.4-0.20250605054047-54dc6097da29/go.mod h1:ypf0mjwlZm0sKdQSY+yQvmsbWa0hNPtkeqyRMGgoN+w=
+github.com/metacubex/sing v0.5.6/go.mod h1:ypf0mjwlZm0sKdQSY+yQvmsbWa0hNPtkeqyRMGgoN+w=
-github.com/metacubex/sing-mux v0.3.2 h1:nJv52pyRivHcaZJKk2JgxpaVvj1GAXG81scSa9N7ncw=
+github.com/metacubex/sing-mux v0.3.4 h1:tf4r27CIkzaxq9kBlAXQkgMXq2HPp5Mta60Kb4RCZF0=
-github.com/metacubex/sing-mux v0.3.2/go.mod h1:3rt1soewn0O6j89GCLmwAQFsq257u0jf2zQSPhTL3Bw=
+github.com/metacubex/sing-mux v0.3.4/go.mod h1:SEJfAuykNj/ozbPqngEYqyggwSr81+L7Nu09NRD5mh4=
-github.com/metacubex/sing-quic v0.0.0-20250523120938-f1a248e5ec7f h1:mP3vIm+9hRFI0C0Vl3pE0NESF/L85FDbuB0tGgUii6I=
+github.com/metacubex/sing-quic v0.0.0-20250909002258-06122df8f231 h1:dGvo7UahC/gYBQNBoictr14baJzBjAKUAorP63QFFtg=
-github.com/metacubex/sing-quic v0.0.0-20250523120938-f1a248e5ec7f/go.mod h1:JPTpf7fpnojsSuwRJExhSZSy63pVbp3VM39+zj+sAJM=
+github.com/metacubex/sing-quic v0.0.0-20250909002258-06122df8f231/go.mod h1:B60FxaPHjR1SeQB0IiLrgwgvKsaoASfOWdiqhLjmMGA=
-github.com/metacubex/sing-shadowsocks v0.2.11-0.20250621021503-4f85ef9bf4b3 h1:dtiRj7WaCAXp4UhCkmaIiFF6v886qXiuqeIDN4Z//9E=
+github.com/metacubex/sing-shadowsocks v0.2.12 h1:Wqzo8bYXrK5aWqxu/TjlTnYZzAKtKsaFQBdr6IHFaBE=
-github.com/metacubex/sing-shadowsocks v0.2.11-0.20250621021503-4f85ef9bf4b3/go.mod h1:/squZ38pXrYjqtg8qn+joVvwbpGNYQNp8yxKsMVbCto=
+github.com/metacubex/sing-shadowsocks v0.2.12/go.mod h1:2e5EIaw0rxKrm1YTRmiMnDulwbGxH9hAFlrwQLQMQkU=
-github.com/metacubex/sing-shadowsocks v0.2.11-0.20250621023810-0e9ef9dd0c92 h1:Y9ebcKya6ow7VHoESCN5+l4zZvg5eaL2IhI5LLCQxQA=
+github.com/metacubex/sing-shadowsocks2 v0.2.7 h1:hSuuc0YpsfiqYqt1o+fP4m34BQz4e6wVj3PPBVhor3A=
-github.com/metacubex/sing-shadowsocks v0.2.11-0.20250621023810-0e9ef9dd0c92/go.mod h1:/squZ38pXrYjqtg8qn+joVvwbpGNYQNp8yxKsMVbCto=
+github.com/metacubex/sing-shadowsocks2 v0.2.7/go.mod h1:vOEbfKC60txi0ca+yUlqEwOGc3Obl6cnSgx9Gf45KjE=
 github.com/metacubex/sing-shadowsocks2 v0.2.5-0.20250621021638-dcd503063651 h1:vwLj0DDjPYy4AHEZvfRVf8ih52o6wpBnJxXxqa+ztmE=
 github.com/metacubex/sing-shadowsocks2 v0.2.5-0.20250621021638-dcd503063651/go.mod h1:+ukTd0OPFglT3bnKAYTJWYPbuox6HYNXE235r5tHdUk=
 github.com/metacubex/sing-shadowsocks2 v0.2.5-0.20250621023950-93d605a2143d h1:Ey3A1tA8lVkRbK1FDmwuWj/57Nr8JMdpoVqe45mFzJg=
 github.com/metacubex/sing-shadowsocks2 v0.2.5-0.20250621023950-93d605a2143d/go.mod h1:+ukTd0OPFglT3bnKAYTJWYPbuox6HYNXE235r5tHdUk=
 github.com/metacubex/sing-shadowtls v0.0.0-20250503063515-5d9f966d17a2 h1:gXU+MYPm7Wme3/OAY2FFzVq9d9GxPHOqu5AQfg/ddhI=
 github.com/metacubex/sing-shadowtls v0.0.0-20250503063515-5d9f966d17a2/go.mod h1:mbfboaXauKJNIHJYxQRa+NJs4JU9NZfkA+I33dS2+9E=
-github.com/metacubex/sing-tun v0.4.7-0.20250611091011-60774779fdd8 h1:4zWKqxTx75TbfW2EmlQ3hxM6RTRg2PYOAVMCnU4I61I=
+github.com/metacubex/sing-tun v0.4.8 h1:3PyiUKWXYi37yHptXskzL1723O3OUdyt0Aej4XHVikM=
-github.com/metacubex/sing-tun v0.4.7-0.20250611091011-60774779fdd8/go.mod h1:2YywXPWW8Z97kTH7RffOeykKzU+l0aiKlglWV1PAS64=
+github.com/metacubex/sing-tun v0.4.8/go.mod h1:L/TjQY5JEGy8nvsuYmy/XgMFMCPiF0+AWSFCYfS6r9w=
-github.com/metacubex/sing-vmess v0.2.2 h1:nG6GIKF1UOGmlzs+BIetdGHkFZ20YqFVIYp5Htqzp+4=
+github.com/metacubex/sing-vmess v0.2.4 h1:Tx6AGgCiEf400E/xyDuYyafsel6sGbR8oF7RkAaus6I=
-github.com/metacubex/sing-vmess v0.2.2/go.mod h1:CVDNcdSLVYFgTHQlubr88d8CdqupAUDqLjROos+H9xk=
+github.com/metacubex/sing-vmess v0.2.4/go.mod h1:21R5R1u90uUvBQF0owoooEu96/SAYYD56nDrwm6nFaM=
 github.com/metacubex/sing-wireguard v0.0.0-20250503063753-2dc62acc626f h1:Sr/DYKYofKHKc4GF3qkRGNuj6XA6c0eqPgEDN+VAsYU=
 github.com/metacubex/sing-wireguard v0.0.0-20250503063753-2dc62acc626f/go.mod h1:jpAkVLPnCpGSfNyVmj6Cq4YbuZsFepm/Dc+9BAOcR80=
-github.com/metacubex/smux v0.0.0-20250503055512-501391591dee h1:lp6hJ+4wCLZu113awp7P6odM2okB5s60HUyF0FMqKmo=
+github.com/metacubex/smux v0.0.0-20250922175018-15c9a6a78719 h1:T6qCCfolRDAVJKeaPW/mXwNLjnlo65AYN7WS2jrBNaM=
-github.com/metacubex/smux v0.0.0-20250503055512-501391591dee/go.mod h1:4bPD8HWx9jPJ9aE4uadgyN7D1/Wz3KmPy+vale8sKLE=
+github.com/metacubex/smux v0.0.0-20250922175018-15c9a6a78719/go.mod h1:4bPD8HWx9jPJ9aE4uadgyN7D1/Wz3KmPy+vale8sKLE=
-github.com/metacubex/tfo-go v0.0.0-20250516165257-e29c16ae41d4 h1:j1VRTiC9JLR4nUbSikx9OGdu/3AgFDqgcLj4GoqyQkc=
+github.com/metacubex/tfo-go v0.0.0-20250921095601-b102db4216c0 h1:Ui+/2s5Qz0lSnDUBmEL12M5Oi/PzvFxGTNohm8ZcsmE=
-github.com/metacubex/tfo-go v0.0.0-20250516165257-e29c16ae41d4/go.mod h1:l9oLnLoEXyGZ5RVLsh7QCC5XsouTUyKk4F2nLm2DHLw=
+github.com/metacubex/tfo-go v0.0.0-20250921095601-b102db4216c0/go.mod h1:l9oLnLoEXyGZ5RVLsh7QCC5XsouTUyKk4F2nLm2DHLw=
-github.com/metacubex/utls v1.7.4-0.20250610022031-808d767c8c73 h1:HWKsf92BqLYqugATFIJ3hYiEBZ7JF6AoqyvqF39afuI=
+github.com/metacubex/utls v1.8.1 h1:RW8GeCGWAegjV0HW5nw9DoqNoeGAXXeYUP6AysmRvx4=
-github.com/metacubex/utls v1.7.4-0.20250610022031-808d767c8c73/go.mod h1:oknYT0qTOwE4hjPmZOEpzVdefnW7bAdGLvZcqmk4TLU=
+github.com/metacubex/utls v1.8.1/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
-github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181 h1:hJLQviGySBuaynlCwf/oYgIxbVbGRUIKZCxdya9YrbQ=
+github.com/metacubex/wireguard-go v0.0.0-20250820062549-a6cecdd7f57f h1:FGBPRb1zUabhPhDrlKEjQ9lgIwQ6cHL4x8M9lrERhbk=
-github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181/go.mod h1:phewKljNYiTVT31Gcif8RiCKnTUOgVWFJjccqYM8s+Y=
+github.com/metacubex/wireguard-go v0.0.0-20250820062549-a6cecdd7f57f/go.mod h1:oPGcV994OGJedmmxrcK9+ni7jUEMGhR+uVQAdaduIP4=
 github.com/metacubex/yamux v0.0.0-20250918083631-dd5f17c0be49 h1:lhlqpYHopuTLx9xQt22kSA9HtnyTDmk5XjjQVCGHe2E=
 github.com/metacubex/yamux v0.0.0-20250918083631-dd5f17c0be49/go.mod h1:MBeEa9IVBphH7vc3LNtW6ZujVXFizotPo3OEiHQ+TNU=
 github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY=
 github.com/miekg/dns v1.1.63/go.mod h1:6NGHfjhpmr5lt3XPLuyfDJi5AXbNIPM9PY6H6sF1Nfs=
 github.com/mroth/weightedrand/v2 v2.1.0 h1:o1ascnB1CIVzsqlfArQQjeMy1U0NcIbBO5rfd5E/OeU=
 github.com/mroth/weightedrand/v2 v2.1.0/go.mod h1:f2faGsfOGOwc1p94wzHKKZyTpcJUW7OJ/9U4yfiNAOU=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7 h1:1102pQc2SEPp5+xrS26wEaeb26sZy6k9/ZXlZN+eXE4=
 github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7/go.mod h1:UqoUn6cHESlliMhOnKLWr+CBH+e3bazUPvFj1XZwAjs=
 github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
@@ -168,21 +168,15 @@ github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFu
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/puzpuzpuz/xsync/v3 v3.5.1 h1:GJYJZwO6IdxN/IKbneznS6yPkVC+c3zyY/j19c++5Fg=
 github.com/puzpuzpuz/xsync/v3 v3.5.1/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
 github.com/sagernet/cors v1.2.1 h1:Cv5Z8y9YSD6Gm+qSpNrL3LO4lD3eQVvbFYJSG7JCMHQ=
 github.com/sagernet/cors v1.2.1/go.mod h1:O64VyOjjhrkLmQIjF4KGRrJO/5dVXFdpEmCW/eISRAI=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZNjr6sGeT00J8uU7JF4cNUdb44/Duis=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/samber/lo v1.50.0 h1:XrG0xOeHs+4FQ8gJR97zDz5uOFMW7OwFWiFVzqopKgY=
+github.com/samber/lo v1.51.0 h1:kysRYLbHy/MB7kQZf5DSN50JHmMsNEdeY24VzJFu7wI=
-github.com/samber/lo v1.50.0/go.mod h1:RjZyNk6WSnUFRKK6EyOhsRJMqft3G+pg7dCWHQCWvsc=
+github.com/samber/lo v1.51.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
 github.com/shirou/gopsutil/v4 v4.25.1 h1:QSWkTc+fu9LTAWfkZwZ6j8MSUk4A2LV7rbH0ZqmLjXs=
 github.com/shirou/gopsutil/v4 v4.25.1/go.mod h1:RoUCUpndaJFtT+2zsZzzmhvbfGoDCJ7nFXKJf8GqJbI=
 github.com/sina-ghaderi/poly1305 v0.0.0-20220724002748-c5926b03988b h1:rXHg9GrUEtWZhEkrykicdND3VPjlVbYiLdX9J7gimS8=
 github.com/sina-ghaderi/poly1305 v0.0.0-20220724002748-c5926b03988b/go.mod h1:X7qrxNQViEaAN9LNZOPl9PfvQtp3V3c7LTo0dvGi0fM=
 github.com/sina-ghaderi/rabaead v0.0.0-20220730151906-ab6e06b96e8c h1:DjKMC30y6yjG3IxDaeAj3PCoRr+IsO+bzyT+Se2m2Hk=
@@ -202,12 +196,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU=
 github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
 github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk=
 github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
 github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 h1:tHNk7XK9GkmKUR6Gh8gVBKXc2MVSZ4G/NnWLtzw4gNA=
 github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
@@ -221,8 +211,7 @@ github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAh
 github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
 github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
 github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
-github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
+github.com/xtaci/lossyconn v0.0.0-20190602105132-8df528c0c9ae h1:J0GxkO96kL4WF+AIT3M4mfUVinOCPgf2uUWYFUzN0sM=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 gitlab.com/go-extension/aes-ccm v0.0.0-20230221065045-e58665ef23c7 h1:UNrDfkQqiEYzdMlNsVvBYOAJWZjdktqFE9tQh5BT2+4=
 gitlab.com/go-extension/aes-ccm v0.0.0-20230221065045-e58665ef23c7/go.mod h1:E+rxHvJG9H6PUdzq9NRG6csuLN3XUx98BfGOVWNYnXs=
 gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec h1:FpfFs4EhNehiVfzQttTuxanPIT43FtkkCFypIod8LHo=
@@ -254,16 +243,13 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190804053845-51ab0e2deafa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
@@ -277,13 +263,10 @@ golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapK
 golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
 golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 lukechampine.com/blake3 v1.3.0 h1:sJ3XhFINmHSrYCgl958hscfIa3bw8x4DqMP3u1YvoYE=
 lukechampine.com/blake3 v1.3.0/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@@ -231,6 +231,8 @@ func updateNTP(c *config.NTP) {
 			c.DialerProxy,
 			c.WriteToSystem,
 		)
 	} else {
 		ntp.ReCreateNTPService("", 0, "", false)
 	}
 }
@@ -260,6 +262,7 @@ func updateDNS(c *config.DNS, generalIPv6 bool) {
 		DirectServer:         c.DirectNameServer,
 		DirectFollowPolicy:   c.DirectFollowPolicy,
 		CacheAlgorithm:       c.CacheAlgorithm,
 		CacheMaxSize:         c.CacheMaxSize,
 	}
 	r := dns.NewResolver(cfg)
--- a/hub/hub.go
+++ b/hub/hub.go
@@ -50,16 +50,18 @@ func applyRoute(cfg *config.Config) {
 		route.SetUIPath(cfg.Controller.ExternalUI)
 	}
 	route.ReCreateServer(&route.Config{
-		Addr:        cfg.Controller.ExternalController,
+		Addr:           cfg.Controller.ExternalController,
-		TLSAddr:     cfg.Controller.ExternalControllerTLS,
+		TLSAddr:        cfg.Controller.ExternalControllerTLS,
-		UnixAddr:    cfg.Controller.ExternalControllerUnix,
+		UnixAddr:       cfg.Controller.ExternalControllerUnix,
-		PipeAddr:    cfg.Controller.ExternalControllerPipe,
+		PipeAddr:       cfg.Controller.ExternalControllerPipe,
-		Secret:      cfg.Controller.Secret,
+		Secret:         cfg.Controller.Secret,
-		Certificate: cfg.TLS.Certificate,
+		Certificate:    cfg.TLS.Certificate,
-		PrivateKey:  cfg.TLS.PrivateKey,
+		PrivateKey:     cfg.TLS.PrivateKey,
-		EchKey:      cfg.TLS.EchKey,
+		ClientAuthType: cfg.TLS.ClientAuthType,
-		DohServer:   cfg.Controller.ExternalDohServer,
+		ClientAuthCert: cfg.TLS.ClientAuthCert,
-		IsDebug:     cfg.General.LogLevel == log.DEBUG,
+		EchKey:         cfg.TLS.EchKey,
 		DohServer:      cfg.Controller.ExternalDohServer,
 		IsDebug:        cfg.General.LogLevel == log.DEBUG,
 		Cors: route.Cors{
 			AllowOrigins:        cfg.Controller.Cors.AllowOrigins,
 			AllowPrivateNetwork: cfg.Controller.Cors.AllowPrivateNetwork,
--- a/hub/route/cache.go
+++ b/hub/route/cache.go
@@ -12,6 +12,7 @@ import (
 func cacheRouter() http.Handler {
 	r := chi.NewRouter()
 	r.Post("/fakeip/flush", flushFakeIPPool)
 	r.Post("/dns/flush", flushDnsCache)
 	return r
 }
@@ -24,3 +25,8 @@ func flushFakeIPPool(w http.ResponseWriter, r *http.Request) {
 	}
 	render.NoContent(w, r)
 }
 func flushDnsCache(w http.ResponseWriter, r *http.Request) {
 	resolver.ClearCache()
 	render.NoContent(w, r)
 }
--- a/hub/route/configs.go
+++ b/hub/route/configs.go
@@ -7,6 +7,7 @@ import (
 	"github.com/metacubex/mihomo/adapter/inbound"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/process"
 	"github.com/metacubex/mihomo/component/resolver"
 	"github.com/metacubex/mihomo/component/updater"
 	"github.com/metacubex/mihomo/config"
@@ -33,28 +34,29 @@ func configRouter() http.Handler {
 }
 type configSchema struct {
-	Port              *int               `json:"port"`
+	Port              *int                     `json:"port"`
-	SocksPort         *int               `json:"socks-port"`
+	SocksPort         *int                     `json:"socks-port"`
-	RedirPort         *int               `json:"redir-port"`
+	RedirPort         *int                     `json:"redir-port"`
-	TProxyPort        *int               `json:"tproxy-port"`
+	TProxyPort        *int                     `json:"tproxy-port"`
-	MixedPort         *int               `json:"mixed-port"`
+	MixedPort         *int                     `json:"mixed-port"`
-	Tun               *tunSchema         `json:"tun"`
+	Tun               *tunSchema               `json:"tun"`
-	TuicServer        *tuicServerSchema  `json:"tuic-server"`
+	TuicServer        *tuicServerSchema        `json:"tuic-server"`
-	ShadowSocksConfig *string            `json:"ss-config"`
+	ShadowSocksConfig *string                  `json:"ss-config"`
-	VmessConfig       *string            `json:"vmess-config"`
+	VmessConfig       *string                  `json:"vmess-config"`
-	TcptunConfig      *string            `json:"tcptun-config"`
+	TcptunConfig      *string                  `json:"tcptun-config"`
-	UdptunConfig      *string            `json:"udptun-config"`
+	UdptunConfig      *string                  `json:"udptun-config"`
-	AllowLan          *bool              `json:"allow-lan"`
+	AllowLan          *bool                    `json:"allow-lan"`
-	SkipAuthPrefixes  *[]netip.Prefix    `json:"skip-auth-prefixes"`
+	SkipAuthPrefixes  *[]netip.Prefix          `json:"skip-auth-prefixes"`
-	LanAllowedIPs     *[]netip.Prefix    `json:"lan-allowed-ips"`
+	LanAllowedIPs     *[]netip.Prefix          `json:"lan-allowed-ips"`
-	LanDisAllowedIPs  *[]netip.Prefix    `json:"lan-disallowed-ips"`
+	LanDisAllowedIPs  *[]netip.Prefix          `json:"lan-disallowed-ips"`
-	BindAddress       *string            `json:"bind-address"`
+	BindAddress       *string                  `json:"bind-address"`
-	Mode              *tunnel.TunnelMode `json:"mode"`
+	Mode              *tunnel.TunnelMode       `json:"mode"`
-	LogLevel          *log.LogLevel      `json:"log-level"`
+	LogLevel          *log.LogLevel            `json:"log-level"`
-	IPv6              *bool              `json:"ipv6"`
+	IPv6              *bool                    `json:"ipv6"`
-	Sniffing          *bool              `json:"sniffing"`
+	Sniffing          *bool                    `json:"sniffing"`
-	TcpConcurrent     *bool              `json:"tcp-concurrent"`
+	TcpConcurrent     *bool                    `json:"tcp-concurrent"`
-	InterfaceName     *string            `json:"interface-name"`
+	FindProcessMode   *process.FindProcessMode `json:"find-process-mode"`
 	InterfaceName     *string                  `json:"interface-name"`
 }
 type tunSchema struct {
@@ -98,6 +100,10 @@ type tunSchema struct {
 	Inet6RouteAddress        *[]netip.Prefix `yaml:"inet6-route-address" json:"inet6-route-address,omitempty"`
 	Inet4RouteExcludeAddress *[]netip.Prefix `yaml:"inet4-route-exclude-address" json:"inet4-route-exclude-address,omitempty"`
 	Inet6RouteExcludeAddress *[]netip.Prefix `yaml:"inet6-route-exclude-address" json:"inet6-route-exclude-address,omitempty"`
 	// darwin special config
 	RecvMsgX *bool `yaml:"recvmsgx" json:"recvmsgx,omitempty"`
 	SendMsgX *bool `yaml:"sendmsgx" json:"sendmsgx,omitempty"`
 }
 type tuicServerSchema struct {
@@ -241,6 +247,12 @@ func pointerOrDefaultTun(p *tunSchema, def LC.Tun) LC.Tun {
 		if p.FileDescriptor != nil {
 			def.FileDescriptor = *p.FileDescriptor
 		}
 		if p.RecvMsgX != nil {
 			def.RecvMsgX = *p.RecvMsgX
 		}
 		if p.SendMsgX != nil {
 			def.SendMsgX = *p.SendMsgX
 		}
 	}
 	return def
 }
@@ -341,6 +353,10 @@ func patchConfigs(w http.ResponseWriter, r *http.Request) {
 		tunnel.SetMode(*general.Mode)
 	}
 	if general.FindProcessMode != nil {
 		tunnel.SetFindProcessMode(*general.FindProcessMode)
 	}
 	if general.LogLevel != nil {
 		log.SetLevel(*general.LogLevel)
 	}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
wwqgtxx	fdc46f0471	chore: update utls to tag version	2025-09-24 16:05:38 +08:00
wwqgtxx	57b527d54a	chore: simplify GetMemoryInfo in darwin	2025-09-24 02:53:35 +08:00
wwqgtxx	29eaa4d699	chore: add test for memory module	2025-09-24 02:35:04 +08:00
wwqgtxx	92ecdfcc00	fix: data race on darwin	2025-09-24 02:25:26 +08:00
wwqgtxx	0992ee8adf	chore: remove depend of gopsutil	2025-09-24 02:21:47 +08:00
wwqgtxx	0c25831726	chore: replace HasAESGCMHardwareSupport in vless encryption	2025-09-23 23:14:45 +08:00
wwqgtxx	9cc208bd47	fix: reality shouldn't check chacha	2025-09-23 21:57:47 +08:00
wwqgtxx	b57f3052a8	chore: speedup convid generation	2025-09-23 08:33:11 +08:00
wwqgtxx	3a1caf1316	chore: better batchConn handle in kcp-go	2025-09-23 08:23:30 +08:00
enfein	1b1f95aa9c	chore: consolidate mieru port configuration (#2277 ) Allow multiple port numbers and port ranges in "port" configuration. The "port-range" configuration is deprecated but still functional.	2025-09-23 08:19:12 +08:00
wwqgtxx	8a9300d44e	chore: better WriteBuffers support in smux	2025-09-23 01:53:26 +08:00
wwqgtxx	abe6c3bb35	feat: support kcptun plugin for ss client/server	2025-09-23 00:28:38 +08:00
anytls	e28c8e6a51	chore: sync anytls v0.0.11 (#2276 ) Co-authored-by: anytls <anytls>	2025-09-22 17:29:32 +08:00
wwqgtxx	74a86f147b	chore: update dependencies	2025-09-21 18:48:36 +08:00
wwqgtxx	7917f24f42	chore: more check in listeners start	2025-09-20 01:13:55 +08:00
wwqgtxx	0dc5e3051d	feat: add mTLS support for client & server `certificate` and `private-key` for proxies `client-auth-type` and `client-auth-cert` for listeners	2025-09-20 00:41:39 +08:00
wwqgtxx	40b2cde2b2	chore: cleanup dns client code	2025-09-19 21:18:16 +08:00
wwqgtxx	6786705212	feat: remove `ca` and `ca-str` in hy1/hy2/tuic outbound, using `fingerprint` instead	2025-09-19 18:19:36 +08:00
wwqgtxx	00638f30a7	chore: don't test sing-mux over grpc	2025-09-19 14:46:38 +08:00
wwqgtxx	2222d0e3fa	chore: update gvisor	2025-09-19 08:51:52 +08:00
wwqgtxx	f3ebd5c489	chore: clarify function descriptions and variable names	2025-09-19 08:02:25 +08:00
wwqgtxx	74e64d31e3	fix: maybe "invalid cross-device link" in update ui https://github.com/MetaCubeX/mihomo/issues/2270	2025-09-18 18:49:24 +08:00
wwqgtxx	0c556bcaf3	chore: replace hashicorp/yamux to our forked libp2p/go-yamux	2025-09-18 16:48:33 +08:00
wwqgtxx	7e71d21ab4	chore: improve fingerprint verifier handle non-leaf certificate	2025-09-17 11:18:14 +08:00
wwqgtxx	30bead4e2e	fix: ntp not apply to reality client	2025-09-17 10:46:13 +08:00
wwqgtxx	16836ea465	action: fix test	2025-09-16 17:47:42 +08:00
wwqgtxx	d6f1af5372	chore: cleanup queue code	2025-09-16 14:19:42 +08:00
DNEGEL3125	26335f8ecc	test: add unit tests for queue (#2266 ) Add tests covering all queue operations	2025-09-16 14:04:26 +08:00
wwqgtxx	c4449a9f62	fix: ntp not apply to reality server	2025-09-16 10:23:36 +08:00
wwqgtxx	5e17d6fe01	chore: simplify N.Relay	2025-09-16 09:49:41 +08:00
wwqgtxx	8cdfd87d1e	fix: ip4p port not apply in resolveUDPAddr	2025-09-15 08:34:30 +08:00
wwqgtxx	f02766a765	fix: reshaping buffer maybe too long in vision	2025-09-14 12:24:36 +08:00
wwqgtxx	cea29e2615	chore: sync code style	2025-09-13 14:31:30 +08:00
wwqgtxx	a0f1ac4ef5	chore: apply ntp time function more place	2025-09-13 14:21:33 +08:00
wwqgtxx	57e14e5b62	chore: cleanup internal ca using	2025-09-13 14:13:01 +08:00
wwqgtxx	08fc100c85	chore: cleanup ntp code	2025-09-13 11:19:06 +08:00
enfein	571be856ea	feat: support mieru 0-RTT handshake (#2261 )	2025-09-13 10:59:57 +08:00
wwqgtxx	ad69ee84a9	chore: cleanup ntp code	2025-09-13 10:30:14 +08:00
wwqgtxx	dd7b3c28ad	fix: race codes	2025-09-13 10:29:38 +08:00
wwqgtxx	1b99759eaf	fix: ntp time method not passing to ss2022 client	2025-09-12 23:09:46 +08:00
wwqgtxx	a8f7e25851	fix: backticks cannot be used to separate multiple regular expressions in the exclude-filter of proxy-providers https://github.com/MetaCubeX/mihomo/issues/2259	2025-09-12 17:55:22 +08:00
wwqgtxx	909729ca8f	fix: allow use vision on vless encryption over ws	2025-09-11 23:49:14 +08:00
wwqgtxx	6c527f8d20	fix: panic when wintun dll fails to load	2025-09-10 15:02:27 +08:00
wwqgtxx	7061c5a8ea	fix: possible data location errors in vision read	2025-09-10 10:14:21 +08:00
wwqgtxx	23448ec119	fix: incomplete read filter in vision	2025-09-10 02:36:38 +08:00
wwqgtxx	318b3524c3	chore: better handwritten addons parsing	2025-09-09 15:16:57 +08:00
wwqgtxx	1d09ed82f1	chore: simplify resolveUDPAddr	2025-09-09 08:48:09 +08:00
wwqgtxx	b27325eed0	chore: update dependencies	2025-09-09 08:35:50 +08:00
wwqgtxx	0d3d31dc5f	chore: ready for handwritten addons parsing	2025-09-08 21:51:30 +08:00
wwqgtxx	108bf645fa	chore: merge the server-side and client-side vision implementations	2025-09-08 16:29:07 +08:00
wwqgtxx	50e1afd963	chore: cleanup vless code	2025-09-08 15:58:54 +08:00
wwqgtxx	0336d64e52	chore: cleanup vision code	2025-09-08 10:55:09 +08:00
wwqgtxx	02d954bfa8	fix: server mux conn not close	2025-09-08 10:55:09 +08:00
NuoFang	9a124a390f	feat: add `disable-icmp-forwarding` option to tun (#2248 ) When enabled, the TUN listener will use fake ping echo. This can be useful to prevent potential ICMP routing loops in certain network configurations.	2025-09-07 19:40:30 +08:00
nunu6689	fed4b369a3	fix: auto update local file provider (#2245 ) Using `Direct: true` will ignore the changes when the file was modified using replace method. Which is a common method used by ftp software.	2025-09-05 13:07:51 +08:00
wwqgtxx	f8ee5c1e15	chore: sync vless encryption code	2025-09-04 22:09:11 +08:00
wwqgtxx	8eba1c8afd	chore: sync vless encryption code	2025-09-04 21:57:52 +08:00
wwqgtxx	65d3920f02	chore: update dependencies	2025-09-04 15:48:57 +08:00
wwqgtxx	7e9e12cc4c	fix: SyscallVectorisedPacketWriter not handle inet type in address processing	2025-09-03 10:31:44 +08:00
wwqgtxx	80a90f05f3	feat: support AmneziaWG v2.0	2025-09-02 22:15:56 +08:00
wwqgtxx	3b63fef2eb	chore: better defensive programming	2025-09-02 01:15:40 +08:00
wwqgtxx	29872007b3	chore: sync vless encryption code	2025-09-02 01:09:48 +08:00
wwqgtxx	33cde6592e	chore: sync vless encryption code	2025-08-31 19:43:14 +08:00
wwqgtxx	c98f5f44b7	chore: sync vless encryption code	2025-08-31 12:31:13 +08:00
wwqgtxx	d094075c88	doc: update doc	2025-08-31 10:42:09 +08:00
wwqgtxx	4188277b61	fix: tuic server goroutine leak	2025-08-31 10:42:09 +08:00
wwqgtxx	545d9b844d	chore: sync vless encryption code	2025-08-31 10:42:09 +08:00
wwqgtxx	472cefb6d7	fix: snat key in packet listener	2025-08-29 11:28:50 +08:00
wwqgtxx	ccff0035cb	fix: get localAddr error	2025-08-29 11:28:50 +08:00
wwqgtxx	455f2136f1	fix: xudp server source addr losing	2025-08-29 09:23:45 +08:00
wwqgtxx	63781b3a6a	chore: decrease memory using	2025-08-28 23:44:03 +08:00
wwqgtxx	c6e596f33f	chore: full reset buffer after directRead	2025-08-28 23:44:03 +08:00
wwqgtxx	45cb45accb	chore: simplify randBetween	2025-08-28 23:44:03 +08:00
wwqgtxx	5c73025b53	chore: change vless encryption code to our style	2025-08-28 23:44:03 +08:00
wwqgtxx	cdd02a90c3	chore: sync vless encryption code	2025-08-28 08:49:21 +08:00
wwqgtxx	0ced98da4d	feat: support sending ping requests via direct in tun mode	2025-08-27 18:00:25 +08:00
wwqgtxx	84086a6e6c	chore: update dependencies	2025-08-27 17:14:48 +08:00
wwqgtxx	443200a51e	chore: sync vless encryption code	2025-08-25 20:23:09 +08:00
wwqgtxx	aca0d97beb	chore: sync vless encryption code	2025-08-25 11:31:21 +08:00
xishang0128	2605bf78f9	fix: add code signing for macOS executables during file copy	2025-08-25 11:31:21 +08:00
eWloYW8	d2395fb43a	fix: allow disabling ALPN by setting an empty array (#2225 )	2025-08-25 11:31:21 +08:00
wwqgtxx	e3d9a8e2fd	fix: vision on vless encryption	2025-08-25 11:31:21 +08:00
wwqgtxx	1ae050ca3b	chore: sync vless encryption code	2025-08-25 11:31:21 +08:00
wwqgtxx	7f38763e22	chore: update hkdf using	2025-08-23 20:13:11 +08:00
wwqgtxx	2a8831b0d0	chore: sync vless encryption code	2025-08-22 18:45:17 +08:00
wwqgtxx	cdf5e0c73e	chore: rewrite vision client write	2025-08-22 11:28:17 +08:00
wwqgtxx	48f3ea8bc9	fix: buffer handle in vision server read	2025-08-22 11:28:05 +08:00
wwqgtxx	375e160368	fix: data loss in vision server read	2025-08-22 11:27:55 +08:00
wwqgtxx	b31664beeb	chore: sync vless encryption code	2025-08-21 19:42:56 +08:00
wwqgtxx	7960bcae15	chore: code cleanup	2025-08-21 19:37:26 +08:00
wwqgtxx	664ddb8d55	chore: simplifying generator code	2025-08-21 16:02:17 +08:00
wwqgtxx	e4dfe09744	chore: output vless hash11 in generater	2025-08-21 11:25:41 +08:00
wwqgtxx	b56068ee1c	chore: make vision server support splice	2025-08-21 11:17:36 +08:00
wwqgtxx	99e888c829	fix: missing WriterReplaceable for deadline.Conn	2025-08-21 10:46:55 +08:00
wwqgtxx	873d0deeaa	chore: make XorConn replaceable for splice	2025-08-21 09:03:44 +08:00
wwqgtxx	7e0a77c99c	chore: sync vless encryption code	2025-08-21 08:33:44 +08:00
wwqgtxx	5f09db2655	feat: support AmneziaWG v1.5	2025-08-20 15:42:04 +08:00
wwqgtxx	10174d281c	chore: update wireguard-go	2025-08-20 14:50:19 +08:00
wwqgtxx	12c30acdda	chore: cleanup vision code	2025-08-20 10:34:38 +08:00
wwqgtxx	2790481709	chore: update cast using in sing-vmess	2025-08-19 23:15:51 +08:00
wwqgtxx	182f60d424	chore: sync vless encryption code	2025-08-19 21:37:02 +08:00
wwqgtxx	930c70f065	doc: remind ordinary users that they should use tun in the top-level configuration	2025-08-19 16:56:35 +08:00
wwqgtxx	fc61715e4e	chore: add `handshake-mode` for mieru	2025-08-19 10:16:59 +08:00
enfein	438be2d379	chore: update mieru version (#2215 ) v3.19.0 optimized CPU consumption. Tested: https://github.com/enfein/mieru/actions/runs/17014543289	2025-08-19 07:10:29 +08:00
wwqgtxx	4e20ed65f2	chore: sync vless encryption code	2025-08-18 23:08:30 +08:00
wwqgtxx	ce760fcf19	action: better patch file download	2025-08-18 10:23:43 +08:00
wwqgtxx	0f76fdf4c5	fix: vision on vless encryption	2025-08-18 09:34:20 +08:00
wwqgtxx	03f4513f61	chore: sync vless encryption code	2025-08-18 08:43:17 +08:00
wwqgtxx	26f603057f	fix: `335d54e4` sync mistake	2025-08-18 08:40:52 +08:00
wwqgtxx	b481eca4a4	chore: allow vision with vless encryption	2025-08-17 16:14:20 +08:00
wwqgtxx	eb028b65fc	chore: better reflect using in vision	2025-08-17 16:03:35 +08:00
wwqgtxx	48c1b1cdb2	chore: remove depend on lunixbochs/struc	2025-08-16 11:16:53 +08:00
wwqgtxx	76e40baebc	chore: sync vless encryption code	2025-08-14 23:52:05 +08:00
wwqgtxx	946b4025df	chore: code cleanup	2025-08-14 23:48:59 +08:00
wwqgtxx	089766b285	chore: update TypedValue in sing	2025-08-14 18:36:01 +08:00
wwqgtxx	b643388539	chore: sync vless encryption code	2025-08-14 18:31:56 +08:00
wwqgtxx	0836ec6ee3	chore: change time.Duration atomic using	2025-08-14 16:01:20 +08:00
wwqgtxx	eeb2ad8dae	chore: add more test for TypedValue	2025-08-14 14:37:39 +08:00
wwqgtxx	71290b057f	chore: reimplement TypedValue by atomic.Pointer	2025-08-14 10:57:56 +08:00
wwqgtxx	41b321dfe1	chore: sync vless encryption code	2025-08-14 09:57:20 +08:00
wwqgtxx	a18e99f966	chore: update dependencies	2025-08-14 09:55:26 +08:00
wwqgtxx	f90d0b954c	chore: using atomic.Pointer in anytls	2025-08-14 00:51:55 +08:00
wwqgtxx	0408da2aee	chore: sync vless encryption code	2025-08-13 20:50:46 +08:00
wwqgtxx	335d54e488	chore: sync vless encryption code	2025-08-13 19:50:53 +08:00
wwqgtxx	d11f9c895c	chore: sync vless encryption code	2025-08-13 18:54:26 +08:00
wwqgtxx	e54ca7ceca	chore: sync vless encryption code	2025-08-13 18:51:47 +08:00
wwqgtxx	ce82d49c25	chore: update golang to 1.25	2025-08-13 18:05:24 +08:00
wwqgtxx	8e6be1992b	fix: h2mux client closed	2025-08-13 16:43:26 +08:00
wwqgtxx	0e9102daae	chore: don't test h2mux for the inbound	2025-08-13 01:15:39 +08:00
wwqgtxx	46dccf26d1	chore: sync vless encryption code	2025-08-13 01:14:22 +08:00
wwqgtxx	854c6a13c3	chore: sync vless encryption code	2025-08-12 22:59:25 +08:00
wwqgtxx	b4c3bbf660	chore: sync vless encryption code	2025-08-12 20:06:08 +08:00
wwqgtxx	6c726d6436	chore: test different http data size for inbound	2025-08-12 15:54:39 +08:00
wwqgtxx	a0bdb861a9	chore: rebuild vless encryption string parsing	2025-08-12 08:46:44 +08:00
wwqgtxx	eca5a27774	fix: mlkem768 logging	2025-08-11 23:00:35 +08:00
wwqgtxx	16d95df100	chore: better wildcard test	2025-08-11 22:33:01 +08:00
wwqgtxx	9b90719ddd	feat: support optional aes128xor layer for vless encryption	2025-08-11 20:57:23 +08:00
wwqgtxx	7392529677	chore: add a confused benchmark for wildcard	2025-08-11 18:13:34 +08:00
wwqgtxx	dc52c38179	fix: `?` in `DOMAIN-WILDCARD` should match exactly one character https://github.com/MetaCubeX/mihomo/issues/2204	2025-08-11 16:23:39 +08:00
wwqgtxx	d7999a32d3	chore: using named const value	2025-08-11 16:23:39 +08:00
wwqgtxx	b41ea05481	chore: add `encryption` to converter	2025-08-11 16:23:39 +08:00
wwqgtxx	e6fe895190	chore: sync code `3e19bf9233`	2025-08-11 16:23:39 +08:00
wwqgtxx	adf553a958	fix: generate doc	2025-08-11 16:23:39 +08:00
wwqgtxx	2a915a5c94	fix: vless server close	2025-08-10 22:43:31 +08:00
wwqgtxx	1b0c72bfab	feat: support vless encryption	2025-08-10 22:24:39 +08:00
wwqgtxx	e89af723cd	fix: auto redirect panic	2025-08-01 21:02:59 +08:00
wwqgtxx	e8fddd85af	fix: vless packetaddr not working	2025-07-31 11:39:06 +08:00
wwqgtxx	f04af734e3	chore: update quic-go to 0.54.0	2025-07-30 19:45:36 +08:00
wwqgtxx	00035302a1	chore: let `/upgrade` support `channel` and `force` as parameters in restful api Leaving `channel` blank will automatically determine the channel. Other valid values are `alpha`/`release`. Setting `force` to `true` will bypass the version check and force the update.	2025-07-30 17:50:11 +08:00
wwqgtxx	578e659bb9	chore: keep original file permissions when unpack in updater	2025-07-30 17:09:08 +08:00
wwqgtxx	0f1baeb935	fix: updater may not be able to overwrite files directly	2025-07-28 22:21:57 +08:00
wwqgtxx	16ff9e815b	chore: code cleanup	2025-07-27 22:30:39 +08:00
wwqgtxx	5f1f296213	chore: add `/cache/dns/flush` to restful api	2025-07-27 12:30:33 +08:00
wwqgtxx	66fd5c9f0c	chore: allow setting `cache-max-size` in `dns` section	2025-07-27 10:31:12 +08:00
wwqgtxx	c3a3009a8c	chore: keep original file permissions when copyFile in updater	2025-07-26 22:10:47 +08:00
xishang0128	01cd7e2c0e	chore: improve backup and replace logic in updater	2025-07-26 22:49:20 +09:00
wwqgtxx	deec7aafe5	chore: optimizing download in updater	2025-07-26 15:15:11 +08:00
wwqgtxx	a9b7e705f0	chore: optimizing copyFile in updater	2025-07-26 01:32:49 +08:00
xishang0128	fb043df1b6	chore: use canonical return value order	2025-07-25 23:38:35 +09:00
xishang0128	748b5df902	chore: keep original file permissions after update	2025-07-25 23:38:35 +09:00
wwqgtxx	8cbae59d55	chore: upgrade bbolt	2025-07-25 21:59:54 +08:00
wwqgtxx	a37440c81b	fix: some downstream dependencies on the upgrader's output fields	2025-07-25 17:57:34 +08:00
wwqgtxx	dbb002a5ba	action: add deb/rpm packages for GOAMD64 v1/2/3	2025-07-24 17:40:18 +08:00
wwqgtxx	1a84153213	chore: code cleanup	2025-07-24 15:40:32 +08:00
wwqgtxx	dfe6e0509b	chore: rebuild core updater	2025-07-24 02:08:14 +08:00
xishang0128	b6dde7ded7	action: use a more standardized naming format while retaining some compatibility with the old format	2025-07-23 22:58:41 +09:00
wwqgtxx	9f1da11792	chore: use the compile-time GOAMD64 flag in the updater	2025-07-23 18:08:08 +08:00
白日梦主义	63ad95e10f	fix: remove unconventional bits when unpacking for update_ui (#2178 )	2025-07-22 22:45:20 +08:00
白日梦主义	b06ec5bef8	fix: add path safety check in `file` type providers (#2177 )	2025-07-22 21:37:54 +08:00
wwqgtxx	d4fbffd8e8	chore: update utls to 1.8.0	2025-07-22 15:00:25 +08:00
wwqgtxx	305020175d	fix: darwin system stack problem	2025-07-21 10:11:03 +08:00
wwqgtxx	79decdc253	fix: vision server crash	2025-07-20 15:18:01 +08:00
wwqgtxx	407c13b8a4	fix: hy2 server crash	2025-07-19 00:58:33 +08:00
wwqgtxx	d84b182be3	fix: darwin tun mixed stack not working	2025-07-18 11:29:39 +08:00
wwqgtxx	8f18d3f6db	chore: add `recvmsgx` and `sendmsgx` config to tun Only for advanced users, enabling `recvmsgx` under darwin can improve performance, but enabling `sendmsgx` may cause unknown problems, please use with caution.	2025-07-17 23:42:25 +08:00
wwqgtxx	b9260e06b8	chore: improve darwin tun performance	2025-07-17 22:11:57 +08:00
wwqgtxx	6337151207	chore: upgrade bbolt to 1.4.2	2025-07-15 22:09:51 +08:00
wwqgtxx	aa555ced5f	chore: allow embedded xsync.Map to be lazily initialized	2025-07-15 17:33:36 +08:00
wwqgtxx	349b773b40	chore: upgrade and embed the xsync.Map to v4	2025-07-15 13:39:03 +08:00
wwqgtxx	300eb8b12a	chore: rebuild rule parsing code	2025-07-14 10:35:33 +08:00
wwqgtxx	2b84dd3618	fix: regex in logic rules https://github.com/MetaCubeX/mihomo/issues/2150	2025-07-07 16:16:16 +08:00
wwqgtxx	6a620ba287	chore: revert "chore: better dns batchExchange" This reverts commit `55f626424f`. The previous changes resulted in a situation where no resolution results were found when multiple DNS servers were used concurrently, and the final resolution time was dragged down by the slowest server.	2025-07-05 23:05:49 +08:00
wwqgtxx	56c3462b76	chore: update quic-go to 0.53.0	2025-06-28 18:16:29 +08:00
wwqgtxx	6f4fe71e41	chore: update dependencies	2025-06-28 12:51:06 +08:00
enfein	ba3e7187a6	chore: update mieru to v3.16.1 (#2138 ) Fix a bug that closed session can cause memory leak with bad timing.	2025-06-28 11:00:58 +08:00
JianGuo Wang	0d92b6724b	fix: add base64 decoding for VLESS host in ConvertsV2Ray function (#2125 )	2025-06-27 16:56:31 +08:00
ayanamist	241ae92bce	feat: support `DOMAIN-WILDCARD` rule (#2124 ) only support asterisk(*) and question mark(?)	2025-06-27 16:35:55 +08:00
phanium	91985c1ef8	chore: typo (#2127 )	2025-06-26 07:45:46 +08:00
Leo	6a9d428991	chore: remove unused code (#2126 )	2025-06-25 22:49:00 +08:00
wwqgtxx	765cbbcc01	fix: miss config in patch	2025-06-25 21:19:36 +08:00