chore: rollback incompatible changes to updateConfigs api

https://github.com/golang/go/issues/73617

.github/release/.fpm_systemd

@@ -0,0 +1,18 @@
+-s dir
+--name mihomo
+--category net
+--license GPL-3.0-or-later
+--description "The universal proxy platform."
+--url "https://wiki.metacubex.one/"
+--maintainer "MetaCubeX <none@example.com>"
+--deb-field "Bug: https://github.com/MetaCubeX/mihomo/issues"
+--no-deb-generate-changes
+--config-files /etc/mihomo/config.yaml
+
+.github/release/config.yaml=/etc/mihomo/config.yaml
+
+.github/release/mihomo.service=/usr/lib/systemd/system/mihomo.service
+.github/release/mihomo@.service=/usr/lib/systemd/system/mihomo@.service
+
+
+LICENSE=/usr/share/licenses/mihomo/LICENSE

.github/release/config.yaml

@@ -0,0 +1,15 @@
+mixed-port: 7890
+
+dns:
+  enable: true
+  ipv6: true
+  enhanced-mode: fake-ip
+  fake-ip-filter:
+    - "*"
+    - "+.lan"
+    - "+.local"
+  nameserver:
+    - system
+
+rules:
+  - MATCH,DIRECT

.github/release/mihomo.service

@@ -1,17 +1,17 @@
 [Unit]
 Description=mihomo Daemon, Another Clash Kernel.
-After=network.target NetworkManager.service systemd-networkd.service iwd.service
+Documentation=https://wiki.metacubex.one
+After=network.target nss-lookup.target network-online.target
 
 [Service]
 Type=simple
-LimitNPROC=500
-LimitNOFILE=1000000
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
-Restart=always
-ExecStartPre=/usr/bin/sleep 2s
 ExecStart=/usr/bin/mihomo -d /etc/mihomo
 ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+RestartSec=10
+LimitNOFILE=infinity
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

.github/release/mihomo@.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=mihomo Daemon, Another Clash Kernel.
+Documentation=https://wiki.metacubex.one
+After=network.target nss-lookup.target network-online.target
+
+[Service]
+Type=simple
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
+ExecStart=/usr/bin/mihomo -d /etc/mihomo
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+RestartSec=10
+LimitNOFILE=infinity
+
+[Install]
+WantedBy=multi-user.target

.github/workflows/build.yml

@@ -14,7 +14,7 @@ on:
       - Alpha
     tags:
       - "v*"
-  pull_request_target:
+  pull_request:
     branches:
       - Alpha
 concurrency:
@@ -33,28 +33,29 @@ jobs:
           - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible }
           - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64 }
 
-          - { goos: linux, goarch: '386', output: '386' }
+          - { goos: linux, goarch: '386', go386: sse2, output: '386', debian: i386, rpm: i386}
+          - { goos: linux, goarch: '386', go386: softfloat, output: '386-softfloat' }
           - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible, test: test }
-          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64 }
+          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64, debian: amd64, rpm: x86_64, pacman: x86_64}
-          - { goos: linux, goarch: arm64, output: arm64 }
+          - { goos: linux, goarch: arm64, output: arm64, debian: arm64, rpm: aarch64, pacman: aarch64}  
           - { goos: linux, goarch: arm, goarm: '5', output: armv5 }
-          - { goos: linux, goarch: arm, goarm: '6', output: armv6 }
+          - { goos: linux, goarch: arm, goarm: '6', output: armv6, debian: armel, rpm: armv6hl} 
-          - { goos: linux, goarch: arm, goarm: '7', output: armv7 }
+          - { goos: linux, goarch: arm, goarm: '7', output: armv7, debian: armhf, rpm: armv7hl, pacman: armv7hl}
           - { goos: linux, goarch: mips, gomips: hardfloat, output: mips-hardfloat }
           - { goos: linux, goarch: mips, gomips: softfloat, output: mips-softfloat }
           - { goos: linux, goarch: mipsle, gomips: hardfloat, output: mipsle-hardfloat }
           - { goos: linux, goarch: mipsle, gomips: softfloat, output: mipsle-softfloat }
           - { goos: linux, goarch: mips64, output: mips64 }
-          - { goos: linux, goarch: mips64le, output: mips64le }
+          - { goos: linux, goarch: mips64le, output: mips64le, debian: mips64el, rpm: mips64el }
-          - { goos: linux, goarch: loong64, output: loong64-abi1, abi: '1' }
+          - { goos: linux, goarch: loong64, output: loong64-abi1, abi: '1', debian: loongarch64, rpm: loongarch64 }
-          - { goos: linux, goarch: loong64, output: loong64-abi2, abi: '2' }
+          - { goos: linux, goarch: loong64, output: loong64-abi2, abi: '2', debian: loong64, rpm: loong64 }
-          - { goos: linux, goarch: riscv64, output: riscv64 }
+          - { goos: linux, goarch: riscv64, output: riscv64, debian: riscv64, rpm: riscv64 }
-          - { goos: linux, goarch: s390x, output: s390x }
+          - { goos: linux, goarch: s390x, output: s390x, debian: s390x, rpm: s390x }
+          - { goos: linux, goarch: ppc64le, output: ppc64le, debian: ppc64el, rpm: ppc64le }
 
           - { goos: windows, goarch: '386', output: '386' }
           - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible }
           - { goos: windows, goarch: amd64, goamd64: v3, output: amd64 }
-          - { goos: windows, goarch: arm, goarm: '7', output: armv7 }
           - { goos: windows, goarch: arm64, output: arm64 }
 
           - { goos: freebsd, goarch: '386', output: '386' }
@@ -67,6 +68,12 @@ jobs:
           - { goos: android, goarch: arm, ndk: armv7a-linux-androideabi34, output: armv7 }
           - { goos: android, goarch: arm64, ndk: aarch64-linux-android34, output: arm64-v8 }
 
+          # Go 1.23 with special patch can work on Windows 7
+          # https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
+          - { goos: windows, goarch: '386', output: '386-go123', goversion: '1.23' }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go123, goversion: '1.23' }
+          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go123, goversion: '1.23' }
+
           # Go 1.22 with special patch can work on Windows 7
           # https://github.com/MetaCubeX/go/commits/release-branch.go1.22/
           - { goos: windows, goarch: '386', output: '386-go122', goversion: '1.22' }
@@ -95,6 +102,11 @@ jobs:
           - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20' }
           - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-go120, goversion: '1.20' }
 
+          # Go 1.23 is the last release that requires Linux kernel version 2.6.32 or later. Go 1.24 will require Linux kernel version 3.2 or later.
+          - { goos: linux, goarch: '386', output: '386-go123', goversion: '1.23' }
+          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible-go123, goversion: '1.23', test: test }
+          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-go123, goversion: '1.23' }
+
           # only for test
           - { goos: linux, goarch: '386', output: '386-go120', goversion: '1.20' }
           - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20', test: test }
@@ -107,7 +119,7 @@ jobs:
       if: ${{ matrix.jobs.goversion == '' && matrix.jobs.abi != '1' }}
       uses: actions/setup-go@v5
       with:
-        go-version: '1.23'
+        go-version: '1.24'
 
     - name: Set up Go
       if: ${{ matrix.jobs.goversion != '' && matrix.jobs.abi != '1' }}
@@ -115,13 +127,31 @@ jobs:
       with:
         go-version: ${{ matrix.jobs.goversion }}
 
-    - name: Set up Go1.23 loongarch abi1
+    - name: Set up Go1.24 loongarch abi1
       if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '1' }}
       run: |
-        wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.23.0/go1.23.0.linux-amd64-abi1.tar.gz
+        wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.24.0/go1.24.0.linux-amd64-abi1.tar.gz
-        sudo tar zxf go1.23.0.linux-amd64-abi1.tar.gz -C /usr/local
+        sudo tar zxf go1.24.0.linux-amd64-abi1.tar.gz -C /usr/local
         echo "/usr/local/go/bin" >> $GITHUB_PATH
 
+      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
+      # this patch file only works on golang1.24.x
+      # that means after golang1.25 release it must be changed
+      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.24/
+      # revert:
+      # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
+      # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
+      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
+      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
+    - name: Revert Golang1.24 commit for Windows7/8
+      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }}
+      run: |
+        cd $(go env GOROOT)
+        curl https://github.com/MetaCubeX/go/commit/2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8.diff | patch --verbose -p 1
+        curl https://github.com/MetaCubeX/go/commit/7b1fd7d39c6be0185fbe1d929578ab372ac5c632.diff | patch --verbose -p 1
+        curl https://github.com/MetaCubeX/go/commit/979d6d8bab3823ff572ace26767fd2ce3cf351ae.diff | patch --verbose -p 1
+        curl https://github.com/MetaCubeX/go/commit/ac3e93c061779dfefc0dd13a5b6e6f764a25621e.diff | patch --verbose -p 1
+
       # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
       # this patch file only works on golang1.23.x
       # that means after golang1.24 release it must be changed
@@ -132,7 +162,7 @@ jobs:
       # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
       # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
     - name: Revert Golang1.23 commit for Windows7/8
-      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }}
+      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.23' }}
       run: |
         cd $(go env GOROOT)
         curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
@@ -166,17 +196,16 @@ jobs:
         curl https://github.com/golang/go/commit/9e43850a3298a9b8b1162ba0033d4c53f8637571.diff | patch --verbose -R -p 1
 
     - name: Set variables
-      if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.version != '' }}
-      run: echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-      shell: bash
-
-    - name: Set variables
-      if: ${{ github.event_name != 'workflow_dispatch' && github.ref_name == 'Alpha' }}
-      run: echo "VERSION=alpha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
-      shell: bash
-
-    - name: Set Time Variable
       run: |
+        VERSION="${GITHUB_REF_NAME,,}-$(git rev-parse --short HEAD)"
+        PackageVersion="$(curl -s "https://api.github.com/repos/MetaCubeX/mihomo/releases/latest" | jq -r '.tag_name' | sed 's/v//g' | awk -F '.' '{$NF = $NF + 1; print}' OFS='.').${VERSION/-/.}"
+        if [ -n "${{ github.event.inputs.version }}" ]; then
+          VERSION=${{ github.event.inputs.version }}
+          PackageVersion="${VERSION#v}" >> $GITHUB_ENV
+        fi
+        echo "VERSION=${VERSION}" >> $GITHUB_ENV
+        echo "PackageVersion=${PackageVersion}" >> $GITHUB_ENV
+      
         echo "BUILDTIME=$(date)" >> $GITHUB_ENV
         echo "CGO_ENABLED=0" >> $GITHUB_ENV
         echo "BUILDTAG=-extldflags --static" >> $GITHUB_ENV
@@ -187,7 +216,7 @@ jobs:
       uses: nttld/setup-ndk@v1
       id: setup-ndk
       with:
-        ndk-version: r28-beta1
+        ndk-version: r29-beta1
 
     - name: Set NDK path
       if: ${{ matrix.jobs.goos == 'android' }}
@@ -205,7 +234,7 @@ jobs:
 
     - name: Update CA
       run: |
-        sudo apt-get install ca-certificates
+        sudo apt-get update && sudo apt-get install ca-certificates
         sudo update-ca-certificates
         cp -f /etc/ssl/certs/ca-certificates.crt component/ca/ca-certificates.crt
 
@@ -214,6 +243,7 @@ jobs:
         GOOS: ${{matrix.jobs.goos}}
         GOARCH: ${{matrix.jobs.goarch}}
         GOAMD64: ${{matrix.jobs.goamd64}}
+        GO386: ${{matrix.jobs.go386}}
         GOARM: ${{matrix.jobs.goarm}}
         GOMIPS: ${{matrix.jobs.gomips}}
       run: |
@@ -228,71 +258,45 @@ jobs:
           rm mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}
         fi
 
-    - name: Create DEB package
+    - name: Package DEB
-      if: ${{ matrix.jobs.goos == 'linux' && !contains(matrix.jobs.goarch, 'mips') }}
+      if: matrix.jobs.debian != ''
       run: |
-        sudo apt-get install dpkg
+        set -xeuo pipefail
-        if [ "${{matrix.jobs.abi}}" = "1" ]; then
+        sudo gem install fpm
-          ARCH=loongarch64
+        cp .github/release/.fpm_systemd .fpm
-        elif [ "${{matrix.jobs.goarm}}" = "7" ]; then
-          ARCH=armhf
-        elif [ "${{matrix.jobs.goarch}}" = "arm" ]; then
-          ARCH=armel
-        else
-          ARCH=${{matrix.jobs.goarch}}
-        fi
-        PackageVersion=$(curl -s "https://api.github.com/repos/MetaCubeX/mihomo/releases/latest" | grep -o '"tag_name": "[^"]*' | grep -o '[^"]*$' | sed 's/v//g' )
-        if [ $(git branch | awk -F ' ' '{print $2}') = "Alpha" ]; then
-          PackageVersion="$(echo "${PackageVersion}" | awk -F '.' '{$NF = $NF + 1; print}' OFS='.')-${VERSION}"
-        fi
 
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/DEBIAN
+        fpm -t deb \
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/bin
+          -v "${PackageVersion}" \
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/mihomo
+          -p "mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.deb" \
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/systemd/system/
+          --architecture ${{ matrix.jobs.debian }} \
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/share/licenses/mihomo
+          mihomo=/usr/bin/mihomo
 
-        cp mihomo mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/bin/mihomo
+    - name: Package RPM
-        cp LICENSE mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/share/licenses/mihomo/
+      if: matrix.jobs.rpm != ''
-        cp .github/mihomo.service mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/systemd/system/
-
-        cat > mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/mihomo/config.yaml <<EOF
-        mixed-port: 7890
-        external-controller: 127.0.0.1:9090
-        EOF
-
-        cat > mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/DEBIAN/control <<EOF
-        Package: mihomo
-        Version: ${PackageVersion}
-        Section:
-        Priority: extra
-        Architecture: ${ARCH}
-        Maintainer: MetaCubeX <none@example.com>
-        Homepage: https://wiki.metacubex.one/
-        Description: The universal proxy platform.
-        EOF
-
-        dpkg-deb -Z gzip --build mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}
-
-    - name: Convert DEB to RPM
-      if: ${{ matrix.jobs.goos == 'linux' && !contains(matrix.jobs.goarch, 'mips') }}
       run: |
-        sudo apt-get install -y alien
+        set -xeuo pipefail
-        alien --to-rpm --scripts mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.deb
+        sudo gem install fpm
-        mv mihomo*.rpm mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.rpm
+        cp .github/release/.fpm_systemd .fpm
 
-    # - name: Convert DEB to PKG
+        fpm -t rpm \
-    #   if: ${{ matrix.jobs.goos == 'linux' && !contains(matrix.jobs.goarch, 'mips') && !contains(matrix.jobs.goarch, 'loong64') }}
+          -v "${PackageVersion}" \
-    #   run: |
+          -p "mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.rpm" \
-    #     docker pull archlinux
+          --architecture ${{ matrix.jobs.rpm }} \
-    #     docker run --rm -v ./:/mnt archlinux bash -c "
+          mihomo=/usr/bin/mihomo
-    #       pacman -Syu pkgfile base-devel --noconfirm
+
-    #       curl -L https://github.com/helixarch/debtap/raw/master/debtap > /usr/bin/debtap
+    - name: Package Pacman
-    #       chmod 755 /usr/bin/debtap
+      if: matrix.jobs.pacman != ''
-    #       debtap -u 
+      run: |
-    #       debtap -Q /mnt/mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.deb
+        set -xeuo pipefail
-    #     "
+        sudo gem install fpm
-    #     mv mihomo*.pkg.tar.zst mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.pkg.tar.zst
+        sudo apt-get update && sudo apt-get install -y libarchive-tools
+        cp .github/release/.fpm_systemd .fpm
+
+        fpm -t pacman \
+          -v "${PackageVersion}" \
+          -p "mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.pkg.tar.zst" \
+          --architecture ${{ matrix.jobs.pacman }} \
+          mihomo=/usr/bin/mihomo
 
     - name: Save version
       run: |
@@ -307,8 +311,10 @@ jobs:
           mihomo*.gz
           mihomo*.deb
           mihomo*.rpm
+          mihomo*.pkg.tar.zst
           mihomo*.zip
           version.txt
+          checksums.txt
 
   Upload-Prerelease:
     permissions: write-all
@@ -322,6 +328,13 @@ jobs:
         path: bin/
         merge-multiple: true
 
+    - name: Calculate checksums
+      run: |
+        cd bin/
+        find . -type f -not -name "checksums.*" -not -name "version.txt" | sort | xargs sha256sum > checksums.txt
+        cat checksums.txt
+      shell: bash
+
     - name: Delete current release assets
       uses: 8Mi-Tech/delete-release-assets-action@main
       with:

.github/workflows/test.yml

@@ -0,0 +1,115 @@
+name: Test
+on:
+  push:
+    paths-ignore:
+      - "docs/**"
+      - "README.md"
+      - ".github/ISSUE_TEMPLATE/**"
+    branches:
+      - Alpha
+    tags:
+      - "v*"
+  pull_request:
+    branches:
+      - Alpha
+
+jobs:
+  test:
+    strategy:
+      matrix:
+        os:
+          - 'ubuntu-latest' # amd64 linux
+          - 'windows-latest' # amd64 windows
+          - 'macos-latest' # arm64 macos
+          - 'ubuntu-24.04-arm' # arm64 linux
+          - 'macos-13' # amd64 macos
+        go-version:
+          - '1.24'
+          - '1.23'
+          - '1.22'
+          - '1.21'
+          - '1.20'
+      fail-fast: false
+    runs-on: ${{ matrix.os }}
+    defaults:
+      run:
+        shell: bash
+    env:
+      CGO_ENABLED: 0
+      GOTOOLCHAIN: local
+      # Fix mingw trying to be smart and converting paths https://github.com/moby/moby/issues/24029#issuecomment-250412919
+      MSYS_NO_PATHCONV: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
+      # this patch file only works on golang1.24.x
+      # that means after golang1.25 release it must be changed
+      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.24/
+      # revert:
+      # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
+      # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
+      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
+      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
+      - name: Revert Golang1.24 commit for Windows7/8
+        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.24' }}
+        run: |
+          cd $(go env GOROOT)
+          curl https://github.com/MetaCubeX/go/commit/2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8.diff | patch --verbose -p 1
+          curl https://github.com/MetaCubeX/go/commit/7b1fd7d39c6be0185fbe1d929578ab372ac5c632.diff | patch --verbose -p 1
+          curl https://github.com/MetaCubeX/go/commit/979d6d8bab3823ff572ace26767fd2ce3cf351ae.diff | patch --verbose -p 1
+          curl https://github.com/MetaCubeX/go/commit/ac3e93c061779dfefc0dd13a5b6e6f764a25621e.diff | patch --verbose -p 1
+
+        # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
+        # this patch file only works on golang1.23.x
+        # that means after golang1.24 release it must be changed
+        # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
+        # revert:
+        # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
+        # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
+        # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
+        # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
+      - name: Revert Golang1.23 commit for Windows7/8
+        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.23' }}
+        run: |
+          cd $(go env GOROOT)
+          curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
+          curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
+          curl https://github.com/MetaCubeX/go/commit/6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76.diff | patch --verbose -p 1
+          curl https://github.com/MetaCubeX/go/commit/69e2eed6dd0f6d815ebf15797761c13f31213dd6.diff | patch --verbose -p 1
+
+        # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
+        # this patch file only works on golang1.22.x
+        # that means after golang1.23 release it must be changed
+        # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.22/
+        # revert:
+        # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
+        # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
+        # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
+        # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
+      - name: Revert Golang1.22 commit for Windows7/8
+        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.22' }}
+        run: |
+          cd $(go env GOROOT)
+          curl https://github.com/MetaCubeX/go/commit/9779155f18b6556a034f7bb79fb7fb2aad1e26a9.diff | patch --verbose -p 1
+          curl https://github.com/MetaCubeX/go/commit/ef0606261340e608017860b423ffae5c1ce78239.diff | patch --verbose -p 1
+          curl https://github.com/MetaCubeX/go/commit/7f83badcb925a7e743188041cb6e561fc9b5b642.diff | patch --verbose -p 1
+          curl https://github.com/MetaCubeX/go/commit/83ff9782e024cb328b690cbf0da4e7848a327f4f.diff | patch --verbose -p 1
+
+        # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
+      - name: Revert Golang1.21 commit for Windows7/8
+        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.21' }}
+        run: |
+          cd $(go env GOROOT)
+          curl https://github.com/golang/go/commit/9e43850a3298a9b8b1162ba0033d4c53f8637571.diff | patch --verbose -R -p 1
+
+      - name: Test
+        run: go test ./... -v -count=1
+
+      - name: Test with tag with_gvisor
+        run: go test ./... -v -count=1 -tags "with_gvisor"

adapter/adapter.go

@@ -17,7 +17,6 @@ import (
 	"github.com/metacubex/mihomo/common/queue"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/ca"
-	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 	"github.com/puzpuzpuz/xsync/v3"
@@ -63,8 +62,8 @@ func (p *Proxy) Dial(metadata *C.Metadata) (C.Conn, error) {
 }
 
 // DialContext implements C.ProxyAdapter
-func (p *Proxy) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (p *Proxy) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	conn, err := p.ProxyAdapter.DialContext(ctx, metadata, opts...)
+	conn, err := p.ProxyAdapter.DialContext(ctx, metadata)
 	return conn, err
 }
 
@@ -76,8 +75,8 @@ func (p *Proxy) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (p *Proxy) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (p *Proxy) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	pc, err := p.ProxyAdapter.ListenPacketContext(ctx, metadata, opts...)
+	pc, err := p.ProxyAdapter.ListenPacketContext(ctx, metadata)
 	return pc, err
 }
 
@@ -290,6 +289,7 @@ func (p *Proxy) URLTest(ctx context.Context, url string, expectedStatus utils.In
 	t = uint16(time.Since(start) / time.Millisecond)
 	return
 }
+
 func NewProxy(adapter C.ProxyAdapter) *Proxy {
 	return &Proxy{
 		ProxyAdapter: adapter,

adapter/inbound/util.go

@@ -7,7 +7,6 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/metacubex/mihomo/common/nnip"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/socks5"
 )
@@ -21,13 +20,13 @@ func parseSocksAddr(target socks5.Addr) *C.Metadata {
 		metadata.Host = strings.TrimRight(string(target[2:2+target[1]]), ".")
 		metadata.DstPort = uint16((int(target[2+target[1]]) << 8) | int(target[2+target[1]+1]))
 	case socks5.AtypIPv4:
-		metadata.DstIP = nnip.IpToAddr(net.IP(target[1 : 1+net.IPv4len]))
+		metadata.DstIP, _ = netip.AddrFromSlice(target[1 : 1+net.IPv4len])
 		metadata.DstPort = uint16((int(target[1+net.IPv4len]) << 8) | int(target[1+net.IPv4len+1]))
 	case socks5.AtypIPv6:
-		ip6, _ := netip.AddrFromSlice(target[1 : 1+net.IPv6len])
+		metadata.DstIP, _ = netip.AddrFromSlice(target[1 : 1+net.IPv6len])
-		metadata.DstIP = ip6.Unmap()
 		metadata.DstPort = uint16((int(target[1+net.IPv6len]) << 8) | int(target[1+net.IPv6len+1]))
 	}
+	metadata.DstIP = metadata.DstIP.Unmap()
 
 	return metadata
 }

adapter/outbound/anytls.go

@@ -0,0 +1,134 @@
+package outbound
+
+import (
+	"context"
+	"errors"
+	"net"
+	"strconv"
+	"time"
+
+	CN "github.com/metacubex/mihomo/common/net"
+	"github.com/metacubex/mihomo/component/dialer"
+	"github.com/metacubex/mihomo/component/proxydialer"
+	"github.com/metacubex/mihomo/component/resolver"
+	C "github.com/metacubex/mihomo/constant"
+	"github.com/metacubex/mihomo/transport/anytls"
+	"github.com/metacubex/mihomo/transport/vmess"
+
+	M "github.com/metacubex/sing/common/metadata"
+	"github.com/metacubex/sing/common/uot"
+)
+
+type AnyTLS struct {
+	*Base
+	client *anytls.Client
+	dialer proxydialer.SingDialer
+	option *AnyTLSOption
+}
+
+type AnyTLSOption struct {
+	BasicOption
+	Name                     string   `proxy:"name"`
+	Server                   string   `proxy:"server"`
+	Port                     int      `proxy:"port"`
+	Password                 string   `proxy:"password"`
+	ALPN                     []string `proxy:"alpn,omitempty"`
+	SNI                      string   `proxy:"sni,omitempty"`
+	ClientFingerprint        string   `proxy:"client-fingerprint,omitempty"`
+	SkipCertVerify           bool     `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint              string   `proxy:"fingerprint,omitempty"`
+	UDP                      bool     `proxy:"udp,omitempty"`
+	IdleSessionCheckInterval int      `proxy:"idle-session-check-interval,omitempty"`
+	IdleSessionTimeout       int      `proxy:"idle-session-timeout,omitempty"`
+	MinIdleSession           int      `proxy:"min-idle-session,omitempty"`
+}
+
+func (t *AnyTLS) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
+	c, err := t.client.CreateProxy(ctx, M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
+	if err != nil {
+		return nil, err
+	}
+	return NewConn(c, t), nil
+}
+
+func (t *AnyTLS) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	// create tcp
+	c, err := t.client.CreateProxy(ctx, uot.RequestDestination(2))
+	if err != nil {
+		return nil, err
+	}
+
+	// create uot on tcp
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(ctx, metadata.Host)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
+	destination := M.SocksaddrFromNet(metadata.UDPAddr())
+	return newPacketConn(CN.NewThreadSafePacketConn(uot.NewLazyConn(c, uot.Request{Destination: destination})), t), nil
+}
+
+// SupportUOT implements C.ProxyAdapter
+func (t *AnyTLS) SupportUOT() bool {
+	return true
+}
+
+// ProxyInfo implements C.ProxyAdapter
+func (t *AnyTLS) ProxyInfo() C.ProxyInfo {
+	info := t.Base.ProxyInfo()
+	info.DialerProxy = t.option.DialerProxy
+	return info
+}
+
+// Close implements C.ProxyAdapter
+func (t *AnyTLS) Close() error {
+	return t.client.Close()
+}
+
+func NewAnyTLS(option AnyTLSOption) (*AnyTLS, error) {
+	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+	outbound := &AnyTLS{
+		Base: &Base{
+			name:   option.Name,
+			addr:   addr,
+			tp:     C.AnyTLS,
+			udp:    option.UDP,
+			tfo:    option.TFO,
+			mpTcp:  option.MPTCP,
+			iface:  option.Interface,
+			rmark:  option.RoutingMark,
+			prefer: C.NewDNSPrefer(option.IPVersion),
+		},
+		option: &option,
+	}
+
+	singDialer := proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer(outbound.DialOptions()...))
+	outbound.dialer = singDialer
+
+	tOption := anytls.ClientConfig{
+		Password:                 option.Password,
+		Server:                   M.ParseSocksaddrHostPort(option.Server, uint16(option.Port)),
+		Dialer:                   singDialer,
+		IdleSessionCheckInterval: time.Duration(option.IdleSessionCheckInterval) * time.Second,
+		IdleSessionTimeout:       time.Duration(option.IdleSessionTimeout) * time.Second,
+		MinIdleSession:           option.MinIdleSession,
+	}
+	tlsConfig := &vmess.TLSConfig{
+		Host:              option.SNI,
+		SkipCertVerify:    option.SkipCertVerify,
+		NextProtos:        option.ALPN,
+		FingerPrint:       option.Fingerprint,
+		ClientFingerprint: option.ClientFingerprint,
+	}
+	if tlsConfig.Host == "" {
+		tlsConfig.Host = option.Server
+	}
+	tOption.TLSConfig = tlsConfig
+
+	client := anytls.NewClient(context.TODO(), tOption)
+	outbound.client = client
+
+	return outbound, nil
+}

adapter/outbound/base.go

@@ -4,15 +4,23 @@ import (
 	"context"
 	"encoding/json"
 	"net"
+	"runtime"
 	"strings"
+	"sync"
 	"syscall"
 
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
+	"github.com/metacubex/mihomo/log"
 )
 
+type ProxyAdapter interface {
+	C.ProxyAdapter
+	DialOptions() []dialer.Option
+}
+
 type Base struct {
 	name   string
 	addr   string
@@ -51,7 +59,7 @@ func (b *Base) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Me
 	return c, C.ErrNotSupport
 }
 
-func (b *Base) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (b *Base) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	return nil, C.ErrNotSupport
 }
 
@@ -61,7 +69,7 @@ func (b *Base) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metad
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (b *Base) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (b *Base) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	return nil, C.ErrNotSupport
 }
 
@@ -120,7 +128,7 @@ func (b *Base) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
 }
 
 // DialOptions return []dialer.Option from struct
-func (b *Base) DialOptions(opts ...dialer.Option) []dialer.Option {
+func (b *Base) DialOptions() (opts []dialer.Option) {
 	if b.iface != "" {
 		opts = append(opts, dialer.WithInterface(b.iface))
 	}
@@ -152,11 +160,15 @@ func (b *Base) DialOptions(opts ...dialer.Option) []dialer.Option {
 	return opts
 }
 
+func (b *Base) Close() error {
+	return nil
+}
+
 type BasicOption struct {
 	TFO         bool   `proxy:"tfo,omitempty"`
 	MPTCP       bool   `proxy:"mptcp,omitempty"`
-	Interface   string `proxy:"interface-name,omitempty" group:"interface-name,omitempty"`
+	Interface   string `proxy:"interface-name,omitempty"`
-	RoutingMark int    `proxy:"routing-mark,omitempty" group:"routing-mark,omitempty"`
+	RoutingMark int    `proxy:"routing-mark,omitempty"`
 	IPVersion   string `proxy:"ip-version,omitempty"`
 	DialerProxy string `proxy:"dialer-proxy,omitempty"` // don't apply this option into groups, but can set a group name in a proxy
 }
@@ -221,6 +233,10 @@ func (c *conn) ReaderReplaceable() bool {
 	return true
 }
 
+func (c *conn) AddRef(ref any) {
+	c.ExtendedConn = N.NewRefConn(c.ExtendedConn, ref) // add ref for autoCloseProxyAdapter
+}
+
 func NewConn(c net.Conn, a C.ProxyAdapter) C.Conn {
 	if _, ok := c.(syscall.Conn); !ok { // exclusion system conn like *net.TCPConn
 		c = N.NewDeadlineConn(c) // most conn from outbound can't handle readDeadline correctly
@@ -267,6 +283,10 @@ func (c *packetConn) ReaderReplaceable() bool {
 	return true
 }
 
+func (c *packetConn) AddRef(ref any) {
+	c.EnhancePacketConn = N.NewRefPacketConn(c.EnhancePacketConn, ref) // add ref for autoCloseProxyAdapter
+}
+
 func newPacketConn(pc net.PacketConn, a C.ProxyAdapter) C.PacketConn {
 	epc := N.NewEnhancePacketConn(pc)
 	if _, ok := pc.(syscall.Conn); !ok { // exclusion system conn like *net.UDPConn
@@ -286,3 +306,75 @@ func parseRemoteDestination(addr string) string {
 		}
 	}
 }
+
+type AddRef interface {
+	AddRef(ref any)
+}
+
+type autoCloseProxyAdapter struct {
+	ProxyAdapter
+	closeOnce sync.Once
+	closeErr  error
+}
+
+func (p *autoCloseProxyAdapter) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
+	c, err := p.ProxyAdapter.DialContext(ctx, metadata)
+	if err != nil {
+		return nil, err
+	}
+	if c, ok := c.(AddRef); ok {
+		c.AddRef(p)
+	}
+	return c, nil
+}
+
+func (p *autoCloseProxyAdapter) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	c, err := p.ProxyAdapter.DialContextWithDialer(ctx, dialer, metadata)
+	if err != nil {
+		return nil, err
+	}
+	if c, ok := c.(AddRef); ok {
+		c.AddRef(p)
+	}
+	return c, nil
+}
+
+func (p *autoCloseProxyAdapter) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	pc, err := p.ProxyAdapter.ListenPacketContext(ctx, metadata)
+	if err != nil {
+		return nil, err
+	}
+	if pc, ok := pc.(AddRef); ok {
+		pc.AddRef(p)
+	}
+	return pc, nil
+}
+
+func (p *autoCloseProxyAdapter) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	pc, err := p.ProxyAdapter.ListenPacketWithDialer(ctx, dialer, metadata)
+	if err != nil {
+		return nil, err
+	}
+	if pc, ok := pc.(AddRef); ok {
+		pc.AddRef(p)
+	}
+	return pc, nil
+}
+
+func (p *autoCloseProxyAdapter) Close() error {
+	p.closeOnce.Do(func() {
+		log.Debugln("Closing outdated proxy [%s]", p.Name())
+		runtime.SetFinalizer(p, nil)
+		p.closeErr = p.ProxyAdapter.Close()
+	})
+	return p.closeErr
+}
+
+func NewAutoCloseProxyAdapter(adapter ProxyAdapter) ProxyAdapter {
+	proxy := &autoCloseProxyAdapter{
+		ProxyAdapter: adapter,
+	}
+	// auto close ProxyAdapter
+	runtime.SetFinalizer(proxy, (*autoCloseProxyAdapter).Close)
+	return proxy
+}

adapter/outbound/direct.go

@@ -20,12 +20,13 @@ type DirectOption struct {
 }
 
 // DialContext implements C.ProxyAdapter
-func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	if err := d.loopBack.CheckConn(metadata); err != nil {
 		return nil, err
 	}
+	opts := d.DialOptions()
 	opts = append(opts, dialer.WithResolver(resolver.DirectHostResolver))
-	c, err := dialer.DialContext(ctx, "tcp", metadata.RemoteAddress(), d.Base.DialOptions(opts...)...)
+	c, err := dialer.DialContext(ctx, "tcp", metadata.RemoteAddress(), opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -33,7 +34,7 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	if err := d.loopBack.CheckPacketConn(metadata); err != nil {
 		return nil, err
 	}
@@ -45,7 +46,7 @@ func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		}
 		metadata.DstIP = ip
 	}
-	pc, err := dialer.NewDialer(d.Base.DialOptions(opts...)...).ListenPacket(ctx, "udp", "", metadata.AddrPort())
+	pc, err := dialer.NewDialer(d.DialOptions()...).ListenPacket(ctx, "udp", "", metadata.AddrPort())
 	if err != nil {
 		return nil, err
 	}

adapter/outbound/dns.go

@@ -7,7 +7,6 @@ import (
 
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/pool"
-	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
@@ -23,14 +22,14 @@ type DnsOption struct {
 }
 
 // DialContext implements C.ProxyAdapter
-func (d *Dns) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (d *Dns) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	left, right := N.Pipe()
 	go resolver.RelayDnsConn(context.Background(), right, 0)
 	return NewConn(left, d), nil
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (d *Dns) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (d *Dns) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	log.Debugln("[DNS] hijack udp:%s from %s", metadata.RemoteAddress(), metadata.SourceAddrPort())
 
 	ctx, cancel := context.WithCancel(context.Background())

adapter/outbound/http.go

@@ -7,11 +7,11 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
-	"io"
 	"net"
 	"net/http"
 	"strconv"
 
+	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
@@ -51,15 +51,15 @@ func (h *Http) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Me
 		}
 	}
 
-	if err := h.shakeHand(metadata, c); err != nil {
+	if err := h.shakeHandContext(ctx, c, metadata); err != nil {
 		return nil, err
 	}
 	return c, nil
 }
 
 // DialContext implements C.ProxyAdapter
-func (h *Http) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (h *Http) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	return h.DialContextWithDialer(ctx, dialer.NewDialer(h.Base.DialOptions(opts...)...), metadata)
+	return h.DialContextWithDialer(ctx, dialer.NewDialer(h.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -99,7 +99,12 @@ func (h *Http) ProxyInfo() C.ProxyInfo {
 	return info
 }
 
-func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
+func (h *Http) shakeHandContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (err error) {
+	if ctx.Done() != nil {
+		done := N.SetupContextForConn(ctx, c)
+		defer done(&err)
+	}
+
 	addr := metadata.RemoteAddress()
 	HeaderString := "CONNECT " + addr + " HTTP/1.1\r\n"
 	tempHeaders := map[string]string{
@@ -123,13 +128,13 @@ func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
 
 	HeaderString += "\r\n"
 
-	_, err := rw.Write([]byte(HeaderString))
+	_, err = c.Write([]byte(HeaderString))
 
 	if err != nil {
 		return err
 	}
 
-	resp, err := http.ReadResponse(bufio.NewReader(rw), nil)
+	resp, err := http.ReadResponse(bufio.NewReader(c), nil)
 
 	if err != nil {
 		return err

adapter/outbound/hysteria.go

@@ -7,18 +7,13 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"runtime"
 	"strconv"
 	"time"
 
-	"github.com/metacubex/quic-go"
-	"github.com/metacubex/quic-go/congestion"
-	M "github.com/sagernet/sing/common/metadata"
-
-	CN "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
+	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 	hyCongestion "github.com/metacubex/mihomo/transport/hysteria/congestion"
@@ -27,6 +22,10 @@ import (
 	"github.com/metacubex/mihomo/transport/hysteria/pmtud_fix"
 	"github.com/metacubex/mihomo/transport/hysteria/transport"
 	"github.com/metacubex/mihomo/transport/hysteria/utils"
+
+	"github.com/metacubex/quic-go"
+	"github.com/metacubex/quic-go/congestion"
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 const (
@@ -45,33 +44,31 @@ type Hysteria struct {
 
 	option *HysteriaOption
 	client *core.Client
-
-	closeCh chan struct{} // for test
 }
 
-func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	tcpConn, err := h.client.DialTCP(metadata.String(), metadata.DstPort, h.genHdc(ctx, opts...))
+	tcpConn, err := h.client.DialTCP(metadata.String(), metadata.DstPort, h.genHdc(ctx))
 	if err != nil {
 		return nil, err
 	}
 
-	return NewConn(CN.NewRefConn(tcpConn, h), h), nil
+	return NewConn(tcpConn, h), nil
 }
 
-func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	udpConn, err := h.client.DialUDP(h.genHdc(ctx, opts...))
+	udpConn, err := h.client.DialUDP(h.genHdc(ctx))
 	if err != nil {
 		return nil, err
 	}
-	return newPacketConn(CN.NewRefPacketConn(&hyPacketConn{udpConn}, h), h), nil
+	return newPacketConn(&hyPacketConn{udpConn}, h), nil
 }
 
-func (h *Hysteria) genHdc(ctx context.Context, opts ...dialer.Option) utils.PacketDialer {
+func (h *Hysteria) genHdc(ctx context.Context) utils.PacketDialer {
 	return &hyDialerWithContext{
 		ctx: context.Background(),
 		hyDialer: func(network string, rAddr net.Addr) (net.PacketConn, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(h.Base.DialOptions(opts...)...)
+			var cDialer C.Dialer = dialer.NewDialer(h.DialOptions()...)
 			if len(h.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(h.option.DialerProxy, cDialer)
 				if err != nil {
@@ -82,7 +79,7 @@ func (h *Hysteria) genHdc(ctx context.Context, opts ...dialer.Option) utils.Pack
 			return cDialer.ListenPacket(ctx, network, "", rAddrPort)
 		},
 		remoteAddr: func(addr string) (net.Addr, error) {
-			return resolveUDPAddrWithPrefer(ctx, "udp", addr, h.prefer)
+			return resolveUDPAddr(ctx, "udp", addr, h.prefer)
 		},
 	}
 }
@@ -218,7 +215,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 		down = uint64(option.DownSpeed * mbpsToBps)
 	}
 	client, err := core.NewClient(
-		addr, ports, option.Protocol, auth, tlsConfig, quicConfig, clientTransport, up, down, func(refBPS uint64) congestion.CongestionControl {
+		addr, ports, option.Protocol, auth, tlsC.UConfig(tlsConfig), quicConfig, clientTransport, up, down, func(refBPS uint64) congestion.CongestionControl {
 			return hyCongestion.NewBrutalSender(congestion.ByteCount(refBPS))
 		}, obfuscator, hopInterval, option.FastOpen,
 	)
@@ -239,18 +236,16 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 		option: &option,
 		client: client,
 	}
-	runtime.SetFinalizer(outbound, closeHysteria)
 
 	return outbound, nil
 }
 
-func closeHysteria(h *Hysteria) {
+// Close implements C.ProxyAdapter
+func (h *Hysteria) Close() error {
 	if h.client != nil {
-		_ = h.client.Close()
+		return h.client.Close()
-	}
-	if h.closeCh != nil {
-		close(h.closeCh)
 	}
+	return nil
 }
 
 type hyPacketConn struct {

adapter/outbound/hysteria2.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"runtime"
 	"strconv"
 	"time"
 
@@ -15,15 +14,15 @@ import (
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
+	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 	tuicCommon "github.com/metacubex/mihomo/transport/tuic/common"
 
-	"github.com/metacubex/sing-quic/hysteria2"
-
 	"github.com/metacubex/quic-go"
 	"github.com/metacubex/randv2"
-	M "github.com/sagernet/sing/common/metadata"
+	"github.com/metacubex/sing-quic/hysteria2"
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 func init() {
@@ -39,8 +38,6 @@ type Hysteria2 struct {
 	option *Hysteria2Option
 	client *hysteria2.Client
 	dialer proxydialer.SingDialer
-
-	closeCh chan struct{} // for test
 }
 
 type Hysteria2Option struct {
@@ -71,19 +68,15 @@ type Hysteria2Option struct {
 	MaxConnectionReceiveWindow     uint64 `proxy:"max-connection-receive-window,omitempty"`
 }
 
-func (h *Hysteria2) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (h *Hysteria2) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	options := h.Base.DialOptions(opts...)
-	h.dialer.SetDialer(dialer.NewDialer(options...))
 	c, err := h.client.DialConn(ctx, M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 	if err != nil {
 		return nil, err
 	}
-	return NewConn(CN.NewRefConn(c, h), h), nil
+	return NewConn(c, h), nil
 }
 
-func (h *Hysteria2) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (h *Hysteria2) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	options := h.Base.DialOptions(opts...)
-	h.dialer.SetDialer(dialer.NewDialer(options...))
 	pc, err := h.client.ListenPacket(ctx)
 	if err != nil {
 		return nil, err
@@ -91,16 +84,15 @@ func (h *Hysteria2) ListenPacketContext(ctx context.Context, metadata *C.Metadat
 	if pc == nil {
 		return nil, errors.New("packetConn is nil")
 	}
-	return newPacketConn(CN.NewRefPacketConn(CN.NewThreadSafePacketConn(pc), h), h), nil
+	return newPacketConn(CN.NewThreadSafePacketConn(pc), h), nil
 }
 
-func closeHysteria2(h *Hysteria2) {
+// Close implements C.ProxyAdapter
+func (h *Hysteria2) Close() error {
 	if h.client != nil {
-		_ = h.client.CloseWithError(errors.New("proxy removed"))
+		return h.client.CloseWithError(errors.New("proxy removed"))
-	}
-	if h.closeCh != nil {
-		close(h.closeCh)
 	}
+	return nil
 }
 
 // ProxyInfo implements C.ProxyAdapter
@@ -112,6 +104,22 @@ func (h *Hysteria2) ProxyInfo() C.ProxyInfo {
 
 func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+	outbound := &Hysteria2{
+		Base: &Base{
+			name:   option.Name,
+			addr:   addr,
+			tp:     C.Hysteria2,
+			udp:    true,
+			iface:  option.Interface,
+			rmark:  option.RoutingMark,
+			prefer: C.NewDNSPrefer(option.IPVersion),
+		},
+		option: &option,
+	}
+
+	singDialer := proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer(outbound.DialOptions()...))
+	outbound.dialer = singDialer
+
 	var salamanderPassword string
 	if len(option.Obfs) > 0 {
 		if option.ObfsPassword == "" {
@@ -159,8 +167,6 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 		MaxConnectionReceiveWindow:     option.MaxConnectionReceiveWindow,
 	}
 
-	singDialer := proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer())
-
 	clientOptions := hysteria2.ClientOptions{
 		Context:            context.TODO(),
 		Dialer:             singDialer,
@@ -169,13 +175,13 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 		ReceiveBPS:         StringToBps(option.Down),
 		SalamanderPassword: salamanderPassword,
 		Password:           option.Password,
-		TLSConfig:          tlsConfig,
+		TLSConfig:          tlsC.UConfig(tlsConfig),
 		QUICConfig:         quicConfig,
 		UDPDisabled:        false,
 		CWND:               option.CWND,
 		UdpMTU:             option.UdpMTU,
 		ServerAddress: func(ctx context.Context) (*net.UDPAddr, error) {
-			return resolveUDPAddrWithPrefer(ctx, "udp", addr, C.NewDNSPrefer(option.IPVersion))
+			return resolveUDPAddr(ctx, "udp", addr, C.NewDNSPrefer(option.IPVersion))
 		},
 	}
 
@@ -192,7 +198,7 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 		})
 		if len(serverAddress) > 0 {
 			clientOptions.ServerAddress = func(ctx context.Context) (*net.UDPAddr, error) {
-				return resolveUDPAddrWithPrefer(ctx, "udp", serverAddress[randv2.IntN(len(serverAddress))], C.NewDNSPrefer(option.IPVersion))
+				return resolveUDPAddr(ctx, "udp", serverAddress[randv2.IntN(len(serverAddress))], C.NewDNSPrefer(option.IPVersion))
 			}
 
 			if option.HopInterval == 0 {
@@ -211,22 +217,7 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 	if err != nil {
 		return nil, err
 	}
-
+	outbound.client = client
-	outbound := &Hysteria2{
-		Base: &Base{
-			name:   option.Name,
-			addr:   addr,
-			tp:     C.Hysteria2,
-			udp:    true,
-			iface:  option.Interface,
-			rmark:  option.RoutingMark,
-			prefer: C.NewDNSPrefer(option.IPVersion),
-		},
-		option: &option,
-		client: client,
-		dialer: singDialer,
-	}
-	runtime.SetFinalizer(outbound, closeHysteria2)
 
 	return outbound, nil
 }

adapter/outbound/hysteria2_test.go

@@ -1,38 +0,0 @@
-package outbound
-
-import (
-	"context"
-	"runtime"
-	"testing"
-	"time"
-)
-
-func TestHysteria2GC(t *testing.T) {
-	option := Hysteria2Option{}
-	option.Server = "127.0.0.1"
-	option.Ports = "200,204,401-429,501-503"
-	option.HopInterval = 30
-	option.Password = "password"
-	option.Obfs = "salamander"
-	option.ObfsPassword = "password"
-	option.SNI = "example.com"
-	option.ALPN = []string{"h3"}
-	hy, err := NewHysteria2(option)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	closeCh := make(chan struct{})
-	hy.closeCh = closeCh
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	defer cancel()
-
-	hy = nil
-	runtime.GC()
-	select {
-	case <-closeCh:
-		return
-	case <-ctx.Done():
-		t.Error("timeout not GC")
-	}
-}

adapter/outbound/hysteria_test.go

@@ -1,39 +0,0 @@
-package outbound
-
-import (
-	"context"
-	"runtime"
-	"testing"
-	"time"
-)
-
-func TestHysteriaGC(t *testing.T) {
-	option := HysteriaOption{}
-	option.Server = "127.0.0.1"
-	option.Ports = "200,204,401-429,501-503"
-	option.Protocol = "udp"
-	option.Up = "1Mbps"
-	option.Down = "1Mbps"
-	option.HopInterval = 30
-	option.Obfs = "salamander"
-	option.SNI = "example.com"
-	option.ALPN = []string{"h3"}
-	hy, err := NewHysteria(option)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	closeCh := make(chan struct{})
-	hy.closeCh = closeCh
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	defer cancel()
-
-	hy = nil
-	runtime.GC()
-	select {
-	case <-closeCh:
-		return
-	case <-ctx.Done():
-		t.Error("timeout not GC")
-	}
-}

adapter/outbound/mieru.go

@@ -4,15 +4,16 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"runtime"
 	"strconv"
 	"sync"
 
+	CN "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	C "github.com/metacubex/mihomo/constant"
 
 	mieruclient "github.com/enfein/mieru/v3/apis/client"
+	mierucommon "github.com/enfein/mieru/v3/apis/common"
 	mierumodel "github.com/enfein/mieru/v3/apis/model"
 	mierupb "github.com/enfein/mieru/v3/pkg/appctl/appctlpb"
 	"google.golang.org/protobuf/proto"
@@ -32,14 +33,15 @@ type MieruOption struct {
 	Port         int    `proxy:"port,omitempty"`
 	PortRange    string `proxy:"port-range,omitempty"`
 	Transport    string `proxy:"transport"`
+	UDP          bool   `proxy:"udp,omitempty"`
 	UserName     string `proxy:"username"`
 	Password     string `proxy:"password"`
 	Multiplexing string `proxy:"multiplexing,omitempty"`
 }
 
 // DialContext implements C.ProxyAdapter
-func (m *Mieru) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (m *Mieru) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	if err := m.ensureClientIsRunning(opts...); err != nil {
+	if err := m.ensureClientIsRunning(); err != nil {
 		return nil, err
 	}
 	addr := metadataToMieruNetAddrSpec(metadata)
@@ -50,6 +52,23 @@ func (m *Mieru) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 	return NewConn(c, m), nil
 }
 
+// ListenPacketContext implements C.ProxyAdapter
+func (m *Mieru) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if err := m.ensureClientIsRunning(); err != nil {
+		return nil, err
+	}
+	c, err := m.client.DialContext(ctx, metadata.UDPAddr())
+	if err != nil {
+		return nil, fmt.Errorf("dial to %s failed: %w", metadata.UDPAddr(), err)
+	}
+	return newPacketConn(CN.NewThreadSafePacketConn(mierucommon.NewUDPAssociateWrapper(mierucommon.NewPacketOverStreamTunnel(c))), m), nil
+}
+
+// SupportUOT implements C.ProxyAdapter
+func (m *Mieru) SupportUOT() bool {
+	return true
+}
+
 // ProxyInfo implements C.ProxyAdapter
 func (m *Mieru) ProxyInfo() C.ProxyInfo {
 	info := m.Base.ProxyInfo()
@@ -57,7 +76,7 @@ func (m *Mieru) ProxyInfo() C.ProxyInfo {
 	return info
 }
 
-func (m *Mieru) ensureClientIsRunning(opts ...dialer.Option) error {
+func (m *Mieru) ensureClientIsRunning() error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
@@ -66,7 +85,7 @@ func (m *Mieru) ensureClientIsRunning(opts ...dialer.Option) error {
 	}
 
 	// Create a dialer and add it to the client config, before starting the client.
-	var dialer C.Dialer = dialer.NewDialer(m.Base.DialOptions(opts...)...)
+	var dialer C.Dialer = dialer.NewDialer(m.DialOptions()...)
 	var err error
 	if len(m.option.DialerProxy) > 0 {
 		dialer, err = proxydialer.NewByName(m.option.DialerProxy, dialer)
@@ -113,7 +132,7 @@ func NewMieru(option MieruOption) (*Mieru, error) {
 			addr:   addr,
 			iface:  option.Interface,
 			tp:     C.Mieru,
-			udp:    false,
+			udp:    option.UDP,
 			xudp:   false,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@@ -121,16 +140,17 @@ func NewMieru(option MieruOption) (*Mieru, error) {
 		option: &option,
 		client: c,
 	}
-	runtime.SetFinalizer(outbound, closeMieru)
 	return outbound, nil
 }
 
-func closeMieru(m *Mieru) {
+// Close implements C.ProxyAdapter
+func (m *Mieru) Close() error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	if m.client != nil && m.client.IsRunning() {
-		m.client.Stop()
+		return m.client.Stop()
 	}
+	return nil
 }
 
 func metadataToMieruNetAddrSpec(metadata *C.Metadata) mierumodel.NetAddrSpec {

adapter/outbound/reality.go

@@ -20,16 +20,19 @@ func (o RealityOptions) Parse() (*tlsC.RealityConfig, error) {
 		config := new(tlsC.RealityConfig)
 
 		const x25519ScalarSize = 32
-		var publicKey [x25519ScalarSize]byte
+		publicKey, err := base64.RawURLEncoding.DecodeString(o.PublicKey)
-		n, err := base64.RawURLEncoding.Decode(publicKey[:], []byte(o.PublicKey))
+		if err != nil || len(publicKey) != x25519ScalarSize {
-		if err != nil || n != x25519ScalarSize {
 			return nil, errors.New("invalid REALITY public key")
 		}
-		config.PublicKey, err = ecdh.X25519().NewPublicKey(publicKey[:])
+		config.PublicKey, err = ecdh.X25519().NewPublicKey(publicKey)
 		if err != nil {
 			return nil, fmt.Errorf("fail to create REALITY public key: %w", err)
 		}
 
+		n := hex.DecodedLen(len(o.ShortID))
+		if n > tlsC.RealityMaxShortIDLen {
+			return nil, errors.New("invalid REALITY short id")
+		}
 		n, err = hex.Decode(config.ShortID[:], []byte(o.ShortID))
 		if err != nil || n > tlsC.RealityMaxShortIDLen {
 			return nil, errors.New("invalid REALITY short ID")

adapter/outbound/reject.go

@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/metacubex/mihomo/common/buf"
-	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 )
 
@@ -21,7 +20,7 @@ type RejectOption struct {
 }
 
 // DialContext implements C.ProxyAdapter
-func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	if r.drop {
 		return NewConn(dropConn{}, r), nil
 	}
@@ -29,7 +28,7 @@ func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (r *Reject) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (r *Reject) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	return newPacketConn(&nopPacketConn{}, r), nil
 }
 

adapter/outbound/shadowsocks.go

@@ -13,16 +13,16 @@ import (
 	"github.com/metacubex/mihomo/component/proxydialer"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
+	gost "github.com/metacubex/mihomo/transport/gost-plugin"
 	"github.com/metacubex/mihomo/transport/restls"
 	obfs "github.com/metacubex/mihomo/transport/simple-obfs"
 	shadowtls "github.com/metacubex/mihomo/transport/sing-shadowtls"
 	v2rayObfs "github.com/metacubex/mihomo/transport/v2ray-plugin"
 
-	restlsC "github.com/3andne/restls-client-go"
 	shadowsocks "github.com/metacubex/sing-shadowsocks2"
-	"github.com/sagernet/sing/common/bufio"
+	"github.com/metacubex/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	"github.com/sagernet/sing/common/uot"
+	"github.com/metacubex/sing/common/uot"
 )
 
 type ShadowSocks struct {
@@ -34,8 +34,9 @@ type ShadowSocks struct {
 	obfsMode        string
 	obfsOption      *simpleObfsOption
 	v2rayOption     *v2rayObfs.Option
+	gostOption      *gost.Option
 	shadowTLSOption *shadowtls.ShadowTLSOption
-	restlsConfig    *restlsC.Config
+	restlsConfig    *restls.Config
 }
 
 type ShadowSocksOption struct {
@@ -71,12 +72,24 @@ type v2rayObfsOption struct {
 	V2rayHttpUpgradeFastOpen bool              `obfs:"v2ray-http-upgrade-fast-open,omitempty"`
 }
 
+type gostObfsOption struct {
+	Mode           string            `obfs:"mode"`
+	Host           string            `obfs:"host,omitempty"`
+	Path           string            `obfs:"path,omitempty"`
+	TLS            bool              `obfs:"tls,omitempty"`
+	Fingerprint    string            `obfs:"fingerprint,omitempty"`
+	Headers        map[string]string `obfs:"headers,omitempty"`
+	SkipCertVerify bool              `obfs:"skip-cert-verify,omitempty"`
+	Mux            bool              `obfs:"mux,omitempty"`
+}
+
 type shadowTLSOption struct {
-	Password       string `obfs:"password"`
+	Password       string   `obfs:"password,omitempty"`
-	Host           string `obfs:"host"`
+	Host           string   `obfs:"host"`
-	Fingerprint    string `obfs:"fingerprint,omitempty"`
+	Fingerprint    string   `obfs:"fingerprint,omitempty"`
-	SkipCertVerify bool   `obfs:"skip-cert-verify,omitempty"`
+	SkipCertVerify bool     `obfs:"skip-cert-verify,omitempty"`
-	Version        int    `obfs:"version,omitempty"`
+	Version        int      `obfs:"version,omitempty"`
+	ALPN           []string `obfs:"alpn,omitempty"`
 }
 
 type restlsOption struct {
@@ -87,7 +100,7 @@ type restlsOption struct {
 }
 
 // StreamConnContext implements C.ProxyAdapter
-func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
 	useEarly := false
 	switch ss.obfsMode {
 	case "tls":
@@ -96,20 +109,23 @@ func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metada
 		_, port, _ := net.SplitHostPort(ss.addr)
 		c = obfs.NewHTTPObfs(c, ss.obfsOption.Host, port)
 	case "websocket":
-		var err error
+		if ss.v2rayOption != nil {
-		c, err = v2rayObfs.NewV2rayObfs(ctx, c, ss.v2rayOption)
+			c, err = v2rayObfs.NewV2rayObfs(ctx, c, ss.v2rayOption)
+		} else if ss.gostOption != nil {
+			c, err = gost.NewGostWebsocket(ctx, c, ss.gostOption)
+		} else {
+			return nil, fmt.Errorf("plugin options is required")
+		}
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 		}
 	case shadowtls.Mode:
-		var err error
 		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
 		if err != nil {
 			return nil, err
 		}
 		useEarly = true
 	case restls.Mode:
-		var err error
 		c, err = restls.NewRestls(ctx, c, ss.restlsConfig)
 		if err != nil {
 			return nil, fmt.Errorf("%s (restls) connect error: %w", ss.addr, err)
@@ -117,6 +133,12 @@ func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metada
 		useEarly = true
 	}
 	useEarly = useEarly || N.NeedHandshake(c)
+	if !useEarly {
+		if ctx.Done() != nil {
+			done := N.SetupContextForConn(ctx, c)
+			defer done(&err)
+		}
+	}
 	if metadata.NetWork == C.UDP && ss.option.UDPOverTCP {
 		uotDestination := uot.RequestDestination(uint8(ss.option.UDPOverTCPVersion))
 		if useEarly {
@@ -133,8 +155,8 @@ func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metada
 }
 
 // DialContext implements C.ProxyAdapter
-func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.Base.DialOptions(opts...)...), metadata)
+	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -159,8 +181,8 @@ func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Diale
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (ss *ShadowSocks) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (ss *ShadowSocks) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	return ss.ListenPacketWithDialer(ctx, dialer.NewDialer(ss.Base.DialOptions(opts...)...), metadata)
+	return ss.ListenPacketWithDialer(ctx, dialer.NewDialer(ss.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -178,7 +200,7 @@ func (ss *ShadowSocks) ListenPacketWithDialer(ctx context.Context, dialer C.Dial
 			return nil, err
 		}
 	}
-	addr, err := resolveUDPAddrWithPrefer(ctx, "udp", ss.addr, ss.prefer)
+	addr, err := resolveUDPAddr(ctx, "udp", ss.addr, ss.prefer)
 	if err != nil {
 		return nil, err
 	}
@@ -240,9 +262,10 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	}
 
 	var v2rayOption *v2rayObfs.Option
+	var gostOption *gost.Option
 	var obfsOption *simpleObfsOption
 	var shadowTLSOpt *shadowtls.ShadowTLSOption
-	var restlsConfig *restlsC.Config
+	var restlsConfig *restls.Config
 	obfsMode := ""
 
 	decoder := structure.NewDecoder(structure.Option{TagName: "obfs", WeaklyTypedInput: true})
@@ -281,6 +304,28 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			v2rayOption.SkipCertVerify = opts.SkipCertVerify
 			v2rayOption.Fingerprint = opts.Fingerprint
 		}
+	} else if option.Plugin == "gost-plugin" {
+		opts := gostObfsOption{Host: "bing.com", Mux: true}
+		if err := decoder.Decode(option.PluginOpts, &opts); err != nil {
+			return nil, fmt.Errorf("ss %s initialize gost-plugin error: %w", addr, err)
+		}
+
+		if opts.Mode != "websocket" {
+			return nil, fmt.Errorf("ss %s obfs mode error: %s", addr, opts.Mode)
+		}
+		obfsMode = opts.Mode
+		gostOption = &gost.Option{
+			Host:    opts.Host,
+			Path:    opts.Path,
+			Headers: opts.Headers,
+			Mux:     opts.Mux,
+		}
+
+		if opts.TLS {
+			gostOption.TLS = true
+			gostOption.SkipCertVerify = opts.SkipCertVerify
+			gostOption.Fingerprint = opts.Fingerprint
+		}
 	} else if option.Plugin == shadowtls.Mode {
 		obfsMode = shadowtls.Mode
 		opt := &shadowTLSOption{
@@ -298,6 +343,12 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			SkipCertVerify:    opt.SkipCertVerify,
 			Version:           opt.Version,
 		}
+
+		if opt.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
+			shadowTLSOpt.ALPN = opt.ALPN
+		} else {
+			shadowTLSOpt.ALPN = shadowtls.DefaultALPN
+		}
 	} else if option.Plugin == restls.Mode {
 		obfsMode = restls.Mode
 		restlsOpt := &restlsOption{}
@@ -305,7 +356,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
 		}
 
-		restlsConfig, err = restlsC.NewRestlsConfig(restlsOpt.Host, restlsOpt.Password, restlsOpt.VersionHint, restlsOpt.RestlsScript, option.ClientFingerprint)
+		restlsConfig, err = restls.NewRestlsConfig(restlsOpt.Host, restlsOpt.Password, restlsOpt.VersionHint, restlsOpt.RestlsScript, option.ClientFingerprint)
 		if err != nil {
 			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
 		}
@@ -336,6 +387,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 		option:          &option,
 		obfsMode:        obfsMode,
 		v2rayOption:     v2rayOption,
+		gostOption:      gostOption,
 		obfsOption:      obfsOption,
 		shadowTLSOption: shadowTLSOpt,
 		restlsConfig:    restlsConfig,

adapter/outbound/shadowsocksr.go

@@ -42,12 +42,15 @@ type ShadowSocksROption struct {
 }
 
 // StreamConnContext implements C.ProxyAdapter
-func (ssr *ShadowSocksR) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+func (ssr *ShadowSocksR) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
+	if ctx.Done() != nil {
+		done := N.SetupContextForConn(ctx, c)
+		defer done(&err)
+	}
 	c = ssr.obfs.StreamConn(c)
 	c = ssr.cipher.StreamConn(c)
 	var (
-		iv  []byte
+		iv []byte
-		err error
 	)
 	switch conn := c.(type) {
 	case *shadowstream.Conn:
@@ -64,8 +67,8 @@ func (ssr *ShadowSocksR) StreamConnContext(ctx context.Context, c net.Conn, meta
 }
 
 // DialContext implements C.ProxyAdapter
-func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	return ssr.DialContextWithDialer(ctx, dialer.NewDialer(ssr.Base.DialOptions(opts...)...), metadata)
+	return ssr.DialContextWithDialer(ctx, dialer.NewDialer(ssr.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -90,8 +93,8 @@ func (ssr *ShadowSocksR) DialContextWithDialer(ctx context.Context, dialer C.Dia
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (ssr *ShadowSocksR) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (ssr *ShadowSocksR) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	return ssr.ListenPacketWithDialer(ctx, dialer.NewDialer(ssr.Base.DialOptions(opts...)...), metadata)
+	return ssr.ListenPacketWithDialer(ctx, dialer.NewDialer(ssr.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -102,7 +105,7 @@ func (ssr *ShadowSocksR) ListenPacketWithDialer(ctx context.Context, dialer C.Di
 			return nil, err
 		}
 	}
-	addr, err := resolveUDPAddrWithPrefer(ctx, "udp", ssr.addr, ssr.prefer)
+	addr, err := resolveUDPAddr(ctx, "udp", ssr.addr, ssr.prefer)
 	if err != nil {
 		return nil, err
 	}

adapter/outbound/singmux.go

@@ -3,7 +3,6 @@ package outbound
 import (
 	"context"
 	"errors"
-	"runtime"
 
 	CN "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
@@ -12,14 +11,13 @@ import (
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 
-	mux "github.com/sagernet/sing-mux"
+	mux "github.com/metacubex/sing-mux"
-	E "github.com/sagernet/sing/common/exceptions"
+	E "github.com/metacubex/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 type SingMux struct {
-	C.ProxyAdapter
+	ProxyAdapter
-	base    ProxyBase
 	client  *mux.Client
 	dialer  proxydialer.SingDialer
 	onlyTcp bool
@@ -43,26 +41,18 @@ type BrutalOption struct {
 	Down    string `proxy:"down,omitempty"`
 }
 
-type ProxyBase interface {
+func (s *SingMux) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	DialOptions(opts ...dialer.Option) []dialer.Option
-}
-
-func (s *SingMux) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	options := s.base.DialOptions(opts...)
-	s.dialer.SetDialer(dialer.NewDialer(options...))
 	c, err := s.client.DialContext(ctx, "tcp", M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 	if err != nil {
 		return nil, err
 	}
-	return NewConn(CN.NewRefConn(c, s), s.ProxyAdapter), err
+	return NewConn(c, s), err
 }
 
-func (s *SingMux) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (s *SingMux) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if s.onlyTcp {
-		return s.ProxyAdapter.ListenPacketContext(ctx, metadata, opts...)
+		return s.ProxyAdapter.ListenPacketContext(ctx, metadata)
 	}
-	options := s.base.DialOptions(opts...)
-	s.dialer.SetDialer(dialer.NewDialer(options...))
 
 	// sing-mux use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
@@ -80,7 +70,7 @@ func (s *SingMux) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 	if pc == nil {
 		return nil, E.New("packetConn is nil")
 	}
-	return newPacketConn(CN.NewRefPacketConn(CN.NewThreadSafePacketConn(pc), s), s.ProxyAdapter), nil
+	return newPacketConn(CN.NewThreadSafePacketConn(pc), s), nil
 }
 
 func (s *SingMux) SupportUDP() bool {
@@ -103,15 +93,19 @@ func (s *SingMux) ProxyInfo() C.ProxyInfo {
 	return info
 }
 
-func closeSingMux(s *SingMux) {
+// Close implements C.ProxyAdapter
-	_ = s.client.Close()
+func (s *SingMux) Close() error {
+	if s.client != nil {
+		_ = s.client.Close()
+	}
+	return s.ProxyAdapter.Close()
 }
 
-func NewSingMux(option SingMuxOption, proxy C.ProxyAdapter, base ProxyBase) (C.ProxyAdapter, error) {
+func NewSingMux(option SingMuxOption, proxy ProxyAdapter) (ProxyAdapter, error) {
 	// TODO
 	// "TCP Brutal is only supported on Linux-based systems"
 
-	singDialer := proxydialer.NewSingDialer(proxy, dialer.NewDialer(), option.Statistic)
+	singDialer := proxydialer.NewSingDialer(proxy, dialer.NewDialer(proxy.DialOptions()...), option.Statistic)
 	client, err := mux.NewClient(mux.Options{
 		Dialer:         singDialer,
 		Logger:         log.SingLogger,
@@ -131,11 +125,9 @@ func NewSingMux(option SingMuxOption, proxy C.ProxyAdapter, base ProxyBase) (C.P
 	}
 	outbound := &SingMux{
 		ProxyAdapter: proxy,
-		base:         base,
 		client:       client,
 		dialer:       singDialer,
 		onlyTcp:      option.OnlyTcp,
 	}
-	runtime.SetFinalizer(outbound, closeSingMux)
 	return outbound, nil
 }

adapter/outbound/snell.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"strconv"
 
+	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/structure"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
@@ -41,7 +42,7 @@ type streamOption struct {
 	obfsOption *simpleObfsOption
 }
 
-func streamConn(c net.Conn, option streamOption) *snell.Snell {
+func snellStreamConn(c net.Conn, option streamOption) *snell.Snell {
 	switch option.obfsOption.Mode {
 	case "tls":
 		c = obfs.NewTLSObfs(c, option.obfsOption.Host)
@@ -54,31 +55,41 @@ func streamConn(c net.Conn, option streamOption) *snell.Snell {
 
 // StreamConnContext implements C.ProxyAdapter
 func (s *Snell) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	c = streamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})
+	c = snellStreamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})
-	if metadata.NetWork == C.UDP {
+	err := s.writeHeaderContext(ctx, c, metadata)
-		err := snell.WriteUDPHeader(c, s.version)
-		return c, err
-	}
-	err := snell.WriteHeader(c, metadata.String(), uint(metadata.DstPort), s.version)
 	return c, err
 }
 
+func (s *Snell) writeHeaderContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (err error) {
+	if ctx.Done() != nil {
+		done := N.SetupContextForConn(ctx, c)
+		defer done(&err)
+	}
+
+	if metadata.NetWork == C.UDP {
+		err = snell.WriteUDPHeader(c, s.version)
+		return
+	}
+	err = snell.WriteHeader(c, metadata.String(), uint(metadata.DstPort), s.version)
+	return
+}
+
 // DialContext implements C.ProxyAdapter
-func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	if s.version == snell.Version2 && len(opts) == 0 {
+	if s.version == snell.Version2 {
 		c, err := s.pool.Get()
 		if err != nil {
 			return nil, err
 		}
 
-		if err = snell.WriteHeader(c, metadata.String(), uint(metadata.DstPort), s.version); err != nil {
+		if err = s.writeHeaderContext(ctx, c, metadata); err != nil {
-			c.Close()
+			_ = c.Close()
 			return nil, err
 		}
 		return NewConn(c, s), err
 	}
 
-	return s.DialContextWithDialer(ctx, dialer.NewDialer(s.Base.DialOptions(opts...)...), metadata)
+	return s.DialContextWithDialer(ctx, dialer.NewDialer(s.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -103,8 +114,8 @@ func (s *Snell) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (s *Snell) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (s *Snell) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	return s.ListenPacketWithDialer(ctx, dialer.NewDialer(s.Base.DialOptions(opts...)...), metadata)
+	return s.ListenPacketWithDialer(ctx, dialer.NewDialer(s.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -120,12 +131,8 @@ func (s *Snell) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 	if err != nil {
 		return nil, err
 	}
-	c = streamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})
 
-	err = snell.WriteUDPHeader(c, s.version)
+	c, err = s.StreamConnContext(ctx, c, metadata)
-	if err != nil {
-		return nil, err
-	}
 
 	pc := snell.PacketConn(c)
 	return newPacketConn(pc, s), nil
@@ -200,7 +207,7 @@ func NewSnell(option SnellOption) (*Snell, error) {
 	if option.Version == snell.Version2 {
 		s.pool = snell.NewPool(func(ctx context.Context) (*snell.Snell, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(s.Base.DialOptions()...)
+			var cDialer C.Dialer = dialer.NewDialer(s.DialOptions()...)
 			if len(s.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(s.option.DialerProxy, cDialer)
 				if err != nil {
@@ -212,7 +219,7 @@ func NewSnell(option SnellOption) (*Snell, error) {
 				return nil, err
 			}
 
-			return streamConn(c, streamOption{psk, option.Version, addr, obfsOption}), nil
+			return snellStreamConn(c, streamOption{psk, option.Version, addr, obfsOption}), nil
 		})
 	}
 	return s, nil

adapter/outbound/socks5.go

@@ -10,6 +10,7 @@ import (
 	"net/netip"
 	"strconv"
 
+	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
@@ -58,15 +59,15 @@ func (ss *Socks5) StreamConnContext(ctx context.Context, c net.Conn, metadata *C
 			Password: ss.pass,
 		}
 	}
-	if _, err := socks5.ClientHandshake(c, serializesSocksAddr(metadata), socks5.CmdConnect, user); err != nil {
+	if _, err := ss.clientHandshakeContext(ctx, c, serializesSocksAddr(metadata), socks5.CmdConnect, user); err != nil {
 		return nil, err
 	}
 	return c, nil
 }
 
 // DialContext implements C.ProxyAdapter
-func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.Base.DialOptions(opts...)...), metadata)
+	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -100,8 +101,8 @@ func (ss *Socks5) SupportWithDialer() C.NetWork {
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	var cDialer C.Dialer = dialer.NewDialer(ss.Base.DialOptions(opts...)...)
+	var cDialer C.Dialer = dialer.NewDialer(ss.DialOptions()...)
 	if len(ss.option.DialerProxy) > 0 {
 		cDialer, err = proxydialer.NewByName(ss.option.DialerProxy, cDialer)
 		if err != nil {
@@ -135,7 +136,7 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 	}
 
 	udpAssocateAddr := socks5.AddrFromStdAddrPort(netip.AddrPortFrom(netip.IPv4Unspecified(), 0))
-	bindAddr, err := socks5.ClientHandshake(c, udpAssocateAddr, socks5.CmdUDPAssociate, user)
+	bindAddr, err := ss.clientHandshakeContext(ctx, c, udpAssocateAddr, socks5.CmdUDPAssociate, user)
 	if err != nil {
 		err = fmt.Errorf("client hanshake error: %w", err)
 		return
@@ -147,7 +148,7 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		err = errors.New("invalid UDP bind address")
 		return
 	} else if bindUDPAddr.IP.IsUnspecified() {
-		serverAddr, err := resolveUDPAddr(ctx, "udp", ss.Addr())
+		serverAddr, err := resolveUDPAddr(ctx, "udp", ss.Addr(), C.IPv4Prefer)
 		if err != nil {
 			return nil, err
 		}
@@ -178,6 +179,14 @@ func (ss *Socks5) ProxyInfo() C.ProxyInfo {
 	return info
 }
 
+func (ss *Socks5) clientHandshakeContext(ctx context.Context, c net.Conn, addr socks5.Addr, command socks5.Command, user *socks5.User) (_ socks5.Addr, err error) {
+	if ctx.Done() != nil {
+		done := N.SetupContextForConn(ctx, c)
+		defer done(&err)
+	}
+	return socks5.ClientHandshake(c, addr, command, user)
+}
+
 func NewSocks5(option Socks5Option) (*Socks5, error) {
 	var tlsConfig *tls.Config
 	if option.TLS {

adapter/outbound/ssh.go

@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"net"
 	"os"
-	"runtime"
 	"strconv"
 	"strings"
 	"sync"
@@ -25,7 +24,10 @@ type Ssh struct {
 	*Base
 
 	option *SshOption
-	client *sshClient // using a standalone struct to avoid its inner loop invalidate the Finalizer
+
+	config *ssh.ClientConfig
+	client *ssh.Client
+	cMutex sync.Mutex
 }
 
 type SshOption struct {
@@ -41,15 +43,15 @@ type SshOption struct {
 	HostKeyAlgorithms    []string `proxy:"host-key-algorithms,omitempty"`
 }
 
-func (s *Ssh) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (s *Ssh) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	var cDialer C.Dialer = dialer.NewDialer(s.Base.DialOptions(opts...)...)
+	var cDialer C.Dialer = dialer.NewDialer(s.DialOptions()...)
 	if len(s.option.DialerProxy) > 0 {
 		cDialer, err = proxydialer.NewByName(s.option.DialerProxy, cDialer)
 		if err != nil {
 			return nil, err
 		}
 	}
-	client, err := s.client.connect(ctx, cDialer, s.addr)
+	client, err := s.connect(ctx, cDialer, s.addr)
 	if err != nil {
 		return nil, err
 	}
@@ -58,16 +60,10 @@ func (s *Ssh) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dia
 		return nil, err
 	}
 
-	return NewConn(N.NewRefConn(c, s), s), nil
+	return NewConn(c, s), nil
 }
 
-type sshClient struct {
+func (s *Ssh) connect(ctx context.Context, cDialer C.Dialer, addr string) (client *ssh.Client, err error) {
-	config *ssh.ClientConfig
-	client *ssh.Client
-	cMutex sync.Mutex
-}
-
-func (s *sshClient) connect(ctx context.Context, cDialer C.Dialer, addr string) (client *ssh.Client, err error) {
 	s.cMutex.Lock()
 	defer s.cMutex.Unlock()
 	if s.client != nil {
@@ -108,7 +104,15 @@ func (s *sshClient) connect(ctx context.Context, cDialer C.Dialer, addr string)
 	return client, nil
 }
 
-func (s *sshClient) Close() error {
+// ProxyInfo implements C.ProxyAdapter
+func (s *Ssh) ProxyInfo() C.ProxyInfo {
+	info := s.Base.ProxyInfo()
+	info.DialerProxy = s.option.DialerProxy
+	return info
+}
+
+// Close implements C.ProxyAdapter
+func (s *Ssh) Close() error {
 	s.cMutex.Lock()
 	defer s.cMutex.Unlock()
 	if s.client != nil {
@@ -117,17 +121,6 @@ func (s *sshClient) Close() error {
 	return nil
 }
 
-func closeSsh(s *Ssh) {
-	_ = s.client.Close()
-}
-
-// ProxyInfo implements C.ProxyAdapter
-func (s *Ssh) ProxyInfo() C.ProxyInfo {
-	info := s.Base.ProxyInfo()
-	info.DialerProxy = s.option.DialerProxy
-	return info
-}
-
 func NewSsh(option SshOption) (*Ssh, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 
@@ -143,7 +136,11 @@ func NewSsh(option SshOption) (*Ssh, error) {
 		if strings.Contains(option.PrivateKey, "PRIVATE KEY") {
 			b = []byte(option.PrivateKey)
 		} else {
-			b, err = os.ReadFile(C.Path.Resolve(option.PrivateKey))
+			path := C.Path.Resolve(option.PrivateKey)
+			if !C.Path.IsSafePath(path) {
+				return nil, fmt.Errorf("path is not subpath of home directory: %s", path)
+			}
+			b, err = os.ReadFile(path)
 			if err != nil {
 				return nil, err
 			}
@@ -204,11 +201,8 @@ func NewSsh(option SshOption) (*Ssh, error) {
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		option: &option,
-		client: &sshClient{
+		config: &config,
-			config: &config,
-		},
 	}
-	runtime.SetFinalizer(outbound, closeSsh)
 
 	return outbound, nil
 }

adapter/outbound/trojan.go

@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"strconv"
 
+	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
@@ -17,12 +18,13 @@ import (
 	"github.com/metacubex/mihomo/transport/gun"
 	"github.com/metacubex/mihomo/transport/shadowsocks/core"
 	"github.com/metacubex/mihomo/transport/trojan"
+	"github.com/metacubex/mihomo/transport/vmess"
 )
 
 type Trojan struct {
 	*Base
-	instance *trojan.Trojan
+	option      *TrojanOption
-	option   *TrojanOption
+	hexPassword [trojan.KeyLength]byte
 
 	// for gun mux
 	gunTLSConfig *tls.Config
@@ -60,15 +62,21 @@ type TrojanSSOption struct {
 	Password string `proxy:"password,omitempty"`
 }
 
-func (t *Trojan) plainStream(ctx context.Context, c net.Conn) (net.Conn, error) {
+// StreamConnContext implements C.ProxyAdapter
-	if t.option.Network == "ws" {
+func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
+	switch t.option.Network {
+	case "ws":
 		host, port, _ := net.SplitHostPort(t.addr)
-		wsOpts := &trojan.WebsocketOption{
+
+		wsOpts := &vmess.WebsocketConfig{
 			Host:                     host,
 			Port:                     port,
 			Path:                     t.option.WSOpts.Path,
+			MaxEarlyData:             t.option.WSOpts.MaxEarlyData,
+			EarlyDataHeaderName:      t.option.WSOpts.EarlyDataHeaderName,
 			V2rayHttpUpgrade:         t.option.WSOpts.V2rayHttpUpgrade,
 			V2rayHttpUpgradeFastOpen: t.option.WSOpts.V2rayHttpUpgradeFastOpen,
+			ClientFingerprint:        t.option.ClientFingerprint,
 			Headers:                  http.Header{},
 		}
 
@@ -82,63 +90,101 @@ func (t *Trojan) plainStream(ctx context.Context, c net.Conn) (net.Conn, error)
 			}
 		}
 
-		return t.instance.StreamWebsocketConn(ctx, c, wsOpts)
+		alpn := trojan.DefaultWebsocketALPN
-	}
+		if len(t.option.ALPN) != 0 {
+			alpn = t.option.ALPN
+		}
 
-	return t.instance.StreamConn(ctx, c)
+		wsOpts.TLS = true
-}
+		tlsConfig := &tls.Config{
+			NextProtos:         alpn,
+			MinVersion:         tls.VersionTLS12,
+			InsecureSkipVerify: t.option.SkipCertVerify,
+			ServerName:         t.option.SNI,
+		}
 
-// StreamConnContext implements C.ProxyAdapter
+		wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, t.option.Fingerprint)
-func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	var err error
-
-	if tlsC.HaveGlobalFingerprint() && len(t.option.ClientFingerprint) == 0 {
-		t.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
-	}
-
-	if t.transport != nil {
-		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig, t.realityConfig)
-	} else {
-		c, err = t.plainStream(ctx, c)
-	}
-
-	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
-	}
-
-	if t.ssCipher != nil {
-		c = t.ssCipher.StreamConn(c)
-	}
-
-	if metadata.NetWork == C.UDP {
-		err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
-		return c, err
-	}
-	err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata))
-	return c, err
-}
-
-// DialContext implements C.ProxyAdapter
-func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	// gun transport
-	if t.transport != nil && len(opts) == 0 {
-		c, err := gun.StreamGunWithTransport(t.transport, t.gunConfig)
 		if err != nil {
 			return nil, err
 		}
 
-		if t.ssCipher != nil {
+		c, err = vmess.StreamWebsocketConn(ctx, c, wsOpts)
-			c = t.ssCipher.StreamConn(c)
+	case "grpc":
+		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig, t.realityConfig)
+	default:
+		// default tcp network
+		// handle TLS
+		alpn := trojan.DefaultALPN
+		if len(t.option.ALPN) != 0 {
+			alpn = t.option.ALPN
 		}
+		c, err = vmess.StreamTLSConn(ctx, c, &vmess.TLSConfig{
+			Host:              t.option.SNI,
+			SkipCertVerify:    t.option.SkipCertVerify,
+			FingerPrint:       t.option.Fingerprint,
+			ClientFingerprint: t.option.ClientFingerprint,
+			NextProtos:        alpn,
+			Reality:           t.realityConfig,
+		})
+	}
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
+	}
 
-		if err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata)); err != nil {
+	return t.streamConnContext(ctx, c, metadata)
-			c.Close()
+}
+
+func (t *Trojan) streamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
+	if t.ssCipher != nil {
+		c = t.ssCipher.StreamConn(c)
+	}
+
+	if ctx.Done() != nil {
+		done := N.SetupContextForConn(ctx, c)
+		defer done(&err)
+	}
+	command := trojan.CommandTCP
+	if metadata.NetWork == C.UDP {
+		command = trojan.CommandUDP
+	}
+	err = trojan.WriteHeader(c, t.hexPassword, command, serializesSocksAddr(metadata))
+	return c, err
+}
+
+func (t *Trojan) writeHeaderContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (err error) {
+	if ctx.Done() != nil {
+		done := N.SetupContextForConn(ctx, c)
+		defer done(&err)
+	}
+	command := trojan.CommandTCP
+	if metadata.NetWork == C.UDP {
+		command = trojan.CommandUDP
+	}
+	err = trojan.WriteHeader(c, t.hexPassword, command, serializesSocksAddr(metadata))
+	return err
+}
+
+// DialContext implements C.ProxyAdapter
+func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
+	var c net.Conn
+	// gun transport
+	if t.transport != nil {
+		c, err = gun.StreamGunWithTransport(t.transport, t.gunConfig)
+		if err != nil {
+			return nil, err
+		}
+		defer func(c net.Conn) {
+			safeConnClose(c, err)
+		}(c)
+
+		c, err = t.streamConnContext(ctx, c, metadata)
+		if err != nil {
 			return nil, err
 		}
 
 		return NewConn(c, t), nil
 	}
-	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -167,11 +213,11 @@ func (t *Trojan) DialContextWithDialer(ctx context.Context, dialer C.Dialer, met
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	var c net.Conn
 
 	// grpc transport
-	if t.transport != nil && len(opts) == 0 {
+	if t.transport != nil {
 		c, err = gun.StreamGunWithTransport(t.transport, t.gunConfig)
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
@@ -180,19 +226,15 @@ func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 			safeConnClose(c, err)
 		}(c)
 
-		if t.ssCipher != nil {
+		c, err = t.streamConnContext(ctx, c, metadata)
-			c = t.ssCipher.StreamConn(c)
-		}
-
-		err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
 		if err != nil {
 			return nil, err
 		}
 
-		pc := t.instance.PacketConn(c)
+		pc := trojan.NewPacketConn(c)
 		return newPacketConn(pc, t), err
 	}
-	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -210,21 +252,12 @@ func (t *Trojan) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, me
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
-	c, err = t.plainStream(ctx, c)
+	c, err = t.StreamConnContext(ctx, c, metadata)
-	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
-	}
-
-	if t.ssCipher != nil {
-		c = t.ssCipher.StreamConn(c)
-	}
-
-	err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
 	if err != nil {
 		return nil, err
 	}
 
-	pc := t.instance.PacketConn(c)
+	pc := trojan.NewPacketConn(c)
 	return newPacketConn(pc, t), err
 }
 
@@ -235,7 +268,7 @@ func (t *Trojan) SupportWithDialer() C.NetWork {
 
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (t *Trojan) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	pc := t.instance.PacketConn(c)
+	pc := trojan.NewPacketConn(c)
 	return newPacketConn(pc, t), err
 }
 
@@ -251,20 +284,19 @@ func (t *Trojan) ProxyInfo() C.ProxyInfo {
 	return info
 }
 
+// Close implements C.ProxyAdapter
+func (t *Trojan) Close() error {
+	if t.transport != nil {
+		return t.transport.Close()
+	}
+	return nil
+}
+
 func NewTrojan(option TrojanOption) (*Trojan, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 
-	tOption := &trojan.Option{
+	if option.SNI == "" {
-		Password:          option.Password,
+		option.SNI = option.Server
-		ALPN:              option.ALPN,
-		ServerName:        option.Server,
-		SkipCertVerify:    option.SkipCertVerify,
-		Fingerprint:       option.Fingerprint,
-		ClientFingerprint: option.ClientFingerprint,
-	}
-
-	if option.SNI != "" {
-		tOption.ServerName = option.SNI
 	}
 
 	t := &Trojan{
@@ -279,8 +311,8 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		instance: trojan.New(tOption),
+		option:      &option,
-		option:   &option,
+		hexPassword: trojan.Key(option.Password),
 	}
 
 	var err error
@@ -288,7 +320,6 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 	if err != nil {
 		return nil, err
 	}
-	tOption.Reality = t.realityConfig
 
 	if option.SSOpts.Enabled {
 		if option.SSOpts.Password == "" {
@@ -305,16 +336,16 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 	}
 
 	if option.Network == "grpc" {
-		dialFn := func(network, addr string) (net.Conn, error) {
+		dialFn := func(ctx context.Context, network, addr string) (net.Conn, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(t.Base.DialOptions()...)
+			var cDialer C.Dialer = dialer.NewDialer(t.DialOptions()...)
 			if len(t.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(t.option.DialerProxy, cDialer)
 				if err != nil {
 					return nil, err
 				}
 			}
-			c, err := cDialer.DialContext(context.Background(), "tcp", t.addr)
+			c, err := cDialer.DialContext(ctx, "tcp", t.addr)
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", t.addr, err.Error())
 			}
@@ -324,8 +355,8 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		tlsConfig := &tls.Config{
 			NextProtos:         option.ALPN,
 			MinVersion:         tls.VersionTLS12,
-			InsecureSkipVerify: tOption.SkipCertVerify,
+			InsecureSkipVerify: option.SkipCertVerify,
-			ServerName:         tOption.ServerName,
+			ServerName:         option.SNI,
 		}
 
 		var err error
@@ -334,12 +365,13 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			return nil, err
 		}
 
-		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, tOption.ClientFingerprint, t.realityConfig)
+		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, option.ClientFingerprint, t.realityConfig)
 
 		t.gunTLSConfig = tlsConfig
 		t.gunConfig = &gun.Config{
-			ServiceName: option.GrpcOpts.GrpcServiceName,
+			ServiceName:       option.GrpcOpts.GrpcServiceName,
-			Host:        tOption.ServerName,
+			Host:              option.SNI,
+			ClientFingerprint: option.ClientFingerprint,
 		}
 	}
 

adapter/outbound/tuic.go

@@ -14,13 +14,14 @@ import (
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	"github.com/metacubex/mihomo/component/resolver"
+	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/tuic"
 
 	"github.com/gofrs/uuid/v5"
 	"github.com/metacubex/quic-go"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	"github.com/sagernet/sing/common/uot"
+	"github.com/metacubex/sing/common/uot"
 )
 
 type Tuic struct {
@@ -65,8 +66,8 @@ type TuicOption struct {
 }
 
 // DialContext implements C.ProxyAdapter
-func (t *Tuic) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (t *Tuic) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -79,8 +80,8 @@ func (t *Tuic) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metad
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (t *Tuic) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (t *Tuic) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -130,7 +131,7 @@ func (t *Tuic) dialWithDialer(ctx context.Context, dialer C.Dialer) (transport *
 			return nil, nil, err
 		}
 	}
-	udpAddr, err := resolveUDPAddrWithPrefer(ctx, "udp", t.addr, t.prefer)
+	udpAddr, err := resolveUDPAddr(ctx, "udp", t.addr, t.prefer)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -284,7 +285,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 	if len(option.Token) > 0 {
 		tkn := tuic.GenTKN(option.Token)
 		clientOption := &tuic.ClientOptionV4{
-			TlsConfig:             tlsConfig,
+			TlsConfig:             tlsC.UConfig(tlsConfig),
 			QuicConfig:            quicConfig,
 			Token:                 tkn,
 			UdpRelayMode:          udpRelayMode,
@@ -304,7 +305,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			maxUdpRelayPacketSize = tuic.MaxFragSizeV5
 		}
 		clientOption := &tuic.ClientOptionV5{
-			TlsConfig:             tlsConfig,
+			TlsConfig:             tlsC.UConfig(tlsConfig),
 			QuicConfig:            quicConfig,
 			Uuid:                  uuid.FromStringOrNil(option.UUID),
 			Password:              option.Password,

adapter/outbound/util.go

@@ -3,118 +3,59 @@ package outbound
 import (
 	"bytes"
 	"context"
-	"crypto/tls"
 	"fmt"
 	"net"
 	"net/netip"
 	"regexp"
 	"strconv"
-	"sync"
 
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/socks5"
 )
 
-var (
-	globalClientSessionCache tls.ClientSessionCache
-	once                     sync.Once
-)
-
-func getClientSessionCache() tls.ClientSessionCache {
-	once.Do(func() {
-		globalClientSessionCache = tls.NewLRUClientSessionCache(128)
-	})
-	return globalClientSessionCache
-}
-
 func serializesSocksAddr(metadata *C.Metadata) []byte {
 	var buf [][]byte
 	addrType := metadata.AddrType()
-	aType := uint8(addrType)
 	p := uint(metadata.DstPort)
 	port := []byte{uint8(p >> 8), uint8(p & 0xff)}
 	switch addrType {
-	case socks5.AtypDomainName:
+	case C.AtypDomainName:
 		lenM := uint8(len(metadata.Host))
 		host := []byte(metadata.Host)
-		buf = [][]byte{{aType, lenM}, host, port}
+		buf = [][]byte{{socks5.AtypDomainName, lenM}, host, port}
-	case socks5.AtypIPv4:
+	case C.AtypIPv4:
 		host := metadata.DstIP.AsSlice()
-		buf = [][]byte{{aType}, host, port}
+		buf = [][]byte{{socks5.AtypIPv4}, host, port}
-	case socks5.AtypIPv6:
+	case C.AtypIPv6:
 		host := metadata.DstIP.AsSlice()
-		buf = [][]byte{{aType}, host, port}
+		buf = [][]byte{{socks5.AtypIPv6}, host, port}
 	}
 	return bytes.Join(buf, nil)
 }
 
-func resolveUDPAddr(ctx context.Context, network, address string) (*net.UDPAddr, error) {
+func resolveUDPAddr(ctx context.Context, network, address string, prefer C.DNSPrefer) (*net.UDPAddr, error) {
-	host, port, err := net.SplitHostPort(address)
-	if err != nil {
-		return nil, err
-	}
-
-	ip, err := resolver.ResolveIPWithResolver(ctx, host, resolver.ProxyServerHostResolver)
-	if err != nil {
-		return nil, err
-	}
-	return net.ResolveUDPAddr(network, net.JoinHostPort(ip.String(), port))
-}
-
-func resolveUDPAddrWithPrefer(ctx context.Context, network, address string, prefer C.DNSPrefer) (*net.UDPAddr, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	var ip netip.Addr
-	var fallback netip.Addr
 	switch prefer {
 	case C.IPv4Only:
 		ip, err = resolver.ResolveIPv4WithResolver(ctx, host, resolver.ProxyServerHostResolver)
 	case C.IPv6Only:
 		ip, err = resolver.ResolveIPv6WithResolver(ctx, host, resolver.ProxyServerHostResolver)
 	case C.IPv6Prefer:
-		var ips []netip.Addr
+		ip, err = resolver.ResolveIPPrefer6WithResolver(ctx, host, resolver.ProxyServerHostResolver)
-		ips, err = resolver.LookupIPWithResolver(ctx, host, resolver.ProxyServerHostResolver)
-		if err == nil {
-			for _, addr := range ips {
-				if addr.Is6() {
-					ip = addr
-					break
-				} else {
-					if !fallback.IsValid() {
-						fallback = addr
-					}
-				}
-			}
-		}
 	default:
-		// C.IPv4Prefer, C.DualStack and other
+		ip, err = resolver.ResolveIPWithResolver(ctx, host, resolver.ProxyServerHostResolver)
-		var ips []netip.Addr
-		ips, err = resolver.LookupIPWithResolver(ctx, host, resolver.ProxyServerHostResolver)
-		if err == nil {
-			for _, addr := range ips {
-				if addr.Is4() {
-					ip = addr
-					break
-				} else {
-					if !fallback.IsValid() {
-						fallback = addr
-					}
-				}
-			}
-
-		}
-	}
-
-	if !ip.IsValid() && fallback.IsValid() {
-		ip = fallback
 	}
 
 	if err != nil {
 		return nil, err
 	}
+
+	ip, port = resolver.LookupIP4P(ip, port)
 	return net.ResolveUDPAddr(network, net.JoinHostPort(ip.String(), port))
 }
 

adapter/outbound/vless.go

@@ -22,13 +22,12 @@ import (
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/gun"
-	"github.com/metacubex/mihomo/transport/socks5"
 	"github.com/metacubex/mihomo/transport/vless"
 	"github.com/metacubex/mihomo/transport/vmess"
 
 	vmessSing "github.com/metacubex/sing-vmess"
 	"github.com/metacubex/sing-vmess/packetaddr"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 const (
@@ -76,13 +75,7 @@ type VlessOption struct {
 	ClientFingerprint string            `proxy:"client-fingerprint,omitempty"`
 }
 
-func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
-	var err error
-
-	if tlsC.HaveGlobalFingerprint() && len(v.option.ClientFingerprint) == 0 {
-		v.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
-	}
-
 	switch v.option.Network {
 	case "ws":
 		host, port, _ := net.SplitHostPort(v.addr)
@@ -156,7 +149,7 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			Path:  v.option.HTTP2Opts.Path,
 		}
 
-		c, err = vmess.StreamH2Conn(c, h2Opts)
+		c, err = vmess.StreamH2Conn(ctx, c, h2Opts)
 	case "grpc":
 		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
 	default:
@@ -169,10 +162,14 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		return nil, err
 	}
 
-	return v.streamConn(c, metadata)
+	return v.streamConnContext(ctx, c, metadata)
 }
 
-func (v *Vless) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err error) {
+func (v *Vless) streamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (conn net.Conn, err error) {
+	if ctx.Done() != nil {
+		done := N.SetupContextForConn(ctx, c)
+		defer done(&err)
+	}
 	if metadata.NetWork == C.UDP {
 		if v.option.PacketAddr {
 			metadata = &C.Metadata{
@@ -228,10 +225,11 @@ func (v *Vless) streamTLSConn(ctx context.Context, conn net.Conn, isH2 bool) (ne
 }
 
 // DialContext implements C.ProxyAdapter
-func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
+	var c net.Conn
 	// gun transport
-	if v.transport != nil && len(opts) == 0 {
+	if v.transport != nil {
-		c, err := gun.StreamGunWithTransport(v.transport, v.gunConfig)
+		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
 		}
@@ -239,14 +237,14 @@ func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 			safeConnClose(c, err)
 		}(c)
 
-		c, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
+		c, err = v.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, err
 		}
 
 		return NewConn(c, v), nil
 	}
-	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -273,7 +271,7 @@ func (v *Vless) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
@@ -284,7 +282,7 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 	}
 	var c net.Conn
 	// gun transport
-	if v.transport != nil && len(opts) == 0 {
+	if v.transport != nil {
 		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
@@ -293,14 +291,14 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 			safeConnClose(c, err)
 		}(c)
 
-		c, err = v.streamConn(c, metadata)
+		c, err = v.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, fmt.Errorf("new vless client error: %v", err)
 		}
 
 		return v.ListenPacketOnStreamConn(ctx, c, metadata)
 	}
-	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -385,19 +383,27 @@ func (v *Vless) ProxyInfo() C.ProxyInfo {
 	return info
 }
 
+// Close implements C.ProxyAdapter
+func (v *Vless) Close() error {
+	if v.transport != nil {
+		return v.transport.Close()
+	}
+	return nil
+}
+
 func parseVlessAddr(metadata *C.Metadata, xudp bool) *vless.DstAddr {
 	var addrType byte
 	var addr []byte
 	switch metadata.AddrType() {
-	case socks5.AtypIPv4:
+	case C.AtypIPv4:
 		addrType = vless.AtypIPv4
 		addr = make([]byte, net.IPv4len)
 		copy(addr[:], metadata.DstIP.AsSlice())
-	case socks5.AtypIPv6:
+	case C.AtypIPv6:
 		addrType = vless.AtypIPv6
 		addr = make([]byte, net.IPv6len)
 		copy(addr[:], metadata.DstIP.AsSlice())
-	case socks5.AtypDomainName:
+	case C.AtypDomainName:
 		addrType = vless.AtypDomainName
 		addr = make([]byte, len(metadata.Host)+1)
 		addr[0] = byte(len(metadata.Host))
@@ -563,16 +569,16 @@ func NewVless(option VlessOption) (*Vless, error) {
 			option.HTTP2Opts.Host = append(option.HTTP2Opts.Host, "www.example.com")
 		}
 	case "grpc":
-		dialFn := func(network, addr string) (net.Conn, error) {
+		dialFn := func(ctx context.Context, network, addr string) (net.Conn, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(v.Base.DialOptions()...)
+			var cDialer C.Dialer = dialer.NewDialer(v.DialOptions()...)
 			if len(v.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(v.option.DialerProxy, cDialer)
 				if err != nil {
 					return nil, err
 				}
 			}
-			c, err := cDialer.DialContext(context.Background(), "tcp", v.addr)
+			c, err := cDialer.DialContext(ctx, "tcp", v.addr)
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 			}
@@ -589,10 +595,13 @@ func NewVless(option VlessOption) (*Vless, error) {
 		}
 		var tlsConfig *tls.Config
 		if option.TLS {
-			tlsConfig = ca.GetGlobalTLSConfig(&tls.Config{
+			tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{
 				InsecureSkipVerify: v.option.SkipCertVerify,
 				ServerName:         v.option.ServerName,
-			})
+			}, v.option.Fingerprint)
+			if err != nil {
+				return nil, err
+			}
 			if option.ServerName == "" {
 				host, _, _ := net.SplitHostPort(v.addr)
 				tlsConfig.ServerName = host

adapter/outbound/vmess.go

@@ -25,7 +25,7 @@ import (
 
 	vmess "github.com/metacubex/sing-vmess"
 	"github.com/metacubex/sing-vmess/packetaddr"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 var ErrUDPRemoteAddrMismatch = errors.New("udp packet dropped due to mismatched remote address")
@@ -96,13 +96,7 @@ type WSOptions struct {
 }
 
 // StreamConnContext implements C.ProxyAdapter
-func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
-	var err error
-
-	if tlsC.HaveGlobalFingerprint() && (len(v.option.ClientFingerprint) == 0) {
-		v.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
-	}
-
 	switch v.option.Network {
 	case "ws":
 		host, port, _ := net.SplitHostPort(v.addr)
@@ -199,7 +193,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			Path:  v.option.HTTP2Opts.Path,
 		}
 
-		c, err = mihomoVMess.StreamH2Conn(c, h2Opts)
+		c, err = mihomoVMess.StreamH2Conn(ctx, c, h2Opts)
 	case "grpc":
 		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
 	default:
@@ -226,17 +220,24 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 	if err != nil {
 		return nil, err
 	}
-	return v.streamConn(c, metadata)
+	return v.streamConnContext(ctx, c, metadata)
 }
 
-func (v *Vmess) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err error) {
+func (v *Vmess) streamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (conn net.Conn, err error) {
+	useEarly := N.NeedHandshake(c)
+	if !useEarly {
+		if ctx.Done() != nil {
+			done := N.SetupContextForConn(ctx, c)
+			defer done(&err)
+		}
+	}
 	if metadata.NetWork == C.UDP {
 		if v.option.XUDP {
 			var globalID [8]byte
 			if metadata.SourceValid() {
 				globalID = utils.GlobalID(metadata.SourceAddress())
 			}
-			if N.NeedHandshake(c) {
+			if useEarly {
 				conn = v.client.DialEarlyXUDPPacketConn(c,
 					globalID,
 					M.SocksaddrFromNet(metadata.UDPAddr()))
@@ -246,7 +247,7 @@ func (v *Vmess) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err
 					M.SocksaddrFromNet(metadata.UDPAddr()))
 			}
 		} else if v.option.PacketAddr {
-			if N.NeedHandshake(c) {
+			if useEarly {
 				conn = v.client.DialEarlyPacketConn(c,
 					M.ParseSocksaddrHostPort(packetaddr.SeqPacketMagicAddress, 443))
 			} else {
@@ -255,7 +256,7 @@ func (v *Vmess) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err
 			}
 			conn = packetaddr.NewBindConn(conn)
 		} else {
-			if N.NeedHandshake(c) {
+			if useEarly {
 				conn = v.client.DialEarlyPacketConn(c,
 					M.SocksaddrFromNet(metadata.UDPAddr()))
 			} else {
@@ -264,7 +265,7 @@ func (v *Vmess) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err
 			}
 		}
 	} else {
-		if N.NeedHandshake(c) {
+		if useEarly {
 			conn = v.client.DialEarlyConn(c,
 				M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 		} else {
@@ -279,10 +280,11 @@ func (v *Vmess) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err
 }
 
 // DialContext implements C.ProxyAdapter
-func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
+	var c net.Conn
 	// gun transport
-	if v.transport != nil && len(opts) == 0 {
+	if v.transport != nil {
-		c, err := gun.StreamGunWithTransport(v.transport, v.gunConfig)
+		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
 		}
@@ -290,14 +292,14 @@ func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 			safeConnClose(c, err)
 		}(c)
 
-		c, err = v.client.DialConn(c, M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
+		c, err = v.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, err
 		}
 
 		return NewConn(c, v), nil
 	}
-	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -321,7 +323,7 @@ func (v *Vmess) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
@@ -332,7 +334,7 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 	}
 	var c net.Conn
 	// gun transport
-	if v.transport != nil && len(opts) == 0 {
+	if v.transport != nil {
 		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
@@ -341,13 +343,13 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 			safeConnClose(c, err)
 		}(c)
 
-		c, err = v.streamConn(c, metadata)
+		c, err = v.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, fmt.Errorf("new vmess client error: %v", err)
 		}
 		return v.ListenPacketOnStreamConn(ctx, c, metadata)
 	}
-	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -395,6 +397,14 @@ func (v *Vmess) ProxyInfo() C.ProxyInfo {
 	return info
 }
 
+// Close implements C.ProxyAdapter
+func (v *Vmess) Close() error {
+	if v.transport != nil {
+		return v.transport.Close()
+	}
+	return nil
+}
+
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (v *Vmess) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
@@ -459,22 +469,27 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		option: &option,
 	}
 
+	v.realityConfig, err = v.option.RealityOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+
 	switch option.Network {
 	case "h2":
 		if len(option.HTTP2Opts.Host) == 0 {
 			option.HTTP2Opts.Host = append(option.HTTP2Opts.Host, "www.example.com")
 		}
 	case "grpc":
-		dialFn := func(network, addr string) (net.Conn, error) {
+		dialFn := func(ctx context.Context, network, addr string) (net.Conn, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(v.Base.DialOptions()...)
+			var cDialer C.Dialer = dialer.NewDialer(v.DialOptions()...)
 			if len(v.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(v.option.DialerProxy, cDialer)
 				if err != nil {
 					return nil, err
 				}
 			}
-			c, err := cDialer.DialContext(context.Background(), "tcp", v.addr)
+			c, err := cDialer.DialContext(ctx, "tcp", v.addr)
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 			}
@@ -491,10 +506,13 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		}
 		var tlsConfig *tls.Config
 		if option.TLS {
-			tlsConfig = ca.GetGlobalTLSConfig(&tls.Config{
+			tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{
 				InsecureSkipVerify: v.option.SkipCertVerify,
 				ServerName:         v.option.ServerName,
-			})
+			}, v.option.Fingerprint)
+			if err != nil {
+				return nil, err
+			}
 			if option.ServerName == "" {
 				host, _, _ := net.SplitHostPort(v.addr)
 				tlsConfig.ServerName = host
@@ -507,11 +525,6 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.realityConfig)
 	}
 
-	v.realityConfig, err = v.option.RealityOpts.Parse()
-	if err != nil {
-		return nil, err
-	}
-
 	return v, nil
 }
 

adapter/outbound/wireguard.go

@@ -8,14 +8,12 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"runtime"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/metacubex/mihomo/common/atomic"
-	CN "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	"github.com/metacubex/mihomo/component/resolver"
@@ -28,9 +26,9 @@ import (
 	wireguard "github.com/metacubex/sing-wireguard"
 	"github.com/metacubex/wireguard-go/device"
 
-	"github.com/sagernet/sing/common/debug"
+	"github.com/metacubex/sing/common/debug"
-	E "github.com/sagernet/sing/common/exceptions"
+	E "github.com/metacubex/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 type wireguardGoDevice interface {
@@ -45,7 +43,6 @@ type WireGuard struct {
 	tunDevice wireguard.Device
 	dialer    proxydialer.SingDialer
 	resolver  resolver.Resolver
-	refP      *refProxyAdapter
 
 	initOk        atomic.Bool
 	initMutex     sync.Mutex
@@ -57,8 +54,6 @@ type WireGuard struct {
 	serverAddrMap   map[M.Socksaddr]netip.AddrPort
 	serverAddrTime  atomic.TypedValue[time.Time]
 	serverAddrMutex sync.Mutex
-
-	closeCh chan struct{} // for test
 }
 
 type WireGuardOption struct {
@@ -171,9 +166,9 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		dialer: proxydialer.NewSlowDownSingDialer(proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer()), slowdown.New()),
 	}
-	runtime.SetFinalizer(outbound, closeWireGuard)
+	singDialer := proxydialer.NewSlowDownSingDialer(proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer(outbound.DialOptions()...)), slowdown.New())
+	outbound.dialer = singDialer
 
 	var reserved [3]uint8
 	if len(option.Reserved) > 0 {
@@ -286,15 +281,13 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 		}
 	}
 
-	refP := &refProxyAdapter{}
-	outbound.refP = refP
 	if option.RemoteDnsResolve && len(option.Dns) > 0 {
 		nss, err := dns.ParseNameServer(option.Dns)
 		if err != nil {
 			return nil, err
 		}
 		for i := range nss {
-			nss[i].ProxyAdapter = refP
+			nss[i].ProxyAdapter = outbound
 		}
 		outbound.resolver = dns.NewResolver(dns.Config{
 			Main: nss,
@@ -309,7 +302,7 @@ func (w *WireGuard) resolve(ctx context.Context, address M.Socksaddr) (netip.Add
 	if address.Addr.IsValid() {
 		return address.AddrPort(), nil
 	}
-	udpAddr, err := resolveUDPAddrWithPrefer(ctx, "udp", address.String(), w.prefer)
+	udpAddr, err := resolveUDPAddr(ctx, "udp", address.String(), w.prefer)
 	if err != nil {
 		return netip.AddrPort{}, err
 	}
@@ -488,18 +481,15 @@ func (w *WireGuard) genIpcConf(ctx context.Context, updateOnly bool) (string, er
 	return ipcConf, nil
 }
 
-func closeWireGuard(w *WireGuard) {
+// Close implements C.ProxyAdapter
+func (w *WireGuard) Close() error {
 	if w.device != nil {
 		w.device.Close()
 	}
-	if w.closeCh != nil {
+	return nil
-		close(w.closeCh)
-	}
 }
 
-func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	options := w.Base.DialOptions(opts...)
-	w.dialer.SetDialer(dialer.NewDialer(options...))
 	var conn net.Conn
 	if err = w.init(ctx); err != nil {
 		return nil, err
@@ -507,10 +497,9 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 	if !metadata.Resolved() || w.resolver != nil {
 		r := resolver.DefaultResolver
 		if w.resolver != nil {
-			w.refP.SetProxyAdapter(w)
-			defer w.refP.ClearProxyAdapter()
 			r = w.resolver
 		}
+		options := w.DialOptions()
 		options = append(options, dialer.WithResolver(r))
 		options = append(options, dialer.WithNetDialer(wgNetDialer{tunDevice: w.tunDevice}))
 		conn, err = dialer.NewDialer(options...).DialContext(ctx, "tcp", metadata.RemoteAddress())
@@ -523,12 +512,10 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 	if conn == nil {
 		return nil, E.New("conn is nil")
 	}
-	return NewConn(CN.NewRefConn(conn, w), w), nil
+	return NewConn(conn, w), nil
 }
 
-func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	options := w.Base.DialOptions(opts...)
-	w.dialer.SetDialer(dialer.NewDialer(options...))
 	var pc net.PacketConn
 	if err = w.init(ctx); err != nil {
 		return nil, err
@@ -536,8 +523,6 @@ func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadat
 	if (!metadata.Resolved() || w.resolver != nil) && metadata.Host != "" {
 		r := resolver.DefaultResolver
 		if w.resolver != nil {
-			w.refP.SetProxyAdapter(w)
-			defer w.refP.ClearProxyAdapter()
 			r = w.resolver
 		}
 		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, r)
@@ -553,139 +538,10 @@ func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadat
 	if pc == nil {
 		return nil, E.New("packetConn is nil")
 	}
-	return newPacketConn(CN.NewRefPacketConn(pc, w), w), nil
+	return newPacketConn(pc, w), nil
 }
 
 // IsL3Protocol implements C.ProxyAdapter
 func (w *WireGuard) IsL3Protocol(metadata *C.Metadata) bool {
 	return true
 }
-
-type refProxyAdapter struct {
-	proxyAdapter C.ProxyAdapter
-	count        int
-	mutex        sync.Mutex
-}
-
-func (r *refProxyAdapter) SetProxyAdapter(proxyAdapter C.ProxyAdapter) {
-	r.mutex.Lock()
-	defer r.mutex.Unlock()
-	r.proxyAdapter = proxyAdapter
-	r.count++
-}
-
-func (r *refProxyAdapter) ClearProxyAdapter() {
-	r.mutex.Lock()
-	defer r.mutex.Unlock()
-	r.count--
-	if r.count == 0 {
-		r.proxyAdapter = nil
-	}
-}
-
-func (r *refProxyAdapter) Name() string {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.Name()
-	}
-	return ""
-}
-
-func (r *refProxyAdapter) Type() C.AdapterType {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.Type()
-	}
-	return C.AdapterType(0)
-}
-
-func (r *refProxyAdapter) Addr() string {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.Addr()
-	}
-	return ""
-}
-
-func (r *refProxyAdapter) SupportUDP() bool {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.SupportUDP()
-	}
-	return false
-}
-
-func (r *refProxyAdapter) ProxyInfo() C.ProxyInfo {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.ProxyInfo()
-	}
-	return C.ProxyInfo{}
-}
-
-func (r *refProxyAdapter) MarshalJSON() ([]byte, error) {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.MarshalJSON()
-	}
-	return nil, C.ErrNotSupport
-}
-
-func (r *refProxyAdapter) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.StreamConnContext(ctx, c, metadata)
-	}
-	return nil, C.ErrNotSupport
-}
-
-func (r *refProxyAdapter) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.DialContext(ctx, metadata, opts...)
-	}
-	return nil, C.ErrNotSupport
-}
-
-func (r *refProxyAdapter) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.ListenPacketContext(ctx, metadata, opts...)
-	}
-	return nil, C.ErrNotSupport
-}
-
-func (r *refProxyAdapter) SupportUOT() bool {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.SupportUOT()
-	}
-	return false
-}
-
-func (r *refProxyAdapter) SupportWithDialer() C.NetWork {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.SupportWithDialer()
-	}
-	return C.InvalidNet
-}
-
-func (r *refProxyAdapter) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (C.Conn, error) {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.DialContextWithDialer(ctx, dialer, metadata)
-	}
-	return nil, C.ErrNotSupport
-}
-
-func (r *refProxyAdapter) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (C.PacketConn, error) {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.ListenPacketWithDialer(ctx, dialer, metadata)
-	}
-	return nil, C.ErrNotSupport
-}
-
-func (r *refProxyAdapter) IsL3Protocol(metadata *C.Metadata) bool {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.IsL3Protocol(metadata)
-	}
-	return false
-}
-
-func (r *refProxyAdapter) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
-	if r.proxyAdapter != nil {
-		return r.proxyAdapter.Unwrap(metadata, touch)
-	}
-	return nil
-}
-
-var _ C.ProxyAdapter = (*refProxyAdapter)(nil)

adapter/outbound/wireguard_test.go

@@ -1,45 +0,0 @@
-//go:build with_gvisor
-
-package outbound
-
-import (
-	"context"
-	"runtime"
-	"testing"
-	"time"
-)
-
-func TestWireGuardGC(t *testing.T) {
-	option := WireGuardOption{}
-	option.Server = "162.159.192.1"
-	option.Port = 2408
-	option.PrivateKey = "iOx7749AdqH3IqluG7+0YbGKd0m1mcEXAfGRzpy9rG8="
-	option.PublicKey = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
-	option.Ip = "172.16.0.2"
-	option.Ipv6 = "2606:4700:110:8d29:be92:3a6a:f4:c437"
-	option.Reserved = []uint8{51, 69, 125}
-	wg, err := NewWireGuard(option)
-	if err != nil {
-		t.Error(err)
-	}
-	closeCh := make(chan struct{})
-	wg.closeCh = closeCh
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	defer cancel()
-	err = wg.init(ctx)
-	if err != nil {
-		t.Error(err)
-		return
-	}
-	// must do a small sleep before test GC
-	// because it maybe deadlocks if w.device.Close call too fast after w.device.Start
-	time.Sleep(10 * time.Millisecond)
-	wg = nil
-	runtime.GC()
-	select {
-	case <-closeCh:
-		return
-	case <-ctx.Done():
-		t.Error("timeout not GC")
-	}
-}

adapter/outboundgroup/fallback.go

@@ -6,11 +6,9 @@ import (
 	"errors"
 	"time"
 
-	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/common/callback"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/utils"
-	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/provider"
 )
@@ -31,13 +29,13 @@ func (f *Fallback) Now() string {
 }
 
 // DialContext implements C.ProxyAdapter
-func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	proxy := f.findAliveProxy(true)
-	c, err := proxy.DialContext(ctx, metadata, f.Base.DialOptions(opts...)...)
+	c, err := proxy.DialContext(ctx, metadata)
 	if err == nil {
 		c.AppendToChains(f)
 	} else {
-		f.onDialFailed(proxy.Type(), err)
+		f.onDialFailed(proxy.Type(), err, f.healthCheck)
 	}
 
 	if N.NeedHandshake(c) {
@@ -45,7 +43,7 @@ func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 			if err == nil {
 				f.onDialSuccess()
 			} else {
-				f.onDialFailed(proxy.Type(), err)
+				f.onDialFailed(proxy.Type(), err, f.healthCheck)
 			}
 		})
 	}
@@ -54,9 +52,9 @@ func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (f *Fallback) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (f *Fallback) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	proxy := f.findAliveProxy(true)
-	pc, err := proxy.ListenPacketContext(ctx, metadata, f.Base.DialOptions(opts...)...)
+	pc, err := proxy.ListenPacketContext(ctx, metadata)
 	if err == nil {
 		pc.AppendToChains(f)
 	}
@@ -155,18 +153,14 @@ func (f *Fallback) ForceSet(name string) {
 func NewFallback(option *GroupCommonOption, providers []provider.ProxyProvider) *Fallback {
 	return &Fallback{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
+			Name:           option.Name,
-				Name:        option.Name,
+			Type:           C.Fallback,
-				Type:        C.Fallback,
+			Filter:         option.Filter,
-				Interface:   option.Interface,
+			ExcludeFilter:  option.ExcludeFilter,
-				RoutingMark: option.RoutingMark,
+			ExcludeType:    option.ExcludeType,
-			},
+			TestTimeout:    option.TestTimeout,
-			option.Filter,
+			MaxFailedTimes: option.MaxFailedTimes,
-			option.ExcludeFilter,
+			Providers:      providers,
-			option.ExcludeType,
-			option.TestTimeout,
-			option.MaxFailedTimes,
-			providers,
 		}),
 		disableUDP:     option.DisableUDP,
 		testUrl:        option.URL,

adapter/outboundgroup/groupbase.go

@@ -2,6 +2,7 @@ package outboundgroup
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 	"sync"
@@ -17,68 +18,70 @@ import (
 	"github.com/metacubex/mihomo/tunnel"
 
 	"github.com/dlclark/regexp2"
+	"golang.org/x/exp/slices"
 )
 
 type GroupBase struct {
 	*outbound.Base
-	filterRegs       []*regexp2.Regexp
+	filterRegs        []*regexp2.Regexp
-	excludeFilterReg *regexp2.Regexp
+	excludeFilterRegs []*regexp2.Regexp
-	excludeTypeArray []string
+	excludeTypeArray  []string
-	providers        []provider.ProxyProvider
+	providers         []provider.ProxyProvider
-	failedTestMux    sync.Mutex
+	failedTestMux     sync.Mutex
-	failedTimes      int
+	failedTimes       int
-	failedTime       time.Time
+	failedTime        time.Time
-	failedTesting    atomic.Bool
+	failedTesting     atomic.Bool
-	proxies          [][]C.Proxy
+	TestTimeout       int
-	versions         []atomic.Uint32
+	maxFailedTimes    int
-	TestTimeout      int
+
-	maxFailedTimes   int
+	// for GetProxies
+	getProxiesMutex  sync.Mutex
+	providerVersions []uint32
+	providerProxies  []C.Proxy
 }
 
 type GroupBaseOption struct {
-	outbound.BaseOption
+	Name           string
-	filter         string
+	Type           C.AdapterType
-	excludeFilter  string
+	Filter         string
-	excludeType    string
+	ExcludeFilter  string
+	ExcludeType    string
 	TestTimeout    int
-	maxFailedTimes int
+	MaxFailedTimes int
-	providers      []provider.ProxyProvider
+	Providers      []provider.ProxyProvider
 }
 
 func NewGroupBase(opt GroupBaseOption) *GroupBase {
-	if opt.RoutingMark != 0 {
+	var excludeTypeArray []string
-		log.Warnln("The group [%s] with routing-mark configuration is deprecated, please set it directly on the proxy instead", opt.Name)
+	if opt.ExcludeType != "" {
-	}
+		excludeTypeArray = strings.Split(opt.ExcludeType, "|")
-	if opt.Interface != "" {
-		log.Warnln("The group [%s] with interface-name configuration is deprecated, please set it directly on the proxy instead", opt.Name)
 	}
 
-	var excludeFilterReg *regexp2.Regexp
+	var excludeFilterRegs []*regexp2.Regexp
-	if opt.excludeFilter != "" {
+	if opt.ExcludeFilter != "" {
-		excludeFilterReg = regexp2.MustCompile(opt.excludeFilter, regexp2.None)
+		for _, excludeFilter := range strings.Split(opt.ExcludeFilter, "`") {
-	}
+			excludeFilterReg := regexp2.MustCompile(excludeFilter, regexp2.None)
-	var excludeTypeArray []string
+			excludeFilterRegs = append(excludeFilterRegs, excludeFilterReg)
-	if opt.excludeType != "" {
+		}
-		excludeTypeArray = strings.Split(opt.excludeType, "|")
 	}
 
 	var filterRegs []*regexp2.Regexp
-	if opt.filter != "" {
+	if opt.Filter != "" {
-		for _, filter := range strings.Split(opt.filter, "`") {
+		for _, filter := range strings.Split(opt.Filter, "`") {
 			filterReg := regexp2.MustCompile(filter, regexp2.None)
 			filterRegs = append(filterRegs, filterReg)
 		}
 	}
 
 	gb := &GroupBase{
-		Base:             outbound.NewBase(opt.BaseOption),
+		Base:              outbound.NewBase(outbound.BaseOption{Name: opt.Name, Type: opt.Type}),
-		filterRegs:       filterRegs,
+		filterRegs:        filterRegs,
-		excludeFilterReg: excludeFilterReg,
+		excludeFilterRegs: excludeFilterRegs,
-		excludeTypeArray: excludeTypeArray,
+		excludeTypeArray:  excludeTypeArray,
-		providers:        opt.providers,
+		providers:         opt.Providers,
-		failedTesting:    atomic.NewBool(false),
+		failedTesting:     atomic.NewBool(false),
-		TestTimeout:      opt.TestTimeout,
+		TestTimeout:       opt.TestTimeout,
-		maxFailedTimes:   opt.maxFailedTimes,
+		maxFailedTimes:    opt.MaxFailedTimes,
 	}
 
 	if gb.TestTimeout == 0 {
@@ -88,9 +91,6 @@ func NewGroupBase(opt GroupBaseOption) *GroupBase {
 		gb.maxFailedTimes = 5
 	}
 
-	gb.proxies = make([][]C.Proxy, len(opt.providers))
-	gb.versions = make([]atomic.Uint32, len(opt.providers))
-
 	return gb
 }
 
@@ -101,56 +101,55 @@ func (gb *GroupBase) Touch() {
 }
 
 func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
+	providerVersions := make([]uint32, len(gb.providers))
+	for i, pd := range gb.providers {
+		if touch { // touch first
+			pd.Touch()
+		}
+		providerVersions[i] = pd.Version()
+	}
+
+	// thread safe
+	gb.getProxiesMutex.Lock()
+	defer gb.getProxiesMutex.Unlock()
+
+	// return the cached proxies if version not changed
+	if slices.Equal(providerVersions, gb.providerVersions) {
+		return gb.providerProxies
+	}
+
 	var proxies []C.Proxy
 	if len(gb.filterRegs) == 0 {
 		for _, pd := range gb.providers {
-			if touch {
-				pd.Touch()
-			}
 			proxies = append(proxies, pd.Proxies()...)
 		}
 	} else {
-		for i, pd := range gb.providers {
+		for _, pd := range gb.providers {
-			if touch {
+			if pd.VehicleType() == types.Compatible { // compatible provider unneeded filter
-				pd.Touch()
+				proxies = append(proxies, pd.Proxies()...)
-			}
-
-			if pd.VehicleType() == types.Compatible {
-				gb.versions[i].Store(pd.Version())
-				gb.proxies[i] = pd.Proxies()
 				continue
 			}
 
-			version := gb.versions[i].Load()
+			var newProxies []C.Proxy
-			if version != pd.Version() && gb.versions[i].CompareAndSwap(version, pd.Version()) {
+			proxiesSet := map[string]struct{}{}
-				var (
+			for _, filterReg := range gb.filterRegs {
-					proxies    []C.Proxy
+				for _, p := range pd.Proxies() {
-					newProxies []C.Proxy
+					name := p.Name()
-				)
+					if mat, _ := filterReg.MatchString(name); mat {
-
+						if _, ok := proxiesSet[name]; !ok {
-				proxies = pd.Proxies()
+							proxiesSet[name] = struct{}{}
-				proxiesSet := map[string]struct{}{}
+							newProxies = append(newProxies, p)
-				for _, filterReg := range gb.filterRegs {
-					for _, p := range proxies {
-						name := p.Name()
-						if mat, _ := filterReg.MatchString(name); mat {
-							if _, ok := proxiesSet[name]; !ok {
-								proxiesSet[name] = struct{}{}
-								newProxies = append(newProxies, p)
-							}
 						}
 					}
 				}
-
-				gb.proxies[i] = newProxies
 			}
-		}
+			proxies = append(proxies, newProxies...)
-
-		for _, p := range gb.proxies {
-			proxies = append(proxies, p...)
 		}
 	}
 
+	// Multiple filers means that proxies are sorted in the order in which the filers appear.
+	// Although the filter has been performed once in the previous process,
+	// when there are multiple providers, the array needs to be reordered as a whole.
 	if len(gb.providers) > 1 && len(gb.filterRegs) > 1 {
 		var newProxies []C.Proxy
 		proxiesSet := map[string]struct{}{}
@@ -174,32 +173,31 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 		}
 		proxies = newProxies
 	}
-	if gb.excludeTypeArray != nil {
-		var newProxies []C.Proxy
-		for _, p := range proxies {
-			mType := p.Type().String()
-			flag := false
-			for i := range gb.excludeTypeArray {
-				if strings.EqualFold(mType, gb.excludeTypeArray[i]) {
-					flag = true
-					break
-				}
 
-			}
+	if len(gb.excludeFilterRegs) > 0 {
-			if flag {
+		var newProxies []C.Proxy
-				continue
+	LOOP1:
+		for _, p := range proxies {
+			name := p.Name()
+			for _, excludeFilterReg := range gb.excludeFilterRegs {
+				if mat, _ := excludeFilterReg.MatchString(name); mat {
+					continue LOOP1
+				}
 			}
 			newProxies = append(newProxies, p)
 		}
 		proxies = newProxies
 	}
 
-	if gb.excludeFilterReg != nil {
+	if gb.excludeTypeArray != nil {
 		var newProxies []C.Proxy
+	LOOP2:
 		for _, p := range proxies {
-			name := p.Name()
+			mType := p.Type().String()
-			if mat, _ := gb.excludeFilterReg.MatchString(name); mat {
+			for _, excludeType := range gb.excludeTypeArray {
-				continue
+				if strings.EqualFold(mType, excludeType) {
+					continue LOOP2
+				}
 			}
 			newProxies = append(newProxies, p)
 		}
@@ -207,9 +205,13 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 	}
 
 	if len(proxies) == 0 {
-		return append(proxies, tunnel.Proxies()["COMPATIBLE"])
+		return []C.Proxy{tunnel.Proxies()["COMPATIBLE"]}
 	}
 
+	// only cache when proxies not empty
+	gb.providerVersions = providerVersions
+	gb.providerProxies = proxies
+
 	return proxies
 }
 
@@ -241,17 +243,21 @@ func (gb *GroupBase) URLTest(ctx context.Context, url string, expectedStatus uti
 	}
 }
 
-func (gb *GroupBase) onDialFailed(adapterType C.AdapterType, err error) {
+func (gb *GroupBase) onDialFailed(adapterType C.AdapterType, err error, fn func()) {
 	if adapterType == C.Direct || adapterType == C.Compatible || adapterType == C.Reject || adapterType == C.Pass || adapterType == C.RejectDrop {
 		return
 	}
 
-	if strings.Contains(err.Error(), "connection refused") {
+	if errors.Is(err, C.ErrNotSupport) {
-		go gb.healthCheck()
 		return
 	}
 
 	go func() {
+		if strings.Contains(err.Error(), "connection refused") {
+			fn()
+			return
+		}
+
 		gb.failedTestMux.Lock()
 		defer gb.failedTestMux.Unlock()
 
@@ -268,7 +274,7 @@ func (gb *GroupBase) onDialFailed(adapterType C.AdapterType, err error) {
 			log.Debugln("ProxyGroup: %s failed count: %d", gb.Name(), gb.failedTimes)
 			if gb.failedTimes >= gb.maxFailedTimes {
 				log.Warnln("because %s failed multiple times, active health check", gb.Name())
-				gb.healthCheck()
+				fn()
 			}
 		}
 	}()

adapter/outboundgroup/loadbalance.go

@@ -9,12 +9,10 @@ import (
 	"sync"
 	"time"
 
-	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/common/callback"
 	"github.com/metacubex/mihomo/common/lru"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/utils"
-	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/provider"
 
@@ -88,14 +86,14 @@ func jumpHash(key uint64, buckets int32) int32 {
 }
 
 // DialContext implements C.ProxyAdapter
-func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (c C.Conn, err error) {
+func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata) (c C.Conn, err error) {
 	proxy := lb.Unwrap(metadata, true)
-	c, err = proxy.DialContext(ctx, metadata, lb.Base.DialOptions(opts...)...)
+	c, err = proxy.DialContext(ctx, metadata)
 
 	if err == nil {
 		c.AppendToChains(lb)
 	} else {
-		lb.onDialFailed(proxy.Type(), err)
+		lb.onDialFailed(proxy.Type(), err, lb.healthCheck)
 	}
 
 	if N.NeedHandshake(c) {
@@ -103,7 +101,7 @@ func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata, op
 			if err == nil {
 				lb.onDialSuccess()
 			} else {
-				lb.onDialFailed(proxy.Type(), err)
+				lb.onDialFailed(proxy.Type(), err, lb.healthCheck)
 			}
 		})
 	}
@@ -112,7 +110,7 @@ func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata, op
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (lb *LoadBalance) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (pc C.PacketConn, err error) {
+func (lb *LoadBalance) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (pc C.PacketConn, err error) {
 	defer func() {
 		if err == nil {
 			pc.AppendToChains(lb)
@@ -120,7 +118,7 @@ func (lb *LoadBalance) ListenPacketContext(ctx context.Context, metadata *C.Meta
 	}()
 
 	proxy := lb.Unwrap(metadata, true)
-	return proxy.ListenPacketContext(ctx, metadata, lb.Base.DialOptions(opts...)...)
+	return proxy.ListenPacketContext(ctx, metadata)
 }
 
 // SupportUDP implements C.ProxyAdapter
@@ -255,18 +253,14 @@ func NewLoadBalance(option *GroupCommonOption, providers []provider.ProxyProvide
 	}
 	return &LoadBalance{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
+			Name:           option.Name,
-				Name:        option.Name,
+			Type:           C.LoadBalance,
-				Type:        C.LoadBalance,
+			Filter:         option.Filter,
-				Interface:   option.Interface,
+			ExcludeFilter:  option.ExcludeFilter,
-				RoutingMark: option.RoutingMark,
+			ExcludeType:    option.ExcludeType,
-			},
+			TestTimeout:    option.TestTimeout,
-			option.Filter,
+			MaxFailedTimes: option.MaxFailedTimes,
-			option.ExcludeFilter,
+			Providers:      providers,
-			option.ExcludeType,
-			option.TestTimeout,
-			option.MaxFailedTimes,
-			providers,
 		}),
 		strategyFn:     strategyFn,
 		disableUDP:     option.DisableUDP,

adapter/outboundgroup/parser.go

@@ -7,12 +7,12 @@ import (
 
 	"github.com/dlclark/regexp2"
 
-	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/adapter/provider"
 	"github.com/metacubex/mihomo/common/structure"
 	"github.com/metacubex/mihomo/common/utils"
 	C "github.com/metacubex/mihomo/constant"
 	types "github.com/metacubex/mihomo/constant/provider"
+	"github.com/metacubex/mihomo/log"
 )
 
 var (
@@ -23,7 +23,6 @@ var (
 )
 
 type GroupCommonOption struct {
-	outbound.BasicOption
 	Name                string   `group:"name"`
 	Type                string   `group:"type"`
 	Proxies             []string `group:"proxies,omitempty"`
@@ -43,6 +42,10 @@ type GroupCommonOption struct {
 	IncludeAllProviders bool     `group:"include-all-providers,omitempty"`
 	Hidden              bool     `group:"hidden,omitempty"`
 	Icon                string   `group:"icon,omitempty"`
+
+	// removed configs, only for error logging
+	Interface   string `group:"interface-name,omitempty"`
+	RoutingMark int    `group:"routing-mark,omitempty"`
 }
 
 func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, providersMap map[string]types.ProxyProvider, AllProxies []string, AllProviders []string) (C.ProxyAdapter, error) {
@@ -59,6 +62,13 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 		return nil, errFormat
 	}
 
+	if groupOption.RoutingMark != 0 {
+		log.Errorln("The group [%s] with routing-mark configuration was removed, please set it directly on the proxy instead", groupOption.Name)
+	}
+	if groupOption.Interface != "" {
+		log.Errorln("The group [%s] with interface-name configuration was removed, please set it directly on the proxy instead", groupOption.Name)
+	}
+
 	groupName := groupOption.Name
 
 	providers := []types.ProxyProvider{}

adapter/outboundgroup/relay.go

@@ -19,17 +19,17 @@ type Relay struct {
 }
 
 // DialContext implements C.ProxyAdapter
-func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	proxies, chainProxies := r.proxies(metadata, true)
 
 	switch len(proxies) {
 	case 0:
-		return outbound.NewDirect().DialContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+		return outbound.NewDirect().DialContext(ctx, metadata)
 	case 1:
-		return proxies[0].DialContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+		return proxies[0].DialContext(ctx, metadata)
 	}
 	var d C.Dialer
-	d = dialer.NewDialer(r.Base.DialOptions(opts...)...)
+	d = dialer.NewDialer()
 	for _, proxy := range proxies[:len(proxies)-1] {
 		d = proxydialer.New(proxy, d, false)
 	}
@@ -49,18 +49,18 @@ func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (r *Relay) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (r *Relay) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	proxies, chainProxies := r.proxies(metadata, true)
 
 	switch len(proxies) {
 	case 0:
-		return outbound.NewDirect().ListenPacketContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+		return outbound.NewDirect().ListenPacketContext(ctx, metadata)
 	case 1:
-		return proxies[0].ListenPacketContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+		return proxies[0].ListenPacketContext(ctx, metadata)
 	}
 
 	var d C.Dialer
-	d = dialer.NewDialer(r.Base.DialOptions(opts...)...)
+	d = dialer.NewDialer()
 	for _, proxy := range proxies[:len(proxies)-1] {
 		d = proxydialer.New(proxy, d, false)
 	}
@@ -153,18 +153,9 @@ func NewRelay(option *GroupCommonOption, providers []provider.ProxyProvider) *Re
 	log.Warnln("The group [%s] with relay type is deprecated, please using dialer-proxy instead", option.Name)
 	return &Relay{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
+			Name:      option.Name,
-				Name:        option.Name,
+			Type:      C.Relay,
-				Type:        C.Relay,
+			Providers: providers,
-				Interface:   option.Interface,
-				RoutingMark: option.RoutingMark,
-			},
-			"",
-			"",
-			"",
-			5000,
-			5,
-			providers,
 		}),
 		Hidden: option.Hidden,
 		Icon:   option.Icon,

adapter/outboundgroup/selector.go

@@ -5,8 +5,6 @@ import (
 	"encoding/json"
 	"errors"
 
-	"github.com/metacubex/mihomo/adapter/outbound"
-	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/provider"
 )
@@ -15,13 +13,14 @@ type Selector struct {
 	*GroupBase
 	disableUDP bool
 	selected   string
+	testUrl    string
 	Hidden     bool
 	Icon       string
 }
 
 // DialContext implements C.ProxyAdapter
-func (s *Selector) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (s *Selector) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	c, err := s.selectedProxy(true).DialContext(ctx, metadata, s.Base.DialOptions(opts...)...)
+	c, err := s.selectedProxy(true).DialContext(ctx, metadata)
 	if err == nil {
 		c.AppendToChains(s)
 	}
@@ -29,8 +28,8 @@ func (s *Selector) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (s *Selector) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (s *Selector) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	pc, err := s.selectedProxy(true).ListenPacketContext(ctx, metadata, s.Base.DialOptions(opts...)...)
+	pc, err := s.selectedProxy(true).ListenPacketContext(ctx, metadata)
 	if err == nil {
 		pc.AppendToChains(s)
 	}
@@ -57,13 +56,20 @@ func (s *Selector) MarshalJSON() ([]byte, error) {
 	for _, proxy := range s.GetProxies(false) {
 		all = append(all, proxy.Name())
 	}
+	// When testurl is the default value
+	// do not append a value to ensure that the web dashboard follows the settings of the dashboard
+	var url string
+	if s.testUrl != C.DefaultTestURL {
+		url = s.testUrl
+	}
 
 	return json.Marshal(map[string]any{
-		"type":   s.Type().String(),
+		"type":    s.Type().String(),
-		"now":    s.Now(),
+		"now":     s.Now(),
-		"all":    all,
+		"all":     all,
-		"hidden": s.Hidden,
+		"testUrl": url,
-		"icon":   s.Icon,
+		"hidden":  s.Hidden,
+		"icon":    s.Icon,
 	})
 }
 
@@ -105,21 +111,18 @@ func (s *Selector) selectedProxy(touch bool) C.Proxy {
 func NewSelector(option *GroupCommonOption, providers []provider.ProxyProvider) *Selector {
 	return &Selector{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
+			Name:           option.Name,
-				Name:        option.Name,
+			Type:           C.Selector,
-				Type:        C.Selector,
+			Filter:         option.Filter,
-				Interface:   option.Interface,
+			ExcludeFilter:  option.ExcludeFilter,
-				RoutingMark: option.RoutingMark,
+			ExcludeType:    option.ExcludeType,
-			},
+			TestTimeout:    option.TestTimeout,
-			option.Filter,
+			MaxFailedTimes: option.MaxFailedTimes,
-			option.ExcludeFilter,
+			Providers:      providers,
-			option.ExcludeType,
-			option.TestTimeout,
-			option.MaxFailedTimes,
-			providers,
 		}),
 		selected:   "COMPATIBLE",
 		disableUDP: option.DisableUDP,
+		testUrl:    option.URL,
 		Hidden:     option.Hidden,
 		Icon:       option.Icon,
 	}

adapter/outboundgroup/urltest.go

@@ -4,16 +4,12 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
-	"fmt"
-	"sync"
 	"time"
 
-	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/common/callback"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/singledo"
 	"github.com/metacubex/mihomo/common/utils"
-	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/provider"
 )
@@ -54,23 +50,23 @@ func (u *URLTest) Set(name string) error {
 	if p == nil {
 		return errors.New("proxy not exist")
 	}
-	u.selected = name
+	u.ForceSet(name)
-	u.fast(false)
 	return nil
 }
 
 func (u *URLTest) ForceSet(name string) {
 	u.selected = name
+	u.fastSingle.Reset()
 }
 
 // DialContext implements C.ProxyAdapter
-func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (c C.Conn, err error) {
+func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata) (c C.Conn, err error) {
 	proxy := u.fast(true)
-	c, err = proxy.DialContext(ctx, metadata, u.Base.DialOptions(opts...)...)
+	c, err = proxy.DialContext(ctx, metadata)
 	if err == nil {
 		c.AppendToChains(u)
 	} else {
-		u.onDialFailed(proxy.Type(), err)
+		u.onDialFailed(proxy.Type(), err, u.healthCheck)
 	}
 
 	if N.NeedHandshake(c) {
@@ -78,7 +74,7 @@ func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 			if err == nil {
 				u.onDialSuccess()
 			} else {
-				u.onDialFailed(proxy.Type(), err)
+				u.onDialFailed(proxy.Type(), err, u.healthCheck)
 			}
 		})
 	}
@@ -87,10 +83,13 @@ func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (u *URLTest) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (u *URLTest) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	pc, err := u.fast(true).ListenPacketContext(ctx, metadata, u.Base.DialOptions(opts...)...)
+	proxy := u.fast(true)
+	pc, err := proxy.ListenPacketContext(ctx, metadata)
 	if err == nil {
 		pc.AppendToChains(u)
+	} else {
+		u.onDialFailed(proxy.Type(), err, u.healthCheck)
 	}
 
 	return pc, err
@@ -101,22 +100,27 @@ func (u *URLTest) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
 	return u.fast(touch)
 }
 
-func (u *URLTest) fast(touch bool) C.Proxy {
+func (u *URLTest) healthCheck() {
+	u.fastSingle.Reset()
+	u.GroupBase.healthCheck()
+	u.fastSingle.Reset()
+}
 
-	proxies := u.GetProxies(touch)
+func (u *URLTest) fast(touch bool) C.Proxy {
-	if u.selected != "" {
+	elm, _, shared := u.fastSingle.Do(func() (C.Proxy, error) {
-		for _, proxy := range proxies {
+		proxies := u.GetProxies(touch)
-			if !proxy.AliveForTestUrl(u.testUrl) {
+		if u.selected != "" {
-				continue
+			for _, proxy := range proxies {
-			}
+				if !proxy.AliveForTestUrl(u.testUrl) {
-			if proxy.Name() == u.selected {
+					continue
-				u.fastNode = proxy
+				}
-				return proxy
+				if proxy.Name() == u.selected {
+					u.fastNode = proxy
+					return proxy, nil
+				}
 			}
 		}
-	}
 
-	elm, _, shared := u.fastSingle.Do(func() (C.Proxy, error) {
 		fast := proxies[0]
 		minDelay := fast.LastDelayForTestUrl(u.testUrl)
 		fastNotExist := true
@@ -182,31 +186,7 @@ func (u *URLTest) MarshalJSON() ([]byte, error) {
 }
 
 func (u *URLTest) URLTest(ctx context.Context, url string, expectedStatus utils.IntRanges[uint16]) (map[string]uint16, error) {
-	var wg sync.WaitGroup
+	return u.GroupBase.URLTest(ctx, u.testUrl, expectedStatus)
-	var lock sync.Mutex
-	mp := map[string]uint16{}
-	proxies := u.GetProxies(false)
-	for _, proxy := range proxies {
-		proxy := proxy
-		wg.Add(1)
-		go func() {
-			delay, err := proxy.URLTest(ctx, u.testUrl, expectedStatus)
-			if err == nil {
-				lock.Lock()
-				mp[proxy.Name()] = delay
-				lock.Unlock()
-			}
-
-			wg.Done()
-		}()
-	}
-	wg.Wait()
-
-	if len(mp) == 0 {
-		return mp, fmt.Errorf("get delay: all proxies timeout")
-	} else {
-		return mp, nil
-	}
 }
 
 func parseURLTestOption(config map[string]any) []urlTestOption {
@@ -225,19 +205,14 @@ func parseURLTestOption(config map[string]any) []urlTestOption {
 func NewURLTest(option *GroupCommonOption, providers []provider.ProxyProvider, options ...urlTestOption) *URLTest {
 	urlTest := &URLTest{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
+			Name:           option.Name,
-				Name:        option.Name,
+			Type:           C.URLTest,
-				Type:        C.URLTest,
+			Filter:         option.Filter,
-				Interface:   option.Interface,
+			ExcludeFilter:  option.ExcludeFilter,
-				RoutingMark: option.RoutingMark,
+			ExcludeType:    option.ExcludeType,
-			},
+			TestTimeout:    option.TestTimeout,
-
+			MaxFailedTimes: option.MaxFailedTimes,
-			option.Filter,
+			Providers:      providers,
-			option.ExcludeFilter,
-			option.ExcludeType,
-			option.TestTimeout,
-			option.MaxFailedTimes,
-			providers,
 		}),
 		fastSingle:     singledo.NewSingle[C.Proxy](time.Second * 10),
 		disableUDP:     option.DisableUDP,

adapter/parser.go

@@ -3,8 +3,6 @@ package adapter
 import (
 	"fmt"
 
-	tlsC "github.com/metacubex/mihomo/component/tls"
-
 	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/common/structure"
 	C "github.com/metacubex/mihomo/constant"
@@ -18,12 +16,12 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 	}
 
 	var (
-		proxy C.ProxyAdapter
+		proxy outbound.ProxyAdapter
 		err   error
 	)
 	switch proxyType {
 	case "ss":
-		ssOption := &outbound.ShadowSocksOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
+		ssOption := &outbound.ShadowSocksOption{}
 		err = decoder.Decode(mapping, ssOption)
 		if err != nil {
 			break
@@ -56,7 +54,6 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 				Method: "GET",
 				Path:   []string{"/"},
 			},
-			ClientFingerprint: tlsC.GetGlobalFingerprint(),
 		}
 
 		err = decoder.Decode(mapping, vmessOption)
@@ -65,7 +62,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		}
 		proxy, err = outbound.NewVmess(*vmessOption)
 	case "vless":
-		vlessOption := &outbound.VlessOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
+		vlessOption := &outbound.VlessOption{}
 		err = decoder.Decode(mapping, vlessOption)
 		if err != nil {
 			break
@@ -79,7 +76,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		}
 		proxy, err = outbound.NewSnell(*snellOption)
 	case "trojan":
-		trojanOption := &outbound.TrojanOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
+		trojanOption := &outbound.TrojanOption{}
 		err = decoder.Decode(mapping, trojanOption)
 		if err != nil {
 			break
@@ -148,6 +145,13 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 			break
 		}
 		proxy, err = outbound.NewMieru(*mieruOption)
+	case "anytls":
+		anytlsOption := &outbound.AnyTLSOption{}
+		err = decoder.Decode(mapping, anytlsOption)
+		if err != nil {
+			break
+		}
+		proxy, err = outbound.NewAnyTLS(*anytlsOption)
 	default:
 		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)
 	}
@@ -163,12 +167,13 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 			return nil, err
 		}
 		if muxOption.Enabled {
-			proxy, err = outbound.NewSingMux(*muxOption, proxy, proxy.(outbound.ProxyBase))
+			proxy, err = outbound.NewSingMux(*muxOption, proxy)
 			if err != nil {
 				return nil, err
 			}
 		}
 	}
 
+	proxy = outbound.NewAutoCloseProxyAdapter(proxy)
 	return NewProxy(proxy), nil
 }

adapter/provider/healthcheck.go

@@ -7,13 +7,13 @@ import (
 	"time"
 
 	"github.com/metacubex/mihomo/common/atomic"
-	"github.com/metacubex/mihomo/common/batch"
 	"github.com/metacubex/mihomo/common/singledo"
 	"github.com/metacubex/mihomo/common/utils"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 
 	"github.com/dlclark/regexp2"
+	"golang.org/x/sync/errgroup"
 )
 
 type HealthCheckOption struct {
@@ -147,7 +147,8 @@ func (hc *HealthCheck) check() {
 	_, _, _ = hc.singleDo.Do(func() (struct{}, error) {
 		id := utils.NewUUIDV4().String()
 		log.Debugln("Start New Health Checking {%s}", id)
-		b, _ := batch.New[bool](hc.ctx, batch.WithConcurrencyNum[bool](10))
+		b := new(errgroup.Group)
+		b.SetLimit(10)
 
 		// execute default health check
 		option := &extraOption{filters: nil, expectedStatus: hc.expectedStatus}
@@ -159,13 +160,13 @@ func (hc *HealthCheck) check() {
 				hc.execute(b, url, id, option)
 			}
 		}
-		b.Wait()
+		_ = b.Wait()
 		log.Debugln("Finish A Health Checking {%s}", id)
 		return struct{}{}, nil
 	})
 }
 
-func (hc *HealthCheck) execute(b *batch.Batch[bool], url, uid string, option *extraOption) {
+func (hc *HealthCheck) execute(b *errgroup.Group, url, uid string, option *extraOption) {
 	url = strings.TrimSpace(url)
 	if len(url) == 0 {
 		log.Debugln("Health Check has been skipped due to testUrl is empty, {%s}", uid)
@@ -195,13 +196,13 @@ func (hc *HealthCheck) execute(b *batch.Batch[bool], url, uid string, option *ex
 		}
 
 		p := proxy
-		b.Go(p.Name(), func() (bool, error) {
+		b.Go(func() error {
 			ctx, cancel := context.WithTimeout(hc.ctx, hc.timeout)
 			defer cancel()
 			log.Debugln("Health Checking, proxy: %s, url: %s, id: {%s}", p.Name(), url, uid)
 			_, _ = p.URLTest(ctx, url, expectedStatus)
 			log.Debugln("Health Checked, proxy: %s, url: %s, alive: %t, delay: %d ms uid: {%s}", p.Name(), url, p.AliveForTestUrl(url), p.LastDelayForTestUrl(url), uid)
-			return false, nil
+			return nil
 		})
 	}
 }

adapter/provider/parser.go

@@ -127,5 +127,5 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 
 	interval := time.Duration(uint(schema.Interval)) * time.Second
 
-	return NewProxySetProvider(name, interval, parser, vehicle, hc)
+	return NewProxySetProvider(name, interval, schema.Payload, parser, vehicle, hc)
 }

adapter/provider/provider.go

@@ -87,6 +87,7 @@ func (bp *baseProvider) RegisterHealthCheckTask(url string, expectedStatus utils
 
 func (bp *baseProvider) setProxies(proxies []C.Proxy) {
 	bp.proxies = proxies
+	bp.version += 1
 	bp.healthCheck.setProxy(proxies)
 	if bp.healthCheck.auto() {
 		go bp.healthCheck.check()
@@ -160,7 +161,7 @@ func (pp *proxySetProvider) Close() error {
 	return pp.Fetcher.Close()
 }
 
-func NewProxySetProvider(name string, interval time.Duration, parser resource.Parser[[]C.Proxy], vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
+func NewProxySetProvider(name string, interval time.Duration, payload []map[string]any, parser resource.Parser[[]C.Proxy], vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
 	if hc.auto() {
 		go hc.process()
 	}
@@ -173,7 +174,20 @@ func NewProxySetProvider(name string, interval time.Duration, parser resource.Pa
 		},
 	}
 
-	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, parser, proxiesOnUpdate(pd))
+	if len(payload) > 0 { // using as fallback proxies
+		ps := ProxySchema{Proxies: payload}
+		buf, err := yaml.Marshal(ps)
+		if err != nil {
+			return nil, err
+		}
+		proxies, err := parser(buf)
+		if err != nil {
+			return nil, err
+		}
+		pd.proxies = proxies
+	}
+
+	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, parser, pd.setProxies)
 	pd.Fetcher = fetcher
 	if httpVehicle, ok := vehicle.(*resource.HTTPVehicle); ok {
 		httpVehicle.SetInRead(func(resp *http.Response) {
@@ -325,13 +339,6 @@ func (cp *CompatibleProvider) Close() error {
 	return cp.compatibleProvider.Close()
 }
 
-func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) {
-	return func(elm []C.Proxy) {
-		pd.setProxies(elm)
-		pd.version += 1
-	}
-}
-
 func NewProxiesParser(filter string, excludeFilter string, excludeType string, dialerProxy string, override OverrideSchema) (resource.Parser[[]C.Proxy], error) {
 	excludeFilterReg, err := regexp2.Compile(excludeFilter, regexp2.None)
 	if err != nil {

common/buf/sing.go

@@ -1,8 +1,8 @@
 package buf
 
 import (
-	"github.com/sagernet/sing/common"
+	"github.com/metacubex/sing/common"
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
 )
 
 const BufferSize = buf.BufferSize

common/contextutils/afterfunc_compact.go

@@ -0,0 +1,31 @@
+package contextutils
+
+import (
+	"context"
+	"sync"
+)
+
+func afterFunc(ctx context.Context, f func()) (stop func() bool) {
+	stopc := make(chan struct{})
+	once := sync.Once{} // either starts running f or stops f from running
+	if ctx.Done() != nil {
+		go func() {
+			select {
+			case <-ctx.Done():
+				once.Do(func() {
+					go f()
+				})
+			case <-stopc:
+			}
+		}()
+	}
+
+	return func() bool {
+		stopped := false
+		once.Do(func() {
+			stopped = true
+			close(stopc)
+		})
+		return stopped
+	}
+}

common/contextutils/afterfunc_go120.go

@@ -0,0 +1,11 @@
+//go:build !go1.21
+
+package contextutils
+
+import (
+	"context"
+)
+
+func AfterFunc(ctx context.Context, f func()) (stop func() bool) {
+	return afterFunc(ctx, f)
+}

common/contextutils/afterfunc_go121.go

@@ -0,0 +1,9 @@
+//go:build go1.21
+
+package contextutils
+
+import "context"
+
+func AfterFunc(ctx context.Context, f func()) (stop func() bool) {
+	return context.AfterFunc(ctx, f)
+}

common/contextutils/afterfunc_test.go

@@ -0,0 +1,100 @@
+package contextutils
+
+import (
+	"context"
+	"testing"
+	"time"
+)
+
+const (
+	shortDuration    = 1 * time.Millisecond // a reasonable duration to block in a test
+	veryLongDuration = 1000 * time.Hour     // an arbitrary upper bound on the test's running time
+)
+
+func TestAfterFuncCalledAfterCancel(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	donec := make(chan struct{})
+	stop := afterFunc(ctx, func() {
+		close(donec)
+	})
+	select {
+	case <-donec:
+		t.Fatalf("AfterFunc called before context is done")
+	case <-time.After(shortDuration):
+	}
+	cancel()
+	select {
+	case <-donec:
+	case <-time.After(veryLongDuration):
+		t.Fatalf("AfterFunc not called after context is canceled")
+	}
+	if stop() {
+		t.Fatalf("stop() = true, want false")
+	}
+}
+
+func TestAfterFuncCalledAfterTimeout(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), shortDuration)
+	defer cancel()
+	donec := make(chan struct{})
+	afterFunc(ctx, func() {
+		close(donec)
+	})
+	select {
+	case <-donec:
+	case <-time.After(veryLongDuration):
+		t.Fatalf("AfterFunc not called after context is canceled")
+	}
+}
+
+func TestAfterFuncCalledImmediately(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+	donec := make(chan struct{})
+	afterFunc(ctx, func() {
+		close(donec)
+	})
+	select {
+	case <-donec:
+	case <-time.After(veryLongDuration):
+		t.Fatalf("AfterFunc not called for already-canceled context")
+	}
+}
+
+func TestAfterFuncNotCalledAfterStop(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	donec := make(chan struct{})
+	stop := afterFunc(ctx, func() {
+		close(donec)
+	})
+	if !stop() {
+		t.Fatalf("stop() = false, want true")
+	}
+	cancel()
+	select {
+	case <-donec:
+		t.Fatalf("AfterFunc called for already-canceled context")
+	case <-time.After(shortDuration):
+	}
+	if stop() {
+		t.Fatalf("stop() = true, want false")
+	}
+}
+
+// This test verifies that canceling a context does not block waiting for AfterFuncs to finish.
+func TestAfterFuncCalledAsynchronously(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	donec := make(chan struct{})
+	stop := afterFunc(ctx, func() {
+		// The channel send blocks until donec is read from.
+		donec <- struct{}{}
+	})
+	defer stop()
+	cancel()
+	// After cancel returns, read from donec and unblock the AfterFunc.
+	select {
+	case <-donec:
+	case <-time.After(veryLongDuration):
+		t.Fatalf("AfterFunc not called after context is canceled")
+	}
+}

common/convert/converter.go

@@ -275,22 +275,24 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			vmess["skip-cert-verify"] = false
 
 			vmess["cipher"] = "auto"
-			if cipher, ok := values["scy"]; ok && cipher != "" {
+			if cipher, ok := values["scy"].(string); ok && cipher != "" {
 				vmess["cipher"] = cipher
 			}
 
-			if sni, ok := values["sni"]; ok && sni != "" {
+			if sni, ok := values["sni"].(string); ok && sni != "" {
 				vmess["servername"] = sni
 			}
 
-			network, _ := values["net"].(string)
+			network, ok := values["net"].(string)
-			network = strings.ToLower(network)
+			if ok {
-			if values["type"] == "http" {
+				network = strings.ToLower(network)
-				network = "http"
+				if values["type"] == "http" {
-			} else if network == "http" {
+					network = "http"
-				network = "h2"
+				} else if network == "http" {
+					network = "h2"
+				}
+				vmess["network"] = network
 			}
-			vmess["network"] = network
 
 			tls, ok := values["tls"].(string)
 			if ok {
@@ -307,12 +309,12 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			case "http":
 				headers := make(map[string]any)
 				httpOpts := make(map[string]any)
-				if host, ok := values["host"]; ok && host != "" {
+				if host, ok := values["host"].(string); ok && host != "" {
-					headers["Host"] = []string{host.(string)}
+					headers["Host"] = []string{host}
 				}
 				httpOpts["path"] = []string{"/"}
-				if path, ok := values["path"]; ok && path != "" {
+				if path, ok := values["path"].(string); ok && path != "" {
-					httpOpts["path"] = []string{path.(string)}
+					httpOpts["path"] = []string{path}
 				}
 				httpOpts["headers"] = headers
 
@@ -321,8 +323,8 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			case "h2":
 				headers := make(map[string]any)
 				h2Opts := make(map[string]any)
-				if host, ok := values["host"]; ok && host != "" {
+				if host, ok := values["host"].(string); ok && host != "" {
-					headers["Host"] = []string{host.(string)}
+					headers["Host"] = []string{host}
 				}
 
 				h2Opts["path"] = values["path"]
@@ -334,11 +336,11 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				headers := make(map[string]any)
 				wsOpts := make(map[string]any)
 				wsOpts["path"] = "/"
-				if host, ok := values["host"]; ok && host != "" {
+				if host, ok := values["host"].(string); ok && host != "" {
-					headers["Host"] = host.(string)
+					headers["Host"] = host
 				}
-				if path, ok := values["path"]; ok && path != "" {
+				if path, ok := values["path"].(string); ok && path != "" {
-					path := path.(string)
+					path := path
 					pathURL, err := url.Parse(path)
 					if err == nil {
 						query := pathURL.Query()

common/net/context.go

@@ -3,29 +3,37 @@ package net
 import (
 	"context"
 	"net"
+
+	"github.com/metacubex/mihomo/common/contextutils"
 )
 
-// SetupContextForConn is a helper function that starts connection I/O interrupter goroutine.
+// SetupContextForConn is a helper function that starts connection I/O interrupter.
+// if ctx be canceled before done called, it will close the connection.
+// should use like this:
+//
+//	func streamConn(ctx context.Context, conn net.Conn) (_ net.Conn, err error) {
+//		if ctx.Done() != nil {
+//			done := N.SetupContextForConn(ctx, conn)
+//			defer done(&err)
+//		}
+//		conn, err := xxx
+//		return conn, err
+//	}
 func SetupContextForConn(ctx context.Context, conn net.Conn) (done func(*error)) {
-	var (
+	stopc := make(chan struct{})
-		quit      = make(chan struct{})
+	stop := contextutils.AfterFunc(ctx, func() {
-		interrupt = make(chan error, 1)
+		// Close the connection, discarding the error
-	)
+		_ = conn.Close()
-	go func() {
+		close(stopc)
-		select {
+	})
-		case <-quit:
-			interrupt <- nil
-		case <-ctx.Done():
-			// Close the connection, discarding the error
-			_ = conn.Close()
-			interrupt <- ctx.Err()
-		}
-	}()
 	return func(inputErr *error) {
-		close(quit)
+		if !stop() {
-		if ctxErr := <-interrupt; ctxErr != nil && inputErr != nil {
+			// The AfterFunc was started, wait for it to complete.
-			// Return context error to user.
+			<-stopc
-			inputErr = &ctxErr
+			if ctxErr := ctx.Err(); ctxErr != nil && inputErr != nil {
+				// Return context error to user.
+				*inputErr = ctxErr
+			}
 		}
 	}
 }

common/net/context_test.go

@@ -0,0 +1,103 @@
+package net_test
+
+import (
+	"context"
+	"errors"
+	"net"
+	"testing"
+	"time"
+
+	N "github.com/metacubex/mihomo/common/net"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func testRead(ctx context.Context, conn net.Conn) (err error) {
+	if ctx.Done() != nil {
+		done := N.SetupContextForConn(ctx, conn)
+		defer done(&err)
+	}
+	_, err = conn.Read(make([]byte, 1))
+	return err
+}
+
+func TestSetupContextForConnWithCancel(t *testing.T) {
+	t.Parallel()
+	c1, c2 := N.Pipe()
+	defer c1.Close()
+	defer c2.Close()
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	errc := make(chan error)
+	go func() {
+		errc <- testRead(ctx, c1)
+	}()
+
+	select {
+	case <-errc:
+		t.Fatal("conn closed before cancel")
+	case <-time.After(100 * time.Millisecond):
+		cancel()
+	}
+
+	select {
+	case err := <-errc:
+		assert.ErrorIs(t, err, context.Canceled)
+	case <-time.After(100 * time.Millisecond):
+		t.Fatal("conn not be canceled")
+	}
+}
+
+func TestSetupContextForConnWithTimeout1(t *testing.T) {
+	t.Parallel()
+	c1, c2 := N.Pipe()
+	defer c1.Close()
+	defer c2.Close()
+	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+	defer cancel()
+
+	errc := make(chan error)
+	go func() {
+		errc <- testRead(ctx, c1)
+	}()
+
+	select {
+	case err := <-errc:
+		if !errors.Is(ctx.Err(), context.DeadlineExceeded) {
+			t.Fatal("conn closed before timeout")
+		}
+		assert.ErrorIs(t, err, context.DeadlineExceeded)
+	case <-time.After(200 * time.Millisecond):
+		t.Fatal("conn not be canceled")
+	}
+}
+
+func TestSetupContextForConnWithTimeout2(t *testing.T) {
+	t.Parallel()
+	c1, c2 := N.Pipe()
+	defer c1.Close()
+	defer c2.Close()
+	ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
+	defer cancel()
+
+	errc := make(chan error)
+	go func() {
+		errc <- testRead(ctx, c1)
+	}()
+
+	select {
+	case <-errc:
+		t.Fatal("conn closed before cancel")
+	case <-time.After(100 * time.Millisecond):
+		c2.Write(make([]byte, 1))
+	}
+
+	select {
+	case err := <-errc:
+		assert.Nil(t, ctx.Err())
+		assert.Nil(t, err)
+	case <-time.After(200 * time.Millisecond):
+		t.Fatal("conn not be canceled")
+	}
+}

common/net/deadline/conn.go

@@ -7,9 +7,9 @@ import (
 
 	"github.com/metacubex/mihomo/common/atomic"
 
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
+	"github.com/metacubex/sing/common/bufio"
-	"github.com/sagernet/sing/common/network"
+	"github.com/metacubex/sing/common/network"
 )
 
 type connReadResult struct {

common/net/deadline/packet_sing.go

@@ -6,10 +6,10 @@ import (
 
 	"github.com/metacubex/mihomo/common/net/packet"
 
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
+	"github.com/metacubex/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	N "github.com/metacubex/sing/common/network"
 )
 
 type SingPacketConn struct {

common/net/deadline/pipe_sing.go

@@ -7,8 +7,8 @@ import (
 	"sync"
 	"time"
 
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
-	N "github.com/sagernet/sing/common/network"
+	N "github.com/metacubex/sing/common/network"
 )
 
 type pipeAddr struct{}

common/net/listener.go

@@ -0,0 +1,90 @@
+package net
+
+import (
+	"context"
+	"net"
+	"sync"
+)
+
+type handleContextListener struct {
+	net.Listener
+	ctx      context.Context
+	cancel   context.CancelFunc
+	conns    chan net.Conn
+	err      error
+	once     sync.Once
+	handle   func(context.Context, net.Conn) (net.Conn, error)
+	panicLog func(any)
+}
+
+func (l *handleContextListener) init() {
+	go func() {
+		for {
+			c, err := l.Listener.Accept()
+			if err != nil {
+				l.err = err
+				close(l.conns)
+				return
+			}
+			go func() {
+				defer func() {
+					if r := recover(); r != nil {
+						if l.panicLog != nil {
+							l.panicLog(r)
+						}
+					}
+				}()
+				if c, err := l.handle(l.ctx, c); err == nil {
+					l.conns <- c
+				} else {
+					// handle failed, close the underlying connection.
+					_ = c.Close()
+				}
+			}()
+		}
+	}()
+}
+
+func (l *handleContextListener) Accept() (net.Conn, error) {
+	l.once.Do(l.init)
+	if c, ok := <-l.conns; ok {
+		return c, nil
+	}
+	return nil, l.err
+}
+
+func (l *handleContextListener) Close() error {
+	l.cancel()
+	l.once.Do(func() { // l.init has not been called yet, so close related resources directly.
+		l.err = net.ErrClosed
+		close(l.conns)
+	})
+	defer func() {
+		// at here, listener has been closed, so we should close all connections in the channel
+		for c := range l.conns {
+			go func(c net.Conn) {
+				defer func() {
+					if r := recover(); r != nil {
+						if l.panicLog != nil {
+							l.panicLog(r)
+						}
+					}
+				}()
+				_ = c.Close()
+			}(c)
+		}
+	}()
+	return l.Listener.Close()
+}
+
+func NewHandleContextListener(ctx context.Context, l net.Listener, handle func(context.Context, net.Conn) (net.Conn, error), panicLog func(any)) net.Listener {
+	ctx, cancel := context.WithCancel(ctx)
+	return &handleContextListener{
+		Listener: l,
+		ctx:      ctx,
+		cancel:   cancel,
+		conns:    make(chan net.Conn),
+		handle:   handle,
+		panicLog: panicLog,
+	}
+}

common/net/packet/packet_posix.go

@@ -45,7 +45,11 @@ func (c *enhanceUDPConn) WaitReadFrom() (data []byte, put func(), addr net.Addr,
 				addr = &net.UDPAddr{IP: ip[:], Port: from.Port}
 			case *syscall.SockaddrInet6:
 				ip := from.Addr // copy from.Addr; ip escapes, so this line allocates 16 bytes
-				addr = &net.UDPAddr{IP: ip[:], Port: from.Port, Zone: strconv.FormatInt(int64(from.ZoneId), 10)}
+				zone := ""
+				if from.ZoneId != 0 {
+					zone = strconv.FormatInt(int64(from.ZoneId), 10)
+				}
+				addr = &net.UDPAddr{IP: ip[:], Port: from.Port, Zone: zone}
 			}
 		}
 		// udp should not convert readN == 0 to io.EOF

common/net/packet/packet_sing.go

@@ -3,10 +3,10 @@ package packet
 import (
 	"net"
 
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
+	"github.com/metacubex/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	N "github.com/metacubex/sing/common/network"
 )
 
 type SingPacketConn = N.NetPacketConn

common/net/packet/packet_windows.go

@@ -54,7 +54,11 @@ func (c *enhanceUDPConn) WaitReadFrom() (data []byte, put func(), addr net.Addr,
 				addr = &net.UDPAddr{IP: ip[:], Port: from.Port}
 			case *windows.SockaddrInet6:
 				ip := from.Addr // copy from.Addr; ip escapes, so this line allocates 16 bytes
-				addr = &net.UDPAddr{IP: ip[:], Port: from.Port, Zone: strconv.FormatInt(int64(from.ZoneId), 10)}
+				zone := ""
+				if from.ZoneId != 0 {
+					zone = strconv.FormatInt(int64(from.ZoneId), 10)
+				}
+				addr = &net.UDPAddr{IP: ip[:], Port: from.Port, Zone: zone}
 			}
 		}
 		// udp should not convert readN == 0 to io.EOF

common/net/packet/ref_sing.go

@@ -3,9 +3,9 @@ package packet
 import (
 	"runtime"
 
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	N "github.com/metacubex/sing/common/network"
 )
 
 type refSingPacketConn struct {

common/net/packet/thread_sing.go

@@ -1,9 +1,9 @@
 package packet
 
 import (
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	N "github.com/metacubex/sing/common/network"
 )
 
 type threadSafeSingPacketConn struct {

common/net/refconn.go

@@ -77,6 +77,6 @@ func (c *refConn) WriterReplaceable() bool { // Relay() will handle reference
 
 var _ ExtendedConn = (*refConn)(nil)
 
-func NewRefConn(conn net.Conn, ref any) net.Conn {
+func NewRefConn(conn net.Conn, ref any) ExtendedConn {
 	return &refConn{conn: NewExtendedConn(conn), ref: ref}
 }

common/net/sing.go

@@ -7,9 +7,9 @@ import (
 
 	"github.com/metacubex/mihomo/common/net/deadline"
 
-	"github.com/sagernet/sing/common"
+	"github.com/metacubex/sing/common"
-	"github.com/sagernet/sing/common/bufio"
+	"github.com/metacubex/sing/common/bufio"
-	"github.com/sagernet/sing/common/network"
+	"github.com/metacubex/sing/common/network"
 )
 
 var NewExtendedConn = bufio.NewExtendedConn

common/net/tls.go

@@ -1,58 +0,0 @@
-package net
-
-import (
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
-	"fmt"
-	"math/big"
-)
-
-type Path interface {
-	Resolve(path string) string
-}
-
-func ParseCert(certificate, privateKey string, path Path) (tls.Certificate, error) {
-	if certificate == "" && privateKey == "" {
-		return newRandomTLSKeyPair()
-	}
-	cert, painTextErr := tls.X509KeyPair([]byte(certificate), []byte(privateKey))
-	if painTextErr == nil {
-		return cert, nil
-	}
-
-	certificate = path.Resolve(certificate)
-	privateKey = path.Resolve(privateKey)
-	cert, loadErr := tls.LoadX509KeyPair(certificate, privateKey)
-	if loadErr != nil {
-		return tls.Certificate{}, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
-	}
-	return cert, nil
-}
-
-func newRandomTLSKeyPair() (tls.Certificate, error) {
-	key, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	template := x509.Certificate{SerialNumber: big.NewInt(1)}
-	certDER, err := x509.CreateCertificate(
-		rand.Reader,
-		&template,
-		&template,
-		&key.PublicKey,
-		key)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
-	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
-
-	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	return tlsCert, nil
-}

common/nnip/netip.go

@@ -1,73 +0,0 @@
-package nnip
-
-import (
-	"encoding/binary"
-	"net"
-	"net/netip"
-)
-
-// IpToAddr converts the net.IP to netip.Addr.
-// If slice's length is not 4 or 16, IpToAddr returns netip.Addr{}
-func IpToAddr(slice net.IP) netip.Addr {
-	ip := slice
-	if len(ip) != 4 {
-		if ip = slice.To4(); ip == nil {
-			ip = slice
-		}
-	}
-
-	if addr, ok := netip.AddrFromSlice(ip); ok {
-		return addr
-	}
-	return netip.Addr{}
-}
-
-// UnMasked returns p's last IP address.
-// If p is invalid, UnMasked returns netip.Addr{}
-func UnMasked(p netip.Prefix) netip.Addr {
-	if !p.IsValid() {
-		return netip.Addr{}
-	}
-
-	buf := p.Addr().As16()
-
-	hi := binary.BigEndian.Uint64(buf[:8])
-	lo := binary.BigEndian.Uint64(buf[8:])
-
-	bits := p.Bits()
-	if bits <= 32 {
-		bits += 96
-	}
-
-	hi = hi | ^uint64(0)>>bits
-	lo = lo | ^(^uint64(0) << (128 - bits))
-
-	binary.BigEndian.PutUint64(buf[:8], hi)
-	binary.BigEndian.PutUint64(buf[8:], lo)
-
-	addr := netip.AddrFrom16(buf)
-	if p.Addr().Is4() {
-		return addr.Unmap()
-	}
-	return addr
-}
-
-// PrefixCompare returns an integer comparing two prefixes.
-// The result will be 0 if p == p2, -1 if p < p2, and +1 if p > p2.
-// modify from https://github.com/golang/go/issues/61642#issuecomment-1848587909
-func PrefixCompare(p, p2 netip.Prefix) int {
-	// compare by validity, address family and prefix base address
-	if c := p.Masked().Addr().Compare(p2.Masked().Addr()); c != 0 {
-		return c
-	}
-	// compare by prefix length
-	f1, f2 := p.Bits(), p2.Bits()
-	if f1 < f2 {
-		return -1
-	}
-	if f1 > f2 {
-		return 1
-	}
-	// compare by prefix address
-	return p.Addr().Compare(p2.Addr())
-}

common/observable/observable.go

@@ -10,6 +10,7 @@ type Observable[T any] struct {
 	listener map[Subscription[T]]*Subscriber[T]
 	mux      sync.Mutex
 	done     bool
+	stopCh   chan struct{}
 }
 
 func (o *Observable[T]) process() {
@@ -31,6 +32,7 @@ func (o *Observable[T]) close() {
 	for _, sub := range o.listener {
 		sub.Close()
 	}
+	close(o.stopCh)
 }
 
 func (o *Observable[T]) Subscribe() (Subscription[T], error) {
@@ -59,6 +61,7 @@ func NewObservable[T any](iter Iterable[T]) *Observable[T] {
 	observable := &Observable[T]{
 		iterable: iter,
 		listener: map[Subscription[T]]*Subscriber[T]{},
+		stopCh:   make(chan struct{}),
 	}
 	go observable.process()
 	return observable

common/observable/observable_test.go

@@ -70,9 +70,11 @@ func TestObservable_SubscribeClosedSource(t *testing.T) {
 	src := NewObservable[int](iter)
 	data, _ := src.Subscribe()
 	<-data
-
+	select {
-	_, closed := src.Subscribe()
+	case <-src.stopCh:
-	assert.NotNil(t, closed)
+	case <-time.After(time.Second):
+		assert.Fail(t, "timeout not stop")
+	}
 }
 
 func TestObservable_UnSubscribeWithNotExistSubscription(t *testing.T) {

common/once/oncefunc.go

@@ -0,0 +1,102 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package once
+
+import "sync"
+
+// OnceFunc returns a function that invokes f only once. The returned function
+// may be called concurrently.
+//
+// If f panics, the returned function will panic with the same value on every call.
+func OnceFunc(f func()) func() {
+	var (
+		once  sync.Once
+		valid bool
+		p     any
+	)
+	// Construct the inner closure just once to reduce costs on the fast path.
+	g := func() {
+		defer func() {
+			p = recover()
+			if !valid {
+				// Re-panic immediately so on the first call the user gets a
+				// complete stack trace into f.
+				panic(p)
+			}
+		}()
+		f()
+		f = nil      // Do not keep f alive after invoking it.
+		valid = true // Set only if f does not panic.
+	}
+	return func() {
+		once.Do(g)
+		if !valid {
+			panic(p)
+		}
+	}
+}
+
+// OnceValue returns a function that invokes f only once and returns the value
+// returned by f. The returned function may be called concurrently.
+//
+// If f panics, the returned function will panic with the same value on every call.
+func OnceValue[T any](f func() T) func() T {
+	var (
+		once   sync.Once
+		valid  bool
+		p      any
+		result T
+	)
+	g := func() {
+		defer func() {
+			p = recover()
+			if !valid {
+				panic(p)
+			}
+		}()
+		result = f()
+		f = nil
+		valid = true
+	}
+	return func() T {
+		once.Do(g)
+		if !valid {
+			panic(p)
+		}
+		return result
+	}
+}
+
+// OnceValues returns a function that invokes f only once and returns the values
+// returned by f. The returned function may be called concurrently.
+//
+// If f panics, the returned function will panic with the same value on every call.
+func OnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
+	var (
+		once  sync.Once
+		valid bool
+		p     any
+		r1    T1
+		r2    T2
+	)
+	g := func() {
+		defer func() {
+			p = recover()
+			if !valid {
+				panic(p)
+			}
+		}()
+		r1, r2 = f()
+		f = nil
+		valid = true
+	}
+	return func() (T1, T2) {
+		once.Do(g)
+		if !valid {
+			panic(p)
+		}
+		return r1, r2
+	}
+}

common/picker/picker_test.go

@@ -22,9 +22,10 @@ func sleepAndSend[T any](ctx context.Context, delay int, input T) func() (T, err
 }
 
 func TestPicker_Basic(t *testing.T) {
+	t.Parallel()
 	picker, ctx := WithContext[int](context.Background())
-	picker.Go(sleepAndSend(ctx, 30, 2))
+	picker.Go(sleepAndSend(ctx, 200, 2))
-	picker.Go(sleepAndSend(ctx, 20, 1))
+	picker.Go(sleepAndSend(ctx, 100, 1))
 
 	number := picker.Wait()
 	assert.NotNil(t, number)
@@ -32,8 +33,9 @@ func TestPicker_Basic(t *testing.T) {
 }
 
 func TestPicker_Timeout(t *testing.T) {
+	t.Parallel()
 	picker, ctx := WithTimeout[int](context.Background(), time.Millisecond*5)
-	picker.Go(sleepAndSend(ctx, 20, 1))
+	picker.Go(sleepAndSend(ctx, 100, 1))
 
 	number := picker.Wait()
 	assert.Equal(t, number, lo.Empty[int]())

common/pool/sing.go

@@ -1,6 +1,6 @@
 package pool
 
-import "github.com/sagernet/sing/common/buf"
+import "github.com/metacubex/sing/common/buf"
 
 func init() {
 	buf.DefaultAllocator = defaultAllocator

common/singledo/singledo.go

@@ -13,25 +13,26 @@ type call[T any] struct {
 
 type Single[T any] struct {
 	mux    sync.Mutex
-	last   time.Time
 	wait   time.Duration
 	call   *call[T]
 	result *Result[T]
 }
 
 type Result[T any] struct {
-	Val T
+	Val  T
-	Err error
+	Err  error
+	Time time.Time
 }
 
 // Do single.Do likes sync.singleFlight
 func (s *Single[T]) Do(fn func() (T, error)) (v T, err error, shared bool) {
 	s.mux.Lock()
-	now := time.Now()
+	result := s.result
-	if now.Before(s.last.Add(s.wait)) {
+	if result != nil && time.Since(result.Time) < s.wait {
 		s.mux.Unlock()
-		return s.result.Val, s.result.Err, true
+		return result.Val, result.Err, true
 	}
+	s.result = nil // The result has expired, clear it
 
 	if callM := s.call; callM != nil {
 		s.mux.Unlock()
@@ -47,15 +48,19 @@ func (s *Single[T]) Do(fn func() (T, error)) (v T, err error, shared bool) {
 	callM.wg.Done()
 
 	s.mux.Lock()
-	s.call = nil
+	if s.call == callM { // maybe reset when fn is running
-	s.result = &Result[T]{callM.val, callM.err}
+		s.call = nil
-	s.last = now
+		s.result = &Result[T]{callM.val, callM.err, time.Now()}
+	}
 	s.mux.Unlock()
 	return callM.val, callM.err, false
 }
 
 func (s *Single[T]) Reset() {
-	s.last = time.Time{}
+	s.mux.Lock()
+	s.call = nil
+	s.result = nil
+	s.mux.Unlock()
 }
 
 func NewSingle[T any](wait time.Duration) *Single[T] {

common/singledo/singledo_test.go

@@ -11,12 +11,13 @@ import (
 )
 
 func TestBasic(t *testing.T) {
-	single := NewSingle[int](time.Millisecond * 30)
+	t.Parallel()
+	single := NewSingle[int](time.Millisecond * 200)
 	foo := 0
 	shardCount := atomic.NewInt32(0)
 	call := func() (int, error) {
 		foo++
-		time.Sleep(time.Millisecond * 5)
+		time.Sleep(time.Millisecond * 20)
 		return 0, nil
 	}
 
@@ -39,7 +40,8 @@ func TestBasic(t *testing.T) {
 }
 
 func TestTimer(t *testing.T) {
-	single := NewSingle[int](time.Millisecond * 30)
+	t.Parallel()
+	single := NewSingle[int](time.Millisecond * 200)
 	foo := 0
 	callM := func() (int, error) {
 		foo++
@@ -47,7 +49,7 @@ func TestTimer(t *testing.T) {
 	}
 
 	_, _, _ = single.Do(callM)
-	time.Sleep(10 * time.Millisecond)
+	time.Sleep(100 * time.Millisecond)
 	_, _, shard := single.Do(callM)
 
 	assert.Equal(t, 1, foo)
@@ -55,7 +57,8 @@ func TestTimer(t *testing.T) {
 }
 
 func TestReset(t *testing.T) {
-	single := NewSingle[int](time.Millisecond * 30)
+	t.Parallel()
+	single := NewSingle[int](time.Millisecond * 200)
 	foo := 0
 	callM := func() (int, error) {
 		foo++

common/utils/ranges.go

@@ -3,6 +3,7 @@ package utils
 import (
 	"errors"
 	"fmt"
+	"sort"
 	"strconv"
 	"strings"
 
@@ -139,10 +140,34 @@ func (ranges IntRanges[T]) Range(f func(t T) bool) {
 	}
 
 	for _, r := range ranges {
-		for i := r.Start(); i <= r.End(); i++ {
+		for i := r.Start(); i <= r.End() && i >= r.Start(); i++ {
 			if !f(i) {
 				return
 			}
+			if i+1 < i { // integer overflow
+				break
+			}
 		}
 	}
 }
+
+func (ranges IntRanges[T]) Merge() (mergedRanges IntRanges[T]) {
+	if len(ranges) == 0 {
+		return
+	}
+	sort.Slice(ranges, func(i, j int) bool {
+		return ranges[i].Start() < ranges[j].Start()
+	})
+	mergedRanges = ranges[:1]
+	var rangeIndex int
+	for _, r := range ranges[1:] {
+		if mergedRanges[rangeIndex].End()+1 > mergedRanges[rangeIndex].End() && // integer overflow
+			r.Start() > mergedRanges[rangeIndex].End()+1 {
+			mergedRanges = append(mergedRanges, r)
+			rangeIndex++
+		} else if r.End() > mergedRanges[rangeIndex].End() {
+			mergedRanges[rangeIndex].end = r.End()
+		}
+	}
+	return
+}

common/utils/ranges_test.go

@@ -0,0 +1,82 @@
+package utils
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestMergeRanges(t *testing.T) {
+	t.Parallel()
+	for _, testRange := range []struct {
+		ranges   IntRanges[uint16]
+		expected IntRanges[uint16]
+	}{
+		{
+			ranges: IntRanges[uint16]{
+				NewRange[uint16](0, 1),
+				NewRange[uint16](1, 2),
+			},
+			expected: IntRanges[uint16]{
+				NewRange[uint16](0, 2),
+			},
+		},
+		{
+			ranges: IntRanges[uint16]{
+				NewRange[uint16](0, 3),
+				NewRange[uint16](5, 7),
+				NewRange[uint16](8, 9),
+				NewRange[uint16](10, 10),
+			},
+			expected: IntRanges[uint16]{
+				NewRange[uint16](0, 3),
+				NewRange[uint16](5, 10),
+			},
+		},
+		{
+			ranges: IntRanges[uint16]{
+				NewRange[uint16](1, 3),
+				NewRange[uint16](2, 6),
+				NewRange[uint16](8, 10),
+				NewRange[uint16](15, 18),
+			},
+			expected: IntRanges[uint16]{
+				NewRange[uint16](1, 6),
+				NewRange[uint16](8, 10),
+				NewRange[uint16](15, 18),
+			},
+		},
+		{
+			ranges: IntRanges[uint16]{
+				NewRange[uint16](1, 3),
+				NewRange[uint16](2, 7),
+				NewRange[uint16](2, 6),
+			},
+			expected: IntRanges[uint16]{
+				NewRange[uint16](1, 7),
+			},
+		},
+		{
+			ranges: IntRanges[uint16]{
+				NewRange[uint16](1, 3),
+				NewRange[uint16](2, 6),
+				NewRange[uint16](2, 7),
+			},
+			expected: IntRanges[uint16]{
+				NewRange[uint16](1, 7),
+			},
+		},
+		{
+			ranges: IntRanges[uint16]{
+				NewRange[uint16](1, 3),
+				NewRange[uint16](2, 65535),
+				NewRange[uint16](2, 7),
+				NewRange[uint16](3, 16),
+			},
+			expected: IntRanges[uint16]{
+				NewRange[uint16](1, 65535),
+			},
+		},
+	} {
+		assert.Equal(t, testRange.expected, testRange.ranges.Merge())
+	}
+}

common/utils/slice.go

@@ -16,6 +16,17 @@ func Filter[T comparable](tSlice []T, filter func(t T) bool) []T {
 	return result
 }
 
+func Map[T any, N any](arr []T, block func(it T) N) []N {
+	if arr == nil { // keep nil
+		return nil
+	}
+	retArr := make([]N, 0, len(arr))
+	for index := range arr {
+		retArr = append(retArr, block(arr[index]))
+	}
+	return retArr
+}
+
 func ToStringSlice(value any) ([]string, error) {
 	strArr := make([]string, 0)
 	switch reflect.TypeOf(value).Kind() {

component/ca/config.go

@@ -1,17 +1,13 @@
 package ca
 
 import (
-	"bytes"
-	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	_ "embed"
-	"encoding/hex"
 	"errors"
 	"fmt"
 	"os"
 	"strconv"
-	"strings"
 	"sync"
 
 	C "github.com/metacubex/mihomo/constant"
@@ -81,45 +77,15 @@ func getCertPool() *x509.CertPool {
 	return globalCertPool
 }
 
-func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) {
-	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-		// ssl pining
-		for i := range rawCerts {
-			rawCert := rawCerts[i]
-			cert, err := x509.ParseCertificate(rawCert)
-			if err == nil {
-				hash := sha256.Sum256(cert.Raw)
-				if bytes.Equal(fingerprint[:], hash[:]) {
-					return nil
-				}
-			}
-		}
-		return errNotMatch
-	}
-}
-
-func convertFingerprint(fingerprint string) (*[32]byte, error) {
-	fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))
-	fpByte, err := hex.DecodeString(fingerprint)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(fpByte) != 32 {
-		return nil, fmt.Errorf("fingerprint string length error,need sha256 fingerprint")
-	}
-	return (*[32]byte)(fpByte), nil
-}
-
-// GetTLSConfig specified fingerprint, customCA and customCAString
-func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (*tls.Config, error) {
-	if tlsConfig == nil {
-		tlsConfig = &tls.Config{}
-	}
 	var certificate []byte
 	var err error
 	if len(customCA) > 0 {
-		certificate, err = os.ReadFile(C.Path.Resolve(customCA))
+		path := C.Path.Resolve(customCA)
+		if !C.Path.IsSafePath(path) {
+			return nil, fmt.Errorf("path is not subpath of home directory: %s", path)
+		}
+		certificate, err = os.ReadFile(path)
 		if err != nil {
 			return nil, fmt.Errorf("load ca error: %w", err)
 		}
@@ -131,18 +97,27 @@ func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, cu
 		if !certPool.AppendCertsFromPEM(certificate) {
 			return nil, fmt.Errorf("failed to parse certificate:\n\n %s", certificate)
 		}
-		tlsConfig.RootCAs = certPool
+		return certPool, nil
 	} else {
-		tlsConfig.RootCAs = getCertPool()
+		return getCertPool(), nil
 	}
+}
+
+// GetTLSConfig specified fingerprint, customCA and customCAString
+func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (_ *tls.Config, err error) {
+	if tlsConfig == nil {
+		tlsConfig = &tls.Config{}
+	}
+	tlsConfig.RootCAs, err = GetCertPool(customCA, customCAString)
+	if err != nil {
+		return nil, err
+	}
+
 	if len(fingerprint) > 0 {
-		var fingerprintBytes *[32]byte
+		tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(fingerprint)
-		fingerprintBytes, err = convertFingerprint(fingerprint)
 		if err != nil {
 			return nil, err
 		}
-		tlsConfig = GetGlobalTLSConfig(tlsConfig)
-		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
 		tlsConfig.InsecureSkipVerify = true
 	}
 	return tlsConfig, nil

component/ca/fingerprint.go

@@ -0,0 +1,44 @@
+package ca
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/hex"
+	"fmt"
+	"strings"
+)
+
+// NewFingerprintVerifier returns a function that verifies whether a certificate's SHA-256 fingerprint matches the given one.
+func NewFingerprintVerifier(fingerprint string) (func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error, error) {
+	switch fingerprint {
+	case "chrome", "firefox", "safari", "ios", "android", "edge", "360", "qq", "random", "randomized": // WTF???
+		return nil, fmt.Errorf("`fingerprint` is used for TLS certificate pinning. If you need to specify the browser fingerprint, use `client-fingerprint`")
+	}
+	fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))
+	fpByte, err := hex.DecodeString(fingerprint)
+	if err != nil {
+		return nil, fmt.Errorf("fingerprint string decode error: %w", err)
+	}
+
+	if len(fpByte) != 32 {
+		return nil, fmt.Errorf("fingerprint string length error,need sha256 fingerprint")
+	}
+
+	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+		// ssl pining
+		for _, rawCert := range rawCerts {
+			hash := sha256.Sum256(rawCert)
+			if bytes.Equal(fpByte, hash[:]) {
+				return nil
+			}
+		}
+		return errNotMatch
+	}, nil
+}
+
+// CalculateFingerprint computes the SHA-256 fingerprint of the given DER-encoded certificate and returns it as a hex string.
+func CalculateFingerprint(certDER []byte) string {
+	hash := sha256.Sum256(certDER)
+	return hex.EncodeToString(hash[:])
+}

component/ca/keypair.go

@@ -0,0 +1,98 @@
+package ca
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+)
+
+type Path interface {
+	Resolve(path string) string
+	IsSafePath(path string) bool
+}
+
+// LoadTLSKeyPair loads a TLS key pair from the provided certificate and private key data or file paths, supporting fallback resolution.
+// Returns a tls.Certificate and an error, where the error indicates issues during parsing or file loading.
+// If both certificate and privateKey are empty, generates a random TLS RSA key pair.
+// Accepts a Path interface for resolving file paths when necessary.
+func LoadTLSKeyPair(certificate, privateKey string, path Path) (tls.Certificate, error) {
+	if certificate == "" && privateKey == "" {
+		var err error
+		certificate, privateKey, _, err = NewRandomTLSKeyPair(KeyPairTypeRSA)
+		if err != nil {
+			return tls.Certificate{}, err
+		}
+	}
+	cert, painTextErr := tls.X509KeyPair([]byte(certificate), []byte(privateKey))
+	if painTextErr == nil {
+		return cert, nil
+	}
+	if path == nil {
+		return tls.Certificate{}, painTextErr
+	}
+
+	certificate = path.Resolve(certificate)
+	privateKey = path.Resolve(privateKey)
+	var loadErr error
+	if path.IsSafePath(certificate) && path.IsSafePath(privateKey) {
+		cert, loadErr = tls.LoadX509KeyPair(certificate, privateKey)
+	} else {
+		loadErr = fmt.Errorf("path is not subpath of home directory")
+	}
+	if loadErr != nil {
+		return tls.Certificate{}, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
+	}
+	return cert, nil
+}
+
+type KeyPairType string
+
+const (
+	KeyPairTypeRSA     KeyPairType = "rsa"
+	KeyPairTypeP256    KeyPairType = "p256"
+	KeyPairTypeP384    KeyPairType = "p384"
+	KeyPairTypeEd25519 KeyPairType = "ed25519"
+)
+
+// NewRandomTLSKeyPair generates a random TLS key pair based on the specified KeyPairType and returns it with a SHA256 fingerprint.
+// Note: Most browsers do not support KeyPairTypeEd25519 type of certificate, and utls.UConn will also reject this type of certificate.
+func NewRandomTLSKeyPair(keyPairType KeyPairType) (certificate string, privateKey string, fingerprint string, err error) {
+	var key crypto.Signer
+	switch keyPairType {
+	case KeyPairTypeRSA:
+		key, err = rsa.GenerateKey(rand.Reader, 2048)
+	case KeyPairTypeP256:
+		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	case KeyPairTypeP384:
+		key, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	case KeyPairTypeEd25519:
+		_, key, err = ed25519.GenerateKey(rand.Reader)
+	default: // fallback to KeyPairTypeRSA
+		key, err = rsa.GenerateKey(rand.Reader, 2048)
+	}
+	if err != nil {
+		return
+	}
+
+	template := x509.Certificate{SerialNumber: big.NewInt(1)}
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key)
+	if err != nil {
+		return
+	}
+	privBytes, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return
+	}
+	fingerprint = CalculateFingerprint(certDER)
+	privateKey = string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}))
+	certificate = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}))
+	return
+}

component/dhcp/dhcp.go

@@ -6,7 +6,6 @@ import (
 	"net"
 	"net/netip"
 
-	"github.com/metacubex/mihomo/common/nnip"
 	"github.com/metacubex/mihomo/component/iface"
 
 	"github.com/insomniacslk/dhcp/dhcpv4"
@@ -86,12 +85,14 @@ func receiveOffer(conn net.PacketConn, id dhcpv4.TransactionID, result chan<- []
 			return
 		}
 
-		dnsAddr := make([]netip.Addr, l)
+		results := make([]netip.Addr, 0, len(dns))
-		for i := 0; i < l; i++ {
+		for _, ip := range dns {
-			dnsAddr[i] = nnip.IpToAddr(dns[i])
+			if addr, ok := netip.AddrFromSlice(ip); ok {
+				results = append(results, addr.Unmap())
+			}
 		}
 
-		result <- dnsAddr
+		result <- results
 
 		return
 	}

component/dialer/dialer.go

@@ -7,14 +7,12 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strconv"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/metacubex/mihomo/component/keepalive"
 	"github.com/metacubex/mihomo/component/resolver"
-	"github.com/metacubex/mihomo/log"
 )
 
 const (
@@ -22,34 +20,16 @@ const (
 	DefaultUDPTimeout = DefaultTCPTimeout
 )
 
-type dialFunc func(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error)
+type dialFunc func(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error)
 
 var (
 	dialMux                      sync.Mutex
-	IP4PEnable                   bool
 	actualSingleStackDialContext = serialSingleStackDialContext
 	actualDualStackDialContext   = serialDualStackDialContext
 	tcpConcurrent                = false
 	fallbackTimeout              = 300 * time.Millisecond
 )
 
-func applyOptions(options ...Option) *option {
-	opt := &option{
-		interfaceName: DefaultInterface.Load(),
-		routingMark:   int(DefaultRoutingMark.Load()),
-	}
-
-	for _, o := range DefaultOptions {
-		o(opt)
-	}
-
-	for _, o := range options {
-		o(opt)
-	}
-
-	return opt
-}
-
 func DialContext(ctx context.Context, network, address string, options ...Option) (net.Conn, error) {
 	opt := applyOptions(options...)
 
@@ -79,28 +59,43 @@ func DialContext(ctx context.Context, network, address string, options ...Option
 }
 
 func ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort, options ...Option) (net.PacketConn, error) {
-	cfg := applyOptions(options...)
+	opt := applyOptions(options...)
 
 	lc := &net.ListenConfig{}
-	if cfg.addrReuse {
+	if opt.addrReuse {
 		addrReuseToListenConfig(lc)
 	}
 	if DefaultSocketHook != nil { // ignore interfaceName, routingMark when DefaultSocketHook not null (in CMFA)
 		socketHookToListenConfig(lc)
 	} else {
-		if cfg.interfaceName != "" {
+		if opt.interfaceName == "" {
+			opt.interfaceName = DefaultInterface.Load()
+		}
+		if opt.interfaceName == "" {
+			if finder := DefaultInterfaceFinder.Load(); finder != nil {
+				opt.interfaceName = finder.FindInterfaceName(rAddrPort.Addr())
+			}
+		}
+		if rAddrPort.Addr().Unmap().IsLoopback() {
+			// avoid "The requested address is not valid in its context."
+			opt.interfaceName = ""
+		}
+		if opt.interfaceName != "" {
 			bind := bindIfaceToListenConfig
-			if cfg.fallbackBind {
+			if opt.fallbackBind {
 				bind = fallbackBindIfaceToListenConfig
 			}
-			addr, err := bind(cfg.interfaceName, lc, network, address, rAddrPort)
+			addr, err := bind(opt.interfaceName, lc, network, address, rAddrPort)
 			if err != nil {
 				return nil, err
 			}
 			address = addr
 		}
-		if cfg.routingMark != 0 {
+		if opt.routingMark == 0 {
-			bindMarkToListenConfig(cfg.routingMark, lc, network, address)
+			opt.routingMark = int(DefaultRoutingMark.Load())
+		}
+		if opt.routingMark != 0 {
+			bindMarkToListenConfig(opt.routingMark, lc, network, address)
 		}
 	}
 
@@ -126,11 +121,9 @@ func GetTcpConcurrent() bool {
 	return tcpConcurrent
 }
 
-func dialContext(ctx context.Context, network string, destination netip.Addr, port string, opt *option) (net.Conn, error) {
+func dialContext(ctx context.Context, network string, destination netip.Addr, port string, opt option) (net.Conn, error) {
 	var address string
-	if IP4PEnable {
+	destination, port = resolver.LookupIP4P(destination, port)
-		destination, port = lookupIP4P(destination, port)
-	}
 	address = net.JoinHostPort(destination.String(), port)
 
 	netDialer := opt.netDialer
@@ -153,6 +146,14 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 	if DefaultSocketHook != nil { // ignore interfaceName, routingMark and tfo when DefaultSocketHook not null (in CMFA)
 		socketHookToToDialer(dialer)
 	} else {
+		if opt.interfaceName == "" {
+			opt.interfaceName = DefaultInterface.Load()
+		}
+		if opt.interfaceName == "" {
+			if finder := DefaultInterfaceFinder.Load(); finder != nil {
+				opt.interfaceName = finder.FindInterfaceName(destination)
+			}
+		}
 		if opt.interfaceName != "" {
 			bind := bindIfaceToDialer
 			if opt.fallbackBind {
@@ -162,6 +163,9 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 				return nil, err
 			}
 		}
+		if opt.routingMark == 0 {
+			opt.routingMark = int(DefaultRoutingMark.Load())
+		}
 		if opt.routingMark != 0 {
 			bindMarkToDialer(opt.routingMark, dialer, network, destination)
 		}
@@ -173,26 +177,26 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 	return dialer.DialContext(ctx, network, address)
 }
 
-func serialSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func serialSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	return serialDialContext(ctx, network, ips, port, opt)
 }
 
-func serialDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func serialDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	return dualStackDialContext(ctx, serialDialContext, network, ips, port, opt)
 }
 
-func concurrentSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func concurrentSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	return parallelDialContext(ctx, network, ips, port, opt)
 }
 
-func concurrentDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func concurrentDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	if opt.prefer != 4 && opt.prefer != 6 {
 		return parallelDialContext(ctx, network, ips, port, opt)
 	}
 	return dualStackDialContext(ctx, parallelDialContext, network, ips, port, opt)
 }
 
-func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	ipv4s, ipv6s := resolver.SortationAddr(ips)
 	if len(ipv4s) == 0 && len(ipv6s) == 0 {
 		return nil, ErrorNoIpAddress
@@ -273,7 +277,7 @@ loop:
 	return nil, errors.Join(errs...)
 }
 
-func parallelDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func parallelDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	if len(ips) == 0 {
 		return nil, ErrorNoIpAddress
 	}
@@ -312,7 +316,7 @@ func parallelDialContext(ctx context.Context, network string, ips []netip.Addr,
 	return nil, os.ErrDeadlineExceeded
 }
 
-func serialDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func serialDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	if len(ips) == 0 {
 		return nil, ErrorNoIpAddress
 	}
@@ -373,33 +377,10 @@ func (d Dialer) DialContext(ctx context.Context, network, address string) (net.C
 }
 
 func (d Dialer) ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error) {
-	opt := d.Opt // make a copy
+	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, rAddrPort, WithOption(d.Opt))
-	if rAddrPort.Addr().Unmap().IsLoopback() {
-		// avoid "The requested address is not valid in its context."
-		WithInterface("")(&opt)
-	}
-	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, rAddrPort, WithOption(opt))
 }
 
 func NewDialer(options ...Option) Dialer {
 	opt := applyOptions(options...)
-	return Dialer{Opt: *opt}
+	return Dialer{Opt: opt}
-}
-
-func GetIP4PEnable(enableIP4PConvert bool) {
-	IP4PEnable = enableIP4PConvert
-}
-
-// kanged from https://github.com/heiher/frp/blob/ip4p/client/ip4p.go
-
-func lookupIP4P(addr netip.Addr, port string) (netip.Addr, string) {
-	ip := addr.AsSlice()
-	if ip[0] == 0x20 && ip[1] == 0x01 &&
-		ip[2] == 0x00 && ip[3] == 0x00 {
-		addr = netip.AddrFrom4([4]byte{ip[12], ip[13], ip[14], ip[15]})
-		port = strconv.Itoa(int(ip[10])<<8 + int(ip[11]))
-		log.Debugln("Convert IP4P address %s to %s", ip, net.JoinHostPort(addr.String(), port))
-		return addr, port
-	}
-	return addr, port
 }

component/dialer/options.go

@@ -3,17 +3,23 @@ package dialer
 import (
 	"context"
 	"net"
+	"net/netip"
 
 	"github.com/metacubex/mihomo/common/atomic"
 	"github.com/metacubex/mihomo/component/resolver"
 )
 
 var (
-	DefaultOptions     []Option
 	DefaultInterface   = atomic.NewTypedValue[string]("")
 	DefaultRoutingMark = atomic.NewInt32(0)
+
+	DefaultInterfaceFinder = atomic.NewTypedValue[InterfaceFinder](nil)
 )
 
+type InterfaceFinder interface {
+	FindInterfaceName(destination netip.Addr) string
+}
+
 type NetDialer interface {
 	DialContext(ctx context.Context, network, address string) (net.Conn, error)
 }
@@ -108,3 +114,15 @@ func WithOption(o option) Option {
 		*opt = o
 	}
 }
+
+func IsZeroOptions(opts []Option) bool {
+	return applyOptions(opts...) == option{}
+}
+
+func applyOptions(options ...Option) option {
+	opt := option{}
+	for _, o := range options {
+		o(&opt)
+	}
+	return opt
+}

component/fakeip/pool.go

@@ -6,9 +6,10 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/metacubex/mihomo/common/nnip"
 	"github.com/metacubex/mihomo/component/profile/cachefile"
 	C "github.com/metacubex/mihomo/constant"
+
+	"go4.org/netipx"
 )
 
 const (
@@ -183,7 +184,7 @@ func New(options Options) (*Pool, error) {
 		hostAddr = options.IPNet.Masked().Addr()
 		gateway  = hostAddr.Next()
 		first    = gateway.Next().Next().Next() // default start with 198.18.0.4
-		last     = nnip.UnMasked(options.IPNet)
+		last     = netipx.PrefixLastIP(options.IPNet)
 	)
 
 	if !options.IPNet.IsValid() || !first.IsValid() || !first.Less(last) {

component/http/http.go

@@ -69,7 +69,7 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
-			if conn, err := inner.HandleTcp(address, specialProxy); err == nil {
+			if conn, err := inner.HandleTcp(inner.GetTunnel(), address, specialProxy); err == nil {
 				return conn, nil
 			} else {
 				return dialer.DialContext(ctx, network, address)

component/iface/iface.go

@@ -7,15 +7,17 @@ import (
 	"time"
 
 	"github.com/metacubex/mihomo/common/singledo"
+
+	"github.com/metacubex/bart"
 )
 
 type Interface struct {
 	Index        int
 	MTU          int
 	Name         string
-	Addresses    []netip.Prefix
 	HardwareAddr net.HardwareAddr
 	Flags        net.Flags
+	Addresses    []netip.Prefix
 }
 
 var (
@@ -23,16 +25,23 @@ var (
 	ErrAddrNotFound  = errors.New("addr not found")
 )
 
-var interfaces = singledo.NewSingle[map[string]*Interface](time.Second * 20)
+type ifaceCache struct {
+	ifMap   map[string]*Interface
+	ifTable bart.Table[*Interface]
+}
 
-func Interfaces() (map[string]*Interface, error) {
+var caches = singledo.NewSingle[*ifaceCache](time.Second * 20)
-	value, err, _ := interfaces.Do(func() (map[string]*Interface, error) {
+
+func getCache() (*ifaceCache, error) {
+	value, err, _ := caches.Do(func() (*ifaceCache, error) {
 		ifaces, err := net.Interfaces()
 		if err != nil {
 			return nil, err
 		}
 
-		r := map[string]*Interface{}
+		cache := &ifaceCache{
+			ifMap: make(map[string]*Interface),
+		}
 
 		for _, iface := range ifaces {
 			addrs, err := iface.Addrs()
@@ -61,21 +70,37 @@ func Interfaces() (map[string]*Interface, error) {
 				}
 			}
 
-			r[iface.Name] = &Interface{
+			ifaceObj := &Interface{
 				Index:        iface.Index,
 				MTU:          iface.MTU,
 				Name:         iface.Name,
-				Addresses:    ipNets,
 				HardwareAddr: iface.HardwareAddr,
 				Flags:        iface.Flags,
+				Addresses:    ipNets,
+			}
+			cache.ifMap[iface.Name] = ifaceObj
+
+			if iface.Flags&net.FlagUp == 0 {
+				continue // interface down
+			}
+			for _, prefix := range ipNets {
+				cache.ifTable.Insert(prefix, ifaceObj)
 			}
 		}
 
-		return r, nil
+		return cache, nil
 	})
 	return value, err
 }
 
+func Interfaces() (map[string]*Interface, error) {
+	cache, err := getCache()
+	if err != nil {
+		return nil, err
+	}
+	return cache.ifMap, nil
+}
+
 func ResolveInterface(name string) (*Interface, error) {
 	ifaces, err := Interfaces()
 	if err != nil {
@@ -90,23 +115,29 @@ func ResolveInterface(name string) (*Interface, error) {
 	return iface, nil
 }
 
-func IsLocalIp(ip netip.Addr) (bool, error) {
+func ResolveInterfaceByAddr(addr netip.Addr) (*Interface, error) {
-	ifaces, err := Interfaces()
+	cache, err := getCache()
+	if err != nil {
+		return nil, err
+	}
+	iface, ok := cache.ifTable.Lookup(addr)
+	if !ok {
+		return nil, ErrIfaceNotFound
+	}
+
+	return iface, nil
+}
+
+func IsLocalIp(addr netip.Addr) (bool, error) {
+	cache, err := getCache()
 	if err != nil {
 		return false, err
 	}
-	for _, iface := range ifaces {
+	return cache.ifTable.Contains(addr), nil
-		for _, addr := range iface.Addresses {
-			if addr.Contains(ip) {
-				return true, nil
-			}
-		}
-	}
-	return false, nil
 }
 
 func FlushCache() {
-	interfaces.Reset()
+	caches.Reset()
 }
 
 func (iface *Interface) PickIPv4Addr(destination netip.Addr) (netip.Prefix, error) {

component/keepalive/tcp_keepalive.go

@@ -59,7 +59,7 @@ func SetNetListenConfig(lc *net.ListenConfig) {
 }
 
 func TCPKeepAlive(c net.Conn) {
-	if tcp, ok := c.(*net.TCPConn); ok && tcp != nil {
+	if tcp, ok := c.(TCPConn); ok && tcp != nil {
 		tcpKeepAlive(tcp)
 	}
 }

component/keepalive/tcp_keepalive_go122.go

@@ -2,9 +2,18 @@
 
 package keepalive
 
-import "net"
+import (
+	"net"
+	"time"
+)
 
-func tcpKeepAlive(tcp *net.TCPConn) {
+type TCPConn interface {
+	net.Conn
+	SetKeepAlive(keepalive bool) error
+	SetKeepAlivePeriod(d time.Duration) error
+}
+
+func tcpKeepAlive(tcp TCPConn) {
 	if DisableKeepAlive() {
 		_ = tcp.SetKeepAlive(false)
 	} else {

component/keepalive/tcp_keepalive_go123.go

@@ -4,6 +4,12 @@ package keepalive
 
 import "net"
 
+type TCPConn interface {
+	net.Conn
+	SetKeepAlive(keepalive bool) error
+	SetKeepAliveConfig(config net.KeepAliveConfig) error
+}
+
 func keepAliveConfig() net.KeepAliveConfig {
 	config := net.KeepAliveConfig{
 		Enable:   true,
@@ -18,7 +24,7 @@ func keepAliveConfig() net.KeepAliveConfig {
 	return config
 }
 
-func tcpKeepAlive(tcp *net.TCPConn) {
+func tcpKeepAlive(tcp TCPConn) {
 	if DisableKeepAlive() {
 		_ = tcp.SetKeepAlive(false)
 	} else {

component/process/process_darwin.go

@@ -87,6 +87,7 @@ func findProcessName(network string, ip netip.Addr, port int) (uint32, string, e
 		default:
 			continue
 		}
+		srcIP = srcIP.Unmap()
 
 		if ip == srcIP {
 			// xsocket_n.so_last_pid

component/process/process_freebsd_amd64.go

@@ -10,7 +10,6 @@ import (
 	"syscall"
 	"unsafe"
 
-	"github.com/metacubex/mihomo/common/nnip"
 	"github.com/metacubex/mihomo/log"
 )
 
@@ -136,13 +135,14 @@ func (s *searcher) Search(buf []byte, ip netip.Addr, port uint16, isTCP bool) (u
 		switch {
 		case flag&0x1 > 0 && isIPv4:
 			// ipv4
-			srcIP = nnip.IpToAddr(buf[inp+s.ip : inp+s.ip+4])
+			srcIP, _ = netip.AddrFromSlice(buf[inp+s.ip : inp+s.ip+4])
 		case flag&0x2 > 0 && !isIPv4:
 			// ipv6
-			srcIP = nnip.IpToAddr(buf[inp+s.ip-12 : inp+s.ip+4])
+			srcIP, _ = netip.AddrFromSlice(buf[inp+s.ip-12 : inp+s.ip+4])
 		default:
 			continue
 		}
+		srcIP = srcIP.Unmap()
 
 		if ip != srcIP {
 			continue

component/process/process_windows.go

@@ -7,7 +7,6 @@ import (
 	"syscall"
 	"unsafe"
 
-	"github.com/metacubex/mihomo/common/nnip"
 	"github.com/metacubex/mihomo/log"
 
 	"golang.org/x/sys/windows"
@@ -137,7 +136,8 @@ func (s *searcher) Search(b []byte, ip netip.Addr, port uint16) (uint32, error)
 			continue
 		}
 
-		srcIP := nnip.IpToAddr(row[s.ip : s.ip+s.ipSize])
+		srcIP, _ := netip.AddrFromSlice(row[s.ip : s.ip+s.ipSize])
+		srcIP = srcIP.Unmap()
 		// windows binds an unbound udp socket to 0.0.0.0/[::] while first sendto
 		if ip != srcIP && (!srcIP.IsUnspecified() || s.tcpState != -1) {
 			continue

component/proxydialer/proxydialer.go

@@ -55,8 +55,8 @@ func (p proxyDialer) DialContext(ctx context.Context, network, address string) (
 	}
 	var conn C.Conn
 	var err error
-	if d, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
+	if _, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
-		conn, err = p.proxy.DialContext(ctx, currentMeta, dialer.WithOption(d.Opt))
+		conn, err = p.proxy.DialContext(ctx, currentMeta)
 	} else {
 		conn, err = p.proxy.DialContextWithDialer(ctx, p.dialer, currentMeta)
 	}
@@ -78,8 +78,8 @@ func (p proxyDialer) listenPacket(ctx context.Context, currentMeta *C.Metadata)
 	var pc C.PacketConn
 	var err error
 	currentMeta.NetWork = C.UDP
-	if d, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
+	if _, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
-		pc, err = p.proxy.ListenPacketContext(ctx, currentMeta, dialer.WithOption(d.Opt))
+		pc, err = p.proxy.ListenPacketContext(ctx, currentMeta)
 	} else {
 		pc, err = p.proxy.ListenPacketWithDialer(ctx, p.dialer, currentMeta)
 	}

component/proxydialer/sing.go

@@ -6,8 +6,8 @@ import (
 
 	C "github.com/metacubex/mihomo/constant"
 
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	N "github.com/metacubex/sing/common/network"
 )
 
 type SingDialer interface {

component/proxydialer/slowdown_sing.go

@@ -5,7 +5,7 @@ import (
 	"net"
 
 	"github.com/metacubex/mihomo/component/slowdown"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 type SlowDownSingDialer struct {

component/resolver/ip4p.go

@@ -0,0 +1,37 @@
+package resolver
+
+import (
+	"net"
+	"net/netip"
+	"strconv"
+
+	"github.com/metacubex/mihomo/log"
+)
+
+var (
+	ip4PEnable bool
+)
+
+func GetIP4PEnable() bool {
+	return ip4PEnable
+}
+
+func SetIP4PEnable(enableIP4PConvert bool) {
+	ip4PEnable = enableIP4PConvert
+}
+
+// kanged from https://github.com/heiher/frp/blob/ip4p/client/ip4p.go
+
+func LookupIP4P(addr netip.Addr, port string) (netip.Addr, string) {
+	if ip4PEnable {
+		ip := addr.AsSlice()
+		if ip[0] == 0x20 && ip[1] == 0x01 &&
+			ip[2] == 0x00 && ip[3] == 0x00 {
+			addr = netip.AddrFrom4([4]byte{ip[12], ip[13], ip[14], ip[15]})
+			port = strconv.Itoa(int(ip[10])<<8 + int(ip[11]))
+			log.Debugln("Convert IP4P address %s to %s", ip, net.JoinHostPort(addr.String(), port))
+			return addr, port
+		}
+	}
+	return addr, port
+}

component/resolver/resolver.go

@@ -196,6 +196,26 @@ func ResolveIP(ctx context.Context, host string) (netip.Addr, error) {
 	return ResolveIPWithResolver(ctx, host, DefaultResolver)
 }
 
+// ResolveIPPrefer6WithResolver same as ResolveIP, but with a resolver
+func ResolveIPPrefer6WithResolver(ctx context.Context, host string, r Resolver) (netip.Addr, error) {
+	ips, err := LookupIPWithResolver(ctx, host, r)
+	if err != nil {
+		return netip.Addr{}, err
+	} else if len(ips) == 0 {
+		return netip.Addr{}, fmt.Errorf("%w: %s", ErrIPNotFound, host)
+	}
+	ipv4s, ipv6s := SortationAddr(ips)
+	if len(ipv6s) > 0 {
+		return ipv6s[randv2.IntN(len(ipv6s))], nil
+	}
+	return ipv4s[randv2.IntN(len(ipv4s))], nil
+}
+
+// ResolveIPPrefer6 with a host, return ip and priority return TypeAAAA
+func ResolveIPPrefer6(ctx context.Context, host string) (netip.Addr, error) {
+	return ResolveIPPrefer6WithResolver(ctx, host, DefaultResolver)
+}
+
 func ResetConnection() {
 	if DefaultResolver != nil {
 		go DefaultResolver.ResetConnection()

component/resource/fetcher.go

@@ -3,13 +3,15 @@ package resource
 import (
 	"context"
 	"os"
+	"sync"
 	"time"
 
 	"github.com/metacubex/mihomo/common/utils"
+	"github.com/metacubex/mihomo/component/slowdown"
 	types "github.com/metacubex/mihomo/constant/provider"
 	"github.com/metacubex/mihomo/log"
 
-	"github.com/sagernet/fswatch"
+	"github.com/metacubex/fswatch"
 	"github.com/samber/lo"
 )
 
@@ -27,6 +29,8 @@ type Fetcher[V any] struct {
 	interval     time.Duration
 	onUpdate     func(V)
 	watcher      *fswatch.Watcher
+	loadBufMutex sync.Mutex
+	backoff      slowdown.Backoff
 }
 
 func (f *Fetcher[V]) Name() string {
@@ -46,17 +50,11 @@ func (f *Fetcher[V]) UpdatedAt() time.Time {
 }
 
 func (f *Fetcher[V]) Initial() (V, error) {
-	var (
-		buf      []byte
-		contents V
-		err      error
-	)
-
 	if stat, fErr := os.Stat(f.vehicle.Path()); fErr == nil {
 		// local file exists, use it first
-		buf, err = os.ReadFile(f.vehicle.Path())
+		buf, err := os.ReadFile(f.vehicle.Path())
 		modTime := stat.ModTime()
-		contents, _, err = f.loadBuf(buf, utils.MakeHash(buf), false)
+		contents, _, err := f.loadBuf(buf, utils.MakeHash(buf), false)
 		f.updatedAt = modTime // reset updatedAt to file's modTime
 
 		if err == nil {
@@ -69,21 +67,25 @@ func (f *Fetcher[V]) Initial() (V, error) {
 	}
 
 	// parse local file error, fallback to remote
-	contents, _, err = f.Update()
+	contents, _, updateErr := f.Update()
 
+	// start the pull loop even if f.Update() failed
+	err := f.startPullLoop(false)
 	if err != nil {
 		return lo.Empty[V](), err
 	}
-	err = f.startPullLoop(false)
+
-	if err != nil {
+	if updateErr != nil {
-		return lo.Empty[V](), err
+		return lo.Empty[V](), updateErr
 	}
+
 	return contents, nil
 }
 
 func (f *Fetcher[V]) Update() (V, bool, error) {
 	buf, hash, err := f.vehicle.Read(f.ctx, f.hash)
 	if err != nil {
+		f.backoff.AddAttempt() // add a failed attempt to backoff
 		return lo.Empty[V](), false, err
 	}
 	return f.loadBuf(buf, hash, f.vehicle.Type() != types.File)
@@ -94,6 +96,9 @@ func (f *Fetcher[V]) SideUpdate(buf []byte) (V, bool, error) {
 }
 
 func (f *Fetcher[V]) loadBuf(buf []byte, hash utils.HashType, updateFile bool) (V, bool, error) {
+	f.loadBufMutex.Lock()
+	defer f.loadBufMutex.Unlock()
+
 	now := time.Now()
 	if f.hash.Equal(hash) {
 		if updateFile {
@@ -109,8 +114,10 @@ func (f *Fetcher[V]) loadBuf(buf []byte, hash utils.HashType, updateFile bool) (
 
 	contents, err := f.parser(buf)
 	if err != nil {
+		f.backoff.AddAttempt() // add a failed attempt to backoff
 		return lo.Empty[V](), false, err
 	}
+	f.backoff.Reset() // no error, reset backoff
 
 	if updateFile {
 		if err = f.vehicle.Write(buf); err != nil {
@@ -145,14 +152,25 @@ func (f *Fetcher[V]) pullLoop(forceUpdate bool) {
 		log.Warnln("[Provider] %s not updated for a long time, force refresh", f.Name())
 		f.updateWithLog()
 	}
+	if attempt := f.backoff.Attempt(); attempt > 0 { // f.Update() was failed, decrease the interval from backoff to achieve fast retry
+		if duration := f.backoff.ForAttempt(attempt); duration < initialInterval {
+			initialInterval = duration
+		}
+	}
 
 	timer := time.NewTimer(initialInterval)
 	defer timer.Stop()
 	for {
 		select {
 		case <-timer.C:
-			timer.Reset(f.interval)
 			f.updateWithLog()
+			interval := f.interval
+			if attempt := f.backoff.Attempt(); attempt > 0 { // f.Update() was failed, decrease the interval from backoff to achieve fast retry
+				if duration := f.backoff.ForAttempt(attempt); duration < interval {
+					interval = duration
+				}
+			}
+			timer.Reset(interval)
 		case <-f.ctx.Done():
 			return
 		}
@@ -210,5 +228,11 @@ func NewFetcher[V any](name string, interval time.Duration, vehicle types.Vehicl
 		parser:    parser,
 		onUpdate:  onUpdate,
 		interval:  interval,
+		backoff: slowdown.Backoff{
+			Factor: 2,
+			Jitter: false,
+			Min:    time.Second,
+			Max:    interval,
+		},
 	}
 }

component/slowdown/backoff.go

@@ -4,9 +4,10 @@ package slowdown
 
 import (
 	"math"
-	"math/rand"
 	"sync/atomic"
 	"time"
+
+	"github.com/metacubex/randv2"
 )
 
 // Backoff is a time.Duration counter, starting at Min. After every call to
@@ -63,7 +64,7 @@ func (b *Backoff) ForAttempt(attempt float64) time.Duration {
 	minf := float64(min)
 	durf := minf * math.Pow(factor, attempt)
 	if b.Jitter {
-		durf = rand.Float64()*(durf-minf) + minf
+		durf = randv2.Float64()*(durf-minf) + minf
 	}
 	//ensure float64 wont overflow int64
 	if durf > maxInt64 {
@@ -90,6 +91,11 @@ func (b *Backoff) Attempt() float64 {
 	return float64(b.attempt.Load())
 }
 
+// AddAttempt adds one to the attempt counter.
+func (b *Backoff) AddAttempt() {
+	b.attempt.Add(1)
+}
+
 // Copy returns a backoff with equals constraints as the original
 func (b *Backoff) Copy() *Backoff {
 	return &Backoff{

component/sniffer/dispatcher.go

@@ -60,28 +60,35 @@ func (sd *Dispatcher) forceSniff(metadata *C.Metadata) bool {
 	return false
 }
 
-func (sd *Dispatcher) UDPSniff(packet C.PacketAdapter) bool {
+// UDPSniff is called when a UDP NAT is created and passed the first initialization packet.
+// It may return a wrapped packetSender if the sniffer process needs to wait for multiple packets.
+// This function must be non-blocking, and any blocking operations should be done in the wrapped packetSender.
+func (sd *Dispatcher) UDPSniff(packet C.PacketAdapter, packetSender C.PacketSender) C.PacketSender {
 	metadata := packet.Metadata()
 	if sd.shouldOverride(metadata) {
-		for sniffer, config := range sd.sniffers {
+		for current, config := range sd.sniffers {
-			if sniffer.SupportNetwork() == C.UDP || sniffer.SupportNetwork() == C.ALLNet {
+			if current.SupportNetwork() == C.UDP || current.SupportNetwork() == C.ALLNet {
-				inWhitelist := sniffer.SupportPort(metadata.DstPort)
+				inWhitelist := current.SupportPort(metadata.DstPort)
 				overrideDest := config.OverrideDest
 
 				if inWhitelist {
-					host, err := sniffer.SniffData(packet.Data())
+					if wrapable, ok := current.(sniffer.MultiPacketSniffer); ok {
+						return wrapable.WrapperSender(packetSender, overrideDest)
+					}
+
+					host, err := current.SniffData(packet.Data())
 					if err != nil {
 						continue
 					}
 
-					sd.replaceDomain(metadata, host, overrideDest)
+					replaceDomain(metadata, host, overrideDest)
-					return true
+					return packetSender
 				}
 			}
 		}
 	}
 
-	return false
+	return packetSender
 }
 
 // TCPSniff returns true if the connection is sniffed to have a domain
@@ -130,13 +137,13 @@ func (sd *Dispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) bool
 
 		sd.skipList.Delete(dst)
 
-		sd.replaceDomain(metadata, host, overrideDest)
+		replaceDomain(metadata, host, overrideDest)
 		return true
 	}
 	return false
 }
 
-func (sd *Dispatcher) replaceDomain(metadata *C.Metadata, host string, overrideDest bool) {
+func replaceDomain(metadata *C.Metadata, host string, overrideDest bool) {
 	metadata.SniffHost = host
 	if overrideDest {
 		log.Debugln("[Sniffer] Sniff %s [%s]-->[%s] success, replace domain [%s]-->[%s]",

component/sniffer/quic_sniffer.go

@@ -7,10 +7,15 @@ import (
 	"encoding/binary"
 	"errors"
 	"io"
+	"sync"
+	"time"
 
 	"github.com/metacubex/mihomo/common/buf"
+	"github.com/metacubex/mihomo/common/pool"
 	"github.com/metacubex/mihomo/common/utils"
+	"github.com/metacubex/mihomo/constant"
 	C "github.com/metacubex/mihomo/constant"
+	"github.com/metacubex/mihomo/constant/sniffer"
 
 	"github.com/metacubex/quic-go/quicvarint"
 	"golang.org/x/crypto/hkdf"
@@ -21,6 +26,16 @@ import (
 const (
 	versionDraft29 uint32 = 0xff00001d
 	version1       uint32 = 0x1
+
+	quicPacketTypeInitial = 0x00
+	quicPacketType0RTT    = 0x01
+
+	// Timeout before quic sniffer all packets
+	quicWaitConn = time.Second * 3
+
+	// maxCryptoStreamOffset is the maximum offset allowed on any of the crypto streams.
+	// This limits the size of the ClientHello and Certificates that can be received.
+	maxCryptoStreamOffset = 16 * (1 << 10)
 )
 
 var (
@@ -30,6 +45,9 @@ var (
 	errNotQuicInitial = errors.New("not QUIC initial packet")
 )
 
+var _ sniffer.Sniffer = (*QuicSniffer)(nil)
+var _ sniffer.MultiPacketSniffer = (*QuicSniffer)(nil)
+
 type QuicSniffer struct {
 	*BaseSniffer
 }
@@ -44,67 +62,160 @@ func NewQuicSniffer(snifferConfig SnifferConfig) (*QuicSniffer, error) {
 	}, nil
 }
 
-func (quic QuicSniffer) Protocol() string {
+func (sniffer *QuicSniffer) Protocol() string {
 	return "quic"
 }
 
-func (quic QuicSniffer) SupportNetwork() C.NetWork {
+func (sniffer *QuicSniffer) SupportNetwork() C.NetWork {
 	return C.UDP
 }
 
-func (quic QuicSniffer) SniffData(b []byte) (string, error) {
+func (sniffer *QuicSniffer) SniffData(b []byte) (string, error) {
+	return "", ErrorUnsupportedSniffer
+}
+
+func (sniffer *QuicSniffer) WrapperSender(packetSender constant.PacketSender, override bool) constant.PacketSender {
+	return &quicPacketSender{
+		sender:   packetSender,
+		chClose:  make(chan struct{}),
+		override: override,
+	}
+}
+
+var _ constant.PacketSender = (*quicPacketSender)(nil)
+
+type quicPacketSender struct {
+	lock     sync.RWMutex
+	ranges   utils.IntRanges[uint64]
+	buffer   []byte
+	result   string
+	override bool
+
+	sender constant.PacketSender
+
+	chClose chan struct{}
+	closed  bool
+}
+
+// Send will send PacketAdapter nonblocking
+// the implement must call UDPPacket.Drop() inside Send
+func (q *quicPacketSender) Send(current constant.PacketAdapter) {
+	defer q.sender.Send(current)
+
+	q.lock.RLock()
+	if q.closed {
+		q.lock.RUnlock()
+		return
+	}
+	q.lock.RUnlock()
+
+	err := q.readQuicData(current.Data())
+	if err != nil {
+		q.close()
+		return
+	}
+}
+
+// Process is a blocking loop to send PacketAdapter to PacketConn and update the WriteBackProxy
+func (q *quicPacketSender) Process(conn constant.PacketConn, proxy constant.WriteBackProxy) {
+	q.sender.Process(conn, proxy)
+}
+
+// ResolveUDP wait sniffer recv all fragments and update the domain
+func (q *quicPacketSender) ResolveUDP(data *constant.Metadata) error {
+	select {
+	case <-q.chClose:
+		q.lock.RLock()
+		replaceDomain(data, q.result, q.override)
+		q.lock.RUnlock()
+		break
+	case <-time.After(quicWaitConn):
+		q.close()
+	}
+
+	return q.sender.ResolveUDP(data)
+}
+
+// Close stop the Process loop
+func (q *quicPacketSender) Close() {
+	q.sender.Close()
+	q.close()
+}
+
+func (q *quicPacketSender) close() {
+	q.lock.Lock()
+	q.closeLocked()
+	q.lock.Unlock()
+}
+
+func (q *quicPacketSender) closeLocked() {
+	if !q.closed {
+		close(q.chClose)
+		q.closed = true
+		if q.buffer != nil {
+			_ = pool.Put(q.buffer)
+			q.buffer = nil
+		}
+		q.ranges = nil
+	}
+}
+
+func (q *quicPacketSender) readQuicData(b []byte) error {
 	buffer := buf.As(b)
 	typeByte, err := buffer.ReadByte()
 	if err != nil {
-		return "", errNotQuic
+		return errNotQuic
 	}
 	isLongHeader := typeByte&0x80 > 0
 	if !isLongHeader || typeByte&0x40 == 0 {
-		return "", errNotQuicInitial
+		return errNotQuicInitial
 	}
 
 	vb, err := buffer.ReadBytes(4)
 	if err != nil {
-		return "", errNotQuic
+		return errNotQuic
 	}
 
 	versionNumber := binary.BigEndian.Uint32(vb)
 
 	if versionNumber != 0 && typeByte&0x40 == 0 {
-		return "", errNotQuic
+		return errNotQuic
 	} else if versionNumber != versionDraft29 && versionNumber != version1 {
-		return "", errNotQuic
+		return errNotQuic
 	}
 
-	if (typeByte&0x30)>>4 != 0x0 {
+	connIdLen, err := buffer.ReadByte()
-		return "", errNotQuicInitial
+	if err != nil || connIdLen == 0 {
+		return errNotQuic
+	}
+	destConnID := make([]byte, int(connIdLen))
+	if _, err := io.ReadFull(buffer, destConnID); err != nil {
+		return errNotQuic
 	}
 
-	var destConnID []byte
+	packetType := (typeByte & 0x30) >> 4
-	if l, err := buffer.ReadByte(); err != nil {
+	if packetType != quicPacketTypeInitial {
-		return "", errNotQuic
+		return nil
-	} else if destConnID, err = buffer.ReadBytes(int(l)); err != nil {
-		return "", errNotQuic
 	}
 
 	if l, err := buffer.ReadByte(); err != nil {
-		return "", errNotQuic
+		return errNotQuic
 	} else if _, err := buffer.ReadBytes(int(l)); err != nil {
-		return "", errNotQuic
+		return errNotQuic
 	}
 
 	tokenLen, err := quicvarint.Read(buffer)
 	if err != nil || tokenLen > uint64(len(b)) {
-		return "", errNotQuic
+		return errNotQuic
 	}
 
 	if _, err = buffer.ReadBytes(int(tokenLen)); err != nil {
-		return "", errNotQuic
+		return errNotQuic
 	}
 
 	packetLen, err := quicvarint.Read(buffer)
 	if err != nil {
-		return "", errNotQuic
+		return errNotQuic
 	}
 
 	hdrLen := len(b) - buffer.Len()
@@ -120,7 +231,7 @@ func (quic QuicSniffer) SniffData(b []byte) (string, error) {
 	hpKey := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic hp", 16)
 	block, err := aes.NewCipher(hpKey)
 	if err != nil {
-		return "", err
+		return err
 	}
 
 	cache := buf.NewPacket()
@@ -130,6 +241,7 @@ func (quic QuicSniffer) SniffData(b []byte) (string, error) {
 	block.Encrypt(mask, b[hdrLen+4:hdrLen+4+16])
 	firstByte := b[0]
 	// Encrypt/decrypt first byte.
+
 	if isLongHeader {
 		// Long header: 4 bits masked
 		// High 4 bits are not protected.
@@ -153,8 +265,8 @@ func (quic QuicSniffer) SniffData(b []byte) (string, error) {
 		packetNumber[i] ^= mask[1+i]
 	}
 
-	if packetNumber[0] != 0 && packetNumber[0] != 1 {
+	if int(packetLen)+hdrLen > len(b) || extHdrLen > len(b) {
-		return "", errNotQuicInitial
+		return errNotQuic
 	}
 
 	data := b[extHdrLen : int(packetLen)+hdrLen]
@@ -163,12 +275,13 @@ func (quic QuicSniffer) SniffData(b []byte) (string, error) {
 	iv := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic iv", 12)
 	aesCipher, err := aes.NewCipher(key)
 	if err != nil {
-		return "", err
+		return err
 	}
 	aead, err := cipher.NewGCM(aesCipher)
 	if err != nil {
-		return "", err
+		return err
 	}
+
 	// We only decrypt once, so we do not need to XOR it back.
 	// https://github.com/quic-go/qtls-go1-20/blob/e132a0e6cb45e20ac0b705454849a11d09ba5a54/cipher_suites.go#L496
 	for i, b := range packetNumber {
@@ -177,13 +290,20 @@ func (quic QuicSniffer) SniffData(b []byte) (string, error) {
 	dst := cache.Extend(len(data))
 	decrypted, err := aead.Open(dst[:0], iv, data, extHdr)
 	if err != nil {
-		return "", err
+		return err
 	}
+
 	buffer = buf.As(decrypted)
 
-	cryptoLen := uint(0)
-	cryptoData := cache.Extend(buffer.Len())
 	for i := 0; !buffer.IsEmpty(); i++ {
+		q.lock.RLock()
+		if q.closed {
+			q.lock.RUnlock()
+			// close() was called, just return
+			return nil
+		}
+		q.lock.RUnlock()
+
 		frameType := byte(0x0) // Default to PADDING frame
 		for frameType == 0x0 && !buffer.IsEmpty() {
 			frameType, _ = buffer.ReadByte()
@@ -193,79 +313,131 @@ func (quic QuicSniffer) SniffData(b []byte) (string, error) {
 		case 0x01: // PING frame
 		case 0x02, 0x03: // ACK frame
 			if _, err = quicvarint.Read(buffer); err != nil { // Field: Largest Acknowledged
-				return "", io.ErrUnexpectedEOF
+				return io.ErrUnexpectedEOF
 			}
 			if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Delay
-				return "", io.ErrUnexpectedEOF
+				return io.ErrUnexpectedEOF
 			}
 			ackRangeCount, err := quicvarint.Read(buffer) // Field: ACK Range Count
 			if err != nil {
-				return "", io.ErrUnexpectedEOF
+				return io.ErrUnexpectedEOF
 			}
 			if _, err = quicvarint.Read(buffer); err != nil { // Field: First ACK Range
-				return "", io.ErrUnexpectedEOF
+				return io.ErrUnexpectedEOF
 			}
 			for i := 0; i < int(ackRangeCount); i++ { // Field: ACK Range
 				if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Range -> Gap
-					return "", io.ErrUnexpectedEOF
+					return io.ErrUnexpectedEOF
 				}
 				if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Range -> ACK Range Length
-					return "", io.ErrUnexpectedEOF
+					return io.ErrUnexpectedEOF
 				}
 			}
 			if frameType == 0x03 {
 				if _, err = quicvarint.Read(buffer); err != nil { // Field: ECN Counts -> ECT0 Count
-					return "", io.ErrUnexpectedEOF
+					return io.ErrUnexpectedEOF
 				}
 				if _, err = quicvarint.Read(buffer); err != nil { // Field: ECN Counts -> ECT1 Count
-					return "", io.ErrUnexpectedEOF
+					return io.ErrUnexpectedEOF
 				}
 				if _, err = quicvarint.Read(buffer); err != nil { //nolint:misspell // Field: ECN Counts -> ECT-CE Count
-					return "", io.ErrUnexpectedEOF
+					return io.ErrUnexpectedEOF
 				}
 			}
 		case 0x06: // CRYPTO frame, we will use this frame
 			offset, err := quicvarint.Read(buffer) // Field: Offset
 			if err != nil {
-				return "", io.ErrUnexpectedEOF
+				return io.ErrUnexpectedEOF
 			}
 			length, err := quicvarint.Read(buffer) // Field: Length
 			if err != nil || length > uint64(buffer.Len()) {
-				return "", io.ErrUnexpectedEOF
+				return io.ErrUnexpectedEOF
 			}
-			if cryptoLen < uint(offset+length) {
+
-				cryptoLen = uint(offset + length)
+			end := offset + length
+			if end > maxCryptoStreamOffset {
+				return io.ErrShortBuffer
 			}
-			if _, err := buffer.Read(cryptoData[offset : offset+length]); err != nil { // Field: Crypto Data
+
-				return "", io.ErrUnexpectedEOF
+			q.lock.Lock()
+			if q.closed {
+				q.lock.Unlock()
+				// close() was called, just return
+				return nil
 			}
+			if q.buffer == nil {
+				q.buffer = pool.Get(maxCryptoStreamOffset)[:end]
+			} else if end > uint64(len(q.buffer)) {
+				q.buffer = q.buffer[:end]
+			}
+			target := q.buffer[offset:end]
+			if _, err := buffer.Read(target); err != nil { // Field: Crypto Data
+				q.lock.Unlock()
+				return io.ErrUnexpectedEOF
+			}
+			q.ranges = append(q.ranges, utils.NewRange(offset, end))
+			q.ranges = q.ranges.Merge()
+			q.lock.Unlock()
 		case 0x1c: // CONNECTION_CLOSE frame, only 0x1c is permitted in initial packet
 			if _, err = quicvarint.Read(buffer); err != nil { // Field: Error Code
-				return "", io.ErrUnexpectedEOF
+				return io.ErrUnexpectedEOF
 			}
 			if _, err = quicvarint.Read(buffer); err != nil { // Field: Frame Type
-				return "", io.ErrUnexpectedEOF
+				return io.ErrUnexpectedEOF
 			}
 			length, err := quicvarint.Read(buffer) // Field: Reason Phrase Length
 			if err != nil {
-				return "", io.ErrUnexpectedEOF
+				return io.ErrUnexpectedEOF
 			}
 			if _, err := buffer.ReadBytes(int(length)); err != nil { // Field: Reason Phrase
-				return "", io.ErrUnexpectedEOF
+				return io.ErrUnexpectedEOF
 			}
 		default:
 			// Only above frame types are permitted in initial packet.
 			// See https://www.rfc-editor.org/rfc/rfc9000.html#section-17.2.2-8
-			return "", errNotQuicInitial
+			return errNotQuicInitial
 		}
 	}
 
-	domain, err := ReadClientHello(cryptoData[:cryptoLen])
+	return q.tryAssemble()
-	if err != nil {
+}
-		return "", err
+
+func (q *quicPacketSender) tryAssemble() error {
+	q.lock.RLock()
+
+	if q.closed {
+		q.lock.RUnlock()
+		// close() was called, just return
+		return nil
 	}
 
-	return *domain, nil
+	if len(q.ranges) != 1 || q.ranges[0].Start() != 0 || q.ranges[0].End() != uint64(len(q.buffer)) {
+		q.lock.RUnlock()
+		// incomplete fragment, just return
+		return nil
+	}
+
+	if len(q.buffer) <= 4 ||
+		// Handshake Type (1) + uint24 Length (3) + ClientHello body
+		// maxCryptoStreamOffset is in the valid range of uint16 so just ignore the q.buffer[1]
+		int(binary.BigEndian.Uint16([]byte{q.buffer[2], q.buffer[3]})+4) != len(q.buffer) {
+		q.lock.RUnlock()
+		// end of segment not reached, just return
+		return nil
+	}
+
+	domain, err := ReadClientHello(q.buffer)
+	q.lock.RUnlock()
+	if err != nil {
+		return err
+	}
+
+	q.lock.Lock()
+	q.result = *domain
+	q.closeLocked()
+	q.lock.Unlock()
+
+	return nil
 }
 
 func hkdfExpandLabel(hash crypto.Hash, secret, context []byte, label string, length int) []byte {

component/sniffer/sniff_test.go

@@ -3,35 +3,184 @@ package sniffer
 import (
 	"bytes"
 	"encoding/hex"
-	"github.com/stretchr/testify/assert"
+	"net"
+	"net/netip"
 	"testing"
+
+	"github.com/metacubex/mihomo/constant"
+	"github.com/stretchr/testify/assert"
 )
 
+type fakeSender struct {
+	resultCh chan *constant.Metadata
+}
+
+var _ constant.PacketSender = (*fakeSender)(nil)
+
+func (e *fakeSender) Send(packet constant.PacketAdapter) {
+	// Ensure that the wrapper's Send can correctly handle the situation where the packet is directly discarded.
+	packet.Drop()
+}
+
+func (e *fakeSender) Process(constant.PacketConn, constant.WriteBackProxy) {
+	panic("not implemented")
+}
+
+func (e *fakeSender) ResolveUDP(metadata *constant.Metadata) error {
+	e.resultCh <- metadata
+	return nil
+}
+
+func (e *fakeSender) Close() {
+	panic("not implemented")
+}
+
+type fakeUDPPacket struct {
+	data  []byte
+	data2 []byte // backup
+}
+
+func (s *fakeUDPPacket) InAddr() net.Addr {
+	return net.UDPAddrFromAddrPort(netip.AddrPortFrom(netip.IPv4Unspecified(), 0))
+}
+
+func (s *fakeUDPPacket) LocalAddr() net.Addr {
+	return net.UDPAddrFromAddrPort(netip.AddrPortFrom(netip.IPv4Unspecified(), 0))
+}
+
+func (s *fakeUDPPacket) Data() []byte {
+	return s.data
+}
+
+func (s *fakeUDPPacket) WriteBack(b []byte, addr net.Addr) (n int, err error) {
+	return 0, net.ErrClosed
+}
+
+func (s *fakeUDPPacket) Drop() {
+	for i := range s.data {
+		if s.data[i] != s.data2[i] { // ensure input data not changed
+			panic("data has been changed!")
+		}
+		s.data[i] = 0 // forcing data to become illegal
+	}
+	s.data = nil
+}
+
+var _ constant.UDPPacket = (*fakeUDPPacket)(nil)
+
+func asPacket(data string) constant.PacketAdapter {
+	pktData, _ := hex.DecodeString(data)
+
+	meta := &constant.Metadata{}
+	pkt := &fakeUDPPacket{data: pktData, data2: bytes.Clone(pktData)}
+	pktAdp := constant.NewPacketAdapter(pkt, meta)
+
+	return pktAdp
+}
+
+func testQuicSniffer(data []string, async bool) (string, error) {
+	q, err := NewQuicSniffer(SnifferConfig{})
+	if err != nil {
+		return "", err
+	}
+
+	resultCh := make(chan *constant.Metadata, 1)
+	emptySender := &fakeSender{resultCh: resultCh}
+
+	sender := q.WrapperSender(emptySender, true)
+
+	go func() {
+		meta := constant.Metadata{}
+		err = sender.ResolveUDP(&meta)
+		if err != nil {
+			panic(err)
+		}
+	}()
+
+	for _, d := range data {
+		if async {
+			go sender.Send(asPacket(d))
+		} else {
+			sender.Send(asPacket(d))
+		}
+	}
+
+	meta := <-resultCh
+	return meta.SniffHost, nil
+}
+
 func TestQuicHeaders(t *testing.T) {
+
 	cases := []struct {
-		input  string
+		input  []string
 		domain string
 	}{
+		//Normal domain quic sniff
 		{
-			input:  "cd0000000108f1fb7bcc78aa5e7203a8f86400421531fe825b19541876db6c55c38890cd73149d267a084afee6087304095417a3033df6a81bbb71d8512e7a3e16df1e277cae5df3182cb214b8fe982ba3fdffbaa9ffec474547d55945f0fddbeadfb0b5243890b2fa3da45169e2bd34ec04b2e29382f48d612b28432a559757504d158e9e505407a77dd34f4b60b8d3b555ee85aacd6648686802f4de25e7216b19e54c5f78e8a5963380c742d861306db4c16e4f7fc94957aa50b9578a0b61f1e406b2ad5f0cd3cd271c4d99476409797b0c3cb3efec256118912d4b7e4fd79d9cb9016b6e5eaa4f5e57b637b217755daf8968a4092bed0ed5413f5d04904b3a61e4064f9211b2629e5b52a89c7b19f37a713e41e27743ea6dfa736dfa1bb0a4b2bc8c8dc632c6ce963493a20c550e6fdb2475213665e9a85cfc394da9cec0cf41f0c8abed3fc83be5245b2b5aa5e825d29349f721d30774ef5bf965b540f3d8d98febe20956b1fc8fa047e10e7d2f921c9c6622389e02322e80621a1cf5264e245b7276966eb02932584e3f7038bd36aa908766ad3fb98344025dec18670d6db43a1c5daac00937fce7b7c7d61ff4e6efd01a2bdee0ee183108b926393df4f3d74bbcbb015f240e7e346b7d01c41111a401225ce3b095ab4623a5836169bf9599eeca79d1d2e9b2202b5960a09211e978058d6fc0484eff3e91ce4649a5e3ba15b906d334cf66e28d9ff575406e1ae1ac2febafd72870b6f5d58fc5fb949cb1f40feb7c1d9ce5e71b",
+			input:  []string{"cd0000000108f1fb7bcc78aa5e7203a8f86400421531fe825b19541876db6c55c38890cd73149d267a084afee6087304095417a3033df6a81bbb71d8512e7a3e16df1e277cae5df3182cb214b8fe982ba3fdffbaa9ffec474547d55945f0fddbeadfb0b5243890b2fa3da45169e2bd34ec04b2e29382f48d612b28432a559757504d158e9e505407a77dd34f4b60b8d3b555ee85aacd6648686802f4de25e7216b19e54c5f78e8a5963380c742d861306db4c16e4f7fc94957aa50b9578a0b61f1e406b2ad5f0cd3cd271c4d99476409797b0c3cb3efec256118912d4b7e4fd79d9cb9016b6e5eaa4f5e57b637b217755daf8968a4092bed0ed5413f5d04904b3a61e4064f9211b2629e5b52a89c7b19f37a713e41e27743ea6dfa736dfa1bb0a4b2bc8c8dc632c6ce963493a20c550e6fdb2475213665e9a85cfc394da9cec0cf41f0c8abed3fc83be5245b2b5aa5e825d29349f721d30774ef5bf965b540f3d8d98febe20956b1fc8fa047e10e7d2f921c9c6622389e02322e80621a1cf5264e245b7276966eb02932584e3f7038bd36aa908766ad3fb98344025dec18670d6db43a1c5daac00937fce7b7c7d61ff4e6efd01a2bdee0ee183108b926393df4f3d74bbcbb015f240e7e346b7d01c41111a401225ce3b095ab4623a5836169bf9599eeca79d1d2e9b2202b5960a09211e978058d6fc0484eff3e91ce4649a5e3ba15b906d334cf66e28d9ff575406e1ae1ac2febafd72870b6f5d58fc5fb949cb1f40feb7c1d9ce5e71b"},
 			domain: "www.google.com",
 		},
 		{
-			input:  "c3000000011266f50524e8d0fe88cbf51e3ad71a13198235000044c82dc5d943fb34cc6d5c5e433610dc7a44f5951935c2c1d14ac641b02472340a892c4492dbfe3f8262109108fc36d96bdc1e9e46b5f1f6ef6104add2aafbfd8e79246eb3b4637541aaed7d195571724e642ab4d31c909f1db86e7d8516117ce8716bd1e3acb664c499086b0f3bc7258595420e7bb969f934457d195e832ffff4ffddf11123eeadacc48190e356c8f0f6abc381deb7e285e3b0613a795b19bddb9f002ffdf6fd70f0ff2072302b33d2421aac6540bb9f0e85c7237af0dd56225b2264d769160febab952e64bd5155f23e58c6113891143f946591032b41816aed3ac54f521f60605f86791de24c5765b664c1348cc53d5d631b4bbefe1915f2b21fefafb47badeb72d8ba1fd5c3cfeb0ba9d0112396f170e94cd33952c4fa87997b870931bf1a300e8e127f530815ff087815b4f9d004cbcd17013ac143847572a1655a5b36e054e8b9951d747c2c6ff25d7b2edb13a2a6b8074062332f2191f6830cf435a4ed9db5d9c4eb43a143bf3edf0c48f6f9435dafad4afb743a5a33990379df953ecd388e848aff0ebba9ccc052b8303c0bd1fee7e7553af1894e81b7772818bb69249540ccb8cfb47b1517abaf71c81c3bd271f1a5f1b66465f850f377c9db682b8e543c3d0c10fcd2dee263630889b7d1d521d1d27e866ea4ab5f43790d6a7f76ceefd5783678ca92cc131fa42fc4a01e2a81cad734ddf17a53e1bda8e0a21afc9e8c1118c9459b13519f5b3c3d9692c92234f01129d47ae8ec70625170847472801190b46d36f73b868f55f5a18a3cb05af6d38610e0829e4fbf13ddcc202341702e43dcf33be76ff4afe327e5783287c137aad075752940b41e7d9f5146e36d908897c6d7a9fdc343fde2d9c9d6e6a6b237669bd3e6abe0a732861a679eadfa29a876c6a646953c9361830811b012b26b31c9e7158f8de9c9a108346ddee3dd3886da6258364c1281bff8e055f6384e3a23e198b5e6b726fa7f811b3338072019d4b5fd05891770d11e3ed6ab5f7ed33db1c6220c5aa8fa1909949ac55d5435b75982e17aa80940fa574f0aba4dc340129cad491fdf1f5e05c4e83e36ad29ff38f15e1c9436c792024442f57f07583d671dd05446c84ea20b471303f6ae4e5e13f244d671e0ebe94d3d5c17d3f3f378cdd51fa8a6d2c977c78a2397dd1e251cd979803d617d45f575e5d9db0a28b3c4c25fe2af24af5bddac09786b6d6d8aa19cfbd5409bdbfed7d518ef5c863f3ee757bd9d37cddc546cc57d2e52b6ae58789f297a300f1d76c3842603eae4b1224de31a939a68875c86e697aeebf7ebc65568f43fc681bacab830ac4a2164d324e90067125bad702192d01cb3cb3d2689ae681967e86fd7ac93a25cf2e905c88ca5ad7d11962f021754cf3f61224517bd3411d5b5a83955bcea79d702466d073a6eaadc1202b3693e555b051a5b19457023a01e7f943742bb7f5f8aeba8d4e363973aebdccfb12479619cfb93e833be702a307e796dc7431a48abd9b755b392c510b98cd20ef778e2ac88d6a04f23ba8a253d7eb7c13e0c88c3a21f7e23857c58704d139703a47e0965bf2dc8810dc36894ac1f3da73c155e271c106a718b2d184e4e5637c820fe909984642960edfc9e62ac50af5dd3feee6bc560ced7bda676d4e290c9c5916fad52180bbc83d3483e95c79bac15c209936f21042dc2b6253eefdac06e7f4745044eaa0acedabf1d1c8cd9402738",
+			input:  []string{"c3000000011266f50524e8d0fe88cbf51e3ad71a13198235000044c82dc5d943fb34cc6d5c5e433610dc7a44f5951935c2c1d14ac641b02472340a892c4492dbfe3f8262109108fc36d96bdc1e9e46b5f1f6ef6104add2aafbfd8e79246eb3b4637541aaed7d195571724e642ab4d31c909f1db86e7d8516117ce8716bd1e3acb664c499086b0f3bc7258595420e7bb969f934457d195e832ffff4ffddf11123eeadacc48190e356c8f0f6abc381deb7e285e3b0613a795b19bddb9f002ffdf6fd70f0ff2072302b33d2421aac6540bb9f0e85c7237af0dd56225b2264d769160febab952e64bd5155f23e58c6113891143f946591032b41816aed3ac54f521f60605f86791de24c5765b664c1348cc53d5d631b4bbefe1915f2b21fefafb47badeb72d8ba1fd5c3cfeb0ba9d0112396f170e94cd33952c4fa87997b870931bf1a300e8e127f530815ff087815b4f9d004cbcd17013ac143847572a1655a5b36e054e8b9951d747c2c6ff25d7b2edb13a2a6b8074062332f2191f6830cf435a4ed9db5d9c4eb43a143bf3edf0c48f6f9435dafad4afb743a5a33990379df953ecd388e848aff0ebba9ccc052b8303c0bd1fee7e7553af1894e81b7772818bb69249540ccb8cfb47b1517abaf71c81c3bd271f1a5f1b66465f850f377c9db682b8e543c3d0c10fcd2dee263630889b7d1d521d1d27e866ea4ab5f43790d6a7f76ceefd5783678ca92cc131fa42fc4a01e2a81cad734ddf17a53e1bda8e0a21afc9e8c1118c9459b13519f5b3c3d9692c92234f01129d47ae8ec70625170847472801190b46d36f73b868f55f5a18a3cb05af6d38610e0829e4fbf13ddcc202341702e43dcf33be76ff4afe327e5783287c137aad075752940b41e7d9f5146e36d908897c6d7a9fdc343fde2d9c9d6e6a6b237669bd3e6abe0a732861a679eadfa29a876c6a646953c9361830811b012b26b31c9e7158f8de9c9a108346ddee3dd3886da6258364c1281bff8e055f6384e3a23e198b5e6b726fa7f811b3338072019d4b5fd05891770d11e3ed6ab5f7ed33db1c6220c5aa8fa1909949ac55d5435b75982e17aa80940fa574f0aba4dc340129cad491fdf1f5e05c4e83e36ad29ff38f15e1c9436c792024442f57f07583d671dd05446c84ea20b471303f6ae4e5e13f244d671e0ebe94d3d5c17d3f3f378cdd51fa8a6d2c977c78a2397dd1e251cd979803d617d45f575e5d9db0a28b3c4c25fe2af24af5bddac09786b6d6d8aa19cfbd5409bdbfed7d518ef5c863f3ee757bd9d37cddc546cc57d2e52b6ae58789f297a300f1d76c3842603eae4b1224de31a939a68875c86e697aeebf7ebc65568f43fc681bacab830ac4a2164d324e90067125bad702192d01cb3cb3d2689ae681967e86fd7ac93a25cf2e905c88ca5ad7d11962f021754cf3f61224517bd3411d5b5a83955bcea79d702466d073a6eaadc1202b3693e555b051a5b19457023a01e7f943742bb7f5f8aeba8d4e363973aebdccfb12479619cfb93e833be702a307e796dc7431a48abd9b755b392c510b98cd20ef778e2ac88d6a04f23ba8a253d7eb7c13e0c88c3a21f7e23857c58704d139703a47e0965bf2dc8810dc36894ac1f3da73c155e271c106a718b2d184e4e5637c820fe909984642960edfc9e62ac50af5dd3feee6bc560ced7bda676d4e290c9c5916fad52180bbc83d3483e95c79bac15c209936f21042dc2b6253eefdac06e7f4745044eaa0acedabf1d1c8cd9402738"},
 			domain: "cloudflare-dns.com",
 		},
+
+		// Fragmented quic sniff
+		{
+			input: []string{
+				"c70000000108afb466a232f7f9f2000044d0168a15a021477ecb9731ed77784d42301462e2d59b0395adc1fa6b569d428583f100860d6b6ae29b6c1b8c0f9c0d9081475ff801f34a9e0677adf685f02b1169fe86c683fb51934915ff43921a73b98fb0b734406f8dd90ce6060d75e923b0d3c738291b421bf16de27ed4785d727ce589f5d0957c413c81d6ee75052e3ab50fe53f1abbb24a138a52e1412683992ad769e65ed301a736914843543e2a3e11eb395726d4fcc9283f8607b38685069f63d05ab8bf38aa24d4073a1e68fa1b6087cec44d7fa628342e9d88a0d20b381014cdd1a07b9d913a3bbcad0cfbddd0560617cf26054138075eb86e06db1e68781541587302e6dda86cae779f9848fcefcc33626f8953bfe4dc293d23e74c87020e79e9ffd58ee345382bd4d1d6e5a3389b0a977124708d05e3c305545857041734dc7092901ab54604b3750b3139dd3b8f2bd94cda89d85be3756fda6f0cfb6f66af3d2e36a7808ff7bce271a0272f8dbc88193ede31613433985cd35c7bd9b627d434e7b2e94b38402b8f1b5619a903572dcf4c2b864c6ee66657c9ec81e03fbe765037f83b2229171888ba08651fc78a1b50c7cc52f6dfe8273723e08932b1a16a6b717a80b5520cf3f40e46f9d9c350eaa914bf99dd4ab700cfdae21437daf695916d4f3121235e4913e0657d8cdcf4afd8f2c7ef977a2dfe49f46fef46c8fa6932e745311d4a6eb3124d5e0a204b9e3227e86a55e662f7002d4f4a72cba8c77c3adc3eff076dfb9195cf68455cecbbfc9b5444d9c4a4775bba68d57ff52edac6ce6ff4efbf6466579bf68308f2ba9a59b2c09506064091a86af621e9dae52366a90599db0d64a23944bc48966b6d3ab8e20f4afb5b0e94370d26a89a9c4207b454554e58ac74f62ffb3eb2686eaa596b9610322a5ce8eeb42f2ead1c71b11b51bc4f1800eb549a2bb529ca4a0d165ae461e45b556b2365e9459d531489d59d0dfa544a76c5c00b0a01270741d4061a331c32fd6cd0e68bbce49137b852e215c9db52f3e430416d8979520e5270be324f3d93132358c0eac35a4618ea7aad997dbbd8e99d4ea577271b935e3fe928f90abd94593806d272a565a414686b8e56c28e34b77671de6a696b09414380bc658c69a309d3225ba8493e9076dac776c845ce11a7ccd6cae58fba5434014250f3e211058b2efe3424b991d679a02ba949b086ba12144c7df3e049b5d026f386e4ae712c9b0b4b02730dd6862ed4e72730224cb6ec9101c5cbb7ee4fc30d497bb1dbf74ffdd49d8cae6c7c9a364ede453d9ae25edf27a2153ab285f3e3be66b2968d67a56480f1f74c4fe61dc69db3451f5b113d7ca02e5afa8627f579c07a9b1814853fb8fdaf0c0f220f89725c757f5617ba4e43cb4f3ad9ce18f48f23d10f9e8950b0fd737070655730532896d93df8768860ebf941365d0634db399feab1f8a88bad28d25e689c5a57321debb8d1435130e90a699e17fa5255f2063f09659a432e9ab5f89eeabe12756bfc5e02fcae2b78a9d0f570934b8d4af8f4afbd57549176f465a0cea485dd89c95a8ae915b4b99548a4c939710c16908f968368baf5f547cfee07f3cbb6142041d6e6084aac253a0d3aeac628cfe76f87b94c3806cb14a912ce8e4981e316511d5ede36f526805d6c3fab5b72d9d91f4eacd26e28cb181ec66611818f5c206ddd52488707a940dc12144ae825d25929bc32b718f46e471fdb30762d299b45c84f6310a72b60",
+				"c20000000108afb466a232f7f9f2000044d00582e8683e329a63e5bf4dc93e93e325ff661e74b9cabefdfbf6065c7ab203c8a629534e87e5f2d4c0f463352904642358b8f137e99802c3a26cf22235782a777769ecd134c6b4d0dce6aa10b485c45ccdcf6deb805342e99ef97e2777aee0b2a44073843fccc2f8eb837031f76a8e968cb01c13c1268af095f54f860958e4062a84e2527bcc9b25a7791650a844de1b0c4b2476282a0e00c9de9d39a41914d1e797a88a8997b96b25a4c194762912b2ddee0e01a365f1afa1e82ea266c14ae94e47c90b5679e2cd00e63ee5a834505ca33463751bac22f3b87afc80099335dc7bfd12b7df224a23ced3d2e25b58a04c4b5cb089ca187abc54d782973c7bb157cc515c7508431ff5bdc227871da58b9ca8a9a576960f38edb384112b08e4c70672a6f23d17d9d901342e56c12370deaaafcb22810eb352f1a6d9377e96bdc1ad4dd397dbc6a227b70f204c1a4e9a4db2705763b82ec4df1fab11420aae547155c6b49abceeed997ff01b7d24e369c65f7edf18665d067c7d2bda5ec8623281fce8c77d893cb8a42053756713e910894a58ef5bf3d9f3a41071026660dd7cd05e1640767ec68f78e22c1716700ca9c0f076f90a65cffc394c10a32071c6532d07b59414181070d08c9c84e3d13842718d51bf90dd36ab1b3f708df7eeb3939dc8553787308983c3e9ba971e7d447788477a7140196c2f717b9ba4f5da92d73316dd11c1d1830b4200f26f733a6c65ec1cc21549b485e3a43dc7a2b68e95466a53544082a20d9a43387a7ccbfd353f7e590b7047f13bfc0d91923c2d75dad4f8091ea96502f98e83e5c30e52e4cd5c670f6c2248ce37cd6ee8b3970531fbf0c53c5fa9a0d73200442b755c91fa4f70524ffe8a36063b6709d3aa9f6b53eb0aaecc57a8c8c9a7ac5e57e03e9cfb290b67dd8222a245ff5439914147e2799fd1cd2ca2cb22fda299443b81e8024adc59d098058432fa4bde376b8e59075f6b86427b4ef6cd7c83b5c08add0c3d3543aee8d672c41cb287c1f0a17f1bc30f62a57490afb2d9f401bf302fd473ddbaf63f6883221579743d6aa1f386b8b2f5db06d7d6c36be81f29fafd14b82e863d744f116ce2be4921631f1fb2797289fffa9ee16a3e537ddfa52350546bc544459c0c9d66fdcbd41612cfc0e2744f50927983a3224291c1ae51608fbc00f40c60ec72573a7e128c3415b0d9a7db52de8ff763dd66e2eeb03ef2e67838c9e68cfddae4b86a3f34a69e0a473b5a73ab627282648df7912c11a4bf033ade185a8f438036b99b960aa6213c800abbbd751248a7ae600357ab888433125d49c5643705ecb8c86f2980050edd7e3c579ad6fcae9bbe2c8d8b38004426f35eadb543a3bef42355acb1b94c21d7eae7b6ed422ca0d58fa03b227b035628871465ed6509254c8a3bf43dfadbb247ecbc52d80d65e9c03c4bc7bc35a829502bde3868af9c33737cd88d70f7427790313eed4ed1938955c5dd360212ef700f274efcc8c26ea94c4e2e0937d475c5c4909edfb66714d15d12e153e5586725ce0c47e8a1506bb197366754ca8960508f22fe7b83a5eaa40f05f3cb87464dc6b848080c0e0cecf2dae82bfa42cc6f52694478dc3d00ab0e1ed696b98e26c7fd34d2efd969f83e284c28ce3f27b178f4691c772011f61722266153142dd0d526393e6c6848d201115b256e65f12b911a983bc2f96a5b4b99f63f0b58485a521553a3e1d4498ac5d4ee70c3f9",
+			},
+			domain: "quic.nginx.org",
+		},
+		{
+			input: []string{
+				"c00000000108e63b9140d034563d000044d066e1913892ec1d84c179dfa9596e0ce930171a134a09446a888d9e579a6f7bd77df6deda715b028d64f7866603c6deb468d60ecc6488b5e5ee2e2daa1840b76ead998023593c9ebc4178ec89cb198d3c79a867e27177a74ee5f3db74ea194e36e328047ffc3890192665a6feba09ba1e224967fa9575dc7b094e1c29c7f3be9961ba62e3e063f674a09786b7611138e1edaee32cd1d47839e840a74f25ed786463fc48bf3d38a4c793178ab7cbf5a3eb974415b9f9ef7861dfc73460594332f5545c7b7037043afdfc1aa62ac3dfb76ec2c6ae8ebd351f7483992c762d6483b3e2c1454c8ed939ce43f858ccca22d9149cc9da16af86a010be7f3248cf19fa442e94d625ec7f7144b01ac9afb8fb8c595d4cd12fcd2b2d9986371ae65f6f216bed152b79d2782d60f1f01e06b359f88900c4bb3f987f3ce336854a5beaaa616813af4e5f9bd82dca0af6886b544fff0261807bbd8cf90213299f5802b98edc27a6606be8e2bbc18fa7519eac260dcda139f164796a082908459c31aa964a5d3f6fed8944ad61bda126991468f3b7627f2470179619864f234a395ea3bd4f7ba4c0cdf9f5f0dd95d7d59476f2d2a36521c13886265a2fbbd4345e8d1d1e7b5d01a58fb11de23730b087e2b702200155a1ebd50db5751d279438822ac158173533140998a3056893bf470ac84720cb37a4a3205fa88267abc56520bcddacee06011d929c3a114314822d8ccf7cfef89f2fcf0a4fef800afbfca4a62ee848f22066f68c7d3c5c9a24402d422fc2fd5da6d3b470b0ea253f12a883705f7f78bd67006ade4f1c8a3e8fa052656b5b40dacd8062228871cc3bfb1a9c38472b0a720c3c750430edbcbdcecd46b144dfcaa009fee06770238d0270e80671e8ee5f5df18b86dfe8df2f121245c0710ccaefecbeda0ba3db945c768624dc38f21a4ac53741f4e58a5052f3d667fc466b69905f05d0843cfcb830163fae18dd1eb0ce62a59420db9c44958a0eca9ba4258c8060a9956343f155da6c55b2060427d07d9e311729d2971439c7541ae2babfce25a3f5f361fde86c39ef6c04e4e3cf7dd70c9cc0758ec5db3f0cb368e2447080af51c8a5fa6b84ec3175d2d3e6d877b6953e433b4e94b52e1a5f2a1ca37124c27e47f9de5d4c74644181cd37f3f3863ca529c0847bba91c246dadba94b4566b08eaa06a0db4d58b8cb0c8d3070533306a3089891b24a7c4e11b3aa50d5628fc1d136388e8bfbc420a6f12701333ccdc95dec25d09ce25fa4b654260965b91f05b1542c2ee02008d01de4419f14d6749c4bcfcc45a332ba0772def720ea3c8d207802418137b733e779eb406dace0b4b5f5e5e14c787f3e044e6d8160f90fc3c65bcc7f3449205b63294fbc11e9bb92c007d1cb59183eafbf76be9680224cb442806500d71870777d087bf864890848f4a79424c02304f2a6ee2b07f9257f4a2f185ee21239625e246cf680e74b85d292cca44261c6cee6da39bfac3882d28fe547a500f79519ffcd3f54ff5a905c99f22a5e8142c903c41adbe1eb9770b6cf554688529091b126ed2168a23bb191c2b89728e31773623bc58bcb9baebc2c664c79d6ffee7e4404e039723eb05e7f7835c87212431a0131603fcc3fe090cc2fda8239b8f42188b35f98d7fff949b3044544b3bb962ae236a664d76d0c751d9c9ed1271715d240f111febdf7045502f2afd7de8aaaac650511e7bc7716a5b6622ae925abb7",
+				"c90000000108e63b9140d034563d000044d00b2498988864d8b7f59a00d26165f5ae638fc9b1c12d546ffd86212ccd85f654259cb8b8c9d753c696ddad7ee4847bf3b3c10063606cf3972f75e17ae23e73b6a3029f23541f674256d19677665cdd0b8ac15c3f60984bc14ff5dc7a9ae37395516204f2020965713fccaf35cb0a5823085cd6211d681dc6b39be9db46cbfef154a2b9049ed202e9088961b0b710e94bd73259b0967e4d6b8cdfd5b72774fee2f2ceb16bcafa010f247c43b0a9ca25578e7d45bfda7edb82e91f8e1c0a2cfa990223bf97ece42862d3f329521fe2d12493b717f174f966d173102e5cca10943d5b612101d65d0dd48b44416f9ac1eac4575558ecaaa39c47ade2dee6e25fd219d799b499143b47a5bf449701b939c1dde111349cd0d63efd2ff74fbd3573ed40abfdb2310e2740da40fc50c7a137a3f32c3a26b3d407f80e669fe7f9a3542fdd412a9cb53f845d9c1af0814377bf92e30f05ee387fb8675807a6de083c85d3d7860601c8170923c53e5773ee388b68e510a28cd7009c485bd4cb861eddfdd265de042e5a018d20cb810614e2bb17b0f52d6bf620a6f173e0b41951e1b83ffb29e3b3b3c5d9fff13acd3b409021195201d003e281d8cda7b0f02c273e17b1f9b9e8cec4296d65a1c4923b78a2e4273cb42e4e159980472e440078e542eeddcc5a9bfefa5a72871fbcd9ebb74fef20a50215bf75cfd8572d5ab9ac5945e8d6ca35884caf0af0446ee9aab0a1cc3a452ec79c9de786119e63bb3a75fce0ae29c15a0c320fff87e87cc23a05e75b4f4b30b75c6aa036c4b6657f8200ea014185b31ee7fcd00d1eaf40973f347fae227f89d41794fa57ac1ed1efda3ba840ef27852cf33a9dc9e2d77b56af9ced9e75707837aa8c5395cdc15134ba132de87152ce53d506c53284dab912bbc276542504cc94afaca71a5173ff13ea6cb45b47dde9965428ba5d8eb968cc2a5729c2f9b8f1c1de208943a2cd565196e040dcc415d769ceb6300c7909d7e32bbbe83c4cbf4d49f6e34fe56b651838628f3a0001e99f39cafe45c98e455aff8d98f89942a862f7505b9f7fe3f64dacf8c574affacf91c2c05f094127acaa5187f9dfa188f67db421243a02e583942138c2edf45fec4c6b6a8a791da9055be247e9b252e9f7c1330e76f9cb3aa5feebb21f871315b5fb90a1df0b8056513b74daeb6ac995f85c64150ad115a14830d145e5f4e6638c26987b676a1dd19a9775df29ab442ce6143b0fbf8f8d4618084896e34812ed59d63041e2b4ccf6c959a6c849813dd926082bb7b1adedf69246547f335552bcdbae7e466ac31e07e442530ad114abebc6f58015b786e7f35644307fa7ad3d9248c56c8ff472735c6911da1843fe53821b8f5180f8844db4a9f7a826a919fd93c4db4d25861054929260dcdc46d085827c46d60f1097424a6ef250f5aaf3235c80230eda4eb580ce93e1ac8aac422a7aa1241562af601981b84b74949f1c476705c8030eb5d447b2414f9716ff3fd606cd750030b94345c016078bdcb97b7ebc24f661fbd08802f32df18d6a2aa85bfe2e9b8dc76b121c44ae9f29e4413051b527e99fde29720724337476c0eff325cb6220a290a9eb852151c84836729d6a223032e2c638857d9e7f469b84d7d650c45e56e763aee73f902e82b055425c4568725e2d4efd7fde8b02906bda48af86bf47ea27ff00f4528494b74be9bbff001cc841449a184a4e00d64e51a72660a2c21f704f",
+			},
+			domain: "chat.openai.com",
+		},
+		// Fragmented quic and 0-rtt packet sniff
+		{
+			input: []string{
+				"de0000000108c2751a596bd51c6e004041948ab7d9d493e9e1e9902a7734534fb9eaddc70ca7f821d1b58a406b23ba9db1d03266ae74765b03fac21c284fd50cb0a3d1ca71d8c3cabef5553dd1cb748ac662",
+				"c50000000108c2751a596bd51c6e000044d0538af4ba75e226a6fc7f43e7f1f59610973b8a6670bb8338ca7ef7d90f81aa59f179dae5f8f6dbd24ec6fe576b28f6ce6cd46f26de143b8c99cdadaecf2041948a61bd5a8591486e10022fd100aa20e6423b4f4ca5773edb1aba79b73d6150ee185e66da60e658b2a698098462122b6b80c7fbc5542b0b8e9532898c1f31aa2ef55cbdf036d74c3069abbb261660f048d950b00b7db279ec2bc39912102679ddbffb53f1b1921f137fce43e164af86c72908532f4cdc48eb462a9d9e9cdd6d3c3faaf8aa8aea312dcac5d6aa75b1ade4af6901576649da7e3efd4199b92107d7acee8bbf06734b2484957c3d8cbb1f3fc0ccd56c55223628ed8ea514ffd101bac370c97b28c7da81175ab0508c0002d458cf41f7159dfce22b447c1ec502c186b782c1854718b7fc0fc39e5c09aee31113fc4c5003803fc27ca48850c08a54dbbfdef6ea9a6a138cac0ecd045cfd5607cb6c99c39c0cb21778857f97416b78fa7c6ac8ae3fa2ef2adb3b85fe3fdba70ef9265bb3d54e56ec68b8887d54d02d4a571a6b793ae4df8ff171c881a554b5c5a7848351d446ab94c90ee9c600f03b785fee6300450a4ffc2a55d417952e15449a491296d463ac6942bce4ca93c99440396bc8984073ec028b11ad412e97e26f9248031dc4b1a6ae385803bb578fa1a3b3a58a8ef19c6c511f17b28a275e8c40e51fca8f410a4a1879b5d8749a44a6a9f97c0c9df25318cc28fd0cc61eea78ddc603a17e74eb542c8c08cdbaafa3b44566db4d67e8d1429332375cd30cdaead9594c46d8ce91bce9813c3ca23f55ec2f4dd3ff141471bc3df590367bc65e4830018ff7d845ec4987d11e471d114c48acd1ae9b7670341a34077ae59ea6c3bfc4675cf419d37db48a98a5573b69867039731f537098b46415a193f50b2c85bf9e5da45d6757c5c366e21f04ea62d64b81c28be5148d89e53535414067cf609e59686b7fd135f5cb473e57f6c82dbb291308a1065e0f755935d77517adecee55e72cf37ecaab1b5c0c6e0c7463a014e7e439757913f6e43abb6af775d21ab6e43cbdbcd1935a000cf8025ebc11378d86d6f72d51bf2dfe4be1db5d3b0fcacd13e1b9fbaac6e9153c3d1f4e876f2fa9c3cfc84fd0910b778105b66be70827b1830b7b3c9633af5d83ad527efd81498cbbdd112873cc5ced573e6579acfe817b62280c2122b582b591d52b96cac047bff91192a5cfc001d15c811e055dcb1c9710dc892258ed1ab5152af2cfc57a0b93205dd41fd82b86090b4281b1493a8828ebc96bbd603b888cbca4a15799a5f3eaef93655d5609948080ca57c696d0ffc9a07665bdb063b547bb5a862c3b058c9efb2e7b79cf405fd83efacaa4b8e3a1fd126270587119756562c03d69a9cb67550369030a0204e531cb8df91ab2dfa2e4106c590c59b1b13c447843937929a574d3ea1785db0d52b4b2eeefd1a07c69729bec7c2813c9eb1249f706b3cc14a3d489d6b42a641dfd9e91aa70c7d3222e154af2d7fc1a8f48e5ba11739ae128d1f32ff929aaf4b249df5ea23f7847301e36ffda02342cdf1bd9dfd1979cbd8de32eb8b1eb8c415ddd267efe53f54678d9fc32435b34b00ee2256d8b6190e30a280df5bc48cf9fd669a52469954deccb0f1da37371d513ea57f31ead22a34f9379c7931fd18286d9fde6ecfaac8ca2a9be79d688c5401c65407543c066532f6621f256551c4a98a86b543c576ed0f3254daa4915",
+				"cc0000000108c2751a596bd51c6e000044d07b624bf3d95fb3b7299b67dd836fbbbeb05a51650f9b2da3b2695070a0d19ab0d5334cc04de7ea7494fbe6c438f4e84fa56a3f246132468b5b4f1ba0fcc0251cf278338e15fdd715d5bfed18c1f98ca3cd3cc7b6f904aeeea2914a8b998dd3ae7df694c49c1742dccbf4c3472ddfe2e447959655459c11f18bddd9481eb597b887fb3f90a7d0f05224a144f87a5fdad502ea1e46c1c9f4b4154bafa4542c026296040228703bcd020202acceb772b596bf788341cceca864c8907037c39739e511b04e8ba956efa0fb5cb151ac90eb5817444f6488d593325ad4466058ba45214b965c5738f33d5591624584559ba18e89913b868619d498072e3aa1f333f5d6e3d1db88b28adf7d9350c3c383c1eda894f36bf1bb2a58c7a5e5c8b20597b71a099e46bbd3d8894877e43b0183919185b4e9f059472203979d3334c535fc4eaedebebc79bd1e423184765047a50e6dcc76ba2b23ad23511cae2edd2ad8e7f7f302226dbf6c0e4dbc8c08cda26340b9abfef1ef3333cd511295f14c87197d7890576b4076dd9686047854e67733599d96a99194aecf7b927cae2e5fa4568afc71e748dabd3bd71e6c3984f45b06a068a7c9c3a1ca7b5c245a9bb2cc7e2726e833e283430a25b6ccad55bc5b7644b44f99fedeff3c3bbf995a0387cf1e45a5684e5d1c01350d0cd2d615ffb6d1011d80ad16b75925efcbee483e4e2c0e2386e9e1b35b5a107ed97058adb60e323342989559856faeaafe5149bdcd60c113230f9923b2f654c95f986944a014198686f9c2275053c05080e3bf9fab7d46302948b152e2f2fb1ecbe71b412016b3f25ae512ad45cd096d5f284a0c2808b5eab03b4b9b2dff4d81bf234e75e30d480f39a5f9737563e31a19b14d1038296915af33e0ac0dc18e9c871e539e8772d525e5fa19afc582b1c00ae573af39fe293e16d182bbe57af5bee1c0939862ffb62e3d52a60aeb71e4db2a4a1708e75afa5f37d72cd6c0e036abcb4eb8db6515fbbdf98be95d0a6d261a9445797a8f38c3579a2f04c9f5b74dfd1ffaba2c6aa05959704b9b8cb0db30bcc360711c5afef0d1e7c2b076466dcaab104c70f3cc0cda33d7a47462c3fa3d7e34a99b2d8ff3fe5cafd27ede28b9e09b547cf955b97b0d0d4ec126957601c6982d176252be422df3366118895ca25fe27a96c9c234d484fe98634fb9e970e0d2b096f2ced5d56603505990a65363726c828aed2df0f112e0c44f058424ff5c25ae60aa2cb5fdfa289e8ebb63908365aa4e4609eae87e567f1e86d92c43992e6d505f55226fe3533f9fc9c9facff9dae02a3e3c97ca54191bebab93881c0e89b9de5bb4acd5c6fed5b1e7978803f693bfdbc125b4d08fd34fdc6aaf02444c4b06010b0eb2f15d86850a7aa5af05af438f6b7345fad4315f631bc5b017c7482e7af725a09844472f48e4de79b15284932a7e99a46ae72b187ee3faaa0f31a36726056e86eb706bc8eac04b68a3302307a157c91639f30bafc2d180670625673310a9a45a171063011e59c57c8eb67353a8ea344a87853e7b600c2b49a7a1b60a2904c0ea55951af6430667ecdfa6e90a8d2d0ed9857ba5b876cf78af190d5013d16208d2b30d02cf2c23e6ad1466f76c30d11034d5d2eca113e2764b2fb6298fc4940c16d971e28e3e6e5d0e8eea1ccb9b4b89741ed675861fc3680457ee08547f4efcf68bb6247313f8218ae3ec372e51ba8786ecae115dcff241e0",
+			},
+			domain: "fonts.gstatic.com",
+		},
+		// Test sniffer packet out of order
+		{
+			input: []string{
+				"c50000000108b4b6d5c8b9a19769004047007e07df0d887979774085206f2e7f0146b02a8699715a54fc71ef27ab5a9e8cfbf155497bed9e25934aa74db1b3b270112472b7bf7587423b3ab2aaf99de34cdc591bfe04cc0a448875483ec1f071622121a49c456dc3ce16bae5f61f84ceaef9e8b71db56479845b764507dd9416e8c44b8c93406a230945eb8e484471c1b6207c9afd944fa0fee555a5c966f27ccffb4bfed37fe3936f2c84e9852c0d46c7e2e94b897fcef18c4b0b83d966aef75c0af4240325a24668bc017e0d3f69680ea5b2f59bd0b964062bc40190be86aef3ed0716a18a67057f309faaf3a040222812142a399deb72ebb330d03d59961e2ca10cf78d40886dd094368a881db261068920968f6adf7a7b1266faf8842e71840a29859e877c66e3ebc47d7fe3ee586b6512d9b0e1bea82b302647706473e68dc8209f4e9ca19f1dd25fe386e62c21d9c741e75cb8b11606739ba3de6d6325ee3a9cd1bb2b9613746140ccdaaf936eefdaa1ca7ad73d684e5d82b1ba1dd3356ca0c881f6eee72c02c8b78d02a8217a8fd972e463c77374d0fcbb761459e3ab0bb5492e516d7d4304c19c16a4bed11ea7f4e75616a26a7c81b04ffa580cce04d59825b8ed929578f9219e64bdbc6352ae6e4150a993fc3cc27ce4d66c62893866b9053bb737ac40364094b53d91e8b325b9dab5f537af04f10bf8db644897b0b03b42b1bd6c3aedfe018a6e4f6533183649f4ef6a6300383430f86e802fb4e51976d056a3c40c3b53c847b8308cfbe54dc2d20b8cdc870c73f5fc22c376c35d9a85348ca6a2288ae03dda6b97f0f502f35219e19cff3a810143289cb1f0715f8785028f887bf02c656c9cc372bdc419290f05957ad3dee82b56db352db65aca58e6fa0bd2f753160dd9e7214968c0496be1ab49f978a9252e49266939fedf542760abd653dd38b1659bcf452c753cb89e8235bcf732afcff8f524331be9b6f4a5081c81255e68c358b3444fb1d57bf5659d86b6674544fe2826ca81ee52f93a17b3291826678e488c3074c259223845e4083a413af7fc93d9992823620a8d29d321438a760293e36c4232216207060dd3ee5c4036250ede71ca9cbe335a1e068eb3ff6c10a7f1c8204750d6d0f3145014949a7b4e88a723566ee5446f960a95d9f81cc45155443da561d85a3a311df8172a1c4eb118bf27ec4b3cc4573b1ab421d96d41cc1e5557797ca68f701fe75c474527144d30b9bb00a117637f88896b0b2dcb9bb29ba144ec384b5a085e82e7387e0560a4621423c306b041ad42e84928ce23bc2a7f995ef5c21616de43be8a1657847489b32c8e364846389e7c8cae99530c499f3662a2ae7090e54958ba940b5d3eaf1333ebcecc7f06f29f68ffd97defe65017519c29d355ecb0a4b47ab08dbad8cb0cc5c86de65dfa703110c60a0c55281925018fb4ef49fe5d0132dcc86602c2ab9921a8f3451480d3e931f01c2f9a81873435bb83860128aa78dcc950fb13e416d90ea969aa92763f9caefa0fe3ef4ea82e3af4a3e717fabcc589fe8cb9bfba6810ddf7def8c1445fc0048fb07be043a628e9c920bb72c04d3b9472caafc6c14bffb854a1ba2170dda919322a6d79eab92e3a88888a224093946b87840033fe41941f780f569eaf1fdac55e36b74514d72d09823d71f48f5d5f0ceb7b6d69c5da0e0408c1b13c265d4775db6a0f952ae72bd5c277b22c4be2f2728451ce31e921c856000d20da0489103bad6a6ab4",
+				"c60000000108b4b6d5c8b9a19769004047007e07df0d887979774085206f2e7f0146b02a8699715a54fc71ef27ab5a9e8cfbf155497bed9e25934aa74db1b3b270112472b7bf7587423b3ab2aaf99de34cdc591bfe04cc0a44884e9e716461869ca408431e1ba92740c598aa74e9cd45706f28942f9cc64dbfd7c292cd33e82b50ae0e2e08dc478c19886718cde33e56c38517f8834d64904bf4fb1d30650caedecb9567ea8ef50157c287a2741e98a00f8e7e19e76bbb0143ac7862a49393f17ec66aa0e2c02123ffb5abcc96ccf92cd542c8f571bd7a4382ff81432d11f83796959696c38f2029db6c6a536a9ea24b74c848b95882562d74739ac95f5a069d48e8756d1a9750c7ebc23d4ee22d617b29b415b7458b3bb8106c22de3a9ace9ec689e6e00471aa33e570f7481d15911d7cf46a429cee1a416558c5e78360795d905ff1e0c81d18fcf4954131fa5b9289ed2291e122cdffd666c66209aa2cab01730739249ce293b3ba3abb31683c108bdfd51f54593f47411077e948f01105bd9bfff1578d235674e96a8b9cfdde119edaa960b84e70fd681312514151de1d5939c79abdfe4953e22be5ad3e6e242d0ce9b3f2e589ce3c768f610d4d3a32e33225d8a5ce2ad74a9b40859cdd9ea99f14fa2a7018e4b6aa6e46a0d73d46d161ec5d3b30bd55078e23987865551a605a33472931428ce222040d20c07d1ebe970e576d9d54ae688a3fe9388adda3da4d011a7cbb604f1f19d2ef1be7ef4713bfa84d4d69ffa606a08b61a1ebb99aacc4e19d0c5034642da1ce2d7d5abecc8adbbc6d7f72ff2da4ce5228ff8626509b38e17b31717c0b7821558b021ba81502d54da7e778d4526367109333383e7c67d5d5bde86bd4001fa13a703ff9259e1c2268ca8f4ed2e6c022a7466e2178bc725f59792803ba28c629e3df7696c416dc294b510920077b2d2b258fdc3506c36c42d37796c8fdb20ba797ee68fdc410325a355f6c1189aa9fc9ee220d42186677e3955cd3c844ce505cd601f04201cc390e923db2ea6407fa2fb4ca7f3f82d0a82d52697ff5ba5d4633bb0d655d7ee3348b89c9cb42870cdfe7c0c162babab4208a9a54700c5785d4134e9e33361480e3512ac8b556e11775536e90ee1270a4cb4d6bf2faa72d7e1f23ceb4fc3aded0e423b6be6a55bc25e5a99163b4f5f72ec4a24fe96f68c739d1848c92c4236a5a637d19871456b8dae671ea6ae5c16ed4fc257612a0821e6dc1cbe2ef4963a1436925dcc4e6ce528fa75e41f7721b379fae8ca09e6fb51d0c3e3ae6c19b98860ab9f74013146c6d375656dd1f530abfa64670a510390e9a54bb9a4ad19977491377c8cd743597bc156ee3f58cfcafa5a547b20852749e66fa8838c100ebde039ea25c8ec32b0c6325b793797546a095e79b9388d8e67dc6b4b3892f93ecd13e64ba4b2ad26fc810fedc374b831921531344c581927da9ba822bd625584d98c7582759ae40f01e14277a0a13d30c2c12536df698330d8aa6a3613a42c493c42692b468b4a2cc6bb6dd45684ee6115848110bf517074efd93bf212c071013f4359f140cfed17bbe10328f2026cb8ada16427122d3fc8a933119a1e3e4cfe2b95cbc73af5044cb099cf34247228972495488ebaa4696280d17665c421be5f1727c5d5b013d8aac0e9943bbbb7fbc2162a4000a306dffe3bc4425cf272f1ebb63c8e4998f867fa6b05d71a8642e29392244d4e2e2351bc149d665efe1b9519cb1b15005393f938d",
+			},
+			domain: "ogads-pa.clients6.google.com",
+		},
+		{
+			input: []string{
+				"cf0000000108277148f2b916666000404700403986db57eaa4b165be8ab9c95452bddb922eb35b7610a8e664f6b4620d870507c241290ce885c36d7672c51d94063bf893e01bc79e1d81bf023338da3d22f63bc7aa433f9944884c88b10f198e849dddbc1e9f9bac61f98f67f27d5452da6e2bda1f5210a145b1f1416ad2fc15e60aa00444362630650bcd0ee47999b689a40100dcacf40a4c3d74fa6293d4a5cb0487d8c76787c04dd2b47ec7718df5a2dc6942069062617b3d40a95360802957419433436c9065bda5a6156291d909a079b6d3819941368d7e17a2e97e36be829bb421b44545af47e37d7815ee1f200ca28ffd361d955ebe0484fb234a7e8a7c68ad824fd14d517fa7b35f878beebaf3dd22bd9f7a39cb7e0fd8369cdd28c05a06323be7af0b2d69ed2a2f4ea9f25d000de71bf5bd6765a20ddf81d976cff2321f1a4584ad6c4b7e9a42a6d4aa3a02b59f7d994a8e4a3070a4646e51fdf354448420ebfd0aa9118d010d019cc168f2fe5a9ff0c42e6091676be11f28a372ea97d008a1a02efd58149106cfdec7ef86f5416c4b1a408d8efba6c8d4742d781374ff0a1a8ac183bffa1345dc8e3a7cce04f66cc865f434decb912dc9e8e811eb59b80d3e39d5788639ae7c5ede73a935edb47d907725656be0522195bd2c099b0241f36664fad1543e4ae43862252662707fb424a8f5f9486b8e3779ac24bac457671ad664475d1fc9eb1de3c46f624b559742b3477953552e44f20cc1725a11ab915423fdce7cfbc8dafebc0c43d1ac3d3373ca2f0210924433c46e5fcface47a65579efaa1999d52b2632f69c33c3c63537c01be68fb679f9229f8f68c5caaa23dc4c61d3c45dee90affed984dbbfb06b2659447400b4dcbf6e574719e8d49fe0dacea9509182a42f6463138d8693a3b8d797d3bb6b0b02648829d666341373939ac41a57e90fdc2469623b6e2d772199d7c806d5998f439603c0de8413f9d29f79323ec5410b409ab8c95547ab50bb921fe0c407b7aaaf663389bdea5ba56c023dc4622d6dd9cacd8f318a6a0297d041cc6ed455d906be50dc85a25ecb32f4a565432fec9f359833be1c6a6b7b4bd119d3c4b29932eeec8d140dd467ab4d969bd23e9d2a95b92835587f32428f957b6785b8206a4834e00a3013e0b6a5855f16207268bbdf311572c54d2e6ff9c659cd02c258f494c3b168ea170c69138b63e0dde487b72576e87657befa44548b0b4e1e5a837dbbe66a559cd1df8f2151ba513930243fd2b7705bd29b183dff966224d87ffabb74017d634ab2e4b368052504a7f6bc1c62d39a29dc2dcfba683bee2039e376ff391abbd13a0b89512fd8f6a4e66051dfa04e0e1a3cb4bd56a9b17e27651873bf2ed50f65cf1cc608afaf06fe7e6238347adb66f01d1f0b9b51f0078615553cb8ff8d6786b87e19dbc44000025693c4b34cfd695601a680efdc1e7465a981b0f028cbd3dbb938789f240e39223290e34ec303ff5c78a4a637ac04dad60d744f82e96c3c9e8ed6cb0248ac73b5b3a92007edfc1277c3cc6fa1d0045c1c371820f06bedaf046dd999665cc4745ddf8934084ae02e9238acae6dea330b5798e046138f5b15011875eae72d6eb6689e56e0ac5c5d9e25dc4fc1874cf37265e68ce5b8630b84ad8dab7704474f0bfd08ac295b3a508284fb6ff201f0aee6388d0e1d5cdaaf4c20429874792109f5b8e2f3eae6c397e46a510ed829a6746e523481465f64be4e145c83d6fa6951229d3",
+				"c90000000108277148f2b916666000404700403986db57eaa4b165be8ab9c95452bddb922eb35b7610a8e664f6b4620d870507c241290ce885c36d7672c51d94063bf893e01bc79e1d81bf023338da3d22f63bc7aa433f994488828e6082edd53e228164d8862067483762ea9523c90d565b9e4b185b7805eaf8220664264e82a95164ab6cab4fb3f5e795e246e7205aca236b3c94dde0ff4fa66ce0924d654829d59c3eb690470b20c5011c739102257e9c2247dee67c0b98190d0015154d31041aadb026b8d3a828c861a15dccdab0cec8cc99b8d6c2acddbb93ab66253e87ac39016507dba42e8fa9f5d22c7f27645a02361842a59ebb2eafefd0f3b92bd9692a96b93875defcfe2796243be8861c59ce5ab03f1d65d308ae456cb9656da1f01026ef0807cc9930021b29d69b36881c3e7d70fc68799ca81922008db93c9ca4a365ee191e214d9829481fd430194ad4583a0ab2e920c25244d7d64662872b3b69ab413ccf0dfb6bf2ea9a9b93e04ed19f8a0e146613ca9d511179f80aeab40d573590d38a7c10840e3f8b9ac1bd23b0826aecabf6d1cdb2aef02deb982c2029dd6d8bc21da6c262c8116b7b383ce8c9eec69da3e16c044dd96ae08a98595d128e89dd55e6dc8eb08b8d51327278027137f60a0e1b42878f98ca898587474f6d509c3a58ff4dd7f8b10905c200cf3170bdec725ee14a1ac8ebd1022509d3e499f5e72168eac43264d7246daa0bfc81a216ca97730b7e043cad8d8a9af5c443a5d15e9a88d82b6750c740eecfd63561712a185c69532b1a18b23513d7cf871f14d164ec544f22b6a8cc77d6fae5fc6e47eb64f08617098d229da78a378d6a0864684a7978f650c7922c907f97b0ebf2be29cc834ffe995c9636b310f4a8c2c5623c3b7b533518193d226923f111da1a0e8055b9053ad7f7504d194fbc3ae2b41cef30aa099624d5e229ffb56d5883a5a09163d22455cac52e37ee0ed5367b7c3bbcd4818a46b9b363b592c53c780eeae2c8b80a1d60d296614c998a9774f76453a58bc55d1c26bb10dc321c159858d7ba2f7855ba01aadf3585632c097e5471591dcc24d87e9b76509c10e2710310e4869de710ce0f484d326be751f8e9f765a685312423f1801aefb28dfe0c8f286432356d06857101a67a432497c5849111db2792fa0ee4ffff49a9124c152bcff82da1951258f989681e4f1338357f2c9f82333f6051b188f640bf200a0a75be1d35d2301e8d3813f7ba1926a28a0df05c21413cc0c4090c1e4ba4877dca8e129876c72ab3a801b4093320f5f685120680541d97889eea5dfcaf07a7ecb00c0ba0ae193969a4cddcbd753609a5304ea88783358ab0ae005c6af27bb58b2c4282186461ea50540845e2e2a2f4efced88c8ab9cd9fb4a226a265714c77ce7b79d1a40bd00b24cbba498dafde6bbad91686cf2e13e75669234bc342218887ba910ac81680122ddd36466e7e8a983d5a0fc18a6e9a386762c32132be08abe5554e334ec7d88734cfad9a378553b71222c55f6aa114392e015dfa2bb6cb4ad241c6bca82fdd0a00eb8d6b4afac61268130dea2807a97e4c0adc0e2be39abccbe64dca5c480e09c4bebb8b598e4f60afb0e92dce710859013b1ffa9c78fbf380160f31b1e72340dea86d353ff0e95884b72e2c2c10f6eff5f36c588ee845b7bc97c3b6bec4aa879dd0eb56b838b7bc2ec6e66a5b5517908197a67566dce7df421a8daedc98848c70d1d2c39b2f3538e6f17800bee3d3",
+				"df0000000108277148f2b916666000403a52317841946860def0d7829c06fec03ffe8b97f84e10116fafd93d1d2d39bbfda0d148778c21bb1e1667eb789b1ff70c2e3d557ed9c31570d20d",
+				"d00000000108277148f2b91666600044cd5e860e3fa7ac4769ec75d9b7d20f19e69265939a42afd3c4248a7f5210358a044f42869567e72a05642e96ddffa67bf24ec2d966d860c6accdee01d6917c8c43d4d089d8bb63ff848b617c13fbeefafcbb049ab0822a9ca7716c95af84d019b755b145dfe43c218555d1a7e047deda7d8db352a386b2b6d03f2e7f4510f47ff4ab199348dfa81c86bea5d09d7c7af4ef3f04e99fe4e6c21d53c4335407e27913129152033f17580f97d0345c8487a7ad329dc5c97b298ec7b80fee7813f1d6f94945a44ff662a69453c2dc7ac5e8a1cb90400e63818632d7f9654f140a61280df183b3d9f9b824e53d82f2c14ea3de89befdc79b84a4a3eb659a41db25622add94f2ad4b0d5977f1091aae0a4b83c7b41bca61c6c8d807ef02a8ce6240b76d442559a8b338b39418d27e99aff38840fc79a20995af65b3bbe1e3177074079a47578c51655a4016363364fd2c108d384e602deebd022da3c814549cd57d73c5bfc20e279045e2ad436fbd7e7c9e1985f0ec2f422e310e7aa8cfc48e637f9ac61d06d6482cb40b4376ff3c7abff3c3c26634689ae16d704bab1343d6413fc7b6c076eb0454eda2e0d1e077db40c922ebba6b0b1fa814e3ba76d8d6c4289abbd655f0cf5968eb2aba7131680b44da8910056a76647a6dfea95f27364a7ce694b8fbe19ebcb2a47e7350d33a36f7f5ca67af5e934f449125f4aae870a5b23b4370680ee02b194784d5d188ecdf58ae5454221406bde0ddd3e50d3363a564d6ca9fe0fb57d4df8716cb430cf553be573aa690e5645075ec74edd38cf23215bd50bcda0639dfbbe08dd6c476249e35da819ea6ccef808911b0eef6efaa4947244472795bc071d7154ed87e4a43575b3d61a551fcfccfb7ca3edaee9324f33f54dc9809747e59e24e79f256e8e72f01b8647f71c4b9dc260715fd9d83d3dbd9e124c432c04b3398e74efa3869fe129e368c15b6ca234a243fcac675adcc1db247e3f8485ac4a78f4a1ce2db3b437a1960b02f0c227901d165dcc05abdb3929a80dff2eaf72816185d4af4e28eea05430b736ddd2962e03ec64fa48649dd610e0e221c48f781b45cd9963c176126110e662369874e6a55f28039a23484c5c53714fc2d2030b48f1c895102ca9ad8acae1ec4eb0ae8d8bde31cd74fc515930078d22ad07dc3c7221ddbc4027c746207fa038b31080714091459c9a66ba4f5912d8d3905d3a9a47e4d8829a8110c96c0c9c81291c7985073808814109364df15b04520dc07e8d67cafcda71f0ca59423df5fadae92417a8661b3cdbbf6b1059780fb8b43eb4dcdacf731bb8db26294f978f6be7506b87d17a95367cdb83000565a4986e66dd60d0851f9b593d68790f8097434f62ea7a7396017c3c84754845d3a97f028cf8697d929a2826451653ccf84aba4d2f40fa530b258c13f08c6523c3c02d9669fd46b6a51f20ad323857d767150e3530a66bf88976dbadf99aeea549254c07e11e14085979b60f3b7e1728a4a2d7a35b0377c6501ae7d1d4bba338fb51a17ca8f7e698bd70cd01e8f30edf3e83591a2eb0038811e347bfcfab159b0d1ff6153e0f9ee4c129cfb7687e30b82eed74130c466eee06506dde50805b58c2acccd4cf4b2cc86c52fa2af602a8a7064eb9d90e1c568373b19e43ef4e7c1e4e1c9a58ccedf80a02a46ed64e68e72d4e75c7436e2bc0ba59f95a00456e5680af9e6cf4bf3a6d302ddaf8847cfd5ea606797",
+				"d30000000108277148f2b91666600043d24b66b2531ed9f9c13b07b2654186b0410a608592fdf728479734933197ec06a1cde860f36b3170fb2a9c85c62a7867ba6520dcb2d0ab2f6a484d9ebf8237d7a6f3c1fb16c1e0458ccf20e6d1b298a7530cea42636166027d92812915e76fbcc436a5e414147672dd7b0d19ff24513800e63cd86984f1c93ef1430bb848d37830eed61675d7c9999b92c6e5796d384554c74dd5a163de341ab309d6b0cb028aa08e56d79c60980d4a49a1c095456ca119fc3f04e496c93a084d017f60c6e031d6e9ad2e4fa699bb4b0c92fdcb44131129db0d30ce9efb740d3db0339127d9bdd1d4f677b1cb532a33647851ba9bb20bd8d6aa593271a85c3a9dc9835065663e61faa8dc6af209a0caf183d0fda3d4839d40edd5659dd053778642db8fba21f1f793e45c5c517e68bbef8543e3a727743c7bf87d047d441d13226b9021fac56904872774cf6768dc91db8ea489a244500e9e527acdc0088437357acf9397b014e66fef2db1248f9c6a578af07d7a02b1356fee02e27b8207e57633fa7bfd87ccd382e368c14b946aea780fcbe696d6e4fa3aa589184e104177db2fc3d91d4af120d9da3bdad021d003796b8261b590d8113f995dc1db4fac1c62cb68370d41cc87c982815017ae2143d5a469b742d019e5556d813877fec9d021cb37f80e5987d9f743c2b39093a34f6654164a8185a5caefbbef8ea17f62f6801a3fd89fae333c878cec9b25d10dfee2abca65d7c909ad2e4f11736d13b1642df4c5a0761f8f29f35f37def9ed327f4a9d8e53269fa6c7cedd0f4fd67d6cde81934e291d9fca695cc9745890cb54503e29e09f4a30f80e2f574bbbeedb7d20481c583d8362d22b2dbec09494095a043cdae283e86f905d8807f7b7c0f06ce968487bbca1e20b87245b68f24537a7c7e768c838f1bf26650afdabec2c0bb9736b345473f279c9b73ecf0d2c4aea49330ecfef0949ef7cb81861b05950ec0772db856365b136ba75d5509c01d7a970c84ebc77d8d5c3ceae1ef5f3079afc7d78965ffa3bc4c64ef1b4718ffb488a571528c83b615c43022616bb4c494c838b556df5ede711a688b0315c1ce6e2892247df582b7c3f2b06cac0bd8d670e2b581f074750596ba162189060b8af3dfc650ba3b45932edc4f94f08741d3072bfd1ef8159b27a7f3673a4fc504304c12116e3c2d7636c663c9fa1b2f5571be88769f33ccb94a09abd9c5a7dc8a8c2031bb2bc256b84aeb68a9abf7673151cec41b48bdd74f395a46acf30dae43e060e596bb2e739274210701ee9bb6cc3ff81ace751e375a01f17b3c5cc5f1234c488d69611bb27f6e3ee17e3c3843ebe4a280d6aa8ef017058a872810a437f85331adb3cb8d382650897b1b1589ee6",
+				"dd0000000108277148f2b9166660004053972df1beb451f73eb070e33ed63f681eb9b7e1e03f20baff3f54157598c7dd90a0de49850a3ccd6eb1b1cfc9dc6d3ba9ed1c0a19c69bf433da300d3cecc4ef151c44a721d680e3e3aaaf3eefec23091c5fde22",
+				"c90000000108277148f2b916666000404700403986db57eaa4b165be8ab9c95452bddb922eb35b7610a8e664f6b4620d870507c241290ce885c36d7672c51d94063bf893e01bc79e1d81bf023338da3d22f63bc7aa433f99448825ee873013b006b2a6c87c7581c7117bfeb4ec3d68405a68d9488f6d58474dd16539677e869812ead055e70d655a660062e17083995c0dbecd565c79800b11c8ca0c351ecffa61e707d62d443b3810bc60d4ef87aa99b979ff55ee1ea46b65436c15534e5315113138aed6daa9f04d3050d77a7e379c83b948d3797177c1793e59b2555423bd52595d93e293ea8ffa3c428c6dbba4e202d76933caf6a5609b0a4aa6cf4fd2aadb6505382381ef2d5b33efc43eba24c84b7805baf2ddab44a50180e5e6f2a31f9ea8089aef562d3b578a799d61befec99c016fadec3363f68a1be4ca1e13e8bdd2809a1dacc41134663e22f21978167c5ee8ef49652ae152fc6c1bcf52109cd3076cdd599cb43261941de7aed148d7d3e956cd615549a9647496f43f998daad4c841cc40ce1501fbfc152b957c94be558f6743061e312d746137db2ae6a44e181587dbf6b0d9508cef4aefd99ea5d3369898bd4c3df5e95ac89eaaba54019ffe0402b8f567c91b9371e80c621c67d3c831331acc063892bbd8a81cfc0498e78474b11e8c05dd8f540c449505342ae95f6281940aae973db35b8e31ff801f6bc8975f592538881ae9cc4cedcbdb39a784a9fe962a1f12be51c11b91d4dedf649bb5672dec8e03db97b0d69fce36edfbecb6836644bad1ab8e6d4e13644d9c3476db0e8a8eb4b5a5c32f7a5604c8e19700c53602839478531579cb4c4bb5cc969cf482f325dd837629318baf128920d9978e23296d7016e6c05c954f95881b4f9f7e43bcea393951e91af0e4a671400dc435bd2a1616c60618df2476d0ece060dbbda11e751e256956a0dbcd7e4a8d6d85a3319f22a2c5f26dad50e82f70f3dd91feff19c775aa60499a3b7daa57e344c07c3787e99d53303488801d2b17cdbfdee61ea3fc473f6c146f06eb60d70594a59e0ed79cee6ca4a5f78b037637ddab69fb8522c0f7bf37aa7f59cc7fa659e759db69966455944975cd22a1a1355f35a589a4978c8f3272e1c4f6793288a00ab879299aa6ad02d966e3dc67cee0c808b1a046458cff9bdac25a4071eb10038a6389a0ef7233003641bd4ee1efad0e9b2f693396a89ca0db3c05b6abfed3b246eb1b23a6b77e8b486f26d9c3dde9dd6f3637a8115940ed2ca762ca6320609f61c37ffc9c3f2f7a0f27edc9891c2eeac49ba258a0d09c35c4fe1dc52d4d9319aa9b1a271a5d8d2d3a75fef4d59fb04679ba526aecbd19d73f72fee537630444326e2543ce564c669bf378499738385dda9ac63521a1b91f580d0737a7326009f0ff0dcb05aa8b86222c934d9ddb4628e30b6e12ae370154ab39c605431b4c40683592afcfd6fccf35df9fe5850442595d24be3d9f4298bf3d541f09e7e71f552c88eed9642df46953622d5aea05b5060325304ec81c0447ac95b90f9da4359e3286938f06aea3d45030cb836be15b1c65e3edf44cbcfe2f01ef8d7209c69d7c81334c866ebee50e418a28336cea1982069b4df090eab81303761d1af337e083f1e0ad1440a02ef1eefb03506c39d2377807e335ee64bdb76527f786223cee5233299eda9fcb1d38f19c34480f790a328b0735f80908e3aa70086df828d56b6c79516f71a24c9d94f60335f86e9d29c0c5d3872b",
+				"dd0000000108277148f2b916666000406672db10ab41db38c01f7021709bac4d1659d872623eb5852b12b494535d13779a88d37e9685da572f6b2de35793a519a457493456ac4ee242933cf92d783f783656899c31832274bf1c26d24720d9d8ecfec598e19c58a478d2991dfc1cda3000f7bd7bd17e80",
+				"d60000000108277148f2b916666000404ed98b1b4ac35c0c0ef18c88adf08a6701ccb0876ea75aac8c128349936fa3cb6728e4e58de8673dd7dc8457b092957f26bc8194233bb81c7e78127844f9b833f196dc46c5cb4064c773f3c6e0bc73",
+			},
+			domain: "www.google.com",
+		},
 	}
-	q, err := NewQuicSniffer(SnifferConfig{})
-	assert.NoError(t, err)
 
 	for _, test := range cases {
-		pkt, err := hex.DecodeString(test.input)
+		data, err := testQuicSniffer(test.input, true)
 		assert.NoError(t, err)
-		oriPkt := bytes.Clone(pkt)
+		assert.Equal(t, test.domain, data)
-		domain, err := q.SniffData(pkt)
+
+		data, err = testQuicSniffer(test.input, false)
 		assert.NoError(t, err)
-		assert.Equal(t, test.domain, domain)
+		assert.Equal(t, test.domain, data)
-		assert.Equal(t, oriPkt, pkt) // ensure input data not changed
 	}
 }