chore: update dependencies

v3.19.0 optimized CPU consumption.

Tested: https://github.com/enfein/mieru/actions/runs/17014543289

.github/release/.fpm_systemd

@@ -0,0 +1,18 @@
+-s dir
+--name mihomo
+--category net
+--license GPL-3.0-or-later
+--description "The universal proxy platform."
+--url "https://wiki.metacubex.one/"
+--maintainer "MetaCubeX <none@example.com>"
+--deb-field "Bug: https://github.com/MetaCubeX/mihomo/issues"
+--no-deb-generate-changes
+--config-files /etc/mihomo/config.yaml
+
+.github/release/config.yaml=/etc/mihomo/config.yaml
+
+.github/release/mihomo.service=/usr/lib/systemd/system/mihomo.service
+.github/release/mihomo@.service=/usr/lib/systemd/system/mihomo@.service
+
+
+LICENSE=/usr/share/licenses/mihomo/LICENSE

.github/release/config.yaml

@@ -0,0 +1,15 @@
+mixed-port: 7890
+
+dns:
+  enable: true
+  ipv6: true
+  enhanced-mode: fake-ip
+  fake-ip-filter:
+    - "*"
+    - "+.lan"
+    - "+.local"
+  nameserver:
+    - system
+
+rules:
+  - MATCH,DIRECT

.github/workflows/build.yml

@@ -29,36 +29,50 @@ jobs:
     strategy:
       matrix:
         jobs:
-          - { goos: darwin, goarch: arm64, output: arm64 }
-          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible }
+          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible } # old style file name will be removed in next released
           - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64 }
+          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-v1 }
+          - { goos: darwin, goarch: amd64, goamd64: v2, output: amd64-v2 }
+          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-v3 }
+          - { goos: darwin, goarch: arm64, output: arm64 }
 
-          - { goos: linux, goarch: '386', output: '386' }
-          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible, test: test }
-          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64 }
-          - { goos: linux, goarch: arm64, output: arm64 }
+          - { goos: linux, goarch: '386', go386: sse2, output: '386', debian: i386, rpm: i386}
+          - { goos: linux, goarch: '386', go386: softfloat, output: '386-softfloat' }
+          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible} # old style file name will be removed in next released
+          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64, debian: amd64, rpm: x86_64, pacman: x86_64}
+          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-v1, debian: amd64, rpm: x86_64, pacman: x86_64, test: test }
+          - { goos: linux, goarch: amd64, goamd64: v2, output: amd64-v2, debian: amd64, rpm: x86_64, pacman: x86_64}
+          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-v3, debian: amd64, rpm: x86_64, pacman: x86_64}
+          - { goos: linux, goarch: arm64, output: arm64, debian: arm64, rpm: aarch64, pacman: aarch64}  
           - { goos: linux, goarch: arm, goarm: '5', output: armv5 }
-          - { goos: linux, goarch: arm, goarm: '6', output: armv6 }
-          - { goos: linux, goarch: arm, goarm: '7', output: armv7 }
+          - { goos: linux, goarch: arm, goarm: '6', output: armv6, debian: armel, rpm: armv6hl} 
+          - { goos: linux, goarch: arm, goarm: '7', output: armv7, debian: armhf, rpm: armv7hl, pacman: armv7hl}
           - { goos: linux, goarch: mips, gomips: hardfloat, output: mips-hardfloat }
           - { goos: linux, goarch: mips, gomips: softfloat, output: mips-softfloat }
           - { goos: linux, goarch: mipsle, gomips: hardfloat, output: mipsle-hardfloat }
           - { goos: linux, goarch: mipsle, gomips: softfloat, output: mipsle-softfloat }
           - { goos: linux, goarch: mips64, output: mips64 }
-          - { goos: linux, goarch: mips64le, output: mips64le }
-          - { goos: linux, goarch: loong64, output: loong64-abi1, abi: '1' }
-          - { goos: linux, goarch: loong64, output: loong64-abi2, abi: '2' }
-          - { goos: linux, goarch: riscv64, output: riscv64 }
-          - { goos: linux, goarch: s390x, output: s390x }
+          - { goos: linux, goarch: mips64le, output: mips64le, debian: mips64el, rpm: mips64el }
+          - { goos: linux, goarch: loong64, output: loong64-abi1, abi: '1', debian: loongarch64, rpm: loongarch64 }
+          - { goos: linux, goarch: loong64, output: loong64-abi2, abi: '2', debian: loong64, rpm: loong64 }
+          - { goos: linux, goarch: riscv64, output: riscv64, debian: riscv64, rpm: riscv64 }
+          - { goos: linux, goarch: s390x, output: s390x, debian: s390x, rpm: s390x }
+          - { goos: linux, goarch: ppc64le, output: ppc64le, debian: ppc64el, rpm: ppc64le }
 
           - { goos: windows, goarch: '386', output: '386' }
-          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible } # old style file name will be removed in next released
           - { goos: windows, goarch: amd64, goamd64: v3, output: amd64 }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-v1 }
+          - { goos: windows, goarch: amd64, goamd64: v2, output: amd64-v2 }
+          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-v3 }
           - { goos: windows, goarch: arm64, output: arm64 }
 
           - { goos: freebsd, goarch: '386', output: '386' }
-          - { goos: freebsd, goarch: amd64, goamd64: v1, output: amd64-compatible }
+          - { goos: freebsd, goarch: amd64, goamd64: v1, output: amd64-compatible } # old style file name will be removed in next released
           - { goos: freebsd, goarch: amd64, goamd64: v3, output: amd64 }
+          - { goos: freebsd, goarch: amd64, goamd64: v1, output: amd64-v1 }
+          - { goos: freebsd, goarch: amd64, goamd64: v2, output: amd64-v2 }
+          - { goos: freebsd, goarch: amd64, goamd64: v3, output: amd64-v3 }
           - { goos: freebsd, goarch: arm64, output: arm64 }
 
           - { goos: android, goarch: '386', ndk: i686-linux-android34, output: '386' }
@@ -66,49 +80,70 @@ jobs:
           - { goos: android, goarch: arm, ndk: armv7a-linux-androideabi34, output: armv7 }
           - { goos: android, goarch: arm64, ndk: aarch64-linux-android34, output: arm64-v8 }
 
+          # Go 1.24 with special patch can work on Windows 7
+          # https://github.com/MetaCubeX/go/commits/release-branch.go1.24/
+          - { goos: windows, goarch: '386', output: '386-go124', goversion: '1.24' }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-v1-go124, goversion: '1.24' }
+          - { goos: windows, goarch: amd64, goamd64: v2, output: amd64-v2-go124, goversion: '1.24' }
+          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-v3-go124, goversion: '1.24' }
+
           # Go 1.23 with special patch can work on Windows 7
           # https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
           - { goos: windows, goarch: '386', output: '386-go123', goversion: '1.23' }
-          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go123, goversion: '1.23' }
-          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go123, goversion: '1.23' }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-v1-go123, goversion: '1.23' }
+          - { goos: windows, goarch: amd64, goamd64: v2, output: amd64-v2-go123, goversion: '1.23' }
+          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-v3-go123, goversion: '1.23' }
 
           # Go 1.22 with special patch can work on Windows 7
           # https://github.com/MetaCubeX/go/commits/release-branch.go1.22/
           - { goos: windows, goarch: '386', output: '386-go122', goversion: '1.22' }
-          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go122, goversion: '1.22' }
-          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go122, goversion: '1.22' }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-v1-go122, goversion: '1.22' }
+          - { goos: windows, goarch: amd64, goamd64: v2, output: amd64-v2-go122, goversion: '1.22' }
+          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-v3-go122, goversion: '1.22' }
 
           # Go 1.21 can revert commit `9e4385` to work on Windows 7
           # https://github.com/golang/go/issues/64622#issuecomment-1847475161
           # (OR we can just use golang1.21.4 which unneeded any patch)
           - { goos: windows, goarch: '386', output: '386-go121', goversion: '1.21' }
-          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go121, goversion: '1.21' }
-          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go121, goversion: '1.21' }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-v1-go121, goversion: '1.21' }
+          - { goos: windows, goarch: amd64, goamd64: v2, output: amd64-v2-go121, goversion: '1.21' }
+          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-v3-go121, goversion: '1.21' }
 
           # Go 1.20 is the last release that will run on any release of Windows 7, 8, Server 2008 and Server 2012. Go 1.21 will require at least Windows 10 or Server 2016.
           - { goos: windows, goarch: '386', output: '386-go120', goversion: '1.20' }
-          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20' }
-          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go120, goversion: '1.20' }
+          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-v1-go120, goversion: '1.20' }
+          - { goos: windows, goarch: amd64, goamd64: v2, output: amd64-v2-go120, goversion: '1.20' }
+          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-v3-go120, goversion: '1.20' }
+
+          # Go 1.24 is the last release that will run on macOS 11 Big Sur. Go 1.25 will require macOS 12 Monterey or later.
+          - { goos: darwin, goarch: arm64, output: arm64-go124, goversion: '1.24' }
+          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-v1-go124, goversion: '1.24' }
+          - { goos: darwin, goarch: amd64, goamd64: v2, output: amd64-v2-go124, goversion: '1.24' }
+          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-v3-go124, goversion: '1.24' }
 
           # Go 1.22 is the last release that will run on macOS 10.15 Catalina. Go 1.23 will require macOS 11 Big Sur or later.
           - { goos: darwin, goarch: arm64, output: arm64-go122, goversion: '1.22' }
-          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible-go122, goversion: '1.22' }
-          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-go122, goversion: '1.22' }
+          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-v1-go122, goversion: '1.22' }
+          - { goos: darwin, goarch: amd64, goamd64: v2, output: amd64-v2-go122, goversion: '1.22' }
+          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-v3-go122, goversion: '1.22' }
 
           # Go 1.20 is the last release that will run on macOS 10.13 High Sierra or 10.14 Mojave. Go 1.21 will require macOS 10.15 Catalina or later.
           - { goos: darwin, goarch: arm64, output: arm64-go120, goversion: '1.20' }
-          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20' }
-          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-go120, goversion: '1.20' }
+          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-v1-go120, goversion: '1.20' }
+          - { goos: darwin, goarch: amd64, goamd64: v2, output: amd64-v2-go120, goversion: '1.20' }
+          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-v3-go120, goversion: '1.20' }
 
           # Go 1.23 is the last release that requires Linux kernel version 2.6.32 or later. Go 1.24 will require Linux kernel version 3.2 or later.
           - { goos: linux, goarch: '386', output: '386-go123', goversion: '1.23' }
-          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible-go123, goversion: '1.23', test: test }
-          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-go123, goversion: '1.23' }
+          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-v1-go123, goversion: '1.23', test: test }
+          - { goos: linux, goarch: amd64, goamd64: v2, output: amd64-v2-go123, goversion: '1.23' }
+          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-v3-go123, goversion: '1.23' }
 
           # only for test
           - { goos: linux, goarch: '386', output: '386-go120', goversion: '1.20' }
-          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20', test: test }
-          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-go120, goversion: '1.20' }
+          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-v1-go120, goversion: '1.20', test: test }
+          - { goos: linux, goarch: amd64, goamd64: v2, output: amd64-v2-go120, goversion: '1.20' }
+          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-v3-go120, goversion: '1.20' }
 
     steps:
     - uses: actions/checkout@v4
@@ -117,7 +152,7 @@ jobs:
       if: ${{ matrix.jobs.goversion == '' && matrix.jobs.abi != '1' }}
       uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.25'
 
     - name: Set up Go
       if: ${{ matrix.jobs.goversion != '' && matrix.jobs.abi != '1' }}
@@ -125,13 +160,32 @@ jobs:
       with:
         go-version: ${{ matrix.jobs.goversion }}
 
-    - name: Set up Go1.23 loongarch abi1
+    - name: Set up Go1.24 loongarch abi1
       if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '1' }}
       run: |
-        wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.23.0/go1.23.0.linux-amd64-abi1.tar.gz
-        sudo tar zxf go1.23.0.linux-amd64-abi1.tar.gz -C /usr/local
+        wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.24.0/go1.24.0.linux-amd64-abi1.tar.gz
+        sudo tar zxf go1.24.0.linux-amd64-abi1.tar.gz -C /usr/local
         echo "/usr/local/go/bin" >> $GITHUB_PATH
 
+      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
+      # this patch file only works on golang1.25.x
+      # that means after golang1.26 release it must be changed
+      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
+      # revert:
+      # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
+      # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
+      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
+      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
+    - name: Revert Golang1.25 commit for Windows7/8
+      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }}
+      run: |
+        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
+        cd $(go env GOROOT)
+        curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
+        curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
+        curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
+        curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
+
       # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
       # this patch file only works on golang1.24.x
       # that means after golang1.25 release it must be changed
@@ -142,8 +196,9 @@ jobs:
       # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
       # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
     - name: Revert Golang1.24 commit for Windows7/8
-      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }}
+      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.24' }}
       run: |
+        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
         cd $(go env GOROOT)
         curl https://github.com/MetaCubeX/go/commit/2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8.diff | patch --verbose -p 1
         curl https://github.com/MetaCubeX/go/commit/7b1fd7d39c6be0185fbe1d929578ab372ac5c632.diff | patch --verbose -p 1
@@ -162,6 +217,7 @@ jobs:
     - name: Revert Golang1.23 commit for Windows7/8
       if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.23' }}
       run: |
+        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
         cd $(go env GOROOT)
         curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
         curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
@@ -180,6 +236,7 @@ jobs:
     - name: Revert Golang1.22 commit for Windows7/8
       if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.22' }}
       run: |
+        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
         cd $(go env GOROOT)
         curl https://github.com/MetaCubeX/go/commit/9779155f18b6556a034f7bb79fb7fb2aad1e26a9.diff | patch --verbose -p 1
         curl https://github.com/MetaCubeX/go/commit/ef0606261340e608017860b423ffae5c1ce78239.diff | patch --verbose -p 1
@@ -190,21 +247,22 @@ jobs:
     - name: Revert Golang1.21 commit for Windows7/8
       if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.21' }}
       run: |
+        alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
         cd $(go env GOROOT)
         curl https://github.com/golang/go/commit/9e43850a3298a9b8b1162ba0033d4c53f8637571.diff | patch --verbose -R -p 1
 
     - name: Set variables
-      if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.version != '' }}
-      run: echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-      shell: bash
-
-    - name: Set variables
-      if: ${{ github.event_name != 'workflow_dispatch' && github.ref_name == 'Alpha' }}
-      run: echo "VERSION=alpha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
-      shell: bash
-
-    - name: Set Time Variable
       run: |
+        VERSION="${GITHUB_REF_NAME,,}-$(git rev-parse --short HEAD)"
+        VERSION="${VERSION//\//-}"
+        PackageVersion="$(curl -s "https://api.github.com/repos/MetaCubeX/mihomo/releases/latest" | jq -r '.tag_name' | sed 's/v//g' | awk -F '.' '{$NF = $NF + 1; print}' OFS='.').${VERSION/-/.}"
+        if [ -n "${{ github.event.inputs.version }}" ]; then
+          VERSION=${{ github.event.inputs.version }}
+          PackageVersion="${VERSION#v}"
+        fi
+        echo "VERSION=${VERSION}" >> $GITHUB_ENV
+        echo "PackageVersion=${PackageVersion}" >> $GITHUB_ENV
+      
         echo "BUILDTIME=$(date)" >> $GITHUB_ENV
         echo "CGO_ENABLED=0" >> $GITHUB_ENV
         echo "BUILDTAG=-extldflags --static" >> $GITHUB_ENV
@@ -215,7 +273,7 @@ jobs:
       uses: nttld/setup-ndk@v1
       id: setup-ndk
       with:
-        ndk-version: r28-beta1
+        ndk-version: r29-beta1
 
     - name: Set NDK path
       if: ${{ matrix.jobs.goos == 'android' }}
@@ -233,7 +291,7 @@ jobs:
 
     - name: Update CA
       run: |
-        sudo apt-get install ca-certificates
+        sudo apt-get update && sudo apt-get install ca-certificates
         sudo update-ca-certificates
         cp -f /etc/ssl/certs/ca-certificates.crt component/ca/ca-certificates.crt
 
@@ -242,6 +300,7 @@ jobs:
         GOOS: ${{matrix.jobs.goos}}
         GOARCH: ${{matrix.jobs.goarch}}
         GOAMD64: ${{matrix.jobs.goamd64}}
+        GO386: ${{matrix.jobs.go386}}
         GOARM: ${{matrix.jobs.goarm}}
         GOMIPS: ${{matrix.jobs.gomips}}
       run: |
@@ -256,79 +315,51 @@ jobs:
           rm mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}
         fi
 
-    - name: Create DEB package
-      if: ${{ matrix.jobs.goos == 'linux' && !contains(matrix.jobs.goarch, 'mips') }}
+    - name: Package DEB
+      if: matrix.jobs.debian != ''
       run: |
-        sudo apt-get install dpkg
-        if [ "${{matrix.jobs.abi}}" = "1" ]; then
-          ARCH=loongarch64
-        elif [ "${{matrix.jobs.goarm}}" = "7" ]; then
-          ARCH=armhf
-        elif [ "${{matrix.jobs.goarch}}" = "arm" ]; then
-          ARCH=armel
-        else
-          ARCH=${{matrix.jobs.goarch}}
-        fi
-        PackageVersion=$(curl -s "https://api.github.com/repos/MetaCubeX/mihomo/releases/latest" | grep -o '"tag_name": "[^"]*' | grep -o '[^"]*$' | sed 's/v//g' )
-        if [ $(git branch | awk -F ' ' '{print $2}') = "Alpha" ]; then
-          PackageVersion="$(echo "${PackageVersion}" | awk -F '.' '{$NF = $NF + 1; print}' OFS='.')-${VERSION}"
-        fi
+        set -xeuo pipefail
+        sudo gem install fpm
+        cp .github/release/.fpm_systemd .fpm
 
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/DEBIAN
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/bin
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/share/licenses/mihomo
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/mihomo
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/lib/systemd/system
+        fpm -t deb \
+          -v "${PackageVersion}" \
+          -p "mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.deb" \
+          --architecture ${{ matrix.jobs.debian }} \
+          mihomo=/usr/bin/mihomo
 
-        cp mihomo mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/bin/
-        cp LICENSE mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/share/licenses/mihomo/
-        cp .github/{mihomo.service,mihomo@.service} mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/lib/systemd/system/
-
-        cat > mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/mihomo/config.yaml <<EOF
-        mixed-port: 7890
-        EOF
-
-        cat > mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/DEBIAN/conffiles <<EOF
-        /etc/mihomo/config.yaml
-        EOF
-
-        cat > mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/DEBIAN/control <<EOF
-        Package: mihomo
-        Version: ${PackageVersion}
-        Section:
-        Priority: extra
-        Architecture: ${ARCH}
-        Maintainer: MetaCubeX <none@example.com>
-        Homepage: https://wiki.metacubex.one/
-        Description: The universal proxy platform.
-        EOF
-
-        dpkg-deb -Z gzip --build mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}
-
-    - name: Convert DEB to RPM
-      if: ${{ matrix.jobs.goos == 'linux' && !contains(matrix.jobs.goarch, 'mips') }}
+    - name: Package RPM
+      if: matrix.jobs.rpm != ''
       run: |
-        sudo apt-get install -y alien
-        alien --to-rpm --scripts mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.deb
-        mv mihomo*.rpm mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.rpm
+        set -xeuo pipefail
+        sudo gem install fpm
+        cp .github/release/.fpm_systemd .fpm
 
-    # - name: Convert DEB to PKG
-    #   if: ${{ matrix.jobs.goos == 'linux' && !contains(matrix.jobs.goarch, 'mips') && !contains(matrix.jobs.goarch, 'loong64') }}
-    #   run: |
-    #     docker pull archlinux
-    #     docker run --rm -v ./:/mnt archlinux bash -c "
-    #       pacman -Syu pkgfile base-devel --noconfirm
-    #       curl -L https://github.com/helixarch/debtap/raw/master/debtap > /usr/bin/debtap
-    #       chmod 755 /usr/bin/debtap
-    #       debtap -u 
-    #       debtap -Q /mnt/mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.deb
-    #     "
-    #     mv mihomo*.pkg.tar.zst mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.pkg.tar.zst
+        fpm -t rpm \
+          -v "${PackageVersion}" \
+          -p "mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.rpm" \
+          --architecture ${{ matrix.jobs.rpm }} \
+          mihomo=/usr/bin/mihomo
+
+    - name: Package Pacman
+      if: matrix.jobs.pacman != ''
+      run: |
+        set -xeuo pipefail
+        sudo gem install fpm
+        sudo apt-get update && sudo apt-get install -y libarchive-tools
+        cp .github/release/.fpm_systemd .fpm
+
+        fpm -t pacman \
+          -v "${PackageVersion}" \
+          -p "mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.pkg.tar.zst" \
+          --architecture ${{ matrix.jobs.pacman }} \
+          mihomo=/usr/bin/mihomo
 
     - name: Save version
       run: |
         echo ${VERSION} > version.txt
       shell: bash
+
     - name: Archive production artifacts
       uses: actions/upload-artifact@v4
       with:
@@ -337,6 +368,7 @@ jobs:
           mihomo*.gz
           mihomo*.deb
           mihomo*.rpm
+          mihomo*.pkg.tar.zst
           mihomo*.zip
           version.txt
           checksums.txt

.github/workflows/test.yml

@@ -24,6 +24,7 @@ jobs:
           - 'ubuntu-24.04-arm' # arm64 linux
           - 'macos-13' # amd64 macos
         go-version:
+          - '1.25'
           - '1.24'
           - '1.23'
           - '1.22'
@@ -47,6 +48,25 @@ jobs:
         with:
           go-version: ${{ matrix.go-version }}
 
+      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
+      # this patch file only works on golang1.25.x
+      # that means after golang1.26 release it must be changed
+      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
+      # revert:
+      # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
+      # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
+      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
+      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
+      - name: Revert Golang1.25 commit for Windows7/8
+        if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.25' }}
+        run: |
+          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
+          cd $(go env GOROOT)
+          curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
+          curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
+          curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
+          curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
+
       # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
       # this patch file only works on golang1.24.x
       # that means after golang1.25 release it must be changed
@@ -59,6 +79,7 @@ jobs:
       - name: Revert Golang1.24 commit for Windows7/8
         if: ${{ runner.os == 'Windows' && matrix.go-version == '1.24' }}
         run: |
+          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
           cd $(go env GOROOT)
           curl https://github.com/MetaCubeX/go/commit/2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8.diff | patch --verbose -p 1
           curl https://github.com/MetaCubeX/go/commit/7b1fd7d39c6be0185fbe1d929578ab372ac5c632.diff | patch --verbose -p 1
@@ -77,6 +98,7 @@ jobs:
       - name: Revert Golang1.23 commit for Windows7/8
         if: ${{ runner.os == 'Windows' && matrix.go-version == '1.23' }}
         run: |
+          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
           cd $(go env GOROOT)
           curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
           curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
@@ -95,6 +117,7 @@ jobs:
       - name: Revert Golang1.22 commit for Windows7/8
         if: ${{ runner.os == 'Windows' && matrix.go-version == '1.22' }}
         run: |
+          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
           cd $(go env GOROOT)
           curl https://github.com/MetaCubeX/go/commit/9779155f18b6556a034f7bb79fb7fb2aad1e26a9.diff | patch --verbose -p 1
           curl https://github.com/MetaCubeX/go/commit/ef0606261340e608017860b423ffae5c1ce78239.diff | patch --verbose -p 1
@@ -105,6 +128,7 @@ jobs:
       - name: Revert Golang1.21 commit for Windows7/8
         if: ${{ runner.os == 'Windows' && matrix.go-version == '1.21' }}
         run: |
+          alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
           cd $(go env GOROOT)
           curl https://github.com/golang/go/commit/9e43850a3298a9b8b1162ba0033d4c53f8637571.diff | patch --verbose -R -p 1
 

.github/workflows/trigger-cmfa-update.yml

@@ -10,9 +10,6 @@ on:
       - Alpha
     tags:
       - "v*"
-  pull_request_target:
-    branches:
-      - Alpha
       
 jobs:
   # Send "core-updated" to MetaCubeX/ClashMetaForAndroid to trigger update-dependencies

Makefile

@@ -17,11 +17,19 @@ GOBUILD=CGO_ENABLED=0 go build -tags with_gvisor -trimpath -ldflags '-X "github.
 		-w -s -buildid='
 
 PLATFORM_LIST = \
+	darwin-386 \
 	darwin-amd64-compatible \
 	darwin-amd64 \
+	darwin-amd64-v1 \
+	darwin-amd64-v2 \
+	darwin-amd64-v3 \
 	darwin-arm64 \
+	linux-386 \
 	linux-amd64-compatible \
 	linux-amd64 \
+	linux-amd64-v1 \
+	linux-amd64-v2 \
+	linux-amd64-v3 \
 	linux-armv5 \
 	linux-armv6 \
 	linux-armv7 \
@@ -43,37 +51,61 @@ WINDOWS_ARCH_LIST = \
 	windows-386 \
 	windows-amd64-compatible \
 	windows-amd64 \
+	windows-amd64-v1 \
+	windows-amd64-v2 \
+	windows-amd64-v3 \
 	windows-arm64 \
     windows-arm32v7
 
-all:linux-amd64 linux-arm64\
-	darwin-amd64 darwin-arm64\
- 	windows-amd64 windows-arm64\
+all:linux-amd64-v3 linux-arm64\
+	darwin-amd64-v3 darwin-arm64\
+ 	windows-amd64-v3 windows-arm64\
 
 
-darwin-all: darwin-amd64 darwin-arm64
+darwin-all: darwin-amd64-v3 darwin-arm64
 
 docker:
 	GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 
-darwin-amd64:
-	GOARCH=amd64 GOOS=darwin GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+darwin-386:
+	GOARCH=386 GOOS=darwin $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 
 darwin-amd64-compatible:
 	GOARCH=amd64 GOOS=darwin GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 
+darwin-amd64:
+	GOARCH=amd64 GOOS=darwin GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
+darwin-amd64-v1:
+	GOARCH=amd64 GOOS=darwin GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
+darwin-amd64-v2:
+	GOARCH=amd64 GOOS=darwin GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
+darwin-amd64-v3:
+	GOARCH=amd64 GOOS=darwin GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
 darwin-arm64:
 	GOARCH=arm64 GOOS=darwin $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 
 linux-386:
 	GOARCH=386 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 
+linux-amd64-compatible:
+	GOARCH=amd64 GOOS=linux GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
 linux-amd64:
 	GOARCH=amd64 GOOS=linux GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 
-linux-amd64-compatible:
+linux-amd64-v1:
 	GOARCH=amd64 GOOS=linux GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 
+linux-amd64-v2:
+	GOARCH=amd64 GOOS=linux GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
+linux-amd64-v3:
+	GOARCH=amd64 GOOS=linux GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
 linux-arm64:
 	GOARCH=arm64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 
@@ -125,12 +157,21 @@ freebsd-arm64:
 windows-386:
 	GOARCH=386 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 
+windows-amd64-compatible:
+	GOARCH=amd64 GOOS=windows GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
+
 windows-amd64:
 	GOARCH=amd64 GOOS=windows GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 
-windows-amd64-compatible:
+windows-amd64-v1:
 	GOARCH=amd64 GOOS=windows GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 
+windows-amd64-v2:
+	GOARCH=amd64 GOOS=windows GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
+
+windows-amd64-v3:
+	GOARCH=amd64 GOOS=windows GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
+
 windows-arm64:
 	GOARCH=arm64 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 

adapter/adapter.go

@@ -7,20 +7,17 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"net/netip"
 	"net/url"
-	"strconv"
 	"strings"
 	"time"
 
 	"github.com/metacubex/mihomo/common/atomic"
 	"github.com/metacubex/mihomo/common/queue"
 	"github.com/metacubex/mihomo/common/utils"
+	"github.com/metacubex/mihomo/common/xsync"
 	"github.com/metacubex/mihomo/component/ca"
-	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
-	"github.com/puzpuzpuz/xsync/v3"
 )
 
 var UnifiedDelay = atomic.NewBool(false)
@@ -38,7 +35,7 @@ type Proxy struct {
 	C.ProxyAdapter
 	alive   atomic.Bool
 	history *queue.Queue[C.DelayHistory]
-	extra   *xsync.MapOf[string, *internalProxyState]
+	extra   xsync.Map[string, *internalProxyState]
 }
 
 // Adapter implements C.Proxy
@@ -63,8 +60,8 @@ func (p *Proxy) Dial(metadata *C.Metadata) (C.Conn, error) {
 }
 
 // DialContext implements C.ProxyAdapter
-func (p *Proxy) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	conn, err := p.ProxyAdapter.DialContext(ctx, metadata, opts...)
+func (p *Proxy) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
+	conn, err := p.ProxyAdapter.DialContext(ctx, metadata)
 	return conn, err
 }
 
@@ -76,8 +73,8 @@ func (p *Proxy) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (p *Proxy) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	pc, err := p.ProxyAdapter.ListenPacketContext(ctx, metadata, opts...)
+func (p *Proxy) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
+	pc, err := p.ProxyAdapter.ListenPacketContext(ctx, metadata)
 	return pc, err
 }
 
@@ -296,7 +293,7 @@ func NewProxy(adapter C.ProxyAdapter) *Proxy {
 		ProxyAdapter: adapter,
 		history:      queue.New[C.DelayHistory](defaultHistoriesNum),
 		alive:        atomic.NewBool(true),
-		extra:        xsync.NewMapOf[string, *internalProxyState]()}
+	}
 }
 
 func urlToMetadata(rawURL string) (addr C.Metadata, err error) {
@@ -317,15 +314,7 @@ func urlToMetadata(rawURL string) (addr C.Metadata, err error) {
 			return
 		}
 	}
-	uintPort, err := strconv.ParseUint(port, 10, 16)
-	if err != nil {
-		return
-	}
 
-	addr = C.Metadata{
-		Host:    u.Hostname(),
-		DstIP:   netip.Addr{},
-		DstPort: uint16(uintPort),
-	}
+	err = addr.SetRemoteAddress(net.JoinHostPort(u.Hostname(), port))
 	return
 }

adapter/inbound/util.go

@@ -4,7 +4,6 @@ import (
 	"net"
 	"net/http"
 	"net/netip"
-	"strconv"
 	"strings"
 
 	C "github.com/metacubex/mihomo/constant"
@@ -41,23 +40,8 @@ func parseHTTPAddr(request *http.Request) *C.Metadata {
 	// trim FQDN (#737)
 	host = strings.TrimRight(host, ".")
 
-	var uint16Port uint16
-	if port, err := strconv.ParseUint(port, 10, 16); err == nil {
-		uint16Port = uint16(port)
-	}
-
-	metadata := &C.Metadata{
-		NetWork: C.TCP,
-		Host:    host,
-		DstIP:   netip.Addr{},
-		DstPort: uint16Port,
-	}
-
-	ip, err := netip.ParseAddr(host)
-	if err == nil {
-		metadata.DstIP = ip
-	}
-
+	metadata := &C.Metadata{}
+	_ = metadata.SetRemoteAddress(net.JoinHostPort(host, port))
 	return metadata
 }
 

adapter/outbound/anytls.go

@@ -2,7 +2,6 @@ package outbound
 
 import (
 	"context"
-	"errors"
 	"net"
 	"strconv"
 	"time"
@@ -10,13 +9,12 @@ import (
 	CN "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
-	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/anytls"
 	"github.com/metacubex/mihomo/transport/vmess"
 
-	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/common/uot"
+	M "github.com/metacubex/sing/common/metadata"
+	"github.com/metacubex/sing/common/uot"
 )
 
 type AnyTLS struct {
@@ -28,24 +26,23 @@ type AnyTLS struct {
 
 type AnyTLSOption struct {
 	BasicOption
-	Name                     string   `proxy:"name"`
-	Server                   string   `proxy:"server"`
-	Port                     int      `proxy:"port"`
-	Password                 string   `proxy:"password"`
-	ALPN                     []string `proxy:"alpn,omitempty"`
-	SNI                      string   `proxy:"sni,omitempty"`
-	ClientFingerprint        string   `proxy:"client-fingerprint,omitempty"`
-	SkipCertVerify           bool     `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint              string   `proxy:"fingerprint,omitempty"`
-	UDP                      bool     `proxy:"udp,omitempty"`
-	IdleSessionCheckInterval int      `proxy:"idle-session-check-interval,omitempty"`
-	IdleSessionTimeout       int      `proxy:"idle-session-timeout,omitempty"`
-	MinIdleSession           int      `proxy:"min-idle-session,omitempty"`
+	Name                     string     `proxy:"name"`
+	Server                   string     `proxy:"server"`
+	Port                     int        `proxy:"port"`
+	Password                 string     `proxy:"password"`
+	ALPN                     []string   `proxy:"alpn,omitempty"`
+	SNI                      string     `proxy:"sni,omitempty"`
+	ECHOpts                  ECHOptions `proxy:"ech-opts,omitempty"`
+	ClientFingerprint        string     `proxy:"client-fingerprint,omitempty"`
+	SkipCertVerify           bool       `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint              string     `proxy:"fingerprint,omitempty"`
+	UDP                      bool       `proxy:"udp,omitempty"`
+	IdleSessionCheckInterval int        `proxy:"idle-session-check-interval,omitempty"`
+	IdleSessionTimeout       int        `proxy:"idle-session-timeout,omitempty"`
+	MinIdleSession           int        `proxy:"min-idle-session,omitempty"`
 }
 
-func (t *AnyTLS) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	options := t.Base.DialOptions(opts...)
-	t.dialer.SetDialer(dialer.NewDialer(options...))
+func (t *AnyTLS) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	c, err := t.client.CreateProxy(ctx, M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 	if err != nil {
 		return nil, err
@@ -53,23 +50,18 @@ func (t *AnyTLS) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 	return NewConn(c, t), nil
 }
 
-func (t *AnyTLS) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (t *AnyTLS) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if err = t.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
+	}
+
 	// create tcp
-	options := t.Base.DialOptions(opts...)
-	t.dialer.SetDialer(dialer.NewDialer(options...))
 	c, err := t.client.CreateProxy(ctx, uot.RequestDestination(2))
 	if err != nil {
 		return nil, err
 	}
 
 	// create uot on tcp
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(ctx, metadata.Host)
-		if err != nil {
-			return nil, errors.New("can't resolve ip")
-		}
-		metadata.DstIP = ip
-	}
 	destination := M.SocksaddrFromNet(metadata.UDPAddr())
 	return newPacketConn(CN.NewThreadSafePacketConn(uot.NewLazyConn(c, uot.Request{Destination: destination})), t), nil
 }
@@ -93,29 +85,6 @@ func (t *AnyTLS) Close() error {
 
 func NewAnyTLS(option AnyTLSOption) (*AnyTLS, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
-
-	singDialer := proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer())
-
-	tOption := anytls.ClientConfig{
-		Password:                 option.Password,
-		Server:                   M.ParseSocksaddrHostPort(option.Server, uint16(option.Port)),
-		Dialer:                   singDialer,
-		IdleSessionCheckInterval: time.Duration(option.IdleSessionCheckInterval) * time.Second,
-		IdleSessionTimeout:       time.Duration(option.IdleSessionTimeout) * time.Second,
-		MinIdleSession:           option.MinIdleSession,
-	}
-	tlsConfig := &vmess.TLSConfig{
-		Host:              option.SNI,
-		SkipCertVerify:    option.SkipCertVerify,
-		NextProtos:        option.ALPN,
-		FingerPrint:       option.Fingerprint,
-		ClientFingerprint: option.ClientFingerprint,
-	}
-	if tlsConfig.Host == "" {
-		tlsConfig.Host = option.Server
-	}
-	tOption.TLSConfig = tlsConfig
-
 	outbound := &AnyTLS{
 		Base: &Base{
 			name:   option.Name,
@@ -128,10 +97,39 @@ func NewAnyTLS(option AnyTLSOption) (*AnyTLS, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		client: anytls.NewClient(context.TODO(), tOption),
 		option: &option,
-		dialer: singDialer,
 	}
 
+	singDialer := proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer(outbound.DialOptions()...))
+	outbound.dialer = singDialer
+
+	tOption := anytls.ClientConfig{
+		Password:                 option.Password,
+		Server:                   M.ParseSocksaddrHostPort(option.Server, uint16(option.Port)),
+		Dialer:                   singDialer,
+		IdleSessionCheckInterval: time.Duration(option.IdleSessionCheckInterval) * time.Second,
+		IdleSessionTimeout:       time.Duration(option.IdleSessionTimeout) * time.Second,
+		MinIdleSession:           option.MinIdleSession,
+	}
+	echConfig, err := option.ECHOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+	tlsConfig := &vmess.TLSConfig{
+		Host:              option.SNI,
+		SkipCertVerify:    option.SkipCertVerify,
+		NextProtos:        option.ALPN,
+		FingerPrint:       option.Fingerprint,
+		ClientFingerprint: option.ClientFingerprint,
+		ECH:               echConfig,
+	}
+	if tlsConfig.Host == "" {
+		tlsConfig.Host = option.Server
+	}
+	tOption.TLSConfig = tlsConfig
+
+	client := anytls.NewClient(context.TODO(), tOption)
+	outbound.client = client
+
 	return outbound, nil
 }

adapter/outbound/base.go

@@ -3,22 +3,24 @@ package outbound
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"net"
 	"runtime"
-	"strings"
 	"sync"
 	"syscall"
 
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/dialer"
+	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 )
 
 type ProxyAdapter interface {
 	C.ProxyAdapter
-	DialOptions(opts ...dialer.Option) []dialer.Option
+	DialOptions() []dialer.Option
+	ResolveUDP(ctx context.Context, metadata *C.Metadata) error
 }
 
 type Base struct {
@@ -59,7 +61,7 @@ func (b *Base) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Me
 	return c, C.ErrNotSupport
 }
 
-func (b *Base) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (b *Base) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	return nil, C.ErrNotSupport
 }
 
@@ -69,7 +71,7 @@ func (b *Base) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metad
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (b *Base) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (b *Base) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	return nil, C.ErrNotSupport
 }
 
@@ -128,7 +130,7 @@ func (b *Base) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
 }
 
 // DialOptions return []dialer.Option from struct
-func (b *Base) DialOptions(opts ...dialer.Option) []dialer.Option {
+func (b *Base) DialOptions() (opts []dialer.Option) {
 	if b.iface != "" {
 		opts = append(opts, dialer.WithInterface(b.iface))
 	}
@@ -160,6 +162,17 @@ func (b *Base) DialOptions(opts ...dialer.Option) []dialer.Option {
 	return opts
 }
 
+func (b *Base) ResolveUDP(ctx context.Context, metadata *C.Metadata) error {
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(ctx, metadata.Host)
+		if err != nil {
+			return fmt.Errorf("can't resolve ip: %w", err)
+		}
+		metadata.DstIP = ip
+	}
+	return nil
+}
+
 func (b *Base) Close() error {
 	return nil
 }
@@ -167,8 +180,8 @@ func (b *Base) Close() error {
 type BasicOption struct {
 	TFO         bool   `proxy:"tfo,omitempty"`
 	MPTCP       bool   `proxy:"mptcp,omitempty"`
-	Interface   string `proxy:"interface-name,omitempty" group:"interface-name,omitempty"`
-	RoutingMark int    `proxy:"routing-mark,omitempty" group:"routing-mark,omitempty"`
+	Interface   string `proxy:"interface-name,omitempty"`
+	RoutingMark int    `proxy:"routing-mark,omitempty"`
 	IPVersion   string `proxy:"ip-version,omitempty"`
 	DialerProxy string `proxy:"dialer-proxy,omitempty"` // don't apply this option into groups, but can set a group name in a proxy
 }
@@ -203,12 +216,21 @@ func NewBase(opt BaseOption) *Base {
 
 type conn struct {
 	N.ExtendedConn
-	chain                   C.Chain
-	actualRemoteDestination string
+	chain       C.Chain
+	adapterAddr string
 }
 
 func (c *conn) RemoteDestination() string {
-	return c.actualRemoteDestination
+	if remoteAddr := c.RemoteAddr(); remoteAddr != nil {
+		m := C.Metadata{}
+		if err := m.SetRemoteAddr(remoteAddr); err == nil {
+			if m.Valid() {
+				return m.String()
+			}
+		}
+	}
+	host, _, _ := net.SplitHostPort(c.adapterAddr)
+	return host
 }
 
 // Chains implements C.Connection
@@ -241,19 +263,25 @@ func NewConn(c net.Conn, a C.ProxyAdapter) C.Conn {
 	if _, ok := c.(syscall.Conn); !ok { // exclusion system conn like *net.TCPConn
 		c = N.NewDeadlineConn(c) // most conn from outbound can't handle readDeadline correctly
 	}
-	return &conn{N.NewExtendedConn(c), []string{a.Name()}, parseRemoteDestination(a.Addr())}
+	return &conn{N.NewExtendedConn(c), []string{a.Name()}, a.Addr()}
 }
 
 type packetConn struct {
 	N.EnhancePacketConn
-	chain                   C.Chain
-	adapterName             string
-	connID                  string
-	actualRemoteDestination string
+	chain       C.Chain
+	adapterName string
+	connID      string
+	adapterAddr string
+	resolveUDP  func(ctx context.Context, metadata *C.Metadata) error
+}
+
+func (c *packetConn) ResolveUDP(ctx context.Context, metadata *C.Metadata) error {
+	return c.resolveUDP(ctx, metadata)
 }
 
 func (c *packetConn) RemoteDestination() string {
-	return c.actualRemoteDestination
+	host, _, _ := net.SplitHostPort(c.adapterAddr)
+	return host
 }
 
 // Chains implements C.Connection
@@ -287,24 +315,12 @@ func (c *packetConn) AddRef(ref any) {
 	c.EnhancePacketConn = N.NewRefPacketConn(c.EnhancePacketConn, ref) // add ref for autoCloseProxyAdapter
 }
 
-func newPacketConn(pc net.PacketConn, a C.ProxyAdapter) C.PacketConn {
+func newPacketConn(pc net.PacketConn, a ProxyAdapter) C.PacketConn {
 	epc := N.NewEnhancePacketConn(pc)
 	if _, ok := pc.(syscall.Conn); !ok { // exclusion system conn like *net.UDPConn
 		epc = N.NewDeadlineEnhancePacketConn(epc) // most conn from outbound can't handle readDeadline correctly
 	}
-	return &packetConn{epc, []string{a.Name()}, a.Name(), utils.NewUUIDV4().String(), parseRemoteDestination(a.Addr())}
-}
-
-func parseRemoteDestination(addr string) string {
-	if dst, _, err := net.SplitHostPort(addr); err == nil {
-		return dst
-	} else {
-		if addrError, ok := err.(*net.AddrError); ok && strings.Contains(addrError.Err, "missing port") {
-			return dst
-		} else {
-			return ""
-		}
-	}
+	return &packetConn{epc, []string{a.Name()}, a.Name(), utils.NewUUIDV4().String(), a.Addr(), a.ResolveUDP}
 }
 
 type AddRef interface {
@@ -317,8 +333,8 @@ type autoCloseProxyAdapter struct {
 	closeErr  error
 }
 
-func (p *autoCloseProxyAdapter) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	c, err := p.ProxyAdapter.DialContext(ctx, metadata, opts...)
+func (p *autoCloseProxyAdapter) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
+	c, err := p.ProxyAdapter.DialContext(ctx, metadata)
 	if err != nil {
 		return nil, err
 	}
@@ -339,8 +355,8 @@ func (p *autoCloseProxyAdapter) DialContextWithDialer(ctx context.Context, diale
 	return c, nil
 }
 
-func (p *autoCloseProxyAdapter) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	pc, err := p.ProxyAdapter.ListenPacketContext(ctx, metadata, opts...)
+func (p *autoCloseProxyAdapter) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	pc, err := p.ProxyAdapter.ListenPacketContext(ctx, metadata)
 	if err != nil {
 		return nil, err
 	}

adapter/outbound/direct.go

@@ -2,7 +2,8 @@ package outbound
 
 import (
 	"context"
-	"errors"
+	"fmt"
+
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/loopback"
 	"github.com/metacubex/mihomo/component/resolver"
@@ -20,12 +21,13 @@ type DirectOption struct {
 }
 
 // DialContext implements C.ProxyAdapter
-func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	if err := d.loopBack.CheckConn(metadata); err != nil {
 		return nil, err
 	}
+	opts := d.DialOptions()
 	opts = append(opts, dialer.WithResolver(resolver.DirectHostResolver))
-	c, err := dialer.DialContext(ctx, "tcp", metadata.RemoteAddress(), d.Base.DialOptions(opts...)...)
+	c, err := dialer.DialContext(ctx, "tcp", metadata.RemoteAddress(), opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -33,25 +35,31 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	if err := d.loopBack.CheckPacketConn(metadata); err != nil {
 		return nil, err
 	}
-	// net.UDPConn.WriteTo only working with *net.UDPAddr, so we need a net.UDPAddr
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, resolver.DirectHostResolver)
-		if err != nil {
-			return nil, errors.New("can't resolve ip")
-		}
-		metadata.DstIP = ip
+	if err := d.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
 	}
-	pc, err := dialer.NewDialer(d.Base.DialOptions(opts...)...).ListenPacket(ctx, "udp", "", metadata.AddrPort())
+	pc, err := dialer.NewDialer(d.DialOptions()...).ListenPacket(ctx, "udp", "", metadata.AddrPort())
 	if err != nil {
 		return nil, err
 	}
 	return d.loopBack.NewPacketConn(newPacketConn(pc, d)), nil
 }
 
+func (d *Direct) ResolveUDP(ctx context.Context, metadata *C.Metadata) error {
+	if (!metadata.Resolved() || resolver.DirectHostResolver != resolver.DefaultResolver) && metadata.Host != "" {
+		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, resolver.DirectHostResolver)
+		if err != nil {
+			return fmt.Errorf("can't resolve ip: %w", err)
+		}
+		metadata.DstIP = ip
+	}
+	return nil
+}
+
 func (d *Direct) IsL3Protocol(metadata *C.Metadata) bool {
 	return true // tell DNSDialer don't send domain to DialContext, avoid lookback to DefaultResolver
 }

adapter/outbound/dns.go

@@ -3,11 +3,11 @@ package outbound
 import (
 	"context"
 	"net"
+	"net/netip"
 	"time"
 
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/pool"
-	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
@@ -23,15 +23,18 @@ type DnsOption struct {
 }
 
 // DialContext implements C.ProxyAdapter
-func (d *Dns) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (d *Dns) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	left, right := N.Pipe()
 	go resolver.RelayDnsConn(context.Background(), right, 0)
 	return NewConn(left, d), nil
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (d *Dns) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (d *Dns) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	log.Debugln("[DNS] hijack udp:%s from %s", metadata.RemoteAddress(), metadata.SourceAddrPort())
+	if err := d.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
+	}
 
 	ctx, cancel := context.WithCancel(context.Background())
 
@@ -42,6 +45,13 @@ func (d *Dns) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opt
 	}, d), nil
 }
 
+func (d *Dns) ResolveUDP(ctx context.Context, metadata *C.Metadata) error {
+	if !metadata.Resolved() {
+		metadata.DstIP = netip.AddrFrom4([4]byte{127, 0, 0, 2})
+	}
+	return nil
+}
+
 type dnsPacket struct {
 	data []byte
 	put  func()

adapter/outbound/ech.go

@@ -0,0 +1,36 @@
+package outbound
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+
+	"github.com/metacubex/mihomo/component/ech"
+	"github.com/metacubex/mihomo/component/resolver"
+)
+
+type ECHOptions struct {
+	Enable bool   `proxy:"enable,omitempty" obfs:"enable,omitempty"`
+	Config string `proxy:"config,omitempty" obfs:"config,omitempty"`
+}
+
+func (o ECHOptions) Parse() (*ech.Config, error) {
+	if !o.Enable {
+		return nil, nil
+	}
+	echConfig := &ech.Config{}
+	if o.Config != "" {
+		list, err := base64.StdEncoding.DecodeString(o.Config)
+		if err != nil {
+			return nil, fmt.Errorf("base64 decode ech config string failed: %v", err)
+		}
+		echConfig.GetEncryptedClientHelloConfigList = func(ctx context.Context, serverName string) ([]byte, error) {
+			return list, nil
+		}
+	} else {
+		echConfig.GetEncryptedClientHelloConfigList = func(ctx context.Context, serverName string) ([]byte, error) {
+			return resolver.ResolveECHWithResolver(ctx, serverName, resolver.ProxyServerHostResolver)
+		}
+	}
+	return echConfig, nil
+}

adapter/outbound/http.go

@@ -58,8 +58,8 @@ func (h *Http) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Me
 }
 
 // DialContext implements C.ProxyAdapter
-func (h *Http) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	return h.DialContextWithDialer(ctx, dialer.NewDialer(h.Base.DialOptions(opts...)...), metadata)
+func (h *Http) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
+	return h.DialContextWithDialer(ctx, dialer.NewDialer(h.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter

adapter/outbound/hysteria.go

@@ -10,13 +10,11 @@ import (
 	"strconv"
 	"time"
 
-	"github.com/metacubex/quic-go"
-	"github.com/metacubex/quic-go/congestion"
-	M "github.com/sagernet/sing/common/metadata"
-
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
+	"github.com/metacubex/mihomo/component/ech"
 	"github.com/metacubex/mihomo/component/proxydialer"
+	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 	hyCongestion "github.com/metacubex/mihomo/transport/hysteria/congestion"
@@ -25,6 +23,10 @@ import (
 	"github.com/metacubex/mihomo/transport/hysteria/pmtud_fix"
 	"github.com/metacubex/mihomo/transport/hysteria/transport"
 	"github.com/metacubex/mihomo/transport/hysteria/utils"
+
+	"github.com/metacubex/quic-go"
+	"github.com/metacubex/quic-go/congestion"
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 const (
@@ -43,10 +45,13 @@ type Hysteria struct {
 
 	option *HysteriaOption
 	client *core.Client
+
+	tlsConfig *tlsC.Config
+	echConfig *ech.Config
 }
 
-func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	tcpConn, err := h.client.DialTCP(metadata.String(), metadata.DstPort, h.genHdc(ctx, opts...))
+func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
+	tcpConn, err := h.client.DialTCP(metadata.String(), metadata.DstPort, h.genHdc(ctx))
 	if err != nil {
 		return nil, err
 	}
@@ -54,20 +59,23 @@ func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 	return NewConn(tcpConn, h), nil
 }
 
-func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	udpConn, err := h.client.DialUDP(h.genHdc(ctx, opts...))
+func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
+	if err := h.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
+	}
+	udpConn, err := h.client.DialUDP(h.genHdc(ctx))
 	if err != nil {
 		return nil, err
 	}
 	return newPacketConn(&hyPacketConn{udpConn}, h), nil
 }
 
-func (h *Hysteria) genHdc(ctx context.Context, opts ...dialer.Option) utils.PacketDialer {
+func (h *Hysteria) genHdc(ctx context.Context) utils.PacketDialer {
 	return &hyDialerWithContext{
 		ctx: context.Background(),
 		hyDialer: func(network string, rAddr net.Addr) (net.PacketConn, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(h.Base.DialOptions(opts...)...)
+			var cDialer C.Dialer = dialer.NewDialer(h.DialOptions()...)
 			if len(h.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(h.option.DialerProxy, cDialer)
 				if err != nil {
@@ -78,7 +86,15 @@ func (h *Hysteria) genHdc(ctx context.Context, opts ...dialer.Option) utils.Pack
 			return cDialer.ListenPacket(ctx, network, "", rAddrPort)
 		},
 		remoteAddr: func(addr string) (net.Addr, error) {
-			return resolveUDPAddr(ctx, "udp", addr, h.prefer)
+			udpAddr, err := resolveUDPAddr(ctx, "udp", addr, h.prefer)
+			if err != nil {
+				return nil, err
+			}
+			err = h.echConfig.ClientHandle(ctx, h.tlsConfig)
+			if err != nil {
+				return nil, err
+			}
+			return udpAddr, nil
 		},
 	}
 }
@@ -92,30 +108,31 @@ func (h *Hysteria) ProxyInfo() C.ProxyInfo {
 
 type HysteriaOption struct {
 	BasicOption
-	Name                string   `proxy:"name"`
-	Server              string   `proxy:"server"`
-	Port                int      `proxy:"port,omitempty"`
-	Ports               string   `proxy:"ports,omitempty"`
-	Protocol            string   `proxy:"protocol,omitempty"`
-	ObfsProtocol        string   `proxy:"obfs-protocol,omitempty"` // compatible with Stash
-	Up                  string   `proxy:"up"`
-	UpSpeed             int      `proxy:"up-speed,omitempty"` // compatible with Stash
-	Down                string   `proxy:"down"`
-	DownSpeed           int      `proxy:"down-speed,omitempty"` // compatible with Stash
-	Auth                string   `proxy:"auth,omitempty"`
-	AuthString          string   `proxy:"auth-str,omitempty"`
-	Obfs                string   `proxy:"obfs,omitempty"`
-	SNI                 string   `proxy:"sni,omitempty"`
-	SkipCertVerify      bool     `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint         string   `proxy:"fingerprint,omitempty"`
-	ALPN                []string `proxy:"alpn,omitempty"`
-	CustomCA            string   `proxy:"ca,omitempty"`
-	CustomCAString      string   `proxy:"ca-str,omitempty"`
-	ReceiveWindowConn   int      `proxy:"recv-window-conn,omitempty"`
-	ReceiveWindow       int      `proxy:"recv-window,omitempty"`
-	DisableMTUDiscovery bool     `proxy:"disable-mtu-discovery,omitempty"`
-	FastOpen            bool     `proxy:"fast-open,omitempty"`
-	HopInterval         int      `proxy:"hop-interval,omitempty"`
+	Name                string     `proxy:"name"`
+	Server              string     `proxy:"server"`
+	Port                int        `proxy:"port,omitempty"`
+	Ports               string     `proxy:"ports,omitempty"`
+	Protocol            string     `proxy:"protocol,omitempty"`
+	ObfsProtocol        string     `proxy:"obfs-protocol,omitempty"` // compatible with Stash
+	Up                  string     `proxy:"up"`
+	UpSpeed             int        `proxy:"up-speed,omitempty"` // compatible with Stash
+	Down                string     `proxy:"down"`
+	DownSpeed           int        `proxy:"down-speed,omitempty"` // compatible with Stash
+	Auth                string     `proxy:"auth,omitempty"`
+	AuthString          string     `proxy:"auth-str,omitempty"`
+	Obfs                string     `proxy:"obfs,omitempty"`
+	SNI                 string     `proxy:"sni,omitempty"`
+	ECHOpts             ECHOptions `proxy:"ech-opts,omitempty"`
+	SkipCertVerify      bool       `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint         string     `proxy:"fingerprint,omitempty"`
+	ALPN                []string   `proxy:"alpn,omitempty"`
+	CustomCA            string     `proxy:"ca,omitempty"`
+	CustomCAString      string     `proxy:"ca-str,omitempty"`
+	ReceiveWindowConn   int        `proxy:"recv-window-conn,omitempty"`
+	ReceiveWindow       int        `proxy:"recv-window,omitempty"`
+	DisableMTUDiscovery bool       `proxy:"disable-mtu-discovery,omitempty"`
+	FastOpen            bool       `proxy:"fast-open,omitempty"`
+	HopInterval         int        `proxy:"hop-interval,omitempty"`
 }
 
 func (c *HysteriaOption) Speed() (uint64, uint64, error) {
@@ -155,11 +172,18 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 		return nil, err
 	}
 
-	if len(option.ALPN) > 0 {
+	if option.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
 		tlsConfig.NextProtos = option.ALPN
 	} else {
 		tlsConfig.NextProtos = []string{DefaultALPN}
 	}
+
+	echConfig, err := option.ECHOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+	tlsClientConfig := tlsC.UConfig(tlsConfig)
+
 	quicConfig := &quic.Config{
 		InitialStreamReceiveWindow:     uint64(option.ReceiveWindowConn),
 		MaxStreamReceiveWindow:         uint64(option.ReceiveWindowConn),
@@ -214,7 +238,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 		down = uint64(option.DownSpeed * mbpsToBps)
 	}
 	client, err := core.NewClient(
-		addr, ports, option.Protocol, auth, tlsConfig, quicConfig, clientTransport, up, down, func(refBPS uint64) congestion.CongestionControl {
+		addr, ports, option.Protocol, auth, tlsClientConfig, quicConfig, clientTransport, up, down, func(refBPS uint64) congestion.CongestionControl {
 			return hyCongestion.NewBrutalSender(congestion.ByteCount(refBPS))
 		}, obfuscator, hopInterval, option.FastOpen,
 	)
@@ -232,8 +256,10 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		option: &option,
-		client: client,
+		option:    &option,
+		client:    client,
+		tlsConfig: tlsClientConfig,
+		echConfig: echConfig,
 	}
 
 	return outbound, nil

adapter/outbound/hysteria2.go

@@ -14,15 +14,14 @@ import (
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
+	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 	tuicCommon "github.com/metacubex/mihomo/transport/tuic/common"
 
-	"github.com/metacubex/sing-quic/hysteria2"
-
 	"github.com/metacubex/quic-go"
-	"github.com/metacubex/randv2"
-	M "github.com/sagernet/sing/common/metadata"
+	"github.com/metacubex/sing-quic/hysteria2"
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 func init() {
@@ -42,24 +41,25 @@ type Hysteria2 struct {
 
 type Hysteria2Option struct {
 	BasicOption
-	Name           string   `proxy:"name"`
-	Server         string   `proxy:"server"`
-	Port           int      `proxy:"port,omitempty"`
-	Ports          string   `proxy:"ports,omitempty"`
-	HopInterval    int      `proxy:"hop-interval,omitempty"`
-	Up             string   `proxy:"up,omitempty"`
-	Down           string   `proxy:"down,omitempty"`
-	Password       string   `proxy:"password,omitempty"`
-	Obfs           string   `proxy:"obfs,omitempty"`
-	ObfsPassword   string   `proxy:"obfs-password,omitempty"`
-	SNI            string   `proxy:"sni,omitempty"`
-	SkipCertVerify bool     `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint    string   `proxy:"fingerprint,omitempty"`
-	ALPN           []string `proxy:"alpn,omitempty"`
-	CustomCA       string   `proxy:"ca,omitempty"`
-	CustomCAString string   `proxy:"ca-str,omitempty"`
-	CWND           int      `proxy:"cwnd,omitempty"`
-	UdpMTU         int      `proxy:"udp-mtu,omitempty"`
+	Name           string     `proxy:"name"`
+	Server         string     `proxy:"server"`
+	Port           int        `proxy:"port,omitempty"`
+	Ports          string     `proxy:"ports,omitempty"`
+	HopInterval    int        `proxy:"hop-interval,omitempty"`
+	Up             string     `proxy:"up,omitempty"`
+	Down           string     `proxy:"down,omitempty"`
+	Password       string     `proxy:"password,omitempty"`
+	Obfs           string     `proxy:"obfs,omitempty"`
+	ObfsPassword   string     `proxy:"obfs-password,omitempty"`
+	SNI            string     `proxy:"sni,omitempty"`
+	ECHOpts        ECHOptions `proxy:"ech-opts,omitempty"`
+	SkipCertVerify bool       `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint    string     `proxy:"fingerprint,omitempty"`
+	ALPN           []string   `proxy:"alpn,omitempty"`
+	CustomCA       string     `proxy:"ca,omitempty"`
+	CustomCAString string     `proxy:"ca-str,omitempty"`
+	CWND           int        `proxy:"cwnd,omitempty"`
+	UdpMTU         int        `proxy:"udp-mtu,omitempty"`
 
 	// quic-go special config
 	InitialStreamReceiveWindow     uint64 `proxy:"initial-stream-receive-window,omitempty"`
@@ -68,9 +68,7 @@ type Hysteria2Option struct {
 	MaxConnectionReceiveWindow     uint64 `proxy:"max-connection-receive-window,omitempty"`
 }
 
-func (h *Hysteria2) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	options := h.Base.DialOptions(opts...)
-	h.dialer.SetDialer(dialer.NewDialer(options...))
+func (h *Hysteria2) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	c, err := h.client.DialConn(ctx, M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 	if err != nil {
 		return nil, err
@@ -78,9 +76,10 @@ func (h *Hysteria2) DialContext(ctx context.Context, metadata *C.Metadata, opts
 	return NewConn(c, h), nil
 }
 
-func (h *Hysteria2) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	options := h.Base.DialOptions(opts...)
-	h.dialer.SetDialer(dialer.NewDialer(options...))
+func (h *Hysteria2) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if err = h.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
+	}
 	pc, err := h.client.ListenPacket(ctx)
 	if err != nil {
 		return nil, err
@@ -108,6 +107,22 @@ func (h *Hysteria2) ProxyInfo() C.ProxyInfo {
 
 func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+	outbound := &Hysteria2{
+		Base: &Base{
+			name:   option.Name,
+			addr:   addr,
+			tp:     C.Hysteria2,
+			udp:    true,
+			iface:  option.Interface,
+			rmark:  option.RoutingMark,
+			prefer: C.NewDNSPrefer(option.IPVersion),
+		},
+		option: &option,
+	}
+
+	singDialer := proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer(outbound.DialOptions()...))
+	outbound.dialer = singDialer
+
 	var salamanderPassword string
 	if len(option.Obfs) > 0 {
 		if option.ObfsPassword == "" {
@@ -138,10 +153,16 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 		return nil, err
 	}
 
-	if len(option.ALPN) > 0 {
+	if option.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
 		tlsConfig.NextProtos = option.ALPN
 	}
 
+	tlsClientConfig := tlsC.UConfig(tlsConfig)
+	echConfig, err := option.ECHOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+
 	if option.UdpMTU == 0 {
 		// "1200" from quic-go's MaxDatagramSize
 		// "-3" from quic-go's DatagramFrame.MaxDataLen
@@ -155,8 +176,6 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 		MaxConnectionReceiveWindow:     option.MaxConnectionReceiveWindow,
 	}
 
-	singDialer := proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer())
-
 	clientOptions := hysteria2.ClientOptions{
 		Context:            context.TODO(),
 		Dialer:             singDialer,
@@ -165,41 +184,46 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 		ReceiveBPS:         StringToBps(option.Down),
 		SalamanderPassword: salamanderPassword,
 		Password:           option.Password,
-		TLSConfig:          tlsConfig,
+		TLSConfig:          tlsClientConfig,
 		QUICConfig:         quicConfig,
 		UDPDisabled:        false,
 		CWND:               option.CWND,
 		UdpMTU:             option.UdpMTU,
 		ServerAddress: func(ctx context.Context) (*net.UDPAddr, error) {
-			return resolveUDPAddr(ctx, "udp", addr, C.NewDNSPrefer(option.IPVersion))
+			udpAddr, err := resolveUDPAddr(ctx, "udp", addr, C.NewDNSPrefer(option.IPVersion))
+			if err != nil {
+				return nil, err
+			}
+			err = echConfig.ClientHandle(ctx, tlsClientConfig)
+			if err != nil {
+				return nil, err
+			}
+			return udpAddr, nil
 		},
 	}
 
 	var ranges utils.IntRanges[uint16]
-	var serverAddress []string
+	var serverPorts []uint16
 	if option.Ports != "" {
 		ranges, err = utils.NewUnsignedRanges[uint16](option.Ports)
 		if err != nil {
 			return nil, err
 		}
 		ranges.Range(func(port uint16) bool {
-			serverAddress = append(serverAddress, net.JoinHostPort(option.Server, strconv.Itoa(int(port))))
+			serverPorts = append(serverPorts, port)
 			return true
 		})
-		if len(serverAddress) > 0 {
-			clientOptions.ServerAddress = func(ctx context.Context) (*net.UDPAddr, error) {
-				return resolveUDPAddr(ctx, "udp", serverAddress[randv2.IntN(len(serverAddress))], C.NewDNSPrefer(option.IPVersion))
-			}
-
+		if len(serverPorts) > 0 {
 			if option.HopInterval == 0 {
 				option.HopInterval = defaultHopInterval
 			} else if option.HopInterval < minHopInterval {
 				option.HopInterval = minHopInterval
 			}
 			clientOptions.HopInterval = time.Duration(option.HopInterval) * time.Second
+			clientOptions.ServerPorts = serverPorts
 		}
 	}
-	if option.Port == 0 && len(serverAddress) == 0 {
+	if option.Port == 0 && len(serverPorts) == 0 {
 		return nil, errors.New("invalid port")
 	}
 
@@ -207,21 +231,7 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 	if err != nil {
 		return nil, err
 	}
-
-	outbound := &Hysteria2{
-		Base: &Base{
-			name:   option.Name,
-			addr:   addr,
-			tp:     C.Hysteria2,
-			udp:    true,
-			iface:  option.Interface,
-			rmark:  option.RoutingMark,
-			prefer: C.NewDNSPrefer(option.IPVersion),
-		},
-		option: &option,
-		client: client,
-		dialer: singDialer,
-	}
+	outbound.client = client
 
 	return outbound, nil
 }

adapter/outbound/mieru.go

@@ -28,20 +28,21 @@ type Mieru struct {
 
 type MieruOption struct {
 	BasicOption
-	Name         string `proxy:"name"`
-	Server       string `proxy:"server"`
-	Port         int    `proxy:"port,omitempty"`
-	PortRange    string `proxy:"port-range,omitempty"`
-	Transport    string `proxy:"transport"`
-	UDP          bool   `proxy:"udp,omitempty"`
-	UserName     string `proxy:"username"`
-	Password     string `proxy:"password"`
-	Multiplexing string `proxy:"multiplexing,omitempty"`
+	Name          string `proxy:"name"`
+	Server        string `proxy:"server"`
+	Port          int    `proxy:"port,omitempty"`
+	PortRange     string `proxy:"port-range,omitempty"`
+	Transport     string `proxy:"transport"`
+	UDP           bool   `proxy:"udp,omitempty"`
+	UserName      string `proxy:"username"`
+	Password      string `proxy:"password"`
+	Multiplexing  string `proxy:"multiplexing,omitempty"`
+	HandshakeMode string `proxy:"handshake-mode,omitempty"`
 }
 
 // DialContext implements C.ProxyAdapter
-func (m *Mieru) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	if err := m.ensureClientIsRunning(opts...); err != nil {
+func (m *Mieru) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
+	if err := m.ensureClientIsRunning(); err != nil {
 		return nil, err
 	}
 	addr := metadataToMieruNetAddrSpec(metadata)
@@ -53,8 +54,11 @@ func (m *Mieru) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (m *Mieru) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	if err := m.ensureClientIsRunning(opts...); err != nil {
+func (m *Mieru) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if err = m.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
+	}
+	if err := m.ensureClientIsRunning(); err != nil {
 		return nil, err
 	}
 	c, err := m.client.DialContext(ctx, metadata.UDPAddr())
@@ -76,7 +80,7 @@ func (m *Mieru) ProxyInfo() C.ProxyInfo {
 	return info
 }
 
-func (m *Mieru) ensureClientIsRunning(opts ...dialer.Option) error {
+func (m *Mieru) ensureClientIsRunning() error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
@@ -85,7 +89,7 @@ func (m *Mieru) ensureClientIsRunning(opts ...dialer.Option) error {
 	}
 
 	// Create a dialer and add it to the client config, before starting the client.
-	var dialer C.Dialer = dialer.NewDialer(m.Base.DialOptions(opts...)...)
+	var dialer C.Dialer = dialer.NewDialer(m.DialOptions()...)
 	var err error
 	if len(m.option.DialerProxy) > 0 {
 		dialer, err = proxydialer.NewByName(m.option.DialerProxy, dialer)
@@ -242,6 +246,9 @@ func buildMieruClientConfig(option MieruOption) (*mieruclient.ClientConfig, erro
 			Level: mierupb.MultiplexingLevel(multiplexing).Enum(),
 		}
 	}
+	if handshakeMode, ok := mierupb.HandshakeMode_value[option.HandshakeMode]; ok {
+		config.Profile.HandshakeMode = (*mierupb.HandshakeMode)(&handshakeMode)
+	}
 	return config, nil
 }
 
@@ -291,6 +298,11 @@ func validateMieruOption(option MieruOption) error {
 			return fmt.Errorf("invalid multiplexing level: %s", option.Multiplexing)
 		}
 	}
+	if option.HandshakeMode != "" {
+		if _, ok := mierupb.HandshakeMode_value[option.HandshakeMode]; !ok {
+			return fmt.Errorf("invalid handshake mode: %s", option.HandshakeMode)
+		}
+	}
 	return nil
 }
 

adapter/outbound/reality.go

@@ -13,11 +13,14 @@ import (
 type RealityOptions struct {
 	PublicKey string `proxy:"public-key"`
 	ShortID   string `proxy:"short-id"`
+
+	SupportX25519MLKEM768 bool `proxy:"support-x25519mlkem768"`
 }
 
 func (o RealityOptions) Parse() (*tlsC.RealityConfig, error) {
 	if o.PublicKey != "" {
 		config := new(tlsC.RealityConfig)
+		config.SupportX25519MLKEM768 = o.SupportX25519MLKEM768
 
 		const x25519ScalarSize = 32
 		publicKey, err := base64.RawURLEncoding.DecodeString(o.PublicKey)

adapter/outbound/reject.go

@@ -4,10 +4,10 @@ import (
 	"context"
 	"io"
 	"net"
+	"net/netip"
 	"time"
 
 	"github.com/metacubex/mihomo/common/buf"
-	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 )
 
@@ -21,7 +21,7 @@ type RejectOption struct {
 }
 
 // DialContext implements C.ProxyAdapter
-func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	if r.drop {
 		return NewConn(dropConn{}, r), nil
 	}
@@ -29,10 +29,20 @@ func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (r *Reject) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (r *Reject) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
+	if err := r.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
+	}
 	return newPacketConn(&nopPacketConn{}, r), nil
 }
 
+func (r *Reject) ResolveUDP(ctx context.Context, metadata *C.Metadata) error {
+	if !metadata.Resolved() {
+		metadata.DstIP = netip.IPv4Unspecified()
+	}
+	return nil
+}
+
 func NewRejectWithOption(option RejectOption) *Reject {
 	return &Reject{
 		Base: &Base{

adapter/outbound/shadowsocks.go

@@ -2,7 +2,6 @@ package outbound
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"net"
 	"strconv"
@@ -11,7 +10,6 @@ import (
 	"github.com/metacubex/mihomo/common/structure"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
-	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	gost "github.com/metacubex/mihomo/transport/gost-plugin"
 	"github.com/metacubex/mihomo/transport/restls"
@@ -20,9 +18,9 @@ import (
 	v2rayObfs "github.com/metacubex/mihomo/transport/v2ray-plugin"
 
 	shadowsocks "github.com/metacubex/sing-shadowsocks2"
-	"github.com/sagernet/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/common/uot"
+	"github.com/metacubex/sing/common/bufio"
+	M "github.com/metacubex/sing/common/metadata"
+	"github.com/metacubex/sing/common/uot"
 )
 
 type ShadowSocks struct {
@@ -64,6 +62,7 @@ type v2rayObfsOption struct {
 	Host                     string            `obfs:"host,omitempty"`
 	Path                     string            `obfs:"path,omitempty"`
 	TLS                      bool              `obfs:"tls,omitempty"`
+	ECHOpts                  ECHOptions        `obfs:"ech-opts,omitempty"`
 	Fingerprint              string            `obfs:"fingerprint,omitempty"`
 	Headers                  map[string]string `obfs:"headers,omitempty"`
 	SkipCertVerify           bool              `obfs:"skip-cert-verify,omitempty"`
@@ -77,6 +76,7 @@ type gostObfsOption struct {
 	Host           string            `obfs:"host,omitempty"`
 	Path           string            `obfs:"path,omitempty"`
 	TLS            bool              `obfs:"tls,omitempty"`
+	ECHOpts        ECHOptions        `obfs:"ech-opts,omitempty"`
 	Fingerprint    string            `obfs:"fingerprint,omitempty"`
 	Headers        map[string]string `obfs:"headers,omitempty"`
 	SkipCertVerify bool              `obfs:"skip-cert-verify,omitempty"`
@@ -84,11 +84,12 @@ type gostObfsOption struct {
 }
 
 type shadowTLSOption struct {
-	Password       string `obfs:"password"`
-	Host           string `obfs:"host"`
-	Fingerprint    string `obfs:"fingerprint,omitempty"`
-	SkipCertVerify bool   `obfs:"skip-cert-verify,omitempty"`
-	Version        int    `obfs:"version,omitempty"`
+	Password       string   `obfs:"password,omitempty"`
+	Host           string   `obfs:"host"`
+	Fingerprint    string   `obfs:"fingerprint,omitempty"`
+	SkipCertVerify bool     `obfs:"skip-cert-verify,omitempty"`
+	Version        int      `obfs:"version,omitempty"`
+	ALPN           []string `obfs:"alpn,omitempty"`
 }
 
 type restlsOption struct {
@@ -154,8 +155,8 @@ func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metada
 }
 
 // DialContext implements C.ProxyAdapter
-func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.Base.DialOptions(opts...)...), metadata)
+func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
+	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -180,8 +181,8 @@ func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Diale
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (ss *ShadowSocks) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	return ss.ListenPacketWithDialer(ctx, dialer.NewDialer(ss.Base.DialOptions(opts...)...), metadata)
+func (ss *ShadowSocks) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
+	return ss.ListenPacketWithDialer(ctx, dialer.NewDialer(ss.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -199,6 +200,9 @@ func (ss *ShadowSocks) ListenPacketWithDialer(ctx context.Context, dialer C.Dial
 			return nil, err
 		}
 	}
+	if err = ss.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
+	}
 	addr, err := resolveUDPAddr(ctx, "udp", ss.addr, ss.prefer)
 	if err != nil {
 		return nil, err
@@ -227,15 +231,9 @@ func (ss *ShadowSocks) ProxyInfo() C.ProxyInfo {
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (ss *ShadowSocks) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if ss.option.UDPOverTCP {
-		// ss uot use stream-oriented udp with a special address, so we need a net.UDPAddr
-		if !metadata.Resolved() {
-			ip, err := resolver.ResolveIP(ctx, metadata.Host)
-			if err != nil {
-				return nil, errors.New("can't resolve ip")
-			}
-			metadata.DstIP = ip
+		if err = ss.ResolveUDP(ctx, metadata); err != nil {
+			return nil, err
 		}
-
 		destination := M.SocksaddrFromNet(metadata.UDPAddr())
 		if ss.option.UDPOverTCPVersion == uot.LegacyVersion {
 			return newPacketConn(N.NewThreadSafePacketConn(uot.NewConn(c, uot.Request{Destination: destination})), ss), nil
@@ -302,6 +300,12 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			v2rayOption.TLS = true
 			v2rayOption.SkipCertVerify = opts.SkipCertVerify
 			v2rayOption.Fingerprint = opts.Fingerprint
+
+			echConfig, err := opts.ECHOpts.Parse()
+			if err != nil {
+				return nil, fmt.Errorf("ss %s initialize v2ray-plugin error: %w", addr, err)
+			}
+			v2rayOption.ECHConfig = echConfig
 		}
 	} else if option.Plugin == "gost-plugin" {
 		opts := gostObfsOption{Host: "bing.com", Mux: true}
@@ -324,6 +328,12 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			gostOption.TLS = true
 			gostOption.SkipCertVerify = opts.SkipCertVerify
 			gostOption.Fingerprint = opts.Fingerprint
+
+			echConfig, err := opts.ECHOpts.Parse()
+			if err != nil {
+				return nil, fmt.Errorf("ss %s initialize gost-plugin error: %w", addr, err)
+			}
+			gostOption.ECHConfig = echConfig
 		}
 	} else if option.Plugin == shadowtls.Mode {
 		obfsMode = shadowtls.Mode
@@ -342,6 +352,12 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			SkipCertVerify:    opt.SkipCertVerify,
 			Version:           opt.Version,
 		}
+
+		if opt.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
+			shadowTLSOpt.ALPN = opt.ALPN
+		} else {
+			shadowTLSOpt.ALPN = shadowtls.DefaultALPN
+		}
 	} else if option.Plugin == restls.Mode {
 		obfsMode = restls.Mode
 		restlsOpt := &restlsOption{}

adapter/outbound/shadowsocksr.go

@@ -67,8 +67,8 @@ func (ssr *ShadowSocksR) StreamConnContext(ctx context.Context, c net.Conn, meta
 }
 
 // DialContext implements C.ProxyAdapter
-func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	return ssr.DialContextWithDialer(ctx, dialer.NewDialer(ssr.Base.DialOptions(opts...)...), metadata)
+func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
+	return ssr.DialContextWithDialer(ctx, dialer.NewDialer(ssr.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -93,8 +93,8 @@ func (ssr *ShadowSocksR) DialContextWithDialer(ctx context.Context, dialer C.Dia
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (ssr *ShadowSocksR) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	return ssr.ListenPacketWithDialer(ctx, dialer.NewDialer(ssr.Base.DialOptions(opts...)...), metadata)
+func (ssr *ShadowSocksR) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
+	return ssr.ListenPacketWithDialer(ctx, dialer.NewDialer(ssr.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -105,6 +105,9 @@ func (ssr *ShadowSocksR) ListenPacketWithDialer(ctx context.Context, dialer C.Di
 			return nil, err
 		}
 	}
+	if err = ssr.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
+	}
 	addr, err := resolveUDPAddr(ctx, "udp", ssr.addr, ssr.prefer)
 	if err != nil {
 		return nil, err

adapter/outbound/singmux.go

@@ -2,18 +2,16 @@ package outbound
 
 import (
 	"context"
-	"errors"
 
 	CN "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
-	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 
-	mux "github.com/sagernet/sing-mux"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
+	mux "github.com/metacubex/sing-mux"
+	E "github.com/metacubex/sing/common/exceptions"
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 type SingMux struct {
@@ -41,9 +39,7 @@ type BrutalOption struct {
 	Down    string `proxy:"down,omitempty"`
 }
 
-func (s *SingMux) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	options := s.ProxyAdapter.DialOptions(opts...)
-	s.dialer.SetDialer(dialer.NewDialer(options...))
+func (s *SingMux) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	c, err := s.client.DialContext(ctx, "tcp", M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 	if err != nil {
 		return nil, err
@@ -51,22 +47,13 @@ func (s *SingMux) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 	return NewConn(c, s), err
 }
 
-func (s *SingMux) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (s *SingMux) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if s.onlyTcp {
-		return s.ProxyAdapter.ListenPacketContext(ctx, metadata, opts...)
+		return s.ProxyAdapter.ListenPacketContext(ctx, metadata)
 	}
-	options := s.ProxyAdapter.DialOptions(opts...)
-	s.dialer.SetDialer(dialer.NewDialer(options...))
-
-	// sing-mux use stream-oriented udp with a special address, so we need a net.UDPAddr
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(ctx, metadata.Host)
-		if err != nil {
-			return nil, errors.New("can't resolve ip")
-		}
-		metadata.DstIP = ip
+	if err = s.ProxyAdapter.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
 	}
-
 	pc, err := s.client.ListenPacket(ctx, M.SocksaddrFromNet(metadata.UDPAddr()))
 	if err != nil {
 		return nil, err
@@ -109,7 +96,7 @@ func NewSingMux(option SingMuxOption, proxy ProxyAdapter) (ProxyAdapter, error)
 	// TODO
 	// "TCP Brutal is only supported on Linux-based systems"
 
-	singDialer := proxydialer.NewSingDialer(proxy, dialer.NewDialer(), option.Statistic)
+	singDialer := proxydialer.NewSingDialer(proxy, dialer.NewDialer(proxy.DialOptions()...), option.Statistic)
 	client, err := mux.NewClient(mux.Options{
 		Dialer:         singDialer,
 		Logger:         log.SingLogger,

adapter/outbound/snell.go

@@ -75,8 +75,8 @@ func (s *Snell) writeHeaderContext(ctx context.Context, c net.Conn, metadata *C.
 }
 
 // DialContext implements C.ProxyAdapter
-func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	if s.version == snell.Version2 && dialer.IsZeroOptions(opts) {
+func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
+	if s.version == snell.Version2 {
 		c, err := s.pool.Get()
 		if err != nil {
 			return nil, err
@@ -89,7 +89,7 @@ func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 		return NewConn(c, s), err
 	}
 
-	return s.DialContextWithDialer(ctx, dialer.NewDialer(s.Base.DialOptions(opts...)...), metadata)
+	return s.DialContextWithDialer(ctx, dialer.NewDialer(s.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -114,8 +114,8 @@ func (s *Snell) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (s *Snell) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	return s.ListenPacketWithDialer(ctx, dialer.NewDialer(s.Base.DialOptions(opts...)...), metadata)
+func (s *Snell) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
+	return s.ListenPacketWithDialer(ctx, dialer.NewDialer(s.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -127,6 +127,9 @@ func (s *Snell) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 			return nil, err
 		}
 	}
+	if err = s.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
+	}
 	c, err := dialer.DialContext(ctx, "tcp", s.addr)
 	if err != nil {
 		return nil, err
@@ -207,7 +210,7 @@ func NewSnell(option SnellOption) (*Snell, error) {
 	if option.Version == snell.Version2 {
 		s.pool = snell.NewPool(func(ctx context.Context) (*snell.Snell, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(s.Base.DialOptions()...)
+			var cDialer C.Dialer = dialer.NewDialer(s.DialOptions()...)
 			if len(s.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(s.option.DialerProxy, cDialer)
 				if err != nil {

adapter/outbound/socks5.go

@@ -66,8 +66,8 @@ func (ss *Socks5) StreamConnContext(ctx context.Context, c net.Conn, metadata *C
 }
 
 // DialContext implements C.ProxyAdapter
-func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.Base.DialOptions(opts...)...), metadata)
+func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
+	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -101,14 +101,17 @@ func (ss *Socks5) SupportWithDialer() C.NetWork {
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	var cDialer C.Dialer = dialer.NewDialer(ss.Base.DialOptions(opts...)...)
+func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	var cDialer C.Dialer = dialer.NewDialer(ss.DialOptions()...)
 	if len(ss.option.DialerProxy) > 0 {
 		cDialer, err = proxydialer.NewByName(ss.option.DialerProxy, cDialer)
 		if err != nil {
 			return nil, err
 		}
 	}
+	if err = ss.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
+	}
 	c, err := cDialer.DialContext(ctx, "tcp", ss.addr)
 	if err != nil {
 		err = fmt.Errorf("%s connect error: %w", ss.addr, err)

adapter/outbound/ssh.go

@@ -43,8 +43,8 @@ type SshOption struct {
 	HostKeyAlgorithms    []string `proxy:"host-key-algorithms,omitempty"`
 }
 
-func (s *Ssh) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	var cDialer C.Dialer = dialer.NewDialer(s.Base.DialOptions(opts...)...)
+func (s *Ssh) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
+	var cDialer C.Dialer = dialer.NewDialer(s.DialOptions()...)
 	if len(s.option.DialerProxy) > 0 {
 		cDialer, err = proxydialer.NewByName(s.option.DialerProxy, cDialer)
 		if err != nil {
@@ -136,7 +136,11 @@ func NewSsh(option SshOption) (*Ssh, error) {
 		if strings.Contains(option.PrivateKey, "PRIVATE KEY") {
 			b = []byte(option.PrivateKey)
 		} else {
-			b, err = os.ReadFile(C.Path.Resolve(option.PrivateKey))
+			path := C.Path.Resolve(option.PrivateKey)
+			if !C.Path.IsSafePath(path) {
+				return nil, C.Path.ErrNotSafePath(path)
+			}
+			b, err = os.ReadFile(path)
 			if err != nil {
 				return nil, err
 			}

adapter/outbound/trojan.go

@@ -12,6 +12,7 @@ import (
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
+	"github.com/metacubex/mihomo/component/ech"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
@@ -32,6 +33,7 @@ type Trojan struct {
 	transport    *gun.TransportWrap
 
 	realityConfig *tlsC.RealityConfig
+	echConfig     *ech.Config
 
 	ssCipher core.Cipher
 }
@@ -48,6 +50,7 @@ type TrojanOption struct {
 	Fingerprint       string         `proxy:"fingerprint,omitempty"`
 	UDP               bool           `proxy:"udp,omitempty"`
 	Network           string         `proxy:"network,omitempty"`
+	ECHOpts           ECHOptions     `proxy:"ech-opts,omitempty"`
 	RealityOpts       RealityOptions `proxy:"reality-opts,omitempty"`
 	GrpcOpts          GrpcOptions    `proxy:"grpc-opts,omitempty"`
 	WSOpts            WSOptions      `proxy:"ws-opts,omitempty"`
@@ -77,6 +80,7 @@ func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.
 			V2rayHttpUpgrade:         t.option.WSOpts.V2rayHttpUpgrade,
 			V2rayHttpUpgradeFastOpen: t.option.WSOpts.V2rayHttpUpgradeFastOpen,
 			ClientFingerprint:        t.option.ClientFingerprint,
+			ECHConfig:                t.echConfig,
 			Headers:                  http.Header{},
 		}
 
@@ -91,7 +95,7 @@ func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.
 		}
 
 		alpn := trojan.DefaultWebsocketALPN
-		if len(t.option.ALPN) != 0 {
+		if t.option.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
 			alpn = t.option.ALPN
 		}
 
@@ -110,12 +114,12 @@ func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.
 
 		c, err = vmess.StreamWebsocketConn(ctx, c, wsOpts)
 	case "grpc":
-		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig, t.realityConfig)
+		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig, t.echConfig, t.realityConfig)
 	default:
 		// default tcp network
 		// handle TLS
 		alpn := trojan.DefaultALPN
-		if len(t.option.ALPN) != 0 {
+		if t.option.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
 			alpn = t.option.ALPN
 		}
 		c, err = vmess.StreamTLSConn(ctx, c, &vmess.TLSConfig{
@@ -124,6 +128,7 @@ func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.
 			FingerPrint:       t.option.Fingerprint,
 			ClientFingerprint: t.option.ClientFingerprint,
 			NextProtos:        alpn,
+			ECH:               t.echConfig,
 			Reality:           t.realityConfig,
 		})
 	}
@@ -165,10 +170,10 @@ func (t *Trojan) writeHeaderContext(ctx context.Context, c net.Conn, metadata *C
 }
 
 // DialContext implements C.ProxyAdapter
-func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	var c net.Conn
 	// gun transport
-	if t.transport != nil && dialer.IsZeroOptions(opts) {
+	if t.transport != nil {
 		c, err = gun.StreamGunWithTransport(t.transport, t.gunConfig)
 		if err != nil {
 			return nil, err
@@ -184,7 +189,7 @@ func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 
 		return NewConn(c, t), nil
 	}
-	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -213,11 +218,15 @@ func (t *Trojan) DialContextWithDialer(ctx context.Context, dialer C.Dialer, met
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if err = t.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
+	}
+
 	var c net.Conn
 
 	// grpc transport
-	if t.transport != nil && dialer.IsZeroOptions(opts) {
+	if t.transport != nil {
 		c, err = gun.StreamGunWithTransport(t.transport, t.gunConfig)
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
@@ -234,7 +243,7 @@ func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		pc := trojan.NewPacketConn(c)
 		return newPacketConn(pc, t), err
 	}
-	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -245,6 +254,9 @@ func (t *Trojan) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, me
 			return nil, err
 		}
 	}
+	if err = t.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
+	}
 	c, err := dialer.DialContext(ctx, "tcp", t.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
@@ -266,12 +278,6 @@ func (t *Trojan) SupportWithDialer() C.NetWork {
 	return C.ALLNet
 }
 
-// ListenPacketOnStreamConn implements C.ProxyAdapter
-func (t *Trojan) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	pc := trojan.NewPacketConn(c)
-	return newPacketConn(pc, t), err
-}
-
 // SupportUOT implements C.ProxyAdapter
 func (t *Trojan) SupportUOT() bool {
 	return true
@@ -295,6 +301,10 @@ func (t *Trojan) Close() error {
 func NewTrojan(option TrojanOption) (*Trojan, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 
+	if option.SNI == "" {
+		option.SNI = option.Server
+	}
+
 	t := &Trojan{
 		Base: &Base{
 			name:   option.Name,
@@ -317,6 +327,11 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		return nil, err
 	}
 
+	t.echConfig, err = option.ECHOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+
 	if option.SSOpts.Enabled {
 		if option.SSOpts.Password == "" {
 			return nil, errors.New("empty password")
@@ -334,7 +349,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 	if option.Network == "grpc" {
 		dialFn := func(ctx context.Context, network, addr string) (net.Conn, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(t.Base.DialOptions()...)
+			var cDialer C.Dialer = dialer.NewDialer(t.DialOptions()...)
 			if len(t.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(t.option.DialerProxy, cDialer)
 				if err != nil {
@@ -361,7 +376,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			return nil, err
 		}
 
-		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, option.ClientFingerprint, t.realityConfig)
+		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, option.ClientFingerprint, t.echConfig, t.realityConfig)
 
 		t.gunTLSConfig = tlsConfig
 		t.gunConfig = &gun.Config{

adapter/outbound/tuic.go

@@ -3,7 +3,6 @@ package outbound
 import (
 	"context"
 	"crypto/tls"
-	"errors"
 	"fmt"
 	"math"
 	"net"
@@ -12,21 +11,25 @@ import (
 
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
+	"github.com/metacubex/mihomo/component/ech"
 	"github.com/metacubex/mihomo/component/proxydialer"
-	"github.com/metacubex/mihomo/component/resolver"
+	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/tuic"
 
 	"github.com/gofrs/uuid/v5"
 	"github.com/metacubex/quic-go"
-	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/common/uot"
+	M "github.com/metacubex/sing/common/metadata"
+	"github.com/metacubex/sing/common/uot"
 )
 
 type Tuic struct {
 	*Base
 	option *TuicOption
 	client *tuic.PoolClient
+
+	tlsConfig *tlsC.Config
+	echConfig *ech.Config
 }
 
 type TuicOption struct {
@@ -47,26 +50,27 @@ type TuicOption struct {
 	DisableSni            bool     `proxy:"disable-sni,omitempty"`
 	MaxUdpRelayPacketSize int      `proxy:"max-udp-relay-packet-size,omitempty"`
 
-	FastOpen             bool   `proxy:"fast-open,omitempty"`
-	MaxOpenStreams       int    `proxy:"max-open-streams,omitempty"`
-	CWND                 int    `proxy:"cwnd,omitempty"`
-	SkipCertVerify       bool   `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint          string `proxy:"fingerprint,omitempty"`
-	CustomCA             string `proxy:"ca,omitempty"`
-	CustomCAString       string `proxy:"ca-str,omitempty"`
-	ReceiveWindowConn    int    `proxy:"recv-window-conn,omitempty"`
-	ReceiveWindow        int    `proxy:"recv-window,omitempty"`
-	DisableMTUDiscovery  bool   `proxy:"disable-mtu-discovery,omitempty"`
-	MaxDatagramFrameSize int    `proxy:"max-datagram-frame-size,omitempty"`
-	SNI                  string `proxy:"sni,omitempty"`
+	FastOpen             bool       `proxy:"fast-open,omitempty"`
+	MaxOpenStreams       int        `proxy:"max-open-streams,omitempty"`
+	CWND                 int        `proxy:"cwnd,omitempty"`
+	SkipCertVerify       bool       `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint          string     `proxy:"fingerprint,omitempty"`
+	CustomCA             string     `proxy:"ca,omitempty"`
+	CustomCAString       string     `proxy:"ca-str,omitempty"`
+	ReceiveWindowConn    int        `proxy:"recv-window-conn,omitempty"`
+	ReceiveWindow        int        `proxy:"recv-window,omitempty"`
+	DisableMTUDiscovery  bool       `proxy:"disable-mtu-discovery,omitempty"`
+	MaxDatagramFrameSize int        `proxy:"max-datagram-frame-size,omitempty"`
+	SNI                  string     `proxy:"sni,omitempty"`
+	ECHOpts              ECHOptions `proxy:"ech-opts,omitempty"`
 
 	UDPOverStream        bool `proxy:"udp-over-stream,omitempty"`
 	UDPOverStreamVersion int  `proxy:"udp-over-stream-version,omitempty"`
 }
 
 // DialContext implements C.ProxyAdapter
-func (t *Tuic) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+func (t *Tuic) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
+	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -79,12 +83,16 @@ func (t *Tuic) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metad
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (t *Tuic) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+func (t *Tuic) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
 func (t *Tuic) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if err = t.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
+	}
+
 	if t.option.UDPOverStream {
 		uotDestination := uot.RequestDestination(uint8(t.option.UDPOverStreamVersion))
 		uotMetadata := *metadata
@@ -96,13 +104,6 @@ func (t *Tuic) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, meta
 		}
 
 		// tuic uos use stream-oriented udp with a special address, so we need a net.UDPAddr
-		if !metadata.Resolved() {
-			ip, err := resolver.ResolveIP(ctx, metadata.Host)
-			if err != nil {
-				return nil, errors.New("can't resolve ip")
-			}
-			metadata.DstIP = ip
-		}
 
 		destination := M.SocksaddrFromNet(metadata.UDPAddr())
 		if t.option.UDPOverStreamVersion == uot.LegacyVersion {
@@ -134,6 +135,10 @@ func (t *Tuic) dialWithDialer(ctx context.Context, dialer C.Dialer) (transport *
 	if err != nil {
 		return nil, nil, err
 	}
+	err = t.echConfig.ClientHandle(ctx, t.tlsConfig)
+	if err != nil {
+		return nil, nil, err
+	}
 	addr = udpAddr
 	var pc net.PacketConn
 	pc, err = dialer.ListenPacket(ctx, "udp", "", udpAddr.AddrPort())
@@ -248,6 +253,12 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		tlsConfig.InsecureSkipVerify = true // tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config
 	}
 
+	tlsClientConfig := tlsC.UConfig(tlsConfig)
+	echConfig, err := option.ECHOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+
 	switch option.UDPOverStreamVersion {
 	case uot.Version, uot.LegacyVersion:
 	case 0:
@@ -267,7 +278,9 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		option: &option,
+		option:    &option,
+		tlsConfig: tlsClientConfig,
+		echConfig: echConfig,
 	}
 
 	clientMaxOpenStreams := int64(option.MaxOpenStreams)
@@ -284,7 +297,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 	if len(option.Token) > 0 {
 		tkn := tuic.GenTKN(option.Token)
 		clientOption := &tuic.ClientOptionV4{
-			TlsConfig:             tlsConfig,
+			TlsConfig:             tlsClientConfig,
 			QuicConfig:            quicConfig,
 			Token:                 tkn,
 			UdpRelayMode:          udpRelayMode,
@@ -304,7 +317,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			maxUdpRelayPacketSize = tuic.MaxFragSizeV5
 		}
 		clientOption := &tuic.ClientOptionV5{
-			TlsConfig:             tlsConfig,
+			TlsConfig:             tlsClientConfig,
 			QuicConfig:            quicConfig,
 			Uuid:                  uuid.FromStringOrNil(option.UUID),
 			Password:              option.Password,

adapter/outbound/vless.go

@@ -3,36 +3,28 @@ package outbound
 import (
 	"context"
 	"crypto/tls"
-	"encoding/binary"
-	"errors"
 	"fmt"
-	"io"
 	"net"
 	"net/http"
 	"strconv"
-	"sync"
 
 	"github.com/metacubex/mihomo/common/convert"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
+	"github.com/metacubex/mihomo/component/ech"
 	"github.com/metacubex/mihomo/component/proxydialer"
-	"github.com/metacubex/mihomo/component/resolver"
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/gun"
 	"github.com/metacubex/mihomo/transport/vless"
+	"github.com/metacubex/mihomo/transport/vless/encryption"
 	"github.com/metacubex/mihomo/transport/vmess"
 
 	vmessSing "github.com/metacubex/sing-vmess"
 	"github.com/metacubex/sing-vmess/packetaddr"
-	M "github.com/sagernet/sing/common/metadata"
-)
-
-const (
-	// max packet length
-	maxLength = 1024 << 3
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 type Vless struct {
@@ -40,12 +32,15 @@ type Vless struct {
 	client *vless.Client
 	option *VlessOption
 
+	encryption *encryption.ClientInstance
+
 	// for gun mux
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
 	transport    *gun.TransportWrap
 
 	realityConfig *tlsC.RealityConfig
+	echConfig     *ech.Config
 }
 
 type VlessOption struct {
@@ -61,7 +56,9 @@ type VlessOption struct {
 	PacketAddr        bool              `proxy:"packet-addr,omitempty"`
 	XUDP              bool              `proxy:"xudp,omitempty"`
 	PacketEncoding    string            `proxy:"packet-encoding,omitempty"`
+	Encryption        string            `proxy:"encryption,omitempty"`
 	Network           string            `proxy:"network,omitempty"`
+	ECHOpts           ECHOptions        `proxy:"ech-opts,omitempty"`
 	RealityOpts       RealityOptions    `proxy:"reality-opts,omitempty"`
 	HTTPOpts          HTTPOptions       `proxy:"http-opts,omitempty"`
 	HTTP2Opts         HTTP2Options      `proxy:"h2-opts,omitempty"`
@@ -88,6 +85,7 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			V2rayHttpUpgrade:         v.option.WSOpts.V2rayHttpUpgrade,
 			V2rayHttpUpgradeFastOpen: v.option.WSOpts.V2rayHttpUpgradeFastOpen,
 			ClientFingerprint:        v.option.ClientFingerprint,
+			ECHConfig:                v.echConfig,
 			Headers:                  http.Header{},
 		}
 
@@ -151,7 +149,7 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 
 		c, err = vmess.StreamH2Conn(ctx, c, h2Opts)
 	case "grpc":
-		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
+		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.echConfig, v.realityConfig)
 	default:
 		// default tcp network
 		// handle TLS
@@ -170,6 +168,12 @@ func (v *Vless) streamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		done := N.SetupContextForConn(ctx, c)
 		defer done(&err)
 	}
+	if v.encryption != nil {
+		c, err = v.encryption.Handshake(c)
+		if err != nil {
+			return
+		}
+	}
 	if metadata.NetWork == C.UDP {
 		if v.option.PacketAddr {
 			metadata = &C.Metadata{
@@ -185,9 +189,6 @@ func (v *Vless) streamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			}
 		}
 		conn, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
-		if v.option.PacketAddr {
-			conn = packetaddr.NewBindConn(conn)
-		}
 	} else {
 		conn, err = v.client.StreamConn(c, parseVlessAddr(metadata, false))
 	}
@@ -206,6 +207,7 @@ func (v *Vless) streamTLSConn(ctx context.Context, conn net.Conn, isH2 bool) (ne
 			SkipCertVerify:    v.option.SkipCertVerify,
 			FingerPrint:       v.option.Fingerprint,
 			ClientFingerprint: v.option.ClientFingerprint,
+			ECH:               v.echConfig,
 			Reality:           v.realityConfig,
 			NextProtos:        v.option.ALPN,
 		}
@@ -225,10 +227,10 @@ func (v *Vless) streamTLSConn(ctx context.Context, conn net.Conn, isH2 bool) (ne
 }
 
 // DialContext implements C.ProxyAdapter
-func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	var c net.Conn
 	// gun transport
-	if v.transport != nil && dialer.IsZeroOptions(opts) {
+	if v.transport != nil {
 		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
@@ -244,7 +246,7 @@ func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 
 		return NewConn(c, v), nil
 	}
-	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -271,18 +273,13 @@ func (v *Vless) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(ctx, metadata.Host)
-		if err != nil {
-			return nil, errors.New("can't resolve ip")
-		}
-		metadata.DstIP = ip
+func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if err = v.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
 	}
 	var c net.Conn
 	// gun transport
-	if v.transport != nil && dialer.IsZeroOptions(opts) {
+	if v.transport != nil {
 		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
@@ -298,7 +295,7 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 
 		return v.ListenPacketOnStreamConn(ctx, c, metadata)
 	}
-	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -310,13 +307,8 @@ func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 		}
 	}
 
-	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(ctx, metadata.Host)
-		if err != nil {
-			return nil, errors.New("can't resolve ip")
-		}
-		metadata.DstIP = ip
+	if err = v.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
 	}
 
 	c, err := dialer.DialContext(ctx, "tcp", v.addr)
@@ -342,13 +334,8 @@ func (v *Vless) SupportWithDialer() C.NetWork {
 
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (v *Vless) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(ctx, metadata.Host)
-		if err != nil {
-			return nil, errors.New("can't resolve ip")
-		}
-		metadata.DstIP = ip
+	if err = v.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
 	}
 
 	if v.option.XUDP {
@@ -363,12 +350,11 @@ func (v *Vless) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metada
 		), v), nil
 	} else if v.option.PacketAddr {
 		return newPacketConn(N.NewThreadSafePacketConn(
-			packetaddr.NewConn(&vlessPacketConn{
-				Conn: c, rAddr: metadata.UDPAddr(),
-			}, M.SocksaddrFromNet(metadata.UDPAddr())),
+			packetaddr.NewConn(v.client.PacketConn(c, metadata.UDPAddr()),
+				M.SocksaddrFromNet(metadata.UDPAddr())),
 		), v), nil
 	}
-	return newPacketConn(N.NewThreadSafePacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}), v), nil
+	return newPacketConn(N.NewThreadSafePacketConn(v.client.PacketConn(c, metadata.UDPAddr())), v), nil
 }
 
 // SupportUOT implements C.ProxyAdapter
@@ -419,98 +405,6 @@ func parseVlessAddr(metadata *C.Metadata, xudp bool) *vless.DstAddr {
 	}
 }
 
-type vlessPacketConn struct {
-	net.Conn
-	rAddr  net.Addr
-	remain int
-	mux    sync.Mutex
-	cache  [2]byte
-}
-
-func (c *vlessPacketConn) writePacket(payload []byte) (int, error) {
-	binary.BigEndian.PutUint16(c.cache[:], uint16(len(payload)))
-
-	if _, err := c.Conn.Write(c.cache[:]); err != nil {
-		return 0, err
-	}
-
-	return c.Conn.Write(payload)
-}
-
-func (c *vlessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
-	total := len(b)
-	if total == 0 {
-		return 0, nil
-	}
-
-	if total <= maxLength {
-		return c.writePacket(b)
-	}
-
-	offset := 0
-
-	for offset < total {
-		cursor := offset + maxLength
-		if cursor > total {
-			cursor = total
-		}
-
-		n, err := c.writePacket(b[offset:cursor])
-		if err != nil {
-			return offset + n, err
-		}
-
-		offset = cursor
-		if offset == total {
-			break
-		}
-	}
-
-	return total, nil
-}
-
-func (c *vlessPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
-	c.mux.Lock()
-	defer c.mux.Unlock()
-
-	if c.remain > 0 {
-		length := len(b)
-		if c.remain < length {
-			length = c.remain
-		}
-
-		n, err := c.Conn.Read(b[:length])
-		if err != nil {
-			return 0, c.rAddr, err
-		}
-
-		c.remain -= n
-		return n, c.rAddr, nil
-	}
-
-	if _, err := c.Conn.Read(b[:2]); err != nil {
-		return 0, c.rAddr, err
-	}
-
-	total := int(binary.BigEndian.Uint16(b[:2]))
-	if total == 0 {
-		return 0, c.rAddr, nil
-	}
-
-	length := len(b)
-	if length > total {
-		length = total
-	}
-
-	if _, err := io.ReadFull(c.Conn, b[:length]); err != nil {
-		return 0, c.rAddr, errors.New("read packet error")
-	}
-
-	c.remain = total - length
-
-	return length, c.rAddr, nil
-}
-
 func NewVless(option VlessOption) (*Vless, error) {
 	var addons *vless.Addons
 	if option.Network != "ws" && len(option.Flow) >= 16 {
@@ -558,11 +452,21 @@ func NewVless(option VlessOption) (*Vless, error) {
 		option: &option,
 	}
 
+	v.encryption, err = encryption.NewClient(option.Encryption)
+	if err != nil {
+		return nil, err
+	}
+
 	v.realityConfig, err = v.option.RealityOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 
+	v.echConfig, err = v.option.ECHOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+
 	switch option.Network {
 	case "h2":
 		if len(option.HTTP2Opts.Host) == 0 {
@@ -571,7 +475,7 @@ func NewVless(option VlessOption) (*Vless, error) {
 	case "grpc":
 		dialFn := func(ctx context.Context, network, addr string) (net.Conn, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(v.Base.DialOptions()...)
+			var cDialer C.Dialer = dialer.NewDialer(v.DialOptions()...)
 			if len(v.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(v.option.DialerProxy, cDialer)
 				if err != nil {
@@ -611,7 +515,7 @@ func NewVless(option VlessOption) (*Vless, error) {
 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig
 
-		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.realityConfig)
+		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.echConfig, v.realityConfig)
 	}
 
 	return v, nil

adapter/outbound/vmess.go

@@ -15,8 +15,8 @@ import (
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
+	"github.com/metacubex/mihomo/component/ech"
 	"github.com/metacubex/mihomo/component/proxydialer"
-	"github.com/metacubex/mihomo/component/resolver"
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/ntp"
@@ -25,7 +25,7 @@ import (
 
 	vmess "github.com/metacubex/sing-vmess"
 	"github.com/metacubex/sing-vmess/packetaddr"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 var ErrUDPRemoteAddrMismatch = errors.New("udp packet dropped due to mismatched remote address")
@@ -41,6 +41,7 @@ type Vmess struct {
 	transport    *gun.TransportWrap
 
 	realityConfig *tlsC.RealityConfig
+	echConfig     *ech.Config
 }
 
 type VmessOption struct {
@@ -58,6 +59,7 @@ type VmessOption struct {
 	SkipCertVerify      bool           `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint         string         `proxy:"fingerprint,omitempty"`
 	ServerName          string         `proxy:"servername,omitempty"`
+	ECHOpts             ECHOptions     `proxy:"ech-opts,omitempty"`
 	RealityOpts         RealityOptions `proxy:"reality-opts,omitempty"`
 	HTTPOpts            HTTPOptions    `proxy:"http-opts,omitempty"`
 	HTTP2Opts           HTTP2Options   `proxy:"h2-opts,omitempty"`
@@ -109,6 +111,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			V2rayHttpUpgrade:         v.option.WSOpts.V2rayHttpUpgrade,
 			V2rayHttpUpgradeFastOpen: v.option.WSOpts.V2rayHttpUpgradeFastOpen,
 			ClientFingerprint:        v.option.ClientFingerprint,
+			ECHConfig:                v.echConfig,
 			Headers:                  http.Header{},
 		}
 
@@ -146,6 +149,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 				Host:              host,
 				SkipCertVerify:    v.option.SkipCertVerify,
 				ClientFingerprint: v.option.ClientFingerprint,
+				ECH:               v.echConfig,
 				Reality:           v.realityConfig,
 				NextProtos:        v.option.ALPN,
 			}
@@ -195,7 +199,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 
 		c, err = mihomoVMess.StreamH2Conn(ctx, c, h2Opts)
 	case "grpc":
-		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
+		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.echConfig, v.realityConfig)
 	default:
 		// handle TLS
 		if v.option.TLS {
@@ -205,6 +209,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 				SkipCertVerify:    v.option.SkipCertVerify,
 				FingerPrint:       v.option.Fingerprint,
 				ClientFingerprint: v.option.ClientFingerprint,
+				ECH:               v.echConfig,
 				Reality:           v.realityConfig,
 				NextProtos:        v.option.ALPN,
 			}
@@ -280,10 +285,10 @@ func (v *Vmess) streamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 }
 
 // DialContext implements C.ProxyAdapter
-func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	var c net.Conn
 	// gun transport
-	if v.transport != nil && dialer.IsZeroOptions(opts) {
+	if v.transport != nil {
 		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
@@ -299,7 +304,7 @@ func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 
 		return NewConn(c, v), nil
 	}
-	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.DialOptions()...), metadata)
 }
 
 // DialContextWithDialer implements C.ProxyAdapter
@@ -323,18 +328,13 @@ func (v *Vmess) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(ctx, metadata.Host)
-		if err != nil {
-			return nil, errors.New("can't resolve ip")
-		}
-		metadata.DstIP = ip
+func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if err = v.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
 	}
 	var c net.Conn
 	// gun transport
-	if v.transport != nil && dialer.IsZeroOptions(opts) {
+	if v.transport != nil {
 		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
@@ -349,7 +349,7 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		}
 		return v.ListenPacketOnStreamConn(ctx, c, metadata)
 	}
-	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.DialOptions()...), metadata)
 }
 
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -361,13 +361,8 @@ func (v *Vmess) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 		}
 	}
 
-	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(ctx, metadata.Host)
-		if err != nil {
-			return nil, errors.New("can't resolve ip")
-		}
-		metadata.DstIP = ip
+	if err = v.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
 	}
 
 	c, err := dialer.DialContext(ctx, "tcp", v.addr)
@@ -407,13 +402,8 @@ func (v *Vmess) Close() error {
 
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (v *Vmess) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(ctx, metadata.Host)
-		if err != nil {
-			return nil, errors.New("can't resolve ip")
-		}
-		metadata.DstIP = ip
+	if err = v.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
 	}
 
 	if pc, ok := c.(net.PacketConn); ok {
@@ -474,6 +464,11 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		return nil, err
 	}
 
+	v.echConfig, err = v.option.ECHOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+
 	switch option.Network {
 	case "h2":
 		if len(option.HTTP2Opts.Host) == 0 {
@@ -482,7 +477,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 	case "grpc":
 		dialFn := func(ctx context.Context, network, addr string) (net.Conn, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(v.Base.DialOptions()...)
+			var cDialer C.Dialer = dialer.NewDialer(v.DialOptions()...)
 			if len(v.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(v.option.DialerProxy, cDialer)
 				if err != nil {
@@ -522,7 +517,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig
 
-		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.realityConfig)
+		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.echConfig, v.realityConfig)
 	}
 
 	return v, nil

adapter/outbound/wireguard.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/base64"
 	"encoding/hex"
-	"errors"
 	"fmt"
 	"net"
 	"net/netip"
@@ -26,9 +25,9 @@ import (
 	wireguard "github.com/metacubex/sing-wireguard"
 	"github.com/metacubex/wireguard-go/device"
 
-	"github.com/sagernet/sing/common/debug"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
+	"github.com/metacubex/sing/common/debug"
+	E "github.com/metacubex/sing/common/exceptions"
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 type wireguardGoDevice interface {
@@ -88,15 +87,26 @@ type WireGuardPeerOption struct {
 }
 
 type AmneziaWGOption struct {
-	JC   int    `proxy:"jc"`
-	JMin int    `proxy:"jmin"`
-	JMax int    `proxy:"jmax"`
-	S1   int    `proxy:"s1"`
-	S2   int    `proxy:"s2"`
-	H1   uint32 `proxy:"h1"`
-	H2   uint32 `proxy:"h2"`
-	H3   uint32 `proxy:"h3"`
-	H4   uint32 `proxy:"h4"`
+	JC   int    `proxy:"jc,omitempty"`
+	JMin int    `proxy:"jmin,omitempty"`
+	JMax int    `proxy:"jmax,omitempty"`
+	S1   int    `proxy:"s1,omitempty"`
+	S2   int    `proxy:"s2,omitempty"`
+	H1   uint32 `proxy:"h1,omitempty"`
+	H2   uint32 `proxy:"h2,omitempty"`
+	H3   uint32 `proxy:"h3,omitempty"`
+	H4   uint32 `proxy:"h4,omitempty"`
+
+	// AmneziaWG v1.5
+	I1    string `proxy:"i1,omitempty"`
+	I2    string `proxy:"i2,omitempty"`
+	I3    string `proxy:"i3,omitempty"`
+	I4    string `proxy:"i4,omitempty"`
+	I5    string `proxy:"i5,omitempty"`
+	J1    string `proxy:"j1,omitempty"`
+	J2    string `proxy:"j2,omitempty"`
+	J3    string `proxy:"j3,omitempty"`
+	Itime int64  `proxy:"itime,omitempty"`
 }
 
 type wgSingErrorHandler struct {
@@ -166,8 +176,9 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		dialer: proxydialer.NewSlowDownSingDialer(proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer()), slowdown.New()),
 	}
+	singDialer := proxydialer.NewSlowDownSingDialer(proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer(outbound.DialOptions()...)), slowdown.New())
+	outbound.dialer = singDialer
 
 	var reserved [3]uint8
 	if len(option.Reserved) > 0 {
@@ -386,15 +397,60 @@ func (w *WireGuard) genIpcConf(ctx context.Context, updateOnly bool) (string, er
 	if !updateOnly {
 		ipcConf += "private_key=" + w.option.PrivateKey + "\n"
 		if w.option.AmneziaWGOption != nil {
-			ipcConf += "jc=" + strconv.Itoa(w.option.AmneziaWGOption.JC) + "\n"
-			ipcConf += "jmin=" + strconv.Itoa(w.option.AmneziaWGOption.JMin) + "\n"
-			ipcConf += "jmax=" + strconv.Itoa(w.option.AmneziaWGOption.JMax) + "\n"
-			ipcConf += "s1=" + strconv.Itoa(w.option.AmneziaWGOption.S1) + "\n"
-			ipcConf += "s2=" + strconv.Itoa(w.option.AmneziaWGOption.S2) + "\n"
-			ipcConf += "h1=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H1), 10) + "\n"
-			ipcConf += "h2=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H2), 10) + "\n"
-			ipcConf += "h3=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H3), 10) + "\n"
-			ipcConf += "h4=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H4), 10) + "\n"
+			if w.option.AmneziaWGOption.JC != 0 {
+				ipcConf += "jc=" + strconv.Itoa(w.option.AmneziaWGOption.JC) + "\n"
+			}
+			if w.option.AmneziaWGOption.JMin != 0 {
+				ipcConf += "jmin=" + strconv.Itoa(w.option.AmneziaWGOption.JMin) + "\n"
+			}
+			if w.option.AmneziaWGOption.JMax != 0 {
+				ipcConf += "jmax=" + strconv.Itoa(w.option.AmneziaWGOption.JMax) + "\n"
+			}
+			if w.option.AmneziaWGOption.S1 != 0 {
+				ipcConf += "s1=" + strconv.Itoa(w.option.AmneziaWGOption.S1) + "\n"
+			}
+			if w.option.AmneziaWGOption.S2 != 0 {
+				ipcConf += "s2=" + strconv.Itoa(w.option.AmneziaWGOption.S2) + "\n"
+			}
+			if w.option.AmneziaWGOption.H1 != 0 {
+				ipcConf += "h1=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H1), 10) + "\n"
+			}
+			if w.option.AmneziaWGOption.H2 != 0 {
+				ipcConf += "h2=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H2), 10) + "\n"
+			}
+			if w.option.AmneziaWGOption.H3 != 0 {
+				ipcConf += "h3=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H3), 10) + "\n"
+			}
+			if w.option.AmneziaWGOption.H4 != 0 {
+				ipcConf += "h4=" + strconv.FormatUint(uint64(w.option.AmneziaWGOption.H4), 10) + "\n"
+			}
+			if w.option.AmneziaWGOption.I1 != "" {
+				ipcConf += "i1=" + w.option.AmneziaWGOption.I1 + "\n"
+			}
+			if w.option.AmneziaWGOption.I2 != "" {
+				ipcConf += "i2=" + w.option.AmneziaWGOption.I2 + "\n"
+			}
+			if w.option.AmneziaWGOption.I3 != "" {
+				ipcConf += "i3=" + w.option.AmneziaWGOption.I3 + "\n"
+			}
+			if w.option.AmneziaWGOption.I4 != "" {
+				ipcConf += "i4=" + w.option.AmneziaWGOption.I4 + "\n"
+			}
+			if w.option.AmneziaWGOption.I5 != "" {
+				ipcConf += "i5=" + w.option.AmneziaWGOption.I5 + "\n"
+			}
+			if w.option.AmneziaWGOption.J1 != "" {
+				ipcConf += "j1=" + w.option.AmneziaWGOption.J1 + "\n"
+			}
+			if w.option.AmneziaWGOption.J2 != "" {
+				ipcConf += "j2=" + w.option.AmneziaWGOption.J2 + "\n"
+			}
+			if w.option.AmneziaWGOption.J3 != "" {
+				ipcConf += "j3=" + w.option.AmneziaWGOption.J3 + "\n"
+			}
+			if w.option.AmneziaWGOption.Itime != 0 {
+				ipcConf += "itime=" + strconv.FormatInt(int64(w.option.AmneziaWGOption.Itime), 10) + "\n"
+			}
 		}
 	}
 	if len(w.option.Peers) > 0 {
@@ -488,9 +544,7 @@ func (w *WireGuard) Close() error {
 	return nil
 }
 
-func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	options := w.Base.DialOptions(opts...)
-	w.dialer.SetDialer(dialer.NewDialer(options...))
+func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	var conn net.Conn
 	if err = w.init(ctx); err != nil {
 		return nil, err
@@ -500,6 +554,7 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 		if w.resolver != nil {
 			r = w.resolver
 		}
+		options := w.DialOptions()
 		options = append(options, dialer.WithResolver(r))
 		options = append(options, dialer.WithNetDialer(wgNetDialer{tunDevice: w.tunDevice}))
 		conn, err = dialer.NewDialer(options...).DialContext(ctx, "tcp", metadata.RemoteAddress())
@@ -515,23 +570,13 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 	return NewConn(conn, w), nil
 }
 
-func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	options := w.Base.DialOptions(opts...)
-	w.dialer.SetDialer(dialer.NewDialer(options...))
+func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	var pc net.PacketConn
 	if err = w.init(ctx); err != nil {
 		return nil, err
 	}
-	if (!metadata.Resolved() || w.resolver != nil) && metadata.Host != "" {
-		r := resolver.DefaultResolver
-		if w.resolver != nil {
-			r = w.resolver
-		}
-		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, r)
-		if err != nil {
-			return nil, errors.New("can't resolve ip")
-		}
-		metadata.DstIP = ip
+	if err = w.ResolveUDP(ctx, metadata); err != nil {
+		return nil, err
 	}
 	pc, err = w.tunDevice.ListenPacket(ctx, M.SocksaddrFrom(metadata.DstIP, metadata.DstPort).Unwrap())
 	if err != nil {
@@ -543,6 +588,21 @@ func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadat
 	return newPacketConn(pc, w), nil
 }
 
+func (w *WireGuard) ResolveUDP(ctx context.Context, metadata *C.Metadata) error {
+	if (!metadata.Resolved() || w.resolver != nil) && metadata.Host != "" {
+		r := resolver.DefaultResolver
+		if w.resolver != nil {
+			r = w.resolver
+		}
+		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, r)
+		if err != nil {
+			return fmt.Errorf("can't resolve ip: %w", err)
+		}
+		metadata.DstIP = ip
+	}
+	return nil
+}
+
 // IsL3Protocol implements C.ProxyAdapter
 func (w *WireGuard) IsL3Protocol(metadata *C.Metadata) bool {
 	return true

adapter/outboundgroup/fallback.go

@@ -6,11 +6,9 @@ import (
 	"errors"
 	"time"
 
-	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/common/callback"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/utils"
-	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/provider"
 )
@@ -31,9 +29,9 @@ func (f *Fallback) Now() string {
 }
 
 // DialContext implements C.ProxyAdapter
-func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	proxy := f.findAliveProxy(true)
-	c, err := proxy.DialContext(ctx, metadata, f.Base.DialOptions(opts...)...)
+	c, err := proxy.DialContext(ctx, metadata)
 	if err == nil {
 		c.AppendToChains(f)
 	} else {
@@ -54,9 +52,9 @@ func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (f *Fallback) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (f *Fallback) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	proxy := f.findAliveProxy(true)
-	pc, err := proxy.ListenPacketContext(ctx, metadata, f.Base.DialOptions(opts...)...)
+	pc, err := proxy.ListenPacketContext(ctx, metadata)
 	if err == nil {
 		pc.AppendToChains(f)
 	}
@@ -155,18 +153,14 @@ func (f *Fallback) ForceSet(name string) {
 func NewFallback(option *GroupCommonOption, providers []provider.ProxyProvider) *Fallback {
 	return &Fallback{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
-				Name:        option.Name,
-				Type:        C.Fallback,
-				Interface:   option.Interface,
-				RoutingMark: option.RoutingMark,
-			},
-			option.Filter,
-			option.ExcludeFilter,
-			option.ExcludeType,
-			option.TestTimeout,
-			option.MaxFailedTimes,
-			providers,
+			Name:           option.Name,
+			Type:           C.Fallback,
+			Filter:         option.Filter,
+			ExcludeFilter:  option.ExcludeFilter,
+			ExcludeType:    option.ExcludeType,
+			TestTimeout:    option.TestTimeout,
+			MaxFailedTimes: option.MaxFailedTimes,
+			Providers:      providers,
 		}),
 		disableUDP:     option.DisableUDP,
 		testUrl:        option.URL,

adapter/outboundgroup/groupbase.go

@@ -41,53 +41,47 @@ type GroupBase struct {
 }
 
 type GroupBaseOption struct {
-	outbound.BaseOption
-	filter         string
-	excludeFilter  string
-	excludeType    string
+	Name           string
+	Type           C.AdapterType
+	Filter         string
+	ExcludeFilter  string
+	ExcludeType    string
 	TestTimeout    int
-	maxFailedTimes int
-	providers      []provider.ProxyProvider
+	MaxFailedTimes int
+	Providers      []provider.ProxyProvider
 }
 
 func NewGroupBase(opt GroupBaseOption) *GroupBase {
-	if opt.RoutingMark != 0 {
-		log.Warnln("The group [%s] with routing-mark configuration is deprecated, please set it directly on the proxy instead", opt.Name)
-	}
-	if opt.Interface != "" {
-		log.Warnln("The group [%s] with interface-name configuration is deprecated, please set it directly on the proxy instead", opt.Name)
-	}
-
 	var excludeTypeArray []string
-	if opt.excludeType != "" {
-		excludeTypeArray = strings.Split(opt.excludeType, "|")
+	if opt.ExcludeType != "" {
+		excludeTypeArray = strings.Split(opt.ExcludeType, "|")
 	}
 
 	var excludeFilterRegs []*regexp2.Regexp
-	if opt.excludeFilter != "" {
-		for _, excludeFilter := range strings.Split(opt.excludeFilter, "`") {
+	if opt.ExcludeFilter != "" {
+		for _, excludeFilter := range strings.Split(opt.ExcludeFilter, "`") {
 			excludeFilterReg := regexp2.MustCompile(excludeFilter, regexp2.None)
 			excludeFilterRegs = append(excludeFilterRegs, excludeFilterReg)
 		}
 	}
 
 	var filterRegs []*regexp2.Regexp
-	if opt.filter != "" {
-		for _, filter := range strings.Split(opt.filter, "`") {
+	if opt.Filter != "" {
+		for _, filter := range strings.Split(opt.Filter, "`") {
 			filterReg := regexp2.MustCompile(filter, regexp2.None)
 			filterRegs = append(filterRegs, filterReg)
 		}
 	}
 
 	gb := &GroupBase{
-		Base:              outbound.NewBase(opt.BaseOption),
+		Base:              outbound.NewBase(outbound.BaseOption{Name: opt.Name, Type: opt.Type}),
 		filterRegs:        filterRegs,
 		excludeFilterRegs: excludeFilterRegs,
 		excludeTypeArray:  excludeTypeArray,
-		providers:         opt.providers,
+		providers:         opt.Providers,
 		failedTesting:     atomic.NewBool(false),
 		TestTimeout:       opt.TestTimeout,
-		maxFailedTimes:    opt.maxFailedTimes,
+		maxFailedTimes:    opt.MaxFailedTimes,
 	}
 
 	if gb.TestTimeout == 0 {

adapter/outboundgroup/loadbalance.go

@@ -9,12 +9,10 @@ import (
 	"sync"
 	"time"
 
-	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/common/callback"
 	"github.com/metacubex/mihomo/common/lru"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/utils"
-	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/provider"
 
@@ -88,9 +86,9 @@ func jumpHash(key uint64, buckets int32) int32 {
 }
 
 // DialContext implements C.ProxyAdapter
-func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (c C.Conn, err error) {
+func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata) (c C.Conn, err error) {
 	proxy := lb.Unwrap(metadata, true)
-	c, err = proxy.DialContext(ctx, metadata, lb.Base.DialOptions(opts...)...)
+	c, err = proxy.DialContext(ctx, metadata)
 
 	if err == nil {
 		c.AppendToChains(lb)
@@ -112,7 +110,7 @@ func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata, op
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (lb *LoadBalance) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (pc C.PacketConn, err error) {
+func (lb *LoadBalance) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (pc C.PacketConn, err error) {
 	defer func() {
 		if err == nil {
 			pc.AppendToChains(lb)
@@ -120,7 +118,7 @@ func (lb *LoadBalance) ListenPacketContext(ctx context.Context, metadata *C.Meta
 	}()
 
 	proxy := lb.Unwrap(metadata, true)
-	return proxy.ListenPacketContext(ctx, metadata, lb.Base.DialOptions(opts...)...)
+	return proxy.ListenPacketContext(ctx, metadata)
 }
 
 // SupportUDP implements C.ProxyAdapter
@@ -255,18 +253,14 @@ func NewLoadBalance(option *GroupCommonOption, providers []provider.ProxyProvide
 	}
 	return &LoadBalance{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
-				Name:        option.Name,
-				Type:        C.LoadBalance,
-				Interface:   option.Interface,
-				RoutingMark: option.RoutingMark,
-			},
-			option.Filter,
-			option.ExcludeFilter,
-			option.ExcludeType,
-			option.TestTimeout,
-			option.MaxFailedTimes,
-			providers,
+			Name:           option.Name,
+			Type:           C.LoadBalance,
+			Filter:         option.Filter,
+			ExcludeFilter:  option.ExcludeFilter,
+			ExcludeType:    option.ExcludeType,
+			TestTimeout:    option.TestTimeout,
+			MaxFailedTimes: option.MaxFailedTimes,
+			Providers:      providers,
 		}),
 		strategyFn:     strategyFn,
 		disableUDP:     option.DisableUDP,

adapter/outboundgroup/parser.go

@@ -7,12 +7,12 @@ import (
 
 	"github.com/dlclark/regexp2"
 
-	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/adapter/provider"
 	"github.com/metacubex/mihomo/common/structure"
 	"github.com/metacubex/mihomo/common/utils"
 	C "github.com/metacubex/mihomo/constant"
 	types "github.com/metacubex/mihomo/constant/provider"
+	"github.com/metacubex/mihomo/log"
 )
 
 var (
@@ -23,7 +23,6 @@ var (
 )
 
 type GroupCommonOption struct {
-	outbound.BasicOption
 	Name                string   `group:"name"`
 	Type                string   `group:"type"`
 	Proxies             []string `group:"proxies,omitempty"`
@@ -43,6 +42,10 @@ type GroupCommonOption struct {
 	IncludeAllProviders bool     `group:"include-all-providers,omitempty"`
 	Hidden              bool     `group:"hidden,omitempty"`
 	Icon                string   `group:"icon,omitempty"`
+
+	// removed configs, only for error logging
+	Interface   string `group:"interface-name,omitempty"`
+	RoutingMark int    `group:"routing-mark,omitempty"`
 }
 
 func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, providersMap map[string]types.ProxyProvider, AllProxies []string, AllProviders []string) (C.ProxyAdapter, error) {
@@ -59,6 +62,13 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 		return nil, errFormat
 	}
 
+	if groupOption.RoutingMark != 0 {
+		log.Errorln("The group [%s] with routing-mark configuration was removed, please set it directly on the proxy instead", groupOption.Name)
+	}
+	if groupOption.Interface != "" {
+		log.Errorln("The group [%s] with interface-name configuration was removed, please set it directly on the proxy instead", groupOption.Name)
+	}
+
 	groupName := groupOption.Name
 
 	providers := []types.ProxyProvider{}

adapter/outboundgroup/relay.go

@@ -19,17 +19,17 @@ type Relay struct {
 }
 
 // DialContext implements C.ProxyAdapter
-func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	proxies, chainProxies := r.proxies(metadata, true)
 
 	switch len(proxies) {
 	case 0:
-		return outbound.NewDirect().DialContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+		return outbound.NewDirect().DialContext(ctx, metadata)
 	case 1:
-		return proxies[0].DialContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+		return proxies[0].DialContext(ctx, metadata)
 	}
 	var d C.Dialer
-	d = dialer.NewDialer(r.Base.DialOptions(opts...)...)
+	d = dialer.NewDialer()
 	for _, proxy := range proxies[:len(proxies)-1] {
 		d = proxydialer.New(proxy, d, false)
 	}
@@ -49,18 +49,18 @@ func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (r *Relay) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (r *Relay) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	proxies, chainProxies := r.proxies(metadata, true)
 
 	switch len(proxies) {
 	case 0:
-		return outbound.NewDirect().ListenPacketContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+		return outbound.NewDirect().ListenPacketContext(ctx, metadata)
 	case 1:
-		return proxies[0].ListenPacketContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+		return proxies[0].ListenPacketContext(ctx, metadata)
 	}
 
 	var d C.Dialer
-	d = dialer.NewDialer(r.Base.DialOptions(opts...)...)
+	d = dialer.NewDialer()
 	for _, proxy := range proxies[:len(proxies)-1] {
 		d = proxydialer.New(proxy, d, false)
 	}
@@ -153,18 +153,9 @@ func NewRelay(option *GroupCommonOption, providers []provider.ProxyProvider) *Re
 	log.Warnln("The group [%s] with relay type is deprecated, please using dialer-proxy instead", option.Name)
 	return &Relay{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
-				Name:        option.Name,
-				Type:        C.Relay,
-				Interface:   option.Interface,
-				RoutingMark: option.RoutingMark,
-			},
-			"",
-			"",
-			"",
-			5000,
-			5,
-			providers,
+			Name:      option.Name,
+			Type:      C.Relay,
+			Providers: providers,
 		}),
 		Hidden: option.Hidden,
 		Icon:   option.Icon,

adapter/outboundgroup/selector.go

@@ -5,8 +5,6 @@ import (
 	"encoding/json"
 	"errors"
 
-	"github.com/metacubex/mihomo/adapter/outbound"
-	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/provider"
 )
@@ -15,13 +13,14 @@ type Selector struct {
 	*GroupBase
 	disableUDP bool
 	selected   string
+	testUrl    string
 	Hidden     bool
 	Icon       string
 }
 
 // DialContext implements C.ProxyAdapter
-func (s *Selector) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	c, err := s.selectedProxy(true).DialContext(ctx, metadata, s.Base.DialOptions(opts...)...)
+func (s *Selector) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
+	c, err := s.selectedProxy(true).DialContext(ctx, metadata)
 	if err == nil {
 		c.AppendToChains(s)
 	}
@@ -29,8 +28,8 @@ func (s *Selector) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (s *Selector) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	pc, err := s.selectedProxy(true).ListenPacketContext(ctx, metadata, s.Base.DialOptions(opts...)...)
+func (s *Selector) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
+	pc, err := s.selectedProxy(true).ListenPacketContext(ctx, metadata)
 	if err == nil {
 		pc.AppendToChains(s)
 	}
@@ -57,13 +56,20 @@ func (s *Selector) MarshalJSON() ([]byte, error) {
 	for _, proxy := range s.GetProxies(false) {
 		all = append(all, proxy.Name())
 	}
+	// When testurl is the default value
+	// do not append a value to ensure that the web dashboard follows the settings of the dashboard
+	var url string
+	if s.testUrl != C.DefaultTestURL {
+		url = s.testUrl
+	}
 
 	return json.Marshal(map[string]any{
-		"type":   s.Type().String(),
-		"now":    s.Now(),
-		"all":    all,
-		"hidden": s.Hidden,
-		"icon":   s.Icon,
+		"type":    s.Type().String(),
+		"now":     s.Now(),
+		"all":     all,
+		"testUrl": url,
+		"hidden":  s.Hidden,
+		"icon":    s.Icon,
 	})
 }
 
@@ -105,21 +111,18 @@ func (s *Selector) selectedProxy(touch bool) C.Proxy {
 func NewSelector(option *GroupCommonOption, providers []provider.ProxyProvider) *Selector {
 	return &Selector{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
-				Name:        option.Name,
-				Type:        C.Selector,
-				Interface:   option.Interface,
-				RoutingMark: option.RoutingMark,
-			},
-			option.Filter,
-			option.ExcludeFilter,
-			option.ExcludeType,
-			option.TestTimeout,
-			option.MaxFailedTimes,
-			providers,
+			Name:           option.Name,
+			Type:           C.Selector,
+			Filter:         option.Filter,
+			ExcludeFilter:  option.ExcludeFilter,
+			ExcludeType:    option.ExcludeType,
+			TestTimeout:    option.TestTimeout,
+			MaxFailedTimes: option.MaxFailedTimes,
+			Providers:      providers,
 		}),
 		selected:   "COMPATIBLE",
 		disableUDP: option.DisableUDP,
+		testUrl:    option.URL,
 		Hidden:     option.Hidden,
 		Icon:       option.Icon,
 	}

adapter/outboundgroup/urltest.go

@@ -6,12 +6,10 @@ import (
 	"errors"
 	"time"
 
-	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/common/callback"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/singledo"
 	"github.com/metacubex/mihomo/common/utils"
-	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/provider"
 )
@@ -62,9 +60,9 @@ func (u *URLTest) ForceSet(name string) {
 }
 
 // DialContext implements C.ProxyAdapter
-func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (c C.Conn, err error) {
+func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata) (c C.Conn, err error) {
 	proxy := u.fast(true)
-	c, err = proxy.DialContext(ctx, metadata, u.Base.DialOptions(opts...)...)
+	c, err = proxy.DialContext(ctx, metadata)
 	if err == nil {
 		c.AppendToChains(u)
 	} else {
@@ -85,9 +83,9 @@ func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (u *URLTest) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (u *URLTest) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	proxy := u.fast(true)
-	pc, err := proxy.ListenPacketContext(ctx, metadata, u.Base.DialOptions(opts...)...)
+	pc, err := proxy.ListenPacketContext(ctx, metadata)
 	if err == nil {
 		pc.AppendToChains(u)
 	} else {
@@ -207,19 +205,14 @@ func parseURLTestOption(config map[string]any) []urlTestOption {
 func NewURLTest(option *GroupCommonOption, providers []provider.ProxyProvider, options ...urlTestOption) *URLTest {
 	urlTest := &URLTest{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
-				Name:        option.Name,
-				Type:        C.URLTest,
-				Interface:   option.Interface,
-				RoutingMark: option.RoutingMark,
-			},
-
-			option.Filter,
-			option.ExcludeFilter,
-			option.ExcludeType,
-			option.TestTimeout,
-			option.MaxFailedTimes,
-			providers,
+			Name:           option.Name,
+			Type:           C.URLTest,
+			Filter:         option.Filter,
+			ExcludeFilter:  option.ExcludeFilter,
+			ExcludeType:    option.ExcludeType,
+			TestTimeout:    option.TestTimeout,
+			MaxFailedTimes: option.MaxFailedTimes,
+			Providers:      providers,
 		}),
 		fastSingle:     singledo.NewSingle[C.Proxy](time.Second * 10),
 		disableUDP:     option.DisableUDP,

adapter/provider/healthcheck.go

@@ -7,13 +7,13 @@ import (
 	"time"
 
 	"github.com/metacubex/mihomo/common/atomic"
-	"github.com/metacubex/mihomo/common/batch"
 	"github.com/metacubex/mihomo/common/singledo"
 	"github.com/metacubex/mihomo/common/utils"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 
 	"github.com/dlclark/regexp2"
+	"golang.org/x/sync/errgroup"
 )
 
 type HealthCheckOption struct {
@@ -32,7 +32,6 @@ type HealthCheck struct {
 	url            string
 	extra          map[string]*extraOption
 	mu             sync.Mutex
-	started        atomic.Bool
 	proxies        []C.Proxy
 	interval       time.Duration
 	lazy           bool
@@ -43,13 +42,8 @@ type HealthCheck struct {
 }
 
 func (hc *HealthCheck) process() {
-	if hc.started.Load() {
-		log.Warnln("Skip start health check timer due to it's started")
-		return
-	}
-
 	ticker := time.NewTicker(hc.interval)
-	hc.start()
+	go hc.check()
 	for {
 		select {
 		case <-ticker.C:
@@ -62,13 +56,12 @@ func (hc *HealthCheck) process() {
 			}
 		case <-hc.ctx.Done():
 			ticker.Stop()
-			hc.stop()
 			return
 		}
 	}
 }
 
-func (hc *HealthCheck) setProxy(proxies []C.Proxy) {
+func (hc *HealthCheck) setProxies(proxies []C.Proxy) {
 	hc.proxies = proxies
 }
 
@@ -105,10 +98,6 @@ func (hc *HealthCheck) registerHealthCheckTask(url string, expectedStatus utils.
 	option := &extraOption{filters: map[string]struct{}{}, expectedStatus: expectedStatus}
 	splitAndAddFiltersToExtra(filter, option)
 	hc.extra[url] = option
-
-	if hc.auto() && !hc.started.Load() {
-		go hc.process()
-	}
 }
 
 func splitAndAddFiltersToExtra(filter string, option *extraOption) {
@@ -131,14 +120,6 @@ func (hc *HealthCheck) touch() {
 	hc.lastTouch.Store(time.Now())
 }
 
-func (hc *HealthCheck) start() {
-	hc.started.Store(true)
-}
-
-func (hc *HealthCheck) stop() {
-	hc.started.Store(false)
-}
-
 func (hc *HealthCheck) check() {
 	if len(hc.proxies) == 0 {
 		return
@@ -147,7 +128,8 @@ func (hc *HealthCheck) check() {
 	_, _, _ = hc.singleDo.Do(func() (struct{}, error) {
 		id := utils.NewUUIDV4().String()
 		log.Debugln("Start New Health Checking {%s}", id)
-		b, _ := batch.New[bool](hc.ctx, batch.WithConcurrencyNum[bool](10))
+		b := new(errgroup.Group)
+		b.SetLimit(10)
 
 		// execute default health check
 		option := &extraOption{filters: nil, expectedStatus: hc.expectedStatus}
@@ -159,13 +141,13 @@ func (hc *HealthCheck) check() {
 				hc.execute(b, url, id, option)
 			}
 		}
-		b.Wait()
+		_ = b.Wait()
 		log.Debugln("Finish A Health Checking {%s}", id)
 		return struct{}{}, nil
 	})
 }
 
-func (hc *HealthCheck) execute(b *batch.Batch[bool], url, uid string, option *extraOption) {
+func (hc *HealthCheck) execute(b *errgroup.Group, url, uid string, option *extraOption) {
 	url = strings.TrimSpace(url)
 	if len(url) == 0 {
 		log.Debugln("Health Check has been skipped due to testUrl is empty, {%s}", uid)
@@ -195,13 +177,13 @@ func (hc *HealthCheck) execute(b *batch.Batch[bool], url, uid string, option *ex
 		}
 
 		p := proxy
-		b.Go(p.Name(), func() (bool, error) {
+		b.Go(func() error {
 			ctx, cancel := context.WithTimeout(hc.ctx, hc.timeout)
 			defer cancel()
 			log.Debugln("Health Checking, proxy: %s, url: %s, id: {%s}", p.Name(), url, uid)
 			_, _ = p.URLTest(ctx, url, expectedStatus)
 			log.Debugln("Health Checked, proxy: %s, url: %s, alive: %t, delay: %d ms uid: {%s}", p.Name(), url, p.AliveForTestUrl(url), p.LastDelayForTestUrl(url), uid)
-			return false, nil
+			return nil
 		})
 	}
 }

adapter/provider/parser.go

@@ -17,7 +17,6 @@ import (
 
 var (
 	errVehicleType = errors.New("unsupport vehicle type")
-	errSubPath     = errors.New("path is not subpath of home directory")
 )
 
 type healthCheckSchema struct {
@@ -109,13 +108,16 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	switch schema.Type {
 	case "file":
 		path := C.Path.Resolve(schema.Path)
+		if !C.Path.IsSafePath(path) {
+			return nil, C.Path.ErrNotSafePath(path)
+		}
 		vehicle = resource.NewFileVehicle(path)
 	case "http":
 		path := C.Path.GetPathByHash("proxies", schema.URL)
 		if schema.Path != "" {
 			path = C.Path.Resolve(schema.Path)
 			if !C.Path.IsSafePath(path) {
-				return nil, fmt.Errorf("%w: %s", errSubPath, path)
+				return nil, C.Path.ErrNotSafePath(path)
 			}
 		}
 		vehicle = resource.NewHTTPVehicle(schema.URL, path, schema.Proxy, schema.Header, resource.DefaultHttpTimeout, schema.SizeLimit)
@@ -127,5 +129,5 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 
 	interval := time.Duration(uint(schema.Interval)) * time.Second
 
-	return NewProxySetProvider(name, interval, parser, vehicle, hc)
+	return NewProxySetProvider(name, interval, schema.Payload, parser, vehicle, hc)
 }

adapter/provider/provider.go

@@ -57,6 +57,13 @@ func (bp *baseProvider) Version() uint32 {
 	return bp.version
 }
 
+func (bp *baseProvider) Initial() error {
+	if bp.healthCheck.auto() {
+		go bp.healthCheck.process()
+	}
+	return nil
+}
+
 func (bp *baseProvider) HealthCheck() {
 	bp.healthCheck.check()
 }
@@ -88,7 +95,7 @@ func (bp *baseProvider) RegisterHealthCheckTask(url string, expectedStatus utils
 func (bp *baseProvider) setProxies(proxies []C.Proxy) {
 	bp.proxies = proxies
 	bp.version += 1
-	bp.healthCheck.setProxy(proxies)
+	bp.healthCheck.setProxies(proxies)
 	if bp.healthCheck.auto() {
 		go bp.healthCheck.check()
 	}
@@ -133,6 +140,9 @@ func (pp *proxySetProvider) Update() error {
 }
 
 func (pp *proxySetProvider) Initial() error {
+	if err := pp.baseProvider.Initial(); err != nil {
+		return err
+	}
 	_, err := pp.Fetcher.Initial()
 	if err != nil {
 		return err
@@ -161,11 +171,7 @@ func (pp *proxySetProvider) Close() error {
 	return pp.Fetcher.Close()
 }
 
-func NewProxySetProvider(name string, interval time.Duration, parser resource.Parser[[]C.Proxy], vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
-	if hc.auto() {
-		go hc.process()
-	}
-
+func NewProxySetProvider(name string, interval time.Duration, payload []map[string]any, parser resource.Parser[[]C.Proxy], vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
 	pd := &proxySetProvider{
 		baseProvider: baseProvider{
 			name:        name,
@@ -174,6 +180,21 @@ func NewProxySetProvider(name string, interval time.Duration, parser resource.Pa
 		},
 	}
 
+	if len(payload) > 0 { // using as fallback proxies
+		ps := ProxySchema{Proxies: payload}
+		buf, err := yaml.Marshal(ps)
+		if err != nil {
+			return nil, err
+		}
+		proxies, err := parser(buf)
+		if err != nil {
+			return nil, err
+		}
+		pd.proxies = proxies
+		// direct call setProxies on hc to avoid starting a health check process immediately, it should be done by Initial()
+		hc.setProxies(proxies)
+	}
+
 	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, parser, pd.setProxies)
 	pd.Fetcher = fetcher
 	if httpVehicle, ok := vehicle.(*resource.HTTPVehicle); ok {
@@ -221,10 +242,6 @@ func (ip *inlineProvider) VehicleType() types.VehicleType {
 	return types.Inline
 }
 
-func (ip *inlineProvider) Initial() error {
-	return nil
-}
-
 func (ip *inlineProvider) Update() error {
 	// make api update happy
 	ip.updateAt = time.Now()
@@ -232,10 +249,6 @@ func (ip *inlineProvider) Update() error {
 }
 
 func NewInlineProvider(name string, payload []map[string]any, parser resource.Parser[[]C.Proxy], hc *HealthCheck) (*InlineProvider, error) {
-	if hc.auto() {
-		go hc.process()
-	}
-
 	ps := ProxySchema{Proxies: payload}
 	buf, err := yaml.Marshal(ps)
 	if err != nil {
@@ -245,6 +258,8 @@ func NewInlineProvider(name string, payload []map[string]any, parser resource.Pa
 	if err != nil {
 		return nil, err
 	}
+	// direct call setProxies on hc to avoid starting a health check process immediately, it should be done by Initial()
+	hc.setProxies(proxies)
 
 	ip := &inlineProvider{
 		baseProvider: baseProvider{
@@ -288,13 +303,6 @@ func (cp *compatibleProvider) Update() error {
 	return nil
 }
 
-func (cp *compatibleProvider) Initial() error {
-	if cp.healthCheck.interval != 0 && cp.healthCheck.url != "" {
-		cp.HealthCheck()
-	}
-	return nil
-}
-
 func (cp *compatibleProvider) VehicleType() types.VehicleType {
 	return types.Compatible
 }
@@ -304,10 +312,6 @@ func NewCompatibleProvider(name string, proxies []C.Proxy, hc *HealthCheck) (*Co
 		return nil, errors.New("provider need one proxy at least")
 	}
 
-	if hc.auto() {
-		go hc.process()
-	}
-
 	pd := &compatibleProvider{
 		baseProvider: baseProvider{
 			name:        name,

common/atomic/enum.go

@@ -0,0 +1,63 @@
+package atomic
+
+import (
+	"encoding/json"
+	"fmt"
+	"sync/atomic"
+)
+
+type Int32Enum[T ~int32] struct {
+	value atomic.Int32
+}
+
+func (i *Int32Enum[T]) MarshalJSON() ([]byte, error) {
+	return json.Marshal(i.Load())
+}
+
+func (i *Int32Enum[T]) UnmarshalJSON(b []byte) error {
+	var v T
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Int32Enum[T]) MarshalYAML() (any, error) {
+	return i.Load(), nil
+}
+
+func (i *Int32Enum[T]) UnmarshalYAML(unmarshal func(any) error) error {
+	var v T
+	if err := unmarshal(&v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Int32Enum[T]) String() string {
+	return fmt.Sprint(i.Load())
+}
+
+func (i *Int32Enum[T]) Store(v T) {
+	i.value.Store(int32(v))
+}
+
+func (i *Int32Enum[T]) Load() T {
+	return T(i.value.Load())
+}
+
+func (i *Int32Enum[T]) Swap(new T) T {
+	return T(i.value.Swap(int32(new)))
+}
+
+func (i *Int32Enum[T]) CompareAndSwap(old, new T) bool {
+	return i.value.CompareAndSwap(int32(old), int32(new))
+}
+
+func NewInt32Enum[T ~int32](v T) *Int32Enum[T] {
+	a := &Int32Enum[T]{}
+	a.Store(v)
+	return a
+}

common/atomic/type.go

@@ -29,6 +29,19 @@ func (i *Bool) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
+func (i *Bool) MarshalYAML() (any, error) {
+	return i.Load(), nil
+}
+
+func (i *Bool) UnmarshalYAML(unmarshal func(any) error) error {
+	var v bool
+	if err := unmarshal(&v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
 func (i *Bool) String() string {
 	v := i.Load()
 	return strconv.FormatBool(v)
@@ -58,6 +71,19 @@ func (p *Pointer[T]) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
+func (p *Pointer[T]) MarshalYAML() (any, error) {
+	return p.Load(), nil
+}
+
+func (p *Pointer[T]) UnmarshalYAML(unmarshal func(any) error) error {
+	var v *T
+	if err := unmarshal(&v); err != nil {
+		return err
+	}
+	p.Store(v)
+	return nil
+}
+
 func (p *Pointer[T]) String() string {
 	return fmt.Sprint(p.Load())
 }
@@ -84,6 +110,19 @@ func (i *Int32) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
+func (i *Int32) MarshalYAML() (any, error) {
+	return i.Load(), nil
+}
+
+func (i *Int32) UnmarshalYAML(unmarshal func(any) error) error {
+	var v int32
+	if err := unmarshal(&v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
 func (i *Int32) String() string {
 	v := i.Load()
 	return strconv.FormatInt(int64(v), 10)
@@ -111,6 +150,19 @@ func (i *Int64) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
+func (i *Int64) MarshalYAML() (any, error) {
+	return i.Load(), nil
+}
+
+func (i *Int64) UnmarshalYAML(unmarshal func(any) error) error {
+	var v int64
+	if err := unmarshal(&v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
 func (i *Int64) String() string {
 	v := i.Load()
 	return strconv.FormatInt(int64(v), 10)
@@ -138,6 +190,19 @@ func (i *Uint32) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
+func (i *Uint32) MarshalYAML() (any, error) {
+	return i.Load(), nil
+}
+
+func (i *Uint32) UnmarshalYAML(unmarshal func(any) error) error {
+	var v uint32
+	if err := unmarshal(&v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
 func (i *Uint32) String() string {
 	v := i.Load()
 	return strconv.FormatUint(uint64(v), 10)
@@ -165,6 +230,19 @@ func (i *Uint64) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
+func (i *Uint64) MarshalYAML() (any, error) {
+	return i.Load(), nil
+}
+
+func (i *Uint64) UnmarshalYAML(unmarshal func(any) error) error {
+	var v uint64
+	if err := unmarshal(&v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
 func (i *Uint64) String() string {
 	v := i.Load()
 	return strconv.FormatUint(uint64(v), 10)
@@ -192,6 +270,19 @@ func (i *Uintptr) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
+func (i *Uintptr) MarshalYAML() (any, error) {
+	return i.Load(), nil
+}
+
+func (i *Uintptr) UnmarshalYAML(unmarshal func(any) error) error {
+	var v uintptr
+	if err := unmarshal(&v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
 func (i *Uintptr) String() string {
 	v := i.Load()
 	return strconv.FormatUint(uint64(v), 10)

common/atomic/value.go

@@ -5,49 +5,50 @@ import (
 	"sync/atomic"
 )
 
-func DefaultValue[T any]() T {
-	var defaultValue T
-	return defaultValue
-}
-
 type TypedValue[T any] struct {
-	_     noCopy
-	value atomic.Value
+	value atomic.Pointer[T]
 }
 
-// tValue is a struct with determined type to resolve atomic.Value usages with interface types
-// https://github.com/golang/go/issues/22550
-//
-// The intention to have an atomic value store for errors. However, running this code panics:
-// panic: sync/atomic: store of inconsistently typed value into Value
-// This is because atomic.Value requires that the underlying concrete type be the same (which is a reasonable expectation for its implementation).
-// When going through the atomic.Value.Store method call, the fact that both these are of the error interface is lost.
-type tValue[T any] struct {
-	value T
+func (t *TypedValue[T]) Load() (v T) {
+	v, _ = t.LoadOk()
+	return
 }
 
-func (t *TypedValue[T]) Load() T {
+func (t *TypedValue[T]) LoadOk() (v T, ok bool) {
 	value := t.value.Load()
 	if value == nil {
-		return DefaultValue[T]()
+		return
 	}
-	return value.(tValue[T]).value
+	return *value, true
 }
 
 func (t *TypedValue[T]) Store(value T) {
-	t.value.Store(tValue[T]{value})
+	t.value.Store(&value)
 }
 
-func (t *TypedValue[T]) Swap(new T) T {
-	old := t.value.Swap(tValue[T]{new})
+func (t *TypedValue[T]) Swap(new T) (v T) {
+	old := t.value.Swap(&new)
 	if old == nil {
-		return DefaultValue[T]()
+		return
 	}
-	return old.(tValue[T]).value
+	return *old
 }
 
 func (t *TypedValue[T]) CompareAndSwap(old, new T) bool {
-	return t.value.CompareAndSwap(tValue[T]{old}, tValue[T]{new})
+	for {
+		currentP := t.value.Load()
+		var currentValue T
+		if currentP != nil {
+			currentValue = *currentP
+		}
+		// Compare old and current via runtime equality check.
+		if any(currentValue) != any(old) {
+			return false
+		}
+		if t.value.CompareAndSwap(currentP, &new) {
+			return true
+		}
+	}
 }
 
 func (t *TypedValue[T]) MarshalJSON() ([]byte, error) {
@@ -63,13 +64,20 @@ func (t *TypedValue[T]) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
+func (t *TypedValue[T]) MarshalYAML() (any, error) {
+	return t.Load(), nil
+}
+
+func (t *TypedValue[T]) UnmarshalYAML(unmarshal func(any) error) error {
+	var v T
+	if err := unmarshal(&v); err != nil {
+		return err
+	}
+	t.Store(v)
+	return nil
+}
+
 func NewTypedValue[T any](t T) (v TypedValue[T]) {
 	v.Store(t)
 	return
 }
-
-type noCopy struct{}
-
-// Lock is a no-op used by -copylocks checker from `go vet`.
-func (*noCopy) Lock()   {}
-func (*noCopy) Unlock() {}

common/atomic/value_test.go

@@ -0,0 +1,169 @@
+package atomic
+
+import (
+	"io"
+	"os"
+	"testing"
+)
+
+func TestTypedValue(t *testing.T) {
+	{
+		var v TypedValue[int]
+		got, gotOk := v.LoadOk()
+		if got != 0 || gotOk {
+			t.Fatalf("LoadOk = (%v, %v), want (0, false)", got, gotOk)
+		}
+		v.Store(1)
+		got, gotOk = v.LoadOk()
+		if got != 1 || !gotOk {
+			t.Fatalf("LoadOk = (%v, %v), want (1, true)", got, gotOk)
+		}
+	}
+
+	{
+		var v TypedValue[error]
+		got, gotOk := v.LoadOk()
+		if got != nil || gotOk {
+			t.Fatalf("LoadOk = (%v, %v), want (nil, false)", got, gotOk)
+		}
+		v.Store(io.EOF)
+		got, gotOk = v.LoadOk()
+		if got != io.EOF || !gotOk {
+			t.Fatalf("LoadOk = (%v, %v), want (EOF, true)", got, gotOk)
+		}
+		err := &os.PathError{}
+		v.Store(err)
+		got, gotOk = v.LoadOk()
+		if got != err || !gotOk {
+			t.Fatalf("LoadOk = (%v, %v), want (%v, true)", got, gotOk, err)
+		}
+		v.Store(nil)
+		got, gotOk = v.LoadOk()
+		if got != nil || !gotOk {
+			t.Fatalf("LoadOk = (%v, %v), want (nil, true)", got, gotOk)
+		}
+	}
+
+	{
+		e1, e2, e3 := io.EOF, &os.PathError{}, &os.PathError{}
+		var v TypedValue[error]
+		if v.CompareAndSwap(e1, e2) != false {
+			t.Fatalf("CompareAndSwap = true, want false")
+		}
+		if value := v.Load(); value != nil {
+			t.Fatalf("Load = (%v), want (%v)", value, nil)
+		}
+		if v.CompareAndSwap(nil, e1) != true {
+			t.Fatalf("CompareAndSwap = false, want true")
+		}
+		if value := v.Load(); value != e1 {
+			t.Fatalf("Load = (%v), want (%v)", value, e1)
+		}
+		if v.CompareAndSwap(e2, e3) != false {
+			t.Fatalf("CompareAndSwap = true, want false")
+		}
+		if value := v.Load(); value != e1 {
+			t.Fatalf("Load = (%v), want (%v)", value, e1)
+		}
+		if v.CompareAndSwap(e1, e2) != true {
+			t.Fatalf("CompareAndSwap = false, want true")
+		}
+		if value := v.Load(); value != e2 {
+			t.Fatalf("Load = (%v), want (%v)", value, e2)
+		}
+		if v.CompareAndSwap(e3, e2) != false {
+			t.Fatalf("CompareAndSwap = true, want false")
+		}
+		if value := v.Load(); value != e2 {
+			t.Fatalf("Load = (%v), want (%v)", value, e2)
+		}
+		if v.CompareAndSwap(nil, e3) != false {
+			t.Fatalf("CompareAndSwap = true, want false")
+		}
+		if value := v.Load(); value != e2 {
+			t.Fatalf("Load = (%v), want (%v)", value, e2)
+		}
+	}
+
+	{
+		c1, c2, c3 := make(chan struct{}), make(chan struct{}), make(chan struct{})
+		var v TypedValue[chan struct{}]
+		if v.CompareAndSwap(c1, c2) != false {
+			t.Fatalf("CompareAndSwap = true, want false")
+		}
+		if value := v.Load(); value != nil {
+			t.Fatalf("Load = (%v), want (%v)", value, nil)
+		}
+		if v.CompareAndSwap(nil, c1) != true {
+			t.Fatalf("CompareAndSwap = false, want true")
+		}
+		if value := v.Load(); value != c1 {
+			t.Fatalf("Load = (%v), want (%v)", value, c1)
+		}
+		if v.CompareAndSwap(c2, c3) != false {
+			t.Fatalf("CompareAndSwap = true, want false")
+		}
+		if value := v.Load(); value != c1 {
+			t.Fatalf("Load = (%v), want (%v)", value, c1)
+		}
+		if v.CompareAndSwap(c1, c2) != true {
+			t.Fatalf("CompareAndSwap = false, want true")
+		}
+		if value := v.Load(); value != c2 {
+			t.Fatalf("Load = (%v), want (%v)", value, c2)
+		}
+		if v.CompareAndSwap(c3, c2) != false {
+			t.Fatalf("CompareAndSwap = true, want false")
+		}
+		if value := v.Load(); value != c2 {
+			t.Fatalf("Load = (%v), want (%v)", value, c2)
+		}
+		if v.CompareAndSwap(nil, c3) != false {
+			t.Fatalf("CompareAndSwap = true, want false")
+		}
+		if value := v.Load(); value != c2 {
+			t.Fatalf("Load = (%v), want (%v)", value, c2)
+		}
+	}
+
+	{
+		c1, c2, c3 := &io.LimitedReader{}, &io.SectionReader{}, &io.SectionReader{}
+		var v TypedValue[io.Reader]
+		if v.CompareAndSwap(c1, c2) != false {
+			t.Fatalf("CompareAndSwap = true, want false")
+		}
+		if value := v.Load(); value != nil {
+			t.Fatalf("Load = (%v), want (%v)", value, nil)
+		}
+		if v.CompareAndSwap(nil, c1) != true {
+			t.Fatalf("CompareAndSwap = false, want true")
+		}
+		if value := v.Load(); value != c1 {
+			t.Fatalf("Load = (%v), want (%v)", value, c1)
+		}
+		if v.CompareAndSwap(c2, c3) != false {
+			t.Fatalf("CompareAndSwap = true, want false")
+		}
+		if value := v.Load(); value != c1 {
+			t.Fatalf("Load = (%v), want (%v)", value, c1)
+		}
+		if v.CompareAndSwap(c1, c2) != true {
+			t.Fatalf("CompareAndSwap = false, want true")
+		}
+		if value := v.Load(); value != c2 {
+			t.Fatalf("Load = (%v), want (%v)", value, c2)
+		}
+		if v.CompareAndSwap(c3, c2) != false {
+			t.Fatalf("CompareAndSwap = true, want false")
+		}
+		if value := v.Load(); value != c2 {
+			t.Fatalf("Load = (%v), want (%v)", value, c2)
+		}
+		if v.CompareAndSwap(nil, c3) != false {
+			t.Fatalf("CompareAndSwap = true, want false")
+		}
+		if value := v.Load(); value != c2 {
+			t.Fatalf("Load = (%v), want (%v)", value, c2)
+		}
+	}
+}

common/buf/sing.go

@@ -1,8 +1,8 @@
 package buf
 
 import (
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common"
+	"github.com/metacubex/sing/common/buf"
 )
 
 const BufferSize = buf.BufferSize
@@ -14,6 +14,7 @@ var NewPacket = buf.NewPacket
 var NewSize = buf.NewSize
 var With = buf.With
 var As = buf.As
+var ReleaseMulti = buf.ReleaseMulti
 
 var (
 	Must  = common.Must

common/convert/base64.go

@@ -2,6 +2,7 @@ package convert
 
 import (
 	"encoding/base64"
+	"fmt"
 	"strings"
 )
 
@@ -43,3 +44,22 @@ func decodeUrlSafe(data string) string {
 	}
 	return string(dcBuf)
 }
+
+func TryDecodeBase64(s string) (decoded []byte, err error) {
+	if len(s)%4 == 0 {
+		if decoded, err = base64.StdEncoding.DecodeString(s); err == nil {
+			return
+		}
+		if decoded, err = base64.URLEncoding.DecodeString(s); err == nil {
+			return
+		}
+	} else {
+		if decoded, err = base64.RawStdEncoding.DecodeString(s); err == nil {
+			return
+		}
+		if decoded, err = base64.RawURLEncoding.DecodeString(s); err == nil {
+			return
+		}
+	}
+	return nil, fmt.Errorf("invalid base64-encoded string")
+}

common/convert/converter.go

@@ -208,6 +208,9 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			if err != nil {
 				continue
 			}
+			if decodedHost, err := tryDecodeBase64([]byte(urlVLess.Host)); err == nil {
+				urlVLess.Host = string(decodedHost)
+			}
 			query := urlVLess.Query()
 			vless := make(map[string]any, 20)
 			err = handleVShareLink(names, urlVLess, scheme, vless)
@@ -218,6 +221,9 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			if flow := query.Get("flow"); flow != "" {
 				vless["flow"] = strings.ToLower(flow)
 			}
+			if encryption := query.Get("encryption"); encryption != "" {
+				vless["encryption"] = encryption
+			}
 			proxies = append(proxies, vless)
 
 		case "vmess":
@@ -456,12 +462,12 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			proxies = append(proxies, ss)
 
 		case "ssr":
-			dcBuf, err := encRaw.DecodeString(body)
+			dcBuf, err := TryDecodeBase64(body)
 			if err != nil {
 				continue
 			}
 
-			// ssr://host:port:protocol:method:obfs:urlsafebase64pass/?obfsparam=urlsafebase64&protoparam=&remarks=urlsafebase64&group=urlsafebase64&udpport=0&uot=1
+			// ssr://host:port:protocol:method:obfs:urlsafebase64pass/?obfsparam=urlsafebase64param&protoparam=urlsafebase64param&remarks=urlsafebase64remarks&group=urlsafebase64group&udpport=0&uot=1
 
 			before, after, ok := strings.Cut(string(dcBuf), "/?")
 			if !ok {
@@ -490,7 +496,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			name := uniqueName(names, remarks)
 
 			obfsParam := decodeUrlSafe(query.Get("obfsparam"))
-			protocolParam := query.Get("protoparam")
+			protocolParam := decodeUrlSafe(query.Get("protoparam"))
 
 			ssr := make(map[string]any, 20)
 
@@ -513,6 +519,101 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			}
 
 			proxies = append(proxies, ssr)
+
+		case "socks", "socks5", "socks5h", "http", "https":
+			link, err := url.Parse(line)
+			if err != nil {
+				continue
+			}
+			server := link.Hostname()
+			if server == "" {
+				continue
+			}
+			portStr := link.Port()
+			if portStr == "" {
+				continue
+			}
+			remarks := link.Fragment
+			if remarks == "" {
+				remarks = fmt.Sprintf("%s:%s", server, portStr)
+			}
+			name := uniqueName(names, remarks)
+			encodeStr := link.User.String()
+			var username, password string
+			if encodeStr != "" {
+				decodeStr := string(DecodeBase64([]byte(encodeStr)))
+				splitStr := strings.Split(decodeStr, ":")
+
+				// todo: should use url.QueryUnescape ?
+				username = splitStr[0]
+				if len(splitStr) == 2 {
+					password = splitStr[1]
+				}
+			}
+			socks := make(map[string]any, 10)
+			socks["name"] = name
+			socks["type"] = func() string {
+				switch scheme {
+				case "socks", "socks5", "socks5h":
+					return "socks5"
+				case "http", "https":
+					return "http"
+				}
+				return scheme
+			}()
+			socks["server"] = server
+			socks["port"] = portStr
+			socks["username"] = username
+			socks["password"] = password
+			socks["skip-cert-verify"] = true
+			if scheme == "https" {
+				socks["tls"] = true
+			}
+
+			proxies = append(proxies, socks)
+
+		case "anytls":
+			// https://github.com/anytls/anytls-go/blob/main/docs/uri_scheme.md
+			link, err := url.Parse(line)
+			if err != nil {
+				continue
+			}
+			username := link.User.Username()
+			password, exist := link.User.Password()
+			if !exist {
+				password = username
+			}
+			query := link.Query()
+			server := link.Hostname()
+			if server == "" {
+				continue
+			}
+			portStr := link.Port()
+			if portStr == "" {
+				continue
+			}
+			insecure, sni := query.Get("insecure"), query.Get("sni")
+			insecureBool := insecure == "1"
+			fingerprint := query.Get("hpkp")
+
+			remarks := link.Fragment
+			if remarks == "" {
+				remarks = fmt.Sprintf("%s:%s", server, portStr)
+			}
+			name := uniqueName(names, remarks)
+			anytls := make(map[string]any, 10)
+			anytls["name"] = name
+			anytls["type"] = "anytls"
+			anytls["server"] = server
+			anytls["port"] = portStr
+			anytls["username"] = username
+			anytls["password"] = password
+			anytls["sni"] = sni
+			anytls["fingerprint"] = fingerprint
+			anytls["skip-cert-verify"] = insecureBool
+			anytls["udp"] = true
+
+			proxies = append(proxies, anytls)
 		}
 	}
 

common/maphash/common.go

@@ -0,0 +1,19 @@
+package maphash
+
+import "hash/maphash"
+
+type Seed = maphash.Seed
+
+func MakeSeed() Seed {
+	return maphash.MakeSeed()
+}
+
+type Hash = maphash.Hash
+
+func Bytes(seed Seed, b []byte) uint64 {
+	return maphash.Bytes(seed, b)
+}
+
+func String(seed Seed, s string) uint64 {
+	return maphash.String(seed, s)
+}

common/maphash/comparable_go120.go

@@ -0,0 +1,140 @@
+//go:build !go1.24
+
+package maphash
+
+import "unsafe"
+
+func Comparable[T comparable](s Seed, v T) uint64 {
+	return comparableHash(*(*seedTyp)(unsafe.Pointer(&s)), v)
+}
+
+func comparableHash[T comparable](seed seedTyp, v T) uint64 {
+	s := seed.s
+	var m map[T]struct{}
+	mTyp := iTypeOf(m)
+	var hasher func(unsafe.Pointer, uintptr) uintptr
+	hasher = (*iMapType)(unsafe.Pointer(mTyp)).Hasher
+
+	p := escape(unsafe.Pointer(&v))
+
+	if ptrSize == 8 {
+		return uint64(hasher(p, uintptr(s)))
+	}
+	lo := hasher(p, uintptr(s))
+	hi := hasher(p, uintptr(s>>32))
+	return uint64(hi)<<32 | uint64(lo)
+}
+
+// WriteComparable adds x to the data hashed by h.
+func WriteComparable[T comparable](h *Hash, x T) {
+	// writeComparable (not in purego mode) directly operates on h.state
+	// without using h.buf. Mix in the buffer length so it won't
+	// commute with a buffered write, which either changes h.n or changes
+	// h.state.
+	hash := (*hashTyp)(unsafe.Pointer(h))
+	if hash.n != 0 {
+		hash.state.s = comparableHash(hash.state, hash.n)
+	}
+	hash.state.s = comparableHash(hash.state, x)
+}
+
+// go/src/hash/maphash/maphash.go
+type hashTyp struct {
+	_     [0]func() // not comparable
+	seed  seedTyp   // initial seed used for this hash
+	state seedTyp   // current hash of all flushed bytes
+	buf   [128]byte // unflushed byte buffer
+	n     int       // number of unflushed bytes
+}
+
+type seedTyp struct {
+	s uint64
+}
+
+type iTFlag uint8
+type iKind uint8
+type iNameOff int32
+
+// TypeOff is the offset to a type from moduledata.types.  See resolveTypeOff in runtime.
+type iTypeOff int32
+
+type iType struct {
+	Size_       uintptr
+	PtrBytes    uintptr // number of (prefix) bytes in the type that can contain pointers
+	Hash        uint32  // hash of type; avoids computation in hash tables
+	TFlag       iTFlag  // extra type information flags
+	Align_      uint8   // alignment of variable with this type
+	FieldAlign_ uint8   // alignment of struct field with this type
+	Kind_       iKind   // enumeration for C
+	// function for comparing objects of this type
+	// (ptr to object A, ptr to object B) -> ==?
+	Equal func(unsafe.Pointer, unsafe.Pointer) bool
+	// GCData stores the GC type data for the garbage collector.
+	// Normally, GCData points to a bitmask that describes the
+	// ptr/nonptr fields of the type. The bitmask will have at
+	// least PtrBytes/ptrSize bits.
+	// If the TFlagGCMaskOnDemand bit is set, GCData is instead a
+	// **byte and the pointer to the bitmask is one dereference away.
+	// The runtime will build the bitmask if needed.
+	// (See runtime/type.go:getGCMask.)
+	// Note: multiple types may have the same value of GCData,
+	// including when TFlagGCMaskOnDemand is set. The types will, of course,
+	// have the same pointer layout (but not necessarily the same size).
+	GCData    *byte
+	Str       iNameOff // string form
+	PtrToThis iTypeOff // type for pointer to this type, may be zero
+}
+
+type iMapType struct {
+	iType
+	Key   *iType
+	Elem  *iType
+	Group *iType // internal type representing a slot group
+	// function for hashing keys (ptr to key, seed) -> hash
+	Hasher func(unsafe.Pointer, uintptr) uintptr
+}
+
+func iTypeOf(a any) *iType {
+	eface := *(*iEmptyInterface)(unsafe.Pointer(&a))
+	// Types are either static (for compiler-created types) or
+	// heap-allocated but always reachable (for reflection-created
+	// types, held in the central map). So there is no need to
+	// escape types. noescape here help avoid unnecessary escape
+	// of v.
+	return (*iType)(noescape(unsafe.Pointer(eface.Type)))
+}
+
+type iEmptyInterface struct {
+	Type *iType
+	Data unsafe.Pointer
+}
+
+// noescape hides a pointer from escape analysis.  noescape is
+// the identity function but escape analysis doesn't think the
+// output depends on the input.  noescape is inlined and currently
+// compiles down to zero instructions.
+// USE CAREFULLY!
+//
+// nolint:all
+//
+//go:nosplit
+//goland:noinspection ALL
+func noescape(p unsafe.Pointer) unsafe.Pointer {
+	x := uintptr(p)
+	return unsafe.Pointer(x ^ 0)
+}
+
+var alwaysFalse bool
+var escapeSink any
+
+// escape forces any pointers in x to escape to the heap.
+func escape[T any](x T) T {
+	if alwaysFalse {
+		escapeSink = x
+	}
+	return x
+}
+
+// ptrSize is the size of a pointer in bytes - unsafe.Sizeof(uintptr(0)) but as an ideal constant.
+// It is also the size of the machine's native word size (that is, 4 on 32-bit systems, 8 on 64-bit).
+const ptrSize = 4 << (^uintptr(0) >> 63)

common/maphash/comparable_go124.go

@@ -0,0 +1,13 @@
+//go:build go1.24
+
+package maphash
+
+import "hash/maphash"
+
+func Comparable[T comparable](seed Seed, v T) uint64 {
+	return maphash.Comparable(seed, v)
+}
+
+func WriteComparable[T comparable](h *Hash, x T) {
+	maphash.WriteComparable(h, x)
+}

common/maphash/maphash_test.go

@@ -0,0 +1,532 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package maphash
+
+import (
+	"bytes"
+	"fmt"
+	"hash"
+	"math"
+	"reflect"
+	"strings"
+	"testing"
+	"unsafe"
+
+	rand "github.com/metacubex/randv2"
+)
+
+func TestUnseededHash(t *testing.T) {
+	m := map[uint64]struct{}{}
+	for i := 0; i < 1000; i++ {
+		h := new(Hash)
+		m[h.Sum64()] = struct{}{}
+	}
+	if len(m) < 900 {
+		t.Errorf("empty hash not sufficiently random: got %d, want 1000", len(m))
+	}
+}
+
+func TestSeededHash(t *testing.T) {
+	s := MakeSeed()
+	m := map[uint64]struct{}{}
+	for i := 0; i < 1000; i++ {
+		h := new(Hash)
+		h.SetSeed(s)
+		m[h.Sum64()] = struct{}{}
+	}
+	if len(m) != 1 {
+		t.Errorf("seeded hash is random: got %d, want 1", len(m))
+	}
+}
+
+func TestHashGrouping(t *testing.T) {
+	b := bytes.Repeat([]byte("foo"), 100)
+	hh := make([]*Hash, 7)
+	for i := range hh {
+		hh[i] = new(Hash)
+	}
+	for _, h := range hh[1:] {
+		h.SetSeed(hh[0].Seed())
+	}
+	hh[0].Write(b)
+	hh[1].WriteString(string(b))
+
+	writeByte := func(h *Hash, b byte) {
+		err := h.WriteByte(b)
+		if err != nil {
+			t.Fatalf("WriteByte: %v", err)
+		}
+	}
+	writeSingleByte := func(h *Hash, b byte) {
+		_, err := h.Write([]byte{b})
+		if err != nil {
+			t.Fatalf("Write single byte: %v", err)
+		}
+	}
+	writeStringSingleByte := func(h *Hash, b byte) {
+		_, err := h.WriteString(string([]byte{b}))
+		if err != nil {
+			t.Fatalf("WriteString single byte: %v", err)
+		}
+	}
+
+	for i, x := range b {
+		writeByte(hh[2], x)
+		writeSingleByte(hh[3], x)
+		if i == 0 {
+			writeByte(hh[4], x)
+		} else {
+			writeSingleByte(hh[4], x)
+		}
+		writeStringSingleByte(hh[5], x)
+		if i == 0 {
+			writeByte(hh[6], x)
+		} else {
+			writeStringSingleByte(hh[6], x)
+		}
+	}
+
+	sum := hh[0].Sum64()
+	for i, h := range hh {
+		if sum != h.Sum64() {
+			t.Errorf("hash %d not identical to a single Write", i)
+		}
+	}
+
+	if sum1 := Bytes(hh[0].Seed(), b); sum1 != hh[0].Sum64() {
+		t.Errorf("hash using Bytes not identical to a single Write")
+	}
+
+	if sum1 := String(hh[0].Seed(), string(b)); sum1 != hh[0].Sum64() {
+		t.Errorf("hash using String not identical to a single Write")
+	}
+}
+
+func TestHashBytesVsString(t *testing.T) {
+	s := "foo"
+	b := []byte(s)
+	h1 := new(Hash)
+	h2 := new(Hash)
+	h2.SetSeed(h1.Seed())
+	n1, err1 := h1.WriteString(s)
+	if n1 != len(s) || err1 != nil {
+		t.Fatalf("WriteString(s) = %d, %v, want %d, nil", n1, err1, len(s))
+	}
+	n2, err2 := h2.Write(b)
+	if n2 != len(b) || err2 != nil {
+		t.Fatalf("Write(b) = %d, %v, want %d, nil", n2, err2, len(b))
+	}
+	if h1.Sum64() != h2.Sum64() {
+		t.Errorf("hash of string and bytes not identical")
+	}
+}
+
+func TestHashHighBytes(t *testing.T) {
+	// See issue 34925.
+	const N = 10
+	m := map[uint64]struct{}{}
+	for i := 0; i < N; i++ {
+		h := new(Hash)
+		h.WriteString("foo")
+		m[h.Sum64()>>32] = struct{}{}
+	}
+	if len(m) < N/2 {
+		t.Errorf("from %d seeds, wanted at least %d different hashes; got %d", N, N/2, len(m))
+	}
+}
+
+func TestRepeat(t *testing.T) {
+	h1 := new(Hash)
+	h1.WriteString("testing")
+	sum1 := h1.Sum64()
+
+	h1.Reset()
+	h1.WriteString("testing")
+	sum2 := h1.Sum64()
+
+	if sum1 != sum2 {
+		t.Errorf("different sum after resetting: %#x != %#x", sum1, sum2)
+	}
+
+	h2 := new(Hash)
+	h2.SetSeed(h1.Seed())
+	h2.WriteString("testing")
+	sum3 := h2.Sum64()
+
+	if sum1 != sum3 {
+		t.Errorf("different sum on the same seed: %#x != %#x", sum1, sum3)
+	}
+}
+
+func TestSeedFromSum64(t *testing.T) {
+	h1 := new(Hash)
+	h1.WriteString("foo")
+	x := h1.Sum64() // seed generated here
+	h2 := new(Hash)
+	h2.SetSeed(h1.Seed())
+	h2.WriteString("foo")
+	y := h2.Sum64()
+	if x != y {
+		t.Errorf("hashes don't match: want %x, got %x", x, y)
+	}
+}
+
+func TestSeedFromSeed(t *testing.T) {
+	h1 := new(Hash)
+	h1.WriteString("foo")
+	_ = h1.Seed() // seed generated here
+	x := h1.Sum64()
+	h2 := new(Hash)
+	h2.SetSeed(h1.Seed())
+	h2.WriteString("foo")
+	y := h2.Sum64()
+	if x != y {
+		t.Errorf("hashes don't match: want %x, got %x", x, y)
+	}
+}
+
+func TestSeedFromFlush(t *testing.T) {
+	b := make([]byte, 65)
+	h1 := new(Hash)
+	h1.Write(b) // seed generated here
+	x := h1.Sum64()
+	h2 := new(Hash)
+	h2.SetSeed(h1.Seed())
+	h2.Write(b)
+	y := h2.Sum64()
+	if x != y {
+		t.Errorf("hashes don't match: want %x, got %x", x, y)
+	}
+}
+
+func TestSeedFromReset(t *testing.T) {
+	h1 := new(Hash)
+	h1.WriteString("foo")
+	h1.Reset() // seed generated here
+	h1.WriteString("foo")
+	x := h1.Sum64()
+	h2 := new(Hash)
+	h2.SetSeed(h1.Seed())
+	h2.WriteString("foo")
+	y := h2.Sum64()
+	if x != y {
+		t.Errorf("hashes don't match: want %x, got %x", x, y)
+	}
+}
+
+func negativeZero[T float32 | float64]() T {
+	var f T
+	f = -f
+	return f
+}
+
+func TestComparable(t *testing.T) {
+	testComparable(t, int64(2))
+	testComparable(t, uint64(8))
+	testComparable(t, uintptr(12))
+	testComparable(t, any("s"))
+	testComparable(t, "s")
+	testComparable(t, true)
+	testComparable(t, new(float64))
+	testComparable(t, float64(9))
+	testComparable(t, complex128(9i+1))
+	testComparable(t, struct{}{})
+	testComparable(t, struct {
+		i int
+		u uint
+		b bool
+		f float64
+		p *int
+		a any
+	}{i: 9, u: 1, b: true, f: 9.9, p: new(int), a: 1})
+	type S struct {
+		s string
+	}
+	s1 := S{s: heapStr(t)}
+	s2 := S{s: heapStr(t)}
+	if unsafe.StringData(s1.s) == unsafe.StringData(s2.s) {
+		t.Fatalf("unexpected two heapStr ptr equal")
+	}
+	if s1.s != s2.s {
+		t.Fatalf("unexpected two heapStr value not equal")
+	}
+	testComparable(t, s1, s2)
+	testComparable(t, s1.s, s2.s)
+	testComparable(t, float32(0), negativeZero[float32]())
+	testComparable(t, float64(0), negativeZero[float64]())
+	testComparableNoEqual(t, math.NaN(), math.NaN())
+	testComparableNoEqual(t, [2]string{"a", ""}, [2]string{"", "a"})
+	testComparableNoEqual(t, struct{ a, b string }{"foo", ""}, struct{ a, b string }{"", "foo"})
+	testComparableNoEqual(t, struct{ a, b any }{int(0), struct{}{}}, struct{ a, b any }{struct{}{}, int(0)})
+}
+
+func testComparableNoEqual[T comparable](t *testing.T, v1, v2 T) {
+	seed := MakeSeed()
+	if Comparable(seed, v1) == Comparable(seed, v2) {
+		t.Fatalf("Comparable(seed, %v) == Comparable(seed, %v)", v1, v2)
+	}
+}
+
+var heapStrValue = []byte("aTestString")
+
+func heapStr(t *testing.T) string {
+	return string(heapStrValue)
+}
+
+func testComparable[T comparable](t *testing.T, v T, v2 ...T) {
+	t.Run(TypeFor[T]().String(), func(t *testing.T) {
+		var a, b T = v, v
+		if len(v2) != 0 {
+			b = v2[0]
+		}
+		var pa *T = &a
+		seed := MakeSeed()
+		if Comparable(seed, a) != Comparable(seed, b) {
+			t.Fatalf("Comparable(seed, %v) != Comparable(seed, %v)", a, b)
+		}
+		old := Comparable(seed, pa)
+		stackGrow(8192)
+		new := Comparable(seed, pa)
+		if old != new {
+			t.Fatal("Comparable(seed, ptr) != Comparable(seed, ptr)")
+		}
+	})
+}
+
+var use byte
+
+//go:noinline
+func stackGrow(dep int) {
+	if dep == 0 {
+		return
+	}
+	var local [1024]byte
+	// make sure local is allocated on the stack.
+	local[rand.Uint64()%1024] = byte(rand.Uint64())
+	use = local[rand.Uint64()%1024]
+	stackGrow(dep - 1)
+}
+
+func TestWriteComparable(t *testing.T) {
+	testWriteComparable(t, int64(2))
+	testWriteComparable(t, uint64(8))
+	testWriteComparable(t, uintptr(12))
+	testWriteComparable(t, any("s"))
+	testWriteComparable(t, "s")
+	testComparable(t, true)
+	testWriteComparable(t, new(float64))
+	testWriteComparable(t, float64(9))
+	testWriteComparable(t, complex128(9i+1))
+	testWriteComparable(t, struct{}{})
+	testWriteComparable(t, struct {
+		i int
+		u uint
+		b bool
+		f float64
+		p *int
+		a any
+	}{i: 9, u: 1, b: true, f: 9.9, p: new(int), a: 1})
+	type S struct {
+		s string
+	}
+	s1 := S{s: heapStr(t)}
+	s2 := S{s: heapStr(t)}
+	if unsafe.StringData(s1.s) == unsafe.StringData(s2.s) {
+		t.Fatalf("unexpected two heapStr ptr equal")
+	}
+	if s1.s != s2.s {
+		t.Fatalf("unexpected two heapStr value not equal")
+	}
+	testWriteComparable(t, s1, s2)
+	testWriteComparable(t, s1.s, s2.s)
+	testWriteComparable(t, float32(0), negativeZero[float32]())
+	testWriteComparable(t, float64(0), negativeZero[float64]())
+	testWriteComparableNoEqual(t, math.NaN(), math.NaN())
+	testWriteComparableNoEqual(t, [2]string{"a", ""}, [2]string{"", "a"})
+	testWriteComparableNoEqual(t, struct{ a, b string }{"foo", ""}, struct{ a, b string }{"", "foo"})
+	testWriteComparableNoEqual(t, struct{ a, b any }{int(0), struct{}{}}, struct{ a, b any }{struct{}{}, int(0)})
+}
+
+func testWriteComparableNoEqual[T comparable](t *testing.T, v1, v2 T) {
+	seed := MakeSeed()
+	h1 := Hash{}
+	h2 := Hash{}
+	*(*Seed)(unsafe.Pointer(&h1)), *(*Seed)(unsafe.Pointer(&h2)) = seed, seed
+	WriteComparable(&h1, v1)
+	WriteComparable(&h2, v2)
+	if h1.Sum64() == h2.Sum64() {
+		t.Fatalf("WriteComparable(seed, %v) == WriteComparable(seed, %v)", v1, v2)
+	}
+
+}
+
+func testWriteComparable[T comparable](t *testing.T, v T, v2 ...T) {
+	t.Run(TypeFor[T]().String(), func(t *testing.T) {
+		var a, b T = v, v
+		if len(v2) != 0 {
+			b = v2[0]
+		}
+		var pa *T = &a
+		h1 := Hash{}
+		h2 := Hash{}
+		*(*Seed)(unsafe.Pointer(&h1)) = MakeSeed()
+		h2 = h1
+		WriteComparable(&h1, a)
+		WriteComparable(&h2, b)
+		if h1.Sum64() != h2.Sum64() {
+			t.Fatalf("WriteComparable(h, %v) != WriteComparable(h, %v)", a, b)
+		}
+		WriteComparable(&h1, pa)
+		old := h1.Sum64()
+		stackGrow(8192)
+		WriteComparable(&h2, pa)
+		new := h2.Sum64()
+		if old != new {
+			t.Fatal("WriteComparable(seed, ptr) != WriteComparable(seed, ptr)")
+		}
+	})
+}
+
+func TestComparableShouldPanic(t *testing.T) {
+	s := []byte("s")
+	a := any(s)
+	defer func() {
+		e := recover()
+		err, ok := e.(error)
+		if !ok {
+			t.Fatalf("Comaparable(any([]byte)) should panic")
+		}
+		want := "hash of unhashable type []uint8"
+		if s := err.Error(); !strings.Contains(s, want) {
+			t.Fatalf("want %s, got %s", want, s)
+		}
+	}()
+	Comparable(MakeSeed(), a)
+}
+
+func TestWriteComparableNoncommute(t *testing.T) {
+	seed := MakeSeed()
+	var h1, h2 Hash
+	h1.SetSeed(seed)
+	h2.SetSeed(seed)
+
+	h1.WriteString("abc")
+	WriteComparable(&h1, 123)
+	WriteComparable(&h2, 123)
+	h2.WriteString("abc")
+
+	if h1.Sum64() == h2.Sum64() {
+		t.Errorf("WriteComparable and WriteString unexpectedly commute")
+	}
+}
+
+func TestComparableAllocations(t *testing.T) {
+	t.Skip("test broken in old golang version")
+	seed := MakeSeed()
+	x := heapStr(t)
+	allocs := testing.AllocsPerRun(10, func() {
+		s := "s" + x
+		Comparable(seed, s)
+	})
+	if allocs > 0 {
+		t.Errorf("got %v allocs, want 0", allocs)
+	}
+
+	type S struct {
+		a int
+		b string
+	}
+	allocs = testing.AllocsPerRun(10, func() {
+		s := S{123, "s" + x}
+		Comparable(seed, s)
+	})
+	if allocs > 0 {
+		t.Errorf("got %v allocs, want 0", allocs)
+	}
+}
+
+// Make sure a Hash implements the hash.Hash and hash.Hash64 interfaces.
+var _ hash.Hash = &Hash{}
+var _ hash.Hash64 = &Hash{}
+
+func benchmarkSize(b *testing.B, size int) {
+	h := &Hash{}
+	buf := make([]byte, size)
+	s := string(buf)
+
+	b.Run("Write", func(b *testing.B) {
+		b.SetBytes(int64(size))
+		for i := 0; i < b.N; i++ {
+			h.Reset()
+			h.Write(buf)
+			h.Sum64()
+		}
+	})
+
+	b.Run("Bytes", func(b *testing.B) {
+		b.SetBytes(int64(size))
+		seed := h.Seed()
+		for i := 0; i < b.N; i++ {
+			Bytes(seed, buf)
+		}
+	})
+
+	b.Run("String", func(b *testing.B) {
+		b.SetBytes(int64(size))
+		seed := h.Seed()
+		for i := 0; i < b.N; i++ {
+			String(seed, s)
+		}
+	})
+}
+
+func BenchmarkHash(b *testing.B) {
+	sizes := []int{4, 8, 16, 32, 64, 256, 320, 1024, 4096, 16384}
+	for _, size := range sizes {
+		b.Run(fmt.Sprint("n=", size), func(b *testing.B) {
+			benchmarkSize(b, size)
+		})
+	}
+}
+
+func benchmarkComparable[T comparable](b *testing.B, v T) {
+	b.Run(TypeFor[T]().String(), func(b *testing.B) {
+		seed := MakeSeed()
+		for i := 0; i < b.N; i++ {
+			Comparable(seed, v)
+		}
+	})
+}
+
+func BenchmarkComparable(b *testing.B) {
+	type testStruct struct {
+		i int
+		u uint
+		b bool
+		f float64
+		p *int
+		a any
+	}
+	benchmarkComparable(b, int64(2))
+	benchmarkComparable(b, uint64(8))
+	benchmarkComparable(b, uintptr(12))
+	benchmarkComparable(b, any("s"))
+	benchmarkComparable(b, "s")
+	benchmarkComparable(b, true)
+	benchmarkComparable(b, new(float64))
+	benchmarkComparable(b, float64(9))
+	benchmarkComparable(b, complex128(9i+1))
+	benchmarkComparable(b, struct{}{})
+	benchmarkComparable(b, testStruct{i: 9, u: 1, b: true, f: 9.9, p: new(int), a: 1})
+}
+
+// TypeFor returns the [Type] that represents the type argument T.
+func TypeFor[T any]() reflect.Type {
+	var v T
+	if t := reflect.TypeOf(v); t != nil {
+		return t // optimize for T being a non-interface kind
+	}
+	return reflect.TypeOf((*T)(nil)).Elem() // only for an interface kind
+}

common/net/deadline/conn.go

@@ -7,9 +7,9 @@ import (
 
 	"github.com/metacubex/mihomo/common/atomic"
 
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	"github.com/sagernet/sing/common/network"
+	"github.com/metacubex/sing/common/buf"
+	"github.com/metacubex/sing/common/bufio"
+	"github.com/metacubex/sing/common/network"
 )
 
 type connReadResult struct {
@@ -20,7 +20,7 @@ type connReadResult struct {
 type Conn struct {
 	network.ExtendedConn
 	deadline     atomic.TypedValue[time.Time]
-	pipeDeadline pipeDeadline
+	pipeDeadline PipeDeadline
 	disablePipe  atomic.Bool
 	inRead       atomic.Bool
 	resultCh     chan *connReadResult
@@ -34,7 +34,7 @@ func IsConn(conn any) bool {
 func NewConn(conn net.Conn) *Conn {
 	c := &Conn{
 		ExtendedConn: bufio.NewExtendedConn(conn),
-		pipeDeadline: makePipeDeadline(),
+		pipeDeadline: MakePipeDeadline(),
 		resultCh:     make(chan *connReadResult, 1),
 	}
 	c.resultCh <- nil
@@ -58,7 +58,7 @@ func (c *Conn) Read(p []byte) (n int, err error) {
 			c.resultCh <- nil
 			break
 		}
-	case <-c.pipeDeadline.wait():
+	case <-c.pipeDeadline.Wait():
 		return 0, os.ErrDeadlineExceeded
 	}
 
@@ -104,7 +104,7 @@ func (c *Conn) ReadBuffer(buffer *buf.Buffer) (err error) {
 			c.resultCh <- nil
 			break
 		}
-	case <-c.pipeDeadline.wait():
+	case <-c.pipeDeadline.Wait():
 		return os.ErrDeadlineExceeded
 	}
 
@@ -130,7 +130,7 @@ func (c *Conn) SetReadDeadline(t time.Time) error {
 		return c.ExtendedConn.SetReadDeadline(t)
 	}
 	c.deadline.Store(t)
-	c.pipeDeadline.set(t)
+	c.pipeDeadline.Set(t)
 	return nil
 }
 
@@ -149,6 +149,10 @@ func (c *Conn) ReaderReplaceable() bool {
 	return c.disablePipe.Load() || c.deadline.Load().IsZero()
 }
 
+func (c *Conn) WriterReplaceable() bool {
+	return true
+}
+
 func (c *Conn) Upstream() any {
 	return c.ExtendedConn
 }

common/net/deadline/packet.go

@@ -19,7 +19,7 @@ type readResult struct {
 type NetPacketConn struct {
 	net.PacketConn
 	deadline     atomic.TypedValue[time.Time]
-	pipeDeadline pipeDeadline
+	pipeDeadline PipeDeadline
 	disablePipe  atomic.Bool
 	inRead       atomic.Bool
 	resultCh     chan any
@@ -28,7 +28,7 @@ type NetPacketConn struct {
 func NewNetPacketConn(pc net.PacketConn) net.PacketConn {
 	npc := &NetPacketConn{
 		PacketConn:   pc,
-		pipeDeadline: makePipeDeadline(),
+		pipeDeadline: MakePipeDeadline(),
 		resultCh:     make(chan any, 1),
 	}
 	npc.resultCh <- nil
@@ -83,7 +83,7 @@ FOR:
 				c.resultCh <- nil
 				break FOR
 			}
-		case <-c.pipeDeadline.wait():
+		case <-c.pipeDeadline.Wait():
 			return 0, nil, os.ErrDeadlineExceeded
 		}
 	}
@@ -122,7 +122,7 @@ func (c *NetPacketConn) SetReadDeadline(t time.Time) error {
 		return c.PacketConn.SetReadDeadline(t)
 	}
 	c.deadline.Store(t)
-	c.pipeDeadline.set(t)
+	c.pipeDeadline.Set(t)
 	return nil
 }
 

common/net/deadline/packet_enhance.go

@@ -52,7 +52,7 @@ FOR:
 				c.netPacketConn.resultCh <- nil
 				break FOR
 			}
-		case <-c.netPacketConn.pipeDeadline.wait():
+		case <-c.netPacketConn.pipeDeadline.Wait():
 			return nil, nil, nil, os.ErrDeadlineExceeded
 		}
 	}

common/net/deadline/packet_sing.go

@@ -6,10 +6,10 @@ import (
 
 	"github.com/metacubex/mihomo/common/net/packet"
 
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	"github.com/metacubex/sing/common/buf"
+	"github.com/metacubex/sing/common/bufio"
+	M "github.com/metacubex/sing/common/metadata"
+	N "github.com/metacubex/sing/common/network"
 )
 
 type SingPacketConn struct {
@@ -69,7 +69,7 @@ FOR:
 				c.netPacketConn.resultCh <- nil
 				break FOR
 			}
-		case <-c.netPacketConn.pipeDeadline.wait():
+		case <-c.netPacketConn.pipeDeadline.Wait():
 			return M.Socksaddr{}, os.ErrDeadlineExceeded
 		}
 	}
@@ -146,7 +146,7 @@ FOR:
 				c.netPacketConn.resultCh <- nil
 				break FOR
 			}
-		case <-c.netPacketConn.pipeDeadline.wait():
+		case <-c.netPacketConn.pipeDeadline.Wait():
 			return nil, M.Socksaddr{}, os.ErrDeadlineExceeded
 		}
 	}

common/net/deadline/pipe.go

@@ -9,24 +9,24 @@ import (
 	"time"
 )
 
-// pipeDeadline is an abstraction for handling timeouts.
-type pipeDeadline struct {
+// PipeDeadline is an abstraction for handling timeouts.
+type PipeDeadline struct {
 	mu     sync.Mutex // Guards timer and cancel
 	timer  *time.Timer
 	cancel chan struct{} // Must be non-nil
 }
 
-func makePipeDeadline() pipeDeadline {
-	return pipeDeadline{cancel: make(chan struct{})}
+func MakePipeDeadline() PipeDeadline {
+	return PipeDeadline{cancel: make(chan struct{})}
 }
 
-// set sets the point in time when the deadline will time out.
+// Set sets the point in time when the deadline will time out.
 // A timeout event is signaled by closing the channel returned by waiter.
 // Once a timeout has occurred, the deadline can be refreshed by specifying a
 // t value in the future.
 //
 // A zero value for t prevents timeout.
-func (d *pipeDeadline) set(t time.Time) {
+func (d *PipeDeadline) Set(t time.Time) {
 	d.mu.Lock()
 	defer d.mu.Unlock()
 
@@ -61,8 +61,8 @@ func (d *pipeDeadline) set(t time.Time) {
 	}
 }
 
-// wait returns a channel that is closed when the deadline is exceeded.
-func (d *pipeDeadline) wait() chan struct{} {
+// Wait returns a channel that is closed when the deadline is exceeded.
+func (d *PipeDeadline) Wait() chan struct{} {
 	d.mu.Lock()
 	defer d.mu.Unlock()
 	return d.cancel

common/net/deadline/pipe_sing.go

@@ -7,8 +7,8 @@ import (
 	"sync"
 	"time"
 
-	"github.com/sagernet/sing/common/buf"
-	N "github.com/sagernet/sing/common/network"
+	"github.com/metacubex/sing/common/buf"
+	N "github.com/metacubex/sing/common/network"
 )
 
 type pipeAddr struct{}
@@ -33,8 +33,8 @@ type pipe struct {
 	localDone  chan struct{}
 	remoteDone <-chan struct{}
 
-	readDeadline  pipeDeadline
-	writeDeadline pipeDeadline
+	readDeadline  PipeDeadline
+	writeDeadline PipeDeadline
 
 	readWaitOptions N.ReadWaitOptions
 }
@@ -56,15 +56,15 @@ func Pipe() (net.Conn, net.Conn) {
 		rdRx: cb1, rdTx: cn1,
 		wrTx: cb2, wrRx: cn2,
 		localDone: done1, remoteDone: done2,
-		readDeadline:  makePipeDeadline(),
-		writeDeadline: makePipeDeadline(),
+		readDeadline:  MakePipeDeadline(),
+		writeDeadline: MakePipeDeadline(),
 	}
 	p2 := &pipe{
 		rdRx: cb2, rdTx: cn2,
 		wrTx: cb1, wrRx: cn1,
 		localDone: done2, remoteDone: done1,
-		readDeadline:  makePipeDeadline(),
-		writeDeadline: makePipeDeadline(),
+		readDeadline:  MakePipeDeadline(),
+		writeDeadline: MakePipeDeadline(),
 	}
 	return p1, p2
 }
@@ -86,7 +86,7 @@ func (p *pipe) read(b []byte) (n int, err error) {
 		return 0, io.ErrClosedPipe
 	case isClosedChan(p.remoteDone):
 		return 0, io.EOF
-	case isClosedChan(p.readDeadline.wait()):
+	case isClosedChan(p.readDeadline.Wait()):
 		return 0, os.ErrDeadlineExceeded
 	}
 
@@ -99,7 +99,7 @@ func (p *pipe) read(b []byte) (n int, err error) {
 		return 0, io.ErrClosedPipe
 	case <-p.remoteDone:
 		return 0, io.EOF
-	case <-p.readDeadline.wait():
+	case <-p.readDeadline.Wait():
 		return 0, os.ErrDeadlineExceeded
 	}
 }
@@ -118,7 +118,7 @@ func (p *pipe) write(b []byte) (n int, err error) {
 		return 0, io.ErrClosedPipe
 	case isClosedChan(p.remoteDone):
 		return 0, io.ErrClosedPipe
-	case isClosedChan(p.writeDeadline.wait()):
+	case isClosedChan(p.writeDeadline.Wait()):
 		return 0, os.ErrDeadlineExceeded
 	}
 
@@ -134,7 +134,7 @@ func (p *pipe) write(b []byte) (n int, err error) {
 			return n, io.ErrClosedPipe
 		case <-p.remoteDone:
 			return n, io.ErrClosedPipe
-		case <-p.writeDeadline.wait():
+		case <-p.writeDeadline.Wait():
 			return n, os.ErrDeadlineExceeded
 		}
 	}
@@ -145,8 +145,8 @@ func (p *pipe) SetDeadline(t time.Time) error {
 	if isClosedChan(p.localDone) || isClosedChan(p.remoteDone) {
 		return io.ErrClosedPipe
 	}
-	p.readDeadline.set(t)
-	p.writeDeadline.set(t)
+	p.readDeadline.Set(t)
+	p.writeDeadline.Set(t)
 	return nil
 }
 
@@ -154,7 +154,7 @@ func (p *pipe) SetReadDeadline(t time.Time) error {
 	if isClosedChan(p.localDone) || isClosedChan(p.remoteDone) {
 		return io.ErrClosedPipe
 	}
-	p.readDeadline.set(t)
+	p.readDeadline.Set(t)
 	return nil
 }
 
@@ -162,7 +162,7 @@ func (p *pipe) SetWriteDeadline(t time.Time) error {
 	if isClosedChan(p.localDone) || isClosedChan(p.remoteDone) {
 		return io.ErrClosedPipe
 	}
-	p.writeDeadline.set(t)
+	p.writeDeadline.Set(t)
 	return nil
 }
 
@@ -192,7 +192,7 @@ func (p *pipe) waitReadBuffer() (buffer *buf.Buffer, err error) {
 		return nil, io.ErrClosedPipe
 	case isClosedChan(p.remoteDone):
 		return nil, io.EOF
-	case isClosedChan(p.readDeadline.wait()):
+	case isClosedChan(p.readDeadline.Wait()):
 		return nil, os.ErrDeadlineExceeded
 	}
 	select {
@@ -211,7 +211,7 @@ func (p *pipe) waitReadBuffer() (buffer *buf.Buffer, err error) {
 		return nil, io.ErrClosedPipe
 	case <-p.remoteDone:
 		return nil, io.EOF
-	case <-p.readDeadline.wait():
+	case <-p.readDeadline.Wait():
 		return nil, os.ErrDeadlineExceeded
 	}
 }

common/net/listener.go

@@ -0,0 +1,90 @@
+package net
+
+import (
+	"context"
+	"net"
+	"sync"
+)
+
+type handleContextListener struct {
+	net.Listener
+	ctx      context.Context
+	cancel   context.CancelFunc
+	conns    chan net.Conn
+	err      error
+	once     sync.Once
+	handle   func(context.Context, net.Conn) (net.Conn, error)
+	panicLog func(any)
+}
+
+func (l *handleContextListener) init() {
+	go func() {
+		for {
+			c, err := l.Listener.Accept()
+			if err != nil {
+				l.err = err
+				close(l.conns)
+				return
+			}
+			go func() {
+				defer func() {
+					if r := recover(); r != nil {
+						if l.panicLog != nil {
+							l.panicLog(r)
+						}
+					}
+				}()
+				if conn, err := l.handle(l.ctx, c); err == nil {
+					l.conns <- conn
+				} else {
+					// handle failed, close the underlying connection.
+					_ = c.Close()
+				}
+			}()
+		}
+	}()
+}
+
+func (l *handleContextListener) Accept() (net.Conn, error) {
+	l.once.Do(l.init)
+	if c, ok := <-l.conns; ok {
+		return c, nil
+	}
+	return nil, l.err
+}
+
+func (l *handleContextListener) Close() error {
+	l.cancel()
+	l.once.Do(func() { // l.init has not been called yet, so close related resources directly.
+		l.err = net.ErrClosed
+		close(l.conns)
+	})
+	defer func() {
+		// at here, listener has been closed, so we should close all connections in the channel
+		for c := range l.conns {
+			go func(c net.Conn) {
+				defer func() {
+					if r := recover(); r != nil {
+						if l.panicLog != nil {
+							l.panicLog(r)
+						}
+					}
+				}()
+				_ = c.Close()
+			}(c)
+		}
+	}()
+	return l.Listener.Close()
+}
+
+func NewHandleContextListener(ctx context.Context, l net.Listener, handle func(context.Context, net.Conn) (net.Conn, error), panicLog func(any)) net.Listener {
+	ctx, cancel := context.WithCancel(ctx)
+	return &handleContextListener{
+		Listener: l,
+		ctx:      ctx,
+		cancel:   cancel,
+		conns:    make(chan net.Conn),
+		handle:   handle,
+		panicLog: panicLog,
+	}
+}

common/net/packet/packet_sing.go

@@ -3,10 +3,10 @@ package packet
 import (
 	"net"
 
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	"github.com/metacubex/sing/common/buf"
+	"github.com/metacubex/sing/common/bufio"
+	M "github.com/metacubex/sing/common/metadata"
+	N "github.com/metacubex/sing/common/network"
 )
 
 type SingPacketConn = N.NetPacketConn

common/net/packet/ref_sing.go

@@ -3,9 +3,9 @@ package packet
 import (
 	"runtime"
 
-	"github.com/sagernet/sing/common/buf"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	"github.com/metacubex/sing/common/buf"
+	M "github.com/metacubex/sing/common/metadata"
+	N "github.com/metacubex/sing/common/network"
 )
 
 type refSingPacketConn struct {

common/net/packet/thread_sing.go

@@ -1,9 +1,9 @@
 package packet
 
 import (
-	"github.com/sagernet/sing/common/buf"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	"github.com/metacubex/sing/common/buf"
+	M "github.com/metacubex/sing/common/metadata"
+	N "github.com/metacubex/sing/common/network"
 )
 
 type threadSafeSingPacketConn struct {

common/net/sing.go

@@ -7,9 +7,9 @@ import (
 
 	"github.com/metacubex/mihomo/common/net/deadline"
 
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/bufio"
-	"github.com/sagernet/sing/common/network"
+	"github.com/metacubex/sing/common"
+	"github.com/metacubex/sing/common/bufio"
+	"github.com/metacubex/sing/common/network"
 )
 
 var NewExtendedConn = bufio.NewExtendedConn
@@ -22,6 +22,10 @@ type ExtendedReader = network.ExtendedReader
 
 var WriteBuffer = bufio.WriteBuffer
 
+type ReadWaitOptions = network.ReadWaitOptions
+
+var NewReadWaitOptions = network.NewReadWaitOptions
+
 func NewDeadlineConn(conn net.Conn) ExtendedConn {
 	if deadline.IsPipe(conn) || deadline.IsPipe(network.UnwrapReader(conn)) {
 		return NewExtendedConn(conn) // pipe always have correctly deadline implement

common/net/tls.go

@@ -1,65 +0,0 @@
-package net
-
-import (
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/hex"
-	"encoding/pem"
-	"fmt"
-	"math/big"
-)
-
-type Path interface {
-	Resolve(path string) string
-}
-
-func ParseCert(certificate, privateKey string, path Path) (tls.Certificate, error) {
-	if certificate == "" && privateKey == "" {
-		var err error
-		certificate, privateKey, _, err = NewRandomTLSKeyPair()
-		if err != nil {
-			return tls.Certificate{}, err
-		}
-	}
-	cert, painTextErr := tls.X509KeyPair([]byte(certificate), []byte(privateKey))
-	if painTextErr == nil {
-		return cert, nil
-	}
-
-	certificate = path.Resolve(certificate)
-	privateKey = path.Resolve(privateKey)
-	cert, loadErr := tls.LoadX509KeyPair(certificate, privateKey)
-	if loadErr != nil {
-		return tls.Certificate{}, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
-	}
-	return cert, nil
-}
-
-func NewRandomTLSKeyPair() (certificate string, privateKey string, fingerprint string, err error) {
-	key, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return
-	}
-	template := x509.Certificate{SerialNumber: big.NewInt(1)}
-	certDER, err := x509.CreateCertificate(
-		rand.Reader,
-		&template,
-		&template,
-		&key.PublicKey,
-		key)
-	if err != nil {
-		return
-	}
-	cert, err := x509.ParseCertificate(certDER)
-	if err != nil {
-		return
-	}
-	hash := sha256.Sum256(cert.Raw)
-	fingerprint = hex.EncodeToString(hash[:])
-	privateKey = string(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}))
-	certificate = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}))
-	return
-}

common/once/oncefunc.go

@@ -0,0 +1,102 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package once
+
+import "sync"
+
+// OnceFunc returns a function that invokes f only once. The returned function
+// may be called concurrently.
+//
+// If f panics, the returned function will panic with the same value on every call.
+func OnceFunc(f func()) func() {
+	var (
+		once  sync.Once
+		valid bool
+		p     any
+	)
+	// Construct the inner closure just once to reduce costs on the fast path.
+	g := func() {
+		defer func() {
+			p = recover()
+			if !valid {
+				// Re-panic immediately so on the first call the user gets a
+				// complete stack trace into f.
+				panic(p)
+			}
+		}()
+		f()
+		f = nil      // Do not keep f alive after invoking it.
+		valid = true // Set only if f does not panic.
+	}
+	return func() {
+		once.Do(g)
+		if !valid {
+			panic(p)
+		}
+	}
+}
+
+// OnceValue returns a function that invokes f only once and returns the value
+// returned by f. The returned function may be called concurrently.
+//
+// If f panics, the returned function will panic with the same value on every call.
+func OnceValue[T any](f func() T) func() T {
+	var (
+		once   sync.Once
+		valid  bool
+		p      any
+		result T
+	)
+	g := func() {
+		defer func() {
+			p = recover()
+			if !valid {
+				panic(p)
+			}
+		}()
+		result = f()
+		f = nil
+		valid = true
+	}
+	return func() T {
+		once.Do(g)
+		if !valid {
+			panic(p)
+		}
+		return result
+	}
+}
+
+// OnceValues returns a function that invokes f only once and returns the values
+// returned by f. The returned function may be called concurrently.
+//
+// If f panics, the returned function will panic with the same value on every call.
+func OnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
+	var (
+		once  sync.Once
+		valid bool
+		p     any
+		r1    T1
+		r2    T2
+	)
+	g := func() {
+		defer func() {
+			p = recover()
+			if !valid {
+				panic(p)
+			}
+		}()
+		r1, r2 = f()
+		f = nil
+		valid = true
+	}
+	return func() (T1, T2) {
+		once.Do(g)
+		if !valid {
+			panic(p)
+		}
+		return r1, r2
+	}
+}

common/pool/alloc.go

@@ -8,18 +8,23 @@ import (
 	"sync"
 )
 
-var defaultAllocator = NewAllocator()
+var DefaultAllocator = NewAllocator()
 
-// Allocator for incoming frames, optimized to prevent overwriting after zeroing
-type Allocator struct {
+type Allocator interface {
+	Get(size int) []byte
+	Put(buf []byte) error
+}
+
+// defaultAllocator for incoming frames, optimized to prevent overwriting after zeroing
+type defaultAllocator struct {
 	buffers [11]sync.Pool
 }
 
 // NewAllocator initiates a []byte allocator for frames less than 65536 bytes,
 // the waste(memory fragmentation) of space allocation is guaranteed to be
 // no more than 50%.
-func NewAllocator() *Allocator {
-	return &Allocator{
+func NewAllocator() Allocator {
+	return &defaultAllocator{
 		buffers: [...]sync.Pool{ // 64B -> 64K
 			{New: func() any { return new([1 << 6]byte) }},
 			{New: func() any { return new([1 << 7]byte) }},
@@ -37,7 +42,7 @@ func NewAllocator() *Allocator {
 }
 
 // Get a []byte from pool with most appropriate cap
-func (alloc *Allocator) Get(size int) []byte {
+func (alloc *defaultAllocator) Get(size int) []byte {
 	switch {
 	case size < 0:
 		panic("alloc.Get: len out of range")
@@ -87,7 +92,7 @@ func (alloc *Allocator) Get(size int) []byte {
 
 // Put returns a []byte to pool for future use,
 // which the cap must be exactly 2^n
-func (alloc *Allocator) Put(buf []byte) error {
+func (alloc *defaultAllocator) Put(buf []byte) error {
 	if cap(buf) == 0 || cap(buf) > 65536 {
 		return nil
 	}

common/pool/buffer_low_memory.go

@@ -3,13 +3,12 @@
 package pool
 
 const (
+	// RelayBufferSize using for tcp
 	// io.Copy default buffer size is 32 KiB
-	// but the maximum packet size of vmess/shadowsocks is about 16 KiB
-	// so define a buffer of 20 KiB to reduce the memory of each TCP relay
 	RelayBufferSize = 16 * 1024
 
-	// RelayBufferSize uses 20KiB, but due to the allocator it will actually
-	// request 32Kib. Most UDPs are smaller than the MTU, and the TUN's MTU
+	// UDPBufferSize using for udp
+	// Most UDPs are smaller than the MTU, and the TUN's MTU
 	// set to 9000, so the UDP Buffer size set to 16Kib
 	UDPBufferSize = 8 * 1024
 )

common/pool/buffer_standard.go

@@ -3,13 +3,12 @@
 package pool
 
 const (
+	// RelayBufferSize using for tcp
 	// io.Copy default buffer size is 32 KiB
-	// but the maximum packet size of vmess/shadowsocks is about 16 KiB
-	// so define a buffer of 20 KiB to reduce the memory of each TCP relay
-	RelayBufferSize = 20 * 1024
+	RelayBufferSize = 32 * 1024
 
-	// RelayBufferSize uses 20KiB, but due to the allocator it will actually
-	// request 32Kib. Most UDPs are smaller than the MTU, and the TUN's MTU
+	// UDPBufferSize using for udp
+	// Most UDPs are smaller than the MTU, and the TUN's MTU
 	// set to 9000, so the UDP Buffer size set to 16Kib
 	UDPBufferSize = 16 * 1024
 )

common/pool/pool.go

@@ -1,9 +1,9 @@
 package pool
 
 func Get(size int) []byte {
-	return defaultAllocator.Get(size)
+	return DefaultAllocator.Get(size)
 }
 
 func Put(buf []byte) error {
-	return defaultAllocator.Put(buf)
+	return DefaultAllocator.Put(buf)
 }

common/pool/sing.go

@@ -1,7 +1,7 @@
 package pool
 
-import "github.com/sagernet/sing/common/buf"
+import "github.com/metacubex/sing/common/buf"
 
 func init() {
-	buf.DefaultAllocator = defaultAllocator
+	buf.DefaultAllocator = DefaultAllocator
 }

common/structure/structure_test.go

@@ -239,13 +239,15 @@ func (n *num) UnmarshalText(text []byte) (err error) {
 
 func TestStructure_TextUnmarshaller(t *testing.T) {
 	rawMap := map[string]any{
-		"num":   "255",
-		"num_p": "127",
+		"num":     "255",
+		"num_p":   "127",
+		"num_arr": []string{"1", "2", "3"},
 	}
 
 	s := &struct {
-		Num  num  `test:"num"`
-		NumP *num `test:"num_p"`
+		Num    num   `test:"num"`
+		NumP   *num  `test:"num_p"`
+		NumArr []num `test:"num_arr"`
 	}{}
 
 	err := decoder.Decode(rawMap, s)
@@ -253,6 +255,7 @@ func TestStructure_TextUnmarshaller(t *testing.T) {
 	assert.Equal(t, 255, s.Num.a)
 	assert.NotNil(t, s.NumP)
 	assert.Equal(t, s.NumP.a, 127)
+	assert.Equal(t, s.NumArr, []num{{1}, {2}, {3}})
 
 	// test WeaklyTypedInput
 	rawMap["num"] = 256

common/xsync/map.go

@@ -0,0 +1,926 @@
+package xsync
+
+// copy and modified from https://github.com/puzpuzpuz/xsync/blob/v4.1.0/map.go
+// which is licensed under Apache v2.
+//
+// mihomo modified:
+// 1. parallel Map resize has been removed to decrease the memory using.
+// 2. the zero Map is ready for use.
+
+import (
+	"fmt"
+	"math"
+	"math/bits"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"unsafe"
+
+	"github.com/metacubex/mihomo/common/maphash"
+)
+
+const (
+	// number of Map entries per bucket; 5 entries lead to size of 64B
+	// (one cache line) on 64-bit machines
+	entriesPerMapBucket = 5
+	// threshold fraction of table occupation to start a table shrinking
+	// when deleting the last entry in a bucket chain
+	mapShrinkFraction = 128
+	// map load factor to trigger a table resize during insertion;
+	// a map holds up to mapLoadFactor*entriesPerMapBucket*mapTableLen
+	// key-value pairs (this is a soft limit)
+	mapLoadFactor = 0.75
+	// minimal table size, i.e. number of buckets; thus, minimal map
+	// capacity can be calculated as entriesPerMapBucket*defaultMinMapTableLen
+	defaultMinMapTableLen = 32
+	// minimum counter stripes to use
+	minMapCounterLen = 8
+	// maximum counter stripes to use; stands for around 4KB of memory
+	maxMapCounterLen         = 32
+	defaultMeta       uint64 = 0x8080808080808080
+	metaMask          uint64 = 0xffffffffff
+	defaultMetaMasked uint64 = defaultMeta & metaMask
+	emptyMetaSlot     uint8  = 0x80
+)
+
+type mapResizeHint int
+
+const (
+	mapGrowHint   mapResizeHint = 0
+	mapShrinkHint mapResizeHint = 1
+	mapClearHint  mapResizeHint = 2
+)
+
+type ComputeOp int
+
+const (
+	// CancelOp signals to Compute to not do anything as a result
+	// of executing the lambda. If the entry was not present in
+	// the map, nothing happens, and if it was present, the
+	// returned value is ignored.
+	CancelOp ComputeOp = iota
+	// UpdateOp signals to Compute to update the entry to the
+	// value returned by the lambda, creating it if necessary.
+	UpdateOp
+	// DeleteOp signals to Compute to always delete the entry
+	// from the map.
+	DeleteOp
+)
+
+type loadOp int
+
+const (
+	noLoadOp loadOp = iota
+	loadOrComputeOp
+	loadAndDeleteOp
+)
+
+// Map is like a Go map[K]V but is safe for concurrent
+// use by multiple goroutines without additional locking or
+// coordination. It follows the interface of sync.Map with
+// a number of valuable extensions like Compute or Size.
+//
+// A Map must not be copied after first use.
+//
+// Map uses a modified version of Cache-Line Hash Table (CLHT)
+// data structure: https://github.com/LPD-EPFL/CLHT
+//
+// CLHT is built around idea to organize the hash table in
+// cache-line-sized buckets, so that on all modern CPUs update
+// operations complete with at most one cache-line transfer.
+// Also, Get operations involve no write to memory, as well as no
+// mutexes or any other sort of locks. Due to this design, in all
+// considered scenarios Map outperforms sync.Map.
+//
+// Map also borrows ideas from Java's j.u.c.ConcurrentHashMap
+// (immutable K/V pair structs instead of atomic snapshots)
+// and C++'s absl::flat_hash_map (meta memory and SWAR-based
+// lookups).
+type Map[K comparable, V any] struct {
+	initOnce     sync.Once
+	totalGrowths atomic.Int64
+	totalShrinks atomic.Int64
+	resizing     atomic.Bool // resize in progress flag
+	resizeMu     sync.Mutex  // only used along with resizeCond
+	resizeCond   sync.Cond   // used to wake up resize waiters (concurrent modifications)
+	table        atomic.Pointer[mapTable[K, V]]
+	minTableLen  int
+	growOnly     bool
+}
+
+type mapTable[K comparable, V any] struct {
+	buckets []bucketPadded[K, V]
+	// striped counter for number of table entries;
+	// used to determine if a table shrinking is needed
+	// occupies min(buckets_memory/1024, 64KB) of memory
+	size []counterStripe
+	seed maphash.Seed
+}
+
+type counterStripe struct {
+	c int64
+	// Padding to prevent false sharing.
+	_ [cacheLineSize - 8]byte
+}
+
+// bucketPadded is a CL-sized map bucket holding up to
+// entriesPerMapBucket entries.
+type bucketPadded[K comparable, V any] struct {
+	//lint:ignore U1000 ensure each bucket takes two cache lines on both 32 and 64-bit archs
+	pad [cacheLineSize - unsafe.Sizeof(bucket[K, V]{})]byte
+	bucket[K, V]
+}
+
+type bucket[K comparable, V any] struct {
+	meta    atomic.Uint64
+	entries [entriesPerMapBucket]atomic.Pointer[entry[K, V]] // *entry
+	next    atomic.Pointer[bucketPadded[K, V]]               // *bucketPadded
+	mu      sync.Mutex
+}
+
+// entry is an immutable map entry.
+type entry[K comparable, V any] struct {
+	key   K
+	value V
+}
+
+// MapConfig defines configurable Map options.
+type MapConfig struct {
+	sizeHint int
+	growOnly bool
+}
+
+// WithPresize configures new Map instance with capacity enough
+// to hold sizeHint entries. The capacity is treated as the minimal
+// capacity meaning that the underlying hash table will never shrink
+// to a smaller capacity. If sizeHint is zero or negative, the value
+// is ignored.
+func WithPresize(sizeHint int) func(*MapConfig) {
+	return func(c *MapConfig) {
+		c.sizeHint = sizeHint
+	}
+}
+
+// WithGrowOnly configures new Map instance to be grow-only.
+// This means that the underlying hash table grows in capacity when
+// new keys are added, but does not shrink when keys are deleted.
+// The only exception to this rule is the Clear method which
+// shrinks the hash table back to the initial capacity.
+func WithGrowOnly() func(*MapConfig) {
+	return func(c *MapConfig) {
+		c.growOnly = true
+	}
+}
+
+// NewMap creates a new Map instance configured with the given
+// options.
+func NewMap[K comparable, V any](options ...func(*MapConfig)) *Map[K, V] {
+	c := &MapConfig{}
+	for _, o := range options {
+		o(c)
+	}
+
+	m := &Map[K, V]{}
+	if c.sizeHint > defaultMinMapTableLen*entriesPerMapBucket {
+		tableLen := nextPowOf2(uint32((float64(c.sizeHint) / entriesPerMapBucket) / mapLoadFactor))
+		m.minTableLen = int(tableLen)
+	}
+	m.growOnly = c.growOnly
+	return m
+}
+
+func (m *Map[K, V]) init() {
+	if m.minTableLen == 0 {
+		m.minTableLen = defaultMinMapTableLen
+	}
+	m.resizeCond = *sync.NewCond(&m.resizeMu)
+	table := newMapTable[K, V](m.minTableLen)
+	m.minTableLen = len(table.buckets)
+	m.table.Store(table)
+}
+
+func newMapTable[K comparable, V any](minTableLen int) *mapTable[K, V] {
+	buckets := make([]bucketPadded[K, V], minTableLen)
+	for i := range buckets {
+		buckets[i].meta.Store(defaultMeta)
+	}
+	counterLen := minTableLen >> 10
+	if counterLen < minMapCounterLen {
+		counterLen = minMapCounterLen
+	} else if counterLen > maxMapCounterLen {
+		counterLen = maxMapCounterLen
+	}
+	counter := make([]counterStripe, counterLen)
+	t := &mapTable[K, V]{
+		buckets: buckets,
+		size:    counter,
+		seed:    maphash.MakeSeed(),
+	}
+	return t
+}
+
+// ToPlainMap returns a native map with a copy of xsync Map's
+// contents. The copied xsync Map should not be modified while
+// this call is made. If the copied Map is modified, the copying
+// behavior is the same as in the Range method.
+func ToPlainMap[K comparable, V any](m *Map[K, V]) map[K]V {
+	pm := make(map[K]V)
+	if m != nil {
+		m.Range(func(key K, value V) bool {
+			pm[key] = value
+			return true
+		})
+	}
+	return pm
+}
+
+// Load returns the value stored in the map for a key, or zero value
+// of type V if no value is present.
+// The ok result indicates whether value was found in the map.
+func (m *Map[K, V]) Load(key K) (value V, ok bool) {
+	m.initOnce.Do(m.init)
+	table := m.table.Load()
+	hash := maphash.Comparable(table.seed, key)
+	h1 := h1(hash)
+	h2w := broadcast(h2(hash))
+	bidx := uint64(len(table.buckets)-1) & h1
+	b := &table.buckets[bidx]
+	for {
+		metaw := b.meta.Load()
+		markedw := markZeroBytes(metaw^h2w) & metaMask
+		for markedw != 0 {
+			idx := firstMarkedByteIndex(markedw)
+			e := b.entries[idx].Load()
+			if e != nil {
+				if e.key == key {
+					return e.value, true
+				}
+			}
+			markedw &= markedw - 1
+		}
+		b = b.next.Load()
+		if b == nil {
+			return
+		}
+	}
+}
+
+// Store sets the value for a key.
+func (m *Map[K, V]) Store(key K, value V) {
+	m.doCompute(
+		key,
+		func(V, bool) (V, ComputeOp) {
+			return value, UpdateOp
+		},
+		noLoadOp,
+		false,
+	)
+}
+
+// LoadOrStore returns the existing value for the key if present.
+// Otherwise, it stores and returns the given value.
+// The loaded result is true if the value was loaded, false if stored.
+func (m *Map[K, V]) LoadOrStore(key K, value V) (actual V, loaded bool) {
+	return m.doCompute(
+		key,
+		func(oldValue V, loaded bool) (V, ComputeOp) {
+			if loaded {
+				return oldValue, CancelOp
+			}
+			return value, UpdateOp
+		},
+		loadOrComputeOp,
+		false,
+	)
+}
+
+// LoadAndStore returns the existing value for the key if present,
+// while setting the new value for the key.
+// It stores the new value and returns the existing one, if present.
+// The loaded result is true if the existing value was loaded,
+// false otherwise.
+func (m *Map[K, V]) LoadAndStore(key K, value V) (actual V, loaded bool) {
+	return m.doCompute(
+		key,
+		func(V, bool) (V, ComputeOp) {
+			return value, UpdateOp
+		},
+		noLoadOp,
+		false,
+	)
+}
+
+// LoadOrCompute returns the existing value for the key if
+// present. Otherwise, it tries to compute the value using the
+// provided function and, if successful, stores and returns
+// the computed value. The loaded result is true if the value was
+// loaded, or false if computed. If valueFn returns true as the
+// cancel value, the computation is cancelled and the zero value
+// for type V is returned.
+//
+// This call locks a hash table bucket while the compute function
+// is executed. It means that modifications on other entries in
+// the bucket will be blocked until the valueFn executes. Consider
+// this when the function includes long-running operations.
+func (m *Map[K, V]) LoadOrCompute(
+	key K,
+	valueFn func() (newValue V, cancel bool),
+) (value V, loaded bool) {
+	return m.doCompute(
+		key,
+		func(oldValue V, loaded bool) (V, ComputeOp) {
+			if loaded {
+				return oldValue, CancelOp
+			}
+			newValue, c := valueFn()
+			if !c {
+				return newValue, UpdateOp
+			}
+			return oldValue, CancelOp
+		},
+		loadOrComputeOp,
+		false,
+	)
+}
+
+// Compute either sets the computed new value for the key,
+// deletes the value for the key, or does nothing, based on
+// the returned [ComputeOp]. When the op returned by valueFn
+// is [UpdateOp], the value is updated to the new value. If
+// it is [DeleteOp], the entry is removed from the map
+// altogether. And finally, if the op is [CancelOp] then the
+// entry is left as-is. In other words, if it did not already
+// exist, it is not created, and if it did exist, it is not
+// updated. This is useful to synchronously execute some
+// operation on the value without incurring the cost of
+// updating the map every time. The ok result indicates
+// whether the entry is present in the map after the compute
+// operation. The actual result contains the value of the map
+// if a corresponding entry is present, or the zero value
+// otherwise. See the example for a few use cases.
+//
+// This call locks a hash table bucket while the compute function
+// is executed. It means that modifications on other entries in
+// the bucket will be blocked until the valueFn executes. Consider
+// this when the function includes long-running operations.
+func (m *Map[K, V]) Compute(
+	key K,
+	valueFn func(oldValue V, loaded bool) (newValue V, op ComputeOp),
+) (actual V, ok bool) {
+	return m.doCompute(key, valueFn, noLoadOp, true)
+}
+
+// LoadAndDelete deletes the value for a key, returning the previous
+// value if any. The loaded result reports whether the key was
+// present.
+func (m *Map[K, V]) LoadAndDelete(key K) (value V, loaded bool) {
+	return m.doCompute(
+		key,
+		func(value V, loaded bool) (V, ComputeOp) {
+			return value, DeleteOp
+		},
+		loadAndDeleteOp,
+		false,
+	)
+}
+
+// Delete deletes the value for a key.
+func (m *Map[K, V]) Delete(key K) {
+	m.LoadAndDelete(key)
+}
+
+func (m *Map[K, V]) doCompute(
+	key K,
+	valueFn func(oldValue V, loaded bool) (V, ComputeOp),
+	loadOp loadOp,
+	computeOnly bool,
+) (V, bool) {
+	m.initOnce.Do(m.init)
+	for {
+	compute_attempt:
+		var (
+			emptyb   *bucketPadded[K, V]
+			emptyidx int
+		)
+		table := m.table.Load()
+		tableLen := len(table.buckets)
+		hash := maphash.Comparable(table.seed, key)
+		h1 := h1(hash)
+		h2 := h2(hash)
+		h2w := broadcast(h2)
+		bidx := uint64(len(table.buckets)-1) & h1
+		rootb := &table.buckets[bidx]
+
+		if loadOp != noLoadOp {
+			b := rootb
+		load:
+			for {
+				metaw := b.meta.Load()
+				markedw := markZeroBytes(metaw^h2w) & metaMask
+				for markedw != 0 {
+					idx := firstMarkedByteIndex(markedw)
+					e := b.entries[idx].Load()
+					if e != nil {
+						if e.key == key {
+							if loadOp == loadOrComputeOp {
+								return e.value, true
+							}
+							break load
+						}
+					}
+					markedw &= markedw - 1
+				}
+				b = b.next.Load()
+				if b == nil {
+					if loadOp == loadAndDeleteOp {
+						return *new(V), false
+					}
+					break load
+				}
+			}
+		}
+
+		rootb.mu.Lock()
+		// The following two checks must go in reverse to what's
+		// in the resize method.
+		if m.resizeInProgress() {
+			// Resize is in progress. Wait, then go for another attempt.
+			rootb.mu.Unlock()
+			m.waitForResize()
+			goto compute_attempt
+		}
+		if m.newerTableExists(table) {
+			// Someone resized the table. Go for another attempt.
+			rootb.mu.Unlock()
+			goto compute_attempt
+		}
+		b := rootb
+		for {
+			metaw := b.meta.Load()
+			markedw := markZeroBytes(metaw^h2w) & metaMask
+			for markedw != 0 {
+				idx := firstMarkedByteIndex(markedw)
+				e := b.entries[idx].Load()
+				if e != nil {
+					if e.key == key {
+						// In-place update/delete.
+						// We get a copy of the value via an interface{} on each call,
+						// thus the live value pointers are unique. Otherwise atomic
+						// snapshot won't be correct in case of multiple Store calls
+						// using the same value.
+						oldv := e.value
+						newv, op := valueFn(oldv, true)
+						switch op {
+						case DeleteOp:
+							// Deletion.
+							// First we update the hash, then the entry.
+							newmetaw := setByte(metaw, emptyMetaSlot, idx)
+							b.meta.Store(newmetaw)
+							b.entries[idx].Store(nil)
+							rootb.mu.Unlock()
+							table.addSize(bidx, -1)
+							// Might need to shrink the table if we left bucket empty.
+							if newmetaw == defaultMeta {
+								m.resize(table, mapShrinkHint)
+							}
+							return oldv, !computeOnly
+						case UpdateOp:
+							newe := new(entry[K, V])
+							newe.key = key
+							newe.value = newv
+							b.entries[idx].Store(newe)
+						case CancelOp:
+							newv = oldv
+						}
+						rootb.mu.Unlock()
+						if computeOnly {
+							// Compute expects the new value to be returned.
+							return newv, true
+						}
+						// LoadAndStore expects the old value to be returned.
+						return oldv, true
+					}
+				}
+				markedw &= markedw - 1
+			}
+			if emptyb == nil {
+				// Search for empty entries (up to 5 per bucket).
+				emptyw := metaw & defaultMetaMasked
+				if emptyw != 0 {
+					idx := firstMarkedByteIndex(emptyw)
+					emptyb = b
+					emptyidx = idx
+				}
+			}
+			if b.next.Load() == nil {
+				if emptyb != nil {
+					// Insertion into an existing bucket.
+					var zeroV V
+					newValue, op := valueFn(zeroV, false)
+					switch op {
+					case DeleteOp, CancelOp:
+						rootb.mu.Unlock()
+						return zeroV, false
+					default:
+						newe := new(entry[K, V])
+						newe.key = key
+						newe.value = newValue
+						// First we update meta, then the entry.
+						emptyb.meta.Store(setByte(emptyb.meta.Load(), h2, emptyidx))
+						emptyb.entries[emptyidx].Store(newe)
+						rootb.mu.Unlock()
+						table.addSize(bidx, 1)
+						return newValue, computeOnly
+					}
+				}
+				growThreshold := float64(tableLen) * entriesPerMapBucket * mapLoadFactor
+				if table.sumSize() > int64(growThreshold) {
+					// Need to grow the table. Then go for another attempt.
+					rootb.mu.Unlock()
+					m.resize(table, mapGrowHint)
+					goto compute_attempt
+				}
+				// Insertion into a new bucket.
+				var zeroV V
+				newValue, op := valueFn(zeroV, false)
+				switch op {
+				case DeleteOp, CancelOp:
+					rootb.mu.Unlock()
+					return newValue, false
+				default:
+					// Create and append a bucket.
+					newb := new(bucketPadded[K, V])
+					newb.meta.Store(setByte(defaultMeta, h2, 0))
+					newe := new(entry[K, V])
+					newe.key = key
+					newe.value = newValue
+					newb.entries[0].Store(newe)
+					b.next.Store(newb)
+					rootb.mu.Unlock()
+					table.addSize(bidx, 1)
+					return newValue, computeOnly
+				}
+			}
+			b = b.next.Load()
+		}
+	}
+}
+
+func (m *Map[K, V]) newerTableExists(table *mapTable[K, V]) bool {
+	return table != m.table.Load()
+}
+
+func (m *Map[K, V]) resizeInProgress() bool {
+	return m.resizing.Load()
+}
+
+func (m *Map[K, V]) waitForResize() {
+	m.resizeMu.Lock()
+	for m.resizeInProgress() {
+		m.resizeCond.Wait()
+	}
+	m.resizeMu.Unlock()
+}
+
+func (m *Map[K, V]) resize(knownTable *mapTable[K, V], hint mapResizeHint) {
+	knownTableLen := len(knownTable.buckets)
+	// Fast path for shrink attempts.
+	if hint == mapShrinkHint {
+		if m.growOnly ||
+			m.minTableLen == knownTableLen ||
+			knownTable.sumSize() > int64((knownTableLen*entriesPerMapBucket)/mapShrinkFraction) {
+			return
+		}
+	}
+	// Slow path.
+	if !m.resizing.CompareAndSwap(false, true) {
+		// Someone else started resize. Wait for it to finish.
+		m.waitForResize()
+		return
+	}
+	var newTable *mapTable[K, V]
+	table := m.table.Load()
+	tableLen := len(table.buckets)
+	switch hint {
+	case mapGrowHint:
+		// Grow the table with factor of 2.
+		m.totalGrowths.Add(1)
+		newTable = newMapTable[K, V](tableLen << 1)
+	case mapShrinkHint:
+		shrinkThreshold := int64((tableLen * entriesPerMapBucket) / mapShrinkFraction)
+		if tableLen > m.minTableLen && table.sumSize() <= shrinkThreshold {
+			// Shrink the table with factor of 2.
+			m.totalShrinks.Add(1)
+			newTable = newMapTable[K, V](tableLen >> 1)
+		} else {
+			// No need to shrink. Wake up all waiters and give up.
+			m.resizeMu.Lock()
+			m.resizing.Store(false)
+			m.resizeCond.Broadcast()
+			m.resizeMu.Unlock()
+			return
+		}
+	case mapClearHint:
+		newTable = newMapTable[K, V](m.minTableLen)
+	default:
+		panic(fmt.Sprintf("unexpected resize hint: %d", hint))
+	}
+	// Copy the data only if we're not clearing the map.
+	if hint != mapClearHint {
+		for i := 0; i < tableLen; i++ {
+			copied := copyBucket(&table.buckets[i], newTable)
+			newTable.addSizePlain(uint64(i), copied)
+		}
+	}
+	// Publish the new table and wake up all waiters.
+	m.table.Store(newTable)
+	m.resizeMu.Lock()
+	m.resizing.Store(false)
+	m.resizeCond.Broadcast()
+	m.resizeMu.Unlock()
+}
+
+func copyBucket[K comparable, V any](
+	b *bucketPadded[K, V],
+	destTable *mapTable[K, V],
+) (copied int) {
+	rootb := b
+	rootb.mu.Lock()
+	for {
+		for i := 0; i < entriesPerMapBucket; i++ {
+			if e := b.entries[i].Load(); e != nil {
+				hash := maphash.Comparable(destTable.seed, e.key)
+				bidx := uint64(len(destTable.buckets)-1) & h1(hash)
+				destb := &destTable.buckets[bidx]
+				appendToBucket(h2(hash), b.entries[i].Load(), destb)
+				copied++
+			}
+		}
+		if next := b.next.Load(); next == nil {
+			rootb.mu.Unlock()
+			return
+		} else {
+			b = next
+		}
+	}
+}
+
+// Range calls f sequentially for each key and value present in the
+// map. If f returns false, range stops the iteration.
+//
+// Range does not necessarily correspond to any consistent snapshot
+// of the Map's contents: no key will be visited more than once, but
+// if the value for any key is stored or deleted concurrently, Range
+// may reflect any mapping for that key from any point during the
+// Range call.
+//
+// It is safe to modify the map while iterating it, including entry
+// creation, modification and deletion. However, the concurrent
+// modification rule apply, i.e. the changes may be not reflected
+// in the subsequently iterated entries.
+func (m *Map[K, V]) Range(f func(key K, value V) bool) {
+	m.initOnce.Do(m.init)
+	// Pre-allocate array big enough to fit entries for most hash tables.
+	bentries := make([]*entry[K, V], 0, 16*entriesPerMapBucket)
+	table := m.table.Load()
+	for i := range table.buckets {
+		rootb := &table.buckets[i]
+		b := rootb
+		// Prevent concurrent modifications and copy all entries into
+		// the intermediate slice.
+		rootb.mu.Lock()
+		for {
+			for i := 0; i < entriesPerMapBucket; i++ {
+				if entry := b.entries[i].Load(); entry != nil {
+					bentries = append(bentries, entry)
+				}
+			}
+			if next := b.next.Load(); next == nil {
+				rootb.mu.Unlock()
+				break
+			} else {
+				b = next
+			}
+		}
+		// Call the function for all copied entries.
+		for j, e := range bentries {
+			if !f(e.key, e.value) {
+				return
+			}
+			// Remove the reference to avoid preventing the copied
+			// entries from being GCed until this method finishes.
+			bentries[j] = nil
+		}
+		bentries = bentries[:0]
+	}
+}
+
+// Clear deletes all keys and values currently stored in the map.
+func (m *Map[K, V]) Clear() {
+	m.initOnce.Do(m.init)
+	m.resize(m.table.Load(), mapClearHint)
+}
+
+// Size returns current size of the map.
+func (m *Map[K, V]) Size() int {
+	m.initOnce.Do(m.init)
+	return int(m.table.Load().sumSize())
+}
+
+func appendToBucket[K comparable, V any](h2 uint8, e *entry[K, V], b *bucketPadded[K, V]) {
+	for {
+		for i := 0; i < entriesPerMapBucket; i++ {
+			if b.entries[i].Load() == nil {
+				b.meta.Store(setByte(b.meta.Load(), h2, i))
+				b.entries[i].Store(e)
+				return
+			}
+		}
+		if next := b.next.Load(); next == nil {
+			newb := new(bucketPadded[K, V])
+			newb.meta.Store(setByte(defaultMeta, h2, 0))
+			newb.entries[0].Store(e)
+			b.next.Store(newb)
+			return
+		} else {
+			b = next
+		}
+	}
+}
+
+func (table *mapTable[K, V]) addSize(bucketIdx uint64, delta int) {
+	cidx := uint64(len(table.size)-1) & bucketIdx
+	atomic.AddInt64(&table.size[cidx].c, int64(delta))
+}
+
+func (table *mapTable[K, V]) addSizePlain(bucketIdx uint64, delta int) {
+	cidx := uint64(len(table.size)-1) & bucketIdx
+	table.size[cidx].c += int64(delta)
+}
+
+func (table *mapTable[K, V]) sumSize() int64 {
+	sum := int64(0)
+	for i := range table.size {
+		sum += atomic.LoadInt64(&table.size[i].c)
+	}
+	return sum
+}
+
+func h1(h uint64) uint64 {
+	return h >> 7
+}
+
+func h2(h uint64) uint8 {
+	return uint8(h & 0x7f)
+}
+
+// MapStats is Map statistics.
+//
+// Warning: map statistics are intented to be used for diagnostic
+// purposes, not for production code. This means that breaking changes
+// may be introduced into this struct even between minor releases.
+type MapStats struct {
+	// RootBuckets is the number of root buckets in the hash table.
+	// Each bucket holds a few entries.
+	RootBuckets int
+	// TotalBuckets is the total number of buckets in the hash table,
+	// including root and their chained buckets. Each bucket holds
+	// a few entries.
+	TotalBuckets int
+	// EmptyBuckets is the number of buckets that hold no entries.
+	EmptyBuckets int
+	// Capacity is the Map capacity, i.e. the total number of
+	// entries that all buckets can physically hold. This number
+	// does not consider the load factor.
+	Capacity int
+	// Size is the exact number of entries stored in the map.
+	Size int
+	// Counter is the number of entries stored in the map according
+	// to the internal atomic counter. In case of concurrent map
+	// modifications this number may be different from Size.
+	Counter int
+	// CounterLen is the number of internal atomic counter stripes.
+	// This number may grow with the map capacity to improve
+	// multithreaded scalability.
+	CounterLen int
+	// MinEntries is the minimum number of entries per a chain of
+	// buckets, i.e. a root bucket and its chained buckets.
+	MinEntries int
+	// MinEntries is the maximum number of entries per a chain of
+	// buckets, i.e. a root bucket and its chained buckets.
+	MaxEntries int
+	// TotalGrowths is the number of times the hash table grew.
+	TotalGrowths int64
+	// TotalGrowths is the number of times the hash table shrinked.
+	TotalShrinks int64
+}
+
+// ToString returns string representation of map stats.
+func (s *MapStats) ToString() string {
+	var sb strings.Builder
+	sb.WriteString("MapStats{\n")
+	sb.WriteString(fmt.Sprintf("RootBuckets:  %d\n", s.RootBuckets))
+	sb.WriteString(fmt.Sprintf("TotalBuckets: %d\n", s.TotalBuckets))
+	sb.WriteString(fmt.Sprintf("EmptyBuckets: %d\n", s.EmptyBuckets))
+	sb.WriteString(fmt.Sprintf("Capacity:     %d\n", s.Capacity))
+	sb.WriteString(fmt.Sprintf("Size:         %d\n", s.Size))
+	sb.WriteString(fmt.Sprintf("Counter:      %d\n", s.Counter))
+	sb.WriteString(fmt.Sprintf("CounterLen:   %d\n", s.CounterLen))
+	sb.WriteString(fmt.Sprintf("MinEntries:   %d\n", s.MinEntries))
+	sb.WriteString(fmt.Sprintf("MaxEntries:   %d\n", s.MaxEntries))
+	sb.WriteString(fmt.Sprintf("TotalGrowths: %d\n", s.TotalGrowths))
+	sb.WriteString(fmt.Sprintf("TotalShrinks: %d\n", s.TotalShrinks))
+	sb.WriteString("}\n")
+	return sb.String()
+}
+
+// Stats returns statistics for the Map. Just like other map
+// methods, this one is thread-safe. Yet it's an O(N) operation,
+// so it should be used only for diagnostics or debugging purposes.
+func (m *Map[K, V]) Stats() MapStats {
+	m.initOnce.Do(m.init)
+	stats := MapStats{
+		TotalGrowths: m.totalGrowths.Load(),
+		TotalShrinks: m.totalShrinks.Load(),
+		MinEntries:   math.MaxInt32,
+	}
+	table := m.table.Load()
+	stats.RootBuckets = len(table.buckets)
+	stats.Counter = int(table.sumSize())
+	stats.CounterLen = len(table.size)
+	for i := range table.buckets {
+		nentries := 0
+		b := &table.buckets[i]
+		stats.TotalBuckets++
+		for {
+			nentriesLocal := 0
+			stats.Capacity += entriesPerMapBucket
+			for i := 0; i < entriesPerMapBucket; i++ {
+				if b.entries[i].Load() != nil {
+					stats.Size++
+					nentriesLocal++
+				}
+			}
+			nentries += nentriesLocal
+			if nentriesLocal == 0 {
+				stats.EmptyBuckets++
+			}
+			if next := b.next.Load(); next == nil {
+				break
+			} else {
+				b = next
+			}
+			stats.TotalBuckets++
+		}
+		if nentries < stats.MinEntries {
+			stats.MinEntries = nentries
+		}
+		if nentries > stats.MaxEntries {
+			stats.MaxEntries = nentries
+		}
+	}
+	return stats
+}
+
+const (
+	// cacheLineSize is used in paddings to prevent false sharing;
+	// 64B are used instead of 128B as a compromise between
+	// memory footprint and performance; 128B usage may give ~30%
+	// improvement on NUMA machines.
+	cacheLineSize = 64
+)
+
+// nextPowOf2 computes the next highest power of 2 of 32-bit v.
+// Source: https://graphics.stanford.edu/~seander/bithacks.html#RoundUpPowerOf2
+func nextPowOf2(v uint32) uint32 {
+	if v == 0 {
+		return 1
+	}
+	v--
+	v |= v >> 1
+	v |= v >> 2
+	v |= v >> 4
+	v |= v >> 8
+	v |= v >> 16
+	v++
+	return v
+}
+
+func broadcast(b uint8) uint64 {
+	return 0x101010101010101 * uint64(b)
+}
+
+func firstMarkedByteIndex(w uint64) int {
+	return bits.TrailingZeros64(w) >> 3
+}
+
+// SWAR byte search: may produce false positives, e.g. for 0x0100,
+// so make sure to double-check bytes found by this function.
+func markZeroBytes(w uint64) uint64 {
+	return ((w - 0x0101010101010101) & (^w) & 0x8080808080808080)
+}
+
+func setByte(w uint64, b uint8, idx int) uint64 {
+	shift := idx << 3
+	return (w &^ (0xff << shift)) | (uint64(b) << shift)
+}

common/xsync/map_extra.go

@@ -0,0 +1,28 @@
+package xsync
+
+// LoadOrStoreFn returns the existing value for the key if
+// present. Otherwise, it tries to compute the value using the
+// provided function and, if successful, stores and returns
+// the computed value. The loaded result is true if the value was
+// loaded, or false if computed.
+//
+// This call locks a hash table bucket while the compute function
+// is executed. It means that modifications on other entries in
+// the bucket will be blocked until the valueFn executes. Consider
+// this when the function includes long-running operations.
+//
+// Recovery this API and renamed from xsync/v3's LoadOrCompute.
+// We unneeded support no-op (cancel) compute operation, it will only add complexity to existing code.
+func (m *Map[K, V]) LoadOrStoreFn(key K, valueFn func() V) (actual V, loaded bool) {
+	return m.doCompute(
+		key,
+		func(oldValue V, loaded bool) (V, ComputeOp) {
+			if loaded {
+				return oldValue, CancelOp
+			}
+			return valueFn(), UpdateOp
+		},
+		loadOrComputeOp,
+		false,
+	)
+}

common/xsync/map_extra_test.go

@@ -0,0 +1,49 @@
+package xsync
+
+import (
+	"strconv"
+	"testing"
+)
+
+func TestMapOfLoadOrStoreFn(t *testing.T) {
+	const numEntries = 1000
+	m := NewMap[string, int]()
+	for i := 0; i < numEntries; i++ {
+		v, loaded := m.LoadOrStoreFn(strconv.Itoa(i), func() int {
+			return i
+		})
+		if loaded {
+			t.Fatalf("value not computed for %d", i)
+		}
+		if v != i {
+			t.Fatalf("values do not match for %d: %v", i, v)
+		}
+	}
+	for i := 0; i < numEntries; i++ {
+		v, loaded := m.LoadOrStoreFn(strconv.Itoa(i), func() int {
+			return i
+		})
+		if !loaded {
+			t.Fatalf("value not loaded for %d", i)
+		}
+		if v != i {
+			t.Fatalf("values do not match for %d: %v", i, v)
+		}
+	}
+}
+
+func TestMapOfLoadOrStoreFn_FunctionCalledOnce(t *testing.T) {
+	m := NewMap[int, int]()
+	for i := 0; i < 100; {
+		m.LoadOrStoreFn(i, func() (v int) {
+			v, i = i, i+1
+			return v
+		})
+	}
+	m.Range(func(k, v int) bool {
+		if k != v {
+			t.Fatalf("%dth key is not equal to value %d", k, v)
+		}
+		return true
+	})
+}

component/auth/auth.go

@@ -41,3 +41,11 @@ func NewAuthenticator(users []AuthUser) Authenticator {
 	}
 	return au
 }
+
+var AlwaysValid Authenticator = alwaysValid{}
+
+type alwaysValid struct{}
+
+func (alwaysValid) Verify(string, string) bool { return true }
+
+func (alwaysValid) Users() []string { return nil }

component/ca/config.go

@@ -1,17 +1,13 @@
 package ca
 
 import (
-	"bytes"
-	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	_ "embed"
-	"encoding/hex"
 	"errors"
 	"fmt"
 	"os"
 	"strconv"
-	"strings"
 	"sync"
 
 	C "github.com/metacubex/mihomo/constant"
@@ -81,41 +77,15 @@ func getCertPool() *x509.CertPool {
 	return globalCertPool
 }
 
-func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-		// ssl pining
-		for i := range rawCerts {
-			rawCert := rawCerts[i]
-			cert, err := x509.ParseCertificate(rawCert)
-			if err == nil {
-				hash := sha256.Sum256(cert.Raw)
-				if bytes.Equal(fingerprint[:], hash[:]) {
-					return nil
-				}
-			}
-		}
-		return errNotMatch
-	}
-}
-
-func convertFingerprint(fingerprint string) (*[32]byte, error) {
-	fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))
-	fpByte, err := hex.DecodeString(fingerprint)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(fpByte) != 32 {
-		return nil, fmt.Errorf("fingerprint string length error,need sha256 fingerprint")
-	}
-	return (*[32]byte)(fpByte), nil
-}
-
 func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) {
 	var certificate []byte
 	var err error
 	if len(customCA) > 0 {
-		certificate, err = os.ReadFile(C.Path.Resolve(customCA))
+		path := C.Path.Resolve(customCA)
+		if !C.Path.IsSafePath(path) {
+			return nil, C.Path.ErrNotSafePath(path)
+		}
+		certificate, err = os.ReadFile(path)
 		if err != nil {
 			return nil, fmt.Errorf("load ca error: %w", err)
 		}
@@ -133,14 +103,6 @@ func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error)
 	}
 }
 
-func NewFingerprintVerifier(fingerprint string) (func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error, error) {
-	fingerprintBytes, err := convertFingerprint(fingerprint)
-	if err != nil {
-		return nil, err
-	}
-	return verifyFingerprint(fingerprintBytes), nil
-}
-
 // GetTLSConfig specified fingerprint, customCA and customCAString
 func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (_ *tls.Config, err error) {
 	if tlsConfig == nil {

component/ca/fingerprint.go

@@ -0,0 +1,44 @@
+package ca
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/hex"
+	"fmt"
+	"strings"
+)
+
+// NewFingerprintVerifier returns a function that verifies whether a certificate's SHA-256 fingerprint matches the given one.
+func NewFingerprintVerifier(fingerprint string) (func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error, error) {
+	switch fingerprint {
+	case "chrome", "firefox", "safari", "ios", "android", "edge", "360", "qq", "random", "randomized": // WTF???
+		return nil, fmt.Errorf("`fingerprint` is used for TLS certificate pinning. If you need to specify the browser fingerprint, use `client-fingerprint`")
+	}
+	fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))
+	fpByte, err := hex.DecodeString(fingerprint)
+	if err != nil {
+		return nil, fmt.Errorf("fingerprint string decode error: %w", err)
+	}
+
+	if len(fpByte) != 32 {
+		return nil, fmt.Errorf("fingerprint string length error,need sha256 fingerprint")
+	}
+
+	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+		// ssl pining
+		for _, rawCert := range rawCerts {
+			hash := sha256.Sum256(rawCert)
+			if bytes.Equal(fpByte, hash[:]) {
+				return nil
+			}
+		}
+		return errNotMatch
+	}, nil
+}
+
+// CalculateFingerprint computes the SHA-256 fingerprint of the given DER-encoded certificate and returns it as a hex string.
+func CalculateFingerprint(certDER []byte) string {
+	hash := sha256.Sum256(certDER)
+	return hex.EncodeToString(hash[:])
+}

component/ca/keypair.go

@@ -0,0 +1,101 @@
+package ca
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+)
+
+type Path interface {
+	Resolve(path string) string
+	IsSafePath(path string) bool
+	ErrNotSafePath(path string) error
+}
+
+// LoadTLSKeyPair loads a TLS key pair from the provided certificate and private key data or file paths, supporting fallback resolution.
+// Returns a tls.Certificate and an error, where the error indicates issues during parsing or file loading.
+// If both certificate and privateKey are empty, generates a random TLS RSA key pair.
+// Accepts a Path interface for resolving file paths when necessary.
+func LoadTLSKeyPair(certificate, privateKey string, path Path) (tls.Certificate, error) {
+	if certificate == "" && privateKey == "" {
+		var err error
+		certificate, privateKey, _, err = NewRandomTLSKeyPair(KeyPairTypeRSA)
+		if err != nil {
+			return tls.Certificate{}, err
+		}
+	}
+	cert, painTextErr := tls.X509KeyPair([]byte(certificate), []byte(privateKey))
+	if painTextErr == nil {
+		return cert, nil
+	}
+	if path == nil {
+		return tls.Certificate{}, painTextErr
+	}
+
+	certificate = path.Resolve(certificate)
+	privateKey = path.Resolve(privateKey)
+	var loadErr error
+	if !path.IsSafePath(certificate) {
+		loadErr = path.ErrNotSafePath(certificate)
+	} else if !path.IsSafePath(privateKey) {
+		loadErr = path.ErrNotSafePath(privateKey)
+	} else {
+		cert, loadErr = tls.LoadX509KeyPair(certificate, privateKey)
+	}
+	if loadErr != nil {
+		return tls.Certificate{}, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
+	}
+	return cert, nil
+}
+
+type KeyPairType string
+
+const (
+	KeyPairTypeRSA     KeyPairType = "rsa"
+	KeyPairTypeP256    KeyPairType = "p256"
+	KeyPairTypeP384    KeyPairType = "p384"
+	KeyPairTypeEd25519 KeyPairType = "ed25519"
+)
+
+// NewRandomTLSKeyPair generates a random TLS key pair based on the specified KeyPairType and returns it with a SHA256 fingerprint.
+// Note: Most browsers do not support KeyPairTypeEd25519 type of certificate, and utls.UConn will also reject this type of certificate.
+func NewRandomTLSKeyPair(keyPairType KeyPairType) (certificate string, privateKey string, fingerprint string, err error) {
+	var key crypto.Signer
+	switch keyPairType {
+	case KeyPairTypeRSA:
+		key, err = rsa.GenerateKey(rand.Reader, 2048)
+	case KeyPairTypeP256:
+		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	case KeyPairTypeP384:
+		key, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	case KeyPairTypeEd25519:
+		_, key, err = ed25519.GenerateKey(rand.Reader)
+	default: // fallback to KeyPairTypeRSA
+		key, err = rsa.GenerateKey(rand.Reader, 2048)
+	}
+	if err != nil {
+		return
+	}
+
+	template := x509.Certificate{SerialNumber: big.NewInt(1)}
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key)
+	if err != nil {
+		return
+	}
+	privBytes, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return
+	}
+	fingerprint = CalculateFingerprint(certDER)
+	privateKey = string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}))
+	certificate = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}))
+	return
+}

component/dialer/dialer.go

@@ -73,7 +73,7 @@ func ListenPacket(ctx context.Context, network, address string, rAddrPort netip.
 		}
 		if opt.interfaceName == "" {
 			if finder := DefaultInterfaceFinder.Load(); finder != nil {
-				opt.interfaceName = finder.FindInterfaceName(rAddrPort.Addr())
+				opt.interfaceName = finder.FindInterfaceName(rAddrPort.Addr().Unmap())
 			}
 		}
 		if rAddrPort.Addr().Unmap().IsLoopback() {

component/ech/ech.go

@@ -0,0 +1,31 @@
+package ech
+
+import (
+	"context"
+	"fmt"
+
+	tlsC "github.com/metacubex/mihomo/component/tls"
+)
+
+type Config struct {
+	GetEncryptedClientHelloConfigList func(ctx context.Context, serverName string) ([]byte, error)
+}
+
+func (cfg *Config) ClientHandle(ctx context.Context, tlsConfig *tlsC.Config) (err error) {
+	if cfg == nil {
+		return nil
+	}
+	echConfigList, err := cfg.GetEncryptedClientHelloConfigList(ctx, tlsConfig.ServerName)
+	if err != nil {
+		return fmt.Errorf("resolve ECH config error: %w", err)
+	}
+
+	tlsConfig.EncryptedClientHelloConfigList = echConfigList
+	if tlsConfig.MinVersion != 0 && tlsConfig.MinVersion < tlsC.VersionTLS13 {
+		tlsConfig.MinVersion = tlsC.VersionTLS13
+	}
+	if tlsConfig.MaxVersion != 0 && tlsConfig.MaxVersion < tlsC.VersionTLS13 {
+		tlsConfig.MaxVersion = tlsC.VersionTLS13
+	}
+	return nil
+}

component/ech/key.go

@@ -0,0 +1,143 @@
+package ech
+
+import (
+	"crypto/ecdh"
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/metacubex/mihomo/component/ca"
+	tlsC "github.com/metacubex/mihomo/component/tls"
+
+	"golang.org/x/crypto/cryptobyte"
+)
+
+const (
+	AEAD_AES_128_GCM      = 0x0001
+	AEAD_AES_256_GCM      = 0x0002
+	AEAD_ChaCha20Poly1305 = 0x0003
+)
+
+const extensionEncryptedClientHello = 0xfe0d
+const DHKEM_X25519_HKDF_SHA256 = 0x0020
+const KDF_HKDF_SHA256 = 0x0001
+
+// sortedSupportedAEADs is just a sorted version of hpke.SupportedAEADS.
+// We need this so that when we insert them into ECHConfigs the ordering
+// is stable.
+var sortedSupportedAEADs = []uint16{AEAD_AES_128_GCM, AEAD_AES_256_GCM, AEAD_ChaCha20Poly1305}
+
+func marshalECHConfig(id uint8, pubKey []byte, publicName string, maxNameLen uint8) []byte {
+	builder := cryptobyte.NewBuilder(nil)
+
+	builder.AddUint16(extensionEncryptedClientHello)
+	builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
+		builder.AddUint8(id)
+
+		builder.AddUint16(DHKEM_X25519_HKDF_SHA256) // The only DHKEM we support
+		builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
+			builder.AddBytes(pubKey)
+		})
+		builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
+			for _, aeadID := range sortedSupportedAEADs {
+				builder.AddUint16(KDF_HKDF_SHA256) // The only KDF we support
+				builder.AddUint16(aeadID)
+			}
+		})
+		builder.AddUint8(maxNameLen)
+		builder.AddUint8LengthPrefixed(func(builder *cryptobyte.Builder) {
+			builder.AddBytes([]byte(publicName))
+		})
+		builder.AddUint16(0) // extensions
+	})
+
+	return builder.BytesOrPanic()
+}
+
+func GenECHConfig(publicName string) (configBase64 string, keyPem string, err error) {
+	echKey, err := ecdh.X25519().GenerateKey(rand.Reader)
+	if err != nil {
+		return
+	}
+
+	echConfig := marshalECHConfig(0, echKey.PublicKey().Bytes(), publicName, 0)
+
+	builder := cryptobyte.NewBuilder(nil)
+	builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
+		builder.AddBytes(echConfig)
+	})
+	echConfigList := builder.BytesOrPanic()
+
+	builder2 := cryptobyte.NewBuilder(nil)
+	builder2.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
+		builder.AddBytes(echKey.Bytes())
+	})
+	builder2.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
+		builder.AddBytes(echConfig)
+	})
+	echConfigKeys := builder2.BytesOrPanic()
+
+	configBase64 = base64.StdEncoding.EncodeToString(echConfigList)
+	keyPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH KEYS", Bytes: echConfigKeys}))
+	return
+}
+
+func UnmarshalECHKeys(raw []byte) ([]tlsC.EncryptedClientHelloKey, error) {
+	var keys []tlsC.EncryptedClientHelloKey
+	rawString := cryptobyte.String(raw)
+	for !rawString.Empty() {
+		var key tlsC.EncryptedClientHelloKey
+		if !rawString.ReadUint16LengthPrefixed((*cryptobyte.String)(&key.PrivateKey)) {
+			return nil, errors.New("error parsing private key")
+		}
+		if !rawString.ReadUint16LengthPrefixed((*cryptobyte.String)(&key.Config)) {
+			return nil, errors.New("error parsing config")
+		}
+		keys = append(keys, key)
+	}
+	if len(keys) == 0 {
+		return nil, errors.New("empty ECH keys")
+	}
+	return keys, nil
+}
+
+func LoadECHKey(key string, tlsConfig *tlsC.Config, path ca.Path) error {
+	if key == "" {
+		return nil
+	}
+	painTextErr := loadECHKey([]byte(key), tlsConfig)
+	if painTextErr == nil {
+		return nil
+	}
+	key = path.Resolve(key)
+	var loadErr error
+	if !path.IsSafePath(key) {
+		loadErr = path.ErrNotSafePath(key)
+	} else {
+		var echKey []byte
+		echKey, loadErr = os.ReadFile(key)
+		if loadErr == nil {
+			loadErr = loadECHKey(echKey, tlsConfig)
+		}
+	}
+	if loadErr != nil {
+		return fmt.Errorf("parse ECH keys failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
+	}
+	return nil
+}
+
+func loadECHKey(echKey []byte, tlsConfig *tlsC.Config) error {
+	block, rest := pem.Decode(echKey)
+	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
+		return errors.New("invalid ECH keys pem")
+	}
+	echKeys, err := UnmarshalECHKeys(block.Bytes)
+	if err != nil {
+		return fmt.Errorf("parse ECH keys: %w", err)
+	}
+	tlsConfig.EncryptedClientHelloKeys = echKeys
+	return nil
+}

component/generater/cmd.go

@@ -1,37 +0,0 @@
-package generater
-
-import (
-	"encoding/base64"
-	"fmt"
-
-	"github.com/gofrs/uuid/v5"
-)
-
-func Main(args []string) {
-	if len(args) < 1 {
-		panic("Using: generate uuid/reality-keypair/wg-keypair")
-	}
-	switch args[0] {
-	case "uuid":
-		newUUID, err := uuid.NewV4()
-		if err != nil {
-			panic(err)
-		}
-		fmt.Println(newUUID.String())
-	case "reality-keypair":
-		privateKey, err := GeneratePrivateKey()
-		if err != nil {
-			panic(err)
-		}
-		publicKey := privateKey.PublicKey()
-		fmt.Println("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]))
-		fmt.Println("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]))
-	case "wg-keypair":
-		privateKey, err := GeneratePrivateKey()
-		if err != nil {
-			panic(err)
-		}
-		fmt.Println("PrivateKey: " + privateKey.String())
-		fmt.Println("PublicKey: " + privateKey.PublicKey().String())
-	}
-}

component/generater/types.go

@@ -1,97 +0,0 @@
-// Copy from https://github.com/WireGuard/wgctrl-go/blob/a9ab2273dd1075ea74b88c76f8757f8b4003fcbf/wgtypes/types.go#L71-L155
-
-package generater
-
-import (
-	"crypto/rand"
-	"encoding/base64"
-	"fmt"
-
-	"golang.org/x/crypto/curve25519"
-)
-
-// KeyLen is the expected key length for a WireGuard key.
-const KeyLen = 32 // wgh.KeyLen
-
-// A Key is a public, private, or pre-shared secret key.  The Key constructor
-// functions in this package can be used to create Keys suitable for each of
-// these applications.
-type Key [KeyLen]byte
-
-// GenerateKey generates a Key suitable for use as a pre-shared secret key from
-// a cryptographically safe source.
-//
-// The output Key should not be used as a private key; use GeneratePrivateKey
-// instead.
-func GenerateKey() (Key, error) {
-	b := make([]byte, KeyLen)
-	if _, err := rand.Read(b); err != nil {
-		return Key{}, fmt.Errorf("wgtypes: failed to read random bytes: %v", err)
-	}
-
-	return NewKey(b)
-}
-
-// GeneratePrivateKey generates a Key suitable for use as a private key from a
-// cryptographically safe source.
-func GeneratePrivateKey() (Key, error) {
-	key, err := GenerateKey()
-	if err != nil {
-		return Key{}, err
-	}
-
-	// Modify random bytes using algorithm described at:
-	// https://cr.yp.to/ecdh.html.
-	key[0] &= 248
-	key[31] &= 127
-	key[31] |= 64
-
-	return key, nil
-}
-
-// NewKey creates a Key from an existing byte slice.  The byte slice must be
-// exactly 32 bytes in length.
-func NewKey(b []byte) (Key, error) {
-	if len(b) != KeyLen {
-		return Key{}, fmt.Errorf("wgtypes: incorrect key size: %d", len(b))
-	}
-
-	var k Key
-	copy(k[:], b)
-
-	return k, nil
-}
-
-// ParseKey parses a Key from a base64-encoded string, as produced by the
-// Key.String method.
-func ParseKey(s string) (Key, error) {
-	b, err := base64.StdEncoding.DecodeString(s)
-	if err != nil {
-		return Key{}, fmt.Errorf("wgtypes: failed to parse base64-encoded key: %v", err)
-	}
-
-	return NewKey(b)
-}
-
-// PublicKey computes a public key from the private key k.
-//
-// PublicKey should only be called when k is a private key.
-func (k Key) PublicKey() Key {
-	var (
-		pub  [KeyLen]byte
-		priv = [KeyLen]byte(k)
-	)
-
-	// ScalarBaseMult uses the correct base value per https://cr.yp.to/ecdh.html,
-	// so no need to specify it.
-	curve25519.ScalarBaseMult(&pub, &priv)
-
-	return Key(pub)
-}
-
-// String returns the base64-encoded string representation of a Key.
-//
-// ParseKey can be used to produce a new Key from this string.
-func (k Key) String() string {
-	return base64.StdEncoding.EncodeToString(k[:])
-}

component/generator/cmd.go

@@ -0,0 +1,73 @@
+package generator
+
+import (
+	"encoding/base64"
+	"fmt"
+
+	"github.com/metacubex/mihomo/component/ech"
+	"github.com/metacubex/mihomo/transport/vless/encryption"
+
+	"github.com/gofrs/uuid/v5"
+)
+
+func Main(args []string) {
+	if len(args) < 1 {
+		panic("Using: generate uuid/reality-keypair/wg-keypair/ech-keypair/vless-mlkem768/vless-x25519")
+	}
+	switch args[0] {
+	case "uuid":
+		newUUID, err := uuid.NewV4()
+		if err != nil {
+			panic(err)
+		}
+		fmt.Println(newUUID.String())
+	case "reality-keypair":
+		privateKey, err := GenX25519PrivateKey()
+		if err != nil {
+			panic(err)
+		}
+		fmt.Println("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey.Bytes()))
+		fmt.Println("PublicKey: " + base64.RawURLEncoding.EncodeToString(privateKey.PublicKey().Bytes()))
+	case "wg-keypair":
+		privateKey, err := GenX25519PrivateKey()
+		if err != nil {
+			panic(err)
+		}
+		fmt.Println("PrivateKey: " + base64.StdEncoding.EncodeToString(privateKey.Bytes()))
+		fmt.Println("PublicKey: " + base64.StdEncoding.EncodeToString(privateKey.PublicKey().Bytes()))
+	case "ech-keypair":
+		if len(args) < 2 {
+			panic("Using: generate ech-keypair <plain_server_name>")
+		}
+		configBase64, keyPem, err := ech.GenECHConfig(args[1])
+		if err != nil {
+			panic(err)
+		}
+		fmt.Println("Config:", configBase64)
+		fmt.Println("Key:", keyPem)
+	case "vless-mlkem768":
+		var seed string
+		if len(args) > 1 {
+			seed = args[1]
+		}
+		seedBase64, clientBase64, hash32Base64, err := encryption.GenMLKEM768(seed)
+		if err != nil {
+			panic(err)
+		}
+		fmt.Println("Seed: " + seedBase64)
+		fmt.Println("Client: " + clientBase64)
+		fmt.Println("Hash32: " + hash32Base64)
+	case "vless-x25519":
+		var privateKey string
+		if len(args) > 1 {
+			privateKey = args[1]
+		}
+		privateKeyBase64, passwordBase64, hash32Base64, err := encryption.GenX25519(privateKey)
+		if err != nil {
+			panic(err)
+		}
+		fmt.Println("PrivateKey: " + privateKeyBase64)
+		fmt.Println("Password: " + passwordBase64)
+		fmt.Println("Hash32: " + hash32Base64)
+	}
+}

component/generator/x25519.go

@@ -0,0 +1,27 @@
+package generator
+
+import (
+	"crypto/ecdh"
+	"crypto/rand"
+)
+
+const X25519KeySize = 32
+
+func GenX25519PrivateKey() (*ecdh.PrivateKey, error) {
+	var privateKey [X25519KeySize]byte
+	_, err := rand.Read(privateKey[:])
+	if err != nil {
+		return nil, err
+	}
+
+	// Avoid generating equivalent X25519 private keys
+	// https://github.com/XTLS/Xray-core/pull/1747
+	//
+	// Modify random bytes using algorithm described at:
+	// https://cr.yp.to/ecdh.html.
+	privateKey[0] &= 248
+	privateKey[31] &= 127
+	privateKey[31] |= 64
+
+	return ecdh.X25519().NewPrivateKey(privateKey[:])
+}

component/geodata/utils.go

@@ -1,7 +1,6 @@
 package geodata
 
 import (
-	"errors"
 	"fmt"
 	"strings"
 
@@ -76,13 +75,13 @@ func LoadGeoSiteMatcher(countryCode string) (router.DomainMatcher, error) {
 	if countryCode[0] == '!' {
 		not = true
 		countryCode = countryCode[1:]
+		if countryCode == "" {
+			return nil, fmt.Errorf("country code could not be empty")
+		}
 	}
 	countryCode = strings.ToLower(countryCode)
 
 	parts := strings.Split(countryCode, "@")
-	if len(parts) == 0 {
-		return nil, errors.New("empty rule")
-	}
 	listName := strings.TrimSpace(parts[0])
 	attrVal := parts[1:]
 	attrs := parseAttrs(attrVal)

component/iface/iface.go

@@ -26,8 +26,9 @@ var (
 )
 
 type ifaceCache struct {
-	ifMap   map[string]*Interface
-	ifTable bart.Table[*Interface]
+	ifMapByName map[string]*Interface
+	ifMapByAddr map[netip.Addr]*Interface
+	ifTable     bart.Table[*Interface]
 }
 
 var caches = singledo.NewSingle[*ifaceCache](time.Second * 20)
@@ -40,7 +41,8 @@ func getCache() (*ifaceCache, error) {
 		}
 
 		cache := &ifaceCache{
-			ifMap: make(map[string]*Interface),
+			ifMapByName: make(map[string]*Interface),
+			ifMapByAddr: make(map[netip.Addr]*Interface),
 		}
 
 		for _, iface := range ifaces {
@@ -78,9 +80,13 @@ func getCache() (*ifaceCache, error) {
 				Flags:        iface.Flags,
 				Addresses:    ipNets,
 			}
-			cache.ifMap[iface.Name] = ifaceObj
+			cache.ifMapByName[iface.Name] = ifaceObj
 
+			if iface.Flags&net.FlagUp == 0 {
+				continue // interface down
+			}
 			for _, prefix := range ipNets {
+				cache.ifMapByAddr[prefix.Addr()] = ifaceObj
 				cache.ifTable.Insert(prefix, ifaceObj)
 			}
 		}
@@ -95,7 +101,7 @@ func Interfaces() (map[string]*Interface, error) {
 	if err != nil {
 		return nil, err
 	}
-	return cache.ifMap, nil
+	return cache.ifMapByName, nil
 }
 
 func ResolveInterface(name string) (*Interface, error) {
@@ -117,6 +123,11 @@ func ResolveInterfaceByAddr(addr netip.Addr) (*Interface, error) {
 	if err != nil {
 		return nil, err
 	}
+	// maybe two interfaces have the same prefix but different address
+	// so direct check address equal before do a route lookup (longest prefix match)
+	if iface, ok := cache.ifMapByAddr[addr]; ok {
+		return iface, nil
+	}
 	iface, ok := cache.ifTable.Lookup(addr)
 	if !ok {
 		return nil, ErrIfaceNotFound
@@ -130,7 +141,8 @@ func IsLocalIp(addr netip.Addr) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	return cache.ifTable.Contains(addr), nil
+	_, ok := cache.ifMapByAddr[addr]
+	return ok, nil
 }
 
 func FlushCache() {

component/keepalive/tcp_keepalive.go

@@ -10,27 +10,27 @@ import (
 )
 
 var (
-	keepAliveIdle     = atomic.NewTypedValue[time.Duration](0 * time.Second)
-	keepAliveInterval = atomic.NewTypedValue[time.Duration](0 * time.Second)
+	keepAliveIdle     = atomic.NewInt64(0)
+	keepAliveInterval = atomic.NewInt64(0)
 	disableKeepAlive  = atomic.NewBool(false)
 
 	SetDisableKeepAliveCallback = utils.NewCallback[bool]()
 )
 
 func SetKeepAliveIdle(t time.Duration) {
-	keepAliveIdle.Store(t)
+	keepAliveIdle.Store(int64(t))
 }
 
 func SetKeepAliveInterval(t time.Duration) {
-	keepAliveInterval.Store(t)
+	keepAliveInterval.Store(int64(t))
 }
 
 func KeepAliveIdle() time.Duration {
-	return keepAliveIdle.Load()
+	return time.Duration(keepAliveIdle.Load())
 }
 
 func KeepAliveInterval() time.Duration {
-	return keepAliveInterval.Load()
+	return time.Duration(keepAliveInterval.Load())
 }
 
 func SetDisableKeepAlive(disable bool) {

component/loopback/detector.go

@@ -8,11 +8,10 @@ import (
 	"strconv"
 
 	"github.com/metacubex/mihomo/common/callback"
+	"github.com/metacubex/mihomo/common/xsync"
 	"github.com/metacubex/mihomo/component/iface"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/features"
-
-	"github.com/puzpuzpuz/xsync/v3"
 )
 
 var disableLoopBackDetector, _ = strconv.ParseBool(os.Getenv("DISABLE_LOOPBACK_DETECTOR"))
@@ -26,22 +25,19 @@ func init() {
 var ErrReject = errors.New("reject loopback connection")
 
 type Detector struct {
-	connMap       *xsync.MapOf[netip.AddrPort, struct{}]
-	packetConnMap *xsync.MapOf[uint16, struct{}]
+	connMap       xsync.Map[netip.AddrPort, struct{}]
+	packetConnMap xsync.Map[uint16, struct{}]
 }
 
 func NewDetector() *Detector {
 	if disableLoopBackDetector {
 		return nil
 	}
-	return &Detector{
-		connMap:       xsync.NewMapOf[netip.AddrPort, struct{}](),
-		packetConnMap: xsync.NewMapOf[uint16, struct{}](),
-	}
+	return &Detector{}
 }
 
 func (l *Detector) NewConn(conn C.Conn) C.Conn {
-	if l == nil || l.connMap == nil {
+	if l == nil {
 		return conn
 	}
 	metadata := C.Metadata{}
@@ -59,7 +55,7 @@ func (l *Detector) NewConn(conn C.Conn) C.Conn {
 }
 
 func (l *Detector) NewPacketConn(conn C.PacketConn) C.PacketConn {
-	if l == nil || l.packetConnMap == nil {
+	if l == nil {
 		return conn
 	}
 	metadata := C.Metadata{}
@@ -78,7 +74,7 @@ func (l *Detector) NewPacketConn(conn C.PacketConn) C.PacketConn {
 }
 
 func (l *Detector) CheckConn(metadata *C.Metadata) error {
-	if l == nil || l.connMap == nil {
+	if l == nil {
 		return nil
 	}
 	connAddr := metadata.SourceAddrPort()
@@ -92,7 +88,7 @@ func (l *Detector) CheckConn(metadata *C.Metadata) error {
 }
 
 func (l *Detector) CheckPacketConn(metadata *C.Metadata) error {
-	if l == nil || l.packetConnMap == nil {
+	if l == nil {
 		return nil
 	}
 	connAddr := metadata.SourceAddrPort()

component/nat/table.go

@@ -4,27 +4,24 @@ import (
 	"net"
 	"sync"
 
+	"github.com/metacubex/mihomo/common/xsync"
 	C "github.com/metacubex/mihomo/constant"
-
-	"github.com/puzpuzpuz/xsync/v3"
 )
 
 type Table struct {
-	mapping *xsync.MapOf[string, *entry]
+	mapping xsync.Map[string, *entry]
 }
 
 type entry struct {
 	PacketSender    C.PacketSender
-	LocalUDPConnMap *xsync.MapOf[string, *net.UDPConn]
-	LocalLockMap    *xsync.MapOf[string, *sync.Cond]
+	LocalUDPConnMap xsync.Map[string, *net.UDPConn]
+	LocalLockMap    xsync.Map[string, *sync.Cond]
 }
 
 func (t *Table) GetOrCreate(key string, maker func() C.PacketSender) (C.PacketSender, bool) {
-	item, loaded := t.mapping.LoadOrCompute(key, func() *entry {
+	item, loaded := t.mapping.LoadOrStoreFn(key, func() *entry {
 		return &entry{
-			PacketSender:    maker(),
-			LocalUDPConnMap: xsync.NewMapOf[string, *net.UDPConn](),
-			LocalLockMap:    xsync.NewMapOf[string, *sync.Cond](),
+			PacketSender: maker(),
 		}
 	})
 	return item.PacketSender, loaded
@@ -68,7 +65,7 @@ func (t *Table) GetOrCreateLockForLocalConn(lAddr, key string) (*sync.Cond, bool
 	if !loaded {
 		return nil, false
 	}
-	item, loaded := entry.LocalLockMap.LoadOrCompute(key, makeLock)
+	item, loaded := entry.LocalLockMap.LoadOrStoreFn(key, makeLock)
 	return item, loaded
 }
 
@@ -98,7 +95,5 @@ func makeLock() *sync.Cond {
 
 // New return *Cache
 func New() *Table {
-	return &Table{
-		mapping: xsync.NewMapOf[string, *entry](),
-	}
+	return &Table{}
 }

component/process/find_process_mode.go

@@ -1,57 +1,52 @@
 package process
 
 import (
-	"encoding/json"
 	"errors"
 	"strings"
 )
 
 const (
-	FindProcessAlways = "always"
-	FindProcessStrict = "strict"
-	FindProcessOff    = "off"
+	FindProcessStrict FindProcessMode = iota
+	FindProcessAlways
+	FindProcessOff
 )
 
 var (
-	validModes = map[string]struct{}{
-		FindProcessAlways: {},
-		FindProcessOff:    {},
-		FindProcessStrict: {},
+	validModes = map[string]FindProcessMode{
+		FindProcessStrict.String(): FindProcessStrict,
+		FindProcessAlways.String(): FindProcessAlways,
+		FindProcessOff.String():    FindProcessOff,
 	}
 )
 
-type FindProcessMode string
+type FindProcessMode int32
 
-func (m FindProcessMode) Always() bool {
-	return m == FindProcessAlways
-}
-
-func (m FindProcessMode) Off() bool {
-	return m == FindProcessOff
-}
-
-func (m *FindProcessMode) UnmarshalYAML(unmarshal func(any) error) error {
-	var tp string
-	if err := unmarshal(&tp); err != nil {
-		return err
-	}
-	return m.Set(tp)
-}
-
-func (m *FindProcessMode) UnmarshalJSON(data []byte) error {
-	var tp string
-	if err := json.Unmarshal(data, &tp); err != nil {
-		return err
-	}
-	return m.Set(tp)
+// UnmarshalText unserialize FindProcessMode
+func (m *FindProcessMode) UnmarshalText(data []byte) error {
+	return m.Set(string(data))
 }
 
 func (m *FindProcessMode) Set(value string) error {
-	mode := strings.ToLower(value)
-	_, exist := validModes[mode]
+	mode, exist := validModes[strings.ToLower(value)]
 	if !exist {
 		return errors.New("invalid find process mode")
 	}
-	*m = FindProcessMode(mode)
+	*m = mode
 	return nil
 }
+
+// MarshalText serialize FindProcessMode
+func (m FindProcessMode) MarshalText() ([]byte, error) {
+	return []byte(m.String()), nil
+}
+
+func (m FindProcessMode) String() string {
+	switch m {
+	case FindProcessAlways:
+		return "always"
+	case FindProcessOff:
+		return "off"
+	default:
+		return "strict"
+	}
+}

component/proxydialer/proxydialer.go

@@ -2,7 +2,6 @@ package proxydialer
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"net"
 	"net/netip"
@@ -10,7 +9,6 @@ import (
 
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
-	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/tunnel"
 	"github.com/metacubex/mihomo/tunnel/statistic"
@@ -40,23 +38,22 @@ func (p proxyDialer) DialContext(ctx context.Context, network, address string) (
 		return nil, err
 	}
 	if strings.Contains(network, "udp") { // using in wireguard outbound
-		if !currentMeta.Resolved() {
-			ip, err := resolver.ResolveIP(ctx, currentMeta.Host)
-			if err != nil {
-				return nil, errors.New("can't resolve ip")
-			}
-			currentMeta.DstIP = ip
-		}
 		pc, err := p.listenPacket(ctx, currentMeta)
 		if err != nil {
 			return nil, err
 		}
+		if !currentMeta.Resolved() { // should not happen, maybe by a wrongly implemented proxy, but we can handle this (:
+			err = pc.ResolveUDP(ctx, currentMeta)
+			if err != nil {
+				return nil, err
+			}
+		}
 		return N.NewBindPacketConn(pc, currentMeta.UDPAddr()), nil
 	}
 	var conn C.Conn
 	var err error
-	if d, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
-		conn, err = p.proxy.DialContext(ctx, currentMeta, dialer.WithOption(d.Opt))
+	if _, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
+		conn, err = p.proxy.DialContext(ctx, currentMeta)
 	} else {
 		conn, err = p.proxy.DialContextWithDialer(ctx, p.dialer, currentMeta)
 	}
@@ -78,8 +75,8 @@ func (p proxyDialer) listenPacket(ctx context.Context, currentMeta *C.Metadata)
 	var pc C.PacketConn
 	var err error
 	currentMeta.NetWork = C.UDP
-	if d, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
-		pc, err = p.proxy.ListenPacketContext(ctx, currentMeta, dialer.WithOption(d.Opt))
+	if _, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
+		pc, err = p.proxy.ListenPacketContext(ctx, currentMeta)
 	} else {
 		pc, err = p.proxy.ListenPacketWithDialer(ctx, p.dialer, currentMeta)
 	}

component/proxydialer/sing.go

@@ -6,8 +6,8 @@ import (
 
 	C "github.com/metacubex/mihomo/constant"
 
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	M "github.com/metacubex/sing/common/metadata"
+	N "github.com/metacubex/sing/common/network"
 )
 
 type SingDialer interface {

component/proxydialer/slowdown_sing.go

@@ -5,7 +5,7 @@ import (
 	"net"
 
 	"github.com/metacubex/mihomo/component/slowdown"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
 )
 
 type SlowDownSingDialer struct {

component/resolver/host.go

@@ -77,7 +77,7 @@ func NewHostValue(value any) (HostValue, error) {
 			isDomain = false
 			for _, str := range valueArr {
 				if ip, err := netip.ParseAddr(str); err == nil {
-					ips = append(ips, ip)
+					ips = append(ips, ip.Unmap())
 				} else {
 					return HostValue{}, err
 				}
@@ -85,7 +85,7 @@ func NewHostValue(value any) (HostValue, error) {
 		} else if len(valueArr) == 1 {
 			host := valueArr[0]
 			if ip, err := netip.ParseAddr(host); err == nil {
-				ips = append(ips, ip)
+				ips = append(ips, ip.Unmap())
 				isDomain = false
 			} else {
 				domain = host
@@ -113,7 +113,7 @@ func NewHostValueByDomain(domain string) (HostValue, error) {
 	domain = strings.Trim(domain, ".")
 	item := strings.Split(domain, ".")
 	if len(item) < 2 {
-		return HostValue{}, errors.New("invaild domain")
+		return HostValue{}, errors.New("invalid domain")
 	}
 	return HostValue{
 		IsDomain: true,

component/resolver/relay.go

@@ -46,17 +46,24 @@ func RelayDnsConn(ctx context.Context, conn net.Conn, readTimeout time.Duration)
 			ctx, cancel := context.WithTimeout(ctx, DefaultDnsRelayTimeout)
 			defer cancel()
 			inData := buff[:n]
-			msg, err := relayDnsPacket(ctx, inData, buff, 0)
+			outBuff := buff[2:]
+			msg, err := relayDnsPacket(ctx, inData, outBuff, 0)
 			if err != nil {
 				return err
 			}
 
-			err = binary.Write(conn, binary.BigEndian, uint16(len(msg)))
-			if err != nil {
-				return err
+			if &msg[0] == &outBuff[0] { // msg is still in the buff
+				binary.BigEndian.PutUint16(buff[:2], uint16(len(msg)))
+				outBuff = buff[:2+len(msg)]
+			} else { // buff not big enough (WTF???)
+				newBuff := pool.Get(len(msg) + 2)
+				defer pool.Put(newBuff)
+				binary.BigEndian.PutUint16(newBuff[:2], uint16(len(msg)))
+				copy(newBuff[2:], msg)
+				outBuff = newBuff
 			}
 
-			_, err = conn.Write(msg)
+			_, err = conn.Write(outBuff)
 			if err != nil {
 				return err
 			}

component/resolver/resolver.go

@@ -5,7 +5,6 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
-	"strings"
 	"time"
 
 	"github.com/metacubex/mihomo/common/utils"
@@ -49,6 +48,7 @@ type Resolver interface {
 	LookupIP(ctx context.Context, host string) (ips []netip.Addr, err error)
 	LookupIPv4(ctx context.Context, host string) (ips []netip.Addr, err error)
 	LookupIPv6(ctx context.Context, host string) (ips []netip.Addr, err error)
+	ResolveECH(ctx context.Context, host string) ([]byte, error)
 	ExchangeContext(ctx context.Context, m *dns.Msg) (msg *dns.Msg, err error)
 	Invalid() bool
 	ClearCache()
@@ -67,7 +67,8 @@ func LookupIPv4WithResolver(ctx context.Context, host string, r Resolver) ([]net
 
 	ip, err := netip.ParseAddr(host)
 	if err == nil {
-		if ip.Is4() || ip.Is4In6() {
+		ip = ip.Unmap()
+		if ip.Is4() {
 			return []netip.Addr{ip}, nil
 		}
 		return []netip.Addr{}, ErrIPVersion
@@ -116,7 +117,8 @@ func LookupIPv6WithResolver(ctx context.Context, host string, r Resolver) ([]net
 	}
 
 	if ip, err := netip.ParseAddr(host); err == nil {
-		if strings.Contains(host, ":") {
+		ip = ip.Unmap()
+		if ip.Is6() {
 			return []netip.Addr{ip}, nil
 		}
 		return nil, ErrIPVersion
@@ -165,6 +167,7 @@ func LookupIPWithResolver(ctx context.Context, host string, r Resolver) ([]netip
 	}
 
 	if ip, err := netip.ParseAddr(host); err == nil {
+		ip = ip.Unmap()
 		return []netip.Addr{ip}, nil
 	}
 
@@ -216,10 +219,29 @@ func ResolveIPPrefer6(ctx context.Context, host string) (netip.Addr, error) {
 	return ResolveIPPrefer6WithResolver(ctx, host, DefaultResolver)
 }
 
+func ResolveECHWithResolver(ctx context.Context, host string, r Resolver) ([]byte, error) {
+	if r != nil && r.Invalid() {
+		return r.ResolveECH(ctx, host)
+	}
+	return SystemResolver.ResolveECH(ctx, host)
+}
+
+func ResolveECH(ctx context.Context, host string) ([]byte, error) {
+	return ResolveECHWithResolver(ctx, host, DefaultResolver)
+}
+
+func ClearCache() {
+	if DefaultResolver != nil {
+		go DefaultResolver.ClearCache()
+	}
+	go SystemResolver.ClearCache() // SystemResolver unneeded check nil
+}
+
 func ResetConnection() {
 	if DefaultResolver != nil {
 		go DefaultResolver.ResetConnection()
 	}
+	go SystemResolver.ResetConnection() // SystemResolver unneeded check nil
 }
 
 func SortationAddr(ips []netip.Addr) (ipv4s, ipv6s []netip.Addr) {

component/resource/fetcher.go

@@ -3,13 +3,15 @@ package resource
 import (
 	"context"
 	"os"
+	"sync"
 	"time"
 
 	"github.com/metacubex/mihomo/common/utils"
+	"github.com/metacubex/mihomo/component/slowdown"
 	types "github.com/metacubex/mihomo/constant/provider"
 	"github.com/metacubex/mihomo/log"
 
-	"github.com/sagernet/fswatch"
+	"github.com/metacubex/fswatch"
 	"github.com/samber/lo"
 )
 
@@ -27,6 +29,8 @@ type Fetcher[V any] struct {
 	interval     time.Duration
 	onUpdate     func(V)
 	watcher      *fswatch.Watcher
+	loadBufMutex sync.Mutex
+	backoff      slowdown.Backoff
 }
 
 func (f *Fetcher[V]) Name() string {
@@ -46,17 +50,11 @@ func (f *Fetcher[V]) UpdatedAt() time.Time {
 }
 
 func (f *Fetcher[V]) Initial() (V, error) {
-	var (
-		buf      []byte
-		contents V
-		err      error
-	)
-
 	if stat, fErr := os.Stat(f.vehicle.Path()); fErr == nil {
 		// local file exists, use it first
-		buf, err = os.ReadFile(f.vehicle.Path())
+		buf, err := os.ReadFile(f.vehicle.Path())
 		modTime := stat.ModTime()
-		contents, _, err = f.loadBuf(buf, utils.MakeHash(buf), false)
+		contents, _, err := f.loadBuf(buf, utils.MakeHash(buf), false)
 		f.updatedAt = modTime // reset updatedAt to file's modTime
 
 		if err == nil {
@@ -69,21 +67,25 @@ func (f *Fetcher[V]) Initial() (V, error) {
 	}
 
 	// parse local file error, fallback to remote
-	contents, _, err = f.Update()
+	contents, _, updateErr := f.Update()
 
+	// start the pull loop even if f.Update() failed
+	err := f.startPullLoop(false)
 	if err != nil {
 		return lo.Empty[V](), err
 	}
-	err = f.startPullLoop(false)
-	if err != nil {
-		return lo.Empty[V](), err
+
+	if updateErr != nil {
+		return lo.Empty[V](), updateErr
 	}
+
 	return contents, nil
 }
 
 func (f *Fetcher[V]) Update() (V, bool, error) {
 	buf, hash, err := f.vehicle.Read(f.ctx, f.hash)
 	if err != nil {
+		f.backoff.AddAttempt() // add a failed attempt to backoff
 		return lo.Empty[V](), false, err
 	}
 	return f.loadBuf(buf, hash, f.vehicle.Type() != types.File)
@@ -94,12 +96,16 @@ func (f *Fetcher[V]) SideUpdate(buf []byte) (V, bool, error) {
 }
 
 func (f *Fetcher[V]) loadBuf(buf []byte, hash utils.HashType, updateFile bool) (V, bool, error) {
+	f.loadBufMutex.Lock()
+	defer f.loadBufMutex.Unlock()
+
 	now := time.Now()
 	if f.hash.Equal(hash) {
 		if updateFile {
 			_ = os.Chtimes(f.vehicle.Path(), now, now)
 		}
 		f.updatedAt = now
+		f.backoff.Reset() // no error, reset backoff
 		return lo.Empty[V](), true, nil
 	}
 
@@ -109,8 +115,10 @@ func (f *Fetcher[V]) loadBuf(buf []byte, hash utils.HashType, updateFile bool) (
 
 	contents, err := f.parser(buf)
 	if err != nil {
+		f.backoff.AddAttempt() // add a failed attempt to backoff
 		return lo.Empty[V](), false, err
 	}
+	f.backoff.Reset() // no error, reset backoff
 
 	if updateFile {
 		if err = f.vehicle.Write(buf); err != nil {
@@ -145,14 +153,25 @@ func (f *Fetcher[V]) pullLoop(forceUpdate bool) {
 		log.Warnln("[Provider] %s not updated for a long time, force refresh", f.Name())
 		f.updateWithLog()
 	}
+	if attempt := f.backoff.Attempt(); attempt > 0 { // f.Update() was failed, decrease the interval from backoff to achieve fast retry
+		if duration := f.backoff.ForAttempt(attempt); duration < initialInterval {
+			initialInterval = duration
+		}
+	}
 
 	timer := time.NewTimer(initialInterval)
 	defer timer.Stop()
 	for {
 		select {
 		case <-timer.C:
-			timer.Reset(f.interval)
 			f.updateWithLog()
+			interval := f.interval
+			if attempt := f.backoff.Attempt(); attempt > 0 { // f.Update() was failed, decrease the interval from backoff to achieve fast retry
+				if duration := f.backoff.ForAttempt(attempt); duration < interval {
+					interval = duration
+				}
+			}
+			timer.Reset(interval)
 		case <-f.ctx.Done():
 			return
 		}
@@ -202,6 +221,10 @@ func (f *Fetcher[V]) updateWithLog() {
 
 func NewFetcher[V any](name string, interval time.Duration, vehicle types.Vehicle, parser Parser[V], onUpdate func(V)) *Fetcher[V] {
 	ctx, cancel := context.WithCancel(context.Background())
+	minBackoff := 10 * time.Second
+	if interval < minBackoff {
+		minBackoff = interval
+	}
 	return &Fetcher[V]{
 		ctx:       ctx,
 		ctxCancel: cancel,
@@ -210,5 +233,11 @@ func NewFetcher[V any](name string, interval time.Duration, vehicle types.Vehicl
 		parser:    parser,
 		onUpdate:  onUpdate,
 		interval:  interval,
+		backoff: slowdown.Backoff{
+			Factor: 2,
+			Jitter: false,
+			Min:    minBackoff,
+			Max:    interval,
+		},
 	}
 }