Fix lint errors

common/badversion/version.go

@@ -112,9 +112,7 @@ func IsValid(versionName string) bool {
 }
 
 func Parse(versionName string) (version Version) {
-	if strings.HasPrefix(versionName, "v") {
-		versionName = versionName[1:]
-	}
+	versionName = strings.TrimPrefix(versionName, "v")
 	if strings.Contains(versionName, "-") {
 		parts := strings.Split(versionName, "-")
 		versionName = parts[0]

common/convertor/adguard/convertor.go

@@ -63,9 +63,7 @@ parseLine:
 			}
 			continue
 		}
-		if strings.HasSuffix(ruleLine, "|") {
-			ruleLine = ruleLine[:len(ruleLine)-1]
-		}
+		ruleLine = strings.TrimSuffix(ruleLine, "|")
 		var (
 			isExclude   bool
 			isSuffix    bool
@@ -76,7 +74,7 @@ parseLine:
 		)
 		if !strings.HasPrefix(ruleLine, "/") && strings.Contains(ruleLine, "$") {
 			params := common.SubstringAfter(ruleLine, "$")
-			for _, param := range strings.Split(params, ",") {
+			for param := range strings.SplitSeq(params, ",") {
 				paramParts := strings.Split(param, "=")
 				var ignored bool
 				if len(paramParts) > 0 && len(paramParts) <= 2 {
@@ -106,9 +104,7 @@ parseLine:
 			ruleLine = ruleLine[2:]
 			isExclude = true
 		}
-		if strings.HasSuffix(ruleLine, "|") {
-			ruleLine = ruleLine[:len(ruleLine)-1]
-		}
+		ruleLine = strings.TrimSuffix(ruleLine, "|")
 		if strings.HasPrefix(ruleLine, "||") {
 			ruleLine = ruleLine[2:]
 			isSuffix = true
@@ -414,18 +410,18 @@ func ignoreIPCIDRRegexp(ruleLine string) bool {
 }
 
 func parseAdGuardHostLine(ruleLine string) (string, error) {
-	idx := strings.Index(ruleLine, " ")
-	if idx == -1 {
+	before, after, ok := strings.Cut(ruleLine, " ")
+	if !ok {
 		return "", os.ErrInvalid
 	}
-	address, err := netip.ParseAddr(ruleLine[:idx])
+	address, err := netip.ParseAddr(before)
 	if err != nil {
 		return "", err
 	}
 	if !address.IsUnspecified() {
 		return "", nil
 	}
-	domain := ruleLine[idx+1:]
+	domain := after
 	if !M.IsDomainName(domain) {
 		return "", E.New("invalid domain name: ", domain)
 	}

common/dialer/default_parallel_interface.go

@@ -136,18 +136,16 @@ func (d *DefaultDialer) dialParallelInterfaceFastFallback(ctx context.Context, d
 		go startRacer(fallbackCtx, false, iif)
 	}
 	var errors []error
-	for {
-		select {
-		case res := <-results:
-			if res.error == nil {
-				return res.Conn, res.primary, nil
-			}
-			errors = append(errors, res.error)
-			if len(errors) == len(primaryInterfaces)+len(fallbackInterfaces) {
-				return nil, false, E.Errors(errors...)
-			}
+	for res := range results {
+		if res.error == nil {
+			return res.Conn, res.primary, nil
+		}
+		errors = append(errors, res.error)
+		if len(errors) == len(primaryInterfaces)+len(fallbackInterfaces) {
+			return nil, false, E.Errors(errors...)
 		}
 	}
+	return nil, false, E.Errors(errors...)
 }
 
 func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listener net.ListenConfig, network string, addr string, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {

common/geosite/compat_test.go

@@ -19,11 +19,6 @@ func oldWriteString(writer varbin.Writer, value string) error {
 	return varbin.Write(writer, binary.BigEndian, value)
 }
 
-func oldWriteItem(writer varbin.Writer, item Item) error {
-	//nolint:staticcheck
-	return varbin.Write(writer, binary.BigEndian, item)
-}
-
 func oldReadString(reader varbin.Reader) (string, error) {
 	//nolint:staticcheck
 	return varbin.ReadValue[string](reader, binary.BigEndian)
@@ -224,7 +219,7 @@ func TestGeositeWriteReadCompat(t *testing.T) {
 
 func generateLargeItems(count int) map[string][]Item {
 	items := make([]Item, count)
-	for i := 0; i < count; i++ {
+	for i := range count {
 		items[i] = Item{
 			Type:  ItemType(i % 4),
 			Value: strings.Repeat("x", i%200) + ".com",

common/geosite/reader.go

@@ -48,12 +48,6 @@ func NewReader(readSeeker io.ReadSeeker) (*Reader, []string, error) {
 	return reader, codes, nil
 }
 
-type geositeMetadata struct {
-	Code   string
-	Index  uint64
-	Length uint64
-}
-
 func (r *Reader) readMetadata() error {
 	counter := &readCounter{Reader: r.reader}
 	reader := bufio.NewReader(counter)
@@ -101,6 +95,9 @@ func (r *Reader) readMetadata() error {
 }
 
 func (r *Reader) Read(code string) ([]Item, error) {
+	r.access.Lock()
+	defer r.access.Unlock()
+
 	index, exists := r.domainIndex[code]
 	if !exists {
 		return nil, E.New("code ", code, " not exists!")

common/ja3/parser.go

@@ -131,7 +131,7 @@ func (j *ClientHello) parseHandshake(hs []byte) error {
 		return &ParseError{LengthErr, 7}
 	}
 
-	for i := 0; i < numCiphers; i++ {
+	for i := range numCiphers {
 		cipherSuite := uint16(cs[2+i<<1])<<8 | uint16(cs[3+i<<1])
 		cipherSuites = append(cipherSuites, cipherSuite)
 	}
@@ -234,7 +234,7 @@ func (j *ClientHello) parseExtensions(exs []byte) error {
 				return &ParseError{LengthErr, 16}
 			}
 
-			for i := 0; i < numCurves; i++ {
+			for i := range numCurves {
 				ecType := uint16(sex[i*2])<<8 | uint16(sex[1+i*2])
 				ellipticCurves = append(ellipticCurves, ecType)
 			}
@@ -256,7 +256,7 @@ func (j *ClientHello) parseExtensions(exs []byte) error {
 				return &ParseError{LengthErr, 18}
 			}
 
-			for i := 0; i < numPF; i++ {
+			for i := range numPF {
 				ellipticCurvePF[i] = uint8(sex[i])
 			}
 		case versionExtensionType:

common/ktls/ktls_handshake_messages.go

@@ -6,48 +6,7 @@
 
 package ktls
 
-import (
-	"fmt"
-
-	"golang.org/x/crypto/cryptobyte"
-)
-
-// The marshalingFunction type is an adapter to allow the use of ordinary
-// functions as cryptobyte.MarshalingValue.
-type marshalingFunction func(b *cryptobyte.Builder) error
-
-func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error {
-	return f(b)
-}
-
-// addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If
-// the length of the sequence is not the value specified, it produces an error.
-func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) {
-	b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error {
-		if len(v) != n {
-			return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v))
-		}
-		b.AddBytes(v)
-		return nil
-	}))
-}
-
-// addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder.
-func addUint64(b *cryptobyte.Builder, v uint64) {
-	b.AddUint32(uint32(v >> 32))
-	b.AddUint32(uint32(v))
-}
-
-// readUint64 decodes a big-endian, 64-bit value into out and advances over it.
-// It reports whether the read was successful.
-func readUint64(s *cryptobyte.String, out *uint64) bool {
-	var hi, lo uint32
-	if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) {
-		return false
-	}
-	*out = uint64(hi)<<32 | uint64(lo)
-	return true
-}
+import "golang.org/x/crypto/cryptobyte"
 
 // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a
 // []byte instead of a cryptobyte.String.
@@ -61,12 +20,6 @@ func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
 	return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out))
 }
 
-// readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a
-// []byte instead of a cryptobyte.String.
-func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
-	return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out))
-}
-
 type keyUpdateMsg struct {
 	updateRequested bool
 }
@@ -125,11 +78,6 @@ const (
 	typeMessageHash           uint8 = 254 // synthetic message
 )
 
-// TLS compression types.
-const (
-	compressionNone uint8 = 0
-)
-
 // TLS extension numbers
 const (
 	extensionServerName              uint16 = 0

common/ktls/ktls_write.go

@@ -77,78 +77,5 @@ func (c *Conn) writeRecordLocked(typ uint16, data []byte) (n int, err error) {
 	if !c.kernelTx {
 		return c.rawConn.WriteRecordLocked(typ, data)
 	}
-	/*for len(data) > 0 {
-		m := len(data)
-		if maxPayload := c.maxPayloadSizeForWrite(typ); m > maxPayload {
-			m = maxPayload
-		}
-		_, err = c.writeKernelRecord(typ, data[:m])
-		if err != nil {
-			return
-		}
-		n += m
-		data = data[m:]
-	}*/
 	return c.writeKernelRecord(typ, data)
 }
-
-const (
-	// tcpMSSEstimate is a conservative estimate of the TCP maximum segment
-	// size (MSS). A constant is used, rather than querying the kernel for
-	// the actual MSS, to avoid complexity. The value here is the IPv6
-	// minimum MTU (1280 bytes) minus the overhead of an IPv6 header (40
-	// bytes) and a TCP header with timestamps (32 bytes).
-	tcpMSSEstimate = 1208
-
-	// recordSizeBoostThreshold is the number of bytes of application data
-	// sent after which the TLS record size will be increased to the
-	// maximum.
-	recordSizeBoostThreshold = 128 * 1024
-)
-
-func (c *Conn) maxPayloadSizeForWrite(typ uint16) int {
-	if /*c.config.DynamicRecordSizingDisabled ||*/ typ != recordTypeApplicationData {
-		return maxPlaintext
-	}
-
-	if *c.rawConn.PacketsSent >= recordSizeBoostThreshold {
-		return maxPlaintext
-	}
-
-	// Subtract TLS overheads to get the maximum payload size.
-	payloadBytes := tcpMSSEstimate - recordHeaderLen - c.rawConn.Out.ExplicitNonceLen()
-	if rawCipher := *c.rawConn.Out.Cipher; rawCipher != nil {
-		switch ciph := rawCipher.(type) {
-		case cipher.Stream:
-			payloadBytes -= (*c.rawConn.Out.Mac).Size()
-		case cipher.AEAD:
-			payloadBytes -= ciph.Overhead()
-		/*case cbcMode:
-		blockSize := ciph.BlockSize()
-		// The payload must fit in a multiple of blockSize, with
-		// room for at least one padding byte.
-		payloadBytes = (payloadBytes & ^(blockSize - 1)) - 1
-		// The RawMac is appended before padding so affects the
-		// payload size directly.
-		payloadBytes -= c.out.mac.Size()*/
-		default:
-			panic("unknown cipher type")
-		}
-	}
-	if *c.rawConn.Vers == tls.VersionTLS13 {
-		payloadBytes-- // encrypted ContentType
-	}
-
-	// Allow packet growth in arithmetic progression up to max.
-	pkt := *c.rawConn.PacketsSent
-	*c.rawConn.PacketsSent++
-	if pkt > 1000 {
-		return maxPlaintext // avoid overflow in multiply below
-	}
-
-	n := payloadBytes * int(pkt+1)
-	if n > maxPlaintext {
-		n = maxPlaintext
-	}
-	return n
-}

common/process/searcher_darwin_shared.go

@@ -81,7 +81,7 @@ func (f *darwinConnectionFinder) find(network string, source netip.AddrPort, des
 	source = normalizeDarwinAddrPort(source)
 	destination = normalizeDarwinAddrPort(destination)
 	var lastOwner *adapter.ConnectionOwner
-	for attempt := 0; attempt < 2; attempt++ {
+	for attempt := range 2 {
 		snapshot, fromCache, err := f.loadSnapshot(networkName, attempt > 0)
 		if err != nil {
 			return nil, err

common/process/searcher_linux_shared.go

@@ -1,5 +1,6 @@
 //go:build linux
 
+//nolint:unused
 package process
 
 import (
@@ -117,7 +118,7 @@ func (c *socketDiagConn) query(source netip.AddrPort, destination netip.AddrPort
 	c.access.Lock()
 	defer c.access.Unlock()
 	request := packSocketDiagRequest(c.family, c.protocol, source, destination, false)
-	for attempt := 0; attempt < 2; attempt++ {
+	for range 2 {
 		err = c.ensureOpenLocked()
 		if err != nil {
 			return 0, 0, E.Cause(err, "dial netlink")

common/settings/proxy_darwin.go

@@ -109,7 +109,7 @@ func getInterfaceDisplayName(name string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	for _, deviceSpan := range strings.Split(string(content), "Ethernet Address") {
+	for deviceSpan := range strings.SplitSeq(string(content), "Ethernet Address") {
 		if strings.Contains(deviceSpan, "Device: "+name) {
 			substr := "Hardware Port: "
 			deviceSpan = deviceSpan[strings.Index(deviceSpan, substr)+len(substr):]

common/settings/wifi_linux_connman.go

@@ -40,14 +40,14 @@ func (m *connmanMonitor) ReadWIFIState() adapter.WIFIState {
 	defer cancel()
 
 	cmObj := m.conn.Object("net.connman", "/")
-	var services []interface{}
+	var services []any
 	err := cmObj.CallWithContext(ctx, "net.connman.Manager.GetServices", 0).Store(&services)
 	if err != nil {
 		return adapter.WIFIState{}
 	}
 
 	for _, service := range services {
-		servicePair, ok := service.([]interface{})
+		servicePair, ok := service.([]any)
 		if !ok || len(servicePair) != 2 {
 			continue
 		}

common/settings/wifi_linux_wpa.go

@@ -1,3 +1,4 @@
+//nolint:unused
 package settings
 
 import (
@@ -73,13 +74,13 @@ func (m *wpaSupplicantMonitor) ReadWIFIState() adapter.WIFIState {
 	scanner := bufio.NewScanner(strings.NewReader(status))
 	for scanner.Scan() {
 		line := scanner.Text()
-		if strings.HasPrefix(line, "wpa_state=") {
-			state := strings.TrimPrefix(line, "wpa_state=")
+		if after, ok := strings.CutPrefix(line, "wpa_state="); ok {
+			state := after
 			connected = state == "COMPLETED"
-		} else if strings.HasPrefix(line, "ssid=") {
-			ssid = strings.TrimPrefix(line, "ssid=")
-		} else if strings.HasPrefix(line, "bssid=") {
-			bssid = strings.TrimPrefix(line, "bssid=")
+		} else if after, ok := strings.CutPrefix(line, "ssid="); ok {
+			ssid = after
+		} else if after, ok := strings.CutPrefix(line, "bssid="); ok {
+			bssid = after
 		}
 	}
 

common/settings/wifi_stub.go

@@ -1,5 +1,6 @@
 //go:build !linux && !windows
 
+//nolint:unused
 package settings
 
 import (

common/sniff/internal/qtls/qtls.go

@@ -54,9 +54,8 @@ type xorNonceAEAD struct {
 	aead      cipher.AEAD
 }
 
-func (f *xorNonceAEAD) NonceSize() int        { return 8 } // 64-bit sequence number
-func (f *xorNonceAEAD) Overhead() int         { return f.aead.Overhead() }
-func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }
+func (f *xorNonceAEAD) NonceSize() int { return 8 } // 64-bit sequence number
+func (f *xorNonceAEAD) Overhead() int  { return f.aead.Overhead() }
 
 func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
 	for i, b := range nonce {

common/sniff/quic_blacklist.go

@@ -1,6 +1,8 @@
 package sniff
 
 import (
+	"slices"
+
 	"github.com/sagernet/sing-box/common/ja3"
 )
 
@@ -15,15 +17,8 @@ const (
 // Note: uQUIC with Chromium mimicry cannot be reliably distinguished from real Chromium
 // since it uses the same TLS fingerprint, so it will be identified as Chromium.
 func isQUICGo(fingerprint *ja3.ClientHello) bool {
-	for _, curve := range fingerprint.EllipticCurves {
-		if curve == x25519Kyber768Draft00 {
-			return true
-		}
+	if slices.Contains(fingerprint.EllipticCurves, x25519Kyber768Draft00) {
+		return true
 	}
-	for _, ext := range fingerprint.Extensions {
-		if ext == extensionRenegotiationInfo {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(fingerprint.Extensions, extensionRenegotiationInfo)
 }

common/sniff/quic_capture_test.go

@@ -30,7 +30,7 @@ func TestSniffQUICQuicGoFingerprint(t *testing.T) {
 	go func() {
 		var packets [][]byte
 		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
-		for i := 0; i < 10; i++ {
+		for range 10 {
 			buf := make([]byte, 2048)
 			n, _, err := udpConn.ReadFromUDP(buf)
 			if err != nil {
@@ -104,7 +104,7 @@ func TestSniffQUICInitialFromQuicGo(t *testing.T) {
 	go func() {
 		var packets [][]byte
 		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
-		for i := 0; i < 5; i++ { // Capture up to 5 packets
+		for range 5 { // Capture up to 5 packets
 			buf := make([]byte, 2048)
 			n, _, err := udpConn.ReadFromUDP(buf)
 			if err != nil {

common/srs/binary.go

@@ -78,7 +78,7 @@ func Read(reader io.Reader, recover bool) (ruleSetCompat option.PlainRuleSetComp
 	}
 	ruleSetCompat.Version = version
 	ruleSetCompat.Options.Rules = make([]option.HeadlessRule, length)
-	for i := uint64(0); i < length; i++ {
+	for i := range length {
 		ruleSetCompat.Options.Rules[i], err = readRule(bReader, recover)
 		if err != nil {
 			err = E.Cause(err, "read rule[", i, "]")
@@ -644,7 +644,7 @@ func readLogicalRule(reader varbin.Reader, recovery bool) (logicalRule option.Lo
 		return
 	}
 	logicalRule.Rules = make([]option.HeadlessRule, length)
-	for i := uint64(0); i < length; i++ {
+	for i := range length {
 		logicalRule.Rules[i], err = readRule(reader, recovery)
 		if err != nil {
 			err = E.Cause(err, "read logical rule [", i, "]")

common/srs/compat_test.go

@@ -450,7 +450,7 @@ func buildIPSet(cidrs ...string) *netipx.IPSet {
 
 func buildLargeIPSet(count int) *netipx.IPSet {
 	var builder netipx.IPSetBuilder
-	for i := 0; i < count; i++ {
+	for i := range count {
 		prefix := netip.PrefixFrom(netip.AddrFrom4([4]byte{10, byte(i / 256), byte(i % 256), 0}), 24)
 		builder.AddPrefix(prefix)
 	}

common/tls/reality_client.go

@@ -267,8 +267,8 @@ type realityVerifier struct {
 }
 
 func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-	p, _ := reflect.TypeOf(c.Conn).Elem().FieldByName("peerCertificates")
-	certs := *(*([]*x509.Certificate))(unsafe.Pointer(uintptr(unsafe.Pointer(c.Conn)) + p.Offset))
+	p, _ := reflect.TypeFor[utls.Conn]().FieldByName("peerCertificates")
+	certs := *(*([]*x509.Certificate))(unsafe.Add(unsafe.Pointer(c.Conn), p.Offset))
 	if pub, ok := certs[0].PublicKey.(ed25519.PublicKey); ok {
 		h := hmac.New(sha512.New, c.authKey)
 		h.Write(pub)

common/tls/std_server.go

@@ -141,13 +141,14 @@ func (c *STDServerConfig) startWatcher() error {
 
 func (c *STDServerConfig) certificateUpdated(path string) error {
 	if path == c.certificatePath || path == c.keyPath {
-		if path == c.certificatePath {
+		switch path {
+		case c.certificatePath:
 			certificate, err := os.ReadFile(c.certificatePath)
 			if err != nil {
 				return E.Cause(err, "reload certificate from ", c.certificatePath)
 			}
 			c.certificate = certificate
-		} else if path == c.keyPath {
+		case c.keyPath:
 			key, err := os.ReadFile(c.keyPath)
 			if err != nil {
 				return E.Cause(err, "reload key from ", c.keyPath)
@@ -338,9 +339,10 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 			}
 			tlsConfig.ClientCAs = clientCertificateCA
 		} else if len(options.ClientCertificatePublicKeySHA256) > 0 {
-			if tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert {
+			switch tlsConfig.ClientAuth {
+			case tls.RequireAndVerifyClientCert:
 				tlsConfig.ClientAuth = tls.RequireAnyClientCert
-			} else if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven {
+			case tls.VerifyClientCertIfGiven:
 				tlsConfig.ClientAuth = tls.RequestClientCert
 			}
 			tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {