Update sing-box core, refactor MASQUE, update XHTTP

2026-05-31 08:24:24 +03:00 · 2026-05-29 01:31:57 +03:00
parent 1cb7950810
commit b953954b60
111 changed files with 1291 additions and 1660 deletions
--- a/protocol/direct/loopback_detect.go
+++ b/protocol/direct/loopback_detect.go
@@ -1,186 +0,0 @@
-package direct
-
-import (
-	"net"
-	"net/netip"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type loopBackDetector struct {
-	networkManager   adapter.NetworkManager
-	connAccess       sync.RWMutex
-	packetConnAccess sync.RWMutex
-	connMap          map[netip.AddrPort]netip.AddrPort
-	packetConnMap    map[uint16]uint16
-}
-
-func newLoopBackDetector(networkManager adapter.NetworkManager) *loopBackDetector {
-	return &loopBackDetector{
-		networkManager: networkManager,
-		connMap:        make(map[netip.AddrPort]netip.AddrPort),
-		packetConnMap:  make(map[uint16]uint16),
-	}
-}
-
-func (l *loopBackDetector) NewConn(conn net.Conn) net.Conn {
-	source := M.AddrPortFromNet(conn.LocalAddr())
-	if !source.IsValid() {
-		return conn
-	}
-	if udpConn, isUDPConn := conn.(abstractUDPConn); isUDPConn {
-		if !source.Addr().IsLoopback() {
-			_, err := l.networkManager.InterfaceFinder().ByAddr(source.Addr())
-			if err != nil {
-				return conn
-			}
-		}
-		if !N.IsPublicAddr(source.Addr()) {
-			return conn
-		}
-		l.packetConnAccess.Lock()
-		l.packetConnMap[source.Port()] = M.AddrPortFromNet(conn.RemoteAddr()).Port()
-		l.packetConnAccess.Unlock()
-		return &loopBackDetectUDPWrapper{abstractUDPConn: udpConn, detector: l, connPort: source.Port()}
-	} else {
-		l.connAccess.Lock()
-		l.connMap[source] = M.AddrPortFromNet(conn.RemoteAddr())
-		l.connAccess.Unlock()
-		return &loopBackDetectWrapper{Conn: conn, detector: l, connAddr: source}
-	}
-}
-
-func (l *loopBackDetector) NewPacketConn(conn N.NetPacketConn, destination M.Socksaddr) N.NetPacketConn {
-	source := M.AddrPortFromNet(conn.LocalAddr())
-	if !source.IsValid() {
-		return conn
-	}
-	if !source.Addr().IsLoopback() {
-		_, err := l.networkManager.InterfaceFinder().ByAddr(source.Addr())
-		if err != nil {
-			return conn
-		}
-	}
-	l.packetConnAccess.Lock()
-	l.packetConnMap[source.Port()] = destination.AddrPort().Port()
-	l.packetConnAccess.Unlock()
-	return &loopBackDetectPacketWrapper{NetPacketConn: conn, detector: l, connPort: source.Port()}
-}
-
-func (l *loopBackDetector) CheckConn(source netip.AddrPort, local netip.AddrPort) bool {
-	l.connAccess.RLock()
-	defer l.connAccess.RUnlock()
-	destination, loaded := l.connMap[source]
-	return loaded && destination != local
-}
-
-func (l *loopBackDetector) CheckPacketConn(source netip.AddrPort, local netip.AddrPort) bool {
-	if !source.IsValid() {
-		return false
-	}
-	if !source.Addr().IsLoopback() {
-		_, err := l.networkManager.InterfaceFinder().ByAddr(source.Addr())
-		if err != nil {
-			return false
-		}
-	}
-	if N.IsPublicAddr(source.Addr()) {
-		return false
-	}
-	l.packetConnAccess.RLock()
-	defer l.packetConnAccess.RUnlock()
-	destinationPort, loaded := l.packetConnMap[source.Port()]
-	return loaded && destinationPort != local.Port()
-}
-
-type loopBackDetectWrapper struct {
-	net.Conn
-	detector  *loopBackDetector
-	connAddr  netip.AddrPort
-	closeOnce sync.Once
-}
-
-func (w *loopBackDetectWrapper) Close() error {
-	w.closeOnce.Do(func() {
-		w.detector.connAccess.Lock()
-		delete(w.detector.connMap, w.connAddr)
-		w.detector.connAccess.Unlock()
-	})
-	return w.Conn.Close()
-}
-
-func (w *loopBackDetectWrapper) ReaderReplaceable() bool {
-	return true
-}
-
-func (w *loopBackDetectWrapper) WriterReplaceable() bool {
-	return true
-}
-
-func (w *loopBackDetectWrapper) Upstream() any {
-	return w.Conn
-}
-
-type loopBackDetectPacketWrapper struct {
-	N.NetPacketConn
-	detector  *loopBackDetector
-	connPort  uint16
-	closeOnce sync.Once
-}
-
-func (w *loopBackDetectPacketWrapper) Close() error {
-	w.closeOnce.Do(func() {
-		w.detector.packetConnAccess.Lock()
-		delete(w.detector.packetConnMap, w.connPort)
-		w.detector.packetConnAccess.Unlock()
-	})
-	return w.NetPacketConn.Close()
-}
-
-func (w *loopBackDetectPacketWrapper) ReaderReplaceable() bool {
-	return true
-}
-
-func (w *loopBackDetectPacketWrapper) WriterReplaceable() bool {
-	return true
-}
-
-func (w *loopBackDetectPacketWrapper) Upstream() any {
-	return w.NetPacketConn
-}
-
-type abstractUDPConn interface {
-	net.Conn
-	net.PacketConn
-}
-
-type loopBackDetectUDPWrapper struct {
-	abstractUDPConn
-	detector  *loopBackDetector
-	connPort  uint16
-	closeOnce sync.Once
-}
-
-func (w *loopBackDetectUDPWrapper) Close() error {
-	w.closeOnce.Do(func() {
-		w.detector.packetConnAccess.Lock()
-		delete(w.detector.packetConnMap, w.connPort)
-		w.detector.packetConnAccess.Unlock()
-	})
-	return w.abstractUDPConn.Close()
-}
-
-func (w *loopBackDetectUDPWrapper) ReaderReplaceable() bool {
-	return true
-}
-
-func (w *loopBackDetectUDPWrapper) WriterReplaceable() bool {
-	return true
-}
-
-func (w *loopBackDetectUDPWrapper) Upstream() any {
-	return w.abstractUDPConn
-}
--- a/protocol/direct/outbound.go
+++ b/protocol/direct/outbound.go
@@ -41,7 +41,6 @@ type Outbound struct {
 	domainStrategy C.DomainStrategy
 	fallbackDelay  time.Duration
 	isEmpty        bool
-	// loopBack *loopBackDetector
 }

 func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.DirectOutboundOptions) (adapter.Outbound, error) {
@@ -67,7 +66,6 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		fallbackDelay:  time.Duration(options.FallbackDelay),
 		dialer:         outboundDialer.(dialer.ParallelInterfaceDialer),
 		isEmpty:        reflect.DeepEqual(options.DialerOptions, option.DialerOptions{UDPFragmentDefault: true}),
-		// loopBack:       newLoopBackDetector(router),
 	}
 	//nolint:staticcheck
 	if options.ProxyProtocol != 0 {
@@ -87,11 +85,6 @@ func (h *Outbound) DialContext(ctx context.Context, network string, destination
 	case N.NetworkUDP:
 		h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	}
-	/*conn, err := h.dialer.DialContext(ctx, network, destination)
-	if err != nil {
-		return nil, err
-	}
-	return h.loopBack.NewConn(conn), nil*/
 	return h.dialer.DialContext(ctx, network, destination)
 }

@@ -104,7 +97,6 @@ func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	if err != nil {
 		return nil, err
 	}
-	// conn = h.loopBack.NewPacketConn(bufio.NewPacketConn(conn), destination)
 	return conn, nil
 }

@@ -161,18 +153,3 @@ func (h *Outbound) ListenSerialNetworkPacket(ctx context.Context, destination M.
 func (h *Outbound) IsEmpty() bool {
 	return h.isEmpty
 }
-
-/*func (h *Outbound) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	if h.loopBack.CheckConn(metadata.Source.AddrPort(), M.AddrPortFromNet(conn.LocalAddr())) {
-		return E.New("reject loopback connection to ", metadata.Destination)
-	}
-	return NewConnection(ctx, h, conn, metadata)
-}
-
-func (h *Outbound) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	if h.loopBack.CheckPacketConn(metadata.Source.AddrPort(), M.AddrPortFromNet(conn.LocalAddr())) {
-		return E.New("reject loopback packet connection to ", metadata.Destination)
-	}
-	return NewPacketConnection(ctx, h, conn, metadata)
-}
-*/
--- a/protocol/dns/handle.go
+++ b/protocol/dns/handle.go
@@ -82,7 +82,7 @@ func NewDNSPacketConnection(ctx context.Context, router adapter.DNSRouter, conn
 		}
 		break
 	}
-	fastClose, cancel := common.ContextWithCancelCause(ctx)
+	fastClose, cancel := context.WithCancelCause(ctx)
 	timeout := canceler.New(fastClose, cancel, C.DNSTimeout)
 	var group task.Group
 	group.Append0(func(_ context.Context) error {
@@ -150,7 +150,7 @@ func NewDNSPacketConnection(ctx context.Context, router adapter.DNSRouter, conn
 }

 func newDNSPacketConnection(ctx context.Context, router adapter.DNSRouter, conn N.PacketConn, readWaiter N.PacketReadWaiter, readCounters []N.CountFunc, cached []*N.PacketBuffer, metadata adapter.InboundContext) error {
-	fastClose, cancel := common.ContextWithCancelCause(ctx)
+	fastClose, cancel := context.WithCancelCause(ctx)
 	timeout := canceler.New(fastClose, cancel, C.DNSTimeout)
 	var group task.Group
 	group.Append0(func(_ context.Context) error {
--- a/protocol/group/urltest.go
+++ b/protocol/group/urltest.go
@@ -35,7 +35,6 @@ var _ adapter.OutboundGroup = (*URLTest)(nil)
 type URLTest struct {
 	outbound.Adapter
 	ctx                          context.Context
-	router                       adapter.Router
 	outbound                     adapter.OutboundManager
 	connection                   adapter.ConnectionManager
 	logger                       log.ContextLogger
@@ -62,7 +61,6 @@ func NewURLTest(ctx context.Context, router adapter.Router, logger log.ContextLo
 	outbound := &URLTest{
 		Adapter:                      outbound.NewAdapter(C.TypeURLTest, tag, []string{N.NetworkTCP, N.NetworkUDP}, options.Outbounds),
 		ctx:                          ctx,
-		router:                       router,
 		outbound:                     service.FromContext[adapter.OutboundManager](ctx),
 		connection:                   service.FromContext[adapter.ConnectionManager](ctx),
 		logger:                       logger,
@@ -291,7 +289,6 @@ func (s *URLTest) onProviderUpdated(tag string) error {

 type URLTestGroup struct {
 	ctx                          context.Context
-	router                       adapter.Router
 	outbound                     adapter.OutboundManager
 	pause                        pause.Manager
 	pauseCallback                *list.Element[pause.Callback]
@@ -370,9 +367,10 @@ func (g *URLTestGroup) Touch() {
 		g.lastActive.Store(time.Now())
 		return
 	}
-	g.ticker = time.NewTicker(g.interval)
-	go g.loopCheck()
-	g.pauseCallback = pause.RegisterTicker(g.pause, g.ticker, g.interval, nil)
+	ticker := time.NewTicker(g.interval)
+	g.ticker = ticker
+	g.pauseCallback = pause.RegisterTicker(g.pause, ticker, g.interval, nil)
+	go g.loopCheck(ticker, g.close)
 }

 func (g *URLTestGroup) Close() error {
@@ -382,7 +380,9 @@ func (g *URLTestGroup) Close() error {
 		return nil
 	}
 	g.ticker.Stop()
+	g.ticker = nil
 	g.pause.UnregisterCallback(g.pauseCallback)
+	g.pauseCallback = nil
 	close(g.close)
 	return nil
 }
@@ -431,23 +431,25 @@ func (g *URLTestGroup) Select(network string) (adapter.Outbound, bool) {
 	return minOutbound, true
 }

-func (g *URLTestGroup) loopCheck() {
+func (g *URLTestGroup) loopCheck(ticker *time.Ticker, closeChan <-chan struct{}) {
 	if time.Since(g.lastActive.Load()) > g.interval {
 		g.lastActive.Store(time.Now())
 		g.CheckOutbounds(false)
 	}
 	for {
 		select {
-		case <-g.close:
+		case <-closeChan:
 			return
-		case <-g.ticker.C:
+		case <-ticker.C:
 		}
 		if time.Since(g.lastActive.Load()) > g.idleTimeout {
 			g.access.Lock()
-			g.ticker.Stop()
-			g.ticker = nil
-			g.pause.UnregisterCallback(g.pauseCallback)
-			g.pauseCallback = nil
+			if g.ticker == ticker {
+				g.ticker.Stop()
+				g.ticker = nil
+				g.pause.UnregisterCallback(g.pauseCallback)
+				g.pauseCallback = nil
+			}
 			g.access.Unlock()
 			return
 		}
--- a/protocol/naive/inbound.go
+++ b/protocol/naive/inbound.go
@@ -140,7 +140,7 @@ func (n *Inbound) Start(stage adapter.StartStage) error {

 func (n *Inbound) Close() error {
 	return common.Close(
-		&n.listener,
+		n.listener,
 		common.PtrOrNil(n.httpServer),
 		n.h3Server,
 		n.tlsConfig,
--- a/protocol/naive/inbound_conn.go
+++ b/protocol/naive/inbound_conn.go
@@ -22,7 +22,7 @@ func generatePaddingHeader() string {
 	paddingLen := rand.Intn(32) + 30
 	padding := make([]byte, paddingLen)
 	bits := rand.Uint64()
-	for i := 0; i < 16; i++ {
+	for i := range 16 {
 		padding[i] = "!#$()+<>?@[]^`{}"[bits&15]
 		bits >>= 4
 	}
--- a/protocol/tailscale/endpoint.go
+++ b/protocol/tailscale/endpoint.go
@@ -111,6 +111,7 @@ type Endpoint struct {
 	systemInterfaceName string
 	systemInterfaceMTU  uint32
 	serverStarted       bool
+	started             atomic.Bool
 	systemTun           tun.Tun
 	systemDialer        *dialer.DefaultDialer
 	fallbackTCPCloser   func()
@@ -422,6 +423,7 @@ func (t *Endpoint) postStart() error {
 	}
 	t.filter = localBackend.ExportFilter()
 	go t.watchState()
+	t.started.Store(true)
 	return nil
 }

@@ -485,6 +487,7 @@ func (t *Endpoint) watchState() {

 func (t *Endpoint) Close() error {
 	var err error
+	t.started.Store(false)
 	if t.serverStarted {
 		err = common.Close(common.PtrOrNil(t.server))
 		t.serverStarted = false
@@ -509,6 +512,9 @@ func (t *Endpoint) DialContext(ctx context.Context, network string, destination
 	case N.NetworkUDP:
 		t.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	}
+	if !t.started.Load() {
+		return nil, E.New("Tailscale is not ready yet")
+	}
 	if destination.IsDomain() {
 		destinationAddresses, err := t.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
@@ -565,6 +571,9 @@ func (t *Endpoint) DialContext(ctx context.Context, network string, destination
 }

 func (t *Endpoint) listenPacketWithAddress(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	if !t.started.Load() {
+		return nil, E.New("Tailscale is not ready yet")
+	}
 	if t.systemDialer != nil {
 		return t.systemDialer.ListenPacket(ctx, destination)
 	}
@@ -632,6 +641,9 @@ func (t *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 }

 func (t *Endpoint) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
+	if !t.started.Load() {
+		return nil, E.New("Tailscale is not ready yet")
+	}
 	tsFilter := t.filter.Load()
 	if tsFilter != nil {
 		var ipProto ipproto.Proto
@@ -725,6 +737,9 @@ func (t *Endpoint) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 }

 func (t *Endpoint) NewDirectRouteConnection(metadata adapter.InboundContext, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
+	if !t.started.Load() {
+		return nil, E.New("Tailscale is not ready yet")
+	}
 	ctx := log.ContextWithNewID(t.ctx)
 	var destination tun.DirectRouteDestination
 	var err error
--- a/protocol/tailscale/tun_device_unix.go
+++ b/protocol/tailscale/tun_device_unix.go
@@ -11,7 +11,6 @@ import (
 	"sync/atomic"

 	singTun "github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/logger"
 	wgTun "github.com/sagernet/wireguard-go/tun"
 )
@@ -57,7 +56,7 @@ func (a *tunDeviceAdapter) Read(bufs [][]byte, sizes []int, offset int) (count i
 	if a.linuxTUN != nil {
 		n, err := a.linuxTUN.BatchRead(bufs, offset-singTun.PacketOffset, sizes)
 		if err == nil {
-			for i := 0; i < n; i++ {
+			for i := range n {
 				a.debugPacket("read", bufs[i][offset:offset+sizes[i]])
 			}
 		}
@@ -92,7 +91,7 @@ func (a *tunDeviceAdapter) Write(bufs [][]byte, offset int) (count int, err erro
 	for _, packet := range bufs {
 		a.debugPacket("write", packet[offset:])
 		if singTun.PacketOffset > 0 {
-			common.ClearArray(packet[offset-singTun.PacketOffset : offset])
+			clear(packet[offset-singTun.PacketOffset : offset])
 			singTun.PacketFillHeader(packet[offset-singTun.PacketOffset:], singTun.PacketIPVersion(packet[offset:]))
 		}
 		_, err = a.tun.Write(packet[offset-singTun.PacketOffset:])
--- a/protocol/wireguard/endpoint.go
+++ b/protocol/wireguard/endpoint.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"net/netip"
+	"sync/atomic"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@@ -41,11 +42,12 @@ type Endpoint struct {
 	logger         logger.ContextLogger
 	localAddresses []netip.Prefix
 	endpoint       *wireguard.Endpoint
+	started        atomic.Bool
 }

 func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.WireGuardEndpointOptions) (adapter.Endpoint, error) {
 	ep := &Endpoint{
-		Adapter:        endpoint.NewAdapterWithDialerOptions(C.TypeWireGuard, tag, []string{N.NetworkTCP, N.NetworkUDP}, options.DialerOptions),
+		Adapter:        endpoint.NewAdapterWithDialerOptions(C.TypeWireGuard, tag, []string{N.NetworkTCP, N.NetworkUDP, N.NetworkICMP}, options.DialerOptions),
 		ctx:            ctx,
 		router:         router,
 		dnsRouter:      service.FromContext[adapter.DNSRouter](ctx),
@@ -148,16 +150,24 @@ func (w *Endpoint) Start(stage adapter.StartStage) error {
 	case adapter.StartStateStart:
 		return w.endpoint.Start(false)
 	case adapter.StartStatePostStart:
-		return w.endpoint.Start(true)
+		err := w.endpoint.Start(true)
+		if err != nil {
+			return err
+		}
+		w.started.Store(true)
 	}
 	return nil
 }

 func (w *Endpoint) Close() error {
+	w.started.Store(false)
 	return w.endpoint.Close()
 }

 func (w *Endpoint) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
+	if !w.started.Load() {
+		return nil, E.New("WireGuard is not ready yet")
+	}
 	var ipVersion uint8
 	if !destination.IsIPv6() {
 		ipVersion = 4
@@ -238,6 +248,9 @@ func (w *Endpoint) DialContext(ctx context.Context, network string, destination
 	case N.NetworkUDP:
 		w.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	}
+	if !w.started.Load() {
+		return nil, E.New("WireGuard is not ready yet")
+	}
 	if destination.IsDomain() {
 		destinationAddresses, err := w.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
@@ -252,6 +265,9 @@ func (w *Endpoint) DialContext(ctx context.Context, network string, destination

 func (w *Endpoint) ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error) {
 	w.logger.InfoContext(ctx, "outbound packet connection to ", destination)
+	if !w.started.Load() {
+		return nil, netip.Addr{}, E.New("WireGuard is not ready yet")
+	}
 	if destination.IsDomain() {
 		destinationAddresses, err := w.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
@@ -285,9 +301,15 @@ func (w *Endpoint) PreferredDomain(domain string) bool {
 }

 func (w *Endpoint) PreferredAddress(address netip.Addr) bool {
+	if !w.started.Load() {
+		return false
+	}
 	return w.endpoint.Lookup(address) != nil
 }

 func (w *Endpoint) NewDirectRouteConnection(metadata adapter.InboundContext, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
+	if !w.started.Load() {
+		return nil, E.New("WireGuard is not ready yet")
+	}
 	return w.endpoint.NewDirectRouteConnection(metadata, routeContext, timeout)
 }