Update sing-box core, refactor MASQUE, update XHTTP

2026-06-23 19:03:11 +03:00 · 2026-05-29 01:31:57 +03:00
parent 1cb7950810
commit b953954b60
111 changed files with 1291 additions and 1660 deletions
--- a/.github/CRONET_GO_VERSION
+++ b/.github/CRONET_GO_VERSION
@@ -1 +1 @@
-e4926ba205fae5351e3d3eeafff7e7029654424a
+2faf34666c2cc8234f10f2ab6d4c4d6104d34ae2
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -18,21 +18,60 @@ on:
      - testing
      - unstable
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
  cancel-in-progress: true
 jobs:
  build:
-    name: Build
+    name: Lint ${{ matrix.goos }}/${{ matrix.goarch }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - goos: windows
            goarch: amd64
          - goos: windows
            goarch: '386'
          - goos: windows
            goarch: arm64
          - goos: linux
            goarch: amd64
          - goos: linux
            goarch: arm64
          - goos: linux
            goarch: arm
          - goos: linux
            goarch: '386'
          - goos: darwin
            goarch: amd64
          - goos: darwin
            goarch: arm64
          - goos: android
            goarch: arm64
        #  - goos: freebsd
        #    goarch: amd64
    steps:
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ^1.25
      - name: Cache go module
        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
          key: go-${{ hashFiles('**/go.sum') }}
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v8
        env:
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
        with:
          version: latest
          args: --timeout=30m
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,6 +1,6 @@
 version: "2"
 run:
-  go: "1.25"
+  go: "1.24"
  build-tags:
    - with_gvisor
    - with_quic
@@ -17,30 +17,29 @@ run:
 linters:
  default: none
  enable:
    - govet
    - ineffassign
    - paralleltest
    - staticcheck
    - unused
    - modernize
  settings:
    modernize:
      disable:
        - omitzero # nested struct omitempty -> omitzero changes JSON output semantics
    staticcheck:
      checks:
        - all
-        - -S1000
+        - -QF1008 # could remove embedded field "<interface>" from selector
-        - -S1008
+        - -ST1003 # should not use ALL_CAPS in Go names; use CamelCase instead
-        - -S1017
+        - -QF1001 # could apply De Morgan's law
        - -ST1003
        - -QF1001
        - -QF1003
        - -QF1008
  exclusions:
    generated: lax
    presets:
      - comments
      - common-false-positives
      - legacy
      - std-error-handling
    paths:
      - transport/simple-obfs
      - \.pb\.go$
      - third_party$
      - builtin$
      - examples$
@@ -55,10 +54,3 @@ formatters:
        - prefix(github.com/sagernet/)
        - default
      custom-order: true
  exclusions:
    generated: lax
    paths:
      - transport/simple-obfs
      - third_party$
      - builtin$
      - examples$
--- a/27
+++ b/27
@@ -59,23 +59,17 @@ install:
 	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
 fmt:
-	@gofumpt -l -w .
+	@golangci-lint fmt
 	@gofmt -s -w .
 	@gci write --custom-order -s standard -s "prefix(github.com/sagernet/)" -s "default" .
 fmt_docs:
 	go run ./cmd/internal/format_docs
 fmt_install:
 	go install -v mvdan.cc/gofumpt@latest
 	go install -v github.com/daixiang0/gci@latest
 lint:
 	GOOS=linux golangci-lint run ./...
 	GOOS=android golangci-lint run ./...
 	GOOS=windows golangci-lint run ./...
 	GOOS=darwin golangci-lint run ./...
-	GOOS=freebsd golangci-lint run ./...
+#	GOOS=freebsd golangci-lint run ./...
 lint_install:
 	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
@@ -202,14 +196,31 @@ upload_macos_pkg:
 	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Intel.pkg"
 	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}-Universal.pkg"
 replace_macos_pkg:
 	mkdir -p dist/SFM
 	cp ../sing-box-for-apple/build/SFM-Apple.pkg "dist/SFM/SFM-${VERSION}-Apple.pkg"
 	cp ../sing-box-for-apple/build/SFM-Intel.pkg "dist/SFM/SFM-${VERSION}-Intel.pkg"
 	cp ../sing-box-for-apple/build/SFM-Universal.pkg "dist/SFM/SFM-${VERSION}-Universal.pkg"
 	ghr --replace "v${VERSION}" "dist/SFM/SFM-${VERSION}-Apple.pkg"
 	ghr --replace "v${VERSION}" "dist/SFM/SFM-${VERSION}-Intel.pkg"
 	ghr --replace "v${VERSION}" "dist/SFM/SFM-${VERSION}-Universal.pkg"
 upload_macos_dsyms:
 	mkdir -p dist/SFM
 	cd ../sing-box-for-apple/build/SFM.System-universal.xcarchive && zip -r SFM.dSYMs.zip dSYMs
 	cp ../sing-box-for-apple/build/SFM.System-universal.xcarchive/SFM.dSYMs.zip "dist/SFM/SFM-${VERSION}.dSYMs.zip"
 	ghr --replace --draft --prerelease "v${VERSION}" "dist/SFM/SFM-${VERSION}.dSYMs.zip"
 replace_macos_dsyms:
 	mkdir -p dist/SFM
 	cd ../sing-box-for-apple/build/SFM.System-universal.xcarchive && zip -r SFM.dSYMs.zip dSYMs
 	cp ../sing-box-for-apple/build/SFM.System-universal.xcarchive/SFM.dSYMs.zip "dist/SFM/SFM-${VERSION}.dSYMs.zip"
 	ghr --replace "v${VERSION}" "dist/SFM/SFM-${VERSION}.dSYMs.zip"
 release_macos_standalone: build_macos_pkg notarize_macos_pkg upload_macos_pkg upload_macos_dsyms
 replace_macos_standalone: build_macos_pkg notarize_macos_pkg upload_macos_pkg upload_macos_dsyms
 build_tvos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.xcarchive && \
--- a/cmd/internal/protogen/main.go
+++ b/cmd/internal/protogen/main.go
@@ -48,8 +48,8 @@ func GetRuntimeEnv(key string) (string, error) {
 	if readErr != nil {
 		return "", readErr
 	}
-	envStrings := strings.Split(string(data), "\n")
+	envStrings := strings.SplitSeq(string(data), "\n")
-	for _, envItem := range envStrings {
+	for envItem := range envStrings {
 		envItem = strings.TrimSuffix(envItem, "\r")
 		envKeyValue := strings.Split(envItem, "=")
 		if strings.EqualFold(strings.TrimSpace(envKeyValue[0]), key) {
--- a/cmd/internal/update_android_version/main.go
+++ b/cmd/internal/update_android_version/main.go
@@ -39,7 +39,7 @@ func main() {
 	common.Must(os.Chdir(androidPath))
 	localProps := common.Must1(os.ReadFile("version.properties"))
 	var propsList [][]string
-	for _, propLine := range strings.Split(string(localProps), "\n") {
+	for propLine := range strings.SplitSeq(string(localProps), "\n") {
 		propsList = append(propsList, strings.Split(propLine, "="))
 	}
 	var (
--- a/cmd/internal/update_certificates/main.go
+++ b/cmd/internal/update_certificates/main.go
@@ -45,10 +45,8 @@ package certificate
 import "crypto/x509"
-var mozillaIncluded *x509.CertPool
+func newMozillaIncluded() *x509.CertPool {
-
+	pool := x509.NewCertPool()
 func init() {
 	mozillaIncluded = x509.NewCertPool()
 `)
 	for {
 		record, err := reader.Read()
@@ -63,14 +61,14 @@ func init() {
 		generated.WriteString("\n	// ")
 		generated.WriteString(record[nameIndex])
 		generated.WriteString("\n")
-		generated.WriteString("	mozillaIncluded.AppendCertsFromPEM([]byte(`")
+		generated.WriteString("	pool.AppendCertsFromPEM([]byte(`")
 		cert := record[certIndex]
 		// Remove single quotes
 		cert = cert[1 : len(cert)-1]
 		generated.WriteString(cert)
 		generated.WriteString("`))\n")
 	}
-	generated.WriteString("}\n")
+	generated.WriteString("\treturn pool\n}\n")
 	return os.WriteFile("common/certificate/mozilla.go", []byte(generated.String()), 0o644)
 }
@@ -131,10 +129,8 @@ package certificate
 import "crypto/x509"
-var chromeIncluded *x509.CertPool
+func newChromeIncluded() *x509.CertPool {
-
+	pool := x509.NewCertPool()
 func init() {
 	chromeIncluded = x509.NewCertPool()
 `)
 	for {
 		record, err := reader.Read()
@@ -152,7 +148,7 @@ func init() {
 		generated.WriteString("\n	// ")
 		generated.WriteString(record[subjectIndex])
 		generated.WriteString("\n")
-		generated.WriteString("	chromeIncluded.AppendCertsFromPEM([]byte(`")
+		generated.WriteString("	pool.AppendCertsFromPEM([]byte(`")
 		cert := record[certIndex]
 		// Remove single quotes if present
 		if len(cert) > 0 && cert[0] == '\'' {
@@ -161,6 +157,6 @@ func init() {
 		generated.WriteString(cert)
 		generated.WriteString("`))\n")
 	}
-	generated.WriteString("}\n")
+	generated.WriteString("\treturn pool\n}\n")
 	return os.WriteFile("common/certificate/chrome.go", []byte(generated.String()), 0o644)
 }
--- a/cmd/sing-box/cmd_geoip_export.go
+++ b/cmd/sing-box/cmd_geoip_export.go
@@ -61,16 +61,17 @@ func geoipExport(countryCode string) error {
 		outputFile   *os.File
 		outputWriter io.Writer
 	)
-	if flagGeoipExportOutput == "stdout" {
+	switch flagGeoipExportOutput {
 	case "stdout":
 		outputWriter = os.Stdout
-	} else if flagGeoipExportOutput == flagGeoipExportDefaultOutput {
+	case flagGeoipExportDefaultOutput:
 		outputFile, err = os.Create("geoip-" + countryCode + ".json")
 		if err != nil {
 			return err
 		}
 		defer outputFile.Close()
 		outputWriter = outputFile
-	} else {
+	default:
 		outputFile, err = os.Create(flagGeoipExportOutput)
 		if err != nil {
 			return err
--- a/cmd/sing-box/cmd_geosite_export.go
+++ b/cmd/sing-box/cmd_geosite_export.go
@@ -43,16 +43,17 @@ func geositeExport(category string) error {
 		outputFile   *os.File
 		outputWriter io.Writer
 	)
-	if commandGeositeExportOutput == "stdout" {
+	switch commandGeositeExportOutput {
 	case "stdout":
 		outputWriter = os.Stdout
-	} else if commandGeositeExportOutput == commandGeositeExportDefaultOutput {
+	case commandGeositeExportDefaultOutput:
 		outputFile, err = os.Create("geosite-" + category + ".json")
 		if err != nil {
 			return err
 		}
 		defer outputFile.Close()
 		outputWriter = outputFile
-	} else {
+	default:
 		outputFile, err = os.Create(commandGeositeExportOutput)
 		if err != nil {
 			return err
--- a/cmd/sing-box/cmd_tools_fetch_http3.go
+++ b/cmd/sing-box/cmd_tools_fetch_http3.go
@@ -1,3 +1,5 @@
 //go:build with_quic
 package main
 import (
--- a/common/badversion/version.go
+++ b/common/badversion/version.go
@@ -112,9 +112,7 @@ func IsValid(versionName string) bool {
 }
 func Parse(versionName string) (version Version) {
-	if strings.HasPrefix(versionName, "v") {
+	versionName = strings.TrimPrefix(versionName, "v")
 		versionName = versionName[1:]
 	}
 	if strings.Contains(versionName, "-") {
 		parts := strings.Split(versionName, "-")
 		versionName = parts[0]
--- a/common/certificate/chrome.go
+++ b/common/certificate/chrome.go
@@ -4,13 +4,11 @@ package certificate
 import "crypto/x509"
-var chromeIncluded *x509.CertPool
+func newChromeIncluded() *x509.CertPool {
-
+	pool := x509.NewCertPool()
 func init() {
 	chromeIncluded = x509.NewCertPool()
 	// CN=Actalis Authentication Root CA; O=Actalis S.p.A./03358520967; L=Milan; C=IT
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE
 BhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8w
 MzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290
@@ -45,7 +43,7 @@ LnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg==
 -----END CERTIFICATE-----`))
 	// CN=TunTrust Root CA; O=Agence Nationale de Certification Electronique; C=TN
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFszCCA5ugAwIBAgIUEwLV4kBMkkaGFmddtLu7sms+/BMwDQYJKoZIhvcNAQEL
 BQAwYTELMAkGA1UEBhMCVE4xNzA1BgNVBAoMLkFnZW5jZSBOYXRpb25hbGUgZGUg
 Q2VydGlmaWNhdGlvbiBFbGVjdHJvbmlxdWUxGTAXBgNVBAMMEFR1blRydXN0IFJv
@@ -80,7 +78,7 @@ d9qDRIueVSjAi1jTkD5OGwDxFa2DK5o=
 -----END CERTIFICATE-----`))
 	// CN=Amazon Root CA 4; O=Amazon; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5
 MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g
 Um9vdCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG
@@ -95,7 +93,7 @@ CkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRMStuW
 -----END CERTIFICATE-----`))
 	// CN=Amazon Root CA 1; O=Amazon; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
 ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
 b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
@@ -117,7 +115,7 @@ rqXRfboQnoZsG4q5WTP468SQvvG5
 -----END CERTIFICATE-----`))
 	// CN=Amazon Root CA 2; O=Amazon; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFQTCCAymgAwIBAgITBmyf0pY1hp8KD+WGePhbJruKNzANBgkqhkiG9w0BAQwF
 ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
 b24gUm9vdCBDQSAyMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTEL
@@ -150,7 +148,7 @@ n749sSmvZ6ES8lgQGVMDMBu4Gon2nL2XA46jCfMdiyHxtN/kHNGfZQIG6lzWE7OE
 -----END CERTIFICATE-----`))
 	// CN=Amazon Root CA 3; O=Amazon; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIBtjCCAVugAwIBAgITBmyf1XSXNmY/Owua2eiedgPySjAKBggqhkjOPQQDAjA5
 MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g
 Um9vdCBDQSAzMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG
@@ -164,7 +162,7 @@ YyRIHN8wfdVoOw==
 -----END CERTIFICATE-----`))
 	// CN=Certum Trusted Network CA; OU=Certum Certification Authority; O=Unizeto Technologies S.A.; C=PL
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
 MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
 ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
@@ -188,7 +186,7 @@ VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
 -----END CERTIFICATE-----`))
 	// CN=Certum EC-384 CA; OU=Certum Certification Authority; O=Asseco Data Systems S.A.; C=PL
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICZTCCAeugAwIBAgIQeI8nXIESUiClBNAt3bpz9DAKBggqhkjOPQQDAzB0MQsw
 CQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMScw
 JQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGTAXBgNVBAMT
@@ -205,7 +203,7 @@ nvuRlydd3LBbMHHOXjgaatkl5+r3YZJW+OraNsKHZZYuciUvf9/DE8k=
 -----END CERTIFICATE-----`))
 	// CN=Certum Trusted Root CA; OU=Certum Certification Authority; O=Asseco Data Systems S.A.; C=PL
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFwDCCA6igAwIBAgIQHr9ZULjJgDdMBvfrVU+17TANBgkqhkiG9w0BAQ0FADB6
 MQswCQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEu
 MScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxHzAdBgNV
@@ -240,7 +238,7 @@ E2Efv4WstK2tBZQIgx51F9NxO5NQI1mg7TyRVJ12AMXDuDjb
 -----END CERTIFICATE-----`))
 	// CN=Certum Trusted Network CA 2; OU=Certum Certification Authority; O=Unizeto Technologies S.A.; C=PL
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIF0jCCA7qgAwIBAgIQIdbQSk8lD8kyN/yqXhKN6TANBgkqhkiG9w0BAQ0FADCB
 gDELMAkGA1UEBhMCUEwxIjAgBgNVBAoTGVVuaXpldG8gVGVjaG5vbG9naWVzIFMu
 QS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEkMCIG
@@ -276,7 +274,7 @@ DrW5viSP
 -----END CERTIFICATE-----`))
 	// CN=Autoridad de Certificacion Firmaprofesional CIF A62634068; C=ES
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIGFDCCA/ygAwIBAgIIG3Dp0v+ubHEwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UE
 BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1h
 cHJvZmVzaW9uYWwgQ0lGIEE2MjYzNDA2ODAeFw0xNDA5MjMxNTIyMDdaFw0zNjA1
@@ -313,7 +311,7 @@ GbqEZycPvEJdvSRUDewdcAZfpLz6IHxV
 -----END CERTIFICATE-----`))
 	// CN=ANF Secure Server Root CA; OU=ANF CA Raiz; O=ANF Autoridad de Certificacion; C=ES; SerialNumber=G63287510
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIF7zCCA9egAwIBAgIIDdPjvGz5a7EwDQYJKoZIhvcNAQELBQAwgYQxEjAQBgNV
 BAUTCUc2MzI4NzUxMDELMAkGA1UEBhMCRVMxJzAlBgNVBAoTHkFORiBBdXRvcmlk
 YWQgZGUgQ2VydGlmaWNhY2lvbjEUMBIGA1UECxMLQU5GIENBIFJhaXoxIjAgBgNV
@@ -349,7 +347,7 @@ tt7VMVgWglvquxl1AnMaykgaIZOQCo6ThKd9OyMYkomgjaw=
 -----END CERTIFICATE-----`))
 	// CN=Buypass Class 2 Root CA; O=Buypass AS-983163327; C=NO
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd
 MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg
 Q2xhc3MgMiBSb290IENBMB4XDTEwMTAyNjA4MzgwM1oXDTQwMTAyNjA4MzgwM1ow
@@ -382,7 +380,7 @@ Y11aWOIv4x3kqdbQCtCev9eBCfHJxyYNrJgWVqA=
 -----END CERTIFICATE-----`))
 	// CN=Buypass Class 3 Root CA; O=Buypass AS-983163327; C=NO
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd
 MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg
 Q2xhc3MgMyBSb290IENBMB4XDTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFow
@@ -415,7 +413,7 @@ u79leNKGef9JOxqDDPDeeOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq
 -----END CERTIFICATE-----`))
 	// CN=Certainly Root R1; O=Certainly; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFRzCCAy+gAwIBAgIRAI4P+UuQcWhlM1T01EQ5t+AwDQYJKoZIhvcNAQELBQAw
 PTELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUNlcnRhaW5seTEaMBgGA1UEAxMRQ2Vy
 dGFpbmx5IFJvb3QgUjEwHhcNMjEwNDAxMDAwMDAwWhcNNDYwNDAxMDAwMDAwWjA9
@@ -448,7 +446,7 @@ OV+KmalBWQewLK8=
 -----END CERTIFICATE-----`))
 	// CN=Certainly Root E1; O=Certainly; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIB9zCCAX2gAwIBAgIQBiUzsUcDMydc+Y2aub/M+DAKBggqhkjOPQQDAzA9MQsw
 CQYDVQQGEwJVUzESMBAGA1UEChMJQ2VydGFpbmx5MRowGAYDVQQDExFDZXJ0YWlu
 bHkgUm9vdCBFMTAeFw0yMTA0MDEwMDAwMDBaFw00NjA0MDEwMDAwMDBaMD0xCzAJ
@@ -463,7 +461,7 @@ BtjOiQRINzf43TNRnXCve1XYAS59BWQOhriR
 -----END CERTIFICATE-----`))
 	// CN=Certigna; O=Dhimyotis; C=FR
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDqDCCApCgAwIBAgIJAP7c4wEPyUj/MA0GCSqGSIb3DQEBBQUAMDQxCzAJBgNV
 BAYTAkZSMRIwEAYDVQQKDAlEaGlteW90aXMxETAPBgNVBAMMCENlcnRpZ25hMB4X
 DTA3MDYyOTE1MTMwNVoXDTI3MDYyOTE1MTMwNVowNDELMAkGA1UEBhMCRlIxEjAQ
@@ -487,7 +485,7 @@ WyH8EZE0vkHve52Xdf+XlcCWWC/qu0bXu+TZLg==
 -----END CERTIFICATE-----`))
 	// CN=Certigna Root CA; OU=0002 48146308100036; O=Dhimyotis; C=FR
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIGWzCCBEOgAwIBAgIRAMrpG4nxVQMNo+ZBbcTjpuEwDQYJKoZIhvcNAQELBQAw
 WjELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCURoaW15b3RpczEcMBoGA1UECwwTMDAw
 MiA0ODE0NjMwODEwMDAzNjEZMBcGA1UEAwwQQ2VydGlnbmEgUm9vdCBDQTAeFw0x
@@ -525,7 +523,7 @@ jWZSaX5LaAzHHjcng6WMxwLkFM1JAbBzs/3GkDpv0mztO+7skb6iQ12LAEpmJURw
 -----END CERTIFICATE-----`))
 	// OU=certSIGN ROOT CA; O=certSIGN; C=RO
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDODCCAiCgAwIBAgIGIAYFFnACMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNVBAYT
 AlJPMREwDwYDVQQKEwhjZXJ0U0lHTjEZMBcGA1UECxMQY2VydFNJR04gUk9PVCBD
 QTAeFw0wNjA3MDQxNzIwMDRaFw0zMTA3MDQxNzIwMDRaMDsxCzAJBgNVBAYTAlJP
@@ -547,7 +545,7 @@ i/nDhDwTqn6Sm1dTk/pwwpEOMfmbZ13pljheX7NzTogVZ96edhBiIL5VaZVDADlN
 -----END CERTIFICATE-----`))
 	// OU=certSIGN ROOT CA G2; O=CERTSIGN SA; C=RO
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFRzCCAy+gAwIBAgIJEQA0tk7GNi02MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV
 BAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJR04g
 Uk9PVCBDQSBHMjAeFw0xNzAyMDYwOTI3MzVaFw00MjAyMDYwOTI3MzVaMEExCzAJ
@@ -580,7 +578,7 @@ QRBdJ3NghVdJIgc=
 -----END CERTIFICATE-----`))
 	// CN=HiPKI Root CA - G1; O=Chunghwa Telecom Co., Ltd.; C=TW
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFajCCA1KgAwIBAgIQLd2szmKXlKFD6LDNdmpeYDANBgkqhkiG9w0BAQsFADBP
 MQswCQYDVQQGEwJUVzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNvbSBDby4sIEx0
 ZC4xGzAZBgNVBAMMEkhpUEtJIFJvb3QgQ0EgLSBHMTAeFw0xOTAyMjIwOTQ2MDRa
@@ -613,7 +611,7 @@ YDksswBVLuT1sw5XxJFBAJw/6KXf6vb/yPCtbVKoF6ubYfwSUTXkJf2vqmqGOQ==
 -----END CERTIFICATE-----`))
 	// OU=ePKI Root Certification Authority; O=Chunghwa Telecom Co., Ltd.; C=TW
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFsDCCA5igAwIBAgIQFci9ZUdcr7iXAF7kBtK8nTANBgkqhkiG9w0BAQUFADBe
 MQswCQYDVQQGEwJUVzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNvbSBDby4sIEx0
 ZC4xKjAoBgNVBAsMIWVQS0kgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe
@@ -648,7 +646,7 @@ hNQ+IIX3Sj0rnP0qCglN6oH4EZw=
 -----END CERTIFICATE-----`))
 	// CN=D-TRUST BR Root CA 1 2020; O=D-Trust GmbH; C=DE
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIC2zCCAmCgAwIBAgIQfMmPK4TX3+oPyWWa00tNljAKBggqhkjOPQQDAzBIMQsw
 CQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRS
 VVNUIEJSIFJvb3QgQ0EgMSAyMDIwMB4XDTIwMDIxMTA5NDUwMFoXDTM1MDIxMTA5
@@ -668,7 +666,7 @@ dWNbFJWcHwHP2NVypw87
 -----END CERTIFICATE-----`))
 	// CN=D-TRUST EV Root CA 1 2020; O=D-Trust GmbH; C=DE
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIC2zCCAmCgAwIBAgIQXwJB13qHfEwDo6yWjfv/0DAKBggqhkjOPQQDAzBIMQsw
 CQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRS
 VVNUIEVWIFJvb3QgQ0EgMSAyMDIwMB4XDTIwMDIxMTEwMDAwMFoXDTM1MDIxMTA5
@@ -688,7 +686,7 @@ gfM0agPnIjhQW+0ZT0MW
 -----END CERTIFICATE-----`))
 	// CN=D-TRUST Root Class 3 CA 2 EV 2009; O=D-Trust GmbH; C=DE
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIEQzCCAyugAwIBAgIDCYP0MA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNVBAYTAkRF
 MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBD
 bGFzcyAzIENBIDIgRVYgMjAwOTAeFw0wOTExMDUwODUwNDZaFw0yOTExMDUwODUw
@@ -715,7 +713,7 @@ KVwvvoFBuYz/6n1gBp7N1z3TLqMVvKjmJuVvw9y4AyHqnxbxLFS1
 -----END CERTIFICATE-----`))
 	// CN=D-TRUST Root Class 3 CA 2 2009; O=D-Trust GmbH; C=DE
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIEMzCCAxugAwIBAgIDCYPzMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNVBAYTAkRF
 MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJzAlBgNVBAMMHkQtVFJVU1QgUm9vdCBD
 bGFzcyAzIENBIDIgMjAwOTAeFw0wOTExMDUwODM1NThaFw0yOTExMDUwODM1NTha
@@ -742,7 +740,7 @@ Johw1+qRzT65ysCQblrGXnRl11z+o+I=
 -----END CERTIFICATE-----`))
 	// CN=T-TeleSec GlobalRoot Class 3; OU=T-Systems Trust Center; O=T-Systems Enterprise Services GmbH; C=DE
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx
 KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd
 BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl
@@ -767,7 +765,7 @@ TpPDpFQUWw==
 -----END CERTIFICATE-----`))
 	// CN=T-TeleSec GlobalRoot Class 2; OU=T-Systems Trust Center; O=T-Systems Enterprise Services GmbH; C=DE
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx
 KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd
 BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl
@@ -792,7 +790,7 @@ BSeOE6Fuwg==
 -----END CERTIFICATE-----`))
 	// CN=DigiCert TLS RSA4096 Root G5; O=DigiCert, Inc.; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFZjCCA06gAwIBAgIQCPm0eKj6ftpqMzeJ3nzPijANBgkqhkiG9w0BAQwFADBN
 MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJTAjBgNVBAMT
 HERpZ2lDZXJ0IFRMUyBSU0E0MDk2IFJvb3QgRzUwHhcNMjEwMTE1MDAwMDAwWhcN
@@ -825,7 +823,7 @@ ovfepEWFJqgejF0pW8hL2JpqA15w8oVPbEtoL8pU9ozaMv7Da4M/OMZ+
 -----END CERTIFICATE-----`))
 	// CN=DigiCert TLS ECC P384 Root G5; O=DigiCert, Inc.; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICGTCCAZ+gAwIBAgIQCeCTZaz32ci5PhwLBCou8zAKBggqhkjOPQQDAzBOMQsw
 CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJjAkBgNVBAMTHURp
 Z2lDZXJ0IFRMUyBFQ0MgUDM4NCBSb290IEc1MB4XDTIxMDExNTAwMDAwMFoXDTQ2
@@ -841,7 +839,7 @@ DXZDjC5Ty3zfDBeWUA==
 -----END CERTIFICATE-----`))
 	// CN=DigiCert Assured ID Root CA; OU=www.digicert.com; O=DigiCert Inc; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
@@ -865,7 +863,7 @@ H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
 -----END CERTIFICATE-----`))
 	// CN=DigiCert Assured ID Root G2; OU=www.digicert.com; O=DigiCert Inc; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDljCCAn6gAwIBAgIQC5McOtY5Z+pnI7/Dr5r0SzANBgkqhkiG9w0BAQsFADBl
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
@@ -889,7 +887,7 @@ IhNzbM8m9Yop5w==
 -----END CERTIFICATE-----`))
 	// CN=DigiCert Assured ID Root G3; OU=www.digicert.com; O=DigiCert Inc; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICRjCCAc2gAwIBAgIQC6Fa+h3foLVJRK/NJKBs7DAKBggqhkjOPQQDAzBlMQsw
 CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
 ZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3Qg
@@ -906,7 +904,7 @@ JjZ91eQ0hjkCMHw2U/Aw5WJjOpnitqM7mzT6HtoQknFekROn3aRukswy1vUhZscv
 -----END CERTIFICATE-----`))
 	// CN=DigiCert Global Root CA; OU=www.digicert.com; O=DigiCert Inc; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
@@ -930,7 +928,7 @@ CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
 -----END CERTIFICATE-----`))
 	// CN=DigiCert Global Root G2; OU=www.digicert.com; O=DigiCert Inc; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
@@ -954,7 +952,7 @@ MrY=
 -----END CERTIFICATE-----`))
 	// CN=DigiCert Global Root G3; OU=www.digicert.com; O=DigiCert Inc; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICPzCCAcWgAwIBAgIQBVVWvPJepDU1w6QP1atFcjAKBggqhkjOPQQDAzBhMQsw
 CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
 ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAe
@@ -971,7 +969,7 @@ sycX
 -----END CERTIFICATE-----`))
 	// CN=DigiCert High Assurance EV Root CA; OU=www.digicert.com; O=DigiCert Inc; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
@@ -996,7 +994,7 @@ vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
 -----END CERTIFICATE-----`))
 	// CN=DigiCert Trusted Root G4; OU=www.digicert.com; O=DigiCert Inc; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg
@@ -1030,7 +1028,7 @@ gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
 -----END CERTIFICATE-----`))
 	// CN=QuoVadis Root CA 2; O=QuoVadis Limited; C=BM
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
 GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv
 b3QgQ0EgMjAeFw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNV
@@ -1065,7 +1063,7 @@ ohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y
 -----END CERTIFICATE-----`))
 	// CN=QuoVadis Root CA 2 G3; O=QuoVadis Limited; C=BM
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFYDCCA0igAwIBAgIURFc0JFuBiZs18s64KztbpybwdSgwDQYJKoZIhvcNAQEL
 BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc
 BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMiBHMzAeFw0xMjAxMTIxODU5MzJaFw00
@@ -1098,7 +1096,7 @@ WSr2Rz0ZiC3oheGe7IUIarFsNMkd7EgrO3jtZsSOeWmD3n+M
 -----END CERTIFICATE-----`))
 	// CN=QuoVadis Root CA 3 G3; O=QuoVadis Limited; C=BM
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFYDCCA0igAwIBAgIULvWbAiin23r/1aOp7r0DoM8Sah0wDQYJKoZIhvcNAQEL
 BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc
 BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMyBHMzAeFw0xMjAxMTIyMDI2MzJaFw00
@@ -1131,7 +1129,7 @@ ywaZWWDYWGWVjUTR939+J399roD1B0y2PpxxVJkES/1Y+Zj0
 -----END CERTIFICATE-----`))
 	// CN=CA Disig Root R2; O=Disig a.s.; L=Bratislava; C=SK
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFaTCCA1GgAwIBAgIJAJK4iNuwisFjMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV
 BAYTAlNLMRMwEQYDVQQHEwpCcmF0aXNsYXZhMRMwEQYDVQQKEwpEaXNpZyBhLnMu
 MRkwFwYDVQQDExBDQSBEaXNpZyBSb290IFIyMB4XDTEyMDcxOTA5MTUzMFoXDTQy
@@ -1164,7 +1162,7 @@ L4ysEr3vQCj8KWefshNPZiTEUxnpHikV7+ZtsH8tZ/3zbBt1RqPlShfppNcL
 -----END CERTIFICATE-----`))
 	// CN=emSign ECC Root CA - G3; OU=emSign PKI; O=eMudhra Technologies Limited; C=IN
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICTjCCAdOgAwIBAgIKPPYHqWhwDtqLhDAKBggqhkjOPQQDAzBrMQswCQYDVQQG
 EwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNo
 bm9sb2dpZXMgTGltaXRlZDEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0g
@@ -1181,7 +1179,7 @@ CUfvO6wIBHxcmbHtRwfSAjEAnbpV/KlK6O3t5nYBQnvI+GDZjVGLVTv7jHvrZQnD
 -----END CERTIFICATE-----`))
 	// CN=emSign Root CA - G1; OU=emSign PKI; O=eMudhra Technologies Limited; C=IN
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDlDCCAnygAwIBAgIKMfXkYgxsWO3W2DANBgkqhkiG9w0BAQsFADBnMQswCQYD
 VQQGEwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBU
 ZWNobm9sb2dpZXMgTGltaXRlZDEcMBoGA1UEAxMTZW1TaWduIFJvb3QgQ0EgLSBH
@@ -1205,7 +1203,7 @@ iN66zB+Afko=
 -----END CERTIFICATE-----`))
 	// CN=AffirmTrust Commercial; O=AffirmTrust; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDTDCCAjSgAwIBAgIId3cGJyapsXwwDQYJKoZIhvcNAQELBQAwRDELMAkGA1UE
 BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
 dCBDb21tZXJjaWFsMB4XDTEwMDEyOTE0MDYwNloXDTMwMTIzMTE0MDYwNlowRDEL
@@ -1227,7 +1225,7 @@ nlpOZbWUrhvfKbAW8b8Angc6F2S1BLUjIZkKlTuXfO8=
 -----END CERTIFICATE-----`))
 	// CN=Atos TrustedRoot 2011; O=Atos; C=DE
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDdzCCAl+gAwIBAgIIXDPLYixfszIwDQYJKoZIhvcNAQELBQAwPDEeMBwGA1UE
 AwwVQXRvcyBUcnVzdGVkUm9vdCAyMDExMQ0wCwYDVQQKDARBdG9zMQswCQYDVQQG
 EwJERTAeFw0xMTA3MDcxNDU4MzBaFw0zMDEyMzEyMzU5NTlaMDwxHjAcBgNVBAMM
@@ -1250,7 +1248,7 @@ KrcYPqcZ2Qt9sTdBQrC6YB3y/gkRsPCHe6ed
 -----END CERTIFICATE-----`))
 	// CN=Atos TrustedRoot Root CA ECC TLS 2021; O=Atos; C=DE
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICFTCCAZugAwIBAgIQPZg7pmY9kGP3fiZXOATvADAKBggqhkjOPQQDAzBMMS4w
 LAYDVQQDDCVBdG9zIFRydXN0ZWRSb290IFJvb3QgQ0EgRUNDIFRMUyAyMDIxMQ0w
 CwYDVQQKDARBdG9zMQswCQYDVQQGEwJERTAeFw0yMTA0MjIwOTI2MjNaFw00MTA0
@@ -1266,7 +1264,7 @@ CCrCp1rIAjEAmeMM56PDr9NJLkaCI2ZdyQAUEv049OGYa3cpetskz2VAv9LcjBHo
 -----END CERTIFICATE-----`))
 	// CN=Atos TrustedRoot Root CA RSA TLS 2021; O=Atos; C=DE
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFZDCCA0ygAwIBAgIQU9XP5hmTC/srBRLYwiqipDANBgkqhkiG9w0BAQwFADBM
 MS4wLAYDVQQDDCVBdG9zIFRydXN0ZWRSb290IFJvb3QgQ0EgUlNBIFRMUyAyMDIx
 MQ0wCwYDVQQKDARBdG9zMQswCQYDVQQGEwJERTAeFw0yMTA0MjIwOTIxMTBaFw00
@@ -1299,7 +1297,7 @@ oji2jbDwN/zIIX8/syQbPYtuzE2wFg2WHYMfRsCbvUOZ58SWLs5fyQ==
 -----END CERTIFICATE-----`))
 	// CN=GlobalSign; OU=GlobalSign Root CA - R6; O=GlobalSign
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFgzCCA2ugAwIBAgIORea7A4Mzw4VlSOb/RVEwDQYJKoZIhvcNAQEMBQAwTDEg
 MB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjYxEzARBgNVBAoTCkdsb2Jh
 bFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTQxMjEwMDAwMDAwWhcNMzQx
@@ -1333,7 +1331,7 @@ JJUEeKgDu+6B5dpffItKoZB0JaezPkvILFa9x8jvOOJckvB595yEunQtYQEgfn7R
 -----END CERTIFICATE-----`))
 	// CN=GlobalSign Root E46; O=GlobalSign nv-sa; C=BE
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICCzCCAZGgAwIBAgISEdK7ujNu1LzmJGjFDYQdmOhDMAoGCCqGSM49BAMDMEYx
 CzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRwwGgYDVQQD
 ExNHbG9iYWxTaWduIFJvb3QgRTQ2MB4XDTE5MDMyMDAwMDAwMFoXDTQ2MDMyMDAw
@@ -1348,7 +1346,7 @@ DgQWBBQxCpCPtsad0kRLgLWi5h+xEk8blTAKBggqhkjOPQQDAwNoADBlAjEA31SQ
 -----END CERTIFICATE-----`))
 	// CN=GlobalSign Root R46; O=GlobalSign nv-sa; C=BE
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFWjCCA0KgAwIBAgISEdK7udcjGJ5AXwqdLdDfJWfRMA0GCSqGSIb3DQEBDAUA
 MEYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRwwGgYD
 VQQDExNHbG9iYWxTaWduIFJvb3QgUjQ2MB4XDTE5MDMyMDAwMDAwMFoXDTQ2MDMy
@@ -1381,7 +1379,7 @@ vouXsXgxT7PntgMTzlSdriVZzH81Xwj3QEUxeCp6
 -----END CERTIFICATE-----`))
 	// CN=GlobalSign; OU=GlobalSign ECC Root CA - R5; O=GlobalSign
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICHjCCAaSgAwIBAgIRYFlJ4CYuu1X5CneKcflK2GwwCgYIKoZIzj0EAwMwUDEk
 MCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI1MRMwEQYDVQQKEwpH
 bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTEyMTExMzAwMDAwMFoX
@@ -1397,7 +1395,7 @@ xwy8p2Fp8fc74SrL+SvzZpA3
 -----END CERTIFICATE-----`))
 	// CN=GlobalSign; OU=GlobalSign Root CA - R3; O=GlobalSign
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
 A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
 Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
@@ -1420,7 +1418,7 @@ WD9f
 -----END CERTIFICATE-----`))
 	// CN=Starfield Root Certificate Authority - G2; O=Starfield Technologies, Inc.; L=Scottsdale; ST=Arizona; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
 HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
@@ -1445,7 +1443,7 @@ mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
 -----END CERTIFICATE-----`))
 	// CN=Go Daddy Root Certificate Authority - G2; O=GoDaddy.com, Inc.; L=Scottsdale; ST=Arizona; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
 EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
@@ -1470,7 +1468,7 @@ LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
 -----END CERTIFICATE-----`))
 	// CN=GlobalSign; OU=GlobalSign ECC Root CA - R4; O=GlobalSign
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIB3DCCAYOgAwIBAgINAgPlfvU/k/2lCSGypjAKBggqhkjOPQQDAjBQMSQwIgYD
 VQQLExtHbG9iYWxTaWduIEVDQyBSb290IENBIC0gUjQxEzARBgNVBAoTCkdsb2Jh
 bFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTIxMTEzMDAwMDAwWhcNMzgw
@@ -1484,7 +1482,7 @@ bmF0774BxL4YSFlhgjICICadVGNA3jdgUM/I2O2dgq43mLyjj0xMqTQrbO/7lZsm
 -----END CERTIFICATE-----`))
 	// CN=GTS Root R4; O=Google Trust Services LLC; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICCTCCAY6gAwIBAgINAgPlwGjvYxqccpBQUjAKBggqhkjOPQQDAzBHMQswCQYD
 VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIG
 A1UEAxMLR1RTIFJvb3QgUjQwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAw
@@ -1499,7 +1497,7 @@ p/SgguMh1YQdc4acLa/KNJvxn7kjNuK8YAOdgLOaVsjh4rsUecrNIdSUtUlD
 -----END CERTIFICATE-----`))
 	// CN=GTS Root R2; O=Google Trust Services LLC; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFVzCCAz+gAwIBAgINAgPlrsWNBCUaqxElqjANBgkqhkiG9w0BAQwFADBHMQsw
 CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
 MBIGA1UEAxMLR1RTIFJvb3QgUjIwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
@@ -1532,7 +1530,7 @@ JPFI/2R80L5cFtHvma3AH/vLrrw4IgYmZNralw4/KBVEqE8AyvCazM90arQ+POuV
 -----END CERTIFICATE-----`))
 	// CN=GTS Root R1; O=Google Trust Services LLC; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw
 CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
 MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
@@ -1565,7 +1563,7 @@ bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c
 -----END CERTIFICATE-----`))
 	// CN=GTS Root R3; O=Google Trust Services LLC; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICCTCCAY6gAwIBAgINAgPluILrIPglJ209ZjAKBggqhkjOPQQDAzBHMQswCQYD
 VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIG
 A1UEAxMLR1RTIFJvb3QgUjMwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAw
@@ -1580,7 +1578,7 @@ ZuVDFhOD3cffL74UOO0BzrEXGhF16b0DjyZ+hOXJYKaV11RZt+cRLInUue4X
 -----END CERTIFICATE-----`))
 	// CN=ACCVRAIZ1; OU=PKIACCV; O=ACCV; C=ES
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
 AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw
 CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ
@@ -1626,7 +1624,7 @@ pPVWQxaZLPSkVrQ0uGE3ycJYgBugl6H8WY3pEfbRD0tVNEYqi4Y7
 -----END CERTIFICATE-----`))
 	// OU=AC RAIZ FNMT-RCM; O=FNMT-RCM; C=ES
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFgzCCA2ugAwIBAgIPXZONMGc2yAYdGsdUhGkHMA0GCSqGSIb3DQEBCwUAMDsx
 CzAJBgNVBAYTAkVTMREwDwYDVQQKDAhGTk1ULVJDTTEZMBcGA1UECwwQQUMgUkFJ
 WiBGTk1ULVJDTTAeFw0wODEwMjkxNTU5NTZaFw0zMDAxMDEwMDAwMDBaMDsxCzAJ
@@ -1660,7 +1658,7 @@ uu8wd+RU4riEmViAqhOLUTpPSPaLtrM=
 -----END CERTIFICATE-----`))
 	// CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS; OU=Ceres; O=FNMT-RCM; C=ES; OrganizationIdentifier=VATES-Q2826004J
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICbjCCAfOgAwIBAgIQYvYybOXE42hcG2LdnC6dlTAKBggqhkjOPQQDAzB4MQsw
 CQYDVQQGEwJFUzERMA8GA1UECgwIRk5NVC1SQ00xDjAMBgNVBAsMBUNlcmVzMRgw
 FgYDVQRhDA9WQVRFUy1RMjgyNjAwNEoxLDAqBgNVBAMMI0FDIFJBSVogRk5NVC1S
@@ -1678,7 +1676,7 @@ v+c=
 -----END CERTIFICATE-----`))
 	// CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1; OU=Kamu Sertifikasyon Merkezi - Kamu SM; O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK; L=Gebze - Kocaeli; C=TR
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIEYzCCA0ugAwIBAgIBATANBgkqhkiG9w0BAQsFADCB0jELMAkGA1UEBhMCVFIx
 GDAWBgNVBAcTD0dlYnplIC0gS29jYWVsaTFCMEAGA1UEChM5VHVya2l5ZSBCaWxp
 bXNlbCB2ZSBUZWtub2xvamlrIEFyYXN0aXJtYSBLdXJ1bXUgLSBUVUJJVEFLMS0w
@@ -1706,7 +1704,7 @@ lo3Ptv0AnVoUmr8CRPXBwp8iXqIPoeM=
 -----END CERTIFICATE-----`))
 	// CN=HARICA TLS RSA Root CA 2021; O=Hellenic Academic and Research Institutions CA; C=GR
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFpDCCA4ygAwIBAgIQOcqTHO9D88aOk8f0ZIk4fjANBgkqhkiG9w0BAQsFADBs
 MQswCQYDVQQGEwJHUjE3MDUGA1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl
 c2VhcmNoIEluc3RpdHV0aW9ucyBDQTEkMCIGA1UEAwwbSEFSSUNBIFRMUyBSU0Eg
@@ -1741,7 +1739,7 @@ xw/ogM4cKGR0GQjTQuPOAF1/sdwTsOEFy9EgqoZ0njnnkf3/W9b3raYvAwtt41dU
 -----END CERTIFICATE-----`))
 	// CN=HARICA TLS ECC Root CA 2021; O=Hellenic Academic and Research Institutions CA; C=GR
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICVDCCAdugAwIBAgIQZ3SdjXfYO2rbIvT/WeK/zjAKBggqhkjOPQQDAzBsMQsw
 CQYDVQQGEwJHUjE3MDUGA1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2Vh
 cmNoIEluc3RpdHV0aW9ucyBDQTEkMCIGA1UEAwwbSEFSSUNBIFRMUyBFQ0MgUm9v
@@ -1758,7 +1756,7 @@ nxS2PFOiTAZpffpskcYqSUXm7LcT4Tps
 -----END CERTIFICATE-----`))
 	// CN=IdenTrust Commercial Root CA 1; O=IdenTrust; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK
 MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu
 VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw
@@ -1791,7 +1789,7 @@ mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A
 -----END CERTIFICATE-----`))
 	// CN=ISRG Root X1; O=Internet Security Research Group; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
 TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
 cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
@@ -1824,7 +1822,7 @@ emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
 -----END CERTIFICATE-----`))
 	// CN=ISRG Root X2; O=Internet Security Research Group; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
 CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
 R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
@@ -1840,7 +1838,7 @@ tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
 -----END CERTIFICATE-----`))
 	// CN=Izenpe.com; O=IZENPE S.A.; C=ES
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIF8TCCA9mgAwIBAgIQALC3WhZIX7/hy/WL1xnmfTANBgkqhkiG9w0BAQsFADA4
 MQswCQYDVQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6
 ZW5wZS5jb20wHhcNMDcxMjEzMTMwODI4WhcNMzcxMjEzMDgyNzI1WjA4MQswCQYD
@@ -1876,7 +1874,7 @@ QyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxw==
 -----END CERTIFICATE-----`))
 	// CN=SZAFIR ROOT CA2; O=Krajowa Izba Rozliczeniowa S.A.; C=PL
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDcjCCAlqgAwIBAgIUPopdB+xV0jLVt+O2XwHrLdzk1uQwDQYJKoZIhvcNAQEL
 BQAwUTELMAkGA1UEBhMCUEwxKDAmBgNVBAoMH0tyYWpvd2EgSXpiYSBSb3psaWN6
 ZW5pb3dhIFMuQS4xGDAWBgNVBAMMD1NaQUZJUiBST09UIENBMjAeFw0xNTEwMTkw
@@ -1899,7 +1897,7 @@ LvWpCz/UXeHPhJ/iGcJfitYgHuNztw==
 -----END CERTIFICATE-----`))
 	// CN=e-Szigno Root CA 2017; O=Microsec Ltd.; L=Budapest; C=HU; OrganizationIdentifier=VATHU-23584497
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICQDCCAeWgAwIBAgIMAVRI7yH9l1kN9QQKMAoGCCqGSM49BAMCMHExCzAJBgNV
 BAYTAkhVMREwDwYDVQQHDAhCdWRhcGVzdDEWMBQGA1UECgwNTWljcm9zZWMgTHRk
 LjEXMBUGA1UEYQwOVkFUSFUtMjM1ODQ0OTcxHjAcBgNVBAMMFWUtU3ppZ25vIFJv
@@ -1916,7 +1914,7 @@ jbjcI4qKDdQvfepz7L9NbKgCIQDLpbQS+ue16M9+k/zzNY9vTlp8tLxOsvxyqltZ
 -----END CERTIFICATE-----`))
 	// CN=Microsec e-Szigno Root CA 2009; O=Microsec Ltd.; L=Budapest; C=HU; EmailAddress=info@e-szigno.hu
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIECjCCAvKgAwIBAgIJAMJ+QwRORz8ZMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD
 VQQGEwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFjAUBgNVBAoMDU1pY3Jvc2VjIEx0
 ZC4xJzAlBgNVBAMMHk1pY3Jvc2VjIGUtU3ppZ25vIFJvb3QgQ0EgMjAwOTEfMB0G
@@ -1942,7 +1940,7 @@ HMN1Rq41Bab2XD0h7lbwyYIiLXpUq3DDfSJlgnCW
 -----END CERTIFICATE-----`))
 	// CN=Microsoft ECC Root Certificate Authority 2017; O=Microsoft Corporation; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICWTCCAd+gAwIBAgIQZvI9r4fei7FK6gxXMQHC7DAKBggqhkjOPQQDAzBlMQsw
 CQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYD
 VQQDEy1NaWNyb3NvZnQgRUNDIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw
@@ -1959,7 +1957,7 @@ iudQZsIxtzm6uBoiB078a1QWIP8rtedMDE2mT3M=
 -----END CERTIFICATE-----`))
 	// CN=Microsoft RSA Root Certificate Authority 2017; O=Microsoft Corporation; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFqDCCA5CgAwIBAgIQHtOXCV/YtLNHcB6qvn9FszANBgkqhkiG9w0BAQwFADBl
 MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYw
 NAYDVQQDEy1NaWNyb3NvZnQgUlNBIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
@@ -1994,7 +1992,7 @@ RA+GsCyRxj3qrg+E
 -----END CERTIFICATE-----`))
 	// CN=NAVER Global Root Certification Authority; O=NAVER BUSINESS PLATFORM Corp.; C=KR
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFojCCA4qgAwIBAgIUAZQwHqIL3fXFMyqxQ0Rx+NZQTQ0wDQYJKoZIhvcNAQEM
 BQAwaTELMAkGA1UEBhMCS1IxJjAkBgNVBAoMHU5BVkVSIEJVU0lORVNTIFBMQVRG
 T1JNIENvcnAuMTIwMAYDVQQDDClOQVZFUiBHbG9iYWwgUm9vdCBDZXJ0aWZpY2F0
@@ -2029,7 +2027,7 @@ dh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmgkpzNNIaRkPpkUZ3+/uul
 -----END CERTIFICATE-----`))
 	// CN=NetLock Arany (Class Gold) Főtanúsítvány; OU=Tanúsítványkiadók (Certification Services); O=NetLock Kft.; L=Budapest; C=HU
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIEFTCCAv2gAwIBAgIGSUEs5AAQMA0GCSqGSIb3DQEBCwUAMIGnMQswCQYDVQQG
 EwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFTATBgNVBAoMDE5ldExvY2sgS2Z0LjE3
 MDUGA1UECwwuVGFuw7pzw610dsOhbnlraWFkw7NrIChDZXJ0aWZpY2F0aW9uIFNl
@@ -2055,7 +2053,7 @@ XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E=
 -----END CERTIFICATE-----`))
 	// CN=OISTE WISeKey Global Root GC CA; OU=OISTE Foundation Endorsed; O=WISeKey; C=CH
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICaTCCAe+gAwIBAgIQISpWDK7aDKtARb8roi066jAKBggqhkjOPQQDAzBtMQsw
 CQYDVQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZT0lTVEUgRm91
 bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9iYWwg
@@ -2072,7 +2070,7 @@ Mgj/mkkCtojeFK9dbJlxjRo/i9fgojaGHAeCOnZT/cKi7e97sIBPWA9LUzm9
 -----END CERTIFICATE-----`))
 	// CN=OISTE WISeKey Global Root GB CA; OU=OISTE Foundation Endorsed; O=WISeKey; C=CH
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDtTCCAp2gAwIBAgIQdrEgUnTwhYdGs/gjGvbCwDANBgkqhkiG9w0BAQsFADBt
 MQswCQYDVQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZT0lTVEUg
 Rm91bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9i
@@ -2096,7 +2094,7 @@ Nc1MaRVUGpCY3useX8p3x8uOPUNpnJpY0CQ73xtAln41rYHHTnG6iBM=
 -----END CERTIFICATE-----`))
 	// CN=Security Communication ECC RootCA1; O=SECOM Trust Systems CO.,LTD.; C=JP
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICODCCAb6gAwIBAgIJANZdm7N4gS7rMAoGCCqGSM49BAMDMGExCzAJBgNVBAYT
 AkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMSswKQYD
 VQQDEyJTZWN1cml0eSBDb21tdW5pY2F0aW9uIEVDQyBSb290Q0ExMB4XDTE2MDYx
@@ -2112,7 +2110,7 @@ be0YottT6SXbVQjgUMzfRGEWgqtJsLKB7HOHeLRMsmIbEvoWTSVLY70eN9k=
 -----END CERTIFICATE-----`))
 	// OU=Security Communication RootCA2; O=SECOM Trust Systems CO.,LTD.; C=JP
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDdzCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJKUDEl
 MCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UECxMe
 U2VjdXJpdHkgQ29tbXVuaWNhdGlvbiBSb290Q0EyMB4XDTA5MDUyOTA1MDAzOVoX
@@ -2135,7 +2133,7 @@ SjnRBUkLp7Y3gaVdjKozXoEofKd9J+sAro03
 -----END CERTIFICATE-----`))
 	// CN=Entrust Root Certification Authority; OU=www.entrust.net/CPS is incorporated by reference, (c) 2006 Entrust, Inc.; O=Entrust, Inc.; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC
 VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
 Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
@@ -2164,7 +2162,7 @@ eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0tHuu2guQOHXvgR1m
 -----END CERTIFICATE-----`))
 	// CN=Sectigo Public Server Authentication Root E46; O=Sectigo Limited; C=GB
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICOjCCAcGgAwIBAgIQQvLM2htpN0RfFf51KBC49DAKBggqhkjOPQQDAzBfMQsw
 CQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1T
 ZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBFNDYwHhcN
@@ -2180,7 +2178,7 @@ qCG76UeXlImldCBteU/IvZNeWBj7LRoAasm4PdCkT0RHlAFWovgzJQxC36oCMB3q
 -----END CERTIFICATE-----`))
 	// CN=COMODO ECC Certification Authority; O=COMODO CA Limited; L=Salford; ST=Greater Manchester; C=GB
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL
 MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
 BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMT
@@ -2198,7 +2196,7 @@ GDeAU/7dIOA1mjbRxwG55tzd8/8dLDoWV9mSOdY=
 -----END CERTIFICATE-----`))
 	// CN=COMODO Certification Authority; O=COMODO CA Limited; L=Salford; ST=Greater Manchester; C=GB
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIID0DCCArigAwIBAgIQIKTEf93f4cdTYwcTiHdgEjANBgkqhkiG9w0BAQUFADCB
 gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
 A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV
@@ -2223,7 +2221,7 @@ R1uUq27UlTMdphVx8fiUylQ5PsE=
 -----END CERTIFICATE-----`))
 	// CN=COMODO RSA Certification Authority; O=COMODO CA Limited; L=Salford; ST=Greater Manchester; C=GB
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB
 hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
 A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
@@ -2259,7 +2257,7 @@ NVOFBkpdn627G190
 -----END CERTIFICATE-----`))
 	// CN=USERTrust RSA Certification Authority; O=The USERTRUST Network; L=Jersey City; ST=New Jersey; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
 iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
 cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
@@ -2295,7 +2293,7 @@ jjxDah2nGN59PRbxYvnKkKj9
 -----END CERTIFICATE-----`))
 	// CN=USERTrust ECC Certification Authority; O=The USERTRUST Network; L=Jersey City; ST=New Jersey; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICjzCCAhWgAwIBAgIQXIuZxVqUxdJxVt7NiYDMJjAKBggqhkjOPQQDAzCBiDEL
 MAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNl
 eSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMT
@@ -2313,7 +2311,7 @@ RNZu9YO6bVi9JNlWSOrvxKJGgYhqOkbRqZtNyWHa0V1Xahg=
 -----END CERTIFICATE-----`))
 	// CN=Sectigo Public Server Authentication Root R46; O=Sectigo Limited; C=GB
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFijCCA3KgAwIBAgIQdY39i658BwD6qSWn4cetFDANBgkqhkiG9w0BAQwFADBf
 MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQD
 Ey1TZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBSNDYw
@@ -2347,7 +2345,7 @@ QqszKbrAKbkTidOIijlBO8n9pu0f9GBj39ItVQGL
 -----END CERTIFICATE-----`))
 	// CN=Entrust Root Certification Authority - G2; OU=See www.entrust.net/legal-terms, (c) 2009 Entrust, Inc. - for authorized use only; O=Entrust, Inc.; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
 VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
 cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs
@@ -2374,7 +2372,7 @@ VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
 -----END CERTIFICATE-----`))
 	// CN=Entrust Root Certification Authority - EC1; OU=See www.entrust.net/legal-terms, (c) 2012 Entrust, Inc. - for authorized use only; O=Entrust, Inc.; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIC+TCCAoCgAwIBAgINAKaLeSkAAAAAUNCR+TAKBggqhkjOPQQDAzCBvzELMAkG
 A1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3
 d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDEyIEVu
@@ -2394,7 +2392,7 @@ hTcGtXsI/esni0qU+eH6p44mCOh8kmhtc9hvJqwhAriZtyZBWyVgrtBIGu4G
 -----END CERTIFICATE-----`))
 	// CN=SSL.com Root Certification Authority RSA; O=SSL Corporation; L=Houston; ST=Texas; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIF3TCCA8WgAwIBAgIIeyyb0xaAMpkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE
 BhMCVVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQK
 DA9TU0wgQ29ycG9yYXRpb24xMTAvBgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZp
@@ -2430,7 +2428,7 @@ Ic2wBlX7Jz9TkHCpBB5XJ7k=
 -----END CERTIFICATE-----`))
 	// CN=SSL.com TLS ECC Root CA 2022; O=SSL Corporation; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICOjCCAcCgAwIBAgIQFAP1q/s3ixdAW+JDsqXRxDAKBggqhkjOPQQDAzBOMQsw
 CQYDVQQGEwJVUzEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMSUwIwYDVQQDDBxT
 U0wuY29tIFRMUyBFQ0MgUm9vdCBDQSAyMDIyMB4XDTIyMDgyNTE2MzM0OFoXDTQ2
@@ -2446,7 +2444,7 @@ b0Igj762TVntd00pxCAgRWSGOlDGxK0tk/UYfXLtqc/ErFc2KAhl3zx5Zn6g6g==
 -----END CERTIFICATE-----`))
 	// CN=SSL.com TLS RSA Root CA 2022; O=SSL Corporation; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFiTCCA3GgAwIBAgIQb77arXO9CEDii02+1PdbkTANBgkqhkiG9w0BAQsFADBO
 MQswCQYDVQQGEwJVUzEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMSUwIwYDVQQD
 DBxTU0wuY29tIFRMUyBSU0EgUm9vdCBDQSAyMDIyMB4XDTIyMDgyNTE2MzQyMloX
@@ -2480,7 +2478,7 @@ Mho6/4UIyYOf8kpIEFR3N+2ivEC+5BB09+Rbu7nzifmPQdjH5FCQNYA+HLhNkNPU
 -----END CERTIFICATE-----`))
 	// CN=SSL.com Root Certification Authority ECC; O=SSL Corporation; L=Houston; ST=Texas; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICjTCCAhSgAwIBAgIIdebfy8FoW6gwCgYIKoZIzj0EAwIwfDELMAkGA1UEBhMC
 VVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T
 U0wgQ29ycG9yYXRpb24xMTAvBgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZpY2F0
@@ -2498,7 +2496,7 @@ gA0z5Wajs6O7pdWLjwkspl1+4vAHCGht0nxpbl/f5Wpl
 -----END CERTIFICATE-----`))
 	// CN=SSL.com EV Root Certification Authority RSA R2; O=SSL Corporation; L=Houston; ST=Texas; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIF6zCCA9OgAwIBAgIIVrYpzTS8ePYwDQYJKoZIhvcNAQELBQAwgYIxCzAJBgNV
 BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UE
 CgwPU1NMIENvcnBvcmF0aW9uMTcwNQYDVQQDDC5TU0wuY29tIEVWIFJvb3QgQ2Vy
@@ -2534,7 +2532,7 @@ mKVx01QT2WDz9UtmT/rx7iASjbSsV7FFY6GsdqnC+w==
 -----END CERTIFICATE-----`))
 	// CN=SSL.com EV Root Certification Authority ECC; O=SSL Corporation; L=Houston; ST=Texas; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIClDCCAhqgAwIBAgIILCmcWxbtBZUwCgYIKoZIzj0EAwIwfzELMAkGA1UEBhMC
 VVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T
 U0wgQ29ycG9yYXRpb24xNDAyBgNVBAMMK1NTTC5jb20gRVYgUm9vdCBDZXJ0aWZp
@@ -2552,7 +2550,7 @@ h5Mmm7I1HrrW9zzRHM76JTymGoEVW/MSD2zuZYrJh6j5B+BimoxcSg==
 -----END CERTIFICATE-----`))
 	// CN=SwissSign Gold CA - G2; O=SwissSign AG; C=CH
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFujCCA6KgAwIBAgIJALtAHEP1Xk+wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
 BAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMTFlN3aXNzU2ln
 biBHb2xkIENBIC0gRzIwHhcNMDYxMDI1MDgzMDM1WhcNMzYxMDI1MDgzMDM1WjBF
@@ -2587,7 +2585,7 @@ Qc8Bsem4yWb02ybzOqR08kkkW8mw0FfB+j564ZfJ
 -----END CERTIFICATE-----`))
 	// CN=TWCA CYBER Root CA; OU=Root CA; O=TAIWAN-CA; C=TW
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFjTCCA3WgAwIBAgIQQAE0jMIAAAAAAAAAATzyxjANBgkqhkiG9w0BAQwFADBQ
 MQswCQYDVQQGEwJUVzESMBAGA1UEChMJVEFJV0FOLUNBMRAwDgYDVQQLEwdSb290
 IENBMRswGQYDVQQDExJUV0NBIENZQkVSIFJvb3QgQ0EwHhcNMjIxMTIyMDY1NDI5
@@ -2621,7 +2619,7 @@ t5b5wR9iWqJDB0BeJsas7a5wFsWqynKKTbDPAYsDP27X
 -----END CERTIFICATE-----`))
 	// CN=TWCA Global Root CA; OU=Root CA; O=TAIWAN-CA; C=TW
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFQTCCAymgAwIBAgICDL4wDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVFcx
 EjAQBgNVBAoTCVRBSVdBTi1DQTEQMA4GA1UECxMHUm9vdCBDQTEcMBoGA1UEAxMT
 VFdDQSBHbG9iYWwgUm9vdCBDQTAeFw0xMjA2MjcwNjI4MzNaFw0zMDEyMzExNTU5
@@ -2654,7 +2652,7 @@ KwbQBM0=
 -----END CERTIFICATE-----`))
 	// CN=TeliaSonera Root CA v1; O=TeliaSonera
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFODCCAyCgAwIBAgIRAJW+FqD3LkbxezmCcvqLzZYwDQYJKoZIhvcNAQEFBQAw
 NzEUMBIGA1UECgwLVGVsaWFTb25lcmExHzAdBgNVBAMMFlRlbGlhU29uZXJhIFJv
 b3QgQ0EgdjEwHhcNMDcxMDE4MTIwMDUwWhcNMzIxMDE4MTIwMDUwWjA3MRQwEgYD
@@ -2686,7 +2684,7 @@ SK236thZiNSQvxaz2emsWWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY=
 -----END CERTIFICATE-----`))
 	// CN=Telia Root CA v2; O=Telia Finland Oyj; C=FI
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIFdDCCA1ygAwIBAgIPAWdfJ9b+euPkrL4JWwWeMA0GCSqGSIb3DQEBCwUAMEQx
 CzAJBgNVBAYTAkZJMRowGAYDVQQKDBFUZWxpYSBGaW5sYW5kIE95ajEZMBcGA1UE
 AwwQVGVsaWEgUm9vdCBDQSB2MjAeFw0xODExMjkxMTU1NTRaFw00MzExMjkxMTU1
@@ -2720,7 +2718,7 @@ rBPuUBQemMc=
 -----END CERTIFICATE-----`))
 	// CN=Trustwave Global ECC P384 Certification Authority; O=Trustwave Holdings, Inc.; L=Chicago; ST=Illinois; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICnTCCAiSgAwIBAgIMCL2Fl2yZJ6SAaEc7MAoGCCqGSM49BAMDMIGRMQswCQYD
 VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAf
 BgNVBAoTGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3
@@ -2739,7 +2737,7 @@ Sw==
 -----END CERTIFICATE-----`))
 	// CN=Trustwave Global ECC P256 Certification Authority; O=Trustwave Holdings, Inc.; L=Chicago; ST=Illinois; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIICYDCCAgegAwIBAgIMDWpfCD8oXD5Rld9dMAoGCCqGSM49BAMCMIGRMQswCQYD
 VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAf
 BgNVBAoTGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3
@@ -2756,7 +2754,7 @@ DDcCIC0mA6AFvWvR9lz4ZcyGbbOcNEhjhAnFjXca4syc4XR7
 -----END CERTIFICATE-----`))
 	// CN=SecureTrust CA; O=SecureTrust Corporation; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIDuDCCAqCgAwIBAgIQDPCOXAgWpa1Cf/DrJxhZ0DANBgkqhkiG9w0BAQUFADBI
 MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24x
 FzAVBgNVBAMTDlNlY3VyZVRydXN0IENBMB4XDTA2MTEwNzE5MzExOFoXDTI5MTIz
@@ -2780,7 +2778,7 @@ CPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR
 -----END CERTIFICATE-----`))
 	// CN=Trustwave Global Certification Authority; O=Trustwave Holdings, Inc.; L=Chicago; ST=Illinois; C=US
-	chromeIncluded.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
+	pool.AppendCertsFromPEM([]byte(`-----BEGIN CERTIFICATE-----
 MIIF2jCCA8KgAwIBAgIMBfcOhtpJ80Y1LrqyMA0GCSqGSIb3DQEBCwUAMIGIMQsw
 CQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28x
 ITAfBgNVBAoMGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1
@@ -2814,4 +2812,5 @@ h6jCJ3zhM0EPz8/8AKAigJ5Kp28AsEFFtyLKaEjFQqKu3R3y4G5OBVixwJAWKqQ9
 EEC+j2Jjg6mcgn0tAumDMHzLJ8n9HmYAsC7TIS+OMxZsmO0QqAfWzJPP29FpHOTK
 yeC2nOnOcXHebD8WpHk=
 -----END CERTIFICATE-----`))
 	return pool
 }
--- a/common/certificate/mozilla.go
+++ b/common/certificate/mozilla.go
--- a/common/certificate/store.go
+++ b/common/certificate/store.go
@@ -22,6 +22,7 @@ var _ adapter.CertificateStore = (*Store)(nil)
 type Store struct {
 	access                    sync.RWMutex
 	storeType                 string
 	systemPool                *x509.CertPool
 	currentPool               *x509.CertPool
 	certificate               string
@@ -31,9 +32,13 @@ type Store struct {
 }
 func NewStore(ctx context.Context, logger logger.Logger, options option.CertificateOptions) (*Store, error) {
 	storeType := options.Store
 	if storeType == "" {
 		storeType = C.CertificateStoreSystem
 	}
 	var systemPool *x509.CertPool
-	switch options.Store {
+	switch storeType {
-	case C.CertificateStoreSystem, "":
+	case C.CertificateStoreSystem:
 		systemPool = x509.NewCertPool()
 		platformInterface := service.FromContext[adapter.PlatformInterface](ctx)
 		var systemValid bool
@@ -51,16 +56,13 @@ func NewStore(ctx context.Context, logger logger.Logger, options option.Certific
 			}
 			systemPool = certPool
 		}
-	case C.CertificateStoreMozilla:
+	case C.CertificateStoreMozilla, C.CertificateStoreChrome:
 		systemPool = mozillaIncluded
 	case C.CertificateStoreChrome:
 		systemPool = chromeIncluded
 	case C.CertificateStoreNone:
 		systemPool = nil
 	default:
 		return nil, E.New("unknown certificate store: ", options.Store)
 	}
 	store := &Store{
 		storeType:                 storeType,
 		systemPool:                systemPool,
 		certificate:               strings.Join(options.Certificate, "\n"),
 		certificatePaths:          options.CertificatePath,
@@ -124,13 +126,9 @@ func (s *Store) Pool() *x509.CertPool {
 }
 func (s *Store) update() error {
-	s.access.Lock()
+	currentPool, err := s.newBasePool()
-	defer s.access.Unlock()
+	if err != nil {
-	var currentPool *x509.CertPool
+		return err
 	if s.systemPool == nil {
 		currentPool = x509.NewCertPool()
 	} else {
 		currentPool = s.systemPool.Clone()
 	}
 	if s.certificate != "" {
 		if !currentPool.AppendCertsFromPEM([]byte(s.certificate)) {
@@ -165,10 +163,30 @@ func (s *Store) update() error {
 	if firstErr != nil {
 		return firstErr
 	}
 	s.access.Lock()
 	defer s.access.Unlock()
 	s.currentPool = currentPool
 	return nil
 }
 func (s *Store) newBasePool() (*x509.CertPool, error) {
 	switch s.storeType {
 	case C.CertificateStoreSystem:
 		if s.systemPool == nil {
 			return x509.NewCertPool(), nil
 		}
 		return s.systemPool.Clone(), nil
 	case C.CertificateStoreMozilla:
 		return newMozillaIncluded(), nil
 	case C.CertificateStoreChrome:
 		return newChromeIncluded(), nil
 	case C.CertificateStoreNone:
 		return x509.NewCertPool(), nil
 	default:
 		return nil, E.New("unknown certificate store: ", s.storeType)
 	}
 }
 func readUniqueDirectoryEntries(dir string) ([]fs.DirEntry, error) {
 	files, err := os.ReadDir(dir)
 	if err != nil {
--- a/common/convertor/adguard/convertor.go
+++ b/common/convertor/adguard/convertor.go
@@ -63,9 +63,7 @@ parseLine:
 			}
 			continue
 		}
-		if strings.HasSuffix(ruleLine, "|") {
+		ruleLine = strings.TrimSuffix(ruleLine, "|")
 			ruleLine = ruleLine[:len(ruleLine)-1]
 		}
 		var (
 			isExclude   bool
 			isSuffix    bool
@@ -76,7 +74,7 @@ parseLine:
 		)
 		if !strings.HasPrefix(ruleLine, "/") && strings.Contains(ruleLine, "$") {
 			params := common.SubstringAfter(ruleLine, "$")
-			for _, param := range strings.Split(params, ",") {
+			for param := range strings.SplitSeq(params, ",") {
 				paramParts := strings.Split(param, "=")
 				var ignored bool
 				if len(paramParts) > 0 && len(paramParts) <= 2 {
@@ -106,9 +104,7 @@ parseLine:
 			ruleLine = ruleLine[2:]
 			isExclude = true
 		}
-		if strings.HasSuffix(ruleLine, "|") {
+		ruleLine = strings.TrimSuffix(ruleLine, "|")
 			ruleLine = ruleLine[:len(ruleLine)-1]
 		}
 		if strings.HasPrefix(ruleLine, "||") {
 			ruleLine = ruleLine[2:]
 			isSuffix = true
@@ -414,18 +410,18 @@ func ignoreIPCIDRRegexp(ruleLine string) bool {
 }
 func parseAdGuardHostLine(ruleLine string) (string, error) {
-	idx := strings.Index(ruleLine, " ")
+	before, after, ok := strings.Cut(ruleLine, " ")
-	if idx == -1 {
+	if !ok {
 		return "", os.ErrInvalid
 	}
-	address, err := netip.ParseAddr(ruleLine[:idx])
+	address, err := netip.ParseAddr(before)
 	if err != nil {
 		return "", err
 	}
 	if !address.IsUnspecified() {
 		return "", nil
 	}
-	domain := ruleLine[idx+1:]
+	domain := after
 	if !M.IsDomainName(domain) {
 		return "", E.New("invalid domain name: ", domain)
 	}
--- a/common/dialer/default_parallel_interface.go
+++ b/common/dialer/default_parallel_interface.go
@@ -136,18 +136,16 @@ func (d *DefaultDialer) dialParallelInterfaceFastFallback(ctx context.Context, d
 		go startRacer(fallbackCtx, false, iif)
 	}
 	var errors []error
-	for {
+	for res := range results {
-		select {
+		if res.error == nil {
-		case res := <-results:
+			return res.Conn, res.primary, nil
-			if res.error == nil {
+		}
-				return res.Conn, res.primary, nil
+		errors = append(errors, res.error)
-			}
+		if len(errors) == len(primaryInterfaces)+len(fallbackInterfaces) {
-			errors = append(errors, res.error)
+			return nil, false, E.Errors(errors...)
 			if len(errors) == len(primaryInterfaces)+len(fallbackInterfaces) {
 				return nil, false, E.Errors(errors...)
 			}
 		}
 	}
 	return nil, false, E.Errors(errors...)
 }
 func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listener net.ListenConfig, network string, addr string, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
--- a/common/geosite/compat_test.go
+++ b/common/geosite/compat_test.go
@@ -19,11 +19,6 @@ func oldWriteString(writer varbin.Writer, value string) error {
 	return varbin.Write(writer, binary.BigEndian, value)
 }
 func oldWriteItem(writer varbin.Writer, item Item) error {
 	//nolint:staticcheck
 	return varbin.Write(writer, binary.BigEndian, item)
 }
 func oldReadString(reader varbin.Reader) (string, error) {
 	//nolint:staticcheck
 	return varbin.ReadValue[string](reader, binary.BigEndian)
@@ -224,7 +219,7 @@ func TestGeositeWriteReadCompat(t *testing.T) {
 func generateLargeItems(count int) map[string][]Item {
 	items := make([]Item, count)
-	for i := 0; i < count; i++ {
+	for i := range count {
 		items[i] = Item{
 			Type:  ItemType(i % 4),
 			Value: strings.Repeat("x", i%200) + ".com",
--- a/common/geosite/reader.go
+++ b/common/geosite/reader.go
@@ -48,12 +48,6 @@ func NewReader(readSeeker io.ReadSeeker) (*Reader, []string, error) {
 	return reader, codes, nil
 }
 type geositeMetadata struct {
 	Code   string
 	Index  uint64
 	Length uint64
 }
 func (r *Reader) readMetadata() error {
 	counter := &readCounter{Reader: r.reader}
 	reader := bufio.NewReader(counter)
@@ -101,6 +95,9 @@ func (r *Reader) readMetadata() error {
 }
 func (r *Reader) Read(code string) ([]Item, error) {
 	r.access.Lock()
 	defer r.access.Unlock()
 	index, exists := r.domainIndex[code]
 	if !exists {
 		return nil, E.New("code ", code, " not exists!")
--- a/common/ja3/parser.go
+++ b/common/ja3/parser.go
@@ -131,7 +131,7 @@ func (j *ClientHello) parseHandshake(hs []byte) error {
 		return &ParseError{LengthErr, 7}
 	}
-	for i := 0; i < numCiphers; i++ {
+	for i := range numCiphers {
 		cipherSuite := uint16(cs[2+i<<1])<<8 | uint16(cs[3+i<<1])
 		cipherSuites = append(cipherSuites, cipherSuite)
 	}
@@ -234,7 +234,7 @@ func (j *ClientHello) parseExtensions(exs []byte) error {
 				return &ParseError{LengthErr, 16}
 			}
-			for i := 0; i < numCurves; i++ {
+			for i := range numCurves {
 				ecType := uint16(sex[i*2])<<8 | uint16(sex[1+i*2])
 				ellipticCurves = append(ellipticCurves, ecType)
 			}
@@ -256,7 +256,7 @@ func (j *ClientHello) parseExtensions(exs []byte) error {
 				return &ParseError{LengthErr, 18}
 			}
-			for i := 0; i < numPF; i++ {
+			for i := range numPF {
 				ellipticCurvePF[i] = uint8(sex[i])
 			}
 		case versionExtensionType:
--- a/common/ktls/ktls_handshake_messages.go
+++ b/common/ktls/ktls_handshake_messages.go
@@ -6,48 +6,7 @@
 package ktls
-import (
+import "golang.org/x/crypto/cryptobyte"
 	"fmt"
 	"golang.org/x/crypto/cryptobyte"
 )
 // The marshalingFunction type is an adapter to allow the use of ordinary
 // functions as cryptobyte.MarshalingValue.
 type marshalingFunction func(b *cryptobyte.Builder) error
 func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error {
 	return f(b)
 }
 // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If
 // the length of the sequence is not the value specified, it produces an error.
 func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) {
 	b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error {
 		if len(v) != n {
 			return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v))
 		}
 		b.AddBytes(v)
 		return nil
 	}))
 }
 // addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder.
 func addUint64(b *cryptobyte.Builder, v uint64) {
 	b.AddUint32(uint32(v >> 32))
 	b.AddUint32(uint32(v))
 }
 // readUint64 decodes a big-endian, 64-bit value into out and advances over it.
 // It reports whether the read was successful.
 func readUint64(s *cryptobyte.String, out *uint64) bool {
 	var hi, lo uint32
 	if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) {
 		return false
 	}
 	*out = uint64(hi)<<32 | uint64(lo)
 	return true
 }
 // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a
 // []byte instead of a cryptobyte.String.
@@ -61,12 +20,6 @@ func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
 	return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out))
 }
 // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a
 // []byte instead of a cryptobyte.String.
 func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
 	return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out))
 }
 type keyUpdateMsg struct {
 	updateRequested bool
 }
@@ -125,11 +78,6 @@ const (
 	typeMessageHash           uint8 = 254 // synthetic message
 )
 // TLS compression types.
 const (
 	compressionNone uint8 = 0
 )
 // TLS extension numbers
 const (
 	extensionServerName              uint16 = 0
--- a/common/ktls/ktls_write.go
+++ b/common/ktls/ktls_write.go
@@ -77,78 +77,5 @@ func (c *Conn) writeRecordLocked(typ uint16, data []byte) (n int, err error) {
 	if !c.kernelTx {
 		return c.rawConn.WriteRecordLocked(typ, data)
 	}
 	/*for len(data) > 0 {
 		m := len(data)
 		if maxPayload := c.maxPayloadSizeForWrite(typ); m > maxPayload {
 			m = maxPayload
 		}
 		_, err = c.writeKernelRecord(typ, data[:m])
 		if err != nil {
 			return
 		}
 		n += m
 		data = data[m:]
 	}*/
 	return c.writeKernelRecord(typ, data)
 }
 const (
 	// tcpMSSEstimate is a conservative estimate of the TCP maximum segment
 	// size (MSS). A constant is used, rather than querying the kernel for
 	// the actual MSS, to avoid complexity. The value here is the IPv6
 	// minimum MTU (1280 bytes) minus the overhead of an IPv6 header (40
 	// bytes) and a TCP header with timestamps (32 bytes).
 	tcpMSSEstimate = 1208
 	// recordSizeBoostThreshold is the number of bytes of application data
 	// sent after which the TLS record size will be increased to the
 	// maximum.
 	recordSizeBoostThreshold = 128 * 1024
 )
 func (c *Conn) maxPayloadSizeForWrite(typ uint16) int {
 	if /*c.config.DynamicRecordSizingDisabled ||*/ typ != recordTypeApplicationData {
 		return maxPlaintext
 	}
 	if *c.rawConn.PacketsSent >= recordSizeBoostThreshold {
 		return maxPlaintext
 	}
 	// Subtract TLS overheads to get the maximum payload size.
 	payloadBytes := tcpMSSEstimate - recordHeaderLen - c.rawConn.Out.ExplicitNonceLen()
 	if rawCipher := *c.rawConn.Out.Cipher; rawCipher != nil {
 		switch ciph := rawCipher.(type) {
 		case cipher.Stream:
 			payloadBytes -= (*c.rawConn.Out.Mac).Size()
 		case cipher.AEAD:
 			payloadBytes -= ciph.Overhead()
 		/*case cbcMode:
 		blockSize := ciph.BlockSize()
 		// The payload must fit in a multiple of blockSize, with
 		// room for at least one padding byte.
 		payloadBytes = (payloadBytes & ^(blockSize - 1)) - 1
 		// The RawMac is appended before padding so affects the
 		// payload size directly.
 		payloadBytes -= c.out.mac.Size()*/
 		default:
 			panic("unknown cipher type")
 		}
 	}
 	if *c.rawConn.Vers == tls.VersionTLS13 {
 		payloadBytes-- // encrypted ContentType
 	}
 	// Allow packet growth in arithmetic progression up to max.
 	pkt := *c.rawConn.PacketsSent
 	*c.rawConn.PacketsSent++
 	if pkt > 1000 {
 		return maxPlaintext // avoid overflow in multiply below
 	}
 	n := payloadBytes * int(pkt+1)
 	if n > maxPlaintext {
 		n = maxPlaintext
 	}
 	return n
 }
--- a/common/process/searcher_darwin_shared.go
+++ b/common/process/searcher_darwin_shared.go
@@ -81,7 +81,7 @@ func (f *darwinConnectionFinder) find(network string, source netip.AddrPort, des
 	source = normalizeDarwinAddrPort(source)
 	destination = normalizeDarwinAddrPort(destination)
 	var lastOwner *adapter.ConnectionOwner
-	for attempt := 0; attempt < 2; attempt++ {
+	for attempt := range 2 {
 		snapshot, fromCache, err := f.loadSnapshot(networkName, attempt > 0)
 		if err != nil {
 			return nil, err
--- a/common/process/searcher_linux_shared.go
+++ b/common/process/searcher_linux_shared.go
@@ -1,5 +1,6 @@
 //go:build linux
 //nolint:unused
 package process
 import (
@@ -117,7 +118,7 @@ func (c *socketDiagConn) query(source netip.AddrPort, destination netip.AddrPort
 	c.access.Lock()
 	defer c.access.Unlock()
 	request := packSocketDiagRequest(c.family, c.protocol, source, destination, false)
-	for attempt := 0; attempt < 2; attempt++ {
+	for range 2 {
 		err = c.ensureOpenLocked()
 		if err != nil {
 			return 0, 0, E.Cause(err, "dial netlink")
--- a/common/settings/proxy_darwin.go
+++ b/common/settings/proxy_darwin.go
@@ -109,7 +109,7 @@ func getInterfaceDisplayName(name string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	for _, deviceSpan := range strings.Split(string(content), "Ethernet Address") {
+	for deviceSpan := range strings.SplitSeq(string(content), "Ethernet Address") {
 		if strings.Contains(deviceSpan, "Device: "+name) {
 			substr := "Hardware Port: "
 			deviceSpan = deviceSpan[strings.Index(deviceSpan, substr)+len(substr):]
--- a/common/settings/wifi_linux_connman.go
+++ b/common/settings/wifi_linux_connman.go
@@ -40,14 +40,14 @@ func (m *connmanMonitor) ReadWIFIState() adapter.WIFIState {
 	defer cancel()
 	cmObj := m.conn.Object("net.connman", "/")
-	var services []interface{}
+	var services []any
 	err := cmObj.CallWithContext(ctx, "net.connman.Manager.GetServices", 0).Store(&services)
 	if err != nil {
 		return adapter.WIFIState{}
 	}
 	for _, service := range services {
-		servicePair, ok := service.([]interface{})
+		servicePair, ok := service.([]any)
 		if !ok || len(servicePair) != 2 {
 			continue
 		}
--- a/common/settings/wifi_linux_wpa.go
+++ b/common/settings/wifi_linux_wpa.go
@@ -1,3 +1,4 @@
 //nolint:unused
 package settings
 import (
@@ -73,13 +74,13 @@ func (m *wpaSupplicantMonitor) ReadWIFIState() adapter.WIFIState {
 	scanner := bufio.NewScanner(strings.NewReader(status))
 	for scanner.Scan() {
 		line := scanner.Text()
-		if strings.HasPrefix(line, "wpa_state=") {
+		if after, ok := strings.CutPrefix(line, "wpa_state="); ok {
-			state := strings.TrimPrefix(line, "wpa_state=")
+			state := after
 			connected = state == "COMPLETED"
-		} else if strings.HasPrefix(line, "ssid=") {
+		} else if after, ok := strings.CutPrefix(line, "ssid="); ok {
-			ssid = strings.TrimPrefix(line, "ssid=")
+			ssid = after
-		} else if strings.HasPrefix(line, "bssid=") {
+		} else if after, ok := strings.CutPrefix(line, "bssid="); ok {
-			bssid = strings.TrimPrefix(line, "bssid=")
+			bssid = after
 		}
 	}
--- a/common/settings/wifi_stub.go
+++ b/common/settings/wifi_stub.go
@@ -1,5 +1,6 @@
 //go:build !linux && !windows
 //nolint:unused
 package settings
 import (
--- a/common/sniff/internal/qtls/qtls.go
+++ b/common/sniff/internal/qtls/qtls.go
@@ -54,9 +54,8 @@ type xorNonceAEAD struct {
 	aead      cipher.AEAD
 }
-func (f *xorNonceAEAD) NonceSize() int        { return 8 } // 64-bit sequence number
+func (f *xorNonceAEAD) NonceSize() int { return 8 } // 64-bit sequence number
-func (f *xorNonceAEAD) Overhead() int         { return f.aead.Overhead() }
+func (f *xorNonceAEAD) Overhead() int  { return f.aead.Overhead() }
 func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }
 func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
 	for i, b := range nonce {
--- a/common/sniff/quic_blacklist.go
+++ b/common/sniff/quic_blacklist.go
@@ -1,6 +1,8 @@
 package sniff
 import (
 	"slices"
 	"github.com/sagernet/sing-box/common/ja3"
 )
@@ -15,15 +17,8 @@ const (
 // Note: uQUIC with Chromium mimicry cannot be reliably distinguished from real Chromium
 // since it uses the same TLS fingerprint, so it will be identified as Chromium.
 func isQUICGo(fingerprint *ja3.ClientHello) bool {
-	for _, curve := range fingerprint.EllipticCurves {
+	if slices.Contains(fingerprint.EllipticCurves, x25519Kyber768Draft00) {
-		if curve == x25519Kyber768Draft00 {
+		return true
 			return true
 		}
 	}
-	for _, ext := range fingerprint.Extensions {
+	return slices.Contains(fingerprint.Extensions, extensionRenegotiationInfo)
 		if ext == extensionRenegotiationInfo {
 			return true
 		}
 	}
 	return false
 }
--- a/common/sniff/quic_capture_test.go
+++ b/common/sniff/quic_capture_test.go
@@ -30,7 +30,7 @@ func TestSniffQUICQuicGoFingerprint(t *testing.T) {
 	go func() {
 		var packets [][]byte
 		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
-		for i := 0; i < 10; i++ {
+		for range 10 {
 			buf := make([]byte, 2048)
 			n, _, err := udpConn.ReadFromUDP(buf)
 			if err != nil {
@@ -104,7 +104,7 @@ func TestSniffQUICInitialFromQuicGo(t *testing.T) {
 	go func() {
 		var packets [][]byte
 		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
-		for i := 0; i < 5; i++ { // Capture up to 5 packets
+		for range 5 { // Capture up to 5 packets
 			buf := make([]byte, 2048)
 			n, _, err := udpConn.ReadFromUDP(buf)
 			if err != nil {
--- a/common/srs/binary.go
+++ b/common/srs/binary.go
@@ -78,7 +78,7 @@ func Read(reader io.Reader, recover bool) (ruleSetCompat option.PlainRuleSetComp
 	}
 	ruleSetCompat.Version = version
 	ruleSetCompat.Options.Rules = make([]option.HeadlessRule, length)
-	for i := uint64(0); i < length; i++ {
+	for i := range length {
 		ruleSetCompat.Options.Rules[i], err = readRule(bReader, recover)
 		if err != nil {
 			err = E.Cause(err, "read rule[", i, "]")
@@ -644,7 +644,7 @@ func readLogicalRule(reader varbin.Reader, recovery bool) (logicalRule option.Lo
 		return
 	}
 	logicalRule.Rules = make([]option.HeadlessRule, length)
-	for i := uint64(0); i < length; i++ {
+	for i := range length {
 		logicalRule.Rules[i], err = readRule(reader, recovery)
 		if err != nil {
 			err = E.Cause(err, "read logical rule [", i, "]")
--- a/common/srs/compat_test.go
+++ b/common/srs/compat_test.go
@@ -450,7 +450,7 @@ func buildIPSet(cidrs ...string) *netipx.IPSet {
 func buildLargeIPSet(count int) *netipx.IPSet {
 	var builder netipx.IPSetBuilder
-	for i := 0; i < count; i++ {
+	for i := range count {
 		prefix := netip.PrefixFrom(netip.AddrFrom4([4]byte{10, byte(i / 256), byte(i % 256), 0}), 24)
 		builder.AddPrefix(prefix)
 	}
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@@ -267,8 +267,8 @@ type realityVerifier struct {
 }
 func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-	p, _ := reflect.TypeOf(c.Conn).Elem().FieldByName("peerCertificates")
+	p, _ := reflect.TypeFor[utls.Conn]().FieldByName("peerCertificates")
-	certs := *(*([]*x509.Certificate))(unsafe.Pointer(uintptr(unsafe.Pointer(c.Conn)) + p.Offset))
+	certs := *(*([]*x509.Certificate))(unsafe.Add(unsafe.Pointer(c.Conn), p.Offset))
 	if pub, ok := certs[0].PublicKey.(ed25519.PublicKey); ok {
 		h := hmac.New(sha512.New, c.authKey)
 		h.Write(pub)
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -141,13 +141,14 @@ func (c *STDServerConfig) startWatcher() error {
 func (c *STDServerConfig) certificateUpdated(path string) error {
 	if path == c.certificatePath || path == c.keyPath {
-		if path == c.certificatePath {
+		switch path {
 		case c.certificatePath:
 			certificate, err := os.ReadFile(c.certificatePath)
 			if err != nil {
 				return E.Cause(err, "reload certificate from ", c.certificatePath)
 			}
 			c.certificate = certificate
-		} else if path == c.keyPath {
+		case c.keyPath:
 			key, err := os.ReadFile(c.keyPath)
 			if err != nil {
 				return E.Cause(err, "reload key from ", c.keyPath)
@@ -338,9 +339,10 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 			}
 			tlsConfig.ClientCAs = clientCertificateCA
 		} else if len(options.ClientCertificatePublicKeySHA256) > 0 {
-			if tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert {
+			switch tlsConfig.ClientAuth {
 			case tls.RequireAndVerifyClientCert:
 				tlsConfig.ClientAuth = tls.RequireAnyClientCert
-			} else if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven {
+			case tls.VerifyClientCertIfGiven:
 				tlsConfig.ClientAuth = tls.RequestClientCert
 			}
 			tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
--- a/common/xray/utils/browser.go
+++ b/common/xray/utils/browser.go
@@ -31,9 +31,11 @@ func ChromeVersion() int {
 	return startVersion + (timeDiff / 35) // It's 31.15 currently.
 }
-var safariMinorMap [25]int = [25]int{0, 0, 0, 1, 1,
+var safariMinorMap [25]int = [25]int{
 	0, 0, 0, 1, 1,
 	1, 2, 2, 2, 2, 3, 3, 3, 4, 4,
-	4, 5, 5, 5, 5, 5, 6, 6, 6, 6}
+	4, 5, 5, 5, 5, 5, 6, 6, 6, 6,
 }
 // The following version generators use deterministic generators, but with the distribution scaled by a curve.
 func CurlVersion() string {
@@ -44,41 +46,67 @@ func CurlVersion() string {
 	var minorValue int = int(timeDiff / 57) // The release cadence is actually 56.67 days.
 	return "8." + strconv.Itoa(minorValue) + ".0"
 }
 func FirefoxVersion() int {
 	// Firefox 128 ESR was released on 09/07/2023.
 	var timeCurrent int64 = time.Now().Unix() / 86400
 	var timeStart int64 = time.Date(2024, 7, 29, 0, 0, 0, 0, time.UTC).Unix() / 86400
-	var timeDiff = timeCurrent - timeStart - 25 - int64(math.Floor(math.Pow(globalRng.Float64(), 2)*50))
+	timeDiff := timeCurrent - timeStart - 25 - int64(math.Floor(math.Pow(globalRng.Float64(), 2)*50))
 	return int(timeDiff/30) + 128
 }
 func SafariVersion() string {
 	var anchoredTime time.Time = time.Now()
 	var releaseYear int = anchoredTime.Year()
 	var splitPoint time.Time = time.Date(releaseYear, 9, 23, 0, 0, 0, 0, time.UTC)
-	var delayedDays = int(math.Floor(math.Pow(globalRng.Float64(), 3) * 75))
+	delayedDays := int(math.Floor(math.Pow(globalRng.Float64(), 3) * 75))
 	splitPoint = splitPoint.AddDate(0, 0, delayedDays)
 	if anchoredTime.Compare(splitPoint) < 0 {
 		releaseYear--
 		splitPoint = time.Date(releaseYear, 9, 23, 0, 0, 0, 0, time.UTC)
 		splitPoint = splitPoint.AddDate(0, 0, delayedDays)
 	}
-	var minorVersion = safariMinorMap[(anchoredTime.Unix()-splitPoint.Unix())/1296000]
+	minorVersion := safariMinorMap[(anchoredTime.Unix()-splitPoint.Unix())/1296000]
 	return strconv.Itoa(releaseYear-1999) + "." + strconv.Itoa(minorVersion)
 }
 // The full Chromium brand GREASE implementation
-var clientHintGreaseNA = []string{" ", "(", ":", "-", ".", "/", ")", ";", "=", "?", "_"}
+var (
-var clientHintVersionNA = []string{"8", "99", "24"}
+	clientHintGreaseNA  = []string{" ", "(", ":", "-", ".", "/", ")", ";", "=", "?", "_"}
-var clientHintShuffle3 = [][3]int{{0, 1, 2}, {0, 2, 1}, {1, 0, 2}, {1, 2, 0}, {2, 0, 1}, {2, 1, 0}}
+	clientHintVersionNA = []string{"8", "99", "24"}
-var clientHintShuffle4 = [][4]int{
+	clientHintShuffle3  = [][3]int{{0, 1, 2}, {0, 2, 1}, {1, 0, 2}, {1, 2, 0}, {2, 0, 1}, {2, 1, 0}}
-	{0, 1, 2, 3}, {0, 1, 3, 2}, {0, 2, 1, 3}, {0, 2, 3, 1}, {0, 3, 1, 2}, {0, 3, 2, 1},
+	clientHintShuffle4  = [][4]int{
-	{1, 0, 2, 3}, {1, 0, 3, 2}, {1, 2, 0, 3}, {1, 2, 3, 0}, {1, 3, 0, 2}, {1, 3, 2, 0},
+		{0, 1, 2, 3},
-	{2, 0, 1, 3}, {2, 0, 3, 1}, {2, 1, 0, 3}, {2, 1, 3, 0}, {2, 3, 0, 1}, {2, 3, 1, 0},
+		{0, 1, 3, 2},
-	{3, 0, 1, 2}, {3, 0, 2, 1}, {3, 1, 0, 2}, {3, 1, 2, 0}, {3, 2, 0, 1}, {3, 2, 1, 0}}
+		{0, 2, 1, 3},
 		{0, 2, 3, 1},
 		{0, 3, 1, 2},
 		{0, 3, 2, 1},
 		{1, 0, 2, 3},
 		{1, 0, 3, 2},
 		{1, 2, 0, 3},
 		{1, 2, 3, 0},
 		{1, 3, 0, 2},
 		{1, 3, 2, 0},
 		{2, 0, 1, 3},
 		{2, 0, 3, 1},
 		{2, 1, 0, 3},
 		{2, 1, 3, 0},
 		{2, 3, 0, 1},
 		{2, 3, 1, 0},
 		{3, 0, 1, 2},
 		{3, 0, 2, 1},
 		{3, 1, 0, 2},
 		{3, 1, 2, 0},
 		{3, 2, 0, 1},
 		{3, 2, 1, 0},
 	}
 )
 func getGreasedChInvalidBrand(seed int) string {
 	return "\"Not" + clientHintGreaseNA[seed%len(clientHintGreaseNA)] + "A" + clientHintGreaseNA[(seed+1)%len(clientHintGreaseNA)] + "Brand\";v=\"" + clientHintVersionNA[seed%len(clientHintVersionNA)] + "\""
 }
 func getGreasedChOrder(brandLength int, seed int) []int {
 	switch brandLength {
 	case 1:
@@ -92,6 +120,7 @@ func getGreasedChOrder(brandLength int, seed int) []int {
 	}
 	//return []int{}
 }
 func getUngreasedChUa(majorVersion int, forkName string) []string {
 	// Set the capacity to 4, the maximum allowed brand size, so Go will never allocate memory twice
 	baseChUa := make([]string, 0, 4)
@@ -105,6 +134,7 @@ func getUngreasedChUa(majorVersion int, forkName string) []string {
 	}
 	return baseChUa
 }
 func getGreasedChUa(majorVersion int, forkName string) string {
 	ungreasedCh := getUngreasedChUa(majorVersion, forkName)
 	shuffleMap := getGreasedChOrder(len(ungreasedCh), majorVersion)
@@ -116,17 +146,21 @@ func getGreasedChUa(majorVersion int, forkName string) string {
 }
 // The code below provides a coherent default browser user agent string based on a CPU-seeded PRNG.
-var CurlUA = "curl/" + CurlVersion()
+var (
-var AnchoredFirefoxVersion = strconv.Itoa(FirefoxVersion())
+	CurlUA                 = "curl/" + CurlVersion()
-var FirefoxUA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:" + AnchoredFirefoxVersion + ".0) Gecko/20100101 Firefox/" + AnchoredFirefoxVersion + ".0"
+	AnchoredFirefoxVersion = strconv.Itoa(FirefoxVersion())
-var SafariUA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/" + SafariVersion() + " Safari/605.1.15"
+	FirefoxUA              = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:" + AnchoredFirefoxVersion + ".0) Gecko/20100101 Firefox/" + AnchoredFirefoxVersion + ".0"
 	SafariUA               = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/" + SafariVersion() + " Safari/605.1.15"
 )
 // Chromium browsers.
-var AnchoredChromeVersion = ChromeVersion()
+var (
-var ChromeUA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/" + strconv.Itoa(AnchoredChromeVersion) + ".0.0.0 Safari/537.36"
+	AnchoredChromeVersion = ChromeVersion()
-var ChromeUACH = getGreasedChUa(AnchoredChromeVersion, "chrome")
+	ChromeUA              = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/" + strconv.Itoa(AnchoredChromeVersion) + ".0.0.0 Safari/537.36"
-var MSEdgeUA = ChromeUA + "Edg/" + strconv.Itoa(AnchoredChromeVersion) + ".0.0.0"
+	ChromeUACH            = getGreasedChUa(AnchoredChromeVersion, "chrome")
-var MSEdgeUACH = getGreasedChUa(AnchoredChromeVersion, "edge")
+	MSEdgeUA              = ChromeUA + "Edg/" + strconv.Itoa(AnchoredChromeVersion) + ".0.0.0"
 	MSEdgeUACH            = getGreasedChUa(AnchoredChromeVersion, "edge")
 )
 func applyMasqueradedHeaders(header http.Header, browser string, variant string) {
 	// Browser-specific.
--- a/daemon/started_service.go
+++ b/daemon/started_service.go
@@ -603,10 +603,7 @@ func (s *StartedService) URLTest(ctx context.Context, request *URLTestRequest) (
 				return false
 			}
 			_, isGroup := it.(adapter.OutboundGroup)
-			if isGroup {
+			return !isGroup
 				return false
 			}
 			return true
 		})
 		b, _ := batch.New(boxService.ctx, batch.WithConcurrencyNum[any](10))
 		for _, detour := range outbounds {
--- a/daemon/started_service.pb.go
+++ b/daemon/started_service.pb.go
@@ -1,12 +1,13 @@
 package daemon
 import (
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
 	unsafe "unsafe"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 )
 const (
@@ -1947,40 +1948,42 @@ func file_daemon_started_service_proto_rawDescGZIP() []byte {
 	return file_daemon_started_service_proto_rawDescData
 }
-var file_daemon_started_service_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
+var (
-var file_daemon_started_service_proto_msgTypes = make([]protoimpl.MessageInfo, 26)
+	file_daemon_started_service_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-var file_daemon_started_service_proto_goTypes = []any{
+	file_daemon_started_service_proto_msgTypes  = make([]protoimpl.MessageInfo, 26)
-	(LogLevel)(0),                        // 0: daemon.LogLevel
+	file_daemon_started_service_proto_goTypes   = []any{
-	(ConnectionEventType)(0),             // 1: daemon.ConnectionEventType
+		LogLevel(0),                          // 0: daemon.LogLevel
-	(ServiceStatus_Type)(0),              // 2: daemon.ServiceStatus.Type
+		ConnectionEventType(0),               // 1: daemon.ConnectionEventType
-	(*ServiceStatus)(nil),                // 3: daemon.ServiceStatus
+		ServiceStatus_Type(0),                // 2: daemon.ServiceStatus.Type
-	(*ReloadServiceRequest)(nil),         // 4: daemon.ReloadServiceRequest
+		(*ServiceStatus)(nil),                // 3: daemon.ServiceStatus
-	(*SubscribeStatusRequest)(nil),       // 5: daemon.SubscribeStatusRequest
+		(*ReloadServiceRequest)(nil),         // 4: daemon.ReloadServiceRequest
-	(*Log)(nil),                          // 6: daemon.Log
+		(*SubscribeStatusRequest)(nil),       // 5: daemon.SubscribeStatusRequest
-	(*DefaultLogLevel)(nil),              // 7: daemon.DefaultLogLevel
+		(*Log)(nil),                          // 6: daemon.Log
-	(*Status)(nil),                       // 8: daemon.Status
+		(*DefaultLogLevel)(nil),              // 7: daemon.DefaultLogLevel
-	(*Groups)(nil),                       // 9: daemon.Groups
+		(*Status)(nil),                       // 8: daemon.Status
-	(*Group)(nil),                        // 10: daemon.Group
+		(*Groups)(nil),                       // 9: daemon.Groups
-	(*GroupItem)(nil),                    // 11: daemon.GroupItem
+		(*Group)(nil),                        // 10: daemon.Group
-	(*URLTestRequest)(nil),               // 12: daemon.URLTestRequest
+		(*GroupItem)(nil),                    // 11: daemon.GroupItem
-	(*SelectOutboundRequest)(nil),        // 13: daemon.SelectOutboundRequest
+		(*URLTestRequest)(nil),               // 12: daemon.URLTestRequest
-	(*SetGroupExpandRequest)(nil),        // 14: daemon.SetGroupExpandRequest
+		(*SelectOutboundRequest)(nil),        // 13: daemon.SelectOutboundRequest
-	(*ClashMode)(nil),                    // 15: daemon.ClashMode
+		(*SetGroupExpandRequest)(nil),        // 14: daemon.SetGroupExpandRequest
-	(*ClashModeStatus)(nil),              // 16: daemon.ClashModeStatus
+		(*ClashMode)(nil),                    // 15: daemon.ClashMode
-	(*SystemProxyStatus)(nil),            // 17: daemon.SystemProxyStatus
+		(*ClashModeStatus)(nil),              // 16: daemon.ClashModeStatus
-	(*SetSystemProxyEnabledRequest)(nil), // 18: daemon.SetSystemProxyEnabledRequest
+		(*SystemProxyStatus)(nil),            // 17: daemon.SystemProxyStatus
-	(*SubscribeConnectionsRequest)(nil),  // 19: daemon.SubscribeConnectionsRequest
+		(*SetSystemProxyEnabledRequest)(nil), // 18: daemon.SetSystemProxyEnabledRequest
-	(*ConnectionEvent)(nil),              // 20: daemon.ConnectionEvent
+		(*SubscribeConnectionsRequest)(nil),  // 19: daemon.SubscribeConnectionsRequest
-	(*ConnectionEvents)(nil),             // 21: daemon.ConnectionEvents
+		(*ConnectionEvent)(nil),              // 20: daemon.ConnectionEvent
-	(*Connection)(nil),                   // 22: daemon.Connection
+		(*ConnectionEvents)(nil),             // 21: daemon.ConnectionEvents
-	(*ProcessInfo)(nil),                  // 23: daemon.ProcessInfo
+		(*Connection)(nil),                   // 22: daemon.Connection
-	(*CloseConnectionRequest)(nil),       // 24: daemon.CloseConnectionRequest
+		(*ProcessInfo)(nil),                  // 23: daemon.ProcessInfo
-	(*DeprecatedWarnings)(nil),           // 25: daemon.DeprecatedWarnings
+		(*CloseConnectionRequest)(nil),       // 24: daemon.CloseConnectionRequest
-	(*DeprecatedWarning)(nil),            // 26: daemon.DeprecatedWarning
+		(*DeprecatedWarnings)(nil),           // 25: daemon.DeprecatedWarnings
-	(*StartedAt)(nil),                    // 27: daemon.StartedAt
+		(*DeprecatedWarning)(nil),            // 26: daemon.DeprecatedWarning
-	(*Log_Message)(nil),                  // 28: daemon.Log.Message
+		(*StartedAt)(nil),                    // 27: daemon.StartedAt
-	(*emptypb.Empty)(nil),                // 29: google.protobuf.Empty
+		(*Log_Message)(nil),                  // 28: daemon.Log.Message
-}
+		(*emptypb.Empty)(nil),                // 29: google.protobuf.Empty
 	}
 )
 var file_daemon_started_service_proto_depIdxs = []int32{
 	2,  // 0: daemon.ServiceStatus.status:type_name -> daemon.ServiceStatus.Type
 	28, // 1: daemon.Log.messages:type_name -> daemon.Log.Message
--- a/daemon/started_service_grpc.pb.go
+++ b/daemon/started_service_grpc.pb.go
@@ -2,6 +2,7 @@ package daemon
 import (
 	context "context"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -374,63 +375,83 @@ type UnimplementedStartedServiceServer struct{}
 func (UnimplementedStartedServiceServer) StopService(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
 	return nil, status.Error(codes.Unimplemented, "method StopService not implemented")
 }
 func (UnimplementedStartedServiceServer) ReloadService(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
 	return nil, status.Error(codes.Unimplemented, "method ReloadService not implemented")
 }
 func (UnimplementedStartedServiceServer) SubscribeServiceStatus(*emptypb.Empty, grpc.ServerStreamingServer[ServiceStatus]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeServiceStatus not implemented")
 }
 func (UnimplementedStartedServiceServer) SubscribeLog(*emptypb.Empty, grpc.ServerStreamingServer[Log]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeLog not implemented")
 }
 func (UnimplementedStartedServiceServer) GetDefaultLogLevel(context.Context, *emptypb.Empty) (*DefaultLogLevel, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetDefaultLogLevel not implemented")
 }
 func (UnimplementedStartedServiceServer) ClearLogs(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
 	return nil, status.Error(codes.Unimplemented, "method ClearLogs not implemented")
 }
 func (UnimplementedStartedServiceServer) SubscribeStatus(*SubscribeStatusRequest, grpc.ServerStreamingServer[Status]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeStatus not implemented")
 }
 func (UnimplementedStartedServiceServer) SubscribeGroups(*emptypb.Empty, grpc.ServerStreamingServer[Groups]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeGroups not implemented")
 }
 func (UnimplementedStartedServiceServer) GetClashModeStatus(context.Context, *emptypb.Empty) (*ClashModeStatus, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetClashModeStatus not implemented")
 }
 func (UnimplementedStartedServiceServer) SubscribeClashMode(*emptypb.Empty, grpc.ServerStreamingServer[ClashMode]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeClashMode not implemented")
 }
 func (UnimplementedStartedServiceServer) SetClashMode(context.Context, *ClashMode) (*emptypb.Empty, error) {
 	return nil, status.Error(codes.Unimplemented, "method SetClashMode not implemented")
 }
 func (UnimplementedStartedServiceServer) URLTest(context.Context, *URLTestRequest) (*emptypb.Empty, error) {
 	return nil, status.Error(codes.Unimplemented, "method URLTest not implemented")
 }
 func (UnimplementedStartedServiceServer) SelectOutbound(context.Context, *SelectOutboundRequest) (*emptypb.Empty, error) {
 	return nil, status.Error(codes.Unimplemented, "method SelectOutbound not implemented")
 }
 func (UnimplementedStartedServiceServer) SetGroupExpand(context.Context, *SetGroupExpandRequest) (*emptypb.Empty, error) {
 	return nil, status.Error(codes.Unimplemented, "method SetGroupExpand not implemented")
 }
 func (UnimplementedStartedServiceServer) GetSystemProxyStatus(context.Context, *emptypb.Empty) (*SystemProxyStatus, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetSystemProxyStatus not implemented")
 }
 func (UnimplementedStartedServiceServer) SetSystemProxyEnabled(context.Context, *SetSystemProxyEnabledRequest) (*emptypb.Empty, error) {
 	return nil, status.Error(codes.Unimplemented, "method SetSystemProxyEnabled not implemented")
 }
 func (UnimplementedStartedServiceServer) SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeConnections not implemented")
 }
 func (UnimplementedStartedServiceServer) CloseConnection(context.Context, *CloseConnectionRequest) (*emptypb.Empty, error) {
 	return nil, status.Error(codes.Unimplemented, "method CloseConnection not implemented")
 }
 func (UnimplementedStartedServiceServer) CloseAllConnections(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
 	return nil, status.Error(codes.Unimplemented, "method CloseAllConnections not implemented")
 }
 func (UnimplementedStartedServiceServer) GetDeprecatedWarnings(context.Context, *emptypb.Empty) (*DeprecatedWarnings, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetDeprecatedWarnings not implemented")
 }
 func (UnimplementedStartedServiceServer) GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetStartedAt not implemented")
 }
--- a/dns/client.go
+++ b/dns/client.go
@@ -70,10 +70,7 @@ func NewClient(options ClientOptions) *Client {
 	if client.timeout == 0 {
 		client.timeout = C.DNSTimeout
 	}
-	cacheCapacity := options.CacheCapacity
+	cacheCapacity := max(options.CacheCapacity, 1024)
 	if cacheCapacity < 1024 {
 		cacheCapacity = 1024
 	}
 	if !client.disableCache {
 		if !client.independentCache {
 			client.cache = common.Must1(freelru.NewSharded[dns.Question, *dns.Msg](cacheCapacity, maphash.NewHasher[dns.Question]().Hash32))
@@ -334,9 +331,10 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 	if options.LookupStrategy != C.DomainStrategyAsIS {
 		lookupOptions.Strategy = strategy
 	}
-	if strategy == C.DomainStrategyIPv4Only {
+	switch strategy {
 	case C.DomainStrategyIPv4Only:
 		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
-	} else if strategy == C.DomainStrategyIPv6Only {
+	case C.DomainStrategyIPv6Only:
 		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
 	}
 	var response4 []netip.Addr
@@ -500,10 +498,7 @@ func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransp
 				}
 			}
 		}
-		nowTTL := int(expireAt.Sub(timeNow).Seconds())
+		nowTTL := max(int(expireAt.Sub(timeNow).Seconds()), 0)
 		if nowTTL < 0 {
 			nowTTL = 0
 		}
 		response = response.Copy()
 		if originTTL > 0 {
 			duration := uint32(originTTL - nowTTL)
@@ -551,18 +546,6 @@ func MessageToAddresses(response *dns.Msg) []netip.Addr {
 	return addresses
 }
 func wrapError(err error) error {
 	switch dnsErr := err.(type) {
 	case *net.DNSError:
 		if dnsErr.IsNotFound {
 			return RcodeNameError
 		}
 	case *net.AddrError:
 		return RcodeNameError
 	}
 	return err
 }
 type transportKey struct{}
 func contextWithTransportTag(ctx context.Context, transportTag string) context.Context {
--- a/dns/transport/conn_pool.go
+++ b/dns/transport/conn_pool.go
@@ -4,9 +4,10 @@ import (
 	"context"
 	"net"
 	"sync"
 	"time"
 	"github.com/sagernet/sing/common/x/list"
 	"golang.org/x/sync/semaphore"
 )
 type ConnPoolMode int
@@ -17,14 +18,18 @@ const (
 )
 type ConnPoolOptions[T comparable] struct {
-	Mode    ConnPoolMode
+	Mode ConnPoolMode
-	IsAlive func(T) bool
+	// MaxInflight caps concurrent in-progress dials. Only honored in ConnPoolOrdered mode.
-	Close   func(T, error)
+	MaxInflight int
 	IsAlive     func(T) bool
 	Close       func(T, error)
 }
 type ConnPool[T comparable] struct {
 	options ConnPoolOptions[T]
 	sem *semaphore.Weighted
 	access sync.Mutex
 	closed bool
 	state  *connPoolState[T]
@@ -53,24 +58,15 @@ type connPoolConnect[T comparable] struct {
 	err  error
 }
 type connPoolDialContext struct {
 	context.Context
 	parent context.Context
 }
 func (c connPoolDialContext) Deadline() (time.Time, bool) {
 	return c.parent.Deadline()
 }
 func (c connPoolDialContext) Value(key any) any {
 	return c.parent.Value(key)
 }
 func NewConnPool[T comparable](options ConnPoolOptions[T]) *ConnPool[T] {
-	return &ConnPool[T]{
+	p := &ConnPool[T]{
 		options: options,
 		state:   newConnPoolState[T](options.Mode),
 	}
 	if options.Mode == ConnPoolOrdered && options.MaxInflight > 0 {
 		p.sem = semaphore.NewWeighted(int64(options.MaxInflight))
 	}
 	p.state = newConnPoolState[T](options.Mode)
 	return p
 }
 func newConnPoolState[T comparable](mode ConnPoolMode) *connPoolState[T] {
@@ -108,67 +104,27 @@ func (p *ConnPool[T]) AcquireShared(ctx context.Context, dial func(context.Conte
 }
 func (p *ConnPool[T]) Release(conn T, reuse bool) {
 	var (
 		closeConn bool
 		closeErr  error
 	)
 	p.access.Lock()
-	if p.closed || p.state == nil {
+	if p.closed {
 		closeConn = true
 		closeErr = net.ErrClosed
 		p.access.Unlock()
-		if closeConn {
+		p.options.Close(conn, net.ErrClosed)
 			p.options.Close(conn, closeErr)
 		}
 		return
 	}
-
+	state := p.state
-	currentState := p.state
+	if _, tracked := state.all[conn]; !tracked {
 	_, tracked := currentState.all[conn]
 	if !tracked {
 		closeConn = true
 		closeErr = p.closeCause(currentState)
 		p.access.Unlock()
-		if closeConn {
+		p.options.Close(conn, net.ErrClosed)
 			p.options.Close(conn, closeErr)
 		}
 		return
 	}
 	if !reuse || !p.options.IsAlive(conn) {
-		delete(currentState.all, conn)
+		p.removeConn(state, conn, net.ErrClosed)
 		switch p.options.Mode {
 		case ConnPoolSingle:
 			if currentState.hasShared && currentState.shared == conn {
 				var zero T
 				currentState.shared = zero
 				currentState.hasShared = false
 				currentState.sharedClaimed = false
 				currentState.sharedCtx = nil
 				if currentState.sharedCancel != nil {
 					currentState.sharedCancel(net.ErrClosed)
 					currentState.sharedCancel = nil
 				}
 			}
 		case ConnPoolOrdered:
 			if element, loaded := currentState.idleElements[conn]; loaded {
 				currentState.idle.Remove(element)
 				delete(currentState.idleElements, conn)
 			}
 		}
 		closeConn = true
 		closeErr = net.ErrClosed
 		p.access.Unlock()
-		if closeConn {
+		p.options.Close(conn, net.ErrClosed)
 			p.options.Close(conn, closeErr)
 		}
 		return
 	}
 	if p.options.Mode == ConnPoolOrdered {
-		if _, loaded := currentState.idleElements[conn]; !loaded {
+		if _, idle := state.idleElements[conn]; !idle {
-			currentState.idleElements[conn] = currentState.idle.PushBack(conn)
+			state.idleElements[conn] = state.idle.PushBack(conn)
 		}
 	}
 	p.access.Unlock()
@@ -176,42 +132,68 @@ func (p *ConnPool[T]) Release(conn T, reuse bool) {
 func (p *ConnPool[T]) Invalidate(conn T, cause error) {
 	p.access.Lock()
-	if p.closed || p.state == nil {
+	if p.closed {
 		p.access.Unlock()
 		p.options.Close(conn, cause)
 		return
 	}
-
+	state := p.state
-	currentState := p.state
+	if _, tracked := state.all[conn]; !tracked {
 	_, tracked := currentState.all[conn]
 	if !tracked {
 		p.access.Unlock()
 		return
 	}
 	p.removeConn(state, conn, cause)
 	p.access.Unlock()
 	p.options.Close(conn, cause)
 }
-	delete(currentState.all, conn)
+func (p *ConnPool[T]) acquireSlot(ctx context.Context, state *connPoolState[T]) error {
 	if p.sem == nil {
 		return nil
 	}
 	acquireCtx, cancel := context.WithCancel(ctx)
 	stopStateCancel := context.AfterFunc(state.ctx, cancel)
 	err := p.sem.Acquire(acquireCtx, 1)
 	stopStateCancel()
 	cancel()
 	if err == nil {
 		return nil
 	}
 	ctxErr := ctx.Err()
 	if ctxErr != nil {
 		return ctxErr
 	}
 	return context.Cause(state.ctx)
 }
 func (p *ConnPool[T]) releaseSlot() {
 	if p.sem != nil {
 		p.sem.Release(1)
 	}
 }
 // removeConn must be called with p.access held.
 func (p *ConnPool[T]) removeConn(state *connPoolState[T], conn T, cause error) {
 	delete(state.all, conn)
 	switch p.options.Mode {
 	case ConnPoolSingle:
-		if currentState.hasShared && currentState.shared == conn {
+		if state.hasShared && state.shared == conn {
 			var zero T
-			currentState.shared = zero
+			state.shared = zero
-			currentState.hasShared = false
+			state.hasShared = false
-			currentState.sharedClaimed = false
+			state.sharedClaimed = false
-			currentState.sharedCtx = nil
+			state.sharedCtx = nil
-			if currentState.sharedCancel != nil {
+			if state.sharedCancel != nil {
-				currentState.sharedCancel(cause)
+				state.sharedCancel(cause)
-				currentState.sharedCancel = nil
+				state.sharedCancel = nil
 			}
 		}
 	case ConnPoolOrdered:
-		if element, loaded := currentState.idleElements[conn]; loaded {
+		if element, loaded := state.idleElements[conn]; loaded {
-			currentState.idle.Remove(element)
+			state.idle.Remove(element)
-			delete(currentState.idleElements, conn)
+			delete(state.idleElements, conn)
 		}
 	}
 	p.access.Unlock()
 	p.options.Close(conn, cause)
 }
 func (p *ConnPool[T]) Reset() {
@@ -220,7 +202,6 @@ func (p *ConnPool[T]) Reset() {
 		p.access.Unlock()
 		return
 	}
 	oldState := p.state
 	p.state = newConnPoolState[T](p.options.Mode)
 	p.access.Unlock()
@@ -234,7 +215,6 @@ func (p *ConnPool[T]) Close() error {
 		p.access.Unlock()
 		return nil
 	}
 	p.closed = true
 	oldState := p.state
 	p.state = nil
@@ -247,77 +227,83 @@ func (p *ConnPool[T]) Close() error {
 func (p *ConnPool[T]) acquireOrdered(ctx context.Context, dial func(context.Context) (T, error)) (T, bool, error) {
 	var zero T
 	for {
 		var (
 			staleConn T
 			hasStale  bool
 		)
 		p.access.Lock()
 		if p.closed {
 			p.access.Unlock()
 			return zero, false, net.ErrClosed
 		}
-
+		current := p.state
-		currentState := p.state
+		if element := current.idle.Front(); element != nil {
-		if element := currentState.idle.Front(); element != nil {
+			idleConn := current.idle.Remove(element)
-			conn := currentState.idle.Remove(element)
+			delete(current.idleElements, idleConn)
-			delete(currentState.idleElements, conn)
+			if p.options.IsAlive(idleConn) {
 			if p.options.IsAlive(conn) {
 				p.access.Unlock()
-				return conn, false, nil
+				return idleConn, false, nil
 			}
-			delete(currentState.all, conn)
+			delete(current.all, idleConn)
-			staleConn = conn
+			p.access.Unlock()
-			hasStale = true
+			p.options.Close(idleConn, net.ErrClosed)
 		}
 		p.access.Unlock()
 		if hasStale {
 			p.options.Close(staleConn, net.ErrClosed)
 			continue
 		}
 		conn, err := p.dial(ctx, currentState, dial)
 		if err != nil {
 			return zero, false, err
 		}
 		p.access.Lock()
 		if p.closed {
 			p.access.Unlock()
 			p.options.Close(conn, net.ErrClosed)
 			return zero, false, net.ErrClosed
 		}
 		if p.state != currentState {
 			cause := p.closeCause(currentState)
 			p.access.Unlock()
 			p.options.Close(conn, cause)
 			return zero, false, cause
 		}
 		currentState.all[conn] = struct{}{}
 		p.access.Unlock()
-		return conn, true, nil
+		return p.dialAndInstall(ctx, current, dial)
 	}
 }
 func (p *ConnPool[T]) dialAndInstall(ctx context.Context, current *connPoolState[T], dial func(context.Context) (T, error)) (T, bool, error) {
 	var zero T
 	err := p.acquireSlot(ctx, current)
 	if err != nil {
 		return zero, false, err
 	}
 	defer p.releaseSlot()
 	dialCtx, dialCancel := context.WithCancelCause(ctx)
 	stopStateCancel := context.AfterFunc(current.ctx, func() {
 		dialCancel(context.Cause(current.ctx))
 	})
 	conn, err := dial(dialCtx)
 	stateCancelStopped := stopStateCancel()
 	dialErr := context.Cause(dialCtx)
 	if dialErr == nil && !stateCancelStopped {
 		dialErr = context.Cause(current.ctx)
 	}
 	dialCancel(nil)
 	if err != nil {
 		if dialErr != nil {
 			return zero, false, dialErr
 		}
 		return zero, false, err
 	}
 	if dialErr != nil {
 		p.options.Close(conn, dialErr)
 		return zero, false, dialErr
 	}
 	p.access.Lock()
 	if p.closed {
 		p.access.Unlock()
 		p.options.Close(conn, net.ErrClosed)
 		return zero, false, net.ErrClosed
 	}
 	if p.state != current {
 		p.access.Unlock()
 		p.options.Close(conn, net.ErrClosed)
 		return zero, false, net.ErrClosed
 	}
 	current.all[conn] = struct{}{}
 	p.access.Unlock()
 	return conn, true, nil
 }
 func (p *ConnPool[T]) acquireShared(ctx context.Context, dial func(context.Context) (T, error)) (T, context.Context, bool, error) {
 	var zero T
 	for {
 		var (
 			staleConn T
 			hasStale  bool
 			state     *connPoolConnect[T]
 			current   *connPoolState[T]
 			startDial bool
 		)
 		p.access.Lock()
 		if p.closed {
 			p.access.Unlock()
 			return zero, nil, false, net.ErrClosed
 		}
-
+		current := p.state
 		current = p.state
 		if current.hasShared {
 			conn := current.shared
 			if p.options.IsAlive(conn) {
@@ -327,35 +313,19 @@ func (p *ConnPool[T]) acquireShared(ctx context.Context, dial func(context.Conte
 				p.access.Unlock()
 				return conn, connCtx, created, nil
 			}
-			delete(current.all, conn)
+			p.removeConn(current, conn, net.ErrClosed)
 			var zeroConn T
 			current.shared = zeroConn
 			current.hasShared = false
 			current.sharedClaimed = false
 			current.sharedCtx = nil
 			if current.sharedCancel != nil {
 				current.sharedCancel(net.ErrClosed)
 				current.sharedCancel = nil
 			}
 			staleConn = conn
 			hasStale = true
 			p.access.Unlock()
-			p.options.Close(staleConn, net.ErrClosed)
+			p.options.Close(conn, net.ErrClosed)
 			continue
 		}
-		if current.connecting == nil {
+		startDial := current.connecting == nil
-			current.connecting = &connPoolConnect[T]{
+		if startDial {
-				done: make(chan struct{}),
+			current.connecting = &connPoolConnect[T]{done: make(chan struct{})}
 			}
 			startDial = true
 		}
-		state = current.connecting
+		state := current.connecting
 		p.access.Unlock()
 		if hasStale {
 			continue
 		}
 		if startDial {
 			go p.connectSingle(current, state, ctx, dial)
 		}
@@ -381,35 +351,39 @@ func (p *ConnPool[T]) acquireShared(ctx context.Context, dial func(context.Conte
 }
 func (p *ConnPool[T]) connectSingle(current *connPoolState[T], state *connPoolConnect[T], ctx context.Context, dial func(context.Context) (T, error)) {
-	conn, err := p.dial(ctx, current, dial)
+	dialCtx, dialCancel := context.WithCancelCause(ctx)
-	if err != nil {
+	stopStateCancel := context.AfterFunc(current.ctx, func() {
-		p.access.Lock()
+		dialCancel(context.Cause(current.ctx))
-		if current.connecting == state {
+	})
-			current.connecting = nil
+	conn, err := dial(dialCtx)
 	stateCancelStopped := stopStateCancel()
 	dialErr := context.Cause(dialCtx)
 	if dialErr == nil && !stateCancelStopped {
 		dialErr = context.Cause(current.ctx)
 	}
 	dialCancel(nil)
 	if dialErr != nil {
 		if err == nil {
 			p.options.Close(conn, dialErr)
 		}
-		state.err = err
+		err = dialErr
 		p.access.Unlock()
 		close(state.done)
 		return
 	}
 	var closeErr error
 	p.access.Lock()
-	if current.connecting == state {
+	current.connecting = nil
-		current.connecting = nil
+	if err != nil {
-	}
+		state.err = err
-	if p.closed {
+	} else if p.closed {
 		closeErr = net.ErrClosed
 		state.err = closeErr
 	} else if p.state != current {
-		closeErr = p.closeCause(current)
+		closeErr = net.ErrClosed
 		state.err = closeErr
 	} else {
 		sharedCtx, sharedCancel := context.WithCancelCause(current.ctx)
 		current.shared = conn
 		current.hasShared = true
 		current.sharedClaimed = false
 		current.sharedCtx = sharedCtx
 		current.sharedCancel = sharedCancel
 		current.all[conn] = struct{}{}
@@ -439,9 +413,8 @@ func (p *ConnPool[T]) collectShared(current *connPoolState[T], state *connPoolCo
 		return zero, nil, false, false, net.ErrClosed
 	}
 	if p.state != current {
 		cause := p.closeCause(current)
 		p.access.Unlock()
-		return zero, nil, false, false, cause
+		return zero, nil, false, false, net.ErrClosed
 	}
 	if !current.hasShared {
 		p.access.Unlock()
@@ -450,16 +423,7 @@ func (p *ConnPool[T]) collectShared(current *connPoolState[T], state *connPoolCo
 	conn := current.shared
 	if !p.options.IsAlive(conn) {
-		delete(current.all, conn)
+		p.removeConn(current, conn, net.ErrClosed)
 		var zeroConn T
 		current.shared = zeroConn
 		current.hasShared = false
 		current.sharedClaimed = false
 		current.sharedCtx = nil
 		if current.sharedCancel != nil {
 			current.sharedCancel(net.ErrClosed)
 			current.sharedCancel = nil
 		}
 		p.access.Unlock()
 		p.options.Close(conn, net.ErrClosed)
 		return zero, nil, false, true, nil
@@ -472,76 +436,9 @@ func (p *ConnPool[T]) collectShared(current *connPoolState[T], state *connPoolCo
 	return conn, connCtx, created, false, nil
 }
 func (p *ConnPool[T]) dial(ctx context.Context, current *connPoolState[T], dial func(context.Context) (T, error)) (T, error) {
 	var zero T
 	if err := ctx.Err(); err != nil {
 		return zero, err
 	}
 	if cause := context.Cause(current.ctx); cause != nil {
 		return zero, cause
 	}
 	dialCtx, cancel := context.WithCancelCause(current.ctx)
 	var (
 		stateAccess  sync.Mutex
 		dialComplete bool
 	)
 	stopCancel := context.AfterFunc(ctx, func() {
 		stateAccess.Lock()
 		if !dialComplete {
 			cancel(context.Cause(ctx))
 		}
 		stateAccess.Unlock()
 	})
 	select {
 	case <-ctx.Done():
 		stateAccess.Lock()
 		dialComplete = true
 		stateAccess.Unlock()
 		stopCancel()
 		cancel(context.Cause(ctx))
 		return zero, ctx.Err()
 	default:
 	}
 	conn, err := dial(connPoolDialContext{
 		Context: dialCtx,
 		parent:  ctx,
 	})
 	stateAccess.Lock()
 	dialComplete = true
 	stateAccess.Unlock()
 	stopCancel()
 	if err != nil {
 		if cause := context.Cause(dialCtx); cause != nil {
 			return zero, cause
 		}
 		return zero, err
 	}
 	if cause := context.Cause(dialCtx); cause != nil {
 		p.options.Close(conn, cause)
 		return zero, cause
 	}
 	return conn, nil
 }
 func (p *ConnPool[T]) closeState(state *connPoolState[T], cause error) {
 	if state == nil {
 		return
 	}
 	state.cancel(cause)
 	if state.sharedCancel != nil {
 		state.sharedCancel(cause)
 	}
 	for conn := range state.all {
 		p.options.Close(conn, cause)
 	}
 }
 func (p *ConnPool[T]) closeCause(state *connPoolState[T]) error {
 	_ = state
 	return net.ErrClosed
 }
--- a/dns/transport/dhcp/dhcp.go
+++ b/dns/transport/dhcp/dhcp.go
@@ -222,7 +222,7 @@ func (t *Transport) fetchServers0(ctx context.Context, iface *control.Interface)
 		packetConn net.PacketConn
 		err        error
 	)
-	for i := 0; i < 5; i++ {
+	for range 5 {
 		packetConn, err = listener.ListenPacket(t.ctx, "udp4", listenAddr)
 		if err == nil || !errors.Is(err, syscall.EADDRINUSE) {
 			break
--- a/dns/transport/dhcp/dhcp_shared.go
+++ b/dns/transport/dhcp/dhcp_shared.go
@@ -72,7 +72,7 @@ func (t *Transport) tryOneName(ctx context.Context, servers []M.Socksaddr, fqdn
 	sLen := len(servers)
 	var lastErr error
 	for i := 0; i < t.attempts; i++ {
-		for j := 0; j < sLen; j++ {
+		for j := range sLen {
 			server := servers[j]
 			question := message.Question[0]
 			question.Name = fqdn
--- a/dns/transport/local/local_resolved_stub.go
+++ b/dns/transport/local/local_resolved_stub.go
@@ -1,5 +1,6 @@
 //go:build !linux
 //nolint:unused
 package local
 import (
--- a/dns/transport/local/local_shared.go
+++ b/dns/transport/local/local_shared.go
@@ -82,7 +82,7 @@ func (t *Transport) tryOneName(ctx context.Context, config *dnsConfig, fqdn stri
 	sLen := uint32(len(config.servers))
 	var lastErr error
 	for i := 0; i < config.attempts; i++ {
-		for j := uint32(0); j < sLen; j++ {
+		for j := range sLen {
 			server := config.servers[(serverOffset+j)%sLen]
 			question := message.Question[0]
 			question.Name = fqdn
--- a/dns/transport/local/resolv.go
+++ b/dns/transport/local/resolv.go
@@ -1,3 +1,4 @@
 //nolint:unused
 package local
 import (
--- a/dns/transport/local/resolv_default.go
+++ b/dns/transport/local/resolv_default.go
@@ -1,3 +1,4 @@
 //nolint:unused
 package local
 import (
--- a/dns/transport/quic/quic.go
+++ b/dns/transport/quic/quic.go
@@ -100,7 +100,7 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 		err      error
 		response *mDNS.Msg
 	)
-	for i := 0; i < 2; i++ {
+	for range 2 {
 		conn, _, err = t.connection.Acquire(ctx, func(ctx context.Context) (*quic.Conn, error) {
 			rawConn, err := t.dialer.DialContext(ctx, N.NetworkUDP, t.serverAddr)
 			if err != nil {
--- a/dns/transport/tcp.go
+++ b/dns/transport/tcp.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"encoding/binary"
 	"io"
 	"net"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
@@ -13,6 +15,7 @@ import (
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio/deadline"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -71,6 +74,7 @@ func (t *TCPTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.M
 		return nil, E.Cause(err, "dial TCP connection")
 	}
 	defer conn.Close()
 	defer setConnDeadline(ctx, conn, deadline.NeedAdditionalReadDeadline(conn))()
 	err = WriteMessage(conn, 0, message)
 	if err != nil {
 		return nil, E.Cause(err, "write request")
@@ -82,6 +86,20 @@ func (t *TCPTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.M
 	return response, nil
 }
 func setConnDeadline(ctx context.Context, conn net.Conn, needClose bool) func() {
 	if needClose {
 		stop := context.AfterFunc(ctx, func() {
 			conn.Close()
 		})
 		return func() { stop() }
 	}
 	if d, ok := ctx.Deadline(); ok {
 		conn.SetDeadline(d)
 		return func() { conn.SetDeadline(time.Time{}) }
 	}
 	return func() {}
 }
 func ReadMessage(reader io.Reader) (*mDNS.Msg, error) {
 	var responseLen uint16
 	err := binary.Read(reader, binary.BigEndian, &responseLen)
--- a/dns/transport/tls.go
+++ b/dns/transport/tls.go
@@ -2,7 +2,6 @@ package transport
 import (
 	"context"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
@@ -12,6 +11,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio/deadline"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
@@ -22,6 +22,8 @@ import (
 var _ adapter.DNSTransport = (*TLSTransport)(nil)
 const tlsDNSMaxInflight = 8
 func RegisterTLS(registry *dns.TransportRegistry) {
 	dns.RegisterTransport[option.RemoteTLSDNSServerOptions](registry, C.DNSTypeTLS, NewTLS)
 }
@@ -38,7 +40,8 @@ type TLSTransport struct {
 type tlsDNSConn struct {
 	tls.Conn
-	queryId uint16
+	queryId           uint16
 	needDeadlineClose bool
 }
 func NewTLS(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteTLSDNSServerOptions) (adapter.DNSTransport, error) {
@@ -70,7 +73,8 @@ func NewTLSRaw(logger logger.ContextLogger, adapter dns.TransportAdapter, dialer
 		serverAddr:       serverAddr,
 		tlsConfig:        tlsConfig,
 		connections: NewConnPool(ConnPoolOptions[*tlsDNSConn]{
-			Mode: ConnPoolOrdered,
+			Mode:        ConnPoolOrdered,
 			MaxInflight: tlsDNSMaxInflight,
 			IsAlive: func(conn *tlsDNSConn) bool {
 				return conn != nil
 			},
@@ -98,13 +102,16 @@ func (t *TLSTransport) Reset() {
 func (t *TLSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	var lastErr error
-	for attempt := 0; attempt < 2; attempt++ {
+	for range 2 {
 		conn, created, err := t.connections.Acquire(ctx, func(ctx context.Context) (*tlsDNSConn, error) {
 			tlsConn, err := t.dialer.DialTLSContext(ctx, t.serverAddr)
 			if err != nil {
 				return nil, E.Cause(err, "dial TLS connection")
 			}
-			return &tlsDNSConn{Conn: tlsConn}, nil
+			return &tlsDNSConn{
 				Conn:              tlsConn,
 				needDeadlineClose: deadline.NeedAdditionalReadDeadline(tlsConn.NetConn()),
 			}, nil
 		})
 		if err != nil {
 			return nil, err
@@ -125,9 +132,7 @@ func (t *TLSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.M
 }
 func (t *TLSTransport) exchange(ctx context.Context, message *mDNS.Msg, conn *tlsDNSConn) (*mDNS.Msg, error) {
-	if deadline, ok := ctx.Deadline(); ok {
+	defer setConnDeadline(ctx, conn, conn.needDeadlineClose)()
 		conn.SetDeadline(deadline)
 	}
 	conn.queryId++
 	err := WriteMessage(conn, conn.queryId, message)
 	if err != nil {
@@ -137,6 +142,5 @@ func (t *TLSTransport) exchange(ctx context.Context, message *mDNS.Msg, conn *tl
 	if err != nil {
 		return nil, E.Cause(err, "read response")
 	}
 	conn.SetDeadline(time.Time{})
 	return response, nil
 }
--- a/dns/transport/udp.go
+++ b/dns/transport/udp.go
@@ -13,6 +13,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio/deadline"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
@@ -130,6 +131,7 @@ func (t *UDPTransport) exchangeTCP(ctx context.Context, message *mDNS.Msg) (*mDN
 		return nil, E.Cause(err, "dial TCP connection")
 	}
 	defer conn.Close()
 	defer setConnDeadline(ctx, conn, deadline.NeedAdditionalReadDeadline(conn))()
 	err = WriteMessage(conn, message.Id, message)
 	if err != nil {
 		return nil, E.Cause(err, "write request")
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,6 +2,11 @@
 icon: material/alert-decagram
 ---
 #### 1.13.12
 * Update naiveproxy to v148.0.7778.96-1
 * Fixes and improvements
 #### 1.13.11
 * Fix process searcher failure introduced in 1.13.9
--- a/experimental/cachefile/cache.go
+++ b/experimental/cachefile/cache.go
@@ -116,7 +116,7 @@ func (c *CacheFile) Start(stage adapter.StartStage) error {
 		db  *bbolt.DB
 		err error
 	)
-	for i := 0; i < 10; i++ {
+	for range 10 {
 		db, err = bbolt.Open(c.path, fileMode, &options)
 		if err == nil {
 			break
--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -166,7 +166,7 @@ func (s *Server) Start(stage adapter.StartStage) error {
 				listener net.Listener
 				err      error
 			)
-			for i := 0; i < 3; i++ {
+			for range 3 {
 				listener, err = net.Listen("tcp", s.httpServer.Addr)
 				if runtime.GOOS == "android" && errors.Is(err, syscall.EADDRINUSE) {
 					time.Sleep(100 * time.Millisecond)
--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -147,7 +147,7 @@ func (c *CommandClient) dialWithRetry(target string, contextDialer func(context.
 	var client daemon.StartedServiceClient
 	var lastError error
-	for attempt := 0; attempt < commandClientDialAttempts; attempt++ {
+	for attempt := range commandClientDialAttempts {
 		if connection == nil {
 			options := []grpc.DialOption{
 				grpc.WithTransportCredentials(insecure.NewCredentials()),
--- a/experimental/libbox/command_server.go
+++ b/experimental/libbox/command_server.go
@@ -114,7 +114,7 @@ func (s *CommandServer) Start() error {
 	if sCommandServerListenPort == 0 {
 		sockPath := filepath.Join(sBasePath, "command.sock")
 		os.Remove(sockPath)
-		for i := 0; i < 30; i++ {
+		for range 30 {
 			listener, err = net.ListenUnix("unix", &net.UnixAddr{
 				Name: sockPath,
 				Net:  "unix",
--- a/experimental/libbox/command_types.go
+++ b/experimental/libbox/command_types.go
@@ -418,13 +418,3 @@ func systemProxyStatusFromGRPC(status *daemon.SystemProxyStatus) *SystemProxySta
 		Enabled:   status.Enabled,
 	}
 }
 func systemProxyStatusToGRPC(status *SystemProxyStatus) *daemon.SystemProxyStatus {
 	if status == nil {
 		return nil
 	}
 	return &daemon.SystemProxyStatus{
 		Available: status.Available,
 		Enabled:   status.Enabled,
 	}
 }
--- a/experimental/libbox/log.go
+++ b/experimental/libbox/log.go
@@ -8,8 +8,6 @@ import (
 	"runtime/debug"
 )
 var crashOutputFile *os.File
 func RedirectStderr(path string) error {
 	if stats, err := os.Stat(path); err == nil && stats.Size() > 0 {
 		_ = os.Rename(path, path+".old")
@@ -32,6 +30,5 @@ func RedirectStderr(path string) error {
 		os.Remove(outputFile.Name())
 		return err
 	}
-	crashOutputFile = outputFile
+	return outputFile.Close()
 	return nil
 }
--- a/experimental/libbox/monitor.go
+++ b/experimental/libbox/monitor.go
@@ -16,7 +16,6 @@ var (
 type platformDefaultInterfaceMonitor struct {
 	*platformInterfaceWrapper
 	logger      logger.Logger
 	element     *list.Element[tun.NetworkUpdateCallback]
 	callbacks   list.List[tun.DefaultInterfaceUpdateCallback]
 	myInterface string
 }
--- a/experimental/libbox/platform.go
+++ b/experimental/libbox/platform.go
@@ -1,9 +1,6 @@
 package libbox
-import (
+import C "github.com/sagernet/sing-box/constant"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 )
 type PlatformInterface interface {
 	LocalDNSTransport() LocalDNSTransport
@@ -98,37 +95,3 @@ type OnDemandRuleIterator interface {
 	Next() OnDemandRule
 	HasNext() bool
 }
 type onDemandRule struct {
 	option.OnDemandRule
 }
 func (r *onDemandRule) Target() int32 {
 	if r.OnDemandRule.Action == nil {
 		return -1
 	}
 	return int32(*r.OnDemandRule.Action)
 }
 func (r *onDemandRule) DNSSearchDomainMatch() StringIterator {
 	return newIterator(r.OnDemandRule.DNSSearchDomainMatch)
 }
 func (r *onDemandRule) DNSServerAddressMatch() StringIterator {
 	return newIterator(r.OnDemandRule.DNSServerAddressMatch)
 }
 func (r *onDemandRule) InterfaceTypeMatch() int32 {
 	if r.OnDemandRule.InterfaceTypeMatch == nil {
 		return -1
 	}
 	return int32(*r.OnDemandRule.InterfaceTypeMatch)
 }
 func (r *onDemandRule) SSIDMatch() StringIterator {
 	return newIterator(r.OnDemandRule.SSIDMatch)
 }
 func (r *onDemandRule) ProbeURL() string {
 	return r.OnDemandRule.ProbeURL
 }
--- a/experimental/libbox/tun_darwin.go
+++ b/experimental/libbox/tun_darwin.go
@@ -11,7 +11,7 @@ const utunControlName = "com.apple.net.utun_control"
 func GetTunnelFileDescriptor() int32 {
 	ctlInfo := &unix.CtlInfo{}
 	copy(ctlInfo.Name[:], utunControlName)
-	for fd := 0; fd < 1024; fd++ {
+	for fd := range 1024 {
 		addr, err := unix.Getpeername(fd)
 		if err != nil {
 			continue
--- a/experimental/v2rayapi/stats.pb.go
+++ b/experimental/v2rayapi/stats.pb.go
@@ -1,11 +1,12 @@
 package v2rayapi
 import (
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
 	unsafe "unsafe"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 )
 const (
@@ -483,16 +484,18 @@ func file_experimental_v2rayapi_stats_proto_rawDescGZIP() []byte {
 	return file_experimental_v2rayapi_stats_proto_rawDescData
 }
-var file_experimental_v2rayapi_stats_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var (
-var file_experimental_v2rayapi_stats_proto_goTypes = []any{
+	file_experimental_v2rayapi_stats_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
-	(*GetStatsRequest)(nil),    // 0: experimental.v2rayapi.GetStatsRequest
+	file_experimental_v2rayapi_stats_proto_goTypes  = []any{
-	(*Stat)(nil),               // 1: experimental.v2rayapi.Stat
+		(*GetStatsRequest)(nil),    // 0: experimental.v2rayapi.GetStatsRequest
-	(*GetStatsResponse)(nil),   // 2: experimental.v2rayapi.GetStatsResponse
+		(*Stat)(nil),               // 1: experimental.v2rayapi.Stat
-	(*QueryStatsRequest)(nil),  // 3: experimental.v2rayapi.QueryStatsRequest
+		(*GetStatsResponse)(nil),   // 2: experimental.v2rayapi.GetStatsResponse
-	(*QueryStatsResponse)(nil), // 4: experimental.v2rayapi.QueryStatsResponse
+		(*QueryStatsRequest)(nil),  // 3: experimental.v2rayapi.QueryStatsRequest
-	(*SysStatsRequest)(nil),    // 5: experimental.v2rayapi.SysStatsRequest
+		(*QueryStatsResponse)(nil), // 4: experimental.v2rayapi.QueryStatsResponse
-	(*SysStatsResponse)(nil),   // 6: experimental.v2rayapi.SysStatsResponse
+		(*SysStatsRequest)(nil),    // 5: experimental.v2rayapi.SysStatsRequest
-}
+		(*SysStatsResponse)(nil),   // 6: experimental.v2rayapi.SysStatsResponse
 	}
 )
 var file_experimental_v2rayapi_stats_proto_depIdxs = []int32{
 	1, // 0: experimental.v2rayapi.GetStatsResponse.stat:type_name -> experimental.v2rayapi.Stat
 	1, // 1: experimental.v2rayapi.QueryStatsResponse.stat:type_name -> experimental.v2rayapi.Stat
--- a/experimental/v2rayapi/stats_grpc.pb.go
+++ b/experimental/v2rayapi/stats_grpc.pb.go
@@ -2,6 +2,7 @@ package v2rayapi
 import (
 	context "context"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -85,9 +86,11 @@ type UnimplementedStatsServiceServer struct{}
 func (UnimplementedStatsServiceServer) GetStats(context.Context, *GetStatsRequest) (*GetStatsResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetStats not implemented")
 }
 func (UnimplementedStatsServiceServer) QueryStats(context.Context, *QueryStatsRequest) (*QueryStatsResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method QueryStats not implemented")
 }
 func (UnimplementedStatsServiceServer) GetSysStats(context.Context, *SysStatsRequest) (*SysStatsResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetSysStats not implemented")
 }
--- a/go.mod
+++ b/go.mod
@@ -34,13 +34,13 @@ require (
 	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cors v1.2.1
-	github.com/sagernet/cronet-go v0.0.0-20260413093659-e4926ba205fa
+	github.com/sagernet/cronet-go v0.0.0-20260513071958-2faf34666c2c
-	github.com/sagernet/cronet-go/all v0.0.0-20260413093659-e4926ba205fa
+	github.com/sagernet/cronet-go/all v0.0.0-20260513071958-2faf34666c2c
 	github.com/sagernet/fswatch v0.1.2
 	github.com/sagernet/gomobile v0.1.12
 	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
 	github.com/sagernet/quic-go v0.59.0-sing-box-mod.4
-	github.com/sagernet/sing v0.8.9
+	github.com/sagernet/sing v0.8.10
 	github.com/sagernet/sing-mux v0.3.4
 	github.com/sagernet/sing-quic v0.6.1
 	github.com/sagernet/sing-shadowsocks v0.2.8
@@ -108,7 +108,7 @@ require (
 	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa // indirect
 	github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 // indirect
 	github.com/dolonet/mtg-multi v1.8.0
-	github.com/ebitengine/purego v0.9.1 // indirect
+	github.com/ebitengine/purego v0.10.0 // indirect
 	github.com/florianl/go-nfqueue/v2 v2.0.2 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
@@ -149,35 +149,35 @@ require (
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
-	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260513071149-ade33496efb8 // indirect
-	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260413092954-cd09eb3e271b // indirect
+	github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260513071149-ade33496efb8 // indirect
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a // indirect
 	github.com/sagernet/nftables v0.3.0-mod.2 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
@@ -199,7 +199,7 @@ require (
 	go.uber.org/zap/exp v0.3.0 // indirect
 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
 	golang.org/x/oauth2 v0.34.0 // indirect
-	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sync v0.20.0
 	golang.org/x/term v0.41.0 // indirect
 	golang.org/x/text v0.35.0 // indirect
 	golang.org/x/time v0.15.0
--- a/go.sum
+++ b/go.sum
@@ -85,8 +85,8 @@ github.com/dunglas/httpsfv v1.1.0 h1:Jw76nAyKWKZKFrpMMcL76y35tOpYHqQPzHQiwDvpe54
 github.com/dunglas/httpsfv v1.1.0/go.mod h1:zID2mqw9mFsnt7YC3vYQ9/cjq30q41W+1AnDwH8TiMg=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
+github.com/ebitengine/purego v0.10.0 h1:QIw4xfpWT6GWTzaW5XEKy3HXoqrJGx1ijYHzTF0/ISU=
-github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/ebitengine/purego v0.10.0/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/enfein/mieru/v3 v3.17.1 h1:pIKbspsKRYNyUrORVI33t1/yz2syaaUkIanskAbGBHY=
 github.com/enfein/mieru/v3 v3.17.1/go.mod h1:zJBUCsi5rxyvHM8fjFf+GLaEl4OEjjBXr1s5F6Qd3hM=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -283,68 +283,68 @@ github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkk
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a/go.mod h1:63s7jpZqcDAIpj8oI/1v4Izok+npJOHACFCU6+huCkM=
 github.com/sagernet/cors v1.2.1 h1:Cv5Z8y9YSD6Gm+qSpNrL3LO4lD3eQVvbFYJSG7JCMHQ=
 github.com/sagernet/cors v1.2.1/go.mod h1:O64VyOjjhrkLmQIjF4KGRrJO/5dVXFdpEmCW/eISRAI=
-github.com/sagernet/cronet-go v0.0.0-20260413093659-e4926ba205fa h1:7SehNSF1UHbLZa5dk+1rW1aperffJzl5r6TCJIXtAaY=
+github.com/sagernet/cronet-go v0.0.0-20260513071958-2faf34666c2c h1:JatMWK/reVa5Y+x3D3l49SVtHB/EQUEtQnAFTxPBNxY=
-github.com/sagernet/cronet-go v0.0.0-20260413093659-e4926ba205fa/go.mod h1:hwFHBEjjthyEquDULbr4c4ucMedp8Drb6Jvm2kt/0Bw=
+github.com/sagernet/cronet-go v0.0.0-20260513071958-2faf34666c2c/go.mod h1:T/mwtrpC4JlWfScw73CmSBvHzIvc7BatQ1MhRr+cYNw=
-github.com/sagernet/cronet-go/all v0.0.0-20260413093659-e4926ba205fa h1:ijk5v9N/akiMgqu734yMpv7Pk9F4Qmjh8Vfdcb4uJHE=
+github.com/sagernet/cronet-go/all v0.0.0-20260513071958-2faf34666c2c h1:F/tL+VzLZ2F4SNZZze6SRSRL/jcX7LwIsuL1+hECiz0=
-github.com/sagernet/cronet-go/all v0.0.0-20260413093659-e4926ba205fa/go.mod h1:+FENo4+0AOvH9e3oY6/iO7yy7USNt61dgbnI5W0TDZ0=
+github.com/sagernet/cronet-go/all v0.0.0-20260513071958-2faf34666c2c/go.mod h1:GGE1tBbFgHq8kV99AKX1JXFY+9FvgNSK/W6Z5j24Ihc=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260413092954-cd09eb3e271b h1:O+PkYT88ayVWESX5tqxeMeS9OnzC3ZTic8gYiPJNXT8=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260513071149-ade33496efb8 h1:NCKxyAnEkwsEueAEbuuUUjs2FEZAIflr+WN3Mwbvsdg=
-github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
+github.com/sagernet/cronet-go/lib/android_386 v0.0.0-20260513071149-ade33496efb8/go.mod h1:XXDwdjX/T8xftoeJxQmbBoYXZp8MAPFR2CwbFuTpEtw=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260413092954-cd09eb3e271b h1:o0MsgbsJwYkbqlbfaCvmAwb8/LAXeoSP8NE/aNvR/yY=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260513071149-ade33496efb8 h1:o3AGm7/L/zAdBvPu0u1dFgDR/tH086qyuXZkjLNJ7/E=
-github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
+github.com/sagernet/cronet-go/lib/android_amd64 v0.0.0-20260513071149-ade33496efb8/go.mod h1:iNiUGoLtnr8/JTuVNj7XJbmpOAp2C6+B81KDrPxwaZM=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260413092954-cd09eb3e271b h1:JEQnc7cRMUahWJFtWY6n0hs1LE0KgyRv3pD0RWS8Yo8=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260513071149-ade33496efb8 h1:AeO8yHQj7aNj16fiJNU797alyuM3T+3VASnETHeV220=
-github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
+github.com/sagernet/cronet-go/lib/android_arm v0.0.0-20260513071149-ade33496efb8/go.mod h1:19ILNUOGIzRdOqa2mq+iY0JoHxuieB7/lnjYeaA2vEc=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260413092954-cd09eb3e271b h1:69+AKzuUW9hzw2nU79c2DWfuzrIZ3PJm1KAwXh+7xr0=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260513071149-ade33496efb8 h1:ZgW2/Qq/5Q6eTlW80QXLokU56kfjvbLJSEGYTkcG3hU=
-github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
+github.com/sagernet/cronet-go/lib/android_arm64 v0.0.0-20260513071149-ade33496efb8/go.mod h1:JxzGyQf94Cr6sBShKqODGDyRUlESfJK/Njcz9Lz6qMQ=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260413092954-cd09eb3e271b h1:jp9FHUVTCJQ67Ecw3Inoct6/z1VTFXPtNYpXt47pa4E=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260513071149-ade33496efb8 h1:orYgvX5X9aUa+sRrAuuqA6PXiiBUI2D367ZJqan4lIU=
-github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
+github.com/sagernet/cronet-go/lib/darwin_amd64 v0.0.0-20260513071149-ade33496efb8/go.mod h1:KN+9T9TBycGOLzmKU4QdcHAJEj6Nlx48ifnlTvvHMvs=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260413092954-cd09eb3e271b h1:WN3DZoECd2UbhmYQGpOA4jx4QBXiZuN1DvL/35NT61g=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260513071149-ade33496efb8 h1:2w1s3wEk7qW2w4IGwlJflxwXBM97UChNiqAErKpvHr0=
-github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
+github.com/sagernet/cronet-go/lib/darwin_arm64 v0.0.0-20260513071149-ade33496efb8/go.mod h1:kojvtUc29KKnk8hs2QIANynVR59921SnGWA9kXohHc0=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260413092954-cd09eb3e271b h1:H4RKicwrIa4PwTXZOmXOg85hiCrpeFja4daOlX180pE=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260513071149-ade33496efb8 h1:22k6CB3d4gHT+SARUh2bgNyGU4QwYupcCdP8cGuwygY=
-github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
+github.com/sagernet/cronet-go/lib/ios_amd64_simulator v0.0.0-20260513071149-ade33496efb8/go.mod h1:hkQzRE5GDbaH1/ioqYh0Taho4L6i0yLRCVEZ5xHz5M0=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260413092954-cd09eb3e271b h1:Rwi+Cu+Hgwj28F1lh837gGqSqn7oU8+r5i3UJyLPkKc=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260513071149-ade33496efb8 h1:PkJ5EaqLrv6bNR+MHx1/joJXoRcoYcV7JA4NtXbFQsc=
-github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
+github.com/sagernet/cronet-go/lib/ios_arm64 v0.0.0-20260513071149-ade33496efb8/go.mod h1:tzVJFTOm66UxLxy6K0ZN5Ic2PC79e+sKKnt+V9puEa4=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260413092954-cd09eb3e271b h1:v2wcnPX3gt0PngFYXjXYAiarFckwx3pVAP6ETSpbSWE=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260513071149-ade33496efb8 h1:V629H+OQ9yOR2d0Jkq5y42j5btpvoSWJbUaBH7FCGPI=
-github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
+github.com/sagernet/cronet-go/lib/ios_arm64_simulator v0.0.0-20260513071149-ade33496efb8/go.mod h1:M/pN6m3j0HFU6/y83n0HU6GLYys3tYdr/xTE8hVEGMo=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260413092954-cd09eb3e271b h1:Bl0zZ3QZq6pPJMbQlYHDhhaGngVefRlFzxWc0p48eHo=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260513071149-ade33496efb8 h1:gfObF5uoqJslCdMRRm2Yo+gmPJQPVlrci5Myrki0Kzk=
-github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
+github.com/sagernet/cronet-go/lib/linux_386 v0.0.0-20260513071149-ade33496efb8/go.mod h1:cGh5hO6eljCo6KMQ/Cel8Xgq4+etL0awZLRBDVG1EZQ=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260413092954-cd09eb3e271b h1:vf+MbGv6RvvmXUNvganykBOnDIVXxy8XgtKOOqOcxtE=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260513071149-ade33496efb8 h1:JRPN0RBKvoOBEHezJh/54KD9ftWL7YadtcCgOf/vRnw=
-github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
+github.com/sagernet/cronet-go/lib/linux_386_musl v0.0.0-20260513071149-ade33496efb8/go.mod h1:JFE0/cxaKkx0wqPMZU7MgaplQlU0zudv82dROJjClKU=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260413092954-cd09eb3e271b h1:2IAc1bVFYF+B6hof34ChQKVhw7LElBxEEx7S0n+7o78=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260513071149-ade33496efb8 h1:mM8gNdFlXSpjZFs9kgaMgW94oTRF8YdEEQgdOp/OEUA=
-github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
+github.com/sagernet/cronet-go/lib/linux_amd64 v0.0.0-20260513071149-ade33496efb8/go.mod h1:vU8VftFeSt7fURCa3JXD6+k6ss1YAX+idQjPvHmJ2tI=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260413092954-cd09eb3e271b h1:NrJaiOS0VLmWTbUHhXDsLTqelmCW4y3xJqptPs4Sx0s=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260513071149-ade33496efb8 h1:ZtCH0fH07giTK6wqkenA9fdFYt7krjWiyOvC8z9nPwk=
-github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
+github.com/sagernet/cronet-go/lib/linux_amd64_musl v0.0.0-20260513071149-ade33496efb8/go.mod h1:vCe4OUuL+XOUge9v3MyTD45BnuAXiH+DkjN9quDXJzQ=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260413092954-cd09eb3e271b h1:A+ubSkca1nl2cT8pYUqCo1O7M41suNrKpWhZKCM/aIQ=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260513071149-ade33496efb8 h1:Uviqmw+Q4No9kCxJWJ5CYcq6PNHB9f0jQhd15j39+no=
-github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
+github.com/sagernet/cronet-go/lib/linux_arm v0.0.0-20260513071149-ade33496efb8/go.mod h1:w9amBWrvjtohQzBGCKJ7LCh22LhTIJs4sE7cYaKQzM0=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260413092954-cd09eb3e271b h1:WrhGH5FDXlCAoXwN6N44yCMvy6EbIurmTmptkz3mmms=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260513071149-ade33496efb8 h1:la4zRTE9zpZCmsixwzKT2LnHuo0e439EmGwOlB1An9Q=
-github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
+github.com/sagernet/cronet-go/lib/linux_arm64 v0.0.0-20260513071149-ade33496efb8/go.mod h1:TqlsFtcYS/etTeck46kHBeT8Le0Igw1Q/AV88UnMS3s=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260413092954-cd09eb3e271b h1:kgwB5p5e0gdVX5iYRE7VbZS/On4qnb4UKonkGPwhkDI=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260513071149-ade33496efb8 h1:KodFGMqn+X2dqET0O3xww3iemAGmpoC8U4JW8gwt0x4=
-github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
+github.com/sagernet/cronet-go/lib/linux_arm64_musl v0.0.0-20260513071149-ade33496efb8/go.mod h1:B6Qd0vys8sv9OKVRN6J9RqDzYRGE938Fb2zrYdBDyTQ=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260413092954-cd09eb3e271b h1:Z3dOeFlRIOeQhSh+mCYDHui1yR3S/Uw8eupczzBvxqw=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260513071149-ade33496efb8 h1:QTk1RXNLOIcorZYcF0rBrwLpCIZCKEA2Jr69eFrt8xg=
-github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
+github.com/sagernet/cronet-go/lib/linux_arm_musl v0.0.0-20260513071149-ade33496efb8/go.mod h1:3tXMMFY7AHugOVBZ5Al7cL7JKsnFOe5bMVr0hZPk3ow=
-github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260413092954-cd09eb3e271b h1:LPi6jz1k11Q67hm3Pw6aaPJ/Z6e3VtNhzrRjr5/5AQo=
+github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260513071149-ade33496efb8 h1:SXqSlM/GjZFvNdUV3IvHq5gqHfW4iWlQHMGzEsgXGXE=
-github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:Wt5uFdU3tnmm8YzobYewwdF7Mt6SucRQg6xeTNWC3Tk=
+github.com/sagernet/cronet-go/lib/linux_loong64 v0.0.0-20260513071149-ade33496efb8/go.mod h1:Wt5uFdU3tnmm8YzobYewwdF7Mt6SucRQg6xeTNWC3Tk=
-github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260413092954-cd09eb3e271b h1:55sqihyfXWN7y7p7gOEgtUz9cm1mV3SDQ90/v6ROFaA=
+github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260513071149-ade33496efb8 h1:aAgLWpfESvy7rfDVH7ioOZQ7u2kmRsbUqJVrwJtkFWs=
-github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:lyIF6wKBLwWa5ZXaAKbAoewewl+yCHo2iYev39Mbj4E=
+github.com/sagernet/cronet-go/lib/linux_loong64_musl v0.0.0-20260513071149-ade33496efb8/go.mod h1:lyIF6wKBLwWa5ZXaAKbAoewewl+yCHo2iYev39Mbj4E=
-github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260413092954-cd09eb3e271b h1:OTA1cbv5YIDVsYA8AAXHC4NgEc7b6pDiY+edujLWfJU=
+github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260513071149-ade33496efb8 h1:oTLUyhLckc8TZQ8SRCapgTYyRbz1pBpIvzjMCLMPFu8=
-github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:H46PnSTTZNcZokLLiDeMDaHiS1l14PH3tzWi0eykjD8=
+github.com/sagernet/cronet-go/lib/linux_mips64le v0.0.0-20260513071149-ade33496efb8/go.mod h1:H46PnSTTZNcZokLLiDeMDaHiS1l14PH3tzWi0eykjD8=
-github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260413092954-cd09eb3e271b h1:B/rdD/1A+RgqUYUZcoGhLeMqijnBd1mUt8+5LhOH7j8=
+github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260513071149-ade33496efb8 h1:LHm/85Y3zN0kNgG+li5qHvP3dzvavEytCYzdLtrfrrg=
-github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:RBhSUDAKWq7fswtV4nQUQhuaTLcX3ettR7teA7/yf2w=
+github.com/sagernet/cronet-go/lib/linux_mipsle v0.0.0-20260513071149-ade33496efb8/go.mod h1:RBhSUDAKWq7fswtV4nQUQhuaTLcX3ettR7teA7/yf2w=
-github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260413092954-cd09eb3e271b h1:QFRWi6FucrODS4xQ8e9GYIzGSeMFO/DAMtTCVeJiCvM=
+github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260513071149-ade33496efb8 h1:Pom5TSHV8Cln73uOgQlJ+JtmEu9xh+OuLHWq57dBaVg=
-github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:wRzoIOGG4xbpp3Gh3triLKwMwYriScXzFtunLYhY4w0=
+github.com/sagernet/cronet-go/lib/linux_mipsle_musl v0.0.0-20260513071149-ade33496efb8/go.mod h1:wRzoIOGG4xbpp3Gh3triLKwMwYriScXzFtunLYhY4w0=
-github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260413092954-cd09eb3e271b h1:2WJjPKZHLNIB4D17c3o9S+SP9kb3Qh0D26oWlun1+pE=
+github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260513071149-ade33496efb8 h1:1pPcb15BonaFl4153tRo7zOJ7U2zD1vjH+5JipSfJ3g=
-github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:LNiZXmWil1OPwKCheqQjtakZlJuKGFz+iv2eGF76Hhs=
+github.com/sagernet/cronet-go/lib/linux_riscv64 v0.0.0-20260513071149-ade33496efb8/go.mod h1:LNiZXmWil1OPwKCheqQjtakZlJuKGFz+iv2eGF76Hhs=
-github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260413092954-cd09eb3e271b h1:cUNTe4gNncRpYL28jzQf6qcJej40zzGQsH0o6CLUGws=
+github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260513071149-ade33496efb8 h1:3Dy4exYQ/IVJGcnTtvW3LmjfjDaxFgJT1hn/ALBpd2M=
-github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:YFDGKTkpkJGc5+hnX/RYosZyTWg9h+68VB55fYRRLYc=
+github.com/sagernet/cronet-go/lib/linux_riscv64_musl v0.0.0-20260513071149-ade33496efb8/go.mod h1:YFDGKTkpkJGc5+hnX/RYosZyTWg9h+68VB55fYRRLYc=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260413092954-cd09eb3e271b h1:+sc1LJF0FjU2hVO5xBqqT+8qzoU08J2uHwxSle2m/Hw=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260513071149-ade33496efb8 h1:mo9YMCYTGCRUiWNKtPVQb+qEetufxnch372xUOh9q3M=
-github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
+github.com/sagernet/cronet-go/lib/tvos_amd64_simulator v0.0.0-20260513071149-ade33496efb8/go.mod h1:aaX0YGl8nhGmfRWI8bc3BtDjY8Vzx6O0cS/e1uqxDq4=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260413092954-cd09eb3e271b h1:+D/uhFxllI/KTLpeNEl8dwF3omPGmUFbrqt5tJkAyp0=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260513071149-ade33496efb8 h1:mhh3JEDDx68oKT4kfqKlWp5QTyzVR84OS/qgqHYIbq0=
-github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
+github.com/sagernet/cronet-go/lib/tvos_arm64 v0.0.0-20260513071149-ade33496efb8/go.mod h1:EdzMKA96xITc42QEI+ct4SwqX8Dn3ltKK8wzdkLWpSc=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260413092954-cd09eb3e271b h1:nSUzzTUAZdqjGGckayk64sz+F0TGJPHvauTiAn27UKk=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260513071149-ade33496efb8 h1:04KOo38hZojV3bJ5Vqwbpj48ZQy6o7aliYXLN/TNX6g=
-github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
+github.com/sagernet/cronet-go/lib/tvos_arm64_simulator v0.0.0-20260513071149-ade33496efb8/go.mod h1:qix4kv1TTAJ5tY4lJ9vjhe9EY4mM+B7H5giOhbxDVcc=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260413092954-cd09eb3e271b h1:PE/fYBiHzB52gnQMg0soBfQyJCzmWHti48kCe2TBt9w=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260513071149-ade33496efb8 h1:p535QakpDZEeBz/BfFZGZo0D+Pdn74TE8UTr6c6MSog=
-github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
+github.com/sagernet/cronet-go/lib/windows_amd64 v0.0.0-20260513071149-ade33496efb8/go.mod h1:lm9w/oCCRyBiUa3G8lDQTT8x/ONUvgVR2iV9fVzUZB8=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260413092954-cd09eb3e271b h1:hy/3lPV11pKAAojDFnb95l9NpwOym6kME7FxS9p8sXs=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260513071149-ade33496efb8 h1:dovTyKHh3toBIUOS70P4Yx+3Baw6Gppsfy1sJbXoAy0=
-github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260413092954-cd09eb3e271b/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
+github.com/sagernet/cronet-go/lib/windows_arm64 v0.0.0-20260513071149-ade33496efb8/go.mod h1:n34YyLgapgjWdKa0IoeczjAFCwD3/dxbsH5sucKw0bw=
 github.com/sagernet/fswatch v0.1.2 h1:/TT7k4mkce1qFPxamLO842WjqBgbTBiXP2mlUjp9PFk=
 github.com/sagernet/fswatch v0.1.2/go.mod h1:5BpGmpUQVd3Mc5r313HRpvADHRg3/rKn5QbwFteB880=
 github.com/sagernet/gomobile v0.1.12 h1:XwzjZaclFF96deLqwAgK8gU3w0M2A8qxgDmhV+A0wjg=
@@ -357,8 +357,8 @@ github.com/sagernet/nftables v0.3.0-mod.2 h1:ck2KMU02OxL1eDFgGaWYglMDpoOZ7OHzxje
 github.com/sagernet/nftables v0.3.0-mod.2/go.mod h1:8kslHG4VvYNihcco+i6uxIX7qbT8A56T0y5q7U44ZaQ=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4 h1:6qvrUW79S+CrPwWz6cMePXohgjHoKxLo3c+MDhNwc3o=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
-github.com/sagernet/sing v0.8.9 h1:iX8FyMrWNl/divVgTe7cLT9n36v6bfzfnCYlcM1cLaU=
+github.com/sagernet/sing v0.8.10 h1:V5VZffy8rm4dtBVKIpKa8vibRR2SiJprtu/10DFUalU=
-github.com/sagernet/sing v0.8.9/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.8.10/go.mod h1:olXxWQNqRW/l2Q6JI3b2Qmz8iQnIFlOeeH8bx6JhgUA=
 github.com/sagernet/sing-quic v0.6.1 h1:lx0tcm99wIA1RkyvILNzRSsMy1k7TTQYIhx71E/WBlw=
 github.com/sagernet/sing-quic v0.6.1/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
 github.com/sagernet/sing-shadowsocks v0.2.8 h1:PURj5PRoAkqeHh2ZW205RWzN9E9RtKCVCzByXruQWfE=
--- a/log/id.go
+++ b/log/id.go
@@ -4,14 +4,8 @@ import (
 	"context"
 	"math/rand"
 	"time"
 	"github.com/sagernet/sing/common/random"
 )
 func init() {
 	random.InitializeSeed()
 }
 type (
 	idKey    struct{}
 	muxIdKey struct{}
--- a/option/types.go
+++ b/option/types.go
@@ -28,7 +28,6 @@ func (v *NetworkList) UnmarshalJSON(content []byte) error {
 	for _, networkName := range networkList {
 		switch networkName {
 		case N.NetworkTCP, N.NetworkUDP:
 			break
 		default:
 			return E.New("unknown network: " + networkName)
 		}
--- a/protocol/direct/loopback_detect.go
+++ b/protocol/direct/loopback_detect.go
@@ -1,186 +0,0 @@
 package direct
 import (
 	"net"
 	"net/netip"
 	"sync"
 	"github.com/sagernet/sing-box/adapter"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type loopBackDetector struct {
 	networkManager   adapter.NetworkManager
 	connAccess       sync.RWMutex
 	packetConnAccess sync.RWMutex
 	connMap          map[netip.AddrPort]netip.AddrPort
 	packetConnMap    map[uint16]uint16
 }
 func newLoopBackDetector(networkManager adapter.NetworkManager) *loopBackDetector {
 	return &loopBackDetector{
 		networkManager: networkManager,
 		connMap:        make(map[netip.AddrPort]netip.AddrPort),
 		packetConnMap:  make(map[uint16]uint16),
 	}
 }
 func (l *loopBackDetector) NewConn(conn net.Conn) net.Conn {
 	source := M.AddrPortFromNet(conn.LocalAddr())
 	if !source.IsValid() {
 		return conn
 	}
 	if udpConn, isUDPConn := conn.(abstractUDPConn); isUDPConn {
 		if !source.Addr().IsLoopback() {
 			_, err := l.networkManager.InterfaceFinder().ByAddr(source.Addr())
 			if err != nil {
 				return conn
 			}
 		}
 		if !N.IsPublicAddr(source.Addr()) {
 			return conn
 		}
 		l.packetConnAccess.Lock()
 		l.packetConnMap[source.Port()] = M.AddrPortFromNet(conn.RemoteAddr()).Port()
 		l.packetConnAccess.Unlock()
 		return &loopBackDetectUDPWrapper{abstractUDPConn: udpConn, detector: l, connPort: source.Port()}
 	} else {
 		l.connAccess.Lock()
 		l.connMap[source] = M.AddrPortFromNet(conn.RemoteAddr())
 		l.connAccess.Unlock()
 		return &loopBackDetectWrapper{Conn: conn, detector: l, connAddr: source}
 	}
 }
 func (l *loopBackDetector) NewPacketConn(conn N.NetPacketConn, destination M.Socksaddr) N.NetPacketConn {
 	source := M.AddrPortFromNet(conn.LocalAddr())
 	if !source.IsValid() {
 		return conn
 	}
 	if !source.Addr().IsLoopback() {
 		_, err := l.networkManager.InterfaceFinder().ByAddr(source.Addr())
 		if err != nil {
 			return conn
 		}
 	}
 	l.packetConnAccess.Lock()
 	l.packetConnMap[source.Port()] = destination.AddrPort().Port()
 	l.packetConnAccess.Unlock()
 	return &loopBackDetectPacketWrapper{NetPacketConn: conn, detector: l, connPort: source.Port()}
 }
 func (l *loopBackDetector) CheckConn(source netip.AddrPort, local netip.AddrPort) bool {
 	l.connAccess.RLock()
 	defer l.connAccess.RUnlock()
 	destination, loaded := l.connMap[source]
 	return loaded && destination != local
 }
 func (l *loopBackDetector) CheckPacketConn(source netip.AddrPort, local netip.AddrPort) bool {
 	if !source.IsValid() {
 		return false
 	}
 	if !source.Addr().IsLoopback() {
 		_, err := l.networkManager.InterfaceFinder().ByAddr(source.Addr())
 		if err != nil {
 			return false
 		}
 	}
 	if N.IsPublicAddr(source.Addr()) {
 		return false
 	}
 	l.packetConnAccess.RLock()
 	defer l.packetConnAccess.RUnlock()
 	destinationPort, loaded := l.packetConnMap[source.Port()]
 	return loaded && destinationPort != local.Port()
 }
 type loopBackDetectWrapper struct {
 	net.Conn
 	detector  *loopBackDetector
 	connAddr  netip.AddrPort
 	closeOnce sync.Once
 }
 func (w *loopBackDetectWrapper) Close() error {
 	w.closeOnce.Do(func() {
 		w.detector.connAccess.Lock()
 		delete(w.detector.connMap, w.connAddr)
 		w.detector.connAccess.Unlock()
 	})
 	return w.Conn.Close()
 }
 func (w *loopBackDetectWrapper) ReaderReplaceable() bool {
 	return true
 }
 func (w *loopBackDetectWrapper) WriterReplaceable() bool {
 	return true
 }
 func (w *loopBackDetectWrapper) Upstream() any {
 	return w.Conn
 }
 type loopBackDetectPacketWrapper struct {
 	N.NetPacketConn
 	detector  *loopBackDetector
 	connPort  uint16
 	closeOnce sync.Once
 }
 func (w *loopBackDetectPacketWrapper) Close() error {
 	w.closeOnce.Do(func() {
 		w.detector.packetConnAccess.Lock()
 		delete(w.detector.packetConnMap, w.connPort)
 		w.detector.packetConnAccess.Unlock()
 	})
 	return w.NetPacketConn.Close()
 }
 func (w *loopBackDetectPacketWrapper) ReaderReplaceable() bool {
 	return true
 }
 func (w *loopBackDetectPacketWrapper) WriterReplaceable() bool {
 	return true
 }
 func (w *loopBackDetectPacketWrapper) Upstream() any {
 	return w.NetPacketConn
 }
 type abstractUDPConn interface {
 	net.Conn
 	net.PacketConn
 }
 type loopBackDetectUDPWrapper struct {
 	abstractUDPConn
 	detector  *loopBackDetector
 	connPort  uint16
 	closeOnce sync.Once
 }
 func (w *loopBackDetectUDPWrapper) Close() error {
 	w.closeOnce.Do(func() {
 		w.detector.packetConnAccess.Lock()
 		delete(w.detector.packetConnMap, w.connPort)
 		w.detector.packetConnAccess.Unlock()
 	})
 	return w.abstractUDPConn.Close()
 }
 func (w *loopBackDetectUDPWrapper) ReaderReplaceable() bool {
 	return true
 }
 func (w *loopBackDetectUDPWrapper) WriterReplaceable() bool {
 	return true
 }
 func (w *loopBackDetectUDPWrapper) Upstream() any {
 	return w.abstractUDPConn
 }
--- a/protocol/direct/outbound.go
+++ b/protocol/direct/outbound.go
@@ -41,7 +41,6 @@ type Outbound struct {
 	domainStrategy C.DomainStrategy
 	fallbackDelay  time.Duration
 	isEmpty        bool
 	// loopBack *loopBackDetector
 }
 func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.DirectOutboundOptions) (adapter.Outbound, error) {
@@ -67,7 +66,6 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		fallbackDelay:  time.Duration(options.FallbackDelay),
 		dialer:         outboundDialer.(dialer.ParallelInterfaceDialer),
 		isEmpty:        reflect.DeepEqual(options.DialerOptions, option.DialerOptions{UDPFragmentDefault: true}),
 		// loopBack:       newLoopBackDetector(router),
 	}
 	//nolint:staticcheck
 	if options.ProxyProtocol != 0 {
@@ -87,11 +85,6 @@ func (h *Outbound) DialContext(ctx context.Context, network string, destination
 	case N.NetworkUDP:
 		h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	}
 	/*conn, err := h.dialer.DialContext(ctx, network, destination)
 	if err != nil {
 		return nil, err
 	}
 	return h.loopBack.NewConn(conn), nil*/
 	return h.dialer.DialContext(ctx, network, destination)
 }
@@ -104,7 +97,6 @@ func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	if err != nil {
 		return nil, err
 	}
 	// conn = h.loopBack.NewPacketConn(bufio.NewPacketConn(conn), destination)
 	return conn, nil
 }
@@ -161,18 +153,3 @@ func (h *Outbound) ListenSerialNetworkPacket(ctx context.Context, destination M.
 func (h *Outbound) IsEmpty() bool {
 	return h.isEmpty
 }
 /*func (h *Outbound) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	if h.loopBack.CheckConn(metadata.Source.AddrPort(), M.AddrPortFromNet(conn.LocalAddr())) {
 		return E.New("reject loopback connection to ", metadata.Destination)
 	}
 	return NewConnection(ctx, h, conn, metadata)
 }
 func (h *Outbound) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	if h.loopBack.CheckPacketConn(metadata.Source.AddrPort(), M.AddrPortFromNet(conn.LocalAddr())) {
 		return E.New("reject loopback packet connection to ", metadata.Destination)
 	}
 	return NewPacketConnection(ctx, h, conn, metadata)
 }
 */
--- a/protocol/dns/handle.go
+++ b/protocol/dns/handle.go
@@ -82,7 +82,7 @@ func NewDNSPacketConnection(ctx context.Context, router adapter.DNSRouter, conn
 		}
 		break
 	}
-	fastClose, cancel := common.ContextWithCancelCause(ctx)
+	fastClose, cancel := context.WithCancelCause(ctx)
 	timeout := canceler.New(fastClose, cancel, C.DNSTimeout)
 	var group task.Group
 	group.Append0(func(_ context.Context) error {
@@ -150,7 +150,7 @@ func NewDNSPacketConnection(ctx context.Context, router adapter.DNSRouter, conn
 }
 func newDNSPacketConnection(ctx context.Context, router adapter.DNSRouter, conn N.PacketConn, readWaiter N.PacketReadWaiter, readCounters []N.CountFunc, cached []*N.PacketBuffer, metadata adapter.InboundContext) error {
-	fastClose, cancel := common.ContextWithCancelCause(ctx)
+	fastClose, cancel := context.WithCancelCause(ctx)
 	timeout := canceler.New(fastClose, cancel, C.DNSTimeout)
 	var group task.Group
 	group.Append0(func(_ context.Context) error {
--- a/protocol/group/urltest.go
+++ b/protocol/group/urltest.go
@@ -35,7 +35,6 @@ var _ adapter.OutboundGroup = (*URLTest)(nil)
 type URLTest struct {
 	outbound.Adapter
 	ctx                          context.Context
 	router                       adapter.Router
 	outbound                     adapter.OutboundManager
 	connection                   adapter.ConnectionManager
 	logger                       log.ContextLogger
@@ -62,7 +61,6 @@ func NewURLTest(ctx context.Context, router adapter.Router, logger log.ContextLo
 	outbound := &URLTest{
 		Adapter:                      outbound.NewAdapter(C.TypeURLTest, tag, []string{N.NetworkTCP, N.NetworkUDP}, options.Outbounds),
 		ctx:                          ctx,
 		router:                       router,
 		outbound:                     service.FromContext[adapter.OutboundManager](ctx),
 		connection:                   service.FromContext[adapter.ConnectionManager](ctx),
 		logger:                       logger,
@@ -291,7 +289,6 @@ func (s *URLTest) onProviderUpdated(tag string) error {
 type URLTestGroup struct {
 	ctx                          context.Context
 	router                       adapter.Router
 	outbound                     adapter.OutboundManager
 	pause                        pause.Manager
 	pauseCallback                *list.Element[pause.Callback]
@@ -370,9 +367,10 @@ func (g *URLTestGroup) Touch() {
 		g.lastActive.Store(time.Now())
 		return
 	}
-	g.ticker = time.NewTicker(g.interval)
+	ticker := time.NewTicker(g.interval)
-	go g.loopCheck()
+	g.ticker = ticker
-	g.pauseCallback = pause.RegisterTicker(g.pause, g.ticker, g.interval, nil)
+	g.pauseCallback = pause.RegisterTicker(g.pause, ticker, g.interval, nil)
 	go g.loopCheck(ticker, g.close)
 }
 func (g *URLTestGroup) Close() error {
@@ -382,7 +380,9 @@ func (g *URLTestGroup) Close() error {
 		return nil
 	}
 	g.ticker.Stop()
 	g.ticker = nil
 	g.pause.UnregisterCallback(g.pauseCallback)
 	g.pauseCallback = nil
 	close(g.close)
 	return nil
 }
@@ -431,23 +431,25 @@ func (g *URLTestGroup) Select(network string) (adapter.Outbound, bool) {
 	return minOutbound, true
 }
-func (g *URLTestGroup) loopCheck() {
+func (g *URLTestGroup) loopCheck(ticker *time.Ticker, closeChan <-chan struct{}) {
 	if time.Since(g.lastActive.Load()) > g.interval {
 		g.lastActive.Store(time.Now())
 		g.CheckOutbounds(false)
 	}
 	for {
 		select {
-		case <-g.close:
+		case <-closeChan:
 			return
-		case <-g.ticker.C:
+		case <-ticker.C:
 		}
 		if time.Since(g.lastActive.Load()) > g.idleTimeout {
 			g.access.Lock()
-			g.ticker.Stop()
+			if g.ticker == ticker {
-			g.ticker = nil
+				g.ticker.Stop()
-			g.pause.UnregisterCallback(g.pauseCallback)
+				g.ticker = nil
-			g.pauseCallback = nil
+				g.pause.UnregisterCallback(g.pauseCallback)
 				g.pauseCallback = nil
 			}
 			g.access.Unlock()
 			return
 		}
--- a/protocol/naive/inbound.go
+++ b/protocol/naive/inbound.go
@@ -140,7 +140,7 @@ func (n *Inbound) Start(stage adapter.StartStage) error {
 func (n *Inbound) Close() error {
 	return common.Close(
-		&n.listener,
+		n.listener,
 		common.PtrOrNil(n.httpServer),
 		n.h3Server,
 		n.tlsConfig,
--- a/protocol/naive/inbound_conn.go
+++ b/protocol/naive/inbound_conn.go
@@ -22,7 +22,7 @@ func generatePaddingHeader() string {
 	paddingLen := rand.Intn(32) + 30
 	padding := make([]byte, paddingLen)
 	bits := rand.Uint64()
-	for i := 0; i < 16; i++ {
+	for i := range 16 {
 		padding[i] = "!#$()+<>?@[]^`{}"[bits&15]
 		bits >>= 4
 	}
--- a/protocol/tailscale/endpoint.go
+++ b/protocol/tailscale/endpoint.go
@@ -111,6 +111,7 @@ type Endpoint struct {
 	systemInterfaceName string
 	systemInterfaceMTU  uint32
 	serverStarted       bool
 	started             atomic.Bool
 	systemTun           tun.Tun
 	systemDialer        *dialer.DefaultDialer
 	fallbackTCPCloser   func()
@@ -422,6 +423,7 @@ func (t *Endpoint) postStart() error {
 	}
 	t.filter = localBackend.ExportFilter()
 	go t.watchState()
 	t.started.Store(true)
 	return nil
 }
@@ -485,6 +487,7 @@ func (t *Endpoint) watchState() {
 func (t *Endpoint) Close() error {
 	var err error
 	t.started.Store(false)
 	if t.serverStarted {
 		err = common.Close(common.PtrOrNil(t.server))
 		t.serverStarted = false
@@ -509,6 +512,9 @@ func (t *Endpoint) DialContext(ctx context.Context, network string, destination
 	case N.NetworkUDP:
 		t.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	}
 	if !t.started.Load() {
 		return nil, E.New("Tailscale is not ready yet")
 	}
 	if destination.IsDomain() {
 		destinationAddresses, err := t.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
@@ -565,6 +571,9 @@ func (t *Endpoint) DialContext(ctx context.Context, network string, destination
 }
 func (t *Endpoint) listenPacketWithAddress(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if !t.started.Load() {
 		return nil, E.New("Tailscale is not ready yet")
 	}
 	if t.systemDialer != nil {
 		return t.systemDialer.ListenPacket(ctx, destination)
 	}
@@ -632,6 +641,9 @@ func (t *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 }
 func (t *Endpoint) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
 	if !t.started.Load() {
 		return nil, E.New("Tailscale is not ready yet")
 	}
 	tsFilter := t.filter.Load()
 	if tsFilter != nil {
 		var ipProto ipproto.Proto
@@ -725,6 +737,9 @@ func (t *Endpoint) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 }
 func (t *Endpoint) NewDirectRouteConnection(metadata adapter.InboundContext, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
 	if !t.started.Load() {
 		return nil, E.New("Tailscale is not ready yet")
 	}
 	ctx := log.ContextWithNewID(t.ctx)
 	var destination tun.DirectRouteDestination
 	var err error
--- a/protocol/tailscale/tun_device_unix.go
+++ b/protocol/tailscale/tun_device_unix.go
@@ -11,7 +11,6 @@ import (
 	"sync/atomic"
 	singTun "github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/logger"
 	wgTun "github.com/sagernet/wireguard-go/tun"
 )
@@ -57,7 +56,7 @@ func (a *tunDeviceAdapter) Read(bufs [][]byte, sizes []int, offset int) (count i
 	if a.linuxTUN != nil {
 		n, err := a.linuxTUN.BatchRead(bufs, offset-singTun.PacketOffset, sizes)
 		if err == nil {
-			for i := 0; i < n; i++ {
+			for i := range n {
 				a.debugPacket("read", bufs[i][offset:offset+sizes[i]])
 			}
 		}
@@ -92,7 +91,7 @@ func (a *tunDeviceAdapter) Write(bufs [][]byte, offset int) (count int, err erro
 	for _, packet := range bufs {
 		a.debugPacket("write", packet[offset:])
 		if singTun.PacketOffset > 0 {
-			common.ClearArray(packet[offset-singTun.PacketOffset : offset])
+			clear(packet[offset-singTun.PacketOffset : offset])
 			singTun.PacketFillHeader(packet[offset-singTun.PacketOffset:], singTun.PacketIPVersion(packet[offset:]))
 		}
 		_, err = a.tun.Write(packet[offset-singTun.PacketOffset:])
--- a/protocol/wireguard/endpoint.go
+++ b/protocol/wireguard/endpoint.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"net/netip"
 	"sync/atomic"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
@@ -41,11 +42,12 @@ type Endpoint struct {
 	logger         logger.ContextLogger
 	localAddresses []netip.Prefix
 	endpoint       *wireguard.Endpoint
 	started        atomic.Bool
 }
 func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.WireGuardEndpointOptions) (adapter.Endpoint, error) {
 	ep := &Endpoint{
-		Adapter:        endpoint.NewAdapterWithDialerOptions(C.TypeWireGuard, tag, []string{N.NetworkTCP, N.NetworkUDP}, options.DialerOptions),
+		Adapter:        endpoint.NewAdapterWithDialerOptions(C.TypeWireGuard, tag, []string{N.NetworkTCP, N.NetworkUDP, N.NetworkICMP}, options.DialerOptions),
 		ctx:            ctx,
 		router:         router,
 		dnsRouter:      service.FromContext[adapter.DNSRouter](ctx),
@@ -148,16 +150,24 @@ func (w *Endpoint) Start(stage adapter.StartStage) error {
 	case adapter.StartStateStart:
 		return w.endpoint.Start(false)
 	case adapter.StartStatePostStart:
-		return w.endpoint.Start(true)
+		err := w.endpoint.Start(true)
 		if err != nil {
 			return err
 		}
 		w.started.Store(true)
 	}
 	return nil
 }
 func (w *Endpoint) Close() error {
 	w.started.Store(false)
 	return w.endpoint.Close()
 }
 func (w *Endpoint) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
 	if !w.started.Load() {
 		return nil, E.New("WireGuard is not ready yet")
 	}
 	var ipVersion uint8
 	if !destination.IsIPv6() {
 		ipVersion = 4
@@ -238,6 +248,9 @@ func (w *Endpoint) DialContext(ctx context.Context, network string, destination
 	case N.NetworkUDP:
 		w.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	}
 	if !w.started.Load() {
 		return nil, E.New("WireGuard is not ready yet")
 	}
 	if destination.IsDomain() {
 		destinationAddresses, err := w.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
@@ -252,6 +265,9 @@ func (w *Endpoint) DialContext(ctx context.Context, network string, destination
 func (w *Endpoint) ListenPacketWithDestination(ctx context.Context, destination M.Socksaddr) (net.PacketConn, netip.Addr, error) {
 	w.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	if !w.started.Load() {
 		return nil, netip.Addr{}, E.New("WireGuard is not ready yet")
 	}
 	if destination.IsDomain() {
 		destinationAddresses, err := w.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{})
 		if err != nil {
@@ -285,9 +301,15 @@ func (w *Endpoint) PreferredDomain(domain string) bool {
 }
 func (w *Endpoint) PreferredAddress(address netip.Addr) bool {
 	if !w.started.Load() {
 		return false
 	}
 	return w.endpoint.Lookup(address) != nil
 }
 func (w *Endpoint) NewDirectRouteConnection(metadata adapter.InboundContext, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
 	if !w.started.Load() {
 		return nil, E.New("WireGuard is not ready yet")
 	}
 	return w.endpoint.NewDirectRouteConnection(metadata, routeContext, timeout)
 }
--- a/route/conn.go
+++ b/route/conn.go
@@ -13,6 +13,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/sniff"
 	tf "github.com/sagernet/sing-box/common/tlsfragment"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
@@ -128,11 +129,12 @@ func (m *ConnectionManager) NewConnection(ctx context.Context, this N.Dialer, co
 	if metadata.TLSFragment || metadata.TLSRecordFragment {
 		remoteConn = tf.NewConn(remoteConn, ctx, metadata.TLSFragment, metadata.TLSRecordFragment, metadata.TLSFragmentFallbackDelay)
 	}
 	serverFirst := sniff.Skip(&metadata)
 	var done atomic.Bool
-	if m.kickWriteHandshake(ctx, conn, remoteConn, false, &done, onClose) {
+	if m.kickWriteHandshake(ctx, conn, remoteConn, serverFirst, false, &done, onClose) {
 		return
 	}
-	if m.kickWriteHandshake(ctx, remoteConn, conn, true, &done, onClose) {
+	if m.kickWriteHandshake(ctx, remoteConn, conn, serverFirst, true, &done, onClose) {
 		return
 	}
 	go m.connectionCopy(ctx, conn, remoteConn, false, &done, onClose)
@@ -293,37 +295,43 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source net.Conn,
 	}
 }
-func (m *ConnectionManager) kickWriteHandshake(ctx context.Context, source net.Conn, destination net.Conn, direction bool, done *atomic.Bool, onClose N.CloseHandlerFunc) bool {
+func (m *ConnectionManager) kickWriteHandshake(ctx context.Context, source net.Conn, destination net.Conn, serverFirst bool, direction bool, done *atomic.Bool, onClose N.CloseHandlerFunc) bool {
 	if !N.NeedHandshakeForWrite(destination) {
 		return false
 	}
 	var (
-		cachedBuffer *buf.Buffer
+		err          error
 		wrotePayload bool
 	)
-	sourceReader, readCounters := N.UnwrapCountReader(source, nil)
+	if serverFirst {
 	destinationWriter, writeCounters := N.UnwrapCountWriter(destination, nil)
 	if cachedReader, ok := sourceReader.(N.CachedReader); ok {
 		cachedBuffer = cachedReader.ReadCached()
 	}
 	var err error
 	if cachedBuffer != nil {
 		wrotePayload = true
 		dataLen := cachedBuffer.Len()
 		_, err = destinationWriter.Write(cachedBuffer.Bytes())
 		cachedBuffer.Release()
 		if err == nil {
 			for _, counter := range readCounters {
 				counter(int64(dataLen))
 			}
 			for _, counter := range writeCounters {
 				counter(int64(dataLen))
 			}
 		}
 	} else {
 		_ = destination.SetWriteDeadline(time.Now().Add(C.ReadPayloadTimeout))
-		_, err = destinationWriter.Write(nil)
+		_, err = destination.Write(nil)
 		_ = destination.SetWriteDeadline(time.Time{})
 	} else {
 		var cachedBuffer *buf.Buffer
 		sourceReader, readCounters := N.UnwrapCountReader(source, nil)
 		destinationWriter, writeCounters := N.UnwrapCountWriter(destination, nil)
 		if cachedReader, ok := sourceReader.(N.CachedReader); ok {
 			cachedBuffer = cachedReader.ReadCached()
 		}
 		if cachedBuffer != nil {
 			wrotePayload = true
 			dataLen := cachedBuffer.Len()
 			_, err = destinationWriter.Write(cachedBuffer.Bytes())
 			cachedBuffer.Release()
 			if err == nil {
 				for _, counter := range readCounters {
 					counter(int64(dataLen))
 				}
 				for _, counter := range writeCounters {
 					counter(int64(dataLen))
 				}
 			}
 		} else {
 			_ = destination.SetWriteDeadline(time.Now().Add(C.ReadPayloadTimeout))
 			_, err = destinationWriter.Write(nil)
 			_ = destination.SetWriteDeadline(time.Time{})
 		}
 	}
 	if err == nil {
 		return false
--- a/route/process_cache.go
+++ b/route/process_cache.go
@@ -3,6 +3,7 @@ package route
 import (
 	"context"
 	"net/netip"
 	"slices"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
@@ -78,10 +79,8 @@ func (r *Router) isLocalSource(source netip.Addr) bool {
 		return true
 	}
 	if r.platformInterface != nil {
-		for _, addr := range r.platformInterface.MyInterfaceAddress() {
+		if slices.Contains(r.platformInterface.MyInterfaceAddress(), source) {
-			if addr == source {
+			return true
 				return true
 			}
 		}
 	}
 	for _, netInterface := range r.network.InterfaceFinder().Interfaces() {
--- a/route/route.go
+++ b/route/route.go
@@ -31,7 +31,7 @@ import (
 // Deprecated: use RouteConnectionEx instead.
 func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	done := make(chan interface{})
+	done := make(chan any)
 	err := r.routeConnection(ctx, conn, metadata, N.OnceClose(func(it error) {
 		close(done)
 	}))
@@ -160,7 +160,7 @@ func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata ad
 }
 func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	done := make(chan interface{})
+	done := make(chan any)
 	err := r.routePacketConnection(ctx, conn, metadata, N.OnceClose(func(it error) {
 		close(done)
 	}))
--- a/route/rule/match_state.go
+++ b/route/rule/match_state.go
@@ -42,11 +42,11 @@ func (s ruleMatchStateSet) combine(other ruleMatchStateSet) ruleMatchStateSet {
 		return 0
 	}
 	var combined ruleMatchStateSet
-	for left := ruleMatchState(0); left < 16; left++ {
+	for left := range ruleMatchState(16) {
 		if !s.contains(left) {
 			continue
 		}
-		for right := ruleMatchState(0); right < 16; right++ {
+		for right := range ruleMatchState(16) {
 			if !other.contains(right) {
 				continue
 			}
@@ -61,7 +61,7 @@ func (s ruleMatchStateSet) withBase(base ruleMatchState) ruleMatchStateSet {
 		return 0
 	}
 	var withBase ruleMatchStateSet
-	for state := ruleMatchState(0); state < 16; state++ {
+	for state := range ruleMatchState(16) {
 		if !s.contains(state) {
 			continue
 		}
@@ -72,7 +72,7 @@ func (s ruleMatchStateSet) withBase(base ruleMatchState) ruleMatchStateSet {
 func (s ruleMatchStateSet) filter(allowed func(ruleMatchState) bool) ruleMatchStateSet {
 	var filtered ruleMatchStateSet
-	for state := ruleMatchState(0); state < 16; state++ {
+	for state := range ruleMatchState(16) {
 		if !s.contains(state) {
 			continue
 		}
@@ -91,10 +91,6 @@ type ruleStateMatcherWithBase interface {
 	matchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet
 }
 func matchHeadlessRuleStates(rule adapter.HeadlessRule, metadata *adapter.InboundContext) ruleMatchStateSet {
 	return matchHeadlessRuleStatesWithBase(rule, metadata, 0)
 }
 func matchHeadlessRuleStatesWithBase(rule adapter.HeadlessRule, metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
 	if matcher, isStateMatcher := rule.(ruleStateMatcherWithBase); isStateMatcher {
 		return matcher.matchStatesWithBase(metadata, base)
@@ -108,10 +104,6 @@ func matchHeadlessRuleStatesWithBase(rule adapter.HeadlessRule, metadata *adapte
 	return 0
 }
 func matchRuleItemStates(item RuleItem, metadata *adapter.InboundContext) ruleMatchStateSet {
 	return matchRuleItemStatesWithBase(item, metadata, 0)
 }
 func matchRuleItemStatesWithBase(item RuleItem, metadata *adapter.InboundContext, base ruleMatchState) ruleMatchStateSet {
 	if matcher, isStateMatcher := item.(ruleStateMatcherWithBase); isStateMatcher {
 		return matcher.matchStatesWithBase(metadata, base)
--- a/route/rule/rule_abstract_test.go
+++ b/route/rule/rule_abstract_test.go
@@ -141,7 +141,6 @@ func TestAbstractLogicalRule_And_WithRuleSetInvert(t *testing.T) {
 		},
 	}
 	for _, testCase := range testCases {
 		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			t.Parallel()
 			logicalRule := &abstractLogicalRule{
--- a/route/rule/rule_item_cidr.go
+++ b/route/rule/rule_item_cidr.go
@@ -2,6 +2,7 @@ package rule
 import (
 	"net/netip"
 	"slices"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
@@ -80,12 +81,7 @@ func (r *IPCIDRItem) Match(metadata *adapter.InboundContext) bool {
 		return r.ipSet.Contains(metadata.Destination.Addr)
 	}
 	if len(metadata.DestinationAddresses) > 0 {
-		for _, address := range metadata.DestinationAddresses {
+		return slices.ContainsFunc(metadata.DestinationAddresses, r.ipSet.Contains)
 			if r.ipSet.Contains(address) {
 				return true
 			}
 		}
 		return false
 	}
 	return metadata.IPCIDRAcceptEmpty
 }
--- a/route/rule/rule_item_domain.go
+++ b/route/rule/rule_item_domain.go
@@ -1,6 +1,7 @@
 package rule
 import (
 	"slices"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
@@ -16,15 +17,11 @@ type DomainItem struct {
 }
 func NewDomainItem(domains []string, domainSuffixes []string) (*DomainItem, error) {
-	for _, domainItem := range domains {
+	if slices.Contains(domains, "") {
-		if domainItem == "" {
+		return nil, E.New("domain: empty item is not allowed")
 			return nil, E.New("domain: empty item is not allowed")
 		}
 	}
-	for _, domainSuffixItem := range domainSuffixes {
+	if slices.Contains(domainSuffixes, "") {
-		if domainSuffixItem == "" {
+		return nil, E.New("domain_suffix: empty item is not allowed")
 			return nil, E.New("domain_suffix: empty item is not allowed")
 		}
 	}
 	var description string
 	if dLen := len(domains); dLen > 0 {
--- a/route/rule/rule_set_semantics_test.go
+++ b/route/rule/rule_set_semantics_test.go
@@ -57,7 +57,6 @@ func TestRouteRuleSetMergeDestinationAddressGroup(t *testing.T) {
 		},
 	}
 	for _, testCase := range testCases {
 		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			t.Parallel()
 			ruleSet := newLocalRuleSetForTest("merge-destination", testCase.inner)
@@ -223,7 +222,6 @@ func TestRouteRuleSetOuterGroupedStateMergesIntoSameGroup(t *testing.T) {
 		},
 	}
 	for _, testCase := range testCases {
 		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			t.Parallel()
 			ruleSet := newLocalRuleSetForTest("outer-merge-"+testCase.name, headlessDefaultRule(t, func(rule *abstractDefaultRule) {
@@ -652,7 +650,6 @@ func TestDNSInvertAddressLimitPreLookupRegression(t *testing.T) {
 		},
 	}
 	for _, testCase := range testCases {
 		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			t.Parallel()
 			rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
--- a/service/ccm/credential_other.go
+++ b/service/ccm/credential_other.go
@@ -1,4 +1,4 @@
-//go:build !darwin
+//go:build !darwin || !cgo
 package ccm
--- a/service/ccm/service.go
+++ b/service/ccm/service.go
@@ -124,8 +124,6 @@ type Service struct {
 	userManager    *UserManager
 	accessMutex    sync.RWMutex
 	usageTracker   *AggregatedUsage
 	trackingGroup  sync.WaitGroup
 	shuttingDown   bool
 }
 func NewService(ctx context.Context, logger log.ContextLogger, tag string, options option.CCMServiceOptions) (adapter.Service, error) {
@@ -283,8 +281,8 @@ func (s *Service) getAccessToken() (string, error) {
 func detectContextWindow(betaHeader string, totalInputTokens int64) int {
 	if totalInputTokens > premiumContextThreshold {
-		features := strings.Split(betaHeader, ",")
+		features := strings.SplitSeq(betaHeader, ",")
-		for _, feature := range features {
+		for feature := range features {
 			if strings.HasPrefix(strings.TrimSpace(feature), "context-1m") {
 				return contextWindowPremium
 			}
@@ -507,8 +505,8 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 					continue
 				}
-				if bytes.HasPrefix(line, []byte("data: ")) {
+				if after, ok0 := bytes.CutPrefix(line, []byte("data: ")); ok0 {
-					eventData := bytes.TrimPrefix(line, []byte("data: "))
+					eventData := after
 					if bytes.Equal(eventData, []byte("[DONE]")) {
 						continue
 					}
--- a/service/ocm/service.go
+++ b/service/ocm/service.go
@@ -556,8 +556,8 @@ func (s *Service) handleResponseWithTracking(writer http.ResponseWriter, respons
 					continue
 				}
-				if bytes.HasPrefix(line, []byte("data: ")) {
+				if after, ok0 := bytes.CutPrefix(line, []byte("data: ")); ok0 {
-					eventData := bytes.TrimPrefix(line, []byte("data: "))
+					eventData := after
 					if bytes.Equal(eventData, []byte("[DONE]")) {
 						continue
 					}
--- a/service/ocm/service_usage.go
+++ b/service/ocm/service_usage.go
@@ -851,10 +851,7 @@ func normalizeGPT5Model(model string) string {
 func calculateCost(stats UsageStats, model string, serviceTier string, contextWindow int) float64 {
 	pricing := getPricing(model, serviceTier, contextWindow)
-	regularInputTokens := stats.InputTokens - stats.CachedTokens
+	regularInputTokens := max(stats.InputTokens-stats.CachedTokens, 0)
 	if regularInputTokens < 0 {
 		regularInputTokens = 0
 	}
 	cost := (float64(regularInputTokens)*pricing.InputPrice +
 		float64(stats.OutputTokens)*pricing.OutputPrice +
--- a/service/oomkiller/service.go
+++ b/service/oomkiller/service.go
@@ -96,6 +96,7 @@ func (s *Service) Start(stage adapter.StartStage) error {
 	if s.hasTimerMode {
 		s.adaptiveTimer = newAdaptiveTimer(s.logger, s.router, s.timerConfig)
 		s.adaptiveTimer.start(false)
 		if s.memoryLimit > 0 {
 			s.logger.Info("started memory monitor with limit: ", s.memoryLimit/(1024*1024), " MiB")
 		} else {
@@ -164,7 +165,7 @@ func goMemoryPressureCallback(status C.ulong) {
 			if isCritical {
 				s.logger.Warn("memory pressure: ", level, ", usage: ", usage/(1024*1024), " MiB")
 				if s.adaptiveTimer != nil {
-					s.adaptiveTimer.startNow()
+					s.adaptiveTimer.start(true)
 				}
 			} else if isWarning {
 				s.logger.Warn("memory pressure: ", level, ", usage: ", usage/(1024*1024), " MiB")
--- a/service/oomkiller/service_stub.go
+++ b/service/oomkiller/service_stub.go
@@ -64,7 +64,7 @@ func (s *Service) Start(stage adapter.StartStage) error {
 		return E.New("memory pressure monitoring is not available on this platform without memory_limit")
 	}
 	s.adaptiveTimer = newAdaptiveTimer(s.logger, s.router, s.timerConfig)
-	s.adaptiveTimer.start(0)
+	s.adaptiveTimer.start(false)
 	if s.useAvailable {
 		s.logger.Info("started memory monitor with available memory detection")
 	} else {
--- a/service/oomkiller/service_timer.go
+++ b/service/oomkiller/service_timer.go
@@ -55,17 +55,13 @@ func newAdaptiveTimer(logger log.ContextLogger, router adapter.Router, config ti
 	}
 }
-func (t *adaptiveTimer) start(_ uint64) {
+func (t *adaptiveTimer) start(immediate bool) {
 	t.access.Lock()
 	defer t.access.Unlock()
 	t.startLocked()
 }
 func (t *adaptiveTimer) startNow() {
 	t.access.Lock()
 	t.startLocked()
 	t.access.Unlock()
-	t.poll()
+	if immediate {
 		t.poll()
 	}
 }
 func (t *adaptiveTimer) startLocked() {
@@ -90,12 +86,6 @@ func (t *adaptiveTimer) stopLocked() {
 	}
 }
 func (t *adaptiveTimer) running() bool {
 	t.access.Lock()
 	defer t.access.Unlock()
 	return t.timer != nil
 }
 func (t *adaptiveTimer) poll() {
 	t.access.Lock()
 	defer t.access.Unlock()
@@ -144,13 +134,8 @@ func (t *adaptiveTimer) poll() {
 		interval = t.maxInterval
 	} else {
 		timeToLimit := time.Duration(float64(remaining) / float64(delta) * float64(t.lastInterval))
-		interval = timeToLimit / time.Duration(t.checksBeforeLimit)
+		interval = max(timeToLimit/time.Duration(t.checksBeforeLimit), t.minInterval)
-		if interval < t.minInterval {
+		interval = min(interval, t.maxInterval)
 			interval = t.minInterval
 		}
 		if interval > t.maxInterval {
 			interval = t.maxInterval
 		}
 	}
 	t.lastInterval = interval
--- a/service/resolved/resolve1.go
+++ b/service/resolved/resolve1.go
@@ -10,6 +10,7 @@ import (
 	"os"
 	"os/user"
 	"path/filepath"
 	"slices"
 	"strconv"
 	"strings"
 	"syscall"
@@ -127,7 +128,7 @@ func (t *resolve1Manager) createMetadata(sender dbus.Sender) adapter.InboundCont
 	var uidFound bool
 	statusContent, err := os.ReadFile(F.ToString("/proc/", senderPid, "/status"))
 	if err == nil {
-		for _, line := range strings.Split(string(statusContent), "\n") {
+		for line := range strings.SplitSeq(string(statusContent), "\n") {
 			line = strings.TrimSpace(line)
 			if strings.HasPrefix(line, "Uid:") {
 				fields := strings.Fields(line)
@@ -255,8 +256,8 @@ func (t *resolve1Manager) ResolveAddress(sender dbus.Sender, ifIndex int32, fami
 		return
 	}
 	var nibbles []string
-	for i := len(address) - 1; i >= 0; i-- {
+	for _, v := range slices.Backward(address) {
-		b := address[i]
+		b := v
 		nibbles = append(nibbles, fmt.Sprintf("%x", b&0x0F))
 		nibbles = append(nibbles, fmt.Sprintf("%x", b>>4))
 	}
--- a/service/resolved/transport.go
+++ b/service/resolved/transport.go
@@ -248,7 +248,7 @@ func (t *Transport) tryOneName(ctx context.Context, servers *LinkServers, messag
 	sLen := uint32(len(servers.Servers))
 	var lastErr error
 	for i := 0; i < t.attempts; i++ {
-		for j := uint32(0); j < sLen; j++ {
+		for j := range sLen {
 			server := servers.Servers[(serverOffset+j)%sLen]
 			question := message.Question[0]
 			question.Name = fqdn
--- a/transport/masque/buffer.go
+++ b/transport/masque/buffer.go
@@ -1,34 +0,0 @@
 package masque
 import "sync"
 type NetBuffer struct {
 	capacity uint32
 	buf      sync.Pool
 }
 func (n *NetBuffer) Get() []byte {
 	return *n.buf.Get().(*[]byte)
 }
 func (n *NetBuffer) Put(buf []byte) {
 	if cap(buf) != int(n.capacity) {
 		return
 	}
 	n.buf.Put(&buf)
 }
 func NewNetBuffer(capacity uint32) *NetBuffer {
 	if capacity == 0 {
 		panic("capacity must be greater than 0")
 	}
 	return &NetBuffer{
 		capacity: capacity,
 		buf: sync.Pool{
 			New: func() interface{} {
 				b := make([]byte, capacity)
 				return &b
 			},
 		},
 	}
 }
--- a/transport/masque/device_stack.go
+++ b/transport/masque/device_stack.go
@@ -1,3 +1,5 @@
 //go:build with_gvisor
 package masque
 import (
--- a/transport/masque/device_stack_stub.go
+++ b/transport/masque/device_stack_stub.go
@@ -0,0 +1,13 @@
 //go:build !with_gvisor
 package masque
 import "github.com/sagernet/sing-tun"
 func newStackDevice(options DeviceOptions) (Device, error) {
 	return nil, tun.ErrGVisorNotIncluded
 }
 func newSystemStackDevice(options DeviceOptions) (Device, error) {
 	return nil, tun.ErrGVisorNotIncluded
 }
--- a/transport/masque/masque.go
+++ b/transport/masque/masque.go
@@ -8,7 +8,6 @@ import (
 	"net"
 	"net/http"
 	"net/netip"
 	"net/url"
 	"strings"
 	connectip "github.com/Diniboy1123/connect-ip-go"
@@ -85,7 +84,9 @@ func ConnectTunnel(ctx context.Context, dialer N.Dialer, tlsConfig aTLS.Config,
 	hconn := tr.NewClientConn(conn)
 	ipConn, rsp, err := connectip.Dial(ctx, hconn, template, "cf-connect-ip", additionalHeaders, true)
 	if err != nil {
-		if err.Error() == "CRYPTO_ERROR 0x131 (remote): tls: access denied" {
+		_ = tr.Close()
 		_ = conn.CloseWithError(0, "connect-ip dial failed")
 		if strings.Contains(err.Error(), "tls: access denied") {
 			return udpConn, nil, nil, nil, errors.New("login failed! Please double-check if your tls key and cert is enrolled in the Cloudflare Access service")
 		}
 		return udpConn, nil, nil, nil, fmt.Errorf("failed to dial connect-ip: %w", err)
@@ -139,28 +140,3 @@ func newHTTP2Client(dialer N.Dialer, baseTLSConfig aTLS.Config, endpoint *net.TC
 		},
 	}, nil
 }
 func authorityWithDefaultPort(u *url.URL, defaultPort string) string {
 	if u == nil {
 		return ""
 	}
 	host := u.Hostname()
 	if host == "" {
 		return u.Host
 	}
 	port := u.Port()
 	if port == "" {
 		port = defaultPort
 	}
 	return net.JoinHostPort(host, port)
 }
 func proxyDefaultPort(u *url.URL) string {
 	if u != nil && u.Scheme == "https" {
 		return "443"
 	}
 	return "80"
 }
--- a/transport/masque/tunnel.go
+++ b/transport/masque/tunnel.go
@@ -6,9 +6,11 @@ import (
 	"fmt"
 	"net"
 	"os"
 	"sync"
 	"time"
 	connectip "github.com/Diniboy1123/connect-ip-go"
 	"github.com/sagernet/quic-go/http3"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
@@ -25,6 +27,12 @@ type Tunnel struct {
 	options      TunnelOptions
 	tunDevice    Device
 	tunnelDevice TunnelDevice
 	udpConn net.PacketConn
 	tr      *http3.Transport
 	ipConn  *connectip.Conn
 	mtx sync.Mutex
 }
 func NewTunnel(ctx context.Context, logger logger.ContextLogger, options TunnelOptions) (*Tunnel, error) {
@@ -55,7 +63,7 @@ func (e *Tunnel) Start(resolve bool) error {
 		if err != nil {
 			return err
 		}
-		go e.MaintainTunnel()
+		go e.maintainTunnel()
 	}
 	return nil
 }
@@ -75,19 +83,95 @@ func (e *Tunnel) ListenPacket(ctx context.Context, destination M.Socksaddr) (net
 }
 func (e *Tunnel) Close() error {
 	e.mtx.Lock()
 	defer e.mtx.Unlock()
 	if e.ipConn != nil {
 		e.ipConn.Close()
 		if e.udpConn != nil {
 			e.udpConn.Close()
 		}
 		if e.tr != nil {
 			e.tr.Close()
 		}
 		e.ipConn = nil
 	}
 	return e.tunDevice.Close()
 }
-func (e *Tunnel) MaintainTunnel() {
+func (e *Tunnel) maintainTunnel() {
-	packetBufferPool := NewNetBuffer(1280)
+	go func() {
 		buf := make([]byte, 1280)
 		for e.ctx.Err() == nil {
 			n, err := e.tunnelDevice.ReadPacket(buf)
 			if err != nil {
 				e.logger.ErrorContext(e.ctx, fmt.Errorf("failed to read from TUN device: %v", err))
 				continue
 			}
 			ipConn, err := e.getIpConn()
 			if err != nil {
 				return
 			}
 			icmp, err := ipConn.WritePacket(buf[:n])
 			if err != nil {
 				if errors.As(err, new(*connectip.CloseError)) {
 					if ok := e.closeIpConn(ipConn); ok {
 						e.logger.ErrorContext(e.ctx, fmt.Errorf("connection closed while writing to IP connection: %w", err))
 					}
 					continue
 				}
 				e.logger.ErrorContext(e.ctx, fmt.Errorf("Error writing to IP connection: %v, continuing...", err))
 				continue
 			}
 			if len(icmp) > 0 {
 				if err := e.tunnelDevice.WritePacket(icmp); err != nil {
 					if errors.As(err, new(*connectip.CloseError)) {
 						e.logger.ErrorContext(e.ctx, fmt.Errorf("connection closed while writing ICMP to TUN device: %v", err))
 						continue
 					}
 					e.logger.ErrorContext(e.ctx, fmt.Errorf("Error writing ICMP to TUN device: %v, continuing...", err))
 				}
 			}
 		}
 	}()
 	go func() {
 		buf := make([]byte, 1280)
 		for e.ctx.Err() == nil {
 			ipConn, err := e.getIpConn()
 			if err != nil {
 				return
 			}
 			n, err := ipConn.ReadPacket(buf, true)
 			if err != nil {
 				if e.options.UseHTTP2 || errors.As(err, new(*connectip.CloseError)) {
 					if ok := e.closeIpConn(ipConn); ok {
 						e.logger.ErrorContext(e.ctx, fmt.Errorf("connection closed while reading from IP connection: %v", err))
 					}
 					continue
 				}
 				e.logger.ErrorContext(e.ctx, fmt.Errorf("Error reading from IP connection: %v, continuine...", err))
 				continue
 			}
 			if err := e.tunnelDevice.WritePacket(buf[:n]); err != nil {
 				continue
 			}
 		}
 	}()
 	<-e.ctx.Done()
 }
 func (e *Tunnel) getIpConn() (*connectip.Conn, error) {
 	e.mtx.Lock()
 	defer e.mtx.Unlock()
 	if e.ctx.Err() != nil {
 		return nil, e.ctx.Err()
 	}
 	if e.ipConn != nil {
 		return e.ipConn, nil
 	}
 	e.logger.InfoContext(e.ctx, "Establishing MASQUE connection to ", e.options.Endpoint)
 	timer := time.NewTimer(0)
 	defer timer.Stop()
 	for {
 		select {
 		case <-e.ctx.Done():
 			return
 		default:
 		}
 		e.logger.InfoContext(e.ctx, fmt.Errorf("Establishing MASQUE connection to %s", e.options.Endpoint))
 		udpConn, tr, ipConn, rsp, err := ConnectTunnel(
 			e.ctx,
@@ -99,17 +183,17 @@ func (e *Tunnel) MaintainTunnel() {
 			e.options.UseHTTP2,
 		)
 		if err != nil {
-			e.logger.InfoContext(e.ctx, fmt.Errorf("Failed to connect tunnel: %v", err))
+			e.logger.ErrorContext(e.ctx, fmt.Errorf("Failed to connect tunnel: %v", err))
 			timer.Reset(e.options.ReconnectDelay)
 			select {
 			case <-e.ctx.Done():
-				return
+				return nil, err
 			case <-timer.C:
 			}
 			continue
 		}
 		if rsp.StatusCode != 200 {
-			e.logger.InfoContext(e.ctx, fmt.Errorf("Tunnel connection failed: %s", rsp.Status))
+			e.logger.ErrorContext(e.ctx, fmt.Errorf("Tunnel connection failed: %s", rsp.Status))
 			ipConn.Close()
 			if udpConn != nil {
 				udpConn.Close()
@@ -120,81 +204,32 @@ func (e *Tunnel) MaintainTunnel() {
 			timer.Reset(e.options.ReconnectDelay)
 			select {
 			case <-e.ctx.Done():
-				return
+				return nil, err
 			case <-timer.C:
 			}
 			continue
 		}
-		e.logger.InfoContext(e.ctx, "Connected to MASQUE server")
+		e.udpConn = udpConn
-		errChan := make(chan error, 2)
+		e.tr = tr
-		go func() {
+		e.ipConn = ipConn
-			for {
+		e.logger.InfoContext(e.ctx, "Connected to MASQUE server", e.options.Endpoint)
-				buf := packetBufferPool.Get()
+		return ipConn, nil
 				n, err := e.tunnelDevice.ReadPacket(buf)
 				if err != nil {
 					packetBufferPool.Put(buf)
 					errChan <- fmt.Errorf("failed to read from TUN device: %w", err)
 					return
 				}
 				icmp, err := ipConn.WritePacket(buf[:n])
 				if err != nil {
 					packetBufferPool.Put(buf)
 					if errors.As(err, new(*connectip.CloseError)) {
 						errChan <- fmt.Errorf("connection closed while writing to IP connection: %w", err)
 						return
 					}
 					e.logger.InfoContext(e.ctx, fmt.Errorf("Error writing to IP connection: %v, continuing...", err))
 					continue
 				}
 				packetBufferPool.Put(buf)
 				if len(icmp) > 0 {
 					if err := e.tunnelDevice.WritePacket(icmp); err != nil {
 						if errors.As(err, new(*connectip.CloseError)) {
 							errChan <- fmt.Errorf("connection closed while writing ICMP to TUN device: %w", err)
 							return
 						}
 						e.logger.InfoContext(e.ctx, fmt.Errorf("Error writing ICMP to TUN device: %v, continuing...", err))
 					}
 				}
 			}
 		}()
 		go func() {
 			buf := packetBufferPool.Get()
 			defer packetBufferPool.Put(buf)
 			for {
 				n, err := ipConn.ReadPacket(buf, true)
 				if err != nil {
 					if e.options.UseHTTP2 {
 						errChan <- fmt.Errorf("connection closed while reading from IP connection: %w", err)
 						return
 					}
 					if errors.As(err, new(*connectip.CloseError)) {
 						errChan <- fmt.Errorf("connection closed while reading from IP connection: %w", err)
 						return
 					}
 					e.logger.InfoContext(e.ctx, fmt.Errorf("Error reading from IP connection: %v, continuing...", err))
 					continue
 				}
 				if err := e.tunnelDevice.WritePacket(buf[:n]); err != nil {
 					errChan <- fmt.Errorf("failed to write to TUN device: %w", err)
 					return
 				}
 			}
 		}()
 		err = <-errChan
 		e.logger.InfoContext(e.ctx, fmt.Errorf("Tunnel connection lost: %v. Reconnecting...", err))
 		ipConn.Close()
 		if udpConn != nil {
 			udpConn.Close()
 		}
 		if tr != nil {
 			tr.Close()
 		}
 		timer.Reset(e.options.ReconnectDelay)
 		select {
 		case <-e.ctx.Done():
 			return
 		case <-timer.C:
 		}
 	}
 }
 func (e *Tunnel) closeIpConn(ipConn *connectip.Conn) bool {
 	e.mtx.Lock()
 	defer e.mtx.Unlock()
 	if ipConn == e.ipConn {
 		e.ipConn.Close()
 		if e.udpConn != nil {
 			e.udpConn.Close()
 		}
 		if e.tr != nil {
 			e.tr.Close()
 		}
 		e.ipConn = nil
 		return true
 	}
 	return false
 }
--- a/transport/sip003/args.go
+++ b/transport/sip003/args.go
@@ -105,15 +105,3 @@ func ParsePluginOptions(s string) (opts Args, err error) {
 	}
 	return opts, nil
 }
 // Escape backslashes and all the bytes that are in set.
 func backslashEscape(s string, set []byte) string {
 	var buf bytes.Buffer
 	for _, b := range []byte(s) {
 		if b == '\\' || bytes.IndexByte(set, b) != -1 {
 			buf.WriteByte('\\')
 		}
 		buf.WriteByte(b)
 	}
 	return buf.String()
 }
--- a/transport/v2raygrpc/client.go
+++ b/transport/v2raygrpc/client.go
@@ -10,7 +10,6 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tls"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -100,7 +99,7 @@ func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
 		return nil, err
 	}
 	client := NewGunServiceClient(clientConn).(GunServiceCustomNameClient)
-	ctx, cancel := common.ContextWithCancelCause(ctx)
+	ctx, cancel := context.WithCancelCause(ctx)
 	stream, err := client.TunCustomName(ctx, c.serviceName)
 	if err != nil {
 		cancel(err)
--- a/transport/v2raygrpc/credentials/credentials.go
+++ b/transport/v2raygrpc/credentials/credentials.go
@@ -25,12 +25,12 @@ import (
 type requestInfoKey struct{}
 // NewRequestInfoContext creates a context with ri.
-func NewRequestInfoContext(ctx context.Context, ri interface{}) context.Context {
+func NewRequestInfoContext(ctx context.Context, ri any) context.Context {
 	return context.WithValue(ctx, requestInfoKey{}, ri)
 }
 // RequestInfoFromContext extracts the RequestInfo from ctx.
-func RequestInfoFromContext(ctx context.Context) interface{} {
+func RequestInfoFromContext(ctx context.Context) any {
 	return ctx.Value(requestInfoKey{})
 }
@@ -39,11 +39,11 @@ func RequestInfoFromContext(ctx context.Context) interface{} {
 type clientHandshakeInfoKey struct{}
 // ClientHandshakeInfoFromContext extracts the ClientHandshakeInfo from ctx.
-func ClientHandshakeInfoFromContext(ctx context.Context) interface{} {
+func ClientHandshakeInfoFromContext(ctx context.Context) any {
 	return ctx.Value(clientHandshakeInfoKey{})
 }
 // NewClientHandshakeInfoContext creates a context with chi.
-func NewClientHandshakeInfoContext(ctx context.Context, chi interface{}) context.Context {
+func NewClientHandshakeInfoContext(ctx context.Context, chi any) context.Context {
 	return context.WithValue(ctx, clientHandshakeInfoKey{}, chi)
 }
--- a/Show More
+++ b/Show More
`@@ -1 +1 @@`
	`e4926ba205fae5351e3d3eeafff7e7029654424a`	`2faf34666c2cc8234f10f2ab6d4c4d6104d34ae2`
`@@ -1,4 +1,4 @@`
	`//go:build !darwin`	`//go:build !darwin \|\| !cgo`

	`package ccm`	`package ccm`