Add admin panel, manager, node_manager, bandwidth limiter, connection limiter, bonding, failover, vless encryption, mkcp transport

protocol/limiter/bandwidth/limiter.go

@@ -0,0 +1,158 @@
+package bandwidth
+
+import (
+	"context"
+	"net"
+
+	"golang.org/x/time/rate"
+)
+
+type connWithDownloadBandwidthLimiter struct {
+	net.Conn
+	ctx     context.Context
+	limiter *rate.Limiter
+	burst   int
+}
+
+func NewConnWithDownloadBandwidthLimiter(ctx context.Context, conn net.Conn, limiter *rate.Limiter) *connWithDownloadBandwidthLimiter {
+	return &connWithDownloadBandwidthLimiter{conn, ctx, limiter, limiter.Burst()}
+}
+
+func (conn *connWithDownloadBandwidthLimiter) Write(p []byte) (n int, err error) {
+	var nn int
+	for {
+		end := len(p)
+		if end == 0 {
+			break
+		}
+		if conn.burst < len(p) {
+			end = conn.burst
+		}
+		err = conn.limiter.WaitN(conn.ctx, end)
+		if err != nil {
+			return
+		}
+		nn, err = conn.Conn.Write(p[:end])
+		n += nn
+		if err != nil {
+			return
+		}
+		p = p[end:]
+	}
+	return
+}
+
+type connWithUploadBandwidthLimiter struct {
+	net.Conn
+	ctx     context.Context
+	limiter *rate.Limiter
+	burst   int
+}
+
+func NewConnWithUploadBandwidthLimiter(ctx context.Context, conn net.Conn, limiter *rate.Limiter) *connWithUploadBandwidthLimiter {
+	return &connWithUploadBandwidthLimiter{conn, ctx, limiter, limiter.Burst()}
+}
+
+func (conn *connWithUploadBandwidthLimiter) Read(p []byte) (n int, err error) {
+	if conn.burst < len(p) {
+		p = p[:conn.burst]
+	}
+	n, err = conn.Conn.Read(p)
+	if err != nil {
+		return
+	}
+	err = conn.limiter.WaitN(conn.ctx, n)
+	if err != nil {
+		return
+	}
+	return
+}
+
+type connWithCloseHandler struct {
+	net.Conn
+	onClose CloseHandlerFunc
+}
+
+func NewConnWithCloseHandler(conn net.Conn, onClose CloseHandlerFunc) *connWithCloseHandler {
+	return &connWithCloseHandler{conn, onClose}
+}
+
+func (conn *connWithCloseHandler) Close() error {
+	conn.onClose()
+	return conn.Conn.Close()
+}
+
+type packetConnWithDownloadBandwidthLimiter struct {
+	net.PacketConn
+	ctx     context.Context
+	limiter *rate.Limiter
+	burst   int
+}
+
+func NewPacketConnWithDownloadBandwidthLimiter(ctx context.Context, conn net.PacketConn, limiter *rate.Limiter) *packetConnWithDownloadBandwidthLimiter {
+	return &packetConnWithDownloadBandwidthLimiter{conn, ctx, limiter, limiter.Burst()}
+}
+
+func (conn *packetConnWithDownloadBandwidthLimiter) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	var nn int
+	for {
+		end := len(p)
+		if end == 0 {
+			break
+		}
+		if conn.burst < len(p) {
+			end = conn.burst
+		}
+		err = conn.limiter.WaitN(conn.ctx, end)
+		if err != nil {
+			return
+		}
+		nn, err = conn.PacketConn.WriteTo(p[:end], addr)
+		n += nn
+		if err != nil {
+			return
+		}
+		p = p[end:]
+	}
+	return
+}
+
+type packetConnWithUploadBandwidthLimiter struct {
+	net.PacketConn
+	ctx     context.Context
+	limiter *rate.Limiter
+	burst   int
+}
+
+func NewPacketConnWithUploadBandwidthLimiter(ctx context.Context, conn net.PacketConn, limiter *rate.Limiter) *packetConnWithUploadBandwidthLimiter {
+	return &packetConnWithUploadBandwidthLimiter{conn, ctx, limiter, limiter.Burst()}
+}
+
+func (conn *packetConnWithUploadBandwidthLimiter) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
+	if conn.burst < len(p) {
+		p = p[:conn.burst]
+	}
+	n, addr, err = conn.PacketConn.ReadFrom(p)
+	if err != nil {
+		return
+	}
+	err = conn.limiter.WaitN(conn.ctx, n)
+	if err != nil {
+		return
+	}
+	return
+}
+
+type packetConnWithCloseHandler struct {
+	net.PacketConn
+	onClose CloseHandlerFunc
+}
+
+func NewPacketConnWithCloseHandler(conn net.PacketConn, onClose CloseHandlerFunc) *packetConnWithCloseHandler {
+	return &packetConnWithCloseHandler{conn, onClose}
+}
+
+func (conn *packetConnWithCloseHandler) Close() error {
+	conn.onClose()
+	return conn.PacketConn.Close()
+}

protocol/limiter/bandwidth/outbound.go

@@ -0,0 +1,146 @@
+package bandwidth
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/adapter/outbound"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/route"
+
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
+)
+
+func RegisterOutbound(registry *outbound.Registry) {
+	outbound.Register[option.BandwidthLimiterOutboundOptions](registry, C.TypeBandwidthLimiter, NewOutbound)
+}
+
+type Outbound struct {
+	outbound.Adapter
+	ctx         context.Context
+	outbound    adapter.OutboundManager
+	connection  adapter.ConnectionManager
+	logger      logger.ContextLogger
+	strategy    BandwidthStrategy
+	outboundTag string
+	detour      adapter.Outbound
+	router      *route.Router
+}
+
+func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.BandwidthLimiterOutboundOptions) (adapter.Outbound, error) {
+	if options.Strategy == "" {
+		return nil, E.New("missing strategy")
+	}
+	if options.Route.Final == "" {
+		return nil, E.New("missing final outbound")
+	}
+	var strategy BandwidthStrategy
+	var err error
+	switch options.Strategy {
+	case "users":
+		usersStrategies := make(map[string]BandwidthStrategy, len(options.Users))
+		for _, user := range options.Users {
+			userStrategy, err := CreateStrategy(user.Strategy, user.Mode, user.ConnectionType, options.Speed.Value())
+			if err != nil {
+				return nil, err
+			}
+			usersStrategies[user.Name] = userStrategy
+		}
+		strategy = NewUsersBandwidthStrategy(usersStrategies)
+	case "manager":
+		strategy = NewManagerBandwidthStrategy()
+	default:
+		strategy, err = CreateStrategy(options.Strategy, options.Mode, options.ConnectionType, options.Speed.Value())
+		if err != nil {
+			return nil, err
+		}
+	}
+	logFactory := service.FromContext[log.Factory](ctx)
+	r := route.NewRouter(ctx, logFactory, options.Route, option.DNSOptions{})
+	err = r.Initialize(options.Route.Rules, options.Route.RuleSet)
+	if err != nil {
+		return nil, err
+	}
+	outbound := &Outbound{
+		Adapter:     outbound.NewAdapter(C.TypeBandwidthLimiter, tag, nil, []string{}),
+		ctx:         ctx,
+		outbound:    service.FromContext[adapter.OutboundManager](ctx),
+		connection:  service.FromContext[adapter.ConnectionManager](ctx),
+		logger:      logger,
+		strategy:    strategy,
+		outboundTag: options.Route.Final,
+		router:      r,
+	}
+	return outbound, nil
+}
+
+func (h *Outbound) Network() []string {
+	return []string{N.NetworkTCP, N.NetworkUDP}
+}
+
+func (h *Outbound) Start() error {
+	detour, loaded := h.outbound.Outbound(h.outboundTag)
+	if !loaded {
+		return E.New("outbound not found: ", h.outboundTag)
+	}
+	h.detour = detour
+	for _, stage := range []adapter.StartStage{adapter.StartStateStart, adapter.StartStatePostStart, adapter.StartStateStarted} {
+		err := h.router.Start(stage)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (h *Outbound) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	conn, err := h.detour.DialContext(ctx, network, destination)
+	if err != nil {
+		return nil, err
+	}
+	return h.strategy.wrapConn(ctx, conn, adapter.ContextFrom(ctx), true)
+}
+
+func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	conn, err := h.detour.ListenPacket(ctx, destination)
+	if err != nil {
+		return nil, err
+	}
+	return h.strategy.wrapPacketConn(ctx, conn, adapter.ContextFrom(ctx), true)
+}
+
+func (h *Outbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	conn, err := h.strategy.wrapConn(ctx, conn, &metadata, false)
+	if err != nil {
+		h.logger.ErrorContext(ctx, err)
+		return
+	}
+	metadata.Inbound = h.Tag()
+	metadata.InboundType = h.Type()
+	h.router.RouteConnectionEx(ctx, conn, metadata, onClose)
+	return
+}
+
+func (h *Outbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	packetConn, err := h.strategy.wrapPacketConn(ctx, bufio.NewNetPacketConn(conn), &metadata, false)
+	if err != nil {
+		h.logger.ErrorContext(ctx, err)
+		return
+	}
+	metadata.Inbound = h.Tag()
+	metadata.InboundType = h.Type()
+	h.router.RoutePacketConnectionEx(ctx, bufio.NewPacketConn(packetConn), metadata, onClose)
+	return
+}
+
+func (h *Outbound) GetStrategy() BandwidthStrategy {
+	return h.strategy
+}

protocol/limiter/bandwidth/strategy.go

@@ -0,0 +1,266 @@
+package bandwidth
+
+import (
+	"context"
+	"net"
+	"strconv"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	E "github.com/sagernet/sing/common/exceptions"
+	"golang.org/x/time/rate"
+)
+
+type (
+	CloseHandlerFunc  = func()
+	ConnIDGetter      = func(context.Context, *adapter.InboundContext) (string, bool)
+	ConnWrapper       = func(ctx context.Context, conn net.Conn, limiter *rate.Limiter, reverse bool) net.Conn
+	PacketConnWrapper = func(ctx context.Context, conn net.PacketConn, limiter *rate.Limiter, reverse bool) net.PacketConn
+)
+
+type BandwidthStrategy interface {
+	wrapConn(ctx context.Context, conn net.Conn, metadata *adapter.InboundContext, reverse bool) (net.Conn, error)
+	wrapPacketConn(ctx context.Context, conn net.PacketConn, metadata *adapter.InboundContext, reverse bool) (net.PacketConn, error)
+}
+
+type BandwidthLimiterStrategy interface {
+	getLimiter(ctx context.Context, metadata *adapter.InboundContext) (*rate.Limiter, CloseHandlerFunc, error)
+}
+
+type DefaultWrapStrategy struct {
+	limiterStrategy   BandwidthLimiterStrategy
+	connWrapper       ConnWrapper
+	packetConnWrapper PacketConnWrapper
+}
+
+func NewDefaultWrapStrategy(limiterStrategy BandwidthLimiterStrategy, connWrapper ConnWrapper, packetConnWrapper PacketConnWrapper) *DefaultWrapStrategy {
+	return &DefaultWrapStrategy{limiterStrategy, connWrapper, packetConnWrapper}
+}
+
+func (s *DefaultWrapStrategy) wrapConn(ctx context.Context, conn net.Conn, metadata *adapter.InboundContext, reverse bool) (net.Conn, error) {
+	limiter, onClose, err := s.limiterStrategy.getLimiter(ctx, metadata)
+	if err != nil {
+		return nil, err
+	}
+	return NewConnWithCloseHandler(s.connWrapper(ctx, conn, limiter, reverse), onClose), nil
+}
+
+func (s *DefaultWrapStrategy) wrapPacketConn(ctx context.Context, conn net.PacketConn, metadata *adapter.InboundContext, reverse bool) (net.PacketConn, error) {
+	limiter, onClose, err := s.limiterStrategy.getLimiter(ctx, metadata)
+	if err != nil {
+		return nil, err
+	}
+	return NewPacketConnWithCloseHandler(s.packetConnWrapper(ctx, conn, limiter, reverse), onClose), nil
+}
+
+type GlobalBandwidthStrategy struct {
+	limiter *rate.Limiter
+}
+
+func NewGlobalBandwidthStrategy(speed uint64) *GlobalBandwidthStrategy {
+	return &GlobalBandwidthStrategy{
+		limiter: createSpeedLimiter(speed),
+	}
+}
+
+func (s *GlobalBandwidthStrategy) getLimiter(ctx context.Context, metadata *adapter.InboundContext) (*rate.Limiter, CloseHandlerFunc, error) {
+	return s.limiter, func() {}, nil
+}
+
+type idBandwidthLimiter struct {
+	limiter *rate.Limiter
+	handles uint32
+}
+
+type ConnectionBandwidthStrategy struct {
+	limiters     map[string]*idBandwidthLimiter
+	connIDGetter ConnIDGetter
+	speed        uint64
+	mtx          sync.Mutex
+}
+
+func NewConnectionBandwidthStrategy(connIDGetter ConnIDGetter, speed uint64) *ConnectionBandwidthStrategy {
+	return &ConnectionBandwidthStrategy{
+		limiters:     make(map[string]*idBandwidthLimiter),
+		connIDGetter: connIDGetter,
+		speed:        speed,
+	}
+}
+
+func (s *ConnectionBandwidthStrategy) getLimiter(ctx context.Context, metadata *adapter.InboundContext) (*rate.Limiter, CloseHandlerFunc, error) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	id, ok := s.connIDGetter(ctx, metadata)
+	if !ok {
+		return nil, nil, E.New("id not found")
+	}
+	limiter, ok := s.limiters[id]
+	if !ok {
+		limiter = &idBandwidthLimiter{
+			limiter: createSpeedLimiter(s.speed),
+		}
+		s.limiters[id] = limiter
+	}
+	limiter.handles++
+	var once sync.Once
+	return limiter.limiter, func() {
+		once.Do(func() {
+			s.mtx.Lock()
+			defer s.mtx.Unlock()
+			limiter.handles--
+			if limiter.handles == 0 {
+				delete(s.limiters, id)
+			}
+		})
+	}, nil
+}
+
+type UsersBandwidthStrategy struct {
+	strategies map[string]BandwidthStrategy
+	mtx        sync.Mutex
+}
+
+func NewUsersBandwidthStrategy(strategies map[string]BandwidthStrategy) *UsersBandwidthStrategy {
+	return &UsersBandwidthStrategy{
+		strategies: strategies,
+	}
+}
+
+func (s *UsersBandwidthStrategy) wrapConn(ctx context.Context, conn net.Conn, metadata *adapter.InboundContext, reverse bool) (net.Conn, error) {
+	strategy, err := s.getStrategy(ctx, metadata)
+	if err != nil {
+		return nil, err
+	}
+	return strategy.wrapConn(ctx, conn, metadata, reverse)
+}
+
+func (s *UsersBandwidthStrategy) wrapPacketConn(ctx context.Context, conn net.PacketConn, metadata *adapter.InboundContext, reverse bool) (net.PacketConn, error) {
+	strategy, err := s.getStrategy(ctx, metadata)
+	if err != nil {
+		return nil, err
+	}
+	return strategy.wrapPacketConn(ctx, conn, metadata, reverse)
+}
+
+func (s *UsersBandwidthStrategy) getStrategy(ctx context.Context, metadata *adapter.InboundContext) (BandwidthStrategy, error) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	var user string
+	if metadata != nil {
+		user = metadata.User
+	}
+	strategy, ok := s.strategies[user]
+	if ok {
+		return strategy, nil
+	}
+	return nil, E.New("user strategy not found: ", user)
+}
+
+type ManagerBandwidthStrategy struct {
+	*UsersBandwidthStrategy
+}
+
+func NewManagerBandwidthStrategy() *ManagerBandwidthStrategy {
+	return &ManagerBandwidthStrategy{
+		UsersBandwidthStrategy: NewUsersBandwidthStrategy(map[string]BandwidthStrategy{}),
+	}
+}
+
+func (s *ManagerBandwidthStrategy) UpdateStrategies(strategies map[string]BandwidthStrategy) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	s.strategies = strategies
+}
+
+func CreateStrategy(strategy string, mode string, connectionType string, speed uint64) (BandwidthStrategy, error) {
+	var limiterStrategy BandwidthLimiterStrategy
+	switch strategy {
+	case "global":
+		limiterStrategy = NewGlobalBandwidthStrategy(speed)
+	case "connection":
+		var connIDGetter ConnIDGetter
+		switch connectionType {
+		case "mux":
+			connIDGetter = func(ctx context.Context, metadata *adapter.InboundContext) (string, bool) {
+				id, ok := log.MuxIDFromContext(ctx)
+				if !ok {
+					return "", ok
+				}
+				return strconv.FormatUint(uint64(id.ID), 10), ok
+			}
+		case "hwid":
+			connIDGetter = func(ctx context.Context, metadata *adapter.InboundContext) (string, bool) {
+				id, ok := ctx.Value("hwid").(string)
+				return id, ok
+			}
+		case "ip":
+			connIDGetter = func(ctx context.Context, metadata *adapter.InboundContext) (string, bool) {
+				return metadata.Source.IPAddr().String(), true
+			}
+		default:
+			return nil, E.New("connection type not found: ", connectionType)
+		}
+		limiterStrategy = NewConnectionBandwidthStrategy(connIDGetter, speed)
+	default:
+		return nil, E.New("strategy not found: ", strategy)
+	}
+	var (
+		connWrapper       ConnWrapper
+		packetConnWrapper PacketConnWrapper
+	)
+	switch mode {
+	case "download":
+		connWrapper = connWithDownloadBandwidthWrapper
+		packetConnWrapper = packetConnWithDownloadBandwidthWrapper
+	case "upload":
+		connWrapper = connWithUploadBandwidthWrapper
+		packetConnWrapper = packetConnWithUploadBandwidthWrapper
+	case "duplex":
+		connWrapper = connWithDuplexBandwidthWrapper
+		packetConnWrapper = packetConnWithDuplexBandwidthWrapper
+	default:
+		return nil, E.New("mode not found: ", mode)
+	}
+	return NewDefaultWrapStrategy(limiterStrategy, connWrapper, packetConnWrapper), nil
+}
+
+func createSpeedLimiter(speed uint64) *rate.Limiter {
+	return rate.NewLimiter(rate.Limit(float64(speed)), 10000)
+}
+
+func connWithDownloadBandwidthWrapper(ctx context.Context, conn net.Conn, limiter *rate.Limiter, reverse bool) net.Conn {
+	if reverse {
+		return NewConnWithUploadBandwidthLimiter(ctx, conn, limiter)
+	}
+	return NewConnWithDownloadBandwidthLimiter(ctx, conn, limiter)
+}
+
+func connWithUploadBandwidthWrapper(ctx context.Context, conn net.Conn, limiter *rate.Limiter, reverse bool) net.Conn {
+	if reverse {
+		return NewConnWithDownloadBandwidthLimiter(ctx, conn, limiter)
+	}
+	return NewConnWithUploadBandwidthLimiter(ctx, conn, limiter)
+}
+
+func connWithDuplexBandwidthWrapper(ctx context.Context, conn net.Conn, limiter *rate.Limiter, reverse bool) net.Conn {
+	return NewConnWithUploadBandwidthLimiter(ctx, NewConnWithDownloadBandwidthLimiter(ctx, conn, limiter), limiter)
+}
+
+func packetConnWithDownloadBandwidthWrapper(ctx context.Context, conn net.PacketConn, limiter *rate.Limiter, reverse bool) net.PacketConn {
+	if reverse {
+		return NewPacketConnWithUploadBandwidthLimiter(ctx, conn, limiter)
+	}
+	return NewPacketConnWithDownloadBandwidthLimiter(ctx, conn, limiter)
+}
+
+func packetConnWithUploadBandwidthWrapper(ctx context.Context, conn net.PacketConn, limiter *rate.Limiter, reverse bool) net.PacketConn {
+	if reverse {
+		return NewPacketConnWithDownloadBandwidthLimiter(ctx, conn, limiter)
+	}
+	return NewPacketConnWithUploadBandwidthLimiter(ctx, conn, limiter)
+}
+
+func packetConnWithDuplexBandwidthWrapper(ctx context.Context, conn net.PacketConn, limiter *rate.Limiter, reverse bool) net.PacketConn {
+	return NewPacketConnWithUploadBandwidthLimiter(ctx, NewPacketConnWithDownloadBandwidthLimiter(ctx, conn, limiter), limiter)
+}

protocol/limiter/connection/lock.go

@@ -0,0 +1,37 @@
+package connection
+
+import (
+	"context"
+	"sync"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func NewDefaultLock(max uint32) LockIDGetter {
+	locks := make(map[string]*uint32)
+	mtx := sync.Mutex{}
+	return func(id string) (CloseHandlerFunc, context.Context, error) {
+		mtx.Lock()
+		defer mtx.Unlock()
+		handles, ok := locks[id]
+		if !ok {
+			if len(locks) == int(max) {
+				return nil, nil, E.New("not enough free locks")
+			}
+			handles = new(uint32)
+			locks[id] = handles
+		}
+		*handles++
+		var once sync.Once
+		return func() {
+			once.Do(func() {
+				mtx.Lock()
+				defer mtx.Unlock()
+				*handles--
+				if *handles == 0 {
+					delete(locks, id)
+				}
+			})
+		}, nil, nil
+	}
+}

protocol/limiter/connection/outbound.go

@@ -0,0 +1,204 @@
+package connection
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/adapter/outbound"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/route"
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
+)
+
+func RegisterOutbound(registry *outbound.Registry) {
+	outbound.Register[option.ConnectionLimiterOutboundOptions](registry, C.TypeConnectionLimiter, NewOutbound)
+}
+
+type Outbound struct {
+	outbound.Adapter
+	ctx         context.Context
+	outbound    adapter.OutboundManager
+	connection  adapter.ConnectionManager
+	logger      logger.ContextLogger
+	strategy    ConnectionStrategy
+	outboundTag string
+	detour      adapter.Outbound
+	router      *route.Router
+}
+
+func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ConnectionLimiterOutboundOptions) (adapter.Outbound, error) {
+	if options.Strategy == "" {
+		return nil, E.New("missing strategy")
+	}
+	if options.Route.Final == "" {
+		return nil, E.New("missing final outbound")
+	}
+	var strategy ConnectionStrategy
+	var err error
+	switch options.Strategy {
+	case "users":
+		usersStrategies := make(map[string]ConnectionStrategy, len(options.Users))
+		for _, user := range options.Users {
+			userStrategy, err := CreateStrategy(user.Strategy, user.ConnectionType, NewDefaultLock(user.Count))
+			if err != nil {
+				return nil, err
+			}
+			usersStrategies[user.Name] = userStrategy
+		}
+		strategy = NewUsersConnectionStrategy(usersStrategies)
+	case "manager":
+		strategy = NewManagerConnectionStrategy()
+	default:
+		strategy, err = CreateStrategy(options.Strategy, options.ConnectionType, NewDefaultLock(options.Count))
+		if err != nil {
+			return nil, err
+		}
+	}
+	logFactory := service.FromContext[log.Factory](ctx)
+	r := route.NewRouter(ctx, logFactory, options.Route, option.DNSOptions{})
+	err = r.Initialize(options.Route.Rules, options.Route.RuleSet)
+	if err != nil {
+		return nil, err
+	}
+	outbound := &Outbound{
+		Adapter:     outbound.NewAdapter(C.TypeConnectionLimiter, tag, nil, []string{}),
+		ctx:         ctx,
+		outbound:    service.FromContext[adapter.OutboundManager](ctx),
+		connection:  service.FromContext[adapter.ConnectionManager](ctx),
+		logger:      logger,
+		outboundTag: options.Route.Final,
+		strategy:    strategy,
+		router:      r,
+	}
+	return outbound, nil
+}
+
+func (h *Outbound) Network() []string {
+	return []string{N.NetworkTCP, N.NetworkUDP}
+}
+
+func (h *Outbound) Start() error {
+	detour, loaded := h.outbound.Outbound(h.outboundTag)
+	if !loaded {
+		return E.New("outbound not found: ", h.outboundTag)
+	}
+	h.detour = detour
+	for _, stage := range []adapter.StartStage{adapter.StartStateStart, adapter.StartStatePostStart, adapter.StartStateStarted} {
+		err := h.router.Start(stage)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (h *Outbound) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	onClose, lockCtx, err := h.strategy.request(ctx, adapter.ContextFrom(ctx))
+	if err != nil {
+		return nil, err
+	}
+	conn, err := h.detour.DialContext(ctx, network, destination)
+	if err != nil {
+		onClose()
+		return nil, err
+	}
+	conn = newConnWithCloseHandlerFunc(conn, onClose)
+	if lockCtx != nil {
+		go connChecker(lockCtx, conn.Close)
+	}
+	return conn, nil
+}
+
+func (h *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	onClose, lockCtx, err := h.strategy.request(ctx, adapter.ContextFrom(ctx))
+	if err != nil {
+		return nil, err
+	}
+	conn, err := h.detour.ListenPacket(ctx, destination)
+	if err != nil {
+		onClose()
+		return nil, err
+	}
+	conn = newPacketConnWithCloseHandlerFunc(conn, onClose)
+	if lockCtx != nil {
+		go connChecker(lockCtx, conn.Close)
+	}
+	return conn, nil
+}
+
+func (h *Outbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	limiterOnClose, lockCtx, err := h.strategy.request(ctx, &metadata)
+	if err != nil {
+		h.logger.ErrorContext(ctx, err)
+		return
+	}
+	conn = newConnWithCloseHandlerFunc(conn, limiterOnClose)
+	if lockCtx != nil {
+		go connChecker(lockCtx, conn.Close)
+	}
+	metadata.Inbound = h.Tag()
+	metadata.InboundType = h.Type()
+	h.router.RouteConnectionEx(ctx, conn, metadata, onClose)
+	return
+}
+
+func (h *Outbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	limiterOnClose, lockCtx, err := h.strategy.request(ctx, &metadata)
+	if err != nil {
+		h.logger.ErrorContext(ctx, err)
+		return
+	}
+	conn = bufio.NewPacketConn(newPacketConnWithCloseHandlerFunc(bufio.NewNetPacketConn(conn), limiterOnClose))
+	if lockCtx != nil {
+		go connChecker(lockCtx, conn.Close)
+	}
+	metadata.Inbound = h.Tag()
+	metadata.InboundType = h.Type()
+	h.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
+	return
+}
+
+func (h *Outbound) GetStrategy() ConnectionStrategy {
+	return h.strategy
+}
+
+type connWithCloseHandlerFunc struct {
+	net.Conn
+	onClose CloseHandlerFunc
+}
+
+func newConnWithCloseHandlerFunc(conn net.Conn, onClose CloseHandlerFunc) *connWithCloseHandlerFunc {
+	return &connWithCloseHandlerFunc{conn, onClose}
+}
+
+func (conn *connWithCloseHandlerFunc) Close() error {
+	conn.onClose()
+	return conn.Conn.Close()
+}
+
+type packetConnWithCloseHandlerFunc struct {
+	net.PacketConn
+	onClose CloseHandlerFunc
+}
+
+func newPacketConnWithCloseHandlerFunc(conn net.PacketConn, onClose CloseHandlerFunc) *packetConnWithCloseHandlerFunc {
+	return &packetConnWithCloseHandlerFunc{conn, onClose}
+}
+
+func (conn *packetConnWithCloseHandlerFunc) Close() error {
+	conn.onClose()
+	return conn.PacketConn.Close()
+}
+
+func connChecker(ctx context.Context, closeFunc func() error) {
+	<-ctx.Done()
+	closeFunc()
+}

protocol/limiter/connection/strategy.go

@@ -0,0 +1,119 @@
+package connection
+
+import (
+	"context"
+	"strconv"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type (
+	CloseHandlerFunc = func()
+
+	ConnIDGetter = func(context.Context, *adapter.InboundContext) (string, bool)
+	LockIDGetter = func(string) (CloseHandlerFunc, context.Context, error)
+
+	ConnectionStrategy interface {
+		request(ctx context.Context, metadata *adapter.InboundContext) (onClose CloseHandlerFunc, lockCtx context.Context, err error)
+	}
+)
+
+type DefaultConnectionStrategy struct {
+	connIDGetter ConnIDGetter
+	lockIDGetter LockIDGetter
+
+	mtx sync.Mutex
+}
+
+func NewDefaultConnectionStrategy(connIDGetter ConnIDGetter, lockIDGetter LockIDGetter) *DefaultConnectionStrategy {
+	outbound := &DefaultConnectionStrategy{
+		connIDGetter: connIDGetter,
+		lockIDGetter: lockIDGetter,
+	}
+	return outbound
+}
+
+func (s *DefaultConnectionStrategy) request(ctx context.Context, metadata *adapter.InboundContext) (CloseHandlerFunc, context.Context, error) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	id, ok := s.connIDGetter(ctx, metadata)
+	if !ok {
+		return nil, nil, E.New("id not found")
+	}
+	return s.lockIDGetter(id)
+}
+
+type UsersConnectionStrategy struct {
+	strategies map[string]ConnectionStrategy
+	mtx        sync.Mutex
+}
+
+func NewUsersConnectionStrategy(strategies map[string]ConnectionStrategy) *UsersConnectionStrategy {
+	return &UsersConnectionStrategy{
+		strategies: strategies,
+	}
+}
+
+func (s *UsersConnectionStrategy) request(ctx context.Context, metadata *adapter.InboundContext) (CloseHandlerFunc, context.Context, error) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	var user string
+	if metadata != nil {
+		user = metadata.User
+	}
+	strategy, ok := s.strategies[user]
+	if ok {
+		return strategy.request(ctx, metadata)
+	}
+	return nil, nil, E.New("user strategy not found: ", user)
+}
+
+type ManagerConnectionStrategy struct {
+	*UsersConnectionStrategy
+}
+
+func NewManagerConnectionStrategy() *ManagerConnectionStrategy {
+	return &ManagerConnectionStrategy{
+		UsersConnectionStrategy: NewUsersConnectionStrategy(map[string]ConnectionStrategy{}),
+	}
+}
+
+func (s *ManagerConnectionStrategy) UpdateStrategies(strategies map[string]ConnectionStrategy) {
+	s.mtx.Lock()
+	defer s.mtx.Unlock()
+	s.strategies = strategies
+}
+
+func CreateStrategy(strategy string, connectionType string, lockIDGetter LockIDGetter) (ConnectionStrategy, error) {
+	switch strategy {
+	case "connection":
+		var connIDGetter ConnIDGetter
+		switch connectionType {
+		case "mux":
+			connIDGetter = func(ctx context.Context, metadata *adapter.InboundContext) (string, bool) {
+				id, ok := log.MuxIDFromContext(ctx)
+				if !ok {
+					return "", ok
+				}
+				return strconv.FormatUint(uint64(id.ID), 10), ok
+			}
+		case "hwid":
+			connIDGetter = func(ctx context.Context, metadata *adapter.InboundContext) (string, bool) {
+				id, ok := ctx.Value("hwid").(string)
+				return id, ok
+			}
+		case "ip":
+			connIDGetter = func(ctx context.Context, metadata *adapter.InboundContext) (string, bool) {
+				return metadata.Source.IPAddr().String(), true
+			}
+		default:
+			return nil, E.New("connection type not found: ", connectionType)
+		}
+		return NewDefaultConnectionStrategy(connIDGetter, lockIDGetter), nil
+	default:
+		return nil, E.New("strategy not found: ", strategy)
+	}
+}