Add Snell protocol. Refactor MASQUE HTTP/2, Fair Queue. Update XHTTP, OpenVPN, Sudoku, Fallback. Fixes

route/route.go

@@ -58,6 +58,13 @@ func (r *Router) RouteConnectionEx(ctx context.Context, conn net.Conn, metadata
 }
 
 func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) error {
+	select {
+	case <-r.started:
+	case <-ctx.Done():
+		return ctx.Err()
+	case <-r.ctx.Done():
+		return r.ctx.Err()
+	}
 	//nolint:staticcheck
 	if metadata.InboundDetour != "" {
 		if metadata.LastInbound == metadata.InboundDetour {
@@ -192,6 +199,13 @@ func (r *Router) RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn,
 }
 
 func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) error {
+	select {
+	case <-r.started:
+	case <-ctx.Done():
+		return ctx.Err()
+	case <-r.ctx.Done():
+		return r.ctx.Err()
+	}
 	//nolint:staticcheck
 	if metadata.InboundDetour != "" {
 		if metadata.LastInbound == metadata.InboundDetour {

route/route_start_test.go

@@ -0,0 +1,146 @@
+package route
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+)
+
+// newGateTestRouter builds the minimal Router needed to exercise the
+// "wait until started" gate in routeConnection / routePacketConnection.
+func newGateTestRouter(ctx context.Context) *Router {
+	return &Router{
+		ctx:     ctx,
+		started: make(chan struct{}),
+	}
+}
+
+// gateMetadata returns metadata that hits the InboundDetour loop-detection
+// branch (LastInbound == InboundDetour), so routeConnection /
+// routePacketConnection return immediately once the gate is open, without
+// needing any outbound/inbound managers.
+func gateMetadata() adapter.InboundContext {
+	return adapter.InboundContext{InboundDetour: "self", LastInbound: "self"}
+}
+
+// TestRouteConnectionWaitsForStart verifies that a connection arriving before
+// the router finishes starting (StartStatePostStart) blocks until the started
+// channel is closed, then proceeds, instead of dereferencing a nil
+// defaultOutbound.
+func TestRouteConnectionWaitsForStart(t *testing.T) {
+	r := newGateTestRouter(context.Background())
+
+	done := make(chan error, 1)
+	go func() {
+		done <- r.routeConnection(context.Background(), nil, gateMetadata(), nil)
+	}()
+
+	// The gate must block while the router is not yet started.
+	select {
+	case <-done:
+		t.Fatal("routeConnection returned before router was started")
+	case <-time.After(50 * time.Millisecond):
+	}
+
+	// Simulate StartStatePostStart completing.
+	close(r.started)
+
+	select {
+	case err := <-done:
+		// We expect to have passed the gate and reached the loop-detection branch,
+		// which returns the "routing loop on detour" error.
+		if err == nil {
+			t.Fatal("expected routing-loop error after gate opened, got nil")
+		}
+	case <-time.After(time.Second):
+		t.Fatal("routeConnection did not proceed after router started")
+	}
+}
+
+// TestRoutePacketConnectionWaitsForStart is the UDP counterpart.
+func TestRoutePacketConnectionWaitsForStart(t *testing.T) {
+	r := newGateTestRouter(context.Background())
+
+	done := make(chan error, 1)
+	go func() {
+		done <- r.routePacketConnection(context.Background(), nil, gateMetadata(), nil)
+	}()
+
+	select {
+	case <-done:
+		t.Fatal("routePacketConnection returned before router was started")
+	case <-time.After(50 * time.Millisecond):
+	}
+
+	close(r.started)
+
+	select {
+	case err := <-done:
+		if err == nil {
+			t.Fatal("expected routing-loop error after gate opened, got nil")
+		}
+	case <-time.After(time.Second):
+		t.Fatal("routePacketConnection did not proceed after router started")
+	}
+}
+
+// TestRouteConnectionAbortsOnConnContext verifies that a client disconnecting
+// during startup unblocks the gate via the per-connection context, instead of
+// hanging until the router starts.
+func TestRouteConnectionAbortsOnConnContext(t *testing.T) {
+	r := newGateTestRouter(context.Background())
+
+	connCtx, cancel := context.WithCancel(context.Background())
+	done := make(chan error, 1)
+	go func() {
+		done <- r.routeConnection(connCtx, nil, gateMetadata(), nil)
+	}()
+
+	select {
+	case <-done:
+		t.Fatal("routeConnection returned before context was cancelled")
+	case <-time.After(50 * time.Millisecond):
+	}
+
+	cancel()
+
+	select {
+	case err := <-done:
+		if err != context.Canceled {
+			t.Fatalf("expected context.Canceled, got %v", err)
+		}
+	case <-time.After(time.Second):
+		t.Fatal("routeConnection did not abort on connection context cancellation")
+	}
+}
+
+// TestRouteConnectionAbortsOnRouterContext verifies that shutting down the box
+// (router context cancellation) unblocks an in-flight early connection.
+func TestRouteConnectionAbortsOnRouterContext(t *testing.T) {
+	routerCtx, cancel := context.WithCancel(context.Background())
+	r := newGateTestRouter(routerCtx)
+
+	done := make(chan error, 1)
+	go func() {
+		done <- r.routeConnection(context.Background(), nil, gateMetadata(), nil)
+	}()
+
+	select {
+	case <-done:
+		t.Fatal("routeConnection returned before router context was cancelled")
+	case <-time.After(50 * time.Millisecond):
+	}
+
+	cancel()
+
+	select {
+	case err := <-done:
+		if err != context.Canceled {
+			t.Fatalf("expected context.Canceled, got %v", err)
+		}
+	case <-time.After(time.Second):
+		t.Fatal("routeConnection did not abort on router context cancellation")
+	}
+}

route/router.go

@@ -44,7 +44,7 @@ type Router struct {
 	pauseManager      pause.Manager
 	trackers          []adapter.ConnectionTracker
 	platformInterface adapter.PlatformInterface
-	started           bool
+	started           chan struct{}
 }
 
 func NewRouter(ctx context.Context, logFactory log.Factory, options option.RouteOptions, dnsOptions option.DNSOptions) *Router {
@@ -63,6 +63,7 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.Route
 		needFindProcess:   hasRule(options.Rules, isProcessRule) || hasDNSRule(dnsOptions.Rules, isProcessDNSRule) || options.FindProcess,
 		pauseManager:      service.FromContext[pause.Manager](ctx),
 		platformInterface: service.FromContext[adapter.PlatformInterface](ctx),
+		started:           make(chan struct{}),
 	}
 }
 
@@ -180,7 +181,7 @@ func (r *Router) Start(stage adapter.StartStage) error {
 		} else {
 			r.defaultOutbound = r.outbound.Default()
 		}
-		r.started = true
+		close(r.started)
 		return nil
 	case adapter.StartStateStarted:
 		for _, ruleSet := range r.ruleSets {

route/rule/rule_action.go

@@ -29,13 +29,17 @@ func NewRuleAction(ctx context.Context, logger logger.ContextLogger, action opti
 	case "":
 		return nil, nil
 	case C.RuleActionTypeRoute:
-		overrideGateway := M.ParseAddr(action.RouteOptions.OverrideGateway)
+		var overrideGateway *netip.Addr
+		if action.RouteOptions.OverrideGateway != "" {
+			parsed := M.ParseAddr(action.RouteOptions.OverrideGateway)
+			overrideGateway = &parsed
+		}
 		return &RuleActionRoute{
 			Outbound: action.RouteOptions.Outbound,
 			RuleActionRouteOptions: RuleActionRouteOptions{
 				OverrideAddress:           M.ParseSocksaddrHostPort(action.RouteOptions.OverrideAddress, 0),
 				OverridePort:              action.RouteOptions.OverridePort,
-				OverrideGateway:           &overrideGateway,
+				OverrideGateway:           overrideGateway,
 				NetworkStrategy:           (*C.NetworkStrategy)(action.RouteOptions.NetworkStrategy),
 				FallbackDelay:             time.Duration(action.RouteOptions.FallbackDelay),
 				UDPDisableDomainUnmapping: action.RouteOptions.UDPDisableDomainUnmapping,