[dependencies] Update actions/checkout digest to eef6144

documentation: Bump version
Update utls to v1.6.7
2026-05-17 02:08:00 +03:00 · 2024-10-07 18:49:40 +00:00 · 2024-10-07 04:58:58 +08:00 · 2024-10-07 04:58:58 +08:00 · 2024-10-07 04:58:58 +08:00 · 2024-10-07 04:58:57 +08:00
69 changed files with 342 additions and 821 deletions
--- a/23
+++ b/23
@@ -96,7 +96,11 @@ upload_android:
 release_android: lib_android update_android_version build_android upload_android

 publish_android:
-	cd ../sing-box-for-android && ./gradlew :app:publishPlayReleaseBundle && ./gradlew --stop
+	cd ../sing-box-for-android && ./gradlew :app:publishPlayReleaseBundle
+
+publish_android_appcenter:
+	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadPlayRelease
+

 # TODO: find why and remove `-destination 'generic/platform=iOS'`
 build_ios:
@@ -143,28 +147,15 @@ build_macos_dmg:
 		--hide-extension "SFM.app" \
 		--app-drop-link 0 0 \
 		--skip-jenkins \
+		--notarize "notarytool-password" \
 		"../sing-box/dist/SFM/SFM.dmg" "build/SFM.System/SFM.app"

-notarize_macos_dmg:
-	xcrun notarytool submit "dist/SFM/SFM.dmg" --wait \
-	  --keychain-profile "notarytool-password" \
-  	  --no-s3-acceleration
-
 upload_macos_dmg:
 	cd dist/SFM && \
 	cp SFM.dmg "SFM-${VERSION}-universal.dmg" && \
 	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dmg"

-upload_macos_dsyms:
-	pushd ../sing-box-for-apple/build/SFM.System.xcarchive && \
-	zip -r SFM.dSYMs.zip dSYMs && \
-	mv SFM.dSYMs.zip ../../../sing-box/dist/SFM && \
-	popd && \
-	cd dist/SFM && \
-	cp SFM.dSYMs.zip "SFM-${VERSION}-universal.dSYMs.zip" && \
-	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dSYMs.zip"
-
-release_macos_standalone: build_macos_standalone build_macos_dmg notarize_macos_dmg upload_macos_dmg upload_macos_dsyms
+release_macos_standalone: build_macos_standalone build_macos_dmg upload_macos_dmg

 build_tvos:
 	cd ../sing-box-for-apple && \
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -91,6 +91,15 @@ func ContextFrom(ctx context.Context) *InboundContext {
 	return metadata.(*InboundContext)
 }

+func AppendContext(ctx context.Context) (context.Context, *InboundContext) {
+	metadata := ContextFrom(ctx)
+	if metadata != nil {
+		return ctx, metadata
+	}
+	metadata = new(InboundContext)
+	return WithContext(ctx, metadata), metadata
+}
+
 func ExtendContext(ctx context.Context) (context.Context, *InboundContext) {
 	var newMetadata InboundContext
 	if metadata := ContextFrom(ctx); metadata != nil {
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -2,17 +2,13 @@ package adapter

 import (
 	"context"
-	"net"
 	"net/http"
 	"net/netip"
-	"sync"

 	"github.com/sagernet/sing-box/common/geoip"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
-	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"
@@ -102,7 +98,7 @@ type DNSRule interface {

 type RuleSet interface {
 	Name() string
-	StartContext(ctx context.Context, startContext *HTTPStartContext) error
+	StartContext(ctx context.Context, startContext RuleSetStartContext) error
 	PostStart() error
 	Metadata() RuleSetMetadata
 	ExtractIPSet() []*netipx.IPSet
@@ -122,42 +118,10 @@ type RuleSetMetadata struct {
 	ContainsWIFIRule    bool
 	ContainsIPCIDRRule  bool
 }
-type HTTPStartContext struct {
-	access          sync.Mutex
-	httpClientCache map[string]*http.Client
-}

-func NewHTTPStartContext() *HTTPStartContext {
-	return &HTTPStartContext{
-		httpClientCache: make(map[string]*http.Client),
-	}
-}
-
-func (c *HTTPStartContext) HTTPClient(detour string, dialer N.Dialer) *http.Client {
-	c.access.Lock()
-	defer c.access.Unlock()
-	if httpClient, loaded := c.httpClientCache[detour]; loaded {
-		return httpClient
-	}
-	httpClient := &http.Client{
-		Transport: &http.Transport{
-			ForceAttemptHTTP2:   true,
-			TLSHandshakeTimeout: C.TCPTimeout,
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
-			},
-		},
-	}
-	c.httpClientCache[detour] = httpClient
-	return httpClient
-}
-
-func (c *HTTPStartContext) Close() {
-	c.access.Lock()
-	defer c.access.Unlock()
-	for _, client := range c.httpClientCache {
-		client.CloseIdleConnections()
-	}
+type RuleSetStartContext interface {
+	HTTPClient(detour string, dialer N.Dialer) *http.Client
+	Close()
 }

 type InterfaceUpdateListener interface {
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/internal/build_shared/sdk.go
+++ b/cmd/internal/build_shared/sdk.go
@@ -86,7 +86,7 @@ func findNDK() bool {
 	})
 	for _, versionName := range versionNames {
 		currentNDKPath := filepath.Join(androidSDKPath, "ndk", versionName)
-		if rw.IsFile(filepath.Join(currentNDKPath, versionFile)) {
+		if rw.IsFile(filepath.Join(androidSDKPath, versionFile)) {
 			androidNDKPath = currentNDKPath
 			log.Warn("reproducibility warning: using NDK version " + versionName + " instead of " + fixedVersion)
 			return true
--- a/cmd/sing-box/cmd.go
+++ b/cmd/sing-box/cmd.go
@@ -7,10 +7,8 @@ import (
 	"strconv"
 	"time"

-	"github.com/sagernet/sing-box/experimental/deprecated"
 	_ "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"

 	"github.com/spf13/cobra"
@@ -67,5 +65,4 @@ func preRun(cmd *cobra.Command, args []string) {
 	if len(configPaths) == 0 && len(configDirectories) == 0 {
 		configPaths = append(configPaths, "config.json")
 	}
-	globalCtx = service.ContextWith(globalCtx, deprecated.NewStderrManager(log.StdLogger()))
 }
--- a/cmd/sing-box/cmd_check.go
+++ b/cmd/sing-box/cmd_check.go
@@ -30,7 +30,7 @@ func check() error {
 	if err != nil {
 		return err
 	}
-	ctx, cancel := context.WithCancel(globalCtx)
+	ctx, cancel := context.WithCancel(context.Background())
 	instance, err := box.New(box.Options{
 		Context: ctx,
 		Options: options,
--- a/cmd/sing-box/cmd_rule_set_compile.go
+++ b/cmd/sing-box/cmd_rule_set_compile.go
@@ -6,6 +6,7 @@ import (
 	"strings"

 	"github.com/sagernet/sing-box/common/srs"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/json"
@@ -55,6 +56,10 @@ func compileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
+	ruleSet, err := plainRuleSet.Upgrade()
+	if err != nil {
+		return err
+	}
 	var outputPath string
 	if flagRuleSetCompileOutput == flagRuleSetCompileDefaultOutput {
 		if strings.HasSuffix(sourcePath, ".json") {
@@ -69,7 +74,7 @@ func compileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
-	err = srs.Write(outputFile, plainRuleSet.Options, plainRuleSet.Version)
+	err = srs.Write(outputFile, ruleSet, plainRuleSet.Version == C.RuleSetVersion2)
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputPath)
--- a/cmd/sing-box/cmd_rule_set_convert.go
+++ b/cmd/sing-box/cmd_rule_set_convert.go
@@ -7,7 +7,6 @@ import (

 	"github.com/sagernet/sing-box/cmd/sing-box/internal/convertor/adguard"
 	"github.com/sagernet/sing-box/common/srs"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -78,7 +77,7 @@ func convertRuleSet(sourcePath string) error {
 		return err
 	}
 	defer outputFile.Close()
-	err = srs.Write(outputFile, option.PlainRuleSet{Rules: rules}, C.RuleSetVersion2)
+	err = srs.Write(outputFile, option.PlainRuleSet{Rules: rules}, true)
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputPath)
--- a/cmd/sing-box/cmd_rule_set_decompile.go
+++ b/cmd/sing-box/cmd_rule_set_decompile.go
@@ -6,7 +6,9 @@ import (
 	"strings"

 	"github.com/sagernet/sing-box/common/srs"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/json"

 	"github.com/spf13/cobra"
@@ -46,10 +48,14 @@ func decompileRuleSet(sourcePath string) error {
 			return err
 		}
 	}
-	ruleSet, err := srs.Read(reader, true)
+	plainRuleSet, err := srs.Read(reader, true)
 	if err != nil {
 		return err
 	}
+	ruleSet := option.PlainRuleSetCompat{
+		Version: C.RuleSetVersion1,
+		Options: plainRuleSet,
+	}
 	var outputPath string
 	if flagRuleSetDecompileOutput == flagRuleSetDecompileDefaultOutput {
 		if strings.HasSuffix(sourcePath, ".srs") {
--- a/cmd/sing-box/cmd_rule_set_match.go
+++ b/cmd/sing-box/cmd_rule_set_match.go
@@ -55,25 +55,26 @@ func ruleSetMatch(sourcePath string, domain string) error {
 	if err != nil {
 		return E.Cause(err, "read rule-set")
 	}
-	var ruleSet option.PlainRuleSetCompat
+	var plainRuleSet option.PlainRuleSet
 	switch flagRuleSetMatchFormat {
 	case C.RuleSetFormatSource:
-		ruleSet, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
+		var compat option.PlainRuleSetCompat
+		compat, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
+		if err != nil {
+			return err
+		}
+		plainRuleSet, err = compat.Upgrade()
 		if err != nil {
 			return err
 		}
 	case C.RuleSetFormatBinary:
-		ruleSet, err = srs.Read(bytes.NewReader(content), false)
+		plainRuleSet, err = srs.Read(bytes.NewReader(content), false)
 		if err != nil {
 			return err
 		}
 	default:
 		return E.New("unknown rule-set format: ", flagRuleSetMatchFormat)
 	}
-	plainRuleSet, err := ruleSet.Upgrade()
-	if err != nil {
-		return err
-	}
 	ipAddress := M.ParseAddr(domain)
 	var metadata adapter.InboundContext
 	if ipAddress.IsValid() {
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -81,7 +81,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	if options.ConnectTimeout != 0 {
 		dialer.Timeout = time.Duration(options.ConnectTimeout)
 	} else {
-		dialer.Timeout = C.TCPConnectTimeout
+		dialer.Timeout = C.TCPTimeout
 	}
 	// TODO: Add an option to customize the keep alive period
 	dialer.KeepAlive = C.TCPKeepAliveInitial
--- a/common/srs/binary.go
+++ b/common/srs/binary.go
@@ -41,7 +41,7 @@ const (
 	ruleItemFinal uint8 = 0xFF
 )

-func Read(reader io.Reader, recover bool) (ruleSetCompat option.PlainRuleSetCompat, err error) {
+func Read(reader io.Reader, recover bool) (ruleSet option.PlainRuleSet, err error) {
 	var magicBytes [3]byte
 	_, err = io.ReadFull(reader, magicBytes[:])
 	if err != nil {
@@ -54,10 +54,10 @@ func Read(reader io.Reader, recover bool) (ruleSetCompat option.PlainRuleSetComp
 	var version uint8
 	err = binary.Read(reader, binary.BigEndian, &version)
 	if err != nil {
-		return ruleSetCompat, err
+		return ruleSet, err
 	}
-	if version > C.RuleSetVersionCurrent {
-		return ruleSetCompat, E.New("unsupported version: ", version)
+	if version > C.RuleSetVersion2 {
+		return ruleSet, E.New("unsupported version: ", version)
 	}
 	compressReader, err := zlib.NewReader(reader)
 	if err != nil {
@@ -68,10 +68,9 @@ func Read(reader io.Reader, recover bool) (ruleSetCompat option.PlainRuleSetComp
 	if err != nil {
 		return
 	}
-	ruleSetCompat.Version = version
-	ruleSetCompat.Options.Rules = make([]option.HeadlessRule, length)
+	ruleSet.Rules = make([]option.HeadlessRule, length)
 	for i := uint64(0); i < length; i++ {
-		ruleSetCompat.Options.Rules[i], err = readRule(bReader, recover)
+		ruleSet.Rules[i], err = readRule(bReader, recover)
 		if err != nil {
 			err = E.Cause(err, "read rule[", i, "]")
 			return
@@ -80,12 +79,18 @@ func Read(reader io.Reader, recover bool) (ruleSetCompat option.PlainRuleSetComp
 	return
 }

-func Write(writer io.Writer, ruleSet option.PlainRuleSet, generateVersion uint8) error {
+func Write(writer io.Writer, ruleSet option.PlainRuleSet, generateUnstable bool) error {
 	_, err := writer.Write(MagicBytes[:])
 	if err != nil {
 		return err
 	}
-	err = binary.Write(writer, binary.BigEndian, generateVersion)
+	var version uint8
+	if generateUnstable {
+		version = C.RuleSetVersion2
+	} else {
+		version = C.RuleSetVersion1
+	}
+	err = binary.Write(writer, binary.BigEndian, version)
 	if err != nil {
 		return err
 	}
@@ -99,7 +104,7 @@ func Write(writer io.Writer, ruleSet option.PlainRuleSet, generateVersion uint8)
 		return err
 	}
 	for _, rule := range ruleSet.Rules {
-		err = writeRule(bWriter, rule, generateVersion)
+		err = writeRule(bWriter, rule, generateUnstable)
 		if err != nil {
 			return err
 		}
@@ -130,12 +135,12 @@ func readRule(reader varbin.Reader, recover bool) (rule option.HeadlessRule, err
 	return
 }

-func writeRule(writer varbin.Writer, rule option.HeadlessRule, generateVersion uint8) error {
+func writeRule(writer varbin.Writer, rule option.HeadlessRule, generateUnstable bool) error {
 	switch rule.Type {
 	case C.RuleTypeDefault:
-		return writeDefaultRule(writer, rule.DefaultOptions, generateVersion)
+		return writeDefaultRule(writer, rule.DefaultOptions, generateUnstable)
 	case C.RuleTypeLogical:
-		return writeLogicalRule(writer, rule.LogicalOptions, generateVersion)
+		return writeLogicalRule(writer, rule.LogicalOptions, generateUnstable)
 	default:
 		panic("unknown rule type: " + rule.Type)
 	}
@@ -235,7 +240,7 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 	}
 }

-func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, generateVersion uint8) error {
+func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, generateUnstable bool) error {
 	err := binary.Write(writer, binary.BigEndian, uint8(0))
 	if err != nil {
 		return err
@@ -259,7 +264,7 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 		if err != nil {
 			return err
 		}
-		err = domain.NewMatcher(rule.Domain, rule.DomainSuffix, generateVersion == C.RuleSetVersion1).Write(writer)
+		err = domain.NewMatcher(rule.Domain, rule.DomainSuffix, !generateUnstable).Write(writer)
 		if err != nil {
 			return err
 		}
@@ -349,9 +354,6 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 		}
 	}
 	if len(rule.AdGuardDomain) > 0 {
-		if generateVersion < C.RuleSetVersion2 {
-			return E.New("AdGuard rule items is only supported in version 2 or later")
-		}
 		err = binary.Write(writer, binary.BigEndian, ruleItemAdGuardDomain)
 		if err != nil {
 			return err
@@ -455,7 +457,7 @@ func readLogicalRule(reader varbin.Reader, recovery bool) (logicalRule option.Lo
 	return
 }

-func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRule, generateVersion uint8) error {
+func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRule, generateUnstable bool) error {
 	err := binary.Write(writer, binary.BigEndian, uint8(1))
 	if err != nil {
 		return err
@@ -476,7 +478,7 @@ func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRu
 		return err
 	}
 	for _, rule := range logicalRule.Rules {
-		err = writeRule(writer, rule, generateVersion)
+		err = writeRule(writer, rule, generateUnstable)
 		if err != nil {
 			return err
 		}
--- a/common/tls/ech_server.go
+++ b/common/tls/ech_server.go
@@ -97,10 +97,6 @@ func (c *echServerConfig) startWatcher() error {
 	if err != nil {
 		return err
 	}
-	err = watcher.Start()
-	if err != nil {
-		return err
-	}
 	c.watcher = watcher
 	return nil
 }
@@ -236,7 +232,7 @@ func NewECHServer(ctx context.Context, logger log.Logger, options option.Inbound
 	var echKey []byte
 	if len(options.ECH.Key) > 0 {
 		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
-	} else if options.ECH.KeyPath != "" {
+	} else if options.KeyPath != "" {
 		content, err := os.ReadFile(options.ECH.KeyPath)
 		if err != nil {
 			return nil, E.Cause(err, "read ECH key")
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -106,10 +106,6 @@ func (c *STDServerConfig) startWatcher() error {
 	if err != nil {
 		return err
 	}
-	err = watcher.Start()
-	if err != nil {
-		return err
-	}
 	c.watcher = watcher
 	return nil
 }
--- a/common/urltest/urltest.go
+++ b/common/urltest/urltest.go
@@ -8,7 +8,6 @@ import (
 	"sync"
 	"time"

-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -114,7 +113,6 @@ func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err e
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
-		Timeout: C.TCPTimeout,
 	}
 	defer client.CloseIdleConnections()
 	resp, err := client.Do(req.WithContext(ctx))
--- a/constant/rule.go
+++ b/constant/rule.go
@@ -21,5 +21,4 @@ const (
 const (
 	RuleSetVersion1 = 1 + iota
 	RuleSetVersion2
-	RuleSetVersionCurrent = RuleSetVersion2
 )
--- a/constant/timeout.go
+++ b/constant/timeout.go
@@ -5,8 +5,7 @@ import "time"
 const (
 	TCPKeepAliveInitial        = 10 * time.Minute
 	TCPKeepAliveInterval       = 75 * time.Second
-	TCPConnectTimeout          = 5 * time.Second
-	TCPTimeout                 = 15 * time.Second
+	TCPTimeout                 = 5 * time.Second
 	ReadPayloadTimeout         = 300 * time.Millisecond
 	DNSTimeout                 = 10 * time.Second
 	QUICTimeout                = 30 * time.Second
--- a/debug_http.go
+++ b/debug_http.go
@@ -46,7 +46,7 @@ func applyDebugListenOption(options option.DebugOptions) {

 			encoder := json.NewEncoder(writer)
 			encoder.SetIndent("", "  ")
-			encoder.Encode(&memObject)
+			encoder.Encode(memObject)
 		})
 		r.Route("/pprof", func(r chi.Router) {
 			r.HandleFunc("/", func(writer http.ResponseWriter, request *http.Request) {
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,114 +2,10 @@
 icon: material/alert-decagram
 ---

-### 1.10.2
-
-* Add deprecated warnings
-* Fix proxying websocket connections in HTTP/mixed inbounds
-* Fixes and improvements
-
-### 1.10.1
+#### 1.10.0-beta.12

 * Fixes and improvements

-### 1.10.0
-
-Important changes since 1.9:
-
-* Introducing auto-redirect **1**
-* Add AdGuard DNS Filter support **2**
-* TUN address fields are merged **3**
-* Add custom options for `auto-route` and `auto-redirect` **4**
-* Drop support for go1.18 and go1.19 **5**
-* Add tailing comma support in JSON configuration
-* Improve sniffers **6**
-* Add new `inline` rule-set type **7**
-* Add access control options for Clash API **8**
-* Add `rule_set_ip_cidr_accept_empty` DNS address filter rule item **9**
-* Add auto reload support for local rule-set
-* Update fsnotify usages **10**
-* Add IP address support for `rule-set match` command
-* Add `rule-set decompile` command
-* Add `process_path_regex` rule item
-* Update uTLS to v1.6.7 **11**
-* Optimize memory usages of rule-sets **12**
-
-**1**:
-
-The new auto-redirect feature allows TUN to automatically
-configure connection redirection to improve proxy performance.
-
-When auto-redirect is enabled, new route address set options will allow you to
-automatically configure destination IP CIDR rules from a specified rule set to the firewall.
-
-Specified or unspecified destinations will bypass the sing-box routes to get better performance
-(for example, keep hardware offloading of direct traffics on the router).
-
-See [TUN](/configuration/inbound/tun).
-
-**2**:
-
-The new feature allows you to use AdGuard DNS Filter lists in a sing-box without AdGuard Home.
-
-See [AdGuard DNS Filter](/configuration/rule-set/adguard/).
-
-**3**:
-
-See [Migration](/migration/#tun-address-fields-are-merged).
-
-**4**:
-
-See [iproute2_table_index](/configuration/inbound/tun/#iproute2_table_index),
-[iproute2_rule_index](/configuration/inbound/tun/#iproute2_rule_index),
-[auto_redirect_input_mark](/configuration/inbound/tun/#auto_redirect_input_mark) and
-[auto_redirect_output_mark](/configuration/inbound/tun/#auto_redirect_output_mark).
-
-**5**:
-
-Due to maintenance difficulties, sing-box 1.10.0 requires at least Go 1.20 to compile.
-
-**6**:
-
-BitTorrent, DTLS, RDP, SSH sniffers are added.
-
-Now the QUIC sniffer can correctly extract the server name from Chromium requests and
-can identify common QUIC clients, including
-Chromium, Safari, Firefox, quic-go (including uquic disguised as Chrome).
-
-**7**:
-
-The new [rule-set](/configuration/rule-set/) type inline (which also becomes the default type)
-allows you to write headless rules directly without creating a rule-set file.
-
-**8**:
-
-With the new access control options, not only can you allow Clash dashboards
-to access the Clash API on your local network,
-you can also manually limit the websites that can access the API instead of allowing everyone.
-
-See [Clash API](/configuration/experimental/clash-api/).
-
-**9**:
-
-See [DNS Rule](/configuration/dns/rule/#rule_set_ip_cidr_accept_empty).
-
-**10**:
-
-sing-box now uses fsnotify correctly and will not cancel watching
-if the target file is deleted or recreated via rename (e.g. `mv`).
-
-This affects all path options that support reload, including
-`tls.certificate_path`, `tls.key_path`, `tls.ech.key_path` and `rule_set.path`.
-
-**11**:
-
-Some legacy chrome fingerprints have been removed and will fallback to chrome,
-see [utls](/configuration/shared/tls#utls).
-
-**12**:
-
-See [Source Format](/configuration/rule-set/source-format/#version).
-
 ### 1.9.7

 * Fixes and improvements
@@ -117,20 +13,18 @@ See [Source Format](/configuration/rule-set/source-format/#version).
 #### 1.10.0-beta.11

 * Update uTLS to v1.6.7 **1**
+* Add ipk in release artifacts

 **1**:

-Some legacy chrome fingerprints have been removed and will fallback to chrome,
-see [utls](/configuration/shared/tls#utls).
+Some legacy chrome fingerprints have been removed and will fallback to chrome, see [utls](/configuration/shared/tls#utls).

 #### 1.10.0-beta.10

 * Add `process_path_regex` rule item
 * Fixes and improvements

-_The macOS standalone versions of sing-box (>=1.9.5/<1.10.0-beta.11) now silently fail and require manual granting of
-the **Full Disk Access** permission to system extension to start, probably due to Apple's changed security policy. We
-will prompt users about this in feature versions._
+_The macOS standalone versions of sing-box (>=1.9.5/<1.10.0-beta.11) now silently fail and require manual granting of the **Full Disk Access** permission to system extension to start, probably due to Apple's changed security policy. We will prompt users about this in feature versions._

 ### 1.9.6

@@ -160,8 +54,7 @@ We are still working on getting all sing-box apps back on the App Store, which s

 * Fixes and improvements

-_With the help of a netizen, we are in the process of getting sing-box apps back on the App Store, which should be
-completed within a month (TestFlight is already available)._
+_With the help of a netizen, we are in the process of getting sing-box apps back on the App Store, which should be completed within a month (TestFlight is already available)._

 #### 1.10.0-beta.7

@@ -266,9 +159,11 @@ See [Source Format](/configuration/rule-set/source-format/#version).

 **1**:

-The new [rule-set](/configuration/rule-set/) type inline (which also becomes the default type)
+The new [rule-set] type inline (which also becomes the default type)
 allows you to write headless rules directly without creating a rule-set file.

+[rule-set]: /configuration/rule-set/
+
 **2**:

 sing-box now uses fsnotify correctly and will not cancel watching
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -232,12 +232,12 @@ Automatically configure iptables/nftables to redirect connections.

 *In Android*：

-Only local IPv4 connections are forwarded. To share your VPN connection over hotspot or repeater,
+Only local connections are forwarded. To share your VPN connection over hotspot or repeater,
 use [VPNHotspot](https://github.com/Mygod/VPNHotspot).

 *In Linux*:

-`auto_route` with `auto_redirect` works as expected on routers **without intervention**.
+`auto_route` with `auto_redirect` now works as expected on routers **without intervention**.

 #### auto_redirect_input_mark

--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -232,7 +232,7 @@ tun 接口的 IPv6 前缀。

    仅支持 Linux，且需要 `auto_route` 已启用。 

-自动配置 iptables/nftables 以重定向连接。
+自动配置 iptables 以重定向 TCP 连接。

 *在 Android 中*：

@@ -240,7 +240,7 @@ tun 接口的 IPv6 前缀。

 *在 Linux 中*:

-带有 `auto_redirect `的 `auto_route` 可以在路由器上按预期工作，**无需干预**。
+带有 `auto_redirect `的 `auto_route` 现在可以在路由器上按预期工作，**无需干预**。

 #### auto_redirect_input_mark

--- a/docs/deprecated.md
+++ b/docs/deprecated.md
@@ -14,11 +14,6 @@ icon: material/delete-alert

 Old fields are deprecated and will be removed in sing-box 1.11.0.

-#### Match source rule items are renamed
-
-`rule_set_ipcidr_match_source` route and DNS rule items are renamed to
-`rule_set_ip_cidr_match_source` and will be remove in sing-box 1.11.0.
-
 #### Drop support for go1.18 and go1.19

 Due to maintenance difficulties, sing-box 1.10.0 requires at least Go 1.20 to compile.
--- a/docs/deprecated.zh.md
+++ b/docs/deprecated.zh.md
@@ -6,18 +6,13 @@ icon: material/delete-alert

 ## 1.10.0

-#### Match source 规则项已重命名
-
-`rule_set_ipcidr_match_source` 路由和 DNS 规则项已被重命名为
-`rule_set_ip_cidr_match_source` 且将在 sing-box 1.11.0 中被移除。
-
 #### TUN 地址字段已合并

 `inet4_address` 和 `inet6_address` 已合并为 `address`，
 `inet4_route_address` 和 `inet6_route_address` 已合并为 `route_address`，
 `inet4_route_exclude_address` 和 `inet6_route_exclude_address` 已合并为 `route_exclude_address`。

-旧字段已废弃，且将在 sing-box 1.11.0 中被移除。
+旧字段已废弃，且将在 sing-box 1.11.0 中移除。

 #### 移除对 go1.18 和 go1.19 的支持

--- a/experimental/clashapi/server_resources.go
+++ b/experimental/clashapi/server_resources.go
@@ -9,9 +9,9 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
@@ -60,7 +60,7 @@ func (s *Server) downloadExternalUI() error {
 	httpClient := &http.Client{
 		Transport: &http.Transport{
 			ForceAttemptHTTP2:   true,
-			TLSHandshakeTimeout: C.TCPTimeout,
+			TLSHandshakeTimeout: 5 * time.Second,
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				return detour.DialContext(ctx, network, M.ParseSocksaddr(addr))
 			},
--- a/experimental/deprecated/constants.go
+++ b/experimental/deprecated/constants.go
@@ -1,90 +0,0 @@
-package deprecated
-
-import (
-	"github.com/sagernet/sing-box/common/badversion"
-	C "github.com/sagernet/sing-box/constant"
-	F "github.com/sagernet/sing/common/format"
-
-	"golang.org/x/mod/semver"
-)
-
-type Note struct {
-	Name              string
-	Description       string
-	DeprecatedVersion string
-	ScheduledVersion  string
-	EnvName           string
-	MigrationLink     string
-}
-
-func (n Note) Impending() bool {
-	if n.ScheduledVersion == "" {
-		return false
-	}
-	if !semver.IsValid("v" + C.Version) {
-		return false
-	}
-	versionCurrent := badversion.Parse(C.Version)
-	versionMinor := badversion.Parse(n.ScheduledVersion).Minor - versionCurrent.Minor
-	if versionCurrent.PreReleaseIdentifier == "" && versionMinor < 0 {
-		panic("invalid deprecated note: " + n.Name)
-	}
-	return versionMinor <= 1
-}
-
-func (n Note) Message() string {
-	return F.ToString(
-		n.Description, " is deprecated in sing-box ", n.DeprecatedVersion,
-		" and will be removed in sing-box ", n.ScheduledVersion, ", please checkout documentation for migration.",
-	)
-}
-
-func (n Note) MessageWithLink() string {
-	return F.ToString(
-		n.Description, " is deprecated in sing-box ", n.DeprecatedVersion,
-		" and will be removed in sing-box ", n.ScheduledVersion, ", checkout documentation for migration: ", n.MigrationLink,
-	)
-}
-
-var OptionBadMatchSource = Note{
-	Name:              "bad-match-source",
-	Description:       "legacy match source rule item",
-	DeprecatedVersion: "1.10.0",
-	ScheduledVersion:  "1.11.0",
-	EnvName:           "BAD_MATCH_SOURCE",
-	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#match-source-rule-items-are-renamed",
-}
-
-var OptionGEOIP = Note{
-	Name:              "geoip",
-	Description:       "geoip database",
-	DeprecatedVersion: "1.8.0",
-	ScheduledVersion:  "1.12.0",
-	EnvName:           "GEOIP",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geoip-to-rule-sets",
-}
-
-var OptionGEOSITE = Note{
-	Name:              "geosite",
-	Description:       "geosite database",
-	DeprecatedVersion: "1.8.0",
-	ScheduledVersion:  "1.12.0",
-	EnvName:           "GEOSITE",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-geosite-to-rule-sets",
-}
-
-var OptionTUNAddressX = Note{
-	Name:              "tun-address-x",
-	Description:       "legacy tun address fields",
-	DeprecatedVersion: "1.10.0",
-	ScheduledVersion:  "1.12.0",
-	EnvName:           "TUN_ADDRESS_X",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#tun-address-fields-are-merged",
-}
-
-var Options = []Note{
-	OptionBadMatchSource,
-	OptionGEOIP,
-	OptionGEOSITE,
-	OptionTUNAddressX,
-}
--- a/experimental/deprecated/manager.go
+++ b/experimental/deprecated/manager.go
@@ -1,19 +0,0 @@
-package deprecated
-
-import (
-	"context"
-
-	"github.com/sagernet/sing/service"
-)
-
-type Manager interface {
-	ReportDeprecated(feature Note)
-}
-
-func Report(ctx context.Context, feature Note) {
-	manager := service.FromContext[Manager](ctx)
-	if manager == nil {
-		return
-	}
-	manager.ReportDeprecated(feature)
-}
--- a/experimental/deprecated/stderr.go
+++ b/experimental/deprecated/stderr.go
@@ -1,38 +0,0 @@
-package deprecated
-
-import (
-	"os"
-	"strconv"
-
-	"github.com/sagernet/sing/common/logger"
-)
-
-type stderrManager struct {
-	logger   logger.Logger
-	reported map[string]bool
-}
-
-func NewStderrManager(logger logger.Logger) Manager {
-	return &stderrManager{
-		logger:   logger,
-		reported: make(map[string]bool),
-	}
-}
-
-func (f *stderrManager) ReportDeprecated(feature Note) {
-	if f.reported[feature.Name] {
-		return
-	}
-	f.reported[feature.Name] = true
-	if !feature.Impending() {
-		f.logger.Warn(feature.MessageWithLink())
-		return
-	}
-	enable, enableErr := strconv.ParseBool(os.Getenv("ENABLE_DEPRECATED_" + feature.EnvName))
-	if enableErr == nil && enable {
-		f.logger.Warn(feature.MessageWithLink())
-		return
-	}
-	f.logger.Error(feature.MessageWithLink())
-	f.logger.Fatal("to continuing using this feature, set ENABLE_DEPRECATED_" + feature.EnvName + "=true")
-}
--- a/experimental/libbox/command.go
+++ b/experimental/libbox/command.go
@@ -16,5 +16,4 @@ const (
 	CommandSetSystemProxyEnabled
 	CommandConnections
 	CommandCloseConnection
-	CommandGetDeprecatedNotes
 )
--- a/experimental/libbox/command_close_connection.go
+++ b/experimental/libbox/command_close_connection.go
@@ -18,10 +18,6 @@ func (c *CommandClient) CloseConnection(connId string) error {
 		return err
 	}
 	defer conn.Close()
-	err = binary.Write(conn, binary.BigEndian, uint8(CommandCloseConnection))
-	if err != nil {
-		return err
-	}
 	writer := bufio.NewWriter(conn)
 	err = varbin.Write(writer, binary.BigEndian, connId)
 	if err != nil {
--- a/experimental/libbox/command_connections.go
+++ b/experimental/libbox/command_connections.go
@@ -25,7 +25,6 @@ func (c *CommandClient) handleConnectionsConn(conn net.Conn) {
 		connections    Connections
 	)
 	for {
-		rawConnections = nil
 		err := varbin.Read(reader, binary.BigEndian, &rawConnections)
 		if err != nil {
 			c.handler.Disconnected(err.Error())
--- a/experimental/libbox/command_deprecated_report.go
+++ b/experimental/libbox/command_deprecated_report.go
@@ -1,46 +0,0 @@
-package libbox
-
-import (
-	"encoding/binary"
-	"net"
-
-	"github.com/sagernet/sing-box/experimental/deprecated"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/varbin"
-	"github.com/sagernet/sing/service"
-)
-
-func (c *CommandClient) GetDeprecatedNotes() (DeprecatedNoteIterator, error) {
-	conn, err := c.directConnect()
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	err = binary.Write(conn, binary.BigEndian, uint8(CommandGetDeprecatedNotes))
-	if err != nil {
-		return nil, err
-	}
-	err = readError(conn)
-	if err != nil {
-		return nil, err
-	}
-	var features []deprecated.Note
-	err = varbin.Read(conn, binary.BigEndian, &features)
-	if err != nil {
-		return nil, err
-	}
-	return newIterator(common.Map(features, func(it deprecated.Note) *DeprecatedNote { return (*DeprecatedNote)(&it) })), nil
-}
-
-func (s *CommandServer) handleGetDeprecatedNotes(conn net.Conn) error {
-	boxService := s.service
-	if boxService == nil {
-		return writeError(conn, E.New("service not ready"))
-	}
-	err := writeError(conn, nil)
-	if err != nil {
-		return err
-	}
-	return varbin.Write(conn, binary.BigEndian, service.FromContext[deprecated.Manager](boxService.ctx).(*deprecatedManager).Get())
-}
--- a/experimental/libbox/command_server.go
+++ b/experimental/libbox/command_server.go
@@ -174,8 +174,6 @@ func (s *CommandServer) handleConnection(conn net.Conn) error {
 		return s.handleConnectionsConn(conn)
 	case CommandCloseConnection:
 		return s.handleCloseConnection(conn)
-	case CommandGetDeprecatedNotes:
-		return s.handleGetDeprecatedNotes(conn)
 	default:
 		return E.New("unknown command: ", command)
 	}
--- a/experimental/libbox/config.go
+++ b/experimental/libbox/config.go
@@ -9,7 +9,6 @@ import (
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/process"
-	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
@@ -55,7 +54,7 @@ func (s *platformInterfaceStub) UsePlatformAutoDetectInterfaceControl() bool {
 	return true
 }

-func (s *platformInterfaceStub) AutoDetectInterfaceControl(fd int) error {
+func (s *platformInterfaceStub) AutoDetectInterfaceControl() control.Func {
 	return nil
 }

@@ -135,10 +134,6 @@ func (s *interfaceMonitorStub) RegisterCallback(callback tun.DefaultInterfaceUpd
 func (s *interfaceMonitorStub) UnregisterCallback(element *list.Element[tun.DefaultInterfaceUpdateCallback]) {
 }

-func (s *platformInterfaceStub) SendNotification(notification *platform.Notification) error {
-	return nil
-}
-
 func FormatConfig(configContent string) (string, error) {
 	options, err := parseConfig(configContent)
 	if err != nil {
--- a/experimental/libbox/deprecated.go
+++ b/experimental/libbox/deprecated.go
@@ -1,57 +0,0 @@
-package libbox
-
-import (
-	"sync"
-
-	"github.com/sagernet/sing-box/experimental/deprecated"
-	"github.com/sagernet/sing/common"
-)
-
-var _ deprecated.Manager = (*deprecatedManager)(nil)
-
-type deprecatedManager struct {
-	access sync.Mutex
-	notes  []deprecated.Note
-}
-
-func (m *deprecatedManager) ReportDeprecated(feature deprecated.Note) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	m.notes = common.Uniq(append(m.notes, feature))
-}
-
-func (m *deprecatedManager) Get() []deprecated.Note {
-	m.access.Lock()
-	defer m.access.Unlock()
-	notes := m.notes
-	m.notes = nil
-	return notes
-}
-
-var _ = deprecated.Note(DeprecatedNote{})
-
-type DeprecatedNote struct {
-	Name              string
-	Description       string
-	DeprecatedVersion string
-	ScheduledVersion  string
-	EnvName           string
-	MigrationLink     string
-}
-
-func (n DeprecatedNote) Impending() bool {
-	return deprecated.Note(n).Impending()
-}
-
-func (n DeprecatedNote) Message() string {
-	return deprecated.Note(n).Message()
-}
-
-func (n DeprecatedNote) MessageWithLink() string {
-	return deprecated.Note(n).MessageWithLink()
-}
-
-type DeprecatedNoteIterator interface {
-	HasNext() bool
-	Next() *DeprecatedNote
-}
--- a/experimental/libbox/http.go
+++ b/experimental/libbox/http.go
@@ -17,8 +17,8 @@ import (
 	"os"
 	"strconv"
 	"sync"
+	"time"

-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -69,9 +69,8 @@ type httpClient struct {

 func NewHTTPClient() HTTPClient {
 	client := new(httpClient)
+	client.client.Timeout = 15 * time.Second
 	client.client.Transport = &client.transport
-	client.transport.ForceAttemptHTTP2 = true
-	client.transport.TLSHandshakeTimeout = C.TCPTimeout
 	client.transport.TLSClientConfig = &client.tls
 	client.transport.DisableKeepAlives = true
 	return client
@@ -128,6 +127,7 @@ func (c *httpClient) TrySocks5(port int32) {
 }

 func (c *httpClient) KeepAlive() {
+	c.transport.ForceAttemptHTTP2 = true
 	c.transport.DisableKeepAlives = false
 }

--- a/experimental/libbox/link_flags_linux.go
+++ b/experimental/libbox/link_flags_linux.go
@@ -1,30 +0,0 @@
-package libbox
-
-import (
-	"net"
-	"syscall"
-)
-
-// copied from net.linkFlags
-func linkFlags(rawFlags uint32) net.Flags {
-	var f net.Flags
-	if rawFlags&syscall.IFF_UP != 0 {
-		f |= net.FlagUp
-	}
-	if rawFlags&syscall.IFF_RUNNING != 0 {
-		f |= net.FlagRunning
-	}
-	if rawFlags&syscall.IFF_BROADCAST != 0 {
-		f |= net.FlagBroadcast
-	}
-	if rawFlags&syscall.IFF_LOOPBACK != 0 {
-		f |= net.FlagLoopback
-	}
-	if rawFlags&syscall.IFF_POINTOPOINT != 0 {
-		f |= net.FlagPointToPoint
-	}
-	if rawFlags&syscall.IFF_MULTICAST != 0 {
-		f |= net.FlagMulticast
-	}
-	return f
-}
--- a/experimental/libbox/link_flags_stub.go
+++ b/experimental/libbox/link_flags_stub.go
@@ -1,11 +0,0 @@
-//go:build !linux
-
-package libbox
-
-import (
-	"net"
-)
-
-func linkFlags(rawFlags uint32) net.Flags {
-	panic("stub!")
-}
--- a/experimental/libbox/platform.go
+++ b/experimental/libbox/platform.go
@@ -22,7 +22,6 @@ type PlatformInterface interface {
 	IncludeAllNetworks() bool
 	ReadWIFIState() *WIFIState
 	ClearDNSCache()
-	SendNotification(notification *Notification) error
 }

 type TunInterface interface {
@@ -39,7 +38,6 @@ type NetworkInterface struct {
 	MTU       int32
 	Name      string
 	Addresses StringIterator
-	Flags     int32
 }

 type WIFIState struct {
@@ -56,16 +54,6 @@ type NetworkInterfaceIterator interface {
 	HasNext() bool
 }

-type Notification struct {
-	Identifier string
-	TypeName   string
-	TypeID     int32
-	Title      string
-	Subtitle   string
-	Body       string
-	OpenURL    string
-}
-
 type OnDemandRule interface {
 	Target() int32
 	DNSSearchDomainMatch() StringIterator
--- a/experimental/libbox/platform/interface.go
+++ b/experimental/libbox/platform/interface.go
@@ -14,7 +14,7 @@ import (
 type Interface interface {
 	Initialize(ctx context.Context, router adapter.Router) error
 	UsePlatformAutoDetectInterfaceControl() bool
-	AutoDetectInterfaceControl(fd int) error
+	AutoDetectInterfaceControl() control.Func
 	OpenTun(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error)
 	UsePlatformDefaultInterfaceMonitor() bool
 	CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor
@@ -25,15 +25,4 @@ type Interface interface {
 	ClearDNSCache()
 	ReadWIFIState() adapter.WIFIState
 	process.Searcher
-	SendNotification(notification *Notification) error
-}
-
-type Notification struct {
-	Identifier string
-	TypeName   string
-	TypeID     int32
-	Title      string
-	Subtitle   string
-	Body       string
-	OpenURL    string
 }
--- a/experimental/libbox/profile_import.go
+++ b/experimental/libbox/profile_import.go
@@ -218,7 +218,7 @@ func DecodeProfileContent(data []byte) (*ProfileContent, error) {
 	if err != nil {
 		return nil, err
 	}
-	err = binary.Read(bReader, binary.BigEndian, &content.Type)
+	err = binary.Read(reader, binary.BigEndian, &content.Type)
 	if err != nil {
 		return nil, err
 	}
@@ -233,17 +233,17 @@ func DecodeProfileContent(data []byte) (*ProfileContent, error) {
 		}
 	}
 	if content.Type == ProfileTypeRemote || (version == 0 && content.Type != ProfileTypeLocal) {
-		err = binary.Read(bReader, binary.BigEndian, &content.AutoUpdate)
+		err = binary.Read(reader, binary.BigEndian, &content.AutoUpdate)
 		if err != nil {
 			return nil, err
 		}
 		if version >= 1 {
-			err = binary.Read(bReader, binary.BigEndian, &content.AutoUpdateInterval)
+			err = binary.Read(reader, binary.BigEndian, &content.AutoUpdateInterval)
 			if err != nil {
 				return nil, err
 			}
 		}
-		err = binary.Read(bReader, binary.BigEndian, &content.LastUpdated)
+		err = binary.Read(reader, binary.BigEndian, &content.LastUpdated)
 		if err != nil {
 			return nil, err
 		}
--- a/experimental/libbox/service.go
+++ b/experimental/libbox/service.go
@@ -14,7 +14,6 @@ import (
 	"github.com/sagernet/sing-box/common/process"
 	"github.com/sagernet/sing-box/common/urltest"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/experimental/libbox/internal/procfs"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/log"
@@ -50,7 +49,6 @@ func NewService(configContent string, platformInterface PlatformInterface) (*Box
 	ctx = filemanager.WithDefault(ctx, sWorkingPath, sTempPath, sUserID, sGroupID)
 	urlTestHistoryStorage := urltest.NewHistoryStorage()
 	ctx = service.ContextWithPtr(ctx, urlTestHistoryStorage)
-	ctx = service.ContextWith[deprecated.Manager](ctx, new(deprecatedManager))
 	platformWrapper := &platformInterfaceWrapper{iif: platformInterface, useProcFS: platformInterface.UseProcFS()}
 	instance, err := box.New(box.Options{
 		Context:           ctx,
@@ -116,8 +114,12 @@ func (w *platformInterfaceWrapper) UsePlatformAutoDetectInterfaceControl() bool
 	return w.iif.UsePlatformAutoDetectInterfaceControl()
 }

-func (w *platformInterfaceWrapper) AutoDetectInterfaceControl(fd int) error {
-	return w.iif.AutoDetectInterfaceControl(int32(fd))
+func (w *platformInterfaceWrapper) AutoDetectInterfaceControl() control.Func {
+	return func(network, address string, conn syscall.RawConn) error {
+		return control.Raw(conn, func(fd uintptr) error {
+			return w.iif.AutoDetectInterfaceControl(int32(fd))
+		})
+	}
 }

 func (w *platformInterfaceWrapper) OpenTun(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error) {
@@ -175,7 +177,6 @@ func (w *platformInterfaceWrapper) Interfaces() ([]control.Interface, error) {
 			MTU:       int(netInterface.MTU),
 			Name:      netInterface.Name,
 			Addresses: common.Map(iteratorToArray[string](netInterface.Addresses), netip.MustParsePrefix),
-			Flags:     linkFlags(uint32(netInterface.Flags)),
 		})
 	}
 	return interfaces, nil
@@ -235,7 +236,3 @@ func (w *platformInterfaceWrapper) DisableColors() bool {
 func (w *platformInterfaceWrapper) WriteMessage(level log.Level, message string) {
 	w.iif.WriteLog(message)
 }
-
-func (w *platformInterfaceWrapper) SendNotification(notification *platform.Notification) error {
-	return w.iif.SendNotification((*Notification)(notification))
-}
--- a/experimental/libbox/setup.go
+++ b/experimental/libbox/setup.go
@@ -24,6 +24,7 @@ var (

 func init() {
 	debug.SetPanicOnFault(true)
+	debug.SetTraceback("all")
 }

 func Setup(basePath string, workingPath string, tempPath string, isTVOS bool) {
--- a/go.mod
+++ b/go.mod
@@ -7,16 +7,16 @@ require (
 	github.com/caddyserver/certmagic v0.20.0
 	github.com/cloudflare/circl v1.3.7
 	github.com/cretz/bine v0.2.0
-	github.com/go-chi/chi/v5 v5.1.0
+	github.com/go-chi/chi/v5 v5.0.12
 	github.com/go-chi/render v1.0.3
-	github.com/gofrs/uuid/v5 v5.3.0
+	github.com/gofrs/uuid/v5 v5.2.0
 	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
 	github.com/libdns/alidns v1.0.3
 	github.com/libdns/cloudflare v0.1.1
 	github.com/logrusorgru/aurora v2.0.3+incompatible
-	github.com/metacubex/tfo-go v0.0.0-20241006021335-daedaf0ca7aa
+	github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d
 	github.com/mholt/acmez v1.2.0
-	github.com/miekg/dns v1.1.62
+	github.com/miekg/dns v1.1.61
 	github.com/ooni/go-libtor v1.1.8
 	github.com/oschwald/maxminddb-golang v1.12.0
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
@@ -24,31 +24,30 @@ require (
 	github.com/sagernet/cors v1.2.1
 	github.com/sagernet/fswatch v0.1.1
 	github.com/sagernet/gomobile v0.1.4
-	github.com/sagernet/gvisor v0.0.0-20241021032506-a4324256e4a3
-	github.com/sagernet/quic-go v0.48.1-beta.1
+	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f
+	github.com/sagernet/quic-go v0.47.0-beta.2
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.5.1
-	github.com/sagernet/sing-dns v0.3.0
-	github.com/sagernet/sing-mux v0.2.1
-	github.com/sagernet/sing-quic v0.3.1
+	github.com/sagernet/sing v0.5.0-beta.2
+	github.com/sagernet/sing-dns v0.3.0-beta.14
+	github.com/sagernet/sing-mux v0.2.0
+	github.com/sagernet/sing-quic v0.3.0-beta.3
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
-	github.com/sagernet/sing-shadowtls v0.1.5
-	github.com/sagernet/sing-tun v0.4.1
+	github.com/sagernet/sing-shadowtls v0.1.4
+	github.com/sagernet/sing-tun v0.4.0-beta.16
 	github.com/sagernet/sing-vmess v0.1.12
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
 	github.com/sagernet/utls v1.6.7
 	github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
-	github.com/spf13/cobra v1.8.1
+	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.9.0
 	go.uber.org/zap v1.27.0
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.29.0
+	golang.org/x/crypto v0.25.0
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
-	golang.org/x/mod v0.20.0
-	golang.org/x/net v0.31.0
-	golang.org/x/sys v0.27.0
+	golang.org/x/net v0.27.0
+	golang.org/x/sys v0.25.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	google.golang.org/grpc v1.63.2
 	google.golang.org/protobuf v1.33.0
@@ -66,10 +65,10 @@ require (
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
-	github.com/google/btree v1.1.3 // indirect
+	github.com/google/btree v1.1.2 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a // indirect
-	github.com/hashicorp/yamux v0.1.2 // indirect
+	github.com/hashicorp/yamux v0.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/native v1.1.0 // indirect
 	github.com/klauspost/compress v1.17.4 // indirect
@@ -90,10 +89,11 @@ require (
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/sync v0.9.0 // indirect
-	golang.org/x/text v0.20.0 // indirect
-	golang.org/x/time v0.7.0 // indirect
-	golang.org/x/tools v0.24.0 // indirect
+	golang.org/x/mod v0.19.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.23.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -8,7 +8,7 @@ github.com/caddyserver/certmagic v0.20.0 h1:bTw7LcEZAh9ucYCRXyCpIrSAGplplI0vGYJ4
 github.com/caddyserver/certmagic v0.20.0/go.mod h1:N4sXgpICQUskEWpj7zVzvWD41p3NYacrNoZYiRM2jTg=
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cretz/bine v0.1.0/go.mod h1:6PF6fWAvYtwjRGkAuDEJeWNOv3a2hUouSP/yRYXmvHw=
 github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
@@ -17,8 +17,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
-github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s=
+github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
@@ -30,17 +30,17 @@ github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk=
-github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/gofrs/uuid/v5 v5.2.0 h1:qw1GMx6/y8vhVsx626ImfKMuS5CvJmhIKKtuyvfajMM=
+github.com/gofrs/uuid/v5 v5.2.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
-github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
-github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
+github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a h1:fEBsGL/sjAuJrgah5XqmmYsTLzJp/TO9Lhy39gkverk=
 github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
-github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
-github.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6FT1wIns=
+github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
+github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
@@ -70,12 +70,12 @@ github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
 github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
 github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
-github.com/metacubex/tfo-go v0.0.0-20241006021335-daedaf0ca7aa h1:9mcjV+RGZVC3reJBNDjjNPyS8PmFG97zq56X7WNaFO4=
-github.com/metacubex/tfo-go v0.0.0-20241006021335-daedaf0ca7aa/go.mod h1:4tLB5c8U0CxpkFM+AJJB77jEaVDbLH5XQvy42vAGsWw=
+github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d h1:j9LtzkYstLFoNvXW824QQeN7Y26uPL5249kzWKbzO9U=
+github.com/metacubex/tfo-go v0.0.0-20240821025650-e9be0afd5e7d/go.mod h1:c7bVFM9f5+VzeZ/6Kg77T/jrg1Xp8QpqlSHvG/aXVts=
 github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
 github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
-github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
-github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
+github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs=
+github.com/miekg/dns v1.1.61/go.mod h1:mnAarhS3nWaW+NVP2wTkYVIZyHNJ098SJZUki3eykwQ=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/onsi/ginkgo/v2 v2.9.7 h1:06xGQy5www2oN160RtEZoTvnP2sPhEfePYmCDc2szss=
@@ -104,33 +104,33 @@ github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQ
 github.com/sagernet/fswatch v0.1.1/go.mod h1:nz85laH0mkQqJfaOrqPpkwtU1znMFNVTpT/5oRsVz/o=
 github.com/sagernet/gomobile v0.1.4 h1:WzX9ka+iHdupMgy2Vdich+OAt7TM8C2cZbIbzNjBrJY=
 github.com/sagernet/gomobile v0.1.4/go.mod h1:Pqq2+ZVvs10U7xK+UwJgwYWUykewi8H6vlslAO73n9E=
-github.com/sagernet/gvisor v0.0.0-20241021032506-a4324256e4a3 h1:RxEz7LhPNiF/gX/Hg+OXr5lqsM9iVAgmaK1L1vzlDRM=
-github.com/sagernet/gvisor v0.0.0-20241021032506-a4324256e4a3/go.mod h1:ehZwnT2UpmOWAHFL48XdBhnd4Qu4hN2O3Ji0us3ZHMw=
+github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y/6ZHJWrnNLoiNnSJaow6DPb8VW2I=
+github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZNjr6sGeT00J8uU7JF4cNUdb44/Duis=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNenDW2zaXr8I=
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
-github.com/sagernet/quic-go v0.48.1-beta.1 h1:ElPaV5yzlXIKZpqFMAcUGax6vddi3zt4AEpT94Z0vwo=
-github.com/sagernet/quic-go v0.48.1-beta.1/go.mod h1:1WgdDIVD1Gybp40JTWketeSfKA/+or9YMLaG5VeTk4k=
+github.com/sagernet/quic-go v0.47.0-beta.2 h1:1tCGWFOSaXIeuQaHrwOMJIYvlupjTcaVInGQw5ArULU=
+github.com/sagernet/quic-go v0.47.0-beta.2/go.mod h1:bLVKvElSEMNv7pu7SZHscW02TYigzQ5lQu3Nh4wNh8Q=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.5.1 h1:mhL/MZVq0TjuvHcpYcFtmSD1BFOxZ/+8ofbNZcg1k1Y=
-github.com/sagernet/sing v0.5.1/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
-github.com/sagernet/sing-dns v0.3.0 h1:uHCIlbCwBxALJwXcEK1d75d7t3vzCSVEQsPfZR1cxQE=
-github.com/sagernet/sing-dns v0.3.0/go.mod h1:TqLIelI+FAbVEdiTRolhGLOwvhVjY7oT+wezlOJUQ7M=
-github.com/sagernet/sing-mux v0.2.1 h1:N/3MHymfnFZRd29tE3TaXwPUVVgKvxhtOkiCMLp9HVo=
-github.com/sagernet/sing-mux v0.2.1/go.mod h1:dm3BWL6NvES9pbib7llpylrq7Gq+LjlzG+0RacdxcyE=
-github.com/sagernet/sing-quic v0.3.1 h1:kLg2n4JPnuzUPg7myJGbfGVJGeXiccXfV+PhXIlkSEc=
-github.com/sagernet/sing-quic v0.3.1/go.mod h1:g8b5Fj88KRM0H9lpKAxJj0EpkL/Yk06qXJAG7FuZd2I=
+github.com/sagernet/sing v0.5.0-beta.2 h1:V12EpwtsgYo5OLGjAiGoJobDJZeUsKv0b5y+yGAM6W0=
+github.com/sagernet/sing v0.5.0-beta.2/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing-dns v0.3.0-beta.14 h1:/s+fJzYKsvLaNDt/2rjpsrDcN8wmCO2JbX6OFrl8Nww=
+github.com/sagernet/sing-dns v0.3.0-beta.14/go.mod h1:rscgSr5ixOPk8XM9ZMLuMXCyldEQ1nLvdl0nfv+lp00=
+github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
+github.com/sagernet/sing-mux v0.2.0/go.mod h1:khzr9AOPocLa+g53dBplwNDz4gdsyx/YM3swtAhlkHQ=
+github.com/sagernet/sing-quic v0.3.0-beta.3 h1:8S98VXZxtSiOqVCFbCNbMEvKDPhOF/VNBYMjVC3xMhw=
+github.com/sagernet/sing-quic v0.3.0-beta.3/go.mod h1:rFPUlYnSj1Bx9gFSghjCqrCzfGvpjhkisOiTKpjq5vQ=
 github.com/sagernet/sing-shadowsocks v0.2.7 h1:zaopR1tbHEw5Nk6FAkM05wCslV6ahVegEZaKMv9ipx8=
 github.com/sagernet/sing-shadowsocks v0.2.7/go.mod h1:0rIKJZBR65Qi0zwdKezt4s57y/Tl1ofkaq6NlkzVuyE=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
-github.com/sagernet/sing-shadowtls v0.1.5 h1:uXxmq/HXh8DIiBGLzpMjCbWnzIAFs+lIxiTOjdgG5qo=
-github.com/sagernet/sing-shadowtls v0.1.5/go.mod h1:tvrDPTGLrSM46Wnf7mSr+L8NHvgvF8M4YnJF790rZX4=
-github.com/sagernet/sing-tun v0.4.1 h1:VKjKX93fUlEbYiabX3OhnqEylYzrcYcQthnaO0u2cI0=
-github.com/sagernet/sing-tun v0.4.1/go.mod h1:hHNVxjL7X0vNjkfN0GTkMk2CrGdgk0zZMEinkmz8XeM=
+github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
+github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
+github.com/sagernet/sing-tun v0.4.0-beta.16 h1:05VdL5BZiKLQsDNrpdXMseSO1NwPfl9Y4o76PqAd9sY=
+github.com/sagernet/sing-tun v0.4.0-beta.16/go.mod h1:81JwnnYw8X9W9XvmZetSTTiPgIE3SbAbnc+EHKwPJ5U=
 github.com/sagernet/sing-vmess v0.1.12 h1:2gFD8JJb+eTFMoa8FIVMnknEi+vCSfaiTXTfEYAYAPg=
 github.com/sagernet/sing-vmess v0.1.12/go.mod h1:luTSsfyBGAc9VhtCqwjR+dt1QgqBhuYBCONB/POhF8I=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
@@ -141,8 +141,8 @@ github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8 h1:R0OMYASco
 github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8/go.mod h1:K4J7/npM+VAMUeUmTa2JaA02JmyheP0GpRBOUvn3ecc=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854/go.mod h1:LtfoSK3+NG57tvnVEHgcuBW9ujgE8enPSgzgwStwCAA=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
+github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -170,18 +170,18 @@ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBs
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
-golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
-golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
+golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
-golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
-golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
-golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -190,19 +190,19 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
+golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
-golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
-golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
-golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
+golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
-golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
+golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
+golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY=
--- a/inbound/tun.go
+++ b/inbound/tun.go
@@ -13,7 +13,6 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
@@ -55,18 +54,15 @@ type Tun struct {

 func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunInboundOptions, platformInterface platform.Interface) (*Tun, error) {
 	address := options.Address
-	var deprecatedAddressUsed bool
 	//nolint:staticcheck
 	//goland:noinspection GoDeprecation
 	if len(options.Inet4Address) > 0 {
 		address = append(address, options.Inet4Address...)
-		deprecatedAddressUsed = true
 	}
 	//nolint:staticcheck
 	//goland:noinspection GoDeprecation
 	if len(options.Inet6Address) > 0 {
 		address = append(address, options.Inet6Address...)
-		deprecatedAddressUsed = true
 	}
 	inet4Address := common.Filter(address, func(it netip.Prefix) bool {
 		return it.Addr().Is4()
@@ -80,13 +76,11 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 	//goland:noinspection GoDeprecation
 	if len(options.Inet4RouteAddress) > 0 {
 		routeAddress = append(routeAddress, options.Inet4RouteAddress...)
-		deprecatedAddressUsed = true
 	}
 	//nolint:staticcheck
 	//goland:noinspection GoDeprecation
 	if len(options.Inet6RouteAddress) > 0 {
 		routeAddress = append(routeAddress, options.Inet6RouteAddress...)
-		deprecatedAddressUsed = true
 	}
 	inet4RouteAddress := common.Filter(routeAddress, func(it netip.Prefix) bool {
 		return it.Addr().Is4()
@@ -100,13 +94,11 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 	//goland:noinspection GoDeprecation
 	if len(options.Inet4RouteExcludeAddress) > 0 {
 		routeExcludeAddress = append(routeExcludeAddress, options.Inet4RouteExcludeAddress...)
-		deprecatedAddressUsed = true
 	}
 	//nolint:staticcheck
 	//goland:noinspection GoDeprecation
 	if len(options.Inet6RouteExcludeAddress) > 0 {
 		routeExcludeAddress = append(routeExcludeAddress, options.Inet6RouteExcludeAddress...)
-		deprecatedAddressUsed = true
 	}
 	inet4RouteExcludeAddress := common.Filter(routeExcludeAddress, func(it netip.Prefix) bool {
 		return it.Addr().Is4()
@@ -115,10 +107,6 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 		return it.Addr().Is6()
 	})

-	if deprecatedAddressUsed {
-		deprecated.Report(ctx, deprecated.OptionTUNAddressX)
-	}
-
 	tunMTU := options.MTU
 	if tunMTU == 0 {
 		tunMTU = 9000
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -11,22 +11,18 @@ theme:
  logo: assets/icon.svg
  favicon: assets/icon.svg
  palette:
-    - media: "(prefers-color-scheme)"
-      toggle:
-        icon: material/link
-        name: Switch to light mode
    - media: "(prefers-color-scheme: light)"
      scheme: default
      primary: white
      toggle:
-        icon: material/toggle-switch
+        icon: material/brightness-7
        name: Switch to dark mode
    - media: "(prefers-color-scheme: dark)"
      scheme: slate
      primary: black
      toggle:
-        icon: material/toggle-switch-off
-        name: Switch to system preference
+        icon: material/brightness-4
+        name: Switch to light mode
  features:
    #    - navigation.instant
    - navigation.tracking
--- a/option/rule.go
+++ b/option/rule.go
@@ -64,7 +64,7 @@ func (r Rule) IsValid() bool {
 	}
 }

-type DefaultRule struct {
+type _DefaultRule struct {
 	Inbound                  Listable[string] `json:"inbound,omitempty"`
 	IPVersion                int              `json:"ip_version,omitempty"`
 	Network                  Listable[string] `json:"network,omitempty"`
@@ -104,6 +104,22 @@ type DefaultRule struct {
 	Deprecated_RulesetIPCIDRMatchSource bool `json:"rule_set_ipcidr_match_source,omitempty"`
 }

+type DefaultRule _DefaultRule
+
+func (r *DefaultRule) UnmarshalJSON(bytes []byte) error {
+	err := json.Unmarshal(bytes, (*_DefaultRule)(r))
+	if err != nil {
+		return err
+	}
+	//nolint:staticcheck
+	//goland:noinspection GoDeprecation
+	if r.Deprecated_RulesetIPCIDRMatchSource {
+		r.Deprecated_RulesetIPCIDRMatchSource = false
+		r.RuleSetIPCIDRMatchSource = true
+	}
+	return nil
+}
+
 func (r *DefaultRule) IsValid() bool {
 	var defaultValue DefaultRule
 	defaultValue.Invert = r.Invert
--- a/option/rule_dns.go
+++ b/option/rule_dns.go
@@ -64,7 +64,7 @@ func (r DNSRule) IsValid() bool {
 	}
 }

-type DefaultDNSRule struct {
+type _DefaultDNSRule struct {
 	Inbound                  Listable[string]       `json:"inbound,omitempty"`
 	IPVersion                int                    `json:"ip_version,omitempty"`
 	QueryType                Listable[DNSQueryType] `json:"query_type,omitempty"`
@@ -109,6 +109,22 @@ type DefaultDNSRule struct {
 	Deprecated_RulesetIPCIDRMatchSource bool `json:"rule_set_ipcidr_match_source,omitempty"`
 }

+type DefaultDNSRule _DefaultDNSRule
+
+func (r *DefaultDNSRule) UnmarshalJSON(bytes []byte) error {
+	err := json.UnmarshalDisallowUnknownFields(bytes, (*_DefaultDNSRule)(r))
+	if err != nil {
+		return err
+	}
+	//nolint:staticcheck
+	//goland:noinspection GoDeprecation
+	if r.Deprecated_RulesetIPCIDRMatchSource {
+		r.Deprecated_RulesetIPCIDRMatchSource = false
+		r.RuleSetIPCIDRMatchSource = true
+	}
+	return nil
+}
+
 func (r *DefaultDNSRule) IsValid() bool {
 	var defaultValue DefaultDNSRule
 	defaultValue.Invert = r.Invert
--- a/option/rule_set.go
+++ b/option/rule_set.go
@@ -48,6 +48,17 @@ func (r *RuleSet) UnmarshalJSON(bytes []byte) error {
 	if r.Tag == "" {
 		return E.New("missing tag")
 	}
+	if r.Type != C.RuleSetTypeInline {
+		switch r.Format {
+		case "":
+			return E.New("missing format")
+		case C.RuleSetFormatSource, C.RuleSetFormatBinary:
+		default:
+			return E.New("unknown rule-set format: " + r.Format)
+		}
+	} else {
+		r.Format = ""
+	}
 	var v any
 	switch r.Type {
 	case "", C.RuleSetTypeInline:
@@ -60,17 +71,6 @@ func (r *RuleSet) UnmarshalJSON(bytes []byte) error {
 	default:
 		return E.New("unknown rule-set type: " + r.Type)
 	}
-	if r.Type != C.RuleSetTypeInline {
-		switch r.Format {
-		case "":
-			return E.New("missing format")
-		case C.RuleSetFormatSource, C.RuleSetFormatBinary:
-		default:
-			return E.New("unknown rule-set format: " + r.Format)
-		}
-	} else {
-		r.Format = ""
-	}
 	err = UnmarshallExcluded(bytes, (*_RuleSet)(r), v)
 	if err != nil {
 		return err
@@ -189,7 +189,7 @@ func (r LogicalHeadlessRule) IsValid() bool {
 }

 type _PlainRuleSetCompat struct {
-	Version uint8        `json:"version"`
+	Version int          `json:"version"`
 	Options PlainRuleSet `json:"-"`
 }

--- a/outbound/builder.go
+++ b/outbound/builder.go
@@ -11,10 +11,10 @@ import (
 )

 func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.Outbound) (adapter.Outbound, error) {
+	var metadata *adapter.InboundContext
 	if tag != "" {
-		ctx = adapter.WithContext(ctx, &adapter.InboundContext{
-			Outbound: tag,
-		})
+		ctx, metadata = adapter.AppendContext(ctx)
+		metadata.Outbound = tag
 	}
 	if options.Type == "" {
 		return nil, E.New("missing outbound type")
--- a/outbound/direct.go
+++ b/outbound/direct.go
@@ -70,7 +70,7 @@ func NewDirect(router adapter.Router, logger log.ContextLogger, tag string, opti
 }

 func (h *Direct) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	switch h.overrideOption {
@@ -98,7 +98,7 @@ func (h *Direct) DialContext(ctx context.Context, network string, destination M.
 }

 func (h *Direct) DialParallel(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr) (net.Conn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	switch h.overrideOption {
--- a/outbound/http.go
+++ b/outbound/http.go
@@ -54,7 +54,7 @@ func NewHTTP(ctx context.Context, router adapter.Router, logger log.ContextLogge
 }

 func (h *HTTP) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	h.logger.InfoContext(ctx, "outbound connection to ", destination)
--- a/outbound/selector.go
+++ b/outbound/selector.go
@@ -97,11 +97,7 @@ func (s *Selector) Start() error {
 }

 func (s *Selector) Now() string {
-	selected := s.selected
-	if selected == nil {
-		return s.tags[0]
-	}
-	return selected.Tag()
+	return s.selected.Tag()
 }

 func (s *Selector) All() []string {
--- a/outbound/shadowsocks.go
+++ b/outbound/shadowsocks.go
@@ -79,7 +79,7 @@ func NewShadowsocks(ctx context.Context, router adapter.Router, logger log.Conte
 }

 func (h *Shadowsocks) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	if h.multiplexDialer == nil {
@@ -107,7 +107,7 @@ func (h *Shadowsocks) DialContext(ctx context.Context, network string, destinati
 }

 func (h *Shadowsocks) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	if h.multiplexDialer == nil {
@@ -149,7 +149,7 @@ var _ N.Dialer = (*shadowsocksDialer)(nil)
 type shadowsocksDialer Shadowsocks

 func (h *shadowsocksDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	switch N.NetworkName(network) {
@@ -177,7 +177,7 @@ func (h *shadowsocksDialer) DialContext(ctx context.Context, network string, des
 }

 func (h *shadowsocksDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	outConn, err := h.dialer.DialContext(ctx, N.NetworkUDP, h.serverAddr)
--- a/outbound/shadowtls.go
+++ b/outbound/shadowtls.go
@@ -92,7 +92,7 @@ func NewShadowTLS(ctx context.Context, router adapter.Router, logger log.Context
 }

 func (h *ShadowTLS) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	switch N.NetworkName(network) {
--- a/outbound/socks.go
+++ b/outbound/socks.go
@@ -65,7 +65,7 @@ func NewSocks(router adapter.Router, logger log.ContextLogger, tag string, optio
 }

 func (h *Socks) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	switch N.NetworkName(network) {
@@ -91,7 +91,7 @@ func (h *Socks) DialContext(ctx context.Context, network string, destination M.S
 }

 func (h *Socks) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	if h.uotClient != nil {
--- a/outbound/trojan.go
+++ b/outbound/trojan.go
@@ -124,7 +124,7 @@ func (h *Trojan) Close() error {
 type trojanDialer Trojan

 func (h *trojanDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	var conn net.Conn
--- a/outbound/vless.go
+++ b/outbound/vless.go
@@ -143,7 +143,7 @@ func (h *VLESS) Close() error {
 type vlessDialer VLESS

 func (h *vlessDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	var conn net.Conn
@@ -186,7 +186,7 @@ func (h *vlessDialer) DialContext(ctx context.Context, network string, destinati

 func (h *vlessDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	var conn net.Conn
--- a/outbound/vmess.go
+++ b/outbound/vmess.go
@@ -157,7 +157,7 @@ func (h *VMess) NewPacketConnection(ctx context.Context, conn N.PacketConn, meta
 type vmessDialer VMess

 func (h *vmessDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	var conn net.Conn
@@ -185,7 +185,7 @@ func (h *vmessDialer) DialContext(ctx context.Context, network string, destinati
 }

 func (h *vmessDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Outbound = h.tag
 	metadata.Destination = destination
 	var conn net.Conn
--- a/route/router.go
+++ b/route/router.go
@@ -10,7 +10,6 @@ import (
 	"os/user"
 	"runtime"
 	"strings"
-	"syscall"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@@ -154,14 +153,14 @@ func NewRouter(
 		Logger: router.dnsLogger,
 	})
 	for i, ruleOptions := range options.Rules {
-		routeRule, err := NewRule(ctx, router, router.logger, ruleOptions, true)
+		routeRule, err := NewRule(router, router.logger, ruleOptions, true)
 		if err != nil {
 			return nil, E.Cause(err, "parse rule[", i, "]")
 		}
 		router.rules = append(router.rules, routeRule)
 	}
 	for i, dnsRuleOptions := range dnsOptions.Rules {
-		dnsRule, err := NewDNSRule(ctx, router, router.logger, dnsRuleOptions, true)
+		dnsRule, err := NewDNSRule(router, router.logger, dnsRuleOptions, true)
 		if err != nil {
 			return nil, E.Cause(err, "parse dns rule[", i, "]")
 		}
@@ -212,19 +211,12 @@ func NewRouter(
 			} else {
 				detour = dialer.NewDetour(router, server.Detour)
 			}
-			var serverProtocol string
 			switch server.Address {
 			case "local":
-				serverProtocol = "local"
 			default:
 				serverURL, _ := url.Parse(server.Address)
 				var serverAddress string
 				if serverURL != nil {
-					if serverURL.Scheme == "" {
-						serverProtocol = "udp"
-					} else {
-						serverProtocol = serverURL.Scheme
-					}
 					serverAddress = serverURL.Hostname()
 				}
 				if serverAddress == "" {
@@ -250,12 +242,9 @@ func NewRouter(
 			} else if dnsOptions.ClientSubnet != nil {
 				clientSubnet = dnsOptions.ClientSubnet.Build()
 			}
-			if serverProtocol == "" {
-				serverProtocol = "transport"
-			}
 			transport, err := dns.CreateTransport(dns.TransportOptions{
 				Context:      ctx,
-				Logger:       logFactory.NewLogger(F.ToString("dns/", serverProtocol, "[", tag, "]")),
+				Logger:       logFactory.NewLogger(F.ToString("dns/transport[", tag, "]")),
 				Name:         tag,
 				Dialer:       detour,
 				Address:      server.Address,
@@ -349,7 +338,6 @@ func NewRouter(
 				_ = router.interfaceFinder.Update()
 			})
 			interfaceMonitor, err := tun.NewDefaultInterfaceMonitor(router.networkMonitor, router.logger, tun.DefaultInterfaceMonitorOptions{
-				InterfaceFinder:       router.interfaceFinder,
 				OverrideAndroidVPN:    options.OverrideAndroidVPN,
 				UnderNetworkExtension: platformInterface != nil && platformInterface.UnderNetworkExtension(),
 			})
@@ -670,15 +658,14 @@ func (r *Router) Close() error {

 func (r *Router) PostStart() error {
 	monitor := taskmonitor.New(r.logger, C.StopTimeout)
-	var cacheContext *adapter.HTTPStartContext
 	if len(r.ruleSets) > 0 {
 		monitor.Start("initialize rule-set")
-		cacheContext = adapter.NewHTTPStartContext()
+		ruleSetStartContext := NewRuleSetStartContext()
 		var ruleSetStartGroup task.Group
 		for i, ruleSet := range r.ruleSets {
 			ruleSetInPlace := ruleSet
 			ruleSetStartGroup.Append0(func(ctx context.Context) error {
-				err := ruleSetInPlace.StartContext(ctx, cacheContext)
+				err := ruleSetInPlace.StartContext(ctx, ruleSetStartContext)
 				if err != nil {
 					return E.Cause(err, "initialize rule-set[", i, "]")
 				}
@@ -692,9 +679,7 @@ func (r *Router) PostStart() error {
 		if err != nil {
 			return err
 		}
-	}
-	if cacheContext != nil {
-		cacheContext.Close()
+		ruleSetStartContext.Close()
 	}
 	needFindProcess := r.needFindProcess
 	needWIFIState := r.needWIFIState
@@ -1199,11 +1184,7 @@ func (r *Router) AutoDetectInterface() bool {

 func (r *Router) AutoDetectInterfaceFunc() control.Func {
 	if r.platformInterface != nil && r.platformInterface.UsePlatformAutoDetectInterfaceControl() {
-		return func(network, address string, conn syscall.RawConn) error {
-			return control.Raw(conn, func(fd uintptr) error {
-				return r.platformInterface.AutoDetectInterfaceControl(int(fd))
-			})
-		}
+		return r.platformInterface.AutoDetectInterfaceControl()
 	} else {
 		if r.interfaceMonitor == nil {
 			return nil
--- a/route/router_geo_resources.go
+++ b/route/router_geo_resources.go
@@ -7,12 +7,12 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/geoip"
 	"github.com/sagernet/sing-box/common/geosite"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/rw"
@@ -32,7 +32,7 @@ func (r *Router) LoadGeosite(code string) (adapter.Rule, error) {
 	if err != nil {
 		return nil, err
 	}
-	rule, err = NewDefaultRule(r.ctx, r, nil, geosite.Compile(items))
+	rule, err = NewDefaultRule(r, nil, geosite.Compile(items))
 	if err != nil {
 		return nil, err
 	}
@@ -41,7 +41,6 @@ func (r *Router) LoadGeosite(code string) (adapter.Rule, error) {
 }

 func (r *Router) prepareGeoIPDatabase() error {
-	deprecated.Report(r.ctx, deprecated.OptionGEOIP)
 	var geoPath string
 	if r.geoIPOptions.Path != "" {
 		geoPath = r.geoIPOptions.Path
@@ -88,7 +87,6 @@ func (r *Router) prepareGeoIPDatabase() error {
 }

 func (r *Router) prepareGeositeDatabase() error {
-	deprecated.Report(r.ctx, deprecated.OptionGEOSITE)
 	var geoPath string
 	if r.geositeOptions.Path != "" {
 		geoPath = r.geositeOptions.Path
@@ -160,7 +158,7 @@ func (r *Router) downloadGeoIPDatabase(savePath string) error {
 	httpClient := &http.Client{
 		Transport: &http.Transport{
 			ForceAttemptHTTP2:   true,
-			TLSHandshakeTimeout: C.TCPTimeout,
+			TLSHandshakeTimeout: 5 * time.Second,
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				return detour.DialContext(ctx, network, M.ParseSocksaddr(addr))
 			},
@@ -215,7 +213,7 @@ func (r *Router) downloadGeositeDatabase(savePath string) error {
 	httpClient := &http.Client{
 		Transport: &http.Transport{
 			ForceAttemptHTTP2:   true,
-			TLSHandshakeTimeout: C.TCPTimeout,
+			TLSHandshakeTimeout: 5 * time.Second,
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				return detour.DialContext(ctx, network, M.ParseSocksaddr(addr))
 			},
--- a/route/rule_default.go
+++ b/route/rule_default.go
@@ -1,17 +1,14 @@
 package route

 import (
-	"context"
-
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )

-func NewRule(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.Rule, checkOutbound bool) (adapter.Rule, error) {
+func NewRule(router adapter.Router, logger log.ContextLogger, options option.Rule, checkOutbound bool) (adapter.Rule, error) {
 	switch options.Type {
 	case "", C.RuleTypeDefault:
 		if !options.DefaultOptions.IsValid() {
@@ -20,7 +17,7 @@ func NewRule(ctx context.Context, router adapter.Router, logger log.ContextLogge
 		if options.DefaultOptions.Outbound == "" && checkOutbound {
 			return nil, E.New("missing outbound field")
 		}
-		return NewDefaultRule(ctx, router, logger, options.DefaultOptions)
+		return NewDefaultRule(router, logger, options.DefaultOptions)
 	case C.RuleTypeLogical:
 		if !options.LogicalOptions.IsValid() {
 			return nil, E.New("missing conditions")
@@ -28,7 +25,7 @@ func NewRule(ctx context.Context, router adapter.Router, logger log.ContextLogge
 		if options.LogicalOptions.Outbound == "" && checkOutbound {
 			return nil, E.New("missing outbound field")
 		}
-		return NewLogicalRule(ctx, router, logger, options.LogicalOptions)
+		return NewLogicalRule(router, logger, options.LogicalOptions)
 	default:
 		return nil, E.New("unknown rule type: ", options.Type)
 	}
@@ -45,7 +42,7 @@ type RuleItem interface {
 	String() string
 }

-func NewDefaultRule(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.DefaultRule) (*DefaultRule, error) {
+func NewDefaultRule(router adapter.Router, logger log.ContextLogger, options option.DefaultRule) (*DefaultRule, error) {
 	rule := &DefaultRule{
 		abstractDefaultRule{
 			invert:   options.Invert,
@@ -221,16 +218,7 @@ func NewDefaultRule(ctx context.Context, router adapter.Router, logger log.Conte
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.RuleSet) > 0 {
-		var matchSource bool
-		if options.RuleSetIPCIDRMatchSource {
-			matchSource = true
-		} else
-		//nolint:staticcheck
-		if options.Deprecated_RulesetIPCIDRMatchSource {
-			matchSource = true
-			deprecated.Report(ctx, deprecated.OptionBadMatchSource)
-		}
-		item := NewRuleSetItem(router, options.RuleSet, matchSource, false)
+		item := NewRuleSetItem(router, options.RuleSet, options.RuleSetIPCIDRMatchSource, false)
 		rule.items = append(rule.items, item)
 		rule.allItems = append(rule.allItems, item)
 	}
@@ -243,7 +231,7 @@ type LogicalRule struct {
 	abstractLogicalRule
 }

-func NewLogicalRule(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.LogicalRule) (*LogicalRule, error) {
+func NewLogicalRule(router adapter.Router, logger log.ContextLogger, options option.LogicalRule) (*LogicalRule, error) {
 	r := &LogicalRule{
 		abstractLogicalRule{
 			rules:    make([]adapter.HeadlessRule, len(options.Rules)),
@@ -260,7 +248,7 @@ func NewLogicalRule(ctx context.Context, router adapter.Router, logger log.Conte
 		return nil, E.New("unknown logical mode: ", options.Mode)
 	}
 	for i, subRule := range options.Rules {
-		rule, err := NewRule(ctx, router, logger, subRule, false)
+		rule, err := NewRule(router, logger, subRule, false)
 		if err != nil {
 			return nil, E.Cause(err, "sub rule[", i, "]")
 		}
--- a/route/rule_dns.go
+++ b/route/rule_dns.go
@@ -1,19 +1,17 @@
 package route

 import (
-	"context"
 	"net/netip"

 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 )

-func NewDNSRule(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.DNSRule, checkServer bool) (adapter.DNSRule, error) {
+func NewDNSRule(router adapter.Router, logger log.ContextLogger, options option.DNSRule, checkServer bool) (adapter.DNSRule, error) {
 	switch options.Type {
 	case "", C.RuleTypeDefault:
 		if !options.DefaultOptions.IsValid() {
@@ -22,7 +20,7 @@ func NewDNSRule(ctx context.Context, router adapter.Router, logger log.ContextLo
 		if options.DefaultOptions.Server == "" && checkServer {
 			return nil, E.New("missing server field")
 		}
-		return NewDefaultDNSRule(ctx, router, logger, options.DefaultOptions)
+		return NewDefaultDNSRule(router, logger, options.DefaultOptions)
 	case C.RuleTypeLogical:
 		if !options.LogicalOptions.IsValid() {
 			return nil, E.New("missing conditions")
@@ -30,7 +28,7 @@ func NewDNSRule(ctx context.Context, router adapter.Router, logger log.ContextLo
 		if options.LogicalOptions.Server == "" && checkServer {
 			return nil, E.New("missing server field")
 		}
-		return NewLogicalDNSRule(ctx, router, logger, options.LogicalOptions)
+		return NewLogicalDNSRule(router, logger, options.LogicalOptions)
 	default:
 		return nil, E.New("unknown rule type: ", options.Type)
 	}
@@ -45,7 +43,7 @@ type DefaultDNSRule struct {
 	clientSubnet *netip.Prefix
 }

-func NewDefaultDNSRule(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.DefaultDNSRule) (*DefaultDNSRule, error) {
+func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options option.DefaultDNSRule) (*DefaultDNSRule, error) {
 	rule := &DefaultDNSRule{
 		abstractDefaultRule: abstractDefaultRule{
 			invert:   options.Invert,
@@ -229,16 +227,7 @@ func NewDefaultDNSRule(ctx context.Context, router adapter.Router, logger log.Co
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.RuleSet) > 0 {
-		var matchSource bool
-		if options.RuleSetIPCIDRMatchSource {
-			matchSource = true
-		} else
-		//nolint:staticcheck
-		if options.Deprecated_RulesetIPCIDRMatchSource {
-			matchSource = true
-			deprecated.Report(ctx, deprecated.OptionBadMatchSource)
-		}
-		item := NewRuleSetItem(router, options.RuleSet, matchSource, options.RuleSetIPCIDRAcceptEmpty)
+		item := NewRuleSetItem(router, options.RuleSet, options.RuleSetIPCIDRMatchSource, options.RuleSetIPCIDRAcceptEmpty)
 		rule.items = append(rule.items, item)
 		rule.allItems = append(rule.allItems, item)
 	}
@@ -294,7 +283,7 @@ type LogicalDNSRule struct {
 	clientSubnet *netip.Prefix
 }

-func NewLogicalDNSRule(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.LogicalDNSRule) (*LogicalDNSRule, error) {
+func NewLogicalDNSRule(router adapter.Router, logger log.ContextLogger, options option.LogicalDNSRule) (*LogicalDNSRule, error) {
 	r := &LogicalDNSRule{
 		abstractLogicalRule: abstractLogicalRule{
 			rules:    make([]adapter.HeadlessRule, len(options.Rules)),
@@ -314,7 +303,7 @@ func NewLogicalDNSRule(ctx context.Context, router adapter.Router, logger log.Co
 		return nil, E.New("unknown logical mode: ", options.Mode)
 	}
 	for i, subRule := range options.Rules {
-		rule, err := NewDNSRule(ctx, router, logger, subRule, false)
+		rule, err := NewDNSRule(router, logger, subRule, false)
 		if err != nil {
 			return nil, E.Cause(err, "sub rule[", i, "]")
 		}
--- a/route/rule_set.go
+++ b/route/rule_set.go
@@ -2,6 +2,9 @@ package route

 import (
 	"context"
+	"net"
+	"net/http"
+	"sync"

 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
@@ -9,6 +12,8 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"

 	"go4.org/netipx"
 )
@@ -41,3 +46,43 @@ func extractIPSetFromRule(rawRule adapter.HeadlessRule) []*netipx.IPSet {
 		panic("unexpected rule type")
 	}
 }
+
+var _ adapter.RuleSetStartContext = (*RuleSetStartContext)(nil)
+
+type RuleSetStartContext struct {
+	access          sync.Mutex
+	httpClientCache map[string]*http.Client
+}
+
+func NewRuleSetStartContext() *RuleSetStartContext {
+	return &RuleSetStartContext{
+		httpClientCache: make(map[string]*http.Client),
+	}
+}
+
+func (c *RuleSetStartContext) HTTPClient(detour string, dialer N.Dialer) *http.Client {
+	c.access.Lock()
+	defer c.access.Unlock()
+	if httpClient, loaded := c.httpClientCache[detour]; loaded {
+		return httpClient
+	}
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			ForceAttemptHTTP2:   true,
+			TLSHandshakeTimeout: C.TCPTimeout,
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+			},
+		},
+	}
+	c.httpClientCache[detour] = httpClient
+	return httpClient
+}
+
+func (c *RuleSetStartContext) Close() {
+	c.access.Lock()
+	defer c.access.Unlock()
+	for _, client := range c.httpClientCache {
+		client.CloseIdleConnections()
+	}
+}
--- a/route/rule_set_local.go
+++ b/route/rule_set_local.go
@@ -58,6 +58,7 @@ func NewLocalRuleSet(ctx context.Context, router adapter.Router, logger logger.L
 		}
 	}
 	if options.Type == C.RuleSetTypeLocal {
+		var watcher *fswatch.Watcher
 		filePath, _ := filepath.Abs(options.LocalOptions.Path)
 		watcher, err := fswatch.NewWatcher(fswatch.Options{
 			Path: []string{filePath},
@@ -84,7 +85,7 @@ func (s *LocalRuleSet) String() string {
 	return strings.Join(F.MapToString(s.rules), " ")
 }

-func (s *LocalRuleSet) StartContext(ctx context.Context, startContext *adapter.HTTPStartContext) error {
+func (s *LocalRuleSet) StartContext(ctx context.Context, startContext adapter.RuleSetStartContext) error {
 	if s.watcher != nil {
 		err := s.watcher.Start()
 		if err != nil {
@@ -95,34 +96,33 @@ func (s *LocalRuleSet) StartContext(ctx context.Context, startContext *adapter.H
 }

 func (s *LocalRuleSet) reloadFile(path string) error {
-	var ruleSet option.PlainRuleSetCompat
+	var plainRuleSet option.PlainRuleSet
 	switch s.fileFormat {
 	case C.RuleSetFormatSource, "":
 		content, err := os.ReadFile(path)
 		if err != nil {
 			return err
 		}
-		ruleSet, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
+		compat, err := json.UnmarshalExtended[option.PlainRuleSetCompat](content)
+		if err != nil {
+			return err
+		}
+		plainRuleSet, err = compat.Upgrade()
 		if err != nil {
 			return err
 		}
-
 	case C.RuleSetFormatBinary:
 		setFile, err := os.Open(path)
 		if err != nil {
 			return err
 		}
-		ruleSet, err = srs.Read(setFile, false)
+		plainRuleSet, err = srs.Read(setFile, false)
 		if err != nil {
 			return err
 		}
 	default:
 		return E.New("unknown rule-set format: ", s.fileFormat)
 	}
-	plainRuleSet, err := ruleSet.Upgrade()
-	if err != nil {
-		return err
-	}
 	return s.reloadRules(plainRuleSet.Rules)
 }

--- a/route/rule_set_remote.go
+++ b/route/rule_set_remote.go
@@ -45,7 +45,6 @@ type RemoteRuleSet struct {
 	lastUpdated    time.Time
 	lastEtag       string
 	updateTicker   *time.Ticker
-	cacheFile      adapter.CacheFile
 	pauseManager   pause.Manager
 	callbackAccess sync.Mutex
 	callbacks      list.List[adapter.RuleSetUpdateCallback]
@@ -79,8 +78,7 @@ func (s *RemoteRuleSet) String() string {
 	return strings.Join(F.MapToString(s.rules), " ")
 }

-func (s *RemoteRuleSet) StartContext(ctx context.Context, startContext *adapter.HTTPStartContext) error {
-	s.cacheFile = service.FromContext[adapter.CacheFile](s.ctx)
+func (s *RemoteRuleSet) StartContext(ctx context.Context, startContext adapter.RuleSetStartContext) error {
 	var dialer N.Dialer
 	if s.options.RemoteOptions.DownloadDetour != "" {
 		outbound, loaded := s.router.Outbound(s.options.RemoteOptions.DownloadDetour)
@@ -96,8 +94,9 @@ func (s *RemoteRuleSet) StartContext(ctx context.Context, startContext *adapter.
 		dialer = outbound
 	}
 	s.dialer = dialer
-	if s.cacheFile != nil {
-		if savedSet := s.cacheFile.LoadRuleSet(s.options.Tag); savedSet != nil {
+	cacheFile := service.FromContext[adapter.CacheFile](s.ctx)
+	if cacheFile != nil {
+		if savedSet := cacheFile.LoadRuleSet(s.options.Tag); savedSet != nil {
 			err := s.loadBytes(savedSet.Content)
 			if err != nil {
 				return E.Cause(err, "restore cached rule-set")
@@ -159,27 +158,28 @@ func (s *RemoteRuleSet) UnregisterCallback(element *list.Element[adapter.RuleSet

 func (s *RemoteRuleSet) loadBytes(content []byte) error {
 	var (
-		ruleSet option.PlainRuleSetCompat
-		err     error
+		plainRuleSet option.PlainRuleSet
+		err          error
 	)
 	switch s.options.Format {
 	case C.RuleSetFormatSource:
-		ruleSet, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
+		var compat option.PlainRuleSetCompat
+		compat, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
+		if err != nil {
+			return err
+		}
+		plainRuleSet, err = compat.Upgrade()
 		if err != nil {
 			return err
 		}
 	case C.RuleSetFormatBinary:
-		ruleSet, err = srs.Read(bytes.NewReader(content), false)
+		plainRuleSet, err = srs.Read(bytes.NewReader(content), false)
 		if err != nil {
 			return err
 		}
 	default:
 		return E.New("unknown rule-set format: ", s.options.Format)
 	}
-	plainRuleSet, err := ruleSet.Upgrade()
-	if err != nil {
-		return err
-	}
 	rules := make([]adapter.HeadlessRule, len(plainRuleSet.Rules))
 	for i, ruleOptions := range plainRuleSet.Rules {
 		rules[i], err = NewHeadlessRule(s.router, ruleOptions)
@@ -226,7 +226,7 @@ func (s *RemoteRuleSet) loopUpdate() {
 	}
 }

-func (s *RemoteRuleSet) fetchOnce(ctx context.Context, startContext *adapter.HTTPStartContext) error {
+func (s *RemoteRuleSet) fetchOnce(ctx context.Context, startContext adapter.RuleSetStartContext) error {
 	s.logger.Debug("updating rule-set ", s.options.Tag, " from URL: ", s.options.RemoteOptions.URL)
 	var httpClient *http.Client
 	if startContext != nil {
@@ -257,11 +257,12 @@ func (s *RemoteRuleSet) fetchOnce(ctx context.Context, startContext *adapter.HTT
 	case http.StatusOK:
 	case http.StatusNotModified:
 		s.lastUpdated = time.Now()
-		if s.cacheFile != nil {
-			savedRuleSet := s.cacheFile.LoadRuleSet(s.options.Tag)
+		cacheFile := service.FromContext[adapter.CacheFile](s.ctx)
+		if cacheFile != nil {
+			savedRuleSet := cacheFile.LoadRuleSet(s.options.Tag)
 			if savedRuleSet != nil {
 				savedRuleSet.LastUpdated = s.lastUpdated
-				err = s.cacheFile.SaveRuleSet(s.options.Tag, savedRuleSet)
+				err = cacheFile.SaveRuleSet(s.options.Tag, savedRuleSet)
 				if err != nil {
 					s.logger.Error("save rule-set updated time: ", err)
 					return nil
@@ -289,8 +290,9 @@ func (s *RemoteRuleSet) fetchOnce(ctx context.Context, startContext *adapter.HTT
 		s.lastEtag = eTagHeader
 	}
 	s.lastUpdated = time.Now()
-	if s.cacheFile != nil {
-		err = s.cacheFile.SaveRuleSet(s.options.Tag, &adapter.SavedRuleSet{
+	cacheFile := service.FromContext[adapter.CacheFile](s.ctx)
+	if cacheFile != nil {
+		err = cacheFile.SaveRuleSet(s.options.Tag, &adapter.SavedRuleSet{
 			LastUpdated: s.lastUpdated,
 			Content:     content,
 			LastEtag:    s.lastEtag,
--- a/transport/wireguard/device_stack.go
+++ b/transport/wireguard/device_stack.go
@@ -252,9 +252,6 @@ func (ep *wireEndpoint) MTU() uint32 {
 	return ep.mtu
 }

-func (ep *wireEndpoint) SetMTU(mtu uint32) {
-}
-
 func (ep *wireEndpoint) MaxHeaderLength() uint16 {
 	return 0
 }
@@ -263,9 +260,6 @@ func (ep *wireEndpoint) LinkAddress() tcpip.LinkAddress {
 	return ""
 }

-func (ep *wireEndpoint) SetLinkAddress(addr tcpip.LinkAddress) {
-}
-
 func (ep *wireEndpoint) Capabilities() stack.LinkEndpointCapabilities {
 	return stack.CapabilityRXChecksumOffload
 }
@@ -303,9 +297,3 @@ func (ep *wireEndpoint) WritePackets(list stack.PacketBufferList) (int, tcpip.Er
 	}
 	return list.Len(), nil
 }
-
-func (ep *wireEndpoint) Close() {
-}
-
-func (ep *wireEndpoint) SetOnCloseAction(f func()) {
-}
Author	SHA1	Message	Date
renovate[bot]	05a431d203	[dependencies] Update actions/checkout digest to eef6144	2024-10-07 18:49:40 +00:00
世界	e68a9e623f	documentation: Bump version	2024-10-07 04:58:58 +08:00
世界	a9bb07db4a	Update utls to v1.6.7	2024-10-07 04:58:58 +08:00
srk24	a07219d16d	Add `process_path_regex` rule type	2024-10-07 04:58:58 +08:00
世界	6362b778c9	clash-api: Add PNA support	2024-10-07 04:58:57 +08:00
世界	cb46b648d7	Add RDP sniffer	2024-10-07 04:58:57 +08:00
世界	04613c27e2	Add SSH sniffer	2024-10-07 04:58:57 +08:00
世界	795e1cf2f0	Write close error to log	2024-10-07 04:58:56 +08:00
世界	1e36c75336	Add AdGuard DNS filter support	2024-10-07 04:58:56 +08:00
世界	5a2c7037fe	Improve QUIC sniffer	2024-10-07 04:58:56 +08:00
世界	852c07c050	Add inline rule-set & Add reload for local rule-set	2024-10-07 04:58:56 +08:00
世界	c2ab497ff4	Unique rule-set names	2024-10-07 04:58:54 +08:00
世界	1e3c136440	Add accept empty DNS rule option	2024-10-07 04:58:54 +08:00
世界	7a2cd77798	Add custom options for TUN `auto-route` and `auto-redirect`	2024-10-07 04:58:54 +08:00
世界	1cdaea49b6	Improve base DNS transports & Minor fixes	2024-10-07 04:58:53 +08:00
世界	a50b0bc1a9	Add auto-redirect & Improve auto-route	2024-10-07 04:58:53 +08:00
世界	00e6210928	Add `rule-set decompile` command	2024-10-07 04:58:53 +08:00
世界	2dbeb63b4e	Add IP address support for `rule-set match` match	2024-10-07 04:58:52 +08:00
世界	744cc985ba	Improve usages of `json.Unmarshal`	2024-10-07 04:58:52 +08:00
世界	bd122478fc	Bump rule-set version	2024-10-07 04:58:51 +08:00
世界	a18179ad24	Implement read deadline for QUIC based UDP inbounds	2024-10-07 04:58:50 +08:00
世界	388c75a815	WTF is this	2024-10-07 04:58:50 +08:00
世界	8d0d49c388	platform: Fix clash server reload on android	2024-10-07 04:58:50 +08:00
世界	03f5d6e4f2	platform: Add log update interval	2024-10-07 04:58:50 +08:00
世界	25065d766a	platform: Prepare connections list	2024-10-07 04:58:49 +08:00