Bump version

.github/workflows/build.yml

@@ -0,0 +1,599 @@
+name: Build
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version name"
+        required: true
+        type: string
+      build:
+        description: "Build type"
+        required: true
+        type: choice
+        default: "All"
+        options:
+          - All
+          - Binary
+          - Android
+          - Apple
+          - app-store
+          - iOS
+          - macOS
+          - tvOS
+          - macOS-standalone
+          - publish-android
+  push:
+    branches:
+      - main-next
+      - dev-next
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
+  cancel-in-progress: true
+
+jobs:
+  calculate_version:
+    name: Calculate version
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.outputs.outputs.version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.23
+      - name: Check input version
+        if: github.event_name == 'workflow_dispatch'
+        run: |-
+          echo "version=${{ inputs.version }}" 
+          echo "version=${{ inputs.version }}" >> "$GITHUB_ENV"
+      - name: Calculate version
+        if: github.event_name != 'workflow_dispatch'
+        run: |-
+          go run -v ./cmd/internal/read_tag --nightly
+      - name: Set outputs
+        id: outputs
+        run: |-
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+  build:
+    name: Build binary
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
+    runs-on: ubuntu-latest
+    needs:
+      - calculate_version
+    strategy:
+      matrix:
+        include:
+          - name: linux_386
+            goos: linux
+            goarch: 386
+          - name: linux_amd64
+            goos: linux
+            goarch: amd64
+          - name: linux_arm64
+            goos: linux
+            goarch: arm64
+          - name: linux_arm
+            goos: linux
+            goarch: arm
+            goarm: 6
+          - name: linux_arm_v7
+            goos: linux
+            goarch: arm
+            goarm: 7
+          - name: linux_s390x
+            goos: linux
+            goarch: s390x
+          - name: linux_riscv64
+            goos: linux
+            goarch: riscv64
+          - name: linux_mips64le
+            goos: linux
+            goarch: mips64le
+          - name: windows_amd64
+            goos: windows
+            goarch: amd64
+            require_legacy_go: true
+          - name: windows_386
+            goos: windows
+            goarch: 386
+            require_legacy_go: true
+          - name: windows_arm64
+            goos: windows
+            goarch: arm64
+          - name: darwin_arm64
+            goos: darwin
+            goarch: arm64
+          - name: darwin_amd64
+            goos: darwin
+            goarch: amd64
+            require_legacy_go: true
+          - name: android_arm64
+            goos: android
+            goarch: arm64
+          - name: android_arm
+            goos: android
+            goarch: arm
+            goarm: 7
+          - name: android_amd64
+            goos: android
+            goarch: amd64
+          - name: android_386
+            goos: android
+            goarch: 386
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.23
+      - name: Cache legacy Go
+        if: matrix.require_legacy_go
+        id: cache-legacy-go
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/go/go1.20.14
+          key: go120
+      - name: Setup legacy Go
+        if: matrix.require_legacy_go == 'true' && steps.cache-legacy-go.outputs.cache-hit != 'true'
+        run: |-
+          wget https://dl.google.com/go/go1.20.14.linux-amd64.tar.gz
+          tar -xzf go1.20.14.linux-amd64.tar.gz
+          mv go $HOME/go/go1.20.14
+      - name: Setup Android NDK
+        if: matrix.goos == 'android'
+        uses: nttld/setup-ndk@v1
+        with:
+          ndk-version: r28-beta2
+          local-cache: true
+      - name: Setup Goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser-pro
+          version: latest
+          install-only: true
+      - name: Extract signing key
+        run: |-
+          mkdir -p $HOME/.gnupg
+          cat > $HOME/.gnupg/sagernet.key <<EOF
+          ${{ secrets.GPG_KEY }}
+          EOF
+          echo "HOME=$HOME" >> "$GITHUB_ENV"
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+      - name: Build
+        if: matrix.goos != 'android'
+        run: |-
+          goreleaser release --clean --split
+        env:
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+          GOPATH: ${{ env.HOME }}/go
+          GOARM: ${{ matrix.goarm }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
+          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+      - name: Build Android
+        if: matrix.goos == 'android'
+        run: |-
+          go install -v ./cmd/internal/build
+          GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build goreleaser release --clean --split
+        env:
+          BUILD_GOOS: ${{ matrix.goos }}
+          BUILD_GOARCH: ${{ matrix.goarch }}
+          GOARM: ${{ matrix.goarm }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
+          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+      - name: Upload artifact
+        if: github.event_name == 'workflow_dispatch'
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-${{ matrix.name }}
+          path: 'dist'
+  build_android:
+    name: Build Android
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
+    runs-on: ubuntu-latest
+    needs:
+      - calculate_version
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+          submodules: 'recursive'
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.23
+      - name: Setup Android NDK
+        id: setup-ndk
+        uses: nttld/setup-ndk@v1
+        with:
+          ndk-version: r28-beta2
+      - name: Setup OpenJDK
+        run: |-
+          sudo apt update && sudo apt install -y openjdk-17-jdk-headless
+          /usr/lib/jvm/java-17-openjdk-amd64/bin/java --version
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+      - name: Build library
+        run: |-
+          make lib_install
+          export PATH="$PATH:$(go env GOPATH)/bin"
+          make lib_android
+        env:
+          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
+          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
+      - name: Checkout main branch
+        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        run: |-
+          cd clients/android
+          git checkout main
+      - name: Checkout dev branch
+        if: github.ref == 'refs/heads/dev-next'
+        run: |-
+          cd clients/android
+          git checkout dev
+      - name: Gradle cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.gradle
+          key: gradle-${{ hashFiles('**/*.gradle') }}
+      - name: Build
+        run: |-
+          go run -v ./cmd/internal/update_android_version --ci
+          mkdir clients/android/app/libs
+          cp libbox.aar clients/android/app/libs
+          cd clients/android
+          ./gradlew :app:assemblePlayRelease :app:assembleOtherRelease
+        env:
+          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
+          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
+          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
+      - name: Prepare upload
+        if: github.event_name == 'workflow_dispatch'
+        run: |-
+          mkdir -p dist/release
+          cp clients/android/app/build/outputs/apk/play/release/*.apk dist/release
+          cp clients/android/app/build/outputs/apk/other/release/*-universal.apk dist/release
+      - name: Upload artifact
+        if: github.event_name == 'workflow_dispatch'
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-android-apks
+          path: 'dist'
+  publish_android:
+    name: Publish Android
+    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
+    runs-on: ubuntu-latest
+    needs:
+      - calculate_version
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+          submodules: 'recursive'
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.23
+      - name: Setup Android NDK
+        id: setup-ndk
+        uses: nttld/setup-ndk@v1
+        with:
+          ndk-version: r28-beta2
+      - name: Setup OpenJDK
+        run: |-
+          sudo apt update && sudo apt install -y openjdk-17-jdk-headless
+          /usr/lib/jvm/java-17-openjdk-amd64/bin/java --version
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+      - name: Build library
+        run: |-
+          make lib_install
+          export PATH="$PATH:$(go env GOPATH)/bin"
+          make lib_android
+        env:
+          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
+          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
+      - name: Checkout main branch
+        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        run: |-
+          cd clients/android
+          git checkout main
+      - name: Checkout dev branch
+        if: github.ref == 'refs/heads/dev-next'
+        run: |-
+          cd clients/android
+          git checkout dev
+      - name: Gradle cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.gradle
+          key: gradle-${{ hashFiles('**/*.gradle') }}
+      - name: Build
+        run: |-
+          go run -v ./cmd/internal/update_android_version --ci
+          mkdir clients/android/app/libs
+          cp libbox.aar clients/android/app/libs
+          cd clients/android
+          echo -n "$SERVICE_ACCOUNT_CREDENTIALS" | base64 --decode > service-account-credentials.json
+          ./gradlew :app:publishPlayReleaseBundle
+        env:
+          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
+          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
+          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
+          SERVICE_ACCOUNT_CREDENTIALS: ${{ secrets.SERVICE_ACCOUNT_CREDENTIALS }}
+  build_apple:
+    name: Build Apple clients
+    runs-on: macos-15
+    needs:
+      - calculate_version
+    strategy:
+      matrix:
+        include:
+          - name: iOS
+            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'iOS' }}
+            platform: ios
+            scheme: SFI
+            destination: 'generic/platform=iOS'
+            archive: build/SFI.xcarchive
+            upload: SFI/Upload.plist
+          - name: macOS
+            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'macOS' }}
+            platform: macos
+            scheme: SFM
+            destination: 'generic/platform=macOS'
+            archive: build/SFM.xcarchive
+            upload: SFI/Upload.plist
+          - name: tvOS
+            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'tvOS' }}
+            platform: tvos
+            scheme: SFT
+            destination: 'generic/platform=tvOS'
+            archive: build/SFT.xcarchive
+            upload: SFI/Upload.plist
+          - name: macOS-standalone
+            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone' }}
+            platform: macos
+            scheme: SFM.System
+            destination: 'generic/platform=macOS'
+            archive: build/SFM.System.xcarchive
+            export: SFM.System/Export.plist
+            export_path: build/SFM.System
+    steps:
+      - name: Checkout
+        if: matrix.if
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+          submodules: 'recursive'
+      - name: Setup Go
+        if: matrix.if
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.23
+      - name: Setup Xcode stable
+        if: matrix.if && github.ref == 'refs/heads/main-next'
+        run: |-
+          sudo xcode-select -s /Applications/Xcode_16.2.app
+      - name: Setup Xcode beta
+        if: matrix.if && github.ref == 'refs/heads/dev-next'
+        run: |-
+          sudo xcode-select -s /Applications/Xcode_16.2.app
+      - name: Set tag
+        if: matrix.if
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
+      - name: Checkout main branch
+        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        run: |-
+          cd clients/apple
+          git checkout main
+      - name: Checkout dev branch
+        if: matrix.if && github.ref == 'refs/heads/dev-next'
+        run: |-
+          cd clients/apple
+          git checkout dev
+      - name: Setup certificates
+        if: matrix.if
+        run: |-
+          CERTIFICATE_PATH=$RUNNER_TEMP/Certificates.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/certificates.keychain-db
+          echo -n "$CERTIFICATES_P12" | base64 --decode -o $CERTIFICATE_PATH
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+
+          PROFILES_ZIP_PATH=$RUNNER_TEMP/Profiles.zip
+          echo -n "$PROVISIONING_PROFILES" | base64 --decode -o $PROFILES_ZIP_PATH
+          
+          PROFILES_PATH="$HOME/Library/MobileDevice/Provisioning Profiles"
+          mkdir -p "$PROFILES_PATH"
+          unzip $PROFILES_ZIP_PATH -d "$PROFILES_PATH"
+          
+          ASC_KEY_PATH=$RUNNER_TEMP/Key.p12
+          echo -n "$ASC_KEY" | base64 --decode -o $ASC_KEY_PATH
+          
+          xcrun notarytool store-credentials "notarytool-password" \
+            --key $ASC_KEY_PATH \
+            --key-id $ASC_KEY_ID \
+            --issuer $ASC_KEY_ISSUER_ID
+          
+          echo "ASC_KEY_PATH=$ASC_KEY_PATH" >> "$GITHUB_ENV"
+          echo "ASC_KEY_ID=$ASC_KEY_ID" >> "$GITHUB_ENV"
+          echo "ASC_KEY_ISSUER_ID=$ASC_KEY_ISSUER_ID" >> "$GITHUB_ENV"
+        env:
+          CERTIFICATES_P12: ${{ secrets.CERTIFICATES_P12 }}
+          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.P12_PASSWORD }}
+          PROVISIONING_PROFILES: ${{ secrets.PROVISIONING_PROFILES }}
+          ASC_KEY: ${{ secrets.ASC_KEY }}
+          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
+          ASC_KEY_ISSUER_ID: ${{ secrets.ASC_KEY_ISSUER_ID }}
+      - name: Build library
+        if: matrix.if
+        run: |-
+          make lib_install
+          export PATH="$PATH:$(go env GOPATH)/bin"
+          go run ./cmd/internal/build_libbox -target apple -platform ${{ matrix.platform }}
+          mv Libbox.xcframework clients/apple
+      - name: Update macOS version
+        if: matrix.if && matrix.name == 'macOS' && github.event_name == 'workflow_dispatch'
+        run: |-
+          MACOS_PROJECT_VERSION=$(go run -v ./cmd/internal/app_store_connect next_macos_project_version)
+          echo "MACOS_PROJECT_VERSION=$MACOS_PROJECT_VERSION"
+          echo "MACOS_PROJECT_VERSION=$MACOS_PROJECT_VERSION" >> "$GITHUB_ENV"
+      - name: Build
+        if: matrix.if
+        run: |-
+          go run -v ./cmd/internal/update_apple_version --ci
+          cd clients/apple
+          xcodebuild archive \
+            -scheme "${{ matrix.scheme }}" \
+            -configuration Release \
+            -destination "${{ matrix.destination }}" \
+            -archivePath "${{ matrix.archive }}" \
+            -allowProvisioningUpdates \
+            -authenticationKeyPath $ASC_KEY_PATH \
+            -authenticationKeyID $ASC_KEY_ID \
+            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
+      - name: Upload to App Store Connect
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch'
+        run: |-
+          go run -v ./cmd/internal/app_store_connect cancel_app_store ${{ matrix.platform }}
+          cd clients/apple
+          xcodebuild -exportArchive \
+            -archivePath "${{ matrix.archive }}" \
+            -exportOptionsPlist ${{ matrix.upload }} \
+            -allowProvisioningUpdates \
+            -authenticationKeyPath $ASC_KEY_PATH \
+            -authenticationKeyID $ASC_KEY_ID \
+            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
+      - name: Publish to TestFlight
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
+        run: |-
+          go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
+      - name: Build image
+        if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
+        run: |-
+          pushd clients/apple
+          xcodebuild -exportArchive \
+          	-archivePath "${{ matrix.archive }}" \
+          	-exportOptionsPlist ${{ matrix.export }} \
+          	-exportPath "${{ matrix.export_path }}"
+          brew install create-dmg
+          create-dmg \
+          	--volname "sing-box" \
+          	--volicon "${{ matrix.export_path }}/SFM.app/Contents/Resources/AppIcon.icns" \
+          	--icon "SFM.app" 0 0 \
+          		--hide-extension "SFM.app" \
+          		--app-drop-link 0 0 \
+          		--skip-jenkins \
+          	SFM.dmg "${{ matrix.export_path }}/SFM.app"
+          xcrun notarytool submit "SFM.dmg" --wait --keychain-profile "notarytool-password"          
+          cd "${{ matrix.archive }}"
+          zip -r SFM.dSYMs.zip dSYMs
+          popd
+          
+          mkdir -p dist/release
+          cp clients/apple/SFM.dmg "dist/release/SFM-${VERSION}-universal.dmg"
+          cp "clients/apple/${{ matrix.archive }}/SFM.dSYMs.zip" "dist/release/SFM-${VERSION}-universal.dSYMs.zip"
+      - name: Upload image
+        if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-macos-dmg
+          path: 'dist'
+  upload:
+    name: Upload builds
+    if: always() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')
+    runs-on: ubuntu-latest
+    needs:
+      - calculate_version
+      - build
+      - build_android
+      - build_apple
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser-pro
+          version: latest
+          install-only: true
+      - name: Cache ghr
+        uses: actions/cache@v4
+        id: cache-ghr
+        with:
+          path: |
+            ~/go/bin/ghr
+          key: ghr
+      - name: Setup ghr
+        if: steps.cache-ghr.outputs.cache-hit != 'true'
+        run: |-
+          cd $HOME
+          git clone https://github.com/nekohasekai/ghr ghr
+          cd ghr
+          go install -v .
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
+      - name: Download builds
+        uses: actions/download-artifact@v4
+        with:
+          path: dist
+          merge-multiple: true
+      - name: Merge builds
+        if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
+        run: |-
+          goreleaser continue --merge --skip publish
+          mkdir -p dist/release
+          mv dist/*/sing-box*{tar.gz,zip,deb,rpm,_amd64.pkg.tar.zst,_arm64.pkg.tar.zst} dist/release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      - name: Upload builds
+        if: ${{ env.PUBLISHED == 'false' }}
+        run: |-
+          export PATH="$PATH:$HOME/go/bin"
+          ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Replace builds
+        if: ${{ env.PUBLISHED != 'false' }}
+        run: |-
+          export PATH="$PATH:$HOME/go/bin"
+          ghr --replace -p 5 "v${VERSION}" dist/release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/debug.yml

@@ -1,219 +0,0 @@
-name: Debug build
-
-on:
-  push:
-    branches:
-      - stable-next
-      - main-next
-      - dev-next
-    paths-ignore:
-      - '**.md'
-      - '.github/**'
-      - '!.github/workflows/debug.yml'
-  pull_request:
-    branches:
-      - stable-next
-      - main-next
-      - dev-next
-
-jobs:
-  build:
-    name: Debug build
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.23
-      - name: Run Test
-        run: |
-          go test -v ./...
-  build_go120:
-    name: Debug build (Go 1.20)
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.20
-      - name: Cache go module
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go120-${{ hashFiles('**/go.sum') }}
-      - name: Run Test
-        run: make ci_build_go120
-  build_go121:
-    name: Debug build (Go 1.21)
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.21
-      - name: Cache go module
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go121-${{ hashFiles('**/go.sum') }}
-      - name: Run Test
-        run: make ci_build
-  build_go122:
-    name: Debug build (Go 1.22)
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.22
-      - name: Cache go module
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go122-${{ hashFiles('**/go.sum') }}
-      - name: Run Test
-        run: make ci_build
-  cross:
-    strategy:
-      matrix:
-        include:
-          # windows
-          - name: windows-amd64
-            goos: windows
-            goarch: amd64
-            goamd64: v1
-          - name: windows-amd64-v3
-            goos: windows
-            goarch: amd64
-            goamd64: v3
-          - name: windows-386
-            goos: windows
-            goarch: 386
-          - name: windows-arm64
-            goos: windows
-            goarch: arm64
-          - name: windows-arm32v7
-            goos: windows
-            goarch: arm
-            goarm: 7
-          
-          # linux
-          - name: linux-amd64
-            goos: linux
-            goarch: amd64
-            goamd64: v1
-          - name: linux-amd64-v3
-            goos: linux
-            goarch: amd64
-            goamd64: v3
-          - name: linux-386
-            goos: linux
-            goarch: 386
-          - name: linux-arm64
-            goos: linux
-            goarch: arm64
-          - name: linux-armv5
-            goos: linux
-            goarch: arm
-            goarm: 5
-          - name: linux-armv6
-            goos: linux
-            goarch: arm
-            goarm: 6
-          - name: linux-armv7
-            goos: linux
-            goarch: arm
-            goarm: 7
-          - name: linux-mips-softfloat
-            goos: linux
-            goarch: mips
-            gomips: softfloat
-          - name: linux-mips-hardfloat
-            goos: linux
-            goarch: mips
-            gomips: hardfloat
-          - name: linux-mipsel-softfloat
-            goos: linux
-            goarch: mipsle
-            gomips: softfloat
-          - name: linux-mipsel-hardfloat
-            goos: linux
-            goarch: mipsle
-            gomips: hardfloat
-          - name: linux-mips64
-            goos: linux
-            goarch: mips64
-          - name: linux-mips64el
-            goos: linux
-            goarch: mips64le
-          - name: linux-s390x
-            goos: linux
-            goarch: s390x
-          # darwin
-          - name: darwin-amd64
-            goos: darwin
-            goarch: amd64
-            goamd64: v1
-          - name: darwin-amd64-v3
-            goos: darwin
-            goarch: amd64
-            goamd64: v3
-          - name: darwin-arm64
-            goos: darwin
-            goarch: arm64
-          # freebsd
-          - name: freebsd-amd64
-            goos: freebsd
-            goarch: amd64
-            goamd64: v1
-          - name: freebsd-amd64-v3
-            goos: freebsd
-            goarch: amd64
-            goamd64: v3
-          - name: freebsd-386
-            goos: freebsd
-            goarch: 386
-          - name: freebsd-arm64
-            goos: freebsd
-            goarch: arm64
-      fail-fast: true
-    runs-on: ubuntu-latest
-    env:
-      GOOS: ${{ matrix.goos }}
-      GOARCH: ${{ matrix.goarch }}
-      GOAMD64: ${{ matrix.goamd64 }}
-      GOARM: ${{ matrix.goarm }}
-      GOMIPS: ${{ matrix.gomips }}
-      CGO_ENABLED: 0
-      TAGS: with_clash_api,with_quic
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.21
-      - name: Build
-        id: build
-        run: make

.github/workflows/linux.yml

@@ -22,7 +22,6 @@ jobs:
           mkdir -p $HOME/.gnupg
           cat > $HOME/.gnupg/sagernet.key <<EOF
           ${{ secrets.GPG_KEY }}
-          echo "HOME=$HOME" >> "$GITHUB_ENV"
           EOF
           echo "HOME=$HOME" >> "$GITHUB_ENV"
       - name: Publish release

.golangci.yml

@@ -22,6 +22,16 @@ linters-settings:
 
 run:
   go: "1.23"
+  build-tags:
+    - with_gvisor
+    - with_quic
+    - with_dhcp
+    - with_wireguard
+    - with_ech
+    - with_utls
+    - with_reality_server
+    - with_acme
+    - with_clash_api
 
 issues:
   exclude-dirs:

.goreleaser.yaml

@@ -200,4 +200,6 @@ release:
   ids:
     - archive
     - package
-  skip_upload: true
+  skip_upload: true
+partial:
+  by: target

Makefile

@@ -71,7 +71,7 @@ release:
 		dist/*_amd64.pkg.tar.zst \
 		dist/*_arm64.pkg.tar.zst \
 		dist/release
-	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
+	ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release
 	rm -r dist/release
 
 release_repo:
@@ -90,22 +90,20 @@ upload_android:
 	mkdir -p dist/release_android
 	cp ../sing-box-for-android/app/build/outputs/apk/play/release/*.apk dist/release_android
 	cp ../sing-box-for-android/app/build/outputs/apk/other/release/*-universal.apk dist/release_android
-	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
+	ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release_android
 	rm -rf dist/release_android
 
 release_android: lib_android update_android_version build_android upload_android
 
 publish_android:
-	cd ../sing-box-for-android && ./gradlew :app:publishPlayReleaseBundle
-
-publish_android_appcenter:
-	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadPlayRelease
-
+	cd ../sing-box-for-android && ./gradlew :app:publishPlayReleaseBundle && ./gradlew --stop
 
 # TODO: find why and remove `-destination 'generic/platform=iOS'`
+# TODO: remove xcode clean when fix control widget fixed
 build_ios:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFI.xcarchive && \
+	xcodebuild clean -scheme SFI && \
 	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates
 
 upload_ios_app_store:
@@ -147,9 +145,13 @@ build_macos_dmg:
  		--hide-extension "SFM.app" \
  		--app-drop-link 0 0 \
  		--skip-jenkins \
-		--notarize "notarytool-password" \
 		"../sing-box/dist/SFM/SFM.dmg" "build/SFM.System/SFM.app"
 
+notarize_macos_dmg:
+	xcrun notarytool submit "dist/SFM/SFM.dmg" --wait \
+	  --keychain-profile "notarytool-password" \
+  	  --no-s3-acceleration
+
 upload_macos_dmg:
 	cd dist/SFM && \
 	cp SFM.dmg "SFM-${VERSION}-universal.dmg" && \
@@ -164,7 +166,7 @@ upload_macos_dsyms:
 	cp SFM.dSYMs.zip "SFM-${VERSION}-universal.dSYMs.zip" && \
 	ghr --replace --draft --prerelease "v${VERSION}" "SFM-${VERSION}-universal.dSYMs.zip"
 
-release_macos_standalone: build_macos_standalone build_macos_dmg upload_macos_dmg upload_macos_dsyms
+release_macos_standalone: build_macos_standalone build_macos_dmg notarize_macos_dmg upload_macos_dmg upload_macos_dsyms
 
 build_tvos:
 	cd ../sing-box-for-apple && \
@@ -180,10 +182,22 @@ release_tvos: build_tvos upload_tvos_app_store
 update_apple_version:
 	go run ./cmd/internal/update_apple_version
 
+update_macos_version:
+	MACOS_PROJECT_VERSION=$(shell go run -v ./cmd/internal/app_store_connect next_macos_project_version) go run ./cmd/internal/update_apple_version
+
 release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_standalone
 
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
 
+publish_testflight:
+	go run -v ./cmd/internal/app_store_connect publish_testflight
+
+prepare_app_store:
+	go run -v ./cmd/internal/app_store_connect prepare_app_store
+
+publish_app_store:
+	go run -v ./cmd/internal/app_store_connect publish_app_store
+
 test:
 	@go test -v ./... && \
 	cd test && \
@@ -199,8 +213,14 @@ test_stdio:
 lib_android:
 	go run ./cmd/internal/build_libbox -target android
 
+lib_android_debug:
+	go run ./cmd/internal/build_libbox -target android -debug
+
+lib_apple:
+	go run ./cmd/internal/build_libbox -target apple
+
 lib_ios:
-	go run ./cmd/internal/build_libbox -target ios
+	go run ./cmd/internal/build_libbox -target apple -platform ios -debug
 
 lib:
 	go run ./cmd/internal/build_libbox -target android

adapter/conn_router.go

@@ -0,0 +1,104 @@
+package adapter
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type ConnectionRouter interface {
+	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+}
+
+func NewRouteHandler(
+	metadata InboundContext,
+	router ConnectionRouter,
+	logger logger.ContextLogger,
+) UpstreamHandlerAdapter {
+	return &routeHandlerWrapper{
+		metadata: metadata,
+		router:   router,
+		logger:   logger,
+	}
+}
+
+func NewRouteContextHandler(
+	router ConnectionRouter,
+	logger logger.ContextLogger,
+) UpstreamHandlerAdapter {
+	return &routeContextHandlerWrapper{
+		router: router,
+		logger: logger,
+	}
+}
+
+var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
+
+type routeHandlerWrapper struct {
+	metadata InboundContext
+	router   ConnectionRouter
+	logger   logger.ContextLogger
+}
+
+func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RouteConnection(ctx, conn, myMetadata)
+}
+
+func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
+}
+
+func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.logger.ErrorContext(ctx, err)
+}
+
+var _ UpstreamHandlerAdapter = (*routeContextHandlerWrapper)(nil)
+
+type routeContextHandlerWrapper struct {
+	router ConnectionRouter
+	logger logger.ContextLogger
+}
+
+func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RouteConnection(ctx, conn, *myMetadata)
+}
+
+func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
+}
+
+func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.logger.ErrorContext(ctx, err)
+}

adapter/handler.go

@@ -6,53 +6,27 @@ import (
 
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
-// Deprecated
 type ConnectionHandler interface {
 	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 }
 
-type ConnectionHandlerEx interface {
-	NewConnectionEx(ctx context.Context, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
-}
-
-// Deprecated: use PacketHandlerEx instead
 type PacketHandler interface {
 	NewPacket(ctx context.Context, conn N.PacketConn, buffer *buf.Buffer, metadata InboundContext) error
 }
 
-type PacketHandlerEx interface {
-	NewPacketEx(buffer *buf.Buffer, source M.Socksaddr)
-}
-
-// Deprecated: use OOBPacketHandlerEx instead
 type OOBPacketHandler interface {
 	NewPacket(ctx context.Context, conn N.PacketConn, buffer *buf.Buffer, oob []byte, metadata InboundContext) error
 }
 
-type OOBPacketHandlerEx interface {
-	NewPacketEx(buffer *buf.Buffer, oob []byte, source M.Socksaddr)
-}
-
-// Deprecated
 type PacketConnectionHandler interface {
 	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }
 
-type PacketConnectionHandlerEx interface {
-	NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
-}
-
 type UpstreamHandlerAdapter interface {
 	N.TCPConnectionHandler
 	N.UDPConnectionHandler
 	E.Handler
 }
-
-type UpstreamHandlerAdapterEx interface {
-	N.TCPConnectionHandlerEx
-	N.UDPConnectionHandlerEx
-}

adapter/inbound.go

@@ -2,12 +2,13 @@ package adapter
 
 import (
 	"context"
+	"net"
 	"net/netip"
 
 	"github.com/sagernet/sing-box/common/process"
-	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
 )
 
 type Inbound interface {
@@ -16,19 +17,11 @@ type Inbound interface {
 	Tag() string
 }
 
-type TCPInjectableInbound interface {
+type InjectableInbound interface {
 	Inbound
-	ConnectionHandlerEx
-}
-
-type UDPInjectableInbound interface {
-	Inbound
-	PacketConnectionHandlerEx
-}
-
-type InboundRegistry interface {
-	option.InboundOptionsRegistry
-	CreateInbound(ctx context.Context, router Router, logger log.ContextLogger, tag string, outboundType string, options any) (Inbound, error)
+	Network() []string
+	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }
 
 type InboundContext struct {
@@ -50,17 +43,10 @@ type InboundContext struct {
 
 	// cache
 
-	// Deprecated: implement in rule action
-	InboundDetour     string
-	LastInbound       string
-	OriginDestination M.Socksaddr
-	// Deprecated
-	InboundOptions            option.InboundOptions
-	UDPDisableDomainUnmapping bool
-	UDPConnect                bool
-
-	DNSServer string
-
+	InboundDetour        string
+	LastInbound          string
+	OriginDestination    M.Socksaddr
+	InboundOptions       option.InboundOptions
 	DestinationAddresses []netip.Addr
 	SourceGeoIPCode      string
 	GeoIPCode            string

adapter/inbound/adapter.go

@@ -1,21 +0,0 @@
-package inbound
-
-type Adapter struct {
-	inboundType string
-	inboundTag  string
-}
-
-func NewAdapter(inboundType string, inboundTag string) Adapter {
-	return Adapter{
-		inboundType: inboundType,
-		inboundTag:  inboundTag,
-	}
-}
-
-func (a *Adapter) Type() string {
-	return a.inboundType
-}
-
-func (a *Adapter) Tag() string {
-	return a.inboundTag
-}

adapter/inbound/registry.go

@@ -1,68 +0,0 @@
-package inbound
-
-import (
-	"context"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type ConstructorFunc[T any] func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options T) (adapter.Inbound, error)
-
-func Register[Options any](registry *Registry, outboundType string, constructor ConstructorFunc[Options]) {
-	registry.register(outboundType, func() any {
-		return new(Options)
-	}, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Inbound, error) {
-		return constructor(ctx, router, logger, tag, common.PtrValueOrDefault(options.(*Options)))
-	})
-}
-
-var _ adapter.InboundRegistry = (*Registry)(nil)
-
-type (
-	optionsConstructorFunc func() any
-	constructorFunc        func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Inbound, error)
-)
-
-type Registry struct {
-	access       sync.Mutex
-	optionsType  map[string]optionsConstructorFunc
-	constructors map[string]constructorFunc
-}
-
-func NewRegistry() *Registry {
-	return &Registry{
-		optionsType:  make(map[string]optionsConstructorFunc),
-		constructors: make(map[string]constructorFunc),
-	}
-}
-
-func (r *Registry) CreateOptions(outboundType string) (any, bool) {
-	r.access.Lock()
-	defer r.access.Unlock()
-	optionsConstructor, loaded := r.optionsType[outboundType]
-	if !loaded {
-		return nil, false
-	}
-	return optionsConstructor(), true
-}
-
-func (r *Registry) CreateInbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, outboundType string, options any) (adapter.Inbound, error) {
-	r.access.Lock()
-	defer r.access.Unlock()
-	constructor, loaded := r.constructors[outboundType]
-	if !loaded {
-		return nil, E.New("outbound type not found: " + outboundType)
-	}
-	return constructor(ctx, router, logger, tag, options)
-}
-
-func (r *Registry) register(outboundType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
-	r.access.Lock()
-	defer r.access.Unlock()
-	r.optionsType[outboundType] = optionsConstructor
-	r.constructors[outboundType] = constructor
-}

adapter/outbound.go

@@ -2,9 +2,8 @@ package adapter
 
 import (
 	"context"
+	"net"
 
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -16,9 +15,6 @@ type Outbound interface {
 	Network() []string
 	Dependencies() []string
 	N.Dialer
-}
-
-type OutboundRegistry interface {
-	option.OutboundOptionsRegistry
-	CreateOutbound(ctx context.Context, router Router, logger log.ContextLogger, tag string, outboundType string, options any) (Outbound, error)
+	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }

adapter/outbound/adapter.go

@@ -1,45 +0,0 @@
-package outbound
-
-import (
-	"github.com/sagernet/sing-box/option"
-)
-
-type Adapter struct {
-	protocol     string
-	network      []string
-	tag          string
-	dependencies []string
-}
-
-func NewAdapter(protocol string, network []string, tag string, dependencies []string) Adapter {
-	return Adapter{
-		protocol:     protocol,
-		network:      network,
-		tag:          tag,
-		dependencies: dependencies,
-	}
-}
-
-func NewAdapterWithDialerOptions(protocol string, network []string, tag string, dialOptions option.DialerOptions) Adapter {
-	var dependencies []string
-	if dialOptions.Detour != "" {
-		dependencies = []string{dialOptions.Detour}
-	}
-	return NewAdapter(protocol, network, tag, dependencies)
-}
-
-func (a *Adapter) Type() string {
-	return a.protocol
-}
-
-func (a *Adapter) Tag() string {
-	return a.tag
-}
-
-func (a *Adapter) Network() []string {
-	return a.network
-}
-
-func (a *Adapter) Dependencies() []string {
-	return a.dependencies
-}

adapter/outbound/registry.go

@@ -1,68 +0,0 @@
-package outbound
-
-import (
-	"context"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type ConstructorFunc[T any] func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options T) (adapter.Outbound, error)
-
-func Register[Options any](registry *Registry, outboundType string, constructor ConstructorFunc[Options]) {
-	registry.register(outboundType, func() any {
-		return new(Options)
-	}, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Outbound, error) {
-		return constructor(ctx, router, logger, tag, common.PtrValueOrDefault(options.(*Options)))
-	})
-}
-
-var _ adapter.OutboundRegistry = (*Registry)(nil)
-
-type (
-	optionsConstructorFunc func() any
-	constructorFunc        func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Outbound, error)
-)
-
-type Registry struct {
-	access       sync.Mutex
-	optionsType  map[string]optionsConstructorFunc
-	constructors map[string]constructorFunc
-}
-
-func NewRegistry() *Registry {
-	return &Registry{
-		optionsType:  make(map[string]optionsConstructorFunc),
-		constructors: make(map[string]constructorFunc),
-	}
-}
-
-func (r *Registry) CreateOptions(outboundType string) (any, bool) {
-	r.access.Lock()
-	defer r.access.Unlock()
-	optionsConstructor, loaded := r.optionsType[outboundType]
-	if !loaded {
-		return nil, false
-	}
-	return optionsConstructor(), true
-}
-
-func (r *Registry) CreateOutbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, outboundType string, options any) (adapter.Outbound, error) {
-	r.access.Lock()
-	defer r.access.Unlock()
-	constructor, loaded := r.constructors[outboundType]
-	if !loaded {
-		return nil, E.New("outbound type not found: " + outboundType)
-	}
-	return constructor(ctx, router, logger, tag, options)
-}
-
-func (r *Registry) register(outboundType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
-	r.access.Lock()
-	defer r.access.Unlock()
-	r.optionsType[outboundType] = optionsConstructor
-	r.constructors[outboundType] = constructor
-}

adapter/router.go

@@ -34,8 +34,6 @@ type Router interface {
 	FakeIPStore() FakeIPStore
 
 	ConnectionRouter
-	PreMatch(metadata InboundContext) error
-	ConnectionRouterEx
 
 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
@@ -72,18 +70,6 @@ type Router interface {
 	ResetNetwork() error
 }
 
-// Deprecated: Use ConnectionRouterEx instead.
-type ConnectionRouter interface {
-	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
-	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
-}
-
-type ConnectionRouterEx interface {
-	ConnectionRouter
-	RouteConnectionEx(ctx context.Context, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
-	RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
-}
-
 func ContextWithRouter(ctx context.Context, router Router) context.Context {
 	return service.ContextWith(ctx, router)
 }
@@ -92,6 +78,28 @@ func RouterFromContext(ctx context.Context) Router {
 	return service.FromContext[Router](ctx)
 }
 
+type HeadlessRule interface {
+	Match(metadata *InboundContext) bool
+	String() string
+}
+
+type Rule interface {
+	HeadlessRule
+	Service
+	Type() string
+	UpdateGeosite() error
+	Outbound() string
+}
+
+type DNSRule interface {
+	Rule
+	DisableCache() bool
+	RewriteTTL() *uint32
+	ClientSubnet() *netip.Prefix
+	WithAddressLimit() bool
+	MatchAddressLimit(metadata *InboundContext) bool
+}
+
 type RuleSet interface {
 	Name() string
 	StartContext(ctx context.Context, startContext *HTTPStartContext) error

adapter/rule.go

@@ -1,38 +0,0 @@
-package adapter
-
-import (
-	C "github.com/sagernet/sing-box/constant"
-)
-
-type HeadlessRule interface {
-	Match(metadata *InboundContext) bool
-	String() string
-}
-
-type Rule interface {
-	HeadlessRule
-	Service
-	Type() string
-	UpdateGeosite() error
-	Action() RuleAction
-}
-
-type DNSRule interface {
-	Rule
-	WithAddressLimit() bool
-	MatchAddressLimit(metadata *InboundContext) bool
-}
-
-type RuleAction interface {
-	Type() string
-	String() string
-}
-
-func IsFinalAction(action RuleAction) bool {
-	switch action.Type() {
-	case C.RuleActionTypeSniff, C.RuleActionTypeResolve:
-		return false
-	default:
-		return true
-	}
-}

adapter/upstream.go

@@ -4,165 +4,112 @@ import (
 	"context"
 	"net"
 
+	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
 type (
-	ConnectionHandlerFuncEx       = func(ctx context.Context, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
-	PacketConnectionHandlerFuncEx = func(ctx context.Context, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
+	ConnectionHandlerFunc       = func(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	PacketConnectionHandlerFunc = func(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 )
 
-func NewUpstreamHandlerEx(
+func NewUpstreamHandler(
 	metadata InboundContext,
-	connectionHandler ConnectionHandlerFuncEx,
-	packetHandler PacketConnectionHandlerFuncEx,
-) UpstreamHandlerAdapterEx {
-	return &myUpstreamHandlerWrapperEx{
+	connectionHandler ConnectionHandlerFunc,
+	packetHandler PacketConnectionHandlerFunc,
+	errorHandler E.Handler,
+) UpstreamHandlerAdapter {
+	return &myUpstreamHandlerWrapper{
 		metadata:          metadata,
 		connectionHandler: connectionHandler,
 		packetHandler:     packetHandler,
+		errorHandler:      errorHandler,
 	}
 }
 
-var _ UpstreamHandlerAdapterEx = (*myUpstreamHandlerWrapperEx)(nil)
+var _ UpstreamHandlerAdapter = (*myUpstreamHandlerWrapper)(nil)
 
-type myUpstreamHandlerWrapperEx struct {
+type myUpstreamHandlerWrapper struct {
 	metadata          InboundContext
-	connectionHandler ConnectionHandlerFuncEx
-	packetHandler     PacketConnectionHandlerFuncEx
+	connectionHandler ConnectionHandlerFunc
+	packetHandler     PacketConnectionHandlerFunc
+	errorHandler      E.Handler
 }
 
-func (w *myUpstreamHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+func (w *myUpstreamHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := w.metadata
-	if source.IsValid() {
-		myMetadata.Source = source
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
 	}
-	if destination.IsValid() {
-		myMetadata.Destination = destination
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
 	}
-	w.connectionHandler(ctx, conn, myMetadata, onClose)
+	return w.connectionHandler(ctx, conn, myMetadata)
 }
 
-func (w *myUpstreamHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+func (w *myUpstreamHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := w.metadata
-	if source.IsValid() {
-		myMetadata.Source = source
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
 	}
-	if destination.IsValid() {
-		myMetadata.Destination = destination
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
 	}
-	w.packetHandler(ctx, conn, myMetadata, onClose)
+	return w.packetHandler(ctx, conn, myMetadata)
 }
 
-var _ UpstreamHandlerAdapterEx = (*myUpstreamContextHandlerWrapperEx)(nil)
-
-type myUpstreamContextHandlerWrapperEx struct {
-	connectionHandler ConnectionHandlerFuncEx
-	packetHandler     PacketConnectionHandlerFuncEx
+func (w *myUpstreamHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.errorHandler.NewError(ctx, err)
 }
 
-func NewUpstreamContextHandlerEx(
-	connectionHandler ConnectionHandlerFuncEx,
-	packetHandler PacketConnectionHandlerFuncEx,
-) UpstreamHandlerAdapterEx {
-	return &myUpstreamContextHandlerWrapperEx{
+func UpstreamMetadata(metadata InboundContext) M.Metadata {
+	return M.Metadata{
+		Source:      metadata.Source,
+		Destination: metadata.Destination,
+	}
+}
+
+type myUpstreamContextHandlerWrapper struct {
+	connectionHandler ConnectionHandlerFunc
+	packetHandler     PacketConnectionHandlerFunc
+	errorHandler      E.Handler
+}
+
+func NewUpstreamContextHandler(
+	connectionHandler ConnectionHandlerFunc,
+	packetHandler PacketConnectionHandlerFunc,
+	errorHandler E.Handler,
+) UpstreamHandlerAdapter {
+	return &myUpstreamContextHandlerWrapper{
 		connectionHandler: connectionHandler,
 		packetHandler:     packetHandler,
+		errorHandler:      errorHandler,
 	}
 }
 
-func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+func (w *myUpstreamContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
-	if source.IsValid() {
-		myMetadata.Source = source
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
 	}
-	if destination.IsValid() {
-		myMetadata.Destination = destination
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
 	}
-	w.connectionHandler(ctx, conn, *myMetadata, onClose)
+	return w.connectionHandler(ctx, conn, *myMetadata)
 }
 
-func (w *myUpstreamContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+func (w *myUpstreamContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
-	if source.IsValid() {
-		myMetadata.Source = source
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
 	}
-	if destination.IsValid() {
-		myMetadata.Destination = destination
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
 	}
-	w.packetHandler(ctx, conn, *myMetadata, onClose)
+	return w.packetHandler(ctx, conn, *myMetadata)
 }
 
-func NewRouteHandlerEx(
-	metadata InboundContext,
-	router ConnectionRouterEx,
-) UpstreamHandlerAdapterEx {
-	return &routeHandlerWrapperEx{
-		metadata: metadata,
-		router:   router,
-	}
-}
-
-var _ UpstreamHandlerAdapterEx = (*routeHandlerWrapperEx)(nil)
-
-type routeHandlerWrapperEx struct {
-	metadata InboundContext
-	router   ConnectionRouterEx
-}
-
-func (r *routeHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	if source.IsValid() {
-		r.metadata.Source = source
-	}
-	if destination.IsValid() {
-		r.metadata.Destination = destination
-	}
-	r.router.RouteConnectionEx(ctx, conn, r.metadata, onClose)
-}
-
-func (r *routeHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	if source.IsValid() {
-		r.metadata.Source = source
-	}
-	if destination.IsValid() {
-		r.metadata.Destination = destination
-	}
-	r.router.RoutePacketConnectionEx(ctx, conn, r.metadata, onClose)
-}
-
-func NewRouteContextHandlerEx(
-	router ConnectionRouterEx,
-) UpstreamHandlerAdapterEx {
-	return &routeContextHandlerWrapperEx{
-		router: router,
-	}
-}
-
-var _ UpstreamHandlerAdapterEx = (*routeContextHandlerWrapperEx)(nil)
-
-type routeContextHandlerWrapperEx struct {
-	router ConnectionRouterEx
-}
-
-func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	metadata := ContextFrom(ctx)
-	if source.IsValid() {
-		metadata.Source = source
-	}
-	if destination.IsValid() {
-		metadata.Destination = destination
-	}
-	r.router.RouteConnectionEx(ctx, conn, *metadata, onClose)
-}
-
-func (r *routeContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	metadata := ContextFrom(ctx)
-	if source.IsValid() {
-		metadata.Source = source
-	}
-	if destination.IsValid() {
-		metadata.Destination = destination
-	}
-	r.router.RoutePacketConnectionEx(ctx, conn, *metadata, onClose)
+func (w *myUpstreamContextHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.errorHandler.NewError(ctx, err)
 }

adapter/upstream_legacy.go

@@ -1,216 +0,0 @@
-package adapter
-
-import (
-	"context"
-	"net"
-
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type (
-	// Deprecated
-	ConnectionHandlerFunc = func(ctx context.Context, conn net.Conn, metadata InboundContext) error
-	// Deprecated
-	PacketConnectionHandlerFunc = func(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
-)
-
-// Deprecated
-func NewUpstreamHandler(
-	metadata InboundContext,
-	connectionHandler ConnectionHandlerFunc,
-	packetHandler PacketConnectionHandlerFunc,
-	errorHandler E.Handler,
-) UpstreamHandlerAdapter {
-	return &myUpstreamHandlerWrapper{
-		metadata:          metadata,
-		connectionHandler: connectionHandler,
-		packetHandler:     packetHandler,
-		errorHandler:      errorHandler,
-	}
-}
-
-var _ UpstreamHandlerAdapter = (*myUpstreamHandlerWrapper)(nil)
-
-// Deprecated
-type myUpstreamHandlerWrapper struct {
-	metadata          InboundContext
-	connectionHandler ConnectionHandlerFunc
-	packetHandler     PacketConnectionHandlerFunc
-	errorHandler      E.Handler
-}
-
-func (w *myUpstreamHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.connectionHandler(ctx, conn, myMetadata)
-}
-
-func (w *myUpstreamHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
-	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.packetHandler(ctx, conn, myMetadata)
-}
-
-func (w *myUpstreamHandlerWrapper) NewError(ctx context.Context, err error) {
-	w.errorHandler.NewError(ctx, err)
-}
-
-// Deprecated
-func UpstreamMetadata(metadata InboundContext) M.Metadata {
-	return M.Metadata{
-		Source:      metadata.Source,
-		Destination: metadata.Destination,
-	}
-}
-
-// Deprecated
-type myUpstreamContextHandlerWrapper struct {
-	connectionHandler ConnectionHandlerFunc
-	packetHandler     PacketConnectionHandlerFunc
-	errorHandler      E.Handler
-}
-
-// Deprecated
-func NewUpstreamContextHandler(
-	connectionHandler ConnectionHandlerFunc,
-	packetHandler PacketConnectionHandlerFunc,
-	errorHandler E.Handler,
-) UpstreamHandlerAdapter {
-	return &myUpstreamContextHandlerWrapper{
-		connectionHandler: connectionHandler,
-		packetHandler:     packetHandler,
-		errorHandler:      errorHandler,
-	}
-}
-
-func (w *myUpstreamContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.connectionHandler(ctx, conn, *myMetadata)
-}
-
-func (w *myUpstreamContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
-	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.packetHandler(ctx, conn, *myMetadata)
-}
-
-func (w *myUpstreamContextHandlerWrapper) NewError(ctx context.Context, err error) {
-	w.errorHandler.NewError(ctx, err)
-}
-
-// Deprecated: Use ConnectionRouterEx instead.
-func NewRouteHandler(
-	metadata InboundContext,
-	router ConnectionRouter,
-	logger logger.ContextLogger,
-) UpstreamHandlerAdapter {
-	return &routeHandlerWrapper{
-		metadata: metadata,
-		router:   router,
-		logger:   logger,
-	}
-}
-
-// Deprecated: Use ConnectionRouterEx instead.
-func NewRouteContextHandler(
-	router ConnectionRouter,
-	logger logger.ContextLogger,
-) UpstreamHandlerAdapter {
-	return &routeContextHandlerWrapper{
-		router: router,
-		logger: logger,
-	}
-}
-
-var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
-
-// Deprecated: Use ConnectionRouterEx instead.
-type routeHandlerWrapper struct {
-	metadata InboundContext
-	router   ConnectionRouter
-	logger   logger.ContextLogger
-}
-
-func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RouteConnection(ctx, conn, myMetadata)
-}
-
-func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
-	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
-}
-
-func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
-	w.logger.ErrorContext(ctx, err)
-}
-
-var _ UpstreamHandlerAdapter = (*routeContextHandlerWrapper)(nil)
-
-// Deprecated: Use ConnectionRouterEx instead.
-type routeContextHandlerWrapper struct {
-	router ConnectionRouter
-	logger logger.ContextLogger
-}
-
-func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RouteConnection(ctx, conn, *myMetadata)
-}
-
-func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
-	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
-}
-
-func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
-	w.logger.ErrorContext(ctx, err)
-}

adapter/v2ray.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 
+	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -15,7 +16,8 @@ type V2RayServerTransport interface {
 }
 
 type V2RayServerTransportHandler interface {
-	N.TCPConnectionHandlerEx
+	N.TCPConnectionHandler
+	E.Handler
 }
 
 type V2RayClientTransport interface {

box.go

@@ -14,9 +14,10 @@ import (
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/cachefile"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
+	"github.com/sagernet/sing-box/inbound"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/protocol/direct"
+	"github.com/sagernet/sing-box/outbound"
 	"github.com/sagernet/sing-box/route"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -43,37 +44,16 @@ type Box struct {
 type Options struct {
 	option.Options
 	Context           context.Context
+	PlatformInterface platform.Interface
 	PlatformLogWriter log.PlatformWriter
 }
 
-func Context(ctx context.Context, inboundRegistry adapter.InboundRegistry, outboundRegistry adapter.OutboundRegistry) context.Context {
-	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
-		service.FromContext[adapter.InboundRegistry](ctx) == nil {
-		ctx = service.ContextWith[option.InboundOptionsRegistry](ctx, inboundRegistry)
-		ctx = service.ContextWith[adapter.InboundRegistry](ctx, inboundRegistry)
-	}
-	if service.FromContext[option.OutboundOptionsRegistry](ctx) == nil ||
-		service.FromContext[adapter.OutboundRegistry](ctx) == nil {
-		ctx = service.ContextWith[option.OutboundOptionsRegistry](ctx, outboundRegistry)
-		ctx = service.ContextWith[adapter.OutboundRegistry](ctx, outboundRegistry)
-	}
-	return ctx
-}
-
 func New(options Options) (*Box, error) {
 	createdAt := time.Now()
 	ctx := options.Context
 	if ctx == nil {
 		ctx = context.Background()
 	}
-	inboundRegistry := service.FromContext[adapter.InboundRegistry](ctx)
-	if inboundRegistry == nil {
-		return nil, E.New("missing inbound registry in context")
-	}
-	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
-	if outboundRegistry == nil {
-		return nil, E.New("missing outbound registry in context")
-	}
 	ctx = service.ContextWithDefaultRegistry(ctx)
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
@@ -90,9 +70,8 @@ func New(options Options) (*Box, error) {
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
 		needV2RayAPI = true
 	}
-	platformInterface := service.FromContext[platform.Interface](ctx)
 	var defaultLogWriter io.Writer
-	if platformInterface != nil {
+	if options.PlatformInterface != nil {
 		defaultLogWriter = io.Discard
 	}
 	logFactory, err := log.New(log.Options{
@@ -113,92 +92,64 @@ func New(options Options) (*Box, error) {
 		common.PtrValueOrDefault(options.DNS),
 		common.PtrValueOrDefault(options.NTP),
 		options.Inbounds,
+		options.PlatformInterface,
 	)
 	if err != nil {
 		return nil, E.Cause(err, "parse route options")
 	}
-	//nolint:staticcheck
-	if len(options.LegacyInbounds) > 0 {
-		for _, legacyInbound := range options.LegacyInbounds {
-			options.Inbounds = append(options.Inbounds, option.Inbound{
-				Type:    legacyInbound.Type,
-				Tag:     legacyInbound.Tag,
-				Options: common.Must1(legacyInbound.RawOptions()),
-			})
-		}
-	}
 	inbounds := make([]adapter.Inbound, 0, len(options.Inbounds))
-	//nolint:staticcheck
-	if len(options.LegacyOutbounds) > 0 {
-		for _, legacyOutbound := range options.LegacyOutbounds {
-			options.Outbounds = append(options.Outbounds, option.Outbound{
-				Type:    legacyOutbound.Type,
-				Tag:     legacyOutbound.Tag,
-				Options: common.Must1(legacyOutbound.RawOptions()),
-			})
-		}
-	}
 	outbounds := make([]adapter.Outbound, 0, len(options.Outbounds))
 	for i, inboundOptions := range options.Inbounds {
-		var currentInbound adapter.Inbound
+		var in adapter.Inbound
 		var tag string
 		if inboundOptions.Tag != "" {
 			tag = inboundOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
-		currentInbound, err = inboundRegistry.CreateInbound(
+		in, err = inbound.New(
 			ctx,
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
 			tag,
-			inboundOptions.Type,
-			inboundOptions.Options,
+			inboundOptions,
+			options.PlatformInterface,
 		)
 		if err != nil {
 			return nil, E.Cause(err, "parse inbound[", i, "]")
 		}
-		inbounds = append(inbounds, currentInbound)
+		inbounds = append(inbounds, in)
 	}
 	for i, outboundOptions := range options.Outbounds {
-		var currentOutbound adapter.Outbound
+		var out adapter.Outbound
 		var tag string
 		if outboundOptions.Tag != "" {
 			tag = outboundOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
-		outboundCtx := ctx
-		if tag != "" {
-			// TODO: remove this
-			outboundCtx = adapter.WithContext(outboundCtx, &adapter.InboundContext{
-				Outbound: tag,
-			})
-		}
-		currentOutbound, err = outboundRegistry.CreateOutbound(
-			outboundCtx,
+		out, err = outbound.New(
+			ctx,
 			router,
 			logFactory.NewLogger(F.ToString("outbound/", outboundOptions.Type, "[", tag, "]")),
 			tag,
-			outboundOptions.Type,
-			outboundOptions.Options,
-		)
+			outboundOptions)
 		if err != nil {
 			return nil, E.Cause(err, "parse outbound[", i, "]")
 		}
-		outbounds = append(outbounds, currentOutbound)
+		outbounds = append(outbounds, out)
 	}
 	err = router.Initialize(inbounds, outbounds, func() adapter.Outbound {
-		defaultOutbound, cErr := direct.NewOutbound(ctx, router, logFactory.NewLogger("outbound/direct"), "direct", option.DirectOutboundOptions{})
-		common.Must(cErr)
-		outbounds = append(outbounds, defaultOutbound)
-		return defaultOutbound
+		out, oErr := outbound.New(ctx, router, logFactory.NewLogger("outbound/direct"), "direct", option.Outbound{Type: "direct", Tag: "default"})
+		common.Must(oErr)
+		outbounds = append(outbounds, out)
+		return out
 	})
 	if err != nil {
 		return nil, err
 	}
-	if platformInterface != nil {
-		err = platformInterface.Initialize(ctx, router)
+	if options.PlatformInterface != nil {
+		err = options.PlatformInterface.Initialize(ctx, router)
 		if err != nil {
 			return nil, E.Cause(err, "initialize platform interface")
 		}

cmd/internal/app_store_connect/main.go

@@ -0,0 +1,445 @@
+package main
+
+import (
+	"context"
+	"net/http"
+	"os"
+	"strconv"
+	"time"
+
+	"github.com/sagernet/asc-go/asc"
+	"github.com/sagernet/sing-box/cmd/internal/build_shared"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+)
+
+func main() {
+	ctx := context.Background()
+	switch os.Args[1] {
+	case "next_macos_project_version":
+		err := fetchMacOSVersion(ctx)
+		if err != nil {
+			log.Fatal(err)
+		}
+	case "publish_testflight":
+		err := publishTestflight(ctx)
+		if err != nil {
+			log.Fatal(err)
+		}
+	case "cancel_app_store":
+		err := cancelAppStore(ctx, os.Args[2])
+		if err != nil {
+			log.Fatal(err)
+		}
+	case "prepare_app_store":
+		err := prepareAppStore(ctx)
+		if err != nil {
+			log.Fatal(err)
+		}
+	case "publish_app_store":
+		err := publishAppStore(ctx)
+		if err != nil {
+			log.Fatal(err)
+		}
+	default:
+		log.Fatal("unknown action: ", os.Args[1])
+	}
+}
+
+const (
+	appID   = "6673731168"
+	groupID = "5c5f3b78-b7a0-40c0-bcad-e6ef87bbefda"
+)
+
+func createClient(expireDuration time.Duration) *asc.Client {
+	privateKey, err := os.ReadFile(os.Getenv("ASC_KEY_PATH"))
+	if err != nil {
+		log.Fatal(err)
+	}
+	tokenConfig, err := asc.NewTokenConfig(os.Getenv("ASC_KEY_ID"), os.Getenv("ASC_KEY_ISSUER_ID"), expireDuration, privateKey)
+	if err != nil {
+		log.Fatal(err)
+	}
+	return asc.NewClient(tokenConfig.Client())
+}
+
+func fetchMacOSVersion(ctx context.Context) error {
+	client := createClient(time.Minute)
+	versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
+		FilterPlatform: []string{"MAC_OS"},
+	})
+	if err != nil {
+		return err
+	}
+	var versionID string
+findVersion:
+	for _, version := range versions.Data {
+		switch *version.Attributes.AppStoreState {
+		case asc.AppStoreVersionStateReadyForSale,
+			asc.AppStoreVersionStatePendingDeveloperRelease:
+			versionID = version.ID
+			break findVersion
+		}
+	}
+	if versionID == "" {
+		return E.New("no version found")
+	}
+	latestBuild, _, err := client.Builds.GetBuildForAppStoreVersion(ctx, versionID, &asc.GetBuildForAppStoreVersionQuery{})
+	if err != nil {
+		return err
+	}
+	versionInt, err := strconv.Atoi(*latestBuild.Data.Attributes.Version)
+	if err != nil {
+		return E.Cause(err, "parse version code")
+	}
+	os.Stdout.WriteString(F.ToString(versionInt+1, "\n"))
+	return nil
+}
+
+func publishTestflight(ctx context.Context) error {
+	tagVersion, err := build_shared.ReadTagVersion()
+	if err != nil {
+		return err
+	}
+	tag := tagVersion.VersionString()
+	client := createClient(10 * time.Minute)
+
+	log.Info(tag, " list build IDs")
+	buildIDsResponse, _, err := client.TestFlight.ListBuildIDsForBetaGroup(ctx, groupID, nil)
+	if err != nil {
+		return err
+	}
+	buildIDs := common.Map(buildIDsResponse.Data, func(it asc.RelationshipData) string {
+		return it.ID
+	})
+	var platforms []asc.Platform
+	if len(os.Args) == 3 {
+		switch os.Args[2] {
+		case "ios":
+			platforms = []asc.Platform{asc.PlatformIOS}
+		case "macos":
+			platforms = []asc.Platform{asc.PlatformMACOS}
+		case "tvos":
+			platforms = []asc.Platform{asc.PlatformTVOS}
+		default:
+			return E.New("unknown platform: ", os.Args[2])
+		}
+	} else {
+		platforms = []asc.Platform{
+			asc.PlatformIOS,
+			asc.PlatformMACOS,
+			asc.PlatformTVOS,
+		}
+	}
+	for _, platform := range platforms {
+		log.Info(string(platform), " list builds")
+		for {
+			builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
+				FilterApp:                       []string{appID},
+				FilterPreReleaseVersionPlatform: []string{string(platform)},
+			})
+			if err != nil {
+				return err
+			}
+			build := builds.Data[0]
+			if common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 5*time.Minute {
+				log.Info(string(platform), " ", tag, " waiting for process")
+				time.Sleep(15 * time.Second)
+				continue
+			}
+			if *build.Attributes.ProcessingState != "VALID" {
+				log.Info(string(platform), " ", tag, " waiting for process: ", *build.Attributes.ProcessingState)
+				time.Sleep(15 * time.Second)
+				continue
+			}
+			log.Info(string(platform), " ", tag, " list localizations")
+			localizations, _, err := client.TestFlight.ListBetaBuildLocalizationsForBuild(ctx, build.ID, nil)
+			if err != nil {
+				return err
+			}
+			localization := common.Find(localizations.Data, func(it asc.BetaBuildLocalization) bool {
+				return *it.Attributes.Locale == "en-US"
+			})
+			if localization.ID == "" {
+				log.Fatal(string(platform), " ", tag, " no en-US localization found")
+			}
+			if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
+				log.Info(string(platform), " ", tag, " update localization")
+				_, _, err = client.TestFlight.UpdateBetaBuildLocalization(ctx, localization.ID, common.Ptr(
+					F.ToString("sing-box ", tagVersion.String()),
+				))
+				if err != nil {
+					return err
+				}
+			}
+			log.Info(string(platform), " ", tag, " publish")
+			response, err := client.TestFlight.AddBuildsToBetaGroup(ctx, groupID, []string{build.ID})
+			if response != nil && response.StatusCode == http.StatusUnprocessableEntity {
+				log.Info("waiting for process")
+				time.Sleep(15 * time.Second)
+				continue
+			} else if err != nil {
+				return err
+			}
+			log.Info(string(platform), " ", tag, " list submissions")
+			betaSubmissions, _, err := client.TestFlight.ListBetaAppReviewSubmissions(ctx, &asc.ListBetaAppReviewSubmissionsQuery{
+				FilterBuild: []string{build.ID},
+			})
+			if err != nil {
+				return err
+			}
+			if len(betaSubmissions.Data) == 0 {
+				log.Info(string(platform), " ", tag, " create submission")
+				_, _, err = client.TestFlight.CreateBetaAppReviewSubmission(ctx, build.ID)
+				if err != nil {
+					return err
+				}
+			}
+			break
+		}
+	}
+	return nil
+}
+
+func cancelAppStore(ctx context.Context, platform string) error {
+	switch platform {
+	case "ios":
+		platform = string(asc.PlatformIOS)
+	case "macos":
+		platform = string(asc.PlatformMACOS)
+	case "tvos":
+		platform = string(asc.PlatformTVOS)
+	}
+	tag, err := build_shared.ReadTag()
+	if err != nil {
+		return err
+	}
+	client := createClient(time.Minute)
+	for {
+		log.Info(platform, " list versions")
+		versions, response, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
+			FilterPlatform: []string{string(platform)},
+		})
+		if isRetryable(response) {
+			continue
+		} else if err != nil {
+			return err
+		}
+		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
+			return *it.Attributes.VersionString == tag
+		})
+		if version.ID == "" {
+			return nil
+		}
+		log.Info(platform, " ", tag, " get submission")
+		submission, response, err := client.Submission.GetAppStoreVersionSubmissionForAppStoreVersion(ctx, version.ID, nil)
+		if response != nil && response.StatusCode == http.StatusNotFound {
+			return nil
+		}
+		if isRetryable(response) {
+			continue
+		} else if err != nil {
+			return err
+		}
+		log.Info(platform, " ", tag, " delete submission")
+		_, err = client.Submission.DeleteSubmission(ctx, submission.Data.ID)
+		if err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+func prepareAppStore(ctx context.Context) error {
+	tag, err := build_shared.ReadTag()
+	if err != nil {
+		return err
+	}
+	client := createClient(time.Minute)
+	for _, platform := range []asc.Platform{
+		asc.PlatformIOS,
+		asc.PlatformMACOS,
+		asc.PlatformTVOS,
+	} {
+		log.Info(string(platform), " list versions")
+		versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
+			FilterPlatform: []string{string(platform)},
+		})
+		if err != nil {
+			return err
+		}
+		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
+			return *it.Attributes.VersionString == tag
+		})
+		log.Info(string(platform), " ", tag, " list builds")
+		builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
+			FilterApp:                       []string{appID},
+			FilterPreReleaseVersionPlatform: []string{string(platform)},
+		})
+		if err != nil {
+			return err
+		}
+		if len(builds.Data) == 0 {
+			log.Fatal(platform, " ", tag, " no build found")
+		}
+		buildID := common.Ptr(builds.Data[0].ID)
+		if version.ID == "" {
+			log.Info(string(platform), " ", tag, " create version")
+			newVersion, _, err := client.Apps.CreateAppStoreVersion(ctx, asc.AppStoreVersionCreateRequestAttributes{
+				Platform:      platform,
+				VersionString: tag,
+			}, appID, buildID)
+			if err != nil {
+				return err
+			}
+			version = newVersion.Data
+
+		} else {
+			log.Info(string(platform), " ", tag, " check build")
+			currentBuild, response, err := client.Apps.GetBuildIDForAppStoreVersion(ctx, version.ID)
+			if err != nil {
+				return err
+			}
+			if response.StatusCode != http.StatusOK || currentBuild.Data.ID != *buildID {
+				switch *version.Attributes.AppStoreState {
+				case asc.AppStoreVersionStatePrepareForSubmission,
+					asc.AppStoreVersionStateRejected,
+					asc.AppStoreVersionStateDeveloperRejected:
+				case asc.AppStoreVersionStateWaitingForReview,
+					asc.AppStoreVersionStateInReview,
+					asc.AppStoreVersionStatePendingDeveloperRelease:
+					submission, _, err := client.Submission.GetAppStoreVersionSubmissionForAppStoreVersion(ctx, version.ID, nil)
+					if err != nil {
+						return err
+					}
+					if submission != nil {
+						log.Info(string(platform), " ", tag, " delete submission")
+						_, err = client.Submission.DeleteSubmission(ctx, submission.Data.ID)
+						if err != nil {
+							return err
+						}
+						time.Sleep(5 * time.Second)
+					}
+				default:
+					log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
+				}
+				log.Info(string(platform), " ", tag, " update build")
+				response, err = client.Apps.UpdateBuildForAppStoreVersion(ctx, version.ID, buildID)
+				if err != nil {
+					return err
+				}
+				if response.StatusCode != http.StatusNoContent {
+					response.Write(os.Stderr)
+					log.Fatal(string(platform), " ", tag, " unexpected response: ", response.Status)
+				}
+			} else {
+				switch *version.Attributes.AppStoreState {
+				case asc.AppStoreVersionStatePrepareForSubmission,
+					asc.AppStoreVersionStateRejected,
+					asc.AppStoreVersionStateDeveloperRejected:
+				case asc.AppStoreVersionStateWaitingForReview,
+					asc.AppStoreVersionStateInReview,
+					asc.AppStoreVersionStatePendingDeveloperRelease:
+					continue
+				default:
+					log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
+				}
+			}
+		}
+		log.Info(string(platform), " ", tag, " list localization")
+		localizations, _, err := client.Apps.ListLocalizationsForAppStoreVersion(ctx, version.ID, nil)
+		if err != nil {
+			return err
+		}
+		localization := common.Find(localizations.Data, func(it asc.AppStoreVersionLocalization) bool {
+			return *it.Attributes.Locale == "en-US"
+		})
+		if localization.ID == "" {
+			log.Info(string(platform), " ", tag, " no en-US localization found")
+		}
+		if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
+			log.Info(string(platform), " ", tag, " update localization")
+			_, _, err = client.Apps.UpdateAppStoreVersionLocalization(ctx, localization.ID, &asc.AppStoreVersionLocalizationUpdateRequestAttributes{
+				PromotionalText: common.Ptr("Yet another distribution for sing-box, the universal proxy platform."),
+				WhatsNew:        common.Ptr(F.ToString("sing-box ", tag, ": Fixes and improvements.")),
+			})
+			if err != nil {
+				return err
+			}
+		}
+		log.Info(string(platform), " ", tag, " create submission")
+	fixSubmit:
+		for {
+			_, response, err := client.Submission.CreateSubmission(ctx, version.ID)
+			if err != nil {
+				switch response.StatusCode {
+				case http.StatusInternalServerError:
+					continue
+				default:
+					return err
+				}
+			}
+			switch response.StatusCode {
+			case http.StatusCreated:
+				break fixSubmit
+			default:
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func publishAppStore(ctx context.Context) error {
+	tag, err := build_shared.ReadTag()
+	if err != nil {
+		return err
+	}
+	client := createClient(time.Minute)
+	for _, platform := range []asc.Platform{
+		asc.PlatformIOS,
+		asc.PlatformMACOS,
+		asc.PlatformTVOS,
+	} {
+		log.Info(string(platform), " list versions")
+		versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
+			FilterPlatform: []string{string(platform)},
+		})
+		if err != nil {
+			return err
+		}
+		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
+			return *it.Attributes.VersionString == tag
+		})
+		switch *version.Attributes.AppStoreState {
+		case asc.AppStoreVersionStatePrepareForSubmission, asc.AppStoreVersionStateDeveloperRejected:
+			log.Fatal(string(platform), " ", tag, " not submitted")
+		case asc.AppStoreVersionStateWaitingForReview,
+			asc.AppStoreVersionStateInReview:
+			log.Warn(string(platform), " ", tag, " waiting for review")
+			continue
+		case asc.AppStoreVersionStatePendingDeveloperRelease:
+		default:
+			log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
+		}
+		_, _, err = client.Publishing.CreatePhasedRelease(ctx, common.Ptr(asc.PhasedReleaseStateComplete), version.ID)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func isRetryable(response *asc.Response) bool {
+	if response == nil {
+		return false
+	}
+	switch response.StatusCode {
+	case http.StatusInternalServerError, http.StatusUnprocessableEntity:
+		return true
+	default:
+		return false
+	}
+}

cmd/internal/build_libbox/main.go

@@ -10,17 +10,21 @@ import (
 	_ "github.com/sagernet/gomobile"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
+	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
+	"github.com/sagernet/sing/common/shell"
 )
 
 var (
 	debugEnabled bool
 	target       string
+	platform     string
 )
 
 func init() {
 	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
 	flag.StringVar(&target, "target", "android", "target platform")
+	flag.StringVar(&platform, "platform", "", "specify platform")
 }
 
 func main() {
@@ -31,8 +35,8 @@ func main() {
 	switch target {
 	case "android":
 		buildAndroid()
-	case "ios":
-		buildiOS()
+	case "apple":
+		buildApple()
 	}
 }
 
@@ -62,9 +66,35 @@ func init() {
 func buildAndroid() {
 	build_shared.FindSDK()
 
+	var javaPath string
+	javaHome := os.Getenv("JAVA_HOME")
+	if javaHome == "" {
+		javaPath = "java"
+	} else {
+		javaPath = filepath.Join(javaHome, "bin", "java")
+	}
+
+	javaVersion, err := shell.Exec(javaPath, "--version").ReadOutput()
+	if err != nil {
+		log.Fatal(E.Cause(err, "check java version"))
+	}
+	if !strings.Contains(javaVersion, "openjdk 17") {
+		log.Fatal("java version should be openjdk 17")
+	}
+
+	var bindTarget string
+	if platform != "" {
+		bindTarget = platform
+	} else if debugEnabled {
+		bindTarget = "android/arm64"
+	} else {
+		bindTarget = "android"
+	}
+
 	args := []string{
 		"bind",
 		"-v",
+		"-target", bindTarget,
 		"-androidapi", "21",
 		"-javapkg=io.nekohasekai",
 		"-libname=box",
@@ -86,7 +116,7 @@ func buildAndroid() {
 	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
 	command.Stdout = os.Stdout
 	command.Stderr = os.Stderr
-	err := command.Run()
+	err = command.Run()
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -103,11 +133,20 @@ func buildAndroid() {
 	}
 }
 
-func buildiOS() {
+func buildApple() {
+	var bindTarget string
+	if platform != "" {
+		bindTarget = platform
+	} else if debugEnabled {
+		bindTarget = "ios"
+	} else {
+		bindTarget = "ios,tvos,macos"
+	}
+
 	args := []string{
 		"bind",
 		"-v",
-		"-target", "ios,iossimulator,tvos,tvossimulator,macos",
+		"-target", bindTarget,
 		"-libname=box",
 	}
 	if !debugEnabled {

cmd/internal/build_shared/sdk.go

@@ -11,9 +11,7 @@ import (
 
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
-	"github.com/sagernet/sing/common/shell"
 )
 
 var (
@@ -42,14 +40,6 @@ func FindSDK() {
 		log.Fatal("android NDK not found")
 	}
 
-	javaVersion, err := shell.Exec("java", "--version").ReadOutput()
-	if err != nil {
-		log.Fatal(E.Cause(err, "check java version"))
-	}
-	if !strings.Contains(javaVersion, "openjdk 17") {
-		log.Fatal("java version should be openjdk 17")
-	}
-
 	os.Setenv("ANDROID_HOME", androidSDKPath)
 	os.Setenv("ANDROID_SDK_HOME", androidSDKPath)
 	os.Setenv("ANDROID_NDK_HOME", androidNDKPath)
@@ -58,12 +48,16 @@ func FindSDK() {
 }
 
 func findNDK() bool {
-	const fixedVersion = "26.3.11579264"
+	const fixedVersion = "28.0.12674087"
 	const versionFile = "source.properties"
 	if fixedPath := filepath.Join(androidSDKPath, "ndk", fixedVersion); rw.IsFile(filepath.Join(fixedPath, versionFile)) {
 		androidNDKPath = fixedPath
 		return true
 	}
+	if ndkHomeEnv := os.Getenv("ANDROID_NDK_HOME"); rw.IsFile(filepath.Join(ndkHomeEnv, versionFile)) {
+		androidNDKPath = ndkHomeEnv
+		return true
+	}
 	ndkVersions, err := os.ReadDir(filepath.Join(androidSDKPath, "ndk"))
 	if err != nil {
 		return false

cmd/internal/build_shared/tag.go

@@ -20,6 +20,11 @@ func ReadTag() (string, error) {
 	return version.String() + "-" + shortCommit, nil
 }
 
+func ReadTagVersionRev() (badversion.Version, error) {
+	currentTagRev := common.Must1(shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput())
+	return badversion.Parse(currentTagRev[1:]), nil
+}
+
 func ReadTagVersion() (badversion.Version, error) {
 	currentTag := common.Must1(shell.Exec("git", "describe", "--tags").ReadOutput())
 	currentTagRev := common.Must1(shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput())

cmd/internal/read_tag/main.go

@@ -1,21 +1,62 @@
 package main
 
 import (
+	"flag"
 	"os"
 
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 )
 
+var nightly bool
+
+func init() {
+	flag.BoolVar(&nightly, "nightly", false, "Print nightly tag")
+}
+
 func main() {
-	currentTag, err := build_shared.ReadTag()
-	if err != nil {
-		log.Error(err)
-		_, err = os.Stdout.WriteString("unknown\n")
+	flag.Parse()
+	if nightly {
+		version, err := build_shared.ReadTagVersionRev()
+		if err != nil {
+			log.Fatal(err)
+		}
+		var versionStr string
+		if version.PreReleaseIdentifier != "" {
+			versionStr = version.VersionString() + "-nightly"
+		} else {
+			version.Patch++
+			versionStr = version.VersionString() + "-nightly"
+		}
+		err = setGitHubEnv("version", versionStr)
+		if err != nil {
+			log.Fatal(err)
+		}
 	} else {
-		_, err = os.Stdout.WriteString(currentTag + "\n")
-	}
-	if err != nil {
-		log.Error(err)
+		tag, err := build_shared.ReadTag()
+		if err != nil {
+			log.Error(err)
+			os.Stdout.WriteString("unknown\n")
+		} else {
+			os.Stdout.WriteString(tag + "\n")
+		}
 	}
 }
+
+func setGitHubEnv(name string, value string) error {
+	outputFile, err := os.OpenFile(os.Getenv("GITHUB_ENV"), os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o644)
+	if err != nil {
+		return err
+	}
+	_, err = outputFile.WriteString(name + "=" + value + "\n")
+	if err != nil {
+		outputFile.Close()
+		return err
+	}
+	err = outputFile.Close()
+	if err != nil {
+		return err
+	}
+	os.Stderr.WriteString(name + "=" + value + "\n")
+	return nil
+}

cmd/internal/update_android_version/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"flag"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -12,9 +13,22 @@ import (
 	"github.com/sagernet/sing/common"
 )
 
+var flagRunInCI bool
+
+func init() {
+	flag.BoolVar(&flagRunInCI, "ci", false, "Run in CI")
+}
+
 func main() {
-	newVersion := common.Must1(build_shared.ReadTagVersion())
-	androidPath, err := filepath.Abs("../sing-box-for-android")
+	flag.Parse()
+	newVersion := common.Must1(build_shared.ReadTag())
+	var androidPath string
+	if flagRunInCI {
+		androidPath = "clients/android"
+	} else {
+		androidPath = "../sing-box-for-android"
+	}
+	androidPath, err := filepath.Abs(androidPath)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -31,10 +45,10 @@ func main() {
 	for _, propPair := range propsList {
 		switch propPair[0] {
 		case "VERSION_NAME":
-			if propPair[1] != newVersion.String() {
+			if propPair[1] != newVersion {
 				versionUpdated = true
-				propPair[1] = newVersion.String()
-				log.Info("updated version to ", newVersion.String())
+				propPair[1] = newVersion
+				log.Info("updated version to ", newVersion)
 			}
 		case "GO_VERSION":
 			if propPair[1] != runtime.Version() {

cmd/internal/update_apple_version/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"flag"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -13,9 +14,22 @@ import (
 	"howett.net/plist"
 )
 
+var flagRunInCI bool
+
+func init() {
+	flag.BoolVar(&flagRunInCI, "ci", false, "Run in CI")
+}
+
 func main() {
+	flag.Parse()
 	newVersion := common.Must1(build_shared.ReadTagVersion())
-	applePath, err := filepath.Abs("../sing-box-for-apple")
+	var applePath string
+	if flagRunInCI {
+		applePath = "clients/apple"
+	} else {
+		applePath = "../sing-box-for-apple"
+	}
+	applePath, err := filepath.Abs(applePath)
 	if err != nil {
 		log.Fatal(err)
 	}

cmd/sing-box/cmd.go

@@ -7,9 +7,8 @@ import (
 	"strconv"
 	"time"
 
-	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/experimental/deprecated"
-	"github.com/sagernet/sing-box/include"
+	_ "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"
@@ -69,5 +68,4 @@ func preRun(cmd *cobra.Command, args []string) {
 		configPaths = append(configPaths, "config.json")
 	}
 	globalCtx = service.ContextWith(globalCtx, deprecated.NewStderrManager(log.StdLogger()))
-	globalCtx = box.Context(globalCtx, include.InboundRegistry(), include.OutboundRegistry())
 }

cmd/sing-box/cmd_format.go

@@ -38,7 +38,7 @@ func format() error {
 		return err
 	}
 	for _, optionsEntry := range optionsList {
-		optionsEntry.options, err = badjson.Omitempty(globalCtx, optionsEntry.options)
+		optionsEntry.options, err = badjson.Omitempty(optionsEntry.options)
 		if err != nil {
 			return err
 		}

cmd/sing-box/cmd_merge.go

@@ -68,19 +68,29 @@ func merge(outputPath string) error {
 }
 
 func mergePathResources(options *option.Options) error {
-	for _, inbound := range options.Inbounds {
-		if tlsOptions, containsTLSOptions := inbound.Options.(option.InboundTLSOptionsWrapper); containsTLSOptions {
+	for index, inbound := range options.Inbounds {
+		rawOptions, err := inbound.RawOptions()
+		if err != nil {
+			return err
+		}
+		if tlsOptions, containsTLSOptions := rawOptions.(option.InboundTLSOptionsWrapper); containsTLSOptions {
 			tlsOptions.ReplaceInboundTLSOptions(mergeTLSInboundOptions(tlsOptions.TakeInboundTLSOptions()))
 		}
+		options.Inbounds[index] = inbound
 	}
-	for _, outbound := range options.Outbounds {
+	for index, outbound := range options.Outbounds {
+		rawOptions, err := outbound.RawOptions()
+		if err != nil {
+			return err
+		}
 		switch outbound.Type {
 		case C.TypeSSH:
-			mergeSSHOutboundOptions(outbound.Options.(*option.SSHOutboundOptions))
+			outbound.SSHOptions = mergeSSHOutboundOptions(outbound.SSHOptions)
 		}
-		if tlsOptions, containsTLSOptions := outbound.Options.(option.OutboundTLSOptionsWrapper); containsTLSOptions {
+		if tlsOptions, containsTLSOptions := rawOptions.(option.OutboundTLSOptionsWrapper); containsTLSOptions {
 			tlsOptions.ReplaceOutboundTLSOptions(mergeTLSOutboundOptions(tlsOptions.TakeOutboundTLSOptions()))
 		}
+		options.Outbounds[index] = outbound
 	}
 	return nil
 }
@@ -128,12 +138,13 @@ func mergeTLSOutboundOptions(options *option.OutboundTLSOptions) *option.Outboun
 	return options
 }
 
-func mergeSSHOutboundOptions(options *option.SSHOutboundOptions) {
+func mergeSSHOutboundOptions(options option.SSHOutboundOptions) option.SSHOutboundOptions {
 	if options.PrivateKeyPath != "" {
 		if content, err := os.ReadFile(os.ExpandEnv(options.PrivateKeyPath)); err == nil {
 			options.PrivateKey = trimStringArray(strings.Split(string(content), "\n"))
 		}
 	}
+	return options
 }
 
 func trimStringArray(array []string) []string {

cmd/sing-box/cmd_rule_set_compile.go

@@ -6,7 +6,6 @@ import (
 	"strings"
 
 	"github.com/sagernet/sing-box/common/srs"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/json"
@@ -56,10 +55,6 @@ func compileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
-	ruleSet, err := plainRuleSet.Upgrade()
-	if err != nil {
-		return err
-	}
 	var outputPath string
 	if flagRuleSetCompileOutput == flagRuleSetCompileDefaultOutput {
 		if strings.HasSuffix(sourcePath, ".json") {
@@ -74,7 +69,7 @@ func compileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
-	err = srs.Write(outputFile, ruleSet, plainRuleSet.Version == C.RuleSetVersion2)
+	err = srs.Write(outputFile, plainRuleSet.Options, plainRuleSet.Version)
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputPath)

cmd/sing-box/cmd_rule_set_convert.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/sagernet/sing-box/cmd/sing-box/internal/convertor/adguard"
 	"github.com/sagernet/sing-box/common/srs"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -77,7 +78,7 @@ func convertRuleSet(sourcePath string) error {
 		return err
 	}
 	defer outputFile.Close()
-	err = srs.Write(outputFile, option.PlainRuleSet{Rules: rules}, true)
+	err = srs.Write(outputFile, option.PlainRuleSet{Rules: rules}, C.RuleSetVersion2)
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputPath)

cmd/sing-box/cmd_rule_set_decompile.go

@@ -6,9 +6,7 @@ import (
 	"strings"
 
 	"github.com/sagernet/sing-box/common/srs"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/json"
 
 	"github.com/spf13/cobra"
@@ -48,14 +46,10 @@ func decompileRuleSet(sourcePath string) error {
 			return err
 		}
 	}
-	plainRuleSet, err := srs.Read(reader, true)
+	ruleSet, err := srs.Read(reader, true)
 	if err != nil {
 		return err
 	}
-	ruleSet := option.PlainRuleSetCompat{
-		Version: C.RuleSetVersion1,
-		Options: plainRuleSet,
-	}
 	var outputPath string
 	if flagRuleSetDecompileOutput == flagRuleSetDecompileDefaultOutput {
 		if strings.HasSuffix(sourcePath, ".srs") {

cmd/sing-box/cmd_rule_set_match.go

@@ -10,7 +10,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/route/rule"
+	"github.com/sagernet/sing-box/route"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
@@ -55,26 +55,25 @@ func ruleSetMatch(sourcePath string, domain string) error {
 	if err != nil {
 		return E.Cause(err, "read rule-set")
 	}
-	var plainRuleSet option.PlainRuleSet
+	var ruleSet option.PlainRuleSetCompat
 	switch flagRuleSetMatchFormat {
 	case C.RuleSetFormatSource:
-		var compat option.PlainRuleSetCompat
-		compat, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
-		if err != nil {
-			return err
-		}
-		plainRuleSet, err = compat.Upgrade()
+		ruleSet, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
 		if err != nil {
 			return err
 		}
 	case C.RuleSetFormatBinary:
-		plainRuleSet, err = srs.Read(bytes.NewReader(content), false)
+		ruleSet, err = srs.Read(bytes.NewReader(content), false)
 		if err != nil {
 			return err
 		}
 	default:
 		return E.New("unknown rule-set format: ", flagRuleSetMatchFormat)
 	}
+	plainRuleSet, err := ruleSet.Upgrade()
+	if err != nil {
+		return err
+	}
 	ipAddress := M.ParseAddr(domain)
 	var metadata adapter.InboundContext
 	if ipAddress.IsValid() {
@@ -84,7 +83,7 @@ func ruleSetMatch(sourcePath string, domain string) error {
 	}
 	for i, ruleOptions := range plainRuleSet.Rules {
 		var currentRule adapter.HeadlessRule
-		currentRule, err = rule.NewHeadlessRule(nil, ruleOptions)
+		currentRule, err = route.NewHeadlessRule(nil, ruleOptions)
 		if err != nil {
 			return E.Cause(err, "parse rule_set.rules.[", i, "]")
 		}

cmd/sing-box/cmd_run.go

@@ -57,7 +57,7 @@ func readConfigAt(path string) (*OptionsEntry, error) {
 	if err != nil {
 		return nil, E.Cause(err, "read config at ", path)
 	}
-	options, err := json.UnmarshalExtendedContext[option.Options](globalCtx, configContent)
+	options, err := json.UnmarshalExtended[option.Options](configContent)
 	if err != nil {
 		return nil, E.Cause(err, "decode config at ", path)
 	}
@@ -109,13 +109,13 @@ func readConfigAndMerge() (option.Options, error) {
 	}
 	var mergedMessage json.RawMessage
 	for _, options := range optionsList {
-		mergedMessage, err = badjson.MergeJSON(globalCtx, options.options.RawMessage, mergedMessage, false)
+		mergedMessage, err = badjson.MergeJSON(options.options.RawMessage, mergedMessage, false)
 		if err != nil {
 			return option.Options{}, E.Cause(err, "merge config at ", options.path)
 		}
 	}
 	var mergedOptions option.Options
-	err = mergedOptions.UnmarshalJSONContext(globalCtx, mergedMessage)
+	err = mergedOptions.UnmarshalJSON(mergedMessage)
 	if err != nil {
 		return option.Options{}, E.Cause(err, "unmarshal merged config")
 	}

cmd/sing-box/cmd_tools.go

@@ -1,9 +1,6 @@
 package main
 
 import (
-	"errors"
-	"os"
-
 	"github.com/sagernet/sing-box"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
@@ -26,9 +23,7 @@ func init() {
 func createPreStartedClient() (*box.Box, error) {
 	options, err := readConfigAndMerge()
 	if err != nil {
-		if !(errors.Is(err, os.ErrNotExist) && len(configDirectories) == 0 && len(configPaths) == 1) || configPaths[0] != "config.json" {
-			return nil, err
-		}
+		return nil, err
 	}
 	instance, err := box.New(box.Options{Options: options})
 	if err != nil {

cmd/sing-box/cmd_tools_fetch_http3.go

@@ -21,7 +21,7 @@ func initializeHTTP3Client(instance *box.Box) error {
 		return err
 	}
 	http3Client = &http.Client{
-		Transport: &http3.RoundTripper{
+		Transport: &http3.Transport{
 			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 				destination := M.ParseSocksaddr(addr)
 				udpConn, dErr := dialer.DialContext(ctx, N.NetworkUDP, destination)

cmd/sing-box/internal/convertor/adguard/convertor_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/route/rule"
+	"github.com/sagernet/sing-box/route"
 
 	"github.com/stretchr/testify/require"
 )
@@ -26,7 +26,7 @@ example.arpa
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
-	rule, err := rule.NewHeadlessRule(nil, rules[0])
+	rule, err := route.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"example.org",
@@ -85,7 +85,7 @@ func TestHosts(t *testing.T) {
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
-	rule, err := rule.NewHeadlessRule(nil, rules[0])
+	rule, err := route.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"google.com",
@@ -115,7 +115,7 @@ www.example.org
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
-	rule, err := rule.NewHeadlessRule(nil, rules[0])
+	rule, err := route.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"example.com",

common/dialer/default.go

@@ -3,7 +3,6 @@ package dialer
 import (
 	"context"
 	"net"
-	"net/netip"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -103,7 +102,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		udpAddr4   string
 	)
 	if options.Inet4BindAddress != nil {
-		bindAddr := options.Inet4BindAddress.Build(netip.IPv4Unspecified())
+		bindAddr := options.Inet4BindAddress.Build()
 		dialer4.LocalAddr = &net.TCPAddr{IP: bindAddr.AsSlice()}
 		udpDialer4.LocalAddr = &net.UDPAddr{IP: bindAddr.AsSlice()}
 		udpAddr4 = M.SocksaddrFrom(bindAddr, 0).String()
@@ -114,7 +113,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		udpAddr6   string
 	)
 	if options.Inet6BindAddress != nil {
-		bindAddr := options.Inet6BindAddress.Build(netip.IPv6Unspecified())
+		bindAddr := options.Inet6BindAddress.Build()
 		dialer6.LocalAddr = &net.TCPAddr{IP: bindAddr.AsSlice()}
 		udpDialer6.LocalAddr = &net.UDPAddr{IP: bindAddr.AsSlice()}
 		udpAddr6 = M.SocksaddrFrom(bindAddr, 0).String()
@@ -126,7 +125,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		setMultiPathTCP(&dialer4)
 	}
 	if options.IsWireGuardListener {
-		for _, controlFn := range WgControlFns {
+		for _, controlFn := range wgControlFns {
 			listener.Control = control.Append(listener.Control, controlFn)
 		}
 	}
@@ -180,7 +179,7 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 }
 
 func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
-	return trackPacketConn(d.udpListener.ListenPacket(context.Background(), network, address))
+	return d.udpListener.ListenPacket(context.Background(), network, address)
 }
 
 func trackConn(conn net.Conn, err error) (net.Conn, error) {

common/dialer/wireguard.go

@@ -2,12 +2,8 @@ package dialer
 
 import (
 	"net"
-
-	"github.com/sagernet/sing/common/control"
 )
 
 type WireGuardListener interface {
 	ListenPacketCompat(network, address string) (net.PacketConn, error)
 }
-
-var WgControlFns []control.Func

common/dialer/wireguard_control.go

@@ -0,0 +1,11 @@
+//go:build with_wireguard
+
+package dialer
+
+import (
+	"github.com/sagernet/wireguard-go/conn"
+)
+
+var _ WireGuardListener = (conn.Listener)(nil)
+
+var wgControlFns = conn.ControlFns

common/dialer/wiregurad_stub.go

@@ -0,0 +1,9 @@
+//go:build !with_wireguard
+
+package dialer
+
+import (
+	"github.com/sagernet/sing/common/control"
+)
+
+var wgControlFns []control.Func

common/listener/listener.go

@@ -1,137 +0,0 @@
-package listener
-
-import (
-	"context"
-	"net"
-	"net/netip"
-	"sync/atomic"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/settings"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type Listener struct {
-	ctx                      context.Context
-	logger                   logger.ContextLogger
-	network                  []string
-	listenOptions            option.ListenOptions
-	connHandler              adapter.ConnectionHandlerEx
-	packetHandler            adapter.PacketHandlerEx
-	oobPacketHandler         adapter.OOBPacketHandlerEx
-	threadUnsafePacketWriter bool
-	disablePacketOutput      bool
-	setSystemProxy           bool
-	systemProxySOCKS         bool
-
-	tcpListener          net.Listener
-	systemProxy          settings.SystemProxy
-	udpConn              *net.UDPConn
-	udpAddr              M.Socksaddr
-	packetOutbound       chan *N.PacketBuffer
-	packetOutboundClosed chan struct{}
-	shutdown             atomic.Bool
-}
-
-type Options struct {
-	Context                  context.Context
-	Logger                   logger.ContextLogger
-	Network                  []string
-	Listen                   option.ListenOptions
-	ConnectionHandler        adapter.ConnectionHandlerEx
-	PacketHandler            adapter.PacketHandlerEx
-	OOBPacketHandler         adapter.OOBPacketHandlerEx
-	ThreadUnsafePacketWriter bool
-	DisablePacketOutput      bool
-	SetSystemProxy           bool
-	SystemProxySOCKS         bool
-}
-
-func New(
-	options Options,
-) *Listener {
-	return &Listener{
-		ctx:                      options.Context,
-		logger:                   options.Logger,
-		network:                  options.Network,
-		listenOptions:            options.Listen,
-		connHandler:              options.ConnectionHandler,
-		packetHandler:            options.PacketHandler,
-		oobPacketHandler:         options.OOBPacketHandler,
-		threadUnsafePacketWriter: options.ThreadUnsafePacketWriter,
-		disablePacketOutput:      options.DisablePacketOutput,
-		setSystemProxy:           options.SetSystemProxy,
-		systemProxySOCKS:         options.SystemProxySOCKS,
-	}
-}
-
-func (l *Listener) Start() error {
-	if common.Contains(l.network, N.NetworkTCP) {
-		_, err := l.ListenTCP()
-		if err != nil {
-			return err
-		}
-		go l.loopTCPIn()
-	}
-	if common.Contains(l.network, N.NetworkUDP) {
-		_, err := l.ListenUDP()
-		if err != nil {
-			return err
-		}
-		l.packetOutboundClosed = make(chan struct{})
-		l.packetOutbound = make(chan *N.PacketBuffer, 64)
-		go l.loopUDPIn()
-		if !l.disablePacketOutput {
-			go l.loopUDPOut()
-		}
-	}
-	if l.setSystemProxy {
-		listenPort := M.SocksaddrFromNet(l.tcpListener.Addr()).Port
-		var listenAddrString string
-		listenAddr := l.listenOptions.Listen.Build(netip.IPv4Unspecified())
-		if listenAddr.IsUnspecified() {
-			listenAddrString = "127.0.0.1"
-		} else {
-			listenAddrString = listenAddr.String()
-		}
-		systemProxy, err := settings.NewSystemProxy(l.ctx, M.ParseSocksaddrHostPort(listenAddrString, listenPort), l.systemProxySOCKS)
-		if err != nil {
-			return E.Cause(err, "initialize system proxy")
-		}
-		err = systemProxy.Enable()
-		if err != nil {
-			return E.Cause(err, "set system proxy")
-		}
-		l.systemProxy = systemProxy
-	}
-	return nil
-}
-
-func (l *Listener) Close() error {
-	l.shutdown.Store(true)
-	var err error
-	if l.systemProxy != nil && l.systemProxy.IsEnabled() {
-		err = l.systemProxy.Disable()
-	}
-	return E.Errors(err, common.Close(
-		l.tcpListener,
-		common.PtrOrNil(l.udpConn),
-	))
-}
-
-func (l *Listener) TCPListener() net.Listener {
-	return l.tcpListener
-}
-
-func (l *Listener) UDPConn() *net.UDPConn {
-	return l.udpConn
-}
-
-func (l *Listener) ListenOptions() option.ListenOptions {
-	return l.listenOptions
-}

common/listener/listener_go123.go

@@ -1,16 +0,0 @@
-//go:build go1.23
-
-package listener
-
-import (
-	"net"
-	"time"
-)
-
-func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
-	listener.KeepAliveConfig = net.KeepAliveConfig{
-		Enable:   true,
-		Idle:     idle,
-		Interval: interval,
-	}
-}

common/listener/listener_nongo123.go

@@ -1,15 +0,0 @@
-//go:build !go1.23
-
-package listener
-
-import (
-	"net"
-	"time"
-
-	"github.com/sagernet/sing/common/control"
-)
-
-func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
-	listener.KeepAlive = idle
-	listener.Control = control.Append(listener.Control, control.SetKeepAlivePeriod(idle, interval))
-}

common/listener/listener_tcp.go

@@ -1,86 +0,0 @@
-package listener
-
-import (
-	"net"
-	"net/netip"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	"github.com/metacubex/tfo-go"
-)
-
-func (l *Listener) ListenTCP() (net.Listener, error) {
-	var err error
-	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(netip.AddrFrom4([4]byte{127, 0, 0, 1})), l.listenOptions.ListenPort)
-	var tcpListener net.Listener
-	var listenConfig net.ListenConfig
-	if l.listenOptions.TCPKeepAlive >= 0 {
-		keepIdle := time.Duration(l.listenOptions.TCPKeepAlive)
-		if keepIdle == 0 {
-			keepIdle = C.TCPKeepAliveInitial
-		}
-		keepInterval := time.Duration(l.listenOptions.TCPKeepAliveInterval)
-		if keepInterval == 0 {
-			keepInterval = C.TCPKeepAliveInterval
-		}
-		setKeepAliveConfig(&listenConfig, keepIdle, keepInterval)
-	}
-	if l.listenOptions.TCPMultiPath {
-		if !go121Available {
-			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
-		}
-		setMultiPathTCP(&listenConfig)
-	}
-	if l.listenOptions.TCPFastOpen {
-		var tfoConfig tfo.ListenConfig
-		tfoConfig.ListenConfig = listenConfig
-		tcpListener, err = tfoConfig.Listen(l.ctx, M.NetworkFromNetAddr(N.NetworkTCP, bindAddr.Addr), bindAddr.String())
-	} else {
-		tcpListener, err = listenConfig.Listen(l.ctx, M.NetworkFromNetAddr(N.NetworkTCP, bindAddr.Addr), bindAddr.String())
-	}
-	if err == nil {
-		l.logger.Info("tcp server started at ", tcpListener.Addr())
-	}
-	//nolint:staticcheck
-	if l.listenOptions.ProxyProtocol || l.listenOptions.ProxyProtocolAcceptNoHeader {
-		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")
-	}
-	l.tcpListener = tcpListener
-	return tcpListener, err
-}
-
-func (l *Listener) loopTCPIn() {
-	tcpListener := l.tcpListener
-	var metadata adapter.InboundContext
-	for {
-		conn, err := tcpListener.Accept()
-		if err != nil {
-			//nolint:staticcheck
-			if netError, isNetError := err.(net.Error); isNetError && netError.Temporary() {
-				l.logger.Error(err)
-				continue
-			}
-			if l.shutdown.Load() && E.IsClosed(err) {
-				return
-			}
-			l.tcpListener.Close()
-			l.logger.Error("tcp listener closed: ", err)
-			continue
-		}
-		//nolint:staticcheck
-		metadata.InboundDetour = l.listenOptions.Detour
-		//nolint:staticcheck
-		metadata.InboundOptions = l.listenOptions.InboundOptions
-		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
-		metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
-		ctx := log.ContextWithNewID(l.ctx)
-		l.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
-		go l.connHandler.NewConnectionEx(ctx, conn, metadata, nil)
-	}
-}

common/listener/listener_udp.go

@@ -1,155 +0,0 @@
-package listener
-
-import (
-	"net"
-	"net/netip"
-	"os"
-	"time"
-
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/control"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func (l *Listener) ListenUDP() (net.PacketConn, error) {
-	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(netip.AddrFrom4([4]byte{127, 0, 0, 1})), l.listenOptions.ListenPort)
-	var lc net.ListenConfig
-	var udpFragment bool
-	if l.listenOptions.UDPFragment != nil {
-		udpFragment = *l.listenOptions.UDPFragment
-	} else {
-		udpFragment = l.listenOptions.UDPFragmentDefault
-	}
-	if !udpFragment {
-		lc.Control = control.Append(lc.Control, control.DisableUDPFragment())
-	}
-	udpConn, err := lc.ListenPacket(l.ctx, M.NetworkFromNetAddr(N.NetworkUDP, bindAddr.Addr), bindAddr.String())
-	if err != nil {
-		return nil, err
-	}
-	l.udpConn = udpConn.(*net.UDPConn)
-	l.udpAddr = bindAddr
-	l.logger.Info("udp server started at ", udpConn.LocalAddr())
-	return udpConn, err
-}
-
-func (l *Listener) UDPAddr() M.Socksaddr {
-	return l.udpAddr
-}
-
-func (l *Listener) PacketWriter() N.PacketWriter {
-	return (*packetWriter)(l)
-}
-
-func (l *Listener) loopUDPIn() {
-	defer close(l.packetOutboundClosed)
-	var buffer *buf.Buffer
-	if !l.threadUnsafePacketWriter {
-		buffer = buf.NewPacket()
-		defer buffer.Release()
-		buffer.IncRef()
-		defer buffer.DecRef()
-	}
-	if l.oobPacketHandler != nil {
-		oob := make([]byte, 1024)
-		for {
-			if l.threadUnsafePacketWriter {
-				buffer = buf.NewPacket()
-			} else {
-				buffer.Reset()
-			}
-			n, oobN, _, addr, err := l.udpConn.ReadMsgUDPAddrPort(buffer.FreeBytes(), oob)
-			if err != nil {
-				if l.threadUnsafePacketWriter {
-					buffer.Release()
-				}
-				if l.shutdown.Load() && E.IsClosed(err) {
-					return
-				}
-				l.udpConn.Close()
-				l.logger.Error("udp listener closed: ", err)
-				return
-			}
-			buffer.Truncate(n)
-			l.oobPacketHandler.NewPacketEx(buffer, oob[:oobN], M.SocksaddrFromNetIP(addr).Unwrap())
-		}
-	} else {
-		for {
-			if l.threadUnsafePacketWriter {
-				buffer = buf.NewPacket()
-			} else {
-				buffer.Reset()
-			}
-			n, addr, err := l.udpConn.ReadFromUDPAddrPort(buffer.FreeBytes())
-			if err != nil {
-				if l.threadUnsafePacketWriter {
-					buffer.Release()
-				}
-				if l.shutdown.Load() && E.IsClosed(err) {
-					return
-				}
-				l.udpConn.Close()
-				l.logger.Error("udp listener closed: ", err)
-				return
-			}
-			buffer.Truncate(n)
-			l.packetHandler.NewPacketEx(buffer, M.SocksaddrFromNetIP(addr).Unwrap())
-		}
-	}
-}
-
-func (l *Listener) loopUDPOut() {
-	for {
-		select {
-		case packet := <-l.packetOutbound:
-			destination := packet.Destination.AddrPort()
-			_, err := l.udpConn.WriteToUDPAddrPort(packet.Buffer.Bytes(), destination)
-			packet.Buffer.Release()
-			N.PutPacketBuffer(packet)
-			if err != nil {
-				if l.shutdown.Load() && E.IsClosed(err) {
-					return
-				}
-				l.udpConn.Close()
-				l.logger.Error("udp listener write back: ", destination, ": ", err)
-				return
-			}
-			continue
-		case <-l.packetOutboundClosed:
-		}
-		for {
-			select {
-			case packet := <-l.packetOutbound:
-				packet.Buffer.Release()
-				N.PutPacketBuffer(packet)
-			case <-time.After(time.Second):
-				return
-			}
-		}
-	}
-}
-
-type packetWriter Listener
-
-func (w *packetWriter) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	packet := N.NewPacketBuffer()
-	packet.Buffer = buffer
-	packet.Destination = destination
-	select {
-	case w.packetOutbound <- packet:
-		return nil
-	default:
-		buffer.Release()
-		N.PutPacketBuffer(packet)
-		if w.shutdown.Load() {
-			return os.ErrClosed
-		}
-		w.logger.Trace("dropped packet to ", destination)
-		return nil
-	}
-}
-
-func (w *packetWriter) WriteIsThreadUnsafe() {
-}

common/mux/router.go

@@ -15,11 +15,11 @@ import (
 )
 
 type Router struct {
-	router  adapter.ConnectionRouterEx
+	router  adapter.ConnectionRouter
 	service *mux.Service
 }
 
-func NewRouterWithOptions(router adapter.ConnectionRouterEx, logger logger.ContextLogger, options option.InboundMultiplexOptions) (adapter.ConnectionRouterEx, error) {
+func NewRouterWithOptions(router adapter.ConnectionRouter, logger logger.ContextLogger, options option.InboundMultiplexOptions) (adapter.ConnectionRouter, error) {
 	if !options.Enabled {
 		return router, nil
 	}
@@ -54,7 +54,6 @@ func NewRouterWithOptions(router adapter.ConnectionRouterEx, logger logger.Conte
 
 func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	if metadata.Destination == mux.Destination {
-		// TODO: check if WithContext is necessary
 		return r.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, adapter.UpstreamMetadata(metadata))
 	} else {
 		return r.router.RouteConnection(ctx, conn, metadata)
@@ -64,15 +63,3 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return r.router.RoutePacketConnection(ctx, conn, metadata)
 }
-
-func (r *Router) RouteConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
-	if metadata.Destination == mux.Destination {
-		r.service.NewConnectionEx(adapter.WithContext(ctx, &metadata), conn, metadata.Source, metadata.Destination, onClose)
-		return
-	}
-	r.router.RouteConnectionEx(ctx, conn, metadata, onClose)
-}
-
-func (r *Router) RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
-	r.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
-}

common/mux/v2ray_legacy.go

@@ -0,0 +1,32 @@
+package mux
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	vmess "github.com/sagernet/sing-vmess"
+	"github.com/sagernet/sing/common/logger"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type V2RayLegacyRouter struct {
+	router adapter.ConnectionRouter
+	logger logger.ContextLogger
+}
+
+func NewV2RayLegacyRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) adapter.ConnectionRouter {
+	return &V2RayLegacyRouter{router, logger}
+}
+
+func (r *V2RayLegacyRouter) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	if metadata.Destination.Fqdn == vmess.MuxDestination.Fqdn {
+		r.logger.InfoContext(ctx, "inbound legacy multiplex connection")
+		return vmess.HandleMuxConnection(ctx, conn, adapter.NewRouteHandler(metadata, r.router, r.logger))
+	}
+	return r.router.RouteConnection(ctx, conn, metadata)
+}
+
+func (r *V2RayLegacyRouter) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	return r.router.RoutePacketConnection(ctx, conn, metadata)
+}

common/sniff/sniff.go

@@ -18,7 +18,7 @@ type (
 	PacketSniffer = func(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error
 )
 
-func Skip(metadata *adapter.InboundContext) bool {
+func Skip(metadata adapter.InboundContext) bool {
 	// skip server first protocols
 	switch metadata.Destination.Port {
 	case 25, 465, 587:

common/srs/binary.go

@@ -41,7 +41,7 @@ const (
 	ruleItemFinal uint8 = 0xFF
 )
 
-func Read(reader io.Reader, recover bool) (ruleSet option.PlainRuleSet, err error) {
+func Read(reader io.Reader, recover bool) (ruleSetCompat option.PlainRuleSetCompat, err error) {
 	var magicBytes [3]byte
 	_, err = io.ReadFull(reader, magicBytes[:])
 	if err != nil {
@@ -54,10 +54,10 @@ func Read(reader io.Reader, recover bool) (ruleSet option.PlainRuleSet, err erro
 	var version uint8
 	err = binary.Read(reader, binary.BigEndian, &version)
 	if err != nil {
-		return ruleSet, err
+		return ruleSetCompat, err
 	}
-	if version > C.RuleSetVersion2 {
-		return ruleSet, E.New("unsupported version: ", version)
+	if version > C.RuleSetVersionCurrent {
+		return ruleSetCompat, E.New("unsupported version: ", version)
 	}
 	compressReader, err := zlib.NewReader(reader)
 	if err != nil {
@@ -68,9 +68,10 @@ func Read(reader io.Reader, recover bool) (ruleSet option.PlainRuleSet, err erro
 	if err != nil {
 		return
 	}
-	ruleSet.Rules = make([]option.HeadlessRule, length)
+	ruleSetCompat.Version = version
+	ruleSetCompat.Options.Rules = make([]option.HeadlessRule, length)
 	for i := uint64(0); i < length; i++ {
-		ruleSet.Rules[i], err = readRule(bReader, recover)
+		ruleSetCompat.Options.Rules[i], err = readRule(bReader, recover)
 		if err != nil {
 			err = E.Cause(err, "read rule[", i, "]")
 			return
@@ -79,18 +80,12 @@ func Read(reader io.Reader, recover bool) (ruleSet option.PlainRuleSet, err erro
 	return
 }
 
-func Write(writer io.Writer, ruleSet option.PlainRuleSet, generateUnstable bool) error {
+func Write(writer io.Writer, ruleSet option.PlainRuleSet, generateVersion uint8) error {
 	_, err := writer.Write(MagicBytes[:])
 	if err != nil {
 		return err
 	}
-	var version uint8
-	if generateUnstable {
-		version = C.RuleSetVersion2
-	} else {
-		version = C.RuleSetVersion1
-	}
-	err = binary.Write(writer, binary.BigEndian, version)
+	err = binary.Write(writer, binary.BigEndian, generateVersion)
 	if err != nil {
 		return err
 	}
@@ -104,7 +99,7 @@ func Write(writer io.Writer, ruleSet option.PlainRuleSet, generateUnstable bool)
 		return err
 	}
 	for _, rule := range ruleSet.Rules {
-		err = writeRule(bWriter, rule, generateUnstable)
+		err = writeRule(bWriter, rule, generateVersion)
 		if err != nil {
 			return err
 		}
@@ -135,12 +130,12 @@ func readRule(reader varbin.Reader, recover bool) (rule option.HeadlessRule, err
 	return
 }
 
-func writeRule(writer varbin.Writer, rule option.HeadlessRule, generateUnstable bool) error {
+func writeRule(writer varbin.Writer, rule option.HeadlessRule, generateVersion uint8) error {
 	switch rule.Type {
 	case C.RuleTypeDefault:
-		return writeDefaultRule(writer, rule.DefaultOptions, generateUnstable)
+		return writeDefaultRule(writer, rule.DefaultOptions, generateVersion)
 	case C.RuleTypeLogical:
-		return writeLogicalRule(writer, rule.LogicalOptions, generateUnstable)
+		return writeLogicalRule(writer, rule.LogicalOptions, generateVersion)
 	default:
 		panic("unknown rule type: " + rule.Type)
 	}
@@ -240,7 +235,7 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 	}
 }
 
-func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, generateUnstable bool) error {
+func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, generateVersion uint8) error {
 	err := binary.Write(writer, binary.BigEndian, uint8(0))
 	if err != nil {
 		return err
@@ -264,7 +259,7 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 		if err != nil {
 			return err
 		}
-		err = domain.NewMatcher(rule.Domain, rule.DomainSuffix, !generateUnstable).Write(writer)
+		err = domain.NewMatcher(rule.Domain, rule.DomainSuffix, generateVersion == C.RuleSetVersion1).Write(writer)
 		if err != nil {
 			return err
 		}
@@ -354,6 +349,9 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 		}
 	}
 	if len(rule.AdGuardDomain) > 0 {
+		if generateVersion < C.RuleSetVersion2 {
+			return E.New("AdGuard rule items is only supported in version 2 or later")
+		}
 		err = binary.Write(writer, binary.BigEndian, ruleItemAdGuardDomain)
 		if err != nil {
 			return err
@@ -457,7 +455,7 @@ func readLogicalRule(reader varbin.Reader, recovery bool) (logicalRule option.Lo
 	return
 }
 
-func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRule, generateUnstable bool) error {
+func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRule, generateVersion uint8) error {
 	err := binary.Write(writer, binary.BigEndian, uint8(1))
 	if err != nil {
 		return err
@@ -478,7 +476,7 @@ func writeLogicalRule(writer varbin.Writer, logicalRule option.LogicalHeadlessRu
 		return err
 	}
 	for _, rule := range logicalRule.Rules {
-		err = writeRule(writer, rule, generateUnstable)
+		err = writeRule(writer, rule, generateVersion)
 		if err != nil {
 			return err
 		}

common/tls/ech_client.go

@@ -63,6 +63,7 @@ type echConnWrapper struct {
 
 func (c *echConnWrapper) ConnectionState() tls.ConnectionState {
 	state := c.Conn.ConnectionState()
+	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,

common/tls/ech_keygen.go

@@ -147,6 +147,9 @@ func echKeygen(version uint16, serverName string, conf []myECHKeyConfig, suite [
 		pair.rawConf = b
 
 		secBuf, err := sec.MarshalBinary()
+		if err != nil {
+			return nil, E.Cause(err, "serialize ECH private key")
+		}
 		sk := []byte{}
 		sk = be.AppendUint16(sk, uint16(len(secBuf)))
 		sk = append(sk, secBuf...)

common/tls/ech_quic.go

@@ -28,7 +28,7 @@ func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, ad
 }
 
 func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config) http.RoundTripper {
-	return &http3.RoundTripper{
+	return &http3.Transport{
 		TLSClientConfig: c.config,
 		QUICConfig:      quicConfig,
 		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {

common/tls/ech_server.go

@@ -97,6 +97,10 @@ func (c *echServerConfig) startWatcher() error {
 	if err != nil {
 		return err
 	}
+	err = watcher.Start()
+	if err != nil {
+		return err
+	}
 	c.watcher = watcher
 	return nil
 }
@@ -232,7 +236,7 @@ func NewECHServer(ctx context.Context, logger log.Logger, options option.Inbound
 	var echKey []byte
 	if len(options.ECH.Key) > 0 {
 		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
-	} else if options.KeyPath != "" {
+	} else if options.ECH.KeyPath != "" {
 		content, err := os.ReadFile(options.ECH.KeyPath)
 		if err != nil {
 			return nil, E.Cause(err, "read ECH key")

common/tls/reality_client.go

@@ -184,7 +184,7 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 		return nil, E.New("reality verification failed")
 	}
 
-	return &utlsConnWrapper{uConn}, nil
+	return &realityClientConnWrapper{uConn}, nil
 }
 
 func realityClientFallback(uConn net.Conn, serverName string, fingerprint utls.ClientHelloID) {
@@ -249,3 +249,36 @@ func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChain
 	}
 	return nil
 }
+
+type realityClientConnWrapper struct {
+	*utls.UConn
+}
+
+func (c *realityClientConnWrapper) ConnectionState() tls.ConnectionState {
+	state := c.Conn.ConnectionState()
+	//nolint:staticcheck
+	return tls.ConnectionState{
+		Version:                     state.Version,
+		HandshakeComplete:           state.HandshakeComplete,
+		DidResume:                   state.DidResume,
+		CipherSuite:                 state.CipherSuite,
+		NegotiatedProtocol:          state.NegotiatedProtocol,
+		NegotiatedProtocolIsMutual:  state.NegotiatedProtocolIsMutual,
+		ServerName:                  state.ServerName,
+		PeerCertificates:            state.PeerCertificates,
+		VerifiedChains:              state.VerifiedChains,
+		SignedCertificateTimestamps: state.SignedCertificateTimestamps,
+		OCSPResponse:                state.OCSPResponse,
+		TLSUnique:                   state.TLSUnique,
+	}
+}
+
+func (c *realityClientConnWrapper) Upstream() any {
+	return c.UConn
+}
+
+// Due to low implementation quality, the reality server intercepted half close and caused memory leaks.
+// We fixed it by calling Close() directly.
+func (c *realityClientConnWrapper) CloseWrite() error {
+	return c.Close()
+}

common/tls/reality_server.go

@@ -175,6 +175,7 @@ type realityConnWrapper struct {
 
 func (c *realityConnWrapper) ConnectionState() ConnectionState {
 	state := c.Conn.ConnectionState()
+	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,
@@ -194,3 +195,9 @@ func (c *realityConnWrapper) ConnectionState() ConnectionState {
 func (c *realityConnWrapper) Upstream() any {
 	return c.Conn
 }
+
+// Due to low implementation quality, the reality server intercepted half close and caused memory leaks.
+// We fixed it by calling Close() directly.
+func (c *realityConnWrapper) CloseWrite() error {
+	return c.Close()
+}

common/tls/std_server.go

@@ -106,6 +106,10 @@ func (c *STDServerConfig) startWatcher() error {
 	if err != nil {
 		return err
 	}
+	err = watcher.Start()
+	if err != nil {
+		return err
+	}
 	c.watcher = watcher
 	return nil
 }

common/tls/utls_client.go

@@ -69,6 +69,7 @@ type utlsConnWrapper struct {
 
 func (c *utlsConnWrapper) ConnectionState() tls.ConnectionState {
 	state := c.Conn.ConnectionState()
+	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,

common/uot/router.go

@@ -13,14 +13,14 @@ import (
 	"github.com/sagernet/sing/common/uot"
 )
 
-var _ adapter.ConnectionRouterEx = (*Router)(nil)
+var _ adapter.ConnectionRouter = (*Router)(nil)
 
 type Router struct {
-	router adapter.ConnectionRouterEx
+	router adapter.ConnectionRouter
 	logger logger.ContextLogger
 }
 
-func NewRouter(router adapter.ConnectionRouterEx, logger logger.ContextLogger) *Router {
+func NewRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) *Router {
 	return &Router{router, logger}
 }
 
@@ -51,36 +51,3 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return r.router.RoutePacketConnection(ctx, conn, metadata)
 }
-
-func (r *Router) RouteConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
-	switch metadata.Destination.Fqdn {
-	case uot.MagicAddress:
-		request, err := uot.ReadRequest(conn)
-		if err != nil {
-			err = E.Cause(err, "UoT read request")
-			r.logger.ErrorContext(ctx, "process connection from ", metadata.Source, ": ", err)
-			N.CloseOnHandshakeFailure(conn, onClose, err)
-			return
-		}
-		if request.IsConnect {
-			r.logger.InfoContext(ctx, "inbound UoT connect connection to ", request.Destination)
-		} else {
-			r.logger.InfoContext(ctx, "inbound UoT connection to ", request.Destination)
-		}
-		metadata.Domain = metadata.Destination.Fqdn
-		metadata.Destination = request.Destination
-		r.router.RoutePacketConnectionEx(ctx, uot.NewConn(conn, *request), metadata, onClose)
-		return
-	case uot.LegacyMagicAddress:
-		r.logger.InfoContext(ctx, "inbound legacy UoT connection")
-		metadata.Domain = metadata.Destination.Fqdn
-		metadata.Destination = M.Socksaddr{Addr: netip.IPv4Unspecified()}
-		r.RoutePacketConnectionEx(ctx, uot.NewConn(conn, uot.Request{}), metadata, onClose)
-		return
-	}
-	r.router.RouteConnectionEx(ctx, conn, metadata, onClose)
-}
-
-func (r *Router) RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
-	r.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
-}

constant/rule.go

@@ -21,19 +21,5 @@ const (
 const (
 	RuleSetVersion1 = 1 + iota
 	RuleSetVersion2
-)
-
-const (
-	RuleActionTypeRoute        = "route"
-	RuleActionTypeRouteOptions = "route-options"
-	RuleActionTypeDirect       = "direct"
-	RuleActionTypeReject       = "reject"
-	RuleActionTypeHijackDNS    = "hijack-dns"
-	RuleActionTypeSniff        = "sniff"
-	RuleActionTypeResolve      = "resolve"
-)
-
-const (
-	RuleActionRejectMethodDefault = "default"
-	RuleActionRejectMethodDrop    = "drop"
+	RuleSetVersionCurrent = RuleSetVersion2
 )

debug_http.go

@@ -46,7 +46,7 @@ func applyDebugListenOption(options option.DebugOptions) {
 
 			encoder := json.NewEncoder(writer)
 			encoder.SetIndent("", "  ")
-			encoder.Encode(memObject)
+			encoder.Encode(&memObject)
 		})
 		r.Route("/pprof", func(r chi.Router) {
 			r.HandleFunc("/", func(writer http.ResponseWriter, request *http.Request) {

docs/changelog.md

@@ -2,60 +2,14 @@
 icon: material/alert-decagram
 ---
 
-#### 1.11.0-alpha.9
+### 1.10.7
 
-* Improve tun compatibility **1**
 * Fixes and improvements
 
-**1**:
+### 1.10.2
 
-When `gvisor` tun stack is enabled, even if the request passes routing,
-if the outbound connection establishment fails,
-the connection still does not need to be established and a TCP RST is replied.
-
-#### 1.11.0-alpha.7
-
-* Introducing rule actions **1**
-
-**1**:
-
-New rule actions replace legacy inbound fields and special outbound fields,
-and can be used for pre-matching **2**.
-
-See [Rule](/configuration/route/rule/),
-[Rule Action](/configuration/route/rule_action/),
-[DNS Rule](/configuration/dns/rule/) and
-[DNS Rule Action](/configuration/dns/rule_action/).
-
-For migration, see
-[Migrate legacy special outbounds to rule actions](/migration/#migrate-legacy-special-outbounds-to-rule-actions), 
-[Migrate legacy inbound fields to rule actions](/migration/#migrate-legacy-inbound-fields-to-rule-actions)
-and [Migrate legacy DNS route options to rule actions](/migration/#migrate-legacy-dns-route-options-to-rule-actions).
-
-**2**:
-
-Similar to Surge's pre-matching.
-
-Specifically, the new rule actions allow you to reject connections with
-TCP RST (for TCP connections) and ICMP port unreachable (for UDP packets)
-before connection established to improve tun's compatibility.
-
-See [Rule Action](/configuration/route/rule_action/).
-
-#### 1.11.0-alpha.6
-
-* Update quic-go to v0.48.1
-* Set gateway for tun correctly
-* Fixes and improvements
-
-#### 1.11.0-alpha.2
-
-* Add warnings for usage of deprecated features
-* Fixes and improvements
-
-#### 1.11.0-alpha.1
-
-* Update quic-go to v0.48.0
+* Add deprecated warnings
+* Fix proxying websocket connections in HTTP/mixed inbounds
 * Fixes and improvements
 
 ### 1.10.1

docs/configuration/dns/index.md

@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 !!! quote "Changes in sing-box 1.9.0"
 
     :material-plus: [client_subnet](#client_subnet)

docs/configuration/dns/index.zh.md

@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 !!! quote "sing-box 1.9.0 中的更改"
 
     :material-plus: [client_subnet](#client_subnet)

docs/configuration/dns/rule.md

@@ -2,14 +2,6 @@
 icon: material/new-box
 ---
 
-!!! quote "Changes in sing-box 1.11.0"
-
-    :material-plus: [action](#action)  
-    :material-alert: [server](#server)  
-    :material-alert: [disable_cache](#disable_cache)  
-    :material-alert: [rewrite_ttl](#rewrite_ttl)  
-    :material-alert: [client_subnet](#client_subnet)
-
 !!! quote "Changes in sing-box 1.10.0"
 
     :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
@@ -22,7 +14,7 @@ icon: material/new-box
     :material-plus: [geoip](#geoip)  
     :material-plus: [ip_cidr](#ip_cidr)  
     :material-plus: [ip_is_private](#ip_is_private)  
-    :material-plus: [client_subnet](#client_subnet)  
+    :material-plus: [client_subnet](#client_subnet)
     :material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
 
 !!! quote "Changes in sing-box 1.8.0"
@@ -143,15 +135,19 @@ icon: material/new-box
         "outbound": [
           "direct"
         ],
-        "action": "route",
-        "server": "local"
+        "server": "local",
+        "disable_cache": false,
+        "rewrite_ttl": 100,
+        "client_subnet": "127.0.0.1/24"
       },
       {
         "type": "logical",
         "mode": "and",
         "rules": [],
-        "action": "route",
-        "server": "local"
+        "server": "local",
+        "disable_cache": false,
+        "rewrite_ttl": 100,
+        "client_subnet": "127.0.0.1/24"
       }
     ]
   }
@@ -222,7 +218,7 @@ Match domain using regular expression.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    Geosite is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).
+    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-sets).
 
 Match geosite.
 
@@ -230,7 +226,7 @@ Match geosite.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
+    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 Match source geoip.
 
@@ -358,35 +354,29 @@ Match outbound.
 
 `any` can be used as a value to match any outbound.
 
-#### action
+#### server
 
 ==Required==
 
-See [DNS Rule Actions](../rule_action/) for details.
-
-#### server
-
-!!! failure "Deprecated in sing-box 1.11.0"
-
-    Moved to [DNS Rule Action](../rule_action#route).
+Tag of the target dns server.
 
 #### disable_cache
 
-!!! failure "Deprecated in sing-box 1.11.0"
-
-    Moved to [DNS Rule Action](../rule_action#route).
+Disable cache and save cache in this query.
 
 #### rewrite_ttl
 
-!!! failure "Deprecated in sing-box 1.11.0"
-
-    Moved to [DNS Rule Action](../rule_action#route).
+Rewrite TTL in DNS responses.
 
 #### client_subnet
 
-!!! failure "Deprecated in sing-box 1.11.0"
+!!! question "Since sing-box 1.9.0"
 
-    Moved to [DNS Rule Action](../rule_action#route).
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+
+Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
 
 ### Address Filter Fields
 

docs/configuration/dns/rule.zh.md

@@ -14,7 +14,7 @@ icon: material/new-box
     :material-plus: [geoip](#geoip)  
     :material-plus: [ip_cidr](#ip_cidr)  
     :material-plus: [ip_is_private](#ip_is_private)  
-    :material-plus: [client_subnet](#client_subnet)  
+    :material-plus: [client_subnet](#client_subnet)
     :material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
 
 !!! quote "sing-box 1.8.0 中的更改"

docs/configuration/dns/rule_action.md

@@ -1,85 +0,0 @@
----
-icon: material/new-box
----
-
-# DNS Rule Action
-
-!!! question "Since sing-box 1.11.0"
-
-### route
-
-```json
-{
-  "action": "route",  // default
-  "server": "",
-  
-  // for compatibility
-  "disable_cache": false,
-  "rewrite_ttl": 0,
-  "client_subnet": null
-}
-```
-
-`route` inherits the classic rule behavior of routing DNS requests to the specified server.
-
-#### server
-
-==Required==
-
-Tag of target server.
-
-#### disable_cache/rewrite_ttl/client_subnet
-
-!!! failure "Deprecated in sing-box 1.11.0"
-
-    Legacy route options is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-legacy-dns-route-options-to-rule-actions).
-
-### route-options
-
-```json
-{
-  "action": "route-options",
-  "disable_cache": false,
-  "rewrite_ttl": null,
-  "client_subnet": null
-}
-```
-
-#### disable_cache
-
-Disable cache and save cache in this query.
-
-#### rewrite_ttl
-
-Rewrite TTL in DNS responses.
-
-#### client_subnet
-
-Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
-
-If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
-
-Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
-
-### reject
-
-```json
-{
-  "action": "reject",
-  "method": "default", // default
-  "no_drop": false
-}
-```
-
-`reject` reject DNS requests.
-
-#### method
-
-- `default`: Reply with NXDOMAIN.
-- `drop`: Drop the request.
-
-#### no_drop
-
-If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.
-
-Not available when `method` is set to drop.

docs/configuration/dns/rule_action.zh.md

@@ -1,86 +0,0 @@
----
-icon: material/new-box
----
-
-# DNS 规则动作
-
-!!! question "自 sing-box 1.11.0 起"
-
-### route
-
-```json
-{
-  "action": "route",  // 默认
-  "server": "",
-  
-  // 兼容性
-  "disable_cache": false,
-  "rewrite_ttl": 0,
-  "client_subnet": null
-}
-```
-
-`route` 继承了将 DNS 请求 路由到指定服务器的经典规则动作。
-
-#### server
-
-==必填==
-
-目标 DNS 服务器的标签。
-
-#### disable_cache/rewrite_ttl/client_subnet
-
-!!! failure "自 sing-box 1.11.0 起"
-
-    旧的路由选项已弃用，且将在 sing-box 1.12.0 中移除，参阅 [迁移指南](/migration/#migrate-legacy-dns-route-options-to-rule-actions).
-
-### route-options
-
-```json
-{
-  "action": "route-options",
-  "disable_cache": false,
-  "rewrite_ttl": null,
-  "client_subnet": null
-}
-```
-
-
-#### disable_cache
-
-在此查询中禁用缓存。
-
-#### rewrite_ttl
-
-重写 DNS 回应中的 TTL。
-
-#### client_subnet
-
-默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
-
-如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
-
-将覆盖 `dns.client_subnet` 与 `servers.[].client_subnet`。
-
-### reject
-
-```json
-{
-  "action": "reject",
-  "method": "default", // default
-  "no_drop": false
-}
-```
-
-`reject` 拒绝 DNS 请求。
-
-#### method
-
-- `default`: 返回 NXDOMAIN。
-- `drop`: 丢弃请求。
-
-#### no_drop
-
-如果未启用，则 30 秒内触发 50 次后，`method` 将被暂时覆盖为 `drop`。
-
-当 `method` 设为 `drop` 时不可用。

docs/configuration/dns/server.md

@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 !!! quote "Changes in sing-box 1.9.0"
 
     :material-plus: [client_subnet](#client_subnet)

docs/configuration/dns/server.zh.md

@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 !!! quote "sing-box 1.9.0 中的更改"
 
     :material-plus: [client_subnet](#client_subnet)

docs/configuration/experimental/cache-file.md

@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 !!! question "Since sing-box 1.8.0"
 
 !!! quote "Changes in sing-box 1.9.0"

docs/configuration/experimental/cache-file.zh.md

@@ -1,3 +1,7 @@
+---
+icon: material/new-box
+---
+
 !!! question "自 sing-box 1.8.0 起"
 
 !!! quote "sing-box 1.9.0 中的更改"

docs/configuration/inbound/tun.md

@@ -110,13 +110,13 @@ icon: material/new-box
     0
   ],
   "include_uid_range": [
-    "1000-99999"
+    "1000:99999"
   ],
   "exclude_uid": [
     1000
   ],
   "exclude_uid_range": [
-    "1000-99999"
+    "1000:99999"
   ],
   "include_android_user": [
     0,

docs/configuration/inbound/tun.zh.md

@@ -110,13 +110,13 @@ icon: material/new-box
     0
   ],
   "include_uid_range": [
-    "1000-99999"
+    "1000:99999"
   ],
   "exclude_uid": [
     1000
   ],
   "exclude_uid_range": [
-    "1000-99999"
+    "1000:99999"
   ],
   "include_android_user": [
     0,

docs/configuration/outbound/block.md

@@ -1,14 +1,8 @@
----
-icon: material/delete-clock
----
-
-!!! failure "Deprecated in sing-box 1.11.0"
-
-    Legacy special outbounds are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
+`block` outbound closes all incoming requests.
 
 ### Structure
 
-```json F
+```json
 {
   "type": "block",
   "tag": "block"

docs/configuration/outbound/block.zh.md

@@ -1,11 +1,3 @@
----
-icon: material/delete-clock
----
-
-!!! failure "已在 sing-box 1.11.0 废弃"
-
-    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
-
 `block` 出站关闭所有传入请求。
 
 ### 结构
@@ -19,4 +11,4 @@ icon: material/delete-clock
 
 ### 字段
 
-无字段。
+无字段。

docs/configuration/outbound/dns.md

@@ -1,11 +1,3 @@
----
-icon: material/delete-clock
----
-
-!!! failure "Deprecated in sing-box 1.11.0"
-
-    Legacy special outbounds are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-special-outbounds-to-rule-actions).
-
 `dns` outbound is a internal DNS server.
 
 ### Structure

docs/configuration/outbound/dns.zh.md

@@ -1,11 +1,3 @@
----
-icon: material/delete-clock
----
-
-!!! failure "已在 sing-box 1.11.0 废弃"
-
-    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除, 参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
-
 `dns` 出站是一个内部 DNS 服务器。
 
 ### 结构

docs/configuration/route/geoip.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
+    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 ### Structure
 

docs/configuration/route/geoip.zh.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "已在 sing-box 1.8.0 废弃"
 
-    GeoIP 已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
+    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geoip)。
 
 ### 结构
 

docs/configuration/route/geosite.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    Geosite is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).
+    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-sets).
 
 ### Structure
 

docs/configuration/route/geosite.zh.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "已在 sing-box 1.8.0 废弃"
 
-    Geosite 已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geosite)。
+    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geosite)。
 
 ### 结构
 

docs/configuration/route/rule.md

@@ -1,12 +1,7 @@
 ---
-icon: material/new-box
+icon: material/alert-decagram
 ---
 
-!!! quote "Changes in sing-box 1.11.0"
-
-    :material-plus: [action](#action)  
-    :material-alert: [outbound](#outbound)
-
 !!! quote "Changes in sing-box 1.10.0"
 
     :material-plus: [client](#client)  
@@ -134,7 +129,6 @@ icon: material/new-box
         "rule_set_ipcidr_match_source": false,
         "rule_set_ip_cidr_match_source": false,
         "invert": false,
-        "action": "route",
         "outbound": "direct"
       },
       {
@@ -142,7 +136,6 @@ icon: material/new-box
         "mode": "and",
         "rules": [],
         "invert": false,
-        "action": "route",
         "outbound": "direct"
       }
     ]
@@ -216,7 +209,7 @@ Match domain using regular expression.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    Geosite is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).
+    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-sets).
 
 Match geosite.
 
@@ -224,7 +217,7 @@ Match geosite.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
+    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 Match source geoip.
 
@@ -232,7 +225,7 @@ Match source geoip.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
+    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 Match geoip.
 
@@ -364,17 +357,11 @@ Make `ip_cidr` in rule-sets match the source IP.
 
 Invert match result.
 
-#### action
+#### outbound
 
 ==Required==
 
-See [Rule Actions](../rule_action/) for details.
-
-#### outbound
-
-!!! failure "Deprecated in sing-box 1.11.0"
-
-    Moved to [Rule Action](../rule_action#route).
+Tag of the target outbound.
 
 ### Logical Fields
 

docs/configuration/route/rule.zh.md

@@ -1,12 +1,7 @@
 ---
-icon: material/new-box
+icon: material/alert-decagram
 ---
 
-!!! quote "sing-box 1.11.0 中的更改"
-
-    :material-plus: [action](#action)  
-    :material-alert: [outbound](#outbound)
-
 !!! quote "sing-box 1.10.0 中的更改"
 
     :material-plus: [client](#client)  
@@ -132,7 +127,6 @@ icon: material/new-box
         "rule_set_ipcidr_match_source": false,
         "rule_set_ip_cidr_match_source": false,
         "invert": false,
-        "action": "route",
         "outbound": "direct"
       },
       {
@@ -140,7 +134,6 @@ icon: material/new-box
         "mode": "and",
         "rules": [],
         "invert": false,
-        "action": "route",
         "outbound": "direct"
       }
     ]
@@ -362,17 +355,11 @@ icon: material/new-box
 
 反选匹配结果。
 
-#### action
+#### outbound
 
 ==必填==
 
-参阅 [规则行动](../rule_action/)。
-
-#### outbound
-
-!!! failure "已在 sing-box 1.11.0 废弃"
-
-    已移动到 [规则行动](../rule_action#route).
+目标出站的标签。
 
 ### 逻辑字段
 

docs/configuration/route/rule_action.md

@@ -1,139 +0,0 @@
----
-icon: material/new-box
----
-
-# Rule Action
-
-!!! question "Since sing-box 1.11.0"
-
-## Final actions
-
-### route
-
-```json
-{
-  "action": "route", // default
-  "outbound": ""
-}
-```
-
-`route` inherits the classic rule behavior of routing connection to the specified outbound.
-
-#### outbound
-
-==Required==
-
-Tag of target outbound.
-
-### route-options
-
-```json
-{
-  "action": "route-options",
-  "udp_disable_domain_unmapping": false,
-  "udp_connect": false
-}
-```
-
-`route-options` set options for routing.
-
-#### udp_disable_domain_unmapping
-
-If enabled, for UDP proxy requests addressed to a domain,
-the original packet address will be sent in the response instead of the mapped domain.
-
-This option is used for compatibility with clients that
-do not support receiving UDP packets with domain addresses, such as Surge.
-
-#### udp_connect
-
-If enabled, attempts to connect UDP connection to the destination instead of listen.
-
-### reject
-
-```json
-{
-  "action": "reject",
-  "method": "default", // default
-  "no_drop": false
-}
-```
-
-`reject` reject connections
-
-The specified method is used for reject tun connections if `sniff` action has not been performed yet.
-
-For non-tun connections and already established connections, will just be closed.
-
-#### method
-
-- `default`: Reply with TCP RST for TCP connections, and ICMP port unreachable for UDP packets.
-- `drop`: Drop packets.
-
-#### no_drop
-
-If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.
-
-Not available when `method` is set to drop.
-
-### hijack-dns
-
-```json
-{
-  "action": "hijack-dns"
-}
-```
-
-`hijack-dns` hijack DNS requests to the sing-box DNS module.
-
-## Non-final actions
-
-### sniff
-
-```json
-{
-  "action": "sniff",
-  "sniffer": [],
-  "timeout": ""
-}
-```
-
-`sniff` performs protocol sniffing on connections.
-
-For deprecated `inbound.sniff` options, it is considered to `sniff()` performed before routing.
-
-#### sniffer
-
-Enabled sniffers.
-
-All sniffers enabled by default.
-
-Available protocol values an be found on in [Protocol Sniff](../sniff/)
-
-#### timeout
-
-Timeout for sniffing.
-
-`300ms` is used by default.
-
-### resolve
-
-```json
-{
-  "action": "resolve",
-  "strategy": "",
-  "server": ""
-}
-```
-
-`resolve` resolve request destination from domain to IP addresses.
-
-#### strategy
-
-DNS resolution strategy, available values are: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.
-
-`dns.strategy` will be used by default.
-
-#### server
-
-Specifies DNS server tag to use instead of selecting through DNS routing.

docs/configuration/route/rule_action.zh.md

@@ -1,136 +0,0 @@
----
-icon: material/new-box
----
-
-# 规则动作
-
-!!! question "自 sing-box 1.11.0 起"
-
-## 最终动作
-
-### route
-
-```json
-{
-  "action": "route", // 默认
-  "outbound": "",
-  "udp_disable_domain_unmapping": false
-}
-```
-
-`route` 继承了将连接路由到指定出站的经典规则动作。
-
-#### outbound
-
-==必填==
-
-目标出站的标签。
-
-### route-options
-
-```json
-{
-  "action": "route-options",
-  "udp_disable_domain_unmapping": false,
-    "udp_connect": false
-}
-```
-
-#### udp_disable_domain_unmapping
-
-如果启用，对于地址为域的 UDP 代理请求，将在响应中发送原始包地址而不是映射的域。
-
-此选项用于兼容不支持接收带有域地址的 UDP 包的客户端，如 Surge。
-
-#### udp_connect
-
-如果启用，将尝试将 UDP 连接 connect 到目标而不是 listen。
-
-### reject
-
-```json
-{
-  "action": "reject",
-  "method": "default",  // 默认
-  "no_drop": false
-}
-```
-
-`reject` 拒绝连接。
-
-如果尚未执行 `sniff` 操作，则将使用指定方法拒绝 tun 连接。
-
-对于非 tun 连接和已建立的连接，将直接关闭。
-
-#### method
-
-- `default`: 对于 TCP 连接回复 RST，对于 UDP 包回复 ICMP 端口不可达。
-- `drop`: 丢弃数据包。
-
-#### no_drop
-
-如果未启用，则 30 秒内触发 50 次后，`method` 将被暂时覆盖为 `drop`。
-
-当 `method` 设为 `drop` 时不可用。
-
-### hijack-dns
-
-```json
-{
-  "action": "hijack-dns"
-}
-```
-
-`hijack-dns` 劫持 DNS 请求至 sing-box DNS 模块。
-
-## 非最终动作
-
-### sniff
-
-```json
-{
-  "action": "sniff",
-  "sniffer": [],
-  "timeout": ""
-}
-```
-
-`sniff` 对连接执行协议嗅探。
-
-对于已弃用的 `inbound.sniff` 选项，被视为在路由之前执行的 `sniff`。
-
-#### sniffer
-
-启用的探测器。
-
-默认启用所有探测器。
-
-可用的协议值可以在 [协议嗅探](../sniff/) 中找到。
-
-#### timeout
-
-探测超时时间。
-
-默认使用 300ms。
-
-### resolve
-
-```json
-{
-  "action": "resolve",
-  "strategy": "",
-  "server": ""
-}
-```
-
-`resolve` 将请求的目标从域名解析为 IP 地址。
-
-#### strategy
-
-DNS 解析策略，可用值有：`prefer_ipv4`、`prefer_ipv6`、`ipv4_only`、`ipv6_only`。
-
-默认使用 `dns.strategy`。
-
-#### server
-
-指定要使用的 DNS 服务器的标签，而不是通过 DNS 路由进行选择。

docs/configuration/shared/listen.md

@@ -1,15 +1,3 @@
----
-icon: material/delete-clock
----
-
-!!! quote "Changes in sing-box 1.11.0"
-
-    :material-delete-clock: [sniff](#sniff)  
-    :material-delete-clock: [sniff_override_destination](#sniff_override_destination)  
-    :material-delete-clock: [sniff_timeout](#sniff_timeout)  
-    :material-delete-clock: [domain_strategy](#domain_strategy)  
-    :material-delete-clock: [udp_disable_domain_unmapping](#udp_disable_domain_unmapping)
-
 ### Structure
 
 ```json
@@ -80,40 +68,24 @@ Requires target inbound support, see [Injectable](/configuration/inbound/#fields
 
 #### sniff
 
-!!! failure "Deprecated in sing-box 1.11.0"
-
-    Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
-
 Enable sniffing.
 
 See [Protocol Sniff](/configuration/route/sniff/) for details.
 
 #### sniff_override_destination
 
-!!! failure "Deprecated in sing-box 1.11.0"
-
-    Inbound fields are deprecated and will be removed in sing-box 1.13.0.
-
 Override the connection destination address with the sniffed domain.
 
 If the domain name is invalid (like tor), this will not work.
 
 #### sniff_timeout
 
-!!! failure "Deprecated in sing-box 1.11.0"
-
-    Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
-
 Timeout for sniffing.
 
-`300ms` is used by default.
+300ms is used by default.
 
 #### domain_strategy
 
-!!! failure "Deprecated in sing-box 1.11.0"
-
-    Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
-
 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
 
 If set, the requested domain name will be resolved to IP before routing.
@@ -122,10 +94,6 @@ If `sniff_override_destination` is in effect, its value will be taken as a fallb
 
 #### udp_disable_domain_unmapping
 
-!!! failure "Deprecated in sing-box 1.11.0"
-
-    Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
-
 If enabled, for UDP proxy requests addressed to a domain, 
 the original packet address will be sent in the response instead of the mapped domain.
 

docs/configuration/shared/listen.zh.md

@@ -1,15 +1,3 @@
----
-icon: material/delete-clock
----
-
-!!! quote "sing-box 1.11.0 中的更改"
-
-    :material-delete-clock: [sniff](#sniff)  
-    :material-delete-clock: [sniff_override_destination](#sniff_override_destination)  
-    :material-delete-clock: [sniff_timeout](#sniff_timeout)  
-    :material-delete-clock: [domain_strategy](#domain_strategy)  
-    :material-delete-clock: [udp_disable_domain_unmapping](#udp_disable_domain_unmapping)
-
 ### 结构
 
 ```json
@@ -81,40 +69,24 @@ UDP NAT 过期时间，以秒为单位。
 
 #### sniff
 
-!!! failure "已在 sing-box 1.11.0 废弃"
-
-    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
-
 启用协议探测。
 
 参阅 [协议探测](/zh/configuration/route/sniff/)
 
 #### sniff_override_destination
 
-!!! failure "已在 sing-box 1.11.0 废弃"
-
-    入站字段已废弃且将在 sing-box 1.12.0 中被移除。
-
 用探测出的域名覆盖连接目标地址。
 
 如果域名无效（如 Tor），将不生效。
 
 #### sniff_timeout
 
-!!! failure "已在 sing-box 1.11.0 废弃"
-
-    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
-
 探测超时时间。
 
 默认使用 300ms。
 
 #### domain_strategy
 
-!!! failure "已在 sing-box 1.11.0 废弃"
-
-    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
-
 可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
 
 如果设置，请求的域名将在路由之前解析为 IP。
@@ -123,10 +95,6 @@ UDP NAT 过期时间，以秒为单位。
 
 #### udp_disable_domain_unmapping
 
-!!! failure "已在 sing-box 1.11.0 废弃"
-
-    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
-
 如果启用，对于地址为域的 UDP 代理请求，将在响应中发送原始包地址而不是映射的域。
 
 此选项用于兼容不支持接收带有域地址的 UDP 包的客户端，如 Surge。

docs/deprecated.md

@@ -4,32 +4,6 @@ icon: material/delete-alert
 
 # Deprecated Feature List
 
-## 1.11.0
-
-#### Legacy special outbounds
-
-Legacy special outbounds (`block` / `dns`) are deprecated
-and can be replaced by rule actions,
-check [Migration](../migration/#migrate-legacy-special-outbounds-to-rule-actions).
-
-Old fields will be removed in sing-box 1.13.0.
-
-#### Legacy inbound fields
-
-Legacy inbound fields （`inbound.<sniff/domain_strategy/...>` are deprecated
-and can be replaced by rule actions,
-check [Migration](../migration/#migrate-legacy-inbound-fields-to-rule-actions).
-
-Old fields will be removed in sing-box 1.13.0.
-
-#### Legacy DNS route options
-
-Legacy DNS route options (`disable_cache`, `rewrite_ttl`, `client_subnet`) are deprecated
-and can be replaced by rule actions,
-check [Migration](../migration/#migrate-legacy-dns-route-options-to-rule-actions).
-
-Old fields will be removed in sing-box 1.12.0.
-
 ## 1.10.0
 
 #### TUN address fields are merged
@@ -38,7 +12,7 @@ Old fields will be removed in sing-box 1.12.0.
 `inet4_route_address` and `inet6_route_address` are merged into `route_address`,
 `inet4_route_exclude_address` and `inet6_route_exclude_address` are merged into `route_exclude_address`.
 
-Old fields will be removed in sing-box 1.12.0.
+Old fields are deprecated and will be removed in sing-box 1.11.0.
 
 #### Match source rule items are renamed
 
@@ -58,7 +32,7 @@ check [Migration](/migration/#migrate-cache-file-from-clash-api-to-independent-o
 
 #### GeoIP
 
-GeoIP is deprecated and will be removed in sing-box 1.12.0.
+GeoIP is deprecated and may be removed in the future.
 
 The maxmind GeoIP National Database, as an IP classification database,
 is not entirely suitable for traffic bypassing,
@@ -69,7 +43,7 @@ check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 #### Geosite
 
-Geosite is deprecated and will be removed in sing-box 1.12.0.
+Geosite is deprecated and may be removed in the future.
 
 Geosite, the `domain-list-community` project maintained by V2Ray as an early traffic bypassing solution,
 suffers from a number of problems, including lack of maintenance, inaccurate rules, and difficult management.

docs/deprecated.zh.md

@@ -4,29 +4,6 @@ icon: material/delete-alert
 
 # 废弃功能列表
 
-## 1.11.0
-
-#### 旧的特殊出站
-
-旧的特殊出站（`block` / `dns`）已废弃且可以通过规则动作替代，
-参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions)。
-
-旧字段将在 sing-box 1.13.0 中被移除。
-
-#### 旧的入站字段
-
-旧的入站字段（`inbound.<sniff/domain_strategy/...>`）已废弃且可以通过规则动作替代，
-参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions)。
-
-旧字段将在 sing-box 1.13.0 中被移除。
-
-#### 旧的 DNS 路由参数
-
-旧的 DNS 路由参数（`disable_cache`、`rewrite_ttl`、`client_subnet`）已废弃且可以通过规则动作替代，
-参阅 [迁移指南](/migration/#migrate-legacy-dns-route-options-to-rule-actions)。
-
-旧字段将在 sing-box 1.12.0 中被移除。
-
 ## 1.10.0
 
 #### Match source 规则项已重命名
@@ -40,7 +17,7 @@ icon: material/delete-alert
 `inet4_route_address` 和 `inet6_route_address` 已合并为 `route_address`，
 `inet4_route_exclude_address` 和 `inet6_route_exclude_address` 已合并为 `route_exclude_address`。
 
-旧字段将在 sing-box 1.11.0 中被移除。
+旧字段已废弃，且将在 sing-box 1.11.0 中被移除。
 
 #### 移除对 go1.18 和 go1.19 的支持
 
@@ -55,7 +32,7 @@ Clash API 中的 `cache_file` 及相关功能已废弃且已迁移到独立的 `
 
 #### GeoIP
 
-GeoIP 已废弃且将在 sing-box 1.12.0 中被移除。
+GeoIP 已废弃且可能在不久的将来移除。
 
 maxmind GeoIP 国家数据库作为 IP 分类数据库，不完全适合流量绕过，
 且现有的实现均存在内存使用大与管理困难的问题。
@@ -65,7 +42,7 @@ sing-box 1.8.0 引入了[规则集](/configuration/rule-set/)，
 
 #### Geosite
 
-Geosite 已废弃且将在 sing-box 1.12.0 中被移除。
+Geosite 已废弃且可能在不久的将来移除。
 
 Geosite，即由 V2Ray 维护的 domain-list-community 项目，作为早期流量绕过解决方案，
 存在着包括缺少维护、规则不准确和管理困难内的大量问题。

docs/migration.md

@@ -2,212 +2,6 @@
 icon: material/arrange-bring-forward
 ---
 
-## 1.11.0
-
-### Migrate legacy special outbounds to rule actions
-
-Legacy special outbounds are deprecated and can be replaced by rule actions.
-
-!!! info "References"
-
-    [Rule Action](/configuration/route/rule_action/) / 
-    [Block](/configuration/outbound/block/) / 
-    [DNS](/configuration/outbound/dns)
-
-=== "Block"
-
-    === ":material-card-remove: Deprecated"
-    
-        ```json
-        {
-          "outbounds": [
-            {
-              "type": "block",
-              "tag": "block"
-            }
-          ],
-          "route": {
-            "rules": [
-              {
-                ...,
-                
-                "outbound": "block"
-              }
-            ]
-          }
-        }
-        ```
-
-    === ":material-card-multiple: New"
-    
-        ```json
-        {
-          "route": {
-            "rules": [
-              {
-                ...,
-                
-                "action": "reject"
-              }
-            ]
-          }
-        }
-        ```
-
-=== "DNS"
-
-    === ":material-card-remove: Deprecated"
-    
-        ```json
-        {
-          "inbound": [
-            {
-              ...,
-              
-              "sniff": true
-            }
-          ],
-          "outbounds": [
-            {
-              "tag": "dns",
-              "type": "dns"
-            }
-          ],
-          "route": {
-            "rules": [
-              {
-                "protocol": "dns",
-                "outbound": "dns"
-              }
-            ]
-          }
-        }
-        ```
-    
-    === ":material-card-multiple: New"
-    
-        ```json
-        {
-          "route": {
-            "rules": [
-              {
-                "action": "sniff"
-              },
-              {
-                "protocol": "dns",
-                "action": "hijack-dns"
-              }
-            ]
-          }
-        }
-        ```
-
-### Migrate legacy inbound fields to rule actions
-
-Inbound fields are deprecated and can be replaced by rule actions.
-
-!!! info "References"
-
-    [Listen Fields](/configuration/inbound/listen/) /
-    [Rule](/configuration/route/rule/) / 
-    [Rule Action](/configuration/route/rule_action/) / 
-    [DNS Rule](/configuration/dns/rule/) / 
-    [DNS Rule Action](/configuration/dns/rule_action/)
-
-=== ":material-card-remove: Deprecated"
-
-    ```json
-    {
-      "inbounds": [
-        {
-          "type": "mixed",
-          "sniff": true,
-          "sniff_timeout": "1s",
-          "domain_strategy": "prefer_ipv4"
-        }
-      ]
-    }
-    ```
-
-=== ":material-card-multiple: New"
-
-    ```json
-    {
-      "inbounds": [
-        {
-          "type": "mixed",
-          "tag": "in"
-        }
-      ],
-      "route": {
-        "rules": [
-          {
-            "inbound": "in",
-            "action": "resolve",
-            "strategy": "prefer_ipv4"
-          },
-          {
-            "inbound": "in",
-            "action": "sniff",
-            "timeout": "1s"
-          }
-        ]
-      }
-    }
-    ```
-
-### Migrate legacy DNS route options to rule actions
-
-Legacy DNS route options are deprecated and can be replaced by rule actions.
-
-!!! info "References"
-
-    [DNS Rule](/configuration/dns/rule/) / 
-    [DNS Rule Action](/configuration/dns/rule_action/)
-
-=== ":material-card-remove: Deprecated"
-
-    ```json
-    {
-      "dns": {
-        "rules": [
-          {
-            ...,
-            
-            "server": "local",
-            "disable_cache": true,
-            "rewrite_ttl": 600,
-            "client_subnet": "1.1.1.1/24"
-          }
-        ]
-      }
-    }
-    ```
-
-=== ":material-card-multiple: New"
-
-    ```json
-    {
-      "dns": {
-        "rules": [
-          {
-            ...,
-            
-            "action": "route-options",
-            "disable_cache": true,
-            "rewrite_ttl": 600,
-            "client_subnet": "1.1.1.1/24"
-          },
-          {
-            ...,
-            
-            "server": "local"
-          }
-        ]
-      }
-    }
-    ```
-
 ## 1.10.0
 
 ### TUN address fields are merged
@@ -216,6 +10,8 @@ Legacy DNS route options are deprecated and can be replaced by rule actions.
 `inet4_route_address` and `inet6_route_address` are merged into `route_address`,
 `inet4_route_exclude_address` and `inet6_route_exclude_address` are merged into `route_exclude_address`.
 
+Old fields are deprecated and will be removed in sing-box 1.11.0.
+
 !!! info "References"
 
     [TUN](/configuration/inbound/tun/)

docs/migration.zh.md

@@ -2,212 +2,6 @@
 icon: material/arrange-bring-forward
 ---
 
-## 1.11.0
-
-### 迁移旧的特殊出站到规则动作
-
-旧的特殊出站已被弃用，且可以被规则动作替代。
-
-!!! info "参考"
-
-    [规则动作](/zh/configuration/route/rule_action/) /
-    [Block](/zh/configuration/outbound/block/) / 
-    [DNS](/zh/configuration/outbound/dns)
-
-=== "Block"
-
-    === ":material-card-remove: 弃用的"
-    
-        ```json
-        {
-          "outbounds": [
-            {
-              "type": "block",
-              "tag": "block"
-            }
-          ],
-          "route": {
-            "rules": [
-              {
-                ...,
-                
-                "outbound": "block"
-              }
-            ]
-          }
-        }
-        ```
-
-    === ":material-card-multiple: 新的"
-    
-        ```json
-        {
-          "route": {
-            "rules": [
-              {
-                ...,
-                
-                "action": "reject"
-              }
-            ]
-          }
-        }
-        ```
-
-=== "DNS"
-
-    === ":material-card-remove: 弃用的"
-    
-        ```json
-        {
-          "inbound": [
-            {
-              ...,
-              
-              "sniff": true
-            }
-          ],
-          "outbounds": [
-            {
-              "tag": "dns",
-              "type": "dns"
-            }
-          ],
-          "route": {
-            "rules": [
-              {
-                "protocol": "dns",
-                "outbound": "dns"
-              }
-            ]
-          }
-        }
-        ```
-    
-    === ":material-card-multiple: 新的"
-    
-        ```json
-        {
-          "route": {
-            "rules": [
-              {
-                "action": "sniff"
-              },
-              {
-                "protocol": "dns",
-                "action": "hijack-dns"
-              }
-            ]
-          }
-        }
-        ```
-
-### 迁移旧的入站字段到规则动作
-
-入站选项已被弃用，且可以被规则动作替代。
-
-!!! info "参考"
-
-    [监听字段](/zh/configuration/shared/listen/) /
-    [规则](/zh/configuration/route/rule/) /
-    [规则动作](/zh/configuration/route/rule_action/) /
-    [DNS 规则](/zh/configuration/dns/rule/) /
-    [DNS 规则动作](/zh/configuration/dns/rule_action/)
-
-=== ":material-card-remove: 弃用的"
-
-    ```json
-    {
-      "inbounds": [
-        {
-          "type": "mixed",
-          "sniff": true,
-          "sniff_timeout": "1s",
-          "domain_strategy": "prefer_ipv4"
-        }
-      ]
-    }
-    ```
-
-=== ":material-card-multiple: New"
-
-    ```json
-    {
-      "inbounds": [
-        {
-          "type": "mixed",
-          "tag": "in"
-        }
-      ],
-      "route": {
-        "rules": [
-          {
-            "inbound": "in",
-            "action": "resolve",
-            "strategy": "prefer_ipv4"
-          },
-          {
-            "inbound": "in",
-            "action": "sniff",
-            "timeout": "1s"
-          }
-        ]
-      }
-    }
-    ```
-
-### 迁移旧的 DNS 路由选项到规则动作
-
-旧的 DNS 路由选项已被弃用，且可以被规则动作替代。
-
-!!! info "参考"
-
-    [DNS 规则](/zh/configuration/dns/rule/) / 
-    [DNS 规则动作](/zh/configuration/dns/rule_action/)
-
-=== ":material-card-remove: 弃用的"
-
-    ```json
-    {
-      "dns": {
-        "rules": [
-          {
-            ...,
-            
-            "server": "local",
-            "disable_cache": true,
-            "rewrite_ttl": 600,
-            "client_subnet": "1.1.1.1/24"
-          }
-        ]
-      }
-    }
-    ```
-
-=== ":material-card-multiple: 新的"
-
-    ```json
-    {
-      "dns": {
-        "rules": [
-          {
-            ...,
-            
-            "action": "route-options",
-            "disable_cache": true,
-            "rewrite_ttl": 600,
-            "client_subnet": "1.1.1.1/24"
-          },
-          {
-            ...,
-            
-            "server": "local"
-          }
-        ]
-      }
-    }
-    ```
-
 ## 1.10.0
 
 ### TUN 地址字段已合并

experimental/clashapi/api_meta_group.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
-	"github.com/sagernet/sing-box/protocol/group"
+	"github.com/sagernet/sing-box/outbound"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/batch"
 	"github.com/sagernet/sing/common/json/badjson"
@@ -59,7 +59,7 @@ func getGroup(server *Server) func(w http.ResponseWriter, r *http.Request) {
 func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		proxy := r.Context().Value(CtxKeyProxy).(adapter.Outbound)
-		outboundGroup, ok := proxy.(adapter.OutboundGroup)
+		group, ok := proxy.(adapter.OutboundGroup)
 		if !ok {
 			render.Status(r, http.StatusNotFound)
 			render.JSON(w, r, ErrNotFound)
@@ -82,10 +82,10 @@ func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request)
 		defer cancel()
 
 		var result map[string]uint16
-		if urlTestGroup, isURLTestGroup := outboundGroup.(adapter.URLTestGroup); isURLTestGroup {
+		if urlTestGroup, isURLTestGroup := group.(adapter.URLTestGroup); isURLTestGroup {
 			result, err = urlTestGroup.URLTest(ctx)
 		} else {
-			outbounds := common.FilterNotNil(common.Map(outboundGroup.All(), func(it string) adapter.Outbound {
+			outbounds := common.FilterNotNil(common.Map(group.All(), func(it string) adapter.Outbound {
 				itOutbound, _ := server.router.Outbound(it)
 				return itOutbound
 			}))
@@ -95,7 +95,7 @@ func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request)
 			var resultAccess sync.Mutex
 			for _, detour := range outbounds {
 				tag := detour.Tag()
-				realTag := group.RealTag(detour)
+				realTag := outbound.RealTag(detour)
 				if checked[realTag] {
 					continue
 				}

experimental/clashapi/configs.go

@@ -18,17 +18,19 @@ func configRouter(server *Server, logFactory log.Factory) http.Handler {
 }
 
 type configSchema struct {
-	Port        int            `json:"port"`
-	SocksPort   int            `json:"socks-port"`
-	RedirPort   int            `json:"redir-port"`
-	TProxyPort  int            `json:"tproxy-port"`
-	MixedPort   int            `json:"mixed-port"`
-	AllowLan    bool           `json:"allow-lan"`
-	BindAddress string         `json:"bind-address"`
-	Mode        string         `json:"mode"`
-	LogLevel    string         `json:"log-level"`
-	IPv6        bool           `json:"ipv6"`
-	Tun         map[string]any `json:"tun"`
+	Port        int    `json:"port"`
+	SocksPort   int    `json:"socks-port"`
+	RedirPort   int    `json:"redir-port"`
+	TProxyPort  int    `json:"tproxy-port"`
+	MixedPort   int    `json:"mixed-port"`
+	AllowLan    bool   `json:"allow-lan"`
+	BindAddress string `json:"bind-address"`
+	Mode        string `json:"mode"`
+	// sing-box added
+	ModeList []string       `json:"mode-list"`
+	LogLevel string         `json:"log-level"`
+	IPv6     bool           `json:"ipv6"`
+	Tun      map[string]any `json:"tun"`
 }
 
 func getConfigs(server *Server, logFactory log.Factory) func(w http.ResponseWriter, r *http.Request) {
@@ -41,6 +43,7 @@ func getConfigs(server *Server, logFactory log.Factory) func(w http.ResponseWrit
 		}
 		render.JSON(w, r, &configSchema{
 			Mode:        server.mode,
+			ModeList:    server.modeList,
 			BindAddress: "*",
 			LogLevel:    log.FormatLevel(logLevel),
 		})

experimental/clashapi/proxies.go

@@ -11,7 +11,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/protocol/group"
+	"github.com/sagernet/sing-box/outbound"
 	"github.com/sagernet/sing/common"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json/badjson"
@@ -168,7 +168,7 @@ func updateProxy(w http.ResponseWriter, r *http.Request) {
 	}
 
 	proxy := r.Context().Value(CtxKeyProxy).(adapter.Outbound)
-	selector, ok := proxy.(*group.Selector)
+	selector, ok := proxy.(*outbound.Selector)
 	if !ok {
 		render.Status(r, http.StatusBadRequest)
 		render.JSON(w, r, newError("Must be a Selector"))
@@ -204,7 +204,7 @@ func getProxyDelay(server *Server) func(w http.ResponseWriter, r *http.Request)
 
 		delay, err := urltest.URLTest(ctx, url, proxy)
 		defer func() {
-			realTag := group.RealTag(proxy)
+			realTag := outbound.RealTag(proxy)
 			if err != nil {
 				server.urlTestHistory.DeleteURLTestHistory(realTag)
 			} else {

experimental/clashapi/rules.go

@@ -30,9 +30,10 @@ func getRules(router adapter.Router) func(w http.ResponseWriter, r *http.Request
 			rules = append(rules, Rule{
 				Type:    rule.Type(),
 				Payload: rule.String(),
-				Proxy:   rule.Action().String(),
+				Proxy:   rule.Outbound(),
 			})
 		}
+
 		render.JSON(w, r, render.M{
 			"rules": rules,
 		})

experimental/clashapi/server.go

@@ -124,11 +124,8 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 	if options.ExternalUI != "" {
 		server.externalUI = filemanager.BasePath(ctx, os.ExpandEnv(options.ExternalUI))
 		chiRouter.Group(func(r chi.Router) {
-			fs := http.StripPrefix("/ui", http.FileServer(http.Dir(server.externalUI)))
-			r.Get("/ui", http.RedirectHandler("/ui/", http.StatusTemporaryRedirect).ServeHTTP)
-			r.Get("/ui/*", func(w http.ResponseWriter, r *http.Request) {
-				fs.ServeHTTP(w, r)
-			})
+			r.Get("/ui", http.RedirectHandler("/ui/", http.StatusMovedPermanently).ServeHTTP)
+			r.Handle("/ui/*", http.StripPrefix("/ui/", http.FileServer(http.Dir(server.externalUI))))
 		})
 	}
 	return server, nil
@@ -316,27 +313,29 @@ func traffic(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter,
 		tick := time.NewTicker(time.Second)
 		defer tick.Stop()
 		buf := &bytes.Buffer{}
-		var err error
+		uploadTotal, downloadTotal := trafficManager.Total()
 		for range tick.C {
 			buf.Reset()
-			up, down := trafficManager.Now()
-			if err := json.NewEncoder(buf).Encode(Traffic{
-				Up:   up,
-				Down: down,
-			}); err != nil {
+			uploadTotalNew, downloadTotalNew := trafficManager.Total()
+			err := json.NewEncoder(buf).Encode(Traffic{
+				Up:   uploadTotalNew - uploadTotal,
+				Down: downloadTotalNew - downloadTotal,
+			})
+			if err != nil {
 				break
 			}
-
 			if conn == nil {
 				_, err = w.Write(buf.Bytes())
 				w.(http.Flusher).Flush()
 			} else {
 				err = wsutil.WriteServerText(conn, buf.Bytes())
 			}
-
 			if err != nil {
 				break
 			}
+
+			uploadTotal = uploadTotalNew
+			downloadTotal = downloadTotalNew
 		}
 	}
 }