Resolve conflicts

Previously, the buffer was not reset within the response loop. If a packet
handle failed or completed, the buffer retained its state. Specifically,
if `ReadPacketFrom` returned `io.ErrShortBuffer`, the error was ignored
via `continue`, but the buffer remained full. This caused the next
read attempt to immediately fail with the same error, creating a tight
busy-wait loop that consumed 100% CPU.

Validates `buffer.Reset()` is called at the start of each iteration to
ensure a clean state for 'ReadPacketFrom'.

.github/setup_go_for_windows7.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-VERSION="1.25.3"
+VERSION="1.25.5"
 
 mkdir -p $HOME/go
 cd $HOME/go

.github/workflows/build.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.3
+          go-version: ^1.25.5
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -107,15 +107,15 @@ jobs:
         with:
           fetch-depth: 0
       - name: Setup Go
-        if: ${{ ! (matrix.legacy_go123 || matrix.legacy_go124) }}
+        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.3
+          go-version: ^1.25.5
       - name: Setup Go 1.24
         if: matrix.legacy_go124
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.24.6
+          go-version: ~1.24.10
       - name: Cache Go for Windows 7
         if: matrix.legacy_win7
         id: cache-go-for-windows7
@@ -123,7 +123,7 @@ jobs:
         with:
           path: |
             ~/go/go_win7
-          key: go_win7_1253
+          key: go_win7_1255
       - name: Setup Go for Windows 7
         if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
         run: |-
@@ -300,7 +300,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.3
+          go-version: ^1.25.5
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -380,7 +380,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.3
+          go-version: ^1.25.5
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -479,7 +479,7 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.3
+          go-version: ^1.25.5
       - name: Set tag
         if: matrix.if
         run: |-

.github/workflows/lint.yml

@@ -28,11 +28,11 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ~1.24.6
+          go-version: ~1.24.10
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v8
         with:
-          version: v2.4.0
+          version: latest
           args: --timeout=30m
           install-mode: binary
           verify: false

.github/workflows/linux.yml

@@ -30,7 +30,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.3
+          go-version: ^1.25.5
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -71,7 +71,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.25.3
+          go-version: ^1.25.5
       - name: Setup Android NDK
         if: matrix.os == 'android'
         uses: nttld/setup-ndk@v1

Dockerfile

@@ -20,8 +20,6 @@ RUN set -ex \
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
-    && apk upgrade \
-    && apk add bash tzdata ca-certificates nftables \
-    && rm -rf /var/cache/apk/*
+    && apk add --no-cache --upgrade bash tzdata ca-certificates nftables
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
 ENTRYPOINT ["sing-box"]

Makefile

@@ -38,7 +38,7 @@ fmt:
 	@gci write --custom-order -s standard -s "prefix(github.com/sagernet/)" -s "default" .
 
 fmt_install:
-	go install -v mvdan.cc/gofumpt@v0.8.0
+	go install -v mvdan.cc/gofumpt@latest
 	go install -v github.com/daixiang0/gci@latest
 
 lint:
@@ -49,7 +49,7 @@ lint:
 	GOOS=freebsd golangci-lint run ./...
 
 lint_install:
-	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.4.0
+	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
 
 proto:
 	@go run ./cmd/internal/protogen

README.md

@@ -10,6 +10,7 @@ Sing-box with extended features.
 * Mieru
 * XHTTP
 * SDNS (DNSCrypt)
+* Extended Wireguard options
 * Unified delay
 
 ## Examples

adapter/dns.go

@@ -27,8 +27,6 @@ type DNSClient interface {
 	Start()
 	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
 	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
-	LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool)
-	ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool)
 	ClearCache()
 }
 

adapter/upstream.go

@@ -73,7 +73,7 @@ func NewUpstreamContextHandlerEx(
 }
 
 func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	myMetadata := ContextFrom(ctx)
+	_, myMetadata := ExtendContext(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -84,7 +84,7 @@ func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context,
 }
 
 func (w *myUpstreamContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	myMetadata := ContextFrom(ctx)
+	_, myMetadata := ExtendContext(ctx)
 	if source.IsValid() {
 		myMetadata.Source = source
 	}
@@ -146,7 +146,7 @@ type routeContextHandlerWrapperEx struct {
 }
 
 func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	metadata := ContextFrom(ctx)
+	_, metadata := ExtendContext(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}
@@ -157,7 +157,7 @@ func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn
 }
 
 func (r *routeContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	metadata := ContextFrom(ctx)
+	_, metadata := ExtendContext(ctx)
 	if source.IsValid() {
 		metadata.Source = source
 	}

common/sniff/quic.go

@@ -303,8 +303,6 @@ find:
 	metadata.Protocol = C.ProtocolQUIC
 	fingerprint, err := ja3.Compute(buffer.Bytes())
 	if err != nil {
-		metadata.Protocol = C.ProtocolQUIC
-		metadata.Client = C.ClientChromium
 		metadata.SniffContext = fragments
 		return E.Cause1(ErrNeedMoreData, err)
 	}
@@ -334,7 +332,7 @@ find:
 		}
 
 		if count(frameTypeList, frameTypeCrypto) > 1 || count(frameTypeList, frameTypePing) > 0 {
-			if maybeUQUIC(fingerprint) {
+			if isQUICGo(fingerprint) {
 				metadata.Client = C.ClientQUICGo
 			} else {
 				metadata.Client = C.ClientChromium

common/sniff/quic_blacklist.go

@@ -1,21 +1,29 @@
 package sniff
 
 import (
-	"crypto/tls"
-
 	"github.com/sagernet/sing-box/common/ja3"
 )
 
-// Chromium sends separate client hello packets, but UQUIC has not yet implemented this behavior
-// The cronet without this behavior does not have version 115
-var uQUICChrome115 = &ja3.ClientHello{
-	Version:             tls.VersionTLS12,
-	CipherSuites:        []uint16{4865, 4866, 4867},
-	Extensions:          []uint16{0, 10, 13, 16, 27, 43, 45, 51, 57, 17513},
-	EllipticCurves:      []uint16{29, 23, 24},
-	SignatureAlgorithms: []uint16{1027, 2052, 1025, 1283, 2053, 1281, 2054, 1537, 513},
-}
+const (
+	// X25519Kyber768Draft00 - post-quantum curve used by Go crypto/tls
+	x25519Kyber768Draft00 uint16 = 0x11EC // 4588
+	// renegotiation_info extension used by Go crypto/tls
+	extensionRenegotiationInfo uint16 = 0xFF01 // 65281
+)
 
-func maybeUQUIC(fingerprint *ja3.ClientHello) bool {
-	return !uQUICChrome115.Equals(fingerprint, true)
+// isQUICGo detects native quic-go by checking for Go crypto/tls specific features.
+// Note: uQUIC with Chromium mimicry cannot be reliably distinguished from real Chromium
+// since it uses the same TLS fingerprint, so it will be identified as Chromium.
+func isQUICGo(fingerprint *ja3.ClientHello) bool {
+	for _, curve := range fingerprint.EllipticCurves {
+		if curve == x25519Kyber768Draft00 {
+			return true
+		}
+	}
+	for _, ext := range fingerprint.Extensions {
+		if ext == extensionRenegotiationInfo {
+			return true
+		}
+	}
+	return false
 }

common/sniff/quic_capture_test.go

@@ -0,0 +1,188 @@
+package sniff_test
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/hex"
+	"errors"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/sagernet/quic-go"
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/sniff"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSniffQUICQuicGoFingerprint(t *testing.T) {
+	t.Parallel()
+	const testSNI = "test.example.com"
+
+	udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer udpConn.Close()
+
+	serverAddr := udpConn.LocalAddr().(*net.UDPAddr)
+	packetsChan := make(chan [][]byte, 1)
+
+	go func() {
+		var packets [][]byte
+		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
+		for i := 0; i < 10; i++ {
+			buf := make([]byte, 2048)
+			n, _, err := udpConn.ReadFromUDP(buf)
+			if err != nil {
+				break
+			}
+			packets = append(packets, buf[:n])
+		}
+		packetsChan <- packets
+	}()
+
+	clientConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer clientConn.Close()
+
+	tlsConfig := &tls.Config{
+		ServerName:         testSNI,
+		InsecureSkipVerify: true,
+		NextProtos:         []string{"h3"},
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	_, _ = quic.Dial(ctx, clientConn, serverAddr, tlsConfig, &quic.Config{})
+
+	select {
+	case packets := <-packetsChan:
+		t.Logf("Captured %d packets", len(packets))
+
+		var metadata adapter.InboundContext
+		for i, pkt := range packets {
+			err := sniff.QUICClientHello(context.Background(), &metadata, pkt)
+			t.Logf("Packet %d: err=%v, domain=%s, client=%s", i, err, metadata.Domain, metadata.Client)
+			if metadata.Domain != "" {
+				break
+			}
+		}
+
+		t.Logf("\n=== quic-go TLS Fingerprint Analysis ===")
+		t.Logf("Domain: %s", metadata.Domain)
+		t.Logf("Client: %s", metadata.Client)
+		t.Logf("Protocol: %s", metadata.Protocol)
+
+		// The client should be identified as quic-go, not chromium
+		// Current issue: it's being identified as chromium
+		if metadata.Client == "chromium" {
+			t.Log("WARNING: quic-go is being misidentified as chromium!")
+		}
+
+	case <-time.After(5 * time.Second):
+		t.Fatal("Timeout")
+	}
+}
+
+func TestSniffQUICInitialFromQuicGo(t *testing.T) {
+	t.Parallel()
+
+	const testSNI = "test.example.com"
+
+	// Create UDP listener to capture ALL initial packets
+	udpConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer udpConn.Close()
+
+	serverAddr := udpConn.LocalAddr().(*net.UDPAddr)
+
+	// Channel to receive captured packets
+	packetsChan := make(chan [][]byte, 1)
+
+	// Start goroutine to capture packets
+	go func() {
+		var packets [][]byte
+		udpConn.SetReadDeadline(time.Now().Add(3 * time.Second))
+		for i := 0; i < 5; i++ { // Capture up to 5 packets
+			buf := make([]byte, 2048)
+			n, _, err := udpConn.ReadFromUDP(buf)
+			if err != nil {
+				break
+			}
+			packets = append(packets, buf[:n])
+		}
+		packetsChan <- packets
+	}()
+
+	// Create QUIC client connection (will fail but we capture the initial packet)
+	clientConn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer clientConn.Close()
+
+	tlsConfig := &tls.Config{
+		ServerName:         testSNI,
+		InsecureSkipVerify: true,
+		NextProtos:         []string{"h3"},
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	// This will fail (no server) but sends initial packet
+	_, _ = quic.Dial(ctx, clientConn, serverAddr, tlsConfig, &quic.Config{})
+
+	// Wait for captured packets
+	select {
+	case packets := <-packetsChan:
+		t.Logf("Captured %d QUIC packets", len(packets))
+
+		for i, packet := range packets {
+			t.Logf("Packet %d: length=%d, first 30 bytes: %x", i, len(packet), packet[:min(30, len(packet))])
+		}
+
+		// Test sniffer with first packet
+		if len(packets) > 0 {
+			var metadata adapter.InboundContext
+			err := sniff.QUICClientHello(context.Background(), &metadata, packets[0])
+
+			t.Logf("First packet sniff error: %v", err)
+			t.Logf("Protocol: %s", metadata.Protocol)
+			t.Logf("Domain: %s", metadata.Domain)
+			t.Logf("Client: %s", metadata.Client)
+
+			// If first packet needs more data, try with subsequent packets
+			// IMPORTANT: reuse metadata to accumulate CRYPTO fragments via SniffContext
+			if errors.Is(err, sniff.ErrNeedMoreData) && len(packets) > 1 {
+				t.Log("First packet needs more data, trying subsequent packets with shared context...")
+				for i := 1; i < len(packets); i++ {
+					// Reuse same metadata to accumulate fragments
+					err = sniff.QUICClientHello(context.Background(), &metadata, packets[i])
+					t.Logf("Packet %d sniff result: err=%v, domain=%s, sniffCtx=%v", i, err, metadata.Domain, metadata.SniffContext != nil)
+					if metadata.Domain != "" || (err != nil && !errors.Is(err, sniff.ErrNeedMoreData)) {
+						break
+					}
+				}
+			}
+
+			// Print hex dump for debugging
+			t.Logf("First packet hex:\n%s", hex.Dump(packets[0][:min(256, len(packets[0]))]))
+
+			// Log final results
+			t.Logf("Final: Protocol=%s, Domain=%s, Client=%s", metadata.Protocol, metadata.Domain, metadata.Client)
+
+			// Verify SNI extraction
+			if metadata.Domain == "" {
+				t.Errorf("Failed to extract SNI, expected: %s", testSNI)
+			} else {
+				require.Equal(t, testSNI, metadata.Domain, "SNI should match")
+			}
+
+			// Check client identification - quic-go should be identified as quic-go, not chromium
+			t.Logf("Client identified as: %s (expected: quic-go)", metadata.Client)
+		}
+
+	case <-time.After(5 * time.Second):
+		t.Fatal("Timeout waiting for QUIC packets")
+	}
+}

common/sniff/quic_test.go

@@ -19,7 +19,7 @@ func TestSniffQUICChromeNew(t *testing.T) {
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientChromium)
+	require.Empty(t, metadata.Client)
 	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
 	pkt, err = hex.DecodeString("cc0000000108e241a0c601413b4f004046006d8f15dae9999edf39d58df6762822b9a2ab996d7f6a10044338af3b51b1814bc4ac0fa5a87c34c6ae604af8cabc5957c5240174deefc8e378719ffdab2ae4e15bf4514bea44894b626c685cd5d5c965f7e97b3a1bdc520b75813e747f37a3ae83ad38b9ca2acb0de4fc9424839a50c8fb815a62b498609fbbc59145698860e0509cc08a04d1b119daef844ba2f09c16e2665e5cc0b47624b71f7b950c54fd56b4a1fbb826cba44eeeee3949ced8f5de60d4c81b19ee59f75aa1abb33f22c6b13c27095eb1e99cff01fdc93e6e88da2622ee18c08a79f508befd7e33e99bca60e64bef9a47b764384bd93823daeeb6fcb4d7cfbc4ab53eff59b3636f6dcaaf229b5a94941b5712807166b9bd5e82cb4a9708a71451c4cd6f6e33fb2fe40c8c70dd51a30b37ff9c5e35783debde0093fde19ce074b4887b3c90980b107b9c0f32cf61a66f37c251b789abc4d27fc421207966846c8cc7faa42d9af6ad355a6bc94cb78223b612be8b3e2a4df61fee83a674a0ceb8b7c3a29b97102cda22fecdf6a4628e5b612bc17eab64d6f75feedd0b106c0419e484e66725759964cb5935ac5125e5ae920cd280bd40df57c1d7ae1845700bd4eb7b7ab12bc0850950bfe6e69edd6ac1daa5db2c2b07484327196e561c513462d72872dc6771c39f6b60d46a1f2c92343b7338450a0ef8e39f97fa70652b3a12cd04043698951627aaaa82cc95e76df92021d30e8014c984f12eea0143de8b17e5e4a36ec07bf4814251b391f168a59ef75afcd2319249aaba930f06bb7a11b9491e6f71b3d5774a6503a965e94edd0a67737282fc9cb0271779ff14151b7aa9267bb8f7d643185512515aeea513c0c98bfae782381a3317064195d8825cf8b25c17cdab5fced02612a3f2870e40df57e6ca3f08228a2b04e8de1425eb4b970118f9bbdc212223ff86a5d6b648cdf2366722f21de4b14a1014879eadb69215cdb1aa2a9f4f310ecfe3116214fe3ab0a23f4775a0a54b48d7dfd8f7283ed687b3ac7e1a7e42a0bdc3478aba8651c03e1e9cc9df17d106b8130afe854269b0103b7a696f452721887b19d8181830073c9f10684c65f96d3a6c6efbae044eec03d6399e001fa44d54635dc72f9b8ea6b87d0f452cad1e1e32273e2b47c40f2730235adcae8523b8282f86b8cf1ab63ae54aaa06130df3bbf6ecac7d7d1d43d2a87aea837267ff8ccfaa4b7e47b7ded909e6603d0b928a304f8915c839153598adc4178eb48bc0e98ad7793d7980275e1e491ba4847a4a04ae30fe7f5cc7d4b6f4f63a525e9964d72245860ca76a668a4654adb6619f16e9db79131e5675b93cafb96c92f1da8464d4fef2a22e7f9db695965fe2cc27ea30974629c8fe17cfa2f860179e1eb9faaa88a91ec9ce6da28c1a2894c3b932b5e1c807146718cc77ca13c61eaae00c7c99e019f599772064b198c5c2c5e863336367673630b417ac845ddb7c93b0856317e5d64bab208c5730abc2c63536784fbeaaec139dffc917e775715f1e42164ddef5138d4d163609ab3fbdcab968f8738385c0e7e34ff3cf7771a1dc5ba25a8850fdf96dabafa21f9065f307457ce9af4b7a73450c9d20a3b46fa8d3a1163d22bd01a7d17f0ec274181bf9640fa941427694bfeb1346089f7a851efe0fbb7a2041fa6bb6541ccbad77dd3e1a97999fc05f1fef070e7b5c4b385b8b2a8cc32483fdeba6a373970de2fa4139ba18e5916f949aab0aab2894")
 	require.NoError(t, err)
@@ -39,7 +39,7 @@ func TestSniffQUICChromium(t *testing.T) {
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientChromium)
+	require.Empty(t, metadata.Client)
 	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
 	pkt, err = hex.DecodeString("c90000000108f40d654cc09b27f5000044d073eb38807026d4088455e650e7ccf750d01a72f15f9bfc8ff40d223499db1a485cff14dbd45b9be118172834dc35dca3cf62f61a1266f40b92faf3d28d67a466cfdca678ddced15cd606d31959cf441828467857b226d1a241847c82c57312cefe68ba5042d929919bcd4403b39e5699fe87dda05df1b3801e048edee792458e9b1a9b1d4039df05847bcee3be567494b5876e3bd4c3220fe9dfdb2c07d77410f907f744251ef15536cc03b267d3668d5b75bc1ad2fe735cd3bb73519dd9f1625a49e17ad27bdeccf706c83b5ea339a0a05dd0072f4a8f162bd29926b4997f05613c6e4b0270b0c02805ca0543f27c1ff8505a5750bdd33529ee73c491050a10c6903f53c1121dbe0380e84c007c8df74a1b02443ed80ba7766aef5549e618d4fd249844ee28565142005369869299e8c3035ecef3d799f6cada8549e75b4ce4cbf4c85ef071fd7ff067b1ca9b5968dc41d13d011f6d7843823bac97acb1eb8ee45883f0f254b5f9bd4c763b67e2d8c70a7618a0ef0de304cf597a485126e09f8b2fd795b394c0b4bc4cd2634c2057970da2c798c5e8af7aed4f76f5e25d04e3f8c9c5a5b150d17e0d4c74229898c69b8dc7b8bcc9d359eb441de75c68fbdebec62fb669dcccfb1aad03e3fa073adb2ccf7bb14cbaf99e307d2c903ee71a8f028102eb510caee7e7397512086a78d1f95635c7d06845b5a708652dc4e5cd61245aae5b3c05b84815d84d367bce9b9e3f6d6b90701ac3679233c14d5ce2a1eff26469c966266dc6284bdb95c9c6158934c413a872ce22101e4163e3293d236b301592ca4ccacc1fd4c37066e79c2d9857c8a2560dcf0b33b19163c4240c471b19907476e7e25c65f7eb37276594a0f6b4c33c340cc3284178f17ac5e34dbe7509db890e4ddfd0540fbf9deb32a0101d24fe58b26c5f81c627db9d6ae59d7a111a3d5d1f6109f4eec0d0234e6d73c73a44f50999462724b51ce0fd8283535d70d9e83872c79c59897407a0736741011ae5c64862eb0712f9e7b07aa1d5418ca3fde8626257c6fe418f3c5479055bb2b0ab4c25f649923fc2a41c79aaa7d0f3af6d8b8cf06f61f0230d09bbb60bb49b9e49cc5973748a6cf7ffdee7804d424f9423c63e7ff22f4bd24e4867636ef9fe8dd37f59941a8a47c27765caa8e875a30b62834f17c569227e5e6ed15d58e05d36e76332befad065a2cd4079e66d5af189b0337624c89b1560c3b1b0befd5c1f20e6de8e3d664b3ac06b3d154b488983e14aa93266f5f8b621d2a9bb7ccce509eb26e025c9c45f7cccc09ce85b3103af0c93ce9822f82ecb168ca3177829afb2ea0da2c380e7b1728add55a5d42632e2290363d4cbe432b67e13691648e1acfab22cf0d551eee857709b428bb78e27a45aff6eca301c02e4d13cf36cc2494fdd1aef8dede6e18febd79dca4c6964d09b91c25a08f0947c76ab5104de9404459c2edf5f4adb9dfd771be83656f77fbbafb1ad3281717066010be8778952495383c9f2cf0a38527228c662a35171c5981731f1af09bab842fe6c3162ad4152a4221f560eb6f9bea66b294ffbd3643da2fe34096da13c246505452540177a2a0a1a69106e5cfc279a4890fc3be2952f26be245f930e6c2d9e7e26ee960481e72b99594a1185b46b94b6436d00ba6c70ffe135d43907c92c6f1c09fb9453f103730714f5700fa4347f9715c774cb04a7218dacc66d9c2fade18b14e684aa7fc9ebda0a28")
 	require.NoError(t, err)

common/xray/buf/buffer.go

@@ -13,7 +13,7 @@ const (
 	Size = 8192
 )
 
-var zero = [Size * 10]byte{0}
+var ErrBufferFull = E.New("buffer is full")
 
 var pool = bytespool.GetPool(Size)
 
@@ -144,7 +144,7 @@ func (b *Buffer) Bytes() []byte {
 }
 
 // Extend increases the buffer size by n bytes, and returns the extended part.
-// It panics if result size is larger than buf.Size.
+// It panics if result size is larger than size of this buffer.
 func (b *Buffer) Extend(n int32) []byte {
 	end := b.end + n
 	if end > int32(len(b.v)) {
@@ -152,7 +152,7 @@ func (b *Buffer) Extend(n int32) []byte {
 	}
 	ext := b.v[b.end:end]
 	b.end = end
-	copy(ext, zero[:])
+	clear(ext)
 	return ext
 }
 
@@ -215,7 +215,7 @@ func (b *Buffer) Resize(from, to int32) {
 	b.start += from
 	b.Check()
 	if b.end > oldEnd {
-		copy(b.v[oldEnd:b.end], zero[:])
+		clear(b.v[oldEnd:b.end])
 	}
 }
 
@@ -244,6 +244,14 @@ func (b *Buffer) Cap() int32 {
 	return int32(len(b.v))
 }
 
+// Available returns the available capacity of the buffer content.
+func (b *Buffer) Available() int32 {
+	if b == nil {
+		return 0
+	}
+	return int32(len(b.v)) - b.end
+}
+
 // IsEmpty returns true if the buffer is empty.
 func (b *Buffer) IsEmpty() bool {
 	return b.Len() == 0
@@ -258,13 +266,16 @@ func (b *Buffer) IsFull() bool {
 func (b *Buffer) Write(data []byte) (int, error) {
 	nBytes := copy(b.v[b.end:], data)
 	b.end += int32(nBytes)
+	if nBytes < len(data) {
+		return nBytes, ErrBufferFull
+	}
 	return nBytes, nil
 }
 
 // WriteByte writes a single byte into the buffer.
 func (b *Buffer) WriteByte(v byte) error {
 	if b.IsFull() {
-		return E.New("buffer full")
+		return ErrBufferFull
 	}
 	b.v[b.end] = v
 	b.end++

common/xray/buf/io.go

@@ -22,6 +22,7 @@ var ErrReadTimeout = E.New("IO timeout")
 
 // TimeoutReader is a reader that returns error if Read() operation takes longer than the given timeout.
 type TimeoutReader interface {
+	Reader
 	ReadMultiBufferTimeout(time.Duration) (MultiBuffer, error)
 }
 

common/xray/buf/multi_buffer.go

@@ -144,7 +144,7 @@ func Compact(mb MultiBuffer) MultiBuffer {
 
 	for i := 1; i < len(mb); i++ {
 		curr := mb[i]
-		if last.Len()+curr.Len() > Size {
+		if curr.Len() > last.Available() {
 			mb2 = append(mb2, last)
 			last = curr
 		} else {

common/xray/buf/writer.go

@@ -75,9 +75,10 @@ func (w *BufferToBytesWriter) ReadFrom(reader io.Reader) (int64, error) {
 // BufferedWriter is a Writer with internal buffer.
 type BufferedWriter struct {
 	sync.Mutex
-	writer   Writer
-	buffer   *Buffer
-	buffered bool
+	writer    Writer
+	buffer    *Buffer
+	buffered  bool
+	flushNext bool
 }
 
 // NewBufferedWriter creates a new BufferedWriter.
@@ -161,6 +162,12 @@ func (w *BufferedWriter) WriteMultiBuffer(b MultiBuffer) error {
 		}
 	}
 
+	if w.flushNext {
+		w.buffered = false
+		w.flushNext = false
+		return w.flushInternal()
+	}
+
 	return nil
 }
 
@@ -201,6 +208,13 @@ func (w *BufferedWriter) SetBuffered(f bool) error {
 	return nil
 }
 
+// SetFlushNext will wait the next WriteMultiBuffer to flush and set buffered = false
+func (w *BufferedWriter) SetFlushNext() {
+	w.Lock()
+	defer w.Unlock()
+	w.flushNext = true
+}
+
 // ReadFrom implements io.ReaderFrom.
 func (w *BufferedWriter) ReadFrom(reader io.Reader) (int64, error) {
 	if err := w.SetBuffered(false); err != nil {

common/xray/common.go

@@ -1,5 +1,7 @@
 package common
 
+import "reflect"
+
 // Must panics if err is not nil.
 func Must(err error) {
 	if err != nil {
@@ -17,3 +19,14 @@ func Must2(v interface{}, err error) interface{} {
 func Error2(v interface{}, err error) error {
 	return err
 }
+
+// CloseIfExists call obj.Close() if obj is not nil.
+func CloseIfExists(obj any) error {
+	if obj != nil {
+		v := reflect.ValueOf(obj)
+		if !v.IsNil() {
+			return Close(obj)
+		}
+	}
+	return nil
+}

common/xray/crypto/crypto.go

@@ -9,6 +9,9 @@ func RandBetween(from int64, to int64) int64 {
 	if from == to {
 		return from
 	}
+	if from > to {
+		from, to = to, from
+	}
 	bigInt, _ := rand.Int(rand.Reader, big.NewInt(to-from))
 	return from + bigInt.Int64()
 }

common/xray/pipe/impl.go

@@ -200,16 +200,19 @@ func (p *pipe) Interrupt() {
 	p.Lock()
 	defer p.Unlock()
 
+	if !p.data.IsEmpty() {
+		buf.ReleaseMulti(p.data)
+		p.data = nil
+		if p.state == closed {
+			p.state = errord
+		}
+	}
+
 	if p.state == closed || p.state == errord {
 		return
 	}
 
 	p.state = errord
 
-	if !p.data.IsEmpty() {
-		buf.ReleaseMulti(p.data)
-		p.data = nil
-	}
-
 	common.Must(p.done.Close())
 }

common/xray/signal/timer.go

@@ -3,6 +3,7 @@ package signal
 import (
 	"context"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"github.com/sagernet/sing-box/common/xray"
@@ -14,10 +15,12 @@ type ActivityUpdater interface {
 }
 
 type ActivityTimer struct {
-	sync.RWMutex
+	mu        sync.RWMutex
 	updated   chan struct{}
 	checkTask *task.Periodic
 	onTimeout func()
+	consumed  atomic.Bool
+	once      sync.Once
 }
 
 func (t *ActivityTimer) Update() {
@@ -37,39 +40,39 @@ func (t *ActivityTimer) check() error {
 }
 
 func (t *ActivityTimer) finish() {
-	t.Lock()
-	defer t.Unlock()
+	t.once.Do(func() {
+		t.consumed.Store(true)
+		t.mu.Lock()
+		defer t.mu.Unlock()
 
-	if t.onTimeout != nil {
+		common.CloseIfExists(t.checkTask)
 		t.onTimeout()
-		t.onTimeout = nil
-	}
-	if t.checkTask != nil {
-		t.checkTask.Close()
-		t.checkTask = nil
-	}
+	})
 }
 
 func (t *ActivityTimer) SetTimeout(timeout time.Duration) {
+	if t.consumed.Load() {
+		return
+	}
 	if timeout == 0 {
 		t.finish()
 		return
 	}
 
-	checkTask := &task.Periodic{
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	// double check, just in case
+	if t.consumed.Load() {
+		return
+	}
+	newCheckTask := &task.Periodic{
 		Interval: timeout,
 		Execute:  t.check,
 	}
-
-	t.Lock()
-
-	if t.checkTask != nil {
-		t.checkTask.Close()
-	}
-	t.checkTask = checkTask
-	t.Unlock()
+	common.CloseIfExists(t.checkTask)
+	t.checkTask = newCheckTask
 	t.Update()
-	common.Must(checkTask.Start())
+	common.Must(newCheckTask.Start())
 }
 
 func CancelAfterInactivity(ctx context.Context, cancel context.CancelFunc, timeout time.Duration) *ActivityTimer {

dns/client.go

@@ -353,68 +353,6 @@ func (c *Client) ClearCache() {
 	}
 }
 
-func (c *Client) LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool) {
-	if c.disableCache || c.independentCache {
-		return nil, false
-	}
-	if dns.IsFqdn(domain) {
-		domain = domain[:len(domain)-1]
-	}
-	dnsName := dns.Fqdn(domain)
-	if strategy == C.DomainStrategyIPv4Only {
-		addresses, err := c.questionCache(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		if err != ErrNotCached {
-			return addresses, true
-		}
-	} else if strategy == C.DomainStrategyIPv6Only {
-		addresses, err := c.questionCache(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeAAAA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		if err != ErrNotCached {
-			return addresses, true
-		}
-	} else {
-		response4, _ := c.loadResponse(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		if response4 == nil {
-			return nil, false
-		}
-		response6, _ := c.loadResponse(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeAAAA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		if response6 == nil {
-			return nil, false
-		}
-		return sortAddresses(MessageToAddresses(response4), MessageToAddresses(response6), strategy), true
-	}
-	return nil, false
-}
-
-func (c *Client) ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool) {
-	if c.disableCache || c.independentCache || len(message.Question) != 1 {
-		return nil, false
-	}
-	question := message.Question[0]
-	response, ttl := c.loadResponse(question, nil)
-	if response == nil {
-		return nil, false
-	}
-	logCachedResponse(c.logger, ctx, response, ttl)
-	response.Id = message.Id
-	return response, true
-}
-
 func sortAddresses(response4 []netip.Addr, response6 []netip.Addr, strategy C.DomainStrategy) []netip.Addr {
 	if strategy == C.DomainStrategyPreferIPv6 {
 		return append(response6, response4...)

dns/router.go

@@ -214,97 +214,95 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 	}
 	r.logger.DebugContext(ctx, "exchange ", FormatQuestion(message.Question[0].String()))
 	var (
+		response  *mDNS.Msg
 		transport adapter.DNSTransport
 		err       error
 	)
-	response, cached := r.client.ExchangeCache(ctx, message)
-	if !cached {
-		var metadata *adapter.InboundContext
-		ctx, metadata = adapter.ExtendContext(ctx)
-		metadata.Destination = M.Socksaddr{}
-		metadata.QueryType = message.Question[0].Qtype
-		switch metadata.QueryType {
-		case mDNS.TypeA:
-			metadata.IPVersion = 4
-		case mDNS.TypeAAAA:
-			metadata.IPVersion = 6
-		}
-		metadata.Domain = FqdnToDomain(message.Question[0].Name)
-		if options.Transport != nil {
-			transport = options.Transport
-			if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-				if options.Strategy == C.DomainStrategyAsIS {
-					options.Strategy = legacyTransport.LegacyStrategy()
-				}
-				if !options.ClientSubnet.IsValid() {
-					options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-				}
-			}
+	var metadata *adapter.InboundContext
+	ctx, metadata = adapter.ExtendContext(ctx)
+	metadata.Destination = M.Socksaddr{}
+	metadata.QueryType = message.Question[0].Qtype
+	switch metadata.QueryType {
+	case mDNS.TypeA:
+		metadata.IPVersion = 4
+	case mDNS.TypeAAAA:
+		metadata.IPVersion = 6
+	}
+	metadata.Domain = FqdnToDomain(message.Question[0].Name)
+	if options.Transport != nil {
+		transport = options.Transport
+		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
 			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = r.defaultDomainStrategy
+				options.Strategy = legacyTransport.LegacyStrategy()
 			}
-			response, err = r.client.Exchange(ctx, transport, message, options, nil)
-		} else {
-			var (
-				rule      adapter.DNSRule
-				ruleIndex int
-			)
-			ruleIndex = -1
-			for {
-				dnsCtx := adapter.OverrideContext(ctx)
-				dnsOptions := options
-				transport, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message), &dnsOptions)
-				if rule != nil {
-					switch action := rule.Action().(type) {
-					case *R.RuleActionReject:
-						switch action.Method {
-						case C.RuleActionRejectMethodDefault:
-							return &mDNS.Msg{
-								MsgHdr: mDNS.MsgHdr{
-									Id:       message.Id,
-									Rcode:    mDNS.RcodeRefused,
-									Response: true,
-								},
-								Question: []mDNS.Question{message.Question[0]},
-							}, nil
-						case C.RuleActionRejectMethodDrop:
-							return nil, tun.ErrDrop
-						}
-					case *R.RuleActionPredefined:
-						return action.Response(message), nil
-					}
-				}
-				var responseCheck func(responseAddrs []netip.Addr) bool
-				if rule != nil && rule.WithAddressLimit() {
-					responseCheck = func(responseAddrs []netip.Addr) bool {
-						metadata.DestinationAddresses = responseAddrs
-						return rule.MatchAddressLimit(metadata)
-					}
-				}
-				if dnsOptions.Strategy == C.DomainStrategyAsIS {
-					dnsOptions.Strategy = r.defaultDomainStrategy
-				}
-				response, err = r.client.Exchange(dnsCtx, transport, message, dnsOptions, responseCheck)
-				var rejected bool
-				if err != nil {
-					if errors.Is(err, ErrResponseRejectedCached) {
-						rejected = true
-						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())), " (cached)")
-					} else if errors.Is(err, ErrResponseRejected) {
-						rejected = true
-						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
-					} else if len(message.Question) > 0 {
-						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
-					} else {
-						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
-					}
-				}
-				if responseCheck != nil && rejected {
-					continue
-				}
-				break
+			if !options.ClientSubnet.IsValid() {
+				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
 			}
 		}
+		if options.Strategy == C.DomainStrategyAsIS {
+			options.Strategy = r.defaultDomainStrategy
+		}
+		response, err = r.client.Exchange(ctx, transport, message, options, nil)
+	} else {
+		var (
+			rule      adapter.DNSRule
+			ruleIndex int
+		)
+		ruleIndex = -1
+		for {
+			dnsCtx := adapter.OverrideContext(ctx)
+			dnsOptions := options
+			transport, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message), &dnsOptions)
+			if rule != nil {
+				switch action := rule.Action().(type) {
+				case *R.RuleActionReject:
+					switch action.Method {
+					case C.RuleActionRejectMethodDefault:
+						return &mDNS.Msg{
+							MsgHdr: mDNS.MsgHdr{
+								Id:       message.Id,
+								Rcode:    mDNS.RcodeRefused,
+								Response: true,
+							},
+							Question: []mDNS.Question{message.Question[0]},
+						}, nil
+					case C.RuleActionRejectMethodDrop:
+						return nil, tun.ErrDrop
+					}
+				case *R.RuleActionPredefined:
+					return action.Response(message), nil
+				}
+			}
+			var responseCheck func(responseAddrs []netip.Addr) bool
+			if rule != nil && rule.WithAddressLimit() {
+				responseCheck = func(responseAddrs []netip.Addr) bool {
+					metadata.DestinationAddresses = responseAddrs
+					return rule.MatchAddressLimit(metadata)
+				}
+			}
+			if dnsOptions.Strategy == C.DomainStrategyAsIS {
+				dnsOptions.Strategy = r.defaultDomainStrategy
+			}
+			response, err = r.client.Exchange(dnsCtx, transport, message, dnsOptions, responseCheck)
+			var rejected bool
+			if err != nil {
+				if errors.Is(err, ErrResponseRejectedCached) {
+					rejected = true
+					r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())), " (cached)")
+				} else if errors.Is(err, ErrResponseRejected) {
+					rejected = true
+					r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
+				} else if len(message.Question) > 0 {
+					r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
+				} else {
+					r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
+				}
+			}
+			if responseCheck != nil && rejected {
+				continue
+			}
+			break
+		}
 	}
 	if err != nil {
 		return nil, err
@@ -327,7 +325,6 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
 	var (
 		responseAddrs []netip.Addr
-		cached        bool
 		err           error
 	)
 	printResult := func() {
@@ -347,13 +344,6 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 			err = E.Cause(err, "lookup ", domain)
 		}
 	}
-	responseAddrs, cached = r.client.LookupCache(domain, options.Strategy)
-	if cached {
-		if len(responseAddrs) == 0 {
-			return nil, E.New("lookup ", domain, ": empty result (cached)")
-		}
-		return responseAddrs, nil
-	}
 	r.logger.DebugContext(ctx, "lookup domain ", domain)
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}

dns/transport/dhcp/dhcp.go

@@ -243,6 +243,7 @@ func (t *Transport) fetchServersResponse(iface *control.Interface, packetConn ne
 	defer buffer.Release()
 
 	for {
+		buffer.Reset()
 		_, _, err := buffer.ReadPacketFrom(packetConn)
 		if err != nil {
 			if errors.Is(err, io.ErrShortBuffer) {

docs/changelog.md

@@ -2,6 +2,42 @@
 icon: material/alert-decagram
 ---
 
+#### 1.12.17
+
+* Update uTLS to v1.8.2 **1**
+* Fixes and improvements
+
+**1**:
+
+This update fixes missing padding extension for Chrome 120+ fingerprints.
+
+Also, documentation has been updated with a warning about uTLS fingerprinting vulnerabilities.
+uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
+use NaiveProxy instead for TLS fingerprint resistance.
+
+#### 1.12.16
+
+* Fixes and improvements
+
+#### 1.12.15
+
+* Fixes and improvements
+
+#### 1.12.14
+
+* Fixes and improvements
+
+#### 1.12.13
+
+* Fix naive inbound
+* Fixes and improvements
+
+__Unfortunately, for non-technical reasons, we are currently unable to notarize the standalone version of the macOS client:
+because system extensions require signatures to function, we have had to temporarily halt its release.__
+
+__We plan to fix the App Store release issue and launch a new standalone desktop client, but until then,
+only clients on TestFlight will be available (unless you have an Apple Developer Program and compile from source code).__
+
 #### 1.12.12
 
 * Fixes and improvements

docs/clients/apple/index.md

@@ -9,7 +9,7 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 
 !!! failure ""
 
-    We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected).
+    Due to non-technical reasons, we are temporarily unable to update the sing-box app on the App Store and release the standalone version of the macOS client (TestFlight users are not affected)
 
 ## :material-graph: Requirements
 
@@ -18,7 +18,7 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 
 ## :material-download: Download
 
-* [App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)
+* ~~[App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)~~
 * TestFlight (Beta)
 
 TestFlight quota is only available to [sponsors](https://github.com/sponsors/nekohasekai)
@@ -26,15 +26,15 @@ TestFlight quota is only available to [sponsors](https://github.com/sponsors/nek
 Once you donate, you can get an invitation by join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot)
 or sending us your Apple ID [via email](mailto:contact@sagernet.org).
 
-## :material-file-download: Download (macOS standalone version)
+## ~~:material-file-download: Download (macOS standalone version)~~
 
-* [Homebrew Cask](https://formulae.brew.sh/cask/sfm)
+* ~~[Homebrew Cask](https://formulae.brew.sh/cask/sfm)~~
 
 ```bash
-brew install sfm
+# brew install sfm
 ```
 
-* [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
+* ~~[GitHub Releases](https://github.com/SagerNet/sing-box/releases)~~
 
 ## :material-source-repository: Source code
 

docs/configuration/inbound/shadowsocks.md

@@ -9,6 +9,7 @@
 
   "method": "2022-blake3-aes-128-gcm",
   "password": "8JCsPssfgS8tiRwiMlhARg==",
+  "managed": false,
   "multiplex": {}
 }
 ```
@@ -86,6 +87,10 @@ Both if empty.
 | 2022 methods  | `sing-box generate rand --base64 <Key Length>` |
 | other methods | any string                                     |
 
+#### managed
+
+Defaults to `false`. Enable this when the inbound is managed by the [SSM API](/configuration/service/ssm-api) for dynamic user.
+
 #### multiplex
 
 See [Multiplex](/configuration/shared/multiplex#inbound) for details.

docs/configuration/inbound/shadowsocks.zh.md

@@ -9,6 +9,7 @@
 
   "method": "2022-blake3-aes-128-gcm",
   "password": "8JCsPssfgS8tiRwiMlhARg==",
+  "managed": false,
   "multiplex": {}
 }
 ```
@@ -86,6 +87,10 @@ See [Listen Fields](/configuration/shared/listen/) for details.
 | 2022 methods  | `sing-box generate rand --base64 <密钥长度>` |
 | other methods | 任意字符串                                    |
 
+#### managed
+
+默认为 `false`。当该入站需要由 [SSM API](/zh/configuration/service/ssm-api) 管理用户时必须启用此字段。
+
 #### multiplex
 
 参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。

docs/configuration/shared/tls.md

@@ -230,9 +230,18 @@ The path to the server private key, in PEM format.
 
 ==Client only==
 
-!!! failure ""
-    
-    There is no evidence that GFW detects and blocks servers based on TLS client fingerprinting, and using an imperfect emulation that has not been security reviewed could pose security risks.
+!!! failure "Not Recommended"
+
+    uTLS has had repeated fingerprinting vulnerabilities discovered by researchers.
+
+    uTLS is a Go library that attempts to imitate browser TLS fingerprints by copying
+    ClientHello structure. However, browsers use completely different TLS stacks
+    (Chrome uses BoringSSL, Firefox uses NSS) with distinct implementation behaviors
+    that cannot be replicated by simply copying the handshake format, making detection possible.
+    Additionally, the library lacks active maintenance and has poor code quality,
+    making it unsuitable for censorship circumvention.
+
+    For TLS fingerprint resistance, use [NaiveProxy](/configuration/inbound/naive/) instead.
 
 uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance.
 

docs/configuration/shared/tls.zh.md

@@ -220,9 +220,16 @@ TLS 版本值：
 
 ==仅客户端==
 
-!!! failure ""
+!!! failure "不推荐"
 
-    没有证据表明 GFW 根据 TLS 客户端指纹检测并阻止服务器，并且，使用一个未经安全审查的不完美模拟可能带来安全隐患。
+    uTLS 已被研究人员多次发现其指纹可被识别的漏洞。
+
+    uTLS 是一个试图通过复制 ClientHello 结构来模仿浏览器 TLS 指纹的 Go 库。
+    然而，浏览器使用完全不同的 TLS 实现（Chrome 使用 BoringSSL，Firefox 使用 NSS），
+    其实现行为无法通过简单复制握手格式来复现，其行为细节必然存在差异，使得检测成为可能。
+    此外，此库缺乏积极维护，且代码质量较差，不建议用于反审查场景。
+
+    如需 TLS 指纹抵抗，请改用 [NaiveProxy](/configuration/inbound/naive/)。
 
 uTLS 是 "crypto/tls" 的一个分支，它提供了 ClientHello 指纹识别阻力。
 

docs/manual/proxy-protocol/trojan.md

@@ -4,8 +4,7 @@ icon: material/horse
 
 # Trojan
 
-Torjan is the most commonly used TLS proxy made in China. It can be used in various combinations,
-but only the combination of uTLS and multiplexing is recommended.
+Trojan is the most commonly used TLS proxy made in China. It can be used in various combinations.
 
 | Protocol and implementation combination | Specification                                                        | Resists passive detection | Resists active probes |
 |-----------------------------------------|----------------------------------------------------------------------|---------------------------|-----------------------|
@@ -140,11 +139,7 @@ but only the combination of uTLS and multiplexing is recommended.
           "password": "password",
           "tls": {
             "enabled": true,
-            "server_name": "example.org",
-            "utls": {
-              "enabled": true,
-              "fingerprint": "firefox"
-            }
+            "server_name": "example.org"
           },
           "multiplex": {
             "enabled": true
@@ -171,11 +166,7 @@ but only the combination of uTLS and multiplexing is recommended.
           "tls": {
             "enabled": true,
             "server_name": "example.org",
-            "certificate_path": "/path/to/certificate.pem",
-            "utls": {
-              "enabled": true,
-              "fingerprint": "firefox"
-            }
+            "certificate_path": "/path/to/certificate.pem"
           },
           "multiplex": {
             "enabled": true
@@ -198,11 +189,7 @@ but only the combination of uTLS and multiplexing is recommended.
           "tls": {
             "enabled": true,
             "server_name": "example.org",
-            "insecure": true,
-            "utls": {
-              "enabled": true,
-              "fingerprint": "firefox"
-            }
+            "insecure": true
           },
           "multiplex": {
             "enabled": true

examples/warp/client.json

@@ -27,7 +27,7 @@
       },
       "profile": {
         "detour": "direct",
-        // for getting existing WARP device profile
+        // For getting existing WARP device profile, else sing-box will create new profile
         "id": "",
         "private_key": "",
         "auth_token": ""
@@ -56,7 +56,7 @@
   "experimental": {
     "cache_file": {
       "enabled": true,
-      "store_warp_config": true
+      "store_warp_config": true // For saving WARP device profiles
     }
   }
 }

examples/wireguard/client.json

@@ -0,0 +1,52 @@
+{
+  "log": {
+    "level": "error"
+  },
+  "dns": {
+    "servers": [
+      {
+        "type": "local",
+        "tag": "default"
+      }
+    ]
+  },
+  "endpoints": [
+    {
+      "type": "wireguard",
+      "tag": "wireguard-out",
+      "mtu": 1408,
+      "address": null,
+      "private_key": "",
+      "listen_port": 10000,
+      "peers": [
+        {
+          "address": "example.com",
+          "port": 10001,
+          "reserved": "AAAA"
+        }
+      ],
+      "udp_timeout": "5m0s",
+      // Extended options
+      "preallocated_buffers_per_pool": 256, // Set limit for preallocated buffers (can be useful for devices with low RAM)
+      "disable_pauses": true, // Disable pauses when android device in sleep mode
+    }
+  ],
+  "inbounds": [
+    {
+      "type": "mixed",
+      "tag": "mixed-in",
+      "listen_port": 7897
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "direct",
+      "tag": "direct"
+    },
+  ],
+  "route": {
+    "final": "wireguard-out",
+    "default_domain_resolver": "default",
+    "auto_detect_interface": true
+  }
+}

examples/xhttp/client.json

@@ -48,7 +48,6 @@
           "h_keep_alive_period": 60
         },
         "download": {
-          "mode": "",
           "host": "example.com",
           "path": "/xhttp",
           "domain_strategy": "prefer_ipv4",

go.mod

@@ -19,11 +19,10 @@ require (
 	github.com/libdns/cloudflare v0.2.2-0.20250708034226-c574dccb31a6
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/metacubex/tfo-go v0.0.0-20250921095601-b102db4216c0
-	github.com/metacubex/utls v1.8.3
+	github.com/metacubex/utls v1.8.4
 	github.com/mholt/acmez/v3 v3.1.2
 	github.com/miekg/dns v1.1.67
 	github.com/oschwald/maxminddb-golang v1.13.1
-	github.com/quic-go/quic-go v0.54.0
 	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cors v1.2.1
@@ -31,15 +30,15 @@ require (
 	github.com/sagernet/gomobile v0.1.8
 	github.com/sagernet/gvisor v0.0.0-20250325023245-7a9c0f5725fb
 	github.com/sagernet/quic-go v0.52.0-sing-box-mod.3
-	github.com/sagernet/sing v0.7.13
-	github.com/sagernet/sing-mux v0.3.3
-	github.com/sagernet/sing-quic v0.5.2-0.20250909083218-00a55617c0fb
+	github.com/sagernet/sing v0.7.14
+	github.com/sagernet/sing-mux v0.3.4
+	github.com/sagernet/sing-quic v0.5.2
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
 	github.com/sagernet/sing-tun v0.7.3
 	github.com/sagernet/sing-vmess v0.2.7
-	github.com/sagernet/smux v1.5.34-mod.2
+	github.com/sagernet/smux v1.5.50-sing-box-mod.1
 	github.com/sagernet/tailscale v1.80.3-sing-box-1.12-mod.2
 	github.com/sagernet/wireguard-go v0.0.1-beta.7
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
@@ -66,7 +65,6 @@ require (
 	github.com/ameshkov/dnsstamps v1.0.3 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
-	go.uber.org/mock v0.5.0 // indirect
 	golang.org/x/sync v0.16.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 	golang.org/x/tools v0.36.0 // indirect
@@ -150,7 +148,9 @@ require (
 	lukechampine.com/blake3 v1.4.1 // indirect
 )
 
-replace github.com/sagernet/wireguard-go => github.com/shtorm-7/wireguard-go v0.0.1-beta.7-extended-1.0.1
+replace github.com/sagernet/wireguard-go => github.com/shtorm-7/wireguard-go v0.0.1-beta.7-extended-1.1.0
+
+replace github.com/sagernet/tailscale => github.com/shtorm-7/tailscale v1.80.3-sing-box-1.12-mod.2-extended-1.0.0
 
 replace github.com/sagernet/sing-dns => github.com/shtorm-7/sing-dns v0.4.6-extended-1.0.0
 

go.sum

@@ -32,7 +32,6 @@ github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6N
 github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbwwpmHn1J5i43Y0uZP97GqasGCzSRJk=
@@ -130,8 +129,8 @@ github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos
 github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
 github.com/metacubex/tfo-go v0.0.0-20250921095601-b102db4216c0 h1:Ui+/2s5Qz0lSnDUBmEL12M5Oi/PzvFxGTNohm8ZcsmE=
 github.com/metacubex/tfo-go v0.0.0-20250921095601-b102db4216c0/go.mod h1:l9oLnLoEXyGZ5RVLsh7QCC5XsouTUyKk4F2nLm2DHLw=
-github.com/metacubex/utls v1.8.3 h1:0m/yCxm3SK6kWve2lKiFb1pue1wHitJ8sQQD4Ikqde4=
-github.com/metacubex/utls v1.8.3/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
+github.com/metacubex/utls v1.8.4 h1:HmL9nUApDdWSkgUyodfwF6hSjtiwCGGdyhaSpEejKpg=
+github.com/metacubex/utls v1.8.4/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
 github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc=
 github.com/mholt/acmez/v3 v3.1.2/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
 github.com/miekg/dns v1.1.67 h1:kg0EHj0G4bfT5/oOys6HhZw4vmMlnoZ+gDu8tJ/AlI0=
@@ -151,8 +150,6 @@ github.com/prometheus-community/pro-bing v0.4.0 h1:YMbv+i08gQz97OZZBwLyvmmQEEzyf
 github.com/prometheus-community/pro-bing v0.4.0/go.mod h1:b7wRYZtCcPmt4Sz319BykUU241rWLe1VFXyiyWK/dH4=
 github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
 github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.54.0 h1:6s1YB9QotYI6Ospeiguknbp2Znb/jZYjZLRXn9kMQBg=
-github.com/quic-go/quic-go v0.54.0/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/safchain/ethtool v0.3.0 h1:gimQJpsI6sc1yIqP/y8GYgiXn/NjgvpM0RNoWLVVmP0=
 github.com/safchain/ethtool v0.3.0/go.mod h1:SA9BwrgyAqNo7M+uaL6IYbxpm5wk3L7Mm6ocLW+CJUs=
@@ -174,13 +171,12 @@ github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNen
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
 github.com/sagernet/quic-go v0.52.0-sing-box-mod.3 h1:ySqffGm82rPqI1TUPqmtHIYd12pfEGScygnOxjTL56w=
 github.com/sagernet/quic-go v0.52.0-sing-box-mod.3/go.mod h1:OV+V5kEBb8kJS7k29MzDu6oj9GyMc7HA07sE1tedxz4=
-github.com/sagernet/sing v0.6.9/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
-github.com/sagernet/sing v0.7.13 h1:XNYgd8e3cxMULs/LLJspdn/deHrnPWyrrglNHeCUAYM=
-github.com/sagernet/sing v0.7.13/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
-github.com/sagernet/sing-mux v0.3.3 h1:YFgt9plMWzH994BMZLmyKL37PdIVaIilwP0Jg+EcLfw=
-github.com/sagernet/sing-mux v0.3.3/go.mod h1:pht8iFY4c9Xltj7rhVd208npkNaeCxzyXCgulDPLUDA=
-github.com/sagernet/sing-quic v0.5.2-0.20250909083218-00a55617c0fb h1:5Wx3XeTiKrrrcrAky7Hc1bO3CGxrvho2Vu5b/adlEIM=
-github.com/sagernet/sing-quic v0.5.2-0.20250909083218-00a55617c0fb/go.mod h1:evP1e++ZG8TJHVV5HudXV4vWeYzGfCdF4HwSJZcdqkI=
+github.com/sagernet/sing v0.7.14 h1:5QQRDCUvYNOMyVp3LuK/hYEBAIv0VsbD3x/l9zH467s=
+github.com/sagernet/sing v0.7.14/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing-mux v0.3.4 h1:ZQplKl8MNXutjzbMVtWvWG31fohhgOfCuUZR4dVQ8+s=
+github.com/sagernet/sing-mux v0.3.4/go.mod h1:QvlKMyNBNrQoyX4x+gq028uPbLM2XeRpWtDsWBJbFSk=
+github.com/sagernet/sing-quic v0.5.2 h1:I3vlfRImhr0uLwRS3b3ib70RMG9FcXtOKKUDz3eKRWc=
+github.com/sagernet/sing-quic v0.5.2/go.mod h1:evP1e++ZG8TJHVV5HudXV4vWeYzGfCdF4HwSJZcdqkI=
 github.com/sagernet/sing-shadowsocks v0.2.8 h1:PURj5PRoAkqeHh2ZW205RWzN9E9RtKCVCzByXruQWfE=
 github.com/sagernet/sing-shadowsocks v0.2.8/go.mod h1:lo7TWEMDcN5/h5B8S0ew+r78ZODn6SwVaFhvB6H+PTI=
 github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnqqs2gQ2/Qioo=
@@ -191,29 +187,22 @@ github.com/sagernet/sing-tun v0.7.3 h1:MFnAir+l24ElEyxdfwtY8mqvUUL9nPnL9TDYLkOmV
 github.com/sagernet/sing-tun v0.7.3/go.mod h1:pUEjh9YHQ2gJT6Lk0TYDklh3WJy7lz+848vleGM3JPM=
 github.com/sagernet/sing-vmess v0.2.7 h1:2ee+9kO0xW5P4mfe6TYVWf9VtY8k1JhNysBqsiYj0sk=
 github.com/sagernet/sing-vmess v0.2.7/go.mod h1:5aYoOtYksAyS0NXDm0qKeTYW1yoE1bJVcv+XLcVoyJs=
-github.com/sagernet/smux v1.5.34-mod.2 h1:gkmBjIjlJ2zQKpLigOkFur5kBKdV6bNRoFu2WkltRQ4=
-github.com/sagernet/smux v1.5.34-mod.2/go.mod h1:0KW0+R+ycvA2INW4gbsd7BNyg+HEfLIAxa5N02/28Zc=
-github.com/sagernet/tailscale v1.80.3-sing-box-1.12-mod.2 h1:MO7s4ni2bSfAOhcan2rdQSWCztkMXmqyg6jYPZp8bEE=
-github.com/sagernet/tailscale v1.80.3-sing-box-1.12-mod.2/go.mod h1:EBxXsWu4OH2ELbQLq32WoBeIubG8KgDrg4/Oaxjs6lI=
+github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=
+github.com/sagernet/smux v1.5.50-sing-box-mod.1/go.mod h1:NjhsCEWedJm7eFLyhuBgIEzwfhRmytrUoiLluxs5Sk8=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854/go.mod h1:LtfoSK3+NG57tvnVEHgcuBW9ujgE8enPSgzgwStwCAA=
 github.com/shtorm-7/dnscrypt/v2 v2.4.0-extended-1.0.0 h1:e5s7RKBd2rIPR0StbvZ2vTVtJ5jDTsTk5wtIIapZTRg=
 github.com/shtorm-7/dnscrypt/v2 v2.4.0-extended-1.0.0/go.mod h1:WpEFV2uhebXb8Jhes/5/fSdpmhGV8TL22RDaeWwV6hI=
-github.com/shtorm-7/wireguard-go v0.0.1-beta.7-extended-1.0.1 h1:IjsKFhL4HlvRo6IpU5kjLnL7TkP5vvCTJyOD6QzKADo=
-github.com/shtorm-7/wireguard-go v0.0.1-beta.7-extended-1.0.1/go.mod h1:DHxMTUaBGHP3tf8nJ/N8AkcoJDD0PHECLhTfLsw+ylQ=
+github.com/shtorm-7/tailscale v1.80.3-sing-box-1.12-mod.2-extended-1.0.0 h1:Yp4dIRwiwLda9JXyGMHkfYRr2r01NarkzsNd/oi10dk=
+github.com/shtorm-7/tailscale v1.80.3-sing-box-1.12-mod.2-extended-1.0.0/go.mod h1:+znUAXWwgcgza5mb5do8j9RC95rpY9lbSc/TyEyCGa4=
+github.com/shtorm-7/wireguard-go v0.0.1-beta.7-extended-1.1.0 h1:bTmx3NiEeH7mdgsifyNUxIEAA0wokRMSm8iS/hln6n0=
+github.com/shtorm-7/wireguard-go v0.0.1-beta.7-extended-1.1.0/go.mod h1:DHxMTUaBGHP3tf8nJ/N8AkcoJDD0PHECLhTfLsw+ylQ=
 github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
 github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
 github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
@@ -271,8 +260,6 @@ go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
-go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
@@ -306,7 +293,6 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
 golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

option/options.go

@@ -5,6 +5,7 @@ import (
 	"context"
 
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
 )
 
@@ -60,37 +61,40 @@ func checkOptions(options *Options) error {
 
 func checkInbounds(inbounds []Inbound) error {
 	seen := make(map[string]bool)
-	for _, inbound := range inbounds {
-		if inbound.Tag == "" {
-			continue
+	for i, inbound := range inbounds {
+		tag := inbound.Tag
+		if tag == "" {
+			tag = F.ToString(i)
 		}
-		if seen[inbound.Tag] {
-			return E.New("duplicate inbound tag: ", inbound.Tag)
+		if seen[tag] {
+			return E.New("duplicate inbound tag: ", tag)
 		}
-		seen[inbound.Tag] = true
+		seen[tag] = true
 	}
 	return nil
 }
 
 func checkOutbounds(outbounds []Outbound, endpoints []Endpoint) error {
 	seen := make(map[string]bool)
-	for _, outbound := range outbounds {
-		if outbound.Tag == "" {
-			continue
+	for i, outbound := range outbounds {
+		tag := outbound.Tag
+		if tag == "" {
+			tag = F.ToString(i)
 		}
-		if seen[outbound.Tag] {
-			return E.New("duplicate outbound/endpoint tag: ", outbound.Tag)
+		if seen[tag] {
+			return E.New("duplicate outbound/endpoint tag: ", tag)
 		}
-		seen[outbound.Tag] = true
+		seen[tag] = true
 	}
-	for _, endpoint := range endpoints {
-		if endpoint.Tag == "" {
-			continue
+	for i, endpoint := range endpoints {
+		tag := endpoint.Tag
+		if tag == "" {
+			tag = F.ToString(i)
 		}
-		if seen[endpoint.Tag] {
-			return E.New("duplicate outbound/endpoint tag: ", endpoint.Tag)
+		if seen[tag] {
+			return E.New("duplicate outbound/endpoint tag: ", tag)
 		}
-		seen[endpoint.Tag] = true
+		seen[tag] = true
 	}
 	return nil
 }

option/v2ray_transport.go

@@ -110,7 +110,6 @@ type V2RayHTTPUpgradeOptions struct {
 }
 
 type V2RayXHTTPBaseOptions struct {
-	Mode                 string                 `json:"mode"`
 	Host                 string                 `json:"host,omitempty"`
 	Path                 string                 `json:"path,omitempty"`
 	Headers              map[string]string      `json:"headers,omitempty"`
@@ -126,6 +125,7 @@ type V2RayXHTTPBaseOptions struct {
 }
 
 type V2RayXHTTPOptions struct {
+	Mode string `json:"mode"`
 	V2RayXHTTPBaseOptions
 	Download *V2RayXHTTPDownloadOptions `json:"download"`
 }

option/wireguard.go

@@ -7,16 +7,18 @@ import (
 )
 
 type WireGuardEndpointOptions struct {
-	System     bool                             `json:"system,omitempty"`
-	Name       string                           `json:"name,omitempty"`
-	MTU        uint32                           `json:"mtu,omitempty"`
-	Address    badoption.Listable[netip.Prefix] `json:"address"`
-	PrivateKey string                           `json:"private_key"`
-	ListenPort uint16                           `json:"listen_port,omitempty"`
-	Peers      []WireGuardPeer                  `json:"peers,omitempty"`
-	UDPTimeout badoption.Duration               `json:"udp_timeout,omitempty"`
-	Workers    int                              `json:"workers,omitempty"`
-	Amnezia    *WireGuardAmnezia                `json:"amnezia,omitempty"`
+	System                     bool                             `json:"system,omitempty"`
+	Name                       string                           `json:"name,omitempty"`
+	MTU                        uint32                           `json:"mtu,omitempty"`
+	Address                    badoption.Listable[netip.Prefix] `json:"address"`
+	PrivateKey                 string                           `json:"private_key"`
+	ListenPort                 uint16                           `json:"listen_port,omitempty"`
+	Peers                      []WireGuardPeer                  `json:"peers,omitempty"`
+	UDPTimeout                 badoption.Duration               `json:"udp_timeout,omitempty"`
+	Workers                    int                              `json:"workers,omitempty"`
+	PreallocatedBuffersPerPool uint32                           `json:"preallocated_buffers_per_pool,omitempty"`
+	DisablePauses              bool                             `json:"disable_pauses,omitempty"`
+	Amnezia                    *WireGuardAmnezia                `json:"amnezia,omitempty"`
 	DialerOptions
 }
 
@@ -31,13 +33,15 @@ type WireGuardPeer struct {
 }
 
 type WireGuardWARPEndpointOptions struct {
-	System     bool               `json:"system,omitempty"`
-	Name       string             `json:"name,omitempty"`
-	ListenPort uint16             `json:"listen_port,omitempty"`
-	UDPTimeout badoption.Duration `json:"udp_timeout,omitempty"`
-	Workers    int                `json:"workers,omitempty"`
-	Amnezia    *WireGuardAmnezia  `json:"amnezia,omitempty"`
-	Profile    WARPProfile        `json:"profile,omitempty"`
+	System                     bool               `json:"system,omitempty"`
+	Name                       string             `json:"name,omitempty"`
+	ListenPort                 uint16             `json:"listen_port,omitempty"`
+	UDPTimeout                 badoption.Duration `json:"udp_timeout,omitempty"`
+	Workers                    int                `json:"workers,omitempty"`
+	PreallocatedBuffersPerPool uint32             `json:"preallocated_buffers_per_pool,omitempty"`
+	DisablePauses              bool               `json:"disable_pauses,omitempty"`
+	Amnezia                    *WireGuardAmnezia  `json:"amnezia,omitempty"`
+	Profile                    WARPProfile        `json:"profile,omitempty"`
 	DialerOptions
 }
 
@@ -58,13 +62,15 @@ type LegacyWireGuardOutboundOptions struct {
 	PrivateKey      string                           `json:"private_key"`
 	Peers           []LegacyWireGuardPeer            `json:"peers,omitempty"`
 	ServerOptions
-	PeerPublicKey string            `json:"peer_public_key"`
-	PreSharedKey  string            `json:"pre_shared_key,omitempty"`
-	Reserved      []uint8           `json:"reserved,omitempty"`
-	Workers       int               `json:"workers,omitempty"`
-	MTU           uint32            `json:"mtu,omitempty"`
-	Network       NetworkList       `json:"network,omitempty"`
-	Amnezia       *WireGuardAmnezia `json:"amnezia,omitempty"`
+	PeerPublicKey              string            `json:"peer_public_key"`
+	PreSharedKey               string            `json:"pre_shared_key,omitempty"`
+	Reserved                   []uint8           `json:"reserved,omitempty"`
+	Workers                    int               `json:"workers,omitempty"`
+	PreallocatedBuffersPerPool uint32            `json:"preallocated_buffers_per_pool,omitempty"`
+	DisablePauses              bool              `json:"disable_pauses,omitempty"`
+	MTU                        uint32            `json:"mtu,omitempty"`
+	Network                    NetworkList       `json:"network,omitempty"`
+	Amnezia                    *WireGuardAmnezia `json:"amnezia,omitempty"`
 }
 
 type LegacyWireGuardPeer struct {

protocol/dns/handle.go

@@ -46,7 +46,8 @@ func HandleStreamDNSRequest(ctx context.Context, router adapter.DNSRouter, conn
 			conn.Close()
 			return err
 		}
-		responseBuffer := buf.NewPacket()
+		responseLength := response.Len()
+		responseBuffer := buf.NewSize(3 + responseLength)
 		defer responseBuffer.Release()
 		responseBuffer.Resize(2, 0)
 		n, err := response.PackBuffer(responseBuffer.FreeBytes())

protocol/naive/inbound.go

@@ -2,8 +2,8 @@ package naive
 
 import (
 	"context"
+	"errors"
 	"io"
-	"math/rand"
 	"net"
 	"net/http"
 
@@ -22,7 +22,11 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	aTLS "github.com/sagernet/sing/common/tls"
 	sHttp "github.com/sagernet/sing/protocol/http"
+
+	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
 )
 
 var ConfigureHTTP3ListenerFunc func(listener *listener.Listener, handler http.Handler, tlsConfig tls.ServerConfig, logger logger.Logger) (io.Closer, error)
@@ -82,16 +86,11 @@ func (n *Inbound) Start(stage adapter.StartStage) error {
 	if stage != adapter.StartStateStart {
 		return nil
 	}
-	var tlsConfig *tls.STDConfig
 	if n.tlsConfig != nil {
 		err := n.tlsConfig.Start()
 		if err != nil {
 			return E.Cause(err, "create TLS config")
 		}
-		tlsConfig, err = n.tlsConfig.Config()
-		if err != nil {
-			return err
-		}
 	}
 	if common.Contains(n.network, N.NetworkTCP) {
 		tcpListener, err := n.listener.ListenTCP()
@@ -99,20 +98,23 @@ func (n *Inbound) Start(stage adapter.StartStage) error {
 			return err
 		}
 		n.httpServer = &http.Server{
-			Handler:   n,
-			TLSConfig: tlsConfig,
+			Handler: h2c.NewHandler(n, &http2.Server{}),
 			BaseContext: func(listener net.Listener) context.Context {
 				return n.ctx
 			},
 		}
 		go func() {
-			var sErr error
-			if tlsConfig != nil {
-				sErr = n.httpServer.ServeTLS(tcpListener, "", "")
-			} else {
-				sErr = n.httpServer.Serve(tcpListener)
+			listener := net.Listener(tcpListener)
+			if n.tlsConfig != nil {
+				if len(n.tlsConfig.NextProtos()) == 0 {
+					n.tlsConfig.SetNextProtos([]string{http2.NextProtoTLS, "http/1.1"})
+				} else if !common.Contains(n.tlsConfig.NextProtos(), http2.NextProtoTLS) {
+					n.tlsConfig.SetNextProtos(append([]string{http2.NextProtoTLS}, n.tlsConfig.NextProtos()...))
+				}
+				listener = aTLS.NewListener(tcpListener, n.tlsConfig)
 			}
-			if sErr != nil && !E.IsClosedOrCanceled(sErr) {
+			sErr := n.httpServer.Serve(listener)
+			if sErr != nil && !errors.Is(sErr, http.ErrServerClosed) {
 				n.logger.Error("http server serve error: ", sErr)
 			}
 		}()
@@ -161,13 +163,16 @@ func (n *Inbound) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 		n.badRequest(ctx, request, E.New("authorization failed"))
 		return
 	}
-	writer.Header().Set("Padding", generateNaivePaddingHeader())
+	writer.Header().Set("Padding", generatePaddingHeader())
 	writer.WriteHeader(http.StatusOK)
 	writer.(http.Flusher).Flush()
 
-	hostPort := request.URL.Host
+	hostPort := request.Header.Get("-connect-authority")
 	if hostPort == "" {
-		hostPort = request.Host
+		hostPort = request.URL.Host
+		if hostPort == "" {
+			hostPort = request.Host
+		}
 	}
 	source := sHttp.SourceAddress(request)
 	destination := M.ParseSocksaddr(hostPort).Unwrap()
@@ -178,9 +183,14 @@ func (n *Inbound) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 			n.badRequest(ctx, request, E.New("hijack failed"))
 			return
 		}
-		n.newConnection(ctx, false, &naiveH1Conn{Conn: conn}, userName, source, destination)
+		n.newConnection(ctx, false, &naiveConn{Conn: conn}, userName, source, destination)
 	} else {
-		n.newConnection(ctx, true, &naiveH2Conn{reader: request.Body, writer: writer, flusher: writer.(http.Flusher)}, userName, source, destination)
+		n.newConnection(ctx, true, &naiveH2Conn{
+			reader:        request.Body,
+			writer:        writer,
+			flusher:       writer.(http.Flusher),
+			remoteAddress: source,
+		}, userName, source, destination)
 	}
 }
 
@@ -236,18 +246,3 @@ func rejectHTTP(writer http.ResponseWriter, statusCode int) {
 	}
 	conn.Close()
 }
-
-func generateNaivePaddingHeader() string {
-	paddingLen := rand.Intn(32) + 30
-	padding := make([]byte, paddingLen)
-	bits := rand.Uint64()
-	for i := 0; i < 16; i++ {
-		// Codes that won't be Huffman coded.
-		padding[i] = "!#$()+<>?@[]^`{}"[bits&15]
-		bits >>= 4
-	}
-	for i := 16; i < paddingLen; i++ {
-		padding[i] = '~'
-	}
-	return string(padding)
-}

protocol/naive/inbound_conn.go

@@ -7,417 +7,242 @@ import (
 	"net"
 	"net/http"
 	"os"
-	"strings"
 	"time"
 
 	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/baderror"
 	"github.com/sagernet/sing/common/buf"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/rw"
 )
 
-const kFirstPaddings = 8
+const paddingCount = 8
 
-type naiveH1Conn struct {
-	net.Conn
+func generatePaddingHeader() string {
+	paddingLen := rand.Intn(32) + 30
+	padding := make([]byte, paddingLen)
+	bits := rand.Uint64()
+	for i := 0; i < 16; i++ {
+		padding[i] = "!#$()+<>?@[]^`{}"[bits&15]
+		bits >>= 4
+	}
+	for i := 16; i < paddingLen; i++ {
+		padding[i] = '~'
+	}
+	return string(padding)
+}
+
+type paddingConn struct {
 	readPadding      int
 	writePadding     int
 	readRemaining    int
 	paddingRemaining int
 }
 
-func (c *naiveH1Conn) Read(p []byte) (n int, err error) {
-	n, err = c.read(p)
-	return n, wrapHttpError(err)
-}
-
-func (c *naiveH1Conn) read(p []byte) (n int, err error) {
-	if c.readRemaining > 0 {
-		if len(p) > c.readRemaining {
-			p = p[:c.readRemaining]
+func (p *paddingConn) readWithPadding(reader io.Reader, buffer []byte) (n int, err error) {
+	if p.readRemaining > 0 {
+		if len(buffer) > p.readRemaining {
+			buffer = buffer[:p.readRemaining]
 		}
-		n, err = c.Conn.Read(p)
+		n, err = reader.Read(buffer)
 		if err != nil {
 			return
 		}
-		c.readRemaining -= n
+		p.readRemaining -= n
 		return
 	}
-	if c.paddingRemaining > 0 {
-		err = rw.SkipN(c.Conn, c.paddingRemaining)
+	if p.paddingRemaining > 0 {
+		err = rw.SkipN(reader, p.paddingRemaining)
 		if err != nil {
 			return
 		}
-		c.paddingRemaining = 0
+		p.paddingRemaining = 0
 	}
-	if c.readPadding < kFirstPaddings {
-		var paddingHdr []byte
-		if len(p) >= 3 {
-			paddingHdr = p[:3]
+	if p.readPadding < paddingCount {
+		var paddingHeader []byte
+		if len(buffer) >= 3 {
+			paddingHeader = buffer[:3]
 		} else {
-			paddingHdr = make([]byte, 3)
+			paddingHeader = make([]byte, 3)
 		}
-		_, err = io.ReadFull(c.Conn, paddingHdr)
+		_, err = io.ReadFull(reader, paddingHeader)
 		if err != nil {
 			return
 		}
-		originalDataSize := int(binary.BigEndian.Uint16(paddingHdr[:2]))
-		paddingSize := int(paddingHdr[2])
-		if len(p) > originalDataSize {
-			p = p[:originalDataSize]
+		originalDataSize := int(binary.BigEndian.Uint16(paddingHeader[:2]))
+		paddingSize := int(paddingHeader[2])
+		if len(buffer) > originalDataSize {
+			buffer = buffer[:originalDataSize]
 		}
-		n, err = c.Conn.Read(p)
+		n, err = reader.Read(buffer)
 		if err != nil {
 			return
 		}
-		c.readPadding++
-		c.readRemaining = originalDataSize - n
-		c.paddingRemaining = paddingSize
+		p.readPadding++
+		p.readRemaining = originalDataSize - n
+		p.paddingRemaining = paddingSize
 		return
 	}
-	return c.Conn.Read(p)
+	return reader.Read(buffer)
 }
 
-func (c *naiveH1Conn) Write(p []byte) (n int, err error) {
-	for pLen := len(p); pLen > 0; {
-		var data []byte
-		if pLen > 65535 {
-			data = p[:65535]
-			p = p[65535:]
-			pLen -= 65535
-		} else {
-			data = p
-			pLen = 0
-		}
-		var writeN int
-		writeN, err = c.write(data)
-		n += writeN
-		if err != nil {
-			break
-		}
-	}
-	return n, wrapHttpError(err)
-}
-
-func (c *naiveH1Conn) write(p []byte) (n int, err error) {
-	if c.writePadding < kFirstPaddings {
+func (p *paddingConn) writeWithPadding(writer io.Writer, data []byte) (n int, err error) {
+	if p.writePadding < paddingCount {
 		paddingSize := rand.Intn(256)
-
-		buffer := buf.NewSize(3 + len(p) + paddingSize)
+		buffer := buf.NewSize(3 + len(data) + paddingSize)
 		defer buffer.Release()
 		header := buffer.Extend(3)
-		binary.BigEndian.PutUint16(header, uint16(len(p)))
+		binary.BigEndian.PutUint16(header, uint16(len(data)))
 		header[2] = byte(paddingSize)
-
-		common.Must1(buffer.Write(p))
-		_, err = c.Conn.Write(buffer.Bytes())
+		common.Must1(buffer.Write(data))
+		_, err = writer.Write(buffer.Bytes())
 		if err == nil {
-			n = len(p)
+			n = len(data)
 		}
-		c.writePadding++
+		p.writePadding++
 		return
 	}
-	return c.Conn.Write(p)
+	return writer.Write(data)
 }
 
-func (c *naiveH1Conn) FrontHeadroom() int {
-	if c.writePadding < kFirstPaddings {
-		return 3
-	}
-	return 0
-}
-
-func (c *naiveH1Conn) RearHeadroom() int {
-	if c.writePadding < kFirstPaddings {
-		return 255
-	}
-	return 0
-}
-
-func (c *naiveH1Conn) WriterMTU() int {
-	if c.writePadding < kFirstPaddings {
-		return 65535
-	}
-	return 0
-}
-
-func (c *naiveH1Conn) WriteBuffer(buffer *buf.Buffer) error {
-	defer buffer.Release()
-	if c.writePadding < kFirstPaddings {
+func (p *paddingConn) writeBufferWithPadding(writer io.Writer, buffer *buf.Buffer) error {
+	if p.writePadding < paddingCount {
 		bufferLen := buffer.Len()
 		if bufferLen > 65535 {
-			return common.Error(c.Write(buffer.Bytes()))
+			_, err := p.writeChunked(writer, buffer.Bytes())
+			return err
 		}
 		paddingSize := rand.Intn(256)
 		header := buffer.ExtendHeader(3)
 		binary.BigEndian.PutUint16(header, uint16(bufferLen))
 		header[2] = byte(paddingSize)
 		buffer.Extend(paddingSize)
-		c.writePadding++
+		p.writePadding++
 	}
-	return wrapHttpError(common.Error(c.Conn.Write(buffer.Bytes())))
+	return common.Error(writer.Write(buffer.Bytes()))
 }
 
-// FIXME
-/*func (c *naiveH1Conn) WriteTo(w io.Writer) (n int64, err error) {
-	if c.readPadding < kFirstPaddings {
-		n, err = bufio.WriteToN(c, w, kFirstPaddings-c.readPadding)
-	} else {
-		n, err = bufio.Copy(w, c.Conn)
-	}
-	return n, wrapHttpError(err)
-}
-
-func (c *naiveH1Conn) ReadFrom(r io.Reader) (n int64, err error) {
-	if c.writePadding < kFirstPaddings {
-		n, err = bufio.ReadFromN(c, r, kFirstPaddings-c.writePadding)
-	} else {
-		n, err = bufio.Copy(c.Conn, r)
-	}
-	return n, wrapHttpError(err)
-}
-*/
-
-func (c *naiveH1Conn) Upstream() any {
-	return c.Conn
-}
-
-func (c *naiveH1Conn) ReaderReplaceable() bool {
-	return c.readPadding == kFirstPaddings
-}
-
-func (c *naiveH1Conn) WriterReplaceable() bool {
-	return c.writePadding == kFirstPaddings
-}
-
-type naiveH2Conn struct {
-	reader           io.Reader
-	writer           io.Writer
-	flusher          http.Flusher
-	rAddr            net.Addr
-	readPadding      int
-	writePadding     int
-	readRemaining    int
-	paddingRemaining int
-}
-
-func (c *naiveH2Conn) Read(p []byte) (n int, err error) {
-	n, err = c.read(p)
-	return n, wrapHttpError(err)
-}
-
-func (c *naiveH2Conn) read(p []byte) (n int, err error) {
-	if c.readRemaining > 0 {
-		if len(p) > c.readRemaining {
-			p = p[:c.readRemaining]
-		}
-		n, err = c.reader.Read(p)
-		if err != nil {
-			return
-		}
-		c.readRemaining -= n
-		return
-	}
-	if c.paddingRemaining > 0 {
-		err = rw.SkipN(c.reader, c.paddingRemaining)
-		if err != nil {
-			return
-		}
-		c.paddingRemaining = 0
-	}
-	if c.readPadding < kFirstPaddings {
-		var paddingHdr []byte
-		if len(p) >= 3 {
-			paddingHdr = p[:3]
+func (p *paddingConn) writeChunked(writer io.Writer, data []byte) (n int, err error) {
+	for len(data) > 0 {
+		var chunk []byte
+		if len(data) > 65535 {
+			chunk = data[:65535]
+			data = data[65535:]
 		} else {
-			paddingHdr = make([]byte, 3)
+			chunk = data
+			data = nil
 		}
-		_, err = io.ReadFull(c.reader, paddingHdr)
+		var written int
+		written, err = p.writeWithPadding(writer, chunk)
+		n += written
 		if err != nil {
 			return
 		}
-		originalDataSize := int(binary.BigEndian.Uint16(paddingHdr[:2]))
-		paddingSize := int(paddingHdr[2])
-		if len(p) > originalDataSize {
-			p = p[:originalDataSize]
-		}
-		n, err = c.reader.Read(p)
-		if err != nil {
-			return
-		}
-		c.readPadding++
-		c.readRemaining = originalDataSize - n
-		c.paddingRemaining = paddingSize
-		return
 	}
-	return c.reader.Read(p)
+	return
 }
 
-func (c *naiveH2Conn) Write(p []byte) (n int, err error) {
-	for pLen := len(p); pLen > 0; {
-		var data []byte
-		if pLen > 65535 {
-			data = p[:65535]
-			p = p[65535:]
-			pLen -= 65535
-		} else {
-			data = p
-			pLen = 0
-		}
-		var writeN int
-		writeN, err = c.write(data)
-		n += writeN
-		if err != nil {
-			break
-		}
-	}
-	if err == nil {
-		c.flusher.Flush()
-	}
-	return n, wrapHttpError(err)
-}
-
-func (c *naiveH2Conn) write(p []byte) (n int, err error) {
-	if c.writePadding < kFirstPaddings {
-		paddingSize := rand.Intn(256)
-
-		buffer := buf.NewSize(3 + len(p) + paddingSize)
-		defer buffer.Release()
-		header := buffer.Extend(3)
-		binary.BigEndian.PutUint16(header, uint16(len(p)))
-		header[2] = byte(paddingSize)
-
-		common.Must1(buffer.Write(p))
-		_, err = c.writer.Write(buffer.Bytes())
-		if err == nil {
-			n = len(p)
-		}
-		c.writePadding++
-		return
-	}
-	return c.writer.Write(p)
-}
-
-func (c *naiveH2Conn) FrontHeadroom() int {
-	if c.writePadding < kFirstPaddings {
+func (p *paddingConn) frontHeadroom() int {
+	if p.writePadding < paddingCount {
 		return 3
 	}
 	return 0
 }
 
-func (c *naiveH2Conn) RearHeadroom() int {
-	if c.writePadding < kFirstPaddings {
+func (p *paddingConn) rearHeadroom() int {
+	if p.writePadding < paddingCount {
 		return 255
 	}
 	return 0
 }
 
-func (c *naiveH2Conn) WriterMTU() int {
-	if c.writePadding < kFirstPaddings {
+func (p *paddingConn) writerMTU() int {
+	if p.writePadding < paddingCount {
 		return 65535
 	}
 	return 0
 }
 
+func (p *paddingConn) readerReplaceable() bool {
+	return p.readPadding == paddingCount
+}
+
+func (p *paddingConn) writerReplaceable() bool {
+	return p.writePadding == paddingCount
+}
+
+type naiveConn struct {
+	net.Conn
+	paddingConn
+}
+
+func (c *naiveConn) Read(p []byte) (n int, err error) {
+	n, err = c.readWithPadding(c.Conn, p)
+	return n, baderror.WrapH2(err)
+}
+
+func (c *naiveConn) Write(p []byte) (n int, err error) {
+	n, err = c.writeChunked(c.Conn, p)
+	return n, baderror.WrapH2(err)
+}
+
+func (c *naiveConn) WriteBuffer(buffer *buf.Buffer) error {
+	defer buffer.Release()
+	err := c.writeBufferWithPadding(c.Conn, buffer)
+	return baderror.WrapH2(err)
+}
+
+func (c *naiveConn) FrontHeadroom() int      { return c.frontHeadroom() }
+func (c *naiveConn) RearHeadroom() int       { return c.rearHeadroom() }
+func (c *naiveConn) WriterMTU() int          { return c.writerMTU() }
+func (c *naiveConn) Upstream() any           { return c.Conn }
+func (c *naiveConn) ReaderReplaceable() bool { return c.readerReplaceable() }
+func (c *naiveConn) WriterReplaceable() bool { return c.writerReplaceable() }
+
+type naiveH2Conn struct {
+	reader        io.Reader
+	writer        io.Writer
+	flusher       http.Flusher
+	remoteAddress net.Addr
+	paddingConn
+}
+
+func (c *naiveH2Conn) Read(p []byte) (n int, err error) {
+	n, err = c.readWithPadding(c.reader, p)
+	return n, baderror.WrapH2(err)
+}
+
+func (c *naiveH2Conn) Write(p []byte) (n int, err error) {
+	n, err = c.writeChunked(c.writer, p)
+	if err == nil {
+		c.flusher.Flush()
+	}
+	return n, baderror.WrapH2(err)
+}
+
 func (c *naiveH2Conn) WriteBuffer(buffer *buf.Buffer) error {
 	defer buffer.Release()
-	if c.writePadding < kFirstPaddings {
-		bufferLen := buffer.Len()
-		if bufferLen > 65535 {
-			return common.Error(c.Write(buffer.Bytes()))
-		}
-		paddingSize := rand.Intn(256)
-		header := buffer.ExtendHeader(3)
-		binary.BigEndian.PutUint16(header, uint16(bufferLen))
-		header[2] = byte(paddingSize)
-		buffer.Extend(paddingSize)
-		c.writePadding++
-	}
-	err := common.Error(c.writer.Write(buffer.Bytes()))
+	err := c.writeBufferWithPadding(c.writer, buffer)
 	if err == nil {
 		c.flusher.Flush()
 	}
-	return wrapHttpError(err)
+	return baderror.WrapH2(err)
 }
 
-// FIXME
-/*func (c *naiveH2Conn) WriteTo(w io.Writer) (n int64, err error) {
-	if c.readPadding < kFirstPaddings {
-		n, err = bufio.WriteToN(c, w, kFirstPaddings-c.readPadding)
-	} else {
-		n, err = bufio.Copy(w, c.reader)
-	}
-	return n, wrapHttpError(err)
-}
-
-func (c *naiveH2Conn) ReadFrom(r io.Reader) (n int64, err error) {
-	if c.writePadding < kFirstPaddings {
-		n, err = bufio.ReadFromN(c, r, kFirstPaddings-c.writePadding)
-	} else {
-		n, err = bufio.Copy(c.writer, r)
-	}
-	return n, wrapHttpError(err)
-}*/
-
 func (c *naiveH2Conn) Close() error {
-	return common.Close(
-		c.reader,
-		c.writer,
-	)
+	return common.Close(c.reader, c.writer)
 }
 
-func (c *naiveH2Conn) LocalAddr() net.Addr {
-	return M.Socksaddr{}
-}
-
-func (c *naiveH2Conn) RemoteAddr() net.Addr {
-	return c.rAddr
-}
-
-func (c *naiveH2Conn) SetDeadline(t time.Time) error {
-	return os.ErrInvalid
-}
-
-func (c *naiveH2Conn) SetReadDeadline(t time.Time) error {
-	return os.ErrInvalid
-}
-
-func (c *naiveH2Conn) SetWriteDeadline(t time.Time) error {
-	return os.ErrInvalid
-}
-
-func (c *naiveH2Conn) NeedAdditionalReadDeadline() bool {
-	return true
-}
-
-func (c *naiveH2Conn) UpstreamReader() any {
-	return c.reader
-}
-
-func (c *naiveH2Conn) UpstreamWriter() any {
-	return c.writer
-}
-
-func (c *naiveH2Conn) ReaderReplaceable() bool {
-	return c.readPadding == kFirstPaddings
-}
-
-func (c *naiveH2Conn) WriterReplaceable() bool {
-	return c.writePadding == kFirstPaddings
-}
-
-func wrapHttpError(err error) error {
-	if err == nil {
-		return err
-	}
-	if strings.Contains(err.Error(), "client disconnected") {
-		return net.ErrClosed
-	}
-	if strings.Contains(err.Error(), "body closed by handler") {
-		return net.ErrClosed
-	}
-	if strings.Contains(err.Error(), "canceled with error code 268") {
-		return io.EOF
-	}
-	return err
-}
+func (c *naiveH2Conn) LocalAddr() net.Addr                { return M.Socksaddr{} }
+func (c *naiveH2Conn) RemoteAddr() net.Addr               { return c.remoteAddress }
+func (c *naiveH2Conn) SetDeadline(t time.Time) error      { return os.ErrInvalid }
+func (c *naiveH2Conn) SetReadDeadline(t time.Time) error  { return os.ErrInvalid }
+func (c *naiveH2Conn) SetWriteDeadline(t time.Time) error { return os.ErrInvalid }
+func (c *naiveH2Conn) NeedAdditionalReadDeadline() bool   { return true }
+func (c *naiveH2Conn) UpstreamReader() any                { return c.reader }
+func (c *naiveH2Conn) UpstreamWriter() any                { return c.writer }
+func (c *naiveH2Conn) FrontHeadroom() int                 { return c.frontHeadroom() }
+func (c *naiveH2Conn) RearHeadroom() int                  { return c.rearHeadroom() }
+func (c *naiveH2Conn) WriterMTU() int                     { return c.writerMTU() }
+func (c *naiveH2Conn) ReaderReplaceable() bool            { return c.readerReplaceable() }
+func (c *naiveH2Conn) WriterReplaceable() bool            { return c.writerReplaceable() }

protocol/tailscale/endpoint.go

@@ -38,6 +38,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"
 	"github.com/sagernet/tailscale/ipn"
@@ -158,6 +159,7 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 				},
 				TLSClientConfig: &tls.Config{
 					RootCAs: adapter.RootPoolFromContext(ctx),
+					Time:    ntp.TimeFuncFromContext(ctx),
 				},
 			},
 		},
@@ -339,26 +341,42 @@ func (t *Endpoint) DialContext(ctx context.Context, network string, destination
 		}
 		return N.DialSerial(ctx, t, network, destination, destinationAddresses)
 	}
-	addr := tcpip.FullAddress{
+	addr4, addr6 := t.server.TailscaleIPs()
+	remoteAddr := tcpip.FullAddress{
 		NIC:  1,
 		Port: destination.Port,
 		Addr: addressFromAddr(destination.Addr),
 	}
+	var localAddr tcpip.FullAddress
 	var networkProtocol tcpip.NetworkProtocolNumber
 	if destination.IsIPv4() {
+		if !addr4.IsValid() {
+			return nil, E.New("missing Tailscale IPv4 address")
+		}
 		networkProtocol = header.IPv4ProtocolNumber
+		localAddr = tcpip.FullAddress{
+			NIC:  1,
+			Addr: addressFromAddr(addr4),
+		}
 	} else {
+		if !addr6.IsValid() {
+			return nil, E.New("missing Tailscale IPv6 address")
+		}
 		networkProtocol = header.IPv6ProtocolNumber
+		localAddr = tcpip.FullAddress{
+			NIC:  1,
+			Addr: addressFromAddr(addr6),
+		}
 	}
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
-		tcpConn, err := gonet.DialContextTCP(ctx, t.stack, addr, networkProtocol)
+		tcpConn, err := gonet.DialTCPWithBind(ctx, t.stack, localAddr, remoteAddr, networkProtocol)
 		if err != nil {
 			return nil, err
 		}
 		return tcpConn, nil
 	case N.NetworkUDP:
-		udpConn, err := gonet.DialUDP(t.stack, nil, &addr, networkProtocol)
+		udpConn, err := gonet.DialUDP(t.stack, &localAddr, &remoteAddr, networkProtocol)
 		if err != nil {
 			return nil, err
 		}
@@ -456,20 +474,20 @@ func (t *Endpoint) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	metadata.Inbound = t.Tag()
 	metadata.InboundType = t.Type()
 	metadata.Source = source
-	metadata.Destination = destination
 	addr4, addr6 := t.server.TailscaleIPs()
 	switch destination.Addr {
 	case addr4:
 		metadata.OriginDestination = destination
 		destination.Addr = netip.AddrFrom4([4]uint8{127, 0, 0, 1})
-		conn = bufio.NewNATPacketConn(bufio.NewNetPacketConn(conn), metadata.OriginDestination, metadata.Destination)
+		conn = bufio.NewNATPacketConn(bufio.NewNetPacketConn(conn), metadata.OriginDestination, destination)
 	case addr6:
 		metadata.OriginDestination = destination
 		destination.Addr = netip.IPv6Loopback()
-		conn = bufio.NewNATPacketConn(bufio.NewNetPacketConn(conn), metadata.OriginDestination, metadata.Destination)
+		conn = bufio.NewNATPacketConn(bufio.NewNetPacketConn(conn), metadata.OriginDestination, destination)
 	}
+	metadata.Destination = destination
 	t.logger.InfoContext(ctx, "inbound packet connection from ", source)
-	t.logger.InfoContext(ctx, "inbound packet connection to ", destination)
+	t.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
 	t.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 }
 

protocol/wireguard/endpoint.go

@@ -124,8 +124,10 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 				Reserved:                    it.Reserved,
 			}
 		}),
-		Workers: options.Workers,
-		Amnezia: amnezia,
+		Workers:                    options.Workers,
+		PreallocatedBuffersPerPool: options.PreallocatedBuffersPerPool,
+		DisablePauses:              options.DisablePauses,
+		Amnezia:                    amnezia,
 	})
 	if err != nil {
 		return nil, err

protocol/wireguard/endpoint_warp.go

@@ -130,13 +130,15 @@ func NewWARPEndpoint(ctx context.Context, router adapter.Router, logger log.Cont
 			logger,
 			tag,
 			option.WireGuardEndpointOptions{
-				System:        options.System,
-				Name:          options.Name,
-				ListenPort:    options.ListenPort,
-				UDPTimeout:    options.UDPTimeout,
-				Workers:       options.Workers,
-				Amnezia:       options.Amnezia,
-				DialerOptions: options.DialerOptions,
+				System:                     options.System,
+				Name:                       options.Name,
+				ListenPort:                 options.ListenPort,
+				UDPTimeout:                 options.UDPTimeout,
+				Workers:                    options.Workers,
+				PreallocatedBuffersPerPool: options.PreallocatedBuffersPerPool,
+				DisablePauses:              options.DisablePauses,
+				Amnezia:                    options.Amnezia,
+				DialerOptions:              options.DialerOptions,
 
 				Address: badoption.Listable[netip.Prefix]{
 					netip.MustParsePrefix(config.Interface.Addresses.V4 + "/32"),

protocol/wireguard/outbound.go

@@ -125,9 +125,11 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 			}
 			return endpointAddresses[0], nil
 		},
-		Peers:   peers,
-		Workers: options.Workers,
-		Amnezia: amnezia,
+		Peers:                      peers,
+		Workers:                    options.Workers,
+		PreallocatedBuffersPerPool: options.PreallocatedBuffersPerPool,
+		DisablePauses:              options.DisablePauses,
+		Amnezia:                    amnezia,
 	})
 	if err != nil {
 		return nil, err

route/conn.go

@@ -303,7 +303,7 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source net.Conn,
 	} else {
 		if err == nil {
 			m.logger.DebugContext(ctx, "connection download finished")
-		} else if !E.IsClosedOrCanceled(err) && !strings.Contains(err.Error(), "NO_ERROR") {
+		} else if !E.IsClosedOrCanceled(err) && !strings.Contains(err.Error(), "NO_ERROR") && !strings.Contains(err.Error(), "response body closed") {
 			m.logger.ErrorContext(ctx, "connection download closed: ", err)
 		} else {
 			m.logger.TraceContext(ctx, "connection download closed")

service/derp/service.go

@@ -3,6 +3,7 @@ package derp
 import (
 	"bufio"
 	"context"
+	stdTLS "crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -31,6 +32,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
 	aTLS "github.com/sagernet/sing/common/tls"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"
@@ -159,6 +161,10 @@ func (d *Service) Start(stage adapter.StartStage) error {
 				httpClients = append(httpClients, &http.Client{
 					Transport: &http.Transport{
 						ForceAttemptHTTP2: true,
+						TLSClientConfig: &stdTLS.Config{
+							RootCAs: adapter.RootPoolFromContext(d.ctx),
+							Time:    ntp.TimeFuncFromContext(d.ctx),
+						},
 						DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 							return verifyDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 						},

service/ssmapi/cache.go

@@ -49,6 +49,9 @@ func (s *Service) loadCache() error {
 		os.RemoveAll(basePath)
 		return err
 	}
+	s.cacheMutex.Lock()
+	s.lastSavedCache = cacheBinary
+	s.cacheMutex.Unlock()
 	return nil
 }
 
@@ -56,16 +59,30 @@ func (s *Service) saveCache() error {
 	if s.cachePath == "" {
 		return nil
 	}
+	cacheBinary, err := s.encodeCache()
+	if err != nil {
+		return err
+	}
+	s.cacheMutex.Lock()
+	defer s.cacheMutex.Unlock()
+	if bytes.Equal(s.lastSavedCache, cacheBinary) {
+		return nil
+	}
+	return s.writeCache(cacheBinary)
+}
+
+func (s *Service) writeCache(cacheBinary []byte) error {
 	basePath := filemanager.BasePath(s.ctx, s.cachePath)
 	err := os.MkdirAll(filepath.Dir(basePath), 0o777)
 	if err != nil {
 		return err
 	}
-	cacheBinary, err := s.encodeCache()
+	err = os.WriteFile(basePath, cacheBinary, 0o644)
 	if err != nil {
 		return err
 	}
-	return os.WriteFile(s.cachePath, cacheBinary, 0o644)
+	s.lastSavedCache = cacheBinary
+	return nil
 }
 
 func (s *Service) decodeCache(cacheBinary []byte) error {

service/ssmapi/server.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"errors"
 	"net/http"
+	"sync"
+	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	boxService "github.com/sagernet/sing-box/adapter/service"
@@ -28,21 +30,27 @@ func RegisterService(registry *boxService.Registry) {
 
 type Service struct {
 	boxService.Adapter
-	ctx        context.Context
-	logger     log.ContextLogger
-	listener   *listener.Listener
-	tlsConfig  tls.ServerConfig
-	httpServer *http.Server
-	traffics   map[string]*TrafficManager
-	users      map[string]*UserManager
-	cachePath  string
+	ctx            context.Context
+	cancel         context.CancelFunc
+	logger         log.ContextLogger
+	listener       *listener.Listener
+	tlsConfig      tls.ServerConfig
+	httpServer     *http.Server
+	traffics       map[string]*TrafficManager
+	users          map[string]*UserManager
+	cachePath      string
+	saveTicker     *time.Ticker
+	lastSavedCache []byte
+	cacheMutex     sync.Mutex
 }
 
 func NewService(ctx context.Context, logger log.ContextLogger, tag string, options option.SSMAPIServiceOptions) (adapter.Service, error) {
+	ctx, cancel := context.WithCancel(ctx)
 	chiRouter := chi.NewRouter()
 	s := &Service{
 		Adapter: boxService.NewAdapter(C.TypeSSMAPI, tag),
 		ctx:     ctx,
+		cancel:  cancel,
 		logger:  logger,
 		listener: listener.New(listener.Options{
 			Context: ctx,
@@ -95,6 +103,8 @@ func (s *Service) Start(stage adapter.StartStage) error {
 	if err != nil {
 		s.logger.Error(E.Cause(err, "load cache"))
 	}
+	s.saveTicker = time.NewTicker(1 * time.Minute)
+	go s.loopSaveCache()
 	if s.tlsConfig != nil {
 		err = s.tlsConfig.Start()
 		if err != nil {
@@ -120,7 +130,27 @@ func (s *Service) Start(stage adapter.StartStage) error {
 	return nil
 }
 
+func (s *Service) loopSaveCache() {
+	for {
+		select {
+		case <-s.ctx.Done():
+			return
+		case <-s.saveTicker.C:
+			err := s.saveCache()
+			if err != nil {
+				s.logger.Error(E.Cause(err, "save cache"))
+			}
+		}
+	}
+}
+
 func (s *Service) Close() error {
+	if s.cancel != nil {
+		s.cancel()
+	}
+	if s.saveTicker != nil {
+		s.saveTicker.Stop()
+	}
 	err := s.saveCache()
 	if err != nil {
 		s.logger.Error(E.Cause(err, "save cache"))

transport/v2rayquic/stream.go

@@ -14,11 +14,13 @@ type StreamWrapper struct {
 
 func (s *StreamWrapper) Read(p []byte) (n int, err error) {
 	n, err = s.Stream.Read(p)
+	//nolint:staticcheck
 	return n, baderror.WrapQUIC(err)
 }
 
 func (s *StreamWrapper) Write(p []byte) (n int, err error) {
 	n, err = s.Stream.Write(p)
+	//nolint:staticcheck
 	return n, baderror.WrapQUIC(err)
 }
 

transport/v2rayxhttp/client.go

@@ -13,8 +13,8 @@ import (
 	"sync/atomic"
 	"time"
 
-	"github.com/quic-go/quic-go"
-	"github.com/quic-go/quic-go/http3"
+	"github.com/sagernet/quic-go"
+	"github.com/sagernet/quic-go/http3"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tls"
 	"github.com/sagernet/sing-box/common/xray/buf"
@@ -23,6 +23,7 @@ import (
 	"github.com/sagernet/sing-box/common/xray/signal/done"
 	"github.com/sagernet/sing-box/common/xray/uuid"
 	"github.com/sagernet/sing-box/option"
+	qtls "github.com/sagernet/sing-quic"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -47,14 +48,6 @@ func NewClient(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, opt
 		return nil, E.New("mode is not set")
 	}
 	dest := serverAddr
-	var gotlsConfig *gotls.Config
-	if tlsConfig != nil {
-		var err error
-		gotlsConfig, err = tlsConfig.Config()
-		if err != nil {
-			return nil, err
-		}
-	}
 	baseRequestURL, err := getBaseRequestURL(
 		&options.V2RayXHTTPBaseOptions, dest, tlsConfig,
 	)
@@ -71,7 +64,7 @@ func NewClient(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, opt
 		xmuxOptions = *options.Xmux
 	}
 	xmuxManager := NewXmuxManager(xmuxOptions, func() XmuxConn {
-		return createHTTPClient(dest, dialer, &options.V2RayXHTTPBaseOptions, tlsConfig, gotlsConfig)
+		return createHTTPClient(dest, dialer, &options.V2RayXHTTPBaseOptions, tlsConfig)
 	})
 	getHTTPClient := func() (DialerClient, *XmuxClient) {
 		xmuxClient := xmuxManager.GetXmuxClient(ctx)
@@ -91,16 +84,11 @@ func NewClient(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, opt
 		}
 		dest2 := options2.ServerOptions.Build()
 		var tlsConfig2 tls.Config
-		var gotlsConfig2 *gotls.Config
 		if options2.TLS != nil {
 			tlsConfig2, err = tls.NewClient(ctx, options2.Server, common.PtrValueOrDefault(options2.TLS))
 			if err != nil {
 				return nil, err
 			}
-			gotlsConfig2, err = tlsConfig2.Config()
-			if err != nil {
-				return nil, err
-			}
 		}
 		baseRequestURL2, err := getBaseRequestURL(&options2.V2RayXHTTPBaseOptions, dest2, tlsConfig2)
 		if err != nil {
@@ -116,7 +104,7 @@ func NewClient(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, opt
 			xmuxOptions2 = *options2.Xmux
 		}
 		xmuxManager2 := NewXmuxManager(xmuxOptions2, func() XmuxConn {
-			return createHTTPClient(dest2, dialer2, &options2.V2RayXHTTPBaseOptions, tlsConfig2, gotlsConfig2)
+			return createHTTPClient(dest2, dialer2, &options2.V2RayXHTTPBaseOptions, tlsConfig2)
 		})
 		getHTTPClient2 = func() (DialerClient, *XmuxClient) {
 			xmuxClient2 := xmuxManager2.GetXmuxClient(ctx)
@@ -262,11 +250,11 @@ func (c *Client) Close() error {
 	return nil
 }
 
-func decideHTTPVersion(gotlsConfig *gotls.Config) string {
-	if gotlsConfig == nil || len(gotlsConfig.NextProtos) == 0 || gotlsConfig.NextProtos[0] == "http/1.1" {
+func decideHTTPVersion(tlsConfig tls.Config) string {
+	if tlsConfig == nil || len(tlsConfig.NextProtos()) == 0 || tlsConfig.NextProtos()[0] == "http/1.1" {
 		return "1.1"
 	}
-	if gotlsConfig.NextProtos[0] == "h3" {
+	if tlsConfig.NextProtos()[0] == "h3" {
 		return "3"
 	}
 	return "2"
@@ -298,8 +286,8 @@ func getBaseRequestURL(options *option.V2RayXHTTPBaseOptions, dest M.Socksaddr,
 	return requestURL, nil
 }
 
-func createHTTPClient(dest M.Socksaddr, dialer N.Dialer, options *option.V2RayXHTTPBaseOptions, tlsConfig tls.Config, gotlsConfig *gotls.Config) DialerClient {
-	httpVersion := decideHTTPVersion(gotlsConfig)
+func createHTTPClient(dest M.Socksaddr, dialer N.Dialer, options *option.V2RayXHTTPBaseOptions, tlsConfig tls.Config) DialerClient {
+	httpVersion := decideHTTPVersion(tlsConfig)
 	dialContext := func(ctxInner context.Context) (net.Conn, error) {
 		conn, err := dialer.DialContext(ctxInner, "tcp", dest)
 		if err != nil {
@@ -332,14 +320,13 @@ func createHTTPClient(dest M.Socksaddr, dialer N.Dialer, options *option.V2RayXH
 			KeepAlivePeriod:    keepAlivePeriod,
 		}
 		transport = &http3.Transport{
-			QUICConfig:      quicConfig,
-			TLSClientConfig: gotlsConfig.Clone(),
-			Dial: func(ctx context.Context, addr string, tlsCfg *gotls.Config, cfg *quic.Config) (*quic.Conn, error) {
+			QUICConfig: quicConfig,
+			Dial: func(ctx context.Context, addr string, tlsCfg *gotls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 				udpConn, dErr := dialer.DialContext(ctx, N.NetworkUDP, dest)
 				if dErr != nil {
 					return nil, dErr
 				}
-				return quic.DialEarly(ctx, bufio.NewUnbindPacketConn(udpConn), udpConn.RemoteAddr(), tlsCfg, cfg)
+				return qtls.DialEarly(ctx, bufio.NewUnbindPacketConn(udpConn), udpConn.RemoteAddr(), tlsConfig, cfg)
 			},
 		}
 	case "2":

transport/v2rayxhttp/writer.go

@@ -1,6 +1,7 @@
 package xhttp
 
 import (
+	common "github.com/sagernet/sing-box/common/xray"
 	"github.com/sagernet/sing-box/common/xray/buf"
 	"github.com/sagernet/sing-box/common/xray/pipe"
 )
@@ -24,15 +25,17 @@ func (w uploadWriter) Write(b []byte) (int, error) {
 			b = b[:capacity]
 		}
 	*/
-	buffer := buf.New()
-	n, err := buffer.Write(b)
-	if err != nil {
-		return 0, err
-	}
 
-	err = w.WriteMultiBuffer([]*buf.Buffer{buffer})
-	if err != nil {
-		return 0, err
+	buffer := buf.MultiBufferContainer{}
+	common.Must2(buffer.Write(b))
+
+	var writed int
+	for _, buff := range buffer.MultiBuffer {
+		err := w.WriteMultiBuffer(buf.MultiBuffer{buff})
+		if err != nil {
+			return writed, err
+		}
+		writed += int(buff.Len())
 	}
-	return n, nil
+	return writed, nil
 }

transport/wireguard/endpoint.go

@@ -177,7 +177,7 @@ func (e *Endpoint) Start(resolve bool) error {
 			e.options.Logger.Error(fmt.Sprintf(strings.ToLower(format), args...))
 		},
 	}
-	wgDevice := device.NewDevice(e.options.Context, e.tunDevice, bind, logger, e.options.Workers)
+	wgDevice := device.NewDevice(e.options.Context, e.tunDevice, bind, logger, e.options.Workers, e.options.PreallocatedBuffersPerPool, e.options.DisablePauses)
 	e.tunDevice.SetDevice(wgDevice)
 	ipcConf := e.ipcConf
 	if e.options.Amnezia != nil {

transport/wireguard/endpoint_options.go

@@ -12,22 +12,24 @@ import (
 )
 
 type EndpointOptions struct {
-	Context      context.Context
-	Logger       logger.ContextLogger
-	System       bool
-	Handler      tun.Handler
-	UDPTimeout   time.Duration
-	Dialer       N.Dialer
-	CreateDialer func(interfaceName string) N.Dialer
-	Name         string
-	MTU          uint32
-	Address      []netip.Prefix
-	PrivateKey   string
-	ListenPort   uint16
-	ResolvePeer  func(domain string) (netip.Addr, error)
-	Peers        []PeerOptions
-	Workers      int
-	Amnezia      *AmneziaOptions
+	Context                    context.Context
+	Logger                     logger.ContextLogger
+	System                     bool
+	Handler                    tun.Handler
+	UDPTimeout                 time.Duration
+	Dialer                     N.Dialer
+	CreateDialer               func(interfaceName string) N.Dialer
+	Name                       string
+	MTU                        uint32
+	Address                    []netip.Prefix
+	PrivateKey                 string
+	ListenPort                 uint16
+	ResolvePeer                func(domain string) (netip.Addr, error)
+	Peers                      []PeerOptions
+	Workers                    int
+	PreallocatedBuffersPerPool uint32
+	DisablePauses              bool
+	Amnezia                    *AmneziaOptions
 }
 
 type PeerOptions struct {