Merge branch 'dev-next' into origin/tls-client-auth

Signed-off-by: jose-C2OaWi <111356383+jose-C2OaWi@users.noreply.github.com>

adapter/router.go

@@ -2,12 +2,14 @@ package adapter
 
 import (
 	"context"
+	"net/http"
 	"net/netip"
 
 	"github.com/sagernet/sing-box/common/geoip"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
+	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 
 	mdns "github.com/miekg/dns"
@@ -83,8 +85,14 @@ type DNSRule interface {
 }
 
 type RuleSet interface {
+	StartContext(ctx context.Context, startContext RuleSetStartContext) error
+	Close() error
 	HeadlessRule
-	Service
+}
+
+type RuleSetStartContext interface {
+	HTTPClient(detour string, dialer N.Dialer) *http.Client
+	Close()
 }
 
 type InterfaceUpdateListener interface {

docs/changelog.md

@@ -4,6 +4,16 @@ icon: material/alert-decagram
 
 # ChangeLog
 
+#### 1.8.0-alpha.5
+
+* Parallel rule-set initialization
+* Independent `source_ip_is_private` and `ip_is_private` rules **1**
+
+**1**:
+
+The `private` GeoIP country never existed and was actually implemented inside V2Ray. 
+Since GeoIP was deprecated, we made this rule independent, see [Migration](/migration/#migrate-geoip-to-rule-sets).
+
 #### 1.8.0-alpha.1
 
 * Migrate cache file from Clash API to independent options **1**

docs/configuration/dns/rule.md

@@ -5,6 +5,7 @@ icon: material/alert-decagram
 !!! quote "Changes in sing-box 1.8.0"
 
     :material-plus: [rule_set](#rule_set)  
+    :material-plus: [source_ip_is_private](#source_ip_is_private)  
     :material-delete-clock: [geoip](#geoip)  
     :material-delete-clock: [geosite](#geosite)
 
@@ -56,6 +57,7 @@ icon: material/alert-decagram
           "10.0.0.0/24",
           "192.168.0.1"
         ],
+        "source_ip_is_private": false,
         "source_port": [
           12345
         ],
@@ -182,7 +184,7 @@ Match domain using regular expression.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-set).
+    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-sets).
 
 Match geosite.
 
@@ -190,7 +192,7 @@ Match geosite.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-set).
+    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 Match source geoip.
 
@@ -198,6 +200,12 @@ Match source geoip.
 
 Match source IP CIDR.
 
+#### source_ip_is_private
+
+!!! question "Since sing-box 1.8.0"
+
+Match non-public source IP.
+
 #### source_port
 
 Match source port.

docs/configuration/dns/rule.zh.md

@@ -5,6 +5,7 @@ icon: material/alert-decagram
 !!! quote "sing-box 1.8.0 中的更改"
 
     :material-plus: [rule_set](#rule_set)  
+    :material-plus: [source_ip_is_private](#source_ip_is_private)  
     :material-delete-clock: [geoip](#geoip)  
     :material-delete-clock: [geosite](#geosite)
 
@@ -55,6 +56,7 @@ icon: material/alert-decagram
         "source_ip_cidr": [
           "10.0.0.0/24"
         ],
+        "source_ip_is_private": false,
         "source_port": [
           12345
         ],
@@ -179,7 +181,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 !!! failure "已在 sing-box 1.8.0 废弃"
 
-    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/migration/#migrate-geosite-to-rule-set)。
+    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/migration/#migrate-geosite-to-rule-sets)。
 
 匹配 Geosite。
 
@@ -187,7 +189,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 !!! failure "已在 sing-box 1.8.0 废弃"
 
-    GeoIp 已废弃且可能在不久的将来移除，参阅 [迁移指南](/migration/#migrate-geoip-to-rule-set)。
+    GeoIp 已废弃且可能在不久的将来移除，参阅 [迁移指南](/migration/#migrate-geoip-to-rule-sets)。
 
 匹配源 GeoIP。
 
@@ -195,6 +197,12 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 匹配源 IP CIDR。
 
+#### source_ip_is_private
+
+!!! question "自 sing-box 1.8.0 起"
+
+匹配非公开源 IP。
+
 #### source_port
 
 匹配源端口。

docs/configuration/route/geoip.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-set).
+    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 ### Structure
 

docs/configuration/route/geosite.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-set).
+    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-sets).
 
 ### Structure
 

docs/configuration/route/rule.md

@@ -6,6 +6,8 @@ icon: material/alert-decagram
 
     :material-plus: [rule_set](#rule_set)  
     :material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
+    :material-plus: [source_ip_is_private](#source_ip_is_private)  
+    :material-plus: [ip_is_private](#ip_is_private)  
     :material-delete-clock: [source_geoip](#source_geoip)  
     :material-delete-clock: [geoip](#geoip)  
     :material-delete-clock: [geosite](#geosite)
@@ -58,10 +60,12 @@ icon: material/alert-decagram
           "10.0.0.0/24",
           "192.168.0.1"
         ],
+        "source_ip_is_private": false,
         "ip_cidr": [
           "10.0.0.0/24",
           "192.168.0.1"
         ],
+        "ip_is_private": false,
         "source_port": [
           12345
         ],
@@ -178,7 +182,7 @@ Match domain using regular expression.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-set).
+    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-sets).
 
 Match geosite.
 
@@ -186,7 +190,7 @@ Match geosite.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-set).
+    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 Match source geoip.
 
@@ -194,7 +198,7 @@ Match source geoip.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-set).
+    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 Match geoip.
 
@@ -202,10 +206,22 @@ Match geoip.
 
 Match source IP CIDR.
 
+#### ip_is_private
+
+!!! question "Since sing-box 1.8.0"
+
+Match non-public IP.
+
 #### ip_cidr
 
 Match IP CIDR.
 
+#### source_ip_is_private
+
+!!! question "Since sing-box 1.8.0"
+
+Match non-public source IP.
+
 #### source_port
 
 Match source port.

docs/configuration/route/rule.zh.md

@@ -6,6 +6,8 @@ icon: material/alert-decagram
 
     :material-plus: [rule_set](#rule_set)  
     :material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
+    :material-plus: [source_ip_is_private](#source_ip_is_private)  
+    :material-plus: [ip_is_private](#ip_is_private)  
     :material-delete-clock: [source_geoip](#source_geoip)  
     :material-delete-clock: [geoip](#geoip)  
     :material-delete-clock: [geosite](#geosite)
@@ -57,9 +59,11 @@ icon: material/alert-decagram
         "source_ip_cidr": [
           "10.0.0.0/24"
         ],
+        "source_ip_is_private": false,
         "ip_cidr": [
           "10.0.0.0/24"
         ],
+        "ip_is_private": false,
         "source_port": [
           12345
         ],
@@ -176,7 +180,7 @@ icon: material/alert-decagram
 
 !!! failure "已在 sing-box 1.8.0 废弃"
 
-    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/migration/#migrate-geosite-to-rule-set)。
+    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/migration/#migrate-geosite-to-rule-sets)。
 
 匹配 Geosite。
 
@@ -184,7 +188,7 @@ icon: material/alert-decagram
 
 !!! failure "已在 sing-box 1.8.0 废弃"
 
-    GeoIp 已废弃且可能在不久的将来移除，参阅 [迁移指南](/migration/#migrate-geoip-to-rule-set)。
+    GeoIp 已废弃且可能在不久的将来移除，参阅 [迁移指南](/migration/#migrate-geoip-to-rule-sets)。
 
 匹配源 GeoIP。
 
@@ -192,7 +196,7 @@ icon: material/alert-decagram
 
 !!! failure "已在 sing-box 1.8.0 废弃"
 
-    GeoIp 已废弃且可能在不久的将来移除，参阅 [迁移指南](/migration/#migrate-geoip-to-rule-set)。
+    GeoIp 已废弃且可能在不久的将来移除，参阅 [迁移指南](/migration/#migrate-geoip-to-rule-sets)。
 
 匹配 GeoIP。
 
@@ -200,10 +204,22 @@ icon: material/alert-decagram
 
 匹配源 IP CIDR。
 
+#### source_ip_is_private
+
+!!! question "自 sing-box 1.8.0 起"
+
+匹配非公开源 IP。
+
 #### ip_cidr
 
 匹配 IP CIDR。
 
+#### ip_is_private
+
+!!! question "自 sing-box 1.8.0 起"
+
+匹配非公开 IP。
+
 #### source_port
 
 匹配源端口。

docs/manual/proxy/client.md

@@ -531,7 +531,7 @@ flowchart TB
             "outbound": "dns"
           },
           {
-            "geoip": "private",
+            "ip_is_private": true,
             "outbound": "direct"
           },
           {

docs/migration.md

@@ -68,6 +68,10 @@ icon: material/arrange-bring-forward
     {
       "route": {
         "rules": [
+          {
+            "geoip": "private",
+            "outbound": "direct"
+          },
           {
             "geoip": "cn",
             "outbound": "direct"
@@ -90,6 +94,10 @@ icon: material/arrange-bring-forward
     {
       "route": {
         "rules": [
+          {
+            "ip_is_private": true,
+            "outbound": "direct"
+          },
           {
             "rule_set": "geoip-cn",
             "outbound": "direct"

go.mod

@@ -26,7 +26,7 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20231119034329-07cfb6aaf930
 	github.com/sagernet/quic-go v0.40.0
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.2.18-0.20231129075305-eb56a60214be
+	github.com/sagernet/sing v0.2.18-0.20231130092223-1f82310f0375
 	github.com/sagernet/sing-dns v0.1.11
 	github.com/sagernet/sing-mux v0.1.5-0.20231109075101-6b086ed6bb07
 	github.com/sagernet/sing-quic v0.1.5-0.20231123150216-00957d136203

go.sum

@@ -110,8 +110,8 @@ github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byL
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
-github.com/sagernet/sing v0.2.18-0.20231129075305-eb56a60214be h1:FigAM9kq7RRXmHvgn8w2a8tqCY5CMV5GIk0id84dI0o=
+github.com/sagernet/sing v0.2.18-0.20231130092223-1f82310f0375 h1:5Q5K/twBNT1Hrpjd5Ghft0Sv0V+eVfTZX17CiPItSV8=
-github.com/sagernet/sing v0.2.18-0.20231129075305-eb56a60214be/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
+github.com/sagernet/sing v0.2.18-0.20231130092223-1f82310f0375/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
 github.com/sagernet/sing-dns v0.1.11 h1:PPrMCVVrAeR3f5X23I+cmvacXJ+kzuyAsBiWyUKhGSE=
 github.com/sagernet/sing-dns v0.1.11/go.mod h1:zJ/YjnYB61SYE+ubMcMqVdpaSvsyQ2iShQGO3vuLvvE=
 github.com/sagernet/sing-mux v0.1.5-0.20231109075101-6b086ed6bb07 h1:ncKb5tVOsCQgCsv6UpsA0jinbNb5OQ5GMPJlyQP3EHM=

option/rule.go

@@ -78,7 +78,9 @@ type DefaultRule struct {
 	SourceGeoIP              Listable[string] `json:"source_geoip,omitempty"`
 	GeoIP                    Listable[string] `json:"geoip,omitempty"`
 	SourceIPCIDR             Listable[string] `json:"source_ip_cidr,omitempty"`
+	SourceIPIsPrivate        bool             `json:"source_ip_is_private,omitempty"`
 	IPCIDR                   Listable[string] `json:"ip_cidr,omitempty"`
+	IPIsPrivate              bool             `json:"ip_is_private,omitempty"`
 	SourcePort               Listable[uint16] `json:"source_port,omitempty"`
 	SourcePortRange          Listable[string] `json:"source_port_range,omitempty"`
 	Port                     Listable[uint16] `json:"port,omitempty"`

option/rule_dns.go

@@ -65,37 +65,38 @@ func (r DNSRule) IsValid() bool {
 }
 
 type DefaultDNSRule struct {
-	Inbound         Listable[string]       `json:"inbound,omitempty"`
+	Inbound           Listable[string]       `json:"inbound,omitempty"`
-	IPVersion       int                    `json:"ip_version,omitempty"`
+	IPVersion         int                    `json:"ip_version,omitempty"`
-	QueryType       Listable[DNSQueryType] `json:"query_type,omitempty"`
+	QueryType         Listable[DNSQueryType] `json:"query_type,omitempty"`
-	Network         Listable[string]       `json:"network,omitempty"`
+	Network           Listable[string]       `json:"network,omitempty"`
-	AuthUser        Listable[string]       `json:"auth_user,omitempty"`
+	AuthUser          Listable[string]       `json:"auth_user,omitempty"`
-	Protocol        Listable[string]       `json:"protocol,omitempty"`
+	Protocol          Listable[string]       `json:"protocol,omitempty"`
-	Domain          Listable[string]       `json:"domain,omitempty"`
+	Domain            Listable[string]       `json:"domain,omitempty"`
-	DomainSuffix    Listable[string]       `json:"domain_suffix,omitempty"`
+	DomainSuffix      Listable[string]       `json:"domain_suffix,omitempty"`
-	DomainKeyword   Listable[string]       `json:"domain_keyword,omitempty"`
+	DomainKeyword     Listable[string]       `json:"domain_keyword,omitempty"`
-	DomainRegex     Listable[string]       `json:"domain_regex,omitempty"`
+	DomainRegex       Listable[string]       `json:"domain_regex,omitempty"`
-	Geosite         Listable[string]       `json:"geosite,omitempty"`
+	Geosite           Listable[string]       `json:"geosite,omitempty"`
-	SourceGeoIP     Listable[string]       `json:"source_geoip,omitempty"`
+	SourceGeoIP       Listable[string]       `json:"source_geoip,omitempty"`
-	SourceIPCIDR    Listable[string]       `json:"source_ip_cidr,omitempty"`
+	SourceIPCIDR      Listable[string]       `json:"source_ip_cidr,omitempty"`
-	SourcePort      Listable[uint16]       `json:"source_port,omitempty"`
+	SourceIPIsPrivate bool                   `json:"source_ip_is_private,omitempty"`
-	SourcePortRange Listable[string]       `json:"source_port_range,omitempty"`
+	SourcePort        Listable[uint16]       `json:"source_port,omitempty"`
-	Port            Listable[uint16]       `json:"port,omitempty"`
+	SourcePortRange   Listable[string]       `json:"source_port_range,omitempty"`
-	PortRange       Listable[string]       `json:"port_range,omitempty"`
+	Port              Listable[uint16]       `json:"port,omitempty"`
-	ProcessName     Listable[string]       `json:"process_name,omitempty"`
+	PortRange         Listable[string]       `json:"port_range,omitempty"`
-	ProcessPath     Listable[string]       `json:"process_path,omitempty"`
+	ProcessName       Listable[string]       `json:"process_name,omitempty"`
-	PackageName     Listable[string]       `json:"package_name,omitempty"`
+	ProcessPath       Listable[string]       `json:"process_path,omitempty"`
-	User            Listable[string]       `json:"user,omitempty"`
+	PackageName       Listable[string]       `json:"package_name,omitempty"`
-	UserID          Listable[int32]        `json:"user_id,omitempty"`
+	User              Listable[string]       `json:"user,omitempty"`
-	Outbound        Listable[string]       `json:"outbound,omitempty"`
+	UserID            Listable[int32]        `json:"user_id,omitempty"`
-	ClashMode       string                 `json:"clash_mode,omitempty"`
+	Outbound          Listable[string]       `json:"outbound,omitempty"`
-	WIFISSID        Listable[string]       `json:"wifi_ssid,omitempty"`
+	ClashMode         string                 `json:"clash_mode,omitempty"`
-	WIFIBSSID       Listable[string]       `json:"wifi_bssid,omitempty"`
+	WIFISSID          Listable[string]       `json:"wifi_ssid,omitempty"`
-	RuleSet         Listable[string]       `json:"rule_set,omitempty"`
+	WIFIBSSID         Listable[string]       `json:"wifi_bssid,omitempty"`
-	Invert          bool                   `json:"invert,omitempty"`
+	RuleSet           Listable[string]       `json:"rule_set,omitempty"`
-	Server          string                 `json:"server,omitempty"`
+	Invert            bool                   `json:"invert,omitempty"`
-	DisableCache    bool                   `json:"disable_cache,omitempty"`
+	Server            string                 `json:"server,omitempty"`
-	RewriteTTL      *uint32                `json:"rewrite_ttl,omitempty"`
+	DisableCache      bool                   `json:"disable_cache,omitempty"`
+	RewriteTTL        *uint32                `json:"rewrite_ttl,omitempty"`
 }
 
 func (r DefaultDNSRule) IsValid() bool {

outbound/urltest.go

@@ -38,6 +38,7 @@ type URLTest struct {
 	tolerance                    uint16
 	group                        *URLTestGroup
 	interruptExternalConnections bool
+	started                      bool
 }
 
 func NewURLTest(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.URLTestOutboundOptions) (*URLTest, error) {
@@ -83,6 +84,7 @@ func (s *URLTest) Start() error {
 }
 
 func (s *URLTest) PostStart() error {
+	s.started = true
 	go s.CheckOutbounds()
 	return nil
 }
@@ -110,7 +112,9 @@ func (s *URLTest) CheckOutbounds() {
 }
 
 func (s *URLTest) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	s.group.Start()
+	if s.started {
+		s.group.Start()
+	}
 	outbound := s.group.Select(network)
 	conn, err := outbound.DialContext(ctx, network, destination)
 	if err == nil {
@@ -122,7 +126,9 @@ func (s *URLTest) DialContext(ctx context.Context, network string, destination M
 }
 
 func (s *URLTest) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	s.group.Start()
+	if s.started {
+		s.group.Start()
+	}
 	outbound := s.group.Select(N.NetworkUDP)
 	conn, err := outbound.ListenPacket(ctx, destination)
 	if err == nil {

route/router.go

@@ -39,6 +39,7 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	serviceNTP "github.com/sagernet/sing/common/ntp"
+	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/common/uot"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/pause"
@@ -490,12 +491,33 @@ func (r *Router) Start() error {
 	if r.needWIFIState {
 		r.updateWIFIState()
 	}
-	for i, ruleSet := range r.ruleSets {
+	if r.fakeIPStore != nil {
-		err := ruleSet.Start()
+		err := r.fakeIPStore.Start()
 		if err != nil {
-			return E.Cause(err, "initialize rule-set[", i, "]")
+			return err
 		}
 	}
+	if len(r.ruleSets) > 0 {
+		ruleSetStartContext := NewRuleSetStartContext()
+		var ruleSetStartGroup task.Group
+		for i, ruleSet := range r.ruleSets {
+			ruleSetInPlace := ruleSet
+			ruleSetStartGroup.Append0(func(ctx context.Context) error {
+				err := ruleSetInPlace.StartContext(ctx, ruleSetStartContext)
+				if err != nil {
+					return E.Cause(err, "initialize rule-set[", i, "]")
+				}
+				return nil
+			})
+		}
+		ruleSetStartGroup.Concurrency(5)
+		ruleSetStartGroup.FastFail()
+		err := ruleSetStartGroup.Run(r.ctx)
+		if err != nil {
+			return err
+		}
+		ruleSetStartContext.Close()
+	}
 	for i, rule := range r.rules {
 		err := rule.Start()
 		if err != nil {
@@ -508,12 +530,6 @@ func (r *Router) Start() error {
 			return E.Cause(err, "initialize DNS rule[", i, "]")
 		}
 	}
-	if r.fakeIPStore != nil {
-		err := r.fakeIPStore.Start()
-		if err != nil {
-			return err
-		}
-	}
 	for i, transport := range r.transports {
 		err := transport.Start()
 		if err != nil {

route/rule_default.go

@@ -120,6 +120,11 @@ func NewDefaultRule(router adapter.Router, logger log.ContextLogger, options opt
 		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
+	if options.SourceIPIsPrivate {
+		item := NewIPIsPrivateItem(true)
+		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
 	if len(options.IPCIDR) > 0 {
 		item, err := NewIPCIDRItem(false, options.IPCIDR)
 		if err != nil {
@@ -128,6 +133,11 @@ func NewDefaultRule(router adapter.Router, logger log.ContextLogger, options opt
 		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
+	if options.IPIsPrivate {
+		item := NewIPIsPrivateItem(false)
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
 	if len(options.SourcePort) > 0 {
 		item := NewPortItem(true, options.SourcePort)
 		rule.sourcePortItems = append(rule.sourcePortItems, item)

route/rule_dns.go

@@ -119,6 +119,11 @@ func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options
 		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
+	if options.SourceIPIsPrivate {
+		item := NewIPIsPrivateItem(true)
+		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
 	if len(options.SourcePort) > 0 {
 		item := NewPortItem(true, options.SourcePort)
 		rule.sourcePortItems = append(rule.sourcePortItems, item)

route/rule_item_ip_is_private.go

@@ -0,0 +1,44 @@
+package route
+
+import (
+	"net/netip"
+
+	"github.com/sagernet/sing-box/adapter"
+	N "github.com/sagernet/sing/common/network"
+)
+
+var _ RuleItem = (*IPIsPrivateItem)(nil)
+
+type IPIsPrivateItem struct {
+	isSource bool
+}
+
+func NewIPIsPrivateItem(isSource bool) *IPIsPrivateItem {
+	return &IPIsPrivateItem{isSource}
+}
+
+func (r *IPIsPrivateItem) Match(metadata *adapter.InboundContext) bool {
+	var destination netip.Addr
+	if r.isSource {
+		destination = metadata.Source.Addr
+	} else {
+		destination = metadata.Destination.Addr
+	}
+	if destination.IsValid() && !N.IsPublicAddr(destination) {
+		return true
+	}
+	for _, destinationAddress := range metadata.DestinationAddresses {
+		if !N.IsPublicAddr(destinationAddress) {
+			return true
+		}
+	}
+	return false
+}
+
+func (r *IPIsPrivateItem) String() string {
+	if r.isSource {
+		return "source_ip_is_private=true"
+	} else {
+		return "ip_is_private=true"
+	}
+}

route/rule_set.go

@@ -2,12 +2,17 @@ package route
 
 import (
 	"context"
+	"net"
+	"net/http"
+	"sync"
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
 )
 
 func NewRuleSet(ctx context.Context, router adapter.Router, logger logger.ContextLogger, options option.RuleSet) (adapter.RuleSet, error) {
@@ -20,3 +25,43 @@ func NewRuleSet(ctx context.Context, router adapter.Router, logger logger.Contex
 		return nil, E.New("unknown rule set type: ", options.Type)
 	}
 }
+
+var _ adapter.RuleSetStartContext = (*RuleSetStartContext)(nil)
+
+type RuleSetStartContext struct {
+	access          sync.Mutex
+	httpClientCache map[string]*http.Client
+}
+
+func NewRuleSetStartContext() *RuleSetStartContext {
+	return &RuleSetStartContext{
+		httpClientCache: make(map[string]*http.Client),
+	}
+}
+
+func (c *RuleSetStartContext) HTTPClient(detour string, dialer N.Dialer) *http.Client {
+	c.access.Lock()
+	defer c.access.Unlock()
+	if httpClient, loaded := c.httpClientCache[detour]; loaded {
+		return httpClient
+	}
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			ForceAttemptHTTP2:   true,
+			TLSHandshakeTimeout: C.TCPTimeout,
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+			},
+		},
+	}
+	c.httpClientCache[detour] = httpClient
+	return httpClient
+}
+
+func (c *RuleSetStartContext) Close() {
+	c.access.Lock()
+	defer c.access.Unlock()
+	for _, client := range c.httpClientCache {
+		client.CloseIdleConnections()
+	}
+}

route/rule_set_local.go

@@ -1,6 +1,7 @@
 package route
 
 import (
+	"context"
 	"os"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -60,7 +61,7 @@ func (s *LocalRuleSet) Match(metadata *adapter.InboundContext) bool {
 	return false
 }
 
-func (s *LocalRuleSet) Start() error {
+func (s *LocalRuleSet) StartContext(ctx context.Context, startContext adapter.RuleSetStartContext) error {
 	return nil
 }
 

route/rule_set_remote.go

@@ -42,7 +42,7 @@ func NewRemoteRuleSet(ctx context.Context, router adapter.Router, logger logger.
 	if options.RemoteOptions.UpdateInterval > 0 {
 		updateInterval = time.Duration(options.RemoteOptions.UpdateInterval)
 	} else {
-		updateInterval = 12 * time.Hour
+		updateInterval = 24 * time.Hour
 	}
 	return &RemoteRuleSet{
 		ctx:            ctx,
@@ -63,7 +63,7 @@ func (s *RemoteRuleSet) Match(metadata *adapter.InboundContext) bool {
 	return false
 }
 
-func (s *RemoteRuleSet) Start() error {
+func (s *RemoteRuleSet) StartContext(ctx context.Context, startContext adapter.RuleSetStartContext) error {
 	var dialer N.Dialer
 	if s.options.RemoteOptions.DownloadDetour != "" {
 		outbound, loaded := s.router.Outbound(s.options.RemoteOptions.DownloadDetour)
@@ -91,7 +91,7 @@ func (s *RemoteRuleSet) Start() error {
 		}
 	}
 	if s.lastUpdated.IsZero() || time.Since(s.lastUpdated) > s.updateInterval {
-		err := s.fetchOnce()
+		err := s.fetchOnce(ctx, startContext)
 		if err != nil {
 			return E.Cause(err, "fetch rule-set ", s.options.Tag)
 		}
@@ -141,7 +141,7 @@ func (s *RemoteRuleSet) loopUpdate() {
 		case <-s.ctx.Done():
 			return
 		case <-s.updateTicker.C:
-			err := s.fetchOnce()
+			err := s.fetchOnce(s.ctx, nil)
 			if err != nil {
 				s.logger.Error("fetch rule-set ", s.options.Tag, ": ", err)
 			}
@@ -149,18 +149,22 @@ func (s *RemoteRuleSet) loopUpdate() {
 	}
 }
 
-func (s *RemoteRuleSet) fetchOnce() error {
+func (s *RemoteRuleSet) fetchOnce(ctx context.Context, startContext adapter.RuleSetStartContext) error {
 	s.logger.Debug("updating rule-set ", s.options.Tag, " from URL: ", s.options.RemoteOptions.URL)
-	httpClient := &http.Client{
+	var httpClient *http.Client
-		Transport: &http.Transport{
+	if startContext != nil {
-			ForceAttemptHTTP2:   true,
+		httpClient = startContext.HTTPClient(s.options.RemoteOptions.DownloadDetour, s.dialer)
-			TLSHandshakeTimeout: C.TCPTimeout,
+	} else {
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+		httpClient = &http.Client{
-				return s.dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+			Transport: &http.Transport{
+				ForceAttemptHTTP2:   true,
+				TLSHandshakeTimeout: C.TCPTimeout,
+				DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+					return s.dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+				},
 			},
-		},
+		}
 	}
-	defer httpClient.CloseIdleConnections()
 	request, err := http.NewRequest("GET", s.options.RemoteOptions.URL, nil)
 	if err != nil {
 		return err
@@ -168,7 +172,7 @@ func (s *RemoteRuleSet) fetchOnce() error {
 	if s.lastEtag != "" {
 		request.Header.Set("If-None-Match", s.lastEtag)
 	}
-	response, err := httpClient.Do(request.WithContext(s.ctx))
+	response, err := httpClient.Do(request.WithContext(ctx))
 	if err != nil {
 		return err
 	}