.fpm

@@ -1,12 +1,11 @@
 -s dir
 --name sing-box
 --category net
---license GPL-3.0-or-later
+--license GPLv3-or-later
 --description "The universal proxy platform."
 --url "https://sing-box.sagernet.org/"
 --maintainer "nekohasekai <contact-git@sekai.icu>"
 --deb-field "Bug: https://github.com/SagerNet/sing-box/issues"
---no-deb-generate-changes
 --config-files /etc/sing-box/config.json
 
 release/config/config.json=/etc/sing-box/config.json

.fpm_openwrt

@@ -1,30 +0,0 @@
--s dir
---name sing-box
---category net
---license GPL-3.0-or-later
---description "The universal proxy platform."
---url "https://sing-box.sagernet.org/"
---maintainer "nekohasekai <contact-git@sekai.icu>"
---no-deb-generate-changes
-
---config-files /etc/config/sing-box
---config-files /etc/sing-box/config.json
-
---depends ca-bundle
---depends kmod-inet-diag
---depends kmod-tun
---depends firewall4
-
---before-remove release/config/openwrt.prerm
-
-release/config/config.json=/etc/sing-box/config.json
-
-release/config/openwrt.conf=/etc/config/sing-box
-release/config/openwrt.init=/etc/init.d/sing-box
-release/config/openwrt.keep=/lib/upgrade/keep.d/sing-box
-
-release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
-release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
-release/completions/sing-box.zsh=/usr/share/zsh/site-functions/_sing-box
-
-LICENSE=/usr/share/licenses/sing-box/LICENSE

.github/deb2ipk.sh

@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-# mod from https://gist.github.com/pldubouilh/c5703052986bfdd404005951dee54683
-
-set -e -o pipefail
-
-PROJECT=$(dirname "$0")/../..
-TMP_PATH=`mktemp -d`
-cp $2 $TMP_PATH
-pushd $TMP_PATH
-
-DEB_NAME=`ls *.deb`
-ar x $DEB_NAME
-
-mkdir control
-pushd control
-tar xf ../control.tar.gz
-rm md5sums
-sed "s/Architecture:\\ \w*/Architecture:\\ $1/g" ./control -i
-cat control
-tar czf ../control.tar.gz ./*
-popd
-
-DEB_NAME=${DEB_NAME%.deb}
-tar czf $DEB_NAME.ipk control.tar.gz data.tar.gz debian-binary
-popd
-
-cp $TMP_PATH/$DEB_NAME.ipk $3
-rm -r $TMP_PATH

.github/workflows/build.yml

@@ -68,39 +68,32 @@ jobs:
       - calculate_version
     strategy:
       matrix:
+        os: [ linux, windows, darwin, android ]
+        arch: [ "386", amd64, arm64 ]
+        legacy_go: [ false ]
         include:
-          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }
-          - { os: linux, arch: "386", go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }
-          - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
-          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
-          - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
-          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl, openwrt: "arm_arm1176jzf-s_vfp" }
-          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
-          - { os: linux, arch: mips, gomips: softfloat, openwrt: "mips_24kc mips_4kec mips_mips32" }
-          - { os: linux, arch: mipsle, gomips: hardfloat, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc_24kf" }
-          - { os: linux, arch: mipsle, gomips: softfloat, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
-          - { os: linux, arch: mips64, gomips: softfloat, openwrt: "mips64_mips64r2 mips64_octeonplus" }
-          - { os: linux, arch: mips64le, gomips: hardfloat, debian: mips64el, rpm: mips64el }
-          - { os: linux, arch: mips64le, gomips: softfloat, openwrt: "mips64el_mips64r2" }
+          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64 }
+          - { os: linux, arch: "386", debian: i386, rpm: i386 }
+          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
+          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl }
+          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64 }
+          - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
+          - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
           - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
           - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
-          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
+          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64 }
+          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
 
-          - { os: windows, arch: amd64 }
-          - { os: windows, arch: amd64, legacy_go: true }
-          - { os: windows, arch: "386" }
           - { os: windows, arch: "386", legacy_go: true }
-          - { os: windows, arch: arm64 }
-
-          - { os: darwin, arch: amd64 }
+          - { os: windows, arch: amd64, legacy_go: true }
           - { os: darwin, arch: amd64, legacy_go: true }
-          - { os: darwin, arch: arm64 }
 
+          - { os: android, arch: "386", ndk: "i686-linux-android21" }
+          - { os: android, arch: amd64, ndk: "x86_64-linux-android21" }
           - { os: android, arch: arm64, ndk: "aarch64-linux-android21" }
           - { os: android, arch: arm, ndk: "armv7a-linux-androideabi21" }
-          - { os: android, arch: amd64, ndk: "x86_64-linux-android21" }
-          - { os: android, arch: "386", ndk: "i686-linux-android21" }
+        exclude:
+          - { os: darwin, arch: "386" }
     steps:
       - name: Checkout
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
@@ -146,10 +139,7 @@ jobs:
           CGO_ENABLED: "0"
           GOOS: ${{ matrix.os }}
           GOARCH: ${{ matrix.arch }}
-          GO386: ${{ matrix.go386 }}
           GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
-          GOMIPS64: ${{ matrix.gomips }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Android
         if: matrix.os == 'android'
@@ -169,19 +159,14 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Set name
         run: |-
-          DIR_NAME="sing-box-${{ needs.calculate_version.outputs.version }}-${{ matrix.os }}-${{ matrix.arch }}"
-          if [[ -n "${{ matrix.goarm }}" ]]; then
-            DIR_NAME="${DIR_NAME}v${{ matrix.goarm }}"
-          elif [[ -n "${{ matrix.go386 }}" && "${{ matrix.go386 }}" != 'sse2' ]]; then
-            DIR_NAME="${DIR_NAME}-${{ matrix.go386 }}"
-          elif [[ -n "${{ matrix.gomips }}" && "${{ matrix.gomips }}" != 'hardfloat' ]]; then
-            DIR_NAME="${DIR_NAME}-${{ matrix.gomips }}"
-          elif [[ "${{ matrix.legacy_go }}" == 'true' ]]; then
-            DIR_NAME="${DIR_NAME}-legacy"
-          fi
+          ARM_VERSION=$([ -n '${{ matrix.goarm}}' ] && echo 'v${{ matrix.goarm}}' || true)
+          LEGACY=$([ '${{ matrix.legacy_go }}' = 'true' ] && echo "-legacy" || true)
+          DIR_NAME="sing-box-${{ needs.calculate_version.outputs.version }}-${{ matrix.os }}-${{ matrix.arch }}${ARM_VERSION}${LEGACY}"
+          PKG_NAME="sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.arch }}${ARM_VERSION}"
           echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
+          echo "PKG_NAME=${PKG_NAME}" >> "${GITHUB_ENV}"
           PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
-          PKG_VERSION="${PKG_VERSION//-/\~}-1"
+          PKG_VERSION="${PKG_VERSION//-/\~}"
           echo "PKG_VERSION=${PKG_VERSION}" >> "${GITHUB_ENV}"
       - name: Package DEB
         if: matrix.debian != ''
@@ -189,10 +174,9 @@ jobs:
           set -xeuo pipefail
           sudo gem install fpm
           sudo apt-get install -y debsigs
-          cp .fpm_systemd .fpm
           fpm -t deb \
             -v "$PKG_VERSION" \
-            -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.debian }}.deb" \
+            -p "dist/${PKG_NAME}.deb" \
             --architecture ${{ matrix.debian }} \
             dist/sing-box=/usr/bin/sing-box
           curl -Lo '/tmp/debsigs.diff' 'https://gitlab.com/debsigs/debsigs/-/commit/160138f5de1ec110376d3c807b60a37388bc7c90.diff'
@@ -207,10 +191,9 @@ jobs:
         run: |-
           set -xeuo pipefail
           sudo gem install fpm
-          cp .fpm_systemd .fpm
           fpm -t rpm \
             -v "$PKG_VERSION" \
-            -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.rpm }}.rpm" \
+            -p "dist/${PKG_NAME}.rpm" \
             --architecture ${{ matrix.rpm }} \
             dist/sing-box=/usr/bin/sing-box
           cat > $HOME/.rpmmacros <<EOF
@@ -227,27 +210,11 @@ jobs:
           set -xeuo pipefail
           sudo gem install fpm
           sudo apt-get install -y libarchive-tools
-          cp .fpm_systemd .fpm
           fpm -t pacman \
             -v "$PKG_VERSION" \
-            -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.pacman }}.pkg.tar.zst" \
+            -p "dist/${PKG_NAME}.pkg.tar.zst" \
             --architecture ${{ matrix.pacman }} \
             dist/sing-box=/usr/bin/sing-box
-      - name: Package OpenWrt
-        if: matrix.openwrt != ''
-        run: |-
-          set -xeuo pipefail
-          sudo gem install fpm
-          cp .fpm_openwrt .fpm
-          fpm -t deb \
-            -v "$PKG_VERSION" \
-            -p "dist/openwrt.deb" \
-            --architecture all \
-            dist/sing-box=/usr/bin/sing-box
-          for architecture in ${{ matrix.openwrt }}; do
-            .github/deb2ipk.sh "$architecture" "dist/openwrt.deb" "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.ipk"
-          done
-          rm "dist/openwrt.deb"
       - name: Archive
         run: |
           set -xeuo pipefail
@@ -267,7 +234,7 @@ jobs:
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
-          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_go && '-legacy' || '' }}
+          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.legacy_go && '-legacy' || '' }}
           path: "dist"
   build_android:
     name: Build Android

Makefile

@@ -10,7 +10,7 @@ GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run ./cmd/internal/read_tag)
 
 PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
-MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
+MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
 
@@ -28,7 +28,7 @@ ci_build:
 	go build $(MAIN_PARAMS) $(MAIN)
 
 generate_completions:
-	go run -v --tags "$(TAGS),generate,generate_completions" $(MAIN)
+	go run -v --tags $(TAGS),generate,generate_completions $(MAIN)
 
 install:
 	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
@@ -247,4 +247,4 @@ clean:
 update:
 	git fetch
 	git reset FETCH_HEAD --hard
-	git clean -fdx
+	git clean -fdx

clients/android

@@ -1 +1 @@
-Subproject commit 55f31c29bb68895ce544e0dfbf852b4b3e32b530
+Subproject commit 8354b78e5d002d636827cfeed6ed5df8ea057452

common/tls/reality_server.go

@@ -89,20 +89,16 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 	tlsConfig.MaxTimeDiff = time.Duration(options.Reality.MaxTimeDifference)
 
 	tlsConfig.ShortIds = make(map[[8]byte]bool)
-	if len(options.Reality.ShortID) == 0 {
-		tlsConfig.ShortIds[[8]byte{0}] = true
-	} else {
-		for i, shortIDString := range options.Reality.ShortID {
-			var shortID [8]byte
-			decodedLen, err := hex.Decode(shortID[:], []byte(shortIDString))
-			if err != nil {
-				return nil, E.Cause(err, "decode short_id[", i, "]: ", shortIDString)
-			}
-			if decodedLen > 8 {
-				return nil, E.New("invalid short_id[", i, "]: ", shortIDString)
-			}
-			tlsConfig.ShortIds[shortID] = true
+	for i, shortIDString := range options.Reality.ShortID {
+		var shortID [8]byte
+		decodedLen, err := hex.Decode(shortID[:], []byte(shortIDString))
+		if err != nil {
+			return nil, E.Cause(err, "decode short_id[", i, "]: ", shortIDString)
 		}
+		if decodedLen > 8 {
+			return nil, E.New("invalid short_id[", i, "]: ", shortIDString)
+		}
+		tlsConfig.ShortIds[shortID] = true
 	}
 
 	handshakeDialer, err := dialer.New(ctx, options.Reality.Handshake.DialerOptions)

common/tls/std_server.go

@@ -6,7 +6,6 @@ import (
 	"net"
 	"os"
 	"strings"
-	"time"
 
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
@@ -222,12 +221,8 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 			key = content
 		}
 		if certificate == nil && key == nil && options.Insecure {
-			timeFunc := ntp.TimeFuncFromContext(ctx)
-			if timeFunc == nil {
-				timeFunc = time.Now
-			}
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateKeyPair(nil, nil, timeFunc, info.ServerName)
+				return GenerateKeyPair(nil, nil, ntp.TimeFuncFromContext(ctx), info.ServerName)
 			}
 		} else {
 			if certificate == nil {

docs/changelog.md

@@ -2,18 +2,6 @@
 icon: material/alert-decagram
 ---
 
-### 1.11.8
-
-* Improve `auto_redirect` **1**
-* Fixes and improvements
-
-**1**:
-
-Now `auto_redirect` fixes compatibility issues between TUN and Docker bridge networks,
-see [Tun](/configuration/inbound/tun/#auto_redirect).
-
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
-
 ### 1.11.7
 
 * Fixes and improvements

docs/configuration/inbound/tun.md

@@ -211,10 +211,6 @@ Set the default route to the Tun.
 
     By default, VPN takes precedence over tun. To make tun go through VPN, enable `route.override_android_vpn`.
 
-!!! note "Also enable `auto_redirect`"
-
-    `auto_redirect` is always recommended on Linux, it provides better routing, higher performance (better than tproxy), and avoids conflicts between TUN and Docker bridge networks.
-
 #### iproute2_table_index
 
 !!! question "Since sing-box 1.10.0"
@@ -239,29 +235,22 @@ Linux iproute2 rule start index generated by `auto_route`.
 
     Only supported on Linux with `auto_route` enabled.
 
-Improve TUN routing and performance using nftables.
+Automatically configure iptables/nftables to redirect connections.
 
-`auto_redirect` is always recommended on Linux, it provides better routing,
-higher performance (better than tproxy),
-and avoids conflicts between TUN and Docker bridge networks.
+*In Android*：
 
-Note that `auto_redirect` also works on Android, 
-but due to the lack of `nftables` and `ip6tables`,
-only simple IPv4 TCP forwarding is performed.
-To share your VPN connection over hotspot or repeater on Android,
+Only local IPv4 connections are forwarded. To share your VPN connection over hotspot or repeater,
 use [VPNHotspot](https://github.com/Mygod/VPNHotspot).
 
-`auto_redirect` also automatically inserts compatibility rules
-into the OpenWrt fw4 table, i.e. 
-it will work on routers without any extra configuration.
+*In Linux*:
 
-Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
+`auto_route` with `auto_redirect` works as expected on routers **without intervention**.
 
 #### auto_redirect_input_mark
 
 !!! question "Since sing-box 1.10.0"
 
-Connection input mark used by `auto_redirect`.
+Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.
 
 `0x2023` is used by default.
 
@@ -269,7 +258,7 @@ Connection input mark used by `auto_redirect`.
 
 !!! question "Since sing-box 1.10.0"
 
-Connection output mark used by `auto_redirect`.
+Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.
 
 `0x2024` is used by default.
 
@@ -280,15 +269,17 @@ Enforce strict routing rules when `auto_route` is enabled:
 *In Linux*:
 
 * Let unsupported network unreachable
-* For legacy reasons, when neither `strict_route` nor `auto_redirect` are enabled, all ICMP traffic will not go through TUN.
+* Make ICMP traffic route to tun instead of upstream interfaces
+* Route all connections to tun
+
+It prevents IP address leaks and makes DNS hijacking work on Android.
 
 *In Windows*:
 
-* Let unsupported network unreachable
-* prevent DNS leak caused by
+* Add firewall rules to prevent DNS leak caused by
   Windows' [ordinary multihomed DNS resolution behavior](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29)
 
-It may prevent some Windows applications (such as VirtualBox) from working properly in certain situations.
+It may prevent some applications (such as VirtualBox) from working properly in certain situations.
 
 #### route_address
 
@@ -376,6 +367,8 @@ Exclude custom routes when `auto_route` is enabled.
 
     Add the destination IP CIDR rules in the specified rule-sets to the firewall.
     Matched traffic will bypass the sing-box routes.
+    
+    Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
 
 === "Without `auto_redirect` enabled"
 

docs/configuration/inbound/tun.zh.md

@@ -215,10 +215,6 @@ tun 接口的 IPv6 前缀。
 
     VPN 默认优先于 tun。要使 tun 经过 VPN，启用 `route.override_android_vpn`。
 
-!!! note "也启用 `auto_redirect`"
-
-  在 Linux 上始终推荐使用 `auto_redirect`，它提供更好的路由， 更高的性能（优于 tproxy）， 并避免 TUN 与 Docker 桥接网络冲突。
-
 #### iproute2_table_index
 
 !!! question "自 sing-box 1.10.0 起"
@@ -241,24 +237,23 @@ tun 接口的 IPv6 前缀。
 
 !!! quote ""
 
-    仅支持 Linux，且需要 `auto_route` 已启用。
+    仅支持 Linux，且需要 `auto_route` 已启用。 
 
-通过使用 nftables 改善 TUN 路由和性能。
+自动配置 iptables/nftables 以重定向连接。
 
-在 Linux 上始终推荐使用 `auto_redirect`，它提供更好的路由、更高的性能（优于 tproxy），并避免了 TUN 和 Docker 桥接网络之间的冲突。
+*在 Android 中*：
 
-请注意，`auto_redirect` 也适用于 Android，但由于缺少 `nftables` 和 `ip6tables`，仅执行简单的 IPv4 TCP 转发。  
-若要在 Android 上通过热点或中继器共享 VPN 连接，请使用 [VPNHotspot](https://github.com/Mygod/VPNHotspot)。
+仅转发本地 IPv4 连接。 要通过热点或中继共享您的 VPN 连接，请使用 [VPNHotspot](https://github.com/Mygod/VPNHotspot)。
 
-`auto_redirect` 还会自动将兼容性规则插入 OpenWrt 的 fw4 表中，即无需额外配置即可在路由器上工作。
+*在 Linux 中*:
 
-与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
+带有 `auto_redirect `的 `auto_route` 可以在路由器上按预期工作，**无需干预**。
 
 #### auto_redirect_input_mark
 
 !!! question "自 sing-box 1.10.0 起"
 
-`auto_redirect` 使用的连接输入标记。
+`route_address_set` 和 `route_exclude_address_set` 使用的连接输入标记。
 
 默认使用 `0x2023`。
 
@@ -266,25 +261,29 @@ tun 接口的 IPv6 前缀。
 
 !!! question "自 sing-box 1.10.0 起"
 
-`auto_redirect` 使用的连接输出标记。
+`route_address_set` 和 `route_exclude_address_set` 使用的连接输出标记。
 
 默认使用 `0x2024`。
 
 #### strict_route
 
-当启用 `auto_route` 时，强制执行严格的路由规则：
+启用 `auto_route` 时执行严格的路由规则。
 
-*在 Linux 中*：
+*在 Linux 中*:
 
-* 使不支持的网络不可达。
-* 出于历史遗留原因，当未启用 `strict_route` 或 `auto_redirect` 时，所有 ICMP 流量将不会通过 TUN。
+* 让不支持的网络无法到达
+* 使 ICMP 流量路由到 tun 而不是上游接口
+* 将所有连接路由到 tun
 
-*在 Windows 中*：
+它可以防止 IP 地址泄漏，并使 DNS 劫持在 Android 上工作。
 
-* 使不支持的网络不可达。
-* 阻止 Windows 的 [普通多宿主 DNS 解析行为](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29) 造成的 DNS 泄露
+*在 Windows 中*:
 
-它可能会使某些 Windows 应用程序（如 VirtualBox）在某些情况下无法正常工作。
+* 添加防火墙规则以阻止 Windows
+  的 [普通多宿主 DNS 解析行为](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29)
+  造成的 DNS 泄露
+
+它可能会使某些应用程序（如 VirtualBox）在某些情况下无法正常工作。
 
 #### route_address
 
@@ -342,6 +341,8 @@ tun 接口的 IPv6 前缀。
     
     将指定规则集中的目标 IP CIDR 规则添加到防火墙。
     不匹配的流量将绕过 sing-box 路由。
+    
+    与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
 
 === "`auto_redirect` 未启用"
 

docs/installation/package-manager.md

@@ -8,56 +8,44 @@ icon: material/package
 
 === ":material-debian: Debian / APT"
 
-   ```bash
-   sudo mkdir -p /etc/apt/keyrings &&
-      sudo curl -fsSL https://sing-box.app/gpg.key -o /etc/apt/keyrings/sagernet.asc &&
-      sudo chmod a+r /etc/apt/keyrings/sagernet.asc &&
-      echo '
-   Types: deb
-   URIs: https://deb.sagernet.org/
-   Suites: *
-   Components: *
-   Enabled: yes
-   Signed-By: /etc/apt/keyrings/sagernet.asc
-   ' | sudo tee /etc/apt/sources.list.d/sagernet.sources &&
-      sudo apt-get update &&
-      sudo apt-get install sing-box # or sing-box-beta
-   ```
+    ```bash
+    sudo curl -fsSL https://sing-box.app/gpg.key -o /etc/apt/keyrings/sagernet.asc
+    sudo chmod a+r /etc/apt/keyrings/sagernet.asc
+    echo "deb [arch=`dpkg --print-architecture` signed-by=/etc/apt/keyrings/sagernet.asc] https://deb.sagernet.org/ * *" | \
+      sudo tee /etc/apt/sources.list.d/sagernet.list > /dev/null
+    sudo apt-get update
+    sudo apt-get install sing-box # or sing-box-beta
+    ```
 
-=== ":material-redhat: Redhat / DNF 5"
+=== ":material-redhat: Redhat / DNF"
 
-   ```bash
-   sudo dnf config-manager addrepo --from-repofile=https://sing-box.app/sing-box.repo &&
-   sudo dnf install sing-box # or sing-box-beta
-   ```
-
-=== ":material-redhat: Redhat / DNF 4"
-
-   ```bash
-   sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo &&
-   sudo dnf -y install dnf-plugins-core &&
-   sudo dnf install sing-box # or sing-box-beta
-   ```
+    ```bash
+    sudo dnf -y install dnf-plugins-core
+    sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo
+    sudo dnf install sing-box # or sing-box-beta
+    ```
+    (This applies to any distribution that uses `dnf` as the package manager: Fedora, CentOS, even OpenSUSE with DNF installed.)
 
 ## :material-download-box: Manual Installation
 
-   The script download and install the latest package from GitHub releases for deb or rpm based Linux distributions, ArchLinux and OpenWrt.
-   
-   ```shell
-   curl -fsSL https://sing-box.app/install.sh | sh
-   ```
-   
-   or latest beta:
-   
-   ```shell
-   curl -fsSL https://sing-box.app/install.sh | sh -s -- --beta
-   ```
-   
-   or specific version:
-   
-   ```shell
-   curl -fsSL https://sing-box.app/install.sh | sh -s -- --version <version>
-   ```
+=== ":material-debian: Debian / DEB"
+
+    ```bash
+    bash <(curl -fsSL https://sing-box.app/deb-install.sh)
+    ```
+
+=== ":material-redhat: Redhat / RPM"
+
+    ```bash
+    bash <(curl -fsSL https://sing-box.app/rpm-install.sh)
+    ```
+    (This applies to any distribution that uses `rpm` and `systemd`.  Because of how `rpm` defines dependencies, if it installs, it probably works.)
+
+=== ":simple-archlinux: Archlinux / PKG"
+
+    ```bash
+    bash <(curl -fsSL https://sing-box.app/arch-install.sh)
+    ```
 
 ## :material-book-lock-open: Managed Installation
 

docs/installation/package-manager.zh.md

@@ -9,35 +9,22 @@ icon: material/package
 === ":material-debian: Debian / APT"
 
     ```bash
-    sudo mkdir -p /etc/apt/keyrings &&
-       sudo curl -fsSL https://sing-box.app/gpg.key -o /etc/apt/keyrings/sagernet.asc &&
-       sudo chmod a+r /etc/apt/keyrings/sagernet.asc &&
-       echo '
-    Types: deb
-    URIs: https://deb.sagernet.org/
-    Suites: *
-    Components: *
-    Enabled: yes
-    Signed-By: /etc/apt/keyrings/sagernet.asc
-    ' | sudo tee /etc/apt/sources.list.d/sagernet.sources &&
-       sudo apt-get update &&
-       sudo apt-get install sing-box # or sing-box-beta
+    sudo curl -fsSL https://sing-box.app/gpg.key -o /etc/apt/keyrings/sagernet.asc
+    sudo chmod a+r /etc/apt/keyrings/sagernet.asc
+    echo "deb [arch=`dpkg --print-architecture` signed-by=/etc/apt/keyrings/sagernet.asc] https://deb.sagernet.org/ * *" | \
+      sudo tee /etc/apt/sources.list.d/sagernet.list > /dev/null
+    sudo apt-get update
+    sudo apt-get install sing-box # or sing-box-beta
     ```
 
-=== ":material-redhat: Redhat / DNF 5"
+=== ":material-redhat: Redhat / DNF"
 
-   ```bash
-   sudo dnf config-manager addrepo --from-repofile=https://sing-box.app/sing-box.repo &&
-   sudo dnf install sing-box # or sing-box-beta
-   ```
-
-=== ":material-redhat: Redhat / DNF 4"
-
-   ```bash
-   sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo &&
-   sudo dnf -y install dnf-plugins-core &&
-   sudo dnf install sing-box # or sing-box-beta
-   ```
+    ```bash
+    sudo dnf -y install dnf-plugins-core
+    sudo dnf config-manager --add-repo https://sing-box.app/sing-box.repo
+    sudo dnf install sing-box # or sing-box-beta
+    ```
+    （这适用于任何使用 `dnf` 作为包管理器的发行版：Fedora、CentOS，甚至安装了 DNF 的 OpenSUSE。）
 
 ## :material-download-box: 手动安装
 

docs/installation/tools/install.sh

@@ -1,97 +0,0 @@
-#!/bin/sh
-
-download_beta=false
-download_version=""
-
-for arg in "$@"; do
-  if [[ "$arg" == "--beta" ]]; then
-    download_beta=true
-  elif [[ "$arg" == "--version" ]]; then
-    download_version=true
-  elif [[ "$download_version" == 'true' ]]; then
-    download_version="$arg"
-  else
-    echo "Unknown argument: $arg"
-    echo "Usage: $0 [--beta] [--version <version>]"
-    exit 1
-  fi
-done
-
-if [[ $(command -v dpkg) ]]; then
-  os="linux"
-  arch=$(dpkg --print-architecture)
-  package_suffix=".deb"
-  package_install="dpkg -i"
-elif [[ $(command -v dnf) ]]; then
-  os="linux"
-  arch=$(uname -m)
-  package_suffix=".rpm"
-  package_install="dnf install -y"
-elif [[ $(command -v rpm) ]]; then
-  os="linux"
-  arch=$(uname -m)
-  package_suffix=".rpm"
-  package_install="rpm -i"
-elif [[ $(command -v pacman) ]]; then
-  os="linux"
-  arch=$(uname -m)
-  package_suffix=".pkg.tar.zst"
-  package_install="pacman -U --noconfirm"
-elif [[ $(command -v opkg) ]]; then
-  os="openwrt"
-  source /etc/os-release
-  arch="$OPENWRT_ARCH"
-  package_suffix=".ipk"
-  package_install="opkg update && opkg install -y"
-else
-  echo "Missing supported package manager."
-  exit 1
-fi
-
-if [[ -z "$download_version" ]]; then
-  if [[ "$download_beta" != 'true' ]]; then
-    if [[ -n "$GITHUB_TOKEN" ]]; then
-      latest_release=$(curl -s --fail-with-body -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/repos/SagerNet/sing-box/releases/latest)
-    else
-      latest_release=$(curl -s --fail-with-body https://api.github.com/repos/SagerNet/sing-box/releases/latest)
-    fi
-    curl_exit_status=$?
-    if [[ $curl_exit_status -ne 0 ]]; then
-      echo "$latest_release"
-      exit $?
-    fi
-    download_version=$(echo "$latest_release" | grep tag_name | cut -d ":" -f2 | sed 's/\"//g;s/\,//g;s/\ //g;s/v//')
-  else
-    if [[ -n "$GITHUB_TOKEN" ]]; then
-      latest_release=$(curl -s --fail-with-body -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/repos/SagerNet/sing-box/releases)
-    else
-      latest_release=$(curl -s --fail-with-body https://api.github.com/repos/SagerNet/sing-box/releases)
-    fi
-    curl_exit_status=$?
-    if [[ $? -ne 0 ]]; then
-      echo "$latest_release"
-      exit $?
-    fi
-    download_version=$(echo "$latest_release" | grep tag_name | head -n 1 | cut -d ":" -f2 | sed 's/\"//g;s/\,//g;s/\ //g;s/v//')
-  fi
-fi
-
-package_name="sing-box_${download_version}_${os}_${arch}${package_suffix}"
-package_url="https://github.com/SagerNet/sing-box/releases/download/v${download_version}/${package_name}"
-
-echo "Downloading $package_url"
-if [[ -n "$GITHUB_TOKEN" ]]; then
-  curl --fail-with-body -Lo "$package_name" -H "Authorization: token ${GITHUB_TOKEN}" "$package_url"
-else
-  curl --fail-with-body -Lo "$package_name" "$package_url"
-fi
-
-if [[ $? -ne 0 ]]; then
-  exit $?
-fi
-
-if [[ $(command -v sudo) ]]; then
-  package_install="sudo $package_install"
-fi
-
-echo "$package_install $package_name" && $package_install "$package_name" && rm "$package_name"

go.mod

@@ -26,14 +26,14 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20241123041152-536d05261cff
 	github.com/sagernet/quic-go v0.49.0-beta.1
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.6.6
+	github.com/sagernet/sing v0.6.6-0.20250406121928-926a5a1e8bb7
 	github.com/sagernet/sing-dns v0.4.1
 	github.com/sagernet/sing-mux v0.3.1
 	github.com/sagernet/sing-quic v0.4.1
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.2.0
-	github.com/sagernet/sing-tun v0.6.4
+	github.com/sagernet/sing-tun v0.6.1
 	github.com/sagernet/sing-vmess v0.2.0
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
 	github.com/sagernet/utls v1.6.7

go.sum

@@ -121,8 +121,6 @@ github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4Wk
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
 github.com/sagernet/sing v0.6.6-0.20250406121928-926a5a1e8bb7 h1:ZJauxLmH12Gzv3nucfjsSBQw9UA8t7Sxu8pYHBSP2TU=
 github.com/sagernet/sing v0.6.6-0.20250406121928-926a5a1e8bb7/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
-github.com/sagernet/sing v0.6.6 h1:3JkvJ0vqDj/jJcx0a+ve/6lMOrSzZm30I3wrIuZtmRE=
-github.com/sagernet/sing v0.6.6/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-dns v0.4.1 h1:nozS7iqpxZ7aV73oHbkD/8haOvf3XXDCgT//8NdYirk=
 github.com/sagernet/sing-dns v0.4.1/go.mod h1:dweQs54ng2YGzoJfz+F9dGuDNdP5pJ3PLeggnK5VWc8=
 github.com/sagernet/sing-mux v0.3.1 h1:kvCc8HyGAskDHDQ0yQvoTi/7J4cZPB/VJMsAM3MmdQI=
@@ -135,8 +133,8 @@ github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wK
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.0 h1:cLKe4OAOFwuhmAIuPLj//CIL7Q9js+pIDardhJ+/osk=
 github.com/sagernet/sing-shadowtls v0.2.0/go.mod h1:agU+Fw5X+xnWVyRHyFthoZCX3MfWKCFPm4JUf+1oaxo=
-github.com/sagernet/sing-tun v0.6.4 h1:3Iew6UtAf1+mucVeHKNhAEQI5xmq3CUCbGptUbjebts=
-github.com/sagernet/sing-tun v0.6.4/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
+github.com/sagernet/sing-tun v0.6.1 h1:4l0+gnEKcGjlWfUVTD+W0BRApqIny/lU2ZliurE+VMo=
+github.com/sagernet/sing-tun v0.6.1/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
 github.com/sagernet/sing-vmess v0.2.0 h1:pCMGUXN2k7RpikQV65/rtXtDHzb190foTfF9IGTMZrI=
 github.com/sagernet/sing-vmess v0.2.0/go.mod h1:jDAZ0A0St1zVRkyvhAPRySOFfhC+4SQtO5VYyeFotgA=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=

protocol/direct/inbound.go

@@ -94,7 +94,7 @@ func (i *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata a
 	case 2:
 		destination.Addr = i.overrideDestination.Addr
 	case 3:
-		destination.Port = i.overrideDestination.Port
+		destination.Port = metadata.Destination.Port
 	}
 	metadata.Destination = destination
 	if i.overrideOption != 0 {

protocol/group/urltest.go

@@ -395,16 +395,12 @@ func (g *URLTestGroup) urlTest(ctx context.Context, force bool) (map[string]uint
 func (g *URLTestGroup) performUpdateCheck() {
 	var updated bool
 	if outbound, exists := g.Select(N.NetworkTCP); outbound != nil && (g.selectedOutboundTCP == nil || (exists && outbound != g.selectedOutboundTCP)) {
-		if g.selectedOutboundTCP != nil {
-			updated = true
-		}
 		g.selectedOutboundTCP = outbound
+		updated = true
 	}
 	if outbound, exists := g.Select(N.NetworkUDP); outbound != nil && (g.selectedOutboundUDP == nil || (exists && outbound != g.selectedOutboundUDP)) {
-		if g.selectedOutboundUDP != nil {
-			updated = true
-		}
 		g.selectedOutboundUDP = outbound
+		updated = true
 	}
 	if updated {
 		g.interruptGroup.Interrupt(g.interruptExternalConnections)

protocol/tun/inbound.go

@@ -245,7 +245,7 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		if err != nil {
 			return nil, E.Cause(err, "initialize auto-redirect")
 		}
-		if !C.IsAndroid {
+		if !C.IsAndroid && (len(inbound.routeRuleSet) > 0 || len(inbound.routeExcludeRuleSet) > 0) {
 			inbound.tunOptions.AutoRedirectMarkMode = true
 			err = networkManager.RegisterAutoRedirectOutputMark(inbound.tunOptions.AutoRedirectOutputMark)
 			if err != nil {

protocol/wireguard/endpoint.go

@@ -26,6 +26,11 @@ func RegisterEndpoint(registry *endpoint.Registry) {
 	endpoint.Register[option.WireGuardEndpointOptions](registry, C.TypeWireGuard, NewEndpoint)
 }
 
+var (
+	_ adapter.Endpoint                = (*Endpoint)(nil)
+	_ adapter.InterfaceUpdateListener = (*Endpoint)(nil)
+)
+
 type Endpoint struct {
 	endpoint.Adapter
 	ctx            context.Context
@@ -113,6 +118,10 @@ func (w *Endpoint) Close() error {
 	return w.endpoint.Close()
 }
 
+func (w *Endpoint) InterfaceUpdated() {
+	w.endpoint.BindUpdate()
+}
+
 func (w *Endpoint) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr) error {
 	return w.router.PreMatch(adapter.InboundContext{
 		Inbound:     w.Tag(),

protocol/wireguard/outbound.go

@@ -25,6 +25,11 @@ func RegisterOutbound(registry *outbound.Registry) {
 	outbound.Register[option.LegacyWireGuardOutboundOptions](registry, C.TypeWireGuard, NewOutbound)
 }
 
+var (
+	_ adapter.Endpoint                = (*Endpoint)(nil)
+	_ adapter.InterfaceUpdateListener = (*Endpoint)(nil)
+)
+
 type Outbound struct {
 	outbound.Adapter
 	ctx            context.Context
@@ -119,6 +124,10 @@ func (o *Outbound) Close() error {
 	return o.endpoint.Close()
 }
 
+func (o *Outbound) InterfaceUpdated() {
+	o.endpoint.BindUpdate()
+}
+
 func (o *Outbound) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	switch network {
 	case N.NetworkTCP:

release/config/openwrt.init

@@ -1,27 +1,26 @@
 #!/bin/sh /etc/rc.common
 
-USE_PROCD=1
-START=99
 PROG="/usr/bin/sing-box"
 
 start_service() {
   config_load "sing-box"
 
   local enabled config_file working_directory
-  local log_stderr
+  local log_stdout log_stderr
   config_get_bool enabled "main" "enabled" "0"
   [ "$enabled" -eq "1" ] || return 0
 
   config_get config_file "main" "conffile" "/etc/sing-box/config.json"
   config_get working_directory "main" "workdir" "/usr/share/sing-box"
+  config_get_bool log_stdout "main" "log_stdout" "1"
   config_get_bool log_stderr "main" "log_stderr" "1"
 
   procd_open_instance
-  procd_set_param command "$PROG" run -c "$config_file" -D "$working_directory"
-  procd_set_param file "$config_file"
+  procd_swet_param command "$PROG" run -c "$conffile" -D "$workdir"
+  procd_set_param file "$conffile"
   procd_set_param stderr "$log_stderr"
   procd_set_param limits core="unlimited"
-  procd_set_param limits nofile="1000000 1000000"
+  sprocd_set_param limits nofile="1000000 1000000"
   procd_set_param respawn
 
   procd_close_instance
@@ -29,4 +28,4 @@ start_service() {
 
 service_triggers() {
   procd_add_reload_trigger "sing-box"
-}
+}

release/config/openwrt.keep

@@ -1 +0,0 @@
-/etc/sing-box/

release/config/openwrt.prerm

@@ -1,4 +0,0 @@
-#!/bin/sh
-[ -s ${IPKG_INSTROOT}/lib/functions.sh ] || exit 0
-. ${IPKG_INSTROOT}/lib/functions.sh
-default_prerm $0 $@

transport/wireguard/endpoint.go

@@ -150,7 +150,7 @@ func (e *Endpoint) Start(resolve bool) error {
 			connectAddr netip.AddrPort
 			reserved    [3]uint8
 		)
-		if len(e.peers) == 1 && e.peers[0].endpoint.IsValid() {
+		if len(e.peers) == 1 {
 			isConnect = true
 			connectAddr = e.peers[0].endpoint
 			reserved = e.peers[0].reserved
@@ -208,6 +208,10 @@ func (e *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	return e.tunDevice.ListenPacket(ctx, destination)
 }
 
+func (e *Endpoint) BindUpdate() error {
+	return e.device.BindUpdate()
+}
+
 func (e *Endpoint) Close() error {
 	if e.device != nil {
 		e.device.Close()