docs/changelog.md

@@ -2,18 +2,6 @@
 icon: material/alert-decagram
 ---
 
-### 1.11.7
-
-* Improve `auto_redirect` **1**
-* Fixes and improvements
-
-**1**:
-
-Now `auto_redirect` fixes compatibility issues between tun and Docker bridge networks,
-see [Tun](/configuration/inbound/tun/#auto_redirect).
-
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
-
 ### 1.11.6
 
 * Fixes and improvements

docs/configuration/inbound/tun.md

@@ -211,10 +211,6 @@ Set the default route to the Tun.
 
     By default, VPN takes precedence over tun. To make tun go through VPN, enable `route.override_android_vpn`.
 
-!!! note "Also enable `auto_redirect`"
-
-    `auto_redirect` is always recommended on Linux, it provides better routing, higher performance (better than tproxy), and avoids conflicts with Docker bridge networks.
-
 #### iproute2_table_index
 
 !!! question "Since sing-box 1.10.0"
@@ -241,10 +237,6 @@ Linux iproute2 rule start index generated by `auto_route`.
 
 Automatically configure iptables/nftables to redirect connections.
 
-Auto redirect is always recommended on Linux, it provides better routing,
-higher performance (better than tproxy),
-and avoids conflicts with Docker bridge networks.
-
 *In Android*：
 
 Only local IPv4 connections are forwarded. To share your VPN connection over hotspot or repeater,
@@ -254,13 +246,11 @@ use [VPNHotspot](https://github.com/Mygod/VPNHotspot).
 
 `auto_route` with `auto_redirect` works as expected on routers **without intervention**.
 
-Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
-
 #### auto_redirect_input_mark
 
 !!! question "Since sing-box 1.10.0"
 
-Connection input mark used by `auto_redirect`.
+Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.
 
 `0x2023` is used by default.
 
@@ -268,7 +258,7 @@ Connection input mark used by `auto_redirect`.
 
 !!! question "Since sing-box 1.10.0"
 
-Connection output mark used by `auto_redirect`.
+Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.
 
 `0x2024` is used by default.
 
@@ -377,6 +367,8 @@ Exclude custom routes when `auto_route` is enabled.
 
     Add the destination IP CIDR rules in the specified rule-sets to the firewall.
     Matched traffic will bypass the sing-box routes.
+    
+    Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
 
 === "Without `auto_redirect` enabled"
 

docs/configuration/inbound/tun.zh.md

@@ -215,10 +215,6 @@ tun 接口的 IPv6 前缀。
 
     VPN 默认优先于 tun。要使 tun 经过 VPN，启用 `route.override_android_vpn`。
 
-!!! note "也启用 `auto_redirect`"
-
-  在 Linux 上始终推荐使用 `auto_redirect`，它提供更好的路由， 更高的性能（优于 tproxy）， 并避免与 Docker 桥接网络冲突。
-
 #### iproute2_table_index
 
 !!! question "自 sing-box 1.10.0 起"
@@ -245,23 +241,19 @@ tun 接口的 IPv6 前缀。
 
 自动配置 iptables/nftables 以重定向连接。
 
-在 Linux 上始终推荐使用 auto redirect，它提供更好的路由， 更高的性能（优于 tproxy）， 并避免与 Docker 桥接网络冲突。
-
 *在 Android 中*：
 
 仅转发本地 IPv4 连接。 要通过热点或中继共享您的 VPN 连接，请使用 [VPNHotspot](https://github.com/Mygod/VPNHotspot)。
 
 *在 Linux 中*:
 
-带有 `auto_redirect` 的 `auto_route` 在路由器上**无需干预**即可按预期工作。
+带有 `auto_redirect `的 `auto_route` 可以在路由器上按预期工作，**无需干预**。
-
-与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
 
 #### auto_redirect_input_mark
 
 !!! question "自 sing-box 1.10.0 起"
 
-`auto_redriect` 使用的连接输入标记。
+`route_address_set` 和 `route_exclude_address_set` 使用的连接输入标记。
 
 默认使用 `0x2023`。
 
@@ -269,7 +261,7 @@ tun 接口的 IPv6 前缀。
 
 !!! question "自 sing-box 1.10.0 起"
 
-`auto_redriect` 使用的连接输出标记。
+`route_address_set` 和 `route_exclude_address_set` 使用的连接输出标记。
 
 默认使用 `0x2024`。
 
@@ -349,6 +341,8 @@ tun 接口的 IPv6 前缀。
     
     将指定规则集中的目标 IP CIDR 规则添加到防火墙。
     不匹配的流量将绕过 sing-box 路由。
+    
+    与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。
 
 === "`auto_redirect` 未启用"
 

go.mod

@@ -33,7 +33,7 @@ require (
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.2.0
-	github.com/sagernet/sing-tun v0.6.2
+	github.com/sagernet/sing-tun v0.6.1
 	github.com/sagernet/sing-vmess v0.2.0
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
 	github.com/sagernet/utls v1.6.7

go.sum

@@ -133,8 +133,8 @@ github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wK
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.0 h1:cLKe4OAOFwuhmAIuPLj//CIL7Q9js+pIDardhJ+/osk=
 github.com/sagernet/sing-shadowtls v0.2.0/go.mod h1:agU+Fw5X+xnWVyRHyFthoZCX3MfWKCFPm4JUf+1oaxo=
-github.com/sagernet/sing-tun v0.6.2 h1:SoylB/8dA6bRWoUhi4GbFb4WkKL0SMCpmYcvumPndo0=
+github.com/sagernet/sing-tun v0.6.1 h1:4l0+gnEKcGjlWfUVTD+W0BRApqIny/lU2ZliurE+VMo=
-github.com/sagernet/sing-tun v0.6.2/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
+github.com/sagernet/sing-tun v0.6.1/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
 github.com/sagernet/sing-vmess v0.2.0 h1:pCMGUXN2k7RpikQV65/rtXtDHzb190foTfF9IGTMZrI=
 github.com/sagernet/sing-vmess v0.2.0/go.mod h1:jDAZ0A0St1zVRkyvhAPRySOFfhC+4SQtO5VYyeFotgA=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=

protocol/tun/inbound.go

@@ -245,7 +245,7 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		if err != nil {
 			return nil, E.Cause(err, "initialize auto-redirect")
 		}
-		if !C.IsAndroid {
+		if !C.IsAndroid && (len(inbound.routeRuleSet) > 0 || len(inbound.routeExcludeRuleSet) > 0) {
 			inbound.tunOptions.AutoRedirectMarkMode = true
 			err = networkManager.RegisterAutoRedirectOutputMark(inbound.tunOptions.AutoRedirectOutputMark)
 			if err != nil {