Improve sniffer

Co-authored-by: anytls <anytls>

.github/workflows/lint.yml

@@ -30,7 +30,7 @@ jobs:
         with:
           go-version: ^1.24.2
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v7
+        uses: golangci/golangci-lint-action@v6
         with:
           version: latest
           args: --timeout=30m

adapter/router.go

@@ -24,7 +24,7 @@ type Router interface {
 	RuleSet(tag string) (RuleSet, bool)
 	NeedWIFIState() bool
 	Rules() []Rule
-	AppendTracker(tracker ConnectionTracker)
+	SetTracker(tracker ConnectionTracker)
 	ResetNetwork()
 }
 

box.go

@@ -314,7 +314,7 @@ func New(options Options) (*Box, error) {
 		if err != nil {
 			return nil, E.Cause(err, "create clash-server")
 		}
-		router.AppendTracker(clashServer)
+		router.SetTracker(clashServer)
 		service.MustRegister[adapter.ClashServer](ctx, clashServer)
 		services = append(services, clashServer)
 	}
@@ -324,7 +324,7 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "create v2ray-server")
 		}
 		if v2rayServer.StatsService() != nil {
-			router.AppendTracker(v2rayServer.StatsService())
+			router.SetTracker(v2rayServer.StatsService())
 			services = append(services, v2rayServer)
 			service.MustRegister[adapter.V2RayServer](ctx, v2rayServer)
 		}

common/sniff/bittorrent.go

@@ -68,9 +68,7 @@ func UTP(_ context.Context, metadata *adapter.InboundContext, packet []byte) err
 		if err != nil {
 			return err
 		}
-		if extension > 0x04 {
+
-			return os.ErrInvalid
-		}
 		var length byte
 		err = binary.Read(reader, binary.BigEndian, &length)
 		if err != nil {

common/sniff/bittorrent_test.go

@@ -71,19 +71,3 @@ func TestSniffUDPTracker(t *testing.T) {
 		require.Equal(t, C.ProtocolBitTorrent, metadata.Protocol)
 	}
 }
-
-func TestSniffNotUTP(t *testing.T) {
-	t.Parallel()
-
-	packets := []string{
-		"0102736470696e674958d580121500000000000079aaed6717a39c27b07c0c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-	}
-	for _, pkt := range packets {
-		pkt, err := hex.DecodeString(pkt)
-		require.NoError(t, err)
-
-		var metadata adapter.InboundContext
-		err = sniff.UTP(context.TODO(), &metadata, pkt)
-		require.Error(t, err)
-	}
-}

common/tls/ech.go

@@ -123,7 +123,6 @@ func (s *STDECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn)
 		if response.Rcode != mDNS.RcodeSuccess {
 			return nil, E.Cause(dns.RcodeError(response.Rcode), "fetch ECH config list")
 		}
-	match:
 		for _, rr := range response.Answer {
 			switch resource := rr.(type) {
 			case *mDNS.HTTPS:
@@ -134,15 +133,12 @@ func (s *STDECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn)
 							return nil, E.Cause(err, "decode ECH config")
 						}
 						s.config.EncryptedClientHelloConfigList = echConfigList
-						break match
 					}
 				}
 			}
 		}
-		if len(s.config.EncryptedClientHelloConfigList) == 0 {
 		return nil, E.New("no ECH config found in DNS records")
 	}
-	}
 	tlsConn, err := s.Client(conn)
 	if err != nil {
 		return nil, err

constant/protocol.go

@@ -11,6 +11,7 @@ const (
 	ProtocolSSH        = "ssh"
 	ProtocolRDP        = "rdp"
 	ProtocolNTP        = "ntp"
+	ProtocolMTProto    = "mtproto"
 )
 
 const (

dns/transport/udp.go

@@ -212,8 +212,8 @@ type dnsConnection struct {
 
 func (c *dnsConnection) Close(err error) {
 	c.closeOnce.Do(func() {
-		c.err = err
 		close(c.done)
+		c.err = err
 	})
 	c.Conn.Close()
 }

docs/configuration/route/sniff.md

@@ -26,7 +26,7 @@ If enabled in the inbound, the protocol and domain name (if present) of by the c
 
 |       QUIC Client        |    Type    |
 |:------------------------:|:----------:|
-|     Chromium/Cronet      | `chromium` |
+|     Chromium/Cronet      | `chrimium` |
 | Safari/Apple Network API |  `safari`  |
 | Firefox / uquic firefox  | `firefox`  |
 |  quic-go / uquic chrome  | `quic-go`  |

experimental/libbox/service.go

@@ -39,7 +39,7 @@ type BoxService struct {
 	clashServer           adapter.ClashServer
 	pauseManager          pause.Manager
 
-	iOSPauseFields
+	servicePauseFields
 }
 
 func NewService(configContent string, platformInterface PlatformInterface) (*BoxService, error) {

experimental/libbox/service_pause.go

@@ -1,33 +1,31 @@
 package libbox
 
 import (
+	"sync"
 	"time"
-
-	C "github.com/sagernet/sing-box/constant"
 )
 
-type iOSPauseFields struct {
+type servicePauseFields struct {
-	endPauseTimer *time.Timer
+	pauseAccess sync.Mutex
+	pauseTimer  *time.Timer
 }
 
 func (s *BoxService) Pause() {
-	s.pauseManager.DevicePause()
+	s.pauseAccess.Lock()
-	if !C.IsIos {
+	defer s.pauseAccess.Unlock()
-		s.instance.Router().ResetNetwork()
+	if s.pauseTimer != nil {
-	} else {
+		s.pauseTimer.Stop()
-		if s.endPauseTimer == nil {
-			s.endPauseTimer = time.AfterFunc(time.Minute, s.pauseManager.DeviceWake)
-		} else {
-			s.endPauseTimer.Reset(time.Minute)
-		}
 	}
+	s.pauseTimer = time.AfterFunc(3*time.Second, s.ResetNetwork)
 }
 
 func (s *BoxService) Wake() {
-	if !C.IsIos {
+	s.pauseAccess.Lock()
-		s.pauseManager.DeviceWake()
+	defer s.pauseAccess.Unlock()
-		s.instance.Router().ResetNetwork()
+	if s.pauseTimer != nil {
+		s.pauseTimer.Stop()
 	}
+	s.pauseTimer = time.AfterFunc(3*time.Minute, s.ResetNetwork)
 }
 
 func (s *BoxService) ResetNetwork() {

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/cretz/bine v0.2.0
 	github.com/go-chi/chi/v5 v5.2.1
 	github.com/go-chi/render v1.0.3
-	github.com/gofrs/uuid/v5 v5.3.2
+	github.com/gofrs/uuid/v5 v5.3.1
 	github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905
 	github.com/libdns/alidns v1.0.3
 	github.com/libdns/cloudflare v0.1.1
@@ -26,9 +26,9 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20250325023245-7a9c0f5725fb
 	github.com/sagernet/quic-go v0.49.0-beta.1
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.6.6-0.20250406122223-d47540857e58
+	github.com/sagernet/sing v0.6.6-0.20250403102645-159e489fc399
 	github.com/sagernet/sing-mux v0.3.1
-	github.com/sagernet/sing-quic v0.4.1
+	github.com/sagernet/sing-quic v0.4.1-beta.1
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250316154757-6f9e732e5056

go.sum

@@ -66,8 +66,8 @@ github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
-github.com/gofrs/uuid/v5 v5.3.2 h1:2jfO8j3XgSwlz/wHqemAEugfnTlikAYHhnqQ8Xh4fE0=
+github.com/gofrs/uuid/v5 v5.3.1 h1:aPx49MwJbekCzOyhZDjJVb0hx3A0KLjlbLx6p2gY0p0=
-github.com/gofrs/uuid/v5 v5.3.2/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/gofrs/uuid/v5 v5.3.1/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
@@ -178,12 +178,12 @@ github.com/sagernet/quic-go v0.49.0-beta.1/go.mod h1:uesWD1Ihrldq1M3XtjuEvIUqi8W
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.6.6-0.20250406122223-d47540857e58 h1:hq0W1/K6/UOrv+tCm9YrZ/yDFZJlPVtLmBvayuwUxDM=
+github.com/sagernet/sing v0.6.6-0.20250403102645-159e489fc399 h1:jQ5sGyxICxdPqoakOEE6TbSTYOf/grmt31e/ad749O4=
-github.com/sagernet/sing v0.6.6-0.20250406122223-d47540857e58/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.6.6-0.20250403102645-159e489fc399/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.1 h1:kvCc8HyGAskDHDQ0yQvoTi/7J4cZPB/VJMsAM3MmdQI=
 github.com/sagernet/sing-mux v0.3.1/go.mod h1:Mkdz8LnDstthz0HWuA/5foncnDIdcNN5KZ6AdJX+x78=
-github.com/sagernet/sing-quic v0.4.1 h1:pxlMa4efZu/M07RgGagNNDDyl6ZUwpmNUjRTpgHOWK4=
+github.com/sagernet/sing-quic v0.4.1-beta.1 h1:V2VfMckT3EQR3ZdfSzJgZZDsvfZZH42QAZpnOnHKa0s=
-github.com/sagernet/sing-quic v0.4.1/go.mod h1:tqPa0/Wqa19MkkSlKVZZX5sHxtiDR9BROcn4ufcbVdY=
+github.com/sagernet/sing-quic v0.4.1-beta.1/go.mod h1:c+CytOEyeN20KCTFIP8YQUkNDVFLSzjrEPqP7Hlnxys=
 github.com/sagernet/sing-shadowsocks v0.2.7 h1:zaopR1tbHEw5Nk6FAkM05wCslV6ahVegEZaKMv9ipx8=
 github.com/sagernet/sing-shadowsocks v0.2.7/go.mod h1:0rIKJZBR65Qi0zwdKezt4s57y/Tl1ofkaq6NlkzVuyE=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=

protocol/group/urltest.go

@@ -19,7 +19,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/pause"
 )
@@ -28,7 +27,10 @@ func RegisterURLTest(registry *outbound.Registry) {
 	outbound.Register[option.URLTestOutboundOptions](registry, C.TypeURLTest, NewURLTest)
 }
 
-var _ adapter.OutboundGroup = (*URLTest)(nil)
+var (
+	_ adapter.OutboundGroup           = (*URLTest)(nil)
+	_ adapter.InterfaceUpdateListener = (*URLTest)(nil)
+)
 
 type URLTest struct {
 	outbound.Adapter
@@ -170,12 +172,15 @@ func (s *URLTest) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	s.connection.NewPacketConnection(ctx, s, conn, metadata, onClose)
 }
 
+func (s *URLTest) InterfaceUpdated() {
+	go s.group.CheckOutbounds(true)
+	return
+}
+
 type URLTestGroup struct {
 	ctx                          context.Context
 	router                       adapter.Router
-	outbound                     adapter.OutboundManager
+	outboundManager              adapter.OutboundManager
-	pause                        pause.Manager
-	pauseCallback                *list.Element[pause.Callback]
 	logger                       log.Logger
 	outbounds                    []adapter.Outbound
 	link                         string
@@ -184,10 +189,12 @@ type URLTestGroup struct {
 	idleTimeout                  time.Duration
 	history                      adapter.URLTestHistoryStorage
 	checking                     atomic.Bool
+	pauseManager                 pause.Manager
 	selectedOutboundTCP          adapter.Outbound
 	selectedOutboundUDP          adapter.Outbound
 	interruptGroup               *interrupt.Group
 	interruptExternalConnections bool
+
 	access     sync.Mutex
 	ticker     *time.Ticker
 	close      chan struct{}
@@ -218,7 +225,7 @@ func NewURLTestGroup(ctx context.Context, outboundManager adapter.OutboundManage
 	}
 	return &URLTestGroup{
 		ctx:                          ctx,
-		outbound:                     outboundManager,
+		outboundManager:              outboundManager,
 		logger:                       logger,
 		outbounds:                    outbounds,
 		link:                         link,
@@ -227,15 +234,13 @@ func NewURLTestGroup(ctx context.Context, outboundManager adapter.OutboundManage
 		idleTimeout:                  idleTimeout,
 		history:                      history,
 		close:                        make(chan struct{}),
-		pause:                        service.FromContext[pause.Manager](ctx),
+		pauseManager:                 service.FromContext[pause.Manager](ctx),
 		interruptGroup:               interrupt.NewGroup(),
 		interruptExternalConnections: interruptExternalConnections,
 	}, nil
 }
 
 func (g *URLTestGroup) PostStart() {
-	g.access.Lock()
-	defer g.access.Unlock()
 	g.started = true
 	g.lastActive.Store(time.Now())
 	go g.CheckOutbounds(false)
@@ -245,25 +250,24 @@ func (g *URLTestGroup) Touch() {
 	if !g.started {
 		return
 	}
-	g.access.Lock()
-	defer g.access.Unlock()
 	if g.ticker != nil {
 		g.lastActive.Store(time.Now())
 		return
 	}
+	g.access.Lock()
+	defer g.access.Unlock()
+	if g.ticker != nil {
+		return
+	}
 	g.ticker = time.NewTicker(g.interval)
 	go g.loopCheck()
-	g.pauseCallback = pause.RegisterTicker(g.pause, g.ticker, g.interval, nil)
 }
 
 func (g *URLTestGroup) Close() error {
-	g.access.Lock()
-	defer g.access.Unlock()
 	if g.ticker == nil {
 		return nil
 	}
 	g.ticker.Stop()
-	g.pause.UnregisterCallback(g.pauseCallback)
 	close(g.close)
 	return nil
 }
@@ -327,11 +331,10 @@ func (g *URLTestGroup) loopCheck() {
 			g.access.Lock()
 			g.ticker.Stop()
 			g.ticker = nil
-			g.pause.UnregisterCallback(g.pauseCallback)
-			g.pauseCallback = nil
 			g.access.Unlock()
 			return
 		}
+		g.pauseManager.WaitActive()
 		g.CheckOutbounds(false)
 	}
 }
@@ -364,7 +367,7 @@ func (g *URLTestGroup) urlTest(ctx context.Context, force bool) (map[string]uint
 			continue
 		}
 		checked[realTag] = true
-		p, loaded := g.outbound.Outbound(realTag)
+		p, loaded := g.outboundManager.Outbound(realTag)
 		if !loaded {
 			continue
 		}

protocol/wireguard/endpoint.go

@@ -129,6 +129,7 @@ func (w *Endpoint) Close() error {
 
 func (w *Endpoint) InterfaceUpdated() {
 	w.endpoint.BindUpdate()
+	return
 }
 
 func (w *Endpoint) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr) error {

protocol/wireguard/outbound.go

@@ -133,6 +133,7 @@ func (o *Outbound) Close() error {
 
 func (o *Outbound) InterfaceUpdated() {
 	o.endpoint.BindUpdate()
+	return
 }
 
 func (o *Outbound) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {

route/route.go

@@ -59,6 +59,10 @@ func (r *Router) RouteConnectionEx(ctx context.Context, conn net.Conn, metadata
 }
 
 func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) error {
+	if r.pauseManager.IsDevicePaused() {
+		return E.New("reject connection to ", metadata.Destination, " while device paused")
+	}
+
 	//nolint:staticcheck
 	if metadata.InboundDetour != "" {
 		if metadata.LastInbound == metadata.InboundDetour {
@@ -135,8 +139,8 @@ func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata ad
 	for _, buffer := range buffers {
 		conn = bufio.NewCachedConn(conn, buffer)
 	}
-	for _, tracker := range r.trackers {
+	if r.tracker != nil {
-		conn = tracker.RoutedConnection(ctx, conn, metadata, selectedRule, selectedOutbound)
+		conn = r.tracker.RoutedConnection(ctx, conn, metadata, selectedRule, selectedOutbound)
 	}
 	if outboundHandler, isHandler := selectedOutbound.(adapter.ConnectionHandlerEx); isHandler {
 		outboundHandler.NewConnectionEx(ctx, conn, metadata, onClose)
@@ -181,6 +185,9 @@ func (r *Router) RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn,
 }
 
 func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) error {
+	if r.pauseManager.IsDevicePaused() {
+		return E.New("reject packet connection to ", metadata.Destination, " while device paused")
+	}
 	//nolint:staticcheck
 	if metadata.InboundDetour != "" {
 		if metadata.LastInbound == metadata.InboundDetour {
@@ -250,8 +257,8 @@ func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, m
 		conn = bufio.NewCachedPacketConn(conn, buffer.Buffer, buffer.Destination)
 		N.PutPacketBuffer(buffer)
 	}
-	for _, tracker := range r.trackers {
+	if r.tracker != nil {
-		conn = tracker.RoutedPacketConnection(ctx, conn, metadata, selectedRule, selectedOutbound)
+		conn = r.tracker.RoutedPacketConnection(ctx, conn, metadata, selectedRule, selectedOutbound)
 	}
 	if metadata.FakeIP {
 		conn = bufio.NewNATPacketConn(bufio.NewNetPacketConn(conn), metadata.OriginDestination, metadata.Destination)

route/router.go

@@ -36,7 +36,7 @@ type Router struct {
 	ruleSetMap        map[string]adapter.RuleSet
 	processSearcher   process.Searcher
 	pauseManager      pause.Manager
-	trackers          []adapter.ConnectionTracker
+	tracker           adapter.ConnectionTracker
 	platformInterface platform.Interface
 	needWIFIState     bool
 	started           bool
@@ -203,8 +203,8 @@ func (r *Router) Rules() []adapter.Rule {
 	return r.rules
 }
 
-func (r *Router) AppendTracker(tracker adapter.ConnectionTracker) {
+func (r *Router) SetTracker(tracker adapter.ConnectionTracker) {
-	r.trackers = append(r.trackers, tracker)
+	r.tracker = tracker
 }
 
 func (r *Router) ResetNetwork() {

route/rule/rule_action.go

@@ -305,9 +305,6 @@ func (r *RuleActionReject) Error(ctx context.Context) error {
 	default:
 		panic(F.ToString("unknown reject method: ", r.Method))
 	}
-	if r.NoDrop {
-		return returnErr
-	}
 	r.dropAccess.Lock()
 	defer r.dropAccess.Unlock()
 	timeNow := time.Now()

route/rule/rule_set_remote.go

@@ -105,7 +105,7 @@ func (s *RemoteRuleSet) StartContext(ctx context.Context, startContext *adapter.
 		}
 	}
 	if s.lastUpdated.IsZero() {
-		err := s.fetch(ctx, startContext)
+		err := s.fetchOnce(ctx, startContext)
 		if err != nil {
 			return E.Cause(err, "initial rule-set: ", s.options.Tag)
 		}
@@ -200,7 +200,7 @@ func (s *RemoteRuleSet) loadBytes(content []byte) error {
 
 func (s *RemoteRuleSet) loopUpdate() {
 	if time.Since(s.lastUpdated) > s.updateInterval {
-		err := s.fetch(s.ctx, nil)
+		err := s.fetchOnce(s.ctx, nil)
 		if err != nil {
 			s.logger.Error("fetch rule-set ", s.options.Tag, ": ", err)
 		} else if s.refs.Load() == 0 {
@@ -213,21 +213,18 @@ func (s *RemoteRuleSet) loopUpdate() {
 		case <-s.ctx.Done():
 			return
 		case <-s.updateTicker.C:
-			s.updateOnce()
+			s.pauseManager.WaitActive()
-		}
+			err := s.fetchOnce(s.ctx, nil)
-	}
-}
-
-func (s *RemoteRuleSet) updateOnce() {
-	err := s.fetch(s.ctx, nil)
 			if err != nil {
 				s.logger.Error("fetch rule-set ", s.options.Tag, ": ", err)
 			} else if s.refs.Load() == 0 {
 				s.rules = nil
 			}
 		}
+	}
+}
 
-func (s *RemoteRuleSet) fetch(ctx context.Context, startContext *adapter.HTTPStartContext) error {
+func (s *RemoteRuleSet) fetchOnce(ctx context.Context, startContext *adapter.HTTPStartContext) error {
 	s.logger.Debug("updating rule-set ", s.options.Tag, " from URL: ", s.options.RemoteOptions.URL)
 	var httpClient *http.Client
 	if startContext != nil {

transport/wireguard/endpoint.go

@@ -30,7 +30,7 @@ type Endpoint struct {
 	allowedAddress []netip.Prefix
 	tunDevice      Device
 	device         *device.Device
-	pause          pause.Manager
+	pauseManager   pause.Manager
 	pauseCallback  *list.Element[pause.Callback]
 }
 
@@ -187,9 +187,9 @@ func (e *Endpoint) Start(resolve bool) error {
 		return E.Cause(err, "setup wireguard: \n", ipcConf)
 	}
 	e.device = wgDevice
-	e.pause = service.FromContext[pause.Manager](e.options.Context)
+	e.pauseManager = service.FromContext[pause.Manager](e.options.Context)
-	if e.pause != nil {
+	if e.pauseManager != nil {
-		e.pauseCallback = e.pause.RegisterCallback(e.onPauseUpdated)
+		e.pauseCallback = e.pauseManager.RegisterCallback(e.onPauseUpdated)
 	}
 	return nil
 }
@@ -217,16 +217,16 @@ func (e *Endpoint) Close() error {
 		e.device.Close()
 	}
 	if e.pauseCallback != nil {
-		e.pause.UnregisterCallback(e.pauseCallback)
+		e.pauseManager.UnregisterCallback(e.pauseCallback)
 	}
 	return nil
 }
 
 func (e *Endpoint) onPauseUpdated(event int) {
 	switch event {
-	case pause.EventDevicePaused, pause.EventNetworkPause:
+	case pause.EventDevicePaused:
 		e.device.Down()
-	case pause.EventDeviceWake, pause.EventNetworkWake:
+	case pause.EventDeviceWake:
 		e.device.Up()
 	}
 }