documentation: Bump version

Reference: https://gitlab.com/go-extension/tls

.github/setup_legacy_go.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-VERSION="1.23.6"
+VERSION="1.23.12"
 
 mkdir -p $HOME/go
 cd $HOME/go

.github/workflows/build.yml

@@ -40,13 +40,13 @@ jobs:
       version: ${{ steps.outputs.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24.6
+          go-version: ^1.25.1
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -88,13 +88,14 @@ jobs:
           - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
 
           - { os: windows, arch: amd64 }
-          - { os: windows, arch: amd64, legacy_go: true }
+          - { os: windows, arch: amd64, legacy_go123: true, legacy_name: "windows-7" }
           - { os: windows, arch: "386" }
-          - { os: windows, arch: "386", legacy_go: true }
+          - { os: windows, arch: "386", legacy_go123: true, legacy_name: "windows-7" }
           - { os: windows, arch: arm64 }
 
           - { os: darwin, arch: amd64 }
           - { os: darwin, arch: arm64 }
+          - { os: darwin, arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
 
           - { os: android, arch: arm64, ndk: "aarch64-linux-android21" }
           - { os: android, arch: arm, ndk: "armv7a-linux-androideabi21" }
@@ -102,28 +103,33 @@ jobs:
           - { os: android, arch: "386", ndk: "i686-linux-android21" }
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
       - name: Setup Go
-        if: ${{ ! matrix.legacy_go }}
+        if: ${{ ! (matrix.legacy_go123 || matrix.legacy_go124) }}
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24.6
-      - name: Cache Legacy Go
-        if: matrix.require_legacy_go
+          go-version: ^1.25.1
+      - name: Setup Go 1.24
+        if: matrix.legacy_go124
+        uses: actions/setup-go@v5
+        with:
+          go-version: ~1.24.6
+      - name: Cache Go 1.23
+        if: matrix.legacy_go123
         id: cache-legacy-go
         uses: actions/cache@v4
         with:
           path: |
             ~/go/go_legacy
-          key: go_legacy_1236
-      - name: Setup Legacy Go
-        if: matrix.legacy_go && steps.cache-legacy-go.outputs.cache-hit != 'true'
+          key: go_legacy_12312
+      - name: Setup Go 1.23
+        if: matrix.legacy_go123 && steps.cache-legacy-go.outputs.cache-hit != 'true'
         run: |-
           .github/setup_legacy_go.sh
-      - name: Setup Legacy Go 2
-        if: matrix.legacy_go
+      - name: Setup Go 1.23
+        if: matrix.legacy_go123
         run: |-
           echo "PATH=$HOME/go/go_legacy/bin:$PATH" >> $GITHUB_ENV
           echo "GOROOT=$HOME/go/go_legacy" >> $GITHUB_ENV
@@ -148,7 +154,7 @@ jobs:
           set -xeuo pipefail
           mkdir -p dist
           go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "0"
@@ -168,7 +174,7 @@ jobs:
           export CXX="${CC}++"
           mkdir -p dist
           GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
-          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
           ./cmd/sing-box
         env:
           CGO_ENABLED: "1"
@@ -184,8 +190,8 @@ jobs:
             DIR_NAME="${DIR_NAME}-${{ matrix.go386 }}"
           elif [[ -n "${{ matrix.gomips }}" && "${{ matrix.gomips }}" != 'hardfloat' ]]; then
             DIR_NAME="${DIR_NAME}-${{ matrix.gomips }}"
-          elif [[ "${{ matrix.legacy_go }}" == 'true' ]]; then
-            DIR_NAME="${DIR_NAME}-legacy"
+          elif [[ -n "${{ matrix.legacy_name }}" ]]; then
+            DIR_NAME="${DIR_NAME}-legacy-${{ matrix.legacy_name }}"
           fi
           echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
           PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
@@ -277,7 +283,7 @@ jobs:
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
-          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_go && '-legacy' || '' }}
+          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}
           path: "dist"
   build_android:
     name: Build Android
@@ -287,14 +293,14 @@ jobs:
       - calculate_version
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24.6
+          go-version: ^1.25.1
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -367,14 +373,14 @@ jobs:
       - calculate_version
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24.6
+          go-version: ^1.25.1
       - name: Setup Android NDK
         id: setup-ndk
         uses: nttld/setup-ndk@v1
@@ -464,7 +470,7 @@ jobs:
     steps:
       - name: Checkout
         if: matrix.if
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
           submodules: 'recursive'
@@ -472,7 +478,7 @@ jobs:
         if: matrix.if
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24.6
+          go-version: ^1.25.1
       - name: Setup Xcode stable
         if: matrix.if && github.ref == 'refs/heads/main-next'
         run: |-
@@ -624,7 +630,7 @@ jobs:
       - build_apple
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
       - name: Cache ghr
@@ -647,7 +653,7 @@ jobs:
           git tag v${{ needs.calculate_version.outputs.version }} -f
           echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
       - name: Download builds
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           path: dist
           merge-multiple: true

.github/workflows/docker.yml

@@ -39,7 +39,7 @@ jobs:
           echo "ref=$ref"
           echo "ref=$ref" >> $GITHUB_OUTPUT
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           ref: ${{ steps.ref.outputs.ref }}
           fetch-depth: 0
@@ -107,7 +107,7 @@ jobs:
           echo "latest=$latest"
           echo "latest=$latest" >> $GITHUB_OUTPUT
       - name: Download digests
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           path: /tmp/digests
           pattern: digests-*

.github/workflows/lint.yml

@@ -22,15 +22,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24.6
+          go-version: ^1.25
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v8
         with:
           version: latest
           args: --timeout=30m

.github/workflows/linux.yml

@@ -7,6 +7,11 @@ on:
         description: "Version name"
         required: true
         type: string
+      forceBeta:
+        description: "Force beta"
+        required: false
+        type: boolean
+        default: false
   release:
     types:
       - published
@@ -19,13 +24,13 @@ jobs:
       version: ${{ steps.outputs.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24.6
+          go-version: ^1.25.1
       - name: Check input version
         if: github.event_name == 'workflow_dispatch'
         run: |-
@@ -60,13 +65,13 @@ jobs:
           - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.24.6
+          go-version: ^1.25.1
       - name: Setup Android NDK
         if: matrix.os == 'android'
         uses: nttld/setup-ndk@v1
@@ -99,11 +104,11 @@ jobs:
         run: |-
           TZ=UTC touch -t '197001010000' dist/sing-box
       - name: Set name
-        if: ${{ ! contains(needs.calculate_version.outputs.version, '-') }}
+        if: (! contains(needs.calculate_version.outputs.version, '-')) && !inputs.forceBeta
         run: |-
           echo "NAME=sing-box" >> "$GITHUB_ENV"
       - name: Set beta name
-        if: contains(needs.calculate_version.outputs.version, '-')
+        if: contains(needs.calculate_version.outputs.version, '-') || inputs.forceBeta
         run: |-
           echo "NAME=sing-box-beta" >> "$GITHUB_ENV"
       - name: Set version
@@ -166,7 +171,7 @@ jobs:
       - build
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
       - name: Set tag
@@ -175,7 +180,7 @@ jobs:
           git tag v${{ needs.calculate_version.outputs.version }} -f
           echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
       - name: Download builds
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           path: dist
           merge-multiple: true

.golangci.yml

@@ -1,27 +1,6 @@
-linters:
-  disable-all: true
-  enable:
-    - gofumpt
-    - govet
-    - gci
-    - staticcheck
-    - paralleltest
-    - ineffassign
-
-linters-settings:
-  gci:
-    custom-order: true
-    sections:
-      - standard
-      - prefix(github.com/sagernet/)
-      - default
-  staticcheck:
-    checks:
-      - all
-      - -SA1003
-
+version: "2"
 run:
-  go: "1.23"
+  go: "1.25"
   build-tags:
     - with_gvisor
     - with_quic
@@ -30,7 +9,51 @@ run:
     - with_utls
     - with_acme
     - with_clash_api
-
-issues:
-  exclude-dirs:
-    - transport/simple-obfs
+linters:
+  default: none
+  enable:
+    - govet
+    - ineffassign
+    - paralleltest
+    - staticcheck
+  settings:
+    staticcheck:
+      checks:
+        - all
+        - -S1000
+        - -S1008
+        - -S1017
+        - -ST1003
+        - -QF1001
+        - -QF1003
+        - -QF1008
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - transport/simple-obfs
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gci
+    - gofumpt
+  settings:
+    gci:
+      sections:
+        - standard
+        - prefix(github.com/sagernet/)
+        - default
+      custom-order: true
+  exclusions:
+    generated: lax
+    paths:
+      - transport/simple-obfs
+      - third_party$
+      - builtin$
+      - examples$

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
@@ -15,7 +15,7 @@ RUN set -ex \
     && go build -v -trimpath -tags \
         "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale" \
         -o /go/bin/sing-box \
-        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid= -checklinkname=0" \
         ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"

Makefile

@@ -6,7 +6,7 @@ GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)
 
-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid= -checklinkname=0"
 MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
@@ -45,7 +45,7 @@ lint:
 	GOOS=freebsd golangci-lint run ./...
 
 lint_install:
-	go install -v github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
 
 proto:
 	@go run ./cmd/internal/protogen
@@ -245,8 +245,8 @@ lib:
 	go run ./cmd/internal/build_libbox -target ios
 
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.7
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.7
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.8
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.8
 
 docs:
 	venv/bin/mkdocs serve

adapter/inbound.go

@@ -57,6 +57,7 @@ type InboundContext struct {
 	Domain       string
 	Client       string
 	SniffContext any
+	SnifferNames []string
 	SniffError   error
 
 	// cache
@@ -135,8 +136,7 @@ func ExtendContext(ctx context.Context) (context.Context, *InboundContext) {
 
 func OverrideContext(ctx context.Context) context.Context {
 	if metadata := ContextFrom(ctx); metadata != nil {
-		var newMetadata InboundContext
-		newMetadata = *metadata
+		newMetadata := *metadata
 		return WithContext(ctx, &newMetadata)
 	}
 	return ctx

adapter/network.go

@@ -20,6 +20,7 @@ type NetworkManager interface {
 	DefaultOptions() NetworkOptions
 	RegisterAutoRedirectOutputMark(mark uint32) error
 	AutoRedirectOutputMark() uint32
+	AutoRedirectOutputMarkFunc() control.Func
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager

adapter/outbound.go

@@ -2,9 +2,12 @@ package adapter
 
 import (
 	"context"
+	"net/netip"
+	"time"
 
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-tun"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -18,6 +21,17 @@ type Outbound interface {
 	N.Dialer
 }
 
+type OutboundWithPreferredRoutes interface {
+	Outbound
+	PreferredDomain(domain string) bool
+	PreferredAddress(address netip.Addr) bool
+}
+
+type DirectRouteOutbound interface {
+	Outbound
+	NewDirectRouteConnection(metadata InboundContext, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error)
+}
+
 type OutboundRegistry interface {
 	option.OutboundOptionsRegistry
 	CreateOutbound(ctx context.Context, router Router, logger log.ContextLogger, tag string, outboundType string, options any) (Outbound, error)

adapter/outbound/manager.go

@@ -30,7 +30,7 @@ type Manager struct {
 	outboundByTag           map[string]adapter.Outbound
 	dependByTag             map[string][]string
 	defaultOutbound         adapter.Outbound
-	defaultOutboundFallback adapter.Outbound
+	defaultOutboundFallback func() (adapter.Outbound, error)
 }
 
 func NewManager(logger logger.ContextLogger, registry adapter.OutboundRegistry, endpoint adapter.EndpointManager, defaultTag string) *Manager {
@@ -44,7 +44,7 @@ func NewManager(logger logger.ContextLogger, registry adapter.OutboundRegistry,
 	}
 }
 
-func (m *Manager) Initialize(defaultOutboundFallback adapter.Outbound) {
+func (m *Manager) Initialize(defaultOutboundFallback func() (adapter.Outbound, error)) {
 	m.defaultOutboundFallback = defaultOutboundFallback
 }
 
@@ -55,18 +55,31 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 	}
 	m.started = true
 	m.stage = stage
-	outbounds := m.outbounds
-	m.access.Unlock()
 	if stage == adapter.StartStateStart {
 		if m.defaultTag != "" && m.defaultOutbound == nil {
 			defaultEndpoint, loaded := m.endpoint.Get(m.defaultTag)
 			if !loaded {
+				m.access.Unlock()
 				return E.New("default outbound not found: ", m.defaultTag)
 			}
 			m.defaultOutbound = defaultEndpoint
 		}
+		if m.defaultOutbound == nil {
+			directOutbound, err := m.defaultOutboundFallback()
+			if err != nil {
+				m.access.Unlock()
+				return E.Cause(err, "create direct outbound for fallback")
+			}
+			m.outbounds = append(m.outbounds, directOutbound)
+			m.outboundByTag[directOutbound.Tag()] = directOutbound
+			m.defaultOutbound = directOutbound
+		}
+		outbounds := m.outbounds
+		m.access.Unlock()
 		return m.startOutbounds(append(outbounds, common.Map(m.endpoint.Endpoints(), func(it adapter.Endpoint) adapter.Outbound { return it })...))
 	} else {
+		outbounds := m.outbounds
+		m.access.Unlock()
 		for _, outbound := range outbounds {
 			err := adapter.LegacyStart(outbound, stage)
 			if err != nil {
@@ -187,11 +200,7 @@ func (m *Manager) Outbound(tag string) (adapter.Outbound, bool) {
 func (m *Manager) Default() adapter.Outbound {
 	m.access.RLock()
 	defer m.access.RUnlock()
-	if m.defaultOutbound != nil {
-		return m.defaultOutbound
-	} else {
-		return m.defaultOutboundFallback
-	}
+	return m.defaultOutbound
 }
 
 func (m *Manager) Remove(tag string) error {

adapter/router.go

@@ -6,8 +6,10 @@ import (
 	"net"
 	"net/http"
 	"sync"
+	"time"
 
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-tun"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"
@@ -19,7 +21,7 @@ import (
 type Router interface {
 	Lifecycle
 	ConnectionRouter
-	PreMatch(metadata InboundContext) error
+	PreMatch(metadata InboundContext, context tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error)
 	ConnectionRouterEx
 	RuleSet(tag string) (RuleSet, bool)
 	NeedWIFIState() bool

adapter/upstream_legacy.go

@@ -78,8 +78,8 @@ func (w *myUpstreamHandlerWrapper) NewError(ctx context.Context, err error) {
 // Deprecated: removed
 func UpstreamMetadata(metadata InboundContext) M.Metadata {
 	return M.Metadata{
-		Source:      metadata.Source,
-		Destination: metadata.Destination,
+		Source:      metadata.Source.Unwrap(),
+		Destination: metadata.Destination.Unwrap(),
 	}
 }
 

box.go

@@ -314,22 +314,23 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize service[", i, "]")
 		}
 	}
-	outboundManager.Initialize(common.Must1(
-		direct.NewOutbound(
+	outboundManager.Initialize(func() (adapter.Outbound, error) {
+		return direct.NewOutbound(
 			ctx,
 			router,
 			logFactory.NewLogger("outbound/direct"),
 			"direct",
 			option.DirectOutboundOptions{},
-		),
-	))
-	dnsTransportManager.Initialize(common.Must1(
-		local.NewTransport(
+		)
+	})
+	dnsTransportManager.Initialize(func() (adapter.DNSTransport, error) {
+		return local.NewTransport(
 			ctx,
 			logFactory.NewLogger("dns/local"),
 			"local",
 			option.LocalDNSServerOptions{},
-		)))
+		)
+	})
 	if platformInterface != nil {
 		err = platformInterface.Initialize(networkManager)
 		if err != nil {

clients/android

@@ -1 +1 @@
-Subproject commit 6db8e06e8d6c77648e79e3f93bdd41a4d48cc319
+Subproject commit 9d71ede01a1a51bb459847bb5d4444b2846c77de

cmd/internal/build_libbox/main.go

@@ -46,7 +46,7 @@ var (
 	sharedFlags []string
 	debugFlags  []string
 	sharedTags  []string
-	darwinTags  []string
+	macOSTags   []string
 	memcTags    []string
 	notMemcTags []string
 	debugTags   []string
@@ -59,11 +59,11 @@ func init() {
 	if err != nil {
 		currentTag = "unknown"
 	}
-	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
-	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
+	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=  -checklinkname=0")
+	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -checklinkname=0")
 
 	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api", "with_conntrack")
-	darwinTags = append(darwinTags, "with_dhcp")
+	macOSTags = append(macOSTags, "with_dhcp")
 	memcTags = append(memcTags, "with_tailscale")
 	notMemcTags = append(notMemcTags, "with_low_memory")
 	debugTags = append(debugTags, "debug")
@@ -107,13 +107,13 @@ func buildAndroid() {
 	}
 
 	if !debugEnabled {
+		// sharedFlags[3] = sharedFlags[3] + " -checklinkname=0"
 		args = append(args, sharedFlags...)
 	} else {
+		// debugFlags[1] = debugFlags[1] + " -checklinkname=0"
 		args = append(args, debugFlags...)
 	}
 
-	args = append(args, "-ldflags", "-checklinkname=0")
-
 	tags := append(sharedTags, memcTags...)
 	if debugEnabled {
 		tags = append(tags, debugTags...)
@@ -160,7 +160,9 @@ func buildApple() {
 		"-tags-not-macos=with_low_memory",
 	}
 	if !withTailscale {
-		args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
+		args = append(args, "-tags-macos="+strings.Join(append(macOSTags, memcTags...), ","))
+	} else {
+		args = append(args, "-tags-macos="+strings.Join(macOSTags, ","))
 	}
 
 	if !debugEnabled {
@@ -169,7 +171,7 @@ func buildApple() {
 		args = append(args, debugFlags...)
 	}
 
-	tags := append(sharedTags, darwinTags...)
+	tags := sharedTags
 	if withTailscale {
 		tags = append(tags, memcTags...)
 	}

cmd/internal/tun_bench/main.go

@@ -151,9 +151,7 @@ func testOnce(boxPath string, stackName string, mtu int, multiThread bool, flags
 	var sudoArgs []string
 	if len(flags) > 0 {
 		sudoArgs = append(sudoArgs, "env")
-		for _, flag := range flags {
-			sudoArgs = append(sudoArgs, flag)
-		}
+		sudoArgs = append(sudoArgs, flags...)
 	}
 	sudoArgs = append(sudoArgs, boxPath, "run", "-c", tempConfig.Name())
 	boxProcess := shell.Exec("sudo", sudoArgs...)

cmd/sing-box/cmd_rule_set_compile.go

@@ -6,8 +6,10 @@ import (
 	"strings"
 
 	"github.com/sagernet/sing-box/common/srs"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/route/rule"
 	"github.com/sagernet/sing/common/json"
 
 	"github.com/spf13/cobra"
@@ -69,7 +71,7 @@ func compileRuleSet(sourcePath string) error {
 	if err != nil {
 		return err
 	}
-	err = srs.Write(outputFile, plainRuleSet.Options, plainRuleSet.Version)
+	err = srs.Write(outputFile, plainRuleSet.Options, downgradeRuleSetVersion(plainRuleSet.Version, plainRuleSet.Options))
 	if err != nil {
 		outputFile.Close()
 		os.Remove(outputPath)
@@ -78,3 +80,18 @@ func compileRuleSet(sourcePath string) error {
 	outputFile.Close()
 	return nil
 }
+
+func downgradeRuleSetVersion(version uint8, options option.PlainRuleSet) uint8 {
+	if version == C.RuleSetVersion4 && !rule.HasHeadlessRule(options.Rules, func(rule option.DefaultHeadlessRule) bool {
+		return rule.NetworkInterfaceAddress != nil && rule.NetworkInterfaceAddress.Size() > 0 ||
+			len(rule.DefaultInterfaceAddress) > 0
+	}) {
+		version = C.RuleSetVersion3
+	}
+	if version == C.RuleSetVersion3 && !rule.HasHeadlessRule(options.Rules, func(rule option.DefaultHeadlessRule) bool {
+		return len(rule.NetworkType) > 0 || rule.NetworkIsExpensive || rule.NetworkIsConstrained
+	}) {
+		version = C.RuleSetVersion2
+	}
+	return version
+}

common/badtls/raw_conn.go

@@ -0,0 +1,176 @@
+//go:build go1.25 && !without_badtls
+
+package badtls
+
+import (
+	"bytes"
+	"os"
+	"reflect"
+	"sync/atomic"
+	"unsafe"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/tls"
+)
+
+type RawConn struct {
+	pointer unsafe.Pointer
+	methods *Methods
+
+	IsClient            *bool
+	IsHandshakeComplete *atomic.Bool
+	Vers                *uint16
+	CipherSuite         *uint16
+
+	RawInput *bytes.Buffer
+	Input    *bytes.Reader
+	Hand     *bytes.Buffer
+
+	CloseNotifySent *bool
+	CloseNotifyErr  *error
+
+	In  *RawHalfConn
+	Out *RawHalfConn
+
+	BytesSent   *int64
+	PacketsSent *int64
+
+	ActiveCall *atomic.Int32
+	Tmp        *[16]byte
+}
+
+func NewRawConn(rawTLSConn tls.Conn) (*RawConn, error) {
+	var (
+		pointer unsafe.Pointer
+		methods *Methods
+		loaded  bool
+	)
+	for _, tlsCreator := range methodRegistry {
+		pointer, methods, loaded = tlsCreator(rawTLSConn)
+		if loaded {
+			break
+		}
+	}
+	if !loaded {
+		return nil, os.ErrInvalid
+	}
+
+	conn := &RawConn{
+		pointer: pointer,
+		methods: methods,
+	}
+
+	rawConn := reflect.Indirect(reflect.ValueOf(rawTLSConn))
+
+	rawIsClient := rawConn.FieldByName("isClient")
+	if !rawIsClient.IsValid() || rawIsClient.Kind() != reflect.Bool {
+		return nil, E.New("invalid Conn.isClient")
+	}
+	conn.IsClient = (*bool)(unsafe.Pointer(rawIsClient.UnsafeAddr()))
+
+	rawIsHandshakeComplete := rawConn.FieldByName("isHandshakeComplete")
+	if !rawIsHandshakeComplete.IsValid() || rawIsHandshakeComplete.Kind() != reflect.Struct {
+		return nil, E.New("invalid Conn.isHandshakeComplete")
+	}
+	conn.IsHandshakeComplete = (*atomic.Bool)(unsafe.Pointer(rawIsHandshakeComplete.UnsafeAddr()))
+
+	rawVers := rawConn.FieldByName("vers")
+	if !rawVers.IsValid() || rawVers.Kind() != reflect.Uint16 {
+		return nil, E.New("invalid Conn.vers")
+	}
+	conn.Vers = (*uint16)(unsafe.Pointer(rawVers.UnsafeAddr()))
+
+	rawCipherSuite := rawConn.FieldByName("cipherSuite")
+	if !rawCipherSuite.IsValid() || rawCipherSuite.Kind() != reflect.Uint16 {
+		return nil, E.New("invalid Conn.cipherSuite")
+	}
+	conn.CipherSuite = (*uint16)(unsafe.Pointer(rawCipherSuite.UnsafeAddr()))
+
+	rawRawInput := rawConn.FieldByName("rawInput")
+	if !rawRawInput.IsValid() || rawRawInput.Kind() != reflect.Struct {
+		return nil, E.New("invalid Conn.rawInput")
+	}
+	conn.RawInput = (*bytes.Buffer)(unsafe.Pointer(rawRawInput.UnsafeAddr()))
+
+	rawInput := rawConn.FieldByName("input")
+	if !rawInput.IsValid() || rawInput.Kind() != reflect.Struct {
+		return nil, E.New("invalid Conn.input")
+	}
+	conn.Input = (*bytes.Reader)(unsafe.Pointer(rawInput.UnsafeAddr()))
+
+	rawHand := rawConn.FieldByName("hand")
+	if !rawHand.IsValid() || rawHand.Kind() != reflect.Struct {
+		return nil, E.New("invalid Conn.hand")
+	}
+	conn.Hand = (*bytes.Buffer)(unsafe.Pointer(rawHand.UnsafeAddr()))
+
+	rawCloseNotifySent := rawConn.FieldByName("closeNotifySent")
+	if !rawCloseNotifySent.IsValid() || rawCloseNotifySent.Kind() != reflect.Bool {
+		return nil, E.New("invalid Conn.closeNotifySent")
+	}
+	conn.CloseNotifySent = (*bool)(unsafe.Pointer(rawCloseNotifySent.UnsafeAddr()))
+
+	rawCloseNotifyErr := rawConn.FieldByName("closeNotifyErr")
+	if !rawCloseNotifyErr.IsValid() || rawCloseNotifyErr.Kind() != reflect.Interface {
+		return nil, E.New("invalid Conn.closeNotifyErr")
+	}
+	conn.CloseNotifyErr = (*error)(unsafe.Pointer(rawCloseNotifyErr.UnsafeAddr()))
+
+	rawIn := rawConn.FieldByName("in")
+	if !rawIn.IsValid() || rawIn.Kind() != reflect.Struct {
+		return nil, E.New("invalid Conn.in")
+	}
+	halfIn, err := NewRawHalfConn(rawIn, methods)
+	if err != nil {
+		return nil, E.Cause(err, "invalid Conn.in")
+	}
+	conn.In = halfIn
+
+	rawOut := rawConn.FieldByName("out")
+	if !rawOut.IsValid() || rawOut.Kind() != reflect.Struct {
+		return nil, E.New("invalid Conn.out")
+	}
+	halfOut, err := NewRawHalfConn(rawOut, methods)
+	if err != nil {
+		return nil, E.Cause(err, "invalid Conn.out")
+	}
+	conn.Out = halfOut
+
+	rawBytesSent := rawConn.FieldByName("bytesSent")
+	if !rawBytesSent.IsValid() || rawBytesSent.Kind() != reflect.Int64 {
+		return nil, E.New("invalid Conn.bytesSent")
+	}
+	conn.BytesSent = (*int64)(unsafe.Pointer(rawBytesSent.UnsafeAddr()))
+
+	rawPacketsSent := rawConn.FieldByName("packetsSent")
+	if !rawPacketsSent.IsValid() || rawPacketsSent.Kind() != reflect.Int64 {
+		return nil, E.New("invalid Conn.packetsSent")
+	}
+	conn.PacketsSent = (*int64)(unsafe.Pointer(rawPacketsSent.UnsafeAddr()))
+
+	rawActiveCall := rawConn.FieldByName("activeCall")
+	if !rawActiveCall.IsValid() || rawActiveCall.Kind() != reflect.Struct {
+		return nil, E.New("invalid Conn.activeCall")
+	}
+	conn.ActiveCall = (*atomic.Int32)(unsafe.Pointer(rawActiveCall.UnsafeAddr()))
+
+	rawTmp := rawConn.FieldByName("tmp")
+	if !rawTmp.IsValid() || rawTmp.Kind() != reflect.Array || rawTmp.Len() != 16 || rawTmp.Type().Elem().Kind() != reflect.Uint8 {
+		return nil, E.New("invalid Conn.tmp")
+	}
+	conn.Tmp = (*[16]byte)(unsafe.Pointer(rawTmp.UnsafeAddr()))
+
+	return conn, nil
+}
+
+func (c *RawConn) ReadRecord() error {
+	return c.methods.readRecord(c.pointer)
+}
+
+func (c *RawConn) HandlePostHandshakeMessage() error {
+	return c.methods.handlePostHandshakeMessage(c.pointer)
+}
+
+func (c *RawConn) WriteRecordLocked(typ uint16, data []byte) (int, error) {
+	return c.methods.writeRecordLocked(c.pointer, typ, data)
+}

common/badtls/raw_half_conn.go

@@ -0,0 +1,121 @@
+//go:build go1.25 && !without_badtls
+
+package badtls
+
+import (
+	"hash"
+	"reflect"
+	"sync"
+	"unsafe"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type RawHalfConn struct {
+	pointer unsafe.Pointer
+	methods *Methods
+	*sync.Mutex
+	Err           *error
+	Version       *uint16
+	Cipher        *any
+	Seq           *[8]byte
+	ScratchBuf    *[13]byte
+	TrafficSecret *[]byte
+	Mac           *hash.Hash
+	RawKey        *[]byte
+	RawIV         *[]byte
+	RawMac        *[]byte
+}
+
+func NewRawHalfConn(rawHalfConn reflect.Value, methods *Methods) (*RawHalfConn, error) {
+	halfConn := &RawHalfConn{
+		pointer: (unsafe.Pointer)(rawHalfConn.UnsafeAddr()),
+		methods: methods,
+	}
+
+	rawMutex := rawHalfConn.FieldByName("Mutex")
+	if !rawMutex.IsValid() || rawMutex.Kind() != reflect.Struct {
+		return nil, E.New("badtls: invalid halfConn.Mutex")
+	}
+	halfConn.Mutex = (*sync.Mutex)(unsafe.Pointer(rawMutex.UnsafeAddr()))
+
+	rawErr := rawHalfConn.FieldByName("err")
+	if !rawErr.IsValid() || rawErr.Kind() != reflect.Interface {
+		return nil, E.New("badtls: invalid halfConn.err")
+	}
+	halfConn.Err = (*error)(unsafe.Pointer(rawErr.UnsafeAddr()))
+
+	rawVersion := rawHalfConn.FieldByName("version")
+	if !rawVersion.IsValid() || rawVersion.Kind() != reflect.Uint16 {
+		return nil, E.New("badtls: invalid halfConn.version")
+	}
+	halfConn.Version = (*uint16)(unsafe.Pointer(rawVersion.UnsafeAddr()))
+
+	rawCipher := rawHalfConn.FieldByName("cipher")
+	if !rawCipher.IsValid() || rawCipher.Kind() != reflect.Interface {
+		return nil, E.New("badtls: invalid halfConn.cipher")
+	}
+	halfConn.Cipher = (*any)(unsafe.Pointer(rawCipher.UnsafeAddr()))
+
+	rawSeq := rawHalfConn.FieldByName("seq")
+	if !rawSeq.IsValid() || rawSeq.Kind() != reflect.Array || rawSeq.Len() != 8 || rawSeq.Type().Elem().Kind() != reflect.Uint8 {
+		return nil, E.New("badtls: invalid halfConn.seq")
+	}
+	halfConn.Seq = (*[8]byte)(unsafe.Pointer(rawSeq.UnsafeAddr()))
+
+	rawScratchBuf := rawHalfConn.FieldByName("scratchBuf")
+	if !rawScratchBuf.IsValid() || rawScratchBuf.Kind() != reflect.Array || rawScratchBuf.Len() != 13 || rawScratchBuf.Type().Elem().Kind() != reflect.Uint8 {
+		return nil, E.New("badtls: invalid halfConn.scratchBuf")
+	}
+	halfConn.ScratchBuf = (*[13]byte)(unsafe.Pointer(rawScratchBuf.UnsafeAddr()))
+
+	rawTrafficSecret := rawHalfConn.FieldByName("trafficSecret")
+	if !rawTrafficSecret.IsValid() || rawTrafficSecret.Kind() != reflect.Slice || rawTrafficSecret.Type().Elem().Kind() != reflect.Uint8 {
+		return nil, E.New("badtls: invalid halfConn.trafficSecret")
+	}
+	halfConn.TrafficSecret = (*[]byte)(unsafe.Pointer(rawTrafficSecret.UnsafeAddr()))
+
+	rawMac := rawHalfConn.FieldByName("mac")
+	if !rawMac.IsValid() || rawMac.Kind() != reflect.Interface {
+		return nil, E.New("badtls: invalid halfConn.mac")
+	}
+	halfConn.Mac = (*hash.Hash)(unsafe.Pointer(rawMac.UnsafeAddr()))
+
+	rawKey := rawHalfConn.FieldByName("rawKey")
+	if rawKey.IsValid() {
+		if /*!rawKey.IsValid() || */ rawKey.Kind() != reflect.Slice || rawKey.Type().Elem().Kind() != reflect.Uint8 {
+			return nil, E.New("badtls: invalid halfConn.rawKey")
+		}
+		halfConn.RawKey = (*[]byte)(unsafe.Pointer(rawKey.UnsafeAddr()))
+
+		rawIV := rawHalfConn.FieldByName("rawIV")
+		if !rawIV.IsValid() || rawIV.Kind() != reflect.Slice || rawIV.Type().Elem().Kind() != reflect.Uint8 {
+			return nil, E.New("badtls: invalid halfConn.rawIV")
+		}
+		halfConn.RawIV = (*[]byte)(unsafe.Pointer(rawIV.UnsafeAddr()))
+
+		rawMAC := rawHalfConn.FieldByName("rawMac")
+		if !rawMAC.IsValid() || rawMAC.Kind() != reflect.Slice || rawMAC.Type().Elem().Kind() != reflect.Uint8 {
+			return nil, E.New("badtls: invalid halfConn.rawMac")
+		}
+		halfConn.RawMac = (*[]byte)(unsafe.Pointer(rawMAC.UnsafeAddr()))
+	}
+
+	return halfConn, nil
+}
+
+func (hc *RawHalfConn) Decrypt(record []byte) ([]byte, uint8, error) {
+	return hc.methods.decrypt(hc.pointer, record)
+}
+
+func (hc *RawHalfConn) SetErrorLocked(err error) error {
+	return hc.methods.setErrorLocked(hc.pointer, err)
+}
+
+func (hc *RawHalfConn) SetTrafficSecret(suite unsafe.Pointer, level int, secret []byte) {
+	hc.methods.setTrafficSecret(hc.pointer, suite, level, secret)
+}
+
+func (hc *RawHalfConn) ExplicitNonceLen() int {
+	return hc.methods.explicitNonceLen(hc.pointer)
+}

common/badtls/read_wait.go

@@ -1,18 +1,9 @@
-//go:build go1.21 && !without_badtls
+//go:build go1.25 && !without_badtls
 
 package badtls
 
 import (
-	"bytes"
-	"context"
-	"net"
-	"os"
-	"reflect"
-	"sync"
-	"unsafe"
-
 	"github.com/sagernet/sing/common/buf"
-	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/tls"
 )
@@ -21,63 +12,21 @@ var _ N.ReadWaiter = (*ReadWaitConn)(nil)
 
 type ReadWaitConn struct {
 	tls.Conn
-	halfAccess                    *sync.Mutex
-	rawInput                      *bytes.Buffer
-	input                         *bytes.Reader
-	hand                          *bytes.Buffer
-	readWaitOptions               N.ReadWaitOptions
-	tlsReadRecord                 func() error
-	tlsHandlePostHandshakeMessage func() error
+	rawConn         *RawConn
+	readWaitOptions N.ReadWaitOptions
 }
 
 func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
-	var (
-		loaded                        bool
-		tlsReadRecord                 func() error
-		tlsHandlePostHandshakeMessage func() error
-	)
-	for _, tlsCreator := range tlsRegistry {
-		loaded, tlsReadRecord, tlsHandlePostHandshakeMessage = tlsCreator(conn)
-		if loaded {
-			break
-		}
+	if _, isReadWaitConn := conn.(N.ReadWaiter); isReadWaitConn {
+		return conn, nil
 	}
-	if !loaded {
-		return nil, os.ErrInvalid
+	rawConn, err := NewRawConn(conn)
+	if err != nil {
+		return nil, err
 	}
-	rawConn := reflect.Indirect(reflect.ValueOf(conn))
-	rawHalfConn := rawConn.FieldByName("in")
-	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid half conn")
-	}
-	rawHalfMutex := rawHalfConn.FieldByName("Mutex")
-	if !rawHalfMutex.IsValid() || rawHalfMutex.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid half mutex")
-	}
-	halfAccess := (*sync.Mutex)(unsafe.Pointer(rawHalfMutex.UnsafeAddr()))
-	rawRawInput := rawConn.FieldByName("rawInput")
-	if !rawRawInput.IsValid() || rawRawInput.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid raw input")
-	}
-	rawInput := (*bytes.Buffer)(unsafe.Pointer(rawRawInput.UnsafeAddr()))
-	rawInput0 := rawConn.FieldByName("input")
-	if !rawInput0.IsValid() || rawInput0.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid input")
-	}
-	input := (*bytes.Reader)(unsafe.Pointer(rawInput0.UnsafeAddr()))
-	rawHand := rawConn.FieldByName("hand")
-	if !rawHand.IsValid() || rawHand.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid hand")
-	}
-	hand := (*bytes.Buffer)(unsafe.Pointer(rawHand.UnsafeAddr()))
 	return &ReadWaitConn{
-		Conn:                          conn,
-		halfAccess:                    halfAccess,
-		rawInput:                      rawInput,
-		input:                         input,
-		hand:                          hand,
-		tlsReadRecord:                 tlsReadRecord,
-		tlsHandlePostHandshakeMessage: tlsHandlePostHandshakeMessage,
+		Conn:    conn,
+		rawConn: rawConn,
 	}, nil
 }
 
@@ -87,36 +36,36 @@ func (c *ReadWaitConn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy
 }
 
 func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
-	err = c.HandshakeContext(context.Background())
-	if err != nil {
-		return
-	}
-	c.halfAccess.Lock()
-	defer c.halfAccess.Unlock()
-	for c.input.Len() == 0 {
-		err = c.tlsReadRecord()
+	//err = c.HandshakeContext(context.Background())
+	//if err != nil {
+	//	return
+	//}
+	c.rawConn.In.Lock()
+	defer c.rawConn.In.Unlock()
+	for c.rawConn.Input.Len() == 0 {
+		err = c.rawConn.ReadRecord()
 		if err != nil {
 			return
 		}
-		for c.hand.Len() > 0 {
-			err = c.tlsHandlePostHandshakeMessage()
+		for c.rawConn.Hand.Len() > 0 {
+			err = c.rawConn.HandlePostHandshakeMessage()
 			if err != nil {
 				return
 			}
 		}
 	}
 	buffer = c.readWaitOptions.NewBuffer()
-	n, err := c.input.Read(buffer.FreeBytes())
+	n, err := c.rawConn.Input.Read(buffer.FreeBytes())
 	if err != nil {
 		buffer.Release()
 		return
 	}
 	buffer.Truncate(n)
 
-	if n != 0 && c.input.Len() == 0 && c.rawInput.Len() > 0 &&
-		// recordType(c.rawInput.Bytes()[0]) == recordTypeAlert {
-		c.rawInput.Bytes()[0] == 21 {
-		_ = c.tlsReadRecord()
+	if n != 0 && c.rawConn.Input.Len() == 0 && c.rawConn.Input.Len() > 0 &&
+		// recordType(c.RawInput.Bytes()[0]) == recordTypeAlert {
+		c.rawConn.RawInput.Bytes()[0] == 21 {
+		_ = c.rawConn.ReadRecord()
 		// return n, err // will be io.EOF on closeNotify
 	}
 
@@ -128,24 +77,6 @@ func (c *ReadWaitConn) Upstream() any {
 	return c.Conn
 }
 
-var tlsRegistry []func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error)
-
-func init() {
-	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
-		tlsConn, loaded := conn.(*tls.STDConn)
-		if !loaded {
-			return
-		}
-		return true, func() error {
-				return stdTLSReadRecord(tlsConn)
-			}, func() error {
-				return stdTLSHandlePostHandshakeMessage(tlsConn)
-			}
-	})
+func (c *ReadWaitConn) ReaderReplaceable() bool {
+	return true
 }
-
-//go:linkname stdTLSReadRecord crypto/tls.(*Conn).readRecord
-func stdTLSReadRecord(c *tls.STDConn) error
-
-//go:linkname stdTLSHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
-func stdTLSHandlePostHandshakeMessage(c *tls.STDConn) error

common/badtls/read_wait_stub.go

@@ -1,4 +1,4 @@
-//go:build !go1.21 || without_badtls
+//go:build !go1.25 || without_badtls
 
 package badtls
 

common/badtls/read_wait_utls.go

@@ -1,32 +0,0 @@
-//go:build go1.21 && !without_badtls && with_utls
-
-package badtls
-
-import (
-	"net"
-	_ "unsafe"
-
-	"github.com/sagernet/sing/common"
-
-	"github.com/metacubex/utls"
-)
-
-func init() {
-	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
-		tlsConn, loaded := common.Cast[*tls.UConn](conn)
-		if !loaded {
-			return
-		}
-		return true, func() error {
-				return utlsReadRecord(tlsConn.Conn)
-			}, func() error {
-				return utlsHandlePostHandshakeMessage(tlsConn.Conn)
-			}
-	})
-}
-
-//go:linkname utlsReadRecord github.com/metacubex/utls.(*Conn).readRecord
-func utlsReadRecord(c *tls.Conn) error
-
-//go:linkname utlsHandlePostHandshakeMessage github.com/metacubex/utls.(*Conn).handlePostHandshakeMessage
-func utlsHandlePostHandshakeMessage(c *tls.Conn) error

common/badtls/registry.go

@@ -0,0 +1,62 @@
+//go:build go1.25 && !without_badtls
+
+package badtls
+
+import (
+	"crypto/tls"
+	"net"
+	"unsafe"
+)
+
+type Methods struct {
+	readRecord                 func(c unsafe.Pointer) error
+	handlePostHandshakeMessage func(c unsafe.Pointer) error
+	writeRecordLocked          func(c unsafe.Pointer, typ uint16, data []byte) (int, error)
+
+	setErrorLocked   func(hc unsafe.Pointer, err error) error
+	decrypt          func(hc unsafe.Pointer, record []byte) ([]byte, uint8, error)
+	setTrafficSecret func(hc unsafe.Pointer, suite unsafe.Pointer, level int, secret []byte)
+	explicitNonceLen func(hc unsafe.Pointer) int
+}
+
+var methodRegistry []func(conn net.Conn) (unsafe.Pointer, *Methods, bool)
+
+func init() {
+	methodRegistry = append(methodRegistry, func(conn net.Conn) (unsafe.Pointer, *Methods, bool) {
+		tlsConn, loaded := conn.(*tls.Conn)
+		if !loaded {
+			return nil, nil, false
+		}
+		return unsafe.Pointer(tlsConn), &Methods{
+			readRecord:                 stdTLSReadRecord,
+			handlePostHandshakeMessage: stdTLSHandlePostHandshakeMessage,
+			writeRecordLocked:          stdWriteRecordLocked,
+
+			setErrorLocked:   stdSetErrorLocked,
+			decrypt:          stdDecrypt,
+			setTrafficSecret: stdSetTrafficSecret,
+			explicitNonceLen: stdExplicitNonceLen,
+		}, true
+	})
+}
+
+//go:linkname stdTLSReadRecord crypto/tls.(*Conn).readRecord
+func stdTLSReadRecord(c unsafe.Pointer) error
+
+//go:linkname stdTLSHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
+func stdTLSHandlePostHandshakeMessage(c unsafe.Pointer) error
+
+//go:linkname stdWriteRecordLocked crypto/tls.(*Conn).writeRecordLocked
+func stdWriteRecordLocked(c unsafe.Pointer, typ uint16, data []byte) (int, error)
+
+//go:linkname stdSetErrorLocked crypto/tls.(*halfConn).setErrorLocked
+func stdSetErrorLocked(hc unsafe.Pointer, err error) error
+
+//go:linkname stdDecrypt crypto/tls.(*halfConn).decrypt
+func stdDecrypt(hc unsafe.Pointer, record []byte) ([]byte, uint8, error)
+
+//go:linkname stdSetTrafficSecret crypto/tls.(*halfConn).setTrafficSecret
+func stdSetTrafficSecret(hc unsafe.Pointer, suite unsafe.Pointer, level int, secret []byte)
+
+//go:linkname stdExplicitNonceLen crypto/tls.(*halfConn).explicitNonceLen
+func stdExplicitNonceLen(hc unsafe.Pointer) int

common/badtls/registry_utls.go

@@ -0,0 +1,56 @@
+//go:build go1.25 && !without_badtls
+
+package badtls
+
+import (
+	"net"
+	"unsafe"
+
+	N "github.com/sagernet/sing/common/network"
+
+	"github.com/metacubex/utls"
+)
+
+func init() {
+	methodRegistry = append(methodRegistry, func(conn net.Conn) (unsafe.Pointer, *Methods, bool) {
+		var pointer unsafe.Pointer
+		if uConn, loaded := N.CastReader[*tls.Conn](conn); loaded {
+			pointer = unsafe.Pointer(uConn)
+		} else if uConn, loaded := N.CastReader[*tls.UConn](conn); loaded {
+			pointer = unsafe.Pointer(uConn.Conn)
+		} else {
+			return nil, nil, false
+		}
+		return pointer, &Methods{
+			readRecord:                 utlsReadRecord,
+			handlePostHandshakeMessage: utlsHandlePostHandshakeMessage,
+			writeRecordLocked:          utlsWriteRecordLocked,
+
+			setErrorLocked:   utlsSetErrorLocked,
+			decrypt:          utlsDecrypt,
+			setTrafficSecret: utlsSetTrafficSecret,
+			explicitNonceLen: utlsExplicitNonceLen,
+		}, true
+	})
+}
+
+//go:linkname utlsReadRecord github.com/metacubex/utls.(*Conn).readRecord
+func utlsReadRecord(c unsafe.Pointer) error
+
+//go:linkname utlsHandlePostHandshakeMessage github.com/metacubex/utls.(*Conn).handlePostHandshakeMessage
+func utlsHandlePostHandshakeMessage(c unsafe.Pointer) error
+
+//go:linkname utlsWriteRecordLocked github.com/metacubex/utls.(*Conn).writeRecordLocked
+func utlsWriteRecordLocked(hc unsafe.Pointer, typ uint16, data []byte) (int, error)
+
+//go:linkname utlsSetErrorLocked github.com/metacubex/utls.(*halfConn).setErrorLocked
+func utlsSetErrorLocked(hc unsafe.Pointer, err error) error
+
+//go:linkname utlsDecrypt github.com/metacubex/utls.(*halfConn).decrypt
+func utlsDecrypt(hc unsafe.Pointer, record []byte) ([]byte, uint8, error)
+
+//go:linkname utlsSetTrafficSecret github.com/metacubex/utls.(*halfConn).setTrafficSecret
+func utlsSetTrafficSecret(hc unsafe.Pointer, suite unsafe.Pointer, level int, secret []byte)
+
+//go:linkname utlsExplicitNonceLen github.com/metacubex/utls.(*halfConn).explicitNonceLen
+func utlsExplicitNonceLen(hc unsafe.Pointer) int

common/badversion/version.go

@@ -5,6 +5,8 @@ import (
 	"strings"
 
 	F "github.com/sagernet/sing/common/format"
+
+	"golang.org/x/mod/semver"
 )
 
 type Version struct {
@@ -16,7 +18,19 @@ type Version struct {
 	PreReleaseVersion    int
 }
 
-func (v Version) After(anotherVersion Version) bool {
+func (v Version) LessThan(anotherVersion Version) bool {
+	return !v.GreaterThanOrEqual(anotherVersion)
+}
+
+func (v Version) LessThanOrEqual(anotherVersion Version) bool {
+	return v == anotherVersion || anotherVersion.GreaterThan(v)
+}
+
+func (v Version) GreaterThanOrEqual(anotherVersion Version) bool {
+	return v == anotherVersion || v.GreaterThan(anotherVersion)
+}
+
+func (v Version) GreaterThan(anotherVersion Version) bool {
 	if v.Major > anotherVersion.Major {
 		return true
 	} else if v.Major < anotherVersion.Major {
@@ -44,19 +58,29 @@ func (v Version) After(anotherVersion Version) bool {
 			} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
 				return false
 			}
-		} else if v.PreReleaseIdentifier == "rc" && anotherVersion.PreReleaseIdentifier == "beta" {
+		}
+		preReleaseIdentifier := parsePreReleaseIdentifier(v.PreReleaseIdentifier)
+		anotherPreReleaseIdentifier := parsePreReleaseIdentifier(anotherVersion.PreReleaseIdentifier)
+		if preReleaseIdentifier < anotherPreReleaseIdentifier {
 			return true
-		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "rc" {
-			return false
-		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
-			return true
-		} else if v.PreReleaseIdentifier == "alpha" && anotherVersion.PreReleaseIdentifier == "beta" {
+		} else if preReleaseIdentifier > anotherPreReleaseIdentifier {
 			return false
 		}
 	}
 	return false
 }
 
+func parsePreReleaseIdentifier(identifier string) int {
+	if strings.HasPrefix(identifier, "rc") {
+		return 1
+	} else if strings.HasPrefix(identifier, "beta") {
+		return 2
+	} else if strings.HasPrefix(identifier, "alpha") {
+		return 3
+	}
+	return 0
+}
+
 func (v Version) VersionString() string {
 	return F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
 }
@@ -83,6 +107,10 @@ func (v Version) BadString() string {
 	return version
 }
 
+func IsValid(versionName string) bool {
+	return semver.IsValid("v" + versionName)
+}
+
 func Parse(versionName string) (version Version) {
 	if strings.HasPrefix(versionName, "v") {
 		versionName = versionName[1:]

common/badversion/version_test.go

@@ -10,9 +10,9 @@ func TestCompareVersion(t *testing.T) {
 	t.Parallel()
 	require.Equal(t, "1.3.0-beta.1", Parse("v1.3.0-beta1").String())
 	require.Equal(t, "1.3-beta1", Parse("v1.3.0-beta.1").BadString())
-	require.True(t, Parse("1.3.0").After(Parse("1.3-beta1")))
-	require.True(t, Parse("1.3.0").After(Parse("1.3.0-beta1")))
-	require.True(t, Parse("1.3.0-beta1").After(Parse("1.3.0-alpha1")))
-	require.True(t, Parse("1.3.1").After(Parse("1.3.0")))
-	require.True(t, Parse("1.4").After(Parse("1.3")))
+	require.True(t, Parse("1.3.0").GreaterThan(Parse("1.3-beta1")))
+	require.True(t, Parse("1.3.0").GreaterThan(Parse("1.3.0-beta1")))
+	require.True(t, Parse("1.3.0-beta1").GreaterThan(Parse("1.3.0-alpha1")))
+	require.True(t, Parse("1.3.1").GreaterThan(Parse("1.3.0")))
+	require.True(t, Parse("1.4").GreaterThan(Parse("1.3")))
 }

common/dialer/default.go

@@ -15,7 +15,6 @@ import (
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/atomic"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
@@ -43,7 +42,7 @@ type DefaultDialer struct {
 	networkType            []C.InterfaceType
 	fallbackNetworkType    []C.InterfaceType
 	networkFallbackDelay   time.Duration
-	networkLastFallback    atomic.TypedValue[time.Time]
+	networkLastFallback    common.TypedValue[time.Time]
 }
 
 func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
@@ -89,37 +88,35 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 
 	if networkManager != nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if !disableDefaultBind {
-			if defaultOptions.BindInterface != "" {
-				bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
+		if defaultOptions.BindInterface != "" {
+			bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
+			dialer.Control = control.Append(dialer.Control, bindFunc)
+			listener.Control = control.Append(listener.Control, bindFunc)
+		} else if networkManager.AutoDetectInterface() && !disableDefaultBind {
+			if platformInterface != nil {
+				networkStrategy = (*C.NetworkStrategy)(options.NetworkStrategy)
+				networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
+				fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
+				if networkStrategy == nil && len(networkType) == 0 && len(fallbackNetworkType) == 0 {
+					networkStrategy = defaultOptions.NetworkStrategy
+					networkType = defaultOptions.NetworkType
+					fallbackNetworkType = defaultOptions.FallbackNetworkType
+				}
+				networkFallbackDelay = time.Duration(options.FallbackDelay)
+				if networkFallbackDelay == 0 && defaultOptions.FallbackDelay != 0 {
+					networkFallbackDelay = defaultOptions.FallbackDelay
+				}
+				if networkStrategy == nil {
+					networkStrategy = common.Ptr(C.NetworkStrategyDefault)
+					defaultNetworkStrategy = true
+				}
+				bindFunc := networkManager.ProtectFunc()
+				dialer.Control = control.Append(dialer.Control, bindFunc)
+				listener.Control = control.Append(listener.Control, bindFunc)
+			} else {
+				bindFunc := networkManager.AutoDetectInterfaceFunc()
 				dialer.Control = control.Append(dialer.Control, bindFunc)
 				listener.Control = control.Append(listener.Control, bindFunc)
-			} else if networkManager.AutoDetectInterface() {
-				if platformInterface != nil {
-					networkStrategy = (*C.NetworkStrategy)(options.NetworkStrategy)
-					networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
-					fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
-					if networkStrategy == nil && len(networkType) == 0 && len(fallbackNetworkType) == 0 {
-						networkStrategy = defaultOptions.NetworkStrategy
-						networkType = defaultOptions.NetworkType
-						fallbackNetworkType = defaultOptions.FallbackNetworkType
-					}
-					networkFallbackDelay = time.Duration(options.FallbackDelay)
-					if networkFallbackDelay == 0 && defaultOptions.FallbackDelay != 0 {
-						networkFallbackDelay = defaultOptions.FallbackDelay
-					}
-					if networkStrategy == nil {
-						networkStrategy = common.Ptr(C.NetworkStrategyDefault)
-						defaultNetworkStrategy = true
-					}
-					bindFunc := networkManager.ProtectFunc()
-					dialer.Control = control.Append(dialer.Control, bindFunc)
-					listener.Control = control.Append(listener.Control, bindFunc)
-				} else {
-					bindFunc := networkManager.AutoDetectInterfaceFunc()
-					dialer.Control = control.Append(dialer.Control, bindFunc)
-					listener.Control = control.Append(listener.Control, bindFunc)
-				}
 			}
 		}
 		if options.RoutingMark == 0 && defaultOptions.RoutingMark != 0 {
@@ -127,6 +124,11 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 			listener.Control = control.Append(listener.Control, setMarkWrapper(networkManager, defaultOptions.RoutingMark, true))
 		}
 	}
+	if networkManager != nil {
+		markFunc := networkManager.AutoRedirectOutputMarkFunc()
+		dialer.Control = control.Append(dialer.Control, markFunc)
+		listener.Control = control.Append(listener.Control, markFunc)
+	}
 	if options.ReuseAddr {
 		listener.Control = control.Append(listener.Control, control.ReuseAddr())
 	}
@@ -271,7 +273,7 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 	} else {
 		dialer = d.udpDialer4
 	}
-	fastFallback := time.Now().Sub(d.networkLastFallback.Load()) < C.TCPTimeout
+	fastFallback := time.Since(d.networkLastFallback.Load()) < C.TCPTimeout
 	var (
 		conn      net.Conn
 		isPrimary bool
@@ -313,6 +315,14 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	}
 }
 
+func (d *DefaultDialer) DialerForICMPDestination(destination netip.Addr) net.Dialer {
+	if !destination.Is6() {
+		return dialerFromTCPDialer(d.dialer6)
+	} else {
+		return dialerFromTCPDialer(d.dialer4)
+	}
+}
+
 func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
 	if strategy == nil {
 		strategy = d.networkStrategy

common/dialer/tfo.go

@@ -8,8 +8,10 @@ import (
 	"net"
 	"os"
 	"sync"
+	"sync/atomic"
 	"time"
 
+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -22,7 +24,7 @@ type slowOpenConn struct {
 	ctx         context.Context
 	network     string
 	destination M.Socksaddr
-	conn        net.Conn
+	conn        atomic.Pointer[net.TCPConn]
 	create      chan struct{}
 	done        chan struct{}
 	access      sync.Mutex
@@ -50,22 +52,25 @@ func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, des
 }
 
 func (c *slowOpenConn) Read(b []byte) (n int, err error) {
-	if c.conn == nil {
-		select {
-		case <-c.create:
-			if c.err != nil {
-				return 0, c.err
-			}
-		case <-c.done:
-			return 0, os.ErrClosed
-		}
+	conn := c.conn.Load()
+	if conn != nil {
+		return conn.Read(b)
+	}
+	select {
+	case <-c.create:
+		if c.err != nil {
+			return 0, c.err
+		}
+		return c.conn.Load().Read(b)
+	case <-c.done:
+		return 0, os.ErrClosed
 	}
-	return c.conn.Read(b)
 }
 
 func (c *slowOpenConn) Write(b []byte) (n int, err error) {
-	if c.conn != nil {
-		return c.conn.Write(b)
+	tcpConn := c.conn.Load()
+	if tcpConn != nil {
+		return tcpConn.Write(b)
 	}
 	c.access.Lock()
 	defer c.access.Unlock()
@@ -74,7 +79,7 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 		if c.err != nil {
 			return 0, c.err
 		}
-		return c.conn.Write(b)
+		return c.conn.Load().Write(b)
 	case <-c.done:
 		return 0, os.ErrClosed
 	default:
@@ -83,7 +88,7 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 	if err != nil {
 		c.err = err
 	} else {
-		c.conn = conn
+		c.conn.Store(conn.(*net.TCPConn))
 	}
 	n = len(b)
 	close(c.create)
@@ -93,70 +98,77 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 func (c *slowOpenConn) Close() error {
 	c.closeOnce.Do(func() {
 		close(c.done)
-		if c.conn != nil {
-			c.conn.Close()
+		conn := c.conn.Load()
+		if conn != nil {
+			conn.Close()
 		}
 	})
 	return nil
 }
 
 func (c *slowOpenConn) LocalAddr() net.Addr {
-	if c.conn == nil {
+	conn := c.conn.Load()
+	if conn == nil {
 		return M.Socksaddr{}
 	}
-	return c.conn.LocalAddr()
+	return conn.LocalAddr()
 }
 
 func (c *slowOpenConn) RemoteAddr() net.Addr {
-	if c.conn == nil {
+	conn := c.conn.Load()
+	if conn == nil {
 		return M.Socksaddr{}
 	}
-	return c.conn.RemoteAddr()
+	return conn.RemoteAddr()
 }
 
 func (c *slowOpenConn) SetDeadline(t time.Time) error {
-	if c.conn == nil {
+	conn := c.conn.Load()
+	if conn == nil {
 		return os.ErrInvalid
 	}
-	return c.conn.SetDeadline(t)
+	return conn.SetDeadline(t)
 }
 
 func (c *slowOpenConn) SetReadDeadline(t time.Time) error {
-	if c.conn == nil {
+	conn := c.conn.Load()
+	if conn == nil {
 		return os.ErrInvalid
 	}
-	return c.conn.SetReadDeadline(t)
+	return conn.SetReadDeadline(t)
 }
 
 func (c *slowOpenConn) SetWriteDeadline(t time.Time) error {
-	if c.conn == nil {
+	conn := c.conn.Load()
+	if conn == nil {
 		return os.ErrInvalid
 	}
-	return c.conn.SetWriteDeadline(t)
+	return conn.SetWriteDeadline(t)
 }
 
 func (c *slowOpenConn) Upstream() any {
-	return c.conn
+	return common.PtrOrNil(c.conn.Load())
 }
 
 func (c *slowOpenConn) ReaderReplaceable() bool {
-	return c.conn != nil
+	return c.conn.Load() != nil
 }
 
 func (c *slowOpenConn) WriterReplaceable() bool {
-	return c.conn != nil
+	return c.conn.Load() != nil
 }
 
 func (c *slowOpenConn) LazyHeadroom() bool {
-	return c.conn == nil
+	return c.conn.Load() == nil
 }
 
 func (c *slowOpenConn) NeedHandshake() bool {
-	return c.conn == nil
+	return c.conn.Load() == nil
 }
 
 func (c *slowOpenConn) WriteTo(w io.Writer) (n int64, err error) {
-	if c.conn == nil {
+	conn := c.conn.Load()
+	if conn == nil {
 		select {
 		case <-c.create:
 			if c.err != nil {
@@ -166,5 +178,5 @@ func (c *slowOpenConn) WriteTo(w io.Writer) (n int64, err error) {
 			return 0, c.err
 		}
 	}
-	return bufio.Copy(w, c.conn)
+	return bufio.Copy(w, c.conn.Load())
 }

common/ktls/ktls.go

@@ -0,0 +1,131 @@
+//go:build linux && go1.25 && !without_badtls
+
+package ktls
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"errors"
+	"io"
+	"net"
+	"os"
+	"syscall"
+
+	"github.com/sagernet/sing-box/common/badtls"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	N "github.com/sagernet/sing/common/network"
+	aTLS "github.com/sagernet/sing/common/tls"
+
+	"golang.org/x/sys/unix"
+)
+
+type Conn struct {
+	aTLS.Conn
+	ctx             context.Context
+	logger          logger.ContextLogger
+	conn            net.Conn
+	rawConn         *badtls.RawConn
+	syscallConn     syscall.Conn
+	rawSyscallConn  syscall.RawConn
+	readWaitOptions N.ReadWaitOptions
+	kernelTx        bool
+	kernelRx        bool
+}
+
+func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
+	err := Load()
+	if err != nil {
+		return nil, err
+	}
+	syscallConn, isSyscallConn := N.CastReader[interface {
+		io.Reader
+		syscall.Conn
+	}](conn.NetConn())
+	if !isSyscallConn {
+		return nil, os.ErrInvalid
+	}
+	rawSyscallConn, err := syscallConn.SyscallConn()
+	if err != nil {
+		return nil, err
+	}
+	rawConn, err := badtls.NewRawConn(conn)
+	if err != nil {
+		return nil, err
+	}
+	if *rawConn.Vers != tls.VersionTLS13 {
+		return nil, os.ErrInvalid
+	}
+	for rawConn.RawInput.Len() > 0 {
+		err = rawConn.ReadRecord()
+		if err != nil {
+			return nil, err
+		}
+		for rawConn.Hand.Len() > 0 {
+			err = rawConn.HandlePostHandshakeMessage()
+			if err != nil {
+				return nil, E.Cause(err, "handle post-handshake messages")
+			}
+		}
+	}
+	kConn := &Conn{
+		Conn:           conn,
+		ctx:            ctx,
+		logger:         logger,
+		conn:           conn.NetConn(),
+		rawConn:        rawConn,
+		syscallConn:    syscallConn,
+		rawSyscallConn: rawSyscallConn,
+	}
+	err = kConn.setupKernel(txOffload, rxOffload)
+	if err != nil {
+		return nil, err
+	}
+	return kConn, nil
+}
+
+func (c *Conn) Upstream() any {
+	return c.Conn
+}
+
+func (c *Conn) SyscallConnForRead() syscall.RawConn {
+	if !c.kernelRx {
+		return nil
+	}
+	if !*c.rawConn.IsClient {
+		c.logger.WarnContext(c.ctx, "ktls: RX splice is unavailable on the server size, since it will cause an unknown failure")
+		return nil
+	}
+	c.logger.DebugContext(c.ctx, "ktls: RX splice requested")
+	return c.rawSyscallConn
+}
+
+func (c *Conn) HandleSyscallReadError(inputErr error) ([]byte, error) {
+	if errors.Is(inputErr, unix.EINVAL) {
+		err := c.readRecord()
+		if err != nil {
+			return nil, E.Cause(err, "ktls: handle non-application-data record")
+		}
+		var input bytes.Buffer
+		if c.rawConn.Input.Len() > 0 {
+			_, err = c.rawConn.Input.WriteTo(&input)
+			if err != nil {
+				return nil, err
+			}
+		}
+		return input.Bytes(), nil
+	} else if errors.Is(inputErr, unix.EBADMSG) {
+		return nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertBadRecordMAC))
+	} else {
+		return nil, E.Cause(inputErr, "ktls: unexpected errno")
+	}
+}
+
+func (c *Conn) SyscallConnForWrite() syscall.RawConn {
+	if !c.kernelTx {
+		return nil
+	}
+	c.logger.DebugContext(c.ctx, "ktls: TX splice requested")
+	return c.rawSyscallConn
+}

common/ktls/ktls_alert.go

@@ -0,0 +1,80 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux && go1.25 && !without_badtls
+
+package ktls
+
+import (
+	"crypto/tls"
+	"net"
+)
+
+const (
+	// alert level
+	alertLevelWarning = 1
+	alertLevelError   = 2
+)
+
+const (
+	alertCloseNotify                  = 0
+	alertUnexpectedMessage            = 10
+	alertBadRecordMAC                 = 20
+	alertDecryptionFailed             = 21
+	alertRecordOverflow               = 22
+	alertDecompressionFailure         = 30
+	alertHandshakeFailure             = 40
+	alertBadCertificate               = 42
+	alertUnsupportedCertificate       = 43
+	alertCertificateRevoked           = 44
+	alertCertificateExpired           = 45
+	alertCertificateUnknown           = 46
+	alertIllegalParameter             = 47
+	alertUnknownCA                    = 48
+	alertAccessDenied                 = 49
+	alertDecodeError                  = 50
+	alertDecryptError                 = 51
+	alertExportRestriction            = 60
+	alertProtocolVersion              = 70
+	alertInsufficientSecurity         = 71
+	alertInternalError                = 80
+	alertInappropriateFallback        = 86
+	alertUserCanceled                 = 90
+	alertNoRenegotiation              = 100
+	alertMissingExtension             = 109
+	alertUnsupportedExtension         = 110
+	alertCertificateUnobtainable      = 111
+	alertUnrecognizedName             = 112
+	alertBadCertificateStatusResponse = 113
+	alertBadCertificateHashValue      = 114
+	alertUnknownPSKIdentity           = 115
+	alertCertificateRequired          = 116
+	alertNoApplicationProtocol        = 120
+	alertECHRequired                  = 121
+)
+
+func (c *Conn) sendAlertLocked(err uint8) error {
+	switch err {
+	case alertNoRenegotiation, alertCloseNotify:
+		c.rawConn.Tmp[0] = alertLevelWarning
+	default:
+		c.rawConn.Tmp[0] = alertLevelError
+	}
+	c.rawConn.Tmp[1] = byte(err)
+
+	_, writeErr := c.writeRecordLocked(recordTypeAlert, c.rawConn.Tmp[0:2])
+	if err == alertCloseNotify {
+		// closeNotify is a special case in that it isn't an error.
+		return writeErr
+	}
+
+	return c.rawConn.Out.SetErrorLocked(&net.OpError{Op: "local error", Err: tls.AlertError(err)})
+}
+
+// sendAlert sends a TLS alert message.
+func (c *Conn) sendAlert(err uint8) error {
+	c.rawConn.Out.Lock()
+	defer c.rawConn.Out.Unlock()
+	return c.sendAlertLocked(err)
+}

common/ktls/ktls_cipher_suites_linux.go

@@ -0,0 +1,326 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux && go1.25 && !without_badtls
+
+package ktls
+
+import (
+	"crypto/tls"
+	"unsafe"
+
+	"github.com/sagernet/sing-box/common/badtls"
+)
+
+type kernelCryptoCipherType uint16
+
+const (
+	TLS_CIPHER_AES_GCM_128              kernelCryptoCipherType = 51
+	TLS_CIPHER_AES_GCM_128_IV_SIZE      kernelCryptoCipherType = 8
+	TLS_CIPHER_AES_GCM_128_KEY_SIZE     kernelCryptoCipherType = 16
+	TLS_CIPHER_AES_GCM_128_SALT_SIZE    kernelCryptoCipherType = 4
+	TLS_CIPHER_AES_GCM_128_TAG_SIZE     kernelCryptoCipherType = 16
+	TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE kernelCryptoCipherType = 8
+
+	TLS_CIPHER_AES_GCM_256              kernelCryptoCipherType = 52
+	TLS_CIPHER_AES_GCM_256_IV_SIZE      kernelCryptoCipherType = 8
+	TLS_CIPHER_AES_GCM_256_KEY_SIZE     kernelCryptoCipherType = 32
+	TLS_CIPHER_AES_GCM_256_SALT_SIZE    kernelCryptoCipherType = 4
+	TLS_CIPHER_AES_GCM_256_TAG_SIZE     kernelCryptoCipherType = 16
+	TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE kernelCryptoCipherType = 8
+
+	TLS_CIPHER_AES_CCM_128              kernelCryptoCipherType = 53
+	TLS_CIPHER_AES_CCM_128_IV_SIZE      kernelCryptoCipherType = 8
+	TLS_CIPHER_AES_CCM_128_KEY_SIZE     kernelCryptoCipherType = 16
+	TLS_CIPHER_AES_CCM_128_SALT_SIZE    kernelCryptoCipherType = 4
+	TLS_CIPHER_AES_CCM_128_TAG_SIZE     kernelCryptoCipherType = 16
+	TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE kernelCryptoCipherType = 8
+
+	TLS_CIPHER_CHACHA20_POLY1305              kernelCryptoCipherType = 54
+	TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE      kernelCryptoCipherType = 12
+	TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE     kernelCryptoCipherType = 32
+	TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE    kernelCryptoCipherType = 0
+	TLS_CIPHER_CHACHA20_POLY1305_TAG_SIZE     kernelCryptoCipherType = 16
+	TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE kernelCryptoCipherType = 8
+
+	// TLS_CIPHER_SM4_GCM              kernelCryptoCipherType = 55
+	// TLS_CIPHER_SM4_GCM_IV_SIZE      kernelCryptoCipherType = 8
+	// TLS_CIPHER_SM4_GCM_KEY_SIZE     kernelCryptoCipherType = 16
+	// TLS_CIPHER_SM4_GCM_SALT_SIZE    kernelCryptoCipherType = 4
+	// TLS_CIPHER_SM4_GCM_TAG_SIZE     kernelCryptoCipherType = 16
+	// TLS_CIPHER_SM4_GCM_REC_SEQ_SIZE kernelCryptoCipherType = 8
+
+	// TLS_CIPHER_SM4_CCM              kernelCryptoCipherType = 56
+	// TLS_CIPHER_SM4_CCM_IV_SIZE      kernelCryptoCipherType = 8
+	// TLS_CIPHER_SM4_CCM_KEY_SIZE     kernelCryptoCipherType = 16
+	// TLS_CIPHER_SM4_CCM_SALT_SIZE    kernelCryptoCipherType = 4
+	// TLS_CIPHER_SM4_CCM_TAG_SIZE     kernelCryptoCipherType = 16
+	// TLS_CIPHER_SM4_CCM_REC_SEQ_SIZE kernelCryptoCipherType = 8
+
+	TLS_CIPHER_ARIA_GCM_128              kernelCryptoCipherType = 57
+	TLS_CIPHER_ARIA_GCM_128_IV_SIZE      kernelCryptoCipherType = 8
+	TLS_CIPHER_ARIA_GCM_128_KEY_SIZE     kernelCryptoCipherType = 16
+	TLS_CIPHER_ARIA_GCM_128_SALT_SIZE    kernelCryptoCipherType = 4
+	TLS_CIPHER_ARIA_GCM_128_TAG_SIZE     kernelCryptoCipherType = 16
+	TLS_CIPHER_ARIA_GCM_128_REC_SEQ_SIZE kernelCryptoCipherType = 8
+
+	TLS_CIPHER_ARIA_GCM_256              kernelCryptoCipherType = 58
+	TLS_CIPHER_ARIA_GCM_256_IV_SIZE      kernelCryptoCipherType = 8
+	TLS_CIPHER_ARIA_GCM_256_KEY_SIZE     kernelCryptoCipherType = 32
+	TLS_CIPHER_ARIA_GCM_256_SALT_SIZE    kernelCryptoCipherType = 4
+	TLS_CIPHER_ARIA_GCM_256_TAG_SIZE     kernelCryptoCipherType = 16
+	TLS_CIPHER_ARIA_GCM_256_REC_SEQ_SIZE kernelCryptoCipherType = 8
+)
+
+type kernelCrypto interface {
+	String() string
+}
+
+type kernelCryptoInfo struct {
+	version     uint16
+	cipher_type kernelCryptoCipherType
+}
+
+var _ kernelCrypto = &kernelCryptoAES128GCM{}
+
+type kernelCryptoAES128GCM struct {
+	kernelCryptoInfo
+	iv      [TLS_CIPHER_AES_GCM_128_IV_SIZE]byte
+	key     [TLS_CIPHER_AES_GCM_128_KEY_SIZE]byte
+	salt    [TLS_CIPHER_AES_GCM_128_SALT_SIZE]byte
+	rec_seq [TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE]byte
+}
+
+func (crypto *kernelCryptoAES128GCM) String() string {
+	crypto.cipher_type = TLS_CIPHER_AES_GCM_128
+	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
+}
+
+var _ kernelCrypto = &kernelCryptoAES256GCM{}
+
+type kernelCryptoAES256GCM struct {
+	kernelCryptoInfo
+	iv      [TLS_CIPHER_AES_GCM_256_IV_SIZE]byte
+	key     [TLS_CIPHER_AES_GCM_256_KEY_SIZE]byte
+	salt    [TLS_CIPHER_AES_GCM_256_SALT_SIZE]byte
+	rec_seq [TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE]byte
+}
+
+func (crypto *kernelCryptoAES256GCM) String() string {
+	crypto.cipher_type = TLS_CIPHER_AES_GCM_256
+	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
+}
+
+var _ kernelCrypto = &kernelCryptoAES128CCM{}
+
+type kernelCryptoAES128CCM struct {
+	kernelCryptoInfo
+	iv      [TLS_CIPHER_AES_CCM_128_IV_SIZE]byte
+	key     [TLS_CIPHER_AES_CCM_128_KEY_SIZE]byte
+	salt    [TLS_CIPHER_AES_CCM_128_SALT_SIZE]byte
+	rec_seq [TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE]byte
+}
+
+func (crypto *kernelCryptoAES128CCM) String() string {
+	crypto.cipher_type = TLS_CIPHER_AES_CCM_128
+	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
+}
+
+var _ kernelCrypto = &kernelCryptoChacha20Poly1035{}
+
+type kernelCryptoChacha20Poly1035 struct {
+	kernelCryptoInfo
+	iv      [TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE]byte
+	key     [TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE]byte
+	salt    [TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE]byte
+	rec_seq [TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE]byte
+}
+
+func (crypto *kernelCryptoChacha20Poly1035) String() string {
+	crypto.cipher_type = TLS_CIPHER_CHACHA20_POLY1305
+	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
+}
+
+// var _ kernelCrypto = &kernelCryptoSM4GCM{}
+
+// type kernelCryptoSM4GCM struct {
+// 	kernelCryptoInfo
+// 	iv      [TLS_CIPHER_SM4_GCM_IV_SIZE]byte
+// 	key     [TLS_CIPHER_SM4_GCM_KEY_SIZE]byte
+// 	salt    [TLS_CIPHER_SM4_GCM_SALT_SIZE]byte
+// 	rec_seq [TLS_CIPHER_SM4_GCM_REC_SEQ_SIZE]byte
+// }
+
+// func (crypto *kernelCryptoSM4GCM) String() string {
+// 	crypto.cipher_type = TLS_CIPHER_SM4_GCM
+// 	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
+// }
+
+// var _ kernelCrypto = &kernelCryptoSM4CCM{}
+
+// type kernelCryptoSM4CCM struct {
+// 	kernelCryptoInfo
+// 	iv      [TLS_CIPHER_SM4_CCM_IV_SIZE]byte
+// 	key     [TLS_CIPHER_SM4_CCM_KEY_SIZE]byte
+// 	salt    [TLS_CIPHER_SM4_CCM_SALT_SIZE]byte
+// 	rec_seq [TLS_CIPHER_SM4_CCM_REC_SEQ_SIZE]byte
+// }
+
+// func (crypto *kernelCryptoSM4CCM) String() string {
+// 	crypto.cipher_type = TLS_CIPHER_SM4_CCM
+// 	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
+// }
+
+var _ kernelCrypto = &kernelCryptoARIA128GCM{}
+
+type kernelCryptoARIA128GCM struct {
+	kernelCryptoInfo
+	iv      [TLS_CIPHER_ARIA_GCM_128_IV_SIZE]byte
+	key     [TLS_CIPHER_ARIA_GCM_128_KEY_SIZE]byte
+	salt    [TLS_CIPHER_ARIA_GCM_128_SALT_SIZE]byte
+	rec_seq [TLS_CIPHER_ARIA_GCM_128_REC_SEQ_SIZE]byte
+}
+
+func (crypto *kernelCryptoARIA128GCM) String() string {
+	crypto.cipher_type = TLS_CIPHER_ARIA_GCM_128
+	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
+}
+
+var _ kernelCrypto = &kernelCryptoARIA256GCM{}
+
+type kernelCryptoARIA256GCM struct {
+	kernelCryptoInfo
+	iv      [TLS_CIPHER_ARIA_GCM_256_IV_SIZE]byte
+	key     [TLS_CIPHER_ARIA_GCM_256_KEY_SIZE]byte
+	salt    [TLS_CIPHER_ARIA_GCM_256_SALT_SIZE]byte
+	rec_seq [TLS_CIPHER_ARIA_GCM_256_REC_SEQ_SIZE]byte
+}
+
+func (crypto *kernelCryptoARIA256GCM) String() string {
+	crypto.cipher_type = TLS_CIPHER_ARIA_GCM_256
+	return string((*[unsafe.Sizeof(*crypto)]byte)(unsafe.Pointer(crypto))[:])
+}
+
+func kernelCipher(kernel *Support, hc *badtls.RawHalfConn, cipherSuite uint16, isRX bool) kernelCrypto {
+	if !kernel.TLS {
+		return nil
+	}
+
+	switch *hc.Version {
+	case tls.VersionTLS12:
+		if isRX && !kernel.TLS_Version13_RX {
+			return nil
+		}
+
+	case tls.VersionTLS13:
+		if !kernel.TLS_Version13 {
+			return nil
+		}
+
+		if isRX && !kernel.TLS_Version13_RX {
+			return nil
+		}
+
+	default:
+		return nil
+	}
+
+	var key, iv []byte
+	if *hc.Version == tls.VersionTLS13 {
+		key, iv = trafficKey(cipherSuiteTLS13ByID(cipherSuite), *hc.TrafficSecret)
+		/*if isRX {
+			key, iv = trafficKey(cipherSuiteTLS13ByID(cipherSuite), keyLog.RemoteTrafficSecret)
+		} else {
+			key, iv = trafficKey(cipherSuiteTLS13ByID(cipherSuite), keyLog.TrafficSecret)
+		}*/
+	} else {
+		// csPtr := cipherSuiteByID(cipherSuite)
+		// keysFromMasterSecret(*hc.Version, csPtr, keyLog.Secret, keyLog.Random)
+		return nil
+	}
+
+	switch cipherSuite {
+	case tls.TLS_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
+		crypto := new(kernelCryptoAES128GCM)
+
+		crypto.version = *hc.Version
+		copy(crypto.key[:], key)
+		copy(crypto.iv[:], iv[4:])
+		copy(crypto.salt[:], iv[:4])
+		crypto.rec_seq = *hc.Seq
+
+		return crypto
+	case tls.TLS_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
+		if !kernel.TLS_AES_256_GCM {
+			return nil
+		}
+
+		crypto := new(kernelCryptoAES256GCM)
+
+		crypto.version = *hc.Version
+		copy(crypto.key[:], key)
+		copy(crypto.iv[:], iv[4:])
+		copy(crypto.salt[:], iv[:4])
+		crypto.rec_seq = *hc.Seq
+
+		return crypto
+	//case tls.TLS_AES_128_CCM_SHA256, tls.TLS_RSA_WITH_AES_128_CCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_SHA256:
+	//	if !kernel.TLS_AES_128_CCM {
+	//		return nil
+	//	}
+	//
+	//	crypto := new(kernelCryptoAES128CCM)
+	//
+	//	crypto.version = *hc.Version
+	//	copy(crypto.key[:], key)
+	//	copy(crypto.iv[:], iv[4:])
+	//	copy(crypto.salt[:], iv[:4])
+	//	crypto.rec_seq = *hc.Seq
+	//
+	//	return crypto
+	case tls.TLS_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
+		if !kernel.TLS_CHACHA20_POLY1305 {
+			return nil
+		}
+
+		crypto := new(kernelCryptoChacha20Poly1035)
+
+		crypto.version = *hc.Version
+		copy(crypto.key[:], key)
+		copy(crypto.iv[:], iv)
+		crypto.rec_seq = *hc.Seq
+
+		return crypto
+	//case tls.TLS_RSA_WITH_ARIA_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256:
+	//	if !kernel.TLS_ARIA_GCM {
+	//		return nil
+	//	}
+	//
+	//	crypto := new(kernelCryptoARIA128GCM)
+	//
+	//	crypto.version = *hc.Version
+	//	copy(crypto.key[:], key)
+	//	copy(crypto.iv[:], iv[4:])
+	//	copy(crypto.salt[:], iv[:4])
+	//	crypto.rec_seq = *hc.Seq
+	//
+	//	return crypto
+	//case tls.TLS_RSA_WITH_ARIA_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384:
+	//	if !kernel.TLS_ARIA_GCM {
+	//		return nil
+	//	}
+	//
+	//	crypto := new(kernelCryptoARIA256GCM)
+	//
+	//	crypto.version = *hc.Version
+	//	copy(crypto.key[:], key)
+	//	copy(crypto.iv[:], iv[4:])
+	//	copy(crypto.salt[:], iv[:4])
+	//	crypto.rec_seq = *hc.Seq
+	//
+	//	return crypto
+	default:
+		return nil
+	}
+}

common/ktls/ktls_close.go

@@ -0,0 +1,67 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux && go1.25 && !without_badtls
+
+package ktls
+
+import (
+	"fmt"
+	"net"
+	"time"
+)
+
+func (c *Conn) Close() error {
+	if !c.kernelTx {
+		return c.Conn.Close()
+	}
+
+	// Interlock with Conn.Write above.
+	var x int32
+	for {
+		x = c.rawConn.ActiveCall.Load()
+		if x&1 != 0 {
+			return net.ErrClosed
+		}
+		if c.rawConn.ActiveCall.CompareAndSwap(x, x|1) {
+			break
+		}
+	}
+	if x != 0 {
+		// io.Writer and io.Closer should not be used concurrently.
+		// If Close is called while a Write is currently in-flight,
+		// interpret that as a sign that this Close is really just
+		// being used to break the Write and/or clean up resources and
+		// avoid sending the alertCloseNotify, which may block
+		// waiting on handshakeMutex or the c.out mutex.
+		return c.conn.Close()
+	}
+
+	var alertErr error
+	if c.rawConn.IsHandshakeComplete.Load() {
+		if err := c.closeNotify(); err != nil {
+			alertErr = fmt.Errorf("tls: failed to send closeNotify alert (but connection was closed anyway): %w", err)
+		}
+	}
+
+	if err := c.conn.Close(); err != nil {
+		return err
+	}
+	return alertErr
+}
+
+func (c *Conn) closeNotify() error {
+	c.rawConn.Out.Lock()
+	defer c.rawConn.Out.Unlock()
+
+	if !*c.rawConn.CloseNotifySent {
+		// Set a Write Deadline to prevent possibly blocking forever.
+		c.SetWriteDeadline(time.Now().Add(time.Second * 5))
+		*c.rawConn.CloseNotifyErr = c.sendAlertLocked(alertCloseNotify)
+		*c.rawConn.CloseNotifySent = true
+		// Any subsequent writes will fail.
+		c.SetWriteDeadline(time.Now())
+	}
+	return *c.rawConn.CloseNotifyErr
+}

common/ktls/ktls_const.go

@@ -0,0 +1,24 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux && go1.25 && !without_badtls
+
+package ktls
+
+const (
+	maxPlaintext               = 16384        // maximum plaintext payload length
+	maxCiphertext              = 16384 + 2048 // maximum ciphertext payload length
+	maxCiphertextTLS13         = 16384 + 256  // maximum ciphertext length in TLS 1.3
+	recordHeaderLen            = 5            // record header length
+	maxHandshake               = 65536        // maximum handshake we support (protocol max is 16 MB)
+	maxHandshakeCertificateMsg = 262144       // maximum certificate message size (256 KiB)
+	maxUselessRecords          = 16           // maximum number of consecutive non-advancing records
+)
+
+const (
+	recordTypeChangeCipherSpec = 20
+	recordTypeAlert            = 21
+	recordTypeHandshake        = 22
+	recordTypeApplicationData  = 23
+)

common/ktls/ktls_handshake_messages.go

@@ -0,0 +1,238 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux && go1.25 && !without_badtls
+
+package ktls
+
+import (
+	"fmt"
+
+	"golang.org/x/crypto/cryptobyte"
+)
+
+// The marshalingFunction type is an adapter to allow the use of ordinary
+// functions as cryptobyte.MarshalingValue.
+type marshalingFunction func(b *cryptobyte.Builder) error
+
+func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error {
+	return f(b)
+}
+
+// addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If
+// the length of the sequence is not the value specified, it produces an error.
+func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) {
+	b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error {
+		if len(v) != n {
+			return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v))
+		}
+		b.AddBytes(v)
+		return nil
+	}))
+}
+
+// addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder.
+func addUint64(b *cryptobyte.Builder, v uint64) {
+	b.AddUint32(uint32(v >> 32))
+	b.AddUint32(uint32(v))
+}
+
+// readUint64 decodes a big-endian, 64-bit value into out and advances over it.
+// It reports whether the read was successful.
+func readUint64(s *cryptobyte.String, out *uint64) bool {
+	var hi, lo uint32
+	if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) {
+		return false
+	}
+	*out = uint64(hi)<<32 | uint64(lo)
+	return true
+}
+
+// readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a
+// []byte instead of a cryptobyte.String.
+func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
+	return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out))
+}
+
+// readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a
+// []byte instead of a cryptobyte.String.
+func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
+	return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out))
+}
+
+// readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a
+// []byte instead of a cryptobyte.String.
+func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
+	return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out))
+}
+
+type keyUpdateMsg struct {
+	updateRequested bool
+}
+
+func (m *keyUpdateMsg) marshal() ([]byte, error) {
+	var b cryptobyte.Builder
+	b.AddUint8(typeKeyUpdate)
+	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
+		if m.updateRequested {
+			b.AddUint8(1)
+		} else {
+			b.AddUint8(0)
+		}
+	})
+
+	return b.Bytes()
+}
+
+func (m *keyUpdateMsg) unmarshal(data []byte) bool {
+	s := cryptobyte.String(data)
+
+	var updateRequested uint8
+	if !s.Skip(4) || // message type and uint24 length field
+		!s.ReadUint8(&updateRequested) || !s.Empty() {
+		return false
+	}
+	switch updateRequested {
+	case 0:
+		m.updateRequested = false
+	case 1:
+		m.updateRequested = true
+	default:
+		return false
+	}
+	return true
+}
+
+// TLS handshake message types.
+const (
+	typeHelloRequest          uint8 = 0
+	typeClientHello           uint8 = 1
+	typeServerHello           uint8 = 2
+	typeNewSessionTicket      uint8 = 4
+	typeEndOfEarlyData        uint8 = 5
+	typeEncryptedExtensions   uint8 = 8
+	typeCertificate           uint8 = 11
+	typeServerKeyExchange     uint8 = 12
+	typeCertificateRequest    uint8 = 13
+	typeServerHelloDone       uint8 = 14
+	typeCertificateVerify     uint8 = 15
+	typeClientKeyExchange     uint8 = 16
+	typeFinished              uint8 = 20
+	typeCertificateStatus     uint8 = 22
+	typeKeyUpdate             uint8 = 24
+	typeCompressedCertificate uint8 = 25
+	typeMessageHash           uint8 = 254 // synthetic message
+)
+
+// TLS compression types.
+const (
+	compressionNone uint8 = 0
+)
+
+// TLS extension numbers
+const (
+	extensionServerName              uint16 = 0
+	extensionStatusRequest           uint16 = 5
+	extensionSupportedCurves         uint16 = 10 // supported_groups in TLS 1.3, see RFC 8446, Section 4.2.7
+	extensionSupportedPoints         uint16 = 11
+	extensionSignatureAlgorithms     uint16 = 13
+	extensionALPN                    uint16 = 16
+	extensionSCT                     uint16 = 18
+	extensionPadding                 uint16 = 21
+	extensionExtendedMasterSecret    uint16 = 23
+	extensionCompressCertificate     uint16 = 27 // compress_certificate in TLS 1.3
+	extensionSessionTicket           uint16 = 35
+	extensionPreSharedKey            uint16 = 41
+	extensionEarlyData               uint16 = 42
+	extensionSupportedVersions       uint16 = 43
+	extensionCookie                  uint16 = 44
+	extensionPSKModes                uint16 = 45
+	extensionCertificateAuthorities  uint16 = 47
+	extensionSignatureAlgorithmsCert uint16 = 50
+	extensionKeyShare                uint16 = 51
+	extensionQUICTransportParameters uint16 = 57
+	extensionALPS                    uint16 = 17513
+	extensionRenegotiationInfo       uint16 = 0xff01
+	extensionECHOuterExtensions      uint16 = 0xfd00
+	extensionEncryptedClientHello    uint16 = 0xfe0d
+)
+
+type handshakeMessage interface {
+	marshal() ([]byte, error)
+	unmarshal([]byte) bool
+}
+type newSessionTicketMsgTLS13 struct {
+	lifetime     uint32
+	ageAdd       uint32
+	nonce        []byte
+	label        []byte
+	maxEarlyData uint32
+}
+
+func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) {
+	var b cryptobyte.Builder
+	b.AddUint8(typeNewSessionTicket)
+	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
+		b.AddUint32(m.lifetime)
+		b.AddUint32(m.ageAdd)
+		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
+			b.AddBytes(m.nonce)
+		})
+		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
+			b.AddBytes(m.label)
+		})
+
+		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
+			if m.maxEarlyData > 0 {
+				b.AddUint16(extensionEarlyData)
+				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
+					b.AddUint32(m.maxEarlyData)
+				})
+			}
+		})
+	})
+
+	return b.Bytes()
+}
+
+func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool {
+	*m = newSessionTicketMsgTLS13{}
+	s := cryptobyte.String(data)
+
+	var extensions cryptobyte.String
+	if !s.Skip(4) || // message type and uint24 length field
+		!s.ReadUint32(&m.lifetime) ||
+		!s.ReadUint32(&m.ageAdd) ||
+		!readUint8LengthPrefixed(&s, &m.nonce) ||
+		!readUint16LengthPrefixed(&s, &m.label) ||
+		!s.ReadUint16LengthPrefixed(&extensions) ||
+		!s.Empty() {
+		return false
+	}
+
+	for !extensions.Empty() {
+		var extension uint16
+		var extData cryptobyte.String
+		if !extensions.ReadUint16(&extension) ||
+			!extensions.ReadUint16LengthPrefixed(&extData) {
+			return false
+		}
+
+		switch extension {
+		case extensionEarlyData:
+			if !extData.ReadUint32(&m.maxEarlyData) {
+				return false
+			}
+		default:
+			// Ignore unknown extensions.
+			continue
+		}
+
+		if !extData.Empty() {
+			return false
+		}
+	}
+
+	return true
+}

common/ktls/ktls_key_update.go

@@ -0,0 +1,173 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux && go1.25 && !without_badtls
+
+package ktls
+
+import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+)
+
+// handlePostHandshakeMessage processes a handshake message arrived after the
+// handshake is complete. Up to TLS 1.2, it indicates the start of a renegotiation.
+func (c *Conn) handlePostHandshakeMessage() error {
+	if *c.rawConn.Vers != tls.VersionTLS13 {
+		return errors.New("ktls: kernel does not support TLS 1.2 renegotiation")
+	}
+
+	msg, err := c.readHandshake(nil)
+	if err != nil {
+		return err
+	}
+	//c.retryCount++
+	//if c.retryCount > maxUselessRecords {
+	//	c.sendAlert(alertUnexpectedMessage)
+	//	return c.in.setErrorLocked(errors.New("tls: too many non-advancing records"))
+	//}
+
+	switch msg := msg.(type) {
+	case *newSessionTicketMsgTLS13:
+		// return errors.New("ktls: received new session ticket")
+		return nil
+	case *keyUpdateMsg:
+		return c.handleKeyUpdate(msg)
+	}
+	// The QUIC layer is supposed to treat an unexpected post-handshake CertificateRequest
+	// as a QUIC-level PROTOCOL_VIOLATION error (RFC 9001, Section 4.4). Returning an
+	// unexpected_message alert here doesn't provide it with enough information to distinguish
+	// this condition from other unexpected messages. This is probably fine.
+	c.sendAlert(alertUnexpectedMessage)
+	return fmt.Errorf("tls: received unexpected handshake message of type %T", msg)
+}
+
+func (c *Conn) handleKeyUpdate(keyUpdate *keyUpdateMsg) error {
+	//if c.quic != nil {
+	//	c.sendAlert(alertUnexpectedMessage)
+	//	return c.in.setErrorLocked(errors.New("tls: received unexpected key update message"))
+	//}
+
+	cipherSuite := cipherSuiteTLS13ByID(*c.rawConn.CipherSuite)
+	if cipherSuite == nil {
+		return c.rawConn.In.SetErrorLocked(c.sendAlert(alertInternalError))
+	}
+
+	newSecret := nextTrafficSecret(cipherSuite, *c.rawConn.In.TrafficSecret)
+	c.rawConn.In.SetTrafficSecret(cipherSuite, 0 /*tls.QUICEncryptionLevelInitial*/, newSecret)
+
+	err := c.resetupRX()
+	if err != nil {
+		c.sendAlert(alertInternalError)
+		return c.rawConn.In.SetErrorLocked(fmt.Errorf("ktls: resetupRX failed: %w", err))
+	}
+
+	if keyUpdate.updateRequested {
+		c.rawConn.Out.Lock()
+		defer c.rawConn.Out.Unlock()
+
+		resetup, err := c.resetupTX()
+		if err != nil {
+			c.sendAlertLocked(alertInternalError)
+			return c.rawConn.Out.SetErrorLocked(fmt.Errorf("ktls: resetupTX failed: %w", err))
+		}
+
+		msg := &keyUpdateMsg{}
+		msgBytes, err := msg.marshal()
+		if err != nil {
+			return err
+		}
+		_, err = c.writeRecordLocked(recordTypeHandshake, msgBytes)
+		if err != nil {
+			// Surface the error at the next write.
+			c.rawConn.Out.SetErrorLocked(err)
+			return nil
+		}
+
+		newSecret := nextTrafficSecret(cipherSuite, *c.rawConn.Out.TrafficSecret)
+		c.rawConn.Out.SetTrafficSecret(cipherSuite, 0 /*QUICEncryptionLevelInitial*/, newSecret)
+
+		err = resetup()
+		if err != nil {
+			return c.rawConn.Out.SetErrorLocked(fmt.Errorf("ktls: resetupTX failed: %w", err))
+		}
+	}
+
+	return nil
+}
+
+func (c *Conn) readHandshakeBytes(n int) error {
+	//if c.quic != nil {
+	//	return c.quicReadHandshakeBytes(n)
+	//}
+	for c.rawConn.Hand.Len() < n {
+		if err := c.readRecord(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *Conn) readHandshake(transcript io.Writer) (any, error) {
+	if err := c.readHandshakeBytes(4); err != nil {
+		return nil, err
+	}
+	data := c.rawConn.Hand.Bytes()
+
+	maxHandshakeSize := maxHandshake
+	// hasVers indicates we're past the first message, forcing someone trying to
+	// make us just allocate a large buffer to at least do the initial part of
+	// the handshake first.
+	//if c.haveVers && data[0] == typeCertificate {
+	// Since certificate messages are likely to be the only messages that
+	// can be larger than maxHandshake, we use a special limit for just
+	// those messages.
+	//maxHandshakeSize = maxHandshakeCertificateMsg
+	//}
+
+	n := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
+	if n > maxHandshakeSize {
+		c.sendAlertLocked(alertInternalError)
+		return nil, c.rawConn.In.SetErrorLocked(fmt.Errorf("tls: handshake message of length %d bytes exceeds maximum of %d bytes", n, maxHandshakeSize))
+	}
+	if err := c.readHandshakeBytes(4 + n); err != nil {
+		return nil, err
+	}
+	data = c.rawConn.Hand.Next(4 + n)
+	return c.unmarshalHandshakeMessage(data, transcript)
+}
+
+func (c *Conn) unmarshalHandshakeMessage(data []byte, transcript io.Writer) (any, error) {
+	var m handshakeMessage
+	switch data[0] {
+	case typeNewSessionTicket:
+		if *c.rawConn.Vers == tls.VersionTLS13 {
+			m = new(newSessionTicketMsgTLS13)
+		} else {
+			return nil, os.ErrInvalid
+		}
+	case typeKeyUpdate:
+		m = new(keyUpdateMsg)
+	default:
+		return nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
+	}
+
+	// The handshake message unmarshalers
+	// expect to be able to keep references to data,
+	// so pass in a fresh copy that won't be overwritten.
+	data = append([]byte(nil), data...)
+
+	if !m.unmarshal(data) {
+		return nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertDecodeError))
+	}
+
+	if transcript != nil {
+		transcript.Write(data)
+	}
+
+	return m, nil
+}

common/ktls/ktls_linux.go

@@ -0,0 +1,329 @@
+//go:build linux && go1.25 && !without_badtls
+
+package ktls
+
+import (
+	"crypto/tls"
+	"errors"
+	"io"
+	"os"
+	"strings"
+	"sync"
+	"syscall"
+	"unsafe"
+
+	"github.com/sagernet/sing-box/common/badversion"
+	"github.com/sagernet/sing/common/control"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/shell"
+
+	"golang.org/x/sys/unix"
+)
+
+// mod from https://gitlab.com/go-extension/tls
+
+const (
+	TLS_TX               = 1
+	TLS_RX               = 2
+	TLS_TX_ZEROCOPY_RO   = 3 // TX zerocopy (only sendfile now)
+	TLS_RX_EXPECT_NO_PAD = 4 // Attempt opportunistic zero-copy, TLS 1.3 only
+
+	TLS_SET_RECORD_TYPE = 1
+	TLS_GET_RECORD_TYPE = 2
+)
+
+type Support struct {
+	TLS, TLS_RX                     bool
+	TLS_Version13, TLS_Version13_RX bool
+
+	TLS_TX_ZEROCOPY  bool
+	TLS_RX_NOPADDING bool
+
+	TLS_AES_256_GCM       bool
+	TLS_AES_128_CCM       bool
+	TLS_CHACHA20_POLY1305 bool
+	TLS_SM4               bool
+	TLS_ARIA_GCM          bool
+
+	TLS_Version13_KeyUpdate bool
+}
+
+var KernelSupport = sync.OnceValues(func() (*Support, error) {
+	var uname unix.Utsname
+	err := unix.Uname(&uname)
+	if err != nil {
+		return nil, err
+	}
+
+	kernelVersion := badversion.Parse(strings.Trim(string(uname.Release[:]), "\x00"))
+	if err != nil {
+		return nil, err
+	}
+	var support Support
+	switch {
+	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 6, Minor: 14}):
+		support.TLS_Version13_KeyUpdate = true
+		fallthrough
+	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 6, Minor: 1}):
+		support.TLS_ARIA_GCM = true
+		fallthrough
+	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 6}):
+		support.TLS_Version13_RX = true
+		support.TLS_RX_NOPADDING = true
+		fallthrough
+	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 19}):
+		support.TLS_TX_ZEROCOPY = true
+		fallthrough
+	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 16}):
+		support.TLS_SM4 = true
+		fallthrough
+	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 11}):
+		support.TLS_CHACHA20_POLY1305 = true
+		fallthrough
+	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 2}):
+		support.TLS_AES_128_CCM = true
+		fallthrough
+	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 5, Minor: 1}):
+		support.TLS_AES_256_GCM = true
+		support.TLS_Version13 = true
+		fallthrough
+	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 4, Minor: 17}):
+		support.TLS_RX = true
+		fallthrough
+	case kernelVersion.GreaterThanOrEqual(badversion.Version{Major: 4, Minor: 13}):
+		support.TLS = true
+	}
+
+	if support.TLS && support.TLS_Version13 {
+		_, err := os.Stat("/sys/module/tls")
+		if err != nil {
+			if os.Getuid() == 0 {
+				output, err := shell.Exec("modprobe", "tls").Read()
+				if err != nil {
+					return nil, E.Extend(E.Cause(err, "modprobe tls"), output)
+				}
+			} else {
+				return nil, E.New("ktls: kernel TLS module not loaded")
+			}
+		}
+	}
+
+	return &support, nil
+})
+
+func Load() error {
+	support, err := KernelSupport()
+	if err != nil {
+		return E.Cause(err, "ktls: check availability")
+	}
+	if !support.TLS || !support.TLS_Version13 {
+		return E.New("ktls: kernel does not support TLS 1.3")
+	}
+	return nil
+}
+
+func (c *Conn) setupKernel(txOffload, rxOffload bool) error {
+	if !txOffload && !rxOffload {
+		return os.ErrInvalid
+	}
+	support, err := KernelSupport()
+	if err != nil {
+		return E.Cause(err, "check availability")
+	}
+	if !support.TLS || !support.TLS_Version13 {
+		return E.New("kernel does not support TLS 1.3")
+	}
+	c.rawConn.Out.Lock()
+	defer c.rawConn.Out.Unlock()
+	err = control.Raw(c.rawSyscallConn, func(fd uintptr) error {
+		return syscall.SetsockoptString(int(fd), unix.SOL_TCP, unix.TCP_ULP, "tls")
+	})
+	if err != nil {
+		return os.NewSyscallError("setsockopt", err)
+	}
+
+	if txOffload {
+		txCrypto := kernelCipher(support, c.rawConn.Out, *c.rawConn.CipherSuite, false)
+		if txCrypto == nil {
+			return E.New("unsupported cipher suite")
+		}
+		err = control.Raw(c.rawSyscallConn, func(fd uintptr) error {
+			return syscall.SetsockoptString(int(fd), unix.SOL_TLS, TLS_TX, txCrypto.String())
+		})
+		if err != nil {
+			return err
+		}
+		if support.TLS_TX_ZEROCOPY {
+			err = control.Raw(c.rawSyscallConn, func(fd uintptr) error {
+				return syscall.SetsockoptInt(int(fd), unix.SOL_TLS, TLS_TX_ZEROCOPY_RO, 1)
+			})
+			if err != nil {
+				return err
+			}
+		}
+		c.kernelTx = true
+		c.logger.DebugContext(c.ctx, "ktls: kernel TLS TX enabled")
+	}
+
+	if rxOffload {
+		rxCrypto := kernelCipher(support, c.rawConn.In, *c.rawConn.CipherSuite, true)
+		if rxCrypto == nil {
+			return E.New("unsupported cipher suite")
+		}
+		err = control.Raw(c.rawSyscallConn, func(fd uintptr) error {
+			return syscall.SetsockoptString(int(fd), unix.SOL_TLS, TLS_RX, rxCrypto.String())
+		})
+		if err != nil {
+			return err
+		}
+		if *c.rawConn.Vers >= tls.VersionTLS13 && support.TLS_RX_NOPADDING {
+			err = control.Raw(c.rawSyscallConn, func(fd uintptr) error {
+				return syscall.SetsockoptInt(int(fd), unix.SOL_TLS, TLS_RX_EXPECT_NO_PAD, 1)
+			})
+			if err != nil {
+				return err
+			}
+		}
+		c.kernelRx = true
+		c.logger.DebugContext(c.ctx, "ktls: kernel TLS RX enabled")
+	}
+	return nil
+}
+
+func (c *Conn) resetupTX() (func() error, error) {
+	if !c.kernelTx {
+		return nil, nil
+	}
+	support, err := KernelSupport()
+	if err != nil {
+		return nil, err
+	}
+	if !support.TLS_Version13_KeyUpdate {
+		return nil, errors.New("ktls: kernel does not support rekey")
+	}
+	txCrypto := kernelCipher(support, c.rawConn.Out, *c.rawConn.CipherSuite, false)
+	if txCrypto == nil {
+		return nil, errors.New("ktls: set kernelCipher on unsupported tls session")
+	}
+	return func() error {
+		return control.Raw(c.rawSyscallConn, func(fd uintptr) error {
+			return syscall.SetsockoptString(int(fd), unix.SOL_TLS, TLS_TX, txCrypto.String())
+		})
+	}, nil
+}
+
+func (c *Conn) resetupRX() error {
+	if !c.kernelRx {
+		return nil
+	}
+	support, err := KernelSupport()
+	if err != nil {
+		return err
+	}
+	if !support.TLS_Version13_KeyUpdate {
+		return errors.New("ktls: kernel does not support rekey")
+	}
+	rxCrypto := kernelCipher(support, c.rawConn.In, *c.rawConn.CipherSuite, true)
+	if rxCrypto == nil {
+		return errors.New("ktls: set kernelCipher on unsupported tls session")
+	}
+	return control.Raw(c.rawSyscallConn, func(fd uintptr) error {
+		return syscall.SetsockoptString(int(fd), unix.SOL_TLS, TLS_RX, rxCrypto.String())
+	})
+}
+
+func (c *Conn) readKernelRecord() (uint8, []byte, error) {
+	if c.rawConn.RawInput.Len() < maxPlaintext {
+		c.rawConn.RawInput.Grow(maxPlaintext - c.rawConn.RawInput.Len())
+	}
+
+	data := c.rawConn.RawInput.Bytes()[:maxPlaintext]
+
+	// cmsg for record type
+	buffer := make([]byte, unix.CmsgSpace(1))
+	cmsg := (*unix.Cmsghdr)(unsafe.Pointer(&buffer[0]))
+	cmsg.SetLen(unix.CmsgLen(1))
+
+	var iov unix.Iovec
+	iov.Base = &data[0]
+	iov.SetLen(len(data))
+
+	var msg unix.Msghdr
+	msg.Control = &buffer[0]
+	msg.Controllen = cmsg.Len
+	msg.Iov = &iov
+	msg.Iovlen = 1
+
+	var n int
+	var err error
+	er := c.rawSyscallConn.Read(func(fd uintptr) bool {
+		n, err = recvmsg(int(fd), &msg, 0)
+		return err != unix.EAGAIN
+	})
+	if er != nil {
+		return 0, nil, er
+	}
+	switch err {
+	case nil:
+	case syscall.EINVAL:
+		return 0, nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertProtocolVersion))
+	case syscall.EMSGSIZE:
+		return 0, nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertRecordOverflow))
+	case syscall.EBADMSG:
+		return 0, nil, c.rawConn.In.SetErrorLocked(c.sendAlert(alertDecryptError))
+	default:
+		return 0, nil, err
+	}
+
+	if n <= 0 {
+		return 0, nil, io.EOF
+	}
+
+	if cmsg.Level == unix.SOL_TLS && cmsg.Type == TLS_GET_RECORD_TYPE {
+		typ := buffer[unix.CmsgLen(0)]
+		return typ, data[:n], nil
+	}
+
+	return recordTypeApplicationData, data[:n], nil
+}
+
+func (c *Conn) writeKernelRecord(typ uint16, data []byte) (int, error) {
+	if typ == recordTypeApplicationData {
+		return c.conn.Write(data)
+	}
+
+	// cmsg for record type
+	buffer := make([]byte, unix.CmsgSpace(1))
+	cmsg := (*unix.Cmsghdr)(unsafe.Pointer(&buffer[0]))
+	cmsg.SetLen(unix.CmsgLen(1))
+	buffer[unix.CmsgLen(0)] = byte(typ)
+	cmsg.Level = unix.SOL_TLS
+	cmsg.Type = TLS_SET_RECORD_TYPE
+
+	var iov unix.Iovec
+	iov.Base = &data[0]
+	iov.SetLen(len(data))
+
+	var msg unix.Msghdr
+	msg.Control = &buffer[0]
+	msg.Controllen = cmsg.Len
+	msg.Iov = &iov
+	msg.Iovlen = 1
+
+	var n int
+	var err error
+	ew := c.rawSyscallConn.Write(func(fd uintptr) bool {
+		n, err = sendmsg(int(fd), &msg, 0)
+		return err != unix.EAGAIN
+	})
+	if ew != nil {
+		return 0, ew
+	}
+	return n, err
+}
+
+//go:linkname recvmsg golang.org/x/sys/unix.recvmsg
+func recvmsg(fd int, msg *unix.Msghdr, flags int) (n int, err error)
+
+//go:linkname sendmsg golang.org/x/sys/unix.sendmsg
+func sendmsg(fd int, msg *unix.Msghdr, flags int) (n int, err error)

common/ktls/ktls_prf.go

@@ -0,0 +1,24 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux && go1.25 && !without_badtls
+
+package ktls
+
+import "unsafe"
+
+//go:linkname cipherSuiteByID github.com/metacubex/utls.cipherSuiteByID
+func cipherSuiteByID(id uint16) unsafe.Pointer
+
+//go:linkname keysFromMasterSecret github.com/metacubex/utls.keysFromMasterSecret
+func keysFromMasterSecret(version uint16, suite unsafe.Pointer, masterSecret, clientRandom, serverRandom []byte, macLen, keyLen, ivLen int) (clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV []byte)
+
+//go:linkname cipherSuiteTLS13ByID github.com/metacubex/utls.cipherSuiteTLS13ByID
+func cipherSuiteTLS13ByID(id uint16) unsafe.Pointer
+
+//go:linkname nextTrafficSecret github.com/metacubex/utls.(*cipherSuiteTLS13).nextTrafficSecret
+func nextTrafficSecret(cs unsafe.Pointer, trafficSecret []byte) []byte
+
+//go:linkname trafficKey github.com/metacubex/utls.(*cipherSuiteTLS13).trafficKey
+func trafficKey(cs unsafe.Pointer, trafficSecret []byte) (key, iv []byte)

common/ktls/ktls_read.go

@@ -0,0 +1,292 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux && go1.25 && !without_badtls
+
+package ktls
+
+import (
+	"bytes"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"net"
+)
+
+func (c *Conn) Read(b []byte) (int, error) {
+	if !c.kernelRx {
+		return c.Conn.Read(b)
+	}
+
+	if len(b) == 0 {
+		// Put this after Handshake, in case people were calling
+		// Read(nil) for the side effect of the Handshake.
+		return 0, nil
+	}
+
+	c.rawConn.In.Lock()
+	defer c.rawConn.In.Unlock()
+
+	for c.rawConn.Input.Len() == 0 {
+		if err := c.readRecord(); err != nil {
+			return 0, err
+		}
+		for c.rawConn.Hand.Len() > 0 {
+			if err := c.handlePostHandshakeMessage(); err != nil {
+				return 0, err
+			}
+		}
+	}
+
+	n, _ := c.rawConn.Input.Read(b)
+
+	// If a close-notify alert is waiting, read it so that we can return (n,
+	// EOF) instead of (n, nil), to signal to the HTTP response reading
+	// goroutine that the connection is now closed. This eliminates a race
+	// where the HTTP response reading goroutine would otherwise not observe
+	// the EOF until its next read, by which time a client goroutine might
+	// have already tried to reuse the HTTP connection for a new request.
+	// See https://golang.org/cl/76400046 and https://golang.org/issue/3514
+	if n != 0 && c.rawConn.Input.Len() == 0 && c.rawConn.RawInput.Len() > 0 &&
+		c.rawConn.RawInput.Bytes()[0] == recordTypeAlert {
+		if err := c.readRecord(); err != nil {
+			return n, err // will be io.EOF on closeNotify
+		}
+	}
+
+	return n, nil
+}
+
+func (c *Conn) readRecord() error {
+	if *c.rawConn.In.Err != nil {
+		return *c.rawConn.In.Err
+	}
+
+	typ, data, err := c.readRawRecord()
+	if err != nil {
+		return err
+	}
+
+	if len(data) > maxPlaintext {
+		return c.rawConn.In.SetErrorLocked(c.sendAlert(alertRecordOverflow))
+	}
+
+	// Application Data messages are always protected.
+	if c.rawConn.In.Cipher == nil && typ == recordTypeApplicationData {
+		return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
+	}
+
+	//if typ != recordTypeAlert && typ != recordTypeChangeCipherSpec && len(data) > 0 {
+	// This is a state-advancing message: reset the retry count.
+	// c.retryCount = 0
+	//}
+
+	// Handshake messages MUST NOT be interleaved with other record types in TLS 1.3.
+	if *c.rawConn.Vers == tls.VersionTLS13 && typ != recordTypeHandshake && c.rawConn.Hand.Len() > 0 {
+		return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
+	}
+
+	switch typ {
+	default:
+		return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
+	case recordTypeAlert:
+		//if c.quic != nil {
+		//	return c.rawConn.In.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
+		//}
+		if len(data) != 2 {
+			return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
+		}
+		if data[1] == alertCloseNotify {
+			return c.rawConn.In.SetErrorLocked(io.EOF)
+		}
+		if *c.rawConn.Vers == tls.VersionTLS13 {
+			// TLS 1.3 removed warning-level alerts except for alertUserCanceled
+			// (RFC 8446, § 6.1). Since at least one major implementation
+			// (https://bugs.openjdk.org/browse/JDK-8323517) misuses this alert,
+			// many TLS stacks now ignore it outright when seen in a TLS 1.3
+			// handshake (e.g. BoringSSL, NSS, Rustls).
+			if data[1] == alertUserCanceled {
+				// Like TLS 1.2 alertLevelWarning alerts, we drop the record and retry.
+				return c.retryReadRecord( /*expectChangeCipherSpec*/ )
+			}
+			return c.rawConn.In.SetErrorLocked(&net.OpError{Op: "remote error", Err: tls.AlertError(data[1])})
+		}
+		switch data[0] {
+		case alertLevelWarning:
+			// Drop the record on the floor and retry.
+			return c.retryReadRecord( /*expectChangeCipherSpec*/ )
+		case alertLevelError:
+			return c.rawConn.In.SetErrorLocked(&net.OpError{Op: "remote error", Err: tls.AlertError(data[1])})
+		default:
+			return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
+		}
+
+	case recordTypeChangeCipherSpec:
+		if len(data) != 1 || data[0] != 1 {
+			return c.rawConn.In.SetErrorLocked(c.sendAlert(alertDecodeError))
+		}
+		// Handshake messages are not allowed to fragment across the CCS.
+		if c.rawConn.Hand.Len() > 0 {
+			return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
+		}
+		// In TLS 1.3, change_cipher_spec records are ignored until the
+		// Finished. See RFC 8446, Appendix D.4. Note that according to Section
+		// 5, a server can send a ChangeCipherSpec before its ServerHello, when
+		// c.vers is still unset. That's not useful though and suspicious if the
+		// server then selects a lower protocol version, so don't allow that.
+		if *c.rawConn.Vers == tls.VersionTLS13 {
+			return c.retryReadRecord( /*expectChangeCipherSpec*/ )
+		}
+		// if !expectChangeCipherSpec {
+		return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
+		//}
+		//if err := c.rawConn.In.changeCipherSpec(); err != nil {
+		//	return c.rawConn.In.setErrorLocked(c.sendAlert(err.(alert)))
+		//}
+
+	case recordTypeApplicationData:
+		// Some OpenSSL servers send empty records in order to randomize the
+		// CBC RawIV. Ignore a limited number of empty records.
+		if len(data) == 0 {
+			return c.retryReadRecord( /*expectChangeCipherSpec*/ )
+		}
+		// Note that data is owned by c.rawInput, following the Next call above,
+		// to avoid copying the plaintext. This is safe because c.rawInput is
+		// not read from or written to until c.input is drained.
+		c.rawConn.Input.Reset(data)
+	case recordTypeHandshake:
+		if len(data) == 0 {
+			return c.rawConn.In.SetErrorLocked(c.sendAlert(alertUnexpectedMessage))
+		}
+		c.rawConn.Hand.Write(data)
+	}
+
+	return nil
+}
+
+//nolint:staticcheck
+func (c *Conn) readRawRecord() (typ uint8, data []byte, err error) {
+	// Read from kernel.
+	if c.kernelRx {
+		return c.readKernelRecord()
+	}
+
+	// Read header, payload.
+	if err = c.readFromUntil(c.conn, recordHeaderLen); err != nil {
+		// RFC 8446, Section 6.1 suggests that EOF without an alertCloseNotify
+		// is an error, but popular web sites seem to do this, so we accept it
+		// if and only if at the record boundary.
+		if err == io.ErrUnexpectedEOF && c.rawConn.RawInput.Len() == 0 {
+			err = io.EOF
+		}
+		if e, ok := err.(net.Error); !ok || !e.Temporary() {
+			c.rawConn.In.SetErrorLocked(err)
+		}
+		return
+	}
+	hdr := c.rawConn.RawInput.Bytes()[:recordHeaderLen]
+	typ = hdr[0]
+
+	vers := uint16(hdr[1])<<8 | uint16(hdr[2])
+	expectedVers := *c.rawConn.Vers
+	if expectedVers == tls.VersionTLS13 {
+		// All TLS 1.3 records are expected to have 0x0303 (1.2) after
+		// the initial hello (RFC 8446 Section 5.1).
+		expectedVers = tls.VersionTLS12
+	}
+	n := int(hdr[3])<<8 | int(hdr[4])
+	if /*c.haveVers && */ vers != expectedVers {
+		c.sendAlert(alertProtocolVersion)
+		msg := fmt.Sprintf("received record with version %x when expecting version %x", vers, expectedVers)
+		err = c.rawConn.In.SetErrorLocked(c.newRecordHeaderError(nil, msg))
+		return
+	}
+	//if !c.haveVers {
+	//	// First message, be extra suspicious: this might not be a TLS
+	//	// client. Bail out before reading a full 'body', if possible.
+	//	// The current max version is 3.3 so if the version is >= 16.0,
+	//	// it's probably not real.
+	//	if (typ != recordTypeAlert && typ != recordTypeHandshake) || vers >= 0x1000 {
+	//		err = c.rawConn.In.SetErrorLocked(c.newRecordHeaderError(c.conn, "first record does not look like a TLS handshake"))
+	//		return
+	//	}
+	//}
+	if *c.rawConn.Vers == tls.VersionTLS13 && n > maxCiphertextTLS13 || n > maxCiphertext {
+		c.sendAlert(alertRecordOverflow)
+		msg := fmt.Sprintf("oversized record received with length %d", n)
+		err = c.rawConn.In.SetErrorLocked(c.newRecordHeaderError(nil, msg))
+		return
+	}
+	if err = c.readFromUntil(c.conn, recordHeaderLen+n); err != nil {
+		if e, ok := err.(net.Error); !ok || !e.Temporary() {
+			c.rawConn.In.SetErrorLocked(err)
+		}
+		return
+	}
+
+	// Process message.
+	record := c.rawConn.RawInput.Next(recordHeaderLen + n)
+	data, typ, err = c.rawConn.In.Decrypt(record)
+	if err != nil {
+		err = c.rawConn.In.SetErrorLocked(c.sendAlert(uint8(err.(tls.AlertError))))
+		return
+	}
+	return
+}
+
+// retryReadRecord recurs into readRecordOrCCS to drop a non-advancing record, like
+// a warning alert, empty application_data, or a change_cipher_spec in TLS 1.3.
+func (c *Conn) retryReadRecord( /*expectChangeCipherSpec bool*/ ) error {
+	//c.retryCount++
+	//if c.retryCount > maxUselessRecords {
+	//	c.sendAlert(alertUnexpectedMessage)
+	//	return c.in.setErrorLocked(errors.New("tls: too many ignored records"))
+	//}
+	return c.readRecord( /*expectChangeCipherSpec*/ )
+}
+
+// atLeastReader reads from R, stopping with EOF once at least N bytes have been
+// read. It is different from an io.LimitedReader in that it doesn't cut short
+// the last Read call, and in that it considers an early EOF an error.
+type atLeastReader struct {
+	R io.Reader
+	N int64
+}
+
+func (r *atLeastReader) Read(p []byte) (int, error) {
+	if r.N <= 0 {
+		return 0, io.EOF
+	}
+	n, err := r.R.Read(p)
+	r.N -= int64(n) // won't underflow unless len(p) >= n > 9223372036854775809
+	if r.N > 0 && err == io.EOF {
+		return n, io.ErrUnexpectedEOF
+	}
+	if r.N <= 0 && err == nil {
+		return n, io.EOF
+	}
+	return n, err
+}
+
+// readFromUntil reads from r into c.rawConn.RawInput until c.rawConn.RawInput contains
+// at least n bytes or else returns an error.
+func (c *Conn) readFromUntil(r io.Reader, n int) error {
+	if c.rawConn.RawInput.Len() >= n {
+		return nil
+	}
+	needs := n - c.rawConn.RawInput.Len()
+	// There might be extra input waiting on the wire. Make a best effort
+	// attempt to fetch it so that it can be used in (*Conn).Read to
+	// "predict" closeNotify alerts.
+	c.rawConn.RawInput.Grow(needs + bytes.MinRead)
+	_, err := c.rawConn.RawInput.ReadFrom(&atLeastReader{r, int64(needs)})
+	return err
+}
+
+func (c *Conn) newRecordHeaderError(conn net.Conn, msg string) (err tls.RecordHeaderError) {
+	err.Msg = msg
+	err.Conn = conn
+	copy(err.RecordHeader[:], c.rawConn.RawInput.Bytes())
+	return err
+}

common/ktls/ktls_read_wait.go

@@ -0,0 +1,41 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux && go1.25 && !without_badtls
+
+package ktls
+
+import (
+	"github.com/sagernet/sing/common/buf"
+	N "github.com/sagernet/sing/common/network"
+)
+
+func (c *Conn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy bool) {
+	c.readWaitOptions = options
+	return false
+}
+
+func (c *Conn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
+	c.rawConn.In.Lock()
+	defer c.rawConn.In.Unlock()
+	for c.rawConn.Input.Len() == 0 {
+		err = c.readRecord()
+		if err != nil {
+			return
+		}
+	}
+	buffer = c.readWaitOptions.NewBuffer()
+	n, err := c.rawConn.Input.Read(buffer.FreeBytes())
+	if err != nil {
+		buffer.Release()
+		return
+	}
+	buffer.Truncate(n)
+	if n != 0 && c.rawConn.Input.Len() == 0 && c.rawConn.Input.Len() > 0 &&
+		c.rawConn.RawInput.Bytes()[0] == recordTypeAlert {
+		_ = c.rawConn.ReadRecord()
+	}
+	c.readWaitOptions.PostReturn(buffer)
+	return
+}

common/ktls/ktls_stub.go

@@ -0,0 +1,15 @@
+//go:build !linux || !go1.25 || without_badtls
+
+package ktls
+
+import (
+	"context"
+	"os"
+
+	"github.com/sagernet/sing/common/logger"
+	aTLS "github.com/sagernet/sing/common/tls"
+)
+
+func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
+	return nil, os.ErrInvalid
+}

common/ktls/ktls_write.go

@@ -0,0 +1,154 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux && go1.25 && !without_badtls
+
+package ktls
+
+import (
+	"crypto/cipher"
+	"crypto/tls"
+	"errors"
+	"net"
+)
+
+func (c *Conn) Write(b []byte) (int, error) {
+	if !c.kernelTx {
+		return c.Conn.Write(b)
+	}
+	// interlock with Close below
+	for {
+		x := c.rawConn.ActiveCall.Load()
+		if x&1 != 0 {
+			return 0, net.ErrClosed
+		}
+		if c.rawConn.ActiveCall.CompareAndSwap(x, x+2) {
+			break
+		}
+	}
+	defer c.rawConn.ActiveCall.Add(-2)
+
+	//if err := c.Conn.HandshakeContext(context.Background()); err != nil {
+	//	return 0, err
+	//}
+
+	c.rawConn.Out.Lock()
+	defer c.rawConn.Out.Unlock()
+
+	if err := *c.rawConn.Out.Err; err != nil {
+		return 0, err
+	}
+
+	if !c.rawConn.IsHandshakeComplete.Load() {
+		return 0, tls.AlertError(alertInternalError)
+	}
+
+	if *c.rawConn.CloseNotifySent {
+		// return 0, errShutdown
+		return 0, errors.New("tls: protocol is shutdown")
+	}
+
+	// TLS 1.0 is susceptible to a chosen-plaintext
+	// attack when using block mode ciphers due to predictable IVs.
+	// This can be prevented by splitting each Application Data
+	// record into two records, effectively randomizing the RawIV.
+	//
+	// https://www.openssl.org/~bodo/tls-cbc.txt
+	// https://bugzilla.mozilla.org/show_bug.cgi?id=665814
+	// https://www.imperialviolet.org/2012/01/15/beastfollowup.html
+
+	var m int
+	if len(b) > 1 && *c.rawConn.Vers == tls.VersionTLS10 {
+		if _, ok := (*c.rawConn.Out.Cipher).(cipher.BlockMode); ok {
+			n, err := c.writeRecordLocked(recordTypeApplicationData, b[:1])
+			if err != nil {
+				return n, c.rawConn.Out.SetErrorLocked(err)
+			}
+			m, b = 1, b[1:]
+		}
+	}
+
+	n, err := c.writeRecordLocked(recordTypeApplicationData, b)
+	return n + m, c.rawConn.Out.SetErrorLocked(err)
+}
+
+func (c *Conn) writeRecordLocked(typ uint16, data []byte) (n int, err error) {
+	if !c.kernelTx {
+		return c.rawConn.WriteRecordLocked(typ, data)
+	}
+	/*for len(data) > 0 {
+		m := len(data)
+		if maxPayload := c.maxPayloadSizeForWrite(typ); m > maxPayload {
+			m = maxPayload
+		}
+		_, err = c.writeKernelRecord(typ, data[:m])
+		if err != nil {
+			return
+		}
+		n += m
+		data = data[m:]
+	}*/
+	return c.writeKernelRecord(typ, data)
+}
+
+const (
+	// tcpMSSEstimate is a conservative estimate of the TCP maximum segment
+	// size (MSS). A constant is used, rather than querying the kernel for
+	// the actual MSS, to avoid complexity. The value here is the IPv6
+	// minimum MTU (1280 bytes) minus the overhead of an IPv6 header (40
+	// bytes) and a TCP header with timestamps (32 bytes).
+	tcpMSSEstimate = 1208
+
+	// recordSizeBoostThreshold is the number of bytes of application data
+	// sent after which the TLS record size will be increased to the
+	// maximum.
+	recordSizeBoostThreshold = 128 * 1024
+)
+
+func (c *Conn) maxPayloadSizeForWrite(typ uint16) int {
+	if /*c.config.DynamicRecordSizingDisabled ||*/ typ != recordTypeApplicationData {
+		return maxPlaintext
+	}
+
+	if *c.rawConn.PacketsSent >= recordSizeBoostThreshold {
+		return maxPlaintext
+	}
+
+	// Subtract TLS overheads to get the maximum payload size.
+	payloadBytes := tcpMSSEstimate - recordHeaderLen - c.rawConn.Out.ExplicitNonceLen()
+	if rawCipher := *c.rawConn.Out.Cipher; rawCipher != nil {
+		switch ciph := rawCipher.(type) {
+		case cipher.Stream:
+			payloadBytes -= (*c.rawConn.Out.Mac).Size()
+		case cipher.AEAD:
+			payloadBytes -= ciph.Overhead()
+		/*case cbcMode:
+		blockSize := ciph.BlockSize()
+		// The payload must fit in a multiple of blockSize, with
+		// room for at least one padding byte.
+		payloadBytes = (payloadBytes & ^(blockSize - 1)) - 1
+		// The RawMac is appended before padding so affects the
+		// payload size directly.
+		payloadBytes -= c.out.mac.Size()*/
+		default:
+			panic("unknown cipher type")
+		}
+	}
+	if *c.rawConn.Vers == tls.VersionTLS13 {
+		payloadBytes-- // encrypted ContentType
+	}
+
+	// Allow packet growth in arithmetic progression up to max.
+	pkt := *c.rawConn.PacketsSent
+	*c.rawConn.PacketsSent++
+	if pkt > 1000 {
+		return maxPlaintext // avoid overflow in multiply below
+	}
+
+	n := payloadBytes * int(pkt+1)
+	if n > maxPlaintext {
+		n = maxPlaintext
+	}
+	return n
+}

common/listener/listener_tcp.go

@@ -3,6 +3,7 @@ package listener
 import (
 	"net"
 	"net/netip"
+	"strings"
 	"syscall"
 	"time"
 
@@ -56,7 +57,7 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 	if l.tproxy {
 		listenConfig.Control = control.Append(listenConfig.Control, func(network, address string, conn syscall.RawConn) error {
 			return control.Raw(conn, func(fd uintptr) error {
-				return redir.TProxy(fd, !M.ParseSocksaddr(address).IsIPv4(), false)
+				return redir.TProxy(fd, !strings.HasSuffix(network, "4"), false)
 			})
 		})
 	}

common/listener/listener_udp.go

@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"strings"
 	"syscall"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -41,7 +42,7 @@ func (l *Listener) ListenUDP() (net.PacketConn, error) {
 	if l.tproxy {
 		listenConfig.Control = control.Append(listenConfig.Control, func(network, address string, conn syscall.RawConn) error {
 			return control.Raw(conn, func(fd uintptr) error {
-				return redir.TProxy(fd, !M.ParseSocksaddr(address).IsIPv4(), true)
+				return redir.TProxy(fd, !strings.HasSuffix(network, "4"), true)
 			})
 		})
 	}

common/sniff/quic_blacklist.go

@@ -17,8 +17,5 @@ var uQUICChrome115 = &ja3.ClientHello{
 }
 
 func maybeUQUIC(fingerprint *ja3.ClientHello) bool {
-	if uQUICChrome115.Equals(fingerprint, true) {
-		return true
-	}
-	return false
+	return !uQUICChrome115.Equals(fingerprint, true)
 }

common/sniff/quic_test.go

@@ -56,7 +56,7 @@ func TestSniffUQUICChrome115(t *testing.T) {
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
-	require.Equal(t, metadata.Client, C.ClientQUICGo)
+	require.Equal(t, metadata.Client, C.ClientChromium)
 	require.Equal(t, metadata.Domain, "www.google.com")
 }
 

common/srs/binary.go

@@ -12,6 +12,8 @@ import (
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/domain"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json/badjson"
+	"github.com/sagernet/sing/common/json/badoption"
 	"github.com/sagernet/sing/common/varbin"
 
 	"go4.org/netipx"
@@ -41,6 +43,8 @@ const (
 	ruleItemNetworkType
 	ruleItemNetworkIsExpensive
 	ruleItemNetworkIsConstrained
+	ruleItemNetworkInterfaceAddress
+	ruleItemDefaultInterfaceAddress
 	ruleItemFinal uint8 = 0xFF
 )
 
@@ -230,6 +234,51 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 			rule.NetworkIsExpensive = true
 		case ruleItemNetworkIsConstrained:
 			rule.NetworkIsConstrained = true
+		case ruleItemNetworkInterfaceAddress:
+			rule.NetworkInterfaceAddress = new(badjson.TypedMap[option.InterfaceType, badoption.Listable[*badoption.Prefixable]])
+			var size uint64
+			size, err = binary.ReadUvarint(reader)
+			if err != nil {
+				return
+			}
+			for i := uint64(0); i < size; i++ {
+				var key uint8
+				err = binary.Read(reader, binary.BigEndian, &key)
+				if err != nil {
+					return
+				}
+				var value []*badoption.Prefixable
+				var prefixCount uint64
+				prefixCount, err = binary.ReadUvarint(reader)
+				if err != nil {
+					return
+				}
+				for j := uint64(0); j < prefixCount; j++ {
+					var prefix netip.Prefix
+					prefix, err = readPrefix(reader)
+					if err != nil {
+						return
+					}
+					value = append(value, common.Ptr(badoption.Prefixable(prefix)))
+				}
+				rule.NetworkInterfaceAddress.Put(option.InterfaceType(key), value)
+			}
+		case ruleItemDefaultInterfaceAddress:
+			var value []*badoption.Prefixable
+			var prefixCount uint64
+			prefixCount, err = binary.ReadUvarint(reader)
+			if err != nil {
+				return
+			}
+			for j := uint64(0); j < prefixCount; j++ {
+				var prefix netip.Prefix
+				prefix, err = readPrefix(reader)
+				if err != nil {
+					return
+				}
+				value = append(value, common.Ptr(badoption.Prefixable(prefix)))
+			}
+			rule.DefaultInterfaceAddress = value
 		case ruleItemFinal:
 			err = binary.Read(reader, binary.BigEndian, &rule.Invert)
 			return
@@ -346,7 +395,7 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 	}
 	if len(rule.NetworkType) > 0 {
 		if generateVersion < C.RuleSetVersion3 {
-			return E.New("network_type rule item is only supported in version 3 or later")
+			return E.New("`network_type` rule item is only supported in version 3 or later")
 		}
 		err = writeRuleItemUint8(writer, ruleItemNetworkType, rule.NetworkType)
 		if err != nil {
@@ -354,17 +403,71 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 		}
 	}
 	if rule.NetworkIsExpensive {
+		if generateVersion < C.RuleSetVersion3 {
+			return E.New("`network_is_expensive` rule item is only supported in version 3 or later")
+		}
 		err = binary.Write(writer, binary.BigEndian, ruleItemNetworkIsExpensive)
 		if err != nil {
 			return err
 		}
 	}
 	if rule.NetworkIsConstrained {
+		if generateVersion < C.RuleSetVersion3 {
+			return E.New("`network_is_constrained` rule item is only supported in version 3 or later")
+		}
 		err = binary.Write(writer, binary.BigEndian, ruleItemNetworkIsConstrained)
 		if err != nil {
 			return err
 		}
 	}
+	if rule.NetworkInterfaceAddress != nil && rule.NetworkInterfaceAddress.Size() > 0 {
+		if generateVersion < C.RuleSetVersion4 {
+			return E.New("`network_interface_address` rule item is only supported in version 4 or later")
+		}
+		err = writer.WriteByte(ruleItemNetworkInterfaceAddress)
+		if err != nil {
+			return err
+		}
+		_, err = varbin.WriteUvarint(writer, uint64(rule.NetworkInterfaceAddress.Size()))
+		if err != nil {
+			return err
+		}
+		for _, entry := range rule.NetworkInterfaceAddress.Entries() {
+			err = binary.Write(writer, binary.BigEndian, uint8(entry.Key.Build()))
+			if err != nil {
+				return err
+			}
+			_, err = varbin.WriteUvarint(writer, uint64(len(entry.Value)))
+			if err != nil {
+				return err
+			}
+			for _, rawPrefix := range entry.Value {
+				err = writePrefix(writer, rawPrefix.Build(netip.Prefix{}))
+				if err != nil {
+					return err
+				}
+			}
+		}
+	}
+	if len(rule.DefaultInterfaceAddress) > 0 {
+		if generateVersion < C.RuleSetVersion4 {
+			return E.New("`default_interface_address` rule item is only supported in version 4 or later")
+		}
+		err = writer.WriteByte(ruleItemDefaultInterfaceAddress)
+		if err != nil {
+			return err
+		}
+		_, err = varbin.WriteUvarint(writer, uint64(len(rule.DefaultInterfaceAddress)))
+		if err != nil {
+			return err
+		}
+		for _, rawPrefix := range rule.DefaultInterfaceAddress {
+			err = writePrefix(writer, rawPrefix.Build(netip.Prefix{}))
+			if err != nil {
+				return err
+			}
+		}
+	}
 	if len(rule.WIFISSID) > 0 {
 		err = writeRuleItemString(writer, ruleItemWIFISSID, rule.WIFISSID)
 		if err != nil {

common/srs/ip_cidr.go

@@ -0,0 +1,33 @@
+package srs
+
+import (
+	"encoding/binary"
+	"net/netip"
+
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/varbin"
+)
+
+func readPrefix(reader varbin.Reader) (netip.Prefix, error) {
+	addrSlice, err := varbin.ReadValue[[]byte](reader, binary.BigEndian)
+	if err != nil {
+		return netip.Prefix{}, err
+	}
+	prefixBits, err := varbin.ReadValue[uint8](reader, binary.BigEndian)
+	if err != nil {
+		return netip.Prefix{}, err
+	}
+	return netip.PrefixFrom(M.AddrFromIP(addrSlice), int(prefixBits)), nil
+}
+
+func writePrefix(writer varbin.Writer, prefix netip.Prefix) error {
+	err := varbin.Write(writer, binary.BigEndian, prefix.Addr().AsSlice())
+	if err != nil {
+		return err
+	}
+	err = binary.Write(writer, binary.BigEndian, uint8(prefix.Bits()))
+	if err != nil {
+		return err
+	}
+	return nil
+}

common/tls/client.go

@@ -2,39 +2,71 @@ package tls
 
 import (
 	"context"
+	"crypto/tls"
+	"errors"
 	"net"
 	"os"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/badtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func NewDialerFromOptions(ctx context.Context, router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
+func NewDialerFromOptions(ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
 	if !options.Enabled {
 		return dialer, nil
 	}
-	config, err := NewClient(ctx, serverAddress, options)
+	config, err := NewClientWithOptions(ClientOptions{
+		Context:       ctx,
+		Logger:        logger,
+		ServerAddress: serverAddress,
+		Options:       options,
+	})
 	if err != nil {
 		return nil, err
 	}
 	return NewDialer(dialer, config), nil
 }
 
-func NewClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	if !options.Enabled {
+func NewClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	return NewClientWithOptions(ClientOptions{
+		Context:       ctx,
+		Logger:        logger,
+		ServerAddress: serverAddress,
+		Options:       options,
+	})
+}
+
+type ClientOptions struct {
+	Context        context.Context
+	Logger         logger.ContextLogger
+	ServerAddress  string
+	Options        option.OutboundTLSOptions
+	KTLSCompatible bool
+}
+
+func NewClientWithOptions(options ClientOptions) (Config, error) {
+	if !options.Options.Enabled {
 		return nil, nil
 	}
-	if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityClient(ctx, serverAddress, options)
-	} else if options.UTLS != nil && options.UTLS.Enabled {
-		return NewUTLSClient(ctx, serverAddress, options)
+	if !options.KTLSCompatible {
+		if options.Options.KernelTx {
+			options.Logger.Warn("enabling kTLS TX in current scenarios will definitely reduce performance, please checkout https://sing-box.sagernet.org/configuration/shared/tls/#kernel_tx")
+		}
 	}
-	return NewSTDClient(ctx, serverAddress, options)
+	if options.Options.KernelRx {
+		options.Logger.Warn("enabling kTLS RX will definitely reduce performance, please checkout https://sing-box.sagernet.org/configuration/shared/tls/#kernel_rx")
+	}
+	if options.Options.Reality != nil && options.Options.Reality.Enabled {
+		return NewRealityClient(options.Context, options.Logger, options.ServerAddress, options.Options)
+	} else if options.Options.UTLS != nil && options.Options.UTLS.Enabled {
+		return NewUTLSClient(options.Context, options.Logger, options.ServerAddress, options.Options)
+	}
+	return NewSTDClient(options.Context, options.Logger, options.ServerAddress, options.Options)
 }
 
 func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
@@ -53,26 +85,57 @@ func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, e
 	return tlsConn, nil
 }
 
-type Dialer struct {
+type Dialer interface {
+	N.Dialer
+	DialTLSContext(ctx context.Context, destination M.Socksaddr) (Conn, error)
+}
+
+type defaultDialer struct {
 	dialer N.Dialer
 	config Config
 }
 
-func NewDialer(dialer N.Dialer, config Config) N.Dialer {
-	return &Dialer{dialer, config}
+func NewDialer(dialer N.Dialer, config Config) Dialer {
+	return &defaultDialer{dialer, config}
 }
 
-func (d *Dialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	if network != N.NetworkTCP {
+func (d *defaultDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	if N.NetworkName(network) != N.NetworkTCP {
 		return nil, os.ErrInvalid
 	}
-	conn, err := d.dialer.DialContext(ctx, network, destination)
+	return d.DialTLSContext(ctx, destination)
+}
+
+func (d *defaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	return nil, os.ErrInvalid
+}
+
+func (d *defaultDialer) DialTLSContext(ctx context.Context, destination M.Socksaddr) (Conn, error) {
+	return d.dialContext(ctx, destination, true)
+}
+
+func (d *defaultDialer) dialContext(ctx context.Context, destination M.Socksaddr, echRetry bool) (Conn, error) {
+	conn, err := d.dialer.DialContext(ctx, N.NetworkTCP, destination)
 	if err != nil {
 		return nil, err
 	}
-	return ClientHandshake(ctx, conn, d.config)
+	tlsConn, err := ClientHandshake(ctx, conn, d.config)
+	if err == nil {
+		return tlsConn, nil
+	}
+	conn.Close()
+	if echRetry {
+		var echErr *tls.ECHRejectionError
+		if errors.As(err, &echErr) && len(echErr.RetryConfigList) > 0 {
+			if echConfig, isECH := d.config.(ECHCapableConfig); isECH {
+				echConfig.SetECHConfigList(echErr.RetryConfigList)
+			}
+		}
+		return d.dialContext(ctx, destination, false)
+	}
+	return nil, err
 }
 
-func (d *Dialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return nil, os.ErrInvalid
+func (d *defaultDialer) Upstream() any {
+	return d.dialer
 }

common/tls/ech.go

@@ -125,7 +125,7 @@ func (s *ECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (a
 func (s *ECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
 	s.access.Lock()
 	defer s.access.Unlock()
-	if len(s.ECHConfigList()) == 0 || s.lastTTL == 0 || time.Now().Sub(s.lastUpdate) > s.lastTTL {
+	if len(s.ECHConfigList()) == 0 || s.lastTTL == 0 || time.Since(s.lastUpdate) > s.lastTTL {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,

common/tls/ktls.go

@@ -0,0 +1,67 @@
+package tls
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing-box/common/ktls"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	aTLS "github.com/sagernet/sing/common/tls"
+)
+
+type KTLSClientConfig struct {
+	Config
+	logger             logger.ContextLogger
+	kernelTx, kernelRx bool
+}
+
+func (w *KTLSClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
+	tlsConn, err := aTLS.ClientHandshake(ctx, conn, w.Config)
+	if err != nil {
+		return nil, err
+	}
+	kConn, err := ktls.NewConn(ctx, w.logger, tlsConn, w.kernelTx, w.kernelRx)
+	if err != nil {
+		tlsConn.Close()
+		return nil, E.Cause(err, "initialize kernel TLS")
+	}
+	return kConn, nil
+}
+
+func (w *KTLSClientConfig) Clone() Config {
+	return &KTLSClientConfig{
+		w.Config.Clone(),
+		w.logger,
+		w.kernelTx,
+		w.kernelRx,
+	}
+}
+
+type KTlSServerConfig struct {
+	ServerConfig
+	logger             logger.ContextLogger
+	kernelTx, kernelRx bool
+}
+
+func (w *KTlSServerConfig) ServerHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
+	tlsConn, err := aTLS.ServerHandshake(ctx, conn, w.ServerConfig)
+	if err != nil {
+		return nil, err
+	}
+	kConn, err := ktls.NewConn(ctx, w.logger, tlsConn, w.kernelTx, w.kernelRx)
+	if err != nil {
+		tlsConn.Close()
+		return nil, E.Cause(err, "initialize kernel TLS")
+	}
+	return kConn, nil
+}
+
+func (w *KTlSServerConfig) Clone() Config {
+	return &KTlSServerConfig{
+		w.ServerConfig.Clone().(ServerConfig),
+		w.logger,
+		w.kernelTx,
+		w.kernelRx,
+	}
+}

common/tls/reality_client.go

@@ -28,10 +28,12 @@ import (
 	"unsafe"
 
 	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/common/ntp"
 	aTLS "github.com/sagernet/sing/common/tls"
 
@@ -49,12 +51,12 @@ type RealityClientConfig struct {
 	shortID   [8]byte
 }
 
-func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
+func NewRealityClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	if options.UTLS == nil || !options.UTLS.Enabled {
 		return nil, E.New("uTLS is required by reality client")
 	}
 
-	uClient, err := NewUTLSClient(ctx, serverAddress, options)
+	uClient, err := NewUTLSClient(ctx, logger, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}
@@ -74,7 +76,20 @@ func NewRealityClient(ctx context.Context, serverAddress string, options option.
 	if decodedLen > 8 {
 		return nil, E.New("invalid short_id")
 	}
-	return &RealityClientConfig{ctx, uClient.(*UTLSClientConfig), publicKey, shortID}, nil
+
+	var config Config = &RealityClientConfig{ctx, uClient.(*UTLSClientConfig), publicKey, shortID}
+	if options.KernelRx || options.KernelTx {
+		if !C.IsLinux {
+			return nil, E.New("kTLS is only supported on Linux")
+		}
+		config = &KTLSClientConfig{
+			Config:   config,
+			logger:   logger,
+			kernelTx: options.KernelTx,
+			kernelRx: options.KernelRx,
+		}
+	}
+	return config, nil
 }
 
 func (e *RealityClientConfig) ServerName() string {
@@ -93,7 +108,7 @@ func (e *RealityClientConfig) SetNextProtos(nextProto []string) {
 	e.uClient.SetNextProtos(nextProto)
 }
 
-func (e *RealityClientConfig) Config() (*STDConfig, error) {
+func (e *RealityClientConfig) STDConfig() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for reality")
 }
 
@@ -307,3 +322,11 @@ func (c *realityClientConnWrapper) Upstream() any {
 func (c *realityClientConnWrapper) CloseWrite() error {
 	return c.Close()
 }
+
+func (c *realityClientConnWrapper) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *realityClientConnWrapper) WriterReplaceable() bool {
+	return true
+}

common/tls/reality_server.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/common/dialer"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -28,7 +29,7 @@ type RealityServerConfig struct {
 	config *utls.RealityConfig
 }
 
-func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
+func NewRealityServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
 	var tlsConfig utls.RealityConfig
 
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
@@ -119,7 +120,22 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 		return handshakeDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 	}
 
-	return &RealityServerConfig{&tlsConfig}, nil
+	if options.ECH != nil && options.ECH.Enabled {
+		return nil, E.New("Reality is conflict with ECH")
+	}
+	var config ServerConfig = &RealityServerConfig{&tlsConfig}
+	if options.KernelTx || options.KernelRx {
+		if !C.IsLinux {
+			return nil, E.New("kTLS is only supported on Linux")
+		}
+		config = &KTlSServerConfig{
+			ServerConfig: config,
+			logger:       logger,
+			kernelTx:     options.KernelTx,
+			kernelRx:     options.KernelRx,
+		}
+	}
+	return config, nil
 }
 
 func (c *RealityServerConfig) ServerName() string {
@@ -138,7 +154,7 @@ func (c *RealityServerConfig) SetNextProtos(nextProto []string) {
 	c.config.NextProtos = nextProto
 }
 
-func (c *RealityServerConfig) Config() (*tls.Config, error) {
+func (c *RealityServerConfig) STDConfig() (*tls.Config, error) {
 	return nil, E.New("unsupported usage for reality")
 }
 
@@ -206,3 +222,11 @@ func (c *realityConnWrapper) Upstream() any {
 func (c *realityConnWrapper) CloseWrite() error {
 	return c.Close()
 }
+
+func (c *realityConnWrapper) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *realityConnWrapper) WriterReplaceable() bool {
+	return true
+}

common/tls/server.go

@@ -12,14 +12,37 @@ import (
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
-	if !options.Enabled {
+type ServerOptions struct {
+	Context        context.Context
+	Logger         log.ContextLogger
+	Options        option.InboundTLSOptions
+	KTLSCompatible bool
+}
+
+func NewServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
+	return NewServerWithOptions(ServerOptions{
+		Context: ctx,
+		Logger:  logger,
+		Options: options,
+	})
+}
+
+func NewServerWithOptions(options ServerOptions) (ServerConfig, error) {
+	if !options.Options.Enabled {
 		return nil, nil
 	}
-	if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityServer(ctx, logger, options)
+	if !options.KTLSCompatible {
+		if options.Options.KernelTx {
+			options.Logger.Warn("enabling kTLS TX in current scenarios will definitely reduce performance, please checkout https://sing-box.sagernet.org/configuration/shared/tls/#kernel_tx")
+		}
 	}
-	return NewSTDServer(ctx, logger, options)
+	if options.Options.KernelRx {
+		options.Logger.Warn("enabling kTLS RX will definitely reduce performance, please checkout https://sing-box.sagernet.org/configuration/shared/tls/#kernel_rx")
+	}
+	if options.Options.Reality != nil && options.Options.Reality.Enabled {
+		return NewRealityServer(options.Context, options.Logger, options.Options)
+	}
+	return NewSTDServer(options.Context, options.Logger, options.Options)
 }
 
 func ServerHandshake(ctx context.Context, conn net.Conn, config ServerConfig) (Conn, error) {

common/tls/std_client.go

@@ -11,8 +11,10 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tlsfragment"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/common/ntp"
 )
 
@@ -40,7 +42,7 @@ func (c *STDClientConfig) SetNextProtos(nextProto []string) {
 	c.config.NextProtos = nextProto
 }
 
-func (c *STDClientConfig) Config() (*STDConfig, error) {
+func (c *STDClientConfig) STDConfig() (*STDConfig, error) {
 	return c.config, nil
 }
 
@@ -52,7 +54,13 @@ func (c *STDClientConfig) Client(conn net.Conn) (Conn, error) {
 }
 
 func (c *STDClientConfig) Clone() Config {
-	return &STDClientConfig{c.ctx, c.config.Clone(), c.fragment, c.fragmentFallbackDelay, c.recordFragment}
+	return &STDClientConfig{
+		ctx:                   c.ctx,
+		config:                c.config.Clone(),
+		fragment:              c.fragment,
+		fragmentFallbackDelay: c.fragmentFallbackDelay,
+		recordFragment:        c.recordFragment,
+	}
 }
 
 func (c *STDClientConfig) ECHConfigList() []byte {
@@ -63,7 +71,7 @@ func (c *STDClientConfig) SetECHConfigList(EncryptedClientHelloConfigList []byte
 	c.config.EncryptedClientHelloConfigList = EncryptedClientHelloConfigList
 }
 
-func NewSTDClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -146,10 +154,24 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 		tlsConfig.RootCAs = certPool
 	}
-	stdConfig := &STDClientConfig{ctx, &tlsConfig, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
+	var config Config = &STDClientConfig{ctx, &tlsConfig, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
-		return parseECHClientConfig(ctx, stdConfig, options)
-	} else {
-		return stdConfig, nil
+		var err error
+		config, err = parseECHClientConfig(ctx, config.(ECHCapableConfig), options)
+		if err != nil {
+			return nil, err
+		}
 	}
+	if options.KernelRx || options.KernelTx {
+		if !C.IsLinux {
+			return nil, E.New("kTLS is only supported on Linux")
+		}
+		config = &KTLSClientConfig{
+			Config:   config,
+			logger:   logger,
+			kernelTx: options.KernelTx,
+			kernelRx: options.KernelRx,
+		}
+	}
+	return config, nil
 }

common/tls/std_server.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
@@ -55,7 +56,7 @@ func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	}
 }
 
-func (c *STDServerConfig) Config() (*STDConfig, error) {
+func (c *STDServerConfig) STDConfig() (*STDConfig, error) {
 	return c.config, nil
 }
 
@@ -160,7 +161,7 @@ func (c *STDServerConfig) Close() error {
 	return nil
 }
 
-func NewSTDServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
@@ -262,7 +263,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 			return nil, err
 		}
 	}
-	return &STDServerConfig{
+	var config ServerConfig = &STDServerConfig{
 		config:          tlsConfig,
 		logger:          logger,
 		acmeService:     acmeService,
@@ -271,5 +272,17 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		certificatePath: options.CertificatePath,
 		keyPath:         options.KeyPath,
 		echKeyPath:      echKeyPath,
-	}, nil
+	}
+	if options.KernelTx || options.KernelRx {
+		if !C.IsLinux {
+			return nil, E.New("kTLS is only supported on Linux")
+		}
+		config = &KTlSServerConfig{
+			ServerConfig: config,
+			logger:       logger,
+			kernelTx:     options.KernelTx,
+			kernelRx:     options.KernelRx,
+		}
+	}
+	return config, nil
 }

common/tls/utls_client.go

@@ -14,8 +14,11 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tlsfragment"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/common/ntp"
 
 	utls "github.com/metacubex/utls"
@@ -50,7 +53,7 @@ func (c *UTLSClientConfig) SetNextProtos(nextProto []string) {
 	c.config.NextProtos = nextProto
 }
 
-func (c *UTLSClientConfig) Config() (*STDConfig, error) {
+func (c *UTLSClientConfig) STDConfig() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for uTLS")
 }
 
@@ -106,6 +109,14 @@ func (c *utlsConnWrapper) Upstream() any {
 	return c.UConn
 }
 
+func (c *utlsConnWrapper) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *utlsConnWrapper) WriterReplaceable() bool {
+	return true
+}
+
 type utlsALPNWrapper struct {
 	utlsConnWrapper
 	nextProtocols []string
@@ -131,7 +142,7 @@ func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
 	return c.UConn.HandshakeContext(ctx)
 }
 
-func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -206,15 +217,28 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 	if err != nil {
 		return nil, err
 	}
-	uConfig := &UTLSClientConfig{ctx, &tlsConfig, id, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
+	var config Config = &UTLSClientConfig{ctx, &tlsConfig, id, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
 		if options.Reality != nil && options.Reality.Enabled {
 			return nil, E.New("Reality is conflict with ECH")
 		}
-		return parseECHClientConfig(ctx, uConfig, options)
-	} else {
-		return uConfig, nil
+		config, err = parseECHClientConfig(ctx, config.(ECHCapableConfig), options)
+		if err != nil {
+			return nil, err
+		}
 	}
+	if (options.KernelRx || options.KernelTx) && !common.PtrValueOrDefault(options.Reality).Enabled {
+		if !C.IsLinux {
+			return nil, E.New("kTLS is only supported on Linux")
+		}
+		config = &KTLSClientConfig{
+			Config:   config,
+			logger:   logger,
+			kernelTx: options.KernelTx,
+			kernelRx: options.KernelRx,
+		}
+	}
+	return config, nil
 }
 
 var (

common/tls/utls_stub.go

@@ -8,13 +8,14 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 )
 
-func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS is not included in this build, rebuild with -tags with_utls`)
 }
 
-func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewRealityClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS, which is required by reality is not included in this build, rebuild with -tags with_utls`)
 }
 

common/tlsfragment/conn.go

@@ -109,6 +109,9 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 						if err != nil {
 							return
 						}
+						if i != len(splitIndexes) {
+							time.Sleep(c.fallbackDelay)
+						}
 					}
 				}
 			}

common/tlsfragment/wait_stub.go

@@ -9,6 +9,10 @@ import (
 )
 
 func writeAndWaitAck(ctx context.Context, conn *net.TCPConn, payload []byte, fallbackDelay time.Duration) error {
+	_, err := conn.Write(payload)
+	if err != nil {
+		return err
+	}
 	time.Sleep(fallbackDelay)
 	return nil
 }

common/tlsfragment/wait_windows.go

@@ -16,6 +16,9 @@ func writeAndWaitAck(ctx context.Context, conn *net.TCPConn, payload []byte, fal
 	err := winiphlpapi.WriteAndWaitAck(ctx, conn, payload)
 	if err != nil {
 		if errors.Is(err, windows.ERROR_ACCESS_DENIED) {
+			if _, err := conn.Write(payload); err != nil {
+				return err
+			}
 			time.Sleep(fallbackDelay)
 			return nil
 		}

common/urltest/urltest.go

@@ -11,7 +11,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"
@@ -98,7 +97,7 @@ func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err e
 		return
 	}
 	defer instance.Close()
-	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](instance); isEarlyConn && earlyConn.NeedHandshake() {
+	if N.NeedHandshakeForWrite(instance) {
 		start = time.Now()
 	}
 	req, err := http.NewRequest(http.MethodHead, link, nil)

constant/rule.go

@@ -22,7 +22,8 @@ const (
 	RuleSetVersion1 = 1 + iota
 	RuleSetVersion2
 	RuleSetVersion3
-	RuleSetVersionCurrent = RuleSetVersion3
+	RuleSetVersion4
+	RuleSetVersionCurrent = RuleSetVersion4
 )
 
 const (
@@ -39,4 +40,5 @@ const (
 const (
 	RuleActionRejectMethodDefault = "default"
 	RuleActionRejectMethodDrop    = "drop"
+	RuleActionRejectMethodReply   = "reply"
 )

dns/client.go

@@ -2,12 +2,14 @@ package dns
 
 import (
 	"context"
+	"errors"
 	"net"
 	"net/netip"
 	"strings"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/compatible"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -17,7 +19,7 @@ import (
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
 
-	dns "github.com/miekg/dns"
+	"github.com/miekg/dns"
 )
 
 var (
@@ -30,16 +32,18 @@ var (
 var _ adapter.DNSClient = (*Client)(nil)
 
 type Client struct {
-	timeout          time.Duration
-	disableCache     bool
-	disableExpire    bool
-	independentCache bool
-	clientSubnet     netip.Prefix
-	rdrc             adapter.RDRCStore
-	initRDRCFunc     func() adapter.RDRCStore
-	logger           logger.ContextLogger
-	cache            freelru.Cache[dns.Question, *dns.Msg]
-	transportCache   freelru.Cache[transportCacheKey, *dns.Msg]
+	timeout            time.Duration
+	disableCache       bool
+	disableExpire      bool
+	independentCache   bool
+	clientSubnet       netip.Prefix
+	rdrc               adapter.RDRCStore
+	initRDRCFunc       func() adapter.RDRCStore
+	logger             logger.ContextLogger
+	cache              freelru.Cache[dns.Question, *dns.Msg]
+	cacheLock          compatible.Map[dns.Question, chan struct{}]
+	transportCache     freelru.Cache[transportCacheKey, *dns.Msg]
+	transportCacheLock compatible.Map[dns.Question, chan struct{}]
 }
 
 type ClientOptions struct {
@@ -96,17 +100,15 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		if c.logger != nil {
 			c.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
 		}
-		responseMessage := dns.Msg{
-			MsgHdr: dns.MsgHdr{
-				Id:       message.Id,
-				Response: true,
-				Rcode:    dns.RcodeFormatError,
-			},
-			Question: message.Question,
-		}
-		return &responseMessage, nil
+		return FixedResponseStatus(message, dns.RcodeFormatError), nil
 	}
 	question := message.Question[0]
+	if question.Qtype == dns.TypeA && options.Strategy == C.DomainStrategyIPv6Only || question.Qtype == dns.TypeAAAA && options.Strategy == C.DomainStrategyIPv4Only {
+		if c.logger != nil {
+			c.logger.DebugContext(ctx, "strategy rejected")
+		}
+		return FixedResponseStatus(message, dns.RcodeSuccess), nil
+	}
 	clientSubnet := options.ClientSubnet
 	if !clientSubnet.IsValid() {
 		clientSubnet = c.clientSubnet
@@ -114,12 +116,38 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	if clientSubnet.IsValid() {
 		message = SetClientSubnet(message, clientSubnet)
 	}
+
 	isSimpleRequest := len(message.Question) == 1 &&
 		len(message.Ns) == 0 &&
-		len(message.Extra) == 0 &&
+		(len(message.Extra) == 0 || len(message.Extra) == 1 &&
+			message.Extra[0].Header().Rrtype == dns.TypeOPT &&
+			message.Extra[0].Header().Class > 0 &&
+			message.Extra[0].Header().Ttl == 0 &&
+			len(message.Extra[0].(*dns.OPT).Option) == 0) &&
 		!options.ClientSubnet.IsValid()
 	disableCache := !isSimpleRequest || c.disableCache || options.DisableCache
 	if !disableCache {
+		if c.cache != nil {
+			cond, loaded := c.cacheLock.LoadOrStore(question, make(chan struct{}))
+			if loaded {
+				<-cond
+			} else {
+				defer func() {
+					c.cacheLock.Delete(question)
+					close(cond)
+				}()
+			}
+		} else if c.transportCache != nil {
+			cond, loaded := c.transportCacheLock.LoadOrStore(question, make(chan struct{}))
+			if loaded {
+				<-cond
+			} else {
+				defer func() {
+					c.transportCacheLock.Delete(question)
+					close(cond)
+				}()
+			}
+		}
 		response, ttl := c.loadResponse(question, transport)
 		if response != nil {
 			logCachedResponse(c.logger, ctx, response, ttl)
@@ -127,27 +155,14 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			return response, nil
 		}
 	}
-	if question.Qtype == dns.TypeA && options.Strategy == C.DomainStrategyIPv6Only || question.Qtype == dns.TypeAAAA && options.Strategy == C.DomainStrategyIPv4Only {
-		responseMessage := dns.Msg{
-			MsgHdr: dns.MsgHdr{
-				Id:       message.Id,
-				Response: true,
-				Rcode:    dns.RcodeSuccess,
-			},
-			Question: []dns.Question{question},
-		}
-		if c.logger != nil {
-			c.logger.DebugContext(ctx, "strategy rejected")
-		}
-		return &responseMessage, nil
-	}
+
 	messageId := message.Id
 	contextTransport, clientSubnetLoaded := transportTagFromContext(ctx)
 	if clientSubnetLoaded && transport.Tag() == contextTransport {
 		return nil, E.New("DNS query loopback in transport[", contextTransport, "]")
 	}
 	ctx = contextWithTransportTag(ctx, transport.Tag())
-	if responseChecker != nil && c.rdrc != nil {
+	if !disableCache && responseChecker != nil && c.rdrc != nil {
 		rejected := c.rdrc.LoadRDRC(transport.Tag(), question.Name, question.Qtype)
 		if rejected {
 			return nil, ErrResponseRejectedCached
@@ -157,7 +172,12 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	response, err := transport.Exchange(ctx, message)
 	cancel()
 	if err != nil {
-		return nil, err
+		var rcodeError RcodeError
+		if errors.As(err, &rcodeError) {
+			response = FixedResponseStatus(message, int(rcodeError))
+		} else {
+			return nil, err
+		}
 	}
 	/*if question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA {
 		validResponse := response
@@ -196,13 +216,14 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	}*/
 	if responseChecker != nil {
 		var rejected bool
-		if !(response.Rcode == dns.RcodeSuccess || response.Rcode == dns.RcodeNameError) {
+		// TODO: add accept_any rule and support to check response instead of addresses
+		if response.Rcode != dns.RcodeSuccess || len(response.Answer) == 0 {
 			rejected = true
 		} else {
 			rejected = !responseChecker(MessageToAddresses(response))
 		}
 		if rejected {
-			if c.rdrc != nil {
+			if !disableCache && c.rdrc != nil {
 				c.rdrc.SaveRDRCAsync(transport.Tag(), question.Name, question.Qtype, c.logger)
 			}
 			logRejectedResponse(c.logger, ctx, response)
@@ -305,8 +326,7 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 func (c *Client) ClearCache() {
 	if c.cache != nil {
 		c.cache.Purge()
-	}
-	if c.transportCache != nil {
+	} else if c.transportCache != nil {
 		c.transportCache.Purge()
 	}
 }
@@ -320,36 +340,36 @@ func (c *Client) LookupCache(domain string, strategy C.DomainStrategy) ([]netip.
 	}
 	dnsName := dns.Fqdn(domain)
 	if strategy == C.DomainStrategyIPv4Only {
-		response, err := c.questionCache(dns.Question{
+		addresses, err := c.questionCache(dns.Question{
 			Name:   dnsName,
 			Qtype:  dns.TypeA,
 			Qclass: dns.ClassINET,
 		}, nil)
 		if err != ErrNotCached {
-			return response, true
+			return addresses, true
 		}
 	} else if strategy == C.DomainStrategyIPv6Only {
-		response, err := c.questionCache(dns.Question{
+		addresses, err := c.questionCache(dns.Question{
 			Name:   dnsName,
 			Qtype:  dns.TypeAAAA,
 			Qclass: dns.ClassINET,
 		}, nil)
 		if err != ErrNotCached {
-			return response, true
+			return addresses, true
 		}
 	} else {
-		response4, _ := c.questionCache(dns.Question{
+		response4, _ := c.loadResponse(dns.Question{
 			Name:   dnsName,
 			Qtype:  dns.TypeA,
 			Qclass: dns.ClassINET,
 		}, nil)
-		response6, _ := c.questionCache(dns.Question{
+		response6, _ := c.loadResponse(dns.Question{
 			Name:   dnsName,
 			Qtype:  dns.TypeAAAA,
 			Qclass: dns.ClassINET,
 		}, nil)
-		if len(response4) > 0 || len(response6) > 0 {
-			return sortAddresses(response4, response6, strategy), true
+		if response4 != nil || response6 != nil {
+			return sortAddresses(MessageToAddresses(response4), MessageToAddresses(response6), strategy), true
 		}
 	}
 	return nil, false
@@ -390,15 +410,15 @@ func (c *Client) storeCache(transport adapter.DNSTransport, question dns.Questio
 				transportTag: transport.Tag(),
 			}, message)
 		}
-		return
-	}
-	if !c.independentCache {
-		c.cache.AddWithLifetime(question, message, time.Second*time.Duration(timeToLive))
 	} else {
-		c.transportCache.AddWithLifetime(transportCacheKey{
-			Question:     question,
-			transportTag: transport.Tag(),
-		}, message, time.Second*time.Duration(timeToLive))
+		if !c.independentCache {
+			c.cache.AddWithLifetime(question, message, time.Second*time.Duration(timeToLive))
+		} else {
+			c.transportCache.AddWithLifetime(transportCacheKey{
+				Question:     question,
+				transportTag: transport.Tag(),
+			}, message, time.Second*time.Duration(timeToLive))
+		}
 	}
 }
 
@@ -517,6 +537,9 @@ func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransp
 }
 
 func MessageToAddresses(response *dns.Msg) []netip.Addr {
+	if response == nil || response.Rcode != dns.RcodeSuccess {
+		return nil
+	}
 	addresses := make([]netip.Addr, 0, len(response.Answer))
 	for _, rawAnswer := range response.Answer {
 		switch answer := rawAnswer.(type) {
@@ -561,9 +584,12 @@ func transportTagFromContext(ctx context.Context) (string, bool) {
 func FixedResponseStatus(message *dns.Msg, rcode int) *dns.Msg {
 	return &dns.Msg{
 		MsgHdr: dns.MsgHdr{
-			Id:       message.Id,
-			Rcode:    rcode,
-			Response: true,
+			Id:                 message.Id,
+			Response:           true,
+			Authoritative:      true,
+			RecursionDesired:   true,
+			RecursionAvailable: true,
+			Rcode:              rcode,
 		},
 		Question: message.Question,
 	}

dns/router.go

@@ -293,12 +293,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 					} else if errors.Is(err, ErrResponseRejected) {
 						rejected = true
 						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
-						/*} else if responseCheck!= nil && errors.Is(err, RcodeError(mDNS.RcodeNameError)) {
-						rejected = true
-						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
-						*/
 					} else if len(message.Question) > 0 {
-						rejected = true
 						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
 					} else {
 						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))

dns/transport/dhcp/dhcp.go

@@ -9,10 +9,8 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-tun"
@@ -29,6 +27,7 @@ import (
 
 	"github.com/insomniacslk/dhcp/dhcpv4"
 	mDNS "github.com/miekg/dns"
+	"golang.org/x/exp/slices"
 )
 
 func RegisterTransport(registry *dns.TransportRegistry) {
@@ -45,9 +44,12 @@ type Transport struct {
 	networkManager    adapter.NetworkManager
 	interfaceName     string
 	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
-	transports        []adapter.DNSTransport
-	updateAccess      sync.Mutex
+	transportLock     sync.RWMutex
 	updatedAt         time.Time
+	servers           []M.Socksaddr
+	search            []string
+	ndots             int
+	attempts          int
 }
 
 func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.DHCPDNSServerOptions) (adapter.DNSTransport, error) {
@@ -62,27 +64,40 @@ func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, opt
 		logger:           logger,
 		networkManager:   service.FromContext[adapter.NetworkManager](ctx),
 		interfaceName:    options.Interface,
+		ndots:            1,
+		attempts:         2,
 	}, nil
 }
 
+func NewRawTransport(transportAdapter dns.TransportAdapter, ctx context.Context, dialer N.Dialer, logger log.ContextLogger) *Transport {
+	return &Transport{
+		TransportAdapter: transportAdapter,
+		ctx:              ctx,
+		dialer:           dialer,
+		logger:           logger,
+		networkManager:   service.FromContext[adapter.NetworkManager](ctx),
+		ndots:            1,
+		attempts:         2,
+	}
+}
+
 func (t *Transport) Start(stage adapter.StartStage) error {
 	if stage != adapter.StartStateStart {
 		return nil
 	}
-	err := t.fetchServers()
-	if err != nil {
-		return err
-	}
 	if t.interfaceName == "" {
 		t.interfaceCallback = t.networkManager.InterfaceMonitor().RegisterCallback(t.interfaceUpdated)
 	}
+	go func() {
+		_, err := t.Fetch()
+		if err != nil {
+			t.logger.Error(E.Cause(err, "fetch DNS servers"))
+		}
+	}()
 	return nil
 }
 
 func (t *Transport) Close() error {
-	for _, transport := range t.transports {
-		transport.Close()
-	}
 	if t.interfaceCallback != nil {
 		t.networkManager.InterfaceMonitor().UnregisterCallback(t.interfaceCallback)
 	}
@@ -90,23 +105,44 @@ func (t *Transport) Close() error {
 }
 
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	err := t.fetchServers()
+	servers, err := t.Fetch()
 	if err != nil {
 		return nil, err
 	}
-
-	if len(t.transports) == 0 {
+	if len(servers) == 0 {
 		return nil, E.New("dhcp: empty DNS servers from response")
 	}
+	return t.Exchange0(ctx, message, servers)
+}
 
-	var response *mDNS.Msg
-	for _, transport := range t.transports {
-		response, err = transport.Exchange(ctx, message)
-		if err == nil {
-			return response, nil
-		}
+func (t *Transport) Exchange0(ctx context.Context, message *mDNS.Msg, servers []M.Socksaddr) (*mDNS.Msg, error) {
+	question := message.Question[0]
+	domain := dns.FqdnToDomain(question.Name)
+	if len(servers) == 1 || !(message.Question[0].Qtype == mDNS.TypeA || message.Question[0].Qtype == mDNS.TypeAAAA) {
+		return t.exchangeSingleRequest(ctx, servers, message, domain)
+	} else {
+		return t.exchangeParallel(ctx, servers, message, domain)
 	}
-	return nil, err
+}
+
+func (t *Transport) Fetch() ([]M.Socksaddr, error) {
+	t.transportLock.RLock()
+	updatedAt := t.updatedAt
+	servers := t.servers
+	t.transportLock.RUnlock()
+	if time.Since(updatedAt) < C.DHCPTTL {
+		return servers, nil
+	}
+	t.transportLock.Lock()
+	defer t.transportLock.Unlock()
+	if time.Since(t.updatedAt) < C.DHCPTTL {
+		return t.servers, nil
+	}
+	err := t.updateServers()
+	if err != nil {
+		return nil, err
+	}
+	return t.servers, nil
 }
 
 func (t *Transport) fetchInterface() (*control.Interface, error) {
@@ -124,18 +160,6 @@ func (t *Transport) fetchInterface() (*control.Interface, error) {
 	}
 }
 
-func (t *Transport) fetchServers() error {
-	if time.Since(t.updatedAt) < C.DHCPTTL {
-		return nil
-	}
-	t.updateAccess.Lock()
-	defer t.updateAccess.Unlock()
-	if time.Since(t.updatedAt) < C.DHCPTTL {
-		return nil
-	}
-	return t.updateServers()
-}
-
 func (t *Transport) updateServers() error {
 	iface, err := t.fetchInterface()
 	if err != nil {
@@ -148,7 +172,7 @@ func (t *Transport) updateServers() error {
 	cancel()
 	if err != nil {
 		return err
-	} else if len(t.transports) == 0 {
+	} else if len(t.servers) == 0 {
 		return E.New("dhcp: empty DNS servers response")
 	} else {
 		t.updatedAt = time.Now()
@@ -177,7 +201,11 @@ func (t *Transport) fetchServers0(ctx context.Context, iface *control.Interface)
 	}
 	defer packetConn.Close()
 
-	discovery, err := dhcpv4.NewDiscovery(iface.HardwareAddr, dhcpv4.WithBroadcast(true), dhcpv4.WithRequestedOptions(dhcpv4.OptionDomainNameServer))
+	discovery, err := dhcpv4.NewDiscovery(iface.HardwareAddr, dhcpv4.WithBroadcast(true), dhcpv4.WithRequestedOptions(
+		dhcpv4.OptionDomainName,
+		dhcpv4.OptionDomainNameServer,
+		dhcpv4.OptionDNSDomainSearchList,
+	))
 	if err != nil {
 		return err
 	}
@@ -223,31 +251,23 @@ func (t *Transport) fetchServersResponse(iface *control.Interface, packetConn ne
 			continue
 		}
 
-		dns := dhcpPacket.DNS()
-		if len(dns) == 0 {
-			return nil
-		}
-		return t.recreateServers(iface, common.Map(dns, func(it net.IP) M.Socksaddr {
-			return M.SocksaddrFrom(M.AddrFromIP(it), 53)
-		}))
+		return t.recreateServers(iface, dhcpPacket)
 	}
 }
 
-func (t *Transport) recreateServers(iface *control.Interface, serverAddrs []M.Socksaddr) error {
-	if len(serverAddrs) > 0 {
-		t.logger.Info("dhcp: updated DNS servers from ", iface.Name, ": [", strings.Join(common.Map(serverAddrs, M.Socksaddr.String), ","), "]")
+func (t *Transport) recreateServers(iface *control.Interface, dhcpPacket *dhcpv4.DHCPv4) error {
+	searchList := dhcpPacket.DomainSearch()
+	if searchList != nil && len(searchList.Labels) > 0 {
+		t.search = searchList.Labels
+	} else if dhcpPacket.DomainName() != "" {
+		t.search = []string{dhcpPacket.DomainName()}
 	}
-	serverDialer := common.Must1(dialer.NewDefault(t.ctx, option.DialerOptions{
-		BindInterface:      iface.Name,
-		UDPFragmentDefault: true,
-	}))
-	var transports []adapter.DNSTransport
-	for _, serverAddr := range serverAddrs {
-		transports = append(transports, transport.NewUDPRaw(t.logger, t.TransportAdapter, serverDialer, serverAddr))
+	serverAddrs := common.Map(dhcpPacket.DNS(), func(it net.IP) M.Socksaddr {
+		return M.SocksaddrFrom(M.AddrFromIP(it), 53)
+	})
+	if len(serverAddrs) > 0 && !slices.Equal(t.servers, serverAddrs) {
+		t.logger.Info("dhcp: updated DNS servers from ", iface.Name, ": [", strings.Join(common.Map(serverAddrs, M.Socksaddr.String), ","), "], search: [", strings.Join(t.search, ","), "]")
 	}
-	for _, transport := range t.transports {
-		transport.Close()
-	}
-	t.transports = transports
+	t.servers = serverAddrs
 	return nil
 }

dns/transport/dhcp/dhcp_shared.go

@@ -0,0 +1,197 @@
+package dhcp
+
+import (
+	"context"
+	"math/rand"
+	"strings"
+	"time"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+
+	mDNS "github.com/miekg/dns"
+)
+
+func (t *Transport) exchangeSingleRequest(ctx context.Context, servers []M.Socksaddr, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
+	var lastErr error
+	for _, fqdn := range t.nameList(domain) {
+		response, err := t.tryOneName(ctx, servers, fqdn, message)
+		if err != nil {
+			lastErr = err
+			continue
+		}
+		return response, nil
+	}
+	return nil, lastErr
+}
+
+func (t *Transport) exchangeParallel(ctx context.Context, servers []M.Socksaddr, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
+	returned := make(chan struct{})
+	defer close(returned)
+	type queryResult struct {
+		response *mDNS.Msg
+		err      error
+	}
+	results := make(chan queryResult)
+	startRacer := func(ctx context.Context, fqdn string) {
+		response, err := t.tryOneName(ctx, servers, fqdn, message)
+		if err == nil {
+			if response.Rcode != mDNS.RcodeSuccess {
+				err = dns.RcodeError(response.Rcode)
+			} else if len(dns.MessageToAddresses(response)) == 0 {
+				err = E.New(fqdn, ": empty result")
+			}
+		}
+		select {
+		case results <- queryResult{response, err}:
+		case <-returned:
+		}
+	}
+	queryCtx, queryCancel := context.WithCancel(ctx)
+	defer queryCancel()
+	var nameCount int
+	for _, fqdn := range t.nameList(domain) {
+		nameCount++
+		go startRacer(queryCtx, fqdn)
+	}
+	var errors []error
+	for {
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case result := <-results:
+			if result.err == nil {
+				return result.response, nil
+			}
+			errors = append(errors, result.err)
+			if len(errors) == nameCount {
+				return nil, E.Errors(errors...)
+			}
+		}
+	}
+}
+
+func (t *Transport) tryOneName(ctx context.Context, servers []M.Socksaddr, fqdn string, message *mDNS.Msg) (*mDNS.Msg, error) {
+	sLen := len(servers)
+	var lastErr error
+	for i := 0; i < t.attempts; i++ {
+		for j := 0; j < sLen; j++ {
+			server := servers[j]
+			question := message.Question[0]
+			question.Name = fqdn
+			response, err := t.exchangeOne(ctx, server, question, C.DNSTimeout, false, true)
+			if err != nil {
+				lastErr = err
+				continue
+			}
+			return response, nil
+		}
+	}
+	return nil, E.Cause(lastErr, fqdn)
+}
+
+func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, question mDNS.Question, timeout time.Duration, useTCP, ad bool) (*mDNS.Msg, error) {
+	if server.Port == 0 {
+		server.Port = 53
+	}
+	var networks []string
+	if useTCP {
+		networks = []string{N.NetworkTCP}
+	} else {
+		networks = []string{N.NetworkUDP, N.NetworkTCP}
+	}
+	request := &mDNS.Msg{
+		MsgHdr: mDNS.MsgHdr{
+			Id:                uint16(rand.Uint32()),
+			RecursionDesired:  true,
+			AuthenticatedData: ad,
+		},
+		Question: []mDNS.Question{question},
+		Compress: true,
+	}
+	request.SetEdns0(buf.UDPBufferSize, false)
+	buffer := buf.Get(buf.UDPBufferSize)
+	defer buf.Put(buffer)
+	for _, network := range networks {
+		ctx, cancel := context.WithDeadline(ctx, time.Now().Add(timeout))
+		defer cancel()
+		conn, err := t.dialer.DialContext(ctx, network, server)
+		if err != nil {
+			return nil, err
+		}
+		defer conn.Close()
+		if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
+			conn.SetDeadline(deadline)
+		}
+		rawMessage, err := request.PackBuffer(buffer)
+		if err != nil {
+			return nil, E.Cause(err, "pack request")
+		}
+		_, err = conn.Write(rawMessage)
+		if err != nil {
+			return nil, E.Cause(err, "write request")
+		}
+		n, err := conn.Read(buffer)
+		if err != nil {
+			return nil, E.Cause(err, "read response")
+		}
+		var response mDNS.Msg
+		err = response.Unpack(buffer[:n])
+		if err != nil {
+			return nil, E.Cause(err, "unpack response")
+		}
+		if response.Truncated && network == N.NetworkUDP {
+			continue
+		}
+		return &response, nil
+	}
+	panic("unexpected")
+}
+
+func (t *Transport) nameList(name string) []string {
+	l := len(name)
+	rooted := l > 0 && name[l-1] == '.'
+	if l > 254 || l == 254 && !rooted {
+		return nil
+	}
+
+	if rooted {
+		if avoidDNS(name) {
+			return nil
+		}
+		return []string{name}
+	}
+
+	hasNdots := strings.Count(name, ".") >= t.ndots
+	name += "."
+	// l++
+
+	names := make([]string, 0, 1+len(t.search))
+	if hasNdots && !avoidDNS(name) {
+		names = append(names, name)
+	}
+	for _, suffix := range t.search {
+		fqdn := name + suffix
+		if !avoidDNS(fqdn) && len(fqdn) <= 254 {
+			names = append(names, fqdn)
+		}
+	}
+	if !hasNdots && !avoidDNS(name) {
+		names = append(names, name)
+	}
+	return names
+}
+
+func avoidDNS(name string) bool {
+	if name == "" {
+		return true
+	}
+	if name[len(name)-1] == '.' {
+		name = name[:len(name)-1]
+	}
+	return strings.HasSuffix(name, ".onion")
+}

dns/transport/https.go

@@ -59,11 +59,11 @@ func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options
 	}
 	tlsOptions := common.PtrValueOrDefault(options.TLS)
 	tlsOptions.Enabled = true
-	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
+	tlsConfig, err := tls.NewClient(ctx, logger, options.Server, tlsOptions)
 	if err != nil {
 		return nil, err
 	}
-	if common.Error(tlsConfig.Config()) == nil && !common.Contains(tlsConfig.NextProtos(), http2.NextProtoTLS) {
+	if common.Error(tlsConfig.STDConfig()) == nil && !common.Contains(tlsConfig.NextProtos(), http2.NextProtoTLS) {
 		tlsConfig.SetNextProtos(append(tlsConfig.NextProtos(), http2.NextProtoTLS))
 	}
 	if !common.Contains(tlsConfig.NextProtos(), "http/1.1") {

dns/transport/local/local.go

@@ -1,9 +1,9 @@
+//go:build !darwin
+
 package local
 
 import (
 	"context"
-	"math/rand"
-	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
@@ -11,21 +11,27 @@ import (
 	"github.com/sagernet/sing-box/dns/transport/hosts"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/logger"
 	N "github.com/sagernet/sing/common/network"
 
 	mDNS "github.com/miekg/dns"
 )
 
+func RegisterTransport(registry *dns.TransportRegistry) {
+	dns.RegisterTransport[option.LocalDNSServerOptions](registry, C.DNSTypeLocal, NewTransport)
+}
+
 var _ adapter.DNSTransport = (*Transport)(nil)
 
 type Transport struct {
 	dns.TransportAdapter
-	ctx    context.Context
-	hosts  *hosts.File
-	dialer N.Dialer
+	ctx      context.Context
+	logger   logger.ContextLogger
+	hosts    *hosts.File
+	dialer   N.Dialer
+	preferGo bool
+	resolved ResolvedResolver
 }
 
 func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.LocalDNSServerOptions) (adapter.DNSTransport, error) {
@@ -36,20 +42,45 @@ func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, opt
 	return &Transport{
 		TransportAdapter: dns.NewTransportAdapterWithLocalOptions(C.DNSTypeLocal, tag, options),
 		ctx:              ctx,
+		logger:           logger,
 		hosts:            hosts.NewFile(hosts.DefaultPath),
 		dialer:           transportDialer,
+		preferGo:         options.PreferGo,
 	}, nil
 }
 
 func (t *Transport) Start(stage adapter.StartStage) error {
+	switch stage {
+	case adapter.StartStateInitialize:
+		if !t.preferGo {
+			resolvedResolver, err := NewResolvedResolver(t.ctx, t.logger)
+			if err == nil {
+				err = resolvedResolver.Start()
+				if err == nil {
+					t.resolved = resolvedResolver
+				} else {
+					t.logger.Warn(E.Cause(err, "initialize resolved resolver"))
+				}
+			}
+		}
+	}
 	return nil
 }
 
 func (t *Transport) Close() error {
+	if t.resolved != nil {
+		return t.resolved.Close()
+	}
 	return nil
 }
 
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	if t.resolved != nil {
+		resolverObject := t.resolved.Object()
+		if resolverObject != nil {
+			return t.resolved.Exchange(resolverObject, ctx, message)
+		}
+	}
 	question := message.Question[0]
 	domain := dns.FqdnToDomain(question.Name)
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
@@ -58,147 +89,5 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 		}
 	}
-	systemConfig := getSystemDNSConfig(t.ctx)
-	if systemConfig.singleRequest || !(message.Question[0].Qtype == mDNS.TypeA || message.Question[0].Qtype == mDNS.TypeAAAA) {
-		return t.exchangeSingleRequest(ctx, systemConfig, message, domain)
-	} else {
-		return t.exchangeParallel(ctx, systemConfig, message, domain)
-	}
-}
-
-func (t *Transport) exchangeSingleRequest(ctx context.Context, systemConfig *dnsConfig, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
-	var lastErr error
-	for _, fqdn := range systemConfig.nameList(domain) {
-		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
-		if err != nil {
-			lastErr = err
-			continue
-		}
-		return response, nil
-	}
-	return nil, lastErr
-}
-
-func (t *Transport) exchangeParallel(ctx context.Context, systemConfig *dnsConfig, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
-	returned := make(chan struct{})
-	defer close(returned)
-	type queryResult struct {
-		response *mDNS.Msg
-		err      error
-	}
-	results := make(chan queryResult)
-	startRacer := func(ctx context.Context, fqdn string) {
-		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
-		if err == nil {
-			if response.Rcode != mDNS.RcodeSuccess {
-				err = dns.RcodeError(response.Rcode)
-			} else if len(dns.MessageToAddresses(response)) == 0 {
-				err = E.New(fqdn, ": empty result")
-			}
-		}
-		select {
-		case results <- queryResult{response, err}:
-		case <-returned:
-		}
-	}
-	queryCtx, queryCancel := context.WithCancel(ctx)
-	defer queryCancel()
-	var nameCount int
-	for _, fqdn := range systemConfig.nameList(domain) {
-		nameCount++
-		go startRacer(queryCtx, fqdn)
-	}
-	var errors []error
-	for {
-		select {
-		case <-ctx.Done():
-			return nil, ctx.Err()
-		case result := <-results:
-			if result.err == nil {
-				return result.response, nil
-			}
-			errors = append(errors, result.err)
-			if len(errors) == nameCount {
-				return nil, E.Errors(errors...)
-			}
-		}
-	}
-}
-
-func (t *Transport) tryOneName(ctx context.Context, config *dnsConfig, fqdn string, message *mDNS.Msg) (*mDNS.Msg, error) {
-	serverOffset := config.serverOffset()
-	sLen := uint32(len(config.servers))
-	var lastErr error
-	for i := 0; i < config.attempts; i++ {
-		for j := uint32(0); j < sLen; j++ {
-			server := config.servers[(serverOffset+j)%sLen]
-			question := message.Question[0]
-			question.Name = fqdn
-			response, err := t.exchangeOne(ctx, M.ParseSocksaddr(server), question, config.timeout, config.useTCP, config.trustAD)
-			if err != nil {
-				lastErr = err
-				continue
-			}
-			return response, nil
-		}
-	}
-	return nil, E.Cause(lastErr, fqdn)
-}
-
-func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, question mDNS.Question, timeout time.Duration, useTCP, ad bool) (*mDNS.Msg, error) {
-	if server.Port == 0 {
-		server.Port = 53
-	}
-	var networks []string
-	if useTCP {
-		networks = []string{N.NetworkTCP}
-	} else {
-		networks = []string{N.NetworkUDP, N.NetworkTCP}
-	}
-	request := &mDNS.Msg{
-		MsgHdr: mDNS.MsgHdr{
-			Id:                uint16(rand.Uint32()),
-			RecursionDesired:  true,
-			AuthenticatedData: ad,
-		},
-		Question: []mDNS.Question{question},
-		Compress: true,
-	}
-	request.SetEdns0(maxDNSPacketSize, false)
-	buffer := buf.Get(buf.UDPBufferSize)
-	defer buf.Put(buffer)
-	for _, network := range networks {
-		ctx, cancel := context.WithDeadline(ctx, time.Now().Add(timeout))
-		defer cancel()
-		conn, err := t.dialer.DialContext(ctx, network, server)
-		if err != nil {
-			return nil, err
-		}
-		defer conn.Close()
-		if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-			conn.SetDeadline(deadline)
-		}
-		rawMessage, err := request.PackBuffer(buffer)
-		if err != nil {
-			return nil, E.Cause(err, "pack request")
-		}
-		_, err = conn.Write(rawMessage)
-		if err != nil {
-			return nil, E.Cause(err, "write request")
-		}
-		n, err := conn.Read(buffer)
-		if err != nil {
-			return nil, E.Cause(err, "read response")
-		}
-		var response mDNS.Msg
-		err = response.Unpack(buffer[:n])
-		if err != nil {
-			return nil, E.Cause(err, "unpack response")
-		}
-		if response.Truncated && network == N.NetworkUDP {
-			continue
-		}
-		return &response, nil
-	}
-	panic("unexpected")
+	return t.exchange(ctx, message, domain)
 }

dns/transport/local/local_darwin.go

@@ -0,0 +1,143 @@
+//go:build darwin
+
+package local
+
+import (
+	"context"
+	"errors"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/dns/transport/hosts"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
+
+	mDNS "github.com/miekg/dns"
+)
+
+func RegisterTransport(registry *dns.TransportRegistry) {
+	dns.RegisterTransport[option.LocalDNSServerOptions](registry, C.DNSTypeLocal, NewTransport)
+}
+
+var _ adapter.DNSTransport = (*Transport)(nil)
+
+type Transport struct {
+	dns.TransportAdapter
+	ctx           context.Context
+	logger        logger.ContextLogger
+	hosts         *hosts.File
+	dialer        N.Dialer
+	preferGo      bool
+	fallback      bool
+	dhcpTransport dhcpTransport
+	resolver      net.Resolver
+}
+
+type dhcpTransport interface {
+	adapter.DNSTransport
+	Fetch() ([]M.Socksaddr, error)
+	Exchange0(ctx context.Context, message *mDNS.Msg, servers []M.Socksaddr) (*mDNS.Msg, error)
+}
+
+func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.LocalDNSServerOptions) (adapter.DNSTransport, error) {
+	transportDialer, err := dns.NewLocalDialer(ctx, options)
+	if err != nil {
+		return nil, err
+	}
+	transportAdapter := dns.NewTransportAdapterWithLocalOptions(C.DNSTypeLocal, tag, options)
+	return &Transport{
+		TransportAdapter: transportAdapter,
+		ctx:              ctx,
+		logger:           logger,
+		hosts:            hosts.NewFile(hosts.DefaultPath),
+		dialer:           transportDialer,
+		preferGo:         options.PreferGo,
+	}, nil
+}
+
+func (t *Transport) Start(stage adapter.StartStage) error {
+	if stage != adapter.StartStateStart {
+		return nil
+	}
+	inboundManager := service.FromContext[adapter.InboundManager](t.ctx)
+	for _, inbound := range inboundManager.Inbounds() {
+		if inbound.Type() == C.TypeTun {
+			t.fallback = true
+			break
+		}
+	}
+	if !C.IsIos {
+		if t.fallback {
+			t.dhcpTransport = newDHCPTransport(t.TransportAdapter, log.ContextWithOverrideLevel(t.ctx, log.LevelDebug), t.dialer, t.logger)
+			if t.dhcpTransport != nil {
+				err := t.dhcpTransport.Start(stage)
+				if err != nil {
+					return err
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func (t *Transport) Close() error {
+	return common.Close(
+		t.dhcpTransport,
+	)
+}
+
+func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	question := message.Question[0]
+	domain := dns.FqdnToDomain(question.Name)
+	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
+		addresses := t.hosts.Lookup(domain)
+		if len(addresses) > 0 {
+			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
+		}
+	}
+	if !t.fallback {
+		return t.exchange(ctx, message, domain)
+	}
+	if !C.IsIos {
+		if t.dhcpTransport != nil {
+			dhcpTransports, _ := t.dhcpTransport.Fetch()
+			if len(dhcpTransports) > 0 {
+				return t.dhcpTransport.Exchange0(ctx, message, dhcpTransports)
+			}
+		}
+	}
+	if t.preferGo {
+		// Assuming the user knows what they are doing, we still execute the query which will fail.
+		return t.exchange(ctx, message, domain)
+	}
+	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
+		var network string
+		if question.Qtype == mDNS.TypeA {
+			network = "ip4"
+		} else {
+			network = "ip6"
+		}
+		addresses, err := t.resolver.LookupNetIP(ctx, network, domain)
+		if err != nil {
+			var dnsError *net.DNSError
+			if errors.As(err, &dnsError) && dnsError.IsNotFound {
+				return nil, dns.RcodeRefused
+			}
+			return nil, err
+		}
+		return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
+	}
+	if C.IsIos {
+		return nil, E.New("only A and AAAA queries are supported on iOS and tvOS when using NetworkExtension.")
+	} else {
+		return nil, E.New("only A and AAAA queries are supported on macOS when using NetworkExtension and DHCP unavailable.")
+	}
+}

dns/transport/local/local_darwin_dhcp.go

@@ -0,0 +1,16 @@
+//go:build darwin && with_dhcp
+
+package local
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/dns/transport/dhcp"
+	"github.com/sagernet/sing-box/log"
+	N "github.com/sagernet/sing/common/network"
+)
+
+func newDHCPTransport(transportAdapter dns.TransportAdapter, ctx context.Context, dialer N.Dialer, logger log.ContextLogger) dhcpTransport {
+	return dhcp.NewRawTransport(transportAdapter, ctx, dialer, logger)
+}

dns/transport/local/local_darwin_nodhcp.go

@@ -0,0 +1,15 @@
+//go:build darwin && !with_dhcp
+
+package local
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/log"
+	N "github.com/sagernet/sing/common/network"
+)
+
+func newDHCPTransport(transportAdapter dns.TransportAdapter, ctx context.Context, dialer N.Dialer, logger log.ContextLogger) dhcpTransport {
+	return nil
+}

dns/transport/local/local_fallback.go

@@ -1,205 +0,0 @@
-package local
-
-import (
-	"context"
-	"errors"
-	"net"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/experimental/libbox/platform"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/service"
-
-	mDNS "github.com/miekg/dns"
-)
-
-func RegisterTransport(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.LocalDNSServerOptions](registry, C.DNSTypeLocal, NewFallbackTransport)
-}
-
-type FallbackTransport struct {
-	adapter.DNSTransport
-	ctx      context.Context
-	fallback bool
-	resolver net.Resolver
-}
-
-func NewFallbackTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.LocalDNSServerOptions) (adapter.DNSTransport, error) {
-	transport, err := NewTransport(ctx, logger, tag, options)
-	if err != nil {
-		return nil, err
-	}
-	return &FallbackTransport{
-		DNSTransport: transport,
-		ctx:          ctx,
-	}, nil
-}
-
-func (f *FallbackTransport) Start(stage adapter.StartStage) error {
-	if stage != adapter.StartStateStart {
-		return nil
-	}
-	platformInterface := service.FromContext[platform.Interface](f.ctx)
-	if platformInterface == nil {
-		return nil
-	}
-	inboundManager := service.FromContext[adapter.InboundManager](f.ctx)
-	for _, inbound := range inboundManager.Inbounds() {
-		if inbound.Type() == C.TypeTun {
-			// platform tun hijacks DNS, so we can only use cgo resolver here
-			f.fallback = true
-			break
-		}
-	}
-	return nil
-}
-
-func (f *FallbackTransport) Close() error {
-	return nil
-}
-
-func (f *FallbackTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	if !f.fallback {
-		return f.DNSTransport.Exchange(ctx, message)
-	}
-	question := message.Question[0]
-	domain := dns.FqdnToDomain(question.Name)
-	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
-		var network string
-		if question.Qtype == mDNS.TypeA {
-			network = "ip4"
-		} else {
-			network = "ip6"
-		}
-		addresses, err := f.resolver.LookupNetIP(ctx, network, domain)
-		if err != nil {
-			var dnsError *net.DNSError
-			if errors.As(err, &dnsError) && dnsError.IsNotFound {
-				return nil, dns.RcodeRefused
-			}
-			return nil, err
-		}
-		return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
-	} else if question.Qtype == mDNS.TypeNS {
-		records, err := f.resolver.LookupNS(ctx, domain)
-		if err != nil {
-			var dnsError *net.DNSError
-			if errors.As(err, &dnsError) && dnsError.IsNotFound {
-				return nil, dns.RcodeRefused
-			}
-			return nil, err
-		}
-		response := &mDNS.Msg{
-			MsgHdr: mDNS.MsgHdr{
-				Id:       message.Id,
-				Rcode:    mDNS.RcodeSuccess,
-				Response: true,
-			},
-			Question: []mDNS.Question{question},
-		}
-		for _, record := range records {
-			response.Answer = append(response.Answer, &mDNS.NS{
-				Hdr: mDNS.RR_Header{
-					Name:   question.Name,
-					Rrtype: mDNS.TypeNS,
-					Class:  mDNS.ClassINET,
-					Ttl:    C.DefaultDNSTTL,
-				},
-				Ns: record.Host,
-			})
-		}
-		return response, nil
-	} else if question.Qtype == mDNS.TypeCNAME {
-		cname, err := f.resolver.LookupCNAME(ctx, domain)
-		if err != nil {
-			var dnsError *net.DNSError
-			if errors.As(err, &dnsError) && dnsError.IsNotFound {
-				return nil, dns.RcodeRefused
-			}
-			return nil, err
-		}
-		return &mDNS.Msg{
-			MsgHdr: mDNS.MsgHdr{
-				Id:       message.Id,
-				Rcode:    mDNS.RcodeSuccess,
-				Response: true,
-			},
-			Question: []mDNS.Question{question},
-			Answer: []mDNS.RR{
-				&mDNS.CNAME{
-					Hdr: mDNS.RR_Header{
-						Name:   question.Name,
-						Rrtype: mDNS.TypeCNAME,
-						Class:  mDNS.ClassINET,
-						Ttl:    C.DefaultDNSTTL,
-					},
-					Target: cname,
-				},
-			},
-		}, nil
-	} else if question.Qtype == mDNS.TypeTXT {
-		records, err := f.resolver.LookupTXT(ctx, domain)
-		if err != nil {
-			var dnsError *net.DNSError
-			if errors.As(err, &dnsError) && dnsError.IsNotFound {
-				return nil, dns.RcodeRefused
-			}
-			return nil, err
-		}
-		return &mDNS.Msg{
-			MsgHdr: mDNS.MsgHdr{
-				Id:       message.Id,
-				Rcode:    mDNS.RcodeSuccess,
-				Response: true,
-			},
-			Question: []mDNS.Question{question},
-			Answer: []mDNS.RR{
-				&mDNS.TXT{
-					Hdr: mDNS.RR_Header{
-						Name:   question.Name,
-						Rrtype: mDNS.TypeCNAME,
-						Class:  mDNS.ClassINET,
-						Ttl:    C.DefaultDNSTTL,
-					},
-					Txt: records,
-				},
-			},
-		}, nil
-	} else if question.Qtype == mDNS.TypeMX {
-		records, err := f.resolver.LookupMX(ctx, domain)
-		if err != nil {
-			var dnsError *net.DNSError
-			if errors.As(err, &dnsError) && dnsError.IsNotFound {
-				return nil, dns.RcodeRefused
-			}
-			return nil, err
-		}
-		response := &mDNS.Msg{
-			MsgHdr: mDNS.MsgHdr{
-				Id:       message.Id,
-				Rcode:    mDNS.RcodeSuccess,
-				Response: true,
-			},
-			Question: []mDNS.Question{question},
-		}
-		for _, record := range records {
-			response.Answer = append(response.Answer, &mDNS.MX{
-				Hdr: mDNS.RR_Header{
-					Name:   question.Name,
-					Rrtype: mDNS.TypeA,
-					Class:  mDNS.ClassINET,
-					Ttl:    C.DefaultDNSTTL,
-				},
-				Preference: record.Pref,
-				Mx:         record.Host,
-			})
-		}
-		return response, nil
-	} else {
-		return nil, E.New("only A, AAAA, NS, CNAME, TXT, MX queries are supported on current platform when using TUN, please switch to a fixed DNS server.")
-	}
-}

dns/transport/local/local_resolved.go

@@ -0,0 +1,14 @@
+package local
+
+import (
+	"context"
+
+	mDNS "github.com/miekg/dns"
+)
+
+type ResolvedResolver interface {
+	Start() error
+	Close() error
+	Object() any
+	Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
+}

dns/transport/local/local_resolved_linux.go

@@ -0,0 +1,230 @@
+package local
+
+import (
+	"context"
+	"errors"
+	"os"
+	"sync"
+	"sync/atomic"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/service/resolved"
+	"github.com/sagernet/sing-tun"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/control"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	"github.com/sagernet/sing/common/x/list"
+	"github.com/sagernet/sing/service"
+
+	"github.com/godbus/dbus/v5"
+	mDNS "github.com/miekg/dns"
+)
+
+type DBusResolvedResolver struct {
+	ctx               context.Context
+	logger            logger.ContextLogger
+	interfaceMonitor  tun.DefaultInterfaceMonitor
+	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
+	systemBus         *dbus.Conn
+	resoledObject     atomic.Pointer[ResolvedObject]
+	closeOnce         sync.Once
+}
+
+type ResolvedObject struct {
+	dbus.BusObject
+	InterfaceIndex int32
+}
+
+func NewResolvedResolver(ctx context.Context, logger logger.ContextLogger) (ResolvedResolver, error) {
+	interfaceMonitor := service.FromContext[adapter.NetworkManager](ctx).InterfaceMonitor()
+	if interfaceMonitor == nil {
+		return nil, os.ErrInvalid
+	}
+	systemBus, err := dbus.SystemBus()
+	if err != nil {
+		return nil, err
+	}
+	return &DBusResolvedResolver{
+		ctx:              ctx,
+		logger:           logger,
+		interfaceMonitor: interfaceMonitor,
+		systemBus:        systemBus,
+	}, nil
+}
+
+func (t *DBusResolvedResolver) Start() error {
+	t.updateStatus()
+	t.interfaceCallback = t.interfaceMonitor.RegisterCallback(t.updateDefaultInterface)
+	err := t.systemBus.BusObject().AddMatchSignal(
+		"org.freedesktop.DBus",
+		"NameOwnerChanged",
+		dbus.WithMatchSender("org.freedesktop.DBus"),
+		dbus.WithMatchArg(0, "org.freedesktop.resolve1.Manager"),
+	).Err
+	if err != nil {
+		return E.Cause(err, "configure resolved restart listener")
+	}
+	go t.loopUpdateStatus()
+	return nil
+}
+
+func (t *DBusResolvedResolver) Close() error {
+	t.closeOnce.Do(func() {
+		if t.interfaceCallback != nil {
+			t.interfaceMonitor.UnregisterCallback(t.interfaceCallback)
+		}
+		if t.systemBus != nil {
+			_ = t.systemBus.Close()
+		}
+	})
+	return nil
+}
+
+func (t *DBusResolvedResolver) Object() any {
+	return common.PtrOrNil(t.resoledObject.Load())
+}
+
+func (t *DBusResolvedResolver) Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	question := message.Question[0]
+	resolvedObject := object.(*ResolvedObject)
+	call := resolvedObject.CallWithContext(
+		ctx,
+		"org.freedesktop.resolve1.Manager.ResolveRecord",
+		0,
+		resolvedObject.InterfaceIndex,
+		question.Name,
+		question.Qclass,
+		question.Qtype,
+		uint64(0),
+	)
+	if call.Err != nil {
+		var dbusError dbus.Error
+		if errors.As(call.Err, &dbusError) && dbusError.Name == "org.freedesktop.resolve1.NoNameServers" {
+			t.updateStatus()
+		}
+		return nil, E.Cause(call.Err, " resolve record via resolved")
+	}
+	var (
+		records  []resolved.ResourceRecord
+		outflags uint64
+	)
+	err := call.Store(&records, &outflags)
+	if err != nil {
+		return nil, err
+	}
+	response := &mDNS.Msg{
+		MsgHdr: mDNS.MsgHdr{
+			Id:                 message.Id,
+			Response:           true,
+			Authoritative:      true,
+			RecursionDesired:   true,
+			RecursionAvailable: true,
+			Rcode:              mDNS.RcodeSuccess,
+		},
+		Question: []mDNS.Question{question},
+	}
+	for _, record := range records {
+		var rr mDNS.RR
+		rr, _, err = mDNS.UnpackRR(record.Data, 0)
+		if err != nil {
+			return nil, E.Cause(err, "unpack resource record")
+		}
+		response.Answer = append(response.Answer, rr)
+	}
+	return response, nil
+}
+
+func (t *DBusResolvedResolver) loopUpdateStatus() {
+	signalChan := make(chan *dbus.Signal, 1)
+	t.systemBus.Signal(signalChan)
+	for signal := range signalChan {
+		var restarted bool
+		if signal.Name == "org.freedesktop.DBus.NameOwnerChanged" {
+			if len(signal.Body) != 3 || signal.Body[2].(string) == "" {
+				continue
+			} else {
+				restarted = true
+			}
+		}
+		if restarted {
+			t.updateStatus()
+		}
+	}
+}
+
+func (t *DBusResolvedResolver) updateStatus() {
+	dbusObject, err := t.checkResolved(context.Background())
+	oldValue := t.resoledObject.Swap(dbusObject)
+	if err != nil {
+		var dbusErr dbus.Error
+		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwnerCould" {
+			t.logger.Debug(E.Cause(err, "systemd-resolved service unavailable"))
+		}
+		if oldValue != nil {
+			t.logger.Debug("systemd-resolved service is gone")
+		}
+		return
+	} else if oldValue == nil {
+		t.logger.Debug("using systemd-resolved service as resolver")
+	}
+}
+
+func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObject, error) {
+	dbusObject := t.systemBus.Object("org.freedesktop.resolve1", "/org/freedesktop/resolve1")
+	err := dbusObject.Call("org.freedesktop.DBus.Peer.Ping", 0).Err
+	if err != nil {
+		return nil, err
+	}
+	defaultInterface := t.interfaceMonitor.DefaultInterface()
+	if defaultInterface == nil {
+		return nil, E.New("missing default interface")
+	}
+	call := dbusObject.(*dbus.Object).CallWithContext(
+		ctx,
+		"org.freedesktop.resolve1.Manager.GetLink",
+		0,
+		int32(defaultInterface.Index),
+	)
+	if call.Err != nil {
+		return nil, err
+	}
+	var linkPath dbus.ObjectPath
+	err = call.Store(&linkPath)
+	if err != nil {
+		return nil, err
+	}
+	linkObject := t.systemBus.Object("org.freedesktop.resolve1", linkPath)
+	if linkObject == nil {
+		return nil, E.New("missing link object for default interface")
+	}
+	dnsProp, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
+	if err != nil {
+		return nil, err
+	}
+	var linkDNS []resolved.LinkDNS
+	err = dnsProp.Store(&linkDNS)
+	if err != nil {
+		return nil, err
+	}
+	if len(linkDNS) == 0 {
+		for _, inbound := range service.FromContext[adapter.InboundManager](t.ctx).Inbounds() {
+			if inbound.Type() == C.TypeTun {
+				return nil, E.New("No appropriate name servers or networks for name found")
+			}
+		}
+		return &ResolvedObject{
+			BusObject: dbusObject,
+		}, nil
+	} else {
+		return &ResolvedObject{
+			BusObject:      dbusObject,
+			InterfaceIndex: int32(defaultInterface.Index),
+		}, nil
+	}
+}
+
+func (t *DBusResolvedResolver) updateDefaultInterface(defaultInterface *control.Interface, flags int) {
+	t.updateStatus()
+}

dns/transport/local/local_resolved_stub.go

@@ -0,0 +1,14 @@
+//go:build !linux
+
+package local
+
+import (
+	"context"
+	"os"
+
+	"github.com/sagernet/sing/common/logger"
+)
+
+func NewResolvedResolver(ctx context.Context, logger logger.ContextLogger) (ResolvedResolver, error) {
+	return nil, os.ErrInvalid
+}

dns/transport/local/local_shared.go

@@ -0,0 +1,163 @@
+package local
+
+import (
+	"context"
+	"fmt"
+	"math/rand"
+	"time"
+
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+
+	mDNS "github.com/miekg/dns"
+)
+
+func (t *Transport) exchange(ctx context.Context, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
+	systemConfig := getSystemDNSConfig(t.ctx)
+	fmt.Println(systemConfig.servers)
+	if systemConfig.singleRequest || !(message.Question[0].Qtype == mDNS.TypeA || message.Question[0].Qtype == mDNS.TypeAAAA) {
+		return t.exchangeSingleRequest(ctx, systemConfig, message, domain)
+	} else {
+		return t.exchangeParallel(ctx, systemConfig, message, domain)
+	}
+}
+
+func (t *Transport) exchangeSingleRequest(ctx context.Context, systemConfig *dnsConfig, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
+	var lastErr error
+	for _, fqdn := range systemConfig.nameList(domain) {
+		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
+		if err != nil {
+			lastErr = err
+			continue
+		}
+		return response, nil
+	}
+	return nil, lastErr
+}
+
+func (t *Transport) exchangeParallel(ctx context.Context, systemConfig *dnsConfig, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
+	returned := make(chan struct{})
+	defer close(returned)
+	type queryResult struct {
+		response *mDNS.Msg
+		err      error
+	}
+	results := make(chan queryResult)
+	startRacer := func(ctx context.Context, fqdn string) {
+		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
+		if err == nil {
+			if response.Rcode != mDNS.RcodeSuccess {
+				err = dns.RcodeError(response.Rcode)
+			} else if len(dns.MessageToAddresses(response)) == 0 {
+				err = E.New(fqdn, ": empty result")
+			}
+		}
+		select {
+		case results <- queryResult{response, err}:
+		case <-returned:
+		}
+	}
+	queryCtx, queryCancel := context.WithCancel(ctx)
+	defer queryCancel()
+	var nameCount int
+	for _, fqdn := range systemConfig.nameList(domain) {
+		nameCount++
+		go startRacer(queryCtx, fqdn)
+	}
+	var errors []error
+	for {
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case result := <-results:
+			if result.err == nil {
+				return result.response, nil
+			}
+			errors = append(errors, result.err)
+			if len(errors) == nameCount {
+				return nil, E.Errors(errors...)
+			}
+		}
+	}
+}
+
+func (t *Transport) tryOneName(ctx context.Context, config *dnsConfig, fqdn string, message *mDNS.Msg) (*mDNS.Msg, error) {
+	serverOffset := config.serverOffset()
+	sLen := uint32(len(config.servers))
+	var lastErr error
+	for i := 0; i < config.attempts; i++ {
+		for j := uint32(0); j < sLen; j++ {
+			server := config.servers[(serverOffset+j)%sLen]
+			question := message.Question[0]
+			question.Name = fqdn
+			response, err := t.exchangeOne(ctx, M.ParseSocksaddr(server), question, config.timeout, config.useTCP, config.trustAD)
+			if err != nil {
+				lastErr = err
+				continue
+			}
+			return response, nil
+		}
+	}
+	return nil, E.Cause(lastErr, fqdn)
+}
+
+func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, question mDNS.Question, timeout time.Duration, useTCP, ad bool) (*mDNS.Msg, error) {
+	if server.Port == 0 {
+		server.Port = 53
+	}
+	var networks []string
+	if useTCP {
+		networks = []string{N.NetworkTCP}
+	} else {
+		networks = []string{N.NetworkUDP, N.NetworkTCP}
+	}
+	request := &mDNS.Msg{
+		MsgHdr: mDNS.MsgHdr{
+			Id:                uint16(rand.Uint32()),
+			RecursionDesired:  true,
+			AuthenticatedData: ad,
+		},
+		Question: []mDNS.Question{question},
+		Compress: true,
+	}
+	request.SetEdns0(buf.UDPBufferSize, false)
+	buffer := buf.Get(buf.UDPBufferSize)
+	defer buf.Put(buffer)
+	for _, network := range networks {
+		ctx, cancel := context.WithDeadline(ctx, time.Now().Add(timeout))
+		defer cancel()
+		conn, err := t.dialer.DialContext(ctx, network, server)
+		if err != nil {
+			return nil, err
+		}
+		defer conn.Close()
+		if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
+			conn.SetDeadline(deadline)
+		}
+		rawMessage, err := request.PackBuffer(buffer)
+		if err != nil {
+			return nil, E.Cause(err, "pack request")
+		}
+		_, err = conn.Write(rawMessage)
+		if err != nil {
+			return nil, E.Cause(err, "write request")
+		}
+		n, err := conn.Read(buffer)
+		if err != nil {
+			return nil, E.Cause(err, "read response")
+		}
+		var response mDNS.Msg
+		err = response.Unpack(buffer[:n])
+		if err != nil {
+			return nil, E.Cause(err, "unpack response")
+		}
+		if response.Truncated && network == N.NetworkUDP {
+			continue
+		}
+		return &response, nil
+	}
+	panic("unexpected")
+}

dns/transport/local/resolv.go

@@ -10,11 +10,6 @@ import (
 	"time"
 )
 
-const (
-	// net.maxDNSPacketSize
-	maxDNSPacketSize = 1232
-)
-
 type resolverConfig struct {
 	initOnce    sync.Once
 	ch          chan struct{}
@@ -104,7 +99,7 @@ func (c *dnsConfig) serverOffset() uint32 {
 	return 0
 }
 
-func (conf *dnsConfig) nameList(name string) []string {
+func (c *dnsConfig) nameList(name string) []string {
 	l := len(name)
 	rooted := l > 0 && name[l-1] == '.'
 	if l > 254 || l == 254 && !rooted {
@@ -118,15 +113,15 @@ func (conf *dnsConfig) nameList(name string) []string {
 		return []string{name}
 	}
 
-	hasNdots := strings.Count(name, ".") >= conf.ndots
+	hasNdots := strings.Count(name, ".") >= c.ndots
 	name += "."
 	// l++
 
-	names := make([]string, 0, 1+len(conf.search))
+	names := make([]string, 0, 1+len(c.search))
 	if hasNdots && !avoidDNS(name) {
 		names = append(names, name)
 	}
-	for _, suffix := range conf.search {
+	for _, suffix := range c.search {
 		fqdn := name + suffix
 		if !avoidDNS(fqdn) && len(fqdn) <= 254 {
 			names = append(names, fqdn)

dns/transport/local/resolv_darwin_cgo.go

@@ -1,55 +0,0 @@
-//go:build darwin && cgo
-
-package local
-
-/*
-#include <stdlib.h>
-#include <stdio.h>
-#include <resolv.h>
-#include <arpa/inet.h>
-*/
-import "C"
-
-import (
-	"context"
-	"time"
-
-	E "github.com/sagernet/sing/common/exceptions"
-
-	"github.com/miekg/dns"
-)
-
-func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
-	var state C.struct___res_state
-	if C.res_ninit(&state) != 0 {
-		return &dnsConfig{
-			servers:  defaultNS,
-			search:   dnsDefaultSearch(),
-			ndots:    1,
-			timeout:  5 * time.Second,
-			attempts: 2,
-			err:      E.New("libresolv initialization failed"),
-		}
-	}
-	conf := &dnsConfig{
-		ndots:    1,
-		timeout:  5 * time.Second,
-		attempts: int(state.retry),
-	}
-	for i := 0; i < int(state.nscount); i++ {
-		ns := state.nsaddr_list[i]
-		addr := C.inet_ntoa(ns.sin_addr)
-		if addr == nil {
-			continue
-		}
-		conf.servers = append(conf.servers, C.GoString(addr))
-	}
-	for i := 0; ; i++ {
-		search := state.dnsrch[i]
-		if search == nil {
-			break
-		}
-		conf.search = append(conf.search, dns.Fqdn(C.GoString(search)))
-	}
-	return conf
-}

dns/transport/local/resolv_unix.go

@@ -1,4 +1,4 @@
-//go:build !windows && !(darwin && cgo)
+//go:build !windows
 
 package local
 

dns/transport/quic/http3.go

@@ -51,11 +51,11 @@ func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options
 	}
 	tlsOptions := common.PtrValueOrDefault(options.TLS)
 	tlsOptions.Enabled = true
-	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
+	tlsConfig, err := tls.NewClient(ctx, logger, options.Server, tlsOptions)
 	if err != nil {
 		return nil, err
 	}
-	stdConfig, err := tlsConfig.Config()
+	stdConfig, err := tlsConfig.STDConfig()
 	if err != nil {
 		return nil, err
 	}

dns/transport/quic/quic.go

@@ -48,7 +48,7 @@ func NewQUIC(ctx context.Context, logger log.ContextLogger, tag string, options
 	}
 	tlsOptions := common.PtrValueOrDefault(options.TLS)
 	tlsOptions.Enabled = true
-	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
+	tlsConfig, err := tls.NewClient(ctx, logger, options.Server, tlsOptions)
 	if err != nil {
 		return nil, err
 	}

dns/transport/tls.go

@@ -30,7 +30,7 @@ func RegisterTLS(registry *dns.TransportRegistry) {
 type TLSTransport struct {
 	dns.TransportAdapter
 	logger      logger.ContextLogger
-	dialer      N.Dialer
+	dialer      tls.Dialer
 	serverAddr  M.Socksaddr
 	tlsConfig   tls.Config
 	access      sync.Mutex
@@ -49,7 +49,7 @@ func NewTLS(ctx context.Context, logger log.ContextLogger, tag string, options o
 	}
 	tlsOptions := common.PtrValueOrDefault(options.TLS)
 	tlsOptions.Enabled = true
-	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
+	tlsConfig, err := tls.NewClient(ctx, logger, options.Server, tlsOptions)
 	if err != nil {
 		return nil, err
 	}
@@ -67,7 +67,7 @@ func NewTLSRaw(logger logger.ContextLogger, adapter dns.TransportAdapter, dialer
 	return &TLSTransport{
 		TransportAdapter: adapter,
 		logger:           logger,
-		dialer:           dialer,
+		dialer:           tls.NewDialer(dialer, tlsConfig),
 		serverAddr:       serverAddr,
 		tlsConfig:        tlsConfig,
 	}
@@ -100,15 +100,10 @@ func (t *TLSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.M
 			return response, nil
 		}
 	}
-	tcpConn, err := t.dialer.DialContext(ctx, N.NetworkTCP, t.serverAddr)
+	tlsConn, err := t.dialer.DialTLSContext(ctx, t.serverAddr)
 	if err != nil {
 		return nil, err
 	}
-	tlsConn, err := tls.ClientHandshake(ctx, tcpConn, t.tlsConfig)
-	if err != nil {
-		tcpConn.Close()
-		return nil, err
-	}
 	return t.exchange(message, &tlsDNSConn{Conn: tlsConn})
 }
 

dns/transport_manager.go

@@ -30,7 +30,7 @@ type TransportManager struct {
 	transportByTag           map[string]adapter.DNSTransport
 	dependByTag              map[string][]string
 	defaultTransport         adapter.DNSTransport
-	defaultTransportFallback adapter.DNSTransport
+	defaultTransportFallback func() (adapter.DNSTransport, error)
 	fakeIPTransport          adapter.FakeIPTransport
 }
 
@@ -45,7 +45,7 @@ func NewTransportManager(logger logger.ContextLogger, registry adapter.DNSTransp
 	}
 }
 
-func (m *TransportManager) Initialize(defaultTransportFallback adapter.DNSTransport) {
+func (m *TransportManager) Initialize(defaultTransportFallback func() (adapter.DNSTransport, error)) {
 	m.defaultTransportFallback = defaultTransportFallback
 }
 
@@ -56,14 +56,27 @@ func (m *TransportManager) Start(stage adapter.StartStage) error {
 	}
 	m.started = true
 	m.stage = stage
-	transports := m.transports
-	m.access.Unlock()
 	if stage == adapter.StartStateStart {
 		if m.defaultTag != "" && m.defaultTransport == nil {
+			m.access.Unlock()
 			return E.New("default DNS server not found: ", m.defaultTag)
 		}
-		return m.startTransports(m.transports)
+		if m.defaultTransport == nil {
+			defaultTransport, err := m.defaultTransportFallback()
+			if err != nil {
+				m.access.Unlock()
+				return E.Cause(err, "default DNS server fallback")
+			}
+			m.transports = append(m.transports, defaultTransport)
+			m.transportByTag[defaultTransport.Tag()] = defaultTransport
+			m.defaultTransport = defaultTransport
+		}
+		transports := m.transports
+		m.access.Unlock()
+		return m.startTransports(transports)
 	} else {
+		transports := m.transports
+		m.access.Unlock()
 		for _, outbound := range transports {
 			err := adapter.LegacyStart(outbound, stage)
 			if err != nil {
@@ -172,11 +185,7 @@ func (m *TransportManager) Transport(tag string) (adapter.DNSTransport, bool) {
 func (m *TransportManager) Default() adapter.DNSTransport {
 	m.access.RLock()
 	defer m.access.RUnlock()
-	if m.defaultTransport != nil {
-		return m.defaultTransport
-	} else {
-		return m.defaultTransportFallback
-	}
+	return m.defaultTransport
 }
 
 func (m *TransportManager) FakeIP() adapter.FakeIPTransport {

docs/changelog.md

@@ -2,11 +2,107 @@
 icon: material/alert-decagram
 ---
 
+#### 1.13.0-alpha.10
+
+* Improve kTLS support **1**
+* Fixes and improvements
+
+**1**:
+
+kTLS is now compatible with custom TLS implementations other than uTLS.
+
+See [TLS](/configuration/shared/tls/).
+
+#### 1.13.0-alpha.9
+
+* Add kTLS support **1**
+* Fixes and improvements
+
+**1**:
+
+See [TLS](/configuration/shared/tls/).
+
+#### 1.12.4
+
+* Fixes and improvements
+
+#### 1.13.0-alpha.7
+
+* Add reject support for ICMP echo supports **1**
+* Fixes and improvements
+
+**1**:
+
+You can now reject, drop, or directly reply to ICMP echo (ping) requests using `reject` Route Action.
+
+See [Route Action](/configuration/route/rule_action/#reject).
+
+#### 1.13.0-alpha.6
+
+* Add proxy support for ICMP echo requests **1**
+* Fixes and improvements
+
+**1**:
+
+You can now match ICMP echo (ping) requests using the new `icmp` network in routing rules.
+
+Such traffic originates from `TUN`, `WireGuard`, and `Tailscale` inbounds and can be routed to `Direct`, `WireGuard`, and `Tailscale` outbounds.
+
+See [Route Rule](/configuration/route/rule/#network).
+
+#### 1.12.3
+
+* Fixes and improvements
+
+#### 1.13.0-alpha.4
+
+* Fixes and improvements
+
+#### 1.12.2
+
+* Fixes and improvements
+
+#### 1.13.0-alpha.3
+
+* Improve `local` DNS server **1**
+* Fixes and improvements
+
+**1**:
+
+On Apple platforms, Windows, and Linux (when using systemd-resolved), 
+`local` DNS server now works with Tun inbound which overrides system DNS servers.
+
+See [Local DNS Server](/configuration/dns/server/local/).
+
+#### 1.13.0-alpha.2
+
+* Add `preferred_by` rule item **1**
+* Fixes and improvements
+
+**1**:
+
+The new `preferred_by` routing rule item allows you to
+match preferred domains and addresses for specific outbounds.
+
+See [Route Rule](/configuration/route/rule/#preferred_by).
+
+#### 1.13.0-alpha.1
+
+* Add interface address rule items **1**
+* Fixes and improvements
+
+**1**:
+
+New interface address rules allow you to dynamically adjust rules based on your network environment.
+
+See [Route Rule](/configuration/route/rule/), [DNS Route Rule](/configuration/dns/rule/)
+and [Headless Rule](/configuration/rule-set/headless-rule/).
+
 #### 1.12.1
 
 * Fixes and improvements
 
-#### 1.12.0
+### 1.12.0
 
 * Refactor DNS servers **1**
 * Add domain resolver options**2**
@@ -157,7 +253,7 @@ We continue to experience issues updating our sing-box apps on the App Store and
 Until we rewrite and resubmit the apps, they are considered irrecoverable. 
 Therefore, after this release, we will not be repeating this notice unless there is new information.
 
-### 1.11.15
+#### 1.11.15
 
 * Fixes and improvements
 
@@ -173,7 +269,7 @@ violated the rules (TestFlight users are not affected)._
 
 We have significantly improved the performance of tun inbound on Apple platforms, especially in the gVisor stack.
 
-### 1.11.14
+#### 1.11.14
 
 * Fixes and improvements
 
@@ -223,7 +319,7 @@ You can now choose what the DERP home page shows, just like with derper's `-home
 
 See [DERP](/configuration/service/derp/#home).
 
-### 1.11.13
+#### 1.11.13
 
 * Fixes and improvements
 
@@ -261,7 +357,7 @@ SSM API service is a RESTful API server for managing Shadowsocks servers.
 
 See [SSM API Service](/configuration/service/ssm-api/).
 
-### 1.11.11
+#### 1.11.11
 
 * Fixes and improvements
 
@@ -293,7 +389,7 @@ You can now set `bind_interface`, `routing_mark` and `reuse_addr` in Listen Fiel
 
 See [Listen Fields](/configuration/shared/listen/).
 
-### 1.11.10
+#### 1.11.10
 
 * Undeprecate the `block` outbound **1**
 * Fixes and improvements
@@ -311,7 +407,7 @@ violated the rules (TestFlight users are not affected)._
 * Update quic-go to v0.51.0
 * Fixes and improvements
 
-### 1.11.9
+#### 1.11.9
 
 * Fixes and improvements
 
@@ -322,7 +418,7 @@ violated the rules (TestFlight users are not affected)._
 
 * Fixes and improvements
 
-### 1.11.8
+#### 1.11.8
 
 * Improve `auto_redirect` **1**
 * Fixes and improvements
@@ -339,7 +435,7 @@ violated the rules (TestFlight users are not affected)._
 
 * Fixes and improvements
 
-### 1.11.7
+#### 1.11.7
 
 * Fixes and improvements
 
@@ -355,7 +451,7 @@ violated the rules (TestFlight users are not affected)._
 Now `auto_redirect` fixes compatibility issues between tun and Docker bridge networks,
 see [Tun](/configuration/inbound/tun/#auto_redirect).
 
-### 1.11.6
+#### 1.11.6
 
 * Fixes and improvements
 
@@ -396,7 +492,7 @@ See [Protocol Sniff](/configuration/route/sniff/).
 
 See [Dial Fields](/configuration/shared/dial/#domain_resolver).
 
-### 1.11.5
+#### 1.11.5
 
 * Fixes and improvements
 
@@ -412,7 +508,7 @@ violated the rules (TestFlight users are not affected)._
 
 See [DNS Rule Action](/configuration/dns/rule_action/#predefined).
 
-### 1.11.4
+#### 1.11.4
 
 * Fixes and improvements
 
@@ -468,7 +564,7 @@ Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to co
 
 For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go).
 
-### 1.11.3
+#### 1.11.3
 
 * Fixes and improvements
 
@@ -479,7 +575,7 @@ process._
 
 * Fixes and improvements
 
-### 1.11.1
+#### 1.11.1
 
 * Fixes and improvements
 
@@ -658,7 +754,7 @@ See [Hysteria2](/configuration/outbound/hysteria2/).
 
 When `up_mbps` and `down_mbps` are set, `ignore_client_bandwidth` instead denies clients from using BBR CC.
 
-### 1.10.7
+#### 1.10.7
 
 * Fixes and improvements
 
@@ -753,7 +849,7 @@ and the old outbound will be removed in sing-box 1.13.0.
 See [Endpoint](/configuration/endpoint/), [WireGuard Endpoint](/configuration/endpoint/wireguard/)
 and [Migrate WireGuard outbound fields to route options](/migration/#migrate-wireguard-outbound-to-endpoint).
 
-### 1.10.2
+#### 1.10.2
 
 * Add deprecated warnings
 * Fix proxying websocket connections in HTTP/mixed inbounds
@@ -890,7 +986,7 @@ See [Rule Action](/configuration/route/rule_action/).
 * Update quic-go to v0.48.0
 * Fixes and improvements
 
-### 1.10.1
+#### 1.10.1
 
 * Fixes and improvements
 

docs/configuration/dns/rule.md

@@ -2,6 +2,12 @@
 icon: material/alert-decagram
 ---
 
+!!! quote "Changes in sing-box 1.13.0"
+
+    :material-plus: [interface_address](#interface_address)  
+    :material-plus: [network_interface_address](#network_interface_address)  
+    :material-plus: [default_interface_address](#default_interface_address)
+
 !!! quote "Changes in sing-box 1.12.0"
 
     :material-plus: [ip_accept_any](#ip_accept_any)  
@@ -130,6 +136,19 @@ icon: material/alert-decagram
         ],
         "network_is_expensive": false,
         "network_is_constrained": false,
+        "interface_address": {
+          "en0": [
+            "2000::/3"
+          ]
+        },
+        "network_interface_address": {
+          "wifi": [
+            "2000::/3"
+          ]
+        },
+        "default_interface_address": [
+          "2000::/3"
+        ],
         "wifi_ssid": [
           "My WIFI"
         ],
@@ -359,6 +378,36 @@ such as Cellular or a Personal Hotspot (on Apple platforms).
 
 Match if network is in Low Data Mode.
 
+#### interface_address
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+    Only supported on Linux, Windows, and macOS.
+
+Match interface address.
+
+#### network_interface_address
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and Apple platforms.
+
+Matches network interface (same values as `network_type`) address.
+
+#### default_interface_address
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+    Only supported on Linux, Windows, and macOS.
+
+Match default interface address.
+
 #### wifi_ssid
 
 !!! quote ""

docs/configuration/dns/rule.zh.md

@@ -2,6 +2,12 @@
 icon: material/alert-decagram
 ---
 
+!!! quote "sing-box 1.13.0 中的更改"
+
+    :material-plus: [interface_address](#interface_address)  
+    :material-plus: [network_interface_address](#network_interface_address)  
+    :material-plus: [default_interface_address](#default_interface_address)
+
 !!! quote "sing-box 1.12.0 中的更改"
 
     :material-plus: [ip_accept_any](#ip_accept_any)  
@@ -130,6 +136,19 @@ icon: material/alert-decagram
         ],
         "network_is_expensive": false,
         "network_is_constrained": false,
+        "interface_address": {
+          "en0": [
+            "2000::/3"
+          ]
+        },
+        "network_interface_address": {
+          "wifi": [
+            "2000::/3"
+          ]
+        },
+        "default_interface_address": [
+          "2000::/3"
+        ],
         "wifi_ssid": [
           "My WIFI"
         ],
@@ -358,6 +377,36 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 匹配如果网络在低数据模式下。
 
+#### interface_address
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、Windows 和 macOS.
+
+匹配接口地址。
+
+#### network_interface_address
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+    仅在 Android 与 Apple 平台图形客户端中支持。
+
+匹配网络接口（可用值同 `network_type`）地址。
+
+#### default_interface_address
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、Windows 和 macOS.
+
+匹配默认接口地址。
+
 #### wifi_ssid
 
 !!! quote ""

docs/configuration/dns/server/local.md

@@ -2,6 +2,10 @@
 icon: material/new-box
 ---
 
+!!! quote "Changes in sing-box 1.13.0"
+
+    :material-plus: [prefer_go](#prefer_go)  
+
 !!! question "Since sing-box 1.12.0"
 
 # Local
@@ -15,6 +19,7 @@ icon: material/new-box
       {
         "type": "local",
         "tag": "",
+        "prefer_go": false
 
         // Dial Fields
       }
@@ -24,10 +29,33 @@ icon: material/new-box
 ```
 
 !!! info "Difference from legacy local server"
-    
+
     * The old legacy local server only handles IP requests; the new one handles all types of requests and supports concurrent for IP requests.
     * The old local server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
 
+### Fields
+
+#### prefer_go
+
+!!! question "Since sing-box 1.13.0"
+
+When enabled, `local` DNS server will resolve DNS by dialing itself whenever possible.
+
+Specifically, it disables following behaviors which was added as features in sing-box 1.13.0:
+
+1. On Apple platforms: Attempt to resolve A/AAAA requests using `getaddrinfo` in NetworkExtension.
+2. On Linux: Resolve through `systemd-resolvd`'s DBus interface when available.
+
+As a sole exception, it cannot disable the following behavior:
+
+1. In the Android graphical client,
+`local` will always resolve DNS through the platform interface,
+as there is no other way to obtain upstream DNS servers;
+On devices running Android versions lower than 10, this interface can only resolve A/AAAA requests.
+
+2. On macOS, `local` will try DHCP first in Network Extension, since DHCP respects DIal Fields,
+it will not be disabled by `prefer_go`.
+
 ### Dial Fields
 
 See [Dial Fields](/configuration/shared/dial/) for details.

docs/configuration/endpoint/index.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! question "Since sing-box 1.11.0"
 
 # Endpoint

docs/configuration/endpoint/index.zh.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! question "自 sing-box 1.11.0 起"
 
 # 端点

docs/configuration/endpoint/wireguard.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! question "Since sing-box 1.11.0"
 
 ### Structure

docs/configuration/endpoint/wireguard.zh.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! question "自 sing-box 1.11.0 起"
 
 ### 结构
@@ -61,7 +57,7 @@ WireGuard MTU。
 
 ==必填==
 
-接口的 IPv4/IPv6 地址或地址段的列表您。
+接口的 IPv4/IPv6 地址或地址段的列表。
 
 要分配给接口的 IP（v4 或 v6）地址段列表。
 

docs/configuration/outbound/hysteria2.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! quote "Changes in sing-box 1.11.0"
 
     :material-plus: [server_ports](#server_ports)  

docs/configuration/outbound/hysteria2.zh.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! quote "sing-box 1.11.0 中的更改"
 
     :material-plus: [server_ports](#server_ports)  

docs/configuration/outbound/wireguard.zh.md

@@ -88,7 +88,7 @@ icon: material/delete-clock
 
 ==必填==
 
-接口的 IPv4/IPv6 地址或地址段的列表您。
+接口的 IPv4/IPv6 地址或地址段的列表。
 
 要分配给接口的 IP（v4 或 v6）地址段列表。
 

docs/configuration/route/rule.md

@@ -2,6 +2,14 @@
 icon: material/new-box
 ---
 
+!!! quote "Changes in sing-box 1.13.0"
+
+    :material-plus: [interface_address](#interface_address)  
+    :material-plus: [network_interface_address](#network_interface_address)  
+    :material-plus: [default_interface_address](#default_interface_address)  
+    :material-plus: [preferred_by](#preferred_by)  
+    :material-alert: [network](#network)
+
 !!! quote "Changes in sing-box 1.11.0"
 
     :material-plus: [action](#action)  
@@ -128,12 +136,29 @@ icon: material/new-box
         ],
         "network_is_expensive": false,
         "network_is_constrained": false,
+        "interface_address": {
+          "en0": [
+            "2000::/3"
+          ]
+        },
+        "network_interface_address": {
+          "wifi": [
+            "2000::/3"
+          ]
+        },
+        "default_interface_address": [
+          "2000::/3"
+        ],
         "wifi_ssid": [
           "My WIFI"
         ],
         "wifi_bssid": [
           "00:00:00:00:00:00"
         ],
+        "preferred_by": [
+          "tailscale",
+          "wireguard"
+        ],
         "rule_set": [
           "geoip-cn",
           "geosite-cn"
@@ -202,7 +227,15 @@ Sniffed client type, see [Protocol Sniff](/configuration/route/sniff/) for detai
 
 #### network
 
-`tcp` or `udp`.
+!!! quote "Changes in sing-box 1.13.0"
+
+    Since sing-box 1.13.0, you can match ICMP echo (ping) requests via the new `icmp` network.
+    
+    Such traffic originates from `TUN`, `WireGuard`, and `Tailscale` inbounds and can be routed to `Direct`, `WireGuard`, and `Tailscale` outbounds.
+
+Match network type.
+
+`tcp`, `udp` or `icmp`.
 
 #### domain
 
@@ -363,6 +396,36 @@ such as Cellular or a Personal Hotspot (on Apple platforms).
 
 Match if network is in Low Data Mode.
 
+#### interface_address
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+    Only supported on Linux, Windows, and macOS.
+
+Match interface address.
+
+#### network_interface_address
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and Apple platforms.
+
+Matches network interface (same values as `network_type`) address.
+
+#### default_interface_address
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+    Only supported on Linux, Windows, and macOS.
+
+Match default interface address.
+
 #### wifi_ssid
 
 !!! quote ""
@@ -379,6 +442,17 @@ Match WiFi SSID.
 
 Match WiFi BSSID.
 
+#### preferred_by
+
+!!! question "Since sing-box 1.13.0"
+
+Match specified outbounds' preferred routes.
+
+| Type        | Match                                         |
+|-------------|-----------------------------------------------|
+| `tailscale` | Match MagicDNS domains and peers' allowed IPs |
+| `wireguard` | Match peers's allowed IPs                     |
+
 #### rule_set
 
 !!! question "Since sing-box 1.8.0"

docs/configuration/route/rule.zh.md

@@ -2,6 +2,14 @@
 icon: material/new-box
 ---
 
+!!! quote "sing-box 1.13.0 中的更改"
+
+    :material-plus: [interface_address](#interface_address)  
+    :material-plus: [network_interface_address](#network_interface_address)  
+    :material-plus: [default_interface_address](#default_interface_address)  
+    :material-plus: [preferred_by](#preferred_by)  
+    :material-alert: [network](#network)
+
 !!! quote "sing-box 1.11.0 中的更改"
 
     :material-plus: [action](#action)  
@@ -125,12 +133,29 @@ icon: material/new-box
         ],
         "network_is_expensive": false,
         "network_is_constrained": false,
+        "interface_address": {
+          "en0": [
+            "2000::/3"
+          ]
+        },
+        "network_interface_address": {
+          "wifi": [
+            "2000::/3"
+          ]
+        },
+        "default_interface_address": [
+          "2000::/3"
+        ],
         "wifi_ssid": [
           "My WIFI"
         ],
         "wifi_bssid": [
           "00:00:00:00:00:00"
         ],
+        "preferred_by": [
+          "tailscale",
+          "wireguard"
+        ],
         "rule_set": [
           "geoip-cn",
           "geosite-cn"
@@ -199,7 +224,15 @@ icon: material/new-box
 
 #### network
 
-`tcp` 或 `udp`。
+!!! quote "sing-box 1.13.0 中的更改"
+
+    自 sing-box 1.13.0 起，您可以通过新的 `icmp` 网络匹配 ICMP 回显（ping）请求。
+
+    此类流量源自 `TUN`、`WireGuard` 和 `Tailscale` 入站，并可路由至 `Direct`、`WireGuard` 和 `Tailscale` 出站。
+
+匹配网络类型。
+
+`tcp`、`udp` 或 `icmp`。
 
 #### domain
 
@@ -337,7 +370,7 @@ icon: material/new-box
 
 匹配网络类型。
 
-Available values: `wifi`, `cellular`, `ethernet` and `other`.
+可用值: `wifi`, `cellular`, `ethernet` and `other`.
 
 #### network_is_expensive
 
@@ -360,6 +393,36 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 匹配如果网络在低数据模式下。
 
+#### interface_address
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、Windows 和 macOS.
+
+匹配接口地址。
+
+#### network_interface_address
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+    仅在 Android 与 Apple 平台图形客户端中支持。
+
+匹配网络接口（可用值同 `network_type`）地址。
+
+#### default_interface_address
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、Windows 和 macOS.
+
+匹配默认接口地址。
+
 #### wifi_ssid
 
 !!! quote ""
@@ -376,6 +439,17 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 匹配 WiFi BSSID。
 
+#### preferred_by
+
+!!! question "自 sing-box 1.13.0 起"
+
+匹配制定出站的首选路由。
+
+| 类型          | 匹配                             |
+|-------------|--------------------------------|
+| `tailscale` | 匹配 MagicDNS 域名和对端的 allowed IPs |
+| `wireguard` | 匹配对端的 allowed IPs              |
+
 #### rule_set
 
 !!! question "自 sing-box 1.8.0 起"

docs/configuration/route/rule_action.md

@@ -2,6 +2,10 @@
 icon: material/new-box
 ---
 
+!!! quote "Changes in sing-box 1.13.0"
+
+    :material-alert: [reject](#reject)
+
 !!! quote "Changes in sing-box 1.12.0"
 
     :material-plus: [tls_fragment](#tls_fragment)  
@@ -42,6 +46,10 @@ See `route-options` fields below.
 
 ### reject
 
+!!! quote "Changes in sing-box 1.13.0"
+
+    Since sing-box 1.13.0, you can reject (or directly reply to) ICMP echo (ping) requests using `reject` action.
+
 ```json
 {
   "action": "reject",
@@ -58,9 +66,17 @@ For non-tun connections and already established connections, will just be closed
 
 #### method
 
+For TCP and UDP connections:
+
 - `default`: Reply with TCP RST for TCP connections, and ICMP port unreachable for UDP packets.
 - `drop`: Drop packets.
 
+For ICMP echo requests:
+
+- `default`: Reply with ICMP host unreachable.
+- `drop`: Drop packets.
+- `reply`: Reply with ICMP echo reply.
+
 #### no_drop
 
 If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.