Revert "chore: update quic-go to 0.36.0"

This reverts commit 2284acce94.
chore: better resolv.conf parsing
2023-06-29 14:25:25 +08:00 · 2023-06-29 14:25:25 +08:00 · 2023-06-29 14:25:25 +08:00 · 2023-06-29 14:25:25 +08:00 · 2023-06-29 14:25:25 +08:00 · 2023-06-29 14:25:25 +08:00
148 changed files with 1998 additions and 4881 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,82 @@
 name: Bug report
 description: Create a report to help us improve
 title: "[Bug] "
 body:
  - type: checkboxes
    id: ensure
    attributes:
      label: Verify steps
      description: "
 在提交之前，请确认
 Please verify that you've followed these steps
 "
      options:
        - label: "
 确保你使用的是**本仓库**最新的的 clash 或 clash Alpha 版本
 Ensure you are using the latest version of Clash or Clash Premium from **this repository**.
 "
          required: true
        - label: "
 如果你可以自己 debug 并解决的话，提交 PR 吧
 Is this something you can **debug and fix**? Send a pull request! Bug fixes and documentation fixes are welcome.
 "
          required: false
        - label: "
 我已经在 [Issue Tracker](……/) 中找过我要提出的问题
 I have searched on the [issue tracker](……/) for a related issue.
 "
          required: true
        - label: "
 我已经使用 Alpha 分支版本测试过，问题依旧存在
 I have tested using the dev branch, and the issue still exists.
 "
          required: true
        - label: "
 我已经仔细看过 [Documentation](https://wiki.metacubex.one/) 并无法自行解决问题
 I have read the [documentation](https://wiki.metacubex.one/) and was unable to solve the issue.
 "
          required: true
        - label: "
 这是 Clash 核心的问题，并非我所使用的 Clash 衍生版本（如 OpenClash、KoolClash 等）的特定问题
 This is an issue of the Clash core *per se*, not to the derivatives of Clash, like OpenClash or KoolClash.
 "
          required: true
  - type: input
    attributes:
      label: Clash version
      description: "use `clash -v`"
    validations:
      required: true
  - type: dropdown
    id: os
    attributes:
      label: What OS are you seeing the problem on?
      multiple: true
      options:
        - macOS
        - Windows
        - Linux
        - OpenBSD/FreeBSD
  - type: textarea
    attributes:
      render: yaml
      label: "Clash config"
      description: "
 在下方附上 Clash core 配置文件，请确保配置文件中没有敏感信息（比如：服务器地址，密码，端口等）
 Paste the Clash core configuration file below, please make sure that there is no sensitive information in the configuration file (e.g., server address/url, password, port)
 "
    validations:
      required: true
  - type: textarea
    attributes:
      render: shell
      label: Clash log
      description: "
 在下方附上 Clash Core 的日志，log level 使用 DEBUG
 Paste the Clash core log below with the log level set to `DEBUG`.
 "
  - type: textarea
    attributes:
      label: Description
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -0,0 +1,36 @@
 name: Feature request
 description: Suggest an idea for this project
 title: "[Feature] "
 body:
  - type: checkboxes
    id: ensure
    attributes:
      label: Verify steps
      description: "
 在提交之前，请确认
 Please verify that you've followed these steps
 "
      options:
        - label: "
 我已经在 [Issue Tracker](……/) 中找过我要提出的请求
 I have searched on the [issue tracker](……/) for a related feature request.
 "
          required: true
        - label: "
 我已经仔细看过 [Documentation](https://wiki.metacubex.one/) 并无法找到这个功能
 I have read the [documentation](https://wiki.metacubex.one/) and was unable to solve the issue.
 "
          required: true
  - type: textarea
    attributes:
      label: Description
      description: 请详细、清晰地表达你要提出的论述，例如这个问题如何影响到你？你想实现什么功能？目前 Clash Core 的行为是什麽？
    validations:
      required: true
  - type: textarea
    attributes:
      label: Possible Solution
      description: "
 此项非必须，但是如果你有想法的话欢迎提出。
 Not obligatory, but suggest a fix/reason for the bug, or ideas how to implement the addition or change
 "
--- a/.github/genReleaseNote.sh
+++ b/.github/genReleaseNote.sh
@@ -0,0 +1,32 @@
 #!/bin/bash
 while getopts "v:" opt; do
  case $opt in
    v)
      version_range=$OPTARG
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      exit 1
      ;;
  esac
 done
 if [ -z "$version_range" ]; then
  echo "Please provide the version range using -v option. Example: ./genReleashNote.sh -v v1.14.1...v1.14.2"
  exit 1
 fi
 echo "## What's Changed" > release.md
 git log --pretty=format:"* %s by @%an" --grep="^feat" -i $version_range | sort -f | uniq >> release.md
 echo "" >> release.md
 echo "## BUG & Fix" >> release.md
 git log --pretty=format:"* %s by @%an" --grep="^fix" -i $version_range | sort -f | uniq >> release.md
 echo "" >> release.md
 echo "## Maintenance" >> release.md
 git log --pretty=format:"* %s by @%an" --grep="^chore\|^docs\|^refactor" -i $version_range | sort -f | uniq >> release.md
 echo "" >> release.md
 echo "**Full Changelog**: https://github.com/MetaCubeX/Clash.Meta/compare/$version_range" >> release.md
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -94,11 +94,6 @@ jobs:
        run: echo "VERSION=alpha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
        shell: bash
      - name: Set variables
        if: ${{github.ref_name=='Beta'}}
        run: echo "VERSION=beta-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
        shell: bash
      - name: Set variables
        if: ${{github.ref_name=='Meta'}}
        run: echo "VERSION=meta-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
@@ -128,7 +123,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v4
        with:
-          go-version: "1.21"
+          go-version: "1.20"
          check-latest: true
      - name: Test
@@ -267,6 +262,23 @@ jobs:
    needs: [Build]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Get tags
        run: |
          echo "CURRENTVERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
          git fetch --tags
          echo "PREVERSION=$(git describe --tags --abbrev=0 HEAD^)" >> $GITHUB_ENV
      - name: Generate release notes
        run: |
          cp ./.github/genReleaseNote.sh ./
          bash ./genReleaseNote.sh -v ${PREVERSION}...${CURRENTVERSION}
          rm ./genReleaseNote.sh
      - uses: actions/download-artifact@v3
        with:
          name: artifact
@@ -283,6 +295,7 @@ jobs:
          tag_name: ${{ github.ref_name }}
          files: bin/*
          generate_release_notes: true
          body_path: release.md
  Docker:
    if: ${{ github.event_name != 'pull_request'  }}
--- a/.github/workflows/delete.yml
+++ b/.github/workflows/delete.yml
@@ -0,0 +1,15 @@
 name: Delete old workflow runs
 on:
  schedule:
    - cron: "0 0 * * SUN"
 jobs:
  del_runs:
    runs-on: ubuntu-latest
    steps:
      - name: Delete workflow runs
        uses: GitRML/delete-workflow-runs@main
        with:
          token: ${{ secrets.AUTH_PAT }}
          repository: ${{ github.repository }}
          retain_days: 30
--- a/6
+++ b/6
@@ -4,9 +4,9 @@ RUN echo "I'm building for $TARGETPLATFORM"
 RUN apk add --no-cache gzip && \
    mkdir /clash-config && \
-    wget -O /clash-config/geoip.metadb https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb && \
+    wget -O /clash-config/Country.mmdb https://raw.githubusercontent.com/Loyalsoldier/geoip/release/Country.mmdb && \
-    wget -O /clash-config/geosite.dat https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat && \
+    wget -O /clash-config/geosite.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat && \
-    wget -O /clash-config/geoip.dat https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat
+    wget -O /clash-config/geoip.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
 COPY docker/file-name.sh /clash/file-name.sh
 WORKDIR /clash
--- a/adapter/adapter.go
+++ b/adapter/adapter.go
@@ -9,7 +9,6 @@ import (
 	"net/http"
 	"net/netip"
 	"net/url"
 	"strconv"
 	"time"
 	"github.com/Dreamacro/clash/common/atomic"
@@ -18,8 +17,6 @@ import (
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"github.com/puzpuzpuz/xsync/v2"
 )
 var UnifiedDelay = atomic.NewBool(false)
@@ -38,7 +35,7 @@ type Proxy struct {
 	history *queue.Queue[C.DelayHistory]
 	alive   *atomic.Bool
 	url     string
-	extra   *xsync.MapOf[string, *extraProxyState]
+	extra   map[string]*extraProxyState
 }
 // Alive implements C.Proxy
@@ -48,9 +45,11 @@ func (p *Proxy) Alive() bool {
 // AliveForTestUrl implements C.Proxy
 func (p *Proxy) AliveForTestUrl(url string) bool {
-	if state, ok := p.extra.Load(url); ok {
+	if p.extra != nil {
 		if state, ok := p.extra[url]; ok {
 			return state.alive.Load()
 		}
 	}
 	return p.alive.Load()
 }
@@ -88,17 +87,17 @@ func (p *Proxy) DelayHistory() []C.DelayHistory {
 	for _, item := range queueM {
 		histories = append(histories, item)
 	}
 	return histories
 }
 // DelayHistoryForTestUrl implements C.Proxy
 func (p *Proxy) DelayHistoryForTestUrl(url string) []C.DelayHistory {
 	var queueM []C.DelayHistory
-
+	if p.extra != nil {
-	if state, ok := p.extra.Load(url); ok {
+		if state, ok := p.extra[url]; ok {
 			queueM = state.history.Copy()
 		}
 	}
 	if queueM == nil {
 		queueM = p.history.Copy()
@@ -112,25 +111,19 @@ func (p *Proxy) DelayHistoryForTestUrl(url string) []C.DelayHistory {
 }
 func (p *Proxy) ExtraDelayHistory() map[string][]C.DelayHistory {
-	extraHistory := map[string][]C.DelayHistory{}
+	extra := map[string][]C.DelayHistory{}
-
+	if p.extra != nil && len(p.extra) != 0 {
-	p.extra.Range(func(k string, v *extraProxyState) bool {
+		for testUrl, option := range p.extra {
 		testUrl := k
 		state := v
 			histories := []C.DelayHistory{}
-		queueM := state.history.Copy()
+			queueM := option.history.Copy()
 			for _, item := range queueM {
 				histories = append(histories, item)
 			}
-		extraHistory[testUrl] = histories
+			extra[testUrl] = histories
-
+		}
-		return true
+	}
-	})
+	return extra
 	return extraHistory
 }
 // LastDelay return last history record. if proxy is not alive, return the max value of uint16.
@@ -155,10 +148,12 @@ func (p *Proxy) LastDelayForTestUrl(url string) (delay uint16) {
 	alive := p.alive.Load()
 	history := p.history.Last()
-	if state, ok := p.extra.Load(url); ok {
+	if p.extra != nil {
 		if state, ok := p.extra[url]; ok {
 			alive = state.alive.Load()
 			history = state.history.Last()
 		}
 	}
 	if !alive {
 		return max
@@ -181,7 +176,6 @@ func (p *Proxy) MarshalJSON() ([]byte, error) {
 	_ = json.Unmarshal(inner, &mapping)
 	mapping["history"] = p.DelayHistory()
 	mapping["extra"] = p.ExtraDelayHistory()
 	mapping["alive"] = p.Alive()
 	mapping["name"] = p.Name()
 	mapping["udp"] = p.SupportUDP()
 	mapping["xudp"] = p.SupportXUDP()
@@ -218,13 +212,17 @@ func (p *Proxy) URLTest(ctx context.Context, url string, expectedStatus utils.In
 				record.Delay = t
 			}
-			state, ok := p.extra.Load(url)
+			if p.extra == nil {
 				p.extra = map[string]*extraProxyState{}
 			}
 			state, ok := p.extra[url]
 			if !ok {
 				state = &extraProxyState{
 					history: queue.New[C.DelayHistory](defaultHistoriesNum),
 					alive:   atomic.NewBool(true),
 				}
-				p.extra.Store(url, state)
+				p.extra[url] = state
 			}
 			state.alive.Store(alive)
@@ -307,12 +305,7 @@ func (p *Proxy) URLTest(ctx context.Context, url string, expectedStatus utils.In
 }
 func NewProxy(adapter C.ProxyAdapter) *Proxy {
-	return &Proxy{
+	return &Proxy{adapter, queue.New[C.DelayHistory](defaultHistoriesNum), atomic.NewBool(true), "", map[string]*extraProxyState{}}
 		ProxyAdapter: adapter,
 		history:      queue.New[C.DelayHistory](defaultHistoriesNum),
 		alive:        atomic.NewBool(true),
 		url:          "",
 		extra:        xsync.NewMapOf[*extraProxyState]()}
 }
 func urlToMetadata(rawURL string) (addr C.Metadata, err error) {
@@ -333,15 +326,11 @@ func urlToMetadata(rawURL string) (addr C.Metadata, err error) {
 			return
 		}
 	}
 	uintPort, err := strconv.ParseUint(port, 10, 16)
 	if err != nil {
 		return
 	}
 	addr = C.Metadata{
 		Host:    u.Hostname(),
 		DstIP:   netip.Addr{},
-		DstPort: uint16(uintPort),
+		DstPort: port,
 	}
 	return
 }
@@ -355,14 +344,14 @@ func (p *Proxy) determineFinalStoreType(store C.DelayHistoryStoreType, url strin
 		return C.OriginalHistory
 	}
-	if p.extra.Size() < 2*C.DefaultMaxHealthCheckUrlNum {
+	if p.extra == nil {
-		return C.ExtraHistory
+		store = C.ExtraHistory
 	} else {
 		if _, ok := p.extra[url]; ok {
 			store = C.ExtraHistory
 		} else if len(p.extra) < 2*C.DefaultMaxHealthCheckUrlNum {
 			store = C.ExtraHistory
 		}
 	_, ok := p.extra.Load(url)
 	if ok {
 		return C.ExtraHistory
 	}
 	return store
 }
--- a/adapter/inbound/listen.go
+++ b/adapter/inbound/listen.go
@@ -17,10 +17,6 @@ func SetTfo(open bool) {
 	lc.DisableTFO = !open
 }
 func SetMPTCP(open bool) {
 	setMultiPathTCP(&lc.ListenConfig, open)
 }
 func ListenContext(ctx context.Context, network, address string) (net.Listener, error) {
 	return lc.Listen(ctx, network, address)
 }
--- a/adapter/inbound/mitm.go
+++ b/adapter/inbound/mitm.go
@@ -1,22 +0,0 @@
 package inbound
 import (
 	"net"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/context"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
 // NewMitm receive mitm request and return MitmContext
 func NewMitm(target socks5.Addr, source net.Addr, userAgent string, conn net.Conn) *context.ConnContext {
 	metadata := parseSocksAddr(target)
 	metadata.NetWork = C.TCP
 	metadata.Type = C.MITM
 	metadata.UserAgent = userAgent
 	if ip, port, err := parseAddr(source); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
 	}
 	return context.NewConnContext(conn, metadata)
 }
--- a/adapter/inbound/mptcp_go120.go
+++ b/adapter/inbound/mptcp_go120.go
@@ -1,10 +0,0 @@
 //go:build !go1.21
 package inbound
 import "net"
 const multipathTCPAvailable = false
 func setMultiPathTCP(listenConfig *net.ListenConfig, open bool) {
 }
--- a/adapter/inbound/mptcp_go121.go
+++ b/adapter/inbound/mptcp_go121.go
@@ -1,11 +0,0 @@
 //go:build go1.21
 package inbound
 import "net"
 const multipathTCPAvailable = true
 func setMultiPathTCP(listenConfig *net.ListenConfig, open bool) {
 	listenConfig.SetMultipathTCP(open)
 }
--- a/adapter/inbound/socket.go
+++ b/adapter/inbound/socket.go
@@ -3,7 +3,6 @@ package inbound
 import (
 	"net"
 	"net/netip"
 	"strconv"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/context"
@@ -38,9 +37,7 @@ func NewInner(conn net.Conn, address string) *context.ConnContext {
 	metadata.DNSMode = C.DNSNormal
 	metadata.Process = C.ClashName
 	if h, port, err := net.SplitHostPort(address); err == nil {
-		if port, err := strconv.ParseUint(port, 10, 16); err == nil {
+		metadata.DstPort = port
 			metadata.DstPort = uint16(port)
 		}
 		if ip, err := netip.ParseAddr(h); err == nil {
 			metadata.DstIP = ip
 		} else {
--- a/adapter/inbound/util.go
+++ b/adapter/inbound/util.go
@@ -20,14 +20,14 @@ func parseSocksAddr(target socks5.Addr) *C.Metadata {
 	case socks5.AtypDomainName:
 		// trim for FQDN
 		metadata.Host = strings.TrimRight(string(target[2:2+target[1]]), ".")
-		metadata.DstPort = uint16((int(target[2+target[1]]) << 8) | int(target[2+target[1]+1]))
+		metadata.DstPort = strconv.Itoa((int(target[2+target[1]]) << 8) | int(target[2+target[1]+1]))
 	case socks5.AtypIPv4:
 		metadata.DstIP = nnip.IpToAddr(net.IP(target[1 : 1+net.IPv4len]))
-		metadata.DstPort = uint16((int(target[1+net.IPv4len]) << 8) | int(target[1+net.IPv4len+1]))
+		metadata.DstPort = strconv.Itoa((int(target[1+net.IPv4len]) << 8) | int(target[1+net.IPv4len+1]))
 	case socks5.AtypIPv6:
 		ip6, _ := netip.AddrFromSlice(target[1 : 1+net.IPv6len])
 		metadata.DstIP = ip6.Unmap()
-		metadata.DstPort = uint16((int(target[1+net.IPv6len]) << 8) | int(target[1+net.IPv6len+1]))
+		metadata.DstPort = strconv.Itoa((int(target[1+net.IPv6len]) << 8) | int(target[1+net.IPv6len+1]))
 	}
 	return metadata
@@ -43,16 +43,11 @@ func parseHTTPAddr(request *http.Request) *C.Metadata {
 	// trim FQDN (#737)
 	host = strings.TrimRight(host, ".")
 	var uint16Port uint16
 	if port, err := strconv.ParseUint(port, 10, 16); err == nil {
 		uint16Port = uint16(port)
 	}
 	metadata := &C.Metadata{
 		NetWork: C.TCP,
 		Host:    host,
 		DstIP:   netip.Addr{},
-		DstPort: uint16Port,
+		DstPort: port,
 	}
 	ip, err := netip.ParseAddr(host)
@@ -63,10 +58,10 @@ func parseHTTPAddr(request *http.Request) *C.Metadata {
 	return metadata
 }
-func parseAddr(addr net.Addr) (netip.Addr, uint16, error) {
+func parseAddr(addr net.Addr) (netip.Addr, string, error) {
 	// Filter when net.Addr interface is nil
 	if addr == nil {
-		return netip.Addr{}, 0, errors.New("nil addr")
+		return netip.Addr{}, "", errors.New("nil addr")
 	}
 	if rawAddr, ok := addr.(interface{ RawAddr() net.Addr }); ok {
 		ip, port, err := parseAddr(rawAddr.RawAddr())
@@ -77,14 +72,9 @@ func parseAddr(addr net.Addr) (netip.Addr, uint16, error) {
 	addrStr := addr.String()
 	host, port, err := net.SplitHostPort(addrStr)
 	if err != nil {
-		return netip.Addr{}, 0, err
+		return netip.Addr{}, "", err
 	}
 	var uint16Port uint16
 	if port, err := strconv.ParseUint(port, 10, 16); err == nil {
 		uint16Port = uint16(port)
 	}
 	ip, err := netip.ParseAddr(host)
-	return ip, uint16Port, err
+	return ip, port, err
 }
--- a/adapter/outbound/base.go
+++ b/adapter/outbound/base.go
@@ -21,7 +21,6 @@ type Base struct {
 	udp    bool
 	xudp   bool
 	tfo    bool
 	mpTcp  bool
 	rmark  int
 	id     string
 	prefer C.DNSPrefer
@@ -144,16 +143,11 @@ func (b *Base) DialOptions(opts ...dialer.Option) []dialer.Option {
 		opts = append(opts, dialer.WithTFO(true))
 	}
 	if b.mpTcp {
 		opts = append(opts, dialer.WithMPTCP(true))
 	}
 	return opts
 }
 type BasicOption struct {
 	TFO         bool   `proxy:"tfo,omitempty" group:"tfo,omitempty"`
 	MPTCP       bool   `proxy:"mptcp,omitempty" group:"mptcp,omitempty"`
 	Interface   string `proxy:"interface-name,omitempty" group:"interface-name,omitempty"`
 	RoutingMark int    `proxy:"routing-mark,omitempty" group:"routing-mark,omitempty"`
 	IPVersion   string `proxy:"ip-version,omitempty" group:"ip-version,omitempty"`
@@ -167,7 +161,6 @@ type BaseOption struct {
 	UDP         bool
 	XUDP        bool
 	TFO         bool
 	MPTCP       bool
 	Interface   string
 	RoutingMark int
 	Prefer      C.DNSPrefer
@@ -181,7 +174,6 @@ func NewBase(opt BaseOption) *Base {
 		udp:    opt.UDP,
 		xudp:   opt.XUDP,
 		tfo:    opt.TFO,
 		mpTcp:  opt.MPTCP,
 		iface:  opt.Interface,
 		rmark:  opt.RoutingMark,
 		prefer: opt.Prefer,
--- a/adapter/outbound/direct.go
+++ b/adapter/outbound/direct.go
@@ -3,8 +3,6 @@ package outbound
 import (
 	"context"
 	"errors"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
@@ -14,11 +12,6 @@ type Direct struct {
 	*Base
 }
 type DirectOption struct {
 	BasicOption
 	Name string `proxy:"name"`
 }
 // DialContext implements C.ProxyAdapter
 func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	opts = append(opts, dialer.WithResolver(resolver.DefaultResolver))
@@ -26,7 +19,7 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 	if err != nil {
 		return nil, err
 	}
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	return NewConn(c, d), nil
 }
@@ -47,21 +40,6 @@ func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 	return newPacketConn(pc, d), nil
 }
 func NewDirectWithOption(option DirectOption) *Direct {
 	return &Direct{
 		Base: &Base{
 			name:   option.Name,
 			tp:     C.Direct,
 			udp:    true,
 			tfo:    option.TFO,
 			mpTcp:  option.MPTCP,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 	}
 }
 func NewDirect() *Direct {
 	return &Direct{
 		Base: &Base{
--- a/adapter/outbound/http.go
+++ b/adapter/outbound/http.go
@@ -7,13 +7,11 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"strconv"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
@@ -76,7 +74,7 @@ func (h *Http) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metad
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", h.addr, err)
 	}
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
@@ -113,10 +111,6 @@ func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
 		tempHeaders["Proxy-Authorization"] = "Basic " + base64.StdEncoding.EncodeToString([]byte(auth))
 	}
 	if metadata.Type == C.MITM {
 		tempHeaders["Origin-Request-Source-Address"] = metadata.SourceAddress()
 	}
 	for key, value := range tempHeaders {
 		HeaderString += key + ": " + value + "\r\n"
 	}
@@ -183,7 +177,6 @@ func NewHttp(option HttpOption) (*Http, error) {
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Http,
 			tfo:    option.TFO,
 			mpTcp:  option.MPTCP,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
--- a/adapter/outbound/mitm.go
+++ b/adapter/outbound/mitm.go
@@ -1,50 +0,0 @@
 package outbound
 import (
 	"context"
 	"net"
 	"time"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 )
 type Mitm struct {
 	*Base
 	serverAddr      *net.TCPAddr
 	httpProxyClient *Http
 }
 // DialContext implements C.ProxyAdapter
 func (m *Mitm) DialContext(ctx context.Context, metadata *C.Metadata, _ ...dialer.Option) (C.Conn, error) {
 	c, err := net.DialTCP("tcp", nil, m.serverAddr)
 	if err != nil {
 		return nil, err
 	}
 	_ = c.SetKeepAlive(true)
 	_ = c.SetKeepAlivePeriod(60 * time.Second)
 	metadata.Type = C.MITM
 	hc, err := m.httpProxyClient.StreamConnContext(ctx, c, metadata)
 	if err != nil {
 		_ = c.Close()
 		return nil, err
 	}
 	return NewConn(hc, m), nil
 }
 func NewMitm(serverAddr string) *Mitm {
 	tcpAddr, _ := net.ResolveTCPAddr("tcp", serverAddr)
 	http, _ := NewHttp(HttpOption{})
 	return &Mitm{
 		Base: &Base{
 			name: "Mitm",
 			tp:   C.Mitm,
 		},
 		serverAddr:      tcpAddr,
 		httpProxyClient: http,
 	}
 }
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@@ -19,7 +19,7 @@ import (
 	v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"
 	restlsC "github.com/3andne/restls-client-go"
-	shadowsocks "github.com/metacubex/sing-shadowsocks2"
+	"github.com/metacubex/sing-shadowsocks2"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/uot"
 )
@@ -146,7 +146,7 @@ func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Diale
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 	}
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
@@ -294,6 +294,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 		}
 		restlsConfig, err = restlsC.NewRestlsConfig(restlsOpt.Host, restlsOpt.Password, restlsOpt.VersionHint, restlsOpt.RestlsScript, option.ClientFingerprint)
 		restlsConfig.SessionTicketsDisabled = true
 		if err != nil {
 			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
 		}
@@ -314,7 +315,6 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			tp:     C.Shadowsocks,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			mpTcp:  option.MPTCP,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
--- a/adapter/outbound/shadowsocksr.go
+++ b/adapter/outbound/shadowsocksr.go
@@ -80,7 +80,7 @@ func (ssr *ShadowSocksR) DialContextWithDialer(ctx context.Context, dialer C.Dia
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ssr.addr, err)
 	}
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
@@ -181,7 +181,6 @@ func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {
 			tp:     C.ShadowsocksR,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			mpTcp:  option.MPTCP,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
--- a/adapter/outbound/snell.go
+++ b/adapter/outbound/snell.go
@@ -6,7 +6,6 @@ import (
 	"net"
 	"strconv"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
@@ -60,7 +59,8 @@ func (s *Snell) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		err := snell.WriteUDPHeader(c, s.version)
 		return c, err
 	}
-	err := snell.WriteHeader(c, metadata.String(), uint(metadata.DstPort), s.version)
+	port, _ := strconv.ParseUint(metadata.DstPort, 10, 16)
 	err := snell.WriteHeader(c, metadata.String(), uint(port), s.version)
 	return c, err
 }
@@ -72,7 +72,8 @@ func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 			return nil, err
 		}
-		if err = snell.WriteHeader(c, metadata.String(), uint(metadata.DstPort), s.version); err != nil {
+		port, _ := strconv.ParseUint(metadata.DstPort, 10, 16)
 		if err = snell.WriteHeader(c, metadata.String(), uint(port), s.version); err != nil {
 			c.Close()
 			return nil, err
 		}
@@ -94,7 +95,7 @@ func (s *Snell) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", s.addr, err)
 	}
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
@@ -122,7 +123,7 @@ func (s *Snell) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 	if err != nil {
 		return nil, err
 	}
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	c = streamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})
 	err = snell.WriteUDPHeader(c, s.version)
@@ -182,7 +183,6 @@ func NewSnell(option SnellOption) (*Snell, error) {
 			tp:     C.Snell,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			mpTcp:  option.MPTCP,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@@ -208,7 +208,7 @@ func NewSnell(option SnellOption) (*Snell, error) {
 				return nil, err
 			}
-			N.TCPKeepAlive(c)
+			tcpKeepAlive(c)
 			return streamConn(c, streamOption{psk, option.Version, addr, obfsOption}), nil
 		})
 	}
--- a/adapter/outbound/socks5.go
+++ b/adapter/outbound/socks5.go
@@ -9,7 +9,6 @@ import (
 	"net"
 	"strconv"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
@@ -81,7 +80,7 @@ func (ss *Socks5) DialContextWithDialer(ctx context.Context, dialer C.Dialer, me
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 	}
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
@@ -127,7 +126,7 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		safeConnClose(c, err)
 	}(c)
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	var user *socks5.User
 	if ss.user != "" {
 		user = &socks5.User{
@@ -197,7 +196,6 @@ func NewSocks5(option Socks5Option) (*Socks5, error) {
 			tp:     C.Socks5,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			mpTcp:  option.MPTCP,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@@ -8,13 +8,13 @@ import (
 	"net/http"
 	"strconv"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
 	"github.com/Dreamacro/clash/transport/trojan"
 	"github.com/Dreamacro/clash/transport/vless"
 )
 type Trojan struct {
@@ -45,6 +45,8 @@ type TrojanOption struct {
 	RealityOpts       RealityOptions `proxy:"reality-opts,omitempty"`
 	GrpcOpts          GrpcOptions    `proxy:"grpc-opts,omitempty"`
 	WSOpts            WSOptions      `proxy:"ws-opts,omitempty"`
 	Flow              string         `proxy:"flow,omitempty"`
 	FlowShow          bool           `proxy:"flow-show,omitempty"`
 	ClientFingerprint string         `proxy:"client-fingerprint,omitempty"`
 }
@@ -93,6 +95,11 @@ func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
 	c, err = t.instance.PresetXTLSConn(c)
 	if err != nil {
 		return nil, err
 	}
 	if metadata.NetWork == C.UDP {
 		err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
 		return c, err
@@ -110,6 +117,12 @@ func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 			return nil, err
 		}
 		c, err = t.instance.PresetXTLSConn(c)
 		if err != nil {
 			c.Close()
 			return nil, err
 		}
 		if err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata)); err != nil {
 			c.Close()
 			return nil, err
@@ -132,7 +145,7 @@ func (t *Trojan) DialContextWithDialer(ctx context.Context, dialer C.Dialer, met
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
@@ -185,7 +198,7 @@ func (t *Trojan) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, me
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	c, err = t.plainStream(ctx, c)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
@@ -224,10 +237,24 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		ALPN:              option.ALPN,
 		ServerName:        option.Server,
 		SkipCertVerify:    option.SkipCertVerify,
 		FlowShow:          option.FlowShow,
 		Fingerprint:       option.Fingerprint,
 		ClientFingerprint: option.ClientFingerprint,
 	}
 	switch option.Network {
 	case "", "tcp":
 		if len(option.Flow) >= 16 {
 			option.Flow = option.Flow[:16]
 			switch option.Flow {
 			case vless.XRO, vless.XRD, vless.XRS:
 				tOption.Flow = option.Flow
 			default:
 				return nil, fmt.Errorf("unsupported xtls flow type: %s", option.Flow)
 			}
 		}
 	}
 	if option.SNI != "" {
 		tOption.ServerName = option.SNI
 	}
@@ -239,7 +266,6 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			tp:     C.Trojan,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			mpTcp:  option.MPTCP,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@@ -269,7 +295,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", t.addr, err.Error())
 			}
-			N.TCPKeepAlive(c)
+			tcpKeepAlive(c)
 			return c, nil
 		}
--- a/adapter/outbound/tuic.go
+++ b/adapter/outbound/tuic.go
@@ -6,7 +6,6 @@ import (
 	"crypto/tls"
 	"encoding/hex"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"math"
 	"net"
@@ -16,15 +15,12 @@ import (
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/tuic"
 	"github.com/gofrs/uuid/v5"
 	"github.com/metacubex/quic-go"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/uot"
 )
 type Tuic struct {
@@ -63,9 +59,6 @@ type TuicOption struct {
 	DisableMTUDiscovery  bool   `proxy:"disable-mtu-discovery,omitempty"`
 	MaxDatagramFrameSize int    `proxy:"max-datagram-frame-size,omitempty"`
 	SNI                  string `proxy:"sni,omitempty"`
 	UDPOverStream        bool `proxy:"udp-over-stream,omitempty"`
 	UDPOverStreamVersion int  `proxy:"udp-over-stream-version,omitempty"`
 }
 // DialContext implements C.ProxyAdapter
@@ -89,32 +82,6 @@ func (t *Tuic) ListenPacketContext(ctx context.Context, metadata *C.Metadata, op
 // ListenPacketWithDialer implements C.ProxyAdapter
 func (t *Tuic) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if t.option.UDPOverStream {
 		uotDestination := uot.RequestDestination(uint8(t.option.UDPOverStreamVersion))
 		uotMetadata := *metadata
 		uotMetadata.Host = uotDestination.Fqdn
 		uotMetadata.DstPort = uotDestination.Port
 		c, err := t.DialContextWithDialer(ctx, dialer, &uotMetadata)
 		if err != nil {
 			return nil, err
 		}
 		// tuic uos use stream-oriented udp with a special address, so we need a net.UDPAddr
 		if !metadata.Resolved() {
 			ip, err := resolver.ResolveIP(ctx, metadata.Host)
 			if err != nil {
 				return nil, errors.New("can't resolve ip")
 			}
 			metadata.DstIP = ip
 		}
 		destination := M.SocksaddrFromNet(metadata.UDPAddr())
 		if t.option.UDPOverStreamVersion == uot.LegacyVersion {
 			return newPacketConn(uot.NewConn(c, uot.Request{Destination: destination}), t), nil
 		} else {
 			return newPacketConn(uot.NewLazyConn(c, uot.Request{Destination: destination}), t), nil
 		}
 	}
 	pc, err := t.client.ListenPacketWithDialer(ctx, metadata, dialer, t.dialWithDialer)
 	if err != nil {
 		return nil, err
@@ -195,7 +162,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 	}
-	if option.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
+	if len(option.ALPN) > 0 {
 		tlsConfig.NextProtos = option.ALPN
 	} else {
 		tlsConfig.NextProtos = []string{"h3"}
@@ -272,14 +239,6 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		tlsConfig.InsecureSkipVerify = true // tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config
 	}
 	switch option.UDPOverStreamVersion {
 	case uot.Version, uot.LegacyVersion:
 	case 0:
 		option.UDPOverStreamVersion = uot.LegacyVersion
 	default:
 		return nil, fmt.Errorf("tuic %s unknown udp over stream protocol version: %d", addr, option.UDPOverStreamVersion)
 	}
 	t := &Tuic{
 		Base: &Base{
 			name:   option.Name,
--- a/adapter/outbound/util.go
+++ b/adapter/outbound/util.go
@@ -4,9 +4,12 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
 	xtls "github.com/xtls/go"
 	"net"
 	"net/netip"
 	"strconv"
 	"sync"
 	"time"
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
@@ -15,9 +18,17 @@ import (
 var (
 	globalClientSessionCache  tls.ClientSessionCache
 	globalClientXSessionCache xtls.ClientSessionCache
 	once                      sync.Once
 )
 func tcpKeepAlive(c net.Conn) {
 	if tcp, ok := c.(*net.TCPConn); ok {
 		_ = tcp.SetKeepAlive(true)
 		_ = tcp.SetKeepAlivePeriod(30 * time.Second)
 	}
 }
 func getClientSessionCache() tls.ClientSessionCache {
 	once.Do(func() {
 		globalClientSessionCache = tls.NewLRUClientSessionCache(128)
@@ -25,11 +36,18 @@ func getClientSessionCache() tls.ClientSessionCache {
 	return globalClientSessionCache
 }
 func getClientXSessionCache() xtls.ClientSessionCache {
 	once.Do(func() {
 		globalClientXSessionCache = xtls.NewLRUClientSessionCache(128)
 	})
 	return globalClientXSessionCache
 }
 func serializesSocksAddr(metadata *C.Metadata) []byte {
 	var buf [][]byte
 	addrType := metadata.AddrType()
 	aType := uint8(addrType)
-	p := uint(metadata.DstPort)
+	p, _ := strconv.ParseUint(metadata.DstPort, 10, 16)
 	port := []byte{uint8(p >> 8), uint8(p & 0xff)}
 	switch addrType {
 	case socks5.AtypDomainName:
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@@ -56,8 +56,8 @@ type VlessOption struct {
 	Port              int               `proxy:"port"`
 	UUID              string            `proxy:"uuid"`
 	Flow              string            `proxy:"flow,omitempty"`
 	FlowShow          bool              `proxy:"flow-show,omitempty"`
 	TLS               bool              `proxy:"tls,omitempty"`
 	ALPN              []string          `proxy:"alpn,omitempty"`
 	UDP               bool              `proxy:"udp,omitempty"`
 	PacketAddr        bool              `proxy:"packet-addr,omitempty"`
 	XUDP              bool              `proxy:"xudp,omitempty"`
@@ -133,7 +133,7 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		c, err = vmess.StreamWebsocketConn(ctx, c, wsOpts)
 	case "http":
 		// readability first, so just copy default TLS logic
-		c, err = v.streamTLSConn(ctx, c, false)
+		c, err = v.streamTLSOrXTLSConn(ctx, c, false)
 		if err != nil {
 			return nil, err
 		}
@@ -148,7 +148,7 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		c = vmess.StreamHTTPConn(c, httpOpts)
 	case "h2":
-		c, err = v.streamTLSConn(ctx, c, true)
+		c, err = v.streamTLSOrXTLSConn(ctx, c, true)
 		if err != nil {
 			return nil, err
 		}
@@ -163,8 +163,8 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
 	default:
 		// default tcp network
-		// handle TLS
+		// handle TLS And XTLS
-		c, err = v.streamTLSConn(ctx, c, false)
+		c, err = v.streamTLSOrXTLSConn(ctx, c, false)
 	}
 	if err != nil {
@@ -180,7 +180,7 @@ func (v *Vless) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err
 			metadata = &C.Metadata{
 				NetWork: C.UDP,
 				Host:    packetaddr.SeqPacketMagicAddress,
-				DstPort: 443,
+				DstPort: "443",
 			}
 		} else {
 			metadata = &C.Metadata{ // a clear metadata only contains ip
@@ -202,17 +202,29 @@ func (v *Vless) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err
 	return
 }
-func (v *Vless) streamTLSConn(ctx context.Context, conn net.Conn, isH2 bool) (net.Conn, error) {
+func (v *Vless) streamTLSOrXTLSConn(ctx context.Context, conn net.Conn, isH2 bool) (net.Conn, error) {
 	if v.option.TLS {
 	host, _, _ := net.SplitHostPort(v.addr)
 	if v.isLegacyXTLSEnabled() && !isH2 {
 		xtlsOpts := vless.XTLSConfig{
 			Host:           host,
 			SkipCertVerify: v.option.SkipCertVerify,
 			Fingerprint:    v.option.Fingerprint,
 		}
 		if v.option.ServerName != "" {
 			xtlsOpts.Host = v.option.ServerName
 		}
 		return vless.StreamXTLSConn(ctx, conn, &xtlsOpts)
 	} else if v.option.TLS {
 		tlsOpts := vmess.TLSConfig{
 			Host:              host,
 			SkipCertVerify:    v.option.SkipCertVerify,
 			FingerPrint:       v.option.Fingerprint,
 			ClientFingerprint: v.option.ClientFingerprint,
 			Reality:           v.realityConfig,
 			NextProtos:        v.option.ALPN,
 		}
 		if isH2 {
@@ -229,6 +241,10 @@ func (v *Vless) streamTLSConn(ctx context.Context, conn net.Conn, isH2 bool) (ne
 	return conn, nil
 }
 func (v *Vless) isLegacyXTLSEnabled() bool {
 	return v.client.Addons != nil && v.client.Addons.Flow != vless.XRV
 }
 // DialContext implements C.ProxyAdapter
 func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	// gun transport
@@ -263,7 +279,7 @@ func (v *Vless) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
@@ -328,7 +344,7 @@ func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
@@ -401,11 +417,12 @@ func parseVlessAddr(metadata *C.Metadata, xudp bool) *vless.DstAddr {
 		copy(addr[1:], metadata.Host)
 	}
 	port, _ := strconv.ParseUint(metadata.DstPort, 10, 16)
 	return &vless.DstAddr{
 		UDP:      metadata.NetWork == C.UDP,
 		AddrType: addrType,
 		Addr:     addr,
-		Port:     metadata.DstPort,
+		Port:     uint16(port),
 		Mux:      metadata.NetWork == C.UDP && xudp,
 	}
 }
@@ -509,11 +526,11 @@ func NewVless(option VlessOption) (*Vless, error) {
 		switch option.Flow {
 		case vless.XRV:
 			log.Warnln("To use %s, ensure your server is upgrade to Xray-core v1.8.0+", vless.XRV)
 			fallthrough
 		case vless.XRO, vless.XRD, vless.XRS:
 			addons = &vless.Addons{
 				Flow: option.Flow,
 			}
 		case vless.XRO, vless.XRD, vless.XRS:
 			log.Fatalln("Legacy XTLS protocol %s is deprecated and no longer supported", option.Flow)
 		default:
 			return nil, fmt.Errorf("unsupported xtls flow type: %s", option.Flow)
 		}
@@ -532,7 +549,7 @@ func NewVless(option VlessOption) (*Vless, error) {
 		option.PacketAddr = false
 	}
-	client, err := vless.NewClient(option.UUID, addons)
+	client, err := vless.NewClient(option.UUID, addons, option.FlowShow)
 	if err != nil {
 		return nil, err
 	}
@@ -545,7 +562,6 @@ func NewVless(option VlessOption) (*Vless, error) {
 			udp:    option.UDP,
 			xudp:   option.XUDP,
 			tfo:    option.TFO,
 			mpTcp:  option.MPTCP,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@@ -578,7 +594,7 @@ func NewVless(option VlessOption) (*Vless, error) {
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 			}
-			N.TCPKeepAlive(c)
+			tcpKeepAlive(c)
 			return c, nil
 		}
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@@ -18,7 +18,6 @@ import (
 	"github.com/Dreamacro/clash/component/resolver"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/ntp"
 	"github.com/Dreamacro/clash/transport/gun"
 	clashVMess "github.com/Dreamacro/clash/transport/vmess"
@@ -53,7 +52,6 @@ type VmessOption struct {
 	UDP                 bool           `proxy:"udp,omitempty"`
 	Network             string         `proxy:"network,omitempty"`
 	TLS                 bool           `proxy:"tls,omitempty"`
 	ALPN                []string       `proxy:"alpn,omitempty"`
 	SkipCertVerify      bool           `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint         string         `proxy:"fingerprint,omitempty"`
 	ServerName          string         `proxy:"servername,omitempty"`
@@ -151,7 +149,6 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 				SkipCertVerify:    v.option.SkipCertVerify,
 				ClientFingerprint: v.option.ClientFingerprint,
 				Reality:           v.realityConfig,
 				NextProtos:        v.option.ALPN,
 			}
 			if v.option.ServerName != "" {
@@ -208,7 +205,6 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 				SkipCertVerify:    v.option.SkipCertVerify,
 				ClientFingerprint: v.option.ClientFingerprint,
 				Reality:           v.realityConfig,
 				NextProtos:        v.option.ALPN,
 			}
 			if v.option.ServerName != "" {
@@ -308,7 +304,7 @@ func (v *Vmess) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
@@ -369,7 +365,7 @@ func (v *Vmess) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
-	N.TCPKeepAlive(c)
+	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
@@ -417,7 +413,6 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 	if option.AuthenticatedLength {
 		options = append(options, vmess.ClientWithAuthenticatedLength())
 	}
 	options = append(options, vmess.ClientWithTimeFunc(ntp.Now))
 	client, err := vmess.NewClient(option.UUID, security, option.AlterID, options...)
 	if err != nil {
 		return nil, err
@@ -441,7 +436,6 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 			udp:    option.UDP,
 			xudp:   option.XUDP,
 			tfo:    option.TFO,
 			mpTcp:  option.MPTCP,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@@ -469,7 +463,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 			}
-			N.TCPKeepAlive(c)
+			tcpKeepAlive(c)
 			return c, nil
 		}
--- a/adapter/outbound/wireguard.go
+++ b/adapter/outbound/wireguard.go
@@ -302,7 +302,7 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 	if err != nil {
 		return nil, E.Cause(err, "create WireGuard device")
 	}
-	outbound.device = device.NewDevice(context.Background(), outbound.tunDevice, outbound.bind, &device.Logger{
+	outbound.device = device.NewDevice(outbound.tunDevice, outbound.bind, &device.Logger{
 		Verbosef: func(format string, args ...interface{}) {
 			log.SingLogger.Debug(fmt.Sprintf("[WG](%s) %s", option.Name, fmt.Sprintf(format, args...)))
 		},
@@ -374,7 +374,8 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 		options = append(options, dialer.WithNetDialer(wgNetDialer{tunDevice: w.tunDevice}))
 		conn, err = dialer.NewDialer(options...).DialContext(ctx, "tcp", metadata.RemoteAddress())
 	} else {
-		conn, err = w.tunDevice.DialContext(ctx, "tcp", M.SocksaddrFrom(metadata.DstIP, metadata.DstPort).Unwrap())
+		port, _ := strconv.Atoi(metadata.DstPort)
 		conn, err = w.tunDevice.DialContext(ctx, "tcp", M.SocksaddrFrom(metadata.DstIP, uint16(port)).Unwrap())
 	}
 	if err != nil {
 		return nil, err
@@ -411,7 +412,8 @@ func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadat
 		}
 		metadata.DstIP = ip
 	}
-	pc, err = w.tunDevice.ListenPacket(ctx, M.SocksaddrFrom(metadata.DstIP, metadata.DstPort).Unwrap())
+	port, _ := strconv.Atoi(metadata.DstPort)
 	pc, err = w.tunDevice.ListenPacket(ctx, M.SocksaddrFrom(metadata.DstIP, uint16(port)).Unwrap())
 	if err != nil {
 		return nil, err
 	}
--- a/adapter/outboundgroup/util.go
+++ b/adapter/outboundgroup/util.go
@@ -1,5 +1,17 @@
 package outboundgroup
 import (
 	"net"
 	"time"
 )
 func tcpKeepAlive(c net.Conn) {
 	if tcp, ok := c.(*net.TCPConn); ok {
 		_ = tcp.SetKeepAlive(true)
 		_ = tcp.SetKeepAlivePeriod(30 * time.Second)
 	}
 }
 type SelectAble interface {
 	Set(string) error
 	ForceSet(name string)
--- a/adapter/parser.go
+++ b/adapter/parser.go
@@ -106,13 +106,6 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 			break
 		}
 		proxy, err = outbound.NewTuic(*tuicOption)
 	case "direct":
 		directOption := &outbound.DirectOption{}
 		err = decoder.Decode(mapping, directOption)
 		if err != nil {
 			break
 		}
 		proxy = outbound.NewDirectWithOption(*directOption)
 	default:
 		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)
 	}
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@@ -299,7 +299,7 @@ func proxiesParseAndFilter(filter string, excludeFilter string, excludeTypeArray
 		if err := yaml.Unmarshal(buf, schema); err != nil {
 			proxies, err1 := convert.ConvertsV2Ray(buf)
 			if err1 != nil {
-				return nil, fmt.Errorf("%w, %w", err, err1)
+				return nil, fmt.Errorf("%s, %w", err.Error(), err1)
 			}
 			schema.Proxies = proxies
 		}
--- a/common/buf/sing.go
+++ b/common/buf/sing.go
@@ -11,9 +11,18 @@ type Buffer = buf.Buffer
 var New = buf.New
 var NewSize = buf.NewSize
 var StackNew = buf.StackNew
 var StackNewSize = buf.StackNewSize
 var With = buf.With
 var As = buf.As
 var KeepAlive = common.KeepAlive
 //go:norace
 func Dup[T any](obj T) T {
 	return common.Dup(obj)
 }
 var (
 	Must  = common.Must
 	Error = common.Error
--- a/common/cache/lrucache.go
+++ b/common/cache/lrucache.go
@@ -7,8 +7,6 @@ import (
 	"time"
 	"github.com/Dreamacro/clash/common/generics/list"
 	"github.com/samber/lo"
 )
 // Option is part of Functional Options Pattern
@@ -84,27 +82,9 @@ func New[K comparable, V any](options ...Option[K, V]) *LruCache[K, V] {
 // Get returns the any representation of a cached response and a bool
 // set to true if the key was found.
 func (c *LruCache[K, V]) Get(key K) (V, bool) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	el := c.get(key)
 	if el == nil {
-		return lo.Empty[V](), false
+		return getZero[V](), false
 	}
 	value := el.value
 	return value, true
 }
 func (c *LruCache[K, V]) GetOrStore(key K, constructor func() V) (V, bool) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	el := c.get(key)
 	if el == nil {
 		value := constructor()
 		c.set(key, value)
 		return value, false
 	}
 	value := el.value
@@ -116,12 +96,9 @@ func (c *LruCache[K, V]) GetOrStore(key K, constructor func() V) (V, bool) {
 // and a bool set to true if the key was found.
 // This method will NOT check the maxAge of element and will NOT update the expires.
 func (c *LruCache[K, V]) GetWithExpire(key K) (V, time.Time, bool) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	el := c.get(key)
 	if el == nil {
-		return lo.Empty[V](), time.Time{}, false
+		return getZero[V](), time.Time{}, false
 	}
 	return el.value, time.Unix(el.expires, 0), true
@@ -138,18 +115,11 @@ func (c *LruCache[K, V]) Exist(key K) bool {
 // Set stores the any representation of a response for a given key.
 func (c *LruCache[K, V]) Set(key K, value V) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	c.set(key, value)
 }
 func (c *LruCache[K, V]) set(key K, value V) {
 	expires := int64(0)
 	if c.maxAge > 0 {
 		expires = time.Now().Unix() + c.maxAge
 	}
-	c.setWithExpire(key, value, time.Unix(expires, 0))
+	c.SetWithExpire(key, value, time.Unix(expires, 0))
 }
 // SetWithExpire stores the any representation of a response for a given key and given expires.
@@ -158,10 +128,6 @@ func (c *LruCache[K, V]) SetWithExpire(key K, value V, expires time.Time) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	c.setWithExpire(key, value, expires)
 }
 func (c *LruCache[K, V]) setWithExpire(key K, value V, expires time.Time) {
 	if le, ok := c.cache[key]; ok {
 		c.lru.MoveToBack(le)
 		e := le.Value
@@ -199,6 +165,9 @@ func (c *LruCache[K, V]) CloneTo(n *LruCache[K, V]) {
 }
 func (c *LruCache[K, V]) get(key K) *entry[K, V] {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	le, ok := c.cache[key]
 	if !ok {
 		return nil
@@ -222,11 +191,12 @@ func (c *LruCache[K, V]) get(key K) *entry[K, V] {
 // Delete removes the value associated with a key.
 func (c *LruCache[K, V]) Delete(key K) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	if le, ok := c.cache[key]; ok {
 		c.deleteElement(le)
 	}
 	c.mu.Unlock()
 }
 func (c *LruCache[K, V]) maybeDeleteOldest() {
@@ -249,10 +219,10 @@ func (c *LruCache[K, V]) deleteElement(le *list.Element[*entry[K, V]]) {
 func (c *LruCache[K, V]) Clear() error {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	c.cache = make(map[K]*list.Element[*entry[K, V]])
 	c.mu.Unlock()
 	return nil
 }
@@ -261,3 +231,8 @@ type entry[K comparable, V any] struct {
 	value   V
 	expires int64
 }
 func getZero[T any]() T {
 	var result T
 	return result
 }
--- a/common/cert/cert.go
+++ b/common/cert/cert.go
@@ -1,303 +0,0 @@
 package cert
 import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha1"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"math/big"
 	"net"
 	"os"
 	"strings"
 	"sync/atomic"
 	"time"
 )
 var currentSerialNumber = time.Now().Unix()
 type Config struct {
 	ca           *x509.Certificate
 	caPrivateKey *rsa.PrivateKey
 	roots *x509.CertPool
 	privateKey *rsa.PrivateKey
 	validity     time.Duration
 	keyID        []byte
 	organization string
 	certsStorage CertsStorage
 }
 type CertsStorage interface {
 	Get(key string) (*tls.Certificate, bool)
 	Set(key string, cert *tls.Certificate)
 }
 func NewAuthority(name, organization string, validity time.Duration) (*x509.Certificate, *rsa.PrivateKey, error) {
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return nil, nil, err
 	}
 	pub := privateKey.Public()
 	pkixPub, err := x509.MarshalPKIXPublicKey(pub)
 	if err != nil {
 		return nil, nil, err
 	}
 	h := sha1.New()
 	_, err = h.Write(pkixPub)
 	if err != nil {
 		return nil, nil, err
 	}
 	keyID := h.Sum(nil)
 	serial := atomic.AddInt64(&currentSerialNumber, 1)
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(serial),
 		Subject: pkix.Name{
 			CommonName:   name,
 			Organization: []string{organization},
 		},
 		SubjectKeyId:          keyID,
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 		NotBefore:             time.Now().Add(-validity),
 		NotAfter:              time.Now().Add(validity),
 		DNSNames:              []string{name},
 		IsCA:                  true,
 	}
 	raw, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, privateKey)
 	if err != nil {
 		return nil, nil, err
 	}
 	x509c, err := x509.ParseCertificate(raw)
 	if err != nil {
 		return nil, nil, err
 	}
 	return x509c, privateKey, nil
 }
 func NewConfig(ca *x509.Certificate, caPrivateKey *rsa.PrivateKey) (*Config, error) {
 	roots := x509.NewCertPool()
 	roots.AddCert(ca)
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return nil, err
 	}
 	pub := privateKey.Public()
 	pkixPub, err := x509.MarshalPKIXPublicKey(pub)
 	if err != nil {
 		return nil, err
 	}
 	h := sha1.New()
 	_, err = h.Write(pkixPub)
 	if err != nil {
 		return nil, err
 	}
 	keyID := h.Sum(nil)
 	return &Config{
 		ca:           ca,
 		caPrivateKey: caPrivateKey,
 		privateKey:   privateKey,
 		keyID:        keyID,
 		validity:     time.Hour,
 		organization: "Clash",
 		certsStorage: NewDomainTrieCertsStorage(),
 		roots:        roots,
 	}, nil
 }
 func (c *Config) GetCA() *x509.Certificate {
 	return c.ca
 }
 func (c *Config) SetOrganization(organization string) {
 	c.organization = organization
 }
 func (c *Config) SetValidity(validity time.Duration) {
 	c.validity = validity
 }
 func (c *Config) NewTLSConfigForHost(hostname string) *tls.Config {
 	tlsConfig := &tls.Config{
 		GetCertificate: func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 			host := clientHello.ServerName
 			if host == "" {
 				host = hostname
 			}
 			return c.GetOrCreateCert(host)
 		},
 		NextProtos: []string{"http/1.1"},
 	}
 	tlsConfig.InsecureSkipVerify = true
 	return tlsConfig
 }
 func (c *Config) GetOrCreateCert(hostname string, ips ...net.IP) (*tls.Certificate, error) {
 	var leaf *x509.Certificate
 	tlsCertificate, ok := c.certsStorage.Get(hostname)
 	if ok {
 		leaf = tlsCertificate.Leaf
 		if _, err := leaf.Verify(x509.VerifyOptions{
 			DNSName: hostname,
 			Roots:   c.roots,
 		}); err == nil {
 			return tlsCertificate, nil
 		}
 	}
 	var (
 		key          = hostname
 		topHost      = hostname
 		wildcardHost = "*." + hostname
 		dnsNames     []string
 	)
 	if ip := net.ParseIP(hostname); ip != nil {
 		ips = append(ips, ip)
 	} else {
 		parts := strings.Split(hostname, ".")
 		l := len(parts)
 		if leaf != nil {
 			dnsNames = append(dnsNames, leaf.DNSNames...)
 		}
 		if l > 2 {
 			topIndex := l - 2
 			topHost = strings.Join(parts[topIndex:], ".")
 			for i := topIndex; i > 0; i-- {
 				wildcardHost = "*." + strings.Join(parts[i:], ".")
 				if i == topIndex && (len(dnsNames) == 0 || dnsNames[0] != topHost) {
 					dnsNames = append(dnsNames, topHost, wildcardHost)
 				} else if !hasDnsNames(dnsNames, wildcardHost) {
 					dnsNames = append(dnsNames, wildcardHost)
 				}
 			}
 		} else {
 			dnsNames = append(dnsNames, topHost, wildcardHost)
 		}
 		key = "+." + topHost
 	}
 	serial := atomic.AddInt64(&currentSerialNumber, 1)
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(serial),
 		Subject: pkix.Name{
 			CommonName:   topHost,
 			Organization: []string{c.organization},
 		},
 		SubjectKeyId:          c.keyID,
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 		NotBefore:             time.Now().Add(-c.validity),
 		NotAfter:              time.Now().Add(c.validity),
 		DNSNames:              dnsNames,
 		IPAddresses:           ips,
 	}
 	raw, err := x509.CreateCertificate(rand.Reader, tmpl, c.ca, c.privateKey.Public(), c.caPrivateKey)
 	if err != nil {
 		return nil, err
 	}
 	x509c, err := x509.ParseCertificate(raw)
 	if err != nil {
 		return nil, err
 	}
 	tlsCertificate = &tls.Certificate{
 		Certificate: [][]byte{raw, c.ca.Raw},
 		PrivateKey:  c.privateKey,
 		Leaf:        x509c,
 	}
 	c.certsStorage.Set(key, tlsCertificate)
 	return tlsCertificate, nil
 }
 // GenerateAndSave generate CA private key and CA certificate and dump them to file
 func GenerateAndSave(caPath string, caKeyPath string) error {
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return err
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(time.Now().Unix()),
 		Subject: pkix.Name{
 			Country:      []string{"US"},
 			CommonName:   "Clash Root CA",
 			Organization: []string{"Clash Trust Services"},
 		},
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		NotBefore:             time.Now().Add(-(time.Hour * 24 * 60)),
 		NotAfter:              time.Now().Add(time.Hour * 24 * 365 * 25),
 		BasicConstraintsValid: true,
 		IsCA:                  true,
 	}
 	caRaw, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, privateKey.Public(), privateKey)
 	if err != nil {
 		return err
 	}
 	caOut, err := os.OpenFile(caPath, os.O_CREATE|os.O_WRONLY, 0o600)
 	if err != nil {
 		return err
 	}
 	defer func(caOut *os.File) {
 		_ = caOut.Close()
 	}(caOut)
 	if err = pem.Encode(caOut, &pem.Block{Type: "CERTIFICATE", Bytes: caRaw}); err != nil {
 		return err
 	}
 	caKeyOut, err := os.OpenFile(caKeyPath, os.O_CREATE|os.O_WRONLY, 0o600)
 	if err != nil {
 		return err
 	}
 	defer func(caKeyOut *os.File) {
 		_ = caKeyOut.Close()
 	}(caKeyOut)
 	if err = pem.Encode(caKeyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}); err != nil {
 		return err
 	}
 	return nil
 }
 func hasDnsNames(dnsNames []string, hostname string) bool {
 	for _, name := range dnsNames {
 		if name == hostname {
 			return true
 		}
 	}
 	return false
 }
--- a/common/cert/storage.go
+++ b/common/cert/storage.go
@@ -1,32 +0,0 @@
 package cert
 import (
 	"crypto/tls"
 	"github.com/Dreamacro/clash/component/trie"
 )
 // DomainTrieCertsStorage cache wildcard certificates
 type DomainTrieCertsStorage struct {
 	certsCache *trie.DomainTrie[*tls.Certificate]
 }
 // Get gets the certificate from the storage
 func (c *DomainTrieCertsStorage) Get(key string) (*tls.Certificate, bool) {
 	ca := c.certsCache.Search(key)
 	if ca == nil {
 		return nil, false
 	}
 	return ca.Data(), true
 }
 // Set saves the certificate to the storage
 func (c *DomainTrieCertsStorage) Set(key string, cert *tls.Certificate) {
 	_ = c.certsCache.Insert(key, cert)
 }
 func NewDomainTrieCertsStorage() *DomainTrieCertsStorage {
 	return &DomainTrieCertsStorage{
 		certsCache: trie.New[*tls.Certificate](),
 	}
 }
--- a/common/cmd/cmd_test.go
+++ b/common/cmd/cmd_test.go
@@ -21,7 +21,7 @@ func TestSplitArgs(t *testing.T) {
 func TestExecCmd(t *testing.T) {
 	if runtime.GOOS == "windows" {
-		_, err := ExecCmd("cmd -c 'dir'")
+		_, err := ExecCmd("dir")
 		assert.Nil(t, err)
 		return
 	}
--- a/common/convert/converter.go
+++ b/common/convert/converter.go
@@ -50,9 +50,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			hysteria["port"] = urlHysteria.Port()
 			hysteria["sni"] = query.Get("peer")
 			hysteria["obfs"] = query.Get("obfs")
-			if alpn := query.Get("alpn"); alpn != "" {
+			hysteria["alpn"] = []string{query.Get("alpn")}
 				hysteria["alpn"] = strings.Split(alpn, ",")
 			}
 			hysteria["auth_str"] = query.Get("auth")
 			hysteria["protocol"] = query.Get("protocol")
 			up := query.Get("up")
@@ -69,47 +67,6 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			proxies = append(proxies, hysteria)
 		case "tuic":
 			// A temporary unofficial TUIC share link standard
 			// Modified from https://github.com/daeuniverse/dae/discussions/182
 			// Changes:
 			//   1. Support TUICv4, just replace uuid:password with token
 			//   2. Remove `allow_insecure` field
 			urlTUIC, err := url.Parse(line)
 			if err != nil {
 				continue
 			}
 			query := urlTUIC.Query()
 			tuic := make(map[string]any, 20)
 			tuic["name"] = uniqueName(names, urlTUIC.Fragment)
 			tuic["type"] = scheme
 			tuic["server"] = urlTUIC.Hostname()
 			tuic["port"] = urlTUIC.Port()
 			tuic["udp"] = true
 			password, v5 := urlTUIC.User.Password()
 			if v5 {
 				tuic["uuid"] = urlTUIC.User.Username()
 				tuic["password"] = password
 			} else {
 				tuic["token"] = urlTUIC.User.Username()
 			}
 			if cc := query.Get("congestion_control"); cc != "" {
 				tuic["congestion-controller"] = cc
 			}
 			if alpn := query.Get("alpn"); alpn != "" {
 				tuic["alpn"] = strings.Split(alpn, ",")
 			}
 			if sni := query.Get("sni"); sni != "" {
 				tuic["sni"] = sni
 			}
 			if query.Get("disable_sni") == "1" {
 				tuic["disable-sni"] = true
 			}
 			if udpRelayMode := query.Get("udp_relay_mode"); udpRelayMode != "" {
 				tuic["udp-relay-mode"] = udpRelayMode
 			}
 		case "trojan":
 			urlTrojan, err := url.Parse(line)
 			if err != nil {
@@ -129,12 +86,10 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			trojan["udp"] = true
 			trojan["skip-cert-verify"], _ = strconv.ParseBool(query.Get("allowInsecure"))
-			if sni := query.Get("sni"); sni != "" {
+			sni := query.Get("sni")
 			if sni != "" {
 				trojan["sni"] = sni
 			}
 			if alpn := query.Get("alpn"); alpn != "" {
 				trojan["alpn"] = strings.Split(alpn, ",")
 			}
 			network := strings.ToLower(query.Get("type"))
 			if network != "" {
@@ -262,9 +217,6 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				if strings.HasSuffix(tls, "tls") {
 					vmess["tls"] = true
 				}
 				if alpn, ok := values["alpn"].(string); ok {
 					vmess["alpn"] = strings.Split(alpn, ",")
 				}
 			}
 			switch network {
@@ -380,7 +332,6 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				}
 			}
 			proxies = append(proxies, ss)
 		case "ssr":
 			dcBuf, err := encRaw.DecodeString(body)
 			if err != nil {
--- a/common/convert/v.go
+++ b/common/convert/v.go
@@ -24,6 +24,8 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 	proxy["port"] = url.Port()
 	proxy["uuid"] = url.User.Username()
 	proxy["udp"] = true
 	proxy["skip-cert-verify"] = false
 	proxy["tls"] = false
 	tls := strings.ToLower(query.Get("security"))
 	if strings.HasSuffix(tls, "tls") || tls == "reality" {
 		proxy["tls"] = true
@@ -32,9 +34,6 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 		} else {
 			proxy["client-fingerprint"] = fingerprint
 		}
 		if alpn := query.Get("alpn"); alpn != "" {
 			proxy["alpn"] = strings.Split(alpn, ",")
 		}
 	}
 	if sni := query.Get("sni"); sni != "" {
 		proxy["servername"] = sni
--- a/common/net/tcpip.go
+++ b/common/net/tcpip.go
@@ -4,11 +4,8 @@ import (
 	"fmt"
 	"net"
 	"strings"
 	"time"
 )
 var KeepAliveInterval time.Duration
 func SplitNetworkType(s string) (string, string, error) {
 	var (
 		shecme   string
@@ -47,10 +44,3 @@ func SplitHostPort(s string) (host, port string, hasPort bool, err error) {
 	host, port, err = net.SplitHostPort(temp)
 	return
 }
 func TCPKeepAlive(c net.Conn) {
 	if tcp, ok := c.(*net.TCPConn); ok {
 		_ = tcp.SetKeepAlive(true)
 		_ = tcp.SetKeepAlivePeriod(KeepAliveInterval * time.Second)
 	}
 }
--- a/common/picker/picker.go
+++ b/common/picker/picker.go
@@ -47,7 +47,6 @@ func (p *Picker[T]) Wait() T {
 	p.wg.Wait()
 	if p.cancel != nil {
 		p.cancel()
 		p.cancel = nil
 	}
 	return p.result
 }
@@ -70,7 +69,6 @@ func (p *Picker[T]) Go(f func() (T, error)) {
 				p.result = ret
 				if p.cancel != nil {
 					p.cancel()
 					p.cancel = nil
 				}
 			})
 		} else {
@@ -80,13 +78,3 @@ func (p *Picker[T]) Go(f func() (T, error)) {
 		}
 	}()
 }
 // Close cancels the picker context and releases resources associated with it.
 // If Wait has been called, then there is no need to call Close.
 func (p *Picker[T]) Close() error {
 	if p.cancel != nil {
 		p.cancel()
 		p.cancel = nil
 	}
 	return nil
 }
--- a/common/picker/picker_test.go
+++ b/common/picker/picker_test.go
@@ -5,7 +5,6 @@ import (
 	"testing"
 	"time"
 	"github.com/samber/lo"
 	"github.com/stretchr/testify/assert"
 )
@@ -16,7 +15,7 @@ func sleepAndSend[T any](ctx context.Context, delay int, input T) func() (T, err
 		case <-timer.C:
 			return input, nil
 		case <-ctx.Done():
-			return lo.Empty[T](), ctx.Err()
+			return getZero[T](), ctx.Err()
 		}
 	}
 }
@@ -36,6 +35,11 @@ func TestPicker_Timeout(t *testing.T) {
 	picker.Go(sleepAndSend(ctx, 20, 1))
 	number := picker.Wait()
-	assert.Equal(t, number, lo.Empty[int]())
+	assert.Equal(t, number, getZero[int]())
 	assert.NotNil(t, picker.Error())
 }
 func getZero[T any]() T {
 	var result T
 	return result
 }
--- a/common/pool/alloc.go
+++ b/common/pool/alloc.go
@@ -32,32 +32,23 @@ func NewAllocator() *Allocator {
 // Get a []byte from pool with most appropriate cap
 func (alloc *Allocator) Get(size int) []byte {
-	switch {
+	if size <= 0 || size > 65536 {
 	case size < 0:
 		panic("alloc.Get: len out of range")
 	case size == 0:
 		return nil
-	case size > 65536:
+	}
-		return make([]byte, size)
+
 	default:
 	bits := msb(size)
 	if size == 1<<bits {
 		return alloc.buffers[bits].Get().([]byte)[:size]
 	}
 	return alloc.buffers[bits+1].Get().([]byte)[:size]
 	}
 }
 // Put returns a []byte to pool for future use,
 // which the cap must be exactly 2^n
 func (alloc *Allocator) Put(buf []byte) error {
 	if cap(buf) == 0 || cap(buf) > 65536 {
 		return nil
 	}
 	bits := msb(cap(buf))
-	if cap(buf) != 1<<bits {
+	if cap(buf) == 0 || cap(buf) > 65536 || cap(buf) != 1<<bits {
 		return errors.New("allocator Put() incorrect buffer size")
 	}
--- a/common/pool/alloc_test.go
+++ b/common/pool/alloc_test.go
@@ -19,17 +19,17 @@ func TestAllocGet(t *testing.T) {
 	assert.Equal(t, 1024, cap(alloc.Get(1023)))
 	assert.Equal(t, 1024, len(alloc.Get(1024)))
 	assert.Equal(t, 65536, len(alloc.Get(65536)))
-	assert.Equal(t, 65537, len(alloc.Get(65537)))
+	assert.Nil(t, alloc.Get(65537))
 }
 func TestAllocPut(t *testing.T) {
 	alloc := NewAllocator()
-	assert.Nil(t, alloc.Put(nil), "put nil misbehavior")
+	assert.NotNil(t, alloc.Put(nil), "put nil misbehavior")
 	assert.NotNil(t, alloc.Put(make([]byte, 3)), "put elem:3 []bytes misbehavior")
 	assert.Nil(t, alloc.Put(make([]byte, 4)), "put elem:4 []bytes misbehavior")
 	assert.Nil(t, alloc.Put(make([]byte, 1023, 1024)), "put elem:1024 []bytes misbehavior")
 	assert.Nil(t, alloc.Put(make([]byte, 65536)), "put elem:65536 []bytes misbehavior")
-	assert.Nil(t, alloc.Put(make([]byte, 65537)), "put elem:65537 []bytes misbehavior")
+	assert.NotNil(t, alloc.Put(make([]byte, 65537)), "put elem:65537 []bytes misbehavior")
 }
 func TestAllocPutThenGet(t *testing.T) {
--- a/common/queue/queue.go
+++ b/common/queue/queue.go
@@ -2,8 +2,6 @@ package queue
 import (
 	"sync"
 	"github.com/samber/lo"
 )
 // Queue is a simple concurrent safe queue
@@ -26,7 +24,7 @@ func (q *Queue[T]) Put(items ...T) {
 // Pop returns the head of items.
 func (q *Queue[T]) Pop() T {
 	if len(q.items) == 0 {
-		return lo.Empty[T]()
+		return GetZero[T]()
 	}
 	q.lock.Lock()
@@ -39,7 +37,7 @@ func (q *Queue[T]) Pop() T {
 // Last returns the last of item.
 func (q *Queue[T]) Last() T {
 	if len(q.items) == 0 {
-		return lo.Empty[T]()
+		return GetZero[T]()
 	}
 	q.lock.RLock()
@@ -71,3 +69,8 @@ func New[T any](hint int64) *Queue[T] {
 		items: make([]T, 0, hint),
 	}
 }
 func GetZero[T any]() T {
 	var result T
 	return result
 }
--- a/common/structure/structure.go
+++ b/common/structure/structure.go
@@ -96,11 +96,6 @@ func (d *Decoder) decode(name string, data any, val reflect.Value) error {
 		return d.decodeFloat(name, data, val)
 	}
 	switch kind {
 	case reflect.Pointer:
 		if val.IsNil() {
 			val.Set(reflect.New(val.Type().Elem()))
 		}
 		return d.decode(name, data, val.Elem())
 	case reflect.String:
 		return d.decodeString(name, data, val)
 	case reflect.Bool:
@@ -287,9 +282,6 @@ func (d *Decoder) decodeSlice(name string, data any, val reflect.Value) error {
 	}
 	valSlice := val
 	// make a new slice with cap(val)==cap(dataVal)
 	// the caller can determine whether the original configuration contains this item by judging whether the value is nil.
 	valSlice = reflect.MakeSlice(valType, 0, dataVal.Len())
 	for i := 0; i < dataVal.Len(); i++ {
 		currentData := dataVal.Index(i).Interface()
 		for valSlice.Len() <= i {
--- a/common/utils/string_unsafe.go
+++ b/common/utils/string_unsafe.go
@@ -2,20 +2,48 @@ package utils
 import "unsafe"
 // sliceHeader is equivalent to reflect.SliceHeader, but represents the pointer
 // to the underlying array as unsafe.Pointer rather than uintptr, allowing
 // sliceHeaders to be directly converted to slice objects.
 type sliceHeader struct {
 	Data unsafe.Pointer
 	Len  int
 	Cap  int
 }
 // slice returns a slice whose underlying array starts at ptr an which length
 // and capacity are len.
 func slice[T any](ptr *T, length int) []T {
 	var s []T
 	hdr := (*sliceHeader)(unsafe.Pointer(&s))
 	hdr.Data = unsafe.Pointer(ptr)
 	hdr.Len = length
 	hdr.Cap = length
 	return s
 }
 // stringHeader is equivalent to reflect.StringHeader, but represents the
 // pointer to the underlying array as unsafe.Pointer rather than uintptr,
 // allowing StringHeaders to be directly converted to strings.
 type stringHeader struct {
 	Data unsafe.Pointer
 	Len  int
 }
 // ImmutableBytesFromString is equivalent to []byte(s), except that it uses the
 // same memory backing s instead of making a heap-allocated copy. This is only
 // valid if the returned slice is never mutated.
 func ImmutableBytesFromString(s string) []byte {
-	b := unsafe.StringData(s)
+	shdr := (*stringHeader)(unsafe.Pointer(&s))
-	return unsafe.Slice(b, len(s))
+	return slice((*byte)(shdr.Data), shdr.Len)
 }
 // StringFromImmutableBytes is equivalent to string(bs), except that it uses
 // the same memory backing bs instead of making a heap-allocated copy. This is
 // only valid if bs is never mutated after StringFromImmutableBytes returns.
 func StringFromImmutableBytes(bs []byte) string {
-	if len(bs) == 0 {
+	// This is cheaper than messing with StringHeader and SliceHeader, which as
-		return ""
+	// of this writing produces many dead stores of zeroes. Compare
-	}
+	// strings.Builder.String().
-	return unsafe.String(&bs[0], len(bs))
+	return *(*string)(unsafe.Pointer(&bs))
 }
--- a/component/auth/auth.go
+++ b/component/auth/auth.go
@@ -1,7 +1,7 @@
 package auth
 import (
-	"github.com/puzpuzpuz/xsync/v2"
+	"sync"
 )
 type Authenticator interface {
@@ -15,7 +15,7 @@ type AuthUser struct {
 }
 type inMemoryAuthenticator struct {
-	storage   *xsync.MapOf[string, string]
+	storage   *sync.Map
 	usernames []string
 }
@@ -31,13 +31,13 @@ func NewAuthenticator(users []AuthUser) Authenticator {
 		return nil
 	}
-	au := &inMemoryAuthenticator{storage: xsync.NewMapOf[string]()}
+	au := &inMemoryAuthenticator{storage: &sync.Map{}}
 	for _, user := range users {
 		au.storage.Store(user.User, user.Pass)
 	}
 	usernames := make([]string, 0, len(users))
-	au.storage.Range(func(key string, value string) bool {
+	au.storage.Range(func(key, value any) bool {
-		usernames = append(usernames, key)
+		usernames = append(usernames, key.(string))
 		return true
 	})
 	au.usernames = usernames
--- a/component/dialer/control.go
+++ b/component/dialer/control.go
@@ -20,20 +20,3 @@ func addControlToListenConfig(lc *net.ListenConfig, fn controlFn) {
 		return fn(context.Background(), network, address, c)
 	}
 }
 func addControlToDialer(d *net.Dialer, fn controlFn) {
 	ld := *d
 	d.ControlContext = func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 		switch {
 		case ld.ControlContext != nil:
 			if err = ld.ControlContext(ctx, network, address, c); err != nil {
 				return
 			}
 		case ld.Control != nil:
 			if err = ld.Control(network, address, c); err != nil {
 				return
 			}
 		}
 		return fn(ctx, network, address, c)
 	}
 }
--- a/component/dialer/control_go119.go
+++ b/component/dialer/control_go119.go
@@ -0,0 +1,22 @@
 //go:build !go1.20
 package dialer
 import (
 	"context"
 	"net"
 	"syscall"
 )
 func addControlToDialer(d *net.Dialer, fn controlFn) {
 	ld := *d
 	d.Control = func(network, address string, c syscall.RawConn) (err error) {
 		switch {
 		case ld.Control != nil:
 			if err = ld.Control(network, address, c); err != nil {
 				return
 			}
 		}
 		return fn(context.Background(), network, address, c)
 	}
 }
--- a/component/dialer/control_go120.go
+++ b/component/dialer/control_go120.go
@@ -0,0 +1,26 @@
 //go:build go1.20
 package dialer
 import (
 	"context"
 	"net"
 	"syscall"
 )
 func addControlToDialer(d *net.Dialer, fn controlFn) {
 	ld := *d
 	d.ControlContext = func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 		switch {
 		case ld.ControlContext != nil:
 			if err = ld.ControlContext(ctx, network, address, c); err != nil {
 				return
 			}
 		case ld.Control != nil:
 			if err = ld.Control(network, address, c); err != nil {
 				return
 			}
 		}
 		return fn(ctx, network, address, c)
 	}
 }
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@@ -2,7 +2,6 @@ package dialer
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net"
 	"net/netip"
@@ -132,9 +131,6 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 	if opt.routingMark != 0 {
 		bindMarkToDialer(opt.routingMark, dialer, network, destination)
 	}
 	if opt.mpTcp {
 		setMultiPathTCP(dialer)
 	}
 	if opt.tfo {
 		return dialTFO(ctx, *dialer, network, address)
 	}
@@ -162,22 +158,14 @@ func concurrentDualStackDialContext(ctx context.Context, network string, ips []n
 func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
 	ipv4s, ipv6s := resolver.SortationAddr(ips)
 	if len(ipv4s) == 0 && len(ipv6s) == 0 {
 		return nil, ErrorNoIpAddress
 	}
 	preferIPVersion := opt.prefer
 	fallbackTicker := time.NewTicker(fallbackTimeout)
 	defer fallbackTicker.Stop()
 	results := make(chan dialResult)
 	returned := make(chan struct{})
 	defer close(returned)
 	var wg sync.WaitGroup
 	racer := func(ips []netip.Addr, isPrimary bool) {
 		defer wg.Done()
 		result := dialResult{isPrimary: isPrimary}
 		defer func() {
 			select {
@@ -190,36 +178,18 @@ func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string,
 		}()
 		result.Conn, result.error = dialFn(ctx, network, ips, port, opt)
 	}
 	if len(ipv4s) != 0 {
 		wg.Add(1)
 	go racer(ipv4s, preferIPVersion != 6)
 	}
 	if len(ipv6s) != 0 {
 		wg.Add(1)
 	go racer(ipv6s, preferIPVersion != 4)
 	}
 	go func() {
 		wg.Wait()
 		close(results)
 	}()
 	var fallback dialResult
 	var errs []error
-
+	for i := 0; i < 2; {
 loop:
 	for {
 		select {
 		case <-fallbackTicker.C:
 			if fallback.error == nil && fallback.Conn != nil {
 				return fallback.Conn, nil
 			}
-		case res, ok := <-results:
+		case res := <-results:
-			if !ok {
+			i++
 				break loop
 			}
 			if res.error == nil {
 				if res.isPrimary {
 					return res.Conn, nil
@@ -234,11 +204,10 @@ loop:
 			}
 		}
 	}
 	if fallback.error == nil && fallback.Conn != nil {
 		return fallback.Conn, nil
 	}
-	return nil, errors.Join(errs...)
+	return nil, errorsJoin(errs...)
 }
 func parallelDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
@@ -275,7 +244,7 @@ func parallelDialContext(ctx context.Context, network string, ips []netip.Addr,
 	}
 	if len(errs) > 0 {
-		return nil, errors.Join(errs...)
+		return nil, errorsJoin(errs...)
 	}
 	return nil, os.ErrDeadlineExceeded
 }
@@ -292,7 +261,7 @@ func serialDialContext(ctx context.Context, network string, ips []netip.Addr, po
 			errs = append(errs, err)
 		}
 	}
-	return nil, errors.Join(errs...)
+	return nil, errorsJoin(errs...)
 }
 type dialResult struct {
--- a/component/dialer/error.go
+++ b/component/dialer/error.go
@@ -2,9 +2,17 @@ package dialer
 import (
 	"errors"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 var (
 	ErrorNoIpAddress           = errors.New("no ip address")
 	ErrorInvalidedNetworkStack = errors.New("invalided network stack")
 )
 func errorsJoin(errs ...error) error {
 	// compatibility with golang<1.20
 	// maybe use errors.Join(errs...) is better after we drop the old version's support
 	return E.Errors(errs...)
 }
--- a/component/dialer/mptcp_go120.go
+++ b/component/dialer/mptcp_go120.go
@@ -1,12 +0,0 @@
 //go:build !go1.21
 package dialer
 import (
 	"net"
 )
 const multipathTCPAvailable = false
 func setMultiPathTCP(dialer *net.Dialer) {
 }
--- a/component/dialer/mptcp_go121.go
+++ b/component/dialer/mptcp_go121.go
@@ -1,11 +0,0 @@
 //go:build go1.21
 package dialer
 import "net"
 const multipathTCPAvailable = true
 func setMultiPathTCP(dialer *net.Dialer) {
 	dialer.SetMultipathTCP(true)
 }
--- a/component/dialer/options.go
+++ b/component/dialer/options.go
@@ -25,7 +25,6 @@ type option struct {
 	network       int
 	prefer        int
 	tfo           bool
 	mpTcp         bool
 	resolver      resolver.Resolver
 	netDialer     NetDialer
 }
@@ -84,12 +83,6 @@ func WithTFO(tfo bool) Option {
 	}
 }
 func WithMPTCP(mpTcp bool) Option {
 	return func(opt *option) {
 		opt.mpTcp = mpTcp
 	}
 }
 func WithNetDialer(netDialer NetDialer) Option {
 	return func(opt *option) {
 		opt.netDialer = netDialer
--- a/component/geodata/memconservative/cache.go
+++ b/component/geodata/memconservative/cache.go
@@ -32,7 +32,7 @@ func (g GeoIPCache) Set(key string, value *router.GeoIP) {
 }
 func (g GeoIPCache) Unmarshal(filename, code string) (*router.GeoIP, error) {
-	asset := C.Path.Resolve(filename)
+	asset := C.Path.GetAssetLocation(filename)
 	idx := strings.ToLower(asset + ":" + code)
 	if g.Has(idx) {
 		return g.Get(idx), nil
@@ -97,7 +97,7 @@ func (g GeoSiteCache) Set(key string, value *router.GeoSite) {
 }
 func (g GeoSiteCache) Unmarshal(filename, code string) (*router.GeoSite, error) {
-	asset := C.Path.Resolve(filename)
+	asset := C.Path.GetAssetLocation(filename)
 	idx := strings.ToLower(asset + ":" + code)
 	if g.Has(idx) {
 		return g.Get(idx), nil
--- a/component/geodata/standard/standard.go
+++ b/component/geodata/standard/standard.go
@@ -26,7 +26,7 @@ func ReadFile(path string) ([]byte, error) {
 }
 func ReadAsset(file string) ([]byte, error) {
-	return ReadFile(C.Path.Resolve(file))
+	return ReadFile(C.Path.GetAssetLocation(file))
 }
 func loadIP(geoipBytes []byte, country string) ([]*router.CIDR, error) {
--- a/component/iface/iface.go
+++ b/component/iface/iface.go
@@ -24,6 +24,8 @@ var (
 var interfaces = singledo.NewSingle[map[string]*Interface](time.Second * 20)
 const FlagRunning = 32 // interface is in running state, compatibility with golang<1.20
 func ResolveInterface(name string) (*Interface, error) {
 	value, err, _ := interfaces.Do(func() (map[string]*Interface, error) {
 		ifaces, err := net.Interfaces()
@@ -39,7 +41,7 @@ func ResolveInterface(name string) (*Interface, error) {
 				continue
 			}
 			// if not available device like Meta, dummy0, docker0, etc.
-			if (iface.Flags&net.FlagMulticast == 0) || (iface.Flags&net.FlagPointToPoint != 0) || (iface.Flags&net.FlagRunning == 0) {
+			if (iface.Flags&net.FlagMulticast == 0) || (iface.Flags&net.FlagPointToPoint != 0) || (iface.Flags&FlagRunning == 0) {
 				continue
 			}
--- a/component/mmdb/mmdb.go
+++ b/component/mmdb/mmdb.go
@@ -12,68 +12,42 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
-	"github.com/oschwald/maxminddb-golang"
+	"github.com/oschwald/geoip2-golang"
 )
 type databaseType = uint8
 const (
 	typeMaxmind databaseType = iota
 	typeSing
 	typeMetaV0
 )
 var (
-	reader Reader
+	mmdb *geoip2.Reader
 	once sync.Once
 )
 func LoadFromBytes(buffer []byte) {
 	once.Do(func() {
-		mmdb, err := maxminddb.FromBytes(buffer)
+		var err error
 		mmdb, err = geoip2.FromBytes(buffer)
 		if err != nil {
 			log.Fatalln("Can't load mmdb: %s", err.Error())
 		}
 		reader = Reader{Reader: mmdb}
 		switch mmdb.Metadata.DatabaseType {
 		case "sing-geoip":
 			reader.databaseType = typeSing
 		case "Meta-geoip0":
 			reader.databaseType = typeMetaV0
 		default:
 			reader.databaseType = typeMaxmind
 		}
 	})
 }
 func Verify() bool {
-	instance, err := maxminddb.Open(C.Path.MMDB())
+	instance, err := geoip2.Open(C.Path.MMDB())
 	if err == nil {
 		instance.Close()
 	}
 	return err == nil
 }
-func Instance() Reader {
+func Instance() *geoip2.Reader {
 	once.Do(func() {
-		mmdbPath := C.Path.MMDB()
+		var err error
-		log.Debugln("Load MMDB file: %s", mmdbPath)
+		mmdb, err = geoip2.Open(C.Path.MMDB())
 		mmdb, err := maxminddb.Open(mmdbPath)
 		if err != nil {
-			log.Fatalln("Can't load MMDB: %s", err.Error())
+			log.Fatalln("Can't load mmdb: %s", err.Error())
 		}
 		reader = Reader{Reader: mmdb}
 		switch mmdb.Metadata.DatabaseType {
 		case "sing-geoip":
 			reader.databaseType = typeSing
 		case "Meta-geoip0":
 			reader.databaseType = typeMetaV0
 		default:
 			reader.databaseType = typeMaxmind
 		}
 	})
-	return reader
+	return mmdb
 }
 func DownloadMMDB(path string) (err error) {
--- a/component/mmdb/reader.go
+++ b/component/mmdb/reader.go
@@ -1,56 +0,0 @@
 package mmdb
 import (
 	"fmt"
 	"net"
 	"github.com/oschwald/maxminddb-golang"
 	"github.com/sagernet/sing/common"
 )
 type geoip2Country struct {
 	Country struct {
 		IsoCode string `maxminddb:"iso_code"`
 	} `maxminddb:"country"`
 }
 type Reader struct {
 	*maxminddb.Reader
 	databaseType
 }
 func (r Reader) LookupCode(ipAddress net.IP) []string {
 	switch r.databaseType {
 	case typeMaxmind:
 		var country geoip2Country
 		_ = r.Lookup(ipAddress, &country)
 		if country.Country.IsoCode == "" {
 			return []string{}
 		}
 		return []string{country.Country.IsoCode}
 	case typeSing:
 		var code string
 		_ = r.Lookup(ipAddress, &code)
 		if code == "" {
 			return []string{}
 		}
 		return []string{code}
 	case typeMetaV0:
 		var record any
 		_ = r.Lookup(ipAddress, &record)
 		switch record := record.(type) {
 		case string:
 			return []string{record}
 		case []any: // lookup returned type of slice is []any
 			return common.Map(record, func(it any) string {
 				return it.(string)
 			})
 		}
 		return []string{}
 	default:
 		panic(fmt.Sprint("unknown geoip database type:", r.databaseType))
 	}
 }
--- a/component/nat/table.go
+++ b/component/nat/table.go
@@ -5,28 +5,23 @@ import (
 	"sync"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/puzpuzpuz/xsync/v2"
 )
 type Table struct {
-	mapping *xsync.MapOf[string, *Entry]
+	mapping sync.Map
 	lockMap *xsync.MapOf[string, *sync.Cond]
 }
 type Entry struct {
 	PacketConn      C.PacketConn
 	WriteBackProxy  C.WriteBackProxy
-	LocalUDPConnMap *xsync.MapOf[string, *net.UDPConn]
+	LocalUDPConnMap sync.Map
 	LocalLockMap    *xsync.MapOf[string, *sync.Cond]
 }
 func (t *Table) Set(key string, e C.PacketConn, w C.WriteBackProxy) {
 	t.mapping.Store(key, &Entry{
 		PacketConn:      e,
 		WriteBackProxy:  w,
-		LocalUDPConnMap: xsync.NewMapOf[*net.UDPConn](),
+		LocalUDPConnMap: sync.Map{},
 		LocalLockMap:    xsync.NewMapOf[*sync.Cond](),
 	})
 }
@@ -39,19 +34,15 @@ func (t *Table) Get(key string) (C.PacketConn, C.WriteBackProxy) {
 }
 func (t *Table) GetOrCreateLock(key string) (*sync.Cond, bool) {
-	item, loaded := t.lockMap.LoadOrCompute(key, makeLock)
+	item, loaded := t.mapping.LoadOrStore(key, sync.NewCond(&sync.Mutex{}))
-	return item, loaded
+	return item.(*sync.Cond), loaded
 }
 func (t *Table) Delete(key string) {
 	t.mapping.Delete(key)
 }
-func (t *Table) DeleteLock(lockKey string) {
+func (t *Table) GetLocalConn(lAddr, rAddr string) *net.UDPConn {
 	t.lockMap.Delete(lockKey)
 }
 func (t *Table) GetForLocalConn(lAddr, rAddr string) *net.UDPConn {
 	entry, exist := t.getEntry(lAddr)
 	if !exist {
 		return nil
@@ -60,10 +51,10 @@ func (t *Table) GetForLocalConn(lAddr, rAddr string) *net.UDPConn {
 	if !exist {
 		return nil
 	}
-	return item
+	return item.(*net.UDPConn)
 }
-func (t *Table) AddForLocalConn(lAddr, rAddr string, conn *net.UDPConn) bool {
+func (t *Table) AddLocalConn(lAddr, rAddr string, conn *net.UDPConn) bool {
 	entry, exist := t.getEntry(lAddr)
 	if !exist {
 		return false
@@ -72,7 +63,7 @@ func (t *Table) AddForLocalConn(lAddr, rAddr string, conn *net.UDPConn) bool {
 	return true
 }
-func (t *Table) RangeForLocalConn(lAddr string, f func(key string, value *net.UDPConn) bool) {
+func (t *Table) RangeLocalConn(lAddr string, f func(key, value any) bool) {
 	entry, exist := t.getEntry(lAddr)
 	if !exist {
 		return
@@ -85,11 +76,11 @@ func (t *Table) GetOrCreateLockForLocalConn(lAddr, key string) (*sync.Cond, bool
 	if !loaded {
 		return nil, false
 	}
-	item, loaded := entry.LocalLockMap.LoadOrCompute(key, makeLock)
+	item, loaded := entry.LocalUDPConnMap.LoadOrStore(key, sync.NewCond(&sync.Mutex{}))
-	return item, loaded
+	return item.(*sync.Cond), loaded
 }
-func (t *Table) DeleteForLocalConn(lAddr, key string) {
+func (t *Table) DeleteLocalConnMap(lAddr, key string) {
 	entry, loaded := t.getEntry(lAddr)
 	if !loaded {
 		return
@@ -97,26 +88,17 @@ func (t *Table) DeleteForLocalConn(lAddr, key string) {
 	entry.LocalUDPConnMap.Delete(key)
 }
 func (t *Table) DeleteLockForLocalConn(lAddr, key string) {
 	entry, loaded := t.getEntry(lAddr)
 	if !loaded {
 		return
 	}
 	entry.LocalLockMap.Delete(key)
 }
 func (t *Table) getEntry(key string) (*Entry, bool) {
-	return t.mapping.Load(key)
+	item, ok := t.mapping.Load(key)
-}
+	// This should not happen usually since this function called after PacketConn created
-
+	if !ok {
-func makeLock() *sync.Cond {
+		return nil, false
-	return sync.NewCond(&sync.Mutex{})
+	}
 	entry, ok := item.(*Entry)
 	return entry, ok
 }
 // New return *Cache
 func New() *Table {
-	return &Table{
+	return &Table{}
 		mapping: xsync.NewMapOf[*Entry](),
 		lockMap: xsync.NewMapOf[*sync.Cond](),
 	}
 }
--- a/component/resource/fetcher.go
+++ b/component/resource/fetcher.go
@@ -9,8 +9,6 @@ import (
 	types "github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/log"
 	"github.com/samber/lo"
 )
 var (
@@ -67,7 +65,7 @@ func (f *Fetcher[V]) Initial() (V, error) {
 	}
 	if err != nil {
-		return lo.Empty[V](), err
+		return getZero[V](), err
 	}
 	var contents V
@@ -87,18 +85,18 @@ func (f *Fetcher[V]) Initial() (V, error) {
 	if err != nil {
 		if !isLocal {
-			return lo.Empty[V](), err
+			return getZero[V](), err
 		}
 		// parse local file error, fallback to remote
 		buf, err = f.vehicle.Read()
 		if err != nil {
-			return lo.Empty[V](), err
+			return getZero[V](), err
 		}
 		contents, err = f.parser(buf)
 		if err != nil {
-			return lo.Empty[V](), err
+			return getZero[V](), err
 		}
 		isLocal = false
@@ -106,7 +104,7 @@ func (f *Fetcher[V]) Initial() (V, error) {
 	if f.vehicle.Type() != types.File && !isLocal {
 		if err := safeWrite(f.vehicle.Path(), buf); err != nil {
-			return lo.Empty[V](), err
+			return getZero[V](), err
 		}
 	}
@@ -123,7 +121,7 @@ func (f *Fetcher[V]) Initial() (V, error) {
 func (f *Fetcher[V]) Update() (V, bool, error) {
 	buf, err := f.vehicle.Read()
 	if err != nil {
-		return lo.Empty[V](), false, err
+		return getZero[V](), false, err
 	}
 	now := time.Now()
@@ -131,17 +129,17 @@ func (f *Fetcher[V]) Update() (V, bool, error) {
 	if bytes.Equal(f.hash[:], hash[:]) {
 		f.UpdatedAt = &now
 		_ = os.Chtimes(f.vehicle.Path(), now, now)
-		return lo.Empty[V](), true, nil
+		return getZero[V](), true, nil
 	}
 	contents, err := f.parser(buf)
 	if err != nil {
-		return lo.Empty[V](), false, err
+		return getZero[V](), false, err
 	}
 	if f.vehicle.Type() != types.File {
 		if err := safeWrite(f.vehicle.Path(), buf); err != nil {
-			return lo.Empty[V](), false, err
+			return getZero[V](), false, err
 		}
 	}
@@ -212,3 +210,8 @@ func NewFetcher[V any](name string, interval time.Duration, vehicle types.Vehicl
 		interval: interval,
 	}
 }
 func getZero[V any]() V {
 	var result V
 	return result
 }
--- a/component/resource/vehicle.go
+++ b/component/resource/vehicle.go
@@ -2,14 +2,12 @@ package resource
 import (
 	"context"
-	"errors"
+	clashHttp "github.com/Dreamacro/clash/component/http"
 	types "github.com/Dreamacro/clash/constant/provider"
 	"io"
 	"net/http"
 	"os"
 	"time"
 	clashHttp "github.com/Dreamacro/clash/component/http"
 	types "github.com/Dreamacro/clash/constant/provider"
 )
 type FileVehicle struct {
@@ -56,10 +54,8 @@ func (h *HTTPVehicle) Read() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode < 200 || resp.StatusCode > 299 {
 		return nil, errors.New(resp.Status)
 	}
 	buf, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
--- a/component/sniffer/dispatcher.go
+++ b/component/sniffer/dispatcher.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
 	"strconv"
 	"sync"
 	"time"
@@ -37,11 +38,17 @@ type SnifferDispatcher struct {
 func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) {
 	if (metadata.Host == "" && sd.parsePureIp) || sd.forceDomain.Has(metadata.Host) || (metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping) {
 		port, err := strconv.ParseUint(metadata.DstPort, 10, 16)
 		if err != nil {
 			log.Debugln("[Sniffer] Dst port is error")
 			return
 		}
 		inWhitelist := false
 		overrideDest := false
 		for sniffer, config := range sd.sniffers {
 			if sniffer.SupportNetwork() == C.TCP || sniffer.SupportNetwork() == C.ALLNet {
-				inWhitelist = sniffer.SupportPort(metadata.DstPort)
+				inWhitelist = sniffer.SupportPort(uint16(port))
 				if inWhitelist {
 					overrideDest = config.OverrideDest
 					break
@@ -54,7 +61,7 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata
 		}
 		sd.rwMux.RLock()
-		dst := fmt.Sprintf("%s:%d", metadata.DstIP, metadata.DstPort)
+		dst := fmt.Sprintf("%s:%s", metadata.DstIP, metadata.DstPort)
 		if count, ok := sd.skipList.Get(dst); ok && count > 5 {
 			log.Debugln("[Sniffer] Skip sniffing[%s] due to multiple failures", dst)
 			defer sd.rwMux.RUnlock()
@@ -64,7 +71,7 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata
 		if host, err := sd.sniffDomain(conn, metadata); err != nil {
 			sd.cacheSniffFailed(metadata)
-			log.Debugln("[Sniffer] All sniffing sniff failed with from [%s:%d] to [%s:%d]", metadata.SrcIP, metadata.SrcPort, metadata.String(), metadata.DstPort)
+			log.Debugln("[Sniffer] All sniffing sniff failed with from [%s:%s] to [%s:%s]", metadata.SrcIP, metadata.SrcPort, metadata.String(), metadata.DstPort)
 			return
 		} else {
 			if sd.skipSNI.Has(host) {
@@ -142,7 +149,7 @@ func (sd *SnifferDispatcher) sniffDomain(conn *N.BufferedConn, metadata *C.Metad
 func (sd *SnifferDispatcher) cacheSniffFailed(metadata *C.Metadata) {
 	sd.rwMux.Lock()
-	dst := fmt.Sprintf("%s:%d", metadata.DstIP, metadata.DstPort)
+	dst := fmt.Sprintf("%s:%s", metadata.DstIP, metadata.DstPort)
 	count, _ := sd.skipList.Get(dst)
 	if count <= 5 {
 		count++
--- a/component/tls/config.go
+++ b/component/tls/config.go
@@ -10,6 +10,8 @@ import (
 	"fmt"
 	"strings"
 	"sync"
 	xtls "github.com/xtls/go"
 )
 var trustCerts []*x509.Certificate
@@ -120,3 +122,27 @@ func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
 	tlsConfig.RootCAs = certPool
 	return tlsConfig
 }
 // GetSpecifiedFingerprintXTLSConfig specified fingerprint
 func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint string) (*xtls.Config, error) {
 	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
 		return nil, err
 	} else {
 		tlsConfig = GetGlobalXTLSConfig(tlsConfig)
 		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
 		tlsConfig.InsecureSkipVerify = true
 		return tlsConfig, nil
 	}
 }
 func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
 	certPool := getCertPool()
 	if tlsConfig == nil {
 		return &xtls.Config{
 			RootCAs: certPool,
 		}
 	}
 	tlsConfig.RootCAs = certPool
 	return tlsConfig
 }
--- a/component/tls/reality.go
+++ b/component/tls/reality.go
@@ -22,7 +22,6 @@ import (
 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/ntp"
 	utls "github.com/sagernet/utls"
 	"github.com/zhangyunhao116/fastrand"
@@ -71,7 +70,7 @@ func GetRealityConn(ctx context.Context, conn net.Conn, ClientFingerprint string
 			rawSessionID[i] = 0
 		}
-		binary.BigEndian.PutUint64(hello.SessionId, uint64(ntp.Now().Unix()))
+		binary.BigEndian.PutUint64(hello.SessionId, uint64(time.Now().Unix()))
 		copy(hello.SessionId[8:], realityConfig.ShortID[:])
 		hello.SessionId[0] = 1
--- a/config/config.go
+++ b/config/config.go
@@ -16,7 +16,6 @@ import (
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/adapter/outboundgroup"
 	"github.com/Dreamacro/clash/adapter/provider"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/auth"
 	"github.com/Dreamacro/clash/component/dialer"
@@ -35,7 +34,6 @@ import (
 	L "github.com/Dreamacro/clash/listener"
 	LC "github.com/Dreamacro/clash/listener/config"
 	"github.com/Dreamacro/clash/log"
 	rewrites "github.com/Dreamacro/clash/rewrite"
 	R "github.com/Dreamacro/clash/rules"
 	RP "github.com/Dreamacro/clash/rules/provider"
 	T "github.com/Dreamacro/clash/tunnel"
@@ -53,7 +51,6 @@ type General struct {
 	IPv6                    bool              `json:"ipv6"`
 	Interface               string            `json:"interface-name"`
 	RoutingMark             int               `json:"-"`
 	GeoXUrl                 GeoXUrl           `json:"geox-url"`
 	GeodataMode             bool              `json:"geodata-mode"`
 	GeodataLoader           string            `json:"geodata-loader"`
 	TCPConcurrent           bool              `json:"tcp-concurrent"`
@@ -61,7 +58,6 @@ type General struct {
 	Sniffing                bool              `json:"sniffing"`
 	EBpf                    EBpf              `json:"-"`
 	GlobalClientFingerprint string            `json:"global-client-fingerprint"`
 	KeepAliveInterval       int               `json:"keep-alive-interval"`
 }
 // Inbound config
@@ -79,8 +75,6 @@ type Inbound struct {
 	AllowLan          bool          `json:"allow-lan"`
 	BindAddress       string        `json:"bind-address"`
 	InboundTfo        bool          `json:"inbound-tfo"`
 	InboundMPTCP      bool          `json:"inbound-mptcp"`
 	MitmPort          int           `json:"mitm-port"`
 }
 // Controller config
@@ -91,14 +85,6 @@ type Controller struct {
 	Secret                string `json:"-"`
 }
 // NTP config
 type NTP struct {
 	Enable   bool   `yaml:"enable"`
 	Server   string `yaml:"server"`
 	Port     int    `yaml:"port"`
 	Interval int    `yaml:"interval"`
 }
 // DNS config
 type DNS struct {
 	Enable                bool             `yaml:"enable"`
@@ -154,12 +140,6 @@ type Sniffer struct {
 	ParsePureIp     bool
 }
 // Mitm config
 type Mitm struct {
 	Port  int           `yaml:"port" json:"port"`
 	Rules C.RewriteRule `yaml:"rules" json:"rules"`
 }
 // Experimental config
 type Experimental struct {
 	Fingerprints []string `yaml:"fingerprints"`
@@ -169,8 +149,6 @@ type Experimental struct {
 type Config struct {
 	General       *General
 	IPTables      *IPTables
 	Mitm          *Mitm
 	NTP           *NTP
 	DNS           *DNS
 	Experimental  *Experimental
 	Hosts         *trie.DomainTrie[resolver.HostValue]
@@ -187,13 +165,6 @@ type Config struct {
 	TLS           *TLS
 }
 type RawNTP struct {
 	Enable     bool   `yaml:"enable"`
 	Server     string `yaml:"server"`
 	ServerPort int    `yaml:"server-port"`
 	Interval   int    `yaml:"interval"`
 }
 type RawDNS struct {
 	Enable                bool              `yaml:"enable"`
 	PreferH3              bool              `yaml:"prefer-h3"`
@@ -262,22 +233,15 @@ type RawTuicServer struct {
 	CWND                  int               `yaml:"cwnd" json:"cwnd,omitempty"`
 }
 type RawMitm struct {
 	Port  int                    `yaml:"port" json:"port"`
 	Rules []rewrites.RawMitmRule `yaml:"rules" json:"rules"`
 }
 type RawConfig struct {
 	Port                    int               `yaml:"port"`
 	SocksPort               int               `yaml:"socks-port"`
 	RedirPort               int               `yaml:"redir-port"`
 	TProxyPort              int               `yaml:"tproxy-port"`
 	MixedPort               int               `yaml:"mixed-port"`
 	MitmPort                int               `yaml:"mitm-port"`
 	ShadowSocksConfig       string            `yaml:"ss-config"`
 	VmessConfig             string            `yaml:"vmess-config"`
 	InboundTfo              bool              `yaml:"inbound-tfo"`
 	InboundMPTCP            bool              `yaml:"inbound-mptcp"`
 	Authentication          []string          `yaml:"authentication"`
 	AllowLan                bool              `yaml:"allow-lan"`
 	BindAddress             string            `yaml:"bind-address"`
@@ -297,22 +261,19 @@ type RawConfig struct {
 	TCPConcurrent           bool              `yaml:"tcp-concurrent" json:"tcp-concurrent"`
 	FindProcessMode         P.FindProcessMode `yaml:"find-process-mode" json:"find-process-mode"`
 	GlobalClientFingerprint string            `yaml:"global-client-fingerprint"`
 	KeepAliveInterval       int               `yaml:"keep-alive-interval"`
 	Sniffer       RawSniffer                `yaml:"sniffer"`
 	ProxyProvider map[string]map[string]any `yaml:"proxy-providers"`
 	RuleProvider  map[string]map[string]any `yaml:"rule-providers"`
 	Hosts         map[string]any            `yaml:"hosts"`
 	NTP           RawNTP                    `yaml:"ntp"`
 	DNS           RawDNS                    `yaml:"dns"`
 	Tun           RawTun                    `yaml:"tun"`
 	TuicServer    RawTuicServer             `yaml:"tuic-server"`
 	EBpf          EBpf                      `yaml:"ebpf"`
 	IPTables      IPTables                  `yaml:"iptables"`
 	MITM          RawMitm                   `yaml:"mitm"`
 	Experimental  Experimental              `yaml:"experimental"`
 	Profile       Profile                   `yaml:"profile"`
-	GeoXUrl       GeoXUrl                   `yaml:"geox-url"`
+	GeoXUrl       RawGeoXUrl                `yaml:"geox-url"`
 	Proxy         []map[string]any          `yaml:"proxies"`
 	ProxyGroup    []map[string]any          `yaml:"proxy-groups"`
 	Rule          []string                  `yaml:"rules"`
@@ -321,7 +282,7 @@ type RawConfig struct {
 	Listeners     []map[string]any          `yaml:"listeners"`
 }
-type GeoXUrl struct {
+type RawGeoXUrl struct {
 	GeoIp   string `yaml:"geoip" json:"geoip"`
 	Mmdb    string `yaml:"mmdb" json:"mmdb"`
 	GeoSite string `yaml:"geosite" json:"geosite"`
@@ -454,17 +415,13 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			ParsePureIp:     true,
 			OverrideDest:    true,
 		},
 		MITM: RawMitm{
 			Port:  0,
 			Rules: []rewrites.RawMitmRule{},
 		},
 		Profile: Profile{
 			StoreSelected: true,
 		},
-		GeoXUrl: GeoXUrl{
+		GeoXUrl: RawGeoXUrl{
-			Mmdb:    "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb",
+			Mmdb:    "https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/country.mmdb",
-			GeoIp:   "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat",
+			GeoIp:   "https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat",
-			GeoSite: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat",
+			GeoSite: "https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat",
 		},
 	}
@@ -491,7 +448,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	config.General = general
 	if len(config.General.GlobalClientFingerprint) != 0 {
-		log.Debugln("GlobalClientFingerprint: %s", config.General.GlobalClientFingerprint)
+		log.Debugln("GlobalClientFingerprint:%s", config.General.GlobalClientFingerprint)
 		tlsC.SetGlobalUtlsClient(config.General.GlobalClientFingerprint)
 	}
@@ -533,9 +490,6 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.Hosts = hosts
 	ntpCfg := paresNTP(rawCfg)
 	config.NTP = ntpCfg
 	dnsCfg, err := parseDNS(rawCfg, hosts, rules, ruleProviders)
 	if err != nil {
 		return nil, err
@@ -552,12 +506,6 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 		return nil, err
 	}
 	mitm, err := parseMitm(rawCfg.MITM)
 	if err != nil {
 		return nil, err
 	}
 	config.Mitm = mitm
 	config.Users = parseAuthentication(rawCfg.Authentication)
 	config.Tunnels = rawCfg.Tunnels
@@ -584,15 +532,6 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 func parseGeneral(cfg *RawConfig) (*General, error) {
 	externalUI := cfg.ExternalUI
 	geodata.SetLoader(cfg.GeodataLoader)
 	C.GeoIpUrl = cfg.GeoXUrl.GeoIp
 	C.GeoSiteUrl = cfg.GeoXUrl.GeoSite
 	C.MmdbUrl = cfg.GeoXUrl.Mmdb
 	C.GeodataMode = cfg.GeodataMode
 	if cfg.KeepAliveInterval == 0 {
 		cfg.KeepAliveInterval = 30
 	}
 	N.KeepAliveInterval = time.Duration(cfg.KeepAliveInterval) * time.Second
 	log.Infoln("Keep Alive Interval set %+v", N.KeepAliveInterval)
 	// checkout externalUI exist
 	if externalUI != "" {
 		externalUI = C.Path.Resolve(externalUI)
@@ -608,13 +547,11 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 			RedirPort:         cfg.RedirPort,
 			TProxyPort:        cfg.TProxyPort,
 			MixedPort:         cfg.MixedPort,
 			MitmPort:          cfg.MitmPort,
 			ShadowSocksConfig: cfg.ShadowSocksConfig,
 			VmessConfig:       cfg.VmessConfig,
 			AllowLan:          cfg.AllowLan,
 			BindAddress:       cfg.BindAddress,
 			InboundTfo:        cfg.InboundTfo,
 			InboundMPTCP:      cfg.InboundMPTCP,
 		},
 		Controller: Controller{
 			ExternalController:    cfg.ExternalController,
@@ -628,14 +565,12 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 		IPv6:                    cfg.IPv6,
 		Interface:               cfg.Interface,
 		RoutingMark:             cfg.RoutingMark,
 		GeoXUrl:                 cfg.GeoXUrl,
 		GeodataMode:             cfg.GeodataMode,
 		GeodataLoader:           cfg.GeodataLoader,
 		TCPConcurrent:           cfg.TCPConcurrent,
 		FindProcessMode:         cfg.FindProcessMode,
 		EBpf:                    cfg.EBpf,
 		GlobalClientFingerprint: cfg.GlobalClientFingerprint,
 		KeepAliveInterval:       cfg.KeepAliveInterval,
 	}, nil
 }
@@ -656,11 +591,6 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 	proxies["PASS"] = adapter.NewProxy(outbound.NewPass())
 	proxyList = append(proxyList, "DIRECT", "REJECT")
 	if cfg.MITM.Port != 0 {
 		proxies["MITM"] = adapter.NewProxy(outbound.NewMitm(fmt.Sprintf("127.0.0.1:%d", cfg.MITM.Port)))
 		proxyList = append(proxyList, "MITM")
 	}
 	// parse proxy
 	for idx, mapping := range proxiesConfig {
 		proxy, err := adapter.ParseProxy(mapping)
@@ -782,9 +712,6 @@ func parseRuleProviders(cfg *RawConfig) (ruleProviders map[string]providerTypes.
 func parseSubRules(cfg *RawConfig, proxies map[string]C.Proxy) (subRules map[string][]C.Rule, err error) {
 	subRules = map[string][]C.Rule{}
 	for name := range cfg.SubRules {
 		subRules[name] = make([]C.Rule, 0)
 	}
 	for name, rawRules := range cfg.SubRules {
 		if len(name) == 0 {
 			return nil, fmt.Errorf("sub-rule name is empty")
@@ -941,14 +868,6 @@ func parseHosts(cfg *RawConfig) (*trie.DomainTrie[resolver.HostValue], error) {
 			_ = tree.Insert(domain, value)
 		}
 	}
 	if cfg.MITM.Port != 0 {
 		value, _ := resolver.NewHostValue("8.8.9.9")
 		if err := tree.Insert("mitm.clash", value); err != nil {
 			log.Errorln("insert mitm.clash to host error: %s", err.Error())
 		}
 	}
 	tree.Optimize()
 	return tree, nil
@@ -1201,29 +1120,6 @@ func parseFallbackGeoSite(countries []string, rules []C.Rule) ([]*router.DomainM
 	return sites, nil
 }
 func paresNTP(rawCfg *RawConfig) *NTP {
 	var server = "time.apple.com"
 	var port = 123
 	var interval = 30
 	cfg := rawCfg.NTP
 	if len(cfg.Server) != 0 {
 		server = cfg.Server
 	}
 	if cfg.ServerPort != 0 {
 		port = cfg.ServerPort
 	}
 	if cfg.Interval != 0 {
 		interval = cfg.Interval
 	}
 	ntpCfg := &NTP{
 		Enable:   cfg.Enable,
 		Server:   server,
 		Port:     port,
 		Interval: interval,
 	}
 	return ntpCfg
 }
 func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rules []C.Rule, ruleProviders map[string]providerTypes.RuleProvider) (*DNS, error) {
 	cfg := rawCfg.DNS
 	if cfg.Enable && len(cfg.NameServer) == 0 {
@@ -1497,28 +1393,3 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) {
 	return sniffer, nil
 }
 func parseMitm(rawMitm RawMitm) (*Mitm, error) {
 	var (
 		req []C.Rewrite
 		res []C.Rewrite
 	)
 	for _, line := range rawMitm.Rules {
 		rule, err := rewrites.ParseRewrite(line)
 		if err != nil {
 			return nil, fmt.Errorf("parse rewrite rule failure: %w", err)
 		}
 		if rule.RuleType() == C.MitmResponseHeader || rule.RuleType() == C.MitmResponseBody {
 			res = append(res, rule)
 		} else {
 			req = append(req, rule)
 		}
 	}
 	return &Mitm{
 		Port:  rawMitm.Port,
 		Rules: rewrites.NewRewriteRules(req, res),
 	}, nil
 }
--- a/config/initial.go
+++ b/config/initial.go
@@ -2,6 +2,7 @@ package config
 import (
 	"fmt"
 	"github.com/Dreamacro/clash/component/geodata"
 	"os"
 	C "github.com/Dreamacro/clash/constant"
@@ -27,6 +28,23 @@ func Init(dir string) error {
 		f.Write([]byte(`mixed-port: 7890`))
 		f.Close()
 	}
 	buf, _ := os.ReadFile(C.Path.Config())
 	rawCfg, err := UnmarshalRawConfig(buf)
 	if err != nil {
 		log.Errorln(err.Error())
 		fmt.Printf("configuration file %s test failed\n", C.Path.Config())
 		os.Exit(1)
 	}
 	if !C.GeodataMode {
 		C.GeodataMode = rawCfg.GeodataMode
 	}
 	C.GeoIpUrl = rawCfg.GeoXUrl.GeoIp
 	C.GeoSiteUrl = rawCfg.GeoXUrl.GeoSite
 	C.MmdbUrl = rawCfg.GeoXUrl.Mmdb
 	// initial GeoIP
 	if err := geodata.InitGeoIP(); err != nil {
 		return fmt.Errorf("can't initial GeoIP: %w", err)
 	}
 	return nil
 }
--- a/config/updateGeo.go
+++ b/config/updateGeo.go
@@ -14,7 +14,7 @@ import (
 	clashHttp "github.com/Dreamacro/clash/component/http"
 	C "github.com/Dreamacro/clash/constant"
-	"github.com/oschwald/maxminddb-golang"
+	"github.com/oschwald/geoip2-golang"
 )
 func UpdateGeoDatabases() error {
@@ -44,7 +44,7 @@ func UpdateGeoDatabases() error {
 			return fmt.Errorf("can't download MMDB database file: %w", err)
 		}
-		instance, err := maxminddb.FromBytes(data)
+		instance, err := geoip2.FromBytes(data)
 		if err != nil {
 			return fmt.Errorf("invalid MMDB database file: %s", err)
 		}
--- a/constant/adapters.go
+++ b/constant/adapters.go
@@ -19,7 +19,6 @@ const (
 	Direct AdapterType = iota
 	Reject
 	Compatible
 	Mitm
 	Pass
 	Relay
@@ -183,8 +182,6 @@ func (at AdapterType) String() string {
 		return "Compatible"
 	case Pass:
 		return "Pass"
 	case Mitm:
 		return "Mitm"
 	case Shadowsocks:
 		return "Shadowsocks"
 	case ShadowsocksR:
@@ -270,17 +267,13 @@ type NatTable interface {
 	Delete(key string)
-	DeleteLock(key string)
+	GetLocalConn(lAddr, rAddr string) *net.UDPConn
-	GetForLocalConn(lAddr, rAddr string) *net.UDPConn
+	AddLocalConn(lAddr, rAddr string, conn *net.UDPConn) bool
-	AddForLocalConn(lAddr, rAddr string, conn *net.UDPConn) bool
+	RangeLocalConn(lAddr string, f func(key, value any) bool)
-	RangeForLocalConn(lAddr string, f func(key string, value *net.UDPConn) bool)
+	GetOrCreateLockForLocalConn(lAddr, key string) (*sync.Cond, bool)
-	GetOrCreateLockForLocalConn(lAddr string, key string) (*sync.Cond, bool)
+	DeleteLocalConnMap(lAddr, key string)
 	DeleteForLocalConn(lAddr, key string)
 	DeleteLockForLocalConn(lAddr, key string)
 }
--- a/constant/metadata.go
+++ b/constant/metadata.go
@@ -31,7 +31,6 @@ const (
 	TUN
 	TUIC
 	INNER
 	MITM
 )
 type NetWork int
@@ -81,8 +80,6 @@ func (t Type) String() string {
 		return "Tuic"
 	case INNER:
 		return "Inner"
 	case MITM:
 		return "Mitm"
 	default:
 		return "Unknown"
 	}
@@ -131,10 +128,10 @@ type Metadata struct {
 	Type         Type       `json:"type"`
 	SrcIP        netip.Addr `json:"sourceIP"`
 	DstIP        netip.Addr `json:"destinationIP"`
-	SrcPort      uint16     `json:"sourcePort,string"`      // `,string` is used to compatible with old version json output
+	SrcPort      string     `json:"sourcePort"`
-	DstPort      uint16     `json:"destinationPort,string"` // `,string` is used to compatible with old version json output
+	DstPort      string     `json:"destinationPort"`
 	InIP         netip.Addr `json:"inboundIP"`
-	InPort       uint16     `json:"inboundPort,string"` // `,string` is used to compatible with old version json output
+	InPort       string     `json:"inboundPort"`
 	InName       string     `json:"inboundName"`
 	InUser       string     `json:"inboundUser"`
 	Host         string     `json:"host"`
@@ -147,23 +144,19 @@ type Metadata struct {
 	RemoteDst    string     `json:"remoteDestination"`
 	// Only domain rule
 	SniffHost string `json:"sniffHost"`
 	// Only Mitm rule
 	UserAgent string `json:"userAgent"`
 }
 func (m *Metadata) RemoteAddress() string {
-	return net.JoinHostPort(m.String(), strconv.FormatUint(uint64(m.DstPort), 10))
+	return net.JoinHostPort(m.String(), m.DstPort)
 }
 func (m *Metadata) SourceAddress() string {
-	return net.JoinHostPort(m.SrcIP.String(), strconv.FormatUint(uint64(m.SrcPort), 10))
+	return net.JoinHostPort(m.SrcIP.String(), m.SrcPort)
 }
 func (m *Metadata) SourceDetail() string {
 	if m.Type == INNER {
 		return fmt.Sprintf("%s", ClashName)
 	} else if m.Type == MITM {
 		return fmt.Sprintf("%s-MITM", ClashName)
 	}
 	switch {
@@ -179,7 +172,7 @@ func (m *Metadata) SourceDetail() string {
 }
 func (m *Metadata) SourceValid() bool {
-	return m.SrcPort != 0 && m.SrcIP.IsValid()
+	return m.SrcPort != "" && m.SrcIP.IsValid()
 }
 func (m *Metadata) AddrType() int {
@@ -218,7 +211,8 @@ func (m *Metadata) Pure() *Metadata {
 }
 func (m *Metadata) AddrPort() netip.AddrPort {
-	return netip.AddrPortFrom(m.DstIP.Unmap(), m.DstPort)
+	port, _ := strconv.ParseUint(m.DstPort, 10, 16)
 	return netip.AddrPortFrom(m.DstIP.Unmap(), uint16(port))
 }
 func (m *Metadata) UDPAddr() *net.UDPAddr {
@@ -248,11 +242,6 @@ func (m *Metadata) SetRemoteAddress(rawAddress string) error {
 		return err
 	}
 	var uint16Port uint16
 	if port, err := strconv.ParseUint(port, 10, 16); err == nil {
 		uint16Port = uint16(port)
 	}
 	if ip, err := netip.ParseAddr(host); err != nil {
 		m.Host = host
 		m.DstIP = netip.Addr{}
@@ -260,7 +249,7 @@ func (m *Metadata) SetRemoteAddress(rawAddress string) error {
 		m.Host = ""
 		m.DstIP = ip.Unmap()
 	}
-	m.DstPort = uint16Port
+	m.DstPort = port
 	return nil
 }
--- a/constant/path.go
+++ b/constant/path.go
@@ -6,7 +6,6 @@ import (
 	"os"
 	P "path"
 	"path/filepath"
 	"strconv"
 	"strings"
 )
@@ -23,7 +22,7 @@ var Path = func() *path {
 	if err != nil {
 		homeDir, _ = os.Getwd()
 	}
-	allowUnsafePath, _ := strconv.ParseBool(os.Getenv("SKIP_SAFE_PATH_CHECK"))
+	allowUnsafePath := strings.TrimSpace(os.Getenv("SKIP_SAFE_PATH_CHECK")) == "1"
 	homeDir = P.Join(homeDir, ".config", Name)
 	return &path{homeDir: homeDir, configFile: "config.yaml", allowUnsafePath: allowUnsafePath}
 }()
@@ -91,15 +90,13 @@ func (p *path) MMDB() string {
 			// 目录则直接跳过
 			continue
 		} else {
-			if strings.EqualFold(fi.Name(), "Country.mmdb") ||
+			if strings.EqualFold(fi.Name(), "Country.mmdb") {
 				strings.EqualFold(fi.Name(), "geoip.db") ||
 				strings.EqualFold(fi.Name(), "geoip.metadb") {
 				GeoipName = fi.Name()
 				return P.Join(p.homeDir, fi.Name())
 			}
 		}
 	}
-	return P.Join(p.homeDir, "geoip.metadb")
+	return P.Join(p.homeDir, "Country.mmdb")
 }
 func (p *path) OldCache() string {
@@ -148,12 +145,8 @@ func (p *path) GeoSite() string {
 	return P.Join(p.homeDir, "GeoSite.dat")
 }
-func (p *path) RootCA() string {
+func (p *path) GetAssetLocation(file string) string {
-	return p.Resolve("mitm_ca.crt")
+	return P.Join(p.homeDir, file)
 }
 func (p *path) CAKey() string {
 	return p.Resolve("mitm_ca.key")
 }
 func (p *path) GetExecutableFullPath() string {
--- a/constant/rewrite.go
+++ b/constant/rewrite.go
@@ -1,120 +0,0 @@
 package constant
 import (
 	"encoding/json"
 	"errors"
 	regexp "github.com/dlclark/regexp2"
 )
 var RewriteTypeMapping = map[string]RewriteType{
 	MitmReject.String():         MitmReject,
 	MitmReject200.String():      MitmReject200,
 	MitmRejectImg.String():      MitmRejectImg,
 	MitmRejectDict.String():     MitmRejectDict,
 	MitmRejectArray.String():    MitmRejectArray,
 	Mitm302.String():            Mitm302,
 	Mitm307.String():            Mitm307,
 	MitmRequestHeader.String():  MitmRequestHeader,
 	MitmRequestBody.String():    MitmRequestBody,
 	MitmResponseHeader.String(): MitmResponseHeader,
 	MitmResponseBody.String():   MitmResponseBody,
 }
 const (
 	MitmReject RewriteType = iota
 	MitmReject200
 	MitmRejectImg
 	MitmRejectDict
 	MitmRejectArray
 	Mitm302
 	Mitm307
 	MitmRequestHeader
 	MitmRequestBody
 	MitmResponseHeader
 	MitmResponseBody
 )
 type RewriteType int
 // UnmarshalYAML unserialize RewriteType with yaml
 func (e *RewriteType) UnmarshalYAML(unmarshal func(any) error) error {
 	var tp string
 	if err := unmarshal(&tp); err != nil {
 		return err
 	}
 	mode, exist := RewriteTypeMapping[tp]
 	if !exist {
 		return errors.New("invalid MITM Action")
 	}
 	*e = mode
 	return nil
 }
 // MarshalYAML serialize RewriteType with yaml
 func (e RewriteType) MarshalYAML() (any, error) {
 	return e.String(), nil
 }
 // UnmarshalJSON unserialize RewriteType with json
 func (e *RewriteType) UnmarshalJSON(data []byte) error {
 	var tp string
 	json.Unmarshal(data, &tp)
 	mode, exist := RewriteTypeMapping[tp]
 	if !exist {
 		return errors.New("invalid MITM Action")
 	}
 	*e = mode
 	return nil
 }
 // MarshalJSON serialize RewriteType with json
 func (e RewriteType) MarshalJSON() ([]byte, error) {
 	return json.Marshal(e.String())
 }
 func (rt RewriteType) String() string {
 	switch rt {
 	case MitmReject:
 		return "reject" // 404
 	case MitmReject200:
 		return "reject-200"
 	case MitmRejectImg:
 		return "reject-img"
 	case MitmRejectDict:
 		return "reject-dict"
 	case MitmRejectArray:
 		return "reject-array"
 	case Mitm302:
 		return "302"
 	case Mitm307:
 		return "307"
 	case MitmRequestHeader:
 		return "request-header"
 	case MitmRequestBody:
 		return "request-body"
 	case MitmResponseHeader:
 		return "response-header"
 	case MitmResponseBody:
 		return "response-body"
 	default:
 		return "Unknown"
 	}
 }
 type Rewrite interface {
 	ID() string
 	URLRegx() *regexp.Regexp
 	RuleType() RewriteType
 	RuleRegx() *regexp.Regexp
 	RulePayload() string
 	ReplaceURLPayload([]string) string
 	ReplaceSubPayload(string) string
 }
 type RewriteRule interface {
 	SearchInRequest(func(Rewrite) bool) bool
 	SearchInResponse(func(Rewrite) bool) bool
 }
--- a/constant/rule.go
+++ b/constant/rule.go
@@ -23,7 +23,6 @@ const (
 	Network
 	Uid
 	SubRules
 	UserAgent
 	MATCH
 	AND
 	OR
@@ -68,8 +67,6 @@ func (rt RuleType) String() string {
 		return "Process"
 	case ProcessPath:
 		return "ProcessPath"
 	case UserAgent:
 		return "UserAgent"
 	case MATCH:
 		return "Match"
 	case RuleSet:
--- a/constant/tun.go
+++ b/constant/tun.go
@@ -10,14 +10,12 @@ var StackTypeMapping = map[string]TUNStack{
 	strings.ToLower(TunGvisor.String()): TunGvisor,
 	strings.ToLower(TunSystem.String()): TunSystem,
 	strings.ToLower(TunLWIP.String()):   TunLWIP,
 	strings.ToLower(TunMixed.String()):  TunMixed,
 }
 const (
 	TunGvisor TUNStack = iota
 	TunSystem
 	TunLWIP
 	TunMixed
 )
 type TUNStack int
@@ -66,8 +64,6 @@ func (e TUNStack) String() string {
 		return "System"
 	case TunLWIP:
 		return "LWIP"
 	case TunMixed:
 		return "Mixed"
 	default:
 		return "unknown"
 	}
--- a/dns/enhancer.go
+++ b/dns/enhancer.go
@@ -109,7 +109,7 @@ func NewEnhancer(cfg Config) *ResolverEnhancer {
 	if cfg.EnhancedMode != C.DNSNormal {
 		fakePool = cfg.Pool
-		mapping = cache.New(cache.WithSize[netip.Addr, string](4096))
+		mapping = cache.New(cache.WithSize[netip.Addr, string](4096), cache.WithStale[netip.Addr, string](true))
 	}
 	return &ResolverEnhancer{
--- a/dns/filters.go
+++ b/dns/filters.go
@@ -2,7 +2,6 @@ package dns
 import (
 	"net/netip"
 	"strings"
 	"github.com/Dreamacro/clash/component/geodata"
 	"github.com/Dreamacro/clash/component/geodata/router"
@@ -10,6 +9,7 @@ import (
 	"github.com/Dreamacro/clash/component/trie"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"strings"
 )
 type fallbackIPFilter interface {
@@ -24,13 +24,8 @@ var geoIPMatcher *router.GeoIPMatcher
 func (gf *geoipFilter) Match(ip netip.Addr) bool {
 	if !C.GeodataMode {
-		codes := mmdb.Instance().LookupCode(ip.AsSlice())
+		record, _ := mmdb.Instance().Country(ip.AsSlice())
-		for _, code := range codes {
+		return !strings.EqualFold(record.Country.IsoCode, gf.code) && !ip.IsPrivate()
 			if !strings.EqualFold(code, gf.code) && !ip.IsPrivate() {
 				return true
 			}
 		}
 		return false
 	}
 	if geoIPMatcher == nil {
--- a/dns/middleware.go
+++ b/dns/middleware.go
@@ -129,10 +129,6 @@ func withMapping(mapping *cache.LruCache[netip.Addr, string]) middleware {
 					continue
 				}
 				if ttl < 1 {
 					ttl = 1
 				}
 				mapping.SetWithExpire(ip, host, time.Now().Add(time.Second*time.Duration(ttl)))
 			}
--- a/dns/util.go
+++ b/dns/util.go
@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
 	"strconv"
 	"strings"
 	"time"
@@ -194,10 +193,6 @@ func getDialHandler(r *Resolver, proxyAdapter C.ProxyAdapter, proxyName string,
 			if err != nil {
 				return nil, err
 			}
 			uintPort, err := strconv.ParseUint(port, 10, 16)
 			if err != nil {
 				return nil, err
 			}
 			if proxyAdapter == nil {
 				var ok bool
 				proxyAdapter, ok = tunnel.Proxies()[proxyName]
@@ -211,7 +206,7 @@ func getDialHandler(r *Resolver, proxyAdapter C.ProxyAdapter, proxyName string,
 				metadata := &C.Metadata{
 					NetWork: C.TCP,
 					Host:    host,
-					DstPort: uint16(uintPort),
+					DstPort: port,
 				}
 				if proxyAdapter != nil {
 					if proxyAdapter.IsL3Protocol(metadata) { // L3 proxy should resolve domain before to avoid loopback
@@ -236,7 +231,7 @@ func getDialHandler(r *Resolver, proxyAdapter C.ProxyAdapter, proxyName string,
 					NetWork: C.UDP,
 					Host:    "",
 					DstIP:   dstIP,
-					DstPort: uint16(uintPort),
+					DstPort: port,
 				}
 				if proxyAdapter == nil {
 					return dialer.DialContext(ctx, network, addr, opts...)
@@ -262,10 +257,6 @@ func listenPacket(ctx context.Context, proxyAdapter C.ProxyAdapter, proxyName st
 	if err != nil {
 		return nil, err
 	}
 	uintPort, err := strconv.ParseUint(port, 10, 16)
 	if err != nil {
 		return nil, err
 	}
 	if proxyAdapter == nil {
 		var ok bool
 		proxyAdapter, ok = tunnel.Proxies()[proxyName]
@@ -283,7 +274,7 @@ func listenPacket(ctx context.Context, proxyAdapter C.ProxyAdapter, proxyName st
 		NetWork: C.UDP,
 		Host:    "",
 		DstIP:   dstIP,
-		DstPort: uint16(uintPort),
+		DstPort: port,
 	}
 	if proxyAdapter == nil {
 		return dialer.ListenPacket(ctx, dialer.ParseNetwork(network, dstIP), "", opts...)
@@ -297,16 +288,12 @@ func listenPacket(ctx context.Context, proxyAdapter C.ProxyAdapter, proxyName st
 }
 func batchExchange(ctx context.Context, clients []dnsClient, m *D.Msg) (msg *D.Msg, cache bool, err error) {
 	cache = true
 	fast, ctx := picker.WithTimeout[*D.Msg](ctx, resolver.DefaultDNSTimeout)
 	defer fast.Close()
 	domain := msgToDomain(m)
 	for _, client := range clients {
 		if _, isRCodeClient := client.(rcodeClient); isRCodeClient {
 			msg, err = client.Exchange(m)
 			return msg, false, err
 		}
 		client := client // shadow define client to ensure the value captured by the closure will not be changed in the next loop
 		_, cache = client.(rcodeClient)
 		cache = !cache
 		fast.Go(func() (*D.Msg, error) {
 			log.Debugln("[DNS] resolve %s from %s", domain, client.Address())
 			m, err := client.ExchangeContext(ctx, m)
@@ -315,19 +302,21 @@ func batchExchange(ctx context.Context, clients []dnsClient, m *D.Msg) (msg *D.M
 			} else if cache && (m.Rcode == D.RcodeServerFailure || m.Rcode == D.RcodeRefused) {
 				// currently, cache indicates whether this msg was from a RCode client,
 				// so we would ignore RCode errors from RCode clients.
-				return nil, errors.New("server failure: " + D.RcodeToString[m.Rcode])
+				return nil, errors.New("server failure")
 			}
 			log.Debugln("[DNS] %s --> %s, from %s", domain, msgToIP(m), client.Address())
 			return m, nil
 		})
 	}
-	msg = fast.Wait()
+	elm := fast.Wait()
-	if msg == nil {
+	if elm == nil {
-		err = errors.New("all DNS requests failed")
+		err := errors.New("all DNS requests failed")
 		if fErr := fast.Error(); fErr != nil {
-			err = fmt.Errorf("%w, first error: %w", err, fErr)
+			err = fmt.Errorf("%w, first error: %s", err, fErr.Error())
 		}
 		return nil, true, err
 	}
 	msg = elm
 	return
 }
--- a/docs/config.yaml
+++ b/docs/config.yaml
@@ -19,9 +19,9 @@ mode: rule
 #自定义 geodata url
 geox-url:
-  geoip: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat"
+  geoip: "https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geoip.dat"
-  geosite: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat"
+  geosite: "https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geosite.dat"
-  mmdb: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb"
+  mmdb: "https://cdn.jsdelivr.net/gh/Loyalsoldier/geoip@release/Country.mmdb"
 log-level: debug # 日志等级 silent/error/warning/info/debug
@@ -50,8 +50,6 @@ external-ui: /path/to/ui/folder # 配置 WEB UI 目录，使用 http://{{externa
 # Utls is currently support TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan.
 global-client-fingerprint: chrome
 keep-alive-interval: 30
 # routing-mark:6666 # 配置 fwmark 仅用于 Linux
 experimental:
@@ -683,11 +681,6 @@ proxies: # socks5
    # skip-cert-verify: true
    # max-open-streams: 20 # default 100, too many open streams may hurt performance
    # sni: example.com
    #
    # meta和sing-box私有扩展，将ss-uot用于udp中继，开启此选项后udp-relay-mode将失效
    # 警告，与原版tuic不兼容！！！
    # udp-over-stream: false
    # udp-over-stream-version: 1
  # ShadowsocksR
  # The supported ciphers (encryption methods): all stream ciphers in ss
--- a/go.mod
+++ b/go.mod
@@ -1,59 +1,56 @@
 module github.com/Dreamacro/clash
-go 1.20
+go 1.19
 require (
-	github.com/3andne/restls-client-go v0.1.6
+	github.com/3andne/restls-client-go v0.1.4
 	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da
-	github.com/beevik/ntp v1.3.0
+	github.com/cilium/ebpf v0.10.0
-	github.com/cilium/ebpf v0.11.0
+	github.com/coreos/go-iptables v0.6.0
 	github.com/coreos/go-iptables v0.7.0
 	github.com/dlclark/regexp2 v1.10.0
-	github.com/go-chi/chi/v5 v5.0.10
+	github.com/go-chi/chi/v5 v5.0.8
 	github.com/go-chi/cors v1.2.1
-	github.com/go-chi/render v1.0.3
+	github.com/go-chi/render v1.0.2
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/gofrs/uuid/v5 v5.0.0
 	github.com/gorilla/websocket v1.5.0
-	github.com/insomniacslk/dhcp v0.0.0-20230731140434-0f9eb93a696c
+	github.com/hashicorp/golang-lru v0.5.4
 	github.com/insomniacslk/dhcp v0.0.0-20230516061539-49801966e6cb
 	github.com/jpillora/backoff v1.0.0
 	github.com/klauspost/cpuid/v2 v2.2.5
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
 	github.com/mdlayher/netlink v1.7.2
 	github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759
-	github.com/metacubex/quic-go v0.38.1-0.20230821081539-517fdb17fb28
+	github.com/metacubex/quic-go v0.35.2-0.20230603072621-ea2663348ebb
-	github.com/metacubex/sing-shadowsocks v0.2.4
+	github.com/metacubex/sing-shadowsocks v0.2.2
-	github.com/metacubex/sing-shadowsocks2 v0.1.3
+	github.com/metacubex/sing-shadowsocks2 v0.1.0
-	github.com/metacubex/sing-tun v0.1.11
+	github.com/metacubex/sing-tun v0.1.5-0.20230618235243-65051e73b018
-	github.com/metacubex/sing-vmess v0.1.8-0.20230801054944-603005461ff8
+	github.com/metacubex/sing-vmess v0.1.5
 	github.com/metacubex/sing-wireguard v0.0.0-20230611155257-1498ae315a28
-	github.com/miekg/dns v1.1.55
+	github.com/miekg/dns v1.1.54
-	github.com/mroth/weightedrand/v2 v2.1.0
+	github.com/mroth/weightedrand/v2 v2.0.1
 	github.com/openacid/low v0.1.21
-	github.com/oschwald/maxminddb-golang v1.12.0
+	github.com/oschwald/geoip2-golang v1.8.0
 	github.com/puzpuzpuz/xsync/v2 v2.5.0
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97
-	github.com/sagernet/sing v0.2.10-0.20230807080248-4db0062caa0a
+	github.com/sagernet/sing v0.2.5
-	github.com/sagernet/sing-mux v0.1.3-0.20230811111955-dc1639b5204c
+	github.com/sagernet/sing-mux v0.1.0
-	github.com/sagernet/sing-shadowtls v0.1.4
+	github.com/sagernet/sing-shadowtls v0.1.2
-	github.com/sagernet/tfo-go v0.0.0-20230816093905-5a5c285d44a6
+	github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9
 	github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2
-	github.com/sagernet/wireguard-go v0.0.0-20230807125731-5d4a7ef2dc5f
+	github.com/sagernet/wireguard-go v0.0.0-20230420044414-a7bac1754e77
 	github.com/samber/lo v1.38.1
-	github.com/shirou/gopsutil/v3 v3.23.7
+	github.com/shirou/gopsutil/v3 v3.23.5
-	github.com/sirupsen/logrus v1.9.3
+	github.com/sirupsen/logrus v1.9.2
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.8.3
 	github.com/xtls/go v0.0.0-20230107031059-4610f88d00f3
 	github.com/zhangyunhao116/fastrand v0.3.0
 	go.etcd.io/bbolt v1.3.7
-	go.uber.org/atomic v1.9.0
+	go.uber.org/automaxprocs v1.5.2
-	go.uber.org/automaxprocs v1.5.3
+	golang.org/x/crypto v0.10.0
-	golang.org/x/crypto v0.12.0
+	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
-	golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb
+	golang.org/x/net v0.11.0
-	golang.org/x/net v0.14.0
+	golang.org/x/sync v0.2.0
-	golang.org/x/sync v0.3.0
+	golang.org/x/sys v0.9.0
-	golang.org/x/sys v0.11.0
+	google.golang.org/protobuf v1.30.0
 	golang.org/x/text v0.12.0
 	google.golang.org/protobuf v1.31.0
 	gopkg.in/yaml.v3 v3.0.1
 	lukechampine.com/blake3 v1.2.1
 )
@@ -69,26 +66,27 @@ require (
 	github.com/ericlagergren/siv v0.0.0-20220507050439-0b757b3aa5f1 // indirect
 	github.com/ericlagergren/subtle v0.0.0-20220507045147-890d697da010 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/gaukas/godicttls v0.0.4 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
 	github.com/golang/mock v1.6.0 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
 	github.com/josharian/native v1.1.0 // indirect
-	github.com/klauspost/compress v1.16.7 // indirect
+	github.com/klauspost/compress v1.15.15 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/mdlayher/socket v0.4.1 // indirect
 	github.com/metacubex/gvisor v0.0.0-20230611153922-78842f086475 // indirect
 	github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7 // indirect
-	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
+	github.com/onsi/ginkgo/v2 v2.2.0 // indirect
 	github.com/oschwald/maxminddb-golang v1.10.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.14 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.3.2 // indirect
+	github.com/quic-go/qtls-go1-19 v0.3.2 // indirect
 	github.com/quic-go/qtls-go1-20 v0.2.2 // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 // indirect
 	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 // indirect
@@ -102,9 +100,10 @@ require (
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
 	gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec // indirect
-	golang.org/x/mod v0.11.0 // indirect
+	golang.org/x/mod v0.8.0 // indirect
 	golang.org/x/text v0.10.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.9.1 // indirect
+	golang.org/x/tools v0.6.0 // indirect
 )
-replace github.com/sagernet/sing => github.com/metacubex/sing v0.0.0-20230817143035-28d23f152579
+replace github.com/sagernet/sing => github.com/metacubex/sing v0.0.0-20230618234508-ce8816d0274b
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-github.com/3andne/restls-client-go v0.1.6 h1:tRx/YilqW7iHpgmEL4E1D8dAsuB0tFF3uvncS+B6I08=
+github.com/3andne/restls-client-go v0.1.4 h1:kLNC2aSRHPlEVYmTj6EOqJoorCpobEe2toMRSfBF7FU=
-github.com/3andne/restls-client-go v0.1.6/go.mod h1:iEdTZNt9kzPIxjIGSMScUFSBrUH6bFRNg0BWlP4orEY=
+github.com/3andne/restls-client-go v0.1.4/go.mod h1:04CGbRk1BwBiEDles8b5mlKgTqIwE5MqF7JDloJV47I=
 github.com/RyuaNerin/go-krypto v1.0.2 h1:9KiZrrBs+tDrQ66dNy4nrX6SzntKtSKdm0wKHhdB4WM=
 github.com/RyuaNerin/go-krypto v1.0.2/go.mod h1:17LzMeJCgzGTkPH3TmfzRnEJ/yA7ErhTPp9sxIqONtA=
 github.com/Yawning/aez v0.0.0-20211027044916-e49e68abd344 h1:cDVUiFo+npB0ZASqnw4q90ylaVAbnYyx0JYqK4YcGok=
@@ -10,16 +10,14 @@ github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
 github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/beevik/ntp v1.3.0 h1:/w5VhpW5BGKS37vFm1p9oVk/t4HnnkKZAZIubHM6F7Q=
 github.com/beevik/ntp v1.3.0/go.mod h1:vD6h1um4kzXpqmLTuu0cCLcC+NfvC0IC+ltmEDA8E78=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cilium/ebpf v0.11.0 h1:V8gS/bTCCjX9uUnkUFUpPsksM8n1lXBAvHcpiFk1X2Y=
+github.com/cilium/ebpf v0.10.0 h1:nk5HPMeoBXtOzbkZBWym+ZWq1GIiHUsBFXxwewXAHLQ=
-github.com/cilium/ebpf v0.11.0/go.mod h1:WE7CZAnqOL2RouJ4f1uyNhqr2P4CCvXFIqdRDUgWsVs=
+github.com/cilium/ebpf v0.10.0/go.mod h1:DPiVdY/kT534dgc9ERmvP8mWA+9gvwgKfRvk4nNWnoE=
-github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
+github.com/coreos/go-iptables v0.6.0 h1:is9qnZMPYjLd8LYqmm/qlE+wwEgJIkTYdhV3rfZo4jk=
-github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
+github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -34,31 +32,26 @@ github.com/ericlagergren/siv v0.0.0-20220507050439-0b757b3aa5f1 h1:tlDMEdcPRQKBE
 github.com/ericlagergren/siv v0.0.0-20220507050439-0b757b3aa5f1/go.mod h1:4RfsapbGx2j/vU5xC/5/9qB3kn9Awp1YDiEnN43QrJ4=
 github.com/ericlagergren/subtle v0.0.0-20220507045147-890d697da010 h1:fuGucgPk5dN6wzfnxl3D0D3rVLw4v2SbBT9jb4VnxzA=
 github.com/ericlagergren/subtle v0.0.0-20220507045147-890d697da010/go.mod h1:JtBcj7sBuTTRupn7c2bFspMDIObMJsVK8TeUvpShPok=
-github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA=
+github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
-github.com/gaukas/godicttls v0.0.4 h1:NlRaXb3J6hAnTmWdsEKb9bcSBD6BvcIjdGdeb0zfXbk=
+github.com/go-chi/chi/v5 v5.0.8 h1:lD+NLqFcAi1ovnVZpsnObHGW4xb4J8lNmoYVfECH1Y0=
-github.com/gaukas/godicttls v0.0.4/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI=
+github.com/go-chi/chi/v5 v5.0.8/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
 github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
-github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
+github.com/go-chi/render v1.0.2 h1:4ER/udB0+fMWB2Jlf15RV3F4A2FDuYi/9f+lFttR/Lg=
-github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
+github.com/go-chi/render v1.0.2/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
 github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid/v5 v5.0.0 h1:p544++a97kEL+svbcFbCQVM9KFu0Yo25UoISXGNNH9M=
 github.com/gofrs/uuid/v5 v5.0.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
@@ -70,18 +63,20 @@ github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLe
 github.com/google/tink/go v1.6.1 h1:t7JHqO8Ath2w2ig5vjwQYJzhGEZymedQc90lQXUBa4I=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/insomniacslk/dhcp v0.0.0-20230731140434-0f9eb93a696c h1:P/3mFnHCv1A/ej4m8pF5EB6FUt9qEL2Q9lfrcUNwCYs=
+github.com/insomniacslk/dhcp v0.0.0-20230516061539-49801966e6cb h1:6fDKEAXwe3rsfS4khW3EZ8kEqmSiV9szhMPcDrD+Y7Q=
-github.com/insomniacslk/dhcp v0.0.0-20230731140434-0f9eb93a696c/go.mod h1:7474bZ1YNCvarT6WFKie4kEET6J0KYRDC4XJqqXzQW4=
+github.com/insomniacslk/dhcp v0.0.0-20230516061539-49801966e6cb/go.mod h1:7474bZ1YNCvarT6WFKie4kEET6J0KYRDC4XJqqXzQW4=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
-github.com/klauspost/compress v1.16.7 h1:2mk3MPGNzKyxErAw8YaohYh69+pa4sIQSC0fPGCFR9I=
+github.com/klauspost/compress v1.15.15 h1:EF27CXIuDsYJ6mmvtBRlEuB2UVOqHG1tAXgZ7yIO+lw=
-github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.15.15/go.mod h1:ZcK2JAFqKOpnBlxcLsJzYfrS9X1akm9fHZNnD9+Vo/4=
 github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg=
 github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -98,36 +93,38 @@ github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 h1:cjd4biTvO
 github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759/go.mod h1:UHOv2xu+RIgLwpXca7TLrXleEd4oR3sPatW6IF8wU88=
 github.com/metacubex/gvisor v0.0.0-20230611153922-78842f086475 h1:qSEOvPPaMrWggFyFhFYGyMR8i1HKyhXjdi1QYUAa2ww=
 github.com/metacubex/gvisor v0.0.0-20230611153922-78842f086475/go.mod h1:wehEpqiogdeyncfhckJP5gD2LtBgJW0wnDC24mJ+8Jg=
-github.com/metacubex/quic-go v0.38.1-0.20230821081539-517fdb17fb28 h1:ggSo4B1LDH9ZIROoUibxlrUpi7YCMri7HMXn4aNQkiM=
+github.com/metacubex/quic-go v0.35.2-0.20230603072621-ea2663348ebb h1:92YTNmYXCSycERjKn/zPbeK5DiW3dd80j3+oVTEWTE8=
-github.com/metacubex/quic-go v0.38.1-0.20230821081539-517fdb17fb28/go.mod h1:SthFvvoqgrEUgIxQXRnqdUAAYQECBavkhl7iA0geVd8=
+github.com/metacubex/quic-go v0.35.2-0.20230603072621-ea2663348ebb/go.mod h1:6pg8+Tje9KOltnj1whuvB2i5KFUMPp1TAF3oPhc5axM=
-github.com/metacubex/sing v0.0.0-20230817143035-28d23f152579 h1:dE1dBB6CTzNdSMFTE5OCHvzHLewiqiA1nhD+7egtvAc=
+github.com/metacubex/sing v0.0.0-20230618234508-ce8816d0274b h1:mVd3v+zMQq61rJe/pJJSh0/Iin9UnkQaZTH2NOg/2Vg=
-github.com/metacubex/sing v0.0.0-20230817143035-28d23f152579/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
+github.com/metacubex/sing v0.0.0-20230618234508-ce8816d0274b/go.mod h1:Ta8nHnDLAwqySzKhGoKk4ZIB+vJ3GTKj7UPrWYvM+4w=
-github.com/metacubex/sing-shadowsocks v0.2.4 h1:Gc99Z17JVif1PKKq1pjqhSmc2kvHUgk+AqxOstCzhQ0=
+github.com/metacubex/sing-shadowsocks v0.2.2 h1:prciO78IwtR4Sp+/CnP+aZSzpBRfL7zKaYez1S4EOnI=
-github.com/metacubex/sing-shadowsocks v0.2.4/go.mod h1:w9qoEZSh9aKeXSLXHe0DGbG2UE9/2VlLGwukzQZ7byI=
+github.com/metacubex/sing-shadowsocks v0.2.2/go.mod h1:haolI+8Yc8MhNDqNuoRP4X5vaquXWNYeL1YxrQZ5kCU=
-github.com/metacubex/sing-shadowsocks2 v0.1.3 h1:nZvH+4jQXZ92NeNdR9fXaUGTPNJPt6u0nkcuh/NEt5Y=
+github.com/metacubex/sing-shadowsocks2 v0.1.0 h1:ZxPEToY1RaRtG6ljz2n13ASMVqyAM7Bh11TmWoExYu4=
-github.com/metacubex/sing-shadowsocks2 v0.1.3/go.mod h1:5Mt93RlmRlIcDmvtapkhQJ8YTRGLFhHciLYopJjs7j8=
+github.com/metacubex/sing-shadowsocks2 v0.1.0/go.mod h1:6C4EkvqMz5h7jECKrQeIByoLDHxiepsgPajIrxqxj/s=
-github.com/metacubex/sing-tun v0.1.11 h1:B8meDewklvKkeUfjqR2ViuYLam0/m4IgkTi3qcJIOuc=
+github.com/metacubex/sing-tun v0.1.5-0.20230618235243-65051e73b018 h1:M7vBGA4RL4BBLSYfi15u/9QdVSqPkhuL4KRCuRhxuQY=
-github.com/metacubex/sing-tun v0.1.11/go.mod h1:vbki176Y5sxXC1DWXucrPh3q5j8cKai1D87y8m8rjQc=
+github.com/metacubex/sing-tun v0.1.5-0.20230618235243-65051e73b018/go.mod h1:DSVNjWT0rkkg8zn2+wpDvxgXuXRmMiNFDnVmnUctbAc=
-github.com/metacubex/sing-vmess v0.1.8-0.20230801054944-603005461ff8 h1:AqqZCr9gOeKdO6oIzFh4b2puOUFcw8MdpmGHWRehyX8=
+github.com/metacubex/sing-vmess v0.1.5 h1:wODu17P27aGw0GhSIb/rIZWNh3/F5ghF/1PDDt95CQY=
-github.com/metacubex/sing-vmess v0.1.8-0.20230801054944-603005461ff8/go.mod h1:tyJg7b4s8NrSztl/Y1ajA7X0sJLlIsEJWkgRVocjmgY=
+github.com/metacubex/sing-vmess v0.1.5/go.mod h1:s00xTd3c/zOMQHyPec0G/pbUklndleiH0QaHZRd4Ykg=
 github.com/metacubex/sing-wireguard v0.0.0-20230611155257-1498ae315a28 h1:mXFpxfR/1nADh+GoT8maWEvc6LO6uatPsARD8WzUDMA=
 github.com/metacubex/sing-wireguard v0.0.0-20230611155257-1498ae315a28/go.mod h1:KrDPq/dE793jGIJw9kcIvjA/proAfU0IeU7WlMXW7rs=
-github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
+github.com/miekg/dns v1.1.54 h1:5jon9mWcb0sFJGpnI99tOMhCPyJ+RPVz5b63MQG0VWI=
-github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
+github.com/miekg/dns v1.1.54/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
-github.com/mroth/weightedrand/v2 v2.1.0 h1:o1ascnB1CIVzsqlfArQQjeMy1U0NcIbBO5rfd5E/OeU=
+github.com/mroth/weightedrand/v2 v2.0.1 h1:zrEVDIaau/E4QLOKu02kpg8T8myweFlMGikIgbIdrRA=
-github.com/mroth/weightedrand/v2 v2.1.0/go.mod h1:f2faGsfOGOwc1p94wzHKKZyTpcJUW7OJ/9U4yfiNAOU=
+github.com/mroth/weightedrand/v2 v2.0.1/go.mod h1:f2faGsfOGOwc1p94wzHKKZyTpcJUW7OJ/9U4yfiNAOU=
 github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7 h1:1102pQc2SEPp5+xrS26wEaeb26sZy6k9/ZXlZN+eXE4=
 github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7/go.mod h1:UqoUn6cHESlliMhOnKLWr+CBH+e3bazUPvFj1XZwAjs=
-github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
+github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI=
-github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k=
+github.com/onsi/ginkgo/v2 v2.2.0/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk=
-github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
+github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
 github.com/openacid/errors v0.8.1/go.mod h1:GUQEJJOJE3W9skHm8E8Y4phdl2LLEN8iD7c5gcGgdx0=
 github.com/openacid/low v0.1.21 h1:Tr2GNu4N/+rGRYdOsEHOE89cxUIaDViZbVmKz29uKGo=
 github.com/openacid/low v0.1.21/go.mod h1:q+MsKI6Pz2xsCkzV4BLj7NR5M4EX0sGz5AqotpZDVh0=
 github.com/openacid/must v0.1.3/go.mod h1:luPiXCuJlEo3UUFQngVQokV0MPGryeYvtCbQPs3U1+I=
 github.com/openacid/testkeys v0.1.6/go.mod h1:MfA7cACzBpbiwekivj8StqX0WIRmqlMsci1c37CA3Do=
-github.com/oschwald/maxminddb-golang v1.12.0 h1:9FnTOD0YOhP7DGxGsq4glzpGy5+w7pq50AS6wALUMYs=
+github.com/oschwald/geoip2-golang v1.8.0 h1:KfjYB8ojCEn/QLqsDU0AzrJ3R5Qa9vFlx3z6SLNcKTs=
-github.com/oschwald/maxminddb-golang v1.12.0/go.mod h1:q0Nob5lTCqyQ8WT6FYgS1L7PXKVVbgiymefNwIjPzgY=
+github.com/oschwald/geoip2-golang v1.8.0/go.mod h1:R7bRvYjOeaoenAp9sKRS8GX5bJWcZ0laWO5+DauEktw=
 github.com/oschwald/maxminddb-golang v1.10.0 h1:Xp1u0ZhqkSuopaKmk1WwHtjF0H9Hd9181uj2MQ5Vndg=
 github.com/oschwald/maxminddb-golang v1.10.0/go.mod h1:Y2ELenReaLAZ0b400URyGwvYxHV1dLIxBuyOsyYjHK0=
 github.com/pierrec/lz4/v4 v4.1.14 h1:+fL8AQEZtz/ijeNnpduH0bROTu0O3NZAlPjQxGn8LwE=
 github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -136,35 +133,35 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/puzpuzpuz/xsync/v2 v2.5.0 h1:2k4qrO/orvmEXZ3hmtHqIy9XaQtPTwzMZk1+iErpE8c=
 github.com/puzpuzpuz/xsync/v2 v2.5.0/go.mod h1:gD2H2krq/w52MfPLE+Uy64TzJDVY7lP2znR9qmR35kU=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/qtls-go1-20 v0.3.2 h1:rRgN3WfnKbyik4dBV8A6girlJVxGand/d+jVKbQq5GI=
+github.com/quic-go/qtls-go1-19 v0.3.2 h1:tFxjCFcTQzK+oMxG6Zcvp4Dq8dx4yD3dDiIiyc86Z5U=
-github.com/quic-go/qtls-go1-20 v0.3.2/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
+github.com/quic-go/qtls-go1-19 v0.3.2/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
 github.com/quic-go/qtls-go1-20 v0.2.2 h1:WLOPx6OY/hxtTxKV1Zrq20FtXtDEkeY00CGQm8GEa3E=
 github.com/quic-go/qtls-go1-20 v0.2.2/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/sing-mux v0.1.3-0.20230811111955-dc1639b5204c h1:35/FowAvt3Z62mck0TXzVc4jS5R5CWq62qcV2P1cp0I=
+github.com/sagernet/sing-mux v0.1.0 h1:xihlDRNs1J+hYwmvW9/ZmaghjDx7O0Y5dty0pOLQGB4=
-github.com/sagernet/sing-mux v0.1.3-0.20230811111955-dc1639b5204c/go.mod h1:TKxqIvfQQgd36jp2tzsPavGjYTVZilV+atip1cssjIY=
+github.com/sagernet/sing-mux v0.1.0/go.mod h1:i3jKjV4pRTFTV/ly5V3oa2JMPy0SAZ5X8X4tDU9Hw94=
-github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
+github.com/sagernet/sing-shadowtls v0.1.2 h1:wkPf4gF+cmaP0cIbArpyq+mc6GcwbMx60CssmmhEQ0s=
-github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
+github.com/sagernet/sing-shadowtls v0.1.2/go.mod h1:rTxhbSY8jGWZOWjdeOe1vP3E+hkgen8aRA2p7YccM88=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 h1:HuE6xSwco/Xed8ajZ+coeYLmioq0Qp1/Z2zczFaV8as=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37/go.mod h1:3skNSftZDJWTGVtVaM2jfbce8qHnmH/AGDRe62iNOg0=
-github.com/sagernet/tfo-go v0.0.0-20230816093905-5a5c285d44a6 h1:Px+hN4Vzgx+iCGVnWH5A8eR7JhNnIV3rGQmBxA7cw6Q=
+github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9 h1:2ItpW1nMNkPzmBTxV0/eClCklHrFSQMnUGcpUmJxVeE=
-github.com/sagernet/tfo-go v0.0.0-20230816093905-5a5c285d44a6/go.mod h1:zovq6vTvEM6ECiqE3Eeb9rpIylPpamPcmrJ9tv0Bt0M=
+github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9/go.mod h1:FUyTEc5ye5NjKnDTDMuiLF2M6T4BE6y6KZuax//UCEg=
 github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2 h1:kDUqhc9Vsk5HJuhfIATJ8oQwBmpOZJuozQG7Vk88lL4=
 github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2/go.mod h1:JKQMZq/O2qnZjdrt+B57olmfgEmLtY9iiSIEYtWvoSM=
-github.com/sagernet/wireguard-go v0.0.0-20230807125731-5d4a7ef2dc5f h1:Kvo8w8Y9lzFGB/7z09MJ3TR99TFtfI/IuY87Ygcycho=
+github.com/sagernet/wireguard-go v0.0.0-20230420044414-a7bac1754e77 h1:g6QtRWQ2dKX7EQP++1JLNtw4C2TNxd4/ov8YUpOPOSo=
-github.com/sagernet/wireguard-go v0.0.0-20230807125731-5d4a7ef2dc5f/go.mod h1:mySs0abhpc/gLlvhoq7HP1RzOaRmIXVeZGCh++zoApk=
+github.com/sagernet/wireguard-go v0.0.0-20230420044414-a7bac1754e77/go.mod h1:pJDdXzZIwJ+2vmnT0TKzmf8meeum+e2mTDSehw79eE0=
 github.com/samber/lo v1.38.1 h1:j2XEAqXKb09Am4ebOg31SpvzUTTs6EN3VfgeLUhPdXM=
 github.com/samber/lo v1.38.1/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 h1:rc/CcqLH3lh8n+csdOuDfP+NuykE0U6AeYSJJHKDgSg=
 github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9/go.mod h1:a/83NAfUXvEuLpmxDssAXxgUgrEy12MId3Wd7OTs76s=
-github.com/shirou/gopsutil/v3 v3.23.7 h1:C+fHO8hfIppoJ1WdsVm1RoI0RwXoNdfTK7yWXV0wVj4=
+github.com/shirou/gopsutil/v3 v3.23.5 h1:5SgDCeQ0KW0S4N0znjeM/eFHXXOKyv2dVNgRq/c9P6Y=
-github.com/shirou/gopsutil/v3 v3.23.7/go.mod h1:c4gnmoRC0hQuaLqvxnx1//VXQ0Ms/X9UnJF8pddY5z4=
+github.com/shirou/gopsutil/v3 v3.23.5/go.mod h1:Ng3Maa27Q2KARVJ0SPZF5NdrQSC3XHKP8IIWrHgMeLY=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
@@ -175,18 +172,19 @@ github.com/sina-ghaderi/rabaead v0.0.0-20220730151906-ab6e06b96e8c h1:DjKMC30y6y
 github.com/sina-ghaderi/rabaead v0.0.0-20220730151906-ab6e06b96e8c/go.mod h1:NV/a66PhhWYVmUMaotlXJ8fIEFB98u+c8l/CQIEFLrU=
 github.com/sina-ghaderi/rabbitio v0.0.0-20220730151941-9ce26f4f872e h1:ur8uMsPIFG3i4Gi093BQITvwH9znsz2VUZmnmwHvpIo=
 github.com/sina-ghaderi/rabbitio v0.0.0-20220730151941-9ce26f4f872e/go.mod h1:+e5fBW3bpPyo+3uLo513gIUblc03egGjMM0+5GKbzK8=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.2 h1:oxx1eChJGI6Uks2ZC4W1zpLlVgqB8ner4EuQwV4Ik1Y=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.2/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM=
 github.com/tklauser/go-sysconf v0.3.11/go.mod h1:GqXfhXY3kiPa0nAXPDIQIWzJbMCB7AmcWpGR8lSZfqI=
 github.com/tklauser/numcpus v0.6.0 h1:kebhY2Qt+3U6RNK7UqpYNA+tJ23IBEGKkB7JQBfDYms=
@@ -198,8 +196,9 @@ github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17
 github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/xtls/go v0.0.0-20230107031059-4610f88d00f3 h1:a3Y4WVjCxwoyO4E2xdNvq577tW8lkSBgyrA8E9+2NtM=
 github.com/xtls/go v0.0.0-20230107031059-4610f88d00f3/go.mod h1:YJTRELIWrGxR1s8xcEBgxcxBfwQfMGjdvNLTjN9XFgY=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
 github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 github.com/zhangyunhao116/fastrand v0.3.0 h1:7bwe124xcckPulX6fxtr2lFdO2KQqaefdtbk+mqO/Ig=
@@ -208,41 +207,28 @@ gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec h1:FpfFs4EhNehiV
 gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec/go.mod h1:BZ1RAoRPbCxum9Grlv5aeksu2H8BiKehBYooU2LFiOQ=
 go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
 go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
-go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
+go.uber.org/automaxprocs v1.5.2 h1:2LxUOGiR3O6tw8ui5sZa2LAaHnsviZdVOUZw4fvbnME=
-go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/automaxprocs v1.5.2/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
 go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
 go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM=
 golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
-golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
-golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb h1:mIKbk8weKhSeLH2GmUTrvx8CjkyJmnU1wFmg59CUjFA=
 golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
 golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
 golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -254,51 +240,38 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
 golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
 golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@@ -2,15 +2,11 @@ package executor
 import (
 	"fmt"
 	"github.com/Dreamacro/clash/ntp"
 	"net"
 	"net/netip"
 	"os"
 	"runtime"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 	"github.com/Dreamacro/clash/adapter"
 	"github.com/Dreamacro/clash/adapter/inbound"
@@ -91,13 +87,11 @@ func ApplyConfig(cfg *config.Config, force bool) {
 	}
 	updateUsers(cfg.Users)
-	updateProxies(cfg.Mitm, cfg.Proxies, cfg.Providers)
+	updateProxies(cfg.Proxies, cfg.Providers)
 	updateRules(cfg.Rules, cfg.SubRules, cfg.RuleProviders)
 	updateSniffer(cfg.Sniffer)
 	updateHosts(cfg.Hosts)
 	updateMitm(cfg.Mitm)
 	updateGeneral(cfg.General)
 	updateNTP(cfg.NTP)
 	updateDNS(cfg.DNS, cfg.RuleProviders, cfg.General.IPv6)
 	updateListeners(cfg.General, cfg.Listeners, force)
 	updateIPTables(cfg)
@@ -135,7 +129,6 @@ func GetGeneral() *config.General {
 			RedirPort:         ports.RedirPort,
 			TProxyPort:        ports.TProxyPort,
 			MixedPort:         ports.MixedPort,
 			MitmPort:          ports.MitmPort,
 			Tun:               listener.GetTunConf(),
 			TuicServer:        listener.GetTuicConf(),
 			ShadowSocksConfig: ports.ShadowSocksConfig,
@@ -185,13 +178,6 @@ func updateListeners(general *config.General, listeners map[string]C.InboundList
 func updateExperimental(c *config.Config) {
 }
 func updateNTP(c *config.NTP) {
 	if c.Enable {
 		ntp.ReCreateNTPService(net.JoinHostPort(c.Server, strconv.Itoa(c.Port)),
 			time.Duration(c.Interval))
 	}
 }
 func updateDNS(c *config.DNS, ruleProvider map[string]provider.RuleProvider, generalIPv6 bool) {
 	if !c.Enable {
 		resolver.DefaultResolver = nil
@@ -264,7 +250,7 @@ func updateHosts(tree *trie.DomainTrie[resolver.HostValue]) {
 	resolver.DefaultHosts = resolver.NewHosts(tree)
 }
-func updateProxies(mitm *config.Mitm, proxies map[string]C.Proxy, providers map[string]provider.ProxyProvider) {
+func updateProxies(proxies map[string]C.Proxy, providers map[string]provider.ProxyProvider) {
 	tunnel.UpdateProxies(proxies, providers)
 }
@@ -374,7 +360,6 @@ func updateGeneral(general *config.General) {
 	}
 	inbound.SetTfo(general.InboundTfo)
 	inbound.SetMPTCP(general.InboundMPTCP)
 	adapter.UnifiedDelay.Store(general.UnifiedDelay)
@@ -492,13 +477,8 @@ func updateIPTables(cfg *config.Config) {
 	log.Infoln("[IPTABLES] Setting iptables completed")
 }
 func updateMitm(mitm *config.Mitm) {
 	listener.ReCreateMitm(mitm.Port, tunnel.TCPIn())
 	tunnel.UpdateRewrites(mitm.Rules)
 }
 func Shutdown() {
-	listener.Cleanup()
+	listener.Cleanup(false)
 	tproxy.CleanupTProxyIPTables()
 	resolver.StoreFakePoolState()
--- a/hub/route/configs.go
+++ b/hub/route/configs.go
@@ -40,7 +40,6 @@ type configSchema struct {
 	RedirPort         *int               `json:"redir-port"`
 	TProxyPort        *int               `json:"tproxy-port"`
 	MixedPort         *int               `json:"mixed-port"`
 	MitmPort          *int               `json:"mitm-port"`
 	Tun               *tunSchema         `json:"tun"`
 	TuicServer        *tuicServerSchema  `json:"tuic-server"`
 	ShadowSocksConfig *string            `json:"ss-config"`
@@ -263,7 +262,6 @@ func patchConfigs(w http.ResponseWriter, r *http.Request) {
 	P.ReCreateShadowSocks(pointerOrDefaultString(general.ShadowSocksConfig, ports.ShadowSocksConfig), tcpIn, udpIn)
 	P.ReCreateVmess(pointerOrDefaultString(general.VmessConfig, ports.VmessConfig), tcpIn, udpIn)
 	P.ReCreateTuic(pointerOrDefaultTuicServer(general.TuicServer, P.LastTuicConf), tcpIn, udpIn)
 	P.ReCreateMitm(pointerOrDefault(general.MitmPort, ports.MitmPort), tcpIn)
 	if general.Mode != nil {
 		tunnel.SetMode(*general.Mode)
--- a/hub/route/groups.go
+++ b/hub/route/groups.go
@@ -9,7 +9,6 @@ import (
 	"time"
 	"github.com/Dreamacro/clash/adapter"
 	"github.com/Dreamacro/clash/adapter/outboundgroup"
 	"github.com/Dreamacro/clash/common/utils"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/tunnel"
@@ -58,11 +57,6 @@ func getGroupDelay(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if proxy.(*adapter.Proxy).Type() == C.URLTest {
 		URLTestGroup := proxy.(*adapter.Proxy).ProxyAdapter.(*outboundgroup.URLTest)
 		URLTestGroup.ForceSet("")
 	}
 	query := r.URL.Query()
 	url := query.Get("url")
 	timeout, err := strconv.ParseInt(query.Get("timeout"), 10, 32)
@@ -83,6 +77,7 @@ func getGroupDelay(w http.ResponseWriter, r *http.Request) {
 	defer cancel()
 	dm, err := group.URLTest(ctx, url, expectedStatus)
 	if err != nil {
 		render.Status(r, http.StatusGatewayTimeout)
 		render.JSON(w, r, newError(err.Error()))
--- a/hub/route/restart.go
+++ b/hub/route/restart.go
@@ -8,7 +8,7 @@ import (
 	"runtime"
 	"syscall"
-	"github.com/Dreamacro/clash/hub/executor"
+	"github.com/Dreamacro/clash/listener"
 	"github.com/Dreamacro/clash/log"
 	"github.com/go-chi/chi/v5"
@@ -39,12 +39,12 @@ func restart(w http.ResponseWriter, r *http.Request) {
 	// The background context is used because the underlying functions wrap it
 	// with timeout and shut down the server, which handles current request.  It
 	// also should be done in a separate goroutine for the same reason.
-	go restartExecutable(execPath)
+	go runRestart(execPath)
 }
-func restartExecutable(execPath string) {
+func runRestart(execPath string) {
 	var err error
-	executor.Shutdown()
+	listener.Cleanup(false)
 	if runtime.GOOS == "windows" {
 		cmd := exec.Command(execPath, os.Args[1:]...)
 		log.Infoln("restarting: %q %q", execPath, os.Args[1:])
--- a/hub/route/upgrade.go
+++ b/hub/route/upgrade.go
@@ -41,5 +41,5 @@ func upgrade(w http.ResponseWriter, r *http.Request) {
 		f.Flush()
 	}
-	go restartExecutable(execPath)
+	go runRestart(execPath)
 }
--- a/listener/autoredir/tcp.go
+++ b/listener/autoredir/tcp.go
@@ -5,7 +5,6 @@ import (
 	"net/netip"
 	"github.com/Dreamacro/clash/adapter/inbound"
 	N "github.com/Dreamacro/clash/common/net"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/transport/socks5"
@@ -56,7 +55,7 @@ func (l *Listener) handleRedir(conn net.Conn, in chan<- C.ConnContext) {
 		return
 	}
-	N.TCPKeepAlive(conn)
+	_ = conn.(*net.TCPConn).SetKeepAlive(true)
 	in <- inbound.NewSocket(target, conn, C.REDIR, l.additions...)
 }
--- a/listener/http/proxy.go
+++ b/listener/http/proxy.go
@@ -36,7 +36,7 @@ func HandleConn(c net.Conn, in chan<- C.ConnContext, cache *cache.LruCache[strin
 		var resp *http.Response
 		if !trusted {
-			resp = Authenticate(request, cache)
+			resp = authenticate(request, cache)
 			trusted = resp == nil
 		}
@@ -66,19 +66,19 @@ func HandleConn(c net.Conn, in chan<- C.ConnContext, cache *cache.LruCache[strin
 				return // hijack connection
 			}
-			RemoveHopByHopHeaders(request.Header)
+			removeHopByHopHeaders(request.Header)
-			RemoveExtraHTTPHostPort(request)
+			removeExtraHTTPHostPort(request)
 			if request.URL.Scheme == "" || request.URL.Host == "" {
-				resp = ResponseWith(request, http.StatusBadRequest)
+				resp = responseWith(request, http.StatusBadRequest)
 			} else {
 				resp, err = client.Do(request)
 				if err != nil {
-					resp = ResponseWith(request, http.StatusBadGateway)
+					resp = responseWith(request, http.StatusBadGateway)
 				}
 			}
-			RemoveHopByHopHeaders(resp.Header)
+			removeHopByHopHeaders(resp.Header)
 		}
 		if keepAlive {
@@ -98,12 +98,12 @@ func HandleConn(c net.Conn, in chan<- C.ConnContext, cache *cache.LruCache[strin
 	_ = conn.Close()
 }
-func Authenticate(request *http.Request, cache *cache.LruCache[string, bool]) *http.Response {
+func authenticate(request *http.Request, cache *cache.LruCache[string, bool]) *http.Response {
 	authenticator := authStore.Authenticator()
 	if authenticator != nil {
 		credential := parseBasicProxyAuthorization(request)
 		if credential == "" {
-			resp := ResponseWith(request, http.StatusProxyAuthRequired)
+			resp := responseWith(request, http.StatusProxyAuthRequired)
 			resp.Header.Set("Proxy-Authenticate", "Basic")
 			return resp
 		}
@@ -117,14 +117,14 @@ func Authenticate(request *http.Request, cache *cache.LruCache[string, bool]) *h
 		if !authed {
 			log.Infoln("Auth failed from %s", request.RemoteAddr)
-			return ResponseWith(request, http.StatusForbidden)
+			return responseWith(request, http.StatusForbidden)
 		}
 	}
 	return nil
 }
-func ResponseWith(request *http.Request, statusCode int) *http.Response {
+func responseWith(request *http.Request, statusCode int) *http.Response {
 	return &http.Response{
 		StatusCode: statusCode,
 		Status:     http.StatusText(statusCode),
--- a/listener/http/upgrade.go
+++ b/listener/http/upgrade.go
@@ -6,7 +6,6 @@ import (
 	"net"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/Dreamacro/clash/adapter/inbound"
 	N "github.com/Dreamacro/clash/common/net"
@@ -30,7 +29,7 @@ func handleUpgrade(conn net.Conn, request *http.Request, in chan<- C.ConnContext
 	defer conn.Close()
 	removeProxyHeaders(request.Header)
-	RemoveExtraHTTPHostPort(request)
+	removeExtraHTTPHostPort(request)
 	address := request.Host
 	if _, _, err := net.SplitHostPort(address); err != nil {
@@ -88,65 +87,3 @@ func handleUpgrade(conn net.Conn, request *http.Request, in chan<- C.ConnContext
 		N.Relay(bufferedLeft, conn)
 	}
 }
 func HandleUpgradeY(localConn net.Conn, serverConn *N.BufferedConn, request *http.Request, in chan<- C.ConnContext) (resp *http.Response) {
 	removeProxyHeaders(request.Header)
 	RemoveExtraHTTPHostPort(request)
 	if serverConn == nil {
 		address := request.Host
 		if _, _, err := net.SplitHostPort(address); err != nil {
 			port := "80"
 			if request.TLS != nil {
 				port = "443"
 			}
 			address = net.JoinHostPort(address, port)
 		}
 		dstAddr := socks5.ParseAddr(address)
 		if dstAddr == nil {
 			return
 		}
 		left, right := net.Pipe()
 		in <- inbound.NewHTTP(dstAddr, localConn.RemoteAddr(), right)
 		serverConn = N.NewBufferedConn(left)
 		defer func() {
 			_ = serverConn.Close()
 		}()
 	}
 	err := request.Write(serverConn)
 	if err != nil {
 		_ = localConn.Close()
 		return
 	}
 	resp, err = http.ReadResponse(serverConn.Reader(), request)
 	if err != nil {
 		_ = localConn.Close()
 		return
 	}
 	if resp.StatusCode == http.StatusSwitchingProtocols {
 		removeProxyHeaders(resp.Header)
 		err = localConn.SetReadDeadline(time.Time{}) // set to not time out
 		if err != nil {
 			return
 		}
 		err = resp.Write(localConn)
 		if err != nil {
 			return
 		}
 		N.Relay(serverConn, localConn) // blocking here
 		_ = localConn.Close()
 		resp = nil
 	}
 	return
 }
--- a/listener/http/utils.go
+++ b/listener/http/utils.go
@@ -15,8 +15,8 @@ func removeProxyHeaders(header http.Header) {
 	header.Del("Proxy-Authorization")
 }
-// RemoveHopByHopHeaders remove hop-by-hop header
+// removeHopByHopHeaders remove hop-by-hop header
-func RemoveHopByHopHeaders(header http.Header) {
+func removeHopByHopHeaders(header http.Header) {
 	// Strip hop-by-hop header based on RFC:
 	// http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.5.1
 	// https://www.mnot.net/blog/2011/07/11/what_proxies_must_do
@@ -38,9 +38,9 @@ func RemoveHopByHopHeaders(header http.Header) {
 	}
 }
-// RemoveExtraHTTPHostPort remove extra host port (example.com:80 --> example.com)
+// removeExtraHTTPHostPort remove extra host port (example.com:80 --> example.com)
 // It resolves the behavior of some HTTP servers that do not handle host:80 (e.g. baidu.com)
-func RemoveExtraHTTPHostPort(req *http.Request) {
+func removeExtraHTTPHostPort(req *http.Request) {
 	host := req.Host
 	if host == "" {
 		host = req.URL.Host
--- a/listener/listener.go
+++ b/listener/listener.go
@@ -1,26 +1,19 @@
 package listener
 import (
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"golang.org/x/exp/slices"
 	"net"
 	"os"
 	"sort"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 	"github.com/Dreamacro/clash/common/cert"
 	"github.com/Dreamacro/clash/component/ebpf"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/listener/autoredir"
 	LC "github.com/Dreamacro/clash/listener/config"
 	"github.com/Dreamacro/clash/listener/http"
 	"github.com/Dreamacro/clash/listener/mitm"
 	"github.com/Dreamacro/clash/listener/mixed"
 	"github.com/Dreamacro/clash/listener/redir"
 	embedSS "github.com/Dreamacro/clash/listener/shadowsocks"
@@ -30,10 +23,9 @@ import (
 	"github.com/Dreamacro/clash/listener/socks"
 	"github.com/Dreamacro/clash/listener/tproxy"
 	"github.com/Dreamacro/clash/listener/tuic"
-	LT "github.com/Dreamacro/clash/listener/tunnel"
+	"github.com/Dreamacro/clash/listener/tunnel"
 	"github.com/Dreamacro/clash/log"
 	rewrites "github.com/Dreamacro/clash/rewrite"
 	"github.com/samber/lo"
 )
@@ -50,8 +42,8 @@ var (
 	tproxyUDPListener   *tproxy.UDPListener
 	mixedListener       *mixed.Listener
 	mixedUDPLister      *socks.UDPListener
-	tunnelTCPListeners  = map[string]*LT.Listener{}
+	tunnelTCPListeners  = map[string]*tunnel.Listener{}
-	tunnelUDPListeners  = map[string]*LT.PacketConn{}
+	tunnelUDPListeners  = map[string]*tunnel.PacketConn{}
 	inboundListeners    = map[string]C.InboundListener{}
 	tunLister           *sing_tun.Listener
 	shadowSocksListener C.MultiAddrListener
@@ -60,7 +52,6 @@ var (
 	autoRedirListener   *autoredir.Listener
 	autoRedirProgram    *ebpf.TcEBpfProgram
 	tcProgram           *ebpf.TcEBpfProgram
 	mitmListener        *mitm.Listener
 	// lock for recreate function
 	socksMux     sync.Mutex
@@ -76,7 +67,6 @@ var (
 	tuicMux      sync.Mutex
 	autoRedirMux sync.Mutex
 	tcMux        sync.Mutex
 	mitmMux      sync.Mutex
 	LastTunConf  LC.Tun
 	LastTuicConf LC.TuicServer
@@ -90,12 +80,13 @@ type Ports struct {
 	MixedPort         int    `json:"mixed-port"`
 	ShadowSocksConfig string `json:"ss-config"`
 	VmessConfig       string `json:"vmess-config"`
 	MitmPort          int    `json:"mitm-port"`
 }
 func GetTunConf() LC.Tun {
 	if tunLister == nil {
-		return LastTunConf
+		return LC.Tun{
 			Enable: false,
 		}
 	}
 	return tunLister.Config()
 }
@@ -525,7 +516,7 @@ func ReCreateTun(tunConf LC.Tun, tcpIn chan<- C.ConnContext, udpIn chan<- C.Pack
 	defer func() {
 		if err != nil {
 			log.Errorln("Start TUN listening error: %s", err.Error())
-			tunConf.Enable = false
+			Cleanup(false)
 		}
 	}()
@@ -536,7 +527,7 @@ func ReCreateTun(tunConf LC.Tun, tcpIn chan<- C.ConnContext, udpIn chan<- C.Pack
 		return
 	}
-	closeTunListener()
+	Cleanup(true)
 	if !tunConf.Enable {
 		return
@@ -710,7 +701,7 @@ func PatchTunnel(tunnels []LC.Tunnel, tcpIn chan<- C.ConnContext, udpIn chan<- C
 	for _, elm := range needCreate {
 		key := fmt.Sprintf("%s/%s/%s", elm.addr, elm.target, elm.proxy)
 		if elm.network == "tcp" {
-			l, err := LT.New(elm.addr, elm.target, elm.proxy, tcpIn)
+			l, err := tunnel.New(elm.addr, elm.target, elm.proxy, tcpIn)
 			if err != nil {
 				log.Errorln("Start tunnel %s error: %s", elm.target, err.Error())
 				continue
@@ -718,7 +709,7 @@ func PatchTunnel(tunnels []LC.Tunnel, tcpIn chan<- C.ConnContext, udpIn chan<- C
 			tunnelTCPListeners[key] = l
 			log.Infoln("Tunnel(tcp/%s) proxy %s listening at: %s", elm.target, elm.proxy, tunnelTCPListeners[key].Address())
 		} else {
-			l, err := LT.NewUDP(elm.addr, elm.target, elm.proxy, udpIn)
+			l, err := tunnel.NewUDP(elm.addr, elm.target, elm.proxy, udpIn)
 			if err != nil {
 				log.Errorln("Start tunnel %s error: %s", elm.target, err.Error())
 				continue
@@ -758,79 +749,6 @@ func PatchInboundListeners(newListenerMap map[string]C.InboundListener, tcpIn ch
 	}
 }
 func ReCreateMitm(port int, tcpIn chan<- C.ConnContext) {
 	mitmMux.Lock()
 	defer mitmMux.Unlock()
 	var err error
 	defer func() {
 		if err != nil {
 			log.Errorln("Start MITM server error: %s", err.Error())
 		}
 	}()
 	addr := genAddr(bindAddress, port, allowLan)
 	if mitmListener != nil {
 		if mitmListener.RawAddress() == addr {
 			return
 		}
 		_ = mitmListener.Close()
 		mitmListener = nil
 	}
 	if portIsZero(addr) {
 		return
 	}
 	if err = initCert(); err != nil {
 		return
 	}
 	var (
 		rootCACert tls.Certificate
 		x509c      *x509.Certificate
 		certOption *cert.Config
 	)
 	rootCACert, err = tls.LoadX509KeyPair(C.Path.RootCA(), C.Path.CAKey())
 	if err != nil {
 		return
 	}
 	privateKey := rootCACert.PrivateKey.(*rsa.PrivateKey)
 	x509c, err = x509.ParseCertificate(rootCACert.Certificate[0])
 	if err != nil {
 		return
 	}
 	certOption, err = cert.NewConfig(
 		x509c,
 		privateKey,
 	)
 	if err != nil {
 		return
 	}
 	certOption.SetValidity(time.Hour * 24 * 365 * 2) // 2 years
 	certOption.SetOrganization("Clash ManInTheMiddle Proxy Services")
 	opt := &mitm.Option{
 		Addr:       addr,
 		ApiHost:    "mitm.clash",
 		CertConfig: certOption,
 		Handler:    &rewrites.RewriteHandler{},
 	}
 	mitmListener, err = mitm.New(opt, tcpIn)
 	if err != nil {
 		return
 	}
 	log.Infoln("Mitm proxy listening at: %s", mitmListener.Address())
 }
 // GetPorts return the ports of proxy servers
 func GetPorts() *Ports {
 	ports := &Ports{}
@@ -873,12 +791,6 @@ func GetPorts() *Ports {
 		ports.VmessConfig = vmessListener.Config()
 	}
 	if mitmListener != nil {
 		_, portStr, _ := net.SplitHostPort(mitmListener.Address())
 		port, _ := strconv.Atoi(portStr)
 		ports.MitmPort = port
 	}
 	return ports
 }
@@ -985,26 +897,10 @@ func hasTunConfigChange(tunConf *LC.Tun) bool {
 	return false
 }
-func closeTunListener() {
+func Cleanup(wait bool) {
 	if tunLister != nil {
 		tunLister.Close()
 		tunLister = nil
 	}
-}
+	LastTunConf = LC.Tun{}
 func initCert() error {
 	if _, err := os.Stat(C.Path.RootCA()); os.IsNotExist(err) {
 		log.Infoln("Can't find mitm_ca.crt, start generate")
 		err = cert.GenerateAndSave(C.Path.RootCA(), C.Path.CAKey())
 		if err != nil {
 			return err
 		}
 		log.Infoln("Generated CA private key and CA certificate finish")
 	}
 	return nil
 }
 func Cleanup() {
 	closeTunListener()
 }
--- a/listener/mitm/client.go
+++ b/listener/mitm/client.go
@@ -1,55 +0,0 @@
 package mitm
 import (
 	"context"
 	"crypto/tls"
 	"net"
 	"net/http"
 	"github.com/Dreamacro/clash/adapter/inbound"
 	N "github.com/Dreamacro/clash/common/net"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
 func getServerConn(serverConn *N.BufferedConn, request *http.Request, srcAddr net.Addr, in chan<- C.ConnContext) (*N.BufferedConn, error) {
 	if serverConn != nil {
 		return serverConn, nil
 	}
 	address := request.URL.Host
 	if _, _, err := net.SplitHostPort(address); err != nil {
 		port := "80"
 		if request.TLS != nil {
 			port = "443"
 		}
 		address = net.JoinHostPort(address, port)
 	}
 	dstAddr := socks5.ParseAddr(address)
 	if dstAddr == nil {
 		return nil, socks5.ErrAddressNotSupported
 	}
 	left, right := net.Pipe()
 	in <- inbound.NewMitm(dstAddr, srcAddr, request.Header.Get("User-Agent"), right)
 	if request.TLS != nil {
 		tlsConn := tls.Client(left, &tls.Config{
 			ServerName: request.TLS.ServerName,
 		})
 		ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
 		defer cancel()
 		if err := tlsConn.HandshakeContext(ctx); err != nil {
 			return nil, err
 		}
 		serverConn = N.NewBufferedConn(tlsConn)
 	} else {
 		serverConn = N.NewBufferedConn(left)
 	}
 	return serverConn, nil
 }
--- a/listener/mitm/hack.go
+++ b/listener/mitm/hack.go
@@ -1,9 +0,0 @@
 package mitm
 import (
 	_ "net/http"
 	_ "unsafe"
 )
 //go:linkname validMethod net/http.validMethod
 func validMethod(method string) bool
--- a/listener/mitm/proxy.go
+++ b/listener/mitm/proxy.go
@@ -1,349 +0,0 @@
 package mitm
 import (
 	"bufio"
 	"bytes"
 	"context"
 	"crypto/tls"
 	"encoding/pem"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/netip"
 	"os"
 	"strings"
 	"time"
 	"github.com/Dreamacro/clash/common/cache"
 	N "github.com/Dreamacro/clash/common/net"
 	C "github.com/Dreamacro/clash/constant"
 	H "github.com/Dreamacro/clash/listener/http"
 )
 func HandleConn(c net.Conn, opt *Option, in chan<- C.ConnContext, cache *cache.LruCache[string, bool]) {
 	var (
 		clientIP   = netip.MustParseAddrPort(c.RemoteAddr().String()).Addr()
 		sourceAddr net.Addr
 		serverConn *N.BufferedConn
 		connState  *tls.ConnectionState
 	)
 	defer func() {
 		if serverConn != nil {
 			_ = serverConn.Close()
 		}
 	}()
 	conn := N.NewBufferedConn(c)
 	trusted := cache == nil // disable authenticate if cache is nil
 	if !trusted {
 		trusted = clientIP.IsLoopback() || clientIP.IsUnspecified()
 	}
 readLoop:
 	for {
 		// use SetReadDeadline instead of Proxy-Connection keep-alive
 		if err := conn.SetReadDeadline(time.Now().Add(65 * time.Second)); err != nil {
 			break
 		}
 		request, err := H.ReadRequest(conn.Reader())
 		if err != nil {
 			break
 		}
 		var response *http.Response
 		session := newSession(conn, request, response)
 		sourceAddr = parseSourceAddress(session.request, conn.RemoteAddr(), sourceAddr)
 		session.request.RemoteAddr = sourceAddr.String()
 		if !trusted {
 			session.response = H.Authenticate(session.request, cache)
 			trusted = session.response == nil
 		}
 		if trusted {
 			if session.request.Method == http.MethodConnect {
 				if session.request.ProtoMajor > 1 {
 					session.request.ProtoMajor = 1
 					session.request.ProtoMinor = 1
 				}
 				// Manual writing to support CONNECT for http 1.0 (workaround for uplay client)
 				if _, err = fmt.Fprintf(session.conn, "HTTP/%d.%d %03d %s\r\n\r\n", session.request.ProtoMajor, session.request.ProtoMinor, http.StatusOK, "Connection established"); err != nil {
 					handleError(opt, session, err)
 					break // close connection
 				}
 				if strings.HasSuffix(session.request.URL.Host, ":80") {
 					goto readLoop
 				}
 				b, err1 := conn.Peek(1)
 				if err1 != nil {
 					handleError(opt, session, err1)
 					break // close connection
 				}
 				// TLS handshake.
 				if b[0] == 0x16 {
 					tlsConn := tls.Server(conn, opt.CertConfig.NewTLSConfigForHost(session.request.URL.Hostname()))
 					ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
 					// handshake with the local client
 					if err = tlsConn.HandshakeContext(ctx); err != nil {
 						cancel()
 						session.response = session.NewErrorResponse(fmt.Errorf("handshake failed: %w", err))
 						_ = writeResponse(session, false)
 						break // close connection
 					}
 					cancel()
 					cs := tlsConn.ConnectionState()
 					connState = &cs
 					conn = N.NewBufferedConn(tlsConn)
 				}
 				if strings.HasSuffix(session.request.URL.Host, ":443") {
 					goto readLoop
 				}
 				if conn.SetReadDeadline(time.Now().Add(time.Second)) != nil {
 					break
 				}
 				buf, err2 := conn.Peek(7)
 				if err2 != nil {
 					if err2 != bufio.ErrBufferFull && !os.IsTimeout(err2) {
 						handleError(opt, session, err2)
 						break // close connection
 					}
 				}
 				// others protocol over tcp
 				if !isHTTPTraffic(buf) {
 					if connState != nil {
 						session.request.TLS = connState
 					}
 					serverConn, err = getServerConn(serverConn, session.request, sourceAddr, in)
 					if err != nil {
 						break
 					}
 					if conn.SetReadDeadline(time.Time{}) != nil {
 						break
 					}
 					N.Relay(serverConn, conn)
 					return // hijack connection
 				}
 				goto readLoop
 			}
 			prepareRequest(connState, session.request)
 			// hijack api
 			if session.request.URL.Hostname() == opt.ApiHost {
 				if err = handleApiRequest(session, opt); err != nil {
 					handleError(opt, session, err)
 				}
 				break
 			}
 			// forward websocket
 			if isWebsocketRequest(request) {
 				serverConn, err = getServerConn(serverConn, session.request, sourceAddr, in)
 				if err != nil {
 					break
 				}
 				session.request.RequestURI = ""
 				if session.response = H.HandleUpgradeY(conn, serverConn, request, in); session.response == nil {
 					return // hijack connection
 				}
 			}
 			if session.response == nil {
 				H.RemoveHopByHopHeaders(session.request.Header)
 				H.RemoveExtraHTTPHostPort(session.request)
 				// hijack custom request and write back custom response if necessary
 				newReq, newRes := opt.Handler.HandleRequest(session)
 				if newReq != nil {
 					session.request = newReq
 				}
 				if newRes != nil {
 					session.response = newRes
 					if err = writeResponse(session, false); err != nil {
 						handleError(opt, session, err)
 						break
 					}
 					continue
 				}
 				session.request.RequestURI = ""
 				if session.request.URL.Host == "" {
 					session.response = session.NewErrorResponse(ErrInvalidURL)
 				} else {
 					serverConn, err = getServerConn(serverConn, session.request, sourceAddr, in)
 					if err != nil {
 						break
 					}
 					// send the request to remote server
 					err = session.request.Write(serverConn)
 					if err != nil {
 						break
 					}
 					session.response, err = http.ReadResponse(serverConn.Reader(), request)
 					if err != nil {
 						break
 					}
 				}
 			}
 		}
 		if err = writeResponseWithHandler(session, opt); err != nil {
 			handleError(opt, session, err)
 			break // close connection
 		}
 	}
 	_ = conn.Close()
 }
 func writeResponseWithHandler(session *Session, opt *Option) error {
 	res := opt.Handler.HandleResponse(session)
 	if res != nil {
 		session.response = res
 	}
 	return writeResponse(session, true)
 }
 func writeResponse(session *Session, keepAlive bool) error {
 	H.RemoveHopByHopHeaders(session.response.Header)
 	if keepAlive {
 		session.response.Header.Set("Connection", "keep-alive")
 		session.response.Header.Set("Keep-Alive", "timeout=60")
 	}
 	return session.writeResponse()
 }
 func handleApiRequest(session *Session, opt *Option) error {
 	if opt.CertConfig != nil && strings.ToLower(session.request.URL.Path) == "/cert.crt" {
 		b := pem.EncodeToMemory(&pem.Block{
 			Type:  "CERTIFICATE",
 			Bytes: opt.CertConfig.GetCA().Raw,
 		})
 		session.response = session.NewResponse(http.StatusOK, bytes.NewReader(b))
 		session.response.Close = true
 		session.response.Header.Set("Content-Type", "application/x-x509-ca-cert")
 		session.response.ContentLength = int64(len(b))
 		return session.writeResponse()
 	}
 	b := `<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
 <title>Clash MITM Proxy Services - 404 Not Found</title>
 </head><body>
 <h1>Not Found</h1>
 <p>The requested URL %s was not found on this server.</p>
 </body></html>
 `
 	if opt.Handler.HandleApiRequest(session) {
 		return nil
 	}
 	b = fmt.Sprintf(b, session.request.URL.Path)
 	session.response = session.NewResponse(http.StatusNotFound, bytes.NewReader([]byte(b)))
 	session.response.Close = true
 	session.response.Header.Set("Content-Type", "text/html;charset=utf-8")
 	session.response.ContentLength = int64(len(b))
 	return session.writeResponse()
 }
 func handleError(opt *Option, session *Session, err error) {
 	if session.response != nil {
 		defer func() {
 			_, _ = io.Copy(io.Discard, session.response.Body)
 			_ = session.response.Body.Close()
 		}()
 	}
 	opt.Handler.HandleError(session, err)
 }
 func prepareRequest(connState *tls.ConnectionState, request *http.Request) {
 	host := request.Header.Get("Host")
 	if host != "" {
 		request.Host = host
 	}
 	if request.URL.Host == "" {
 		request.URL.Host = request.Host
 	}
 	if request.URL.Scheme == "" {
 		request.URL.Scheme = "http"
 	}
 	if connState != nil {
 		request.TLS = connState
 		request.URL.Scheme = "https"
 	}
 	if request.Header.Get("Accept-Encoding") != "" {
 		request.Header.Set("Accept-Encoding", "gzip")
 	}
 }
 func parseSourceAddress(req *http.Request, connSource, source net.Addr) net.Addr {
 	if source != nil {
 		return source
 	}
 	sourceAddress := req.Header.Get("Origin-Request-Source-Address")
 	if sourceAddress == "" {
 		return connSource
 	}
 	req.Header.Del("Origin-Request-Source-Address")
 	addrPort, err := netip.ParseAddrPort(sourceAddress)
 	if err != nil {
 		return connSource
 	}
 	return &net.TCPAddr{
 		IP:   addrPort.Addr().AsSlice(),
 		Port: int(addrPort.Port()),
 	}
 }
 func isWebsocketRequest(req *http.Request) bool {
 	return strings.EqualFold(req.Header.Get("Connection"), "Upgrade") && strings.EqualFold(req.Header.Get("Upgrade"), "websocket")
 }
 func isHTTPTraffic(buf []byte) bool {
 	method, _, _ := strings.Cut(string(buf), " ")
 	return validMethod(method)
 }
--- a/listener/mitm/server.go
+++ b/listener/mitm/server.go
@@ -1,88 +0,0 @@
 package mitm
 import (
 	"crypto/tls"
 	"github.com/Dreamacro/clash/common/cache"
 	"github.com/Dreamacro/clash/common/cert"
 	C "github.com/Dreamacro/clash/constant"
 	"net"
 	"net/http"
 )
 type Handler interface {
 	HandleRequest(*Session) (*http.Request, *http.Response) // Session.Response maybe nil
 	HandleResponse(*Session) *http.Response
 	HandleApiRequest(*Session) bool
 	HandleError(*Session, error) // Session maybe nil
 }
 type Option struct {
 	Addr    string
 	ApiHost string
 	TLSConfig  *tls.Config
 	CertConfig *cert.Config
 	Handler Handler
 }
 type Listener struct {
 	*Option
 	listener net.Listener
 	addr     string
 	closed   bool
 }
 // RawAddress implements C.Listener
 func (l *Listener) RawAddress() string {
 	return l.addr
 }
 // Address implements C.Listener
 func (l *Listener) Address() string {
 	return l.listener.Addr().String()
 }
 // Close implements C.Listener
 func (l *Listener) Close() error {
 	l.closed = true
 	return l.listener.Close()
 }
 // New the MITM proxy actually is a type of HTTP proxy
 func New(option *Option, in chan<- C.ConnContext) (*Listener, error) {
 	return NewWithAuthenticate(option, in, true)
 }
 func NewWithAuthenticate(option *Option, in chan<- C.ConnContext, authenticate bool) (*Listener, error) {
 	l, err := net.Listen("tcp", option.Addr)
 	if err != nil {
 		return nil, err
 	}
 	var c *cache.LruCache[string, bool]
 	if authenticate {
 		c = cache.New[string, bool](cache.WithAge[string, bool](90))
 	}
 	hl := &Listener{
 		listener: l,
 		addr:     option.Addr,
 		Option:   option,
 	}
 	go func() {
 		for {
 			conn, err1 := hl.listener.Accept()
 			if err1 != nil {
 				if hl.closed {
 					break
 				}
 				continue
 			}
 			go HandleConn(conn, option, in, c)
 		}
 	}()
 	return hl, nil
 }
--- a/listener/mitm/session.go
+++ b/listener/mitm/session.go
@@ -1,59 +0,0 @@
 package mitm
 import (
 	"io"
 	"net"
 	"net/http"
 )
 type Session struct {
 	conn     net.Conn
 	request  *http.Request
 	response *http.Response
 	props map[string]any
 }
 func (s *Session) Request() *http.Request {
 	return s.request
 }
 func (s *Session) Response() *http.Response {
 	return s.response
 }
 func (s *Session) GetProperties(key string) (any, bool) {
 	v, ok := s.props[key]
 	return v, ok
 }
 func (s *Session) SetProperties(key string, val any) {
 	s.props[key] = val
 }
 func (s *Session) NewResponse(code int, body io.Reader) *http.Response {
 	return NewResponse(code, body, s.request)
 }
 func (s *Session) NewErrorResponse(err error) *http.Response {
 	return NewErrorResponse(s.request, err)
 }
 func (s *Session) writeResponse() error {
 	if s.response == nil {
 		return ErrInvalidResponse
 	}
 	defer func(resp *http.Response) {
 		_ = resp.Body.Close()
 	}(s.response)
 	return s.response.Write(s.conn)
 }
 func newSession(conn net.Conn, request *http.Request, response *http.Response) *Session {
 	return &Session{
 		conn:     conn,
 		request:  request,
 		response: response,
 		props:    map[string]any{},
 	}
 }
--- a/listener/mitm/utils.go
+++ b/listener/mitm/utils.go
@@ -1,95 +0,0 @@
 package mitm
 import (
 	"bytes"
 	"compress/gzip"
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"net/http"
 	"time"
 	"golang.org/x/text/encoding/charmap"
 	"golang.org/x/text/transform"
 )
 var (
 	ErrInvalidResponse = errors.New("invalid response")
 	ErrInvalidURL      = errors.New("invalid URL")
 )
 func NewResponse(code int, body io.Reader, req *http.Request) *http.Response {
 	if body == nil {
 		body = &bytes.Buffer{}
 	}
 	rc, ok := body.(io.ReadCloser)
 	if !ok {
 		rc = ioutil.NopCloser(body)
 	}
 	res := &http.Response{
 		StatusCode: code,
 		Status:     fmt.Sprintf("%d %s", code, http.StatusText(code)),
 		Proto:      "HTTP/1.1",
 		ProtoMajor: 1,
 		ProtoMinor: 1,
 		Header:     http.Header{},
 		Body:       rc,
 		Request:    req,
 	}
 	if req != nil {
 		res.Close = req.Close
 		res.Proto = req.Proto
 		res.ProtoMajor = req.ProtoMajor
 		res.ProtoMinor = req.ProtoMinor
 	}
 	return res
 }
 func NewErrorResponse(req *http.Request, err error) *http.Response {
 	res := NewResponse(http.StatusBadGateway, nil, req)
 	res.Close = true
 	date := res.Header.Get("Date")
 	if date == "" {
 		date = time.Now().Format(http.TimeFormat)
 	}
 	w := fmt.Sprintf(`199 "clash" %q %q`, err.Error(), date)
 	res.Header.Add("Warning", w)
 	return res
 }
 func ReadDecompressedBody(res *http.Response) ([]byte, error) {
 	rBody := res.Body
 	if res.Header.Get("Content-Encoding") == "gzip" {
 		gzReader, err := gzip.NewReader(rBody)
 		if err != nil {
 			return nil, err
 		}
 		rBody = gzReader
 		defer func(gzReader *gzip.Reader) {
 			_ = gzReader.Close()
 		}(gzReader)
 	}
 	return ioutil.ReadAll(rBody)
 }
 func DecodeLatin1(reader io.Reader) (string, error) {
 	r := transform.NewReader(reader, charmap.ISO8859_1.NewDecoder())
 	b, err := ioutil.ReadAll(r)
 	if err != nil {
 		return "", err
 	}
 	return string(b), nil
 }
 func EncodeLatin1(str string) ([]byte, error) {
 	return charmap.ISO8859_1.NewEncoder().Bytes([]byte(str))
 }
--- a/listener/mixed/mixed.go
+++ b/listener/mixed/mixed.go
@@ -1,9 +1,9 @@
 package mixed
 import (
 	"github.com/Dreamacro/clash/adapter/inbound"
 	"net"
 	"github.com/Dreamacro/clash/adapter/inbound"
 	"github.com/Dreamacro/clash/common/cache"
 	N "github.com/Dreamacro/clash/common/net"
 	C "github.com/Dreamacro/clash/constant"
@@ -70,7 +70,7 @@ func New(addr string, in chan<- C.ConnContext, additions ...inbound.Addition) (*
 }
 func handleConn(conn net.Conn, in chan<- C.ConnContext, cache *cache.LruCache[string, bool], additions ...inbound.Addition) {
-	N.TCPKeepAlive(conn)
+	conn.(*net.TCPConn).SetKeepAlive(true)
 	bufConn := N.NewBufferedConn(conn)
 	head, err := bufConn.Peek(1)
--- a/listener/redir/tcp.go
+++ b/listener/redir/tcp.go
@@ -4,7 +4,6 @@ import (
 	"net"
 	"github.com/Dreamacro/clash/adapter/inbound"
 	N "github.com/Dreamacro/clash/common/net"
 	C "github.com/Dreamacro/clash/constant"
 )
@@ -67,6 +66,6 @@ func handleRedir(conn net.Conn, in chan<- C.ConnContext, additions ...inbound.Ad
 		conn.Close()
 		return
 	}
-	N.TCPKeepAlive(conn)
+	conn.(*net.TCPConn).SetKeepAlive(true)
 	in <- inbound.NewSocket(target, conn, C.REDIR, additions...)
 }
--- a/listener/shadowsocks/tcp.go
+++ b/listener/shadowsocks/tcp.go
@@ -59,7 +59,7 @@ func New(config LC.ShadowsocksServer, tcpIn chan<- C.ConnContext, udpIn chan<- C
 					}
 					continue
 				}
-				N.TCPKeepAlive(c)
+				_ = c.(*net.TCPConn).SetKeepAlive(true)
 				go sl.HandleConn(c, tcpIn)
 			}
 		}()
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Larvan2	53f9e1ee71	Revert "chore: update quic-go to 0.36.0" This reverts commit `2284acce94`.	2023-06-29 14:25:25 +08:00
wwqgtxx	fa94403629	chore: better resolv.conf parsing	2023-06-29 14:25:25 +08:00
Skyxim	1beb2919e7	fix: panic when add 4in6 ipcidr	2023-06-29 14:25:25 +08:00
wwqgtxx	75c5d0482e	chore: better close single connection in restful api	2023-06-29 14:25:25 +08:00
wwqgtxx	55bcabdf46	chore: statistic's Snapshot only contains TrackerInfo	2023-06-29 14:25:25 +08:00
wwqgtxx	abf80601e1	chore: avoid unneeded map copy when close connection in restful api	2023-06-29 14:25:25 +08:00
wwqgtxx	26f97b45d6	chore: update quic-go to 0.36.0	2023-06-29 14:25:25 +08:00
wwqgtxx	29315ce8e5	fix: tuic server cwnd parsing	2023-06-29 14:25:25 +08:00
wwqgtxx	65f84d21ea	chore: tuic server can handle V4 and V5 in same port	2023-06-29 14:25:25 +08:00
Larvan2	e3ac58bc51	chore: fix TUIC cwnd parsing	2023-06-29 14:25:25 +08:00
wwqgtxx	c66438d794	Revert "chore: Refine adapter type name" This reverts commit `61734e5cac`.	2023-06-29 14:25:25 +08:00
wwqgtxx	411e587460	chore: function rename	2023-06-29 14:25:25 +08:00
wwqgtxx	6cc9c68458	chore: Update dependencies	2023-06-29 14:25:25 +08:00
xishang0128	d1c858d7ff	update docs	2023-06-29 14:25:25 +08:00
Larvan2	3eef1ee064	chore: adjustable cwnd for cc in quic	2023-06-29 14:25:25 +08:00
H1JK	514d374b8c	chore: Refine adapter type name	2023-06-29 14:25:25 +08:00
汐殇	a2334430c1	feat: optional provider path (#624 )	2023-06-29 14:25:25 +08:00
H1JK	c8a3d6edd9	Add REALITY ChaCha20-Poly1305 auth mode support	2023-06-29 14:25:25 +08:00
wwqgtxx	bda2ca3c13	fix: singmux return wrong supportUDP value	2023-06-29 14:25:25 +08:00
wwqgtxx	f4b734c74c	fix: tuicV5's heartbeat should be a datagram packet	2023-06-29 14:25:25 +08:00
Skyxim	c2cdf43239	fix: dns concurrent not work	2023-06-29 14:25:25 +08:00
wwqgtxx	b939c81d3e	feat: support tuicV5	2023-06-29 14:25:25 +08:00
wwqgtxx	0e92496eeb	chore: Update dependencies	2023-06-29 14:25:25 +08:00
H1JK	ea482598e0	chore: Disable cache for RCode client	2023-06-29 14:25:25 +08:00
H1JK	16f3567ddc	feat: Add RCode DNS client	2023-06-29 14:25:25 +08:00
Skyxim	73f8da091e	chore: allow unsafe path for provider by environment variable	2023-06-29 14:25:25 +08:00
H1JK	6bdaadc581	chore: Replace murmur3 with maphash	2023-06-29 14:25:24 +08:00
Skyxim	73a2cf593e	chore: reduce process lookup attempts when process not exist #613	2023-06-29 14:25:24 +08:00
H1JK	665bfcab2d	fix: Disable XUDP global ID if source address invalid	2023-06-29 14:25:24 +08:00
wwqgtxx	8be860472a	chore: init gopacket only when dial fake-tcp to decrease memory using	2023-06-29 14:25:24 +08:00
H1JK	1ec74f13f7	feat: Add XUDP migration support	2023-06-29 14:25:24 +08:00
Larvan2	564b834e00	fix: Resolve delay omission in the presence of nested proxy-groups	2023-06-29 14:25:24 +08:00
wzdnzd	da04e00767	When testing the delay through REST API, determine whether to store the delay data based on certain conditions instead of discarding it directly (#609 )	2023-06-29 14:25:24 +08:00
wwqgtxx	e0faffbfbd	fix: go1.19 compile	2023-06-29 14:25:24 +08:00
タイムライン	a0c7641ad5	chore: Something update from clash :) (#606 )	2023-06-29 14:25:24 +08:00
wzdnzd	1f592c43de	fix: nil pointer in urltest (#603 )	2023-06-29 14:25:24 +08:00
Mars160	4d7350923c	fix hysteria faketcp lookback in TUN mode (#601 )	2023-06-29 14:25:24 +08:00
Larvan2	76a7945994	chore: Ignore PR in Docker build	2023-06-29 14:25:24 +08:00
wzdnzd	a2bbd1cc8d	ProxyProvider health check also supports specifying expected status (#600 ) Co-authored-by: wwqgtxx <wwqgtxx@gmail.com>	2023-06-29 14:25:24 +08:00
wzdnzd	4ec66d299a	[Feature] Proxy stores delay data of different URLs. And supports specifying different test URLs and expected statue by group (#588 ) Co-authored-by: Larvan2 <78135608+Larvan2@users.noreply.github.com> Co-authored-by: wwqgtxx <wwqgtxx@gmail.com>	2023-06-29 14:25:24 +08:00
wwqgtxx	4e46cbfbde	fix: hysteria faketcp loopback in tun mode	2023-06-29 14:25:24 +08:00
wwqgtxx	1a44dcee55	chore: update proxy's udpConn when received a new packet	2023-06-29 14:25:24 +08:00
wwqgtxx	6c7d1657a5	chore: update quic-go to 0.35.1	2023-06-29 14:25:24 +08:00
H1JK	38e210a851	chore: Update dependencies	2023-06-29 14:25:24 +08:00
wwqgtxx	359ee70daa	chore: update quic-go to 0.34.0	2023-06-29 14:25:24 +08:00
Larvan2	8d1251f128	chore: generate release note automatically	2023-06-09 12:59:59 +00:00
Larvan2	fb6a032872	chore: genReleaseNote support verrsion range This commit updates the release script to handle the input version range provided via command line options. Now, you can specify the version range using the '-v' option, such as '-v v1.14.1...v1.14.2', and the script will generate the release notes based on the specified range. The script parses the command line options, extracts the version range, and uses it in the 'git log' commands to capture the relevant commits. The output is then organized into different sections, including 'What's Changed', 'BUG & Fix', and 'Maintenance', along with the full changelog link. This enhancement improves the flexibility and usability of the release script, allowing users to generate release notes for specific version ranges easily. Co-authored-by: ChatGPT	2023-06-03 10:25:00 +00:00
Skyxim	47ad8e08be	chore: Random only if the certificate and private-key are empty	2023-06-03 10:02:31 +00:00
H1JK	e1af4ddda3	chore: Reject packet conn implement wait read	2023-06-03 10:01:50 +00:00
Larvan2	58e05c42c9	fix: handle manually select in url-test	2023-06-03 09:55:29 +00:00
Larvan2	880cc90e10	Merge branch 'Alpha' into Meta	2023-06-03 09:54:25 +00:00
Skyxim	a4334e1d52	fix: wildcard matching problem (#536 )	2023-04-29 01:10:55 +08:00
Larvan2	3ba94842cc	chore: update genReleaseNote.sh	2023-04-28 07:29:58 +00:00
Larvan2	a266589faf	Merge branch 'Alpha' into Meta	2023-04-28 07:05:21 +00:00
Skyxim	d9319ec09a	chore: update bug_report	2023-04-27 12:19:59 +00:00
Larvan2	070f8f8949	Merge branch 'Alpha' into Meta	2023-04-26 14:14:46 +00:00
Larvan2	bf3c6a044c	chore: update templates	2023-04-14 05:26:44 +00:00
Larvan2	d6d2d90502	add issue templates	2023-04-04 06:45:21 +00:00
Larvan2	a1d0f4c6ee	chore: rename delete.yml	2023-03-31 06:34:23 +00:00
Larvan2	d569d8186d	chore: add genReleaseNote.sh	2023-03-30 16:43:05 +00:00
Larvan2	9b7aab1fc7	chore: rename delete.yml	2023-03-30 16:04:09 +00:00
Larvan2	3c717097cb	Merge branch 'Alpha' into Meta	2023-03-30 16:03:47 +00:00
wwqgtxx	8293b7fdae	Merge branch 'Beta' into Meta # Conflicts: # .github/workflows/docker.yaml # .github/workflows/prerelease.yml	2023-02-19 01:25:34 +08:00
wwqgtxx	0ba415866e	Merge branch 'Alpha' into Beta	2023-02-19 01:25:01 +08:00
Larvan2	53b41ca166	Chore: Add action for deleting old workflow	2023-01-30 18:17:22 +08:00
metacubex	8a75f78e63	chore: adjust Dockerfile	2023-01-12 02:24:12 +08:00
metacubex	d9692c6366	Merge branch 'Beta' into Meta	2023-01-12 02:15:14 +08:00
metacubex	f4b0062dfc	Merge branch 'Alpha' into Beta	2023-01-12 02:14:49 +08:00
metacubex	b9ffc82e53	Merge branch 'Beta' into Meta	2023-01-12 01:33:56 +08:00
metacubex	78aaea6a45	Merge branch 'Alpha' into Beta	2023-01-12 01:33:16 +08:00
cubemaze	3645fbf161	Merge pull request #327 from Rasphino/Meta Update flake.nix hash	2023-01-08 00:29:29 +08:00
Rasphino	a1d0f22132	fix: update flake.nix hash	2023-01-07 23:38:32 +08:00
metacubex	fa73b0f4bf	Merge remote-tracking branch 'origin/Beta' into Meta	2023-01-01 19:41:36 +08:00
metacubex	3b76a8b839	Merge remote-tracking branch 'origin/Alpha' into Beta	2023-01-01 19:40:36 +08:00
cubemaze	667f42dcdc	Merge pull request #282 from tdjnodj/Meta Update README.md	2022-12-03 17:23:51 +08:00
tdjnodj	dfbe09860f	Update README.md	2022-12-03 17:17:08 +08:00
metacubex	9e20f9c26a	chore: update dependencies	2022-11-28 20:33:10 +08:00
Skimmle	f968d0cb82	chore: update github action	2022-11-26 20:16:12 +08:00
metacubex	2ad84f4379	Merge branch 'Beta' into Meta	2022-11-02 18:08:22 +08:00
metacubex	c7aa16426f	Merge branch 'Alpha' into Beta	2022-11-02 18:07:29 +08:00
Skyxim	5987f8e3b5	Merge branch 'Beta' into Meta	2022-08-29 13:08:29 +08:00
Skyxim	3a8eb72de2	Merge branch 'Alpha' into Beta	2022-08-29 13:08:22 +08:00
zhudan	33abbdfd24	Merge pull request #174 from MetaCubeX/Alpha Alpha	2022-08-29 11:24:07 +08:00
zhudan	0703d6cbff	Merge pull request #173 from MetaCubeX/Alpha Alpha	2022-08-29 11:22:14 +08:00
Skyxim	10d2d14938	Merge branch 'Beta' into Meta # Conflicts: # rules/provider/classical_strategy.go	2022-07-02 10:41:41 +08:00
wwqgtxx	691cf1d8d6	Merge pull request #94 from bash99/Meta Update README.md	2022-06-15 19:15:51 +08:00
bash99	d1decb8e58	Update README.md add permissions for systemctl services clash-dashboard change to updated one	2022-06-15 14:00:05 +08:00
Skyxim	7d04904109	fix: leak dns when domain in hosts list	2022-06-11 18:51:26 +08:00
Skyxim	a5acd3aa97	refactor: clear linkname,reduce cycle dependencies,transport init geosite function	2022-06-11 18:51:22 +08:00
Skyxim	eea9a12560	fix: 规则匹配默认策略组返回错误	2022-06-09 14:18:35 +08:00
adlyq	0a4570b55c	fix: group filter touch provider	2022-06-09 14:18:29 +08:00