Chore: update dependencies

`header` value is type of string array
header:
  Accept:
    - 'application/vnd.github.v3.raw'
  Authorization:
    - ' token xxxxxxxxxxx'
  User-Agent:
    - 'Clash/v1.10.6'

`prefix-name` add a prefix to proxy name
prefix-name: 'XXX-'

.github/workflows/docker.yml

@@ -3,8 +3,7 @@ on:
   push:
     branches:
       - rm
-    tags:
+
-      - '*'
 jobs:
 
   build:

.github/workflows/release.yml

@@ -38,24 +38,24 @@ jobs:
           go test ./...
 
       - name: Build
-        #if: startsWith(github.ref, 'refs/tags/')
+        if: startsWith(github.ref, 'refs/tags/')
         env:
           NAME: clash
           BINDIR: bin
         run: make -j releases
 
-      - name: Prepare upload
+      #- name: Prepare upload
-        run: |
+      #  run: |
-          echo "FILE_DATE=_$(date +"%Y%m%d%H%M")" >> $GITHUB_ENV
+      #    echo "FILE_DATE=_$(date +"%Y%m%d%H%M")" >> $GITHUB_ENV
-          echo "FILE_SHA=$(git describe --tags --always 2>/dev/null)" >> $GITHUB_ENV
+      #    echo "FILE_SHA=$(git describe --tags --always 2>/dev/null)" >> $GITHUB_ENV
-
+      #
-      - name: Upload files to Artifacts
+      #- name: Upload files to Artifacts
-        uses: actions/upload-artifact@v2
+      #  uses: actions/upload-artifact@v2
-        if: startsWith(github.ref, 'refs/tags/') == false
+      #  if: startsWith(github.ref, 'refs/tags/') == false
-        with:
+      #  with:
-          name: clash_${{ env.FILE_SHA }}${{ env.FILE_DATE }}
+      #    name: clash_${{ env.FILE_SHA }}${{ env.FILE_DATE }}
-          path: |
+      #    path: |
-            bin/*
+      #      bin/*
 
       - name: Upload Release
         uses: softprops/action-gh-release@v1
@@ -66,8 +66,8 @@ jobs:
           prerelease: true
           generate_release_notes: true
 
-      - name: Delete workflow runs
+      #- name: Delete workflow runs
-        uses: GitRML/delete-workflow-runs@main
+      #  uses: GitRML/delete-workflow-runs@main
-        with:
+      #  with:
-          retain_days: 1
+      #    retain_days: 1
-          keep_minimum_runs: 2
+      #    keep_minimum_runs: 2

Makefile

@@ -1,6 +1,6 @@
 NAME=clash
 BINDIR=bin
-VERSION=$(shell git describe --tags --always 2>/dev/null ||  date +%F)
+VERSION=$(shell git describe --tags --always 2>/dev/null || echo "unknown version")
 BUILDTIME=$(shell date -u)
 GOBUILD=CGO_ENABLED=0 go build -trimpath -ldflags '-X "github.com/Dreamacro/clash/constant.Version=$(VERSION)" \
 		-X "github.com/Dreamacro/clash/constant.BuildTime=$(BUILDTIME)" \
@@ -16,7 +16,7 @@ PLATFORM_LIST = \
 	linux-armv5 \
 	linux-armv6 \
 	linux-armv7 \
-	linux-arm64 \
+	linux-armv8 \
 	linux-mips-softfloat \
 	linux-mips-hardfloat \
 	linux-mipsle-softfloat \
@@ -67,7 +67,7 @@ linux-armv6:
 linux-armv7:
 	GOARCH=arm GOOS=linux GOARM=7 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 
-linux-arm64:
+linux-armv8:
 	GOARCH=arm64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 
 linux-mips-softfloat:

README.md

@@ -13,11 +13,11 @@
     <img src="https://goreportcard.com/badge/github.com/Dreamacro/clash?style=flat-square">
   </a>
   <img src="https://img.shields.io/github/go-mod/go-version/Dreamacro/clash?style=flat-square">
-  <a href="https://github.com/Dreamacro/clash/releases">
+  <a href="https://github.com/yaling888/clash/releases">
-    <img src="https://img.shields.io/github/release/Dreamacro/clash/all.svg?style=flat-square">
+    <img src="https://img.shields.io/github/release/yaling888/clash/all.svg?style=flat-square">
   </a>
-  <a href="https://github.com/Dreamacro/clash/releases/tag/premium">
+  <a href="https://github.com/yaling888/clash/releases/tag/plus_pro">
-    <img src="https://img.shields.io/badge/release-Premium-00b4f0?style=flat-square">
+    <img src="https://img.shields.io/badge/release-Plus Pro-00b4f0?style=flat-square">
   </a>
 </p>
 
@@ -36,6 +36,13 @@
 Documentations are now moved to [GitHub Wiki](https://github.com/Dreamacro/clash/wiki).
 
 ## Advanced usage for this branch
+### General configuration
+```yaml
+sniffing: true # Sniff TLS SNI
+
+force-cert-verify: true # force verify TLS Certificate, prevent machine-in-the-middle attacks
+```
+
 ### MITM configuration
 A root CA certificate is required, the 
 MITM proxy server will generate a CA certificate file and a CA private key file in your Clash home directory, you can use your own certificate replace it. 
@@ -69,7 +76,7 @@ mitm:
 ```
 
 ### DNS configuration
-Support resolve ip with a proxy tunnel.
+Support resolve ip with a proxy tunnel or interface.
 
 Support `geosite` with `fallback-filter`.
 
@@ -89,8 +96,8 @@ Use `curl -X POST controllerip:port/cache/fakeip/flush` to flush persistence fak
      - https://doh.pub/dns-query
      - tls://223.5.5.5:853
    fallback:
+     - 'tls://8.8.4.4:853#proxy or interface'
      - 'https://1.0.0.1/dns-query#Proxy'  # append the proxy adapter name to the end of DNS URL with '#' prefix.
-     - 'tls://8.8.4.4:853#Proxy'
    fallback-filter:
      geoip: false
      geosite:
@@ -102,19 +109,59 @@ Use `curl -X POST controllerip:port/cache/fakeip/flush` to flush persistence fak
  ```
 
 ### TUN configuration
-Supports macOS, Linux and Windows.
+Simply add the following to the main configuration:
+
+#### NOTE:
+> auto-route and auto-detect-interface only available on macOS, Windows and Linux, receive IPv4 traffic
 
-On Windows, you should download the [Wintun](https://www.wintun.net) driver and copy `wintun.dll` into the system32 directory.
 ```yaml
-# Enable the TUN listener
 tun:
   enable: true
-  stack: gvisor # System or gVisor
+  stack: system # or gvisor
   # device: tun://utun8 # or fd://xxx, it's optional
-  dns-hijack: 
+  # dns-hijack:
-    - 0.0.0.0:53 # hijack all public
+  #   - 8.8.8.8:53
+  #   - tcp://8.8.8.8:53
+  #   - any:53
+  #   - tcp://any:53
+  auto-route: true # auto set global route
+  auto-detect-interface: true # conflict with interface-name
+```
+or
+```yaml
+interface-name: en0
+
+tun:
+  enable: true
+  stack: system # or gvisor
+  # dns-hijack:
+  #   - 8.8.8.8:53
+  #   - tcp://8.8.8.8:53
   auto-route: true # auto set global route
 ```
+It's recommended to use fake-ip mode for the DNS server.
+
+Clash needs elevated permission to create TUN device:
+```sh
+$ sudo ./clash
+```
+Then manually create the default route and DNS server. If your device already has some TUN device, Clash TUN might not work. In this case, fake-ip-filter may helpful.
+
+Enjoy! :)
+
+#### For Windows:
+```yaml
+tun:
+  enable: true
+  stack: gvisor # or system
+  dns-hijack:
+    - 198.18.0.2:53 # when `fake-ip-range` is 198.18.0.1/16, should hijack 198.18.0.2:53
+  auto-route: true # auto set global route for Windows
+  # It is recommended to use `interface-name`
+  auto-detect-interface: true # auto detect interface, conflict with `interface-name`
+```
+Finally, open the Clash
+
 ### Rules configuration
 - Support rule `GEOSITE`.
 - Support rule `USER-AGENT`.
@@ -167,7 +214,11 @@ Support outbound protocol `VLESS`.
 
 Support `Trojan` with XTLS.
 
-Currently XTLS only supports TCP transport.
+Support relay `UDP` traffic.
+
+Support filtering proxy providers in proxy groups.
+
+Support custom http request header, prefix name and V2Ray subscription URL in proxy providers.
 ```yaml
 proxies:
   # VLESS
@@ -204,6 +255,56 @@ proxies:
     # udp: true
     # sni: example.com # aka server name
     # skip-cert-verify: true
+
+proxy-groups:
+  # Relay chains the proxies. proxies shall not contain a relay.
+  # Support relay UDP traffic.
+  # Traffic: clash <-> ss1 <-> trojan <-> vmess <-> ss2 <-> Internet
+  - name: "relay-udp-over-tcp"
+    type: relay
+    proxies:
+      - ss1
+      - trojan
+      - vmess
+      - ss2
+
+  - name: "relay-raw-udp"
+    type: relay
+    proxies:
+      - ss1
+      - ss2
+      - ss3
+        
+  - name: "filtering-proxy-providers"
+    type: url-test
+    url: "http://www.gstatic.com/generate_204"
+    interval: 300
+    tolerance: 200
+    # lazy: true
+    filter: "XXX" # a regular expression
+    use:
+      - provider1
+
+proxy-providers:
+  provider1:
+    type: http
+    url: "url" # support V2Ray subscription URL
+    interval: 3600
+    path: ./providers/provider1.yaml
+    # filter: "xxx"
+    # prefix-name: "XXX-"
+    header:  # custom http request header
+      User-Agent:
+        - "Clash/v1.10.6"
+    #   Accept:
+    #     - 'application/vnd.github.v3.raw'
+    #   Authorization:
+    #     - ' token xxxxxxxxxxx'
+    health-check:
+      enable: false
+      interval: 1200
+      # lazy: false # default value is true
+      url: http://www.gstatic.com/generate_204
 ```
 
 ### IPTABLES configuration
@@ -220,7 +321,7 @@ iptables:
 Run Clash as a daemon.
 
 Create the systemd configuration file at /etc/systemd/system/clash.service:
-```shell
+```sh
 [Unit]
 Description=Clash daemon, A rule-based proxy in Go.
 After=network.target
@@ -235,22 +336,23 @@ ExecStart=/usr/local/bin/clash -d /etc/clash
 WantedBy=multi-user.target
 ```
 Launch clashd on system startup with:
-```shell
+```sh
 $ systemctl enable clash
 ```
 Launch clashd immediately with:
-```shell
+```sh
 $ systemctl start clash
 ```
 
 ### Display Process name
-To display process name online by click [https://yaling888.github.io/yacd/](https://yaling888.github.io/yacd/).
+To display process name online by click [http://yacd.clash-plus.cf](http://yacd.clash-plus.cf) for local API by Safari or [https://yacd.clash-plus.cf](https://yacd.clash-plus.cf) for local API by Chrome.
 
 You can download the [Dashboard](https://github.com/yaling888/yacd/archive/gh-pages.zip) into Clash home directory:
-```shell
+```sh
-cd ~/.config/clash
+$ cd ~/.config/clash
-curl -LJ https://github.com/yaling888/yacd/archive/gh-pages.zip -o dashboard.zip
+$ curl -LJ https://github.com/yaling888/yacd/archive/gh-pages.zip -o yacd-gh-pages.zip
-unzip dashboard.zip
+$ unzip yacd-gh-pages.zip
+$ mv yacd-gh-pages dashboard
 ```
 
 Add to config file:
@@ -260,6 +362,9 @@ external-ui: dashboard
 ```
 Open [http://127.0.0.1:9090/ui/](http://127.0.0.1:9090/ui/) by web browser.
 
+## Plus Pro Release
+[Release](https://github.com/yaling888/clash/releases/tag/plus_pro)
+
 ## Development
 If you want to build an application that uses clash as a library, check out the the [GitHub Wiki](https://github.com/Dreamacro/clash/wiki/use-clash-as-a-library)
 

adapter/adapter.go

@@ -3,14 +3,12 @@ package adapter
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"net/netip"
 	"net/url"
 	"time"
-	_ "unsafe"
 
 	"github.com/Dreamacro/clash/common/queue"
 	"github.com/Dreamacro/clash/component/dialer"
@@ -19,9 +17,6 @@ import (
 	"go.uber.org/atomic"
 )
 
-//go:linkname errCanceled net.errCanceled
-var errCanceled error
-
 type Proxy struct {
 	C.ProxyAdapter
 	history *queue.Queue[C.DelayHistory]
@@ -43,7 +38,7 @@ func (p *Proxy) Dial(metadata *C.Metadata) (C.Conn, error) {
 // DialContext implements C.ProxyAdapter
 func (p *Proxy) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	conn, err := p.ProxyAdapter.DialContext(ctx, metadata, opts...)
-	p.alive.Store(err == nil || errors.Is(err, errCanceled))
+	p.alive.Store(err == nil)
 	return conn, err
 }
 

adapter/outbound/base.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"io"
 	"net"
 
 	"github.com/Dreamacro/clash/component/dialer"
@@ -30,12 +31,17 @@ func (b *Base) Type() C.AdapterType {
 }
 
 // StreamConn implements C.ProxyAdapter
-func (b *Base) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+func (b *Base) StreamConn(c net.Conn, _ *C.Metadata) (net.Conn, error) {
+	return c, errors.New("no support")
+}
+
+// StreamPacketConn implements C.ProxyAdapter
+func (b *Base) StreamPacketConn(c net.Conn, _ *C.Metadata) (net.Conn, error) {
 	return c, errors.New("no support")
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (b *Base) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (b *Base) ListenPacketContext(_ context.Context, _ *C.Metadata, _ ...dialer.Option) (C.PacketConn, error) {
 	return nil, errors.New("no support")
 }
 
@@ -57,7 +63,7 @@ func (b *Base) Addr() string {
 }
 
 // Unwrap implements C.ProxyAdapter
-func (b *Base) Unwrap(metadata *C.Metadata) C.Proxy {
+func (b *Base) Unwrap(_ *C.Metadata) C.Proxy {
 	return nil
 }
 
@@ -133,6 +139,40 @@ func (c *packetConn) AppendToChains(a C.ProxyAdapter) {
 	c.chain = append(c.chain, a.Name())
 }
 
-func newPacketConn(pc net.PacketConn, a C.ProxyAdapter) C.PacketConn {
+func NewPacketConn(pc net.PacketConn, a C.ProxyAdapter) C.PacketConn {
 	return &packetConn{pc, []string{a.Name()}}
 }
+
+type wrapConn struct {
+	net.PacketConn
+}
+
+func (*wrapConn) Read([]byte) (int, error) {
+	return 0, io.EOF
+}
+
+func (*wrapConn) Write([]byte) (int, error) {
+	return 0, io.EOF
+}
+
+func (*wrapConn) RemoteAddr() net.Addr {
+	return nil
+}
+
+func WrapConn(packetConn net.PacketConn) net.Conn {
+	return &wrapConn{
+		PacketConn: packetConn,
+	}
+}
+
+func IsPacketConn(c net.Conn) bool {
+	if _, ok := c.(net.PacketConn); !ok {
+		return false
+	}
+
+	if ua, ok := c.LocalAddr().(*net.UnixAddr); ok {
+		return ua.Net == "unixgram"
+	}
+
+	return true
+}

adapter/outbound/direct.go

@@ -3,6 +3,7 @@ package outbound
 import (
 	"context"
 	"net"
+	"net/netip"
 
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
@@ -19,18 +20,26 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 	if err != nil {
 		return nil, err
 	}
+
 	tcpKeepAlive(c)
+
+	if !metadata.Resolved() && c.RemoteAddr() != nil {
+		if h, _, err := net.SplitHostPort(c.RemoteAddr().String()); err == nil {
+			metadata.DstIP = netip.MustParseAddr(h)
+		}
+	}
+
 	return NewConn(c, d), nil
 }
 
 // ListenPacketContext implements C.ProxyAdapter
-func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (d *Direct) ListenPacketContext(ctx context.Context, _ *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
 	opts = append(opts, dialer.WithDirect())
 	pc, err := dialer.ListenPacket(ctx, "udp", "", d.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, err
 	}
-	return newPacketConn(&directPacketConn{pc}, d), nil
+	return NewPacketConn(&directPacketConn{pc}, d), nil
 }
 
 type directPacketConn struct {

adapter/outbound/mitm.go

@@ -24,6 +24,7 @@ func (m *Mitm) DialContext(_ context.Context, metadata *C.Metadata, _ ...dialer.
 
 	_ = c.SetKeepAlive(true)
 	_ = c.SetKeepAlivePeriod(60 * time.Second)
+	_ = c.SetLinger(0)
 
 	metadata.Type = C.MITM
 

adapter/outbound/reject.go

@@ -48,7 +48,7 @@ func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 
 // ListenPacketContext implements C.ProxyAdapter
 func (r *Reject) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	return newPacketConn(&nopPacketConn{}, r), nil
+	return NewPacketConn(&nopPacketConn{}, r), nil
 }
 
 func NewReject() *Reject {

adapter/outbound/shadowsocks.go

@@ -10,11 +10,10 @@ import (
 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/transport/shadowsocks/core"
 	obfs "github.com/Dreamacro/clash/transport/simple-obfs"
 	"github.com/Dreamacro/clash/transport/socks5"
 	v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"
-
-	"github.com/Dreamacro/go-shadowsocks2/core"
 )
 
 type ShadowSocks struct {
@@ -74,6 +73,21 @@ func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, e
 	return c, err
 }
 
+// StreamPacketConn implements C.ProxyAdapter
+func (ss *ShadowSocks) StreamPacketConn(c net.Conn, _ *C.Metadata) (net.Conn, error) {
+	if !IsPacketConn(c) {
+		return c, fmt.Errorf("%s connect error: can not convert net.Conn to net.PacketConn", ss.addr)
+	}
+
+	addr, err := resolveUDPAddr("udp", ss.addr)
+	if err != nil {
+		return c, err
+	}
+
+	pc := ss.cipher.PacketConn(c.(net.PacketConn))
+	return WrapConn(&ssPacketConn{PacketConn: pc, rAddr: addr}), nil
+}
+
 // DialContext implements C.ProxyAdapter
 func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	c, err := dialer.DialContext(ctx, "tcp", ss.addr, ss.Base.DialOptions(opts...)...)
@@ -95,14 +109,13 @@ func (ss *ShadowSocks) ListenPacketContext(ctx context.Context, metadata *C.Meta
 		return nil, err
 	}
 
-	addr, err := resolveUDPAddr("udp", ss.addr)
+	c, err := ss.StreamPacketConn(WrapConn(pc), metadata)
 	if err != nil {
-		pc.Close()
+		_ = pc.Close()
 		return nil, err
 	}
 
-	pc = ss.cipher.PacketConn(pc)
+	return NewPacketConn(c.(net.PacketConn), ss), nil
-	return newPacketConn(&ssPacketConn{PacketConn: pc, rAddr: addr}, ss), nil
 }
 
 func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {

adapter/outbound/shadowsocksr.go

@@ -8,12 +8,11 @@ import (
 
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/transport/shadowsocks/core"
+	"github.com/Dreamacro/clash/transport/shadowsocks/shadowaead"
+	"github.com/Dreamacro/clash/transport/shadowsocks/shadowstream"
 	"github.com/Dreamacro/clash/transport/ssr/obfs"
 	"github.com/Dreamacro/clash/transport/ssr/protocol"
-
-	"github.com/Dreamacro/go-shadowsocks2/core"
-	"github.com/Dreamacro/go-shadowsocks2/shadowaead"
-	"github.com/Dreamacro/go-shadowsocks2/shadowstream"
 )
 
 type ShadowSocksR struct {
@@ -59,6 +58,22 @@ func (ssr *ShadowSocksR) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn,
 	return c, err
 }
 
+// StreamPacketConn implements C.ProxyAdapter
+func (ssr *ShadowSocksR) StreamPacketConn(c net.Conn, _ *C.Metadata) (net.Conn, error) {
+	if !IsPacketConn(c) {
+		return c, fmt.Errorf("%s connect error: can not convert net.Conn to net.PacketConn", ssr.addr)
+	}
+
+	addr, err := resolveUDPAddr("udp", ssr.addr)
+	if err != nil {
+		return c, err
+	}
+
+	pc := ssr.cipher.PacketConn(c.(net.PacketConn))
+	pc = ssr.protocol.PacketConn(pc)
+	return WrapConn(&ssPacketConn{PacketConn: pc, rAddr: addr}), nil
+}
+
 // DialContext implements C.ProxyAdapter
 func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	c, err := dialer.DialContext(ctx, "tcp", ssr.addr, ssr.Base.DialOptions(opts...)...)
@@ -80,15 +95,13 @@ func (ssr *ShadowSocksR) ListenPacketContext(ctx context.Context, metadata *C.Me
 		return nil, err
 	}
 
-	addr, err := resolveUDPAddr("udp", ssr.addr)
+	c, err := ssr.StreamPacketConn(WrapConn(pc), metadata)
 	if err != nil {
-		pc.Close()
+		_ = pc.Close()
 		return nil, err
 	}
 
-	pc = ssr.cipher.PacketConn(pc)
+	return NewPacketConn(c.(net.PacketConn), ssr), nil
-	pc = ssr.protocol.PacketConn(pc)
-	return newPacketConn(&ssPacketConn{PacketConn: pc, rAddr: addr}, ssr), nil
 }
 
 func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {

adapter/outbound/snell.go

@@ -58,6 +58,18 @@ func (s *Snell) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	return c, err
 }
 
+// StreamPacketConn implements C.ProxyAdapter
+func (s *Snell) StreamPacketConn(c net.Conn, _ *C.Metadata) (net.Conn, error) {
+	c = streamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})
+
+	err := snell.WriteUDPHeader(c, s.version)
+	if err != nil {
+		return c, err
+	}
+
+	return WrapConn(snell.PacketConn(c)), nil
+}
+
 // DialContext implements C.ProxyAdapter
 func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	if s.version == snell.Version2 && len(opts) == 0 {
@@ -68,7 +80,7 @@ func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 
 		port, _ := strconv.ParseUint(metadata.DstPort, 10, 16)
 		if err = snell.WriteHeader(c, metadata.String(), uint(port), s.version); err != nil {
-			c.Close()
+			_ = c.Close()
 			return nil, err
 		}
 		return NewConn(c, s), err
@@ -93,15 +105,14 @@ func (s *Snell) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		return nil, err
 	}
 	tcpKeepAlive(c)
-	c = streamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})
 
-	err = snell.WriteUDPHeader(c, s.version)
+	pc, err := s.StreamPacketConn(c, metadata)
 	if err != nil {
+		_ = c.Close()
 		return nil, err
 	}
 
-	pc := snell.PacketConn(c)
+	return NewPacketConn(pc.(net.PacketConn), s), nil
-	return newPacketConn(pc, s), nil
 }
 
 func NewSnell(option SnellOption) (*Snell, error) {

adapter/outbound/socks5.go

@@ -37,12 +37,59 @@ type Socks5Option struct {
 
 // StreamConn implements C.ProxyAdapter
 func (ss *Socks5) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	var err error
+	c, _, err = ss.streamConn(c, metadata)
+
+	return c, err
+}
+
+func (ss *Socks5) StreamSocks5PacketConn(c net.Conn, pc net.PacketConn, metadata *C.Metadata) (net.PacketConn, error) {
+	if c == nil {
+		return pc, fmt.Errorf("%s connect error: parameter net.Conn is nil", ss.addr)
+	}
+
+	if pc == nil {
+		return pc, fmt.Errorf("%s connect error: parameter net.PacketConn is nil", ss.addr)
+	}
+
+	cc, bindAddr, err := ss.streamConn(c, metadata)
+	if err != nil {
+		return pc, err
+	}
+
+	c = cc
+
+	go func() {
+		_, _ = io.Copy(io.Discard, c)
+		_ = c.Close()
+		// A UDP association terminates when the TCP connection that the UDP
+		// ASSOCIATE request arrived on terminates. RFC1928
+		_ = pc.Close()
+	}()
+
+	// Support unspecified UDP bind address.
+	bindUDPAddr := bindAddr.UDPAddr()
+	if bindUDPAddr == nil {
+		return pc, errors.New("invalid UDP bind address")
+	} else if bindUDPAddr.IP.IsUnspecified() {
+		serverAddr, err := resolveUDPAddr("udp", ss.Addr())
+		if err != nil {
+			return pc, err
+		}
+
+		bindUDPAddr.IP = serverAddr.IP
+	}
+
+	return &socksPacketConn{PacketConn: pc, rAddr: bindUDPAddr, tcpConn: c}, nil
+}
+
+func (ss *Socks5) streamConn(c net.Conn, metadata *C.Metadata) (_ net.Conn, bindAddr socks5.Addr, err error) {
 	if ss.tls {
 		cc := tls.Client(c, ss.tlsConfig)
 		err := cc.Handshake()
 		c = cc
 		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
+			return c, nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 		}
 	}
 
@@ -53,10 +100,14 @@ func (ss *Socks5) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error)
 			Password: ss.pass,
 		}
 	}
-	if _, err := socks5.ClientHandshake(c, serializesSocksAddr(metadata), socks5.CmdConnect, user); err != nil {
+
-		return nil, err
+	if metadata.NetWork == C.UDP {
+		bindAddr, err = socks5.ClientHandshake(c, serializesSocksAddr(metadata), socks5.CmdUDPAssociate, user)
+	} else {
+		bindAddr, err = socks5.ClientHandshake(c, serializesSocksAddr(metadata), socks5.CmdConnect, user)
 	}
-	return c, nil
+
+	return c, bindAddr, err
 }
 
 // DialContext implements C.ProxyAdapter
@@ -81,61 +132,24 @@ func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
 	c, err := dialer.DialContext(ctx, "tcp", ss.addr, ss.Base.DialOptions(opts...)...)
 	if err != nil {
-		err = fmt.Errorf("%s connect error: %w", ss.addr, err)
+		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
-		return
-	}
-
-	if ss.tls {
-		cc := tls.Client(c, ss.tlsConfig)
-		err = cc.Handshake()
-		c = cc
 	}
 
 	defer safeConnClose(c, err)
 
-	tcpKeepAlive(c)
-	var user *socks5.User
-	if ss.user != "" {
-		user = &socks5.User{
-			Username: ss.user,
-			Password: ss.pass,
-		}
-	}
-
-	bindAddr, err := socks5.ClientHandshake(c, serializesSocksAddr(metadata), socks5.CmdUDPAssociate, user)
-	if err != nil {
-		err = fmt.Errorf("client hanshake error: %w", err)
-		return
-	}
-
 	pc, err := dialer.ListenPacket(ctx, "udp", "", ss.Base.DialOptions(opts...)...)
 	if err != nil {
 		return
 	}
 
-	go func() {
+	tcpKeepAlive(c)
-		io.Copy(io.Discard, c)
-		c.Close()
-		// A UDP association terminates when the TCP connection that the UDP
-		// ASSOCIATE request arrived on terminates. RFC1928
-		pc.Close()
-	}()
 
-	// Support unspecified UDP bind address.
+	pc, err = ss.StreamSocks5PacketConn(c, pc, metadata)
-	bindUDPAddr := bindAddr.UDPAddr()
-	if bindUDPAddr == nil {
-		err = errors.New("invalid UDP bind address")
-		return
-	} else if bindUDPAddr.IP.IsUnspecified() {
-		serverAddr, err := resolveUDPAddr("udp", ss.Addr())
 	if err != nil {
-			return nil, err
+		return
 	}
 
-		bindUDPAddr.IP = serverAddr.IP
+	return NewPacketConn(pc, ss), nil
-	}
-
-	return newPacketConn(&socksPacketConn{PacketConn: pc, rAddr: bindUDPAddr, tcpConn: c}, ss), nil
 }
 
 func NewSocks5(option Socks5Option) *Socks5 {
@@ -199,6 +213,6 @@ func (uc *socksPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
 }
 
 func (uc *socksPacketConn) Close() error {
-	uc.tcpConn.Close()
+	_ = uc.tcpConn.Close()
 	return uc.PacketConn.Close()
 }

adapter/outbound/trojan.go

@@ -72,8 +72,7 @@ func (t *Trojan) plainStream(c net.Conn) (net.Conn, error) {
 	return t.instance.StreamConn(c)
 }
 
-// StreamConn implements C.ProxyAdapter
+func (t *Trojan) trojanStream(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	if t.transport != nil {
 		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig)
@@ -85,39 +84,63 @@ func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error)
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
 
-	c, err = t.instance.PresetXTLSConn(c)
+	c, err = t.instance.PrepareXTLSConn(c)
 	if err != nil {
-		return nil, err
+		return c, err
+	}
+
+	if metadata.NetWork == C.UDP {
+		err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
+		return c, err
 	}
 
 	err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata))
 	return c, err
 }
 
+// StreamConn implements C.ProxyAdapter
+func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	return t.trojanStream(c, metadata)
+}
+
+// StreamPacketConn implements C.ProxyAdapter
+func (t *Trojan) StreamPacketConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	var err error
+	c, err = t.trojanStream(c, metadata)
+	if err != nil {
+		return c, err
+	}
+
+	pc := t.instance.PacketConn(c)
+	return WrapConn(pc), nil
+}
+
 // DialContext implements C.ProxyAdapter
 func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+	var c net.Conn
+
 	// gun transport
 	if t.transport != nil && len(opts) == 0 {
-		c, err := gun.StreamGunWithTransport(t.transport, t.gunConfig)
+		c, err = gun.StreamGunWithTransport(t.transport, t.gunConfig)
 		if err != nil {
 			return nil, err
 		}
 
-		c, err = t.instance.PresetXTLSConn(c)
+		defer safeConnClose(c, err)
+
+		c, err = t.instance.PrepareXTLSConn(c)
 		if err != nil {
-			c.Close()
 			return nil, err
 		}
 
 		if err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata)); err != nil {
-			c.Close()
 			return nil, err
 		}
 
 		return NewConn(c, t), nil
 	}
 
-	c, err := dialer.DialContext(ctx, "tcp", t.addr, t.Base.DialOptions(opts...)...)
+	c, err = dialer.DialContext(ctx, "tcp", t.addr, t.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
@@ -137,33 +160,44 @@ func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
 	var c net.Conn
 
-	// grpc transport
+	// gun transport
 	if t.transport != nil && len(opts) == 0 {
 		c, err = gun.StreamGunWithTransport(t.transport, t.gunConfig)
-		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
-		}
-		defer safeConnClose(c, err)
-	} else {
-		c, err = dialer.DialContext(ctx, "tcp", t.addr, t.Base.DialOptions(opts...)...)
-		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
-		}
-		defer safeConnClose(c, err)
-		tcpKeepAlive(c)
-		c, err = t.plainStream(c)
-		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
-		}
-	}
-
-	err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
 		if err != nil {
 			return nil, err
 		}
 
+		defer safeConnClose(c, err)
+
+		c, err = t.instance.PrepareXTLSConn(c)
+		if err != nil {
+			return nil, err
+		}
+
+		if err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata)); err != nil {
+			return nil, err
+		}
+
 		pc := t.instance.PacketConn(c)
-	return newPacketConn(pc, t), err
+
+		return NewPacketConn(pc, t), nil
+	}
+
+	c, err = dialer.DialContext(ctx, "tcp", t.addr, t.Base.DialOptions(opts...)...)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
+	}
+
+	tcpKeepAlive(c)
+
+	defer safeConnClose(c, err)
+
+	c, err = t.StreamPacketConn(c, metadata)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewPacketConn(c.(net.PacketConn), t), nil
 }
 
 func NewTrojan(option TrojanOption) (*Trojan, error) {

adapter/outbound/util.go

@@ -15,6 +15,7 @@ func tcpKeepAlive(c net.Conn) {
 	if tcp, ok := c.(*net.TCPConn); ok {
 		_ = tcp.SetKeepAlive(true)
 		_ = tcp.SetKeepAlivePeriod(30 * time.Second)
+		_ = tcp.SetLinger(0)
 	}
 }
 
@@ -52,7 +53,7 @@ func resolveUDPAddr(network, address string) (*net.UDPAddr, error) {
 }
 
 func safeConnClose(c net.Conn, err error) {
-	if err != nil {
+	if err != nil && c != nil {
 		_ = c.Close()
 	}
 }

adapter/outbound/vless.go

@@ -58,6 +58,7 @@ type VlessOption struct {
 	ServerName     string            `proxy:"servername,omitempty"`
 }
 
+// StreamConn implements C.ProxyAdapter
 func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	switch v.option.Network {
@@ -147,6 +148,26 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	return v.client.StreamConn(c, parseVlessAddr(metadata))
 }
 
+// StreamPacketConn implements C.ProxyAdapter
+func (v *Vless) StreamPacketConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(metadata.Host)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
+
+	var err error
+	c, err = v.StreamConn(c, metadata)
+	if err != nil {
+		return nil, fmt.Errorf("new vmess client error: %v", err)
+	}
+
+	return WrapConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}), nil
+}
+
 func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error) {
 	host, _, _ := net.SplitHostPort(v.addr)
 
@@ -219,6 +240,9 @@ func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 
 // ListenPacketContext implements C.ProxyAdapter
 func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+	var c net.Conn
+	// gun transport
+	if v.transport != nil && len(opts) == 0 {
 		// vless use stream-oriented udp with a special address, so we needs a net.UDPAddr
 		if !metadata.Resolved() {
 			ip, err := resolver.ResolveIP(metadata.Host)
@@ -228,9 +252,6 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 			metadata.DstIP = ip
 		}
 
-	var c net.Conn
-	// gun transport
-	if v.transport != nil && len(opts) == 0 {
 		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
@@ -238,22 +259,27 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		defer safeConnClose(c, err)
 
 		c, err = v.client.StreamConn(c, parseVlessAddr(metadata))
-	} else {
-		c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
-		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
-		}
-		tcpKeepAlive(c)
-		defer safeConnClose(c, err)
-
-		c, err = v.StreamConn(c, metadata)
-	}
-
 		if err != nil {
 			return nil, fmt.Errorf("new vless client error: %v", err)
 		}
 
-	return newPacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
+		return NewPacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
+	}
+
+	c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
+	}
+
+	tcpKeepAlive(c)
+	defer safeConnClose(c, err)
+
+	c, err = v.StreamPacketConn(c, metadata)
+	if err != nil {
+		return nil, fmt.Errorf("new vless client error: %v", err)
+	}
+
+	return NewPacketConn(c.(net.PacketConn), v), nil
 }
 
 func parseVlessAddr(metadata *C.Metadata) *vless.DstAddr {
@@ -292,7 +318,7 @@ type vlessPacketConn struct {
 	mux    sync.Mutex
 }
 
-func (vc *vlessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
+func (vc *vlessPacketConn) WriteTo(b []byte, _ net.Addr) (int, error) {
 	total := len(b)
 	if total == 0 {
 		return 0, nil

adapter/outbound/vmess.go

@@ -3,13 +3,13 @@ package outbound
 import (
 	"context"
 	"crypto/tls"
-	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"strconv"
 	"strings"
 
+	"github.com/Dreamacro/clash/common/convert"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
@@ -91,17 +91,16 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 		wsOpts := &vmess.WebsocketConfig{
 			Host:                host,
 			Port:                port,
+			Headers:             http.Header{},
 			Path:                v.option.WSOpts.Path,
 			MaxEarlyData:        v.option.WSOpts.MaxEarlyData,
 			EarlyDataHeaderName: v.option.WSOpts.EarlyDataHeaderName,
 		}
 
 		if len(v.option.WSOpts.Headers) != 0 {
-			header := http.Header{}
 			for key, value := range v.option.WSOpts.Headers {
-				header.Add(key, value)
+				wsOpts.Headers.Add(key, value)
 			}
-			wsOpts.Headers = header
 		}
 
 		if v.option.TLS {
@@ -116,6 +115,11 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			} else if host := wsOpts.Headers.Get("Host"); host != "" {
 				wsOpts.TLSConfig.ServerName = host
 			}
+		} else {
+			if wsOpts.Headers.Get("Host") == "" {
+				wsOpts.Headers.Set("Host", convert.RandHost())
+			}
+			convert.SetUserAgent(wsOpts.Headers)
 		}
 		c, err = vmess.StreamWebsocketConn(c, wsOpts)
 	case "http":
@@ -195,6 +199,26 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	return v.client.StreamConn(c, parseVmessAddr(metadata))
 }
 
+// StreamPacketConn implements C.ProxyAdapter
+func (v *Vmess) StreamPacketConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(metadata.Host)
+		if err != nil {
+			return c, fmt.Errorf("can't resolve ip: %w", err)
+		}
+		metadata.DstIP = ip
+	}
+
+	var err error
+	c, err = v.StreamConn(c, metadata)
+	if err != nil {
+		return c, fmt.Errorf("new vmess client error: %v", err)
+	}
+
+	return WrapConn(&vmessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}), nil
+}
+
 // DialContext implements C.ProxyAdapter
 func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	// gun transport
@@ -226,18 +250,18 @@ func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 
 // ListenPacketContext implements C.ProxyAdapter
 func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+	var c net.Conn
+	// gun transport
+	if v.transport != nil && len(opts) == 0 {
 		// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
 		if !metadata.Resolved() {
 			ip, err := resolver.ResolveIP(metadata.Host)
 			if err != nil {
-			return nil, errors.New("can't resolve ip")
+				return nil, fmt.Errorf("can't resolve ip: %w", err)
 			}
 			metadata.DstIP = ip
 		}
 
-	var c net.Conn
-	// gun transport
-	if v.transport != nil && len(opts) == 0 {
 		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
@@ -245,22 +269,27 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		defer safeConnClose(c, err)
 
 		c, err = v.client.StreamConn(c, parseVmessAddr(metadata))
-	} else {
-		c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
-		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
-		}
-		tcpKeepAlive(c)
-		defer safeConnClose(c, err)
-
-		c, err = v.StreamConn(c, metadata)
-	}
-
 		if err != nil {
 			return nil, fmt.Errorf("new vmess client error: %v", err)
 		}
 
-	return newPacketConn(&vmessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
+		return NewPacketConn(&vmessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
+	}
+
+	c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
+	}
+
+	tcpKeepAlive(c)
+	defer safeConnClose(c, err)
+
+	c, err = v.StreamPacketConn(c, metadata)
+	if err != nil {
+		return nil, fmt.Errorf("new vmess client error: %v", err)
+	}
+
+	return NewPacketConn(c.(net.PacketConn), v), nil
 }
 
 func NewVmess(option VmessOption) (*Vmess, error) {
@@ -368,7 +397,7 @@ type vmessPacketConn struct {
 	rAddr net.Addr
 }
 
-func (uc *vmessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
+func (uc *vmessPacketConn) WriteTo(b []byte, _ net.Addr) (int, error) {
 	return uc.Conn.Write(b)
 }
 

adapter/outboundgroup/parser.go

@@ -3,6 +3,7 @@ package outboundgroup
 import (
 	"errors"
 	"fmt"
+	"regexp"
 
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/adapter/provider"
@@ -29,6 +30,7 @@ type GroupCommonOption struct {
 	Interval   int      `group:"interval,omitempty"`
 	Lazy       bool     `group:"lazy,omitempty"`
 	DisableUDP bool     `group:"disable-udp,omitempty"`
+	Filter     string   `group:"filter,omitempty"`
 }
 
 func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, providersMap map[string]types.ProxyProvider) (C.ProxyAdapter, error) {
@@ -37,10 +39,23 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 	groupOption := &GroupCommonOption{
 		Lazy: true,
 	}
-	if err := decoder.Decode(config, groupOption); err != nil {
+
+	var (
+		filterRegx *regexp.Regexp
+		err        error
+	)
+
+	if err = decoder.Decode(config, groupOption); err != nil {
 		return nil, errFormat
 	}
 
+	if groupOption.Filter != "" {
+		filterRegx, err = regexp.Compile(groupOption.Filter)
+		if err != nil {
+			return nil, fmt.Errorf("invalid filter regex: %w", err)
+		}
+	}
+
 	if groupOption.Type == "" || groupOption.Name == "" {
 		return nil, errFormat
 	}
@@ -90,7 +105,7 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 	}
 
 	if len(groupOption.Use) != 0 {
-		list, err := getProviders(providersMap, groupOption.Use)
+		list, err := getProviders(providersMap, groupOption, filterRegx)
 		if err != nil {
 			return nil, err
 		}
@@ -130,8 +145,13 @@ func getProxies(mapping map[string]C.Proxy, list []string) ([]C.Proxy, error) {
 	return ps, nil
 }
 
-func getProviders(mapping map[string]types.ProxyProvider, list []string) ([]types.ProxyProvider, error) {
+func getProviders(mapping map[string]types.ProxyProvider, groupOption *GroupCommonOption, filterRegx *regexp.Regexp) ([]types.ProxyProvider, error) {
-	var ps []types.ProxyProvider
+	var (
+		ps        []types.ProxyProvider
+		list      = groupOption.Use
+		groupName = groupOption.Name
+	)
+
 	for _, name := range list {
 		p, ok := mapping[name]
 		if !ok {
@@ -141,6 +161,27 @@ func getProviders(mapping map[string]types.ProxyProvider, list []string) ([]type
 		if p.VehicleType() == types.Compatible {
 			return nil, fmt.Errorf("proxy group %s can't contains in `use`", name)
 		}
+
+		if filterRegx != nil {
+			var hc *provider.HealthCheck
+			if groupOption.Type == "select" || groupOption.Type == "relay" {
+				hc = provider.NewHealthCheck([]C.Proxy{}, "", 0, true)
+			} else {
+				if groupOption.URL == "" || groupOption.Interval == 0 {
+					return nil, errMissHealthCheck
+				}
+				hc = provider.NewHealthCheck([]C.Proxy{}, groupOption.URL, uint(groupOption.Interval), groupOption.Lazy)
+			}
+
+			if _, ok = mapping[groupName]; ok {
+				groupName += "->" + p.Name()
+			}
+
+			pd := p.(*provider.ProxySetProvider)
+			p = provider.NewProxyFilterProvider(groupName, pd, hc, filterRegx)
+			pd.RegisterProvidersInUse(p)
+		}
+
 		ps = append(ps, p)
 	}
 	return ps, nil

adapter/outboundgroup/relay.go

@@ -4,10 +4,14 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net"
+	"net/netip"
 
+	"github.com/Dreamacro/clash/adapter"
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/singledo"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 )
@@ -34,30 +38,12 @@ func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 		return proxies[0].DialContext(ctx, metadata, r.Base.DialOptions(opts...)...)
 	}
 
-	first := proxies[0]
+	c, err := r.streamContext(ctx, proxies, r.Base.DialOptions(opts...)...)
-	last := proxies[len(proxies)-1]
-
-	c, err := dialer.DialContext(ctx, "tcp", first.Addr(), r.Base.DialOptions(opts...)...)
-	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
-	}
-	tcpKeepAlive(c)
-
-	var currentMeta *C.Metadata
-	for _, proxy := range proxies[1:] {
-		currentMeta, err = addrToMetadata(proxy.Addr())
 	if err != nil {
 		return nil, err
 	}
 
-		c, err = first.StreamConn(c, currentMeta)
+	last := proxies[len(proxies)-1]
-		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
-		}
-
-		first = proxy
-	}
-
 	c, err = last.StreamConn(c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", last.Addr(), err)
@@ -66,6 +52,147 @@ func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 	return outbound.NewConn(c, r), nil
 }
 
+// ListenPacketContext implements C.ProxyAdapter
+func (r *Relay) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+	var proxies []C.Proxy
+	for _, proxy := range r.proxies(metadata, true) {
+		if proxy.Type() != C.Direct {
+			proxies = append(proxies, proxy)
+		}
+	}
+
+	length := len(proxies)
+
+	switch length {
+	case 0:
+		return outbound.NewDirect().ListenPacketContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+	case 1:
+		proxy := proxies[0]
+		if !proxy.SupportUDP() {
+			return nil, fmt.Errorf("%s connect error: proxy [%s] UDP is not supported", proxy.Addr(), proxy.Name())
+		}
+		return proxy.ListenPacketContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+	}
+
+	var (
+		firstIndex          = 0
+		nextIndex           = 1
+		lastUDPOverTCPIndex = -1
+		rawUDPRelay         = false
+
+		first = proxies[firstIndex]
+		last  = proxies[length-1]
+
+		c           net.Conn
+		cc          net.Conn
+		err         error
+		currentMeta *C.Metadata
+	)
+
+	if !last.SupportUDP() {
+		return nil, fmt.Errorf("%s connect error: proxy [%s] UDP is not supported in relay chains", last.Addr(), last.Name())
+	}
+
+	rawUDPRelay, lastUDPOverTCPIndex = isRawUDPRelay(proxies)
+
+	if first.Type() == C.Socks5 {
+		cc1, err1 := dialer.DialContext(ctx, "tcp", first.Addr(), r.Base.DialOptions(opts...)...)
+		if err1 != nil {
+			return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+		}
+		cc = cc1
+		tcpKeepAlive(cc)
+
+		var pc net.PacketConn
+		pc, err = dialer.ListenPacket(ctx, "udp", "", r.Base.DialOptions(opts...)...)
+		c = outbound.WrapConn(pc)
+	} else if rawUDPRelay {
+		var pc net.PacketConn
+		pc, err = dialer.ListenPacket(ctx, "udp", "", r.Base.DialOptions(opts...)...)
+		c = outbound.WrapConn(pc)
+	} else {
+		firstIndex = lastUDPOverTCPIndex
+		nextIndex = firstIndex + 1
+		first = proxies[firstIndex]
+		c, err = r.streamContext(ctx, proxies[:nextIndex], r.Base.DialOptions(opts...)...)
+	}
+
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+	}
+
+	if nextIndex < length {
+		for i, proxy := range proxies[nextIndex:] { // raw udp in loop
+			currentMeta, err = addrToMetadata(proxy.Addr())
+			if err != nil {
+				return nil, err
+			}
+			currentMeta.NetWork = C.UDP
+
+			if !isRawUDP(first) && !first.SupportUDP() {
+				return nil, fmt.Errorf("%s connect error: proxy [%s] UDP is not supported in relay chains", first.Addr(), first.Name())
+			}
+
+			if needResolveIP(first, currentMeta) {
+				var ip netip.Addr
+				ip, err = resolver.ResolveProxyServerHost(currentMeta.Host)
+				if err != nil {
+					return nil, fmt.Errorf("can't resolve ip: %w", err)
+				}
+				currentMeta.DstIP = ip
+			}
+
+			if cc != nil { // socks5
+				c, err = streamSocks5PacketConn(first, cc, c, currentMeta)
+				cc = nil
+			} else {
+				c, err = first.StreamPacketConn(c, currentMeta)
+			}
+
+			if err != nil {
+				return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+			}
+
+			if proxy.Type() == C.Socks5 {
+				endIndex := nextIndex + i + 1
+				cc, err = r.streamContext(ctx, proxies[:endIndex], r.Base.DialOptions(opts...)...)
+				if err != nil {
+					return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+				}
+			}
+
+			first = proxy
+		}
+	}
+
+	if cc != nil {
+		c, err = streamSocks5PacketConn(last, cc, c, metadata)
+	} else {
+		c, err = last.StreamPacketConn(c, metadata)
+	}
+
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", last.Addr(), err)
+	}
+
+	return outbound.NewPacketConn(c.(net.PacketConn), r), nil
+}
+
+// SupportUDP implements C.ProxyAdapter
+func (r *Relay) SupportUDP() bool {
+	proxies := r.rawProxies(true)
+
+	l := len(proxies)
+
+	if l == 0 {
+		return true
+	}
+
+	last := proxies[l-1]
+
+	return isRawUDP(last) || last.SupportUDP()
+}
+
 // MarshalJSON implements C.ProxyAdapter
 func (r *Relay) MarshalJSON() ([]byte, error) {
 	var all []string
@@ -100,6 +227,83 @@ func (r *Relay) proxies(metadata *C.Metadata, touch bool) []C.Proxy {
 	return proxies
 }
 
+func (r *Relay) streamContext(ctx context.Context, proxies []C.Proxy, opts ...dialer.Option) (net.Conn, error) {
+	first := proxies[0]
+
+	c, err := dialer.DialContext(ctx, "tcp", first.Addr(), opts...)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+	}
+	tcpKeepAlive(c)
+
+	if len(proxies) > 1 {
+		var currentMeta *C.Metadata
+		for _, proxy := range proxies[1:] {
+			currentMeta, err = addrToMetadata(proxy.Addr())
+			if err != nil {
+				return nil, err
+			}
+
+			c, err = first.StreamConn(c, currentMeta)
+			if err != nil {
+				return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+			}
+
+			first = proxy
+		}
+	}
+
+	return c, nil
+}
+
+func streamSocks5PacketConn(proxy C.Proxy, cc, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	pc, err := proxy.(*adapter.Proxy).ProxyAdapter.(*outbound.Socks5).StreamSocks5PacketConn(cc, c.(net.PacketConn), metadata)
+	return outbound.WrapConn(pc), err
+}
+
+func isRawUDPRelay(proxies []C.Proxy) (bool, int) {
+	var (
+		lastIndex           = len(proxies) - 1
+		last                = proxies[lastIndex]
+		isLastRawUDP        = isRawUDP(last)
+		isUDPOverTCP        = false
+		lastUDPOverTCPIndex = -1
+	)
+
+	for i := lastIndex; i >= 0; i-- {
+		p := proxies[i]
+
+		isUDPOverTCP = isUDPOverTCP || !isRawUDP(p)
+
+		if isLastRawUDP && isUDPOverTCP && lastUDPOverTCPIndex == -1 {
+			lastUDPOverTCPIndex = i
+		}
+	}
+
+	if !isLastRawUDP {
+		lastUDPOverTCPIndex = lastIndex
+	}
+
+	return !isUDPOverTCP, lastUDPOverTCPIndex
+}
+
+func isRawUDP(proxy C.ProxyAdapter) bool {
+	if proxy.Type() == C.Shadowsocks || proxy.Type() == C.ShadowsocksR || proxy.Type() == C.Socks5 {
+		return true
+	}
+	return false
+}
+
+func needResolveIP(proxy C.ProxyAdapter, metadata *C.Metadata) bool {
+	if metadata.Resolved() {
+		return false
+	}
+	if proxy.Type() != C.Vmess && proxy.Type() != C.Vless {
+		return false
+	}
+	return true
+}
+
 func NewRelay(option *GroupCommonOption, providers []provider.ProxyProvider) *Relay {
 	return &Relay{
 		Base: outbound.NewBase(outbound.BaseOption{

adapter/outboundgroup/util.go

@@ -24,7 +24,7 @@ func addrToMetadata(rawAddress string) (addr *C.Metadata, err error) {
 			DstIP:    netip.Addr{},
 			DstPort:  port,
 		}
-		return
+		return addr, nil
 	} else if ip.Is4() {
 		addr = &C.Metadata{
 			AddrType: C.AtypIPv4,
@@ -48,5 +48,6 @@ func tcpKeepAlive(c net.Conn) {
 	if tcp, ok := c.(*net.TCPConn); ok {
 		_ = tcp.SetKeepAlive(true)
 		_ = tcp.SetKeepAlivePeriod(30 * time.Second)
+		_ = tcp.SetLinger(0)
 	}
 }

adapter/parser.go

@@ -8,7 +8,7 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 )
 
-func ParseProxy(mapping map[string]any) (C.Proxy, error) {
+func ParseProxy(mapping map[string]any, forceCertVerify bool) (C.Proxy, error) {
 	decoder := structure.NewDecoder(structure.Option{TagName: "proxy", WeaklyTypedInput: true})
 	proxyType, existType := mapping["type"].(string)
 	if !existType {
@@ -40,6 +40,9 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
+		if forceCertVerify {
+			socksOption.SkipCertVerify = false
+		}
 		proxy = outbound.NewSocks5(*socksOption)
 	case "http":
 		httpOption := &outbound.HttpOption{}
@@ -47,18 +50,25 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
+		if forceCertVerify {
+			httpOption.SkipCertVerify = false
+		}
 		proxy = outbound.NewHttp(*httpOption)
 	case "vmess":
 		vmessOption := &outbound.VmessOption{
 			HTTPOpts: outbound.HTTPOptions{
 				Method:  "GET",
 				Path:    []string{"/"},
+				Headers: make(map[string][]string),
 			},
 		}
 		err = decoder.Decode(mapping, vmessOption)
 		if err != nil {
 			break
 		}
+		if forceCertVerify {
+			vmessOption.SkipCertVerify = false
+		}
 		proxy, err = outbound.NewVmess(*vmessOption)
 	case "vless":
 		vlessOption := &outbound.VlessOption{}
@@ -66,6 +76,9 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
+		if forceCertVerify {
+			vlessOption.SkipCertVerify = false
+		}
 		proxy, err = outbound.NewVless(*vlessOption)
 	case "snell":
 		snellOption := &outbound.SnellOption{}
@@ -80,6 +93,9 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
+		if forceCertVerify {
+			trojanOption.SkipCertVerify = false
+		}
 		proxy, err = outbound.NewTrojan(*trojanOption)
 	default:
 		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)

adapter/provider/fetcher.go

@@ -16,28 +16,28 @@ var (
 	dirMode  os.FileMode = 0o755
 )
 
-type parser = func([]byte) (any, error)
+type parser[V any] func([]byte) (V, error)
 
-type fetcher struct {
+type fetcher[V any] struct {
 	name      string
 	vehicle   types.Vehicle
 	updatedAt *time.Time
 	ticker    *time.Ticker
 	done      chan struct{}
 	hash      [16]byte
-	parser    parser
+	parser    parser[V]
-	onUpdate  func(any)
+	onUpdate  func(V)
 }
 
-func (f *fetcher) Name() string {
+func (f *fetcher[V]) Name() string {
 	return f.name
 }
 
-func (f *fetcher) VehicleType() types.VehicleType {
+func (f *fetcher[V]) VehicleType() types.VehicleType {
 	return f.vehicle.Type()
 }
 
-func (f *fetcher) Initial() (any, error) {
+func (f *fetcher[V]) Initial() (V, error) {
 	var (
 		buf     []byte
 		err     error
@@ -53,24 +53,24 @@ func (f *fetcher) Initial() (any, error) {
 	}
 
 	if err != nil {
-		return nil, err
+		return getZero[V](), err
 	}
 
 	proxies, err := f.parser(buf)
 	if err != nil {
 		if !isLocal {
-			return nil, err
+			return getZero[V](), err
 		}
 
 		// parse local file error, fallback to remote
 		buf, err = f.vehicle.Read()
 		if err != nil {
-			return nil, err
+			return getZero[V](), err
 		}
 
 		proxies, err = f.parser(buf)
 		if err != nil {
-			return nil, err
+			return getZero[V](), err
 		}
 
 		isLocal = false
@@ -78,7 +78,7 @@ func (f *fetcher) Initial() (any, error) {
 
 	if f.vehicle.Type() != types.File && !isLocal {
 		if err := safeWrite(f.vehicle.Path(), buf); err != nil {
-			return nil, err
+			return getZero[V](), err
 		}
 	}
 
@@ -92,28 +92,28 @@ func (f *fetcher) Initial() (any, error) {
 	return proxies, nil
 }
 
-func (f *fetcher) Update() (any, bool, error) {
+func (f *fetcher[V]) Update() (V, bool, error) {
 	buf, err := f.vehicle.Read()
 	if err != nil {
-		return nil, false, err
+		return getZero[V](), false, err
 	}
 
 	now := time.Now()
 	hash := md5.Sum(buf)
 	if bytes.Equal(f.hash[:], hash[:]) {
 		f.updatedAt = &now
-		os.Chtimes(f.vehicle.Path(), now, now)
+		_ = os.Chtimes(f.vehicle.Path(), now, now)
-		return nil, true, nil
+		return getZero[V](), true, nil
 	}
 
 	proxies, err := f.parser(buf)
 	if err != nil {
-		return nil, false, err
+		return getZero[V](), false, err
 	}
 
 	if f.vehicle.Type() != types.File {
 		if err := safeWrite(f.vehicle.Path(), buf); err != nil {
-			return nil, false, err
+			return getZero[V](), false, err
 		}
 	}
 
@@ -123,14 +123,14 @@ func (f *fetcher) Update() (any, bool, error) {
 	return proxies, false, nil
 }
 
-func (f *fetcher) Destroy() error {
+func (f *fetcher[V]) Destroy() error {
 	if f.ticker != nil {
 		f.done <- struct{}{}
 	}
 	return nil
 }
 
-func (f *fetcher) pullLoop() {
+func (f *fetcher[V]) pullLoop() {
 	for {
 		select {
 		case <-f.ticker.C:
@@ -168,13 +168,13 @@ func safeWrite(path string, buf []byte) error {
 	return os.WriteFile(path, buf, fileMode)
 }
 
-func newFetcher(name string, interval time.Duration, vehicle types.Vehicle, parser parser, onUpdate func(any)) *fetcher {
+func newFetcher[V any](name string, interval time.Duration, vehicle types.Vehicle, parser parser[V], onUpdate func(V)) *fetcher[V] {
 	var ticker *time.Ticker
 	if interval != 0 {
 		ticker = time.NewTicker(interval)
 	}
 
-	return &fetcher{
+	return &fetcher[V]{
 		name:     name,
 		ticker:   ticker,
 		vehicle:  vehicle,
@@ -183,3 +183,8 @@ func newFetcher(name string, interval time.Duration, vehicle types.Vehicle, pars
 		onUpdate: onUpdate,
 	}
 }
+
+func getZero[V any]() V {
+	var result V
+	return result
+}

adapter/provider/healthcheck.go

@@ -65,8 +65,13 @@ func (hc *HealthCheck) touch() {
 }
 
 func (hc *HealthCheck) check() {
+	proxies := hc.proxies
+	if len(proxies) == 0 {
+		return
+	}
+
 	b, _ := batch.New[bool](context.Background(), batch.WithConcurrencyNum[bool](10))
-	for _, proxy := range hc.proxies {
+	for _, proxy := range proxies {
 		p := proxy
 		b.Go(p.Name(), func() (bool, error) {
 			ctx, cancel := context.WithTimeout(context.Background(), defaultURLTestTimeout)

adapter/provider/parser.go

@@ -26,9 +26,12 @@ type proxyProviderSchema struct {
 	Interval        int                 `provider:"interval,omitempty"`
 	Filter          string              `provider:"filter,omitempty"`
 	HealthCheck     healthCheckSchema   `provider:"health-check,omitempty"`
+	ForceCertVerify bool                `provider:"force-cert-verify,omitempty"`
+	PrefixName      string              `provider:"prefix-name,omitempty"`
+	Header          map[string][]string `provider:"header,omitempty"`
 }
 
-func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvider, error) {
+func ParseProxyProvider(name string, mapping map[string]any, forceCertVerify bool) (types.ProxyProvider, error) {
 	decoder := structure.NewDecoder(structure.Option{TagName: "provider", WeaklyTypedInput: true})
 
 	schema := &proxyProviderSchema{
@@ -36,6 +39,11 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 			Lazy: true,
 		},
 	}
+
+	if forceCertVerify {
+		schema.ForceCertVerify = true
+	}
+
 	if err := decoder.Decode(mapping, schema); err != nil {
 		return nil, err
 	}
@@ -53,12 +61,12 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	case "file":
 		vehicle = NewFileVehicle(path)
 	case "http":
-		vehicle = NewHTTPVehicle(schema.URL, path)
+		vehicle = NewHTTPVehicle(schema.URL, path, schema.Header)
 	default:
 		return nil, fmt.Errorf("%w: %s", errVehicleType, schema.Type)
 	}
 
 	interval := time.Duration(uint(schema.Interval)) * time.Second
 	filter := schema.Filter
-	return NewProxySetProvider(name, interval, filter, vehicle, hc)
+	return NewProxySetProvider(name, interval, filter, vehicle, hc, schema.ForceCertVerify, schema.PrefixName)
 }

adapter/provider/provider.go

@@ -9,10 +9,11 @@ import (
 	"time"
 
 	"github.com/Dreamacro/clash/adapter"
+	"github.com/Dreamacro/clash/common/convert"
 	C "github.com/Dreamacro/clash/constant"
 	types "github.com/Dreamacro/clash/constant/provider"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 const (
@@ -23,15 +24,16 @@ type ProxySchema struct {
 	Proxies []map[string]any `yaml:"proxies"`
 }
 
-// for auto gc
+// ProxySetProvider for auto gc
 type ProxySetProvider struct {
 	*proxySetProvider
 }
 
 type proxySetProvider struct {
-	*fetcher
+	*fetcher[[]C.Proxy]
 	proxies        []C.Proxy
 	healthCheck    *HealthCheck
+	providersInUse []types.ProxyProvider
 }
 
 func (pp *proxySetProvider) MarshalJSON() ([]byte, error) {
@@ -86,17 +88,22 @@ func (pp *proxySetProvider) ProxiesWithTouch() []C.Proxy {
 func (pp *proxySetProvider) setProxies(proxies []C.Proxy) {
 	pp.proxies = proxies
 	pp.healthCheck.setProxy(proxies)
-	if pp.healthCheck.auto() {
+
-		go pp.healthCheck.check()
+	for _, use := range pp.providersInUse {
+		_ = use.Update()
 	}
 }
 
+func (pp *proxySetProvider) RegisterProvidersInUse(providers ...types.ProxyProvider) {
+	pp.providersInUse = append(pp.providersInUse, providers...)
+}
+
 func stopProxyProvider(pd *ProxySetProvider) {
 	pd.healthCheck.close()
-	pd.fetcher.Destroy()
+	_ = pd.fetcher.Destroy()
 }
 
-func NewProxySetProvider(name string, interval time.Duration, filter string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
+func NewProxySetProvider(name string, interval time.Duration, filter string, vehicle types.Vehicle, hc *HealthCheck, forceCertVerify bool, prefixName string) (*ProxySetProvider, error) {
 	filterReg, err := regexp.Compile(filter)
 	if err != nil {
 		return nil, fmt.Errorf("invalid filter regex: %w", err)
@@ -111,45 +118,7 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, veh
 		healthCheck: hc,
 	}
 
-	onUpdate := func(elm any) {
+	fetcher := newFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, filterReg, forceCertVerify, prefixName), proxiesOnUpdate(pd))
-		ret := elm.([]C.Proxy)
-		pd.setProxies(ret)
-	}
-
-	proxiesParseAndFilter := func(buf []byte) (any, error) {
-		schema := &ProxySchema{}
-
-		if err := yaml.Unmarshal(buf, schema); err != nil {
-			return nil, err
-		}
-
-		if schema.Proxies == nil {
-			return nil, errors.New("file must have a `proxies` field")
-		}
-
-		proxies := []C.Proxy{}
-		for idx, mapping := range schema.Proxies {
-			if name, ok := mapping["name"]; ok && len(filter) > 0 && !filterReg.MatchString(name.(string)) {
-				continue
-			}
-			proxy, err := adapter.ParseProxy(mapping)
-			if err != nil {
-				return nil, fmt.Errorf("proxy %d error: %w", idx, err)
-			}
-			proxies = append(proxies, proxy)
-		}
-
-		if len(proxies) == 0 {
-			if len(filter) > 0 {
-				return nil, errors.New("doesn't match any proxy, please check your filter")
-			}
-			return nil, errors.New("file doesn't have any proxy")
-		}
-
-		return proxies, nil
-	}
-
-	fetcher := newFetcher(name, interval, vehicle, proxiesParseAndFilter, onUpdate)
 	pd.fetcher = fetcher
 
 	wrapper := &ProxySetProvider{pd}
@@ -157,7 +126,7 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, veh
 	return wrapper, nil
 }
 
-// for auto gc
+// CompatibleProvider for auto gc
 type CompatibleProvider struct {
 	*compatibleProvider
 }
@@ -233,3 +202,145 @@ func NewCompatibleProvider(name string, proxies []C.Proxy, hc *HealthCheck) (*Co
 	runtime.SetFinalizer(wrapper, stopCompatibleProvider)
 	return wrapper, nil
 }
+
+// ProxyFilterProvider for filter provider
+type ProxyFilterProvider struct {
+	*proxyFilterProvider
+}
+
+type proxyFilterProvider struct {
+	name        string
+	psd         *ProxySetProvider
+	proxies     []C.Proxy
+	filter      *regexp.Regexp
+	healthCheck *HealthCheck
+}
+
+func (pf *proxyFilterProvider) MarshalJSON() ([]byte, error) {
+	return json.Marshal(map[string]any{
+		"name":        pf.Name(),
+		"type":        pf.Type().String(),
+		"vehicleType": pf.VehicleType().String(),
+		"proxies":     pf.Proxies(),
+	})
+}
+
+func (pf *proxyFilterProvider) Name() string {
+	return pf.name
+}
+
+func (pf *proxyFilterProvider) HealthCheck() {
+	pf.healthCheck.check()
+}
+
+func (pf *proxyFilterProvider) Update() error {
+	var proxies []C.Proxy
+	if pf.filter != nil {
+		for _, proxy := range pf.psd.Proxies() {
+			if !pf.filter.MatchString(proxy.Name()) {
+				continue
+			}
+			proxies = append(proxies, proxy)
+		}
+	} else {
+		proxies = pf.psd.Proxies()
+	}
+
+	pf.proxies = proxies
+	pf.healthCheck.setProxy(proxies)
+	return nil
+}
+
+func (pf *proxyFilterProvider) Initial() error {
+	return nil
+}
+
+func (pf *proxyFilterProvider) VehicleType() types.VehicleType {
+	return pf.psd.VehicleType()
+}
+
+func (pf *proxyFilterProvider) Type() types.ProviderType {
+	return types.Proxy
+}
+
+func (pf *proxyFilterProvider) Proxies() []C.Proxy {
+	return pf.proxies
+}
+
+func (pf *proxyFilterProvider) ProxiesWithTouch() []C.Proxy {
+	pf.healthCheck.touch()
+	return pf.Proxies()
+}
+
+func stopProxyFilterProvider(pf *ProxyFilterProvider) {
+	pf.healthCheck.close()
+}
+
+func NewProxyFilterProvider(name string, psd *ProxySetProvider, hc *HealthCheck, filterRegx *regexp.Regexp) *ProxyFilterProvider {
+	pd := &proxyFilterProvider{
+		psd:         psd,
+		name:        name,
+		healthCheck: hc,
+		filter:      filterRegx,
+	}
+
+	_ = pd.Update()
+
+	if hc.auto() {
+		go hc.process()
+	}
+
+	wrapper := &ProxyFilterProvider{pd}
+	runtime.SetFinalizer(wrapper, stopProxyFilterProvider)
+	return wrapper
+}
+
+func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) {
+	return func(elm []C.Proxy) {
+		pd.setProxies(elm)
+	}
+}
+
+func proxiesParseAndFilter(filter string, filterReg *regexp.Regexp, forceCertVerify bool, prefixName string) parser[[]C.Proxy] {
+	return func(buf []byte) ([]C.Proxy, error) {
+		schema := &ProxySchema{}
+
+		if err := yaml.Unmarshal(buf, schema); err != nil {
+			proxies, err1 := convert.ConvertsV2Ray(buf)
+			if err1 != nil {
+				return nil, fmt.Errorf("%w, %s", err, err1.Error())
+			}
+			schema.Proxies = proxies
+		}
+
+		if schema.Proxies == nil {
+			return nil, errors.New("file must have a `proxies` field")
+		}
+
+		proxies := []C.Proxy{}
+		for idx, mapping := range schema.Proxies {
+			if name, ok := mapping["name"]; ok && len(filter) > 0 && !filterReg.MatchString(name.(string)) {
+				continue
+			}
+
+			if prefixName != "" {
+				mapping["name"] = prefixName + mapping["name"].(string)
+			}
+
+			proxy, err := adapter.ParseProxy(mapping, forceCertVerify)
+			if err != nil {
+				return nil, fmt.Errorf("proxy %d error: %w", idx, err)
+			}
+			proxies = append(proxies, proxy)
+		}
+
+		if len(proxies) == 0 {
+			if len(filter) > 0 {
+				return nil, errors.New("doesn't match any proxy, please check your filter")
+			}
+			return nil, errors.New("file doesn't have any proxy")
+		}
+
+		return proxies, nil
+	}
+}

adapter/provider/vehicle.go

@@ -9,6 +9,7 @@ import (
 	"os"
 	"time"
 
+	"github.com/Dreamacro/clash/common/convert"
 	"github.com/Dreamacro/clash/component/dialer"
 	types "github.com/Dreamacro/clash/constant/provider"
 )
@@ -36,6 +37,7 @@ func NewFileVehicle(path string) *FileVehicle {
 type HTTPVehicle struct {
 	url    string
 	path   string
+	header http.Header
 }
 
 func (h *HTTPVehicle) Type() types.VehicleType {
@@ -60,11 +62,17 @@ func (h *HTTPVehicle) Read() ([]byte, error) {
 		return nil, err
 	}
 
+	if h.header != nil {
+		req.Header = h.header
+	}
+
 	if user := uri.User; user != nil {
 		password, _ := user.Password()
 		req.SetBasicAuth(user.Username(), password)
 	}
 
+	convert.SetUserAgent(req.Header)
+
 	req = req.WithContext(ctx)
 
 	transport := &http.Transport{
@@ -74,7 +82,10 @@ func (h *HTTPVehicle) Read() ([]byte, error) {
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
-			return dialer.DialContext(ctx, network, address)
+			if req.URL.Scheme == "https" {
+				return (&net.Dialer{}).DialContext(ctx, network, address) // forward to tun if tun enabled
+			}
+			return dialer.DialContext(ctx, network, address, dialer.WithDirect()) // with direct
 		},
 	}
 
@@ -83,7 +94,9 @@ func (h *HTTPVehicle) Read() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer resp.Body.Close()
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 
 	buf, err := io.ReadAll(resp.Body)
 	if err != nil {
@@ -93,6 +106,6 @@ func (h *HTTPVehicle) Read() ([]byte, error) {
 	return buf, nil
 }
 
-func NewHTTPVehicle(url string, path string) *HTTPVehicle {
+func NewHTTPVehicle(url string, path string, header http.Header) *HTTPVehicle {
-	return &HTTPVehicle{url, path}
+	return &HTTPVehicle{url, path, header}
 }

common/cache/cache.go

@@ -61,7 +61,7 @@ func (c *cache[K, V]) GetWithExpire(key K) (payload V, expired time.Time) {
 
 func (c *cache[K, V]) cleanup() {
 	c.mapping.Range(func(k, v any) bool {
-		key := k.(string)
+		key := k
 		elm := v.(*element[V])
 		if time.Since(elm.Expired) > 0 {
 			c.mapping.Delete(key)

common/convert/converter.go

@@ -0,0 +1,347 @@
+package convert
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net/url"
+	"strings"
+)
+
+var enc = base64.StdEncoding
+
+func DecodeBase64(buf []byte) ([]byte, error) {
+	dBuf := make([]byte, enc.DecodedLen(len(buf)))
+	n, err := enc.Decode(dBuf, buf)
+	if err != nil {
+		return nil, err
+	}
+
+	return dBuf[:n], nil
+}
+
+func DecodeRawBase64(buf []byte) ([]byte, error) {
+	dBuf := make([]byte, base64.RawStdEncoding.DecodedLen(len(buf)))
+	n, err := base64.RawStdEncoding.Decode(dBuf, buf)
+	if err != nil {
+		return nil, err
+	}
+
+	return dBuf[:n], nil
+}
+
+// ConvertsV2Ray convert V2Ray subscribe proxies data to clash proxies config
+func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
+	data, err := DecodeBase64(buf)
+	if err != nil {
+		data, err = DecodeRawBase64(buf)
+		if err != nil {
+			data = buf
+		}
+	}
+
+	arr := strings.Split(string(data), "\n")
+
+	proxies := make([]map[string]any, 0, len(arr))
+	names := make(map[string]int, 200)
+
+	for _, line := range arr {
+		line = strings.TrimRight(line, " \r")
+		if line == "" {
+			continue
+		}
+
+		scheme, body, found := strings.Cut(line, "://")
+		if !found {
+			continue
+		}
+
+		scheme = strings.ToLower(scheme)
+		switch scheme {
+		case "trojan":
+			urlTrojan, err := url.Parse(line)
+			if err != nil {
+				continue
+			}
+
+			query := urlTrojan.Query()
+
+			name := uniqueName(names, urlTrojan.Fragment)
+			trojan := make(map[string]any, 20)
+
+			trojan["name"] = name
+			trojan["type"] = scheme
+			trojan["server"] = urlTrojan.Hostname()
+			trojan["port"] = urlTrojan.Port()
+			trojan["password"] = urlTrojan.User.Username()
+			trojan["udp"] = true
+			trojan["skip-cert-verify"] = false
+
+			sni := query.Get("sni")
+			if sni != "" {
+				trojan["sni"] = sni
+			}
+
+			network := strings.ToLower(query.Get("type"))
+			if network != "" {
+				trojan["network"] = network
+			}
+
+			if network == "ws" {
+				headers := make(map[string]any)
+				wsOpts := make(map[string]any)
+
+				headers["Host"] = RandHost()
+				headers["User-Agent"] = RandUserAgent()
+
+				wsOpts["path"] = query.Get("path")
+				wsOpts["headers"] = headers
+
+				trojan["ws-opts"] = wsOpts
+			}
+
+			proxies = append(proxies, trojan)
+		case "vmess":
+			dcBuf, err := enc.DecodeString(body)
+			if err != nil {
+				continue
+			}
+
+			jsonDc := json.NewDecoder(bytes.NewReader(dcBuf))
+			values := make(map[string]any, 20)
+
+			if jsonDc.Decode(&values) != nil {
+				continue
+			}
+
+			name := uniqueName(names, values["ps"].(string))
+			vmess := make(map[string]any, 20)
+
+			vmess["name"] = name
+			vmess["type"] = scheme
+			vmess["server"] = values["add"]
+			vmess["port"] = values["port"]
+			vmess["uuid"] = values["id"]
+			vmess["alterId"] = values["aid"]
+			vmess["cipher"] = "auto"
+			vmess["udp"] = true
+			vmess["skip-cert-verify"] = false
+
+			host := values["host"]
+			network := strings.ToLower(values["net"].(string))
+
+			vmess["network"] = network
+
+			tls := strings.ToLower(values["tls"].(string))
+			if tls != "" && tls != "0" && tls != "null" {
+				if host != nil {
+					vmess["servername"] = host
+				}
+				vmess["tls"] = true
+			}
+
+			if network == "ws" {
+				headers := make(map[string]any)
+				wsOpts := make(map[string]any)
+
+				headers["Host"] = RandHost()
+				headers["User-Agent"] = RandUserAgent()
+
+				if values["path"] != nil {
+					wsOpts["path"] = values["path"]
+				}
+				wsOpts["headers"] = headers
+
+				vmess["ws-opts"] = wsOpts
+			}
+
+			proxies = append(proxies, vmess)
+		case "ss":
+			urlSS, err := url.Parse(line)
+			if err != nil {
+				continue
+			}
+
+			name := uniqueName(names, urlSS.Fragment)
+			port := urlSS.Port()
+
+			if port == "" {
+				dcBuf, err := enc.DecodeString(urlSS.Host)
+				if err != nil {
+					continue
+				}
+
+				urlSS, err = url.Parse("ss://" + string(dcBuf))
+				if err != nil {
+					continue
+				}
+			}
+
+			var (
+				cipher   = urlSS.User.Username()
+				password string
+			)
+
+			if password, found = urlSS.User.Password(); !found {
+				dcBuf, err := enc.DecodeString(cipher)
+				if err != nil {
+					continue
+				}
+
+				cipher, password, found = strings.Cut(string(dcBuf), ":")
+				if !found {
+					continue
+				}
+			}
+
+			ss := make(map[string]any, 20)
+
+			ss["name"] = name
+			ss["type"] = scheme
+			ss["server"] = urlSS.Hostname()
+			ss["port"] = urlSS.Port()
+			ss["cipher"] = cipher
+			ss["password"] = password
+			ss["udp"] = true
+
+			proxies = append(proxies, ss)
+		case "ssr":
+			dcBuf, err := enc.DecodeString(body)
+			if err != nil {
+				continue
+			}
+
+			// ssr://host:port:protocol:method:obfs:urlsafebase64pass/?obfsparam=urlsafebase64&protoparam=&remarks=urlsafebase64&group=urlsafebase64&udpport=0&uot=1
+
+			before, after, ok := strings.Cut(string(dcBuf), "/?")
+			if !ok {
+				continue
+			}
+
+			beforeArr := strings.Split(before, ":")
+
+			if len(beforeArr) != 6 {
+				continue
+			}
+
+			host := beforeArr[0]
+			port := beforeArr[1]
+			protocol := beforeArr[2]
+			method := beforeArr[3]
+			obfs := beforeArr[4]
+			password := decodeUrlSafe(urlSafe(beforeArr[5]))
+
+			query, err := url.ParseQuery(urlSafe(after))
+			if err != nil {
+				continue
+			}
+
+			remarks := decodeUrlSafe(query.Get("remarks"))
+			name := uniqueName(names, remarks)
+
+			obfsParam := decodeUrlSafe(query.Get("obfsparam"))
+			protocolParam := query.Get("protoparam")
+
+			ssr := make(map[string]any, 20)
+
+			ssr["name"] = name
+			ssr["type"] = scheme
+			ssr["server"] = host
+			ssr["port"] = port
+			ssr["cipher"] = method
+			ssr["password"] = password
+			ssr["obfs"] = obfs
+			ssr["protocol"] = protocol
+			ssr["udp"] = true
+
+			if obfsParam != "" {
+				ssr["obfs-param"] = obfsParam
+			}
+
+			if protocolParam != "" {
+				ssr["protocol-param"] = protocolParam
+			}
+
+			proxies = append(proxies, ssr)
+		case "vless":
+			urlVless, err := url.Parse(line)
+			if err != nil {
+				continue
+			}
+
+			query := urlVless.Query()
+
+			name := uniqueName(names, urlVless.Fragment)
+			vless := make(map[string]any, 20)
+
+			vless["name"] = name
+			vless["type"] = scheme
+			vless["server"] = urlVless.Hostname()
+			vless["port"] = urlVless.Port()
+			vless["uuid"] = urlVless.User.Username()
+			vless["udp"] = true
+			vless["skip-cert-verify"] = false
+
+			sni := query.Get("sni")
+			if sni != "" {
+				vless["servername"] = sni
+			}
+
+			flow := strings.ToLower(query.Get("flow"))
+			if flow != "" {
+				vless["flow"] = flow
+			}
+
+			network := strings.ToLower(query.Get("type"))
+			if network != "" {
+				vless["network"] = network
+			}
+
+			if network == "ws" {
+				headers := make(map[string]any)
+				wsOpts := make(map[string]any)
+
+				headers["Host"] = RandHost()
+				headers["User-Agent"] = RandUserAgent()
+
+				wsOpts["path"] = query.Get("path")
+				wsOpts["headers"] = headers
+
+				vless["ws-opts"] = wsOpts
+			}
+
+			proxies = append(proxies, vless)
+		}
+	}
+
+	if len(proxies) == 0 {
+		return nil, fmt.Errorf("convert v2ray subscribe error: format invalid")
+	}
+
+	return proxies, nil
+}
+
+func urlSafe(data string) string {
+	return strings.ReplaceAll(strings.ReplaceAll(data, "+", "-"), "/", "_")
+}
+
+func decodeUrlSafe(data string) string {
+	dcBuf, err := base64.URLEncoding.DecodeString(data)
+	if err != nil {
+		return ""
+	}
+	return string(dcBuf)
+}
+
+func uniqueName(names map[string]int, name string) string {
+	if index, ok := names[name]; ok {
+		index++
+		names[name] = index
+		name = fmt.Sprintf("%s-%02d", name, index)
+	} else {
+		index = 0
+		names[name] = index
+	}
+	return name
+}

common/convert/util.go

@@ -0,0 +1,315 @@
+package convert
+
+import (
+	"encoding/base64"
+	"math/rand"
+	"net/http"
+	"strings"
+
+	"github.com/gofrs/uuid"
+)
+
+var hostsSuffix = []string{
+	"-cdn.aliyuncs.com",
+	".alicdn.com",
+	".pan.baidu.com",
+	".tbcache.com",
+	".aliyuncdn.com",
+	".vod.miguvideo.com",
+	".cibntv.net",
+	".myqcloud.com",
+	".smtcdns.com",
+	".alikunlun.com",
+	".smtcdns.net",
+	".apcdns.net",
+	".cdn-go.cn",
+	".cdntip.com",
+	".cdntips.com",
+	".alidayu.com",
+	".alidns.com",
+	".cdngslb.com",
+	".mxhichina.com",
+}
+
+var userAgents = []string{
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.0; Moto C Build/NRD90M.059) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532M Build/MMB29T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 5.1.1; SM-J120M Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.0; Moto G (5) Build/NPPS25.137-93-14) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.0; SM-G570M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0; CAM-L03 Build/HUAWEICAM-L03) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36",
+	"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36",
+	"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7",
+	"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+	"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3",
+	"Mozilla/5.0 (Linux; Android 8.0.0; FIG-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
+	"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+	"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.1 Safari/533.2",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36",
+	"Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 5.1.1; SM-J111M Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36",
+	"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0.1; SM-J700M Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36",
+	"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Slackware/Chrome/12.0.742.100 Safari/534.30",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+	"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100 Safari/534.30",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 8.0.0; WAS-LX3 Build/HUAWEIWAS-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.1805 Safari/537.36 MVisionPlayer/1.0.0.0",
+	"Mozilla/5.0 (Linux; Android 7.0; TRT-LX3 Build/HUAWEITRT-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0; vivo 1610 Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.124 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG GT-I9195 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36",
+	"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 8.0.0; ANE-LX3 Build/HUAWEIANE-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+	"Mozilla/5.0 (X11; U; Linux i586; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.1 Safari/533.2",
+	"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.0; SM-G610M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0.1; SM-J500M Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.104 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0; vivo 1606 Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.124 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+	"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.0; SM-G610M Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.1; vivo 1716 Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.98 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.0; SM-G570M Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0; MYA-L22 Build/HUAWEIMYA-L22) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 5.1; A1601 Build/LMY47I) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.0; TRT-LX2 Build/HUAWEITRT-LX2; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/59.0.3071.125 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+	"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.17 (KHTML, like Gecko) Chrome/10.0.649.0 Safari/534.17",
+	"Mozilla/5.0 (Linux; Android 6.0; CAM-L21 Build/HUAWEICAM-L21; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.84 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
+	"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.3 Safari/534.24",
+	"Mozilla/5.0 (Linux; Android 7.1.2; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 4.4.2; SM-G7102 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 5.1; HUAWEI CUN-L22 Build/HUAWEICUN-L22; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.84 Mobile Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 5.1.1; A37fw Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.0; SM-J730GM Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.0; SM-G610F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.1.2; Redmi Note 5A Build/N2G47H; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/63.0.3239.111 Mobile Safari/537.36",
+	"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.0; Redmi Note 4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36",
+	"Mozilla/5.0 (Unknown; Linux) AppleWebKit/538.1 (KHTML, like Gecko) Chrome/v1.0.0 Safari/538.1",
+	"Mozilla/5.0 (Linux; Android 7.0; BLL-L22 Build/HUAWEIBLL-L22) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.0; SM-J710F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532M Build/MMB29T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.1.1; CPH1723 Build/N6F26Q) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.98 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 8.0.0; FIG-LX3 Build/HUAWEIFIG-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows; U; Windows NT 6.1; de-DE) AppleWebKit/534.17 (KHTML, like Gecko) Chrome/10.0.649.0 Safari/534.17",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 7.1; Mi A1 Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+	"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 MVisionPlayer/1.0.0.0",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 5.1; A37f Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0.1; CPH1607 Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/63.0.3239.111 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36",
+	"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0.1; vivo 1603 Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532M Build/MMB29T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0.1; Redmi 4A Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.116 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+	"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532G Build/MMB29T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.83 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36",
+	"Mozilla/5.0 (Linux; Android 6.0; vivo 1713 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.124 Mobile Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+	"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36",
+}
+
+var (
+	hostsLen = len(hostsSuffix)
+	uaLen    = len(userAgents)
+)
+
+func RandHost() string {
+	id, _ := uuid.NewV4()
+	base := strings.ToLower(base64.RawURLEncoding.EncodeToString(id.Bytes()))
+	base = strings.ReplaceAll(base, "-", "")
+	base = strings.ReplaceAll(base, "_", "")
+	buf := []byte(base)
+	prefix := string(buf[:3]) + "---"
+	prefix += string(buf[6:8]) + "-"
+	prefix += string(buf[len(buf)-8:])
+
+	return prefix + hostsSuffix[rand.Intn(hostsLen)]
+}
+
+func RandUserAgent() string {
+	return userAgents[rand.Intn(uaLen)]
+}
+
+func SetUserAgent(header http.Header) {
+	if header.Get("User-Agent") != "" {
+		return
+	}
+	userAgent := RandUserAgent()
+	header.Set("User-Agent", userAgent)
+}

common/net/relay.go

@@ -4,8 +4,6 @@ import (
 	"io"
 	"net"
 	"time"
-
-	"github.com/Dreamacro/clash/common/pool"
 )
 
 // Relay copies between left and right bidirectionally.
@@ -16,18 +14,14 @@ func Relay(leftConn, rightConn net.Conn) {
 	tcpKeepAlive(rightConn)
 
 	go func() {
-		buf := pool.Get(pool.RelayBufferSize)
 		// Wrapping to avoid using *net.TCPConn.(ReadFrom)
 		// See also https://github.com/Dreamacro/clash/pull/1209
-		_, err := io.CopyBuffer(WriteOnlyWriter{Writer: leftConn}, ReadOnlyReader{Reader: rightConn}, buf)
+		_, err := io.Copy(WriteOnlyWriter{Writer: leftConn}, ReadOnlyReader{Reader: rightConn})
-		_ = pool.Put(buf)
 		_ = leftConn.SetReadDeadline(time.Now())
 		ch <- err
 	}()
 
-	buf := pool.Get(pool.RelayBufferSize)
+	_, _ = io.Copy(WriteOnlyWriter{Writer: rightConn}, ReadOnlyReader{Reader: leftConn})
-	_, _ = io.CopyBuffer(WriteOnlyWriter{Writer: rightConn}, ReadOnlyReader{Reader: leftConn}, buf)
-	_ = pool.Put(buf)
 	_ = rightConn.SetReadDeadline(time.Now())
 	<-ch
 }

common/pool/alloc.go

@@ -52,8 +52,8 @@ func (alloc *Allocator) Put(buf []byte) error {
 		return errors.New("allocator Put() incorrect buffer size")
 	}
 
-	//lint:ignore SA6002 ignore temporarily
 	//nolint
+	//lint:ignore SA6002 ignore temporarily
 	alloc.buffers[bits].Put(buf)
 	return nil
 }

common/singledo/singledo.go

@@ -25,7 +25,6 @@ type Result[T any] struct {
 }
 
 // Do single.Do likes sync.singleFlight
-//lint:ignore ST1008 it likes sync.singleFlight
 func (s *Single[T]) Do(fn func() (T, error)) (v T, err error, shared bool) {
 	s.mux.Lock()
 	now := time.Now()

component/geodata/utils.go

@@ -2,9 +2,11 @@ package geodata
 
 import (
 	"github.com/Dreamacro/clash/component/geodata/router"
+
+	"golang.org/x/exp/maps"
 )
 
-func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error) {
+func loadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error) {
 	geoLoaderName := "standard"
 	geoLoader, err := GetGeoDataLoader(geoLoaderName)
 	if err != nil {
@@ -28,3 +30,33 @@ func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error)
 
 	return matcher, len(domains), nil
 }
+
+var ruleProviders = make(map[string]*router.DomainMatcher)
+
+// HasProvider has geo site provider by county code
+func HasProvider(countyCode string) (ok bool) {
+	_, ok = ruleProviders[countyCode]
+	return ok
+}
+
+// GetProvidersList get geo site providers
+func GetProvidersList(countyCode string) []*router.DomainMatcher {
+	return maps.Values(ruleProviders)
+}
+
+// GetProviderByCode get geo site provider by county code
+func GetProviderByCode(countyCode string) (matcher *router.DomainMatcher, ok bool) {
+	matcher, ok = ruleProviders[countyCode]
+	return
+}
+
+func LoadProviderByCode(countyCode string) (matcher *router.DomainMatcher, count int, err error) {
+	var ok bool
+	matcher, ok = ruleProviders[countyCode]
+	if !ok {
+		if matcher, count, err = loadGeoSiteMatcher(countyCode); err == nil {
+			ruleProviders[countyCode] = matcher
+		}
+	}
+	return
+}

config/config.go

@@ -19,6 +19,7 @@ import (
 	"github.com/Dreamacro/clash/component/fakeip"
 	"github.com/Dreamacro/clash/component/geodata"
 	"github.com/Dreamacro/clash/component/geodata/router"
+	_ "github.com/Dreamacro/clash/component/geodata/standard"
 	"github.com/Dreamacro/clash/component/trie"
 	C "github.com/Dreamacro/clash/constant"
 	providerTypes "github.com/Dreamacro/clash/constant/provider"
@@ -29,7 +30,7 @@ import (
 	R "github.com/Dreamacro/clash/rule"
 	T "github.com/Dreamacro/clash/tunnel"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 // General config
@@ -39,6 +40,7 @@ type General struct {
 	Mode        T.TunnelMode `json:"mode"`
 	LogLevel    log.LogLevel `json:"log-level"`
 	IPv6        bool         `json:"ipv6"`
+	Sniffing    bool         `json:"sniffing"`
 	Interface   string       `json:"-"`
 	RoutingMark int          `json:"-"`
 	Tun         Tun          `json:"tun"`
@@ -100,8 +102,9 @@ type Tun struct {
 	Enable              bool       `yaml:"enable" json:"enable"`
 	Device              string     `yaml:"device" json:"device"`
 	Stack               C.TUNStack `yaml:"stack" json:"stack"`
-	DNSHijack []netip.AddrPort `yaml:"dns-hijack" json:"dns-hijack"`
+	DNSHijack           []C.DNSUrl `yaml:"dns-hijack" json:"dns-hijack"`
 	AutoRoute           bool       `yaml:"auto-route" json:"auto-route"`
+	AutoDetectInterface bool       `yaml:"auto-detect-interface" json:"auto-detect-interface"`
 }
 
 // IPTables config
@@ -122,7 +125,6 @@ type Experimental struct{}
 // Config is clash config manager
 type Config struct {
 	General      *General
-	Tun          *Tun
 	IPTables     *IPTables
 	Mitm         *Mitm
 	DNS          *DNS
@@ -159,14 +161,6 @@ type RawFallbackFilter struct {
 	GeoSite   []string `yaml:"geosite"`
 }
 
-type RawTun struct {
-	Enable    bool       `yaml:"enable" json:"enable"`
-	Device    string     `yaml:"device" json:"device"`
-	Stack     C.TUNStack `yaml:"stack" json:"stack"`
-	DNSHijack []string   `yaml:"dns-hijack" json:"dns-hijack"`
-	AutoRoute bool       `yaml:"auto-route" json:"auto-route"`
-}
-
 type RawMitm struct {
 	Hosts []string `yaml:"hosts" json:"hosts"`
 	Rules []string `yaml:"rules" json:"rules"`
@@ -190,11 +184,13 @@ type RawConfig struct {
 	Secret             string       `yaml:"secret"`
 	Interface          string       `yaml:"interface-name"`
 	RoutingMark        int          `yaml:"routing-mark"`
+	Sniffing           bool         `yaml:"sniffing"`
+	ForceCertVerify    bool         `yaml:"force-cert-verify"`
 
 	ProxyProvider map[string]map[string]any `yaml:"proxy-providers"`
 	Hosts         map[string]string         `yaml:"hosts"`
 	DNS           RawDNS                    `yaml:"dns"`
-	Tun           RawTun                    `yaml:"tun"`
+	Tun           Tun                       `yaml:"tun"`
 	IPTables      IPTables                  `yaml:"iptables"`
 	MITM          RawMitm                   `yaml:"mitm"`
 	Experimental  Experimental              `yaml:"experimental"`
@@ -218,6 +214,8 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 	// config with default value
 	rawCfg := &RawConfig{
 		AllowLan:        false,
+		Sniffing:        false,
+		ForceCertVerify: false,
 		BindAddress:     "*",
 		Mode:            T.Rule,
 		Authentication:  []string{},
@@ -226,12 +224,26 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 		Rule:            []string{},
 		Proxy:           []map[string]any{},
 		ProxyGroup:      []map[string]any{},
-		Tun: RawTun{
+		Tun: Tun{
 			Enable: false,
 			Device: "",
 			Stack:  C.TunGvisor,
-			DNSHijack: []string{"0.0.0.0:53"}, // default hijack all dns query
+			DNSHijack: []C.DNSUrl{ // default hijack all dns lookup
-			AutoRoute: true,
+				{
+					Network: "udp",
+					AddrPort: C.DNSAddrPort{
+						AddrPort: netip.MustParseAddrPort("0.0.0.0:53"),
+					},
+				},
+				{
+					Network: "tcp",
+					AddrPort: C.DNSAddrPort{
+						AddrPort: netip.MustParseAddrPort("0.0.0.0:53"),
+					},
+				},
+			},
+			AutoRoute:           false,
+			AutoDetectInterface: false,
 		},
 		IPTables: IPTables{
 			Enable:           false,
@@ -253,7 +265,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 				"223.5.5.5",
 			},
 			NameServer: []string{ // default if user not set
-				"https://doh.pub/dns-query",
+				"https://120.53.53.53/dns-query",
 				"tls://223.5.5.5:853",
 			},
 		},
@@ -286,14 +298,6 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.General = general
 
-	tunCfg, err := parseTun(rawCfg.Tun, config.General)
-	if err != nil {
-		return nil, err
-	}
-	config.Tun = tunCfg
-
-	dialer.DefaultInterface.Store(config.General.Interface)
-
 	proxies, providers, err := parseProxies(rawCfg)
 	if err != nil {
 		return nil, err
@@ -313,7 +317,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.Hosts = hosts
 
-	dnsCfg, err := parseDNS(rawCfg, hosts, rules)
+	dnsCfg, err := parseDNS(rawCfg, hosts)
 	if err != nil {
 		return nil, err
 	}
@@ -342,6 +346,19 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 		}
 	}
 
+	if cfg.Tun.Enable && cfg.Tun.AutoDetectInterface {
+		outboundInterface, err := commons.GetAutoDetectInterface()
+		if err != nil && cfg.Interface == "" {
+			return nil, fmt.Errorf("get auto detect interface fail: %w", err)
+		}
+
+		if outboundInterface != "" {
+			cfg.Interface = outboundInterface
+		}
+	}
+
+	dialer.DefaultInterface.Store(cfg.Interface)
+
 	return &General{
 		Inbound: Inbound{
 			Port:        cfg.Port,
@@ -363,6 +380,8 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 		IPv6:        cfg.IPv6,
 		Interface:   cfg.Interface,
 		RoutingMark: cfg.RoutingMark,
+		Sniffing:    cfg.Sniffing,
+		Tun:         cfg.Tun,
 	}, nil
 }
 
@@ -372,6 +391,7 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 	proxiesConfig := cfg.Proxy
 	groupsConfig := cfg.ProxyGroup
 	providersConfig := cfg.ProxyProvider
+	forceCertVerify := cfg.ForceCertVerify
 
 	var proxyList []string
 
@@ -381,7 +401,7 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 
 	// parse proxy
 	for idx, mapping := range proxiesConfig {
-		proxy, err := adapter.ParseProxy(mapping)
+		proxy, err := adapter.ParseProxy(mapping, forceCertVerify)
 		if err != nil {
 			return nil, nil, fmt.Errorf("proxy %d: %w", idx, err)
 		}
@@ -413,7 +433,7 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 			return nil, nil, fmt.Errorf("can not defined a provider called `%s`", provider.ReservedName)
 		}
 
-		pd, err := provider.ParseProxyProvider(name, mapping)
+		pd, err := provider.ParseProxyProvider(name, mapping, forceCertVerify)
 		if err != nil {
 			return nil, nil, fmt.Errorf("parse proxy provider %s error: %w", name, err)
 		}
@@ -422,7 +442,7 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 	}
 
 	for _, proxyProvider := range providersMap {
-		log.Infoln("Start initial provider %s", proxyProvider.Name())
+		log.Infoln("Start initial proxy provider %s", proxyProvider.Name())
 		if err := proxyProvider.Initial(); err != nil {
 			return nil, nil, fmt.Errorf("initial proxy provider %s error: %w", proxyProvider.Name(), err)
 		}
@@ -655,37 +675,27 @@ func parseFallbackIPCIDR(ips []string) ([]*netip.Prefix, error) {
 	return ipNets, nil
 }
 
-func parseFallbackGeoSite(countries []string, rules []C.Rule) ([]*router.DomainMatcher, error) {
+func parseFallbackGeoSite(countries []string) ([]*router.DomainMatcher, error) {
 	var sites []*router.DomainMatcher
-
 	for _, country := range countries {
-		found := false
+		matcher, recordsCount, err := geodata.LoadProviderByCode(country)
-		for _, rule := range rules {
-			if rule.RuleType() == C.GEOSITE {
-				if strings.EqualFold(country, rule.Payload()) {
-					found = true
-					sites = append(sites, rule.(C.RuleGeoSite).GetDomainMatcher())
-					log.Infoln("Start initial GeoSite dns fallback filter from rule `%s`", country)
-				}
-			}
-		}
-
-		if !found {
-			matcher, recordsCount, err := geodata.LoadGeoSiteMatcher(country)
 		if err != nil {
 			return nil, err
 		}
 
 		sites = append(sites, matcher)
 
-			log.Infoln("Start initial GeoSite dns fallback filter `%s`, records: %d", country, recordsCount)
+		cont := fmt.Sprintf("%d", recordsCount)
+		if recordsCount == 0 {
+			cont = "from cache"
 		}
+		log.Infoln("Start initial GeoSite dns fallback filter `%s`, records: %s", country, cont)
 	}
 	runtime.GC()
 	return sites, nil
 }
 
-func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[netip.Addr], rules []C.Rule) (*DNS, error) {
+func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[netip.Addr]) (*DNS, error) {
 	cfg := rawCfg.DNS
 	if cfg.Enable && len(cfg.NameServer) == 0 {
 		return nil, fmt.Errorf("if DNS configuration is turned on, NameServer cannot be empty")
@@ -779,7 +789,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[netip.Addr], rules []C.R
 			dnsCfg.FallbackFilter.IPCIDR = fallbackip
 		}
 		dnsCfg.FallbackFilter.Domain = cfg.FallbackFilter.Domain
-		fallbackGeoSite, err := parseFallbackGeoSite(cfg.FallbackFilter.GeoSite, rules)
+		fallbackGeoSite, err := parseFallbackGeoSite(cfg.FallbackFilter.GeoSite)
 		if err != nil {
 			return nil, fmt.Errorf("load GeoSite dns fallback filter error, %w", err)
 		}
@@ -794,7 +804,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[netip.Addr], rules []C.R
 }
 
 func parseAuthentication(rawRecords []string) []auth.AuthUser {
-	users := []auth.AuthUser{}
+	var users []auth.AuthUser
 	for _, line := range rawRecords {
 		if user, pass, found := strings.Cut(line, ":"); found {
 			users = append(users, auth.AuthUser{User: user, Pass: pass})
@@ -803,40 +813,6 @@ func parseAuthentication(rawRecords []string) []auth.AuthUser {
 	return users
 }
 
-func parseTun(rawTun RawTun, general *General) (*Tun, error) {
-	if (rawTun.Enable || general.TProxyPort != 0) && general.Interface == "" {
-		autoDetectInterfaceName, err := commons.GetAutoDetectInterface()
-		if err != nil || autoDetectInterfaceName == "" {
-			return nil, fmt.Errorf("can not find auto detect interface: %w. you must be detect `interface-name` if tun set to enable or `tproxy-port` isn't zore", err)
-		}
-
-		general.Interface = autoDetectInterfaceName
-	}
-
-	var dnsHijack []netip.AddrPort
-
-	for _, d := range rawTun.DNSHijack {
-		if _, after, ok := strings.Cut(d, "://"); ok {
-			d = after
-		}
-
-		addrPort, err := netip.ParseAddrPort(d)
-		if err != nil {
-			return nil, fmt.Errorf("parse dns-hijack url error: %w", err)
-		}
-
-		dnsHijack = append(dnsHijack, addrPort)
-	}
-
-	return &Tun{
-		Enable:    rawTun.Enable,
-		Device:    rawTun.Device,
-		Stack:     rawTun.Stack,
-		DNSHijack: dnsHijack,
-		AutoRoute: rawTun.AutoRoute,
-	}, nil
-}
-
 func parseMitm(rawMitm RawMitm) (*Mitm, error) {
 	var (
 		req []C.Rewrite

config/initial.go

@@ -6,13 +6,14 @@ import (
 	"net/http"
 	"os"
 
+	"github.com/Dreamacro/clash/common/convert"
 	"github.com/Dreamacro/clash/component/mmdb"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 )
 
 func downloadMMDB(path string) (err error) {
-	resp, err := http.Get("https://cdn.jsdelivr.net/gh/Loyalsoldier/geoip@release/Country.mmdb")
+	resp, err := doGet("https://raw.githubusercontent.com/Loyalsoldier/geoip/release/Country.mmdb")
 	if err != nil {
 		return
 	}
@@ -32,18 +33,18 @@ func initMMDB() error {
 	if _, err := os.Stat(C.Path.MMDB()); os.IsNotExist(err) {
 		log.Infoln("Can't find MMDB, start download")
 		if err := downloadMMDB(C.Path.MMDB()); err != nil {
-			return fmt.Errorf("can't download MMDB: %s", err.Error())
+			return fmt.Errorf("can't download MMDB: %w", err)
 		}
 	}
 
 	if !mmdb.Verify() {
 		log.Warnln("MMDB invalid, remove and download")
 		if err := os.Remove(C.Path.MMDB()); err != nil {
-			return fmt.Errorf("can't remove invalid MMDB: %s", err.Error())
+			return fmt.Errorf("can't remove invalid MMDB: %w", err)
 		}
 
 		if err := downloadMMDB(C.Path.MMDB()); err != nil {
-			return fmt.Errorf("can't download MMDB: %s", err.Error())
+			return fmt.Errorf("can't download MMDB: %w", err)
 		}
 	}
 
@@ -51,7 +52,7 @@ func initMMDB() error {
 }
 
 func downloadGeoSite(path string) (err error) {
-	resp, err := http.Get("https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geosite.dat")
+	resp, err := doGet("https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat")
 	if err != nil {
 		return
 	}
@@ -71,7 +72,7 @@ func initGeoSite() error {
 	if _, err := os.Stat(C.Path.GeoSite()); os.IsNotExist(err) {
 		log.Infoln("Can't find GeoSite.dat, start download")
 		if err := downloadGeoSite(C.Path.GeoSite()); err != nil {
-			return fmt.Errorf("can't download GeoSite.dat: %s", err.Error())
+			return fmt.Errorf("can't download GeoSite.dat: %w", err)
 		}
 		log.Infoln("Download GeoSite.dat finish")
 	}
@@ -84,7 +85,7 @@ func Init(dir string) error {
 	// initial homedir
 	if _, err := os.Stat(dir); os.IsNotExist(err) {
 		if err := os.MkdirAll(dir, 0o777); err != nil {
-			return fmt.Errorf("can't create config directory %s: %s", dir, err.Error())
+			return fmt.Errorf("can't create config directory %s: %w", dir, err)
 		}
 	}
 
@@ -93,10 +94,10 @@ func Init(dir string) error {
 		log.Infoln("Can't find config, create a initial config file")
 		f, err := os.OpenFile(C.Path.Config(), os.O_CREATE|os.O_WRONLY, 0o644)
 		if err != nil {
-			return fmt.Errorf("can't create file %s: %s", C.Path.Config(), err.Error())
+			return fmt.Errorf("can't create file %s: %w", C.Path.Config(), err)
 		}
-		f.Write([]byte(`mixed-port: 7890`))
+		_, _ = f.Write([]byte(`mixed-port: 7890`))
-		f.Close()
+		_ = f.Close()
 	}
 
 	// initial mmdb
@@ -110,3 +111,16 @@ func Init(dir string) error {
 	}
 	return nil
 }
+
+func doGet(url string) (resp *http.Response, err error) {
+	var req *http.Request
+	req, err = http.NewRequest("GET", url, nil)
+	if err != nil {
+		return
+	}
+
+	convert.SetUserAgent(req.Header)
+
+	resp, err = http.DefaultClient.Do(req)
+	return
+}

config/updateGeo.go

@@ -0,0 +1,68 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+
+	"github.com/Dreamacro/clash/component/geodata"
+	C "github.com/Dreamacro/clash/constant"
+
+	"github.com/oschwald/geoip2-golang"
+)
+
+func UpdateGeoDatabases() error {
+	var (
+		tmpMMDB    = C.Path.Resolve("temp_country.mmdb")
+		tmpGeoSite = C.Path.Resolve("temp_geosite.dat")
+	)
+
+	if err := downloadMMDB(tmpMMDB); err != nil {
+		return fmt.Errorf("can't download MMDB database file: %w", err)
+	}
+
+	if err := verifyMMDB(tmpMMDB); err != nil {
+		_ = os.Remove(tmpMMDB)
+		return fmt.Errorf("invalid MMDB database file, %w", err)
+	}
+
+	if err := os.Rename(tmpMMDB, C.Path.MMDB()); err != nil {
+		return fmt.Errorf("can't rename MMDB database file: %w", err)
+	}
+
+	if err := downloadGeoSite(tmpGeoSite); err != nil {
+		return fmt.Errorf("can't download GeoSite database file: %w", err)
+	}
+
+	if err := verifyGeoSite(tmpGeoSite); err != nil {
+		_ = os.Remove(tmpGeoSite)
+		return fmt.Errorf("invalid GeoSite database file, %w", err)
+	}
+
+	if err := os.Rename(tmpGeoSite, C.Path.GeoSite()); err != nil {
+		return fmt.Errorf("can't rename GeoSite database file: %w", err)
+	}
+
+	return nil
+}
+
+func verifyMMDB(path string) error {
+	instance, err := geoip2.Open(path)
+	if err == nil {
+		_ = instance.Close()
+	}
+	return err
+}
+
+func verifyGeoSite(path string) error {
+	geoLoader, err := geodata.GetGeoDataLoader("standard")
+	if err != nil {
+		return err
+	}
+
+	_, err = geoLoader.LoadSite(path, "cn")
+
+	runtime.GC()
+
+	return err
+}

constant/adapters.go

@@ -93,9 +93,14 @@ type ProxyAdapter interface {
 	// a new session (if any)
 	StreamConn(c net.Conn, metadata *Metadata) (net.Conn, error)
 
+	// StreamPacketConn wraps a UDP protocol around net.Conn with Metadata.
+	StreamPacketConn(c net.Conn, metadata *Metadata) (net.Conn, error)
+
 	// DialContext return a C.Conn with protocol which
 	// contains multiplexing-related reuse logic (if any)
 	DialContext(ctx context.Context, metadata *Metadata, opts ...dialer.Option) (Conn, error)
+
+	// ListenPacketContext listen for a PacketConn
 	ListenPacketContext(ctx context.Context, metadata *Metadata, opts ...dialer.Option) (PacketConn, error)
 
 	// Unwrap extracts the proxy from a proxy-group. It returns nil when nothing to extract.

constant/metadata.go

@@ -101,8 +101,8 @@ func (m *Metadata) Resolved() bool {
 
 // Pure is used to solve unexpected behavior
 // when dialing proxy connection in DNSMapping mode.
-func (m *Metadata) Pure() *Metadata {
+func (m *Metadata) Pure(isMitmOutbound bool) *Metadata {
-	if m.DNSMode == DNSMapping && m.DstIP.IsValid() {
+	if !isMitmOutbound && m.DNSMode == DNSMapping && m.DstIP.IsValid() {
 		copyM := *m
 		copyM.Host = ""
 		if copyM.DstIP.Is4() {

constant/tun.go

@@ -3,7 +3,11 @@ package constant
 import (
 	"encoding/json"
 	"errors"
+	"net/netip"
+	"strconv"
 	"strings"
+
+	"golang.org/x/exp/slices"
 )
 
 var StackTypeMapping = map[string]TUNStack{
@@ -14,10 +18,21 @@ var StackTypeMapping = map[string]TUNStack{
 const (
 	TunGvisor TUNStack = iota
 	TunSystem
+
+	TunDisabled TUNState = iota
+	TunEnabled
+	TunPaused
 )
 
 type TUNStack int
 
+type TUNState int
+
+type TUNChangeCallback interface {
+	Pause()
+	Resume()
+}
+
 // UnmarshalYAML unserialize TUNStack with yaml
 func (e *TUNStack) UnmarshalYAML(unmarshal func(any) error) error {
 	var tp string
@@ -40,7 +55,7 @@ func (e TUNStack) MarshalYAML() (any, error) {
 // UnmarshalJSON unserialize TUNStack with json
 func (e *TUNStack) UnmarshalJSON(data []byte) error {
 	var tp string
-	json.Unmarshal(data, &tp)
+	_ = json.Unmarshal(data, &tp)
 	mode, exist := StackTypeMapping[strings.ToUpper(tp)]
 	if !exist {
 		return errors.New("invalid tun stack")
@@ -64,3 +79,113 @@ func (e TUNStack) String() string {
 		return "unknown"
 	}
 }
+
+type DNSAddrPort struct {
+	netip.AddrPort
+}
+
+func (p *DNSAddrPort) UnmarshalText(text []byte) error {
+	if len(text) == 0 {
+		*p = DNSAddrPort{}
+		return nil
+	}
+
+	addrPort := string(text)
+	if strings.HasPrefix(addrPort, "any") {
+		_, port, _ := strings.Cut(addrPort, "any")
+		addrPort = "0.0.0.0" + port
+	}
+
+	ap, err := netip.ParseAddrPort(addrPort)
+	*p = DNSAddrPort{AddrPort: ap}
+	return err
+}
+
+func (p DNSAddrPort) String() string {
+	addrPort := p.AddrPort.String()
+	if p.AddrPort.Addr().IsUnspecified() {
+		addrPort = "any:" + strconv.Itoa(int(p.AddrPort.Port()))
+	}
+	return addrPort
+}
+
+type DNSUrl struct {
+	Network  string
+	AddrPort DNSAddrPort
+}
+
+func (d *DNSUrl) UnmarshalYAML(unmarshal func(any) error) error {
+	var text string
+	if err := unmarshal(&text); err != nil {
+		return err
+	}
+
+	text = strings.ToLower(text)
+	network := "udp"
+	if before, after, found := strings.Cut(text, "://"); found {
+		network = before
+		text = after
+	}
+
+	if network != "udp" && network != "tcp" {
+		return errors.New("invalid dns url schema")
+	}
+
+	ap := &DNSAddrPort{}
+	if err := ap.UnmarshalText([]byte(text)); err != nil {
+		return err
+	}
+
+	*d = DNSUrl{Network: network, AddrPort: *ap}
+
+	return nil
+}
+
+func (d DNSUrl) MarshalYAML() (any, error) {
+	return d.String(), nil
+}
+
+func (d *DNSUrl) UnmarshalJSON(data []byte) error {
+	var text string
+	if err := json.Unmarshal(data, &text); err != nil {
+		return err
+	}
+
+	text = strings.ToLower(text)
+	network := "udp"
+	if before, after, found := strings.Cut(text, "://"); found {
+		network = before
+		text = after
+	}
+
+	if network != "udp" && network != "tcp" {
+		return errors.New("invalid dns url schema")
+	}
+
+	ap := &DNSAddrPort{}
+	if err := ap.UnmarshalText([]byte(text)); err != nil {
+		return err
+	}
+
+	*d = DNSUrl{Network: network, AddrPort: *ap}
+
+	return nil
+}
+
+func (d DNSUrl) MarshalJSON() ([]byte, error) {
+	return json.Marshal(d.String())
+}
+
+func (d DNSUrl) String() string {
+	return d.Network + "://" + d.AddrPort.String()
+}
+
+func RemoveDuplicateDNSUrl(slice []DNSUrl) []DNSUrl {
+	slices.SortFunc[DNSUrl](slice, func(a, b DNSUrl) bool {
+		return a.Network < b.Network || (a.Network == b.Network && a.AddrPort.Addr().Less(b.AddrPort.Addr()))
+	})
+
+	return slices.CompactFunc[[]DNSUrl, DNSUrl](slice, func(a, b DNSUrl) bool {
+		return a.Network == b.Network && a.AddrPort == b.AddrPort
+	})
+}

dns/client.go

@@ -54,10 +54,14 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 	}
 
 	var conn net.Conn
-	if c.proxyAdapter == "" {
+	if c.proxyAdapter != "" {
-		conn, err = dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), c.port), options...)
-	} else {
 		conn, err = dialContextWithProxyAdapter(ctx, c.proxyAdapter, network, ip, c.port, options...)
+		if err == errProxyNotFound {
+			options = append(options[:0], dialer.WithInterface(c.proxyAdapter), dialer.WithRoutingMark(0))
+			conn, err = dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), c.port), options...)
+		}
+	} else {
+		conn, err = dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), c.port), options...)
 	}
 
 	if err != nil {

dns/doh.go

@@ -69,7 +69,9 @@ func (dc *dohClient) doRequest(req *http.Request) (msg *D.Msg, err error) {
 	if err != nil {
 		return nil, err
 	}
-	defer resp.Body.Close()
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 
 	buf, err := io.ReadAll(resp.Body)
 	if err != nil {
@@ -97,11 +99,17 @@ func newDoHClient(url string, r *Resolver, proxyAdapter string) *dohClient {
 					return nil, err
 				}
 
-				if proxyAdapter == "" {
+				if proxyAdapter != "" {
-					return dialer.DialContext(ctx, "tcp", net.JoinHostPort(ip.String(), port))
+					var conn net.Conn
-				} else {
+					conn, err = dialContextWithProxyAdapter(ctx, proxyAdapter, "tcp", ip, port)
-					return dialContextWithProxyAdapter(ctx, proxyAdapter, "tcp", ip, port)
+					if err == errProxyNotFound {
+						options := []dialer.Option{dialer.WithInterface(proxyAdapter), dialer.WithRoutingMark(0)}
+						conn, err = dialer.DialContext(ctx, "tcp", net.JoinHostPort(ip.String(), port), options...)
 					}
+					return conn, err
+				}
+
+				return dialer.DialContext(ctx, "tcp", net.JoinHostPort(ip.String(), port))
 			},
 		},
 	}

dns/util.go

@@ -3,11 +3,13 @@ package dns
 import (
 	"context"
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"net"
 	"net/netip"
 	"time"
 
+	"github.com/Dreamacro/clash/adapter"
 	"github.com/Dreamacro/clash/common/cache"
 	"github.com/Dreamacro/clash/common/nnip"
 	"github.com/Dreamacro/clash/component/dialer"
@@ -18,6 +20,8 @@ import (
 	D "github.com/miekg/dns"
 )
 
+var errProxyNotFound = errors.New("proxy adapter not found")
+
 func putMsgToCache(c *cache.LruCache[string, *D.Msg], key string, msg *D.Msg) {
 	var ttl uint32
 	switch {
@@ -132,16 +136,13 @@ func (wpc *wrapPacketConn) RemoteAddr() net.Addr {
 }
 
 func dialContextWithProxyAdapter(ctx context.Context, adapterName string, network string, dstIP netip.Addr, port string, opts ...dialer.Option) (net.Conn, error) {
-	adapter, ok := tunnel.Proxies()[adapterName]
+	proxy, ok := tunnel.Proxies()[adapterName]
 	if !ok {
-		return nil, fmt.Errorf("proxy adapter [%s] not found", adapterName)
+		return nil, errProxyNotFound
 	}
 
 	networkType := C.TCP
 	if network == "udp" {
-		if !adapter.SupportUDP() {
-			return nil, fmt.Errorf("proxy adapter [%s] UDP is not supported", adapterName)
-		}
 		networkType = C.UDP
 	}
 
@@ -158,8 +159,14 @@ func dialContextWithProxyAdapter(ctx context.Context, adapterName string, networ
 		DstPort:  port,
 	}
 
+	rawAdapter := fetchRawProxyAdapter(proxy.(*adapter.Proxy).ProxyAdapter, metadata)
+
 	if networkType == C.UDP {
-		packetConn, err := adapter.ListenPacketContext(ctx, metadata, opts...)
+		if !rawAdapter.SupportUDP() {
+			return nil, fmt.Errorf("proxy adapter [%s] UDP is not supported", rawAdapter.Name())
+		}
+
+		packetConn, err := rawAdapter.ListenPacketContext(ctx, metadata, opts...)
 		if err != nil {
 			return nil, err
 		}
@@ -170,5 +177,13 @@ func dialContextWithProxyAdapter(ctx context.Context, adapterName string, networ
 		}, nil
 	}
 
-	return adapter.DialContext(ctx, metadata, opts...)
+	return rawAdapter.DialContext(ctx, metadata, opts...)
+}
+
+func fetchRawProxyAdapter(proxyAdapter C.ProxyAdapter, metadata *C.Metadata) C.ProxyAdapter {
+	if p := proxyAdapter.Unwrap(metadata); p != nil {
+		return fetchRawProxyAdapter(p.(*adapter.Proxy).ProxyAdapter, metadata)
+	}
+
+	return proxyAdapter
 }

go.mod

@@ -3,14 +3,13 @@ module github.com/Dreamacro/clash
 go 1.18
 
 require (
-	github.com/Dreamacro/go-shadowsocks2 v0.1.8
 	github.com/go-chi/chi/v5 v5.0.7
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.1
 	github.com/gofrs/uuid v4.2.0+incompatible
 	github.com/gorilla/websocket v1.5.0
 	github.com/insomniacslk/dhcp v0.0.0-20220504074936-1ca156eafb9f
-	github.com/miekg/dns v1.1.48
+	github.com/miekg/dns v1.1.49
 	github.com/oschwald/geoip2-golang v1.7.0
 	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.7.1
@@ -18,17 +17,18 @@ require (
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/atomic v1.9.0
 	go.uber.org/automaxprocs v1.5.1
-	golang.org/x/crypto v0.0.0-20220507011949-2cf3adece122
+	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
-	golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4
+	golang.org/x/exp v0.0.0-20220613132600-b0d781184e0d
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+	golang.org/x/net v0.0.0-20220614195744-fb05da6f9022
-	golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6
+	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
+	golang.org/x/sys v0.0.0-20220614162138-6c1b26c55098
 	golang.org/x/text v0.3.8-0.20220124021120-d1c84af989ab
-	golang.org/x/time v0.0.0-20220411224347-583f2d630306
+	golang.org/x/time v0.0.0-20220609170525-579cf78fd858
-	golang.zx2c4.com/wireguard v0.0.0-20220407013110-ef5c587f782d
+	golang.zx2c4.com/wireguard v0.0.0-20220601130007-6a08d81f6bc4
 	golang.zx2c4.com/wireguard/windows v0.5.4-0.20220328111914-004c22c5647e
 	google.golang.org/protobuf v1.28.0
-	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
-	gvisor.dev/gvisor v0.0.0-20220506231117-8ef340c14150
+	gvisor.dev/gvisor v0.0.0-20220614011939-d89c08b0f364
 )
 
 require (
@@ -39,9 +39,8 @@ require (
 	github.com/oschwald/maxminddb-golang v1.9.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/u-root/uio v0.0.0-20210528114334-82958018845c // indirect
-	golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57 // indirect
+	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
-	golang.org/x/tools v0.1.9 // indirect
+	golang.org/x/tools v0.1.10 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 )

go.sum

@@ -1,5 +1,3 @@
-github.com/Dreamacro/go-shadowsocks2 v0.1.8 h1:Ixejp5JscEc866gAvm/l6TFd7BOBvDviKgwb1quWw3g=
-github.com/Dreamacro/go-shadowsocks2 v0.1.8/go.mod h1:51y4Q6tJoCE7e8TmYXcQRqfoxPfE9Cvn79V6pB6Df7Y=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -22,7 +20,7 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
+github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@@ -47,8 +45,8 @@ github.com/mdlayher/netlink v1.1.0/go.mod h1:H4WCitaheIsdF9yOYu8CFmCgQthAPIWZmcK
 github.com/mdlayher/netlink v1.1.1/go.mod h1:WTYpFb/WTvlRJAyKhZL5/uy69TDDpHHu2VZmb2XgV7o=
 github.com/mdlayher/raw v0.0.0-20190606142536-fef19f00fc18/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
 github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
-github.com/miekg/dns v1.1.48 h1:Ucfr7IIVyMBz4lRE8qmGUuZ4Wt3/ZGu9hmcMT3Uu4tQ=
+github.com/miekg/dns v1.1.49 h1:qe0mQU3Z/XpFeE+AEBo2rqaS1IPBJ3anmqZ4XiZJVG8=
-github.com/miekg/dns v1.1.48/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
+github.com/miekg/dns v1.1.49/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
 github.com/oschwald/geoip2-golang v1.7.0 h1:JW1r5AKi+vv2ujSxjKthySK3jo8w8oKWPyXsw+Qs/S8=
 github.com/oschwald/geoip2-golang v1.7.0/go.mod h1:mdI/C7iK7NVMcIDDtf4bCKMJ7r0o7UwGeCo9eiitCMQ=
 github.com/oschwald/maxminddb-golang v1.9.0 h1:tIk4nv6VT9OiPyrnDAfJS1s1xKDQMZOsGojab6EjC1Y=
@@ -80,11 +78,13 @@ go.uber.org/automaxprocs v1.5.1/go.mod h1:BF4eumQw0P9GtnuxxovUd06vwm1o18oMzFtK66
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20220507011949-2cf3adece122 h1:NvGWuYG8dkDHFSKksI1P9faiVJ9rayE6l0+ouWVIDs8=
+golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e h1:T8NU3HyQ8ClP4SEE+KbFlg6n0NhuTsN4MyznaarGsZM=
-golang.org/x/crypto v0.0.0-20220507011949-2cf3adece122/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/exp v0.0.0-20220613132600-b0d781184e0d h1:vtUKgx8dahOomfFzLREU8nSv25YHnTgLBn4rDnWZdU0=
+golang.org/x/exp v0.0.0-20220613132600-b0d781184e0d/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57 h1:LQmS1nU0twXLA96Kt7U9qtHJEbBk3z6Q0V4UXjZkpr4=
+golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 h1:kQgndtyPBW/JIYERgdxfwMYh3AVStj88WQTlNDi2a+o=
-golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
+golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190419010253-1f3472d942ba/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -97,11 +97,12 @@ golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 h1:HVyaeDAYux4pnY+D/SiwmLOR36ewZ4iGQIIrtnuCjFA=
+golang.org/x/net v0.0.0-20220614195744-fb05da6f9022 h1:0qjDla5xICC2suMtyRH/QqX3B1btXTfNsIt/i4LFgO0=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220614195744-fb05da6f9022/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f h1:Ax0t5p6N38Ga0dThY21weqDEyz2oklo4IvDkpigvkD8=
+golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -122,22 +123,22 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6 h1:nonptSpoQ4vQjyraW20DXPAglgQfVnM9ZC6MmNLMR60=
+golang.org/x/sys v0.0.0-20220614162138-6c1b26c55098 h1:PgOr27OhUx2IRqGJ2RxAWI4dJQ7bi9cSrB82uzFzfUA=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220614162138-6c1b26c55098/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.8-0.20220124021120-d1c84af989ab h1:eHo2TTVBaAPw9lDGK2Gb9GyPMXT6g7O63W6sx3ylbzU=
 golang.org/x/text v0.3.8-0.20220124021120-d1c84af989ab/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0=
-golang.org/x/time v0.0.0-20220411224347-583f2d630306 h1:+gHMid33q6pen7kv9xvT+JRinntgeXO2AeZVd0AWD3w=
+golang.org/x/time v0.0.0-20220609170525-579cf78fd858 h1:Dpdu/EMxGMFgq0CeYMh4fazTD2vtlZRYE7wyynxJb9U=
-golang.org/x/time v0.0.0-20220411224347-583f2d630306/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.9 h1:j9KsMiaP1c3B0OTQGth0/k+miLGTgLsAFUCrF2vLcF8=
+golang.org/x/tools v0.1.10 h1:QjFRCZxdOhBJ/UNgnBZLbNV13DlbnK0quyivTnXJM20=
-golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
+golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -145,8 +146,8 @@ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1N
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20220407013110-ef5c587f782d h1:q4JksJ2n0fmbXC0Aj0eOs6E0AcPqnKglxWXWFqGD6x0=
+golang.zx2c4.com/wireguard v0.0.0-20220601130007-6a08d81f6bc4 h1:QlbNZ9SwDAepRQwgeWHLi3rfEMo/kVEU4SmgsNM7HmQ=
-golang.zx2c4.com/wireguard v0.0.0-20220407013110-ef5c587f782d/go.mod h1:bVQfyl2sCM/QIIGHpWbFGfHPuDvqnCNkT6MQLTCjO/U=
+golang.zx2c4.com/wireguard v0.0.0-20220601130007-6a08d81f6bc4/go.mod h1:bVQfyl2sCM/QIIGHpWbFGfHPuDvqnCNkT6MQLTCjO/U=
 golang.zx2c4.com/wireguard/windows v0.5.4-0.20220328111914-004c22c5647e h1:yV04h6Tx19uDR6LvuEbR19cDU+3QrB9LuGjtF7F5G0w=
 golang.zx2c4.com/wireguard/windows v0.5.4-0.20220328111914-004c22c5647e/go.mod h1:1CeiatTZwcwSFA3cAtMm8CQoroviTldnxd7DOgM/vI4=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
@@ -154,10 +155,8 @@ google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscL
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gvisor.dev/gvisor v0.0.0-20220506231117-8ef340c14150 h1:bspdBY1iCLtW6JXold8yhXHkAiE9UoWfmHShNkTc9JA=
+gvisor.dev/gvisor v0.0.0-20220614011939-d89c08b0f364 h1:D+X2kUQINrsyxdwX71CUWxxQCGRU4tS6gni5WRYLCjs=
-gvisor.dev/gvisor v0.0.0-20220506231117-8ef340c14150/go.mod h1:tWwEcFvJavs154OdjFCw78axNrsDlz4Zh8jvPqwcpGI=
+gvisor.dev/gvisor v0.0.0-20220614011939-d89c08b0f364/go.mod h1:TIvkJD0sxe8pIob3p6T8IzxXunlp6yfgktvTNp+DGNM=

hub/executor/executor.go

@@ -82,10 +82,9 @@ func ApplyConfig(cfg *config.Config, force bool) {
 	updateHosts(cfg.Hosts)
 	updateMitm(cfg.Mitm)
 	updateProfile(cfg)
-	updateDNS(cfg.DNS, cfg.Tun)
+	updateDNS(cfg.DNS, cfg.General.Tun)
 	updateGeneral(cfg.General, force)
 	updateIPTables(cfg)
-	updateTun(cfg.Tun, cfg.DNS)
 	updateExperimental(cfg)
 
 	log.SetLevel(cfg.General.LogLevel)
@@ -94,8 +93,8 @@ func ApplyConfig(cfg *config.Config, force bool) {
 func GetGeneral() *config.General {
 	ports := P.GetPorts()
 	authenticator := []string{}
-	if auth := authStore.Authenticator(); auth != nil {
+	if authM := authStore.Authenticator(); authM != nil {
-		authenticator = auth.Users()
+		authenticator = authM.Users()
 	}
 
 	general := &config.General{
@@ -113,15 +112,16 @@ func GetGeneral() *config.General {
 		Mode:     tunnel.Mode(),
 		LogLevel: log.Level(),
 		IPv6:     !resolver.DisableIPv6,
+		Sniffing: tunnel.Sniffing(),
 		Tun:      P.GetTunConf(),
 	}
 
 	return general
 }
 
-func updateExperimental(c *config.Config) {}
+func updateExperimental(_ *config.Config) {}
 
-func updateDNS(c *config.DNS, t *config.Tun) {
+func updateDNS(c *config.DNS, t config.Tun) {
 	cfg := dns.Config{
 		Main:         c.NameServer,
 		Fallback:     c.Fallback,
@@ -141,6 +141,11 @@ func updateDNS(c *config.DNS, t *config.Tun) {
 		ProxyServer: c.ProxyServerNameserver,
 	}
 
+	// deprecated warnning
+	if cfg.EnhancedMode == C.DNSMapping {
+		log.Warnln("[DNS] %s is deprecated, please use %s instead", cfg.EnhancedMode.String(), C.DNSFakeIP.String())
+	}
+
 	r := dns.NewResolver(cfg)
 	pr := dns.NewProxyServerHostResolver(r)
 	m := dns.NewEnhancer(cfg)
@@ -172,6 +177,10 @@ func updateDNS(c *config.DNS, t *config.Tun) {
 		}
 		dns.ReCreateServer("", nil, nil)
 	}
+
+	if cfg.Pool != nil {
+		P.SetTunAddressPrefix(cfg.Pool.IPNet())
+	}
 }
 
 func updateHosts(tree *trie.DomainTrie[netip.Addr]) {
@@ -186,15 +195,6 @@ func updateRules(rules []C.Rule) {
 	tunnel.UpdateRules(rules)
 }
 
-func updateTun(tun *config.Tun, dns *config.DNS) {
-	var tunAddressPrefix *netip.Prefix
-	if dns.FakeIPRange != nil {
-		tunAddressPrefix = dns.FakeIPRange.IPNet()
-	}
-
-	P.ReCreateTun(tun, tunAddressPrefix, tunnel.TCPIn(), tunnel.UDPIn())
-}
-
 func updateGeneral(general *config.General, force bool) {
 	tunnel.SetMode(general.Mode)
 	resolver.DisableIPv6 = !general.IPv6
@@ -223,6 +223,11 @@ func updateGeneral(general *config.General, force bool) {
 	bindAddress := general.BindAddress
 	P.SetBindAddress(bindAddress)
 
+	sniffing := general.Sniffing
+	tunnel.SetSniffing(sniffing)
+
+	log.Infoln("Use TLS SNI sniffer: %v", sniffing)
+
 	tcpIn := tunnel.TCPIn()
 	udpIn := tunnel.UDPIn()
 
@@ -232,6 +237,7 @@ func updateGeneral(general *config.General, force bool) {
 	P.ReCreateTProxy(general.TProxyPort, tcpIn, udpIn)
 	P.ReCreateMixed(general.MixedPort, tcpIn, udpIn)
 	P.ReCreateMitm(general.MitmPort, tcpIn)
+	P.ReCreateTun(&general.Tun, tcpIn, udpIn)
 }
 
 func updateUsers(users []auth.AuthUser) {
@@ -273,7 +279,7 @@ func patchSelectGroup(proxies map[string]C.Proxy) {
 			continue
 		}
 
-		selector.Set(selected)
+		_ = selector.Set(selected)
 	}
 }
 

hub/route/configs.go

@@ -1,15 +1,17 @@
 package route
 
 import (
+	"encoding/json"
 	"net/http"
-	"net/netip"
 	"path/filepath"
 
+	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	"github.com/Dreamacro/clash/config"
 	"github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/hub/executor"
 	P "github.com/Dreamacro/clash/listener"
+	"github.com/Dreamacro/clash/listener/tun/ipstack/commons"
 	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/tunnel"
 
@@ -26,26 +28,28 @@ func configRouter() http.Handler {
 }
 
 type configSchema struct {
-	Port        *int               `json:"port"`
+	Port        *int               `json:"port,omitempty"`
-	SocksPort   *int               `json:"socks-port"`
+	SocksPort   *int               `json:"socks-port,omitempty"`
-	RedirPort   *int               `json:"redir-port"`
+	RedirPort   *int               `json:"redir-port,omitempty"`
-	TProxyPort  *int               `json:"tproxy-port"`
+	TProxyPort  *int               `json:"tproxy-port,omitempty"`
-	MixedPort   *int               `json:"mixed-port"`
+	MixedPort   *int               `json:"mixed-port,omitempty"`
-	MitmPort    *int               `json:"mitm-port"`
+	MitmPort    *int               `json:"mitm-port,omitempty"`
-	AllowLan    *bool              `json:"allow-lan"`
+	AllowLan    *bool              `json:"allow-lan,omitempty"`
-	BindAddress *string            `json:"bind-address"`
+	BindAddress *string            `json:"bind-address,omitempty"`
-	Mode        *tunnel.TunnelMode `json:"mode"`
+	Mode        *tunnel.TunnelMode `json:"mode,omitempty"`
-	LogLevel    *log.LogLevel      `json:"log-level"`
+	LogLevel    *log.LogLevel      `json:"log-level,omitempty"`
-	IPv6        *bool              `json:"ipv6"`
+	IPv6        *bool              `json:"ipv6,omitempty"`
-	Tun         *tunConfigSchema   `json:"tun"`
+	Sniffing    *bool              `json:"sniffing,omitempty"`
+	Tun         *tunConfigSchema   `json:"tun,omitempty"`
 }
 
 type tunConfigSchema struct {
-	Enable    *bool              `json:"enable"`
+	Enable              *bool              `json:"enable,omitempty"`
-	Device    *string            `json:"device"`
+	Device              *string            `json:"device,omitempty"`
-	Stack     *constant.TUNStack `json:"stack"`
+	Stack               *constant.TUNStack `json:"stack,omitempty"`
-	DNSHijack *[]netip.AddrPort  `json:"dns-hijack"`
+	DNSHijack           *[]constant.DNSUrl `json:"dns-hijack,omitempty"`
-	AutoRoute *bool              `json:"auto-route"`
+	AutoRoute           *bool              `json:"auto-route,omitempty"`
+	AutoDetectInterface *bool              `json:"auto-detect-interface,omitempty"`
 }
 
 func getConfigs(w http.ResponseWriter, r *http.Request) {
@@ -101,6 +105,10 @@ func patchConfigs(w http.ResponseWriter, r *http.Request) {
 		resolver.DisableIPv6 = !*general.IPv6
 	}
 
+	if general.Sniffing != nil {
+		tunnel.SetSniffing(*general.Sniffing)
+	}
+
 	if general.Tun != nil {
 		tunSchema := general.Tun
 		tunConf := P.GetTunConf()
@@ -120,10 +128,26 @@ func patchConfigs(w http.ResponseWriter, r *http.Request) {
 		if tunSchema.AutoRoute != nil {
 			tunConf.AutoRoute = *tunSchema.AutoRoute
 		}
-
+		if tunSchema.AutoDetectInterface != nil {
-		P.ReCreateTun(&tunConf, nil, tcpIn, udpIn)
+			tunConf.AutoDetectInterface = *tunSchema.AutoDetectInterface
 		}
 
+		if dialer.DefaultInterface.Load() == "" && tunConf.Enable {
+			outboundInterface, err := commons.GetAutoDetectInterface()
+			if err != nil {
+				render.Status(r, http.StatusBadRequest)
+				render.JSON(w, r, newError("Get auto detect interface fail: "+err.Error()))
+				return
+			}
+			dialer.DefaultInterface.Store(outboundInterface)
+		}
+
+		P.ReCreateTun(&tunConf, tcpIn, udpIn)
+	}
+
+	msg, _ := json.Marshal(general)
+	log.Warnln("[REST-API] patch config by: %s", string(msg))
+
 	render.NoContent(w, r)
 }
 
@@ -145,6 +169,7 @@ func updateConfigs(w http.ResponseWriter, r *http.Request) {
 	var err error
 
 	if req.Payload != "" {
+		log.Warnln("[REST-API] update config by payload")
 		cfg, err = executor.ParseWithBytes([]byte(req.Payload))
 		if err != nil {
 			render.Status(r, http.StatusBadRequest)
@@ -161,6 +186,7 @@ func updateConfigs(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
+		log.Warnln("[REST-API] reload config from path: %s", req.Path)
 		cfg, err = executor.ParseWithPath(req.Path)
 		if err != nil {
 			render.Status(r, http.StatusBadRequest)

hub/route/configsGeo.go

@@ -0,0 +1,64 @@
+package route
+
+import (
+	"net/http"
+	"sync"
+
+	"github.com/Dreamacro/clash/config"
+	"github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/hub/executor"
+	"github.com/Dreamacro/clash/log"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/render"
+)
+
+var (
+	updatingGeo  bool
+	updateGeoMux sync.Mutex
+)
+
+func configGeoRouter() http.Handler {
+	r := chi.NewRouter()
+	r.Post("/", updateGeoDatabases)
+	return r
+}
+
+func updateGeoDatabases(w http.ResponseWriter, r *http.Request) {
+	updateGeoMux.Lock()
+
+	if updatingGeo {
+		updateGeoMux.Unlock()
+		render.Status(r, http.StatusBadRequest)
+		render.JSON(w, r, newError("updating..."))
+		return
+	}
+
+	updatingGeo = true
+	updateGeoMux.Unlock()
+
+	go func() {
+		defer func() {
+			updatingGeo = false
+		}()
+
+		log.Warnln("[REST-API] updating GEO databases...")
+
+		if err := config.UpdateGeoDatabases(); err != nil {
+			log.Errorln("[REST-API] update GEO databases failed: %v", err)
+			return
+		}
+
+		log.Warnln("[REST-API] update GEO databases successful, apply config...")
+
+		cfg, err := executor.ParseWithPath(constant.Path.Config())
+		if err != nil {
+			log.Errorln("[REST-API] update GEO databases failed: %v", err)
+			return
+		}
+
+		executor.ApplyConfig(cfg, false)
+	}()
+
+	render.NoContent(w, r)
+}

hub/route/proxies.go

@@ -11,6 +11,7 @@ import (
 	"github.com/Dreamacro/clash/adapter/outboundgroup"
 	"github.com/Dreamacro/clash/component/profile/cachefile"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/tunnel"
 
 	"github.com/go-chi/chi/v5"
@@ -43,6 +44,10 @@ func findProxyByName(next http.Handler) http.Handler {
 		name := r.Context().Value(CtxKeyProxyName).(string)
 		proxies := tunnel.Proxies()
 		proxy, exist := proxies[name]
+		if !exist {
+			proxy, exist = findProxyInNonCompatibleProviderByName(name)
+		}
+
 		if !exist {
 			render.Status(r, http.StatusNotFound)
 			render.JSON(w, r, ErrNotFound)
@@ -128,3 +133,20 @@ func getProxyDelay(w http.ResponseWriter, r *http.Request) {
 		"delay": delay,
 	})
 }
+
+func findProxyInNonCompatibleProviderByName(name string) (proxy C.Proxy, found bool) {
+	providers := tunnel.Providers()
+	for _, pd := range providers {
+		if pd.VehicleType() == provider.Compatible {
+			continue
+		}
+		for _, pp := range pd.Proxies() {
+			found = pp.Name() == name
+			if found {
+				proxy = pp
+				return
+			}
+		}
+	}
+	return
+}

hub/route/server.go

@@ -67,6 +67,7 @@ func Start(addr string, secret string) {
 		r.Get("/traffic", traffic)
 		r.Get("/version", version)
 		r.Mount("/configs", configRouter())
+		r.Mount("/configs/geo", configGeoRouter())
 		r.Mount("/proxies", proxyRouter())
 		r.Mount("/rules", ruleRouter())
 		r.Mount("/connections", connectionRouter())

listener/http/upgrade.go

@@ -13,7 +13,15 @@ import (
 )
 
 func isUpgradeRequest(req *http.Request) bool {
-	return strings.EqualFold(req.Header.Get("Connection"), "Upgrade")
+	for _, header := range req.Header["Connection"] {
+		for _, elm := range strings.Split(header, ",") {
+			if strings.EqualFold(strings.TrimSpace(elm), "Upgrade") {
+				return true
+			}
+		}
+	}
+
+	return false
 }
 
 func HandleUpgrade(localConn net.Conn, serverConn *N.BufferedConn, request *http.Request, in chan<- C.ConnContext) (resp *http.Response) {

listener/listener.go

@@ -8,7 +8,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"sort"
 	"strconv"
 	"sync"
 	"time"
@@ -36,6 +35,7 @@ var (
 	bindAddress          = "*"
 	lastTunConf          *config.Tun
 	lastTunAddressPrefix *netip.Prefix
+	tunAddressPrefix     *netip.Prefix
 
 	socksListener     *socks.Listener
 	socksUDPListener  *socks.UDPListener
@@ -70,11 +70,24 @@ type Ports struct {
 
 func GetTunConf() config.Tun {
 	if lastTunConf == nil {
+		addrPort := C.DNSAddrPort{
+			AddrPort: netip.MustParseAddrPort("0.0.0.0:53"),
+		}
 		return config.Tun{
 			Enable: false,
 			Stack:  C.TunGvisor,
-			DNSHijack: []netip.AddrPort{netip.MustParseAddrPort("0.0.0.0:53")},
+			DNSHijack: []C.DNSUrl{ // default hijack all dns query
+				{
+					Network:  "udp",
+					AddrPort: addrPort,
+				},
+				{
+					Network:  "tcp",
+					AddrPort: addrPort,
+				},
+			},
 			AutoRoute:           true,
+			AutoDetectInterface: false,
 		}
 	}
 	return *lastTunConf
@@ -96,6 +109,10 @@ func SetBindAddress(host string) {
 	bindAddress = host
 }
 
+func SetTunAddressPrefix(tunAddress *netip.Prefix) {
+	tunAddressPrefix = tunAddress
+}
+
 func ReCreateHTTP(port int, tcpIn chan<- C.ConnContext) {
 	httpMux.Lock()
 	defer httpMux.Unlock()
@@ -335,7 +352,7 @@ func ReCreateMixed(port int, tcpIn chan<- C.ConnContext, udpIn chan<- *inbound.P
 	log.Infoln("Mixed(http+socks) proxy listening at: %s", mixedListener.Address())
 }
 
-func ReCreateTun(tunConf *config.Tun, tunAddressPrefix *netip.Prefix, tcpIn chan<- C.ConnContext, udpIn chan<- *inbound.PacketAdapter) {
+func ReCreateTun(tunConf *config.Tun, tcpIn chan<- C.ConnContext, udpIn chan<- *inbound.PacketAdapter) {
 	tunMux.Lock()
 	defer tunMux.Unlock()
 
@@ -350,6 +367,8 @@ func ReCreateTun(tunConf *config.Tun, tunAddressPrefix *netip.Prefix, tcpIn chan
 		tunAddressPrefix = lastTunAddressPrefix
 	}
 
+	tunConf.DNSHijack = C.RemoveDuplicateDNSUrl(tunConf.DNSHijack)
+
 	if tunStackListener != nil {
 		if !hasTunConfigChange(tunConf, tunAddressPrefix) {
 			return
@@ -366,7 +385,13 @@ func ReCreateTun(tunConf *config.Tun, tunAddressPrefix *netip.Prefix, tcpIn chan
 		return
 	}
 
-	tunStackListener, err = tun.New(tunConf, tunAddressPrefix, tcpIn, udpIn)
+	callback := &tunChangeCallback{
+		tunConf: *tunConf,
+		tcpIn:   tcpIn,
+		udpIn:   udpIn,
+	}
+
+	tunStackListener, err = tun.New(tunConf, tunAddressPrefix, tcpIn, udpIn, callback)
 	if err != nil {
 		return
 	}
@@ -519,14 +544,6 @@ func hasTunConfigChange(tunConf *config.Tun, tunAddressPrefix *netip.Prefix) boo
 		return true
 	}
 
-	sort.Slice(lastTunConf.DNSHijack, func(i, j int) bool {
-		return lastTunConf.DNSHijack[i].Addr().Less(lastTunConf.DNSHijack[j].Addr())
-	})
-
-	sort.Slice(tunConf.DNSHijack, func(i, j int) bool {
-		return tunConf.DNSHijack[i].Addr().Less(tunConf.DNSHijack[j].Addr())
-	})
-
 	for i, dns := range tunConf.DNSHijack {
 		if dns != lastTunConf.DNSHijack[i] {
 			return true
@@ -536,7 +553,8 @@ func hasTunConfigChange(tunConf *config.Tun, tunAddressPrefix *netip.Prefix) boo
 	if lastTunConf.Enable != tunConf.Enable ||
 		lastTunConf.Device != tunConf.Device ||
 		lastTunConf.Stack != tunConf.Stack ||
-		lastTunConf.AutoRoute != tunConf.AutoRoute {
+		lastTunConf.AutoRoute != tunConf.AutoRoute ||
+		lastTunConf.AutoDetectInterface != tunConf.AutoDetectInterface {
 		return true
 	}
 
@@ -551,6 +569,24 @@ func hasTunConfigChange(tunConf *config.Tun, tunAddressPrefix *netip.Prefix) boo
 	return false
 }
 
+type tunChangeCallback struct {
+	tunConf config.Tun
+	tcpIn   chan<- C.ConnContext
+	udpIn   chan<- *inbound.PacketAdapter
+}
+
+func (t *tunChangeCallback) Pause() {
+	conf := t.tunConf
+	conf.Enable = false
+	ReCreateTun(&conf, t.tcpIn, t.udpIn)
+}
+
+func (t *tunChangeCallback) Resume() {
+	conf := t.tunConf
+	conf.Enable = true
+	ReCreateTun(&conf, t.tcpIn, t.udpIn)
+}
+
 func initCert() error {
 	if _, err := os.Stat(C.Path.RootCA()); os.IsNotExist(err) {
 		log.Infoln("Can't find mitm_ca.crt, start generate")

listener/tproxy/iptables.go

@@ -162,15 +162,12 @@ func CleanupTProxyIPTables() {
 func addLocalnetworkToChain(chain string) {
 	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 0.0.0.0/8 -j RETURN", chain))
 	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 10.0.0.0/8 -j RETURN", chain))
-	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 100.64.0.0/10 -j RETURN", chain))
 	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 127.0.0.0/8 -j RETURN", chain))
 	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 169.254.0.0/16 -j RETURN", chain))
-	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 172.16.0.0/12 -j RETURN", chain))
 	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 192.0.0.0/24 -j RETURN", chain))
 	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 192.0.2.0/24 -j RETURN", chain))
 	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 192.88.99.0/24 -j RETURN", chain))
 	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 192.168.0.0/16 -j RETURN", chain))
-	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 198.51.100.0/24 -j RETURN", chain))
 	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 203.0.113.0/24 -j RETURN", chain))
 	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 224.0.0.0/4 -j RETURN", chain))
 	execCmd(fmt.Sprintf("iptables -t mangle -A %s -d 240.0.0.0/4 -j RETURN", chain))

listener/tproxy/packet.go

@@ -2,12 +2,13 @@ package tproxy
 
 import (
 	"net"
+	"net/netip"
 
 	"github.com/Dreamacro/clash/common/pool"
 )
 
 type packet struct {
-	lAddr *net.UDPAddr
+	lAddr netip.AddrPort
 	buf   []byte
 }
 
@@ -17,21 +18,21 @@ func (c *packet) Data() []byte {
 
 // WriteBack opens a new socket binding `addr` to write UDP packet back
 func (c *packet) WriteBack(b []byte, addr net.Addr) (n int, err error) {
-	tc, err := dialUDP("udp", addr.(*net.UDPAddr), c.lAddr)
+	tc, err := dialUDP("udp", addr.(*net.UDPAddr).AddrPort(), c.lAddr)
 	if err != nil {
 		n = 0
 		return
 	}
 	n, err = tc.Write(b)
-	tc.Close()
+	_ = tc.Close()
 	return
 }
 
 // LocalAddr returns the source IP/Port of UDP Packet
 func (c *packet) LocalAddr() net.Addr {
-	return c.lAddr
+	return net.UDPAddrFromAddrPort(c.lAddr)
 }
 
 func (c *packet) Drop() {
-	pool.Put(c.buf)
+	_ = pool.Put(c.buf)
 }

listener/tproxy/tcp.go

@@ -32,7 +32,7 @@ func (l *Listener) Close() error {
 
 func (l *Listener) handleTProxy(conn net.Conn, in chan<- C.ConnContext) {
 	target := socks5.ParseAddrToSocksAddr(conn.LocalAddr())
-	conn.(*net.TCPConn).SetKeepAlive(true)
+	_ = conn.(*net.TCPConn).SetKeepAlive(true)
 	in <- inbound.NewSocket(target, conn, C.TPROXY)
 }
 

listener/tproxy/udp.go

@@ -2,6 +2,7 @@ package tproxy
 
 import (
 	"net"
+	"net/netip"
 
 	"github.com/Dreamacro/clash/adapter/inbound"
 	"github.com/Dreamacro/clash/common/pool"
@@ -58,28 +59,28 @@ func NewUDP(addr string, in chan<- *inbound.PacketAdapter) (*UDPListener, error)
 		oob := make([]byte, 1024)
 		for {
 			buf := pool.Get(pool.UDPBufferSize)
-			n, oobn, _, lAddr, err := c.ReadMsgUDP(buf, oob)
+			n, oobn, _, lAddr, err := c.ReadMsgUDPAddrPort(buf, oob)
 			if err != nil {
-				pool.Put(buf)
+				_ = pool.Put(buf)
 				if rl.closed {
 					break
 				}
 				continue
 			}
 
-			rAddr, err := getOrigDst(oob, oobn)
+			rAddr, err := getOrigDst(oob[:oobn])
 			if err != nil {
 				continue
 			}
-			handlePacketConn(l, in, buf[:n], lAddr, rAddr)
+			handlePacketConn(in, buf[:n], lAddr, rAddr)
 		}
 	}()
 
 	return rl, nil
 }
 
-func handlePacketConn(pc net.PacketConn, in chan<- *inbound.PacketAdapter, buf []byte, lAddr *net.UDPAddr, rAddr *net.UDPAddr) {
+func handlePacketConn(in chan<- *inbound.PacketAdapter, buf []byte, lAddr, rAddr netip.AddrPort) {
-	target := socks5.ParseAddrToSocksAddr(rAddr)
+	target := socks5.AddrFromStdAddrPort(rAddr)
 	pkt := &packet{
 		lAddr: lAddr,
 		buf:   buf,

listener/tproxy/udp_linux.go

@@ -3,13 +3,14 @@
 package tproxy
 
 import (
-	"encoding/binary"
-	"errors"
 	"fmt"
 	"net"
+	"net/netip"
 	"os"
 	"strconv"
 	"syscall"
+
+	"golang.org/x/sys/unix"
 )
 
 const (
@@ -19,7 +20,7 @@ const (
 
 // dialUDP acts like net.DialUDP for transparent proxy.
 // It binds to a non-local address(`lAddr`).
-func dialUDP(network string, lAddr *net.UDPAddr, rAddr *net.UDPAddr) (*net.UDPConn, error) {
+func dialUDP(network string, lAddr, rAddr netip.AddrPort) (uc *net.UDPConn, err error) {
 	rSockAddr, err := udpAddrToSockAddr(rAddr)
 	if err != nil {
 		return nil, err
@@ -35,23 +36,25 @@ func dialUDP(network string, lAddr *net.UDPAddr, rAddr *net.UDPAddr) (*net.UDPCo
 		return nil, err
 	}
 
-	if err = syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_REUSEADDR, 1); err != nil {
+	defer func() {
+		if err != nil {
 			syscall.Close(fd)
+		}
+	}()
+
+	if err = syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_REUSEADDR, 1); err != nil {
 		return nil, err
 	}
 
 	if err = syscall.SetsockoptInt(fd, syscall.SOL_IP, syscall.IP_TRANSPARENT, 1); err != nil {
-		syscall.Close(fd)
 		return nil, err
 	}
 
 	if err = syscall.Bind(fd, lSockAddr); err != nil {
-		syscall.Close(fd)
 		return nil, err
 	}
 
 	if err = syscall.Connect(fd, rSockAddr); err != nil {
-		syscall.Close(fd)
 		return nil, err
 	}
 
@@ -60,35 +63,26 @@ func dialUDP(network string, lAddr *net.UDPAddr, rAddr *net.UDPAddr) (*net.UDPCo
 
 	c, err := net.FileConn(fdFile)
 	if err != nil {
-		syscall.Close(fd)
 		return nil, err
 	}
 
 	return c.(*net.UDPConn), nil
 }
 
-func udpAddrToSockAddr(addr *net.UDPAddr) (syscall.Sockaddr, error) {
+func udpAddrToSockAddr(addr netip.AddrPort) (syscall.Sockaddr, error) {
-	switch {
+	if addr.Addr().Is4() {
-	case addr.IP.To4() != nil:
+		return &syscall.SockaddrInet4{Addr: addr.Addr().As4(), Port: int(addr.Port())}, nil
-		ip := [4]byte{}
+	}
-		copy(ip[:], addr.IP.To4())
 
-		return &syscall.SockaddrInet4{Addr: ip, Port: addr.Port}, nil
+	zoneID, err := strconv.ParseUint(addr.Addr().Zone(), 10, 32)
-
-	default:
-		ip := [16]byte{}
-		copy(ip[:], addr.IP.To16())
-
-		zoneID, err := strconv.ParseUint(addr.Zone, 10, 32)
 	if err != nil {
 		zoneID = 0
 	}
 
-		return &syscall.SockaddrInet6{Addr: ip, Port: addr.Port, ZoneId: uint32(zoneID)}, nil
+	return &syscall.SockaddrInet6{Addr: addr.Addr().As16(), Port: int(addr.Port()), ZoneId: uint32(zoneID)}, nil
-	}
 }
 
-func udpAddrFamily(net string, lAddr, rAddr *net.UDPAddr) int {
+func udpAddrFamily(net string, lAddr, rAddr netip.AddrPort) int {
 	switch net[len(net)-1] {
 	case '4':
 		return syscall.AF_INET
@@ -96,29 +90,35 @@ func udpAddrFamily(net string, lAddr, rAddr *net.UDPAddr) int {
 		return syscall.AF_INET6
 	}
 
-	if (lAddr == nil || lAddr.IP.To4() != nil) && (rAddr == nil || lAddr.IP.To4() != nil) {
+	if lAddr.Addr().Is4() && rAddr.Addr().Is4() {
 		return syscall.AF_INET
 	}
 	return syscall.AF_INET6
 }
 
-func getOrigDst(oob []byte, oobn int) (*net.UDPAddr, error) {
+func getOrigDst(oob []byte) (netip.AddrPort, error) {
-	msgs, err := syscall.ParseSocketControlMessage(oob[:oobn])
+	// oob contains socket control messages which we need to parse.
+	scms, err := unix.ParseSocketControlMessage(oob)
 	if err != nil {
-		return nil, err
+		return netip.AddrPort{}, fmt.Errorf("parse control message: %w", err)
 	}
 
-	for _, msg := range msgs {
+	// retrieve the destination address from the SCM.
-		if msg.Header.Level == syscall.SOL_IP && msg.Header.Type == syscall.IP_RECVORIGDSTADDR {
+	sa, err := unix.ParseOrigDstAddr(&scms[0])
-			ip := net.IP(msg.Data[4:8])
+	if err != nil {
-			port := binary.BigEndian.Uint16(msg.Data[2:4])
+		return netip.AddrPort{}, fmt.Errorf("retrieve destination: %w", err)
-			return &net.UDPAddr{IP: ip, Port: int(port)}, nil
-		} else if msg.Header.Level == syscall.SOL_IPV6 && msg.Header.Type == IPV6_RECVORIGDSTADDR {
-			ip := net.IP(msg.Data[8:24])
-			port := binary.BigEndian.Uint16(msg.Data[2:4])
-			return &net.UDPAddr{IP: ip, Port: int(port)}, nil
-		}
 	}
 
-	return nil, errors.New("cannot find origDst")
+	// encode the destination address into a cmsg.
+	var rAddr netip.AddrPort
+	switch v := sa.(type) {
+	case *unix.SockaddrInet4:
+		rAddr = netip.AddrPortFrom(netip.AddrFrom4(v.Addr), uint16(v.Port))
+	case *unix.SockaddrInet6:
+		rAddr = netip.AddrPortFrom(netip.AddrFrom16(v.Addr), uint16(v.Port))
+	default:
+		return netip.AddrPort{}, fmt.Errorf("unsupported address type: %T", v)
+	}
+
+	return rAddr, nil
 }

listener/tproxy/udp_other.go

@@ -5,12 +5,13 @@ package tproxy
 import (
 	"errors"
 	"net"
+	"net/netip"
 )
 
-func getOrigDst(oob []byte, oobn int) (*net.UDPAddr, error) {
+func getOrigDst(oob []byte) (netip.AddrPort, error) {
-	return nil, errors.New("UDP redir not supported on current platform")
+	return netip.AddrPort{}, errors.New("UDP redir not supported on current platform")
 }
 
-func dialUDP(network string, lAddr *net.UDPAddr, rAddr *net.UDPAddr) (*net.UDPConn, error) {
+func dialUDP(network string, lAddr, rAddr netip.AddrPort) (*net.UDPConn, error) {
 	return nil, errors.New("UDP redir not supported on current platform")
 }

listener/tun/device/iobased/endpoint.go

@@ -8,8 +8,10 @@ import (
 	"io"
 	"sync"
 
+	"github.com/Dreamacro/clash/common/pool"
+
+	"gvisor.dev/gvisor/pkg/buffer"
 	"gvisor.dev/gvisor/pkg/tcpip"
-	"gvisor.dev/gvisor/pkg/tcpip/buffer"
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/link/channel"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
@@ -93,23 +95,29 @@ func (e *Endpoint) dispatchLoop(cancel context.CancelFunc) {
 
 	mtu := int(e.mtu)
 	for {
-		data := make([]byte, mtu)
+		data := pool.Get(mtu)
 
 		n, err := e.rw.Read(data)
 		if err != nil {
+			_ = pool.Put(data)
 			break
 		}
 
 		if n == 0 || n > mtu {
+			_ = pool.Put(data)
 			continue
 		}
 
 		if !e.IsAttached() {
+			_ = pool.Put(data)
 			continue /* unattached, drop packet */
 		}
 
 		pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
-			Data: buffer.View(data[:n]).ToVectorisedView(),
+			Payload: buffer.NewWithData(data[:n]),
+			OnRelease: func() {
+				_ = pool.Put(data)
+			},
 		})
 
 		switch header.IPVersion(data) {
@@ -117,6 +125,8 @@ func (e *Endpoint) dispatchLoop(cancel context.CancelFunc) {
 			e.InjectInbound(header.IPv4ProtocolNumber, pkt)
 		case header.IPv6Version:
 			e.InjectInbound(header.IPv6ProtocolNumber, pkt)
+		default:
+			_ = pool.Put(data)
 		}
 		pkt.DecRef()
 	}
@@ -138,11 +148,8 @@ func (e *Endpoint) outboundLoop(ctx context.Context) {
 func (e *Endpoint) writePacket(pkt *stack.PacketBuffer) tcpip.Error {
 	defer pkt.DecRef()
 
-	size := pkt.Size()
+	buf := pkt.Buffer()
-	views := pkt.Views()
+	if _, err := e.rw.Write(buf.Flatten()); err != nil {
-
-	vView := buffer.NewVectorisedView(size, views)
-	if _, err := e.rw.Write(vView.ToView()); err != nil {
 		return &tcpip.ErrInvalidEndpointState{}
 	}
 	return nil

listener/tun/device/tun/driver/dll_windows.go

@@ -0,0 +1,216 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package driver
+
+import (
+	"fmt"
+	"runtime"
+	"sync"
+	"sync/atomic"
+	"syscall"
+	"unsafe"
+
+	"github.com/Dreamacro/clash/log"
+
+	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/windows/driver/memmod"
+)
+
+//go:linkname modwintun golang.zx2c4.com/wintun.modwintun
+
+//go:linkname procWintunCreateAdapter golang.zx2c4.com/wintun.procWintunCreateAdapter
+
+//go:linkname procWintunOpenAdapter golang.zx2c4.com/wintun.procWintunOpenAdapter
+
+//go:linkname procWintunCloseAdapter golang.zx2c4.com/wintun.procWintunCloseAdapter
+
+//go:linkname procWintunDeleteDriver golang.zx2c4.com/wintun.procWintunDeleteDriver
+
+//go:linkname procWintunGetAdapterLUID golang.zx2c4.com/wintun.procWintunGetAdapterLUID
+
+//go:linkname procWintunGetRunningDriverVersion golang.zx2c4.com/wintun.procWintunGetRunningDriverVersion
+
+//go:linkname procWintunAllocateSendPacket golang.zx2c4.com/wintun.procWintunAllocateSendPacket
+
+//go:linkname procWintunEndSession golang.zx2c4.com/wintun.procWintunEndSession
+
+//go:linkname procWintunGetReadWaitEvent golang.zx2c4.com/wintun.procWintunGetReadWaitEvent
+
+//go:linkname procWintunReceivePacket golang.zx2c4.com/wintun.procWintunReceivePacket
+
+//go:linkname procWintunReleaseReceivePacket golang.zx2c4.com/wintun.procWintunReleaseReceivePacket
+
+//go:linkname procWintunSendPacket golang.zx2c4.com/wintun.procWintunSendPacket
+
+//go:linkname procWintunStartSession golang.zx2c4.com/wintun.procWintunStartSession
+
+var (
+	modwintun                         = newLazyDLL("wintun.dll", setupLogger)
+	procWintunCreateAdapter           = modwintun.NewProc("WintunCreateAdapter")
+	procWintunOpenAdapter             = modwintun.NewProc("WintunOpenAdapter")
+	procWintunCloseAdapter            = modwintun.NewProc("WintunCloseAdapter")
+	procWintunDeleteDriver            = modwintun.NewProc("WintunDeleteDriver")
+	procWintunGetAdapterLUID          = modwintun.NewProc("WintunGetAdapterLUID")
+	procWintunGetRunningDriverVersion = modwintun.NewProc("WintunGetRunningDriverVersion")
+	procWintunAllocateSendPacket      = modwintun.NewProc("WintunAllocateSendPacket")
+	procWintunEndSession              = modwintun.NewProc("WintunEndSession")
+	procWintunGetReadWaitEvent        = modwintun.NewProc("WintunGetReadWaitEvent")
+	procWintunReceivePacket           = modwintun.NewProc("WintunReceivePacket")
+	procWintunReleaseReceivePacket    = modwintun.NewProc("WintunReleaseReceivePacket")
+	procWintunSendPacket              = modwintun.NewProc("WintunSendPacket")
+	procWintunStartSession            = modwintun.NewProc("WintunStartSession")
+)
+
+type loggerLevel int
+
+const (
+	logInfo loggerLevel = iota
+	logWarn
+	logErr
+)
+
+func InitWintun() (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("init wintun.dll error: %v", r)
+		}
+	}()
+
+	if err = modwintun.Load(); err != nil {
+		return
+	}
+
+	procWintunCreateAdapter.Addr()
+	procWintunOpenAdapter.Addr()
+	procWintunCloseAdapter.Addr()
+	procWintunDeleteDriver.Addr()
+	procWintunGetAdapterLUID.Addr()
+	procWintunGetRunningDriverVersion.Addr()
+	procWintunAllocateSendPacket.Addr()
+	procWintunEndSession.Addr()
+	procWintunGetReadWaitEvent.Addr()
+	procWintunReceivePacket.Addr()
+	procWintunReleaseReceivePacket.Addr()
+	procWintunSendPacket.Addr()
+	procWintunStartSession.Addr()
+
+	return
+}
+
+func newLazyDLL(name string, onLoad func(d *lazyDLL)) *lazyDLL {
+	return &lazyDLL{Name: name, onLoad: onLoad}
+}
+
+func logMessage(level loggerLevel, _ uint64, msg *uint16) int {
+	switch level {
+	case logInfo:
+		log.Infoln("[TUN] %s", windows.UTF16PtrToString(msg))
+	case logWarn:
+		log.Warnln("[TUN] %s", windows.UTF16PtrToString(msg))
+	case logErr:
+		log.Errorln("[TUN] %s", windows.UTF16PtrToString(msg))
+	default:
+		log.Debugln("[TUN] %s", windows.UTF16PtrToString(msg))
+	}
+	return 0
+}
+
+func setupLogger(dll *lazyDLL) {
+	var callback uintptr
+	if runtime.GOARCH == "386" {
+		callback = windows.NewCallback(func(level loggerLevel, _, _ uint32, msg *uint16) int {
+			return logMessage(level, 0, msg)
+		})
+	} else if runtime.GOARCH == "arm" {
+		callback = windows.NewCallback(func(level loggerLevel, _, _, _ uint32, msg *uint16) int {
+			return logMessage(level, 0, msg)
+		})
+	} else if runtime.GOARCH == "amd64" || runtime.GOARCH == "arm64" {
+		callback = windows.NewCallback(logMessage)
+	}
+	_, _, _ = syscall.SyscallN(dll.NewProc("WintunSetLogger").Addr(), callback)
+}
+
+func (d *lazyDLL) NewProc(name string) *lazyProc {
+	return &lazyProc{dll: d, Name: name}
+}
+
+type lazyProc struct {
+	Name string
+	mu   sync.Mutex
+	dll  *lazyDLL
+	addr uintptr
+}
+
+func (p *lazyProc) Find() error {
+	if atomic.LoadPointer((*unsafe.Pointer)(unsafe.Pointer(&p.addr))) != nil {
+		return nil
+	}
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	if p.addr != 0 {
+		return nil
+	}
+
+	err := p.dll.Load()
+	if err != nil {
+		return fmt.Errorf("error loading DLL: %s, MODULE: %s, error: %w", p.dll.Name, p.Name, err)
+	}
+	addr, err := p.nameToAddr()
+	if err != nil {
+		return fmt.Errorf("error getting %s address: %w", p.Name, err)
+	}
+
+	atomic.StorePointer((*unsafe.Pointer)(unsafe.Pointer(&p.addr)), unsafe.Pointer(addr))
+	return nil
+}
+
+func (p *lazyProc) Addr() uintptr {
+	err := p.Find()
+	if err != nil {
+		panic(err)
+	}
+	return p.addr
+}
+
+func (p *lazyProc) Load() error {
+	return p.dll.Load()
+}
+
+type lazyDLL struct {
+	Name   string
+	Base   windows.Handle
+	mu     sync.Mutex
+	module *memmod.Module
+	onLoad func(d *lazyDLL)
+}
+
+func (d *lazyDLL) Load() error {
+	if atomic.LoadPointer((*unsafe.Pointer)(unsafe.Pointer(&d.module))) != nil {
+		return nil
+	}
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	if d.module != nil {
+		return nil
+	}
+
+	module, err := memmod.LoadLibrary(dllData)
+	if err != nil {
+		return fmt.Errorf("unable to load library: %w", err)
+	}
+	d.Base = windows.Handle(module.BaseAddr())
+
+	atomic.StorePointer((*unsafe.Pointer)(unsafe.Pointer(&d.module)), unsafe.Pointer(module))
+	if d.onLoad != nil {
+		d.onLoad(d)
+	}
+	return nil
+}
+
+func (p *lazyProc) nameToAddr() (uintptr, error) {
+	return p.dll.module.ProcAddressByName(p.Name)
+}

listener/tun/device/tun/driver/dll_windows_386.go

@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package driver
+
+import (
+	_ "embed"
+)
+
+//go:embed x86/wintun.dll
+var dllData []byte

listener/tun/device/tun/driver/dll_windows_amd64.go

@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package driver
+
+import (
+	_ "embed"
+)
+
+//go:embed amd64/wintun.dll
+var dllData []byte

listener/tun/device/tun/driver/dll_windows_arm.go

@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package driver
+
+import (
+	_ "embed"
+)
+
+//go:embed arm/wintun.dll
+var dllData []byte

listener/tun/device/tun/driver/dll_windows_arm64.go

@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package driver
+
+import (
+	_ "embed"
+)
+
+//go:embed arm64/wintun.dll
+var dllData []byte

listener/tun/device/tun/driver/package_info.go

@@ -0,0 +1,10 @@
+//go:build windows
+
+// https://git.zx2c4.com/wireguard-go/tree/tun/wintun
+
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package driver

listener/tun/device/tun/tun_wireguard.go

@@ -3,7 +3,6 @@
 package tun
 
 import (
-	"errors"
 	"fmt"
 	"os"
 	"runtime"
@@ -43,11 +42,11 @@ func Open(name string, mtu uint32) (_ device.Device, err error) {
 		forcedMTU = int(t.mtu)
 	}
 
-	nt, err := tun.CreateTUN(t.name, forcedMTU) // forcedMTU do not work on wintun, need to be setting by other way
+	nt, err := newDevice(t.name, forcedMTU) // forcedMTU do not work on wintun, need to be setting by other way
 
-	// retry if abnormal exit on Windows at last time
+	// retry if abnormal exit at last time on Windows
-	if err != nil && runtime.GOOS == "windows" && errors.Is(err, os.ErrExist) {
+	if err != nil && runtime.GOOS == "windows" && os.IsExist(err) {
-		nt, err = tun.CreateTUN(t.name, forcedMTU)
+		nt, err = newDevice(t.name, forcedMTU)
 	}
 
 	if err != nil {
@@ -88,7 +87,11 @@ func (t *TUN) Write(packet []byte) (int, error) {
 
 	packet = append(t.cache[:t.offset], packet...)
 
-	return t.nt.Write(packet, t.offset)
+	n, err := t.nt.Write(packet, t.offset)
+	if n < t.offset {
+		return 0, err
+	}
+	return n - t.offset, err
 }
 
 func (t *TUN) Close() error {

listener/tun/device/tun/tun_wireguard_unix.go

@@ -2,7 +2,13 @@
 
 package tun
 
+import "golang.zx2c4.com/wireguard/tun"
+
 const (
 	offset     = 4 /* 4 bytes TUN_PI */
 	defaultMTU = 1500
 )
+
+func newDevice(name string, mtu int) (tun.Device, error) {
+	return tun.CreateTUN(name, mtu)
+}

listener/tun/device/tun/tun_wireguard_windows.go

@@ -1,6 +1,8 @@
 package tun
 
 import (
+	"github.com/Dreamacro/clash/listener/tun/device/tun/driver"
+
 	"golang.org/x/sys/windows"
 	"golang.zx2c4.com/wireguard/tun"
 )
@@ -20,3 +22,11 @@ func init() {
 func (t *TUN) LUID() uint64 {
 	return t.nt.LUID()
 }
+
+func newDevice(name string, mtu int) (nt tun.Device, err error) {
+	if err = driver.InitWintun(); err != nil {
+		return
+	}
+
+	return tun.CreateTUN(name, mtu)
+}

listener/tun/ipstack/commons/dns.go

@@ -5,15 +5,16 @@ import (
 	"time"
 
 	"github.com/Dreamacro/clash/component/resolver"
+	C "github.com/Dreamacro/clash/constant"
 
 	D "github.com/miekg/dns"
 )
 
 const DefaultDnsReadTimeout = time.Second * 10
 
-func ShouldHijackDns(dnsAdds []netip.AddrPort, targetAddr netip.AddrPort) bool {
+func ShouldHijackDns(dnsHijack []C.DNSUrl, targetAddr netip.AddrPort, network string) bool {
-	for _, addrPort := range dnsAdds {
+	for _, dns := range dnsHijack {
-		if addrPort == targetAddr || (addrPort.Addr().IsUnspecified() && targetAddr.Port() == 53) {
+		if dns.Network == network && (dns.AddrPort.AddrPort == targetAddr || (dns.AddrPort.Addr().IsUnspecified() && dns.AddrPort.Port() == targetAddr.Port())) {
 			return true
 		}
 	}

listener/tun/ipstack/commons/router.go

@@ -1,18 +1,26 @@
 package commons
 
 import (
+	"errors"
 	"fmt"
 	"net"
+	"sync"
 	"time"
 
-	"github.com/Dreamacro/clash/component/dialer"
+	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/log"
 )
 
 var (
 	defaultRoutes = []string{"1.0.0.0/8", "2.0.0.0/7", "4.0.0.0/6", "8.0.0.0/5", "16.0.0.0/4", "32.0.0.0/3", "64.0.0.0/2", "128.0.0.0/1"}
 
-	defaultInterfaceMonitorDuration = 20 * time.Second
+	monitorDuration = 10 * time.Second
+	monitorStarted  = false
+	monitorStop     = make(chan struct{}, 2)
+	monitorMux      sync.Mutex
+
+	tunStatus            = C.TunDisabled
+	tunChangeCallback    C.TUNChangeCallback
+	errInterfaceNotFound = errors.New("default interface not found")
 )
 
 func ipv4MaskString(bits int) string {
@@ -24,26 +32,6 @@ func ipv4MaskString(bits int) string {
 	return fmt.Sprintf("%d.%d.%d.%d", m[0], m[1], m[2], m[3])
 }
 
-func defaultInterfaceChangeMonitor() {
+func SetTunChangeCallback(callback C.TUNChangeCallback) {
-	t := time.NewTicker(defaultInterfaceMonitorDuration)
+	tunChangeCallback = callback
-	defer t.Stop()
-
-	for {
-		<-t.C
-
-		interfaceName, err := GetAutoDetectInterface()
-		if err != nil {
-			log.Warnln("[TUN] default interface monitor exited, cause: %v", err)
-			break
-		}
-
-		old := dialer.DefaultInterface.Load()
-		if interfaceName == old {
-			continue
-		}
-
-		dialer.DefaultInterface.Store(interfaceName)
-
-		log.Warnln("[TUN] default interface changed by monitor, %s => %s", old, interfaceName)
-	}
 }

listener/tun/ipstack/commons/router_darwin.go

@@ -2,17 +2,30 @@ package commons
 
 import (
 	"fmt"
+	"net"
 	"net/netip"
+	"strings"
+	"syscall"
+	"time"
 
 	"github.com/Dreamacro/clash/common/cmd"
+	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/iface"
 	"github.com/Dreamacro/clash/listener/tun/device"
+	"github.com/Dreamacro/clash/log"
+
+	"golang.org/x/net/route"
 )
 
 func GetAutoDetectInterface() (string, error) {
-	return cmd.ExecCmd("/bin/bash -c /sbin/route -n get default | grep 'interface:' | awk -F ' ' 'NR==1{print $2}' | xargs echo -n")
+	ifaceM, err := defaultRouteInterface()
+	if err != nil {
+		return "", err
+	}
+	return ifaceM.Name, nil
 }
 
-func ConfigInterfaceAddress(dev device.Device, addr netip.Prefix, forceMTU int, autoRoute bool) error {
+func ConfigInterfaceAddress(dev device.Device, addr netip.Prefix, _ int, autoRoute bool) error {
 	if !addr.Addr().Is4() {
 		return fmt.Errorf("supported ipv4 only")
 	}
@@ -54,8 +67,6 @@ func configInterfaceRouting(interfaceName string, addr netip.Prefix) error {
 		}
 	}
 
-	go defaultInterfaceChangeMonitor()
-
 	return execRouterCmd("add", "-inet6", "2000::/3", interfaceName)
 }
 
@@ -63,3 +74,95 @@ func execRouterCmd(action, inet, route string, interfaceName string) error {
 	_, err := cmd.ExecCmd(fmt.Sprintf("/sbin/route %s %s %s -interface %s", action, inet, route, interfaceName))
 	return err
 }
+
+func defaultRouteInterface() (*net.Interface, error) {
+	rib, err := route.FetchRIB(syscall.AF_UNSPEC, syscall.NET_RT_DUMP2, 0)
+	if err != nil {
+		return nil, fmt.Errorf("route.FetchRIB: %w", err)
+	}
+
+	msgs, err := route.ParseRIB(syscall.NET_RT_IFLIST2, rib)
+	if err != nil {
+		return nil, fmt.Errorf("route.ParseRIB: %w", err)
+	}
+
+	for _, message := range msgs {
+		routeMessage := message.(*route.RouteMessage)
+		if routeMessage.Flags&(syscall.RTF_UP|syscall.RTF_GATEWAY|syscall.RTF_STATIC) == 0 {
+			continue
+		}
+
+		addresses := routeMessage.Addrs
+
+		if (addresses[0].Family() == syscall.AF_INET && addresses[0].(*route.Inet4Addr).IP != *(*[4]byte)(net.IPv4zero)) ||
+			(addresses[0].Family() == syscall.AF_INET6 && addresses[0].(*route.Inet6Addr).IP != *(*[16]byte)(net.IPv6zero)) {
+
+			continue
+		}
+
+		ifaceM, err1 := net.InterfaceByIndex(routeMessage.Index)
+		if err1 != nil {
+			continue
+		}
+
+		if strings.HasPrefix(ifaceM.Name, "utun") {
+			continue
+		}
+
+		return ifaceM, nil
+	}
+
+	return nil, fmt.Errorf("ambiguous gateway interfaces found")
+}
+
+func StartDefaultInterfaceChangeMonitor() {
+	monitorMux.Lock()
+	if monitorStarted {
+		monitorMux.Unlock()
+		return
+	}
+	monitorStarted = true
+	monitorMux.Unlock()
+
+	select {
+	case <-monitorStop:
+	default:
+	}
+
+	t := time.NewTicker(monitorDuration)
+	defer t.Stop()
+
+	for {
+		select {
+		case <-t.C:
+			interfaceName, err := GetAutoDetectInterface()
+			if err != nil {
+				log.Warnln("[TUN] default interface monitor err: %v", err)
+				continue
+			}
+
+			old := dialer.DefaultInterface.Load()
+			if interfaceName == old {
+				continue
+			}
+
+			dialer.DefaultInterface.Store(interfaceName)
+
+			iface.FlushCache()
+
+			log.Warnln("[TUN] default interface changed by monitor, %s => %s", old, interfaceName)
+		case <-monitorStop:
+			break
+		}
+	}
+}
+
+func StopDefaultInterfaceChangeMonitor() {
+	monitorMux.Lock()
+	defer monitorMux.Unlock()
+
+	if monitorStarted {
+		monitorStop <- struct{}{}
+		monitorStarted = false
+	}
+}

listener/tun/ipstack/commons/router_linux.go

@@ -3,16 +3,20 @@ package commons
 import (
 	"fmt"
 	"net/netip"
+	"time"
 
 	"github.com/Dreamacro/clash/common/cmd"
+	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/iface"
 	"github.com/Dreamacro/clash/listener/tun/device"
+	"github.com/Dreamacro/clash/log"
 )
 
 func GetAutoDetectInterface() (string, error) {
 	return cmd.ExecCmd("bash -c ip route show | grep 'default via' | awk -F ' ' 'NR==1{print $5}' | xargs echo -n")
 }
 
-func ConfigInterfaceAddress(dev device.Device, addr netip.Prefix, forceMTU int, autoRoute bool) error {
+func ConfigInterfaceAddress(dev device.Device, addr netip.Prefix, _ int, autoRoute bool) error {
 	var (
 		interfaceName = dev.Name()
 		ip            = addr.Masked().Addr().Next()
@@ -42,8 +46,6 @@ func configInterfaceRouting(interfaceName string, addr netip.Prefix) error {
 		}
 	}
 
-	go defaultInterfaceChangeMonitor()
-
 	return nil
 }
 
@@ -53,3 +55,55 @@ func execRouterCmd(action, route string, interfaceName string, linkIP string) er
 	_, err := cmd.ExecCmd(cmdStr)
 	return err
 }
+
+func StartDefaultInterfaceChangeMonitor() {
+	monitorMux.Lock()
+	if monitorStarted {
+		monitorMux.Unlock()
+		return
+	}
+	monitorStarted = true
+	monitorMux.Unlock()
+
+	select {
+	case <-monitorStop:
+	default:
+	}
+
+	t := time.NewTicker(monitorDuration)
+	defer t.Stop()
+
+	for {
+		select {
+		case <-t.C:
+			interfaceName, err := GetAutoDetectInterface()
+			if err != nil {
+				log.Warnln("[TUN] default interface monitor err: %v", err)
+				continue
+			}
+
+			old := dialer.DefaultInterface.Load()
+			if interfaceName == old {
+				continue
+			}
+
+			dialer.DefaultInterface.Store(interfaceName)
+
+			iface.FlushCache()
+
+			log.Warnln("[TUN] default interface changed by monitor, %s => %s", old, interfaceName)
+		case <-monitorStop:
+			break
+		}
+	}
+}
+
+func StopDefaultInterfaceChangeMonitor() {
+	monitorMux.Lock()
+	defer monitorMux.Unlock()
+
+	if monitorStarted {
+		monitorStop <- struct{}{}
+		monitorStarted = false
+	}
+}

listener/tun/ipstack/commons/router_others.go

@@ -17,3 +17,7 @@ func GetAutoDetectInterface() (string, error) {
 func ConfigInterfaceAddress(device.Device, netip.Prefix, int, bool) error {
 	return fmt.Errorf("unsupported on this OS: %s", runtime.GOOS)
 }
+
+func StartDefaultInterfaceChangeMonitor() {}
+
+func StopDefaultInterfaceChangeMonitor() {}

listener/tun/ipstack/commons/router_windows.go

@@ -1,12 +1,16 @@
 package commons
 
 import (
-	"errors"
 	"fmt"
+	"net"
 	"net/netip"
+	"sync"
 	"time"
 
 	"github.com/Dreamacro/clash/common/nnip"
+	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/iface"
+	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/listener/tun/device"
 	"github.com/Dreamacro/clash/listener/tun/device/tun"
 	"github.com/Dreamacro/clash/log"
@@ -16,7 +20,11 @@ import (
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )
 
-var wintunInterfaceName string
+var (
+	wintunInterfaceName          string
+	unicastAddressChangeCallback *winipcfg.UnicastAddressChangeCallback
+	unicastAddressChangeLock     sync.Mutex
+)
 
 func GetAutoDetectInterface() (string, error) {
 	ifname, err := getAutoDetectInterfaceByFamily(winipcfg.AddressFamily(windows.AF_INET))
@@ -205,8 +213,6 @@ startOver:
 
 	wintunInterfaceName = dev.Name()
 
-	go defaultInterfaceChangeMonitor()
-
 	return nil
 }
 
@@ -222,15 +228,15 @@ func cleanupAddressesOnDisconnectedInterfaces(family winipcfg.AddressFamily, add
 	if err != nil {
 		return
 	}
-	for _, iface := range interfaces {
+	for _, ifaceM := range interfaces {
-		if iface.OperStatus == winipcfg.IfOperStatusUp {
+		if ifaceM.OperStatus == winipcfg.IfOperStatusUp {
 			continue
 		}
-		for address := iface.FirstUnicastAddress; address != nil; address = address.Next {
+		for address := ifaceM.FirstUnicastAddress; address != nil; address = address.Next {
 			if ip := nnip.IpToAddr(address.Address.IP()); addrHash[ip] {
 				prefix := netip.PrefixFrom(ip, int(address.OnLinkPrefixLength))
-				log.Infoln("[TUN] cleaning up stale address %s from interface ‘%s’", prefix.String(), iface.FriendlyName())
+				log.Infoln("[TUN] cleaning up stale address %s from interface ‘%s’", prefix.String(), ifaceM.FriendlyName())
-				_ = iface.LUID.DeleteIPAddress(prefix)
+				_ = ifaceM.LUID.DeleteIPAddress(prefix)
 			}
 		}
 	}
@@ -239,7 +245,7 @@ func cleanupAddressesOnDisconnectedInterfaces(family winipcfg.AddressFamily, add
 func getAutoDetectInterfaceByFamily(family winipcfg.AddressFamily) (string, error) {
 	interfaces, err := winipcfg.GetAdaptersAddresses(family, winipcfg.GAAFlagIncludeGateways)
 	if err != nil {
-		return "", fmt.Errorf("get ethernet interface failure. %w", err)
+		return "", fmt.Errorf("get default interface failure. %w", err)
 	}
 
 	var destination netip.Prefix
@@ -249,25 +255,96 @@ func getAutoDetectInterfaceByFamily(family winipcfg.AddressFamily) (string, erro
 		destination = netip.PrefixFrom(netip.IPv6Unspecified(), 0)
 	}
 
-	for _, iface := range interfaces {
+	for _, ifaceM := range interfaces {
-		if iface.OperStatus != winipcfg.IfOperStatusUp {
+		if ifaceM.OperStatus != winipcfg.IfOperStatusUp {
 			continue
 		}
 
-		ifname := iface.FriendlyName()
+		ifname := ifaceM.FriendlyName()
 
 		if wintunInterfaceName == ifname {
 			continue
 		}
 
-		for gatewayAddress := iface.FirstGatewayAddress; gatewayAddress != nil; gatewayAddress = gatewayAddress.Next {
+		for gatewayAddress := ifaceM.FirstGatewayAddress; gatewayAddress != nil; gatewayAddress = gatewayAddress.Next {
 			nextHop := nnip.IpToAddr(gatewayAddress.Address.IP())
 
-			if _, err = iface.LUID.Route(destination, nextHop); err == nil {
+			if _, err = ifaceM.LUID.Route(destination, nextHop); err == nil {
 				return ifname, nil
 			}
 		}
 	}
 
-	return "", errors.New("ethernet interface not found")
+	return "", errInterfaceNotFound
+}
+
+func unicastAddressChange(_ winipcfg.MibNotificationType, unicastAddress *winipcfg.MibUnicastIPAddressRow) {
+	unicastAddressChangeLock.Lock()
+	defer unicastAddressChangeLock.Unlock()
+
+	interfaceName, err := GetAutoDetectInterface()
+	if err != nil {
+		if err == errInterfaceNotFound && tunStatus == C.TunEnabled {
+			log.Warnln("[TUN] lost the default interface, pause tun adapter")
+
+			tunStatus = C.TunPaused
+			tunChangeCallback.Pause()
+		}
+		return
+	}
+
+	ifaceM, err := net.InterfaceByIndex(int(unicastAddress.InterfaceIndex))
+	if err != nil {
+		log.Warnln("[TUN] default interface monitor err: %v", err)
+		return
+	}
+
+	newName := ifaceM.Name
+
+	if newName != interfaceName {
+		return
+	}
+
+	dialer.DefaultInterface.Store(interfaceName)
+
+	iface.FlushCache()
+
+	if tunStatus == C.TunPaused {
+		log.Warnln("[TUN] found interface %s(%s), resume tun adapter", interfaceName, unicastAddress.Address.Addr())
+
+		tunStatus = C.TunEnabled
+		tunChangeCallback.Resume()
+		return
+	}
+
+	log.Warnln("[TUN] default interface changed to %s(%s) by monitor", interfaceName, unicastAddress.Address.Addr())
+}
+
+func StartDefaultInterfaceChangeMonitor() {
+	if unicastAddressChangeCallback != nil {
+		return
+	}
+
+	var err error
+	unicastAddressChangeCallback, err = winipcfg.RegisterUnicastAddressChangeCallback(unicastAddressChange)
+
+	if err != nil {
+		log.Errorln("[TUN] register uni-cast address change callback failed: %v", err)
+		return
+	}
+
+	tunStatus = C.TunEnabled
+
+	log.Infoln("[TUN] register uni-cast address change callback")
+}
+
+func StopDefaultInterfaceChangeMonitor() {
+	if unicastAddressChangeCallback == nil || tunStatus == C.TunPaused {
+		return
+	}
+
+	_ = unicastAddressChangeCallback.Unregister()
+	unicastAddressChangeCallback = nil
+	tunChangeCallback = nil
+	tunStatus = C.TunDisabled
 }

listener/tun/ipstack/gvisor/adapter/adapter.go

@@ -2,23 +2,15 @@ package adapter
 
 import (
 	"net"
-
-	"gvisor.dev/gvisor/pkg/tcpip/stack"
 )
 
 // TCPConn implements the net.Conn interface.
 type TCPConn interface {
 	net.Conn
-
-	// ID returns the transport endpoint id of TCPConn.
-	ID() *stack.TransportEndpointID
 }
 
 // UDPConn implements net.Conn and net.PacketConn.
 type UDPConn interface {
 	net.Conn
 	net.PacketConn
-
-	// ID returns the transport endpoint id of UDPConn.
-	ID() *stack.TransportEndpointID
 }

listener/tun/ipstack/gvisor/handler.go

@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/Dreamacro/clash/adapter/inbound"
-	"github.com/Dreamacro/clash/common/nnip"
 	"github.com/Dreamacro/clash/common/pool"
 	C "github.com/Dreamacro/clash/constant"
 	D "github.com/Dreamacro/clash/listener/tun/ipstack/commons"
@@ -20,31 +19,23 @@ var _ adapter.Handler = (*gvHandler)(nil)
 
 type gvHandler struct {
 	gateway   netip.Addr
-	dnsHijack []netip.AddrPort
+	dnsHijack []C.DNSUrl
 
 	tcpIn chan<- C.ConnContext
 	udpIn chan<- *inbound.PacketAdapter
 }
 
 func (gh *gvHandler) HandleTCP(tunConn adapter.TCPConn) {
-	id := tunConn.ID()
+	rAddrPort := tunConn.LocalAddr().(*net.TCPAddr).AddrPort()
 
-	rAddr := &net.UDPAddr{
+	if D.ShouldHijackDns(gh.dnsHijack, rAddrPort, "tcp") {
-		IP:   net.IP(id.LocalAddress),
-		Port: int(id.LocalPort),
-		Zone: "",
-	}
-
-	rAddrPort := netip.AddrPortFrom(nnip.IpToAddr(rAddr.IP), id.LocalPort)
-
-	if D.ShouldHijackDns(gh.dnsHijack, rAddrPort) {
 		go func() {
 			log.Debugln("[TUN] hijack dns tcp: %s", rAddrPort.String())
 
 			buf := pool.Get(pool.UDPBufferSize)
 			defer func() {
-				_ = pool.Put(buf)
 				_ = tunConn.Close()
+				_ = pool.Put(buf)
 			}()
 
 			for {
@@ -78,26 +69,18 @@ func (gh *gvHandler) HandleTCP(tunConn adapter.TCPConn) {
 		return
 	}
 
-	gh.tcpIn <- inbound.NewSocket(socks5.ParseAddrToSocksAddr(rAddr), tunConn, C.TUN)
+	gh.tcpIn <- inbound.NewSocket(socks5.AddrFromStdAddrPort(rAddrPort), tunConn, C.TUN)
 }
 
 func (gh *gvHandler) HandleUDP(tunConn adapter.UDPConn) {
-	id := tunConn.ID()
+	rAddrPort := tunConn.LocalAddr().(*net.UDPAddr).AddrPort()
-
-	rAddr := &net.UDPAddr{
-		IP:   net.IP(id.LocalAddress),
-		Port: int(id.LocalPort),
-		Zone: "",
-	}
-
-	rAddrPort := netip.AddrPortFrom(nnip.IpToAddr(rAddr.IP), id.LocalPort)
 
 	if rAddrPort.Addr() == gh.gateway {
 		_ = tunConn.Close()
 		return
 	}
 
-	target := socks5.ParseAddrToSocksAddr(rAddr)
+	target := socks5.AddrFromStdAddrPort(rAddrPort)
 
 	go func() {
 		for {
@@ -109,22 +92,20 @@ func (gh *gvHandler) HandleUDP(tunConn adapter.UDPConn) {
 				break
 			}
 
-			payload := buf[:n]
+			if D.ShouldHijackDns(gh.dnsHijack, rAddrPort, "udp") {
-
-			if D.ShouldHijackDns(gh.dnsHijack, rAddrPort) {
 				go func() {
 					defer func() {
 						_ = pool.Put(buf)
 					}()
 
-					msg, err1 := D.RelayDnsPacket(payload)
+					msg, err1 := D.RelayDnsPacket(buf[:n])
 					if err1 != nil {
 						return
 					}
 
 					_, _ = tunConn.WriteTo(msg, addr)
 
-					log.Debugln("[TUN] hijack dns udp: %s", rAddr.String())
+					log.Debugln("[TUN] hijack dns udp: %s", rAddrPort.String())
 				}()
 
 				continue
@@ -133,12 +114,14 @@ func (gh *gvHandler) HandleUDP(tunConn adapter.UDPConn) {
 			gvPacket := &packet{
 				pc:      tunConn,
 				rAddr:   addr,
-				payload: payload,
+				payload: buf,
+				offset:  n,
 			}
 
 			select {
 			case gh.udpIn <- inbound.NewPacket(target, gvPacket, C.TUN):
 			default:
+				gvPacket.Drop()
 			}
 		}
 	}()

listener/tun/ipstack/gvisor/stack.go

@@ -8,6 +8,7 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/listener/tun/device"
 	"github.com/Dreamacro/clash/listener/tun/ipstack"
+	"github.com/Dreamacro/clash/listener/tun/ipstack/commons"
 	"github.com/Dreamacro/clash/listener/tun/ipstack/gvisor/option"
 
 	"gvisor.dev/gvisor/pkg/tcpip"
@@ -25,6 +26,8 @@ type gvStack struct {
 }
 
 func (s *gvStack) Close() error {
+	commons.StopDefaultInterfaceChangeMonitor()
+
 	var err error
 	if s.device != nil {
 		err = s.device.Close()
@@ -37,7 +40,7 @@ func (s *gvStack) Close() error {
 }
 
 // New allocates a new *gvStack with given options.
-func New(device device.Device, dnsHijack []netip.AddrPort, tunAddress netip.Prefix, tcpIn chan<- C.ConnContext, udpIn chan<- *inbound.PacketAdapter, opts ...option.Option) (ipstack.Stack, error) {
+func New(device device.Device, dnsHijack []C.DNSUrl, tunAddress netip.Prefix, tcpIn chan<- C.ConnContext, udpIn chan<- *inbound.PacketAdapter, opts ...option.Option) (ipstack.Stack, error) {
 	s := &gvStack{
 		Stack: stack.New(stack.Options{
 			NetworkProtocols: []stack.NetworkProtocolFactory{

listener/tun/ipstack/gvisor/tcp.go

@@ -70,7 +70,6 @@ func withTCPHandler(handle adapter.TCPHandleFunc) option.Option {
 
 			conn := &tcpConn{
 				TCPConn: gonet.NewTCPConn(&wq, ep),
-				id:      id,
 			}
 			handle(conn)
 		})
@@ -113,9 +112,4 @@ func setSocketOptions(s *stack.Stack, ep tcpip.Endpoint) tcpip.Error {
 
 type tcpConn struct {
 	*gonet.TCPConn
-	id stack.TransportEndpointID
-}
-
-func (c *tcpConn) ID() *stack.TransportEndpointID {
-	return &c.id
 }

listener/tun/ipstack/gvisor/udp.go

@@ -29,7 +29,6 @@ func withUDPHandler(handle adapter.UDPHandleFunc) option.Option {
 
 			conn := &udpConn{
 				UDPConn: gonet.NewUDPConn(s, &wq, ep),
-				id:      id,
 			}
 			handle(conn)
 		})
@@ -40,21 +39,17 @@ func withUDPHandler(handle adapter.UDPHandleFunc) option.Option {
 
 type udpConn struct {
 	*gonet.UDPConn
-	id stack.TransportEndpointID
-}
-
-func (c *udpConn) ID() *stack.TransportEndpointID {
-	return &c.id
 }
 
 type packet struct {
 	pc      adapter.UDPConn
 	rAddr   net.Addr
 	payload []byte
+	offset  int
 }
 
 func (c *packet) Data() []byte {
-	return c.payload
+	return c.payload[:c.offset]
 }
 
 // WriteBack write UDP packet with source(ip, port) = `addr`

listener/tun/ipstack/system/mars/nat/nat.go

@@ -5,7 +5,6 @@ import (
 	"net"
 	"net/netip"
 
-	"github.com/Dreamacro/clash/common/pool"
 	"github.com/Dreamacro/clash/listener/tun/ipstack/system/mars/tcpip"
 )
 
@@ -22,7 +21,7 @@ func Start(device io.ReadWriter, gateway, portal, broadcast netip.Addr) (*TCP, *
 	tab := newTable()
 	udp := &UDP{
 		device: device,
-		buf:    [pool.UDPBufferSize]byte{},
+		buf:    [0xffff]byte{},
 	}
 	tcp := &TCP{
 		listener: listener,
@@ -38,7 +37,7 @@ func Start(device io.ReadWriter, gateway, portal, broadcast netip.Addr) (*TCP, *
 			_ = udp.Close()
 		}()
 
-		buf := make([]byte, pool.RelayBufferSize)
+		buf := make([]byte, 0xffff)
 
 		for {
 			n, err := device.Read(buf)
@@ -152,7 +151,7 @@ func Start(device io.ReadWriter, gateway, portal, broadcast netip.Addr) (*TCP, *
 					continue
 				}
 
-				udp.handleUDPPacket(ip, u)
+				go udp.handleUDPPacket(ip, u)
 			case tcpip.ICMP:
 				i := tcpip.ICMPPacket(ip.Payload())
 

listener/tun/ipstack/system/mars/nat/table.go

@@ -2,8 +2,11 @@ package nat
 
 import (
 	"net/netip"
+	"sync"
 
 	"github.com/Dreamacro/clash/common/generics/list"
+
+	"golang.org/x/exp/maps"
 )
 
 const (
@@ -27,6 +30,7 @@ type table struct {
 	tuples    map[tuple]*list.Element[*binding]
 	ports     [portLength]*list.Element[*binding]
 	available *list.List[*binding]
+	mux       sync.Mutex
 }
 
 func (t *table) tupleOf(port uint16) tuple {
@@ -43,10 +47,13 @@ func (t *table) tupleOf(port uint16) tuple {
 }
 
 func (t *table) portOf(tuple tuple) uint16 {
+	t.mux.Lock()
 	elm := t.tuples[tuple]
 	if elm == nil {
+		t.mux.Unlock()
 		return 0
 	}
+	t.mux.Unlock()
 
 	t.available.MoveToFront(elm)
 
@@ -54,18 +61,40 @@ func (t *table) portOf(tuple tuple) uint16 {
 }
 
 func (t *table) newConn(tuple tuple) uint16 {
-	elm := t.available.Back()
+	t.mux.Lock()
+	elm := t.availableConn()
 	b := elm.Value
-
-	delete(t.tuples, b.tuple)
 	t.tuples[tuple] = elm
 	b.tuple = tuple
+	t.mux.Unlock()
 
 	t.available.MoveToFront(elm)
 
 	return portBegin + b.offset
 }
 
+func (t *table) availableConn() *list.Element[*binding] {
+	elm := t.available.Back()
+	offset := elm.Value.offset
+	_, ok := t.tuples[t.ports[offset].Value.tuple]
+	if !ok {
+		if offset != 0 && offset%portLength == 0 { // resize
+			tuples := make(map[tuple]*list.Element[*binding], portLength)
+			maps.Copy(tuples, t.tuples)
+			t.tuples = tuples
+		}
+		return elm
+	}
+	t.available.MoveToFront(elm)
+	return t.availableConn()
+}
+
+func (t *table) closeConn(tuple tuple) {
+	t.mux.Lock()
+	delete(t.tuples, tuple)
+	t.mux.Unlock()
+}
+
 func newTable() *table {
 	result := &table{
 		tuples:    make(map[tuple]*list.Element[*binding], portLength),

listener/tun/ipstack/system/mars/nat/tcp.go

@@ -16,6 +16,8 @@ type conn struct {
 	net.Conn
 
 	tuple tuple
+
+	close func()
 }
 
 func (t *TCP) Accept() (net.Conn, error) {
@@ -24,9 +26,9 @@ func (t *TCP) Accept() (net.Conn, error) {
 		return nil, err
 	}
 
-	addr := c.RemoteAddr().(*net.TCPAddr)
+	addr := c.RemoteAddr().(*net.TCPAddr).AddrPort()
-	tup := t.table.tupleOf(uint16(addr.Port))
+	tup := t.table.tupleOf(addr.Port())
-	if !addr.IP.Equal(t.portal.AsSlice()) || tup == zeroTuple {
+	if addr.Addr() != t.portal || tup == zeroTuple {
 		_ = c.Close()
 
 		return nil, net.InvalidAddrError("unknown remote addr")
@@ -34,9 +36,14 @@ func (t *TCP) Accept() (net.Conn, error) {
 
 	addition(c)
 
+	_ = c.SetLinger(0)
+
 	return &conn{
 		Conn:  c,
 		tuple: tup,
+		close: func() {
+			t.table.closeConn(tup)
+		},
 	}, nil
 }
 
@@ -52,16 +59,15 @@ func (t *TCP) SetDeadline(time time.Time) error {
 	return t.listener.SetDeadline(time)
 }
 
+func (c *conn) Close() error {
+	c.close()
+	return c.Conn.Close()
+}
+
 func (c *conn) LocalAddr() net.Addr {
-	return &net.TCPAddr{
+	return net.TCPAddrFromAddrPort(c.tuple.SourceAddr)
-		IP:   c.tuple.SourceAddr.Addr().AsSlice(),
-		Port: int(c.tuple.SourceAddr.Port()),
-	}
 }
 
 func (c *conn) RemoteAddr() net.Addr {
-	return &net.TCPAddr{
+	return net.TCPAddrFromAddrPort(c.tuple.DestinationAddr)
-		IP:   c.tuple.DestinationAddr.Addr().AsSlice(),
-		Port: int(c.tuple.DestinationAddr.Port()),
-	}
 }

listener/tun/ipstack/system/mars/nat/udp.go

@@ -7,8 +7,6 @@ import (
 	"net/netip"
 	"sync"
 
-	"github.com/Dreamacro/clash/common/nnip"
-	"github.com/Dreamacro/clash/common/pool"
 	"github.com/Dreamacro/clash/listener/tun/ipstack/system/mars/tcpip"
 )
 
@@ -16,8 +14,8 @@ type call struct {
 	cond        *sync.Cond
 	buf         []byte
 	n           int
-	source      net.Addr
+	source      netip.AddrPort
-	destination net.Addr
+	destination netip.AddrPort
 }
 
 type UDP struct {
@@ -26,10 +24,10 @@ type UDP struct {
 	queueLock sync.Mutex
 	queue     []*call
 	bufLock   sync.Mutex
-	buf       [pool.UDPBufferSize]byte
+	buf       [0xffff]byte
 }
 
-func (u *UDP) ReadFrom(buf []byte) (int, net.Addr, net.Addr, error) {
+func (u *UDP) ReadFrom(buf []byte) (int, netip.AddrPort, netip.AddrPort, error) {
 	u.queueLock.Lock()
 	defer u.queueLock.Unlock()
 
@@ -38,8 +36,8 @@ func (u *UDP) ReadFrom(buf []byte) (int, net.Addr, net.Addr, error) {
 			cond:        sync.NewCond(&u.queueLock),
 			buf:         buf,
 			n:           -1,
-			source:      nil,
+			source:      netip.AddrPort{},
-			destination: nil,
+			destination: netip.AddrPort{},
 		}
 
 		u.queue = append(u.queue, c)
@@ -51,10 +49,10 @@ func (u *UDP) ReadFrom(buf []byte) (int, net.Addr, net.Addr, error) {
 		}
 	}
 
-	return -1, nil, nil, net.ErrClosed
+	return -1, netip.AddrPort{}, netip.AddrPort{}, net.ErrClosed
 }
 
-func (u *UDP) WriteTo(buf []byte, local net.Addr, remote net.Addr) (int, error) {
+func (u *UDP) WriteTo(buf []byte, local netip.AddrPort, remote netip.AddrPort) (int, error) {
 	if u.closed {
 		return 0, net.ErrClosed
 	}
@@ -66,16 +64,7 @@ func (u *UDP) WriteTo(buf []byte, local net.Addr, remote net.Addr) (int, error)
 		return 0, net.InvalidAddrError("invalid ip version")
 	}
 
-	srcAddr, srcOk := local.(*net.UDPAddr)
+	if !local.Addr().Is4() || !remote.Addr().Is4() {
-	dstAddr, dstOk := remote.(*net.UDPAddr)
-	if !srcOk || !dstOk {
-		return 0, net.InvalidAddrError("invalid addr")
-	}
-
-	srcAddrPort := netip.AddrPortFrom(nnip.IpToAddr(srcAddr.IP), uint16(srcAddr.Port))
-	dstAddrPort := netip.AddrPortFrom(nnip.IpToAddr(dstAddr.IP), uint16(dstAddr.Port))
-
-	if !srcAddrPort.Addr().Is4() || !dstAddrPort.Addr().Is4() {
 		return 0, net.InvalidAddrError("invalid ip version")
 	}
 
@@ -89,13 +78,13 @@ func (u *UDP) WriteTo(buf []byte, local net.Addr, remote net.Addr) (int, error)
 	ip.SetFragmentOffset(0)
 	ip.SetTimeToLive(64)
 	ip.SetProtocol(tcpip.UDP)
-	ip.SetSourceIP(srcAddrPort.Addr())
+	ip.SetSourceIP(local.Addr())
-	ip.SetDestinationIP(dstAddrPort.Addr())
+	ip.SetDestinationIP(remote.Addr())
 
 	udp := tcpip.UDPPacket(ip.Payload())
 	udp.SetLength(tcpip.UDPHeaderSize + uint16(len(buf)))
-	udp.SetSourcePort(srcAddrPort.Port())
+	udp.SetSourcePort(local.Port())
-	udp.SetDestinationPort(dstAddrPort.Port())
+	udp.SetDestinationPort(remote.Port())
 	copy(udp.Payload(), buf)
 
 	ip.ResetChecksum()
@@ -131,14 +120,8 @@ func (u *UDP) handleUDPPacket(ip tcpip.IP, pkt tcpip.UDPPacket) {
 	u.queueLock.Unlock()
 
 	if c != nil {
-		c.source = &net.UDPAddr{
+		c.source = netip.AddrPortFrom(ip.SourceIP(), pkt.SourcePort())
-			IP:   ip.SourceIP().AsSlice(),
+		c.destination = netip.AddrPortFrom(ip.DestinationIP(), pkt.DestinationPort())
-			Port: int(pkt.SourcePort()),
-		}
-		c.destination = &net.UDPAddr{
-			IP:   ip.DestinationIP().AsSlice(),
-			Port: int(pkt.DestinationPort()),
-		}
 		c.n = copy(c.buf, pkt.Payload())
 		c.cond.Signal()
 	}

listener/tun/ipstack/system/stack.go

@@ -34,6 +34,8 @@ type sysStack struct {
 }
 
 func (s *sysStack) Close() error {
+	D.StopDefaultInterfaceChangeMonitor()
+
 	defer func() {
 		if s.device != nil {
 			_ = s.device.Close()
@@ -49,7 +51,7 @@ func (s *sysStack) Close() error {
 	return err
 }
 
-func New(device device.Device, dnsHijack []netip.AddrPort, tunAddress netip.Prefix, tcpIn chan<- C.ConnContext, udpIn chan<- *inbound.PacketAdapter) (ipstack.Stack, error) {
+func New(device device.Device, dnsHijack []C.DNSUrl, tunAddress netip.Prefix, tcpIn chan<- C.ConnContext, udpIn chan<- *inbound.PacketAdapter) (ipstack.Stack, error) {
 	var (
 		gateway   = tunAddress.Masked().Addr().Next()
 		portal    = gateway.Next()
@@ -79,26 +81,23 @@ func New(device device.Device, dnsHijack []netip.AddrPort, tunAddress netip.Pref
 				continue
 			}
 
-			lAddr := conn.LocalAddr().(*net.TCPAddr)
+			lAddr := conn.LocalAddr().(*net.TCPAddr).AddrPort()
-			rAddr := conn.RemoteAddr().(*net.TCPAddr)
+			rAddr := conn.RemoteAddr().(*net.TCPAddr).AddrPort()
 
-			lAddrPort := netip.AddrPortFrom(nnip.IpToAddr(lAddr.IP), uint16(lAddr.Port))
+			if rAddr.Addr().IsLoopback() {
-			rAddrPort := netip.AddrPortFrom(nnip.IpToAddr(rAddr.IP), uint16(rAddr.Port))
-
-			if rAddrPort.Addr().IsLoopback() {
 				_ = conn.Close()
 
 				continue
 			}
 
-			if D.ShouldHijackDns(dnsAddr, rAddrPort) {
+			if D.ShouldHijackDns(dnsAddr, rAddr, "tcp") {
 				go func() {
-					log.Debugln("[TUN] hijack dns tcp: %s", rAddrPort.String())
+					log.Debugln("[TUN] hijack dns tcp: %s", rAddr.String())
 
 					buf := pool.Get(pool.UDPBufferSize)
 					defer func() {
-						_ = pool.Put(buf)
 						_ = conn.Close()
+						_ = pool.Put(buf)
 					}()
 
 					for {
@@ -135,10 +134,10 @@ func New(device device.Device, dnsHijack []netip.AddrPort, tunAddress netip.Pref
 			metadata := &C.Metadata{
 				NetWork:  C.TCP,
 				Type:     C.TUN,
-				SrcIP:    lAddrPort.Addr(),
+				SrcIP:    lAddr.Addr(),
-				DstIP:    rAddrPort.Addr(),
+				DstIP:    rAddr.Addr(),
-				SrcPort:  strconv.Itoa(lAddr.Port),
+				SrcPort:  strconv.FormatUint(uint64(lAddr.Port()), 10),
-				DstPort:  strconv.Itoa(rAddr.Port),
+				DstPort:  strconv.FormatUint(uint64(rAddr.Port()), 10),
 				AddrType: C.AtypIPv4,
 				Host:     "",
 			}
@@ -157,37 +156,32 @@ func New(device device.Device, dnsHijack []netip.AddrPort, tunAddress netip.Pref
 		for !ipStack.closed {
 			buf := pool.Get(pool.UDPBufferSize)
 
-			n, lRAddr, rRAddr, err := stack.UDP().ReadFrom(buf)
+			n, lAddr, rAddr, err := stack.UDP().ReadFrom(buf)
 			if err != nil {
 				_ = pool.Put(buf)
 				break
 			}
 
-			raw := buf[:n]
+			if rAddr.Addr().IsLoopback() || rAddr.Addr() == gateway {
-			lAddr := lRAddr.(*net.UDPAddr)
-			rAddr := rRAddr.(*net.UDPAddr)
-
-			rAddrPort := netip.AddrPortFrom(nnip.IpToAddr(rAddr.IP), uint16(rAddr.Port))
-
-			if rAddrPort.Addr().IsLoopback() || rAddrPort.Addr() == gateway {
 				_ = pool.Put(buf)
 
 				continue
 			}
 
-			if D.ShouldHijackDns(dnsAddr, rAddrPort) {
+			if D.ShouldHijackDns(dnsAddr, rAddr, "udp") {
 				go func() {
-					msg, err := D.RelayDnsPacket(raw)
+					defer func() {
-					if err != nil {
 						_ = pool.Put(buf)
+					}()
+
+					msg, err := D.RelayDnsPacket(buf[:n])
+					if err != nil {
 						return
 					}
 
 					_, _ = stack.UDP().WriteTo(msg, rAddr, lAddr)
 
-					_ = pool.Put(buf)
+					log.Debugln("[TUN] hijack dns udp: %s", rAddr.String())
-
-					log.Debugln("[TUN] hijack dns udp: %s", rAddrPort.String())
 				}()
 
 				continue
@@ -195,18 +189,17 @@ func New(device device.Device, dnsHijack []netip.AddrPort, tunAddress netip.Pref
 
 			pkt := &packet{
 				local:  lAddr,
-				data:  raw,
+				data:   buf,
+				offset: n,
 				writeBack: func(b []byte, addr net.Addr) (int, error) {
 					return stack.UDP().WriteTo(b, rAddr, lAddr)
 				},
-				drop: func() {
-					_ = pool.Put(buf)
-				},
 			}
 
 			select {
-			case udpIn <- inbound.NewPacket(socks5.ParseAddrToSocksAddr(rAddr), pkt, C.TUN):
+			case udpIn <- inbound.NewPacket(socks5.AddrFromStdAddrPort(rAddr), pkt, C.TUN):
 			default:
+				pkt.Drop()
 			}
 		}
 

listener/tun/ipstack/system/udp.go

@@ -1,16 +1,21 @@
 package system
 
-import "net"
+import (
+	"net"
+	"net/netip"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
 
 type packet struct {
-	local     *net.UDPAddr
+	local     netip.AddrPort
 	data      []byte
+	offset    int
 	writeBack func(b []byte, addr net.Addr) (int, error)
-	drop      func()
 }
 
 func (pkt *packet) Data() []byte {
-	return pkt.data
+	return pkt.data[:pkt.offset]
 }
 
 func (pkt *packet) WriteBack(b []byte, addr net.Addr) (n int, err error) {
@@ -18,9 +23,9 @@ func (pkt *packet) WriteBack(b []byte, addr net.Addr) (n int, err error) {
 }
 
 func (pkt *packet) Drop() {
-	pkt.drop()
+	_ = pool.Put(pkt.data)
 }
 
 func (pkt *packet) LocalAddr() net.Addr {
-	return pkt.local
+	return net.UDPAddrFromAddrPort(pkt.local)
 }

listener/tun/tun_adapter.go

@@ -24,7 +24,7 @@ import (
 )
 
 // New TunAdapter
-func New(tunConf *config.Tun, tunAddressPrefix *netip.Prefix, tcpIn chan<- C.ConnContext, udpIn chan<- *inbound.PacketAdapter) (ipstack.Stack, error) {
+func New(tunConf *config.Tun, tunAddressPrefix *netip.Prefix, tcpIn chan<- C.ConnContext, udpIn chan<- *inbound.PacketAdapter, tunChangeCallback C.TUNChangeCallback) (ipstack.Stack, error) {
 	var (
 		tunAddress = netip.Prefix{}
 		devName    = tunConf.Device
@@ -38,6 +38,12 @@ func New(tunConf *config.Tun, tunAddressPrefix *netip.Prefix, tcpIn chan<- C.Con
 		err error
 	)
 
+	defer func() {
+		if err != nil && tunDevice != nil {
+			_ = tunDevice.Close()
+		}
+	}()
+
 	if devName == "" {
 		devName = generateDeviceName()
 	}
@@ -63,26 +69,22 @@ func New(tunConf *config.Tun, tunAddressPrefix *netip.Prefix, tcpIn chan<- C.Con
 	case C.TunGvisor:
 		err = tunDevice.UseEndpoint()
 		if err != nil {
-			_ = tunDevice.Close()
 			return nil, fmt.Errorf("can't attach endpoint to tun: %w", err)
 		}
 
 		tunStack, err = gvisor.New(tunDevice, tunConf.DNSHijack, tunAddress, tcpIn, udpIn, option.WithDefault())
 
 		if err != nil {
-			_ = tunDevice.Close()
 			return nil, fmt.Errorf("can't New gvisor stack: %w", err)
 		}
 	case C.TunSystem:
 		err = tunDevice.UseIOBased()
 		if err != nil {
-			_ = tunDevice.Close()
 			return nil, fmt.Errorf("can't New system stack: %w", err)
 		}
 
 		tunStack, err = system.New(tunDevice, tunConf.DNSHijack, tunAddress, tcpIn, udpIn)
 		if err != nil {
-			_ = tunDevice.Close()
 			return nil, fmt.Errorf("can't New system stack: %w", err)
 		}
 	default:
@@ -92,10 +94,14 @@ func New(tunConf *config.Tun, tunAddressPrefix *netip.Prefix, tcpIn chan<- C.Con
 	// setting address and routing
 	err = commons.ConfigInterfaceAddress(tunDevice, tunAddress, mtu, autoRoute)
 	if err != nil {
-		_ = tunDevice.Close()
 		return nil, fmt.Errorf("setting interface address and routing failed: %w", err)
 	}
 
+	if tunConf.AutoDetectInterface {
+		commons.SetTunChangeCallback(tunChangeCallback)
+		go commons.StartDefaultInterfaceChangeMonitor()
+	}
+
 	setAtLatest(stackType, devName)
 
 	log.Infoln("TUN stack listening at: %s(%s), mtu: %d, auto route: %v, ip stack: %s", tunDevice.Name(), tunAddress.Masked().Addr().Next().String(), mtu, autoRoute, stackType)

rule/geosite.go

@@ -5,7 +5,6 @@ import (
 
 	"github.com/Dreamacro/clash/component/geodata"
 	"github.com/Dreamacro/clash/component/geodata/router"
-	_ "github.com/Dreamacro/clash/component/geodata/standard"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 )
@@ -47,12 +46,16 @@ func (gs *GEOSITE) GetDomainMatcher() *router.DomainMatcher {
 }
 
 func NewGEOSITE(country string, adapter string) (*GEOSITE, error) {
-	matcher, recordsCount, err := geodata.LoadGeoSiteMatcher(country)
+	matcher, recordsCount, err := geodata.LoadProviderByCode(country)
 	if err != nil {
 		return nil, fmt.Errorf("load GeoSite data error, %s", err.Error())
 	}
 
-	log.Infoln("Start initial GeoSite rule %s => %s, records: %d", country, adapter, recordsCount)
+	count := fmt.Sprintf("%d", recordsCount)
+	if recordsCount == 0 {
+		count = "from cache"
+	}
+	log.Infoln("Start initial GeoSite rule %s => %s, records: %s", country, adapter, count)
 
 	geoSite := &GEOSITE{
 		Base:    &Base{},

test/.golangci.yaml

@@ -0,0 +1,16 @@
+linters:
+  disable-all: true
+  enable:
+    - gofumpt
+    - govet
+    - gci
+    - staticcheck
+
+linters-settings:
+  gci:
+    sections:
+      - standard
+      - prefix(github.com/Dreamacro/clash)
+      - default
+  staticcheck:
+    go: '1.18'

test/Makefile

@@ -1,8 +1,9 @@
 lint:
-	golangci-lint run --disable-all -E govet -E gofumpt -E megacheck ./...
+	GOOS=darwin golangci-lint run ./...
+	GOOS=linux golangci-lint run ./...
 
 test:
 	go test -p 1 -v ./...
 
 benchmark:
-	go test -benchmem -run=^$ -bench .
+	go test -benchmem -run=^$$ -bench .

test/clash_test.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -24,6 +25,7 @@ import (
 	"github.com/docker/docker/client"
 	"github.com/docker/go-connections/nat"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 const (
@@ -38,7 +40,7 @@ const (
 
 var (
 	waitTime = time.Second
-	localIP  = net.ParseIP("127.0.0.1")
+	localIP  = netip.MustParseAddr("127.0.0.1")
 
 	defaultExposedPorts = nat.PortSet{
 		"10002/tcp": struct{}{},
@@ -52,13 +54,10 @@ var (
 			{HostPort: "10002", HostIP: "0.0.0.0"},
 		},
 	}
+	isDarwin = runtime.GOOS == "darwin"
 )
 
 func init() {
-	if runtime.GOOS == "darwin" {
-		isDarwin = true
-	}
-
 	currentDir, err := os.Getwd()
 	if err != nil {
 		panic(err)
@@ -67,10 +66,11 @@ func init() {
 	C.SetHomeDir(homeDir)
 
 	if isDarwin {
-		localIP, err = defaultRouteIP()
+		routeIp, err := defaultRouteIP()
 		if err != nil {
 			panic(err)
 		}
+		localIP = netip.MustParseAddr(routeIp.String())
 	}
 
 	c, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
@@ -110,6 +110,7 @@ func init() {
 			continue
 		}
 
+		println("pulling image:", image)
 		imageStream, err := c.ImagePull(context.Background(), image, types.ImagePullOptions{})
 		if err != nil {
 			panic(err)
@@ -214,46 +215,35 @@ func testPingPongWithSocksPort(t *testing.T, port int) {
 	pingCh, pongCh, test := newPingPongPair()
 	go func() {
 		l, err := Listen("tcp", ":10001")
-		if err != nil {
+		require.NoError(t, err)
-			assert.FailNow(t, err.Error())
-		}
 		defer l.Close()
 
 		c, err := l.Accept()
-		if err != nil {
+		require.NoError(t, err)
-			assert.FailNow(t, err.Error())
-		}
 
 		buf := make([]byte, 4)
-		if _, err := io.ReadFull(c, buf); err != nil {
+		_, err = io.ReadFull(c, buf)
-			assert.FailNow(t, err.Error())
+		require.NoError(t, err)
-		}
 
 		pingCh <- buf
-		if _, err := c.Write([]byte("pong")); err != nil {
+		_, err = c.Write([]byte("pong"))
-			assert.FailNow(t, err.Error())
+		require.NoError(t, err)
-		}
 	}()
 
 	go func() {
 		c, err := net.Dial("tcp", fmt.Sprintf("127.0.0.1:%d", port))
-		if err != nil {
+		require.NoError(t, err)
-			assert.FailNow(t, err.Error())
-		}
 		defer c.Close()
 
-		if _, err := socks5.ClientHandshake(c, socks5.ParseAddr("127.0.0.1:10001"), socks5.CmdConnect, nil); err != nil {
+		_, err = socks5.ClientHandshake(c, socks5.ParseAddr("127.0.0.1:10001"), socks5.CmdConnect, nil)
-			assert.FailNow(t, err.Error())
+		require.NoError(t, err)
-		}
 
-		if _, err := c.Write([]byte("ping")); err != nil {
+		_, err = c.Write([]byte("ping"))
-			assert.FailNow(t, err.Error())
+		require.NoError(t, err)
-		}
 
 		buf := make([]byte, 4)
-		if _, err := io.ReadFull(c, buf); err != nil {
+		_, err = io.ReadFull(c, buf)
-			assert.FailNow(t, err.Error())
+		require.NoError(t, err)
-		}
 
 		pongCh <- buf
 	}()
@@ -304,12 +294,10 @@ func testPingPongWithConn(t *testing.T, c net.Conn) error {
 
 func testPingPongWithPacketConn(t *testing.T, pc net.PacketConn) error {
 	l, err := ListenPacket("udp", ":10001")
-	if err != nil {
+	require.NoError(t, err)
-		return err
-	}
 	defer l.Close()
 
-	rAddr := &net.UDPAddr{IP: localIP, Port: 10001}
+	rAddr := &net.UDPAddr{IP: localIP.AsSlice(), Port: 10001}
 
 	pingCh, pongCh, test := newPingPongPair()
 	go func() {
@@ -349,9 +337,7 @@ type hashPair struct {
 
 func testLargeDataWithConn(t *testing.T, c net.Conn) error {
 	l, err := Listen("tcp", ":10001")
-	if err != nil {
+	require.NoError(t, err)
-		return err
-	}
 	defer l.Close()
 
 	times := 100
@@ -443,12 +429,10 @@ func testLargeDataWithConn(t *testing.T, c net.Conn) error {
 
 func testLargeDataWithPacketConn(t *testing.T, pc net.PacketConn) error {
 	l, err := ListenPacket("udp", ":10001")
-	if err != nil {
+	require.NoError(t, err)
-		return err
-	}
 	defer l.Close()
 
-	rAddr := &net.UDPAddr{IP: localIP, Port: 10001}
+	rAddr := &net.UDPAddr{IP: localIP.AsSlice(), Port: 10001}
 
 	times := 50
 	chunkSize := int64(1024)
@@ -541,7 +525,7 @@ func testLargeDataWithPacketConn(t *testing.T, pc net.PacketConn) error {
 
 func testPacketConnTimeout(t *testing.T, pc net.PacketConn) error {
 	err := pc.SetReadDeadline(time.Now().Add(time.Millisecond * 300))
-	assert.NoError(t, err)
+	require.NoError(t, err)
 
 	errCh := make(chan error, 1)
 	go func() {
@@ -564,9 +548,7 @@ func testSuit(t *testing.T, proxy C.ProxyAdapter) {
 		DstPort:  "10001",
 		AddrType: socks5.AtypDomainName,
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 	defer conn.Close()
 	assert.NoError(t, testPingPongWithConn(t, conn))
 
@@ -575,9 +557,7 @@ func testSuit(t *testing.T, proxy C.ProxyAdapter) {
 		DstPort:  "10001",
 		AddrType: socks5.AtypDomainName,
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 	defer conn.Close()
 	assert.NoError(t, testLargeDataWithConn(t, conn))
 
@@ -591,9 +571,7 @@ func testSuit(t *testing.T, proxy C.ProxyAdapter) {
 		DstPort:  "10001",
 		AddrType: socks5.AtypIPv4,
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 	defer pc.Close()
 
 	assert.NoError(t, testPingPongWithPacketConn(t, pc))
@@ -604,9 +582,7 @@ func testSuit(t *testing.T, proxy C.ProxyAdapter) {
 		DstPort:  "10001",
 		AddrType: socks5.AtypIPv4,
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 	defer pc.Close()
 
 	assert.NoError(t, testLargeDataWithPacketConn(t, pc))
@@ -617,9 +593,7 @@ func testSuit(t *testing.T, proxy C.ProxyAdapter) {
 		DstPort:  "10001",
 		AddrType: socks5.AtypIPv4,
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 	defer pc.Close()
 
 	assert.NoError(t, testPacketConnTimeout(t, pc))
@@ -627,40 +601,55 @@ func testSuit(t *testing.T, proxy C.ProxyAdapter) {
 
 func benchmarkProxy(b *testing.B, proxy C.ProxyAdapter) {
 	l, err := Listen("tcp", ":10001")
-	if err != nil {
+	require.NoError(b, err)
-		assert.FailNow(b, err.Error())
-	}
 	defer l.Close()
 
-	go func() {
-		c, err := l.Accept()
-		if err != nil {
-			assert.FailNow(b, err.Error())
-		}
-		defer c.Close()
-
-		io.Copy(io.Discard, c)
-	}()
-
 	chunkSize := int64(16 * 1024)
 	chunk := make([]byte, chunkSize)
 	rand.Read(chunk)
+
+	go func() {
+		c, err := l.Accept()
+		if err != nil {
+			return
+		}
+		defer c.Close()
+
+		go func() {
+			for {
+				_, err := c.Write(chunk)
+				if err != nil {
+					return
+				}
+			}
+		}()
+		io.Copy(io.Discard, c)
+	}()
+
 	conn, err := proxy.DialContext(context.Background(), &C.Metadata{
 		Host:     localIP.String(),
 		DstPort:  "10001",
 		AddrType: socks5.AtypDomainName,
 	})
-	if err != nil {
+	require.NoError(b, err)
-		assert.FailNow(b, err.Error())
-	}
 
+	_, err = conn.Write([]byte("skip protocol handshake"))
+	require.NoError(b, err)
+
+	b.Run("Write", func(b *testing.B) {
 		b.SetBytes(chunkSize)
-	b.ResetTimer()
 		for i := 0; i < b.N; i++ {
-		if _, err := conn.Write(chunk); err != nil {
+			conn.Write(chunk)
-			assert.FailNow(b, err.Error())
 		}
+	})
+
+	b.Run("Read", func(b *testing.B) {
+		b.SetBytes(chunkSize)
+		buf := make([]byte, chunkSize)
+		for i := 0; i < b.N; i++ {
+			io.ReadFull(conn, buf)
 		}
+	})
 }
 
 func TestClash_Basic(t *testing.T) {
@@ -669,12 +658,11 @@ mixed-port: 10000
 log-level: silent
 `
 
-	if err := parseAndApply(basic); err != nil {
+	err := parseAndApply(basic)
-		assert.FailNow(t, err.Error())
+	require.NoError(t, err)
-	}
 	defer cleanup()
 
-	time.Sleep(waitTime)
+	require.True(t, TCPing(net.JoinHostPort(localIP.String(), "10000")))
 	testPingPongWithSocksPort(t, 10000)
 }
 

test/dns_test.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func exchange(address, domain string, tp uint16) ([]dns.RR, error) {
@@ -30,18 +31,15 @@ dns:
     - 119.29.29.29
 `
 
-	if err := parseAndApply(basic); err != nil {
+	err := parseAndApply(basic)
-		assert.FailNow(t, err.Error())
+	require.NoError(t, err)
-	}
 	defer cleanup()
 
 	time.Sleep(waitTime)
 
 	rr, err := exchange("127.0.0.1:8553", "1.1.1.1.nip.io", dns.TypeA)
 	assert.NoError(t, err)
-	if !assert.NotEmpty(t, rr) {
+	assert.NotEmptyf(t, rr, "record empty")
-		assert.FailNow(t, "record empty")
-	}
 
 	record := rr[0].(*dns.A)
 	assert.Equal(t, record.A.String(), "1.1.1.1")
@@ -68,9 +66,8 @@ dns:
     - 119.29.29.29
 `
 
-	if err := parseAndApply(basic); err != nil {
+	err := parseAndApply(basic)
-		assert.FailNow(t, err.Error())
+	require.NoError(t, err)
-	}
 	defer cleanup()
 
 	time.Sleep(waitTime)

test/docker_test.go

@@ -8,8 +8,6 @@ import (
 	"github.com/docker/docker/client"
 )
 
-var isDarwin = false
-
 func startContainer(cfg *container.Config, hostCfg *container.HostConfig, name string) (string, error) {
 	c, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
 	if err != nil {

test/go.mod

@@ -3,31 +3,28 @@ module clash-test
 go 1.18
 
 require (
-	github.com/Dreamacro/clash v1.7.2-0.20211108085948-bd2ea2b917aa
+	github.com/Dreamacro/clash v0.0.0
-	github.com/docker/docker v20.10.13+incompatible
+	github.com/docker/docker v20.10.16+incompatible
 	github.com/docker/go-connections v0.4.0
-	github.com/miekg/dns v1.1.48
+	github.com/miekg/dns v1.1.49
 	github.com/stretchr/testify v1.7.1
-	golang.org/x/net v0.0.0-20220421235706-1d1ef9303861
+	golang.org/x/net v0.0.0-20220526153639-5463443f8c37
 )
 
 replace github.com/Dreamacro/clash => ../
 
 require (
-	github.com/Dreamacro/go-shadowsocks2 v0.1.7 // indirect
+	github.com/Microsoft/go-winio v0.5.1 // indirect
-	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/containerd/containerd v1.6.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/gofrs/uuid v4.2.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/btree v1.0.1 // indirect
-	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
-	github.com/insomniacslk/dhcp v0.0.0-20220119180841-3c283ff8b7dd // indirect
+	github.com/insomniacslk/dhcp v0.0.0-20220504074936-1ca156eafb9f // indirect
 	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/oschwald/geoip2-golang v1.7.0 // indirect
@@ -39,22 +36,21 @@ require (
 	github.com/xtls/go v0.0.0-20210920065950-d4af136d3672 // indirect
 	go.etcd.io/bbolt v1.3.6 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
-	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
+	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect
-	golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57 // indirect
+	golang.org/x/exp v0.0.0-20220518171630-0b5c67f07fdf // indirect
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
+	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
-	golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 // indirect
+	golang.org/x/sync v0.0.0-20220513210516-0976fa681c29 // indirect
+	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
 	golang.org/x/text v0.3.8-0.20220124021120-d1c84af989ab // indirect
 	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
-	golang.org/x/tools v0.1.9 // indirect
+	golang.org/x/tools v0.1.10 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
-	golang.zx2c4.com/wireguard v0.0.0-20220318042302-193cf8d6a5d6 // indirect
+	golang.zx2c4.com/wireguard v0.0.0-20220407013110-ef5c587f782d // indirect
-	golang.zx2c4.com/wireguard/windows v0.5.4-0.20220317000008-6432784c2469 // indirect
+	golang.zx2c4.com/wireguard/windows v0.5.4-0.20220328111914-004c22c5647e // indirect
-	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
-	google.golang.org/grpc v1.45.0 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.1.0 // indirect
-	gvisor.dev/gvisor v0.0.0-20220422224113-2cca6b79d9f4 // indirect
+	gvisor.dev/gvisor v0.0.0-20220527053002-8ab279227ac8 // indirect
 )

test/snell_test.go

@@ -9,7 +9,7 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 
 	"github.com/docker/docker/api/types/container"
-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestClash_SnellObfsHTTP(t *testing.T) {
@@ -24,9 +24,7 @@ func TestClash_SnellObfsHTTP(t *testing.T) {
 	}
 
 	id, err := startContainer(cfg, hostCfg, "snell-http")
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	t.Cleanup(func() {
 		cleanContainer(id)
@@ -41,9 +39,7 @@ func TestClash_SnellObfsHTTP(t *testing.T) {
 			"mode": "http",
 		},
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	time.Sleep(waitTime)
 	testSuit(t, proxy)
@@ -61,9 +57,7 @@ func TestClash_SnellObfsTLS(t *testing.T) {
 	}
 
 	id, err := startContainer(cfg, hostCfg, "snell-tls")
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	t.Cleanup(func() {
 		cleanContainer(id)
@@ -78,9 +72,7 @@ func TestClash_SnellObfsTLS(t *testing.T) {
 			"mode": "tls",
 		},
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	time.Sleep(waitTime)
 	testSuit(t, proxy)
@@ -98,9 +90,7 @@ func TestClash_Snell(t *testing.T) {
 	}
 
 	id, err := startContainer(cfg, hostCfg, "snell")
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	t.Cleanup(func() {
 		cleanContainer(id)
@@ -112,9 +102,7 @@ func TestClash_Snell(t *testing.T) {
 		Port:   10002,
 		Psk:    "password",
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	time.Sleep(waitTime)
 	testSuit(t, proxy)
@@ -132,9 +120,7 @@ func TestClash_Snellv3(t *testing.T) {
 	}
 
 	id, err := startContainer(cfg, hostCfg, "snell")
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	t.Cleanup(func() {
 		cleanContainer(id)
@@ -148,9 +134,7 @@ func TestClash_Snellv3(t *testing.T) {
 		UDP:     true,
 		Version: 3,
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	time.Sleep(waitTime)
 	testSuit(t, proxy)
@@ -167,10 +151,8 @@ func Benchmark_Snell(b *testing.B) {
 		Binds:        []string{fmt.Sprintf("%s:/config.conf", C.Path.Resolve("snell-http.conf"))},
 	}
 
-	id, err := startContainer(cfg, hostCfg, "snell-http")
+	id, err := startContainer(cfg, hostCfg, "snell-bench")
-	if err != nil {
+	require.NoError(b, err)
-		assert.FailNow(b, err.Error())
-	}
 
 	b.Cleanup(func() {
 		cleanContainer(id)
@@ -185,9 +167,7 @@ func Benchmark_Snell(b *testing.B) {
 			"mode": "http",
 		},
 	})
-	if err != nil {
+	require.NoError(b, err)
-		assert.FailNow(b, err.Error())
-	}
 
 	time.Sleep(waitTime)
 	benchmarkProxy(b, proxy)

test/ss_test.go

@@ -1,13 +1,14 @@
 package main
 
 import (
+	"net"
 	"testing"
 	"time"
 
 	"github.com/Dreamacro/clash/adapter/outbound"
 
 	"github.com/docker/docker/api/types/container"
-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestClash_Shadowsocks(t *testing.T) {
@@ -22,9 +23,7 @@ func TestClash_Shadowsocks(t *testing.T) {
 	}
 
 	id, err := startContainer(cfg, hostCfg, "ss")
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	t.Cleanup(func() {
 		cleanContainer(id)
@@ -38,9 +37,7 @@ func TestClash_Shadowsocks(t *testing.T) {
 		Cipher:   "chacha20-ietf-poly1305",
 		UDP:      true,
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	time.Sleep(waitTime)
 	testSuit(t, proxy)
@@ -60,9 +57,7 @@ func TestClash_ShadowsocksObfsHTTP(t *testing.T) {
 	}
 
 	id, err := startContainer(cfg, hostCfg, "ss-obfs-http")
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	t.Cleanup(func() {
 		cleanContainer(id)
@@ -80,9 +75,7 @@ func TestClash_ShadowsocksObfsHTTP(t *testing.T) {
 			"mode": "http",
 		},
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	time.Sleep(waitTime)
 	testSuit(t, proxy)
@@ -102,9 +95,7 @@ func TestClash_ShadowsocksObfsTLS(t *testing.T) {
 	}
 
 	id, err := startContainer(cfg, hostCfg, "ss-obfs-tls")
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	t.Cleanup(func() {
 		cleanContainer(id)
@@ -122,9 +113,7 @@ func TestClash_ShadowsocksObfsTLS(t *testing.T) {
 			"mode": "tls",
 		},
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	time.Sleep(waitTime)
 	testSuit(t, proxy)
@@ -144,9 +133,7 @@ func TestClash_ShadowsocksV2RayPlugin(t *testing.T) {
 	}
 
 	id, err := startContainer(cfg, hostCfg, "ss-v2ray-plugin")
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	t.Cleanup(func() {
 		cleanContainer(id)
@@ -164,9 +151,7 @@ func TestClash_ShadowsocksV2RayPlugin(t *testing.T) {
 			"mode": "websocket",
 		},
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	time.Sleep(waitTime)
 	testSuit(t, proxy)
@@ -183,10 +168,8 @@ func Benchmark_Shadowsocks(b *testing.B) {
 		PortBindings: defaultPortBindings,
 	}
 
-	id, err := startContainer(cfg, hostCfg, "ss")
+	id, err := startContainer(cfg, hostCfg, "ss-bench")
-	if err != nil {
+	require.NoError(b, err)
-		assert.FailNow(b, err.Error())
-	}
 
 	b.Cleanup(func() {
 		cleanContainer(id)
@@ -200,10 +183,8 @@ func Benchmark_Shadowsocks(b *testing.B) {
 		Cipher:   "aes-256-gcm",
 		UDP:      true,
 	})
-	if err != nil {
+	require.NoError(b, err)
-		assert.FailNow(b, err.Error())
-	}
 
-	time.Sleep(waitTime)
+	require.True(b, TCPing(net.JoinHostPort(localIP.String(), "10002")))
 	benchmarkProxy(b, proxy)
 }

test/trojan_test.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+	"net"
 	"testing"
 	"time"
 
@@ -9,7 +10,7 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 
 	"github.com/docker/docker/api/types/container"
-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestClash_Trojan(t *testing.T) {
@@ -27,9 +28,7 @@ func TestClash_Trojan(t *testing.T) {
 	}
 
 	id, err := startContainer(cfg, hostCfg, "trojan")
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	t.Cleanup(func() {
 		cleanContainer(id)
@@ -44,9 +43,7 @@ func TestClash_Trojan(t *testing.T) {
 		SkipCertVerify: true,
 		UDP:            true,
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	time.Sleep(waitTime)
 	testSuit(t, proxy)
@@ -67,10 +64,10 @@ func TestClash_TrojanGrpc(t *testing.T) {
 	}
 
 	id, err := startContainer(cfg, hostCfg, "trojan-grpc")
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
+	t.Cleanup(func() {
-	}
+		cleanContainer(id)
-	defer cleanContainer(id)
+	})
 
 	proxy, err := outbound.NewTrojan(outbound.TrojanOption{
 		Name:           "trojan",
@@ -85,9 +82,7 @@ func TestClash_TrojanGrpc(t *testing.T) {
 			GrpcServiceName: "example",
 		},
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	time.Sleep(waitTime)
 	testSuit(t, proxy)
@@ -108,10 +103,10 @@ func TestClash_TrojanWebsocket(t *testing.T) {
 	}
 
 	id, err := startContainer(cfg, hostCfg, "trojan-ws")
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
+	t.Cleanup(func() {
-	}
+		cleanContainer(id)
-	defer cleanContainer(id)
+	})
 
 	proxy, err := outbound.NewTrojan(outbound.TrojanOption{
 		Name:           "trojan",
@@ -123,9 +118,7 @@ func TestClash_TrojanWebsocket(t *testing.T) {
 		UDP:            true,
 		Network:        "ws",
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	time.Sleep(waitTime)
 	testSuit(t, proxy)
@@ -146,10 +139,11 @@ func TestClash_TrojanXTLS(t *testing.T) {
 	}
 
 	id, err := startContainer(cfg, hostCfg, "trojan-xtls")
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
+
-	}
+	t.Cleanup(func() {
-	defer cleanContainer(id)
+		cleanContainer(id)
+	})
 
 	proxy, err := outbound.NewTrojan(outbound.TrojanOption{
 		Name:           "trojan",
@@ -163,9 +157,7 @@ func TestClash_TrojanXTLS(t *testing.T) {
 		Flow:           "xtls-rprx-direct",
 		FlowShow:       true,
 	})
-	if err != nil {
+	require.NoError(t, err)
-		assert.FailNow(t, err.Error())
-	}
 
 	time.Sleep(waitTime)
 	testSuit(t, proxy)
@@ -185,10 +177,8 @@ func Benchmark_Trojan(b *testing.B) {
 		},
 	}
 
-	id, err := startContainer(cfg, hostCfg, "trojan")
+	id, err := startContainer(cfg, hostCfg, "trojan-bench")
-	if err != nil {
+	require.NoError(b, err)
-		assert.FailNow(b, err.Error())
-	}
 
 	b.Cleanup(func() {
 		cleanContainer(id)
@@ -203,10 +193,8 @@ func Benchmark_Trojan(b *testing.B) {
 		SkipCertVerify: true,
 		UDP:            true,
 	})
-	if err != nil {
+	require.NoError(b, err)
-		assert.FailNow(b, err.Error())
-	}
 
-	time.Sleep(waitTime)
+	require.True(b, TCPing(net.JoinHostPort(localIP.String(), "10002")))
 	benchmarkProxy(b, proxy)
 }