chore: rename delete.yml

Merge branch 'Alpha' into Meta
chore: update readme
2023-03-30 16:04:09 +00:00 · 2023-03-30 16:03:47 +00:00 · 2023-03-30 15:57:52 +00:00 · 2023-03-29 13:59:36 +00:00 · 2023-03-29 20:50:46 +08:00 · 2023-03-29 12:28:16 +00:00
61 changed files with 1394 additions and 413 deletions
--- a/.github/rename-cgo.sh
+++ b/.github/rename-cgo.sh
@ -15,6 +15,15 @@ do
    elif [[ $FILENAME =~ "windows-4.0-amd64" ]];then
        echo "rename windows amd64 $FILENAME"
        mv $FILENAME clash.meta-windows-amd64-cgo.exe
+    elif [[ $FILENAME =~ "clash.meta-linux-arm-5" ]];then
+        echo "rename clash.meta-linux-arm-5 $FILENAME"
+        mv $FILENAME clash.meta-linux-armv5-cgo
+    elif [[ $FILENAME =~ "clash.meta-linux-arm-6" ]];then
+        echo "rename clash.meta-linux-arm-6 $FILENAME"
+        mv $FILENAME clash.meta-linux-armv6-cgo
+    elif [[ $FILENAME =~ "clash.meta-linux-arm-7" ]];then
+        echo "rename clash.meta-linux-arm-7 $FILENAME"
+        mv $FILENAME clash.meta-linux-armv7-cgo
    elif [[ $FILENAME =~ "linux" ]];then
        echo "rename linux $FILENAME"
        mv $FILENAME $FILENAME-cgo
--- a/.github/workflows/Delete.yml
+++ b/.github/workflows/Delete.yml
@ -0,0 +1,16 @@
+name: Delete old workflow runs
+on:
+  schedule:
+    - cron: '0 0 1 * *'
+# Run monthly, at 00:00 on the 1st day of month.
+
+jobs:
+  del_runs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete workflow runs
+        uses: GitRML/delete-workflow-runs@main
+        with:
+          token: ${{ secrets.AUTH_PAT }}
+          repository: ${{ github.repository }}
+          retain_days: 30
--- a/.github/workflows/delete.yml
+++ b/.github/workflows/delete.yml
@ -0,0 +1,16 @@
+name: Delete old workflow runs
+on:
+  schedule:
+    - cron: '0 0 1 * *'
+# Run monthly, at 00:00 on the 1st day of month.
+
+jobs:
+  del_runs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete workflow runs
+        uses: GitRML/delete-workflow-runs@main
+        with:
+          token: ${{ secrets.AUTH_PAT }}
+          repository: ${{ github.repository }}
+          retain_days: 30
--- a/README.md
+++ b/README.md
@ -30,8 +30,7 @@
 - Comprehensive HTTP RESTful API controller

 ## Wiki
-
-Documentation and configuring examples are available on [wiki](https://github.com/MetaCubeX/Clash.Meta/wiki) and [Clash.Meta Wiki](https://docs.metacubex.one/).
+Configuration examples can be found at [/docs/config.yaml](https://github.com/MetaCubeX/Clash.Meta/blob/Alpha/docs/config.yaml), while documentation can be found [Clash.Meta Wiki](https://clash-meta.wiki).

 ## Build

--- a/adapter/inbound/socket.go
+++ b/adapter/inbound/socket.go
@ -42,6 +42,8 @@ func NewInner(conn net.Conn, dst string, host string) *context.ConnContext {
 		if host == "" {
 			if ip, err := netip.ParseAddr(h); err == nil {
 				metadata.DstIP = ip
+			} else {
+				metadata.Host = h
 			}
 		}
 	}
--- a/adapter/outbound/base.go
+++ b/adapter/outbound/base.go
@ -34,12 +34,7 @@ func (b *Base) Name() string {
 // Id implements C.ProxyAdapter
 func (b *Base) Id() string {
 	if b.id == "" {
-		id, err := utils.UnsafeUUIDGenerator.NewV6()
-		if err != nil {
-			b.id = b.name
-		} else {
-			b.id = id.String()
-		}
+		b.id = utils.NewUUIDV6().String()
 	}

 	return b.id
@ -210,6 +205,8 @@ func NewConn(c net.Conn, a C.ProxyAdapter) C.Conn {
 type packetConn struct {
 	net.PacketConn
 	chain                   C.Chain
+	adapterName             string
+	connID                  string
 	actualRemoteDestination string
 }

@ -227,8 +224,13 @@ func (c *packetConn) AppendToChains(a C.ProxyAdapter) {
 	c.chain = append(c.chain, a.Name())
 }

+func (c *packetConn) LocalAddr() net.Addr {
+	lAddr := c.PacketConn.LocalAddr()
+	return N.NewCustomAddr(c.adapterName, c.connID, lAddr) // make quic-go's connMultiplexer happy
+}
+
 func newPacketConn(pc net.PacketConn, a C.ProxyAdapter) C.PacketConn {
-	return &packetConn{pc, []string{a.Name()}, parseRemoteDestination(a.Addr())}
+	return &packetConn{pc, []string{a.Name()}, a.Name(), utils.NewUUIDV4().String(), parseRemoteDestination(a.Addr())}
 }

 func parseRemoteDestination(addr string) string {
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@ -12,11 +12,13 @@ import (
 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/transport/restls"
 	obfs "github.com/Dreamacro/clash/transport/simple-obfs"
 	shadowtls "github.com/Dreamacro/clash/transport/sing-shadowtls"
 	"github.com/Dreamacro/clash/transport/socks5"
 	v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"

+	restlsC "github.com/3andne/restls-client-go"
 	shadowsocks "github.com/metacubex/sing-shadowsocks"
 	"github.com/metacubex/sing-shadowsocks/shadowimpl"
 	"github.com/sagernet/sing/common/bufio"
@ -34,6 +36,7 @@ type ShadowSocks struct {
 	obfsOption      *simpleObfsOption
 	v2rayOption     *v2rayObfs.Option
 	shadowTLSOption *shadowtls.ShadowTLSOption
+	restlsConfig    *restlsC.Config
 }

 type ShadowSocksOption struct {
@ -47,6 +50,8 @@ type ShadowSocksOption struct {
 	Plugin            string         `proxy:"plugin,omitempty"`
 	PluginOpts        map[string]any `proxy:"plugin-opts,omitempty"`
 	UDPOverTCP        bool           `proxy:"udp-over-tcp,omitempty"`
+	UDPOverTCPVersion int            `proxy:"udp-over-tcp-version,omitempty"`
+	ClientFingerprint string         `proxy:"client-fingerprint,omitempty"`
 }

 type simpleObfsOption struct {
@ -69,28 +74,27 @@ type shadowTLSOption struct {
 	Password       string `obfs:"password"`
 	Host           string `obfs:"host"`
 	Fingerprint    string `obfs:"fingerprint,omitempty"`
-	ClientFingerprint string `obfs:"client-fingerprint,omitempty"`
 	SkipCertVerify bool   `obfs:"skip-cert-verify,omitempty"`
 	Version        int    `obfs:"version,omitempty"`
 }

+type restlsOption struct {
+	Password     string `obfs:"password"`
+	Host         string `obfs:"host"`
+	VersionHint  string `obfs:"version-hint"`
+	RestlsScript string `obfs:"restls-script,omitempty"`
+}
+
 // StreamConn implements C.ProxyAdapter
 func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	switch ss.obfsMode {
-	case shadowtls.Mode:
 	// fix tls handshake not timeout
 	ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
 	defer cancel()
-		var err error
-		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return ss.streamConn(c, metadata)
+	return ss.StreamConnContext(ctx, c, metadata)
 }

-func (ss *ShadowSocks) streamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	useEarly := false
 	switch ss.obfsMode {
 	case "tls":
 		c = obfs.NewTLSObfs(c, ss.obfsOption.Host)
@ -103,15 +107,31 @@ func (ss *ShadowSocks) streamConn(c net.Conn, metadata *C.Metadata) (net.Conn, e
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 		}
+	case shadowtls.Mode:
+		var err error
+		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
+		if err != nil {
+			return nil, err
 		}
+		useEarly = true
+	case restls.Mode:
+		var err error
+		c, err = restls.NewRestls(ctx, c, ss.restlsConfig)
+		if err != nil {
+			return nil, fmt.Errorf("%s (restls) connect error: %w", ss.addr, err)
+		}
+		useEarly = true
+	}
+	useEarly = useEarly || N.NeedHandshake(c)
 	if metadata.NetWork == C.UDP && ss.option.UDPOverTCP {
-		if N.NeedHandshake(c) {
-			return ss.method.DialEarlyConn(c, M.ParseSocksaddr(uot.UOTMagicAddress+":443")), nil
+		uotDestination := uot.RequestDestination(uint8(ss.option.UDPOverTCPVersion))
+		if useEarly {
+			return ss.method.DialEarlyConn(c, uotDestination), nil
 		} else {
-			return ss.method.DialConn(c, M.ParseSocksaddr(uot.UOTMagicAddress+":443"))
+			return ss.method.DialConn(c, uotDestination)
 		}
 	}
-	if N.NeedHandshake(c) {
+	if useEarly {
 		return ss.method.DialEarlyConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
 	} else {
 		return ss.method.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
@ -135,15 +155,7 @@ func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Diale
 		safeConnClose(c, err)
 	}(c)

-	switch ss.obfsMode {
-	case shadowtls.Mode:
-		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	c, err = ss.streamConn(c, metadata)
+	c, err = ss.StreamConnContext(ctx, c, metadata)
 	return NewConn(c, ss), err
 }

@ -159,7 +171,12 @@ func (ss *ShadowSocks) ListenPacketWithDialer(ctx context.Context, dialer C.Dial
 		if err != nil {
 			return nil, err
 		}
-		return newPacketConn(uot.NewClientConn(tcpConn), ss), nil
+		destination := M.ParseSocksaddr(metadata.RemoteAddress())
+		if ss.option.UDPOverTCPVersion == 1 {
+			return newPacketConn(uot.NewConn(tcpConn, uot.Request{Destination: destination}), ss), nil
+		} else {
+			return newPacketConn(uot.NewLazyConn(tcpConn, uot.Request{Destination: destination}), ss), nil
+		}
 	}
 	addr, err := resolveUDPAddrWithPrefer(ctx, "udp", ss.addr, ss.prefer)
 	if err != nil {
@ -182,7 +199,12 @@ func (ss *ShadowSocks) SupportWithDialer() bool {
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (ss *ShadowSocks) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if ss.option.UDPOverTCP {
-		return newPacketConn(uot.NewClientConn(c), ss), nil
+		destination := M.ParseSocksaddr(metadata.RemoteAddress())
+		if ss.option.UDPOverTCPVersion == uot.LegacyVersion {
+			return newPacketConn(uot.NewConn(c, uot.Request{Destination: destination}), ss), nil
+		} else {
+			return newPacketConn(uot.NewLazyConn(c, uot.Request{Destination: destination}), ss), nil
+		}
 	}
 	return nil, errors.New("no support")
 }
@ -202,6 +224,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	var v2rayOption *v2rayObfs.Option
 	var obfsOption *simpleObfsOption
 	var shadowTLSOpt *shadowtls.ShadowTLSOption
+	var restlsConfig *restlsC.Config
 	obfsMode := ""

 	decoder := structure.NewDecoder(structure.Option{TagName: "obfs", WeaklyTypedInput: true})
@ -250,10 +273,30 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			Password:          opt.Password,
 			Host:              opt.Host,
 			Fingerprint:       opt.Fingerprint,
-			ClientFingerprint: opt.ClientFingerprint,
+			ClientFingerprint: option.ClientFingerprint,
 			SkipCertVerify:    opt.SkipCertVerify,
 			Version:           opt.Version,
 		}
+	} else if option.Plugin == restls.Mode {
+		obfsMode = restls.Mode
+		restlsOpt := &restlsOption{}
+		if err := decoder.Decode(option.PluginOpts, restlsOpt); err != nil {
+			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
+		}
+
+		restlsConfig, err = restlsC.NewRestlsConfig(restlsOpt.Host, restlsOpt.Password, restlsOpt.VersionHint, restlsOpt.RestlsScript, option.ClientFingerprint)
+		restlsConfig.SessionTicketsDisabled = true
+		if err != nil {
+			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
+		}
+
+	}
+	switch option.UDPOverTCPVersion {
+	case uot.Version, uot.LegacyVersion:
+	case 0:
+		option.UDPOverTCPVersion = uot.Version
+	default:
+		return nil, fmt.Errorf("ss %s unknown udp over tcp protocol version: %d", addr, option.UDPOverTCPVersion)
 	}

 	return &ShadowSocks{
@ -274,6 +317,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 		v2rayOption:     v2rayOption,
 		obfsOption:      obfsOption,
 		shadowTLSOption: shadowTLSOpt,
+		restlsConfig:    restlsConfig,
 	}, nil
 }

--- a/adapter/outbound/tuic.go
+++ b/adapter/outbound/tuic.go
@ -51,6 +51,7 @@ type TuicOption struct {
 	ReceiveWindowConn    int    `proxy:"recv-window-conn,omitempty"`
 	ReceiveWindow        int    `proxy:"recv-window,omitempty"`
 	DisableMTUDiscovery  bool   `proxy:"disable-mtu-discovery,omitempty"`
+	MaxDatagramFrameSize int    `proxy:"max-datagram-frame-size,omitempty"`
 	SNI                  string `proxy:"sni,omitempty"`
 }

@ -175,6 +176,15 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		option.MaxOpenStreams = 100
 	}

+	if option.MaxDatagramFrameSize == 0 {
+		option.MaxDatagramFrameSize = option.MaxUdpRelayPacketSize + tuic.PacketOverHead
+	}
+
+	if option.MaxDatagramFrameSize > 1400 {
+		option.MaxDatagramFrameSize = 1400
+	}
+	option.MaxUdpRelayPacketSize = option.MaxDatagramFrameSize - tuic.PacketOverHead
+
 	// ensure server's incoming stream can handle correctly, increase to 1.1x
 	quicMaxOpenStreams := int64(option.MaxOpenStreams)
 	quicMaxOpenStreams = quicMaxOpenStreams + int64(math.Ceil(float64(quicMaxOpenStreams)/10.0))
@ -187,6 +197,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		MaxIncomingUniStreams:          quicMaxOpenStreams,
 		KeepAlivePeriod:                time.Duration(option.HeartbeatInterval) * time.Millisecond,
 		DisablePathMTUDiscovery:        option.DisableMTUDiscovery,
+		MaxDatagramFrameSize:           int64(option.MaxDatagramFrameSize),
 		EnableDatagrams:                true,
 	}
 	if option.ReceiveWindowConn == 0 {
--- a/adapter/parser.go
+++ b/adapter/parser.go
@ -23,7 +23,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 	)
 	switch proxyType {
 	case "ss":
-		ssOption := &outbound.ShadowSocksOption{}
+		ssOption := &outbound.ShadowSocksOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
 		err = decoder.Decode(mapping, ssOption)
 		if err != nil {
 			break
@ -56,10 +56,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 				Method: "GET",
 				Path:   []string{"/"},
 			},
-		}
-
-		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
-			vmessOption.ClientFingerprint = GlobalUtlsClient
+			ClientFingerprint: tlsC.GetGlobalFingerprint(),
 		}

 		err = decoder.Decode(mapping, vmessOption)
@ -68,12 +65,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		}
 		proxy, err = outbound.NewVmess(*vmessOption)
 	case "vless":
-		vlessOption := &outbound.VlessOption{}
-
-		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
-			vlessOption.ClientFingerprint = GlobalUtlsClient
-		}
-
+		vlessOption := &outbound.VlessOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
 		err = decoder.Decode(mapping, vlessOption)
 		if err != nil {
 			break
@ -87,12 +79,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		}
 		proxy, err = outbound.NewSnell(*snellOption)
 	case "trojan":
-		trojanOption := &outbound.TrojanOption{}
-
-		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
-			trojanOption.ClientFingerprint = GlobalUtlsClient
-		}
-
+		trojanOption := &outbound.TrojanOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
 		err = decoder.Decode(mapping, trojanOption)
 		if err != nil {
 			break
--- a/adapter/provider/healthcheck.go
+++ b/adapter/provider/healthcheck.go
@ -34,16 +34,15 @@ type HealthCheck struct {

 func (hc *HealthCheck) process() {
 	ticker := time.NewTicker(time.Duration(hc.interval) * time.Second)
-
-	go func() {
-		time.Sleep(30 * time.Second)
-		hc.lazyCheck()
-	}()
-
 	for {
 		select {
 		case <-ticker.C:
-			hc.lazyCheck()
+			now := time.Now().Unix()
+			if !hc.lazy || now-hc.lastTouch.Load() < int64(hc.interval) {
+				hc.check()
+			} else {
+				log.Debugln("Skip once health check because we are lazy")
+			}
 		case <-hc.done:
 			ticker.Stop()
 			return
@ -51,17 +50,6 @@ func (hc *HealthCheck) process() {
 	}
 }

-func (hc *HealthCheck) lazyCheck() bool {
-	now := time.Now().Unix()
-	if !hc.lazy || now-hc.lastTouch.Load() < int64(hc.interval) {
-		hc.check()
-		return true
-	} else {
-		log.Debugln("Skip once health check because we are lazy")
-		return false
-	}
-}
-
 func (hc *HealthCheck) setProxy(proxies []C.Proxy) {
 	hc.proxies = proxies
 }
@ -76,10 +64,7 @@ func (hc *HealthCheck) touch() {

 func (hc *HealthCheck) check() {
 	_, _, _ = hc.singleDo.Do(func() (struct{}, error) {
-		id := ""
-		if uid, err := utils.UnsafeUUIDGenerator.NewV4(); err == nil {
-			id = uid.String()
-		}
+		id := utils.NewUUIDV4().String()
 		log.Debugln("Start New Health Checking {%s}", id)
 		b, _ := batch.New[bool](context.Background(), batch.WithConcurrencyNum[bool](10))
 		for _, proxy := range hc.proxies {
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@ -80,6 +80,7 @@ func (pp *proxySetProvider) Initial() error {
 		return err
 	}
 	pp.OnUpdate(elm)
+	pp.getSubscriptionInfo()
 	return nil
 }

@ -99,7 +100,7 @@ func (pp *proxySetProvider) setProxies(proxies []C.Proxy) {
 	pp.proxies = proxies
 	pp.healthCheck.setProxy(proxies)
 	if pp.healthCheck.auto() {
-		defer func() { go pp.healthCheck.lazyCheck() }()
+		go pp.healthCheck.check()
 	}
 }

@ -172,8 +173,6 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, exc

 	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, excludeTypeArray, filterRegs, excludeFilterReg), proxiesOnUpdate(pd))
 	pd.Fetcher = fetcher
-
-	pd.getSubscriptionInfo()
 	wrapper := &ProxySetProvider{pd}
 	runtime.SetFinalizer(wrapper, stopProxyProvider)
 	return wrapper, nil
--- a/common/convert/util.go
+++ b/common/convert/util.go
@ -294,8 +294,7 @@ var (
 )

 func RandHost() string {
-	id, _ := utils.UnsafeUUIDGenerator.NewV4()
-	base := strings.ToLower(base64.RawURLEncoding.EncodeToString(id.Bytes()))
+	base := strings.ToLower(base64.RawURLEncoding.EncodeToString(utils.NewUUIDV4().Bytes()))
 	base = strings.ReplaceAll(base, "-", "")
 	base = strings.ReplaceAll(base, "_", "")
 	buf := []byte(base)
--- a/common/convert/v.go
+++ b/common/convert/v.go
@ -27,7 +27,7 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 	proxy["skip-cert-verify"] = false
 	proxy["tls"] = false
 	tls := strings.ToLower(query.Get("security"))
-	if strings.HasSuffix(tls, "tls") {
+	if strings.HasSuffix(tls, "tls") || tls == "reality" {
 		proxy["tls"] = true
 		if fingerprint := query.Get("fp"); fingerprint == "" {
 			proxy["client-fingerprint"] = "chrome"
@ -38,6 +38,12 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 	if sni := query.Get("sni"); sni != "" {
 		proxy["servername"] = sni
 	}
+	if realityPublicKey := query.Get("pbk"); realityPublicKey != "" {
+		proxy["reality-opts"] = map[string]any{
+			"public-key": realityPublicKey,
+			"short-id":   query.Get("sid"),
+		}
+	}

 	switch query.Get("packetEncoding") {
 	case "none":
--- a/common/net/addr.go
+++ b/common/net/addr.go
@ -0,0 +1,36 @@
+package net
+
+import (
+	"net"
+)
+
+type CustomAddr interface {
+	net.Addr
+	RawAddr() net.Addr
+}
+
+type customAddr struct {
+	networkStr string
+	addrStr    string
+	rawAddr    net.Addr
+}
+
+func (a customAddr) Network() string {
+	return a.networkStr
+}
+
+func (a customAddr) String() string {
+	return a.addrStr
+}
+
+func (a customAddr) RawAddr() net.Addr {
+	return a.rawAddr
+}
+
+func NewCustomAddr(networkStr string, addrStr string, rawAddr net.Addr) CustomAddr {
+	return customAddr{
+		networkStr: networkStr,
+		addrStr:    addrStr,
+		rawAddr:    rawAddr,
+	}
+}
--- a/common/utils/uuid.go
+++ b/common/utils/uuid.go
@ -13,11 +13,39 @@ func (r fastRandReader) Read(p []byte) (int, error) {

 var UnsafeUUIDGenerator = uuid.NewGenWithOptions(uuid.WithRandomReader(fastRandReader{}))

+func NewUUIDV1() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV1() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
+func NewUUIDV3(ns uuid.UUID, name string) uuid.UUID {
+	return UnsafeUUIDGenerator.NewV3(ns, name)
+}
+
+func NewUUIDV4() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV4() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
+func NewUUIDV5(ns uuid.UUID, name string) uuid.UUID {
+	return UnsafeUUIDGenerator.NewV5(ns, name)
+}
+
+func NewUUIDV6() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV6() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
+func NewUUIDV7() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV7() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
 // UUIDMap https://github.com/XTLS/Xray-core/issues/158#issue-783294090
 func UUIDMap(str string) (uuid.UUID, error) {
 	u, err := uuid.FromString(str)
 	if err != nil {
-		return UnsafeUUIDGenerator.NewV5(uuid.Nil, str), nil
+		return NewUUIDV5(uuid.Nil, str), nil
 	}
 	return u, nil
 }
--- a/component/geodata/geodata.go
+++ b/component/geodata/geodata.go
@ -1,13 +1,10 @@
 package geodata

 import (
-	"errors"
 	"fmt"
-	C "github.com/Dreamacro/clash/constant"
-	"strings"

 	"github.com/Dreamacro/clash/component/geodata/router"
-	"github.com/Dreamacro/clash/log"
+	C "github.com/Dreamacro/clash/constant"
 )

 type loader struct {
@ -15,47 +12,7 @@ type loader struct {
 }

 func (l *loader) LoadGeoSite(list string) ([]*router.Domain, error) {
-	return l.LoadGeoSiteWithAttr(C.GeositeName, list)
-}
-
-func (l *loader) LoadGeoSiteWithAttr(file string, siteWithAttr string) ([]*router.Domain, error) {
-	parts := strings.Split(siteWithAttr, "@")
-	if len(parts) == 0 {
-		return nil, errors.New("empty rule")
-	}
-	list := strings.TrimSpace(parts[0])
-	attrVal := parts[1:]
-
-	if len(list) == 0 {
-		return nil, fmt.Errorf("empty listname in rule: %s", siteWithAttr)
-	}
-
-	domains, err := l.LoadSiteByPath(file, list)
-	if err != nil {
-		return nil, err
-	}
-
-	attrs := parseAttrs(attrVal)
-	if attrs.IsEmpty() {
-		if strings.Contains(siteWithAttr, "@") {
-			log.Warnln("empty attribute list: %s", siteWithAttr)
-		}
-		return domains, nil
-	}
-
-	filteredDomains := make([]*router.Domain, 0, len(domains))
-	hasAttrMatched := false
-	for _, domain := range domains {
-		if attrs.Match(domain) {
-			hasAttrMatched = true
-			filteredDomains = append(filteredDomains, domain)
-		}
-	}
-	if !hasAttrMatched {
-		log.Warnln("attribute match no rule: geosite: %s", siteWithAttr)
-	}
-
-	return filteredDomains, nil
+	return l.LoadSiteByPath(C.GeositeName, list)
 }

 func (l *loader) LoadGeoIP(country string) ([]*router.CIDR, error) {
--- a/component/geodata/geodataproto.go
+++ b/component/geodata/geodataproto.go
@ -14,6 +14,5 @@ type LoaderImplementation interface {
 type Loader interface {
 	LoaderImplementation
 	LoadGeoSite(list string) ([]*router.Domain, error)
-	LoadGeoSiteWithAttr(file string, siteWithAttr string) ([]*router.Domain, error)
 	LoadGeoIP(country string) ([]*router.CIDR, error)
 }
--- a/component/geodata/memconservative/cache.go
+++ b/component/geodata/memconservative/cache.go
@ -118,7 +118,7 @@ func (g GeoSiteCache) Unmarshal(filename, code string) (*router.GeoSite, error)

 	case errFailedToReadBytes, errFailedToReadExpectedLenBytes,
 		errInvalidGeodataFile, errInvalidGeodataVarintLength:
-		log.Warnln("failed to decode geoip file: %s%s", filename, ", fallback to the original ReadFile method")
+		log.Warnln("failed to decode geosite file: %s%s", filename, ", fallback to the original ReadFile method")
 		geositeBytes, err = os.ReadFile(asset)
 		if err != nil {
 			return nil, err
--- a/component/geodata/utils.go
+++ b/component/geodata/utils.go
@ -1,9 +1,14 @@
 package geodata

 import (
+	"errors"
 	"fmt"
+	"golang.org/x/sync/singleflight"
+	"strings"
+
 	"github.com/Dreamacro/clash/component/geodata/router"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
 )

 var geoLoaderName = "memconservative"
@ -34,6 +39,8 @@ func Verify(name string) error {
 	}
 }

+var loadGeoSiteMatcherSF = singleflight.Group{}
+
 func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error) {
 	if len(countryCode) == 0 {
 		return nil, 0, fmt.Errorf("country code could not be empty")
@ -44,16 +51,53 @@ func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error)
 		not = true
 		countryCode = countryCode[1:]
 	}
+	countryCode = strings.ToLower(countryCode)

-	geoLoader, err := GetGeoDataLoader(geoLoaderName)
-	if err != nil {
-		return nil, 0, err
+	parts := strings.Split(countryCode, "@")
+	if len(parts) == 0 {
+		return nil, 0, errors.New("empty rule")
+	}
+	listName := strings.TrimSpace(parts[0])
+	attrVal := parts[1:]
+
+	if len(listName) == 0 {
+		return nil, 0, fmt.Errorf("empty listname in rule: %s", countryCode)
 	}

-	domains, err := geoLoader.LoadGeoSite(countryCode)
+	v, err, shared := loadGeoSiteMatcherSF.Do(listName, func() (interface{}, error) {
+		geoLoader, err := GetGeoDataLoader(geoLoaderName)
 		if err != nil {
+			return nil, err
+		}
+		return geoLoader.LoadGeoSite(listName)
+	})
+	if err != nil {
+		if !shared {
+			loadGeoSiteMatcherSF.Forget(listName) // don't store the error result
+		}
 		return nil, 0, err
 	}
+	domains := v.([]*router.Domain)
+
+	attrs := parseAttrs(attrVal)
+	if attrs.IsEmpty() {
+		if strings.Contains(countryCode, "@") {
+			log.Warnln("empty attribute list: %s", countryCode)
+		}
+	} else {
+		filteredDomains := make([]*router.Domain, 0, len(domains))
+		hasAttrMatched := false
+		for _, domain := range domains {
+			if attrs.Match(domain) {
+				hasAttrMatched = true
+				filteredDomains = append(filteredDomains, domain)
+			}
+		}
+		if !hasAttrMatched {
+			log.Warnln("attribute match no rule: geosite: %s", countryCode)
+		}
+		domains = filteredDomains
+	}

 	/**
 	linear: linear algorithm
@ -68,25 +112,34 @@ func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error)
 	return matcher, len(domains), nil
 }

+var loadGeoIPMatcherSF = singleflight.Group{}
+
 func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) {
 	if len(country) == 0 {
 		return nil, 0, fmt.Errorf("country code could not be empty")
 	}
-	geoLoader, err := GetGeoDataLoader(geoLoaderName)
-	if err != nil {
-		return nil, 0, err
-	}

 	not := false
 	if country[0] == '!' {
 		not = true
 		country = country[1:]
 	}
+	country = strings.ToLower(country)

-	records, err := geoLoader.LoadGeoIP(country)
+	v, err, shared := loadGeoIPMatcherSF.Do(country, func() (interface{}, error) {
+		geoLoader, err := GetGeoDataLoader(geoLoaderName)
 		if err != nil {
+			return nil, err
+		}
+		return geoLoader.LoadGeoIP(country)
+	})
+	if err != nil {
+		if !shared {
+			loadGeoIPMatcherSF.Forget(country) // don't store the error result
+		}
 		return nil, 0, err
 	}
+	records := v.([]*router.CIDR)

 	geoIP := &router.GeoIP{
 		CountryCode:  country,
@ -98,6 +151,10 @@ func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) {
 	if err != nil {
 		return nil, 0, err
 	}
-
 	return matcher, len(records), nil
 }
+
+func ClearCache() {
+	loadGeoSiteMatcherSF = singleflight.Group{}
+	loadGeoIPMatcherSF = singleflight.Group{}
+}
--- a/component/http/http.go
+++ b/component/http/http.go
@ -2,14 +2,15 @@ package http

 import (
 	"context"
-	"github.com/Dreamacro/clash/component/tls"
-	"github.com/Dreamacro/clash/listener/inner"
 	"io"
 	"net"
 	"net/http"
 	URL "net/url"
 	"strings"
 	"time"
+
+	"github.com/Dreamacro/clash/component/tls"
+	"github.com/Dreamacro/clash/listener/inner"
 )

 const (
@ -52,7 +53,7 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
-			conn := inner.HandleTcp(address, urlRes.Hostname())
+			conn := inner.HandleTcp(address, "")
 			return conn, nil
 		},
 		TLSClientConfig: tls.GetDefaultTLSConfig(),
--- a/component/tls/config.go
+++ b/component/tls/config.go
@ -14,7 +14,7 @@ import (
 	xtls "github.com/xtls/go"
 )

-var trustCert, _ = x509.SystemCertPool()
+var trustCerts []*x509.Certificate

 var mutex sync.RWMutex
 var errNotMacth error = errors.New("certificate fingerprints do not match")
@ -25,16 +25,28 @@ func AddCertificate(certificate string) error {
 	if certificate == "" {
 		return fmt.Errorf("certificate is empty")
 	}
-	if ok := trustCert.AppendCertsFromPEM([]byte(certificate)); !ok {
+	if cert, err := x509.ParseCertificate([]byte(certificate)); err == nil {
+		trustCerts = append(trustCerts, cert)
+		return nil
+	} else {
 		return fmt.Errorf("add certificate failed")
 	}
-	return nil
 }

 func ResetCertificate() {
 	mutex.Lock()
 	defer mutex.Unlock()
-	trustCert, _ = x509.SystemCertPool()
+	trustCerts = nil
+}
+
+func getCertPool() *x509.CertPool {
+	certPool, err := x509.SystemCertPool()
+	if err == nil {
+		for _, cert := range trustCerts {
+			certPool.AddCert(cert)
+		}
+	}
+	return certPool
 }

 func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
@ -84,12 +96,13 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string)
 }

 func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
+	certPool := getCertPool()
 	if tlsConfig == nil {
 		return &tls.Config{
-			RootCAs: trustCert,
+			RootCAs: certPool,
 		}
 	}
-	tlsConfig.RootCAs = trustCert
+	tlsConfig.RootCAs = certPool
 	return tlsConfig
 }

@ -106,12 +119,13 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin
 }

 func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
+	certPool := getCertPool()
 	if tlsConfig == nil {
 		return &xtls.Config{
-			RootCAs: trustCert,
+			RootCAs: certPool,
 		}
 	}

-	tlsConfig.RootCAs = trustCert
+	tlsConfig.RootCAs = certPool
 	return tlsConfig
 }
--- a/component/tls/reality.go
+++ b/component/tls/reality.go
@ -44,7 +44,6 @@ func GetRealityConn(ctx context.Context, conn net.Conn, ClientFingerprint string
 		}
 		uConfig := &utls.Config{
 			ServerName:             tlsConfig.ServerName,
-			NextProtos:             tlsConfig.NextProtos,
 			InsecureSkipVerify:     true,
 			SessionTicketsDisabled: true,
 			VerifyPeerCertificate:  verifier.VerifyPeerCertificate,
@ -62,20 +61,16 @@ func GetRealityConn(ctx context.Context, conn net.Conn, ClientFingerprint string
 		}

 		hello := uConn.HandshakeState.Hello
-		hello.SessionId = make([]byte, 32)
+		for i := range hello.SessionId { // https://github.com/golang/go/issues/5373
+			hello.SessionId[i] = 0
+		}
 		copy(hello.Raw[39:], hello.SessionId)

-		var nowTime time.Time
-		if uConfig.Time != nil {
-			nowTime = uConfig.Time()
-		} else {
-			nowTime = time.Now()
-		}
-		binary.BigEndian.PutUint64(hello.SessionId, uint64(nowTime.Unix()))
+		binary.BigEndian.PutUint64(hello.SessionId, uint64(time.Now().Unix()))

 		hello.SessionId[0] = 1
-		hello.SessionId[1] = 7
-		hello.SessionId[2] = 5
+		hello.SessionId[1] = 8
+		hello.SessionId[2] = 0
 		copy(hello.SessionId[8:], realityConfig.ShortID[:])

 		//log.Debugln("REALITY hello.sessionId[:16]: %v", hello.SessionId[:16])
@ -130,7 +125,7 @@ func realityClientFallback(uConn net.Conn, serverName string, fingerprint utls.C
 		return
 	}
 	//_, _ = io.Copy(io.Discard, response.Body)
-	time.Sleep(time.Duration(5 + fastrand.Int63n(10)))
+	time.Sleep(time.Duration(5+fastrand.Int63n(10)) * time.Second)
 	response.Body.Close()
 	client.CloseIdleConnections()
 }
--- a/component/tls/utls.go
+++ b/component/tls/utls.go
@ -45,8 +45,13 @@ func GetFingerprint(ClientFingerprint string) (UClientHelloID, bool) {
 	}

 	fingerprint, ok := Fingerprints[ClientFingerprint]
+	if ok {
 		log.Debugln("use specified fingerprint:%s", fingerprint.Client)
 		return fingerprint, ok
+	} else {
+		log.Warnln("wrong ClientFingerprint:%s", ClientFingerprint)
+		return UClientHelloID{}, false
+	}
 }

 func RollFingerprint() (UClientHelloID, bool) {
@ -89,7 +94,6 @@ func copyConfig(c *tls.Config) *utls.Config {
 	return &utls.Config{
 		RootCAs:               c.RootCAs,
 		ServerName:            c.ServerName,
-		NextProtos:            c.NextProtos,
 		InsecureSkipVerify:    c.InsecureSkipVerify,
 		VerifyPeerCertificate: c.VerifyPeerCertificate,
 	}
@ -128,10 +132,7 @@ func SetGlobalUtlsClient(Client string) {
 }

 func HaveGlobalFingerprint() bool {
-	if len(initUtlsClient) != 0 && initUtlsClient != "none" {
-		return true
-	}
-	return false
+	return len(initUtlsClient) != 0 && initUtlsClient != "none"
 }

 func GetGlobalFingerprint() string {
--- a/config/config.go
+++ b/config/config.go
@ -218,6 +218,7 @@ type RawTun struct {
 	ExcludePackage         []string          `yaml:"exclude-package" json:"exclude_package,omitempty"`
 	EndpointIndependentNat bool              `yaml:"endpoint-independent-nat" json:"endpoint_independent_nat,omitempty"`
 	UDPTimeout             int64             `yaml:"udp-timeout" json:"udp_timeout,omitempty"`
+	FileDescriptor         int               `yaml:"file-descriptor" json:"file-descriptor"`
 }

 type RawTuicServer struct {
@ -451,7 +452,6 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 		tlsC.SetGlobalUtlsClient(config.General.GlobalClientFingerprint)
 	}

-	dialer.DefaultInterface.Store(config.General.Interface)
 	proxies, providers, err := parseProxies(rawCfg)
 	if err != nil {
 		return nil, err
@ -989,30 +989,27 @@ func parseNameServerPolicy(nsPolicy map[string]any, preferH3 bool) (map[string][
 	re := regexp.MustCompile(`[a-zA-Z0-9\-]+\.[a-zA-Z]{2,}(\.[a-zA-Z]{2,})?`)

 	for k, v := range nsPolicy {
+		if strings.Contains(k, ",") {
 			if strings.Contains(k, "geosite:") {
 				subkeys := strings.Split(k, ":")
 				subkeys = subkeys[1:]
 				subkeys = strings.Split(subkeys[0], ",")
-			//log.Infoln("subkeys:%+v", subkeys)
 				for _, subkey := range subkeys {
 					newKey := "geosite:" + subkey
-				//log.Infoln("newKey:%+v", newKey)
 					updatedPolicy[newKey] = v
 				}
 			} else if re.MatchString(k) {
 				subkeys := strings.Split(k, ",")
-			//log.Infoln("subkeys:%+v", subkeys)
 				for _, subkey := range subkeys {
 					updatedPolicy[subkey] = v
 				}
+			}
 		} else {
 			updatedPolicy[k] = v
 		}
 	}
-	//log.Infoln("updatedPolicy:%+v", updatedPolicy)

 	for domain, server := range updatedPolicy {
-
 		servers, err := utils.ToStringSlice(server)
 		if err != nil {
 			return nil, err
@ -1243,6 +1240,7 @@ func parseTun(rawTun RawTun, general *General) error {
 		ExcludePackage:         rawTun.ExcludePackage,
 		EndpointIndependentNat: rawTun.EndpointIndependentNat,
 		UDPTimeout:             rawTun.UDPTimeout,
+		FileDescriptor:         rawTun.FileDescriptor,
 	}

 	return nil
--- a/config/updateGeo.go
+++ b/config/updateGeo.go
@ -63,6 +63,8 @@ func UpdateGeoDatabases() error {
 		return fmt.Errorf("can't save GeoSite database file: %w", err)
 	}

+	geodata.ClearCache()
+
 	return nil
 }

--- a/context/conn.go
+++ b/context/conn.go
@ -17,10 +17,8 @@ type ConnContext struct {
 }

 func NewConnContext(conn net.Conn, metadata *C.Metadata) *ConnContext {
-	id, _ := utils.UnsafeUUIDGenerator.NewV4()
-
 	return &ConnContext{
-		id:       id,
+		id:       utils.NewUUIDV4(),
 		metadata: metadata,
 		conn:     N.NewBufferedConn(conn),
 	}
--- a/context/dns.go
+++ b/context/dns.go
@ -23,11 +23,10 @@ type DNSContext struct {
 }

 func NewDNSContext(ctx context.Context, msg *dns.Msg) *DNSContext {
-	id, _ := utils.UnsafeUUIDGenerator.NewV4()
 	return &DNSContext{
 		Context: ctx,

-		id:  id,
+		id:  utils.NewUUIDV4(),
 		msg: msg,
 	}
 }
--- a/context/packetconn.go
+++ b/context/packetconn.go
@ -16,9 +16,8 @@ type PacketConnContext struct {
 }

 func NewPacketConnContext(metadata *C.Metadata) *PacketConnContext {
-	id, _ := utils.UnsafeUUIDGenerator.NewV4()
 	return &PacketConnContext{
-		id:       id,
+		id:       utils.NewUUIDV4(),
 		metadata: metadata,
 	}
 }
--- a/dns/filters.go
+++ b/dns/filters.go
@ -29,29 +29,10 @@ func (gf *geoipFilter) Match(ip netip.Addr) bool {
 	}

 	if geoIPMatcher == nil {
-		countryCode := "cn"
-		geoLoader, err := geodata.GetGeoDataLoader(geodata.LoaderName())
+		var err error
+		geoIPMatcher, _, err = geodata.LoadGeoIPMatcher("CN")
 		if err != nil {
-			log.Errorln("[GeoIPFilter] GetGeoDataLoader error: %s", err.Error())
-			return false
-		}
-
-		records, err := geoLoader.LoadGeoIP(countryCode)
-		if err != nil {
-			log.Errorln("[GeoIPFilter] LoadGeoIP error: %s", err.Error())
-			return false
-		}
-
-		geoIP := &router.GeoIP{
-			CountryCode:  countryCode,
-			Cidr:         records,
-			ReverseMatch: false,
-		}
-
-		geoIPMatcher, err = router.NewGeoIPMatcher(geoIP)
-
-		if err != nil {
-			log.Errorln("[GeoIPFilter] NewGeoIPMatcher error: %s", err.Error())
+			log.Errorln("[GeoIPFilter] LoadGeoIPMatcher error: %s", err.Error())
 			return false
 		}
 	}
@ -92,6 +73,10 @@ type geoSiteFilter struct {
 }

 func NewGeoSite(group string) (fallbackDomainFilter, error) {
+	if err := geodata.InitGeoSite(); err != nil {
+		log.Errorln("can't initial GeoSite: %s", err)
+		return nil, err
+	}
 	matcher, _, err := geodata.LoadGeoSiteMatcher(group)
 	if err != nil {
 		return nil, err
--- a/dns/resolver.go
+++ b/dns/resolver.go
@ -516,7 +516,7 @@ func NewProxyServerHostResolver(old *Resolver) *Resolver {
 		main:        old.proxyServer,
 		lruCache:    old.lruCache,
 		hosts:       old.hosts,
-		policy:      old.policy,
+		policy:      trie.New[*Policy](),
 		ipv6Timeout: old.ipv6Timeout,
 	}
 	return r
--- a/docs/config.yaml
+++ b/docs/config.yaml
@ -331,18 +331,56 @@ proxies: # socks5
    # headers:
    #   custom: value
  
-  - name: "ss4"
+  - name: "ss4-shadow-tls"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: shadow-tls
+    client-fingerprint: chrome
    plugin-opts:
      host: "cloud.tencent.com"
      password: "shadow_tls_password"
      version: 2 # support 1/2/3

+  - name: "ss-restls-tls13"
+    type: ss
+    server: [YOUR_SERVER_IP]
+    port: 443
+    cipher: chacha20-ietf-poly1305
+    password: [YOUR_SS_PASSWORD]
+    client-fingerprint: chrome # One of: chrome, ios, firefox or safari
+                               # 可以是chrome, ios, firefox, safari中的一个
+    plugin: restls
+    plugin-opts:
+        host: "www.microsoft.com" # Must be a TLS 1.3 server
+                                  # 应当是一个TLS 1.3 服务器
+        password: [YOUR_RESTLS_PASSWORD]
+        version-hint: "tls13"
+        # Control your post-handshake traffic through restls-script
+        # Hide proxy behaviors like "tls in tls". 
+        # see https://github.com/3andne/restls/blob/main/Restls-Script:%20Hide%20Your%20Proxy%20Traffic%20Behavior.md
+        # 用restls剧本来控制握手后的行为，隐藏"tls in tls"等特征
+        # 详情：https://github.com/3andne/restls/blob/main/Restls-Script:%20%E9%9A%90%E8%97%8F%E4%BD%A0%E7%9A%84%E4%BB%A3%E7%90%86%E8%A1%8C%E4%B8%BA.md
+        restls-script: "300?100<1,400~100,350~100,600~100,300~200,300~100"
+
+  - name: "ss-restls-tls12"
+    type: ss
+    server: [YOUR_SERVER_IP]
+    port: 443
+    cipher: chacha20-ietf-poly1305
+    password: [YOUR_SS_PASSWORD]
+    client-fingerprint: chrome # One of: chrome, ios, firefox or safari
+                               # 可以是chrome, ios, firefox, safari中的一个
+    plugin: restls
+    plugin-opts:
+        host: "vscode.dev" # Must be a TLS 1.2 server
+                           # 应当是一个TLS 1.2 服务器
+        password: [YOUR_RESTLS_PASSWORD]
+        version-hint: "tls12"
+        restls-script: "1000?100<1,500~100,350~100,600~100,400~200"
+  
  # vmess
  # cipher支持 auto/aes-128-gcm/chacha20-poly1305/none
  - name: "vmess"
--- a/flake.nix
+++ b/flake.nix
@ -28,7 +28,7 @@
            inherit version;
            src = ./.;

-            vendorSha256 = "sha256-8cbcE9gKJjU14DNTLPc6nneEPZg7Akt+FlSDlPRvG5k=";
+            vendorSha256 = "sha256-W5oiPtTRin0731QQWr98xZ2Vpk97HYcBtKoi1OKZz+w=";

            # Do not build testing suit
            excludedPackages = [ "./test" ];
--- a/go.mod
+++ b/go.mod
@ -3,6 +3,7 @@ module github.com/Dreamacro/clash
 go 1.19

 require (
+	github.com/3andne/restls-client-go v0.1.4
 	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da
 	github.com/cilium/ebpf v0.9.3
 	github.com/coreos/go-iptables v0.6.0
@ -18,33 +19,33 @@ require (
 	github.com/jpillora/backoff v1.0.0
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
 	github.com/mdlayher/netlink v1.7.2-0.20221213171556-9881fafed8c7
-	github.com/metacubex/quic-go v0.33.1
+	github.com/metacubex/quic-go v0.33.3-0.20230322045857-901b636b4594
 	github.com/metacubex/sing-shadowsocks v0.1.1-0.20230226153717-4e80da7e6947
-	github.com/metacubex/sing-tun v0.1.1-0.20230304153753-5058534177f3
+	github.com/metacubex/sing-tun v0.1.3-0.20230323115055-7935ba0ac8b3
 	github.com/metacubex/sing-wireguard v0.0.0-20230310035749-f7595fcae5cb
-	github.com/miekg/dns v1.1.50
+	github.com/miekg/dns v1.1.52
 	github.com/mroth/weightedrand/v2 v2.0.0
 	github.com/oschwald/geoip2-golang v1.8.0
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97
-	github.com/sagernet/sing v0.1.8
+	github.com/sagernet/sing v0.2.1-0.20230323071235-f8038854d286
 	github.com/sagernet/sing-shadowtls v0.1.0
-	github.com/sagernet/sing-vmess v0.1.3-0.20230307060529-d110e81a50bc
-	github.com/sagernet/tfo-go v0.0.0-20230207095944-549363a7327d
+	github.com/sagernet/sing-vmess v0.1.3
+	github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9
 	github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2
 	github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c
 	github.com/samber/lo v1.37.0
 	github.com/sirupsen/logrus v1.9.0
-	github.com/stretchr/testify v1.8.1
+	github.com/stretchr/testify v1.8.2
 	github.com/xtls/go v0.0.0-20220914232946-0441cf4cf837
 	github.com/zhangyunhao116/fastrand v0.3.0
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/atomic v1.10.0
 	go.uber.org/automaxprocs v1.5.1
-	golang.org/x/crypto v0.6.0
-	golang.org/x/exp v0.0.0-20221205204356-47842c84f3db
-	golang.org/x/net v0.7.0
+	golang.org/x/crypto v0.7.0
+	golang.org/x/exp v0.0.0-20230321023759-10a507213a29
+	golang.org/x/net v0.8.0
 	golang.org/x/sync v0.1.0
-	golang.org/x/sys v0.5.0
+	golang.org/x/sys v0.6.0
 	google.golang.org/protobuf v1.28.2-0.20230118093459-a9481185b34d
 	gopkg.in/yaml.v3 v3.0.1
 	lukechampine.com/blake3 v1.1.7
@ -64,7 +65,7 @@ require (
 	github.com/klauspost/compress v1.15.15 // indirect
 	github.com/klauspost/cpuid/v2 v2.0.12 // indirect
 	github.com/mdlayher/socket v0.4.0 // indirect
-	github.com/metacubex/gvisor v0.0.0-20230304153416-e2bb9c726005 // indirect
+	github.com/metacubex/gvisor v0.0.0-20230323114922-412956fb6a03 // indirect
 	github.com/onsi/ginkgo/v2 v2.2.0 // indirect
 	github.com/oschwald/maxminddb-golang v1.10.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@ -74,10 +75,10 @@ require (
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/u-root/uio v0.0.0-20221213070652-c3537552635f // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
-	golang.org/x/mod v0.7.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/mod v0.8.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
-	golang.org/x/tools v0.5.0 // indirect
+	golang.org/x/tools v0.6.0 // indirect
 )

 replace go.uber.org/atomic v1.10.0 => github.com/metacubex/uber-atomic v0.0.0-20230202125923-feb10b770370
--- a/go.sum
+++ b/go.sum
@ -1,3 +1,5 @@
+github.com/3andne/restls-client-go v0.1.4 h1:kLNC2aSRHPlEVYmTj6EOqJoorCpobEe2toMRSfBF7FU=
+github.com/3andne/restls-client-go v0.1.4/go.mod h1:04CGbRk1BwBiEDles8b5mlKgTqIwE5MqF7JDloJV47I=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
@ -87,20 +89,20 @@ github.com/mdlayher/raw v0.0.0-20190606142536-fef19f00fc18/go.mod h1:7EpbotpCmVZ
 github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
 github.com/mdlayher/socket v0.4.0 h1:280wsy40IC9M9q1uPGcLBwXpcTQDtoGwVt+BNoITxIw=
 github.com/mdlayher/socket v0.4.0/go.mod h1:xxFqz5GRCUN3UEOm9CZqEJsAbe1C8OwSK46NlmWuVoc=
-github.com/metacubex/gvisor v0.0.0-20230304153416-e2bb9c726005 h1:0TEvReK/D6YLszjGj/bdx4d7amQSjQ2X/98r4ZiUbxU=
-github.com/metacubex/gvisor v0.0.0-20230304153416-e2bb9c726005/go.mod h1:wqEuzdImyqD2MCGE8CYRJXbB77oSEJeoSSXXdwKjnsE=
-github.com/metacubex/quic-go v0.33.1 h1:ZIxZFGivpSLOEZuuNkLy+aPvo1RP4uRBjNg3SAkXwIg=
-github.com/metacubex/quic-go v0.33.1/go.mod h1:9nOiGX6kqV3+ZbkDKdTNzdFD726QQHPH6WDb36jUSpA=
+github.com/metacubex/gvisor v0.0.0-20230323114922-412956fb6a03 h1:gREIdurac9fpyBMBRPPMF/Sk3gKfPfdNCa4GQyR9FoA=
+github.com/metacubex/gvisor v0.0.0-20230323114922-412956fb6a03/go.mod h1:wqEuzdImyqD2MCGE8CYRJXbB77oSEJeoSSXXdwKjnsE=
+github.com/metacubex/quic-go v0.33.3-0.20230322045857-901b636b4594 h1:KD96JPdTIayTGGgRl6PuVqo2Bpo6+x3LqDDyqrYDDXw=
+github.com/metacubex/quic-go v0.33.3-0.20230322045857-901b636b4594/go.mod h1:9nOiGX6kqV3+ZbkDKdTNzdFD726QQHPH6WDb36jUSpA=
 github.com/metacubex/sing-shadowsocks v0.1.1-0.20230226153717-4e80da7e6947 h1:NnjC2+aIiyzzvFlo+C2WzBOJdsp+HAtu18FZomqYhUE=
 github.com/metacubex/sing-shadowsocks v0.1.1-0.20230226153717-4e80da7e6947/go.mod h1:U2gwhxzqgbhKCgn2B4z3t0Cj0LpMWFl/02BGCoG421w=
-github.com/metacubex/sing-tun v0.1.1-0.20230304153753-5058534177f3 h1:oQLThm1a8E7hHmoM9XF2cO0FZPsHVynC4YXW4b3liUI=
-github.com/metacubex/sing-tun v0.1.1-0.20230304153753-5058534177f3/go.mod h1:b/19bRRhwampNPV+1gVDyDsQHmuGDaplxPQkwJh1kj4=
+github.com/metacubex/sing-tun v0.1.3-0.20230323115055-7935ba0ac8b3 h1:LnKcLs0HI0HX4xH/2XerX+1BLXS1Uj6Xvzn20xFuCOk=
+github.com/metacubex/sing-tun v0.1.3-0.20230323115055-7935ba0ac8b3/go.mod h1:0i22nk0tgkQz/N96hrhPib1O/C5AjxSnco7Mwi2YSF0=
 github.com/metacubex/sing-wireguard v0.0.0-20230310035749-f7595fcae5cb h1:uhvzbtOvyg2c1k1H2EeVPuPvTEjDHCq4+U0AljG40P8=
 github.com/metacubex/sing-wireguard v0.0.0-20230310035749-f7595fcae5cb/go.mod h1:7mPG9qYln+CLKBcDt7Dk4c7b3S53VzEfexMVPe6T6FM=
 github.com/metacubex/uber-atomic v0.0.0-20230202125923-feb10b770370 h1:UkViS4DCESAUEYgbIEQdD02hyMacFt6Dny+1MOJtNIo=
 github.com/metacubex/uber-atomic v0.0.0-20230202125923-feb10b770370/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
-github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
+github.com/miekg/dns v1.1.52 h1:Bmlc/qsNNULOe6bpXcUTsuOajd0DzRHwup6D9k1An0c=
+github.com/miekg/dns v1.1.52/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/mroth/weightedrand/v2 v2.0.0 h1:ADehnByWbliEDIazDAKFdBHoqgHSXAkgyKqM/9YsPoo=
 github.com/mroth/weightedrand/v2 v2.0.0/go.mod h1:f2faGsfOGOwc1p94wzHKKZyTpcJUW7OJ/9U4yfiNAOU=
 github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI=
@ -125,14 +127,14 @@ github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
-github.com/sagernet/sing v0.1.8 h1:6DKo2FkSHn0nUcjO7bAext/ai7y7pCusK/+fScBJ5Jk=
-github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
+github.com/sagernet/sing v0.2.1-0.20230323071235-f8038854d286 h1:0Td2b5l1KgrdlOnbRWgFFWsyb0TLoq/tP6j9Lut4JN0=
+github.com/sagernet/sing v0.2.1-0.20230323071235-f8038854d286/go.mod h1:9uHswk2hITw8leDbiLS/xn0t9nzBcbePxzm9PJhwdlw=
 github.com/sagernet/sing-shadowtls v0.1.0 h1:05MYce8aR5xfKIn+y7xRFsdKhKt44QZTSEQW+lG5IWQ=
 github.com/sagernet/sing-shadowtls v0.1.0/go.mod h1:Kn1VUIprdkwCgkS6SXYaLmIpKzQbqBIKJBMY+RvBhYc=
-github.com/sagernet/sing-vmess v0.1.3-0.20230307060529-d110e81a50bc h1:vqlYWupvVDRpvv2F+RtECJN+VbuKjLtmQculQvOecls=
-github.com/sagernet/sing-vmess v0.1.3-0.20230307060529-d110e81a50bc/go.mod h1:V14iffGwhZPU2S7wgIiPlLWXygSjAXazYzD1w0ejBl4=
-github.com/sagernet/tfo-go v0.0.0-20230207095944-549363a7327d h1:trP/l6ZPWvQ/5Gv99Z7/t/v8iYy06akDMejxW1sznUk=
-github.com/sagernet/tfo-go v0.0.0-20230207095944-549363a7327d/go.mod h1:jk6Ii8Y3En+j2KQDLgdgQGwb3M6y7EL567jFnGYhN9g=
+github.com/sagernet/sing-vmess v0.1.3 h1:q/+tsF46dvvapL6CpQBgPHJ6nQrDUZqEtLHCbsjO7iM=
+github.com/sagernet/sing-vmess v0.1.3/go.mod h1:GVXqAHwe9U21uS+Voh4YBIrADQyE4F9v0ayGSixSQAE=
+github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9 h1:2ItpW1nMNkPzmBTxV0/eClCklHrFSQMnUGcpUmJxVeE=
+github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9/go.mod h1:FUyTEc5ye5NjKnDTDMuiLF2M6T4BE6y6KZuax//UCEg=
 github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2 h1:kDUqhc9Vsk5HJuhfIATJ8oQwBmpOZJuozQG7Vk88lL4=
 github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2/go.mod h1:JKQMZq/O2qnZjdrt+B57olmfgEmLtY9iiSIEYtWvoSM=
 github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c h1:vK2wyt9aWYHHvNLWniwijBu/n4pySypiKRhN32u/JGo=
@ -151,8 +153,8 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/u-root/uio v0.0.0-20221213070652-c3537552635f h1:dpx1PHxYqAnXzbryJrWP1NQLzEjwcVgFLhkknuFQ7ww=
 github.com/u-root/uio v0.0.0-20221213070652-c3537552635f/go.mod h1:IogEAUBXDEwX7oR/BMmCctShYs80ql4hF0ySdzGxf7E=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
@ -169,15 +171,15 @@ go.uber.org/automaxprocs v1.5.1/go.mod h1:BF4eumQw0P9GtnuxxovUd06vwm1o18oMzFtK66
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/exp v0.0.0-20221205204356-47842c84f3db h1:D/cFflL63o2KSLJIwjlcIt8PR064j/xsmdEJL/YvY/o=
-golang.org/x/exp v0.0.0-20221205204356-47842c84f3db/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/exp v0.0.0-20230321023759-10a507213a29 h1:ooxPy7fPvB4kwsA2h+iBNHkAbp/4JxTSwCmvdjEYmug=
+golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=
-golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190419010253-1f3472d942ba/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@ -189,9 +191,8 @@ golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
@ -213,21 +214,18 @@ golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -235,9 +233,8 @@ golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.5.0 h1:+bSpV5HIeWkuvgaMfI3UmKRThoTA5ODJTUd8T17NO+4=
-golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
+golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@ -75,24 +75,38 @@ func ParseWithBytes(buf []byte) (*config.Config, error) {
 func ApplyConfig(cfg *config.Config, force bool) {
 	mux.Lock()
 	defer mux.Unlock()
-	preUpdateExperimental(cfg)
+
+	tunnel.OnSuspend()
+
+	CTLS.ResetCertificate()
+	for _, c := range cfg.TLS.CustomTrustCert {
+		if err := CTLS.AddCertificate(c); err != nil {
+			log.Warnln("%s\nadd error: %s", c, err.Error())
+		}
+	}
+
 	updateUsers(cfg.Users)
 	updateProxies(cfg.Proxies, cfg.Providers)
 	updateRules(cfg.Rules, cfg.SubRules, cfg.RuleProviders)
 	updateSniffer(cfg.Sniffer)
 	updateHosts(cfg.Hosts)
 	updateGeneral(cfg.General)
-	initInnerTcp()
 	updateDNS(cfg.DNS, cfg.General.IPv6)
-	loadProxyProvider(cfg.Providers)
-	updateProfile(cfg)
-	loadRuleProvider(cfg.RuleProviders)
 	updateListeners(cfg.General, cfg.Listeners, force)
 	updateIPTables(cfg)
 	updateTun(cfg.General)
 	updateExperimental(cfg)
 	updateTunnels(cfg.Tunnels)

+	tunnel.OnInnerLoading()
+
+	initInnerTcp()
+	loadProxyProvider(cfg.Providers)
+	updateProfile(cfg)
+	loadRuleProvider(cfg.RuleProviders)
+
+	tunnel.OnRunning()
+
 	log.SetLevel(cfg.General.LogLevel)
 }

@ -144,10 +158,6 @@ func updateListeners(general *config.General, listeners map[string]C.InboundList
 		return
 	}

-	if general.Interface == "" && (!general.Tun.Enable || !general.Tun.AutoDetectInterface) {
-		dialer.DefaultInterface.Store(general.Interface)
-	}
-
 	allowLan := general.AllowLan
 	listener.SetAllowLan(allowLan)

@ -168,15 +178,6 @@ func updateExperimental(c *config.Config) {
 	runtime.GC()
 }

-func preUpdateExperimental(c *config.Config) {
-	CTLS.ResetCertificate()
-	for _, c := range c.TLS.CustomTrustCert {
-		if err := CTLS.AddCertificate(c); err != nil {
-			log.Warnln("%s\nadd error: %s", c, err.Error())
-		}
-	}
-}
-
 func updateDNS(c *config.DNS, generalIPv6 bool) {
 	if !c.Enable {
 		resolver.DefaultResolver = nil
@ -342,17 +343,8 @@ func updateGeneral(general *config.General) {
 	inbound.SetTfo(general.InboundTfo)

 	adapter.UnifiedDelay.Store(general.UnifiedDelay)
-	// Avoid reload configuration clean the value, causing traffic loops
-	if listener.GetTunConf().Enable && listener.GetTunConf().AutoDetectInterface {
-		// changed only when the name is specified
-		// if name is empty, setting delay until after tun loaded
-		if general.Interface != "" && (!general.Tun.Enable || !general.Tun.AutoDetectInterface) {
-			dialer.DefaultInterface.Store(general.Interface)
-		}
-	} else {
-		dialer.DefaultInterface.Store(general.Interface)
-	}

+	dialer.DefaultInterface.Store(general.Interface)
 	dialer.DefaultRoutingMark.Store(int32(general.RoutingMark))
 	if general.RoutingMark > 0 {
 		log.Infoln("Use routing mark: %#x", general.RoutingMark)
--- a/hub/route/configs.go
+++ b/hub/route/configs.go
@ -80,6 +80,7 @@ type tunSchema struct {
 	ExcludePackage         *[]string          `yaml:"exclude-package" json:"exclude-package,omitempty"`
 	EndpointIndependentNat *bool              `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
 	UDPTimeout             *int64             `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
+	FileDescriptor         *int               `yaml:"file-descriptor" json:"file-descriptor"`
 }

 type tuicServerSchema struct {
@ -169,6 +170,9 @@ func pointerOrDefaultTun(p *tunSchema, def LC.Tun) LC.Tun {
 		if p.UDPTimeout != nil {
 			def.UDPTimeout = *p.UDPTimeout
 		}
+		if p.FileDescriptor != nil {
+			def.FileDescriptor = *p.FileDescriptor
+		}
 	}
 	return def
 }
--- a/hub/route/restart.go
+++ b/hub/route/restart.go
@ -0,0 +1,62 @@
+package route
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+	"os/exec"
+	"runtime"
+	"syscall"
+
+	"github.com/Dreamacro/clash/log"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/render"
+)
+
+func restartRouter() http.Handler {
+	r := chi.NewRouter()
+	r.Post("/", restart)
+	return r
+}
+
+func restart(w http.ResponseWriter, r *http.Request) {
+	// modify from https://github.com/AdguardTeam/AdGuardHome/blob/595484e0b3fb4c457f9bb727a6b94faa78a66c5f/internal/home/controlupdate.go#L108
+	execPath, err := os.Executable()
+	if err != nil {
+		render.Status(r, http.StatusInternalServerError)
+		render.JSON(w, r, newError(fmt.Sprintf("getting path: %s", err)))
+		return
+	}
+
+	render.JSON(w, r, render.M{"status": "ok"})
+	if f, ok := w.(http.Flusher); ok {
+		f.Flush()
+	}
+
+	// modify from https://github.com/AdguardTeam/AdGuardHome/blob/595484e0b3fb4c457f9bb727a6b94faa78a66c5f/internal/home/controlupdate.go#L180
+	// The background context is used because the underlying functions wrap it
+	// with timeout and shut down the server, which handles current request.  It
+	// also should be done in a separate goroutine for the same reason.
+	go func() {
+		if runtime.GOOS == "windows" {
+			cmd := exec.Command(execPath, os.Args[1:]...)
+			log.Infoln("restarting: %q %q", execPath, os.Args[1:])
+			cmd.Stdin = os.Stdin
+			cmd.Stdout = os.Stdout
+			cmd.Stderr = os.Stderr
+			err = cmd.Start()
+			if err != nil {
+				log.Fatalln("restarting: %s", err)
+			}
+
+			os.Exit(0)
+		}
+
+		log.Infoln("restarting: %q %q", execPath, os.Args[1:])
+		err = syscall.Exec(execPath, os.Args, os.Environ())
+		if err != nil {
+			log.Fatalln("restarting: %s", err)
+		}
+	}()
+}
--- a/hub/route/server.go
+++ b/hub/route/server.go
@ -86,6 +86,9 @@ func Start(addr string, tlsAddr string, secret string,
 		r.Mount("/providers/rules", ruleProviderRouter())
 		r.Mount("/cache", cacheRouter())
 		r.Mount("/dns", dnsRouter())
+		r.Mount("/restart", restartRouter())
+		r.Mount("/upgrade", upgradeRouter())
+
 	})

 	if uiPath != "" {
--- a/hub/route/upgrade.go
+++ b/hub/route/upgrade.go
@ -0,0 +1,28 @@
+package route
+
+import (
+	"net/http"
+
+	"github.com/Dreamacro/clash/hub/updater"
+	"github.com/Dreamacro/clash/log"
+
+	"github.com/go-chi/chi/v5"
+)
+
+func upgradeRouter() http.Handler {
+	r := chi.NewRouter()
+	r.Post("/", upgrade)
+	return r
+}
+
+func upgrade(w http.ResponseWriter, r *http.Request) {
+	// modify from https://github.com/AdguardTeam/AdGuardHome/blob/595484e0b3fb4c457f9bb727a6b94faa78a66c5f/internal/home/controlupdate.go#L108
+	log.Infoln("start update")
+	err := updater.Update()
+	if err != nil {
+		log.Errorln("err:%s", err)
+		return
+	}
+
+	restart(w, r)
+}
--- a/hub/updater/limitedreader.go
+++ b/hub/updater/limitedreader.go
@ -0,0 +1,67 @@
+package updater
+
+import (
+	"fmt"
+	"io"
+
+	"golang.org/x/exp/constraints"
+)
+
+// LimitReachedError records the limit and the operation that caused it.
+type LimitReachedError struct {
+	Limit int64
+}
+
+// Error implements the [error] interface for *LimitReachedError.
+//
+// TODO(a.garipov): Think about error string format.
+func (lre *LimitReachedError) Error() string {
+	return fmt.Sprintf("attempted to read more than %d bytes", lre.Limit)
+}
+
+// limitedReader is a wrapper for [io.Reader] limiting the input and dealing
+// with errors package.
+type limitedReader struct {
+	r     io.Reader
+	limit int64
+	n     int64
+}
+
+// Read implements the [io.Reader] interface.
+func (lr *limitedReader) Read(p []byte) (n int, err error) {
+	if lr.n == 0 {
+		return 0, &LimitReachedError{
+			Limit: lr.limit,
+		}
+	}
+
+	p = p[:Min(lr.n, int64(len(p)))]
+
+	n, err = lr.r.Read(p)
+	lr.n -= int64(n)
+
+	return n, err
+}
+
+// LimitReader wraps Reader to make it's Reader stop with ErrLimitReached after
+// n bytes read.
+func LimitReader(r io.Reader, n int64) (limited io.Reader, err error) {
+	if n < 0 {
+		return nil, &updateError{Message: "limit must be non-negative"}
+	}
+
+	return &limitedReader{
+		r:     r,
+		limit: n,
+		n:     n,
+	}, nil
+}
+
+// Min returns the smaller of x or y.
+func Min[T constraints.Integer | ~string](x, y T) (res T) {
+	if x < y {
+		return x
+	}
+
+	return y
+}
--- a/hub/updater/updater.go
+++ b/hub/updater/updater.go
@ -0,0 +1,475 @@
+package updater
+
+import (
+	"archive/zip"
+	"compress/gzip"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"time"
+
+	clashHttp "github.com/Dreamacro/clash/component/http"
+	"github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
+)
+
+// modify from https://github.com/AdguardTeam/AdGuardHome/blob/595484e0b3fb4c457f9bb727a6b94faa78a66c5f/internal/updater/updater.go
+// Updater is the Clash.Meta updater.
+var (
+	goarch string
+	goos   string
+	goarm  string
+	gomips string
+
+	workDir string
+
+	// mu protects all fields below.
+	mu sync.RWMutex
+
+	currentExeName string // 当前可执行文件
+	updateDir      string // 更新目录
+	packageName    string // 更新压缩文件
+	backupDir      string // 备份目录
+	backupExeName  string // 备份文件名
+	updateExeName  string // 更新后的可执行文件
+
+	baseURL       string = "https://github.com/MetaCubeX/Clash.Meta/releases/download/Prerelease-Alpha/clash.meta"
+	versionURL    string = "https://github.com/MetaCubeX/Clash.Meta/releases/download/Prerelease-Alpha/version.txt"
+	packageURL    string
+	latestVersion string
+)
+
+type updateError struct {
+	Message string
+}
+
+func (e *updateError) Error() string {
+	return fmt.Sprintf("error: %s", e.Message)
+}
+
+// Update performs the auto-updater.  It returns an error if the updater failed.
+// If firstRun is true, it assumes the configuration file doesn't exist.
+func Update() (err error) {
+	mu.Lock()
+	defer mu.Unlock()
+
+	goos = runtime.GOOS
+	goarch = runtime.GOARCH
+	latestVersion, err = getLatestVersion()
+	if err != nil {
+		err := &updateError{Message: err.Error()}
+		return err
+	}
+
+	log.Infoln("current version alpha-%s, latest version alpha-%s", constant.Version, latestVersion)
+
+	if latestVersion == constant.Version {
+		err := &updateError{Message: "Already using latest version"}
+		return err
+	}
+
+	updateDownloadURL()
+
+	defer func() {
+		if err != nil {
+			log.Errorln("updater: failed: %v", err)
+		} else {
+			log.Infoln("updater: finished")
+		}
+	}()
+
+	execPath, err := os.Executable()
+	if err != nil {
+		return fmt.Errorf("getting executable path: %w", err)
+	}
+
+	workDir = filepath.Dir(execPath)
+
+	err = prepare(execPath)
+	if err != nil {
+		return fmt.Errorf("preparing: %w", err)
+	}
+
+	defer clean()
+
+	err = downloadPackageFile()
+	if err != nil {
+		return fmt.Errorf("downloading package file: %w", err)
+	}
+
+	err = unpack()
+	if err != nil {
+		return fmt.Errorf("unpacking: %w", err)
+	}
+
+	err = backup()
+	if err != nil {
+		return fmt.Errorf("replacing: %w", err)
+	}
+
+	err = replace()
+	if err != nil {
+		return fmt.Errorf("replacing: %w", err)
+	}
+
+	return nil
+}
+
+// prepare fills all necessary fields in Updater object.
+func prepare(exePath string) (err error) {
+	updateDir = filepath.Join(workDir, "meta-update")
+	currentExeName = exePath
+	_, pkgNameOnly := filepath.Split(packageURL)
+	if pkgNameOnly == "" {
+		return fmt.Errorf("invalid PackageURL: %q", packageURL)
+	}
+
+	packageName = filepath.Join(updateDir, pkgNameOnly)
+	//log.Infoln(packageName)
+	backupDir = filepath.Join(workDir, "meta-backup")
+
+	if goos == "windows" {
+		updateExeName = "clash.meta" + "-" + goos + "-" + goarch + ".exe"
+	} else {
+		updateExeName = "clash.meta" + "-" + goos + "-" + goarch
+	}
+
+	log.Infoln("updateExeName: %s ", updateExeName)
+
+	backupExeName = filepath.Join(backupDir, filepath.Base(exePath))
+	updateExeName = filepath.Join(updateDir, updateExeName)
+
+	log.Infoln(
+		"updater: updating using url: %s",
+		packageURL,
+	)
+
+	currentExeName = exePath
+	_, err = os.Stat(currentExeName)
+	if err != nil {
+		return fmt.Errorf("checking %q: %w", currentExeName, err)
+	}
+
+	return nil
+}
+
+// unpack extracts the files from the downloaded archive.
+func unpack() error {
+	var err error
+	_, pkgNameOnly := filepath.Split(packageURL)
+
+	log.Debugln("updater: unpacking package")
+	if strings.HasSuffix(pkgNameOnly, ".zip") {
+		_, err = zipFileUnpack(packageName, updateDir)
+		if err != nil {
+			return fmt.Errorf(".zip unpack failed: %w", err)
+		}
+
+	} else if strings.HasSuffix(pkgNameOnly, ".gz") {
+		_, err = gzFileUnpack(packageName, updateDir)
+		if err != nil {
+			return fmt.Errorf(".gz unpack failed: %w", err)
+		}
+
+	} else {
+		return fmt.Errorf("unknown package extension")
+	}
+
+	return nil
+}
+
+// backup makes a backup of the current configuration and supporting files.  It
+// ignores the configuration file if firstRun is true.
+func backup() (err error) {
+	log.Infoln("updater: backing up current Exefile")
+	_ = os.Mkdir(backupDir, 0o755)
+
+	err = copyFile(currentExeName, backupExeName)
+	if err != nil {
+		return fmt.Errorf("copySupportingFiles(%s, %s) failed: %w", currentExeName, backupExeName, err)
+	}
+
+	return nil
+}
+
+// replace moves the current executable with the updated one and also copies the
+// supporting files.
+func replace() error {
+	var err error
+
+	// log.Infoln("updater: renaming: %s to %s", currentExeName, backupExeName)
+	// err := os.Rename(currentExeName, backupExeName)
+	// if err != nil {
+	// 	return err
+	// }
+
+	if goos == "windows" {
+		// rename fails with "File in use" error
+		log.Infoln("copying: %s to %s", updateExeName, currentExeName)
+		err = copyFile(updateExeName, currentExeName)
+	} else {
+		log.Infoln("copying: %s to %s", updateExeName, currentExeName)
+		err = os.Rename(updateExeName, currentExeName)
+	}
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// clean removes the temporary directory itself and all it's contents.
+func clean() {
+	_ = os.RemoveAll(updateDir)
+}
+
+// MaxPackageFileSize is a maximum package file length in bytes. The largest
+// package whose size is limited by this constant currently has the size of
+// approximately 9 MiB.
+const MaxPackageFileSize = 32 * 1024 * 1024
+
+// Download package file and save it to disk
+func downloadPackageFile() (err error) {
+	// var resp *http.Response
+	// resp, err = client.Get(packageURL)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
+	defer cancel()
+	resp, err := clashHttp.HttpRequest(ctx, packageURL, http.MethodGet, http.Header{"User-Agent": {"clash"}}, nil)
+	if err != nil {
+		return fmt.Errorf("http request failed: %w", err)
+	}
+
+	defer func() {
+		closeErr := resp.Body.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+
+	var r io.Reader
+	r, err = LimitReader(resp.Body, MaxPackageFileSize)
+	if err != nil {
+		return fmt.Errorf("http request failed: %w", err)
+	}
+
+	log.Debugln("updater: reading http body")
+	// This use of ReadAll is now safe, because we limited body's Reader.
+	body, err := io.ReadAll(r)
+	if err != nil {
+		return fmt.Errorf("io.ReadAll() failed: %w", err)
+	}
+
+	log.Debugln("updateDir %s", updateDir)
+	err = os.Mkdir(updateDir, 0o755)
+	if err != nil {
+		return fmt.Errorf("mkdir error: %w", err)
+	}
+
+	log.Debugln("updater: saving package to file %s", packageName)
+	err = os.WriteFile(packageName, body, 0o644)
+	if err != nil {
+		return fmt.Errorf("os.WriteFile() failed: %w", err)
+	}
+	return nil
+}
+
+// Unpack a single .gz file to the specified directory
+// Existing files are overwritten
+// All files are created inside outDir, subdirectories are not created
+// Return the output file name
+func gzFileUnpack(gzfile, outDir string) (string, error) {
+	f, err := os.Open(gzfile)
+	if err != nil {
+		return "", fmt.Errorf("os.Open(): %w", err)
+	}
+
+	defer func() {
+		closeErr := f.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+
+	gzReader, err := gzip.NewReader(f)
+	if err != nil {
+		return "", fmt.Errorf("gzip.NewReader(): %w", err)
+	}
+
+	defer func() {
+		closeErr := gzReader.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+	// Get the original file name from the .gz file header
+	originalName := gzReader.Header.Name
+	if originalName == "" {
+		// Fallback: remove the .gz extension from the input file name if the header doesn't provide the original name
+		originalName = filepath.Base(gzfile)
+		originalName = strings.TrimSuffix(originalName, ".gz")
+	}
+
+	outputName := filepath.Join(outDir, originalName)
+
+	// Create the output file
+	wc, err := os.OpenFile(
+		outputName,
+		os.O_WRONLY|os.O_CREATE|os.O_TRUNC,
+		0o755,
+	)
+	if err != nil {
+		return "", fmt.Errorf("os.OpenFile(%s): %w", outputName, err)
+	}
+
+	defer func() {
+		closeErr := wc.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+
+	// Copy the contents of the gzReader to the output file
+	_, err = io.Copy(wc, gzReader)
+	if err != nil {
+		return "", fmt.Errorf("io.Copy(): %w", err)
+	}
+
+	return outputName, nil
+}
+
+// Unpack a single file from .zip file to the specified directory
+// Existing files are overwritten
+// All files are created inside 'outDir', subdirectories are not created
+// Return the output file name
+func zipFileUnpack(zipfile, outDir string) (string, error) {
+	zrc, err := zip.OpenReader(zipfile)
+	if err != nil {
+		return "", fmt.Errorf("zip.OpenReader(): %w", err)
+	}
+
+	defer func() {
+		closeErr := zrc.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+	if len(zrc.File) == 0 {
+		return "", fmt.Errorf("no files in the zip archive")
+	}
+
+	// Assuming the first file in the zip archive is the target file
+	zf := zrc.File[0]
+	var rc io.ReadCloser
+	rc, err = zf.Open()
+	if err != nil {
+		return "", fmt.Errorf("zip file Open(): %w", err)
+	}
+
+	defer func() {
+		closeErr := rc.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+	fi := zf.FileInfo()
+	name := fi.Name()
+	outputName := filepath.Join(outDir, name)
+
+	if fi.IsDir() {
+		return "", fmt.Errorf("the target file is a directory")
+	}
+
+	var wc io.WriteCloser
+	wc, err = os.OpenFile(outputName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fi.Mode())
+	if err != nil {
+		return "", fmt.Errorf("os.OpenFile(): %w", err)
+	}
+
+	defer func() {
+		closeErr := wc.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+	_, err = io.Copy(wc, rc)
+	if err != nil {
+		return "", fmt.Errorf("io.Copy(): %w", err)
+	}
+
+	return outputName, nil
+}
+
+// Copy file on disk
+func copyFile(src, dst string) error {
+	d, e := os.ReadFile(src)
+	if e != nil {
+		return e
+	}
+	e = os.WriteFile(dst, d, 0o644)
+	if e != nil {
+		return e
+	}
+	return nil
+}
+
+func getLatestVersion() (version string, err error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer cancel()
+	resp, err := clashHttp.HttpRequest(ctx, versionURL, http.MethodGet, http.Header{"User-Agent": {"clash"}}, nil)
+	if err != nil {
+		return "", fmt.Errorf("get Latest Version fail: %w", err)
+	}
+	defer func() {
+		closeErr := resp.Body.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", fmt.Errorf("get Latest Version fail: %w", err)
+	}
+	content := strings.TrimRight(string(body), "\n")
+	return content, nil
+}
+
+func updateDownloadURL() {
+	var middle string
+
+	if goarch == "arm" && goarm != "" {
+		middle = fmt.Sprintf("-%s-%sv%s-%s", goos, goarch, goarm, latestVersion)
+	} else if isMIPS(goarch) && gomips != "" {
+		middle = fmt.Sprintf("-%s-%s-%s-%s", goos, goarch, gomips, latestVersion)
+	} else {
+		middle = fmt.Sprintf("-%s-%s-%s", goos, goarch, latestVersion)
+	}
+
+	if goos == "windows" {
+		middle += ".zip"
+	} else {
+		middle += ".gz"
+	}
+	packageURL = baseURL + middle
+	//log.Infoln(packageURL)
+}
+
+// isMIPS returns true if arch is any MIPS architecture.
+func isMIPS(arch string) (ok bool) {
+	switch arch {
+	case
+		"mips",
+		"mips64",
+		"mips64le",
+		"mipsle":
+		return true
+	default:
+		return false
+	}
+}
--- a/listener/config/shadowsocks.go
+++ b/listener/config/shadowsocks.go
@ -9,6 +9,7 @@ type ShadowsocksServer struct {
 	Listen   string
 	Password string
 	Cipher   string
+	Udp      bool
 }

 func (t ShadowsocksServer) String() string {
--- a/listener/config/tuic.go
+++ b/listener/config/tuic.go
@ -15,6 +15,7 @@ type TuicServer struct {
 	AuthenticationTimeout int      `yaml:"authentication-timeout" json:"authentication-timeout,omitempty"`
 	ALPN                  []string `yaml:"alpn" json:"alpn,omitempty"`
 	MaxUdpRelayPacketSize int      `yaml:"max-udp-relay-packet-size" json:"max-udp-relay-packet-size,omitempty"`
+	MaxDatagramFrameSize  int      `yaml:"max-datagram-frame-size" json:"max-datagram-frame-size,omitempty"`
 }

 func (t TuicServer) String() string {
--- a/listener/config/tun.go
+++ b/listener/config/tun.go
@ -95,4 +95,5 @@ type Tun struct {
 	ExcludePackage         []string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
 	EndpointIndependentNat bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
 	UDPTimeout             int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
+	FileDescriptor         int            `yaml:"file-descriptor" json:"file-descriptor"`
 }
--- a/listener/inbound/shadowsocks.go
+++ b/listener/inbound/shadowsocks.go
@ -11,6 +11,7 @@ type ShadowSocksOption struct {
 	BaseOption
 	Password string `inbound:"password"`
 	Cipher   string `inbound:"cipher"`
+	UDP      bool   `inbound:"udp,omitempty"`
 }

 func (o ShadowSocksOption) Equal(config C.InboundConfig) bool {
@ -37,6 +38,7 @@ func NewShadowSocks(options *ShadowSocksOption) (*ShadowSocks, error) {
 			Listen:   base.RawAddress(),
 			Password: options.Password,
 			Cipher:   options.Cipher,
+			Udp:      options.UDP,
 		},
 	}, nil
 }
--- a/listener/inbound/tproxy.go
+++ b/listener/inbound/tproxy.go
@ -56,14 +56,11 @@ func (t *TProxy) Listen(tcpIn chan<- C.ConnContext, udpIn chan<- C.PacketAdapter
 		return err
 	}
 	if t.udp {
-		if t.lUDP != nil {
 		t.lUDP, err = tproxy.NewUDP(t.RawAddress(), udpIn, natTable, t.Additions()...)
 		if err != nil {
 			return err
 		}
 	}
-
-	}
 	log.Infoln("TProxy[%s] proxy listening at: %s", t.Name(), t.Address())
 	return nil
 }
--- a/listener/inbound/tun.go
+++ b/listener/inbound/tun.go
@ -33,6 +33,7 @@ type TunOption struct {
 	ExcludePackage         []string `inbound:"exclude_package,omitempty"`
 	EndpointIndependentNat bool     `inbound:"endpoint_independent_nat,omitempty"`
 	UDPTimeout             int64    `inbound:"udp_timeout,omitempty"`
+	FileDescriptor         int      `inbound:"file-descriptor,omitempty"`
 }

 func (o TunOption) Equal(config C.InboundConfig) bool {
@ -96,6 +97,7 @@ func NewTun(options *TunOption) (*Tun, error) {
 			ExcludePackage:         options.ExcludePackage,
 			EndpointIndependentNat: options.EndpointIndependentNat,
 			UDPTimeout:             options.UDPTimeout,
+			FileDescriptor:         options.FileDescriptor,
 		},
 	}, nil
 }
--- a/listener/listener.go
+++ b/listener/listener.go
@ -271,6 +271,7 @@ func ReCreateShadowSocks(shadowSocksConfig string, tcpIn chan<- C.ConnContext, u
 			Listen:   addr,
 			Password: password,
 			Cipher:   cipher,
+			Udp:      true,
 		}
 	}

@ -821,7 +822,8 @@ func hasTunConfigChange(tunConf *LC.Tun) bool {
 		LastTunConf.MTU != tunConf.MTU ||
 		LastTunConf.StrictRoute != tunConf.StrictRoute ||
 		LastTunConf.EndpointIndependentNat != tunConf.EndpointIndependentNat ||
-		LastTunConf.UDPTimeout != tunConf.UDPTimeout {
+		LastTunConf.UDPTimeout != tunConf.UDPTimeout ||
+		LastTunConf.FileDescriptor != tunConf.FileDescriptor {
 		return true
 	}

--- a/listener/parse.go
+++ b/listener/parse.go
@ -73,7 +73,7 @@ func ParseListener(mapping map[string]any) (C.InboundListener, error) {
 		}
 		listener, err = IN.NewTun(tunOption)
 	case "shadowsocks":
-		shadowsocksOption := &IN.ShadowSocksOption{}
+		shadowsocksOption := &IN.ShadowSocksOption{UDP: true}
 		err = decoder.Decode(mapping, shadowsocksOption)
 		if err != nil {
 			return nil, err
--- a/listener/shadowsocks/tcp.go
+++ b/listener/shadowsocks/tcp.go
@ -33,12 +33,14 @@ func New(config LC.ShadowsocksServer, tcpIn chan<- C.ConnContext, udpIn chan<- C
 	for _, addr := range strings.Split(config.Listen, ",") {
 		addr := addr

+		if config.Udp {
 			//UDP
 			ul, err := NewUDP(addr, pickCipher, udpIn)
 			if err != nil {
 				return nil, err
 			}
 			sl.udpListeners = append(sl.udpListeners, ul)
+		}

 		//TCP
 		l, err := inbound.Listen("tcp", addr)
--- a/listener/sing/sing.go
+++ b/listener/sing/sing.go
@ -5,6 +5,7 @@ import (
 	"errors"
 	"golang.org/x/exp/slices"
 	"net"
+	"net/netip"
 	"sync"
 	"time"

@ -28,6 +29,7 @@ type ListenerHandler struct {
 	UdpIn      chan<- C.PacketAdapter
 	Type       C.Type
 	Additions  []inbound.Addition
+	UDPTimeout time.Duration
 }

 type waitCloseConn struct {
@ -61,9 +63,16 @@ func (h *ListenerHandler) NewConnection(ctx context.Context, conn net.Conn, meta
 	switch metadata.Destination.Fqdn {
 	case vmess.MuxDestination.Fqdn:
 		return vmess.HandleMuxConnection(ctx, conn, h)
-	case uot.UOTMagicAddress:
-		metadata.Destination = M.Socksaddr{}
-		return h.NewPacketConnection(ctx, uot.NewClientConn(conn), metadata)
+	case uot.MagicAddress:
+		request, err := uot.ReadRequest(conn)
+		if err != nil {
+			return E.Cause(err, "read UoT request")
+		}
+		metadata.Destination = request.Destination
+		return h.NewPacketConnection(ctx, uot.NewConn(conn, *request), metadata)
+	case uot.LegacyMagicAddress:
+		metadata.Destination = M.Socksaddr{Addr: netip.IPv4Unspecified()}
+		return h.NewPacketConnection(ctx, uot.NewConn(conn, uot.Request{}), metadata)
 	}
 	target := socks5.ParseAddr(metadata.Destination.String())
 	wg := &sync.WaitGroup{}
@ -151,6 +160,9 @@ func (c *packet) WriteBack(b []byte, addr net.Addr) (n int, err error) {
 		return
 	}
 	err = conn.WritePacket(buff, M.SocksaddrFromNet(addr))
+	if err != nil {
+		return
+	}
 	return
 }

--- a/listener/sing_shadowsocks/server.go
+++ b/listener/sing_shadowsocks/server.go
@ -76,6 +76,7 @@ func New(config LC.ShadowsocksServer, tcpIn chan<- C.ConnContext, udpIn chan<- C
 	for _, addr := range strings.Split(config.Listen, ",") {
 		addr := addr

+		if config.Udp {
 			//UDP
 			ul, err := net.ListenPacket("udp", addr)
 			if err != nil {
@ -107,6 +108,7 @@ func New(config LC.ShadowsocksServer, tcpIn chan<- C.ConnContext, udpIn chan<- C
 					})
 				}
 			}()
+		}

 		//TCP
 		l, err := inbound.Listen("tcp", addr)
--- a/listener/sing_tun/server.go
+++ b/listener/sing_tun/server.go
@ -8,6 +8,7 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"time"

 	"github.com/Dreamacro/clash/adapter/inbound"
 	"github.com/Dreamacro/clash/component/dialer"
@ -155,6 +156,7 @@ func New(options LC.Tun, tcpIn chan<- C.ConnContext, udpIn chan<- C.PacketAdapte
 			UdpIn:      udpIn,
 			Type:       C.TUN,
 			Additions:  additions,
+			UDPTimeout: time.Second * time.Duration(udpTimeout),
 		},
 		DnsAdds: dnsAdds,
 	}
@ -212,6 +214,7 @@ func New(options LC.Tun, tcpIn chan<- C.ConnContext, udpIn chan<- C.PacketAdapte
 		IncludeAndroidUser: options.IncludeAndroidUser,
 		IncludePackage:     options.IncludePackage,
 		ExcludePackage:     options.ExcludePackage,
+		FileDescriptor:     options.FileDescriptor,
 		InterfaceMonitor:   defaultInterfaceMonitor,
 		TableIndex:         2022,
 	}
--- a/listener/tuic/server.go
+++ b/listener/tuic/server.go
@ -61,6 +61,16 @@ func New(config LC.TuicServer, tcpIn chan<- C.ConnContext, udpIn chan<- C.Packet
 	quicConfig.InitialConnectionReceiveWindow = tuic.DefaultConnectionReceiveWindow / 10
 	quicConfig.MaxConnectionReceiveWindow = tuic.DefaultConnectionReceiveWindow

+	if config.MaxUdpRelayPacketSize == 0 {
+		config.MaxUdpRelayPacketSize = 1500
+	}
+	maxDatagramFrameSize := config.MaxUdpRelayPacketSize + tuic.PacketOverHead
+	if maxDatagramFrameSize > 1400 {
+		maxDatagramFrameSize = 1400
+	}
+	config.MaxUdpRelayPacketSize = maxDatagramFrameSize - tuic.PacketOverHead
+	quicConfig.MaxDatagramFrameSize = int64(maxDatagramFrameSize)
+
 	tokens := make([][32]byte, len(config.Token))
 	for i, token := range config.Token {
 		tokens[i] = tuic.GenTKN(token)
--- a/transport/restls/restls.go
+++ b/transport/restls/restls.go
@ -0,0 +1,39 @@
+package restls
+
+import (
+	"context"
+	"net"
+
+	tls "github.com/3andne/restls-client-go"
+)
+
+const (
+	Mode string = "restls"
+)
+
+type Restls struct {
+	*tls.UConn
+}
+
+func (r *Restls) Upstream() any {
+	return r.UConn.NetConn()
+}
+
+// NewRestls return a Restls Connection
+func NewRestls(ctx context.Context, conn net.Conn, config *tls.Config) (net.Conn, error) {
+	clientHellowID := tls.HelloChrome_Auto
+	if config != nil {
+		clientIDPtr := config.ClientID.Load()
+		if clientIDPtr != nil {
+			clientHellowID = *clientIDPtr
+		}
+	}
+	restls := &Restls{
+		UConn: tls.UClient(conn, config, clientHellowID),
+	}
+	if err := restls.HandshakeContext(ctx); err != nil {
+		return nil, err
+	}
+
+	return restls, nil
+}
--- a/transport/tuic/conn.go
+++ b/transport/tuic/conn.go
@ -1,7 +1,6 @@
 package tuic

 import (
-	"fmt"
 	"net"
 	"net/netip"
 	"sync"
@ -201,7 +200,7 @@ func (q *quicStreamPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err err

 func (q *quicStreamPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
 	if q.udpRelayMode != "quic" && len(p) > q.maxUdpRelayPacketSize {
-		return 0, fmt.Errorf("udp packet too large(%d > %d)", len(p), q.maxUdpRelayPacketSize)
+		return 0, quic.ErrMessageTooLarge(q.maxUdpRelayPacketSize)
 	}
 	if q.closed {
 		return 0, net.ErrClosed
@ -250,29 +249,7 @@ func (q *quicStreamPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err erro
 }

 func (q *quicStreamPacketConn) LocalAddr() net.Addr {
-	addr := q.quicConn.LocalAddr()
-	if q.inputConn != nil { // client
-		return &packetAddr{addrStr: q.quicConn.LocalAddr().String(), connId: q.connId, rawAddr: addr}
-	}
-	return addr // server
+	return q.quicConn.LocalAddr()
 }

 var _ net.PacketConn = &quicStreamPacketConn{}
-
-type packetAddr struct {
-	addrStr string
-	connId  uint32
-	rawAddr net.Addr
-}
-
-func (a packetAddr) Network() string {
-	return "tuic"
-}
-
-func (a packetAddr) String() string {
-	return fmt.Sprintf("%s-%d", a.addrStr, a.connId)
-}
-
-func (a packetAddr) RawAddr() net.Addr {
-	return a.rawAddr
-}
--- a/transport/tuic/protocol.go
+++ b/transport/tuic/protocol.go
@ -282,6 +282,8 @@ func (c Packet) BytesLen() int {
 	return c.CommandHead.BytesLen() + 4 + 2 + c.ADDR.BytesLen() + len(c.DATA)
 }

+var PacketOverHead = NewPacket(0, 0, NewAddressAddrPort(netip.AddrPortFrom(netip.IPv6Unspecified(), 0)), nil).BytesLen()
+
 type Dissociate struct {
 	CommandHead
 	ASSOC_ID uint32
--- a/transport/tuic/server.go
+++ b/transport/tuic/server.go
@ -5,6 +5,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"fmt"
 	"net"
 	"sync"
 	"sync/atomic"
@ -55,14 +56,10 @@ func (s *Server) Serve() error {
 			return err
 		}
 		SetCongestionController(conn, s.CongestionController)
-		uuid, err := utils.UnsafeUUIDGenerator.NewV4()
-		if err != nil {
-			return err
-		}
 		h := &serverHandler{
 			Server:   s,
 			quicConn: conn,
-			uuid:     uuid,
+			uuid:     utils.NewUUIDV4(),
 			authCh:   make(chan struct{}),
 		}
 		go h.handle()
@ -153,7 +150,7 @@ func (s *serverHandler) parsePacket(packet Packet, udpRelayMode string) (err err
 	return s.HandleUdpFn(packet.ADDR.SocksAddr(), &serverUDPPacket{
 		pc:     pc,
 		packet: &packet,
-		rAddr:  &packetAddr{addrStr: "tuic-" + s.uuid.String(), connId: assocId, rawAddr: s.quicConn.RemoteAddr()},
+		rAddr:  N.NewCustomAddr("tuic", fmt.Sprintf("tuic-%s-%d", s.uuid, assocId), s.quicConn.RemoteAddr()), // for tunnel's handleUDPConn
 	})
 }

--- a/tunnel/statistic/tracker.go
+++ b/tunnel/statistic/tracker.go
@ -83,7 +83,6 @@ func (tt *tcpTracker) Upstream() any {
 }

 func NewTCPTracker(conn C.Conn, manager *Manager, metadata *C.Metadata, rule C.Rule, uploadTotal int64, downloadTotal int64) *tcpTracker {
-	uuid, _ := utils.UnsafeUUIDGenerator.NewV4()
 	if conn != nil {
 		if tcpAddr, ok := conn.RemoteAddr().(*net.TCPAddr); ok {
 			metadata.RemoteDst = tcpAddr.IP.String()
@ -96,7 +95,7 @@ func NewTCPTracker(conn C.Conn, manager *Manager, metadata *C.Metadata, rule C.R
 		Conn:    conn,
 		manager: manager,
 		trackerInfo: &trackerInfo{
-			UUID:          uuid,
+			UUID:          utils.NewUUIDV4(),
 			Start:         time.Now(),
 			Metadata:      metadata,
 			Chain:         conn.Chains(),
@ -149,14 +148,13 @@ func (ut *udpTracker) Close() error {
 }

 func NewUDPTracker(conn C.PacketConn, manager *Manager, metadata *C.Metadata, rule C.Rule, uploadTotal int64, downloadTotal int64) *udpTracker {
-	uuid, _ := utils.UnsafeUUIDGenerator.NewV4()
 	metadata.RemoteDst = conn.RemoteDestination()

 	ut := &udpTracker{
 		PacketConn: conn,
 		manager:    manager,
 		trackerInfo: &trackerInfo{
-			UUID:          uuid,
+			UUID:          utils.NewUUIDV4(),
 			Start:         time.Now(),
 			Metadata:      metadata,
 			Chain:         conn.Chains(),
--- a/tunnel/status.go
+++ b/tunnel/status.go
@ -0,0 +1,92 @@
+package tunnel
+
+import (
+	"encoding/json"
+	"errors"
+	"strings"
+	"sync/atomic"
+)
+
+type TunnelStatus int
+
+// StatusMapping is a mapping for Status enum
+var StatusMapping = map[string]TunnelStatus{
+	Suspend.String(): Suspend,
+	Inner.String():   Inner,
+	Running.String(): Running,
+}
+
+const (
+	Suspend TunnelStatus = iota
+	Inner
+	Running
+)
+
+// UnmarshalJSON unserialize Status
+func (s *TunnelStatus) UnmarshalJSON(data []byte) error {
+	var tp string
+	json.Unmarshal(data, &tp)
+	status, exist := StatusMapping[strings.ToLower(tp)]
+	if !exist {
+		return errors.New("invalid mode")
+	}
+	*s = status
+	return nil
+}
+
+// UnmarshalYAML unserialize Status with yaml
+func (s *TunnelStatus) UnmarshalYAML(unmarshal func(any) error) error {
+	var tp string
+	unmarshal(&tp)
+	status, exist := StatusMapping[strings.ToLower(tp)]
+	if !exist {
+		return errors.New("invalid status")
+	}
+	*s = status
+	return nil
+}
+
+// MarshalJSON serialize Status
+func (s TunnelStatus) MarshalJSON() ([]byte, error) {
+	return json.Marshal(s.String())
+}
+
+// MarshalYAML serialize TunnelMode with yaml
+func (s TunnelStatus) MarshalYAML() (any, error) {
+	return s.String(), nil
+}
+
+func (s TunnelStatus) String() string {
+	switch s {
+	case Suspend:
+		return "suspend"
+	case Inner:
+		return "inner"
+	case Running:
+		return "running"
+	default:
+		return "Unknown"
+	}
+}
+
+type AtomicStatus struct {
+	value atomic.Int32
+}
+
+func (a *AtomicStatus) Store(s TunnelStatus) {
+	a.value.Store(int32(s))
+}
+
+func (a *AtomicStatus) Load() TunnelStatus {
+	return TunnelStatus(a.value.Load())
+}
+
+func (a *AtomicStatus) String() string {
+	return a.Load().String()
+}
+
+func newAtomicStatus(s TunnelStatus) *AtomicStatus {
+	a := &AtomicStatus{}
+	a.Store(s)
+	return a
+}
--- a/tunnel/tunnel.go
+++ b/tunnel/tunnel.go
@ -26,6 +26,7 @@ import (
 )

 var (
+	status         = newAtomicStatus(Suspend)
 	tcpQueue       = make(chan C.ConnContext, 200)
 	udpQueue       = make(chan C.PacketAdapter, 200)
 	natTable       = nat.New()
@ -49,6 +50,22 @@ var (
 	fakeIPRange netip.Prefix
 )

+func OnSuspend() {
+	status.Store(Suspend)
+}
+
+func OnInnerLoading() {
+	status.Store(Inner)
+}
+
+func OnRunning() {
+	status.Store(Running)
+}
+
+func Status() TunnelStatus {
+	return status.Load()
+}
+
 func SetFakeIPRange(p netip.Prefix) {
 	fakeIPRange = p
 }
@ -158,10 +175,19 @@ func SetFindProcessMode(mode P.FindProcessMode) {
 	findProcessMode = mode
 }

+func isHandle(t C.Type) bool {
+	status := status.Load()
+	return status == Running || (status == Inner && t == C.INNER)
+}
+
 // processUDP starts a loop to handle udp packet
 func processUDP() {
 	queue := udpQueue
 	for conn := range queue {
+		if !isHandle(conn.Metadata().Type) {
+			conn.Drop()
+			continue
+		}
 		handleUDPConn(conn)
 	}
 }
@ -177,6 +203,10 @@ func process() {

 	queue := tcpQueue
 	for conn := range queue {
+		if !isHandle(conn.Metadata().Type) {
+			_ = conn.Conn().Close()
+			continue
+		}
 		go handleTCPConn(conn)
 	}
 }
Author	SHA1	Message	Date
Larvan2	9b7aab1fc7	chore: rename delete.yml	2023-03-30 16:04:09 +00:00
Larvan2	3c717097cb	Merge branch 'Alpha' into Meta	2023-03-30 16:03:47 +00:00
Larvan2	991de009be	chore: update readme	2023-03-30 15:57:52 +00:00
Larvan2	2fef329319	fix: upgrade backup	2023-03-29 13:59:36 +00:00
Skyxim	db7623968d	fix: inner http use host of address	2023-03-29 20:50:46 +08:00
Larvan2	7c80c88feb	chore: push latest alpha core to `MetaCubeX/AlphaBinary`	2023-03-29 12:28:16 +00:00
wwqgtxx	2c7153cd7a	chore: clean up code	2023-03-29 16:19:26 +08:00
Larvan2	d730feecb4	chore: use inner for upgrade core	2023-03-29 06:03:13 +00:00
Larvan2	1fdd1f702e	chore: better rename	2023-03-28 17:00:21 +00:00
Larvan2	34c91e5fe0	chore: add release branch	2023-03-28 16:40:45 +00:00
Skyxim	6d40de2179	chore: adjust trust cert	2023-03-27 22:27:59 +08:00
Skyxim	6ca14c814e	fix: tproxy listener cannot listen udp	2023-03-27 22:18:54 +08:00
Larvan2	545cbeeec0	chore: skip restart when update error	2023-03-27 00:49:47 +08:00
H1JK	431dcfa914	fix: Converter REALITY security type	2023-03-26 11:03:32 +08:00
Larvan2	4d30788738	chore: clean up code	2023-03-25 22:56:24 +08:00
Larvan2	e4364cc985	chore: update for testing the updater	2023-03-23 21:04:04 +08:00
Larvan2	99ede63a9a	feat: add upgrade api example: curl -X POST -H "Authorization: Bearer 123456" http://ip:port/upgrade	2023-03-23 20:48:20 +08:00
wwqgtxx	291b5be986	chore: move sing-tun's udpTimeout fix to there lib	2023-03-23 19:53:28 +08:00
wwqgtxx	a7944f1369	chore: better geodata shared	2023-03-23 18:58:24 +08:00
wwqgtxx	7e10d78d53	chore: share the same geodata in different rule	2023-03-23 18:35:37 +08:00
wwqgtxx	fd0580bfdd	fix: sing_tun apply udpTimeout when using gvisor stack	2023-03-23 14:05:31 +08:00
Skyxim	5737fbc23c	chore: `proxy-server-nameserver` does not follow the `nameserver-policy`	2023-03-23 12:58:59 +08:00
Larvan2	e026ac6a2a	chore: update xray-core version	2023-03-22 23:45:26 +08:00
wwqgtxx	e7bb1f42b1	chore: update quic-go to release unused buffer when error	2023-03-22 13:01:58 +08:00
Larvan2	a22000c41b	Update README.md	2023-03-21 23:56:40 +08:00
wwqgtxx	0336435ebc	chore: shadowsocks listener support the "udp" setting	2023-03-21 12:40:36 +08:00
metacubex	154fbb34ea	fix: log typo	2023-03-21 00:45:25 +08:00
H1JK	3e47bfacf0	feat: Converter support REALITY share standard	2023-03-19 17:31:52 +08:00
metacubex	9316c1293e	fix: geosite of nameserver-policy cannot be loaded correctly	2023-03-18 22:33:39 +08:00
Larvan2	f6f02bb5eb	fix: ToLower first	2023-03-18 22:20:31 +08:00
Phie Ash	84967ace53	Update flake.nix (#452 )	2023-03-18 19:55:29 +08:00
Larvan2	c7362fce9c	chore: do not modify ALPN in utls	2023-03-17 14:49:42 +08:00
世界	8cb67b6480	Update UoT protocol	2023-03-17 13:23:45 +08:00
wwqgtxx	3ae4285702	fix: tuic udp native mode can't relay packetSize>1200	2023-03-16 21:09:44 +08:00
wwqgtxx	998d407d44	Feat: support set tun file-descriptor in config file Co-authored-by: DuFoxit <DuFoxit@users.noreply.github.com>	2023-03-15 23:43:58 +08:00
wwqgtxx	520cc807d6	chore: Update dependencies	2023-03-15 18:58:59 +08:00
H1JK	7404bfdc44	chore: Improve REALITY handshake	2023-03-15 15:55:18 +08:00
世界	e8d4f8ae7b	Update UoT protocol	2023-03-15 14:46:35 +08:00
wwqgtxx	f7610ce2ad	chore: better uuid using	2023-03-15 10:10:03 +08:00
wwqgtxx	516c219580	fix: let quic-go works on outbound's packetConn	2023-03-15 09:56:00 +08:00
Skyxim	5d0efb5472	chore: keep existing connections	2023-03-15 09:18:03 +08:00
Skyxim	9d9bd245f3	fix: Adjust the timing of subscription information acquisition	2023-03-15 09:05:16 +08:00
wwqgtxx	53928eb895	chore: better TunnelStatus define	2023-03-15 00:11:31 +08:00
Skyxim	8dda9fdb70	fix: The default interface is actually configured incorrectly	2023-03-14 23:52:27 +08:00
Skyxim	cf7520ec22	chore: disconnect when suspended	2023-03-14 22:57:43 +08:00
wwqgtxx	68d7a6da7f	fix: ensure restart api return ok	2023-03-14 22:38:59 +08:00
Skyxim	09c53e7cb7	chore: Chore: adjust the loading order, and then load the resource at last	2023-03-14 22:37:07 +08:00
wwqgtxx	0f24c2f849	chore: add /restart to restful api	2023-03-14 22:19:12 +08:00
Skyxim	88116d9032	fix: optimize health check	2023-03-14 20:10:52 +08:00
wwqgtxx	6ba82c6d85	chore: cleanup code	2023-03-14 17:45:37 +08:00
wwqgtxx	5816dc2955	chore: better restls	2023-03-14 16:50:27 +08:00
Larvan2	f4251e58a5	chore: clean up code	2023-03-14 14:23:10 +08:00
3andne	2fef00d2a8	Support Restls-V1 in Clash.Meta (#441 ) * feat: impl restls * fix: don't break shadowtls' working * chores: correct restls-client-go version * feat: bump restls-client-go version * fix: consistent naming `client-fingerprint` * docs: update example config * chore: adjust client-fingerprint's snippet --------- Co-authored-by: wwqgtxx <wwqgtxx@gmail.com> Co-authored-by: Larvan2 <78135608+Larvan2@users.noreply.github.com>	2023-03-14 13:33:24 +08:00
Larvan2	2f992e9863	chore: fix issues #440	2023-03-13 21:19:39 +08:00
wwqgtxx	8293b7fdae	Merge branch 'Beta' into Meta # Conflicts: # .github/workflows/docker.yaml # .github/workflows/prerelease.yml	2023-02-19 01:25:34 +08:00
wwqgtxx	0ba415866e	Merge branch 'Alpha' into Beta	2023-02-19 01:25:01 +08:00
Larvan2	53b41ca166	Chore: Add action for deleting old workflow	2023-01-30 18:17:22 +08:00
metacubex	8a75f78e63	chore: adjust Dockerfile	2023-01-12 02:24:12 +08:00
metacubex	d9692c6366	Merge branch 'Beta' into Meta	2023-01-12 02:15:14 +08:00
metacubex	f4b0062dfc	Merge branch 'Alpha' into Beta	2023-01-12 02:14:49 +08:00
metacubex	b9ffc82e53	Merge branch 'Beta' into Meta	2023-01-12 01:33:56 +08:00
metacubex	78aaea6a45	Merge branch 'Alpha' into Beta	2023-01-12 01:33:16 +08:00
cubemaze	3645fbf161	Merge pull request #327 from Rasphino/Meta Update flake.nix hash	2023-01-08 00:29:29 +08:00
Rasphino	a1d0f22132	fix: update flake.nix hash	2023-01-07 23:38:32 +08:00
metacubex	fa73b0f4bf	Merge remote-tracking branch 'origin/Beta' into Meta	2023-01-01 19:41:36 +08:00
metacubex	3b76a8b839	Merge remote-tracking branch 'origin/Alpha' into Beta	2023-01-01 19:40:36 +08:00
cubemaze	667f42dcdc	Merge pull request #282 from tdjnodj/Meta Update README.md	2022-12-03 17:23:51 +08:00
tdjnodj	dfbe09860f	Update README.md	2022-12-03 17:17:08 +08:00
metacubex	9e20f9c26a	chore: update dependencies	2022-11-28 20:33:10 +08:00
Skimmle	f968d0cb82	chore: update github action	2022-11-26 20:16:12 +08:00
metacubex	2ad84f4379	Merge branch 'Beta' into Meta	2022-11-02 18:08:22 +08:00
metacubex	c7aa16426f	Merge branch 'Alpha' into Beta	2022-11-02 18:07:29 +08:00
Skyxim	5987f8e3b5	Merge branch 'Beta' into Meta	2022-08-29 13:08:29 +08:00
Skyxim	3a8eb72de2	Merge branch 'Alpha' into Beta	2022-08-29 13:08:22 +08:00
zhudan	33abbdfd24	Merge pull request #174 from MetaCubeX/Alpha Alpha	2022-08-29 11:24:07 +08:00
zhudan	0703d6cbff	Merge pull request #173 from MetaCubeX/Alpha Alpha	2022-08-29 11:22:14 +08:00
Skyxim	10d2d14938	Merge branch 'Beta' into Meta # Conflicts: # rules/provider/classical_strategy.go	2022-07-02 10:41:41 +08:00
wwqgtxx	691cf1d8d6	Merge pull request #94 from bash99/Meta Update README.md	2022-06-15 19:15:51 +08:00
bash99	d1decb8e58	Update README.md add permissions for systemctl services clash-dashboard change to updated one	2022-06-15 14:00:05 +08:00
Skyxim	7d04904109	fix: leak dns when domain in hosts list	2022-06-11 18:51:26 +08:00
Skyxim	a5acd3aa97	refactor: clear linkname,reduce cycle dependencies,transport init geosite function	2022-06-11 18:51:22 +08:00
Skyxim	eea9a12560	fix: 规则匹配默认策略组返回错误	2022-06-09 14:18:35 +08:00
adlyq	0a4570b55c	fix: group filter touch provider	2022-06-09 14:18:29 +08:00